[hedora]

There are a number of strong negative theoretical results in this space, and I mostly hear about people hand waving around them, making nonsensical claims, and then building insecure systems.

For example, you can use outside information to run overly specific queries: “list the male students in woman’s studies 326 that got over a C”. Tricking me into running this, and observing the number of bytes returned will give you a nice approximation of Jim’s grade if you know he’s the only male in that class. The set of queries I can safely provide varies with the side channel information the attacker has.

Also, if you have the ability to subtract and compare (I think those are the right two operators), then you can use that to decrypt the underlying data.

There is also the best picture I have ever seen on wikipedia: https://en.m.wikipedia.org/wiki/Block_cipher_mode_of_operati... Scroll down to “electronic code book” to see why basic equality computationa break encryption guarantees.

To make things worse, the attacker can keep track of what time each encrypted block is read/written, and infer communication patterns between users, and even infer which blocks contain information on which topics. (This is similar to the concerns over governments that gather “metadata”, because gathering “data” would be illegal)

Anyway, I skimmed this article, but have spent days reading negative research results in this space that are pitched as though they are somehow practical, and I suspect I’m not the only one suffering from homomorphic encryption fatigue.

[plopilop]

I think you're confusing several things.

About your query example, (F)HE never claimed to be secure against leaked information inherent to the query. This is more the resort of privacy, which is tackled by differential privacy researchers (and as such has nothing to do with FHE). Naturally you can put differential privacy on top of FHE but we're not there yet. The biggest problem here is that crypto is not magic: in your example, NO system can truthfully answer to the question without leaking the only male's grade, crypto or not. So maybe you'll restrict the system to run the query only when there are at least two male students. But then you're still leaking info to me if I'm the second student, and so on. Wanting crypto being able to do this kind of job is equivalent to wanting cars able to go fast anywhere anytime but that should never crash into a tree at more than 5 km/h: if you can go fast anywhere, you can go fast into a tree. Sad but true.

About the ability to subtract and compare, I don't understand what you are talking about, could you explain it?

About ECB, I mean, yeah, everyone in crypto knows ECB is insecure, this is stream cypher 101 and equivalent to "ROT13 is not secure, do not use it for crypto". But this has nothing to do with FHE.

Keeping track of time is a side-channel attack. Nothing to do with FHE in particular, it's common to all crypto. Most crypto libraries are secure against timing attacks, as it is one of the most obvious side-channel attack. FHE libraries will hopefully be too, just give them time. Also I think FHE is by nature more resilient to timing attacks as it must natively implement simultaneous computation of if/else branches, for instance.

Long story short, yeah, crypto is insanely hard to implement correctly. When your problem is well-defined (first difficulty), you must find the good tools (second difficulty), with the correct security parameters (3rd), and implement them correctly: no bugs (4th) and no side-channel attacks (5th). That's the reason why the first rule of crypto is "don't write your own crypto".

[hedora]

No, it is much worse for homomorphic encryption than for conventional encryption. Homomorphic encryption systems are trying to push a computation to an untrusted server instead of just downloading the whole data set and doing the computation locally.

It is known that this doesn’t work if any one of these bullet points is true:

(a) the size of the results are correlated to facts contained in the answer and the attacker can get you to run queries (even if you don’t share the results)

(b) the computation on the server supports basic arithmetic

(c) the computation on the server supports equality tests

(d) it is computationally feasible for the server to perforn a computation over O(1) data by examining O(1) bytes.

Given those (and other, more subtle) constraints, the challenge is to design a practical HE service.

There aren’t any examples of people successfully building such a system so far.

[plopilop]

Are you sure about (b) and (c)? They seem quite wrong to me. Just looking at the abstract of [0], one can have homomorphic equality test in a semi-honest model, which already seems good enough. The abstract does not point any theoretical limit either.

(a) is a classical side-channel attack, and as I say non-homomorphic libraries already take these kinds of attacks in consideration. HE won't be an exception to that, depending on what level of privacy is needed.

I did not understand what you mean by (d), and to be honest by (b) either. If you have any papers/blogs about that I'll be glad to read them.

And yes I agree, successful FHE system is inexistent as for now. But the evidence of the bare existence of FHE is only ten years old, somewhat practical FHE is even younger. We've not even reached practical FHE yet, security issues will be tackled when they will become the blocking point. At this point of the technology you can't expect research to be immediately applicable. ZK proofs were first designed in the 80s, and as far as I know they only started to be used in practice (zk-SNARKS for instance) recently.

[0]: https://ieeexplore.ieee.org/document/7941933/