ring0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn morering0 is currently in active development. Follow our progress. Learn more
Ring0Ring0

Section VII

HSS-CoFHE

Privacy-Preserving Collaborative Proving

HSS-CoFHE (Homomorphic Secret Sharing with Collaborative Fully Homomorphic Encryption) enables zero-knowledge proving over secret-shared data. No single validator ever observes plaintext transactions. The production system achieves 3,506× speedup over classical FHE approaches through a noise-free protocol design with UC-composable security.

core design

Core Design

HSS-CoFHE splits transaction data across multiple proving servers so that no single server ever sees plaintext. Computation proceeds over encrypted and secret-shared values. The protocol converts encrypted data into additive secret shares without revealing the underlying values, then uses these shares for efficient ZK proof generation. The production protocol is noise-free (no accumulated encryption noise) and achieves UC-composable security — meaning it remains secure when composed with any other protocol.

collaborative proving

Collaborative Proving (VeriCoop)

VeriCoop is Ring0's collaborative proving protocol that generates ZK proofs over secret-shared data through a multi-phase process.

  • Setup: Distribute correlation seeds to all proving servers
  • Input sharing: Convert encrypted transaction data into secret shares — each server holds only a random-looking fragment
  • Proof computation: Servers jointly compute the ZK proof over their shares using pre-generated correlations
  • Privacy masking: Two-layer masking ensures the proof reveals nothing beyond its validity
  • Output: Reconstruct the final proof from server contributions — the proof is public, but no server ever held the full witness

performance advantage

3,506× Performance Advantage

The production protocol achieves a multiplication gate cost of 3.2μs — a 3,506× speedup over the initial protocol design. This dramatic improvement comes from eliminating encryption noise entirely, which removes the need for expensive noise management operations. The result is that privacy-preserving proving is fast enough for real-time transaction processing.

threshold decryption

Threshold Decryption

HSS-CoFHE uses threshold decryption where a minimum number of servers (t out of n) must cooperate to decrypt any value. Corrupting fewer than t servers reveals absolutely nothing about the plaintext data — this is an information-theoretic guarantee, not a computational one. The threshold can be configured per deployment to balance between liveness (fewer servers needed) and security (more servers needed to collude).

uc security

UC-Composable Security

The protocol achieves Universal Composability (UC) security — the strongest standard for cryptographic protocols. UC-composable security means the protocol remains secure when run alongside any other protocols, in any scheduling environment, and under any composition. This is essential for a blockchain where HSS-CoFHE must compose safely with the ZK proving system, consensus mechanism, and networking layer simultaneously.

PreviousOptimumNextFAFO