Duality: Homomorphic Encryption Platform Deployment on Oracle Cloud Infrastructure
Duality runs its SecurePlus homomorphic encryption platform on Oracle Cloud Infrastructure (OCI), enabling secure, privacy-protected collaboration between financial services companies and other institutions, while protecting sensitive data and complying with global privacy regulations.
Duality's platform encrypts, anonymizes, and analyzes data without ever decrypting it. Whether data is in transit, in computation, in use, or even at rest, it stays encrypted, even as different companies are collaborating and processing the same data simultaneously.
But, running its platform on local servers within its customers data centers posed scalability problems for its clients, prompting Duality to move to the cloud. Since moving to Oracle Cloud Infrastructure, Duality has been helping its clients to scale their computations, to aggregate more data from more sources, and to reduce their hardware, energy, and labor costs.
Architecture
To facilitate collaboration between parties who are located across multiple geographies and who don't completely trust one another, it is usually required that at least part of the application’s components or logical roles be located in an external location outside of the collaborating parties’ site.
To run its SecurePlus homomorphic encryption platform on Oracle Cloud Infrastructure, Duality uses Oracle API services, bare metal servers, and virtual machines. On the bare metal compute instances, Duality runs Intel Ice Lake CPUs to help process vectorized instruction sets, which support Duality's resource-intensive homomorphic encryption computations. For computations that don't require high-speed acceleration, Duality runs those workloads on Oracle Cloud Infrastructure Compute E4 virtual machines, with third generation AMD EPYC processors instead.
The Intel Ice Lake CPUs by themselves showed a 50% improvement in processing duration compared to an equivalent AMD EPYC CPU running various computations. When using a designated FHE optimization package, HEXL (Homomorphic Encryption Acceleration), the computation duration was reduced by an additional 50% when compared to Ice Lake performance without this package, and 66% when compared to the AMD EPYC CPU performance.
Duality’s application supports a REST API, allowing customers to integrate Duality’s application into their native GUI and/or legacy systems. While Duality's application runs on MS-SQL, Oracle Database, MySQL, and PostgreSQL, it is continually adding support for additional databases.
As Duality looks to run more machine learning workloads–and distribute those across geographical regions, it is considering using Oracle Cloud Infrastructure High Performance Computing platform, and additional Oracle Cloud regions for disaster recovery capabilities.
In the architecture diagram below, Duality's environment on Oracle Cloud Infrastructure shows a secure collaboration between five parties. Three parties provide encrypted data, which is then analyzed by a fourth party. A fifth party connects the different parties' systems together, and provisions necessary compute resources. After the data is encrypted, and the data providers are anonymized, the analyzing party can then run computations on a single data owner, or on several data owners in aggregate.
The following diagram illustrates this reference architecture.
The architecture has the following components:
- Region
An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).
- Identity and access management (IAM)
Oracle Cloud Infrastructure Identity and Access Management (IAM) enables you to control who can access your resources in Oracle Cloud Infrastructure and the operations that they can perform on those resources.
- Availability domain
Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.
- Virtual cloud network (VCN) and subnets
A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.
- Security list
For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.
- Route table
Virtual route tables contain rules to route traffic from subnets to destinations outside a VCN, typically through gateways.
- Virtual Machine
The Oracle Cloud Infrastructure Compute service enables you to provision and manage compute hosts in the cloud. You can launch compute instances with shapes that meet your resource requirements for CPU, memory, network bandwidth, and storage. After creating a compute instance, you can access it securely, restart it, attach and detach volumes, and terminate it when you no longer need it.
Duality set up its virtual machines with third-generation AMD Epyc CPUs to help companies analyze encrypted data and share decrypted results. The VMs are also responsible for running the computations on the encrypted data, masking the data owner’s name/location/IP, and preventing the analyzing party from retrieving organization-specific data.
The bare metal shape uses the Intel Ice Lake CPU, which has reduced the computation duration by 50% when compared to the virtual machine instances running less compute-intensive workloads.
- Database system
The database system lets you easily build, scale, and secure Oracle databases with license-included pricing in Oracle Cloud. You can also leverage Oracle Cloud Infrastructure to manage Oracle databases in your data center alongside your cloud databases.
- Oracle Cloud Infrastructure APIs
Oracle Cloud Infrastructure APIs are typical REST APIs that use HTTPS requests and responses.
Get Featured in Built and Deployed
Want to show off what you built on Oracle Cloud Infrastructure? Care to share your lessons learned, best practices, and reference architectures with our global community of cloud architects? Let us help you get started.
- Download the template (PPTX)
Illustrate your own reference architecture by dragging and dropping the icons into the sample wireframe.
- Watch the architecture tutorial
Get step by step instructions on how to create a reference architecture.
- Submit your diagram
Send us an email with your diagram. Our cloud architects will review your diagram and contact you to discuss your architecture.