FHE: Compute Without Decrypting
Fully Homomorphic Encryption (FHE) allows a server to perform meaningful computation on encrypted data without ever decrypting it. The server receives ciphertext, performs operations on that ciphertext, and produces encrypted results. When the data owner decrypts the result, they get the same answer as if the computation had been performed on the plaintext.
This is not a theoretical concept. It is running in production. H33 operates three FHE engines, each optimized for different computation types, all producing verifiable results at scale.
The critical question FHE raises is not "can we compute on encrypted data?" — that has been answered since Gentry's 2009 construction. The critical question is: how do you verify that the computation was correct when you cannot see what was computed?
The Verification Challenge
In plaintext computation, verification is straightforward: re-run the computation and compare results. In encrypted computation, this approach fails because the verifier does not have the plaintext inputs, cannot re-run the computation on cleartext, and must establish correctness purely from the ciphertext operations.
Three verification problems arise:
- Computation integrity — Did the server actually perform the claimed operation, or did it substitute a different result?
- Input binding — Is the result bound to the specific encrypted inputs that were submitted, or could the server have swapped in different ciphertexts?
- Operation fidelity — Did the server perform the exact operation specified (e.g., inner product), or a different operation that happens to produce a plausible-looking ciphertext?
H33 solves all three through a combination of STARK proofs for computation integrity and the H33-74 attestation model for binding inputs to outputs.
H33-74: The 74-Byte Attestation
Every encrypted computation produces an H33-74 attestation bundle: exactly 74 bytes. 32 bytes are stored on-chain (or in any immutable store). 42 bytes are stored in Cachee (H33's post-quantum attested cache).
The 74-byte bundle contains:
- Computation hash — SHA3-256 of the canonicalized computation descriptor (operation type, parameter dimensions, scheme identifier)
- Input commitment — Commitment to the encrypted inputs (binding without revealing)
- Output commitment — Commitment to the encrypted output
- STARK proof reference — Pointer to the full STARK proof (stored separately for space efficiency)
- Three PQ signatures — Compressed signature bundle from ML-DSA-65, FALCON-512, SLH-DSA-SHA2-128f
The 74-byte size is constant regardless of the computation's complexity, the input size, or the FHE scheme used. A simple addition and a complex neural network inference both produce the same 74-byte attestation.
74 bytes is not compression. It is distillation. The full proof, signatures, and computation trace are preserved in their complete form. The 74-byte bundle is a commitment structure that binds all components together and enables verification without retrieving the full proof unless the verifier needs to inspect computation details.
Three FHE Schemes, One Attestation Model
H33 operates three FHE engines. Each is optimized for a different computation type, but all produce the same H33-74 attestation format.
| Scheme | Engine | Domain | Plaintext Type | Noise Model |
|---|---|---|---|---|
| BFV | H33-128 | Exact integer arithmetic | Integers mod t | Additive, bounded |
| CKKS | H33-CKKS | Approximate floating-point | Complex numbers | Precision-controlled |
| TFHE | H33-TFHE | Boolean gate-level | Individual bits | Bootstrappable |
BFV: Exact Integer Computation
BFV (Brakerski/Fan-Vercauteren) operates on integers modulo a plaintext modulus t. It supports addition and multiplication of encrypted integers with exact results (no approximation error). H33's BFV engine (H33-128) uses N=4096, a single 56-bit modulus, and t=65537.
Primary use case: biometric authentication. The FHE batch stage processes 32 users simultaneously via inner product on encrypted biometric vectors. Batch latency: 943 microseconds.
CKKS: Approximate Floating-Point
CKKS encodes real numbers into polynomials with controlled precision loss. This enables encrypted floating-point arithmetic for machine learning inference, financial calculations, and scientific computation. Precision is a tunable parameter, not an uncontrolled error.
TFHE: Boolean Gate-Level
TFHE operates at the individual bit level, supporting encrypted Boolean gates (AND, OR, XOR, NOT). This enables arbitrary computation on encrypted data by composing gates, similar to how a CPU executes instructions. The bootstrapping operation refreshes ciphertext noise, enabling unlimited computation depth.
The attestation model does not care which scheme produced the computation. The H33-74 bundle binds the computation hash, input commitment, and output commitment regardless of the underlying FHE engine. This means a verifier can validate a CKKS computation and a TFHE computation using the same verification logic.
STARK Proofs for Computation Integrity
STARK (Scalable Transparent Argument of Knowledge) proofs verify that a computation was performed correctly without the verifier re-executing the computation. H33 uses STARKs specifically for FHE computation integrity.
The STARK proof demonstrates: given encrypted inputs I and encrypted output O, there exists a valid execution trace of the claimed FHE operation that transforms I into O. The proof is generated by the computing party and verified by anyone.
Key properties of H33's STARK implementation:
- No trusted setup — STARKs require no trusted setup ceremony, unlike SNARKs. The proving system is transparent.
- Post-quantum secure — STARK security relies on hash function collision resistance, which is quantum-resistant.
- Verification time — STARK verification is polylogarithmic in the computation size. Verifying a 1M-operation computation takes roughly the same time as verifying a 1K-operation computation.
- Proof size — Larger than SNARKs (kilobytes vs. hundreds of bytes) but acceptable for H33's use case since the proof is stored off-chain and referenced by hash in the 74-byte bundle.
Performance: The Full Pipeline
| Stage | Component | Latency | % Pipeline |
|---|---|---|---|
| 1 | FHE Batch (BFV inner product, 32 users) | 943 us | 70% |
| 2 | Batch Attestation (SHA3 + ML-DSA sign + verify) | 391 us | 29% |
| 3 | ZKP Cached Lookup (Cachee) | 0.358 us | <1% |
| Total (32-user batch) | 1,345 us | ||
| Per authentication | 42 us | ||
The FHE stage dominates the pipeline at 70% of total latency. This is inherent to the mathematics of lattice-based encryption. H33's optimization path has focused on reducing this stage through SIMD vectorization, Montgomery-form arithmetic, and batch amortization (processing 32 users per ciphertext operation rather than one).
The attestation stage at 29% includes SHA3-256 hashing of the batch result, ML-DSA-65 signature generation and verification, and chain extension. The ZKP stage at less than 1% is a cached lookup in Cachee, not a fresh proof generation — the STARK proof is generated once and cached.
Frequently Asked Questions
What is Fully Homomorphic Encryption (FHE)?
FHE allows computation on encrypted data without decrypting it. The encrypted result, when decrypted, matches the result of performing the same computation on the plaintext. The server never sees cleartext data.
How does H33 verify that encrypted computation was performed correctly?
H33 generates a 74-byte attestation bundle (H33-74) binding computation inputs, the operation performed, and the encrypted result. A STARK proof verifies computation integrity without revealing data. Three PQ signature families sign the attestation.
What FHE schemes does H33 support?
Three schemes: BFV for exact integer arithmetic, CKKS for approximate floating-point, and TFHE for Boolean gate-level computation. All three produce the same 74-byte attestation format.
What is H33-74?
A 74-byte attestation bundle: 32 bytes on-chain, 42 bytes in Cachee. It binds a computation result to its proof of correctness using three PQ signature families. The format is constant regardless of computation complexity or FHE scheme.
What throughput does H33 achieve for encrypted computation verification?
2.2 million authentications per second sustained on Graviton4 c8g.metal-48xl (192 vCPUs). FHE batch: 943us for 32 users. Per-auth: 42us including FHE, attestation, and ZKP verification.