Fully Homomorphic Encryption in Production Systems

In this living document, I will list all production systems I’m aware of that use fully homomorphic encryption (FHE). For background on FHE, see my overview of the field.

If you have any information about production FHE systems not in this list, or corrections to information in this list, please send me an email with sufficient detail allow the claim to be publicly verified.

For all production deployments, I will distinguish between cases where the deployed system does “fully” homomorphic encryption (with bootstrapping), aka FHE, and “somewhat” homomorphic encryption, aka SHE (avoiding bootstrapping).

Table of contents:

Microsoft’s Password checkup (SHE)

After a proof of concept in two papers 2017-2018 papers by Hao Chen, Zhicong Huang, Kim Laine, and Peter Rindal (1, 2), the Microsoft Edge team implemented a password checkup service that uses FHE to compare a user’s passwords privately against a database of known compromised passwords. They use FHE as part of a custom private set intersection (PSI) protocol, other components of which include Oblivious Pseudo-Random Function evaluation as well as hashing tricks to shard the password database.

They used the FV (BFV) scheme as implemented in Microsoft’s SEAL library (v2.1). This was deployed in Edge as recently as 2021-01.

Sources:

• Corporate blog post
• Edge support page (“powerful encryption helps protect your information from being revealed to anyone.”)

Apple Live Caller ID Lookup (SHE)

On 2024-07-30, Apple announced that iOS 18 includes a feature called Live Caller ID Lookup, which supports third-party caller ID and spam blocking services, and now uses homomorphic encryption to prevent third party servers from seeing the call information. To the best of my understanding, Apple still sees your call information.

This is implemented using BFV in Swift, and seems to be unrelated to the corecrypto BFV implementation mentioned in the rumors section. A demonstration app is provided.

Source:

• Swift blog
• Apple Live Caller ID documentation
• Swift homomorphic encryption library

Apple enhanced visual search for photos (SHE)

In a 2024 blog post, Apple described a private nearest neighbor search technique that combines differential privacy and somewhat homomorphic encryption to do private image search.

The server maintains a K-means clustering of the embeddings of the images in the database to be searched, and sends the centroids to the client. The client locally computes the nearest centroid, then sends the centroid (unencrypted) and the query embedding (encrypted) to the server. Then the server computes homomorphically the nearest member of the cluster and returns the encrypted result to the client.

To avoid the server learning about the cluster in question, Apple adds a layer of indirection via an anonymization network and periodically sends fake queries (encryptions of zero with random centroids) to the server, in a scheme that is claimed to provide adequate differential privacy.

This also uses the BFV implementation in Swift, as with the caller ID lookup.

Source:

• Apple blog post
• Wally paper

Rumors, developments, and things to watch and further verify

• In 2023, Apple implemented BFV and included it in their corecrypto library, but with no explanation of what it’s used for. I verified this by downloading corecrypto at the bottom of the Apple security page, and browsing the source tree for ccbfv. (Source)
• In June 2023, CryptoLab signed a three-year contract with Macrogen, a Korean generic data analysis company. “Macrogen will seamlessly integrate the HEaaN (CKKS) solution into their genomic analysis services, further bolstering the safeguarding of customer data.” (Source)
• In 2023 the Special Operands Association of America (SOAA) published a whitepaper describing Duality Technologies “Zero Footprint” Investigations query engine, which they describe as allowing one to use FHE to securely query third party data providers for information relevant to risks related to military service members. I.e., is there a leak of sensitive information that could allow a covert service member’s identity to be compromised? If the data is owned by a third party, this cannot be queried directly since doing so would reveal the identity of the service member. The whitepaper does not use language directly suggesting that SOAA uses this product, but it reads more as a recommendation for the US government to use it. The whitepaper also claims that the Zero Footprint engine is “currently in use” by the Department of Homeland Security, though it’s not clear if they’re using it for this particular use case, or some other use case. Moreover, the SOAA is a veteran’s advocacy nonprofit, and does not speak authoritatively for the Department of Homeland Security, so it’s hard to say how much evidence this whitepaper is to DHS actually using it. (Source)
• In 2021, TuneInsight claimed their health products (formerly named MedCo) “has already been tested and deployed in Swiss university hospitals.” The website for MedCo (https://medco.epfl.ch, now marked outdated) says they use “collective homomorphic encryption” along with multi-party computation (MPC) and differential privacy (DP), so it’s unclear what and how they use FHE in the actual hospitals. (Source)
• At the 6th Homomorphic Encryption Standards meeting in Seoul, Korea (which I attended), Brian Anthony of MIT gave a talk on the use of FHE in manufacturing. I recall some of the details, but have not been able to find any corroborating information. (Source, under March 24th in the morning session titled “Applications and Requirements I”) Some companies like Cornami have mentioned similar use cases with manufacturers who want to help users monitor equipment but don’t want to share direct sensor data or configurations.
• There is some talk about FHE being used in blockchain, but I don’t consider current blockchain use cases legitimate. Call me when they are widely used for something besides crime, scams, and price speculation.

