Inferensys

Glossary

Fully Homomorphic Encryption (FHE)

A cryptographic scheme that enables arbitrary computation directly on encrypted data, producing an encrypted result that decrypts to the same output as if the operations were performed on the plaintext.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
CRYPTOGRAPHIC PRIMITIVE

What is Fully Homomorphic Encryption (FHE)?

Fully Homomorphic Encryption (FHE) is a cryptographic scheme that enables arbitrary computation directly on encrypted data, producing an encrypted result that decrypts to the same output as if the operations were performed on the plaintext.

Fully Homomorphic Encryption (FHE) is a cryptographic primitive that allows the evaluation of arbitrary circuits—both additions and multiplications—on ciphertexts. Unlike Partially Homomorphic Encryption (PHE) or Somewhat Homomorphic Encryption (SWHE), FHE supports unlimited depth computation without decrypting the data, typically achieved through a bootstrapping procedure that refreshes the ciphertext's noise budget.

Modern FHE schemes, such as CKKS, BFV, and TFHE, are constructed on lattice-based cryptography and the hardness of the Ring Learning With Errors (RLWE) problem. This provides IND-CPA security and post-quantum resistance. In machine learning, FHE enables encrypted inference, where a server evaluates a model on a client's encrypted input and returns an encrypted prediction, ensuring the server never sees the raw query.

CRYPTOGRAPHIC PRIMITIVES

Key Properties of FHE

Fully Homomorphic Encryption enables arbitrary computation on encrypted data. These core properties define its security model, operational constraints, and practical applicability in privacy-preserving machine learning.

01

IND-CPA Security

The foundational semantic security guarantee for FHE schemes. Indistinguishability under Chosen-Plaintext Attack ensures that an adversary cannot distinguish between encryptions of two different plaintexts, even when allowed to encrypt arbitrary messages of their choosing.

  • Relies on probabilistic encryption: the same plaintext encrypts to different ciphertexts each time
  • Guarantees that ciphertexts reveal no partial information about the underlying data
  • Achieved by injecting fresh randomness during encryption
  • Forms the baseline requirement for any homomorphic encryption scheme used in production
02

Noise Budget Management

Every FHE ciphertext contains a finite amount of cryptographic noise that grows with each homomorphic operation. When noise exceeds a critical threshold, decryption fails and produces garbage output.

  • Addition increases noise additively (relatively cheap)
  • Multiplication increases noise multiplicatively (rapid growth)
  • The noise budget dictates the multiplicative depth of a computable circuit
  • Exceeding the budget requires bootstrapping to refresh the ciphertext
03

Ciphertext Expansion

The ratio of encrypted data size to original plaintext size. FHE ciphertexts are substantially larger than their plaintext counterparts, creating significant storage and bandwidth overhead.

  • Typical expansion factors range from 100x to 10,000x depending on scheme and parameters
  • A single encrypted 64-bit integer may occupy several kilobytes
  • Relinearization prevents quadratic growth after multiplication
  • SIMD packing amortizes this overhead by encoding thousands of values in one ciphertext
04

Post-Quantum Security

FHE schemes are built on lattice-based cryptography, which is believed to resist attacks from both classical and large-scale quantum computers. This contrasts with traditional public-key cryptosystems like RSA and ECC.

  • Security rests on the hardness of Ring Learning With Errors (RLWE) and related lattice problems
  • No known quantum algorithm efficiently solves these lattice problems
  • NIST's post-quantum standardization process has validated lattice-based approaches
  • Provides long-term data confidentiality even against future quantum adversaries
05

Circuit Privacy

A stronger security property ensuring that the evaluated function itself remains hidden from the party performing the computation. Without circuit privacy, the server learns the structure of the model being evaluated.

  • Protects proprietary model architectures during encrypted inference
  • Achieved by adding noise to the output ciphertext after evaluation
  • Prevents the server from inferring which polynomial approximation was used
  • Critical for model marketplace scenarios where the model is a trade secret
06

Programmable Bootstrapping

An advanced technique in the TFHE scheme that simultaneously refreshes noise and evaluates an arbitrary function via lookup table. This transforms bootstrapping from a pure noise-management operation into a computational primitive.

  • Evaluates any univariate function in a single step during noise refresh
  • Enables efficient non-linear activations (ReLU, sigmoid) in encrypted neural networks
  • Operates via blind rotation of encrypted values
  • Eliminates the need for separate polynomial approximation of activation functions
FHE CLARIFIED

Frequently Asked Questions

Clear, technically precise answers to the most common questions about Fully Homomorphic Encryption, its mechanisms, and its role in privacy-preserving machine learning.

