Encryption is like phone networks, or railways, or plumbing—it’s a huge part of our daily lives that we very seldom think about. Encryption protects the most personal information we share online in interactions with our bank, our doctor, our friends, and when we shop, and stream video, and store our photos in the cloud.

All firms encrypt sensitive data—from competitive data to personally identifying information (PII) about individuals—that has to be protected at rest or in transit. Regulations like the General Data Protection Regulation (GDPR) make the misuse of PII a very expensive mistake for financial institutions to make.

Fortunately, modern encryption standards like the Advanced Encryption Standard (AES) are extremely robust. But no matter how seemingly unbreakable, they are not perfect. Imagine getting an encrypted email. When you open it, it’s just a weird, unreadable scramble of characters. If you wanted to read it, you would have to decrypt it, leaving it in the clear for as long as it took you to absorb and react to the information you receive. For the duration of the processing, the data is vulnerable. And, moreover, it’s exposed to whoever is processing it.

How to process data without having to reveal the data has been a concern of cryptographers for decades. And now technology companies and banks are (often quite secretively) working on an encryption scheme called homomorphic encryption (HE), with a selling point that sounds almost too good to be true: What if you could perform computations on ciphertext (an encrypted document) without having to decrypt it first?

“Today, there are industries—especially those that are heavily regulated—that have the challenge that on the one hand, they want to do collaborative data science, but on the other hand, have various security and privacy challenges stopping them,” says Alon Kaufman, CEO and co-founder of Duality Technologies.

Duality is a cryptography and data science company that is working on bringing homomorphic encryption to firms in financial services, insurance, retail, healthcare and the automotive industries. 

“These industries see a lot of value in working together on data, but can’t just go and do it freely,” Kaufman says.

Certainly for financial firms, the possibilities of this technology appear endless. Banks could pool data with competitors for analysis or offer personalized services without having to reveal clients’ personal information. Cloud customers could store data remotely without having to trust that the cloud service is managing the data securely. You could store very sensitive data in your Dropbox or even on your phone. (WatersTechnology took a closer look at some of those use cases. click here to read more.)

Duality has been working closely with the Cyber Defence Alliance (CDA)—a non-profit anti-fraud alliance of banks including Lloyds, Santander, and Deutsche Bank—piloting a solution leveraging homomorphic encryption for cybercrime and fraud detection.

Maria Vello, CEO of CDA, is excited about the possibilities of homomorphic encryption. She thinks it could make banks more comfortable with joining fraud investigations. The CDA tries to get banks to share information about cybercrime to look for patterns, but has found that many are reluctant to open up, for reputational, economic, and legal reasons.

“Some banks will share a lot to identify criminal activity, while others are still risk-averse. So we thought that if we leveraged a technology like homomorphic encryption and were able to obfuscate the data and get the answers we need for further investigations, we could get the banks to share more,” Vello says.

One exploit at a bank is just one of the thousands of hacks that happen daily. But what if you could find similar incidents across five or six banks, proving that there is a pattern of crime that might amount to large-scale instances of fraud, information loss, and monetary loss—the kind of numbers that make law enforcement sit up and take notice? And what if, crucially, you could share all this information with peers and competitors without revealing sensitive data? 

“If one bank goes to law enforcement and says, ‘We are seeing this type of fraud’—well, no one has enough capacity to follow that up,” Vello says. “So law enforcement might say, ‘This is not significant enough; there are not enough victims.’ But if we suspect there is a new fraud scheme emerging, we can say we have a bigger case [where] we are seeing it across multiple banks. The interest from law enforcement goes up if we can build a bigger case and make it actionable.”

The CDA has tested a proof-of-concept with Duality that would enable banks to share information on criminal activity. They have been working with synthetic data so far, identifying the fields they want to search to find cases of fraud.

“You never get the broad data back, you just get the computations,” Vello says. “No one knows the questions you are asking, no one knows what you are querying.”

For example: There could be a phone number that is suspected to be linked to a case of fraud. The CDA could ask the banks for their records, look for that phone number and see if it is linked to a particular name or address.

“All you are going to get is numbers, computations. But you would know which bank to go to for the information and its propensity for sharing information,” Vello says.

Duality’s Kaufman says banks could collaborate on anti-money-laundering and know-your-customer (AML/KYC) processes, as well as fraud cases.

“This is relatively simple data science, running simple queries on models. But one bank could run the model on another bank’s premises without disclosing, for example, who is the suspect [in a fraud case].”

The CDA and Duality took part in the Financial Conduct Authority’s TechSprint this year, and presented on this concept.

A Brief History of HE

Homomorphic encryption might sound like science fiction, but it’s not a new concept. When the seminal RSA algorithm, still one of the most widely used encryption schemes in the world, was theorized back in the 1970s, its creators noted that it had some homomorphic properties. Two of its developers went on to ask, what could one do with a scheme that was fully homomorphic? That is: Could there be an encryption function that permits encrypted data to be operated on without decrypting the operands?

This problem was answered in 2009 by IBM researcher Craig Gentry, whose doctoral dissertation put forward the first fully homomorphic encryption scheme. Gentry wrote in his abstract that, “such a scheme allows one to compute arbitrary functions over encrypted data without the decryption key.”

