Download presentation

Presentation is loading. Please wait.

Published byMiguel Williamson Modified over 2 years ago

1
Polylogarithmic Private Approximations and Efficient Matching Piotr Indyk MIT David Woodruff MIT, Tsinghua TCC 2006

2
a {0,1} n b {0,1} n Want to compute some function F(a,b) Security: protocol does not reveal anything except for the value F(a,b) –Semi-honest: both parties follow protocol –Malicious: parties are adversarial Efficiency: want to exchange few bits Secure communication Alice Bob

3
Secure Function Evaluation (SFE) [Yao, GMW]: If F computed by circuit C, then F can be computed securely with O~(|C|) bits of communication [GMW] + … + [NN]: can assume parties semi- honest –Semi-honest protocol can be compiled to give security against malicious parties Problem: circuit size at least linear in n * O~() hides factors poly(k, log n)

4
Secure and Efficient Function Evaluation Can we achieve sublinear communication? With sublinear communication, many interesting problems can be solved only approximately. What does it mean to have a private approximation? Efficiency: want SFE with communication comparable to insecure case

5
Private Approximation [FIMNSW01]: A protocol computing an approximation G(a,b) of F(a,b) is private, if each party can simulate its view of the protocol given the exact value F(a,b) Not sufficient to simulate non-private G(a,b) using SFE Example: –Define G(a,b): bin(G(a,b)) i =bin( (a,b)) i if i>0 bin(G(a,b)) 0 =a 0 –G(a,b) is a 1 -approximation of (a,b), but not private Popular protocols for approximating (a,b), e.g., [KOR98], are not private

6
Approximating Hamming Distance [FIMNSW01]: A private protocol with complexity O~(n 1/2 / ) – (a,b) small: compute (a,b) exactly in O~( (a,b)) bits – (a,b) high: sample O~(n/ (a,b)) (a-b) i, estimate (a,b) Our main result: –Complexity: O~(1/ 2 ) bits –Works even for L 2 norm, i.e., estimates ||a-b|| 2 for a,b {1…M} n * O~() hides factors poly(k, log n, log M, log 1/ )

7
Crypto Tools Efficient OT 1 n : –P1 has A[1] … A[n] 2 {0,1} m, P2 has i 2 [n] –Goal: P2 privately learns A[i], P1 learns nothing –Can be done using O~(m) communication [CMS99, NP99] Circuits with ROM [NN01] (augments [Yao86]) –Standard AND/OR/NOT gates –Lookup gates: In: i Out: M gate [i] –Can just focus on privacy of the output Communication at most O~(m|C|)

8
High-dimensional tools Random projection: –Take a random orthonormal n n matrix D, that is ||Dx|| = ||x|| for all x. –There exists c>0 s.t. for any x R n, i=1…n Pr[ (Dx) i 2 > ||Dx|| 2 /n * k] < e -ck

9
Approximating ||a-b|| Recall: –Alice has a 2 [M] d, Bob has b 2 [M] d –Goal: privately estimate ||a-b||, x=a-b –Suffices to estimate ||a-b|| 2

10
Protocol Intuition 1.Alice and Bob agree upon a random orthonormal matrix D Efficient by exchanging a seed of a PRG 2.Alice and Bob rotate vectors a,b, obtaining Da, Db ||Da-Db|| = ||a-b|| D spreads the mass of the difference vector uniformly across the n coordinates. Can now try obliviously sampling coordinates as in [FIMNSW01]

11
Protocol Intuition Cond 1.Alice and Bob agree upon random orthonormal D 2.Alice and Bob rotate a,b, obtaining Da, Db 3.Use secure circuit with ROMs Da and Db to: i.Circuit obtains (Da) i and (Db) i for many random indices i Problem: Now what? Samples leak a lot of info! Fix: - Suppose you know upper bound T with T ¸ ||a-b|| 2 - Flip a coin z with heads probability n((Da) i – (Db) i ) 2 /(kT) - Then E[z] = n||Da-Db|| 2 /(nkT) = ||a-b|| 2 /(kT) - E[z] only depends on ||a-b||, and z only depends on E[z]!

12
Protocol Intuition Cond 1.Alice and Bob agree upon random orthonormal D 2.Alice and Bob rotate a,b, obtaining Da, Db 3.Use secure circuit with ROMs Da, Db, to: i.Obtain (Da) i and (Db) i for L random i ii.Generate Bernoulli z 1, …, z L with E[z i ] = ||a-b|| 2 /(kT) iii.Output kT z i /L Privacy: View only depends on ||a-b|| Problem: Correctness! A priori bound T=M 2 n, but ||a-b|| 2 may be (1), so (n) samples required. Fix: Private binary search on T

13
Protocol Intuition Cond … 3.Use secure circuit with ROMs Da, Db to: i.Obtain (Da) i and (Db) i for L random i ii.Generate Bernoulli z 1, …, z L with E[z i ] = ||a-b|| 2 /(kT) iii.Output kT z i /L Fix: - Private binary search on T - If many z i = 0, then intuitively can replace T with T/2 - Eventually T = ~(||a-b|| 2 ) - We will show: final choice of T is simulatable!

14
One last detail Want to show final choice of T is simulatable Estimate is kT z i /L and we stop when many z i = 1 Recall E[z i ] = ||a-b|| 2 /(kT) Key Observation: Since orthonormal D is uniformly random, can guarantee that if many z i = 0, then ||a-b|| 2 << T. Note: - Suppose didnt use D, and a = (M, 0, …, 0), b = (0, …, 0) - Then ||a-b|| 2 = M 2 is large, but almost always z i = 0, so youll choose T < ||a-b|| 2. - Not simulatable since T depends on the structure of a, b

15
Algorithm vs. Simulation SIMULATION Repeat –Generate L independent bits z i such that Pr[z i =1]= ||a-b|| 2 /Tk –T=T/2 Until Σ i z i (L/k) Output E= Σ i z i /L * 2Tk as an estimate of ||a-b|| 2 ALGORITHM Repeat –Generate L independent bits z i such that Pr[z i =1]= ||D(a-b)|| 2 /Tk –T=T/2 Until Σ i z i (L/k) Output E= Σ i z i /L * 2Tk as an estimate of ||a-b|| 2 Recall:||D(a-b)||=||a-b|| Communication = O~(L) = O~(1/ 2 )

16
Other Results private nearest neighborprivate all-pairs nearest neighbors.Use homomorphic encryption tricks to get better upper bounds for private nearest neighbor and private all-pairs nearest neighbors. private approximate nearest neighbor problem:Define private approximate nearest neighbor problem: –Requires a new definition of private approximations for functionalities that can return sets of values. –Achieve small communication in this setting.

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google