Thank you, everyone. So I'm very lucky to speak right after a great presenter from NIST, because I think it dovetails extremely well with what we've just heard. So I'd like to tell you about our homomorphic encryption standardization effort, our community that we've built over the last two years. It's excellent timing, because we actually just had our fourth standardization workshop yesterday at Intel in Santa Clara, co-located with USENIX, and I'll tell you a little bit more about that.

If there's one thing that you can remember or take away from this talk, it is that we actually have published a draft standard for homomorphic encryption, which was approved by our community about a year ago, last November. And not only has it been available online, and people tell us that they use it, and there have been a lot of references, but I actually just put it on ePrint. So it's just appearing on ePrint, like, today, so you can access it.

So another key piece of information that you should know about our community is that it's very open. So you're all welcome. You can go to the website, it's homomorphicencryption.org, and you can add yourself to the mailing list. So we actually try to keep the traffic very low on the mailing list.
It pertains primarily just to our standardization organizing efforts, so you don't have to worry, if you join, that you'll be inundated, because there are many working groups or sub-mailing lists that you can also join for specific topics. But the main one is standards@homomorphicencryption.org. We have more than 300 people on our mailing list now, so it's a growing community.

So the main organizers of this effort started at Microsoft Research, with my team collaborating with Microsoft Research Outreach. So the people that have been co-organizers for all the workshops so far are Kim Laine from the Cryptography group, a researcher on my team, myself and Roy, and Kim has done the lion's share of the work, especially in the recent workshop yesterday. And the second, third and fourth workshops have been co-organized with Duality Technologies, so Kurt Rohloff and Yuriy Polyakov. But we've had co-organizers from a number of different institutions in the four different workshops. So for example, Lily Chen from NIST was a co-organizer of the first one. Jung Hee Cheon was a co-organizer of the first one also. The second one was hosted by Vinod Vaikuntanathan at MIT, and he was a co-organizer for the first three workshops. Glenn Gulak at Toronto, Casimir Wierzynski at Intel and Juan Troncoso from EPFL. So you can see a wide range of people and institutions are represented in the actual formal organizing committee.

But we've had a great deal of input from all different directions, both researchers and companies, in our effort. So for one thing, I put a partial list of kind of government agencies and standardization bodies who have been involved, being at panels or giving short presentations. So certainly NIST was represented at all three of the first three. Unfortunately for our timing, with the NIST workshop happening this weekend,
Lily was not able to attend yesterday. But NIH participated in the first three workshops. NSA has been represented, I think, in the first three. NSF, the Canadian Security Establishment; Canadian ministries such as the Ministry of Health asked to be invited to the one in Toronto, for example. The Korean Credit Bureau came to the one at MIT, and representatives from the UN ITU working group. So we've had a lot of interest from both, you know, standardizing bodies and government agencies. And people at NSA have actually told us that having our state standard available online has been extremely useful to them, because they can pass around this document internally in the classified environment and reason about the status quo and this and the status.

So this was the first workshop, so this is how we kind of got this effort off the ground. I mean, honestly, we had been talking about it for a couple of years with people including Kurt at Duality and Shai Halevi at IBM and Vinod Vaikuntanathan at MIT. And the way that we actually got it off the ground is Microsoft funded it. Microsoft Outreach brought 36 people to campus. It was invitation only. It was three groups of 12, and it was not a junket. It was a working conference. It was basically two days in which, in groups of 12, we wrote three white papers. We actually wrote them in two days, and that was possible because we're bringing experts in this area together and setting the expectation that we wanted to get something done, and we just worked really hard. And so within about two weeks of the workshop, we kind of threatened everyone: we're putting these white papers online. So if you want to make comments, if you want to make changes, you know, they're just white papers, right?
So, you know, we're trying to be bullies. But we just wanted to make sure that there were some concrete outcomes. And so these white papers went online almost immediately, and the way it was divided was one working group focused on security, one focused on APIs and one focused on applications.

