IBM Claims Breakthrough In Analysis of Encrypted Data

An anonymous reader writes "An IBM researcher has solved a thorny mathematical problem that has confounded scientists since the invention of public-key encryption several decades ago. The breakthrough, called 'privacy homomorphism,' or 'fully homomorphic encryption,' makes possible the deep and unlimited analysis of encrypted information — data that has been intentionally scrambled — without sacrificing confidentiality." Reader ElasticVapor writes that the solution IBM claims "might better enable a cloud computing vendor to perform computations on clients' data at their request, such as analyzing sales patterns, without exposing the original data. Other potential applications include enabling filters to identify spam, even in encrypted email, or protecting information contained in electronic medical records."

OH SHIT!

[jadedoto]

I hope IBM won't be working with NSA on this one too!

First post!

[fenring]

Have you seen the new neighbours. I think they're homomorphic.

Re:First post!

[mcgrew]

I miss metamoderation, where mods with IQs too low to get the joke were weeded out.

THIS comment is offtopic, the parent should be modded "funny" and if metamoderation was like it use to be, the moderation on the parent would be modded "unfair".

Re:First post!

Agreed 100%. Slashdot needs to stop fuxxoring with the site just because they can, and stick with what works (the shit that did work worked fucking great). Now the CSS is completely hosed and the metamodding has been completely neutered. Can't we just roll everything back to the way it was two or three years ago?

Re:First post!

Nah, I saw them together with a woman. I think they're bijective.

Re:First post!

[Tanktalus]

Don't worry. In two or three years, you'll be saying the same about now.

Re:First post!

(+1, Sad but True)

For a group so focused on and enthusiastic about pushing the technological barriers forward, /. also has some of the rosiest-tinted glasses. Funny.

Re:First post!

[moxitek]

Shhh! Don't say it too loudly! Everybody on the block is homomorphobic!

Yeah

[rodrigoandrade]

"might better enable a cloud computing vendor to perform computations on clients' data at their request, such as analyzing sales patterns, without exposing the original data. Other potential applications include enabling filters to identify spam, even in encrypted email, or protecting information contained in electronic medical records."

Right, because we've already figured out everything about cloud computing and it's a totally stable environment ready to be deployed in every company around the globe. Time to take it to the next step.

Re:Yeah

[birrddog]

Or you could just use cloud computing resources to break the encryption code, then trawl through the data.

Re:Yeah

[bkpark]

Right, because we've already figured out everything about cloud computing and it's a totally stable environment ready to be deployed in every company around the globe. Time to take it to the next step.

One might argue that this is one of the pieces we had to figure out before cloud computing could become more widespread.

After all, who would entrust third party computers to do the computation unless the confidentiality of data could be guaranteed? Projects that generate no profit such as SETI and other scientific projects apparently have no issue with this, but no company would ever use cloud computing in a commercial project without somehow ensuring that their data is protected.

No one's claiming that this is the entire solution to every problem in cloud computing, or even the last piece of the puzzle—but somebody is claiming that this is a solution to a significant part of the problem, and I frankly agree.

Re:Yeah

[MaskedSlacker]

You think companies give a shit? Never mind the gross anthropomorphization of property, what about the monthly (so it seems) cases of workers losing laptops with unencrypted information--credit card numbers and social security numbers. Since when have most institutions ever bothered to secure their data?

Finally

DRM that works.

Re:Finally

[SilverHatHacker]

Don't say that too loud...the RIAA might get an idea...

Re:Finally

[MaskedSlacker]

Mod Parent "-1 Judas"

No More Privacy

[basementman]

"perform computations on clients' data at their request, such as analyzing sales patterns"

Or without their request.

Re:No More Privacy

[megamerican]

Or without their request.

The NSA figured that out a long time ago.

Re:No More Privacy

Or without their request.

If they really figured it out, then sure they can analyze without your request, but they can't decrypt the results without your key. So you still have the same privacy. BTW, this is the entire point of this process.

Re:No More Privacy

[Jurily]

s/clients/citizens/

Re:No More Privacy

[mea37]

TFA doesn't seem clear on this point, but what the name of the technique implies is that you can perform the operation, but neither the inputs nor the outputs are ever decrypted. So if you can't see the question, and you can't see the answer, then why would you perform the operation other than at the request of someone who can (i.e. the client)?

That said, I'd like to know a lot more about this before I'd want to trust it. For this to work, I'd think a lot of the data's structure must be preserved. Maybe you can't detect that structure from the encrypted data, but you can probably infer a lot about it by analyzing the algorithms your clients ask you to apply (especially if they're your algorithms - i.e. software-as-a-service type stuff). I'm impressed if this doesn't create vulnerabilities.

Also I suspect this is fundamentally divorced from public key techniques. If I'm able to encrypt values of my choosing and perform operations of my choosing on encrypted values, I'm pretty sure I can work backward to extract the cleartext from the encrypted data the client provides...

Re:No More Privacy

[John+Hasler]

Everything remains encrypted throughout the process, including the output. Only the client can read the results. That is the point.

Re:No More Privacy

[Mashiara]

TFA is skimp on this but after bit of Googling around I understand a little more, see also http://en.wikipedia.org/wiki/Homomorphic_encryption.

The point being that those who provide the encrypted data must encrypt it in a special way to allow the homomorphic properties to be taken advantage of.

Re:No More Privacy

[bhagwad]

I'd like to know what sort of "analysis" can be done without the client's permission. Can they find out how many times the word "and" occurs (without reading the message) for example?

Basically can they do any sort of content analysis? If they're saying they can filter spam, then it's not at all a stretch to assume that they can "read" your data as well. What's the point of encryption then?

Re:No More Privacy

[caramelcarrot]

Also, as someone points out below, http://science.slashdot.org/comments.pl?sid=1282009&cid=28470091, you don't use the same algorithm as before - but you instead "encrypt" the algorithm so it's working in the same space as the encrypted data. I'm sort of imagining some sort of encrypted virtual machine. Otherwise some of the flaws being talked about would be an issue.

Re:No More Privacy

Thank you. I was reading this thinking that it was logically impossible. Now I get it

Re:No More Privacy

[SiliconEntity]

I'd like to know what sort of "analysis" can be done without the client's permission. Can they find out how many times the word "and" occurs (without reading the message) for example?

Yes, but the answer would be encrypted, and only the client could decrypt it.

Basically can they do any sort of content analysis? If they're saying they can filter spam, then it's not at all a stretch to assume that they can "read" your data as well. What's the point of encryption then?

They could filter spam, and come up with a score for how likely the message is to be spam. But the score would be encrypted, and only the client could decrypt it.

(This is all only true in theory, I don't think the new system is actually practical for these kinds of purposes. But it is the kind of thing one could theoretically do with a homomorphic encryption system.)

Re:No More Privacy

[onemorechip]

So if the answer to "how many times does 'and' occur" is 3, then they can try the analysis on a file encrypted with client's public key that they know has 3 occurrences of "and", and if it matches the (encrypted) result sent to the client, then they know that about the client's file.

OK, I know that's probably wrong; I would imagine that the answer is salted somehow so that two output files with the same result from different inputs won't match.

Re:No More Privacy

This was a STOC 2009 paper so for more details than the press release, see Craig Gentry. Fully homomorphic encryption using ideal lattices. In STOC '09: Proceedings of the 41st annual ACM symposium on theory of computing, pp. 169--178. 2009. It's online here for those with access to that.

Re:No More Privacy

[Chris+Kamel]

Doesn't matter, you'll need to decrypt the output anyway so the analyzer won't be able to benefit from the analysis result, only the client can:
http://en.wikipedia.org/wiki/Homomorphic_encryption
Using such a scheme, one could homomorphically evaluate any circuit, effectively allowing the construction of programs which may be run on encryptions of their inputs to produce an encryption of their output. Since such a program never decrypts its input, it could be run by an untrusted party without revealing its inputs and internal state. The existence of a fully homomorphic cryptosystem would have great practical implications in the outsourcing of private computations, for instance, in the context of cloud computing

Re:No More Privacy

When outsourcing, you have several more challenges though. Not only do you need the homomorphic system to protect the data, and I assume some manner to protect the computation itself (since the type of processing could also reveal confidential info), but you really need a computation that produces a proof-carrying result. You need a way to verify the result cheaply, because you cannot trust the outsourced vendor to perform the calculation accurately.

This is the reasoning behind the search systems like SETI duplicating work units (to avoid false negatives from computers failing to detect interesting patterns) and reevaluating possible matches (to avoid false positives from computers claiming an interesting pattern when there isn't one).

Re:No More Privacy

[GargamelSpaceman]

But the output is encrypted. So basically you give them your sales data ( encrypted ) and they compute the results ( encrypted ). They can't understand the results they produce. Only you can decrypt the results and make use of them.

Re:No More Privacy

[GargamelSpaceman]

I wonder if this would make possible the following:

Here is Encrypt(www.slashdot.org), please compute Encrypt(DNSLookup(www.slashdot.org)) so that I can then Decrypt(Encrypt(DNSLookup(www.slashdot.org))) to produce 216.34.181.48.

Re:No More Privacy

[lugiebear]

It is not divorced from public key techniques. The technique homomorphically decrypts from one public key to another public key to keep error vector from growing (if it grows to big, data is lost = no decryption). It is public key based encryption. See http://www.fields.utoronto.ca/audio/08-09/crypto/gentry/index.html

Re:No More Privacy

[lugiebear]

The question "how many times does 'and' occur?" has to be encrypted with the client's secret key. The server does not know how to ask the question in the first place. The way email spam filter would work is that the client would encrypt the relevant questions with its secret key, then the email server would filter for spam, and when the data hit the client, the client would decrypt info and filter everything out. The vulnerability here would be known ciphertext (i.e., there are only so many questions one can ask about filtering spam).

Re:No More Privacy

[onemorechip]

That sounds untenable. Server has to perform some operation on a message X, and the identity of the operation is encrypted in the message. How does the server know what to do?

I thought the principle was that the server performs known operations on the ciphertext that correspond to operations on the plaintext (analogous to adding logarithms to get the log of a product, but with the added condition that the relation between cipher and plaintext is not an easily reversible operation like logarithm but a "one-way" operation).

