Compile-Time Fully Homomorphic Encryption: Eliminating Online Encryption via Algebraic Basis Synthesis

Abstract

We propose a new framework for compile-time ciphertext synthesis in fully homomorphic encryption (FHE) systems. Instead of invoking encryption algorithms at runtime, our method synthesizes ciphertexts from precomputed encrypted basis vectors using only homomorphic additions, scalar multiplications, and randomized encryptions of zero. This decouples ciphertext generation from encryption and enables efficient batch encoding through algebraic reuse. We formalize this technique as a randomized module morphism and prove that it satisfies IND-CPA security. Our proof uses a hybrid game framework that interpolates between encrypted vector instances and reduces the adversarial advantage to the indistinguishability advantage of the underlying FHE scheme. This reduction structure captures the security implications of ciphertext basis reuse and structured noise injection. The proposed synthesis primitive supports fast, encryption-free ingestion in outsourced database systems and other high-throughput FHE pipelines. It is compatible with standard FHE APIs and preserves layout semantics for downstream homomorphic operations.

1. Introduction

1.1. Background and Motivation

Fully homomorphic encryption (FHE) [1,2,3] has become a foundational tool for secure outsourced computation, especially in the context of untrusted cloud-based data management. One prominent application scenario involves outsourced database systems [4], where data owners upload encrypted records to untrusted servers while retaining the ability to execute structured queries, such as selections, aggregations, and joins, directly over encrypted data.

While recent advances in FHE have significantly reduced the cost of homomorphic operations [5], the act of encryption itself remains a major bottleneck. This asymmetry is particularly pronounced in streaming and dynamic database environments, where data ingestion is frequent and continuous, whereas query frequency may be sporadic or lightweight in comparison. In such settings, the performance-critical path is often not the homomorphic evaluation, but the initial data encryption.

To address this, the Rache system [6] proposed an encryption caching technique in which ciphertexts are precomputed for each individual plaintext value and reused when needed. However, this approach fundamentally assumes that each message is a scalar plaintext. In practice, most FHE applications—including encrypted database systems—rely on batch encoding, where a vector of plaintext values is packed into a single ciphertext using polynomial embeddings. This batching mechanism is essential for scalability and aligns with SIMD-style vectorized processing.

Unfortunately, scalar precomputation schemes such as Rache do not generalize to batched encodings. Attempting to precompute ciphertexts on a per-coordinate basis breaks the structural invariants of the encoded plaintext polynomial, leading to semantically invalid ciphertexts and disrupting the vector semantics needed for homomorphic rotation, slot-wise evaluation, and packed aggregation.

This mismatch raises a fundamental question:

Can we perform ciphertext precomputation at the vector level, while preserving compatibility with FHE’s batched encoding and without performing any encryption at runtime?

1.2. Proposed Work

In this paper, we propose a new algebraic framework for compile-time ciphertext generation in batched fully homomorphic encryption (FHE) systems. The central idea is to decouple ciphertext generation from encryption by defining a reusable synthesis interface, that is, a randomized module morphism that constructs ciphertexts from precomputed encrypted bases.

We model the plaintext space as a finite ${\mathbb{Z}}_t$-module, where each vector can be expressed as a linear combination of standard basis elements. Prior to deployment, we precompute and cache the encryptions of these basis vectors—each embedded via batching into a polynomial ring such as $R={\mathbb{Z}}_q\left[x\right]/\left(f\left(x\right)\right)$. At runtime, a new plaintext vector $\mathbf{m}={\sum }_i{\alpha }_i{e}_i$ is encrypted by computing the linear combination ${\sum }_i{\alpha }_i·{\mathbf{c}}_i$, where each ${\mathbf{c}}_i=\mathsf{Enc}\left(e_i\right)$ is a cached ciphertext. This process eliminates all online encryption operations, relying solely on ciphertext-level addition and scalar multiplication.

To ensure semantic security, we augment the synthesized ciphertext with a random masking term drawn from a pool of independently generated encryptions of the zero vector. Each noise ciphertext is sampled offline using fresh randomness, forming a high-entropy ensemble over $\mathsf{Enc}\left(0\right)$. This masking strategy maintains IND-CPA indistinguishability while preserving layout compatibility for downstream computation.

The resulting framework enables ciphertext synthesis that is both algebraically sound and cryptographically secure. By defining ciphertext generation as a randomized morphism over the module structure, we obtain a compile-time encryption primitive with provable security guarantees under standard assumptions. Our proof strategy uses a hybrid game reduction that bounds adversarial advantage in terms of the IND-CPA security of the underlying FHE scheme.

Finally, this synthesis-based approach provides practical benefits in system-level deployments. In settings such as outsourced encrypted databases or streaming data pipelines, where high-throughput ingestion is required, our method enables an amortized encryption-free runtime path. It integrates seamlessly with existing FHE APIs, preserves slot semantics, and supports symbolic downstream operations such as rotation, packing, and aggregation.

1.3. Contributions

This paper provides the following contributions:

• An algebraic interface for compile-time encryption. We introduce a formal abstraction for ciphertext synthesis based on randomized module morphisms, capturing a reusable and backend-agnostic structure for encrypted vector generation.
• A concrete realization via basis caching. We instantiate this interface using a precomputed ciphertext basis and randomized zero masking, enabling ciphertext synthesis without any encryption at runtime.
• Formal security under standard assumptions. We prove that the synthesis procedure satisfies IND-CPA security, using a hybrid game argument that reduces the adversarial advantage to the underlying FHE encryption scheme.
• System-level compatibility and ingestion acceleration. Our framework defines a new primitive for encrypted data ingestion, preserving semantic compatibility with FHE APIs while reducing online encryption costs through compile-time vector-level reuse.

1.4. Applications

Compile-time ciphertext synthesis opens up a new paradigm for secure data processing, where encryption can be performed ahead of time, entirely offline, during system compilation or data preparation. This approach is especially advantageous in applications where the structure of data or queries is known in advance, allowing encryption to be decoupled from runtime execution. We highlight several scenarios where this model offers both practical benefits and security guarantees.

1.4.1. Immutable Outsourced Databases

Many outsourced databases—such as regulatory archives, financial ledgers, and versioned scientific repositories—have a largely static or append-only structure. For such deployments, it is feasible to precompile encrypted representations of frequently queried values (e.g., thresholds, aggregates, or classification anchors). By performing encryption at compile time, our approach eliminates the runtime cost of public-key encryption and enables efficient query execution on homomorphically encoded data.

