tl;dr

1. Zero-knowledge proofs (ZKPs) are demonstrably useful for boosting scalability and privacy in web3, but are hindered by dependence on third-party handling of unencrypted data.
2. Fully homomorphic encryption (FHE) presents a breakthrough, allowing for both shared and individual private states simultaneously, without the third-party trust requirement.
3. FHE enables computation directly over encrypted data, enabling applications like dark pool AMMs and private lending pools, where global state information is never revealed.
4. Benefits include trustless operations and permissionless on-chain state transitions over encrypted data, with challenges centered around computational latency and integrity.
5. Key players in the emerging FHE-crypto space focus on developing private smart contracts and specialized hardware acceleration for scaling.
6. Future FHE-crypto architecture includes the potential for integrating FHE rollups directly on Ethereum.

“One of the largest remaining challenges in the Ethereum ecosystem is privacy (…) using the entire suite of Ethereum applications involves making a significant portion of your life public for anyone to see and analyze.” — Vitalik

Zero-knowledge proofs (ZKPs) have been the darling of cryptography in the crypto space for at least the past year but it has its limitations. They are valuable for privacy, proving knowledge of information without revealing it, and scalability, notably within zk-rollups, however, they currently face at least a few major limitations:

(1) Hidden info is typically stored and computed off-chain by trusted third parties, limiting permissionless composability where other apps need access to those off-chain data. This server-side proving resembles a system like web2 cloud computing.

(2) State transition has to be done over plaintext, meaning users have to trust those third-party provers with their unencrypted data.

(3) ZKPs are not suitable for applications where knowing the shared private state is necessary for generating proofs about the local private state.

However, any multiplayer use case (e.g. dark pool AMM, private lending pool) requires an on-chain shared private state, meaning, using ZK would require some kind of centralized/off-chain coordinator to achieve a shared private state, making it cumbersome and introducing trust assumptions.

ENTER FULLY HOMOMORPHIC ENCRYPTION

Fully homomorphic encryption (FHE) is a cryptography scheme that allows computations to be performed over data without the need for prior decryption. It allows plaintext to be encrypted by the user into ciphertext and sent to third parties who process it without decrypting it.

What does this mean? End-to-end encryption. FHE allows for a shared private state.

For instance, in an AMM, a decentralized market maker account interacts with each trade but is not owned by any single user. When someone swaps Token A for Token B, they must be aware of the existing amounts of both tokens within the shared market maker account to generate a valid proof of the swap details. However, if the global state is hidden with a ZKP scheme, generating that proof would no longer be feasible. Conversely, if the global state information is publicly accessible, it allows other users to infer specifics about an individual’s swap.

With FHE, it is theoretically possible to conceal both shared and personal state, since proofs could be computed over encrypted data.

In addition to FHE, another key technology in achieving the privacy holy grail is multiparty computation (MPC), which solves the problem of computing over private inputs, and disclosing only the results of these computations while preserving the confidentiality of the inputs. But, we save that for another discussion. Our focus here is on FHE — its benefits and drawbacks, current market, and use cases.

It is important to note that FHE is still early in development and this is not a tribalist question of FHE vs. ZKPs, or FHE vs. MPC, but rather the additional features unlocked when combined with technology currently available. For example, a privacy-focused blockchain can use FHE to enable confidential smart contracts, MPC to distribute shards of the decryption key across validators, and ZKPs to verify the integrity of FHE computations.

BENEFITS & DRAWBACKS

At this point in time:

The benefits of FHE include:

1. No third-party trust requirement. Data can remain secure and private in untrusted environments.
2. Composability via shared private state.
3. Data usability while maintaining data privacy.
4. Quantum resistance with (ring-)LWE.
5. Ability to do on-chain state transitions on top of encrypted data permissionlessly.
6. No need for hardware like Intel SGX that’s prone to side-channel attacks and a centralized supply chain.
7. In the context of a fully homomorphic EVM (fhEVM), no need to learn to execute repetitive mathematical multiplications (e.g., multiscalar multiplication) or use unfamiliar ZK tooling.

