FHE (fully homomorphic encryption) provides quantum-secure computing on encrypted data, guaranteeing that plaintext data and its derivative computational results are never exposed and remain secure from modification and/or breach despite compromised infrastructures. Most FHE schemes are based on lattice mathematics, are believed to be secure from breach by quantum computing,^{9} and are considered PQC (post-quantum cryptography). New hardware accelerator architectures are an active area of research and development,^{1,3} and academic research continues to develop new and more efficient implementation schemes, making the full implication of FHE on data processing close to realization. With the advent of commercial FHE:

• Data, including its unrestricted computational derivatives, remains encrypted both at rest and throughout its life cycle and is decrypted to plaintext only in secure, trusted environments.

• Valuable insights through AI (artificial intelligence), big data, and analytics can be extracted from data—even from multiple and different sources—all without exposing the data, secret decryption keys, or, if need be, the underlying evaluation code.

Industry-standard, perimeter-based security techniques common in today's IT infrastructure are built with thousands of integrated, constantly changing hardware and software components. They mostly depend on encryption techniques that rely on the difficulty of existing hardware to find discrete logarithms and/or factor large integers. This leads to some uncomfortable conclusions about the state of data security today:

• It is a statistical certainty that infrastructure breach points will always exist regardless of effort because of the number and ever-changing nature of these components. The only unknown is whether they have been identified and exploited. Protecting data has become an increasingly complex and breach-prone process because provable data security is unachievable with this approach. Moreover, data processing is operating in an increasingly aggressive regulatory context with significant consequences and costs for breaches.^{7}

• Widely used encryption technologies depend on the difficulty of finding discrete logarithms and/or factoring large integers on standard hardware. Quantum computing algorithms can easily solve these problems.^{11} With the commercial quantum computing market growing at a compound annual growth rate of 36.5% and projected to reach $1,987.6 million by 2028^{8} , these encryption techniques are quickly becoming obsolete and new PQC is needed.

What is required is a security mechanism that:

• Assumes that IT infrastructure is already compromised, so does not depend on a strong perimeter defense to protect data.

• Uses PQC encryption techniques not considered vulnerable to quantum computing attacks.

FHE meets both these requirements.

The idea of direct computation on encrypted data was first recognized in 1978 by Ronald L. Rivest, Len Adelman, and Michael L. Dertouzos.^{10} They observed that under RSA (Rivest-Shamir-Adleman) encryption, two encrypted numbers could be multiplied and the result would be equivalent to the plaintext product encrypted using the same key. They called these properties *privacy homomorphisms*, recognizing that encryption schemes can have properties where the results from a set of operations on plaintext data equals the results of those same operations performed on their encrypted forms and then decrypted. RSA encryption exhibited *multiplicative homomorphism*.

They recognized that:

• With HE (homomorphic encryption), the ability to do computation on encrypted data, data access can be separated from data processing by allowing computation to occur on encrypted data without the need for the secret decryption key.

• A user could take a piece of data, encrypt it homomorphically, use that encrypted data in a query (where the query itself could be encrypted or not) to a database, and get a result encrypted in the same way.

• At no time during this computation were the original query data, secret decryption key, results of the query, or—if encrypted—the query itself, ever exposed.

In 2009, more than 30 years later, Craig Gentry proposed the first plausibly secure FHE scheme.^{4} Algorithms were defined as a circuit of logic gates, and unrestricted computation occurred on encrypted data with results encrypted in the same way. It was extremely slow, taking about 30 minutes to complete a single logic gate on standard x86 hardware.^{5} Continued research has resulted in four distinct generations of FHE and substantial speed-up on standard hardware platforms.

Today, conventional wisdom suggests that an additional performance acceleration of at least another 1 million times would be required to make FHE operate at commercially viable speeds. At the moment, Cornami is the only commercial chip company to announce a forthcoming product that can meet and exceed that performance level.^{3}

FHE provides all the functions supported by asymmetric PKE (public key encryption). As it is used today, PKE is based on finding discrete logarithms or factoring large integers and has five properties:

• *Key generation:*`(sk, pk) ← K(λ)`

where key generation function `K`

with argument random seed number `λ`

produces a key pair consisting of a secret key `sk`

and a public key `pk`

.

• *Encryption:*`c ← E(pk, m)`

where encryption function `E`

with arguments `pk`

and plaintext message `m`

produces encrypted message ciphertext `c`

.

