Cryptographic computing can accelerate the adoption of cloud computing

Secure multi-party computation (MPC) enables n parties P₁,…,P_n, with private inputs x₁,…,x_n, to compute y = f(x₁,…,x_n) in such a way that all parties learn y but no P_i learns anything about x_j, for j≠i, except what is logically implied by y and x_i.

Consider the following toy example. Suppose 20 pupils, whom we will call P₁ through P₂₀, are in the same class and have received their graded exams from their teacher. They want to compute the average of their grades without revealing their individual grades, which we will denote by g₁ through g₂₀. They can use the following simple MPC protocol. P₁ chooses a random number r, computes x₁ = g₁ + r, and sends x₁ to P₂. Then P₂ computes x₂ = x₁ + g₂ and sends x₂ to P₃. They continue in this fashion until P₂₀ computes x₂₀ = x₁₉ + g₂₀ and sends x₂₀ to P₁. In the last step, P₁ computes x₂₀ – r, which is of course the sum g₁ + g₂ + … + g₂₀ of the individual grades. He divides this sum by 20 to obtain the average and broadcasts the result to all of the pupils.

If all of the pupils follow this protocol faithfully, then they all learn the average, but none learns anything about the others’ grades except what is logically implied by the average and his own grade. Here, “following the protocol faithfully” requires not colluding with another pupil to discover someone else’s grade. If, say, P₃ and P₅ executed all of the steps of the protocol correctly but also got together on the side to pool their information, they could compute P₄’s grade g₄. That is because g₄ = x₄ – x₃, and, during the execution of the protocol, P₃ learns x₃ and P₅ learns x₄. Fortunately, there are techniques (the details of which are beyond the scope of this article) for ensuring that this type of collusion does not reveal private inputs; they include secret-sharing schemes, described below.

One powerful class of MPC protocols proceeds in multiple rounds. In the first round, each P_i breaks x_i into shares, using a secret-sharing scheme, and sends one share to each P_j. The information-theoretic properties of secret sharing guarantee that no other party (or even limited-sized coalition of other parties) can compute x_i from the share(s). The parties then execute a multi-round protocol to compute shares of y, in which the shares of intermediate results computed in each round also do not reveal x_i. In the last round, the parties broadcast their shares of y so that all of them can reconstruct the result.

In the secure-outsourcing protocol architecture, depicted below, the parties P₁,…,P_n play the role of input providers and a disjoint, much smaller set of parties S₁,…,S_k play the role of secure-computation servers; typically, 2 ≤ k ≤ 4. The input providers share their inputs with the servers, which then execute a basic, k-party MPC protocol to compute y. For an appropriate choice of secret-sharing scheme, the inputs remain private as long as at least one server does not collude with the others. Note that cloud-computing companies are ideally positioned to supply secure computation servers!