How encrypted and private is the encrypted data in such systems?
When I looked at encrypted databases, the real ones, not the encrypted-at-rest databases, I read comments saying that the crypto was relatively too weak to have any use outside research. That it is a neat research topic, it will be great eventually, but it's not ready for production.
So I went with the classic and simple solution: encrypt with aes256gcm, and decrypt and re-encrypt if I manipulate the data.
Does a system like Cingulata offer encryption as strong as or better than aes256gcm?
Systems like Cingulata are true end-to-end encrypted systems. No data is decrypted at any point in the process.
All data manipulation and processing takes place on encrypted data, as opposed to the encrypted database you mentioned, which still decrypts its contents in memory prior to processing.
The reason homomorphic encryption is far from being ready for production is that all operations (e.g. all your algorithms and programs) need to be transformed into a virtual circuit that operates on ciphertext encrypted by a specific algorithm.
This is akin to translating your software into an inefficient byte code that's then dynamically executed by an obnoxiously slow interpreter.
The great part is that you can simply encrypt your data on a local (and trusted) machine, send the ciphertext into the cloud for indexed storage or processing, and do your queries or operations on encrypted data. At no point will your data ever be decrypted on the remote machine.
So there's great potential there w.r.t. privacy and cloud computing (and especially AI where training data is often the "magic sauce" that gives your company an edge over the competition) and SaaS.
All modern FHE is lattice-based, so pretty strong if you choose the right parameters. But of course if you don't choose secure parameters... well, it won't be secure :)
FHE encryption is bleeding edge crypto. You probably shouldn't use it in real systems with hard security requirements at all without input from experts.
You have formulas to calculate the security level given a threat model, so the compiler could in theory do it automatically. Just specify that you want 128 bits of security or whatever, and it will do the rest.
It's a separate project because our intention is to provide an easier/faster way to choose HE parameters than lwe-estimator. You need to provide only the multiplicative depth (or the circuit describing the computation, for example) and CinguParam will automatically generate the code snippet/parameter file for the HE scheme you want.
Also, as CinguParam contains a database of HE parameters, the actual parameter generation is much faster than using lwe-estimator.
There is a lot of work to be done on this project in order to automate parameter database updates, generate HE parameters more precisely using the circuit representation instead of the multiplicative depth, take into account HE library implementation details (RNS, NTT), etc.
Note that encrypted db stuff generally tries to use weaker notions of security in exchange for performance. Generally research revealed that it was even weaker than the authors thought. FHE is generally something different.
>Does a system like Cingulata offer encryption as strong as or better than aes256gcm?
One of the security guarantees of AES-GCM is non-malleability. Any attempt to modify the ciphertext is detected. This is the key reason why GCM is popular over older modes like CBC. In homomorphic encryption, the entire point is to be able to do arbitrary computations on ciphertexts without decrypting. So even theoretically it would be impossible for homomorphic encryption to give the same/better security properties as AES-GCM.
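An added example to make the two points above concrete (it is not code from the thread or from the Cingulata project): the earlier comment about computation happening on ciphertext that is never decrypted on the remote machine, and this comment about AES-GCM's non-malleability being exactly what a homomorphic scheme cannot offer. Two assumptions: textbook Paillier with small constructed primes stands in for a lattice-based FHE scheme (it is only additively homomorphic, but it shows the malleability point), and an encrypt-then-MAC construction built from SHA-256 and HMAC stands in for AES-256-GCM, because the Python standard library has no AES. Neither construction is production crypto; the function names and parameters are invented for the demo.

```python
"""Constructed demo: homomorphic malleability vs. authenticated encryption."""
import hashlib
import hmac
import math
import secrets

# ---- Part 1: toy homomorphic scheme (textbook Paillier, constructed parameters) ----
P, Q = 1000000007, 998244353          # small primes: demo only, trivially factorable
N = P * Q                             # public modulus; g = N + 1 is the generator
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # private key lambda
MU = pow(LAM, -1, N)                  # with g = N + 1, L(g^lam mod N^2) == lam


def he_encrypt(m: int) -> int:
    """Public-key encryption of an integer 0 <= m < N: c = g^m * r^N mod N^2."""
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:        # r must be a unit modulo N
        r = secrets.randbelow(N - 1) + 1
    return (pow(N + 1, m, N2) * pow(r, N, N2)) % N2


def he_decrypt(c: int) -> int:
    """Private-key decryption: L(c^lam mod N^2) * mu mod N, with L(x) = (x - 1) / N."""
    return (((pow(c, LAM, N2) - 1) // N) * MU) % N


def he_add(c1: int, c2: int) -> int:
    """The homomorphic property: multiplying ciphertexts adds the plaintexts mod N.
    The server evaluating this never sees a plaintext or the private key."""
    return (c1 * c2) % N2


def attacker_adds(c: int, delta: int) -> int:
    """An adversary holding only the public key shifts the hidden value by delta.
    The recipient cannot distinguish this from an honest computation: the same
    malleability that enables computation on ciphertexts defeats integrity."""
    return he_add(c, he_encrypt(delta))


# ---- Part 2: toy AEAD stand-in (encrypt-then-MAC over a hash keystream; NOT AES-GCM) ----
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with SHA-256 (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def aead_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Returns ciphertext || tag. The tag binds nonce and ciphertext."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def aead_decrypt(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Verifies the tag in constant time before releasing any plaintext."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch: ciphertext was modified")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tamper_detected(key: bytes, nonce: bytes, blob: bytes, byte_index: int) -> bool:
    """Flip one bit of the stored blob and report whether decryption rejects it."""
    flipped = bytearray(blob)
    flipped[byte_index] ^= 0x01
    try:
        aead_decrypt(key, nonce, bytes(flipped))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed scenario: a salary is encrypted client-side and stored remotely.
    c = he_encrypt(50_000)
    print("server-side add decrypts to", he_decrypt(he_add(c, he_encrypt(2_500))))
    print("attacker-shifted value decrypts to", he_decrypt(attacker_adds(c, 1_000_000)))
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    blob = aead_encrypt(key, nonce, b"salary=50000")
    print("AEAD rejects a one-bit change:", tamper_detected(key, nonce, blob, 0))
```

The contrast is the whole point: the homomorphic path cannot tell an honest `he_add` from `attacker_adds`, because both are the same group operation, while the authenticated path refuses to return any plaintext once a single bit of the stored blob has changed. Real FHE schemes are lattice-based rather than Paillier, but they share the property that a public-key holder can transform ciphertexts, which is why integrity of an outsourced computation has to come from somewhere other than the encryption itself.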
It's true that it's theoretically impossible, but you can get close by using verifiable computation protocols like Pinocchio to restrict the computations that the adversary can do. That is to say that before blindly accepting the result from the adversary and decrypting it, you first ensure that they performed the computation you specified beforehand.
...so if you're going to redo the computation you just sent off to the adversary in order to check that the adversary did the computation you wanted them to, why mess with outsourcing the computation at all?