Fully Homomorphic Encryption (FHE) is a cryptographic scheme that enables arbitrary computation directly on encrypted data, producing an encrypted result that, when decrypted, matches the output as if the operations were performed on the original plaintext. It works by constructing a homomorphic evaluation function Eval that takes a public evaluation key, a function f, and a set of ciphertexts c₁...cₙ such that Decrypt(sk, Eval(ek, f, c₁...cₙ)) = f(m₁...mₙ). Modern FHE schemes, such as CKKS, BFV, and TFHE, are built on lattice-based cryptography, specifically the hardness of the Ring Learning With Errors (RLWE) problem. Each ciphertext contains a small amount of random noise that grows with every homomorphic operation—primarily multiplication. To enable unlimited computation, FHE relies on bootstrapping, a procedure that homomorphically evaluates the decryption circuit to reset the noise budget, allowing an unbounded number of operations without corrupting the ciphertext.

PRIVACY-PRESERVING COMPUTATION

Applications of FHE in Machine Learning

Fully Homomorphic Encryption enables machine learning models to perform inference and training directly on encrypted data, ensuring that sensitive inputs remain confidential even from the service provider processing them.

01

Encrypted Inference as a Service

A client encrypts their sensitive query (e.g., a medical image or financial record) and sends it to a cloud-hosted model. The server performs the forward pass using only homomorphic addition and multiplication on the ciphertext, returning an encrypted prediction that only the client can decrypt. The server never sees the raw input.

  • Use Case: A hospital queries a proprietary diagnostic model without exposing patient scans to the model owner.
  • Key Requirement: The model's non-linear activation functions must be replaced with polynomial approximations compatible with FHE arithmetic.
02

Privacy-Preserving Model Training

FHE allows a data owner to contribute encrypted records to a centralized training process. The model owner performs gradient descent directly on the encrypted data, updating model weights without ever accessing the underlying plaintext. This is distinct from federated learning, as the raw data remains encrypted during the entire computation, not just during transmission.

  • Challenge: Training on encrypted data is computationally intensive due to the noise budget management required for deep circuits.
  • Advantage: Provides a provable privacy guarantee under the IND-CPA security standard, stronger than differential privacy alone.
03

Secure Multi-Party Analytics

Multiple institutions can jointly compute aggregate statistics or train a model on their combined encrypted datasets without revealing individual records to each other. FHE enables this by allowing a central compute node to perform operations on ciphertexts from all parties, producing an encrypted result that requires a threshold of parties to decrypt.

  • Example: A consortium of banks computes an encrypted fraud detection model across their combined transaction histories.
  • Enabling Technology: Multi-Party FHE distributes the decryption key, preventing any single entity from unilaterally accessing the final output.
04

Private Information Retrieval for ML

A client can query a database or a model's embedding lookup table without revealing which record or token they are requesting. FHE enables the server to perform a homomorphic equality check across the entire encrypted index, returning only the encrypted result corresponding to the client's secret query.

  • Application: A user queries a language model's embedding layer for a specific token without the server learning which token was requested.
  • Mechanism: The query is encoded as an encrypted one-hot vector, and the lookup is computed as a homomorphic dot product over the entire table.
05

Encrypted Neural Network Evaluation with CKKS

The CKKS scheme is the dominant FHE scheme for machine learning because it natively supports approximate fixed-point arithmetic on real numbers. This aligns with the inherent noise tolerance of neural networks. CKKS enables efficient SIMD packing, where multiple data samples are batched into a single ciphertext for parallel homomorphic evaluation.

  • Operation: After each homomorphic multiplication, rescaling is performed to maintain a stable scale and manage noise, analogous to truncating floating-point precision.
  • Optimization: A transpiler automatically converts a high-level neural network definition into an optimized CKKS circuit, abstracting away cryptographic complexity.
06

Programmable Bootstrapping for Arbitrary Functions

The TFHE scheme introduces programmable bootstrapping, which simultaneously refreshes a ciphertext's noise budget and evaluates a lookup table function. This allows the homomorphic evaluation of arbitrary non-linear functions, such as ReLU or sigmoid, in a single step without polynomial approximation.

  • Mechanism: A blind rotation operation evaluates an encrypted lookup table on the ciphertext, outputting the result with a reset noise budget.
  • Trade-off: TFHE operates on individual bits or small integers, making it ideal for decision trees and quantized models but less efficient for large tensor operations compared to CKKS.
SCHEME COMPARISON

FHE vs. Other Homomorphic Encryption Schemes

A comparison of computational capabilities, supported operations, and practical limitations across the three primary classes of homomorphic encryption.

FeaturePartially Homomorphic (PHE)Somewhat Homomorphic (SWHE)Fully Homomorphic (FHE)

Supported Operations

Single type: addition OR multiplication

Both addition AND multiplication

Both addition AND multiplication

Circuit Depth

Unlimited for single operation

Limited by noise budget

Unlimited (via bootstrapping)

Arbitrary Computation

Bootstrapping Required

Typical Ciphertext Size

2-4 KB

10-100 KB

100 KB - 1 MB

Relative Performance

Fastest (1x overhead)

Moderate (100-1000x overhead)

Slowest (1000-1,000,000x overhead)

Common Use Case

Encrypted aggregation, private voting

Fixed-depth ML inference

Arbitrary encrypted computation

Example Scheme

Paillier, ElGamal

BGV (without bootstrapping)

CKKS, TFHE, BFV (with bootstrapping)

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.