Fundamentals of Fully Homomorphic Encryption
Computer Vision over Homomorphically Encrypted Data
CVPR 2025 Tutorial
June 12, 2025
The blind spot of traditional encryption
- IBM Security report (2024)
- Average breach cost of $4.9M
- 9 months for identifying a breach
Decryption causes costly damages that are hard to recover from.
Modern encryption provides Protection in use
- IBM Security report (2024)
- Security AI adoption saved organizations an average of $2.2M
Securing data in use is now a business must.
FHE can help AI models achieve trustworthiness
FHE enables AI models to process encrypted data without decryption.
Evolution of FHE schemes
Learning with Errors (LWE)
LWE problem prevents attackers from breaking FHE schemes' securityThe Hardness Foundation of LWE-Based FHE
$\mathbf{s} = \begin{bmatrix}10 \\ 82 \\ 50 \\ 51\end{bmatrix}$
\[ \begin{align} 77w + 7x + 28y + 23z &= 2859 \text{ } \nonumber \\ 21w
+ 19x + 30y + 48z &= 3508 \text{ } \nonumber \\ 4w + 24x + 33y + 38z &=
3848 \text{ } \nonumber \\ 8w + 20x + 84y + 61z &= 6225 \text{ }
\nonumber \\ \end{align} \]
\[ \begin{align} 77w + 7x + 28y + 23z &= 2859 \text{ } \nonumber \\ 21w
+ 19x + 30y + 48z &= 3508 \text{ } \nonumber \\ 4w + 24x + 33y + 38z &=
3848 \text{ } \nonumber \\ 8w + 20x + 84y + 61z &= 6225 \text{ }
\nonumber \\ \end{align} \]
\[ \begin{align} 77w + 7x + 28y + 23z &= 2859 \text{ } \nonumber \\ 21w
+ 19x + 30y + 48z &= 3508 \text{ } \nonumber \\ 4w + 24x + 33y + 38z &=
3848 \text{ } \nonumber \\ 8w + 20x + 84y + 61z &= 6225 \text{ }
\nonumber \\ \end{align} \]
\[ \begin{align} 77w + 7x + 28y + 23z &= 2859 \text{ } \color{#ff8080}{
+ \text{ } (-3)} \nonumber \\ 21w + 19x + 30y + 48z &= 3508 \text{ }
\color{#ff8080}{ + \text{ } (+2)} \nonumber \\ 4w + 24x + 33y + 38z &=
3848 \text{ } \color{#ff8080}{ + \text{ } (-1)} \nonumber \\ 8w + 20x +
84y + 61z &= 6225 \text{ } \color{#ff8080}{ \underbrace{+ \text{ }
(+0)}_{noise}}\nonumber \\ \end{align} \]
\[ \begin{align} 77w + 7x + 28y + 23z &= 2859 \text{ } \color{#ff8080}{
+ \text{ } (-3)} \nonumber \\ 21w + 19x + 30y + 48z &= 3508 \text{ }
\color{#ff8080}{ + \text{ } (+2)} \nonumber \\ 4w + 24x + 33y + 38z &=
3848 \text{ } \color{#ff8080}{ + \text{ } (-1)} \nonumber \\ 8w + 20x +
84y + 61z &= 6225 \text{ } \color{#ff8080}{ \underbrace{+ \text{ }
(+0)}_{noise}}\nonumber \\ \end{align} \]
\[ \begin{align} 77w + 7x + 28y + 23z &= 2859 \text{ } \color{#ff8080}{
+ \text{ } (-3)} \color{cyan}{\text{ (mod 89)}} \nonumber \\ 21w + 19x +
30y + 48z &= 3508 \text{ } \color{#ff8080}{ + \text{ } (+2)}
\color{cyan}{\text{ (mod 89)}} \nonumber \\ 4w + 24x + 33y + 38z &= 3848
\text{ } \color{#ff8080}{ + \text{ } (-1)} \color{cyan}{\text{ (mod
89)}} \nonumber \\ 8w + 20x + 84y + 61z &= 6225 \text{ }
\color{#ff8080}{ \underbrace{+ \text{ } (+0)}_{noise}}\text{
}\color{cyan}{\underbrace{\text{(mod 89)}}_{ring}} \nonumber \\
\end{align} \]
\[ \begin{align} 77w + 7x + 28y + 23z &= 2859 \text{ } \color{#ff8080}{
+ \text{ } (-3)} \color{cyan}{\text{ (mod 89)}} \nonumber \\ 21w + 19x +
30y + 48z &= 3508 \text{ } \color{#ff8080}{ + \text{ } (+2)}
\color{cyan}{\text{ (mod 89)}} \nonumber \\ 4w + 24x + 33y + 38z &= 3848
\text{ } \color{#ff8080}{ + \text{ } (-1)} \color{cyan}{\text{ (mod
89)}} \nonumber \\ 8w + 20x + 84y + 61z &= 6225 \text{ }
\color{#ff8080}{ \underbrace{+ \text{ } (+0)}_{noise}}\text{
}\color{cyan}{\underbrace{\text{(mod 89)}}_{ring}} \nonumber \\
\end{align} \]
Breaking FHE $\Leftrightarrow$ Solving LWE problem: recovering private key from public key.
