Inferensys

Glossary

Multi-Party Computation Linkage

A PPRL protocol extending secure linkage to three or more parties, allowing collaborative entity resolution across a consortium without exposing individual-level data.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
CONSORTIUM-BASED PRIVACY-PRESERVING RECORD LINKAGE

What is Multi-Party Computation Linkage?

Multi-Party Computation Linkage is a privacy-preserving record linkage protocol that extends secure entity resolution to three or more data custodians, allowing a consortium to collaboratively identify matching records across their distributed databases without any party revealing its private input data to the others.

Multi-Party Computation Linkage is a cryptographic protocol enabling a consortium of three or more parties to jointly execute entity resolution across their siloed databases. Unlike two-party Privacy-Preserving Record Linkage (PPRL) schemes, this architecture distributes the computation such that no single party learns the plaintext identifiers of any other party's records. The protocol leverages secure multi-party computation (SMPC) primitives—including secret sharing, garbled circuits, and oblivious transfer—to compute matching functions directly on encrypted or secretly shared data, ensuring that only the final, agreed-upon matching record identifiers are revealed to authorized recipients.

The core technical challenge addressed by Multi-Party Computation Linkage is scaling private blocking and secure similarity computation—such as secure edit distance or Private Set Intersection Cardinality (PSI-CA)—across multiple mutually distrusting data custodians without a trusted third party. The protocol typically employs a combination of hardened Bloom filter encodings or Cryptographic Longterm Keys (CLKs) for initial data transformation, followed by distributed Felligi-Sunter probabilistic matching evaluated within an SMPC framework. This approach is critical for multi-institutional healthcare consortia and financial crime intelligence networks where collaborative golden record creation is essential but direct data sharing is legally prohibited.

CONSORTIUM PRIVACY

Key Features of MPC Linkage

Multi-Party Computation Linkage extends secure entity resolution beyond two parties, enabling a consortium to collaboratively identify matching records without any participant exposing their raw identifiers to peers or a central broker.

01

Secret-Shared Circuit Evaluation

The core cryptographic engine of MPC linkage. Each party splits its private identifiers into secret shares and distributes them. The linkage logic—often a Felligi-Sunter probabilistic model or a deterministic match key—is compiled into a Boolean or arithmetic circuit. Parties jointly evaluate this circuit on the shared fragments, learning only the final match result and nothing about non-matching records. This eliminates the single point of failure inherent in trusted third-party models.

02

Consortium Governance & Topology

MPC linkage supports flexible network topologies beyond simple pairwise connections:

  • Star Topology: A central hub coordinates the computation, but only sees secret shares, not plaintext.
  • Fully Connected Mesh: All parties communicate directly, increasing resilience but adding communication overhead.
  • Hierarchical Topology: Sub-groups perform local linkage before passing encrypted intermediate results to a global resolver. This allows a consortium of hospitals, for example, to agree on a common governance model that matches their regulatory trust framework.
03

Private Blocking at Scale

Comparing every record across all parties is computationally infeasible. MPC linkage integrates private blocking to reduce the quadratic search space without leaking similarity. Techniques include:

  • Locality-Sensitive Hashing (LSH) on secret-shared Bloom filters to cluster likely matches.
  • Private Set Intersection Cardinality (PSI-CA) to identify blocks with overlapping records before full comparison.
  • Reference Value Encoding where parties map records to a common, pre-agreed reference table using secure protocols. This ensures the MPC circuit only evaluates high-probability candidate pairs, making consortium-wide linkage practical.
04

Adversarial Robustness & Fairness

Standard two-party PPRL assumes semi-honest participants. MPC linkage for consortia must harden against malicious adversaries who may deviate from the protocol to learn others' data. Defenses include:

  • Commitment Schemes: Parties cryptographically commit to their inputs before the protocol begins, preventing later manipulation.
  • Zero-Knowledge Proofs: Each party proves in zero-knowledge that they correctly executed their step of the circuit without revealing their secret state.
  • Fair Output Delivery: Protocols ensure that if any party learns the output, all honest parties do, preventing an abort-and-learn attack.
05

Threshold Decryption & Output Control

The final match results are encrypted under a threshold public key. Decryption requires a quorum of parties to contribute their key shares. This prevents any single entity from unilaterally viewing the linked records. The consortium can set the threshold—e.g., requiring 7 of 10 hospitals to agree before the matched patient cohort is revealed. This cryptographically enforces the data use agreement and is critical for compliance with regulations like GDPR's data minimization principle.

06

Performance & Communication Trade-offs

MPC linkage introduces significant overhead compared to cleartext matching. Key bottlenecks:

  • Communication Complexity: The number of rounds scales with circuit depth. WAN latency between consortium members can dominate runtime.
  • Circuit Depth: Complex fuzzy matching like Jaro-Winkler or edit distance requires deep circuits. Approximations like Dice coefficient on n-grams are often preferred for efficiency.
  • Hardware Acceleration: Modern implementations leverage AES-NI instructions and GPU-accelerated oblivious transfer extensions to make consortium-scale linkage feasible for millions of records.
MULTI-PARTY COMPUTATION LINKAGE

Frequently Asked Questions

Clear, technical answers to the most common questions about extending privacy-preserving record linkage to three or more parties using secure multi-party computation protocols.

Multi-party computation (MPC) linkage is a privacy-preserving record linkage protocol that enables three or more data custodians to jointly identify matching records across their disparate databases without revealing any individual-level plaintext data to one another or to a central coordinator. Unlike two-party protocols, MPC linkage distributes the computation across all participants using cryptographic secret sharing. Each party splits its encoded identifiers into random shares and distributes them among the other parties. The matching algorithm—often a private set intersection or secure edit distance computation—is then executed collaboratively on these shares. No single party ever holds enough information to reconstruct the original identifiers. The final output reveals only the set of matching record identifiers to authorized recipients, ensuring that non-matching entities remain completely hidden. This architecture eliminates the need for a trusted third party, making it ideal for consortia in healthcare, finance, and government where mutual distrust exists.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.