Is end-to-end encryption (E2EE) a myth? Traditional encryption has vulnerabilities. Fully homomorphic encryption (FHE) brings new hope for truly secure messaging, cloud storage, and data analytics.
Encryption is like waterproofing: you either do it all or nothing. Just as it makes no sense to waterproof your left shoe but not your right, it makes no sense to encrypt the consumer-facing components of your messaging app if the content can be decrypted later on a cloud server.
It's called end-to-end encryption (E2EE) for a reason, but to date many services that claim to leverage this technology have fallen woefully short. From an architectural perspective, E2EE is difficult to implement, especially in applications that serve millions of users.
But the emergence of a relatively new encryption technology is raising hopes that E2EE might become a reality rather than just an aspiration: Its name is Fully Homomorphic Encryption (FHE), and its unique design makes it ideal for services that rely on true end-to-end encryption.
How end-to-end encryption works
End-to-end encryption is a technology that ensures that only the users communicating with each other can read their messages. This could be two individuals chatting through a messaging application, or a business exchanging payment data with another organization, such as a bank. The data is encrypted on the sender's device and decrypted on the recipient's device, preventing intermediaries, such as service providers, from accessing the content.
This is achieved by encrypting each message with a key before it is sent. The other party decrypts the message with their own key to read its contents. In addition to messaging apps like Signal and Telegram, the technology is also used by email providers, cloud storage services, and file-sharing platforms. It's no exaggeration to say that E2EE is the backbone of the internet.
While E2EE is highly effective at preventing third parties from intercepting messages, it is by no means perfect: Concerted attempts by adversaries ranging from governments to state-sponsored hackers to weaken encryption and introduce backdoors have rendered many services that claim to use E2EE vulnerable.
Importantly, from a user perspective, there is no easy way to verify whether encryption is being maintained consistently, and as a result, individuals are forced to take their service provider's word for it when they promise that their messages are fully encrypted.
How encrypted is fully encrypted?
If a service claims to be end-to-end encrypted, that should be exactly what it means. In reality, implementations can vary widely in terms of encryption strength. While it is theoretically possible for users to check whether the service they are using implements robust encryption, the technical complexity puts this out of reach for most users.
For example, Telegram allows users to verify that its open-source code is the same as the code used in its mobile and desktop applications, but this requires running a series of terminal commands.
Telegram founder Pavel Durov has previously targeted other messaging applications and questioned the integrity of E2EE. He claimed on his Telegram channel: “A surprising number of important people I've spoken to have had their 'private' Signal messages used against them in US courts and in the media. But when someone questions their encryption, Signal's typical response is: 'We're open source, so anyone can verify that everything is fine.' But this is a trick.”
Additionally, he details how users have no way of verifying whether Signal's GitHub code is the same as the code running within the app. It's important to note that despite claiming to offer superior encryption, Telegram has also been accused of vulnerabilities in its own E2EE implementation.
One challenge is that messages can be decrypted even if a service provider implements strong encryption. There are many ways that an attacker can gain access to content, from weak key management to compromising a device with malware. And if a key is compromised, the entire message history can be decrypted unless the provider generates a new key for each session.
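The difference between one long-lived key and a new key per session can be shown in a few lines. This is an added example, not code from the article or from any messaging app; the HMAC-based toy cipher, the one-way key chain and the sample sessions are all constructed assumptions, and a real app would use an authenticated cipher.

```python
import hashlib
import hmac

def xor_stream(key, seq, data):
    # Toy cipher for the demo (HMAC-SHA256 keystream); a real app would use an AEAD.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, b"%d:%d" % (seq, off), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def next_keys(chain_key):
    # One-way step: a key for the current session, a fresh chain key for later.
    session_key = hmac.new(chain_key, b"session", hashlib.sha256).digest()
    new_chain = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    return session_key, new_chain

def run_static(key, sessions):
    # One long-lived key encrypts every session and stays on the device.
    return [xor_stream(key, i, m) for i, m in enumerate(sessions)], key

def run_rotating(chain_key, sessions):
    # Each session gets its own key; the previous chain key is discarded.
    stored = []
    for i, m in enumerate(sessions):
        session_key, chain_key = next_keys(chain_key)
        stored.append(xor_stream(session_key, i, m))
    return stored, chain_key

def exposed_history(device_state, stored, rotating):
    # Output of decrypting the stored history with the key state found on a
    # compromised device after the last session.
    key = next_keys(device_state)[0] if rotating else device_state
    return [xor_stream(key, i, c) for i, c in enumerate(stored)]

# Constructed sample sessions (one message stands in for one session).
SESSIONS = [b"meet at 10", b"wire ref 4471", b"new passphrase set"]
```

With the static key, `exposed_history` returns every original message; with rotating keys it returns only unreadable bytes, because the chain cannot be run backwards to the keys that protected earlier sessions.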
Finally, even when E2EE works optimally, its implementation imposes additional computational demands on the network, increasing latency and reducing performance, especially on devices with limited processing power and on resource-constrained blockchains. For these reasons, E2EE is by no means invincible. Can FHE solve some of these challenges, or will it run into the same problems that have undermined existing cryptographic protocols?
The Convergence of FHE and E2EE
One weakness of traditional E2EE is that data must be decrypted before it can be processed, which means that a third party may be able to access it at that point. In contrast, FHE allows direct computation on encrypted data without decryption, so the data remains protected throughout the entire process. This is the defining feature of FHE and what sets it apart from other encryption technologies.
It may be hard to visualize the benefits FHE brings in this regard when you think of messaging applications where data needs to be decrypted before the recipient can read it. But consider another example where FHE has proven to be superior in protecting data within E2EE systems: email. Here, FHE allows email providers or cloud services to return results from encrypted databases without actually seeing the data.
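To make "computing on encrypted data" concrete, the sketch below has a server match an encrypted 8-bit tag against encrypted records using only integer addition and multiplication on ciphertexts, while only the client holds the key. It is an added example, not code from the article or from any FHE product: it uses a toy integer-based homomorphic scheme (in the style of the DGHV construction) with parameter sizes chosen for readability rather than security, and all function names are illustrative.

```python
import secrets
# Toy integer-based homomorphic scheme (assumption: sizes picked for the
# demo, NOT secure; production FHE libraries use lattice-based schemes).
P_BITS, Q_BITS, NOISE_BITS = 512, 1024, 8

def keygen():
    # Secret key: a large odd integer p.
    return secrets.randbits(P_BITS) | (1 << (P_BITS - 1)) | 1

def encrypt(p, bit):
    # c = p*q + 2*r + bit; the small "noise" 2*r + bit hides the bit.
    q = secrets.randbits(Q_BITS)
    r = secrets.randbits(NOISE_BITS)
    return p * q + 2 * r + bit

def decrypt(p, c):
    # Correct only while the accumulated noise stays below p.
    return (c % p) % 2

def noise_bits(p, c):
    # Size of the noise inside c; it grows with every homomorphic operation.
    return (c % p).bit_length()

def enc_bits(p, value, width=8):
    return [encrypt(p, (value >> i) & 1) for i in range(width)]

# ---- server side: no key, only arithmetic on ciphertexts ----
def he_xor(a, b):
    return a + b          # noise adds, parity becomes XOR
def he_and(a, b):
    return a * b          # noise multiplies, parity becomes AND
def he_not(a):
    return a + 1          # adding plaintext 1 flips the hidden bit

def he_equal(xs, ys):
    # Encrypted 1 if every bit pair matches, otherwise encrypted 0.
    acc = 1
    for x, y in zip(xs, ys):
        acc = he_and(acc, he_not(he_xor(x, y)))
    return acc

def server_search(enc_query, enc_records):
    return [he_equal(enc_query, rec) for rec in enc_records]

# ---- client side: encrypts the data and query, decrypts the hits ----
def private_lookup(p, query, records):
    enc_records = [enc_bits(p, r) for r in records]
    enc_hits = server_search(enc_bits(p, query), enc_records)
    return [decrypt(p, c) for c in enc_hits]
```

Every `he_and` multiplies the noise, so this toy scheme only supports circuits of limited depth before decryption fails; fully homomorphic schemes add a noise-refreshing step (bootstrapping) to lift that limit.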
This capability can also be extended to many other use cases where data can be analyzed without disclosing its contents. Analysts can run algorithms on encrypted data sets and the results can only be decrypted by the intended recipient. Encrypted data can also be used to train machine learning models, allowing organizations to leverage powerful AI tools without compromising the privacy of the underlying data.
In the context of blockchain, fully homomorphic encryption also has great potential, especially in building end-to-end encrypted applications for messaging and the transmission of financial data. For example, Fhenix ships with the fhEVM, a variation of the Ethereum Virtual Machine that supports confidential smart contracts. As a result, sensitive data can be analyzed and transmitted without disclosing its contents.
With FHE, data remains encrypted at every stage – in transit, at rest, and while being processed – so it’s no wonder developers are excited about its potential to enhance E2EE systems.
FHE reduces the attack surface and ensures that sensitive data is not exposed to unauthorized parties even while it is being processed. This removes the need to trust service providers as they only process encrypted data, reducing the risks associated with a data breach.
If FHE is widely adopted in both blockchain and traditional systems, end-to-end encryption may soon live up to its name and provide truly unbreakable data protection.