Is it really only 40 times slower? I thought it was millions of times slower. If it's only 40 times slower than a modern CPU, then this technology is a lot more interesting than I thought.
From a few minutes of Googling, I can't find any obvious benchmarks.
It depends on what you are computing. In some cases it will be as fast as the insecure version (not counting encryption/decryption time). On the other hand, random access will have to be simulated by a linear scan over an array, which is asymptotically slower. Complex control flow e.g. deeply nested loops with input-dependent side effects can cause the overhead to balloon.
Thanks for passing on that reference @onepointsixC. Yourself and the parent poster might be interested in a webinar we posted on YouTube which talks about those slides from one of the paper authors (Flavio) and yours truly. That slide is about halfway through the video, but the whole thing is worth a watch. https://www.youtube.com/watch?v=W9G1s1t_d80&list=PL0VD16H1q5...
We put up a cryptography playlist during the last week on youtube since it felt like people didn't have enough resources to refer to easily. We hope it helps! It includes the video walkthrough of how to get the toolkit running and run some demos.
From a few minutes of Googling, I can't find any obvious benchmarks.