>> Seny Kamara: Okay, so, we’re gonna have the second invited talk today. So, it’s our pleasure to have
David Evans speaking. David is a professor at University of Virginia. He’s worked in many different areas
in security: so in wireless networks, sensor networks, especially in software security, a lot of work there,
he’s also been very active in computer science education. He’s been working with Udacity, which is one
of the big on-line… massive on-line courses–MOOCs. So, he’s teaching an intro to computer science
class and a cryptography class as well. David has also written a book, an introduction to computer
science, which is really nice and I think is freely available, so if you want to check that out you should.
And, of course, sort of more relevant to this audience, he’s done a lot of work on applied multiparty
computation and he’s worked on the fast garbled circuit framework, and also done work on private set
intersection and has looked at how to, sort of, how to generate circuits for MPC, and, yeah, and also, I
guess, one of his students has a talk this afternoon on data-oblivious computation as well. So, with that,
I’ll let him get started.
>> David Evans: Okay, well, thank you, Seny. I much appreciate the introduction, especially the
plug for my book, and I actually have a new book that was just released this week that I’m going to plug later,
so, I take that as permission that I can plug my book. There were a lot of interesting technical talks
yesterday and more interesting technical… or additional interesting technical talks today. I won’t
presume which ones are going to be more interesting. I’m going to try to balance that by not having
anything technical at all in my talk. So, I hope you’ll be okay with that. Yehuda asked for a proof, but
I’m afraid that I won’t have one.
>>: You’re going to prove to us that you’re a practical person by not giving us any proofs?
>> David Evans: Yes, I guess it is a self-proving talk. Several people wondered about my title - why
2029? And this is a good question, so, I should try to explain that. And there’s an obvious answer to
that – that it’s fifteen years from now. So, why fifteen years? And there are lots of answers to this. The
one I’m going to give is actually from a talk that Neil deGrasse Tyson gave at a conference about fifteen
years ago and it got turned into an essay, which I do have posted on my site–I hope people will read this.
What he talks about is this inevitable progress in science–having this golden age. And he explains it by
talking about going into the library at Princeton, and he’s an astrophysicist so he was looking at the
astrophysics journals and trying to figure out what the rate of new knowledge is. And so he went into
the library and he tried to figure out where the midpoint of the width of all the journals is, and he found
that that was fifteen years ago. And so, fifteen years ago was half-way–and then he figured, well,
“what’s the midpoint between here and there?” And that was also fifteen years ago. And he kept doing
this and found that—you know—the amount of knowledge, if you can measure it by the thickness of this
astrophysical journal, which I guess in astrophysics is a reasonable way to measure knowledge,
[laughter] was doubling every fifteen years, and that keeps going. And there are lots of reasons for this.
We talk about Moore’s law a lot in computing and saying, “well maybe Moore’s law is running out.” But
there are lots of other things that will extend beyond that and there are lots of things that happened
before that, that whether it’s the printing press or telephones or getting on airplanes–things that make
it easier for people to communicate and keep track of knowledge or ways that you can build on previous
work–there are lots of reasons why fields like science, astrophysics and computing and MPC are all
experiencing exponential growth and endless golden ages. So, in order to look at my predictions for the
next fifteen years we want to start by going back a little bit and see what happened in the last, the last
two doublings. And if you look just to measure the state of where we are now this is just the search for
all the–oops, oh, what did I do? Oops…okay, maybe my inking isn’t working–but I don’t really… So, this is
all the papers that have multiparty computation in their title or abstract in the last year and there’s
about seven hundred of them. And I talked yesterday on the panel that we’re writing too many papers,
don’t know—I have not read all seven hundred so there may be some gems in there that we’ve all
missed, but if anyone has read all six hundred and ninety-seven of them, my guess is the average quality
is probably pretty small… or at least the average size of contribution is probably pretty small if we’re
able to make that many papers in a year. So, if we go back fifteen years to 1999, there were a hundred
sixty-two papers and the fifteen years between 1985 and 1999, so that fits pretty well – actually it’s
much more rapid than the doubling amount of content that Neil deGrasse Tyson was talking about in
astrophysics. But there were some really important papers being written in that era, and the one that
I’ll highlight that I think is quite interesting for this talk, so, Shafi Goldwasser gave a talk at PODC in 1997
talking about the past and present of multiparty computations, and she was smart enough not to put a
date on her predictions about the future, so, but was talking about “we believe the field is today where
public-key crypto was ten years ago,” so this was… would be where public-key crypto was in 1987, and
an extremely powerful tool and rich theory whose real life usage is at this time only beginning. And so I
think that is probably a good prediction for today rather than 1997. So I could end my talk there and not
risk making any of my own predictions, but I think I have another forty minutes, so I won’t do that.
