One to watch #3: Homomorphic encryption specialist Enveil

"The AML use case kind of starts in the UK with the FCA"

One to watch #3: Homomorphic encryption specialist Enveil

Plenty of people want to be entrepreneurs when they grow up. Dr Ellison Anne Williams was no exception. Not quite so many take a route that involves twin Masters’ degrees in Set Theoretic Topology and Machine Learning (Neural Networks), a doctorate in Algebraic Combinatorics, and a career at the National Security Agency (NSA).  Leaving the NSA after a 12- year career with a deep cryptography skillset, Williams is now running a business, as she says she wanted to as a child. (“I come from an entrepreneurial family; no technologists”.)

That business, "Enveil", is category creator in a unique emerging category. We're making it our third "one to watch": a monthly feature that highlights an exciting technology startup. (Enveil joins Tel Aviv's cloud data warehouse specialist Firebolt and Arizona-based climate data innovator Persefoni in The Stack's spotlight.)

Williams founded Enveil in 2016. She launched its first commercial product -- which lets users operate on and search data while it is still encrypted -- in 2018, and raised $10 million in a Series A in early 2020. (Early stage investors included 1843 Capital, Bloomberg Beta, Capital One Growth Ventures, London's C5 Capital, and Mastercard).

Homomorphic encryption: please don't call it "magic".

Enveil offers a brace of products built around homomorphic encryption: a form of encryption that lets you compute on and search data while it’s still encrypted. Sounds like magic (she winces); looks like mathematics. (Enveil's products are underpinned by IP that includes 12 patents: you can see some here.)

Long an area of interest for academics, homomorphic encryption is beginning to tumble out of professors’ offices and national security agencies, and into the enterprise space, where businesses – those who are aware it is a viable “thing” – are increasingly intrigued by the potential to collaborate on data across jurisdictional boundaries without having to worry too much about data privacy, because the data they’re working on remains encrypted.

Readers may be thinking “even if that works, I bet the computational overhead is utterly monstrous and the latency tax horrific” but Ellison Anne -- who speaks with the crisp precision of someone who’s learned to tune their intelligence precisely to the challenge in front of them; whether that’s making the Goldwasser-Micali cryptosystem behave, or seperating math from magic for an out-of-depth journalist -- insists non.

"Performance is acceptable relative to use case: it's phenomenal for these use cases..."

Speaking with The Stack she notes: "For example, in a large financial services institution in which we just actively deployed, running an encrypted query from one jurisdiction across the globe to the other, and processing hundreds of millions of records took seconds for round trip time. So when you hear a lot of people say, 'HE [homomorphic encryption] is so computationally intensive!' Well, there's been tremendous strides in that. But also performance is acceptable relative to the use case. So to transmit the globe and do an encrypted search over hundreds of millions of records and wait seconds for that is perfectly acceptable.

"In fact, it's phenomenal for these use cases, because it opens the door for them to get a good global operating picture that they could never otherwise get in that kind of timeframe. It's perfect for that type of a use case.

"But if you start talking about doing it inline for packet streaming across the network, we're not quite there yet. But in the market there are a million use cases that don't require that kind of instant/real-time packet-level latency requirement. So it's a myth, I would say that homomorphic encryption is not performant enough for real use cases."

Enveil: Deployed via "two-party, proxy layer software"

Enveil -- a winner at the 2017 RSA Conference Innovation Sandbox and the youngest company ever invited to participate in the annual competition -- is putting its commercial focus on two products, dubbed "ZeroReveal Search" and "ZeroReveal Machine Learning." As Williams explains: "They fit within the form factor of this neural 'Compute Fabric' as we call it.

"The 'search' line is designed to encrypt and protect searches: those are very rich searches; page-long, kind of searches that you're going to find in the financial services institution, it can be very rich things like geospatial, for example, it can do encrypted watch listing, and tipping and alerting. The ZeroReveal machine learning product line will take machine learning models that have been trained, encrypt them and then enable them to be evaluated anywhere the software is installed, without ever decrypting, which just opens the door to different kinds of data resources.

Enveil describes the "Compute Fabric" as a "two-party, proxy layer software". It's easy for vendors to get caught up in the language of webs and meshes and fabrics. What does it actually mean and where does it sit?

"It means there are two lightweight applications that are the backbone of what we do in an organisation. There's a client application and a server application. The client application is going to live in the environment of the requesting party that wants to securely utilise data. So for example, in that cross-jurisdictional financial services use case the client application could live within the bank in the UK.

"The client application's job -- super lightweight -- is to encrypt those searches before they ever leave that trusted organisational boundary and decrypt the results as they come back. [It lives in trusted space because] our working premise is that either the content of that search and or the result contains something sensitive to that bank in the UK that needs to be protected. Otherwise, why would they use us?

