Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
IBM Encryption

Why IBM is Pushing 'Fully Homomorphic Encryption' (venturebeat.com) 122

VentureBeat reports on a "next-generation security" technique that allows data to remain encrypted while it's being processed.

"A security process known as fully homomorphic encryption is now on the verge of making its way out of the labs and into the hands of early adopters after a long gestation period." Companies such as Microsoft and Intel have been big proponents of homomorphic encryption. Last December, IBM made a splash when it released its first homomorphic encryption services. That package included educational material, support, and prototyping environments for companies that want to experiment. In a recent media presentation on the future of cryptography, IBM director of strategy and emerging technology Eric Maass explained why the company is so bullish on "fully homomorphic encryption" (FHE)...

"IBM has been working on FHE for more than a decade, and we're finally reaching an apex where we believe this is ready for clients to begin adopting in a more widespread manner," Maass said. "And that becomes the next challenge: widespread adoption. There are currently very few organizations here that have the skills and expertise to use FHE." To accelerate that development, IBM Research has released open source toolkits, while IBM Security launched its first commercial FHE service in December...

Maass said in the near term, IBM envisions FHE being attractive to highly regulated industries, such as financial services and health care. "They have both the need to unlock the value of that data, but also face extreme pressures to secure and preserve the privacy of the data that they're computing upon," he said.

The Wikipedia entry for homomorphic encryption calls it "an extension of either symmetric-key or public-key cryptography."
This discussion has been archived. No new comments can be posted.

Why IBM is Pushing 'Fully Homomorphic Encryption'

Comments Filter:
  • Its IBM. (Score:5, Interesting)

    by Revek ( 133289 ) on Monday April 05, 2021 @06:43AM (#61237940)
    I figure they have a really easy way to crack it and they want to sell it to a government. No necessarily the US government.
    • Can you crack RSA? RSA supports homomorphic operations.

      • ...and the vast majority of data is not encrypted with RSA owing to its speed, or the lack thereor.
        • Yes, speed is the key limiter on FHE. Always has been.

          • Even in absence of FHE, most encrypted data to my understanding is encrypted with symmetric block or stream ciphers.
          • Re:Its IBM. (Score:5, Informative)

            by dowem ( 6935416 ) on Monday April 05, 2021 @09:31AM (#61238406)
            Full disclosure, I work at IBM on FHE! As mentioned in the article we get the speed concerns. It is a major priority for us to make FHE faster and easier to consume. With regards to speed, it is clear that FHE operations are slower than unencrypted operations. Even so, some amazing speed results can be achieved if one stops looking at raw performance numbers compared to unencrypted work. There are many tasks companies would like to do today that they simply cannot because of the risks involved (like computing on your healthcare records or other sensitive personal information). FHE, while slower than unencrypted operations lets you implement FHE systems that can never never be put into production as unencrypted operations. The article mentions an AI inferencing task on genomic data that happens in well under a second. The myth that FHE is too slow to be useful persists. I would argue FHE is ready today for MANY scenarios where latencies in computing are on the order of minutes or seconds (a lot of banking work and healthcare work take longer than those timescales today).
      • by raymorris ( 2726007 ) on Monday April 05, 2021 @08:39AM (#61238226) Journal

        Beware the hype. It's mathematically impossible to have homomorphic encryption that is secure by any definition used by the cryptography community.

        Which isn't to say it's not better than plaintext. If you absolutely must process sensitive data on the cloud, because your office has no power outlets, it's better to use homomorphic encryption than nothing. Slightly better.

        For example, all homomorphic schemes are necessarily "malleable". That's the crypto term for "the bad guy can change the data, without needing to know the key.

        Suppose their is a purchase transaction or other transfer. Maybe I'm buying something and you encrypt the data uses in the redirect to the payment processor. If you use homomorphic encryption, I can change the price to be price / 10. Without needing to know the know the secret key.

        They are also wide open to what are called inference attacks.
        Suppose your site shows the average X, but doesn't reveal X for any particular person. You are being careful about inference attacks, so you only let me query the average salary for large groups like male employees and you let me query the average salary for football players. You don't let me query the average salary of GLBTQ employees because the group is small enough that the average would let me I get something about the individuals. If you're using homomorphic encryption your carefulness is all for naught - the mathematical relationships between the values are on display for all to see, so once I know my own salary I can calculate the salary of any other individual.