1.4.2. Query Template Compilation in ML Inference Pipelines

In privacy-preserving machine learning systems, inference often relies on a fixed set of queries over encrypted input embeddings. For example, content moderation systems, facial recognition modules, or document classifiers typically evaluate a static model against varying input data. By compiling encrypted model weights and template vectors offline, our method removes the need to encrypt model-side data during inference, reducing latency and client-side load.

1.4.3. Secure Code Generation for Embedded Systems

Resource-constrained devices such as IoT sensors or edge processors cannot afford online encryption due to limited computation and power. Using compile-time encrypted constants (e.g., reference thresholds, expected sensor baselines), developers can generate firmware that embeds ciphertexts directly into the binary. These constants can then participate in encrypted computation (e.g., homomorphic comparison or aggregation) without leaking plaintext or requiring runtime cryptographic operations.

1.4.4. Pre-Encrypted Search in Compliance Auditing

Auditing frameworks often evaluate a known set of rules or compliance conditions against a stream of incoming records. Since the conditions (e.g., legal thresholds, policy markers) are fixed, our compile-time encryption approach allows these rules to be encoded once and reused across audits. This improves performance and ensures that sensitive audit logic remains protected throughout the process.

These scenarios demonstrate the practical value of separating encryption from execution. By enabling encryption to occur during compilation or deployment—rather than in response to each runtime query—our framework reduces online overhead while preserving full homomorphic compatibility and security guarantees.

2. Preliminaries

2.1. Algebraic Structures

2.1.1. Group

A group is a set G equipped with a binary operation $·:G\times G\to G$ that satisfies the following three properties: associativity ($(a·b)·c=a·(b·c)$ for all $a,b,c\in G$), the existence of an identity element $e\in G$ such that $e·g=g$ for all $g\in G$, and the existence of inverses, meaning that for every $g\in G$ there exists an element $g^{-1}\in G$ with $g·g^{-1}=e$. If the operation is also commutative—i.e., $g_1·g_2=g_2·g_1$ for all $g_1,g_2\in G$—then G is called an abelian group. Abelian groups are the additive backbone of many algebraic structures, including rings, modules, and vector spaces, and play a central role in the algebraic foundations of cryptography.

2.1.2. Ring

A ring is a set R equipped with two binary operations + and · such that $(R,+)$ forms an abelian group and $(R,·)$ is associative and distributes over addition. Many FHE schemes are defined over polynomial rings of the form $R_q={\mathbb{Z}}_q\left[x\right]/\left(f\left(x\right)\right)$, where $f\left(x\right)$ is typically a cyclotomic polynomial. These rings support efficient arithmetic while maintaining the algebraic structure needed for encryption homomorphism.

2.1.3. Field

A field is a commutative ring $(F,+,·)$ in which every non-zero element has a multiplicative inverse. Fields serve as the underlying scalars for modules and vector spaces and are often used for defining plaintext domains in leveled FHE schemes, especially those based on arithmetic circuits over ${\mathbb{Z}}_p$ or ${\mathbb{F}}_q$.

2.1.4. Vector Space

Let F be a field. A vector space over F is a set V equipped with an abelian group structure $(V,+)$ and a scalar multiplication operation $F\times V\to V$, such that scalar multiplication distributes over both field addition and vector addition, and respects associativity and identity with respect to F. Unlike Euclidean vectors, the elements of V need not have coordinates or geometric form—they may be functions, polynomials, or other algebraic objects. What matters is that linear combinations of elements using scalars from F remain within V.

2.1.5. Module

A module is a generalization of a vector space where the scalars form a ring instead of a field. Given a ring, R, an R-module, M, is an abelian group with a scalar multiplication $R\times M\to M$ satisfying linearity properties. In batched FHE systems, plaintext vectors can be viewed as elements in an R-module, and encryption functions act as module homomorphisms (preserving both addition and scalar multiplication).

2.2. Fully Homomorphic Encryption Schemes (Based on Arithmetic Operations)

2.2.1. Gentry’s Thesis

Gentry’s seminal 2009 thesis [1] introduced the first fully homomorphic encryption (FHE) scheme, based on ideal lattices and bootstrapping. The scheme supported the evaluation of arbitrary circuits over encrypted data but was initially impractical due to large ciphertext sizes and expensive noise management. Bootstrapping remains a defining feature of FHE, allowing the refreshing of ciphertexts to sustain arbitrary computation depth.

2.2.2. Schemes for Integers

Integer-based schemes, such as BGV [7] and BFV [2], operate over plaintexts in ${\mathbb{Z}}_t^n$, encoded into polynomials and encrypted using ring-LWE hardness assumptions. These schemes enable both additive and multiplicative homomorphisms and support batching via the Chinese remainder theorem (CRT). Integer-based schemes are widely used in database-style workloads due to their modular arithmetic semantics.

2.2.3. Schemes for Floating Numbers

CKKS [3] is a prominent FHE scheme that supports approximate arithmetic over complex numbers. It encodes floating-point vectors into plaintext polynomials and allows multiplicative and additive homomorphisms with controllable error. CKKS is particularly useful in machine learning and numerical workloads due to its natural support for dot products and real-valued activation functions.

2.3. Encoding and Encryption of Arithmetic FHE Schemes over Vectors

Modern arithmetic FHE schemes such as BGV [7], BFV [2], and CKKS [3] support batch encryption, enabling multiple plaintext values to be packed into a single ciphertext. This is achieved by leveraging the Chinese remainder theorem (CRT) structure of the underlying plaintext ring and encoding vectors as elements in a quotient ring.

Let t be the plaintext modulus and N be a power-of-two cyclotomic order. The plaintext ring is defined as follows:

$$R_t:={\mathbb{Z}}_t\left[x\right]/(x^N+1),$$

which is isomorphic (under suitable conditions) to the direct product of N scalar slots:

$$R_t\cong {\mathbb{Z}}_t^N.$$

This isomorphism allows a plaintext vector $\mathbf{m}=(m_0,\dots ,m_{N-1})\in {\mathbb{Z}}_t^N$ to be encoded as a polynomial $m\left(x\right)\in R_t$ using either coefficient embedding (for BFV/BGV) or canonical embedding (for CKKS).

The encryption algorithm is then applied to $m\left(x\right)$ in the larger ring $R_q:={\mathbb{Z}}_q\left[x\right]/(x^N+1)$, where $q\gg t$ is the ciphertext modulus. A standard public key encryption (PKE) procedure yields a ciphertext as follows:

$${\mathsf{Enc}}_{pk}\left(m\right)=\mathbf{c}=(c_0\left(x\right),c_1\left(x\right))\in R_q^2,$$

such that decryption satisfies the following:

$${\mathsf{Dec}}_{sk}\left(\mathbf{c}\right)=m\left(x\right)+e\left(x\right)\in R_q,$$

where $e\left(x\right)$ is a bounded noise polynomial, and the final message is recovered modulo t.

