Homomorphically Encrypting CRDTs

125 jakelazaroff 31 6/18/2025, 12:59:58 PM jakelazaroff.com ↗

Comments (31)

plopilop · 3h ago

As the article mentions, fully homomorphic encryption is insanely slow and inefficient. But I have to say that it is a relatively new field (the first FHE scheme was discovered in 2009), and that the field has immensely progressed over the last decade and a half.

The first FHE scheme required keys of several TB/PB, bootstrapping (an operation that is pivotal in FHE schemes, when too many multiplications are computed) would take thousands of hours. We are now down to keys of "only" 30 MB, and bootstrapping in less than 0.1 second.

Hopefully progress will continue and FHE will become more practical.

westurner · 2h ago

Should students trust and run FHE encrypted WASM or JS grading code that contains the answers on their own Chromebooks; for example with JupyterLite and ottergrader?

On code signing and the SETI@home screensaver

6r17 · 3h ago

CRDTs are also crazy slow due to their architecture ; even the best alg out there are costly by design ; so adding homomorphic encryption is even more of a challenge ; tough it really is impressing I'm curious if this can be usable at all;

edit so i bring some "proof" of my claim: from this very page : `To calculate the new map, the server must go through and merge every single key. After that, it needs to transfer the full map to each peer — because remember, as far as it knows, the entire map is different.`

jason_oster · 1h ago

CRDTs are not inherently “crazy slow”. Researchers just don’t succumb to the appeal of premature optimization.

See: https://josephg.com/blog/crdts-go-brrr/

(And even these optimizations are nascent. It can still get so much better.)

The section you quoted describes an effect of homomorphic encryption alone.

There is the problem that both CRDTs and encryption add some overhead, and the overhead is additive when use together. But I can’t tell if that is the point you are trying to make.

hansvm · 11m ago

> additive

The overhead is usually multiplicative per-item. Let's say you're doing N things. CRDTs make that O(Nk) for some scaling factor k, and adding encryption makes it O(Nkj) for some scaling factor j.

Give or take some multiplicative log (or worse) factors depending on the implementation.

motorest · 53m ago

> CRDTs are also crazy slow due to their architecture ;

You must back up your extraordinary claim with some extraordinary evidence. There is nothing inherently slow in CRDTs.

Also, applying changes is hardly on anyone's hot path.

The only instance where I saw anyone complaining about CRDT performance, it turned out to be from very naive implementations that tried to spam changes with overly chatty implementations. If you come up with any code that requires a full HTTPS connection to send a single character down the wire, the problem is not the algorithm.

__MatrixMan__ · 2h ago

Is it the CRDT that's slow there, or is the problem that they've made it one party's job to update everybody?

By having a server in the mix it feels like we're forcing a hub/spoke model on something that wants to be a partial mesh. Not surprising that the hub is stressed out.

Asraelite · 2h ago

> CRDTs are also crazy slow due to their architecture

What kinds of CRDTs specifically are you referring to? On its own this statement sounds far too broad to be meaningful. It's like saying "nested for loops are crazy slow".

qualeed · 4h ago

It doesn't actually say it anywhere, so: CRDT = Conflict-free replicated data type.

https://en.wikipedia.org/wiki/Conflict-free_replicated_data_...

Xeoncross · 3h ago

e.g. commonly used by applications that need to deal with multiple people editing a document.

NetRunnerSu · 1h ago

FHE is indeed slow, but the progress since 2009 is truly remarkable. Bootstrapping speed alone improved by tens of millions of times, and tfhe-rs already demonstrates homomorphic AES-128. Real-time FHE for AI inference/training feels increasingly plausible.

> https://github.com/sharkbot1/tfhe-aes-128

teleforce · 3h ago

>Runtime performance is also — to put it lightly — lacking. I benchmarked the unencrypted and encrypted versions of the last write wins register on an M4 MacBook Pro. The unencrypted one averaged a merge time of 0.52 nanoseconds.The encrypted one? 1.06 seconds. That’s not a typo: the homomorphically encrypted merge is two billion times slower.

Ouch!

somezero · 27m ago

FHE is simply the wrong tool here. FHE is for a central server operating on data held/known by another. They want MPC -multiple parties jointly computing on distributed data- and that’s fairly more efficient.

mihau · 57m ago

Sorry for going off-topic, but kudos for UI/UX on your blog!

To name a few: Nice style (colors, font, style), "footnotes" visible on the margin, always on table of contents, interactivity and link previews on hover.

Nice. What's your tech stack?

Joker_vD · 4h ago

> Now, however, the server can no longer understand the changes you send. If you want to see your friend’s latest changes, you’ll need to both be online at the same time.

What? No, the server sends you the changes you've not seen yet, you decrypt and merge them, and so you get the latest version of the document. Right?

The homomorphic encryption is a fascinating topic, but it's almost never an answer if you need anything resembling reasonable performance and/or reasonable bandwidth.