        So the security is pretty weak. By definition - if the service provider can compute the average salary of Ray and Joe, so can the attacker. Since the attacker is Ray, he already knows Ray's salary, so he can compute Joe's salary (or bank account number) by simple arithmetic.

        Besides being weak in security, homomorphic encryption is limited in the operations it can perform. Very, very limited in the case of the type that provides at least a reasonable fascimile of a useful degree of security. Fully homomorphic can do all the operations, but is about as secure as base64.

        • by dowem ( 6935416 ) on Monday April 05, 2021 @09:22AM (#61238378)
          Hey there! Full disclosure, I work on FHE at IBM. I thought you might want to check out the protection of the runtime using something like Hyper Protect to prevent the bad guys from manipulating your data. We open-sourced some code this past week that looks at FHE as part of a comprehensive security model for putting work in public and private clouds. The scripts to deploy the FHE toolkit to Hyper Protect are in the automation directory in our Linux Toolkit Github. We totally get that FHE is not a silver bullet, and we are addressing issues like the malleability concern already with our existing enterprise-grade cloud infrastructure. I think we are further along in providing the hardened comprehensive system infrastructure than any of our competitors.
          • The scripts to deploy the FHE toolkit to Hyper Protect are in the automation directory in our Linux Toolkit Github.

            https://github.com/ibm/fhe-too... [github.com]

            Thanks, this is the part that makes the subject interesting! Without that, it isn't really even news to me.

            Also, people should note that the key part, HElib ( https://github.com/IBM-HElib/H... [github.com] ) is under the Apache 2 License.

            I am a bit disappointed that it uses C++17, instead of something more portable like C99 or C11.

            • I am a bit disappointed that it uses C++17, instead of something more portable like C99 or C11.

              Are there any platforms where FHE would be used that don't have a modern C++ compiler and libraries? Even tiny IoT CPUs do, and I expect that FHE will mostly be a server-side thing.

              • Even tiny IoT CPUs do

                That's not accurate.

                And it makes integration much more difficult. It is generally dubious in embedded programming to require a compiler version less than 10 years old.

                It isn't enough to have a compiler, you also have to integrate the libraries. This is a library; it shouldn't require a cutting edge compiler. The application will usually already be using an older compiler.

        • I *knew* it had to be snake oil.
          It had all the smells of a self-contradiction.

          • The hype is indeed - well, hype.
            Also, the technology isn't *total* bullshit.

            Think the ad says "motorcycle", the reality is a kids' 12V motorscooter.

        • by DarkOx ( 621550 )

          I theory the inference attacks are avoidable. I suspect in practice exposing information that does not allow people to back into the data they are looking for is going to be extremely challenging.

          lets say I know my salary and I get access to the cipher texts. There are two records in the system. Mine and Alice. I can see the salary total cipher text but I havent got the key. I can see my cipher text is X, my salary the plain-text is 250,000, and Alice's salary ciphertext is Y. The total is Z

          This means I

        • by juancn ( 596002 )
          It's also extremely expensive. Computation cost is several orders of magnitude higher. For large data volumes or complex processing it's likely prohibitive cost-wise.
        • by hey! ( 33014 )

          Suppose your site shows the average X...

          Perhaps I'm misunderstanding, but this attack applys to any scheme where try to make the properties of some subsets of data public while keeping the properties of other subsets of data private -- but is that really what people are trying to accomplish with homomorphic encryption? As far as I can tell, the point is to allow a service to do a computation without either the service or any third party knowing anything at all about the nature of the decrypted data. And if you know nothing you can't make any infe

          • I was a little unclear there.

            Inference attacks are a concern any time an adversary could do computations on in data derived from the plaintext. The canonical examples would be "I can see whether tow values are the same" and "I can see the average for males, the average for employees in Dallas, and the average for programmers. Therefore I can calculate the value for the male programmer in Dallas". So to defend against inference attacks we try various strategies.

            That's the example, but let's remember the defi

      • The mode of operation is just as important as the cipher primitive.
        There are plenty of constructions using AES or RSA which are trivially easy to break. See the ECB penguin for a visual example.

        The homomorphic case is essentially ECB (and therefore garbage). The encryption is applied to each discrete data value independently, rather than to the database as a whole. What that means is C(19) = C(19), any given plaintext value always yields the same ciphertext. So let's make up our own such cipher, which is

    • by leonbev ( 111395 )

      Nah... they just need to find a way to deprecate TLS 1.2 and 1.3 faster so they can use it as an excuse to force you to upgrade to the latest version of (Insert expensive Enterprise software package here) for SOX/HIPPA/PCI compliance.

