>> Seny Kamara: Okay, so, we’re gonna have the second invited talk today. So, it’s our pleasure to have David Evans speaking. David is a professor at University of Virginia. He’s worked in many different areas in security: so in wireless networks, sensor networks, especially in software security, a lot of work there, he’s also been very active in computer science education. He’s been working with Udacity, which is one of the big on-line… massive on-line courses–MOOCs. So, he’s teaching an intro to computer science class and a cryptography class as well. David has also written a book, an introduction to computer science, which is really nice and I think is freely available, so if you want to check that out you should. And, of course, sort of more relevant to this audience, he’s done a lot of work on applied multiparty computation and he’s worked on the fast double circuit framework, and also done work on progress and intersection and has looked at how to, sort of, how to generate circuits for MPC, and, yeah, and also, I guess, one of his students has a talk this afternoon on data-oblivious computation as well. So, with that, I’ll let him get started. >> David Evans: Okay, well, thank you, Seny. I much appreciate the introduction, especially the plug for my book, and I actually have a new book that just released this week that I’m going to plug later, so, I take that as permission that I can plug my book. There were a lot of interesting technical talks yesterday and more interesting technical… or additional interesting technical talks today. I won’t presume which ones are going to be more interesting. I’m going to try to balance that by not having anything technical at all in my talk. So, I hope you’ll be okay with that. Yehuda asked for a proof, but I’m afraid that I won’t have one. >>: You’re going to prove to us that you’re a practical person by not giving us any proofs? >> David Evans: Yes, I guess it is a self-proving talk.
Several people wondered about my title - why 2029? And this is a good question, so, I should try to explain that. And there’s an obvious answer to that – that it’s fifteen years from now. So, why fifteen years? And there are lots of answers to this. The one I’m going to give is actually from a talk that Neil deGrasse Tyson gave at a conference about fifteen years ago and it got turned into an essay, which I do have posted on my site–I hope people will read this. What he talks about is this inevitable progress in science–having this golden age. And he explains it by talking about going into the library at Princeton, and he’s an astrophysicist so he was looking at the astrophysics journals and trying to figure out what the rate of new knowledge is. And so he went into the library and he tried to figure out where the midpoint of the width of all the journals is, and he found that that was fifteen years ago. And so, fifteen years ago was half-way–and then he figured, well, “what’s the midpoint between here and there?” And that was also fifteen years ago. And he kept doing this and found that—you know—the amount of knowledge, if you can measure it by the thickness of this astrophysical journal, which I guess in astrophysics is a reasonable way to measure knowledge, [laughter] was doubling every fifteen years, and that keeps going. And there are lots of reasons for this. We talk about Moore’s law a lot in computing and saying, “well maybe Moore’s law is running out.” But there are lots of other things that will extend beyond that and there are lots of things that happened before that, that whether it’s the printing press or telephones or getting on airplanes–things that make it easier for people to communicate and keep track of knowledge or ways that you can build on previous work–there are lots of reasons why fields like science, astrophysics and computing and MPC are all experiencing exponential growth and endless golden ages.
So, in order to look at my predictions for the next fifteen years we want to start by going back a little bit and see what happened in the last, the last two doublings. And if you look just to measure the state of where we are now this is just the search for all the–oops, oh, what did I do? Oops…okay, maybe my inking isn’t working–but I don’t really… So, this is all the papers that have multiparty computation in their title or abstract in the last year and there’s about seven hundred of them. And I talked yesterday on the panel that we’re writing too many papers, don’t know—I have not read all seven hundred so there may be some gems in there that we’ve all missed, but if anyone has read all six hundred and ninety-seven of them, my guess is the average quality is probably pretty small… or at least the average size of contribution is probably pretty small if we’re able to make that many papers in a year. So, if we go back fifteen years to 1999, there were a hundred sixty-two papers and the fifteen years between 1985 and 1999, so that fits pretty well – actually it’s much more rapid than the doubling amount of content that Neil deGrasse Tyson was talking about in astrophysics. But there were some really important papers being written in that era, and the one that I’ll highlight that I think is quite interesting for this talk, so, Shafi Goldwasser gave a talk at PODC in 1997 talking about the past and present of multiparty computations, and she was smart enough not to put a date on her predictions about the future, so, but was talking about “we believe the field is today where public-key crypto was ten years ago,” so this was… would be where public-key crypto was in 1987, and an extremely powerful tool and rich theory whose real life usage is at this time only beginning. And so I think that is probably a good prediction for today rather than 1997.
