Sharemind MPC Platform

Deployment Overview

With Sharemind, all input data is encrypted at the data source. Each individual value is split into random pieces that are distributed among several Sharemind Application Server computation nodes. None of the individual pieces provide any information about the original value. This process is called secret sharing and can be thought of as encryption without a key. No plaintext value leaves the data owner's premises unencrypted.

Data encrypted by secret sharing has homomorphic properties that allow computations on it without decrypting it first. Sharemind employs secure multi-party computation (MPC) technology, where several computation nodes engage in cryptographic protocols to compute on encrypted values. During this process, no values are decrypted and the computation result also remains secret. This allows using an output of one primitive MPC protocol as an input for the next to build privacy-preserving algorithms and applications. The final computation result can be decrypted by an authorised analyst if all computation nodes agree to send their computation output (random pieces) to this party.

Sharemind Application Server (multi-party computation) deployment

Programming privacy-preserving applications

Building apps with Sharemind does not mean that you have to be a cryptographer. Applications running on Sharemind MPC Application Server are written in the SecreC programming language. SecreC separates encrypted and public data workflows and hides the complicated cryptography from the application developer.

The developer marks the necessary value as sensitive and SecreC takes care of enforcing the data usage policies throughout the application lifecycle, from data input to application output.

SecreC code can in principle be compiled for an unlimited number of secure computation backends, including fully homomorphic encryption.

Product Modules

The Sharemind MPC platform has several ready-made modules that reduce the cost of building your privacy-preserving service.

CSV Importer

The CSV Importer imports a CSV-formatted database or Excel spreadsheet export into a Sharemind installation. It validates the input file against a given data model description, secret shares each individual value in the CSV input file and distributes the shares among the Sharemind Application Servers in a given installation. The CSV Importer is the last step at which sensitive values are available in plaintext, so the tool should be run by the Data Owner.

CSV Importer supports comma-, semicolon-, tab- and space-separated input files and various data types, including automatic generation of enumeration types.

Encrypted Computing Engine (three-party secure computing)

Encrypted Computing Engine is an application server and a core component of the Sharemind platform that facilitates running secure multi-party computation programs. These programs are written in the SecreC language, which separates public and encrypted data workflows.

Sharemind Encrypted Computing Engine implements secure computation protocols based on 3-party additive secret sharing. Therefore, a Sharemind deployment consists of three parties, each hosting their own Encrypted Computing Engine.
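The splitting, share-wise computation and final reconstruction described in the Deployment Overview and in the 3-party additive secret sharing above, as an added Python example (not Sharemind or SecreC code). The ring Z_2^32, the function names and the sample values are assumptions for illustration; multiplying two shared values needs an interactive protocol between the nodes and is not shown.

```python
import secrets

MOD = 2 ** 32  # assumed share domain (integers mod 2^32); not stated on the page


def share(value, parties=3):
    """Split value into random additive shares that sum to it mod MOD."""
    shares = [secrets.randbelow(MOD) for _ in range(parties - 1)]
    shares.append((value - sum(shares)) % MOD)
    return shares


def reconstruct(shares):
    """Recover the value; requires the shares of all parties."""
    return sum(shares) % MOD


def add_shared(a, b):
    """Each node adds the two shares it holds; no communication is needed
    and no node ever sees a plaintext input or the plaintext sum."""
    return [(x + y) % MOD for x, y in zip(a, b)]


def scale_shared(a, public_k):
    """Multiplication by a public constant is also a purely local step."""
    return [(x * public_k) % MOD for x in a]


def third_share_for(two_shares, candidate):
    """Given any two shares, return the third share that would make the
    secret equal `candidate`. One exists for every candidate, which is why
    fewer than all three shares are consistent with every possible value."""
    return (candidate - sum(two_shares)) % MOD


def demo():
    a, b = 4200, 3100                 # constructed sample inputs
    sa, sb = share(a), share(b)       # done at the data source
    total = add_shared(sa, sb)        # done independently at each node
    tripled = scale_shared(sa, 3)
    # Output shares can feed the next operation without being opened.
    return reconstruct(total), reconstruct(tripled)


if __name__ == "__main__":
    print(demo())
```
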

Encrypted Computing Emulator

Encrypted Computing Emulator provides the same user experience as Sharemind Encrypted Computing Engine, but emulates the secure computing locally without the network communication overhead. Encrypted Computing Emulator is used for developing and testing SecreC programs before deploying them on Encrypted Computing Engine.

Encrypted Computing Emulator provides performance models for secure multi-party computation protocols, so you can evaluate the running time breakdown of your SecreC programs even before deploying them on a real installation.

Add-on: Web Application Gateway

Web Application Gateway provides an HTTP/HTTPS interface for your Sharemind Encrypted Computing Engine, so you can build privacy-preserving web applications where data is encrypted in the end user's browser.

Each of the three Encrypted Computing Engines needs its own Web Application Gateway, which may be deployed on the same host computer. The Web Application Gateway may also handle application-specific business logic, e.g. caching input shares and periodically starting a secure computation on larger batches of input values. Sharemind Web Application Gateway is provided as a NodeJS module.

Add-on: Encrypted Storage (Embedded HDF5)

The Encrypted Storage (Embedded HDF5) provides a persistent storage layer for the Sharemind Application Servers (Encrypted Computing Engine and Emulator). It is used to store input values and computation results, both of which may be either public or encrypted.

The Encrypted Storage add-on is based on HDF5 technology, which provides an efficient column-optimised storage of high volume data.

Add-on: Encrypted NoSQL Storage (Redis adapter)

The Encrypted NoSQL Storage (Redis adapter) provides a persistent storage layer for the Sharemind Application Servers (Encrypted Computing Engine and Emulator). It is used to store input values and computation results, both of which may be either public or encrypted.

This add-on provides an efficient key-value interface for data storage. It requires a Redis backend at each Sharemind Application Server host.

Rmind

Rmind is a statistical analysis suite that works on encrypted data. Rmind supports a wide variety of data manipulation and statistical functionality, including descriptive statistics, merging (joining) data tables, aggregations, statistical models as well as visualisations. The analyst sees only statistical aggregate results, while all individual values and intermediary results stay encrypted on the Sharemind Application Server. People with previous experience of the R language and tools will appreciate the familiarity of the Rmind data mining software.

Client API

Sharemind Client API provides the necessary tools for building custom client applications for the Sharemind platform and integrating secure computation technology into existing information systems.

The Client API consists of libraries, header files and documentation for building and integrating privacy-preserving applications in C, C++, Haskell and JavaScript (to be used with Sharemind Web Application Gateway).
