back to article IBM's homomorphic encryption accelerated to run 75 times faster

IBM has rewritten its C++ homomorphic encryption library and claims it now goes up to 75 times faster. Homomorphic encryption is a technique used to operate on encrypted data without decrypting it. This would make sensitive operations much more secure: for example, companies could encrypt their cloud-hosted databases, and work …

  1. John Smith 19 Gold badge
    Thumb Up

    It's the future given the eagerness of TLA's to spy on people.

    As business rush lemming like into putting their core systems into what are "anonymous server farms in unknown jurisdictions" this is pretty much the only way to handle the problem.

    Now, does that mean you can run a query on the DB underlying your line of business system, get the correct records back and decrypt them on site?

    1. Milton

      Re: It's the future given the eagerness of TLA's to spy on people.

      In principle this may be true but there are good reasons to think that in practice HE queries will remain many orders of magnitude slower than using plaintext. Getting HE to execute meaningful, useful queries only a million times slower than plain ones would be an improbable and amazing breakthrough.

      And since most serious businesses can afford the kit to keep data and do analysis in-house - whatever the beancounters and cloudy marketurds say - I would respectfully suggest that the only way to work on confidential data securely is not to let it off the premises.

      1. Anonymous Coward
        Anonymous Coward

        Re: It's the future given the eagerness of TLA's to spy on people.

        You entirely miss the point.

        IBM can SELL you enough compute to make up for the lack of efficiency, indeed if this is sold on the basis of MIPS (Millions of Instructions Per Second) then they are quids in twice as you can bet it will be a licenced offering...

        It has to be just fast enough to make the ensuing bill for your organisation seems reasonable against your next upgrade cycle...

        1. Ken Hagan Gold badge
          Facepalm

          Re: It's the future given the eagerness of TLA's to spy on people.

          "IBM can SELL you enough compute to make up for the lack of efficiency,"

          Really? Gosh! And here was me thinking that the million-fold speed penalty implied in the article might be a problem. Clearly if IBM are willing to sell me a million times as much compute as I could buy elsewhere with the same money then it's a no-brainer.

      2. justincormack

        Re: It's the future given the eagerness of TLA's to spy on people.

        If it was fast enough you would use this everywhere. Your own premises are not secure either.

      3. LeoP

        Re: It's the future given the eagerness of TLA's to spy on people.

        I suspect you might have missed the point of HE! Assume you want to query a HE database for a string, then what you need to do is encrypt your search string then query the (encrypted) DB with the (encrypted) search string - this takes the same time as the unencrypted version. You the need to decrypt the resulting records.

        The H in HE means, exactly that works as expected, so the performance penalty comes down to the pre-query and post-query operations. The same thing of course makes it susceptible to the good old tools of frequency analysis etc., which is why the key needs to be huge to be not easily defeated.

      4. John Smith 19 Gold badge
        Unhappy

        I would respectfully suggest..to work on confidential data securely..not.let it off the premises.

        Preaching to the choir here.

        But, watch out if some smooth talking sales type gets to your PHB and starts con-vincing them about the super low TCO, and the lowering of expensive, experienced staff, agile development blah blah. *

        *All statements using completely bogus environments and data volumes that wouldn't exist IRL.

    2. Aodhhan

      Re: It's the future given the eagerness of TLA's to spy on people.

      By itself, it doesn't keep anyone from 'spying' on you or intercepting and attacking the encryption.

      HE is about not having to decrypt the data in-transit and then re-encrypting; like when data is passed through perimeter security devices. Or when data is stored at rest, an application doesn't have to decrypt the data before processing it.

      You still have to maintain a small modulus to noise ratio (in the key-switching matrices) and manage the field for security.

      Switching to low-dimensional fields speeds up the homomorphic process at the cost of security/increased risk. Something we are all familiar with already. We can switch from TLS to SSL, but we also increase risk.

    3. Michael Wojcik Silver badge

      Re: It's the future given the eagerness of TLA's to spy on people.

      does that mean you can run a query on the DB underlying your line of business system, get the correct records back and decrypt them on site?

      Encrypted databases and encrypted database search are big research areas. The Morning Paper has done a bunch of papers on them. See for example:

      Why your encrypted database is not secure (which also has links to three other related papers)

      SoK: Cryptographically protected database search

      Note that there are encrypted DBMSes and cryptographically-protected-search DBMSes available for production use, if you can accommodate the performance hit (which is much less than that of HE), and if their security guarantees (which aren't that great, per the papers cited in those articles) are useful. They do not use homomorphic encryption.

  2. 273 Kelvin

    So, 100 trillion times slower, speeded up by 2 million times, then by 75 times, isn't that still 666k times slower?

    No wonder it's still in research!

    1. Anonymous Coward
      Pint

      No it is ready to be productized, or so say IBM salesmen who will make more commission the beefier servers they sell!

