Download presentation

Presentation is loading. Please wait.

Published byZachary Willis Modified over 4 years ago

1
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress

2
Outline 1.Private approximation of L 2 distance 2.Private near neighbor 3.Private approximate near neighbor

3
1. Private approximation of L 2 distance

4
a {0,1} n b {0,1} n Want to compute some function F(a,b) Security: protocol does not reveal anything except for the value F(a,b) –Semi-honest: both parties follow protocol –Malicious: parties are adversarial Efficiency: want to exchange few bits Secure communication Alice Bob

5
Secure Function Evaluation (SFE) [Yao, GMW]: If F computed by circuit C, then F can be computed securely with O~(|C|) bits of communication [GMW] + … + [NN]: can assume parties semi- honest –Semi-honest protocol can be compiled to give security against malicious parties Problem: circuit size at least linear in n * O~() hides factors poly(k, log n)

6
Secure and Efficient Function Evaluation Can we achieve sublinear communication? Ideally: secure computation with communication comparable to insecure case With sublinear communication, many interesting problems can be solved only approximately. What does it mean to have a private approximation?

7
Private Approximation [FIMNSW01]: A protocol computing an approximation G(a,b) of F(a,b) is private, if each party can simulate its view of the protocol given the exact value F(a,b) Note: not sufficient to simulate non-private G(a,b) using SFE Example: –Define G(a,b): bin(G(a,b)) i =bin( (a,b)) i if i>0 bin(G(a,b)) 0 =a 0 –G(a,b) is a 1 -approximation of (a,b), but not private

8
Concrete Pitfall: Dimension Reduction A basic problem: Hamming distance (a,b) Approximate decision version: with prob. 1-, –If (a,b)r, answer NO –If (a,b)r(1+ ), answer YES [Kushilevitz-Ostrovsky-Rabani98]: –Create m n binary matrix D, where Pr[D ij =1]= 1/(2r) for m= O~(log 1/ / 2 ) –Exchange Da, Db (mod 2) –Answer YES if wt[D(a-b)]>r, r function of r, NOTE: This protocol was not designed to be private

9
Non-Privacy of KOR Let x = a – b. If, wt(x) = r, r log n ¼ m then can recover x from D, Dx in O(mn) time! Algorithm: for j=1…n, estimate Pr[ =1| d ij =1] = Pr[ =1 d ij =1]/Pr[d ij =1] –If x j =1 then Pr[ =1|d ij =1] is high –If x j =0 then Pr[ =1|d ij =1] is low

10
Approximating Hamming Distance [FIMNSW01]: A private protocol with complexity O~(n 1/2 / ) –wt(x) small: compute wt(x) using O~(wt(x)) bits –wt(x) high: sample O~(n/wt(x)) x i, estimate wt(x) Our result: –Complexity: O~(1/ 2 ) bits –Works even for L 2 norm, i.e., estimates ||x|| 2 for a,b {1…M} n * O~() hides factors poly(k, log n, log M, log 1/ )

11
Crypto Tools SFE of circuits [Yao86]: O~(|circuit|) communication Efficient SPIR or OT 1 n : –Alice has A[1] … A[n] 2 {0,1} m, Bob has i 2 [n] –Goal: Bob privately learns A[i] and thats it –Can be done using O~(m) communication [CMS99, NP99] Circuits with ROM [Naor, Nissim01]: –Standard AND/OR/NOT gates –Lookup gates: In: i Out: M gate [i] –Takes care of the security of computation: begin secure … end secure –Can just focus on privacy of the output Communication at most O~(m|C|)

12
High-dimensional tools Random projection: –Take a random orthonormal n n matrix D, that is ||Dx|| = ||x|| for all x. –There exists c>0 s.t. for any x R n, i=1…n Pr[ (Dx) i 2 > ||Dx|| 2 /n * k] < e -ck

13
Approximating ||a-b|| 2 Recall: –Alice has a 2 [M] d, Bob has b 2 [M] d –Goal: estimate ||x|| 2, x=a-b

14
Algorithm Alice and Bob create random orthonormal matrix D such that, for each i=1…n (Dx) i 2 < k||x|| 2 /n T=M 2 n+1 Repeat –{Assertion: ||x|| 2 T} –Invoke P RIVATE S AMPLE to get L=O~(1/ 2 ) independent bits z i such that Pr[z i =1]=||Dx|| 2 /(Tk) –T = T/2 Until Σ i z i L/(4k) Output E= Σ i z i /L * 2Tk as an estimate of ||x|| 2 Correctness: –Unbiased estimator –High probablity from Chernoff bound SECURE!

