
Homomorphic Encryption Vaults (Haults)

Updated 25 November 2025
  • Homomorphic Encryption-Based Vaults (Haults) are cryptographic protocols that secure on-chain asset management by leveraging homomorphic encryption and zero-knowledge proofs.
  • They employ EC-ElGamal encryption and SNARK-based circuits to enforce balance integrity, prevent double-spending, and enable selective disclosure for compliance.
  • Performance benchmarks and integration with VM-enabled assets demonstrate Haults' practical viability for privacy-preserving and auditable blockchain transactions.

Homomorphic Encryption-Based Vaults (Haults) are cryptographic protocols that employ homomorphic encryption and zero-knowledge proofs to provide confidential, auditable asset management—specifically on VM-enabled (e.g., EVM-style) blockchains. Haults maintain user balances and transaction amounts as encrypted ciphertexts directly on-chain, achieving both transaction privacy and regulatory compliance through selective auditability. Their design is rooted in EC-ElGamal encryption, SNARK-based integrity proofs, and cryptographic mechanisms that enforce balance integrity, double-spending prevention, and secure auditor interventions (Salleras, 21 Nov 2025). Generalizations of the approach, using verifiable Fully Homomorphic Encryption (vFHE), are feasible for broader secret-store scenarios with cryptographic proof of computation integrity (Viand et al., 2023).

1. System Architecture and Roles

Haults integrate cryptographic and blockchain primitives to realize encrypted smart wallets with compliance features. The protocol partitions the ecosystem into several principal roles:

  • Users: Each holds two keypairs: (i) a native blockchain keypair $(\sk^{\nat}, \pk^{\nat})$ for VM authentication, and (ii) a Hault EC-ElGamal keypair $(\sk, \pk)$ for balance encryption.
  • Contract Owner: Maintains an allowlist mapping $(\pk^{\nat})$ to Hault public keys $(\pk)$ and controls enrollment to the permissioned system.
  • Auditor: Holds a dedicated Hault keypair $(\sk[D], \pk[D])$ for regulatory operations—selective disclosures and force transfers.

Balances are represented by "notes," each encapsulating a value $v$ in two ciphertexts: a recoverable encryption $v_{\enc} = \Enc(\pk, {\tt Map}_{\mathrm{rec}}(v))$ and a homomorphic encryption $V_{\enc} = \Enc(\pk, {\tt Map}_{\mathrm{hom}}(v))$. The user's aggregate balance is a group sum $V^{\mathit{tot}}_{\enc} = \sum_i V_{\enc}^{(i)}$, decrypted only with the user's secret key.

Transfers, deposits, and withdrawals operate under explicit protocols. Each transfer produces new notes for sender, recipient, and auditor, accompanied by a SNARK-based zero-knowledge proof $\pi$ ensuring protocol correctness and balance conservation. Selective disclosure is supported by duplicating recipient ciphertexts for the auditor, enabling post hoc decryption under $\sk[D]$ (Salleras, 21 Nov 2025).

2. Cryptographic Primitives: EC-ElGamal and Mapping Functions

Haults are constructed on EC-ElGamal encryption over an elliptic-curve group $\G$ of order $r$:

$\Enc(\pk, M) = (C_1, C_2) \text{ with } k \xleftarrow{\$} \mathbb{F}_r:\; C_1 = k G,\; C_2 = k\,\pk + M$

Decryption is $M = C_2 - \sk\, C_1$. The additive homomorphism arises directly: summing two ciphertexts yields a valid encryption of the sum of the plaintexts.

Discrete scalar values (amounts) are mapped into curve points using two injective maps:

  • ${\tt Map}_{\mathrm{hom}}(v) = v \cdot G$ ensures correct group addition for encrypted sums.
  • ${\tt Map}_{\mathrm{rec}}(v)$ encodes $v$ in the least significant bits of a $y$-coordinate, ensuring efficient recoverability (Salleras, 21 Nov 2025).

3. Zero-Knowledge Proofs for Transaction Validity

To enforce protocol integrity, each transfer operation is accompanied by a zero-knowledge proof (ZK proof)—implemented as a Groth16 SNARK in the reference prototype. The proof circuit asserts:

  • Transfer value $w$ is consistently and correctly encrypted for both recipient and auditor: $w_{\enc[B]}, W_{\enc[B]}, w_{\enc[D]}, W_{\enc[D]}$.
  • Sender's old balance $v^{old}$ decrypts from $V^{old}_{\enc[A]}$, computed correctly in the witness.
  • Updated balance $v^{new}$ and its encodings are valid, $v^{new} = v^{old} - w \geq 0$ (with range checks).

  • Ciphertext operations (additions/subtractions) are consistent with protocol definitions.
  • Auditor's state transitions are sound analogously.
  • The public inputs are all new and old ciphertexts and relevant public keys; the witness contains all ephemeral randomness, decrypted values, and secret keys as necessary for checkability. This structure eliminates the risk of unauthorized minting, value overflow, or double-spending by cryptographically binding proofs to transaction data and contract state (Salleras, 21 Nov 2025).

4. Compliance Controls: Selective Disclosure and Auditor Operations

Compliance support is integral to Haults’ design:

  • Selective Disclosure: Each transfer encrypts the transferred value under both the recipient's and auditor's public keys, allowing regulated entities to observe transaction amounts via off-chain decryption if required.
  • Force Transfers: The auditor may forcibly reassign all of a user's funds (e.g., in key loss or regulatory intervention) by executing the same transfer protocol as the original sender, but under the auditor's keys and with ciphertexts constructed deterministically (zero randomness), yielding transparent outputs. The ZK circuit and contract logic validate that funds are exhausted and transferred correctly, and that the auditor does not retain surplus balance (Salleras, 21 Nov 2025).
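The EC-ElGamal scheme of Section 2 (encryption, decryption, ${\tt Map}_{\mathrm{hom}}$ and ciphertext addition) together with the zero-randomness "transparent" ciphertexts used for force transfers and deposits, as an added pure-Python example that is not code from the paper or its Solidity/Circom prototype. It assumes secp256k1 in place of Baby JubJub (the algebra is the same for any prime-order group), implements only ${\tt Map}_{\mathrm{hom}}$ (not ${\tt Map}_{\mathrm{rec}}$), and uses constructed sample amounts.

```python
import secrets
# secp256k1 parameters (assumption: the prototype uses Baby JubJub; any prime-order
# group gives the same algebra). INF stands for the point at infinity.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
R = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None

def add(p1, p2):  # affine group law on y^2 = x^3 + 7 over F_P
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add scalar multiplication k*pt
    acc = INF
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

# EC-ElGamal as in Section 2, with the amount encoding Map_hom(v) = v*G.
def map_hom(v):
    return mul(v, G)
def keygen():
    sk = secrets.randbelow(R - 1) + 1
    return sk, mul(sk, G)
def enc(pk, M, k=None):  # (C1, C2) = (kG, k*pk + M); k=0 gives a transparent note
    k = secrets.randbelow(R - 1) + 1 if k is None else k
    return (mul(k, G), add(mul(k, pk), M))
def dec(sk, ct):  # M = C2 - sk*C1
    s = mul(sk, ct[0])
    return add(ct[1], INF if s is INF else (s[0], (-s[1]) % P))
def ct_add(a, b):  # homomorphic addition: component-wise group addition
    return (add(a[0], b[0]), add(a[1], b[1]))

def balance_sums_correctly(v1, v2):  # sum of two notes decrypts to Map_hom(v1 + v2)
    sk, pk = keygen()
    total = ct_add(enc(pk, map_hom(v1)), enc(pk, map_hom(v2)))
    return dec(sk, total) == map_hom(v1 + v2)

def transparent_note_is_readable(pk, v):  # zero randomness: C1 = INF, C2 = Map_hom(v)
    c1, c2 = enc(pk, map_hom(v), k=0)
    return c1 is INF and c2 == map_hom(v)
```

Decrypting yields the curve point $v \cdot G$, not $v$ itself; recovering the scalar is what the separate ${\tt Map}_{\mathrm{rec}}$ ciphertext is for.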

5. Security Model and Cryptographic Assumptions

Haults’ security relies on:

  • Adversary Model: All on-chain data and proofs are public; only allowlisted users transact.
  • Cryptographic Assumptions:
    • Discrete log hardness in $\G$
    • IND-CPA security of EC-ElGamal encryption
    • Soundness, completeness, and zero-knowledge of SNARKs

Protocols guarantee:

  • Balance Integrity: Ciphertext sums rigorously enforce conservation of value.
  • Double-Spending Protection: Notes are consumed (removed) upon transfer.
  • Confidentiality: Only secret key holders (or auditors, if permitted) can decrypt values.
  • Non-malleability: Transaction and proof binding prevents replay or manipulation (Salleras, 21 Nov 2025).

Expanding to the broader context, verifiable FHE architectures further extend these guarantees to malicious server scenarios, ensuring both integrity and confidentiality even where the vault server may actively deviate from protocol, by integrating ZK proofs (SNARKs over FHE computations) or secure hardware attestation (Viand et al., 2023).

6. Performance Benchmarks and Practical Cost

The reference Haults implementation uses Solidity and Circom (BN254/Baby-JubJub curve) with Groth16 SNARKs:

  • Circuit Complexity: $\sim 2^{16}$ constraints.
  • Proof Generation: $\sim$2 seconds on a Ryzen 7 5800X.
  • Gas Costs (EVM): SNARK verification ≈ 504,000 gas; end-to-end transfer ≈ 895,000 gas.

While transaction gas costs exceed those of transparent transfers, they are compatible with mainnet usage, and can be further optimized using L2 rollups or native cryptographic precompiles (Salleras, 21 Nov 2025).

Verifiable FHE instantiations present a spectrum of cost-performance tradeoffs depending on the proof system—ranging from seconds (FHE-in-TEE) to minutes (classical SNARKs) or longer (Bulletproofs), as presented in the following table (Viand et al., 2023):

ZK System     Prover Time    Verifier Time
Groth16       200–640 s      2 ms
Rinocchio     0.5–57 s       0.1–0.18 s
FHE-in-TEE    0.15–1.26 s    negligible

These figures illustrate the practical viability of deployment for real-world secure storage and computation services.

7. Integration with External Tokens and Generalizations

Haults are compatible with both in-contract tokens and external assets such as native VM coins (e.g., Ether) and arbitrary ERC20 tokens:

  • Deposits: The contract owner mints a transparent note (zero randomness) matching the deposited value for the user.
  • Withdrawals: The user demonstrates control over encrypted balances summing to the withdrawal value using the transfer ZK circuit; spent notes are burned, and the clear token transfer is performed externally.

Withdrawals inherently leak the withdrawal amount, requiring either trust in the contract owner (for asset gateways) or enhancement with blind-redeem protocols. These design choices make Haults suitable as privacy-preserving wrappers for external assets as well as for internal ledger tokens (Salleras, 21 Nov 2025).

Moreover, the verifiable FHE formulation generalizes Haults beyond blockchains—to arbitrary secret-store and computation vaults—by providing cryptographic guarantees of both confidentiality and integrity, even against fully malicious operators. Future directions include dedicated ring-arithmetic SNARKs, hybrid integrity primitives, multidimensional batching, efficient circuit privacy, and robust defense against side-channel leakage (Viand et al., 2023).
