IAASB Digital Technology Market Scan: Homomorphic Encryption
Welcome to the fifth Market Scan from the IAASB's Disruptive Technology team. Building on our previous work, we issue a Market Scan approximately every two to three months. Market Scans cover exciting trends, including new developments, corporate and start-up innovation, noteworthy investments and what it all might mean for the IAASB. Special thanks to Maddie Zietsman for helping to author this edition.
In this Market Scan, we explore Homomorphic Encryptionfor Analyzing Encrypted Data, a technology which has applications within Protecting Information. This technology has the potential to impact how data is used in the audit—creating opportunities for greater collaboration and access to specialist skills.
What is Homomorphic Encryption and why is it important?
The latest developments
What this might mean for the IAASB
What is Homomorphic Encryption? Why is it important?
Homomorphic Encryption (HE) is a set of algorithms that allows computations to be done on encrypted data without the need for decryption. Homomorphic encryption lets data be protected while “in use”, so analysis can be run directly on encrypted information without disclosing it and providing complete confidentiality during analysis.
Source: What is Homomorphic Encryption?, OpenMined
There are two main types of homomorphic encryption, Partial Homomorphic Encryption, which supports only a single operation over encrypted data, and Fully Homomorphic Encryption, which supports multiple operations. Federated Learning (FL) is another privacy-enhancing technology that distributes machine learning across devices or servers, thereby reducing latency and security risk whilst protecting privacy.
Fully Homomorphic Encryption: Why it Matters, IBM News, three-minute watch
Homomorphic encryption has many potential benefits for a wide range of industries from healthcare to financial services. From an audit and assurance perspective, there are several areas where homomorphic encryption can be leveraged.
Using aggregated data tosecurely achieve common goals –Audit firms or other organizations that may perceive privacy or confidentiality risks when working together could collaborate using encrypted data to achieve a common goal such as developing fraud pattern detection applications. Using homomorphic encryption, encrypted data sets from multiple sources could be linked together, used to train an AI application, and develop a technology product for all parties to use.
Enabling use of third parties without compromising data privacy – Homomorphic encryption may enable audit practitioners to leverage third parties with greater analytics capabilities or expertise to perform analysis on encrypted data to support audit procedures—an approach that would be difficult if not impossible without the encryption technology.
Enhancing effectiveness of cross-border audits – Homomorphic encryption could be used to enable data analysis across borders while respecting data residency and privacy laws. This would be particularly beneficial to group audits with components in jurisdictions with strict data residency restrictions.
Greater capability to perform benchmarking – Homomorphic encryption could be used to provide benchmarks across industries, including competitive companies, without exposing market sensitive data. Benchmarking data may be used when performing an audit, for example when performing analytical procedures.
Mitigating bias whilst stress testing models – Using homomorphic encryption, machine learning models and algorithms could be stress tested using encrypted data sets, so the data could not be fitted to the model ahead of time.
All these areas focus on homomorphic encryption’s ability to increase the data analysis that can be done while still ensuring data security and privacy. As the technology gains wider traction, it offers audit and assurance practitioners opportunities to increase their analytical capabilities and leverage the specialized skills of other entities or parties, without compromising data privacy.
Recent Noteworthy Developments in Homomorphic Encryption
This section is designed to provide examples of recent developments that may signal future disruption in this area. It is not a complete list of all activities in Homomorphic Encryption. For a reminder of Key Venture Capital and Investment terms please refer to the first Market Scan.
1. Big player activity
Homomorphic Encryption is gaining traction and growing fast. Top companies, such as Intel, Microsoft and Google, are leveraging the power of this technology and working to develop its use in various sectors of the economy.