So I could end my talk there and not risk making any of my own predictions, but I think I have another forty minutes, so I won’t do that. Okay, so that was 1997. Let’s go back another fifteen years. What were people doing in 1984? Well, they were, at least according to Google Scholar, eight results. You’ll see one that Payman was already [laughter] working in multiparty computing back in 1908 [laughter]. I wasn’t aware of that until doing this search, but apparently his record in this field goes back further than we understood. Okay so, going back to 1969, we had things that were a little different in terms of multiparty computation. But this was really when computing started to get cheap and practical. This is the investment by NASA to build the control for the Apollo Guidance Computer as well as for ICBMs was what got integrated circuits and started a lot of what made computing practical enough that everyone can use it. So… have to go back a few doublings to get to that and the free NOR gate required quite a bit of silicon back then. Okay, so, now that we’ve gone back a little bit, we should try to go forward, and that’s what I’m gonna do the rest of the talk. So, where should we be in 2029? And… there’s been a lot of investment in this area–it’s fairly hard to get a really good, accurate estimate, but it’s order of a hundred million dollars or so, I think, and that’s just in the US, and probably another hundred million in the rest of the world. So, that’s enough that we should expect something pretty big to come of this. For comparison, that’s about what the government spends on Art, Dance, Literature, Music, Museums, Opera, and Visual Arts and Theater in a year… is what’s getting spent on our community. >>: What’s the entire span for this one hundred million dollars? >> David Evans: So, that’s a good question. So this is probably over more than one year. Right?
And for comparison, a hair over a year, but not more than two or three years and—yeah—it would be good and maybe someone with more understanding of how funding agencies work can figure out more accurately what the spend per year… but I’d say the spend per year is at least fifty million, and the spend over the last three years is definitely at least a hundred million. Okay… now, before we get too embarrassed about not making contributions at the level of Music, Opera, Theater, Art and Literature, we can also compare it to snow removal [laughter] which last week cost more than all of this, and if they just wait a couple weeks it all goes away so that really seems like a waste [laughter] compared to what we’re doing. But the taxpayers making these investments should be expecting to get something pretty big out of it. And for us—you know—acceptable results for that—well, we’re academics—you know—it’s acceptable to us, at least at some level, if what we’re getting out of it is lots of fun, intellectually interesting problems to work on, and exciting results to learn about, and getting to go to meetings in nice sunny places with beaches, like Seattle and [laughter] all those kinds of good things that make our lives fun as researchers. For the taxpayers, that’s probably not enough. Really, something should be coming out of this that will create a multibillion dollar industry and things that regular people can relate to as making their lives better, so I think we’re quite a long way from doing that. So, I’ll make my first bold claim—and I’m calling my things claims instead of predictions ‘cause that’s a little safer. So, my claim is that the industry that grows out of multiparty computation by 2029 should be bigger than the malware industry. And I should clarify: I mean the anti-malware industry, not the [laughter] pro-malware industry which is much smaller—we shouldn’t have any trouble getting bigger than the pro-malware industry. 
And if you look at how big that is today: according to Gartner, it’s about seventy billion dollars a year—all of the IT security which I’m counting as mostly anti-malware, so, if that continues growing at the rate they expect or the rate that it has the last few years, that means we need to—you know—create a few hundred billion dollars of value. Putting that in context, Microsoft last year: revenue was about seventy-seven billion–so creating three or four, maybe two companies about the size of Microsoft would be doing this. Claudio’s laughing at my prediction. Now, there’s an easier way to achieve this which is why I’m more confident in this prediction, which is that maybe what should happen [laughter] is the anti-malware industry should become much less relevant as we actually learn how to make software systems that are not quite so vulnerable. And I’m actually pretty optimistic about this curve being something like that, so we may not need to create a couple hundred billion dollars to make this prediction true. Okay. Yeah, yeah, I’m not going to try to draw it. Yeah. This is the line for the IT security industry, not for Microsoft’s—I would not presume to predict what’s going to happen to Microsoft over the next fifteen years. Okay, so… the next claim I’m going to make is that the perceived high cost is no longer the real main impediment to widespread use of secure multiparty computation, at least if we’re talking about two parties. So to explain why I think this, I’m gonna go back to the motivating problem that Yehuda used yesterday which I think is sort of the most compelling example of multiparty computation. Just to remind you, so this is the scenario where two people meet in some drinking establishment, and they want to decide whether it’s worth pursuing this archaic courtship ritual, and they want to know if they have a good chance of having successful, healthy children if things go in that direction. 
