Hashing It Out
Hashing It Out

Episode 26 · 3 years ago

Hashing It Out #26: NuFHE - Michael Egorov and John "Tux" Pacific

ABOUT THIS EPISODE

Great Caesar's Ghost! NuCypher has demo'd a practical fully-homomorphic encryption (FHE) scheme that leverages an Ethereum smart contract for a proof mechanism. We get to go over FHE: what it is, how it works, how it commits to the blockchain, scaling issues, and the future of encrypted computation. This will enable new privacy mechanisms on layer 2 solutions which interface with the blockchain cheaply and efficiently. Very big stuff for anyone trying to use blockchain as a resolution mechanism but wants to hide their business rules in the process!

Links https://blog.nucypher.com/releasing-nufhe-library-b5f9345dc1fbhttps://github.com/nucypher/nufhe

Now injry kindcasmetwork welcome to hashing it out APOGASP, forwe talk to the tech, innovators behind blocked in intrastructure anddecentralized networks. We dive into the weeds to get at Wy and how peoplebuild this technology, the problems they face along the way, i'me listeningand learn from the best in the business. You can join their rinks all right, big news today. I rememberthat news, but e fun, Potcass, Esode, twenty six of hashing it out im, dctor,Corrypatty, Micohost, Collin, say hello, Callim, hello, Colin mysr c. What I canget you to say with that that leaden from here on out just to change it up mtoday, avtosow T at Consistso. She is king man, no, never hs episode. We have two Cyproteam on totalk about M A PC wellthey've been working on it for quite a while, butthey did a demo of a fully home, Morpor concription library, birten python at sBerlin a couple of weeks ago, and I liked it and it like what I saw. Iwanted to get them on the show to try and talk about what exactly it is whereit's currently at and what like the implications, may be Um, so tuck bikenice to have you on the show. Why don't you give or aunience o quickintroduction as to who you are what new Cypher is, and we can start talkingabout the weeds after that, sir, so I'm Tux, I am a chrotographyengineer, an Ecycher. I work on our proxy encryption. Nowwer can also avebeen doing some research in Fiy, homomorphic, encryptionalaly and Michael the cito of new cipher, and I guess I probably need to cover alittle bit about what new Ciceryis, what we are doing so m. Our firstproduct is proxyr encryption network, which isproverb which is like you can say that it's somethingwhich allows to manage permissions for Infretsof Dati, um in se decentralized networks, but doesn't have to be desentualized networks. So Iimagine that all of the data is encrypted and you can um you can define who can read yourdata and who not without trusting any central Servitto to that and to achievethat. We use proxyreencryption o something which allows to transformpsychatects from being ICRIPAT under one key to be incripted under otherk. But while we've been doing that, we'vebeen asked many many times whether we can not just share cincrepted data, butwhether we can compute of Incrypo data, whether we can do something like private privacy preserve ing smartcontracts Um, and we thought whether we can do it there auremultiple approaches, how one would be able to achieve it. Um like, for example, once witalic pointed out that Baltiparsacomputation can be used for privacy, preservand, pars contracts, um or youcould use secure anclaves, which is kind of apopular approach right now, ecause because of being practical performancewise. But there is another thing which is calledFll tecamomorthic encryption, which I think can be used for this kind ofstuff, Um, so Um, and what full of homomophic. So we actuallytr decid to try this pash Um and what for the CONOF Mrtet cencryption is it's the Specifi sorts of encryptionwhich allows to do arbitrary, computations over increted data? So youcan ran your program, wit encrypta data as an input. You have incrypted dat asan output and whoever executes the program doesn't know what the plan taxdata is ever Um and Um, and you you can have this programdefined in one or two ways it could be. It would be a logic circuit. So thenyou can pretty much inploment anything or you can make it a little bit morepractical for for some subset of opplications more like for dataanalytics where you can um run it so that it can do...

