Homomorphic Encryption Makes Real-World Gains, Pushed by Google, IBM, Microsoft
The increasing mobility of data, as it ping-pongs between clouds, data centers and the edge, has made it an easier target of cybercrime groups, which has put a premium on the encryption of that data in recent years.
Cybersecurity vendors have stepped up, developing strong and efficient ways to encrypt data both while it’s at rest and when it’s in transit. However, there is a glaring weakness. When the data is being processed, analyzed or used by applications in another way, it needs to be unencrypted, making it more vulnerable to attack.
To counter this, some major IT vendors are pushing forward with a decades-old encryption idea that was first talked about in the late 1970s but not successfully demonstrated for the first time until 2009. Since then, interest in fully homomorphic encryption (FHE) has increased, largely paralleling the rise of cloud computing.
Putting a Focus on FHE
FHE enables data to remain encrypted even as it is processed and analyzed, whether that’s in the cloud or in third-party environments. The data is protected against cybercriminals as well as others who are not supposed to see it. Once the mathematical operations, such as calculations, are run on the encrypted data, the results are decrypted and corrected.
In recent months, the list of interested vendors has included IBM, which in December announced its Security Homomorphic Encryption Services, a managed offering hosted on the IBM Cloud. Big Blue has been active in the development for years – it was an IBM researcher who ran the 2009 demonstration – and earlier last year conducted successful FHE field trials. The company also released an FHE toolkit for Apple’s MacOS and iOS operating systems, with Android and Linux being added later.
“Fully homomorphic encryption holds tremendous potential for the future of privacy and cloud computing, but businesses must begin learning about and experimenting with FHE before they can take full advantage of what it has to offer,” IBM Security CTO Sridhar Muppidi said in a statement at the time.
Microsoft’s SEAL (Simple Encrypted Arithmetic Library) is another such effort, an open-source software library created by researchers at the company that uses multiple forms of homomorphic encryption. It’s available on GitHub.
DARPA Gets In on the Effort
Intel, which has been adding security features to its silicon for years and has been working on FHE techniques, was picked earlier this year by the federal Defense Advanced Research Projects Agency (DARPA) to work with Microsoft to create an ASIC chip for homomorphic encryption. DARPA will use the accelerator in DARPA’s Data Protection in Virtual Environments (DRPIVE) program to create the hardware needed to reduce the compute power and time that currently is required to run FHE operations. Intel will lead one of four research teams; the other three will be headed by software makers Duality Technologies – which uses homomorphic encryption in its Duality SecurePlus platform – and Galois and a Silicon Valley-based nonprofit scientific research institute, SRI International.
Earlier this month, Google released a collection of open-source libraries that can be used to implement FHE in modern workloads and made them available on GitHub.
“As cloud computing services continue to see widespread adoption, it becomes increasingly important for service providers to guarantee the security and privacy of the data of their customers,” Google researchers wrote in a paper released on GitHub.
Homomorphic Encryption a Long Time Coming
The FHE demo in 2009 proved the technology could work, but it was too slow and consumed too much compute power to be put to use and it was too expensive and required expertise in cryptography. However, such challenges are being addressed.
“Fortunately, over the last few years, FHE has become less computationally intensive, due to significant progress in hardware acceleration, efficient optimizations, and low-level implementations,” the Google researchers wrote.
Still, they added, for adoption of FHE to be widespread, tools are needed to enable software developers without cryptographic expertise to integrate homomorphic encryption into their applications. Dirk Schrader, global vice president of security research at New Net Technologies, agreed. He said a hurdle will be the application of FHE “where the analytics of large data sets will be used for benchmarking individuals, as seen in all those fitness applications or health monitors. Consumerization has the intrinsic tendency to include the question of cost of operation and maintenance, and applying high-end cryptography requires solid knowledge and development skills.”
Digital Health Projects to Benefit
Despite the remaining hurdles, Google, IBM, Microsoft and others are pushing to make it easier for developers to leverage the technology. Bringing FHE to the point where it could be used by vendors and developers would be helpful to organizations in a range of industries, Schrader, whose company makes cybersecurity and compliance software, told eSecurity Planet.
FHE “can solve some of the pressing issues arising out of the conflict to analyze large sums of data points generated by many individuals,” he said. “Many countries are considering some kind of digital health initiatives, where the promise to find better cures is countered by the fear [of losing] privacy. [Homomorphic encryption] offers an interesting approach here by allowing the analysis of encrypted data for purposes that are not related to an individual data set.”
Other possible uses include autonomous public transportation analyzing users’ locations to predict the load in a highly populated urban area, he said, adding that big data “is based on the promise to distill previously undiscovered opportunities from large amounts of data and has, so far with good reason, earned criticism from data privacy advocates.”
A Small but Growing Market
The FHE market is small but expected to grow in the coming years, with market research firm The Insight Partners predicting it will increase from $120.12 million in 2019 to $246.29 million by 2027, an average of 9.7 percent a year. Most of the use will be in North America and Europe, though the Asia-Pacific region stands to see the fastest growth. IBM noted that Gartner forecasts that while currently fewer than 1 percent of companies have the budget for projects that include FHE, that number will be more than 20 percent by 2025.
All this is happening as businesses increasingly adopt hybrid cloud and multi-cloud strategies. In its annual State of the Cloud report, IT management software maker Flexera found that 92 percent of enterprises have embraced a multi-cloud environment and 80 percent have hybrid clouds. Meanwhile, the number of government regulations and standards, such as the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA), are putting growing pressure on enterprises to ensure that the data they collect, store, analyze and act on, is protected from bad actors and prying eyes. Being able to leverage FHE would give them another tool to use to do just that.