• *Decryption:*`m ← D(sk, c)`

where decryption function `D`

with arguments `sk`

and `c`

produce `m`

.

• *Correctness:*`m = D(sk, E(pk, m))`

for all key pairs, messages, and encryption randomness.

• *Semantic security:*`∀m ∈ {0, 1}`

— for all single-bit messages `m`

, member of the set 0 and 1, `E(pk, 0)`

and `E(pk, 1)`

must be computationally indistinguishable and must be probabilistic (e.g., there should be many encrypted messages `c`

per plaintext message `m`

).

For use in HE, two more properties must be added:

• ** Evaluate:** Along with the

`K, E,`

and `D`

functions, `V`

for evaluate is added. • *Correctness:*`D(sk, V(pk, f, c`

where decryption function _{1}, ... c_{n})) = f(m_{1}, ... , m_{n})`D`

with arguments `sk`

and evaluation function `V`

with arguments `pk`

; function `f`

where `f ∈ `

(a set of or family of efficiently computable functions that have the desired homomorphic properties); and ciphertexts *F*`c`

are equal to function _{1}, ... , c_{n}`f`

applied to arguments `m`

. For multiplication this would be _{1}, ... , m_{n}`D(sk, HE-MULTIPLY(pk, MULTIPLY, E(pk, m`

._{1}), E(pk, m_{2}))) = MULTIPLY(m_{1}, m_{2})

To achieve unrestricted homomorphic computation, or FHE, you must choose

to be a set of functions that is complete for all computation (e.g., Turing complete). The two functions required to achieve this goal are bit *F*`Addition`

(equivalent to Boolean `XOR`

) and bit `Multiplication`

(equivalent to Boolean `AND`

), as the set `{XOR, AND}`

is Turing complete. Any computable function can be created with a combination of `XOR`

and `AND`

gates. If one homomorphically computes `SUM`

s and `PRODUCT`

s on encrypted bits, then one can compute *any* function on encrypted bits.

While bit `XOR/Addition`

and bit `AND/Multiplication`

are necessary for a homomorphic computational system to be Turing complete, algorithms need not be directly defined in those low-level terms. Current FHE models define computation in Boolean circuits, integer arithmetic, or real/complex arithmetic.

In their 1978 paper, Rivest, Adelman, and Dertouzos proposed that the secret key `sk`

(they used the variable `p`

) be hidden in a public key `pk`

by creating random multiples of `p`

(e.g.` q`

) where _{i}p`q`

is a secret factorization that is different for each encryption. Encryption of a single-bit _{i}`b`

using a public key was the addition of random multiples of `p`

to `b`

. Decryption was then `m = c modulo p modulo 2`

. Sadly, this approach breaks *semantic security* since encryptions of plaintext bit 0 are just multiples of `p:`

`1. c = q`

_{i}p + b modulo 2

`2. = q`

_{i}p + 0 modulo 2

`3. p = GCD(<encryptions of 0>)`

In 2010 Martin van Dijk, Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan^{12} (DGHV) determined that adding noise to the `pq`

public key blocks GCD (greatest common divisor) secret-key discovery and, at present, any other secret-key discovery approach. The amount of noise to be added is determined by the _{i}*Approximate GCD assumption*: If you sample many integers from set `{x`

where (1) _{i} = q_{i}p + 2r_{i} : r_{i} << p : p << q_{i}}`r`

is a slight amount of noise and is different for each encryption, and (2) each _{i} `x`

is very close to multiples of _{i} `p`

but not exact multiples of `p`

, then the set of integers `x`

is indistinguishable from random integers of the same size. _{i}

HE encrypts a plaintext bit into a polynomial.

1. Pick a large, odd number `p`

to be the secret key.

2. For each encryption, pick a random, large multiple of `p`

, say `q`

._{i}p

3. Then for each encryption, sum bit `b`

and `q`

with a _{i}p `Noise`

expression defined by the doubling of a random small number `r`

to _{i} `2r`

. This produces ciphertext _{i}`c = q`

where _{i}p + 2r_{i }+ b`q`

is the public key. _{i}p + 2r_{i }

`b = c modulo p modulo 2`

removes the `Noise. `

` = q`

_{i}p + 2r_{i} + b modulo p modulo 2

`c`

_{1} = q_{1}p + 2r_{1} + b_{1}

`c`

_{2} = q_{2}p + 2r_{2} + b_{2}

`c`

_{1} + c_{2} = p(q_{1} + q_{2}) + 2(r_{1} + r_{2}) + (b_{1} + b_{2})

