For the past few years, we have been building the most developer friendly, fast and secure Fully Homomorphic Encryption (FHE) scheme, licensing the technology to dozens of companies across blockchain and AI. Today, we are unveiling our most ambitious product to date: the Zama Confidential Blockchain Protocol, and announcing our $57m Series B at a valuation of over $1b.

Follow us @zama_fhe and @randhindi to be informed when the testnet goes live!

The blockchain confidentiality dilemma

Why do we need blockchain? This question often comes along when discussing building decentralized applications (dapps). After all, most things we use today are not blockchain based and work just fine. However, there are some applications where the cost of blindly trusting a third party and being wrong is too high, such as when dealing with financial assets, identity or governance. In those cases, consumers and companies want strong guarantees that whatever service is being provided is done correctly, while service providers want to ensure their users have the right to use the assets/data they claim.

Blockchains solve this by enabling anyone to publicly verify that a request was executed according to a predetermined logic, and that the resulting state of the overall system is correct. Service providers and their customers no longer have to trust each other, as the integrity of the transaction is guaranteed by the blockchain itself.

One major issue with public verifiability however is that it requires disclosing all the transactions and data to everyone, as keeping them private would prevent verifiability in the first place. This lack of confidentiality has been a major hindrance to global adoption of blockchains, as the very data it is supposed to be used for (money, identity, …) is highly sensitive by nature. Without confidentiality, blockchain cannot reach mass adoption.

The Zama Confidential Blockchain Protocol

The Zama Confidential Blockchain Protocol (or simply the Zama Protocol) enables confidential smart contracts on top of any L1 or L2. It is the most advanced confidentiality protocol to date, offering:

• End-to-end encryption of transaction inputs and state: no-one can see the data, not even node operators.
• Composability between confidential contracts, as well as with non-confidential ones. Developers can build on top of other contracts, tokens and dapps.
• Programmable confidentiality: smart contracts define who can decrypt what, meaning developers have full control over confidentiality rules in their applications.

The Zama Protocol is not a new L1 or L2, but rather a cross-chain confidentiality layer sitting on top of existing chains. As such, users don’t need to bridge to a new chain and can interact with confidential dapps from wherever they choose.

It leverages Zama’s state-of-the-art Fully Homomorphic Encryption (FHE) technology, which enables computing directly on encrypted data. FHE has long been considered the “holy grail” of cryptography, as it allows end-to-end encryption for any application, onchain or offchain. We believe that just like the internet went from zero encryption with HTTP to encrypting data in transit with HTTPS, the next natural step will be to use FHE to enable end-to-end encryption by default in every application, something we call HTTPZ.

Until recently however, FHE was too slow, too limited in terms of applications it could support, and too difficult to use for developers. This is what our team at Zama has spent the last 5 years solving. We now have a highly efficient FHE technology that can support any type of application, using common programming languages such as Solidity and Python, while being over 100x faster than 5 years ago. Importantly, Zama’s FHE technology is already post-quantum, meaning there is no known quantum algorithms that can break it.

While FHE is the core technology used in the Zama Protocol, we also leverage Multi-Party Computation (MPC) and Zero-Knowledge Proofs (ZK) to address the shortcomings of other confidentiality solutions:

• FHE enables confidentiality while being fully publicly verifiable (anyone can recompute the FHE operations and verify them). Using GPUs will soon allow scaling to 100+ transactions/s while dedicated hardware accelerators (FPGAs and ASICs) will enable scaling to thousands of transactions per second.
• MPC enables decentralizing the global network key, ensuring no single party can access it. Using MPC only to generate keys and decrypt data for users minimizes latency and communication, thereby making it far more scalable and decentralized than using it for private computation.
• ZK ensures the encrypted inputs provided by users were actually encrypted correctly. Using ZK only for this specific purpose makes the ZK proofs lightweight and cheap to generate in a browser or mobile app.

Our first testnet is live, with a mainnet on Ethereum planned in the coming months, alongside with the release of the $ZAMA token (more on this soon). We will then progressively deploy the protocol on other EVM chains first, then on Solana next.

The launch of our testnet also coincides with the close of our Series B, where we raised over $57m at a $1b+ valuation. The round was led by two fantastic investors: Pantera Capital, who joined Zama for the first time, and Blockchange, who has been an early backer since our Series A. We are thrilled to have them onboard as we make confidentiality the new normal in blockchain!

Confidentiality is the last missing piece to enable massive adoption of blockchain

Confidential smart contracts enable a new design space for blockchain applications, in particular when applied to finance, identity and governance. If we look at web2, it is clear that most applications do not share all the data publicly, and thus it is likely that the vast majority of blockchain applications are yet to be built, now that confidentiality is no longer an issue.

