Multi-Party Fully Homomorphic Encryption as a Privacy-Preserving Framework for Naming Abusers

Introduction

Multi-party homomorphic encryption (MP-FHE) can be especially useful in applications for building collective power. It can be particularly useful for situations where expressing a viewpoint as a single person can result in risk, consequence, or retaliation, whereas the same viewpoint expressed by multiple people can create safety in numbers. Some examples of these kinds of situations include labor union organizing, whistleblowing, and reporting abuse. 

Given the framework of MP-FHE, it becomes possible to send encrypted information that stays private until some threshold of parties is reached before information is revealed. This can make it possible for multiple people to report the same bad actor, while maintaining privacy until sufficient social support can be attained. 

More than 1 in 3 women experience “rape, physical violence, or stalking by an intimate partner in their lifetime.” In cases of reporting abuse or intimate partner violence, survivors often have to balance many risks, including: possible retaliation or escalation of harm from the abuser, risks to physical and emotional safety, social stigma, trauma of being victim-blamed, invalidated, or not being believed, and more. The vast majority of sexual assault (70%) and domestic violence cases (95%) are never reported to an authority. In the case of campus assaults, “over 90% of cases are committed by repeat offenders, who offend an average [of] 6 times before they graduate. Despite the overwhelming statistics, less than 10% of student survivors report their assault.” 

Related Work

Callisto Vault is a project with similar aims that started in 2018 and uses a cryptographic approach for identifying repeat abusers. Their approach combines a few cryptographic components, namely: Shamir’s Secret Sharing, oblivious pseudo-random functions, symmetric encryption, and public key encryption. 

Emerging cryptographic techniques that have since become more computationally feasible and usable in recent years could be used for an even more robust system for identifying and matching privacy-preserving abuse reports, in particular, with the use of MP-FHE and zero-knowledge (ZK) email verification. 

Design 

A sample flow for a cryptographic system using MP-FHE and ZK-email:

  1. Person uses a privacy-preserving verification tool such as ZK-email to verify that they are a member of an institution, e.g. a university. 

  2. Person can submit a unique identifier of the perpetrator, such as through a university directory, so that matches can be made with precision. Having a directory with unique identifiers makes matching significantly more efficient, turning a potentially open problem to a discrete integer equivalence check. 

    • There may be an additional step to verify that the person submitting the identifier is not a malicious perpetrator themself, i.e. to reveal information of other survivors. 

  3. Using MP-FHE, the system can match when multiple people have reported the same perpetrator. 

    • Encrypted identifiers of those who have been reported are stored in the server. The encrypted identifier of the submitter is also stored. The encrypted reported identifier is mapped to a collection of encrypted submitter identifiers. 

    • When a new reporter submits the identifier of someone who has already been reported, the server checks for a match within the existing list of reports. If there is a match, the new submitter is added to the encrypted collection of reporters. 

  4. The system notifies existing reporters that there is a new match, and offers options for potential next steps. 

    • There can be various next steps after matching occurs. e.g. survivors can opt-in to being contacted by other survivors and make a collective decision for next steps. Additionally, survivors may have the option to specify what threshold of other reports is met before their contact information is shared.

Technical Stack

  • ZK-Email for privacy-preserving identity verification 

  • Phantom Zone: MP-FHE library, able to perform integer equivalence 

    • haunted: boilerplate and backend for Phantom Zone. 

  • lattigo: lattice-based multiparty homomorphic encryption library in Go

  • Both Phantom Zone and lattigo use Ring-Learning-With-Errors (RLWE) 

Additional Resources

  • mpz: multi-party computation libraries written in Rust, from PSE

  • awesome-mpc: compilation of libraries and tools for secure multi-party computation

  • awesome-fhe: compilation of libraries and tools for fully homomorphic encryption (not necessarily multi-party)

Considerations

A system like this may be limited in scope for now given the process of identify verification, e.g. survivors may only be able to name perpetrators who exist within the institution’s directory, and may need to verify their institutional email. At least with a tool such as ZK-email, this initial verification step can still be privacy-preserving. 

A malicious actor could potentially have another person submit their name in order to reveal matches. Currently, the way Callisto handles this is by involving an extra step where a lawyer, with client-attorney privileges, can verify cases independently before proceeding. While this extra step is certainly not error-proof, it does add additional layers of friction for a malicious actor to proceed. 

Further Applications

Similar systems can be built for applications in labor organizing (unionizing, pay transparency) and whistleblowing. Secure multi-party computation (MPC) can also be an extremely useful tool for strike pledges and commitments for labor organizing. 

MP-FHE can also be used in service of vulnerable communities in calculating statistics and performing data analysis on private data. This can be especially useful for communities where privacy protections have a significant impact on risk and safety, such as for undocumented populations, sex workers, those seeking gender-affirming care, and people seeking abortions. An MP-FHE data analysis library can make it possible to conduct research for improving the safety and well-being of already vulnerable communities.