2.1  Definitions of Symbols

Table 1  Definitions of symbols.

The notations used in this paper are shown in Table 1. The LUTs containing input and output entries of a given function are denoted as \(T_{in}\) and \(T_{out}\), respectively. For example, assuming an single-input function \(f(x)=|x|\), where \(x\) is an Integer satisfying \(-2\le x\le 2\); then we have \(T_{in}=[-2, -1, 0, 1, 2]\) and \(T_{out}=[2, 1, 0, 1, 2]\), where \(f(T_{in}(i))=T_{out}(i)\) and \(i\) shows the index of LUTs. We denote vectors in bold lowercase letters and matrices in uppercase letters, i.e., \(ct(\boldsymbol{a})\), and \(ct(A(i))\) represent an encrypted vector \(\boldsymbol{a}\), and an encrypted \(i\)-th row of matrix \(A\), respectively.

2.2  SIMD Operation over Fully Homomorphic Encryption

Element-wise single instruction multiple data (SIMD) operations with FHE were introduced by N. P. Smart and F. Vercauterenin [27] in 2014. A vector that holds \(l\) elements is encrypted as a single ciphertext by the word-wise FHE, where each element is called a slot [24]. An element is an Integer that is handled on modulo computation within a given modulus. For example, assuming two vectors \(\boldsymbol{x}:=[x_0,x_1,\ldots,x_{l-1}]\) and \(\boldsymbol{y}:=[y_0,y_1,\ldots,y_{l-1}]\) are encrypted by \(Enc(\boldsymbol{x})\) and \(Enc(\boldsymbol{y})\). The SIMD operation enables element-wise addition and multiplication as follows:

2.3  Private Information Retrieval over FHE

Private information retrieval (PIR) was first introduced by Chor et al. [28]. PIR hides users’ access information from a database when they search for data from the database. The main idea is as follows. Given a private database \(\boldsymbol{D}\), where \(\boldsymbol{D}:=[d_0,\ldots,d_{l-1}]\). To hide the access information from the database, the user makes a vector \(\boldsymbol{q}:=[0,\ldots,1,\ldots,0]\), where only the index of the target data element is one and the other elements are zero. Then, the user sends the ciphertext of PIR query \(ct(\boldsymbol{q})\) to the database. After receiving \(ct(\boldsymbol{q})\), the database computes the encrypted inner product \(\boldsymbol{D}\cdot ct(\boldsymbol{q})\), followed by sending back the inner product, i.e., the result, to the user. It is important to note that the result of the calculation between a plaintext and a ciphertext is a ciphertext. Since all of the operations in the database are over ciphertexts, we can hide the user’s access information from the database.

3.1  Polynomial Approximation-Based Methods

Polynomial approximation with FHE was initially introduced by Xie et al. in 2014 [13]. However, the approximation method encounters errors, particularly when operating with inputs beyond the predefined range. Additionally, achieving more accurate outputs demands higher polynomial degrees, resulting in long latency due to the necessity of a larger multiplication level.

Chabanne et al. [14] applied polynomial approximation to the ReLU function, utilizing degrees ranging from 2 to 6. This approach yielded accuracy ranging from 97.55% (2 degrees) to 97.91% (6 degrees) when applied to their neural network. E. Lee et al. [15] and J. Lee et al. [16] proposed utilizing a composition of minimax approximated polynomials with low degrees for functions such as Sign [15], ReLU [16], and max-pooling [16]. E. Lee et al.’s algorithm determined the optimal set of degrees for the minimax composite polynomial by considering the number of non-scalar multiplications and depth consumption. This approach effectively reduced function runtime by an average of 45% [15]. While E. Lee et al. achieved low degrees of polynomial approximation, the range of applicability for the approximation method remains limited.

3.2  Lookup Table-Based Methods

Crawford et al. [17], Chillotti et al. [18], Carpov et al. [19], Micciancio et al. [20], and Liu et al. [21] employed homomorphic table lookup to implement complex operations, utilizing bit-wise FHE. The naive bit-wise LUT incurs a computation cost of \(O(s\cdot 2^d)\), where \(d\) represents the input bit-length and \(s\) signifies the output bit-length of a given function.

