
A very casual introduction to Fully Homomorphic Encryption (2012) - ergot
https://blog.cryptographyengineering.com/2012/01/02/very-casual-introduction-to-fully/
======
mmastrac
Oh hey, this is something I've actually done some real work on!

> Just try converting that into a circuit

Hmm. I think this article is a little behind the times. Loops are not a
problem with Homomorphic encryption, as we can create circuits that work
exactly like a transistor-based CPU.

In fact, I've got an implementation of one that I've been working on here:
[https://github.com/mmastrac/oblivious-
cpu](https://github.com/mmastrac/oblivious-cpu)

The trick to making this work is that you may not know how long the
computation is going to take, so you need to either add a set number of
iterations to run (ie: clock cycles), or send back encrypted updates as you
run to give your trusted computer a chance to determine when the calculation
has finished.

~~~
mti
I'm not sure what specific scheme you have in mind, but while FHE for Turing
machines does exist, it is really, really hard to instantiate. A construction
with some restrictions and requiring a massive amount of preprocessing is
given in Goldwasser et al.'s famous paper on reusable garbled circuits, and it
already uses succinct functional encryption as a building block; and for the
stronger notion of FHE for TM you basically need obfuscation. So thinking
about implementing any of this seems somewhat premature to me.

------
ajb
One limitation of Homomorphic encryption, as far as I can see, is that there
is no way for the encrypted program to _choose_ to communicate some data in
the clear.

Which means it can't be used to allow an untrusted party to run your encrypted
server, and have the server communicate with parties that it doesn't trust.
Which is what most servers do. Unless I'm mistaken, or there has been an
advance?

~~~
baby
There is no encrypted program, there is encrypted data. You can operate on
this data, and it will reflect on the plaintext after decryption. I think what
you're thinking about is functional encryption?

~~~
ajb
I'm not thinking of functional encryption. I thought I'd read somewhere a plan
to use homomorphic encryption with an encrypted program by simply applying an
interpreter to it.

~~~
deutronium
You're not thinking of Indistinguishability Obfuscation per chance?

[https://blog.cryptographyengineering.com/2014/02/21/cryptogr...](https://blog.cryptographyengineering.com/2014/02/21/cryptographic-
obfuscation-and/) seems an interesting article.

~~~
ajb
That might be it - Thanks.

------
maxekman
This is a very interesting read, highly recommend! I'm currently reading the
excellent book Cryptography Engineering [1] and this article definitely adds
to my newborn interest in cryptography!

[1]
[https://www.schneier.com/books/cryptography_engineering/](https://www.schneier.com/books/cryptography_engineering/)

------
based2
[http://www.americanscientist.org/issues/pub/2012/5/alice-
and...](http://www.americanscientist.org/issues/pub/2012/5/alice-and-bob-in-
cipherspace)

~~~
saycheese
Link to the PDF of the content:
[http://www.americanscientist.org/libraries/documents/2012861...](http://www.americanscientist.org/libraries/documents/201286159329266-2012-09CompSciHayes.pdf)

------
kaffeemitsahne
Was there ever a followup blogpost?

~~~
matthewdgreen
Nope. Seny Kamara managed to write such a good series that you're better off
treating his posts as the follow up:

[http://outsourcedbits.org/2012/06/26/applying-fully-
homomorp...](http://outsourcedbits.org/2012/06/26/applying-fully-homomorphic-
encryption-part-1/)

[http://outsourcedbits.org/2012/09/29/applying-fully-
homomorp...](http://outsourcedbits.org/2012/09/29/applying-fully-homomorphic-
encryption-part-2/)

------
quickben
[https://en.m.wikipedia.org/wiki/Homomorphic_encryption](https://en.m.wikipedia.org/wiki/Homomorphic_encryption)

~~~
jwilk
Non-mobile version:
[https://en.wikipedia.org/wiki/Homomorphic_encryption](https://en.wikipedia.org/wiki/Homomorphic_encryption)