    • I figure they have a really easy way to crack it and they want to sell it to a government. No necessarily the US government.

      Either that, or they've figured out a way to use it to fire and offshore even more people.

    • Patent portfolio.
  • by Anonymous Coward

    In today's society there is no reason to be homomorphic! Just let people do as they please in their own private lives.

  • All it needs for adoption is a compelling use-case.

    So, I can't help but wonder if the current furore over vaccine passports (or inevitable international adoption, depending on your viewpoint) has influenced the timing of this announcement...

    • by lessSockMorePuppet ( 6778792 ) on Monday April 05, 2021 @07:21AM (#61237988) Homepage

      Cloud computing is the use case. Host proof computing.

      • Cloud computing is the use case

        Yes. Decrypting traffic is a cost. Doing something to save a few cycles here and there adds up to a non-zero number of savings. That isn't to say that Facebook or whoever isn't interested in your data, just that there is some traffic that these companies do that if they can avoid the cost of decrypting it, then that is a few more cycles for somewhere else. FHE is one of those cases of "save n% (where 0<n<=1) here every time and it adds up to $xxx.xx per year in savings." Bean counters go ga-ga ov

      • Well EXTERNAL cloud would be the use case. Nothing keeps a company from having a private cloud in their basement. [differencebetween.com]

    • Comment removed based on user account deletion
      • Re:Example Use-Case (Score:5, Informative)

        by lessSockMorePuppet ( 6778792 ) on Monday April 05, 2021 @07:38AM (#61238026) Homepage

        Uh, the whole point is that you supply encrypted data. If they dont use FHE, you won't get anything useful back. They never get the key.

        • Comment removed based on user account deletion
          • Re:Example Use-Case (Score:4, Informative)

            by lessSockMorePuppet ( 6778792 ) on Monday April 05, 2021 @07:55AM (#61238068) Homepage

            https://ijsbeer.org:81/a-symme... [ijsbeer.org]

            Code for you. Go learn something.

            • Comment removed based on user account deletion
              • Okay, stop thinking of computing at such a high level. You have to work at gate level. The line with the c = is the only part that would happen on a cloud server. Read the linked paper.

                For $100/hr, I'll tutor you.

            • by jbengt ( 874751 )
              Just an instinct, but I would assume that if you are able to work on encrypted data without decrypting it, and without having the keys, then the encryption must be not be truly random, and so would be more easily breakable.
            • Code for you. Go learn something.

              I'd like to learn what the GP is doing. Can you ELI5 rather than posting some incomprehensible code? Some of us are just interested and don't have our masters in computer science.

          • Re:Example Use-Case (Score:5, Interesting)

            by Entrope ( 68843 ) on Monday April 05, 2021 @08:48AM (#61238258) Homepage

            The idea is that you provide encrypted data, and some description of how to process it, and the math works out such that the computer can process the data -- and generate a sensible, but still encrypted, result without knowing what the inputs or outputs really mean. The ciphertext is generally a lot bigger than the plaintext in order to create mathematical structure that makes the operations on encrypted data sensible, and the operations are far less efficient than the equivalent operation on unencrypted data.

            That inefficiency is what has held back FHE to date. This [iacr.org] is a fairly good intro to the subject, but note some of the then-current best results: performing a single bitwise operation might take 13 milliseconds. IBM's announcement implies that they have gone a long way in solving that problem.

          • it doesn't need a key. it's just math. you can read the analysis and see the proofs for the limited operations you can perform on the encrypted data. from those primitive operations you can build up an arithmetic system.

          • Re:Example Use-Case (Score:5, Informative)

            by dowem ( 6935416 ) on Monday April 05, 2021 @09:43AM (#61238450)
            Full disclosure, I work at IBM on FHE. This is a gross simplification but here goes! The secret data that you want to protect is encrypted by effectively hiding it in a massive polynomial with special modular arithmetic properties based on the private key. Only the person doing the encryption has this key. The FHE foundational operations work on these massive polynomials. So the processor who does the computing only sees huge polynomials. The agent who does the processing of the large polynomials cannot tease out the secret data that is protected (it is simply too spread out throughout these massive numbers represented as polynomials). The magic is that the operations on the polynomials behave in a way that is consistent with having operated on just the secret bits once you a modular arithmetic trick at the end to remove all the "junk" or "noise" that is hiding the real data. Note: There are actually public-type keys involved on the processing side and even some kinds of keys that are only used for internal processes during the computation. But as far as privacy is concerned, only the person who did the encryption (and has the private key) can decrypt the jumble of massive polynomial shenanigans to make sense of it all.
          • by ceoyoyo ( 59147 )

            Lol. Was waiting for a comment like this.