Fully homomorphic encryption using ideal lattices

[grshutt]

The abstract for Gentry's article can be found at: http://doi.acm.org/10.1145/1536414.1536440

If they can analyze the data...

[Lord+Juan]

then that form of encryption is useless for highly sensitive information.

It's as simple as that.

Re:If they can analyze the data...

[Isarian]

So I may have missed something from the article, but are all forms of public-key encryption vulnerable or just certain algorithms?

Re:If they can analyze the data...

[Chris+Mattern]

then that form of encryption is useless for highly sensitive information.

Unless the analysis is also encrypted.

Re:If they can analyze the data...

They can perform computations on the data, but the answer is still encrypted.

Re:If they can analyze the data...

[John+Hasler]

All the data and all the results remain encrypted so that only the client can read the results. That is the point. Read about homomorphic encryption here

Re:If they can analyze the data...

[Magic5Ball]

This isn't a vulnerability with existing encryption systems, it's a scheme for a different way to structure and encrypt the data to explicitly allow calculations on the data without exposing the original values.

Since it's close to being slashdotted...

[Magic5Ball]

IBM researcher solves longstanding cryptographic challenge
Posted on 25 June 2009.
An IBM researcher has solved a thorny mathematical problem that has confounded scientists since the invention of public-key encryption several decades ago. The breakthrough, called "privacy homomorphism," or "fully homomorphic encryption," makes possible the deep and unlimited analysis of encrypted information - data that has been intentionally scrambled - without sacrificing confidentiality.

IBM's solution, formulated by IBM Researcher Craig Gentry, uses a mathematical object called an "ideal lattice," and allows people to fully interact with encrypted data in ways previously thought impossible. With the breakthrough, computer vendors storing the confidential, electronic data of others will be able to fully analyze data on their clients' behalf without expensive interaction with the client, and without seeing any of the private data. With Gentry's technique, the analysis of encrypted information can yield the same detailed results as if the original data was fully visible to all.

Using the solution could help strengthen the business model of "cloud computing," where a computer vendor is entrusted to host the confidential data of others in a ubiquitous Internet presence. It might better enable a cloud computing vendor to perform computations on clients' data at their request, such as analyzing sales patterns, without exposing the original data.

Other potential applications include enabling filters to identify spam, even in encrypted email, or protecting information contained in electronic medical records. The breakthrough might also one day enable computer users to retrieve information from a search engine with more confidentiality.

"At IBM, as we aim to help businesses and governments operate in more intelligent ways, we are also pursuing the future of privacy and security," said Charles Lickel, vice president of Software Research at IBM. "Fully homomorphic encryption is a bit like enabling a layperson to perform flawless neurosurgery while blindfolded, and without later remembering the episode. We believe this breakthrough will enable businesses to make more informed decisions, based on more studied analysis, without compromising privacy. We also think that the lattice approach holds potential for helping to solve additional cryptography challenges in the future."

Two fathers of modern encryption - Ron Rivest and Leonard Adleman - together with Michael Dertouzos, introduced and struggled with the notion of fully homomorphic encryption approximately 30 years ago. Although advances through the years offered partial solutions to this problem, a full solution that achieves all the desired properties of homomorphic encryption did not exist until now.

IBM enjoys a tradition of making major cryptography breakthroughs, such as the design of the Data Encryption Standard (DES); Hash Message Authentication Code (HMAC); the first lattice-based encryption with a rigorous proof-of-security; and numerous other solutions that have helped advance Internet security.

Craig Gentry conducted research on privacy homomorphism while he was a summer student at IBM Research and while working on his PhD at Stanford University.

Wait, what?

[spiffmastercow]

Okay, maybe I'm a noob when it comes to encryption, but I was under the impression that if you were able to read the encrypted email, you were probably able to read the encrypted recipient address too. Is there something I'm missing here?

Re:Wait, what?

[moogied]

Yes, yes you are.

The point is not to read the content, but to enable a computer to analyze the content in such a way that they can deduce statistics and patterns from it. FTFA:

computer vendors storing the confidential, electronic data of others will be able to fully analyze data on their clients' behalf without expensive interaction with the client, and without seeing any of the private data

I don't need to know that you love apples to know you definitely love the same thing as 14 other people. Lets assume that we have 20 encrypted sets of data. Lets also assume the 20 sets say basically the same thing but because of the encyrption method look nothing a like from the raw data perspective. If you go ahead and find a way to analyze the encryption enough to know that the 20 emails all contain a similar message, but not enough to actually know what the message is... well then! You could go ahead and store all of ebay's customer information and do massive amounts of data crunching for them, without ever actually seeing any data.

This is a huge problem in IT, where admins need access to the databases in order to see how the data is being stored, how the tables are working, etc etc.. but can't actually have access to the database because then they might see customer information. So you either let joe-bob admin in there and let him see all the data, or you don't. Now you can let the admin in there, they can determine anything they might want to know, but they never actually see any exact data.

No, I don't know anything about the math portion.. but thats basically what they are trying to say in the article. I think. :)

Re:Wait, what?

It's possible to understand what is going on just by looking at the words used. They say they've come up with a homomorphic encryption. Homo means says morhpic means changing. So homomorphic encryption is an encryption that preserves some predefined properties.

What you've got is a set of properties that are preserved by the encryption. A lot more research (in the sense of reading papers on the subject) on exactly what the properties are is necessary to figure out the value of the encryption.

If the properties in question are important to you, the encryption might be worthless. Then again, if the properties in question are not something you need to keep secret, then the encryption might be worth a great deal to you.

The strength of the encryption is also something that needs to be questioned. This question is separate from the fact that some properties are not changed.

Re:Wait, what?

[geminidomino]

Yes, yes you are.

The point is not to read the content, but to enable a computer to analyze the content in such a way that they can deduce statistics and patterns from it.

I'm not crypto-geek, but aren't patterns generally the bane of encryption?

Re:Wait, what?

[Cyberax]

Implausible. Changing just one bit results in an 'avalanche effect' in good ciphers, so quite a lot of bits will be changed.

You won't be able to derive any useful information from that.

Re:Wait, what?

[spiffmastercow]

Fair enough, but how is that better than just "anonymizing" data from a database through a one-way hash and then removing all directly identifiable info (client ID, etc)?

Re:Wait, what?

[e-scetic]

If I encrypt my data, and I like apples, and I can now use this new technique to determine that 20 other people like apples too, don't I have an essential piece of information I can use to decrypt the encrypted data of those 20 other people?

Re:Wait, what?

[John+Hasler]

Homomorphic encryption does not give you any such ability.

Re:Wait, what?

Each of the examples listed above allows homomorphic computation of only one operation (either addition or multiplication) on plaintexts. A cryptosystem which supports both addition and multiplication (thereby preserving the ring structure of the plaintexts) would be far more powerful. Using such a scheme, one could homomorphically evaluate any circuit, effectively allowing the construction of programs which may be run on encryptions of their inputs to produce an encryption of their output. Since such a program never decrypts its input, it could be run by an untrusted party without revealing its inputs and internal state. The existence of a fully homomorphic cryptosystem would have great practical implications in the outsourcing of private computations, for instance, in the context of cloud computing.

http://en.wikipedia.org/wiki/Homomorphic_encryption

Re:Wait, what?

[spiffmastercow]

Okay... So what if I like apples. And I have a username that starts with S. Now we've already established that I can see how many other people like apples. Can I see how many other people like apples that have usernames that start with S? And then can I see how many other people like apples, and have usernames that start with 'Sp'? I'm sure you see where I'm going with this. I may just be a cynical bastard with a math education insufficient to understand the technique by which this works, but it sounds like the idea is to intentionally weaken the encryption.

Re:Wait, what?

[moogied]

electronic data of others will be able to fully analyze data on their clients' behalf without expensive interaction with the client

Re:Wait, what?

[lordofwhee]

This is why the data has to be encrypted in such a way as to prevent the avalanche effect, which defeats the purpose of encryption by forcing you to use a weak algorithm (at least from my understanding).

Really, you may as well use character-replacement for all the good the algorithms that support this technique would do you.

Re:Wait, what?

[geminidomino]

Unfortunately, as a non-cryptogeek (as I said), I have no idea WTF that says. It says that the program never decrypts the data. I got that much. That doesn't say anything about patterns and statistics, that TFS mentions.

It seems that if you can determine how often things show up in encrypted data (the "statistics" part), you're already revealing information.

Re:Wait, what?

[EvanED]

Changing just one bit results in an 'avalanche effect' in good ciphers, so quite a lot of bits will be changed.

Not necessarily true. Think a one-time pad; the best cypher out there, unbreakable without the key (well, you have to control for length issues), and doesn't have the avalanche effect.

I can't speak to whether there are or aren't other good cyphers without the avalanche effect, but there is at least one important exception.

Re:Wait, what?

[NAR8789]

It doesn't allow you to compare data encrypted by different ciphers. It allows particular "multiplication" and "addition" operations on data encrypted by the same cipher. If I like apples, and have a username that starts with "S", someone with both encrypted blocks can produce another encrypted block of "I like apples" or XOR "I like apples" or something more computationally complicated along those lines. So, it does not allow the sort of attack you're proposing.

Re:Wait, what?

[NAR8789]

...can produce another encrypted block of "I like apples" or XOR "I like apples" or...

ah... sorry. failed to properly proofread my comment. That should be "...can produce another encryptoed block of "I like apples" or XOR "I like apples" or..."

Re:Wait, what?

[NAR8789]

I'm an idiot. There a modifier for HTML retard?

"[username]I like apples" or [username] XOR "I like apples"

Re:Wait, what?

[mhall119]

You can only see if 20 other people like apples if that plaintext data was encrypted with the same key as the plaintext data that says you like apples.

Suppose Coca-Cola and Pepsi Cola both use the same Market Research firm, which we'll call StatisticsInc. Now, companies are very jealous of market insight data, most will not work with a firm that also works with a competitor, lest someone get bribed into sharing trade secrets. What this allows if for Coca-Cola to sent a bunch of demographic data to StatisticsInc for analysis, and StatisticsInc will never know what the input or result contained, and therefore cannot share any confidential data to Pepsi.