And so what we did was, we kind of decided on the next workshop. So the next workshop was at MIT in March of 2018, so it was, you know, roughly nine months later. And what we had kind of decided at the first workshop was that, we discussed a lot of different paths to standardization, and since we had many of the relevant people in the room. There were many other experts in homomorphic encryption who had also been invited but who couldn't come, and we also wanted to capture their input as well. So that's when we decided to create the website, create the mailing list and try to make it an open community and solicit input from as many people as possible. And we decided, among the standardization efforts open to us, the only one that we can control is to create our own kind of essentially de facto standard. Basically it's like an industry consortium.

So our group, homomorphicencryption.org, currently has no governance. It's a completely open volunteer effort, and so that has really good parts to it, being, you know, anybody can join, anybody can contribute. We asked for volunteers at every meeting. People step up and volunteer to help with different things: preparing documents, giving presentations, all kinds of things.
So that's great. But we don't have the structure that a standardization body has or a government agency has. So whatever we create, nothing is binding. It's only, you know, the recommendations that people and the community can see that, you know, there's a consortium of people that have created this document. On the other hand, on the flip side, because it's very open and collaborative, we've had really great participation from companies actually around the world, and industry participation has been kind of skyrocketing meeting after meeting. And so, you know, I think that it's an attractive venue for people to come to learn about homomorphic encryption, so engineers, and they, you know, can ask questions about things like interoperability or certification, accreditation, that type of stuff. And it's also been, honestly, a place where people can come who are looking for jobs, and students come, and we always have a very active poster session. There's a number of students that have gotten hired through connections that they've made at these workshops. So it really functions as a community on a lot of different levels.

So the draft standard that came out of the first workshop, let me tell you how we kind of decided how to proceed. So we had these three tracks, security, APIs and applications, and we kind of said to ourselves, well, nothing can happen without people having confidence in the underlying mathematics and underlying hard problem. And of all the libraries that exist in the world for public key, for homomorphic encryption, they were all based on RLWE, the ring learning with errors problem, which is related to hard lattice problems. And so we decided to actually standardize the kind of hard, you know, math problem underneath the current versions of homomorphic encryption and really try to set the parameters to achieve certain security levels. So that was our goal, because we
figured, first of all, that takes time. Once we kind of collect the community's, you know, knowledge about security levels for lattice-based cryptography, and we translate them, through a lot of concrete work that a lot of different computational number theorists have done, once we translate that into concrete parameters that we propose, those become kind of de facto challenges. So our standard is out there; anyone can attack any one of those rows in our table. And so now, since we've put this out, you know, a year ago, we can stand behind this and let the community think about, you know, attacking these and get used to: these are the levels that we stand behind, these are the security levels that we think we're achieving with these parameters. And then, so now where we're going is, how do you build on that?

So let me tell you a little bit about, okay, so this was the MIT workshop in March 2018, where we approved the draft standard. We actually asked for co-signers at the meeting, so there's actually 16 co-authors on the document and there were more than 50 co-signers, so we have like more than 65 co-signers of our standard. And then, actually, after that, I was able to like twist everyone's arm to get the white papers out within two weeks after the first workshop, but I wasn't able to twist everyone's arm to give their input on the standard before the March meeting. And so what we did was we collected quite a lot of input after the second workshop, and we incorporated that into the draft that's now available online, that became kind of public in November 2018. So at the Toronto workshop we approved the changes that had been made since the March workshop, and we kind of planned for future versions.

And so what was very exciting is that yesterday in Santa Clara our fourth workshop was hosted by Intel. So in the meantime, you know, based on the SEAL library, so I haven't said much about individual libraries yet, but my team at
Microsoft Research has built and released the SEAL homomorphic encryption library. It's available open source under the MIT license, so it's available for commercial use. In particular, Intel has built on this, and they're using this as the engine for their nGraph, which is like machine learning, like deep learning predictions. And there's a number of other companies that have started to either use it or write press releases or experiment with it. So Intel's kind of partnership on this was really great, to see them step up and say that they wanted to host this workshop at Intel, and it was co-located with USENIX Security, which was in Santa Clara last week.

