Papers
Topics
Authors
Recent
Search
2000 character limit reached

Keyed-Homomorphic Encryption Overview

Updated 7 July 2026
  • Keyed-Homomorphic Encryption (KHE) is a family of cryptographic schemes that explicitly tracks encryption keys, enabling evaluation over ciphertexts from different key domains.
  • Symmetric-key KHE schemes perform homomorphic operations without revealing the secret key, using methods such as matrix or polynomial constructions for exact or approximated arithmetic.
  • Multi-key and threshold-assisted KHE designs support collaborative computations in applications like federated learning by merging distinct encryption domains while managing masking and joint decryption.

Keyed-Homomorphic Encryption (KHE) denotes homomorphic cryptosystems that explicitly keep track of encryption keys and support evaluation over ciphertexts tied to different keys or identities (Wu et al., 25 Jun 2025). In symmetric-key settings, the same term is used for schemes in which encryption and decryption are controlled by a symmetric secret key, while homomorphic evaluation is performed on ciphertexts without revealing that key (Sharma, 2013, Dowerah et al., 2019). In the BFV/CKKS literature on secure aggregation, KHE is treated as synonymous in spirit with Multi-Key Homomorphic Encryption (MKHE): evaluators compute over ciphertexts encrypted under distinct keys without a single shared secret, whereas threshold HE uses a single public key and shares the secret key among parties (Wu et al., 25 Jun 2025, Aloufi et al., 2019).

1. Terminological scope and conceptual variants

Across these works, KHE is not a single standardized construction but a family of keyed homomorphic paradigms. One line of work uses KHE as an umbrella notion for key-aware homomorphic evaluation across different identities or public keys; in that formulation, “multi-identity” and “multi-key” HE are concrete realizations, and the key set referenced by a ciphertext is part of the semantics of evaluation (Wu et al., 25 Jun 2025). A second line uses KHE for symmetric-key homomorphic encryption, where a single secret key governs encryption and decryption, while evaluators operate directly on ciphertexts and do not hold that secret key (Sharma, 2013, Dowerah et al., 2019).

This terminological split is substantive rather than merely stylistic. In symmetric-key KHE, all ciphertexts are under one secret key, and key awareness concerns access control and delegation. In MKHE, ciphertexts may originate under distinct keys, and the central technical problem is how to evaluate across heterogeneous key domains while preserving joint decryptability. A common source of ambiguity is therefore the assumption that KHE must be public-key and cross-key; the cited literature shows that it also includes single-key symmetric constructions.

A further conceptual boundary is with threshold HE. In the MKHE-centered account, threshold HE uses one public key and a shared secret, so it avoids heterogeneous-key extension but requires threshold setup and a comparatively static participant set. MKHE instead preserves distinct keys and supports evaluation over their union, at the price of more elaborate expansion, relinearization, and distributed decryption mechanisms (Wu et al., 25 Jun 2025, Aloufi et al., 2019).

2. Symmetric-key keyed homomorphism

The symmetric matrix-based fully homomorphic construction in "Fully Homomorphic Encryption Scheme with Symmetric Keys" fixes ciphertext space in Mat4(ZN)\mathrm{Mat}_4(\mathbb{Z}_N), where N=i=1mfiN=\prod_{i=1}^{m} f_i and each fi=piqif_i=p_i q_i. The secret key is an invertible matrix kGL4(ZN)k \in \mathrm{GL}_4(\mathbb{Z}_N) with inverse k1k^{-1}. Encryption samples rZN{m}r \in \mathbb{Z}_N \setminus \{m\}, builds a diagonal matrix D(m,r)=diag(m,x1,x2,x3)D(m,r)=\mathrm{diag}(m,x_1,x_2,x_3) via CRT-defined auxiliary entries, and outputs C=k1D(m,r)kmodNC=k^{-1}D(m,r)k \bmod N; decryption computes D=kCk1modND=k C k^{-1} \bmod N and returns D1,1D_{1,1}. Evaluation requires neither the secret key nor a separate evaluation key: homomorphic addition is matrix addition modulo N=i=1mfiN=\prod_{i=1}^{m} f_i0, and homomorphic multiplication is matrix multiplication modulo N=i=1mfiN=\prod_{i=1}^{m} f_i1. Because conjugation by N=i=1mfiN=\prod_{i=1}^{m} f_i2 is exact modulo N=i=1mfiN=\prod_{i=1}^{m} f_i3, the scheme defines N=i=1mfiN=\prod_{i=1}^{m} f_i4 for ciphertexts produced by N=i=1mfiN=\prod_{i=1}^{m} f_i5 and N=i=1mfiN=\prod_{i=1}^{m} f_i6, so the construction is multi-hop, requires no bootstrapping, and supports arithmetic circuits of unbounded depth modulo N=i=1mfiN=\prod_{i=1}^{m} f_i7 (Sharma, 2013).

