Keyed-Homomorphic Encryption Overview
- Keyed-Homomorphic Encryption (KHE) is a family of cryptographic schemes that explicitly tracks encryption keys, enabling evaluation over ciphertexts from different key domains.
- Symmetric-key KHE schemes perform homomorphic operations without revealing the secret key, using methods such as matrix or polynomial constructions for exact or approximated arithmetic.
- Multi-key and threshold-assisted KHE designs support collaborative computations in applications like federated learning by merging distinct encryption domains while managing masking and joint decryption.
Keyed-Homomorphic Encryption (KHE) denotes homomorphic cryptosystems that explicitly keep track of encryption keys and support evaluation over ciphertexts tied to different keys or identities (Wu et al., 25 Jun 2025). In symmetric-key settings, the same term is used for schemes in which encryption and decryption are controlled by a symmetric secret key, while homomorphic evaluation is performed on ciphertexts without revealing that key (Sharma, 2013, Dowerah et al., 2019). In the BFV/CKKS literature on secure aggregation, KHE is treated as synonymous in spirit with Multi-Key Homomorphic Encryption (MKHE): evaluators compute over ciphertexts encrypted under distinct keys without a single shared secret, whereas threshold HE uses a single public key and shares the secret key among parties (Wu et al., 25 Jun 2025, Aloufi et al., 2019).
1. Terminological scope and conceptual variants
Across these works, KHE is not a single standardized construction but a family of keyed homomorphic paradigms. One line of work uses KHE as an umbrella notion for key-aware homomorphic evaluation across different identities or public keys; in that formulation, “multi-identity” and “multi-key” HE are concrete realizations, and the key set referenced by a ciphertext is part of the semantics of evaluation (Wu et al., 25 Jun 2025). A second line uses KHE for symmetric-key homomorphic encryption, where a single secret key governs encryption and decryption, while evaluators operate directly on ciphertexts and do not hold that secret key (Sharma, 2013, Dowerah et al., 2019).
This terminological split is substantive rather than merely stylistic. In symmetric-key KHE, all ciphertexts are under one secret key, and key awareness concerns access control and delegation. In MKHE, ciphertexts may originate under distinct keys, and the central technical problem is how to evaluate across heterogeneous key domains while preserving joint decryptability. A common source of ambiguity is therefore the assumption that KHE must be public-key and cross-key; the cited literature shows that it also includes single-key symmetric constructions.
A further conceptual boundary is with threshold HE. In the MKHE-centered account, threshold HE uses one public key and a shared secret, so it avoids heterogeneous-key extension but requires threshold setup and a comparatively static participant set. MKHE instead preserves distinct keys and supports evaluation over their union, at the price of more elaborate expansion, relinearization, and distributed decryption mechanisms (Wu et al., 25 Jun 2025, Aloufi et al., 2019).
2. Symmetric-key keyed homomorphism
The symmetric matrix-based fully homomorphic construction in "Fully Homomorphic Encryption Scheme with Symmetric Keys" fixes ciphertext space in , where and each . The secret key is an invertible matrix with inverse . Encryption samples , builds a diagonal matrix via CRT-defined auxiliary entries, and outputs ; decryption computes and returns . Evaluation requires neither the secret key nor a separate evaluation key: homomorphic addition is matrix addition modulo 0, and homomorphic multiplication is matrix multiplication modulo 1. Because conjugation by 2 is exact modulo 3, the scheme defines 4 for ciphertexts produced by 5 and 6, so the construction is multi-hop, requires no bootstrapping, and supports arithmetic circuits of unbounded depth modulo 7 (Sharma, 2013).
That matrix scheme is explicitly symmetric rather than public-key. Its security discussion reduces confidentiality to the hardness of factoring 8, states one-wayness and IND-KPA/IND-CPA goals, and does not claim CCA2 security. It also introduces operational primitives 9, 0, and 1, which composes several matrices 2 into a master key 3. These primitives are used to organize a cloud workflow with separate roles for Data Owner, Delegator, Computation Center, Mapping Division, and Data User, while keeping evaluators keyless (Sharma, 2013).
