Extended version in Les Echos
Author: Mariem Krichen (Innovation Projects Manager - Wallix)
The IoT revolution and the migration of on-premise services to the cloud have eroded individuals' privacy. Our personal data has become the fuel of a booming global market: data monetization.
In this context, where technological developments often go hand in hand with a crisis of trust, Europe has set up a unique legal framework, the GDPR (General Data Protection Regulation), aimed at regulating the data economy. Since the GDPR entered into force, the concept of privacy by design, which is at the heart of the regulation, has been gaining ground.
End-to-end encryption (E2EE) embraces this concept and is attracting the interest of cybersecurity software vendors. To make the case for E2EE as a privacy protection, functional encryption is essential, because it allows legitimate uses of encrypted data, such as statistical analytics.
Often described as the oil of the 21st century, data is a key resource whose price depends on how much interest it attracts. The power of data, and the abuses its exploitation makes possible, range from targeted advertising to the strategic reversal of an election campaign. Data analysts and service providers therefore work together so that each piece of data is scrutinized, analyzed and then properly exploited before being sold to interested companies.
Furthermore, this treasure has also become a main target for hackers, who are multiplying attacks on data servers. No one is spared. SMEs and industry giants alike have suffered the damage of data leaks: invasion of employees' privacy, loss of credibility in the eyes of customers, judicial liquidation.
The risk to data privacy, coupled with the obligation to comply with the GDPR, is a powerful driver of the expansion of the cybersecurity market. This context has widened the scope of activity of cybersecurity players, particularly those working on data and content protection.
In this context, where data protection is vital, E2EE enables companies to strengthen the security of their applications and avoid data leaks that could harm the employer's image. Integrating this technology into applications offers end users a high level of security without any change to their user experience, while ensuring the confidentiality of personal data both in transit and in storage.
However, E2EE has limits and faces a functional and psychological barrier: without decryption, no legitimate exploitation of the encrypted data is possible. Functional encryption answers this problem by showing that data can be stored in encrypted form, in the cloud or on premise, and that some of it can be exploited for legitimate purposes without being decrypted.
Functional Encryption (FE) is well suited to running statistical analytics on collected encrypted data without revealing the data itself, which may be personal or strategic in nature. FE allows a central entity to provide in cleartext, via a functional key, aggregated values computed from encrypted data. ENS, an expert in cryptographic protocol design, proposed a decentralized approach based on FE, Decentralized Multi-Client Functional Encryption (DMCFE), in order to reduce the power of the central entity by sharing it among several entities. The functional key is thus created by the participants in the data collection. The central entity's role is then limited to a simple aggregation of encrypted data, which preserves the privacy of the individual data collected by the participants.