That matrix scheme is explicitly symmetric rather than public-key. Its security discussion reduces confidentiality to the hardness of factoring N=i=1mfiN=\prod_{i=1}^{m} f_i8, states one-wayness and IND-KPA/IND-CPA goals, and does not claim CCA2 security. It also introduces operational primitives N=i=1mfiN=\prod_{i=1}^{m} f_i9, fi=piqif_i=p_i q_i0, and fi=piqif_i=p_i q_i1, which composes several matrices fi=piqif_i=p_i q_i2 into a master key fi=piqif_i=p_i q_i3. These primitives are used to organize a cloud workflow with separate roles for Data Owner, Delegator, Computation Center, Mapping Division, and Data User, while keeping evaluators keyless (Sharma, 2013).

The multivariate-polynomial construction in "A Somewhat Homomorphic Encryption Scheme based on Multivariate Polynomial Evaluation" is also symmetric-key, but its algebraic organization is different. The secret key includes an ideal fi=piqif_i=p_i q_i4, evaluation points fi=piqif_i=p_i q_i5, a scaling factor fi=piqif_i=p_i q_i6, and a vector fi=piqif_i=p_i q_i7. Ciphertexts lie in fi=piqif_i=p_i q_i8 and take the form

fi=piqif_i=p_i q_i9

where kGL4(ZN)k \in \mathrm{GL}_4(\mathbb{Z}_N)0 and kGL4(ZN)k \in \mathrm{GL}_4(\mathbb{Z}_N)1. Decryption computes

kGL4(ZN)k \in \mathrm{GL}_4(\mathbb{Z}_N)2

Evaluation is again keyless: addition is kGL4(ZN)k \in \mathrm{GL}_4(\mathbb{Z}_N)3, and multiplication is kGL4(ZN)k \in \mathrm{GL}_4(\mathbb{Z}_N)4, where kGL4(ZN)k \in \mathrm{GL}_4(\mathbb{Z}_N)5 is the Hadamard product. The scheme is only somewhat homomorphic, because noise grows under evaluation. After kGL4(ZN)k \in \mathrm{GL}_4(\mathbb{Z}_N)6 additions, the inner-product noise standard deviation scales as kGL4(ZN)k \in \mathrm{GL}_4(\mathbb{Z}_N)7, while multiplication introduces the bound kGL4(ZN)k \in \mathrm{GL}_4(\mathbb{Z}_N)8 (Dowerah et al., 2019).

These two symmetric-key KHE lines occupy opposite ends of the exactness spectrum. The matrix scheme performs exact modular arithmetic with no noise growth, whereas the polynomial scheme behaves like a conventional leveled SHE system: correctness depends on keeping the extracted noise below the decision threshold, and multiplicative depth is structurally limited (Sharma, 2013, Dowerah et al., 2019).

3. Multi-key evaluation and threshold-assisted reconciliation

A formal MKHE syntax used in the BFV/CKKS setting comprises kGL4(ZN)k \in \mathrm{GL}_4(\mathbb{Z}_N)9, k1k^{-1}0, k1k^{-1}1, k1k^{-1}2, k1k^{-1}3, k1k^{-1}4, k1k^{-1}5, and k1k^{-1}6. A fresh ciphertext under one public key is first expanded into a unified representation referencing a set of keys; evaluation then runs over the expanded ciphertexts and produces an output tied to the union of the participating key sets; decryption can be single-shot or distributed through partial decryptions k1k^{-1}7 followed by a merge step. Correctness is exact for exact schemes and approximate for CKKS (Wu et al., 25 Jun 2025).