Here are some example use cases:

Finance

• Confidential payments. Stablecoins are one the most successful use case for blockchain, with trillions in yearly volume. Everything from credit card payments to salaries, remittances and banking rails is now moving onchain. One of the absolute key requirement however is confidentiality and compliance. Thanks to FHE and the Zama Protocol, this is now possible: balances and transfer amounts are kept encrypted end-to-end, while payment providers can embed compliance features into the token contract directly. You can read more about confidential, compliant payments here.
• Tokenization & RWAs. The tokenization of financial assets is one of the main adoption drivers of blockchain for large institutions. From fund shares to stocks, bonds or derivatives, there is up to $100T of assets that could potentially move onchain. Due to confidentiality and compliance issues however, TradFi institutions have had to rely on private blockchains, making it difficult to ensure interoperability between institutions. With the Zama Protocol, they can now use existing public blockchain such as Ethereum or Solana to tokenize and trade their assets, while keeping their activity and investor identity confidential. They can also ensure KYC/AML checks are done in the smart contracts directly, without revealing sensitive information to others. You can read more about this use case in the report published by JP Morgan - Kynexis, in which they built a proof-of-concept using Zama’s technology.
• Confidential DeFi. DeFi has redefined finance by allowing anyone to participate and earn yield, but it suffers from two major issues: people don’t like sharing how much they own, and bots front-running transactions makes it expensive for end users to swap assets onchain. FHE can solve both issues by enabling end-to-end encrypted swaps, where the amount and possibly asset is kept private at all times. Some other use cases includes confidential lending, onchain credit scoring, option pricing and more.

Tokens

• Sealed-bid auctions. Sell assets such as NFTs or tokens in an onchain sealed-bid auction. Each participant places an encrypted bid onchain. When the auction ends, the highest bidder(s) win the item(s), without revealing any of the bids. Not only does this enable better price discovery, it also prevents bots from stealing the auction by monitoring the mempool. This is a particularly effective method for public token sales.
• Confidential distributions. Distributing tokens currently requires disclosing publicly how much each address receives. Whether it’s for airdrops, grants, investors or developers, keeping the distributed amounts private is paramount to privacy and security onchain. With FHE, protocols can distribute their token confidentially, run vesting on those encrypted tokens, enable confidential staking and more.

Identity and Governance

• Composable onchain identity. Offchain, we use our identities all the time, from buying products online to booking plane tickets. Doing so onchain however would leak sensitive information such as your name, address, social security number and more. With FHE however, you can have a complete Decentralized ID (DID) + Verifiable Credentials (VC) system onchain, where your identity is encrypted while being fully composable with decentralized applications. Just like you can have account abstraction, you can now have identity abstraction. This is also essential for compliance in onchain payments and tokenization, as it can be used by smart contracts to verify claims in a decentralized, private manner.
• Confidential governance. The idea of onchain voting, whether for DAOs, companies or governments, has been explored for as long as blockchains exist. But having the votes cast publicly onchain can lead to biases, blackmailing, or bribing. With FHE, votes (and numbers of tokens staked) can be kept private, ensuring only the final tally is revealed, and not the individual votes.

Other examples

• Onchain corporations. Managing a company onchain would be impossible without the promise of confidentiality. Indeed, information such as the cap table, financials, board votes, customers, and employee registers should not be disclosed publicly. With FHE, all this information could be kept onchain, allowing smart contracts to automate many day-to-day company operations. ‍‍
• Prediction markets. ‍‍Prediction markets are based on the wisdom of the crowd concept: the average prediction of a large number of people tend to be close to the correct outcome. However, this only works if participants are not biased by previous predictions. The Zama Protocol solves this by enabling prediction markets where predictions are encrypted until revealed periodically, leading to better precision in outcomes.
• Data marketplaces for AI. ‍‍AI strives on data. With FHE, users can selectively share and sell their data with companies wishing to train AI models. More than this, models can potentially be trained encrypted, with only the result being decrypted, ensuring that users have a constant stream of revenue for their data vs selling it only once and it being used forever.

These are just some examples of what can be done today. We believe that FHE, through Zama’s Protocol, will enable unprecedented use cases and bring massive adoption to blockchain overall. With time and scale, it would even become possible to run entire companies, cities or even countries onchain, including their financial and identity infrastructure, elections, currency, taxes, land, car and company registries. Confidential blockchains don’t just enable programmable money: they enable programmable public infrastructure.

Anyone can build on the Zama Protocol

Developers can create confidential applications without any knowledge of cryptography, simply by using the provided Solidity library. Furthermore, deploying apps on the Zama Protocol is completely free, and doesn’t require an additional license from us. 

The following example shows an example confidential token contract:

pragma solidity ^0.8.26;

import "@fhevm/solidity/lib/FHE.sol";
import { IConfidentialFungibleToken } from "./IConfidentialFungibleToken.sol";

abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {

    uint64 internal _totalSupply;
    string internal _name;
    string internal _symbol;

    // Balances are encrypted
    mapping(address account => euint64 balance) internal _balances;

    // Transfer an encrypted amount
    function transfer(address to, externalEuint64 encryptedAmount, bytes calldata inputProof) public virtual returns (euint64) {

        // Verify the input is correct and cast to euint64
        euint64 amount = FHE.fromExternal(encryptedAmount, inputProof);

