CKKS Homomorphic Encryption

A DID scheme based on homomorphic encryption of face features

CKKS algorithm is a fully homomorphic encryption (HE) scheme used for encrypted computation. Its full name is "Cheon-Kim-Kim-Song" and was proposed by Cheon et al. (2017) [3]. The CKKS algorithm can support encrypted computation for complex and real number data, and can achieve relatively high encryption computation accuracy and small ciphertext expansion factors, making it one of the widely used fully homomorphic encryption schemes today.

CKKS plaintext space

Unlike other HE schemes, the CKKS scheme supports approximate arithmetic over complex numbers. More precisely, the plaintext space of the CKKS scheme is Cn/2 \mathbb{C}^{n/2} for some power-of-two integer n n . To deal with the complex plaintext vector efficiently, Cheon et al. proposed plaintext encoding/decoding methods which exploits a ring isomorphism Ο•:R[X]/(Xn+1)β†’Cn/2 \phi: \mathbb{R}[X]/(X^n+1) \rightarrow \mathbb{C}^{n/2} .

Encoding method

Given a plaintext vector zβƒ—=(z1,z2,...,zn/2)∈Cn/2 \vec z = (z_1,z_2,...,z_{n/2}) \in \mathbb{C}^{n/2} and a scaling factor Ξ”>1 \Delta > 1 , the plaintext vector is encoded as a polynomial m(X)∈R:=Z[X]/(Xn+1) m(X) \in R:= \mathbb{Z}[X]/(X^n+1) by computing m(X)=βŒŠΞ”β‹…Ο•βˆ’1(zβƒ—)βŒ‰βˆˆR m(X) = \lfloor \Delta \cdot \phi^{-1}(\vec z) \rceil \in R where βŒŠβ‹…βŒ‰ \lfloor \cdot \rceil denotes the coefficient-wise rounding function.

Decoding method

Given a message polynomial m(X)∈R m(X) \in R and a scaling factor Ξ”>1 \Delta > 1 , the message polynomial is decoded to a complex vector zβƒ—βˆˆCn/2 \vec z \in \mathbb{C}^{n/2} by computing zβƒ—=Ξ”βˆ’1β‹…Ο•(m(X))∈Cn/2 \vec z = \Delta^{-1}\cdot \phi(m(X)) \in \mathbb{C}^{n/2} .

Here the scaling factor Ξ”>1 \Delta > 1 enables us to control the encoding/decoding error which is occurred by the rounding process. Namely, one can obtain the approximate equation Dcd(Ecd(zβƒ—;Ξ”);Ξ”)β‰ˆzβƒ— \text{Dcd}(\text{Ecd}(\vec z; \Delta); \Delta) \approx \vec z by controlling Ξ” \Delta where Ecd\text{Ecd} and Dcd\text{Dcd} denote the encoding and decoding algorithm, respectively.

From the ring-isomorphic property of the mapping ϕ:R[X]/(Xn+1)→Cn/2\phi: \mathbb{R}[X]/(X^n+1) \rightarrow \mathbb{C}^{n/2} , for m1=Ecd(z⃗1;Δ)m_1 = \text{Ecd}(\vec z_1;\Delta) and m2=Ecd(z⃗2;Δ)m_2 = \text{Ecd}(\vec z_2;\Delta), the following hold:

  • Dcd(m1+m2;Ξ”)β‰ˆzβƒ—1+zβƒ—2\text{Dcd}(m_1 + m_2;\Delta) \approx \vec z_1 + \vec z_2,

  • Dcd(m1β‹…m2;Ξ”)β‰ˆzβƒ—1∘zβƒ—2\text{Dcd}(m_1\cdot m_2;\Delta) \approx \vec z_1 \circ \vec z_2,

where ∘\circ denotes the [[Hadamard product (matrices)|Hadamard product]] of the same-length vectors. These properties guarantee the approximate correctness of the computations in the encoded state when the scaling factor Ξ”\Delta is chosen appropriately.


