Data has become a far more valuable resource for businesses in recent years. It facilitates swift decision-making for firms, increasing their chances of success. However, businesses also have to contend with an ever-growing array of data risk issues. Hence, there are several measures taken to ensure data protection.
The ever-evolving exploration of technology has paved the way for more data theft by bad actors. On the other hand, it has also provided more exposure for developers to create solutions to counter the actions of these bad actors, hence giving organizations a range of options to utilize in protecting their consumers’ data. A class of these solutions tending to the protection of users’ privacy is referred to as “privacy-enhancing technologies”.
What are Privacy-Enhancing Technologies?
Privacy-enhancing technologies (PETs) are technologies and approaches that allow data to remain private even while it is being computed, hence preserving sensitive data. They maximize data security by helping minimize the use of personal data (personally identifiable information, PII), thereby giving people more control over their data.
These technologies or solutions may be software or hardware components and they encompass all technologies that serve as the fundamental building blocks of data security and privacy.
The main goals of PETs:
Some PETs aim to allow users to choose which personal information to share with third parties like online service providers. It’s no secret that these online service providers collect users' data and utilize them for several activities, including selling them.
Some PETs are aimed at giving users anonymity such that their data is being shared and utilized online but they are kept private because they use anonymous or pseudonymous credentials.
Some PETs employ cryptographic methods to ensure that users' data are kept private even while they are being processed. This piece will focus on this category of PETs.
Data can be kept private through various means such as encryption, pseudonymization, obfuscation or masking, opaqueness, and inaccessibility.
As the world changes and adopts big tech, there is a rapid acceptance of the huge potential of technologies in solving many problems in various industries. Before now, sharing personal data with online service providers seemed like the only way to go about becoming a member of this “global village”. However, now we know better. Now we know that these providers are not looking out for us. Now we know that our data is not safe and is at risk of being stolen.
The emergence of privacy-enhancing technologies can be regarded as a much-needed breakthrough in the aspect of data security. The next section of this article extensively explains some privacy-enhancing technologies (PETs) that are based on cryptography. You’ll also see examples of blockchains, blockchain-based applications, or protocols that use some of these PET solutions.
Types of Privacy-Enhancing Technologies (PETs): Cryptographic Techniques
Homomorphic Encryption:
Typically, encrypted data can only be worked on after it has been decrypted. Say Alice wants to send Bob some information that she doesn’t want any other eye peeking into, she sends it as an encrypted file, Bob can only access the file after he has decrypted it…or so we thought. With homomorphic encryption, this file can be accessed and worked on even while it is still encrypted. This concept is known as homomorphic encryption and it has been around for over three decades.
Homomorphic encryption is an encryption technique that makes it possible to compute with encrypted data. The result obtained after computational operations have been carried out is usually encrypted but can be decrypted thereafter. This is an interesting model of how two parties can work together on a single piece of data because it prevents disclosure of private information to peeking pairs of “online eyes” that might be on the lookout for an opportunity to steal or hack data.
With homomorphic encryption, Alice can send Bob that piece of information in an encrypted file, Bob can compute with it while encrypted and even send it back to Alice still encrypted. This way, they’ve avoided the risk of exposing the data to any hacker who might have been watching online. There are three types of homomorphic encryption namely: Fully Homomorphic Encryption (FHE), Partial Homomorphic Encryption (PHE), and Somewhat Homomorphic Encryption (SHE).
One downside of homomorphic encryption is that it requires high and multiple computations (i.e., it is compute-intensive).
Zero-Knowledge Proofs (ZKPs):
If you’ve been following through with CodeTavern, you should be familiar with zero-knowledge proofs by now. If you wish to learn more, check out this piece that expansively discusses ZKPs. Zero-knowledge tech is a cryptographic mechanism by which transactions are validated on the blockchain and it involves two parties, the prover who proves the truth of a statement, and the verifier who checks to validate the authenticity of the statement.
The prover, in a bid not to reveal the content of the transactions, provides the verifier with nothing but a cryptographic proof which is a summarized piece of the transactions and a computation that proves his knowledge of the secret. The verifier then throws a challenge to the prover to ascertain that he indeed knows the secret (Interactive ZKPs). Only when the verifier is convinced does he validate the transactions and send them to the blockchain.
Zero-knowledge proofs are employed in different industries today. They have found wide usage in the web3 industry, particularly, in blockchain projects. Some ZKP blockchain-specific solutions are zk Rollups, zk DEXs, privacy coins, and more.
Examples of blockchain networks that utilize zero knowledge are Aleph Zero, Polygon zkEVM, Linea, zkSync Era, Taiko, Mina Protocol, Scroll, Loopring, StarkNet, etc.
Secure Multi-Party Computation (sMPC):
This is a cryptographic technique that allows multiple parties (each with encrypted data) to work together on joint computational tasks without any of the parties revealing private data to one another. This is particularly effective in cases that involve more than two parties computing values from multiple encrypted data sources. Each party shares inputs but doesn’t reveal their secret data; these inputs are used during computations to obtain results.
This technique has found use cases in areas like e-voting, machine learning, private auctions, medical research, data analysis, blockchain, genetic testing, etc. The combination of the distributed processing and encryption of sMPC can significantly impact data security and privacy. In summary, sMPC technology allows networks and protocols to protect "secrets" by breaking them into several parts, making it impossible for anyone to know the underlying "truth."
Examples of blockchain infrastructures and other distributed ledger technologies (DLTs) that utilize sMPC are Qredo Network, Partisia Blockchain, Aleph Zero, Nillion Network, Secret Network, Continuum DAO, IOTA MPC, Hedera, Oasis Network, etc.