Okay, so that was 1997. Let’s go back another fifteen years. What were people doing in 1984? Well,
they were, at least according to Google Scholar, eight results. You’ll see one that Payman was already
[laughter] working in multiparty computing back in 1908 [laughter]. I wasn’t aware of that until doing
this search, but apparently his record in this field goes back further than we understood. Okay so, going
back to 1969, we had things that were a little different in terms of multiparty computation. But this was
really when computing started to get cheap and practical. This is the investment by NASA to build the
control for the Apollo Guidance Computer as well as for ICBMs was what got integrated circuits and
started a lot of what made computing practical enough that everyone can use it. So… have to go back a
few doublings to get to that and the free NOR gate required quite a bit of silicon back then.
Okay, so, now that we’ve gone back a little bit, we should try to go forward, and that’s what I’m gonna
do the rest of the talk. So, where should we be in 2029? And… there’s been a lot of investment in this
area–it’s fairly hard to get a really good, accurate estimate, but it’s order of a hundred million dollars or
so, I think, and that’s just in the US, and probably another hundred million in the rest of the world. So,
that’s enough that we should expect something pretty big to come of this. For comparison, that’s about
what the government spends on Art, Dance, Literature, Music, Museums, Opera, and Visual Arts and
Theater in a year… is what’s getting spent on our community.
>>: What’s the entire span for this one hundred million dollars?
>> David Evans: So, that’s a good question. So this is probably over more than one year. Right? And for
comparison, a hair over a year, but not more than two or three years and—yeah—it would be good and
maybe someone with more understanding of how funding agencies work can figure out more accurately
what the spend per year… but I’d say the spend per year is at least fifty million, and the spend over the
last three years is definitely at least a hundred million. Okay… now, before we get too embarrassed
about not making contributions at the level of Music, Opera, Theater, Art and Literature, we can also
compare it to snow removal [laughter] which last week cost more than all of this, and if they just wait a
couple weeks it all goes away so that really seems like a waste [laughter] compared to what we’re doing.
But the taxpayers making these investments should be expecting to get something pretty big out of it.
And for us—you know—acceptable results for that—well, we’re academics—you know—it’s acceptable
to us, at least at some level, if what we’re getting out of it is lots of fun, intellectually interesting
problems to work on, and exciting results to learn about, and getting to go to meetings in nice sunny
places with beaches, like Seattle and [laughter] all those kinds of good things that make our lives fun as
researchers. For the taxpayers, that’s probably not enough. Really, something should be coming out of
this that will create a multibillion dollar industry and things that regular people can relate to as making
their lives better, so I think we’re quite a long way from doing that.
So, I’ll make my first bold claim—and I’m calling my things claims instead of predictions ‘cause that’s a
little safer. So, my claim is that the industry that grows out of multiparty computation by 2029 should
be bigger than the malware industry. And I should clarify: I mean the anti-malware industry, not the
[laughter] pro-malware industry which is much smaller—we shouldn’t have any trouble getting bigger
than the pro-malware industry. And if you look at how big that is today: according to Gartner, it’s about
seventy billion dollars a year—all of the IT security which I’m counting as mostly anti-malware, so, if that
continues growing at the rate they expect or the rate that it has the last few years, that means we need
to—you know—create a few hundred billion dollars of value. Putting that in context, Microsoft last
year: revenue was about seventy-seven billion–so creating three or four, maybe two companies about
the size of Microsoft would be doing this. Claudio’s laughing at my prediction.
Now, there’s an easier way to achieve this which is why I’m more confident in this prediction, which is
that maybe what should happen [laughter] is the anti-malware industry should become much less
relevant as we actually learn how to make software systems that are not quite so vulnerable. And I’m
actually pretty optimistic about this curve being something like that, so we may not need to create a
couple hundred billion dollars to make this prediction true.
Okay. Yeah, yeah, I’m not going to try to draw it. Yeah. This is the line for the IT security industry, not
for Microsoft’s—I would not presume to predict what’s going to happen to Microsoft over the next
fifteen years.
