What is the difference between FHE and zero-knowledge proofs?

FHE (Fully Homomorphic Encryption) allows computation on encrypted data without decrypting it — the output is an encrypted result. Zero-knowledge proofs (ZKPs) allow one party to prove a statement is true without revealing the underlying data. FHE protects data during computation. ZKPs protect data during verification. They solve different problems and are complementary, not interchangeable.

When should I use FHE instead of zero-knowledge proofs?

Use FHE when you need to compute on sensitive data without exposing it: encrypted biometric matching, ML inference on private data, encrypted search, financial aggregation. The server processes ciphertexts and returns encrypted results. The raw data never leaves encryption. Use ZK when you need to prove a fact to a verifier without revealing why it's true — like proving you are over 21 without showing your birth date.

Can FHE and ZK proofs be used together?

Yes, and the combination is more powerful than either alone. A common pattern: use FHE to compute on encrypted data (e.g., a biometric match score), then use a ZK proof to prove a property of the result (e.g., the score exceeds a threshold) without revealing the score or the inputs. H33 combines BFV/CKKS/TFHE for encrypted computation with STARK proofs for verification, connected by H33-74 post-quantum attestation.

Are FHE and zero-knowledge proofs post-quantum secure?

Both can be post-quantum secure. FHE schemes like BFV and CKKS are based on the Ring Learning With Errors (RLWE) problem, which is believed to resist quantum attacks. STARKs are hash-based and require no trusted setup, making them inherently post-quantum. SNARKs based on elliptic curve pairings (like Groth16) are NOT post-quantum secure. H33 uses only post-quantum-secure primitives: RLWE-based FHE, hash-based STARKs, and three PQ signature families (ML-DSA, FALCON, SLH-DSA).

← Blog

April 28, 2026 · Engineering

FHE vs Zero-Knowledge Proofs: When to Use Which

Fully homomorphic encryption computes on data you cannot see. Zero-knowledge proofs prove statements without revealing why they are true. They are not interchangeable. They are complementary. Here is when to use each — and what happens when you combine them in one pipeline.

They Solve Different Problems

FHE and ZK proofs get grouped together under "privacy-preserving cryptography," and that grouping obscures a fundamental distinction. They protect different things at different stages of a computation.

FHE protects data during computation. You encrypt your inputs. A server computes on the ciphertexts. The server never sees the plaintext. The output is an encrypted result that only you can decrypt. The server did useful work on data it could not read.

ZK proofs protect data during verification. You have a fact you want someone to believe. You construct a proof that the fact is true. The verifier checks the proof. At no point does the verifier see the underlying data that makes the fact true. The verifier is convinced; the data remains private.

The difference is not subtle. FHE answers: "How do I compute on private data without exposing it?" ZK answers: "How do I prove a claim without revealing the evidence?" These are different questions. They arise at different stages of a pipeline. And the engineering requirements for each are radically different.

A simple test: If you need the server to produce a result from private inputs, you need FHE. If you need to convince a verifier that a result satisfies some condition, you need ZK. If you need both, you need both.

When to Use FHE

FHE is the right tool when you have sensitive data and need to compute on it without exposing it to the party performing the computation. The defining characteristic: the computation produces an encrypted result. Nobody in the pipeline — not the server, not the network, not the storage layer — ever sees the plaintext inputs or the plaintext output.

Concrete use cases where FHE is the correct choice:

Encrypted biometric matching. A user's biometric template is encrypted on-device. The server computes an inner product between the encrypted template and a stored encrypted reference. The match score is encrypted. The server knows whether authentication succeeded (via a threshold comparison), but never sees the biometric data. This is H33's core authentication pipeline: BFV inner product at 42 microseconds per auth.
ML inference on private data. A hospital encrypts patient records. A model provider runs inference on the encrypted data. The predictions are returned encrypted. Neither the model provider nor any intermediate infrastructure sees the patient data. CKKS handles the real-number arithmetic: 333ms for a 64-dimensional encrypted dot product.
Encrypted search and aggregation. A financial institution encrypts transaction records. An auditor runs encrypted queries — sum, average, count — over the encrypted dataset. The aggregate results are decrypted only by the institution. The auditor sees the aggregates, never the individual transactions.
Encrypted threshold decisions. An insurance company needs to determine whether a risk score exceeds a threshold. TFHE evaluates the comparison gate on encrypted inputs. The comparison result is encrypted. The insurer decrypts only the boolean: above or below threshold. The actual score remains encrypted throughout.

The common thread: data stays encrypted through the entire computation. The output is encrypted. Decryption happens only at the endpoint that owns the key.

When to Use ZK

Zero-knowledge proofs are the right tool when you need to prove something to a verifier without revealing the underlying data. The defining characteristic: the verifier learns that a statement is true, and nothing else. Not the data. Not the computation path. Not any auxiliary information.

