2. Data Privacy
Data as Liability
“control over users’ data and digital possessions
and activity is rapidly moving from an asset to a
liability.” - Vitalik Buterin, 2019
“Data is a toxic asset” - Bruce Schneier, 2016
Self-sovereignty
“You are the product of Facebook”
- John Lanchester, 2017
“Cambridge Analytica illicitly procured the data of
50 million Facebook users” - Todd Spangler, 2018
“일부 ‘지식인’ 들의 고집으로 전 국민을
피곤하게 만드는거 아닐까?
지금이 편하고 좋은데 …”
3. Data Sharing
• Genome analytics
• Government policy making
• Smart city – public safety
• and Blockchain
4. Knowledge Discovery
Without Data Sharing
f(xa, xb, xc)
- Privacy-preserving
- Verifiable output
Alice Bob
Carol
Xa
Xb
Xc
Secure MPC
Trusted Computing
between Trustless Parties
5. Inventors
Andrew Yao, Millionaires’ Problem1982
Andrew Yao’s GC (Garbled Circuits)1986
GMW (Goldreich-Micali-Wigderson) Protocol1987
BGW (Ben-Or, Goldwasser, Wigderson) Protocol, CCD (Chaum, Crépeau, Damgård) Protocol1988
China
Physics
Computer Science
Israel
Computer Science
Italia
Computer Science
Israel
Computer Science
Israel
Mathematics
U.S (Israeli)
Computer Science
(Mathematics)
Israel
Computer Science
U.S
Computer Science
Denmark
Mathematics
Canada
Computer Science
7. Building Knowledge Discovery Functions
Boolean
Circuit
Arithmetic
Circuit
Gates Example
XOR
AND
NOT
Addition
Multiplication
Adder 4-bit Parallel Adder
Xa XbXc
×
+
Output
f(xa, xb, xc) = xa + xb × xc
8. Comparison (A > B)
A
B NOT
AND (A>B)
A B ¬B A ⋀ ¬B
0 0 1 0
0 1 0 0
1 0 1 1
1 1 0 0
9. Alice Bob
$A
millions
$B
millions
f(A, B) = (A > B)
B-2 B-1 B B+1 B+2 B+3 B+4
B-2 B-1 B B+1 B+2
= A
B+3 B+4
X OTRUE FALSEResult
X X X X O O O
Millionaires’ Problem for Dummies
B-2 B-1 B B+1 B+2
= A
B+3 B+4
X X X X O O O
10. Basic Idea of GC (Garbled Circuit)
1 2 3 4
1
2
3
4
BA
1 1 10
0 1 10
0 0 10
0 0 00
Alice Bob
$3
millions
$2
millions
f(A, B) = (A > B)
k1
k2
k3
k4
Permutation (Garbling)
11. Basic Idea of GC (Garbled Circuit)
1 1 10
0 1 10
0 0 10
0 0 00
Alice Bob
$3
millions
$2
millions
f(A, B) = (A > B)
k1
k2
k3
k4
1 out of 4 OT (Oblivious Transfer)
Alice does not know B=2, Bob does not know kj (j≠B)
12. Basic Idea of GC
1 1 10
0 1 10
0 0 10
0 0 00
Alice Bob
$3
millions
$2
millions
f(A, B) = (A > B)
k2
Open
13. Basic Idea of OT
Alice (Sender) Bob (Receiver)
Has secrets Want to know xb where b ∈ {0,1}
Bob does not know x0Alice does not know b
0 b=1
0 1
x0 x1
x0 x1
0 b=1
x0
x1
Bob이 열쇠 두 개를
다 가지고 있다면?
14. More Secure OT
Alice (Sender) Bob (Receiver)
• G: cyclic group where
DH problem is hard
• g: generator of G
Pick C ∈R G C
Has secrets, x0 and x1 Want to know x1 (let b = 1)
Pick a ∈R [0..|G|-1]
h1 = ga, h0 = C∙h1
-1
h0, h1
Check h0h1 = C
Pick r0, r1 ∈R G
c0 = H(h0
r0) ⊕ x0
c1 = H(h1
r1) ⊕ x1
gr0, gr1, c0, c1
Compute x1 = c1 ⊕ H((gr1)a)
Bob cannot compute x0Alice does not know b
15. Circuit: Multiple Gates
1 2 3 4
1
2
3
4
BA
1 1 10
0 1 10
0 0 10
0 0 00
Alice Bob
$3
millions
$2
millions
f(A, B)
0 1
0
1
00
10
Domains of A, B
are very small
Generally, …
Gate
16. Fairplay (2004)
Alice Bob
A =
10 of
16-bit
numbers
(sorted)
B =
10 of
16-bit
numbers
(sorted)
f(A, B)
= median(A ∪ B)
4383 Gates,
7 seconds
(over LAN)
17. Basic Idea of GMW: Secret Sharing
G
wi wj
wk
x y
Alice Bob
x y
1) ⊕ secret sharing: (xi ⊕ ri) ⊕ ri = xi
∴ = xi ⊕ (ri ⊕ ri) = xi ⊕ zero = xi
si
1 = x ⊕ r
si
2 = r
⊕ secret sharing of x,
P1’s secret1)
r ∈R {0,1}
è sj
2 = y ⊕ q
sj
1 = q
⊕ secret sharing of y,
P2’s secret
ç
q ∈R {0,1}Alice’s
knowledge
Bob’s
knowledge
18. Basic Idea of GMW: Gate Evaluation
XOR1)
wi wj
wk
x y
si
1
si
2 sj
2
sj
1
NOT
wi
wk
x
si
1
si
2
Alice’s knowledge
Bob’s knowledge
AND
wi wj
wk
x y
si
1
si
2 sj
2
sj
1
without any interaction
sk
1 = ¬ si
1
sk
2 = si
2
sk
1 = si
1 ⊕ sj
1
sk
2 = si
2 ⊕ sj
2
1) sk
1 ⊕ sk
2 = (si
1 ⊕ sj
1) ⊕ (si
2 ⊕ sj
2) = (si
1 ⊕ si
2) ⊕ (sj
1 ⊕ sj
2) = x ⊕ y
use 1-out-of-4 OT
1-out-of-4 OT
Alice’s knowledge
Bob’s knowledge
Alice’s knowledge
Bob’s knowledge
Alice’s knowledge
Bob’s knowledge
Alice’s knowledge
Bob’s knowledge
19. BGW: Shamir’s Secret Sharing
f(x) = a*x + S (random a)
S = 3
Sa
= (1, f(1))
Sb
= (2, f(2))
Sc
= (3, f(3))
[2,3]-SS: Two of three
can jointly find f(x) and S.
