Homomorphic encryption (HE)

• What is homomorphic encryption and what does it do?
• How does HE assist with data protection compliance?
• What do we need to know about implementing HE?
• What are the risks associated with using homomorphic encryption?

What is homomorphic encryption and what does it do?

Homomorphic encryption allows you to perform computations on encrypted information without first decrypting it. The computations themselves are also encrypted. Once you decrypt them, the result is an output identical to what would have been produced if you had performed the computation on the original plaintext data.

There are three types of homomorphic encryption:

• fully (FHE);
• somewhat (SHE); and
• partial (PHE).

You should choose the HE scheme based on the nature, scale and the purpose of your processing and the type of computation you require to fulfil your purposes. You should also consider the number of different types of mathematical operations the HE scheme supports, as well as any limit to how many operations the scheme can perform.

HE uses a public key-generation algorithm to generate a pair of private and public keys, and an evaluation key. The evaluation key is needed to perform computations on the encrypted information when it is shared with the entity that will perform them. This entity does not need access to the private key to perform the analysis. The client, who retains the private key, can then decrypt the output to obtain the result they require. Any entity that has only the public and the evaluation keys cannot learn anything about the encrypted data in isolation.

How does HE assist with data protection compliance?

HE can help you to ensure:

• security and confidentiality - it can minimise the risk from data breaches, if they occur. This is because personal information remains encrypted at rest, in transit and during computation. For example, because HE renders the information unintelligible to an attacker, the risks people are reduced; and
• accuracy - it provides a level of assurance that the result of a computation is the same as if you performed it on unencrypted data, as long as you ensure the inputs are correct prior to encryption taking place. This is because HE does not require you to alter the information in other ways (eg adding “noise” like differential privacy). This means the result may be different from performing the processing on unencrypted data.

HE can also be a building block for other PETs, such as private-set intersection and federated learning.

HE can provide a level of guarantee to an organisation when outsourcing a computation in an untrusted setting, without the other party ever learning about the “original” unencrypted data, the computation, or result of the computation.

What do we need to know about implementing HE?

FHE can add significant computational overhead (several thousand times slower than processing plaintext) and increase communications cost. It may therefore not be appropriate if you process large volumes of personal information.

FHE’s performance deficit is reducing due to technological progress. For example, increasing computational power and efficiency improvements of the FHE algorithms. This means challenges relating to computational overhead and costs are likely to become less significant over time, and FHE may therefore become more viable for large-scale processing operations. At present, FHE is suitable for some types of computation (eg addition operations), but it is still not feasible for many types of processing due to the computational cost.

Other schemes such as PHE and SHE are less affected by overhead but are more limited in terms of mathematical operations they support.

There are also off-the-shelf HE products and services, including open-source solutions. These can help you to implement HE, if you do not have the sufficient technical expertise. For example, these products and services can provide:

• the underlying cryptographic operations;
• application programming interfaces (APIs);
• key generation;
• encryption and decryption; and
• particular addition or multiplication functions.

Additionally, industry efforts to standardise HE schemes are ongoing. You should monitor the effectiveness of the solution you choose as technologies continue to develop.

What are the risks associated with using homomorphic encryption?

HE has similar risks to encryption more generally. You should ensure that you:

• choose the right algorithm;
• choose the right key size;
• choose the right software; and
• keep the key secure.

This is particularly important with HE because the private key can be used to decrypt the outputs. You must therefore use appropriate technical and organisational measures to keep it secure. You must also have processes in place to generate a new key immediately if the original is compromised.

The security of most HE schemes is based on hard mathematical problems that are currently considered to be secure even against quantum computers. You should monitor the effectiveness of your HE scheme as decryption technologies continue to develop.

There are some additional risks that HE may introduce. For example:

• • FHE does not protect against:
    • differencing attacks (attacks using background knowledge about someone to learn sensitive information about them by analysing multiple statistics which includes their information); or
    • dataset recovery through multiple queries.

Therefore, you should consider additional measures, such as rate limiting (ie, controlling the rate at which queries may be submitted) and therefore the number of queries permitted.

• • While HE protects inputs and data during computation, it does not protect the output once it has been decrypted. So, if the output is personal information, you should put in place other encryption measures to mitigate the risks of this information being compromised.