So they want to do a secure computation with their mobile devices and figure out—you know—either they have the green light and their offspring have a good chance of being healthy, or get the warning and [laughter] save themselves the effort. So, the fact that we’re talking about this as our canonical example and I hope everyone is—not just Yehuda and me, is a real sign of progress in our field. If you go back the previous thirty years, you know the motivating problem was this millionaires’ problem that Andrew Yao introduced of the two millionaires that want to figure out who’s richer without revealing their income or their net worth. And this, moving up to the genetic dating application is a big advance on that, both because it’s actually doing some interesting computation—it’s not just a less than comparison—but it’s also a real practical application, unlike this one, which I don’t think anyone actually wants to do. And I used to think it was just a toy application and I talked about this before as a toy application, and then someone pointed out to me that there actually is a real app for this and it’s quite popular in Iceland, apparently, I don’t know if we have any Icelanders here… They actually won an award for it, and you can [laughter] read that review… Note the use of “probably” in the [laughter]… So, this is an important motivating problem, and what I’m going to look at is the cost of actually doing this, and part of it is having your genome sequenced, right? The app… in Iceland, everyone’s pretty closely related, and they have a national database—not of complete genomes, but of enough genetic information to actually do that—but they’re actually just doing it based on known relationships, not on genetics.
But the cost of sequencing a genome, if you look at that, going back to about 2000 is when the human genome project concluded and—y’know—declared victory and said we’ve sequenced either Craig Venter’s genome or some mix of twelve other people’s genome, depending on which version of the project they think won, and they sort of declared a tie. And that was projected to cost about a billion dollars, and the cost for sequencing one genome was around a hundred million. In 2001 it was going down very well along this path that you would predict from just the Moore’s law decrease in computing cost, and then things really changed. And so, this is mostly due to improvements in algorithms, but also due to some improvements in biochemistry and other things. And you see that the cost really plummeted–you can see it sort of stopped dropping and started actually going up. And the way the NIH is estimating this cost, it actually includes the administrative cost of doing it as well—so, it’s probably gonna mostly go up from now. And it’s also sort of fuzzy—you know—what it means to actually sequence a genome, because you’ve gotta look at how much coverage you do and how much you actually read, and when you do—sort of—the 23andMe, and it’s less than a hundred dollars to do it, they’re definitely not sequencing the whole genome, and they’re doing it more at the “useful for recreation” level not “useful for medicine.” Okay, so let’s try to put the cost of doing the secure computation that is comparing the genomes on here, and this is, as we talked about last time, benchmarking’s really hard and it’s hard to sort of extract from papers what the actual cost of doing some other application is. So I’ve done the best I can to try to extrapolate that. Don’t read too much into the specific numbers I have here, because there’s lots of guess-work.
But it would be, roughly, in 2004 when Fairplay was released and was the—in many ways, the first system to try to do real computation as an MPC—it would have cost about a hundred million dollars to do this comparison between two genomes. And that cost has really plummeted, and today, we’re probably the same thing with cost orders of a tenth of a cent or so. This is doing a few billion gates to execute this computation. And there’s lots of reasons the cost has dropped, alright. Some of it is just the cost of computing dropping, so that’s maybe an order of magnitude here. Some of it is the improvements in how to do the garbling and how much less expensive it is with techniques like JustGarble, and some of it is making the circuits smaller. But the combined impact of all of that is taking something that used to be a hundred million dollars down to a fraction of a cent. Now this is all semihonest, so if we want to add the active level of security or fully malicious security we need to make our chart go up a little higher to fit it in. And probably it would have been orders of ten billion dollars or so for Alice and Bob to do this if they really didn’t trust each other back in 2004, so probably was not too practical, but that cost has also—you know—really plummeted. And if the batching that Yehuda talks about can be applied to this scenario, and I guess that depends a lot on Bob’s activities, whether the batching up to a thousand works, then the cost is really getting down to fractions of cents, even for active level security. So of course, there are computations that we want to do that are larger and more complicated than this, and cost is still a factor there, but there should be lots of interesting computations where the cost of doing it as a secure multiparty computation is very low. And we should be wondering, given that, why are we not seeing lots of actual MPC applications deployed?
So, I think there are some costs that still matter, and none of these answer that question of why we’re not seeing MPC applications deployed yet, at least on any large scale. So that all these results are for two party, and scaling beyond two parties is still very expensive, and that’s something where most of the techniques that are designed to scale to many parties, maybe they scale to three or four, but become—you know—horrendously impractical beyond that. And lots of interesting applications need millions of parties. And Mutti talked about yesterday trying to scale the things like Twitter and social networks where you’ve got millions of parties and there are plenty of interesting applications that require that. The other cost that I don’t think we’ll ever get rid of, and this I think is important for the uses of MPC where people talk about outsourcing computation or using a service where you’re keeping your data encrypted, is the energy cost is–I don’t see any way to get the energy cost down to sort of at least less than a factor of a thousand above regular computation. That, just the cost… as long as you’re doing any kind of protocol like anything we’re familiar with today, the energy cost is going to be—you know—thousands of times higher. And energy is a big part of the actual cost of running the data center. So, in order to make the business case—and hope we’ll hear more about this on the panel later today— for lots of these applications, the energy cost—you know—if the customers aren’t willing to pay thousands of times as much to have it done securely, which for most applications where what the customer’s getting is privacy, that’s probably a very hard sale. And—you know—data centers are already using one or two percent of all the energy; if we scaled that by a factor of a thousand to make everything an MPC, then that’s an awful lot of energy.