I've seen a paper that ingeniuously uses homomorphic encryption to implement arbitrary algorithmic computations, totally secret, by encoding a (custom-crafted) CPU together with RAM and then running "tick a clock" algorithm on them. And it works, so you can borrow some AWS huge instance and run you super-important calculations there — at 1 Hz. I am not kidding, it's literally 1 virtual CPU instruction per second. Well, if you are okay with such speed and costs, you either have very small data — at which point just run your computation locally, or you're really, really rich — at which point just buy your own goddamn hardware and, again, run it locally.

killerstorm · 1h ago

It's very common for CS and cryptography-adjacent papers to describe something impractical. Even more impractical than what you described - e.g. complexity of an attack is reduced from 2^250 to 2^230.

The purpose of these papers is to map out what's possible, etc, which might at some point help with actual R&D.

zawaideh · 3h ago

If the server can't operate on the content, it can't merge it into the CRDT documents. Which means it would need to sending and receiving the entire state of the CRDT with each change.

If the friend is online then sending operations is possible, because they can be decrypted and merged.

ath92 · 2h ago

Generally, this is not really true. The point of CRDTs is that as long as all parties receive all messages (in any order), they should be able to recreate the same state.

So instead of merging changes on the server, all you need is some way of knowing which messages you haven’t received yet. Importantly this does not require the server to be able to actually read those messages. All it needs is some metadata (basically just an id per message), and when reconnecting, it needs to send all the not-yet-received messages to the client, so it’s probably useful to keep track of which client has received which messages, to prevent having to figure that out every time a client connects.

charcircuit · 50m ago

If it takes 1 seconds per merge as per the article it sounds like a poor user experience for when new people join they have to wait hundreds or thousands of seconds to get to the doc.

ctde · 22m ago

it was 0.5 ns .. 1s was the FHE case

Joker_vD · 2h ago

I... still can't make heads or tails out of this description. Let me restate how I understand the scheme in TFA: there are two people, editing on the same document using CRDTs. When one person makes an edit, they push an encrypted CRDT to the sync server. Periodically, each of them pulls edits made by the other from the sync server, apply them to their own copy, and push the (encrypted) result back. Because of CRDT's properties, they both end up with the same document.

This scheme doesn't require them two people to be on-line simultaneously — all updates are mediated via the sync server, after all. So, where am I wrong?

eightys3v3n · 2h ago

I think the difference in understanding is that the article implies, as I understand it, that the server is applying the changes to the document when it receives a change message, not the clients. If the clients were applying the changes then we don't need Homomorphic encryption in the first place. The server would just store a log of all changes; cleaning it up once it was sure everyone played the changes if that is possible. Without Homomorphic encryption, the server must store all changes since some full snapshot and a full snapshot of the document. Where as with it, the server only ever stores the most recent copy of the document.

This could be done to reduce the time required for a client to catch up once it comes online (because it would need to replay all changes that have happened since it last connected to achieve the conflict free modification). But the article also mentions something about keeping the latest version quickly accessible.

Joker_vD · 1h ago

Article literally starts with

    One way to solve this is end-to-end encryption. You and your friend agree
    on a secret key, known only to each other. You each use that key to encrypt
    your changes before sending them, decrypt them upon receipt, and no one in
    the middle is able to listen in. Because the document is a CRDT, you can
    each still get the latest document without the sync server merging the
    updates.

    That is indeed a solution,

but then for some reason claims that this schemes requires both parties to be on-line simultaneously. No, it doesn't, unless this scheme is (tacitly) supposed to be directly peer-to-peer which I find unlikely: if it were P2P, there would be no need for "the sync server" in the first place, and the description clearly states that in this scheme it doesn't do anything with document updates except for relaying them.

jason_oster · 1h ago

The protocol half of most real world CRDTs do not want to send the raw stream of changes. They prefer to compress changes into a minimal patch set. Each patch set is specific to individual peers, based on the state of their local CRDT at merge time.

The naive raw stream of changes is far too inefficient due to the immense amount of overhead required to indicate relationships between changes. Changing a single character in a document needs to include the peer ID (e.g., a 128-bit UUID, or a public key), a change ID (like a commit hash - also about 128-bit), and the character’s position in the document (usually a reference to the parent’s ID and relative marker indicating the insert is either before or after the parent).

The other obvious compression is deletions. They will be compressed to tombstones so that the original change messages for deleted content does not need to be relayed.

And I know it is only implied, but peer to peer independent edits are the point of CRDTs. The “relay server” is there only for the worst case scenario described: when peers are not simultaneously available to perform the merge operation.

jakelazaroff · 1h ago

Hi, author here! The scenario was meant to be high level — I guess I should have gotten more into the various architectures and tradeoffs, but the article is already pretty long.

The way I see it there are a couple of ways this can shake out:

1. If you have a sync server that only relays the updates between peers, then you can of course have it work asynchronously — just store the encrypted updates and send them when a peer comes back online. The problem is that there's no way for the server to compress any of the updates; if a peer is offline for an extended period of time, they might need to download a ton of data.

2. If your sync server can merge updates, it can send compressed updates to each peer when it comes online. The downside, of course, is that the server can see everything.

Ink & Switch's Keyhive (which I link to at the end) proposes a method for each peer to independently agree on how updates should be compressed [1] which attempts to solve the problems with #1.

