Presentation is loading. Please wait.

Presentation is loading. Please wait.

How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb."— Presentation transcript:

1 How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb

2 August 20, 2007CRYPTO 20072 Secure Function Evaluation [Yao,GMW,BGW,…] n players with private inputs x 1,…,x n Can compute any function f() over their private inputs No information beyond f() is leaked SFE tells HOW to compute f() But not What f() to compute

3 August 20, 2007CRYPTO 20073 A Client-Server Setting SFE reduces many of the general cases to the client-server setting G ClientServer

4 August 20, 2007CRYPTO 20074 WHAT should we compute? Server must/is willing to reveal a function f() of the data Secure function evaluation: Reveal f(), but no other information ??? Server should preserve individual privacy Private data analysis: (rand) functions f() satisfying differential privacy

5 August 20, 2007CRYPTO 20075 In Between (1) Server must/is willing to reveal a function f() of the data But… Computing f() is inefficient or intractable And, an efficient approx f*() exists Idea: Use SFE to compute an approx f*() to f()

6 August 20, 2007CRYPTO 20076 What Can Go Wrong? [FIMNSW01] Server holds a graph G Client asks for size of min VC f vc (G) Approx: f vc *(G) = 2MaxMatch(G) Hmmm... f VC f VC 2 2 2MaxMatch 2MaxMatch 2 4 G

7 August 20, 2007CRYPTO 20077 Private Approximations [FIMNSW01] Require: f*(G) simulatable given f(G) Hence approximation does not leak more information than exact computation Implied: f(G) = f(G’)  f*(G) ≈ f*(G’) Sometimes feasible: Hamming distance [FIMNSW01, IW06] Permanent [FIMNSW01] Sometimes not feasible: f VC not privately approx within ratio n 1-ε [HKKN01] Approx feasible with a small leakage

8 August 20, 2007CRYPTO 20078 In Between (2) Server must/is willing to solve a search problem over the data Idea: Use SFE to compute a solution? Or an approximate solution

9 August 20, 2007CRYPTO 20079 What Can Go Wrong? [BCNW06] Server holds a graph G Client asks for VC(G) Approx: A* VC (G) = MaxMatch(G) Hmmm... G 2 1 3 5 4 2 1 3 5 4 VC {2} {2} A* VC {2,3} {2,1}

10 August 20, 2007CRYPTO 200710

11 August 20, 2007CRYPTO 200711 Private Algorithms [BCNW06] R – Equivalence Relation over {0,1}* E.g. G 1 ≈ G 2 if VC(G 1 ) = VC(G 2 ) Algorithm A is private with respect to R if: x y A( ) ≈ x y

12 August 20, 2007CRYPTO 200712 Is Private Search Good? Too strong: VC does not admit private search approx algs Even with a significant relaxation [BCNW06,BHN07] If NP not in P/poly, there is a search problem in P that has no polynomial time private algorithm [BCNW06] Too weak: A private search algorithm may reveal all the solutions Does not rule out simple ways of plausible leakage

13 August 20, 2007CRYPTO 200713 Some Possible Weaknesses Randomized Algorithms:  More solutions learned by repeated querying  Fuzziness Deterministic Algorithms:  Repeated querying ineffective  Definite information learned Can we get the best of both worlds?

14 August 20, 2007CRYPTO 200714 Framework: Seeded Algorithms A – randomized algorithm Server fixes a seed s for all queries Allows selecting random solutions Prevents abuse of repeated queries G1G1 G2G2 s A A(G 2,s) A(G 1,s)

15 August 20, 2007CRYPTO 200715 Rest of the Talk Propose two new definitions Equivalence protecting Resemblance preserving Show basic implementation methodologies Summary/discuss

16 August 20, 2007CRYPTO 200716 (x2)(x2) First Definition: Equivalence Protecting Consistent oracle  :  (x)  S(x)  (x)=  (y) for all x ≈ P y A seeded algorithm A is equivalence protecting: Distinguisher  ≡c≡c A(·, ) x1x1 (x1)(x1) x2x2 s x1x1 x2x2 Random consistent oracle

17 August 20, 2007CRYPTO 200717 Equivalence Protecting: Shortest Path Def: An edge is relevant in G if it appears in some shortest path from s to t Fact I: Relevance depends only on S(G) Fact II: There exists an algorithm A rand (G,r ) that outputs a random shortest path in G s 2 t 3 1

18 August 20, 2007CRYPTO 200718 Equivalence Protecting: Shortest Path Input: A graph G A seed s for a family {f s } of pseudorandom functions Output: A path in S(G) The algorithm: 1. H = relevant edges of G 2. Compute r=f s (H) 3. Output: p= A rand (H,r )

19 August 20, 2007CRYPTO 200719 Other Equivalence Preserving Algorithms Perfect matching in bipartite graphs Solution of a linear system of equations Shortest path: weighted directed graphs

20 August 20, 2007CRYPTO 200720 Second Definition: Resemblance Preserving Motivation: protect inputs with similar solution sets Resemblance between instances x,y: A seeded algorithm A is resemblance preserving if for all instances x,y: Pr[A(x,s)=A(y,s)] ≥ r(x,y) |S(x)  S(y)| |S(x)  S(y)| r(x,y) = Fact: 0 ≤ r(x,y) ≤ 1

21 August 20, 2007CRYPTO 200721 Tool: Min-wise Independent Permutations [BroderCharikarFriezeMitzenmacher98] A family of permutations is min-wise independent if for every set A  U and a  A: Observation:

22 August 20, 2007CRYPTO 200722 A Generic Resemblance Preserving Algorithm Input: An input x A seed s for a family of min-wise independent permutations Output: A solution in S(x) Algorithm: Output sol  S(x) such that Algorithmic challenge: Find sol efficiently.

