[benlivengood]

Anything worthwhile in fully homomorphic encryption yet? I keep seeing the tools get faster but security is still relatively unknown compared to modern symmetric/asymmetric ciphers. There's also several interesting papers on anonymous/garbled circuit evaluation that I'm assuming will lead to even better untrusted third-party computation services. What I'm waiting for is FHE/circuits/something that can selectively decrypt some of their own outputs.

[betterunix2]

FHE security is reasonably well understood but not as well understood as EC or RSA/DH security. For the most part today's FHE systems are all based on the (R)LWE problem and the hardness of that problem is not in doubt for the right parameter choices (though choosing the right parameters is a careful balancing act).

It is unlikely (in my opinion) that "true" FHE applications will be deployed any time soon, but "leveled" FHE applications are already being deployed for a small number of levels (e.g. 2). Beyond quartic functions the performance is probably going to be too much of a problem for most applications. Homomorphic encryption in general is commonly used as a building block in larger MPC systems and you will probably see more widespread use of leveled FHE as such a building block too.

As for selectively decrypting outputs, that sounds like functional encryption and it is still an active area of research (see also obfuscation, which was a hot topic a few years ago). I doubt you will see practical applications for a very long time.