And so in each of these workshops, the second, third and fourth workshops, we've had about 70 participants. And it's worth taking note of that, because, as I said, the first one, when we kick-started this effort, we invited everyone to Microsoft, to Redmond, and paid for everyone to come, everyone who could accept payment. Every workshop since then, there's been no funding for travel. Every participant has paid for their own travel to come to these workshops, and we've had about 70 people at each one. And another thing that was really remarkable about yesterday's workshop is that there were actually more than 19 or more companies that were there, which was an increase over previous ones.

So what did we do yesterday? We kind of reviewed possible extensions to the security standard. We discussed the next steps for kind of standardizing the schemes, the homomorphic encryption schemes that are used for the different libraries. There's about four different schemes, all based on the hardness of RLWE, which is related to hard lattice problems. And we also discussed a governance proposal, possibly formalizing our community a little bit more, and some other issues. One of the big issues always at each workshop is: where is the next one going to be?
And so we actually have three proposals, teams wanting to host the next one, which is also a great sign that there's a lot of support and interest in being involved in this community. So Seoul National University and Samsung are very interested in hosting this in Korea, and we think we can connect with a lot of Asian companies and, you know, possibly regulators as well. And we have a proposal from EPFL and a startup called Inpher to host it in Switzerland, possibly co-located with the UN ITU AI for Good summit that they're having in May. This would be right before Eurocrypt. So we have a couple of possible next steps for the next workshop. There's still a lot of work to be done, so we plan to continue kind of having these workshops on this cadence.

So, I mean, just a couple of notes that I put up here. This was the Toronto workshop. You know, as you could kind of hear in the previous talk, I mean, open standards in cryptography are kind of preferable, because since cryptography is inherently secret, I mean, somehow the community in the public needs to understand whether they should trust some new crypto that's coming along. And so we feel that open standards are really preferable, and the standardization process creates trust. It's currently creating trust between many of us in our community, between companies and government agencies and researchers. But also a lot of regulated industries require standardization, and they will eventually require some kind of certification process. So that's what we're aiming for in the longer term, like, let's say, in the ten-year time frame.

So what I wanted to do is to just tell you a little bit about the resources for you to get involved if you're interested. So these are kind of important points, so I put this up front. So if you go to the homomorphicencryption.org website, what will you find there?
You can find, like, links to all of the workshops, links to the white paper, links to the standards. So those are really important, but there's also other things like, you know, lists of all the publicly available libraries, news and events, things like that. So you can actually send any comments on the website or whatever to this email contact, or if you want to volunteer or just ask a question or whatever, you can send us email. You can opt in or out of the news channel or other channels that we have, and we also have a Twitter handle. So for example, from yesterday's workshop we have a ton of tweets online covering, you know, what content was being presented, and pictures and stuff.

So just to kind of give you an idea, for those of you that are not really familiar, there are a number of publicly available homomorphic encryption libraries in the world, and it has evolved quite fast in the last five years or so. So the first one that was publicly available is from IBM, HElib. So Shai Halevi and his collaborators, and Shai has been a major contributor and collaborator for this series of workshops. It was widely used by researchers and based on the BGV scheme. Starting in 2015, Microsoft SEAL has been publicly available for research, and as of 2018 it's released under the open source license, the MIT license, for commercial use as well. SEAL is designed to be a very robust, well engineered and well documented library that's intended for commercial use, and we've gotten a lot of good feedback on it over time. There are a number of other libraries, such as NFLlib, that was developed at CryptoExperts. Tancrède had to step out, I think, but Tancrède worked on that. PALISADE, from 2017 on, has been developed, I think, with funding from a DARPA grant. So Yuriy Polyakov and Kurt Rohloff are major developers for that. There's a GPU library coming out of Worcester Polytechnic.
It's cuHE; I'm not sure if I'm pronouncing that right. There's the library coming out of Seoul National University, HEAAN, which supports approximate arithmetic. That's been available since 2017. And then there's also a slightly different approach, which is based on kind of bootstrapping after every gate: the FHEW scheme and library that came out in 2015 from Daniele Micciancio and Léo Ducas. And now TFHE is in a sense an extension of that work. TFHE has been available since 2017, and the Inpher team, which has been developing TFHE, has been represented at our workshop. So Mariya and Nicolas and Dimitar were all there yesterday. So we found out about one more library yesterday that I didn't know about: Lattigo is now being developed at EPFL for a specific application that they're trying to do in the medical sector, and that was very interesting to hear about.