In CKKS, the encoding maps complex vectors into ${\mathbb{C}}^N$ via canonical embedding, and the decryption process recovers an approximation of the original message, i.e.,

$${\mathsf{Dec}}_{sk}\left(\mathbf{c}\right)\approx m\left(x\right),$$

with multiplicative noise that grows during homomorphic operations.

The packed ciphertext $\mathbf{c}$ supports component-wise homomorphic operations such as addition and scalar multiplication:

$$\mathsf{Enc}({\mathbf{m}}_1+{\mathbf{m}}_2)=\mathsf{Enc}\left({\mathbf{m}}_1\right)+\mathsf{Enc}\left({\mathbf{m}}_2\right),\mathsf{Enc}(a·\mathbf{m})=a·\mathsf{Enc}\left(\mathbf{m}\right),$$

where $a\in {\mathbb{Z}}_t$.

More advanced operations, such as slot-wise rotation and permutation, are implemented using Galois keys, enabling ciphertext manipulation without decryption.

This batched encoding mechanism enables SIMD-style parallelism across slots and is crucial for performance in encrypted databases, neural networks, and scientific computing pipelines. However, it also imposes structural constraints on how ciphertexts must be constructed and interpreted—constraints that any precomputation or synthesis-based encryption technique must preserve.

3. Abstract Interface for Compile-Time Ciphertext Synthesis

We formalize the notion of compile-time encrypted vector construction as an algebraic interface. This interface captures the essential properties of synthesis-based ciphertext generation schemes, enabling reasoning about structure, security, and reusability without reference to a particular cryptographic encoding.

3.1. Interface Semantics

Let ${\mathbb{Z}}_t^d$ denote the plaintext module and $R_q^k$ the ciphertext module under a leveled fully homomorphic encryption scheme. A ciphertext synthesis interface is a randomized map:

$$\mathsf{SynthEnc}:{\mathbb{Z}}_t^d\to R_q^k$$

parameterized by an encrypted basis $\mathcal{B}=\{{\mathbf{c}}_1,\dots ,{\mathbf{c}}_d\}$ and a randomness distribution ${\mathcal{D}}_{\mathsf{zero}}$ over noise terms.

In its deterministic core, $\mathsf{SynthEnc}$ acts as a ${\mathbb{Z}}_t$-module homomorphism:

$${\mathsf{SynthEnc}}_0\left(\mathbf{m}\right):=\sum _{i=1}^d{m}_i·{\mathbf{c}}_i.$$

To ensure semantic security, which is composed of a noise-injection layer:

$$\mathsf{SynthEnc}:=\mathsf{NoiseInject}\circ {\mathsf{SynthEnc}}_0,$$

where $\mathsf{NoiseInject}$ is a randomized endofunctor over the ciphertext category, mapping ciphertexts to indistinguishable variants while preserving decryption correctness.

This interface can be viewed as a morphism in a fibered category of encrypted modules, where each instantiation lifts a plaintext vector to an encrypted fiber over the base ring ${\mathbb{Z}}_t$. The structure of $\mathcal{B}$ defines the embedding geometry, while noise preserves indistinguishability across fibers.

3.2. Correctness as Exactness

Decryption defines a projection $\mathsf{Dec}:R_q^k\to {\mathbb{Z}}_t^d$. Interface correctness requires the following:

$$\mathsf{Dec}\circ \mathsf{SynthEnc}\left(\mathbf{m}\right)=\mathbf{m}\mathrm{for}\mathrm{all}\mathbf{m}\in {\mathbb{Z}}_t^d,$$

except with negligible error due to noise overflow. This condition corresponds to the existence of an exact sequence:

$$0\to \mathcal{N}\to R_q^k\stackrel{\mathsf{Dec}}{\to }{\mathbb{Z}}_t^d\to 0,$$

where $\mathcal{N}$ is the noise submodule. The synthesis interface produces ciphertexts in the preimage of $\mathbf{m}$ under $\mathsf{Dec}$, with the randomness distributed across $\mathcal{N}$.

3.3. Security Definition

We define IND-CPA security of $\mathsf{SynthEnc}$ via a two-message challenge game, assuming the basis $\mathcal{B}$ and noise pool are fixed and public. For all PPT adversaries $\mathcal{A}$, we define the advantage:

$${\mathsf{Adv}}_{\mathsf{SynthEnc}}^{\mathsf{IND}-\mathsf{CPA}}\left(\lambda \right):=\left|Pr[b^{\prime }=b]-{\displaystyle \frac{1}{2}}\right|.$$

The interface is secure if this advantage is negligible in $\lambda$, under the assumption that the noise distribution ${\mathcal{D}}_{\mathsf{zero}}$ consists of honest encryptions of 0 under a semantically secure scheme.

3.4. Interface Instantiability

The concrete scheme described in Section 4 instantiates $\mathsf{SynthEnc}$ via precomputed encryptions of unit basis vectors, along with a finite pool of randomized zero ciphertexts. However, the abstraction also encompasses alternative instantiations with nonstandard bases, structured embedding layouts, or symbolic synthesis graphs. The interface framework allows such instantiations to be analyzed uniformly with respect to algebraic behavior and security constraints.

4. Vector Caching for FHE

We now present a concrete instantiation of the abstract interface defined in Section 3. This instantiation realizes the $\mathsf{SynthEnc}$ map using a precomputed ciphertext basis and a pool of randomized zero encryptions. The construction satisfies the algebraic and security properties of the interface and forms the foundation for our compile-time FHE pipeline.

We begin by specifying notation and algebraic context, followed by the basis construction, randomized synthesis procedure, and runtime algorithms.

4.1. Notation

Let $R_t={\mathbb{Z}}_t\left[x\right]/\left(f\left(x\right)\right)$ and $R_q={\mathbb{Z}}_q\left[x\right]/\left(f\left(x\right)\right)$ denote the plaintext and ciphertext polynomial rings, respectively, where $f\left(x\right)=x^N+1$ is a power-of-two cyclotomic polynomial. Let N denote the ring degree and $d\le N$ be the number of plaintext slots (i.e., the batch size).

We denote by $\mathcal{B}=\{{\mathbf{c}}_1,\dots ,{\mathbf{c}}_d\}$ a set of precomputed ciphertexts, where each

$${\mathbf{c}}_i=\mathsf{Enc}\left(e_i\right)$$

is the encryption of the i-th unit basis vector $e_i\in {\mathbb{Z}}_t^d$, embedded into $R_t$ via coefficient or canonical embedding.

