Encrypted Data Analytics

Executive summary

Encrypted data analytics Referring to a set of privacy-boosting tools, these technologies enable analysts, cloud services, or parties to conduct computations on confidential data without exposing it in its original form. This toolbox includes homomorphic encryption, secure multi-party computation, structured/searchable encryption, private set operations, and functional encryption. Moreover, within industry standards, this term encompasses a range of supplementary techniques. trusted execution environments and confidential computing, which protect data in use NIST, the ICO, and leading cloud providers consider these tools essential in the larger context of PET and confidential computing, using hardware isolation instead of relying solely on cryptographic techniques. [1]

No single technique dominates. TEEs/confidential VMs At present, the most straightforward way to achieve extensive functionality and nearly native performance in SQL, joins, and ML is by integrating hardware trust, attestation, and side-channel assumptions. Searchable encryption and ORE/OPE While they are often the optimal choice for handling equality, range, and search workloads, indexes also pose the threat of potential data leakage that can be exploited. MPC is frequently the preferred choice for numerous organizations seeking collaborative analytics without involving a third party, but its success depends heavily on interactivity and network strength. FHE offers the best trust reduction for outsourced single-server computation, albeit at a steep price, and is currently most proficient in specific domains like aggregation, linear algebra, similarity search, and low-depth ML inference, rather than general-purpose OLAP. [2]

The most important design lesson is that "encrypted analytics" is not a binary propertyDifferent systems have different capabilities in defending against various threats, such as cloud operators, collaborating parties, database administrators, output inference, side channels, frequency leakage, and collusion among compute nodes. They also vary in their abilities to perform tasks like calculating sums, linear models, approximate neural inference, equality search, range search, joins, sorting, or executing arbitrary code. Consequently, choosing the right system is essential. threat-model-first, not feature-first. [3]

When it comes to deployment, the dominant production trend in 2026 is hybridizationConfidential computing layer for execution, cryptographic protocols for sensitive steps, limited query capability encryption, and privacy measures for result release. Demonstrated in products such as SecretFlow, Duality on AWS Nitro Enclaves, Decentriq on Azure Confidential Computing, Google Confidential Space, MongoDB Queryable Encryption, AWS Clean Rooms Differential Privacy, and Prio/DAP private aggregation systems. [4]

Definitions and scope

NIST’s Privacy-Enhancing Cryptography project describes the core primitives clearly: MPC lets multiple distrustful parties compute on private inputs; FHE A server can assess available functions on ciphertexts to verify that decryption results in the expected function output. PIR retrieves a database item without revealing the query; and structured encryption permits private searching on encrypted data structures, as highlighted by NIST. functional encryption In the realm of PEC tools, this provides a strong foundation for defining encrypted data analytics. [5]

For this report, encrypted data analytics covers all structures that allow for efficient processing of sensitive data through data analysis, search, merge, or machine learning without compromising the confidentiality of the raw data. This involves conducting cryptographic tasks on encrypted data or secret shares, running structured and searchable queries on secure indexes, securely performing computations with hardware attestation, and incorporating output controls such as differential privacy alongside encrypted or secret-shared processing. On the other hand, Simply encrypting data while it is at rest or in transit is inadequate to meet the necessary standards.as the application or analytic engine processes plaintext in its standard memory region. [6]

A useful practical distinction is between strict cryptographic opacity and reduced plaintext exposureFHE, MPC, PIR/PSI, and several FE constructions prioritize data encryption, whereas TEEs prioritize data plaintext. inside In real-world deployments that depend on existing SQL engines, model runtimes, or data clean-room workflows, a secure enclave or private VM must be established to keep the operator, hypervisor, and surrounding platform outside the trust boundary. Trusted Execution Environments (TEEs) are essential for these operations, providing unique guarantees beyond traditional cryptographic methods. [7]

The scope of "analytics" here is broad: aggregation such as count, sum, average, histogram, and group-by; ML inference and, where feasible, training; SQL-like filtering and selected joins; search over encrypted databases or documents; and cross-party linkage or overlap analysis Various PETs offer support for different subsets of the workload family, including private join and compute, which is a main focus of the report. [8]

