We have long known that encryption has some amazing properties. Those of us who don't think in terms of mathematical formulas often think of encryption as "putting a message in a secure vault, or a tamper-proof envelope, or some other such physical model". These analogies are useful, but they hide some of the magic powers of encryption. For example, it would be hard to see how we could prove to others that we know the contents of the "vault" without opening it for them and revealing at least some of the contents. Yet encryption does allow us to do this. These so-called zero-knowledge proofs of knowledge are at the core of many practical applications. There is much more magic that we haven't yet fully exploited.
NSTIC (the National Strategy for Trusted Identities in Cyberspace) views a digital identity as a set of encrypted attributes. An individual protects his or her privacy in transactions by proving statements (e.g. "I am eligible to vote in Maryland") about these attributes without disclosing the set of attributes itself. This functionality is sometimes called "selective disclosure", and its value in enhancing privacy is readily apparent. Are there other cryptographic techniques that can protect privacy in the digital era?
In a recent application, over a thousand Danish traders needed to compute the market-clearing price (the price per unit at which total supply equals total demand) of sugar beet. However, the traders were not willing to disclose their supply and demand curves. Instead, they provided their bids in encrypted form and were able to compute the clearing price without ever disclosing the actual bids.
It is believed that measuring household electricity consumption every 15 minutes or so would allow more efficient routing of power across the national grid. Some, however, point out that deploying such a system could lead to serious violations of consumer privacy. The fact that per-household readings are transmitted in encrypted form does not fully solve the problem, as decryption is needed in real time for optimal routing. Or is it? Actually, it would be sufficient to monitor the power consumption at, say, the neighborhood level. Cryptographers know how to aggregate across a set of meters without having to decrypt any individual meter's reading.
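One well-known way to get this property is additively homomorphic (Paillier) encryption, sketched here as an added example that is not part of the original page. The choice of scheme, the toy key size, the function names and the sample readings are all assumptions, and the sketch also assumes the key holder is only ever handed the aggregated ciphertext.

```python
import math
import secrets

# Toy Paillier parameters (assumption): two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                      # public key
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # private: lcm(p-1, q-1)
MU = pow(LAM, -1, N)           # private: valid because the generator is g = n + 1


def encrypt(reading_wh: int) -> int:
    """Meter side: encrypt one reading under the utility's public key N."""
    if not 0 <= reading_wh < N:
        raise ValueError("reading out of range")
    while True:
        r = secrets.randbelow(N)            # fresh randomness per ciphertext
        if r > 1 and math.gcd(r, N) == 1:
            break
    return (1 + reading_wh * N) % N2 * pow(r, N, N2) % N2


def aggregate(ciphertexts) -> int:
    """Aggregator side: holds no key. Multiplying ciphertexts adds the plaintexts."""
    total = 1
    for c in ciphertexts:
        total = total * c % N2
    return total


def decrypt(c: int) -> int:
    """Utility side: holds LAM and MU, and is given only the aggregate."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def neighborhood_total(readings) -> int:
    """Full flow for one 15-minute interval; returns the decrypted sum."""
    return decrypt(aggregate(encrypt(m) for m in readings))


# Constructed sample: watt-hours reported by five meters in one interval.
SAMPLE = [312, 87, 1450, 0, 640]

if __name__ == "__main__":
    print(neighborhood_total(SAMPLE))
```

The aggregator never needs the private values `LAM` and `MU`, so it learns nothing about individual readings; the utility learns only the neighborhood sum as long as it never receives the per-meter ciphertexts.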
Ostensibly, many other privacy-enhancing applications should follow from our ability to operate on encrypted data without decrypting it. Cryptographers need guidance regarding what processes and procedures can benefit from privacy-enhancing technologies. Technology consumers need a better understanding of the new functionalities of privacy-enhancing technologies and their potential. Everybody needs a better feel for which technologies are, or can be made to be, cost-efficient.
Dan Boneh, Stanford (functional encryption)
Rafail Ostrovsky, UCLA (private information retrieval)
Ernie Brickell, Intel (EPID)
Stanislaw Jarecki, UC Irvine (SPAR/NICECAP pilots)
Kazue Sako, NEC (group signatures)
Brian LaMacchia, Microsoft (U-Prove)
Christian Paquin, Microsoft (U-Prove)
Gregory Neven, IBM-Zurich (Idemix)
George Danezis, Microsoft Research Cambridge (smart meters)
Tomas Toft, University of Aarhus (SMC applied to sugar beet auctions)
Michael Fischer, Yale University (auctions, shared randomness)
Serge Fehr, CWI (secure multi-party computation)
Claire Vishik, Intel UK (privacy standards and policy)
Juan Garay, AT&T Labs (multiparty computation)
Melissa Chase, Microsoft (Health Records)
Terence Spies, Voltage (Format Preserving Encryption)
Benjamin Benoy, National Security Agency (Anonymous Attestation)
Anna Lysyanskaya, Brown (Conditional And Revocable Anonymity)
Marc Rotenberg, EPIC (privacy in the identification domain)