Let $\mathsf{Enc}:R_t\to R_q^k$ be a semantically secure public-key FHE encryption scheme with homomorphic addition and scalar multiplication, and let $\mathsf{Dec}:R_q^k\to R_t$ be the corresponding decryption function.

We use $\mathbf{m}\in {\mathbb{Z}}_t^d$ to denote the plaintext vector to be encrypted, and let ${\mathsf{EncBasis}}_{\mathcal{B}}\left(\mathbf{m}\right)$ denote the synthesized ciphertext produced from basis $\mathcal{B}$.

4.2. Construction

We define the synthesized ciphertext ${\mathsf{SynthEnc}}_{\mathcal{B}}\left(\mathbf{m}\right)$ as follows:

$${\mathsf{SynthEnc}}_{\mathcal{B}}\left(\mathbf{m}\right):=\sum _{i=1}^d{m}_i·{\mathbf{c}}_i.$$

This construction does not invoke the encryption algorithm at runtime. Instead, it reuses precomputed ciphertexts of basis vectors and leverages the linear homomorphic properties of the FHE scheme:

• $\mathsf{Enc}\left({\mathbf{m}}_1\right)+\mathsf{Enc}\left({\mathbf{m}}_2\right)=\mathsf{Enc}({\mathbf{m}}_1+{\mathbf{m}}_2)$,
• $a·\mathsf{Enc}\left(\mathbf{m}\right)=\mathsf{Enc}(a·\mathbf{m})$ for $a\in {\mathbb{Z}}_t$.

The correctness of this construction follows directly from the module structure of the plaintext space and the preservation of linear operations under FHE encryption:

$$\mathsf{Dec}\left(\sum _{i=1}^d{m}_i·\mathsf{Enc}\left(e_i\right)\right)=\sum _{i=1}^d{m}_i·e_i=\mathbf{m}.$$

4.3. Randomization

To ensure semantic security and prevent deterministic ciphertext reuse, we inject a random ciphertext of zero into each synthesized output. Let $\mathcal{R}=\{{\mathbf{r}}_1,\dots ,{\mathbf{r}}_s\}$ be a pool of independently generated encryptions of the zero vector:

$${\mathbf{r}}_j\leftarrow \mathsf{Enc}\left(0^d\right),j\in \left[s\right],$$

where each ${\mathbf{r}}_j$ has fresh encryption randomness. During synthesis, we select a random index $j\leftarrow \left[s\right]$ and output:

$${\mathsf{SynthEnc}}_{\mathcal{B}}^{\mathcal{R}}\left(\mathbf{m}\right):=\sum _{i=1}^d{m}_i·{\mathbf{c}}_i+{\mathbf{r}}_j.$$

This randomization ensures that multiple encryptions of the same plaintext vector $\mathbf{m}$ yield computationally indistinguishable ciphertexts, satisfying IND-CPA under the assumption that $\mathsf{Enc}$ is semantically secure.

4.4. Overall Algorithm

We now describe the full pipeline for compile-time encryption via vector synthesis. The process is divided into the following stages: (1) an offline precomputation stage in which the ciphertext basis and randomized noise pool are constructed, and (2) a runtime synthesis stage that generates ciphertexts for arbitrary plaintext vectors using only cached ciphertexts and ciphertext-level operations.

Algorithm 1 initializes the ciphertext basis $\mathcal{B}$ by encrypting the standard basis vectors $e_i\in {\mathbb{Z}}_t^d$ using the public key. These basis vectors are embedded into the polynomial ring and encrypted using the FHE scheme’s batch encoding interface. In addition, a pool $\mathcal{R}$ of randomized encryptions of the all-zero vector is generated. Each ${\mathbf{r}}_j\in \mathcal{R}$ is independently sampled using fresh encryption randomness to ensure semantic variability.

Algorithm 1: $\mathsf{PrecomputeBasisAndNoise}(d,s,pk)$

Input: Dimension d; number of random noise samples s; public key $pk$       Output: Cached basis $\mathcal{B}=\{{\mathbf{c}}_1,\dots ,{\mathbf{c}}_d\}$; noise pool $\mathcal{R}=\{{\mathbf{r}}_1,\dots ,{\mathbf{r}}_s\}$

At runtime, Algorithm 2 takes as input a plaintext vector $\mathbf{m}=(m_1,\dots ,m_d)$ and synthesizes the corresponding ciphertext by computing a linear combination of the precomputed basis ciphertexts:

$$\mathbf{c}=\sum _{i=1}^d{m}_i·{\mathbf{c}}_i+\mathbf{r},$$

where $\mathbf{r}\in \mathcal{R}$ is a randomly chosen noise ciphertext. The final ciphertext is computationally indistinguishable from a freshly encrypted version of $\mathbf{m}$ under IND-CPA security, assuming the underlying encryption scheme satisfies semantic security.

Algorithm 2: $\mathsf{SynthEnc}(\mathbf{m};\mathcal{B},\mathcal{R})$

Input: Plaintext vector $\mathbf{m}\in {\mathbb{Z}}_t^d$;                           Precomputed basis $\mathcal{B}=\{{\mathbf{c}}_1,\dots ,{\mathbf{c}}_d\}$;                           Noise pool $\mathcal{R}=\{{\mathbf{r}}_1,\dots ,{\mathbf{r}}_s\}$.       Output: Ciphertext $\mathbf{c}$ such that ${\mathsf{Dec}}_{sk}\left(\mathbf{c}\right)=\mathbf{m}$.

Complexity

The runtime cost of $\mathsf{SynthEnc}$ is linear in the vector dimension, d, requiring d ciphertext-level scalar multiplications and $d+1$ additions over the ciphertext module $R_q^k$. Assuming constant-time modular operations—as achieved in NTT-optimized FHE backends—the total runtime per synthesized ciphertext is $\mathcal{O}\left(d\right)$. The offline precomputation phase involves $\mathcal{O}(d+s)$ encryption calls, where d is the number of basis vectors and s is the size of the randomized zero pool. Once initialized, the online phase is encryption-free and parallelizable across slots, enabling high-throughput ingestion without repeated use of cryptographic primitives.

5. Correctness and Noise Analysis

In this section, we analyze the correctness and noise behavior of the proposed ciphertext synthesis procedure under standard fully homomorphic encryption (FHE) semantics. Our focus is to verify that synthesized ciphertexts decrypt correctly to their intended plaintext vectors and remain compatible with subsequent homomorphic operations.

