
Homomorphic Encryption: Computation on Encrypted Data

Updated 11 December 2025
  • Homomorphic encryption is a cryptographic method that allows computations on encrypted data without revealing plaintext, ensuring data confidentiality.
  • It underpins privacy-preserving applications in cloud computing, federated learning, secure statistical analytics, and encrypted machine learning.
  • Key challenges include managing noise growth, ciphertext expansion, and computational cost, driving research in bootstrapping and hardware accelerations.

Homomorphic encryption (HE) is a class of cryptographic primitives enabling computation on encrypted data, such that decryption of the result yields the output as if computed on the plaintext. HE underpins privacy-preserving computation in untrusted environments and is foundational in secure outsourced computation, federated learning, cloud data analytics, privacy-preserving machine learning, secure statistical data mining, and privacy-protecting protocols for genomics, medical imaging, and database search.

1. Formalism and Core Scheme Taxonomy

HE is typically specified as a tuple of efficient algorithms $(\mathsf{KeyGen},\mathsf{Enc},\mathsf{Eval},\mathsf{Dec})$. For security parameter $\lambda$, $\mathsf{KeyGen}$ produces public and secret keys; $\mathsf{Enc}$ encrypts a message $m$; $\mathsf{Eval}$ enables computation of a function $f$ or circuit $C$ on ciphertexts, and $\mathsf{Dec}$ decrypts the output ciphertext to $f(m_1,\ldots,m_t)$, preserving correctness:

$$\mathsf{Dec}_{sk}\left(\mathsf{Eval}_{pk}(C, \mathsf{Enc}_{pk}(m_1), \ldots, \mathsf{Enc}_{pk}(m_t))\right) = C(m_1, \ldots, m_t)$$

HE schemes are classified by the scope of permitted homomorphic computations:

Security is based on hard problems: classical PHE schemes (e.g., RSA, Paillier, ElGamal) rely on factoring or discrete log; all post-2009 practical FHE schemes rely on the Learning With Errors (LWE) and Ring-LWE (RLWE) assumptions (Jain et al., 2023, Bhoi et al., 28 Mar 2025).
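
As an added example (not code from this page or the cited papers), here are the four algorithms and the correctness equation instantiated with Paillier, one of the classical PHE schemes named above, evaluating a linear circuit on ciphertexts only. The primes are constructed toy values far too small for real use, and the function names are assumptions of this example.

```python
import math
import secrets

def keygen(p=2**31 - 1, q=2**61 - 1):
    """KeyGen: toy Paillier keys from two constructed (far too small) primes."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)          # valid shortcut when the generator is g = n + 1
    return n, (n, lam, mu)        # pk, sk

def enc(pk, m):
    """Enc: c = (1 + n)^m * r^n mod n^2 with fresh randomness r."""
    n = pk
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + m * n) % n2 * pow(r, n, n2) % n2

def eval_linear(pk, weights, bias, cts):
    """Eval: circuit C(m_1..m_t) = sum(w_i * m_i) + bias, using ciphertexts only."""
    n2 = pk * pk
    acc = (1 + bias * pk) % n2            # trivial encryption of the public bias
    for w, c in zip(weights, cts):
        acc = acc * pow(c, w, n2) % n2    # ciphertext product = plaintext sum
    return acc

def dec(sk, c):
    """Dec: m = L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) // n."""
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def demo():
    pk, sk = keygen()
    msgs, weights, bias = [12, 30, 7], [3, 1, 5], 4   # constructed inputs
    cts = [enc(pk, m) for m in msgs]
    # Dec(Eval(C, Enc(m_1), ..., Enc(m_t))) must equal C(m_1, ..., m_t)
    return dec(sk, eval_linear(pk, weights, bias, cts))

if __name__ == "__main__":
    print(demo())
```

Paillier is additively homomorphic only: `eval_linear` can add ciphertexts and scale them by public constants, but it cannot multiply two encrypted values.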

2. Algebraic Foundations and Main Scheme Families

The RLWE paradigm dominates efficient FHE implementations. Let $R_q = \mathbb{Z}_q[x]/(f(x))$, frequently with $f(x)$ cyclotomic, $n = \deg f$, and "noise" sampled from a discrete Gaussian $\chi$. Ciphertexts are typically tuples over $R_q$; plaintexts are in $R_t$, $t \ll q$. Most schemes are key-switching and modulus-switching enabled, allowing efficient relinearization and depth management (Jain et al., 2023, Acar et al., 2017, Aslett et al., 2015).

Key FHE Families and Features

| Scheme | Model | Key Concepts | Security | Applications |
|---|---|---|---|---|
| BGV | Leveled+bootstrap | Modulus-switching | RLWE | Linear algebra, private DBs |
| BFV | Integer/FV-style | Plaintext batching | RLWE | ML, statistics |
| CKKS | Approximate | Scaled real vectors | RLWE | Private ML, genomics |
| TFHE | Boolean gates | Fast gate bootstrap | LWE/Torus-LWE | Secure logic, bit ops |

Noise management is central: additive and multiplicative noise growth are regime-defining. Ciphertext expansion, noise budget, and the requirement for relinearization and rescaling after each multiplication determine circuit depth and parameter selection (Jain et al., 2023, Aslett et al., 2015, Iezzi, 2020, Acar et al., 2017).
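
An added example (not from this page or the cited papers) of additive noise growth in a toy BFV-style symmetric scheme over $R_q$: every homomorphic addition also sums the noise terms, and decryption breaks once the accumulated noise reaches $q/(2t)$. The parameters ($N=16$, $q=2^{16}$, $t=16$), the clipped Gaussian with $\sigma=3.2$ and all function names are assumptions chosen for illustration and give no security; multiplication, relinearization and modulus switching are left out.

```python
import random

N, Q, T = 16, 1 << 16, 16      # constructed toy parameters, no real security
DELTA, B = Q // T, 19          # plaintext scale q/t; noise bound (about 6 sigma)

def polymul(a, b):
    """Multiply in R_q = Z_q[x]/(x^N + 1), i.e. with x^N = -1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            sign = -1 if i + j >= N else 1
            out[(i + j) % N] = (out[(i + j) % N] + sign * ai * bj) % Q
    return out

def keygen(rng):
    return [rng.choice((-1, 0, 1)) for _ in range(N)]   # ternary secret s

def sample_noise(rng):
    """Rounded Gaussian clipped to [-B, B], standing in for chi."""
    return [max(-B, min(B, round(rng.gauss(0, 3.2)))) for _ in range(N)]

def encrypt(s, m, rng, noise=None):
    """Return (c0, c1) with c0 = -a*s + e + DELTA*m and c1 = a."""
    a = [rng.randrange(Q) for _ in range(N)]
    e = sample_noise(rng) if noise is None else noise
    c0 = [(DELTA * mi + ei - x) % Q for mi, ei, x in zip(m, e, polymul(a, s))]
    return c0, a

def add(c, d):
    """Homomorphic addition is component-wise, so the noise terms add as well."""
    return tuple([(x + y) % Q for x, y in zip(u, v)] for u, v in zip(c, d))

def phase(s, c):  # c0 + c1*s = DELTA*m + e (mod q)
    return [(x + y) % Q for x, y in zip(c[0], polymul(c[1], s))]

def decrypt(s, c):  # round each coefficient to the nearest multiple of DELTA
    return [(T * v + Q // 2) // Q % T for v in phase(s, c)]

def noise_norm(s, c, m):
    """Largest |e| coefficient, measured with the secret key (diagnostic only)."""
    return max(abs((v - DELTA * mi + Q // 2) % Q - Q // 2)
               for v, mi in zip(phase(s, c), m))

def sum_fresh(s, m, k, rng, noise=None):
    """Add k fresh encryptions of m; the plaintext result is k*m mod T."""
    acc = encrypt(s, m, rng, noise)
    for _ in range(k - 1):
        acc = add(acc, encrypt(s, m, rng, noise))
    return acc
```

Passing `noise=[B] * N` forces the worst case: 107 additions still decrypt correctly (noise 2033), while 108 push the noise to 2052, past $q/(2t) = 2048$, and every coefficient decrypts off by one.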

3. Bootstrapping, Depth, and Performance Engineering

Bootstrapping—homomorphically evaluating nearly the entire decryption procedure using encrypted secret keys—restores noise to a baseline and enables FHE (Jain et al., 2023, Kim et al., 2021, Acar et al., 2017). In BGV/BFV/CKKS, bootstrapping consists of hundreds of homomorphic multiplications, automorphisms, and rescalings, consuming large modulus levels and imposing significant time/memory requirements (Kim et al., 2021).

  • Efforts focus on reducing its computational complexity (e.g., hardware-aware optimizations, parallel architectures, advanced RNS arithmetic), with hardware implementations such as BTS achieving up to $5{,}556\times$ improvements on machine learning workloads versus CPU (Kim et al., 2021).
  • Parameter tuning is critical: the trade-off between security (via polynomial dimension $N$ and modulus $q$), practical noise margin, multiplicative depth, and working set/memory constraints is delicate (Jain et al., 2023, Kim et al., 2021, Jung et al., 2020, Aslett et al., 2015).

SIMD batching—packing multiple plaintext elements into a single ciphertext—amortizes per-operation overhead across slots and is key to usable encrypted matrix multiplication and ML inference (Gao et al., 3 May 2024, Boemer et al., 2018, Recto et al., 2023). Compiler technology (e.g., Viaduct-HE, nGraph-HE) automates data layout and schedule search to optimize slot utilization, depth, and communication (Recto et al., 2023, Boemer et al., 2018).

4. Applications and Protocol Integration

HE is deployed in a spectrum of domains:

  • Privacy-Preserving Machine Learning: Both inference and federated training are feasible; e.g., deep learning on encrypted medical images (oblivious inference on OCT scans and federated nodule detection with CKKS and threshold Paillier in (Dutil et al., 2021)), collaborative FL on foundation models (CKKS-based FedAvg with sensitivity mask in (Jin et al., 2023)), and support for regression, PCA, and clustering (Aslett et al., 2015, Iezzi, 2020).
  • Secure Database Search: Exact and range queries evaluated via homomorphic matching polynomials over ring-based FHE; blockwise encoding in RLWE rings accelerates protocols compared to bitwise integer DGHV (Palamakumbura et al., 2016).
  • Encrypted Genomics: Large-scale GWAS computation with complex packing into CKKS slots; semi-parallel logistic regression using homomorphic matrix-multiplies and slot-level polynomial approximations (Sim et al., 2019).
  • Encrypted Statistical Analytics: Homomorphic linear algebra primitives for regression, ML model evaluation, and encrypted matrix operations; slot-packing enables vector operations at scale (Aslett et al., 2015, Gao et al., 3 May 2024).

Searchable encryption schemes increasingly employ HE (often PHE for sum/TF-IDF rankings) as a subcomponent for index construction and search, with support for ranked multi-keyword queries and verifiability, though limitations in functional expressiveness and ciphertext expansion persist (Amorim et al., 2023).

5. Practical Limitations, Hardware, and Compiler Optimizations

HE systems contend with several fundamental limitations (Aslett et al., 2015, Jain et al., 2023, Kim et al., 2021):

  • Noise growth bounds circuit depth: Without bootstrapping, schemes are leveled and circuits must fit within the permitted multiplicative depth (dictated by $q$, $N$, and the choice of $\chi$).
  • Ciphertext Expansion: All RLWE-based schemes expand plaintexts to tuples of $n$-degree polynomials with $q$-bit coefficients; typical sizes are 1–5 kB for BFV/BGV, hundreds of kB for large packing (Jain et al., 2023, Aslett et al., 2015).
  • Operation Complexity: Ciphertext-ciphertext multiplication—including key-switching and relinearization—is orders of magnitude slower than plaintext operations; bootstrapping remains the largest computational bottleneck unless offloaded to ASIC/FPGA accelerators (Jung et al., 2020, Kim et al., 2021).
  • Compiler Support: Array-to-HE compilers such as Viaduct-HE (Recto et al., 2023) and graph-based intermediate representations (e.g., nGraph-HE (Boemer et al., 2018)) automate layout and depth minimization, enabling competitive runtimes and sophisticated schedule search.

Hardware accelerators—flexibly co-designed for NTT, RNS base conversion, and memory-access locality—are pivotal for scaling to deep neural networks and high-throughput analytics (Kim et al., 2021, Reis et al., 2020, Jung et al., 2020).

6. Security Analysis, Post-Quantum Status, and Open Directions

Almost all current practical HE schemes base security on RLWE, conjectured quantum-resistant but potentially subject to subexponential attacks if lattice reduction advances. Main points (Bhoi et al., 28 Mar 2025, Jain et al., 2023, Acar et al., 2017):

  • Lattice-based schemes (LWE/RLWE): Currently best-studied and most widely implemented (BGV, BFV, CKKS, TFHE) (Jain et al., 2023, Bhoi et al., 28 Mar 2025).
  • Code-based FHE: Motivated by post-quantum diversification, these rely on NP-hard syndrome decoding (e.g. McEliece, rank-metric constructions) but remain mainly SWHE (supporting limited depth), with obstacles in bootstrapping efficiency and key size (Bhoi et al., 28 Mar 2025). Five key future research directions include practical bootstrapping for codes, key-size reduction with structured codes, error-correction homomorphic to noise, formal reduction to worst-case code problems, and integration with multi-party and zero-knowledge protocols (Bhoi et al., 28 Mar 2025).

Open research challenges documented in recent surveys (Jain et al., 2023, Iezzi, 2020, Recto et al., 2023) include:

  • Reducing bootstrapping latency to millisecond scale.
  • Automating parameter selection for tighter security/noise/ciphertext trade-offs.
  • Compiler and toolchain advancements for transparent integration into machine learning and data science.
  • Multi-user and threshold FHE for distributed/private key settings.

HE is already fueling practical, privacy-preserving workflows in sensitive cloud computing, federated learning, statistical analytics, and secure multi-party collaboration. Ongoing advances in acceleration, tooling, and deeper theoretical understanding are rapidly expanding its scientific and engineering impact.