The other things that I think do matter—and this is why even the sort of simple applications like our “Genetic Dating” or equivalent are not really useful in practice today and not being widely deployed— are these kinds of questions. So, our moral, and as both theoreticians and practitioners in this field we always make this assumption that your goal is to not leak anything when you do the computation, and then you get to the end of it, and you blast this output out that probably reveals a lot of things you might not want someone to infer from the sensitive data you started with. And so, I think that’s a really important question to try to understand—are there ways to measure or to limit or at least reason about how much information the adversary can infer from what gets released as output? And I think that’s an area where there’s very little progress in understanding that or figuring out how to do that. The other thing, at least for a lot of scenarios is, if you want an end user to understand and get some value from this, there has to be some way to convey that or to make that meaningful to them. And my example of this—we built a… sort of a toy application maybe a little less toy than the genetic dating one, where you would be able to compare your contact lists and two people with their mobile phones would be able to find out if they know anyone in common and otherwise not reveal anything about their contact list. And this was a nice demo and it took about a minute or two to run, back a couple of years ago when we were first showing it, and that was enough time to show a little animation on the screen, and be able to tell people—you know—here’s why this is so cool and you’re getting all these extra privacy guarantees. Unfortunately, films got faster, and so if you do this now, it only takes a few seconds, and then no one believes anything as interesting is going on. 
So maybe the way to convey end-user value is to have, like, long time-outs and animations, and I know there are commercial products that do this, that have the sort of progress bar running the super super-duper encryption. So, the longer that takes the more confident your users are. I hope that is not the answer for us. And the third reason is, it still requires a lot of expertise and a lot of effort and a lot of work to build an MPC system, especially one if you want to actually do the entire system not just the part of the computation that we tend to focus on. So to build an end-to-end system that includes a user interface or whatever it includes to make it meaningful and connects with all the things that are necessary to make a real application. So those things involve a lot of work, and I don’t think much has… there’s been some progress in recent net costs, but it’s still very high. Okay. So, my third claim is that we don’t yet know what the “killer app” for MPC is and maybe we’ll get some more insight at the business panel today, but I think most of the apps that we talk about are probably not the thing that’s going to get MPC widely deployed—and it’s probably not really privacy. Alright, I think a lot of us, including me, are motivated to work in this area because we care about individual privacy and want to empower individuals to be able to interact with services or other people in ways that give them control over their data. The reality is that the value and the amount that people will pay for that is very little. So, unless there’s some magic way to get over this factor of a thousand energy cost, it would be great to have sort of a privacy preserving version of our web mail or search engines, all these things, but unless people are willing to pay for them in some other way than having them free with advertising, it seems really hard to make that successful.
Okay, so I’m gonna show a little movie that hopefully will get people thinking about what that “killer app” should be. I don’t know what it is, but I hope someone here will be able to tell me before the end of the talk today or at least by the end of the day. >> Movie: [music] Have you ever borrowed a book from thousands of miles away… across the country… without stopping for directions? Or sent someone a fax… from the beach? You will. And the company that will bring it to you: AT&T. Have you ever paid a toll … without slowing down? Bought concert tickets… from cash machines? Or tucked your baby in… from a phone booth? You will. And the company that’ll… [sound fades] >> David Evans: So, there’s more of those that I… and in some ways AT&T was very prescient about lots of things, but there’s this weird kind of irony of… all those things they’re talking about don’t actually exist today and have disappeared: that we don’t know what phone booths are anymore or faxes, and I have my students in my Operating Systems class last semester watch some of these ads and complete a survey about which ones of them they had actually done, and there’s obviously some fuzziness on how you interpret these things. The one that actually got the lowest rating was not in the clip that I showed you but was doing business in a language that you don’t understand. I think that’s probably mostly because the students aren’t actually doing business, but in terms of the automatic translation that’s definitely something people perceived as a very hard problem. And this quote, which is often misattributed to Niels Bohr, but I’m sure people have heard it before. If you don’t speak Danish, you can, of course, translate it and get a pretty good translation automatically, and it certainly is difficult to make translations.