Boura et al. [29] and Lu et al. [22] introduced a technique that enables seamless transitions between polynomial and non-polynomial functions on encrypted data. This approach allows the evaluation of arithmetic functions using word-wise encoding FHE to enhance efficiency, as seen with schemes like CKKS [30], while assessing LUTs through bit-wise encoding FHE for functions that cannot be decomposed into additions and multiplications, as exemplified by FHEW [31]. Maeda et al. [23] introduced a LUT method for uni/bivariate functions using word-wise FHE. However, Maeda et al. and Lu et al. [22], [23] did not address the solution for multi-input functions with inputs exceeding two.

3.3  Summary

In summary, the problems to be solved are that 1) polynomial approximation introduces inherent errors, making it unable to adapt to exact calculations; 2) bit-wise LUT methods suffer from long latencies that increase exponentially with the bit-length of the function’s input(s) and output; and 3) current word-wise LUT methods cannot handle multi-input functions with more than two inputs.

4.1  System Overview

The proposed method involves three parties as shown in Fig. 2: 1) a user responsible for sending input value(s) of a given function, 2) a computational server (CS) which can be a cloud server tasked with function evaluation, and 3) a trusted authority (TA) responsible for managing the FHE key pairs and operating as a decryption server without knowing raw input and output data. The user and the CS are assumed to be semi-honest, while the TA is assumed to be honest; the three parties are deemed not to collude.

During the initialization phase, the TA generates a set of FHE keys, including the public key (PK) used for encryption, the secret key (SK) used for decryption, the relinearization key (RK) used for reducing ciphertext size, and the Galois key (GK) used for slot rotation within a ciphertext. The TA retains the SK while sharing the RK and GK with the CS, and distributing the PK to the other two parties.

The pre-computed LUTs for a given function are encrypted and stored within the CS, where an LUT provider also retains the PK. Both the input and output LUTs contain the input values and their corresponding outputs that satisfy the relationship \(f(T_{in}(i))=T_{out}(i)\), where \(i\) denotes the LUT index. The encrypted LUTs can be provided by users, the CS, or a third party, but not by the TA as the TA holds the secret key. The processing steps are shown in Fig. 2.

In the following, we explain 1) the preparation scheme of LUT data points, 2) the construction of LUTs, 3) the table separation scheme, and 4) the detailed LUT processing steps.

Fig. 2  The overview of our proposed system.

4.2  Preparation of LUT Data Points

We prepare a given function’s data points, i.e., input values, before constructing the LUTs. First, we select the data points for the LUTs. Then, we convert all decimal points representing input values to integers because we adopt the BFV scheme [34] handing integers only. Finally, we add several redundant data points to the LUTs to prevent the TA from obtaining matched-index-related knowledge, such as statistics. The following subsections describe the three steps in detail.

4.3  Construction of LUT

This subsection explains the construction method of LUTs. We first explain the single-input function case followed by the multi-input function case.

4.3.1  LUTs for Single-Input Functions

We construct input LUT \(T_{in}\) and output LUT \(T_{out}\) of a given single-input function \(f(x)\). The \(T_{in}\) stores input data points for \(f(x)\), while \(T_{out}\) stores corresponding outputs. All the data points in \(T_{in}\) are sorted in order.

In the following, \(\boldsymbol{x}\) represents a vector that contains the prepared input data points for \(f(\boldsymbol{x})\). In the example illustrated in Fig. 3, we define \(\boldsymbol{x} :=[-4,-3,-2,-1,0,1,2,4]\), where the plaintext space ranges from \(-4\) to \(4\). The vector \(f(\boldsymbol{x})\) represents the corresponding output data points for \(\boldsymbol{x}\), denoted as \(f(\boldsymbol{x})=[f(-4),f(-3),f(-2),f(-1),f(0),f(1),f(2), f(4)]\). The straightforward construction of \(T_{in}\) and \(T_{out}\) is to meet the conditions \(T_{in}(i)= \boldsymbol{x}(i)\) and \(T_{out}(i)= f(\boldsymbol{x}(i))\) for all indices \(i\) that satisfy \(0\le i\le 7\).

Fig. 3  An example of constructing LUTs for single-input function.

As explained in Sect. 2.2, we accelerate LUT processing, which involves 1) searching for the matched element \(\boldsymbol{x}(i)\) of the input in \(T_{in}\) and 2) extracting the corresponding output from \(T_{out}\), by SIMD operations. In order to implement SIMD operations, we transform the LUTs into a two-dimensional format, as detailed below:

\[\begin{equation*} \begin{aligned} & T_{in}(indIn_{row},indIn_{col})=T_{in}(i) \\ & T_{out}(indOut_{row},indOut_{col})=T_{out}(i), \end{aligned} \tag{2} \end{equation*}\]

where \(indIn_{row}=indOut_{row}=\lfloor i/l \rfloor\) and \(indIn_{col}=indOut_{col}=i \mod l\).

