IARPA explores easy-to-use cryptography
A new program will look at developing tools that architects and programmers can use without having to understand the nuances of specific cryptographic concepts.
The intelligence community’s bleeding-edge research organization is gearing up for a five-year development program that could fundamentally alter the way secure applications are written.
The key goal of the Intelligence Advanced Research Projects Activity initiative is a comprehensive framework that system architects and application developers could use to “develop a broad spectrum of secure distributed applications using advanced cryptographic techniques,” even if they have no real cryptographic expertise.
The Homomorphic Encryption Computing Techniques with Overhead Reduction (HECTOR) program will look to accomplish this by developing a “comprehensive set” of cryptographic tools, programming languages, design and verification tools that architects and programmers can use to take advantage of the latest and greatest advances in cryptography, without having to understand the nuances of those cryptographic concepts.
IARPA declined to comment on specifics of the initiative in advance of a HECTOR Proposer’s Day, currently set for July 26.
In a recent announcement, however, IARPA listed a string of cryptographic technologies that it wants to look at for possible use in system and application development but that aren’t generally considered today because of the expertise and experience involved:
- Fully/somewhat/partial homomorphic encryption
- Verifiable computation
- Functional encryption
- Conditional proxy re-encryption
- Zero-knowledge proofs
- Oblivious RAM
- Secure multiparty computation (both general techniques and some special cases of particular interest, such as set intersection and private information retrieval)
The framework, according to IARPA, will allow developers “to explore the space of distributed applications, and explore possible compositions of different cryptographic techniques, while getting feedback on the feasibility of such applications and compositions given the currently known protocols, and on the resources that would be consumed by them.”
Whatever tools are developed under HECTOR, ease of use has to be an important feature, said David Archer, principal investigator at security services company Galois. Whenever a program offers a new tool and capabilities, there’s a potential challenge in how much that will interrupt developers’ workflow.
“As a programmer, if that happens, my productivity decreases for some amount of time, and that affects how I get evaluated,” he said. “Getting people to adopt a new technology, such as adding security through cryptographic techniques, is a challenge because of that.”
So a major part of the HECTOR program should be to develop tools that are as easy as possible to use, he said, even though they will provide an extensive cryptographic capability.
That was a primary goal of a one-year development effort that Galois carried out for IARPA. Archer described that program as a “seedling” that attempted to determine the feasibility of fully homomorphic encryption and what hard challenges might be associated with it, ahead of IARPA accepting it for one of its major research programs like HECTOR.
FHE has shown great promise as a way of performing computations on encrypted data without having to decrypt it to do so. However, current methods of using FHE are far too slow and cumbersome for general application development, so Galois has been developing ways to make it fast enough for real-world applications.
“We want to do things like automate the selection of some of the tool features and have developers still be able to write the same functional code (for the applications) and, behind the scenes, have it be transformed into a secure code,” Archer said. “And that’s a very big challenge.”
If and when the formal solicitation for HECTOR is released, Archer said Galois will be very interested in making a bid.
The HECTOR program as it’s now described involves three areas of technical focus: system development platforms, programming languages/representation formats, and cryptographic protocols and optimization. The program will run for five years, through three distinct phases.
Along with research ideas, HECTOR will also look at various use cases and the challenges involved with those. A specific interest is computing on data that belong to different and “potentially mutually distrusting” parties that are either unwilling or unable, because of various laws and regulations, to share the data with each other, IARPA said.