| System | Problem | Complexity | Solution |
| $b=As$ in $\mathbb{R}$ | System of Linear Equations | P | Gaussian Elimination |
| $b=As+e$ in $\mathbb{R}$ | Least Squares Problem | P | Least Squares Estimator |
| $b=As+e \mod q$ in $\mathbb{Z}_q$ | Learning with Errors Problem | NP-hard | No known efficient algorithm (not even quantum) |
| $b(X)=A(X)s(X)+e(X) \mod q$ in $\mathbb{Z}_q[X]/(X^N+1)$ | Ring Learning with Errors Problem | NP-hard | No known efficient algorithm (not even quantum) |
Pipeline of Homomorphic Evaluation of Encrypted Data
Using CKKS scheme as an example
Encoding/Decoding
Key generation
Encryption/Decryption
Evaluation
Data Encoding and decoding
Ex: CKKS encoding operates in the cyclotomic ring $\mathbb{Z}_q[X]/(X^N+1)$
Key generation
- Example of CKKS Keys
- Private key: $sk = s(X)$
- $s(X)\in \mathbb{Z}[X]/(X^N+1)$ sampled from $\mathbb{Z}[X]/(X^N+1)$ with coefficients in $\{-1,0,1\}$.
- Public key: $pk=(a(X),b(x))$
- $a(X)$ sampled at random from $\mathbb{Z}_q[X]/(X^N+1)$
- $b(X) = -a(X) \cdot s(X)+e(X) \mod q$ where $e(X)$ is a small error sampled.
- Evaluation keys: $evK$
- Multiplication keys for ciphertext size reduction.
- Rotation keys to enable rotate and conjugate.
Security parameters selection
| Security | $N$ | $log_2(q)$ | Pt Slots ($\frac{N}{2}$) | Mult Depth |
|
128 bits
128 bits
|
8192 | 218 bits |
4096
4096
4096
|
5
5
5
|
| 16384 | 438 bits |
8192
8192
|
7
7
|
|
|
192 bits
192 bits
|
16384 | 307 bits |
8192
8192
8192
|
5
5
5
|
| 32768 | 620 bits | 16384 | 8 | |
|
256 bits
256 bits
|
16384 | 239 bits |
8192
8192
|
3
3
|
| 32768 | 440 bits |
16384
16384
16384
|
5
5
5
|
Higher security allows more packing at fixed depth, but reduces depth at fixed packing.
Encryption and Decryption
Ex: CKKS ciphertext is composed of two polynomials.
- Encryption
- $\left[\!\left[ m \right]\!\right]=(c_0(X),c_1(X))$
- $c_0(X) = b(X) \cdot r(X) + m(X) \mod q$
- $c_1(X) = a(X) \cdot r(X) \mod q$
- $r(X)$ sampled at random from $\mathbb{Z}_q[X]/(X^N+1)$
- Decryption
- $\tilde{m}(X) = \text{round} (c_0(X) + c_1(X) \cdot s(X) \mod q) $
Bootstrapping enables unlimited HE operations over encrypted data
Bootstrapping is very slow and need to be avoided
FHE Schemes support basic HE capabilities
Data Packing and SIMD operations
Choosing the right packing scheme significantly reduces latency.