Re:Wait, what?

Extracting ANY usable info from encrypted data is a security failure. Apples be damned, you have no business knowing that I love the same thing as 14 other people, or even that I love anything at all, or that I even EXIST. And, any information about encrypted content can be used to break the encryption as many people have already noted. So, fine, use this for stuff your manager told you to encrypt but doesn't really need to be secure. Don't use it for any information that you want to completely conceal.

Re:Wait, what?

[DragonWriter]

Now you can let the admin in there, they can determine anything they might want to know, but they never actually see any exact data.

If they can determine "anything they might want to know" about the data, that is exactly equivalent to having full access to the data. So if that's what this offers, for a 12 order of magnitude performance hit, I'm not impressed.

Re:Wait, what?

[Prune]

That is not correct. We're not simply dealing with chunks of encrypted data in a database here. We're talking about actual arithmetic operations. If your system supports at least addition and multiplication on encrypted data, then you can implement any other computation based on these.

Re:Wait, what?

[setagllib]

The one-time pad is a theoretical base case that has virtually no useful applications. Even Bruce Schneier says so: http://www.schneier.com/crypto-gram-0210.html#7

Re:Wait, what?

[gadzook33]

This is wrong. If you know that the underlying plaintext is the same as anything else, information is being leaked. If someone can deduce anything about the underlying data, then you've screwed up your crypto. This is the intent of initialization vectors; to decorrelate the underlying plaintext.

Look but don't see.

[Itninja]

First data is created and deemed private. It's then encrypted to prevent unauthorized people from seeing the private data. But other people want to analyze the data, without actually seeing it. Kind of like how it's good to know the income demographics of a city, but not to know the personal income of every person in said city. Never mind the fact that someone had to see the information at some point to render the statistics. Unless of course the results are never audited for accuracy. But's that's another story.

Anyway, so then we put our private data on someone else's server (we call it a 'cloud' - isn't that nice?) and they can't look at it because it's encrypted. But they will run analysis on the data, which requires a special tool to or something....look - all's I know is I get's me my KPI's for my board meetin'. Who really cares if some guys personal health records are sniffed by some computer...whoa! Jim has ass herpes?! I am so updating this on the Interwebz!

Re:Look but don't see.

You've thoroughly misunderstood what this is about, I think. AFAIK this is about performing computations on encrypted data without having to decrypt the data.

Say I have a function F that I want to run on data A to produce data B. i.e. B=F(A)

F is an expensive function to run (big computation), so I'd like to hire the performance of computation service from someone, let's call them MBI, with a huge ass-computer.

But I don't want MBI to know the data A.

So I encrypt it, and give them CryptA instead.

But applying F to CryptA isn't going to give B, and maybe I don't want MBI to know B either!

But say I could derive a function G from function F, that given CryptA, produced an encrypted output CryptB, that when I decrypted gave B. i.e. CryptB = G(CryptA)

So I could give MBI data CryptA and function G, they could computer CryptB for me for a small (large) fee, no doubt - time on a blue gene machine or other large scary linux box isn't all that cheap to provide, though it's often at taxpayer expense.

And then I could decrypt CryptB to get the B I wanted. Since MBI only ever have CryptA, function G and CryptB, I don't leak input A or output B to them (I'm not sure off the top of my head whether they can derive F from G)

i.e. this is to enable provision of a SAFE (well, until someone makes a quantum computer...) computation service that PROTECTS privacy the way current systems don't

Actually, I thought it was "solved" (for cryptographer values of "solved"), just very computationally expensive and that's why people don't do it, I could have been wrong there, not actually a cryptographer.

Re:Look but don't see.

[John+Hasler]

They not only can't look at the data, they can't look at the results of the analysis. Only you can. That's the point.

Re:Look but don't see.

[Simetrical]

And then I could decrypt CryptB to get the B I wanted. Since MBI only ever have CryptA, function G and CryptB, I don't leak input A or output B to them (I'm not sure off the top of my head whether they can derive F from G)

They can, AFAICT. F must be expressed in terms of two binary operations that distribute (like * and +, or & and ^). The translated function G will consist of just replacing each instance of * with & and + with ^, or whatever the equivalent operations are. So you know exactly what they're doing.

I could have been wrong there, not actually a cryptographer.

Neither am I, but I'm a grad student in math, and I know my homomorphisms. :)

Re:Look but don't see.

[Simetrical]

They can, AFAICT. F must be expressed in terms of two binary operations that distribute (like * and +, or & and ^). The translated function G will consist of just replacing each instance of * with & and + with ^, or whatever the equivalent operations are. So you know exactly what they're doing.

. . . I'm not so sure about this, actually. You might not know what the binary operations actually signify. You could probably gain some info in any event, but the point is it might be a lot less than you'd gain if you could decrypt the data, if the method is actually secure.

logic?

[poetmatt]

Apparently the logic is missed altogether:
"makes possible the deep and unlimited analysis of encrypted information - data that has been intentionally scrambled - without sacrificing confidentiality." is a conflicting phrase in and of itself.

If you can analyze the data "with or without confidentiality", you have already sacrificed the confidentiality. Or does nobody remember the aol search results fiasco?

This is more like "we can crack our own encrpytion, as if people are surprised".

Re:logic?

[John+Hasler]

Wrong. The whole point of homomorphic encryption is that everything remains encrypted throughout the process including the output. Only the client can read the results.

Re:logic?

[quanticle]

The summary is wrong. A Privacy Homomorphism allows third parties to compute calculations on the data on your behalf without decrypting either the input or the output. In other words, the cloud provider could, for example, total up your sales data without ever decrypting the individual sale information or the final total. The encrypted final total would then be given to you, and you would decrypt it to learn what it was.

At no point does a third party have access to a decrypted form of your data.

Re:logic?

[GargamelSpaceman]

What if a process is generally used to add two numbers and then divide them by a third number? If the process is designed badly so that the sum is first computed and then the third number is only sent subsequently, then the fact that the third number was zero could be deduced with high confidence from the fact that the third number was never sent ( why request a division by zero? ) Careful design such as requiring all three numbers be sent simultaneously, and that a specific NotANumber value be returned in the case of division by zero would fix this, but it seems prone to programmer error/oversight.

Re:logic?

[quanticle]

To be fair, though, that's not really an attack against the cryptographic protocol, so much as it is an attack based on traffic analysis between the host and the server. Of course, any application implementing this protocol would have to take these things into consideration, but the existence of flaws such as these doesn't necessarily point out an inherent flaw in the cryptosystem itself.

from the horses mouth

Just FYI this site is whole sale cut and paste ripping IBM press off.

http://www-03.ibm.com/press/us/en/pressrelease/27840.wss

Re:from the horses mouth

[Iluvatar]

Also, is it just me, or the article title and content a bit misleading: how is a summer intern (PhD student from Stanford), who published this as a single-author paper (no IBM co-authors), an "IBM researcher"?

This is mentioned only at the very end of the "article".

Re:from the horses mouth

[NoCowardsHere]

Uhh... I'm not sure how to break this to you, but WHOLE POINT of a PRESS RELEASE is that it gets sent out to the press, in the hopes that websites and newspapers will reprint it. That's why IBM published it in the first place. So, yeah, it's not plagiarism, sorry.

Re:from the horses mouth

[RegularFry]

Yeah, but it's kind of nice to hope that the news vendor will add some of their own analysis rather than simply regurgitating a press release. Foolishly optimistic, in most cases, but nice nonetheless.

Sacrificing confidentiality

[0xABADC0DA]

I bet multi-modal reflection sorting can determine what the confidential info is.

Re:Fully homomorphic encryption using ideal lattic

[spiffmastercow]

Abstractly, we accomplish this by enabling the encrypter to start the decryption process, leaving less work for the decrypter, much like the server leaves less work for the decrypter in a server-aided cryptosystem.

Umm... That doesn't ease my concerns about this already disturbing prospect..

But what if it took... a TRILLION times longer?

[spun]

Yeah, you can perform calculations on encrypted data without unencrypting it. But it's just a LITTLE slow. The first step is just showing it can be done, but it's a very long way from useful.

Re:But what if it took... a TRILLION times longer?

[SiliconEntity]

I read the paper and my guess is that a TRILLION is actually an understatement. It looks to me like it might be almost INFINITELY slower. In other words, completely impractical and only of theoretical value.

However, now that the first step has been taken, it's possible that someone will come up with an improvement that makes the idea practical someday.

Re:But what if it took... a TRILLION times longer?

[js_sebastian]

Actually, the presentation (http://www.fields.utoronto.ca/audio/08-09/crypto/gentry/index.html) claims that evaluating one logic gate takes in the order of k to the 7th operations, where k is the size of the key. For 128-bit keys that's around 10 to the 15th power. Which is most definitely not infinitely slower (whatever this "informative" sentence is supposed to mean), but also not exactly practical.

Mod Parent Up

Well, Net-Security missed the last part. So, I'll just post it here.

"IBM Research is home to the largest team of cryptography researchers outside of the academic and government communities. For more information about IBM Research, please visit http://www.research.ibm.com/."

Explanation?

[drunken_boxer777]

Could someone explain how this "breakthrough might also one day enable computer users to retrieve information from a search engine with more confidentiality"? (Quoted from the article.)

From the article it seems as if this aids in the scanning and searching of encrypted data rather than securing anything. While this might ultimately benefit large corporations or governments hiring third parties to perform analyses, is it of any use to the rest of us?

Even a car analogy would be great. Umm, make that "acceptable".

Re:Explanation?

[instagib]

A car analogy? Good idea:

You bring your car to the shop. You don't tell them what type of car it is, or what the problem is. They analyze it, then hand you a closed envelope with the results the computer printed there without them seeing. You alone will read what's wrong with your car, and based on that you can order repairs.

Thinking of it, this would be great! They can't charge you for fantasy repairs anymore...

Re:Explanation?