15
P RIVATE S AMPLE P=Tk/n Pick random t [n] Retrieve (Da) t, (Db) t Compute (Dx) t = (Da) t - (Db) t Define v=[(Dx) t ] 2 If v P then generate z s.t. Pr[z=1]=v/P Else output fail Output z Correct as long as (Dx) 2 i < Tk/n for each i=1…n SECURE! Generate independent bits z i with E[z i ] = ||Dx|| 2 /(Tk)

16
Algorithm, again Alice and Bob create random * orthonormal ** matrix D such that, for each i=1…n (Dx) i 2 < ||x|| 2 /n * k T=M 2 n+1 Repeat –{Assertion: ||x|| 2 T} –Invoke P RIVATE S AMPLE to get L=O~(1/ 2 ) independent bits z i such that Pr[z i =1]= ||Dx|| 2 /Tk { Works as long as (Dx) 2 i < Tk/n for each i=1…n} – T=T/2 Until Σ i z i L/(4k) Output E= Σ i z i /L * 2Tk as an estimate of ||x|| 2 If Assertion not true, then Pr[z i =1]>1/(2k) E[Σ i z i ] > L/(2k) >> L/(4k)

17
Simulation SIMULATION Repeat –Choose L independent bits z i such that Pr[z i =1]= ||x|| 2 /Tk –T=T/2 Until Σ i z i (L/k) Output E= Σ i z i /L * 2Tk as an estimate of ||x|| 2 ALGORITHM Repeat –{Assertion: ||x|| 2 T} –Invoke P RIVATE S AMPLE to get L independent bits z i such that Pr[z i =1]= ||Dx|| 2 /Tk –T=T/2 Until Σ i z i (L/k) Output E= Σ i z i /L * 2Tk as an estimate of ||x|| 2 Recall: ||Dx||=||x|| Communication: O~(1/ 2 )

18
2. Private near neighbor

19
Private Near Neighbor q 2 [U] d P = p 1, p 2, …, p n 2 {1, 2, …, U} d = [U] d Distance function: f(x,y) Correctness: Bob learns min i f(q, p i ) Privacy: Alice learns nothing, Bob learns nothing else Goal: Minimize communication AliceBob

20
Private Near Neighbor f(a,b) = i f i (a i, b i ) L 2 Generalized Hamming Set Difference Previous [DA]O~(ndU)O~(nd)O~(ndU) Our ResultsO~(dU+n)O~(n+d)O~(d 2 + n)O~(n+d) [DA] needs 3 rd party, we dont Approach: homomorphic encryption + secure function evaluation (SFE) n points, dimension d, universe [U]

21
Coordinate-wise distance functions q 2 [U] d P = p 1, p 2, …, p n 2 [U] d AliceBob Bob: 1. For each coordinate, create a degree-(U-1) polynomial g j (x) = i a i,j x i such that g j (u) = f j (q j, u) for all u 2 [U] 2. Generate (SK, PK) for Paillier Encryption scheme. Send PK and E PK (a i, j ) for all i,j Alice: 1. For all i, E( j g j (p i,j )) = E(f(q, p i )) SFE: Inputs: Alice – E(f(q, p i )) Bob - SK 1. Bob gets min i D SK (E(f(q, p i ))) Coordinate-wise distance functions: f(a,b) = f i (a i, b i ) E(x), E(y) -> E(x + y) E(x), c -> E(cx)

22
Generic distance functions Security: 1. Replace SFE with oracle 2. Alice View indistinguishable from PK, E(0), E(0), …, E(0) – E semantically secure 3. Bob View just = output Efficiency: 1. Send polynomials = O~(dU) 2. SFE = O~(n) (simple circuit)

23
Private Near Neighbor Pointwise distance L 2 Generalized Hamming Set Difference Previous [DA]O~(ndU)O~(nd)O~(ndU) Our ResultsO~(dU+n)O~(n+d)O~(d 2 + n)O~(n+d) n points, dimension d, universe [U] (homomorphic tricks) Alice x 1, …, x n 2 {0,1} d, Bob y 1, …, y n 2 {0,1} d, Threshold t Bob gets all x i s.t. (x i, y j ) < t for some j Communication: O~(n 2 + nd 2 ). Resolves open question of [FNP04]: [FNP04] achieve O~((d choose t)nt) May be superpolynomial in n

