GRAFHEN: Noise-Free Group-Based FHE
- GRAFHEN is a group-based fully homomorphic encryption scheme that encodes plaintext algebra into groups using rewriting systems.
- It performs homomorphic evaluation through exact group-word manipulations, avoiding noise accumulation and the need for bootstrapping.
- The scheme’s security is based on the subgroup membership problem within public group presentations, with efficiency enhanced by pseudo-bounded rewriting systems.
Searching arXiv for the GRAFHEN paper and closely related homomorphic-encryption/group-theoretic work. GRAFHEN, short for Group-based Fully Homomorphic Encryption without Noise, is a cryptographic scheme that realizes fully homomorphic encryption by encoding plaintext algebra inside a group and representing that group on a machine by a rewriting system. Its defining claim is that homomorphic evaluation can be performed by exact group-word manipulation rather than by approximate arithmetic with accumulated ciphertext noise, so the scheme is presented as fully homomorphic encryption without bootstrapping and without noise (Guillot et al., 24 Oct 2025). In the formulation proposed in “Introducing GRAFHEN: Group-based Fully Homomorphic Encryption without Noise” (Guillot et al., 24 Oct 2025), security is tied to hiding a subgroup kernel inside a public group presentation while preserving efficient evaluation and decryption.
1. Conceptual framework
GRAFHEN formalizes a homomorphic encryption of a ring $\K$ through a decryption map
$\dec:C\to \K$
with public operations
$\smbadd,\mul:C\times C\to C$
satisfying
$\dec(\smbadd(x,y))=\dec(x)+\dec(y),\qquad \dec(\mul(x,y))=\dec(x)\cdot \dec(y).$
For bit encryption, where $\K=F_2$, the scheme is already fully homomorphic because arbitrary Boolean functions can be built from addition and multiplication, equivalently NAND (Guillot et al., 24 Oct 2025).
The paper reduces this problem to group theory by introducing a homomorphic encoding of $\K$ into a group . An injective map
$Enc:\K\to E$
is required together with polynomial maps $add,\mul:E^2\to E$ such that
$add(Enc(k),Enc(\ell))=Enc(k+\ell),\qquad \mul(Enc(k),Enc(\ell))=Enc(k\ell).$
Here “polynomial” means built only from multiplication and constants in the group: $\dec:C\to \K$0
The encryption scheme then lifts this encoding to a larger group $\dec:C\to \K$1 via a secret surjection
$\dec:C\to \K$2
From this, the ciphertext space is defined as
$\dec:C\to \K$3
the zero-cipher subgroup is
$\dec:C\to \K$4
and decryption is
$\dec:C\to \K$5
A central interpretation follows directly: encrypting messages is reduced to hiding a subgroup $\dec:C\to \K$6 inside a group $\dec:C\to \K$7, while still allowing efficient computation on word representatives (Guillot et al., 24 Oct 2025).
2. Algebraic realization in groups
The paper gives a concrete encoding of any commutative ring $\dec:C\to \K$8 in
$\dec:C\to \K$9
The encoding is
$\smbadd,\mul:C\times C\to C$0
Addition is then ordinary matrix multiplication: $\smbadd,\mul:C\times C\to C$1 so
$\smbadd,\mul:C\times C\to C$2
For multiplication, the construction uses the fixed matrices
$\smbadd,\mul:C\times C\to C$3
They conjugate encoded values into upper-triangular forms: $\smbadd,\mul:C\times C\to C$4 Using the commutator
$\smbadd,\mul:C\times C\to C$5
the paper derives
$\smbadd,\mul:C\times C\to C$6
and therefore
$\smbadd,\mul:C\times C\to C$7
A smaller bit-encryption variant is also given in $\smbadd,\mul:C\times C\to C$8, with
$\smbadd,\mul:C\times C\to C$9
$\dec(\smbadd(x,y))=\dec(x)+\dec(y),\qquad \dec(\mul(x,y))=\dec(x)\cdot \dec(y).$0
and
$\dec(\smbadd(x,y))=\dec(x)+\dec(y),\qquad \dec(\mul(x,y))=\dec(x)\cdot \dec(y).$1
where
$\dec(\smbadd(x,y))=\dec(x)+\dec(y),\qquad \dec(\mul(x,y))=\dec(x)\cdot \dec(y).$2
This $\dec(\smbadd(x,y))=\dec(x)+\dec(y),\qquad \dec(\mul(x,y))=\dec(x)\cdot \dec(y).$3 construction serves as the running example and benchmark target in the paper (Guillot et al., 24 Oct 2025).