    2. Cuddles

      "So, 100 trillion times slower, speeded up by 2 million times, then by 75 times, isn't that still 666k times slower?"

      Yes, it's still a bit slower than plaintext operations. However, it probably doesn't look quite so bad once you add in the overhead of having to decrypt and then re-encrypt every time you want to carry out said plaintext operations. Throw in the added security of never having a plaintext version lying around to be potentially stolen, and it's believable that this is reaching the realms of practical use.

    3. mosw
      Coat

      "... isn't that still 666k times slower?"

      Yes but because you can process data while it remains encrypted you don't have to install those Intel patches for Meltdown/Spectre. So comes out even in the end.

    4. Michael Wojcik Silver badge

      No wonder it's still in research!

      And god forbid we research things that aren't immediately practical.

  3. Solarflare
    Coat

    Am I the only one who read that as

    "IBM's homophobic encryption" at first? Anyone? ...No? OK, mine's the nice black one on the left.

    1. msknight

      Re: Am I the only one who read that as

      Yup. Me too. I put it down to needing stronger coffee in the morning.

    2. ISYS

      #MeToo

      Am I the only one who read that as

      "IBM's homophobic encryption" at first? Anyone? ...No? OK, mine's the nice black one on the left.

      I'm glad it is not just me.

    3. Pen-y-gors

      Re: Am I the only one who read that as

      I think quite a lot of us did that - bit like the old shopfitting/shoplifting one.

      Raises an interesting idea though. How would homophobic encryption work? What would it do? Would it be the encryption system of choice for the DUP?

      1. Dave 126 Silver badge

        Re: Am I the only one who read that as

        Homophobic encryption would take your data and and output:

        0101010101010101...

        So that no 0 was paired with a 0, and no 1 was paired with a 1. As a bonus, your data is 100% uncrackable by baddies, but the downside is that it would be bloody useless to you too.

        1. Korev Silver badge
          Coat

          Re: Am I the only one who read that as

          You've raised the gay bar with that...

        2. Francis Boyle Silver badge

          Re: Am I the only one who read that as

          "Homophobic encryption would take your data and and output:

          0101010101010101..."

          Well, ISTR traditional homophobic encryption is quite happy with a few '0's getting together especially if there's a '1' on the other side.

    4. handleoclast

      Re: Am I the only one who read that as

      Strangely, I read it as "homeopathic."

      1. Korev Silver badge
        Coat

        Re: Am I the only one who read that as

        "Strangely, I read it as "homeopathic."

        I remember an edition of AbFab where Eddie's mum called them that :)

        Mine's the Gucci one, darling -->

      2. spold Silver badge

        Re: Am I the only one who read that as

        >"Strangely, I read it as "homeopathic."

        Yes dropping 1 homeopathic encrypted bit into the dataset cures all your sensitive data processing problems.

    5. katrinab Silver badge

      Re: Am I the only one who read that as

      No, I read it as homoerotic, as in photos / videos of cute lesbians, or things with men in them if that's what you prefer.

    6. Anonymous Coward
      Anonymous Coward

      Re: Am I the only one who read that as

      "IBM's homophobic encryption" at first? Anyone/

      Actually I read it as "Homoerotic".

  4. Korev Silver badge
    Boffin

    More please IBM

    This is the kind of research that used to make IBM great; please do more of it.

    And don't let your salepeople muck it up by trying to force Bluemix / Power on everyone...

  5. steelpillow Silver badge

    acceleration

    The logical outcome is a hardware accelerator.

    Let's hope the chip doesn't feature a Management Engine malware magnet.

  6. Anonymous Coward
    Anonymous Coward

    Answer is simple ?

    Just use HE where data crosses boundaries ?

    Same way you store indexes in RAM and data on disk.

  7. Anonymous Coward
    Anonymous Coward

    What sort of operations can be done?

    Because if you can change the actual encrypted data (as opposed to just trashing it) without decrypting it then doesn't that defeat the whole point of encryption?

    1. Anonymous Coward
      Anonymous Coward

      Re: What sort of operations can be done?

      No, it's having to decrypt the data before you can change it that defeats the whole point of encryption, because that means plaintext copies of it are being left around on your system.

      1. Anonymous Coward
        Anonymous Coward

        Re: What sort of operations can be done?

        "No, it's having to decrypt the data before you can change it that defeats the whole point of encryption, because that means plaintext copies of it are being left around on your system."

        Yes, I get that. But if encrypted data can be changed without requiring decryption first then how can any encrypted data be safe from tampering?

        1. mosw

          Re: What sort of operations can be done?

          "how can any encrypted data be safe from tampering?"

          I think the main purpose is to allow outside processing of data while maintaining secrecy even from whoever is doing the processing for you.

          Where needed, digital signatures/hash algorithms can be used to test for tampering. These can already be shared safely, as they do not reveal the contents of the data.

