Computation-Enabled Cryptosystems

Updated 31 December 2025
  • Computation-enabled cryptosystems are encryption frameworks that allow data transformation and aggregation while remaining encrypted, using algebraic and hardware-software co-design principles.
  • They implement secure computation via methodologies like lattice-based schemes, reversible logic, and TEE-assisted protocols to achieve high-security and efficiency.
  • These systems support a range of applications—from secure key exchange to post-quantum encryption—by integrating modular, hybrid, and exact computation models.

Computation-enabled cryptosystems encompass the class of encryption, key-exchange, and secure aggregation frameworks explicitly designed to permit computation, transformation, or aggregation of data while it remains in an encrypted state. These systems leverage algebraic structures, reversible logics, hardware parallelism, and hybrid architectures to realize efficient and verifiable secure computation beyond the capabilities of legacy cryptography. State-of-the-art schemes rely on number-theoretic hardness (LWE, DLP, syndrome decoding), reversible circuits, noncommutative gate algebra, and hardware-software co-design to support modular, bit-level, and even exact computation under high-security constraints, extending to post-quantum, IND-CCA2, and hyper quantum-resilient regimes.

1. Fundamental Design Principles and Mathematical Foundations

Computation-enabled cryptosystem design centers on the choice of an underlying algebraic or logical structure amenable to “hidden” computation, coupled with a security reduction to an intractable problem.

  • Lattice/Ring-LWE Platforms: Modern homomorphic encryption instantiations (e.g. BGV, BFV, RLWE, CKKS) encode data as vectors in $R_q = \mathbb{Z}_q[X]/(X^N+1)$, leveraging the ring-learning-with-errors assumption for semantic security (Jang et al., 18 Apr 2025, Sidorov et al., 2022). Encryption, homomorphic addition, and multiplication are realized via polynomial arithmetic (NTT, modular reduction), with error bounds ensuring decryption correctness.
  • Code-Based and Syndrome Decoding: Schemes such as HQC base security on the syndrome decoding problem for quasi-cyclic codes. Core algorithmics involve polynomial multiplication over $\mathbb{F}_2[x]/(x^n-1)$, sparse weight error correction, Reed-Solomon and Reed-Muller decoding (Schöffel et al., 2023).
  • Discrete Logarithm and Pell Hyperbolas: DLP frameworks over algebraic groups, including those on generalized Pell conics, harness group isomorphisms and rational function parametrizations (Rédéi functions) to realize ElGamal-like PKE with efficient exponentiation (Alecci et al., 2021).
  • Reversible Logic and Operator Encodings: Encrypted Operator Computing (EOC) employs conjugation of reversible functions $\hat F$ by reversible ciphers $\hat E$ to create obfuscated evaluation circuits $O(\hat{F}^E)$ whose functionality is exposed only through polynomial-sized BDDs, hiding structural details (Chamon et al., 2022).
  • Quantum-Gate Polynomial Frameworks: The Exact Homomorphic Encryption (EHE) paradigm leverages invertible, noncommuting quantum gate products for both message and computation encryption, encoding operations as evaluations of encrypted polynomial sets over $\mathbb{Z}_2^k$ (Su et al., 2024).
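
A toy instance of the Lattice/Ring-LWE bullet above, added here as an illustration and not taken from the page or the cited papers: BFV-style encryption in $R_q = \mathbb{Z}_q[X]/(X^N+1)$ with homomorphic addition and a measured noise term. The parameters (N=16, q=2^15, t=16), the ternary error distribution and every function name are assumptions chosen so the noise bound can be checked by hand; they give no security.

```python
import random

N, Q, T = 16, 2**15, 16      # assumed toy parameters: far too small to be secure
DELTA = Q // T               # scaling factor that lifts a message above the noise

def polymul(a, b):
    """Product in Z_Q[X]/(X^N + 1): a term that reaches X^N wraps around as -1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            sign = -1 if i + j >= N else 1
            out[(i + j) % N] = (out[(i + j) % N] + sign * ai * bj) % Q
    return out

def polyadd(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def small(rng):              # ternary polynomial: secret key and all error terms
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def keygen(rng):
    s, e = small(rng), small(rng)
    a = [rng.randrange(Q) for _ in range(N)]
    b = [-x % Q for x in polyadd(polymul(a, s), e)]      # b = -(a*s + e)
    return s, (b, a)

def encrypt(pk, m, rng):
    u, e1, e2 = small(rng), small(rng), small(rng)
    c0 = polyadd(polyadd(polymul(pk[0], u), e1), [DELTA * x for x in m])
    return c0, polyadd(polymul(pk[1], u), e2)

def add(ct1, ct2):           # coefficient-wise; the two noise terms add up
    return polyadd(ct1[0], ct2[0]), polyadd(ct1[1], ct2[1])

def phase(s, ct):
    return polyadd(ct[0], polymul(ct[1], s))             # = DELTA*m + noise mod Q

def decrypt(s, ct):
    return [((T * v + Q // 2) // Q) % T for v in phase(s, ct)]

def noise(s, ct):            # largest distance of a coefficient from a multiple of DELTA
    return max(min(v % DELTA, DELTA - v % DELTA) for v in phase(s, ct))

def demo(seed=1):
    rng = random.Random(seed)    # deterministic for the example; not a CSPRNG
    s, pk = keygen(rng)
    m1, m2 = ([rng.randrange(T) for _ in range(N)] for _ in range(2))
    ct = add(encrypt(pk, m1, rng), encrypt(pk, m2, rng))
    return decrypt(s, ct) == [(x + y) % T for x, y in zip(m1, m2)], noise(s, ct)
```

Each fresh ciphertext carries noise of at most 33 with these ternary errors, so the sum stays below 66, well under the DELTA/2 = 1024 threshold at which decryption would start returning wrong coefficients.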

2. Architectural and Algorithmic Realizations

Modern computation-enabled systems increasingly rely on architectural co-design and hardware accelerators to achieve practical latency, throughput, and energy metrics.

  • Hardware/Software Co-Design: The HQC implementation integrates RISC-V cores, instruction-set extensions, DMA controllers, and modular hardware accelerators (Keccak, Hadamard, $\mathcal{R}$-poly units) for sub-mm² ASIC or sub-14k LUT FPGA KEM implementations, achieving encapsulation in $\approx 0.2$ ms and $<8$ μJ per operation (Schöffel et al., 2023).
  • Near-Cache and Bitline Compute: Crypto-Near-Cache (CNC) modules, integrated per LLC slice, support in-place SRAM bitline logic (AND, XOR, shifts), high-parallel NTT, Montgomery modular multiplication, GF-conversions, and AVX-style vector kernels via minimal ISA extensions (SW_CNC, RD_D2CNC, LD_CMD, ALG_CNC), yielding $>25\times$ energy improvement for PQC primitives and full virtual-memory compatibility (Zhang et al., 27 Sep 2025).
  • TPU/Matrix Engine Acceleration: Polynomial multiplication for FHE/ZKP is remapped as block-circulant matrix multiplies, leveraging massive MAC parallelism (TPU v2/v3, $256\times256$ arrays), residue-number system (RNS) encoding for large $q$, and recursive blocking for large degrees. CRT recombination and memory transfer limitations govern the optimal parallelism (Karanjai et al., 2023).
  • Ring-LWE Encrypted Control: Dynamic controllers for linear systems (discrete-time plants) leveraging ring-LWE/BGV schemes are implemented over Lattigo APIs, with careful packing, external products (GSW), and NTT-based fir architectures (BGV), balancing security ($N=2^{13}$, $q\approx2^{56}$) and per-step latency ($<20$ ms) (Jang et al., 18 Apr 2025).
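
The remapping described in the TPU/Matrix Engine bullet, as an added sketch that is not code from the cited work: a product in $\mathbb{Z}_q[X]/(X^N+1)$ is computed as one matrix-vector multiply per RNS prime and recombined with the CRT. For the $X^N+1$ ring the circulant matrix becomes negacyclic (wrapped entries change sign); the three-prime basis and all function names are assumptions, and recursive blocking is left out.

```python
from math import prod

PRIMES = (12289, 40961, 65537)   # assumed RNS basis; q is their product (about 2^45)

def negacyclic_matrix(a, p):
    """N x N matrix M over Z_p with M @ b == a*b in Z_p[X]/(X^N + 1).

    Column j holds a shifted down by j places; coefficients pushed past
    X^(N-1) re-enter at the top with a minus sign because X^N = -1.
    """
    n = len(a)
    return [[(a[i - j] if i >= j else -a[i - j + n]) % p for j in range(n)]
            for i in range(n)]

def matvec(m, v, p):
    """One row is one multiply-accumulate chain, the unit a MAC array parallelizes."""
    return [sum(x * y for x, y in zip(row, v)) % p for row in m]

def crt(residues, primes):
    """Recombine one coefficient from its residues modulo each prime."""
    q = prod(primes)
    total = 0
    for r, p in zip(residues, primes):
        qi = q // p
        total += r * qi * pow(qi, -1, p)   # qi * qi^-1 is 1 mod p, 0 mod the others
    return total % q

def rns_polymul(a, b, primes=PRIMES):
    """a*b in Z_q[X]/(X^N + 1), q = prod(primes); each limb works mod one small prime."""
    limbs = [matvec(negacyclic_matrix(a, p), [x % p for x in b], p) for p in primes]
    return [crt(col, primes) for col in zip(*limbs)]

def demo():
    # Constructed input: (1 + X)^2 = 1 + 2X + X^2 = 2X in Z[X]/(X^2 + 1)
    return rns_polymul([1, 1], [1, 1])
```

The limbs are independent until `crt`, which is why the recombination step and the data movement around it, rather than the multiplies, bound the achievable parallelism.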

3. Hybrid, Bridged, and Exact Computation Models

Hybridization of arithmetic paradigms and bridging techniques enhance the flexibility and scalability of encrypted computation.

  • Modular and Bit-Level Bridging: FHE “bridging” frameworks combine cheap modular arithmetic (native add/mult) with universal Boolean circuits (bitwise logic, comparisons) via efficient conversion primitives (Horner’s method for bits$\to$mod, Fermat exponentiation for mod$\to$bits), reducing evaluation depth from $O(sk)$ (pure circuit) to $O(s+k)$ (bridged), with 1–2 orders-of-magnitude speedup and practical real-world imputation workflows (Chielle et al., 2022).
  • Hybrid Cryptography/TEE Aggregation: Protocols decompose aggregate computation (e.g. secure sum) into “trusted-hardware zones” (SGX enclaves running native arithmetic) and “pure-crypto zones” (FHE, threshold FHE), optionally mediated by oblivious transfer, secret sharing, or remote attestation. Performance improvements (up to $785\times$ latency, $41\times$ communication gain) accompany flexible risk/performance customization (Laage et al., 11 Apr 2025, Wang et al., 2019).
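
The two conversions named in the bridging bullet, as an added plaintext-domain sketch rather than the cited framework's code: every function uses only addition and multiplication modulo a prime, the operations a modular HE scheme evaluates natively. The prime P=257, the width K=8, the textbook equality-indicator construction for mod-to-bits and all function names are assumptions; inputs must lie in [0, 2^K).

```python
P = 257   # assumed plaintext prime
K = 8     # bit width; values being bridged must lie in [0, 2**K)

def bits_to_mod(bits):
    """Horner's rule, MSB first: one doubling and one addition per bit."""
    acc = 0
    for b in bits:
        acc = (2 * acc + b) % P
    return acc

def is_equal(x, a):
    """1 if x == a else 0, via Fermat: z^(P-1) = 1 mod P for every z != 0."""
    return (1 - pow(x - a, P - 1, P)) % P

def mod_to_bits(x):
    """MSB-first bits of x; bit i is the sum of indicators over all a with bit i set."""
    return [sum(is_equal(x, a) for a in range(2 ** K) if (a >> i) & 1) % P
            for i in reversed(range(K))]

def greater_than(xb, yb):
    """Bit-level x > y on MSB-first lists, with AND = a*b, NOT = 1-a, XOR = a+b-2ab."""
    gt, eq = 0, 1
    for a, b in zip(xb, yb):
        gt = (gt + eq * a * (1 - b)) % P          # first position where x has 1, y has 0
        eq = (eq * (1 - (a + b - 2 * a * b))) % P  # prefix still equal so far
    return gt

def bridged_threshold(x, y, limit):
    """(x + y) > limit: the sum is one native modular add, the comparison is bit-level."""
    s = (x + y) % P
    return greater_than(mod_to_bits(s), mod_to_bits(limit))
```

The sum costs a single modular addition instead of a ripple-carry adder over bits, and only the comparison pays for the Boolean circuit.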

4. Security Paradigms and Theoretical Analysis

Computation-enabled cryptosystems derive security from the intractability of distinguishing, reconstructing, or reversing underlying transformations, often harnessing combinatorial and noncommutative phenomena.

  • Hardness Reductions: LWE/ring-LWE for lattice schemes (Jang et al., 18 Apr 2025); syndrome decoding for code-based (Schöffel et al., 2023); DLP for Pell groups (Alecci et al., 2021); best-possible obfuscation by OBDDs for operator encryption (Chamon et al., 2022); NP-hard circuit reconstruction (MCSP), XL attack resistance ($2^k$ complexity), noncommutativity combinatorics for gate-based (EHE) (Su et al., 2024).
  • Koopman Operator and Dynamical Lifting: Cryptosystems such as DH and RSA are analytically lifted to exact finite-dimensional linear systems, allowing formal recovery of secret exponents by eigenanalysis of companion matrices. The required lifting dimension $d^*=(p-1)/2+1$ forces exponential cost, consistent with the classical hardness of discrete logarithm and factoring. Data-driven extensions leverage EDMD with $N\geq d^*$ samples to reconstruct the Koopman operator (Strässer et al., 2023).

5. Performance, Practicality, and Implementation Trade-Offs

Benchmarking reveals clear stratification in performance and complexity.

Homomorphic and Partially Homomorphic Cryptosystems

| Scheme | Add/Sub (ms, 1000 ops) | Mult (ms, 1000 ops) | Bootstrapping | Deployment Eco. |
|---|---|---|---|---|
| Paillier | ≈0.03 | N/A | N/A | Large-scale aggregation (μs-level ops) |
| ElGamal | ≈0.04 | ≈0.035 | N/A | Multiplicative aggregation |
| SEAL (BFV) | 0.12–0.18 | ≈27 | No pub. | Expensive for deep circuits |
| HElib (BGV) | 0.9–2.9 | ≈34 | ≈600 ms | Bootstrapping required for depth, slow |
| PyAono | ≈0.42 | ≈4 | No | Not practical for large-scale (Sidorov et al., 2022) |

PQC Hardware/Software Co-Design (Schöffel et al., 2023, Zhang et al., 27 Sep 2025)

Config Throughput (ops/sec) Energy/Op (μJ) Area (mm²) Comments
HQC-ASIC 1.3k (encaps) 2.41 (encaps) 0.12 97-99% faster than reference, sub-mm² area
CNC-2048-SA 86,943 (Kyber) 24.3 1% die, 25× energy gain over CPU

TEE-Enhanced Secure Aggregation (Laage et al., 11 Apr 2025)

| Variant | Latency (150 parties) | Speedup vs FHE | Comments |
|---|---|---|---|
| TEE at aggregator | 0.20 s | 43× | Near-native, low comm/mem overhead |
| Pure FHE | 8.43 s | baseline | Communication and computation bottleneck |
| TEE both sides | 3.22 s | 16.6× | Practical for large-scale confidential queries |

6. Research Directions and Open Challenges

Ongoing and future work include:

7. Context, Limitations, and Comparative Insights

A misconception persists that fully homomorphic and computation-enabled cryptosystems are universally practical. In reality, partially homomorphic schemes (Paillier, ElGamal) remain far more efficient for realistic workloads (dot-products, aggregation) (Sidorov et al., 2022). Performance bottlenecks in FHE derive chiefly from polynomial multiplication, bootstrapping, and noise management, but advances in matrix-centric engines (TPU, CNC) offer compelling acceleration. Hardware/software co-design, noncommutative gate algebra, and exact computation frameworks (EHE, EOC) are actively closing the gap, while secure aggregation protocols must carefully balance hardware trust, side-channel resistance, and end-to-end confidentiality.

A plausible implication is that the future of computation-enabled cryptosystems lies in modular hybrid architectures, exploiting both cryptographic and hardware primitives, combinatorial algebra, logical circuit obfuscation, and parameter-level adaptivity for context-specific security, efficiency, and scalability.
