Homomorphic Encryption

The “Holy Grail” of cryptography?

Typically, accessing and processing encrypted data necessitates prior decryption using the secret key. While this safeguards confidentiality, it can also present limitations. For instance, a company storing encrypted data with an external, untrusted cloud provider might hesitate to outsource data processing in the same environment. To process the data, the company would either have to share the secret key with the untrusted cloud system, increasing the risk of a confidentiality breach, or transfer the data to a secure, internal environment for decryption and processing. This latter approach increases time, complexity, and cost, as well as potential exposure risks when the data is unencrypted. Even with end-to-end encryption, while data is protected during transit and storage, it still requires decryption for processing, potentially exposing it at that point.

Homomorphic encryption (HE) offers a breakthrough by allowing specific computations to be performed directly on encrypted data without prior decryption and without needing the secret key. The results of these computations remain encrypted and can be decrypted later by the secret key owner (Homomorphic Encryption Standardization, n.d.).

Homomorphic encryption can be partially homomorphic (PHE), somewhat homomorphic (SHE), or fully homomorphic (FHE), with variations in between. The distinction lies in the extent to which fundamental computer operations – addition and multiplication – can be performed on the encrypted data. PHE allows only one type of operation (either addition or multiplication) but an unlimited number of times. SHE enables both addition and multiplication, but with a limited number of repetitions (Munjal and Bhatia, 2022). Crucially, the available operations are determined during the encryption process. This means that if PHE or SHE is used for a specific set of operations on data, other operations cannot be performed on the same encrypted dataset (ISOC, 2023). FHE, on the other hand, aims to enable any arbitrary computation on encrypted data in any combination. With FHE, programs could run directly on encrypted data, eliminating the risk of data leakage during or after computation, as the final output is only decrypted when it returns to the user's device (Gorantala, Springer and Gipson, 2023).

What could FHE be used for?

In theory, fully homomorphic encryption (FHE) unlocks a vast array of potential applications. For instance, sensitive data could be both stored and processed within untrusted environments, such as cloud platforms, significantly mitigating the risk of data breaches. Malicious actors compromising the cloud provider's system would have no visibility into the homomorphically encrypted data or the results of its processing, just like the provider itself. Furthermore, the physical location of the cloud platform would become less critical when selecting a provider. The risk of governments or other entities leveraging cloud providers within their jurisdiction for surveillance purposes would be substantially reduced (Paillier, 2020), at least as long as cloud providers aren't subjected to additional obligations like the custodianship of FHE keys.

FHE would enable third parties to perform analytics on sensitive data without compromising its confidentiality in fields like healthcare (e.g., applying machine learning to genomic data for medical research), finance (e.g., analyzing transaction records), and law enforcement (e.g., detecting tax evasion, preventing crime, conducting investigations) (Koerner, 2021). It would also allow querying whether specific data exists in a data store without revealing the contents of the query or the data store itself (Creeger, 2022). FHE could facilitate data sharing for machine learning in sectors like finance, which were previously deemed impossible or highly undesirable due to trust deficits, including the potential for data breaches (Masters and Hunt, 2019). Participants could use FHE to analyze confidential data from multiple organizations without these organizations having to share the raw data or the computational results with each other or any other party (as exemplified by the SCRAM platform developed at MIT for multi-user cybersecurity applications (MIT, 2021)).

FHE can be considered a powerful privacy-enhancing technology (PET) (OECD, 2023). It has the potential to significantly enhance privacy in everyday applications such as GPS navigation, biometric identification, and voice assistants. With FHE, users wouldn't need to share personal data with providers of location, identification, voice assistant, or other services but could still benefit from them (Zama, n.d.). Enthusiasts even envision a future FHE-enabled HTTP where all data, including processing, is encrypted by default (Zama, n.d.). FHE could also serve as a fundamental component of a Zero Trust environment, as it allows computation even if the environment is known to be compromised by an attacker (IBM, 2021). Some argue that the persistent issue of data breaches despite encryption during transit stems from the lack of encryption during processing (Zama, n.d.).

The implementation of FHE would raise significant legal questions. For instance, should homomorphically encrypted personal data be classified as anonymous, pseudonymous, or personal data? The answer would have implications for data controllers' regulatory requirements when using HE. For example, would data subject consent still be necessary before FHE processing of their data (Koerner, 2021)? While some view HE as a way to reduce compliance burdens or the risk of non-compliance, further investigation is needed to confirm this and, if so, under what conditions. The immense potential for novel applications partly explains why experts have dubbed FHE the "Holy Grail of cryptography" (Tourky, ElKawkagy and Keshk, 2016) and "a technology that will change the world" (Paillier, 2020).

What Homomorphic Encryption Can Do!

What are the main challenges and limitations of FHE?

