Am I wrong? I freely admit I don't know how it's supposed to work inside, because I've never taken the time to learn, because I believed those limitations made it unusable for most purposes.
Yet the abstract suggests that FHE is useful for running machine learning models, and I assume that means models of significant size.
If we're 6 orders of magnitude off, then we need to double our speed 20 times (2^20 = 1,048,576), which would give us speeds approximately in line with 40 years ago. Unless my understanding is completely off.
Obfuscating input and output formats could be very effective.
Obfuscation layers can be incorporated into training. With an input (output) layer that passes information forward, but whose output (input) is optimized to have statistically flat characteristics, resistant to attempts to interpret.
Nothing like apparent pure noise for obfuscation!
The core of the model would then be trained, and infer, on the obfuscated data.
When used, the core model would publicly operate on obfuscated data. While the obfuscation/de-obfuscation layers would be used privately.
In addition to obfuscating, the pre and post-layers could also reduce data dimensionality. Naturally increasing obfuscation and reducing data transfer costs. It is a really good fit.
Even the most elaborate obfuscation layers will be orders and orders of magnitude faster than today's homomorphic approaches.
(Given the natural level parameter obfuscation, and the highly limited set of operations for most deep models, I wouldn't be surprised if efficient homomorphic approaches were found in the future.)
I heard it described as a system that encrypts each bit and then evaluates the "encrypted bit" in a virtual gate-based circuit that implements the desired operations that one wants applied to the plaintext. The key to (de|en)crypt plaintext will be at least one gigabyte. Processing this exponentially larger data is why FHE based on the system I've described is so slow.
So, if you wanted to, say, add numbers, that would involve implementing a full adder [0] circuit in the FHE system.
[0] https://en.wikipedia.org/wiki/Adder_(electronics)#/media/Fil...
For a better overview that is shorter than the linked 250 page paper, I encourage you to consider Jeremy Kun's 2024 overview [1]
Accelerators are being developed that claim to get down to 10x, though i think they will be more like 100-1000x, which would still be a huge improvement considering how people use LLMs today for basic tasks like string matching.
https://vishakh.blog/2025/08/06/lessons-from-using-fhe-to-bu...
Since neural networks are differentiable, they can be homomorphically encrypted!
That’s right, your LLM can be made to secretly produce stuff hehe
The circuits are built out of "+" and "×" gates, which are enough to express any polynomial. In turn, these are enough to approximate any continuous function (Weierstrass's approximation theorem). In turn, every computable function on the real numbers is a continuous function - so FHE is very powerful.
That doesn't seem right. Consider the function f(x: ℝ) = 1 if x ≥ 0, 0 otherwise. That's computable but not continuous.
Very insightful comment, though. LLMs run under FHE (or just fully local LLMs) are a great step forwards for mankind. Everyone should have the right to interact with LLMs privately. That is an ideal to strive for.
Homomorphism just means say I have a bijective function [1] f: A -> B and a binary operator * in A and *’ in B, f is homomorphic if f(a1*a2) = f(a1)*’f(a2). Loosely speaking it “preserves structure”.
So if f is my encryption then I can do *’ outside the encryption and I know because f is homomorphic that the result is identical to doing * inside the encryption. So you need your encryption to be an isomorphism [2]and you need to have ”outside the encryption “ variants of any operation you want to do inside the encryption. That is a different requirement to differentiability.
1: bijective means it’s a one to one correspondence
2: a bijection that has the homomorphism property is called an isomorphism because it makes set A equivalent to set B in our example.
I see “Unified Line and Paragraph Detection by Graph Convolutional Networks (2022)”
There were (at least) two posts from arxiv.org on the front page at the time, and when I was updating the title on the other one I must have applied it to this one instead. I've fixed it now and re-upped it onto the front page so I can have its full exposure on the front page with its correct title.
My question might be very naive but I'd like to better understand the impact of FHE, discussions here seem to revolve very much around the use of FHE in ML, but are there other uses for FHE?
For example, could it be used for everyday work in an OS or a messaging app?
Also, is it the path for true obsfuscation?
There's no value to it in circumstances where you control all the hardware processing data, so "everyday work in an OS" - only if that OS is hosted on someone else's hardware, "a messaging app" - only if you expect some of the messages or metadata to undergo processing on someone else's hardware.
It seems wildly unlikely that the performance characteristics will improve dramatically, so in practice the uses are going to remain somewhat niche.
But what about the case where you don't have so much control about what runs next to your program? Could it be possible for an attacker to run a program in order to extract some data when your program is run?
Also, could FHE offer some protection against vulnerabilities like Meltdown and Spectre?
> It seems wildly unlikely that the performance characteristics will improve dramatically
Why? Are there some specific signs for this already? I had the impression that everytime people tend to believe that with technology they get proven wrong later.
noman-land•4mo ago
https://fhetextbook.github.io/