Threat models and regulatory constraints

The first question in encrypted analytics is who is the adversaryThere are multiple potential threats to consider, such as a trustworthy yet curious cloud provider, a deceitful cloud operator or hypervisor, coordinated input parties in an MPC process, a database administrator with access to storage and logs, a side-channel attacker capable of monitoring memory and microarchitectural effects, and an analyst who can only view aggregate outputs but may try membership or reconstruction attacks through repeated queries. Various Privacy Enhancing Technologies (PETs) have been developed to address these specific threats within this wide range. [10]

For cryptographic In most methods, the main focus is on the complexity of lattice or number-theoretic problems and the amount of information leakage allowed by the design of the scheme. MPCThe key assumptions in NIST's PEC descriptions and widely used MPC frameworks are the corruption model and collusion threshold. These assumptions differentiate between passive and malicious adversaries, honest-majority and dishonest-majority, and protocol behavior under abort. Modern frameworks such as MP-SPDZ, MPyC, and MOTION provide developers with access to various security models. [11]

For TEEsIn a more focused threat model, Azure, Google, and AWS employ hardware-based TEEs to safeguard code and data from unauthorized access by cloud providers and other entities. Nevertheless, if your risk profile includes hardware/firmware vulnerabilities, side-channel attacks, or trust concerns with the platform vendor's supply chain, relying solely on TEEs may not suffice. [12]

Regulatory treatment is similarly nuanced. Under the GDPR, pseudonymisation not a replacement for the necessary data protection measures mandated by regulations like Article 25 and Article 32. not a silver bulletOrganizations still need legal, fair, and transparent processing, along with a personalized DPIA for each case. [13]

That means encrypted analytics typically helps with risk reduction, processor minimization, breach resilience, and cross-organizational data sharing, but it usually does not Eliminating legal responsibilities regarding purpose limitation, transparency, data-subject rights, retention, or international-transfer analysis can pose a potential risk, especially if a controller is able to identify individuals by decrypting outputs or connecting results back to them. This conclusion is based on the GDPR definition of pseudonymisation and the ICO/EDPB's belief that PETs offer extra protection as part of a thorough compliance plan. [14]

In U.S. sectoral regulations, the message stays the same. HHS's HIPAA security recommendations instruct covered entities to follow NIST security controls and encryption guidelines; the FTC's health data guidance emphasizes understanding data flows, implementing strong protective measures, and avoiding deceptive privacy claims; and the FTC Safeguards Rule under GLBA focuses on risk management and safeguarding customer information's confidentiality, integrity, and security. Encrypted analytics work best when integrated with... Risk assessments, access control, attestation, key management, and governance of outputs are crucial elements that cannot be overlooked., except when viewed independently as a justification for following rules. [15]

Technique catalog

Homomorphic encryption

Partially homomorphic encryption Paillier-based libraries are well-suited for the advanced low-functionality end of homomorphic encryption, thanks to their additive homomorphism and scalar multiplication features. counts, sums, weighted sums, private billing, and secure aggregationPublic-key semantic security in partially homomorphic encryption (PHE) relies on number-theoretic assumptions and offers improved performance compared to fully homomorphic encryption (FHE) as it does not require bootstrapping or deep circuit support. In practice, PHE is often integrated into larger protocols rather than used as a standalone analytical engine. Tools such as CSIRO/Data61's python-paillier and lightweight packages like LightPHE are frequently employed. Deployment typically involves client-side encryption, server-side accumulation, and decryption by the key owner or a threshold group of key holders. The primary drawback is its simplicity. no arbitrary comparisons, joins, or general SQL without combining PHE with other primitives. [16]

Fully homomorphic encryption Fully Homomorphic Encryption (FHE) is considered the leading method for outsourcing single-server computation on encrypted data. NIST defines FHE as the ability to evaluate functions on encrypted data, with decryption resulting in the output of the function. The HomomorphicEncryption.org community's 2024 security guidelines are commonly used to set up modern FHE systems. There is a wide range of practical library options available, including projects like OpenFHE, Microsoft SEAL, HElib, Lattigo, TFHE-rs, Concrete, and Concrete ML. These libraries offer support for various schemes such as BFV, BGV, CKKS, and TFHE-style variants. Current analytics capabilities with FHE are extensive. Combining vectors, comparing similarities, executing simple arithmetic circuits, and performing specific machine learning inference tasks.; multiparty HE variants extend this toward collaborative analytics. However, SQL engines, joins, and extensive OLAP are predominantly utilized in the fields of research and prototyping.Recent surveys and tools such as ArcEDB and FHE-SQL indicate progress towards being production-ready, but not yet fully operational. [17]