...what's the iditions and multiplicationshomomorphically in principle. You can convert glogic circuits to into thisway of operation, but that it will be a little slower, so Um bicologic circuits,I'm Lon INRUSSEL. So that's why wee we've tried fo helarkeincucture ofthose and, as I said, the hope is to to be able to do. Privacy preserveing martcontracts using ful e HEMOMORCHEC encryptions. So for the general audience can I can Itry and explain F t like the way I understand it is that you have thisprogram all right this, this piece of coat and this codeoperates on encrypted DAA. I know you said this, but I just want to reiterateit eoprats on encryptid data and does general purpose compute on this dataand will give a encrypted output. And at no point does this program know whatthat encrypted data originally was and- and it doesn't know what the meaningbehind the encrypted output is, and so you can, as a person go. I amencrypting. My data for home pully, homomorphic, encryption, cryptic IFP,send that packet or SOM that package to the the D centralized, let's Yus, say:setralize the unknown compute system, th the untrusted compute system, and itwill do the compute for you on your behalf and then send you a result backwhich then you cannot only decrypt but also verify is corre is is followed therules of the original encryption correct or the original system yeah.Well, that is correct H. it's doesn't necessarily include the verify partsbut, as probably we know with any deterministic computation, you can dothe very fie parts on in kind of in a indifferent way.Let's say if you wok at trobit what what it is intended to do. It's itprovides incentives to to do computations while ensuring correctnessof these computations, provided that they are the terminister and Fomo encryption Qite Fasen to that, soyou can. You can implement the verify part tolffully independently of the of the F, although there are someCryptographica ways to do verification, also welcould. You also send anexpected result over and if you get that expected result back and P as partof your results, a t, then you know that it's been done properly because itwon't be garbled or wrong or anything like that, like just a pass througheven M, would those kind of things work to verify yeah? Well, I guess you can even Um Mthere is just one certain way whichyou need to run the the this honomorphic circuit in. So ifthere is any other note which runs this exact circuit, it should arive withexactly the same sycatext. So you don't even have todownload this result M decrypted to verify in principle. You can have thisverified totally independently by the network itself, just because, if yourepeat this same computation or winker to data, you should get the same. SyteAttak, whether this syphatax is correct or not, of course, depends onhow. Well you assemble the circuit. Maybe your homawortic program has a bag,and but this is then this is up to you as a developer andthe computr like whoever computes that Um it can has no adbelity to know whetherwhether you did have a bug in it or not, they just executed. They got the resulthere as the results. So I'd like to try and Franiss a littlebit first off. I want to say if you are interested in the proxy Reinchrustianaspect of what Newssover does we've had Tuxon previously on episode eleven ofPashing. It out check that out. That'll tell you all about that part of thecompany Um and to frame the context of Um fuly little warfor concription as itapplies to decentral lise networks, which is basically what we focusd on inhis in this potcast Um Tha Thet Gus. The standard kind of analogy peoplewould use here is um like looking at sea cash and that is defining a a setof rules. groaming up primitives that allow you to then Um sin transactionsand the nodes that verify these transactions don't understand. All ofthe UM variables associated with transaction,such as who is going to where it's going and how much but they're doing itproperly, and you can be you can you can be guaranteed that they're doingthat TAT valunation properly without them, knowing what they're doing, andso, if you EXTRAC like that to private smart contracts, a big Bane, R ordownfall or problem that a lot of...

...people see with public blockchains isthat all of the information stored in the smart contracts are open in PublicDosa. So imagine if you will adding privacy to something like that, you canhave the dejoyse trust. That's associated with public block chains andthe privacy associated with not public boching, so that nodes can validate anddo proper computation on deployed smart contracts, but you could never see thedata insighe of them that's kind of the goal here. If I'm, if I'm not mistaken,can you can you talk t that that's pretty much the the the concept of another point that I'd like to point on, as well as thatUm on a lot of people have problems withputting encrypted Aon Bloch on Public Lathions, because the dat will sitthere for a very long time, and essentially it's always going to bethere right. It's nonvaluable, it's going to be there for the years to come.Who knows how Long Certain Block thins are going to go? But the point is: is that eventually,at some point, maybe some of this encryptidat will also get within rangeof practical attacks such as like quant computing right, and so whathappens is if that like, for example, everything on bickoin right now, you ct s a and things like that may become vulnerable in the future and we'll haveto harm for it to to do those things with fully homoworphic encryption, theOlerthanweuse there are actually also pust quantum. So if, if things are puton the watch- and they are also quatsrom resistent now, so it's one ofthe cool components of it, so just by happen stance, it happens to be alittle more future proof in terms of being able to be hecked later on downthe line yeah just a bit more fiture proof cryptographically, who knows whatthe future holds in terms of cryptinolsis M, but so far theassumptions that F he makes. If you want to look into this, it's called thalearning with arrs a hard problem. If you want th, it turns out that thisis a really strong assumption, an it's actually very difficult n to quantumand classic seden. Can you repeat that not alearning withnerrors yeah learning with airs so yeah th,there's several variancs of it, but the assumption it is that it's withoutgetting very, very indepth on it. It's essecially, if you have somevactor, plus some noise or some air, as it's called it's very hard to invert,that and figure U and learn the secret from it from some factor so yeah, and so this just assumption thathas been very strong and strongly held. NBR ND proven time and time again now,and so it's looking very good for the future. For this okay, I think a G, agood. I guess next step here would be to talk about. Why has this not donebeen done before whyisest, difficult and Um? What have you done? That makes youbelieve that you can you're pushing it in the right direction, yeah to to tokind o Ha Tiger on wotthat a little. We do use some form of homomorphicencryption right now. Cord mentioned Z, cash rearlier. So what differentiatesthis from those other things right m. So the bank component OFZ cash, is alsoINXICA sarks. It like and zeanoldged proofs, and the cool thing is fullyhomomorthic encryption. Is that fully homomorchic encryption mplies that asthe Aknowledge pres exist, but Zeools cruts don't imply that fullyhelemorphic encryption exists Um, so we can actually start constructingprimitives and things like zero knoledge groups in the Holomorphexcelling to build things like that. But if you're asking wythus has notbeen done before it's because previously, there are several large,fairly large problems getting in the way of actual utility of these H, uhholemorphic schemes like CIPROTEX size and performance speed, as well as one thingthat new Cypher has done, is that we have demonstrated that it is a very strong that there is a very strongability to improve the performance of this using gpus and Asex as well. So that's one thing: We've done withNWFG was construct a very optumized variants of another library called Tfag,and it has shown that it is very performant in this Oman and we'vegotten it to around six to seven thousand opera logicaloperations per second depending on the graphics card, and it shows that we can actually make avery performant usable scheme in terms of smart contracts. 'cause. You may notmeat anything much faster for that Um. Another problem at that would becyprotexsized because the CYPROTEX actually expends greatly so to encryptone bit you're talking around like a...

