The US Defense Advanced Research Projects Agency (Darpa) has awarded contracts to four teams to develop ASIC accelerators for fully homomorphic encryption as part of its data protection in virtual environments (DPRIVE) program. The four contracts have been awarded to teams led by Duality Technologies, Intel, SRI International and Galois. Three of the four are worth between $11.5 million and $15 million; Intel did not disclose the amount of its award.
The goal of the 3.5-year DPRIVE program is to enable computation on FHE-encrypted data within one order of magnitude of the compute time of current unencrypted computation. Often referred to as the “Holy Grail” of encryption, fully homomorphic encryption allows computations to be carried out on encrypted data — when the result is decrypted, it matches what the result would have been from the same algorithm performed on unencrypted data.
Existing encryption schemes allow encrypted data to be shared, but the key must also be shared so that the data can be decrypted to perform calculations with it. This makes them vulnerable to attack. Homomorphic encryption schemes do not require sharing of the key — the data is encrypted from end to end.
Plain homomorphic encryption techniques are already used commercially, but these typically allow adding encrypted numbers together and nothing more. Fully homomorphic encryption allows any mathematical operations to be run on encrypted data without decryption; schemes have existed since 2009 but up to now, the technology has not been usable in the real world as it is so computationally intensive.
“A computation that would take a millisecond to complete on a standard laptop would take weeks to compute on a conventional server running FHE today,” said Darpa program manager Tom Rondeau, in a statement.
Cornami CEO Wally Rhines told EE Times last year that fully homomorphic encryption requires “thousands of FFTs sequentially, and 500 order polynomials with coefficients that are double precision floating point,” and that this would require many times the performance of today’s state-of-the-art CPUs and GPUs.
Cornami, a California startup not involved in the DPRIVE program, initially applied its reconfigurable many-core compute fabric to AI acceleration. Since Rhines took the helm, the company is focusing on FHE, a field in which “there are no competitors,” Rhines said at the time. Like the Darpa efforts, Cornami’s aim is to accelerate FHE to usable levels.
The implications of a usable FHE technology would be tremendous for fields such as AI. Today, the vast majority of AI training takes place in the cloud, but privacy concerns do not allow companies in several key applications (finance and healthcare, for example) to send data into the cloud. With future ASIC accelerators for FHE, medical research companies or fintech startups could upload encrypted data into the cloud, train AI models with it and download the results, decrypting the result only once it was safely back in-house. Data can also be pooled – such as medical data from different hospitals – each party retains their data privacy but the AI is able to learn from it anyway.
The challenge for each of the research teams in the DPRIVE program is to develop a hardware and software stack to accelerate FHE computation so that it is comparable to similar unencrypted data operations. Darpa’s requirements for the hardware include flexibility, scalability and programmability.
One of the key approaches the teams will take is exploration of large arithmetic word sizes (LAWS). Current CPU design is based on 64-bit words, but FHE requires much longer word lengths. The signal-to-noise ratio for encrypted data is directly related to word size; longer words mean less noise is accumulated each time an FHE calculation is processed. This means more calculations can be performed before the irreparable noise threshold is reached (beyond which data can no longer be recovered). Teams are expected to explore word sizes up to thousands of bits.
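The link between modulus size and how many operations survive before noise destroys the plaintext can be seen in a toy scheme. The following is an added example, not code from the article or from any DPRIVE team: a deliberately insecure, integer-based somewhat-homomorphic scheme in the style of DGHV, chosen for brevity, in which the bit length of the secret modulus `p` stands in for the word size. All function names and parameters are assumptions made for illustration.

```python
import secrets

def keygen(p_bits):
    """Secret key: a random odd p_bits-bit integer (stands in for the word size)."""
    return secrets.randbits(p_bits) | (1 << (p_bits - 1)) | 1

def encrypt(p, bit, noise_bits=8):
    """c = p*q + 2*r + bit. The small term 2*r + bit is the noise hiding the bit."""
    q = secrets.randbits(2 * p.bit_length()) + 1
    r = secrets.randbits(noise_bits - 1) | (1 << (noise_bits - 1))
    return p * q + 2 * r + bit

def decrypt(p, c):
    """Correct only while the accumulated noise is still smaller than p."""
    return (c % p) % 2

def check_gates(p):
    """Ciphertext addition acts as XOR and multiplication as AND on the hidden bits."""
    for a in (0, 1):
        for b in (0, 1):
            ca, cb = encrypt(p, a), encrypt(p, b)
            if decrypt(p, ca + cb) != a ^ b or decrypt(p, ca * cb) != a & b:
                return False
    return True

def usable_depth(p_bits, noise_bits=8):
    """Count how many successive squarings of Enc(1) still decrypt to 1."""
    p = keygen(p_bits)
    c = encrypt(p, 1, noise_bits)
    noise = c % p                     # fresh noise, measured with the secret key
    depth = 0
    while noise * noise < p:          # each multiplication squares the noise
        c, noise = c * c, noise * noise
        assert decrypt(p, c) == 1     # 1 AND 1 is still recovered
        depth += 1
    return depth                      # one more squaring would push noise past p

if __name__ == "__main__":
    print("gates ok:", check_gates(keygen(128)))
    for bits in (64, 256, 1024):
        print(f"{bits:5d}-bit modulus -> {usable_depth(bits)} multiplications")
```

With 9-bit fresh noise, a 64-bit modulus tolerates two chained multiplications, while a 1024-bit modulus tolerates six. The toy skips the modular reduction a real scheme applies, so its ciphertexts double in length at every multiplication.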
Verification of LAWS circuits is particularly difficult, since the circuit state space becomes unmanageably large. Darpa’s tender document says that previous verification attempts on large word size multipliers timed out when the word size reached 256 bits. Cryptographic circuits have a high burden of proof for mathematical correctness, which necessitates full-circuit verification.
Teams will also explore novel approaches to memory management, flexible data structures and programming models.
Duality Technologies has been awarded $14.5m by Darpa for DPRIVE. The company is a start-up that helps regulatory-bound companies (mostly in the financial and medical fields) to share homomorphically encrypted data. Duality already provides commercial platforms based on FHE, such as SecurePlus, its middleware platform which allows companies to encrypt data and then run analytics on the encrypted data, on companies’ own servers or in the cloud.
“[Hardware FHE acceleration] is an issue of dimensionality and bit width,” Duality’s CEO Kurt Rohloff told EE Times in a 2019 interview. “We are dealing with vectorized operations and the dimensions of the vectors are typically in the order of tens of thousands… 16,000 or 32,000 dimensionality is fairly standard in this case. We have done a fair amount of work on 64-bit operations, but I can easily see us going to multi-hundred-bit or even multi-thousand-bit word sizes.”
For the DPRIVE contract, Duality has put together a team of experts from the University of Southern California Information Sciences Institute, New York University, Carnegie Mellon University, SpiralGen, Drexel University, and TwoSix Labs. The hardware accelerator this team develops will be fully integrated with the Palisade open-source FHE library.
Intel has also joined the DPRIVE program, with a team that spans Intel Labs, Intel’s design engineering group and the company’s data platforms group. Intel has partnered with Microsoft, who will lead the commercial deployment of the resulting Intel ASIC by testing it in their Azure and Jedi clouds. The two companies will also work with international standards bodies on FHE standards.
Intel says its future ASIC could potentially reduce the time for processing FHE cryptograms by “five orders of magnitude,” though it did not give any hints on how it was planning to achieve this. The company said it plans to assess progress of its FHE accelerator ASIC on AI training and inference workloads using FHE-encrypted data at scale, throughout the process – perhaps giving us a hint as to how it sees the technology being used in commercial applications.
A third team is from the nonprofit research institute SRI International, which was awarded $11.5m as part of the program. The company said it has assembled a world-class team of researchers and engineers to take on the challenge.
“Creating a new hardware accelerator for FHE encrypted data is a unique technical challenge that requires expertise in co-processor architectures, hardware design, computer-aided verification of hardware, software, mathematics and FHE algorithms,” said Karim Eldefrawy, principal computer scientist at SRI International, in a statement. “With the team of world-class researchers we have assembled for this project, we are confident that in a few years we can develop a viable hardware solution that will make FHE data processing practical and commercially viable for a large set of applications.”
Computer science R&D firm Galois already works with many US government entities, including Darpa and Nasa, to solve difficult technological problems. The company has been awarded a $15.3m contract under DPRIVE to develop an FHE accelerator.
Galois plans to focus on asynchronous circuit design which will allow each computation to run as fast as it can, rather than being limited by the worst case, as well as creating a new dataflow microarchitecture designed to route data “just in time” to independently operating processing elements.
Galois believes an overall performance gain of 10,000X is feasible relative to current software-based FHE systems. The company broke down the performance gains it expects as follows:
- 300X from ASIC-based hardware acceleration
- 2X or more from use of asynchronous instead of clocked logic
- 10X from large arithmetic word size operations in hardware, forgoing the need for unwieldy residue number system representations
- 5X from an optimized dataflow approach that maximizes utilization of arithmetic functional units
- 2X from optimized memory access patterns and vectorization.
DPRIVE is a three-phase, 42-month program, with performance metrics to be achieved at the end of each phase to enable progression to the next phase. It is not expected that all teams will proceed beyond phase one.
During the 15 months of phase one, teams will produce the core logic of the FHE accelerator design, optimizing word size and emulating circuit building blocks. Phase two, also 15 months, will see teams finishing the design of the FHE accelerator based on the building blocks from phase one, along with memory architecture. During a one-year phase three, teams will build a working and usable FHE accelerator, complete with full software programmability.
The DPRIVE program should wrap up around September 2024.
>> This article was originally published on our sister site, EE Times.