Blog | Townsend Security

Homomorphic Encryption is Cool, and You Should NOT Use It

Written by Patrick Townsend | Oct 6, 2014 5:33:00 PM

The academic cryptographic community has been very inventive lately and we are seeing some promising new encryption technologies start to emerge. Format preserving encryption is moving through a standards track at the National Institute of Standards and Technology (NIST) and I think we will see one or more of the proposed FFX modes of encryption achieve standards status soon.

Homomorphic encryption is also a promising encryption approach that allows for various operations on encrypted (ciphertext) values without having to first decrypt the value. That’s pretty cool. There are a number of cryptographers working on approaches to homomorphic encryption, but at this point there is no clear consensus on the right approach. I suspect that some consensus on the best approach will emerge, but it may take some time for this to happen. Cryptography is hard, and it needs time for proper examination and analysis of both mathematical and implementation strengths and weaknesses before its adoption in commercial systems. We need to give the cryptographic community time to do their work.

If homomorphic encryption is cool, why not use it?

It has not achieved wide review and acceptance
While there is promising work on homomorphic encryption, there is no clear consensus on the best method or implementation approach. Typically a new cryptographic method will not get a full review from the cryptographic community until there is some consensus, and not until a standards body takes up the new method in a formal review process. There are a large number of potentially good encryption methods that have been thoroughly reviewed by the professional cryptographic community but which have not achieved the status of an approved standard.

Homomorphic encryption has not yet been through this process and it is too early to trust any current proposals or implementations.

It is not a standard
Standards are important in the encryption world. Standard encryption algorithms receive the full scrutiny of the professional cryptographic community and we all benefit from this. Weaknesses are discovered much faster, weak implementations are identified, and we all have much more confidence in encryption based on standards. The Advanced Encryption Standard (AES) has stood the test of time since its adoption by NIST in 2001.

Homomorphic encryption has not yet achieved the status of an accepted and published standard.

Note: Mathematical proofs do not a standard make. They are required as a part of the standards review and adoption process, but mathematical proofs alone do not rise to a level of an accepted standard. Claims to the contrary are false.

It cannot be certified by a standards body
Since homomorphic encryption is not a standard, there is no independent standards body process to validate a vendor’s implementation. This is important - in an early study by NIST of encryption solutions submitted for validation, nearly 37% of the solutions contained errors in the implementation and failed validation. The failure rate for implementations of homomorphic encryption are likely as high and unknowable. All serious vendors of encryption technology have validated their AES implementations to FIPS 197 standard through the NIST AES validation process.

No such similar standards validation process exists for homographic encryption.

It cannot achieve FIPS 140-2 validation
Encryption key management solutions are cryptographic modules and can be validated to the FIPS 140-2 standard. NIST has established a validation process through a number of chartered test labs. All serious vendors of encryption and key management solutions validate their products through this process. One of the first steps in key management FIPS 140-2 validation is validation of the encryption methods used by the key manager. The approved encryption methods are documented in Annex A of FIPS 140-2.

Homomorphic encryption is not an approved encryption method and cannot be validated to FIPS 140-2 at this point. Any representation that homomorphic encryption or key management systems implemented with it are “FIPS 140-2 compliant” is false.

Intellectual property claims are not resolved
Organizations large and small are rightfully concerned about violating patents and other intellectual property claims on information technology. At the present time there are multiple vendors claiming patents on homomorphic encryption techniques. Most encryption methods that have been adopted as standards are free of these types of IP claims, but homomorphic encryption is not free of them.

Organizations would be wise to be cautious about deploying homomorphic encryption until the patent and intellectual property issues are clearer.

Compliance regulations prohibit its use
Many compliance regulations such as PCI-DSS, HIPAA/HITECH, FISMA, and others are clear that only encryption based on industry standards meet minimal requirements. Standards bodies such as NIST, ISO, and ANSI have published standards for a variety of encryption methods including the Advanced Encryption Standard (AES).

Homomorphic encryption is not a standard and it is difficult to imagine that it could meet the minimum requirements of these and other compliance regulations.

Summary
Homomorphic encryption is a promising new cryptographic method and I hope that we will continue to see the cryptographic community work on it, and that we will see its future adoption by standards bodies with a proper validation processes. We just aren’t there yet.