Standardisation efforts on secure computing

Secure computing (also known as computing on encrypted data) is still maturing as a discipline. As such, there are no certification or standardisation schemes that would cover it as a whole.

However, there have been a number of initiatives to standardise certain techniques or their uses in certain settings. The Sharemind team has had the opportunity to be involved in several of them. Here is an overview of the ones we know about. If you know of more, do let us know by writing to sharemind@cyber.ee.

Standardisation of Secret Sharing

ISO/IEC JTC 1 Subcommittee 27 is a standards body working on standards for information security management systems, cryptography, security certification, identity and privacy technologies. It has published two standards on secret sharing.

Part 1 of the standard (more formally, ISO/IEC 19592-1:2016) focuses on the general model of secret sharing and the related terminology. It introduces properties that secret sharing schemes could have, e.g. the homomorphic property that is a key aspect for Sharemind MPC.

Part 2 of the standard (ISO/IEC 19592-2:2017) introduces specific schemes. It starts with the classic ones like Shamir and replicated secret sharing, which is also in use in Sharemind MPC. All schemes are systematically described using the terms and properties from Part 1. There were originally plans to have more parts for this standard, but work has not started yet.
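To make the homomorphic property from Part 1 and the replicated scheme from Part 2 concrete, here is an added sketch (not Sharemind's code and not text from the standards) of 2-out-of-3 replicated secret sharing. The ring of integers modulo 2^32 and all function names are assumptions chosen for illustration.

```python
import secrets

MOD = 2 ** 32  # assumed ring; the page does not fix a modulus


def share(secret):
    """Split secret into three additive pieces; party i holds pieces i and i+1."""
    x0 = secrets.randbelow(MOD)
    x1 = secrets.randbelow(MOD)
    x2 = (secret - x0 - x1) % MOD
    pieces = [x0, x1, x2]
    return [{i: pieces[i], (i + 1) % 3: pieces[(i + 1) % 3]} for i in range(3)]


def add_shares(a, b):
    """Homomorphic addition: every party adds its own pieces locally."""
    return [{k: (pa[k] + pb[k]) % MOD for k in pa} for pa, pb in zip(a, b)]


def reconstruct(party_shares):
    """Combine pieces from the given parties; any two parties suffice."""
    merged = {}
    for party in party_shares:
        for idx, val in party.items():
            # Replication doubles as a consistency check between parties.
            if merged.setdefault(idx, val) != val:
                raise ValueError("inconsistent copies of piece %d" % idx)
    if set(merged) != {0, 1, 2}:
        raise ValueError("not enough shares to reconstruct")
    return sum(merged.values()) % MOD


if __name__ == "__main__":
    # Constructed sample inputs: two salaries summed without opening either one.
    total = add_shares(share(1200), share(345))
    print(reconstruct([total[0], total[2]]))
    try:
        reconstruct([total[1]])  # one party alone is missing a piece
    except ValueError as err:
        print("single party:", err)
```

A single party sees only two uniformly random pieces, so it learns nothing about the secret, while the sum is computed without any communication between the parties.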

Standardisation of Homomorphic Encryption

ISO/IEC JTC 1 SC 27 is working on a standard on homomorphic encryption schemes (ISO/IEC 18033-6). Given the more conservative nature of ISO/IEC when it comes to encryption schemes, it is attempting to focus on the ones with multiple known industrial uses. However, as it is still a work in progress, it is unclear how it will turn out in the end.

There is also an open standardisation initiative for homomorphic encryption, where industry, government and academic partners contribute. It is taking a more liberal approach, targeting lattice-based schemes and their operations. Given that the efficient fundamental primitives of these schemes are not always the typical addition and multiplication, this is a very welcome development that will support the proliferation of the technology.

Secure computing for privacy preservation

ISO/IEC 29101:2013, the standard on Privacy Architecture Frameworks, is actually one of the oldest standards efforts that handles secure computing. It presents architectural views for information systems that process personal data and shows how Privacy Enhancing Technologies such as secure computing, but also pseudonymisation, query restrictions and more, could be deployed to protect Personally Identifiable Information.

29101 pre-dates the General Data Protection Regulation (GDPR), so it does not include all the latest knowledge on secure computing and its role in regulation. For example, it is unaware of the view of anonymised processing and that using secure computing might actually not be processing in the sense of the law.

There is another project that approaches privacy technologies a bit differently. The Privacy enhancing data de-identification techniques project (ISO/IEC 20889) will result in a standard that describes ways to turn identifiable data into de-identified data. Here, the choices include various noise-based techniques, cryptographic techniques and more. As the project is still under way, we don't fully know how it will turn out.

Impact and future of privacy standards

This was not an exhaustive list of privacy technology standardisation projects. While ISO has taken a leadership role in standardising cryptography around secure computing and its application in privacy, other efforts might have a strong impact, if they are more “open”.

To conclude, when implementing secure computing today, you may want to see if the standards describe your solution. It will help if you start selling to larger customers who seek additional validation for the technology. We're glad to say that the secure computing of Sharemind MPC is nicely covered by ISO/IEC 19592-1, ISO/IEC 19592-1, ISO/IEC 29101:2013 and we expect it to be covered by ISO/IEC 20889 as well.

In time, we hope to work with other secure computing providers to agree on common security goals that might lead to protection profile and certification targets. All around, exciting times for the technology!