Blockchains like Aleph Zero utilize both ZKPs and sMPC to improve privacy. Learn more about Liminal (Aleph Zero’s privacy-enhancing layer utilizing both ZKPs and sMPC) here.
Verifiable Credentials (VCs):
Verifiable Credentials (VCs) are cryptographically (digital) signed signatures made by an issuer to a verifier about a holder. Here’s how it works. VCs involve three parties: the issuer, the holder, and the verifier.
Say, I wish to work for a company and I claim to possess a certain certificate necessary for the role I’m applying for. This role requires me to share the certificate in question with the company but I don’t want to explicitly share this certificate because I don’t want my personal data exposed (I’m not a fugitive I promise). Instead, I go back to the university that issued me the certificate and ask for a VC (which is a cryptographically signed statement) asserting that I indeed possess the certificate in reference. The VC could state “Julia has a certificate from the University of Michigan” with a valid digital signature from the university without my personal information on it. With the VC, I can go back to the company and prove to them that the claim I made was indeed the truth. The university, in this case, is the issuer; I am the holder about whom the claim is being made; and the company I’m applying to is the verifier because they will need to verify that the VC is valid.
Source: Lastrust
Verifiable Credentials are useful in verifying truths about claims without disclosing private information about the individuals. They are mostly used in digital identity management. In an article published in 2021, Garner - a company focused on delivering actionable and objective insights to businesses, predicts that by 2024, a “truly global, portable, decentralized identity standard will emerge in the market to address business, personal, social, and societal, and identity-invisible use cases.” An example of such a standard is VCs.
Examples of blockchain-based projects that use VCs are Civic, Sovrin, etc.
Differential Privacy:
This is yet another cryptographic mechanism for enhancing privacy that requires the intended inclusion of a statistical “noise” layer to the dataset before computations are carried out. The essence of this “noise” is to mask certain private data or personal information of individuals in the set but it is not large enough to affect the results produced. The results produced can’t reveal the particular information used in computing them.
This technique is mainly utilized in mathematics, data analysis, and statistics. Although differential privacy can find good use in blockchains to protect the privacy of data stored in them, however, based on research, there is no standard record of any blockchain that currently utilizes differential privacy. On the other hand, experts and researchers have proposed a futuristic technique to incorporate differential privacy into blockchain layers.
Enhanced Privacy ID (EPID):
Like VCs, Enhanced Privacy ID (EPID) is a digital signature mechanism. Unlike conventional digital techniques where every party has a unique public key for verifying transactions and a unique private key for signing & approving transactions; in EPID, each party still has a unique private signature key but one common public verification key linked to all the private keys in the system. EPID also involves three parties: the issuer, the member, and the verifier.
For instance, in an organization of 20 employees. Each employee is given an EPID private signing key which verifies their status as an employee of the organization, cryptographically, without disclosing their "real name" identity. Meaning, there are 20 private keys. However, there is a single EPID public key common to all the employees of the organization. This public key can be used externally to verify these employees’ identities and the authenticity of their signatures (say, to know if they’re telling the truth about their employment status) without disclosing their personal information.
The issuer in this instance is the organization issuing out private keys. The member(s) is an employee(s). The verifier is the entity verifying the authenticity of a signature supposedly made by the organization.
EPID allows hardware devices to be remotely authenticated while maintaining their privacy, i.e., a device wouldn't have to reveal its identity to an outside party to demonstrate to them what kind of device it is. EPID is also used to provide anonymous and untraceable signatures. Even issuers of the private keys are not made aware of the content.
Intel Corporation introduced EPID in 2008 as its recommended algorithm for attestation of a trusted system and has since incorporated the scheme into its products.
Format-Preserving Encryption (FPE):
Format-Preserving Encryption is a type of PET solution that allows data to be encrypted while retaining its original format. This means turning plain texts into ciphertext (encrypted information that preserves the format of the underlying information) which cannot be understood without deciphering.
FPE differs from homomorphic encryption in that the former allows data to be encrypted whilst maintaining its original format; the latter is designed to allow computations on encrypted data.
Blinding:
This is a PET solution that involves concealing sensitive data from third parties while still allowing them to compute on it. The sensitive data is hidden by multiplying it with a random number, then the output is divided by the same random number. Blinding is used in blinding signatures where a signer digitally signs a message without learning of the content of that message.
Ring Signatures:
One kind of privacy-enhancing technology (PET) that can be used to safeguard data privacy is ring signatures. They are a type of digital signature based on cryptography that enables many users to sign a message.
The way ring signatures operate is by forming a group of users known as a ring, each of whom has a public key. So when a ring signature is used in signing a transaction, it will give the impression that several users have joined forces to form a ring and are carrying out a transaction together. But out of the transaction, nobody will be able to identify the real signer. To put it simply, numerous users will sign a single transaction instead of just one, just as opening a joint account at a bank would require multiple signatures from different individuals.
Ring signatures were introduced back in 2001, making them one of the earliest cryptographic solutions to be made, and they are still effective to date. They can be applied in e-voting systems and also in identity management applications.
An example of a blockchain that uses ring signatures is Monero. Monero utilizes ring signatures as one of its transaction-privacy techniques. Dash and Ethereum also use ring signatures to protect users’ privacy. An upgraded version of ring signatures is “linkable ring signatures.”
Conclusion
Data privacy is not just a trend or the “shiny new toy” that everyone is trying to play around it. Several solutions to protect users’ data privacy have been in existence long before now. What we’re experiencing is an evolution or rather an upgrade to previously used techniques and also their applications in blockchain. In the second part of this article, we’ll discuss other privacy-enhancing technologies (PETs) that are non-cryptographic.
Comments