Study shows growing interest in homomorphic encryption technologies
A December 2021 study by Deloitte noted 19 different “publicly announced pilots, products, and proofs of concept for homomorphic encryption”. Companies that are leading these pilots include large companies like Apple, Google, Microsoft, Nvidia, IBM, and more. Finance, health, and social care currently dominate the pilot projects, but the expectation is that more industries will reap the benefits from the technology as it continues to gain leverage. These pilots also present opportunities for the audit and assurance industry to capitalize on the power of homomorphic encryption and how the using data encryption may contribute to or enhance the performance of quality audit or assurance engagements.
Intel and Microsoft announce collaboration on security technology
Intel and Microsoft have partnered together as part of a DARPA program to focus on reducing the overhead that is associated with using homomorphic encryption. To reap the benefits of this technology, it is important that it is both accessible and affordable. Both Intel and Microsoft’s investment in time and research in homomorphic encryption reveals the importance that both companies see in the technology’s ability to change the working world. As these large companies continue their research and testing, it may not be long before homomorphic encryption is accessible to companies of all sizes.
2. Start-up activity
As homomorphic encryption becomes more prominent, there have been a few key start-ups that have spearheaded its development, including those highlighted below.
Duality advances Homomorphic Encryption Landscape
Duality, a leader in enabling privacy-enhanced collaboration on sensitive data launched their open-source fully homomorphic encryption (FHE) library, OpenFHE, in July 2022. This was a collaborative project with other leaders in cryptography including Intel, Samsung, University of California-San Diego and MIT. OpenFHE is considered a next generation open-source FHE software library providing even greater security, robust privacy protection and wider useability.
Enveil announces new encrypted training solution
Enveil, a start-up company founded in 2016, has been a key leader in developing homomorphic encryption and federated learning technologies. In June 2022, Enveil announced a new solution called ZeroReveal ML Encrypted Training (ZMET), which enables encrypted federated learning and usage of decentralized datasets for machine learning applications.
New start-up sees web3 opportunity using homomorphic encryption
Brand new start-up, Sunscreen, just raised $4.65 million in seed funding to develop advanced privacy technology for the next generation of the world wide web, web3. Currently zero-knowledge proofs (ZKPs), which allow for a transaction to be verified on a blockchain without the underlying data being shared, are seen as the main solution for improving privacy in web3 but require significant processing power. However, co-founder and CEO of Sunscreen, Ravital Solomon, thinks “fully homomorphic encryption is even more promising in its potential to bolster privacy in web3.”
What this might mean for the IAASB
The IAASB is interested in maintaining its collective knowledgebase on digital technologies (including on specific sub-topics such as homomorphic encryption), promoting digital readiness and enablement through its engagement with stakeholders, and encouraging action by others to supplement and support the IAASB’s standard-setting activities. The IAASB is also keen to explore how technologies could be used to enhance interaction with auditing standards. Subject to IAASB’s work plan decisions, possible use cases of digital technologies for audited entities and audit engagements might provide input to further modernize IAASB’s standards to be adaptable to and reflect the current business and audit environment (while recognizing that the standards would address digital technologies in a principles-based manner).
Access to appropriate and reliable data is fundamental to being able to use automated tools and techniques in the audit. Considerations around data protection and privacy are key to this approach and homomorphic encryption presents a potential solution to current data access restrictions.
Homomorphic Encryption also offers opportunities for those in audit and assurance to develop advanced analytics, machine learning and AI technologies through enabling more options for data management.
However, using this technology may present unique practical challenges with applying certain principles set out in existing standards that address aspects of, for example, quality management, audit evidence, service organizations and using the work of others which may indicate the need for additional guidance. Given the nascent nature of this technology it is too early to fully comprehend the practical implications related to its use, but the IAASB will continue to monitor developments in this area.
Scientists at the University of Texas have developed an ink containing polymers that can store data and have used it to write a letter containing a hidden message. “The idea of writing a message but the real, hidden message is contained in the molecular structure of the ink is fascinating, although maybe not the most practical method,” says Alan Woodward at the University of Surrey, UK.
What do you think about this bulletin?
Please take the time to fill out our quick survey to let us know your thoughts about this bulletin, how it can be improved and what you would like to hear about going forward.