__| |__

*Noise*

`c`

_{1} = q_{1}p + 2r_{1} + b_{1}

`c`

_{2} = q_{2}p + 2r_{2} + b_{2}

`c`

_{1}c_{2} = p(q_{1}q_{2} + q_{1}b_{2} + q_{2}b_{1}) + r_{1}(2pq_{2} + b_{2}) + r_{2}(2pq_{1} + b_{1}) + r_{1}r_{2} + b_{1}b_{2}

__| |__

*Noise*

• Addition: `2(r`

_{1} + r_{2}) Noise = 2 x <initial noise>

• Multiplication: `r`

_{1}(2pq_{2} + b_{2}) + r_{2}(2pq_{1} + b_{1}) + r_{1}r_{2} Noise = <initial noise>^{2}

If `|Noise|`

exceeds `p/2`

, decryption cannot be guaranteed. Because Addition `Noise`

growth is linear and Multiplication is exponential, if there is no mechanism to reset `Noise`

growth, this approach will allow many additions and some multiplications before reaching the `p/2`

limit. Working within the `p/2 Noise`

limit is the definition of SHE ("somewhat" homomorphic encryption) and can be effective for many valuable, bounded, use cases such as database query and spam filtering. SHE does not have a mechanism to reset `Noise`

growth during encrypted value computation, does not support unrestricted computation on encrypted data, and therefore is not FHE.

Before Gentry's 2009 paper, `Noise`

aggregated during HE computation significantly limited HE use cases. There were basically two options to address larger homomorphic computational threads.

Increase the `Noise`

limit by increasing the size of the secret key `sk`

. This would increase the amount of computation that could be accomplished before hitting the `sk/2`

limit.

1. Freeze a homomorphic computational thread on an untrusted, insecure site.

2. Transfer the encrypted intermediate value `c`

back to a secure, trusted site._{n}

3. Decrypt `c`

with the secret key _{n}`sk`

to plaintext `m`

._{n}

4. Encrypt `m`

back to _{n}`c`

with a public key _{n}`pk`

reducing `Noise`

to a nominal state.

5. Transfer `c`

back to the untrusted, insecure site._{n}

6. Restart the homomorphic computational thread with the new re-encrypted and lower noise `c`

._{n}

Obviously, Option 2 is not practical. Gentry developed a mechanism to reset `Noise`

in an encrypted result so that a computational thread could continue indefinitely. In his approach he used lattice-based cryptography that is considered resistant to attack by both classical and quantum computer methods.

Gentry effectively implemented Option 2 by applying a recursive, embedded, homomorphic decryption that allowed for the noise of encrypted value `c`

to be reset without exposing it or the secret key to potential breach or physically transferring it to a secure, trusted site for decryption and re-encryption. In this way Gentry showed that unrestricted computation on encrypted data or FHE is possible. Gentry's approach follows these steps (as shown in figure 1):_{n}

1. Encrypt a plaintext message `m`

with public key `pk`

to produce ciphertext `c`

._{1}

2. Perform some number of HE computations on `c`

to produce _{1}`c`

such that _{n}`c`

is near to but not over the noise limit _{n}`sk/2`

.

3. Encrypt secret key `sk`

with public key `pk`

to create an encrypted secret key `ck`

.

4. Encrypt `c`

with public key _{n}`pk,`

resulting in a new double-encrypted `cc`

._{n}

5. HE Decrypt `cc`

using encrypted secret key _{n}`ck`

to produce `c`

with a reset noise level. _{n}

6. Continue the computation using `c`

._{n}

What Gentry achieved was to decrypt and re-encrypt an encrypted value `c`

using a homomorphic computation with an encrypted secret key `sk`

and the public key `pk`

. Gentry called his `Noise`

reset process *bootstrapping*. While it showed that unrestricted computation on encrypted data is possible, two significant limitations prevented its use in programming applications: (1) The computation required by the bootstrapping algorithm far exceeded the performance capabilities of available hardware platforms; (2) it lacked an efficient implementation of *conditionals,* which enable programmatic comparison and selection/jump operations.

Since 2009, researchers have evolved substantial performance and functional improvements over the original Gentry scheme: Enhance overall homomorphic computational performance; increase bootstrap performance; decrease the number of bootstraps required for a fixed amount of homomorphic computation; minimize noise growth during homomorphic computation without bootstrapping; and refine cryptographic models based on known, high-difficulty problems in lattice mathematics not solvable with quantum computing.

