Patent classifications
H04L2209/46
Method for preventing misuse of a cryptographic key
Preventing misuse of a cryptographic key by receiving a request to carry out a cryptographic operation using a cryptographic key from a requesting entity, distributing the request to a quorum comprising multiple computerized devices, receiving a decision from the multiple computerized devices on whether or not the cryptographic operation using the cryptographic key is allowed, and carrying out the cryptographic operation using the cryptographic key according to the decision from the multiple computerized devices.
Robust input verification for secure multi-party computation (MPC) with clients
In one set of embodiments, each server executing a secure multi-party computation (MPC) protocol can receive shares of inputs to the MPC protocol from a plurality of clients, where each input is private to each client and where each share is generated from its corresponding input using a threshold secret sharing scheme. Each server can then verify whether the shares of the plurality of inputs are valid/invalid and, for each invalid share, determine whether a client that submitted the invalid share or a server that holds the invalid share is corrupted. If the client that submitted the invalid share is corrupted, each server can ignore the input of that corrupted client during a computation phase of the MPC protocol. Alternatively, if the server that holds the invalid share is corrupted, each server can prevent that corrupted server from participating in the computation phase.
AUTHENTICATION SYSTEM USING SECURE MULTI-PARTY COMPUTATION
The invention is directed to a system that enables an authentication process that involves secure multi-party computation. The authentication process can be performed between a user device operated by a user and an access device. The user device and the access device may conduct the authentication process such that enrollment information and authentication information input by the user is not transmitted between the devices. Instead, the user device may determine and utilize obfuscated values associated with the authentication information. The user device may also determine an obfuscated authentication function that can be utilized to determine an authentication result without revealing enrollment information and authentication information associated with the user. The user can be authenticated based on the authentication result.
Agreement system, agreement apparatus, program, and recording medium
An agreement apparatus P(i) (where i=0, ..., n−1) which executes a consensus protocol generates an opinion value with a signature X_ij=(x_i, sig_i(x_i)) including an opinion value x_i indicating an opinion and a signature sig_i(x_i) on the opinion value x_i or information different from the opinion value with the signature X_ij as an opinion value with a signature X′_ij=(x′_ij, e′_ij) and outputs the opinion value with the signature X′_ij to an agreement apparatus P(j) (where j=0, ..., n−1, i≠j). The agreement apparatus P(j) accepts the opinion value with the signature X′_ij and outputs the opinion value with the signature X′_ij or information different from the opinion value with the signature X′_ij to an agreement apparatus P(m) (where m=0, ..., n−1, m≠i, m≠j) as an opinion value with a signature X″_ij.
Multi-touch attribution and control group creation using private commutative encrypted match service
Some implementations disclosed herein enable matching identifiers across multiple sources. This may involve adding a unique attribute (e.g., anonymous unique homomorphic identifiers) and/or using randomization to enable comparing data from multiple sources, while also maintaining data privacy. In one example, matches across multiple sources are identified, for example, identifying that there are 100 user identifiers that are in private data sets of three different sources. Such matching may be used to enable private, multi-touch attribution. In another example, techniques are used to determine that data maintained by one source is not also within other sources (e.g., identifying that there are 200 user identifiers that are in data from a first source but not in data from a second source and not in data from a third source). Such determinations may be used to generate control group data that does not match data from other sources.
Transferable multiparty computation
A method and apparatus are provided for secure multiparty computation. A set of first parties is selected from a plurality of first parties for computation. Inputs for computation associated with each party in the set of first parties are divided into shares to be sent to other parties in the set of first parties. The computation on the shares is performed by the set of first parties using multiparty computation functions. In response to a trigger event, shares of the set of first parties are transferred to a set of second parties selected from a plurality of second parties. The computation is completed by the set of second parties using the transferred shares. Finally, the transferred shares are recombined to reveal an output of the computation.
METHODS FOR PROTECTING PRIVACY
A method including at each of a number of client devices receiving a data item, receiving a public key from a second computing system, encrypting the data item using the public key to produce a singly encrypted data item, engaging in an oblivious pseudorandom function protocol with a first computing system using the singly encrypted data item to produce a seed, generating an encrypted secret share using a threshold secret sharing function under which the encrypted secret share cannot be decrypted until a threshold number of encrypted secret shares associated with the same singly encrypted data item are received, and transmitting the encrypted secret share to the first computing system and at the first computing system receiving a number of encrypted secret shares from the number of client devices, processing the number of encrypted secret shares to produce processed data, and transmitting the processed data to a second computing system.
SECURE RIGHT SHIFT COMPUTATION SYSTEM, SECURE DIVISION SYSTEM, METHODS THEREFOR, SECURE COMPUTATION APPARATUS, AND PROGRAM
The present invention implements high-speed right shift computation and division in secure computation. According to the present invention, a public value multiplication part calculates [a′]=[2^u a] from a distributed value [a] of a value “a.” A first conversion part converts [a′] into additive secret sharing. A right shift computation part calculates <s>_i=<a′>_i>>b+u. A second conversion part converts <s> into linear secret sharing. A first bit conversion part converts lower u bits of <a′>_i into {a′_i mod 2^u}. A quotient transfer part 16 obtains lower u bits of −Σ_(i<m){a′_i mod 2^u} as {q}. A second bit conversion part converts lower b+u bits of <a′>_i into {a′_iR}={a′_i mod 2^(b+u)}. An addition part calculates {z}=Σ_(i<m){a′_iR}+{q}, and obtains a bit sequence {z_Q} of a (b+u)-th bit and after of {z}. A third conversion part converts {q} and {z_Q} into linear secret sharing. An output computation part outputs [s]−[2^(l−(b+u)) q]+[z_Q] as [a>>b].
Multiple data source secure data processing
Multiple systems may determine neural-network output data and neural-network parameter data and may transmit the data therebetween to train and run the neural-network model to predict an event given input data. A data-provider system may perform a dot-product operation using encrypted data, and a secure-processing component may decrypt and process that data using an activation function to predict an event. Multiple secure-processing components may be used to perform a multiplication operation using homomorphic encrypted data.
SECURE DATA PROCESSING
A first component determines encrypted data representing an event and encrypted threshold data corresponding to an outlier of the event. The first system may process the data using, for example, one or more composite integers, and may send the result to a second system. This second system may subtract the data to determine if the encrypted data is greater than, less than, or equal to the encrypted threshold. If so, the second system may determine that the encrypted data corresponds to an outlier of the data. The second system may send an indication of this determination to a third system.