
TFHE: Fast Fully-Homomorphic Encryption Over the Torus - _d4bj
https://tfhe.github.io/tfhe/
======
phkahler
One interesting thing about this: You are performing known operations on
unknown data. But theoretically you could simulate a generic computer whose
program is encrypted data as well, thus enabling unknown operations on unknown
data. However, with speeds in the ms per gate we are a long way from that
being practical right now.

~~~
erikpukinskis
> with speeds in the ms per gate

I wonder if you could write your programs in such a way that the bulk of the
computation was done publically, and only sensitive ops were shunted out to
the secure processing network.

Maybe in a language similar to Erlang, but instead of writing code that's
amenable to sharing between multiple CPUs, you'd be sharing between multiple
degrees of privacy.

~~~
Bromskloss
> I wonder if you could write your programs in such a way that the bulk of the
> computation was done publically, and only sensitive ops were shunted out to
> the secure processing network.

Do you have some example of what such an application may be?

~~~
phaedrus
Encode computations as NP hard graph optimization problems. Use the public
computation resources to solve the hard part, but keep the labels of the nodes
and edges in the slower encrypted computing resource.

------
otoburb
For a layman like myself, downloading and skimming the reference papers at the
bottom of the page, starting with Craig Gentry 2013's paper[1], really helped.

[1] [https://eprint.iacr.org/2013/340](https://eprint.iacr.org/2013/340)

------
tome
What operations can I do homomorphically with this library? The page says

"With the cloud-keyset, the library can evaluate a net-list of binary gates
homomorphically at a rate of about 50 gates per second per core, without
decrypting its input. It suffices to provide the sequence of gates, as well as
ciphertexts of the input bits. And the library computes ciphertexts of the
output bits."

but what does "evaluating a net list of binary gates" come to in practice?
What operations could I expect to be able to perform?

~~~
tveita
"The library supports the homomorphic evaluation of the 10 binary gates (And,
Or, Xor, Nand, Nor, etc…), as well as the negation and the Mux gate."

So you'd program it by designing a digital circuit using AND, OR, and NOT
gates, somewhat similar to how you would make a circuit with physical
components.

You have millions, maybe billions of these gates in your CPU, each capable of
doing millions of calculations for each tick of your homomorphic gate, so the
"fast" in the title should be taken with a grain of salt. Your homomorphic
circuit could have a noticeable delay adding two 64-bit numbers.

[https://en.wikipedia.org/wiki/Logic_gate#Symbols](https://en.wikipedia.org/wiki/Logic_gate#Symbols)

[https://tfhe.github.io/tfhe/tuto-
cloud.html](https://tfhe.github.io/tfhe/tuto-cloud.html)

~~~
dllthomas
Why would we expect to need a full modern CPU? An 8080 had thousands, and
that's still general purpose. Something built for a specific task might well
be substantially smaller. Still slow, but possibly realistic for some tasks.

~~~
mikeash
It's a long way from even an 8080. The 8080 had a couple thousand gates and
ran at 2+MHz. At 50 gates per second, this would run an 8080 at maybe 20
_milli_ hertz.

~~~
dllthomas
Yeah, I didn't mean to imply that it'll happily emulate an 8080 at useful
speeds. I wanted to illustrate the orders of magnitude between "minimal
something useful" and "a modern cpu", and an 8080 is a reasonably familiar
point on that spectrum.

Anything you can do in 10 or 20 cycles of an 8080, you can now do _to secret
data_ in a few hours. And you can probably do much, much faster than that if
you design a special purpose circuit. It's still sloooow by the computational
standards we're used to. But it might be fast enough that there are useful
applications.

~~~
mikeash
Makes sense. I am definitely excited to see something that even vaguely
approaches practicality, even if it's a long way from megaflop territory.

------
Bromskloss
What does "over the torus" mean here?

~~~
cypherpunks01
I think it means that this implementation of homomorphic encryption relies on
polynomial computations being done on the plane of a geometrical torus? See
the relevant paper here:

[https://eprint.iacr.org/2016/870.pdf](https://eprint.iacr.org/2016/870.pdf)

Someone with more background could probably expand on that.

------
Bromskloss
Would it be correct to say that general homomorphic computing is now (and
perhaps already before this) possible, though slow?

------
anfractuosity
Sounds very interesting!, I'm going to have to look at in more detail. I'm
just wondering how it compares to something like
[https://github.com/shaih/HElib](https://github.com/shaih/HElib)

~~~
enigma83
The best analogy is that Helib is a homomorphic GPU while TFHE is a
homomorphic CPU. Elementary operations (addition, multiplication modulo p)
with Helib are slower (especially bootstrapping), but are performed on a huge
vector of data simultaneously. In the opposite, elementary operations with
TFHE (binary gates) are extremely fast, but deal with a single bit.