      • by XXongo ( 3986865 )

        People have been concerned about security "in the cloud" for a while now.

        Not concerned enough.

    • Re: (Score:2, Insightful)

      by DarkOx ( 621550 )

      I doubt it. A compelling use case is just about every multi-tenant SAS product in existence.

      I don't see why you need this to do vaccine passwords at all. All you need is any regular old boring public key private key crypto over a file containing the persons photo, name, status, and issue date signed by whatever authorized entity did the jab, their key being signed by whatever government authority authorized them to give jabs.

      Because who you are and status are fundamental to the use the passport. There is n

  • The 'why' usually has to do with money if IBM is involved.

    I'm somewhat surprised they still employ 130.000 worldwide. Are they still selling their old mainframes to those few stalwarts that refuse to use Intel hardware?
    • by RevDisk ( 740008 )
      They still sell brand new zOS mainframes, and quite a few of them.

      I worked at a data center that had about two dozen, with decade long maintenance contracts and support agreement. Lots of banks, governments, etc still use them. Especially for sequential data that can't be easily parallelized, or legacy code that would run billions to replace with a likely worse version.
  • I need to distribute it to some people. But make sure it stays encrypted, it is super secret.
  • Comment removed based on user account deletion
  • Description? (Score:5, Informative)

    by quadelirus ( 694946 ) on Monday April 05, 2021 @07:34AM (#61238014)

    The slashdot editor added: The Wikipedia entry for homomorphic encryption calls it "an extension of either symmetric-key or public-key cryptography."

    to the end of the post as if that somehow explains to people what homomorphic encryption is.

    Homomorphic encryption is any encryption scheme that allows you to perform computation on the encrypted data without decrypting it. So, for example, if you had heart rate data that was decrypted and stored on your phone, you could send it safely fully encrypted to a web service that could then calculate the average and send it back to you to compute your average HR. But the web-service itself wouldn't have any idea what your average heart rate is, it would only know an encrypted version of your average heart rate, which it would send back to your device. Your device would decrypt it and show it to you.

    This is different than normal encryption schemes where the encrypted version of the data is essentially useless and must be decrypted to compute anything with, so if you want a 3rd party to compute something on your data, you have to trust them to work with the decrypted data.

    • If you want practical examples in simple Python, see https://ijsbeer.org:81/a-symme... [ijsbeer.org].

    • Homomorphic means "human-shaped", and usually refers to shape-shifters that take on human form, like Our Lizardy Overlords.

    • Thank you. I was going to write a comment to the same effect.

  • No homomorphs need to feel like they have to stay encrypted these days.

  • It is complete crap. The whole point of instruction decoding is ease and speed. Data has to end up in registers, and useful comparisons performed. If you need to ask is A = B you can't do that if the data is encrypted, or you could compare in a shadow set of registers, and bingo power consumption is through the roof. Next you ask is the point of weakness the OS - or the CPU?. Hardly anyone is complaining that Intel has not fixed up their speculative piplelines - which also get deleted if there was hypotheti
    • performance is one possible feature for any computing product. but it isn't the only requirement and often not the most important. for example, performing operations without the decryption keys and without being able to set aside intermediate results is a very valuable feature in some narrow use case.

    • by SirSlud ( 67381 )

      what in the holy hell are you on about

  • I first read that as "fully homeopathic encryption"...which given that it is IBM, probably means it has about the same level of efficacy.

  • While neat, I was unaware anything was crackable sans social engineering to get at keys and passwords.

    The only mild danger is quantum computing, and even that just means longer keys.

  • by scourfish ( 573542 ) <.moc.oohay. .ta. .hsifruocs.> on Monday April 05, 2021 @08:26AM (#61238180)
    We run a clean, Christian datacenter.
  • Explanation (Score:3, Informative)

    by Gaglia ( 4311287 ) on Monday April 05, 2021 @09:29AM (#61238396)
    Before the Dunning-Kruger mob starts spreading nonsense as usual, here is a short explanation.

    The scenario is that usual encryption schemes turn plaintexts (say, numbers, or bytes) into ciphertexts that "look random", so clearly any property that those plaintexts initially had (for example, the possibility of being added together to form another number) gets "lost" during encryption, in the sense that the "addition of two ciphertexts" is totally unrelated to the addition of the two underlying plaintexts.