Okay, so… the next claim I’m going to make is that the perceived high cost is no longer the real main
impediment to widespread use of secure multiparty computation, at least if we’re talking about two
parties. So to explain why I think this, I’m gonna go back to the motivating problem that Yehuda used
yesterday which I think is sort of the most compelling example of multiparty computation. Just to
remind you, so this is the scenario where two people meet in some drinking establishment, and they
want to decide whether it’s worth pursuing this archaic courtship ritual, and they want to know if they
have a good chance of having successful, healthy children if things go in that direction. So they want to
do a secure computation with their mobile devices and figure out—you know—either they have the
green light and their offspring have a good chance of being healthy, or get the warning and [laughter]
save themselves the effort. So, the fact that we’re talking about this as our canonical example and I
hope everyone is—not just Yehuda and me, is a real sign of progress in our field. If you go back the
previous thirty years, you know the motivating problem was this millionaire’s problem that Andrew Yao
introduced of the two millionaires that want to figure out who’s richer without revealing their income or
their net worth. And this, moving up to the genetic dating application is a big advance on that, both
because it’s actually doing some interesting computation—it’s not just a less than comparison—but it’s
also a real practical application, unlike this one, which I don’t think anyone actually wants to do. And I
used to think it was just a toy application and I talked about this before as a toy application, and then
someone pointed out to me that there actually is a real app for this and it’s quite popular in Iceland,
apparently, I don’t know if we have any Icelanders here… They actually won an award for it, and you
can [laughter] read that review… Note the use of “probably” in the [laughter]… So, this is an important
motivating problem, and what I’m going to look at is the cost of actually doing this, and part of it is
having your genome sequenced, right? The app… in Iceland, everyone’s pretty closely related, and they
have a national database—not of complete genomes, but of enough genetic information to actually do
that—but they’re actually just doing it based on known relationships, not on genetics. But the cost of
sequencing a genome, if you look at that, going back to about 2000 is when the human genome project
concluded and—y’know—declared victory and said we’ve sequenced either Craig Venter’s genome or
some mix of twelve other people’s genome, depending on which version of the project they think won,
and they sort of declared a tie. And that was projected to cost about a billion dollars, and the cost for
sequencing one genome was around a hundred million. In 2001 it was going down very well along this
path that you would predict from just the Moore’s law decrease in computing cost, and then things
really changed. And so, this is mostly due to improvements in algorithms, but also due to some
improvements in biochemistry and other things. And you see that the cost really plummeted–you can
see it sort of stopped dropping and started actually going up. And the way the NIH is estimating this
cost, it actually includes the administrative cost of doing it as well—so, it’s probably gonna mostly go up
from now. And it’s also sort of fuzzy—you know—what it means to actually sequence a genome,
because you’ve gotta look at how much coverage you do and how much you actually read, and when
you do—sort of—the 23andMe, and it’s less than a hundred dollars to do it, they’re
definitely not sequencing the whole genome, and they’re doing it more at the “useful for recreation”
level not “useful for medicine.”
Okay, so let’s try to put the cost of doing the secure computation that is comparing the genomes on
here, and this is, as we talked about last time, bench-marking’s really hard and it’s hard to sort of extract
from papers what the actual cost of doing some other application is. So I’ve done the best I can to try to
extrapolate that. Don’t read too much into the specific numbers I have here, because there’s lots of
guess-work. But it would be, roughly, in 2004 when Fairplay was released and was the—in many ways,
the first system to try to do real computation as an MPC—it would have cost about a hundred million
dollars to do this comparison between two genomes. And that cost has really plummeted, and today,
we’re probably the same thing with cost orders of a tenth of a cent or so. This is doing a few billion
gates to execute this computation. And there’s lots of reasons the cost has dropped, alright. Some of it
is just the cost of computing dropping, so that’s maybe an order of magnitude here. Some of it is the
improvements in how to do the garbling and how much less expensive it is with techniques like
JustGarble, and some of it is making the circuits smaller. But the combined impact of all of that is taking
something that used to be a hundred million dollars down to a fraction of a cent. Now this is all
semi-honest, so if we want to add the active level of security or fully malicious security we need to make our
chart go up a little higher to fit it in. And probably it would have been orders of ten billion dollars or so
for Alice and Bob to do this if they really didn’t trust each other back in 2004, so probably was not too
practical, but that cost has also—you know—really plummeted. And if the batching that Yehuda talks
about can be applied to this scenario, and I guess that depends a lot on Bob’s activities, whether the
batching up to a thousand works, then the cost is really getting down to fractions of cents, even for
active level security. So of course, there are computations that we want to do that are larger and more
complicated than this, and cost is still a factor there, but there should be lots of interesting
computations where the cost of doing it as a secure multiparty computation is very low. And we should
be wondering, given that, why are we not seeing lots of actual MPC applications deployed?
So, I think there are some costs that still matter, and none of these answer that question of why we’re
not seeing MPC applications deployed yet, at least on any large scale. So that all these results are for
two party, and scaling beyond two parties is still very expensive, and that’s something where most of
the techniques that are designed to scale to many parties, maybe they scale to three or four, but
become—you know—horrendously impractical beyond that. And lots of interesting applications need
millions of parties. And Mutti talked about yesterday trying to scale the things like Twitter and social
networks where you’ve got millions of parties and there are plenty of interesting applications that
require that. The other cost that I don’t think we’ll ever get rid of, and this I think is important for the
uses of MPC where people talk about outsourcing computation or using a service where you’re keeping
your data encrypted, is the energy cost is–I don’t see any way to get the energy cost down to sort of at
least less than a factor of a thousand above regular computation. That, just the cost… as long as you’re
doing any kind of protocol like anything we’re familiar with today, the energy cost is going to be—you
know—thousands of times higher. And energy is a big part of the actual cost of running the data center.