The CKKS scheme basically consists of those algorithms: key Generation, encryption, decryption, homomorphic addition and multiplication, and rescaling. For a positive integer qq, let Rq:=R/qRR_q := R/qR be the quotient ring of RR modulo qq. Let Ο‡s\chi_s, Ο‡r\chi_r and Ο‡e\chi_e be distributions over RR which output polynomials with small coefficients. These distributions, the initial modulus QQ, and the ring dimension nn are predetermined before the key generation phase.

Key generation

The key generation algorithm is following:

  • Sample a secret polynomial s←χss \leftarrow \chi_s.

  • Sample aa (resp. aβ€²a') uniform randomly from RQR_Q (resp. RPQR_{PQ}), and e,e′←χee,e' \leftarrow \chi_e.

  • Output a secret key sk←(1,s)∈RQ2sk \leftarrow (1, s)\in R_Q^2, a public key pk←(b=βˆ’aβ‹…s+e,a)∈RQ2pk \leftarrow (b = -a \cdot s + e, a) \in R_Q^2, and an evaluation key evk←(bβ€²=βˆ’aβ€²β‹…s+eβ€²+Pβ‹…s2,aβ€²)∈RPQ2evk \leftarrow (b' = -a' \cdot s + e' + P\cdot s^2, a') \in R_{PQ}^2.


The encryption algorithm is following:

  • Sample an ephemeral secret polynomial r←χrr \leftarrow \chi_r.

  • For a given message polynomial m∈Rm \in R, output a ciphertext ct←(c0=rβ‹…b+e0+m,c1=rβ‹…a+e1)∈RQ2ct \leftarrow (c_0 = r\cdot b + e_0 + m, c_1 = r\cdot a + e_1) \in R_Q^2.


The decryption algorithm is following:

  • For a given ciphertext ct∈Rq2ct \in R_q^2, output a message mβ€²β†βŸ¨ct,sk⟩</math><math>(modΒ q)m' \leftarrow \langle ct, sk \rangle </math> <math> (\text{mod } q).

The decryption outputs an approximate value of the original message, i.e., Dec(sk,Enc(pk,m))β‰ˆm\text{Dec}(sk, \text{Enc}(pk, m)) \approx m, and the approximation error is determined by the choice of distributions Ο‡s,Ο‡e,Ο‡r\chi_s, \chi_e, \chi_r. When considering homomorphic operations, the evaluation errors are also included in the approximation error. Basic homomorphic operations, addition and multiplication, are done as follows.

Homomorphic addition

The homomorphic addition algorithm is following:

  • Given two ciphertexts ctct and ctβ€²ct' in Rq2R_q^2, output ctadd←ct+ctβ€²βˆˆRq2ct_{\text{add}} \leftarrow ct + ct' \in R_q^2.

The correctness holds as Dec(sk,ctadd)β‰ˆDec(sk,ct)+Dec(sk,ctβ€²)\text{Dec}(sk, ct_\text{add}) \approx \text{Dec}(sk, ct) + \text{Dec}(sk, ct').

Homomorphic multiplication

The homomorphic multiplication algorithm is following:

  • Given two ciphertext ct=(c0,c1)ct =(c_0, c_1) and ctβ€²=(c0β€²,c1β€²)ct' =(c_0', c_1') in Rq2R_q^2, compute (d0,d1,d2)=(c0c0β€²,c0c1β€²+c1c0β€²,c1c1β€²)(d_0, d_1, d_2) = (c_0c_0', c_0c_1'+c_1c_0', c_1c_1') (modΒ q)(\text{mod } q). Output ctmult←(d0,d1)+⌊Pβˆ’1β‹…d2β‹…evkβŒ‰βˆˆRq2ct_{\text{mult}} \leftarrow (d_0, d_1) + \lfloor P^{-1}\cdot d_2 \cdot evk \rceil \in R_q^2.

The correctness holds as Dec(sk,ctmult)β‰ˆDec(sk,ct)β‹…Dec(sk,ctβ€²)\text{Dec}(sk, ct_\text{mult}) \approx \text{Dec}(sk, ct) \cdot \text{Dec}(sk, ct').

Note that the approximation error (on the message) exponentially grows up on the number of homomorphic multiplications. To overcome this problem, most of HE schemes usually use a modulus-switching technique which was introduced by Brakerski et al. (2012) [4].

