Benchmarks Stack Ranking H33 FHE FHE-IQ APIs Pricing PQC Docs Blog About
H33 Blog FHE-IQ: Two-Phase Policy Router
FHE NO PRIOR ART 3 ENGINES February 22, 2026 · 12 min read

FHE-IQ: The First Two-Phase
Policy Router for FHE

H33 operates three independent FHE engines with mutually incompatible ciphertexts. FHE-IQ is a novel two-phase policy router — binary mathematical disqualification followed by adaptive weighted optimization — that selects the optimal backend in under 500 nanoseconds. No one else has multiple production FHE backends to route between.

<500ns
Routing decision
3
FHE engines
4
Scoring dimensions
0
Prior art
FHE-IQ · H33 Production · c8g.metal-48xl (Graviton4) · February 2026

The Problem No One Else Has

Most FHE libraries ship a single implementation. Microsoft SEAL gives you BFV and CKKS but you choose manually. Zama gives you TFHE. OpenFHE gives you everything but you're responsible for configuration. None of them route for you — because none of them need to.

H33 has three distinct FHE implementations because they serve fundamentally different workloads. These aren't parameter variations of the same library. They are different implementations at the polynomial arithmetic level — different coefficient widths, different NTT strategies, different SIMD instruction sets. And their ciphertexts are mutually incompatible: you cannot add a BFV-64 ciphertext to a CKKS ciphertext. The backend decision is permanent for the lifetime of a session.

Why This Matters

Get the backend wrong and you don't get an error message. You get silent data corruption, blown noise budgets, or ciphertexts that refuse to interoperate. Worse: there's no recovery. You start over with different parameters. FHE-IQ makes this decision impossible to get wrong.

Three FHE Engines

BFV-64
Exact integer · u64
64-bit coefficients with Montgomery NTT. Supports all 5 product tiers (H0–H256). Biometric auth, identity matching, encrypted database queries.
H0 – H256
CKKS
Approximate float · f64
Complex number encoding via canonical embedding. Full bootstrapping for unlimited multiplicative depth. ML inference, credit scoring, privacy-preserving analytics.
H0 – H33
BFV-32
Integer · u32 · ARM NEON
32-bit coefficients with native ARM NEON vmull_u32. Nearly 2x faster NTT on Apple Silicon and Graviton. Mobile/edge auth, IoT, battery-constrained devices.
H0 – H1

Two-Phase Architecture: A New Routing Paradigm

FHE-IQ's router is a pure function with zero I/O that makes its decision in under 500 nanoseconds. It operates in two mathematically distinct phases:

Phase 1 · Hard Filters
Binary Mathematical Disqualification
Instant, binary elimination of backends that are mathematically incapable of fulfilling the request. DataType::Float → CKKS only. ProductTier::H256 → BFV-64 only. needs_rotation → BFV-32 out. No scoring. Pass or fail.
Phase 2 · Weighted Scoring
Adaptive Weighted Optimization
Scores surviving candidates across four dimensions with AI-adaptive weights. Latency fit (40%), security margin (25%), hardware affinity (20%), health signal (15%). Weights adjust in real-time via telemetry from three sub-µs Rust AI agents.

Routing Flow

INPUT
RoutingRequest arrives
{ data_type: Integer, tier: H33, security: Q128, needs_rotation: true, latency_budget: 5000µs }
PHASE 1
Hard filters eliminate ineligible backends
CKKS: DISQUALIFIED — integer data requires integer backend
BFV-32: DISQUALIFIED — rotation not supported
BFV-64: PASSES all filters
PHASE 2
Weighted scoring on survivors
Latency fit: 40% × 0.95 = 0.380 · Security margin: 25% × 1.00 = 0.250 · Hardware affinity: 20% × 0.85 = 0.170 · Health signal: 15% × 1.00 = 0.150 — Total: 0.95
RESULT
RoutingDecision { backend: BFV-64, tier: H33, score: 0.95 }
Session created. All subsequent operations route to BFV-64. Backend locked for session lifetime.

Four Scoring Dimensions

Latency Fit (40%)

Compares each backend's observed p99 latency (rolling 256-sample window) against the caller's latency budget. A backend delivering 1,200µs when you budgeted 5,000µs scores higher than one delivering 4,800µs — more headroom for downstream ZK proofs and Dilithium attestation.

Security Margin (25%)

Maps every configuration to estimated security bits via SecurityTier. Request 128-bit (NIST Level 1) and a backend offering 128 bits scores 1.0. Excess security above the requirement is valued but discounted. Prevents the router from always selecting maximum-security parameters.

Hardware Affinity (20%)

FHE-IQ detects the platform at startup and applies a hardware affinity matrix based on actual ISA capabilities. This is where the routing gets novel:

Platform BFV-64 BFV-32 CKKS Why
ARM NEON 0.80 1.00 0.80 vmull_u32 exists; vmull_u64 doesn't
x86 AVX-512 1.00 0.40 0.90 512-bit registers process 8 u64 coefficients
Generic 0.70 0.50 0.70 Scalar fallback, no SIMD advantage
ISA-Level Routing Decision

BFV-32 gets a perfect affinity score on ARM because it uses native vmull_u32 for 4-lane SIMD multiplication. ARM NEON lacks vmull_u64 entirely — the 64-bit variant extracts to scalar, does u128 multiply, repacks. Net overhead. This is why hardware affinity isn't optional — it's measuring real ISA gaps, not benchmarking preferences.