So, in order to make the business case—and hope we’ll hear more about this on the panel later today—
for lots of these applications, the energy cost—you know—if the customers aren’t willing to pay
thousands of times as much to have it done securely, which for most applications where what the
customer’s getting is privacy, that’s probably a very hard sale. And—you know—data centers are
already using one or two percent of all the energy; if we scaled that by a factor of a thousand to make
everything an MPC, then that’s an awful lot of energy.
The other things that I think do matter—and this is why even the sort of simple applications like our
“Genetic Dating” or equivalent are not really useful in practice today and not being widely deployed—
are these kinds of questions. So, our moral, and as both theoreticians and practitioners in this field we
always make this assumption that your goal is to not leak anything when you do the computation, and
then you get to the end of it, and you blast this output out that probably reveals a lot of things you
might not want someone to infer from the sensitive data you started with. And so, I think that’s a really
important question to try to understand—are there ways to measure or to limit or at least reason about
how much information the adversary can infer from what gets released as output? And I think that’s an
area where there’s very little progress in understanding that or figuring out how to do that.
The other thing, at least for a lot of scenarios is, if you want an end user to understand and get some
value from this, there has to be some way to convey that or to make that meaningful to them. And my
example of this—we built a… sort of a toy application maybe a little less toy than the genetic dating one,
where you would be able to compare your contact lists and two people with their mobile phones would
be able to find out if they know anyone in common and otherwise not reveal anything about their
contact list. And this was a nice demo and it took about a minute or two to run, back a couple of years
ago when we were first showing it, and that was enough time to show a little animation on the screen,
and be able to tell people—you know—here’s why this is so cool and you’re getting all these extra
privacy guarantees. Unfortunately, phones got faster, and so if you do this now, it only takes a few
seconds, and then no one believes anything as interesting is going on. So maybe the way to convey
end-user value is to have, like, long time-outs and animations, and I know there are commercial products
that do this, that have the sort of progress bar running the super super-duper encryption. So, the longer
that takes the more confident your users are. I hope that is not the answer for us.
And the third reason is, it still requires a lot of expertise and a lot of effort and a lot of work to build an
MPC system, especially one if you want to actually do the entire system not just the part of the
computation that we tend to focus on. So to build an end-to-end system that includes a user interface
or whatever it includes to make it meaningful and connects with all the things that are necessary to
make a real application. So those things involve a lot of work, and I don’t think much has… there’s been
some progress in recent net costs, but it’s still very high.
Okay. So, my third claim is that we don’t yet know what the “killer app” for MPC is and maybe we’ll get
some more insight at the business panel today, but I think most of the apps that we talk about are
probably not the thing that’s going to get MPC widely deployed—and it’s probably not really privacy.
Alright, I think a lot of us, including me, are motivated to work in this area because we care about
individual privacy and want to empower individuals to be able to interact with services or other people
in ways that give them control over their data. The reality is that the value and the amount that people
will pay for that is very little. So, unless there’s some magic way to get over this factor of a thousand
energy cost, it would be great to have sort of a privacy preserving version of our web mail or search
engines, all these things, but unless people are willing to pay for them in some other way than having
them free with advertising, it seems really hard to make that successful.
Okay, so I’m gonna show a little movie that hopefully will get people thinking about what that “killer
app” should be. I don’t know what it is, but I hope someone here will be able to tell me before the end
of the talk today or at least by the end of the day.
>> Movie: [music] Have you ever borrowed a book from thousands of miles away… across the country…
without stopping for directions? Or sent someone a fax… from the beach? You will. And the company
that will bring it to you: AT&T. Have you ever paid a toll … without slowing down? Bought concert
tickets… from cash machines? Or tucked your baby in… from a phone booth? You will. And the
company that’ll… [sound fades]
>> David Evans: So, there’s more of those that I… and in some ways AT&T was very prescient about lots
of things, but there’s this weird kind of irony of… all those things they’re talking about don’t actually
exist today and have disappeared: that we don’t know what phone booths are anymore or faxes, and I
have my students in my Operating Systems class last semester watch some of these ads and complete a
survey about which ones of them they had actually done, and there’s obviously some fuzziness on how
you interpret these things. The one that actually got the lowest rating was not in the clip that I showed
you but was doing business in a language that you don’t understand. I think that’s probably mostly
because the students aren’t actually doing business, but in terms of the automatic translation that’s
definitely something people perceived as a very hard problem. And this quote, which is often
misattributed to Niels Bohr, but I’m sure people have heard it before. If you don’t speak Danish, you
can, of course, translate it and get a pretty good translation automatically, and it certainly is difficult to
make translations. I don’t know if there will be a secure multiparty computation way of doing automatic
translation in the future, but maybe that would be a nice application to be able to get a service to
translate for you without telling them what you want translated. I’m not sure there’s a business case for
it though… but it could be nice.
