In my previous post, I explored secure multi-party computation. In this post, I will discuss how to implement a fair secure multi-party computation platform using blockchain technology.
Multi-party computation involves data distributed across multiple nodes and authorities. Each node and authority has its own rules and data sharing policies.
The goal of multi-party computation is to allow users to run computations on data pulled from multiple sources. Challenges include: navigating the rules and data sharing policies of different nodes and authorities, preserving the privacy of each participant’s input and guaranteeing the correctness of computations.
If a trusted third party is involved, the trust issues that multi-party computation seeks to resolve do not arise. Any users parties can submit their data to the trusted third party and get the results of the computation back.
Multi-party computation assumes that there is no trusted third party. It occurs in a distributed environment, in which two or more parties do not trust each other, and parties want to protect their data but independently run computations using one another’s data.
Foiling Semi-Honest and Malicious Users
There are two types of users that this decentralized environment hopes to avoid:
1. Semi-honest players who are seeking to learn more about others’ data. These users participate in computations according to the rules of the multi-party computation, but are always interested in discovering additional information through the process.
2. Malicious users who are trying to disrupt the computation. Malicious users can influence outputs by giving false inputs.
Partly due to the actions of such users, multi-party computations do not scale well. Preventing semi-honest and malicious user behaviors requires a method of computation which is both private and secure.
Fair Multi-Party Computing Protocol
In a ‘Fair Multi-Party Computing Protocol’ (‘Fair MPC’) either all parties receive the output at the same time, or none do. A great use case for this is auctions or tenders. For example, if a user finds out that they didn’t win the auction before the rest of the participants, they can claim a network failure and enter again with a new bid. Therefore, it is essential that either all parties receive the output simultaneously, or no party receives any output at all.
Solving Fair MPC
Fair MPC on the blockchain is possible, and requires the following:
1. Users have access to a public blockchain ledger.
2. Users have the ability to publish arbitrary strings on this ledger — which are used for MPC protocols.
3. These ‘arbitrary’ strings can be the encrypted outputs of ‘arbitrary’ inputs, so the user who has generated a string has the decryption key and can decrypt it.
4. Each string contains proof about who has published the string and this proof can be verified by anyone (so, the ledger contains a tamper-proof history of all activity on the ledger, including by semi-honest and malicious users).
5. Rather than directly producing a function’s output, an encryption of that output is made publicly available.
6. The output of a multi-party computation in the public ledger is now available to all users, in encrypted form. To make it visible, a decryption key is required.
7. Creating the decryption key requires all parties to post outputs of their ‘arbitrary’ strings. Each user can keep their ‘arbitrary’ input a secret, and share the encrypted ‘arbitrary’ output. Only once all the outputs are shared, a decryption key is generated and given to all parties simultaneously. This is Fair MPC — either everyone can decrypt the result of the multi-party computation, or no one can.
One possible Fair MPC system is ‘witness encryption’, a concept presented in a 2017 paper by scholars at Johns Hopkins. In this system, users run a multi-party computation to output a randomized function which takes private inputs from users and returns a ‘witness encryption’ cipher-text. This means each user has the encrypted result of the computation, but needs to decrypt it.
To access the cipher-text, each user needs to generate (using cryptography) and publicly post a ‘release token’ on the ledger. Once a user posts their release token, corresponding proof of posting the release token is also published on the ledger. This proof is called the ‘witness’. The witness can then be used to decrypt the cipher-text and obtain the result of the multi-party computation. To ensure that everyone can view the result simultaneously, the result of the computation should be posted on a public blockchain at a specified time.
Fair Multi-Party Computation can allow a group of users to run computations on one another’s data securely, on the blockchain, without the need for a trusted third party and without each user revealing their data. There are many use cases for this technology, such as auctions, public tenders, and projects that use health, financial or other sensitive data that is subject to regulation, internal data policies or simply an increased public expectation of privacy.