IBM completes successful field trials on Fully Homomorphic Encryption:
Yesterday, Ars spoke with IBM Senior Research Scientist Flavio Bergamaschi about the company's recent successful field trials of Fully Homomorphic Encryption. We suspect many of you will have the same questions that we did—beginning with "what is Fully Homomorphic Encryption?"
FHE is a type of encryption that allows direct mathematical operations on the encrypted data. Upon decryption, the results will be correct. For example, you might encrypt 2, 3, and 7 and send the three encrypted values to a third party. If you then ask the third party to add the first and second values, then multiply the result by the third value and return the result to you, you can then decrypt that result—and get 35.
You don't ever have to share a key with the third party doing the computation; the data remains encrypted with a key the third party never received. So, while the third party performed the operations you asked it to, it never knew the values of either the inputs or the output. You can also ask the third party to perform mathematical or logical operations of the encrypted data with non-encrypted data—for example, in pseudocode, FHE_decrypt(FHE_encrypt(2) * 5) equals 10.
[...] Although Fully Homomorphic Encryption makes things possible that otherwise would not be, it comes at a steep cost. Above, we can see charts indicating the additional compute power and memory resources required to operate on FHE-encrypted machine-learning models—roughly 40 to 50 times the compute and 10 to 20 times the RAM that would be required to do the same work on unencrypted models.
[...] Each operation performed on a floating-point value decreases its accuracy a little bit—a very small amount for additive operations, and a larger one for multiplicative. Since the FHE encryption and decryption themselves are mathematical operations, this adds a small amount of additional degradation to the accuracy of the floating-point values.
[...] As daunting as the performance penalties for FHE may be, they're well under the threshold for usefulness—Bergamaschi told us that IBM initially estimated that the minimum efficiency to make FHE useful in the real world would be on the order of 1,000:1. With penalties well under 100:1, IBM contracted with one large American bank and one large European bank to perform real-world field trials of FHE techniques, using live data.
[...] IBM's Homomorphic Encryption algorithms use lattice-based encryption, are significantly quantum-computing resistant, and are available as open source libraries for Linux, MacOS, and iOS. Support for Android is on its way.
This statement doesn't make any sense. In floating-point arithmetic, multiplication (assuming no over/underflow) of two values will introduce negligible additional (relative) error: the relative error of the result is essentially bounded by the product of the relative error of the inputs (within a small constant). This is because the most significant digits of the multiplication result depend only on the most significant digits of the input so any small error on the inputs has only a small effect on the result.
However floating-point addition has no such simple bounds on the error as addition can potentially cancel every single correct digit.
This makes me think they must not actually be using floating-point arithmetic? For example, fixed point multiplication does behave very badly in this regard...
Many people in CS, particularly those coming from other branches of mathematics, have no understanding of how floating point actually works. The article is flat out wrong about addition rounding errors always being smaller than multiplication errors.
I am not completely sure if I'd trust the tech[1], but over there is even a standard for it, which I suppose IBM adhere to:
http://homomorphicencryption.org/wp-content/uploads/2018/11/HomomorphicEncryptionStandardv1.1.pdf [homomorphicencryption.org]
[1]Lattices are not convincingly resistant enough to quantum computing for me, but consider this a rant only for now.
This allows you to work securely on untrusted hardware, ie, "the cloud"?
FFS, why are you using untrusted hardware, if you need security? This looks like a solution to a problem that never should have existed.
So, what is the next step? "Bill, they have ultra-cheap cloud services in China now." "Yeah, but we can't trust China, they'll steal all of our secrets." "But, Bill, we can use homomorphic encryption to keep our secrets secret!" "Dammit, Jim, I'm not moving to the cloud. Next month, the Chinese are going to break homomorphing anyway."
Cost. If you only need it occasionally then it can be far cheaper to rent computing power than buy it. All of the world's top supercomputers that aren't military or weather prediction rent time to third parties. This also has implications for distributed computing projects like Folding@Home.