Okay, so before I wrap up, I want to mention a little bit—so we had this panel yesterday on theory
versus practice, and Payman wanted to get this—you know—battle between myself and Yehuda going,
and I think I was supposed to represent practice in that, although it’s a little murky. And part of my… I
certainly am more of a systems person than a theory person, but I have now written a theory of
computation book, so my loyalties are much less clear. And I’m not sure if many people here are the
target audience for my book, because it’s not quite at the graduate level—it’s more targeted to two or
three year-olds, but it’s definitely something that I hope that many of you would read and appreciate. If
anyone does have a two or three year-old who is behind on her theoretical computer science education
[laughter] and is willing to admit this in front of this audience, I do have a few copies to give away today.
So okay, oh, we have some takers… good. Okay…
>>: Awesome.
>>: Sweet.
>> David Evans: those who don’t get copies, you can buy one on amazon dot com… okay… alright, so
one last copy… highest bidder… okay, you’re closest, okay. For those not getting copies, I also have
some flyers, which is not quite as good as a copy but… oh, I have one more copy. Did you want a flyer or
copy?
>>: Thank you.
>> David Evans: This is your consolation prize. And you can push those around Microsoft. And—you
know—since it was just released this week, I don’t have a lot of reviews to show you yet, but I do have
one from the founder of Mic-Soft Corporation, so I hope that that will convince people they should
definitely read my book. I apologize… I have not yet updated to support mini-Lego. It only works for
large, full-size Legos, but maybe after the talk yesterday we’ll have a mini-Lego version.
Okay, so how do we find the “killer app” for multiparty computation, and as I said, I don’t know what it
is but I hope people in this room will start thinking about it. And most of what we are doing is sort of
what the AT&T commercial was doing. Alright, we’re doing things like sending faxes from the beach,
taking things that people do today and saying let’s add a little… maybe a little or a lot of privacy to that.
Okay, so we’re sending faxes from the beach, tucking babies in from phone booths, things that look like
pretty silly predictions today. And I hope that there are applications for MPC, and what the ultimate
killer applications for it will be are things that enable people to do things they’re not doing today, not
add some privacy to things that they’re already doing. And as two examples, these go back before the
AT&T commercial, Tim Berners-Lee was creating the World Wide Web, Nicholas Negroponte, and this is
going back two doublings, back thirty years ago, was talking about multitouch interfaces with pressure
sensitivity. So, I would be happy to take questions. If anyone has ideas what that “killer app” for MPC
is, I’d be very happy to hear about them. Yes?
>>: So I’m curious… How did you compute the cost of those secure communications?
>> David Evans: How did I make up my numbers for my slide?
>>: Yeah. [laughter]
>> David Evans: So, it’s pretty hard to get accurate numbers. That’s why the line is really thick and
fuzzy. I did my best to look at the—sort of—try to figure out the cost per gate and the number of gates
and scale that and then looked at the cost of computing on EC2 as sort of scaling the cost of computing.
There’s certainly… I wouldn’t place a lot of faith in the actual numbers that I came up with, whether it’s
a tenth of a cent or… actually the more recent ones are probably more accurate, ‘cause we do have
more—I guess—closer to benchmarks that match what I’m doing. But whether it’s a hundred billion
dollars or—you know—fifty billion dollars to do the active security version, I wouldn’t have a lot of
confidence in… but it’s definitely—y’ know—orders of tens of billions, not—you know—few millions.
Yeah?
>>: Sometimes windmills generate electricity when nobody’s there to use it. Could you have batch
processing for MPC to be used when the windmills would otherwise have to be shut down?
>> David Evans: So the question… yeah… If the problem is energy cost, can we take advantage of things
like batch processing and off-line processing to do things when energy is cheaper? We could… there’s
probably lots of other things people—there’s always something people can do with that energy—so if
there’s nothing more useful that people can do with it, then do an MPC… maybe that’s what it can be
used for. But I… so maybe—y’ know— if you can do all that instead of worrying about a factor of ten
thousand more expensive, it turns out to be more like a thousand, but I think it’s still pretty hard… and
most of the interesting applications do seem to have some part that latency is important for. So, if you
can do everything else off-line, that part that latency is important for is still a factor of a thousand or ten
thousand more expensive. Yes?
>>: It’s already done with dynamic energy pricing, right? So your windmill will be connected and the
pricing might be cheaper. So you can do…
>> David Evans: And computing the spot prices on EC2, probably on Escher.
>>: Also—you know—your ten thousand eggs, I mean probably reflects the real thing, but the
application that you’ll be running is not sensitive—you know—most of it will be… really, ninety-nine
point something percent will be not privacy sensitive. So, if you have a small thing like—you know—
uh… contacts or payment transaction, that’s a small thing, really, to speak of.
>> David Evans: Yeah, that’s a very good point, and I think part of the difficulty in building sort of real
applications that use MPC is to figure out how to connect the small part of our computation that really
needs to be done securely with all the things that don’t need to be done securely and balance that cost.
