January 20, 2023
What is Homomorphic Encryption and How It’s Used
Most data encryption is for data that is either at rest or in transit. Most security experts do not consider encryption a viable option for data in use because it’s hard to process and analyze encrypted data. As the need for privacy and security increases, however, there is a perceived need to encrypt data even when it is in use. To encrypt data and use it at the same time is not an easy task. Enter homomorphic encryption.
What Is Homomorphic Encryption?
Homomorphic encryption is an emerging type of encryption that allows users or systems to perform operations using encrypted data (without decrypting it first). The result of the operation is also encrypted. Once the result is decrypted, however, it will be exactly the same as it would have been were it computed with the unencrypted data.
When Should Homomorphic Encryption Be Used?
Thanks to homomorphic encryption, organizations are able to use cloud computing in external environments while keeping the data there encrypted the entire time. That is, third parties can handle sensitive data without compromising the security or privacy of that data. If the third party becomes compromised in any way, the data will still be secure, because it is never decrypted while it is with the third party.
Before, it was impossible to outsource certain data processing tasks because of privacy concerns. Because it was necessary to decrypt data to perform computations, the data would be exposed while in use. Homomorphic encryption addresses those concerns. This is a game changer for organizations in a wide variety of industries.
For example, homomorphic encryption allows healthcare providers to outsource private medical data for computation and analysis. The benefits of homomorphic encryption are not limited to healthcare. As regulations like GDPR become more common and more strict, it becomes crucial to protect personal data at all times, even while performing data analysis on it.
Is Homomorphic Encryption Practical?
Homomorphic encryption has been theoretically possible for a long time. The first fully homomorphic encryption schemes are already more than 10 years old. The problem is that the process requires an immense amount of computing power. The herculean effort that goes into this particular type of encryption has prevented it from becoming a viable option for most organizations.
Now, though, an immense amount of computing power is not as hard to come by as it used to be. We are still not seeing much homomorphic encryption adoption just yet, but more organizations are taking interest.
Expect to see it become a hot new opportunity in cybersecurity circles as homomorphic encryption becomes more necessary and more attainable at the same time. (The increased necessity is because of strict new rules for data privacy, while the increased attainability is from the exponential growth of computing power).
Partially Homomorphic vs. Fully Homomorphic Encryption
There are multiple types of homomorphic encryption schemes. At two ends of the spectrum, cybersecurity experts classify these schemes as partially homomorphic or fully homomorphic. As this type of encryption becomes more viable, people are finding new ways to classify it, introducing new categories between partially and fully homomorphic.
Currently, we talk about homomorphic encryption in the following ways:
- Partially Homomorphic Encryption – The lowest level, only supports one type of evaluation (such as multiplication, division, subtraction, addition, etc.)
- Somewhat Homomorphic Encryption – Supports any type of evaluation, but only for a specific number of ciphertexts
- Fully Homomorphic Encryption – Supports an infinite amount of computations on any amount of ciphertexts
As applications of homomorphic encryption become more plausible, expect to see greater nuance emerge. We will see pros and cons of homomorphic encryption that may not be apparent until there are more case studies.
Potential Vulnerabilities of Homomorphic Encryption
In March of 2022, academics at North Carolina State University and Dokuz Eylyl University worked together to poke a hole in Homomorphic Encryption. Specifically, researchers showed they could steal data during homomorphic encryption by using a side-channel attack.
“We were not able to crack homomorphic encryption using mathematical tools,” said Aydin Aysu, an assistant professor of computer engineering at North Carolina State University. “Instead, we used side-channel attacks. Basically, by monitoring power consumption in a device that is encoding data for homomorphic encryption, we are able to read the data as it is being encrypted. This demonstrates that even next generation encryption technologies need protection against side-channel attacks.”
Is Homomorphic Encryption Safe?
Before this study scares you away from the potential of homomorphic encryption, it is worth noting a few things:
- The vulnerability discovered was only in Microsoft SEAL, an open-source implementation of homomorphic encryption technology.
- The researchers were studying versions of Microsoft SEAL released before December 3, 2020. Later versions of the product have replaced the algorithm that created the vulnerability.
- The academics did not conclude that this type of homomorphic encryption was entirely unsafe, only that it needed protection from side-channel attacks. And there are established ways to protect against side-channel attacks.
Does this mean modern homomorphic encryption is necessarily impermeable? No. However, the results of this study are not cause for excessive concern. One big takeaway is that the vulnerability in software from 2020 was not discovered until 2022, when newer versions had already corrected the problem. With commitment to an evolving cybersecurity plan, companies can stay a step ahead of hackers (and academic researchers).
Assistant Professor Aysu seems confident about the future of homomorphic encryption, as long as organizations also take additional precautions. “As homomorphic encryption moves forward, we need to ensure that we are also incorporating tools and techniques to protect against side-channel attacks,” he says.
How to Use Homomorphic Encryption
There are multiple open source homomorphic encryption libraries, and Microsoft SEAL is the most common. It was developed by the Microsoft Research Cryptography Research Group. More cybersecurity experts are becoming interested in homomorphic encryption, and it is getting faster.
For now, though, it still is not the best option for most organizations. Upon comparing the differences between encryption, tokenization, and masking, most find that masking is currently the best option for data in use.