The drawbacks include:

1. Latency. Computationally intensive meaning most schemes are currently commercially unviable for compute-heavy applications. It is worthwhile to note that this is a shorter-term bottleneck given hardware acceleration is actively in development and that, at this point, Zama’s fhEVM can already do ~2 TPS on ~$2k per month of hardware.
2. Accuracy issues. FHE schemes require noise management to prevent ciphertexts from becoming invalid or corrupted. TFHE, however, is more accurate because it doesn’t require approximation (as opposed to CKKS for certain operations).
3. Early. There are very few production-ready FHE projects that have launched in the web3 space meaning there is a lot of battle testing to be done.

MARKET OVERVIEW

Current FHE x Crypto landscape

Highlights

Zama provides a range of open-source FHE tooling for both crypto and non-crypto use cases. Its fhEVM library enables private smart contracts, guaranteeing both on-chain confidentiality and composability.

Fhenix leverages Zama’s fhEVM library to enable an end-to-end encrypted rollup. They aim to streamline the process of integrating FHE into any EVM smart contract, requiring minimal modifications to existing contracts. The founding team consists of the founder of Secret Network and Intel’s previous FHE bizdev lead. Fhenix recently raised $7M in seed funding.

Inco Network is an FHE-powered, EVM-compatible L1, bringing computation over encrypted data to smart contracts by integrating Zama’s fhEVM cryptography. Remi Gai, the founder, was a founding member of Parallel Finance and is joined by several Cosmos engineers to realize this vision.

Hardware. A few entities are building hardware acceleration to solve latency issues. Notably, Intel, Cornami, Fabric, Optalysis, KU Leuven, Niobium, Chain Reaction, and some ZK ASIC/FPGA teams. This surge in development was propelled by a DARPA grant awarded for ASIC-based FHE acceleration about three years ago. That said, such specialized hardware acceleration may not be necessary for some blockchain applications where GPUs can likely reach 20+ TPS. FHE ASICs could potentially enhance performance to 100+ TPS while substantially reducing operational costs for validators.

Notable mentions. Google, Intel, OpenFHE are all contributing significantly to the general advancement of FHE, just less specifically within the context of crypto.

USE CASES

The key advantage is enabling shared private state and personal private state. What does this mean?

Private smart contracts: Traditional blockchain architectures leave user data exposed in web3 apps. Each user’s assets and transactions are visible to every other user. This is useful for trust and auditability, but it’s also a major barrier to enterprise adoption. Many businesses are reluctant or simply refuse to publicize this information. FHE changes this.

Beyond end-to-end encrypted transactions, FHE enables encrypted mempools, encrypted blocks, and confidential state transitions.

This unlocks a variety of novel use cases:

• DeFi: dark pools, eliminating malicious MEV via encrypted mempools, untrackable wallets, and confidential payments (e.g. employee salaries for on-chain organizations).
• Gaming: encrypted state multiplayer strategy games enabling various new game mechanics such as secret alliances, resource concealment, sabotage, spying, bluffing, etc.
• DAO: private voting.
• DID: encrypted on chain credit scores and other identifiers.
• Data: compliant on-chain data management.

SO WHAT DOES THE FUTURE OF FHE-CRYPTO ARCHITECTURE LOOK LIKE?

There are three core components we should elaborate on:

Layer 1: This layer serves as the foundation for developers to (a) launch applications natively on the network or (b) interface with the existing Ethereum ecosystem (an input-output model), including both the Ethereum mainnet and its L2s/sidechains.

The flexibility of the L1 is key here, as it caters to new projects seeking a native platform with FHE capabilities while also accommodating existing applications that prefer to remain on their current chains.

Rollups / Appchains: Applications can launch their own rollup or appchain on top of these FHE-enabled L1s. To this end, Zama’s working on both optimistic and ZK FHE rollup stacks for fhEVM L1s for scaling privacy-focused solutions.

