FHE vs ZK: Best Proven Private DeFi Architectures 2025.
Article Structure
Private DeFi moved from demos to working systems. Teams now choose between two main cryptography tracks: Fully Homomorphic Encryption (FHE) and Zero-Knowledge (ZK). Both secure user data, yet they differ in performance, trust, and developer flow. This guide maps the trade-offs and shows which patterns work in production in 2025.
What problem private DeFi must solve
DeFi leaks sensitive data by default. Traders expose balances. MEV bots read intent flow. Credit and auctions reveal strategy. A private design must hide inputs during compute, guarantee correct results, keep fees practical, and stay composable with other apps. It also must offer audit and recovery paths for real capital.
Quick definitions
Zero-Knowledge: a prover computes in cleartext off-chain, then posts a succinct proof on-chain. The chain verifies correctness without seeing inputs. zkSNARKs are compact with a setup; zkSTARKs skip setup but cost more to verify.
Fully Homomorphic Encryption: users encrypt data with a public key. Nodes compute directly on ciphertexts. Outputs stay encrypted until an authorized party or threshold decrypts. TFHE handles boolean gates fast; CKKS handles approximate arithmetic for finance models.
Core difference in practice
ZK moves privacy to the proof boundary. Inputs stay private, but the resulting state or outcome is usually public. FHE keeps state private during and after compute until a decrypt step. This changes UX, fees, and risk.
Proven architectures you can ship in 2025
Teams use stable patterns that match chain limits and user expectations. The list below summarizes the designs that see real usage and that pass audits and live traffic.
- ZK settlement with public state: compute off-chain, prove with zkSNARK, post result on L2. Good for private orders where final swap is public.
- ZK rollup with shielded state: maintain a Merkle tree of encrypted notes; proofs update the tree. Good for private transfers and basic AMMs.
- FHE coprocessor for encrypted intents: users encrypt orders; a network computes match and fee on ciphertexts; authorized decryption reveals only the fill.
- FHE state machines: smart contracts run on ciphertexts and never expose intermediate state; view keys allow selective audit.
- Hybrid: ZK proof of correct FHE decryption or key rotation; FHE for ongoing state, ZK for settlement integrity.
These patterns balance speed and privacy. A private AMM may start with ZK settlement to keep fees low and later add FHE for encrypted order flow once liquidity grows.
Comparison table
The table gives a direct view of how FHE and ZK differ on the factors that most DeFi teams care about. Use it to filter options before deep design.
| Aspect | ZK (SNARK/STARK) | FHE (TFHE/CKKS) |
|---|---|---|
| Privacy scope | Inputs private; outputs usually public | Inputs and state remain encrypted; selective decrypt |
| Latency | Proofs in seconds to minutes; verify in ms on-chain | Compute slower; bootstrapping adds 10–100s ms per gate |
| Gas/fees | Low verify gas; off-chain proving cost | Fees shift off-chain; decryption and key ops add steps |
| Composability | Strong with EVM/L2; mature tooling | Improving via fhEVM-like runtimes; limited cross-app reads |
| Key assumptions | Proof system soundness; setup for SNARKs | Key custody or threshold; parameter tuning security |
| Maturity | High; many audits and live apps | Medium; live networks exist, fewer battle-tested apps |
| Best fits | Private orders, shielded transfers, auctions | Encrypted intents, private state machines, credit scoring |
This view suggests a rule of thumb: use ZK when you can keep final state public without harming users. Use FHE when state must stay hidden across steps.
Concrete scenarios
Private AMM order: a trader submits a size and slippage limit. With ZK, the engine matches in cleartext off-chain, generates a proof, and posts a public swap. With FHE, the engine matches on ciphertexts and decrypts only the final fill. Bots see less, so MEV drops, but compute cost rises.
On-chain credit line: a user provides a credit score from several data vendors. ZK can prove the score meets a threshold without revealing inputs. FHE can hold the score encrypted and update it with payments over time without exposing the value to validators.
Batch auctions: ZK proves a solver found the max-clearing price. Results go public at settlement. FHE can keep bids encrypted until the decrypt window, which blocks pre-trade signaling.
Tooling and ecosystems to watch
Developers need stable SDKs, audits, and L2 access. The projects below lead their category in 2025 with real code and active support.
- ZK stacks: Starknet, zkSync Era, Polygon zkEVM, Scroll, Risc0, Noir, Halo2, Plonky2.
- ZK privacy chains: Aztec (hybrid privacy), Aleo (ZK-native programs), Penumbra (shielded DEX, Cosmos).
- FHE stacks: fhEVM by Zama, Fhenix, Inco Network, Concrete/TFHE, OpenFHE, HEaaN (CKKS).
- Hybrid aids: Succinct and Lagrange for off-chain compute proofs; Lit or Hashicorp plugins for threshold keys.
Pick stacks with full examples. A minimal private swap with benchmarks beats a whitepaper promise.
Security and risk notes
ZK risks center on circuit bugs, incorrect constraints, or toxic trusted setup. Strong audits and circuit test vectors reduce this. Use universal setups where possible.
FHE risks center on key compromise, weak parameter sets, or side channels in ciphertext compute. Use threshold keys, rotate regularly, and keep parameter margins safe for the target security level.
Both models need clear data access policy. Add viewing keys or regulated auditor keys with strict scope and logs.
Performance heuristics you can count on
Proof generation costs drop fast with recursion and GPUs. Many teams reach sub-30s proof times for medium circuits. Verification remains cheap on L2. This suits market flows with minute-scale finality.
FHE throughput improves with gate packing and batching. TFHE gates run in sub-millisecond on tuned hardware. Yet multi-step logic still costs more than cleartext. This suits encrypted matching engines or state that should never leak.
How to choose: a practical path
Use the steps below to select an approach that fits your app and runway. This avoids refactors after launch.
- Write your privacy boundary: list which fields must stay hidden at each step.
- Set a latency budget: pick max wait for users and for settlement.
- Map the trust: decide who can decrypt, how many shares, and rotation policy.
- Prototype two flows: one ZK, one FHE or hybrid; measure with real inputs.
- Ship the simpler model that meets privacy and cost targets; plan upgrades.
Teams often start ZK for speed and move high-value flows to FHE when MEV or data sales pressure grows.
Design patterns that work
These patterns reduce risk and help audits. Keep them close to your reference design and you will save weeks.
- Use intent-based orders. Users sign what they want, not how to do it.
- Separate proving and settlement. Keep proofs off-chain and verification on cheap L2s.
- Add viewing keys from day one. Auditors and users need controlled access.
- Log commitments and nullifiers cleanly. This avoids replay and double spend bugs.
- Bench with public datasets. Publish latency, gas, and failure modes.
A small example: publish a weekly report that shows median proof time, failed decrypts, and average gas per swap. This keeps the team honest and users informed.
What “best proven” looks like in 2025
For private transfers and simple swaps, ZK rollups with shielded notes are the default. They scale and prove well-understood circuits. For encrypted order flow, private RFQ, and long-lived private state, FHE coprocessors or fhEVM-style chains are now practical, with threshold decryption and audit trails. Hybrids bind the two: ZK proofs anchor FHE decryption and key changes to the chain, which raises trust.
The winning setups mix clear rules with strong cryptography. They respect user privacy, post verifiable results, and keep costs within L2 budgets. Choose the narrowest tool that meets your privacy boundary, then iterate with measured gains.
