How a new encryption technique can help protect privacy amid COVID-19

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Dalia Khader, Divisional CISO, Swisslife Global Solution & Husna Siddiqi, Independent Advisory Board Member, UKRI Centre for ART-AI, University of Bath

• COVID-19 has brought the debate on balancing privacy and public interest to the fore.
• A technique called ‘homomorphic encryption ‘ could help us strike the right balance.

The debate over balancing public interest and the basic human right to privacy is not new, but in recent months it has reached almost every household due to Covid-19.

In order to manage the global pandemic, there has been an onslaught of Covid-19 applications, including contact tracing and statistical data analysis tools to help identify patterns that may lead to cures or prevention measures.

Quite understandably, this has led to mixed emotions of relief and worry – relief from experts being able to collect and process data in order to curb the virus, and worry that the apps could be used to for the surveillance of people or to reveal sensitive personal data.

The development of these apps with an “accepted level of data protection” is probably the second most important Covid-19 innovation, after vaccines. The key challenge lies in ensuring information protection within these apps, and subsequently assuring society that the purpose is to trace the virus and not people.

What is homomorphic encryption?

Homomorphic encryption is a cryptographic tool that could offer the much needed balance between public interest and privacy.

Encryption of data is like placing the data in a box and locking it such that it can only be opened (i.e. decrypted) by those that hold the key to unlock the contents. In today’s world, information security specialists have defined three key states of data – data at rest, in transit and in use. Using the analogy of the locked box, encryption of data at rest is putting the locked box in a storage facility, while encryption of data in transit is moving the box from one facility to another without revealing the contents. Modern cryptography has done a great job in protecting data at rest and in transit using different encryption algorithms.

“Encryption of data in use” can be more challenging. An example would be placing two numbers in a box and performing a mathematical calculation on those numbers without having to open the box and see the original numbers. Imagine how useful this mechanism would be in performing Covid-19 related risk calculations while protecting personal data.

Computation over encrypted data is known as homomorphic encryption, which has existed since the 1970s in its partial form, hereafter PHE. There are two types of PHE: additive and multiplicative. This means numbers entered in a locked box can be either added or multiplied (but not both) with each other without revealing the original contents. For more complex calculations involving both operations, a full homomorphic encryption, hereafter FHE, is needed. The concept of FHE was barely a dream until the computer scientist Craig Gentry made it a reality in 2009.

Figure 1 illustrates homomorphic encryption using the analogy of boxes, sticks and dynamites that somewhat defy the laws of physics but could help readers visualise the concept.

PHE: The blue boxes and pink boxes in figure 1 are locked and can only be unlocked by those holding the key.

• When sticks are entered in pink boxes and then multiple pink boxes are connected with each other, the borders between them disappear adding all the sticks together.
• The blue boxes allow for dynamites to be entered. When boxes of this type are connected together, their internal borders also disappear but the number of dynamites multiply with the number of dynamites in the adjacent box, resulting in number of sticks that equal to the product.

The pink and blue boxes do not connect with each other. This means if we wanted to perform a complex function that involves both addition and multiplication, the process would involve taking out the contents in the midst of the calculation at some point.

FHE: If addition and multiplication needs to be performed without having to take the contents out of the boxes (i.e. enabling end to end encryption during computation), a new type of box needs to be designed which allows for the operation to be set to addition or multiplication as needed.

The table below gives examples of the homomorphic encryption in context of a University gathering Covid-19 research data.

Despite the strong privacy notion provided by FHE, it is not used today due to being computationally inefficient.

The speed ratio between FHE and the calculation of un-encrypted data is actually 450 times greater than the ratio of the average man walking and a passenger aircraft.

Nevertheless, crisis is the mother of innovations. In 2020, the year of Covid-19, recent initiatives led to FHE becoming 1000 times faster than Gentry solution; an excellent indication that we are on the right track.