Homomorphic Encryption (HE)

A scheme that supports an unlimited number of operations of a single type (either addition or multiplication) on ciphertexts. It is the most efficient and practical form of HE for specific use cases.

• Examples: RSA (multiplicative), ElGamal (multiplicative), Paillier (additive).
• Use Case: Secure voting systems using Paillier for tallying encrypted votes without decryption.

A scheme that supports both addition and multiplication on ciphertexts, but only for a limited number of operations. After a certain depth of computation, noise grows and corrupts the ciphertext. Bootstrapping is required to continue.

• Foundation: Early schemes like BGN (Boneh–Goh–Nissim) and early versions of BGV/BFV were SHE.
• Limitation: Practical only for circuits (computations) of a predefined, shallow depth.

The 'holy grail' of HE, allowing an unlimited number of both addition and multiplication operations on ciphertexts. First realized by Craig Gentry in 2009 using a bootstrapping technique to manage noise growth.

• Core Mechanism: Bootstrapping refreshes a ciphertext, reducing noise and enabling further computations.
• Trade-off: Bootstrapping is computationally intensive, making FHE orders of magnitude slower than PHE or SHE.

Two closely related Ring Learning With Errors (RLWE)-based FHE schemes that operate on integer arithmetic. They are among the most widely implemented and studied FHE schemes.

• BFV (Brakerski/Fan-Vercauteren): Optimized for efficient integer arithmetic and often used for applications like private machine learning inference.
• BGV (Brakerski-Gentry-Vaikuntanathan): Similar to BFV but uses a different noise management technique. Often considered together in libraries like Microsoft SEAL.

A Cheon-Kim-Kim-Song (CKKS) scheme is an RLWE-based FHE method designed for approximate arithmetic on real or complex numbers. It is the primary scheme for privacy-preserving machine learning.

• Key Feature: Encrypts numbers with inherent approximation error, trading perfect precision for much greater efficiency in computations like matrix multiplications and activation functions.
• Primary Use: Enabling neural network inference on encrypted data without revealing the model or the input.

Fast Fully Homomorphic Encryption over the Torus (TFHE) is a scheme optimized for Boolean circuit evaluation (AND, OR, NOT, XOR gates) with very fast bootstrapping.

• Operation: Encrypts single bits and performs logical gate operations homomorphically.
• Advantage: Extremely fast bootstrapping (milliseconds per gate) makes it suitable for complex, deep Boolean circuits where other schemes would be impractical.
• Use Case: Secure evaluation of arbitrary functions expressed as binary circuits.

Homomorphic Encryption is a form of encryption that allows specific types of computations to be performed directly on ciphertext, generating an encrypted result which, when decrypted, matches the result of operations performed on the plaintext. This property is categorized by the operations it supports:

• Partially Homomorphic Encryption (PHE): Supports one operation (e.g., addition or multiplication) an unlimited number of times.
• Somewhat Homomorphic Encryption (SHE): Supports both addition and multiplication, but only for a limited number of operations.
• Fully Homomorphic Encryption (FHE): Supports both addition and multiplication an unlimited number of times, enabling arbitrary computations on encrypted data.

HE enables confidential smart contracts where transaction details and state changes remain encrypted. This is critical for applications requiring privacy, such as:

• Private Voting & Governance: Casting encrypted votes on-chain where the tally is computed without revealing individual choices.
• Sealed-Bid Auctions: Submitting encrypted bids, with the winner determined without exposing other bids.
• Private DeFi: Executing financial transactions (e.g., loans, trades) without leaking sensitive position data or amounts to the public ledger. Projects like Fhenix and Inco are building FHE-enabled Layer 1 and Layer 2 blockchains to bring this capability to Web3.

HE addresses critical trust issues in blockchain data feeds and transaction ordering:

• Private Oracles: Sensitive off-chain data (e.g., credit scores, medical records) can be encrypted before being sent to an oracle. Smart contracts can then compute using this encrypted data without ever seeing the raw information.
• Miner/Maximal Extractable Value (MEV) Mitigation: Users can submit encrypted transactions. Validators or sequencers can order and include them in a block without being able to front-run or sandwich the transactions, as the contents remain hidden until after block confirmation.

HE allows for verification of credentials without exposing the underlying data, a key component for decentralized identity (DID) and Zero-Knowledge-adjacent systems.

• Proof of Compliance: A user can prove they are over a certain age or hold a specific credential by providing an encrypted proof that a smart contract can verify.
• Private Access Control: Granting access to a resource based on encrypted attributes, ensuring the resource provider never learns the user's specific traits. This moves beyond simple anonymity to provide selective disclosure and computational privacy.

Despite its promise, HE faces significant hurdles for mainstream Web3 adoption:

• Computational Overhead: FHE operations are orders of magnitude slower and more resource-intensive than plaintext computations, leading to high gas costs and latency.
• Ciphertext Expansion: Encrypted data (ciphertext) is much larger than the original plaintext, increasing blockchain storage and bandwidth requirements.
• Complex Key Management: Systems often require multiple keys (public, private, evaluation) and sophisticated protocols for secure generation and distribution. Ongoing research in hardware acceleration (e.g., GPUs, FPGAs) and more efficient cryptographic schemes (like CKKS for approximate arithmetic) aims to mitigate these issues.

