Privacy professionals are witnessing a revolution in privacy technology. The emergence and maturing of new privacy-enhancing technologies that allow for data use and collaboration without sharing plain text data or sending data to a central location are part of this revolution.
The United Nations, the , the U.S. White House, the European Union Agency for Cybersecurity, the UK Royal Society, and Singapore’s media and privacy authorities all released reports, guidelines and regulatory sandboxes around the use of PETs in quick succession. We are in an era where there are high hopes for data insights to be leveraged for the public good while maintaining privacy principles and enhanced security.
A prominent example of a PET is fully homomorphic encryption, often mentioned in the same breath as differential privacy, federated learning, secure multiparty computation, private set intersection, synthetic data, zero knowledge proofs or trusted execution environments.
As FHE advances and becomes standardized, it has the potential to revolutionize the way we handle, protect and utilize personal data. Staying informed about the latest advancements in this field can help privacy pros prepare for the changes ahead in this rapidly evolving digital landscape.
Homomorphic encryption: A game changer?
FHE is a groundbreaking cryptographic technique that enables third parties to process information without revealing the data itself by running computations on encrypted data.
This technology can have far-reaching implications for secure data analytics. Requests to a databank can be answered without accessing its plain text data, as the analysis is conducted on data that remains encrypted. This adds a third layer of security for data when in use, along with protecting data at rest and in transit.
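The databank scenario above, as an added example that is not part of the original article: the data owner encrypts records, an untrusted server aggregates them without the key, and only the owner can decrypt the result. It uses textbook Paillier, which is only additively homomorphic (a simpler relative of FHE, not FHE itself), with constructed toy primes; all function names are illustrative.

```python
import math
import secrets

# Constructed demo parameters: two known Mersenne primes. Far too small for
# real use; production keys need primes of 1024 bits or more.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p=P, q=Q):
    n = p * q
    phi = (p - 1) * (q - 1)
    return n, (phi, pow(phi, -1, n))   # public modulus, private (phi, phi^-1 mod n)

def encrypt(n, m):
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1            # fresh randomness per ciphertext
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return ((1 + m * n) * pow(r, n, n2)) % n2   # (1+n)^m * r^n mod n^2

def decrypt(n, priv, c):
    phi, phi_inv = priv
    u = pow(c, phi, n * n)                      # equals 1 + m*phi*n mod n^2
    return ((u - 1) // n * phi_inv) % n

def server_sum(n, ciphertexts):
    """Runs on the untrusted side: sees only n and ciphertexts, never the key."""
    total = encrypt(n, 0)
    for c in ciphertexts:
        total = (total * c) % (n * n)           # multiplying ciphertexts adds plaintexts
    return total

def server_scale(n, c, k):
    """Multiply the hidden plaintext by a public constant k."""
    return pow(c, k, n * n)

def demo():
    n, priv = keygen()
    records = [52_000, 61_500, 48_250]          # constructed sample values
    encrypted = [encrypt(n, v) for v in records]
    enc_total = server_sum(n, encrypted)        # computed without decrypting
    return decrypt(n, priv, enc_total), decrypt(n, priv, server_scale(n, enc_total, 2))

if __name__ == "__main__":
    print(demo())
```

A fully homomorphic scheme additionally supports multiplying two encrypted values, which is what allows arbitrary computations rather than only sums and scaling.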
As use cases for FHE seem rather straightforward, applications are of high interest to financial services, health care, government and wider industry stakeholders. Examples include secure cloud computing, manufacturing, secure analytics, privacy-preserving machine learning, secure communication, data outsourcing and processing, and secure search. In addition, FHE schemes are believed to be quantum resistant and protect against quantum computing attacks.
Recent developments and standardization efforts
With ISO/IEC WD 18033-8, the International Organization for Standardization and the International Electrotechnical Commission initiated an official project to establish FHE standards. Currently, the project is in the comments resolution phase, with passage of this first-of-its-kind FHE standard expected within the next few years.
Following the current standard's passage, the next phase might involve developing application domain standards, including memory encryption, wireless communication, location services, portable devices and multistakeholder software-defined networks at the edge. Areas for further standardization may also include compilers, executables, formats, interoperability tools and FHE-Virtual Machines.
One priority will be to harness guidelines for key management, as the current public key infrastructure is not well-suited for FHE. Here, it could be useful for the Internet Engineering Task Force, a standards organization for the technical standards of the internet, to get involved and support developments in FHE adoption.
Other standardization bodies, such as the National Institute of Standards and Technology, are supporting developments for the successful adoption and recognition of FHE. The NIST's current call for proposals for cryptographic threshold schemes to achieve a secure distribution of trust includes FHE. The NIST is looking forward to publishing selected schemes as recommendations, potentially leading to future standardization efforts in a second step. Additionally, a high-level NIST report will outline specific aspects of FHE standardization. These collaborative efforts will ultimately contribute to wider adoption and regulatory recognition of the technology.
Uptake of FHE: Identifying the benefits and educating stakeholders
Potential users and stakeholders who can benefit from being informed and staying up to date about FHE applications include developers, customers and regulators.
For developers, a variety of open-source libraries are available for public use and contributions, including OpenFHE, TFHE and HEAAN, as well as compilers. These help developers convert source code written in the C++ programming language to implement FHE in their own applications, for example.
For customers, an overview of potential use cases might be harder to grasp. Recent publications by regulators and data protection bodies, such as the U.K. Information Commissioner’s Office and ENISA, provide guidance on when FHE can be the technology of choice.
Furthermore, critical discussions regularly evolve in the community around how FHE can be interpreted in the light of legal frameworks regarding anonymization and deidentification of personal data. While, under specific circumstances, it can be argued FHE can serve as a means of anonymizing personal data, encryption is generally seen as enhancing security through pseudonymizing personal data. In this regard, it would be helpful if regulators clarified open questions around FHE fulfilling anonymization or deidentification standards in various jurisdictions or under the new privacy-enhancing data deidentification framework ISO/IEC 27559:2022.
Challenges in adopting PETs
While homomorphic encryption and other PETs show great promise, challenges persist in their widespread adoption. As mentioned, the absence of widely recognized standards and regulatory certainties can hinder the interoperability and compatibility of PETs, making it difficult for organizations to integrate them into existing systems or making companies hesitant to adopt PETs due to potential compliance issues. Additionally, the technical complexity and performance trade-offs can hinder adoption.
The ongoing ISO standardization efforts for FHE are crucial in addressing these challenges. Establishing standards will not only improve interoperability and compatibility but also provide regulatory recognition, further emphasizing the importance of FHE in data privacy and security. New hardware solutions for homomorphic encryption, currently under development, will eventually make the technology widely accessible. In particular, the U.S. Defense Advanced Research Projects Agency is sponsoring the development of hardware chips specifically designed to accelerate the implementation of FHE algorithms under its "Data Protection in Virtual Environments" program. DPRIVE aims to develop an FHE infrastructure to reduce the processing overhead required for FHE calculations to within one order of magnitude of current performance on unencrypted data. When these ambitious goals are met, FHE will likely enter into mainstream adoption in practical data security applications.
Importance of FHE for privacy pros
FHE has the potential to revolutionize data security and privacy across industries. The increasing international developments and political support for PETs show they are no longer confined to academic research and will soon enter the mainstream. With impending standardization and hardware solutions, various application domains are expected to advance rapidly. Being aware of the latest developments and having a cryptographer on a privacy engineering team can help prepare for upcoming developments, make informed decisions and advocate for the responsible use of AI with available emerging PETs.