The multivariate-polynomial construction in "A Somewhat Homomorphic Encryption Scheme based on Multivariate Polynomial Evaluation" is also symmetric-key, but its algebraic organization is different. The secret key includes an ideal 4, evaluation points 5, a scaling factor 6, and a vector 7. Ciphertexts lie in 8 and take the form
9
where 0 and 1. Decryption computes
2
Evaluation is again keyless: addition is 3, and multiplication is 4, where 5 is the Hadamard product. The scheme is only somewhat homomorphic, because noise grows under evaluation. After 6 additions, the inner-product noise standard deviation scales as 7, while multiplication introduces the bound 8 (Dowerah et al., 2019).
These two symmetric-key KHE lines occupy opposite ends of the exactness spectrum. The matrix scheme performs exact modular arithmetic with no noise growth, whereas the polynomial scheme behaves like a conventional leveled SHE system: correctness depends on keeping the extracted noise below the decision threshold, and multiplicative depth is structurally limited (Sharma, 2013, Dowerah et al., 2019).
3. Multi-key evaluation and threshold-assisted reconciliation
A formal MKHE syntax used in the BFV/CKKS setting comprises 9, 0, 1, 2, 3, 4, 5, and 6. A fresh ciphertext under one public key is first expanded into a unified representation referencing a set of keys; evaluation then runs over the expanded ciphertexts and produces an output tied to the union of the participating key sets; decryption can be single-shot or distributed through partial decryptions 7 followed by a merge step. Correctness is exact for exact schemes and approximate for CKKS (Wu et al., 25 Jun 2025).
"Collaborative Homomorphic Computation on Data Encrypted under Multiple Keys" realizes this cross-key KHE functionality by combining threshold HE and MKHE. A fixed set of model owners first aggregates their keys into one joint key 8 through threshold setup, while each dynamic client retains its own key 9. At evaluation time, ciphertexts are extended only to the two-key set 0 rather than to 1 separate keys. In the paper’s terminology, this reduces the extended ciphertext “dimension” from 2 to 3, equivalently reducing extended ciphertext length from 4 to 5 (Aloufi et al., 2019).
The mechanism is built from leveled MKBGV and RGSW. Fresh BGV ciphertexts are standard two-component RLWE encryptions; extension places those components into the slots corresponding to the active keys; multiplication uses a tensor product followed by 6 and 7. Decryption is collaborative. Each model owner returns a blinded partial
8
the evaluator aggregates 9, and the client completes decryption via
0
The evaluator is semi-honest, the model-owner side is fixed, and the approach removes per-client joint-key setup while preserving collaborative decryption (Aloufi et al., 2019).
This hybrid construction clarifies one important meaning of KHE in collaborative machine learning: key awareness need not imply that every key remains separate throughout the whole protocol. A threshold-aggregated domain can serve as one side of the computation, with MKHE used only to bridge to another party’s key at runtime.
4. Secure MKHE for privacy-preserving federated learning
The CDKS family of multi-key BFV/CKKS schemes extends MKHE with asymptotically optimal multi-key packed HE and faster multi-key operations via homomorphic gadget decomposition, but its use in multiparty secure computation creates a specific leakage channel. In the privacy-preserving federated learning setting analyzed in "Secure Multi-Key Homomorphic Encryption with Application to Privacy-Preserving Federated Learning", the server expands each client ciphertext 1 into a common key-indexed form, homomorphically adds them to obtain
2
and then receives distributed partial decryptions 3. Because 4 is public in the expanded ciphertext and 5 is shared for merge, anyone observing both can compute 6. The paper identifies this as a critical security vulnerability for PPFL and proposes SMHE, which retains the CDKS multi-key structure but introduces a masking layer tailored to BFV/CKKS (Wu et al., 25 Jun 2025).
SMHE attaches to each encrypted message a masking tuple 7. Here 8 is an encryption of 9 under a random mask 0, and 1 is a gadget encryption of 2. Given two public keys 3 and 4, the evaluator computes a correction ciphertext
5
so that the masking equations satisfy
6
and
7
The multi-party operator 8 compresses multiple pairwise extensions by using 9, and masked addition inserts the balancing terms into the expanded ciphertext so that only the final joint decryption cancels them. Multiplication and relinearization are unchanged from CDKS.
In the PPFL workflow, the server publishes 0, each client runs 1, performs local training to obtain a gradient 2, encodes it as 3, and sends 4 to the server. The server expands the ciphertexts under the selected client set 5, iteratively applies 6 with masking material, receives partial decryptions 7, reconstructs
8
decodes the aggregate gradient 9, and updates
0
The privacy claim is that every individual term 1 is entangled with masks derived from other parties’ public keys, and de-masking occurs only in the collective sum (Wu et al., 25 Jun 2025).
