Oil and water or belt and suspenders? Confidential Computing and Homomorphic Encryption… are these two security technologies opposing or complementary? Spoiler: these are complementary in terms of both utility and time horizon.
But before we get there, let’s take care of some preliminaries. We can think of data as having three phases. Instead of solid, liquid, and gas, we have at rest, in use, and in transit. Security technologies have been widely available and adopted for data at rest and in transit. When we record sensitive information, we encrypt it on disk. When we transmit it, we use encrypted protocols like Transport Layer Security (TLS). However, when we make use of that information, it has been loaded necessarily in plain text in system memory. There it is exposed to adversaries in the host from malware to insider actors. A small handful of technologies are available to protect this “data in use” phase.
Prominently among them are Confidential Computing and Homomorphic Encryption (usually, Fully Homomorphic Encryption or FHE). As defined by the CCC, “Confidential Computing protects data in use by performing computation in a hardware-based, attested Trusted Execution Environment.” Confidential Computing is widely available today for use in enterprises and by datacenters for cloud platforms. It came on the datacenter scene in the last couple of years, and cloud providers are continuing to broaden their Confidential Computing offerings to expand their security capabilities. FHE research has matured tremendously over the last decade, and we anticipate that it will be commercially useable in another 2-3 years. At that point, Confidential Computing and FHE will be simultaneously available and augment each other. To understand how, let’s look at each individually first.
FHE is a pure cryptographic technique. It enables performing computation on encrypted data without first decrypting it. Given two encrypted values, you can add, subtract, or multiply them, arriving at a still encrypted result. Modern FHE extends that to large sets of numbers and large amounts of operations that represent higher-level tasks. Among its strengths are that the only thing you must trust is the math, not the host, system admins, or software. The challenges to commercial adoption are in at least a few areas. First, FHE can be 1,000 to 1,000,000 times slower than doing those same operations without FHE. An operation that normally takes a millisecond might instead take minutes to complete making FHE “impractical for general purpose computations due to its poor performance.” Second, the size of the encrypted data is also significantly larger (ciphertext expansion). That means that just transmitting and storing this kind of encryption gets more expensive and slower. Third, FHE does not implicitly provide integrity. That means that even though the information is protected from reading it is not protected from unwanted changes. Code integrity is out-of-scope of the FHE security model. This last point is significant. An adopter needs to incorporate some way to enforce that only authorized changes are made to the encrypted values. Let’s say you were to trust a banking service that added encrypted deposits to a joint bank account. Without integrity checks you would not have a way to know that the service wasn’t altering the amounts. Also, FHE alone is not a solution. It is a primitive operation. A solution must compose this primitive with other techniques, and so integration with other security technologies is also necessary (hint: Confidential Computing).
Confidential Computing also has some limitations. There are potential side-channels that are difficult to guard against. For all that, Confidential Computing has clear strengths. It is practical. You can use existing code and protect it without modification or choose to dial into greater levels of precision with software development kits (SDKs). Performance impacts are generally within a few percentage points, not orders of magnitude. It is widely available from cloud providers and hardware vendors. The preceding years have seen a growth in software vendors and system integrators offering Confidential Computing based solutions. Over the next few years, we will see the technology continue to strengthen. Confidential Computing can also enforce code integrity. For example, some implementations like Intel® SGX take a measurement—a cryptographic hash—of the protected enclave memory when it is loaded and can report that value along with the computed result or output. That lets you know that, bit for bit, the code you wrote is the code that was loaded. The output of your Confidential Computing application can be bound to those measurements using attestation (a hardware-signed message listing the measurement of the code and, optionally, a hash of the resulting output).
Given the strengths and limitations of FHE and Confidential Computing, we can start to see where they can complement each other. Perhaps most significantly, Confidential Computing provides code integrity (at load time), whereas code integrity is out of scope for the FHE model. What this could look like is sending the FHE-based encrypted values into a Confidential Computing enclave. The integrity of the enclave program has been checked by the hardware. The result of the program is accompanied by a hardware-based attestation which gives evidence that the encrypted output was the result of an intended computation. Likewise, using FHE in the enclave adds defense in depth against any attacks that penetrate the enclave or are fundamentally outside the threat model of the enclave.
Confidential Computing is available in production today. It provides practical, useful protections for data in use and in a few years, we should see Homomorphic Encryption become available for production use cases. Running FHE computations in a Confidential Computing enclave will add code integrity protection to FHE and defense in depth to Confidential Computing.
Ulf Mattsson. “Security and Performance of Homomorphic Encryption.” Global Security Mag, https://www.globalsecuritymag.com/Security-and-Performance-of,20210601,112333.html Jun 2021.
Gentry, Craig, Shai Halevi, and Nigel P. Smart. “Homomorphic evaluation of the AES circuit.” Advances in Cryptology–CRYPTO 2012: 32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2012. Proceedings. Springer Berlin Heidelberg, 2012. (Updated 2015).
Sidorov, Vasily, Ethan Yi Fan Wei, and Wee Keong Ng. “Comprehensive performance analysis of homomorphic cryptosystems for practical data processing.” arXiv preprint arXiv:2202.02960 (2022).