Referring to the example in Fig. 3, every row in \(T_{in}\) and \(T_{out}\) represents a ciphertext whose slot size is \(l\). This structure facilitates column-wise addition and multiplication by slot-wise computation [24]. Additionally, we can leverage the multi-threading technique for row-wise parallelization.

4.3.2  LUTs for Multi-Input Functions

In the case of a multi-input function, we consider \(m\) input vectors denoted as \(\boldsymbol{x}_0,\boldsymbol{x}_1,\ldots,\boldsymbol{x}_{m-1}\), along with a single output vector whose each element corresponds to \(f(\boldsymbol{x}_0,\boldsymbol{x}_1,\ldots,\boldsymbol{x}_{m-1})\). Regarding the LUTs, we prepare \(m\)-input LUTs denoted as \(T_{in}^j\), where \(0\le j<m\). Additionally, there is one output LUT referred to as \(T_{out}\), with a size of \(|T_{out}|=\prod_{j=0}^{m-1}|T^{j}_{in}|\).

The index of corresponding output for the \(m\)-dimensional inputs \(\boldsymbol{x}_0(i_0),\ldots,\boldsymbol{x}_{m-1}(i_{m-1})\) is \(f(\boldsymbol{x}_0(i_0),\ldots,\)\(\boldsymbol{x}_{m-1}(i_{m-1}))\) whose index in \(T_{out}\) is \((indOut_{row},indOut_{col})\), where \(indOut_{row}=\lfloor ind_{out} / l\rfloor\) and \(indOut_{col}=ind_{out}\mod l\), and

\[\begin{equation*} \begin{aligned} ind_{out}&=\sum_{j=0}^{m-2} \left( \prod_{z=j+1}^{m-2}\big(|T^{z}_{in}|\big) \times i_{j} \right)+i_{m-1}\\ \end{aligned} \tag{3} \end{equation*}\]

The LUTs construction example of a 6-bit 2-input function is shown in Fig. 4 and Fig. 5. In this example, the number of data points \(|T_{in}|=64\), and the number of slots \(l=8\), \(T_{in}^0:=\boldsymbol{x}_0\) and \(T_{in}^1:=\boldsymbol{x}_1\). \(T_{in}^0(i_0)\) and \(T_{in}^1(i_1)\) are transferred into two dimensional \(T_{in}^0(indIn_{row}^0, indIn_{col}^0)\) and \(T_{in}^1(indIn_{row}^1, indIn_{col}^1)\), respectively. When \(i_0=30\) and \(i_1=41\), we have \(T_{in}^0(indIn_{row}^0, indIn_{col}^0)=(\lfloor 30/8\rfloor, 30\mod 8)=(3,6)\) and, \(T_{in}^1(indIn_{row}^1, indIn_{col}^1)=(\lfloor 41/8\rfloor, 41\mod 8)=(5,1)\).

Fig. 4  An example of multi-input function’s \(T_{in}\).

Fig. 5  An example of multi-input function’s \(T_{out}\).

The output LUT holds \(|T^0_{in}|\times |T^1_{in}|=64\times 64=4096\) corresponding data points. When \(i_0=30\) and \(i_1=41\), the index of corresponding output is computed by Eq. (3) as \(ind_{out}=64\times 30+41=1961\) and \(T_{out}(indOut_{row},indOut_{col})=(\lfloor 1961/8\rfloor, 1961\mod 8)=(245,1)\).

4.4  Table Separation

In order to shorten the runtime of LUT processing, we present our table separation technique [25]. In the BFV scheme [34] in Microsoft/SEAL [35], three primary parameters impact the runtime of FHE computations: the degree of polynomial modulus, the coefficient modulus, and the plaintext modulus (plaintext space). When a large plaintext space is needed to implement LUTs, meaning a large plaintext modulus, the consumption of the noise budget for each operation increases significantly, necessitating a greater noise budget for the initial ciphertext. Although it is possible to allocate more noise budget to the initially encrypted ciphertext using a larger coefficient modulus, this also considerably extends the runtime. Note that the polynomial modulus sets a limit on the maximum coefficient modulus, and a larger polynomial modulus supports more slots but leads to an increase in runtime.

