BGV ("exact" scheme) — FHE family that operates over integers. No approximation noise. Census counts need absolute exactness — BGV is the right scheme.

8 192 slots — Each ciphertext is a vector of 8 192 values. In real census production, each slot can encode a family or a region. A single operation processes them all.

Multiplicative depth 2 — How many chained multiplications the ciphertext supports. For census sums, low depth suffices — summing is cheaper than multiplying.

~128 bits of security — Industry standard. Breaking the key would require ~2¹²⁸ operations — astronomical, infeasible even on quantum hardware.

RLWE base — Ring Learning With Errors. Same problem behind ML-KEM/ML-DSA standardized by NIST as post-quantum cryptography.

IBGE — technical census operator. Holds share 1. Alone, cannot decrypt anything.

ANPD — national data protection authority. Holds share 2. Ensures usage complies with LGPD.

AGU — Federal Attorney General. Holds share 3. Legal custodian of the operation.

Required quorum: 3 of 3. Without authorization from all three, the result remains mathematically inaccessible.

Key split, not copied — The secret key that decrypts the result is mathematically split into N pieces (shares) using techniques like Shamir Secret Sharing. No single share carries useful information about the whole key — like handing out 3 puzzle pieces where no single piece reveals the image.

Collective decryption — To decrypt, each party generates a "decryption share" (without revealing its key piece). The shares are aggregated mathematically and only then does the result appear in cleartext. If a party is missing, the aggregate is useless.

k-of-n (quorum) — In real production you can configure "3-of-5" or "4-of-7" for redundancy: if up to k-1 parties are unavailable, the system still works. Here we use 3-of-3 (all mandatory) for simplicity.

Triple guarantee — Technical (mathematical), legal (LGPD via ANPD), political (public audit via AGU). Every decryption leaves an irrefutable trail of the three authorizations.

Cleartext data (on the phone):

Binary vector generated locally:

Local encryption: the vector is encrypted with the consortium public key (generated during the threshold phase). Only a ~384 KB ciphertext leaves the home.

Characteristic (one-hot) vector — Instead of sending "I am in the Northeast and I am poor", the family sends a binary vector where each position represents a region and the value is 1 or 0. This lets IBGE simply sum the vectors to get totals per region.

Encryption before sending — The crucial difference vs a traditional census: the vector is encrypted inside the home, before it travels. At no point does a cleartext copy exist outside the family's device.

3 ms per dataset — Encrypting an 8 192-slot vector takes a few milliseconds on a commodity smartphone. Speed is not a bottleneck.

100 families in the demo — Didactic version. In real IBGE production, millions of families contribute in parallel. The pattern scales because each encryption is independent.

Incoming bytes:

These bytes are pseudo-random — indistinguishable from noise to any observer without the secret key.

US CLOUD Act — A 2018 US law that compels American companies (including AWS, Azure, GCP) to hand over customer data under US court order, even if the data sits physically outside the US. It is Brazil's biggest digital-sovereignty worry today.

Why FHE neutralizes it — The cloud only stores ciphertext. It has no key (the key is distributed in Brazil among IBGE+ANPD+AGU). Even under US court order compelling it to hand over everything, it would hand over pseudo-random bytes. Nobody — not even the US judge — can extract useful information.

Data sovereignty through math — Instead of migrating everything to a national cloud (expensive, slow, limited), Brazil can use global cloud infrastructure without giving up sovereignty. It is exactly the kind of move serious digital-sovereignty countries (France via SecNumCloud, Germany via Gaia-X) are pursuing.

Homomorphic sum — The property that gives "FHE" (Fully Homomorphic Encryption) its name is exactly this: the sum of two ciphertexts decrypts to the sum of the plaintexts. Dec(ct₁ + ct₂) = m₁ + m₂. The server runs the operation without ever seeing the numbers.

Slot-wise — Each ciphertext has 8 192 slots (5 of them active for the 5 regions). The sum is performed slot by slot. Slot 0 (North) only accumulates 1's from Northern families. Slot 1 (Northeast) only from Northeast families. And so on. All in parallel, in a single operation.

Why this demo is "trivial" — The didactic example arrives with the aggregates pre-summed to simplify the walkthrough. In real IBGE production, this is where the millions of sums happen — and it is the step that gains most from slot batching.

No decryption — At no point does the server touch cleartext values. It only knows it has two "opaque objects" and that the Add operation returns a third opaque object. The math guarantees that this third object, once decrypted by the quorum, will be the correct sum.

BGV is an "exact" scheme — Unlike CKKS (which operates on approximate real numbers), BGV operates on integers modulo a prime. No approximation noise. The result of the encrypted sum is always bit-identical to the plaintext sum.

Why this matters for a census — In public statistics, "31% poor in the North" and "30.8% poor in the North" are different numbers. Precision must be absolute. BGV guarantees it. For hospital benchmarking or federated ML, approximate CKKS is enough. For census, we demand exact BGV.

Public audit possible — Because the result is mathematically verifiable (FHE introduces no randomness in the final result), any independent auditor can rerun the same operation over the same ciphertexts and obtain the same aggregate. Reproducibility is part of the guarantee.

Attack: a US judge orders AWS/Azure/GCP to hand over all Brazilian data hosted on their servers.

Defense: the cloud only has ciphertext. It hands over pseudo-random bytes. Without the key (distributed in Brazil among IBGE+ANPD+AGU), nothing is decryptable. Even the NSA with a classical supercomputer would need ~2¹²⁸ operations to attempt to break a single key.

Attack: an employee with access to the IBGE share tries to decrypt individual data.

Defense: they only have 1 of the 3 required shares. Alone, their share is mathematically useless. To decrypt they would have to convince ANPD and AGU to collaborate — three simultaneous institutional decisions, with audit.

Attack: a legitimate researcher tries to cross-reference the aggregated table with public datasets (electoral rolls, CNPJ, OpenStreetMap) to re-identify specific families.

Defense: the aggregated table with K-anonymity ≥ 10 per cell is resistant — each cell represents at least 10 indistinguishable families. For extra hardening, differential privacy (calibrated Gaussian noise) can be applied before publishing.

Defense in depth — The strength doesn't come from a single "perfect" barrier, but from three independent barriers that would all need to be broken simultaneously. Breaking the math (RLWE) is infeasible. Breaking the key distribution requires a triple institutional collusion. Breaking anonymization requires re-identification against a DP-protected aggregate.

It is not "trust in IBGE" — The defense is deliberately built to survive a malicious IBGE. That is the point of FHE + threshold: trust nobody, and still work.