What Crypto Can Do for You: Solutions in Search of Problems
Anna Lysyanskaya, Brown University
Systemic Risk from Local Information
[Image: M.C. Escher, Belvedere]
Who Puts Together the Big Picture?
The government?
Who Puts Together the Big Picture? An independent trustworthy party?
Who Puts Together the Big Picture? The data owners (financial institutions) themselves?
Who Puts Together the Big Picture? Cryptography tells us: for any efficiently computable function $F$, there is an “efficient” interactive algorithm that $n$ data owners, $P_1(x_1), \dots, P_n(x_n)$, can run together such that:
1. They learn $F(x_1, x_2, \dots, x_n)$.
2. Other than that, $P_i$ learns nothing about $x_j$, $j \neq i$.
[Yao, GMW, BGW, …]
Example: Set Intersection
[Figure: Alice’s set and Bob’s set; intersection: 5, 12]
How to compute the intersection w/o learning the rest of each other’s sets? [FMP04,…,BCCKLS09,…,KMRS14]
Step 1: Alice’s set becomes a polynomial.
$p(x) = (x-12)(x-18)(x-5)(x-6)(x-31) \bmod q = x^5 + c_4 x^4 + c_3 x^3 + c_2 x^2 + c_1 x + c_0$
Alice’s polynomial $p(x)$: $c_4, c_3, c_2, c_1, c_0$
Step 2: Alice encrypts her polynomial using an “additive” encryption scheme, $E(x) \cdot E(y) = E(x+y)$ [Paillier’99], for which she holds the decryption key.
Alice’s encrypted polynomial $p(x)$: $E(c_4), E(c_3), E(c_2), E(c_1), E(c_0)$
Step 3: Alice sends the encrypted polynomial to Bob.
Alice’s encrypted polynomial $p(x)$: $E(c_4), E(c_3), E(c_2), E(c_1), E(c_0)$
Step 4: Bob evaluates the encrypted polynomial on his set. For the element 42 of Bob’s set:
$p(42) = 42^5 + c_4 \cdot 42^4 + c_3 \cdot 42^3 + c_2 \cdot 42^2 + c_1 \cdot 42 + c_0 \bmod q$
$E(p(42)) = E(42^5) \cdot E(c_4)^{42^4} \cdot E(c_3)^{42^3} \cdot E(c_2)^{42^2} \cdot E(c_1)^{42} \cdot E(c_0)$
$p(x)$ evaluated on Bob’s set: $E(p(42)), E(p(5)), E(p(24)), E(p(12)), E(p(3))$, which is $E(p(42)), E(0), E(p(24)), E(0), E(p(3))$.
Note: $p(y) = 0$ iff $y$ is in Alice’s set.
Step 5: Bob randomizes the result.
$E(p(42))^{R_1}, E(0)^{R_2}, E(p(24))^{R_3}, E(0)^{R_4}, E(p(3))^{R_5}$ becomes $E(u_1), E(0), E(u_3), E(0), E(u_5)$
Step 6: Bob sends the result to Alice: $E(u_1), E(0), E(u_3), E(0), E(u_5)$
Step 7: Alice decrypts it, obtaining $u_1, 0, u_3, 0, u_5$, and sends the locations of 0’s to Bob: ?, 0, ?, 0, ?
Step 8: Bob derives the intersection from ?, 0, ?, 0, ? and sends it to Alice: 5, 12
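Steps 1 through 8 above, as an added example that is not part of the original slides: a toy Paillier scheme with generator n + 1 runs the whole exchange on the two sets from the slides. The function names, the two small Mersenne-prime key factors (insecure, for demonstration only) and the use of the Paillier modulus n in place of the slides' q are assumptions.

```python
# Added illustration: toy Paillier plus the slides' set-intersection steps.
# Key size is far too small for real use; all names here are assumptions.
import math, secrets

P, Q = 2**31 - 1, 2**61 - 1          # two known Mersenne primes (toy size)
N, N2 = P * Q, (P * Q) ** 2          # public modulus n (the slides' q) and n^2
LAM = math.lcm(P - 1, Q - 1)         # Alice's private key
MU = pow(LAM, -1, N)

def enc(m):
    """E(m) = (1 + m*n) * r^n mod n^2, i.e. Paillier with g = n + 1."""
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def dec(c):
    """Alice only: m = L(c^lambda mod n^2) * mu mod n, with L(x) = (x-1)/n."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def coefficients(roots):
    """Step 1: [c_0, ..., c_{d-1}] of the monic polynomial prod (x - a) mod n."""
    poly = [1]                                   # lowest degree first
    for a in roots:
        shifted = [0] + poly                     # poly * x
        scaled = [-a * c for c in poly] + [0]    # poly * (-a)
        poly = [(s + t) % N for s, t in zip(shifted, scaled)]
    return poly[:-1]                             # drop the leading 1

def bob_evaluate(enc_coeffs, y):
    """Steps 4-5: E(R * p(y)) from the E(c_i), using no decryption key."""
    acc = enc(pow(y, len(enc_coeffs), N))        # E(y^d), the monic term
    for i, ec in enumerate(enc_coeffs):
        acc = acc * pow(ec, pow(y, i, N), N2) % N2     # times E(c_i)^(y^i)
    return pow(acc, secrets.randbelow(N - 1) + 1, N2)  # blind with random R

def intersect(alice_set, bob_list):
    enc_coeffs = [enc(c) for c in coefficients(alice_set)]     # steps 2-3
    replies = [bob_evaluate(enc_coeffs, y) for y in bob_list]  # steps 4-6
    zeros = [i for i, c in enumerate(replies) if dec(c) == 0]  # step 7
    return {bob_list[i] for i in zeros}                        # step 8
```

Non-matching positions decrypt to R·p(y) mod n, which is what hides the rest of Bob's set from Alice.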
A More General Solution for Two Parties: Yao’s Encrypted Circuit
[Figure: Alice’s logical circuit C; Bob’s input x; encrypted circuit; oblivious transfer of keys]
A More General Solution for N Parties: Secure Multi-Party Computation
Split the computation into logical steps (ANDs, ORs, NOTs) or algebraic steps (ADD, MULT).
Securely evaluate step by step. [GMW, BGW, …]
Conclusion
Tell me how you could detect systemic risk given complete information… …and I will tell you how to do it via a privacy-preserving protocol!