What Crypto Can Do for You: Solutions in Search of Problems

Anna Lysyanskaya
Brown University

Post on 18-Dec-2015

Systemic Risk from Local Information

M.C. Escher, Belvedere

Who Puts Together the Big Picture?

The government?

An independent trustworthy party?

The data owners (financial institutions) themselves?

Cryptography tells us:

For any efficiently computable function $F$, there is an “efficient” interactive algorithm that $n$ data owners, $P_1(x_1), \ldots, P_n(x_n)$, can run together such that:

• They learn $F(x_1, x_2, \ldots, x_n)$

• Other than that, $P_i$ learns nothing about $x_j$, $j \neq i$

[Yao, GMW, BGW, …]

Example: Set Intersection

Alice’s set: 12, 18, 5, 6, 31

Bob’s set: 42, 5, 24, 12, 3

Intersection: 5, 12

How to compute the intersection without learning the rest of each other’s sets?

[FMP04, …, BCCKLS09, …, KMRS14]

Step 1: Alice’s set becomes a polynomial

Alice’s set: 12, 18, 5, 6, 31

$p(x) = (x-12)(x-18)(x-5)(x-6)(x-31) \bmod q = x^5 + c_4x^4 + c_3x^3 + c_2x^2 + c_1x + c_0$

Alice’s polynomial $p(x)$: $c_4 \quad c_3 \quad c_2 \quad c_1 \quad c_0$

Step 2: Alice encrypts her polynomial…

Alice’s polynomial $p(x)$: $c_4 \quad c_3 \quad c_2 \quad c_1 \quad c_0$

Alice’s encrypted polynomial $p(x)$: $E(c_4) \quad E(c_3) \quad E(c_2) \quad E(c_1) \quad E(c_0)$

…using an “additive” encryption scheme

$E(x) * E(y) = E(x+y)$ [Paillier’99]

…for which she holds the decryption key

Step 3: Alice sends the encrypted polynomial to Bob

Alice’s encrypted polynomial $p(x)$: $E(c_4) \quad E(c_3) \quad E(c_2) \quad E(c_1) \quad E(c_0)$

Step 4: Bob evaluates the encrypted polynomial on his set

Alice’s encrypted polynomial $p(x)$: $E(c_4) \quad E(c_3) \quad E(c_2) \quad E(c_1) \quad E(c_0)$

Bob’s set: 42, 5, 24, 12, 3

$p(42) = 42^5 + c_4 \cdot 42^4 + c_3 \cdot 42^3 + c_2 \cdot 42^2 + c_1 \cdot 42 + c_0 \bmod q$

$E(p(42)) = E(42^5) * E(c_4)^{42^4} * E(c_3)^{42^3} * E(c_2)^{42^2} * E(c_1)^{42} * E(c_0)$

$p(x)$ evaluated on Bob’s set: $E(p(42)) \quad E(p(5)) \quad E(p(24)) \quad E(p(12)) \quad E(p(3))$

which is: $E(p(42)) \quad E(0) \quad E(p(24)) \quad E(0) \quad E(p(3))$

Note: $p(y) = 0$ iff $y$ is in Alice’s set

Step 5: Bob randomizes the result

$E(p(42))^{R_1} \quad E(0)^{R_2} \quad E(p(24))^{R_3} \quad E(0)^{R_4} \quad E(p(3))^{R_5}$

$E(u_1) \quad E(0) \quad E(u_3) \quad E(0) \quad E(u_5)$

Step 6: Bob sends the result to Alice

$E(u_1) \quad E(0) \quad E(u_3) \quad E(0) \quad E(u_5)$

Step 7: Alice decrypts it... and sends the locations of 0’s to Bob

Alice decrypts: $u_1 \quad 0 \quad u_3 \quad 0 \quad u_5$

Bob receives: ? 0 ? 0 ?

Step 8: Bob derives the intersection and sends it to Alice

Locations of 0’s: ? 0 ? 0 ?

Bob’s set: 42, 5, 24, 12, 3

Intersection: 5, 12
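Steps 1 through 8 above, run end to end, as an added example that is not code from the talk. It assumes a toy Paillier key built from two small Mersenne primes and takes the polynomial modulo the Paillier modulus N where the slides write mod q; all function names are illustrative.

```python
import math, secrets

# Toy Paillier key (constructed for this example; far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1            # two Mersenne primes
N = P * Q                              # public key
N2 = N * N
PHI = (P - 1) * (Q - 1)                # Alice's private key

def rand_unit():
    """Random element of Z_N^* (nonzero, coprime to N)."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r

def enc(m):
    """E(m) = (1+N)^m * r^N mod N^2, so E(x) * E(y) = E(x+y)."""
    return (1 + (m % N) * N) * pow(rand_unit(), N, N2) % N2

def dec(c):
    """Alice only: recover m from E(m) using PHI."""
    return (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N

def alice_encrypted_poly(alice_set):
    """Steps 1-2: encrypt c_0..c_{k-1} of p(x) = prod (x - a) mod N."""
    coeffs = [1]                       # low-to-high order
    for a in alice_set:                # multiply p(x) by (x - a)
        coeffs = [(prev - a * cur) % N
                  for prev, cur in zip([0] + coeffs, coeffs + [0])]
    return [enc(c) for c in coeffs[:-1]]   # leading coefficient is 1

def bob_evaluate(enc_coeffs, bob_set):
    """Steps 4-5: E(R * p(y)) for each y, computed on ciphertexts only."""
    out = []
    for y in bob_set:
        acc = enc(pow(y, len(enc_coeffs), N))            # E(y^k)
        for i, c in enumerate(enc_coeffs):
            acc = acc * pow(c, pow(y, i, N), N2) % N2    # * E(c_i)^(y^i)
        out.append(pow(acc, rand_unit(), N2))            # E(p(y))^R
    return out

def alice_zero_positions(replies):
    """Step 7: decrypt and report only where the zeros are."""
    return [i for i, c in enumerate(replies) if dec(c) == 0]

def run_protocol(alice_set, bob_set):
    """Steps 1-8 end to end; returns the intersection Bob derives."""
    replies = bob_evaluate(alice_encrypted_poly(alice_set), bob_set)
    return [bob_set[i] for i in alice_zero_positions(replies)]
```

For Bob's elements outside Alice's set, Alice decrypts only a randomized nonzero value, which is why Step 5 matters.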

A More General Solution for Two Parties: Yao’s Encrypted Circuit

[Figure: Alice’s logical circuit C and Bob’s input x (0, 1, 1); labels: “Encrypted circuit”, “Oblivious transfer of keys”]

A More General Solution for N Parties: Secure Multi-Party Computation

• Split the computation into logical steps (ANDs, ORs, NOTs) or algebraic steps (ADD, MULT)

• Securely evaluate step by step

• [GMW, BGW, …]

Conclusion

• Tell me how you could detect systemic risk given complete information…

• …and I will tell you how to do it via a privacy-preserving protocol!