Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Published byZachary Willis Modified over 10 years ago

Similar presentations

Presentation on theme: "Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress."— Presentation transcript:

1 Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress

2 Outline 1.Private approximation of L 2 distance 2.Private near neighbor 3.Private approximate near neighbor

3 1. Private approximation of L 2 distance

4 a {0,1} n b {0,1} n Want to compute some function F(a,b) Security: protocol does not reveal anything except for the value F(a,b) –Semi-honest: both parties follow protocol –Malicious: parties are adversarial Efficiency: want to exchange few bits Secure communication Alice Bob

5 Secure Function Evaluation (SFE) [Yao, GMW]: If F computed by circuit C, then F can be computed securely with O~(|C|) bits of communication [GMW] + … + [NN]: can assume parties semi- honest –Semi-honest protocol can be compiled to give security against malicious parties Problem: circuit size at least linear in n * O~() hides factors poly(k, log n)

6 Secure and Efficient Function Evaluation Can we achieve sublinear communication? Ideally: secure computation with communication comparable to insecure case With sublinear communication, many interesting problems can be solved only approximately. What does it mean to have a private approximation?

7 Private Approximation [FIMNSW01]: A protocol computing an approximation G(a,b) of F(a,b) is private, if each party can simulate its view of the protocol given the exact value F(a,b) Note: not sufficient to simulate non-private G(a,b) using SFE Example: –Define G(a,b): bin(G(a,b)) i =bin( (a,b)) i if i>0 bin(G(a,b)) 0 =a 0 –G(a,b) is a 1 -approximation of (a,b), but not private

8 Concrete Pitfall: Dimension Reduction A basic problem: Hamming distance (a,b) Approximate decision version: with prob. 1-, –If (a,b)r, answer NO –If (a,b)r(1+ ), answer YES [Kushilevitz-Ostrovsky-Rabani98]: –Create m n binary matrix D, where Pr[D ij =1]= 1/(2r) for m= O~(log 1/ / 2 ) –Exchange Da, Db (mod 2) –Answer YES if wt[D(a-b)]>r, r function of r, NOTE: This protocol was not designed to be private

9 Non-Privacy of KOR Let x = a – b. If, wt(x) = r, r log n ¼ m then can recover x from D, Dx in O(mn) time! Algorithm: for j=1…n, estimate Pr[ =1| d ij =1] = Pr[ =1 d ij =1]/Pr[d ij =1] –If x j =1 then Pr[ =1|d ij =1] is high –If x j =0 then Pr[ =1|d ij =1] is low

10 Approximating Hamming Distance [FIMNSW01]: A private protocol with complexity O~(n 1/2 / ) –wt(x) small: compute wt(x) using O~(wt(x)) bits –wt(x) high: sample O~(n/wt(x)) x i, estimate wt(x) Our result: –Complexity: O~(1/ 2 ) bits –Works even for L 2 norm, i.e., estimates ||x|| 2 for a,b {1…M} n * O~() hides factors poly(k, log n, log M, log 1/ )

11 Crypto Tools SFE of circuits [Yao86]: O~(|circuit|) communication Efficient SPIR or OT 1 n : –Alice has A[1] … A[n] 2 {0,1} m, Bob has i 2 [n] –Goal: Bob privately learns A[i] and thats it –Can be done using O~(m) communication [CMS99, NP99] Circuits with ROM [Naor, Nissim01]: –Standard AND/OR/NOT gates –Lookup gates: In: i Out: M gate [i] –Takes care of the security of computation: begin secure … end secure –Can just focus on privacy of the output Communication at most O~(m|C|)

12 High-dimensional tools Random projection: –Take a random orthonormal n n matrix D, that is ||Dx|| = ||x|| for all x. –There exists c>0 s.t. for any x R n, i=1…n Pr[ (Dx) i 2 > ||Dx|| 2 /n * k] < e -ck

