1kx Research Partners: FHE is "very close" to large-scale application, closely monitoring developments in the field

Interview and Article by: Wendy, Foresight News

Interviewee: Wei Dai, Partner at 1kx

"For a long time, Fully Homomorphic Encryption (FHE) has been regarded as one of the crowns of cryptography," Vitalik wrote at the beginning of a blog post published on July 20, 2020. On May 5 of this year, Vitalik once again shared this article titled "Exploring Fully Homomorphic Encryption" on X (Twitter), stating that "many people are interested in fully homomorphic encryption."

This "interest" has already been reflected in the crypto venture capital space. In March of this year, the fully homomorphic encryption company Zama announced it had secured $73 million in Series A funding led by Multicoin and Protocol Labs, attracting market attention.

Foresight News recently summarized that the FHE ecosystem in the crypto field has already formed. Some keen crypto funds have also begun to lay out their strategies in FHE, including 1kx. Earlier this year, 1kx led an investment in a fully homomorphic encryption project based on Zama called Inco. The fund's research partner Wei Dai revealed to Foresight News that they are closely monitoring developments in this field, as fully homomorphic encryption technology is "very close" to being widely adopted.

Wei Dai holds a PhD in cryptography from the University of California, San Diego. In his view, although the overall development of fully homomorphic encryption lags behind zero-knowledge proofs by about three to four years, its potential is enormous, especially in addressing privacy issues on the blockchain. Once this technology is combined with related technologies such as Multi-Party Computation (MPC) and Zero-Knowledge Proofs (ZKP), it is expected to unlock greater imaginative possibilities.

Foresight News: Compared to traditional cryptographic technologies like partially homomorphic encryption, what are the main advantages and innovations of fully homomorphic encryption?

Wei Dai: Fully Homomorphic Encryption (FHE) has been discussed since the 1970s, and it has been around for three to four decades, but it is very difficult to implement.

The origin of the idea is simple: encrypt data and then decrypt it, which is standard encryption. Soon, people realized that it was actually possible to perform simple operations on them (these encrypted data), such as addition (note: multiplication can also be done, but not simultaneously), which is known as partially homomorphic encryption. Then people began to wonder if arbitrary forms of computation could be performed on it. If addition and multiplication can be done, then you essentially have a complete universal computation type. This idea was realized in 2009 through Craig Gentry's paper. Since then, this new field based on Craig Gentry's fully homomorphic encryption scheme has been widely researched. We have seen a lot of progress since then.

So, the main advantage of fully homomorphic encryption is that you can perform any type of computation (while in an encrypted state).

Foresight News: Vitalik mentioned in an article a few years ago that fully homomorphic encryption is expected to become a key technology for blockchain scalability and privacy protection. What do you think about the application prospects of fully homomorphic encryption in these two areas? What specific improvements can it bring?

Wei Dai: Current blockchains are transparent by default; every transaction and every variable in smart contracts is public, and anyone can view them—this needs to change.

So, we see many projects essentially transforming a completely transparent blockchain into a partially encrypted form, still controllable by smart contracts. For example, the FHE virtual machine built by Zama. Zama is a company with 40 PhDs, and it is building deep tech FHE primitives and products based on them. Essentially, programmers can simply write Solidity code to manipulate FHE primitives. This is very powerful. I believe this will help address the privacy issues present in today's blockchains. For instance, you can create slot machines, open casinos, and conduct encrypted payments. It is not entirely like Tornado Cash. Tornado Cash obscures the entire transaction graph, but using FHE and encrypted payments, the transaction graph is actually preserved, just with the amounts hidden. Therefore, in a sense, it is slightly easier to trace and may be more friendly to regulators.

Another point Vitalik mentioned about privacy is that privacy projects like Zcash, Aztec, and Tornado Cash have a huge problem in usability: if you use them on a phone or browser, it takes a long time to get your balance information. If someone pays you, it also takes a long time to sync with the on-chain state. It turns out that FHE solves this problem. This is something Aztec is researching. It is called Oblivious Message Retrieval (OMR). If you want to sync the state of your wallet client without revealing what you are accessing, then FHE can provide some form of solution for you.

In terms of scalability, I actually don't think FHE truly addresses this issue. I don't think Vitalik explicitly mentioned this in his article; for privacy coins currently using ZK, there are scalability issues on the client side, as the client needs to sync with the on-chain state. FHE solves these privacy coins' client-side scalability issues.

