It has current practical applications in inter-bank fraud detection, where you want to query if someone is on someone else's blacklist but not reveal the blacklist or the person being queried.
These applications can easily handle an 80 sec delay. It's also likely that queries scale well by batching into larger combined queries (since you need to involve every row already anyway).
Because I was confused by this scenario I wrote down the steps:
1. Alice provides Bob with her public and evaluation keys.
2. Bob encrypts each row of the blacklist with her public key.
3. Alice encrypts her query (e.g. for "Eve") and sends to Bob.
4. Bob evaluates some circuit on Alice's query and Bob's rows, and sends her one (encrypted) result per row
5. Alice decrypts the rows and sees if any are ones.
Ways this can be made more efficient:
* Outputs from each row's evaluation can chain into the next evaluation, so Bob only need return O(1) data.
* Bloom filters could cut down on average-case performance, but that would make Alice leak information (whether she follows up her FHE bloom filter query with a more precise query.)
A bunch of the papers I found from a quick Google search use secure MPC rather than FHE for interbank fraud. Which one is more practical these days wrt latency?
These applications can easily handle an 80 sec delay. It's also likely that queries scale well by batching into larger combined queries (since you need to involve every row already anyway).