Existing FHE schemes
| Security | Plaintext | SIMD | Bootstrapping |
| Ring LWE | Integer | CRT packing | Reduce noise after n ops ๐ |
| Security | Plaintext | SIMD | Bootstrapping |
| Ring LWE | Integer | CRT packing | Reduce noise after n ops ๐ |
| Security | Plaintext | SIMD | Bootstrapping |
| LWE & Ring LWE | Binary | โ | Reset noise after op โก |
| Security | Plaintext | SIMD | Bootstrapping |
| Torus LWE | Binary | โ | Reset noise per op โกโก |
| Security | Plaintext | SIMD | Bootstrapping |
| Ring LWE | Real & Complex | Polynomial rings | Increase modulus level after n ops ๐ |
Functions natively supported by FHE
Vector operations
Squared Euclidean distance
Polynomial evaluation
Matrix operations
Vector operations Under Encryption
Squared Euclidean distance Under Encryption
- Squared Euclidean distance $$\text{SED}(\mathbf{x},\mathbf{y}) = \sum_{i=1}^{d} (x_i - y_i)^2$$
- Encrypted SED $$ct = \left[\!\left[ \mathbf{x} \right]\!\right] - \left[\!\left[ \mathbf{y} \right]\!\right] = \left[\!\left[ x_1 -y_1, \cdots, x_d -y_d \right]\!\right]$$ $$ct' = ct \times ct = \left[\!\left[ (x_1 -y_1)^2, \cdots, (x_d -y_d)^2 \right]\!\right]$$ $$\left[\!\left[ \text{SED}(\mathbf{x},\mathbf{y}) \right]\!\right] = \sum_{i=1}^{\log_2(d)} \text{rot}(ct', 2^i)$$
Complexity
- Additions: $\log_2(d)$
- Multiplications: $1$
- Rotations: $\log_2(d)$
Latency
Low latency that depends on $d$.
Applications
Inner product Under Encryption
- For normalized $\mathbf{\tilde{x}}$ and $\mathbf{\tilde{y}}$, cosine becomes inner product (IP): $$< \mathbf{\tilde{x}},\mathbf{\tilde{y}}> = \sum_{i=1}^{d} \tilde{x_i} \tilde{y_i}$$
- Encrypted IP $$ct = \left[\!\left[ \mathbf{\tilde{x}} \right]\!\right] \times \left[\!\left[ \mathbf{\tilde{y}} \right]\!\right] = \left[\!\left[ (\tilde{x_1} \tilde{y_1}, \cdots, \tilde{x_d} \tilde{y_d}) \right]\!\right]$$ $$\left[\!\left[ < \mathbf{\tilde{x}},\mathbf{\tilde{y}}>\right]\!\right] = \sum_{i=1}^{\log_2(d)} \text{rot}(ct, 2^i)$$
Complexity
- Additions: $\log_2(d)-1$
- Multiplications: $1$
- Rotations: $\log_2(d)$
Latency
Low latency that depends on $d$.
Applications
Polynomial evaluation Under Encryption
- Polynomial evaluation $$P(X) = a_0 + a_1 X + a_2 X^2 + \cdots + a_n X^n$$
- Viewed as an inner product $P(X) = <\mathbb{a}, \mathbb{X}>$
- $\mathbb{a} = (a_0, a_1, \cdots, a_n)$
- $\mathbb{X} = (1, X^1, \cdots, X^n)$
-
Encrypted polynomial evaluation
- Pt-Ct multiplication $ct = \mathbb{a} \times \left[\!\left[ \mathbb{X} \right]\!\right]$
- Ct-Ct multiplication $ct = \left[\!\left[ \mathbb{a} \right]\!\right] \times \left[\!\left[ \mathbb{X} \right]\!\right]$
Complexity
- Additions: $\log_2(n+1)-1$
- Multiplications: $1$
- Rotations: $\log_2(n+1)$
Latency
Low latency that depends on $n$.
Applications
Matrix operations Under Encryption
Matrix-vector multiplication
Complexity
- Additions: $2$
- Multiplications: $n$ rows
- Rotations: $3$
Latency
Medium latency that depends on the matrix dimension.
Applications
Matrix operations Under Encryption
Matrix-Matrix multiplication
Complexity
- Additions: $2$
- Multiplications: $n \times m$
- Rotations: $0$
Latency
High latency that depends on the dimensions of the matrices.
Application
Takeaways
FHE offers data protection throughout its entire lifecycle.
Right security parameters
Adequate packing scheme
Minimize #Multiplications and #Rotations
Apply bootstrapping to avoid exhausting ciphertexts