5.1. Decryption

Let $\mathbf{c}\in R_q^k$ be a ciphertext synthesized via Algorithm 2, i.e.,

$$\mathbf{c}=\sum _{i=1}^d{m}_i·\mathsf{Enc}\left(e_i\right)+\mathsf{Enc}\left(0\right),$$

where each $\mathsf{Enc}\left(e_i\right)=(c_{i,0},c_{i,1})$ is a ciphertext encrypting a basis vector $e_i\in {\mathbb{Z}}_t^d$ under standard polynomial encoding.

Decryption proceeds using the secret key $sk=s\left(x\right)$:

$${\mathsf{Dec}}_{sk}\left(\mathbf{c}\right)=\left(\sum _{i=1}^d{m}_i·e_i\right)+e\left(x\right)=\mathbf{m}+e\left(x\right)\in R_q,$$

where $e\left(x\right)$ is the aggregated noise term arising from the homomorphic additions and scalar multiplications.

Correct decryption holds as long as

$${\parallel e\left(x\right)\parallel }_{\infty }<{\displaystyle \frac{q}{2t}},$$

ensuring that reduction modulo t eliminates noise and yields the correct plaintext vector.

5.2. Homomorphic Addition

Let ${\mathbf{c}}^{\left(1\right)}=\mathsf{SynthEnc}\left({\mathbf{m}}_1\right)$ and ${\mathbf{c}}^{\left(2\right)}=\mathsf{SynthEnc}\left({\mathbf{m}}_2\right)$ be two synthesized ciphertexts. Their homomorphic sum is as follows:

$${\mathbf{c}}^{\left(1\right)}+{\mathbf{c}}^{\left(2\right)}=\sum _i(m_i^{\left(1\right)}+m_i^{\left(2\right)})·{\mathbf{c}}_i+({\mathbf{r}}^{\left(1\right)}+{\mathbf{r}}^{\left(2\right)}).$$

By linearity of encryption and noise:

$$\mathsf{Dec}({\mathbf{c}}^{\left(1\right)}+{\mathbf{c}}^{\left(2\right)})={\mathbf{m}}_1+{\mathbf{m}}_2+e\left(x\right),$$

where the new noise $e\left(x\right)$ is the sum of the individual noise components from both ciphertexts. Assuming noise growth is additive, we have the following:

$${\parallel e\left(x\right)\parallel }_{\infty }\le \parallel e^{\left(1\right)}{\left(x\right)\parallel }_{\infty }+{\parallel e^{\left(2\right)}\left(x\right)\parallel }_{\infty }.$$

Thus, additive homomorphism is preserved, and the noise growth is predictable and controlled.

5.3. Homomorphic Multiplication

Let ${\mathbf{c}}^{\left(1\right)}=\mathsf{SynthEnc}\left({\mathbf{m}}_1\right)$ and ${\mathbf{c}}^{\left(2\right)}=\mathsf{SynthEnc}\left({\mathbf{m}}_2\right)$ be synthesized ciphertexts represented in a two-component form:

$${\mathbf{c}}^{\left(1\right)}=(c_0^{\left(1\right)},c_1^{\left(1\right)}),{\mathbf{c}}^{\left(2\right)}=(c_0^{\left(2\right)},c_1^{\left(2\right)}).$$

Their homomorphic product ${\mathbf{c}}^{\left(1\right)}·{\mathbf{c}}^{\left(2\right)}$ yields a ciphertext with three components:

$${\mathbf{c}}^{\left(\mathrm{mult}\right)}=(d_0,d_1,d_2),\mathrm{where}$$

$$\begin{array}{cc}\hfill d_0& =c_0^{\left(1\right)}·c_0^{\left(2\right)},\hfill \\ \hfill d_1& =c_0^{\left(1\right)}·c_1^{\left(2\right)}+c_1^{\left(1\right)}·c_0^{\left(2\right)},\hfill \\ \hfill d_2& =c_1^{\left(1\right)}·c_1^{\left(2\right)}.\hfill \end{array}$$

To convert this ciphertext back into the standard two-component form $(c_0^{\prime },c_1^{\prime })$, a relinearization step is required. Given a relinearization key $rk=\mathsf{Enc}\left(s^2\right)$, we perform the following:

$${\mathbf{c}}^{\left(\mathrm{rel}\right)}=\mathsf{Relin}\left({\mathbf{c}}^{\left(\mathrm{mult}\right)}\right)=(d_0+{\mathsf{RLK}}_0\left(d_2\right),d_1+{\mathsf{RLK}}_1\left(d_2\right)),$$

where ${\mathsf{RLK}}_0$, ${\mathsf{RLK}}_1$ are decomposition-based key-switching functions:

$${\mathsf{RLK}}_j\left(d_2\right)=\mathrm{KeySwitch}(d_2,r{k}_j),j\in \{0,1\}.$$

This yields a valid ciphertext of ${\mathbf{m}}_1\circ {\mathbf{m}}_2$, where ∘ denotes slot-wise multiplication (or approximate multiplication in CKKS). The resulting noise grows quadratically:

$$\parallel e_{\mathrm{mult}}{\left(x\right)\parallel }_{\infty }=\mathcal{O}(\parallel e^{\left(1\right)}{\left(x\right)\parallel }_{\infty }·\parallel e^{\left(2\right)}\left(x\right){\parallel }_{\infty }+\mathrm{RelinNoise}).$$

In leveled schemes, such as BFV or BGV, a modulus-switching step may be applied post-multiplication to reduce noise. Given a modulus chain, $q_L>q_{L-1}>\cdots >q_0$, switching from level ℓ to $\ell -1$ involves rescaling:

$$\mathbf{c}\leftarrow {\mathsf{ModSwitch}}_{q_{\ell }\to q_{\ell -1}}\left(\mathbf{c}\right),$$

and correspondingly:

$${\parallel e\left(x\right)\parallel }_{\infty }\leftarrow {\displaystyle \frac{q_{\ell -1}}{q_{\ell }}}·{\parallel e\left(x\right)\parallel }_{\infty }.$$

However, modulus switching also introduces the rounding error, and in schemes like CKKS, approximate rescaling impacts decryption accuracy.

Hence, homomorphic multiplication in synthesized ciphertexts is functionally identical to native ciphertext multiplication but inherits the usual cost in both depth and noise. Correctness is maintained as long as the total noise remains below the decryption threshold:

$$\parallel e_{\mathrm{final}}{\left(x\right)\parallel }_{\infty }<{\displaystyle \frac{q_{\ell }}{2t}}.$$

6. Security Analysis

6.1. Security Model

We consider the standard notion of semantic security under the chosen-plaintext attack (IND-CPA). Let $\mathsf{Enc}:R_t\to R_q^k$ denote a semantically secure public-key encryption scheme. Let ${\mathsf{SynthEnc}}_{\mathcal{B}}^{\mathcal{R}}\left(\mathbf{m}\right)$ denote our proposed synthesized ciphertext construction using the precomputed basis $\mathcal{B}$ and randomized noise pool $\mathcal{R}$.