However, regarding solving scalability issues, compared to Rollup-type scalability, FHE does not really address this problem. In fact, or perhaps as he mentioned, when FHE complements ZK, it may help solve these issues. There is something called Verifiable FHE, and it turns out that if you want to do FHE connected to the chain in a Rollup setting, you actually need to make the FHE computation values verifiable. Similar to ZK Rollup, you can guarantee that there is a computation running on certain inputs that gives you some outputs. FHE does not provide this by default. It is still trusted computation, but you can do some specialized, verified FHE schemes to ensure the computation is completed correctly. For example, RISC Zero and other ZK projects are trying to do this in a general form; they use ZKVM, insert Zama's code, and try to do this in a general way. But in reality, you can do some smarter and more efficient things by mathematically studying FHE operations to perform verifiable computation in a more customized way.

Foresight News: You mentioned that Zero-Knowledge Proofs (ZKP) are also a promising technology in the field of cryptography. What are the connections and differences between fully homomorphic encryption (FHE) and zero-knowledge proof (ZKP) technologies? Can the two complement each other? How should one weigh and choose between these two technologies in the field of privacy protection?

Wei Dai: This is a very complex topic, and I will try to explain it succinctly.

Zero-Knowledge Proofs mainly allow you to do two things: verifiable computation and the "zero-knowledge" property, which is the ZK attribute. Currently, all ZK L2 essentially perform verifiable computation—you can perform a computation and verify it without redoing the computation. The zero-knowledge property in ZKP allows you to prove things about data without actually constructing the data itself, which can give you some form of privacy. This has been used in things like mixnets, privacy coins (like Zcash), and Tornado Cash. You can also extend them to further computations, like Aleo and Mina, which use ZK to hide data. This can be done off-chain rather than on-chain.

However, in terms of privacy, ZK does not allow you to have privacy over shared states; it only allows you to protect privacy over private states, meaning if the information is private to one or more parties, that’s fine.

But this does not apply to smart contracts. For example, the liquidity on Uniswap can interact with anyone in a permissionless manner; this type of privacy is what I refer to as privacy or confidentiality over shared states. This is not feasible for ZK, which is where you need MPC (Multi-Party Computation) and FHE.

What FHE truly allows you to do is separate computation from data; you can encrypt data, perform computations on it, and you do not see the data during the computation. And the place where encryption is done does not need to know what computation is being run on it, so this is really good in a blockchain environment because you can have encrypted smart contracts or smart contracts holding encrypted values and still perform computations on them. It’s like adding a layer of FHE to Uniswap to obtain some form of encrypted computation trace.

So, the distinction between FHE and ZK is very subtle, but overall, if you want to make smart contracts private, you need MPC or FHE. But for simpler things like payments, you can use ZK.

Foresight News: Recently, some projects have been discussing the ZK+FHE narrative. What are your thoughts on this?

Wei Dai: Regarding the idea of ZK+FHE, I do believe these two are complementary technologies, but at the current stage, if you really stack them together, the computational load will increase exponentially because their computational loads are multiplicative. For example, if using ZK increases the computational load by a thousand times, and using FHE also increases it by a thousand times, then the combination would be a million times. In reality, the actual increase in computational load could be a trillion times.

So I think this is almost unfeasible right now unless there are really some use cases that require it.

Foresight News: In your view, what stage is the development of fully homomorphic encryption technology currently in? How far are we from large-scale applications?

Wei Dai: It is difficult to say what stage this technology is at from an absolute perspective; I think this question can be explained by the relative positioning of FHE with other technologies.

If you talk to people working at FHE companies like Zama or Duality, they would say that the overall development of FHE is lagging behind ZK by a few years. Specifically, how many years behind? Some people might say two to three years, others might say five to six years, and some even think it could be as long as ten years. The reason for the different opinions is that people look at different metrics, such as the number of developers, the number of technical papers, or the number of new applications based on this technology.

I haven't done a very comprehensive review on this, but based on my personal interactions with these communities, I believe that if we average these metrics, then FHE's development is roughly three to four years behind ZK.

ZK has been getting faster, and so has FHE. So how far are we from large-scale applications of FHE? I think we are actually very close. (In terms of FHE) the first generation of projects is just coming online for testnets, and the mainnet will launch later this year, so I think we are about to see this (referring to the large-scale application of FHE). If we measure the computational overhead in these real systems now, FHE still has a bit more overhead than ZKP. However, once something goes into production, if it sees active adaptation and can scale, it can start to grow relatively quickly, usually resulting in exponential growth. We can look at ZK rollup, which went from a theoretical concept to actual use in a relatively short time and has already secured billions of dollars in value.

Foresight News: In terms of implementation, what bottlenecks does fully homomorphic encryption technology (FHE) currently face? For example, computational efficiency, key management, etc. What issues do you think still need to be tackled in terms of algorithm optimization, hardware acceleration, and so on?

Wei Dai: First of all, there are definitely many challenges that need to be solved. For FHE, the problem often lies in bootstrapping. Bootstrapping is actually a crazy thing; it involves a lot of computation, but it is gradually decreasing with algorithm improvements and general engineering optimizations.