You could create your query on the clients side(in your web browser maybe?) and then send that query, which the server side cannot decrypt but can run against their data. The server would then respond with encrypted data that you would then need to decrypt to actually see the results.

Wikipedia to the rescue

[Dr.+Manhattan]

With fully homomorphic encryption, you can perform operations on the encrypted data, in encrypted form, that produces encrypted output. Sort of like doing a database query on encrypted data, that produces an encrypted result. So you could store your data somewhere in encrypted form, ask the host to perform some operations using their CPU cycles, and send you the result. You decrypt the result yourself, the host never sees unencrypted data at any point.

Cool, but I'm half-convinced that holes will be found. The first time a new encryption scheme is put to the test, it usually fails. Still, hopefully, it'll lead to a truly secure scheme.

Re:Wikipedia to the rescue

[bobdehnhardt]

Holes are always found - no method is 100% foolproof. The question is will the holes be usable? If the level of effort to exploit the holes is high enough, we may not see them exploited for some time. But the holes are there, and they will be found.

Re:Wikipedia to the rescue

Holes are usually due to the implementations, much more than the algorithms themselves.

Re:Wikipedia to the rescue

Your proclamation betrays your ignorance. Provably correct methods are 100% foolproof. Very few things, however, are provably correct.

Re:Wikipedia to the rescue

[wren337]

Holes are always found - no method is 100% foolproof.

http://en.wikipedia.org/wiki/One-time_pad

Re:Wikipedia to the rescue

[Guy+Harris]

Your proclamation betrays your ignorance. Provably correct methods are 100% foolproof. Very few things, however, are provably correct.

And, of course, there is the risk of an error in the proof. Possibly a negligible risk, but it can happen.

Re:Wikipedia to the rescue

[jgbishop]

Of course holes will be found. It's made out of a lattice!

Re:Wikipedia to the rescue

Breakable ones the pad is leaked or reused, which a fool will do. People seem to be confused as to what "foolproof" means. No method is 100% foolproof because there'll always be some fool who breaks an assumption of the method.

Re:Wikipedia to the rescue

[Anti_Climax]

While I love the elegance of good OTP encryption, it is only as good as the security during the key exchange which is not 100% foolproof.

Re:Wikipedia to the rescue

----
This same mistake [reusing the one-time pad] let American cryptanalysts decode thousands of Soviet spy messages in the 1940s and -50s.
----

So even the one-time pad is--literally--not "fool" proof. In theory, theory and practice are the same thing...

So even if this homomorphic encryption is mathematically "perfect"...as long as you don't perform certain queries...or as long as you don't repeat certain queries...or as long as you don't publish the result of a query allowing a plain-text attack...or...or...or... ... eventually, someone's ad-hoc query is going to break the rules and IBM will own your data.

(But bobdehnhardt has a good point--as long as its more effort to break your encryption than, say, bribe one of your employees or steal their laptop, the service can still be useful.)

Re:Wikipedia to the rescue

[Abcd1234]

Nevertheless, OTP itself *is* foolproof. Key exchange is a whole other ball of wax.

Re:Wikipedia to the rescue

[Prune]

Exactly. However, even here there is an implicit assumption--the one-time pad is truly random. If you use a crappy pseudorandom generator, your encryption will be vulnerable.

Re:Wikipedia to the rescue

[Prune]

Note that hardware generators are not guaranteed to produce great random numbers either, since they have non-uniform distributions. It's best to mix them up (in a feedback mode) with some other thing that has a good distribution, like a mersenne twister or coupled logistic functions.

BAD summary

[spun]

You can not analyze the data. You can perform calculations on it without knowing what it is. So, for instance, you could encrypt all your tax info, send it to a company that processes the encrypted data without decrypting it, and sends you back your encrypted tax return, without ever having seen any of your financial detail.

Re:BAD summary

Bullshit. If it's possible to perform any meaningful calculations (by a third party) on the encrypted data at all then there is information leaking and it's a weak algorithm.

Re:BAD summary

[rbenech]

Actually, imagine being able to add two numbers together without knowing what those two numbers were and returning the total that you STILL don't know what the number is, but you have the cyphertext for it. You still need the key to decrypt the total.

Example in plaintext:

4 + 5 = 9

Example encypted (oversimplified):

D32JFS3 + 234DSF31 = 42SDF23

So the third party would receive D32JFS3 and 234DSF31 (not knowing they meant 4 and 5) and he would return 42SDF23 (not knowing it was 9)

The ablility to add two peices of cyphertext to get some (still unknonw) peice of cyphertext does not increase the "breakability" of the encryption because, just like the rosetta stone, you really need pairs of plaintext and cyphertext to do any real analysis. There may be some NEW attack methods on lattice based encryption techniques, but they are not yet widely known.

Re:BAD summary

[KevinIsOwn]

You better send this to the reviewers of Gentry's paper so that they have this important information!!!

Re:BAD summary

[Shimmer]

My problem with this is that you'd have to expose the structure of your data, if not its contents. Using your example, the cyphertext might look like: "QEDD32JFS3234DSF31". You'd have to tell the analyzer that integer A starts at index 3 and integer B starts at index 10. That information alone could help the analyzer crack your encryption.

Re:BAD summary

[statdr]

Not sure I see the point of this technology. Since the data provider has access to the raw unencrypted data (else how could the data provider see the unecrypted analysis results), wouldn't it be cheaper to develop a standalone analysis program for the data provider? Why encrypt, transmit, apply complex analysis process, retransmit, and decrypt results when one could just analyze the results onsite?

Re:BAD summary

[spun]

Considering that, currently, performing calculations on encrypted data takes trillions of times as long as calculations on unencrypted data, you may very well be right. But this is just a proof of concept, and the thought is, this could be useful if the processing time can be brought down.

Besides the tax example, other articles have mentioned search terms. Perhaps you don't want Google to know you are searching for 'bisexual midget porn.' Now, there's a solution! They also mention cloud computing. With a system like this, you could outsource processing of classified data.

Think of the possibilities for games. You could have cheat proof peer to peer gaming. Each peer could compute a part of the shared world, without knowing what the data was or how to alter it to cheat.

I'm sure there are tons of other applications no one has even thought of yet (or at least, that I haven't thought of yet.) But only if the processing time can be reduced by many orders of magnitude.

Re:BAD summary

[daveime]

The ablility to add two peices of cyphertext to get some (still unknonw) peice of cyphertext does not increase the "breakability" of the encryption because, just like the rosetta stone, you really need pairs of plaintext and cyphertext to do any real analysis

Nope, absolutely not ... assuming the processor at least knows that the encrypted data represents integers, then he could simply do the following, using your values above :-

D32JFS3 / D32JFS3 = XXXXXXX (he has now established the encrypted data for the value 1).

Then repeat D32JFS3 - XXXXXXX until the result is also XXXXXXX. The count of the repeats has now exposed the value of D32JFS3.

Simplistic example, I know, but the principle exists ...

Re:BAD summary

[dalhamir]

The exact opposite, it saves lots of transmission time.

Unencrypted analysis:
The data is encrypted and transferred once to the cloud. An analysis is designed, the entire dataset must be transmitted back off the cloud, decrypted, and analyzed.

Encrypted analysis:
The data is encrypted and transferred once to the cloud. An analysis is designed, and just the encrypted analysis function is passed to the cloud. Analysis is performed in the cloud, and just the result is transfered back, where it is decrypted.

so, we've traded transmission of the dataset (probably big) for transmission of the analysis function and the results (probably smaller).

Re:BAD summary

[SiliconEntity]

Nope, absolutely not ... assuming the processor at least knows that the encrypted data represents integers, then he could simply do the following, using your values above :-

D32JFS3 / D32JFS3 = XXXXXXX (he has now established the encrypted data for the value 1).

Clever idea but it does not work.

First, it's easy to figure out the encrypted data for the value 1: just encrypt the value 1! This is public key encryption.

Second, there are multiple ways of encrypting the value 1. This is randomized encryption.

So it's easy to learn an encryption of the value 1 (or of any value for that matter), but it won't shed any light on what values are actually encrypted, because even if you guess right (i.e. you try encrypting the value 14 and you are later given an encryption of the value 14), the encryptions won't match because there are too many different ways of encrypting the same value.

Re:BAD summary

[unfasten]

Second, there are multiple ways of encrypting the value 1. This is randomized encryption.

Wouldn't he still be able to value of that specific instance of that number? Given enough queries (or if they're able to figure out the data structure) couldn't this expose a lot of data, even if time consuming?

I'm not stating any of this is true, I'm just geniunely curious if it would work like that.

Re:BAD summary

Could someone explain to me how you can do tax calculations without knowing the magnitude of the values? Tax rates are not linear, some deductions are capped or have minimum thresholds, etc. It seems that if you can determine what tax bracket someone is in, you are in fact able to determine information about the values.

Don't get me wrong; this seems like a really cool and important discovery, but I don't see how you could do the kind of conditional logic that's needed for general-purpose manipulation of data using just what's described here...

Re:BAD summary

[Prune]

Not with any proper encryption I can think of.

Re:BAD summary

As another poster stated, finding the encrypted data for the value 1 is trivial on current public key cryptosystems anyways. As for your method of "breaking" the system; it's a bit like saying we shouldn't use RSA because all you have to do to break it is factor a very very very large composite number. If the algorithm encrypts in 128 bit blocks, for instance, your method takes 2^127 subtractions half the time, 2^126 subtractions a quarter of the time, 2^125 subtractions an eighth of the time, ... and so on. With a certain very small subset of the possible encrypted messages you can decrypt them quickly; but this is already true with RSA, ECC, and every other public key encryption system I am familiar with.

Re:BAD summary

[DamnStupidElf]

D32JFS3 / D32JFS3 = XXXXXXX (he has now established the encrypted data for the value 1).

division is the solution to a multiplicative and additive identity: dividend = quotient*divisor + remainder.

Homomorphic encryption allows multiplication and addition of ciphertext, but not division, because the quotient would be encrypted. There is no algorithm to determine a quotient such that the remainder is less than the divisor (because the less than operator does not exist in homomorphic encryption), which is required to solve a standard division problem.

