The co-processor uses partially homomorphic encrypted execution: because operands are never decrypted on the chip, plaintext is never exposed to it.
Researchers at NYU Abu Dhabi (NYUAD) have designed a co-processor that relies on partially homomorphic encrypted (PHE) execution, enabling it to perform computations directly on encrypted data.
Processors in PCs and smartphones currently compute only on ordinary, unencrypted data. The new processor, CoPHEE, reduces the opportunity for data leakage, and with it the exposure to attackers, by computing directly on encrypted data without ever decrypting it.
The project is led by NYUAD assistant professor of electrical and computer engineering Michail Maniatakos, with contributors including research engineers at NYUAD’s center for cyber security (NYUAD CCS) Mohammed Nabeel and Mohammed Ashraf, NYUAD CCS post-doctoral associate Eduardo Chielle, and NYU alumnus and assistant professor of electrical and computer engineering at the University of Delaware, Nektarios Tsoutsos. The project is funded by GlobalFoundries, which is owned by Mubadala, an investment firm based in Abu Dhabi.
In a paper presented earlier this year at the IEEE International Symposium on Hardware Oriented Security and Trust (HOST), the NYUAD researchers said ASIC designs for encrypted execution impose unique challenges. They include the need for non-traditional arithmetic units (modular inverse, greatest common divisor), very wide datapaths (2048 bits), and the requirement for secure multiplexer units enabling general-purpose execution on encrypted values. The researchers argue that even solutions such as Intel SGX require the data to be processed as plaintext inside the processor, which leaves the entire microprocessor core and its cache memories exposed to hardware Trojans and side-channel attacks.
To address this, CoPHEE executes computations under PHE. It is a fully functional co-processor chip that communicates with a main processor over UART. It was fabricated at GlobalFoundries in a 65nm CMOS process, using the multi-project wafer (MPW) fabrication service from MOSIS. The die measures 9 mm² and the target frequency is 100 MHz, constrained by the maximum speed of the I/O pads provided.
The researchers said that if a system-on-chip approach were taken, with CoPHEE sitting on the same bus as the main CPU, communication would be much faster than in this experimental off-chip set-up. Assuming a 32-bit ARM architecture, on-chip communication over AHB-Lite would cut the cost to around 9.65E-08 seconds (roughly 96.5 ns) per operation.
The processor is instantiated with 2048-bit encrypted operands and can be readily used to accelerate a broad range of secure applications, such as voting protocols, threshold cryptosystems, watermarking and secret sharing schemes, as well as server-aided polynomial evaluation protocols. For this it incorporates special arithmetic units for modular multiplication (ModMul), exponentiation (ModExp), inversion (ModInv) and greatest common divisor (GCD). In addition, to support control-flow decisions that depend on ciphertexts in PHE-protected algorithms, it adopts the Cryptoleq blueprint and instantiates a secure multiplexer in trusted hardware, reducing the required trust surface to a single operation.
The arithmetic units for modular multiplication, exponentiation, inversion and GCD accelerate computation over the very wide datapaths involved, while the secure multiplexer and a true random number generator enable universal computation in the encrypted domain. In their paper, the team concludes, “To the best of our knowledge, CoPHEE is the first academic effort towards constructing a fast and reliable processor capable of processing encrypted data. This paper presents all required steps for a fully functional silicon, from the RTL design to fabrication and validation. Given the silicon, future work will explore side-channel analysis and information extraction through power, timing, and electromagnetic emissions.”
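The arithmetic the paper lists maps directly onto the Paillier cryptosystem, the additively homomorphic scheme that the Cryptoleq blueprint is built on. The Python model below is an added illustration for this article, not code from the CoPHEE project: it implements Paillier key generation, encryption and decryption in software and marks which step corresponds to each of the ModMul, ModExp, ModInv and GCD units, then models the trusted multiplexer as the one operation that opens a ciphertext. Two things are assumptions made here rather than facts from the paper: that the multiplexer branches on the sign of its selector (mirroring Cryptoleq’s branch-on-result), and that it re-randomises its output with fresh randomness in place of the hardware TRNG. The salary figures are constructed sample data; the server-side functions need only the public key and ciphertexts, which is the outsourced-analytics pattern described in the note on homomorphic encryption below.

```python
"""Software model of the Paillier arithmetic behind a PHE co-processor.
Added illustration for this article, not code from the CoPHEE project."""
import secrets

def egcd(a, b):
    """Extended Euclid (the GCD unit): returns (g, x, y) with a*x + b*y == g."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1, y0, y1 = x1, x0 - q * x1, y1, y0 - q * y1
    return a, x0, y0

def modinv(a, m):
    """Modular inverse (the ModInv unit); raises if a is not a unit mod m."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("not invertible")
    return x % m

def is_probable_prime(n, rounds=32):
    """Miller-Rabin; key generation stays on the host, not the co-processor."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def keygen(n_bits=1024):
    """Paillier keys with g = n + 1. Ciphertexts live mod n^2, so n_bits=1024
    gives the 2048-bit operands the article describes. Returns ((n, n^2), (lam, mu))."""
    while True:
        p, q = gen_prime(n_bits // 2), gen_prime(n_bits // 2)
        n = p * q
        lam = (p - 1) * (q - 1) // egcd(p - 1, q - 1)[0]      # lcm(p-1, q-1)
        if p != q and n.bit_length() == n_bits and egcd(lam, n)[0] == 1:
            break
    return (n, n * n), (lam, modinv(lam, n))                 # g = n+1 => mu = lam^-1 mod n

def random_unit(n):
    """Fresh r with gcd(r, n) = 1: TRNG output validated by the GCD unit."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if egcd(r, n)[0] == 1:
            return r

def encrypt(pk, m, r=None):
    n, n2 = pk
    r = random_unit(n) if r is None else r
    return pow(n + 1, m % n, n2) * pow(r, n, n2) % n2        # 2x ModExp, 1x ModMul

def decrypt(pk, sk, c):
    n, n2 = pk
    lam, mu = sk
    return (pow(c, lam, n2) - 1) // n * mu % n               # ModExp, L(x), ModMul

def to_signed(pk, m):
    return m - pk[0] if m > pk[0] // 2 else m                # n - |x| encodes -|x|

# Operations an untrusted server can run with only the public key.
def add(pk, c1, c2):
    return c1 * c2 % pk[1]                                   # ModMul          -> Enc(m1 + m2)
def sub(pk, c1, c2):
    return c1 * modinv(c2, pk[1]) % pk[1]                    # ModInv + ModMul -> Enc(m1 - m2)
def scale(pk, c, k):
    return pow(c, k % pk[0], pk[1])                          # ModExp          -> Enc(k * m)
def rerandomize(pk, c):
    n, n2 = pk
    return c * pow(random_unit(n), n, n2) % n2               # same plaintext, fresh ciphertext

def secure_mux(pk, sk, c_cond, c_pos, c_nonpos):
    """Model of the trusted multiplexer: the one operation that opens a ciphertext.
    Assumed here: it selects on the sign of the selector (as Cryptoleq's
    branch-on-result does) and re-randomises the chosen input on the way out."""
    chosen = c_pos if to_signed(pk, decrypt(pk, sk, c_cond)) > 0 else c_nonpos
    return rerandomize(pk, chosen)

def encrypted_max(pk, sk, ca, cb):
    """max(a, b) on ciphertexts: untrusted subtraction, then one trusted select."""
    return secure_mux(pk, sk, sub(pk, ca, cb), ca, cb)

if __name__ == "__main__":
    pk, sk = keygen(512)                                     # 1024-bit ciphertexts: quick demo
    cts = [encrypt(pk, s) for s in (52_000, 61_500, 48_250)] # owner encrypts constructed data, keeps sk
    total = cts[0]
    for c in cts[1:]:
        total = add(pk, total, c)                            # server side: pk and ciphertexts only
    print("sum", decrypt(pk, sk, total), "max", decrypt(pk, sk, encrypted_max(pk, sk, cts[0], cts[1])))
```

Everything above the trusted multiplexer runs on ciphertexts alone, which is why the paper can confine the trust surface to that one unit; note that each call to it still leaks one bit (the branch taken) to whoever can observe the chip, which is exactly the side-channel work the team lists as future research.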
Maniatakos adds, “Existing data protection solutions protect data at rest in our hard disks and data in transit over the internet, similar to WhatsApp’s end-to-end encryption. These solutions are not suitable to manipulate encrypted data, i.e., perform operations directly on the encrypted domain. With this new processor, non-trivial encrypted data manipulation is a reality and anyone stealing our data from our computers can do nothing with it since everything is encrypted. We are confident that any smart technology using data can benefit from the new processor including PCs, personal tablets, and smartphones.”
Note on Homomorphic Encryption
Homomorphic encryption allows computations to be carried out directly on encrypted data without decrypting it first or requiring access to the secret key; the aim is to preserve the privacy of the original data throughout the computation.
According to HomomorphicEncryption.org, an open consortium of industry, government and academia working to standardize homomorphic encryption, the availability of cheap cloud computing and cloud storage has implications for the way people use and manage data. The organization says traditional encryption methods, such as AES, are extremely fast and allow data to be stored conveniently in encrypted form. However, to perform even simple analytics on the encrypted data, either the cloud server needs access to the secret key, which raises security concerns, or the data owner needs to download, decrypt and operate on the data locally, which can be costly and logistically difficult.
Homomorphic encryption simplifies this scenario by allowing operations to be carried out directly on the encrypted data, with the server returning only an encrypted result. The consortium adds that more complex application scenarios can involve multiple parties with private data that a third party operates on, returning the result to one or more of the participants to be decrypted.
Google uses homomorphic encryption in its newly rolled-out open-source Private Join and Compute cryptographic protocol, which it says helps organizations work together on confidential data sets ‘while raising the bar for privacy’.
The NYUAD team claims that existing hardware solutions for fully homomorphic encryption are not yet practical because they incur excessive overheads in area and performance, with ciphertexts on the order of megabytes each. Partially homomorphic encryption (PHE) schemes, which support a limited set of operations on ciphertexts, offer a more practical and efficient alternative, and PHE is what CoPHEE implements.