“The real-world implications of this were something I cared about and wanted to think about more,” Brown’s Qin says. “I knew we needed to put our minds together, because to me it did not seem obvious at first how you would do all of this. Secure multiparty computation is quite resource-intensive, and we needed to accommodate the legislative nuances.”
On top of all the other challenges, the system also needs to be easy to use for government officials who most likely wouldn’t have any specific knowledge of cryptography. And it requires other protections built in as well, like “rate limiting,” so officials could automatically prevent someone running a suspicious number of queries.
The basic structure of the system the researchers devised looks like this: Each local official who manages the gun registry data in their county would hold the encryption key for that data on a physical authentication token, like a Yubikey. To answer queries—release data, in other words—about the county’s current or former constituents, the official would authenticate themself and authorize data queries by producing the physical key. When a new person took over the job, the outgoing official would hand over the physical token as they would the key to a filing cabinet.
The system has a mechanism to reconstruct the key in the event that a local official is indisposed or loses their token. It works by having the official give “key shares” to colleagues, or trusted peers in neighboring counties. At least two of the three shares must come together to authenticate. The idea is to create a fallback mechanism that allows officials to choose like-minded or otherwise trusted custodians, reducing potential concerns about misuse. The key shares could also be revoked, so when a job turns over the new official can appoint their own key share holders.
To query the database at a national level, or run a gun trace, there needs to be some type of “global directory,” as the researchers call it, that indexes all the data in some form. This way someone making a query is automatically redirected to the right place rather than having to individually ask if someone has registered a firearm in each of the 3,006 counties in the US. But if the global directory simply compiled all of the data, it would defeat the purpose of the entire project. So the researchers devised two crucial components to solve the problem.
First, the global directory only indexes identifiers like firearm serial numbers and registrant IDs, rather than a full suite of information. And a more nuanced feature the researchers propose is that two or more groups, potentially nongovernmental organizations with opposing interests, hold key shares that are required to query or even update the global directory. The researchers use the National Rifle Association and the American Civil Liberties Union as examples of entities that likely would not have an interest in colluding to undermine the integrity of the system by putting their shares together to authorize abusive activity. But if both agreed to be custodians of the global directory, they would provide their shares for legitimate queries and system maintenance.
These organizations wouldn’t be able to clandestinely access information in the global directory without the other, and even if they could, the information in the global directory is limited, and everything in it remains fully encrypted at all times. The only decrypted information that’s accessible to entities authorized to run queries is the information that would come back if local officials chose to release it.
“The global directory points people to the right local databases, and then the local officials in charge of those databases have to approve it in order to actually get the entire record,” Kamara says. “The idea of the global directory is that there’s no single entity that manages it. It’s a coalition, and nobody ever actually sees what’s happening in the black box. The keys, the queries, and the responses are all done cryptographically, so everything about it remains secret.”
The system obviously has a lot of requirements both technical and societal. But the researchers say their goal was to work through the cryptographic challenges to show that such a system could be built. The political and ideological hurdles are for lawmakers to surmount, they say.