IBM Explores the Future of Cryptography
Few businesses would argue that their IT systems wouldn’t benefit from additional security measures, particularly in the wake of last year’s major cyberattack against the US government and other institutions via flaws in popular security and cloud services. The question surrounding security enhancements, encryption in particular, has always been: at what cost?
Not just cost in terms of the money needed to develop or implement better security and hire staff capable of managing encryption and other complex technologies, but the impact of such measures on network and application performance.
Efforts to lower such costs have been met with success in recent years, and new innovations on the horizon will soon offer organizations better ways to protect themselves from both current and emerging cybersecurity threats. IBM conveyed that message during its recent “Future of Cryptography” online event, citing advances in three critical emerging areas of data privacy and encryption:
- Confidential computing,
- Quantum-safe cryptography, and
- Fully homomorphic encryption.
“Each of these is solving a different piece of the data security equation,” said event host Gosia Steinder, IBM Fellow and head of the company’s hybrid cloud security research.
Confidential computing provides hardware-level privacy assurance by encrypting data within a secure enclave that not even the cloud provider can view or access.
Think of confidential computing as a hotel room safe, Hillery Hunter, an IBM Fellow, as well as VP and CTO of IBM Cloud, said during the event. The hotel room is a private space within a building where others are staying, in which you can expect a level of privacy to go about your activities and to keep your belongings when you leave for the day. Of course, hotel staff can still access the room, so you’re trusting them not to breach your privacy. Belongings that require additional security get locked in the room’s safe, for which only you know the code. This way, even if hotel staff must enter the room for cleaning, they cannot access those more valuable possessions.
In 2018, IBM became the first cloud provider to offer confidential computing for use in production. Today, IBM delivers confidential computing capabilities via IBM Cloud Hyper Protect Services, and it is embedded into the IBM Cloud for Financial Services.
“Confidential computing allows a company running workloads in the cloud or on prem to maintain full privacy and control over their workloads despite not owning the infrastructure that the workload is hosted on,” Hunter said.
DIA, an open-source financial information platform, chose IBM’s confidential computing capabilities delivered via a hybrid cloud architecture to ensure the integrity of the startup’s data and applications.
“Given that we work with money, if someone finds a way to tamper with our data, there’s a very high cost of corruption that undermines trust in our platform,” Samuel Brack, DIA’s co-founder and CTO, told Hunter. “We operate in a decentralized fashion in a fast-moving space, where a lot of data is handled in a short amount of time, so we needed a reliable and scalable solution that didn’t introduce a lot of latency or costs.”
As a leader in quantum computing IBM has already deployed more than 30 quantum computing systems sine 2016 and released a hardware roadmap showing a clear pathway to viable quantum computers with more than 1,000 qubits and beyond. Despite quantum computing’s highly anticipated benefits, the technology’s superior capacity to factor large numbers has a lot of people concerned about the security of current approaches to cryptography as quantum computing matures.
Acknowledging those concerns, IBM Research, the National Institute of Standards and Technology (NIST) and the broader cryptography community have for the past few years explored new approaches to encryption and data protection to keep sensitive data safe from quantum computers. One concern is that someone could steal encrypted data and hold onto it until quantum computing advances far enough to crack today’s encryption standards, NIST mathematician Dustin Moody said during the IBM event.
The good news: researchers are developing quantum-safe cryptography to counter efforts to crack encrypted data using quantum computers, according to Moody. Foremost among those efforts, a Post-Quantum Cryptography Standardization competition NIST launched in 2016 to help future-proof data against quantum computers. After 69 candidates and several rounds of evaluation, IBM has emerged as a frontrunner, with four of the seven finalist entries—all based on lattice cryptography, according to Vadim Lyubashevsky, a cryptographer in the Security group at IBM Research – Europe, in Zurich.
Lattice cryptography hides data inside complex math problems (or algebraic structures) called lattices—commonly explained via the so-called “knapsack problem.” “In most cases if today’s cryptography is replaced by lattices, the user wouldn’t see any changes, except maybe a speed up in performance,” Lyubashevsky said.
IBM announced in November 2020 quantum-safe cryptography support for key management and application transactions in IBM Cloud. In addition, IBM Cloud is also introducing quantum-safe cryptography support to enable application transactions. When cloud native containerized applications run on Red Hat OpenShift on IBM Cloud or IBM Cloud Kubernetes Services, secured transport layer connections can help application transactions with quantum-safe cryptography support during data-in-transit.
Fully Homomorphic Encryption
The third element of cryptography’s future covered at the IBM event is Fully Homomorphic Encryption (FHE), which allows data to remain encrypted during computation—regardless of the cloud or infrastructure used to process it. As a result, FHE could help drive greater adoption of hybrid cloud architectures, enabling data to move between clouds without compromising security.
“If we have an application that has to do statistical analysis on a data set, the app needs to decrypt the data,” Eric Maass, Director, Strategy, Design and Emerging Technology at IBM Security Services, said during his FHE presentation. “But the act of decrypting the data makes that data vulnerable. With FHE, we can avoid exposing the data during computation.”
FHE is based on a different mathematical algorithm than traditional encryption, designed so that computations can be performed directly on encrypted data. This emerging encryption model could allow third parties to process and analyze encrypted healthcare, financial or other data in the cloud and return accurate results to the data owner, without ever exposing the original data in plain text.
FHE has historically been slow, complex and demanding, in terms of computing power. “That’s changing, as IBM researchers have refined the FHE process, making it much more efficient,” Maass said.
Whereas FHE just a few years ago required hundreds of lines of code and hours to process, researchers at the event announced it can now be executed as an API call to the cloud with 12 lines of code in fractions of a second. IBM is helping bring FHE from the research realm into early adoption with clients – publishing open-source toolkits for developers, and in December IBM Security launched its Homomorphic Encryption Servicesfor clients to start experimenting with the technology.