Performance in the 2026 FHE Benchmarking Suite is the main focus, with key metrics such as latency, throughput, memory usage, storage expansion, communication complexity, and accuracy reduction. Bootstrapping is a significant bottleneck, as stated in the HE Standard, which emphasizes the importance of bounded-depth schemes and the high cost of bootstrapping. Concrete ML's documentation further emphasizes this operational reality by highlighting its current focus on. inferenceCertain models must comply with quantization and precision limits, rather than using arbitrary floating-point training processes. It is important to note that in some cases, approximate HE schemes like CKKS may need more thorough evaluation for security compared to plain IND-CPA. [18]

The most effective methods for Fully Homomorphic Encryption (FHE) today include encrypting data on the client side, sending ciphertexts and evaluation keys to an untrusted compute service for homomorphic evaluation, and sending back encrypted outputs or threshold-decryptable outputs to the data owner or consortium. Common applications for FHE implementation include: one-owner outsourced computation and hybrid pipelines FHE protects sensitive processes as business continues to grow, with IBM HElayers/FHE services, Duality, Zama, and hardware acceleration projects from multiple vendors all contributing significantly. [19]

Secure multi-party computation

MPC is the natural choice when Many groups store their raw data on-site but seek a cooperative end result.As per NIST, Multi-Party Computation (MPC) allows multiple parties to compute on private inputs without revealing sensitive information. MPC systems can provide various levels of security, support different scenarios, and use a mix of techniques like secret sharing, oblivious transfer, garbled circuits, and sometimes homomorphic encryption. Popular open-source MPC frameworks include MP-SPDZ, MPyC, MOTION, EMP, ABY3, and SecretFlow. [20]

Functionality is broad but topology-sensitive. MPC is strong for aggregations, histograms, PSI, private joins, secure overlap-and-sum, federated analytics, and classical machine learning training/inference with partitioned data.Google's Private Join and Compute allows for private summation of values across shared identifiers, while ABY3 was created as a versatile mixed-protocol system for machine learning. Recent improvements in honest-majority protocols have led to reduced high-latency connections and improved efficiency. 50% fewer basic instructions per gate than prior state of the art in certain 3PC/4PC settings. [21]

Rich multi-party computation generally performs better than fully homomorphic encryption in terms of efficiency, but lags behind trusted execution environments for simple lift-and-shift analytics. The main reasons for this performance gap are... communication cycles, bandwidth capacity, and autonomous computing entities presenceIn a network with minimal delay and a well-thought-out protocol, MPC can expand efficiently. However, in WAN settings or when cautious protocols are needed because of corruption levels, tail latency can quickly rise. To combat this, usual setups include 2-4 synchronized compute participants with explicit collusion assumptions and strict operational guidelines regarding party autonomy and output disclosure. Major obstacles include intricacy, troubleshooting difficulties, fairness and abort problems, and the danger of security assurances being jeopardized if excessive collusion occurs. [22]

Trusted execution environments

TEEs and confidential-computing platforms protect data by constraining where it is decrypted and executed, instead of keeping transparency throughout the computation process. Common examples in use today include Intel SGX enclaves, AWS Nitro Enclaves, AMD SEV/SEV-SNP, Intel TDX, Azure confidential VMs, Google Confidential Space, and confidential GPUs like NVIDIA H100. Their main guarantee typically revolves around restricting access to. attested workload It is possible to access the keys or plaintext when operating within a secure environment. [23]

Utilizing current analytics code with minimal changes, TEEs emerge as the preferred option for functional versatility. SQL joins are frequently utilized in traditional databases to link data tables, implement specific application logic, and conduct machine learning training or. The DuckDB-SGX2 paper demonstrates impressive performance by effectively executing a TPC-H scale-factor-30 analytical workload. under 2x overhead Enclave execution comes with its own set of risks, such as higher cache-miss costs, vulnerability to NUMA, and enclave paging. Common tools used for enclave execution include Gramine, Open Enclave, and Confidential Containers. [24]

