Google Open-Sources Fully Homomorphic Encryption (FHE) Toolkit

Google has open-sourced a collection of C++ libraries for implementing Fully Homomorphic Encryption (FHE) in modern applications. From a report: Fully homomorphic encryption, or simply homomorphic encryption, is a form of data encryption that allows users/applications to perform mathematical computations on encrypted data without decrypting it first, keeping the data's privacy intact. While the concept of homomorphic encryption has been around since 1978, when it was first described at a theoretical level, and 2009, when it was first implemented in practice, it has not been broadly adopted in software due to its complexity, advanced cryptography techniques, and lack of open-source code and public documentation. However, despite this, today, FHE is a hot technology in software design.

FHE allows software vendors to work on encrypted data without sharing the encryption/decryption keys with untrustworthy systems such as client-side apps or publicly-hosted web servers, where the keys could be stolen or intercepted by malware or malicious human operators. FHE allows developers to keep data secure, encrypted, and private, all at the same time, and Google hopes that developers will use its FHE libraries as the first step into adopting this new type of encryption technology within their applications.

Re:

[Anonymous Coward]

You can run those if you want to, but it's just more processing overhead. It's generally recommended to disable that option in your copy, but I realize everyone's situation is different.

Re:not quite

[AmiMoJo]

Healthcare might be the killer app for this. Companies would love to have access to masses of healthcare data to do analysis on, but privacy is a barrier. If data could be supplied in an encrypted state, not just anonymous but actually encrypted, it might open up a lot of new opportunities for research and services.

Re:

[Mattcelt]

Healthcare is one possible application for this type of encryption.

So it is an "app", perhaps just not in the way you were expecting.

Re:not quite

[Entrope]

The complication with FHE is that if you don't know what the data is you also don't know (for sure) what the operations you perform are, nor what the results are. FHE enables a company with "protected health information" (PHI) to outsource FHE processing of that data, but it wouldn't give them PHI in the first place, and it wouldn't let the contracted data processors know what they were doing.

What you're probably looking for is generally called "privacy-preserving queries" of a database. The simplest reliable way to do that involves adding noise to many or most aggregate results, depending on how many records go into that aggregate and the population statistics of the underlying records, which is still (a) hard to get truly right in a privacy sense and (b) annoying to the database users.

And some examples

[Okian Warrior]

The complication with FHE is that if you don't know what the data is you also don't know (for sure) what the operations you perform are, nor what the results are.

And there are numerous examples of this.

AI uses big batches of data everywhere, and you can get some interesting sources of data from Kaggle and online corpora. When you examine the data, you find many individual data fields are invalid for some reason or another - data is missing, data is typo'ed, fields truncated and so on.

Suppose you want to compute average patient age using FHE: if there is a single missing data element represented by 9999 (or -1, or 0), the average will be somewhat off. If your average is then part of the cross-correlation matrix calculation, then your matrix will be somewhat off. And if the CCM is used to calculate a multivariate regression, then the results of *that* will be off. Depending on the scope of the errors, it can be impossible to detect that the end result is invalid.

If you make a mistake in a computer program, it crashes. If you make a mistake in a data mining operation, you get noise. And there's no way to distinguish noise in the data from noise in your process.

The first step in any data mining operation should be to check the validity of the data. I don't think this can be done with FHE.

Re:

[Luke has no name]

The onus of data validation would have to be on the data sources. Those teams or organizations who ingest ciphertext will need to have "integrity" trust in the data sources, rather than data source having "confidentiality" trust in the processor.

Re:

[Ed Tice]

I find it hard to fathom a situation where the processor trusts the data source but can't just have the owner of the data run the query!

Re:

[bws111]

It could BE the owner of the data running the query. Every time you decrypt the data there is a chance of exposure. Doing operations while the data is encrypted improves your own security.

Re:

[Ed Tice]

Thank you. That's a good use. Although not one mentioned in TFS. So I wish I could mod you up!

Re:

[Gallactide]

I seem to remember there's safeguards for this sort of validation isn't there? Isn't the point essentially logical circuits the state of which we can't know without some intermediate secured step? I.e. averaging a value could be expressed as a mapreduce with a basic construction such as sum+={X > min && X max} && age? It's not some minor in/decrement operations and boolean arithmetic right? Even if limited to minor basic operations it's up to developers to build larger abstractions from

Re:

[Tom]

FHE enables a company with "protected health information" (PHI) to outsource FHE processing of that data

This.

FHE is pretty much a pre-requisite to run calculations on actually sensitive(*) data in the cloud.

(*) I mean, when it's taken seriously. Lots of companies deal with sensitive data in a way that should land them in jail, but we all know that it won't happen because it's ordinary people whose data is going to be lost, and who cares about them?