It may also be true that the cipher relies on overdefinition of numbers, e.g. A=E(1) may not equal B=E(1) for any two encryptions, but D(A) = D(B) = 1. This can be accomplished by carrying random state within the ciphertext that accumulates with operations but does not affect the decrypted result.

Re:BAD summary

What's the point if they're so stupid as to continue as far as they have?

Re:BAD summary

[Mozk]

I'm pretty sure that the OP's example was just an example to explain the concept, and that that's not how this actually works.

Re:BAD summary

[maxwell+demon]

But there are interesting queries where there are only two possible answers, "yes" or "no". And if you have found all possible encryptions of "yes" and "no" once, you can find out the answer for any computable yes/no question. So the actually interesting question is: How many different representations of the same result exist? Is it feasible to compute all of them once? Or maybe there's even a yet unknown specific weakness which allows to easily distinguish 0 and 1 if you know the encrypted value is one of those.

Also note that repeatedly subtracting 1 is a very inefficient method of determining an integer. A much better algorithm is to repeatedly divide by two and determine the reminders. To determine a 128 bit number this way only needs 128 steps, as opposed to an average of 2^127 for the subtraction method.

Re:BAD summary

[master_p]

How is it possible for them to calculate the tax return if they do not analyze the data?

Re:BAD summary

[spun]

That's the breakthrough. They add (as a made up example) E47F109A and FA619B05, coming up with 191AA7FC. They have no idea that, when decrypted with your key, those values are 51, 49, and 100 respectively. How is that possible? You'll have to read the paper, because I can't explain it :)

Re:BAD summary

[Tokerat]

It sounds to me like these operations are "safe" because the folks doing the 3rd-party analysis never see the results, or the original data. Basically, you can add two encrypted values together and get a third encrypted value which contains the answer, and that answer can only be seen via decryption with the key.

What the hell good is that to Mr. 3rd Party processor? Why don't the original data holders just do it themselves, which will probably increase security and accuracy? If your data is so sensitive it needs to be heavily encrypted, should you really run the risk of outsourcing data analysis to a 3rd party that can't even check their work for accuracy? What if some subtle rounding error goes unnoticed during testing? This could cost you millions.

Can I run this homomorphism on your data?

[Saint+Stephen]

f(x) = x

Re:Can I run this homomorphism on your data?

[SUB7IME]

Yes, you may, until 1==0.

Re:Can I run this homomorphism on your data?

[Simetrical]

f(x) = x

No. The operations you get are addition and multiplication, that's it. Given E(x) and E(y), you can compute E(x + y) or E(xy), nothing else. And you do this without ever learning x or y. RTFWA.

The reason for the terminology is that the encryption function E is a ring homomorphism between plaintext and ciphertext. Some operation of addition is defined on both plaintext and ciphertext such that if x and y are plaintext, f(x + y) = f(x) + f(y). (The "+" on the left is addition of plaintext, the "+" on the right is addition of ciphertext: two totally different operations.) Multiplication is similar. You don't get to apply arbitrary homomorphisms to the data, it's the (predetermined) encryption function that's the homomorphism.

Actually, I don't see any mention of subtraction -- so maybe it's really a semiring homomorphism. With an actual ring homomorphism you'd also have f(x - y) = f(x) - f(y), and some 0 element with f(0) = 0. And maybe f(1) = 1, depending on definition.

Re:Can I run this homomorphism on your data?

a - b == a + (-b)
a/b == a*1/b

Re:Can I run this homomorphism on your data?

[Simetrical]

a - b == a + (-b)

a/b == a*1/b

In a semiring, the element "-b" need not exist. One straightforward example is the natural numbers 0, 1, 2, ...: there's no number x such that 1 + x = 0, i.e., such that x = -1. Likewise, in a ring or semiring, 1/b need not exist. Again using the natural numbers, there is no natural number equal to 1/2. You don't even have to have any 0 or 1 element in a semiring (0 is required in rings, though).

Of course, the natural numbers can be extended to a field, where everything has a negative and everything except 0 has a reciprocal. But not all rings or semirings can be extended to fields. Consider the set of 32-bit integers with operations ^ (in place of +) and & (in place of *). 0 takes the place of 0 (since n ^ 0 == n for all n), and 0xFFFFFFFF takes the place of 1 (since n & 0xFFFFFFFF == n for all n).

Now, 1 & 2 == 0. If in any extension of this ring there were some n so that n & 1 == 0xFFFFFFFF (i.e., there were an inverse for 1 under the operation &), we would have 0 == n & 0 == n & (1 & 2) == (n & 1) & 2 == 0xFFFFFFFF & 2 == 2, a contradiction. Therefore, 1 cannot have any inverse under &, in any extension of this ring.

Man, we need more Slashdot articles involving real mathematics.

hmmm...

[whopub]

Why, are you trying to keep all the gay fun for yourself?!

<SEINFELD>No that there's anything wrong with that!</SEINFELD>

Re:First post! I was thinking this was an exotic

[davidsyes]

sexy topic... a DEEP, probative analysis of sorts. I bet the analyzers are as gay/giddy as they can morph into... Maybe they can be TRANS-FORMERS.... slap some dap and scrum some bum...

simple explanation

OK, it looks like a lot of people are missing the point.

What Gentry figured out was a scheme for carrying out arbitrary computations on encrypted data, producing an encrypted result. That way, you can do your computation on encrypted data in the "cloud", but only you can view the results.

If E() is your encryption function, x is your data, and f() is the function you'd like to compute, homomorphic encryption gives you a function f'() such that f'(E(x)) = E(f(x)). But at no point does it actually decrypt your data.

This could be huge for secure computing.

Re:simple explanation

[TypoNAM]

If E() is your encryption function, x is your data, and f() is the function you'd like to compute, homomorphic encryption gives you a function f'() such that f'(E(x)) = E(f(x)). But at no point does it actually decrypt your data.

Got an example in C language instead?

Re:simple explanation

[cenc]

Perhaps I am a bit slow and stupid, but is this not like running an encrypted virtual machine or at least could be done in some sort of encrypted virtual machine? Something where the underlying hardware and OS does not know what the processes and data are at the higher level.

Re:simple explanation

Let x be the data. Assume x is a 2 bit value.

Let f(x) = x & 0x01
Let g(x) = (x & 0x02) >> 1

Use new magic to get f'() and g'()

compute f'(E(x)) and g'(E(x))

if they are the same, you know x is either 00 or 11
if they are different, you know x is either 01 or 10

This can be scaled up to any N bit value to arrive at one of two possible values for any x given E(x).

If you know anything at all about the type of x (i.e. it may be ascii text, or its range may be bounded), choosing the right one of the two possibilities is trivial.

Re:simple explanation

Presumably the "new magic" (i.e. the method of deriving f' and g') depends on the encryption key.

If you upload some encrypted data to the cloud you can create a function and have your provider apply it your data without your provider being able to understand the data, the function or the result.

Re:simple explanation

[Prune]

He didn't figure out arbitrary computations, just both addition and multiplication. That other computations can be built on top of those primitives has been known for much longer and is nothing new. So while in a sense your comment is formally correct, it is misleading.

Re:simple explanation

[Lunzo]

Replace the = with ==. You now have it in C.

Joking aside GP was talking mathematical functions, which is quite appropriate given the context - theory underpinning cryptography.

Re:simple explanation

[harlows_monkeys]

What Gentry figured out was a scheme for carrying out arbitrary computations on encrypted data, producing an encrypted result. That way, you can do your computation on encrypted data in the "cloud", but only you can view the results

The other direction--letting the server do secure computation on the client, is also very interesting. Consider an MMORPG. One of the problems in MMORPG is cheat programs. These can be particularly troublesome in a PvP game. For example, there were programs for Dark Age of Camelot that would show you every enemy player in a large bubble around you, regardless of any obstacles blocking line of sight or the use of stealth abilities.

The obvious solution for this is that the server should only send player position information to the client for players that should be visible to that player. That is currently not feasible, because the server hardware is simply not powerful enough. The server has to send all the information, and let the client do the extensive calculations of visibility.

If secure encrypted computing could be made fast enough, the server could send encrypted information on all nearby players, the client could compute what is visible and send the results back to the server, which could then send an unencrypted list of what players the client should show. The cheat programs would never see the data on the invisible players.

Analysis can mean Disclosure of Information

[statdr]

If a human (or computer) looks at the "analyses" performed on encrypted data and can make the same inferences as if the analyses were performed on the unencrypted data, then the encryption process hasn't reduced the possibility of disclosure that arises through analysis (or data access).

  Simple analyses like 1) produce a 2x2 table of outcomes or 2) produce a linear regression of an outcome on covariates can be used to identify information about individuals or even identify individuals.

  I've seen a push by IT firms to focus on the encryption/transmission issue when discussing privacy concerns. While important, it's only a piece of the HIPAA/privacy issue. If a human being/computer can make correct inferences from analyses of data (encrypted or not), then there is a potential for disclosure that is not covered by the encryption process.

  It is extremely difficult to determine a priori what analyses could/would reveal identities or information about individuals. Perhaps simple pre-defined two-way tables/one-way tables could be created for a given fixed set of information. A general purpose non-disclosive analysis system doesn't yet exist (if ever).

iaas (I am a statistician)

Re:Analysis can mean Disclosure of Information

[gr8_phk]

A general purpose non-disclosive analysis system doesn't yet exist

It does now. That's the point. I don't think the wording in the article is very good. What they're doing is more like simulation of circuits (AND and XOR gates). You can construct a general purpose computer from such gates. You can run a gate-level simulation of such a machine, but your simulation would normally use unencrypted data. This breakthrough allows your simulated machine to use encrypted data, so you feed it encrypted data and you get out encrypted data. All the guy running the simulation knows is the design of the simulated hardware.

This can be taken one step further. If you simulate a programmable computer - not just a fixed algorithm - then the guy running the simulation won't even know what *algorithm* he's running in addition to not knowing what the data is since the program is just encrypted data. I've been toying with this for a while without knowing the proper name for it :-) And no, I never found a method that could handle both AND and XOR, so I look forward to reading more about this.

