Key Points
- Homomorphic encryption allows computation directly on ciphertext, so sensitive data never has to be decrypted before processing — data in use stays encrypted throughout.
- There are three kinds: partially homomorphic (PHE), somewhat homomorphic (SHE), and fully homomorphic encryption (FHE), each with different capabilities and performance tradeoffs.
- Enterprise PKI infrastructure must be in place before adding advanced privacy-preserving computation like homomorphic encryption.
Homomorphic encryption is a new, advanced form of cryptography that closes an attack window left open by other kinds of digital security. Encryption, from TLS to AES, has protected data in transit and at rest for decades. But data being actively processed — queried by an analytics engine, scored by a machine learning model, analyzed by a cloud service — has historically had to be decrypted first, leaving it vulnerable.
Homomorphic encryption (HE) closes that window. It allows mathematical operations to be performed directly on encrypted data, producing an encrypted result that, when decrypted by the authorized party, matches what you would get from running the same operation on the plaintext.
This post covers what homomorphic cryptography is, how it works, the three types IT teams need to know, about where it is being deployed today, and where it genuinely falls short. It also explains why the organizations best positioned to adopt HE are the ones that already have solid cryptographic infrastructure underneath it.
What Is Homomorphic Encryption?
Homomorphic encryption is a form of encryption that allows specific computations to be performed on ciphertext without decrypting it first, producing an encrypted result that, when decrypted, equals the output of the same computation on the original plaintext.
The word “homomorphic” comes from abstract algebra. A function is homomorphic when it preserves structure through a transformation. In the context of encryption, the mathematical structure of the underlying data is preserved in a way that lets certain operations pass through the encryption layer unchanged in meaning, even though the data is never exposed.
Here’s a practical analogy. Imagine sending a locked briefcase with a transparent window showing important numbers to an accountant. The accountant adds the numbers without ever opening the briefcase. You can later unlock the briefcase to access its undisturbed contents while knowing the numbers have already been computed. Homomorphic encryption is the cryptographic implementation of that idea — the “window” comes from the mathematical structure of the cipher, not by physical transparency.
While useful, HE is not a replacement for TLS, nor is it an alternative to access control, or a general-purpose substitute for conventional encryption. HE is a targeted tool that addresses the specific problem of data in use, which other encryption schemes have historically left exposed.
How Homomorphic Encryption Works
Understanding the mechanics of HE requires some background. A standard asymmetric encryption scheme takes plaintext, applies an encryption function with a public key, and produces ciphertext. Decryption requires the corresponding private key. Operations on that ciphertext — without the private key — produce nonsense.
Homomorphic encryption schemes are constructed differently. They are built on hard mathematical problems, primarily lattice-based cryptography, that preserve the algebraic structure of data even as that data is transformed by the encryption algorithm. This structure is what makes computation on ciphertext possible.
The homomorphic encryption and evaluation process follows this sequence:
- Key generation: A key pair is generated — a public key for encryption, a private key for decryption. In many schemes an additional evaluation key is also generated, allowing third parties to perform operations without being able to decrypt.
- Encryption: Plaintext values are encoded and encrypted under the public key, producing ciphertext. A small amount of random noise is intentionally added to the ciphertext for security.
- Evaluation: A third party (a cloud server, an analytics engine, a model inference endpoint) receives the ciphertext and applies operations — additions, multiplications — directly to it using the evaluation key.
- Noise accumulation: Each operation on the ciphertext adds noise. If noise grows too large, decryption produces incorrect results. This is the central engineering challenge of HE.
- Bootstrapping (FHE only): Fully homomorphic encryption uses a technique called bootstrapping to periodically refresh ciphertext and reduce accumulated noise, allowing an unlimited number of operations. Bootstrapping is computationally expensive.
- Decryption: The authorized party decrypts the evaluated ciphertext with the private key, recovering the result as plaintext.
Accumulating noise is not a flaw to be fixed — it is an intentional security mechanism. The challenge is managing how fast it is added across a computation.
Types of Homomorphic Encryption
Not all homomorphic encryption schemes are equal. There are three tiers, distinguished by what, and how many, operations they support.