We define the adversary’s goal as distinguishing two synthesized ciphertexts corresponding to plaintext vectors of its choice, drawn from the same message space ${\mathbb{Z}}_t^d$. Formally, the IND-CPA experiment proceeds as follows:

Definition 1

(IND-CPA Game for Synthesized Encryption). Let $\mathcal{A}$ be a PPT adversary. The IND-CPA advantage of $\mathcal{A}$ in distinguishing synthesized ciphertexts is defined by the following game:

1. 

The challenger runs $\mathsf{KeyGen}\left(\right)\to (pk,sk)$ and sends $pk$ to $\mathcal{A}$.

2. 

The challenger computes $\mathcal{B}={\left\{{\mathsf{Enc}}_{pk}\left(e_i\right)\right\}}_{i=1}^d$ and $\mathcal{R}={\left\{{\mathsf{Enc}}_{pk}\left(0\right)\right\}}_{j=1}^s$, and gives $(\mathcal{B},\mathcal{R})$ to $\mathcal{A}$.

3. 

$\mathcal{A}$ submits two equal-length plaintext vectors $({\mathbf{m}}_0,{\mathbf{m}}_1)\in {\mathbb{Z}}_t^d\times {\mathbb{Z}}_t^d$.

4. 

The challenger selects $b\leftarrow \{0,1\}$ uniformly at random, and returns ${\mathbf{c}}^{*}={\mathsf{SynthEnc}}_{\mathcal{B}}^{\mathcal{R}}\left({\mathbf{m}}_b\right)$.

5. 

$\mathcal{A}$ outputs a guess $b^{\prime }\in \{0,1\}$.

We define the adversary’s advantage as follows:

$${\mathsf{Adv}}_{\mathsf{SynthEnc}}^{\mathsf{IND}-\mathsf{CPA}}\left(\mathcal{A}\right)=\left|Pr[b^{\prime }=b]-{\displaystyle \frac{1}{2}}\right|.$$

6.2. Assumptions and Reduction Strategy

Our security analysis is based on a standard reduction to the IND-CPA security of the underlying FHE encryption scheme.

We assume that the public-key encryption function $\mathsf{Enc}:R_t\to R_q^k$ is semantically secure under chosen-plaintext attacks. That is, for all PPT adversaries $\mathcal{B}$, consider the standard IND-CPA game:

• The challenger runs $\mathsf{KeyGen}\left(\right)\to (pk,sk)$ and sends $pk$ to $\mathcal{B}$.
• $\mathcal{B}$ submits two messages $m_0,m_1\in R_t$.
• A bit $b\leftarrow \{0,1\}$ is chosen uniformly at random, and the challenger returns ${\mathbf{c}}^{*}={\mathsf{Enc}}_{pk}\left(m_b\right)$.
• $\mathcal{B}$ outputs a guess $b^{\prime }\in \{0,1\}$.

We define the adversary’s advantage as follows:

$${\mathsf{Adv}}_{\mathsf{Enc}}^{\mathsf{IND}-\mathsf{CPA}}\left(\mathcal{B}\right)=\left|Pr[b^{\prime }=b]-{\displaystyle \frac{1}{2}}\right|.$$

We assume that ${\mathsf{Adv}}_{\mathsf{Enc}}^{\mathsf{IND}-\mathsf{CPA}}\left(\mathcal{B}\right)$ is negligible in the security parameter $\lambda$.

Our goal is to show that if any adversary $\mathcal{A}$ has a non-negligible advantage in the $\mathsf{SynthEnc}$ IND-CPA game (as defined above), then we can construct an adversary $\mathcal{B}$ that breaks the IND-CPA security of $\mathsf{Enc}$ with a non-negligible advantage.

This reduction proceeds via a sequence of hybrid games (detailed in the next section), in which each game-hop simulates one coordinate substitution between two synthesized ciphertexts. Each hop relies on the indistinguishability of encryptions under $\mathsf{Enc}$, and the cumulative advantage is bounded via a union bound over d coordinate transitions.

6.3. Provable Security

We now prove that if the underlying encryption scheme $\mathsf{Enc}$ is IND-CPA secure, then the synthesized encryption scheme $\mathsf{SynthEnc}$ is also IND-CPA secure.

Our strategy is to construct a sequence of hybrid games ${\left\{G_i\right\}}_{i=0}^{d+1}$, where $G_0$ corresponds to the challenge ciphertext generated using ${\mathbf{m}}_0$, and $G_{d+1}$ corresponds to the ciphertext for ${\mathbf{m}}_1$. In each intermediate game $G_i$, the first i coordinates of ${\mathbf{m}}_0$ are replaced with those of ${\mathbf{m}}_1$, while the remaining coordinates remain unchanged. By bounding the distinguishing advantage between successive games, we obtain the final security bound via a standard hybrid argument.

6.3.1. Game $G_0$

This is the real-world experiment with the challenge ciphertext:

$${\mathbf{c}}^{*}=\sum _{i=1}^d{\left(m_0\right)}_i·{\mathbf{c}}_i+\mathbf{r},\mathbf{r}\leftarrow \mathcal{R}.$$

6.3.2. Game $G_i$

In this game, the challenge ciphertext is as follows:

$${\mathbf{c}}^{*}=\sum _{j=1}^i{\left(m_1\right)}_j·{\mathbf{c}}_j+\sum _{j=i+1}^d{\left(m_0\right)}_j·{\mathbf{c}}_j+\mathbf{r}.$$

That is, the first i slots are taken from ${\mathbf{m}}_1$, and the rest from ${\mathbf{m}}_0$.

6.3.3. Game $G_{d+1}$

This corresponds to the synthesized ciphertext of ${\mathbf{m}}_1$:

$${\mathbf{c}}^{*}=\sum _{i=1}^d{\left(m_1\right)}_i·{\mathbf{c}}_i+\mathbf{r}.$$

Note that $G_0$ and $G_{d+1}$ correspond exactly to the real challenge cases for $b=0$ and $b=1$, respectively.