In other word, if the application you are aiming at is suitable for running on
a GPU, go for Helib, else if it would be faster on a CPU, use TFHE.

~~~
anfractuosity
Interesting! Thanks for the reply.

------
saganus
This looks very interesting!

However, not being an expert on FHE, is there a way to leverage this on
current RDBMS systems for example?

It says the library can evaluate binary gates. If we would like to run a SQL
query for example, how do we translate it to a series of gates? Is it
possible?

Or is this so low level that we basically would need to build our own
"processor" with binary gates and then build the rest of the stack on top of
it so we can, in the end, run a query?

Can anyone shed some light on how exactly can we take advantage of this
library?

~~~
michwill
I would apply it instead of garbled circuits here
[https://eprint.iacr.org/2016/591](https://eprint.iacr.org/2016/591).

Although slower, it feels like TFHE would provide better security against an
active adversary. So, at least, simple server-side encrypted queries would
well be possible

~~~
swordswinger12
Can you explain how you would use FHE instead of garbled circuits in the Arx
range query data structure? I don't see how that would work - wouldn't you
have to (re-)introduce interaction to let the server learn intermediate
results?

------
michwill
That's a seriously cool thing to have in the toolbox!

Does it produce only encrypted output, or can it optionally produce
unencrypted results also? Can it optionally use public data as an input?

Also I am guessing if it could be accelerated on GPUs. I worked with a guy who
accelerated a standard FFT on CUDA 100..1000 times for scientific computations
(and later NVidia copied his code, lol). I wonder if something similar can be
done here

~~~
hmottestad
The point is to be able to give encrypted data to a third party and have them
do operations on that data (ex. sum all the values) and give you an encrypted
result back.

tldr. computations in the cloud with encrypted, private data

~~~
michwill
Yes, I understand. I was thinking about:

a) smart contracts controlling something within the encrypted data based on
publicly available data;

b) encrypted key-value store where you traverse the tree structure based on
encrypted query and encrypted tree buckets, but get a publicly available
result about which bucket is next (similarly to how it was done in Arx paper
using garbled circuits).

------
fenollp
This looks like the slowest routines are FFT and GEMM (CPU bound). I wonder if
one can find DSPs easily for racked servers. Maybe hardware h264 encoders can
be repurposed that way? I obviously don't know what I am talking about! Would
an FPGA implementation accelerate execution?

~~~
DannyBee
Yes, FPGA can help, as can GPU.

The real problem tends to be the (CPU to other thing and back again) latency,
not the how fast can the other thing do the computation.

------
sandGorgon
Will this be useful for machine learning in the same way as this ?

[https://medium.com/numerai/encrypted-data-for-efficient-
mark...](https://medium.com/numerai/encrypted-data-for-efficient-markets-
fffbe9743ba8)

~~~
proofofstake
Yes, but not to the same degree. Numerai uses structure-preserving encryption
/ neural encryption. This allows people to use any existing machine learning
algorithm on the data. For fully homomorphic encryption you would need
specialized algorithms. These are way more difficult to design. They also run
slower.

~~~
lkowalcz
Worth pointing out that Numerai actually doesn't use encryption in any
standard sense (including structure-preserving encryption), but instead seems
to be using some heuristic method of obfuscating their data.

Their (closed-source) method of obfuscating their data apparently does have
the property that it preserves the structure of the data, but calling it
"structure-preserving encryption" is misleading imo since it risks confusing
it with standard notions of encryption and structure-preserving encryption
which have much stronger security guarantees.

