{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T04:14:55Z","timestamp":1778040895810,"version":"3.51.4"},"reference-count":50,"publisher":"International Association for Cryptologic Research","issue":"1","license":[{"start":{"date-parts":[[2025,10,7]],"date-time":"2025-10-07T00:00:00Z","timestamp":1759795200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,12,2]]},"abstract":"Fully Homomorphic encryption allows the evaluation of any circuits over encrypted data while preserving the privacy of the data. However, without any additional properties, no guarantee is provided for the privacy of the circuits which are evaluated.<\/jats:p>\n A sanitization algorithm allows to destroy all previous information about how a ciphertext was obtained, ensuring that the circuit which was evaluated remains secret. In this paper, we present two new techniques to randomize RLWE ciphertexts, and show how they can be used to achieve ciphertext sanitization for the TFHE scheme proposed by Chilotti et al.\u00a0(Asiacrypt 2016), by modifying the bootstrapping procedure internally.<\/jats:p>\n Our first technique relies on a generalization of the strategy proposed by Bourse et al.\u00a0(Crypto 2016) to the ring setting. Using a backward induction over the circuit size, we also improve on their proof technique to avoid randomization at each step of the computation, enabling faster randomization and smaller noise growth. While this first approach adapts well in theory, we show evidence that it fails to provide a practical solution and propose a second solution with more realistic parameters at the cost of using an additional public key.<\/jats:p>\n As an additional contribution, we improve on the prohibitive size of the public key by relaxing the circuit privacy property to its computational counterpart, and build an efficient public randomizer composed of an RLWE-based public key encryption with additional properties on the ciphertexts distribution. We show that this randomizer can be used in the soak-and-spin paradigm of Ducas and Stehl\u00e9 (Eurocrypt 2016) as well, and that it yields a significant improvement, mainly in the size of the public key.<\/jats:p>\n As a proof of concept, we provide a C implementation of our sanitization strategy, which shows that a sanitized LWE ciphertext can be obtained almost for free compared to a bootstrapped LWE ciphertext assuming many discrete Gaussian samples at hand.<\/jats:p>","DOI":"10.62056\/ayl8ksuc2","type":"journal-article","created":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T18:09:08Z","timestamp":1777918148000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["Plug-and-play sanitization for TFHE"],"prefix":"10.62056","volume":"3","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6014-2436","authenticated-orcid":false,"given":"Florian","family":"Bourse","sequence":"first","affiliation":[{"name":"Independent Scholar","place":["France"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0216-7958","authenticated-orcid":false,"given":"Malika","family":"Izabachene","sequence":"additional","affiliation":[{"name":"ETIS UMR 8051, CY Cergy Paris Universit\u00e9, ENSEA, CNRS","place":["France"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"48349","published-online":{"date-parts":[[2026,5,4]]},"reference":[{"key":"ref1:STOC:Regev05","doi-asserted-by":"publisher","first-page":"84","DOI":"10.1145\/1060590.1060603","article-title":"On lattices, learning with errors, random linear codes, and\n cryptography","author":"Oded Regev","year":"2005"},{"key":"ref2:STOC:Gentry09","doi-asserted-by":"publisher","first-page":"169","DOI":"10.1145\/1536414.1536440","article-title":"Fully homomorphic encryption using ideal lattices","author":"Craig Gentry","year":"2009"},{"key":"ref3:C:Brakerski12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"868","DOI":"10.1007\/978-3-642-32009-5_50","article-title":"Fully Homomorphic Encryption without Modulus Switching from\n Classical GapSVP","volume":"7417","author":"Zvika Brakerski","year":"2012"},{"key":"ref4:ITCS:BraGenVai12","doi-asserted-by":"publisher","first-page":"309","DOI":"10.1145\/2090236.2090262","article-title":"(Leveled) fully