What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.

What Crypto Can Do for You: Solutions in Search of

Problems

Anna LysyanskayaBrown University

Systemic Risk from Local Information







M.C.Escher, Belvedere

Who Puts Together the Big Picture?


The government?


The government?


An independent trustworthy party?


An independent trustworthy party?


The data owners (financial institutions) themselves?


The data owners (financial institutions) themselves?


Cryptography tells us:

For any efficiently computable function F, there is an “efficient” interactive algorithm that n data owners, P1(x1),…,Pn(xn), can run together such that:

•They learn F(x1,x2,…,xn) •Other than that, Pi learns nothing about xj, j≠i[Yao, GMW, BGW, …]

Example: Set Intersection

12

18

5

6

31

42

5

24

12

3

Alice’s set Bob’s set

5

12

Intersection

How to compute the intersection w/o learning the rest of each other’s

sets?

[FMP04,…,BCCKLS09,…,KMRS14]

Step 1: Alice’s set becomes a polynomial

12

18

5

6

31

Alice’s set

p(x) = (x-12)(x-18)(x-5)(x-6)(x-31) mod q = x5 + c4x4 + c3x3 + c2x2 + c1x + c0

c4 c3 c2 c1 c0

Step 1: Alice’s set becomes a polynomial

Alice’s polynomial p(x)

c4 c3 c2 c1 c0

Step 2: Alice encrypts her polynomial

Alice’s polynomial p(x)

c4 c3 c2 c1 c0

Step 2: Alice encrypts her polynomial

Alice’s encrypted polynomial p(x)

E(c4) E(c3) E(c2) E(c1) E(c0)

Step 2: Alice encrypts her polynomial…


E(c4) E(c3) E(c2) E(c1) E(c0)

…using an “additive” encryption scheme

E(x) * E(y) = E(x+y) [Paillier’99]

Step 2: Alice encrypts her polynomial…


E(c4) E(c3) E(c2) E(c1) E(c0)

…using an “additive” encryption scheme…for which she holds the decryption

key

Step 3: Alice sends the encrypted


E(c4) E(c3) E(c2) E(c1) E(c0)

polynomial to Bob

Step 4: Bob evaluates the encrypted


E(c4) E(c3) E(c2) E(c1) E(c0)

polynomial on his set 42

5

24

12

3

Bob’s set

p(42) = 425 + c4424 + c3423+c2422+c142+c0 mod q

E(p(42)) = E(425) * E(c4)424 * E(c3)423

* E(c2)422 * E(c1)42 * E(c0)



E(c4) E(c3) E(c2) E(c1) E(c0)

polynomial on his set 42

5

24

12

3

Bob’s setp(x) evaluated on Bob’s set

E(p(42)) E(p(5)) E(p(24)) E(p(12)) E(p(3))



E(c4) E(c3) E(c2) E(c1) E(c0)

polynomial on his set

p(x) evaluated on Bob’s set

E(p(42)) E(0) E(p(24)) E(0) E(p(3))

Note: p(y) = 0iff y is in Alice’s set

Step 5: Bob randomizes the result

E(p(42))R1 E(0)R2 E(p(24))R3 E(0)R4 E(p(3))R5

Step 5: Bob randomizes the result

E(u1) E(0) E(u3) E(0) E(u5)

Step 6: Bob sends the result to Alice

E(u1) E(0) E(u3) E(0) E(u5)

Step 7: Alice decrypts it...

E(u1) E(0) E(u3) E(0) E(u5)

u1 0 u3 0 u5

Step 7: Alice decrypts it...and sends the locations of 0’s to

Bob

u1 0 u3 0 u5

Step 7: Alice decrypts it...and sends the locations of 0’s to

Bob

? 0 ? 0 ?

Step 8: Bob derives the intersection

? 0 ? 0 ?

42

5

24

12

3

Step 8: Bob derives the intersectionand sends it to Alice

5

12

A More General Solution for Two Parties:Yao’s Encrypted Circuit

Alice’s logical circuit C Bob’s input x

0

1

1

Encrypted circuit

Oblivious transfer of keys

A More General Solution for N Parties: Secure Multi-Party Computation

• Split the computation into logical steps (ANDs, ORs, NOTs) or algebraic steps (ADD, MULT)

• Securely evaluate step by step• [GMW, BGW, …]

Conclusion

• Tell me how you could detect systemic risk given complete information…

• …and I will tell you how to do it via a privacy-preserving protocol!

What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.

Documents

polynomial px ec

bob slide

intersection slide

kmrs14 slide

ep42ep5ep24ep12ep3 slide

belvedere slide

alices set

set px