So I think if it is the case that the actual part that needs to be secure is—y’know—a tenth of a percent
of the total cost of your computation, and you increase that cost by a factor of a thousand then maybe
it’s only doubling the total cost and that’s okay… or it could be an even smaller fraction. [pause] No one
has the killer application to tell me?
>>: The thing is… I have a new application I’ve been writing for myself. And it’s like a business thing, so…
>> David Evans: Oh, we’re all friends here. It’s okay. [laughter] You can tell me after though, if you’re
holding it out on us. Yeah?
>>: What do you think about the complexity of development. It’s… there’s a lot of these protocols are
very complicated…
>> David Evans: Yes.
>>: Do you see that as a barrier? Do you see that as well as lots of software that it’s not an issue?
What’s your…
>> David Evans: It’s certainly an issue, so I think having libraries like scafee and that, well, that Sammy’s
going to talk about later today, may be part of that. Part of it—you know—software development is
expensive. The problem with developing an MPC is, it’s not—y’know—it’s not normal software
development. You need expertise in cryptography, and there’s a big risk of… if you get some little thing
wrong, you’ve lost all these security properties you’re trying to get. This is true for all cryptographic
software development: it is much harder than—you know—regular software development’s hard
enough, but now you’ve got to implement crypto correctly, it gets much harder. And then the issues
with… maybe the costs will be low enough that you don’t have to worry about doing the kinds of low-level
optimizations that you need to get an MPC to be reasonably efficient today… so that will reduce the cost
a lot, or maybe more of that can be automated. But I think it’s that… I think, at least for this deployment
question, a lot of it is if you can separate your application in a way that only a small part of it needs to be
done as an MPC, and the rest of it can be done by your—y’know—lowly paid regular software engineers,
and they won’t mess up the security properties that you’re trying to get from the part that you’re doing
securely. But I think that’s still a hard problem. Yeah?
>>: So, with protocols like TLS and SSH, these are ways that crypto gets into the mainstream, but
sometimes they get in the mainstream, and they lose like the provable guarantees, and then
cryptographers have to follow along afterwards and try to prove the security of these bizarre protocols.
Do you worry about that for MPC? Or how can we avoid that?
>> David Evans: Yeah, so where security tends to get broken, as a rule, is not in the mathematics of the
protocols and encryption systems. It’s in flaws in implementation, or someone gets a key logger installed
on their machine and everything they type gets recorded. It doesn’t matter how secure everything after
that is. And I think this is definitely an issue for MPC that—at least lots of these applications, you end up
with a client program that an end user types their sensitive data into and is trusting to execute this
protocol correctly. And as—sort of—researchers in crypto we think of trust as—well you’re not
trusting… the fact that you don’t have to trust the other person’s client means you’ve achieved your
threat model goal, and you—of course—can trust all the code that you run yourself, because you wrote
it yourself or… [laughter]
>>: [indiscernible]
>> David Evans: Right, and it doesn’t use any underlying libraries or run on any untrusted machine or
anything else. But I think for, at least—you know—many of the apps people talk about for secure
computation, the big risk to their data is not in the execution of the MPC, it’s in all of the things that
happen around that. And I think it—sort of—maybe one of the reasons that it doesn’t make sense to
deploy this widely yet is, if you can’t solve those problems, increasing the cost of the part of the
computation that’s probably not gonna get broken in the first place, by a factor of a thousand, is not the best
place to put your resources. But if you remember the line that I have about the—sort of—drop of the
malware industry, I’m actually quite optimistic that some of those things will actually get better. Yeah?
>>: So, you mentioned that you think the killer app for MPC should be something not adding privacy to
something you can already do, but something new that you’re not doing. So, I like this concept, but it’s
hard for me to imagine MPC doing this, because whatever I think MPC can do—we can also always do it
unsecurely, right? So it seems like privacy will always be the motivation for using MPC…
>> David Evans: So, I’ll mention one example that Yehuda’s working on is: if you’re running a service
where you’ve got to maintain lots of accounts and you’ve got users and passwords or you’re acting as a
proxy for somebody and you’ve got to manage a bunch of keys, what you would like to do so you don’t
become the next… actually I won’t pick a particular… we’ve all heard of companies that have had their
encrypted password file exposed, and that is a big risk. And so what you want to do is store that file on
two machines that are very separate, in different jurisdictions, running different operating systems,
running different stacks of everything that you can make different, and use an MPC between those two
machines to validate a login. So you’re not having any one machine that, if someone compromises it,
they get your password database. So that’s, I think, an example where you’re providing some
important security property using MPC, but it’s not privacy for end-users in the way we usually think
about privacy.
>>: Okay… when you’re saying privacy, this was for end-users you were thinking, right?
>> David Evans: Right, and this is privacy in the sense that the organization that wants to split up its
passwords in this way started knowing all the data. So there’s no enhanced privacy by using MPC, it’s
enhanced protection. Now if you believe my claim that the malware industry is going to become
unnecessary, then maybe that is not necessary anymore, but it certainly would be valuable to do for the
foreseeable future.
