Confidential Computing and Homomorphic Encryption

dmiddleton — Wed, 29 Mar 2023 13:00:27 +0000

Dan Middleton, Principal Engineer | Confidential Computing, Intel Corp.

Rosario Cammarota, Chief Scientist | Privacy-Enhanced Computing Research, Intel Corp.

Oil and water or belt and suspenders? Confidential Computing and Homomorphic Encryption… are these two security technologies opposing or complementary? Spoiler: these are complementary in terms of both utility and time horizon.

But before we get there, let’s take care of some preliminaries. We can think of data as having three phases. Instead of solid, liquid, and gas, we have at rest, in use, and in transit. Security technologies have been widely available and adopted for data at rest and in transit. When we record sensitive information, we encrypt it on disk. When we transmit it, we use encrypted protocols like Transport Layer Security (TLS). However, when we make use of that information, it has been loaded necessarily in plain text in system memory. There it is exposed to adversaries in the host from malware to insider actors. A small handful of technologies are available to protect this “data in use” phase.

Prominently among them are Confidential Computing and Homomorphic Encryption (usually, Fully Homomorphic Encryption or FHE). As defined by the CCC, “Confidential Computing protects data in use by performing computation in a hardware-based, attested Trusted Execution Environment.” Confidential Computing is widely available today for use in enterprises and by datacenters for cloud platforms. It came on the datacenter scene in the last couple of years, and cloud providers are continuing to broaden their Confidential Computing offerings to expand their security capabilities. FHE research has matured tremendously over the last decade, and we anticipate that it will be commercially useable in another 2-3 years. At that point, Confidential Computing and FHE will be simultaneously available and augment each other. To understand how, let’s look at each individually first.

FHE is a pure cryptographic technique. It enables performing computation on encrypted data without first decrypting it. Given two encrypted values, you can add, subtract, or multiply them, arriving at a still encrypted result. Modern FHE extends that to large sets of numbers and large amounts of operations that represent higher-level tasks. Among its strengths are that the only thing you must trust is the math, not the host, system admins, or software. The challenges to commercial adoption are in at least a few areas. First, FHE can be 1,000 to 1,000,000 times slower than doing those same operations without FHE. An operation that normally takes a millisecond might instead take minutes to complete making FHE “impractical for general purpose computations due to its poor performance.” Second, the size of the encrypted data is also significantly larger (ciphertext expansion). That means that just transmitting and storing this kind of encryption gets more expensive and slower. Third, FHE does not implicitly provide integrity. That means that even though the information is protected from reading it is not protected from unwanted changes. Code integrity is out-of-scope of the FHE security model. This last point is significant. An adopter needs to incorporate some way to enforce that only authorized changes are made to the encrypted values. Let’s say you were to trust a banking service that added encrypted deposits to a joint bank account. Without integrity checks you would not have a way to know that the service wasn’t altering the amounts. Also, FHE alone is not a solution. It is a primitive operation. A solution must compose this primitive with other techniques, and so integration with other security technologies is also necessary (hint: Confidential Computing).

Confidential Computing also has some limitations. There are potential side-channels that are difficult to guard against. For all that, Confidential Computing has clear strengths. It is practical. You can use existing code and protect it without modification or choose to dial into greater levels of precision with software development kits (SDKs). Performance impacts are generally within a few percentage points, not orders of magnitude. It is widely available from cloud providers and hardware vendors. The preceding years have seen a growth in software vendors and system integrators offering Confidential Computing based solutions. Over the next few years, we will see the technology continue to strengthen. Confidential Computing can also enforce code integrity. For example, some implementations like Intel® SGX take a measurement—a cryptographic hash—of the protected enclave memory when it is loaded and can report that value along with the computed result or output. That lets you know that, bit for bit, the code you wrote is the code that was loaded. The output of your Confidential Computing application can be bound to those measurements using attestation (a hardware-signed message listing the measurement of the code and, optionally, a hash of the resulting output).

Given the strengths and limitations of FHE and Confidential Computing, we can start to see where they can complement each other. Perhaps most significantly, Confidential Computing provides code integrity (at load time), whereas code integrity is out of scope for the FHE model. What this could look like is sending the FHE-based encrypted values into a Confidential Computing enclave. The integrity of the enclave program has been checked by the hardware. The result of the program is accompanied by a hardware-based attestation which gives evidence that the encrypted output was the result of an intended computation. Likewise, using FHE in the enclave adds defense in depth against any attacks that penetrate the enclave or are fundamentally outside the threat model of the enclave.

Confidential Computing is available in production today. It provides practical, useful protections for data in use and in a few years, we should see Homomorphic Encryption become available for production use cases. Running FHE computations in a Confidential Computing enclave will add code integrity protection to FHE and defense in depth to Confidential Computing.