5. Security foundations, correctness regimes, and computational behavior
The cited KHE constructions rest on three distinct hardness bases. The BFV/CKKS and BGV-based multi-key systems are formulated over cyclotomic rings such as 2 and 3, and rely on RLWE-based indistinguishability; the SMHE paper further states a simulation-based semi-honest security condition in which there exists a PPT simulator 4 such that 5 (Wu et al., 25 Jun 2025). The hybrid threshold/MKHE system inherits RLWE and RGSW security and assumes a semi-honest evaluator plus blinded threshold-style partial decryptions (Aloufi et al., 2019). By contrast, the matrix symmetric FHE reduces security to factoring 6 and emphasizes one-wayness and IND-KPA/IND-CPA rather than lattice assumptions (Sharma, 2013). The multivariate-polynomial SHE reduces IND-CPA security to the Hidden Subspace Membership problem, and states an HSM-to-LWE equivalence when the noise is confined to the last coordinate (Dowerah et al., 2019).
Correctness also differs sharply across families. The matrix symmetric FHE is exact and explicitly sets 7, so there is no noise accumulation. The multivariate-polynomial scheme is exact only while the extracted inner-product noise remains below the rounding threshold. BFV-style MKHE is exact modulo the plaintext modulus, whereas CKKS-style MKHE is approximate and phrases correctness as 8 (Sharma, 2013, Dowerah et al., 2019, Wu et al., 25 Jun 2025).
The most detailed implementation data appear in the SMHE study. Its PPFL implementation targets approximately 128-bit RLWE security with 9, gadget dimension 00, discrete Gaussian parameter 01, slot count 02, and 03 with coefficients drawn from 04; gadget decomposition follows the RNS-friendly approach by Bajard et al., and the released implementation uses C++, NTL 10.4.0, GMP 6.2.1, and PyTorch 1.11.0. For a single AlexNet iteration, client-side runtime is 4.64 s for SMHE and 2.72 s for CDKS, while server-side runtime is 38.22 s and 31.23 s respectively. Communication per iteration is 16.00 MB versus 7.00 MB on FCN and 139.50 MB versus 76.50 MB on AlexNet for SMHE and CDKS, whereas MKGSW reaches 33.39 GB and 381.47 GB. With 10 clients, FCN reports accuracy about 97.9% across schemes, with SMHE at 6.22 h and 41.40 GB; AlexNet reports accuracy about 74%, with SMHE at 232.49 h and 1397.31 GB. The paper summarizes this as less than a 05 runtime and communication overhead relative to CDKS/THE while eliminating the identified leakage (Wu et al., 25 Jun 2025).
6. Boundaries, limitations, and unresolved questions
Several limitations recur across the KHE literature. The SMHE security proof is only for the semi-honest model; the paper states that extending to malicious adversaries would require verifiable computation such as zero-knowledge proofs or IOPs, and it also notes that the CKKS scaling/rescaling interplay with masking is not elaborated beyond approximate correctness (Wu et al., 25 Jun 2025). The hybrid threshold/MKHE construction assumes a relatively static model-owner group, incurs 06 decryption interactions, does not include share verification or zero-knowledge proofs, and leaves concrete parameterization and tight noise bounds to future work (Aloufi et al., 2019).
The symmetric-key constructions have different but equally substantive constraints. The matrix FHE does not claim CCA2 security, describes IND-CPA security only against up to 07 chosen pairs, and explicitly distinguishes itself from targeted-malleability KHE and key-homomorphic PRFs, which it does not realize (Sharma, 2013). The multivariate-polynomial construction is only somewhat homomorphic, supports bit messages, requires stronger orthogonality conditions such as 08 for multiplication, and would need progressively larger spaces for deeper multiplicative circuits; bootstrapping is not provided (Dowerah et al., 2019).
These limitations also mark the conceptual boundaries of KHE. In symmetric-key KHE, keyedness chiefly governs who may encrypt and decrypt, while evaluation remains keyless. In MKHE, keyedness becomes part of the ciphertext state itself, because evaluation must preserve the association with a set of keys. The current literature therefore supports two complementary readings: KHE as secret-key-controlled homomorphic delegation, and KHE as homomorphic computation across heterogeneous key domains. The cited constructions show that both readings are active, technically non-equivalent, and relevant to cloud computation, collaborative ML, and privacy-preserving federated learning.