I don’t know if there will be a secure multiparty computation way of doing automatic translation in the future, but maybe that would be a nice application to be able to get a service to translate for you without telling them what you want translated. I’m not sure there’s a business case for it though… but it could be nice. Okay, so before I wrap up, I want to mention a little bit—so we had this panel yesterday on theory versus practice, and Payman wanted to get this—you know—battle between myself and Yehuda going, and I think I was supposed to represent practice in that, although it’s a little murky. And part of my… I certainly am more of a systems person than a theory person, but I have now written a theory of computation book, so my loyalties are much less clear. And I’m not sure if many people here are the target audience for my book, because it’s not quite at the graduate level—it’s more targeted to two- or three-year-olds, but it’s definitely something that I hope that many of you would read and appreciate. If anyone does have a two- or three-year-old who is behind on her theoretical computer science education [laughter] and is willing to admit this in front of this audience, I do have a few copies to give away today. So okay, oh, we have some takers… good. Okay… >>: Awesome. >>: Sweet. >> David Evans: Those who don’t get copies, you can buy one on amazon dot com… okay… alright, so one last copy… highest bidder… okay, you’re closest, okay. For those not getting copies, I also have some flyers, which is not quite as good as a copy but… oh, I have one more copy. Did you want a flyer or copy? >>: Thank you. >> David Evans: This is your consolation prize. And you can push those around Microsoft. And—you know—since it was just released this week, I don’t have a lot of reviews to show you yet, but I do have one from the founder of Mic-Soft Corporation, so I hope that that will convince people they should definitely read my book.
I apologize… I have not yet updated to support mini-Lego. It only works for large, full-size Legos, but maybe after the talk yesterday we’ll have a mini-Lego version. Okay, so how do we find the “killer app” for multiparty computation, and as I said, I don’t know what it is but I hope people in this room will start thinking about it. And most of what we are doing is sort of what the AT&T commercial was doing. Alright, we’re doing things like sending faxes from the beach, taking things that people do today and saying let’s add a little… maybe a little or a lot of privacy to that. Okay, so we’re sending faxes from the beach, tucking babies in from phone booths, things that look like pretty silly predictions today. And I hope that there are applications for MPC, and what the ultimate killer applications for it will be are things that enable people to do things they’re not doing today, not add some privacy to things that they’re already doing. And as two examples, these go back before the AT&T commercial, Tim Berners-Lee was creating the World Wide Web, Nicholas Negroponte, and this is going back two doublings, back thirty years ago, was talking about multitouch interfaces with pressure sensitivity. So, I would be happy to take questions. If anyone has ideas what that “killer app” for MPC is, I’d be very happy to hear about them. Yes? >>: So I’m curious… How did you compute the cost of those secure communications? >> David Evans: How did I make up my numbers for my slide? >>: Yeah. [laughter] >> David Evans: So, it’s pretty hard to get accurate numbers. That’s why the line is really thick and fuzzy. I did my best to look at the—sort of—try to figure out the cost per gate and the number of gates and scale that and then looked at the cost of computing on EC2 as sort of scaling the cost of computing.
There’s certainly… I wouldn’t place a lot of faith in the actual numbers that I came up with, whether it’s a tenth of a cent or… actually the more recent ones are probably more accurate, ‘cause we do have more—I guess—closer to benchmarks that match what I’m doing. But whether it’s a hundred billion dollars or—you know—fifty billion dollars to do the active security version, I wouldn’t have a lot of confidence in… but it’s definitely—y’know—orders of tens of billions, not—you know—few millions. Yeah? >>: Sometimes windmills generate electricity when nobody’s there to use it. Could you have batch processing for MPC to be used when the windmills would otherwise have to be shut down? >> David Evans: So the question… yeah… If the problem is energy cost, can we take advantage of things like batch processing and off-line processing to do things when energy is cheaper? We could… there’s probably lots of other things people—there’s always something people can do with that energy—so if there’s nothing more useful that people can do with it, then do an MPC… maybe that’s what it can be used for. But I… so maybe—y’know— if you can do all that instead of worrying about a factor of ten thousand more expensive, it turns out to be more like a thousand, but I think it’s still pretty hard… and most of the interesting applications do seem to have some part that latency is important for. So, if you can do everything else off-line, that part that latency is important for is still a factor of a thousand or ten thousand more expensive. Yes? >>: It’s already done with dynamic energy pricing, right? So your windmill will be connected and the pricing might be cheaper. So you can do… >> David Evans: And computing the spot prices on EC2, probably on Escher.