13 Approximating ||a-b|| 2 Recall: –Alice has a 2 [M] d, Bob has b 2 [M] d –Goal: estimate ||x|| 2, x=a-b

14 Algorithm Alice and Bob create random orthonormal matrix D such that, for each i=1…n (Dx) i 2 < k||x|| 2 /n T=M 2 n+1 Repeat –{Assertion: ||x|| 2 T} –Invoke P RIVATE S AMPLE to get L=O~(1/ 2 ) independent bits z i such that Pr[z i =1]=||Dx|| 2 /(Tk) –T = T/2 Until Σ i z i L/(4k) Output E= Σ i z i /L * 2Tk as an estimate of ||x|| 2 Correctness: –Unbiased estimator –High probablity from Chernoff bound SECURE!

15 P RIVATE S AMPLE P=Tk/n Pick random t [n] Retrieve (Da) t, (Db) t Compute (Dx) t = (Da) t - (Db) t Define v=[(Dx) t ] 2 If v P then generate z s.t. Pr[z=1]=v/P Else output fail Output z Correct as long as (Dx) 2 i < Tk/n for each i=1…n SECURE! Generate independent bits z i with E[z i ] = ||Dx|| 2 /(Tk)

16 Algorithm, again Alice and Bob create random * orthonormal ** matrix D such that, for each i=1…n (Dx) i 2 < ||x|| 2 /n * k T=M 2 n+1 Repeat –{Assertion: ||x|| 2 T} –Invoke P RIVATE S AMPLE to get L=O~(1/ 2 ) independent bits z i such that Pr[z i =1]= ||Dx|| 2 /Tk { Works as long as (Dx) 2 i < Tk/n for each i=1…n} – T=T/2 Until Σ i z i L/(4k) Output E= Σ i z i /L * 2Tk as an estimate of ||x|| 2 If Assertion not true, then Pr[z i =1]>1/(2k) E[Σ i z i ] > L/(2k) >> L/(4k)

17 Simulation SIMULATION Repeat –Choose L independent bits z i such that Pr[z i =1]= ||x|| 2 /Tk –T=T/2 Until Σ i z i (L/k) Output E= Σ i z i /L * 2Tk as an estimate of ||x|| 2 ALGORITHM Repeat –{Assertion: ||x|| 2 T} –Invoke P RIVATE S AMPLE to get L independent bits z i such that Pr[z i =1]= ||Dx|| 2 /Tk –T=T/2 Until Σ i z i (L/k) Output E= Σ i z i /L * 2Tk as an estimate of ||x|| 2 Recall: ||Dx||=||x|| Communication: O~(1/ 2 )

18 2. Private near neighbor

19 Private Near Neighbor q 2 [U] d P = p 1, p 2, …, p n 2 {1, 2, …, U} d = [U] d Distance function: f(x,y) Correctness: Bob learns min i f(q, p i ) Privacy: Alice learns nothing, Bob learns nothing else Goal: Minimize communication AliceBob

20 Private Near Neighbor f(a,b) = i f i (a i, b i ) L 2 Generalized Hamming Set Difference Previous [DA]O~(ndU)O~(nd)O~(ndU) Our ResultsO~(dU+n)O~(n+d)O~(d 2 + n)O~(n+d) [DA] needs 3 rd party, we dont Approach: homomorphic encryption + secure function evaluation (SFE) n points, dimension d, universe [U]

21 Coordinate-wise distance functions q 2 [U] d P = p 1, p 2, …, p n 2 [U] d AliceBob Bob: 1. For each coordinate, create a degree-(U-1) polynomial g j (x) = i a i,j x i such that g j (u) = f j (q j, u) for all u 2 [U] 2. Generate (SK, PK) for Paillier Encryption scheme. Send PK and E PK (a i, j ) for all i,j Alice: 1. For all i, E( j g j (p i,j )) = E(f(q, p i )) SFE: Inputs: Alice – E(f(q, p i )) Bob - SK 1. Bob gets min i D SK (E(f(q, p i ))) Coordinate-wise distance functions: f(a,b) = f i (a i, b i ) E(x), E(y) -> E(x + y) E(x), c -> E(cx)