So as I said, to begin with, these are our principles: we wanted to standardize the security first, sorry about that, and then to move on to APIs and applications. And so we're basically on step two now, step two and three. And we've stuck with our original principles of kind of open participation, communication. We send out emails via the mailing list, for example when the draft standard is ready or when we want to start a new working group to work on some particular project. Emails go out saying: who would like to volunteer, or could you please give your input, or this will be voted on at the next workshop, can you please send comments by such and such a time?
So that's kind of how it works, and then approval is done usually by things like a show of hands and stuff at the workshops.

So one thing I want to make sure to do is to just show you a couple of the pages from the document. And like I said, the history of the document was that at the first workshop we decided that we would just create this de facto standard and circulate it and get feedback and then approve it. And like I said, we got a lot of input in the meantime from people other than the first 12 authors, so there's 16 co-authors on the document. So this is just the first page of the document. It's called the Homomorphic Encryption Standard. It's HES, or HES 1.0 in a sense. It's the first version. We expect this to evolve over time. So we also wanted to set the expectation that we're choosing our security parameters very conservatively, based on currently known estimates for attacks. We expect, of course, attacks to evolve a little bit over time. Unless we get an incredibly disruptive new attack, we expect these parameters to be safe for quite a while, and we could potentially, if needed, modify them slightly, like gradually over time. So that would be the plan in the absence of a disruptive attack on lattice problems, and so we tried to kind of set that expectation. We also have post-quantum security for these lattice problems, and we've actually officially asked NIST if, as part of the PQC process, we could potentially standardize a larger range of parameters that allow for homomorphic encryption, instead of just the smaller parameters that you would use for key exchange. So we'll see what I mean by that when I go to this slide.

Okay, so, sorry, this is just the first table in the end of the document. Sorry for all the numbers here. But if you just look at, for example, the first line. So what's happening here is we have three different tables depending on how you choose the secret for your encryption, and here the most obviously secure approach is to choose the
secret vector uniformly at random. So this is the uniform secret table. That's why it says uniform in the upper left corner; that's the distribution for the secret. And then the minimum lattice dimension that you would do anything with for homomorphic encryption is 1024. So the first line is: if you want to use a 1024-bit lattice, a 1024-dimensional lattice, and you want to have a security level of 128 bits, then you should choose your modulus, your log Q should be no more than 29 bits.

So what that means is that in practice you're going to have some homomorphic computation that you want to do. The way homomorphic encryption works is that once you start computing on ciphertexts, the error grows and the plaintext grows, and so what happens is that there's a limit to how much computation you can do without refreshing in some way. And so what'll happen is, from an implementer's point of view, if they want to do some concrete task, they'll look and see: oh, what's the task that I want to do? How big is my data? How big of basically a kind of a coefficient modulus Q do I need?
And so what you would then do is to kind of look at this column here, and you'd go kind of down this column until you hit the Q that you need. Like, you need a Q that's at least so large, but these are saying for these rows Q can be no larger than these values. So then let's say you think you need, you know, like a 440-bit Q or 400-bit Q or something. So you would go down to this row of the table and you would say, oh, okay, this Q, that'll be large enough for me, and if I want 128-bit security, that means I need to use lattice dimension which is 16K. And the largest one that we have in the tables today is 32K. One thing we discussed yesterday is adding some rows here to allow for even bigger lattice dimension. But with 32K, by and large, we think that you can do bootstrapping with 32K bits. And so initially we thought that 32, I'm sorry, 32,000 dimension, and so we thought that that might be sufficient. But there are various implementers asking for a little bit more room to do more, so we'll probably add more rows to this table.

