Is End-to-End Encryption (E2EE) a Myth? Traditional encryption has vulnerabilities. Fully Homomorphic Encryption (FHE) offers a new hope for truly secure messaging, cloud storage, and data analysis.
Encryption is like waterproofing: it needs to be all or not at all. Just as it makes no sense to waterproof a left shoe and leave the right unprotected, encrypting the consumer component of a messaging app is pointless if content can later be decrypted on cloud servers.
It’s called end-to-end encryption (E2EE) for a reason, but up until now many services claiming to utilize this technology have fallen woefully short. From an architectural perspective, E2EE is difficult to implement, particularly in applications that serve millions of users.
However, the emergence of a relatively new encryption technology is raising hope that E2EE may become a reality rather than an aspiration. Its name is Fully Homomorphic Encryption (FHE) and its unique design makes it ideally suited to services that are reliant on true end-to-end encryption.
How End-to-End Encryption Works
End-to-end encryption is a technology that’s meant to ensure that only users communicating with one another can read the messages. This could be two individuals chatting via a messaging application or it could be a business exchanging payment data with another entity such as a bank. Data is encrypted on the sender’s device and decrypted on the recipient’s device, preventing intermediaries, including service providers, from accessing the content.
This is achieved by using cryptographic keys that encode the message before transmitting it in encrypted form. The counterparty then decodes the message using its own cryptographic key in order to read its content. In addition to messaging apps such as Signal and Telegram, the technology is used by email providers, cloud storage services, and file-sharing platforms. It’s no exaggeration to say that E2EE is the backbone of the internet.
While E2EE can prove very effective at preventing third parties from intercepting messages, it is by no means bulletproof. Concerted attempts by adversaries, ranging from governments to state-sponsored hackers, to weaken encryption and introduce backdoors have resulted in many services that purport to use E2EE being vulnerable.
Critically, from the user’s perspective, there is no easy means of verifying whether encryption has been maintained throughout. As a result, individuals are compelled to take service providers at their word when they promise that messages are fully encrypted.
How Encrypted Is Fully Encrypted?
When a service claims to be end-to-end encrypted, it should be just that. In reality, implementations can differ wildly in terms of encryption strength. While it’s theoretically possible for users to check that the service they’re using is implementing robust encryption, it’s technically complex to do so, placing this ability beyond the reach of most users.
Telegram, for instance, allows users to verify that its open-source code is the same as that being used within its mobile applications and on desktop. However, this requires running a series of Terminal commands.
Telegram founder Pavel Durov has previously taken aim at other messaging applications, questioning the integrity of their E2EE. In his personal Telegram channel, he’s claimed: “An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick.”
He then elaborates on the inability for users to verify that Signal’s Github code is the same as that running in the app. It should be noted that despite its claims to offer superior encryption, Telegram has also fielded accusations of weaknesses in its own E2EE implementation.
One of the challenges is that even when a service provider has implemented robust encryption, there is still the potential for messages to be deciphered. From weak key management to compromised devices due to malware, there’s a multitude of ways in which content can be accessed by adversaries. And when a key is compromised, unless the provider generates new keys for every session, it’s possible to decrypt the entire messaging history.
Finally, even when E2EE is working optimally, its implementation places additional computational demands on networks, resulting in increased latency and reduced performance, especially on devices with limited processing power or on blockchains where resources are capped. For this reason, E2EE is by no means impregnable. Can FHE solve some of these challenges, or will it run into the same problems that have weakened existing encryption protocols?
FHE Meets E2EE
One of the weak points with traditional E2EE is when it comes to decrypting the data: it’s here that there’s potential for a third party to gain access to it. FHE, in comparison, allows computation to be performed directly on encrypted data without decryption, ensuring that data remains protected throughout the entire process. This is its greatest attribute and the one that differentiates it from other encryption technologies.
It may be hard to visualize the benefit FHE brings to bear in this respect when considering a messaging application, in which the data must be decrypted before it can be read by the recipient. But consider another instance in which FHE proves superior at safeguarding data within E2EE systems: email. Here, FHE makes it possible for an email provider or cloud service to return results from an encrypted database without actually seeing the data.
This capability can also be extended to numerous other use cases in which data can be analyzed without disclosing its contents: analysts can run algorithms on encrypted datasets, with the results only decryptable by the intended recipient. Or machine learning models can be trained using encrypted data. This allows organizations to leverage powerful AI tools without compromising the privacy of the underlying data.
Within a blockchain context, fully homomorphic encryption also has significant potential, particularly in the construction of end-to-end encrypted applications for messaging or transmitting financial data. Fhenix, for example, is powered by fhEVM, a variation of the Ethereum Virtual Machine, that supports confidential smart contracts. As a result, confidential data can be analyzed and transmitted without its contents being disclosed.
Given that data remains encrypted at all stages with FHE – in transit, at rest, and during processing – it’s easy to see why developers are so excited about its potential for strengthening E2EE systems.
FHE can reduce the attack surface and ensure that sensitive data is never exposed to unauthorized parties, even during processing. This eliminates the need to trust service providers since they only handle encrypted data and mitigates the risks associated with data breaches.
If FHE can achieve wider adoption, both in blockchain and traditional systems, end-to-end encryption may soon live up to its name, providing truly unbreakable data protection.
RELATED TOPICS
- WhatsApp Engineers Fear Encryption Flaw Exposes User Data
- 8 tips to protect company data sent via home internet connections
- Signal, AI Generated Art Least, Amazon, Facebook Most Invasive Apps