“The concrete implications of this were something I held dear and wanted to think about more,” says Brown’s Qin. “I knew we had to get our minds together because to me it wasn’t obvious at first how you would do all of this. Secure multistakeholder computing is resource-intensive and we had to take into account legislative nuances.”
In addition to all the other challenges, the system must be easy to use for government officials who would likely have no specific knowledge of cryptography. It also requires other built-in protections, such as “rate limiting”, so that authorities can automatically stop someone who executes a suspicious number of queries.
The basic structure of the system the researchers designed looks like this: every local official who manages gun registry data in their county would hold the key that encrypts that data on a physical authentication token, like a YubiKey. To respond to queries about current or former voters in the county, in other words to release data, the official would authenticate and authorize the data request by presenting the physical token. When a new person takes over the post, the departing official hands over the physical token, just as they would hand over the key to a filing cabinet.
The system has a mechanism to reconstruct the key in the event that a local official becomes unwell or loses their token. It works by asking the official to distribute “key shares” to trusted colleagues or peers in neighboring counties. At least two of the three shares must be combined to authenticate. The idea is to create a fallback mechanism that allows officials to choose like-minded or trusted custodians, thereby reducing potential fears of abuse. Key shares could also be revoked, so that when a position is transferred, the new official can appoint their own key shareholders.
To query the database at the national level, or run a gun trace, there has to be some type of “global directory”, as the researchers call it, which indexes all data in one form or another. This way, someone who makes a request is automatically redirected to the right location rather than having to individually ask whether someone has registered a gun in each of the 3,006 counties in the United States. But if the global directory just compiled all the data, it would defeat the purpose of the whole project. The researchers therefore devised two crucial elements to solve the problem.
First, the global directory only indexes identifiers such as gun serial numbers and registration IDs, rather than a full suite of information. And a more nuanced feature proposed by the researchers is that two or more groups, potentially non-governmental organizations with competing interests, hold key shares that are needed to query or even update the global directory. The researchers use the National Rifle Association and the American Civil Liberties Union as examples of entities that probably would not have an interest in colluding to undermine the integrity of the system by pooling their shares to authorize abusive activity. But if both agreed to be the custodians of the global directory, they would provide their shares for legitimate queries and maintenance of the system.
These organizations could not covertly access global directory information without each other, and even if they could, the global directory's contents are limited and remain fully encrypted at all times. The only decrypted information accessible to entities authorized to execute queries is the information that comes back if the local authorities choose to release it.
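As an added illustration (this is not the researchers' system or code), the three threshold mechanisms described above, the county official's 2-of-3 key-share fallback, the revocation of shares at a handover, and the two-custodian global directory, modelled with Shamir secret sharing in Python; the prime field, the share counts for the directory, and the helper names are assumptions of the example.

```python
import secrets

P = 2**127 - 1  # prime field for the share arithmetic (an assumption of this example)

def make_shares(secret, threshold, n, rng=secrets.randbelow):
    """Split a key into n shares so that any `threshold` of them rebuild it."""
    coeffs = [secret % P] + [rng(P) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner: evaluate the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def reconstruct(shares):
    """Lagrange interpolation at x = 0; too few or mismatched shares give garbage."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def official_key_recovery(key, rng=secrets.randbelow):
    """County official's 2-of-3 fallback: two custodians suffice, one alone does not."""
    official, peer_a, peer_b = make_shares(key, 2, 3, rng)
    return reconstruct([peer_a, peer_b]) == key, reconstruct([peer_a]) == key

def handover_revokes_old_shares(key, rng=secrets.randbelow):
    """A new official re-shares the key with a fresh polynomial: an old custodian's
    share combined with a new one no longer reconstructs it, which is the revocation."""
    old = make_shares(key, 2, 3, rng)
    new = make_shares(key, 2, 3, rng)
    return reconstruct([old[1], new[2]]) == key, reconstruct(new[:2]) == key

def directory_custodians(dir_key, rng=secrets.randbelow):
    """Global directory: 2-of-2 shares held by two competing organizations; a query
    needs both, and either organization's share alone reveals nothing about the key."""
    org_a, org_b = make_shares(dir_key, 2, 2, rng)
    return reconstruct([org_a, org_b]) == dir_key, reconstruct([org_a]) == dir_key
```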
“The global directory directs people to the right local databases, and then the local managers in charge of those databases have to approve it in order to actually get the whole file,” says Kamara. “The idea of the global directory is that there is no single entity that manages it. It’s a coalition, and no one ever sees what’s going on in the black box. Keys, requests, and responses are all done cryptographically, so everything remains secret.”
The system obviously has many requirements, both technical and societal. But the researchers say their goal was to tackle the cryptographic challenges in order to show that such a system could be built. The political and ideological obstacles, they say, must be overcome by lawmakers.