Launch HN: Blyss (YC W23) – Homomorphic encryption as a service
Fully homomorphic encryption (FHE) enables computation on encrypted data. This is essentially the ultimate privacy guarantee - a server that does work for its users (like fetching emails, tweets, or search results), without ever knowing what its users are doing - who they talk to, who they follow, or even what they search for. Servers using FHE give you cryptographic proof that they aren’t spying on you.
Unfortunately, performing general computation using FHE is notoriously slow. We have focused on solving a simple, specific problem: retrieve an item from a key-value store, without revealing to the server which item was retrieved.
By focusing on retrievals, we achieve huge speedups that make Blyss practical for real-world applications: a password scanner like “Have I Been Pwned?” that checks your credentials against breaches, but never learns anything about your password (https://playground.blyss.dev/passwords), domain name servers that don’t get to see what domains you’re fetching (https://sprl.it/), and social apps that let you find out which of your contacts are already on the platform, without letting the service see your contacts (https://stackblitz.com/edit/blyss-private-contact-intersecti...).
Big companies (Apple, Google, Microsoft) are already using private retrieval: Chrome and Edge use this technology today to check URLs against blocklists of known phishing sites, and check user passwords against hacked credential dumps, without seeing any of the underlying URLs or passwords.
Blyss makes it easy for developers to use homomorphic encryption from a familiar, Firebase-like interface. You can create key-value data buckets, fill them with data, and then make cryptographically private retrievals. No entity, not even the Blyss service itself, can learn which items are retrieved from a Blyss bucket. We handle all the server infrastructure, and maintain robust open source JS clients, with the cryptography written in Rust and compiled to WebAssembly. We also have an open source server you can host yourself.
(Side note: a lot of what drew us to this problem is just how paradoxical the private retrieval guarantee sounds—it seems intuitively like it should be impossible to get data from a server without it learning what you retrieve! The basic idea of how this is actually possible is: the client encrypts a one-hot vector (all 0’s except a single 1) using homomorphic encryption, and the server is able to ‘multiply’ these by the database without learning anything about the underlying encrypted values. The dot product of the encrypted query and the database yields an encrypted result. The client decrypts this, and gets the database item it wanted. To the server, all the inputs and outputs stay completely opaque. We have a blog post explaining more, with pictures, that was on HN previously: https://news.ycombinator.com/item?id=32987155.)
Neil and I met eight years ago on the first day of freshman year of college; we’ve been best friends (and roommates!) since. We are privacy nerds—before Blyss, I worked at Yubico, and Neil worked at Apple. I’ve had an academic interest in homomorphic encryption for years, but it became a practical interest when a private Wikipedia demo I posted on HN (https://news.ycombinator.com/item?id=31668814) became popular, and people start...
79 comments
[ 5.8 ms ] story [ 155 ms ] threadIn your landing page example, where does the secret client key fit in?
And how is the data that was initially written encrypted/decrypted? who holds the key for that?
And this depends on the application - for example, for the private password checker, all the dumped passwords data is from a public dataset, so its not encrypted. In messaging, the data would be encrypted under the intended recipient's public key.
Isn't this perfect for mostly criminals and all the bad actors?
Is there anything you're going to do about these people using your service?
While talking about a crime is illegal, it is the person(s) talking about the crime that are criminals, not the letter it is written on.
The businesses using Blyss want to perform tasks (like scanning for breached credentials) without seeing sensitive customer data. Even the US government's civilian cybersecurity agency, CISA, recommends that you use end-to-end encrypted solutions for credential vaults (https://www.cisa.gov/news-events/cybersecurity-advisories/aa... Blyss is an added layer for these services, protecting even access metadata.
Private retrieval is a more general concept, which refers to retrieving data from a server without letting it learn your access pattern. In a specific application, it's easier to see the contrast: for example, in our password checker (https://playground.blyss.dev/passwords), the data that Blyss helps keep encrypted, and prevents the server from learning, is which password you are checking. With standard E2EE techniques, it would not really possible to keep your query private.
In messaging, Blyss can be used to build messaging services that not only do not learn what you say (the standard E2EE guarantee), but also do not learn who you talk to. We're working on this, but it's a tricky thing to ship.
(A couple years ago this was more like minutes, and about 10 years ago it would have taken hours!)
Have you thought about making some ELI5 explainer on how the algo essentially works?
