Security and Privacy in Smart Grid Systems: Countermeasure and Formal Verification
Description
In many distributed computing contexts, a need arises for two mutually-distrusting parties to undertake a joint calculation, often without the disclosure of the unprocessed data from one or both sides to the other. Sometimes a 'trusted third party' is used for this purpose - but immediately the verification of the trustworthiness of that party becomes a challenge. The cryptographic world has addressed this through the paradigm of secure multi-party computation - and the related problem of an untrusted processor through various schemes of homomorphic encryption. These are successful in many contexts, but imply certain overheads and complexities.
We propose a different model, wherein the technologies of Trusted Computing are used to create an assured Trustworthy Remote Entity (TRE): this also enables us to develop duplex communications, which are seldom considered in the approaches described above. The main part of this project is devoted to developing and verifying a TRE-based solution for the substantial and far-reaching challenges of security and privacy in smart power grids: later in the project we consider the generalization of the approach to other similar problems, such as those in dynamic location-based road pricing. The 'big idea' is that the user can be signed up with a TRE, and have a high degree of confidence that their data (e.g. the information on how much electricity is being used right now) is not going to get into the hands of someone who might use it against them (e.g. to work out when the home is unoccupied) - but the power company can also have, from their side, confidence that the data they receive is coming from one of their customers. If they need to reduce demand - in the extreme case by, say, remotely switching off someone's air conditioning unit for a time - they can send a signal back, confident that it will go to the right user, without knowing which customer that is.
This approach can be generalised to many other situations: for example, the TRE could help to calculate a price for you to drive on a particular road at a particular time, without disclosing your movements to the transport authority. It could also pass back personalized (but anonymous) instructions on how to find a better route at the time.
More Information
Potential Impact:
When these research objectives are achieved, we will be able to provide service providers with a building-block solution which enables them cheaply and easily to deliver highly-assured centralized processing of personal data, with strong guarantees that the privacy of the individuals involved cannot be compromised. This is good for those businesses (since they seldom want the liability of processing personal data, but want to be able to offer customized services) as well as being good for individual consumers and society at large, by keeping each person in control of their own personal data.
We expect this approach to open up many new opportunities in research - for researchers and companies to explore different scenarios in which such a capability will be useful. It will also help those who design tools for system verification to hone those tools against realistic scenarios: many practical deployments are difficult to verify because they are too large and complex. Our scenario abstracts away one key component and reduces it to a tractable verification task.
University of Oxford | LEAD_ORG |
National University of Singapore | COLLAB_ORG |
Griffith University | COLLAB_ORG |
National University of Singapore | PP_ORG |
Andrew Martin | PI_PER |
Subjects by relevance
- Privacy
- Data protection
- Data security