FHE Rollup on Ethereum: Launching an FHE rollup on Ethereum itself could significantly enhance native privacy on Ethereum but faces several technical challenges:

1. Data storage costs: FHE ciphertext data is quite large (8 kb+ each), even if the plaintext entry is small. Storing such large amounts of data on Ethereum for data availability (DA) purposes would be very costly in terms of gas fees.
2. Sequencer centralization: Centralized sequencers ordering transactions and controlling the global FHE key is a major privacy and security issue that defies the purpose of fhEVM in the first place. While MPC is a potential solution for decentralizing control over the global FHE key, maintaining the network of multiple parties to perform computations would increase operating costs and introduce potential inefficiencies.
3. Generating valid ZKPs: Generating ZKPs for FHE operations is a complex task that’s still under development. While companies like Sunscreen are making progress, it may be several years before such technology is ready for widespread commercial use.
4. EVM integration: FHE operations need to be incorporated into the EVM as precompiles, thus requiring a consensus vote over a network-wide upgrade involving several questions around computational overhead and security concerns.
5. Validator hardware requirements: Ethereum validators would need to upgrade their hardware to run FHE libraries, raising concerns about centralization and costs.

We expect that FHE will initially find its niche in lower liquidity environments and specific areas where privacy is paramount. Eventually, deeper liquidity may be found on an FHE L1 as throughput increases. In the longer term, once the issues above are solved, we may see an FHE rollup on Ethereum that can more frictionlessly tap liquidity and users from mainnet. The challenge now lies in finding a killer use case for FHE, maintaining compliance, and bringing a production-ready technology to market.

In the meantime, any developer looking to get their hands dirty or make some money bounty hunting can take a stab at Fherma’s FHE challenges with several 4-figure bounties attached to them.

Acknowledgements: A big thank you to Gurgen Arakelov (founder of Yasha Labs/Fherma), @randhindi">Rand Hindi (founder of Zama), @remi.gai">Remi Gai (founder of Inco Network), and Hiroki Kotabe (research principal at Inception Capital) for their contributions to this article.

Relevant Reading:

Paillier, Pascal. “5 ways in which FHE can solve blockchain’s privacy problems.” Help Net Security, 4 September 2023, https://www.helpnetsecurity.com/2023/09/04/fully-homomorphic-encryption-fhe/

Inco Network Documentation, https://docs.inco.network/

Samani, Kyle. “The Dawn of On-Chain FHE.” Multicoin Capital, 26 September 2023, https://multicoin.capital/2023/09/26/the-dawn-of-on-chain-fhe/

Hindi, Rand. “Private Smart Contracts Using Homomorphic Encryption.” Zama, 23 May 2023, https://www.zama.ai/post/private-smart-contracts-using-homomorphic-encryption

Ramaswamy, Anita. “This niche cryptographic technique could transform privacy in web3.” Techcrunch, 18 July 2022. https://techcrunch.com/2022/07/18/crypto-blockchain-web3-privacy-cryptography-fully-homomorphic-encryption-startup-sunscreen/

Michael De Vega’s talk at DeCompute Conference, 2023. https://twitter.com/nillionnetwork/status/1710372206423756887?s=20

Wei Dai’s thread on FHE. https://twitter.com/_weidai/status/1707474764783354340?s=20

Fisher, Evan et al. “Fully Homomorphic Encryption (FHE).” Portal Ventures. 10 July 2023. https://portal.vc/fhe

Solomon, Ravital. “How SNARKs fall short for FHE.” Sunscreen. 24 August 2023. https://blog.sunscreen.tech/snarks-shortcomings/

Fouda, Mohamed. “ZKPs, FHE, MPC: Managing Private State in Blockchains.” Alliance. 22 December 2023. https://medium.com/alliancedao/zkps-fhe-mpc-managing-private-state-in-blockchains-17cc3661007d

Disclaimer：

1. This article is reprinted from [medium]. All copyrights belong to the original author [Mads Pedersen]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.