
TFHE: Fast Fully Homomorphic Encryption over the Torus - EvgeniyZh
https://tfhe.github.io/tfhe/
======
isatty
Quick ELI15: Homomorphic encryption is a form of encryption that allows
computation on ciphertexts, generating an encrypted result which, when
decrypted, matches the result of the operations as if they had been performed
on the plaintext.

A cryptosystem that supports arbitrary computation on ciphertexts is known as
fully homomorphic encryption (FHE).

[https://en.wikipedia.org/wiki/Homomorphic_encryption](https://en.wikipedia.org/wiki/Homomorphic_encryption)

------
motohagiography
If viable, FHE solves some very urgent problems in sharing personal health
information data sets for research, and there are literally billions of
dollars in individual transaction data locked up behind legal firewalls in
banks. This is a great usable library we can reason about, but in terms of a
trust model for it, is TFHE a candidate or on a certification path?

Given people trust institutions, and institutions trust other institutions
that trust math, from people who write the code - you have the math and the
code, my question would be, which institutions can we help to get priority for
trusting this?

~~~
sterlind
you might be thinking of functional encryption. FHE doesn't make much sense
for data sets because you can't read the answers.. you can perform any
operation you want to, run any program, but you'll just read out ciphertexts.
functional encryption is the one where you can only apply certain functions
but you get plaintext out.

~~~
candiodari
It is trivial to create almost any encryption scheme from a fully homomorphic
algorithm:

You create a program, which after all is just a set of simple instructions. If
you can do homomorphic add, mul and mod you have everything you need, and I
believe you can work with just a few bit operations.

So you make a homomorphically encrypted program that _has an encryptor en
decryptor routine_ , themselves encrypted (and can thus safely contain a
private key), and that program then does the operations requested, which does
indeed get you an encrypted result.

Then you ask the encrypted program to please decrypt the answer. It can
validate that question however it wants (implementing privacy policies seems
like it would be a good way to do that here), and if it agrees, it decrypts
the answer. There's all sorts of schemas you can build into this to do replay
protection.

For the truly paranoid such a program can be created with a random encryption
key that is then deleted as soon as the program is created. Then there is no
trust _of anyone at all_. You could implement bitcoin, or a totally secure
root of trust of for example the dns root zone on the internet. The only
problem is that changing the program becomes impossible for anyone, which may
be a good thing.

And you keep homomorphic guarantees: No need for trust. No need for trusting
the CPU your homomorphic program executes on, or it's memory. NO information,
not the code, not the temporary values, not the memory, not the stack ever, at
any time in the program's execution, exists unencrypted.

(paraphrasing a paper that pointed out that implementing bitcoin-like systems
with homomorphic encryption is very easy indeed, which is a similar problem)

~~~
sterlind
unfortunately FHE doesn't work like you describe. in FHE, the answer output is
always indistinguishable from random noise. in fact, the "encrypted decryptor"
routine you're describing is more or less how bootstrapping works - the
ciphertext is double-encrypted to the bootstrapping key, the circuit evaluates
decryption of the encrypted ciphertext to produce a fresh ciphertext against
the bootstrapping key, then a key switching operation exchanges the
bootstrapping key for the evaluation key.

* needing certain policies to be met for decryption is the field of attribute-based encryption.

* only being able to evaluate certain functions of a ciphertext to decrypted plaintext is the field of functional encryption.

* the general holy grail you're describing is program obfuscation - a secure black box that evaluates an arbitrary circuit on an input. unfortunately there are strong impossibility results in program obfuscation, though there's some theoretical progress towards weaker obfuscation or much more limited types of circuits, involving extremely inefficient mathematical wizardry that's regularly being badly broken by cryptanalysis.

in summary, you've confused FHE with program obfuscation, and the decryptor
routine you describe is just bootstrapping.

------
api
I wonder at what point might we implement a very old CPU like the 6502/6510 on
this and demonstrate the proof of concept of e.g. a very very slow fully
homomorphic Commodore 64 emulator.

Has it been done?

~~~
KenoFischer
You can't do control flow homomorphicly, so that tends to throw a wrench into
this kind of thing.

~~~
heavenlyblue
No, you can. Any control flow program can be converted into a matrix
multiplication. Obviously, the matrix size is exponential to the number of if
conditions - but that is a pre-requisite for homomorphic encryption anyway,
otherwise you would be able to tell which branch was taken.

~~~
dragonwriter
> Any control flow program can be converted into a matrix multiplication.

Any control flow program, on a set of inputs for which it terminates[0], can
be, but it's not true that any control flow program, with unspecified inputs,
can be, even with variables for the inputs, since the shape of the
multiplication as well as the value of elements in the matrices may depend on
the inputs (also, whether it's even a terminating program can obviously depend
on the inputs.)

[0] and any program which always terminates can also be, though the general
form may be more complex than is necessary for some inputs.

~~~
api
I guess then that my hypothetical fully homomorphic C-64 would be _huge_ and
would have a limited run-time?

~~~
lazersharkman
Yes. No recursion. Essentially what could be fabbed as a circuit

~~~
api
I get it. I think I had the misconception that you could branch in FHE, but as
I think about it this would by its nature reveal quite a lot of information
about the plaintext.

Would it perhaps be possible to create a weaker form of homomorphic encryption
that could branch? It would not be strong enough for the most serious security
use cases (authentication, financial, etc.) but would perhaps be usable for
cases where you just want to protect data confidentiality e.g. processing PII.
The processor could probably infer the structure of the running program but
not necessarily its data if appropriate constant-time comparisons and other
constructions were used.

~~~
heavenlyblue
If you can branch then you can always run a program that compares the
encrypted value to a constant, then iterate over the whole space of possible
values for the constant and that way decrypt the value

------
rjeli
How hard would it be to use Yosys
([http://www.clifford.at/yosys/documentation.html](http://www.clifford.at/yosys/documentation.html))
for logical gate synthesis to run arbitrary Verilog on TFHE?

~~~
ssmiler
Something equivalent is done in [https://github.com/CEA-
LIST/Cingulata](https://github.com/CEA-LIST/Cingulata) The current execution
run-time accepts a .blif file (a Boolean circuit) and executes it. For the
moment only the BFV homomorphic encryption can be used. Although, supporting
TFHE will not be so hard and some work is going on the parallel_bit_exec
branch.

~~~
nindanaoto
Cingulata currently supports TFHE. [https://github.com/CEA-
LIST/Cingulata/wiki#headlight](https://github.com/CEA-
LIST/Cingulata/wiki#headlight) We also used Yosys to convert Chisel into JSON
netlist. It is easy to use. I hope this may help. This is archived but simple.
[https://github.com/virtualsecureplatform/V2TT](https://github.com/virtualsecureplatform/V2TT)

------
gumby
Whats the real world application? For example you can't train a neural network
on such a database as all the values are no longer commensurate.

~~~
em3rgent0rdr
Tallying of encrypted votes, allowing for secure voting over the internet.

~~~
Enginerrrd
Seems like overkill. I'd rather just see every vote get a random unique
identifier and all the votes get sent to a central database that is publicly
searchable with the identifier.

------
physicsyogi
Since TFHE does the encryption at the binary level, it looks like it would
need to also work on the float level to be useful for a lot of data
science/machine learning use cases. I could be wrong though.

~~~
malux85
If you can do binary, then you can represent floating point numbers, no?

------
ttsda
I imaging further developments in this technology will lead to some sort of
private ethereum-like coin.