...sixteen thousand. Sixteen thousand x expansions, so onebit equals around two kill lights, and so that's the next fron pot that youneed to to go down on their schemes that actually enabled that as well andand also keep the performance. So that would be like the next step is inresearches to shrink the syprotex ize, get a better performance. Mergene still,research on actually get these primitives out there and build morecrimitives, but it was actually an interesting story how um how we discover that it's actually possible toaccelerate this thi scheme, um the library qalt fch. It appear in, I think,twent y fifteen, or something Um and Um Um, while just which, as beingcurious, I looked at that and it seemed like the main bottle. NACK over. Therewas fast for a transform and it was all happening on a CPU UM.But then I remember that actually I wasdoing a PhD in physics. I was doing experimental physics and a friend ofmine was doing theoretical physics M theritical physics is not just doingformulas, it's actually doing computations on s trying to stimulate physics. Soanyway, I was doing doing working on quantum gases. Bosan sancondensates anda friend of Mine Bagdon worked on simulating those so Um, andactually he managed to accelerate both simulations by factor oer hundreds because, like he, he actually t triedto paralize that on a GPU, the main bottle Nack over there was fast fr otransform. So I remember that and sounds like the bottomeck is verysimilar here. So I talk to I talkd to him like pretty much this year and he said. Yeah sounds likeit's possible to Accelerae, so we reqired him and in a couple of monthshe accelerated the Tky Library. It provedout to be also like factor of a hundred acceleration. Itwas a little bit Um Um. It was a little bit more complexthan just accelerating ASPA Transform, because if you, if you ju just that youwell t takes time to transfor data to the GPU and back Um and you you willnot gain any performance. If you do that, all the time so Gein to keepeverything on GPU, so you need to reimplement the whole Algoris ont y toyou ut, when you do that, it's apparently pretty fast, so turned outto be exactly the same acceleration as far as I remember, like ff t, wasacchelerated on Byan videa itself, but just the library which a friend ofminro was a little faster and he exploited some some properties of the data which hasworked on in this encryptionalgorithm. So you don't haveto to do certain things in FFT, so it's not like standard F, fifty and thenit's even faster than than it's. Actually it actually is when it'scendered, but I can certainly imagine you can probably do some hardware toaccelerate from amorphic encryption, but what I think it's probably itprobably makes sense to to take. What is there m using GPS, implementsomething practical and very, very useful, like privacy, preserving smartcontracts, and then they woild be economic incentives for people toCreate Fast Implementations of Um of chomomorphic encryption, whetherin software or in hardware, and then we probably will have kind of m akind of economic competition of like whoever makes it faster will earn moremoney by mining and, at the same time makingtheir a platform foster. So it wouldn't be like useless po proof of work. Itwould be probably some useful computations which are incentilized tobe accelerated. Wel, so explain to me a little more about this fft problem M.I actually want to know more about how this this actual encryption works. Howhow it from a more basic standpoint, I want to know littlemore of the technicals of that Nd. Can you kind of describe to me what m whatwhat a lot of this looks like, and why...

