Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Privacy-Enhancing Cryptography PEC

Fully-Homomorphic Encryption (FHE)

Fully-Homomorphic Encryption (FHE) is a main tool of Privacy-Enhancing Cryptography (PEC), alongside with Multi-Party Computation (MPC), Zero-Knowledge Proofs (ZKP), Private-Set Intersection (PSI), and others. The NIST PEC project is accompanying FHE developments and initiatives toward future useful standards.

Informally speaking, FHE allows non-interactive evaluation of functions/operations over encrypted data. This can be used as a PEC tool in myriad scenarios where privacy by design is a requirement. Conceivable and real use-cases of FHE are possible in many sectors. Some examples:

  • Collaborative insights. FHE can enable privacy-preserving collaborative computations, e.g., for medical discoveries of societal benefit, for fraud detection (e.g., in the financial sector) while compliant with comprehensive privacy regulations.
  • Artificial Intelligence (AI). FHE can enable privacy-preserving development of AI models, including in a federated learning setting, and enable querying those models in a privacy-preserving manner. Privacy goals can relate to (i) the input data used to create the model, (ii) the actual generated model, and (iii) the queries and replies.
  • Web3. Decentralized applications (without a trusted party) supported on blockchain technology, e.g., for smart-contracts with encrypted data, and voting.
  • Cryptography. FHE can work alongside other PEC tools (e.g., MPC, ZKP and PSI), and other types of privacy-enhancing technologies (e.g., differential privacy), to achieve advanced privacy-enhancing goals.
  • Privacy for the people: FHE has the potential to be used for applications that support people's agency over their privacy. 

Note: This list is a work in progress. We intend to progressively refine the list to provide a more concrete and comprehensive set of examples. Suggestions and feedback are welcome.

The PEC project draws FHE context from various informative initiatives about FHE progress:

  1. HES meetings. NIST has attended various HomomorphicEncryption.Org Standardization (HES) meetings, including HES1 (Redmond, 2017), which led to a community proposal of HE security standard. The NIST-PEC team also participated with invited talks at the HES5 [slides] (Geneva, 2022), HES6 [slides] (South Korea, 2023) and HES7 [slides] (Salt Lake City, 2024) meetings.
  2. WPEC 2024. The 3-day NIST Workshop on Privacy-Enhancing Cryptography 2024 included (in its 2nd day, Sept 25) a session on PEC in Government and another session on FHE. The hosted talks included a brief tutorial on FHE, notes on FHE hardware performance, government use-cases in the health sector and financial sector, a use-case on encrypted inference, and notes about progress and consensus on security guidelines for implementing FHE.
  3. PEC-STPPA6. On 2023-July-25, the 6th event of the Special Topics on Privacy and Public Auditability (STPPA) series hosted talks about "Community efforts on advanced cryptography techniques", including about The HomomorphicEncryption.org Community and the Applied Fully Homomorphic Encryption Standardization Efforts, and the Efforts on Standardizing Fully Homomorphic Encryption at ISO/IEC.
  4. NIST Threshold Call. The NIST First Call for Multi-Party Threshold Schemes (draft in 2023, submissions aimed for 2025), has a subcategory (C2.6) devoted to FHE. Submissions in reply to this call are expected to provide a basis for public scrutiny of specifications and implementation of FHE. The analysis, of joint interest by the MPTC and PEC projects, is expected to bring clarification useful to specify future processes toward FHE recommendations and/or standardization.
  5. MPTS 2023. The 3-day NIST Workshop on Multi-Party Threshold Schemes 2023 included talks about FHE in the Threshold Call (Sept 27), and building blocks (gadgets) for FHE (Sept 28).
  6. US National Strategies. NIST-PEC collaborates in the writing of and feedback on some National Strategies, whose scope of applicability includes FHE as a useful tool. Notable examples are the National Strategy to Advance Privacy-Preserving Data Sharing and Analytics (PPDSA), and the National Strategy on Privacy Research (upcoming, 2024).
  7. Gov initiatives: Various governance-level initiatives have been highlighting the foreseen utility of FHE. Some examples: U.S. PETs Prize Challenge (2022-2023), UN PET Guide (2023), ...
  8. Synergies with other PEC tools. The topic of FHE also arises in connection with other PEC tools. For example: FHE can be used to enable MPC, including PSI; the correctness of FHE evaluations can be verify based on ZKPs.