The following are some of the more notable advances:

• ** LWE (learning with errors) and RLWE (ring learning with errors).** Equivalent to solving the CVP (closest vector problem) in lattice mathematics and based on the inability of determining coefficients (which represent the secret key) in a sampling of a system of linear equations (LWE) or polynomial rings over finite fields (RLWE), where each equation has a small, random, additive error.

• ** Leveling. **Allowing the evaluation of a logic-gate circuit of predetermined depth before requiring a bootstrap.

• ** Relinearization.** Computationally expensive method of reducing both homomorphic computational cost and storage burden by reducing cyphertext length (resulting from homomorphic multiplication) while preserving correctness of the underlying message.

• ** Modulus switching.** Reducing noise without secret-key use while preserving the integrity of a ciphertext

`c`

by dividing a ciphertext `c modulo q`

by noise factor `|r|`

to produce a new, lower-noise, equivalent cyphertext `c' = c/r modulo q/r`

.

The history of FHE is shown in figure 2.^{13}

Gentry's original ideal lattice-based FHE scheme supported both addition and multiplication on cyphertexts that allowed for logic circuits to perform unrestricted computation (e.g., Turing complete). It was very slow. DGHV then replaced the SHE portion of Gentry's approach with a simple integer-based scheme.

BFV (Brakerski/Fan-Vercauteren) and BGV (Brakerski-Gentry-Vaikuntantan) introduced LWE and RLWE security models and also introduced leveling schemes that allow for the execution of a logic-gate circuit of set depth before requiring a bootstrap.

GSW (Gentry-Sahai-Waters) avoided computationally expensive *relinearization* used in homomorphic multiplication. It had slower noise growth. There was development of more efficient ring variants with FHEW (Ducas-Micciancio — "Fastest Homomorphic Encryption in the West"), as well as simplification and increased optimization of bootstrapping.

CKKS (Cheon-Kim-Kim-Song) introduced efficient rounding operations for encrypted values that control noise rate increases in HE multiplication and reduce the number of bootstraps in a logic circuit. It also introduced the concept of PBS (programmable bootstrapping) to TFHE^{2 }(torus fully homomorphic encryption), reducing the number of bootstraps required in a logic circuit.

Current FHE schemes^{6} implement computation in one of three ways:

• Plaintext: bits

• Computation: arbitrary Boolean logic-gate circuits

• Fast number comparison and bootstrapping

• GSW, FHEW, TFHE

• Plaintext: integers modulo a plaintext modulus `a`

(or their vectors)

• Computation: integer arithmetic circuits mod `a`

• Efficient SIMD (single-instruction multiple data) batch computations over integer vectors

• Fast, high-precision integer arithmetic and scalar multiplication

• Leveling that can avoid bootstrapping

• BGV, BFV

• Plaintext: real or complex numbers

• Computation: similar to floating-point arithmetic

• Fast polynomial approximation

• Relatively fast multiplicative inverse and discrete Fourier transform

• Deep approximate computations, such as logistic regression learning

• Efficient SIMD batch computations over real-number vectors

• Leveling that can avoid bootstrapping

• CKKS

Table 1 shows current FHE frameworks and supported schemes, and table 2 lists FHE platforms.

With hardware FHE accelerators now on the horizon, it is important to understand some of the use cases that will become available with commercial-grade FHE. This is a partial list of potential application areas:

• Secure data from breach/modification throughout its life cycle. Privacy-preserving computing on encrypted data guarantees that data and its derivative computational results remain secure from modification and/or breach despite compromised infrastructure. Provable security for data both at rest and throughout its computational life cycle will accelerate the move to untrusted platforms for computation services on confidential data, removing much of the rationale for private data-center use.

• Secure data from quantum computing attacks. The lattice-based PQC used in FHE is not considered vulnerable to quantum computing attacks, while industry-standard number factoring and discrete logarithms-based encryption used today are vulnerable. With many quantum computer products either released or scheduled to be released, the PQC era has already started.

• Protect application services data, results, and analytic models from disclosure. Execution of big data, AI, and/or analytic services using FHE-secure, user-encrypted data inputs, service results, and analytic model information (such as neural network weights).

• Analysis of confidential data aggregated from multiple organizations. Different confidential datasets from multiple organizations are aggregated and analyzed without underlying data disclosure. Examples include (1) big data, AI, or analytics insights into industrywide trends; (2) balance-sheet aggregation to evaluate mergers and acquisitions; (3) combining data from different vendors to facilitate pharmaceutical drug trials; and (4) analysis to be applied to the combined potential partnership data to determine potential business value.

