Comments on: Homomorphic Encryption
http://www.metafilter.com/106354/Homomorphic-Encryption/
Comments on MetaFilter post Homomorphic Encryption
Tue, 09 Aug 2011 11:08:05 -0800
Homomorphic Encryption
http://www.metafilter.com/106354/Homomorphic-Encryption
Described as <a href="http://blogs.teamb.com/craigstuntz/2010/03/18/38566/">'cryptography's holy grail'</a>, <a href="http://en.wikipedia.org/wiki/Homomorphic_encryption">Homomorphic Encryption/Computation</a> is a form of encryption where specific algebraic operations on the plaintext translate into different algebraic operations on the ciphertext, allowing the plaintext's owner to <a href="http://techpp.com/2011/06/08/homomorphic-encryption/">'outsource'</a> computations to <a href="http://www.technologyreview.com/computing/38239/">untrusted</a> machines. <br /><br />There have been efficient 'partially' homomorphic cryptosystems that preserve either addition or multiplication, but not both, ever since RSA was discovered, the most well known being <a href="http://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange">Diffie–Hellman key exchange</a>. A 'fully' homomorphic cryptosystem permitting both ring operations was first devised in <a href="http://www.forbes.com/forbes/2009/0713/breakthroughs-privacy-super-secret-encryption.html">2009</a> using <a href="http://en.wikipedia.org/wiki/Lattice-based_cryptography">lattice-based cryptography</a>, but remained inefficient. Recent progress has centered upon finding good compromises of the two fully homomorphic systems that enable reasonable computations.
Applications include voting systems (<a href="http://web.mit.edu/6.857/OldStuff/Fall02/handouts/L15-voting.pdf">pdf</a>), collision-resistant hash functions, <a href="http://en.wikipedia.org/wiki/Private_information_retrieval">private information retrieval</a>, watermarking, <a href="http://digiorgio.com/blog/?p=397">in-house security</a>, <a href="http://blogs.forbes.com/andygreenberg/2011/04/06/darpa-will-spend-20-million-to-search-for-cryptos-holy-grail/">DARPA</a> funding, and obviously improving computational scalability through outsourcing computations on sensitive business data, conceivably already in limited use for algorithm trading. There might also be applications of public key homomorphic encryption to providing targeted advertisements without revealing personal information.
post:www.metafilter.com,2011:site.106354 Tue, 09 Aug 2011 10:56:14 -0800 jeffburdges
cryptography homomorphicencryption encryption homomorphic homomorphism cryptosystems RSA DARPA
By: DU
http://www.metafilter.com/106354/Homomorphic-Encryption#3860906
<i>"pure" and un-padded RSA is homomorphic with respect to multiplication.</i>
It's pretty clear (from the first link) what it means for rot13 to be homomorphic wrt concat. But I don't get what homomorphicity wrt multiplication would mean. I run "ABC" through RSA. I get a bunch of numbers. I multiply those numbers by 5. I decrypt. I now have "ABC" x 5?
(I really like this blog, though.)
comment:www.metafilter.com,2011:site.106354-3860906 Tue, 09 Aug 2011 11:08:05 -0800 DU
By: introp
http://www.metafilter.com/106354/Homomorphic-Encryption#3860913
Related: a Technology Review article from Monday that says Microsoft has a working practical proof-of-concept for a partially homomorphic encryption system (details are thin, but all addition and some multiplication are supported). The referenced (unlinked, ugh) <a href="http://research.microsoft.com/apps/pubs/default.aspx?id=148825">paper at Microsoft Research</a> is only 11 pages and I've not yet dug into it.
comment:www.metafilter.com,2011:site.106354-3860913 Tue, 09 Aug 2011 11:09:59 -0800 introp
By: introp
http://www.metafilter.com/106354/Homomorphic-Encryption#3860936
Homomorphic with respect to multiplication means that you run 17 through your encryption engine which yields X, run 5 through your encryption engine which yields Y, and there's a method to multiply X and Y which produces a result Z that you, the key-holder, can decrypt and get 85. The process doing the multiplying has no idea what pre-encrypted values that X and Y represent.
(If the usefulness of this being extended isn't obvious, here's one pie-in-the-sky: imagine if you stored your email on Google's servers in a homomorphic encrypted form that supported a bunch of string operations. They could still index and search it for you but would have no idea what the underlying email *says*. Of course, that's not in their best interest, but you get the idea.)
comment:www.metafilter.com,2011:site.106354-3860936 Tue, 09 Aug 2011 11:15:21 -0800 introp
By: kmz
http://www.metafilter.com/106354/Homomorphic-Encryption#3860947
A homomorphism is an operation that basically "preserves" structure. Formally for a ring, a ring homomorphism is a function <i>f</i> such that f(a+b) = f(a) + f(b) and f(a*b) = f(a) * f(b).
Keep in mind that at the algorithmic level, everything is a number. So the idea would be crypt(a) * crypt(b) = crypt(a*b). And it's fairly trivial to see why plain RSA is multiplicatively homomorphic. (See <a href="http://en.wikipedia.org/wiki/Homomorphic_encryption#Unpadded_RSA">here</a>.)
comment:www.metafilter.com,2011:site.106354-3860947 Tue, 09 Aug 2011 11:17:46 -0800 kmz
By: thsmchnekllsfascists
http://www.metafilter.com/106354/Homomorphic-Encryption#3860968
You guys are too smart for me. I love it when a crypto thread pops up.
<small> No really I do</small>
comment:www.metafilter.com,2011:site.106354-3860968 Tue, 09 Aug 2011 11:25:39 -0800 thsmchnekllsfascists
By: Craig Stuntz
http://www.metafilter.com/106354/Homomorphic-Encryption#3860974
DU, introp's explanation of multiplication is correct. kmz's explanation is slightly misleading, insofar as it implies that the homomorphic multiplication is the same operation as the non-homomorphic operation. This isn't true in general and is certainly not the case with Gentry's system in particular. Instead, I would write something like HMultiply(crypt(a), crypt(b)) = crypt(a*b).
[Long-time lurker, joined when my blog post turned up on the front page.]
comment:www.metafilter.com,2011:site.106354-3860974 Tue, 09 Aug 2011 11:28:19 -0800 Craig Stuntz
By: DU
http://www.metafilter.com/106354/Homomorphic-Encryption#3860979
<i>Homomorphic with respect to multiplication means that you run 17 through your encryption engine which yields X, run 5 through your encryption engine which yields Y, and there's a method to multiply X and Y which produces a result Z that you, the key-holder, can decrypt and get 85. </i>
OK. Now if you can do both AND and XOR and therefore compute any function, why can't you do this in the tax forms example:
<pre>
i = 0
# count decrements until the encrypted value reaches zero
while TOTALLY_ENCRYPTED_VALUE > 0
    TOTALLY_ENCRYPTED_VALUE -= 1
    i += 1
print i</pre>
comment:www.metafilter.com,2011:site.106354-3860979 Tue, 09 Aug 2011 11:31:44 -0800 DU
By: It's Never Lurgi
http://www.metafilter.com/106354/Homomorphic-Encryption#3860985
DU - The string ABC is also a sequence of bits which you can also treat as an integer. It's that number that gets multiplied by two.
If you have a magical ability to multiply by two and I want you to multiply my number by two but I don't want to reveal my number. I cleverly encrypt my number (in binary) using RSA and give it to you. You double it and return the result. I decrypt the result and, magic! I have my number doubled.
(I'm not sure that the multiplication on the encrypted data is exactly the same operation as "multiplication", but the basic idea is there. You do a "homomorphic multiply by two", which has the result of multiplying my data by two).
Since all computer operations, at their core, are simple arithmetic operations, I think you can see how this can get exponentially cooler if you have the ability to do a few more operations. Unfortunately, it also gets exponentially slower.
comment:www.metafilter.com,2011:site.106354-3860985 Tue, 09 Aug 2011 11:34:42 -0800 It's Never Lurgi
By: Craig Stuntz
http://www.metafilter.com/106354/Homomorphic-Encryption#3861013
DU, you can't do a conditional branch, because the program can't know the value of TOTALLY_ENCRYPTED_VALUE (because, obviously, it's encrypted). So code like you write isn't possible, because the program wouldn't know which branch to take. Instead, you must be able to represent your algorithms as mathematical operations (or, from an equivalent but slightly different point of view, as digital circuits) where knowing the result doesn't determine program flow.
I have a worked out example in <a href="http://blogs.teamb.com/craigstuntz/2010/04/08/38577/">this follow-up post</a>.
comment:www.metafilter.com,2011:site.106354-3861013 Tue, 09 Aug 2011 11:43:58 -0800 Craig Stuntz
By: kmz
http://www.metafilter.com/106354/Homomorphic-Encryption#3861017
Ah yes, sorry, it's been too long since my math camp days. Then again I often fell asleep during the algebra lectures back then too.
comment:www.metafilter.com,2011:site.106354-3861017 Tue, 09 Aug 2011 11:46:00 -0800 kmz
By: LogicalDash
http://www.metafilter.com/106354/Homomorphic-Encryption#3861333
So, for these purposes, Boolean logic gates don't do computation?
comment:www.metafilter.com,2011:site.106354-3861333 Tue, 09 Aug 2011 13:49:51 -0800 LogicalDash
By: Eideteker
http://www.metafilter.com/106354/Homomorphic-Encryption#3861633
<em>"(I really like this blog, though.)"</em>
Holy shit, DU got hacked! Homomorphic Encryption NOW!
comment:www.metafilter.com,2011:site.106354-3861633 Tue, 09 Aug 2011 15:55:23 -0800 Eideteker
By: DU
http://www.metafilter.com/106354/Homomorphic-Encryption#3861688
If you can't do a conditional branch, then you can't compute every function. But in that same paragraph, you do say you are being "deliberately imprecise" so maybe that's part of the hand-waving exclusion.
comment:www.metafilter.com,2011:site.106354-3861688 Tue, 09 Aug 2011 16:17:06 -0800 DU
By: phliar
http://www.metafilter.com/106354/Homomorphic-Encryption#3861739
<em>Applications include... DARPA funding</em>
Indeed, most research projects have this as an application. (The rest can be used for NIH or NSF funding.)
comment:www.metafilter.com,2011:site.106354-3861739 Tue, 09 Aug 2011 16:35:41 -0800 phliar
By: jeffburdges
http://www.metafilter.com/106354/Homomorphic-Encryption#3862149
Ain't nobody said you couldn't have cycles DU, hell even Brainfuck is Turing complete. Yes, you need some method for ending your loop, but that's doable by either asking the plaintext holder whether you're done. And maybe you could even send some termination signal from inside the encrypted computation.
There isn't anyone seeking to port the Linux kernel to some homomorphic encryption system, instead we'll just see very specialized computations run this way, roughly like quantum computing. An algorithmic trading house might outsource an enormous number of long sequences of matrix multiplications, for example.
comment:www.metafilter.com,2011:site.106354-3862149 Tue, 09 Aug 2011 20:32:38 -0800 jeffburdges
By: GallonOfAlan
http://www.metafilter.com/106354/Homomorphic-Encryption#3862386
I read this as "homoerotic encryption" the first time I scanned the page. That would be awesome.
comment:www.metafilter.com,2011:site.106354-3862386 Wed, 10 Aug 2011 02:14:06 -0800 GallonOfAlan
By: wenestvedt
http://www.metafilter.com/106354/Homomorphic-Encryption#3862499
<i>I read this as "homoerotic encryption"...</i>
And speaking of Alan Turing....
comment:www.metafilter.com,2011:site.106354-3862499 Wed, 10 Aug 2011 05:35:38 -0800 wenestvedt
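Added example, not part of the thread and not any commenter's code: the 17 × 5 = 85 exchange described in the comments above, run on textbook unpadded RSA. The primes 61 and 53, the exponent 17 and all function names are assumptions chosen for illustration; the key is far too small to be secure.

```python
# Textbook (unpadded) RSA with tiny constructed parameters, for illustration only.
P, Q = 61, 53                         # constructed toy primes
N = P * Q                             # public modulus, 3233
E = 17                                # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)

def encrypt(m: int) -> int:
    """Anyone holding the public key (N, E) can do this."""
    if not 0 <= m < N:
        raise ValueError("plaintext must be in [0, N)")
    return pow(m, E, N)

def decrypt(c: int) -> int:
    """Only the key-holder, who knows D, can do this."""
    return pow(c, D, N)

def h_multiply(c1: int, c2: int) -> int:
    """Ciphertext-side operation; needs only the public modulus.
    For unpadded RSA it happens to be multiplication mod N, because
    (a^E * b^E) mod N == (a*b)^E mod N. Other schemes use a different
    operation here, which is why it gets its own name."""
    return (c1 * c2) % N

def outsourced_product(a: int, b: int) -> int:
    x, y = encrypt(a), encrypt(b)     # key-holder encrypts both inputs
    z = h_multiply(x, y)              # untrusted party sees only x, y, N
    return decrypt(z)                 # key-holder recovers a*b mod N

def scale_by_plain_constant(m: int, k: int) -> int:
    """Multiplying the ciphertext by the *plain* number k does not
    scale the plaintext by k; the result decrypts to m * k^D mod N."""
    return decrypt((k * encrypt(m)) % N)

def add_ciphertexts(a: int, b: int) -> int:
    """Unpadded RSA is only partially homomorphic: adding ciphertexts
    does not decrypt to the sum of the plaintexts."""
    return decrypt((encrypt(a) + encrypt(b)) % N)

if __name__ == "__main__":
    print(outsourced_product(17, 5))      # product recovered by key-holder
    print(outsourced_product(100, 100))   # wraps around modulo N
    print(scale_by_plain_constant(17, 5)) # not 85
    print(add_ciphertexts(17, 5))         # not 22
```

Results are only correct modulo N, so a product that exceeds the modulus wraps around. Padding schemes such as OAEP exist partly to remove this malleability, which is why only unpadded RSA has the property.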