    "Homomorphic" refers to the property of an encryption scheme of commuting with some algebraic operation. Most classic public-key encryption schemes are actually homomorphic, but *only* in respect to one operation. This is called "group homomorphic encryption", or sometimes "partially homomorphic encryption" (not to be confused with "somewhat homomorphic encryption", which is something else still). For example, in textbook RSA, the product of two ciphertexts is really the ciphertext corresponding to the sum of the two underlying plaintexts. A group homomorphism is an invertible map between the operation in the plaintext group and in the ciphertext group.

    So, group homomorphic encryption (related to only *one* operation) exists and is already used. But what about *two* operations at the same time? For example, addition and multiplication? Boolean AND and OR? Any two operations that allow to build arbitrary circuits?

    This is what is called "fully homomorphic encryption" (FHE). For long time people have tried and failed to build it, and many wondered whether FHE was even possible to achieve at all. This changed in 2009, with the groundbreaking discovery by Craig Gentry of the first construction for a public key FHE scheme. Gentry eventually joined IBM, which is now pushing for adoption of this technology. No conspiracy here, just follow the money: FHE would be extremely useful, especially for cloud. For example, say you are Big Pharma, and would like to rent IBM cloud power to run some computationally expensive algorithm for chemical simulation of a new drug you are developing. The problem is that the design of the drug is top secret because it hasn't been patented yet, and you don't want to give it in clear to IBM. With FHE, you can give to IBM an encrypted version of your molecule, and IBM would be able to perform computation on it without even knowing what it is, and the result would be already encrypted with your public key.

    Applications of FHE are countless, in fact FHE is sort of super-powerful: it can be used to build pretty much any kind of encryption, zero-knowledge proofs, consensus algorithms etc. So far only another cryptographic primitive, "indistinguishability obfuscation", is suspected to be "more powerful" than FHE (and this is not yet sure). As an added bonus, FHE is natively quantum-resistant.

    There is only one little problem: FHE is slow as hell.

    Just to put it into perspective, in the original Gentry scheme to encrypt a single bit of information would require key sizes of several GB, the resulting ciphertexts are huge, and evaluating a single algebraic operation takes several hours. Since 2009 many improvements have been done, and the (open-source and peer-reviewed) library offered by IBM is probably one of the most advanced ones. But we are still far, far away from practicality for most applications. So, maybe one day, but for now it is much more efficient to use other techniques that are tailored to the specific use case.

    Fun anecdote: at a social dinner during an academic conference in Lugano a few years ago, the "elder" professor who was giving a speech about the state of the art in cryptography got a bit tipsy, stumbled on his own words, and mentioned something about "the great progress ongoing in homophobic encryption".
  • Somewhere, someone is developing a little black box which will sit on a desk between the pencil jar and the lamp. It will be part of Setec Astronomy.

  • Homo = humanoid
    morphic = change shape

    so like a were , can turn into an animal

  • by dowem ( 6935416 ) on Monday April 05, 2021 @09:56AM (#61238494)
    Full Disclosure, I work at IBM on FHE. Readers of slashdot might also be interested to watch this video I linked below in this post. The link jumps right to a demonstration of our FHE AI SDK on youtube, but a few minutes earlier in that video stream there are some use cases explained and some other content. However, I figure news for nerds means show me the code/demo! https://youtu.be/rAW2qVBZdYM?t... [youtu.be] The video linked above shows our python FHE programming runtime that is a much more user-friendly programming environment for building FHE applications. This SDK is licensed software. But, if you want to dabble a bit and run a few programs to get your hands on the technology, you can check out our freely available FHE toolkits (that do not have the python magic but are still pretty awesome) here: https://github.com/ibm/fhe-too... [github.com], https://github.com/ibm/fhe-too... [github.com], https://github.com/ibm/fhe-too... [github.com] At our github Readmes you can also find out how to join our public slack community to learn more or get in touch.
  • The biggest obstacle to adoption is IBM's 4800 patents on the technology. This is what killed arithmetic compression. Nobody wants to use a technology owned by a litigious patent accumulator.

    The idea that anyone would adopt this as a standard is insane. Nobody in their right mind will do so.

  • I would actually have said Financial services and Health are the Two areas that SHOULD NOT touch FHE yet. While I am confident the maths and encryption is all good, I will bet my last dollar there will be flaws in the implementations for some time to come, better to let less critical services find and fix those first.

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...