[1] https://github.com/inkandswitch/keyhive/blob/main/design/sed...

killerstorm · 58m ago

There's another option: let the clients do the compression. I.e. a client would sign & encrypt a message "I applied messages 0..1001 and got document X". Then this can be a starting point, perhaps after it's signed by multiple clients.

That introduces a communication overhead, but is still likely to be orders of magnitude cheaper than homomorphic encryption

blamestross · 7m ago

> Which means it would need to sending and receiving the entire state of the CRDT with each change. > If the friend is online then sending operations is possible, because they can be decrypted and merged.

Or the user's client can flatten un-acked changes and tell the server to store that instead.

It can just allways flatten until it hears back from a peer.

The entire scenario is over-contrived. I wish they had just shown it off instead of making the lie of a justification.

clawlor · 2h ago

There are variants of CRDTs where each change is only a state delta, or each change is described in terms of operations performed, which don't require sending the entire state for each change.

scyclow · 2h ago

Encrypt the diffs for the server and write the hash to a blockchain to manage the ordering. Boom, problem solved without HME.

thrance · 3h ago

Another cool use of FHE, allowing to browse wikipedia privately while still online: https://news.ycombinator.com/item?id=31668814

867-5309 · 2h ago

Conflict-Free Replicated Data Type

John Carmack Keen AI: Research Directions [video] (youtube.com)

Private Credit Is Eating Private Equity's Lunch (dealflowiq.com)

Code with AI the Hard Way (kamens.com)

Pope Leo makes AI's threat to humanity a signature issue (techcrunch.com)

A new album every two weeks: The story of Aleksi Perälä (attackmagazine.com)

She Says Social-Media Algorithms Led to Her Eating Disorder (time.com)

Scaling Development with Remote Agents: Augment Code (docs.augmentcode.com)

How to report suspected Microsoft service compromise?

How Dopamine neurons devalue delayed rewards (nature.com)

Surprise: Minnesota Killer Used Data Brokers to Target and Murder Politicians (techdirt.com)

Modular 25.4: One Container, AMD and Nvidia GPUs, No Lock-In (modular.com)

Show HN: I built a lightweight tRPC alternative to ease LLMs working with APIs (github.com)

How A.I. Sees Us (nytimes.com)

We Don’t Have to Give In to the Smartphones (nytimes.com)

A Cheeky Pint with OpenAI Cofounder Greg Brockman [video] (youtube.com)

Death sentences and executions in 2024 – Amnesty International Report (amnesty.org)

Biome v2–Codename: Biotype (biomejs.dev)

Andrej Karpathy's talk on the future of the industry (donnamagi.com)

Show HN: TabDirector – Fast, Customizable Tab Switcher for Safari on macOS (apps.apple.com)

Craig Federighi Opens Up About iPadOS, Its Multitasking Journey, and Essence (macstories.net)

Making CSP more usable for organizations at scale (github.com)

Zen Browser not accessible on GitHub (github.com)

Pro-Israel group hacks Iranian crypto exchange $90M, Throws away the money (fortune.com)

HTAP: Still the Dream, a Decade Later (medium.com)

Ask HN: How should I spend 10 weeks delving into AI?

JSON module scripts are now Baseline Newly available (web.dev)

Midjourney introduces v1 video model (twitter.com)

The US Navy is more aggressively telling startups, 'We want you' (techcrunch.com)

Show HN: Simple TTS augmentative and alternative communication app (udderance.app)

Show HN: Delve, an open source (AGPL) enterprise-grade data analytics platform (github.com)

The Brute Squad (sourcegraph.com)

ChatGPT Gets 'Absolutely Wrecked' in Chess Match with 1978 Atari (pcmag.com)

Passive cooling paint sweats off heat to deliver 10x cooling, 30% energy savings (techxplore.com)

The Great Decoupling (Or Why Your Clicks Are Down and Impressions Up) (ahrefs.com)

How We Use AI at Pulley (W20) (ignorance.ai)

UK brands found in 'fast fashion graveyard' in African conservation area (unearthed.greenpeace.org)

Apple Created a Custom iPhone Camera for 'F1' (wired.com)

NYC by Foot, Ferry, or Car (herbertlui.net)

The Best and the Brightest Under Pressure (thebignewsletter.com)

US to drop guidance to limit alcohol to one or two drinks per day, sources say (reuters.com)

First Look at the Rebooted Digg (techcrunch.com)

US added over 1k new millionaires a day last year, UBS Report Says (reuters.com)

Spicy Noodle Challenge: CTO Tries to Install His Own Product (youtube.com)

Confidential Inference via Trusted Virtual Machines (anthropic.com)

It's Not Cool to Be a Job Creator Right Now (bloomberg.com)

Visa Agree to Hasten Stablecoin Adoption in Africa (bloomberg.com)

The hacked iPhone camera Apple built to shoot real race scenes for F1 The Movie (9to5mac.com)

HydraSDR RFOne Preview Highlights Extensible SDR Design with Open Firmware (linuxgizmos.com)

The Unreasonable Effectiveness of Fuzzing for Porting Programs (rjp.io)

Hypermedia Introduction (hypermedia.systems)

Homomorphically Encrypting CRDTs

Comments (31)