[ajb]

One limitation of Homomorphic encryption, as far as I can see, is that there is no way for the encrypted program to choose to communicate some data in the clear.

Which means it can't be used to allow an untrusted party to run your encrypted server, and have the server communicate with parties that it doesn't trust. Which is what most servers do. Unless I'm mistaken, or there has been an advance?

[baby]

There is no encrypted program, there is encrypted data. You can operate on this data, and it will reflect on the plaintext after decryption. I think what you're thinking about is functional encryption?

[taejo]

The distinction between program and data is not a sharp one, since f(x) = apply(<f, x>) = eval_x(f) (where eval_x takes the description of some program f and runs it on the constant input x). You can use this equivalence to compute f(x) where f is in plaintext and x is encrypted (ordinary HE), f and x are both encrypted (but apply is plaintext), or f is encrypted but x is not (so we can derive eval_x). In every case, however, the output is encrypted.

In general, this is only of theoretical interest, since the interpreter apply and the specialized interpreter eval_x are large, complicated programs.

[ajb]

I'm not thinking of functional encryption. I thought I'd read somewhere a plan to use homomorphic encryption with an encrypted program by simply applying an interpreter to it.

[deutronium]

You're not thinking of Indistinguishability Obfuscation per chance?

https://blog.cryptographyengineering.com/2014/02/21/cryptogr... seems an interesting article.

[ajb]

That might be it - Thanks.

[yazr]

Could you spare a minute to comment of the current state of functional encryption?

Is it practical on an intel cpu ?

[Ar-Curunir]

If you want fully general functional FE, then no; constructions are based on something called "indistinguishability obfuscation", a crypto primitive that a) we're not sure exists b) has conjectured constructions that are ultra ultra ultra slow.

[asrp]

Can you tell us what do you mean by "encrypted program"?

Do you mean that if all operations of a universal Turing machine were homomorphic then you can encryt the code with a hard-coded input and get an encrypted output?

Can you also elaborate on your server example? I don't understand what you are trying to do. (Whats an "encrypted server"?

[ajb]

Pretty much. Like mmastrac's comment (currently top). I hadn't realised people had got so far.

What you'd like to be able to do, is something like encrypt the code of a tor node in such a way that it could be run by an untrusted hosting provider, without breaking the security of tor.

[matthewdgreen]

FHE does in principle allow you to do this, but it has the limitation that the outputs of the "Tor node" will themselves be encrypted. That's ok if you have the decryption key and are the one interacting with the Tor node. It's not ok if you want the Tor node to output useful data like network packet headers that anyone can parse.

There is another field called cryptographic program obfuscation that tries to avoid this problem, and actually create "encrypted" programs that can output useful unencrypted outputs that anyone can use. There are a lot of restrictions on that type of program. Here's another long (and very high level) blog post on that: https://blog.cryptographyengineering.com/2014/02/21/cryptogr...