The paper’s distinction from lattice FHE is explicit. Ciphertexts are not approximate encodings with accumulated error; they are exact group words. Homomorphic evaluation does not add noise because the scheme is based on exact group multiplication. Rewriting is therefore not a correctness-restoration mechanism analogous to bootstrapping, but a compression and normalization mechanism used to keep word lengths manageable (Guillot et al., 24 Oct 2025).
3. Rewriting systems and machine representation
The main engineering mechanism in GRAFHEN is the representation of the public group by a rewriting system. Let $\dec(\smbadd(x,y))=\dec(x)+\dec(y),\qquad \dec(\mul(x,y))=\dec(x)\cdot \dec(y).$4 be an alphabet and $\dec(\smbadd(x,y))=\dec(x)+\dec(y),\qquad \dec(\mul(x,y))=\dec(x)\cdot \dec(y).$5 the monoid of words. A rewriting system is a finite set of rules
$\dec(\smbadd(x,y))=\dec(x)+\dec(y),\qquad \dec(\mul(x,y))=\dec(x)\cdot \dec(y).$6
with $\dec(\smbadd(x,y))=\dec(x)+\dec(y),\qquad \dec(\mul(x,y))=\dec(x)\cdot \dec(y).$7, meaning that any occurrence of $\dec(\smbadd(x,y))=\dec(x)+\dec(y),\qquad \dec(\mul(x,y))=\dec(x)\cdot \dec(y).$8 inside a word can be replaced by $\dec(\smbadd(x,y))=\dec(x)+\dec(y),\qquad \dec(\mul(x,y))=\dec(x)\cdot \dec(y).$9. The paper defines the standard relations $\K=F_2$0, $\K=F_2$1, and $\K=F_2$2, and calls a rewriting system compatible with a group $\K=F_2$3 when two words are equivalent under rewriting if and only if they evaluate to the same group element (Guillot et al., 24 Oct 2025).
Three properties structure the discussion. A system is noetherian if no infinite rewrite chain exists, confluent if every word reduces to a unique reduced word, and bounded if every word reduces to a word of length at most some fixed $\K=F_2$4. The paper stresses that boundedness is the practically relevant property because it controls memory growth during evaluation.
Two standard algorithms are discussed. Knuth–Bendix is presented as a method that completes a finitely presented system to a reduced confluent one, but it is said to be too expensive for the large examples of interest. Froidure–Pin is the practical workhorse: it computes the reduced confluent rewriting system for a finite monoid or group from generators alone by enumerating reduced words by length and discovering rules when two words evaluate to the same group element (Guillot et al., 24 Oct 2025).
In practice, the paper often stops Froidure–Pin early to obtain a pseudo-bounded system rather than a fully confluent one. The heuristic test is described as follows: pick $\K=F_2$5 random words of length $\K=F_2$6, reduce them, concatenate the reduced outputs, reduce again, and if the final length is below $\K=F_2$7, where $\K=F_2$8 is the average reduced length, accept the system as pseudo-bounded. The paper presents this as a practical criterion for keeping cipher lengths manageable rather than as a formal boundedness proof.
This suggests a distinctive separation of concerns in GRAFHEN: the cryptographic algebra lives in the hidden quotient structure, while the operational efficiency of the public system depends on rewriting quality, especially pseudo-bounded reduction behavior.