Hence, reducing the plaintext space is essential to shorten the runtime of LUT processing. The subsequent table separation technique reduces the LUT’s table size, contributing to the reduction of the plaintext space.

Let us assume we set the plaintext space as \(w\)-bit and decompose a \(u\)-bit large integer \(a\) to \(w\)-bit small integers \(a_0,a_1,\ldots,a_{t-1}\), where \(t=\lceil u/w\rceil\), shown in Eq. (4).

Each small integer is stored in the same index of the corresponding sub-table. For example, we can decompose the 6-bit integer 45 to three 2-bit integers such that \(a_0=1, a_1=3, a_2=2\), i.e., \(45=1+3\times 2^2+2\times 2^4\), and store in three sub-tables, i.e., \(L^{a_0},L^{a_1}\), and \(L^{a_2}\) separately.

We can apply the aforementioned technique to both the input and output LUTs; nevertheless, a limitation exists for the input LUT. The table separation technique can solely be applied to the input LUT only when full data points, specifically \(2^u\) data points, are supplied.

4.5  LUT Processing with FHE

This subsection details the primary steps of our proposed LUT processing using FHE, facilitating the evaluation of arbitrary multi-input functions with both exact and nearby matching, where nearby matching returns the closest data point to the input while exact matching returns the matched data point.

The CS retains the encrypted LUTs and performs FHE-based LUT processing by communicating with the TA. The process consists of six key steps, enumerated as follows. (Each step is indicated by the corresponding number in parentheses in Fig. 2.)

Step 1: For a single-input function, the user sends both a ciphertext of the input \(ct(\boldsymbol{c})\) and a ciphertext of the artificial noise \(ct(\boldsymbol{r}_{noise})\) to the CS. Here, \(ct(\boldsymbol{c})=Enc([c,\ldots,c])\), where every element is filled with the same input value \(c\) for the function and \(|\boldsymbol{c}|=l\), i.e., slot size of the ciphertext. The vector \(ct(\boldsymbol{r}_{noise})\) is utilized to conceal the function’s output from the TA in Step 6, where \(|\boldsymbol{r}_{noise}|=l\) and every element is filled with different random value.

For an \(m\)-input function, the user sends \(m\)-fold inputs, denoted as \(ct(\boldsymbol{c}_0),\ldots,ct(\boldsymbol{c}_{m-1})\), along with artificial noise \(\boldsymbol{r}_{noise}\) to the CS, where \(c_j(0\le j<m-1)\) represents the \(j\)-th encrypted input vector of the \(m\)-input function, and \(ct(\boldsymbol{c}_j) \gets Enc([c_j,\ldots,c_j])\), with \(|\boldsymbol{c}_j|=l\).

Step 2: The CS generates the intermediate result \(ct(R^j)\) for input \(ct(\boldsymbol{c}_j)\), and subsequently sends it to the TA. The intermediate result \(ct(R^j)\) comprises the differences between each data point in \(T_{in}^j\) and the function’s input \(ct(\boldsymbol{c}_j)\). As shown in Fig. 6, the intermediate result \(ct(R^j)\) is composed of the same number of ciphertexts as \(ct(T_{in}^j)\). Here, \(ct(R^j(g))\) represents a single ciphertext consisting of \(l\)-fold data, where \(0\le g<\lceil |T_{in}^j|/l \rceil\).

The evaluation of Eq. (5) can be parallelized with \(g\), i.e., ciphertext by ciphertext, by adopting multi-threading.

In the example shown in Fig. 6, we consider the inputs \(c\) as 8, the slot size \(l\) as 4, and \(|T_{in}|=12\). The encrypted input \(ct(\boldsymbol{c})\) is a ciphertext that encrypts a vector with all elements set to the input value 8. Utilizing multi-threading, we simultaneously calculate the intermediate result \(ct(R(g))\) for \(0\le g< 3\), running in parallel with \(g\).

Fig. 6  Example of preparing intermediate result.

Step 3: The TA decrypts the received intermediate result \(ct(R)\) and then identifies the index of the corresponding data point within \(ct(T_{in})\). Note that for multi-input functions, this step is repeated for each input. Due to the TA’s lack of knowledge about the input and the data points stored in \(ct(T_{in})\), even after decrypting \(ct(R)\), the matched data point is not revealed to the TA. The TA is only informed of the index of the matched data point. Furthermore, as elucidated in Sect. 4.2.3, since \(T_{in}\) incorporates distinct data points through the inclusion of redundant data points in every LUT processing, the TA cannot deduce the data points even upon observing a sequence of decrypted \(ct(R)\) results.

