Oh hey, this is something I've actually done some real work on!<p>> Just try converting that into a circuit<p>Hmm. I think this article is a little behind the times. Loops are not a problem with homomorphic encryption, as we can create circuits that work exactly like a transistor-based CPU.<p>In fact, I've got an implementation of one that I've been working on here: <a href="https://github.com/mmastrac/oblivious-cpu" rel="nofollow">https://github.com/mmastrac/oblivious-cpu</a><p>The trick to making this work is that you may not know how long the computation is going to take, so you need to either add a set number of iterations to run (i.e., clock cycles), or send back encrypted updates as you run to give your trusted computer a chance to determine when the calculation has finished.
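Added example (not part of the comment above and not code from the linked oblivious-cpu project): a plaintext model of the fixed-cycle idea, in which a loop runs on a branch-free CPU for a set number of clock cycles and carries a halted flag that the trusted side would decrypt to see whether it finished. The instruction set, `run_cycles` and the sample program are assumptions made for illustration, and plain integers stand in for ciphertexts.

```python
# Plaintext stand-in for an oblivious CPU: ints play the role of ciphertexts.
LOAD, ADD, SUB, STORE, JNZ, HALT = range(6)

def eq(a, b):
    # Stand-in for an equality circuit that outputs an encrypted 0/1 bit.
    return int(a == b)

def mux(sel, a, b):
    # Branch-free select: a when sel == 1, b when sel == 0.
    return sel * a + (1 - sel) * b

def select(table, index):
    # Oblivious lookup: touches every entry, so the access pattern is fixed.
    return sum(eq(index, i) * v for i, v in enumerate(table))

def step(prog, mem, pc, acc, halted):
    op = select([o for o, _ in prog], pc)
    arg = select([a for _, a in prog], pc)
    operand = select(mem, arg)
    # Compute every possible result, then keep one using the opcode bits.
    new_acc = (eq(op, LOAD) * operand
               + eq(op, ADD) * ((acc + operand) % 256)
               + eq(op, SUB) * ((acc - operand) % 256)
               + (eq(op, STORE) + eq(op, JNZ) + eq(op, HALT)) * acc)
    taken = eq(op, JNZ) * (1 - eq(acc, 0))
    new_pc = mux(taken, arg, pc + 1)
    # Sticky halt bit: once set, every state update below is a no-op.
    halted = halted + (1 - halted) * eq(op, HALT)
    live = 1 - halted
    write = live * eq(op, STORE)
    mem = [mux(write * eq(arg, j), acc, cell) for j, cell in enumerate(mem)]
    return mem, mux(live, new_pc, pc), mux(live, new_acc, acc), halted

def run_cycles(prog, mem, cycles):
    pc = acc = halted = 0
    for _ in range(cycles):  # fixed count, independent of the data
        mem, pc, acc, halted = step(prog, mem, pc, acc, halted)
    return mem, acc, halted

# Constructed sample: multiply mem[0] by mem[1] into mem[2] by repeated addition.
PROGRAM = [(LOAD, 2), (ADD, 1), (STORE, 2), (LOAD, 0),
           (SUB, 3), (STORE, 0), (JNZ, 0), (HALT, 0)]
MEMORY = [6, 7, 0, 1]  # counter, addend, result, constant one
```

With too few cycles the halted flag comes back 0 and the result cell holds a partial sum; extra cycles after the halt leave the state unchanged.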
One limitation of homomorphic encryption, as far as I can see, is that there is no way for the encrypted program to <i>choose</i> to communicate some data in the clear.<p>Which means it can't be used to allow an untrusted party to run your encrypted server, and have the server communicate with parties that it doesn't trust. Which is what most servers do. Unless I'm mistaken, or there has been an advance?
This is a very interesting read, highly recommend! I'm currently reading the excellent book Cryptography Engineering [1] and this article definitely adds to my newborn interest in cryptography!<p>[1] <a href="https://www.schneier.com/books/cryptography_engineering/" rel="nofollow">https://www.schneier.com/books/cryptography_engineering/</a>