Hybrid Homomorphic Encryption (HHE)

Updated 28 December 2025

Hybrid Homomorphic Encryption (HHE) is a cryptographic paradigm that combines efficient symmetric-key encryption with homomorphic operations, enabling secure and scalable computation.
It uses a two-part approach where lightweight client-side encryption is paired with server-side transciphering to minimize communication and computational load.
HHE underpins advances in privacy-preserving machine learning and federated learning, achieving significant improvements in client efficiency and communication reduction.

Hybrid Homomorphic Encryption (HHE) is a cryptographic paradigm that interleaves the efficiency of symmetric-key encryption with the computation-enabled power of homomorphic encryption. HHE protocols have catalyzed a new generation of privacy-preserving machine learning (PPML) and secure aggregation frameworks that reconcile the constraints of edge devices with the privacy requirements of modern cloud services. By coupling lightweight stream ciphers optimized for homomorphic evaluation with LWE- or RLWE-based FHE schemes, HHE frameworks minimize ciphertext expansion and offload the bulk of computational cost to the server, while the client engages only in resource-efficient symmetric encryption operations. This division of labor and the associated cryptographic engineering underpin recent advances in scalable, energy-efficient, and practical cryptographically secure computation.

1. Core Principles and Formalization

The canonical HHE scheme consists of a symmetric encryption component (SKE) and a public-key homomorphic encryption component (HE), both instantiated over a common security parameter $\lambda$ (Nguyen et al., 10 Sep 2024, Frimpong et al., 26 Jan 2024). The scheme can be described as follows:

Keygen: $(\mathsf{pk},\mathsf{sk},\mathsf{evk}) \gets \mathsf{HE.KeyGen}(1^\lambda)$
Encryption:

$K \gets \mathsf{SKE.Gen}(1^\lambda)$
$c = \mathsf{SKE.Enc}_K(x)$
$c_K = \mathsf{HE.Enc}_{\mathsf{pk}}(K)$
Output $(c, c_K)$

Decomposition (Transciphering): $\mathsf{HE.Eval}_{\mathsf{evk}}(\mathsf{SKE.Dec}, c_K, c)$
Homomorphic Evaluation: standard $\mathsf{HE.Eval}$ on ciphertexts resulting from decomposition
Decryption: $\mathsf{HE.Dec}_{\mathsf{sk}}(\cdot)$

This pipeline allows lightweight client encryption and significant communication reductions while enabling arbitrary homomorphic computation on the server side. The composition is IND-CPA secure under the RLWE (for HE) and PRP (for SKE, e.g., PASTA, Rubato) assumptions (Nguyen et al., 10 Sep 2024, Frimpong et al., 26 Jan 2024).

2. Cipher and Scheme Engineering for HHE

Symmetric ciphers for HHE must have low arithmetic and multiplicative depth, and be structurally compatible with the algebraic domains of major HE schemes (BFV, CKKS, TFHE). PASTA, Rubato, and HERA are the predominant examples (Jeon et al., 1 Jul 2025, Zhao et al., 21 Dec 2025, Nguyen et al., 20 Jul 2025):

Cipher	Target HE	Structure	Key Features
PASTA	BFV	Transpose-filter/block	Low degree, fast, 16-/32-bit
Rubato	CKKS	MixColumns/MixRows/Feistel	Transposition-invariant, batched
HERA	CKKS	Cube nonlinearity	Vectorized, modular-friendly

Architectures such as Presto and DNA-HHE implement these ciphers with deeply pipelined, hardware-accelerated units, employing vectorization, transposition-invariance, deferred RNG, and multi-field butterfly units to maximize throughput and minimize energy (Jeon et al., 1 Jul 2025, Zhao et al., 21 Dec 2025).

3. Protocols and Deployment Models

HHE is now foundational in multiple secure computation settings:

PPML and Inference: Clients encrypt data under SKE, wrap the key under HE, and transmit to the CSP, which transciphers to HE-space and performs evaluation (Nguyen et al., 10 Sep 2024, Frimpong et al., 26 Jan 2024, Chan et al., 23 Oct 2025). In frameworks like Safhire, non-linear activations are offloaded to the client in plaintext, obviating expensive bootstrapping (Biswas et al., 1 Sep 2025).
Federated Learning: Each client encrypts model updates using a symmetric stream cipher and sends the result, plus the HE-encrypted key, to the server, which homomorphically decrypts and aggregates. This achieves drastic bandwidth and runtime savings for clients, with server-side cost dominated by transciphering (Correia et al., 3 Sep 2025, Nguyen et al., 20 Jul 2025).
Hybrid TEE–FHE Workflows: In settings such as SAFETY or new hybrid DSLs, TEEs are combined with FHE or HHE to balance trust assumptions and performance, for example, delegating decomposition or decryption to enclaves (Sadat et al., 2017, Laage, 27 May 2025).
Edge-to-Cloud PPOC: Dual-mode accelerators enable switching between RNS-CKKS and Rubato within the same hardware for edge-centric privacy-preserving computation (Zhao et al., 21 Dec 2025, Chan et al., 23 Oct 2025).