23 August 20, 2007CRYPTO 200723 Other Resemblance Preserving Algorithms (non-) Roots of polynomials Solution of a linear system of equations Satisfying assignment of a DNF formula

24 August 20, 2007CRYPTO 200724 Summary Presented two intuitive variants of private search Equivalence protecting Resemblance preserving Constructed algorithms satisfying definitions Privacy implications of search problems are not well understood Even (seemingly minimal) requirements of privacy are hard to attain  Different privacy requirements for different setups Is there an order in the mess? A methodology for comparing/justifying definitions

25 August 20, 2007CRYPTO 200725 BSF-DIMACS Privacy Workshop @DIMACS/Rutgers University Interdisciplinary February 4-7 Organizers: B. Pinkas, K.N., and R. Wright (some) Funding available To be added to mailing list: kobbi@cs.bgu.ac.il kobbi@cs.bgu.ac.il

26 August 20, 2007CRYPTO 200726 A (Seemingly) Minimal Requirement Private search algorithm [BCNW06]: VC(G) = VC(G’)  A* VC (G) ≈ A* VC (G’) A* VC should not distinguish graphs that have the same set of solutions A generalization of private approximation [FIMNSW01]

Download ppt "How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
NP-Hard Nattee Niparnan.

NP-Hard Nattee Niparnan.
Generalization and Specialization of Kernelization Daniel Lokshtanov.

Generalization and Specialization of Kernelization Daniel Lokshtanov.
Max Cut Problem Daniel Natapov.

Max Cut Problem Daniel Natapov.
COMP 553: Algorithmic Game Theory Fall 2014 Yang Cai Lecture 21.

COMP 553: Algorithmic Game Theory Fall 2014 Yang Cai Lecture 21.
Private Approximation of Search Problems Amos Beimel Paz Carmi Kobbi Nissim Enav Weinreb Ben Gurion University Research partially Supported by the Frankel.

Private Approximation of Search Problems Amos Beimel Paz Carmi Kobbi Nissim Enav Weinreb Ben Gurion University Research partially Supported by the Frankel.
Department of Computer Science & Engineering

Department of Computer Science & Engineering
1 NP-Complete Problems. 2 We discuss some hard problems:  how hard? (computational complexity)  what makes them hard?  any solutions? Definitions 

1 NP-Complete Problems. 2 We discuss some hard problems:  how hard? (computational complexity)  what makes them hard?  any solutions? Definitions 
15-251 Great Theoretical Ideas in Computer Science for Some.

Great Theoretical Ideas in Computer Science for Some.
© The McGraw-Hill Companies, Inc., 2005 8 - 1 Chapter 8 The Theory of NP-Completeness.

© The McGraw-Hill Companies, Inc., Chapter 8 The Theory of NP-Completeness.
1 The Monte Carlo method. 2 (0,0) (1,1) (-1,-1) (-1,1) (1,-1) 1 Z= 1 If  X 2 +Y 2  1 0 o/w (X,Y) is a point chosen uniformly at random in a 2  2 square.

1 The Monte Carlo method. 2 (0,0) (1,1) (-1,-1) (-1,1) (1,-1) 1 Z= 1 If  X 2 +Y 2  1 0 o/w (X,Y) is a point chosen uniformly at random in a 2  2 square.
A Fairy Tale of Greedy Algorithms Yuli Ye Joint work with Allan Borodin, University of Toronto.

A Fairy Tale of Greedy Algorithms Yuli Ye Joint work with Allan Borodin, University of Toronto.
Complexity ©D.Moshkovits 1 Hardness of Approximation.

Complexity ©D.Moshkovits 1 Hardness of Approximation.
Complexity 16-1 Complexity Andrei Bulatov Non-Approximability.

Complexity 16-1 Complexity Andrei Bulatov Non-Approximability.
Computability and Complexity 23-1 Computability and Complexity Andrei Bulatov Search and Optimization.

Computability and Complexity 23-1 Computability and Complexity Andrei Bulatov Search and Optimization.
Complexity 15-1 Complexity Andrei Bulatov Hierarchy Theorem.

Complexity 15-1 Complexity Andrei Bulatov Hierarchy Theorem.
1 Polynomial Church-Turing thesis A decision problem can be solved in polynomial time by using a reasonable sequential model of computation if and only.

1 Polynomial Church-Turing thesis A decision problem can be solved in polynomial time by using a reasonable sequential model of computation if and only.
1 Optimization problems such as MAXSAT, MIN NODE COVER, MAX INDEPENDENT SET, MAX CLIQUE, MIN SET COVER, TSP, KNAPSACK, BINPACKING do not have a polynomial.

1 Optimization problems such as MAXSAT, MIN NODE COVER, MAX INDEPENDENT SET, MAX CLIQUE, MIN SET COVER, TSP, KNAPSACK, BINPACKING do not have a polynomial.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
A general approximation technique for constrained forest problems Michael X. Goemans & David P. Williamson Presented by: Yonatan Elhanani & Yuval Cohen.

A general approximation technique for constrained forest problems Michael X. Goemans & David P. Williamson Presented by: Yonatan Elhanani & Yuval Cohen.

Similar presentations

Ads by Google