Homomorphic encryption tools find their niche

Current homomorphic encryption offerings require fewer specialized skills and are proving themselves effective in some use cases.


Organizations are starting to take an interest in homomorphic encryption, which allows computation to be performed directly on encrypted data without requiring access to a secret key. While the technology isn’t new (it has been around for more than a decade), many of its implementations are, and most of the vendors are either startups or have only had products sold within the past few years.

While it's difficult to obtain precise pricing, most of these tools aren’t going to be cheap: Expect to spend at least six figures and sign multi-year contracts to get started. That ups the potential risk. Still, some existing deployments, particularly in financial services and healthcare, are worth studying to see how effective homomorphic encryption can be at solving privacy problems and delivering actionable data insights. Let’s look at a few noteworthy examples.

  • The San Diego-based Community Information Exchange uses homomorphic encryption to allow multiple social service agencies to share data on their clients without revealing their personal information. This is useful if one client requires services from multiple agencies, such as a housing benefit, food stamps and medicines. The exchange satisfies the HIPAA requirements for privacy yet allows for the coordination of the various social agencies to avoid duplicating benefits.
  • Microsoft has created a research project called ElectionGuard, aimed at improving election ballot security. While it hasn’t yet been deployed in production by any elections board, it was used as a trial run in a small municipal election during a Wisconsin primary vote in February. The issue in voting is that voters have secret ballots but want to verify that their vote was tabulated. ElectionGuard is based on homomorphic encryption and satisfies the needs of voters and the elections board.
  • One of the more compelling use cases is in the financial services sector. Scotiabank is using homomorphic encryption technology from Duality Technologies for its anti-money laundering (AML) detection. To give you an idea of how big a problem this is, the United Nations reports that up to $2 trillion in funds is laundered through the global financial system every year. These include a wide range of illicit activities such as terrorism, drugs, cybercrime and human trafficking.

    With AML, you want to be able to correlate and query activities by the criminals across multiple banks but can’t reveal who the targets are due to privacy regulations. Homomorphic encryption offers the ability to get this information without disclosing who the subject of the query is and instead hides this data from the entity that is processing the query. These bank-to-bank transactions are a natural fit for homomorphic encryption. Resolving some of these fraud cases could take months, but with homomorphic encryption they can be resolved within minutes.

Finding the right use cases

That brings up another important point for homomorphic encryption: Because the encryption algorithms rely on complex mathematics, they take more time to process transactions than non-encrypted methods. That isn’t a surprise to anyone who has worked in the data encryption space, and the slower processing has been considered a roadblock to adoption. Homomorphic encryption vendors refute this notion.

Ellison Anne Williams, CEO and founder of Enveil, which sells its homomorphic encryption-based ZeroReveal product, says, “Our homomorphic encryption is not as fast as unencrypted security. Certainly, there is a time tradeoff, but it isn’t humanly perceptible and can save our customers many weeks’ time.” She mentioned that running an encrypted search of 20MB of data would have taken days to complete five years ago, but today she has customers who are able to do fuzzy matching of billions of encrypted transactions that take only seconds to complete.

Still, the longer processing time means choosing the homomorphic encryption deployments where they make sense. “This isn’t appropriate for use in a self-driving car app, for example,” says Alon Kaufman, the CEO of Duality. Instead, homomorphic encryption makes sense for what one company executive called latency-insensitive batch-computations, using homomorphic encryption’s latest efficiency improvements to help gain adherents. “Back 12 years ago, homomorphic encryption wasn’t practical because of its lengthy compute times. Today you don’t have to encrypt everything. Instead, you limit your focus and can run your homomorphic encryption apps a lot faster. We have found use cases that can deal with a few seconds to complete the calculations that normally took days or weeks to do with other methods,” said Kaufman.

More toolkit than tool

Before the most recent era, most homomorphic encryption offerings were collections of code libraries or open-source projects that required a high skill level to implement, typically from mathematics or data science experts. For example, these three vendors all have more demonstrations of homomorphic encryption than actual products:

Packaged homomorphic encryption products

What has helped the newest homomorphic encryption vendors is that they can hide the homomorphic encryption computations and encryption processing from the actual use of their products. “No one should care how encryption works, provided it does actually work,” says Kaufman. This makes them all more enterprise-ready and better than trying to implement a Google or IBM coding project. So, what are the typical components?

First, every product needs two agents that work in tandem to encrypt the data on the server side and process the encrypted data on the analysis side. No actual decryption is happening — this isn’t like secure sockets layer transactions. The key is being able to carefully select the data portion that needs to be encrypted.

In a banking scenario, you just need a few details about the transaction to identify the customer and the resulting banking action. The agents communicate via a well-structured collection of APIs that are specific to each product. These interact with the back-end application such as a database, a CRM application, or some other structured data collection and make the encrypt and query process transparent to the end user.
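The two-agent pattern described above, and the AML query whose subject stays hidden from the bank processing it, can be sketched with an additively homomorphic scheme. This is an added example, not code from the article or from any vendor it names; it assumes textbook Paillier with a constructed toy key, constructed account slots that both sides have agreed on, and hypothetical function names.

```python
import secrets
from math import gcd

# Constructed toy key: two Mersenne primes, ~150-bit modulus. Not a secure size.
P, Q = 2**61 - 1, 2**89 - 1

def keygen(p=P, q=Q):
    """Textbook Paillier with g = n + 1. Returns (public n, private (phi, mu))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, (phi, pow(phi, -1, n))

def encrypt(n, m):
    """Probabilistic encryption: a fresh r makes equal plaintexts look unrelated."""
    r = secrets.randbelow(n - 1) + 1
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) * pow(r, n, n * n) % (n * n)

def decrypt(n, priv, c):
    phi, mu = priv
    return (pow(c, phi, n * n) - 1) // n * mu % n

def build_query(n, slots, wanted):
    """Querying agent: encrypt a one-hot selector over the agreed account slots."""
    return [encrypt(n, int(s == wanted)) for s in slots]

def answer_query(n, enc_selector, counts):
    """Processing agent: holds only n and ciphertexts, never the private key.
    Enc(a)^k = Enc(k*a) and Enc(a)*Enc(b) = Enc(a+b), so the product below is
    Enc(sum(selector[i] * counts[i])) = Enc(count of the selected slot)."""
    n2, acc = n * n, encrypt(n, 0)          # start from a fresh Enc(0)
    for c, k in zip(enc_selector, counts):
        acc = acc * pow(c, k, n2) % n2
    return acc

def demo():
    slots = ["acct-1001", "acct-1002", "acct-1003", "acct-1004"]  # constructed
    flagged = [0, 7, 2, 0]   # constructed: responder's flagged-transfer counts
    n, priv = keygen()
    reply = answer_query(n, build_query(n, slots, "acct-1003"), flagged)
    return decrypt(n, priv, reply)

if __name__ == "__main__":
    print(demo())
```

Only the selector is encrypted, which matches the point about limiting encryption to the data that needs it. A production design would also have to bound what a malformed (non-one-hot) selector can pull from the responder's table, which this sketch does not address.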

Second, you need to get a handle on what data you need to extend beyond your enterprise and how you intend to collaborate with your partners or cohorts in other businesses. What needs to be kept private (for regulatory or other reasons)? What systems will be integrated with each other, and how will this integration happen? What programming needs to take place, and who will do it — whether in house or using one of the homomorphic encryption vendors or their own integrators to do so?

The table below compares some of the homomorphic encryption products and the markets they target.

[Table: Homomorphic encryption product comparison. Credit: CSO / IDG]

This is still the brave new world. Expect to see more homomorphic encryption tools from established database and data platform vendors in the coming years. The balance of security and privacy is a solid reason to investigate these tools.

Copyright © 2020 IDG Communications, Inc.