Re:Analysis can mean Disclosure of Information

[stuffeh]

Am I correct in assuming that you are talking about trying to run an identity function through the encrypted data set and thus outputting the original data? I find this to be a moot point because I'd assume that the person doing this would not be smart enough to figure out the identity function, and if it is trivial, then a filter can be programmed in to disallow the use of it.

Also, I'd hope that the individual that is working with the information is cleared and trusted by the organization to access the raw data anyways. And how are we doing this now anyways? We have individuals who manually analyze the data and produce output, so it is kinda a like saying, "I've just invented a new foolproof/crash proof car, but you can only drive it if you get a new driver's license." You don't need to re-trust the current people who are working with the data since they are already working with it raw. It isn't like they'll be giving away the private key to someone to encrypt the function to create the outputs themselves.

At first...

[curtix7]

I thought I was being childish when i thought to myself "tehee homo-morphic,"
but after RTFA my suspicions may be justified:

Two fathers of modern encryption...

Re:At first...

[stuffeh]

Umm... Math. What's the probability you are going to find a woman? Anyways, one of the pioneers in encryption, Alan Turing, was a complete 'mo. Thus not completely surprising if you were right.

thanks, but no

[JackSpratts]

ok, so if your sales are tanking your competitors can analyse your encrypted offsite data to find out your sales are tanking. that about it?

up to you but i'll pass.

here's why this is important.

[goombah99]

TFA doesn't seem clear on this point, but what the name of the technique implies is that you can perform the operation, but neither the inputs nor the outputs are ever decrypted. So if you can't see the question, and you can't see the answer, then why would you perform the operation other than at the request of someone who can (i.e. the client)?

Example, I want the total sales figures for all the left handed employees. I cobble together the appropriate SQL processing request send it to my cloud server which rummages throught the data base summing up the figures for some subset of the fields. It sends me back just the sum, encypted. It never knows which employees it was selecting nor any of their sales figures or even the sum. It just has the encrypted result that it sends to me all processed.

otherwise I'd have to pull every encrypted record of every employee across the web to my computer. In effect doing a table dump across the net for even the smallest calculation. Yuck! let alone not working on my iphone.

Another application is encryption of ballots. The achilies heel of almost every voting encryption algorithm is that somewhere somebody has the key and to do any processing you have to decrypt the ballots. THis way you can do the sum and only decrypt the results. you could publish the encrypted sum before the key is even unsealed then publish the key. The key does not have to ever be in the hands of the central tabulators.

Current voting encryption schemes require centralized control with possession of the keys. This way the control is decentralized with the counters and the key keepers not being the same person.

Re:here's why this is important.

[Cacadril]

David Chaum's original system, Secret-ballot Receipt, does not have completely centralized decryption. There is a number of trustees, each with a private decryption key. If e1, e2, ..., en are the encryption functions, e1(e2(...en(ballot)...)) is sent to trustee 1, who decrypts and sends e2(...en(ballot)...) to trustee 2. Eventually trustee n receives en(ballot) and publishes ballot. But each trustee receives a batch of N encrypted ballots, and emits another batch of N ballots in a different order. Only the trustee itself knows which ballot in the emitted batch corresponds to which element of the received batch. Since the trustees can include political parties, human rights organizations, churches, etc, it is unlikely that all would collude to trace a decrypted ballot all the way back to the original encrypted ballot of which the voter has a receipt. There are additional mechanisms in place to prevent other kinds of abuses.

However, Chaum's original scheme was deemed to have usability problems for the voter (which I think are overblown), and its mathematical virtues are hard to explain to ordinary people beyond stating "it's sooo safe! Mathematicians say so!".

Homomorphic encryption has the property that e(n)+e(m)=e(n+m) for some meaning of = and +.

If 'n' and 'm' are answer vectors of 0 (no) and 1 (yes) answers to a vector of questions (Mickey Mouse for president? Donald Duck for president? etc), the sum m+n is the tally of those two ballots. Now I presume that with fully homomorphic encryption it is also possible to (e.g.) weed out overvotes and undervotes before adding up the results.

Even if it may be beyond most people how an encryption scheme can be homomorphic, it may be explainable to a somewhat larger section of the public how a homomorphic encryption can be used to tally the ballots publicly while maintaining the secrecy.

More about Chaum's scheme:

All inputs and outputs of all trustees are posted on a web site where anybody can download them, with some additional data that allows everyone to check 1) my encrypted ballot (as shown in my receipt) is there in the input to trustee 1, and 2) if a trustee has cheated with n ballots, anyone who runs the checking algorithm on the data will flag at least some of them, with probability (1 - 2^-n). Since usually more than 100 ballots must be stolen to steal an election, the chances of doing so undetected is less than one in 2^100. An detection will not just be "detection", it will be a mathematical fact that every math teacher in the world can verify (and many others). Additionally, there are similar guarantees that the encrypted data on the receipt really represents the votes that the voter saw and accepted in the booth.

If the ayatollahs had had such a system in place in Iran, they would probably have been able to convince the public that Ahmadinejad won - provided he did. So, even supposing that there was no fraud, the ayatollah's are to blame for the doubt and the protests. They could have avoided that making the elections more transparent.

The 2000 Florida fraud would still not have been prevented. More than 60000 voters were turned away because the shared names with alleged felons. All the recount discussions failed to consider them, discussing far smaller numbers of hanging chads and military absentee votes. No mathematical voting scheme could have prevented that. In Florida, those turned away should have been offered the opportunity to cast a provisional ballot that could have been counted after they had challenged their "felon" status.

Re:here's why this is important.

[TheLink]

Why would you encrypt ballots?

You should allow observers and party representatives to watch the counting of the votes.

Requirement #0 of democratic elections: elections do not just have to be fair, they have to be seen as fair.

Electronic voting systems fail that requirement.

You can have simple scalable solutions like paper based voting that are easily understandable (esp on how easy and hard it is to cheat) and thus satisfy requirement #0.

So it makes no sense to me to use electronic voting systems unless you want elections to be even more easily rigged. Or the country is so screwed up that too few people in the population know how to count high enough...

Not really a threat to privacy

[bk2204]

Basically, IBM has created a set of cryptographic algorithms that allow fully homomorphic encryption. If you don't want your data to be analyzed, all you have to do is use an algorithm that doesn't support it. You'd want to do that anyway, since you'd want to use algorithms that are already considered strong, such as RSA and AES. Although RSA is homomorphic in theory, in practice it is not, since padding is used to prevent other weaknesses.

Re:Not really a threat to privacy

[stuffeh]

You wouldn't want to use RSA if you were truly serious about being secure. http://en.wikipedia.org/wiki/Elliptic_curve_cryptography is much much better, however there has been research that states that you can use ElGamal with ECC to make a homomorphic encryption algorithm. But all that says is that if you want to, it still won't make other means ECC with different means to be homomorphic by nature (or any real way to force them to be homomorphic). Then again, i could be wrong because it has been a while since I've even looked at encryption.

Homomorphic Agenda

This is clearly a plot to turn our encrypted files gay.

Star Trek prior art

[Muad'Dave]

Fully homomorphic encryption is a bit like enabling a layperson to perform flawless neurosurgery while blindfolded, and without later remembering the episode.

Oh, I get it! It's like when Dr. McCoy reinstalled Spock's brain. McCoy was an idiot before, got the 1337 skillz, and then forgot it all.

Re:Star Trek prior art

[14erCleaner]

Fully homomorphic encryption is a bit like enabling a layperson to perform flawless neurosurgery while blindfolded, and without later remembering the episode.

I remember the episode: Spock's Brain.

Setec Astronomy

[tekrat]

I don't suppose the researcher's name was Janik?

Re:Setec Astronomy

Can't be. River Phoenix is dead.

Deep packet inspection/National firewalls

[zig43]

Great...the net nannies and oppressive governments will have yet another censorship tool in their arsenal.

Homomorphism

[NAR8789]

This article needs some clarification. In particular, a lot of the worried comments here show a lack of understanding of the word "homomorphic".

Here's a very simplified example of a homomorphism. I define a function
f(x) = 3x
This function is a homomorphism on numbers under addition. Its image "preserves" the addition operation. What I mean more precisely is
f(a) + f(b) = f(a + b)
That's pretty easy to verify for the function I've given.

Homomorphic encryption is interested in an encryption function f() that preserves useful computational operations. If we take my example as a very very simplified encryption then, say I have two numbers, 6, and 15, and I lack the computational power to do addtion, but I can encrypt my data with my key--3. (I'm generalizing my function to be multiplication by a key. And yes, for some reason I have the computational power to do multiplication. Humor me). I can encrypt my data, f(6) = 18 and f(15) = 45, and pass these to you, and ask you do do addtion for me. You'll do the addition, get 63, and pass this result to me, which I can then decrypt, which yields 21.

Now, my encryption here is very simple and very, very weak, but if you're willing to suspend disbelief, you'll note that the information I've allowed you to handle does not reveal either my inputs or my outputs. (In fact, with the particular numbers I've chosen, you might guess that my key is 9 instead of 3, (though relying on lucky choices or constraining myself to choices which have this property make my scheme rather useless))

If you generalize this to strong encryption and more useful computational operations, you begin to see how homomorphic encryption can be useful. One should note that, no, homomorphic encryption will not be a drop-in replacement for other forms of encryption. (Sending encrypted emails with homormorphic encryption would be unwise. An attacker can modify the data (though, if my understanding is correct, only with other data encrypted with the same key)) Homomorphic encryption simply fills a need that the other forms do not serve.

Hopefully you now also see how the article's use of the word "analysis" can be rather misleading. In particular, one of the earlier comments notes that it might be useful in allowing you to determine if different people's encrypted information is identical. By my understanding, homomorphic encryption would not allow this.

In any case, if my explanation is not enough, here's the wikipedia article.

Re:Homomorphism

[lomedhi]

That's an excellent explanation. Thank you.

Re:Homomorphism

[Simetrical]

Here's a very simplified example of a homomorphism. I define a function

f(x) = 3x

This function is a homomorphism on numbers under addition. Its image "preserves" the addition operation. What I mean more precisely is

f(a) + f(b) = f(a + b)

That's pretty easy to verify for the function I've given.