Concrete use cases where ZK is the correct choice:

Age verification without identity disclosure. A user proves they are over 21 to a merchant. The merchant learns "over 21" and nothing else — not the birth date, not the name, not the ID number. The ZK proof encodes the age check against a committed credential.
Compliance proof without record exposure. A bank proves to a regulator that all AML checks passed for a batch of transactions. The regulator verifies the proof. The individual transaction details remain confidential. The proof demonstrates compliance without creating a new data exposure surface.
Identity attestation without credential revelation. A user proves they hold a valid credential (professional license, security clearance, health certification) without revealing the credential itself. The verifier confirms validity. The credential's contents remain private.
Computation integrity proof. A server computes a result and publishes a proof that the computation was performed correctly. Any verifier can check the proof without re-executing the computation. This is how rollups work, and it is how H33 attests that FHE computation was performed correctly.

The common thread: a verifier is convinced of a fact. The evidence for that fact remains hidden. No data is computed on — a pre-existing statement is proven.

The Overlap Zone

Both FHE and ZK protect privacy. But they protect it at different stages. Understanding the overlap zone — where both are useful in the same pipeline — is where the real architectural insight lies.

Consider a practical scenario: encrypted credit scoring.

Stage 1 (FHE): A borrower's financial records are encrypted on-device. A lender's server runs an encrypted scoring model via CKKS. The output is an encrypted credit score. The lender's server never sees the financial records or the score.
Stage 2 (ZK): The encrypted score is decrypted by the borrower. The borrower generates a ZK proof that the score exceeds a threshold (e.g., above 700) without revealing the actual score. The lender verifies the proof. The lender knows "score above 700" and nothing more.
Stage 3 (Attestation): The entire pipeline — the FHE computation, the ZK proof, the threshold check — is committed to a post-quantum attestation. The attestation proves that the pipeline executed correctly, that the FHE computation used the correct model, and that the ZK proof verified.

FHE protected the data during computation. ZK protected the result during verification. The attestation binds both stages into an auditable, tamper-evident record. Neither technology alone covers all three stages. Together, they close every gap in the pipeline.

The principle: FHE protects inputs and computation. ZK protects outputs and verification. Attestation binds the whole pipeline into a permanent, verifiable record. A complete privacy architecture needs all three.

H33's Approach: Both in One Pipeline

H33 does not force you to choose. The platform routes operations to the appropriate cryptographic engine automatically. A single API call can involve FHE computation, ZK proof generation, and post-quantum attestation — the developer does not manage the transitions.

The production stack:

FHE engines: BFV for exact integer arithmetic (biometric auth, encrypted search). CKKS for real-number computation (ML inference, scoring, aggregation). TFHE for boolean circuits and comparisons (threshold decisions, encrypted conditionals).
ZK engine: STARK proofs for computation integrity and selective disclosure. Hash-based, no trusted setup, post-quantum secure by construction. No Groth16 anywhere in the stack — elliptic curve pairings are not quantum-resistant.
Attestation: H33-74 substrate. 74 bytes containing a three-family post-quantum signature (ML-DSA + FALCON + SLH-DSA) that commits the computation result, the routing decision, and the authorization context.

The concrete pipeline for encrypted biometric authentication:

FHE (BFV): Encrypted biometric template is matched against an encrypted reference via inner product. 32 users per ciphertext, batch-processed. 943 microseconds for the FHE batch.
ZK (STARK): A cached STARK proof attests that the match computation was performed correctly and that the result satisfies the threshold. 2.0 microseconds to prove, 0.2 microseconds to verify (cached lookup via CacheeEngine).
Attestation (H33-74): The match result and STARK proof are committed to a three-family PQ signature. SHA3-256 hash + Dilithium sign + Dilithium verify. 391 microseconds for the batch attestation.

<1ms

Additional overhead from ZK proof in the FHE pipeline · STARK cached lookup via CacheeEngine · 0.358µs per verification

The ZK layer adds less than 1 microsecond per authentication to the FHE pipeline. It is not a performance penalty. It is a verification guarantee at near-zero marginal cost.

Performance Comparison

Measured on AWS Graviton4 c8g.metal-48xl (192 vCPUs, 96 physical cores). All numbers from production builds, not benchmarks on developer hardware.

Operation	Engine	Latency	Notes
Biometric auth (per user)	BFV (FHE)	42µs	32-user SIMD batch, full pipeline
CKKS dot product (64-dim)	CKKS (FHE)	333ms	Full multiply + relin + rescale + rotation
CKKS multiply pipeline	CKKS (FHE)	61ms	Multiply + relinearization + rescale
TFHE greater-than (8-bit)	TFHE (FHE)	768 TPS	96-channel Graviton4
STARK prove (cached)	STARK (ZK)	2.0µs	CacheeEngine cached lookup
STARK verify (cached)	STARK (ZK)	0.2µs	CacheeEngine cached lookup
Batch attestation (32 users)	H33-74	391µs	SHA3 + Dilithium sign + verify

FHE dominates the pipeline latency. That is expected — computing on encrypted data is inherently more expensive than proving a statement about plaintext. The ZK layer is three orders of magnitude faster than the FHE layer because it operates on hashes and commitments, not on encrypted polynomial rings.

