maxkabakov - Fotolia
Enterprises routinely grapple with the effects of data loss. This could be much less of a problem if applications could run on data that didn't need to be decrypted first.
An emerging class of technologies that enable apps to run on encrypted data -- called homomorphic encryption -- is close to a point where it can be used for practical application development. Encrypted computing enables apps to run algorithms on sensitive data -- such as health or financial information -- in a way that reduces privacy and security concerns. This development could be an important step for companies that want to build apps that won't violate privacy regulations, such as GDPR.
"Homomorphic encryption is at an inflection point, where several real-world applications are now within reach, and initial standardization efforts are underway," said Shai Halevi, cryptographer at IBM Research.
Homomorphic encryption also makes it possible to run algorithms in the cloud in a safe way. This form of computing creates protections against data copying by competitors or foreign governments and counters fears against the loss of trade secrets. Homomorphic encryption could complement other trust-related technologies, such as blockchain and distributed ledger technology, because it enables computation on data encrypted in the blocks.
The core idea emerged out of the 2009 Defense Advanced Research Projects Agency Grand Challenge, but it suffered serious performance issues compared to computing on clear data. Since that time, several companies -- including IBM, Microsoft, Duality, Enveil and Inpher -- have worked to address these speed issues. What was once roughly 100,000 times slower is now closer to only a few hundred thousand times slower. With advances in modern processors and cluster approaches to distributed computations, it's reasonable to expect this technology will be relevant in more and more situations.
Homomorphic encryption algorithms have started to cross the practical use threshold for computational efficiency in some domains. Alexander "Sasha" Gusev, principal investigator at the Dana-Farber Cancer Institute and assistant professor at Harvard Medical School, has worked on homomorphic encryption for genetics research.
"Up until very recently, even in 2018, encrypted algorithms were still being published using bandwidth-heavy interactive techniques because [homomorphic encryption] was seen as out of the question -- something that would take thousands of years of computation to perform basic analysis," Gusev said.
He has seen improvements to homomorphic encryption algorithms that can perform computations on large-scale data in minutes or hours. "That's a huge leap forward methodologically, and it finally puts [homomorphic encryption] in the realm of everyday use," Gusev said.
A new era of computing
"This opens a new area of computing," said Alon Kaufman, CEO of Duality. "It is not like taking a better car and asking how much more efficient it could be. It is more like inventing a shuttle to Mars, where you can do analysis on sensitive data without disclosing anything to the application."
Duality works to simplify the abstractions to build out encrypted apps that could be run on the cloud or private servers. The company works with the National Institutes of Health (NIH) to refine the algorithms for other healthcare applications, along with several undisclosed finance tech companies.
Additionally, several companies, along with NIH and NIST, have collaborated on standards for homomorphic encryption to help make it easier to write and run encrypted apps across platforms from various vendors. Some of these participants have also worked on bake-offs to demonstrate the speed of various approaches, including the iDASH competition to securely analyze encrypted genetic data.
Other approaches to processing encrypted data focus on how to mask or pseudonymize sensitive fields in data records. This method can limit the kinds of insights that can be gleaned from the data. Also, malicious actors could reconstitute sensitive data fields through a process called deanonymization. In 2009, researchers found they could reidentify 87% of individuals from anonymized data simply by combining a person's date of birth and zip code.
Get ready for GVB
Modern internet security was driven in large part by the development of public key cryptography by Ron Rivest, Adi Shamir and Leonard Adleman in 1977, which came to be known as the RSA algorithm. It's used to exchange data securely among untrusted parties and services.
A promising encrypted computing algorithm developed by Craig Gentry, Zvika Brakerski and Vinod Vaikuntanathan, is coming to be known as GVB. Palisade, the most popular scheme to develop encrypted computing apps, is available on GitHub.
Different vendors are working to build better algorithms that translate existing applications into encrypted apps. Even so, it's not easy to learn how to work with vectors versus binary numbering systems, Kaufman said.
He also said this mirrors the way developers can achieve significant performance improvements if they rethink algorithms to run on GPUs. At least initially, Duality is focused on supporting Python apps.
Duality recently conducted a project with NIH around analyzing anonymous data. Ten years ago, using encrypted computing to multiply two numbers would take a half-hour. Better implementations can now analyze hundreds of thousands of genetic sequences in less than a minute. It's more expensive than normal computation, but it has become scalable and can be done in the cloud, Kaufman said.
IBM expects homomorphic encryption to be commercially available for niche projects, such as genomics research, within the next year; with additional improvements, significant adoption could come in about five years, Halevi predicted.
Gusev expects to see a big rush to figure out what complex algorithms can be efficiently implemented through homomorphic encryption and where the technology is limited. "More generally, [homomorphic encryption] applications could really change the way we think about data sharing, by allowing patients to participate in studies without sacrificing their privacy or requiring complex arrangements and by allowing researchers to crowdsource participants without requiring them to release their sensitive data," he said.