...why this is a revolutionary and maybeeven provide somemonologies on what the real revolution is that that thathappens? Well, was it two thousand and fourteen, or something when the first,a a james created the first ea she was created in thousand and nine by CraigGentry and yeah it was. It was a veryinteresting, interesting way how he? U managed to do it. I think Jon correctme. If I'm wrong, but Um, I think there was homomorphic POTAMORPHEC encription,which could do like finite number of operations, but then yeah. So the thing is: is that e CRginjury didn't create the first O ex ceeme he heis the one who made apractical on is tesas. If, if you read his thesis, he talks about how we cantake a somewhat, it's called somewhat homomorthic encription meeting that Iallows a both addition and multiplication right. So we have likeeverybody's familiar with like pae the PAIE CRYTI system, which allows I lakeadative Oeortic comcription right, so you can only adve stuff um with CR gentry. He created this conceptWif boot strapping, which allows you to take a scheme. That is also that allowsadditive and must plicative, and he figured out a way to have. I doarbatrary number of computations before this. We have schemes. Tha an't, allowa certain number of operations, but et they kind of t y. They weren't thatgreat. They were very bad horrible performance, Um th, again limited inthe number of operations you can do, which obviously chmits the number thetype of allorms you can do as well so craiggentry created was this thingcalled bood strapping, which allows you to just essentially encrypt your yourprivate key or your secret key for this homomorphic scheme under the same key.This follows something called the circular security assumption that youcan look more into there and what it does is that then decrypsthe data in thehomomorphic Domaine and then reincrips it again with the key sothat it refreshes this this tex. So the problem with schemes up to the state,where that, as you would add, more data to it, it would alreas do more competitionsTho. It would add noise to the PSYCHROTEX meeting at some point. Thelike you just can't do any more computations to it. It's it's like toomuch single, too much noise to signal right and so hedid. He called thisthing called refreshing, the ciprotext, a d that just allows you to drop thatnoise ceiling below or to drop the noise below the Sea of the thresholdagain, so you can perform mar more computations and so where we are atright now and researches that is boot. Strapping componint of it is beginingto take the majority of the UH, the majority of the of the computation,an the performance. So there's a lot of room for it to befixed there, but yeah. There are schemes like level Holomorphic cencription where youcan like define. You know, rotate the knobs of it and the variables and andmake it say you can perform arbitrary number of convertations up toa certain point and that you can have no more. So the idea is that maybe youcould construct a leveled scheme that only allows the number of operationsyou need to perform this one algorithm and you can do it like a CCA, securemanner rather than a CPA securaer, but I guess for for privacy,preservtants mast contracts, it's actually pretty important to to be able to do unlimited number ofcomputations because you maybe you have output, but not necessarily. You wantthe original Eritional user to Decrib theself. Maybe you want to H, executesome more and more methods using that as an input end level. COMOMORTHICencryption probably wouldn't really work with that. So you need to do bootstraking at somepoint and Um. That's I guess that's. Why were soexcited about this this scheme, because it does do goodstriping and can do like arbitrary, complex programs, so, okay, so you're able to do thesearbitrary, complex programs? What are your current, like requirements toactually execute this meaning? Like I didn't see your Sperlyn talk so stepme through what what that was like wh, what you can do with with thecentralis networks using this and what are the room? What kind ofimprovements on Romasce? U C coming forward in this, so n Weve won m theEPERLAND Hakazon by building it was called sputnick SPOIC. It was just likea proof of concept, kind of Demo and Demonstrat that you know there is alanguage that you can write. There is a parser that can pass that language andthen thereis a virtual machine that can...

...execute homomorphic instructions, soit's very, very primitive and kind of hacky still, but essentially what it allowed us todo. Wass just define a a program state, an operations on thatstate, so you can do logic, operations like exor and not etcetera, Um and every time the program an execute. Itwould output this state in a mircle tree. So the conthe idea at the timewas that you could use this mirkle tree to kind of as like a verifiedcomputation kind of thing where it's like, Oh letme, take ou, wouldn't beable to prove that some logic was done, of course, because you can't noldrequire likeolege groups and stuff to prove that logic was performed. Butwhat we can do is prove the flow of logic. So, if you have given, if youwere given a Cyprotext, you would be able to prove that a the output of thatsycretext was on was alwas performed on chain, for example, where you UN lookit up on the Blok, Tane Hash, your sychrotext and use it, and just likesee like Oh, where, where when was this o somebody gives you like some ALCOM aday that you want to know that a computation was done on it. So you canlook it up in the Botchin and see it um further more with dis, dcentralized, computations, ND andnowworks like that Um the solutions probably lie in verifiable computation,and things like that. I actually did quite fully understandthat so you're saying S, you have a system of Vm that does the fullyhomamorphic computation, correck right H, and thatwas separate from the evm. I take it. Oh Yeah Sp. It was just a pythonprogram that was powered by NWF okayand. Then you committed mercal mirgle trees,basically to the block chain, which t rvided proof that the execution wasdone. Um, how do you retrieve your results from that and like decrypted,so you'd have a client which does the encryption of your your data, you'dOnboad, that Deta? Somehow I don't know W if that mechanism quite is basicallywhat you can't think of it as you store all their intrerted states off chainripe, some of Juses, some oftan storage and you bag every step in thecomputation to the blockching E. I feel like I feel like this is likemaybe summed up is like a fully homomorthic audin ability. Yeah, it'spretty much. It's computation onability you can. So all we did was just commit.The MERKE reast wo the e chain, and then we can pick any sitotexapoint othe La work is and way I iotion it was like y. You look at it as like a myrkletree ou a to perform an xor. You need two side protexts to perform an Exoron,a n Pudan I woud be, and then you exo. What, essentially, is it just createsanother SICOTEX which is right upon it right, so you can do that, and so, ifwe put this in the form of Amircl tree and ash everything together up that upthat way, then and then mergle root and everything wouldessentially be some where similars like the outwor of the actual program se. Sothe idea is that you could take your cycrotext that you want to know if thiswas actually used in the computation you can like. I said this doesn't provehow it was used and pebue. It proves that it was use, though, so you can take the CYCROTEX Pash itand then say: okay, I'm justerate a mercal proof for me. That says thatthis s actually is, I wa say it was. It was probably the first styp to toimplementing this kind of Um trivs, preserving blorchain as a sidechain to therium, and let's say if, if something went wrong, if somecomputation was done incorrectly, then in this local tree proving proving theresults of the computation, you would have some some disagreement, so youprobably could have the atwork of notes recalculating all their dependencies ofthe broken part, while leaving everything which was computerdcorrectly still in place, for example, that that's what this mirkle tree could bewit. Ces Lie being able to generate front proofs for various things, yeahright right. So, but it's not like fully not fully working fullco market site chain or whatever isjust a profof concept. Um. Another important thing is that it was. It isusing the state. So it's like a state based Um Platform Pino, and this is animportant distinction from from Zikash sozicash Um since t it actually usesduring osh proofs m. It has has to have...

