Vulnerability in next-generation homomorphic encryption allows data to be stolen even while encrypted

Cybersecurity specialists report the detection of a critical vulnerability in homomorphic encryption, one of the most advanced security technologies today. According to the report, the flaw would allow threat actors to steal data even during the encryption process.

This variant of encryption allows data to be encrypted so that third parties cannot read it, although it does allow third parties and third-party technologies to perform operations using the protected data. For example, a user could use homomorphic encryption to upload sensitive data to a cloud deployment to perform data analysis; cloud solutions could perform the analyses and send the resulting information to the user without reading the sensitive data.

Aydin Aysu, an expert at North Carolina State University in charge of the research, says, “Homomorphic encryption is attractive because it preserves data privacy, but allows users to make use of that information, even though it requires a lot of computing resources.” Given the large amount of hardware and software resources required, this is not a practical implementation.

Microsoft has excelled in the development of homomorphic encryption, creating the SEAL Homomrphic Encryption Library to facilitate research among the specialized community. Aysu’s report notes that there is a way to crack homomorphic encryption using the SEAL library through a side-channel attack.

According to the report, the researchers detected this vulnerability at least in SEAL versions prior to 3.6: “This library receives constant updates, so it is likely that the flaw will be corrected in later iterations, although it is also not ruled out that later versions remain exposed to this vulnerability.

Finally, experts point out that side-channel attacks are a widely documented hacking variant, so organizations with adequate security protocols should have no problem containing this threat: “With the advancement of homomorphic encryption, the computer industry must ensure that it incorporates the necessary security tools for protection against side-channel attacks and other security threats,” concludes Aysu.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.