Lemma 1

(Single-hop indistinguishability). For each $i\in \{0,\dots ,d-1\}$, let $G_i$ and $G_{i+1}$ be defined as above. If the underlying encryption scheme $\mathsf{Enc}$ is IND-CPA secure, then for any PPT adversary $\mathcal{A}$:

$$\left|Pr\left[\mathcal{A}\mathrm{wins}{G}_i\right]-Pr\left[\mathcal{A}\mathrm{wins}{G}_{i+1}\right]\right|\le ϵ\left(\lambda \right),$$

 for negligible function ϵ in the security parameter λ.

Proof.

We define the distinguishing difference:

$${\Delta }_i:=Pr[\mathcal{A}\mathrm{outputs}{b}^{\prime }=1\mid G_i]-Pr[\mathcal{A}\mathrm{outputs}{b}^{\prime }=1\mid G_{i+1}].$$

The difference between $G_i$ and $G_{i+1}$ lies in a single coefficient ${\left(m_0\right)}_{i+1}$ vs. ${\left(m_1\right)}_{i+1}$ in the linear combination:

$${\mathbf{c}}^{*}={\mathbf{c}}_{\mathrm{fixed}}+{\left(m_b\right)}_{i+1}·{\mathbf{c}}_{i+1}.$$

If $\mathcal{A}$ can distinguish between games $G_i$ and $G_{i+1}$ with non-negligible probability, we can construct a reduction adversary $\mathcal{B}$ that breaks the IND-CPA security of the underlying encryption scheme $\mathsf{Enc}$. Specifically, $\mathcal{B}$ receives a challenge ciphertext ${\mathbf{c}}^{*}$ corresponding to either $m_0$ or $m_1$ in a single-slot encryption instance. It embeds this challenge into a fully synthesized ciphertext by constructing $\mathbf{c}={\mathbf{c}}_{\mathrm{fixed}}+m^{*}·{\mathbf{c}}_{i+1}$, where ${\mathbf{c}}_{\mathrm{fixed}}$ encodes all other coordinates from the hybrid game. If $\mathcal{A}$ correctly distinguishes whether $m^{*}={\left(m_0\right)}_{i+1}$ or ${\left(m_1\right)}_{i+1}$, then $\mathcal{B}$ breaks the IND-CPA security of $\mathsf{Enc}$.

Hence, ${\Delta }_i$ must be negligible. □

We now turn to the main result of this section. Building on the sequence of hybrid games ${\left\{G_i\right\}}_{i=0}^{d+1}$ and the indistinguishability lemma established for adjacent hybrids, we apply a telescoping argument over the entire chain. The accumulated advantage across all transitions allows us to bound the distinguishing probability of any adversary in the full $\mathsf{SynthEnc}$-IND-CPA experiment. The result is formalized in the following theorem:

Theorem 1 

(IND-CPA Security of Synthesized Encryption). Let $\mathsf{Enc}$ be a semantically secure public-key encryption scheme. Then the synthesized encryption scheme $\mathsf{SynthEnc}$, constructed via basis combination and random zero injection, is also IND-CPA secure. In particular, for any PPT adversary $\mathcal{A}$, there exists a negligible function $\epsilon \left(\lambda \right)$ such that we have the following:

$${\mathsf{Adv}}_{\mathsf{SynthEnc}}^{\mathsf{IND}-\mathsf{CPA}}\left(\mathcal{A}\right)\le \epsilon \left(\lambda \right).$$

Proof.

Let ${\left\{G_i\right\}}_{i=0}^{d+1}$ be the hybrid game sequence constructed in the previous subsection, where $G_0$ corresponds to a synthesized encryption of ${\mathbf{m}}_0$ and $G_{d+1}$ to that of ${\mathbf{m}}_1$. Each intermediate game $G_i$ partially interpolates between the two vectors by encrypting a message whose first i coordinates are from ${\mathbf{m}}_1$ and the remaining $d-i$ coordinates from ${\mathbf{m}}_0$.

Let $p_i$ denote the probability that the adversary $\mathcal{A}$ outputs 1 in game $G_i$, i.e., $p_i:=Pr[\mathcal{A}\mathrm{outputs}1\mid G_i]$. The adversary’s overall advantage in the $\mathsf{SynthEnc}$-IND-CPA experiment is given by the absolute difference $|p_0-p_{d+1}|$.

This difference can be expressed as a telescoping sum over adjacent game transitions:

$$|p_0-p_{d+1}| =\left|\sum _{i=0}^d(p_i-p_{i+1})\right|.$$

Applying the triangle inequality, this yields an upper bound:

$$|p_0-p_{d+1}| \le \sum _{i=0}^d|p_i-p_{i+1}|.$$

Each pair of games $(G_i,G_{i+1})$ differs in a single coordinate of the synthesized plaintext vector. Specifically, only the $(i+1)$-th coordinate is switched from ${\left(m_0\right)}_{i+1}$ to ${\left(m_1\right)}_{i+1}$, while all other components are held fixed. Thus, each transition corresponds to a one-coordinate hybrid hop.

By the security of the underlying encryption scheme $\mathsf{Enc}$, and in particular the indistinguishability guaranteed by Lemma 1, we know that for each i, the distinguishing advantage between $G_i$ and $G_{i+1}$ is bounded by a negligible function ${ϵ}_i\left(\lambda \right)$, where $\lambda$ is the security parameter. That is,

$$|p_i-p_{i+1}| \le {ϵ}_i\left(\lambda \right)\mathrm{for}\mathrm{all}i\in \{0,1,\dots ,d\}.$$

We now apply the union bound, a standard tool in cryptographic reductions. In its probabilistic form, it states that for any finite collection of distinguishable events, the probability of at least one occurring is bounded by the sum of their individual probabilities. When applied to game-hopping sequences, this translates to the total distinguishing advantage across a chain of hybrids being at most the sum of the individual hop advantages. Thus,

$$|p_0-p_{d+1}| \le \sum _{i=0}^d{ϵ}_i\left(\lambda \right).$$

To complete the argument, we define a function, $\epsilon \left(\lambda \right):={\sum }_{i=0}^d{ϵ}_i\left(\lambda \right)$. Each ${ϵ}_i\left(\lambda \right)$ is negligible by assumption, and d is polynomially bounded in $\lambda$ since it corresponds to the number of plaintext slots. It is a standard closure property of negligible functions that a finite sum of negligible functions—with the number of terms bounded by a polynomial—remains negligible. Hence, $\epsilon \left(\lambda \right)$ is negligible.