SGX's extensive range of documented attacks, including those projected for 2024, highlights the trade-off between performance and the fragility of a growing trust base. SGX.Fail Systematization extensively analyzes popular SGX attacks and their adaptability to various architectures, including the recent scrutiny of AMD's SEV-SNP in 2026. Fabricked A routing-misconfiguration attack can result in unauthorized read/write access and falsified attestation in paper reports, as acknowledged in AMD's security bulletin which highlights the integrity impact and provides mitigation measures for affected products. When used in combination with TEEs, the effectiveness of security measures is greatly enhanced. key release is determined by attestation and adherence to patch management, with a focus on reducing trusted computing bases, securely deleting secrets, and maintaining control., and weakest when treated as “set-and-forget encryption in use.” [25]

Searchable encryption and encrypted indexes

Searchable encryption includes various techniques that allow for searches on encrypted indexes or structures associated with ciphertext. NIST's structured encryption definition highlights the capability to search encrypted data structures without revealing all details in the database. This principle is put into action by... blind indexes, indexes reversed, secure token/query protocols, and secure field-level query systemsExamples of representative tools include OpenSSE, CipherSweet, Cosmian Findex, MongoDB Queryable Encryption, and other similar platforms. [26]

The security model purposely differs from that of FHE or MPC, since efficient searchable systems often reveal a combination of data. When considering important factors, search pattern, access pattern, frequency, result size, update pattern, and index structure all play a crucial role.Recent research shows that leakage is not just a minor issue. Efficient structured/searchable encryption explicitly allows for some leakage, as evidenced by current studies on exploiting leakage. This compromise leads to significant speed improvements, making searchable encryption the ideal choice for. equality search, document retrieval, keyword search, and selected range/prefix/suffix queriesNonetheless, it is not a simple resolution for every kind of join or analytics that necessitate advanced levels of semantic security. [27]

MongoDB Queryable Encryption is a key feature in production, offering equality queries in version 7.0+ and support for equality and range queries. However, prefix/suffix/substring queries are still in preview in version 8.2 and not recommended for production. MongoDB also emphasizes the operational costs of queryable encryption, such as increased storage requirements, impact on query performance, and reduced observability with redacted logs and diagnostics in encrypted collections. An independent security analysis by USENIX highlighted potential security risks in operational logs and noted the absence of a complete public security proof during the study. [28]

Order-preserving and order-revealing encryption

OPE and ORE are specialization tools for range predicates, sorting, thresholding, and ORDER BY-like semanticsORE, as outlined by Stanford's Applied Crypto Group, enables fast range queries, sorting, and threshold filtering on encrypted data. An illustration of a practical Rust Block-ORE setup can be seen in CipherStash's ore.rs, used in a searchable-encryption system. These implementations are valued for their speed and easy integration with database indexes. [29]

But the security compromise is fundamental: these schemes reveal orderThis leakage poses a significant risk of inference attacks, particularly when the attacker can access additional distribution information or public reference data. The research on inference attacks on property-preserving encrypted databases is a vital reminder. While OPE/ORE can be useful for quick range searches, it is crucial to address and manage the leakage through meticulous domain design and access controls. It is inaccurate to equate them to conventional encryption with query functionalities. [30]

Functional encryption

IBM states that functional encryption is a cryptographic tool that combines encryption and access control, allowing users to learn specific functions while maintaining data security. selected function The Fentec libraries implement encrypted data and fine-grained access control through functional encryption for linear, inner-product, and quadratic functionalities. This approach associates secret keys with specific functions, limiting analysts to access only necessary information. f(x) and nothing more, at least in the ideal model. [31]

While FE is highly effective for analytics, its practical uses are currently restricted. inner products, specific linear algebra operations, a couple scoring functions, and custom machine learning modulesRecent work has been delving deeper into scalable solutions for federated learning and DP-augmented variations. not A commonly utilized platform for general SQL, strong joins, and endless ML training, yet its tooling ecosystem is restricted and lacks mainstream cloud support. Managing operational key management can be difficult due to the need for a master authority to issue function keys, indicating that there is still room for improvement in FE. promising but low-maturity for encrypted data analysis in corporate environments outside of specialized research or niche high-value tasks. [32]