>>: Also—you know—your ten thousand eggs, I mean probably reflects the real thing, but the application that you’ll be running is not sensitive—you know—most of it will be… really, ninety-nine point something percent will be not privacy sensitive. So, if you have a small thing like—you know— uh… contacts or payment transaction, that’s a small thing, really, to speak of. >> David Evans: Yeah, that’s a very good point, and I think part of the difficulty in building sort of real applications that use MPC is to figure out how to connect the small part of our computation that really needs to be done securely with all the things that don’t need to be done securely and balance that cost. So I think if it is the case that the actual part that needs to be secure is—y’know—a tenth of a percent of the total cost of your computation, and you increase that cost by a factor of a thousand then maybe it’s only doubling the total cost and that’s okay… or it could be an even smaller fraction. [pause] No one has the killer application to tell me? >>: The thing is… I have a new application I’ve been writing for myself. And it’s like a business thing, so… >> David Evans: Oh, we’re all friends here. It’s okay. [laughter] You can tell me after though, if you’re holding it out on us. Yeah? >>: What do you think about the complexity of development? It’s… there’s a lot of these protocols are very complicated… >> David Evans: Yes. >>: Do you see that as a barrier? Do you see that as well as lots of software that it’s not an issue? What’s your… >> David Evans: It’s certainly an issue so I think having libraries like scafee and that, well that Sammy’s going to talk about later today may be part of that. Part of it—you know—software development is expensive. The problem with developing an MPC is, it’s not—y’know—it’s not normal software development.
You need expertise in cryptography, and there’s a big risk of… if you get some little thing wrong, you’ve lost all these security properties you’re trying to get. This is true for all cryptographic software development: that it is much harder than—you know—regular software development’s hard enough, but now you’ve got to implement crypto correctly, it gets much harder. And then the issues with… maybe the costs will be low enough that you don’t have to worry about doing the kinds of low-level optimizations that you need to get an MPC to be reasonably efficient today… so that will reduce the cost a lot or maybe more of that can be automated. But I think it’s that… I think, at least for this deployment question, a lot of it is if you can separate your application in a way that only a small part of it needs to be done as an MPC, and the rest of it can be done by your—y’know—lowly paid regular software engineers, and they won’t mess up the security properties that you’re trying to get from the part that you’re doing securely. But I think that’s still a hard problem. Yeah? >>: So, with protocols like TLS and SSH, these are ways that crypto gets into the mainstream, but sometimes they get in the mainstream, and they lose like the provable guarantees, and then cryptographers have to follow along afterwards and try to prove the security of these bizarre protocols. Do you worry about that for MPC? Or how can we avoid that? >> David Evans: Yeah, so where security tends to get broken the rule is not the mathematics of the protocols and encryption systems. It’s in flaws in implementation or someone gets a key logger installed on their machine and everything they type gets recorded. It doesn’t matter how secure everything after that is. And I think this is definitely an issue for MPC that—at least lots of these applications, you end up with a client program that an end user types their sensitive data into and is trusting to execute this protocol correctly. 
And as—sort of—researchers in crypto we think of trust as—well you’re not trusting… the fact that you don’t have to trust the other person’s client means you’ve achieved your threat model goal, and you—of course—can trust all the code that you run yourself, because you wrote it yourself or… [laughter] >>: [indiscernible] >> David Evans: Right, and it doesn’t use any underlying libraries or run on any untrusted machine or anything else. But I think for, at least—you know—many of the apps people talk about for secure computation, the big risk to their data is not in the execution of the MPC, it’s in all of the things that happen around that. And I think it—sort of—maybe one of the reasons that it doesn’t make sense to deploy this widely yet is if you can’t solve those problems, increasing the cost of the part of the company that’s probably not gonna get broken in the first place, by a factor of a thousand, is not the best place to put your resources. But if you remember that the line that I have of the—sort of—drop of the malware industry, I’m actually quite optimistic that some of those things will actually get better. Yeah? >>: So, you mentioned that you think the killer app for MPC should be something not adding privacy to something you can already do, but something new that you’re not doing. So, I like this concept, but it’s hard for me to imagine MPC doing this, because whatever I think MPC can do—we can also always do it unsecurely, right? So it seems like privacy will always be the motivation for using MPC… >> David Evans: So, I’ll mention one example that Yehuda’s working on is: if you’re running a service where you’ve got to maintain lots of accounts and you’ve got users and passwords or you’re acting as a proxy for somebody and you’ve got to manage a bunch of keys, what you would like to do so you don’t become the next… actually I won’t pick a particular… we’ve all heard of companies that have had their encrypted password file exposed, and that is a big risk. 
