A new technique uses cryptography to keep most of an individual's entire genome secure, only allowing others to access information on specific genes (Credit: SSilver/Depositphotos)

DNA security and privacy is a looming problem that scientists and researchers are only just starting to grapple with. A team at Stanford has now developed a technique that can "cloak" irrelevant genomic information, allowing scientists to access key disease-related mutations without revealing an individual's broader genome sequence.

In a world where everything from dating profiles to medical diagnoses are drawing on DNA data, we're currently just forced to hope that each company with access to our DNA is acting responsibly with out genetic fingerprints. But for many, hope is not enough, and nor should it be. With genomic information becoming increasingly of value, a demand has arisen for a way to secure that data while still being able to enjoy the benefits of DNA analysis.

"Often people who have diseases, or those who know that a particular genetic disease runs in their family, are the most reluctant to share their genomic information because they know it could potentially be used against them in some way," says Gill Bejerano, associate professor of developmental biology, of pediatrics and of computer science. "They are missing out on helping themselves and others by allowing researchers and clinicians to learn from their DNA sequences."

To address such concerns, the Stanford team developed a technique based on a classic cryptographic protocol, known as garbled circuit or Yao's protocol. The individual encrypts their own genome using an algorithm on their smartphone or computer, which translates specific gene variants into a linear set of values that are securely uploaded into the cloud. On the other end of the transaction, the researcher (or any second-party) accesses only the data that is pertinent to their investigation.

"In this way, no person or computer, other than the individuals themselves, has access to the complete set of genetic information," says Bejerano.

The team demonstrated the process by executing several practical demonstrations, including identifying specific gene mutations in patients with rare diseases and comparing a baby's DNA with his parents to target the likely cause of a genetic disease. In all tested instances, at least 97 percent of each subject's unique DNA information was completely hidden from the researchers.

As well as protecting a person's privacy when having their DNA processed for medical reasons, this technique could theoretically be applied to more commercial contexts, such as ancestry genome studies or even the rising field of nutrigenomics.

"There is a general conception that we can only find meaningful differences by surveying the entire genome," says Bejerano. "But these meaningful differences make up only a very tiny proportion of our DNA. There are now amazing tools in computer science and cryptography that allow researchers to pinpoint only these differences while keeping the remainder of the genome completely private."

Just recently it was demonstrated that synthetic DNA could be created containing malware that allows a malicious party to gain control of the computer that sequences it. As we learn more and more about what our genetic fingerprint means, the value of that fingerprint will only increase. In the future, the DNA marketplace will be big business and security protocols such as this new Stanford technique are going to be important.

The team's research was published in the journal Science.

Source: Stanford Medicine

Follow this link:
Genome cryptography is the new way to secure your DNA data - New Atlas

How does one design a blockchain protocol? Back in 2013, while in Athens, I set out to design a non-proof-of-work-based blockchain protocol motivated by the debt crisis in Greece, looming bank liquidity problems and the increasing discussions about the possibility of having a parallel currency. The new protocol had to be based on proof of stake to make sure that it can run even on cellphones and be secure independent of any computational power existing that is external to it.

Very soon it became clear that the problem was going to need much more than a few months' work. Fast-forward three years to 2016: I was at the University of Edinburgh and had joined forces with IOHK whose CEO, Charles Hoskinson, was poised to solve the same problem. The protocol, "Ouroboros" as it would be eventually named, was there but the core of the security proof was still elusive when my good friend Alexander Russell visited me.

Together, we tackled the problem of proving the security of the system. Whiteboards were filled over and over again until we felt we mined a true gem: a clean combinatorial argument that enabled us to argue mathematically the security of the scheme.

Security is an elusive concept. Take a system that is able to withstand a given set of adverse operational conditions. When can we call it secure? What if it collapses in the next moment when it is subjected to a slightly different set of conditions? Or when it is given inputs different from any that have been tried before?

Security cannot be demonstrated via experiment alone since attacker ingenuity can rarely be completely enumerated within any reasonable timeframe. Cryptographic design, thus, has to somehow scale this "universal quantifier": the system should be called secure only if it withstands all possible attacks.