In case of HEAAN, the modulus-switching procedure is called rescaling. The Rescaling algorithm is very simple compared to Brakerski-Gentry-Vaikuntanathan's original algorithm. Applying the rescaling algorithm after a homomomorphic multiplication, the approximation error grows linearly, not exponentially.


The rescaling algorithm is following:

  • Given a ciphertext ct∈Rq2ct \in R_q^2 and a new modulus qβ€²q' output a rescaled ciphertext ctrsβ†βŒŠ(qβ€²/q)β‹…ctβŒ‰βˆˆRqβ€²2ct_{\text{rs}}\leftarrow \lfloor (q'/q)\cdot ct\rceil \in R_{q'}^2.

The total procedure of the CKKS scheme is as following: Each plaintext vector zβƒ—\vec z which consists of complex (or real) numbers is firstly encoded as a polynomial m(X)∈Rm(X) \in R by the encoding method, and then encrypted as a ciphertext ct∈Rq2ct \in R_q^2. After several homomorphic operations, the resulting ciphertext is decrypted as a polynomial mβ€²(X)∈Rm'(X) \in R and then decoded as a plaintext vector zβƒ—β€²\vec z' which is the final output.

DID Creation Based on Homomorphic Encrypted Face Features

This scheme uses homomorphic encryption technology to protect users' facial feature data. During user registration, facial features are extracted using liveness verification technology, encrypted using homomorphic encryption technology, and uploaded to the server. The server uses homomorphic encryption technology to compare and generate similarity ciphertext, which will be sent back to the frontend application for decryption and verification. If the user's facial features are not registered, the DID identifier and facial feature ciphertext will be saved in the database to complete the registration.

Homomorphic encryption technology allows calculations to be performed on data in an encrypted state, which can prevent sensitive data from being exposed in plaintext. At the same time, liveness verification technology can prevent malicious users from uploading photos of others to register fake accounts. This scheme provides a secure and reliable method for creating DID identifiers and protecting user privacy.

The creation process is as follows:

  1. Generate a public-private key pair on the frontend: Users generate a public-private key pair on the frontend application, where the public key is used to create the DID identifier, and the private key is used for signature.

  2. Generate a DID identifier: The DID identifier is generated using the public key, which is used to identify the user's identity.

  3. Scan the user's face, perform liveness verification, and extract facial features: The frontend application scans the user's face, uses liveness verification technology to ensure that the face is real, and extracts facial features (faceprint) from it.

  4. Homomorphically encrypt the faceprint vector values and upload the facial feature ciphertext to the server: Use homomorphic encryption technology to encrypt the facial features, and upload the encrypted facial feature values to the server.

  5. Perform similarity matching based on facial feature ciphertext on the server and obtain the similarity ciphertext: The server uses homomorphic encryption technology to compare the encrypted facial features, and obtains a similarity score ciphertext.

  6. Send the similarity ciphertext to the frontend: The server sends the similarity ciphertext to the frontend application.

  7. Decrypt the similarity ciphertext on the frontend and determine if the facial features have been registered: The frontend application uses the private key to decrypt the similarity ciphertext to determine whether the facial features have been registered.

  8. Register the DID identifier and facial feature ciphertext: If the facial features are not registered, the DID identifier and facial feature ciphertext will be saved to the database to complete the registration process.


  • Boddeti, Vishnu Naresh. "Secure face matching using fully homomorphic encryption." 2018 IEEE 9th International Conference on Biometrics Theory, Applications and Systems (BTAS). IEEE, 2018.

  • Liu, Weiyang, et al. "Sphereface: Deep hypersphere embedding for face recognition." Proceedings of the IEEE conference on computer vision and pattern recognition. 2017.

  • Cheon, Jung Hee, et al. "Homomorphic encryption for arithmetic of approximate numbers." Advances in Cryptology–ASIACRYPT 2017: 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3-7, 2017, Proceedings, Part I 23. Springer International Publishing, 2017.

  • Brakerski, Zvika. "Fully homomorphic encryption without modulus switching from classical GapSVP." Advances in Cryptology–CRYPTO 2012: 32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2012. Proceedings. Springer Berlin Heidelberg, 2012.

Last updated