
Homomorphic Encryption

Updated 10 December 2025
  • Homomorphic encryption is a cryptographic method that permits operations directly on ciphertexts, yielding results identical to those on plaintexts.
  • It includes schemes ranging from partially to fully homomorphic, supporting limited arithmetic or Boolean operations with noise management limitations.
  • Recent advances feature polynomial-ring and code-based constructions with quantum-safe extensions, addressing performance, key size, and bootstrapping challenges.

Homomorphic encryption (HE) is a cryptographic paradigm in which one can perform meaningful operations directly on ciphertexts, such that after decryption, the result matches the operation on the underlying plaintexts. This property enables secure delegation of computation to untrusted environments without direct access to the secret key or the plaintext data. HE schemes can be realized for different sets of operations—some support a single operation (addition or multiplication), while others support arbitrary Boolean or arithmetic circuits. Modern research focuses on both the algebraic foundations and practical designs, including security under post-quantum assumptions, coding-theory constructions, polynomial ring/LWE-based approaches, as well as quantum extensions (Grimaldi, 17 Sep 2025).

1. Formal Syntax and Classification

A homomorphic encryption scheme $\mathcal{E}$ is defined by a tuple of probabilistic polynomial-time algorithms $(\mathsf{KeyGen}_{\mathcal{E}},\;\mathsf{Encrypt}_{\mathcal{E}},\;\mathsf{Decrypt}_{\mathcal{E}},\;\mathsf{Eval}_{\mathcal{E}})$, where

  • $\mathsf{KeyGen}_{\mathcal{E}}(1^\lambda)\to (pk,sk)$ generates a public (and optionally, secret) key,
  • $\mathsf{Encrypt}_{\mathcal{E}}(pk, m)\to c$ maps message $m$ to ciphertext $c$,
  • $\mathsf{Decrypt}_{\mathcal{E}}(sk, c)\to m$ recovers $m$ from $c$,
  • $\mathsf{Eval}_{\mathcal{E}}(f,c_1,\ldots,c_t)\to c_f$ evaluates a function $f$ on ciphertexts $c_i$, so that: $\mathsf{Decrypt}_{\mathcal{E}}(sk, c_f) = f(m_1,\ldots,m_t).$

Schemes are categorized as:

  1. Partially Homomorphic Encryption (PHE): Supports unlimited applications of a single operation (e.g., Paillier for addition in $\mathbb{Z}_N$, RSA for multiplication in $\mathbb{Z}_N$).
  2. Somewhat Homomorphic Encryption (SHE): Supports both addition and multiplication, but only up to a bounded multiplicative depth due to error (“noise”) accumulation. The Armknecht–Augot–Perret–Sadeghi (AAPS) scheme based on Reed–Muller codes is SHE with unlimited addition and bounded multiplication.
  3. Fully Homomorphic Encryption (FHE): Supports arbitrary circuits of unbounded depth, typically achieved via bootstrapping, enabling refresh of ciphertext noise. Notable polynomial-based FHE designs include BFV, BGV, and CKKS (Grimaldi, 17 Sep 2025, Sen, 2013).
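
As an added illustration (not code from the cited papers), the KeyGen/Encrypt/Decrypt/Eval syntax above is instantiated here with textbook Paillier, the additive PHE example named in the list. The primes are constructed values far too small for real use, and the function names are chosen for this example.

```python
import math
import secrets

def keygen(p=1009, q=1013):
    # Constructed small primes: far too small for real use.
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)          # with g = n + 1, L(g^lam mod n^2) = lam mod n
    return n, (n, lam, mu)        # pk = n (generator g = n + 1 is implied), sk

def encrypt(pk, m):
    n2 = pk * pk
    r = secrets.randbelow(pk - 1) + 1
    while math.gcd(r, pk) != 1:
        r = secrets.randbelow(pk - 1) + 1
    # (1 + n)^m = 1 + m*n (mod n^2); r^n is the randomizing mask.
    return (1 + (m % pk) * pk) * pow(r, pk, n2) % n2

def decrypt(sk, c):
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def eval_add(pk, *cts):
    # Eval for f(m_1..m_t) = m_1 + ... + m_t mod n: multiply ciphertexts mod n^2.
    out = 1
    for c in cts:
        out = out * c % (pk * pk)
    return out

def eval_scale(pk, c, k):
    # Eval for f(m) = k*m mod n with a public constant k: exponentiate.
    return pow(c, k, pk * pk)
```

Anyone holding `pk` can shift or scale the hidden value this way, so a Paillier ciphertext provides confidentiality but no integrity, and sums that reach $N$ wrap around modulo $N$.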

2. Coding-Theoretic Constructions

HE schemes based on coding theory exploit the hardness of decoding random linear codes or rank-metric codes up to a prescribed error threshold.

2.1. Armknecht–Augot–Perret–Sadeghi (AAPS) Scheme

  • Structure: Utilizes two nested evaluation codes $\mathcal{C}\subset\tilde{\mathcal{C}}$, with a secret set $I$ of “good positions”, and supports componentwise addition and multiplication up to multiplicative depth $\mu$.
  • Encryption: $c = w + e$, $w\in\mathcal{C}$, $e$ supported outside $I$.
  • Decryption: Polynomial interpolation at “good positions”, then evaluation at a secret point $y$ yields the message, provided the error is confined to “bad positions.”
  • Homomorphism: Addition is componentwise; multiplication is Hadamard (componentwise) product, limited by $\mu$.
  • Security: Rests on the Decoding-Synchronized-Codes Problem (DSCP): distinguishing the secret set $I$ given code descriptions is conjectured hard.
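
The mechanics in the bullets above, as an added example over a univariate (Reed–Solomon-style) evaluation code rather than the Reed–Muller codes of AAPS; it is not the AAPS authors' code or parameters. The field, the evaluation points, the secret set $I$ (`GOOD`) and the secret point $y$ (`Y`) are constructed values, and the degree counter carried with each ciphertext is an assumption of this example, used to enforce the depth bound.

```python
import random

P = 97                     # small field F_97 (all parameters here are constructed)
XS = list(range(1, 13))    # public evaluation points of the code
D = 2                      # fresh codewords evaluate polynomials of degree <= D
GOOD = [0, 3, 4, 7, 10]    # secret set I: error-free positions (indices into XS)
Y = 50                     # secret point y, not an evaluation point

def encrypt(m, rng):
    # Random f with deg f <= D and f(Y) = m; w = (f(x))_x is the codeword.
    hi = [rng.randrange(P) for _ in range(D)]
    a0 = (m - sum(a * pow(Y, i + 1, P) for i, a in enumerate(hi))) % P
    w = [sum(a * pow(x, i, P) for i, a in enumerate([a0] + hi)) % P for x in XS]
    # e is nonzero only on bad positions (outside I).
    e = [0 if j in GOOD else rng.randrange(1, P) for j in range(len(XS))]
    return [(wi + ei) % P for wi, ei in zip(w, e)], D

def add(c1, c2):
    return [(a + b) % P for a, b in zip(c1[0], c2[0])], max(c1[1], c2[1])

def mul(c1, c2):
    # Hadamard product: degrees add, which is what bounds the depth.
    return [(a * b) % P for a, b in zip(c1[0], c2[0])], c1[1] + c2[1]

def decrypt(ct):
    vals, deg = ct
    if deg >= len(GOOD):
        raise ValueError("depth exceeded: |I| points cannot fix this degree")
    m = 0
    for j in GOOD:                      # Lagrange interpolation on I, evaluated at Y
        num = den = 1
        for k in GOOD:
            if k != j:
                num = num * (Y - XS[k]) % P
                den = den * (XS[j] - XS[k]) % P
        m = (m + vals[j] * num * pow(den, P - 2, P)) % P
    return m
```

With five good positions and fresh degree 2, one multiplication (degree 4) still decrypts, while a second pushes the degree to 6 and the interpolation on $I$ is no longer determined, which is the bounded depth $\mu$ in this setting.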

2.2. Rank-Metric Schemes

  • Structure: Based on ideal rank-metric codes over extension fields $\mathbb{F}_{q^m}$.
  • Encryption: $c = P x + m \mathbf{1} + e$, with $P$ public, $x$ random, $e$ small rank-weight.
  • Decryption: Involves combining certain codeword positions relative to a secret set $S$ to recover $m$.
  • Security: Hardness corresponds to the Ideal Rank-Metric Decoding problem.

Table: Comparison of Code-Based Homomorphic Schemes

| Scheme | Homomorphic Capacity | Security Assumption |
|---|---|---|
| AAPS (Reed–Muller codes) | SHE (add, bounded mult) | Hardness of DSCP (good set recovery) |
| Bogdanov–Lee (rank-metric codes) | SHE (add, bounded mult) | Ideal Rank-Metric Decoding (IRSD) |

3. Polynomial-Ring and Lattice-Based Schemes

Most current FHE systems operate over polynomial quotient rings, leveraging the LWE or RLWE problem for security and supporting more efficient noise management.

3.1. BFV and BGV Schemes

  • Algebra: Messages and ciphertexts are polynomials in $\mathbb{Z}_q[X]/\langle X^n+1\rangle$, exploiting the ring structure for SIMD operations.
  • KeyGen: Samples secret $s\in\mathcal{R}_q$; public key is in LWE form.
  • Encryption: Encodes $m$ as $\Delta m$ in the ring, adds bounded noise.
  • Homomorphic operations: Addition is componentwise. Multiplication requires relinearization to reduce ciphertext dimension and manage the $s^2$ term.
  • Noise theory: Additions increase noise additively; multiplications increase it multiplicatively. Modulus switching and bootstrapping control the growth (Grimaldi, 17 Sep 2025).
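
The BFV steps listed above, as an added example that is not taken from the cited works or from any library. It uses a symmetric key in place of the LWE-form public key and omits relinearization; the parameters `N`, `T`, `Q` and all function names are constructed for this example.

```python
import random

N, T, Q = 8, 16, 1 << 30    # ring degree, plaintext modulus, ciphertext modulus
DELTA = Q // T              # a message polynomial m is encoded as DELTA * m

def pmul(a, b):
    # Product in Z[X]/(X^N + 1): negacyclic convolution over the integers.
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] += ai * bj if i + j < N else -ai * bj   # X^N = -1
    return out

def center(x):
    return (x + Q // 2) % Q - Q // 2          # representative in [-Q/2, Q/2)

def keygen(rng):
    return [rng.choice([-1, 0, 1]) for _ in range(N)]

def encrypt(s, m, rng):
    a = [rng.randrange(Q) for _ in range(N)]
    e = [rng.randint(-3, 3) for _ in range(N)]            # bounded fresh noise
    c0 = [(DELTA * mi + ei - v) % Q for mi, ei, v in zip(m, e, pmul(a, s))]
    return [c0, a]                                         # c0 + a*s = DELTA*m + e

def phase(s, ct):
    # c0 + c1*s + c2*s^2 (mod Q); equals DELTA*m + noise when all is well.
    acc, sp = [0] * N, [1] + [0] * (N - 1)
    for c in ct:
        acc = [x + y for x, y in zip(acc, pmul(c, sp))]
        sp = pmul(sp, s)
    return [center(x) for x in acc]

def decrypt(s, ct):
    return [(T * v + Q // 2) // Q % T for v in phase(s, ct)]

def noise(s, ct, m):
    # Largest noise coefficient, given the true message m; must stay below DELTA/2.
    return max(abs(center(v - DELTA * mi)) for v, mi in zip(phase(s, ct), m))

def add(x, y):
    return [[(a + b) % Q for a, b in zip(cx, cy)] for cx, cy in zip(x, y)]

def mul(x, y):
    # Tensor product scaled by T/Q: three components, so decryption needs s^2.
    (x0, x1), (y0, y1) = ([[center(v) for v in c] for c in ct] for ct in (x, y))
    d1 = [a + b for a, b in zip(pmul(x0, y1), pmul(x1, y0))]
    ds = (pmul(x0, y0), d1, pmul(x1, y1))
    return [[(T * v + Q // 2) // Q % Q for v in d] for d in ds]
```

The three-component output of `mul` is what relinearization would fold back into two components using an evaluation key. `noise` needs the secret key, so it serves as a parameter-selection diagnostic rather than something the evaluating party can compute.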

3.2. CKKS (Approximate HE)

  • Extends the BFV methodology for approximate (real or complex) arithmetic. After each multiplication, rescaling (division by modulus) prevents noise from outpacing the scale factor, supporting high-precision approximate computation for machine learning (Bae et al., 20 Mar 2025).

Table: Comparative Features—Coding vs. Polynomial FHE

| Feature | Code-Based | Polynomial-Ring (RLWE) |
|---|---|---|
| Security | Code decoding (DSCP/IRSD) | LWE/RLWE (worst-case lattice) |
| Ciphertext Size | $O(n)$ over $\mathbb{F}_q$ | $O(n\log q)$ polynomials |
| Multiplicative Depth | Bounded ($\mu$) | Unbounded (via bootstrapping) |
| Key Size | Generator/Parity matrix | $O(n\log q)$ for keys |
| Practical Bootstrapping | Not known | Yes (modulus switching/boot) |

4. Quantum and Post-Quantum Extensions

Quantum-safe HE schemes, notably those based on code theory (McEliece) and lattices (NTRU, MLWE), resist known quantum attacks such as Shor's algorithm.

Code-Based Additive Schemes: XOR-homomorphic encryption over McEliece codes achieves semantic security under well-established coding assumptions and efficiently supports batch operations, with strong quantum resistance (Chen, 22 Feb 2024).

Lattice-Based Post-Quantum HE: NTRU-like schemes over truncated polynomial rings secure additive homomorphism under the hardness of convolutional-lattice problems. Multiplicative homomorphism and full FHE for the lattice setting typically require LWE/SIS assumptions and bootstrapping techniques (Chen, 23 Dec 2024).

Quantum Homomorphic Encryption: Quantum analogues use group-theoretic tools (e.g., commuting centralizer actions on quantum states) to support classes of quantum operations while hiding a fraction of the input information. Security can be characterized information-theoretically (Holevo bound), and efficient masking is possible for special group actions (Tan et al., 2014).

5. Performance, Security, and Practicality

Polynomial/FHE systems (BFV, BGV, CKKS) have reached practical deployment in privacy-preserving computation, achieving:

  • Throughput: Homomorphic multiplications in milliseconds with $n=2^{14}$, $q\approx 2^{60}$ (Grimaldi, 17 Sep 2025).
  • Software: Optimized libraries (SEAL, PALISADE) for RLWE-based schemes leverage NTT and modular arithmetic for fast polynomial ops (Bae et al., 20 Mar 2025).
  • Capacity: SIMD slots (batching) for parallel vector operations; approximate CKKS for floating-point computation closely mimics floating-point BLAS with practical overhead (4–12$\times$) (Bae et al., 20 Mar 2025).

However, all designs face fundamental bottlenecks:

  • Noise Growth/Precision Loss: Multiplications amplify noise, mandating expensive bootstrapping or modulus switching.
  • Key and Ciphertext Size: Auxiliary keys (e.g., rotations in BGV/CKKS) can be very large.
  • Performance Overhead: FHE is orders of magnitude slower than vanilla arithmetic.
  • Coding-Theoretic Limitation: Existing code-based schemes are restricted to bounded depth; practical FHE for code-based HE remains an open challenge (Grimaldi, 17 Sep 2025).

6. Open Problems and Research Directions

Continued progress in HE research is focused on:

  • Reducing noise blow-up per multiplication, enabling more practical depth and reducing the need for bootstrapping.
  • Key and ciphertext size optimization, especially for auxiliary key material in RLWE schemes.
  • Hardware acceleration—GPUs and FPGAs—targeting polynomial arithmetic and bootstrapping procedures.
  • Expanding code-based HE to practical FHE (unbounded depth), or discovering new code families supporting bootstrappable primitives.
  • Developing quantum homomorphic schemes with broader operation support and tighter privacy guarantees (Grimaldi, 17 Sep 2025, Tan et al., 2014).

Polynomial-ring FHE (BFV/BGV/CKKS) is currently the most versatile and performant, but the code-based approach offers orthogonal design space that may lead to new cryptanalytic and implementation trade-offs (Grimaldi, 17 Sep 2025).