...you take so kind of model fortransactions, so you have h all the Yo gas blockchain. You have m some. Youknow coin transfers between users on the network and if well, basically nobody can readcointranspers of other people. So if you observe this blockchain and younever transacted on Zcash, you just see some encrypted h garbage, although you can verifycorrectly o that. But if you ever transacted on Zcash,you need to pass through all the block chain and say: okay, so thistransaction and that transactially were my transactions. So I can look at thoseand figure out how much money I have right. So that's kind of what the cash allowsyou to do, but you have to have all the block chain downloadd and in Syrium orlike smart contract platforms like that you actually have to have states. Soyou have every user having his State. Oh well,you have global state actually m and the state shows like what is thecurrent situation on the Blockchin, so you don't have to pass through all thehistory Um and with full homomorthic incryption. Youalso have state, although it would be kind of state for user, but at stillstate so user doesn't have to pass through whatever happened, the user. Just can see what what the user actually has right now,I'd like to try and rephrase a bit of what you just said an the way. Iunderstand it to see if I'm I'm getting it correctly and that's t's, it'sfocusing on the difference, es Wezcash and what Youve N, what you're workingon now and an and Zcash is done. The way it isis b, especially with utx o model is because the way you do that type ofhomomorphic cencription is completely different, and so, in order to it's yeah, it's oing, all its proof,yea. I just WNA. I want to like frame this in like in a way that people canunderstand like the differences here and the way thatthey've done it the way they they implemented. It is done by Um. You have to basically constrict therule set down to a for efficiency purposes. A small numberof possible rules in order to generate D, do the trustand set up and generate all the primitives necessary to then constructproofs Um and the way that you're doing you'reimplementing whoor an ecryption is a much more general approach that doesn'trequire to define a very small rule set in the beginning. Is that necessarily white? I feel like thatfeel like they've been zcash uses, parcal homomorichic, ecryptionmultiplicative, specifically in the zic proof, so yes I'll just Goa. I think that's that iscorrect. Right, H, myctuck iw'LD, like you, guys to expend a bitmore on w exactly that you're trying to get at that rule set. I think sothatyou C in order to like verify. Something is done right like the wayI've always defined. I guess ZRNOC pursof. Somebody is that you define a rule set it's very Li,it's very axiomatic and in order yo in or for you to verify that something isdone properly in a whome work. Accet you have to then encode all of thoserules using fun math to correactpirmites that you en use tothen verify stuff than Lik Sai. Yeah it followed all of those rules and and themore rules you in introduce into the system the more difficult it is t tocreate those permitives, Ari it yeah and UH. I guess I'm guessing what you're tryingto say and in Fullcmorthic encription you can this rule you can have theserules running totally and like Oternaly Com, iself yea are beforethe complex and then you, if you want to you, may Prov you can provesomething about the result. You've got, but not necessarily about the wholeprocess. Yeah Yeah, pretty much Ye. You can buildlike a this real set like you're talking about it. We are defining ourlogic operations on literally just encryptin data. So the way you can dothis is you can build protocols. It's it's very low level, like you said soyou can. You can build protocols that allow for certain things to be done,like Zeoknowledge, proofs and and other form. So, for example, the case like Zcash, if you ned te billike just, is se proof of like some some amount of money.There is probably there's an Oge like a logical compar that you can build to belike. Is it greater than this amount right and so yep? I'm trying to I mtrying to l expand on why this is so...

