Who's Down with MPC? (Yeah, You Know Me!)

MultiParty Computation improves data security by calculating encrypted information – what is not revealed cannot be leaked.

8 encryption
Thinkstock

ING is a global financial services firm based in Europe that has restructured their services towards a distinctly digital-first orientation.  One of the firm’s subsidiaries, ING Belgium, recently began experimenting with homomorphic encryption according to a recent post in The Wall Street Journal.

The complexities of European banking are generally lost on Americans.  When faced with our own nation’s archaic banking laws governing cross-state transactions we roll our eyes, mumble a disparaging comment, and proceed to work around the inconvenient state-specific regulations. 

(To wit:  I’ve lived in Florida for over 10 years and still have a North Carolina-based checking and savings account. Does my bank mention it from time to time? Yes they do.  Do I care?  No I do not.  Why?  Because it does not interfere with the daily business of running my life.)

But that’s not the case for Europeans.

There, financial institutions have a litany of national laws to deal with – laws that have teeth to them.  Penalties, fines, and threats of seizure.  There are language barriers that have to be considered – the European Union has 23 officially recognized languages!

Then throw in all the ethnic dialects, regional cultural quirks, and the historic antagonism between some of the individual neighbors and you’ve got quite the potential powder keg for fiscal conflict!  Yet somehow, they make it work. 

One of the things ING wants to do is analyze information without anyone having to actually share it!  This is an impressive bit of technology, one where Europe is ahead of the United States in many ways.

Why might someone want to analyze information without sharing it?  Well, there are a number of scenarios where this might play out:

  • A hospital needs to share disease information, but doesn’t want to compromise individual patient privacy
  • A municipality needs to tally up votes on a referendum, but doesn’t want individual voting records to become public
  • A manufacturing firm wants to benchmark production against industry norms, but doesn’t want competitors to know their true production volume

Each of these scenarios requires analyzing individual figures that must remain confidential.  This can be done relatively easily, and in building on the success of others, ING is developing new functionalities for MultiParty Computation, or MPC.

Gimme a Beet…

MPC utilizes a little known fact about certain types of encryption – it’s actually possible to perform a variety of mathematical functions on a secure file. Denmark has used MPC to conduct their annual sugar beet auction for ten years.

Basic addition and multiplication of encrypted figures would appear to be a paradox.  But the simplicity of the math belies the security of the encrypted files, and this is what makes the process so cost efficient.  Each farmer’s data remains secure because there is no single information repository.  That is the beauty of MPC – no one has anyone else’s information, so there is no way for the data to leak! Nobody is at risk for storing and securing someone else’s information.

In Denmark, twenty-five thousand tons of production contracts are bid on by thousands of individual farmers.  Using a double-blind auction across several computer servers, MPC calculates the individual bids without revealing each farmer’s information. Over 80% of the farmers say the auction is conducted fairly and are pleased with the confidentiality of the process.  So, how would we use MPC in the US?

Say you want to calculate the average salary among a group of coworkers.  Sharing salary information between colleagues is generally frowned upon.  But if each person shares their wage in encrypted form, none of their colleagues will know the other’s information.  They can choose to share the average of everyone’s salary in a couple of different ways.

mpc encryption Tom Waters

First off, they can simply publish the average.  Everyone can calculate the difference of their own salary from this public average.  Secondly, they could publish the calculated average with a decryption combination lock - one that only works if each and every participating member shares their part of the combination.  If anyone backs out, nobody can decrypt the file to get the average.  Thirdly, they can provide a decryption key to a neutral third party that none of the individual participants have access to.

Health and Medical Records

The possibilities for this technology are endless.  Imagine your fitness wearable sharing your work out regime with your physician.  With your permission, that data could also be shared with researchers at Stanford University or the Mayo Clinic, yet your identity cannot be compromised, because they never have it to begin with! 

For those with chronic illnesses like diabetes, their glucose levels over time can be compared against other people of similar ethnic backgrounds, ages, geographic locations, or other demographics.  Best practices could be quickly made public for patients to put into practice, yet their own participation in those determinations would remain private.

Imagine what this could do for pharmaceutical clinical trials!  Again, patient confidentiality is paramount, but so is the double-blind design of protocols where placebos are used to ensure the legitimacy of the study.  Big pharma would have no access to the underlying data and therefore no potential to manipulate the results!  The FDA, and patients, would be certain the published results are unadulterated.

MPC, homomorphic encryption, and similarly secure methods will soon provide a wide variety of technologies to preserve individual privacy.  While government leaks may play out on the evening news every night, we can all rest comfortably knowing our data remains safe – because nobody but us has access to it!

This article is published as part of the IDG Contributor Network. Want to Join?

New! Download the State of Cybercrime 2017 report