We conclude that the adversary’s advantage satisfies the following:

$${\mathsf{Adv}}_{\mathsf{SynthEnc}}^{\mathsf{IND}-\mathsf{CPA}}\left(\mathcal{A}\right)=|p_0-p_{d+1}|\le \epsilon \left(\lambda \right),$$

as required. □

7. Related Work

7.1. Algorithmic Optimizations for FHE

The advent of homomorphic encryption (HE) has enabled secure computation over encrypted data, a paradigm originally made viable by Gentry’s pioneering construction [1]. Since then, various schemes have been developed to support different computation models and performance trade-offs. Notable examples include BFV [2,8], BGV [7], and CKKS [3], which have been implemented in libraries such as Microsoft SEAL [9] and OpenFHE [10]. TFHE [11], in particular, supports Boolean gate operations and has been significantly accelerated by circuit-level bootstrapping improvements [12,13].

Recent algorithmic work has focused on tuning performance along multiple axes. In the CKKS scheme, which supports approximate arithmetic over complex numbers, optimizations have targeted bootstrapping [14], SIMD-aware packing [15], and machine learning workloads [16,17,18]. BFV and BGV, with their support for exact modular arithmetic, remain a standard choice for applications requiring stronger correctness guarantees [19]. Across schemes, implementation-level enhancements have improved low-level primitives such as NTT, key switching, and ciphertext relinearization [2,20,21,22,23]. In parallel, cross-domain insights from deep learning and IoT security have occasionally inspired representation-level decompositions that may inform future FHE system design [24].

Our work builds on these algorithmic foundations by revisiting the ciphertext construction interface itself. Rather than modifying cryptographic primitives or introducing new circuits, we treat vector encryption as a structured synthesis process grounded in basis expansion and symbolic slot control. This perspective enables efficient compile-time ingestion, tight coordination over encoder reuse and randomized noise injection, and the formulation of encryption as a system-level abstraction layer.

7.2. High-Performance FHE Computing with Hardware Acceleration

The high computational and bandwidth demands of fully homomorphic encryption (FHE) have inspired a broad class of hardware acceleration techniques across GPUs, FPGAs, and ASICs. GPU-based approaches leverage high memory bandwidth and SIMD-style parallelism to accelerate core FHE operations such as modular multiplication and bootstrapping. For instance, Jung et al. [25] reported a 257× speedup on an NVIDIA Tesla V100 for bootstrapping tasks, while Tan et al. [26] proposed floating-point approximations for GPU-friendly cryptographic kernels, achieving up to 150× acceleration. Open-source libraries like cuFHE [27] and nufhe [28] further explore software abstractions over GPU backends.

More recently, Poseidon [29] demonstrated a practical FPGA-based FHE accelerator that decomposes higher-level routines into a shared set of reusable operator cores—such as NTT, modular arithmetic, and automorphism—enabling hardware-level reuse and efficient scheduling under constrained resources. Poseidon achieves up to 1300× operator-level speedup and 10× end-to-end performance gains over GPU baselines, rivaling or exceeding contemporary ASIC implementations in several benchmarks. Its use of techniques such as NTT fusion and HFAuto illustrates the value of algebraic decompositions and memory-aware co-design in FHE acceleration.

ASIC accelerators, including F1 [30], BTS [31], and CraterLake [32], push the performance frontier by tightly integrating bootstrapping, rotation, and rescaling into fully pipelined microarchitectures with dedicated multi-hundred MB scratchpads. However, such designs are often constrained to fixed parameters, costly to manufacture, and remain largely impractical for general-purpose deployment.

In contrast, our work is orthogonal and complementary to these efforts. Rather than accelerating encryption via specialized hardware, we eliminate the encryption bottleneck altogether by transforming ciphertext generation into a compile-time symbolic process based on algebraic synthesis and vector-level precomputation. This enables efficient encrypted ingestion even within software-only or resource-constrained systems.

7.3. FHE for Outsourced Databases

Several systems have explored the integration of fully homomorphic encryption (FHE) into outsourced database environments, where sensitive data is stored in encrypted form and queried without decryption. Symmetria [4] applies leveled FHE to support SQL-style query evaluation over encrypted relational tables. Its design emphasizes query planner integration and leverages SIMD-style batched homomorphic execution to evaluate selection and projection operations across tuples. However, the high cost of encryption, especially during data ingestion, remains a fundamental bottleneck.

The Rache framework [6] takes a different approach by precomputing ciphertexts for all possible scalar plaintexts in small domains and caching them for reuse. This enables fast ingestion when plaintext reuse is common, and supports layout-aware optimization for memory and SIMD alignment. Nonetheless, the method does not naturally extend to vector-based encryption, where each ciphertext encodes a structured tuple of values. In such settings, coordinate-wise caching disrupts the structural semantics of the encoded polynomial, making it incompatible with downstream FHE operations such as rotation, slot masking, or aggregation.

These efforts underscore the importance of treating encryption not as a black-box primitive, but as a programmable interface between systems and cryptography. Our framework builds on this insight by enabling vector-level synthesis with full control over structural layout, symbolic decomposition, and secure randomness injection.

8. Final Remarks

This work proposes a new perspective on ciphertext generation in fully homomorphic encryption (FHE), shifting the focus from runtime encryption to compile-time algebraic synthesis. By precomputing a structured ciphertext basis and leveraging linearity in the encryption function, we eliminate the need for direct encryption during data ingestion, reducing overhead while preserving semantic correctness and security.

The proposed abstraction treats ciphertexts not merely as outputs of cryptographic primitives, but as composable objects synthesized from a reusable module of encrypted algebraic components. This design philosophy opens new possibilities in encrypted systems, where synthesis, slot-level layout control, and noise injection can be decoupled from cryptographic internals and expressed as part of the system architecture itself.

Beyond the specific construction introduced here, the broader message is conceptual—encryption, when viewed through the lens of algebraic programming, admits symbolic compilation strategies previously confined to plaintext computing. We believe this direction can serve as a foundation for further advances in encrypted database systems, bootstrappable encrypted pipelines, and secure compiler backends that reason about ciphertexts as algebraically structured data.

Looking ahead, an even deeper question emerges—can we eliminate encryption noise altogether, not by amortizing or refreshing it, but by constructing encryption schemes whose algebraic semantics are inherently noiseless? We suspect that such structures may lie beyond the conventional polynomial ring frameworks used in current lattice-based schemes. Candidate directions include the use of flat modules, cohomological vanishing in sheaf-theoretic encodings, or fiber product constructions that preserve exactness across encrypted morphisms. The technical barriers are considerable—extending exact sequences under encryption, controlling derived functors over non-reduced schemes, and establishing structural invariants in ciphertext categories—but the potential theoretical payoff is equally substantial. We welcome collaborations from researchers interested in the intersection of modern algebra and cryptographic structure, and view this as a long-term invitation to reimagine encrypted computation from first mathematical principles.