This paper investigates the impact of modular reduction backends on the security–performance trade-offs of the CKKS approximate homomorphic encryption scheme. Specifically, we compare a standard Residue Number System–Chinese Remainder Theorem (RNS-CRT) implementation with a Barrett reduction–based backend across representative parameter sets (N,logq), spanning approximately 80–256-bit security levels as recommended by the Homomorphic Encryption Standard. We evaluate typical CKKS workloads—including encoding, encryption, homomorphic multiplication with the Number Theoretic Transform (NTT), rescaling, relinearization, and decryption—by measuring execution time and peak memory usage on a uniform experimental platform. Our results indicate that the parameter pair (N,logq) primarily determines both security level and computational cost, while the choice of backend significantly influences the trade-offs between performance and memory efficiency. In particular, the Barrett-based backend is competitive and slightly more memory-efficient at lower security levels, whereas the CRT-based approach achieves lower latency at higher security levels. However, Barrett reduction provides notable memory savings at the cost of a 2–4× increase in runtime. Based on these findings, we derive practical guidelines for selecting CKKS parameters and modular reduction backends under varying constraints on security, latency, and memory.
Goganaboina et al. (Mon,) studied this question.