Health Signal (15%)

Three native Rust AI agents — Harvest Detection (0.69µs), Side-Channel Detection (1.14µs), and Crypto Health (0.52µs) — continuously monitor each backend. The health score:

Rust adaptive_weights.rs 
// AI-adaptive health scoring
let health = (1.0 - error_rate * 10.0).clamp(0.0, 1.0);

// 0% errors → 1.0 | 5% errors → 0.5 | 10%+ errors → 0.0
// At 10%+ the router routes AROUND the backend entirely

// Weights themselves are adaptive:
pub struct AdaptiveWeights {
    latency_fit:      f64,  // default 0.40
    security_margin:  f64,  // default 0.25
    hardware_affinity: f64, // default 0.20
    health_signal:    f64,  // default 0.15
}
// AI agents can shift health_signal to 0.40 during attack scenarios

Session Stickiness & Opaque Handles

Once FHE-IQ selects a backend, that decision is locked for the session lifetime. Every subsequent operation routes to the same backend. This is a correctness requirement: FHE ciphertexts are parameterized by (N, Q, t) and polynomial rings must match for any homomorphic operation to be mathematically defined.

Design: Opaque Ciphertext Handles

FHE-IQ never sends ciphertexts to the client. It returns CiphertextHandle — an opaque string ID referencing server-side encrypted data. No multi-megabyte payloads over the wire. No client-side key management. Server optimizes storage layout without breaking API contracts. Key material uses zeroize-on-drop — cryptographic erasure guaranteed at the type level.

The API: From 14 Lines to 4

Rust before_fhe_iq.rs 
// Before FHE-IQ: manual everything (14 lines)
let tier = ProductTier::H33;
let config = tier.resolve();
let ctx = BfvContext::new(config.poly_degree, &config.coeff_moduli, config.plain_modulus);
let keygen = KeyGenerator::new(&ctx);
let (pk, sk) = (keygen.public_key(), keygen.secret_key());
let encoder = BatchEncoder::new(&ctx);
let encryptor = Encryptor::new(&ctx, &pk);
let decryptor = Decryptor::new(&ctx, &sk);
let evaluator = Evaluator::new(&ctx);
let pt = encoder.encode(&values)?;
let ct = encryptor.encrypt(&pt)?;
// And you still need to know which scheme to pick
Rust with_fhe_iq.rs 
// After FHE-IQ: describe what you need (4 lines)
let fabric = FabricSessionStore::new(Default::default());
let session = fabric.create_session(RoutingRequest {
    data_type: DataType::Integer,
    product_tier: ProductTier::H33,
    security_tier: SecurityTier::Q128,
    ..Default::default()
}, "user-42")?;
let ct = fabric.encrypt(&session.session_id, &[42, 100, 7, 255])?;

REST Endpoints

FHE-IQ exposes routing intelligence through REST under /api/v1/fhe/fabric/*. Coexists with existing endpoints — zero breaking changes.

Method Endpoint Purpose
POST /session Create session (router selects backend)
POST /encrypt Encrypt integers or floats
POST /decrypt Decrypt ciphertext handle
POST /compute Homomorphic operation (add, multiply, rotate)
POST /recommend Stateless preview — what would the router pick?
POST /batch-encrypt Batch encrypt (up to 32 users per ciphertext)
GET /backends List all backends with capabilities
GET /health Per-backend health, latency, active sessions
GET /session/:id Session info (backend, tier, stats)
DEL /session/:id Destroy session (zeroize keys)
The /recommend Endpoint

/recommend runs the full two-phase routing algorithm without creating a session. Returns the decision, score, and disqualification reasons for every backend considered. Lets you explore routing logic before committing resources. No state created, no keys generated.

Where FHE-IQ Fits in the Pipeline

FHE-IQ is the compute layer in H33's fully post-quantum authentication pipeline. A single API call flows through three cryptographic stages:

Full-Stack Pipeline · ~50µs per auth

FHE-IQ (batch 32 users)~1,375µs
Dilithium Attestation (batch)~240µs
STARK ZK Proof0.067µs
Total (32-user batch)~1,615µs
Per auth: ~50µs · Sustained: 1.2M auth/sec on Graviton4 · Fully post-quantum

Why This Architecture Is New

No prior art exists because the prerequisite — operating multiple independent, production-grade FHE backends with incompatible ciphertext formats — has never existed before H33.

Try FHE-IQ Today

One API call. Optimal backend. Post-quantum security. Your data never decrypted.

Get Free API Key → FHE-IQ Product Page API Docs
Free tier · No credit card required

Related Articles

FHE
What Is Fully Homomorphic Encryption?
FHE
FHE Performance Optimization
FHE
BFV vs CKKS FHE Schemes
Verify It Yourself