Differential privacy with encryption

Differential privacy is a precise method for controlling the information that can be inferred, rather than a technique for handling encrypted data. released outputsThis is the reason it integrates effortlessly with encrypted analytics, with OpenDP defining DP as limiting individual information in the results, while Google's documentation on distributed differential privacy in federated learning expands on its complementary role. secure aggregationThe server is anticipated to receive only a collective model update, not individual user updates. [33]

The strongest practical pattern is therefore: Protect the inputs with encryption, secret sharing, or TEEs during collection and computation, and then ensure the privacy of the released statistics or model with DP.Examples of production methods include Google's federated learning with secure aggregation and distributed differential privacy (DP), AWS Clean Rooms Differential Privacy, and systems such as Prio/DAP that manipulate client reports before sharing them. The computational expense of the DP step is relatively low when compared to the cryptography involved; the difficult aspects are... privacy accounting, contribution bounding, sampling assumptions, and utility-loss managementDP tackles vulnerabilities in security systems that cryptography alone cannot solve. output. [34]

Hybrid architectures

Hybrid designs are increasingly popular in production, aligning technique with task. SecretFlow adopts this strategy through abstraction. MPC, HE, and TEE Duality's AWS case study showcases the implementation of Nitro Enclaves in conjunction with FHE, federated learning, and differential privacy techniques, surpassing the limitations of a single PET. Additionally, Decentriq's Azure resources demonstrate the integration of clean-room architectures, combining confidential computing with diverse privacy technologies like differential privacy. [35]

The architectural value is straightforward. A hybrid stack can use searchable encryption for narrow lookup, TEE execution for general SQL or model serving, MPC for cross-party joins and aggregation while keeping plaintext hidden from any individual operator, FHE/PHE for the most sensitive arithmetic subroutines, and DP Releasing anything beyond the trust boundary can often surpass individual primitives in meeting the common objectives of security, functionality, and cost. Yet, the drawback is just as evident: security proofs become compositional rather than monolithicWith the addition of each layer, the operational complexity increases substantially as new assumptions, observability needs, and potential failure modes are introduced. [36]

Comparative tradeoffs

The table below is a qualitative synthesis The term 'security level' signifies the level of trust detracted from the operating environment, rather than a fixed standard. when the stated assumptions hold. [38]

Deployments, case studies, and vendor landscape

The clearest production maturity today is in confidential-computing and clean-room deploymentsGoogle Documents classifies Confidential Space as a Trusted Execution Environment (TEE) for approved tasks, using the identical foundational structure. Google Ads confidential matchingMicrosoft's Azure Confidential Computing and AWS Nitro Enclaves with KMS-integrated attestation are leading the way in secure processing environments for sensitive data analysis, such as cross-border cancer research, showcasing the current leadership in encrypted analytics. Decentriq leverages Azure Confidential Computing to establish enterprise data clean rooms, while Duality's AWS case study demonstrates the use of Nitro Enclaves for creating isolated processing spaces. TEE-centric and hybrid architectures. [48]

On the pure cryptography On the other hand, the market remains authentic yet increasingly selective. IBM continues to provide HE solutions and public FHE resources, demonstrating a successful integration with Intesa Sanpaolo to safeguard digital transaction processes. Duality specializes in securing data partnerships in healthcare, finance, and government using PETs and open-source FHE. Zama has built a thriving FHE ecosystem centered on TFHE-rs, Concrete, and Concrete ML, focusing primarily on blockchain and confidential smart contract infrastructure rather than traditional SQL analytics. Inpher emerges as a leading provider in MPC/HE/federated learning, serving industries like healthcare, finance, and IoT. [49]

For queryable encrypted databasesMongoDB Queryable Encryption is a top contender in the field, providing solutions for equality and range queries while also tackling issues related to storage, performance, and observability. Other options, such as CipherSweet, OpenSSE, Cosmian Findex, and CipherStash, offer simpler paths to adoption for searchable encryption and encrypted index building, making them suitable alternatives to FHE for workloads that prioritize exact, range, and search predicates with acceptable leakage profiles. [50]

For privacy-preserving aggregation and telemetryPrio and its descendants have been acknowledged as among the most reliable real-world applications. Mozilla has publicly disclosed their plans to implement. Prio-based DAP In Firefox, Divvi Up is recognized as a tool for generating aggregate statistics with Prio3. Google's federated-learning blog highlights secure aggregation and distributed differential privacy in model training, while AWS Clean Rooms Differential Privacy demonstrates cloud products that focus on privacy-controlled sharing of aggregate results. These instances underscore the importance of encrypted analytics beyond databases and model serving, encompassing different facets of data privacy. safe measurement and telemetry at scale. [51]