"We don't build a user interface. We're designed to sit behind the scenes of the existing workflows, user interfaces, risk platforms"

"The client app is similarly assumed to sit in trusted space... and is completely API based. So what does that mean? It means that we're designed to hook into all of the lovely enterprise systems and features that you would expect in production-level enterprise grade software. So for example, we don't build a user interface. We're designed to sit behind the scenes of the existing workflows, user interfaces, risk platforms, in the financial services institution that they already have and they use for their business purposes, and we allow them to get a better reach through that.

"The second part of that two party form factor is the server application. So the server app -- again, super lightweight -- sits out in the environment of the data, wherever that may be: it could be literally anywhere, but in our case for cross jurisdictional data sharing, that server app could be out in Singapore, for example. Its job is to function as a brain in that environment to understand what to do with an encrypted blob, that I called an encrypted search.; and without ever decrypting it, process it over the data to which it's been granted access, producing those encrypted results. Those are then sent back to the client app where they can be decrypted, and then further consumed upstream by the workflow, the risk platform, etc.

"If we didn't have the server application, of course, that the data environment in Singapore would have no idea what to do with that encrypted blob, and how to process it. So that's why we have to be two party. And of course, we do it that way from an API proxy layer perspective, because proxy layer speaks to the behind the scenes nature of what we do.

Who's interested in this?

"The really fascinating thing about creating a new market is that you're starting from baseline zero in your go-to market" Williams admits. And there have been lessons along the way about who's actually interested in the product: "When figuring out my go to market initially, you know, we are a data security company, we sell product and solution that's essentially powered by really interesting cryptography, right?

"So we thought, well, the CISO was going to be our buyer. That's not the case at all. And in hindsight, it makes complete sense. So the beautiful thing about homomorphic encryption, is that privacy-enhancing technologies as a family -- and homomorphic encryption, in particular -- are not making something that already exists better or more secure, they make entirely new things possible from a business perspective.

"As it turns out, we are business-enabling in our capabilities, not security focused. So our go-to-market isn't to the security buyer, it's the actual business line. For cross jurisdictional data sharing and collaboration, for example, we are going to talk to the actual business owner within the bank that has the pain not being able to look across their different operating jurisdictions to obtain insights about the customer base or activity or transactions or things like that, and say, 'hey, we can help you do that and gain those insights from the UK to Singapore, to Turkey to Switzerland, in a way that's going to respect your regulatory requirements and obligations as a financial services institution.'"

Was that a surprise? "Hindsight is always 20-20. And [although] we were born in the federal space, we were born because we were trying to solve specific mission problems: we weren't dorks in a room with paper and pencil, proving theorems. We had really specific problems around how do we use data in environments that we don't own, control, or trust. And that's been the case in the commercial world. So our go to market is go directly to the business line. Now, once they nod north-south and say 'yes, this really does have the potential to solve some acute pain points for me', then we go into the validation phases, where you get all the technical questions around, well, how do you deploy? How do you integrate? Is it performant enough for our business use case, etc."

Enveil's customer base is "in double digit 10s" at the moment as the market gets to grips with how the technology works and what it can achieve. That's partly because the strategy is whale hunting: "These are really large organisations. We aren't consumer-facing app tech."

Digital transformation in AML

Both some of Enveil's funders and the case studies cited are in the financial services space. What's the focus there? Is deployment being concentrated on AML, for example? "Anti-money laundering is a huge one in privacy-enhancing technologies" Williams notes.

"That kind of starts in the UK with the FCA, which really recognised the power of the family of privacy enhancing technologies to really transform how money laundering and financial crime was attacked within the financial services institutions. They hosted a tech sprint, where they gathered together the banks and different companies that are solutioning, around privacy enhancing technologies.

"We demonstrated [during that sprint] how we could use our capabilities -- in combination with [BAE Systems' NetReveal] because they were on the team -- to securely and privately obtain insight simultaneously from three different peer banks, as well as three different operating jurisdictions across the same bank, bring those back in a matter of seconds and by doing that obtain this really rich picture for KYC and customer onboarding.

"It was this huge 'aha' moment of 'wow, this can really transform anti-money laundering in particular; because that's where the FCA stood up and planted the first flag. And that's where the financial services institutions started paying attention. It's a huge problem. It's 3% of the global GDP is laundered."

With that, our time is up. One last quick question: is Williams planning to raise more funding in 2021? "No", is the short answer, for a pleasingly straight-forward reason: "Money can come from a lot of different sources. My preference is that it comes from revenue."

See also: Exclusive Interview: Pamela Chase Dyson, CIO, Federal Reserve Bank of New York