When the function’s input exactly matches one of the data points in \(T_{in}\), the corresponding data point in \(R\) has a value of \(0\) by evaluating Eq. (5). If the TA is unable to identify a \(0\) value in \(R\), the TA outputs the index with the smallest absolute value in \(R\). This process is called a nearby search, which involves identifying the nearest data point. Notably, if there are two data points with the smallest absolute values in \(R\), one of them can be selected, as these two data points are equidistant from the function input value. For instance, in Fig. 6, the shaded data points \(T_{in}(2,0)\) and \(T_{in}(2,1)\) represent the smallest absolute values, both of which can be selected.

As elucidated in Sect. 4.2.1, \(T_{in}\) must contain the maximum and minimum data points of the plaintext space. Let us explain with an example. When assuming \(T_{in}=[-2,-1,1,2]\) and input is \(-2\) with the plaintext space ranging from \(-2\) to 2, the resultant \(R\) is \([0, -1, 2, 1]\) after executing Eq. (5) with modulus calculations. As a result, the matched index is 0, because \(R(0)=0\). However, if the minimum data point is absent, and the data points in \(T_{in}\) is \([-1,1,2]\), we have \(R\) as \([-1,2,1]\). In this case, the two smallest absolute values exist at indices 0 and 2. However, the resultant index 2 is incorrect because \(T_{in}(2)=2\), which considerably deviates from the input value of \(-2\). The rationale behind \(R(2)=1\) lies in the modulus calculation of polynomials. Consequently, including the maximum and minimum data points in \(T_{in}\) is essential to avert the side effect of modulus calculations that might hinder the identification of the nearest data point(s). The proof is provided below.

Theorem: Having both \(-p\) and \(p\) data points is a necessary and sufficient condition for the smallest absolute value of the \(R\) to be the closest data point(s) to any of the inputs, where \([-p,p]\) is the plaintext space.

proof: Let \(c\) be an input value for a given function, \(d\) be a data point in LUT, where \(c,d\in [-p,p]\). The distance between \(d\) and \(c\) is \(|c-d|\le 2p\) because of \(-2p\le c-d\le 2p\).

Sufficient condition: When \(-p\le c-d\le p\), the \(|c-d|\) is within the plaintext space, where \(|\cdot|\) shows absolute value. Thus, the closest data point(s) to \(c\) is the data point(s) with the smallest \(|c-d|\). On the other hand, when \(p<c-d\) or \(c-d<-p\), the \(|c-d|\) does not show the real distance because of the modulus calculations, which are classified into the following two patterns:

1): When \(c-d>p\), \(|c-d|\) becomes \(|c-d-(2p+1)|\) after modulus calculation. \(\because d\in[-p,p], c-d>p \therefore\) the minimum \(|c-d-(2p+1)|\) appears iff \(d=-p\). Also, \(\because c\le p\), \(\therefore |c-p-1|=p-c+1\). Meanwhile, \(|c-d|=|c-p|=p-c\) iff \(d=p\). Thus, the distance between the data point \(p\) and \(c\) is smaller than that between \(-p\) and \(c\), and as a result, the closest data point never be the border that needs modulus calculation.

2): When \(c-d<-p\), \(|c-d|\) becomes \(|c-d+(2p+1)|\) after modulus calculation. \(\because d\in[-p,p], c-d<-p \therefore\) the minimum \(|c-d+(2p+1)|\) appears iff \(d=p\). Also, \(\because -p\le c\), \(\therefore |c+p+1|=c+p+1\). Meanwhile, \(|c-d|=|c+p|=c+p\) iff \(d=-p\). Thus, the distance between the data point \(-p\) and \(c\) is smaller than that between \(p\) and \(c\), and as a result, the closest data point never be the border that needs modulus calculation.