4. Protocol structure and homomorphic evaluation
The protocol is built from a public group $\K=F_2$9 with rewriting rules, a secret generating tuple $\K$0 for $\K$1, a subgroup $\K$2, and a secret surjection $\K$3 (Guillot et al., 24 Oct 2025).
In key generation, generators $\K$4 for $\K$5 are chosen as the private key, and a rewriting system for the resulting presentation is computed. To encrypt $\K$6, one chooses $\K$7 such that $\K$8, writes $\K$9 as a word in the secret generators, and optionally reduces that word. To decrypt a word 0, one computes its product
1
in 2. Because ciphertexts are chosen from 3, this element lies in 4, so 5 is defined and
6
Homomorphic evaluation is obtained by lifting the group-level polynomial formulas to word formulas. If the encoding uses constants 7, then ciphertext operations substitute chosen representative words 8 for those constants and concatenate. For the running 9 example,
$Enc:\K\to E$0
and
$Enc:\K\to E$1
The paper characterizes this as FHE without noise because evaluation does not degrade decryptability through approximation error. Word reduction by rewriting may be postponed if memory is not an issue, and is described as lossless data compression rather than as a mandatory refresh step (Guillot et al., 24 Oct 2025). A plausible implication is that the operational bottleneck shifts from noise management to the construction of group presentations and rewrite systems that are simultaneously efficient and resistant to structural attacks.
5. Security model, attack surface, and hardening mechanisms
The paper’s central security intuition is that an attacker must not be able to decide whether a fresh ciphertext lies in the zero-cipher subgroup $Enc:\K\to E$2. This is framed as the subgroup membership problem for a finitely presented group and a subgroup specified by generators (Guillot et al., 24 Oct 2025). The paper argues that this is a promising hardness basis because subgroup membership is undecidable in general, and may remain undecidable even when the word problem is decidable. It explicitly rejects permutation groups and matrix groups over finite fields as public attacker-facing representations because subgroup membership is too easy there.
The attack discussion is organized around two broad families: attacks on the representation or key, and attacks on ciphertexts themselves. The paper reviews brute-force key search, Todd–Coxeter attacks that seek a permutation representation, attacks that reduce the effective number of generators, random reduction attacks using many short zero-ciphers, and attacks that infer message values from relations between known and unknown ciphertexts (Guillot et al., 24 Oct 2025).
To harden the system, the authors introduce admissible rules. A rule $Enc:\K\to E$3 is admissible for a parameter $Enc:\K\to E$4 if both sides use the entire alphabet, both have length at least $Enc:\K\to E$5, and $Enc:\K\to E$6 and $Enc:\K\to E$7 have no common prefix or suffix. Froidure–Pin is modified to discard non-admissible rules. According to the paper, this prevents easy reduction to fewer generators, hides algebraic structure, makes random-reduction attacks much less effective, and makes ciphers of $Enc:\K\to E$8 harder to collapse to very short words (Guillot et al., 24 Oct 2025).
A further hardening device is the semidirect-product trick. Starting from rewriting systems $Enc:\K\to E$9 and $add,\mul:E^2\to E$0, the paper combines them with commutation rules
$add,\mul:E^2\to E$1
to obtain a system compatible with
$add,\mul:E^2\to E$2
A key lemma states that
$add,\mul:E^2\to E$3
via
$add,\mul:E^2\to E$4
yielding a homomorphism
$add,\mul:E^2\to E$5
and the projection
$add,\mul:E^2\to E$6
From $add,\mul:E^2\to E$7, the construction defines
$add,\mul:E^2\to E$8
The stated purpose is to enlarge $add,\mul:E^2\to E$9, the index $add(Enc(k),Enc(\ell))=Enc(k+\ell),\qquad \mul(Enc(k),Enc(\ell))=Enc(k\ell).$0, and the size of the attack space while keeping decryption manageable (Guillot et al., 24 Oct 2025).
