Closing the Last Gap in Data Security with Homomorphic Encryption
There has been a phase of the data life cycle that often goes overlooked in modern data security practices: data in use.
Modern encryption algorithms successfully protect data at rest (data that’s stored) and data in transit (data traveling across a network). But when it comes to protecting data while it’s being used or processed, traditional methods do not alleviate these security concerns.
An area of cryptography called homomorphic encryption offered a groundbreaking solution by allowing computations to be performed directly on data without requiring decryption. But it was seen as theoretical and inefficient when first introduced.
DC-based startup, Enveil, utilized this groundbreaking technology to build a solution that both delivers on the security promises of homomorphic encryption and is efficient enough for commercial use.
We spoke with Ryan Carr, CTO and VP of Engineering at Enveil, to get an insider’s perspective on the startup’s journey and creation of their product: ZeroReveal®.
The conversation below has been edited for length and content.
Can you share your backstory and how you got to Enveil?
I was born in Maryland and lived there my whole life. I went to Centennial High school in Howard County, completed my undergrad at UMBC, and got my computer science PhD at College Park.
In 2013, I started working at John Hopkins APL in Fulton, MD on the big data analytics group. That’s where I met Ellison Anne Williams who would later become the founder of Enveil.
We worked together for a couple years and did a lot of cool projects from all different aspects of federal government.
She and some colleagues at the agency made advances in homomorphic crypto algorithms that improved performance and scalability. She went through the grueling process to get some of that open sourced, and then decided to start a company around it. That’s when she emailed me and said, “Want to come start a company?”
I said yes.
I honestly never thought I would be working at a startup. Ellison Anne is probably the only person I would have agreed to leave APL and start a company with, simply based on what I saw from her at the agency. She is extremely smart and driven and just gets stuff done.
I had never worked with crypto or homomorphic encryption before, beyond some undergrad courses.
So when she told me about the technology, I was like, “That sounds like that can’t be possible. That sounds like magic.”
I had to know more.
Now I know more, and it doesn’t seem like magic anymore.
Can you describe the current standing of homomorphic cryptography and Enveil’s product?
Homomorphic encryption is the technology that our company is really built on. It’s right on the bubble of moving from the academic space to something that’s used regularly in a commercial setting. It’s been a real privilege working with it. Having seen what it can do, I’m confident that it’s going to be everywhere in twenty years.
There are going to be undergrad courses on it. People are going to learn and use it as a routine course of doing business.
But, right now, it’s still in the area where few people outside of academia have really heard of it and what it could do.
This technology lets you take your data, encrypt it, and let other people make computations and get results on the data without being able to see the data itself.
Imagine being able to ask a database a question and get an answer, but the database does not get to see what you’re asking or what the answer is. That’s why it sounded like impossible magic to me when I first started the company.
But it’s not magic, it’s just math.
It’s been fascinating to educate people about it and recruit new people to come and work with it.
What have been some of your favorite aspects of building this product? What have been some of the challenges?
In terms of my skillset, I think I’ve gotten to do a lot of things that I wouldn’t have otherwise gotten to do. I have written a lot of patents, done a lot of recruiting, figured out how to manage and build a team, and made a product from the ground up. It’s really been a fantastic journey in that respect.
In terms of challenges, one difficult aspect is building the market around that kind of technology. As I mentioned, few people have heard of it and what it could do, so a lot of our best and highest use cases for the product are things that people have never even considered that they could do.
One of the most interesting things our product can do is take a sensitive query that’s in a sensitive domain, encrypt it, and let you send it and run it against data sets that are on their own sensitive domain. That’s a foreign concept to anybody who has worked in a sensitive space. You train your brain not to spill the sensitive information. Not to let anything out.
That’s been one of the challenges in convincing people that this is something that can be done. This is something that’s been vetted by the government and it’s been cleared to carry these sensitive terms.
After our initial federal use cases, we moved into the commercial side. Our first target was banks since they have a similar kind of problem: PII data and sensitive internal data that’s treated the same as classified. So, they’ve trained themselves not to let that data leave their walls.
These new use cases that we brought to them were things they’ve never considered they could do before.
Building the market around these types of innovative products has been challenging, but we are seeing traction now and just closed our Series A funding.
As to building your team, what do you look for and what’s been effective?
A lot of our technology heavily uses cryptography. Thankfully, there are some agencies in the Maryland and Virginia area where people regularly use crypto. We’ve had success from both agencies and contractors in the area.
One of the interesting challenges has been convincing people to join a startup.
A lot of people in this area have never considered working for a startup. I was one of them until a few years ago. Most people who want to join startups go out to San Francisco. That’s always a big part of our recruiting process. I’m extremely upfront with people about the differences between working at a startup versus working at a contractor or a government agency. How it’s better, how it’s worse, and how it’s just different. So far, we’ve had a pretty good track record.
There are a lot of appealing things about working at a startup, especially if you don’t like the big bureaucracy types of things that most tech jobs around here require you to deal with.
How do you educate future team members and the general data industry on the implications and importance of your product?
The first thing we do is point them to the literature on it. A lot of articles and academic standards are trying to push for this technology to be widely adopted.
A big reason for that is the math it’s based on. As of right now, lattice-based encryption techniques, which power most homomorphic encryption systems, are thought to be the best candidates for what’s called quantum resistant cryptography.
Researchers have come up with techniques that could use powerful quantum computers to speed up attacks on most kinds of encryption used today, effectively breaking them. But nobody has found a way to do this for lattice-based encryption techniques. So, there has been a lot of interest (especially in Maryland and Virginia) in these lattice-based approaches, independent of their applications to homomorphic cryptography, and some of them are being evaluated for standardization by NIST and other agencies around the world.
For those who haven’t heard about homomorphic cryptography, I tell them it’s going to be one of the basic building blocks of software in twenty years. It’s a fascinating and extremely powerful technology that’s just now moving to something that has a lot of applications. I think it’s a very attractive thing for people to come and gain these skills because they’re going to be in high demand.
I liken it to working with databases in the 80s. People had just started to use them, but now they’re everywhere. I really do believe this kind of cryptography is going to be like that. It’s going to be everywhere and in extremely high demand.