Partially Homomorphic Encryption (PHE)
Partially homomorphic encryption supports either addition or multiplication on ciphertext, but not both. RSA, for example, is multiplicatively homomorphic — multiplying two RSA ciphertexts produces the encryption of the product of the underlying plaintexts. By contrast, the Paillier cryptosystem is additively homomorphic.
PHE is computationally efficient because it does not accumulate noise if users perform multiple operations. It is suitable for specific, constrained workloads: summing encrypted vote counts, aggregating encrypted sensor data, or computing encrypted billing totals.
The limitation is obvious — if your computation requires both addition and multiplication (which most analytics and machine learning operations do), PHE is not sufficient.
Somewhat Homomorphic Encryption (SHE)
Somewhat homomorphic encryption supports both addition and multiplication, but with limitations. Each multiplication substantially increases ciphertext noise. Once accumulated noise exceeds the scheme’s threshold, decryption fails. A scheme’s “circuit depth” refers to the total number of sequential multiplications a scheme can handle before the noise becomes unmanageable.
SHE is practical for computations with bounded complexity: fixed-depth neural network inference, specific statistical models, or SQL-style aggregations with limited nesting. The developer designs computations to fit within the noise budget.
Fully Homomorphic Encryption (FHE)
Fully homomorphic encryption supports an unlimited number of additions and multiplications on ciphertext. It achieves this through bootstrapping — a procedure that removes accumulated noise by re-encrypting the ciphertext. This process allows arbitrarily complex computations to be performed on encrypted data.
FHE is the end goal of homomorphic cryptography research, and it is increasingly practical for targeted enterprise workloads in 2026. The performance overhead remains significant, but has dropped by multiple orders of magnitude over the past decade.
| Type | Supported Operations | Circuit Depth | Bootstrapping | Relative Performance |
| Partially Homomorphic (PHE) | Addition OR multiplication | Unlimited within one type | No | Fast |
| Somewhat Homomorphic (SHE) | Addition AND multiplication | Limited (fixed depth) | No | Moderate |
| Fully Homomorphic (FHE) | Addition AND multiplication | Unlimited | Yes | Slow (improving) |
PHE and SHE are the practical reality for most enterprise deployments today; FHE is appropriate for high-value scenarios where the performance cost is justified.
Major Fully Homomorphic Encryption Schemes: CKKS, BFV, and BGV
Different FHE implementations are optimized for different workloads. Three schemes are common in enterprise and research settings.
CKKS (Cheon-Kim-Kim-Song) operates on approximate numbers, making it well suited for machine learning inference and statistical analysis. It accepts a small margin of error in decrypted results in exchange for significantly improved performance. For applications like encrypted model scoring or private analytics where floating-point approximation is acceptable, CKKS is the standard choice.
BFV (Brakerski/Fan-Vercauteren) operates on exact integers, supporting modular arithmetic. It is suitable for exact computations where precision is required — encrypted database queries, exact billing computations, and certain financial calculations where rounding is not permissible.
BGV (Brakerski-Gentry-Vaikuntanathan) is similar to BFV in supporting exact integer arithmetic but uses a different noise management strategy. It performs better than BFV for workloads with many more additions than multiplications. It is often preferred for preserving privacy in large datasets.
Open-source libraries exist for all three: Microsoft SEAL supports CKKS and BFV; OpenFHE supports CKKS, BFV, BGV, and third-generation FHE systems like FHEW/TFHE. Both libraries are production-quality, well-documented, and actively maintained as of 2026.
Enterprise Use Cases
Homomorphic encryption is used when an organization must share or process sensitive data with a party it cannot fully trust, such as a cloud vendor, a research collaborator, or a third-party analytics provider. These are some examples of sectors moving quickly to adopt HE.
Healthcare and Life Sciences
Healthcare organizations need to analyze patient data for research, clinical decision support, and population health analytics. HIPAA limits how and where that data can be shared. HE allows a hospital or health system to send encrypted patient records to a cloud analytics provider, receive encrypted results, and decrypt those results in-house — without the cloud provider ever seeing identifiable patient data.
Genomic research is a particularly active area. Multi-institution studies require pooling sensitive genetic data. FHE allows each institution to contribute encrypted data to a shared computation without exposing individual records to other participants. Several academic medical centers have run production pilots using CKKS-based FHE for this work.
