Why IBM is Pushing 'Fully Homomorphic Encryption' (venturebeat.com) 122
VentureBeat reports on a "next-generation security" technique that allows data to remain encrypted while it's being processed.
"A security process known as fully homomorphic encryption is now on the verge of making its way out of the labs and into the hands of early adopters after a long gestation period." Companies such as Microsoft and Intel have been big proponents of homomorphic encryption. Last December, IBM made a splash when it released its first homomorphic encryption services. That package included educational material, support, and prototyping environments for companies that want to experiment. In a recent media presentation on the future of cryptography, IBM director of strategy and emerging technology Eric Maass explained why the company is so bullish on "fully homomorphic encryption" (FHE)...
"IBM has been working on FHE for more than a decade, and we're finally reaching an apex where we believe this is ready for clients to begin adopting in a more widespread manner," Maass said. "And that becomes the next challenge: widespread adoption. There are currently very few organizations here that have the skills and expertise to use FHE." To accelerate that development, IBM Research has released open source toolkits, while IBM Security launched its first commercial FHE service in December...
Maass said in the near term, IBM envisions FHE being attractive to highly regulated industries, such as financial services and health care. "They have both the need to unlock the value of that data, but also face extreme pressures to secure and preserve the privacy of the data that they're computing upon," he said.
The Wikipedia entry for homomorphic encryption calls it "an extension of either symmetric-key or public-key cryptography."
Its IBM. (Score:5, Interesting)
Re: (Score:2)
Can you crack RSA? RSA supports homomorphic operations.
Re: (Score:2)
Re: (Score:2)
Yes, speed is the key limiter on FHE. Always has been.
Re: (Score:2)
Re: (Score:3)
And there are symmetric key versions. The issue becomes that, in naive schemes, the numbers become extremely large, very fast and need to be reencrypted. Presumably IBM solved that.
Re: (Score:2)
Re: (Score:2)
Go read the FP again.
Re: (Score:2)
Re: (Score:2)
Because it's being rather hasty to assume it can't possibly work, when one of the most well-known and attacked cryptosystems supports homomorphic operations. If that broke it, don't you think we'd all know by now?
Re: (Score:2)
Re: (Score:2)
That's also a fair reading of it.
Re:Its IBM. (Score:5, Informative)
Homomorphic is crackable by definition (Score:5, Informative)
Beware the hype. It's mathematically impossible to have homomorphic encryption that is secure by any definition used by the cryptography community.
Which isn't to say it's not better than plaintext. If you absolutely must process sensitive data on the cloud, because your office has no power outlets, it's better to use homomorphic encryption than nothing. Slightly better.
For example, all homomorphic schemes are necessarily "malleable". That's the crypto term for "the bad guy can change the data, without needing to know the key."
Suppose there is a purchase transaction or other transfer. Maybe I'm buying something and you encrypt the data used in the redirect to the payment processor. If you use homomorphic encryption, I can change the price to be price / 10. Without needing to know the secret key.
They are also wide open to what are called inference attacks.
Suppose your site shows the average X, but doesn't reveal X for any particular person. You are being careful about inference attacks, so you only let me query the average salary for large groups like male employees and you let me query the average salary for football players. You don't let me query the average salary of GLBTQ employees because the group is small enough that the average would let me get something about the individuals. If you're using homomorphic encryption your carefulness is all for naught - the mathematical relationships between the values are on display for all to see, so once I know my own salary I can calculate the salary of any other individual.
So the security is pretty weak. By definition - if the service provider can compute the average salary of Ray and Joe, so can the attacker. Since the attacker is Ray, he already knows Ray's salary, so he can compute Joe's salary (or bank account number) by simple arithmetic.
Besides being weak in security, homomorphic encryption is limited in the operations it can perform. Very, very limited in the case of the type that provides at least a reasonable facsimile of a useful degree of security. Fully homomorphic can do all the operations, but is about as secure as base64.
Re:Homomorphic is crackable by definition (Score:5, Informative)
Re: (Score:3)
The scripts to deploy the FHE toolkit to Hyper Protect are in the automation directory in our Linux Toolkit Github.
https://github.com/ibm/fhe-too... [github.com]
Thanks, this is the part that makes the subject interesting! Without that, it isn't really even news to me.
Also, people should note that the key part, HElib ( https://github.com/IBM-HElib/H... [github.com] ) is under the Apache 2 License.
I am a bit disappointed that it uses C++17, instead of something more portable like C99 or C11.
Re: (Score:2)
I am a bit disappointed that it uses C++17, instead of something more portable like C99 or C11.
Are there any platforms where FHE would be used that don't have a modern C++ compiler and libraries? Even tiny IoT CPUs do, and I expect that FHE will mostly be a server-side thing.
Re: (Score:2)
Even tiny IoT CPUs do
That's not accurate.
And it makes integration much more difficult. It is generally dubious in embedded programming to require a compiler version less than 10 years old.
It isn't enough to have a compiler, you also have to integrate the libraries. This is a library; it shouldn't require a cutting edge compiler. The application will usually already be using an older compiler.
Re: (Score:2)
I *knew* it had to be snake oil.
It had all the smells of a self-contradiction.
Re: (Score:2)
The hype is indeed - well, hype.
Also, the technology isn't *total* bullshit.
Think the ad says "motorcycle", the reality is a kids' 12V motorscooter.
Re: (Score:2)
In theory the inference attacks are avoidable. I suspect in practice exposing information that does not allow people to back into the data they are looking for is going to be extremely challenging.
Let's say I know my salary and I get access to the ciphertexts. There are two records in the system. Mine and Alice's. I can see the salary total ciphertext but I haven't got the key. I can see my ciphertext is X, my salary the plaintext is 250,000, and Alice's salary ciphertext is Y. The total is Z
This means I
Re: (Score:2)
I was mainly considering multi tenant ASP situations. An attacker is going to target the ASP. The computation keys at that point are no longer secrets (if the attack is successful). The private key should be held by the data owner and presumably be much harder to obtain.
Re: (Score:2)
Re: (Score:2)
Suppose your site shows the average X...
Perhaps I'm misunderstanding, but this attack applies to any scheme where you try to make the properties of some subsets of data public while keeping the properties of other subsets of data private -- but is that really what people are trying to accomplish with homomorphic encryption? As far as I can tell, the point is to allow a service to do a computation without either the service or any third party knowing anything at all about the nature of the decrypted data. And if you know nothing you can't make any infe
Re: (Score:2)
I was a little unclear there.
Inference attacks are a concern any time an adversary could do computations on data derived from the plaintext. The canonical examples would be "I can see whether two values are the same" and "I can see the average for males, the average for employees in Dallas, and the average for programmers. Therefore I can calculate the value for the male programmer in Dallas". So to defend against inference attacks we try various strategies.
That's the example, but let's remember the defi
Re: (Score:2)
Thanks. That's much clearer.
Turns it into a substitution cipher (child's play) (Score:2)
The mode of operation is just as important as the cipher primitive.
There are plenty of constructions using AES or RSA which are trivially easy to break. See the ECB penguin for a visual example.
The homomorphic case is essentially ECB (and therefore garbage). The encryption is applied to each discrete data value independently, rather than to the database as a whole. What that means is C(19) = C(19), any given plaintext value always yields the same ciphertext. So let's make up our own such cipher, which is
Re: (Score:2)
Nah... they just need to find a way to deprecate TLS 1.2 and 1.3 faster so they can use it as an excuse to force you to upgrade to the latest version of (Insert expensive Enterprise software package here) for SOX/HIPAA/PCI compliance.
Re: (Score:2)
I figure they have a really easy way to crack it and they want to sell it to a government. Not necessarily the US government.
Either that, or they've figured out a way to use it to fire and offshore even more people.
2 Words. (Score:2)
Shame of them! (Score:2, Funny)
In today's society there is no reason to be homomorphic! Just let people do as they please in their own private lives.
Example Use-Case (Score:2)
All it needs for adoption is a compelling use-case.
So, I can't help but wonder if the current furore over vaccine passports (or inevitable international adoption, depending on your viewpoint) has influenced the timing of this announcement...
Re:Example Use-Case (Score:5, Insightful)
Cloud computing is the use case. Host proof computing.
Re: (Score:2)
Cloud computing is the use case
Yes. Decrypting traffic is a cost. Doing something to save a few cycles here and there adds up to a non-zero number of savings. That isn't to say that Facebook or whoever isn't interested in your data, just that there is some traffic that these companies do that if they can avoid the cost of decrypting it, then that is a few more cycles for somewhere else. FHE is one of those cases of "save n% (where 0<n<=1) here every time and it adds up to $xxx.xx per year in savings." Bean counters go ga-ga ov
Re: (Score:2)
Well EXTERNAL cloud would be the use case. Nothing keeps a company from having a private cloud in their basement. [differencebetween.com]
Re: (Score:2)
That is not a "cloud".
Re: (Score:2)
Re:Example Use-Case (Score:5, Informative)
Uh, the whole point is that you supply encrypted data. If they dont use FHE, you won't get anything useful back. They never get the key.
Re: (Score:1)
Re:Example Use-Case (Score:4, Informative)
https://ijsbeer.org:81/a-symme... [ijsbeer.org]
Code for you. Go learn something.
Re: (Score:2)
Re: (Score:2)
Okay, stop thinking of computing at such a high level. You have to work at gate level. The line with the c = is the only part that would happen on a cloud server. Read the linked paper.
For $100/hr, I'll tutor you.
Re: (Score:3)
Re: (Score:2)
That code implements the simplest possible homomorphic encryption and operations you can perform. It's based on a paper that's exceedingly easy to understand and is linked in the summary. It's a far better explanation than you'll find anywhere else.
I'm serious. I'm not trying to shit you. It really works. I know, because.. who the hell do you think learned and wrote it?
Re: (Score:2)
I should be extra clear: that code is a working example of an explanatory paper on the subject that only supplies pseudocode.
But that paper is THE introduction to the subject.
Re: (Score:3)
I'm sorry, that page lost the original paper link at some point. I apologize.
It's https://crypto.stanford.edu/cr... [stanford.edu]
Re: (Score:2)
And here I was going to ask if you were Craig Gentry. Now here's an idea. Implement some of that in an FPGA/Microcontroller board. [aloriumtech.com]
Re: (Score:2)
It's just one person, why charge a ton?
Also, this is why I'm *not* a consultant normally. I don't like charging people money. Weird character flaw.
Re: (Score:2)
Re: (Score:2)
And you'd be wrong.
Re: (Score:2)
Using "instincts" to predict the capabilities of extant computer algorithms that you're unfamiliar with is absurd folly.
Re: (Score:2)
Code for you. Go learn something.
I'd like to learn what the GP is doing. Can you ELI5 rather than posting some incomprehensible code? Some of us are just interested and don't have our masters in computer science.
Re:Example Use-Case (Score:5, Interesting)
The idea is that you provide encrypted data, and some description of how to process it, and the math works out such that the computer can process the data -- and generate a sensible, but still encrypted, result without knowing what the inputs or outputs really mean. The ciphertext is generally a lot bigger than the plaintext in order to create mathematical structure that makes the operations on encrypted data sensible, and the operations are far less efficient than the equivalent operation on unencrypted data.
That inefficiency is what has held back FHE to date. This [iacr.org] is a fairly good intro to the subject, but note some of the then-current best results: performing a single bitwise operation might take 13 milliseconds. IBM's announcement implies that they have gone a long way in solving that problem.
Re: (Score:2)
Re: Example Use-Case (Score:2)
it doesn't need a key. it's just math. you can read the analysis and see the proofs for the limited operations you can perform on the encrypted data. from those primitive operations you can build up an arithmetic system.
Re:Example Use-Case (Score:5, Informative)
Re: (Score:2)
Sort of a spread-spectrum, hiding information in the noise type of thing.
Re: (Score:2)
Thank you for taking the time to contribute to this thread, it is great to see people involved in the work actually commenting on Slashdot (and sadly too rare).
Re: (Score:2)
Just firing off here without searching so feel free to ignore ... Any similarities to winnow and chafe as set out by the RSA guys?
Re: (Score:2)
Re: (Score:2)
Lol. Was waiting for a comment like this.
Re: (Score:2)
People have been concerned about security "in the cloud" for a while now.
Not concerned enough.
Re: (Score:2, Insightful)
I doubt it. A compelling use case is just about every multi-tenant SAS product in existence.
I don't see why you need this to do vaccine passwords at all. All you need is any regular old boring public key private key crypto over a file containing the person's photo, name, status, and issue date signed by whatever authorized entity did the jab, their key being signed by whatever government authority authorized them to give jabs.
Because who you are and status are fundamental to the use of the passport. There is n
Re: Example Use-Case (Score:2)
Re: (Score:2)
You already need to provide proof of vaccinations to travel to certain countries or to attend schools (though there are sometimes exceptions you can provide instead).
Re: Example Use-Case (Score:2)
Re: (Score:3)
long before covid, to somebody somewhere, you yourself are a disease bag putting them at risk
by your argument, from their pov, it's their right to have you conform your life to their requirements, and not what you'd decide for yourself
one group deciding for another what's best for them.... yep, generic fascism and tyranny right there; no need to label it under the Natzee Brand Oppression
Re: Example Use-Case (Score:2)
Re: Example Use-Case (Score:2)
Ever heard of the slippery slope fallacy?
Yes. What makes it a fallacy is when you state that the "bottom" of the slope is unavoidable. There's no fallacy in talking about or predicting a cascading chain of events, as long as you allow for intermediate events to change the outcome.
Re: (Score:2)
Mo money (Score:1)
I'm somewhat surprised they still employ 130.000 worldwide. Are they still selling their old mainframes to those few stalwarts that refuse to use Intel hardware?
Re: (Score:2)
I worked at a data center that had about two dozen, with decade long maintenance contracts and support agreement. Lots of banks, governments, etc still use them. Especially for sequential data that can't be easily parallelized, or legacy code that would run billions to replace with a likely worse version.
Re: (Score:1)
I've seen IBM lay off many Americans only to hire Indian replacements through the H1-B visa system. In some cases Americans were even forced to train their own replacements. The horror!
As far as I'm concerned IBM is dead, merely a shell company to enrich its management and a few shareholders. The employees are ending up with the short end of the stick.
Can you print out this super secret data for me? (Score:1)
Re: (Score:2)
Re: (Score:2)
I'm sure IBM employs a lot of homomorphics
Re: (Score:1)
I gotta admit. At first glance, I read that completely wrong.
Me too, after reading a zillion comment thread about homophobic web browsers earlier. haha
Re: (Score:2)
Description? (Score:5, Informative)
The slashdot editor added: The Wikipedia entry for homomorphic encryption calls it "an extension of either symmetric-key or public-key cryptography."
to the end of the post as if that somehow explains to people what homomorphic encryption is.
Homomorphic encryption is any encryption scheme that allows you to perform computation on the encrypted data without decrypting it. So, for example, if you had heart rate data that was decrypted and stored on your phone, you could send it safely fully encrypted to a web service that could then calculate the average and send it back to you to compute your average HR. But the web-service itself wouldn't have any idea what your average heart rate is, it would only know an encrypted version of your average heart rate, which it would send back to your device. Your device would decrypt it and show it to you.
This is different than normal encryption schemes where the encrypted version of the data is essentially useless and must be decrypted to compute anything with, so if you want a 3rd party to compute something on your data, you have to trust them to work with the decrypted data.
Re: (Score:2)
If you want practical examples in simple Python, see https://ijsbeer.org:81/a-symme... [ijsbeer.org].
Re: (Score:1)
Homomorphic means "human-shaped", and usually refers to shape-shifters that take on human form, like Our Lizardy Overlords.
Re: (Score:2)
Re: (Score:2)
Thank you. I was going to write a comment to the same effect.
Re: (Score:1)
Literally the first line in the summary explains that: "VentureBeat reports on a "next-generation security" technique that allows data to remain encrypted while it's being processed"
I read your comment, and thought "No it didn't."
I scrolled to the top and began reading "A security process known as fully homomorphic encryption...
Eventually I realized that I started reading at the second line... both times.
Re: (Score:2)
Ah I see it, so it does. I was skimming and found the weird out of context wikipedia quote at the end unnecessary and somewhat oddly chosen, as if they were trying to explain but ended up with a pull quote that doesn't really explain. Another commenter noted that it may actually be an automated tool pulling those, which I think is probably right, since that sentence is a bit useless out of context. Oh well.
c'mon, it's 2021 (Score:2)
No homomorphs need to feel like they have to stay encrypted these days.
Complete Crap 16X slower (Score:1)
Re: Complete Crap 16X slower (Score:2)
performance is one possible feature for any computing product. but it isn't the only requirement and often not the most important. for example, performing operations without the decryption keys and without being able to set aside intermediate results is a very valuable feature in some narrow use case.
Re: (Score:2)
what in the holy hell are you on about
I need new glasses... (Score:2)
I first read that as "fully homeopathic encryption"...which given that it is IBM, probably means it has about the same level of efficacy.
Key (Score:2)
While neat, I was unaware anything was crackable sans social engineering to get at keys and passwords.
The only mild danger is quantum computing, and even that just means longer keys.
NOT IN THIS HOUSE (Score:5, Funny)
Re: (Score:2)
https://giphy.com/gifs/cbc-can... [giphy.com]
Re: (Score:2)
The company that made my old accounting software was run by strict Dutch Reformed Christians, as (for some reason) most accounting software firms here are. The software - thankfully - worked on Sundays, but their website would go completely off the air on those days.
Explanation (Score:3, Informative)
The scenario is that usual encryption schemes turn plaintexts (say, numbers, or bytes) into ciphertexts that "look random", so clearly any property that those plaintexts initially had (for example, the possibility of being added together to form another number) gets "lost" during encryption, in the sense that the "addition of two ciphertexts" is totally unrelated to the addition of the two underlying plaintexts.
"Homomorphic" refers to the property of an encryption scheme of commuting with some algebraic operation. Most classic public-key encryption schemes are actually homomorphic, but *only* in respect to one operation. This is called "group homomorphic encryption", or sometimes "partially homomorphic encryption" (not to be confused with "somewhat homomorphic encryption", which is something else still). For example, in textbook RSA, the product of two ciphertexts is really the ciphertext corresponding to the sum of the two underlying plaintexts. A group homomorphism is an invertible map between the operation in the plaintext group and in the ciphertext group.
So, group homomorphic encryption (related to only *one* operation) exists and is already used. But what about *two* operations at the same time? For example, addition and multiplication? Boolean AND and OR? Any two operations that allow to build arbitrary circuits?
This is what is called "fully homomorphic encryption" (FHE). For a long time people have tried and failed to build it, and many wondered whether FHE was even possible to achieve at all. This changed in 2009, with the groundbreaking discovery by Craig Gentry of the first construction for a public key FHE scheme. Gentry eventually joined IBM, which is now pushing for adoption of this technology. No conspiracy here, just follow the money: FHE would be extremely useful, especially for cloud. For example, say you are Big Pharma, and would like to rent IBM cloud power to run some computationally expensive algorithm for chemical simulation of a new drug you are developing. The problem is that the design of the drug is top secret because it hasn't been patented yet, and you don't want to give it in clear to IBM. With FHE, you can give to IBM an encrypted version of your molecule, and IBM would be able to perform computation on it without even knowing what it is, and the result would be already encrypted with your public key.
Applications of FHE are countless, in fact FHE is sort of super-powerful: it can be used to build pretty much any kind of encryption, zero-knowledge proofs, consensus algorithms etc. So far only another cryptographic primitive, "indistinguishability obfuscation", is suspected to be "more powerful" than FHE (and this is not yet sure). As an added bonus, FHE is natively quantum-resistant.
There is only one little problem: FHE is slow as hell.
Just to put it into perspective, in the original Gentry scheme to encrypt a single bit of information would require key sizes of several GB, the resulting ciphertexts are huge, and evaluating a single algebraic operation takes several hours. Since 2009 many improvements have been done, and the (open-source and peer-reviewed) library offered by IBM is probably one of the most advanced ones. But we are still far, far away from practicality for most applications. So, maybe one day, but for now it is much more efficient to use other techniques that are tailored to the specific use case.
Fun anecdote: at a social dinner during an academic conference in Lugano a few years ago, the "elder" professor who was giving a speech about the state of the art in cryptography got a bit tipsy, stumbled on his own words, and mentioned something about "the great progress ongoing in homophobic encryption".
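Added example, not part of any comment in this thread and not code from IBM's toolkit or HElib: a toy Paillier cryptosystem (a partially homomorphic, additive scheme chosen here for brevity) that runs the encrypted heart-rate average described under "Description?" and the keyless ciphertext modification raised under "Homomorphic is crackable by definition", with an HMAC over the ciphertext as the integrity check. The primes, readings, price and MAC key are constructed sample values, and all function names are this example's own.

```python
import hashlib
import hmac
import math
import secrets

# Toy Paillier key built from two Mersenne primes (constructed for this example).
# A ~92-bit modulus is far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                                            # public key
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)    # private: lcm(p-1, q-1)
MU = pow(LAM, -1, N)                                 # private: valid for g = n + 1


def encrypt(m: int) -> int:
    """Public-key operation: c = (1 + n)^m * r^n mod n^2 with a fresh random r,
    so encrypting the same value twice gives different ciphertexts."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (1 + m * N) % N2 * pow(r, N, N2) % N2


def decrypt(c: int) -> int:
    """Private-key operation, performed only by the data owner."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


# --- operations available to anyone holding only ciphertexts ----------------
def add_encrypted(c1: int, c2: int) -> int:
    """The product of two ciphertexts decrypts to the sum of the plaintexts."""
    return c1 * c2 % N2


def scale_encrypted(c: int, k: int) -> int:
    """A ciphertext raised to k decrypts to k times the plaintext (mod n)."""
    return pow(c, k, N2)


def encrypted_sum(ciphertexts) -> int:
    total = encrypt(0)
    for c in ciphertexts:
        total = add_encrypted(total, c)
    return total


# --- integrity check for ciphertexts that must arrive unmodified ------------
def tag(key: bytes, c: int) -> bytes:
    raw = c.to_bytes((N2.bit_length() + 7) // 8, "big")
    return hmac.new(key, raw, hashlib.sha256).digest()


def verify(key: bytes, c: int, t: bytes) -> bool:
    return hmac.compare_digest(tag(key, c), t)


def demo() -> dict:
    # Constructed sample data: heart-rate readings held by the client.
    readings = [62, 71, 68, 75]
    uploaded = [encrypt(r) for r in readings]       # client -> service
    enc_total = encrypted_sum(uploaded)             # service, no private key
    average = decrypt(enc_total) / len(readings)    # client decrypts the sum

    # Malleability: a price in cents is scaled by 10^-1 mod n without the key.
    mac_key = secrets.token_bytes(32)               # constructed shared MAC key
    c = encrypt(25_000)
    t = tag(mac_key, c)
    tampered = scale_encrypted(c, pow(10, -1, N))
    return {
        "average": average,
        "tampered_price": decrypt(tampered),
        "original_tag_ok": verify(mac_key, c, t),
        "tampered_tag_ok": verify(mac_key, tampered, t),
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC fits only the case where a ciphertext is relayed unchanged, as in the payment redirect; a service that computes on ciphertexts produces new ciphertexts that the original tag cannot cover.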
Little black box (Score:2)
Somewhere, someone is developing a little black box which will sit on a desk between the pencil jar and the lamp. It will be part of Setec Astronomy.
wechselbalg (Score:2)
Homo = humanoid
morphic = change shape
so like a were , can turn into an animal
Python APIs Available Too (Score:4, Informative)
Stating the obvious. (Score:2)
The biggest obstacle to adoption is IBM's 4800 patents on the technology. This is what killed arithmetic compression. Nobody wants to use a technology owned by a litigious patent accumulator.
The idea that anyone would adopt this as a standard is insane. Nobody in their right mind will do so.
avoid for finance and health (Score:2)