Broken Key (L)

What is Secure Multi-Party Computation (MPC)?

Imagine a situation, where a group of five people within a company want to know their average salary to see if they are underpaid, yet no one wants to disclose their individual salary figure. Is there any way to calculate the average while keeping their salaries secret? 

Normally, to do so, they would need to provide their salary figures to a trusted third party (i.e. a person or a preprogrammed computer) and rely on them to compute the result.

However, the major concern of having to rely on a third party is that there might not be any trusted third party at all, especially when it comes to the handling of secretive information. Besides, even if there is a reliable third party, the data could still be exposed during the transferring and handling process.

So, is there a better way to solve the problem? Could there be a way to calculate their average salary without the need to disclose or transfer their salary figures? Could there be a way for them to calculate it themselves without having to rely on a third party?

Scientists and researchers have come up with a solution; if the data needed for computation cannot be shared, why not just divide the computation process? Each data subject handles a part of the computation process, hence the name – multi-party computation.

 

What is secure multi-party computation?

 

Secure multi-party computation (MPC or SMPC) is a cryptographic protocol that distributes a computation process across multiple parties, where no single party can view the data of others. In other words, MPC allows the joint analysis of data without sharing them. 

We are not here to explain the underlying mathematical methodologies of how to distribute computation between multiple parties. Instead, we will explain the practical implications of MPC with a simplified example.

 

Average salary

Now, let’s see how MPC can solve the average salary problem. The first step is to break down each person’s data (i.e. salary figure) into multiple pieces so that each person can share a piece. Let’s say Person A earns a salary of $62,000. Since there are five people in total, this figure would be broken down into five pieces: $31,000, $-102,000, $85,000, $43,000, and $5,000, all of which add up to $62,000. Each of the five people would keep one of the pieces. Note that each piece of data provides no meaning on its own. 

Person B, C, D, and E’s salary figures would be broken down in the same way, leaving a total of 25 meaningless pieces of data, with each person ending up with five pieces of them.

Now, each person simply needs to add up their five pieces of data. Since the five pieces come from five different salary figures, adding them up does not reveal any information.

Lastly, after each person sums up their pieces. The five people can sum up all their totals to obtain the grand total of the 25 pieces, and divide them by five to obtain the average salary.

 

The above example provides a simplified explanation of what MPC means without having to go through the technical background. Nevertheless, when it comes to real-life usage, MPC involves much more complex computations.

 

Use cases of MPC

 

MPC received widespread attention in the academic community over the past decade, yet it is not until recently that the technology began to gain presence in the field. Despite its slow start, it is almost certain that the technology’s application would surge within the next few years. Here is why.

The fourth industrial revolution has transitioned us into a digital world where data has become the new currency. We now pay to use online services by giving up our personal data. The service provider would then use the data for advertising optimization.

Still, as we progress further, organizations are feeling the need to share the data with other parties to offer quality and cost-saving services. For example, taxi companies might need real-time transportation data from public transportation companies in order to find the best locations to dispatch their fleet.

Nevertheless, when it comes to data sharing, strict laws and regulations like GDPR and CCPA are in place to prevent any unauthorized flow of sensitive data. Indeed, these laws are here because the sharing and storage of sensitive data can be very vulnerable to attacks and thefts.

Under such contexts, MPC technology can be useful for two purposes: secured data sharing and secured data storage. First, it can be used to share the data analysis process without the need to share actual data, reducing the need for data sharing in the first place. Second, it can be used to distribute cryptographic keys. By dividing a key among multiple people, it significantly enhances the security of data storage.

 

Sharing of data analysis

Research institutions in the science and medical field require extensive collaboration. Take the current COVID-19 pandemic, for example, hospitals need to share their patients’ information and medical conditions with research institutions so that these institutions can study deeper about the virus and perhaps develop appropriate treatments and vaccines. This process requires the sharing of extremely sensitive information about a patient. MPC technology allows research institutions to work with hospitals on data analysis without the need to share the data.

 

Sharing of cryptographic keys

When storing secretive information, it is always safer to break it down into pieces and keep these in different locations. The same goes for encryption keys. Rather than having a single key handled by a single individual, breaking down the key into multiple pieces and having multiple persons manage these would enhance security. 

A cryptographic key can be broken down and distributed using MPC technology, so that an encrypted database would only be accessible when all holders of the key fragments come together. No single key fragment holder can access the data. And no data can be accessed unless every key fragment holder is present.

The same concept applies to the signatures generated during digital asset transactions, where a transaction would only be valid when all members of the MPC group are qualified.

Penta Security’s MPC solution is built exactly for this purpose. Every time a signature is generated after a digital asset transaction, MPC solution would distribute that signature among multiple members on the platform, ensuring the accuracy and integrity of the transaction.

As the most powerful multi-signature solution, Penta Security’s MPC solution also manages the overall encryption key lifecycle, including the creation and computation of MPC keys within an inaccessible Trusted Execution Environment (TEE).

Penta Security currently offers an open-source MPC software development kit. Try it for free at: mpc.pentasecurity.com

 

Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Web Application Firewall for Cloud: WAPPLES SA

Database Encryption: D’Amo

Authentication: ISign+ 

Smart Car Security: AutoCrypt