From 1) and 2), if we have both borders’ data points, the closest data point(s) to any inputs is the data point which has the smallest absolute value in \(R\).\(\tag*{◻}\)

Necessary condition: The absolute value in \(R\) reflects the real distance between the data points in LUT with the input \(c\) iff it is calculated w/o modulus calculation. Thus, the closest data point must be the one that has a minimum distance w/o modulus calculation. Both border data points are needed because this can guarantee the existence of the distance w/o modulus calculation having a smaller distance than that with modulus calculation. Therefore, both borders’ data points are needed to search for the closest data points to the input from the \(R\).\(\tag*{◻}\)

The Algorithm 1 shows how to search for the matched index in \(T_{in}\) and construct PIR queries. In Algorithm 1, the matched index for the \(j\)-th input of the \(m\)-input function is denoted as \(indIn_{row}^j\) and \(indIn_{col}^j\), where \(0\le j<m\). The index of the output LUT \(T_{out}\) that corresponds to the function’s input, specified as \(indOut_{row}\) and \(indOut_{col}\), is determined through the following calculation.

where \(ind_{out}=\sum_{j=0}^{m-2} (\prod_{z=j+1}^{m-2}(|T^{z}_{in}|) \times (indIn_{row}^{j}\times l+indIn_{col}^{j}))+(indIn_{row}^{m-1}\times l+indIn_{col}^{m-1})\). Once the matched index in \(T_{out}\) is computed, the TA proceeds to generate PIR queries and send them back to the CS, effectively concealing the matched index in \(T_{out}\) from the CS. The number of PIR queries denoted as \(N_q\) is calculated by the formula \(N_q=\lceil \log_l |T_{out}|\rceil\). Subsequently, the TA employs Algorithm 1 to produce the encrypted PIR queries, expressed as \(ct(Q):=[ct(Q(0)),\ldots,ct(Q(N_q-1))]\).

Figure 7 shows an example of generating PIR queries for a single-input function. In this example, the absolute value of 1 is the smallest, whose index \((indOut_{row},indOut_{col})\) is \((2,0)\) or \((2,1)\). As these two data points have the same distance from the function input value, we select \((2,0)\) this time. The number of PIR queries is calculated by \(N_q=\lceil \log_4 12\rceil=2\), i.e., \(Q(0)\) and \(Q(1)\). The \(Q(0)\) is a vector in which the \(indOut_{col}\)-th element is 1 and others are 0. The \(Q(1)\) is a rotated vector that left rotate \(indQ_1\) elements of \(Q(0)\), where \(indQ_1=\lfloor(2\times 4+0)/ 4\rfloor \mod 4 = 2\).

Fig. 7  Example of generating PIR queries.

Step 4: The CS receives the PIR queries from the TA and creates a \(ct(T_{out})\)-style ciphertexts vector \(\boldsymbol{q}_{last}\) in whose element indicated by \(ct(Q)\) is one and others are zero by Algorithm 2. Then, the CS proceeds to extract the matched data point in \(T_{out}\) as \(ct(\boldsymbol{r})\) by Algorithm 3.

Step 5: The CS adds the noise \(ct(\boldsymbol{r}_{noise})\) to the function’s output \(ct(\boldsymbol{r})\) to create \(ct(\boldsymbol{r}+\boldsymbol{r}_{noise})\). Subsequently, the CS sends \(ct(\boldsymbol{r}+\boldsymbol{r}_{noise})\) to the TA.

Step 6: The TA decrypts the received \(ct(\boldsymbol{r}+\boldsymbol{r}_{noise})\) and then forwards \(\boldsymbol{r}+\boldsymbol{r}_{noise}\) to the user. In the final step, the user obtains the function’s result by subtracting \(\boldsymbol{r}+\boldsymbol{r}_{noise}\) from the received data.

6.1  Error Evaluation with Different Numbers of LUT Data Points

We evaluate the error of Swish and ReLU functions by varying the numbers of LUT data points to verify the extent to which function outputs exhibit minimal deviations from the actual calculation results. The data points are selected using two techniques: 1) selecting data points of equal distance within the required range (referred to as equidistant selection) and 2) selecting data points from frequently encountered input data (referred to as input data-aware selection).

We prepared a historical input dataset that follows a standard normal distribution, with a mean of zero, comprising 100,000 data. Out of these, 80% of the items were allocated as a training dataset (80,000 data) for fine-tuning the data points of input data-aware selection. The remaining 20% were designated as a test dataset (20,000 data) for calculating the error. For our evaluation, we established the data point range from \(-6.5536\) to \(6.5535\), assuming that the LUT without selection consists of \(2^{17}=131,072\) data points spanning from \(-65,536\) to \(65,535\), with a scale parameter \(\mathfrak{p}=10,000\).