• Secure and confidential rule matching against network traffic. Patterns of behavior, methods, and techniques used by network bad actors are learned over time through advanced NTA (network traffic analysis), are defined as rules, and encrypted using FHE. Those encrypted rules are applied using FHE computation to network traffic in untrusted environments identifying and monitoring threat actors' presence without revealing threat signatures or matching traffic. This is useful in both WAN/LAN computer network security and AML (anti-money laundering).

• PSI (private set intersection): Secure and confidential data intersection check within a larger database. This is the ability to query if specific data exists in a larger data store without revealing information about the contents of the query or the data store.

• FHE-enhanced blockchains. Enabling *private transactions *recorded on a blockchain using FHE and ZKP (zero-knowledge proofs) can prove that a transaction occurred without revealing data detail.

• Guaranteed data security and integrity across sensor/controller/actuator realtime control chain. Through encryption of sensor data at the source and supporting encrypted computation throughout the realtime control chain, data can be protected from both breach and modification.

• Monetization of confidential data resources. Revenue streams can be produced from licensing FHE-encrypted proprietary/confidential datasets for use by untrusted machine learning/big data/analytic applications on untrusted platforms.

Often called the Holy Grail of cryptography, commercial FHE is near. Strong forces are combining to drive FHE to commercial reality. These include the following:

• Provable security models for IT infrastructures will become an unavoidable requirement.

• Increased regulatory requirements and the widespread availability of quantum computers will make PQC an imperative for government and industry.

• Aggregation of confidential data from multiple sources without its disclosure will open up far-reaching ways for organizations to partner and extract new high-valued insights into a wide range of industry trends.

• High-value analytic service models will be protected from disclosure even when operating on untrusted platforms.

• Data integrity will be maintained through the sensor-processing-actuator chain.

• Opportunities will exist for new data-licensing revenue models that do not risk confidential data disclosure.

• Active research and development will continue to develop hardware FHE accelerators.

• Continued academic research will accelerate FHE scheme performance.

Once commercial FHE is achieved, data access will become completely separated from unrestricted data processing, and provably secure storage and computation on untrusted platforms will become both relatively inexpensive and widely accessible. In ways similar to the impact of the database, cloud computing, PKE, and AI, FHE will invoke a sea change in how confidential information is protected, processed, and shared, and will fundamentally change the course of computing at a foundational level.

1. Atherton, K. 2021. DARPA awards contracts for encrypted data processing. Breaking Defense; https://breakingdefense.com/2021/03/darpa-awards-contracts-for-encrypted-data-processing/.

2. Chillotti, I., Joye, M., Paillier, P. 2020. Programmable bootstrapping enables efficient homomorphic inference of deep neural networks; https://whitepaper.zama.ai/.

3. Cornami, Inc. Fully homomorphic encryption; https://cornami.com/fully-homomorphic-encryption-fhe/.

4. Gentry, C. 2009. Fully homomorphic encryption using ideal lattices. In *Proceedings of the 41st Annual ACM Symposium on Theory of Computing*, 169—178; https://www.cs.cmu.edu/~odonnell/hits09/gentry-homomorphic-encryption.pdf.

5. Gentry, C., Halevi, S. 2011. Implementing Gentry's Fully-Homomorphic Encryption Scheme; IBM Research. https://eprint.iacr.org/2010/520.pdf.

6. Homomorphic Encryption Standardization Consortium. 2018. Building Applications with Homomorphic Encryption; https://homomorphicencryption.org/wp-content/uploads/2018/10/CCS-HE-Tutorial-Slides.pdf.

7. IT Governance. 2018. Data breach notification laws by state; https://www.itgovernanceusa.com/data-breach-notification-laws.

8. MarketWatch. Quantum Computing Market Size In 2022; https://www.marketwatch.com/press-release/quantum-computing-market-size-in-2022-352-cagr-analysis-of-key-trends-with-top-countries-data-top-key-manufactures-industry-dynamics-insights-and-future-growth-2028-exclusive-110-pages-report-2022-07-21.

9. Regev, O. 2006. Lattice-based cryptography. In *Advances in Cryptology*, ed. C. Dwork, 131—141. Lecture Notes in Computer Science 4117. Berlin, Heidelberg: Springer; https://link.springer.com/content/pdf/10.1007/11818175_8.pdf.