The paper also proposes an automorphism-based variant in which one works with
$add(Enc(k),Enc(\ell))=Enc(k+\ell),\qquad \mul(Enc(k),Enc(\ell))=Enc(k\ell).$1
An automorphism is stored by the images of the generators, and composition becomes substitution of words. The authors describe subgroup membership in this representation as “exceedingly difficult,” although they do not fully benchmark it (Guillot et al., 24 Oct 2025).
6. Parameters, benchmark claims, and limitations
The recommended practical setup in the paper is: $add(Enc(k),Enc(\ell))=Enc(k+\ell),\qquad \mul(Enc(k),Enc(\ell))=Enc(k\ell).$2, $add(Enc(k),Enc(\ell))=Enc(k+\ell),\qquad \mul(Enc(k),Enc(\ell))=Enc(k\ell).$3, $add(Enc(k),Enc(\ell))=Enc(k+\ell),\qquad \mul(Enc(k),Enc(\ell))=Enc(k\ell).$4 random generators, an admissible pseudo-bounded rewriting system, a second independent copy, combination through the semidirect-product trick, and
$add(Enc(k),Enc(\ell))=Enc(k+\ell),\qquad \mul(Enc(k),Enc(\ell))=Enc(k\ell).$5
Encryption of $add(Enc(k),Enc(\ell))=Enc(k+\ell),\qquad \mul(Enc(k),Enc(\ell))=Enc(k\ell).$6 is then performed by choosing $add(Enc(k),Enc(\ell))=Enc(k+\ell),\qquad \mul(Enc(k),Enc(\ell))=Enc(k\ell).$7 and forming
$add(Enc(k),Enc(\ell))=Enc(k+\ell),\qquad \mul(Enc(k),Enc(\ell))=Enc(k\ell).$8
The paper reports about $add(Enc(k),Enc(\ell))=Enc(k+\ell),\qquad \mul(Enc(k),Enc(\ell))=Enc(k\ell).$9 million rules for one system and just under $\dec:C\to \K$00 million rules for the full combined key, and estimates the number of truly different keys as
$\dec:C\to \K$01
(Guillot et al., 24 Oct 2025).
The benchmark comparison is against OpenFHE on encrypted bits with AND gates. The OpenFHE baseline uses the default bootstrapping method GINX/TFHE at security level $\dec:C\to \K$02 bits. GRAFHEN is implemented in Rust with the $\dec:C\to \K$03 parameter set; homomorphic multiplication on $\dec:C\to \K$04 requires $\dec:C\to \K$05 group operations in the chosen encoding; and the measured average time for the equivalent AND operation is
$\dec:C\to \K$06
compared with
$\dec:C\to \K$07
for OpenFHE. The paper therefore claims that GRAFHEN is about $\dec:C\to \K$08 times faster in this proof-of-concept benchmark (Guillot et al., 24 Oct 2025).
The appendix by James Mitchell provides an independent attack study based on Todd–Coxeter-style methods on monoids and word graphs. For non-semidirect-product schemes based on $\dec:C\to \K$09, the study reports that at least $\dec:C\to \K$10 of challenge words could often be decoded, but runtime and memory usage appeared to grow exponentially with $\dec:C\to \K$11, and challenges starting at $\dec:C\to \K$12 could not be broken. For the recommended semidirect-product schemes $\dec:C\to \K$13, the study reports failure to break cases for $\dec:C\to \K$14, and in particular not for $\dec:C\to \K$15 (Guillot et al., 24 Oct 2025).
These results should be read together with the paper’s own design assumptions. GRAFHEN depends on the existence of efficient public rewriting systems, secret subgroup structure that remains hidden in the public presentation, and attack resistance of the chosen finitely presented groups. This suggests that the scheme’s significance lies less in a finalized parameter set than in a specific cryptographic paradigm: exact algebraic homomorphic computation by group-word manipulation, with security grounded in subgroup membership over carefully engineered rewriting-system representations.