This is why combining them works: the ZK overhead is invisible relative to the FHE cost. You get computation integrity verification for free, in performance terms.

Post-Quantum Security

Both FHE and STARKs are post-quantum secure, but for different reasons.

FHE (BFV, CKKS, TFHE): Based on the Ring Learning With Errors (RLWE) problem. The best known quantum algorithm for RLWE offers no significant advantage over classical algorithms. NIST's post-quantum standards (ML-KEM, ML-DSA) are built on the same lattice hardness assumptions. FHE inherits this security by construction.

STARKs: Based on collision-resistant hash functions (SHA3-256 in H33's implementation). Grover's algorithm reduces the effective security of hash functions by half — a 256-bit hash provides 128 bits of quantum security. This exceeds NIST's Level 1 threshold. No pairing-based mathematics. No elliptic curves. No trusted setup ceremony that could be compromised.

What H33 does NOT use: Groth16. BN254 pairings. Any SNARK construction that relies on the hardness of the discrete logarithm problem on elliptic curves. These constructions are efficient and widely deployed, but they are broken by Shor's algorithm. A post-quantum privacy stack cannot include non-post-quantum verification.

Every attestation in the H33 pipeline carries three independent post-quantum signature families: ML-DSA (lattice-based), FALCON (NTRU lattice-based), and SLH-DSA (hash-based). An attacker must break MLWE lattices, NTRU lattices, AND stateless hash functions simultaneously. Three independent mathematical bets.

Decision Framework

Use this table when architecting a privacy-preserving system. The question is not "FHE or ZK?" The question is "What does each stage of my pipeline need?"

I want to...	Technology	H33 Engine
Compute on private data without exposing it	FHE	BFV / CKKS / TFHE
Prove a statement without revealing evidence	ZK	STARK
Compute on private data AND prove the result	FHE + ZK	BFV/CKKS/TFHE + STARK
All of the above, post-quantum attested	FHE + ZK + Attestation	Full H33 pipeline + H33-74
Match biometrics without seeing templates	FHE	BFV (42µs/auth)
Prove age without revealing birth date	ZK	STARK
Score credit risk on encrypted financials	FHE	CKKS (333ms dot product)
Prove score exceeds threshold without revealing it	ZK	STARK
Run encrypted ML and prove correctness	FHE + ZK	CKKS + STARK
Evaluate encrypted boolean conditions	FHE	TFHE (768 TPS 8-bit GT)

The framework reduces to three questions:

Do I need to compute on encrypted data? If yes, FHE. Choose the scheme by data type: BFV for integers, CKKS for real numbers, TFHE for booleans and comparisons.
Do I need to prove a property of the result? If yes, ZK. Use STARKs for post-quantum security. Avoid Groth16/SNARKs if quantum resistance is a requirement.
Do I need a permanent, tamper-evident, post-quantum record? If yes, attestation. H33-74 substrate: 74 bytes, three PQ signature families, chain-agnostic.

Most production privacy pipelines need at least two of these three. Many need all three. The architecture that wins is the one where the developer does not have to stitch them together manually.

The Real Question

The industry conversation around "FHE vs ZK" frames them as competing technologies. They are not. They are complementary stages of a complete privacy pipeline. Asking "Should I use FHE or ZK?" is like asking "Should I use encryption or authentication?" The answer is yes. Both. For different purposes. In the same system.

FHE without ZK means you compute on encrypted data but cannot prove anything about the result without decrypting it. ZK without FHE means you can prove statements about data, but the data must exist in plaintext somewhere for the proof to be constructed. The combination — FHE computation followed by ZK verification — closes both gaps. The data is never plaintext during computation, and the result is never revealed during verification.

Add post-quantum attestation and the pipeline is complete: private computation, verifiable results, and a tamper-evident record that survives quantum computers. One API. Three cryptographic layers. Every gap closed.

The question is not FHE or ZK. The question is: where in your pipeline does each one belong? H33 answers that question with a router that selects the right engine for every operation, a STARK layer that proves every computation, and an attestation layer that commits every result. 42 microseconds per auth. Sub-microsecond verification. 74 bytes of permanent, post-quantum proof.

Eric Beans

CEO, H33.ai, Inc.

Patent pending. U.S. Patent Application Nos. 19/309,560 and 19/645,499. Additional applications pending.
All benchmarks measured on AWS c8g.metal-48xl (Graviton4, 192 vCPUs, Neoverse V2), April 2026. Rust 1.94.0.
All NIST security tests passed: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA). FIPS 140-3 KATs operational. 20,000+ tests across the platform.
H33-74 is a trademark of H33.ai, Inc. AWS and Graviton4 are trademarks of Amazon Web Services, Inc.