>>: I think the issue’s also it’s… there’s a slightly different mindset here in that we always think about
secure communication as being two different parties with different data who want to cooperate and
here we’re talking about a single party who just can’t trust the network. So, actually there’s a different
mindset there as well.
>> David Evans: Alright, yeah. It’s not Alice and Bob.
>>: No.
>> David Evans: Yeah?
>>: I was going to comment on the same topic, because one problem that we have nowadays is that
systems are broken because usually they are… people can break an encryption, but today they will
compromise the machine, and we all have a lot of computing devices these days. We have, like, one or
two cellphones and a laptop, and so on, and this is an area where you can think of one person trying to
add more resilience to—you know—their computing network.
>> David Evans: Yeah, so you would like your three devices that you’re carrying around all day to do an
MPC for when you want to read your e-mail or…
>>: …honest party that will be compromised only if all the sub-parties are…
>> David Evans: So, if someone steals your phone, it’s not near your other devices, there’s nothing that
can be exposed to…
>>: Unless you are stealing…
>> David Evans: I think that’s an interesting application. I hadn’t thought too much about whether MPC is
really necessary for that or… but I think that if you want to take it to the extent that there is never any
key on the device that could be exposed, then MPC probably is necessary for it.
>>: …I think an application like what you’re saying, using MPC as an authentication mechanism. Here
are your three devices, and they’ve been combined to act as a passcode map, so the password is almost
never or never exposed in any one place, as an example of how that works.
>> David Evans: And you’re using that to authenticate yourself with some other system.
>>: Right.
>> David Evans: And by proving you have those three devices, that gives them a lot of confidence.
Yeah.
>>: And then you store the passwords and share your key.
>> David Evans: You’d be entering a password into two of the devices as part of that process.
>>: Yeah.
>> David Evans: Yes?
>>: If you compare MPC with public key, in the ’70s the U.S. Navy did not use public key in the Walker
spy ring and had its liberal toast for breakfast. Is there any equivalent to not using MPC right now and
bad things happening?
>> David Evans: So, I think the military was still hand distributing keys at least… they may still be, but at
least as of five years ago, I knew that they were. They had—you know—people whose job it was to
carry—you know—a key out to someone else. I don’t know if that’s changed in the last five years. So
the question: is there something like that with MPC, where you can say people are doing things in a very
expensive, time-consuming, unsatisfying way because they’re not using MPC. Did you have an idea?
>>: No. [laughter]
>>: Dating in bars.
>> David Evans: Sorry…what?
>>: Dating in the bars.
>> David Evans: Oh, yeah, the Genetic Dating, well…
>>: [indiscernible]
>> David Evans: Yeah, okay, we have our killer application, but, yeah, I’m not sure that fits.
>>: So, when you read the history of MPC, you google MPC… but then most of the other things you said
were about two-party computations, so clearly you think the example of… no, never mind, [laughter]
so… so…
>> David Evans: I think the batch processing is enough there without worrying about the multiparty
issues.
>>: So, when you look at the performance [indiscernible] Very well, we will assume the modest majority
when we have settings automatically. So, the killer application will be a two-party computation. And
multiparty computation…?
>> David Evans: Yeah, I think that that’s a good point, but, and I didn’t try to get—you know—more than
two parties onto my cost estimate ’cause I really don’t think it’s even possible to figure out what the
cost of a… there are some implementations of three-party but very little that has been done beyond that.
So, I think a lot of the interesting applications are things like, maybe auctions and voting, that people talk
about, that do require scaling to millions of parties and are usually done instead by having, sort of, a small
number, like the beet auction, where all the parties give their data to someone they trust, and then…
>>: Right ,right. But that could be the same with the example of the keys, right? Sharing the keys
among your machines…
>> David Evans: Right, if you have more than… so that’s probably still a small number, scaling to—you
know—twenty machines but… and the things that involve—sort of—social networks and extending to
every individual involved in some large computation. I think those are still… there’s definitely—
you know—the costs are many, many orders of magnitude beyond what would make that successful.
So, I think there are some big theoretical breakthroughs needed before we can really think about
making that practical… but there definitely are killer applications that would be enabled by having
millions of people, millions of parties in MPC. Yeah?
>>: I think that the good thing about MPC is that sometimes having a lot of parties helps you instead of
being a risk or being a bad thing, because when you have a large number of parties then the cost for
each party’s going to break down to not a lot of parties. And if you can design a scalable algorithm the
cost is something like, the shape of the cost is decreasing with the number of parties. And it’s really,
maybe, helpful because—for example—you cannot have MPC for maybe four people, but you may have
MPC for two to the hundred people or two to the—I don’t know—fifteen people, because then each
person does a little work to…
>> David Evans: So I think if they’re… and the things that you’re working on are maybe a good step in
that direction. I think that the more traditional MPC protocols don’t scale like that, that the work—the
total work—is scaling exponentially or…
>>: Oh, no, that’s not true, that’s not true.