Re:

[MrL0G1C]

This is too weird, how on earth do you perform mathematics on numbers when you don't know what those numbers are? I thought Par files were mad, this is total computer voodoo.

Re:

[DarkOx]

This is a gross over simplification but the idea here is that for at least certain defined operations either doing the operation or some other algorithmic transform on two cipher texts and then decrypting is the same as if you did the operation on the plain texts.

a + b = c

dec(SomeOperation(enc(a), enc(b))) = c

Re: not quite

[mcelrath]

Here's a simple example: perform the computation in the exponent over a finite field. Let's say you're doing linear regression and need to compute a*x+b. I'm going to pick a number g and give you g^x instead of x. You're going to compute g^(a*x+b) = (g^x)^a*g^b. Now you can twiddle a and b to fit a line. But you don't know the data x (because inverting g^x is computationally hard, aka the discrete logarithm problem). Note 1: this is vastly oversimplified to demonstrate the idea. Note 2: this is partially homomorphic encryption -- you can't multiply two hidden numbers in the exponent -- this is what is added by fully homomorphic encryption, which pulls in a mountain of new headaches.

Re:

[i.r.id10t]

Even with the explanations by DarkOx and mcelrath I'm still quite confused as to how encrypted data can have operations performed on it and the result can be decrypted correctly without the data being decrypted for the actual operation and the result being re-encrypted.

Admittedly I'm very weak on math... but it seems to me that the types of encryption that can be used and the types of operations that can be performed would need to be severely limited OR the encryption isn't really encryption and is more li

Re: not quite

[ceoyoyo]

It's pretty easy to demonstrate with the venerable (and super secure) rot13 algorithm, or even with one time pads.

Suppose I've got the numbers 5 and 10 and I want to send them to you to add together. I generate the pads 12838 and 83850, giving me the encrypted values 12843 and 83860, which I send to you.

You add them together, getting 96703. I can then decrypt that value by subtracting 12838 + 83850, giving 15.

As DarkOx said, that's a gross simplification, but this toy example shows the concept that, by constructing your encrypting scheme carefully you can set things up so computations done on the encrypted values correspond to computations (usually not the same ones) on the plain text ones.

Re:

[gtall]

A bit more technically. A homomorphism h from algebraic structure (A, +) to alg. struct. (B, +) must satisfy

for all x, y in A h(x + y) = h(x) + h(y) where the first + is from (A, +) and the second from (B, +)

Now think of h as being an encrypter, it has an inverse g. (I'll suppress the keys, they are parametric anyhow, think of h and g being equipped appropriately).

So I want g(h( x + y )) but you must do the addition. You get h(x) and h(x) and you return h(x) + h(y).
We know that g a

Re:

[i.r.id10t]

OK, that certainly clarifies it, though with the simple example it seems that this is fairly useless. Why off load the simple operation when you have to do the encryption/decryption and then the same basic operation to handle the results?

Is it possible to do calculations complex enough to counter balance the overhead involved?

Again, math dummy but it seems anything complex enough to make it worthwhile would fail, eg "here's an array of 100001 numbers where the index is the X and the value is the Y of a poi

Re: not quite

[Generic User Account]

The lure of homomorphic encryption is that you can hand over your encrypted data to someone else and they do something with your data and give you the result. This way they do not get to know your data and you do not get to know their algorithm. It should be blindingly obvious why a company like Google wants this.

Re:

[Ed Tice]

It's not blindingly obvious to me. If the algorithm is that valuable, Google could just buy the company!

Re:

[ceoyoyo]

Yes, that's the idea. My simple example is more to demonstrate that it's possible, rather than how it's actually done. The guys with the algebra are describing the actual operation. If you set up your encryption system appropriately you can enable more complicated operations and it's more akin to encrypting all the input with the same key, then decrypting the result with that same key (as opposed to the OTP I used). So theoretically I could give you a fairly small, encrypted input, you could do some very c

Re: not quite

[MrBoring]

As a parent poster said, I also am not so good at math. Do you loose strength of encryption with FHE data?

Re:

[ceoyoyo]

That depends on what you mean by strength of encryption. As far as I know there's no theoretical reason why an FHE encryption scheme can't protect your data from being decrypted just as well as another type of encryption. Non-homomorphic encryption does protect your data from modification though, and homomorphic of course doesn't.

If you send me the number 10 via regular symmetric or public key encryption, if somebody messes with it in transit the result will be incomprehensible to both of us. If that same n

Re:

[TechyImmigrant]

This is too weird, how on earth do you perform mathematics on numbers when you don't know what those numbers are? I thought Par files were mad, this is total computer voodoo.

Not voodoo. Just massively slow with no benefit that can be simply expressed.

Try this for an example : https://web.mit.edu/sonka89/ww... [mit.edu]

Your algorithm is a circuit of gates (no feedback - it's combinatorial). Each gate is implemented with a bunch of encryption and KDF functions (hence the massive slowdown). Your data size on the wire got a lot larger.

