Cointime


Zero to Start: Applied Fully Homomorphic Encryption (FHE) Part 1

Part 1: An Introduction to FHE, ZKPs & MPC, and The State of FHE Development Today

This post was written by 0xZoey. Special thanks to Janmajaya, Enrico, and Owen, who generously gave their time and expertise to review this piece. Your valuable contributions and feedback have greatly enhanced the quality and depth of this work.

Find Part 2: Fundamental Concepts, FHE Development, Applied FHE, Challenges and Open Problems here…

What is FHE?

Present privacy technology ensures secure communication and storage, encrypting our emails during transit and safeguarding databases in storage. However, accessing data for processing requires the data to be first decrypted. What if secure processing could occur without compromising data privacy?

FHE allows computation over encrypted data

Fully Homomorphic Encryption (FHE) is a technology that allows computation over encrypted data, where only the owner of the key can decrypt the result of the computation.

This article focuses on the current state of FHE, fundamental concepts, applied FHE, and design challenges ahead. It is meant to help users understand the thought framework around applied FHE without requiring the reader to understand complex math or cryptography.

The idea for FHE was first proposed in 1978 by Rivest, Adleman, and Dertouzos (the "R" and "A" of RSA). FHE is an extension of public key cryptography; the encryption is "homomorphic" because, for every operation performed on unencrypted data (plaintext), there is a corresponding operation on the encrypted data (ciphertext) that yields the encryption of the same result.

Homomorphic Encryption

FHE shares fundamental components with traditional cryptography like encryption, decryption, and key generation. In addition to this, it uniquely enables arithmetic operations such as addition and multiplication on ciphertexts.

There are generally four categories of homomorphic encryption:

  1. Partially homomorphic: supports only one type of operation (addition or multiplication). RSA is an example of partially homomorphic encryption: it supports multiplication but not addition.
  2. Somewhat homomorphic: a limited number of one operation but an unlimited number of the other, for example a limited number of multiplications but unlimited additions.
  3. Leveled homomorphic: a limited number of operations for both addition and multiplication.
  4. Fully homomorphic: unlimited operations for both addition and multiplication (and others).
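To make the first category concrete, here is an added example that is not part of the original article or of any project it mentions: textbook RSA, which the article names as homomorphic for multiplication only, next to Paillier (not mentioned in the article, added here as the standard additive counterpart). Both use constructed toy primes 61 and 53, which are far too small for real use; the point is to see the ciphertext operation that corresponds to each plaintext operation, and to see that RSA has no ciphertext operation for addition.

```python
"""Partially homomorphic encryption in miniature (constructed example)."""
from math import gcd
import random

# --- textbook RSA: homomorphic for multiplication only ---------------------
P, Q = 61, 53                    # constructed toy primes (never use sizes like this)
N = P * Q                        # 3233
PHI = (P - 1) * (Q - 1)          # 3120
E = 17                           # public exponent
D = pow(E, -1, PHI)              # private exponent, 2753 (needs Python 3.8+)


def rsa_encrypt(m):
    return pow(m, E, N)


def rsa_decrypt(c):
    return pow(c, D, N)


def rsa_mul(c1, c2):
    """Enc(m1) * Enc(m2) = m1^E * m2^E = (m1*m2)^E (mod N) = Enc(m1*m2)."""
    return (c1 * c2) % N


# --- Paillier: homomorphic for addition only -------------------------------
N2 = N * N
G = N + 1                                        # standard generator choice
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)     # lcm(p-1, q-1)


def _L(x):
    return (x - 1) // N


MU = pow(_L(pow(G, LAM, N2)), -1, N)             # decryption constant


def paillier_encrypt(m, rng=random):
    while True:                                  # random r in Z_N^*
        r = rng.randrange(1, N)
        if gcd(r, N) == 1:
            break
    return (pow(G, m, N2) * pow(r, N, N2)) % N2


def paillier_decrypt(c):
    return (_L(pow(c, LAM, N2)) * MU) % N


def paillier_add(c1, c2):
    """Enc(m1) * Enc(m2) = g^(m1+m2) * (r1*r2)^N (mod N^2) = Enc(m1+m2)."""
    return (c1 * c2) % N2


def paillier_scale(c, k):
    """Enc(m)^k = Enc(k*m): multiplication by a known plaintext constant."""
    return pow(c, k, N2)


def demo():
    """Run each homomorphic operation on the constructed inputs 12 and 7."""
    a, b = 12, 7
    return {
        "rsa_product": rsa_decrypt(rsa_mul(rsa_encrypt(a), rsa_encrypt(b))),        # 84
        # Adding two RSA ciphertexts is not an encryption of the plaintext sum:
        # Enc(1) + Enc(1) = 2, and 2^D mod N is not 2.
        "rsa_sum_decrypts_to_2": rsa_decrypt((rsa_encrypt(1) + rsa_encrypt(1)) % N) == 2,  # False
        "paillier_sum": paillier_decrypt(paillier_add(paillier_encrypt(a), paillier_encrypt(b))),  # 19
        "paillier_scaled": paillier_decrypt(paillier_scale(paillier_encrypt(a), 5)),              # 60
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Paillier encryption is randomized (a fresh `r` each time), so two encryptions of the same value look unrelated, yet their product still decrypts to the sum; arithmetic happens modulo N, so sums that exceed N wrap around, which is the same effect the article later describes for bounded encrypted integer widths in the fhEVM.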

In the past, the difficulty in achieving FHE was due to the "noise" that accumulates with every operation performed on a ciphertext. Once the noise grows past a threshold, decryption no longer recovers the correct value. Craig Gentry proposed the first FHE scheme in 2009, solving this problem with a technique called bootstrapping: the scheme's own decryption circuit is evaluated homomorphically on a ciphertext, yielding a fresh ciphertext of the same value with the noise reduced to a manageable level, so that the process can be repeated indefinitely.
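The noise budget described above can be watched directly in a toy scheme. The following is an added illustration, not code from the article or from any real library: a secret-key LWE-style cipher for single bits in the spirit of the lattice schemes the article refers to, with parameters (modulus 256, noise bound 4) chosen deliberately small so that the budget is exhausted after a handful of homomorphic additions. Adding ciphertexts XORs the bits and adds the noise; once the accumulated noise reaches a quarter of the modulus, decryption rounds to the wrong bit. Bootstrapping is what would reset the noise; it is not implemented here.

```python
"""Noise growth in a toy LWE-style homomorphic bit cipher (constructed example)."""
import random

Q = 256             # ciphertext modulus
DIM = 8             # length of the secret vector
NOISE_BOUND = 4     # a fresh ciphertext carries noise e with |e| <= NOISE_BOUND
DELTA = Q // 2      # a bit m is encoded as m * DELTA: 0 -> 0, 1 -> 128
THRESHOLD = Q // 4  # decryption is correct while |accumulated noise| < THRESHOLD


def keygen(rng=random):
    """Secret key: a random vector over Z_Q."""
    return [rng.randrange(Q) for _ in range(DIM)]


def _dot(a, sk):
    return sum(x * y for x, y in zip(a, sk)) % Q


def encrypt(sk, m, rng=random, e=None):
    """Ciphertext (a, b) with b = <a, sk> + e + m*DELTA (mod Q).

    `e` is drawn from [-NOISE_BOUND, NOISE_BOUND] unless forced; the budget
    demo below forces it so that the growth is reproducible."""
    assert m in (0, 1)
    a = [rng.randrange(Q) for _ in range(DIM)]
    if e is None:
        e = rng.randint(-NOISE_BOUND, NOISE_BOUND)
    b = (_dot(a, sk) + e + m * DELTA) % Q
    return (a, b)


def add(ct1, ct2):
    """Homomorphic XOR: adding ciphertexts adds the bits mod 2 and adds the noise."""
    a1, b1 = ct1
    a2, b2 = ct2
    return ([(x + y) % Q for x, y in zip(a1, a2)], (b1 + b2) % Q)


def _phase(sk, ct):
    a, b = ct
    return (b - _dot(a, sk)) % Q        # = e + m*DELTA (mod Q)


def decrypt(sk, ct):
    """Round the phase to the nearest encoded bit."""
    return 1 if THRESHOLD <= _phase(sk, ct) < Q - THRESHOLD else 0


def noise(sk, ct, m):
    """Signed noise of a ciphertext known to encrypt m (only computable with the key)."""
    v = (_phase(sk, ct) - m * DELTA) % Q
    return v - Q if v >= Q // 2 else v


def sum_of_zeros(sk, count, rng=random):
    """Add `count` fresh encryptions of 0, each carrying worst-case noise +NOISE_BOUND."""
    acc = encrypt(sk, 0, rng, e=NOISE_BOUND)
    for _ in range(count - 1):
        acc = add(acc, encrypt(sk, 0, rng, e=NOISE_BOUND))
    return acc


def additions_until_failure(sk, rng=random, limit=100):
    """Smallest number of worst-case ciphertexts whose sum no longer decrypts to 0
    (None if `limit` is reached first)."""
    for count in range(1, limit + 1):
        if decrypt(sk, sum_of_zeros(sk, count, rng)) != 0:
            return count
    return None


if __name__ == "__main__":
    rng = random.Random(2024)   # seeded so the run is reproducible
    sk = keygen(rng)
    c = add(encrypt(sk, 1, rng), encrypt(sk, 1, rng))
    print("1 XOR 1 =", decrypt(sk, c), "with accumulated noise", noise(sk, c, 0))
    k = additions_until_failure(sk, rng)
    print(f"a worst-case sum of {k} ciphertexts decrypts wrongly: "
          f"{k} * {NOISE_BOUND} reaches the threshold {THRESHOLD}")
```

With these parameters a single fresh ciphertext uses at most 4 of the 64 units of budget, two additions stay well inside it, and the sixteenth worst-case addition tips the phase over the rounding boundary. Real schemes pick the modulus and noise distribution so that a useful circuit depth fits before bootstrapping is needed, which is exactly the leveled-versus-fully homomorphic distinction in the list above.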

Why is FHE important?

Fully Homomorphic Encryption (FHE) signifies a groundbreaking shift in privacy, enabling data-centric systems to preserve privacy inherently, with minimal data exposure. Because FHE is built on lattice-based cryptography, it also has the notable advantage of being post-quantum resistant, offering robust security against potential future threats from quantum computing.

Some general FHE use cases include:

  • Private inference & training: FHE could be used to protect the privacy of both the model and the data (likely 3-5 years away).
  • Encrypted searches: query an encrypted file and only see the result of your specific query without the entire contents of the database revealed, also known as Private Information Retrieval (PIR).
  • Policy Compliance & Identity Management: Secure identity management by enabling the processing of identity-related data without exposure, allowing organizations to comply with regulators' KYC policies.

General FHE Use Cases

Fully Homomorphic Encryption (FHE) holds immense significance in blockchain technology because it can perform encrypted data computations within a trustless environment. We won't dive into the importance of privacy on the blockchain and how off-chain ZKPs are not the complete solution, but Wei Dai's article Navigating Privacy on Public Blockchains is a great primer.

Here are some theoretical blockchain use cases that FHE could facilitate:

  • Private Transactions: the processing of confidential transactions by smart contracts, allowing private transactions in dark pools, AMMs, blind auctions, and voting.
  • MEV (Maximal Extractable Value) Mitigation: FHE could potentially allow proposing blocks and ordering transactions while ensuring pre-execution, failed-execution, and post-execution privacy, offering a potential solution to prevent front-running.
  • Scaling: leveraging FHE Rollups presents a scalable approach to executing private smart contracts while deriving the security of state transitions from Ethereum.
  • Private Blockchains: encrypted chain states that are programmatically decrypted via consensus using Threshold FHE.

FHE: Blockchain Use Cases

The applied use cases for FHE are far-reaching, but there are non-trivial technical challenges to overcome, and many use cases are still being explored today. At its core, FHE ensures secure data processing, which, combined with other cryptographic primitives, can be incredibly powerful. In our exploration of Applied FHE, we dive deeper into real-world applications and use cases.

ZKP, MPC, & FHE

The terms ZKPs, MPC, and FHE have often been misused and interchanged and have been the source of much confusion. The post, Beyond Zero-Knowledge: What's Next in Programmable Cryptography? provides a succinct overview and comparisons of Zero-Knowledge Proofs (ZKPs), Multi-Party Computation (MPC), Fully Homomorphic Encryption (FHE) and Indistinguishability Obfuscation (iO). All fall under the broader umbrella of programmable cryptography.

To briefly summarize how the three concepts are connected:

Multi-Party Computation (MPC): MPC, described as a general function, is any setup in which mutually distrustful parties each provide inputs (kept private from the others) to collaboratively compute a public outcome. The term is also used for the technology itself, where randomized shares of each party's data are distributed across servers for computation.

MPC

To add to the confusion, it is also often used to describe MPC use cases, most notably Distributed Key Generation (DKG) and Threshold Signature Schemes (TSS).

Three leading technologies form the building blocks of MPC applications: Garbled Circuits (GC), Linear Secret Sharing Schemes (LSSS), and Fully Homomorphic Encryption (FHE). These can be used together or on their own.

MPC & ZKPs

Zero-Knowledge Proofs (ZKPs): A method that allows a single party (the prover) to prove to another party (the verifier) knowledge about a piece of data without revealing the data itself. Using both public and private inputs, ZKPs enable the prover to show the verifier that a statement is true or false without disclosing the private inputs.

ZKPs

In Web3 applications, integrating ZKPs alongside FHE is crucial for constructing private and secure systems. ZKPs are vital because they can be used to generate proofs that FHE ciphertexts were correctly constructed; otherwise, users could encrypt arbitrary, unverified gibberish and corrupt the entire FHE circuit evaluation.

Note the difference between ZKPs, FHE, and MPC: the input element of each primitive exposes private data differently.

  • In ZKPs, private data contained in the input is only visible to the prover
  • In MPC, private data contained in each input is only visible to the owner
  • In FHE, private data contained in the input is encrypted and is never revealed

While MPC is network bound, FHE and ZKPs are compute bound. The three primitives also differ regarding relative computation costs and interactiveness required between parties.

ZKPs, MPC, FHE, computation costs and interactiveness

In summary,

  • ZKPs focus on proving the truth of a statement without revealing the underlying data; it is useful for preserving private states for the prover.
  • MPC enables joint computation; it is useful when users want to keep their state private from others.
  • FHE allows computations on encrypted data without decryption; it is non-interactive and useful for preserving privacy throughout the entire computation process.

FHE is an extension of public key cryptography, not a replacement for ZKPs or MPC. Each can act as an individual building block and serve a distinct cryptographic purpose. An assessment needs to be made on where and which primitive should be applied within different applications.

The State of FHE Today

Early concepts of FHE developed in the 1970s-90s laid the theoretical groundwork for homomorphic encryption. However, the real breakthrough came with Gentry's FHE construction in 2009. That initial construction was far too slow to be applied in practice: performance at the time was close to 30 minutes per bit operation, and the scheme worked only in a single-key setting. Much of the research published since Gentry's paper has focused on performance improvements that address these issues through:

FHE is not possible on Ethereum today due to the size of ciphertexts and the cost of computation on-chain. It is estimated that, at the current rate of hardware acceleration, we may see applications in production by 2025.

Zama’s implementation of fhEVM is a fork of Ethereum; they have several tools available:

  • TFHE-rs: pure Rust implementation of TFHE for boolean and small integer arithmetic over encrypted data
  • fhEVM: Private smart contracts on the EVM using homomorphic encryption

There are some challenges with Zama's fhEVM approach that have yet to be addressed. Networks using Zama's fhEVM are limited to about 2 FHE transactions per second (tps). Compared to Ethereum's ~15 tps this is not far off; however, it will need to be greatly improved for many time-sensitive applications.

Additionally, operations on encrypted integers are far more expensive than the same operations on plaintext integers. For example, on an Amazon m6i.metal machine (one of Amazon's top machines, costing $2-4k per month to operate):

  • adding or subtracting two encrypted uint8 values takes around 70ms
  • adding plaintext uint8 values is essentially free and instant on any modern device

There are also limitations to the size of unsigned integers available in the fhEVM context. Encrypted uint32 values are the largest possible in the fhEVM, while uint256 values are the largest in the standard EVM and are used frequently by many protocols on Ethereum. Due to the cost of operating on encrypted values in the fhEVM, it is currently unreasonable to run validators at home, which makes this approach more suitable for networks with a smaller, more trusted validator set.

Sunscreen is another project actively working on FHE; they have a Rust-based FHE compiler using the BFV scheme with a playground. They’ve deployed a blind auction proof of concept on SepoliaETH.

Fhenix, a team working on a modular “FHE blockchain extension”, plans on launching their testnet in January 2024. They also recently released their whitepaper on FHE-Rollups.

In the last five years, significant advancements have been made to make FHE more usable. Shruthi Gorantala's framework for thinking about FHE development as a hierarchy of needs is particularly helpful. The performance improvements listed above address deficiency needs and are contained in Layers 1-3 within the FHE tech stack. For FHE to realize its full potential, we also need to address the growth needs listed in Layers 4-5.

FHE Hierarchy of Needs

A critical aspect of systems integration is figuring out how to combine FHE technology with other privacy-enhancing primitives like ZKPs and MPC in a way that suits each unique trust model and protocol.