Financial Services
Banks and payment processors run fraud detection models that require transaction data, which is often subject to strict privacy regulations or contractual restrictions on sharing with model providers. HE allows a financial institution to submit encrypted transaction records to a model inference endpoint, receive an encrypted fraud score, and decrypt locally. The model provider never sees the underlying account data.
Cross-institutional risk analytics is another active area. For example, two banks analyzing shared counterparty exposure historically required complex data-sharing agreements and regulatory approvals. Additive HE (PHE or CKKS) can allow both parties to contribute encrypted positions and receive a joint risk metric without revealing individual portfolio details.
AI and Machine Learning
Private inference — running a machine learning model on encrypted inputs — is one of the highest-activity areas in applied FHE research. The use case: a user submits sensitive query data to an AI service; the service runs inference on encrypted inputs; the user decrypts the result. Neither the user’s input nor the model weights are exposed to the other party.
This matters for healthcare diagnostics, legal document review, and any domain where proprietary model weights and sensitive input data must coexist in a computation without either side revealing their asset to the other. Performance overhead is still a limiting factor for complex models, but CKKS-based inference for shallow neural networks is viable today.
Cloud SaaS and Third-Party Processing
Any organization that processes sensitive data in a multi-tenant cloud environment has a version of this problem. When a cloud-hosted query engine searches an encrypted database field or a cloud SaaS workflow processes an encrypted document, the cloud provider must operate on data it cannot read. PHE and SHE can address bounded versions of these workloads; FHE handles more complex queries.
Limitations and Current Maturity
Homomorphic encryption is being used by enterprises today for specific workloads..However is is not yet a universal drop-in encryption layer.
Performance overhead is significant. FHE operations are orders of magnitude slower than equivalent plaintext operations. Benchmarks vary by scheme and hardware, but a computation that takes milliseconds in plaintext may take seconds or minutes in FHE. Hardware acceleration (GPU, FPGA, and dedicated HE ASICs from several startups) is narrowing this gap, but performance remains the primary adoption barrier for general-purpose workloads.
Operation support is not universal. Non-linear functions — comparisons, divisions, branching conditionals — are expensive or unsupported in standard HE schemes. Developers designing HE-compatible computations must restructure algorithms to work within the algebraic constraints of the scheme. This is a non-trivial engineering effort.
Key and ciphertext sizes are large. HE schemes produce ciphertext significantly larger than the underlying plaintext, and key management for evaluation keys adds operational complexity. Storage and bandwidth costs scale accordingly.
Developer tooling is improving but not mature. SEAL and OpenFHE are well-maintained, but robust automated systems for moving to FHE are still in development. Teams need developers with background in the relevant mathematics or time to develop that background.
Circuit depth planning is required for SHE. For schemes without bootstrapping, developers must plan computations to stay within the noise budget. This requires analysis of computation depth before implementation, not after.
HE is not a technology to deploy broadly tomorrow. It is a technology to understand today, pilot in high-value scenarios, and deploy where the data sensitivity justifies the engineering cost.
Homomorphic Encryption and Post-Quantum Cryptography
HE and post-quantum cryptography are often discussed separately, but they share the same mathematical foundation. Both are built primarily on lattice-based hard problems like the Learning With Errors (LWE) problem and its variants. This is not a coincidence. Lattice problems are resistant to quantum computer attacks, which is why NIST selected lattice-based schemes for its post-quantum cryptography standards.
NIST finalized its first post-quantum standards in 2024: ML-KEM (Module Lattice Key Encapsulation Mechanism, formerly CRYSTALS-Kyber) for key exchange and ML-DSA (Module Lattice Digital Signature Algorithm, formerly CRYSTALS-Dilithium) for digital signatures. Both are lattice-based. The same mathematical logic underlies most mature FHE schemes.
This convergence matters for enterprise planning in two ways.
First, organizations deploying HE schemes are already working in the lattice-based cryptographic world that post-quantum standards will make mandatory. The learning curve is shallower for teams that have already worked with lattice-based primitives.
Second, and more practically for most enterprise IT teams: the move to post-quantum cryptography will require replacing existing RSA and ECDSA certificates across the PKI infrastructure. This is not a software patch — it requires certificate re-issuance at scale, updated protocol support across endpoints, and potentially new hardware for constrained devices that cannot run larger PQC key sizes efficiently.
