Homomorphic Polynomial Evaluation
- Homomorphic evaluation of polynomials is a technique that enables computation on encrypted data, allowing functions to be evaluated without decryption.
- It leverages algebraic and cryptographic constructions, such as ring-based and code-based schemes, to manage noise and multiplicative depth effectively.
- Advanced protocols like VESPo and verifiable homomorphic secret sharing ensure dynamic verifiability and efficiency in secure multiparty computations and privacy-preserving applications.
Homomorphic evaluation of polynomials is a central technique in modern cryptography and privacy-preserving computation, enabling the secure computation of polynomial functions on encrypted or secret-shared data. This paradigm finds application in privacy-preserving machine learning, secure multiparty computation, verifiable outsourced storage, and functional encryption. The following sections comprehensively survey foundational definitions, algebraic and cryptographic constructions, efficiency techniques, verification and updatability, as well as representative complexity and security guarantees, with references to recent and canonical arXiv literature.
1. Formal Definitions and Core Models
Homomorphic evaluation of polynomials refers to the ability to compute on encrypted (or secret-shared) values without decrypting them, producing an encrypted (or shared) result that decrypts to . A scheme is called somewhat, leveled, or fully homomorphic depending on the supported polynomial degree or circuit depth.
- Additively or linearly homomorphic schemes natively support .
- Partially or somewhat homomorphic schemes handle polynomials up to a bounded (but possibly superlinear) degree, with correctness limited by noise growth or structural constraints (Dowerah et al., 2019, Dyer et al., 2017).
- Fully homomorphic encryption (FHE) permits arbitrary-degree (unbounded depth) evaluation but requires sophisticated noise management and key switching (Dowerah et al., 2019).
Homomorphic evaluation is implemented in diverse settings:
- Public-key or symmetric-key encryption: e.g., Paillier, BFV/BGV, CKKS, Dowerah–Krishnaswamy, Goldwasser–Micali (Dowerah et al., 2019, Dowerah et al., 2019, Dyer et al., 2017, Yu et al., 2023).
- Functional and secret-sharing approaches: e.g., homomorphic secret sharing (HSS), verifiable HSS, functional encryption with algebraic hiding (Chen et al., 2021, Kuang et al., 2023).
- Code-based: Armknecht-style constructions, or hybrid polynomial code/FHE schemes (Grimaldi, 17 Sep 2025).
For verification, correctness proofs, and support for coefficient updates or dynamism, augmented protocols such as VESPo (Dumas et al., 2021) and verifiable HSS (Chen et al., 2021) have been developed.
2. Algebraic and Cryptographic Foundations
The homomorphic polynomial evaluation capability of a scheme depends on the underlying algebraic carrier and its cryptographic realization.
- Ring-based schemes: Plaintexts are represented as elements of a polynomial quotient ring, typically or a multivariate quotient. Homomorphic addition and multiplication are implemented via ring arithmetic, where degree growth and noise accumulation are core limiting factors (Dowerah et al., 2019, Grimaldi, 17 Sep 2025).
- Code-based schemes: Plaintexts are embedded via evaluation of low-degree polynomials at secret positions, cipher expansion is controlled by code multiplicative properties, and decryption is achieved via interpolation at hidden information sets (Grimaldi, 17 Sep 2025).
- Linearly homomorphic encryption: Supports encrypted polynomial evaluation by exploiting the fact that exponentiation and multiplication correspond to linear or affine combinations when viewed over an appropriate cyclic group or field (Dumas et al., 2021, Hosseinalizadeh et al., 2021).
A unifying principle is that encryption maps plaintext coefficients or messages into structured algebraic objects ("noisy polynomials" or "noisy codewords") so that evaluating can be mapped to corresponding operations in the encrypted domain. Decryption eliminates or inverts masking to reveal the computed value, provided algebraic and noise constraints are satisfied.
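The linearly homomorphic case described above, which is also the evaluation step VESPo builds on, as an added example (not code from this page or from the cited papers): a toy Paillier instance in which the server applies Horner's rule to encrypted coefficients at a public point. The key size, function names and sample polynomial are assumptions chosen for illustration, and VESPo's pairing-based proof is not modelled.

```python
import math
import secrets

# Toy Paillier key built from two Mersenne primes: illustration only, far too small to be secure.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # lcm(p-1, q-1)
MU = pow(LAM, -1, N)                               # valid for generator g = n + 1

def encrypt(m):
    """Enc(m) = (1 + n)^m * r^n mod n^2, with fresh randomness r coprime to n."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def decrypt(c):
    """Dec(c) = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) // n."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def server_evaluate(enc_coeffs, x):
    """Untrusted server: Horner's rule on ciphertexts at a public point x.

    Plaintext 'acc * x + a_i' becomes ciphertext 'acc^x * Enc(a_i) mod n^2',
    so the server never sees a coefficient or the result in the clear.
    """
    acc = enc_coeffs[-1]
    for c in reversed(enc_coeffs[:-1]):
        acc = pow(acc, x % N, N2) * c % N2
    return acc

def server_update(enc_coeffs, i, enc_delta):
    """Add an encrypted delta to coefficient i without decrypting it."""
    enc_coeffs[i] = enc_coeffs[i] * enc_delta % N2

def plain_evaluate(coeffs, x):
    """Reference evaluation in the clear, reduced into the plaintext space Z_n."""
    return sum(a * pow(x, i, N) for i, a in enumerate(coeffs)) % N

if __name__ == "__main__":
    coeffs = [7, 0, 3, 5]                    # constructed sample: 7 + 3x^2 + 5x^3
    stored = [encrypt(a) for a in coeffs]    # what the client outsources
    print(decrypt(server_evaluate(stored, 11)))
    server_update(stored, 1, encrypt(4))     # coefficient of x becomes 4
    print(decrypt(server_evaluate(stored, 11)))
```

Only additions and multiplications by public scalars are used, so no ciphertext-ciphertext multiplication and no noise budget are involved in this setting.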
3. Protocols for Efficient and Verified Polynomial Evaluation
Homomorphic polynomial evaluation is realized by algorithmic protocols customized for storage, communication, and verification requirements.
- VESPo protocol (Dumas et al., 2021): Enables dynamic, verified, homomorphic evaluation of univariate polynomials stored in encrypted form on an untrusted server. The protocol uses Paillier-type linearly homomorphic encryption and bilinear pairings to allow efficient client verification of correctness proofs for each evaluation at a public point. Dynamic updates to individual coefficients require only logarithmic-sized Merkle proofs.
- Distributed and multiparty computation (Hosseinalizadeh et al., 2021): Arbitrary multivariate polynomials are securely decomposed into sums of bivariate and multivariate components, using Paillier PHE for additive components and multiplicative-additive secret sharing for product terms, supporting information-theoretic privacy against limited collusion.
- Quantum and hybrid protocols (Yu et al., 2023): XOR oblivious transfer, quantum states, and classical XOR-homomorphic encryption combine to provide private linear polynomial evaluation modulo 2, achieving computational or partial information-theoretic security.
- Homomorphic functional encryption (Kuang et al., 2023): Coefficient-wise modular hiding in a secret ring allows evaluation at field points with exact, invertible decryption and IND-CPA security under the modular Diophantine problem.
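The logarithmic-size update proof mentioned in the VESPo item, as an added example (not code from the page or from the VESPo paper): a client that stores only a Merkle root checks the server's proof for one encrypted coefficient and derives the new root from the same sibling path. The generic SHA-256 tree, the class and function names, and the byte strings standing in for ciphertexts are assumptions.

```python
import hashlib

def _h(tag, *parts):
    """Domain-separated SHA-256 so a leaf can never be replayed as an inner node."""
    return hashlib.sha256(tag + b"".join(parts)).digest()

class Server:
    """Holds every encrypted coefficient and the full tree (hypothetical layout)."""
    def __init__(self, leaves):
        self.n = len(leaves)
        if self.n < 2 or self.n & (self.n - 1):
            raise ValueError("this sketch needs a power-of-two number of leaves")
        self.leaves = list(leaves)
        self.tree = [b""] * self.n + [_h(b"\x00", c) for c in leaves]
        for i in range(self.n - 1, 0, -1):
            self.tree[i] = _h(b"\x01", self.tree[2 * i], self.tree[2 * i + 1])

    def root(self):
        return self.tree[1]

    def prove(self, idx):
        """Return the stored leaf and its log2(n) sibling hashes, leaf level first."""
        pos, path = idx + self.n, []
        while pos > 1:
            path.append(self.tree[pos ^ 1])
            pos //= 2
        return self.leaves[idx], path

    def update(self, idx, new_leaf):
        self.leaves[idx] = new_leaf
        pos = idx + self.n
        self.tree[pos] = _h(b"\x00", new_leaf)
        while pos > 1:
            pos //= 2
            self.tree[pos] = _h(b"\x01", self.tree[2 * pos], self.tree[2 * pos + 1])

def root_from_path(idx, leaf, path):
    """Client side: fold a leaf up its sibling path to a candidate root."""
    h = _h(b"\x00", leaf)
    for sibling in path:
        h = _h(b"\x01", sibling, h) if idx & 1 else _h(b"\x01", h, sibling)
        idx >>= 1
    return h

def client_update(root, idx, old_leaf, new_leaf, path):
    """Check the server's proof against the stored root, then derive the new root."""
    if root_from_path(idx, old_leaf, path) != root:
        raise ValueError("proof does not match the client's root")
    return root_from_path(idx, new_leaf, path)
```

The client's state stays one hash regardless of the polynomial's degree; a server that returns a stale or substituted coefficient fails the root check before the update is accepted.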
4. Techniques for Depth and Noise Minimization
Efficient homomorphic evaluation is critically dependent on controlling multiplicative depth and noise:
- Depth-optimal evaluation via neural networks (Chiang, 2024): Homomorphic polynomial evaluation can be modeled as encrypted inference in a feedforward neural network with polynomial activations. Proper architecture and activation degree selection yield near-optimal (logarithmic in the target degree) multiplicative depth, outperforming Horner's rule or Paterson-Stockmeyer in modulus consumption and bootstrapping frequency.
- Multi-input ciphertext multiplication (Akherati et al., 2024): Introduction of native three-input multiplication (with one extra evaluation key) for BFV/CKKS significantly reduces multiplicative depth and relinearization noise relative to the composition of two binary multiplications. This achieves lower operation latency, reduced hardware area, and improved noise scaling, especially when high-degree monomials are evaluated.
- Noise control and parameter selection (Dowerah et al., 2019, Dyer et al., 2017, Dowerah et al., 2019, Grimaldi, 17 Sep 2025): Homomorphic addition increases noise linearly, while multiplication increases it either additively or multiplicatively, depending on the scheme. Secure parameter choices require modulus and noise budgets to remain sufficient for correct decryption throughout the circuit or polynomial evaluation.
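Why evaluation order matters for the level budget, as an added example (not code from the page or the cited works): a mock ciphertext that tracks multiplicative depth, comparing Horner's rule with a balanced power basis, with an optional three-input product. Assumptions: only ciphertext-ciphertext multiplications consume a level, a native three-input multiplication is modelled as one level, and all names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ct:
    """Mock ciphertext: plaintext value plus ciphertext-ciphertext multiplicative depth."""
    value: int
    depth: int = 0

    def __add__(self, other):                 # addition consumes no level
        return Ct(self.value + other.value, max(self.depth, other.depth))

    def scale(self, k):                       # plaintext constant times ciphertext
        return Ct(self.value * k, self.depth)

def product(*cts):
    """One native multiplication of 2 (or, as modelled here, 3) ciphertexts: one level."""
    value = 1
    for c in cts:
        value *= c.value
    return Ct(value, max(c.depth for c in cts) + 1)

def horner(coeffs, x):
    """Horner's rule: every step multiplies the running ciphertext by x."""
    acc = x.scale(coeffs[-1]) + Ct(coeffs[-2])
    for a in reversed(coeffs[:-2]):
        acc = product(acc, x) + Ct(a)
    return acc

def balanced(coeffs, x, arity=2):
    """Build each power x^k from `arity` near-equal smaller powers, then combine linearly."""
    powers = {1: x}
    def power(k):
        if k not in powers:
            parts = [k // arity + (i < k % arity) for i in range(arity)]
            powers[k] = product(*(power(p) for p in parts if p))
        return powers[k]
    acc = Ct(coeffs[0])
    for k, a in enumerate(coeffs[1:], start=1):
        if a:
            acc = acc + power(k).scale(a)
    return acc

def fits(levels, result):
    """True if the evaluation finishes inside a modulus chain of `levels` levels."""
    return result.depth <= levels
```

For a dense degree-16 polynomial this gives depth 15 for Horner, 4 for the binary power basis and 3 with three-input products, so only the latter two fit a four-level parameter set without bootstrapping.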
5. Verifiability, Updatability, and Security Guarantees
Several advanced protocols guarantee verifiable correctness, dynamic updates, and robust security:
- Verifiable Evaluation (VESPo) (Dumas et al., 2021): Servers produce succinct (-size) pairing-based certificates with each homomorphic polynomial evaluation; clients can verify correctness in time. Dynamic coefficient update and audit protocols preserve efficiency and cryptographic security under standard assumptions.
- Verifiable Homomorphic Secret Sharing (Chen et al., 2021): Two-server HSS architecture provides full verifiability and context-hiding; a malicious server cannot induce an incorrect output, and each output client verifies function correctness via tag comparison, with client-side computation independent of the polynomial degree.
- Rigorous security analyses: All schemes are proven IND-CPA or context-hiding secure under concrete assumptions—LWE (for BFV/BGV-style FHE), Hidden Subspace Membership (for Dowerah–Krishnaswamy), approximate common divisor or factoring (for integer-based schemes), or NP-hardness of modular Diophantine equations (for functional encryption) (Dowerah et al., 2019, Dowerah et al., 2019, Dyer et al., 2017, Kuang et al., 2023).
- Soundness in multiparty protocols (Hosseinalizadeh et al., 2021): Information-theoretic privacy is preserved up to explicit collusion thresholds; simulation-based proofs show that intermediate messages reveal nothing beyond the computed value.
6. Complexity and Performance Considerations
State-of-the-art constructions achieve varied performance and complexity trade-offs, summarized below:
| Scheme/Protocol | Max Degree/Depth Supported | Storage/Comm Costs | Homomorphic/Verification Cost | Security Assumptions |
|---|---|---|---|---|
| VESPo (Dumas et al., 2021) | | server, client | server, client | LHE + pairing/DLM |
| Depth-optimal NN (Chiang, 2024) | with depth | weights: | HE mults | Underlying HE (CKKS, etc.) |
| Quantum/hybrid (Yu et al., 2023) | Linear polynomials (mod 2) | quantum/classical | round complexity | Info-th./computational |
| Functional encryption (Kuang et al., 2023) | Arbitrary univariate degree | per eval | Modular Diophantine | |
| 2-server verif. HSS (Chen et al., 2021) | Degree | input, output | per server, client | Ring-LWE |
| Integer HE (Dyer et al., 2017) | Low-degree, practical | words | for -vector | Factoring/APCD |
| Code-based/BFV (Grimaldi, 17 Sep 2025) | as mult. depth bound | ; | field ops | Code ISD/LWE |
All performance claims and complexity upper bounds are verbatim from the cited works.
7. Impact, Limitations, and Open Research Directions
Homomorphic evaluation of polynomials underpins privacy-preserving analytics, secure outsourced storage, and privacy-preserving machine learning. Notable advances include:
- Demonstration of dynamic, scalable, and verifiable outsourced storage (VESPo) with terabyte-scale performance and auditability (Dumas et al., 2021).
- Realization of efficient, high-degree, verifiable polynomial evaluation with minimal server count (2-server HSS) (Chen et al., 2021).
- Frameworks enabling arbitrary function approximation with near-optimal multiplicative depth through neural architectures (Chiang, 2024).
- Concrete hardware optimizations, e.g., ternary multiplication to reduce hardware and noise overhead (Akherati et al., 2024), directly impacting practical FHE library design.
Key limitations or open problems include:
- Managing noise growth for extremely deep polynomials or circuits without frequent bootstrapping (Dowerah et al., 2019, Grimaldi, 17 Sep 2025).
- Improving the tractability of general homomorphism polynomial families beyond the known dichotomies for specific classes of graph polynomials (Engels, 2014).
- Extending partial information-theoretic protocols (e.g., quantum OT-based) to higher-degree circuits under minimal leakage (Yu et al., 2023).
- Further reducing client-side storage and verification footprint in highly dynamic update scenarios (Dumas et al., 2021).
Advances in parameter optimization, complexity-theoretic characterization, and practical implementations continue to refine the efficiency, scalability, and breadth of homomorphic polynomial evaluation schemes across cryptographic domains.