FHE and secure enclaves (like Intel SGX and ARM TrustZone) both enable computation on sensitive data. However, they take fundamentally different approaches with different security properties. Understanding these differences helps you choose the right technology.
Fundamental Approaches
FHE (Fully Homomorphic Encryption)
Mathematical protection: data remains encrypted during computation, security based on cryptographic hardness.
Secure Enclaves
Hardware protection: data decrypted inside a protected hardware region, security based on physical isolation.
Key Distinction
FHE: Data never decrypted, even during processing
Enclaves: Data decrypted but in protected memory
Security Model Comparison
FHE Security
- Based on mathematical problems (lattice hardness)
- No trusted hardware required
- Post-quantum secure (lattice-based schemes)
- Data protected even if server is fully compromised
Enclave Security
- Based on hardware isolation
- Requires trust in hardware manufacturer
- Vulnerable to side-channel attacks (Spectre, Meltdown variants)
- Attestation proves code integrity
Attack Surface
FHE Attack Vectors
- Cryptographic breaks (theoretical, none known for standard schemes)
- Implementation bugs in FHE libraries
- Key management failures
Enclave Attack Vectors
- Side-channel attacks (many demonstrated)
- Hardware vulnerabilities
- Microcode/firmware attacks
- Supply chain attacks on hardware
Performance Comparison
FHE Performance
- Significant overhead compared to plaintext
- Improving rapidly (10-1000x improvement in recent years)
- Simple operations: microseconds to milliseconds
- Complex operations: seconds to minutes
Enclave Performance
- Near-native speed for computation
- Overhead mainly in enclave entry/exit
- Limited memory (historically)
- Context switches are expensive
Practical Considerations
Choose FHE when:
- You can't trust the computing infrastructure
- Post-quantum security is required
- Data must never be decrypted outside your control
- Computation is relatively simple
Choose Enclaves when:
- Performance is critical
- Complex arbitrary code must run
- You can trust hardware attestation
- Side-channel mitigations are acceptable
Hybrid Approaches
The best solutions often combine both:
- FHE for long-term data protection
- Enclaves for performance-critical operations
- FHE key operations inside enclaves
- Defense in depth
H33's Approach
We primarily use FHE for biometric matching because:
- Biometric data has lifetime sensitivity
- Users shouldn't trust any third party with their biometrics
- Our optimizations achieve acceptable performance
- Post-quantum security future-proofs the protection
Both FHE and secure enclaves have their place. Understand their trade-offs to make the right choice for your application.
Ready to Go Quantum-Secure?
Start protecting your users with post-quantum authentication today. 1,000 free auths, no credit card required.
Get Free API Key →