Ian Miers
@secparam.bsky.social
UMD CS Prof. Security and applied cryptography.
IMHO Long term, this sowdkt matter. integrity likely comes from ZK proofs inside FHE/MPC. There's promising work on the FHE side, and impressive results MPC: Groth16 proofs with 2x overhead.
This isn't MPC vs FHE, or ZK solving everything. it's about real progress in making these systems practical.
This isn't MPC vs FHE, or ZK solving everything. it's about real progress in making these systems practical.
November 1, 2025 at 7:02 PM
IMHO Long term, this sowdkt matter. integrity likely comes from ZK proofs inside FHE/MPC. There's promising work on the FHE side, and impressive results MPC: Groth16 proofs with 2x overhead.
This isn't MPC vs FHE, or ZK solving everything. it's about real progress in making these systems practical.
This isn't MPC vs FHE, or ZK solving everything. it's about real progress in making these systems practical.
The flip side is, most FHE does not get you integrity, so to add that you need, e.g., zk proofs. So fully untrusted for privacy and integrity FHE evaluation is even more expensive.
November 1, 2025 at 7:02 PM
The flip side is, most FHE does not get you integrity, so to add that you need, e.g., zk proofs. So fully untrusted for privacy and integrity FHE evaluation is even more expensive.
Once you accept that FHE fundamentally depends on a non-collusion/non-compromise assumption for threshold decryption, there is one very modest security advantage over MPC:
Key holders are less exposed than in MPC. They only decrypt, they don't compute the function.
Key holders are less exposed than in MPC. They only decrypt, they don't compute the function.
November 1, 2025 at 7:02 PM
Once you accept that FHE fundamentally depends on a non-collusion/non-compromise assumption for threshold decryption, there is one very modest security advantage over MPC:
Key holders are less exposed than in MPC. They only decrypt, they don't compute the function.
Key holders are less exposed than in MPC. They only decrypt, they don't compute the function.
To be clear, there are legitimate use cases for this, and some very impressive research.
And these same problems apply to MPC. It's not MPC vs FHE.
BUT, the discussion around security for them should be "ok, where's the key?"
And these same problems apply to MPC. It's not MPC vs FHE.
BUT, the discussion around security for them should be "ok, where's the key?"
November 1, 2025 at 7:02 PM
To be clear, there are legitimate use cases for this, and some very impressive research.
And these same problems apply to MPC. It's not MPC vs FHE.
BUT, the discussion around security for them should be "ok, where's the key?"
And these same problems apply to MPC. It's not MPC vs FHE.
BUT, the discussion around security for them should be "ok, where's the key?"
Scenario B is where we see proposed protocols IRL: darkpools, private anti-money laundering systems, etc.
No one person is trusted to hold the key, theres a committee for threshold decryption. But the security of the entire solution depends on the committee not just "encryption"!
No one person is trusted to hold the key, theres a committee for threshold decryption. But the security of the entire solution depends on the committee not just "encryption"!
November 1, 2025 at 7:02 PM
Scenario B is where we see proposed protocols IRL: darkpools, private anti-money laundering systems, etc.
No one person is trusted to hold the key, theres a committee for threshold decryption. But the security of the entire solution depends on the committee not just "encryption"!
No one person is trusted to hold the key, theres a committee for threshold decryption. But the security of the entire solution depends on the committee not just "encryption"!
Given Enc(data), FHE lets you compute Enc(f(data)) for any f. But someone has to decrypt the result!
There two scenarios
a) Your data, your key, you just outsourced computation. Safe, but rarely worth the FHE overhead.
b) Its multiple people's secret data, so who gets the key?
There two scenarios
a) Your data, your key, you just outsourced computation. Safe, but rarely worth the FHE overhead.
b) Its multiple people's secret data, so who gets the key?
November 1, 2025 at 7:02 PM
Given Enc(data), FHE lets you compute Enc(f(data)) for any f. But someone has to decrypt the result!
There two scenarios
a) Your data, your key, you just outsourced computation. Safe, but rarely worth the FHE overhead.
b) Its multiple people's secret data, so who gets the key?
There two scenarios
a) Your data, your key, you just outsourced computation. Safe, but rarely worth the FHE overhead.
b) Its multiple people's secret data, so who gets the key?
As Thomas Dullien said, malware is a "weird machine." MIE breaks some tools for building malware. But if the tiny number of brilliantly weird folks who build these machines are the real price bottleneck, then, if they adapt to MIE, the cost of exploits may not change that much.
October 18, 2025 at 7:18 PM
As Thomas Dullien said, malware is a "weird machine." MIE breaks some tools for building malware. But if the tiny number of brilliantly weird folks who build these machines are the real price bottleneck, then, if they adapt to MIE, the cost of exploits may not change that much.
First, let's get this out of the way: MIE isn't foolproof. I'm told it does not cover memory access/data from other hardware in the phone, like a baseband modem. And there are some known (though tricky) bypasses for normal code. See Project Zero's blog googleprojectzero.blogspot.com/2025/09/poin...
Pointer leaks through pointer-keyed data structures
Posted by Jann Horn, Google Project Zero Introduction Some time in 2024, during a Project Zero team discussion, we were talking about how...
googleprojectzero.blogspot.com
October 18, 2025 at 7:18 PM
First, let's get this out of the way: MIE isn't foolproof. I'm told it does not cover memory access/data from other hardware in the phone, like a baseband modem. And there are some known (though tricky) bypasses for normal code. See Project Zero's blog googleprojectzero.blogspot.com/2025/09/poin...