        2. Michael Wojcik Silver badge

          Re: What sort of operations can be done?

          But if encrypted data can be changed without requiring decryption first then how can any encrypted data be safe from tampering?

          Integrity protection is not normally an attribute of encryption. For one thing, it's not true of any stream cipher, by definition. Nor is it true of a block cipher in ECB mode, or of many classic pen-and-paper ciphers, and so on.

          There are AE combining modes of block ciphers which produce a stream cipher, an authentication verifier, and an integrity verifier - in fact those are now the preferred modes for TLS - but authentication and integrity are still notionally separate cryptographic products.

    2. Francis Boyle Silver badge

      I assume

      the trick is that it can only be applied to suitably structured data. So you have an array in which the content of each element is encrypted but its meaning is known. The content is one secret and is still protected. Protection against modification is protection of a different secret and will therefore require its own encryption.

  8. Anonymous Coward
    Anonymous Coward

    Curse speed-reading !

    At first glance, I read the article title as "IBM's homophobic encryption accelerated to run 75 times faster".

    Obviously the only encryption algorithm in the village.

  9. Pen-y-gors

    I'm still none the wiser

    So, I have a 500MB blob of encryption. Somewhere in there is record 12345 and I want to change column X to the value 'Trump' - how the feck does it manage to do that without decrypting the thing? Witchcraft?

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm still none the wiser

      I think (disclaimer:I'm NO crypto geek, so this is a poorly educated guess) you're missing the point.

      Homomorphic cryptosystems are used to enable mathematical operations in ciphertext which then have regular effects on ciphertext.

      So my understanding is its purpose is not to enable you to change words, but rather to enable you to send databases to India / the cloud etc. .... and enable them to "calculate stuff", "look for patterns" etc.

      There's an example of this in the financial world, Numerai (https://numer.ai/). They release "otherwise expensive data" to the the open internet, protected by homomorphic encryption. This enables every man and his dog to "have a go" in a competition to win prizes for the best "data science".

    2. Dave 126 Silver badge

      Re: I'm still none the wiser

      Might as well be witchcraft - the Wikipedia entry contains both mathematical notation and English sentences that I can't make head nor tail of:

      https://en.m.wikipedia.org/wiki/Homomorphic_encryption

      1. Anonymous Coward
        Anonymous Coward

        Re: I'm still none the wiser

        "the Wikipedia entry contains English sentences that I can't make head nor tail of"

        Isn't that pretty much standard for Wikipedia ? ;-)

        1. Dave 126 Silver badge

          Re: I'm still none the wiser

          Perhaps, but in this instance I suspect the article makes sense - but just not to me. It's talking about taking a near homomorphic encryption scheme and bodging it into a full homomorphic scheme that can the be recursively bootstrapped by some bloke called Gentry, I kid ye not. There's some Polish looking names and some funny symbols too - often signals for me to give up on any hope of comprehension.

      2. GruntyMcPugh Silver badge

        Re: I'm still none the wiser

        Thanks,... and nope, still don't get it.

        1. Bronek Kozicki

          Re: I'm still none the wiser

          At the end of that wiki page is a good example.

          Imagine you have generated a keypair (private key "a" and public "A"). Your public key "A" is a not memorable at all, but you want memorable one. Another person takes your public key "A" and generates a keypair (private "b" and public "B") such that operation "A + B" yields a "vanity" public key "C", i.e. one which is easier to remember (where "+" may not necessarily denote addition; it is just some mathematical operation). You buy from them the keypair "b" and "B" and then apply the same mathematical operation on private keys "a + b" which gives you a private key "c", matching the public key "C" (which, to remind, is a result of "A + B"). This is of course assuming that the homomorphic encryption was applied here - otherwise, this won't work.

      3. Anonymous Coward
        Anonymous Coward

        Re: I'm still none the wiser

        " the Wikipedia entry contains both mathematical notation and English sentences that I can't make head nor tail of:"

        Its articles like that that remind one that it doesn't matter how smart you think you are, there are always an awful lot of people who are a damn site smarter. Scarily smarter in some cases.

      4. mosw
        Coat

        An example of homomorphic encryption

        "the Wikipedia entry contains English sentences that I can't make head nor tail of"

        Maybe the wiki article is just an example of homomorphic encryption. You can spell check it, change the grammar but still cannot extract the meaning. You have to know the key (whatever terminology homomorphic encryption experts use) to actual understand what it means.

  10. Anonymous Coward
    Anonymous Coward

    Shoup

    Victor Shoup is also the author of a very nice maths library and a nice introductory algebra book (all available on his homepage http://www.shoup.net/ ). He is also a pretty good singer.

  11. Bronek Kozicki

    The real news is ...

    ... IBM giving access to cutting-edge research under APACHE 2.0 license. That's the one which explicitly grants (although under the condition of non-litigation) licensees access to relevant patents. Yes, that's IBM.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like