What ‘Crypto Agility’ Means in Practice
Crypto agility is the ability of a system to switch cryptographic algorithms without requiring architectural changes. It allows organizations to adapt when current i algorithms are broken or superseded?
For most enterprises, crypto agility is a PKI problem first. Certificates encode specific algorithms — RSA-2048, ECDSA P-256 — and replacing them at scale requires an automated enrollment and re-issuance pipeline. An organization running manual certificate management today has no realistic path to PQC migration on any reasonable timeline.
The best course of action is to audit the algorithms your current PKI issues, confirm your PKI vendor supports algorithm agility without re-enrollment downtime, and start tracking NIST PQC deployment milestones. That will position your organization to adopt HE in the future when you judge it to be necessary.
How HE Fits Into a Continuous Trust Architecture
Homomorphic encryption addresses the data layer, allowing aa third party to work on sensitive data without seeing it.
In a continuous trust architecture, where every connection, user, and device is validated before access is granted, HE operates at a different layer than identity. Identity-based access controls — certificate-based authentication, verified device posture, identity provider lookups on every request — determine who gets access to a system. HE determines what that system can learn from the data it processes.
Complementary elements of a continuous trust architecture include:
- Encryption in transit (TLS, mTLS): protects data moving between systems
- Encryption at rest (AES, disk encryption): protects data stored in databases and filesystems
- Encryption in use (HE): protects data while being processed by a third party
The identity layer — PKI authentication, certificate-based access controls, cloud RADIUS — must first be solid. An organization that cannot reliably verify which users and devices are connecting to its systems is not in a position to benefit from HE’s protections at the processing layer.
This is also why crypto agility at the identity layer matters for organizations planning HE adoption. If your PKI issues RSA-2048 certificates today and cannot migrate to ML-DSA without a full re-enrollment, the bottleneck is not HE implementation — it is the certificate infrastructure below. Similarly, in the evolution from SHA-2 and ECC algorithms to post-quantum algorithms infrastructure that cannot rotate algorithms is infrastructure that cannot adapt.
What IT Teams Should Do Today
Most IT teams are not deploying FHE in the next 12 months. But ignoring it entirely is also a mistake. The smart thing to do now is to fully understand the technology and begin to position your infrastructure for an eventual move to HE.
Here is a practical sequence for enterprise IT and security teams:
Inventory where sensitive data is processed externally. Identify workloads where sensitive data is shared with cloud vendors, analytics providers, or research partners. These are the candidates for HE. Even if you do not deploy HE today, knowing the workloads tells you where the exposure is.
Confirm your PKI is crypto-agile. Before considering HE or PQC, confirm that your certificate infrastructure can issue and rotate certificates under new algorithms without manual re-enrollment. Talk to your PKI vendor about ML-KEM and ML-DSA support timelines. If you are still running an on-premise certificate authority with manual workflows, this is the first problem to solve — not HE.
Track NIST PQC deployment guidance. NIST’s National Cybersecurity Center of Excellence (NCCoE) publishes migration guidance for federal agencies, but the timelines and migration patterns apply to enterprise and healthcare organizations too. Separately, a 2025 Executive Order instructs federal agencies to begin the process of preparing for PQC.
Pilot HE on a bounded, high-value workload. If your organization handles regulated data (HIPAA, GDPR) and uses a cloud analytics provider, evaluate whether a PHE or SHE scheme could be applied to that specific workload. SEAL and OpenFHE are both free, open-source, and well-documented starting points. The goal of a pilot is understanding the engineering cost before committing to broader adoption.
Follow the CKKS scheme for ML workloads. If your organization is deploying AI/ML models for sensitive data, CKKS-based private inference is the most mature and best-documented option. Academic papers and production case studies from the healthcare and finance sectors are publicly available.
Build Your Cryptographic Foundation With SecureW2
Homomorphic encryption will not be the first cryptographic challenge most IT teams face in 2026. Instead, post-quantum PKI migration is the more pressing issue Both challenges share the same dependency: an enterprise PKI that can rotate algorithms, issue certificates at scale, and adapt to new cryptographic standards without manual re-enrollment or architectural redesign.