...much more fundamentally generic thensomething like o. He w the way decash of Litan Arge groops. I I still thinkof it myself as the difference btween partal and fully homomophacecryption.When you can make that distinction- and I I I call it Partiali- I'm not sure-is that the official term for it yeah but um you can do homomorphic encription on asubset of operations, so Zyezeki tarks uses Um multiplicative operation is is fully ishomomorphically incretable. So that's how it does it's your knowledge proof.It only focuses on the idea that you can homemorphically encrypt on the Mmultiplicative Properti, so a times B, equal seat encrypted a times encryptedB equals encrypted s, and then you can decrypt se and get your actual result,but that only works for multiplication. You could do that for other thingsaddition, possibly I guess division would probably be an inverse case ofultipication mot. Sure, if that would make a difference in the scheme, butyou could do this on specific gat specific things that you can do um thehe differentiator. As I understand it, with fully homomorphic ecryption, isthat his general compute you can do multiplication, you can do audition,you could do exor logic, you coul do literally any and by the way, it'sprobably better to think of it, as as a logic gate than it is from a logicate standpoint that it islike the mathe standpoint of multiplication. Whatnot Y OU DO AMRODNAN well with Nan. You've got an universal gate, basically Um SanderNorth, whatever you can do. EXOR like you, Coul, do these gates in acompletely generic way where you encrypt the input dataoperate on it ma even take multiple sets of it. endcrypted input dataoperate on all of them and return an encrypted result, and then you can, as the person whosubmitted the data, can decrypt that result, but you don't need to set up hey. This is only for multiplication.Hey. This only works for addition. Hey this only wors for exsor. You know youcan you? Can Literally Go, this is just takes any piece of ENCRYPTA data thatuses our scheme and outputs an encrypted output. Using that scheme is,is that answer n your question clarifying it enough gorier did I dothat wrong? Is that what youwre getting at Yeah Yeah? I think you, I think you put it reallyeloquently there, because the way you have to think about it is it's likethis. This logic gate right. It's it's building like that, it's much easier tothink of that than additionof ultipication, and so yeah we nd by theway, I said Dan E. No, I think both you can actually use for universal gates,but, yes, n the way I e I've actually started. Looking intow how to constructthe stuff is to look just ditial circuits just because they se the exactsame things, and I'm just like reading back and forth on how to like. Youwould construct some sorts of like some of these algorthms and it's it's prettysimple, that the only problem that we have now ith us with our CT FG schemesis that, like branching, for example, is actually fairly difficult. There isa lot of research in branching, FG, and but the problem is because it'sencryptid a you would be breaking CPA security if you were to be like. Ifthis then like, that's just something, you can't do you've said CPA a couple of times andsomething else actually don't know the Augorithms I fel like. I should hat acronym and I fel like I should.Could you explain that so it just means it's SONANTIC security. It I it'sindistinguishable under chosen, plane text attack so escentially, it's likeif an attactor has the ability to encript certain messages, can they weak some information aboutabout the Keyr or something like that or about the message and break cumfinjelly like that, so the idea, O th t what I'm saying byt branching is likeusually like. If this, if this do this else, do that right so with that PAC, you actually can't dothat because you have to do it, you have to construct programs in a linyourfashion. So if you were to do it, if else, then it wo, you would essentiallyhave to have two different programs operating. At the same time andconcurent to say like if this is the output do this, and if this is theoutput, do this right, so it it's complicated. There's a lot of researchon this too that we've been meeting to do sommore research on but yeah. It'slike one of the major pro essponsibe yeah. I guess as a simple example to todo it. Imagine you have a four loop which looks hundred times and you havesome heit condition happening inside the forelook, so you have two possible branches andyou pet that hundred times and imagine if you, if you really had it, go in oneor other way, then possibly you could say okay. Thisbranch is executed faster than this brance. So and when you repeat this ahundred times, it's not Qite by a...

...hundred times, so you can figure outthat if, if it went this way, it's different by the execution time fromwhen it went this way, but it should not happen if, if this happens, itbreaks your security, so you basically have to execute to branches and if itsive within the forelook, you have to execute basically to two branches to the power of ahundreds. So this is, of course, a problem M, so yeah. So that's that'skind of a problem with ful Heomorphac cencription and that's. Why, like what we usually think of o anormal during a complete program, probably not necessarily is not necessarilyalways practical there, because you have to execute all the possibilities. Yo just justdescribed why most compilers or all compilers can't optimize loops oly someloops Soo o like iler like if you, if you canpile something I I'd, come fromscience of Computerg so like. If you try and have your compiler optemize variousloops to be more efficient. If you include arbitrary logic in their likeiff statements, then they just they just basically ignore them because ofthat branching, because of the all of the possibilities that can go from eachloop as you get right through that loo- and I guess it's the same for likethese types of things, you can't determinisically figure out what thepossible space is. If you have like these kind of branching outpossibilities as you git erate, through Aloop, and if you get to like the finalexecution state that I guess people in the Space Anto itwhat mirkle trees look like at each each level of the loop creates anotherlevel of a tree and get the very bottom. That thing is possibly incredibly largein searching that space. ADERCL is very difficult, yeah and then we also expandon this with the other problems of homomophic encription, like cyphretexexpansion, and suddenly this becomes a very unmanageable problem. So does this limit themthe size of thethe computation you can actually do on on your currt roofco concepts m limitthe size of the comvetation t, not lice yeah, the Po like 'm complexite Olax?I'm looking for okay, yes, Asserte, no, there's, absolutely nothing IIT tesieor the the complexity of our of our logic. U It's mostly STI languageipplementation! It's not! Really! It's not a real programming lanuage! So it's it's just a list of logicatesthat we perform. I guess I guess you can stillpractically say that he as it it does limit what you can do because, like, ifimagine you have a forloop with if condition inside then I guess thecircuit, for that would be incratibly large. Of course, you can still do it,but it will be very, very slow and the intuition aboutwriting. Normal progrems is a little different from intuition about writingprograms for Fr, hemomorphic encryption trob exactly because of this problem,but at the same time, if you want to just process a very very large amountof data, maybe might produce fire fashion or something, then I guess it'sit's actually still practical, because you can have not necessarily UPRCOMPLEXprogram being executed, Um h being executed once you have somethingsimple to be an executive, multiple time, and because of this too as well, it'slike, as you start, encripting more and more data. Obviously your cycrotex getsmuch much larger, so one bit gives you two killvits like right now. So if youwant to do like something like mackardis right, Youa, haveten, crippea lot ofdayn and we're talking about a huge sychetext right. So it's not thatpractical for large data Censr, yet it's more or less practical for verysimple executions and research right now is mostly whatwhat we're trying inting, O and trying to use this floor now said earlier.This was a massive step forward in the efficiency of doing teongrithm andnenecessarily. The efficiency of the output of the Algorithm and and Ansorein in public plot Chan contexts if you're going to be storing all thesecyprotects in the block chain. That then becomes quite a big deal. You Nedyou need that other part of the research to move forward as well forpractical application. Well, I o Enway you'R ATPERLIN thing. It sounds likeyou can actually prove computation to some degree using the block chain, soyou could do awfully or two solutions which do the fht and sit and share thedata around and what you've built is...