20. BGW: Shamir’s Secret Sharing
f(x) = x2 + x * 4 - 3 f(x) = x3 * 0.02 + x2 * 0.05 + x * 1 - 3
S = 3
S = 3
Sa
= (1, f(1))
Sb
= (2, f(2))
Sc
= (3, f(3))
[3,4]-SS: Three of four
can jointly find f(x) and S.
Sd
= (4, f(4))
[4,5]-SS: Four of five
can jointly find f(x) and S.
21. Secure Addition: Voting
1
1
0
Generate Shares Secret-share&Compute
4
-2
-2
-2
1
2
2
-4
3
Send&Compute
Sum
2
Sum
2
Sum
2
2 -2 1
3 -4 2
4 -2 -2
1 = 2 + (-2) + 1
1 = 3 + (-4) + 2
0 = 4 + (-2) + (-2)
Alice
Bob
Carol
S2b
S2b
S1c
S1c
S3a
S3a
Sum
S2b=-8
Sum
S3a=1
Sum
S1c=9
S2b
S1c
S3a
xi = 1 (agree) or 0 (disagree)
22. Secure Addition: Voting
1
1
0
Generate Shares Secret-share&Compute
4
-2
-2
-2
1
2
2
-4
3
Send&Compute
Sum
1
Sum
1
Sum
1
2 -2 1
3 -4 2
4 -2 -2
1 = 2 + (-2) + 1
1 = 3 + (-4) + 2
0 = 4 + (-2) + (-2)
Alice
Bob
Carol
S2b
S2b
S1c
S1c
S3a
S3a
Sum
S2b=-8
Sum
S3a=1
Sum
S1c=9 è 8 (cheat!)
S2b
S1c
S3a
xi = 1 (agree) or 0 (disagree)
23. Secure and Verifiable Addition: Voting
1
1
0
Generate Shares Secret-share&Compute
4
-2
-2
-2
1
2
2
-4
3
Send&Compute
Sum
2
Sum
2
Sum
2
2 -2 1
3 -4 2
4 -2 -2
1 = 2 + (-2) + 1
1 = 3 + (-4) + 2
0 = 4 + (-2) + (-2)
Alice
Bob
Carol
S2b
S2b
S1c
S1c
S3a
S3a
Sum
S2b=-8
Sum
S3a=1
Sum
S1c=9
S2b
S1c
S3a
-2
-2
4
1
2
-2
3
2
-4
Sum
S3b=1
Sum
S1a=9
Sum
S2c=-8
S3b
S3b
S3b
S2c
S2c
S2c
S1a
S1a
S1a
Verify
Verify
Verify
xi = 1 (agree) or 0 (disagree)
24. Secure Multiplication: Dating
A = 1
B = 1
Generate Shares
Secret-Share
&Compute
Send&Compute
B1 B3
B1 B2
B2 B3
A2 A3
A1 A2
A1 A3
B1 B2 B3
A1 A2 A3
B = B1+B2+B3
A = A1+A2+A3
Sb
= A2*B2+A2*B3+A3*B2
Sa
= A3*B3+A1*B3+A3*B1
Sc
= A1*B1+A1*B2+A2*B1
Secure
Addition
of
Sb, Sa, Sc
A * B
= 1
Alice
Bob
Carol
xi = 1 (interest) or 0 (not interest)
26. Our Project
Typical Setup with Key
•Single point of failure
•Not recoverable
Private Key
Keyless Setup with Custody
Custody
•No single point of failure
- Threshold Signature (2,3)1)
•Recoverable
Shares
1) Any 2 shares of 3 can restore the associated private key or sign transactions
Knowledge Discovery Function:
ECDSA (Elliptic Curve Digital Signing Algorithm)