Ulf Mattsson. “Security and Performance of Homomorphic Encryption.” Global Security Mag, https://www.globalsecuritymag.com/Security-and-Performance-of,20210601,112333.html Jun 2021.

Gentry, Craig, Shai Halevi, and Nigel P. Smart. “Homomorphic evaluation of the AES circuit.” Advances in Cryptology–CRYPTO 2012: 32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2012. Proceedings. Springer Berlin Heidelberg, 2012. (Updated 2015).

Sidorov, Vasily, Ethan Yi Fan Wei, and Wee Keong Ng. “Comprehensive performance analysis of homomorphic cryptosystems for practical data processing.” arXiv preprint arXiv:2202.02960 (2022).

Unifying Remote Attestation Protocol Implementations

Confidential Computing Consortium — Mon, 06 Mar 2023 15:37:26 +0000

Shanwei Cen (@shnwc), Dan Middleton (@dcmiddle)

We’re excited to announce some recent attestation news. One of the hallmarks of confidential computing is the ability to build trusted communication with an application running in a hardware-based trusted execution environment. To make attestation easily accessible it can be incorporated into common protocols. That way developers don’t need to figure out all the details to build a secure protocol themselves. One of these protocols is called Remote Attestation TLS (RA-TLS), which builds on the ubiquitously used Transport Layer Security protocol underlying most secure internet communication. It turns out several projects independently implemented RA-TLS with tiny but incompatible differences. In the CCC Attestation SIG, we’ve agreed on and, in some cases, already implemented changes to make them all be able to interoperate.

The CCC Attestation SIG is chartered to develop attestation-related software aimed at improving interoperability, and to achieve harmonization and de-fragmentation between multiple projects. One approach is to identify and review projects in SIG meetings, propose improvements for interoperability and standardization, and work with these projects for implementation and tests. Interoperable RA-TLS is a great example showcasing how the SIG delivers on its charter.

RA-TLS (Remote Attestation TLS) architecture is defined in the white paper Integrating Remote Attestation with Transport Layer Security, to enable Intel® Software Guard Extensions (Intel® SGX) remote attestation during the establishment of a standard Transport Layer Security (TLS) connection. In a TLS server / client scenario, the TLS server runs inside an SGX enclave. It generates a public-private keypair, creates an SGX report with a hash of the public key in its user-data field, and gets an SGX quote for this report. It then creates an X.509 certificate with a custom extension containing this SGX quote. This customized certificate is sent to a TLS client in the TLS handshake protocol. The client gets the SGX quote from the certificate and performs remote attestation to verify that the connected server runs inside an authentic Intel® SGX enclave.

There are a few aspects of RA-TLS architecture that were not covered in this white paper. Some of the gaps include the specific X.509 extension OID value for the SGX quote, the supported types of SGX quote, and how the public key is hashed. Additionally, since the white paper was published, new TEEs like Intel® Trust Domain Extensions (Intel® TDX) and new quote formats have become available. The level of specificity in the RA-TLS paper left room for incompatibility between different implementations and prevented their interoperability.

RA-TLS has been supported in multiple open-source projects, including Gramine, RATS-TLS, Open Enclave Attested TLS, and SGX SDK Attested TLS. The CCC Attestation SIG invited these projects to its meetings for review, and recommended further investigation to look into harmonization between them for interoperability. Following up on this recommendation, we conducted an in-depth investigation and identified areas of incompatibility. We documented our findings, created a draft proposal for an interoperable RA-TLS architecture, and presented our work back to the SIG.

Based on the interoperable RA-TLS draft proposal, we refined the design, and aligned it with the upcoming DICE Attestation Architecture v1.1 draft standard on X.509 extension OID value and evidence format definition (as a tagged CBOR byte string). We created an CCC Attestation SIG github project interoperable-ra-tls to host the design documents and interoperability tests. This project also facilitates discussion among members of the RA-TLS projects and the CCC Attestation SIG community in general. In addition, we registered the needed CBOR tags with the IANA registration service. In the process, we provided feedback to the DICE Attestation Architecture workgroup for refinement of their draft standard specification.

Great progress has been made to implement this proposed interoperable RA-TLS scheme in the RA-TLS projects. We’ve worked with all the projects to create issues and pull requests for their implementations. Especially, as discussed in some of the interoperable-ra-tls project issues, Gramine and RATS-TLS have completed their implementation, and have been active in interoperability tests.

In summary, the interoperable RA-TLS work demonstrated the value of the CCC Attestation SIG in providing a constructive forum to collaborate on attestation technology. We invite you to try out the new unified implementations in Gramine and RATS-TLS. If you are interested in getting more involved, please join us at the CCC Attestation SIG or any other facet of our Confidential Computing Consortium open source community. All are welcome here.

Featured Article – Confidential Computing Consortium

Confidential Computing and Homomorphic Encryption

Unifying Remote Attestation Protocol Implementations