Re:

[Aighearach]

IBM open sourced their toolkit already, maybe there is something to it.

Re:

[CrappySnackPlane]

This is too weird, how on earth do you perform mathematics on numbers when you don't know what those numbers are?

The amount of number pairs that add to a given number is infinite - given number "10", you have 1+9, 2+8, 3+7, 4+6, 5+5, 6+4, and so on - plus negative numbers (which means even if we're limited to whole numbers, our potential set is now infinite), plus decimals on top of that.

Even zero, arguably the most simple result, has an infinite amount of number pairings - 1 + -1, 2 + -2, and so on.

Because of the transitive property of addition, it's trivial for me to come up with "encoded" number pairs, for instance

Re:

[znrt]

not really. this scheme is good for validation but not really for research. you may perform consistent operations on the data, which is a lot, but nothing more. for healthcare applications it is meaningless that e.g. the exponentiation of all the blood pressure values in a dataset is consistent with its encrypted counterpart, they would need the actual values.

this could be used to anonymize part of the dataset but probably overkill as there are far simpler methods to do that.

Re:

[Mostly a lurker]

The word sounds to me like something that modifies someone's homosexuality (i.e. some kind of gay conversion therapy).

Re:

[ClueHammer]

Homomorphic: A person that changes their gender to match their current partner to remain homosexual no matter what gender they are with.

Re:

[bill_mcgonigle]

Somebody added 'sexuality to this conversation where it didn't exist

Is it tough to walk down the milk aisle?

Re:

[fahrbot-bot]

The word sounds to me like something that modifies someone's homosexuality (i.e. some kind of gay conversion therapy).

I imagine a Red/Southern state will try to ban Homomorphic Encryption sooner or later ... :-)

Hey . .

[Joey Vegetables]

I'm homomorphophobic, you insensitive clod!

Re:

[olfdag_kerfunke]

You may be joking, but it would make sense to be homomorphoic encryption phobic. This essentially means that malware can perform fully encrypted computation on your system using your CPU time. There is no way to know what data is being processed or what type of processing is being applied. This instantly brings to mind a bittorrent-esque malware network that is entirely impossible to identify or protect against; all blended in with an uncountable number of secret processes executed on encrypted data.

Such pr

Re:

[Joey Vegetables]

OK, showing my ignorance here I guess, but how is that different from the current situation?

Re:

[olfdag_kerfunke]

That depends upon the capability of the user to disassemble or decompile machine code executed on their platforms and the complexity of the web of dynamic libraries involved. So from a practical standpoint I'll admit there is no difference - however - from the point of view of a security researcher or anyone doing any reverse engineering this is a nightmare.

Re:

[Joey Vegetables]

OK. That seems fair.

As an aside regarding reverse engineering and why it's more necessary than it used to be:

I've been doing software development for a long time. In the past, we used to write, test, and deploy our own code, using libraries only when truly appropriate and only when fully understood, since we were ultimately responsible for the result. Lately, however, with the rise of Framework Oriented Programming, we basically glue other people's code together until it sort of works, then hope that bit

It is also dead slow

[gweihir]

The main problem remaining is that this is dead slow. That makes it more something of theoretical interest, because any data transformations protected this way will need to do more than just a few simple steps to be of any value and then things will take forever.

Don't get me wrong, FHE is a great and fundamental theoretical result. But its practical applications are rather limited and usually get vastly overstated.

Re:

[Ostracus]

Yes, but I imagine the idea is to use dedicated hardware to speed things up. There will always be a penalty, just a lessor of one.

Re:

[gweihir]

Yes, but I imagine the idea is to use dedicated hardware to speed things up. There will always be a penalty, just a lessor of one.

I know that. The penalty will always be extreme here though.

Re:

[cathector]

Can someone explain this screenshot from the git repo's examples,
where the operation is a simple CapitalizeString(),
and the "Total Time" is 0.7 seconds (capitalizing just 30 characters or so!)
but the "CPU Time" is 46 seconds.

https://raw.githubusercontent.... [githubusercontent.com]

Re:

[bws111]

Explain what? Yes, it is slow, nobody is claiming otherwise. As for CPU time vs total time, they parallelized the operation over a bunch of CPUs. 64 CPUs working for .7 seconds would be about 45 seconds of CPU time.

Re:

[gweihir]

This also gives a nice example of the performance. Capitalizing 30 chars on a modern CPU should be in the area of less than 1us. This takes around 50'000'000 times longer.

Re:

[Tom]

There are some applications where you're dealing with highly sensitive data, and throwing more CPU power at the problem to do it like this is cheaper than setting up an entire dedicated system with hardening, strict auditing, secure interfaces etc.

And, you know, a few CPU generations down the line, what seems theoretical today is merely a bit expensive then.