Organizations running on-premise certificate authorities with manual workflows are already behind on this readiness curve. Crypto agility requires automation — automated enrollment, automated issuance, automated revocation, and support for updated algorithm suites as NIST PQC standards roll into vendor products.
SecureW2 Dynamic PKI is a cloud-native managed PKI platform built for exactly this environment. It automates certificate issuance and lifecycle management across Wi-Fi, VPN, and web application access — with native integrations to Microsoft Intune, Jamf, Okta, Entra ID, and Google Workspace. The same infrastructure that issues certificates for 802.1X authentication today is the infrastructure that must flex to accommodate ML-DSA signatures tomorrow.
If your team is evaluating post-quantum readiness, assessing cryptographic infrastructure for a regulatory audit, or planning a PKI migration, start with the identity and certificate layer. HE addresses data in use; PKI addresses identity in transit. Both matter. The foundation comes first.
Schedule a demo to see how SecureW2 Dynamic PKI supports crypto-agile enterprise certificate management, or contact SecureW2 to discuss your organization’s PKI and post-quantum readiness posture.
Frequently Asked Questions
What is the difference between homomorphic encryption and regular encryption?
Standard encryption protects data from being read. To use the data you must first decrypt it, creating an exposure window. Homomorphic encryption allows computation directly on ciphertext, so the data is never exposed during processing. The result, when decrypted, is the same as if the computation had been performed on plaintext.
Is fully homomorphic encryption practical today?
Yes, for specific, bounded workloads. Private machine learning inference using CKKS, encrypted genomic analysis, and privacy-preserving financial analytics have all been demonstrated in production environments. For general-purpose workloads with complex, unbounded computation requirements, performance overhead remains a significant constraint. FHE performance has improved by several orders of magnitude since 2009, and hardware acceleration is narrowing the gap further.
What is the difference between PHE, SHE, and FHE?
Partially homomorphic encryption (PHE) supports one operation type — either addition or multiplication — but not both. Somewhat homomorphic encryption (SHE) supports both operations but only up to a fixed computation depth before noise makes decryption unreliable. Fully homomorphic encryption (FHE) supports unlimited operations of both types by using a bootstrapping procedure to refresh accumulated noise. Performance cost increases along this spectrum: PHE is fast, SHE is moderate, FHE is slow but improving.
How does homomorphic encryption relate to post-quantum cryptography?
Both rely primarily on lattice-based hard mathematical problems — specifically variants of the Learning With Errors (LWE) problem. NIST’s finalized post-quantum standards (ML-KEM, ML-DSA) and most production FHE schemes (CKKS, BFV, BGV) share this mathematical foundation. Quantum computers cannot efficiently solve LWE problems, which is why lattice-based cryptography underpins both PQC and HE. Organizations planning for PQC migration are already operating in the same mathematical domain as HE.
What industries are deploying homomorphic encryption today?
Healthcare and life sciences (HIPAA-compliant analytics, genomic research), financial services (fraud detection, cross-institutional risk analytics), and technology companies deploying private ML inference. Government and defense organizations have run classified pilots, though public information is limited. Most production deployments in 2025–2026 use PHE or SHE rather than full FHE and apply it to specific high-value workloads rather than general infrastructure.
What are the main limitations of fully homomorphic encryption?
Performance is the primary constraint — FHE operations are substantially slower than plaintext equivalents, though hardware acceleration is improving this. Ciphertext sizes are large, increasing storage and bandwidth requirements. Not all operations are efficient: non-linear functions like comparisons and conditional branches require approximation or decomposition that adds computational complexity. Bootstrapping, required for unlimited operations, is itself computationally expensive. Practical FHE deployment requires developers with a cryptographic background or significant ramp-up time.
How does homomorphic encryption fit into a zero trust architecture?
HE operates at the data processing layer, not the access control layer. In a continuous trust architecture, identity verification controls who can access a system; HE controls what a system learns from the data it processes. They operate independently and at different layers. An organization implementing HE still needs strong identity controls — certificate-based authentication, verified device posture — at the access layer. HE does not replace or replicate those controls; it extends protection to data that the authorized processor needs to compute on but should not read in plaintext.