In response to this fundamental problem, "provable security" emerged as a rigorous discipline within cryptography that promotes the co-development of algorithms and (so-called) proofs of security. Such proofs come in the form of theorems that, under certain assumptions and threat models that describe what the attacker can and cannot do, establish the security of cryptographic algorithms. In this fashion, modern cryptographic design pushes the "burden of proof" to the proposer of an algorithm.

In the world of academic cryptography, gone are the days when someone could propose a protocol or algorithm and proclaim it secure because it was able to withstand a handful of known attacks. Instead, modern cryptographic design requires due diligence by the designers to ensure that no attack exists within a convincing and well-defined threat model.

This approach has been a tremendously powerful and inspiring paradigm within cryptography. For instance, the notion of a secure channel has been studied for more than 40 years. This is the fundamental cryptographic primitive that allows the proverbial Alice and Bob to send messages to each other safely in the presence (and possibly active interference) of an attacker. Today's provable security analysis, even using automated tools, has unearthed attacks against secure channel protocols like TLS that were unanticipated by the security community.

Back in 2009 though, the blockchain was a concept that was presented outside regular academic cryptographic discourse. A brief white paper and a software implementation were sufficient to fuel its initial adoption that expanded rapidly. In retrospect, this was perhaps the only way for this fringe idea to ripple the waters of scientific discourse sufficiently and force a paradigm shift (in the sense of Thomas S. Kuhn's " Structure of Scientific Revolutions ") in terms of how the consensus problem was to be studied henceforth.

As the shift settled though, a principled approach became direly needed. The newly discovered design space appears to be vast and the avenues of exploring it too numerous. The "burden of proof" needs to return to the designer.

Blockchain protocols need to become systematized, as they have gradually become one of the dominant themes in distributed consensus literature. The blockchain is not the problem; it is the solution. But in this case, one may wonder, what was the problem?

In 2014, jointly with Juan Garay and Nikos Leonardos, we put forth a first description of "the problem" in the form of what we called a "robust transaction ledger." Such a ledger is implemented by a number of unauthenticated nodes and provides two properties, called persistence and liveness. Persistence mandates that nodes never disagree about the placement of transactions once they become stable, while liveness requires that all (honestly generated) transactions eventually become stable. Using this model, we provided a proof of security for the core of the Bitcoin protocol (a suitably simplified version of the protocol that we nicknamed the "bitcoin backbone").

Given this proof, a natural question a cryptographer will ask is whether this protocol is really the best possible solution to the problem. "Best" here is typically interpreted in two ways: first, in terms of the efficiency of the solution; and second, in terms of the relevance and applicability of the threat model and the assumptions used in the security proof.

Efficiency is a particular concern for the Bitcoin blockchain. With all its virtues, the protocol is not particularly efficient in terms of processing time or resource consumption. This is exactly where "proof of stake" emerged as a possible alternative and a more efficient primitive for building blockchain protocols.

So, is it possible to use proof of stake to provably implement a robust transaction ledger? By 2016, with our Bitcoin backbone work already presented, this was a well-defined question; and the answer came with Ouroboros: our proof-of-stake-based blockchain protocol.

The unique characteristic of Ouroboros is that the protocol was developed in tandem with a proof of security that aims to communicate in a succinct way that the proposed blockchain protocol satisfies the properties of a robust transaction ledger. Central to the proof is a combinatorial analysis of a class of strings that admit a certain discrete structure that maps to a blockchain fork. We called "forkable" those strings that admit a non-trivial such structure, and our proof shows that their density becomes minutely small as the length of the string grows.

With this argument, we showed how there is an opportunity for the nodes running the protocol to converge to a unique history. The protocol then dictates how to take advantage of this opportunity by running a cryptographic protocol that enables the nodes to produce a random seed, which, in turn, is used to sample the next sequence of parties to become active. As a result, the protocol facilitates the next convergence step to take place; in this way, it can continue ad infinitum following a cyclical process that was also the inspiration for its name. Ouroboros is the Greek word for the snake that eats its tail, an ancient Greek symbol for re-creation.