homomorphic encryption without\n bootstrapping","author":"Zvika Brakerski","year":"2012"},{"key":"ref5:FanVer12","volume-title":"Somewhat Practical Fully Homomorphic Encryption","author":"Junfeng Fan","year":"2012"},{"key":"ref6:AC:CKKS17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"409","DOI":"10.1007\/978-3-319-70694-8_15","article-title":"Homomorphic Encryption for Arithmetic of Approximate\n Numbers","volume":"10624","author":"Jung Hee Cheon","year":"2017"},{"key":"ref7:PROVSEC:CheZha17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"285","DOI":"10.1007\/978-3-319-68637-0_18","article-title":"Bootstrapping Fully Homomorphic Encryption with Ring\n Plaintexts Within Polynomial Noise","volume":"10592","author":"Long Chen","year":"2017"},{"key":"ref8:ICALP:MicSor18","series-title":"LIPIcs","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ICALP.2018.100","article-title":"Ring Packing and Amortized FHEW Bootstrapping","volume":"107","author":"Daniele Micciancio","year":"2018"},{"key":"ref9:AC:GuiPervLe23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-981-99-8736-8_1","article-title":"Amortized Bootstrapping Revisited: Simpler,\n Asymptotically-Faster, Implemented","volume":"14443","author":"Antonio Guimar\u00e3es","year":"2023"},{"key":"ref10:C:AlpPei14","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"297","DOI":"10.1007\/978-3-662-44371-2_17","article-title":"Faster Bootstrapping with Polynomial Error","volume":"8616","author":"Jacob Alperin-Sheriff","year":"2014"},{"key":"ref11:EC:DucMic15","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"617","DOI":"10.1007\/978-3-662-46800-5_24","article-title":"FHEW: Bootstrapping Homomorphic Encryption in Less Than a\n Second","volume":"9056","author":"L\u00e9o Ducas","year":"2015"},{"key":"ref12:EC:CHKKS18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"360","DOI":"10.1007\/978-3-319-78381-9_14","article-title":"Bootstrapping for Approximate Homomorphic Encryption","volume":"10820","author":"Jung Hee Cheon","year":"2018"},{"key":"ref13:JC:CGGI20","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1007\/s00145-019-09319-x","article-title":"TFHE: Fast Fully Homomorphic Encryption Over the Torus","volume":"33","author":"Ilaria Chillotti","year":"2020","journal-title":"Journal of Cryptology"},{"key":"ref14:CCS:CheLaiRin17","doi-asserted-by":"publisher","first-page":"1243","DOI":"10.1145\/3133956.3134061","article-title":"Fast Private Set Intersection from Homomorphic Encryption","author":"Hao Chen","year":"2017"},{"key":"ref15:CCS:CMGDIL21","doi-asserted-by":"publisher","first-page":"1135","DOI":"10.1145\/3460120.3484760","article-title":"Labeled PSI from Homomorphic Encryption with Reduced\n Computation and Communication","author":"Kelong Cong","year":"2021"},{"key":"ref16:C:BGGJKR18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"565","DOI":"10.1007\/978-3-319-96884-1_19","article-title":"Threshold Cryptosystems from Threshold Fully Homomorphic\n Encryption","volume":"10991","author":"Dan Boneh","year":"2018"},{"key":"ref17:ICALP:AgrSteYad22","series-title":"LIPIcs","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ICALP.2022.8","article-title":"Round-Optimal Lattice-Based Threshold Signatures,\n Revisited","volume":"229","author":"Shweta Agrawal","year":"2022"},{"key":"ref18:C:OstPasPas14","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"536","DOI":"10.1007\/978-3-662-44371-2_30","article-title":"Maliciously Circuit-Private FHE","volume":"8616","author":"Rafail Ostrovsky","year":"2014"},{"key":"ref19:C:GenHalVai10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"155","DOI":"10.1007\/978-3-642-14623-7_9","article-title":"i-Hop Homomorphic Encryption and Rerandomizable Yao\n Circuits","volume":"6223","author":"Craig Gentry","year":"2010"},{"key":"ref20:EC:DucSte16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"294","DOI":"10.1007\/978-3-662-49890-3_12","article-title":"Sanitization of FHE Ciphertexts","volume":"9665","author":"L\u00e9o