[3/3] Practical applications of advanced cryptography

Written by Monir Azraoui

25 March 2025


The interviews gave us an overview of the foundations and promises of post-quantum cryptography (article #1) and advanced privacy-preserving cryptography techniques (article #2). The experts discussed practical use cases for these promising technologies while highlighting the challenges that need to be overcome for their widespread adoption.

While classical cryptography continues to play an essential role in everyday life, advanced cryptographic tools respond to new challenges posed by uses such as cloud computing and artificial intelligence, where data processing is often delegated to remote servers. When it comes to zero-knowledge proofs (ZKP), the approach is slightly different: the primary goal is to improve security guarantees by reducing the need to trust a third party, while minimizing the associated risks. It is also important to note that these new cryptographic tools are based on the fundamentals of traditional cryptography, such as encryption and hashing.


The practical applications of advanced cryptography

 

During the interviews, the experts all agreed that these technologies can play a key role in the processing and protection of data, particularly personal data.

 

Contributing to compliance with GDPR principles

 

Advanced cryptography technologies can contribute in part to compliance with certain data protection principles set out in Article 5 of the GDPR:

 

The principle of confidentiality

Advanced cryptographic technologies naturally contribute to compliance with the principle of confidentiality. Techniques such as FHE (Fully Homomorphic Encryption), FE (Functional Encryption) and secure multiparty computation (MPC) enable operations to be performed on encrypted personal data without decrypting it, thereby preserving its confidentiality at every stage of processing. In addition, by allowing knowledge of information to be demonstrated without revealing it, zero-knowledge proofs (ZKP) can also contribute to the confidentiality of personal data.

 

The principle of data minimisation

The ability of ZKPs to provide proof of the veracity of a statement without disclosing the underlying information contributes to compliance with the GDPR's principle of data minimisation. Thus, ZKPs could prove useful in authentication and access control systems, where proof of a user's identity is required without revealing unnecessary personal information (for example, in "age verification").

 

The principle of fairness and transparency

Advanced cryptographic techniques providing verifiability guarantees (verifiable storage, verifiable computation, verifiable encryption, etc.) could contribute to the principle of transparency by enabling data subjects to verify the data operations performed by a data controller.

 

The principle of purpose limitation

Functional encryption (FE) seems particularly well suited to contributing to the principle of purpose limitation. This technology allows access to data only for specific purposes using functional keys, thereby limiting the use of data to a defined objective. Similarly, ad-hoc MPC protocols, designed for a particular use, allow data operations for specific purposes.

 

The principle of accountability

Group signatures, for example, provide, by design, a mechanism that can contribute to the principle of accountability: in the event of abuse, the group administrator can identify the signers and hold them accountable for the transactions they signed with their private signature key.

 

Machine learning and artificial intelligence

 

Among the most dynamic applications of advanced cryptography, machine learning and artificial intelligence (AI) occupy an important place. This is particularly true in the context of deep neural networks.

MPC techniques are highly relevant in the field of machine learning, particularly in scenarios where models are trained collaboratively by multiple parties on data that must remain confidential. One of the challenges of MPC protocols is the requirement that stakeholders remain connected throughout the protocol.

Training on encrypted data is a hot topic in research. This approach would make it possible to preserve the confidentiality of training data. However, its implementation is still complex today. In contrast, inference on data encrypted with FHE already allows AI models to make predictions while keeping the data encrypted.

Furthermore, one of the experts mentioned ongoing work on the digital watermarking of AI models and training data (see LINC’s articles on digital watermarking in AI), which attracts strong interest from many industries, particularly for the purpose of protecting the intellectual property of models. The goal of watermarking is to embed a unique, unalterable, undetectable, and hard-to-predict signal into the data or the model. This would allow the model owner to prove actual ownership and to demonstrate when their model is being used without authorisation.

 

Confidential computing in the cloud

 

In the context of cloud computing, the end customer is responsible for protecting the data they store and process in the cloud. Encryption is one of the measures they can use.

 

Advanced encryption techniques, particularly FHE, are proving to be a relevant measure in this context. By encrypting data with FHE before it leaves the customer and keeping it encrypted during transit, storage, and processing in the cloud, the data remains unreadable to both malicious third parties and the provider itself, while maintaining the functionality of the cloud service.

 

In addition, MPC offers advanced applications for secure storage and processing of personal data in cloud environments. MPC enables calculations to be performed on distributed datasets while preserving the confidentiality of information. For example, it can be used to perform calculations on personal data distributed across multiple cloud service providers, ensuring that data is never centralised in a single location (this is particularly true for secret sharing-based MPC protocols, where data is fragmented and processed collaboratively without revealing the entirety of the information to each party). This approach reduces the risk of compromise in the event of a breach at a single provider, as the data is fragmented and distributed securely. MPC is also useful for performing calculations on data from multiple customers while preserving the confidentiality of each customer's individual data (in cases of data pooling and collaborative computing). MPC allows these processes to be carried out in the cloud without disclosing specific customer data to the cloud provider or other customers.  
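
The secret-sharing-based pooling described above, as an added example that is not from the interviews or from any project the article names: each customer splits a confidential value into additive shares, one per provider, and the providers compute the total share-wise. The field modulus, the three-provider setup, the names and the sample figures are assumptions made for this sketch.

```python
import secrets

# Assumed parameters for this sketch: a Mersenne prime field and three providers.
PRIME = 2**127 - 1
N_PROVIDERS = 3

def share(value, n=N_PROVIDERS):
    """Split value into n additive shares that sum to value mod PRIME."""
    if not 0 <= value < PRIME:
        raise ValueError("value must lie in [0, PRIME)")
    parts = [secrets.randbelow(PRIME) for _ in range(n - 1)]
    parts.append((value - sum(parts)) % PRIME)
    return parts

def reconstruct(shares):
    """Recombine shares; every share is needed to recover the value."""
    return sum(shares) % PRIME

class Provider:
    """One cloud provider: stores a single share per customer, never a full value."""
    def __init__(self):
        self.store = {}

    def receive(self, customer, s):
        self.store[customer] = s

    def local_sum(self):
        # Addition is done share-wise, with no decryption and no inter-provider traffic.
        return sum(self.store.values()) % PRIME

def pooled_total(inputs):
    """Customers upload shares, providers add locally, only the total is recombined."""
    providers = [Provider() for _ in range(N_PROVIDERS)]
    for customer, value in inputs.items():
        for p, s in zip(providers, share(value)):
            p.receive(customer, s)
    partials = [p.local_sum() for p in providers]
    return reconstruct(partials), providers

if __name__ == "__main__":
    # Constructed sample data: one confidential figure per customer.
    data = {"customer_a": 52000, "customer_b": 61000, "customer_c": 47500}
    total, providers = pooled_total(data)
    print("pooled total:", total)
    print("what provider 0 holds:", providers[0].store)
```

Only addition is shown, which needs no interaction under additive sharing; the true total must stay below the modulus, and any set of fewer than all providers holds values that are uniformly random and reveal nothing about a customer's input.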

 

What are the barriers to adoption?

 

This is a legitimate question. These technologies offer innovative, even revolutionary potential in terms of how personal data could be processed while maintaining its security. However, their adoption is not yet widespread. The interviews enabled us to identify some answers to this paradox.

 

A constantly evolving field

 

The interviews highlighted that the field of advanced cryptography is constantly evolving, and that this evolution is rapid. Technologies that were considered mere theories a few years ago (FHE, post-quantum, etc.) are now among the most dynamic areas of research. This uncertainty about technologies can make decision-making difficult for companies, as they must constantly assess whether new advances are ready for adoption.

Furthermore, the technical complexity of these solutions can be an obstacle to their widespread adoption. However, frameworks such as Concrete-ML (for FHE), or initiatives aimed at simplifying implementation, such as the SCALE-MAMBA tool (for MPC), can help overcome this complexity and make these technologies more accessible.

Finally, performance trade-offs can hinder the adoption of these technologies. Advanced encryption techniques are inherently computationally intensive. They introduce significant overhead when processing encrypted data, which inevitably leads to longer processing times compared to operations performed on unencrypted data. This can be a limiting factor for companies that require high performance. However, depending on the use case, some organisations may be satisfied with slower technologies that do not require real-time processing. In such cases, they should be able to accommodate the intensive calculations (for example, by running a process overnight). Nevertheless, improving performance is an ongoing goal, with researchers and manufacturers working on new techniques (particularly hardware) and more efficient algorithms. It is therefore reasonable to expect that eventually performance will improve sufficiently to meet the needs of organisations.

 

Industrial adoption not widely encouraged

 

Despite the maturity of certain advanced cryptography technologies, their adoption has been slow. Industry inertia, resistance to change, and a lack of regulatory incentives are all factors that can hinder their widespread implementation.

 

One expert noted that the barrier to widespread adoption of advanced cryptographic technologies can be partly attributed to a lack of market demand. Why invest heavily in research and development for these technologies if customers are not explicitly asking for them? As long as the adoption of these technologies is not a requirement clearly stated by customers or imposed by strict regulations, many companies may prefer to invest their resources elsewhere, where they perceive more immediate demand and therefore greater profit. Some form of external incentive may be necessary.

 

This same expert therefore envisages calls for tenders for specific projects that could include privacy-enhancing technology (PET) requirements in their specifications, thereby forcing manufacturers to meet these requirements in order to be eligible for these projects. Ultimately, he believes that normative or regulatory obligations could change the situation.

 

The complexity of the transition to post-quantum cryptography

 

This transition is complex and requires thorough planning by the stakeholders. It will not simply be a matter of replacing pre-quantum algorithms with new post-quantum algorithms. ANSSI therefore recommends implementing hybrid systems. However, managing these hybrid systems could be complex. It will be necessary to raise awareness among organisations and inform them about the measures needed to prepare for the post-quantum transition.

 

Conclusion of the three articles

 

In conclusion, interviews with experts reveal that certain advanced cryptography tools are already practical and deployable, even if they have not yet been widely adopted by industry.

Furthermore, the interviews show that the field of advanced cryptography is currently experiencing a period of rapid growth, both in research and in industrial applications. The emerging opportunities are promising, offering relevant solutions for the protection of personal data and AI security.

In addition, the standards currently being developed by organisations such as NIST (for post-quantum), ISO (for FHE, MPC, ZKP, and group signatures), and the Homomorphic Encryption Standardization Consortium (for FHE) play a key role in adoption by industry.

However, the widespread adoption of these technologies is not without challenges, such as technological maturity that has yet to be achieved and the lack of incentives to use these technologies.

It is undeniable that the CNIL has an important role to play, within the framework of its missions, in promoting the adoption and encouraging the use of advanced cryptographic technologies.

 

 


Illustration: pexels