Google's fully homomorphic encryption package
"With FHE, encrypted data can travel across the Internet to a server, where it can be processed without being decrypted. Google’s transpiler will enable developers to write code for any type of basic computation such as simple string processing or math, and run it on encrypted data. The transpiler will transform that code into a version that can run on encrypted data. This then allows developers to create new programming applications that don’t need unencrypted data." See this white paper for more details on how it all works.
Posted Jun 14, 2021 17:46 UTC (Mon)
by HenrikH (subscriber, #31152)
[Link] (31 responses)
Posted Jun 14, 2021 19:02 UTC (Mon)
by calumapplepie (guest, #143655)
[Link] (29 responses)
Posted Jun 14, 2021 20:10 UTC (Mon)
by Cyberax (✭ supporter ✭, #52523)
[Link] (28 responses)
Posted Jun 15, 2021 2:39 UTC (Tue)
by jamesh (guest, #1159)
[Link] (16 responses)
Posted Jun 15, 2021 3:28 UTC (Tue)
by Cyberax (✭ supporter ✭, #52523)
[Link] (4 responses)
Before anyone says: "but fiat money!", rich people get richer with fiat money by investing it or using it to underwrite loans.
Posted Jun 15, 2021 6:41 UTC (Tue)
by cpitrat (subscriber, #116459)
[Link] (2 responses)
Posted Jun 15, 2021 8:39 UTC (Tue)
by k3ninho (subscriber, #50375)
[Link] (1 responses)
I don't know if you're aware of the 'eat the rich' movement which posits that the rich are qualitatively and quantitatively better than the non-rich and so it follows that they're nutritionally better and so, by eating the billionaires, we become part of their betterness.
I think it's not in the Jargon File because Eric Raymond once held stock that was briefly worth $40m.
K3n. :-P
Posted Jun 16, 2021 6:38 UTC (Wed)
by thoeme (subscriber, #2871)
[Link]
Posted Jun 16, 2021 8:23 UTC (Wed)
by Ranguvar (subscriber, #56734)
[Link]
The low rewards necessary under PoS largely invalidate this advantage, and PoS has many other advantages such as wasting FAR less energy.
It has less centralizing effects as manufacturing and distribution aren't a concern.
GPUs are an interesting third option but they have their own issues and side effects, and it may not be possible to keep ASICs out forever.
Posted Jun 15, 2021 19:43 UTC (Tue)
by job (guest, #670)
[Link] (3 responses)
It is probably also not a coincidence that all blockchains that migrate to the rich-get-richer model started out with "let's all agree that I have all the money and then I can sell it to you", also known as a pre-mine or initial-coin-offering.
Posted Jun 20, 2021 7:52 UTC (Sun)
by teknohog (guest, #70891)
[Link] (2 responses)
Proof of Stake was introduced by Peercoin in 2012, and it also used Proof of Work on the side for a fairer bootstrap. The PoW rewards declined quite rapidly over time to favour the more energy-efficient PoS. Some other coins such as Zano use a similar scheme.
A lot of cryptocurrencies have a bastardized version of PoS where you need a minimum deposit to earn PoS rewards. These obviously have a "rich get richer" issue, but they also have other problems such as centralizing the entire network logic into fewer select nodes.
Posted Jun 20, 2021 12:38 UTC (Sun)
by smurf (subscriber, #17840)
[Link] (1 responses)
Peercoin's algorithm is a good start but is kind of simplistic compared to Ether's admittedly more elaborate scheme. Not surprising, as we have a decade more experience WRT the [more-or-less nonexistent] ability of crypto currencies to scale up sufficiently.
Posted Jun 20, 2021 14:34 UTC (Sun)
by teknohog (guest, #70891)
[Link]
Good point, I hadn't considered that one. However, as I already mentioned in passing, staking thresholds will centralize the validation process into fewer nodes, away from the decentralized aims of original cryptocurrencies. Mining pools are a part of this problem, even for existing PoW coins.
It shouldn't be a problem for anyone if I want to help maintain the distributed nature of the network at my own expense. Perhaps in Ethereum's case, the threshold is a part of the greenwashing as they transform from PoW to PoS. However, it should be seen as a problem whenever a cryptocurrency is promoting increased centralization.
Bitcoin doesn't have any staking rewards, but its community also recognizes the importance of publicly accessible nodes for the health of the network. There used to be the Bitnodes project that would reward nodes with high uptime, but it never really materialized due to low participation numbers.
Posted Jun 16, 2021 8:16 UTC (Wed)
by Ranguvar (subscriber, #56734)
[Link] (5 responses)
"ASIC mining also means the rich get richer, and that game is even more tilted in favor of the rich. At least in PoS the minimum needed to stake is quite low and within reach of many regular people."
https://vitalik.ca/general/2020/11/06/pos2020.html
They both suffer from this, but Proof of Stake handles it better.
Posted Jun 16, 2021 9:23 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
Proof-of-stake is purely passive income, without ANY advantages of classic banking (where it's used to underwrite loans).
Posted Jun 16, 2021 12:29 UTC (Wed)
by smurf (subscriber, #17840)
[Link]
Instead ASICs (and the boxes they come in) eat a heap of mostly-nonrenewable resources and emit a heap of greenhouse gases, both building and operating these ASICs, with benefit to nobody. Is that really something we want to incentivize even further? Do we really want to "spread the wealth" (an economic concept of rather dubious real-world efficacy) by having the rich buy more useless stuff in order for them to become even richer?
We don't fix the rich-people-get-richer problem by making the rich buy stuff, to them expenses are just another tax write-off. (We all know how much income tax Bezos pays.) We fix that by closing all these stupid brain-dead tax loopholes.
If BTC aficionados want their bits to be a currency, fine, treat it like one. You're mining? you transfer %TAX to the government (or a registered charity of your choice) or you get shut down, just like anybody else is supposed to.
Posted Jun 16, 2021 9:35 UTC (Wed)
by excors (subscriber, #95769)
[Link] (2 responses)
For Ethereum's planned PoS model, apparently the minimum stake is 32 ETH (https://ethereum.org/en/developers/docs/consensus-mechani...). When the article you linked was written, that was worth about $15K. At the peak a couple of months ago, that was worth about $130K. I'm not sure that counts as "quite low and within reach of many regular people".
(If you have less than 32 ETH, you can give it to a staking pool (seemingly in exchange for some new type of tradeable token which accumulates a share of the pool's staking rewards (minus admin fee), and which can't be converted back into ETH yet but they promise that'll be supported at some point in the future). But that sounds like it kind of undermines the decentralised security that PoS is meant to provide, since the pool operators are getting a lot of power over the network for no investment of their own. And there's the usual risks of losing all your money if you choose a pool who accidentally wrote buggy smart contracts (but the code is open source and audited and there's a bug bounty program, so surely it will never have exploitable bugs!) or intentionally buggy ones that let the pool operators steal your money.)
Posted Jun 16, 2021 12:33 UTC (Wed)
by smurf (subscriber, #17840)
[Link]
Posted Jun 17, 2021 0:44 UTC (Thu)
by Ranguvar (subscriber, #56734)
[Link]
Having read the validator slashing rules, and compared to the complexity of all the other contracts which are now being massively utilized, there seems very little cause for concern.
Staking fees earned will likely be quite low due to the minimal risk.
Posted Jun 24, 2021 12:08 UTC (Thu)
by immibis (subscriber, #105511)
[Link]
PoS simply gives you more coins for having coins, straight-up.
Posted Jun 15, 2021 11:02 UTC (Tue)
by scientes (guest, #83068)
[Link] (1 responses)
Posted Jun 15, 2021 11:03 UTC (Tue)
by scientes (guest, #83068)
[Link]
Posted Jun 15, 2021 12:14 UTC (Tue)
by kleptog (subscriber, #1183)
[Link] (5 responses)
Posted Jun 15, 2021 13:27 UTC (Tue)
by anselm (subscriber, #2796)
[Link]
If you want random people to help maintain a distributed public ledger, you have to incentivise them somehow to expend the required resources (CPU cycles, storage, …). Otherwise there will be problems keeping the ledger “distributed enough” that no single entity can go back and change stuff because they're in a position to spend more resources than everyone else together.
“Cryptocurrencies” have an advantage here in that you can use the “currency” itself to pay people for mining, but even that doesn't seem to prevent de-facto centralisation (as with Bitcoin). Public blockchains used for other purposes will be facing still more of an uphill battle in that respect.
Posted Jun 15, 2021 17:10 UTC (Tue)
by Cyberax (✭ supporter ✭, #52523)
[Link] (3 responses)
And then there's also a distinct lack of need for a decentralized public ledger.
Posted Jun 15, 2021 19:35 UTC (Tue)
by job (guest, #670)
[Link] (2 responses)
Posted Jun 15, 2021 22:34 UTC (Tue)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
But yep, it's the closest practical example where blockchain can be useful.
Posted Jun 19, 2021 2:29 UTC (Sat)
by tialaramex (subscriber, #21167)
[Link]
It's just that the only allowed "changes" are logging certificates with specific characteristics, and in many cases all the interesting certificates have been logged. You can't log the same certificate again.
Historically, prior to the mandate, and to a lesser extent up until this month (at the end of May 2021 near as I can tell the last possible certificate that could have existed, trusted in the Web PKI without ever being logged, would have expired) it was possible to find certificates out in the wild which hadn't been logged and go log them. But by 2017 or so you'd need to be on the ball because Google's spiders, the ones which power the search engine, were doing the same thing.
If you have money, and thus can afford to make it worth their while, a CA can sell you (No Let's Encrypt doesn't offer this, they could but there's no obvious reason why you should want it or why it would be in their interests to offer it) a certificate which hasn't been logged, even now. The mandate from Chrome isn't a root store policy, it's just a mandate for Chrome. You can then submit that certificate to logs yourself, the CA which sold it to you likely has some suggestions for where to do that. So long as you keep your receipts (SCTs, everybody else's are burned inside their certificate, but since yours was not logged when you received it, it's too late for that) you can prove this certificate was properly logged and it will work just fine.
Google does that, for some of their systems. But they know what they're doing (or at least, they employ teams of people to know).
Posted Jun 20, 2021 7:36 UTC (Sun)
by teknohog (guest, #70891)
[Link] (2 responses)
Later cryptocurrencies have bastardized this idea by setting arbitrary thresholds for the PoS rewards. For example, with Ethereum you will need a minimum of 32 ETH to get staking rewards.
In general, it's hard to avoid the idea that the rich get richer, because the rich will always have more options for investment. However, the original PoS idea is a level playing field where anyone can start investing and staking.
Original cryptocurrencies were all about decentralization. The newer "masternode" concepts with staking thresholds are a direct attack against this ideal, since the staking nodes are what validates transactions for all users.
Posted Jun 20, 2021 7:40 UTC (Sun)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
But it IS an investment.
Proof-of-stake is literally money out of thin air.
Posted Jun 28, 2021 11:31 UTC (Mon)
by immibis (subscriber, #105511)
[Link]
Posted Jun 15, 2021 14:55 UTC (Tue)
by ballombe (subscriber, #9523)
[Link]
Posted Jun 14, 2021 21:40 UTC (Mon)
by randomguy3 (subscriber, #71063)
[Link] (4 responses)
There was a brief mention of less than 0.1 seconds per bootstrap operation, and it seems to do a bootstrap for every logic gate, so I'm guessing it's multiple seconds to even do an addition.
Posted Jun 14, 2021 22:14 UTC (Mon)
by floppus (guest, #137245)
[Link] (2 responses)
> Each binary gate takes about 13 milliseconds single-core time to evaluate, which improves [DM15] by a factor 53, and the mux gate takes about 26 CPU-ms.
and:
> the library can evaluate a net-list of binary gates homomorphically at a rate of about 76 gates per second per core, without decrypting its input.
Not sure how that jibes with "less than 0.1 seconds", though it's true that 0.013 is less than 0.1.
Posted Jun 15, 2021 2:33 UTC (Tue)
by ras (subscriber, #33059)
[Link]
[0] Clearly my 13ps number should be taken with a bag of salt. Accuracy wasn't the only consideration when choosing it. More accurate figures can be found in Table II here: https://acadpubl.eu/jsi/2018-118-18/articles/18e/3.pdf
Posted Jun 15, 2021 7:41 UTC (Tue)
by randomguy3 (subscriber, #71063)
[Link]
Posted Jun 15, 2021 10:03 UTC (Tue)
by Kamiccolo (subscriber, #95159)
[Link]
Posted Jun 15, 2021 5:12 UTC (Tue)
by Subsentient (subscriber, #142918)
[Link] (12 responses)
Jokes aside, this technology will be very useful indeed. Not sure it's quite mature enough for me to personally start using it, but I'm very glad to see it out there.
Posted Jun 15, 2021 5:33 UTC (Tue)
by brunowolff (guest, #71160)
[Link] (11 responses)
Posted Jun 15, 2021 8:29 UTC (Tue)
by smurf (subscriber, #17840)
[Link] (10 responses)
Nice proof of concept, but unless somebody gets the speed penalty down to maybe 10k or so *and* invents a way to check whether a number is zero (given floating point and no comparison op this won't divulge any secrets) this isn't useful for any real-world processing.
Posted Jun 15, 2021 15:07 UTC (Tue)
by NYKevin (subscriber, #129325)
[Link] (9 responses)
There's only four billion floats (assuming single precision). You can loop through all four billion and subtract-and-compare-to-zero.
Posted Jun 15, 2021 16:26 UTC (Tue)
by kleptog (subscriber, #1183)
[Link] (5 responses)
That doesn't help, the compare-to-zero would just return a blob that you also can't decrypt. As such, you can't really do control flow decisions that way, but as you can see with graphics cards, you can still do a lot despite that. Doing it homomorphically is the trick of course.
If you think you're going to be clever and generate a zero another way and compare the blobs, not all zeros need look alike. You have schemes where every operation adds a bit of error which can only be removed with the key.
Posted Jun 15, 2021 17:18 UTC (Tue)
by smurf (subscriber, #17840)
[Link]
Problem is, this thought experiment doesn't apply to Google's paper in the first place: they use a gate-level back-end which doesn't know zip about numbers – just single logic gates. A non-opaque test of single bits defeats the whole purpose of this exercise.
Posted Jun 16, 2021 21:43 UTC (Wed)
by njwhite (guest, #51848)
[Link] (3 responses)
Can anyone recommend some pointers to learn more about coding within these constraints, which from the "as you can see with graphics cards" comment above I assume are also more common in GPU coding? It's not something I've had to think about before, but sounds interesting.
Posted Jun 17, 2021 8:55 UTC (Thu)
by kleptog (subscriber, #1183)
[Link] (2 responses)
Suppose you have code like:
this can be rewritten as:
Now there's no branches, but you're doing twice the work. But GPUs in particular excel in parallel processing so as long as you have enough hardware it doesn't matter. What you can't do is loops with an unbounded number of iterations; a limited number you can simply unroll. Lookup tables can be converted to big if statements and flattened.
Put another way, you have to turn your program into a mathematical formula, because FHE works based on the structures of mathematical groups. If you can't turn your program into a formula, it's hard to see how you could calculate it homomorphically.
So it's like quantum computing, good for some tasks, but it won't replace general computing.
Now, crypto algorithms tend to all be made fixed time for various reasons, which makes them perfect for this kind of construction. 3D graphics is generally long pipelines of various mappings with not much in the way of loops so also works well.
Posted Jun 17, 2021 10:12 UTC (Thu)
by excors (subscriber, #95769)
[Link]
In more modern GPUs, the tricky part is that you write a GPU shader as scalar code but it gets executed as SIMD (with typically around 32 SIMD lanes), and the hardware uses a combination of dynamic flow control and masking. Like in your example "if(a == 0) r = comp1(); else r = comp2();", if the condition is true for all 32 lanes then the GPU will execute comp1() and jump over comp2(). But if the condition is only true for 31 lanes, it has to step through all the instructions of both comp1() and comp2() for all 32 lanes, with a mask register to suppress execution on individual lanes based on the condition. The divergent control flow in 1 out of 32 lanes is doubling the total number of instructions processed for all 32 lanes, so you want to be careful to avoid that if you care about performance.
That masking is not quite the same as manually writing "r = (a==0)*comp1() + (a!=0)*comp2()", because the masking will likely also suppress any memory reads performed by comp1()/comp2() in the disabled lanes. That's good for performance, though obviously not good if your goal is to avoid leaking information. On the other hand, if there are no memory reads and a high likelihood of divergent control flow, then you might get better performance by doing more arithmetic and avoiding the overhead of branches.
Posted Jun 17, 2021 17:18 UTC (Thu)
by smurf (subscriber, #17840)
[Link]
However, the library Google uses doesn't work that way. Instead, it works by basically simulating a boolean hardware circuit that carries out the operation. Computer hardware doesn't have if/then/else – it has boolean and/or/not. So you want a simple 32-bit addition? Fine, just write a loop over a 32-bit field with hardware carry and all that.
This is where the 9-orders-of-magnitude slowdown WRT "real" computer hardware comes from. That's a lot: a one-second calculation would take 30 years. Thus yes it's nice but still a research proof of concept until somebody manages to speed those bit operations up a whole lot *or* somebody manages to implement subtraction and test-for-zero.
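Added example, not part of any comment in this thread and not code from Google's transpiler or its back-end library: the branch-free rewrite and the gate-by-gate adder described in the two comments above, as a C sketch. The `ebit` type is a plaintext stand-in for a ciphertext bit, and every name here (`g_and`, `branchless`, `gates_for`, ...) as well as the 8-bit width is an assumption made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define W 8                       /* word width in bits (assumption) */
/* Stand-in for one encrypted bit. In a gate-level FHE library this would be
   a ciphertext the server cannot read; it is plaintext here only so the
   circuit can be checked. */
typedef struct { unsigned v; } ebit;
typedef struct { ebit b[W]; } eword;
static unsigned long gate_count;  /* homomorphic gates evaluated so far */

static ebit g_and(ebit a, ebit b) { gate_count++; return (ebit){ a.v & b.v }; }
static ebit g_or (ebit a, ebit b) { gate_count++; return (ebit){ a.v | b.v }; }
static ebit g_xor(ebit a, ebit b) { gate_count++; return (ebit){ a.v ^ b.v }; }
static ebit g_not(ebit a)         { gate_count++; return (ebit){ a.v ^ 1u }; }
static ebit g_mux(ebit s, ebit a, ebit b) {   /* s ? a : b, no branch */
    gate_count++; return (ebit){ (s.v & a.v) | ((s.v ^ 1u) & b.v) };
}

/* Key-holder side only: the server never calls these. */
static eword enc(uint8_t x) {
    eword w;
    for (int i = 0; i < W; i++) w.b[i].v = (x >> i) & 1u;
    return w;
}
static uint8_t dec(eword w) {
    uint8_t x = 0;
    for (int i = 0; i < W; i++) x |= (uint8_t)(w.b[i].v << i);
    return x;
}

/* Ripple-carry adder: a fixed loop over the bits, 5 gates per bit. */
static eword add(eword a, eword b) {
    eword r;
    ebit carry = { 0 };
    for (int i = 0; i < W; i++) {
        ebit t = g_xor(a.b[i], b.b[i]);
        r.b[i] = g_xor(t, carry);
        carry  = g_or(g_and(a.b[i], b.b[i]), g_and(t, carry));
    }
    return r;
}

/* (a == 0) as a circuit: the answer is itself an encrypted bit. */
static ebit is_zero(eword a) {
    ebit any = a.b[0];
    for (int i = 1; i < W; i++) any = g_or(any, a.b[i]);
    return g_not(any);
}

/* r = (a==0)*comp1 + (a!=0)*comp2, with comp1 = x+y and comp2 = x+x.
   Both arms are always evaluated; the mux picks one per bit. */
static eword branchless(eword a, eword x, eword y) {
    eword c1 = add(x, y), c2 = add(x, x), r;
    ebit z = is_zero(a);
    for (int i = 0; i < W; i++) r.b[i] = g_mux(z, c1.b[i], c2.b[i]);
    return r;
}

uint8_t run(uint8_t a, uint8_t x, uint8_t y) {
    return dec(branchless(enc(a), enc(x), enc(y)));
}
unsigned long gates_for(uint8_t a, uint8_t x, uint8_t y) {
    gate_count = 0; run(a, x, y); return gate_count;
}
int main(void) {
    printf("r=%u gates=%lu\n", (unsigned)run(0, 3, 4), gates_for(0, 3, 4));
    return 0;
}
```

The gate count is the same whichever arm is selected, so the amount of work the server does reveals nothing about `a`.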
Posted Jun 15, 2021 17:05 UTC (Tue)
by smurf (subscriber, #17840)
[Link] (2 responses)
Posted Jun 15, 2021 18:32 UTC (Tue)
by NYKevin (subscriber, #129325)
[Link] (1 responses)
(That's not to mention the fact that you may be able to guess some of the exponent bits, if you know what the float represents and approximately how big it should be. So you can probably knock off a good 5 or 6 bits right there.)
Posted Jun 15, 2021 19:01 UTC (Tue)
by smurf (subscriber, #17840)
[Link]
The question is moot anyway, as I don't see that change any time soon given that the state of the art appears to be a bitwise simulation of actual hardware, just with encrypted bits. Any algorithm which could decide whether all of 64 bits of something is zero would be able to discover the state of a single bit, hence render the whole encrypted processing scheme useless.
Posted Jun 17, 2021 18:26 UTC (Thu)
by t-v (guest, #112111)
[Link]
No but I fondly remember the "Eat The Rich" movie :-) RIP Ian "Lemmy" Kilmister
"Proof of stake is more like a "closed system", leading to higher wealth concentration over the long term"
CT
A deposit at the bank is an investment, that is used to underwrite loans. The risk is very small, so the gains are also small.
Turns out I'm just bi.
I wonder how quantum-resistant it is.
What it does allow is for someone with data they want to keep secret and someone with algorithms they want to keep secret to securely allow the side with the data to process that data using the other side's algorithms. I think society would, on the whole, benefit more by having people share the algorithms, but in some cases this approach might lead to research that otherwise wouldn't be funded.
I don't have any good references, but the basic idea is straightforward.

    if(a == 0)
        r = comp1()
    else
        r = comp2()

    r = (a==0)*comp1() + (a!=0)*comp2()