Having the protocol and its proof in hand gave us the unique opportunity for peer review, i.e., asking fellow cryptographers to evaluate the construction and its associated security proof as part of the formal submission process to a major cryptology conference.

Peer reviewing at the top cryptology venues is a painstakingly rigorous process that goes on for months. Papers are first reviewed independently by at least three experts, and afterward a discussion for each paper rages on as the three reviewers, as well as other members of the scientific committee, get involved and try to converge on the intellectual merits of each submission.

As a result of successfully passing this rigorous peer review process, Ouroboros was accepted and included in the program of Crypto 2017 , the 37th annual cryptology conference. Crypto is one of the flagship conferences of the International Association for Cryptologic Research (IACR) and is one of the most exciting places for a cryptographer to be, as the program always contains research on the cutting edge of the discipline.

Furthermore, Ouroboros will be the settlement layer of the Cardano blockchain to be rolled out by IOHK in 2017, making it one of the swiftest technology transfer cases from a basic research publication to a system to be used by many thousands in just one year.

While all this may seem like a happy conclusion to the quest for a proof-of-stake blockchain, we are far from being done. On the contrary, we are still, as a community, at the very beginning of this expedition that will delve deep into blockchain design space. There are still too many open questions to solve, and new systems will be built on the foundations of the research that our community is laying out today.

Ouroboros image courtesy of Wikimedia Commons .

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.

See the article here:
Op Ed: A Cryptographic Design Perspective of Blockchains: From Bitcoin to Ouroboros - Nasdaq

A cryptographer and a geneticist walk into a seminar room. An hour later, after a talk by the cryptographer, the geneticist approaches him with a napkin covered in scrawls. The cryptographer furrows his brow, then nods. Nearly two years later, they reveal the product of their combined prowess: an algorithm that finds harmful mutations without actually seeing anyones genes.

The goal of the scientists, Stanford University cryptographer Dan Boneh and geneticist Gill Bejerano, along with their students, is to protect the privacy of patients who have shared their genetic data. Rapid and affordable genome sequencing has launched a revolution in personalized medicine, allowing doctors to zero in on the causes of a disease and propose tailor-made solutions. The challenge is that such comparisons typically rely on inspecting the genes of many different patientsincluding patients from unrelated institutions and studies. The simplest means to do this is for the caregiver or scientist to obtain patient consent, then post every letter of every gene in an anonymized database. The data is usually protected by licensing agreements and restricted registration, but ultimately the only thing keeping it from being shared, de-anonymized or misused is the good behavior of users. Ideally, it should be not just illegal but impossible for a researchersay, one who is hacked or who joins an insurance companyto leak the data.

When patients share their genomes, researchers managing the databases face a tough choice. If the whole genome is made available to the community, the patient risks future discrimination. For example, Stephen Kingsmore, CEO of Rady Children's Institute for Genomic Medicine, encounters many parents in the military who refuse to compare their genomes with those of their sick children, fearing they will be discharged if the military learns of harmful mutations. On the other hand, if the scientists share only summaries or limited segments of the genome, other researchers may struggle to discover critical patterns in a diseases genetics or to pinpoint the genetic causes of individual patients health problems.

Boneh and Bejerano promise the best of both worlds using a cryptographic concept called secure multiparty computation (SMC). This is, in effect, an approach to the millionaires problema hypothetical situation in which two individuals want to determine who is richest without revealing their net worth. SMC techniques work beautifully for such conjectural examples, but with the exception of one Danish sugar beet auction, they have almost never been put into practice. The Stanford groups work, published last week in Science, is among the first to apply this mind-bending technology to genomics. The new algorithm lets patients or hospitals keep genomic data private while still joining forces with faraway researchers and clinicians to find disease-linked mutationsor at least that is the hope. For widespread adoption, the new method will need to overcome the same pragmatic barriers that often leave cryptographic innovations gathering dust.

