Homomorphic Encryption: How It Changes the Way We Protect Data

essidsolutions

As the use of cloud-based data processing services increases, homomorphic encryption becomes a more crucial emerging technology to apply to hybrid cloud solutions, expanding to other uses as coding and processing technologies improve. This article covers the concept, how it works, its current and possible use cases, and the potential attacks it can help repel.

Protecting data throughout its lifecycle is a continuous effort, made more difficult as more information passes through the cloud and is provided to various service providers. Encryption works well for data in transit and at rest, but it begins to fail for data in use and derived data created by service providers. Homomorphic encryption, now emerging as a viable technology, helps fill these gaps by enabling sharing and processing of information without decrypting it.

The Data Life Cycle

Beginning with the creating and collecting of information, data sets pass through a continuous lifecycle, with each stage of the cycle requiring its own risk assessment and related safeguards. Figure 1 depicts the six lifecycle stages.

Figure 1: Data set lifecycle

An organization creates or collects data and adds it to the data set. The data set is stored locally or in the cloud, protected according to its classification. Highly classified information is typically encrypted at rest (stored) and in transit.

When needed, users and processes typically decrypt the stored data for use. Traditionally, this was a serious risk, but confidential computing technology has reduced the risk, even when the data is processed in the cloud. However, the success of confidential computing depends on whether the service providers actually deploy the needed technology.

Organizations often use third-party solutions to analyze their data sets, potentially sharing the data and keys, decrypting data outside the data owner’s direct control, passing information covered by privacy statutes into uncertain environments, and deriving business statistics accessible by the vendor and any lurking threat actors.  

Data no longer needed for business operation, but requiring retention due to business or regulatory requirements, is usually archived in an encrypted state. Finally, data no longer needed for any reason is destroyed.

As described above, the two stages of the lifecycle most vulnerable to unwanted access are using and sharing. With the emergence of homomorphic encryption, organizations can eventually manage this risk across all data sets.

What is Homomorphic Encryption?

Traditional asymmetric and symmetric encryption require decryption when the data is needed for business operations by the collecting/creating organization or by third-party information processors. On the other hand, homomorphic encryption allows the processing of classified data without decryption.

Figure 2: The Realm of homomorphic encryption

Homomorphic encryption has three types, depending on how the encryption approach is designed.

  • Partially homomorphic encryption (PHE) allows either addition or multiplication an infinite number of times.
  • Somewhat homomorphic encryption (SHE) enables both addition and multiplication but restricts the number of operations performed.
  • Fully homomorphic encryption (FHE) enables both addition and multiplication, but unlike SHE, it allows an infinite number of operations.

FHE is the type emerging as a solution provided by large service providers. It is the target of intense continuous research that currently focuses on using FHE to enable safe big data machine learning analysis by third-party service providers. The analysis results are also homomorphically encrypted, making no sensitive information available to anyone outside the data owner organization.

How homomorphic encryption works

Like legacy asymmetric encryption, two keys are needed to encrypt and decrypt FHE-protected data, with the private key needed to decrypt data encrypted with the public key and the data owner the sole possessor of the private key. Data elements encrypted with the public key are accessible without decryption for protected processing.    

Anastasios Arampatzis writes that “…homomorphic describes the transformation of one data set into another while preserving relationships between elements in both sets” using the Ring-Learning With Errors problem (RLWE). RLWE is a complex mathematical problem associated with high-dimensional lattices. An intermediate-level mathematical introduction to this process is available in the Microsoft training video, Intro to Homomorphic Encryption.

When implementing homomorphic encryption, organizations face one major challenge: performance. Based on today’s homomorphic algorithms and the state of processing technology, homomorphic encryption is far from mainstream, requiring more processing power than most organizations can afford or manage, essentially reserving homomorphism for cloud service provider machine learning analysis.  

Current and future uses

Leveraging safe homomorphic processing approaches to provide big data analysis services, many FHE services and coding tools are emerging, as listed by the Academic Consortium to Advance Secure Computation. Figure 3 is an example of how this might work.

Figure 3: Homomorphic processing

  • The organization that collected/created the data, the data owner, creates a data set for analysis. Examples include
    • Advertising and marketing 
    • Banking and financial services
    • Business intelligence
    • Government intelligence
    • Electronic health care treatment records
    • Student performance information
  • The data owner designs and codes a homomorphic approach, including the necessary keys. The keys include a public key for encryption, a private key for decryption, and an evaluation key used by the service provider to process the encrypted data elements. The data owner often creates the evaluation key in collaboration with the service provider.
  • The data owner then encrypts the data with the public key.
  • The encrypted data, along with the evaluation key, are provided to a cloud service provider for machine learning-based analysis.  
  • The service provider processes the data without actually seeing it.
  • The analysis results remain encrypted, unseen by the service provider, and returned to the data owner.
  • The data owner uses the private key to decrypt the analysis results for business use.

Other uses are slowly appearing. Anina Ott reports that Microsoft and Google have found a way to use homomorphic encryption in Edge and Chrome as part of their password compromise checking processes. These processes rely on the computing power these tech giants can bring to the table and enable password reliability management without the vendor knowing any passwords.

An example of how homomorphism might be used in the future is privacy protection when requesting location- or identity-based web information. For example, a user might use her cell phone to ask Google for the location of the closest coffee shop. Instead of providing clear text location and phone information, the information needed by Google would be homomorphically encrypted, used in the cloud for a location search, and the encrypted results returned to the user, enabling that next dose of caffeine without any loss of privacy.

Other uses will arise as organizations begin to justify the costs of adopting and implementing homomorphic encryption, using one or more of the available open-source homomorphic encryption libraries and toolsets. Justification requires balancing the cost of homomorphic processing with the need to safeguard classified data sets.

Attacks against homomorphic encryption

Homomorphic encryption processes are not perfect. Researchers and threat actors, who always try to break anything new, are continually attempting to leverage potential vulnerabilities; if you build it, they will break it.

The encryption cannot be hacked yet and is considered impervious to quantum computing, but attacks against the process are possible.

For example, North Carolina State University and Dokuz Eylul University researchers have demonstrated the first side-channel attack. Ravie Lakshmanan reports that the attack monitors “…power consumption in a device that is encoding data for homomorphic encryption,” enabling researchers to read the data. This data leakage attack was against a Microsoft SEAL vulnerability.

Risk assessments are needed to ensure security during every phase of the process, requiring team knowledge of each step when deciding whether to use FHE services for data processing.

Final thoughts

As the use of cloud-based data processing services increases, homomorphic encryption becomes a more crucial emerging technology to apply to hybrid cloud solutions, expanding to other uses as coding and processing technologies improve.

Solutions like Microsoft SEAL are available as open-source homomorphic encryption solutions today. When used selectively, SEAL and other tools can provide safe and efficient storage, use, and sharing of classified data anywhere without significant regulatory or internal policy violation risks.

Homomorphic encryption is coming to services near you, so now is the time to prepare, train teams, and include possible uses in strategic planning to strengthen classified data use across multiple services and locations.
