CPS-0026? | Approaches to Fully Homomorphic Encryption #1143
CPS-0026? | Approaches to Fully Homomorphic Encryption #1143kozross wants to merge 9 commits intocardano-foundation:masterfrom
Conversation
rphair
added
Category: Plutus
rphair
left a comment
rphair
left a comment
There was a problem hiding this comment.
@kozross this is on agenda for Triage at next CIP meeting (https://hackmd.io/@cip-editors/127) where I hope we can confirm some title which is specific enough to cover Fully Homomorphic Encryption but general enough to accommodate any of the approaches under consideration here.
- Ideally a CPS should be stated as a problem rather than a solution. I've given it a "working title" and please feel free to refine it further & we'll also visit that issue at the meeting.
rphair
changed the title
|
@rphair - I renamed Edit: I've also reworded the open questions section to hopefully be less wordy and better organized. |
perturbing
left a comment
perturbing
left a comment
There was a problem hiding this comment.
Just a quick review: nice proposal! I see the value, I do wonder if these operations will fit inside the Plutus budget. 🤔 Having a benchmark as an indication is paramount. (see for example the bls12-381 msm cip here)
|
@perturbing - 'fitting inside the budget' is a problem, but I feel the bigger issue is that programmable bootstrapping is like higher-order builtins on steroids. Consider something like this kind of builtin and its intended signature (in Plinth):
Nothing semantically prohibits us from defining such a builtin. However, how on earth do you cost this? The only assurances we have are that the function argument would get called a number of times proportional to the length of the list argument, as the function argument could do more-or-less arbitrary amounts of work, which we wouldn't be able to figure out. Programmable bootstrapping is this, but even worse: Boolean circuits are a very general model of computation, which gives even less to go on. And that's before we consider that they can be encrypted! @kwxm explained the problem of higher-order builtin costing to me at length - I would love to hear his opinion on the problem of costing something like programmable bootstrapping and what possible solutions could exist. In terms of having a benchmark, I believe this is a concern for a CIP, not a CSP. Indeed, I see this as a call to action towards getting us to the point where we know what we need to even do such a measurement. |
I see your point, and I do not have the answer (unfortunately). I know that costing is complex and the devil is in the details, and clearly your function I do not know yet how the interface of your linked library works, but if it is indeed similar to |
|
@perturbing - that is exactly my point. Hopefully @kwxm might be able to chime in and clarify the situation a bit better, as I'm not a costing expert. Edit: Also @perturbing - addressed your comment regarding Rust FFI. |
rphair
changed the title
rphair
added
State: Confirmed
rphair
changed the title
rphair
left a comment
rphair
left a comment
There was a problem hiding this comment.
@kozross this was considered a well researched production at the CIP meeting today and a good starting point for discussing how to include this in Cardano. There were some views that maybe homomorphic encryption would be better provided from elsewhere: and then there was a counter-argument of "why pass that business off to other chains & L2's when we might not have to?".
As already pointed out the main question is cost and we noted that @kwxm was already tagged - although if this is coming from/through Mlabs we also noted that the primary responsibility of providing a refined costing model & estimate should be from the proposer.
@kozross please continue to tag others who may be interested in the general features of this - I am no subject matter expert myself but think @effectfully @michaelpj could be interested & insightful about this.
Please in any case change the containing directory to CPS-0026 and update the "rendered" link in your original comment 🎉
|
@rphair - thanks for that! The 'L2 or not L2' question is precisely the difference between the 'non-native' approach and the other two, so I believe the CPS provides for both possibilities. I happen to agree that 'owning' the capability is better for a lot of reasons, but we expect the necessary research phase before any implementation choices to consider this more thoroughly. In terms of costing models and estimates - the standard process MLabs have experienced with all of the CIPs proposing builtins was that we specify the overall scaling (for example, 'linear in the first argument'), while the exact model is defined based on work once a PR of the new builtin(s) has been sent to Plutus Core. Obviously, if costing such a builtin is outright impossible, no amount of work on the proposer's part will help. This is one reason I want to hear what Kenneth has to say. Edit: Updated as per your request. |
|
@rphair - maybe this is noted somewhere, so sorry if I'm asking for a reiteration, but what is required for this PR to merge? I guess a better question is 'once a CPS reaches Confirmed state, what needs to happen for it to merge'? |
rphair
left a comment
rphair
left a comment
There was a problem hiding this comment.
@kozross the overall process goes as in this state diagram (terms defined in the section before it): generally with one biweekly interval required per state change on the shortest path to merge.
As I understand it, the only uncertainty about this CPS subject would apply to whatever CIPs develop from it, rather than the CPS itself: so I'm personally ready to sign off on it after some format nitpicks. Once the first editor green-ticks it, it can be marked Last Check which I think would suit the next CIP meeting in a week's time: https://hackmd.io/@cip-editors/128
For anything else that definitely should be added to the CPS before merge, I would follow @perturbing's technical opinion. Also I think we should wait until seeing at least a post from @kwxm about the efficiency issues as you yourself have requested.
|
@rphair - thanks for the clarification! I'm certainly in no rush: Kenneth told me recently he won't have time to respond to this for a little while yet, and I'd definitely like to hear from him. I'll make the requested edits. Edit: Done. |
4 participants
This CPS discusses what benefits having full homomorphic encryption (specifically TFHE) on Cardano would have, and what problems would have to be addressed to deal with it.
Rendered