IPS177 F. Ricciato et al.
                  mechanism called "cell key method" is adopted to ensure that the injected
                  perturbations are consistent across multiple queries. This approach is robust
                  to  differential  attacks  that,  instead,  represent  the  main  limitation  of  pure
                  randomized systems (where noise varies across queries). The cell key method
                  is  recommended  for  protection  of  European  census  2021  round  [13].  It  is
                  expected that it will ensure consistent protection of the census data in view of
                  making them available via various channels and access systems.

                  4.  Solution approaches to Input Privacy problem
                      When the input data are held by multiple IPs, and the computation cannot
                  be  factorized  into  independent  (sequential  or  parallel)  components,  one
                  possible solution approach to the input privacy problem is given by Secure
                  Multi-Party  Computation  (SMC)  methods  based  on  the  principle  of  secret
                  sharing.  In  a  nutshell,  with  SMC  every  individual  input  data  element  is
                  transformed into a set of so-called secret shares that are passed to a set of
                  (three  or  more)  intermediate  ‘computing  parties’  (CP).  The  CPs  form
                  collectively the SMC infrastructure. The secret shares are produced in a way
                  that yields two important properties. First, under certain conditions, defined
                  by the applicable attack model, secret shares do not reveal anything about the
                  input source data to the individual CPs (non-invertibility). Second, they allow
                  to compute exactly the correct output that would be obtained by a  direct
                  computation on the clear input (homomorphism). A general introduction to
                  SMC  and  secret  sharing  can  be  found  in  [6]  while  examples  of  practical
                  applications  are found in [7, 8].
                              1
                      To preserve confidentiality, each CP must not disclose the received secret
                  shares to other CPs, i.e., CPs must not collude among themselves to break the
                  confidentiality of IP data. SMC can be tuned to be robust against a subset of
                  colluding CPs. In other words, the system preserves input confidentiality as far
                  as at least one CP does not collude with the others. That means, the CPs must
                  be  trusted  collectively,  not  individually.  Then  the  problem  of  ensuring  be
                  trusted  collectively,  not  individually.  Then  the  problem  of  ensuring
                  confidentiality moves up to an institutional level, and translates into the task
                  of identifying a suitable set of CP. An important property of SMC plays in our
                  favour: in practical deployment, the same institution can play multiple roles.
                  For example, one data holder serving as IP can at the same time host one CP
                  instance – obviously he would never collude with other CPs against himself.
                  Also, one entity (e.g., the SO) can play contemporarily the roles of IP, OP and
                  CP.



                  1  The relationship between SMC and personal data protection legislation presents some
                  open issues that go beyond the scope of the present contribution, see e.g. the discussion in
                  [15].
                                                                     461 | I S I   W S C   2 0 1 9