
Intro to Fully Homomorphic Encryption - yuedongze
http://blog.higashi.tech/2020/06/16/fhe_01.html
======
daenz
If Enc(2) + Enc(3) = Enc(5), and Enc(1) + Enc(4) = Enc(5). Does Enc(5)
represent the same ciphertext in both cases? I'm asking because, if so,
shouldn't it be trivial to uncover the plaintexts if you can perform any math
op on the ciphertexts?

~~~
aildours
As KenoFischer says, they are not the same ciphertext, even if we consider a
non-homomorphic encryption system. Enc is basically a random algorithm, and we
need it to return different ciphertexts for the same plaintext, otherwise it
would be easy to break - if I know Enc(1) and the scheme is additive, then I'd
know Enc(n) for all n...

~~~
blincoln
Are there any existing FHE algorithms with that property, or is it just a
theoretical goal for the field?

Every time I've heard FHE mentioned, I've had the same "this sounds like it
has all the problems of ECB mode plus some new ones" reaction. This article
(like all of the ones I've read) doesn't seem to cover how what you're
describing would be achieved.

What is the input to the algorithm that makes two identical cleartexts encrypt
to different ciphertexts? In a traditional block cipher, it would be an IV or
a "confounder", but IVs are included with the ciphertext, so I'm assuming it's
more like a "confounder".

If an FHE algorithm that exists today has this property, how does essentially
randomizing the ciphertext not break the ability to perform calculations on
it? It seems like whatever does the randomizing would need to be known to all
parties in order to take it into account, and so anyone could factor it out in
some way to get back to ciphertexts that are identical for identical
cleartexts.

~~~
y7
Yes, all existing FHE schemes have this property (called semantic security).
The encryption algorithm is a randomized algorithm, which takes the plaintext
and a random value as input (just like an IV). Note that we're talking about
public-key crypto here, which is a different primitive from the symmetric
crypto you're thinking of. Each key is actually a key pair consisting of a
secret key and a public key. Such cryptosystems are based on some mathematical
trapdoor: only with the secret key are you able to "undo" the randomization
and learn the plaintext. It therefore doesn't matter if you want to undo the
randomization on a direct encryption of a plaintext, or whether the ciphertext
is the sum of several ciphertexts.

If you want to see how this works on a bit more technical level, look at the
ElGamal cryptosystem [1]. It is in fact partially homomorphic (you can add
ciphertexts, but cannot multiply), and it's probably the easiest to understand
system with this property.

[https://en.wikipedia.org/wiki/ElGamal_encryption](https://en.wikipedia.org/wiki/ElGamal_encryption)
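
Added example, not part of y7's comment or the linked article: a toy Python sketch of the exponential variant of ElGamal (the message is encoded as G^m, an assumption made here so that ciphertexts add), showing that Enc(2) + Enc(3) and Enc(1) + Enc(4) are different ciphertexts that both decrypt to 5. The parameters P, Q, G and all function names are constructed for illustration and are far too small for real use.

```python
# Toy exponential ElGamal: randomized, additively homomorphic encryption.
# Constructed parameters, insecurely small; for illustration only.
import secrets

P = 1019   # safe prime, P = 2*Q + 1
Q = 509    # prime order of the subgroup generated by G
G = 4      # 2^2 mod P, generates the order-Q subgroup

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key in [1, Q-1]
    return x, pow(G, x, P)                    # (secret x, public h = G^x)

def encrypt(h, m, r=None):
    """Encrypt a small integer m under public key h with fresh randomness r."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1      # new random value per encryption
    return pow(G, r, P), (pow(G, m, P) * pow(h, r, P)) % P

def add(ca, cb):
    """Homomorphic addition: multiply ciphertexts componentwise."""
    return (ca[0] * cb[0]) % P, (ca[1] * cb[1]) % P

def decrypt(x, c):
    """Remove h^r with the secret key, then recover m from G^m by search."""
    c1, c2 = c
    gm = (c2 * pow(c1, Q - x, P)) % P         # c1^(Q-x) equals c1^(-x) here
    acc = 1
    for m in range(Q):
        if acc == gm:
            return m
        acc = (acc * G) % P
    raise ValueError("ciphertext is not in the subgroup")

def demo():
    x, h = keygen()
    s1 = add(encrypt(h, 2), encrypt(h, 3))    # Enc(2) + Enc(3)
    s2 = add(encrypt(h, 1), encrypt(h, 4))    # Enc(1) + Enc(4)
    return s1, s2, decrypt(x, s1), decrypt(x, s2)

if __name__ == "__main__":
    s1, s2, m1, m2 = demo()
    print("Enc(2)+Enc(3) =", s1, "->", m1)
    print("Enc(1)+Enc(4) =", s2, "->", m2)
```

Only the holder of x can strip the h^r factor; the party adding ciphertexts never needs to know any r.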

------
arkadiyt
The author touched on the performance problem but is anyone aware of
homomorphic encryption being used in the real world today, outside of
academia?

~~~
Taek
Because of the sheer performance challenges, and the availability of SGX as an
alternative, and also the competitiveness of MPC, I think most use cases
struggle to justify selecting homomorphic encryption as the best choice.

To me, who is involved in related fields but not FHE directly, it seems like
practical FHE is probably 15 or more years away, even for niche use cases.

~~~
FabioBertone
What are SGX and MPC? :-)

~~~
coolspot
Intel SGX - allows you to run your code on someone’s hardware, fully assured
that the owner can get neither your code nor your data.

MPC - Multi-Party Computations. To protect your data and algorithms, you split
data and code between multiple parties in a special way that prevents them from
knowing what exactly was computed.

[https://en.wikipedia.org/wiki/Software_Guard_Extensions](https://en.wikipedia.org/wiki/Software_Guard_Extensions)

[https://en.wikipedia.org/wiki/Secure_multi-party_computation](https://en.wikipedia.org/wiki/Secure_multi-party_computation)

------
davidmurdoch
This is only a "Gentle Intro" if you know advanced mathematical notation.

~~~
galacticaactual
The notation in that article is basic discrete math stuff...

~~~
exdsq
Says a stem grad?

~~~
bawolff
Stem grads generally don't study "advanced mathematical notation" unless you
are the "m" in stem.

Of course, it's all relative; grade school mathematical notation is advanced
notation to someone who doesn't know it.