And so what you want to do is store that file on two machines that are very separate, in different jurisdictions, running different operating systems, running different stacks of everything that you can make different, and use an MPC between those two machines to validate a login. So you’re not having any one machine that if someone compromises it they get your password database. So that’s, I think, an example where you’re providing some important security property using MPC, but it’s not privacy for end-users in the way we usually think about privacy. >>: Okay… when you’re saying privacy, this was for end-users you were thinking, right? >> David Evans: Right, and this is privacy in the sense that the organization that wants to split up its passwords in this way started knowing all the data. So there’s no enhanced privacy by using MPC, it’s enhanced protection. Now if you believe my claim that the malware industry is going to become unnecessary, then maybe that is not necessary anymore, but it certainly would be valuable to do for the foreseeable future. >>: I think the issue’s also it’s… there’s a slightly different mindset here in that we always think about secure communication as being two different parties with different data who want to cooperate and here we’re talking about a single party who just can’t trust the network. So, actually there’s a different mindset there as well. >> David Evans: Alright, yeah. It’s not Alice and Bob. >>: No. >> David Evans: Yeah? >>: I was going to comment on the same topic because one problem that we have nowadays that systems are broken because usually they are… people can break an encryption but today will compromise the machine and we all have a lot of computing devices these days. We have, like, one or two cellphones and a laptop, and so on, and this is an area where you can think of one person trying to add more resilience to—you know—their computing network. 
>> David Evans: Yeah, so you would like your three devices that you’re carrying around all day to do an MPC for when you want to read your e-mail or… >>: …honest party that will be compromised only if all the sub-parties are… >> David Evans: So, if someone steals your phone, it’s not near your other devices, there’s nothing that can be exposed to… >>: Unless you are stealing… >> David Evans: I think that’s an interesting application. I hadn’t thought of it too much whether MPC is really necessary for that or… but I think that if you want to take it to the extent that there is never any key on the device that could be exposed, then MPC probably is necessary for it. >>: …I think an application like what you’re saying, using MPC as an authentication mechanism. Here are your three devices, and they’ve been combined to act as a passcode map, so the password is almost never or never exposed in any one place, as an example of how that works. >> David Evans: And you’re using that to authenticate yourself with some other system. >>: Right. >> David Evans: And by proving you have those three devices, that gives them a lot of confidence. Yeah. >>: And then you store the passwords and share your key. >> David Evans: You’d be entering a password into two of the devices as part of that process. >>: Yeah. >> David Evans: Yes? >>: If you compare MPC with public key, in the ‘70s the U.S. Navy did not use public key in the Walker spy ring and had its liberal toast for breakfast. Is there any equivalent to not using MPC right now and bad things happening? >> David Evans: So, I think the military was still hand distributing keys at least… they may still be, but at least as of five years ago, I knew that they were. They had—you know—people whose job it was to carry—you know—a key out to someone else. I don’t know if that’s changed in the last five years. 
So the question: is there something like that with MPC, where you can say people are doing things in a very expensive, time-consuming, unsatisfying way because they’re not using MPC? Did you have an idea? >>: No. [laughter] >>: Dating in bars. >> David Evans: Sorry… what? >>: Dating in the bars. >> David Evans: Oh, yeah, the Genetic Dating, well… >>: [indiscernible] >> David Evans: Yeah, okay, we have our killer application, but, yeah, I’m not sure that fits. >>: So, when you read the history of MPC, you google MPC… but then most of the other things you said were about two-party computations, so clearly you think the example of… no, never mind, [laughter] so… so… >> David Evans: I think the batch processing is enough there without worrying about the multiparty issues. >>: So, when you look at the performance [indiscernible] Very well, we will assume the modest majority when we have settings automatically. So, the killer application will be a two-party computation. And multiparty computation…? >> David Evans: Yeah, I think that that’s a good point but, and I didn’t try to get—you know—more than two parties onto my cost estimate ‘cause I really don’t think it’s even possible to figure out what the cost of a… there are some implementations of three party but very little that has been done beyond that. So, I think a lot of the interesting applications are things like, maybe auctions in voting that people talk about that do require scaling to millions of parties and are usually done instead by having, sort of a small number like the bead [?] auction where all the parties give their data to someone they trust, and then… >>: Right, right. But that could be the same with the example of the keys, right? 
Sharing the keys among your machines… >> David Evans: Right, if you have more than… so that’s probably still a small number scaling to—you know—twenty machines but… and the things that involve—sort of—social networks and extending to every individual involved in some large computation. I think those are still… there, there’s definitely—you know—the costs are many, many orders of magnitude beyond what would make that successful. So, I think there are some big theoretical breakthroughs needed before we can really think about making that practical… but there definitely are killer applications that would be enabled by having millions of people, millions of parties in MPC. Yeah? >>: I think that the good things about MPC is that sometimes having a lot of parties helps you instead of being a risk or being a bad thing, because when you have a large number of parties then the cost for each party’s going to break down to not a lot of parties. And if you can design a scalable algorithm the cost is something like, the shape of the cost is decreasing with the number of parties. And it’s really, maybe, helpful because—for example—you cannot have MPC for maybe four people, but you may have MPC for two to the hundred people or two to the—I don’t know—fifteen people because then each person do a little work to… >> David Evans: So I think if they’re… and the things that you’re working on are maybe a good step in that direction. I think that the more traditional MPC protocols don’t scale like that, that the work—the total work—is scaling exponentially or… >>: Oh, no, that’s not true, that’s not true. >> David Evans: That’s not true? Then what’s the total work? >>: [indiscernible] all this work is scalable. [indiscernible] >> David Evans: And counting the off-line work as well? >>: Yeah, yeah… oh. Well, the majority. >> David Evans: Okay, so there may be cases… and the other thing I would say that argues in favor of more parties is this question of what the output reveals. 
