Secure Multi-Party Computation Solves Germany's Measles Vaccination Verification Challenge
When Germany implemented its Measles Protection Act in 2020, health departments faced an operational headache: verifying vaccination status across disconnected datasets. Children's vaccination records existed in school entry examination (ESU) databases, while enforcement actions lived in separate protection modules. Traditional data merging would violate strict privacy regulations, forcing manual verification that cost time and resources.
Enter secure multi-party computation (MPC), a cryptographic technique enabling joint computation on encrypted data without exposing raw information. Frankfurt's health department partnered with Polyteia and cronn to build a solution using the Polytune MPC engine. As lead developer Dr. Maximilian Golla explained: "MPC allows us to check whether a child has vaccination records in the ESU system without exchanging data in clear text. It replaces the need for a trusted third party with cryptographic guarantees."
How MPC Solves the Privacy-Precision Dilemma
MPC works by having multiple parties encrypt their data and split it into "shares" – essentially meaningless fragments that reveal nothing individually. As depicted below, parties exchange these shares and collaboratively evaluate a logical circuit (converted from the target function) to compute results while keeping inputs private:
"Instead of sending private data to a central entity, parties encrypt data and split it into shares. The protocol evaluates the computation through these shares, revealing only the final output," the Sine Foundation team elaborated.
Technical Implementation Breakdown
The Frankfurt team faced specific constraints:
- Data Separation: Vaccination records (ESU module) and enforcement cases (protection module) stored separately
- Identifier Mismatch: Different UUIDs for same individuals across modules
- Scale: Matching 1-5 protection cases against ~6000 ESU records
Their Garble DSL program performs pair-wise equality checks between UUID sets. For 5 vs 6000 records, this generates 3.8 million AND gates – computationally intensive but feasible with modern MPC. The Garble code snippet below shows their set intersection approach:
// Simplified Garble pseudocode for vaccination check
fn vaccination_check(esu_ids: [Uuid], protection_ids: [Uuid]) -> bool {
    let mut found_match = false;
    for p_id in protection_ids {
        for e_id in esu_ids {
            // Compare UUIDs via secret shares. Every pair is compared, since a
            // circuit cannot branch or exit early on private data; the result
            // is OR-accumulated into found_match.
            if p_id == e_id {
                found_match = true;
            }
        }
    }
    found_match
}
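To make the gate count concrete, here is an added Python model (not the project's Polytune or Garble code) that builds the same pairwise-equality circuit, evaluates it in the clear and counts AND gates, the cost metric that matters because XOR and NOT are free in garbled-circuit protocols. It assumes 128-bit UUIDs, charges 127 ANDs per equality test and one per OR accumulation, and reproduces the article's ~3.8 million figure for 5 vs 6000 records.

```python
from __future__ import annotations
from dataclasses import dataclass
from uuid import UUID


@dataclass
class Circuit:
    """Minimal boolean-circuit model: only AND gates are charged (free-XOR)."""
    and_gates: int = 0

    def xor(self, a: bool, b: bool) -> bool:
        return a ^ b                      # free gate

    def not_(self, a: bool) -> bool:
        return not a                      # free gate

    def and_(self, a: bool, b: bool) -> bool:
        self.and_gates += 1               # the only gate we count
        return a and b

    def or_(self, a: bool, b: bool) -> bool:
        # OR via De Morgan: one AND gate plus free NOTs
        return self.not_(self.and_(self.not_(a), self.not_(b)))


def to_bits(u: UUID, width: int = 128) -> list[bool]:
    return [bool((u.int >> i) & 1) for i in range(width)]


def eq_bits(c: Circuit, x: list[bool], y: list[bool]) -> bool:
    # Equality of two bit-vectors: NOT(x_i XOR y_i) per bit, then AND-reduce (width-1 ANDs).
    acc = c.not_(c.xor(x[0], y[0]))
    for xi, yi in zip(x[1:], y[1:]):
        acc = c.and_(acc, c.not_(c.xor(xi, yi)))
    return acc


def vaccination_check(c: Circuit, esu_ids: list[UUID], protection_ids: list[UUID]) -> bool:
    # Same structure as the Garble program above: every pair is compared and the
    # results are OR-accumulated, because a circuit cannot branch or break early.
    esu_bits = [to_bits(u) for u in esu_ids]
    found = False
    for p in protection_ids:
        p_bits = to_bits(p)
        for e_bits in esu_bits:
            found = c.or_(found, eq_bits(c, p_bits, e_bits))
    return found


def run_check(esu: list[int], prot: list[int]) -> tuple[bool, int]:
    """Evaluate the circuit in the clear on integer-encoded UUIDs; return (match?, AND gates)."""
    c = Circuit()
    hit = vaccination_check(c, [UUID(int=i) for i in esu], [UUID(int=i) for i in prot])
    return hit, c.and_gates


def and_gate_estimate(n_esu: int, n_prot: int, width: int = 128) -> int:
    """Closed form of what the circuit charges: (width-1) ANDs per equality + 1 per OR."""
    return n_esu * n_prot * width


if __name__ == "__main__":
    # Constructed sample data: 20 ESU records, 3 protection cases, one overlap (1005).
    print(run_check(list(range(1000, 1020)), [7, 1005, 9]))   # (True, 7680)
    print(and_gate_estimate(6000, 5))                         # 3840000, the article's ~3.8 million
```

Running the full 5 x 6000 case through run_check works but takes a few seconds in pure Python; and_gate_estimate gives the same count without evaluating the circuit.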
Deployment Architecture
Integration required Kubernetes pods with strict security:
1. Separate pods for measles/ESU connectors + Polytune instances
2. mTLS-secured communication via cronn-developed gateway
3. JWT authentication for intra-pod components
The architecture ensures even compromised components can't access raw data:
Why This Matters Beyond Healthcare
While this implementation solves a specific public health problem, its implications reach further:
- Internal Zero Trust: MPC isn't just for external parties. This deployment demonstrates how organizations can minimize internal data access through cryptographic enforcement
- GDPR Compliance Blueprint: Provides a template for processing sensitive data under strict regulations
- Practical Cryptography: Shows MPC moving from academic theory to production systems
Yet challenges remain: MPC integration requires significant engineering effort, and GDPR interpretations for cryptographic processing remain unsettled. As the team notes: "Legal uncertainty creates roadblocks for employing MPC for critical data. We're still on the path toward seamless usage."
This Frankfurt pilot proves MPC's viability for unlocking siloed data. With open-sourced components like Polytune and Garble, it offers a replicable model for privacy-preserving data collaboration across government and enterprise systems.