Math ∩ Programming

https://www.jeremykun.com/
Recent content on Math ∩ Programming (last updated Wed, 29 Apr 2026 05:25:44 -0700)

Featured Posts
https://www.jeremykun.com/2011/06/20/featured-posts/
Mon, 20 Jun 2011 18:31:45 +0000
My next book will be Practical Math for Programmers; A High-Level Overview of Fully Homomorphic Encryption; Searching for Riemann Hypothesis Counterexamples; Linear Programming and Healthy Diets; Hybrid Images; Bezier Curves and Picasso

https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/
Wed, 29 Apr 2026 05:25:44 -0700
<article id="main" class="content-container look-sheet article-pad-v h-entry" itemscope="" itemtype="https://schema.org/Article" morss_own_score="8.300830431288508" morss_score="14.591979918606372"><h1>CKKS — Polynomials, the Canonical Embedding, and Encoding</h1>2026-04-29<div itemprop="articleBody" id="content" class="article-body margin-top-2em" morss_own_score="5.582298974635726" morss_score="219.4938250231284"><a href="https://github.com/j2kun/ckks-tutorial#ckks-tutorial">Table of Contents</a>

In this tutorial series, I will introduce the CKKS homomorphic encryption scheme from the ground up, in rather intricate detail. Each article in this series corresponds to a pull request on <a href="https://github.com/j2kun/ckks-tutorial">a GitHub repository</a>. The code for this article is in <a href="https://github.com/j2kun/ckks-tutorial/pull/2">this pull request</a>. Follow along by cloning the repository and checking out the code at the relevant commit.

This first article will cover some of the mathematical background necessary in the formulation of the CKKS encryption scheme, specifically the polynomial ring used in the most basic version of CKKS, and the canonical embedding used to encode cleartext messages as plaintexts.

This series will contain plenty of mathematics, but I may abbreviate some verbose definitions, especially those that I would expect to be familiar to readers of this blog (such as the formal definition of a ring). In other words, I’ll assume basic undergraduate mathematics familiarity, with some reminders. 
A good accompaniment for this series would be <a href="https://fhetextbook.github.io/">The Beginner’s Textbook for Fully Homomorphic Encryption</a> by Ronny Ko, which complements this series in giving more complete (albeit terse) definitions, formulas, and proofs.<h2>A brief history of CKKS</h2>Some of the terms used in this section may make more sense if you’ve read my <a href="https://www.jeremykun.com/2024/05/04/fhe-overview/">high-level technical overview of homomorphic encryption</a>. We will re-cover all of this in detail in future articles.The original CKKS homomorphic encryption scheme was introduced in the 2016 paper <a href="https://eprint.iacr.org/2016/421">Homomorphic Encryption for Arithmetic of Approximate Numbers</a> by Jung Hee Cheon, Andrey Kim, Miran Kim, and Yongsoo Song as a joint collaboration between Seoul National University and UC San Diego.<a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fn:1">1</a> Its primary innovation was to handle approximate arithmetic on real or complex numbers, rather than prior schemes which only handled exact arithmetic on integers. This is relevant in contexts like neural network inference, where the calculations can be inexact and still useful. In particular, CKKS allows the inexactness of fixed-point arithmetic to coexist with the error introduced by the homomorphic encryption scheme itself.After its initial publication, several followup papers made improvements to CKKS that elevated it to the state of the art. First, and most importantly, a bootstrapping procedure <a href="https://eprint.iacr.org/2018/153">was found in 2018</a> that made CKKS “fully homomorphic.” Subsequent years saw a plethora of additional improvements and variants to CKKS bootstrapping. 
Experts would even say there are too many variants to keep track of.

The second major improvement was the introduction of the <a href="https://eprint.iacr.org/2018/931">residue number system variant of CKKS</a> in 2018. The original CKKS scheme used large integer arithmetic, in particular doing arithmetic modulo hundred-bit or even thousand-bit moduli. Using a residue number system (RNS) allows one to replace the (inherently serial) carry propagation required for large-precision arithmetic with parallel operations on vectors of 64-bit values.<a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fn:2">2</a>

Combining RNS with bootstrapping produces what, in my view, is the “baseline” version of CKKS that most new works extend or use for contrast.<h2>Plaintexts and a polynomial ring</h2>The main setting for CKKS is a particular polynomial ring. We start with some ring $R$ of coefficients for the polynomials $R[x]$; sometimes $R$ will be the integers or the reals, but more often it will be the ring of integers modulo some $Q$.

CKKS is an encryption scheme, and in every encryption scheme there are three distinct spaces: the cleartext space, the plaintext space, and the ciphertext space.

Cleartexts describe the atomic message units (e.g., a vector of 32-bit integers of a fixed size). The user must decide how to split their larger program data into cleartext units, say, by chunking. Plaintexts describe preprocessing required to make a cleartext compatible with the encryption scheme. And ciphertexts are the form of the messages after they are encrypted.

I spell all this out because, while many encryption schemes don’t have major differences between cleartext and plaintext space, CKKS uses a sophisticated transformation. This article focuses purely on the conversion between the cleartext and plaintext space.

Fix a parameter $N$, a power of two, which will be used to define the polynomial ring. 
A CKKS cleartext is a vector of $N/2$ complex numbers.<a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fn:3">3</a> A CKKS plaintext is an element of the ring\[ (\mathbb{Z}/Q\mathbb{Z})[x] \Big / (x^N+1) \]As a reminder, the coefficients $\mathbb{Z}/Q\mathbb{Z}$ form the ring of integers with arithmetic done modulo $Q$. If $Q$ were a prime, this would form a field, but in most cases $Q$ is composite.As a second reminder, the polynomial modulus converts the ring of polynomials mod $Q$ into a quotient ring where two polynomials $p(x)$ and $q(x)$ are equivalent if they have the same remainder when dividing by $x^N + 1$. Some features that are important for computation:<ul><li>Elements of this ring have degree bounded by $N-1$ (when choosing their minimal-degree coset representative). So a polynomial can be viewed as a vector of $N$ entries, the coefficients at degrees 0 to $N-1$.</li><li>One can identify $x^N$ with $-1$, and this gives a baseline method to reduce larger polynomials to their canonical representative: take each coefficient at degree $k \geq N$ and add it with a sign flip to the coefficient at degree $k - N$.</li><li>Because of the previous item, multiplying a polynomial in this ring by a monomial can be implemented by cyclically rotating the coefficient vector and sign-flipping the values that wrap around an odd number of times. This operation is also known as negacyclic rotation.</li></ul>There are other important structures of this ring for cryptographic reasons.<a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fn:4">4</a> For one, the value of $N$ being a power of two ensures this polynomial forms a number field. 
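As an aside on the computational features listed above, here is a minimal sketch of reduction modulo $x^N + 1$ and of multiplication by a monomial (negacyclic rotation). It works on plain Python lists rather than the tutorial's `Polynomial` class, and the names `reduce_negacyclic` and `multiply_by_monomial` are hypothetical, chosen only for illustration.

```python
def reduce_negacyclic(coeffs, n):
    """Reduce a coefficient list modulo x^n + 1 using the identity x^n = -1.

    coeffs[k] is the coefficient of x^k; the input may have any length.
    """
    out = [0] * n
    for k, c in enumerate(coeffs):
        # A term at degree k wraps around (k // n) times; each wrap
        # contributes one factor of -1.
        wraps, idx = divmod(k, n)
        out[idx] += -c if wraps % 2 else c
    return out


def multiply_by_monomial(coeffs, shift, n):
    """Multiply a reduced polynomial by x^shift (a negacyclic rotation)."""
    shifted = [0] * shift + list(coeffs)
    return reduce_negacyclic(shifted, n)


p = [1, 2, 3, 4]  # 1 + 2x + 3x^2 + 4x^3 in the ring with n = 4
rotated_once = multiply_by_monomial(p, 1, 4)  # [-4, 1, 2, 3]
rotated_five = multiply_by_monomial(p, 5, 4)  # [4, -1, -2, -3]
```

Shifting by 5 wraps most terms once and the top term twice, which is why the sign pattern differs from the single shift.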
I don’t want to go too deeply into Galois theory here, but the basic idea of a number field is that you start from the rational numbers $\mathbb{Q}$, pick a finite number of elements $\alpha_1, \dots, \alpha_r$ not in $\mathbb{Q}$ (in our case they will be complex roots of unity), and “add them” to $\mathbb{Q}$, forming an extension field $\mathbb{Q}(\alpha_1, \dots, \alpha_r)$ by also including all the derived quantities required to satisfy the field axioms (inverses, sums and products, sums of products, etc.).<a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fn:5">5</a> In order to be a number field, these elements need to have some finite algebraic formula that gets them back to zero. In other words, the degree of $\mathbb{Q}(\alpha_1, \dots, \alpha_r)$ as a $\mathbb{Q}$-vector space must be finite. The simplest example is $\mathbb{Q}(\sqrt{2})$, which has degree 2 because $\sqrt{2}$ is a root of the polynomial $x^2 - 2$.Back to CKKS, the polynomial ring $(\mathbb{Z}/Q\mathbb{Z})[x] \Big / (x^N+1)$ is not obviously a number field. You have to do a bit of work to first identify $\mathbb{Z}[x] \Big / (x^N+1)$ with $K = \mathbb{Q}(\omega_{2N})$, where $\omega_{2N}$ is a primitive $2N$-th root of unity.<a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fn:6">6</a> Once you do, taking a quotient by $Q$ in the coefficients translates to a quotient ring $K / QK$. Another angle is to start from $\mathbb{Z}[x] / (x^N + 1)$, identify that as the ring of integers of the number field $\mathbb{Q}[x] / (x^N + 1) = \mathbb{Q}(\omega_{2N})$, and take a quotient by the modulus $Q$.We will touch on this more later in the series. The choice of $N$ and $Q$ implies a particular structure of this quotient ring, which impacts how we implement various homomorphic operations. In particular, it affects the efficiency of the number theoretic transform. 
But for this article, what matters is mainly that the plaintexts are polynomials and that their coefficients are discrete. This implies two obstacles:<ul><li>We must transform a vector of complex numbers into a polynomial.</li><li>We must discretize an inherently continuous quantity, complex numbers.</li></ul><h2>The canonical embedding</h2>The tool that CKKS uses to solve both of these problems is called the canonical embedding. This term has a lot of abstract definitions in different parts of mathematics, but for our purposes the canonical embedding has a simple definition.Definition: Let $N$ be a power of two, and let $p(x)$ be a polynomial in $\mathbb{C}[x] / (x^N + 1)$. Then the canonical embedding of $p(x)$ in $\mathbb{C}^N$ is the vector of evaluations of $p(x)$ at the roots of $x^N + 1$. In particular, for a primitive $2N$-th root of unity $\omega = e^{2 \pi i / (2N)} = e^{\pi i / N}$ (which generates the roots of $x^N + 1$), the canonical embedding of $p(x)$ is the vector\[ \sigma_N(p) = (p(\omega), p(\omega^3), p(\omega^5), \dots, p(\omega^{2N - 1})) \]Define the canonical embedding $\sigma_N$ to map polynomials to their evaluations at the odd powers of the complex $2N$-th roots of unity.<a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fn:7">7</a>Let’s prove some properties of the canonical embedding.Homomorphism: Evaluating a polynomial at a fixed value is a homomorphism with respect to addition and scaling of the polynomials ($(p+q)(x) = p(x) + q(x)$ by definition), and the same is true componentwise for different evaluations, so $\sigma_N$ is a homomorphism from $\mathbb{C}[x] / (x^N + 1) \to \mathbb{C}^N$.Well-defined: Let $p(x)$ and $q(x)$ have the property that $x^N + 1$ divides $p(x) - q(x)$. Then for any root $r$ of $x^N + 1$ we have $p(r) - q(r) = 0$. 
Hence,\[ \sigma_N(p) - \sigma_N(q) = (p(\omega^k) - q(\omega^k))_{k=1, 3, \dots, 2N-1} = (0, 0, \dots, 0) \]

Conjugate symmetry when coefficients are real: when the input $p(x)$ to the canonical embedding happens to have real coefficients, it holds that $p(x)$ commutes with complex conjugation of its inputs, i.e., $p(\overline{x}) = \overline{p(x)}$. Combine this with the fact that the roots of $x^N + 1$ come in conjugate pairs:\[ \begin{aligned} \omega^1 &= \overline{\omega^{2N-1}} \\ \omega^3 &= \overline{\omega^{2N-3}} \\ &\vdots \\ \omega^{N-1} &= \overline{\omega^{N+1}} \\ \end{aligned} \]And you get that, in this special case of real coefficients, the canonical embedding has a special conjugate symmetry: the second half of the vector’s entries are the reversed complex conjugates of the first half.\[ \sigma_N(p) = ( p(\omega^1), p(\omega^3), \dots, p(\omega^{N-1}), \overline{p(\omega^{N-1})}, \dots, \overline{p(\omega^3)}, \overline{p(\omega^1)} ) \]This property is called the “Hermitian” property, and the set of vectors satisfying it has a name: $\mathbb{H}^N$ is defined as the set of complex vectors in $\mathbb{C}^N$ whose second half is the reversed complex conjugate of the first half.

You might think that, because the second half of a vector in $\mathbb{H}^N$ is uniquely determined by the first half, $\mathbb{H}^N$ is isomorphic to $\mathbb{C}^{N/2}$. You’d be right, but you have to be careful. Despite having complex-valued entries, $\mathbb{H}^N$ is not a vector space over $\mathbb{C}$ at all. Scalar multiplication by a complex number does not preserve the conjugate symmetry. It only does so if the scalar is real. So $\mathbb{H}^N$ and $\mathbb{C}^{N/2}$ are isomorphic, but only as $\mathbb{R}$-vector spaces.

The above limitation is no problem, however, because we actually want our input vectors to correspond to real-coefficient polynomials (so we can round them to integer-coefficient plaintexts). 
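To make the conjugate symmetry concrete, the following sketch evaluates a small real-coefficient polynomial at the odd powers of $\omega$, checks that the result lies in $\mathbb{H}^N$, and then checks that multiplying by the non-real scalar $i$ breaks the symmetry. It uses only the standard library and a direct quadratic-time evaluation; the helper names `embed` and `is_hermitian` are hypothetical and not taken from the tutorial repository.

```python
import cmath


def embed(coeffs):
    """Evaluate the polynomial at omega^1, omega^3, ..., omega^(2N-1)."""
    n = len(coeffs)
    omega = cmath.exp(1j * cmath.pi / n)  # primitive 2N-th root of unity
    return [
        sum(c * omega ** (k * j) for j, c in enumerate(coeffs))
        for k in range(1, 2 * n, 2)
    ]


def is_hermitian(vec, tol=1e-9):
    """Check that the second half is the reversed conjugate of the first."""
    n = len(vec)
    return all(
        abs(vec[n - 1 - i] - vec[i].conjugate()) < tol for i in range(n // 2)
    )


real_poly = [1.0, -2.0, 0.5, 3.0]  # real coefficients, N = 4
v = embed(real_poly)
w = [1j * x for x in v]  # scale by a non-real complex number

symmetric_before = is_hermitian(v)  # holds for real coefficients
symmetric_after = is_hermitian(w)   # fails after scaling by i
```

Scaling by a real number instead of `1j` would leave the symmetry intact, which is the sense in which $\mathbb{H}^N$ is only an $\mathbb{R}$-vector space.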
That requirement leads us to the next fact, which is the converse of the “Conjugate symmetry when coefficients are real” fact above.

Proposition: Let $v \in \mathbb{H}^N$, and $\sigma_N : \mathbb{C}[x] \Big / (x^N + 1) \to \mathbb{C}^N$ be the canonical embedding. Then $\sigma_N^{-1}(v) \in \mathbb{R}[x] \Big / (x^N + 1)$, i.e., has real-valued coefficients.

Finally, the last property, which I will not prove here (see Appendix C of <a href="https://eprint.iacr.org/2011/535">Damgård-Pastro-Smart-Zakarias</a>), relates the geometry of the input and output of the canonical embedding. This is useful when analyzing the noise growth of CKKS ciphertexts. In fact, as far as I can tell this was one of the core reasons the original CKKS authors bothered with all this machinery:

Proposition: Fix $N$ and let $\sigma = \sigma_N$ be the canonical embedding as defined above. Let $\left \| x \right \|$ denote the infinity-norm of $x$ (the magnitude of the largest component). Then for all $p(x), q(x)$,\[ \left \| \sigma(p) \cdot \sigma(q) \right \| \leq \left \| \sigma(p) \right \| \cdot \left \| \sigma(q) \right \| \]Moreover, there is a constant $c$ (depending only on $N$) such that for every $p(x)$,\[ \left \| p \right \| \leq c \left \| \sigma(p) \right \| \]These facts allow one to measure the growth of polynomial error in the CKKS scheme by analyzing the growth of the canonical embeddings. We will come back to that topic in future articles.<h2>Implementing the canonical embedding and its inverse</h2>In this section we’ll implement the canonical embedding and its inverse in Python. 
Reminder, the code can be found <a href="https://github.com/j2kun/ckks-tutorial/pull/2/changes/386f028f079c91968a90846f80500321c60930b7">in commit 386f028</a> of <a href="https://github.com/j2kun/ckks-tutorial/pull/2">this pull request</a> for the overall tutorial series.

Because the canonical embedding involves evaluating a polynomial at a set of complex roots of unity, we naturally turn to the Fast Fourier Transform. See <a href="https://www.jeremykun.com/2022/11/16/polynomial-multiplication-using-the-fft/">“Polynomial Multiplication Using the FFT”</a> and <a href="https://www.jeremykun.com/2022/12/09/negacyclic-polynomial-multiplication/">“Negacyclic Polynomial Multiplication”</a> for more details of why this is a good approach. In particular, the canonical embedding and its inverse reduce to particular invocations of <code>fft</code> and <code>ifft</code>.

We start with a simple <code>Polynomial</code> class that wraps the coefficients and $N$.<pre><code>import numpy as np


class Polynomial:
    """A univariate polynomial with a ring modulus x^N + 1."""

    def __init__(self, coefficients: np.ndarray, modulus_degree: int):
        self.coefficients = coefficients
        self.modulus_degree = modulus_degree
        # ... <validations> ...

    # ... __eq__, __repr__, etc. ...
</code></pre>The above doesn’t include any actual polynomial operators yet, since these functions will mutate the underlying coefficients directly.<pre><code>def canonical_embedding(poly: Polynomial) -> np.ndarray:
    """Computes the canonical embedding of a polynomial."""
    poly_coeffs = poly.coefficients
    N = poly.modulus_degree
    # 2N-point FFT evaluates at all 2N-th roots: omega^0, omega^1, ...,
    # omega^{2N-1}. But return only the odd entries for the primitive roots.
    padded = np.concatenate([poly_coeffs, np.zeros(N)])
    # np.fft.ifft uses the positive exponent exp(+2*pi*i*j*k / (2N)) and
    # divides by 2N; multiplying by 2N undoes that normalization, leaving
    # the plain evaluations at omega^k.
    fft_result = np.fft.ifft(padded) * (2 * N)
    return fft_result[np.arange(1, 2 * N, 2)]
</code></pre>This method is slightly inefficient: to get the <code>numpy.fft.fft/ifft</code> functions to correspond to evaluations at $2N$-th roots of unity, we need to have a vector of length $2N$ as input. Then afterward to get the odd evaluations, we need to filter by the appropriate range.

To be more efficient, production CKKS implementations implement a custom FFT routine here that avoids this extra work in two ways: first by operating on the odd powers directly, and second by taking advantage of the additional conjugate symmetry of the odd powers. For one such reference, see the <a href="https://github.com/openfheorg/openfhe-development/blob/1306d14f8c26bb6150d3e6ad54f28dfe1007689e/src/core/lib/math/dftransform.cpp#L241">FFTSpecial</a> invocation in <a href="https://github.com/openfheorg/openfhe-development/blob/1306d14f8c26bb6150d3e6ad54f28dfe1007689e/src/pke/lib/encoding/ckkspackedencoding.cpp#L238">OpenFHE’s CKKS encoding routine</a>, which implements Algorithm 1 of <a href="https://eprint.iacr.org/2018/1043">Chen-Chillotti-Song 2018</a>.<a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fn:8">8</a>

<a href="https://github.com/j2kun/ckks-tutorial/pull/2/changes/386f028f079c91968a90846f80500321c60930b7">Commit 386f028</a> also includes a more direct implementation using a matrix-vector multiplication by the <a href="https://github.com/j2kun/ckks-tutorial/pull/2/changes/fb58601d16e55bc8a5a4ce3c0a99c1e10d879329#diff-3e74404a7218b087c3cd6ff47dd023a496e36d441a1d7fe9cbcdec91aa8b05ccR77">Vandermonde matrix</a>. In the tests for this commit, we include equivalence testing of the two methods.<h2>Encoding and decoding</h2>With all the hard work done, we turn to encoding. 
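Encoding relies on the inverse of the canonical embedding, whose implementation lives in the repository rather than in this article. As a rough sketch of what such an inverse computes (not the repository's code), one can use the fact that the Vandermonde matrix $V$ with entries $V_{k,j} = \omega^{(2k+1)j}$ satisfies $V^{-1} = \frac{1}{N} V^*$, so each coefficient is $a_j = \frac{1}{N} \sum_k v_k \overline{\omega^{(2k+1)j}}$. The names `embed_direct` and `inverse_embed_direct` are hypothetical, and this is a quadratic-time illustration in pure Python rather than an FFT-based routine.

```python
import cmath


def embed_direct(coeffs):
    """Evaluate the polynomial at omega^1, omega^3, ..., omega^(2N-1)."""
    n = len(coeffs)
    omega = cmath.exp(1j * cmath.pi / n)  # primitive 2N-th root of unity
    return [
        sum(c * omega ** (k * j) for j, c in enumerate(coeffs))
        for k in range(1, 2 * n, 2)
    ]


def inverse_embed_direct(values):
    """Recover coefficients from evaluations at the odd powers of omega.

    Uses a_j = (1/N) * sum_k values[k] * conj(omega^((2k+1) * j)).
    """
    n = len(values)
    omega = cmath.exp(1j * cmath.pi / n)
    return [
        sum(
            v * (omega ** ((2 * k + 1) * j)).conjugate()
            for k, v in enumerate(values)
        ) / n
        for j in range(n)
    ]


# A Hermitian vector: the second half is the reversed conjugate of the first.
message = [1 + 2j, 3 - 1j]
hermitian = message + [z.conjugate() for z in reversed(message)]

coeffs = inverse_embed_direct(hermitian)
# Up to floating point noise, the imaginary parts of coeffs vanish.
roundtrip = embed_direct([c.real for c in coeffs])
```

The round trip through `embed_direct` recovers the Hermitian vector up to floating point error, which is a small numerical instance of the proposition that Hermitian inputs map to real-coefficient polynomials.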
The inverse of the canonical embedding allows us to map a complex (Hermitian) vector to a polynomial with real coefficients. However, to get a polynomial with integer coefficients (our desired plaintext space), we need to round. That raises the question of precision.

CKKS’s solution is the same as traditional fixed-point arithmetic. That is, we choose a scaling factor $\Delta$, and multiply the polynomial’s coefficients by $\Delta$ before rounding to the nearest integer. The message can be recovered by dividing by $\Delta$.

Fixed-point arithmetic will have major implications for CKKS. Specifically, it introduces an application-dependent decision for how to set parameters. Applications that can afford to be a bit less precise (like neural networks) can use smaller scaling factors, which leads to more efficient programs. We will return to this topic in fine detail later. For now, it gives us our final encoding algorithm:<ol><li>Apply the inverse canonical embedding.</li><li>Multiply by the scale $\Delta$.</li><li>Round to the nearest integer mod $Q$.</li></ol>Because scaling by $\Delta$ is followed by rounding mod $Q$, the choice of $Q$ implies a limit to the choice of $\Delta$: the scaled coefficients after step 2 cannot exceed $Q/2$, or else they will wrap around mod $Q$ and the original value will be lost.

The code in <a href="https://github.com/j2kun/ckks-tutorial/pull/2/changes/2410f9da9781752b399bc589abd1df03dc4a6ea7">commit 2410f9d</a> demonstrates this.

First we have a dataclass for parameters:<pre><code>from dataclasses import dataclass

Cleartext = np.ndarray
Plaintext = Polynomial


@dataclass(frozen=True)
class EncodingParams:
    scale: float
    poly_modulus_degree: int
</code></pre>Then encoding is<pre><code>def encode(message: Cleartext, params: EncodingParams) -> Plaintext:
    """Encode a vector of complex numbers into a plaintext polynomial."""
    # Pad with zeros up to N / 2
    num_zeros = params.poly_modulus_degree // 2 - message.shape[0]
    if num_zeros:
        message = np.concatenate(
            [message, np.zeros(num_zeros, dtype=message.dtype)]
        )

    # Concat with flipped conjugate to make Hermitian
    hermitian_msg = np.concatenate(
        [message, np.flip(np.conjugate(message))]
    )

    # Result of inverse canonical_embedding is guaranteed to
    # be real-valued.
    polynomial = inverse_canonical_embedding(hermitian_msg)
    rounded_scaled_coeffs = np.round(
        np.real(polynomial.coefficients) * params.scale
    )
    return Polynomial(rounded_scaled_coeffs, params.poly_modulus_degree)
</code></pre>Similarly, decoding divides by the scale, applies the canonical embedding, and then returns the first $N/2$ slots.<pre><code>def decode(plaintext: Plaintext, params: EncodingParams) -> Cleartext:
    """Decode a CKKS plaintext into a vector of complex numbers."""
    scale_removed = Polynomial(
        coefficients=plaintext.coefficients / params.scale,
        modulus_degree=plaintext.modulus_degree,
    )
    unembedded = canonical_embedding(scale_removed)
    return unembedded[: params.poly_modulus_degree // 2]
</code></pre><h2>Investigating precision</h2>To understand the precision loss of CKKS encoding in a bit more detail, let’s plot it.

<a href="https://github.com/j2kun/ckks-tutorial/pull/2/changes/0df56503d2490810d9032279b3b59cab62e0ff79">Commit 0df5650</a> provides the code, and for $N=32$ with scaling factors ranging from $2$ to $2^{40}$ (the latter is a typical CKKS scaling factor seen in the wild), this is the plot of absolute and relative errors.<figure><a href="https://www.jeremykun.com/img/2026/ckks-encoding-precision.png"><img src="https://www.jeremykun.com/img/2026/ckks-encoding-precision.png"></a></figure>The top plot shows that absolute precision scales linearly with the scaling factor. The bottom plot shows the relative deviation from the theoretical bound, and even for a smallish $N=32$ the fit is pretty good. 
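For readers who want to poke at the precision loss without the plotting code, here is a self-contained round-trip sketch in pure Python. It is not the code from the commit: the names `encode_sketch`, `decode_sketch`, and `max_roundtrip_error` are hypothetical, the message is drawn from a seeded random generator, and the embedding is computed directly in quadratic time. The comparison it supports is against the worst-case bound $N / (2\Delta)$, which follows from each rounded coefficient being off by at most $1/2$ and decoding summing $N$ such terms weighted by unit-modulus roots.

```python
import cmath
import random


def embed(coeffs):
    """Evaluate the polynomial at the odd powers of a 2N-th root of unity."""
    n = len(coeffs)
    omega = cmath.exp(1j * cmath.pi / n)
    return [
        sum(c * omega ** (k * j) for j, c in enumerate(coeffs))
        for k in range(1, 2 * n, 2)
    ]


def inverse_embed(values):
    """Invert embed() using a_j = (1/N) sum_k v_k conj(omega^((2k+1) j))."""
    n = len(values)
    omega = cmath.exp(1j * cmath.pi / n)
    return [
        sum(
            v * (omega ** ((2 * k + 1) * j)).conjugate()
            for k, v in enumerate(values)
        ) / n
        for j in range(n)
    ]


def encode_sketch(message, scale):
    """Hermitian-extend, invert the embedding, scale, and round."""
    hermitian = list(message) + [z.conjugate() for z in reversed(message)]
    coeffs = inverse_embed(hermitian)
    return [round(c.real * scale) for c in coeffs]


def decode_sketch(plaintext, scale):
    """Divide by the scale, embed, and keep the first N/2 slots."""
    values = embed([c / scale for c in plaintext])
    return values[: len(plaintext) // 2]


def max_roundtrip_error(n, scale, seed=0):
    """Largest absolute slot error after encoding and decoding."""
    rng = random.Random(seed)
    message = [
        complex(rng.uniform(-1, 1), rng.uniform(-1, 1)) for _ in range(n // 2)
    ]
    decoded = decode_sketch(encode_sketch(message, scale), scale)
    return max(abs(d - m) for d, m in zip(decoded, message))


N = 32
errors = {bits: max_roundtrip_error(N, 2.0 ** bits) for bits in (4, 10, 20)}
```

Printing `errors` shows the error shrinking as the scale grows. The worst-case bound is loose compared to the typical error, which is what the heuristic discussion of the “theoretical” line addresses.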
The “theoretical” line plotted corresponds to the average expected root-mean-squared precision loss, by the following heuristic reasoning.

For $N$ random values, rounding introduces a uniform error in $[-0.5, 0.5]$ for each of the coefficients. Decoding sums these errors, and the resulting distribution is approximately Gaussian with mean zero and standard deviation proportional to $\sqrt{N}$.

We can also plot this as $N$ grows (<a href="https://github.com/j2kun/ckks-tutorial/pull/2/changes/090147f2b4a08abea7953f5284e838ad8986c8af">commit 090147f</a>).<figure><a href="https://www.jeremykun.com/img/2026/ckks-encoding-precision-vs-N.png"><img src="https://www.jeremykun.com/img/2026/ckks-encoding-precision-vs-N.png"></a></figure>The theoretical bound still holds, except that when $N$ is sufficiently large (and when the scaling factor is sufficiently large), then, as best I can tell, the floating point errors in the FFT routine itself are of comparable magnitude to the precision loss due to rounding, which would explain the positive bias in error. At least, if I reduce the scaling factor to $2^{20}$, this positive bias disappears:<figure><a href="https://www.jeremykun.com/img/2026/ckks-encoding-precision-vs-N-2-20.png"><img src="https://www.jeremykun.com/img/2026/ckks-encoding-precision-vs-N-2-20.png"></a></figure><h2>Wrapping it up</h2>Recapping, the two obstacles we faced at the start of the article were:<ul><li>We must transform a vector of complex numbers into a polynomial.</li><li>We must discretize an inherently continuous quantity, complex numbers.</li></ul>The canonical embedding solves the first obstacle by providing an isomorphism between vectors of complex numbers and polynomials. The use of fixed-point arithmetic and a scaling factor solves the second.

While CKKS encoding does introduce errors in its encoding process, the standard intended application<a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fn:9">9</a> of CKKS is to machine learning inference. 
In this context, programs are naturally tolerant of error, and the encoding error is a small one-time cost. As we will see throughout the rest of the tutorial, encoding error will become dominated by rescaling and bootstrapping noise. But either way, it’s important not to forget about this source of error.<h2>Acknowledgements</h2>Thanks to <a href="https://scholar.google.com/citations?user=ztrus-YAAAAJ&hl=en">Asra Ali</a>, <a href="https://edwjchen.com/">Edward Chen</a>, <a href="https://jianmingtong.github.io/">Jianming Tong</a>, and <a href="https://hongrenzhe.ng/">Hongren Zheng</a> for feedback on a draft of this article.<hr><ol morss_own_score="2.8413461538461537" morss_score="12.795908886315864"><li>UC San Diego is involved because Miran Kim was doing a postdoc there at the time. Now she is a professor at Hanyang University in South Korea. I bring this up mainly to note that Korea has been a powerhouse of innovation in homomorphic encryption for the past decade, and particularly for its contributions to CKKS, its variants, and the variety of startups that have sprung up around it. <a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fnref:1">↩︎</a></li><li>As my colleague Hongren Zheng reminded me, the original high-precision modulus for CKKS was a large power of two. So the switch to RNS-CKKS also required switching to a modulus that was a product of machine-word-sized primes. <a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fnref:2">↩︎</a></li><li>As far as I can tell, except for some specialized research papers or hand-compiled applications, the extra complex structure is not used in applications. That is, most CKKS users treat the cleartext space as a vector of double-precision floating point values. 
<a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fnref:3">↩︎</a></li><li>Indeed, if you’re paying attention to any of the work on post-quantum cryptography (which all of FHE is built on top of), you’ll see this ring again in the Kyber/ML-KEM scheme, though it is important to note that the choice of parameters $Q, N$ are meaningfully different there. <a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fnref:4">↩︎</a></li><li>Many math texts give the existential definition “the smallest field containing $\mathbb{Q}$ and the added elements.” <a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fnref:5">↩︎</a></li><li>This is basically a first course in Galois theory. I enjoyed <a href="https://amzn.to/3OllR79">Ian Stewart’s textbook</a> on the subject. But if you squint you can kind of see it: $x^N + 1$ is a factor of $x^{2N} - 1 = (x^N-1)(x^N+1)$, and the complex $2N$-th roots of unity are the roots of $x^{2N} - 1$, with the primitive root generating all the rest and being (any one of) the roots of the irreducible part $x^N + 1$. This irreducibility requires $N$ is a power of two, but you can do the same logic for any $N$ if you spend more time working out the $N$-th cyclotomic polynomial. <a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fnref:6">↩︎</a></li><li>It may be worth a sneak preview here: the choice of which primitive root and the order of the evaluations is arbitrary, and choosing a different root and order will be useful for CKKS in that it will allow us to define slot rotation as a homomorphic operation. At that point we’ll have to make some slight tweaks to the encoding algorithm here. Having a precise diff of the code changes will make those differences clearer later, I hope. 
<a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fnref:7">↩︎</a></li><li>Interestingly, Algorithm 1 was designed for evaluating the encoding/decoding algorithm of CKKS homomorphically (as part of bootstrapping, which we’ll see later in this series in detail), but the referenced OpenFHE code uses it for cleartext evaluation for encoding. <a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fnref:8">↩︎</a></li><li>For more, see <a href="https://www.jeremykun.com/fhe-in-production/">FHE in production</a>. <a href="https://www.jeremykun.com/2026/04/29/ckks-polynomials-the-canonical-embedding-and-encoding/#fnref:9">↩︎</a></li></ol><hr>Want to respond? <a href="mailto:mathintersectprogramming@gmail.com">Send me an email</a>, <a href="https://webmention.io/www.jeremykun.com/webmention">post a webmention</a>, or find me <a href="https://www.jeremykun.com/about/">elsewhere on the internet</a>.</div></article>

https://www.jeremykun.com/shortform/2026-04-13-0700/
Mon, 13 Apr 2026 07:00:00 -0700
<article id="main" class="content-container look-sheet article-pad-v h-entry" itemscope="" itemtype="https://schema.org/Article" morss_own_score="7.825065274151436" morss_score="13.999862022118915"><h1>Unusual uses of OEIS sequences on GitHub</h1>2026-04-13<div itemprop="articleBody" id="content" class="article-body margin-top-2em" morss_own_score="5.349593495934959" morss_score="42.152420463825734">I went hunting for references to the OEIS in open source code, and found some weird ones.

There are not one, but two live-coding music frameworks that use OEIS sequences as a source for “anything that can be sequenced” in music. I’m guessing that’s used for choosing pseudorandom melodies, interesting rhythms, or how to overlap tracks in different ways.

The first project is called <a href="https://github.com/tmhglnd/mercury">mercury</a>, which is advertised as having “an extensive library of algorithms to generate or transform numbersequences that can modulate parameters.”

As far as OEIS sequences go, they have A000045 (Fibonacci), A006190 (Fibonacci-like), A000032 (Lucas), A000129 (Pell), which are all Fibonacci-like.

Then there’s <a href="https://github.com/amiika/ziffers">ziffers</a>, which is an extension for Sonic Pi. In their ziffers/lib/enumerables.rb there are a lot more, and weirder, sequences.

It has the Moser–de Bruijn sequence (A000695), Recamán’s sequence (A005132), Thue-Morse (A010060), Dress’s sequence (A001316), and many more. 
There are a bunch of 10-adic decimal expansions like A225410, the 10-adic integer x such that $x^3 = 7/9$, which seems&mldr;music-theory ish?And then there’s the Inventory Sequence, <a href="http://oeis.org/A342585">A342585</a> (oh goodness what is going on there), which seems very much NOT music-theory ish.My real question is: how does music that relies on these weird sequences actually sound? I can’t imagine a melody decided by the Inventory Sequence sounds very good. Every time someone does music based on the digits of pi, it’s kind of meh. But let me know if you’ve tried this.The Kobo e-reader has a document viewing program called <a href="https://github.com/baskerville/plato/">Plato</a>. It has a pen tool for markup, and for whatever reason, they use A000041 (the number of partitions of n) as the options for pen size. No reasoning was given in the commit/PR that added this.Finally, the <a href="https://github.com/GCWizard/GCWizard">GC wizard</a> is a geocaching app that serves as “an offline tool to support geocachers with in-field mysteries and riddles.”There are many hard-coded OEIS sequences and formulas in it, which leads to the amusing mental image of cache hunters standing in the wilderness, trying to decode a clue based on the look-and-say sequence, maybe using a stick to draw formulas in the dirt.<hr>Want to respond? <a href="mailto:mathintersectprogramming@gmail.com">Send me an email</a>, <a href="https://webmention.io/www.jeremykun.com/webmention">post a webmention</a>, or find me <a href="https://www.jeremykun.com/about/">elsewhere on the internet</a>.This article is syndicated on:<hr></div></article>The OEIS meta sequence and subway stationshttps://www.jeremykun.com/shortform/2026-04-09-0556/Thu, 09 Apr 2026 06:55:17 -0700https://www.jeremykun.com/shortform/2026-04-09-0556/A051070 is a sequence about OEIS sequences. a(n) is the n-th term in sequence A_n (or -1 if A_n doesn’t have enough terms). 
So the first term in A051070 is 1 because A000001 is the number of groups of order n, and that sequence has 1 as its entry in index 1. A000002 is the Kolakoski sequence (what? For another time) and has value 2 in entry 2. The sequence continues: 1, 2, 1, 0, 2, 3, 0, 7, 8, 4, 63, 1, 316, …<article id="main" class="content-container look-sheet article-pad-v h-entry" itemscope="" itemtype="https://schema.org/Article" morss_own_score="8.10179640718563" morss_score="14.367228505951061"><h1>The OEIS meta sequence and subway stations</h1>2026-04-09<div itemprop="articleBody" id="content" class="article-body margin-top-2em" morss_own_score="5.530864197530864" morss_score="32.04374298540965"><a href="https://oeis.org/A051070">A051070</a> is a sequence about OEIS sequences. a(n) is the n-th term in sequence A_n (or -1 if A_n doesn’t have enough terms).So the first term in A051070 is 1 because A000001 is the number of groups of order n, and that sequence has 1 as its entry in index 1. A000002 is the Kolakoski sequence (what? For another time) and has value 2 in entry 2. The sequence continues: 1, 2, 1, 0, 2, 3, 0, 7, 8, 4, 63, 1, 316, &mldr;At first you might think, “what in the Gödel?” What if the arbitrary indexing of the OEIS changes over time? Aren’t these sequences supposed to be defined by mathematical rules?Not the fun ones, apparently. In the comments, Pontus von Brömssen noted that a(58) has 58669977298272603 digits, so it’s too large to include in the database entry for A051070. a(66) is the first unknown value, because A000066 (Smallest number of vertices in trivalent graph with girth (shortest cycle) = n) is only known up to 12 vertices. And then we get to my two favorite quirks about this sequence.The first is that the first time a(n) = -1 occurs, it’s for n = 53 and 54, quoting the OEIS, “in both cases because the relevant New York subway lines do not have enough stops.” What? Why are New York Subway lines involved? 
Turns out, the OEIS has roughly a dozen sequences of numbered stops on train lines. A000053 is “Local stops on New York City 1 Train (Broadway-7 Avenue Local) subway.” A001049 is “Numbered stops in Manhattan on the Lexington Avenue subway.” Of course, this chips away even further at the idea that OEIS sequences need to have a mathematical definition removed from worldly messiness. Digging around, I could only find a short note in <a href="https://www.youtube.com/watch?v=ydn7s9-3GRc">this Numberphile video</a> where Neil Sloane (who created OEIS and added these entries) mentioned that they’re commonly used on math quizzes and tests. If you know someone who has used train lines on their quizzes, and didn’t already know about these OEIS entries, please let me know. I need this to be a common organic experience.The second quirk is that A051070 leaves open the question of what the value of a(51070) is. It gets worse with <a href="https://oeis.org/A102288">A102288</a>, which is defined as 1 + the n-th term in sequence A_n. (There are some slight differences about offsets here, but I’m using A102288 because it has juicier comments) Even if there was a default value for the 102288-th entry in this sequence, it would contradict its own definition.There is an argument in the comments section, which starts with an unattributed “What is a(102288)?!” M. F. Hasler complained in 2017: “The term a(102288) has no possible value according to the present definition, so the definition of this term should be changed.” Neil Sloane replied the same day: “I disagree with the previous comment! I prefer the present, deliberately paradoxical, definition.” In the age-old battle between whimsy and well-definedness, whimsy wins again.<hr>Want to respond? 
<a href="mailto:mathintersectprogramming@gmail.com">Send me an email</a>, <a href="https://webmention.io/www.jeremykun.com/webmention">post a webmention</a>, or find me <a href="https://www.jeremykun.com/about/">elsewhere on the internet</a>.This article is syndicated on:<hr></div></article>Deterministic Primality Testing for Limited Bit Widthhttps://www.jeremykun.com/2026/04/07/deterministic-miller-rabin/Tue, 07 Apr 2026 06:00:00 -0700https://www.jeremykun.com/2026/04/07/deterministic-miller-rabin/Problem: Determine if a 32-bit number is prime (deterministically) Solution: (in C++) // Bases to test. Using the first 4 prime bases makes the test deterministic // for all 32-bit integers. See https://oeis.org/A014233. int64_t bases[] = {2, 3, 5, 7}; inline int countTrailingZeros(uint64_t n) { if (n == 0) return 64; return __builtin_ctzll(n); } int64_t modularExponentiation(int64_t base, int64_t exponent, int64_t modulus) { int64_t res = 1; int64_t b = base % modulus; int64_t e = exponent; while (e > 0) { if (e & 1) { // Doesn't overflow because we assume 32-bit integer inputs res = (res * b) % modulus; } b = (b * b) % modulus; e >>= 1; } return res; } bool isPrime(int64_t n) { if (n < 2) return false; if (n < 4) return true; if (!<article id="main" class="content-container look-sheet article-pad-v h-entry" itemscope="" itemtype="https://schema.org/Article" morss_own_score="7.475247524752475" morss_score="13.52879882125755"><h1>Deterministic Primality Testing for Limited Bit Width</h1>2026-04-07<div itemprop="articleBody" id="content" class="article-body margin-top-2em" morss_own_score="5.107102593010146" morss_score="48.75939493597984">Problem: Determine if a 32-bit number is prime (deterministically)

Solution: (in C++)<pre><code>#include &lt;cstdint&gt;

// Bases to test. Using the first 4 prime bases makes the test deterministic
// for all n below 3215031751, which covers every signed 32-bit integer.
// See https://oeis.org/A014233.
int64_t bases[] = {2, 3, 5, 7};

inline int countTrailingZeros(uint64_t n) {
  if (n == 0) return 64;
  return __builtin_ctzll(n);
}

// Computes base^exponent mod modulus by repeated squaring.
int64_t modularExponentiation(int64_t base, int64_t exponent, int64_t modulus) {
  int64_t res = 1;
  int64_t b = base % modulus;
  int64_t e = exponent;
  while (e > 0) {
    if (e & 1) {
      // Doesn't overflow because we assume 32-bit integer inputs
      res = (res * b) % modulus;
    }
    b = (b * b) % modulus;
    e >>= 1;
  }
  return res;
}

bool isPrime(int64_t n) {
  if (n < 2) return false;
  if (n < 4) return true;
  if (!(n & 1)) return false;

  // Write n - 1 = d * 2^s with d odd.
  int64_t d = n - 1;
  unsigned s = countTrailingZeros(d);
  d = d >> s;

  for (int64_t a : bases) {
    if (n <= a) break;
    int64_t x = modularExponentiation(a, d, n);
    if (x == 1 || x == n - 1) continue;
    bool composite = true;
    for (unsigned r = 1; r < s; ++r) {
      // Doesn't overflow because x < n and n fits in 32 bits
      x = (x * x) % n;
      if (x == n - 1) {
        composite = false;
        break;
      }
    }
    if (composite) return false;
  }
  return true;
}
</code></pre>Discussion: In the late 1970s, Gary Miller and Michael Rabin came up with their now-famous Miller-Rabin primality test. See <a href="https://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test">Wikipedia</a> and <a href="https://www.jeremykun.com/2013/06/16/miller-rabin-primality-test/">my 2013 Program Gallery entry</a>. It was notable in that it provided a randomized algorithm to check if an integer is prime, which had a tunable parameter to increase the probability of being correct.

The intervening decades have seen a huge body of research improving both randomized and deterministic primality testing. In 2002, <a href="https://en.wikipedia.org/wiki/AKS_primality_test">Agrawal, Kayal, and Saxena found</a> a condition-free deterministic polynomial-time algorithm, and the <a href="https://en.wikipedia.org/wiki/Baillie%E2%80%93PSW_primality_test">Baillie-PSW</a> test, designed around the same time as Miller-Rabin, is still often used today in conjunction with Miller-Rabin. 
One of my favorite papers showing the importance of doing primality testing properly comes from cryptography: Albrecht et al.’s 2018 paper, <a href="https://dl.acm.org/doi/10.1145/3243734.3243787">Prime and Prejudice: Primality Testing Under Adversarial Conditions</a>.

In relation to <a href="https://heir.dev">my work on homomorphic encryption</a>, I found myself needing to generate a list of 40 primes, all roughly 32 bits in size, with particular properties. I stumbled across OEIS <a href="https://oeis.org/A014233">A014233</a>, through which I learned about the study of strong pseudoprimes.

A strong pseudoprime is a composite number that passes the Miller-Rabin test for a particular fixed (here, prime) base $a$. That is, a composite number $n$ of the form $d \cdot 2^s + 1$, with $d$ odd, such that $a^d \equiv 1 \pmod{n}$ or $a^{d \cdot 2^r} \equiv -1 \pmod{n}$ for some $0 \leq r < s$. For example, if you only check Miller-Rabin with a base of 2, $2047 = 23 \cdot 89$ will pass the test.

If you test multiple bases on the same input, you’ll hedge against hitting small strong pseudoprimes. Testing 2, 3, and 5 means the smallest strong pseudoprime that confounds your test is 25326001. If you add 7 to this list, the smallest one becomes 3215031751 (the next entry of A014233), so the code above is a deterministic test for every input below that bound, which includes all signed 32-bit integers.

To the best of my knowledge, the idea to track the growth rate of strong pseudoprimes for the purpose of fast primality testing was first published in <a href="https://doi.org/10.1090/S0025-5718-1980-0572872-7">a 1980 Mathematics of Computation journal paper</a> by Carl Pomerance, J. L. Selfridge and Samuel S. Wagstaff, Jr., titled “The Pseudoprimes to $25 \cdot 10^9$.”

The <a href="https://miller-rabin.appspot.com/">SPRP bases</a> website has a nice little competition: who can find the best set of bases (not necessarily prime) for deterministic primality testing? For each cardinality (number of bases), the site lists the set of bases that produces the largest minimal pseudoprime to those bases. 
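
To make the definition of a strong pseudoprime concrete, here is a minimal sketch (separate from the code in the repository) that checks a single base at a time. The names `powMod`, `passesStrongTest`, and `checkExamples` are made up for illustration, and the arithmetic assumes $n < 2^{32}$ and $a < n$ so that every product fits in a `uint64_t`. The asserted values are the ones quoted above and in A014233.

```cpp
#include <cassert>
#include <cstdint>

// Computes base^exponent mod modulus by repeated squaring.
// Assumption: modulus < 2^32, so (modulus - 1)^2 fits in a uint64_t.
uint64_t powMod(uint64_t base, uint64_t exponent, uint64_t modulus) {
  uint64_t result = 1 % modulus;
  uint64_t b = base % modulus;
  while (exponent > 0) {
    if (exponent & 1) result = (result * b) % modulus;
    b = (b * b) % modulus;
    exponent >>= 1;
  }
  return result;
}

// Returns true if the odd number n > 2 passes the Miller-Rabin check for the
// single base a (with a < n). A composite n that returns true is a strong
// pseudoprime to base a.
bool passesStrongTest(uint64_t n, uint64_t a) {
  // Write n - 1 = d * 2^s with d odd.
  uint64_t d = n - 1;
  unsigned s = 0;
  while ((d & 1) == 0) {
    d >>= 1;
    ++s;
  }
  uint64_t x = powMod(a, d, n);
  if (x == 1 || x == n - 1) return true;
  for (unsigned r = 1; r < s; ++r) {
    x = (x * x) % n;
    if (x == n - 1) return true;
  }
  return false;
}

// Spot checks of the pseudoprimes mentioned in the text.
void checkExamples() {
  // 2047 = 23 * 89 fools base 2 but is caught by base 3.
  assert(passesStrongTest(2047, 2));
  assert(!passesStrongTest(2047, 3));
  // 25326001 fools bases 2, 3, and 5, but is caught by base 7.
  assert(passesStrongTest(25326001, 2));
  assert(passesStrongTest(25326001, 3));
  assert(passesStrongTest(25326001, 5));
  assert(!passesStrongTest(25326001, 7));
  // 3215031751 fools all of 2, 3, 5, and 7.
  assert(passesStrongTest(3215031751ULL, 2));
  assert(passesStrongTest(3215031751ULL, 3));
  assert(passesStrongTest(3215031751ULL, 5));
  assert(passesStrongTest(3215031751ULL, 7));
}
```

Calling `checkExamples()` from a `main` should finish silently if those facts hold. Unsigned arithmetic is a deliberate choice in this sketch: squaring a residue modulo 3215031751 can exceed the range of a signed 64-bit integer, but it stays below $2^{64}$.
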
For covering all 64-bit integers, Jim Sinclair found this set of 7 bases.

$$ \{ 2, 325, 9375, 28178, 450775, 9780504, 1795265022 \} $$

For 32 bits, it can be done with three 64-bit bases

$$ \{ 4230279247111683200, 14694767155120705706, 16641139526367750375 \} $$

though the code above would need to be modified to account for overflow.

Performance-wise, the naive implementation of deterministic Miller-Rabin is decently fast. It can test primality of all 32-bit numbers in about 2 minutes on a MacBook (single-threaded). That said, there are far faster implementations, such as Kim Walisch’s <a href="https://github.com/kimwalisch/primesieve"><code>primesieve</code></a>, which can generate all 32-bit primes in 60 milliseconds. Notably, it does not use deterministic Miller-Rabin, opting instead for a <a href="https://github.com/kimwalisch/primesieve/blob/master/doc/ALGORITHMS.md">sieve-based method</a> with lots of cache optimizations and multithreading.

I am not a CPU performance tuning expert, but if you are, it might be fun to try to beat that runtime using this method. The <a href="https://miller-rabin.appspot.com/">SPRP bases</a> site also includes a section where they discuss using hashing to reduce the compute cost of the compositeness test in Miller-Rabin, which seems like it would be a useful component. I <a href="https://github.com/kimwalisch/primesieve/issues/180#issuecomment-4164369713">asked</a> Kim Walisch, the author of <code>primesieve</code>, and they replied that they had not tried a deterministic Miller-Rabin variant.

Finally, it is also worth noting<a href="https://www.jeremykun.com/2026/04/07/deterministic-miller-rabin/#fn:1">1</a> that the <a href="https://en.wikipedia.org/wiki/Baillie%E2%80%93PSW_primality_test">Baillie-PSW</a> test is also probabilistic in general, and is also known to be deterministic up to 64 bits. In fact, there is no known composite number that passes the Baillie-PSW test. 
I mainly chose not to implement it here because it’s a bit more complicated than Miller-Rabin.The code above is also <a href="https://github.com/j2kun/deterministic-miller-rabin">on GitHub</a>.<hr><ol><li>User <code>less_less</code> on HackerNews mentioned this, which I realize now was an oversight not to mention. <a href="https://www.jeremykun.com/2026/04/07/deterministic-miller-rabin/#fnref:1">↩︎</a></li></ol><hr>Want to respond? <a href="mailto:mathintersectprogramming@gmail.com">Send me an email</a>, <a href="https://webmention.io/www.jeremykun.com/webmention">post a webmention</a>, or find me <a href="https://www.jeremykun.com/about/">elsewhere on the internet</a>.This article is syndicated on:<hr></div></article>