12/12 REFHE is the result of work by @dWalletLabs cryptography team and reflects our broader mission: pushing the boundaries of cryptography to create a secure, programmable, private and decentralized world without compromising on the Zero-Trust principles of Web3. Paper link:

11/12 We believe this is a foundational shift. REFHE reframes FHE as a platform for encrypted computation that mirrors the machine model - allowing us to reason about programs, not just circuits. It's the first step toward a real homomorphic ALU.

10/12 With 100x smaller ciphertexts, 20x faster multiplication, and 1000x faster additions, REFHE surpasses TFHE in every parameter Benchmarks in the paper.

9/12 We also generalize modulus switching to the setting where plaintext and ciphertext moduli are ideals, not integers. And we explore algebraic moduli construction that enables a Double-CRT representation - typically unavailable outside cyclotomic rings.

8/12 REFHE does not require batching. That’s intentional. Instead, we focus on single-word encrypted computation - matching the CPU-like abstraction. This makes it particularly relevant for use cases like: - Encrypted VMs - Smart contracts with FHE backends - zkCompute over

7/12 For example, to compute a > b homomorphically: 1. Subtract b from a 2. Bootstrap the result 3. Extract the most significant bit → gives you the result of the comparison This kind of operation would be painful in arithmetic schemes and bloated in boolean ones.

6/12 🔧 Bootstrapping in REFHE Our bootstrapping mechanism: - Recursively extracts encrypted bits µᵢ of the message during bootstrap - Enables boolean ops during bootstrapping - e.g. comparisons, bit shifts, masking

5/12 This has profound consequences: - The bits of the integer are just the coefficients of the polynomial - Noise scales like n^O(d) for depth-d circuits (vs 2^O(d) in prior Z₂ⁿ approaches) - Bootstrapping becomes a natural place to extract bit-level structure

4/12 REFHE starts from the BGV blueprint but makes two key architectural shifts: 1. We work over a non-cyclotomic ring: ℤ[x]/(xⁿ - x + 2) 2. We define the plaintext space as an ideal: ⟨x - 2⟩, giving us plaintexts ≅ Z₂ⁿ This lets us represent 64-bit values directly - with

3/12 Why is this a big deal? Most existing schemes fall into one of two camps: - Arithmetic-focused (BGV, BFV, CKKS) - fast at math, awkward for logic - Boolean-focused (TFHE) - logic is native, but everything is bit-bloated Real programs use both. REFHE bridges this divide.

2/12 At its core, REFHE asks: Can we build an FHE scheme that behaves like a CPU ALU? That means: - Integer arithmetic (mod 2⁶⁴) - Logic ops like AND, OR, comparisons - Operations on encrypted values - Efficient bootstrapping All natively supported. Not simulated.

🧵1/12 We're excited to share REFHE: Fully Homomorphic ALU, our new paper introducing an FHE scheme that natively supports both arithmetic and logical operations on 64-bit machine words. This is a step toward treating FHE not as a circuit model - but as a real compute model.

Today we released our Threshold FHE paper - the first that can be used by nodes of a decentralized network for threshold decryption of FHE ciphertexts. We had the pleasure of working with Prof. Zvika Brakerski on this one. A single key insight enabled it all 🧵

Today we are publishing our Threshold FHE scheme, redefining cryptographic computation and bringing Web3 a step closer to true confidential compute without relying on hardware and trusted third parties. Our team consistently delivers the best threshold cryptography research, and

11/ Our scheme is scalable: supporting thousands of participants, DKG and reconfiguration in minutes (should happen once every > 24 hours) and sub-second decryption!

10/ Our scheme is reconfigurable: allowing participants (think: node operators) to join and leave, and still participate in decryption. This is crucial to enable permissionless setups of threshold networks where parties join and leave at will.

9/ It is publicly verifiable, and with f<n/3, admits Guaranteed Output Delivery (GOD) - meaning that as long as less than a 1/3 of the parties are malicious, the decryption is guranteed to succeed, a really difficult and useful trait to achieve!

8/ Our scheme is blockchain compatible: It is realized over an asynchronous network and only utilizes reliable broadcast.

7/ Our scheme is generic: it can work under any t-out-of-n setting and for any FHE scheme. Importantly, we solve a key-issue here with t=2/3 which is commonly used for consensus, and no scheme known to us has been able to achieve a practical, scalable solution for.

6/ This makes it the first threshold FHE scheme that can be used for decentralized networks, and the first to allow building permissionless threshold decryption networks and many other solutions.