So that kind of should give you an idea that it's a longish document, like 30 plus pages, and it has two sections.
It has a section which is just giving basics of the schemes, the BGV and the BFV schemes, and pointing to some alternatives such as GSW. But then the primary content of the document is describing all the known attacks on lattice problems and describing both our methodology and our reasoning as to which, you know, parameter choices we wanted to standardize and stand behind. So for example, all the homomorphic encryption schemes that are used today are using ring LWE, and so we only standardized 2-power cyclotomic rings, because we have better attacks on other types of rings, including general cyclotomics. And in my experience, when you already have kind of new or devastating attacks for some types of choices, those attacks will only improve over time. And so we stayed away from any parameter choices that we thought would be kind of risky. So we only standardized 2-power cyclotomic rings. We have, you know, guidance on how to choose the error distribution for homomorphic encryption. We give our rationale for what cost models we use for modeling the cost of the different attacks. So we have a lot of explanations of that nature in the second half of the document, before the tables.

Okay, so now that our standard is public and online, and now it will even be on ePrint as of today, the next steps are, we have quite a few issues. So like I said, yesterday we had a discussion about whether we want to have a more formal structure of steering committee and working groups, because right now it's all volunteer, all very ad hoc, basically run by the organizers that I listed on the first slide, in consultation with other advisors that have been heavily involved in the workshops, and through sending out emails on the mailing list. There are, of course, people have brought up IPR issues.
So right now, there's no IPR policy in our community. We do not have anything stating we request people disclose their patents. So participation in this, it's a good and a bad. I mean, every company that's participating there, they can participate without being required to disclose their patents. And also no company is actually contributing anything to the standard. The standard itself, it's just an academic document so far that's collecting knowledge. But once we move into the schemes and optimal versions, you know, of implementations of the schemes, and also into the applications, there's also a potential there to run into patent issues. So IPR is definitely an issue that is on the table, that we're talking about how it should be handled.

We want to have actually individual white papers describing each of the main schemes, instead of the current, you know, very minimal specification that's in the first document. So there's going to be separate working groups for BGV, BFV, CKKS and TFHE, and we're going to try to have some kind of uniformity in terms of the level of exposition and what's included in those different specifications. We feel that those will be very important for going, for example, to propose a standardization effort at IETF. They would most likely want to standardize the schemes, and so we want to have very good descriptions of the schemes written.

And so we're just starting on the applications track, trying to formalize that. So yesterday Juan Troncoso from EPFL presented the work that they did building on their MedCo projects.
So in Switzerland they have brought together a consortium of seven Swiss hospitals that are using a protocol that they designed, which includes homomorphic encryption as one of the building blocks, and which they had implemented and deployed and kind of learned from. And so they did the exercise, Juan presented yesterday, I think it's not quite public yet, of translating their technical paper into an RFC kind of a document. So a protocol; it's like a draft standard of a protocol for using homomorphic encryption for a purpose in the medical sector. And so we're really pleased, because that's the first example of an application being built on top of our standard.

There's been a couple of other instances where our standard has been referred to and used in the ongoing iDASH competitions, which are funded by NIH. So NIH has been funding for more than five years a group of academics and researchers at UCSD and UT Health in Houston and Indiana to run a competition every year. It's called the secure genome analysis competition, and they put out data sets of genomic data and they create challenges, and they say, here's the homomorphic encryption challenge for this year. And last year they actually referred to our standard, asking for everyone to comply with the standard and use 128-bit security for their solution. So that was a nice way to bring all the solutions, these are teams from all over the world, and bring them all together to some kind of common foundation.
So that's another way that our standard is already used. There's a couple of other issues that are definitely things that we're going to probably struggle with over time, which are things like interoperability of libraries and certification or accreditation of libraries and solutions. A lot of the engineers from different companies in the room yesterday were repeatedly bringing up these questions.