24
3. Private Approximate Near Neighbor

25
Private Near Neighbor Drawback: Protocols depend linearly on # points n Necessary? Not if algebraically homomorphic E exists Our approach: solve the approximate problem

26
Private c-Approximate Near Neighbor Alice has P = {p 1, …, p n } {0,1} d, Bob has q {0,1} d PrPr P cr Notation: P r = P B(q, r) Correctness: P r nonempty Bob learns some element of P cr Privacy: Bobs view simulatable given q and P cr

27
Private Approximate Near Neighbor Definition Remarks: Privacy: Dont care what Bob gets as long as it follows from P cr Simulator gets P cr Correctness: Dont specify anything if P r empty, but view still simulatable Our results: - O~(n 1/2 + d) - If Bob just wants some coordinate of an element of P cr, then improve to O~(n 1/2 + polylog(d))

28
Private Approximate Near Neighbor Two approaches: 1. Dimensionality Reduction in Hamming Cube [KOR98] 2. Locality Sensitive Hashing [IM98] This talk: protocol using #1

29
Dimensionality Reduction [KOR]: Let A be random m times d binary matrix, m = O(log d / 2 ) Then there is a separator r s.t. with probability 1-1/n 2, for any p,q {0,1} d 1. (p,q) > cr (Ap, Aq) > r 2. (p,q) · r (Ap, Aq) < r Idea: Alice 1. Applies A to P dimension small 2. Enumerates all w {0,1} m, forms array: B[w]={p 2 P s.t. (Ap, w) < r} 3. Use Oblivious ROM

30
Dimensionality reduction protocol 2. Agree on k matrices A 1, …, A k 3. Create array B i based on A i 4. B i [p] contains any n 1/2 points p 2 P s.t. (A i p, p) < r 5. Alice sets ROM to be the B i s P cr 1. Randomly sample O~(n 1/2 ) points P 1 2. If |P cr | > n 1/2, then P 1 Å P cr ;, w.h.p. Protocol: 6. If P 1 Å P cr ;, SFE outputs a random element of P 1. Otherwise, SFE uses [ i B i [A i q] to output a random element of P r

31
Dimensionality Reduction Analysis Properties: 1. If |P cr | > n 1/2, we output random element of P cr,w.h.p. 2. If |P cr | < n 1/2, by properties of A, for any p P r, Pr A [8 p 2 P r, (Ap, Aq) r] > 1- 1/n 3. Since bucket size is n 1/2 and |P cr | < n 1/2, p B i [A i q], P r i B i [A i q] Correctness: If |P cr | > n 1/2, output element from P cr Else output an element from P r

32
Dimensionality Reduction Analysis Communication: 1. Sampling O~(n 1/2 ) elements to ensure |P cr | < n 1/2 2. OT on O~(1) buckets of size n 1/2 Thus, balanced steps 1 & 2 O~(dn 1/2 ) total communication Simulatability: Output either a random element of P cr, or a random element of P r

33
Dimensionality Reduction Analysis Dependence on d: 1. Homomorphic encryption: O~(d + n 1/2 ) 1. Bob sends E(q 1 ), …, E(q d ) 2. Alice computes E( (p i, q)) - Uses these for sampling and bucketing 2. Reduce to O~(polylog(d) + n 1/2 ) if Bob just wants a coordinate of point in P cr – use approximations

34
Conclusions Extensions: Can achieve O(n 1/3 + d) communication if you allow the protocol to leak k bits of information Open problems: 1. Polylogarithmic Private Approximation of other distances 2. More efficient protocols for exact near neighbor. Tricks for PIR may be useful 3. Polylogarithmic c-approx NN protocol

Similar presentations

OK

On the Cryptographic Complexity of the Worst Functions Amos Beimel (BGU) Yuval Ishai (Technion) Ranjit Kumaresan (Technion) Eyal Kushilevitz (Technion)

On the Cryptographic Complexity of the Worst Functions Amos Beimel (BGU) Yuval Ishai (Technion) Ranjit Kumaresan (Technion) Eyal Kushilevitz (Technion)

© 2018 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google