"Collaborative Homomorphic Computation on Data Encrypted under Multiple Keys" realizes this cross-key KHE functionality by combining threshold HE and MKHE. A fixed set of model owners first aggregates their keys into one joint key k1k^{-1}8 through threshold setup, while each dynamic client retains its own key k1k^{-1}9. At evaluation time, ciphertexts are extended only to the two-key set rZN{m}r \in \mathbb{Z}_N \setminus \{m\}0 rather than to rZN{m}r \in \mathbb{Z}_N \setminus \{m\}1 separate keys. In the paper’s terminology, this reduces the extended ciphertext “dimension” from rZN{m}r \in \mathbb{Z}_N \setminus \{m\}2 to rZN{m}r \in \mathbb{Z}_N \setminus \{m\}3, equivalently reducing extended ciphertext length from rZN{m}r \in \mathbb{Z}_N \setminus \{m\}4 to rZN{m}r \in \mathbb{Z}_N \setminus \{m\}5 (Aloufi et al., 2019).

The mechanism is built from leveled MKBGV and RGSW. Fresh BGV ciphertexts are standard two-component RLWE encryptions; extension places those components into the slots corresponding to the active keys; multiplication uses a tensor product followed by rZN{m}r \in \mathbb{Z}_N \setminus \{m\}6 and rZN{m}r \in \mathbb{Z}_N \setminus \{m\}7. Decryption is collaborative. Each model owner returns a blinded partial

rZN{m}r \in \mathbb{Z}_N \setminus \{m\}8

the evaluator aggregates rZN{m}r \in \mathbb{Z}_N \setminus \{m\}9, and the client completes decryption via

D(m,r)=diag(m,x1,x2,x3)D(m,r)=\mathrm{diag}(m,x_1,x_2,x_3)0

The evaluator is semi-honest, the model-owner side is fixed, and the approach removes per-client joint-key setup while preserving collaborative decryption (Aloufi et al., 2019).

This hybrid construction clarifies one important meaning of KHE in collaborative machine learning: key awareness need not imply that every key remains separate throughout the whole protocol. A threshold-aggregated domain can serve as one side of the computation, with MKHE used only to bridge to another party’s key at runtime.

4. Secure MKHE for privacy-preserving federated learning

The CDKS family of multi-key BFV/CKKS schemes extends MKHE with asymptotically optimal multi-key packed HE and faster multi-key operations via homomorphic gadget decomposition, but its use in multiparty secure computation creates a specific leakage channel. In the privacy-preserving federated learning setting analyzed in "Secure Multi-Key Homomorphic Encryption with Application to Privacy-Preserving Federated Learning", the server expands each client ciphertext D(m,r)=diag(m,x1,x2,x3)D(m,r)=\mathrm{diag}(m,x_1,x_2,x_3)1 into a common key-indexed form, homomorphically adds them to obtain

D(m,r)=diag(m,x1,x2,x3)D(m,r)=\mathrm{diag}(m,x_1,x_2,x_3)2

and then receives distributed partial decryptions D(m,r)=diag(m,x1,x2,x3)D(m,r)=\mathrm{diag}(m,x_1,x_2,x_3)3. Because D(m,r)=diag(m,x1,x2,x3)D(m,r)=\mathrm{diag}(m,x_1,x_2,x_3)4 is public in the expanded ciphertext and D(m,r)=diag(m,x1,x2,x3)D(m,r)=\mathrm{diag}(m,x_1,x_2,x_3)5 is shared for merge, anyone observing both can compute D(m,r)=diag(m,x1,x2,x3)D(m,r)=\mathrm{diag}(m,x_1,x_2,x_3)6. The paper identifies this as a critical security vulnerability for PPFL and proposes SMHE, which retains the CDKS multi-key structure but introduces a masking layer tailored to BFV/CKKS (Wu et al., 25 Jun 2025).