Case Studies

• In 2024, TikTok’s TechJam hackathon gave a grand prize to a project called “Anonymous Ads,” using FHE to deliver targeted, private ads. The authors—P J Anthony, Nigel Lee, Jeremiah Au, and Vansh Nath (they appear to be undergraduates at the National University of Singapore)—used Zama’s Concrete-ML framework to convert a trained ad targeting model to FHE, and then serve inferences with it on encrypted search queries. As far as I can tell, they use a neural network for regression, via Concrete-ML’s NeuralNetRegressor, and the client is in charge of keeping track of (plaintext) search history and converting the search history to an encrypted input query to the server. Then the result is decrypted by the client and used (with noise injection for obfuscation) to request the next ad from an ad server. This last part doesn’t seem to be particularly private, but there are other projects demonstrating that one can privately request an ad from a server without the server knowing which ad is sent. Note, this demo does not require the client to prove the decryption of the result was correct. Sources: KrAsia news, DevPost, GitHub
• The IDASH privacy workshop has a yearly competition since 2014, which often involves FHE-related tasks. The topics are usually about genomics, including the concept of a genome-wide association study (GWAS). The FHE-related topics and winners in each year were:
  • 2015: GWAS with FHE (winner)
  • 2016: Testing for Genetic Diseases on Encrypted Genomes (winner)
  • 2017: Logistic regression (winner)
  • 2018: GWAS with FHE (winner).
  • 2019: Genotype Imputation (winner)
  • 2020: Secure multi-label Tumor classification (four teams tied for the win?); seems like they stopped posting enough information for me to find the paper after this year.
  • 2021: Homomorphic Encryption-based Secure Viral Strain Classification (two teams tied)
  • 2022: Secure Model Evaluation on Homomorphically Encrypted Genotype Data (winner was “AngelPowerFL (Tencent)”)
  • 2023: Secure Relative Detection in (Forensic) Databases (winner was “AntChain Morse”)
• Multi-institution statistical analyses. In 2023, Duality also announced a pilot partnership with Tel Aviv Sourasky Medical Center to use some kind of multi-party FHE to run descriptive analytics on patient data across medical institutions. The study encompassed a “real-world data set of colorectal cancer patients’ survival data, which includes 623 patients and 24 variables, amounting to 14,952 items of data.” They computed basic summary statistics, ran chi-square and t-tests, and Kaplan-Meier and log-rank survival analyses, which each taking between 1 and 3 minutes to run. They use CKKS with additional interactive protocols on top to handle bootstrapping more efficiently, described in the appendix to their paper. One interesting tidbit here is that the overhead of FHE was far outweighed by the alternative overhead of anonymizing the data so that it could be used without FHE. (PNAS publication, Duality Pamphlet, Duality blog post)
• Private contact tracing for COVID. This paper and associated app of Yongdae An, Seungmyung Lee, Seungwoo Jung, Howard Park, Yongsoo Song, and Taehoon Ko. As far as I can tell, while an FHE-powered app was created and field tested, it was not used for COVID contact tracing in production. Instead, Korea actually used a broad, centralized contact tracing system that was debated for its data collection and lack of privacy protections. (Source)
• Financial crime intelligence. In a 2023 (?) report, Singapore’s Infocomm Media Development Authority (IMDA) and Mastercard teamed up to run a case study simulating two entities sharing financial data across national borders to try to help detect fraud. Imagine a bank in Singapore wants to ask banks in the US, India, and the UK if an international bank account number is considered high risk. They use FHE to encrypt the query, and the foreign banks match against their (locally plaintext) databases to return an encrypted boolean response. The implemented a linear scan over the database (required for FHE) and had a latency of ~100 seconds for 1 million rows. They did not state what FHE schemes were used, though their implementation was provided by Duality/OpenFHE (source), so it seems likely to have been a RLWE-based scheme. The report mentions a number of regulatory issues that must be resolved to productionize. Similar proofs of concept (though many of the examples in the linked source report seem suspicious, I listed ones that seem more legit):
  • Enveil ZeroReveal (2019) (source, section 7.1)
  • Duality SecurePlusTM Query (2019) (source, section 7.2)
  • AUSTRAC (Australian Transaction Reports and Analysis Centre) financial crime alerting system (source, section 7.8). They use leveled BFV as part of an MPC protocol. I cannot find any details about it. They mentioned launching in 2020 but I have not seen any news about it since then.
• Multi-institution machine learning training. In 2019, IBM and Brazilian Banco Baresco (one of Brazil’s largest banks) demonstrated a proof of concept for using FHE to do regression inference and variable selection (but not training, AFAICT). They used CKKS via HElib (IBM’s FHE library). The variable selection phase input had 7500 entries with 546 explanatory features (they reported using real financial transaction data over two years to generate this dataset, and it seems they only ended up using 100-200 variables out of those 546), and the prediction phase input had 16 variables. At 128-bit security they did equivalently-good prediction in 5.4 sec / inference. For variable selection, they used Nesterov gradient descent with 5 or 6 steps, taking between 1.5 and 2.5 hours to finish. (source)

Similar pages

• Repository of use cases for privacy-enhancing technologies
• Differential privacy
• Secure Multi-Party Computation

Thanks

Thanks to Jonas Böhler and Derek Wood for contributions to the article.