22 Generic distance functions Security: 1. Replace SFE with oracle 2. Alice View indistinguishable from PK, E(0), E(0), …, E(0) – E semantically secure 3. Bob View just = output Efficiency: 1. Send polynomials = O~(dU) 2. SFE = O~(n) (simple circuit)

23 Private Near Neighbor Pointwise distance L 2 Generalized Hamming Set Difference Previous [DA]O~(ndU)O~(nd)O~(ndU) Our ResultsO~(dU+n)O~(n+d)O~(d 2 + n)O~(n+d) n points, dimension d, universe [U] (homomorphic tricks) Alice x 1, …, x n 2 {0,1} d, Bob y 1, …, y n 2 {0,1} d, Threshold t Bob gets all x i s.t. (x i, y j ) < t for some j Communication: O~(n 2 + nd 2 ). Resolves open question of [FNP04]: [FNP04] achieve O~((d choose t)nt) May be superpolynomial in n

24 3. Private Approximate Near Neighbor

25 Private Near Neighbor Drawback: Protocols depend linearly on # points n Necessary? Not if algebraically homomorphic E exists Our approach: solve the approximate problem

26 Private c-Approximate Near Neighbor Alice has P = {p 1, …, p n } {0,1} d, Bob has q {0,1} d PrPr P cr Notation: P r = P B(q, r) Correctness: P r nonempty Bob learns some element of P cr Privacy: Bobs view simulatable given q and P cr

27 Private Approximate Near Neighbor Definition Remarks: Privacy: Dont care what Bob gets as long as it follows from P cr Simulator gets P cr Correctness: Dont specify anything if P r empty, but view still simulatable Our results: - O~(n 1/2 + d) - If Bob just wants some coordinate of an element of P cr, then improve to O~(n 1/2 + polylog(d))

28 Private Approximate Near Neighbor Two approaches: 1. Dimensionality Reduction in Hamming Cube [KOR98] 2. Locality Sensitive Hashing [IM98] This talk: protocol using #1

29 Dimensionality Reduction [KOR]: Let A be random m times d binary matrix, m = O(log d / 2 ) Then there is a separator r s.t. with probability 1-1/n 2, for any p,q {0,1} d 1. (p,q) > cr (Ap, Aq) > r 2. (p,q) · r (Ap, Aq) < r Idea: Alice 1. Applies A to P dimension small 2. Enumerates all w {0,1} m, forms array: B[w]={p 2 P s.t. (Ap, w) < r} 3. Use Oblivious ROM

30 Dimensionality reduction protocol 2. Agree on k matrices A 1, …, A k 3. Create array B i based on A i 4. B i [p] contains any n 1/2 points p 2 P s.t. (A i p, p) < r 5. Alice sets ROM to be the B i s P cr 1. Randomly sample O~(n 1/2 ) points P 1 2. If |P cr | > n 1/2, then P 1 Å P cr ;, w.h.p. Protocol: 6. If P 1 Å P cr ;, SFE outputs a random element of P 1. Otherwise, SFE uses [ i B i [A i q] to output a random element of P r

31 Dimensionality Reduction Analysis Properties: 1. If |P cr | > n 1/2, we output random element of P cr,w.h.p. 2. If |P cr | < n 1/2, by properties of A, for any p P r, Pr A [8 p 2 P r, (Ap, Aq) r] > 1- 1/n 3. Since bucket size is n 1/2 and |P cr | < n 1/2, p B i [A i q], P r i B i [A i q] Correctness: If |P cr | > n 1/2, output element from P cr Else output an element from P r

32 Dimensionality Reduction Analysis Communication: 1. Sampling O~(n 1/2 ) elements to ensure |P cr | < n 1/2 2. OT on O~(1) buckets of size n 1/2 Thus, balanced steps 1 & 2 O~(dn 1/2 ) total communication Simulatability: Output either a random element of P cr, or a random element of P r