10. Rivest, R. L., Adleman, L., Dertouzos, M. L. 1978. On data banks and privacy homomorphism. Massachusetts Institute of Technology. Academic Press; https://people.csail.mit.edu/rivest/RivestAdlemanDertouzos-OnDataBanksAndPrivacyHomomorphisms.pdf.

11. Shor, P. W. 1994. In *Proceedings of the 35th Annual Symposium on Foundations of Computer Science*. IEEE Computer Society Press, 124—134; https://klein.mit.edu/~shor/papers/algsfqc-dlf.pdf.

12. van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V. 2010. Fully homomorphic encryption over the integers. In *Advances in Cryptology — Eurocrypt 2010*, ed. H. Gilbert. Lecture Notes in Computer Science 6110. Berlin, Heidelberg: Springer; https://eprint.iacr.org/2009/616.pdf.

13. Wikipedia. Homomorphic encryption; https://en.wikipedia.org/wiki/Homomorphic_encryption.

**Mache Creeger** has spent his career focused on commercializing newly emerging technologies and has worked at Sun, MIPS, Sony, LISP Machine Inc., InstallShield, several startups, Naval Research Lab, and Jet Propulsion Lab, and ran his own consulting practice. At Cornami, he is VP of business development and focuses on working with FHE (fully homomorphic encryption) framework vendors to enable Cornami hardware acceleration of FHE applications. Creeger founded and ran *acmqueue*'s CTO Roundtable series as head wrangler, was a columnist for *acmqueue* magazine, and co-chaired three panel discussions about emerging commercial technology trends (synthetic biology, human augmentation, and autonomous vehicles) as a volunteer at the Stanford Chapter of the MIT Enterprise Forum (VLAB). He has written 23 published articles and has one US patent application. He has a B.S. in psychology and biochemistry, one year of postgraduate study in biochemistry, and an M.S. in computer science, all from the University of Maryland.

Copyright © 2022 held by owner/author. Publication rights licensed to ACM.

*Originally published in Queue vol. 20, no. 4*—

Comment on this article in the ACM Digital Library

More related articles:

Jinnan Guo, Peter Pietzuch, Andrew Paverd, Kapil Vaswani - **Trustworthy AI using Confidential Federated Learning**

The principles of security, privacy, accountability, transparency, and fairness are the cornerstones of modern AI regulations. Classic FL was designed with a strong emphasis on security and privacy, at the cost of transparency and accountability. CFL addresses this gap with a careful combination of FL with TEEs and commitments. In addition, CFL brings other desirable security properties, such as code-based access control, model confidentiality, and protection of models during inference. Recent advances in confidential computing such as confidential containers and confidential GPUs mean that existing FL frameworks can be extended seamlessly to support CFL with low overheads.

Raluca Ada Popa - **Confidential Computing or Cryptographic Computing?**

Secure computation via MPC/homomorphic encryption versus hardware enclaves presents tradeoffs involving deployment, security, and performance. Regarding performance, it matters a lot which workload you have in mind. For simple workloads such as simple summations, low-degree polynomials, or simple machine-learning tasks, both approaches can be ready to use in practice, but for rich computations such as complex SQL analytics or training large machine-learning models, only the hardware enclave approach is at this moment practical enough for many real-world deployment scenarios.

Matthew A. Johnson, Stavros Volos, Ken Gordon, Sean T. Allen, Christoph M. Wintersteiger, Sylvan Clebsch, John Starks, Manuel Costa - **Confidential Container Groups**

The experiments presented here demonstrate that Parma, the architecture that drives confidential containers on Azure container instances, adds less than one percent additional performance overhead beyond that added by the underlying TEE. Importantly, Parma ensures a security invariant over all reachable states of the container group rooted in the attestation report. This allows external third parties to communicate securely with containers, enabling a wide range of containerized workflows that require confidential access to secure data. Companies obtain the advantages of running their most confidential workflows in the cloud without having to compromise on their security requirements.

Charles Garcia-Tobin, Mark Knight - **Elevating Security with Arm CCA**

Confidential computing has great potential to improve the security of general-purpose computing platforms by taking supervisory systems out of the TCB, thereby reducing the size of the TCB, the attack surface, and the attack vectors that security architects must consider. Confidential computing requires innovations in platform hardware and software, but these have the potential to enable greater trust in computing, especially on devices that are owned or controlled by third parties. Early consumers of confidential computing will need to make their own decisions about the platforms they choose to trust.