Enveil CEO Ellison Anne Williams takes on a few common myths and misconceptions about homomorphic encryption in this article for HelpNetSecurity.
One of the challenges with the current pace of innovation is deciphering what is real and what is vaporware. Most of us are understandably skeptical when we hear of technical advances that sound too good to be true – our skepticism is rooted in our experience filtering endless marketing claims.
As a mathematician, I understand and even celebrate a certain degree of skepticism and believe that the best way to address questions is to present the evidence in a direct manner so individuals can make their own judgements on the topic at hand. I like tackling misconceptions relating to innovative technical advancements in my own line of work, and here I’ll talk about homomorphic encryption.
The field of homomorphic encryption has been the focus of academic research for more than four decades, but it has garnered increased attention of late as a pillar of a broader category known as Privacy Enhancing Technologies (PETs).
Grouped together for their ability to enhance and preserve the privacy of data during its processing lifecycle, these business-enabling technologies address an important need for organizations facing global regulatory challenges as well as a consumer base that values privacy more than ever before.
Within the PETs category, homomorphic encryption stands out for its ability to allow encrypted operations (think search or analytics) to be performed on data. From a technical standpoint, it enables operations to be performed on ciphertext as if it were plaintext. This allows data to be used without exposure, delivering an unmatched level of security and privacy enablement.
If you’re thinking that homomorphic encryption sounds incredible and that we should use it to encrypt everything, you’re not alone. In fact, homomorphic encryption is often hailed as the “holy grail” of crypto for its paradigm-shifting potential to revolutionize how and where organizations can securely and privately leverage data resources and assets.
The advances that have brought homomorphic encryption from land of theoretical research to commercially practical are absolutely worthy of celebration and are transformative to a wide range of business use cases across a variety of verticals. The excitement that continues to build around the space is justified as there are a plethora of ways that it can – and is – being used now for commercial applications in areas including anti-money laundering, financial fraud, and data monetization.
Of course, no technology is a magic bullet that can be used for anything and everything. Homomorphic encryption is no different and there are tradeoffs that come with its use. Moreover, due to its “holy grail” status, there is naturally a lingering degree of skepticism about whether it is ready for broad commercial use. Here are four misconceptions about homomorphic encryption that should be considered by anyone interested in potential use cases.
When homomorphic encryption was first theorized, it was simply not practical. Performing even the most basic operation (something as simple as 1+1) in ciphertext would take days and an amount of compute power that made it unreasonable for any broad applicability. But that is no longer the case. Advances in the underlying technology, as well as efficiencies relating to its use, mean that homomorphic encryption can now operate at the speed of business for a number of use cases.
Encrypted searches can be performed over millions of data records and returned within seconds rather than days or even weeks (yes, it started out that slow). Commercial and government entities are using homomorphic encryption operationally at scale today. Not working toward using it, but actually using it in production environments to solve real problems.
One of the areas where early adopters have emerged is the financial services industry, for anti-money laundering applications.
While regulations are an effective means for minimizing data exposure risk and safeguarding consumer privacy, they can also make it challenging for banks to discover and expose criminal activity. Regulatory directives frequently prevent global banks from effectively sharing data across privacy jurisdictions, even when that data is contained within branches of their own institutions.
For example, if a bank in the UK wants to check information relating to a possible new customer during onboarding, there is no efficient or automated privacy-preserving way for them to ask other branches across the globe if they know anything about the customer being considered. Homomorphic encryption is uniquely able to solve this compliance challenge because it keeps data encrypted during processing, thereby never revealing sensitive data or PII in the other operating jurisdiction.
By creating an encrypted search to run over data in another jurisdiction, the onboarding bank can get the information it needs in real time while respecting the privacy of the potential customer. Homomorphic encryption eliminates compliance risk by ensuring this new sensitive personal information is never exposed to others — or that any unrelated regulated data is introduced into its own jurisdiction.
Homomorphic encryption uniquely enables encrypted processing, allowing thusly-encrypted searches/analytics to be performed over both encrypted and unencrypted data. While HE-encrypted operations can be run over encrypted data, in many use cases, that level of protection is unnecessary.
Take, for example, an investor performing research to inform his or her decision-making regarding a possible merger or acquisition. The investor likely turns to standard industry tools, including data aggregators, that can provide the most current information available. Is the underlying data within these third-party environments sensitive? Not at all — the investor just needs to tap into this existing information to understand more about the company and its market positioning.
However, is the content of the search and reason behind the query sensitive? Absolutely. Exposing the investor’s interest in a specific company could expose intent, potentially signaling it to other interested parties and jeopardizing the investor’s bargaining power. In multi-million dollar transactions, the exposure of any such information is extremely significant.
Homomorphic encryption solves the problem by enabling investors to specifically protect the part that matters – the content of the query and its corresponding results delivered by the third-party data aggregator – thereby ensuring that their interests and intents are never exposed. In most scenarios, the homomorphic encryption capability can be delivered within the data aggregator’s existing environment without the data needing to be moved or changed in any way.
One of the most exciting use cases for homomorphic encryption today is in the area of secure data sharing and collaboration. By allowing third parties to securely and privately work together, it opens the door to never-before-possible opportunities for public-private collaboration, as well as across private industry. Just consider the gains that could be realized if organizations were able to come together to collectively combat the horrors of human trafficking and drug smuggling on a global scale.
One of the key elements that has prevented such efforts from moving forward in the past is the need to pool sensitive data assets in order to make them accessible to a collective group. This is impractical for a number of reasons, at the core of which is an understandable unwillingness of organizations to increase their own risk and liability by giving up ownership of their assets. Doing so puts the organization in jeopardy of violating privacy regulations, not to mention the broader reputational risk associated with compromising customer trust by exposing their data to third parties – even if it is done with the best of intentions.
While some implementations of homomorphic encryption suggest data must be pooled and encrypted in a centralized location, it is rarely practical or desirable. When homomorphic encryption is used to specifically protect the interaction with the data (in this case, the query or analytic being performed), it can be done in a decentralized manner that allows all contributors to maintain control and ownership of their data assets.
While it can sometimes be confusing to people unfamiliar with the space, there is a significant difference between a homomorphic encryption library and an HE-powered solution. Think of it this way: a homomorphic encryption solution is the house; homomorphic encryption libraries are the raw lumber.
Homomorphic encryption libraries provide the basic cryptographic components for enabling the capabilities, but it takes a lot of work including software engineering, innovative algorithms, and enterprise integration features to get to a usable, commercial grade product. Companies who build and maintain these libraries do so from their research teams and often offer consulting services to help organizations think about how to design plans to put these basic elements to use.
Vendors providing homomorphic encryption solutions have already built the house and many times leverage various homomorphic encryption libraries — while some may require remodeling to ensure the product addresses specific needs, the heavy lifting is done. When investigating offerings in the space, it is important organizations know what they are getting: raw building blocks, plans, or a house.
The impact that ongoing advances in homomorphic encryption – and PETs more generally – will have in the data privacy arena are not being overstated. These technologies are positioned to change the way we use and process data, ensuring the organization can perform critical business functions while prioritizing privacy.
Gartner predicts that more than half of organizations will be using privacy-enhancing computation to process data in untrusted environments by 2025. Amid the fast-moving advances taking place to achieve this milestone, it is important we understand what is true and what is not. I am confident that homomorphic encryption will prove compelling enough to stand up to any skepticism encountered along the way.
Read the full article at HelpNetSecurity.