SMHE attaches to each encrypted message a masking tuple D(m,r)=diag(m,x1,x2,x3)D(m,r)=\mathrm{diag}(m,x_1,x_2,x_3)7. Here D(m,r)=diag(m,x1,x2,x3)D(m,r)=\mathrm{diag}(m,x_1,x_2,x_3)8 is an encryption of D(m,r)=diag(m,x1,x2,x3)D(m,r)=\mathrm{diag}(m,x_1,x_2,x_3)9 under a random mask C=k1D(m,r)kmodNC=k^{-1}D(m,r)k \bmod N0, and C=k1D(m,r)kmodNC=k^{-1}D(m,r)k \bmod N1 is a gadget encryption of C=k1D(m,r)kmodNC=k^{-1}D(m,r)k \bmod N2. Given two public keys C=k1D(m,r)kmodNC=k^{-1}D(m,r)k \bmod N3 and C=k1D(m,r)kmodNC=k^{-1}D(m,r)k \bmod N4, the evaluator computes a correction ciphertext

C=k1D(m,r)kmodNC=k^{-1}D(m,r)k \bmod N5

so that the masking equations satisfy

C=k1D(m,r)kmodNC=k^{-1}D(m,r)k \bmod N6

and

C=k1D(m,r)kmodNC=k^{-1}D(m,r)k \bmod N7

The multi-party operator C=k1D(m,r)kmodNC=k^{-1}D(m,r)k \bmod N8 compresses multiple pairwise extensions by using C=k1D(m,r)kmodNC=k^{-1}D(m,r)k \bmod N9, and masked addition inserts the balancing terms into the expanded ciphertext so that only the final joint decryption cancels them. Multiplication and relinearization are unchanged from CDKS.

In the PPFL workflow, the server publishes D=kCk1modND=k C k^{-1} \bmod N0, each client runs D=kCk1modND=k C k^{-1} \bmod N1, performs local training to obtain a gradient D=kCk1modND=k C k^{-1} \bmod N2, encodes it as D=kCk1modND=k C k^{-1} \bmod N3, and sends D=kCk1modND=k C k^{-1} \bmod N4 to the server. The server expands the ciphertexts under the selected client set D=kCk1modND=k C k^{-1} \bmod N5, iteratively applies D=kCk1modND=k C k^{-1} \bmod N6 with masking material, receives partial decryptions D=kCk1modND=k C k^{-1} \bmod N7, reconstructs

D=kCk1modND=k C k^{-1} \bmod N8

decodes the aggregate gradient D=kCk1modND=k C k^{-1} \bmod N9, and updates

D1,1D_{1,1}0

The privacy claim is that every individual term D1,1D_{1,1}1 is entangled with masks derived from other parties’ public keys, and de-masking occurs only in the collective sum (Wu et al., 25 Jun 2025).

5. Security foundations, correctness regimes, and computational behavior

The cited KHE constructions rest on three distinct hardness bases. The BFV/CKKS and BGV-based multi-key systems are formulated over cyclotomic rings such as D1,1D_{1,1}2 and D1,1D_{1,1}3, and rely on RLWE-based indistinguishability; the SMHE paper further states a simulation-based semi-honest security condition in which there exists a PPT simulator D1,1D_{1,1}4 such that D1,1D_{1,1}5 (Wu et al., 25 Jun 2025). The hybrid threshold/MKHE system inherits RLWE and RGSW security and assumes a semi-honest evaluator plus blinded threshold-style partial decryptions (Aloufi et al., 2019). By contrast, the matrix symmetric FHE reduces security to factoring D1,1D_{1,1}6 and emphasizes one-wayness and IND-KPA/IND-CPA rather than lattice assumptions (Sharma, 2013). The multivariate-polynomial SHE reduces IND-CPA security to the Hidden Subspace Membership problem, and states an HSM-to-LWE equivalence when the noise is confined to the last coordinate (Dowerah et al., 2019).