Ducas","year":"2016"},{"key":"ref21:SCN:AbbPre20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"492","DOI":"10.1007\/978-3-030-57990-6_24","article-title":"Cryptographic Divergences: New Techniques and New\n Applications","volume":"12238","author":"Marc Abboud","year":"2020"},{"key":"ref22:C:BPMW16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"62","DOI":"10.1007\/978-3-662-53008-5_3","article-title":"FHE Circuit Privacy Almost for Free","volume":"9815","author":"Florian Bourse","year":"2016"},{"key":"ref23:C:GenSahWat13","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"75","DOI":"10.1007\/978-3-642-40041-4_5","article-title":"Homomorphic Encryption from Learning with Errors:\n Conceptually-Simpler, Asymptotically-Faster, Attribute-Based","volume":"8042","author":"Craig Gentry","year":"2013"},{"key":"ref24:BraVai14","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/2554797.2554799","article-title":"Lattice-based FHE as secure as PKE.","author":"Zvika Brakerski","year":"2014"},{"key":"ref25:CIC:Kluczniak24","doi-asserted-by":"publisher","first-page":"33","DOI":"10.62056\/av11c3w9p","article-title":"Circuit Privacy for FHEW\/TFHE-Style Fully Homomorphic\n Encryption in Practice","volume":"1","author":"Kamil Kluczniak","year":"2024","journal-title":"CiC"},{"key":"ref26:EPRINT:HwaMinSon25","volume-title":"Ciphertext-Simulatable HE from BFV with Randomized\n Evaluation","author":"Intak Hwang","year":"2025"},{"key":"ref27:WAHC:MicPol21","doi-asserted-by":"publisher","first-page":"17","DOI":"10.1145\/3474366.3486924","article-title":"Bootstrapping in FHEW-like Cryptosystems","author":"Daniele Micciancio","year":"2021"},{"key":"ref28:AFRICACRYPT:BonDucFil18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"217","DOI":"10.1007\/978-3-319-89339-6_13","article-title":"Large FHE Gates from Tensored Homomorphic Accumulator","volume":"10831","author":"Guillaume Bonnoron","year":"2018"},{"key":"ref29:RSA:CarIzaMol19","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"106","DOI":"10.1007\/978-3-030-12612-4_6","article-title":"New Techniques for Multi-value Input Homomorphic Evaluation\n and Applications","volume":"11405","author":"Sergiu Carpov","year":"2019"},{"key":"ref30:TCHES:GuiBorAra21","doi-asserted-by":"publisher","first-page":"229","DOI":"10.46586\/tches.v2021.i2.229-253","article-title":"Revisiting the functional bootstrap in TFHE","volume":"2021","author":"Antonio Guimar\u00e3es","year":"2021","journal-title":"IACR TCHES","ISSN":"https:\/\/id.crossref.org\/issn\/2569-2925","issn-type":"electronic"},{"key":"ref31:AC:CLOT21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"670","DOI":"10.1007\/978-3-030-92078-4_23","article-title":"Improved Programmable Bootstrapping with Larger Precision\n and Efficient Arithmetic Circuits for TFHE","volume":"13092","author":"Ilaria Chillotti","year":"2021"},{"key":"ref32:PKC:LeeYoo23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1007\/978-3-031-31371-4_2","article-title":"Discretization Error Reduction for High Precision Torus\n Fully Homomorphic Encryption","volume":"13941","author":"KangHoon Lee","year":"2023"},{"key":"ref33:C:MicMol11","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"465","DOI":"10.1007\/978-3-642-22792-9_26","article-title":"Pseudorandom Knapsacks and the Sample Complexity of LWE\n Search-to-Decision Reductions","volume":"6841","author":"Daniele Micciancio","year":"2011"},{"key":"ref34:PKC:MKMS22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"163","DOI":"10.1007\/978-3-030-97131-1_6","article-title":"Efficient Lattice-Based Inner-Product Functional\n Encryption","volume":"13178","author":"Jose Maria Bermudo Mera","year":"2022"},{"key":"ref35:STOC:GenPeiVai08","doi-asserted-by":"publisher","first-page":"197","DOI":"10.1145\/1374376.1374407","article-title":"Trapdoors for hard lattices and new cryptographic\n constructions","author":"Craig Gentry","year":"2008"},{"key":"ref36:C:Peikert10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"80","DOI":"10.1007\/978-3-642-14623-7_5","article-title":"An Efficient and Parallel Gaussian Sampler for Lattices","volume":"6223","author":"Chris