Encrypted Processing API Engine

Separation-of-Duties-based Homomorphic Encryption Wrapper

Roadmap

Current Features

Fully-fledged RESTful Survey Example

BGV encryption from Lattigo with fixed parameterization

A generic aggregation API

Milestone 1

Testing and bug fixes

TLS support for the API

Multiple fixed parameterization options

Additional usage examples

Milestone 2

Integration of CKKS

Configurable parameterization (BGV/CKKS)

Additional functionalities (mean, variance, standard deviation)

Milestone 3

Configurable SIMD encoding

Introduction of output privacy mechanisms

Additional functionalities (set intersection, matching, and various distance metrics)

WASM compression

Additional usage examples

Milestone 4

DSL for non-cryptographers enabling fully automated parameterization and SIMD encoding

GitHub Repositories

"I have nothing to hide" (until I do, and then using E2EE makes me look suspicious).

"Big companies and the government already know everything about me, so why bother?" (until there’s a data breach, a political shift (USA 2025), or an employee abuses access—but it’ll never happen to me, right?).

What's It About?

Either you have heard one of the above statements, or you have said one yourself. Fortunately, we have moved past the era of "I have nothing to hide," at least where the mechanisms protecting data at rest and in transit are concerned. Although general awareness still largely reflects that mindset, and although the rise of AI agents and the debate over chat control threaten privacy on the end device, end-to-end encryption remains the industrial state of the art as of 2025. Data-in-use protection, however, remains largely unexplored territory for the industry, which is particularly troubling for a privacy-aware data subject: a person who uses a web service, provides their data, and cares (or would like to care) about privacy. Data-in-use protections serve not only as a security measure for service providers but also as a privacy-preserving measure for data subjects. Our Encrypted Processing API Engine is an attempt to foster a more privacy-aware web service industry by means of homomorphic encryption. It does not solve every privacy-preserving challenge, but we hope it is a step in the right direction.

The concept of homomorphic encryption dates back to 1978 (Rivest, R. L., Adleman, L., & Dertouzos, M. L., "On Data Banks and Privacy Homomorphisms"), yet it has not gained significant traction in industry. One major reason is the misconception that these methods are inherently too inefficient for practical use.

When exploring research in cryptography—particularly in homomorphic encryption or outsourced secure computation—one often encounters complex challenges that researchers are eager to solve. This is intentional; research aims to push the boundaries of what is possible. However, despite these advances, the industry has made little progress in adopting privacy-preserving or data-in-use protection measures on a broad scale. It seems that everyone is waiting for the holy grail—a kind of "FHEwGGE" (Fully Homomorphic Encryption with Generally Guaranteed Efficiency) scheme that will solve all problems at once. This mindset is dangerous, as it leaves the industry vulnerable to privacy breaches and data misuse. With no clear signs of progress, the industry remains stuck in a loop of waiting for the perfect solution, even though simple, practical alternatives are already available.

As applied cryptology researchers collaborating with SMEs over the years, we have observed that many web services could easily be enhanced with simple privacy-preserving mechanisms, such as homomorphic encryption, without compromising efficiency, accuracy, or security. This realization was striking because:

  • Any privacy-preserving enhancement—no matter how small—is better than none.
  • Many straightforward use cases can already be improved with existing techniques, yet they remain unaddressed by research due to their simplicity.

This situation is akin to a student attending a lecture, momentarily losing focus, and then realizing the board is filled with formulas they no longer understand. In this analogy, the research community is the lecturer, and the industry is the student. To bridge this gap, we, as cryptology researchers, decided to take two steps back and reassess industry needs from a new perspective—so that we can move one step forward together.

Introducing Our Encrypted Processing API Engine

To facilitate seamless integration of privacy-preserving mechanisms into web services, we developed a simple API engine.

Our Encrypted Processing API Engine enables privacy-preserving and efficient data processing for applications. It leverages state-of-the-art homomorphic encryption implementations from Lattigo, wrapped in our EncProc Engine, which abstracts away cryptographic complexities. This means you don’t need cryptographic expertise to secure your web service with these privacy-enhancing mechanisms.

Our approach focuses on practical functionality, such as aggregation, so that efficiency is preserved without sacrificing accuracy while still benefiting from the privacy guarantees of homomorphic encryption. Furthermore, our wrapper is built on a separation-of-duties-based, single-key homomorphic encryption processing architecture. This architecture keeps the encryption/decryption component, which holds the secret key, strictly separate from the processing component, which operates on ciphertexts only, so the secret key never reaches the party that processes the data.
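The three roles of that architecture, as an added example written for this page rather than code from the EncProc engine or Lattigo: the survey owner (key holder), the respondents (encryptors) and the processing component (evaluator) are modelled as plain Go functions. Because Lattigo is not part of the standard library, the Paillier cryptosystem stands in for BGV; it is additively homomorphic, which is all that aggregation needs, and it shows the same shape: the processing component receives only the public key and ciphertexts. `GenerateKey`, `Aggregate`, `RunSurvey`, the rating values and the key sizes are assumptions made for the illustration, not the engine's API or parameters.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Added illustration, not EncProc code. Paillier (additively homomorphic,
// standard library only) stands in for Lattigo's BGV; toy code, not for use.

var one = big.NewInt(1)

// PublicKey is all the processing component is ever given.
type PublicKey struct{ N, N2 *big.Int } // n = p*q and n^2 (ciphertext modulus)

// PrivateKey never leaves the encryption/decryption component.
type PrivateKey struct {
	Pub        PublicKey
	Lambda, Mu *big.Int // lcm(p-1, q-1) and its inverse mod n (generator g = n+1)
}

// GenerateKey draws a key pair whose modulus n has about `bits` bits.
func GenerateKey(bits int) *PrivateKey {
	for {
		p, err := rand.Prime(rand.Reader, bits/2)
		q, err2 := rand.Prime(rand.Reader, bits/2)
		if err != nil || err2 != nil {
			panic("crypto/rand failure") // entropy failure is fatal, as usual
		}
		n := new(big.Int).Mul(p, q)
		pm1, qm1 := new(big.Int).Sub(p, one), new(big.Int).Sub(q, one)
		lambda := new(big.Int).Mul(pm1, qm1)
		lambda.Div(lambda, new(big.Int).GCD(nil, nil, pm1, qm1)) // lcm(p-1, q-1)
		mu := new(big.Int).ModInverse(lambda, n)
		if p.Cmp(q) == 0 || mu == nil {
			continue // degenerate draw (negligible probability): redraw
		}
		return &PrivateKey{Pub: PublicKey{N: n, N2: new(big.Int).Mul(n, n)}, Lambda: lambda, Mu: mu}
	}
}

// Encrypt computes c = (1 + m*n) * r^n mod n^2 for a fresh random r.
func (pk PublicKey) Encrypt(m uint64) *big.Int {
	r, err := rand.Int(rand.Reader, new(big.Int).Sub(pk.N, one))
	if err != nil {
		panic("crypto/rand failure")
	}
	r.Add(r, one) // r in [1, n-1]; gcd(r, n) != 1 only with negligible probability
	c := new(big.Int).SetUint64(m)
	c.Mul(c, pk.N).Add(c, one) // (1+n)^m mod n^2 = 1 + m*n
	c.Mul(c, new(big.Int).Exp(r, pk.N, pk.N2))
	return c.Mod(c, pk.N2)
}

// Add is the processing component's only operation: a ciphertext product
// modulo n^2 is an encryption of the plaintext sum, and needs no key.
func (pk PublicKey) Add(a, b *big.Int) *big.Int {
	c := new(big.Int).Mul(a, b)
	return c.Mod(c, pk.N2)
}

// Decrypt recovers m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u-1)/n.
func (sk *PrivateKey) Decrypt(c *big.Int) *big.Int {
	u := new(big.Int).Exp(c, sk.Lambda, sk.Pub.N2)
	u.Sub(u, one).Div(u, sk.Pub.N)
	return u.Mul(u, sk.Mu).Mod(u, sk.Pub.N)
}

// Aggregate is the processing component: holding pk and ciphertexts only, it
// folds the encrypted answers into one encrypted sum and cannot read any of them.
func Aggregate(pk PublicKey, answers []*big.Int) *big.Int {
	sum := pk.Encrypt(0) // running total starts as a fresh encryption of zero
	for _, a := range answers {
		sum = pk.Add(sum, a)
	}
	return sum
}

// RunSurvey wires the roles together: the owner generates keys, each respondent
// encrypts their answer under pk, Aggregate runs blind, and only the owner decrypts.
func RunSurvey(answers []uint64, keyBits int) uint64 {
	owner := GenerateKey(keyBits)
	encrypted := make([]*big.Int, len(answers))
	for i, a := range answers {
		encrypted[i] = owner.Pub.Encrypt(a) // respondent side
	}
	total := Aggregate(owner.Pub, encrypted) // processing side
	return owner.Decrypt(total).Uint64()      // key-holder side
}

func main() {
	// Constructed sample: five respondents rating 1..5; only the sum is revealed.
	fmt.Println("sum of ratings:", RunSurvey([]uint64{4, 5, 3, 5, 2}, 1024))
}
```

Two points a practitioner should take from the toy. First, the only thing that crosses the boundary into the processing component is `PublicKey` plus ciphertexts, so a compromise of that component leaks nothing about individual answers; categorical answers are handled the same way by one-hot encoding them, since summing one-hot vectors yields per-option counts. Second, what the key holder learns is still the aggregate, and with a single respondent the aggregate is that respondent's answer; that is the gap the output privacy mechanisms in Milestone 3 are meant to close, and the toy does nothing about it.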

We have formally proven the security of this architecture under the universal composability framework. Our results are available on ePrint. We will reference a conference version of this paper in the near future. If you are a cryptology researcher or a web developer interested in collaborating with us, please reach out (encproc@gmail.com). We have a Discord server dedicated to this purpose, where we discuss and code together. Ideally, we will grow as a community and develop an engine that everyone can use and benefit from.