If you’ve got two parties and one party is malicious and they’re able to control their data they can probably come up with inputs that are going to reveal what they want about the other party’s data. If you’ve got many parties involved in a conversation and you’re revealing an output that’s an aggregate of all those parties you’re much safer as any individual participating in it that your personal data won’t be leaked in the output. So, I think there are definitely some big advantages of increasing the number of parties. >>: All of that said, that’s potentially an argument for security by obscurity [laughter]. >> David Evans: Not really. So, it’s the question of what you can infer from the output. So, you’re going to have information theoretic, strong claims that what you can infer if it’s a two party, one party can infer everything about the other party’s data from the input. If it’s the three party and there’s no collusion, then one party might be able to infer something but not know which of the two parties is the one that has that weak mark in their data. So, I think there are pretty strong claims you can make about… as long as you have a strong assumption about non-collusion, which is hard in the real world, you can make some much stronger claims about what gets leaked. I guess it’s both non-collusion and not having any outside information that you can use to infer more than you can get from just the output. Yeah? >>: So maybe this is a little… it’s related to a previous question, but do you think when you want to move to many parties, there will be some considerably different constraints between the cases of two to three parties and many parties? For example, with interactions do… >> David Evans: Yeah, so definitely if your application is a social network, where you’re sharing data and doing computation at all data from all the participants, you wouldn’t want to require that everyone in the network is available on-line during that computation. 
So, I think there are interesting questions about—you know—whether delegation is an answer, or being able to do things off-line and asynchronously. I don’t know much about the work that’s being done on that, but I think probably quite different protocols are going to be needed for some of these scenarios. >>: I believe it’s better to design asynchronous. Sorry I’m a bad talk to speak English. [indiscernible] I believe it’s better to design asynchronous [indiscernible], because you cannot want everybody be online, but in some applications, you can offer to wait for result. For example, you can offer to wait for—I don’t know—one day for your payment to be checked in. Still in banking system, you can wait for some hours or one day for your payment to be approved by the bank system. So can wait for the application and make sure that everybody is going to be online during some period of that time. >> David Evans: I think people accept waiting for banking transactions to be slow just because that’s always been the way they are, but we shouldn’t accept them being slow so they should happen very quickly. >>: These would happen very fast but… [indiscernible] >> David Evans: That’s aside to your comment. There are things where, yeah, latency and things that are important and there’s things you could do in off-line… absolutely. >>: You can assume there are applications that people is waiting for them, now, today and they are used to it, so, you can have an application that waiting is really… acceptable. >> David Evans: If you’re trying to do something with the social network with millions of participants and you’ve got to wait until everyone does some on-line interaction, you may be never getting a result. >>: Not really, but for example, a good partition of them, for example… >> David Evans: Right, so that’s two thirds of people, yeah… I think that makes sense. Yeah? 
>>: You need some application that would help Bitcoin verification, because… >> David Evans: So, do you need MPC to help Bitcoin verification? >>: Of course. >> David Evans: Because it’s a public ledger, there’s no… >>: You can’t break in and steal your keys, how are you protecting your keys? What’s… >> David Evans: Oh, I see, so, not the verification of the block chain but protecting your own Bitcoin wallet. I think that makes sense. >>: It does make sense, but the Bitcoin community doesn’t want to touch it just yet. >>: [indiscernible] >> David Evans: Yeah, it is a crypto-heavy community. So, yeah, it’s worth thinking about. I’m not sure if the killer… I guess Bitcoin has to become a killer app before something that aids Bitcoin itself could be [laughter] a killer app, but it’s not clear to me whether Bitcoin is on that path or not. >>: Are you planning to write a book on multiparty computations for toddlers? >> David Evans: Ah, so, what’s the sequel to Dori-Mic and the Universal Machine? I have not figured out a sequel yet. I think… I was thinking quantum computation would probably be the next one, maybe multiparty would be the third but, at least, maybe she’ll be old enough by then that I’ll be able to use more challenging concepts in the book. We’ll see, I don’t have an idea. If someone has an idea I can help you find a good illustrator. >>: Dori and her friends want to find out who has the most toys, [laughter] without revealing how many toys they have? [laughter] >> David Evans: They just want to steal each other’s toys, so, yeah… >> Seny Kamara: So, let’s thank David. [applause]