
Is homomorphic encryption the answer to enterprise encryption issues?

Homomorphic encryption can be used to bypass encryption, but it's for the good of all. Application security expert Michael Cobb explains.

I recently read something about schemes that use homomorphic encryption to bypass encryption. How does homomorphic encryption work, and what steps can my organization take to prevent it?

Homomorphic encryption is actually a breakthrough in encryption techniques, not a breaking of encryption. Let me explain.

Strong encryption is the best way to keep sensitive data and information secure because it renders the data meaningless. This very attribute, though, means the data can't be used or processed while it is encrypted; to edit an encrypted file or perform operations on an encrypted database, the data has to be decrypted first, which immediately removes the protection that encryption provides. For example, in the simple Customer Order table below, the data in row 1 is in plaintext, so calculating the total value of the order is easy: 2 times 20.00 = 40.00. The same data is encrypted in row 2, but how do you multiply FBjOII6Eu8c= by tiwlGzIV9uY= and get the correct answer of 40.00 while still keeping the data and the answer encrypted? Answer: homomorphic encryption.

|            | Id | Quantity     | Price        |
|------------|----|--------------|--------------|
| Plaintext  | 1  | 2            | 20.00        |
| Ciphertext | 2  | FBjOII6Eu8c= | tiwlGzIV9uY= |

Homomorphic encryption allows computations to be carried out directly on encrypted data, or ciphertext. These computations generate an encrypted result that, once decrypted, is the same as if the computations had been done on the unencrypted data, or plaintext.

So using homomorphic encryption to multiply FBjOII6Eu8c= by tiwlGzIV9uY= would generate ubXOlx4aHAc= as the encrypted answer of 40.00. The ability to keep sensitive data encrypted at all times would be a huge boost to Internet security as information such as an online shopping order that is passed to various services provided by different companies (e.g., accounts, fulfillment, shipping, payment and so on) could be processed without exposing the unencrypted data to any of them. Its use in cloud computing environments is another obvious example; a program that never needs to decrypt its data can be run by an untrusted party, making outsourcing services that handle sensitive data a lot less risky.
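The order-total calculation above can be reproduced with ElGamal, which is homomorphic for multiplication only and is not the fully homomorphic scheme the article goes on to discuss. This is an added example, not code from the article or from IBM; the toy parameters `P` and `G`, the use of integer cents for the price, and all function names are assumptions made for the illustration.

```python
import secrets

# Toy parameters for illustration only (assumptions, not vetted for real use).
P = 2**127 - 1   # a Mersenne prime used as the modulus
G = 3            # base element chosen for this demo

def keygen():
    """Return (private_key, public_key)."""
    x = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return x, pow(G, x, P)

def encrypt(pub, m):
    """Encrypt an integer 1 <= m < P using fresh randomness on every call."""
    if not 1 <= m < P:
        raise ValueError("message out of range")
    r = secrets.randbelow(P - 3) + 2
    return pow(G, r, P), (m * pow(pub, r, P)) % P

def decrypt(priv, ct):
    """Recover the plaintext integer; only the key holder can do this."""
    c1, c2 = ct
    shared = pow(c1, priv, P)
    return (c2 * pow(shared, -1, P)) % P      # needs Python 3.8+

def multiply(ct_a, ct_b):
    """Multiply two ciphertexts component-wise. No key is needed, and the
    result decrypts to the product of the plaintexts (mod P)."""
    return (ct_a[0] * ct_b[0]) % P, (ct_a[1] * ct_b[1]) % P

def order_total_cents(priv, pub, quantity, price_cents):
    """Owner encrypts, an untrusted party multiplies, owner decrypts."""
    enc_qty = encrypt(pub, quantity)
    enc_price = encrypt(pub, price_cents)
    enc_total = multiply(enc_qty, enc_price)  # the untrusted party's only step
    return decrypt(priv, enc_total)

if __name__ == "__main__":
    priv, pub = keygen()
    # Row 1 of the table: quantity 2, price 20.00 (2000 cents).
    print(order_total_cents(priv, pub, 2, 2000))  # 4000 cents = 40.00
```

The product is only correct while it stays below `P`, and the party doing the multiplication sees nothing but the ciphertext pairs.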

This perfect state of protection has mainly been theoretical as the computational power and time required to perform even a simple calculation have made it impractical. However, IBM, which has been working on this problem for a long time, was recently granted a patent for an efficient implementation of fully homomorphic encryption, which may mean that a practical solution to performing computations securely may be on the distant horizon. I say distant because the algorithms and working implementations -- a common weakness with encryption technology in general -- would need to be analyzed and stress-tested by the global security community to validate that they are indeed secure. To this end, IBM is offering public challenges for its homomorphic encryption schemes so that any successful attacks can be examined in detail.

Victor Shoup and Shai Halevi of the IBM T. J. Watson Research Center released HElib, an open source library that implements homomorphic encryption, targeted mainly at fellow researchers. There is also the hcrypt project, but again its library should not be used for any mission-critical applications. The Homomorphic Encryption Project is also aiming to provide homomorphic encryption libraries for developers.

If a practical homomorphic encryption technology does emerge, then the Internet, cloud computing and the Internet of Things can all be far more secure; hopefully IBM researcher Craig Gentry -- who came up with the first fully homomorphic encryption scheme -- and others can crack this challenge.


This was last published in April 2015