        // Check if the user has enough balance, otherwise set the transfer amount to zero
        euint64 transferValue = FHE.select(FHE.le(amount, _balances[msg.sender]), amount, FHE.asEuint64(0));

        // Make the transfer
        _balances[to] = FHE.add(_balances[to], transferValue);
        _balances[from] = FHE.sub(_balances[from], transferValue);

        // Allow users to see their balances, and the contract to update it
        FHE.allow(_balances[to], to);
        FHE.allow(_balances[from], from);
        FHE.allowThis(_balances[to]);
        FHE.allowThis(_balances[from]);

        return transferValue;
    }
}

Simply replace the integer operations by their FHE equivalent, then specify who can decrypt the balances. Of course, developers can build much more complicated applications, such as AMMs, lending, and more. On top of the smart contract library, we also provide a Javascript SDK that streamlines the encryption and decryption client-side, making it almost invisible to end-users.

The access control system used by the Zama Protocol is extremely powerful. By allowing contracts to define who can decrypt which value in it, it makes confidentiality (and compliance) fully programmable. There is no assumption at the protocol or user level, everything is encoded in the application logic itself, allowing companies to choose whether they want to offer end-to-end encryption (aka nobody sees anything, not even the companies building the dapp), or onchain encryption (aka the web2 model: only the user and service provider see the data, but nobody else onchain).

Enabling confidentiality on existing chains through a network of FHE coprocessors

Blockchains typically only support limited computations, making it impossible to run FHE natively on Ethereum and other L1/L2s. To address this issue, we designed the Zama Protocol based on two core ideas: symbolic execution and threshold decryption.

‍Symbolic execution

The idea behind symbolic execution is that whenever a contract calls the Zama FHEVM Solidity library on the host chain (the L1/L2 where the confidential dapp is deployed) to perform an FHE operation, the host chain itself doesn’t do any actual FHE computation; instead, it produces a pointer to the result and emits an event to notify a network of coprocessors, who do the actual FHE computation. This has many advantages:

• The host chain does not need to change anything, run expensive FHE operations or use specific hardware.
• The host chain is not slowed down by FHE, so non-FHE transactions can be executed as fast as they always have been
• FHE operations can be executed in parallel, rather than sequentially, dramatically increasing throughput.

Since all ciphertexts on the host chain are simply pointers (the actual data is stored by coprocessors), FHE operations can be chained just like regular operations, without needing to wait for the previous ones to complete. The only time we need to wait for a ciphertext to be computed is when it has to be decrypted.

From a security perspective, everything the coprocessors do is publicly verifiable, and anyone can just recompute the ciphertexts to verify the result. Initially, we use multiple coprocessors with a majority consensus, but longer term the goal is to enable anyone to compete to execute FHE operations, leveraging ZK-FHE to prove the correctness.

Threshold decryption

To maintain composability onchain, all ciphertexts need to be encrypted under the same public key. This means the private decryption key has to be secured in a way that prevents illegitimate decryption of ciphertexts. The Zama Protocol solves this by splitting the private key amongst multiple parties, using a dedicated threshold MPC protocol as its Key Management Service (KMS).

In order for a user or contract to decrypt a value, they need to first have been explicitly allowed to do so by the contract that produced the value on the host chain. Decrypting the result is then a simple request to the Zama Gateway, which acts as an orchestrator for the protocol and forwards the request to the KMS parties.

This again ensures that all decryption requests are publicly visible, and thus anyone can verify they match the access control logic defined by smart contracts.

FHE is getting faster exponentially

The Zama Protocol is designed to be horizontally scalable, leveraging our cutting-edge TFHE-rs library. Contrary to the sequential behavior of the EVM, the Zama Protocol parallelizes the computation of FHE operations. As long as a specific ciphertext isn’t used in a sequential chain of FHE operations, Coprocessors will be able to increase the throughput simply by adding more servers.

Since we started working on the Zama Protocol, we have been able to increase throughput exponentially from 0.5 transactions per second to over 20 transactions per second. Note that this throughput is per Host Chain, which means that the Zama Protocol can already theoretically support hundreds of transactions per second across all Host Chains. While this is enough to cover most EVM chains (Ethereum does ~15 tps), it is still insufficient for retail payments (VISA does 25,000 tps) and for Solana (1,000+ tps).

To bridge that gap, we will progressively move to more and more powerful hardware. First, we will move from CPU to GPU, increasing throughput per chain to over ~50-100 tps (assuming state-independent transactions). Then we will leverage our recently open-sourced FPGA accelerator, targeting 500-1000 tps / chain. Finally, using dedicated hardware accelerators (ASICs) will enable 10,000+ tps / chain.

The important point here is that FHE is no longer limited by underlying algorithms, and is now mostly driven by Moore’s law: the better the hardware, the better the throughput of the Zama Protocol. 

It's no longer a question of if, but a question of when blockchain will become encrypted end-to-end. Privacy is normal!

Rand

Additional links

• Read the Zama Confidential Blockchain Litepaper
• Check out the Zama Protocol documentation.
• Looking to integrate Fully Homomorphic Encryption (FHE) into your project? Talk to the Zama team.