>> David Evans: That’s not true? Then what’s the total work?
>>: [indiscernible] all this work is scalable. [indiscernible]
>> David Evans: and counting the off-line work as well?
>>: Yeah, yeah… oh. Well, the majority.
>> David Evans: Okay, so there may be cases… and the other thing I would say that argues in favor of
more parties is this question of what the output reveals. If you’ve got two parties and one
party is malicious and they’re able to control their data, they can probably come up with inputs that are
going to reveal what they want about the other party’s data. If you’ve got many parties involved in a
conversation and you’re revealing an output that’s an aggregate of all those parties, you’re much safer as
any individual participating in it that your personal data won’t be leaked in the output. So, I think there are
definitely some big advantages of increasing the number of parties.
>>: All of that said, that’s potentially an argument for security by obscurity [laughter].
>> David Evans: Not really. So, it’s the question of what you can infer from the output. So, you’re going
to have information-theoretic, strong claims that what you can infer if it’s a two-party, one party can
infer everything about the other party’s data from the input. If it’s three-party and there’s no
collusion, then one party might be able to infer something but not know which of the two parties is the
one that has that weak mark in their data. So, I think there are pretty strong claims you can make
about… as long as you have a strong assumption about non-collusion, which is hard in the real world,
you can make some much stronger claims about what gets leaked. I guess it’s both non-collusion and
not having any outside information that you can use to infer more than you can get from just the
output. Yeah?
>>: So maybe this is a little… it’s related to a previous question, but do you think when you want to
move to many parties, there will be some considerably different constraints between the cases of two
to three parties and many parties? For example, with interactions do…
>> David Evans: Yeah, so definitely if your application is a social network, where you’re sharing data and
doing computation on all data from all the participants, you wouldn’t want to require that everyone in
the network is available on-line during that computation. So, I think there are interesting questions
about—you know—whether delegation is an answer, or being able to do things off-line and
asynchronously. I don’t know much about the work that’s being done on that, but I think probably quite
different protocols are going to be needed for some of these scenarios.
>>: I believe it’s better to design asynchronous. Sorry, I’m bad at speaking English. [indiscernible] I
believe it’s better to design asynchronous [indiscernible], because you cannot want everybody to be
online, but in some applications, you can afford to wait for the result. For example, you can afford to wait for–
I don’t know–one day for your payment to be checked in. Still, in the banking system, you can wait for some
hours or one day for your payment to be approved by the bank system. So you can wait for the application
and make sure that everybody is going to be online during some period of that time.
>> David Evans: I think people accept waiting for banking transactions to be slow just because that’s
always been the way they are, but we shouldn’t accept them being slow so they should happen very
quickly.
>>: These would happen very fast but… [indiscernible]
>> David Evans: That’s aside to your comment. There are things where, yeah, latency and things that
are important and there’s things you could do in off-line… absolutely.
>>: You can assume there are applications that people are waiting for, now, today, and they are
used to it, so you can have an application where waiting is really… acceptable.
>> David Evans: If you’re trying to do something with a social network with millions of participants
and you’ve got to wait until everyone does some on-line interaction, you may never get a result.
>>: Not really, but for example, a good partition of them, for example…
>> David Evans: Right, so that’s two thirds of people, yeah… I think that makes sense. Yeah?
>>: You need some application that would help Bitcoin verification, because…
>> David Evans: So, do you need MPC to help Bitcoin verification?
>>: Of course.
>> David Evans: Because it’s a public ledger, there’s no…
>>: You can’t break in and steal your keys, how are you protecting your keys? What’s…
>> David Evans: Oh, I see, so, not the verification of the block chain but protecting your own Bitcoin
wallet. I think that makes sense.
>>: It does make sense, but the Bitcoin community doesn’t want to touch it just yet.
>>: [indiscernible]
>> David Evans: Yeah, it is a crypto-heavy community. So, yeah, it’s worth thinking about. I’m not sure
if the killer… I guess Bitcoin has to become a killer app before something that aids Bitcoin itself could be
[laughter] a killer app, but it’s not clear to me whether Bitcoin is on that path or not.
>>: Are you planning to write a book on multiparty computations for toddlers?
>> David Evans: Ah, so, what’s the sequel to Dori-Mic and the Universal Machine? I have not figured
out a sequel yet. I think… I was thinking quantum computation would probably be the next one, maybe
multiparty would be the third but, at least, maybe she’ll be old enough by then that I’ll be able to use
more challenging concepts in the book. We’ll see, I don’t have an idea. If someone has an idea I can
help you find a good illustrator.
>>: Dori and her friends want to find out who has the most toys, [laughter] without revealing how many
toys they have? [laughter]
>> David Evans: They just want to steal each other’s toys, so, yeah…
>> Seny Kamara: So, let’s thank David. [applause]