Re:

[gweihir]

There are some applications where you're dealing with highly sensitive data, and throwing more CPU power at the problem to do it like this is cheaper than setting up an entire dedicated system with hardening, strict auditing, secure interfaces etc.

Unlikely. Because the amount of data you can realistically process is tiny.

And, you know, a few CPU generations down the line, what seems theoretical today is merely a bit expensive then.

Nope. The mathematics does not allow that. Also. CPUs have basically hit a wall performance-wise about 5-10 years ago.

Re:

[flux]

I think you don't appreciate how slow this is.

It seems the computers would need to be around 2^30 times as fast as they are now to do the string capitalization task as fast as current computers can do locally. So, assuming Moore's Law holds (this task seems to be suitable for parallelization), that's around half a century.

Code Link

[Some Guy]

A link to the actual code since the post doesn't include it: https://github.com/google/full... [github.com]

Re:Not "encrypted" if you can glean information

[ceoyoyo]

You can't get any information about the contents, unless you have the encryption keys. You can execute computations, but you have no idea what the result means, unless you have the encryption keys.

Magical technology

[WaffleMonster]

TFA should have just linked to this:
https://github.com/google/full... [github.com]

Personally I don't have a need for this and don't see much of a point of running code on systems you don't trust. Add to that security of these systems rely on the untrusted server faithfully executing a given code and value prop gets a little weird.

Nonetheless the idea and concepts are interesting themselves and transpiler makes it easier to use than I assumed it would be. Sum/calc examples in github literally just define functions that

Not how its being sold

[MooseTick]

I've had several training classes from seemingly highly competent individuals claiming Homomorphic Encryption can be used to park your data in the cloud and allow you to use their tools to search, index, etc to optimize your data yet keep the cloud provider from being able to see the data.

I've argued (and from this description, rightfully so) that if their tools can read your data, they can read your data, extract it, provide it to governments, or anything else they want.

They are trying to sell this tech to

Re:Not how its being sold

[MancunianMaskMan]

no they can't read your data, because you only give them the ciphertext of your data. You can then ask them to perform some maths, e.g.

SELECT MAX(salary) FROM employees

with your data and you get the result and decrypt it on you end.

Re:

[bws111]

It should be easy for you to prove your assertion, so do it. Otherwise, it just sounds like 'I don't understand it so it must be wrong'.

What you use it for

[FeelGood314]

I will use it when I create a database in the cloud and need to do queries on the data but don't want the cloud provider to know what the data is or what my query is. I will use it for voting tabulation where everyone can see the votes, everyone can tabulate and verify the results but no one can see how an individual votes. I'm not going to use FHE for processing your medical records or any single large record in the cloud, at least not anytime soon.

I think the first use for this will be password and other login information storage. I will keep your Credit card info, username and password in the cloud and my cloud provider won't know who's information I have stored but I can query this database for say users who's accounts will expire next month.

Re:

[Ed Tice]

Why? You don't need HME for this? Existing encryption methods work just fine. For passwords you can use one-way encryption. For the credit cards, just use asymmetric encryption where you retain the key, download the record in question, and verify it. The point of HME is to operate on large data sets not individual records.

Re:

[tlhIngan]

Why? You don't need HME for this? Existing encryption methods work just fine. For passwords you can use one-way encryption. For the credit cards, just use asymmetric encryption where you retain the key, download the record in question, and verify it. The point of HME is to operate on large data sets not individual records.

No, the point of HME is to perform computations on database records without decrypting the data.

Let's say you have a database of employees. Naturally, it's encrypted because ransomware and

Re:

[Ed Tice]

That all sounds good. And this isn't my area of expertise. And I hate to argue with the "hot, new" thing. There are clearly *some* useful HME operations but there are also operations that are not HME. i.e. I want to provide an employee self-service portal to update their mailing address. I need to pre-fill it with their address. So I need to retrieve...and decrypt it. So now I have some HME operations and some non-HME operations which means I have increased (not decreased) my attack surface. I can s

Google's is a late entry?

[gus goose]

IBM released their FHE code first https://www.ibm.com/security/s... [ibm.com]

https://developer.ibm.com/solu... [ibm.com]

Reported here on Slashdot as well
https://developers.slashdot.or... [slashdot.org]

Microsoft too

[figleaf]

https://github.com/Microsoft/S... [github.com]

Homomorphic encryption, you say?

[Miles_O'Toole]

Does that mean using it will turn me gay? Asking for a friend.

Really? Google thinks this is ok?

[scourfish]

I thought this was 2021. Get with the times.

"google opensources"

[superwiz]

That's one sure way to kill it. Quick! Name a product or technology that wasn't killed by Google open sourcing it. Yes, Kubernetes is in that category, too. Google is just god awful at pushing tech, even good tech. Golang? Dead. And it's actually a good language.