Correctness also differs sharply across families. The matrix symmetric FHE is exact and explicitly sets D1,1D_{1,1}7, so there is no noise accumulation. The multivariate-polynomial scheme is exact only while the extracted inner-product noise remains below the rounding threshold. BFV-style MKHE is exact modulo the plaintext modulus, whereas CKKS-style MKHE is approximate and phrases correctness as D1,1D_{1,1}8 (Sharma, 2013, Dowerah et al., 2019, Wu et al., 25 Jun 2025).

The most detailed implementation data appear in the SMHE study. Its PPFL implementation targets approximately 128-bit RLWE security with D1,1D_{1,1}9, gadget dimension N=i=1mfiN=\prod_{i=1}^{m} f_i00, discrete Gaussian parameter N=i=1mfiN=\prod_{i=1}^{m} f_i01, slot count N=i=1mfiN=\prod_{i=1}^{m} f_i02, and N=i=1mfiN=\prod_{i=1}^{m} f_i03 with coefficients drawn from N=i=1mfiN=\prod_{i=1}^{m} f_i04; gadget decomposition follows the RNS-friendly approach by Bajard et al., and the released implementation uses C++, NTL 10.4.0, GMP 6.2.1, and PyTorch 1.11.0. For a single AlexNet iteration, client-side runtime is 4.64 s for SMHE and 2.72 s for CDKS, while server-side runtime is 38.22 s and 31.23 s respectively. Communication per iteration is 16.00 MB versus 7.00 MB on FCN and 139.50 MB versus 76.50 MB on AlexNet for SMHE and CDKS, whereas MKGSW reaches 33.39 GB and 381.47 GB. With 10 clients, FCN reports accuracy about 97.9% across schemes, with SMHE at 6.22 h and 41.40 GB; AlexNet reports accuracy about 74%, with SMHE at 232.49 h and 1397.31 GB. The paper summarizes this as less than a N=i=1mfiN=\prod_{i=1}^{m} f_i05 runtime and communication overhead relative to CDKS/THE while eliminating the identified leakage (Wu et al., 25 Jun 2025).

6. Boundaries, limitations, and unresolved questions

Several limitations recur across the KHE literature. The SMHE security proof is only for the semi-honest model; the paper states that extending to malicious adversaries would require verifiable computation such as zero-knowledge proofs or IOPs, and it also notes that the CKKS scaling/rescaling interplay with masking is not elaborated beyond approximate correctness (Wu et al., 25 Jun 2025). The hybrid threshold/MKHE construction assumes a relatively static model-owner group, incurs N=i=1mfiN=\prod_{i=1}^{m} f_i06 decryption interactions, does not include share verification or zero-knowledge proofs, and leaves concrete parameterization and tight noise bounds to future work (Aloufi et al., 2019).

The symmetric-key constructions have different but equally substantive constraints. The matrix FHE does not claim CCA2 security, describes IND-CPA security only against up to N=i=1mfiN=\prod_{i=1}^{m} f_i07 chosen pairs, and explicitly distinguishes itself from targeted-malleability KHE and key-homomorphic PRFs, which it does not realize (Sharma, 2013). The multivariate-polynomial construction is only somewhat homomorphic, supports bit messages, requires stronger orthogonality conditions such as N=i=1mfiN=\prod_{i=1}^{m} f_i08 for multiplication, and would need progressively larger spaces for deeper multiplicative circuits; bootstrapping is not provided (Dowerah et al., 2019).

These limitations also mark the conceptual boundaries of KHE. In symmetric-key KHE, keyedness chiefly governs who may encrypt and decrypt, while evaluation remains keyless. In MKHE, keyedness becomes part of the ciphertext state itself, because evaluation must preserve the association with a set of keys. The current literature therefore supports two complementary readings: KHE as secret-key-controlled homomorphic delegation, and KHE as homomorphic computation across heterogeneous key domains. The cited constructions show that both readings are active, technically non-equivalent, and relevant to cloud computation, collaborative ML, and privacy-preserving federated learning.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Keyed-Homomorphic Encryption (KHE).