The Beginnings of Encrypted Computing In the Cloud

eldavojohn writes "A method of computing from a 2009 paper allows the computing of data without ever decrypting it. With cloud computing on the rise, this may be the holy grail of keeping private data private in the cloud. It's called Fully Homomorphic Encryption, and if you've got the computer science/mathematics chops you can read the thesis (PDF). After reworking it and simplifying it, researchers have moved it away from being true, fully homomorphic encryption, but it is now a little closer to being ready for cloud usage. The problem is that the more operations performed on your encrypted data, the more likely it has become 'dirty' or corrupted. To combat this, Gentry developed a way to periodically clean the data by making it self-correcting. The article notes that although this isn't prepared for use in reliable systems, it is a quick jump to implementation just one year after the paper was published — earlier encryption papers would take as much as half a decade until they were implemented at all."

maybe it's just me

[ihxo]

The idea that my data is on the "cloud" and I have to pay a monthly fee (or watch some ads) to access it is really not very interesting to me.

Re:Job market time?

[symes]

While it might be ultimately impractical - there's no harm in researchers getting their work out to intelligent, informed audiences... like, errr, ummmmm... that other place

Re:um, no.

[Monkeedude1212]

Practical homomorphic encryption is a fantasy,

So what about impractical, if they can get it to work impractically, isn't it just a matter of resources playing catchup?

Is The Cloud Considered

[Anonymous Coward]

a botnet ?

Thanks in advance.

Yours In Akademgorodok,
K. Trout

Freenet is clever

[Anonymous Coward]

I am a Freenet user (posting anonymously for obvious reasons) and I use it for Freenet Messaging System (FMS) which is a web forums on top of Freenet. The key thing about Freenet is that it is an anonymous data store. Even if you are offline, someone can fetch the data that is spinning around in the network.

You use a lot of CPU in my experience to retransmit lots of requests from other users, it's not obvious to your node whether or not you actually requested a piece of data. Even better is to make a darknet with people you trust.

Re:What about just using encfs and fuse?

[lgw]

The intent is that the cloud provider, who doesn't have the password, could perform useful operations on your data. I don't see how anything good could come from this.

Re:No that wouldn't allow them to analyze your dat

[Anonymous Coward]

The whole point of cloud computing is to give corporations access to all your files and all your computing behavior so they can analyze it, sell it, broadcast it, trade it, and make it into a product for governments and corporations around the world.

Where do you get that from?

It seems as though you are thinking about the wrong layer of the 'cloud'.
 
This is about high availability, to where the hardware operators can have many servers on standby and seemlessly (via VMotion or similar technologies) change hardware without a hiccup. If a node goes down then just bring up the same resource on an alternate server.

Re:What about just using encfs and fuse?

[xZgf6xHx2uhoAj9D]

Yes, but that would be missing the boat. The whole point of cloud computing is that computations do not happen on your local computer. That's what fully homomorphic encryption offers: for a server to perform computations on encrypted data without decrypting the data.

Re:So, tests are left out in the cold?

[Dragoniz3r]

The whole idea behind this is that you'd be able to encrypt your data, upload it to your cloud provider, and use their hardware to do a bunch of work on it, without ever decrypting it. The reason why this is attractive is because you don't want your cloud provider looking at your data. If you can sort your data by plaintext, while still in ciphertext form (ie, without decrypting it on the cloud's hardware AT ALL), then what's stopping your cloud provider from doing it, too? You're leaking information about your data to your provider, and if they wanted to, they could perform a process of elimination and discover your plaintext.

Note, sorting is only ONE example of a class of algorithms that might have to be performed. Pretty much any useful algorithm would in some way leak information about the plaintext, in a way that would be visible to people who don't have your private key. That defeats the whole purpose. Might as well just upload all your data XOR encrypted.

The thing to keep in mind here is that the idea is to make it so your cloud provider has no way to read, or infer information about, your data. I'm in the camp that believes it's not possible, but even if it is possible, known methods (like this one) are neither plausible nor secure.

Re:um, no.