(Their marketing seems to encourage this conflation by, for example, citing
academic advances in standard notions of homomorphic encryption and SPE and
implying that these advances have enabled Numerai's technology)

[https://medium.com/numerai/encrypted-data-for-efficient-
mark...](https://medium.com/numerai/encrypted-data-for-efficient-markets-
fffbe9743ba8)

~~~
proofofstake
They switched from structure-preserving encryption to neural encryption (using
a neural net's layer activations).

> Just a few months ago this package was released by Louis Aslett at Oxford
> [http://www.louisaslett.com/HomomorphicEncryption/](http://www.louisaslett.com/HomomorphicEncryption/).
> Louis helped me use his package to do Fan and Vercauteren homomorphic
> encryption on my dataset. Because the ciphertexts are polynomials it's not
> too easy for an average data scientist to use the data. That's why I came up
> with more chill ways of encrypting Numerai's data that the article mentions
> like order-preserving encryption. There's a security vs easy of use trade
> off, for sure. But homomorphic encryption is a real thing.

[https://www.reddit.com/r/MachineLearning/comments/3zvuge/enc...](https://www.reddit.com/r/MachineLearning/comments/3zvuge/encrypted_data_for_efficient_markets_an_mnist_for/cyprq84/)

Louis Aslett authored
[https://arxiv.org/abs/1508.06574](https://arxiv.org/abs/1508.06574)

~~~
lkowalcz
Thanks for that link! I was never able to find any details from someone who
works for Numerai (or claims to at least)

I still don't think it's fair to market their method as comparable to Aslett's
scheme or "standard" notions of homormorphic/order preserving encryption, no
matter how "chill" they are :)

~~~
proofofstake
Do you think neural encryption is closer to encryption? GAN-style: One network
encrypts while preserving structure, another network tries to reverse engineer
to the original features.

Edit: No specific sources for what Numerai is using, but in general:
[https://arxiv.org/abs/1610.06918](https://arxiv.org/abs/1610.06918) "Learning
to Protect Communications with Adversarial Neural Cryptography".

Edit2: Yes, in general. I would say "yes, this is a valid form of encryption".
But I do agree that their marketing was perhaps a bit too optimistic. I have
no problem calling it "obfuscation" either (I just think their method of
"obfuscation" is way more advanced than removing headers and normalizing
within 0-1).

~~~
lkowalcz
I've never heard of neural encryption before, do you have a good source for
me?

From the Wikipedia page for "Neural cryptography", it seems like there's some
success in using NN's for cryptanalysis, but not for constructions...

Edit: Do you mean the Google GAN experiment?
([https://arxiv.org/pdf/1610.06918v1.pdf](https://arxiv.org/pdf/1610.06918v1.pdf))
Ahh ok, well at least for this there looks like an attempt at defining a
security model (security against some other NN). I don't really believe the
security model is realistic (how do we know NN's are really that effective as
adversaries?), but at least there is a model, so calling that "encryption"
sits somewhat better with me. I'm pretty sure this is not what's being used by
Numerai since it seems like it would not result in ciphertexts with the
structure necessary to perform ML operations on.

Edit2: Maybe you're right and it is more advanced. In any case, as a crypto
nerd I wish they would disclose what they are actually doing / the rationale
instead of tantalizingly suggesting that they have made (what would be) a
breakthrough in a practical use case of advanced encryption schemes, but not
saying how.

~~~
sandGorgon
That particular paper got a LOT of flames when it was posted to
/r/MachineLearning

[https://www.reddit.com/r/MachineLearning/comments/59v9ua/r_1...](https://www.reddit.com/r/MachineLearning/comments/59v9ua/r_161006918_learning_to_protect_communications/)

------
EGreg
Is this available now? Can we do fast homomorphic encryption baby??

~~~
striking
"Each binary gate takes about 20 milliseconds single-core time to evaluate"

So yes, for varying definitions of "fast".

~~~
SilasX
If you equate a binary gate operation with an instruction, then that's 50
instructions per second, which compares to UNIVAC's 2000 IPS (0.002 MIPS).

[https://en.wikipedia.org/wiki/Instructions_per_second#Timeli...](https://en.wikipedia.org/wiki/Instructions_per_second#Timeline_of_instructions_per_second)

Of course, an op on a single bit is still far short of a CPU instruction,
AIUI.

You gotta start somewhere though!

~~~
jacobush
So a cluster of modern cores could approach a UNIVAC...

------
gigatexal
so who's going to write the Python wrapper to this?

------
jondubois
I feel like there are so many use cases for this library.