But what if the real cost driver is not the technical complexity of each exploit, but human resources. Suppose there are maybe 5 teams worldwide can actually productize a vuln into a stable exploit. MIE raises the bar for them, but does it slow them down much after they adapt?
October 18, 2025 at 7:18 PM
But what if the real cost driver is not the technical complexity of each exploit, but human resources. Suppose there are maybe 5 teams worldwide can actually productize a vuln into a stable exploit. MIE raises the bar for them, but does it slow them down much after they adapt?
Matt took the conventional (and likely right) take: MIE should increase the cost of zero-days substantially. When a single exploit chain already costs ~$5 million, a defense like MIE might double the price or more by eliminating whole sets of techniques.
October 18, 2025 at 7:18 PM
Matt took the conventional (and likely right) take: MIE should increase the cost of zero-days substantially. When a single exploit chain already costs ~$5 million, a defense like MIE might double the price or more by eliminating whole sets of techniques.
Problem is once users have digital IDs, demands will shift. Instead of 'are you 18?', it becomes: prove you're human, prove you're not banned, prove you live here. Then you need programmable identity. Private IDs are just a start, as we looked at here.
eprint.iacr.org/2022/878
eprint.iacr.org/2022/878
zk-creds: Flexible Anonymous Credentials from zkSNARKs and Existing Identity Infrastructure
Frequently, users on the web need to show that they are, for example, not a robot, old enough to access an age restricted video, or eligible to download an ebook from their local public library withou...
eprint.iacr.org
October 9, 2025 at 7:59 PM
Problem is once users have digital IDs, demands will shift. Instead of 'are you 18?', it becomes: prove you're human, prove you're not banned, prove you live here. Then you need programmable identity. Private IDs are just a start, as we looked at here.
eprint.iacr.org/2022/878
eprint.iacr.org/2022/878
How do we do better?
Well, a simple solution to this particular problem is zk-proofs. Instead of giving Discord your ID, you prove you have one. We did some preliminary work on this in 2023, and Google is rolling out a version of zk proofs of IDs.But basic proofs aren't enough.
Well, a simple solution to this particular problem is zk-proofs. Instead of giving Discord your ID, you prove you have one. We did some preliminary work on this in 2023, and Google is rolling out a version of zk proofs of IDs.But basic proofs aren't enough.
October 9, 2025 at 7:59 PM
How do we do better?
Well, a simple solution to this particular problem is zk-proofs. Instead of giving Discord your ID, you prove you have one. We did some preliminary work on this in 2023, and Google is rolling out a version of zk proofs of IDs.But basic proofs aren't enough.
Well, a simple solution to this particular problem is zk-proofs. Instead of giving Discord your ID, you prove you have one. We did some preliminary work on this in 2023, and Google is rolling out a version of zk proofs of IDs.But basic proofs aren't enough.
What's worse but predictable? Attackers get both IDs and messages. Every conversation you've ever had, every dumb comment, or like attached to your legal name and address. There's no evidence it happened here, but it will happen soon. We need better approaches to identity.
October 9, 2025 at 7:59 PM
What's worse but predictable? Attackers get both IDs and messages. Every conversation you've ever had, every dumb comment, or like attached to your legal name and address. There's no evidence it happened here, but it will happen soon. We need better approaches to identity.
Isn't it worse than that. If your professional account is marked ChatControllExempt, isn't that a giant gapping red flag to adversaries to go look at the personal account of you, your spouse, anyone you might be having an affair with or owe money?
September 17, 2025 at 10:02 PM
Isn't it worse than that. If your professional account is marked ChatControllExempt, isn't that a giant gapping red flag to adversaries to go look at the personal account of you, your spouse, anyone you might be having an affair with or owe money?
Best cover for a stego system.
September 11, 2025 at 11:47 PM
Best cover for a stego system.
There's a very niche case where
1) you succeed at building the quantum computer
2) crypto does migrate to pq
3) you can still sell recovery services on non migrated addresses
4) those addresses don't get robbed by others or FUD from competing PQ secure chais says they were
1) you succeed at building the quantum computer
2) crypto does migrate to pq
3) you can still sell recovery services on non migrated addresses
4) those addresses don't get robbed by others or FUD from competing PQ secure chais says they were
September 11, 2025 at 10:48 PM
There's a very niche case where
1) you succeed at building the quantum computer
2) crypto does migrate to pq
3) you can still sell recovery services on non migrated addresses
4) those addresses don't get robbed by others or FUD from competing PQ secure chais says they were
1) you succeed at building the quantum computer
2) crypto does migrate to pq
3) you can still sell recovery services on non migrated addresses
4) those addresses don't get robbed by others or FUD from competing PQ secure chais says they were
What's the value of recovering X% of crypto, discounted by: legal risk it's deemed theft, the chance crypto migrates to PQ-resistant algorithms first, and the risk that BTC/ETH prices collapse the moment everyone realizes the same quantum tech makes ALL legacy crypto vulnerable?
September 11, 2025 at 10:48 PM
What's the value of recovering X% of crypto, discounted by: legal risk it's deemed theft, the chance crypto migrates to PQ-resistant algorithms first, and the risk that BTC/ETH prices collapse the moment everyone realizes the same quantum tech makes ALL legacy crypto vulnerable?
If true, this says more about VC funding fads than cryptography. It highlights how hard it is to find valuable applications that classical computers can't approximate well enough. And I have questions for the junior deal partner who modeled the ROI for pq crypto "recovery."
September 11, 2025 at 10:48 PM
If true, this says more about VC funding fads than cryptography. It highlights how hard it is to find valuable applications that classical computers can't approximate well enough. And I have questions for the junior deal partner who modeled the ROI for pq crypto "recovery."