Fully Homomorphic Encryption Overview

Updated 14 November 2025

Fully Homomorphic Encryption (FHE) is a public-key cryptosystem that allows arbitrary computations on encrypted data while safeguarding privacy.
FHE schemes rely on advanced techniques such as bootstrapping, noise management, and relinearization to ensure correct decryption after complex operations.
Practical implementations of FHE power secure applications like encrypted search, private databases, and confidential machine learning, despite inherent performance trade-offs.

Fully Homomorphic Encryption (FHE) is a class of public-key cryptosystems permitting arbitrary and unbounded computations to be performed directly on encrypted data, while ensuring at all times that the data, intermediate results, and final outputs remain cryptographically inaccessible to the computing party. FHE schemes are structured so that the decryption of a homomorphically evaluated ciphertext yields the result of applying the same sequence of operations to the corresponding plaintexts, guaranteeing computational privacy even in untrusted environments.

1. Formal Structure and Mathematical Foundations

A fully homomorphic encryption scheme is typically defined by the tuple of algorithms

$\mathsf{FHE} = (\mathsf{KeyGen},\,\mathsf{Enc},\,\mathsf{Eval},\,\mathsf{Dec})$

with the following interfaces:

$\mathsf{KeyGen}(1^\lambda) \rightarrow (pk, sk, evk)$ produces public and secret keys and auxiliary evaluation keys, parameterized by the security parameter $\lambda$ .
$\mathsf{Enc}(pk, m) \rightarrow c$ encrypts a plaintext $m$ .
$\mathsf{Eval}(evk, f, c_1, \ldots, c_t) \rightarrow c_f$ allows for homomorphic execution of an arbitrary function $f$ over encrypted inputs.
$\mathsf{Dec}(sk, c_f) \rightarrow m'$ decrypts the output.

Semantic security is derived from hard lattice problems, most notably the (Ring-)Learning-With-Errors (RLWE/LWE) assumptions, where the intractability of recovering secret structure from noisy polynomial or vector samples underpins the resistance to cryptanalysis.

Let $R_q = \mathbb{Z}_q[x]/(x^n + 1)$ denote the base ring (with $n$ a power of 2 and $q$ a large modulus), and let $\chi$ be a discretized Gaussian noise distribution. In canonical RLWE-based FHE, encryption of $m \in R_t$ is performed by scaling $m$ up to $R_q$ , introducing noise $e \leftarrow \chi$ , and outputting ciphertexts of the form $(a,\, b=-a\cdot s + \Delta m + e)$ under secret key $s \in R_q$ .

Correctness requires that after arbitrary sequences of operations, the cumulative noise does not overwhelm the modulus, i.e., the decryption rounding recovers $m$ whenever $||e_{\text{total}}|| < \Delta/2$ . This constraint necessitates both theoretical and practical management of noise growth.

2. Core Principles: Homomorphic Operations, Noise, Bootstrapping

FHE supports at minimum:

Homomorphic addition: $c_{\text{add}} = (a_1 + a_2,\ b_1 + b_2)$ , yielding encrypted $m_1 + m_2$ .
Homomorphic multiplication, in leveled schemes, produces higher-dimensional ciphertexts that must be relinearized to maintain efficiency.

Every ciphertext carries a "noise" component growing after each operation: linearly for additions, polynomially or exponentially for multiplications, depending on the scheme and circuit depth $L$ . To enable unbounded computation ("full" homomorphism), FHE employs bootstrapping—a procedure where the decryption circuit is evaluated homomorphically to refresh noise. In schemes such as TFHE, this is performed "gate-wise," with every binary operation followed by an expensive bootstrapping to maintain a fresh error level (Müller et al., 9 Oct 2025, Ko, 7 Mar 2025).

The seminal result, due to Gentry, is that if a somewhat homomorphic encryption can evaluate its own decryption circuit (plus a trivial Boolean operation), then by repeated bootstrappings one obtains a scheme supporting circuits of arbitrary depth. In practice, this translates to the choice of parameters (modulus $q$ , degree $n$ , error standard deviation $\sigma$ ) that balance security, supported depth, and bootstrapping cost.

3. Practical Scheme Families and Implementations

Prominent instantiations include:

BGV/BFV: Supporting integer plaintexts, leveraging modulus-switching and relinearization (Ko, 7 Mar 2025).
CKKS: Enables approximate arithmetic on real or complex vector slots via scaling and rescaling, at the expense of controlled error (Dathathri et al., 2019).
TFHE/FHEW (GSW-style): Targeting bitwise logic, providing low-latency bootstrapping after every binary gate (Müller et al., 9 Oct 2025, Jiang et al., 2022).

Parameter selection remains highly nontrivial:

BGV/BFV/CKKS: Bound the multiplicative depth $L$ , allocate ring degree $n$ and modulus chain $q$ to keep post-computation decryption correct, and consider side-channel defenses.
TFHE: Set fixed $n \sim 1024-2048$ , $q=2^{32}$ , and per-gate bootstrapping—noise budget is constant per gate.

A defining trade-off in all these schemes is the interplay between circuit depth, ciphertext size, key size, evaluation latency, and precision.

