6

Fully homomorphic encryption has been implemented by Craig Gentry using ideal lattices. Can it be applied to data stored on a private cloud setup in practice? I've seen references here and on other sites that lead to the conclusion that it is very slow.

Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179
  • Homomorphic encryption is still more theory than practice. – ewanm89 Sep 24 '12 at 11:12
  • I agree it to be more on theory ! But theoretically also they rate FHE to be slowest. Isn't there any mechanism or algorithm to make it more efficient as far as the time latency is concerned ? – Shashank Bajpai Sep 24 '12 at 11:15
  • 1
    possible duplicate of [In what ways does Full or Partial Homomorphic Encryption benefit the cloud?](http://security.stackexchange.com/questions/3728/in-what-ways-does-full-or-partial-homomorphic-encryption-benefit-the-cloud) – Polynomial Sep 24 '12 at 11:28
  • I am well aware of the benefits of the FHE on Cloud. I specifically ask for Practical Implementation of the same. So that cant be a Duplicate. – Shashank Bajpai Sep 24 '12 at 11:42

2 Answers2

7

There is no proof that FHE cannot be implemented efficiently. It is just that, right now, we do not know how to do it. With currently known algorithms (Gentry's algorithm, with a few known optimizations), it would be extremely slow, which means impractical (and quite far in the "impractical" realm, actually). FHE would have to become thousands of times faster than what can be done today, in order to achieve some kind of generic practicality.

Of course, there are a few specific applications which can already make use, in a very practical way, of homomorphic encryption. Typically voting systems, such as Helios Voting -- these do not need fully homomorphic encryption, and can work with a plain, efficient, partially homomorphic ElGamal.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • Apart from being very slow on time constraints are there any other drawbacks/flaws of a Fully Homomorphic Encryption Scheme ? – Shashank Bajpai Sep 25 '12 at 11:05
  • @ShashankBajpai: its slowness makes it unusable; it is difficult to have bigger drawbacks than that... Yet I would add that it is a bit too new for its security to be trusted. My rule of thumb is: 5 years of extensive usage in the field. Right now, for Gentry's algorithm, this 5 year period has not even begun... – Thomas Pornin Sep 25 '12 at 11:08
  • I agree on that 5 year period of usage. @Thomas Pornin: Thanks a lot for the valuable input. – Shashank Bajpai Sep 25 '12 at 12:27
2

The answer to this question is already completely covered by these questions:

Excerpts: "The short answer is that none of them are practical ... yet. But there is a lot of active research, and if we're lucky, maybe that will lead to enough improvements that it might become practical. We'll see." " They're too slow for most/all practical applications. No point in considering homomorphic encryption for production use today -- way too slow."

Use the search bar on the upper-right of this site, and on Crypto.SE, to find more information about homomorphic cryptography.

D.W.
  • 98,420
  • 30
  • 267
  • 572