Accelerating PEGASUS by Applying NTRU-Based GSW-Like
Encryption
Shusaku Uemura and Kazuhide Fukushima (a)
KDDI Research, Inc., Saitama, Japan
Keywords: Fully Homomorphic Encryption, Scheme Switching, PEGASUS, NTRU-Based GSW-Like Encryption, Look-up Table Evaluation.
Abstract: Fully homomorphic encryption (FHE) enables operations to be executed on ciphertexts without decryption, so FHE is expected to be applied to analyses of confidential data. Each of the FHE schemes proposed thus far has its own strengths, such as the ability to handle real numbers or to evaluate arbitrary functions. Scheme switching converts a ciphertext of one FHE scheme into a ciphertext of another and thereby makes both sets of strengths available. However, as scheme switching is computationally expensive, it is sometimes more efficient to use a single scheme together with approximation. Xiang et al. (CRYPTO23) proposed an efficient blind rotation technique; blind rotation is used in the scheme switching method named PEGASUS. They use NTRU-based GSW-like encryption to accelerate blind rotation, and the technique applies to any scheme that uses GSW encryption. This paper investigates the effects of applying NTRU-based GSW-like encryption to PEGASUS. We find that applying NTRU-based GSW-like encryption to PEGASUS theoretically reduces the key size required to evaluate a look-up table by 43% and the number of integer multiplications by 96%. We also confirmed experimentally that using NTRU-based GSW-like encryption in PEGASUS accelerates the evaluation of a look-up table by a factor of 1.55.
1 INTRODUCTION
Fully homomorphic encryption (FHE) is an encryption scheme that enables operations on ciphertexts without decryption. FHE is expected to be useful for analyzing sensitive data and for collaborative analyses of confidential data among several organizations. Multi-party computation (MPC) is another secure computation technique that enables computation without the participating computers learning the confidential information. MPC carries the risk that the computers, such as servers, learn the confidential information if they maliciously cooperate, so it requires the assumption that the servers do not collude. FHE does not require such an assumption because the computers cannot learn the plaintext values unless they have access to the secret key. Although FHE tends to be more computationally expensive than MPC, it incurs lower communication costs. For these reasons, FHE is expected to be applied in various fields.
The noise in an FHE ciphertext grows as operations are performed on it, and the decrypted value becomes wrong once the noise exceeds a certain threshold. Homomorphic operations can therefore be performed only while the noise stays below this threshold. Homomorphic encryption schemes with a limited number of operations are called somewhat homomorphic encryption or leveled homomorphic encryption. To make the number of operations unlimited, FHE adopts a noise-reducing operation called bootstrapping. Many FHE schemes proposed thus far (Cheon et al., 2017; Chillotti et al., 2020) are based on learning with errors (LWE) encryption (Regev, 2005). They adopt different operations for multiplication and bootstrapping.

(a) https://orcid.org/0000-0003-2571-0116
One major FHE scheme is the Cheon-Kim-Kim-Song (CKKS) scheme (Cheon et al., 2017), which handles approximate numbers as plaintexts and homomorphically evaluates polynomials. CKKS is used for data analyses (Geva et al., 2023) and is implemented in FHE libraries (Al Badawi et al., 2022).
FHEW (Ducas and Micciancio, 2015) and TFHE (Chillotti et al., 2020) are also major FHE schemes. They utilize Gentry-Sahai-Waters (GSW) encryption (Gentry et al., 2013) to implement homomorphic multiplication, and they also realize bootstrapping with GSW ciphertexts. Their bootstrapping is called programmable bootstrapping (PBS) because it evaluates an arbitrary function through a look-up table (LUT) while reducing noise. As PBS can homomorphically evaluate any function, TFHE is expected to be applied in machine learning and data analysis, where evaluations of nonlinear functions are necessary. There are several TFHE libraries (Zama, 2022) and machine learning frameworks built on TFHE (Meyre et al., 2022).

Uemura, S. and Fukushima, K.
Accelerating PEGASUS by Applying NTRU-Based GSW-Like Encryption.
DOI: 10.5220/0013555300003979
In Proceedings of the 22nd International Conference on Security and Cryptography (SECRYPT 2025), pages 650-657
ISBN: 978-989-758-760-3; ISSN: 2184-7711
Copyright © 2025 by Paper published under CC license (CC BY-NC-ND 4.0)
There are several FHE schemes, each with its own strengths, and it is necessary to select an appropriate scheme for the intended purpose. These schemes also have their own weaknesses in executing complicated operations. Thus, it is useful to combine their strengths and mitigate their weaknesses by converting a ciphertext of one scheme into a ciphertext of another. This technique is called scheme switching.
Although scheme switching enables mutual conversion of ciphertexts and thereby utilizes the strengths of each scheme, it requires extra keys and operations. The switching key is generally larger than the secret key and the ciphertexts, and the computational cost of switching between schemes is relatively high. For this reason, some research applying FHE to machine learning does not adopt scheme switching and instead approximates complicated functions or computes them in plaintext (Geva et al., 2023; Azogagh et al., 2022). Therefore, reducing the key size, space complexity and time complexity is important for the applications of fully homomorphic encryption.
Xiang et al. (Xiang et al., 2023) proposed an efficient blind rotation technique. Blind rotation is often used in TFHE-like schemes to evaluate a look-up table. Their work proposed a vector of NTRU ciphertexts that supports homomorphic multiplication with an NTRU ciphertext, and this homomorphic multiplication makes the evaluation of a blind rotation more efficient.
This paper investigates the effects of applying Xiang's method to PEGASUS, a scheme switching method for FHE. Most FHE schemes proposed thus far can be switched to one another since they are based on LWE encryption (Regev, 2005), and scheme switching among LWE-based FHE schemes uses GSW encryption to execute homomorphic multiplication. As Xiang's method requires less space and fewer operations, we discuss the effect of applying it to PEGASUS.
2 PRELIMINARIES
This section defines the notation used in the rest of this paper and briefly reviews homomorphic encryption and scheme switching.
2.1 Notations
The set of integers is denoted by $\mathbb{Z}$. For a positive integer $q$ we define $\mathbb{Z}_q := \mathbb{Z}/q\mathbb{Z}$. The set of $n$-dimensional vectors with integer entries is denoted by $\mathbb{Z}^n$. For a vector $v$, $v_i$ denotes the $i$-th entry of $v$, and $\langle u, v\rangle$ denotes the inner product of two vectors $u, v$. For a positive integer $q$ and a power of two $N$, we define $R := \mathbb{Z}[X]/(X^N + 1)$ and $R_q := R/qR$.
2.2 Fully Homomorphic Encryption
Fully homomorphic encryption (FHE) is an encryption scheme that enables operations such as addition and multiplication on ciphertexts without decryption. Major FHE schemes are Brakerski-Fan-Vercauteren (BFV) (Fan and Vercauteren, 2012), Cheon-Kim-Kim-Song (CKKS) (Cheon et al., 2017) and TFHE (Chillotti et al., 2020). These schemes are based on Learning with Errors (LWE) encryption (Regev, 2005) and its polynomial variant, Ring-LWE (Lyubashevsky et al., 2013). Each of them has its own strength, such as the ability to perform SIMD operations, to handle a real number as a message, or to evaluate an arbitrary function. As all of the above schemes are based on LWE encryption, it is possible to combine their strengths by mutually switching between them. Such a method of switching schemes is called scheme switching, and several methods have been proposed (Boura et al., 2020; Lu et al., 2021).
Like public-key encryption, FHE is mainly composed of three algorithms: key generation, encryption and decryption. Addition in an LWE-based FHE scheme is performed by simply adding two ciphertexts. Multiplication is realized with a special key called an evaluation key, which contains information about the secret key. These operations increase the noise in a ciphertext, which increases the decryption failure rate. Thus, it is necessary to reduce the noise using a special operation called bootstrapping. The details of bootstrapping differ among schemes, but all of them realize bootstrapping by homomorphic operations with a special key containing information about the secret key.
As CKKS and FHEW/TFHE are based on LWE encryption, we first describe LWE encryption. The parameters of LWE are positive integers $q$ and $n$. Let $D_e$ be an error distribution. An LWE ciphertext under a secret key $s \in \mathbb{Z}_q^n$ is given by
$$\mathrm{LWE}(m) := \big(a,\ -\langle a, s\rangle + \Delta m + e\big) \in \mathbb{Z}_q^{n+1}$$
where $e$ is sampled from $D_e$ and $\Delta$ is a scale parameter. For an LWE ciphertext $(a, b) = \mathrm{LWE}(m)$, decryption is performed by removing the error from $b + \langle a, s\rangle$ by division and rounding. An RLWE ciphertext is defined similarly by replacing $\mathbb{Z}_q^n$ in the definition of an LWE ciphertext with $R_q$.
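The LWE definition above, written out as an added example (not code from the paper): encryption in the convention $(a, -\langle a, s\rangle + \Delta m + e)$, decryption by centring $b + \langle a, s\rangle$ and rounding away the error, and homomorphic addition, which adds the two errors. The dimension, modulus, plaintext modulus and the uniform error range are toy values chosen here, not the paper's parameters.

```python
import random

# Toy parameters chosen for this example (not the paper's): LWE dimension n,
# modulus q, plaintext modulus t and scale Delta = q/t.
N_DIM = 16
Q = 2 ** 16
T = 16
DELTA = Q // T
E_BOUND = 2            # errors drawn uniformly from [-E_BOUND, E_BOUND] (constructed D_e)


def keygen(rng):
    """Binary secret key s in {0,1}^n."""
    return [rng.randrange(2) for _ in range(N_DIM)]


def inner(u, v):
    return sum(x * y for x, y in zip(u, v))


def encrypt(s, m, rng):
    """LWE(m) = (a, -<a,s> + Delta*m + e) in Z_q^{n+1}."""
    a = [rng.randrange(Q) for _ in range(N_DIM)]
    e = rng.randint(-E_BOUND, E_BOUND)
    return a, (-inner(a, s) + DELTA * m + e) % Q


def phase(s, ct):
    """b + <a,s> mod q, centred into (-q/2, q/2]; equals Delta*m + e."""
    a, b = ct
    p = (b + inner(a, s)) % Q
    return p - Q if p > Q // 2 else p


def decrypt(s, ct):
    """Strip the error by dividing by Delta and rounding to the nearest integer."""
    return round(phase(s, ct) / DELTA) % T


def add(ct1, ct2):
    """Homomorphic addition is component-wise addition of the two ciphertexts."""
    a1, b1 = ct1
    a2, b2 = ct2
    return [(x + y) % Q for x, y in zip(a1, a2)], (b1 + b2) % Q


def noise_ok(s, ct, m):
    """Decryption is correct while |error| < Delta/2; the error is phase - Delta*m."""
    return abs(phase(s, ct) - DELTA * m) < DELTA // 2


def roundtrip_all(seed=0):
    """Every message in Z_t encrypts and decrypts correctly."""
    rng = random.Random(seed)
    s = keygen(rng)
    return all(decrypt(s, encrypt(s, m, rng)) == m for m in range(T))


def demo(seed=1):
    rng = random.Random(seed)
    s = keygen(rng)
    c1, c2 = encrypt(s, 3, rng), encrypt(s, 4, rng)
    c3 = add(c1, c2)                      # encrypts 3 + 4 = 7 with error e1 + e2
    return decrypt(s, c1), decrypt(s, c2), decrypt(s, c3), noise_ok(s, c3, 7)


if __name__ == "__main__":
    print(demo(), roundtrip_all())
```

The threshold in `noise_ok` is the one the text refers to: once the accumulated error reaches $\Delta/2$ the rounding step lands on a neighbouring message, which is why bootstrapping is needed to keep computing.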
2.3 CKKS
The CKKS scheme is an RLWE-based FHE scheme proposed by Cheon et al. that can handle a real or complex number as a message by encoding it into a plaintext. Secret keys are sampled from $R_q$; each coefficient of the key belongs to $\{0, \pm 1\}$ and the Hamming weight equals $h$. The error distribution is a discrete Gaussian distribution with mean $0$ and standard deviation parameterized by $\sigma$. The CKKS scheme uses an RLWE evaluation key containing information about the secret key for homomorphic multiplication.
The CKKS scheme encodes a message before encryption so that it can handle a real number as a message, and decodes the decrypted text to obtain the message. Decoding and encoding are embeddings from the polynomial space $R_q$ into complex vectors, and their inverses. Decoding is thus represented by a map $\varphi : R_q \to \mathbb{C}^{N/2}$. Concretely, for $f(X) \in R_q$ the embedding $\varphi$ is given by
$$\varphi(f) = \big(f(\zeta),\ f(\zeta^{3}),\ \dots,\ f(\zeta^{N-1})\big) \in \mathbb{C}^{N/2}, \qquad \zeta = e^{2\pi i/N}.$$
Encoding is performed by evaluating the inverse $\varphi^{-1}$ on a message vector and multiplying by a scaling factor. Note that not every complex vector is mapped to a polynomial with integer coefficients, so rounding is required. Decoding is the inverse of encoding: multiply by the inverse of the scaling factor and apply $\varphi$ to obtain the complex vector, then round the obtained vector to an appropriate accuracy to recover the decoded message. As each entry of $\varphi$, a map that substitutes $X$ with $\zeta^{2i+1}$, is a ring homomorphism, addition and multiplication after encoding correspond to those before encoding. This is the reason that CKKS can handle a real or complex number as a message while using polynomials with integer coefficients as ciphertexts.
2.4 FHEW and TFHE
FHEW and TFHE are called the third generation of FHE. They enable homomorphic multiplication by utilizing bit decomposition. FHEW (Ducas and Micciancio, 2015) is an FHE scheme proposed by Ducas et al. that accelerates bootstrapping by bit operations. TFHE is a scheme proposed by Chillotti et al. that defines its ciphertexts over a torus. These schemes utilize GSW encryption to realize homomorphic multiplication. A GSW ciphertext consists of a vector of LWE ciphertexts combined with a gadget matrix that corresponds to a bit decomposition of the plaintext. An operation called the external product of an LWE ciphertext and a GSW ciphertext enables homomorphic multiplication. A GSW ciphertext is composed as follows. Let $g := (q/B, \dots, q/B^{l})$ be a gadget vector for positive integers $B, l$. We define a gadget matrix $G$ as $G := \mathrm{diag}(g, g, \dots, g) \in \mathbb{Z}_q^{l(n+1) \times (n+1)}$. A GSW ciphertext is defined by $\mathrm{GSW}(m) = L + m \cdot G$, where $L$ is a vector of $l(n+1)$ LWE ciphertexts of zero: $L := (\mathrm{LWE}(0), \dots, \mathrm{LWE}(0))$. Homomorphic multiplication of an LWE ciphertext and a GSW ciphertext is given by
$$\mathrm{GSW}(m_1) \boxdot \mathrm{LWE}(m_2) := \big\langle \mathrm{GSW}(m_1),\ \mathrm{BitDecomp}_B(\mathrm{LWE}(m_2)) \big\rangle$$
where $\mathrm{BitDecomp}_B$ stands for the bit decomposition in base $B$ of each entry of the LWE ciphertext. The inner product of a GSW ciphertext and the bit decomposition of an LWE ciphertext is the sum, over all entries, of each component LWE ciphertext of the GSW ciphertext multiplied by the corresponding bit-decomposed entry of the LWE ciphertext. This operation gives an LWE ciphertext of $m_1 m_2$, i.e. $\mathrm{LWE}(m_1 m_2)$. A ring GSW (RGSW) ciphertext is defined similarly, except that it is defined over $R_q$ instead of $\mathbb{Z}_q$.
The TFHE scheme utilizes RGSW ciphertexts to bootstrap an LWE ciphertext by blind rotation. Blind rotation multiplies a polynomial $r(X)$ by $X^{i}$ without decryption and without knowing the value of $i$. Concretely, for an LWE ciphertext $(a, b)$ of a message $m$, blind rotation obtains $r(X) \times X^{(b + \langle a, s\rangle)}$. Denoting by $r_i$ the $i$-th coefficient of $r(X)$, one can obtain $r_m$ by taking the constant term of the blind-rotated value. This procedure gives an LWE ciphertext of $f(m)$ when the coefficients of $r(X)$ are set to correspond to $f(X)$.
TFHE uses RGSW ciphertexts as the bootstrapping key to perform the above procedure. The bootstrapping key is a set of RGSW ciphertexts of the entries $s_i \in \{0, 1\}$ of the secret key. Bootstrapping is executed as follows. First, an initial RLWE ciphertext is prepared by computing $\mathrm{Acc}_0 = \mathrm{RLWE}\big(r(X) \times X^{b}\big)$. Then, $\mathrm{Acc}_i$ for $i = 1, \dots, n$ is computed recursively by
$$\mathrm{Acc}_i = \mathrm{RGSW}(s_i) \boxdot \big(\mathrm{Acc}_{i-1} \cdot (X^{a_i} - 1)\big) + \mathrm{Acc}_{i-1}.$$
The value of $\mathrm{Acc}_n$ is an RLWE ciphertext $\mathrm{RLWE}\big(r(X) \times X^{(b + \langle a, s\rangle)}\big)$ because each $s_i$ equals $0$ or $1$. By applying a method called sample extraction to the obtained RLWE ciphertext, one obtains the desired LWE ciphertext $\mathrm{LWE}(f(m))$. Blind rotation is an important component of the bootstrapping procedure of TFHE because it reduces the noise of the LWE ciphertext. The above procedure is also called a look-up table (LUT) evaluation as it can evaluate a prepared function.
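The GSW construction and external product of this subsection, as an added example over $\mathbb{Z}_q$ (not code from the paper): $\mathrm{GSW}(m) = L + m\cdot G$ with gadget $g = (q/B, \dots, q/B^{l})$, and $\mathrm{GSW}(m_1) \boxdot \mathrm{LWE}(m_2) = \langle \mathrm{GSW}(m_1), \mathrm{BitDecomp}_B(\mathrm{LWE}(m_2))\rangle$. Parameters are toy values chosen here with $q = B^{l}$ so that every gadget entry is an integer; the LWE helper follows the paper's $(a, -\langle a, s\rangle + \Delta m + e)$ convention.

```python
import random

# Toy parameters chosen for this example (not the paper's).
N_DIM = 8             # LWE dimension n
B = 4                 # decomposition base
L_DIGITS = 8          # l: q = B^l, so each Z_q entry has l base-B digits
Q = B ** L_DIGITS     # 65536
T = 16                # plaintext modulus; Delta = q/t
DELTA = Q // T
E_BOUND = 1           # fresh errors drawn from [-1, 1] (constructed distribution)

GADGET = [Q // B ** (k + 1) for k in range(L_DIGITS)]   # g = (q/B, ..., q/B^l)


def inner(u, v):
    return sum(x * y for x, y in zip(u, v))


def lwe_encrypt(s, m, rng):
    """LWE(m) as one (n+1)-vector: (a, -<a,s> + Delta*m + e) mod q."""
    a = [rng.randrange(Q) for _ in range(N_DIM)]
    e = rng.randint(-E_BOUND, E_BOUND)
    return a + [(-inner(a, s) + DELTA * m + e) % Q]


def lwe_decrypt(s, ct):
    p = (ct[-1] + inner(ct[:-1], s)) % Q
    p = p - Q if p > Q // 2 else p
    return round(p / DELTA) % T


def bit_decomp(ct):
    """Digits c_{j,k} in [0,B), most significant first, with sum_k c_{j,k}*q/B^(k+1) = c_j."""
    return [(c // GADGET[k]) % B for c in ct for k in range(L_DIGITS)]


def gsw_encrypt(s, m, rng):
    """l(n+1) rows: row (j*l + k) is LWE(0) + m * (q/B^(k+1)) * e_j, i.e. L + m*G."""
    rows = []
    for j in range(N_DIM + 1):
        for k in range(L_DIGITS):
            row = lwe_encrypt(s, 0, rng)
            row[j] = (row[j] + m * GADGET[k]) % Q
            rows.append(row)
    return rows


def external_product(gsw, lwe):
    """<GSW(m1), BitDecomp_B(LWE(m2))>: sum of each row scaled by its digit.
    The gadget parts recombine to m1 * LWE(m2); the LWE(0) rows add only small noise."""
    out = [0] * (N_DIM + 1)
    for digit, row in zip(bit_decomp(lwe), gsw):
        if digit:
            out = [(x + digit * y) % Q for x, y in zip(out, row)]
    return out


def demo(seed=7):
    """GSW(1) (x) LWE(5) decrypts to 5 and GSW(0) (x) LWE(5) to 0."""
    rng = random.Random(seed)
    s = [rng.randrange(2) for _ in range(N_DIM)]
    ct = lwe_encrypt(s, 5, rng)
    one, zero = gsw_encrypt(s, 1, rng), gsw_encrypt(s, 0, rng)
    return lwe_decrypt(s, external_product(one, ct)), lwe_decrypt(s, external_product(zero, ct))


if __name__ == "__main__":
    print(demo())
```

Because each digit is below $B$, the error contributed by the $l(n+1)$ rows of $\mathrm{LWE}(0)$ is bounded by $l(n+1)(B-1)$ times the fresh error, which is the small, message-independent noise growth that makes the external product usable inside blind rotation.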
2.5 Scheme Switching
Users need to choose an appropriate FHE scheme depending on the purpose, as each scheme has its own strengths and weaknesses. On the other hand, it is often difficult to determine the appropriate FHE scheme for data analyses or machine learning, as they require many kinds of processing. For instance, the CKKS scheme is useful for neural networks as it can handle a real number as a message and process multiple messages simultaneously, though it requires approximating activation functions with polynomials (Choi et al., 2024). TFHE, on the other hand, can evaluate any activation function, though it requires scaling messages to integers (Stoian et al., 2023). Considering these situations, it is useful to combine multiple schemes to implement complicated computations such as neural networks.
Boura et al. proposed scheme switching algorithms named CHIMERA (Boura et al., 2020). CHIMERA sets TFHE as its hub and provides algorithms to switch from TFHE to BFV or CKKS and vice versa. The transformation from TFHE to CKKS in CHIMERA packs $N/2$ TFHE ciphertexts into one polynomial and homomorphically encodes it. Finally, it evaluates the exponential function on the packed ciphertext to obtain a CKKS ciphertext. This transformation performs homomorphic decryption with GSW-based evaluation keys. Although CHIMERA provides scheme switching among the three major FHE schemes, it has been pointed out that it requires large repacking keys (Lu et al., 2021).
Lu et al. proposed scheme switching algorithms named PEGASUS (Lu et al., 2021). PEGASUS can handle a real number like CKKS and evaluate any function (LUT) homomorphically like FHEW. PEGASUS uses RGSW evaluation keys for the LUT similarly to TFHE as described in Section 2.4. Note that the gadget vector used to construct the evaluation key does not correspond to bit decomposition but to the residue number system (RNS), for efficiency, and the dimension of the vector is one. The evaluation key consists of $2n$ RGSW ciphertexts (denoted $\mathrm{EK}_{j,k}$), which contain information about the secret key. Concretely, $\mathrm{EK}_{j,k}$ encrypts the $j$-th entry $s_j$ of the secret key, and $k \in \{0, 1\}$ distinguishes the two cases $s_j = 1$ and $s_j = -1$. PEGASUS obtains $f(X) \cdot X^{\tilde b - \langle \tilde a, s\rangle}$ by repeating homomorphic multiplications by $X^{-\tilde a_j s_j}$. Finally, extracting the constant term of the ciphertext gives $\mathrm{LWE}(T(m))$.
The whole PEGASUS protocol first extracts $l$ LWE ciphertexts from the RLWE ciphertext of CKKS. It switches the parameter $n$ and the secret key of the LWE ciphertexts, applies the LUT described above, and switches $n$ and the secret key back again. Finally, it repacks the $l$ LWE ciphertexts into one RLWE ciphertext. Through the above procedure, PEGASUS utilizes the strength of CKKS in handling real numbers and that of FHEW in evaluating a LUT. Due to space limitations we have only sketched PEGASUS; refer to the original paper (Lu et al., 2021, Figures 2 and 6) for the details.
3 NTRU-BASED GSW-LIKE CIPHERTEXT
This section describes the efficient blind rotation algorithm proposed by Xiang et al. (Xiang et al., 2023). Their idea is to use NTRU-based ciphertexts (Hoffstein et al., 1998) to realize homomorphic multiplication. This algorithm shares a common feature with GSW-based blind rotation: both use bit decomposition to keep the increase of noise in the ciphertext small.
3.1 NTRU-Based GSW-Like Ciphertext
We describe an NTRU ciphertext and the $\mathrm{NTRU}'$ ciphertext proposed by Xiang et al. Their NTRU ciphertext is slightly different from the original NTRU ciphertext in that it multiplies the message by the inverse of the secret key. An NTRU ciphertext of a message $u \in R_Q$ is defined as follows:
$$\mathrm{NTRU}(u) := \tau \cdot g/f + \Delta \cdot u/f \in R_Q,$$
where $f \in R_Q$ is the secret key, which is invertible in $R_Q$, and $g \in R_Q$ is a polynomial with small coefficients. The parameters $\tau$ and $\Delta$ are determined by the FHE scheme in use; for CKKS both of them equal one. We write $/f$ for multiplication by the inverse of $f$.
An $\mathrm{NTRU}'$ ciphertext of a message $v \in R_Q$ is defined as follows:
$$\mathrm{NTRU}'(v) := \big(\tau \cdot g_0/f + v,\ \ \tau \cdot g_1/f + B \cdot v,\ \ \dots,\ \ \tau \cdot g_{d-1}/f + B^{d-1} \cdot v\big) \in R_Q^{d},$$
where $f \in R_Q$ is the secret key, which is invertible in $R_Q$, and $g_0, \dots, g_{d-1} \in R_Q$ are polynomials with small coefficients. $\tau$ and $B$ are integer parameters and $d := \lceil \log_B Q \rceil$.
Accelerating PEGASUS by Applying NTRU-Based GSW-Like Encryption
653
Homomorphic multiplication of an NTRU ciphertext and an $\mathrm{NTRU}'$ ciphertext is defined as follows. We first define the bit decomposition of a polynomial in base $B$. The bit decomposition of $h \in R_Q$ is $\mathrm{BitDecomp}(h) := (h_0, \dots, h_{d-1}) \in R_B^{d}$ such that $h = \sum_{i=0}^{d-1} h_i B^{i}$. The external product of a polynomial $h \in R_Q$ and a vector of polynomials $c \in R_Q^{d}$ is defined as
$$h \boxdot c := \big\langle \mathrm{BitDecomp}_B(h),\ c \big\rangle.$$
Homomorphic multiplication of an NTRU ciphertext and an $\mathrm{NTRU}'$ ciphertext is given by the product $\mathrm{NTRU}(u) \boxdot \mathrm{NTRU}'(v)$. We can verify it by the following equation (the scale $\Delta$ is taken as $1$ here):
$$\begin{aligned}
\mathrm{NTRU}(u) \boxdot \mathrm{NTRU}'(v) &= \sum_{i=0}^{d-1} h_i \,\big(\tau g_i/f + B^{i} \cdot v\big) \\
&= \sum_{i=0}^{d-1} h_i \,(\tau g_i/f) + \mathrm{NTRU}(u) \cdot v \\
&= \tau \Big( g \cdot v + \sum_{i=0}^{d-1} h_i g_i \Big)\Big/ f + u \cdot v/f
\end{aligned}$$
where $(h_i)_{i=0}^{d-1}$ is the decomposition of $\mathrm{NTRU}(u)$ in base $B$. As $g \cdot v + \sum_{i=0}^{d-1} h_i g_i$ is a polynomial with small coefficients under an appropriate setting, it holds that
$$\mathrm{NTRU}(u) \boxdot \mathrm{NTRU}'(v) = \mathrm{NTRU}(uv).$$
This procedure does not require decryption, and thus it is a homomorphic multiplication.
3.2 Blind Rotation with $\mathrm{NTRU}'$ Ciphertexts
We describe the blind rotation technique introduced by Xiang et al. using NTRU and $\mathrm{NTRU}'$ ciphertexts. In the rest of this section, we fix the LWE parameter $q$ with the secret key $s = (s_0, \dots, s_{n-1})$ and the NTRU parameter $Q$ with the secret key $f \in R_Q$. The degree of $R_Q$ is a power of two $N$ that is divisible by $q$. This blind rotation requires $n + 1$ evaluation keys and $q - 1$ key switching keys. The evaluation keys are defined as follows:
$$\mathrm{evk}_0 = \mathrm{NTRU}'\big(X^{s_0}/f\big), \qquad \mathrm{evk}_i = \mathrm{NTRU}'\big(X^{s_i}\big)\ \ (1 \le i \le n-1), \qquad \mathrm{evk}_n = \mathrm{NTRU}'\Big(X^{-\sum_{i=0}^{n-1} s_i}\Big).$$
The key switching keys are
$$\mathrm{ksk}_j = \mathrm{NTRU}'\big(f(X^{j})/f(X)\big), \qquad j \in S := \{\, (2N/q)\, i + 1 \mid 1 \le i \le q-1 \,\}.$$
The algorithm contains homomorphic evaluations of the automorphisms ($\mathrm{EvalAuto}_j$) that homomorphically substitute $X^{j}$ for $X$ in an NTRU ciphertext. In other words, $\mathrm{EvalAuto}_j$ transforms $\mathrm{NTRU}(u(X))$ into $\mathrm{NTRU}\big(u(X^{j})\big)$. See (Xiang et al., 2023, Section 3) for details.
We briefly review the correctness of the algorithm. The homomorphic multiplication of the accumulated value and the evaluation key $\mathrm{evk}_i$ makes the accumulated value equal to
$$\mathrm{NTRU}\Big( r\big(X^{\frac{2N}{q} w_i}\big) \cdot X^{\frac{2N}{q}\left( b w_i + \sum_{k=0}^{i-1} s_k w_k w_i \right) + s_i} \Big).$$
By evaluating the automorphism, it obtains
$$\mathrm{NTRU}\Big( r\big(X^{\frac{2N}{q} w_{i+1}}\big) \cdot X^{\frac{2N}{q}\left( b w_{i+1} + \sum_{k=0}^{i} s_k w_k w_{i+1} \right)} \Big).$$
Finally, the output becomes
$$\mathrm{NTRU}\Big( r\big(X^{\frac{2N}{q} w_{i+1}}\big) \cdot X^{\frac{2N}{q}\left( b + \sum_{k=0}^{n-1} s_k w_k \right) - \sum_{k=0}^{n-1} s_k} \Big)
= \mathrm{NTRU}\Big( r\big(X^{\frac{2N}{q}}\big) \cdot X^{\frac{2N}{q}\left( b + \sum_{i=0}^{n-1} a_i s_i \right)} \Big)$$
by the homomorphic multiplication of the accumulated value and the $n$-th evaluation key. Therefore, the blind rotation algorithm outputs an NTRU ciphertext of the blind-rotated polynomial.
As the output of the blind rotation algorithm is an NTRU ciphertext of the blind-rotated polynomial, it must be converted back to an LWE ciphertext. This operation can be performed by sample extraction (Kim et al., 2024). Let $c = (c_0, \dots, c_{N-1})$ and $f = (f_0, \dots, f_{N-1})$ be the coefficient vectors of the output $c \in R_Q$ of the algorithm and of the secret key $f \in R_Q$. We set $\hat c := (c_0, -c_{N-1}, \dots, -c_1)$; then $(\hat c, 0) \in \mathbb{Z}_Q^{N+1}$ is the desired LWE ciphertext with the secret key $f$.
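An added example (not the paper's or Xiang et al.'s code) covering two passages: the external product $\mathrm{NTRU}(u) \boxdot \mathrm{NTRU}'(v) = \mathrm{NTRU}(uv)$ of Section 3.1, and the sample extraction just described, which turns the resulting NTRU ciphertext into an LWE ciphertext of the constant term under the coefficient vector of $f$. The ring degree, modulus and base are toy values chosen here. Two further simplifications are assumptions of this example: $Q$ is a power of two and $f = 1 + 2F$ with $F$ ternary so that $f^{-1}$ can be computed by Newton iteration, and a scale $\Delta$ is used (the paper sets $\Delta = 1$ for CKKS) so that the toy messages can be recovered by rounding.

```python
import random

# Toy parameters chosen for this example (not the paper's).
N = 8               # ring degree: R_Q = Z_Q[X]/(X^N + 1)
Q = 2 ** 20         # NTRU modulus
B = 4               # decomposition base
D = 10              # d = ceil(log_B Q)
TAU = 1
DELTA = 2 ** 10     # message scale; an assumption of this example


def ring_mul(a, b):
    """Product of two coefficient lists modulo X^N + 1 and Q."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] = (res[i + j] + ai * bj) % Q
            else:
                res[i + j - N] = (res[i + j - N] - ai * bj) % Q   # X^N = -1
    return res


def ring_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def ring_scale(a, c):
    return [(x * c) % Q for x in a]


def ring_inverse(f):
    """Inverse of f in R_Q by Newton iteration x <- x(2 - f x); valid here because
    Q is a power of two and f = 1 (mod 2), so each step doubles the precision."""
    x = [1] + [0] * (N - 1)
    for _ in range(6):                               # 2^6 = 64 > 20 bits
        fx = ring_mul(f, x)
        x = ring_mul(x, [(2 - fx[0]) % Q] + [(-c) % Q for c in fx[1:]])
    return x


def small_poly(rng):
    """Ternary polynomial with coefficients in {-1, 0, 1}."""
    return [rng.randrange(-1, 2) for _ in range(N)]


def keygen(rng):
    """f = 1 + 2F with F ternary (constructed key shape, not the paper's distribution)."""
    f = [(2 * c) % Q for c in small_poly(rng)]
    f[0] = (f[0] + 1) % Q
    return f, ring_inverse(f)


def ntru_encrypt(f_inv, u, rng):
    """NTRU(u) = tau*g/f + Delta*u/f with g small."""
    g = small_poly(rng)
    return ring_mul(ring_add(ring_scale(g, TAU), ring_scale(u, DELTA)), f_inv)


def ntru_prime_encrypt(f_inv, v, rng):
    """NTRU'(v) = (tau*g_i/f + B^i * v)_{i<d} with fresh small g_i."""
    return [ring_add(ring_mul(ring_scale(small_poly(rng), TAU), f_inv), ring_scale(v, B ** i))
            for i in range(D)]


def bit_decomp(h):
    """(h_0, ..., h_{d-1}) with coefficients in [0, B) and sum_i h_i B^i = h."""
    return [[(c // B ** i) % B for c in h] for i in range(D)]


def external_product(ct, ct_prime):
    """NTRU(u) (x) NTRU'(v) = <BitDecomp_B(NTRU(u)), NTRU'(v)>."""
    out = [0] * N
    for h_i, c_i in zip(bit_decomp(ct), ct_prime):
        out = ring_add(out, ring_mul(h_i, c_i))
    return out


def centred(x):
    return x - Q if x > Q // 2 else x


def ntru_decrypt(f, ct):
    """f * ct = tau*(small) + Delta*u; round each coefficient / Delta."""
    return [round(centred(c) / DELTA) for c in ring_mul(f, ct)]


def sample_extract(ct):
    """c_hat = (c_0, -c_{N-1}, ..., -c_1); (c_hat, 0) is an LWE ciphertext of the
    constant term of the plaintext under the coefficient vector of f."""
    return [ct[0]] + [(-c) % Q for c in reversed(ct[1:])], 0


def lwe_decrypt(f, lwe):
    """b + <a, f> equals the constant coefficient of f * c, then round."""
    a, b = lwe
    return round(centred((b + sum(x * y for x, y in zip(a, f))) % Q) / DELTA)


def inverse_ok(seed=0):
    f, f_inv = keygen(random.Random(seed))
    return ring_mul(f, f_inv) == [1] + [0] * (N - 1)


def demo(seed=3):
    """External product decrypts to u*v, and sample extraction yields its constant term."""
    rng = random.Random(seed)
    f, f_inv = keygen(rng)
    u, v = small_poly(rng), small_poly(rng)
    prod = external_product(ntru_encrypt(f_inv, u, rng), ntru_prime_encrypt(f_inv, v, rng))
    expected = [centred(c) for c in ring_mul(u, v)]        # u*v over the integers
    return ntru_decrypt(f, prod) == expected, lwe_decrypt(f, sample_extract(prod)) == expected[0]
```

Decrypting `prod` with $f$ yields $\tau(g\cdot v + \sum_i h_i g_i) + \Delta\,uv$; with $B = 4$ and $d = 10$ the noise term is bounded by $d(B-1)N + N$ per coefficient, which stays below $\Delta/2$ here, so rounding recovers $uv$. The sample-extraction identity holds because $\langle \hat c, f\rangle$ is exactly the constant coefficient of $c \cdot f$ modulo $X^N + 1$.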
The whole bootstrapping procedure consists of three parts: blind rotation, modulus switching and key switching. It first applies the blind rotation algorithm above to the input LWE ciphertext. The blind rotation turns the input LWE ciphertext into an NTRU ciphertext of the blind-rotated polynomial, and an LWE ciphertext is extracted from it by sample extraction. As the modulus and the secret key of this LWE ciphertext differ from those of the input LWE ciphertext, they must be reverted to their original values. This is achieved by modulus switching and key switching. Modulus switching from $Q$ to $q$ is accomplished by $\lfloor q/Q \cdot \mathrm{LWE}(m) \rceil \bmod q$.
Key switching of an LWE ciphertext requires, as key switching keys, LWE ciphertexts containing information about the secret key $f$. The key switching keys are given by
$$\mathrm{lksk}_{i,j,v} := \mathrm{LWE}_s\big( v\, B_{ks}^{\,j}\, f_i \big),$$
where $s$ is the secret key after key switching, $B_{ks}$ and $Q_{ks}$ are integer parameters, and $i \in \mathbb{Z}_N$, $j \in \mathbb{Z}_{d_{ks}}$, $1 \le v < B_{ks}$. We set $d_{ks} := \lceil \log_{B_{ks}} Q_{ks} \rceil$. The procedure of key switching with the above key switching keys is outlined as follows. Let $(\hat a, \hat b) = (\hat a_0, \dots, \hat a_{N-1}, \hat b)$ be an LWE ciphertext and $(v_{i,0}, \dots, v_{i,d_{ks}-1})$ be the decomposition of $\hat a_i$ in base $B_{ks}$. We write $\mathrm{lksk}_{i,j,v} = (a_{i,j,v}, b_{i,j,v})$. Here, we set
$$\hat a' := \sum_{i=0}^{N-1} \sum_{\substack{j=0 \\ v_{i,j} \neq 0}}^{d_{ks}-1} a_{i,j,v_{i,j}}, \qquad \hat b' := \sum_{i=0}^{N-1} \sum_{\substack{j=0 \\ v_{i,j} \neq 0}}^{d_{ks}-1} b_{i,j,v_{i,j}} + \hat b.$$
Then it can be verified that $(\hat a', \hat b')$ is an LWE ciphertext with the secret key $s$.
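The modulus switching and LWE key switching just described, as an added example (not the paper's code): the key switching keys $\mathrm{lksk}_{i,j,v} = \mathrm{LWE}_s(v B_{ks}^{j} f_i)$ are built for $1 \le v < B_{ks}$, each $\hat a_i$ is decomposed in base $B_{ks}$, and the selected keys are summed into $(\hat a', \hat b')$. Dimensions, moduli and the error range are toy values chosen here; $Q_{ks} = Q$ is assumed for simplicity, so the example key-switches at modulus $Q$ and then modulus-switches down to $q$, and the source key $f$ is a ternary vector standing in for the coefficients of the NTRU key.

```python
import random

# Toy parameters chosen for this example (not the paper's).
N_SRC = 8            # dimension N of the extracted ciphertext (coefficients of f)
N_DST = 4            # dimension n of the target key s
Q = 2 ** 20          # modulus of the extracted ciphertext; Q_ks = Q in this example
Q_SMALL = 2 ** 12    # target modulus q
B_KS = 2 ** 5        # B_ks
D_KS = 4             # d_ks = ceil(log_{B_ks} Q) = 20 / 5
T = 16               # plaintext modulus; the scale is Q/T before and q/T after modulus switching
E_BOUND = 1          # fresh errors drawn from [-1, 1] (constructed distribution)


def inner(u, v):
    return sum(x * y for x, y in zip(u, v))


def lwe_encrypt(key, m, modulus, scale, rng):
    """(a, -<a,key> + scale*m + e) mod modulus."""
    a = [rng.randrange(modulus) for _ in range(len(key))]
    e = rng.randint(-E_BOUND, E_BOUND)
    return a, (-inner(a, key) + scale * m + e) % modulus


def lwe_decrypt(key, ct, modulus, scale):
    a, b = ct
    p = (b + inner(a, key)) % modulus
    p = p - modulus if p > modulus // 2 else p
    return round(p / scale) % T


def keyswitch_keygen(f, s, rng):
    """lksk[i][j][v] = LWE_s(v * B_ks^j * f_i), unscaled, for 1 <= v < B_ks (index 0 unused)."""
    return [[[None] + [lwe_encrypt(s, (v * B_KS ** j * f[i]) % Q, Q, 1, rng)
                       for v in range(1, B_KS)]
             for j in range(D_KS)]
            for i in range(N_SRC)]


def key_switch(lksk, ct):
    """(a_hat, b_hat) under f -> (a_hat', b_hat') under s: decompose each a_hat_i in
    base B_ks and add the key switching key selected by every non-zero digit."""
    a_hat, b_hat = ct
    a_out, b_out = [0] * N_DST, b_hat
    for i, a_i in enumerate(a_hat):
        for j in range(D_KS):
            v = (a_i // B_KS ** j) % B_KS
            if v == 0:
                continue
            a_v, b_v = lksk[i][j][v]
            a_out = [(x + y) % Q for x, y in zip(a_out, a_v)]
            b_out = (b_out + b_v) % Q
    return a_out, b_out


def modulus_switch(ct, q_from, q_to):
    """round(q_to/q_from * ct) mod q_to, component-wise."""
    a, b = ct
    return [round(x * q_to / q_from) % q_to for x in a], round(b * q_to / q_from) % q_to


def demo(seed=2, m=9):
    """Decrypt under s after key switching, and again after modulus switching to q."""
    rng = random.Random(seed)
    f = [rng.randrange(-1, 2) for _ in range(N_SRC)]   # stands in for the NTRU key coefficients
    s = [rng.randrange(2) for _ in range(N_DST)]
    lksk = keyswitch_keygen(f, s, rng)
    ct_f = lwe_encrypt(f, m, Q, Q // T, rng)           # e.g. the sample-extracted ciphertext
    ct_s = key_switch(lksk, ct_f)
    ct_q = modulus_switch(ct_s, Q, Q_SMALL)
    return lwe_decrypt(s, ct_s, Q, Q // T), lwe_decrypt(s, ct_q, Q_SMALL, Q_SMALL // T)


if __name__ == "__main__":
    print(demo())
```

The correctness argument is the one the text alludes to: $\hat b' + \langle \hat a', s\rangle = \hat b + \sum_i \big(\sum_j v_{i,j} B_{ks}^{j}\big) f_i + \sum e_{i,j} = \hat b + \langle \hat a, f\rangle + (\text{small})$, so the phase is preserved up to one fresh error per non-zero digit, and the subsequent modulus switch adds at most a rounding error of $1/2$ per component.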
The above procedure completes the bootstrapping of an LWE ciphertext with NTRU-based GSW-like keys. Thus, it finally outputs $\mathrm{LWE}(f(m))$ from the input $\mathrm{LWE}(m)$. Due to space limitations, we have only sketched the algorithm. See (Xiang et al., 2023, Section 3) for details.
4 APPLICATION TO PEGASUS
This section discusses the effects of Xiang's NTRU-based technique when applied to PEGASUS, both theoretically and experimentally.
As stated in Section 2.5, PEGASUS extracts LWE ciphertexts from an RLWE ciphertext of CKKS and evaluates a look-up table by blind rotation with RGSW-based evaluation keys. The LUT evaluation in this process can be replaced by Xiang's LUT technique. We discuss the reduction in key size and in the number of computations when the LUT is replaced. In this paper, the LUT evaluation of PEGASUS is replaced by Xiang's LUT illustrated in the previous section. The modulus $q$ of an LWE ciphertext can be changed by modulus switching, and the parameter $n$ can also be changed through the key switching executed in the PEGASUS scheme. Thus, we use the same LWE and NTRU parameter sets as proposed in (Lu et al., 2021; Xiang et al., 2023) and skip fine-tuning of parameters. Xiang et al. proposed NTRU parameters for 128-bit and 192-bit security, while Lu et al. proposed LWE parameters with at least 119-bit security. Hence, we use the 128-bit security parameters for the NTRU scheme.
4.1 Comparison of Key Size
Xiang's algorithm uses $n + 1$ $\mathrm{NTRU}'$ ciphertexts as evaluation keys, i.e. $\mathrm{evk}_i$, to hold information about the secret key, and $q - 1$ $\mathrm{NTRU}'$ ciphertexts as key switching keys, i.e. $\mathrm{ksk}_j$, to change the exponent of polynomials. Thus, it requires $n + q$ $\mathrm{NTRU}'$ ciphertexts in total. An $\mathrm{NTRU}'$ ciphertext consists of $d$ elements of $R_Q$. As the degree of a polynomial in $R_Q$ is at most $N - 1$, it requires $N \log_2 Q$ bits to represent one $R_Q$ element. Therefore, it requires $d(n + q) N \log_2 Q$ bits in total to store the evaluation keys for blind rotation.
Additionally, to complete the bootstrapping procedure, LWE key switching keys (LKSK) are also required and have to be taken into account. LKSK is composed of multiple LWE ciphertexts. The number of LWE ciphertexts is $N \times d_{ks} \times (B_{ks} - 1)$, since the indices $i, j, v$ of $\mathrm{lksk}_{i,j,v}$ satisfy $i \in \mathbb{Z}_N$, $j \in \mathbb{Z}_{d_{ks}}$ and $1 \le v < B_{ks}$. It requires $n + 1$ elements of $\mathbb{Z}_{Q_{ks}}$ to represent a single LWE ciphertext. Therefore $N \cdot d_{ks} \cdot (B_{ks} - 1) \cdot (n + 1) \log_2 Q_{ks}$ bits are necessary for LKSK. The sum of the bits of the evaluation keys and the LWE key switching keys is the number of bits required to store the keys for the bootstrapping procedure. Xiang et al. proposed the following parameters: $n = 512$, $q = N = 1024$, $d = 5$, $\log_2 Q \approx 19.9$, $\log_2 B = 4$, $\log_2 Q_{ks} = 14$, $\log_2 B_{ks} = 7$, and $d_{ks} = 2$. Substituting these values, the evaluation keys amount to 18.75 MB and the key switching keys to 222.7 MB, thus 241.4 MB in total. The difference of 0.1 is due to rounding error.
PEGASUS employs RGSW ciphertexts to evaluate a LUT. One RGSW ciphertext consists of four $R_q$ elements. The degree of a polynomial in $R_q$ is at most $N - 1$, and PEGASUS uses $2n$ RGSW ciphertexts. Hence, it requires $8 n N \log_2 q$ bits in total. With the PEGASUS parameters $n = 2^{10}$, $N = 2^{12}$ and $\log_2 q \approx 105$, the size of the evaluation key is 420 MB.
Based on the above discussion, applying the NTRU-based GSW-like technique to PEGASUS reduces the LUT evaluation key size by 178.6 MB (43%).
4.2 Comparisons of the Number of Operations
The most significant part of the computational cost in both PEGASUS and the NTRU-based algorithm is the external products, because the other parts consist of additions and multiplications of plaintexts. For this reason, we compare the computational cost of the external products. As the degrees of the polynomials used in RGSW ciphertexts and $\mathrm{NTRU}'$ ciphertexts differ, it is fair to compare the numbers of integer multiplications incurred by the external products, not the numbers of polynomial multiplications.
The external products are executed twice in the for loop of Xiang's algorithm. This for loop repeats the operation $n$ times, and there is another external product after the loop. Thus, it requires $2n + 1$ external products. One external product consists of $d$ polynomial multiplications. Taking the degree $N - 1$ of the polynomials into account, the number of necessary multiplications in $\mathbb{Z}_Q$ is $d(2n + 1) N^{2}$. We obtain $5.37 \times 10^{9}$ by substituting the aforementioned parameter values.

Table 1: Comparison of key size and the number of integer multiplications when NTRU-based GSW-like encryption is applied to PEGASUS.

                  Key size [MB]    #Integer Mult.
PEGASUS           420              1.37 x 10^11
PEGASUS+NTRU      241.4            5.37 x 10^9
Difference        178.6 (43%)      1.32 x 10^11 (96%)

PEGASUS executes $2n$ external products, resulting in $8n$ polynomial multiplications, as one external product consists of four polynomial multiplications. Therefore, it conducts $8 n N^{2}$ integer multiplications, which equals $1.37 \times 10^{11}$ with the aforementioned parameters substituted.
Hence, applying the NTRU-based GSW-like technique to PEGASUS reduces the number of integer multiplications by $1.32 \times 10^{11}$ (96%).
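The key-size formulas of Section 4.1 and the multiplication counts of Section 4.2, carried through with the quoted parameters as an added example (not code from the paper). Two assumptions about the paper's rounding are made here so that its figures are reproduced exactly: $\log_2 Q$ is taken as $\lceil 19.9 \rceil = 20$ bits per coefficient, and "MB" is read as $2^{20}$ bytes.

```python
import math

BITS_PER_MB = 8 * 2 ** 20   # assumption: MB = 2^20 bytes


def ntru_evk_bits(n, q, N, d, log2_Q):
    """n+1 evaluation keys plus q-1 key switching keys, each d elements of R_Q."""
    return d * (n + q) * N * log2_Q


def lksk_bits(n, N, d_ks, B_ks, log2_Qks):
    """N * d_ks * (B_ks - 1) LWE ciphertexts, each n+1 elements of Z_{Q_ks}."""
    return N * d_ks * (B_ks - 1) * (n + 1) * log2_Qks


def pegasus_evk_bits(n, N, log2_q):
    """2n RGSW ciphertexts of four R_q elements: 8 n N log2 q bits."""
    return 8 * n * N * log2_q


def ntru_poly_mults(n, d):
    """2n+1 external products, d polynomial multiplications each."""
    return d * (2 * n + 1)


def pegasus_poly_mults(n):
    """2n external products, four polynomial multiplications each."""
    return 8 * n


def comparison():
    """Reproduce Table 1 and the polynomial-multiplication counts of Section 4.3."""
    # Parameters quoted in the paper for the NTRU-based scheme (Xiang et al.)
    n, q, N, d = 512, 1024, 1024, 5
    log2_Q = math.ceil(19.9)             # assumption: 19.9 bits rounded up to 20
    B_ks, log2_Qks, d_ks = 2 ** 7, 14, 2
    # Parameters quoted in the paper for PEGASUS (Lu et al.)
    n_p, N_p, log2_q = 2 ** 10, 2 ** 12, 105

    evk_mb = ntru_evk_bits(n, q, N, d, log2_Q) / BITS_PER_MB
    lksk_mb = lksk_bits(n, N, d_ks, B_ks, log2_Qks) / BITS_PER_MB
    peg_mb = pegasus_evk_bits(n_p, N_p, log2_q) / BITS_PER_MB
    ntru_mults = ntru_poly_mults(n, d) * N ** 2          # d(2n+1) N^2 integer mults
    peg_mults = pegasus_poly_mults(n_p) * N_p ** 2        # 8 n N^2 integer mults
    return {
        "ntru_evk_mb": evk_mb,
        "ntru_lksk_mb": lksk_mb,
        "ntru_total_mb": evk_mb + lksk_mb,
        "pegasus_mb": peg_mb,
        "key_reduction_pct": 100 * (peg_mb - evk_mb - lksk_mb) / peg_mb,
        "ntru_poly_mults": ntru_poly_mults(n, d),
        "pegasus_poly_mults": pegasus_poly_mults(n_p),
        "ntru_mults": ntru_mults,
        "pegasus_mults": peg_mults,
        "mult_reduction_pct": 100 * (peg_mults - ntru_mults) / peg_mults,
    }


if __name__ == "__main__":
    for k, v in comparison().items():
        print(f"{k:22s} {v}")
```

Running it gives the 18.75 MB / 222.7 MB / 420 MB key sizes, the 43% and 96% reductions, and the 5125 versus 8192 polynomial multiplications (ratio about 1.60) that Section 4.3 uses to explain the measured speed-up.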
4.3 Experimental Results
We implemented the external products of both schemes discussed above. As described in the previous subsection, the elapsed time of a LUT evaluation is dominated by the time to execute the external products. Therefore, we compare the elapsed time to execute as many external products as are required for one LUT evaluation.
We implemented the external products with SageMath 10.3 (The Sage Developers, 2024), which runs on Python 3.11.8. The execution environment was a Mac mini with an Apple M2 CPU, 24 GB RAM, and macOS Ventura 13.6.3. We employed the quotient ring structure pre-implemented in SageMath to implement RLWE, RGSW, NTRU and $\mathrm{NTRU}'$ ciphertexts.
The details of our experiments are as follows. We implemented the external products of both PEGASUS and Xiang's NTRU-based algorithm and executed as many external products as each algorithm requires, that is, 2048 times for PEGASUS and 1025 times for Xiang's NTRU-based algorithm. We repeated this experiment 100 times to measure the mean time of one LUT evaluation.
The experimental results are shown in Table 2. The mean time for PEGASUS is 67.03 seconds, while that for the NTRU-based variant is 43.28 seconds.

Table 2: Experimental results: mean time and standard deviation to execute as many external products as required to perform one LUT evaluation.

                  mean time [s]    std. dev. [s]
PEGASUS           67.03            0.52
PEGASUS+NTRU      43.28            5.82

This means that replacing the GSW-based algorithm of PEGASUS with the NTRU-based algorithm improves the execution time by a factor of 1.55. Although our theoretical calculation showed that this replacement would reduce the execution time by 96%, the experimental results do not show such a reduction. We attribute this to the difference in the time required for polynomial multiplications. The theoretical 25-fold acceleration of our proposed method consists of a 16-fold acceleration of a single polynomial multiplication and a 1.6-fold reduction in the number of polynomial multiplications. Concretely, the NTRU-based LUT evaluation requires 5125 polynomial multiplications, each of which requires $1024^{2}$ integer multiplications, while the PEGASUS scheme requires 8192 polynomial multiplications, each of which requires $4096^{2}$ integer multiplications. As we implemented NTRU and RGSW using the polynomial structure of SageMath, the polynomial multiplication is optimized, which leads to only a slight difference between polynomial multiplications of different degrees. Hence, the difference between the two schemes arises only from the number of polynomial multiplications. The theoretical improvement in the number of polynomial multiplications is approximately 1.60 (= 8192/5125), which explains our experimental improvement.
5 CONCLUSION
We have discussed the effects of applying Xiang's NTRU-based GSW-like encryption to PEGASUS. We theoretically confirmed that replacing the LUT evaluation of PEGASUS with Xiang's NTRU-based blind rotation technique reduces the key size for LUT evaluation by 43% and the number of integer multiplications in external products by 96%. We also confirmed by experiments that the NTRU-based GSW-like encryption speeds up the PEGASUS scheme by a factor of 1.55.
We employed the original parameters to analyze the effects of replacing the look-up table evaluation of the original PEGASUS scheme with the NTRU-based look-up table evaluation. However, it may be possible to make the scheme more efficient by optimizing the parameter set. Our future work is to optimize the parameters of both the PEGASUS and NTRU-based schemes and compare their performance.

SECRYPT 2025 - 22nd International Conference on Security and Cryptography
REFERENCES
Al Badawi, A., Bates, J., Bergamaschi, F., Cousins, D. B., Erabelli, S., Genise, N., Halevi, S., Hunt, H., Kim, A., Lee, Y., Liu, Z., Micciancio, D., Quah, I., Polyakov, Y., R.V., S., Rohloff, K., Saylor, J., Suponitsky, D., Triplett, M., Vaikuntanathan, V., and Zucca, V. (2022). OpenFHE: Open-Source Fully Homomorphic Encryption Library. In Proceedings of the 10th Workshop on Encrypted Computing & Applied Homomorphic Cryptography, WAHC'22, pages 53–63, New York, NY, USA. Association for Computing Machinery.

Azogagh, S., Delfour, V., Gambs, S., and Killijian, M.-O. (2022). PROBONITE: PRivate One-Branch-Only Non-Interactive decision Tree Evaluation. In Proceedings of the 10th Workshop on Encrypted Computing & Applied Homomorphic Cryptography, WAHC'22, pages 23–33, New York, NY, USA. Association for Computing Machinery.

Boura, C., Gama, N., Georgieva, M., and Jetchev, D. (2020). CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes. Journal of Mathematical Cryptology, 14(1):316–338.

Cheon, J. H., Kim, A., Kim, M., and Song, Y. (2017). Homomorphic Encryption for Arithmetic of Approximate Numbers. In Takagi, T. and Peyrin, T., editors, Advances in Cryptology – ASIACRYPT 2017, pages 409–437, Cham. Springer International Publishing.

Chillotti, I., Gama, N., Georgieva, M., and Izabachène, M. (2020). TFHE: Fast fully homomorphic encryption over the torus. Journal of Cryptology, 33:34–91.

Choi, H., Woo, S. S., and Kim, H. (2024). Blind-Touch: Homomorphic Encryption-Based Distributed Neural Network Inference for Privacy-Preserving Fingerprint Authentication. In Proceedings of the AAAI Conference on Artificial Intelligence, number 2452 in AAAI'24/IAAI'24/EAAI'24, pages 21976–21985.

Ducas, L. and Micciancio, D. (2015). FHEW: Bootstrapping Homomorphic Encryption in Less Than a Second. In Oswald, E. and Fischlin, M., editors, Advances in Cryptology – EUROCRYPT 2015, pages 617–640, Berlin, Heidelberg. Springer Berlin Heidelberg.

Fan, J. and Vercauteren, F. (2012). Somewhat Practical Fully Homomorphic Encryption. Cryptology ePrint Archive, Paper 2012/144. https://eprint.iacr.org/2012/144.

Gentry, C., Sahai, A., and Waters, B. (2013). Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based. In Canetti, R. and Garay, J. A., editors, Advances in Cryptology – CRYPTO 2013, pages 75–92, Berlin, Heidelberg. Springer Berlin Heidelberg.

Geva, R., Gusev, A., Polyakov, Y., Liram, L., Rosolio, O., Alexandru, A., Genise, N., Blatt, M., Duchin, Z., Waissengrin, B., Mirelman, D., Bukstein, F., Blumenthal, D. T., Wolf, I., Pelles-Avraham, S., Schaffer, T., Lavi, L. A., Micciancio, D., Vaikuntanathan, V., Badawi, A. A., and Goldwasser, S. (2023). Collaborative privacy-preserving analysis of oncological data using multiparty homomorphic encryption. Proceedings of the National Academy of Sciences, 120(33):e2304415120.

Hoffstein, J., Pipher, J., and Silverman, J. H. (1998). NTRU: A ring-based public key cryptosystem. In Buhler, J. P., editor, Algorithmic Number Theory, pages 267–288, Berlin, Heidelberg. Springer Berlin Heidelberg.

Kim, A., Deryabin, M., Eom, J., Choi, R., Lee, Y., Ghang, W., and Yoo, D. (2024). General Bootstrapping Approach for RLWE-Based Homomorphic Encryption. IEEE Transactions on Computers, 73(1):86–96.

Lu, W.-j., Huang, Z., Hong, C., Ma, Y., and Qu, H. (2021). PEGASUS: Bridging Polynomial and Non-polynomial Evaluations in Homomorphic Encryption. In 2021 IEEE Symposium on Security and Privacy (SP), pages 1057–1073.

Lyubashevsky, V., Peikert, C., and Regev, O. (2013). On Ideal Lattices and Learning with Errors over Rings. J. ACM, 60(6).

Meyre, A., Chevallier-Mames, B., Frery, J., Stoian, A., Bredehoft, R., Montero, L., and Kherfallah, C. (2022). Concrete ML: a Privacy-Preserving Machine Learning Library using Fully Homomorphic Encryption for Data Scientists. https://github.com/zama-ai/concrete-ml.

Regev, O. (2005). On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. In Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, STOC '05, pages 84–93, New York, NY, USA. Association for Computing Machinery.

Stoian, A., Frery, J., Bredehoft, R., Montero, L., Kherfallah, C., and Chevallier-Mames, B. (2023). Deep Neural Networks for Encrypted Inference with TFHE. In Dolev, S., Gudes, E., and Paillier, P., editors, Cyber Security, Cryptology, and Machine Learning, pages 493–500, Cham. Springer Nature Switzerland.

The Sage Developers (2024). SageMath, the Sage Mathematics Software System (Version 10.3). https://www.sagemath.org.

Xiang, B., Zhang, J., Deng, Y., Dai, Y., and Feng, D. (2023). Fast Blind Rotation for Bootstrapping FHEs. In Handschuh, H. and Lysyanskaya, A., editors, Advances in Cryptology – CRYPTO 2023, pages 3–36, Cham. Springer Nature Switzerland.

Zama (2022). TFHE-rs: A Pure Rust Implementation of the TFHE Scheme for Boolean and Integer Arithmetics Over Encrypted Data. https://github.com/zama-ai/tfhe-rs.