And so then, you know, just as a review of kind of the way we're thinking about standardization: there's a lot of paths to standardization. We started with just essentially a consortium, you know, an open industry consortium, and we feel like we've made a lot of progress. We're really happy. I mean, we also really enjoy our community. It's a great community. But the whole goal was to have other agencies and other standardizing bodies build on this standard. And we're in the process of thinking about how do we go and propose, you know, starting with maybe a birds of a feather session at an IETF meeting, joining one of the working groups at the UN ITU, working together with NIST.
I mean, Daniel was at our third workshop, and I mentioned Lily had co-organized our first, and Dustin Moody is a co-author on this document. So we'd really love to work together with NIST. We feel that it also overlaps with the ongoing PQC competition, since we're trying to standardize lattice problems, which are the same lattice problems that are used for key exchange. There are several differences in terms of parameter size and error distribution, but by and large it fits very well with the current PQC process for NIST, and it's also a big incentive for companies that are thinking about having to transition to post-quantum solutions anyway, to have that homomorphic encryption option on the table. So we have kind of a lot of different options, and I'm hoping that we'll continue to work with some of the specific communities, such as the medical community, NIH, that we've partnered with so far, and also things like the financial services.

So in conclusion, I'd like to say that one thing that's been really important for us in this area of homomorphic encryption is talent development. So we're really lucky at Microsoft Research. We have an awesome intern program, so we have many, many interns every summer. But it's hard to bring in PhD students who already have a lot of expertise in both cryptography and applications that we're working on, such as machine learning and all kinds of things. So we're starting something new. We're gonna try this December: we're doing a private AI boot camp, and we're actually intending to bring 30 PhD students from around the country who are in any area.
They don't have to be crypto researchers. So this could be PhD students that are primarily focusing on machine learning or privacy or security or whatever. And so we're gonna try to have tutorials on how to use SEAL, tutorials on privacy-preserving machine learning, a lot of different aspects of this. So the application deadline is September 5th. I realize it's a shameless advertisement, but on the other hand it's a good opportunity to connect several different threads here, and that is, you know, the talent pool development, which is necessary for all of us for advanced crypto, and also being very interdisciplinary about it, not just being crypto researchers in isolation, but rather crypto and security researchers that can reason across boundaries and collaborate on interdisciplinary projects. So we feel this is very important, and it also feeds very well into our standardization effort and our attempt to create, you know, like the title of this workshop, advanced crypto standards. So thank you very much for listening. We only have about five minutes for questions, but I appreciate your attention. Thank you very much.

I guess one of the things that we've found most challenging in the ZK proof effort is kind of this idea of benchmarking different constructions. And I'm wondering, like, what is the way that you're putting this out to the community? What are the ways to, like, benchmark apples to apples, really, right, between protocols? And I guess the iDASH competition comes in a bit in there.

Yes, so that's an excellent question.
So the iDASH, we almost feel like we've been kind of partnering with the iDASH organizers and competition over the last couple of years, because they really have been playing that role for the last five years. The iDASH competition, the HE track, has produced benchmark numbers for it, and these aren't just, like, homomorphic encryption raw performance numbers. These are numbers that show how it performs in a given environment. The only thing that's a little bit hard to kind of pick apart or decipher is that each team will come up with a solution to the challenge, and these solutions can be different. So it's still not necessarily apples to apples when somebody's chosen, like, a machine learning model that, you know, converges faster or needs less precision or something like that. But still, that's a set of like five years of tasks where there are benchmark numbers available online, and the papers from those workshops have been published like in nature genomics and other, you know, top journals. So that's one answer, the iDASH performance numbers.

So interestingly, I don't think that we have necessarily publicly available performance numbers for each one of these libraries, you know, on the website. But that being said, there are a lot of scientific papers that the authors of these libraries have published giving performance numbers. Another example of where you see, like, concrete benchmarks is that, so in 2016 my team published a paper called CryptoNets in ICML, which shows evaluating deep neural nets on homomorphically encrypted data. And this was, you know, three years ago; it was fairly surprising at the time that we could do predictions on homomorphically encrypted data.
These are very, very deep circuits. But what has happened since then is an explosion of research in the area. So yesterday Jung Hee Cheon presented a table with like 10 different papers that have been published since then from different groups using different libraries, you know, basically extending CryptoNets, doing deep net evaluation of neural nets and giving performance numbers. So you could see on his table the throughput and the latency for each one of the solutions, and they come from papers like CCS last year, Crypto last year, like all the top conferences and stuff. So that's another example where we do have benchmarks, but not for the raw performance numbers, but rather for the application. I don't know if that answers your question.