The average absolute error and error percentage are calculated by Eq. (7).

where \(N\) is the number of test data, \(r_{lut}\) is the output value using LUT, and \(r_{real}\) is the actual calculation result.

Table 5 shows the result. We confirm that the calculation error decreases as the number of data points increases. Besides, the LUT with input data-aware selection has better accuracy than the LUT with equidistant selection.

Table 5  The average error with different numbers of LUT data points.

6.2  Runtime and Communication Cost Evaluation for Single-Input Function

We evaluate the overhead of \(d\)-bit single-input functions, where the LUTs contain a total of \(2^d\) data points. In this experiment, we investigate the time consumption, memory usage, and communication cost of our proposed FHE-based method. With the FHE parameters shown in Table 4, the size of a single ciphertext is approximately 262 KB. We measure the overhead by varying the bit-length of both the input and output data points to 18-bit, 16-bit, 14-bit, and 12-bit, using one, two, and four threads for evaluation. Since we maintain the same parameters in this experiment, the number of slots remains a constant value. The number of ciphertexts in \(T_{in}\) and \(T_{out}\) is shown in Table 6 and Table 7.

Table 6 shows the runtime for each step described in Sect. 4.5, varying the length of input bits. The runtime from steps 2 to 5 in Table 6 shows the latency of the function evaluation after receiving the input value \(ct(\boldsymbol{c})\) to outputting the result \(ct(\boldsymbol{r}+\boldsymbol{r}_{noise})\). Table 7 shows the memory consumption in each step, and Table 8 shows the transferred data size between the CS and the TA from Step 2 to 4 for handling the intermediate result and PIR query. Table 8 shows the simulated data transferring time between the CS and the TA under an ideal 100 Mbps net-connection environment.

As shown in Tables 6 and 8, we can evaluate the 18-bit function within 4.52 s (3.12+1.40) by one thread and 2.53 s (1.13+1.40) by four threads. The runtime increases with LUT size (the number of ciphertexts in LUT). The multi-thread implementation reduced the runtime by one-third by four threads but increased memory consumption by 2.4 times. The largest memory consumption in this experiment was 309.87 MB when evaluating an 18-bit function using four threads.

Table 6  The runtime of single-input function in each step.

Table 7  The main memory consumption in each step.

Table 8  The communication cost between the CS and the TA.

6.3  Runtime and Communication Cost Evaluation for Multi-Input Function

We evaluate two and three-input functions using our proposed method, varying the number of bits for both input and output data points. This process helps to confirm the adaptability of our proposed method across various functions.

We employed the same FHE parameters as presented in Table 4. Table 9 shows the overall runtime from Step 2 to 5 under different thread counts with the time for communication. In this experiment, we evaluated two-input functions ranging from 4 to 12 bits and three-input functions ranging from 4 to 8 bits.

The runtime increases rapidly as the number of inputs for the function increases, primarily because the size of the output LUT expands exponentially with the number of inputs. In this experiment, the number of data points of output LUT is \(2^{m\cdot d}\), where the number of data points of input LUT is \(2^d\) in case preparing all data points that can be expressed in \(d\)-bit; \(m\) shows the number of inputs for the function. The result shows the worst runtime when evaluating \(d\)-bit functions because we prepare all data points in the LUT. For instance, for 12-bit two-input functions and 8-bit three-input functions, the maximum number of output data points is \(2^{24}=16,777,216\).

Table 9  The runtime of \(m\)-input functions.

As demonstrated in Table 9, we can evaluate an arbitrary 12-bit two-input function or 8-bit three-input function within 208.5 s using one thread, and within 17 s using 16 threads, which is approximately 12 times faster. Evaluating 6- and 4-bit two-input functions, or 4-bit three-input functions, required 0.2 s. Note that the runtimes of 6- or 4-bit two-input functions and 4-bit three-input functions were not impacted by an increase in the number of threads, as each input LUT and output LUT both consist of a single ciphertext, which prevents parallelization.

6.4  Comparison with Related Work

The fourth experiment compares the accuracy and runtime of our proposed LUT-based method with the polynomial approximation methods [14] when implementing Swish and ReLU functions. Additionally, we provide a brief comparison of the runtime between our proposed LUT-based method and the naive bit-wise LUT method.