However, the "Holy Grail" of fully homomorphic encryption (FHE) currently remains more of a promising vision than a practical reality due to several significant limitations. While homomorphic encryption (HE) has seen substantial progress in the four decades since its basic concept was proposed in 1978 by Ron Rivest, Len Adleman, and Michael Dertouzos, it is still an evolving field, and FHE is not yet a fully mature technology. It took thirty years after the initial concept for the first fully homomorphic encryption scheme to be developed by Craig Gentry at IBM in 2008. Since then, four generations of improved FHE schemes have emerged, each with its own set of advantages and disadvantages in terms of efficiency and security (van den Nieuwenhoff, 2021).

Firstly, HE is extremely computationally intensive. Compared to processing the same data in its unencrypted form ("in the clear"), HE is slower, less efficient, and consumes more energy. These factors vary depending on the specific technique employed. FHE, in particular, demands enormous computational resources for even simple operations. According to the FHE program manager at DARPA, a computation that would take a millisecond on a standard laptop could take weeks on a conventional server running FHE today (DARPA, 2021). Current estimates suggest that FHE processing can be 1,000 to 1 million times slower than equivalent plaintext processing (Mattsson, 2021). This significant overhead latency might make it suitable for certain business scenarios but not for applications requiring real-time computation. However, some companies are investing in specialized FHE acceleration chips to address this issue (Arghire, 2022), and DARPA's DPRIVE project, in collaboration with Intel and Microsoft, aims to develop a hardware accelerator for FHE that could be integrated into Microsoft's cloud ecosystem (Intel, 2021; DARPA, 2021). While such innovations promise performance improvements, their impact on the overall cost of an FHE solution remains to be seen.

Secondly, HE faces limitations in multi-user environments like outsourced processing. Designed for a single user, HE schemes rely on a single secret key. Extending this to multiple users would necessitate sharing the secret key, which is impractical in many scenarios, especially when users belong to different organizations or when strict control over the secret key is required. Multi-user HE schemes have been developed to address this, but they introduce a new challenge: the ciphertext size increases with the number of users. This leads to a proportional increase in both computation and communication costs (Park, 2021), limiting its potential for applications like government analysis of financial data for tax evasion detection.

Thirdly, FHE can present correctness challenges due to the generation of "noise" that can accumulate over time and distort results. Sophisticated or repeated applications of FHE to the same data might necessitate complex mathematical manipulations of the ciphertext, potentially affecting the accuracy of the outcomes (Yang et al., 2023). More broadly, managing noise generation is the primary hurdle in advancing from PHE to FHE, with FHE requiring additional techniques to control this noise, further exacerbating the efficiency challenge. Moreover, implementing FHE or other HE computations in a cloud environment doesn't guarantee the accuracy of the computations for clients (Fernàndez-València, 2022). In other words, clients cannot easily verify the correctness of the output.

Fourthly, FHE is potentially susceptible to various types of attacks, ranging from side-channel attacks to key recovery attacks (Yang et al., 2023). For instance, using FHE in a cloud environment is currently vulnerable to attacks that could substitute a given ciphertext with another valid ciphertext or replace a valid computation query with a different one (Awadallah, Samsudin and Almazrooie, 2021).

Fifthly, while a growing number of HE software libraries and tools are being developed by key industry and research players, HE is still not user-friendly for beginners or even programmers and remains very difficult for non-cryptographers to understand (van den Nieuwenhoff, 2021). Some stakeholders, like Intel with its Homomorphic Encryption Toolkit, are working to improve HE usability (Intel, n.d.).

Finally, despite being a cryptographic method conceived four decades ago, HE standardization is still in its early stages. The availability of technical standards for a cryptographic method generally reflects its maturity. Standards build confidence, ensure interoperability, and enable stakeholders to develop tools that encourage adoption. A cryptographic method lacking widely recognized standards is unlikely to significantly impact the technology landscape. In 2019, the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) published a standard addressing some homomorphic encryption mechanisms and including a "general model" for HE (ISO/IEC, 2049). The US National Institute of Standards and Technology (NIST) includes HE in its Privacy-Enhancing Cryptography project (NIST, 2023). FHE is also the subject of a draft Technical Report on "FHE-based data collaboration in machine learning" under development in ITU-T Study Group 17 on security (ITU, 2023; ITU, 2022). On the industry front, HomomorphicEncryption.org, an open consortium of industry, government, and academia, has been working on standardizing HE since 2017, released a standard in 2018 (Albrecht et al., 2018), and holds regular workshops on this topic.

In conclusion, while HE and FHE hold significant promise for transforming the security landscape with substantial economic implications across all sectors, and while some HE applications are already in use, FHE does not yet appear ready for widespread adoption. According to renowned cryptographer Pascal Paillier, "fully homomorphic encryption is today where deep learning was 10 years ago" (Paillier, 2020). However, the timeline for FHE to reach the tipping point of broad and rapid adoption remains uncertain.

Page updated

Google Sites

Report abuse