But examples like you gave (semigroup homomorphisms) have existed for a long time. Basic RSA has that property. The key advance here is that you have a semiring homomorphism, where it preserves two operations, one of which distributes over the other. Like multiplication and addition, or bitwise and and xor. (For those who don't follow: x*(y + z) = x*y + x*z, x & (y ^ z) = (x & y) ^ (x & z). If you don't believe the second identity, try all possibilities.)

An example of a semiring homomorphism on the reals is f(x) = -x. Then f(x + y) = -(x + y) = f(x) + f(y), and f(xy) = (-x)(-y) = xy = f(x)f(y). (Unless you believe in Time Cube.)

It seems distributivity is enough to do complicated calculations. You could simulate and and xor gates, I guess. Then you could get ~x = x ^ -1, x | y = ~(~x & ~y), etc.: all possible binary operations. That's enough to build a virtual computer right there, all operating on encrypted data.

Of course, the one running the code would be able to figure out exactly what algorithm you're using. So it's not perfect. But it's pretty cool regardless.

Re:Homomorphism

[mtremsal]

Thank you.

With both your explanations, I can finally understand TFA.
It lacked maths. Badly.

Could you just explain your sentence "Of course, the one running the code would be able to figure out exactly what algorithm you're using."
I don't think it means what I (currently) think it means.

(I don't thank you for the Time Cube reference though)

Re:Homomorphism

[master_p]

Thank you for the explanation. Here is a shorter explanation: using homomorphic encryption, mathematical operations on encrypted data can produce results which are themselves encrypted by the same encryption code.

Re:Homomorphism

[Simetrical]

Could you just explain your sentence "Of course, the one running the code would be able to figure out exactly what algorithm you're using." I don't think it means what I (currently) think it means.

Well, to be honest I'm mostly guessing here, with no theoretical knowledge of cryptography (only knowledge of abstract algebra). If I understand correctly, there will be a one-to-one correspondence between the two binary operations on plaintext, and the two binary operations on ciphertext. That's what a homomorphism means, usually. So the processor will know the sequence of ciphertext operations, and if they know how those map to plaintext operations they'll know what they're doing to the plaintext, even if they don't know what the plaintext actually is.

Also, I should point out that not all (semi)ring operations are created equal. For instance, you can't have a homomorphism from the integers under ^ and & to the integers under + and *, unless it maps everything to zero. Since it's a homomorphism, you have f(x) = (f(x) + f(x))/2 = f(x ^ x)/2 = f(0)/2 = 0 for all x. In this case you can only have a nontrivial homomorphism the other way around, and only one of those -- all even numbers will get mapped to 0 (f(2n) = f(n + n) = f(n) ^ f(n) = 0) and all odd numbers will get mapped to f(1) (same logic). (I'm assuming ring here instead of semiring, but semiring is similar.)

So I'd imagine a lot depends on the exact operations supported on both sides, not just the fact that there is some ring homomorphism. Not to mention, of course, that it's not really a ring homomorphism: Wikipedia says there's a limit on the number of multiplications you can do before you have to re-encrypt it.

But I could be completely wrong on a lot of this. I haven't tried reading the actual paper.

Re:Homomorphism

[gadzook33]

By my understanding, homomorphic encryption would not allow this.

Absolutely. If it did, the crypto would be leaking information in a big way.

Do I need to understand this?

[grikdog]

If someone can detect spam in public-key encrypted email, how is this different from knowing my private key? Even if they promise they haven't read my mail, only "analysed" it, hasn't my encryption scheme been compromised?

In particular, hasn't the long-standing suspicion that public-key encryption reduces to a trivial case been confirmed? (A suspicion that arose when NSA dropped its objections to Phil Zimmerman's PGP scheme involving public-key encryption of the actual key being used to encipher plaintext using Triple-DES or IDEA or whatever it was. Either NSA knew how to crack a 256-bit key, or public-key encryption was already compromised.)

Similarly, to calculate the time required to discover Major Kong's OPE code prefix, given the 28 SAC B-52 bombers proceding to targets inside Russia on the Dr. Strangelove Big Board, we simply divide 26 cubed by 28, distributing a range of 628 prefix combinations to as many teams of radiomen who can send perhaps 20 prefices a minute to a single B-52. Major Kong's OPE prefix should turn up in 21 minutes, well within the deadline, provided his CRM 114 Discriminator isn't already toast. Now that's useful.

Previous Ask Slashdot Article: Encrypted But Searc

If I understand the summary correctly, there was a previous Ask Slashdot article dealing with this idea:

"Encrypted But Searchable Online Storage?" (http://ask.slashdot.org/article.pl?sid=09/04/16/1953224)

It was of course instantly tagged as "impossible even in theory".

OK, I don't understand

[Tired+and+Emotional]

What are the operations for which this is homomorphic?

It has to be quite limited. Otherwise for example, lets suppose I have an integer (encrypted of course) and I have comparison and addition/subtraction and multiply/divide.

I can very easily find the encrypted values of both 0 (a-a for any a) and 1 (a/a)

I can now decrypt the data with repeated additions (or subtractions) of 1 and equality comparisons.

And, I don't see how you can prevent equality tests in the encrypted domain. You might have to calculate a Kernel but surely there is no way to prevent that.

So I don't see how the operations available can be as much as the usual operators on reals.

Re:OK, I don't understand

[SiliconEntity]

What are the operations for which this is homomorphic?
It has to be quite limited. Otherwise for example, lets suppose I have an integer (encrypted of course) and I have comparison and addition/subtraction and multiply/divide.

I can very easily find the encrypted values of both 0 (a-a for any a) and 1 (a/a)

The article neglected to mention that the underlying encryption system is randomized public key encryption. This means (A) you can easily discover encryptions of 0, encryptions of 1, and encryptions of anything else, because it is a public key system and you can encrypt anything you like.

It also means (B) this won't help you with decryption because every encryption of 0 looks different. So knowing some encryptions of 0 will not let you recognize whether a given encrypted value is an encryption of 0, of 1, or of anything else.

And, I don't see how you can prevent equality tests in the encrypted domain. You might have to calculate a Kernel but surely there is no way to prevent that.

You certainly can do equality tests in the encrypted domain. It's just that the result of the equality test is encrypted; for example, it is an encryption of 0 or an encryption of 1. But you have no idea which it is. Only the client who supplied the encrypted data (and more importantly, the public key encryption system) can decrypt the result of your equality test, or of any other calculations you do on encrypted data.

Re:OK, I don't understand

[NAR8789]

It doesn't prevent equality tests in a single encrypted domain. But in a single encrypted domain, two ciphertexts for the same plaintext (i.e. including an extra block for obfuscation/resolution is cheating) are the same anyways. The unnecessary worry is about equality across different encrypted domains. I should hope the kernel is trivial, else we have collisions, and this indicates a different sort of a problem with our encryption scheme.

Your decryption concern is more interesting, but it takes me out of my depth for the moment. I think there's a flaw to be found in that line of reasoning though. Perhaps someone more knowledgeable reading this thread can provide a proper explanation?

Re:OK, I don't understand

[NAR8789]

Ah, I've got a response for your decryption concern now. Your decryption fails to work in the ring of polynomials, among other things.

Re:OK, I don't understand

[NAR8789]

More specifically, your decryption fails in any ideal in which 1 alone is not a complete basis.

Re:OK, I don't understand

[SiliconEntity]

It doesn't prevent equality tests in a single encrypted domain. But in a single encrypted domain, two ciphertexts for the same plaintext (i.e. including an extra block for obfuscation/resolution is cheating) are the same anyways.

No, they are not. This is what is called randomized encryption, and in fact is the only way to make public key encryption secure. Otherwise you could do as you say, guess the plaintext for a particular ciphertext, encrypt your guess yourself (remember in public key cryptography anyone can encrypt data), and compare it with the ciphertext. Systems which allow such guessing are totally insecure!

So of course this new scheme does not allow guess-encrypt-and-compare attacks. No respectable author would propose such an encryption scheme today. Instead, modern public key encryption is always randomized. It means that there are multiple ciphertexts corresponding to the same plaintext.

In the homomorphic scheme, equality tests are possible but the result is encrypted, and only the person who provided you the encrypted data (or more precisely, the person who holds the private keys under which the data is encrypted) can decrypt the result and learn the answer.

Re:OK, I don't understand

[NAR8789]

Ah... that's even neater than I thought then.

Though, I'm aware that public key encryption doesn't produce identical ciphertexts for the same plaintext. But I thought that involved encrypting the plaintext with a randomly generated symmetric key, and then encrypting the symmetric key with an asymmetric key. I noted in my comment that that would be "cheating". The parent's concern seemed to be from a purely mathematical standpoint, and I was trying to address it from the same. In particular, we both allowed the assumption for this particular discussion that we're modeling encryption here as an ideal homomorphism.

That this scheme is both randmized and allows equality tests is ridiculously neat though. Could you explain this for me, or point me at additional resources for exploring this further?

Re:OK, I don't understand

[Simetrical]

So I don't see how the operations available can be as much as the usual operators on reals.

The idea seems to make the operations map to something like & and ^, so that you can recover all logical operators and make a virtual computer using them. & and ^ on the integers may not seem as powerful as * and + on integers/floating points/etc., but you can easily encode the latter as the former.

Is the plaintext needed post-encryption?

[rlseaman]

A lot of respondents seem to have seized on a spurious notion of what this is all about. That isn't surprising since the Slashdot article and the press release and even the abstract are rather obscure. No sign of a preprint, but the same abstract shows up for a number of colloquiums in the last couple of months. The paper is from a proceedings, so it may itself not be especially profound.

The abstract says: "We propose a fully homomorphic encryption scheme -- i.e., a scheme that allows one to evaluate circuits over encrypted data without being able to decrypt. Our solution comes in three steps. First, we provide a general result -- that, to construct an encryption scheme that permits evaluation of arbitrary circuits, it suffices to construct an encryption scheme that can evaluate (slightly augmented versions of) its own decryption circuit; we call a scheme that can evaluate its (augmented) decryption circuit bootstrappable."

