For decades, society has benefitted from modern cryptography to protect our sensitive data during transmission and at rest. It seems daily that we see news about data breaches, privacy lapses, and inadvertent disclosures of information. In a real sense data privacy has gone from boardroom discussion a decade ago, to dinner table discussion.
For IBM Z clients today, data can already be encrypted at rest and in-flight with pervasive encryption. Clients can also protect data with Data Privacy Passports on IBM Z, a consolidated data-centric audit and protection technology (DCAP)* for eligible data that has the capability to protect data along its journey through your enterprise by setting appropriate data protection controls. However, we have never been able to keep the data protected and processed simultaneously, a concept known as Fully Homomorphic Encryption (FHE).
Today, we are announcing a new FHE toolkit for Linux, bringing FHE to multiple Linux distributions for IBM Z and x86 architectures. The toolkit for IBM Z supports Ubuntu at launch time. We support Ubuntu, Fedora, and CentOS editions of the toolkit for x86 platforms. Experienced Docker developers can easily port this toolkit to their preferred distribution. The journey to pervasive FHE starts with these reference implementations, but we anticipate that it will evolve with community involvement.
Today’s announcement takes our commitment to Linux and security a step further to add data in-use security capabilities – the missing link of end-to-end encryption. Our initial release support targets enterprise developers on distributed platforms as well as day-one support on IBM Z to enable our clients, those that the world trusts daily with our most sensitive data, to experiment easily with FHE.
How We Got Here
In 2009, IBM invented FHE, which has been touted as the “holy grail” of cloud security. The idea is simple, you can now process sensitive data without providing unencrypted access to that sensitive data. In short, you can’t steal information when you can’t understand it (even when it’s in plain sight). To give you a practical example, insurance companies can run analysis on patient healthcare data, without any personal identifiable information being visible to the insurer.
Initially FHE was too slow for practical use, but here we are 11 years later and the cryptography has reached an inflection point where its performance is now becoming useable. What once took hours and days and required a PhD in computer science can now be done in minutes by enterprise developers.
Making FHE Easy
Since starting our early work with clients like Brazil’s Banco Bradesco S.A., my colleagues and I have focused on making FHE usability a priority. In January 2020 we released HELib version 1.0.0 after only one year of beta releases and today it’s the most mature and versatile encryption library, packed with sophisticated autonomous housekeeping tasks freeing developers to concentrate on the algorithmic design of their applications. Since then we released two other minor versions with improvements, bug fixes and sample programs making it easier to write FHE-based code. More enhancements are planned for the next months.
This past June we published two new FHE toolkits for MacOS, iOS on GitHub and the response has been tremendous. These toolkits build on the base HElib library provide an easy to use set of IDE integrated examples that work out of the box. In less than a month, we have seen 350 stars and more than 25 forks, inspiring us to push back our summer vacations and deliver the Linux toolkit today.
Similar to the MacOS and the iOS toolkits, the Linux version includes an easy to follow and simple demonstration of a privacy preserving search against an encrypted database using the English names of countries and their capital cities across Europe. Selecting the country will perform a search of the matching capital. Unlike the MacOS and iOS toolkits which are based on Xcode, the Linux toolkit is distributed as a Docker container in your choice of supported distributions. The containers have been built and tested on several modern Linux distributions as well as macOS hosts. The code is available through GitHub to build your own container, or you can obtain pre-built docker containers from Docker Hub to get started in minutes.
We also added a second user case demonstration for the finance industry. More specifically, developers can detect credit card fraud by applying neural network inference over fully homomorphic encrypted datasets and models. The neural network and dataset determine fraudulent activities based on anonymized transactions.
AI in the Future
In our forthcoming releases we plan to bring new AI functionality to the toolkits. After demonstrating how machine learning can work homomorphically with Banco Bradesco SA, this new AI functionality will now give toolkit users, and our clients, another test case for hands-on experimentation — so watch this space.
Additionally, we are exploring performance improvements to the FHE toolkits and underlying libraries using the unique capabilities provided by IBM Z.
The best place to get started is to join our Slack community and for clients interested in on-going training, knowledge transfer and joint development to sign up for a subscription to the FHE 2020 – Research Engagement Program. You may also be interested in this introductory webinar we recently hosted.
We invite you to reach out to us, share your use cases and your FHE tech experiences, provide feedback, become a sponsor user or beta tester, collaborate as a GitHub contributor, or just hang out on Slack watch the conversation unfold.
*Data Privacy Passports supports data sources that can be accessed through a JDBC connection
One year ago, IBM Research published the first major release of the Adversarial Robustness Toolbox (ART) v1.0, an open-source Python library for machine learning (ML) security. ART v1.0 marked a milestone in AI Security by extending unified support of adversarial ML beyond deep learning towards conventional ML models and towards a large variety of data types […]
What if I told you that it’s possible to teleport memory from one server and attach it to another server, without entering the datacenter building? You would probably: a) think you’re dreaming of a Star Trek episode; b) or better yet, think this is really cool and you could use it to improve the efficiency […]
IBM Research and its university partners including: UC Santa Cruz; Cornell University and Cornell Tech; University of Illinois at Urbana Champagne; Oregon State University are collaborating on new programming systems and languages to build secure cryptographic applications.