4. Performance Characteristics and Tradeoffs

Consistently across evaluations, HHE yields large improvements in client efficiency and total communication volume:

Encryption Latency: FPGA-based accelerators (e.g., HHEML) reduce client encryption latency by $>50\times$ relative to pure HE, achieving $>2\times$ throughput versus prior software/FPGA HHE ciphers (Chan et al., 23 Oct 2025).
Communication: Uplink bandwidth is reduced by $10^2$ – $10^3\times$ versus pure FHE, as symmetric ciphertexts are compact (often less than 1–2 MB for hundreds of inputs) (Nguyen et al., 10 Sep 2024, Frimpong et al., 26 Jan 2024, Nguyen et al., 20 Jul 2025, Correia et al., 3 Sep 2025).
Accuracy: Practical HHE PPML pipelines consistently match plaintext or integer-only accuracy within $\sim1\%$ , even for large datasets such as MIT-BIH or MNIST (Frimpong et al., 26 Jan 2024, Nguyen et al., 10 Sep 2024, Correia et al., 3 Sep 2025).
Server Cost: The transciphering (“decomp”) phase incurs a significant computational blow-up for the server ( $>10^4\times$ versus pure HE aggregation), with practical deployment mitigated by parallelism or hardware offload (Correia et al., 3 Sep 2025, Nguyen et al., 20 Jul 2025).

Key tradeoffs include increased circuit complexity (and noise) in the transcipher step, requirement for HE-friendly ciphers, and the assumption of a non-colluding or honest-but-curious server.

5. Hardware Acceleration and Microarchitectural Optimizations

Major gains in HHE practicality derive from dedicated hardware for symmetric cipher evaluation and transciphering (Chan et al., 23 Oct 2025, Jeon et al., 1 Jul 2025, Zhao et al., 21 Dec 2025):

Accelerator	Supported Modes	Throughput	Area Efficiency	Notable Features
Presto	HERA, Rubato (CKKS)	$6\times$ SW	High	Transposition-inv. MRMC, RNG decoupling
HHEML	PASTA (BFV/FV)	$>50\times$ SW	Low-power (FPGA)	Two-XOF pipeline, AXI4-Stream/DMA integration
DNA-HHE	RNS-CKKS, Rubato	$1.19-158\times$	0.7 mm²/31k slices	Dual-mode BFU, DSP-Barrett, NIC coupling

Microarchitectural techniques such as parallel XOF pipelines, fused MixColumns/MixRows, resource-sharing Karatsuba multipliers, and direct NIC coupling remove bottlenecks and expose latent performance in both symmetric and homomorphic computation (Zhao et al., 21 Dec 2025, Jeon et al., 1 Jul 2025, Chan et al., 23 Oct 2025).

6. Application Domains: PPML, Federated Learning, Hybrid Secure Computation

HHE has been pivotal in diverse application verticals:

PPML: ECG classification (GuardML, ecgPPML), CNN inference (Safhire, A2Q+), and tiny ML multi-layer networks demonstrate near-identical accuracy and $100\times–300\times$ communication savings versus pure FHE (Frimpong et al., 26 Jan 2024, Nguyen et al., 10 Sep 2024, Biswas et al., 1 Sep 2025).
Federated Learning: Aggregation protocols with HHE achieve $>2,000\times$ communication reduction, $1.3\%$ accuracy penalty, and $30\%$ client runtime reduction but impose high server cost, motivating research into lower-depth HE-compatible ciphers and parallel transciphering (Correia et al., 3 Sep 2025, Nguyen et al., 20 Jul 2025).
Hybrid/DSL: Programming abstractions for hybrid FHE/TEE workflows, via modality-aware DSLs, allow code to be backended by FHE or TEE with minimal rewriting, enhancing both developer productivity and deployment flexibility (Laage, 27 May 2025, Sadat et al., 2017).

7. Limitations and Future Directions

Despite its advantages, HHE research identifies the following open problems and next steps (Frimpong et al., 26 Jan 2024, Nguyen et al., 10 Sep 2024, Chan et al., 23 Oct 2025, Jeon et al., 1 Jul 2025, Correia et al., 3 Sep 2025):

Transciphering Cost: Server-side decomp can dominate total runtime; further optimization (especially for large-scale FL/PPML) is required.
Circuit Depth and Cipher Design: Symmetric ciphers for HHE must maintain ultra-low multiplicative depth; extending to deep networks or higher-precision remains non-trivial.
Automatic Code Partitioning: DSLs supporting mixed FHE/TEE backends could introduce automatic partitioning for optimal performance/security tradeoff.
Edge-Centric Deployment: As accelerator designs evolve, scaling multi-core and flexible-mode architectures (SE/HE) will address bandwidth and area constraints in edge environments.
Integration with New HE Primitives: Ongoing work on more efficient bootstrapping, CKKS/TFHE compatibility, and approximate arithmetic may broaden the domain of feasible HHE deployments.

In summary, HHE represents a crucial advance in cryptographic protocol design, combining algorithm engineering, hardware-software co-design, and rigorous security foundations to offer scalable privacy-preserving computation for a wide spectrum of modern applications (Nguyen et al., 10 Sep 2024, Frimpong et al., 26 Jan 2024, Chan et al., 23 Oct 2025, Jeon et al., 1 Jul 2025, Zhao et al., 21 Dec 2025, Correia et al., 3 Sep 2025, Nguyen et al., 20 Jul 2025, Biswas et al., 1 Sep 2025).