A homomorphic encryption scheme is a special type of encryption scheme that enables computing functions over encrypted data, such that a later decryption outputs the function applied over the data. A Fully homomorphic encryption scheme enables this property for any computable function. FHE can be achieved both in the public-key setting and in the symmetric-key setting.

Comparison with a regular encryption scheme. A regular encryption scheme is specified as a triple (KeyGen, Enc, Dec) of algorithms: key generation (KeyGen), encryption (Enc) and decryption (Dec). Two essential properties (among others):

  • Confidentiality. Without the decryption key (k) (left implicit hereafter), the ciphertext (c = ext{Enc}(m)) resulting from the encryption of a plaintext (m) (also known as message) does not reveal any meaningful information about the plaintext. (Technically speaking, this is usually called semantic security).
  • Completeness/Correctness. The decryption of an encrypted message returns the original message, i.e., (m = ext{Dec}( ext{Enc}(m))).

The meaning of homomorphic evaluation. An homomorphic encryption scheme is a special type of encryption scheme that also supports an evaluation (Eval) operation over encrypted data. This can be expressed for functions that act on a single argument (e.g., (f(m))), or functions (or operators) that act on multiple arguments (e.g., (m_1 * m_2)). For example:

  • If (i) (f) is a supported function, (ii) (c = ext{Enc}(m)), and (iii) (c' = ext{Eval}(c,f)), then ( ext{Dec}(c') = f(m)).
  • If (i) (*) is a supported operation (e.g., multiplication), (ii) (c_1= ext{Enc}(m_1)), (iii) (c_2 = ext{Enc}(m_2)), and (c' = ext{Eval}(c_1,c_2,*)), then ( ext{Dec}(c') = m_1 * m_2).

The next illustration depicts an idealized FHE functionality ((mathcal{F})), which in an idealized world would mediate the encryption, decryption and evaluation. In this example: (1) a client encrypts (color{red}x_1) and (color{red}x_2), and then (2) the server learns that two elements have been encrypted, but not their content; then (3), the server homomorphically evaluates a function ( ed{f}) over the two encrypted values, and (4) the result is learned only by the Client. Depending on the application, the function (color{red}f) may also be chosen by the client.

FHE ideal functionality

An actual FHE scheme "emulates" this ideal functionality, without any third party mediation.

See WPEC 2024 Talk 2b1 for a brief invited tutorial on FHE types and properties. See WPEC 2024 Talk 2b6 for a brief overview of community developed security guidelines for implementing FHE. While the conceptualization of FHE can look very clean, in practice three are various distinct approaches for FHE, each with particular advantages. It is usual to characterize the known solutions in three types, depending on the plaintext domain and types of operations:

  • FHE for exact operations over bits
  • FHE for exact operations over large integers
  • FHE for approximate computations (floats)

A note on malleability (an essential feature) in FHE: Some applications of regular (non-homomoprhic) encryption schemes take advantage of a security property called indistinguishability against adaptive chosen-ciphertext attacks (IND-CCA2). FHE requires the opposite (a malleability property) as a feature: that someone with a ciphertext (e.g., (c = ext{Enc}(m))) but without the decryption key can calculate a new valid ciphertext ((c' = ext{Eval}(f,c))) for a new plaintext (m'=f(m)) that would be obtained from a known operation ((f)) on the original (unknown) plaintext.

IND-CPA-D: A minimum desired property of FHE is IND-CPA, i.e., indistinguishability against chosen plaintext attacks. While IND-CCA is nota applicable to FHE, it is important to consider the security of a scheme when an adversary can submit ciphertexts to a decryption oracle. The property IND-CPA-D is especially relevant for schemes where the result of an homomorphic evaluation may contain noise correlated with the key, and/or when the probability of decryption error is not negligible.

The NIST Threshold Call (submission deadline to be set in 2025) is a community opportunity for the public to submit FHE specifications+implementations+evaluations that showcase FHE state-of-the-art techniques and discuss their security properties.

Created January 03, 2017, Updated February 05, 2025