Gentry’s breakthrough was a major event in the cryptography world. Kurt Rohloff is now CTO and co-founder of Duality, but in 2009, he was running research projects in high-performance computing and data analytics funded by the Defense Advanced Research Projects Agency (Darpa), the research arm of the US military.

Darpa gave Rohloff money to form a team to take homomorphic encryption from theory to practice with a software and hardware implementation. “So I can honestly say that I have been building this technology, implementing and applying it longer than anyone else in the public space,” Rohloff says.

Fully homomorphic encryption has not made its way into commercial applications because it comes with a high computational overhead. It was billions of times slower to run computations on ciphertext than plaintext in 2009 when Gentry published his thesis; although companies like Duality and IBM say they have reduced runtime greatly, many commentators, like security guru Bruce Schneier, say fully homomorphic encryption is not really possible.

Rohloff, however, says this is a mis­perception—homomorphic encryption is “very practical, very feasible for high-value problems,” he says.

He points to his own work on the Darpa-funded project as proof. His project delivered scalable, secure voice over IP (VoIP) teleconferencing on ordinary iPhone 5S handsets and over commercial data networks.

“We basically improved runtime performance of HE by six-plus orders of magnitude every six months for that six-year period,” Rohloff says.

Rohloff says he and Duality’s other co-founders, Vinod Vaikuntanathan and Shafi Goldwasser, believe in the commercial viability of HE.

“We have collectively drunk the Kool-Aid on the high value and potential impact of this technology,” Rohloff says.

Vaikuntanathan and Goldwasser are professors of computer science at MIT, and Goldwasser won the Turing Award—the computer science world’s equivalent of the Nobel Prize—in 2012. She co-invented zero knowledge proofs, which remain one of the most revolutionary technologies for verification.

Speed and Standards

Duality is not alone in marketing homomorphic encryption for commercial use. Microsoft, IBM, Google, and others all have solutions around this form of encryption. Researchers with these organizations say they have sped up work with HE using various techniques. One way is to use open-source libraries like Palisade (which Rohloff helped to develop and Duality still leverages) or Microsoft’s SEAL.

Flavio Bergamaschi, senior research scientist at IBM, says his team has performed an homomorphic encryption experiment on real data with a bank. They proved they could run 256-bit encryption and it was only 50 times as slow as it would have been running the computations in Python on plaintext. (See the accompanying feature on HE on page 20.)

Bergamaschi predicts HE products will really emerge over the next year.

The CDA’s Vello says that in partnering with Duality, they have had some issues with the length of time a query took, but the developers are progressively decreasing runtime. She says Duality has promised it can deliver it at 10 times faster in the first quarter of next year.

“I think the evolution of this technology and the transformation of encryption is at a point now where it is going to increase at a very steady rate,” she says.

Companies in this space also like to point out that HE is futureproof, as it is robust against quantum computing. Gentry’s scheme for fully homomorphic encryption is based on “ideal lattices,” a concept in number theory. Lattice cryptography is a family of crypto schemes whose security derives from these complex algebraic structures. It probably takes a math degree to understand this, but what the layman can grasp is that lattice cryptography is so complicated that even a quantum computer cannot break the cipher—or at least it cannot as we understand quantum today.

“There has been a lot of anxiety about the prospect of advanced quantum computing devices breaking traditional crypto systems like RSA, for example,” Rohloff says. “And there has been a push in the security community, in the crypto community, to define what is called post-quantum crypto standards.”

The basic premise of encryption is that security is derived from hard math problems, he says: If you can show the difficulty of breaking a cryptographic system is at least as hard as solving a problem, then you know that the crypto system is secure. The problem that defined RSA (factoring) is believed to be crackable by quantum computing, Rohloff says.

“But the underlying math hardness properties of the lattice-based crypto systems, which are the underlying infrastructure of HE, are believed to be quantum safe, meaning that they cannot be cracked easily by quantum computing devices.”

At the same time, collaboration among firms exploring homomorphic encryption is growing, particularly to develop standards. Duality have led these standardization efforts, with Rohloff and Vaikuntanathan heading the formation of a consortium that includes government bodies like the National Institute of Science and Technology (NIST), academics, corporates, and tech firms including Intel, Microsoft, IBM, Google and Inpher.

“We have been having two meetings a year for the past several years, and we have draft standards that mostly define protocols and security settings,” Rohloff says.

The standards define protocols (how the keys are generated, for example); security parameters like the size of the keys; and the API standard—what it looks like to call a crypto library.

“That third one is not so much for security as it is to make the libraries interoperable. So people can design once and not have to re-engineer as libraries evolve, for example,” Rohloff says.

Duality is applying homomorphic encryption in other industries, too, doing work on genomic data, for example. Rohloff would like to see HE become so much a part of life that it becomes boring, in the way that AES is now.

Kaufman says that in an increasingly data-driven world, where regulators and individuals are worried about data privacy and ethical AI, homomorphic encryption can enable collaboration without compromising on security and without companies giving up their IP. 

“This is going to be a critical technology going forward,” Kaufman says. “It is becoming practical, and with the rise of standards and the advancement in AI, the ability to use this data and derive value from it without disclosing it—that is highly critical.”