
Homomorphic encryption

Homomorphic encryption is a cryptographic technique that enables computations to be performed directly on encrypted data (known as ciphertext) such that the result, when decrypted, corresponds to the outcome of the same operations applied to the original unencrypted data, or plaintext, thereby preserving confidentiality without requiring decryption during processing. The concept was first proposed in 1978 by Ronald Rivest, Len Adleman, and Michael Dertouzos in their paper "On Data Banks and Privacy Homomorphisms," where they envisioned privacy-preserving computations on encrypted information stored in databases. Early schemes were limited to partially homomorphic encryption (PHE), supporting only specific operations like addition (e.g., the Paillier cryptosystem from 1999) or multiplication (e.g., textbook RSA encryption).

In 2009, Craig Gentry introduced the first fully homomorphic encryption (FHE) scheme, capable of arbitrary computations on encrypted data, based on ideal lattices and incorporating a bootstrapping mechanism to manage noise accumulation in ciphertexts. Subsequent advancements have refined FHE, including somewhat homomorphic encryption (SHE) variants that support a bounded number of operations before noise limits further computation, as demonstrated in Kristin Lauter's 2011 proof-of-concept for genomic data analysis.

These developments have addressed initial performance challenges, with libraries like IBM's HElib enabling practical implementations, though FHE remains computationally intensive, often millions of times slower than unencrypted processing. Homomorphic encryption holds significant promise for applications in secure cloud computing, privacy-preserving machine learning, and sensitive data analysis in fields like healthcare and finance, allowing third parties to process data without accessing its contents.

Fundamentals

Definition and Motivation

Homomorphic encryption is a cryptographic technique that enables computations on encrypted data without requiring decryption, producing an encrypted output that, upon decryption, corresponds to the result of the same computations performed on the underlying plaintext. This property preserves the confidentiality of the data during processing, distinguishing it from conventional encryption schemes where data must be decrypted before any operations can be applied. The concept was originally termed "privacy homomorphisms" by Rivest, Adleman, and Dertouzos in their 1978 paper, which described functions that map operations on plaintext to corresponding operations on ciphertext while maintaining secrecy.

Formally, in a homomorphic encryption scheme, the encryption function $\text{Enc}$ satisfies $\text{Enc}(f(m_1, \dots, m_k)) = f(\text{Enc}(m_1), \dots, \text{Enc}(m_k))$ for plaintext messages $m_1, \dots, m_k$ and some allowed function $f$, such as addition or multiplication, thereby permitting the evaluation of circuits or functions directly on ciphertexts. This allows untrusted parties, such as cloud providers, to perform complex data analysis or machine learning tasks on sensitive information without accessing the raw data, addressing key privacy challenges in modern computing environments.

The primary motivation for homomorphic encryption stems from the need to outsource computations securely in scenarios like cloud computing, where users send encrypted data to third parties for processing but wish to prevent exposure of plaintexts to potential adversaries or even the service providers themselves. Unlike traditional encryption, which protects data at rest or in transit but requires decryption for computation (risking breaches during processing), homomorphic encryption maintains confidentiality throughout the entire workflow, enabling applications in healthcare, finance, and genomics where data privacy is paramount.

A simple illustration of this property appears in the additive homomorphic variant of , where the addition of two ciphertexts yields a ciphertext encrypting the sum of the respective plaintexts: $\text{Enc}(a) + \text{Enc}(b) = \text{Enc}(a + b)$. The roots of homomorphic encryption trace back to the 1970s with the emergence of public-key cryptography, but practical schemes supporting arbitrary computations were not achieved until Gentry's 2009 construction of fully homomorphic encryption.

Core Properties

Homomorphic encryption schemes are characterized by their ability to support specific algebraic operations on ciphertexts that correspond to operations on the underlying plaintexts, preserving the structure between the plaintext and ciphertext spaces. These schemes can be additive, allowing homomorphic addition where the encryption of the sum of two messages equals the sum of their encryptions, denoted as $\text{Enc}(m_1 + m_2) = \text{Enc}(m_1) + \text{Enc}(m_2)$; multiplicative, supporting homomorphic multiplication such that $\text{Enc}(m_1 \cdot m_2) = \text{Enc}(m_1) \cdot \text{Enc}(m_2)$; or fully homomorphic, enabling both operations and thus arbitrary computations expressible as circuits.

A core operational property in many homomorphic encryption schemes, particularly lattice-based ones, is noise growth, where each homomorphic operation (especially multiplication) increases the noise inherent in the ciphertext. This noise, introduced during encryption to ensure security, accumulates such that after sufficient operations, it may exceed a threshold, causing decryption failure unless mitigated by techniques like bootstrapping, which refreshes the ciphertext to reduce noise.

Formally, a homomorphic encryption scheme is defined by algorithms $\text{KeyGen}$ for key generation, $\text{Enc}$ for encryption, $\text{Dec}$ for decryption, and $\text{Eval}$ for evaluation, satisfying correctness: for any function $f$ supported by the scheme, $\text{Dec}(\text{sk}, \text{Eval}_f(\text{Enc}(\text{pk}, m))) = f(m)$ with overwhelming probability over the randomness in key generation, encryption, and evaluation. Additionally, these schemes achieve semantic security (or IND-CPA security), ensuring that no efficient adversary can distinguish encryptions of two distinct messages with non-negligible advantage, even after seeing arbitrary ciphertexts.

Computations in homomorphic encryption are typically represented as Boolean circuits (using gates like , NOT for bit-level operations) or arithmetic circuits (using addition and multiplication over rings or fields), with non-fully homomorphic schemes limited to circuits of bounded depth or size to control noise growth and maintain correctness.

Most practical homomorphic encryption schemes are public-key, where encryption uses a public key $\text{pk}$ and evaluation is performed without the secret key $\text{sk}$, though symmetric variants exist that require a secret key for both encryption and evaluation, offering efficiency trade-offs in certain settings. A desirable property is compact ciphertexts, where the size of an evaluated ciphertext remains polylogarithmic in the of the , independent of the number of input ciphertexts or operations performed, enabling scalable evaluations.

Classification of Schemes

Homomorphic encryption schemes are broadly classified according to the computational capabilities they provide over encrypted data, particularly the types and quantities of operations supported. This distinguishes between schemes that handle limited operations and those enabling more complex computations, while also considering factors like noise management and arithmetic domains. The primary categories include partially homomorphic encryption (PHE), somewhat homomorphic encryption (SWHE), and fully homomorphic encryption (FHE), with further subdivisions into leveled and bootstrappable variants, as well as exact (integer-based) and approximate (real-number-based) schemes.

Partially homomorphic encryption (PHE) schemes support an unlimited number of a single operation type (either addition or multiplication) on ciphertexts, but cannot combine both indefinitely. Classic examples include the RSA cryptosystem, which enables homomorphic multiplication and relies on the hardness of the integer factorization problem, and the Paillier scheme, which supports homomorphic addition based on the composite residuosity assumption. These schemes are efficient for specific applications like secure voting or financial computations requiring only one operation, but their limitations prevent general-purpose use.

Somewhat homomorphic encryption (SWHE) extends PHE by allowing a limited number of both additions and multiplications, sufficient for evaluating bounded-depth circuits or polynomials of restricted degree, without the need for ciphertext refreshment. These schemes, prevalent before fully homomorphic breakthroughs, manage noise growth to support a polynomial number of operations, often based on problems like the learning with errors (LWE) assumption. However, exceeding the operation limit leads to decryption failures due to excessive noise accumulation.

Fully homomorphic encryption (FHE) enables an unbounded number of arbitrary additions and multiplications, realizing computations of any depth by incorporating bootstrapping to periodically refresh noisy ciphertexts and prevent decryption errors. Introduced by Gentry in 2009 using ideal lattices under the approximate greatest common divisor (GCD) assumption, FHE schemes typically rely on ring-LWE (RLWE) for security in modern variants. While theoretically powerful, FHE remains computationally intensive due to the overhead of bootstrapping.

Within FHE, leveled homomorphic encryption is a practical option that supports a fixed number of operations (a predetermined depth) without bootstrapping, trading unbounded computation for efficiency. The BGV scheme exemplifies this, using RLWE and modulus switching to control noise for leveled operations on packed integers. Bootstrappable FHE, in contrast, achieves unbounded depth through periodic bootstrapping, as in Gentry's original construction.

Schemes also differ in their arithmetic domains: exact FHE operates on integers with precise results, as in BGV and BFV, while approximate variants handle real or complex numbers with controlled precision loss, suitable for applications like . The CKKS scheme, based on RLWE, scales ciphertexts to approximate real arithmetic, introducing small errors but enabling efficient packed computations. The following table summarizes key characteristics of these classifications:
| Type | Supported Operations | Security Basis | Limitations |
|---|---|---|---|
| PHE | Unlimited additions or multiplications | Factoring (e.g., RSA), composite residuosity (Paillier) | Single operation type only |
| SWHE | Limited additions and multiplications (bounded depth) | LWE/RLWE | Noise limits circuit depth |
| Leveled FHE | Fixed-depth additions and multiplications | RLWE | No unbounded computation; depth preset |
| Bootstrappable FHE | Arbitrary additions and multiplications | RLWE | High computational overhead from bootstrapping |
| Approximate FHE | Real/complex arithmetic with scaling | RLWE | Precision loss in results |

Historical Development

Early Concepts and Predecessors

The concept of homomorphic encryption originated in 1978 with the introduction of "privacy homomorphisms" by Ronald Rivest, Leonard Adleman, and Michael Dertouzos, who envisioned encryption schemes allowing computations on encrypted data to produce encrypted results corresponding to operations on plaintexts, thereby enabling secure data processing without decryption. This idea was inspired by early public-key cryptography, including the Diffie-Hellman key exchange from 1976, which exhibits homomorphic properties in the exponentiation operation over discrete logarithm groups, allowing additive operations on exponents to translate to multiplicative operations on group elements. Shortly thereafter, the RSA cryptosystem, proposed in 1978 by Rivest, Adleman, and Adi Shamir, demonstrated multiplicative homomorphism: the product of two ciphertexts encrypts the product of their plaintexts, supporting unlimited multiplications. In 1982, Shafi Goldwasser and Silvio Micali advanced probabilistic encryption with a scheme based on the quadratic residuosity assumption, providing semantic security and homomorphism with respect to bitwise XOR operations on single bits, where the XOR of plaintext bits corresponds to the product of their ciphertexts modulo a Blum integer. This allowed limited logical operations on encrypted bits but suffered from high expansion, as each bit required a full modulus-sized ciphertext. Josh Benaloh extended this in 1994 with dense probabilistic encryption, modifying the Goldwasser-Micali framework to encode multiple bits per ciphertext using higher-degree residues, thereby improving efficiency while preserving XOR homomorphism and semantic security under the higher residuosity assumption. 
Additive homomorphism emerged prominently in 1999 with Pascal Paillier's cryptosystem, based on the composite residuosity problem, where the product of two ciphertexts encrypts the sum of their plaintexts, and multiplication by a plaintext value can be performed on a ciphertext, enabling unlimited additions and a bounded number of multiplications. These partially homomorphic schemes, supporting either addition or multiplication indefinitely but not both without bound, laid essential groundwork for more general systems.

Theoretical progress in the 1990s, particularly Miklós Ajtai's 1996 construction of hard lattice instances and his 1997 collaboration with Cynthia Dwork on a public-key cryptosystem, demonstrated worst-case to average-case reductions for lattice problems, hinting at the potential for bootstrappable schemes that could support arbitrary , including both additions and multiplications. Concurrently, Yao's 1986 garbled circuits offered an alternative to homomorphic encryption for secure , enabling two parties to evaluate any function on private inputs without revealing them, using and circuit evaluation, though it required interaction and did not operate directly on encrypted data. Despite these advances, all pre-2009 schemes remained partially homomorphic, limited to either additive or multiplicative operations without unbounded depth for both, preventing general-purpose computation on encrypted data until Craig Gentry's breakthrough in fully homomorphic encryption.

First-Generation Fully Homomorphic Encryption

In 2009, Craig Gentry introduced the first fully homomorphic encryption (FHE) scheme, marking a breakthrough in allowing arbitrary computations on encrypted data without decryption. This construction builds on prior somewhat homomorphic schemes, such as those based on the , but extends them to support unlimited depth through a novel refresh mechanism. The scheme relies on ideal lattices over polynomial rings, where computations are performed modulo an ideal, enabling efficient representation of both addition and multiplication operations.

The core construction treats as in the ring $R = \mathbb{Z}[x]/(f(x))$, where $f(x)$ is typically $x^n + 1$ with $n$ a power of 2, ensuring the ring supports efficient homomorphic properties. The secret key is a short element $s \in R$, and a ciphertext for a binary message $m \in \{0, 1\}$ is a pair $(a, b) \in R_q \times R_q$, where $q$ is a large modulus, $a$ is chosen uniformly, and $b = a \cdot s + e + m \cdot \lfloor q / 2 \rfloor$ with $e$ a small noise term from a discrete Gaussian distribution to ensure security. Homomorphic addition and multiplication are performed componentwise: for addition, $(a_1, b_1) + (a_2, b_2) = (a_1 + a_2, b_1 + b_2)$; for multiplication, $(a_1, b_1) \cdot (a_2, b_2) = (a_1 a_2, a_1 b_2 + a_2 b_1 + b_1 b_2)$, all modulo $q$, though multiplication causes the noise $e$ to grow quadratically. Decryption recovers $m$ by computing $\lfloor (b - a \cdot s) / (q/2) \rceil \bmod 2$, provided the noise remains below $q/4$; noise tracking is essential, as accumulated errors limit the scheme to "somewhat" homomorphic evaluation until refreshed. The scheme also incorporates inspired by sparse subset sum problems for generating sparse errors that maintain the noise growth under control during initial evaluations.

A key innovation is the "squashing" technique, which simplifies the decryption circuit to enable bootstrapping by augmenting the public key with hints (short multiples of the secret key) that allow decryption via a low-degree polynomial evaluation and rounding, reducing the circuit complexity from linear to constant size in the security parameter. Bootstrapping then achieves full homomorphy: to refresh a noisy ciphertext $\psi$, an auxiliary public key encrypts the secret key $s$ under the same scheme, and the evaluator homomorphically computes the decryption circuit on $\psi$ using these encrypted keys, producing a new ciphertext with reduced noise, thus allowing unbounded computation depth at the cost of evaluating the scheme on itself.

The security of Gentry's scheme reduces to the hardness of worst-case lattice problems in ideal lattices, specifically the approximate shortest vector problem (SVP) and shortest independent vectors problem (SIVP), assuming the quantum worst-case hardness for subexponential approximation factors. This basis provides a strong foundation, as solving SVP in the full implies breaking the scheme, with reductions holding under the learning with errors (LWE) assumption adapted to ideal lattices.

Despite its theoretical significance, the scheme suffers from extreme inefficiency due to large parameters and costly bootstrapping. Early implementations, such as the variant by Gentry and Halevi, required public keys up to 2.3 gigabytes for modest security levels (around 72 bits), with taking up to 7.5 hours and (refresh) operations exceeding 2 hours per instance on contemporary hardware. Overall performance equated to seconds per bit for basic operations, rendering it impractical for all but proof-of-concept demonstrations, primarily due to the quadratic noise growth and overhead of ring arithmetic in high dimensions.
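Added example (not Gentry's construction and not code from any FHE library): a toy LWE analogue of the $(a, b)$ ciphertext form above, using integer vectors instead of ring elements, showing that ciphertext addition acts as XOR on the encrypted bits and that decryption breaks once the accumulated noise reaches $q/4$. The modulus, dimension and function names are constructed assumptions, and multiplication is not implemented.

```python
"""Toy LWE-style bit encryption: b = <a, s> + e + m * floor(q/2)  (mod q).

Constructed toy parameters; far too small to be secure.
"""
import random

Q = 4096   # ciphertext modulus q (constructed toy value); q/4 = 1024
N = 16     # length of the vectors a and s (constructed toy value)


def keygen(rng):
    """Short secret key: coefficients drawn from {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]


def _dot(a, s):
    return sum(ai * si for ai, si in zip(a, s))


def encrypt(s, m, e, rng):
    """Encrypt bit m with an explicit noise value e, so growth is observable."""
    a = [rng.randrange(Q) for _ in range(N)]
    b = (_dot(a, s) + e + m * (Q // 2)) % Q
    return a, b


def add(c1, c2):
    """Componentwise addition; on plaintext bits this is XOR, since 2*(q/2) = q."""
    (a1, b1), (a2, b2) = c1, c2
    return [(x + y) % Q for x, y in zip(a1, a2)], (b1 + b2) % Q


def phase(s, ct):
    """b - <a, s> mod q, i.e. m * q/2 plus the accumulated noise."""
    a, b = ct
    return (b - _dot(a, s)) % Q


def decrypt(s, ct):
    """round(phase / (q/2)) mod 2, in integer arithmetic."""
    return ((4 * phase(s, ct) + Q) // (2 * Q)) % 2


def noise(s, ct, m):
    """Signed noise in ct, given the bit m it is supposed to encrypt."""
    d = (phase(s, ct) - m * (Q // 2)) % Q
    return d - Q if d >= Q // 2 else d


def first_failure(s, e, rng, limit=64):
    """Sum fresh encryptions of 0 (each with noise e) until decryption is wrong.

    Returns (number of ciphertexts summed, accumulated noise), or None if the
    sum still decrypts correctly after `limit` ciphertexts.
    """
    acc = encrypt(s, 0, e, rng)
    for count in range(1, limit + 1):
        if decrypt(s, acc) != 0:
            return count, noise(s, acc, 0)
        acc = add(acc, encrypt(s, 0, e, rng))
    return None


if __name__ == "__main__":
    rng = random.Random(2024)
    s = keygen(rng)
    one = encrypt(s, 1, 50, rng)
    zero = encrypt(s, 0, -50, rng)
    print("1 xor 0 ->", decrypt(s, add(one, zero)))
    print("1 xor 1 ->", decrypt(s, add(one, one)))
    print("first failure with per-ciphertext noise 100:", first_failure(s, 100, rng))
```

With a per-ciphertext noise of 100 and $q/4 = 1024$, ten summed ciphertexts still decrypt correctly and the eleventh addition flips the result, which is the point at which a real scheme would need a refresh.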

Second-Generation Fully Homomorphic Encryption

Second-generation fully homomorphic encryption schemes, emerging around 2011–2012, shifted focus toward efficiency by constructing leveled FHE systems capable of evaluating circuits of predetermined depth without relying on bootstrapping for noise refreshment in many cases. These schemes leverage lattice-based assumptions, particularly the learning with errors (LWE) problem, to achieve exact arithmetic on encrypted integers while dramatically reducing computational overhead compared to first-generation constructions. By introducing techniques for controlled noise growth, they enabled practical implementations for shallow computations, such as those in privacy-preserving or with limited circuit depth.

The Brakerski-Vaikuntanathan (BV) scheme of 2011 establishes a foundation on the standard LWE assumption, utilizing a scale-invariant variant of LWE to manage noise effectively during homomorphic operations. In this approach, the noise distribution remains independent of the scale, preventing that plagued earlier schemes and allowing for more multiplications before noise overwhelms the signal. The BV construction supports addition and multiplication on encrypted data, with security directly reducing to the hardness of LWE, a problem conjectured secure against quantum attacks. This scale-invariant property facilitates modulus reduction techniques that "squash" noise without altering the underlying message, making the scheme suitable for leveled FHE up to moderate depths.

The Brakerski-Gentry-Vaikuntanathan (BGV) scheme of 2012 extends the BV framework by basing it on the ring-LWE assumption, which operates over polynomial rings to enable packed single-instruction multiple-data (SIMD) operations for batching multiple plaintexts into a single ciphertext. Central techniques include modulus switching, which scales down the ciphertext modulus post-operation to bound noise growth while preserving correctness, and key switching, which replaces the expanded secret key after multiplication with a more compact one to maintain efficiency. Additionally, relinearization applies key switching to quadratic ciphertexts produced by multiplication, ensuring ciphertext sizes remain constant rather than growing linearly with depth. These mechanisms allow BGV to support leveled FHE for circuits of depth 10–20 in practice, with security reducing to ring-LWE, an extension of LWE believed to offer comparable hardness.

Overall, second-generation schemes achieve up to 1,000-fold speedups over first-generation FHE by eliminating frequent bootstrapping (referencing the recryption method from Gentry's 2009 blueprint only for unbounded depth if needed) and prioritizing optimized for real-world leveled applications. This stems from tighter noise bounds and ring-based packing, making them foundational for subsequent libraries like HElib.

Third-Generation Fully Homomorphic Encryption

Third-generation fully homomorphic encryption schemes, developed between 2013 and 2017, marked a shift toward more efficient constructions that support approximate computations on non-integer data, such as real or complex numbers, while maintaining security under the learning with errors (LWE) assumption. These schemes addressed limitations in prior generations by introducing techniques like matrix-based operations and rescaling, enabling practical evaluations of circuits with controlled precision loss. Unlike earlier integer-based approaches, third-generation methods prioritize for applications requiring floating-point-like operations, though they introduce inherent errors that must be managed.

A foundational scheme in this generation is the Gentry-Sahai-Waters (GSW) construction from 2013, which employs a matrix-based approach over the integers for homomorphic operations. In GSW, ciphertexts are represented as matrices, and homomorphic multiplication corresponds to matrix multiplication, simplifying relinearization (a process to reduce ciphertext degree after multiplication) by avoiding the need for an explicit key and leveraging efficient matrix computations. This design yields asymptotically faster performance compared to previous LWE-based fully homomorphic encryption schemes, particularly in key-switching operations essential for maintaining low noise growth. Security relies on the hardness of the LWE problem, with the scheme supporting leveled homomorphic properties that can be extended to full homomorphy via bootstrapping techniques inherited from second-generation methods.

Building on similar LWE foundations, the Cheon-Kim-Kim-Song (CKKS) scheme from extends support to approximate computations on real and complex numbers by encoding plaintexts as polynomials via the canonical embedding. CKKS manages noise through a rescaling operation that truncates the modulus, intentionally introducing a small precision loss to control error growth, while an accompanying error analysis bounds the total precision loss to at most one additional bit beyond what occurs in unencrypted computation over the circuit depth. Homomorphic multiplication in CKKS thus proceeds with controlled precision degradation, and the scheme avoids costly bit-decomposition steps required in prior integer schemes, enabling efficient evaluation of transcendental functions like exponentials and Fourier transforms. For full homomorphy, variants refresh ciphertexts to reset , though the leveled version suffices for many approximate applications. Security is based on the ring-LWE (RLWE) problem, with rigorous guarantees on accuracy derived from properties.

These schemes offer key advantages for privacy-preserving machine learning, where approximate arithmetic aligns with the tolerance for floating-point errors in training and inference. CKKS, in particular, facilitates packed operations on vectors of real numbers, supporting batched computations that are significantly more efficient (often by factors of 10 to 100 for multiplications and related operations) than second-generation schemes like BGV for such workloads. The linear growth of the modulus with depth in CKKS further enhances practicality, reducing the computational overhead for deep circuits compared to exponential expansions in earlier designs.

Fourth-Generation and Recent Advances

The fourth generation of fully homomorphic encryption (FHE) schemes, emerging post-2018, emphasizes enhanced efficiency and practical deployment, building on prior lattice-based constructions to support faster programmable operations over encrypted data. A seminal advancement is the TFHE scheme, introduced by Chillotti et al., which operates over the torus and enables gate-by-gate bootstrapping with a reported time of 13 milliseconds per binary gate on a single CPU core, significantly reducing computational overhead compared to earlier methods. This scheme supports arbitrary circuits through programmable bootstrapping, allowing evaluation of any function via lookup tables, and has been implemented in an open-source library that facilitates efficient homomorphic operations for privacy-sensitive applications.

Recent library updates have further optimized approximate FHE variants, particularly the CKKS scheme for real-number computations. In 2024, enhancements to SEAL incorporated advanced parameter selection and rescaling techniques, achieving up to 2x speedup in multiplication depth for CKKS bootstrapping while maintaining precision for workloads. Comparative studies in 2025 have evaluated FHE libraries like SEAL, OpenFHE, and others for privacy-preserving machine learning, highlighting TFHE's superiority in low-latency inference (e.g., under 100ms for small neural networks) but noting CKKS's advantages in vectorized approximate operations for larger datasets. These analyses underscore ongoing efficiency gains, with hybrid schemes reducing overall runtime by 30-50% in encrypted ML tasks.

Hybrid approaches combining TFHE with CKKS address precision trade-offs by leveraging TFHE for exact Boolean gates in low-precision components and CKKS for approximate arithmetic in high-dimensional data, enabling mixed-precision computations in neural network inference with minimal accuracy loss (under 2% degradation). For instance, the CKKS-FHEW/TFHE hybrid framework switches schemes mid-circuit to optimize for both speed and scalability, achieving end-to-end inference times of 1-5 seconds on standard hardware for models like ResNet-20. Hardware accelerations, including GPU support, have amplified these gains; implementations like GPU-accelerated TFHE bootstrapping report 10-20x speedups for key generation and evaluation, with frameworks such as Concrete v2.7 providing native CUDA integration for parallel polynomial arithmetic.

Key milestones include the 2021 unification efforts leading to the OpenFHE library, which merged implementations from prior projects like HElib and PALISADE to support multiple schemes (BFV, BGV, CKKS, TFHE) in a single extensible framework, fostering community-driven optimizations and interoperability. NIST's standardization process, ongoing since 2016 with lattice-based candidates advanced in rounds post-2018, indirectly bolsters FHE by validating underlying primitives resistant to quantum attacks. Looking ahead, quantum-resistant variants, such as code-based FHE proposals, aim to diversify beyond lattices for enhanced security margins, while market projections indicate growth to approximately $526 million by 2035, driven by demand in secure and .

Specific Cryptosystems

Partially Homomorphic Schemes

Partially homomorphic schemes, also known as partially homomorphic encryption (PHE), enable unlimited homomorphic operations of a single type (either addition or multiplication) on encrypted data without decryption. These schemes emerged as early public-key cryptosystems with inherent homomorphic properties, allowing computations like repeated multiplications or additions on ciphertexts to correspond directly to operations on the underlying plaintexts. Unlike fully homomorphic encryption, PHE supports only one operation type indefinitely, making it efficient for specific applications but limited for general-purpose computation.

The RSA cryptosystem, introduced in 1978 by Rivest, Shamir, and Adleman, provides multiplicative homomorphicity. In RSA, encryption is performed as $\text{Enc}(m) = m^e \bmod n$, where $n = pq$ for large primes $p$ and $q$, and $e$ is the public exponent. Multiplication of two ciphertexts $c_1 = m_1^e \bmod n$ and $c_2 = m_2^e \bmod n$ yields $c_1 \cdot c_2 = (m_1 m_2)^e \bmod n$, enabling arbitrary exponentiations that act as multiplications on plaintexts. Its security relies on the hardness of integer factorization, assuming the inability to compute $\phi(n)$ without knowing $p$ and $q$. However, textbook RSA is deterministic and not semantically secure under chosen-plaintext attacks. RSA's homomorphic property has been applied in scenarios requiring product computations on encrypted data, such as secure auctions where bids are multiplied without revealing values.

ElGamal encryption, proposed by Taher ElGamal in 1985, is multiplicative over elliptic curve or finite field groups and additive in the exponent domain. The scheme uses a cyclic group $G$ of prime order $q$ with generator $g$, where the public key is $h = g^x$ for secret $x$. Encryption of message $m$ (as a group element) produces $c = (g^r, h^{-r} \cdot m)$ for random $r$, and multiplication of ciphertexts corresponds to multiplication of plaintexts: $(g^{r_1}, h^{-r_1} m_1) \cdot (g^{r_2}, h^{-r_2} m_2) = (g^{r_1 + r_2}, h^{-(r_1 + r_2)} (m_1 m_2))$. In the exponent, this supports addition, as $\text{Enc}(m_1 + m_2) = \text{Enc}(m_1) \cdot \text{Enc}(m_2)$ when messages are exponents. Security is based on the decisional Diffie-Hellman assumption in the group and provides semantic security when properly randomized. ElGamal has been used in privacy-preserving voting systems, where encrypted votes can be multiplicatively aggregated.

The Paillier cryptosystem, developed by Pascal Paillier in 1999, offers additive homomorphicity. Encryption is $\text{Enc}(m) = g^m \cdot r^n \bmod n^2$, where $n = pq$, $g$ is a base, and $r$ is random; decryption uses the discrete logarithm or Carmichael function. Addition of ciphertexts yields $\text{Enc}(m_1) \cdot \text{Enc}(m_2) = g^{m_1 + m_2} \cdot (r_1 r_2)^n \bmod n^2 = \text{Enc}(m_1 + m_2)$, supporting scalar multiplication by exponentiation: $\text{Enc}(k m) = \text{Enc}(m)^k$. Its security stems from the composite degree residuosity assumption, equivalent to the hardness of the decisional composite residuosity problem, and provides semantic security under chosen-plaintext attacks. Paillier is widely applied in secure auctions and electronic voting, enabling summation of encrypted bids or tallies without exposure.

The Goldwasser-Micali cryptosystem, introduced by Shafi Goldwasser and Silvio Micali in 1982, is designed for bit encryption and is homomorphic under XOR (addition modulo 2) operations. It uses quadratic residues modulo $n = pq$, with encryption $\text{Enc}(b) = s^2 \cdot x^b \bmod n$, where $x$ is a fixed quadratic non-residue modulo $n$ with $(x/n) = 1$, and $s$ is random with $\gcd(s, n) = 1$; the determines the bit value (residue for 0, non-residue for 1). For bits $b_1, b_2$, $\text{Enc}(b_1) \cdot \text{Enc}(b_2) = \text{Enc}(b_1 + b_2 \bmod 2)$ under multiplication, enabling bit-wise XOR operations. Security relies on the quadratic residuosity assumption, assuming the inability to distinguish quadratic residues from non-residues modulo composite $n$, and provides semantic security. This scheme supports applications like mental poker protocols but is less efficient for large data due to bit-level granularity.

These schemes are constructed over number-theoretic problems like factoring or discrete logarithms. Except for textbook RSA, they provide semantic security under chosen-plaintext attacks when properly randomized. They find use in privacy-focused protocols, such as mix-nets for anonymous voting or sealed-bid auctions where only aggregates are revealed. However, their limitation to a single operation type prevents indefinite mixing of additions and multiplications, restricting them to linear or multiplicative computations without mechanisms.
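The Paillier and RSA identities above can be checked directly. The following is an added example, not code from any library named on this page: toy Paillier and textbook RSA in Python, using constructed and insecurely small primes and the common base choice g = n + 1. All function names are illustrative assumptions.

```python
"""Toy Paillier (additive) and textbook RSA (multiplicative) homomorphisms.

Constructed demo parameters only: the primes are far too small for real use.
"""
import secrets
from math import gcd

# Constructed demo primes (the 10,000th and 100,000th primes).
P, Q = 104729, 1299709


def paillier_keygen(p=P, q=Q):
    n = p * q
    n2 = n * n
    g = n + 1                                      # common choice of base g
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # Carmichael function of n
    # L(u) = (u - 1) / n, and mu = L(g^lam mod n^2)^-1 mod n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def paillier_encrypt(pk, m, r=None):
    """Enc(m) = g^m * r^n mod n^2, with fresh random r unless one is supplied."""
    n, g = pk
    n2 = n * n
    while r is None or gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def paillier_decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return (((pow(c, lam, n * n) - 1) // n) * mu) % n


def paillier_add(pk, c1, c2):
    """Ciphertext product encrypts the plaintext sum."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def paillier_scalar_mul(pk, c, k):
    """Ciphertext exponentiation encrypts k * m."""
    n, _ = pk
    return pow(c, k, n * n)


def encrypted_tally(pk, ballots):
    """Aggregate encrypted 0/1 ballots without decrypting any single one."""
    total = 1                  # 1 is Enc(0) with r = 1
    for c in ballots:
        total = paillier_add(pk, total, c)
    return total


def rsa_keygen(p=P, q=Q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def rsa_encrypt(pk, m):
    """Textbook RSA: deterministic, no padding."""
    n, e = pk
    return pow(m, e, n)


def rsa_decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)


if __name__ == "__main__":
    pk, sk = paillier_keygen()
    ballots = [paillier_encrypt(pk, v) for v in (1, 0, 1, 1, 0)]
    print("tally:", paillier_decrypt(pk, sk, encrypted_tally(pk, ballots)))
    # Randomised: two encryptions of the same vote differ.
    print("Paillier Enc(1) repeats:", ballots[0] == ballots[2])
    rpk, rsk = rsa_keygen()
    prod = (rsa_encrypt(rpk, 6) * rsa_encrypt(rpk, 7)) % rpk[0]
    print("RSA product:", rsa_decrypt(rsk, prod))
    # Deterministic: equal plaintexts give equal ciphertexts.
    print("RSA Enc(5) repeats:", rsa_encrypt(rpk, 5) == rsa_encrypt(rpk, 5))
```

The last two checks show why the text singles out textbook RSA: equal plaintexts always produce equal ciphertexts, whereas Paillier's random r hides repeated values.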

Somewhat Homomorphic Schemes

Somewhat homomorphic encryption (SWHE) schemes enable computations on encrypted data supporting both addition and multiplication operations, but only up to a predefined depth, beyond which the accumulated noise prevents correct decryption. Unlike fully homomorphic schemes, SWHE does not require bootstrapping to manage noise growth, making it suitable for bounded-depth circuits where the number of operations is fixed in advance. The noise in ciphertexts grows linearly with additions and quadratically with multiplications, constraining the scheme to shallow evaluations while maintaining efficiency.

Prominent examples include early variants of Craig Gentry's 2009 ideal lattice-based scheme without the "squashing" function, which supported homomorphic evaluation of arbitrary circuits of depth up to roughly $\log n$ (where $n$ is the lattice dimension) before noise overflow. Another key example is the leveled mode of the Brakerski-Gentry-Vaikuntanathan (BGV) scheme, which allows evaluation of circuits of fixed depth $L$ without noise refresh, using modulus switching to control noise at each level.

These schemes are predominantly lattice-based constructions, relying on rings such as $R = \mathbb{Z}[x]/(x^n + 1)$ for efficient polynomial arithmetic. Key generation typically involves sampling the secret key $s$ from a discrete Gaussian distribution over the ring, with public key components derived from Ring Learning With Errors (Ring-LWE) samples to ensure semantic security. Encryption adds controlled noise via error terms sampled from narrow Gaussian distributions, while homomorphic operations preserve correctness as long as the total noise remains below a decryption threshold.

Security for SWHE schemes is grounded in the hardness of the Ring-LWE problem, where distinguishing ring elements perturbed by small errors from uniform random elements is computationally infeasible. Parameters are carefully tuned based on the desired computational depth $d$ and security level $\lambda$: the ring dimension $n$ scales as $O(\lambda \log \lambda)$, the modulus $q$ as $\theta(d (\log \lambda + \log d))$ bits, and the error standard deviation to balance noise growth against security, ensuring polynomial-time security against known lattice attacks.

SWHE finds use in applications requiring evaluation of shallow circuits, such as basic operations (e.g., inner products or simple aggregations) in privacy-preserving , where the fixed depth suffices and performance is significantly faster than fully homomorphic alternatives due to the absence of bootstrapping overhead. For instance, the leveled BGV scheme enables efficient packed evaluations of low-depth or circuits, achieving per-gate costs of $\tilde{O}(\lambda)$ for circuits of width $\Omega(\lambda)$.

Fully Homomorphic Schemes

Fully homomorphic encryption (FHE) schemes enable arbitrary computations on encrypted data by supporting both addition and multiplication operations without decryption, while maintaining under standard hardness assumptions like the learning with errors (LWE) problem. The general architecture of an FHE scheme includes key generation, which produces a public key \mathrm{pk} and a secret key \mathrm{sk} from a security parameter \lambda; encryption, which transforms a message m into a ciphertext c = \mathrm{Enc}(\mathrm{pk}, m) that hides m amid noise; evaluation, which applies homomorphic operations to ciphertexts to compute encrypted results; and decryption, which recovers the plaintext from a valid ciphertext using \mathrm{sk}, provided the noise remains below a threshold. To achieve unbounded computation, FHE incorporates bootstrapping, a process that refreshes noisy ciphertexts by homomorphically evaluating the scheme's own decryption circuit on an encrypted secret key, thereby reducing noise and allowing further operations.

Key constructions of FHE span lattice-based approaches, with Gentry's seminal relying on lattices to support via quadratic residues modulo a , enabling the first theoretical realization of unlimited homomorphic operations. The Brakerski-Gentry-Vaikuntanathan (BGV) scheme builds on ring-LWE assumptions, introducing modulus switching to manage noise growth without bootstrapping for leveled computations, where the public key and ciphertexts are polynomials in a ring R_q = \mathbb{Z}_q[x]/(x^n + 1). For approximate arithmetic on real or complex numbers, the Cheon-Kim-Kim-Song (CKKS) scheme uses ring-LWE with rescaling to control precision loss, encoding plaintexts as vectors scaled by a factor and supporting homomorphic operations that approximate the desired computation within a specified error bound. The Fully Homomorphic Encryption (TFHE) scheme, based on the torus \mathbb{T}, optimizes for gate-level evaluations using LWE samples and programmable bootstrapping, allowing efficient homomorphic gates via lookup tables on the .

Homomorphic evaluation in these schemes treats addition as a straightforward component-wise operation on ciphertexts, preserving the additive structure of the underlying lattice or ring; for instance, in ring-LWE-based schemes like BGV and CKKS, adding two ciphertexts c_1 = (a, b_1) and c_2 = (a', b_2) yields c_3 = (a + a', b_1 + b_2), modulo the ring parameters, with the resulting noise being the sum of individual noises. Multiplication, however, expands the ciphertext degree, requiring relinearization to restore compactness: after component-wise multiplication of c_1 and c_2, which produces a degree-2 term, an evaluation key, derived from the secret key, is used to replace this quadratic component with a linear one, ensuring the output ciphertext remains in the same space as the inputs while introducing controlled additional noise. This technique, essential in BGV and CKKS, leverages gadget decompositions to approximate the necessary linear transformations efficiently.

Noise management is critical in FHE, as operations amplify the inherent error in lattice-based ciphertexts, potentially overwhelming the decryption process. In typical ring-LWE constructions, fresh ciphertexts have noise drawn from a discrete Gaussian with variance \sigma^2; additions accumulate noise linearly by summing variances, while multiplications amplify it quadratically, leading to an overall noise variance bounded approximately by \sigma^2 (1 + L), where L represents the multiplicative depth of the circuit. Exceeding the noise budget renders decryption incorrect, so schemes like BGV employ modulus switching, which reduces the modulus q after a multiplication to scale down noise, while CKKS uses rescaling to maintain approximation precision. Bootstrapping addresses this by treating decryption as a homomorphic circuit: given a ciphertext c encrypting m under \mathrm{pk}, an encrypted secret key \mathrm{Enc}(\mathrm{pk}, \mathrm{sk}) is used to evaluate \mathrm{Dec}(\mathrm{sk}, c) homomorphically, yielding a fresh ciphertext for m with low noise, at the cost of evaluating a circuit of depth logarithmic in the bit-length of \mathrm{sk}.

Variants of FHE extend functionality for multi-party settings, such as multi-key FHE, which allows evaluation on ciphertexts encrypted under distinct keys without key aggregation. López-Alt, Tromer, and Vaikuntanathan's construction achieves this by embedding multiple keys into a single structure, enabling on-the-fly multiparty computation where each party's input remains encrypted under their own key during joint evaluation. These schemes, often built atop BGV or Gentry's , support applications like secure aggregation but incur overhead from key-dependent growth. Across generations, FHE constructions have evolved from Gentry's bootstrapping-heavy approach to more efficient ring-LWE variants, prioritizing reduced and faster evaluations.
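The component-wise addition, ciphertext expansion under multiplication, and noise budget described in this section can be followed in a toy symmetric BGV-style scheme. This is an added example, not code from BGV, CKKS or any library discussed on this page; the parameters are constructed and insecure, all function names are hypothetical, and relinearization and modulus switching are left out on purpose so that the growth they exist to control stays visible.

```python
import math
import random

# Constructed toy parameters (an assumption of this example): far too small
# to be secure, chosen so the worst-case noise arithmetic is easy to follow.
N = 16                    # ring dimension, R = Z[x]/(x^N + 1)
T = 17                    # plaintext modulus
Q = 2 ** 32               # ciphertext modulus, coprime to T
FRESH_BOUND = T // 2 + T  # |m + T*e| <= 8 + 17 for ternary error e


def center(x, mod):
    """Representative of x modulo mod in (-mod/2, mod/2]."""
    x %= mod
    return x - mod if x > mod // 2 else x


def poly_add(a, b, mod):
    return [(x + y) % mod for x, y in zip(a, b)]


def poly_mul(a, b, mod):
    """Negacyclic product in Z_mod[x]/(x^N + 1), using x^N = -1."""
    out = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            if i + j < N:
                out[i + j] += x * y
            else:
                out[i + j - N] -= x * y
    return [c % mod for c in out]


class Ciphertext:
    def __init__(self, parts, bound):
        self.parts = parts  # parts[i] is multiplied by s^i during decryption
        self.bound = bound  # worst-case size of the phase's largest coefficient


def keygen(rng):
    return [rng.choice((-1, 0, 1)) for _ in range(N)]  # small ternary secret


def encrypt(s, m, rng):
    """Symmetric BGV-style encryption: c0 + c1*s = m + T*e (mod Q)."""
    a = [rng.randrange(Q) for _ in range(N)]
    e = [rng.choice((-1, 0, 1)) for _ in range(N)]
    a_s = poly_mul(a, s, Q)
    c0 = [(x + T * ei + center(mi, T)) % Q for x, ei, mi in zip(a_s, e, m)]
    return Ciphertext([c0, [-x % Q for x in a]], FRESH_BOUND)


def phase(s, ct):
    """Evaluate sum(parts[i] * s^i) mod Q, centred: message plus T * noise."""
    acc, s_pow = [0] * N, [1] + [0] * (N - 1)
    for part in ct.parts:
        acc = poly_add(acc, poly_mul(part, s_pow, Q), Q)
        s_pow = poly_mul(s_pow, s, Q)
    return [center(c, Q) for c in acc]


def decrypt(s, ct):
    return [v % T for v in phase(s, ct)]


def he_add(x, y):
    """Component-wise addition; the worst-case noise bounds add."""
    zero, k = [0] * N, max(len(x.parts), len(y.parts))
    pad = lambda p: p + [zero] * (k - len(p))
    parts = [poly_add(a, b, Q) for a, b in zip(pad(x.parts), pad(y.parts))]
    return Ciphertext(parts, x.bound + y.bound)


def he_mul(x, y):
    """Tensor product without relinearization: the ciphertext gains
    components and the noise bounds multiply (times N for the ring)."""
    parts = [[0] * N for _ in range(len(x.parts) + len(y.parts) - 1)]
    for i, p in enumerate(x.parts):
        for j, r in enumerate(y.parts):
            parts[i + j] = poly_add(parts[i + j], poly_mul(p, r, Q), Q)
    return Ciphertext(parts, N * x.bound * y.bound)


def squaring_chain(depth, seed=1):
    """Square one fresh ciphertext `depth` times and record, per level, the
    size, the worst-case noise bound, and whether decryption is still right."""
    rng = random.Random(seed)  # seeded so the demonstration is repeatable
    s = keygen(rng)
    m = [rng.randrange(T) for _ in range(N)]
    ct, expect, rows = encrypt(s, m, rng), m, []
    for level in range(depth + 1):
        if level:
            ct, expect = he_mul(ct, ct), poly_mul(expect, expect, T)
        rows.append({"level": level, "components": len(ct.parts),
                     "bound": ct.bound, "guaranteed": ct.bound < Q // 2,
                     "correct": decrypt(s, ct) == expect})
    return rows


if __name__ == "__main__":
    for row in squaring_chain(3):
        print(row)
```

With these parameters the worst-case bound stays under Q/2 through multiplicative depth 2, so the modulus supports exactly two levels; at depth 3 the phase wraps modulo Q and decryption returns garbage without signalling an error.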

Implementations

Software Libraries and Tools

SEAL is an open-source C++ library for homomorphic encryption, initially released in 2015 by Microsoft, that implements the BFV, BGV, and CKKS schemes, enabling computations on encrypted integers and real numbers. It supports features such as relinearization, key switching, and approximate bootstrapping for CKKS, with ongoing optimizations for performance in privacy-preserving applications.

HElib, developed by IBM and first released in 2012, is a C++ library built on the NTL mathematical library, primarily focused on the BGV scheme with bootstrapping support and also implementing CKKS for approximate computations. It emphasizes efficient ciphertext packing techniques, allowing single instruction, multiple data (SIMD) operations on packed encrypted vectors to accelerate homomorphic evaluations.

OpenFHE, launched in 2022 as an open-source C++ library, merges design elements from the and HElib projects to provide extensible implementations of multiple schemes, including BGV, BFV, CKKS, FHEW, and TFHE (via CGGI). As of October 2025, version 1.4.2 includes enhanced support for CKKS . This multi-scheme support facilitates scheme switching and functional , making it suitable for diverse homomorphic applications.

The TFHE library, developed by Inria, is an open-source C++ implementation of fast fully homomorphic encryption over the , specializing in efficient evaluation of arbitrary circuits on encrypted bits through programmable bootstrapping.

Python wrappers such as -Python and Py extend accessibility by providing bindings to the SEAL library, allowing developers to perform homomorphic operations in Python scripts without direct C++ interaction. These tools simplify prototyping for and tasks.

Key features across these libraries include performance optimizations for homomorphic operations; for instance, benchmarks on demonstrate multiplication times around 0.04 milliseconds per operation under typical parameters, enabling sequences of thousands of multiplications in under a second on standard hardware. Additionally, integrations like bridge with , supporting encrypted inference and training workflows.

Commercial offerings include Duality Technologies' platform, which leverages fully homomorphic encryption for secure data collaboration and analytics in enterprise environments, incorporating contributions to for advanced features like scheme switching. Enveil provides enterprise-grade solutions using homomorphic encryption to protect data in use, enabling privacy-preserving searches and computations across distributed systems.

Hardware and Optimization Techniques

Field-programmable gate arrays (FPGAs) have emerged as a key hardware platform for accelerating homomorphic encryption due to their flexibility in implementing parallel computations, particularly the number-theoretic transform (NTT) essential for multiplications in schemes like BGV and CKKS. FPGA designs enable custom pipelines for NTT operations, reducing in and key switching. For example, the FAB accelerator, implemented on FPGAs, supports bootstrappable fully homomorphic encryption (FHE) by optimizing lookup tables and arithmetic units, achieving up to 10 times faster compared to CPU implementations while consuming moderate power. Similarly, a 2025 FPGA-based accelerator for the TFHE scheme parameterizes gate to handle variable precision.

Graphics processing units (GPUs), often programmed via , excel in tasks suited to the CKKS scheme's approximate arithmetic on real-number data. GPU accelerations focus on vectorized NTT and operations, yielding substantial speedups for encrypted workloads. A memory-centric GPU optimization for CKKS reports over 100 times faster performance than prior CPU-based methods, with single multiplications accelerated by 7 times, enabling practical evaluation of neural networks on encrypted data. A 2025 CUDA-accelerated framework for secure federated achieves up to 30 times speedup in vertical scenarios using Paillier on high-end GPUs like A100, while CKKS is used for horizontal scenarios with minimal overhead.

Application-specific integrated circuits (ASICs) provide the highest efficiency for dedicated FHE tasks, minimizing area and power overheads through tailored circuits for noise management and modular arithmetic. ASIC prototypes target bootstrapping bottlenecks, with designs reporting 100 to 1,000 times higher NTT throughput relative to FPGA or GPU counterparts. A 2025 exploration repurposes AI accelerator ASICs, such as Google's TPUv4, for FHE via specialized compilers like CROSS, achieving up to 161 times speedup over many-core CPUs. The Poseidon ASIC-like accelerator further optimizes bandwidth for complex FHE circuits, supporting up to 500,000 operations per second with 50% reduced resource utilization compared to general-purpose hardware.

Algorithmic optimizations complement by mitigating noise accumulation and enhancing parallelism. Homomorphic encryption switching (HES) protocols enable seamless transitions between schemes, such as from additive Paillier to multiplicative ElGamal, tailored to operation types, reducing overall ciphertext sizes and computation in hybrid applications. Batching and single instruction, multiple data (SIMD) techniques pack multiple plaintexts into one ciphertext, allowing parallel homomorphic operations that boost throughput by factors of 10 to 100 for vectorized workloads like encrypted database queries. In approximate schemes like CKKS, -reduction methods, including variants, limit approximation errors to under 2^{-40}, extending circuit depth without and improving by 20-30%.

By 2025, integrations with platforms, such as Intel SGX enclaves, hybridize FHE with trusted execution environments to offload partial decryptions securely, achieving end-to-end privacy in cloud settings with minimal performance overhead. Key metrics across these approaches include throughput (e.g., 10^4 to 10^6 operations per second) and (e.g., 0.1-10 joules per operation), with leading in both for production-scale deployments; for instance, the LP-HENN ReRAM-based design achieves up to 31.82 times speedup over CPU for HE-CNN inference at 1.93-2.35 watts.

Applications

Privacy-Preserving Data Processing

Homomorphic encryption facilitates privacy-preserving processing in outsourcing scenarios by enabling encrypted search operations on without decryption. Partially homomorphic encryption (PHE) schemes, such as Paillier for additive operations, support efficient keyword searches and range queries on encrypted , allowing users to outsource sensitive information to untrusted providers while retrieving relevant results securely. This approach ensures that the performs computations solely on ciphertexts, preserving during and retrieval.

Secure aggregation in federated learning represents another key application, where homomorphic encryption aggregates model updates from multiple participants without exposing individual contributions. By leveraging additive homomorphic properties, parties encrypt their local gradients, and the computes the sum on ciphertexts to derive a global model, mitigating risks of data leakage in distributed environments. This method supports collaborative across decentralized nodes, such as in or settings, without requiring a trusted .

In multi-party computation (MPC), homomorphic encryption serves as a building block for non-interactive protocols, enabling parties to jointly compute functions on private inputs without revealing them. Multi-key homomorphic encryption frameworks allow multiple users to encrypt data under distinct keys, supporting threshold decryption and distributed evaluation of circuits on shared ciphertexts. These protocols reduce interaction rounds compared to traditional MPC, making them suitable for scenarios like joint data analysis in untrusted networks.

Practical examples include genomic data analysis, where fully homomorphic encryption (FHE) enables computation of statistics like minor allele frequencies and chi-squared tests on encrypted DNA sequences without decryption. Researchers can outsource encrypted genomic datasets to cloud servers for genome-wide association studies (GWAS), ensuring patient privacy while obtaining accurate results upon decryption. In financial modeling, homomorphic encryption supports operations on encrypted ledgers, such as risk assessment and auction mechanisms, allowing institutions to process transaction data or share aggregated insights without exposing raw values. A notable case study involves FHE for GDPR-compliant data sharing in financial collaborations, as demonstrated in 2024 initiatives where institutions used homomorphic encryption to perform joint analytics on encrypted datasets, adhering to EU privacy regulations without plaintext exposure.

The primary benefits include end-to-end privacy, as data remains encrypted throughout processing, and the elimination of trusted third parties, enabling secure outsourcing to public clouds. This enhances compliance in regulated sectors while fostering data utility.

Encrypted Machine Learning

Homomorphic encryption enables inference on encrypted data, allowing models to process ciphertexts without decryption and thus preserving input . In this paradigm, neural networks evaluate encrypted inputs to produce encrypted outputs, which the data owner decrypts locally. A seminal approach is CryptoNets, which adapts neural networks for homomorphic evaluation using polynomial approximations of activation functions like the , achieving high throughput on encrypted data. The CKKS scheme, supporting approximate arithmetic on real numbers, is particularly suited for such computations due to its handling of floating-point operations essential for matrix multiplications in neural layers.

Training machine learning models under homomorphic encryption involves performing gradient descent directly on ciphertexts, but non-polynomial activation functions pose significant challenges, often requiring low-degree polynomial approximations to maintain compatibility with the limited multiplicative depth of schemes. This approximation introduces minor accuracy degradation, typically less than 1% on benchmarks like MNIST, where encrypted training retains 96.4% accuracy compared to 99% in plaintext scenarios. Recent advancements mitigate these issues by optimizing approximations for deeper networks, enabling end-to-end training on encrypted datasets while bounding error accumulation.

Frameworks like Encrypted integrate homomorphic encryption into TensorFlow workflows, leveraging libraries such as to support encrypted tensor operations for both training and inference. By 2025, these tools have advanced applications in healthcare , such as encrypted diagnostic models that analyze patient data without exposure, using FHE to perform secure image classification on encrypted medical scans.

Practical examples include privacy-preserving recommendation systems, where homomorphic encryption secures matrix factorization over user profiles to generate suggestions without revealing preferences. In federated learning, HE facilitates secure aggregation of model updates from distributed clients, summing encrypted gradients to update a global model while preventing leakage of individual contributions. These applications typically incur a 100x slowdown compared to unencrypted computations, highlighting the trade-off between privacy and efficiency in real-world deployments.
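The additive secure aggregation mentioned here and under Privacy-Preserving Data Processing, written out with textbook Paillier as an added example (not code from any library or framework named on this page). The primes are constructed toy values and far too small for real use, the function names are hypothetical, and the example assumes the aggregator holds only the public modulus while a separate key holder sees nothing but the aggregate.

```python
import math
import secrets

# Constructed toy key material (an assumption of this example): two Mersenne
# primes give a 92-bit modulus, which is far too small for real use.
P, Q_PRIME = 2**31 - 1, 2**61 - 1
SCALE = 2**16  # fixed-point scale for encoding real-valued gradients


def keygen(p=P, q=Q_PRIME):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # inverse of lam; valid because g = n + 1
    return n, (lam, mu)


def encrypt(n, m):
    """Enc(m) = (1 + n)^m * r^n mod n^2, with fresh randomness r."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + (m % n) * n) % n2 * pow(r, n, n2) % n2


def decrypt(n, sk, c):
    lam, mu = sk
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n


def encode(x, n):
    return round(x * SCALE) % n  # negatives wrap into the top half of Z_n


def decode(v, n, count):
    signed = v - n if v > n // 2 else v
    return signed / SCALE / count


def capacity_ok(n, clients, clip):
    """The summed plaintext must stay inside (-n/2, n/2) or it wraps silently."""
    return clients * round(clip * SCALE) < n // 2


def client_update(n, gradient, clip=4.0):
    """Run by each participant: clip, fixed-point encode, encrypt."""
    return [encrypt(n, encode(max(-clip, min(clip, g)), n)) for g in gradient]


def aggregate(n, updates):
    """Run by the untrusted aggregator, which holds only n: multiplying
    ciphertexts modulo n^2 adds the underlying plaintexts."""
    n2, total = n * n, list(updates[0])
    for update in updates[1:]:
        total = [a * b % n2 for a, b in zip(total, update)]
    return total


def open_mean(n, sk, total, count):
    """Run by the key holder, who is only ever sent the aggregate."""
    return [decode(decrypt(n, sk, c), n, count) for c in total]


if __name__ == "__main__":
    n, sk = keygen()
    grads = [[0.5, -1.25, 2.0], [-0.5, 0.75, 1.0], [1.5, 0.25, -3.0]]
    assert capacity_ok(n, len(grads), 4.0)
    total = aggregate(n, [client_update(n, g) for g in grads])
    print(open_mean(n, sk, total, len(grads)))
```

Because a single key decrypts every ciphertext, the privacy of individual updates in this layout rests on the key holder never receiving them; the clipping and capacity check keep the encoded sum from wrapping modulo n.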

Challenges and Limitations

Performance and Efficiency Issues

Homomorphic encryption (HE) schemes impose significant computational overhead due to the inherent complexity of performing operations on encrypted data while preserving and correctness. In fully homomorphic encryption (FHE), a single operation typically requires on the order of 0.03 to 0.1 milliseconds on standard CPU for secure parameter settings (as of 2025 benchmarks), compared to milliseconds for equivalent computations. This slowdown arises from the need to manage noise and perform over large rings, often resulting in 10^3 to 10^6 times more computational effort than unencrypted processing. Ciphertexts in FHE are also substantially larger, frequently 100 times or more the size of equivalents, with representative sizes ranging from 25 for a single encryption to several megabytes for vectorized data under high-security parameters.

Noise accumulation represents a core efficiency bottleneck in lattice-based HE, the dominant paradigm for FHE. Additions introduce linear noise growth, while multiplications cause exponential increases, rapidly limiting the number of operations before the noise exceeds the decryption threshold and renders results incorrect. This necessitates oversized parameters (such as polynomial degrees exceeding 2^{14} and modulus sizes in the thousands of bits) to accommodate noise margins, which in turn amplify runtime and memory usage. Leveled HE variants mitigate this by bounding computation depth to avoid noise refresh, enabling faster execution for shallow circuits (e.g., up to 10-20 multiplications) at the cost of restricted expressiveness, whereas full FHE relies on bootstrapping for arbitrary depth, trading efficiency for generality.

Scalability issues further hinder practical deployment, particularly in distributed environments. Parallelization opportunities exist for independent operations, such as batching additions or rotations in schemes like CKKS, but the sequential dependency on computation depth constrains overall speedup, often yielding only modest gains beyond 4-8 cores on multi-threaded CPUs. Communication overhead in multi-party or settings is exacerbated by voluminous ciphertexts, where transmitting a single FHE-encoded vector can consume equivalent to hundreds of equivalents, limiting throughput in networked applications.

Recent advancements emphasize scheme-specific optimizations to alleviate these challenges. TFHE excels for boolean circuit evaluation with bootstrapping times under 1 millisecond on GPUs, making it suitable for gate-level computations despite higher per-operation costs. In contrast, CKKS offers superior performance for approximate numerical operations on vectors, with benchmarks showing it outperforming TFHE by factors of 5-10x in multiplications and evaluations on datasets of 65,536 elements. Evaluations in 2025 libraries like OpenFHE and SEAL demonstrate up to 100x efficiency gains in bootstrapping through techniques like amortized processing and GPU acceleration, reducing refresh costs from seconds to milliseconds while maintaining security. Bootstrapping remains resource-intensive, typically involving on the order of 2^{16} operations per ciphertext refresh in optimized implementations.

Security and Theoretical Foundations

Homomorphic encryption schemes are typically analyzed under the standard indistinguishability under chosen-plaintext attack (IND-CPA) security notion, which ensures that an adversary cannot distinguish encryptions of two plaintexts without access to the secret key. This definition applies directly to the underlying encryption in both partially and fully homomorphic schemes, treating them as standard public-key encryption systems during security proofs. For fully homomorphic encryption (FHE), achieving IND-CPA must account for the noise growth inherent in homomorphic operations, where decryption errors are tolerated up to a certain .

Early FHE constructions, such as Gentry's original scheme, relied on bootstrapping to refresh ciphertexts and enable unlimited computations, but this process assumed circular security, namely the security of the scheme even when the adversary knows encryptions of the secret key itself. This assumption was controversial due to its non-standard nature and potential circularity in proofs. Second-generation schemes, like those based on the Brakerski-Gentry-Vaikuntanathan (BGV) framework, mitigated circular security concerns by using alternative noise-management techniques, such as modulus switching and key switching, grounded in more conventional hardness assumptions without invoking during the core proof.

The security of most modern homomorphic encryption schemes rests on the hardness of the learning with errors (LWE) problem or its variants, such as Ring-LWE, which posits that distinguishing random linear equations modulo a prime from those perturbed by small errors is computationally infeasible. LWE is believed to be quantum-resistant, as no efficient quantum algorithms are known to solve it, unlike classical problems like , making lattice-based homomorphic encryption a prime candidate for migration. This quantum resistance stems from the problem's worst-case connections to lattice problems like the shortest vector problem, which remain hard even for quantum adversaries.

Beyond computational assumptions, homomorphic encryption is vulnerable to side-channel attacks that exploit implementation details, such as timing variations revealing levels in ciphertexts or power consumption patterns during operations. For instance, in schemes like CKKS, adversaries can recover secret keys by analyzing decryption outputs when noise-flooding countermeasures are insufficiently tuned.

Theoretical limits on homomorphic encryption include impossibility results showing that certain forms of group homomorphic encryption cannot exist securely in the for abelian groups under standard IND-CPA , assuming the plaintext and ciphertext spaces form abelian groups. This underscores the necessity of lattice-based constructions for achieving strong homomorphic properties, as non-lattice approaches fail to provide quantum-secure additively or multiplicatively homomorphic encryption without additional assumptions. As a result, the post-quantum migration for homomorphic encryption emphasizes problems like LWE, which inherently support the required for homomorphic operations.

Known attacks on homomorphic encryption often target weak parameter choices, such as insufficiently large moduli or error distributions, enabling techniques to recover secret keys efficiently. For example, in early Paillier-based schemes or underpowered LWE instances, cyclotomic attacks or hybrid sieving can break for parameters below recommended levels, recovering plaintexts from as few as a handful of ciphertexts. Recent analyses, including 2024 work on approximate homomorphic schemes, demonstrate key recovery via passive attacks exploiting noise management flaws in real-world deployments.

Open problems in the theoretical foundations of homomorphic encryption include establishing tighter reductions from worst-case problems to average-case LWE instances, which would strengthen confidence in the scheme's without relying on potentially loose parameters. Another major challenge is constructing fully compact FHE schemes that support unbounded computations without bootstrapping, as current approaches either limit depth (leveled FHE) or incur significant overhead from refresh operations. Achieving such compactness under standard assumptions like LWE remains unresolved, with ongoing efforts exploring alternative noise-growth controls or novel algebraic structures.

Standardization Efforts

NIST Post-Quantum Cryptography Standardization

The National Institute of Standards and Technology (NIST) launched its Post-Quantum Cryptography (PQC) Standardization Project in December 2016 to identify and standardize cryptographic algorithms resistant to attacks by quantum computers. This initiative progressed through multiple rounds of evaluation, with Round 4 candidates including lattice-based schemes such as , a key encapsulation mechanism (KEM) based on the learning with errors (LWE) problem. These lattice-based primitives provide a foundational basis for homomorphic encryption (HE) schemes, as LWE-hardness assumptions underpin many post-quantum secure fully homomorphic encryption (FHE) constructions, enabling computations on encrypted data without decryption.

As of 2025, NIST has not yet established a direct standard for FHE, but its PQC efforts indirectly support HE development by prioritizing quantum-resistant . In March 2025, NIST selected HQC as an additional lattice-based KEM for , further supporting quantum-resistant relevant to homomorphic encryption. In March 2025, NIST issued its first call for multi-party schemes under NISTIR 8214C, explicitly including fully homomorphic encryption alongside and to advance . This call seeks submissions for cryptosystems that could integrate homomorphic properties, fostering in distributed settings. To further this, NIST is hosting the on Multi-Party Schemes from November 17–20, 2025, focusing on evaluating proposals for .

Key milestones include the selection and finalization of as ML-KEM in August 2024, marking NIST's first set of PQC standards alongside other algorithms like ML-DSA and SLH-DSA. The overarching goals of these efforts are to ensure cryptographic interoperability across systems and provide resistance to quantum threats, such as , which can efficiently break classical schemes like and Paillier encryption.

Industry and Open Standards

The Homomorphic Encryption Standardization Consortium, established in 2017 as an among , , and , has driven efforts to develop community standards for homomorphic encryption, including white papers on parameters, APIs, and interoperability to facilitate broader adoption. This consortium hosts regular workshops, with the seventh meeting held on October 13, 2024, focusing on refining these standards to address practical deployment needs.

Open standards initiatives emphasize portability and interoperability across schemes. The OpenFHE library, an open-source fully homomorphic encryption framework, supports multiple schemes such as BFV, BGV, CKKS, FHEW, and TFHE through extensible implementations and serialization mechanisms, enabling scheme portability by allowing encrypted data and keys to be shared across different cryptographic contexts without decryption. Additionally, the Internet Engineering Task Force (IETF) has advanced encrypted protocols via drafts like "Homomorphic Cryptography Protocols for Measurement Information Collection," initially published in October 2024 and revised in April 2025, which define protocols for and on ciphertexts to support privacy-preserving network measurements.

In the , cloud providers have integrated homomorphic encryption to offer . Amazon Web Services (AWS) launched support for fully homomorphic encryption in endpoints in March 2023, allowing secure real-time inferencing on encrypted data without decryption, effectively providing homomorphic encryption as a service (HEaaS) for workloads.

Recent developments include European Union-funded projects incorporating fully homomorphic encryption to enhance GDPR compliance. The RECITALS project, launched in January 2025 under the program, implements homomorphic encryption alongside other privacy technologies for resilient secure systems, ensuring computations on encrypted align with GDPR requirements for data protection by design. Similarly, the SECURED project advances homomorphic encryption for secure data sharing in collaborative environments, supporting GDPR's emphasis on . In healthcare, homomorphic encryption is emerging as a HIPAA-compliant tool for processing ; for instance, providers leverage it under business associate agreements to analyze encrypted patient data without accessing , meeting HIPAA Security Rule standards for transmission and access controls.

Despite these advances, challenges persist in achieving a unified for homomorphic encryption, as diverse schemes and libraries lead to restrictive programming models and complexities that hinder . Efforts toward common interfaces are underway, with libraries like OpenFHE providing standardized support for bootstrapping operations across schemes to refresh ciphertexts and enable unlimited computations, though manual management remains a barrier to efficiency. Industry examples include Microsoft's SEAL library, widely adopted for applications due to its ease of use in homomorphic computations on encrypted data, with ongoing enhancements for integration in secure environments.

  23. [23]
    OpenFHE: Open-Source Fully Homomorphic Encryption Library
    We introduce OpenFHE, a new open-source FHE software library that incorporates selected design ideas from prior FHE projects, such as PALISADE, HElib, and ...
  24. [24]
    Post-Quantum Cryptography | CSRC
    NIST initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms. Full details can be found in ...Workshops and Timeline · Presentations · Email List (PQC Forum) · NIST FAQMissing: candidates 2021
  25. [25]
    Post-Quantum Homomorphic Encryption: A Case for Code-Based ...
    Mar 28, 2025 · Unlike lattice-based schemes, which depend on complex algebraic structures and intricate noise management techniques, code-based homomorphic ...
  26. [26]
    Homomorphic Encryption Market Size & Insights Report, 2035
    Global homomorphic encryption market to rise from $234.74M in 2025 to $526.40M by 2035, at a CAGR of 8.41%. Discover encryption trends now.
  27. [27]
    [PDF] A FULLY HOMOMORPHIC ENCRYPTION SCHEME A ...
    We propose the first fully homomorphic encryption scheme, solving a central open problem in cryptography. Such a scheme allows one to compute arbitrary ...
  28. [28]
    Fully Homomorphic Encryption without Bootstrapping
    We present a radically new approach to fully homomorphic encryption (FHE) that dramatically improves performance and bases security on weaker assumptions.
  29. [29]
    Bootstrapping in Fully Homomorphic Encryption (FHE)
    Jan 1, 2023 · BGV/BFV bootstrapping is somewhat faster than DM/CGGI (if we consider slot-amortized time), but slower than CKKS. However, BGV bootstrapping ...<|control11|><|separator|>
  30. [30]
    A High-Level Technical Overview of Fully Homomorphic Encryption
    May 4, 2024 · Homomorphic encryption lets you encrypt data in such a way that you can run programs on it without ever decrypting it.LWE and RLWE · BFV and BGV (integer/fixed... · CGGI (boolean/short integer...
  31. [31]
    Microsoft SEAL is an easy-to-use and powerful homomorphic ...
    The CKKS scheme allows additions and multiplications on encrypted real or complex numbers, but yields only approximate results. In applications such as summing ...Issues · Security · Actions · Pull requests 6
  32. [32]
    Microsoft SEAL: Fast and Easy-to-Use Homomorphic Encryption ...
    Microsoft SEAL is an easy-to-use and powerful open-source homomorphic encryption library that enables running computations directly on encrypted data.News & features · Videos · Release News · PublicationsMissing: BGV CKKS 2024
  33. [33]
    homenc/HElib - GitHub
    HElib is an open-source software library that implements homomorphic encryption. It supports the BGV scheme with bootstrapping and the Approximate Number CKKS ...Missing: SIMD | Show results with:SIMD
  34. [34]
    Design and implementation of HElib: a homomorphic encryption ...
    Nov 29, 2020 · HElib is a C++ open source library (see https://github.com/homenc/HElib) that implements both the BGV and CKKS fully homomorphic encryption (FHE) schemes.Missing: IBM NTL SIMD packing
  35. [35]
    OpenFHE.org – OpenFHE – Open-Source Fully Homomorphic ...
    OpenFHE is an open-source project that provides efficient extensible implementations of the leading post-quantum Fully Homomorphic Encryption (FHE) schemes.Documentation · Downloads · Community · WebinarsMissing: unification 2021
  36. [36]
    TFHE Fast Fully Homomorphic Encryption over the Torus
    TFHE is an open-source library for fully homomorphic encryption, distributed under the terms of the Apache 2.0 license.Tutorial · Versions and Features · Installation · Usage
  37. [37]
    Huelse/SEAL-Python: Microsoft SEAL 4.X For Python - GitHub
    Microsoft SEAL is an easy-to-use open-source (MIT licensed) homomorphic encryption library developed by the Cryptography Research group at Microsoft.
  38. [38]
    A Benchmark Study of SEAL, HElib, OpenFHE, and Lattigo
    Jul 1, 2025 · The performance of these libraries is compared across BGV, BFV, and CKKS schemes. Results show HElib excels in addition and subtraction in the ...
  39. [39]
    tf-encrypted/tf-seal: Bridge between TensorFlow and the ... - GitHub
    TF SEAL provides a bridge between TensorFlow and the Microsoft SEAL homomorphic encryption library, making it easier than ever to use this library to compute ...
  40. [40]
    Fully Homomorphic Encryption - Duality Technologies
    Utilize cryptography to analyze encrypted data, post quantum protection on sensitive data for encrypted queries, secure machine learning and analytics.
  41. [41]
    Enveil Is A Privacy Enhancing Technology Company | Enveil
    Enveil is a pioneering Privacy Enhancing Technology company. We change the paradigm of how and where organizations can leverage data to unlock value.About Us · Products · Get in Touch · Careers
  42. [42]
    FAB: An FPGA-based Accelerator for Bootstrappable Fully ...
    FAB is an FPGA-based accelerator for bootstrappable FHE, which allows computations on encrypted data, and it accelerates bootstrapping.
  43. [43]
    [PDF] Over 100x Faster Bootstrapping in Fully Homomorphic Encryption
    Aug 11, 2021 · Our GPU implementation shows a 7.02× speedup for a single CKKS multiplication compared to the state-of-the-art GPU implementation and an ...
  44. [44]
    Security for Data Privacy in Federated Learning with CUDA ...
    Dec 18, 2024 · CUDA-accelerated Homomorphic Encryption with Federated XGBoost adds security protection for data privacy and delivers up to 30x speedups for vertical XGBoost.Missing: cuHE | Show results with:cuHE
  45. [45]
    Poseidon: Practical Homomorphic Encryption Accelerator
    Poseidon is a practical FHE accelerator that improves hardware resource and bandwidth consumption, supporting complex FHE operations.
  46. [46]
    [PDF] HECO: Fully Homomorphic Encryption Compiler - USENIX
    Aug 11, 2023 · We devise a series of transformations and optimizations that can translate batching-amenable programs to fully exploit SIMD operations while ...
  47. [47]
  48. [48]
    LP-HENN: fully homomorphic encryption accelerator with high ...
    May 30, 2025 · This paper proposed LP-HENN, a novel low-power and energy-efficient FHE accelerator architecture that leverages a RISC-V vector coprocessor and ReRAM crossbar ...
  49. [49]
    Leveraging Searchable Encryption through Homomorphic ... - MDPI
    This paper provides a comprehensive analysis of the advancements in HE-based privacy-preserving techniques, focusing on their application in SE.
  50. [50]
    A Secure Federated Learning framework using Homomorphic ...
    In this paper, we present the first Federated Learning (FL) framework which is secure against both confidentiality and integrity threats from the aggregation ...
  51. [51]
    A General Framework of Homomorphic Encryption for Multiple ...
    Oct 24, 2021 · Homomorphic Encryption (HE) is a useful primitive for secure computation, but it is not generally applicable when multiple parties are involved, ...
  52. [52]
    Private genome analysis through homomorphic encryption - PMC
    Dec 21, 2015 · Fully homomorphic encryption (e.g., [9-11]) permits encrypted data to be computed on without decryption, so it allows us to evaluate arbitrary ...
  53. [53]
  54. [54]
    [PDF] Privacy-Preserving Data Sharing across Financial Institutions
    Sep 25, 2024 · ▫ Use-case “Homomorphic encryption for data sharing” developed in collaboration with Duality ... ▫ Ability to collaborate in compliance with GDPR ...
  55. [55]
    What is Fully Homomorphic Encryption? - FHE Explained - Inpher
    Benefits of Fully Homomorphic Encryption​​ No trusted third-parties: Data remains secure and private in untrusted environments, like public clouds or external ...
  56. [56]
    [PDF] CryptoNets: Applying Neural Networks to Encrypted Data with High ...
    CryptoNets are neural networks that can be applied to encrypted data, allowing for encrypted predictions and high throughput, while maintaining data privacy.
  57. [57]
    [PDF] Homomorphic Encryption for Arithmetic of Approximate Numbers
    Abstract. We suggest a method to construct a homomorphic encryption scheme for approxi- mate arithmetic. It supports an approximate addition and ...
  58. [58]
    [PDF] Fast and Accurately Training Deep Neural Networks on Encrypted ...
    To train a DNN on encrypted data in a completely non-interactive way, a recent work proposes a fully homomorphic encryption (FHE)-based technique implementing.
  59. [59]
    A Framework for Encrypted Machine Learning in TensorFlow - GitHub
    TF Encrypted is a framework for encrypted machine learning in TensorFlow. It looks and feels like TensorFlow, taking advantage of the ease-of-use of the Keras ...
  60. [60]
    A privacy preserving machine learning framework for medical image ...
    Jul 30, 2025 · Table 13 presents a comparative analysis of various FHE schemes such as CKKS, BFV, and TFHE evaluated on multiple subsets of the MedMNIST ...Missing: studies | Show results with:studies
  61. [61]
    Efficient Privacy-Preserving Matrix Factorization for ...
    In this article, we propose the first privacy-preserving matrix factorization for recommendation using fully homomorphic encryption.
  62. [62]
    Secure Aggregation in Federated Learning using Multiparty ... - arXiv
    Mar 1, 2025 · We develop a method based on multiparty homomorphic encryption (MPHE) that enables the central node to compute this aggregate, while receiving only encrypted ...
  63. [63]
    [PDF] SoK: New Insights into Fully Homomorphic Encryption Libraries via ...
    To allow programmers to effectively utilize the power of FHE, we employ a series of benchmarks called the Terminator 2 Benchmark Suite and present new insights ...
  64. [64]
    [PDF] Fully Composable Homomorphic Encryption DRAFT
    Oct 2, 2023 · In this section we recall the standard notion of (homomorphic) encryption scheme and (circular) security against chosen plaintext attacks.
  65. [65]
    [PDF] On the Security of Homomorphic Encryption on Approximate Numbers
    A passive attack on CKKS, a homomorphic encryption scheme, leads to key recovery. Traditional IND-CPA security is insufficient for approximate encryption, ...
  66. [66]
    [PDF] Fully Homomorphic Encryption without Bootstrapping
    Fully Homomorphic Encryption without Bootstrapping · Zvika Brakerski, Craig Gentry, V. Vaikuntanathan · Published in IACR Cryptology ePrint… 2011 · Computer ...
  67. [67]
    [PDF] Lecture 21: (Lattice Based) Homomorphic Encryption
    Nov 27, 2017 · One of the largest motivators for this is that LWE appears to be resistant to quantum algorithms, unlike factoring or discrete log assumptions.
  68. [68]
    [PDF] The Learning with Errors Problem
    This leads to a hardness result for LWE based on the assumption that GAPSVP is hard even given an unusually good basis for it (see [Pei09a] for the exact ...
  69. [69]
    Side Channel Analysis in Homomorphic Encryption - arXiv
    May 16, 2025 · This paper presents a comprehensive review of HE side-channel threats, highlighting key attack vectors and analyzing real-world case studies.Missing: weak | Show results with:weak
  70. [70]
    [PDF] Key Recovery Attacks on Approximate Homomorphic Encryption ...
    For instance, the addition of two ciphertexts will lead to a new ciphertext with noise variance the sum of the noise variances of the two input ciphertexts.
  71. [71]
    General Impossibility of Group Homomorphic Encryption in the ...
    In this work, we prove the general impossibility of (abelian) group homomorphic encryption in the presence of quantum adversaries, when assuming the IND-CPA ...
  72. [72]
    Fully Homomorphic Encryption and Post-Quantum Cryptography
    Oct 5, 2022 · Answering the question: is fully Homomorphic encryption quantum resistant?Missing: variants | Show results with:variants
  73. [73]
    Cycling attacks against homomorphic cryptosystems - SpringerLink
    Nov 8, 2008 · Anyhow, two effective methods are given to construct weak parameters for certain homomorphic cryptosystems, and two moduli over 1 024 bits ...
  74. [74]
    Benchmarking Attacks on Learning with Errors - arXiv
    Aug 1, 2024 · Furthermore, all publicly available fully homomorphic encryption (HE) libraries rely on the hardness of LWE for their security. HE was ...
  75. [75]
    (Leveled) Fully Homomorphic Encryption without Bootstrapping
    Aug 10, 2025 · We present a novel approach to fully homomorphic encryption (FHE) that dramatically improves performance and bases security on weaker ...
  76. [76]
    NIST Post-Quantum Cryptography Standardization
    NIST has initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms.Round 3 Submissions · Call for Proposals · Round 1 SubmissionsMissing: homomorphic | Show results with:homomorphic
  77. [77]
    [PDF] NISTIR 8214C 2pd: NIST First Call for Multi-Party Threshold Schemes
    Mar 21, 2025 · Crypto-systems; distributed systems; fully-homomorphic encryption (FHE); post-quantum ... Post-Quantum Cryptography Standardization Process. https ...
  78. [78]
    NIST Workshop on Multi-Party Threshold Schemes 2025 | CSRC
    Apr 29, 2025 · The NIST Workshop on Multi-Party Threshold Schemes 2025 is a virtual event from November 17-20, focusing on Threshold Cryptography and the MPTC ...
  79. [79]
    NIST Releases First 3 Finalized Post-Quantum Encryption Standards
    Aug 13, 2024 · NIST has finalized its principal set of encryption algorithms designed to withstand cyberattacks from a quantum computer.Missing: homomorphic | Show results with:homomorphic
  80. [80]
    Homomorphic Encryption Standardization – An Open Industry ...
    HomomorphicEncryption.org is an open consortium of industry, government and academia to standardize homomorphic encryption.Standard · Introduction · Participants of Recent Standards Workshops · Mailing Lists
  81. [81]
    Download the standard - Homomorphic Encryption Standardization
    We are developing a community standard for homomorphic encryption based on three white papers created by the standards' meetings' participants.
  82. [82]
    Homomorphic Encryption Announcements - Google Groups
    7th Homomorphic Encryption Standards Meeting - October 13, 2024 - Save the Date! Dear Colleagues: We're happy to announce the 7th Homomorphic Encryption ...
  83. [83]
    [PDF] Homomorphic Encryption Serialization for Applications | OpenFHE
    HOMOMORPHIC ENCRYPTION FOR PALISADE USERS: TUTORIAL WITH APPLICATIONS ... ultra portability. • A trusted Server builds CryptoContext and shares it with ...
  84. [84]
    Homomorphic Cryptography Protocols for Measurement Information ...
    Oct 17, 2024 · Homomorphic encryption is an algorithm that allows computations to be performed on encrypted data without first having to decrypt it.Table of Contents · Introduction · Prerequisites · Protocol Definition
  85. [85]
    draft-li-ppm-homomorphic-encryption-01 - IETF Datatracker
    Apr 18, 2025 · This document provides a homomorphic cryptographic protocol that supports addition and multiplication in the ciphertext state.
  86. [86]
    Enable fully homomorphic encryption with Amazon SageMaker ...
    Mar 23, 2023 · Homomorphic encryption is a new approach to encryption that allows computations and analytical functions to be run on encrypted data, without first having to ...Missing: HEaaS | Show results with:HEaaS
  87. [87]
    Top 7 Cloud Encryption Trends in Healthcare 2025 - Censinet
    Using homomorphic encryption, these providers can process healthcare data under business associate agreements without ever accessing unencrypted PHI.
  88. [88]
    Federated Security for Privacy Preservation of Healthcare Data in ...
    Aug 17, 2025 · This raises compliance concerns under regulations like HIPAA, GDPR, and Australia's Privacy Act. ... Homomorphic Encryption Security Standard.
  89. [89]
    Enhancing Applications with Homomorphic Encryption
    Feb 24, 2025 · The key difficulties include restrictive programming models of homomorphic schemes and choosing suitable parameters for an application. In this ...
  90. [90]
    [PDF] The Investigation of Fully Homomorphic Encryption - SciTePress
    Abstract: Fully Homomorphic Encryption (FHE) is an encryption method that enables direct computation on encrypted data without revealing its contents.<|control11|><|separator|>
  91. [91]
    Duality Advances Homomorphic Encryption Landscape with OpenFHE
    Jul 7, 2022 · This new library supports a raft of advanced FHE features, including bootstrapping and scheme switching, multiple hardware acceleration backends ...Missing: merger | Show results with:merger<|separator|>