In the broadest definition of the technology industry, orthodoxy demands we name our initiatives in one of two ways:
- Overly Specific / Shock and Awe (think Generative Artificial intelligence - something that is neither truly generative nor truly intelligent… yet).
- Far too vague (think Smart Contracts - a sophisticated computer-enforced contract that executes itself is massively undersold as simply… “smart”)
Within the data economy, an aggregation of complex cryptographic concepts have been lumped together into a catchy acronym that follows the blueprint of the latter: PETs, or Privacy Enhancing Technologies. Complexity is generally speaking the enemy of comprehension - but often, when we oversimplify and overgeneralize we often limit “the democracy of thought” to only the players on the field - and not the viewers in the stands. Today, let’s cover two of the most important PETs - where they came from and the problems they do and don’t solve - and how they do and don’t work together:
- Multi-Party Computation (MPC) is a cryptographic technique that allows multiple parties to compute data with no single party having access to the raw data. Like many similar technologies, the origin far predates modern computing, the blockchain and data-driven advertising by a few decades at least. For example, three parties can compute the sum of three different secret user values (think total viewership across 3 television networks) without disclosing their individual numbers. As much as privacy and data security, the big winner is the ability to collaborate between frenemies - a win worth celebrating to be sure. MPC has become (or is becoming) table stakes for the Clean Room extended universe (of which we at Caden are very much a part), so much so that collaboration on encrypted data has become the sole and primary theme of our industry’s preeminent conference. Unfortunately, the biggest winners, as always, will be cloud and infrastructure providers - simply put, running computations on encrypted data is intensive and expensive.
- For the cryptography geeks: Andrew Yao’s 1982 “Millionaire Problem” proof/parable [Two millionaires want to know who’s richer without revealing their actual wealth - perhaps not the most relatable example but an apt one] was far ahead of its time and the protocols built on top of it, particularly Private Set Intersections, form the basis of modern industry standards like the IAB’s OPJA spec.
- Zero-knowledge proof (ZKP) is a cryptographic technique that allows one party to prove to another party that they know (or have access to) some secret information without revealing the information itself. Unsurprisingly, this is a cornerstone of the blockchain albeit an independently powerful one. The use cases of ZKP range from intuitive consumer-facing applications (for example, applying for a loan without providing your actual credit score or verifying that your vote has been counted in an election) to the novel and niche (imagine verifying cookie consent opt-outs). To understand where the proof applies to the consumer data ecosystem requires a bit of understanding of the pillars within the name itself:
- The “P” itself deals with the ability and reliability of the transaction in which a verifying party is “convinced”. In a very real way, this means that the ZKP needs to be able to provide complete enough information (without revealing the data being protected) to enable appropriate levels of computational confidence. Even more so, the system needs to be architected in such a way that the possibility of a false validation (Let’s call this the “con man”) is near zero. For us at Caden, Zero Trust is a foundational principle - why incentivize compliance when you can eliminate the ability not to comply?
- The “ZK” for our purposes is the central theme and the one that has both the most historical use and in my opinion - the most potential.
- Zero Knowledge is best portrayed in an adapted fable come mathematical hypothesis called Alibaba’s Cave (“adapted” is a stretch here as the concept goes far beyond eavesdropping on the password “Open Sesame”).
- In this version of the story, two compatriots encounter a ring-shaped cave with a magic door at the other end, a magic door that is activated by a password one of the two claims to know, but refuses to share.
- Our less informed character wants proof that his traveling companion does in fact know this magic password - and devises an experiment to do so.
- In a simplified sense, the parameters of this experiment limit the realm of possibility such that (over time) it would be impossible for the 2nd companion to have returned at all if they did not in fact know this password.
- Zero Knowledge Proof is central to the infrastructure of cryptocurrency - from smart contracts on the Ethereum network to the treatment of transactions in any blockchain network. Much of the internal contradiction of crypto (complete transparency and complete anonymity coexisting in real time) - is solved by ZKP.
Math problems and obtuse parables aside, what does Zero Trust mean? Why do we need it if we can already collaborate and calculate on encrypted data? The answer lies in a torrential downpour of examples of broken consumer trust when it comes to security, privacy, informed consent, and compliance. The opportunity for a population that has been fooled (more than once) is finally getting rid of the key we hide under the doormat or the flowerpot by the front door.
We would purport that the surface has only been scratched (for MPC and ZKP) with clean rooms and crypto transactions - already we see the world of credential and password management (unsurprisingly) not only incorporating but branding these Zero Trust platforms. Next week, we’ll examine some of the novel use cases we see that are closer to us as consumers - including the one we’ve built into our app and data platform today - a zero-trust view of verifying consent. We believe you’re in the cockpit of your own journey of informed consent, and you shouldn’t have to trust us to get flying.