

Show HN: Distributed Homomorphic Encryption Adder (Weekend Project) - 9ac345a5509a
http://9ac345a5509a.github.io/p2p-paillier/

======
ReidZB
Honestly, I think the potential advent of _efficient_ fully-homomorphic
encryption is potentially one of the largest effects we could ever see on
privacy-related computing. The possibilities are absolutely staggering.
Imagine, for example, a search engine that returns useful results but does not
know what the user is searching for. And so on; the possibilities are well-
covered in the literature.

As of right now, the current-day state-of-the-art fully-homomorphic schemes
impose roughly a billion-factor overhead on operations, but this is quickly
decreasing (in the past 4 years, we've already knocked off three orders of
magnitude). But I am personally convinced that an efficient scheme would
likely revolutionize privacy in computing. Exciting stuff, especially with
recent events.

Unfortunately, I don't expect an efficient scheme to be widely-used for at
least 15-25 years. For one, even if a super-efficient FHE scheme was published
tomorrow, it'd probably take at least 6-10 years of powerful, sustained
cryptanalysis for the community to trust it. Add the time to discover such a
scheme (if even possible...) and you have quite a while. But still, the
potential is amazing.

~~~
cabalamat
By fully-homomorphic do you mean Turing-complete?

~~~
xyzzyz
No, by fully homomorphic he means the usual meaning of this phrase:
[http://en.wikipedia.org/wiki/Homomorphic_encryption#Fully_ho...](http://en.wikipedia.org/wiki/Homomorphic_encryption#Fully_homomorphic_encryption)

~~~
mjn
I suppose it depends on which you consider more fundamental to the definition.
The reason this particular ring and set of operations is _interesting_ is
because it implies being able to compute any Turing-computable function of the
data. Hence Gentry's high-level overview paper was entitled "Computing
arbitrary functions of encrypted data" [1].

[1]
[http://ece.gmu.edu/coursewebpages/ECE/ECE646/F10/project/F10...](http://ece.gmu.edu/coursewebpages/ECE/ECE646/F10/project/F10_Project_Resources/Computing_Arbitrary_Functions_of_Encrypted_Data.pdf)

------
davidw
Here's a hypothetical use case for homomorphic encryption, although I think it
needs to do a lot more than the linked example if it's actually going to work
in this case:

There's a bunch of data on a server, including, say, encrypted names. Users
accessing the server have a key to decrypt those names, but they also need to
be able to search for and sort names. Decrypting all the names and
searching/sorting would be one option, but with enough names, it becomes very,
very slow. Another option is having a big index that you decrypt for
searching/sorting. This is kind of unwieldy as well, even if it's faster than
decrypting everything piece by piece.

Perhaps the right homomorphic encryption techniques could also be used,
although you'd have to account for substring searching in the case of names:
finding "David" searching for "Dav".

------
joshuak
This reminds me of the average salary tool. If you are not allowed, or it is
bad form, to ask your peers' salaries you can create a list of people add a
random number to your own salary give it to the first person on the list that
person had their salary and gives it to the next continuing through the list.
The last person give you the final number. You subtract your random number and
divide by the total number of people and bingo you have the average salary of
the group.

I actually did this once at a company I worked for. Both the management and
the employees ended up unhappy.

(the typical, and more secure, version of this includes public key encryption
between each participant)

~~~
aaronmerriam
Can you expand a little on why the result of this made people unhappy? At a
guess, something relating to significant differences in salary for similar
jobs?

~~~
carb
I assume he has three groups:

1\. Employees paid less than the average 2\. Employees paid equal to or more
than the average 3\. Management.

Reactions are:

1\. Unhappy: Being paid less than average 2\. Happy: Being paid more than
average 3\. Unhappy: Half of their employees now know they are being paid less
and are unhappy.

~~~
joshuak
Yep that's it. Less then half of the total people involved are made happy by
this.

However, one thing management should be more happy about is that usually the
highest paid people are the nosiest. With a tool like this perhaps they can
shut them up.

------
nkoren
Very intriguing, but this is broken for me on Chrome 28 for OSX. A while after
I try to add two numbers, console gives the following:

    
    
      Uncaught TypeError: Cannot read property 'length' of undefined      BigInt.js:1
      expand                                                              BigInt.js:1
      powMod                                                              BigInt.js:1
      decryptRecAns                                                    paillier.js:70
      getConsensus                                                   distribute.js:94

------
eterm
1 + -1 = 1

Are negative numbers not yet supported?

editted to add: Or indeed decimal numbers.

Natural numbers only then?

Still seems cool even if how it works is a mystery to me.

~~~
9ac345a5509a
Very nice observation, and yes, natural numbers only. I believe it could be
modified to allow for negative numbers.

------
ewillbefull
This makes me curious.

Is it possible to use homomorphic encryption to create a network of "dump
pipes" for exchanging data?

Tor is slow because data has to hop from peer to peer until it hits its
destination. What if the "nodes" between you and the recipient ran on a single
machine? Clients would simply send a homomorphically encrypted program to a
central server which merely executed it. The programs and the data exchanged
could be completely transparent, you could even give law enforcement access,
and assuming:

1\. the homomorphic encryption is secure

2\. your data passes through enough trustworthy peers

3\. there are enough nodes involved for plausible deniability

...it would not be possible to identify the path data takes as it is routed
around.

Or am I missing something?

~~~
shubb
Could you explain what you mean a bit more clearly?

Traffic can be anonamised hopping it around many peers (assuming that a
critical mass of them are not observed, which seems entirely likely these
days).

If you sent a request to a single machine, which routed it between processes,
eventually decoding the request, you are saying that the machine would not
know what user made that request, and it could return the result via the same
chain. But because both ends and the processing are observed, traffic analysis
would yield which client asked for the file trivially. Rather like if the
enemy controlled every node on your darknet, they could trivially know who you
were and what you were doing.

The strength of the network is lots of nodes and lots of hops, in the hope
that you will pass through enough uncontrolled ones that traffic can't be
resolved. While what you suggest might, possibly reduce the risk from a
compromised node in a multihop chain, it would not defeat traffic analysis,
which is the major problem. Better just to inject fake traffic.

~~~
ewillbefull
Traffic analysis would not be a concern if the data being transferred and
decoded by each program was interlaced with data from other streams. This
would prevent an all-knowing adversary from following the data as it changes
state through each program's execution.

And of course, the standard onion-encryption would be applied. The data on one
end would be different than on the other or at any point in between. Padding
to prevent size attacks, etc. (Everything Tor already does, I believe.)

The homomorphic-encryption would just allow you to 'outsource' your
cryptography, routing and buffering mechanisms to a remote host, making data
transfer between each individual 'identity' much faster without jeopardizing
anonymity.

------
geal
Homomorphic encryption is interesting from a business standpoint (think:
manipulating credit card numbers without being able to read them).

For anonymization systems, care must be taken: being able to manipulate
encrypted data could very well create information leaks.

There have been some interesting theoretical uses of the Pallier cryptosystem
in private information retrieval systems, though.

~~~
swordswinger12
What kind of arithmetic operations would you ever need to do on a credit card
number? Other than maybe verifying the checksum digit.

------
general_failure
Stuck on "Awaiting network consensus"