HE and Zero-Knowledge Proofs (ZKPs) are complementary privacy technologies with different core functions:

• Homomorphic Encryption: Focuses on private computation. Data is encrypted, processed while encrypted, and results remain encrypted for the user to decrypt.
• Zero-Knowledge Proofs: Focus on private verification. They prove a statement is true (e.g., 'I have a valid password') without revealing the underlying data used to generate the proof. Hybrid systems are emerging. For example, using HE to perform private computations and a ZKP to generate a verifiable proof that the computation was executed correctly on the encrypted data, combining privacy with auditability.

The primary limitation of Homomorphic Encryption (HE) is its immense computational cost. Performing operations on ciphertext is orders of magnitude slower than on plaintext. For example, a simple multiplication in Fully Homomorphic Encryption (FHE) can be 10,000 to 1,000,000 times slower than its plaintext counterpart. This overhead makes it currently impractical for high-throughput, real-time applications without specialized hardware acceleration.

HE schemes cause significant ciphertext expansion, where encrypted data is much larger than the original plaintext. A single bit of data can expand into kilobytes of ciphertext. This impacts:

• Storage costs: Requiring substantially more disk space.
• Network bandwidth: Increasing latency for data transfer.
• Memory usage: Limiting the complexity of computations that can be performed in-memory. Managing this expansion is a critical systems engineering challenge.

HE security rests on specific cryptographic hardness assumptions, most commonly the Learning With Errors (LWE) problem or its ring-based variant (RLWE). Limitations include:

• Parameter selection: Incorrectly chosen security parameters (e.g., polynomial degree, ciphertext modulus) can weaken the scheme.
• Quantum vulnerability: While LWE/RLWE are considered post-quantum secure, specific implementations may have weaknesses.
• Trusted setup: Some HE schemes require a trusted party to generate public parameters, creating a potential single point of failure.

HE supports a restricted set of operations, typically addition and multiplication over integers or fixed-point numbers. Key limitations are:

• No native comparisons: Operations like > or == are not directly possible without complex, expensive workarounds.
• Limited precision: Representing floating-point numbers or performing complex functions (e.g., division, logarithms) requires approximation techniques, introducing computational error.
• Circuit depth limits: In Somewhat Homomorphic Encryption (SHE), noise growth limits the number of sequential multiplications possible before decryption fails.

Robust key management is more complex than in standard encryption. Considerations include:

• Secret key distribution: The entity performing decryption must securely hold the secret key, creating a central trust point.
• Key rotation: Changing keys requires re-encrypting all data, which is highly expensive due to ciphertext expansion.
• Multi-key & threshold schemes: Enabling computations on data encrypted under different keys (e.g., from multiple parties) adds significant cryptographic and operational overhead.

Like all cryptography, HE implementations are vulnerable to side-channel attacks that exploit physical leaks (timing, power consumption, electromagnetic emissions). Defenses are non-trivial because:

• Complex operations have variable execution paths that can leak secret key material.
• Protections like masking further increase the already substantial computational overhead.
• Formal verification of HE libraries and circuits is essential but challenging, leaving room for subtle bugs that compromise security.

The most powerful form, allowing arbitrary computations on encrypted data. A ciphertext (encrypted data) can be transformed into another ciphertext that, when decrypted, matches the result of performing any function on the original plaintext. This enables complex private smart contracts and confidential decentralized finance (DeFi) where data never needs to be revealed.

• Key Property: Supports unlimited addition and multiplication operations.
• Example: A blockchain node can validate a transaction proving a user's balance is sufficient without ever knowing the actual balance.

Allows only one type of operation (either addition or multiplication) to be performed an unlimited number of times on ciphertexts. It is less computationally intensive than FHE and is used in specific privacy applications.

• Additive HE: Ciphertexts can be added; the sum decrypts to the sum of the plaintexts. Used in private voting and privacy-preserving analytics.
• Multiplicative HE: Ciphertexts can be multiplied; the product decrypts to the product of the plaintexts.

A practical middle ground that supports both addition and multiplication but only for a limited number of operations (a bounded computational depth). After too many operations, noise in the ciphertext grows, making decryption impossible. SHE schemes are often used as building blocks for bootstrappable FHE systems, where the ciphertext is periodically "refreshed" to allow further computations.

A complementary cryptographic primitive often used with HE. While HE allows computation on encrypted data, ZKPs allow one party to prove the correctness of a computation about private data without revealing the data itself. In blockchain, they are combined for maximum privacy and scalability.

• Key Difference: ZKPs generate a proof of computation; HE allows the computation itself to be performed in encrypted form.
• Synergy: HE can encrypt private inputs, and a ZKP can prove the encrypted computation was executed correctly.

Another privacy-enhancing technique where multiple parties jointly compute a function over their private inputs while keeping those inputs concealed from each other. HE is a key tool for constructing MPC protocols.

• Relation to HE: In MPC, data is often secret-shared or encrypted using HE schemes to enable joint computation.
• Blockchain Use Case: Threshold signatures for wallets and private decentralized exchanges where order book matching occurs without revealing individual orders.

The primary mathematical foundation for modern, post-quantum FHE schemes. Security relies on the hardness of problems like Learning With Errors (LWE) and Ring-LWE, which are believed to be resistant to attacks by quantum computers.

• Importance for HE: Provides the algebraic structure that enables efficient addition and multiplication on ciphertexts while controlling noise growth.
• Future-Proofing: Makes FHE a viable long-term solution for privacy in a potential quantum computing era.