...basically a proove construct. So youcan use the watching for what is really meant to be used for in nothing else,which is definitely what we want to strive for anyway. Every operaring this,if you don't want to put your Cyphotex on the block chain, that's clunky andnasty. What you want to do is prove that the result you've gotten fromsomebody doing an offchained calculation is correct. So what this isis kind of like an alternative to true that only kind of like more Um, I don'tknow Wal Ternanes right in Balltown, Hav Ow, it's it's more. It's just a yeah, a wayof sort of verifying aalega yeah. No, I guess maybe even like a compliment saidto true Betzaltrubit as the problem right now, where you'd have to shareyour input- data, literally God and everybody, in order to get your yourchallenge, results and whatnot and thebounties collected in Yadiadiada Um.With this, you can do those bounties and those challenges improve them,prove your prove that somebody's you know moocking around with the system oror doing something in in an incorrect way through consensus mechanism,consensus layer like a block chain, and it would basically allow you tosort of Um h. You know not broadcast your your results to theworld, but still have people be able to calculate on your data if you give itto them and prove that they did a at least these steps, and somebody alsowants to run calculations on this data and come up with their own proof and itcontradicts yours. Then there could be a resolution or Yadiada, but right nowwhat you've done is is he said: Hey we o prove that I did this and I'm obeyingthese rules that you've provided on this layer. Two Solution Yo gave methis Cypro Texand. This is my output and if somebody else were to do thesame thing, they would be able to prove that there was something wrong if youwerej not correct or something like that, I g yeah, so basically you've used itas a truth, like truth mechanism, which is really what a bloctd hand's supposeto e dous talk a little bit about the higher implications of this kind ofwork, and where do you see this this project going Um? What what do youthink? What do you think? When do you think people will start using thesekind of things? How far are we from? I know that you said in the lastprogramere at least ten years out from really good Um homomorphic encryptionulnow. We said we send FORAE Cangen ten years out to start asking goodquestions about where we'll be okay, sure then Um. Where do where doyou ar that really puts a hamper on myquestion? Thaire Cory, I'm sorry! Where are we going to be whres? Where are wewhat's next? How how Don, who do you think is going to be interested in thisright away? I think a lot of people are actually Gein to be really interested,mainly because people using solutions like trusted execution environmentswhich are actually really horrible, and not good for disentializedenvironments, because they are trusted execution environments, not trustlessexecution environments. M fh represents a software based control in thisrespect, and it is a is a trustless comp, computition the environment,really so than it's like the one thing that Rthat I ely really excited about for it um whether or not I even as it ends uphaving amazing batching usecases. It's it's just thisidea that we can have trustles computations at the software level, notthe hardware level and that's huge just by imself Yo Hav Otraction, like sory. It allegeyou to abstract away, Tho trust and en not put it we should. We should nevercare about the hardware if we can right right. The problems are th t ther.There is the notion of security in ft where it is like it's not the greatest security, because the theschemes forigner are obviously valeable. So given a cycrotext in a key, you canactually change the psychotects of it and give you something that that may bedangerous for you to reveal the STO to the same part and it computerd it. U Sothere's a lot of room for research here, an and you're asking. Where are we? Ithink we're honestly good two three years out, maybe from this being likethey seeing widescale adoption, maybe already were even the firstpractical implimentation of this stuff yeah. Well, I would say that at leastthat performance of F sh feels already practical for something like privacy,preserving smart contracts, whether you can have practical privacy to preservesMas contaxes still, and it needs to be researched a little bit, but I thinkwe're very, very close. But of course implementing is one thingguessing that adopted is another thing, Um and yeah, and if basically what' s, what options o Youlhave right. Now for...