Peikert","year":"2010"},{"key":"ref37:EC:MicPei12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"700","DOI":"10.1007\/978-3-642-29011-4_41","article-title":"Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller","volume":"7237","author":"Daniele Micciancio","year":"2012"},{"key":"ref38:STOC:BLPRS13","doi-asserted-by":"publisher","first-page":"575","DOI":"10.1145\/2488608.2488680","article-title":"Classical hardness of learning with errors","author":"Zvika Brakerski","year":"2013"},{"key":"ref39:MicReg07","doi-asserted-by":"publisher","first-page":"267","DOI":"10.1137\/S0097539705447360","article-title":"Worst-case to average-case reductions based on gaussian\n measures","volume":"37","author":"Daniele Micciancio","year":"2007","journal-title":"SIAM J. Comput."},{"key":"ref40:Banaszczyk93","doi-asserted-by":"publisher","first-page":"625","DOI":"10.1007\/bf01445125","article-title":"New bounds in some transference theorems in the geometry of\n numbers","volume":"296","author":"Wojciech Banaszczyk","year":"1993","journal-title":"Mathematische Annalen"},{"key":"ref41:AC:AGHS13","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"97","DOI":"10.1007\/978-3-642-42033-7_6","article-title":"Discrete Gaussian Leftover Hash Lemma over Infinite\n Domains","volume":"8269","author":"Shweta Agrawal","year":"2013"},{"key":"ref42:C:KLSS23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"549","DOI":"10.1007\/978-3-031-38545-2_8","article-title":"Toward Practical Lattice-Based Proof of Knowledge from\n Hint-MLWE","volume":"14085","author":"Duhyeong Kim","year":"2023"},{"key":"ref43:AC:SSTX09","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"617","DOI":"10.1007\/978-3-642-10366-7_36","article-title":"Efficient Public Key Encryption Based on Ideal Lattices","volume":"5912","author":"Damien Stehl\u00e9","year":"2009"},{"key":"ref44:EC:LyuPeiReg10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-642-13190-5_1","article-title":"On Ideal Lattices and Learning with Errors over Rings","volume":"6110","author":"Vadim Lyubashevsky","year":"2010"},{"key":"ref45:EC:LyuPeiReg13","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"35","DOI":"10.1007\/978-3-642-38348-9_3","article-title":"A Toolkit for Ring-LWE Cryptography","volume":"7881","author":"Vadim Lyubashevsky","year":"2013"},{"key":"ref46:C:LiuWan20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"296","DOI":"10.1007\/978-3-030-56880-1_11","article-title":"Rounding in the Rings","volume":"12171","author":"Feng-Hao Liu","year":"2020"},{"key":"ref47:DGKS21","doi-asserted-by":"publisher","first-page":"87","DOI":"10.1515\/jmc-2020-0029","article-title":"Towards a Ring Analogue of the Leftover Hash Lemma","volume":"15","author":"Dana Dachman-Soled","year":"2021","journal-title":"J. Math. Cryptol."},{"key":"ref48:EPRINT:Kluczniak22b","volume-title":"Circuit Privacy for FHEW\/TFHE-Style Fully Homomorphic\n Encryption in Practice","author":"Kamil Kluczniak","year":"2022"},{"key":"ref49:APS15","doi-asserted-by":"publisher","DOI":"10.1515\/jmc-2015-0016","article-title":"On the concrete hardness of Learning with Errors","author":"Martin R. Albrecht","year":"2015","journal-title":"Journal of Mathematical Cryptology. Volume 9, Issue 3, Pages\n 169\u2013203, ISSN (Online) 1862-2984"},{"key":"ref50:C:MicWal17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"455","DOI":"10.1007\/978-3-319-63715-0_16","article-title":"Gaussian Sampling over the Integers: Efficient, Generic,\n Constant-Time","volume":"10402","author":"Daniele Micciancio","year":"2017"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T04:00:48Z","timestamp":1778040048000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/3\/1\/3"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,4]]},"references-count":50,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,5,4]]}},"URL":"https:\/\/doi.org\/10.62056\/ayl8ksuc2","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,5,4]]},"assertion":[{"value":"2025-10-07","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-12-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-4-26"}}