The post you link to is already a great start, I feel like it’s just a question of a little editing work and maybe more examples
— for the nerds to get interested and actually read the paper
— for the users to understand privacy properties better (eg why this is better than TLS in case of a server infected with malware, etc
— and also things which it doesn’t do, which would calm anxiety in those who /need/ to understand the limitations to feel safe
— and to keep devs from thinking it’s a magic pixie dust and over-promising users, only to get hacked
I'm working on a higher-level "why/how to use this" blog post that should help. Thanks for the suggestions!
Aside from the Apple and Googles of the world, how do you convince engineers and their managers that your solution solves a problem? Sure privacy is nice, but most consumers either don't think about it or simply assume it isn't private no matter what you tell them.
As I was able to gather it's like, you send them a camera which can only hold one picture.
Then they use this camera to scan every document they have. The trick is that this camera will only save the picture, without revealing them which one, of the record you are interested in.
When they finish scanning all the documents, they send you back the camera which now has a single picture of the document you wanted, and than only you can access.
From a hardware perspective, NTT can be done in parallel, but has a fairly large working set of data (~512 MB) with lots of unstructured accesses. This is too big to fit in even the largest CPU L3 caches, so DRAM bandwidth is still relevant. It may be eventually be feasible to build an ASIC with this much on-chip memory, but in the meantime, GPUs do a pretty decent job with their massive HBM bandwidth.
I'm kidding... for a while I wanted to make a game named "blyss". I own the blyss.io domain name. I'll sell it to you if you want!
We are trying to avoid the "ECB Penguin", of course: https://crypto.stackexchange.com/questions/14487/can-someone...
In other cases, for the same compliance and data security reasons behind the desire for on-prem, larger enterprises prefer that their SaaS vendors collect as little data about them as possible. Blyss can get you the best of both worlds: the data security of on-prem, with the convenience and ease-of-deployment of SaaS.
Question: Have you considered using zk-STARKs for succinct proofs of computation? Or would that be too far off target wrt. being good at one thing?
E.g. https://github.com/TritonVM
There is a cool company trying to instead use FHE to accelerate SNARKs: https://github.com/Sunscreen-tech/Sunscreen. They seem to be making some headway!
Or do a git clone (pinned to commit hash) and host the client locally, I guess))
We'd also love to bind our client JS code to a hash of our build output from GitHub, but as of now there's no simple way to do this that the browser will pin automatically - integrity checks are good, but don't prevent the server from just changing the hash. We've toyed with writing an extension for this, but haven't gotten around to it.
UPD yeah, extension hashing resources sounds nice too
Usually, when I have an idea for a standard, it turns out one exists, so maybe I’ll do some digging…
OpenAI's GPT-4 announcement, Google announcing AI for Workspace, Meta additional 10k layoffs, and now we're seeing homomorphic encryption come out to the masses.
All in one day!
one important feature I see missing is that one cannot run queries with comparisons, such as "give me any message sent between 2022-10-10 and 2023-02-01". This would be very important when one doesn't have all the keys, or when the keys are too many, like in the messages example above.
Any idea for this kind of scenario?
The Bloom filter is also served over Blyss, so the server still learns nothing about which keys you're interested in. We implemented this system for our private password checker, which tests passwords against almost a billion breached credentials: https://playground.blyss.dev/passwords
If my application wants to retrieve data within a certain range (< and > operators) is there anything I can do to implement it on top of you SDK?
Think of the encrypted messages app: how can I retrieve this month's messages using your SDK?
I hope this clearer now...
The simple way to efficiently do this kind of check would be to store an index of keys (perhaps chunk them into buckets, like 0-10, 10-20, etc), and then privately retrieve the individual items. Retrievals are fast, especially when batched, so if the ultimate number of items you’re trying to retrieve is not too large, this can work.
If you want to chat more about range queries, feel free to email us (founders @ blyss.dev)
A generic functionality that would adapt to all situations would be nicer. Maybe Blyss could offer some libraries for that?
When your bitwarden vault is not opened, if you log in to website, the extension will ask if you want to store the password, even if your vault already has an entry for that website. Of course, this is by design so that bitwarden doesn't store websites you have credentials for in plaintext (unlike lastpass and it blew up in their face).
Would this allow your browser to query a database of "domains i have a password for" without a leak on bitwarden's server exposing this exact database? There are other implementation details but you get the idea.
Currently, what are your plans related to security audit both in terms of structuring it and context to you it would make sense?
[1] https://www.trailofbits.com/
https://www.usenix.org/conference/usenix-security-11/pir-tor...
What potential legal or ethical issues do you see with access via Tor onion service?
Would love to share notes if you're up for it!