It turns out that there are other types of schemes that can avoid bootstrapping, which may be more efficient for ML (machine learning). If you use specialized classical computation, you can actually optimize for it. Especially for computations that do not run for long periods and are more like one-time computations, such as AI inference. There has not been much commercial effort focused on optimizing specific classical computations and putting a lot of effort into a specific direction. What Zama is currently doing for on-chain computation is very general, which means it is not as efficient because every step requires bootstrapping.

There are also some challenges in key management. Zama's fhEVM, Inco, or Phoenix require threshold key management, where you have a group of validators who collectively have the ability to decrypt. I think this is on the roadmap, but Zama has not fully realized this yet. This is an obstacle that needs to be overcome; otherwise, a single validator still has a single point of failure in being able to decrypt.

Foresight News: As a research partner at 1kx, from an investment perspective, what technical directions and application scenarios in the field of fully homomorphic encryption do you think are worth paying attention to? What is the market outlook? What are the main opportunities and challenges?

Wei Dai: I think it is particularly worth paying attention to not just fully homomorphic encryption, but also threshold fully homomorphic encryption (threshold FHE or TFHE), which is the combination of FHE (fully homomorphic encryption), MPC (multi-party computation), and blockchain. This special combination will unlock a whole new set of use cases. I am very excited about this.

In fact, before Zama even started working on fhEVM, I had been discussing the application of TFHE on the blockchain. We recently led an investment in Inco, which is built on Zama and aims to launch fhEVM use cases. They are working with some partners to develop small use cases like slot machines, casinos, commercial payments, and gaming. I am excited to see the first batch of applications hitting the market.

Additionally, it is also very developer-friendly because it is easy to program; you just need to operate Solidity. And you know, if you need developers to program in a custom programming language, it becomes much harder to see applications, as seen with ZK. But it turns out that in this very good form, FHE is connected to the chain, and developers do not need to think about FHE at all; it is a very simple type of encrypted data, and performing very simple operations on it allows you to decrypt everything programmatically in Solidity. So I think this is the main area I am most excited about in the next year or two.

Moreover, there are many other emerging areas. Another point about this on-chain FHE is that the computations typically done in smart contracts are really short and concise. Because smart contract applications are designed around limited computing environments like Ethereum, something like Uniswap is actually very lightweight. So it is really well-suited for FHE because FHE is currently not very efficient.

Besides that, I think other forms of FHE may see more applications. When FHE was initially discussed, what really excited the cryptography community was the outsourcing of computation. If there is data—whether owned by users or organizations—then that data can be outsourced to others for computation. Perhaps you will have an ML use case where everyone's data is actually encrypted, but you can still use it as training data.

Although these are still more distant, I believe there are great teams researching these directions. Perhaps in the future, we can see machine learning inference, machine learning, and even machine learning training being done within FHE.

Foresight News: In terms of regulation, there are differences in attitudes towards crypto technology in different countries and regions. Especially with the development of AI, data privacy is becoming increasingly important. How do you think the regulatory environment may evolve in the future? What impact will this have on the research and application of fully homomorphic encryption technology?

Wei Dai: I don't know much about the regulatory aspects of privacy. But I know there are two main types of privacy: data privacy and financial asset privacy. These two are vastly different, but sometimes people conflate them when talking about privacy. In reality, these two different types of privacy also need to be distinguished, and there needs to be more social consensus on this.

Now, when people talk about regulation, they think we should have a lot of data privacy, but financial privacy is a gray area. I believe FHE can play a role in both areas, but it is certainly more directly applicable to the data privacy part. Currently, large tech companies profit from user data, and through FHE, users can potentially retain data ownership and somehow sell data to large tech companies. This way, there is still some social positive effect, which is training models based on this data, advertisers accessing user data in a controlled manner, while users can have data autonomy.

Foresight News: Looking ahead to the next three to five years, what are your expectations for the development of fully homomorphic encryption technology? What potential technological breakthroughs could change the landscape?

Wei Dai: I do not expect to see any groundbreaking changes, but rather gradual improvements. All these related factors—theory, software, hardware, algorithms, etc.—are cumulative, and each layer will see improvements. Over time, you will see steady improvements in computational load and developer experience, making this technology increasingly usable.

FHE is currently at the stage of going from zero to one, but at the same time, it is also on the track of going from one to ten. I want to reiterate that the development of FHE requires progress in hardware, software, theory, and developer experience, and I believe there are some interesting companies working in these areas.

Foresight News: 1kx has already made a lot of investments in ZK. What about in FHE? Besides the Inco project you just mentioned, are you looking at other projects, and is there a possibility of further betting on the FHE track in the future?

Wei Dai: Yes, we have invested in a network company called Inco, but we have also invested in hardware. I cannot disclose too many details at this time, but we are looking at the entire technology stack. I think this is a very exciting moment, and in three to five years, we will see how far this field can go.