The encryption and compression literature tends to use the word "scheme" where others might say algorithm or transform. "Circuits" here is a term of art (maybe arising originally from actual physical circuits, as in the Enigma machine?)

"An encryption scheme that permits evaluation of arbitrary circuits" suggests only that the possessor of the private key can generate these arbitrary queries, not that anybody and their brother can scavenge the encrypted data. It isn't stated whether such a query also requires the plaintext. It would be pretty cool if one feature were to be able to discard the plaintext post-encryption.

The gimmick appears to be that the arbitrary circuit can include the decryption itself (the bootstrap part). Note that this feature is far more cool (assuming it works) than all the nonsense about cloud computing. Somehow the data are *arbitrarily* available to properly encoded queries without ever being exposed - even to the CPU performing the operations. This processor could be on the same machine, on some remote server, in the cloud or across the galaxy. How cool is that?

Missing from summary

A few points that are missing from the summary:

* This is a new encryption algorithm, designed specifically to enable this sort of analysis. You can't do this with AES, RSA etc when they're properly implemented.

* You still can't get any information out without the secret key. The use case is like, the sender sends an encrypted message, the recipient's firewall virus scans it without seeing it, then the recipient decrypts it. But the firewall doesn't know whether any viruses were found. Or we'll all submit encrypted votes in an election, and the voting machines sum up all the votes without seeing them, then forward them to an election authority which sees only the sum.

* It's too slow for practical use. Polynomial-time, but the polynomial is large.

* It's not provably as secure as existing systems, and even if it were, lattice systems are notoriously difficult to actually build.

And yes, I am a cryptographer. And I've written a paper with Craig Gentry. And I don't recommend reading this one unless you're a cryptographer or you really like ideal lattices, because it's pretty long and ugly.

Re:No, misleading headline

[Taxman415a]

No, the Slashdot headline is, as usual, misleading. The article didn't really help explain the distinction either. This breakthrough doesn't help anybody break otherwise secure, non homomorphic cryptosystems and suddenly make them insecure. What the researcher did was be the first to create a fully homomorphic cryptosystem that allows the types of things described in the article, while still keeping certain desired information secure. This Wikipedia article gives a much better description of the issue, and you don't even really have to understand abstract algebra to understand that section.

Description is nonsense

[DragonWriter]

makes possible the deep and unlimited analysis of encrypted information -- data that has been intentionally scrambled -- without sacrificing confidentiality."

This is nonsense: unlimited analysis being possible is the same thing as confidentiality being sacrificed.

Maybe there is something significant and important here, but TFA doesn't provide a clue as to what it is.

Doh!

[itsybitsy]

I downloaded the PDF paper and it says "We omit full details due to lack of space...". Doh!!!

What use is an ACM account when white papers "omit full details"?

Well I suppose they don't have to kill me as they omitted the full details... that's something at least.

Ummm...

[Kazoo+the+Clown]

Wouldn't this sort of analysis of the encrypted data potentially provide clues of its nature that would help in the decryption of the data? Seems to me that this new analysis method weakens ALL POSSIBLE encryption techniques...

filters schmilters

[tirnacopu]

enabling filters to identify spam, even in encrypted email

I would warmly appreciate them working on the unencrypted junk first..

Old news?

Homomorphic encryption has been around for quite some time, but differing algorithms only performed certain mathematical functions. For example, Pallier homomorphic encryption will let you do addition in a fully homomorphic manner and there are others for multiplication, XOR, etc. Having done privacy research and written experiments using homomorphic schemes, the main problems with current homomorphic schemes are twofold:

1. Each algorithm is limited in the type of operations it performs, if the paper presented solves this and allows for all basic operations then there will be a way to privatize most any algorithm.

2. The algorithms are very very very slow. To be secure you must use a large key size (ie 4096 bits) making the otherwise small encrypted number quite large for mathematical operations. You must then take these large numbers and multiply, divide, bring to the power of, ect to properly perform the internal mathmatics. For example, in Pallier you multiply the two cryptotexts to add the numbers together [ p(3)*p(5)=p(3+5) ]. While inclreasing computer speed seems to eventually solve this problem, with faster computers come faster brute froce attacks so we need bigger keys... >

Clarification on the technology

[SiliconEntity]

A few misconceptions continue to circulate here; let me try to shed some light.

First, the encryption system is apparently not practical in its current form. Maybe improvements will occur some day to make it practical, maybe not. It is still a major theoretical breakthrough because fully homomorphic encryption had often been thought to be impossible in the past. It has been a long sought goal in cryptography and it is remarkable to see it finally achieved. So in practice nobody is going to be doing spam filtering, income tax returns, or anonymous google searches any time soon.

Second, several people have gotten tripped up over an apparent weakness: if you can calculate E(X-Y) you can get an encryption of 0; if you can calculate E(X/Y) you can get an encryption of 1; and from these you could get other encryptions and potentially break the system. This idea fails for two reasons: first, it is a public-key system, so you don't need to go through all this rigamarole to get encryptions of 0, 1, or anything. In public key cryptography, anyone can encrypt data under a given key, without knowing any secrets. So it is already possible to get encryptions of known values, even without the special homomorphic properties. Second, in order for public key systems to be secure, they need to have a randomization property. In randomized encryption, there are multiple ciphertext values that encrypt the same plaintext. Basically, the encryption algorithm takes both the plaintext and a random value, and produces the ciphertext. Each different possible random value causes the same plaintext to go to a different ciphertext. The decryption algorithm nevertheless can take any of these different ciphertext values and produce the same plaintext.

This may be confusing because the most well known public key encryption system, RSA is not randomized. At the time it was invented, this aspect was not well understood. Shortly afterwards it became clear how important randomization is. Other encryption systems like ElGamal do use randomization, and RSA was adapted to allow randomization via what is called a "random padding" layer, known by the technical name PKCS-1. This adds the randomness which allows RSA to be used securely.

One other point is that people are getting hung up about what "fully" homomorphic encryption covers. Exactly what operations can you do? I think the best way to think of it is to go down to the binary level. We know that in our computers, at the lowest level everything is 1's and 0's. These get combined with elementary logical operations like AND, OR, NOT, XOR, and so on. Using these primitive operations, all the complexity of modern programs can be built up.

In the case of the homomorphic encryption, it is probably best to think of the values being encrypted in binary form, as encryptions of 1's and 0's. Keep in mind the point above about randomized encryption: all the encryptions of 1 look different, as do all the encryptions of 0. You can't tell whether a given value encrypts a 1 or a 0. Given these encrypted values, you can compute AND, OR, XOR, NOT and so on with these values, and get new encrypted values as the answers. You don't know the value of the outputs, they are encrypted. Only the holder of the private key, who originally encrypted the data, could decrypt the output. But you can continue to work with these output values, do more calculations with them, and so on.

Let me give an example of how you could do an equality comparison. Suppose you have two encrypted values and want to determine if they are the same. Recall that we are working in binary, so you actually have two sequences of encrypted bits; some are encrypted 1's and some are encrypted 0's, but you can't tell which. So the first thing you compute is the XOR of corresponding bits in the two values: XOR the 1st bits of each value; XOR the 2nd bits of each value, and so on. Now if the values are equal, the results are all encryptions of 0's. If the values are different, some of the results will be encryptions of 1's. But aga

Re:Clarification on the technology

[NAR8789]

Ah, thanks for the clarification. That clears up a misconception I had about randomization and sufficiently answers my remaining question about how that might mesh with the homomorphism aspect.

Re:Clarification on the technology

[NAR8789]

Hmmm... some of the comments on structure got me thinking. What if I write two algorithms--one that fails to halt on equal data, and another that fails to halt on unequal data, then feed both your cipherdata, to compare to a guess encrypted with your public key. This feels to me like a much more credible guess-and-check attack. Admittedly, guess-and-check not such a great attack anyways, but what if I take this further, to, say, a regex pattern match?

Here's how you could disclose the information

Assume your get a encoded number XJSDASF and you don't know what it is, but you can operate with it and return a result.

You can do the operation XJSDASF - XJSDASF and get the encrypted value of zero.
You can do the operation XJSDASF / XJSDASF and get the encrypted value of one.
You can keep subtracting one to XJSDASF until you get the encrypted value of zero.

If the information is not too big (say, the amount of money in your bank account), I can find how much money do you have, and also return to you any integer value.

But I haven't read the article so I might be wrong.

Is it really arbitrary?

[mdmkolbe]

Isn't there some restriction on your "f" function? For example, it might be nice to compute a diff between two encrypted files, but the resulting size of the diff could reveal a lot of information and thus make the system insecure.

Not an "IBM Researcher"

Gentry did this work as part of his PhD at Stanford; IBM played a minor role, if any at all, in this research. The original article is copied word-for-word from this IBM press release: http://www-03.ibm.com/press/us/en/pressrelease/27840.wss

It's no surprise that IBM is trying to claim this as their work, but Craig has been giving talks on this topic for a while in academic settings; I was fortunate to be in the audience at Brown six weeks ago when he blew the audience's minds in a two-hour talk. The conference at which he officially unveiled this technique, STOC 2009, happened at the beginning of this month, so any way you slice it this IBM PR stunt is late to the game. The language in the press release is just depressing, as they transparently try to take credit for this seminal work that has very little to do with the company, and only admit at the very end that he just happened to visit IBM during one summer.

How to handle branches?

How do this handle branches?
If the algorithm to be performed have IF's in them, the computation would have to go down both paths to do the calculation securely. But is this possible with the proposed system?
If the both branches is not gone through, it will be easy to determine any input number, by comparing it to constants, and looking at the state.

A popular explanation

[UnixUnix]

A popular explanation of how it was done can be found here: http://www.mail-archive.com/cryptography@metzdowd.com/msg10571.html

Re:Fully homomorphic encryption using ideal lattic

[spiffmastercow]

how the flying fuck did this get modded off-topic? its a direct quote from TFA.

what? what?

I need to get my eyes checked or my mind.

I read that as "an IBM researcher has solved the fully homoerotic erection"

GAH!