Homomorphic Encryption Myths & Misconceptions
When homomorphic encryption (HE) was first theorized, it was simply not practical. Performing even the most basic operation (something as simple as 1+1) in ciphertext would take days and an amount of compute power that made it unreasonable for any broad applicability. But that is no longer the case. Advances in the underlying technology, as well as efficiencies relating to its use, mean that HE can now operate at the speed of business for a number of use cases.
Encrypted searches can be performed over millions of data records and returned within seconds rather than days or even weeks (yes, it started out that slow). Commercial and government entities are using HE operationally at scale today. Not working toward using it, but actually using it in production environments to solve real problems. One of the areas where early adopters have emerged is the financial services industry, for anti-money laundering applications.
Homomorphic encryption uniquely enables encrypted processing, allowing encrypted searches/analytics to be performed over both encrypted and unencrypted data. While HE-encrypted operations can be run over encrypted data, in many use cases, that level of protection is unnecessary. Take, for example, investors performing research to inform decision-making regarding a possible merger or acquisition. They likely turn to standard industry tools, including data aggregators, for the most current information available. Is the underlying data within these third-party environments sensitive? Not at all — investors just need to tap into existing information to learn about the company and its market positioning.
However, is the content of the search and reason behind the query sensitive? Absolutely. Exposing interest in a specific company could expose intent, potentially signaling to other interested parties and jeopardizing the investor’s bargaining power.
One of the most exciting use cases for HE is in the area of secure data sharing and collaboration. By allowing third parties to securely and privately work together, HE enables collaboration that was not previously possible. One of the key elements that has prevented such efforts from moving forward in the past is the need to pool sensitive data assets in order to make them accessible to a collective group. This is impractical for a number of reasons, at the core of which is an understandable unwillingness of organizations to increase their own risk and liability by giving up ownership of their assets.
While some implementations of HE suggest data must be pooled and encrypted in a centralized location, doing so is rarely practical or desirable. When HE is used specifically to protect the interaction with the data (i.e., the query or analytic), it can be done in a decentralized manner that allows all contributors to maintain control and ownership of their data assets.
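The pattern described above, an encrypted query evaluated over a data holder's own unencrypted records, can be sketched as follows; this is an added example, not code from the article or from any HE product. It assumes the additively homomorphic Paillier scheme (the article names no scheme), a toy key far too small for real use, and constructed function names and sample records.

```python
import math
import secrets

# Toy Paillier key built from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                      # public modulus
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # private
MU = pow(LAM, -1, N)                                 # private

def encrypt(m):
    """Encrypt integer m under public key N (generator g = N + 1)."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (1 + m * N) % N2 * pow(r, N, N2) % N2

def decrypt(c):
    """Recover m using the private values LAM and MU."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def build_query(index, size):
    """Querier: encrypted one-hot selector; each entry is a fresh ciphertext."""
    return [encrypt(1 if i == index else 0) for i in range(size)]

def answer_query(records, enc_selector):
    """Data holder: computes Enc(sum(sel[i] * records[i])) over its own
    plaintext records, seeing only ciphertexts of the selector."""
    acc = 1  # the ciphertext 1 decrypts to 0, so it is a neutral start
    for value, c in zip(records, enc_selector):
        acc = acc * pow(c, value, N2) % N2   # scalar-multiply, then add
    return acc

def private_lookup(records, index):
    """Full round trip: query, holder-side evaluation, decryption."""
    return decrypt(answer_query(records, build_query(index, len(records))))

# Constructed sample data: plaintext figures kept by the data holder.
RECORDS = [4200, 1775, 9310, 560]

if __name__ == "__main__":
    print(private_lookup(RECORDS, 2))
```

The records never leave the holder and are never encrypted; only the selector and the returned result are ciphertexts, which is why the holder keeps control of its data while the querier's interest stays hidden.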
While it can be confusing for those unfamiliar with the space, there is a significant difference between an HE library and an HE-powered solution. Think of it this way: an HE solution is the house; HE libraries are the raw lumber.
Homomorphic encryption libraries provide the basic cryptographic components for enabling the capabilities, but it takes a lot of work, including software engineering, innovative algorithms, and enterprise integration features, to get to a usable, commercial-grade product. Companies that build and maintain these libraries do so via research teams. Vendors providing HE solutions have already built the house and often leverage HE libraries — while some may require remodeling to ensure the product addresses specific needs, the heavy lifting is done. When investigating offerings in the space, it is important that organizations know what they are getting: raw building blocks, plans, or a house.