Selection criteria, deployment checklist, and evaluation metrics

The vendor or algorithm chosen does not determine the initial decision criterion; instead, it is based on other factors. trust boundary you are trying to moveIf you have doubts about trusting the cloud operator, but have confidence in a hardware root of trust and need reliable existing software, TEEs may be a good starting point. For situations where multiple organizations need to ensure that no single operator can access data, consider beginning with MPC or PJC. If a data owner wishes to delegate computation without trusting the server, starting with FHE or PHE is recommended. For primary workloads involving equality/range retrieval in a database, searchable encryption or queryable encryption could be suitable. If the concern goes beyond input secrecy to encompass... sensitive outputs, you need DP on top. [52]

The second criterion is workload shapeRich involvement, random UDFs, and training models often favor TEEs or hybrids. Conversely, cross-party federated features, overlap analysis, and private record linkage typically align with MPC/PJC. Low-depth inference, vector similarity, and specialized arithmetic pipelines are increasingly feasible with FHE. Encrypted indexes are typically better for equality/range lookup compared to application data. To prevent under-securing or over-engineering workloads, it's essential to consider query selectivity, data sizes, cardinalities, and latency SLOs without specifying operators. [53]

Practical Deployment Stage-Gate Checklist

Neglecting adversary modeling and realistic prototyping can lead to a higher failure rate in PET projects. [54]

The benchmarking program must be equally transparent. The FHE Benchmarking Suite serves as a valuable example due to its focus. latency, throughput, memory, storage expansion, communication complexity, and quality lossfurther metrics pertaining to the enclave include attestation time, EPC utilization, enclave-paging behavior, cache-miss amplification, and observable overhead under realistic OLAP workloads with TEE-based SQL. index size, query selectivity, token-generation cost, and leakage profile documentation. For DP-based releases, add epsilon, delta, contribution bounding, privacy-budget burn rate, and utility loss. [55]

A benchmark suite that covers a variety of workload families usually includes a minimum of five different techniques. aggregations on wide tables; private join or PSI-plus-sum on skewed identifiers; search with equality and range predicates; SQL analytics on a TPC-H-like subset with one or two joins; and ML Evaluate the performance metrics of p50/p95 latency, throughput, ciphertext or share expansion, network bytes, RAM/VRAM usage, accuracy degradation, deployment time, and operator effort for both a traditional model and a smaller neural model. Additionally, consider any hidden parameter tuning or hand-crafted circuits that may pose a significant cost factor rather than just a minor detail for your team. [56]

A concise decision rule is this: Select the most efficient tool that minimizes the threat you are worried about, even if it is not the most powerful.Using a combination of searchable encryption, TEE-based confidential computing, MPC, FHE, and DP allows for the strongest production systems, as each method serves a specific purpose in securing data and collaboration across organizations. [57]

Open questions and limitations

Certain parts of this region are evolving quickly, making it challenging to document every detail in a fixed report. General-purpose FHE for SQL and large-model training Advancements are underway, but current evidence indicates that selective inference and focused analytics are preferred over drop-in encrypted datastores for a range of tasks. While the new benchmarking ecosystem is promising, it is still in its initial phases. [58]

Searchable encryption leakage There is a persistent open design flaw in the line that structured encryption must address with explicit leakage. Determining what constitutes 'acceptable leakage' is context-specific and a topic of ongoing research. Vendors and academics may have differing perspectives on this issue. [59]

TEE risk New discoveries from SGX and SEV-SNP highlight the ongoing susceptibility of confidential computing to microarchitectural, firmware, and attestation-chain weaknesses, underscoring the lack of stability. Consequently, decisions dependent on TEEs must be consistently reviewed with advancements in hardware, cloud attestations, and vendor patches. [25]

Finally, functional encryption Large-scale deployment of FE is not as advanced as other privacy-preserving technologies like FHE, MPC, searchable encryption, and confidential computing. Therefore, targeted pilots may be a more practical option for enterprises unless the function family is highly compatible with the application. While the theory and libraries for FE are well-developed, recent evidence is scarce. [45]