1) Error and Runtime Comparison with the Polynomial Approximation Method

We implemented the polynomial approximation and our proposed methods using the CKKS and the BFV schemes in the Microsoft SEAL library, respectively. For the polynomial approximation, we use the polyfit² function from NumPy in Python and show the results in Table 10. The approximation range used was chosen as \([-3,3]\). We omitted terms with coefficients less than \(10^{-5}\). We used the same test dataset and LUTs in Sect. 6.1. The average absolute error is defined by Eq. (7). The results and the parameters are shown in Table 11.

As shown in Table 11, the runtime of our proposed method is the same when the number of data points is smaller than \(2^{12}\) because one row, i.e., one ciphertext, can store up to \(2^{12}\) data points so that one row is enough to implement. The absolute error on average of the output value for the Swish (ReLU) function is \(4.81\times 10^{-4}(2.77\times 10^{-2})\) when using the degree-8 polynomial approximation, which requires 115 (185) ms. Meanwhile, our proposed LUT method with input data-aware selection can achieve \(3.28\times 10^{-4} (2.92\times 10^{-4})\) computation error on average with approximately 95 (95) ms including communication time. Thus, we confirmed that our proposed method achieves higher accuracy with a shorter runtime compared to the polynomial approximation method.

Note that the polynomial approximation method suits batch-style function evaluations because the polynomial approximation method can evaluate the number of \(l\) inputs simultaneously using the SIMD technique. On the contrary, our proposed method already adopted the SIMD technique for handling LUT-based function evaluation; thus, our method cannot fit batch-style function evaluations.

Table 10  Polynomial approximation result.

Table 11  Runtime comparison between polynomial approximation and our proposed method.

2) Runtime Comparison with the Bit-Wise LUT Method

In this section, we compare the runtime of the bit-wise LUT method with that of our proposed word-wise LUT method. First, the runtimes of the bit-wise LUT method proposed in previous papers are reviewed, and then the results of the actual implementation are presented.

Carpov et al. [19] showed that the latency of 6-to-6-bit functions was under 1.6 s. Chillotti et al. [18] evaluated 8-to-8-bit and 16-to-8-bit functions spent approximately 1.1 s and 2.2 s, respectively. Lu et al. [22] reported 0.97 s for 7-bit functions. Since these results are evaluated in different environments, they are not directly comparable; however, compared to our results in Tables 6 and 8, our method can evaluate a 12-bit function in 0.14 s by one thread, which shows the superiority of our method.

To confirm our superiority in detail, we implement the naive bit-wise LUT method as a reference. Since the Microsoft SEAL library does not support bit-wise encoding FHE, we adopt OpenFHE³ library v1.0.3. The security level is set as STD128 and other parameters are left as the default. We also set the bit-length of input and output to be the same, represented as \(d(=s)\).

To evaluate \(m\)-input \(d\)-to-\(s\)-bit function, we combine the inputs as a single input whose bit-length is \(m\cdot d\). The encrypted vector of input bits is \(\boldsymbol{q}=[ct(q_0),\ldots,ct(q_{m\cdot d-1})]\). The \(T_{in}\) and \(T_{out}\) are matrices, each of whose elements are encrypted bits, where the number of data points is \(2^{m\cdot d}\), bit-length of input and output are \(m\cdot d\) and \(s\), respectively. The encrypted vector of result \(\boldsymbol{r}=[ct(r_0),\ldots,ct(r_{s-1})]\) is computed as follows.

where \(0\le i\le s\).

The results with 4-thread are shown in Table 12. Our proposed method showed the same runtime regardless of the input bit-length because the proposed method uses the same number of ciphertexts even if the bit-length changes. As shown in Table 2, if \(2^d\) does not exceed slot size, the proposed method’s runtime stays the same. On the contrary, the naive bit-wise LUT increases its runtime with the increase of the bit-length because the runtime is proportional to \(O(s\cdot 2^{m\cdot d})\) as shown in Table 2.

When the number of inputs increases, our proposed method’s runtime increases as the output LUT size increases (when the \(N_q\) remains unchanged). As for the naive bit-wise implementation, the runtime increases with the same reason when the bit-length increases.

For the 1-bit one-, two-, and three-input functions, our method decreases the runtime to approximately 30.9, 47.5, and 107.9 times compared to the naive bit-wise LUT implementation. Note that we used different FHE libraries to implement the two methods; thus, we cannot compare the runtime directly. However, we could confirm how the runtime increases in each method.

Table 12  Runtime comparison in seconds [s] of \(m\)-input functions between naive bit-wise LUT and our proposed method (using 4-thread).