FHE in Action · Cohort Statistics
Demo 02 · Inter-Hospital Benchmarking
Factual Demonstration

Trust That You Can Compute.

Five hospitals compare stroke length-of-stay without any of them exposing their absolute numbers. Each one learns only its relative position.

The Scenario

Five reference hospitals want a quality benchmark. Metric: average length of stay for ischemic stroke.

The Problem

No hospital wants to expose absolute numbers — PR risk. Under traditional architecture, honest benchmarking among competitors is impossible.

The Guarantee

The aggregator computes mean, variance and standard deviation over ciphertexts. Each hospital only decrypts its relative position. RLWE mathematical guarantee.

Everything is real. Numbers, timings and sizes were captured from a real execution of demo 02/main.go using Lattigo v6 + CKKS.

Step 01 · Setup

Define the parameters.

Before encrypting the length-of-stay values, we choose CKKS parameters. Each parameter is a trade-off between security, speed and computational capacity.

Parameters · CKKS

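// Lattigo v6 — CKKS
params, err := ckks.NewParametersFromLiteral(ckks.ParametersLiteral{
  LogN:            14, // N = 16384
  LogQ:            []int{55, 45, 45, 45, 45}, // ciphertext modulus chain (bits per prime)
  LogP:            []int{61},                 // auxiliary modulus for key switching
  LogDefaultScale: 45,                        // encoding scale 2^45
})
if err != nil {
  panic(err)
}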
Slots/ciphertext: 8 192
Scheme type: APPROX.

What each term means

CKKS ("approximate" scheme) — Homomorphic encryption family that operates over real numbers. It has controlled approximation noise (error ~10⁻⁹). It is the standard scheme for machine learning, descriptive statistics and signal processing — exactly what inter-hospital benchmarking needs.

8 192 slots — An FHE ciphertext is not a single value: it is a vector of 8 192 packed values, and each operation acts on all 8 192 at once. In a production benchmark, thousands of hospitals fit in a handful of ciphertexts.

Multiplicative depth — How many chained multiplications a ciphertext supports. CKKS lets you tune it via LogQ. For mean + variance (which needs squares), 4-5 levels are enough.

~128 bits of security — Industry standard. Brute-forcing the key would require ~2¹²⁸ operations — an astronomical number, infeasible even on foreseeable quantum hardware.

RLWE base — Ring Learning With Errors. The mathematical problem that underpins the security. It is the same problem over which NIST standardized post-quantum cryptography (ML-KEM, ML-DSA).
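
A sanity check on these parameters, as an added example (not part of the demo's code): it derives slots, depth and total modulus size from the literal and compares log2(QP) with the 128-bit bound for a ternary secret in the HomomorphicEncryption.org Security Standard. The `Literal` type and `Audit` function are illustrative names, not Lattigo's API, and the ciphertext size assumes 8 bytes per RNS coefficient.

```go
package main

import "fmt"

// Literal is a local stand-in for the fields shown on the page (not Lattigo's type).
type Literal struct {
	LogN       int
	LogQ, LogP []int
}

// PageParams copies the values from the page's parameter block.
var PageParams = Literal{LogN: 14, LogQ: []int{55, 45, 45, 45, 45}, LogP: []int{61}}

// maxLogQP128 is the largest log2(Q*P) per LogN for 128-bit classical security
// with a ternary secret (HomomorphicEncryption.org Security Standard, 2018).
var maxLogQP128 = map[int]int{10: 27, 11: 54, 12: 109, 13: 218, 14: 438, 15: 881}

// Report lists what the literal implies.
type Report struct {
	Slots, Depth, LogQP, CtBytes int
	Within128                    bool
}

// Audit derives capacity and size figures and checks the modulus budget.
func Audit(l Literal) Report {
	n := 1 << l.LogN
	logQP := 0
	for _, b := range append(append([]int{}, l.LogQ...), l.LogP...) {
		logQP += b
	}
	bound, known := maxLogQP128[l.LogN]
	return Report{
		Slots:     n / 2,                   // CKKS packs N/2 values per ciphertext
		Depth:     len(l.LogQ) - 1,         // one prime is consumed per rescale
		LogQP:     logQP,                   // key-switching keys live modulo Q*P
		CtBytes:   2 * n * len(l.LogQ) * 8, // 2 polynomials, 8-byte coefficients (assumed)
		Within128: known && logQP <= bound,
	}
}

func main() {
	fmt.Printf("%+v\n", Audit(PageParams))
	// The same moduli on a ring half the size exceed the 128-bit budget.
	fmt.Printf("%+v\n", Audit(Literal{LogN: 13, LogQ: PageParams.LogQ, LogP: PageParams.LogP}))
}
```

The estimated payload of 1 310 720 bytes is 1.25 MiB, which agrees with the ciphertext size reported in Step 03.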

Step 02 · Keys

Generate collaborative keys.

In production, threshold cryptography splits the key among the 5 hospitals. Here we simplify with a single key for didactic clarity.

Generated Keys

Total time: ~50 ms
pk: ~7 KB
rlk: ~44 KB
Security: 128 bit

Galois Keys

We additionally generate Galois keys to support rotation operations (needed for InnerSum over vectors of many slots). These keys are the heaviest — several MB in total.

Step 03 · Hospitals

Encrypt adjusted data.

Each hospital computes its case-mix adjusted average length of stay over its internal cohort. It encrypts that value and sends it. The aggregator NEVER sees the cleartext value.

Local data (case-mix adjusted)

Albert Einstein: 72.4 h
Sírio-Libanês: 81.2 h
HCor: 69.8 h
Oswaldo Cruz: 78.5 h
Hospital Moinhos: 75.1 h

Encryption: 9.2 ms
Ciphertext: 1.25 MB

Clinical note · case-mix adjustment

Comparing raw averages is invalid — Albert Einstein receives more severe stroke cases than HCor, not because of worse quality but because of case-mix (age, comorbidities, severity). Comparing raw length of stay distorts the evaluation.

Industry-standard adjustment — Serious hospital benchmarking uses the Elixhauser Comorbidity Index or Charlson Index to adjust average length of stay by cohort severity, before comparing. The adjustment is performed locally at each hospital.

In this demo — The values already represent adjusted times computed locally. FHE enters afterwards: it aggregates the adjusted values without exposing the absolute numbers.

Step 04 · Transit

The aggregator receives.

The 5 ciphertexts travel to a neutral aggregator (medical society, IBGE, academic consortium). The aggregator has no secret key — it cannot see any value.

Real Ciphertext Sample (first 32 bytes)

01 7b 22 50 6c 61 69 6e
74 65 78 74 4d 65 74 61
44 61 74 61 22 3a 7b 22
53 63 61 6c 65 22 3a 7b
...

Each ciphertext has ~1.25 MB of pseudo-random bytes. Without the key, recovering 72.4 h would require solving Ring-LWE at N=16384 → ~2¹²⁸ operations.

Total Transferred

Ciphertexts: 5
Total sent: ~6.2 MB

Step 05 · Aggregator

Statistics under encryption.

The aggregator adds the ciphertexts, multiplies by 1/N for the mean, and computes the second moment for variance. All under encryption. The aggregator never sees individual values.

The Algorithm

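// check(err) is a small helper that panics on a non-nil error
// encrypted sum: ctSum = cts[0] + ... + cts[N-1]
ctSum, err := evaluator.AddNew(cts[0], cts[1])
check(err)
for i := 2; i < N; i++ {
  check(evaluator.Add(ctSum, cts[i], ctSum))
}
// mean: multiply by the constant 1/N, then rescale
check(evaluator.Mul(ctSum, 1.0/float64(N), ctSum))
check(evaluator.Rescale(ctSum, ctSum))
// second moment: ctSq = Σ ct·ct (each product is relinearized)
ctSq, err := evaluator.MulRelinNew(cts[0], cts[0])
check(err)
for i := 1; i < N; i++ {
  sq, err := evaluator.MulRelinNew(cts[i], cts[i])
  check(err)
  check(evaluator.Add(ctSq, sq, ctSq))
}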

Real Performance

Total aggregation: 85 ms
Add ops: 8
Mul ops: 6
Bytes decrypted: 0

Step 06 · Decryption

Statistics revealed.

The encrypted result is decrypted collectively. Only the aggregated statistics come out — mean, variance, standard deviation. No individual value.

Aggregated Result

Sector mean: 75.40 h
Variance: 16.74
Standard deviation: 4.09 h
Hospitals: 5

Relative Position

Each hospital learns only ITS z-score:

Einstein: -0.73 ↓ below average
Sírio: +1.42 ↑ above average
HCor: -1.37 ↓ best in the group
Oswaldo: +0.76 ↑ slightly above
Moinhos: -0.07 ≈ average

Step 07 · Proof

Mathematical validation.

Direct comparison between the FHE computation and the plaintext computation. The CKKS approximation error is controlled and negligible for clinical analysis.

FHE vs Plaintext

Metric      FHE         Cleartext   Error
Mean        75.400000   75.400000   7.0e-11
Variance    16.740000   16.740000   2.0e-08
Std. dev.   4.091455    4.091455    2.5e-09

Result

Max error: 2.5 × 10⁻⁹

For clinical statistical analysis, 9 decimal places of precision is dramatically more than enough.
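
The cleartext side of this comparison, as an added example (not the demo's main.go): it follows the aggregator's operation order on the five values listed in Step 03, then applies first-order error propagation to show how the errors in the table relate to each other. All function names are illustrative.

```go
package main

import (
	"fmt"
	"math"
)

// LOS holds the adjusted length of stay in hours, copied from Step 03.
var LOS = []float64{72.4, 81.2, 69.8, 78.5, 75.1}

// Stats holds the aggregates the encrypted circuit produces.
type Stats struct{ Mean, Variance, Std float64 }

// Reference follows the aggregator's operation order in cleartext:
// sum, scale by 1/N, sum of squares, then Var = E[x^2] - mean^2.
func Reference(xs []float64) Stats {
	var sum, sumSq float64
	for _, x := range xs {
		sum += x
		sumSq += x * x
	}
	n := float64(len(xs))
	mean := sum / n
	v := sumSq/n - mean*mean
	return Stats{mean, v, math.Sqrt(v)}
}

// ZScores returns (x - mean) / std for every input.
func ZScores(xs []float64, s Stats) []float64 {
	z := make([]float64, len(xs))
	for i, x := range xs {
		z[i] = (x - s.Mean) / s.Std
	}
	return z
}

// VarErrFromMean is the first-order effect of a mean error on mean^2: 2*mean*err.
func VarErrFromMean(s Stats, errMean float64) float64 { return 2 * s.Mean * errMean }

// StdErrFromVar is the first-order effect of a variance error on its square root.
func StdErrFromVar(s Stats, errVar float64) float64 { return errVar / (2 * s.Std) }

func main() {
	s := Reference(LOS)
	fmt.Printf("mean=%.6f var=%.6f std=%.6f z=%.2f\n", s.Mean, s.Variance, s.Std, ZScores(LOS, s))
	fmt.Printf("var err from mean err 7.0e-11: %.2e\n", VarErrFromMean(s, 7.0e-11))
	fmt.Printf("std err from var err 2.0e-08:  %.2e\n", StdErrFromVar(s, 2.0e-08))
}
```

Subtracting mean² (about 5685) amplifies a mean error by 2 × 75.4, which is why the variance row shows the largest error; dividing that error by 2σ gives about 2.4e-09, in line with the standard deviation row.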

Step 08 · Adversarial

The dishonest aggregator.

What can a dishonest aggregator extract?

Attack Attempts

  • 1 — Read one hospital's ciphertext: pseudo-random bytes. Nothing recoverable.
  • 2 — Invert the mean to obtain individuals: 5 unknowns, 1 equation. Under-determined system. Individual values remain mathematically protected.
  • 3 — Recover sk from pk: Ring-LWE at N=16384, ~2¹²⁸ operations. Infeasible.

What comes out

ONLY the aggregated statistics (mean, variance, standard deviation). Each hospital learns only its relative position. The absolute numbers of the others remain mathematically impossible to recover.

Step 09 · Summary

What happened.

In under 1 second, five hospitals discovered their relative positions on a quality metric — without any of them exposing their absolute numbers.

The Flow

  1. Five hospitals locally encrypted their mean length of stay
  2. They sent only the ciphertexts to the neutral aggregator
  3. The aggregator computed mean and variance under encryption (85 ms)
  4. The decrypted result revealed the aggregated statistics
  5. Each hospital learned only its relative position

Real Numbers

Encryption/hospital: 9 ms
Aggregation: 85 ms
Per ciphertext: 1.25 MB
Precision error: 10⁻⁹

This primitive serves 4 eBooks: Hospitals (benchmarking), Labs (multicenter), Pharma (RWE interim), Health plans (population actuarial).