Intuitively, Boneh and Bejeranos plan seems preposterous. If someone can see they can leak it. And how could they infer anything from a genome they cant see? But cryptographers have been grappling with just such problems for years. Cryptography lets you do a lot of things like [SMC]keep data hidden and still operate on that data, Boneh says. When Bejerano attended Bonehs talk on recent developments in cryptography, he realized SMC was a perfect fit for genomic privacy.

The particular SMC technique that the Stanford team wedded to genomics is known as Yaos protocol. Say, for instance, that Alice and Bobthe ever-present denizens of cryptographers imaginationswant to check whether they share a mutation in gene X. Under Yaos protocol Alice (who knows only her own genome) writes down the answer for every possible combination of her and Bobs genes. She then encrypts each one twiceanalogous to locking it behind two layers of doorsand works with Bob to find the correct answer by strategically arranging a cryptographic garden of forking paths for him to navigate.

She sets up outer doors to correspond to the possibilities for her gene. Call them Alice doors: If Bob enters door 3, any answers he finds inside will assume that Alice has genetic variant 3. Behind each Alice door, Alice adds a second layer of doorsthe Bob doorscorresponding to the options for Bobs gene. Each combination of doors leads to the answer for the corresponding pair of Alice and Bobs genes. Bob then simply has to get the right pair of keys (essentially passwords) to unlock the doors. By scrambling the order of the doors and carefully choosing who gets to see which keys and labels, Alice can ensure that the only answer Bob will be able to unlock is the correct one, although still preventing herself from learning Bobs gene or vice versa.

Using a digital equivalent of this process, the Stanford team demonstrated three different kinds of privacy-preserving genomic analyses. They searched for the most common mutations in patients with four rare diseases, in all cases finding the known causal gene. They also diagnosed a babys illness by comparing his genome with those of his parents. Perhaps the researchers biggest triumph was discovering a previously unknown disease gene by having two hospitals search their genome databases for patients with identical mutations. In all cases the patients full genomes never left the hands of their care providers.

In addition to patient benefits keeping genomes under wraps would do much to soothe the minds of the custodians of those genome databases, who fear the trust implications of a breach, says Giske Ursin, director of the Cancer Registry of Norway. We [must] always be slightly more neurotic, she says. Genomic privacy likewise offers help for second- and third-degree relatives, [who] share a significant fraction of the genome, notes Bejeranos student Karthik Jagadeesh, one of the papers first authors. Bejerano further points to the conundrums genomicists face when they spot harmful mutations unrelated to their work. The ethical question of what mutations a genomicist must scan for or discuss with the patient does not arise if most genes stayed concealed.

Bejerano argues the SMC technique makes genomic privacy a practical option. Its a policy statement, in some sense. It says, If you want to both keep your genome private and use it for your own good and the good of others, you can. You should just demand that this opportunity is given to you.

Other researchers and clinicians, although agreeing the technique is technically sound, worry that it faces an uphill battle on the practical side. Yaniv Erlich, a Columbia University assistant professor of computer science and computational biology, predicts the technology could end up like PGP (pretty good privacy) encryption. Despite its technical strengths as a tool for encrypting e-mails, PGP is used by almost no onelargely because cryptography is typically so hard to use. And usability is of particular concern to medical practitioners: Several echo Erlichs sentiment that their priority is diagnosing and treating a condition as quickly as possible, making any friction in the process intolerable. Its great to have it as a tool in the toolbox, Erlich says, but my senseis that the field is not going in this direction.

Kingsmore, Erlich and others are also skeptical that the papers approach would solve some of the real-world problems that concern the research and clinical communities. For example, they feel it would be hard to apply it directly to oncology, where genomes are useful primarily in conjunction with detailed medical and symptomatic records.

Still, Kingsmore and Erlich do see some potential for replacing todays clunky data-management mechanisms with more widespread genome sharing. In any case, the takeaway for Bejerano is not that genome hiding is destined to happen, but that it is a technological possibility. You would think we have no choice: If we want to use the data, it must be revealed. Now that we know that is not true, it is up to society to decide what to do next.

Go here to see the original:
Cryptographers and Geneticists Unite to Analyze Genomes They Can't See - Scientific American