4. Programming, Compilation, and Circuit Realization

Because FHE is restricted to addition and multiplication at the cryptographic layer, arbitrary computations must first be compiled to Boolean or low-degree arithmetic circuits. Several approaches are notable:

Manual Circuit Design: Programs must be rewritten into circuits, imposing severe burdens on software engineering and correctness reasoning.
Compiler-Aided Flows: Tools such as "A Haskell to FHE Transpiler" (Müller et al., 9 Oct 2025) chain high-level language front-ends (e.g., Clash for Haskell) through hardware description (Verilog/Yosys) to Boolean circuit DAGs suitable for FHE evaluation. For word-oriented schemes, compilers such as EVA or nGraph-HE (Dathathri et al., 2019, Viand et al., 2021) automate scheduling of ciphertext maintenance (relinearization, rescaling, modulus-switching), parameter estimation, and data packing (SIMD).
Mapping and Circuit Semantics: Top-level Haskell functions are transformed into statically sized, closure-free circuits: pattern-matching is realized by gate-level multiplexers, recursive definitions are unfolded to finite iterations, and algebraic data types are encoded as wire bundles. All control flow must be made structural; no data-dependent branching is permitted.

Automatic parallelization is essential due to the massive computational overhead: the Boolean circuit is topologically sorted and levelized, then layer-parallel execution is assigned to $p$ threads. Practical analysis shows speedups of $36\times$ (for $p=100$ ) and efficiencies in the $0.3-0.7$ range (Müller et al., 9 Oct 2025). However, efficiency decays as depth increases or with skewed width distribution across layers.

5. Performance Considerations and Platform Scaling

FHE is computationally orders of magnitude slower than plaintext computing. Two central determinants of performance are:

Ciphertext Size: For TFHE, each encrypted bit requires hundreds of kilobytes to megabytes; for ring-based schemes, each vector slot occupies $O(n \log q)$ bits.
Homomorphic Latency: Each bootstrapped gate costs $8$–$311$ seconds single-threaded for real-world circuits (AES over TFHE with $|C|=27\,987$ gates, depth $204$), but can approach $8$ seconds for $100$ threads (Müller et al., 9 Oct 2025).

The cost profile depends acutely on:

Parallelism: Static scheduling by circuit depth exposes maximal thread-level concurrency with minor synchronization overheads.
Storage design: Systems such as FHE-SQL decouple metadata from blob ciphertext storage to mitigate high-latency accesses and garbage-collect unused ciphertexts (Tseng et al., 17 Oct 2025).
Circuit depth and width: Circuit complexity measures—gate count $|C|$ , depth $D(C)$ , and width $W(C)$ —directly map to memory, compute, and communication demands.

Benchmarks in the literature show that modern automatic circuit parallelization at the Boolean level can match or outperform manually parallelized FHE implementations on classical CPUs (Müller et al., 9 Oct 2025). Specialized LUT-optimized code using advanced packing (e.g., Hippogryph S-Box optimizations) remains up to $10\times$ faster for fixed workloads such as AES, but at much higher engineering cost.

6. Applications, Limitations, and Future Trajectories

FHE is a cornerstone for privacy-preserving outsourcing in domains such as:

Encrypted Search: Private Information Retrieval (PIR) via homomorphic multiplexers and equality circuits; current designs attain wall-clock times of 1.69 s (PIR-100, 100 threads) (Müller et al., 9 Oct 2025).
Secure Databases: General SQL queries evaluated on encrypted relations, with semantic security and without hardware trust assumptions (Tseng et al., 17 Oct 2025).
Confidential ML: Inference or training on sensitive data streams, where FHE assures that the server observes nothing but ciphertexts (Ko, 7 Mar 2025, Onoufriou et al., 2021).

Key limitations remain:

Performance: End-to-end SQL queries with FHE-only methods are only practical for datasets with $n$ in the low thousands; scaling to large $n$ requires indexing, parallel FHE, or hybrid approaches.
Restricted Control Flow: Only static, data-independent branching can be compiled; recursive or data-dependent flows must be unrolled and are costly in depth and gate count.
Engineering Complexity: High-level language integration reduces, but does not eliminate, the need for security-aware, hardware-conscious software design.

Ongoing work includes integration of multi-bit bootstrapping (LUTs directly in TFHE), improved support for non-strictly structural recursion, and adoption of circuit generation pipelines in languages beyond Haskell, e.g., OCaml/HardCaml (Müller et al., 9 Oct 2025).

7. Comparative Analysis and Research Directions

A survey of FHE schemes exposes the diverse capabilities and optimal settings for each (Jiang et al., 2022, Viand et al., 2021):

Leveled Schemes: BFV/BGV/CKKS provide high-throughput, approximate or exact arithmetic for integer or real data, efficient SIMD packing, and are well suited to ML and database applications.
Bitwise Schemes: TFHE and FHEW specialize in bootstrapped binary logic, critical for secure control flow, finely grained predicates, and encrypted search.
Interoperability: Compiler automation has closed the gap in usability and expressiveness between domain-specific FHE (e.g., neural net inference) and general-purpose software engineering.

Future challenges center on efficient hybridization, transparent noise and resource budgeting, cross-language intermediate representations, and pervasive support for function integrity within outsourced homomorphic computation.

References: (Müller et al., 9 Oct 2025, Ko, 7 Mar 2025, Tseng et al., 17 Oct 2025, Jiang et al., 2022, Viand et al., 2021)