33 Dimensionality Reduction Analysis Dependence on d: 1. Homomorphic encryption: O~(d + n 1/2 ) 1. Bob sends E(q 1 ), …, E(q d ) 2. Alice computes E( (p i, q)) - Uses these for sampling and bucketing 2. Reduce to O~(polylog(d) + n 1/2 ) if Bob just wants a coordinate of point in P cr – use approximations

34 Conclusions Extensions: Can achieve O(n 1/3 + d) communication if you allow the protocol to leak k bits of information Open problems: 1. Polylogarithmic Private Approximation of other distances 2. More efficient protocols for exact near neighbor. Tricks for PIR may be useful 3. Polylogarithmic c-approx NN protocol

Download ppt "Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.
Estimating Distinct Elements, Optimally

Estimating Distinct Elements, Optimally
Rectangle-Efficient Aggregation in Spatial Data Streams Srikanta Tirthapura David Woodruff Iowa State IBM Almaden.

Rectangle-Efficient Aggregation in Spatial Data Streams Srikanta Tirthapura David Woodruff Iowa State IBM Almaden.
Fast Moment Estimation in Data Streams in Optimal Space Daniel Kane, Jelani Nelson, Ely Porat, David Woodruff Harvard MIT Bar-Ilan IBM.

Fast Moment Estimation in Data Streams in Optimal Space Daniel Kane, Jelani Nelson, Ely Porat, David Woodruff Harvard MIT Bar-Ilan IBM.
1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.

1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.
Tight Bounds for Distributed Functional Monitoring David Woodruff IBM Almaden Qin Zhang Aarhus University MADALGO Based on a paper in STOC, 2012.

Tight Bounds for Distributed Functional Monitoring David Woodruff IBM Almaden Qin Zhang Aarhus University MADALGO Based on a paper in STOC, 2012.
Tight Bounds for Distributed Functional Monitoring David Woodruff IBM Almaden Qin Zhang Aarhus University MADALGO.

Tight Bounds for Distributed Functional Monitoring David Woodruff IBM Almaden Qin Zhang Aarhus University MADALGO.
Optimal Space Lower Bounds for All Frequency Moments David Woodruff MIT

Optimal Space Lower Bounds for All Frequency Moments David Woodruff MIT
Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.
Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)
Numerical Linear Algebra in the Streaming Model Ken Clarkson - IBM David Woodruff - IBM.

Numerical Linear Algebra in the Streaming Model Ken Clarkson - IBM David Woodruff - IBM.
Private Inference Control

Private Inference Control
Optimal Space Lower Bounds for all Frequency Moments David Woodruff Based on SODA 04 paper.

Optimal Space Lower Bounds for all Frequency Moments David Woodruff Based on SODA 04 paper.
Optimal Bounds for Johnson- Lindenstrauss Transforms and Streaming Problems with Sub- Constant Error T.S. Jayram David Woodruff IBM Almaden.

Optimal Bounds for Johnson- Lindenstrauss Transforms and Streaming Problems with Sub- Constant Error T.S. Jayram David Woodruff IBM Almaden.
Sublinear-time Algorithms for Machine Learning Ken Clarkson Elad Hazan David Woodruff IBM Almaden Technion IBM Almaden.

Sublinear-time Algorithms for Machine Learning Ken Clarkson Elad Hazan David Woodruff IBM Almaden Technion IBM Almaden.
Xiaoming Sun Tsinghua University David Woodruff MIT

Xiaoming Sun Tsinghua University David Woodruff MIT
Tight Lower Bounds for the Distinct Elements Problem David Woodruff MIT Joint work with Piotr Indyk.

Tight Lower Bounds for the Distinct Elements Problem David Woodruff MIT Joint work with Piotr Indyk.
Subspace Embeddings for the L1 norm with Applications Christian Sohler David Woodruff TU Dortmund IBM Almaden.

Subspace Embeddings for the L1 norm with Applications Christian Sohler David Woodruff TU Dortmund IBM Almaden.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Similar presentations

Ads by Google