There are a lot of elegant ideas in cryptography. Fully homomorphic encryption (FHE) might be the most absurd one that actually works.
The idea: you encrypt your data, hand it to someone else, they run computations on it, hand back a result, and when you decrypt that result, it’s correct. The person who did the computing never saw your data. Not a scrubbed version. Not a hash. The actual underlying values, never exposed, not even for a microsecond.
Craig Gentry proved this was possible in 2009. The question had been open since Rivest, Adleman and Dertouzos posed it in 1978, roughly 30 years earlier.
How FHE works
Regular encryption is a one-way door. You lock the data, and anyone who wants to do something with it has to unlock it first. FHE keeps the door locked but lets you rearrange the furniture from the outside.
More precisely: FHE schemes define two operations on ciphertexts, typically called homomorphic addition and homomorphic multiplication. These map to the same operations on the underlying plaintexts. If you add two encrypted values, the result, when decrypted, equals the sum of the originals. Same for multiplication.
Those two operations are enough to build any function a computer can calculate. (Restrict the plaintexts to bits: addition mod 2 is XOR, multiplication mod 2 is AND, and XOR with the constant 1 is NOT. Any Boolean circuit can be written with those gates, so any computation can be expressed as additions and multiplications of encrypted bits.) That’s the bridge from “two operations on encrypted numbers” to “arbitrary computation on encrypted data.” The price is that the whole circuit has to be evaluated: there is no branching on an encrypted value, because the evaluator cannot see which branch to take, so both branches are computed and the result is selected arithmetically.
The catch is noise. Every ciphertext carries a small random error term (it is part of what hides the plaintext), and every homomorphic operation makes that error grow: addition roughly adds the two error terms, multiplication roughly multiplies them, so multiplicative depth is what really eats the budget. Past a threshold the noise swamps the signal and decryption returns garbage. Gentry’s key contribution was a technique called bootstrapping: publish an encryption of the secret key, then homomorphically evaluate the scheme’s own decryption circuit on the noisy ciphertext. The output is a fresh encryption of the same plaintext whose noise has been reset to a fixed, lower level, so evaluation can continue. It’s deeply strange if you think about it too long. The decryption function decrypts… inside the encryption. That’s what makes the scheme “fully” homomorphic rather than just “somewhat” homomorphic. Two practical consequences: bootstrapping is by far the most expensive operation, so real systems are parameterised to do it as rarely as possible, and encrypting the key under itself rests on a circular-security assumption that is standard but unproven for these schemes.
Somewhat homomorphic encryption (SHE) handles a limited number of operations before noise becomes fatal. Leveled homomorphic encryption (LHE) handles a predetermined multiplicative depth: you choose the parameters (key and ciphertext sizes) for the circuit you intend to run, and deeper circuits cost bigger parameters and slower operations. FHE handles any circuit, unbounded, because bootstrapping lets you keep going.
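To make the add/multiply/noise story concrete, here is an added toy example. It is not code from the original post or from any production library: a symmetric somewhat-homomorphic scheme over the integers modelled on the DGHV construction of van Dijk, Gentry, Halevi and Vaikuntanathan (2010), with deliberately tiny, insecure parameters and a seeded RNG so the run is reproducible. The parameter names (ETA, NOISE, Q_BITS), the helper functions and the sample values are this example’s own. It shows the two homomorphic operations acting as XOR and AND on bits, a small circuit (an equality test) built from nothing but those two operations, the noise growing with each multiplication until decryption fails, and how the key size has to scale with the intended multiplicative depth, which is what “leveled” means. Bootstrapping is deliberately absent, so in the post’s terms this scheme is only “somewhat” homomorphic.

```python
"""Toy somewhat-homomorphic encryption of bits over the integers, modelled on the symmetric
DGHV scheme (van Dijk, Gentry, Halevi, Vaikuntanathan, 2010). Added illustration only:
the parameters are tiny and the scheme is NOT secure.
  ciphertext of bit m under odd secret key p:  c = p*q + 2*r + m   (q large random, r small noise)
  decryption: c mod p, centred around 0, then mod 2
"""
import random

rng = random.Random(2024)  # seeded for a reproducible demo; a real scheme uses a CSPRNG

ETA = 128     # bit length of the secret key p; the noise budget is |noise| < p/2
NOISE = 8     # bit length of the fresh noise r
Q_BITS = 600  # bit length of the random multiple q that hides p

def keygen():
    """Random odd p with its top bit set."""
    return rng.getrandbits(ETA) | (1 << (ETA - 1)) | 1

def encrypt(p, m):
    assert m in (0, 1)
    r = rng.getrandbits(NOISE) - (1 << (NOISE - 1))  # signed noise, so |2r+m| < 2**NOISE
    return p * rng.getrandbits(Q_BITS) + 2 * r + m

def noise(p, c):
    """Centred residue of c mod p, i.e. the term 2r+m. Decryption is correct iff |noise| < p/2."""
    z = c % p
    return z - p if z > p // 2 else z

def decrypt(p, c):
    return noise(p, c) % 2

# The two homomorphic operations. The evaluator never sees p.
def add(c1, c2):
    """Decrypts to m1 XOR m2; the noise terms add."""
    return c1 + c2

def mul(c1, c2):
    """Decrypts to m1 AND m2; the noise terms multiply."""
    return c1 * c2

def check_gates(p):
    """Decrypted add/mul agree with XOR/AND on every input pair. A plaintext constant bit b
    is a valid noise-free ciphertext of itself (b = p*0 + 2*0 + b), so NOT(a) is add(ca, 1)."""
    for a in (0, 1):
        for b in (0, 1):
            ca, cb = encrypt(p, a), encrypt(p, b)
            if decrypt(p, add(ca, cb)) != (a ^ b) or decrypt(p, mul(ca, cb)) != (a & b):
                return False
            if decrypt(p, add(ca, 1)) != 1 - a:
                return False
    return True

def encrypt_int(p, x, bits):
    """Bitwise encryption, least significant bit first."""
    return [encrypt(p, (x >> i) & 1) for i in range(bits)]

def enc_equals(cx, y, bits):
    """Circuit from add/mul only: encrypts 1 iff the encrypted value equals plaintext y.
    Per bit NOT(x_i XOR y_i) = x_i + y_i + 1, then AND of all bits via a balanced product
    tree, which keeps multiplicative depth at ceil(log2(bits)) rather than bits-1."""
    terms = [add(add(cx[i], (y >> i) & 1), 1) for i in range(bits)]
    while len(terms) > 1:
        pairs = [mul(terms[i], terms[i + 1]) for i in range(0, len(terms) - 1, 2)]
        if len(terms) % 2:
            pairs.append(terms[-1])
        terms = pairs
    return terms[0]

def noise_growth(p, ops):
    """Multiply an encryption of 1 by fresh encryptions of 1, `ops` times. Returns the bit
    length of the noise after each step and the first step at which it left the budget
    (None if never). The key is used only to measure noise; mul itself does not need it."""
    c = encrypt(p, 1)
    true_noise = noise(p, c)
    bits, failed_at = [], None
    for k in range(1, ops + 1):
        fresh = encrypt(p, 1)
        true_noise *= noise(p, fresh)  # exact: the product's noise is the product of the noises
        c = mul(c, fresh)
        bits.append(abs(true_noise).bit_length())
        if failed_at is None and 2 * abs(true_noise) >= p:
            failed_at = k  # from here on decrypt(p, c) is garbage
    return bits, failed_at

def key_bits_for_depth(depth, noise_bits=NOISE):
    """Key length needed to evaluate a product tree of the given depth (2**depth fresh
    ciphertexts) with no bootstrapping: noise reaches 2**(noise_bits * 2**depth) and must stay
    below p/2 >= 2**(ETA-2). This is the leveled trade-off: parameters sized for the circuit."""
    return noise_bits * 2 ** depth + 3  # +2 to clear p/2, +1 margin

if __name__ == "__main__":
    p = keygen()
    print("gates ok:", check_gates(p))
    cx = encrypt_int(p, 11, 4)
    print("11 == 11:", decrypt(p, enc_equals(cx, 11, 4)), " 11 == 5:", decrypt(p, enc_equals(cx, 5, 4)))
    bits, k = noise_growth(p, 64)
    print("noise bits after each multiplication:", bits[:k], "-> budget exceeded at step", k)
    print("key bits for depth 4 without bootstrapping:", key_bits_for_depth(4))
```

Running it prints the gate check, the two equality results and the noise bit length after each multiplication. The point to watch is the last number: with an 8-bit noise term each multiplication adds roughly eight bits, and once the noise reaches about 127 bits the 128-bit key can no longer recover the plaintext. Doubling the allowed depth doubles the key size in key_bits_for_depth, which is why leveled schemes pick parameters per circuit and why bootstrapping is needed to go beyond that.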
Where FHE is usable now
For most applications, FHE is still too slow. But “most” has a sharp edge to it: the workloads that fit are the ones with bounded, known circuit depth, modest data volumes, and a privacy requirement worth paying a heavy overhead for. There are real deployments running today.
Private machine learning inference. A client has sensitive input data. A server has a proprietary model. Neither wants to expose what they have to the other. FHE lets the server evaluate its model on the client’s encrypted input and return an encrypted result the client can decrypt. The server never sees the input. The client never sees the model weights. Companies have shipped this for specific model architectures. The workload fits FHE’s current constraints because the circuit depth is bounded and known in advance, so the system can be parameterised for it as leveled HE with few or no bootstraps. Two caveats a deployment has to cover separately: FHE gives confidentiality, not integrity, so the client has no assurance from FHE alone that the server evaluated the model it claims to have; and the outputs leak whatever any black-box query interface leaks about the model.
Private genomic computation. Genomic data is sensitive in ways that go beyond a social security number: it implicates your relatives, it’s permanent, and the privacy risks compound as reference databases grow. Researchers have used FHE to compute disease risk scores and genetic comparisons without exposing the underlying sequences to the computing party. iDASH competitions have been benchmarking this use case since 2014.
Private database queries. You want to query a database without revealing what you’re looking for. Keyword search, range queries, and set membership tests all have FHE constructions. The cost structure differs from a normal database: the server can’t skip records based on an encrypted query, since doing so would reveal what matched, so every query touches every record and cost grows linearly with database size. The overhead is still significant but manageable for low-frequency, high-value queries.
Federated computation with privacy guarantees. Multiple hospitals want to train a model on their combined patient data without sharing records. FHE (often combined with secure multi-party computation) gives you the combined computation without the data pooling.
FHE versus other privacy-preserving approaches
FHE doesn’t exist in isolation. It’s one tool in a stack that includes:
Secure multi-party computation (MPC): multiple parties jointly compute a function without revealing their inputs to each other. MPC is often faster than FHE for specific functions, but it requires multiple non-colluding parties and rounds of interaction between them. FHE works with a single, fully untrusted server and no interaction beyond sending ciphertexts and receiving results.
Differential privacy (DP): adds calibrated noise to outputs to bound what an adversary can infer about individuals in a dataset. DP protects against inference attacks on aggregated results but doesn’t give you computation on private inputs.
Trusted execution environments (TEEs): hardware-isolated execution (Intel SGX enclaves, AMD SEV encrypted VMs) that runs code in memory the operating system and hypervisor can’t read. TEEs assume you trust the hardware vendor, the attestation chain, and the absence of flaws in a large implementation; microarchitectural side channels have repeatedly undermined that assumption in practice. FHE assumes only that the underlying math (for today’s practical schemes, lattice problems) is hard, and pays for that with far higher cost.
Zero-knowledge proofs (ZKPs): let you prove a statement is true without revealing why it’s true. ZKPs prove properties; FHE computes on private values. They’re complementary.
Hybrid systems are increasingly common. FHE handles the sensitive computation; ZKPs verify the computation was done correctly, which FHE on its own does not guarantee; MPC distributes trust. The boundaries between these technologies are dissolving as practitioners build systems that need properties from several simultaneously.