A Cloud that Can't Leak
Researchers at Microsoft have built a virtual vault that could work on medical data without ever decrypting it.
Imagine getting a friend’s advice on a personal problem and being safe in the knowledge that it would be impossible for your friend to divulge the question, or even his own reply.
Researchers at Microsoft have taken a step toward making something similar possible for cloud computing, so that data sent to an Internet server can be used without ever being revealed. Their prototype can perform statistical analyses on encrypted data despite never decrypting it. The results worked out by the software emerge fully encrypted, too, and can only be interpreted using the key in the possession of the data’s owner.
Cloud services are increasingly being used for every kind of computing, from entertainment to business software. Yet there are justifiable fears over security, as the attacks on Sony’s servers that liberated personal details from 100 million accounts demonstrated.
Kristin Lauter, the Microsoft researcher who collaborated with colleagues Vinod Vaikuntanathan and Michael Naehrig on the new design, says it would ensure that data could only escape in an encrypted form that would be nearly impossible for attackers to decode without possession of a user’s decryption key. “This proof of concept shows that we could build a medical service that calculates predictions or warnings based on data from a medical monitor tracking something like heart rate or blood sugar,” she says. “A person’s data would always remain encrypted, and that protects their privacy.”
The prototype storage system is the most practical example yet of a cryptographic technique known as homomorphic encryption. “People have been talking about it for a while as the Holy Grail for cloud computing security,” says Lauter. “We wanted to show that it can already be used for some types of cloud service.”
Researchers recognized the potential value of fully homomorphic encryption (in which software could perform any calculation on encrypted data and produce a result that was also encrypted) many years ago. But until recently, it wasn’t known to be possible, let alone practical. Only in 2009 did Craig Gentry of IBM publish a mathematical proof showing fully homomorphic encryption was possible.
In the relatively short time since, Gentry and other researchers have built on that initial proof to develop more working prototypes, although these remain too inefficient to use on a real cloud server, says Lauter.
Lauter and colleagues implemented only the most efficient parts of a fully homomorphic encryption system. As a result, they’ve produced a system dubbed “somewhat” homomorphic that can only perform some calculations, but is speedy enough to be used in real software. “I’m trying to look at this from a practical perspective and say what can we do now,” she says.
Only additions and a few multiplications can be done on a piece of encrypted data sent to the system, but that’s enough for many services, says Lauter. “You can still do a lot of statistical functions and perform analysis like logistical regression, which is used to do things like predict how likely a person is to have a heart attack,” she says.
The software was tested on an ordinary laptop. It added together 100 numbers, each 128 binary digits long, in 20 milliseconds. This and other performance tests show that such a system could be used for a real cloud service today, says Lauter, without waiting for the fully homomorphic encryption designs to be made practical.
“Those schemes are still very much in flux and evolving fast,” she says. “We’re hoping that people will do serious implementations of our design.”
Daniele Micciancio, a professor and cryptography researcher at the University of California, San Diego, says that Lauter and colleagues have demonstrated a new avenue for work in the area. “She showed that taking a fundamental building block of the schemes for fully homomorphic encryption could be enough to build applications,” he says. “It demonstrates that it is possible to work with homomorphic encryption at different levels.”
As techniques for fully homomorphic encryption evolve, it might be possible to gradually increase the complexity of calculations that can be performed practically. Today, however, performing calculations using fully homomorphic encryption often takes around 30 minutes, not a few milliseconds, says Micciancio.
Carson Sweet, founder and chief executive of Cloudpassage, which works on security for cloud services, says the technology will need considerable development to attract the interest of commercial cloud providers, but could solve significant problems. “You can push encrypted data into a cloud service today, but it can’t be indexed, searched, or operated on,” he says.
Sweet says that the privacy and security issues associated with storing and processing medical records make this an area in which the technology could be deployed first. “Federal government and financial services are other areas where people are willing to accept a performance penalty to get better security,” says Sweet.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today