[debatem1]

Nitpicking, but homomorphic encryption gets used all the time- both RSA and ElGamal have a multiplicative homomorphic property, and blind signing (an application of that property) is fairly common. It's fully homomorphic cryptosystems which aren't currently used in practice, and I can assure you that interest in it is quickly moving from pure-theory labs into the more practical research communities. It would not at all surprise me to see the first real applications in the next five years, although you're right that large-scale deployment is still probably many years off.

Re:um, no.

[Anonymous Coward]

I'm glad to see that another Slashdotter actually understands what this work is about, because most of the commenters on this thread are clueless.

This work is fascinating because the author's encryption scheme is homomorphic for both multiplicative and additive operations, allowing you to compute arbitrary boolean circuits on the encrypted data!

Unfortunately, the computational complexity of their approach is too slow for this to have any practical applications (due to some astoundingly complicated "gadgets" they had to implement that prevent the encrypted data from losing its meaning after doing too many computations), but it's fascinating from a cryptographic point of view.

The computed results don't reveal the inputs!

[jonaskoelker]

If you can sort your data by plaintext, while still in ciphertext form (ie, without decrypting it on the cloud's hardware AT ALL), then what's stopping your cloud provider from doing it, too?

Nothing. The result will be a list of ciphertexts which won't reveal anything about the plaintexts.

See also the thesis, page 5 (5 on paper, 15 in pdf):

At a high-level, the essence of fully homomorphic encryption is simple: given ciphertexts that encrypt pi_1, ..., p_t fully homomorphic encryption should allow anyone (not just the key-holder) to output a ciphertext that encrypts f(pi_1, ..., p_t) for any desired function f, as long as that function can be efficiently computed. No information about pi_1, ..., p_t or
f(pi_1, ..., pi_t), or any intermediate plaintext values, should leak; the inputs, output and intermediate values are always encrypted.

So if I give you pi_1 and pi_2, you'll know that E(min(pi_1, pi_2)) = 42 and E(max(pi_1, pi_2)) = 17. What do their encryptions tell you about pi_1 and pi_2?

You're leaking information about your data to your provider, and if they wanted to, they could perform a process of elimination and discover your plaintext.

I don't think it's possible; I must admit I haven't read Gentry's thesis, but I assume he proves what he advertises---that he has a fully homomorphic encryption scheme. In that case, it is indeed possible to carry out any computation on encrypted values without revealing information about neither the plaintext nor the result of the computation.

Of course, if I'm wrong, I would very much like to see your algorithm for discovering the plaintext.

The thing to keep in mind here is that the idea is to make it so your cloud provider has no way to read, or infer information about, your data. I'm in the camp that believes it's not possible, but even if it is possible, known methods (like this one) are neither plausible nor secure.

Gentry's approach uses lattices; his approach should be secure against people whose computational resources are polynomial in the plaintext size, even (I think we think*) if they have quantum computers.

(* I haven't looked closely, so I'm randomly guessing his use of lattices is of the kind where no publicly known quantum attacks exist).

Security isn't an on/off thing. There's a stricter security property Gentry's system either satisfies or doesn't satisfy---that no one can know anything about the plain texts, even if computing on the ciphertexts "forever".

But in-use technology such as SSL, ssh, PGP/GPG doesn't live up to this standard, yet in practical security it's never the *crypto* that's broken.

To say that Gentry's work is not only wrong (not secure) but not plausible I think implies that the PhD committee at Stanford is doing a piss-poor job. Is that really what you mean?

(This is one of the reasons I'm doing my PhD in cryptography: in algorithms, or languages, or $subfield, when there's something you don't know you just know that you don't know how to do X; in cryptography, when there's stuff you don't know, it seems like magic is possible)

Re:maybe it's just me

[lbates_35476]

So I'm guessing you aren't using hosted email in any way. If you are, your email data is "in the cloud". Another excellent use of the cloud is for system backups (note I work for a company that provides secure system backups to our cloud storage). One of the few "reliable" ways of keeping up-to-date point-in-time backups of systems for disaster recovery is by using secure cloud storage. Every other method that I've investigated has serious (and often fatal) flaws to keeping a recoverable image of critical business systems. I gave up on the "take a copy of all my servers/workstations" home method a long time ago because it has become unworkable and people are inherently unreliable.