...for private computations, we have fo Hemortic, incryption e, havemultiparticomputation and trusted execution environments trustedexecution environments, they they are fast, but they are currently broken and in principle youalways probably will have hardwareside channel attack possible. So you cannotrally fully trust as stranger to execute a thing for you um you, you canmake it harder for the stranger to figure out what's going on, but I thinkit's still possible Um with multipritan computation, it's a little bit better,but first of all you, if you, if your computers Collud, they will figure outwhat's going on and also also it's it's actually currentlyrequiring a lot of data exchange like gigabytes, if not terrobite, some datafor executing, let's say a simple mort contract, especially if you have morethan three partis computing. You think so multiparcecomputation is a little bitnot practical yet, and it was believed that fomorthic cencryption is notpractical yet, but we show that they please. We can do seven thousandoperations per second, which I think is at least performance, wise, practicalfor for privacy, preserving smart contracts, Um and so yeah. I Guess Performance Whiit's there, but there are some other things which need to be worked on and Ithink it's, it's probably Um, it's probably a couple of years. Untiluntil we have like a practical latform for doing drivat, but not really fastcomputations, which are all right for mas contract nd, that KINDOF starts offwith like why you do how anything slowly gets better better. Is that it'spractical for a very small subset of things that really really need thattype of functionality and overtime as it's developed, thenthe efficiency's gains, which then opens it up to a broader audience ofbroader usecases yeah a so maybe I I think that it probably will work forsmart contracts first and then there will be economic concentives toaccelerate that some asic manufacturers jump on it and make it let's sayanother hundred times faster, and then we are saddely at about and Magahertz megacers performance and H, and maybe we can dosomething more complex, like I don't know, Um think o print recognition orlike face recognition without exposing exposing anyone's privacy to to somestrangers and and then, like the whole. A whole bunchof applications which are currently done by central services probably couldbe done over increpted data, but still still, even even then. I wouldn't usethat to to do like performance, critical applications, because I'l sayif you, if something takes a year or like Sayif, something takes severaldays to analyze on like real CPUs in unencrypted form in incretive form, itwould be, it would be actually way slower to do, even if you accelerate itin any possible way. So you really need to you still be focussed on somesubsect of operations which really require private data. So let me giveyou lete ground Tis for th a minute, and I know we gotta wrap this stup in asecond but Um. One problem that was presented to methat I think this could immediately kind of solve. Is people want to usecryptic currency for royalty management and Um possession of assets um in termsof say the music in history? So if you have a music, if you're in the musicindustry, do you want to use crypticcurrency as your backingmechanism for actually h? You know licensing a particular piece of work.They can't do that right now with the current smart contract system, becauseguess what they don't want to expose, what Thei r their licensing agreementsare. They don't want to expose who gets a percentage of what they don't want toexpose? Who? Who Y, who gets to take? How much dospot? If I get how much isthe music lay will get much? Does the artist get nobody wants the world toknow that data? This doesn't just apply to royalty management also applies tosay bills, oflading in in supply chain,when you're doing t tr transport from Pointa to point B, they don't want toexpose their deals to everybody, but they still want to operate on the dataand that want to do it in a trustless way. That's backed with some sort oftoken security right now. They can't do that because they can't keep it private.They can't do it in a way where t,...

...unless they use something likethreshhold relay, where they're passing the documents around, but even thenlike they would rather do it in some automatic automated way, anprove thatit's been done correctly. POLIOMOMORPHIC CECRYPTION in a veryminor scale, just calculating percentages. Just basically you getthis cut, you get this cut you get. This cut. Um can take the rule set as ecipretext and output the result as necessary, and nobody necessarily knowswhat exactly 's going on in the little black box of the virtual machine andthey can still in the fact that they can prove it on the truth mechanism andeven make changes to Um to to balances that maybe e exist off chain and can bereflected on chain through some resolution. Aier, which is also hiddenand also kind of a blackbox system to me, soundsreally really interesting, because then they can do their calculations agregate,they can have thei total balances committed an aggregate, but they don'tactually have all that information exposed, and this is not complicatedprogramming. This is no a very t. This not fingerprint analysis. This is basicmultiplication and adition problems that are all over the financial world,and people want to be able to use cryptocurrency to kind of pack thisbecause they like th the features that it has except it doesn't have privacy,and so I see the fully homomorphic encryption, the stuff that you guys arebuilding Um, to be kind of the thing that mightbridge the gap and make some more broad adoption into this space, because itwill enable these kind of transactions to occur through a trustless mechanismsuch as a block chain and resolve out in the blotching as a on the resolutionlayer, so yeah really interesting, stuff, Um yeah, looking forward to seeing howthis progresses is there any thing we should have askedyou that we didn't. I think we got our bases covered yeah.I feel much better about where you like what you've done, whereyou're, at wit, maybe some of the potential issues if, where I've movedforward and kind of the timelines associated with it, and I hope thataudience can too, how can people reach out and get a hold of you with respectothis work or even the proxy rancript and stuff? You can email me, John atNusifer Com or you can use my Birsoli Mal me at John Pacific Com. Yeah, allyou can email me, Michael. I I dus call em or actually I would recommend to goto a reciple, dotcom website and Findallin to all discords, and then youcan ask all sorts of questions and every any of us will be happy torespond. IGOSS, Persa, Tas, right and, as usually, you can reach us coryat Corpetti on twitter and myself at Colin Cuchen, Hontwitter and yeahthanks foo things fommong US.

In-Stream Audio Search

NEW

Search across all episodes within this podcast

Episodes (108)