This article pretty clearly isn't intended to be a technical manual for the Enigma process, but rather explaining the basic idea and possible uses to a mainstream audience. People reading a general-interest technology site like MIT TR aren't going to be capable of understanding the actual math and encryption techniques involved. If they were, they would likely be getting their Enigma news from the papers involved, or the project's website, or progress logs, etc.
Wait wait what? So I can send my (locally encrypted) CC info into an Enigma-enabled CC processor, and they can deduct an amount from my account without ever actually knowing my account info?
Or more like I can send an encrypted list of passwords and they can tell me what the most common letter is in all the passwords without ever knowing any of the passwords?
If these things aren't possible, can someone provide a useful example of this being used to solve a problem? I'm having a bit of trouble actually understanding what this is/does.
I don't know about CC processing, because... banks and regulations.
But what fully homomorphic encryption allows you to do is to perform arbitrary computations on encrypted data.
So you send your encrypted data to a machine, it performs the computation, and sends it back to you still encrypted. Like the password list example you mentioned.
What is cool about this is that it solves the problem with privacy in cloud computing platforms. You don't expose your data.
NOTE: I'm not a cryptographer and haven't read the article yet. Just writing what I can remember.
ZeroDB here. We're not homomorphic, and it is possible to make the cloud hosting you're talking about without homomorphic encryption.
But if you are to perform heavy computing on server side, you have to be homomorphic. Or other amazing opportunities like decentralized key management, content tokenization (DRM) etc appear from this homomorphic work (even if the speed is 100 times slower than unencrypted)
This isn't fully homomorphic encryption, though, only somewhat homomorphic encryption. Addition, and things that can be done with routines that only use addition, would be able to be performed on the encrypted data, but other operations would not.
Or at least having skimmed the white paper, and having some background in this, that was my take away.
EDIT: Your explanation of homomorphic encryption is a good way to explain it at a level people can understand just what a breakthrough a workable implementation would be.
Ah, thanks for the edit. I've read about homomorphic computing a while ago, and I was getting excited, but there's still no fully homomorphic implementation, is that right?
Is there at least proof that it is possible? This would be amazing technology.
I believe there is a proof of concept which, if implemented, would be trillions of times slower, so let's say kinda? 100x slower, as is the case with this method, would be amazing if they managed to make it fully homomorphic eventually and keep that speed.
It doesn't seem like anything is actually encrypted, just randomly distributed amongst nodes in small enough pieces so as not to provide any useful information about the original data.
Since the paper states that all nodes must collude to recover (not decrypt) the data I would assume that the pieces are encrypted asymmetrically for each node to ensure a sufficiently powerful man in the middle (cough NSA) doesn't just reassemble the pieces.
This is actually a form of encryption (See - https://en.wikipedia.org/wiki/Threshold_cryptosystem). It is encrypted in the sense that combining any number of pieces smaller than the defined threshold won't leak even a single bit of information.
The difference is encryption is usually associated with obscuring data with a key that you keep secret. In this system you broadcast out all the pieces needed to reconstruct the data. No secrets, just inconvenience due to distribution. It is not very inconvenient for an adversary that is already collecting all of your communications.
I'm still waiting for a distributed program that stores its own private bitcoin wallet keys using homomorphic encryption to keep the keys secret. Can Enigma do that? Doesn't sound like it's quite there yet, but the direction is very interesting.
1. Decentralized private key generation – Multiple Enigma nodes locally create a segment of the key, whereas the full key is only ever assembled by the user. No trail of evidence is left anywhere.
2. Decentralized transaction signing – Transactions signed without ever exposing the private key or leaving a trail.
3. Decentralized controls - Set spending limits, multi-sig, CHECKLOCKTIMEVERIFY like controls, and more with a private script. Lock time,
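The three ideas argued over in this thread (the "addition only" homomorphism of the scheme, the threshold property where fewer than t pieces leak nothing, and the decentralized key generation listed above) all follow from one primitive: linear secret sharing. The block below is an added illustration written for this page, not Enigma's code; it uses Shamir sharing over a toy 127-bit prime field, and the node count, threshold and field are assumptions chosen for readability (a real Bitcoin key would be shared over the secp256k1 group order).

```python
"""Shamir threshold sharing with share-wise addition (added example).

Constructed for this thread, not taken from Enigma. Field size, node
count and threshold are assumptions; the structure is standard Shamir.
"""
import secrets

P = 2**127 - 1  # Mersenne prime; assumed field for the example


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(secret, t, n):
    """Split secret into n points on a random degree-(t-1) polynomial.

    Any t points reconstruct the secret (the polynomial's value at x=0).
    """
    if not 1 <= t <= n < P:
        raise ValueError("need 1 <= t <= n < P")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x=0 from t distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def add_shares(a, b):
    """Pointwise sum of two sharings is a sharing of the summed secrets.

    No node learns either input; only the owner (with t shares) learns
    the sum. This is the addition-only homomorphism from the thread;
    multiplication of shares does not work this way.
    """
    if [x for x, _ in a] != [x for x, _ in b]:
        raise ValueError("shares must be held by the same nodes")
    return [(x, (ya + yb) % P) for (x, ya), (_, yb) in zip(a, b)]


def decentralized_keygen(t, n):
    """Each of n nodes picks a random key piece and shares it to all.

    The key is the sum of the pieces. Node j only ever holds the j-th
    shares and their sum, never the key; the key exists only where t
    shares are combined (the user). Returns (key_shares, key) where the
    second value is exposed purely so a test can check the result.
    """
    pieces = [secrets.randbelow(P) for _ in range(n)]
    sharings = [share(p, t, n) for p in pieces]
    key_shares = sharings[0]
    for s in sharings[1:]:
        key_shares = add_shares(key_shares, s)
    return key_shares, sum(pieces) % P


def consistent_with_any_secret(partial, candidate):
    """Given t-1 shares, exhibit a t-th share making the secret = candidate.

    Because such a share exists for every candidate, t-1 shares carry no
    information about the secret (the 'not a single bit' claim). The
    constant term is linear in the unknown y, so two probes solve for it.
    """
    x_new = max(x for x, _ in partial) + 1
    f0 = reconstruct(partial + [(x_new, 0)])
    f1 = reconstruct(partial + [(x_new, 1)])
    slope = (f1 - f0) % P
    y_new = (candidate - f0) * pow(slope, P - 2, P) % P
    return reconstruct(partial + [(x_new, y_new)]) == candidate % P
```

Reconstruction requires exactly t shares with distinct x values; passing fewer yields a field element unrelated to the secret, which is the point of the last function. The key-generation routine mirrors item 1 above: every node contributes randomness, so no single node can bias or learn the key, and the user is the only party who ever assembles it.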
OK, so the secret can be generated in decentralized fashion. From reading this, I can't tell if the secret is only obtainable at the client, or does this mean that the enigma network could in effect store the pieces of the key and re-assemble it based on some pre-agreed computation that is not subject to modification by any particular user?
(Enigma here). Yes, that is possible. You can distribute a key to the nodes and make it retrievable only if some computation is satisfied (which is also done privately and leaks no information).
We have some ideas on how to do it, but we're hoping gifted developers out there would use our platform to develop such highly-needed applications (that would probably be much better than what we have in mind).
I was thinking of it more like a distributed supercomputer that can tackle large amounts of data without actually knowing what the data is, so it can be trusted with tasks that might otherwise have to be kept on local clusters. Crunching genome data for medical patients or something might be a good example of having to comb through lots of private data.
This would be awesome as an alternative to Facebook having all your likes / personal information and other companies tapping into that. Imagine if you stored all of that in Enigma instead and only gave it to the companies you trusted.
So you could store your own list of favorite music bands in the cloud and share that with, say, Spotify or Pandora to get personalized recommendations, but nobody else knows about it. Then you store your favorite authors in another location which only Amazon has access to. Or your medical records could be kept in the cloud and only shared with your personal doctor, then easily transferred to another doctor if you switch.
This seems like a great solution for storing these small pieces of personal information in the cloud without having to give them all to a central authority like so many people do with Facebook currently.
I had a similar idea! I'm glad something like this is being implemented.
The most important idea imo is that companies can never claim ownership of personal data because they never have access to it. Another cool idea is that if you have a currency that can be cashed in for fractional computing power on the network you could pay tech companies in computing power, either providing it from a device you own or paying for it with the currency.
I look forward to the papers/code that they release.
Edit: I'm not really clear on this, is there any currency component to Enigma? I was thinking there could be a currency that's a transferable debt of fractional computing power of the network.
Edit 2: Apparently it isn't a currency and uses bitcoin for fees...
MaidSafe[1] is a similar scheme for data (not CPU cycles) and it does have a currency based on amount shared and a couple of other things. It is also serverless but it doesn't use a blockchain. They are doing a lot of active development in the space right now.
You are correct about using stored work to pay for other compute being interesting. I believe this is actually the nature of reality, not just some new fangled thing we're getting around to 'inventing'. I will note this is an opinion of a futurist, so it is what it is.
At the least, compute federation is enabled with cryptocurrencies. They give you a way to pay for use (payments), identify with them (identity management) and a way to standardize the use of the compute (immutable data structures).
I'm not a big fan of cryptocurrencies, especially the blockchain, but if they did one thing they started up the conversation in government of how distributed electronic currencies should be regulated. So I think more experimental things like what I described should show up in the near future. :)
One of my friends informed me that the idea of currencies backed by computing power has existed for a long time in science fiction so perhaps we'll see these specific kinds of systems soon.
So if I am understanding correctly, this could compete with services like s3 and ec2.
People can earn money by attaching their machines to the network (but they have to include a security deposit). Then they will collect fees from users for each request processed as well as a set fee for storage.
The application developer will then use a provided scripting language (I am not sure if they actually write the application using this language or if it is just for ensuring a contract). They will need to continually pay storage fees or their data will be disabled and eventually deleted.
I would like to see examples of the scripting language they reference.
I don't believe centralized/public clouds will disappear anytime soon. However, there simply aren't any privacy-preserving alternatives out there. We're hoping to change that.
Also, your description is accurate. We'll be releasing our code and some dev-friendly documentation for the beta soon. You're welcome to sign up at http://enigma.media.mit.edu.
Sometimes I wonder what kind of operations would actually be useful to do on such data in the real world.
I mean, the way the web currently works is that I trust some server to host my data. I can have this service auth an external consumer site and display data in an iframe, say, which the consumer site can't get at. This is good enough for displaying people their personalized info (name, friends) on various services (eg directions to their house in an iframe, for a user authenticated with my chosen provider).
But to go further, what if I don't want to trust any provider?
Then I could simply encrypt the data and store encrypted data with the provider (or providers for redundancy). The authentication could be replaced with visitors holding a key to decrypt the data (because I gave it to them) and I can switch to using some other key and effectively "unfriend" those who don't get my updated key.
But all this is good enough for displaying data and files I upload. Now, why would I want to do operations on those files "in the cloud" without trusting a provider? I am already trusting my friends with the data, since they can reshare it once it's displayed to them. So why not trust a provider? One of my friends can run the provider.
I guess the only scenario I see it being useful is if all my friends can only have limited access to the data and all manipulations on the data are collaborative, and that's where the homeomorphism comes in. Perhaps no one will be able to see the whole data and it's not really about data at all, but views of some Enigmatic process running on some network (like an autonomous corporation.) is that the use case?
Maybe I misunderstood, but it sounds like the service for distributing the work would have to be trusted (since with enough pieces of information you could decrypt the original data), which if true would remove the whole point of the system.
Two things I haven't yet seen here in the comments:
1) Electricity used. From the article:
    This scheme only multiplies the computing requirements for a calculation by less than 100 fold
It's bad enough that bitcoin mining itself is so energy intensive, but now we're coming up with additional power-hungry schemes.
2) (Ab)use of the blockchain:
    Enigma stores that metadata in the bitcoin blockchain, the unforgeable record of messages copied to thousands of computers to prevent counterfeit and fraud in the bitcoin economy
So eventually the whole world will use the one true blockchain for "unforgeable records" of everything? Eventually the chain will grow by what, 1 GB per hour, 1 GB per minute, 1 GB per second?
1) It's not related to bitcoin energy usage, which is designed to be high. This is based on the current best science has to offer in making things cheap.
The 100x multiple is to the cost of normal computation. Normal, unsecured, visible to your hosting provider, etc, computation. Companies already pay huge amounts for securing computation so a pure mathematical way to do it that's only 100 times the base cost of the CPU time is actually a huge savings to many.
You don't have to run your whole webserver this way, just the payment processing pieces...
2) What will happen is pure guessing because it depends on the hidden motives of others via market (and other) dynamics.
But the options are roughly,
A) The bitcoin blockchain remains at today's general capacity. In this case the price per blockchain/byte will increase and people will use side-chains and "link" them back in as they feel appropriate. You will have the option of downloading sidechains you care about.
B) The bitcoin users decide on one of the proposals to increase the blockchain capacity dramatically - and all of these offer some form of prunability so you don't need to hold the GBs of stuff you don't care about in order to strongly verify the things you do care about (like the balance of someone who's paying you)...
C) Some other currency which solves these things really is the "one".
But these questions didn't need asking. They're needlessly critical - as if technologies should (or even could) all be invented at greater than 100% ROI just out of thin air, and as if market dynamics wouldn't handle things anyway. If this solution is too expensive, nobody will use it. There are no externalities involved here, nobody is getting a free lunch; they'll only pay for it if it helps them overall.
1) More electricity is used, but it has some benefits. What is the social and financial cost of data breaches and identity theft? Hopefully at scale a system like Enigma can help with that.
2) At scale, you are correct. Blockchain scaling is a problem that a lot of people are working on, hopefully it will be solved in one way or another. If it doesn't, we'll need to find another solution or Enigma will fail.
A better response than mine had already been posted by the time I finished writing mine. As such you may wish to skip reading my response. However, I'll let my response remain here anyway. /EDIT
1)
I'm not sure why this would have a power cost significantly comparable to bitcoin. This seems like the power use would be akin to using a computer which uses power inefficiently, which doesn't seem terrible.
It seems inevitable that a system that serves the same purpose would take more resources, seeing as the computation has to be done in multiple places, and as such, a relatively small constant factor doesn't sound terrible (not sure how one could hope for better).
It is not as if the programs which are written to run in web browsers now would have been written to allow as much inefficiency in equivalent desktop programs 14 years ago, right?
Does not sending an encrypted message to someone take a constant factor more time to send than it would to send it plaintext? (referring to time it takes to send and receive, not the time during actual transit)
2)
It uses a blockchain (bitcoin's) to store some data, but that would just store some transactions, and from what I can tell it shouldn't significantly increase the electricity required by the bitcoin network?
I guess it could contribute to blockchain size (I'm not sure how much data needs to be stored for the commitments).
re: "one true blockchain" :
I assume that if this were to be adopted in such numbers, either some scalability things would be added to bitcoin, or this or something like this would be transferred to some other more scalable blockchain, using something like hypercube chains or something like that. A program running using a system like this would be fine using just one of the subchains, and the people using it would mostly only have to keep track of that subchain (and I guess the chain that ties the subchains together), so because more subchains can be added whenever they are needed, the size of the subchain being used would presumably not grow at unacceptable rates.
notes:
I do not own any bitcoin. The only cryptocurrency I own any of is testnet ether, which is for a testnet. Additionally I have not made any wagers about the success of any cryptography technologies, and am not employed in any cryptography related field. I don't think I have any financial incentives to promote any particular view about any given cryptography technology.