Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems Omer Barkol Yuval Ishai Technion.


Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems
Omer Barkol, Yuval Ishai (Technion)

Motivation: private database search
- Client holds a query q, e.g. “fermat” and (“last theorem” or “great theorem”); server holds a database D, e.g. an article on Fermat’s Last Theorem. The client should learn f(q,D), while the server should not learn q (“What is he working on?”).
- Want: server work O(|D|), client work O(|q|), communication O(|q|).
- Special case: PIR [CGKS95], where f(q,D) = D_q (and its server-private variants OT/SPIR).

Current approaches
- Send all of D to the client: too much communication (|D|), no server privacy.
- Use general-purpose secure computation [Yao86, GMW87]: communication > circuit size > |D|.
- Use PIR as a building block: PIR + data structures [CGN97, FIPR05, OS05]. Applies to a very limited class of problems: set membership / keyword search, approximate nearest neighbor.
- Communication-preserving protocol compiler [NN01]: generally requires exponential computation (“Oh no! This might take me 7 years!”).
- Benchmark: partial match, e.g. f(*1*0, {0010, 0110, 1111}) = 1, and the server learns nothing.

Observation: many database search problems can be implemented by constant-depth circuits
- (Figure: a depth-2 circuit with inputs x1, x2, …, xm and one output.)
- Gates: OR, AND, NOT and XOR, with unbounded fan-in and fan-out.
- Depth: length of the longest input→output path.

Observation: many database search problems can be implemented by constant-depth circuits
- (Figure: the query q becomes the circuit input x, the database D is hardwired into the circuit C, and C(x) = f(q,D).)

Example: partial match
- (Figure: query *1*0 against the database rows 1010, 0110, 1011, 1110; output 1.)
- Preprocess: 0 → 10, 1 → 01, * → 11.
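As an added example (not from the talk), the preprocessing above turned into the n-term DNF that the database is hardwired into, evaluated on the encoded query; the function names are my own.

```python
# Encoding from the slide: 0 -> 10, 1 -> 01, * -> 11.
ENC = {"0": (1, 0), "1": (0, 1), "*": (1, 1)}

def encode_query(q):
    # q in {0,1,*}^m becomes x in {0,1}^(2m); x[2i+b] = 1 iff q[i] is b or *
    return [bit for c in q for bit in ENC[c]]

def partial_match_dnf(database):
    # hardwire D into the circuit: one AND term per row d_j, with
    # term_j = AND over positions i of x[2i + d_j[i]]  (a monotone n-term DNF)
    return [[2 * i + int(b) for i, b in enumerate(row)] for row in database]

def eval_dnf(x, terms):
    # the depth-2 circuit C(x) = OR_j AND_{k in term_j} x[k]
    return int(any(all(x[k] for k in term) for term in terms))

def partial_match(q, database):
    # f(q, D) = 1 iff some row of D agrees with q on every non-* position
    return eval_dnf(encode_query(q), partial_match_dnf(database))

def matching_rows(q, database):
    # reference check by plain string comparison
    return [row for row in database
            if all(a == "*" or a == b for a, b in zip(q, row))]
```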

Observation: many database search problems can be implemented by constant-depth circuits
- (Figure: q → x, D → C, C(x) = f(q,D).) Evaluating C on the client’s hidden input is “computing on encrypted data”, a longstanding question; the case of 2-DNF was recently solved [BGN05].

Relaxation: multiple servers
- (Figure: the circuit C is replicated at several servers; the client learns C(x); a coalition of t servers asks “x?” and learns nothing.)
- Used in information-theoretic PIR.
- Replicated databases are common: p2p networks, web content delivery (e.g., Akamai).
- t-privacy: the client can choose servers he trusts.

Main results
t-secure protocol with:
- Servers: t·(log|C|)^(depth−1)
- Communication: Õ(|x|)
- Client computation: Õ(|x|)
- Server computation: Õ(|C|)
- Rounds: 1
Communication and work are optimal up to polylog factors.

Main results: DNF/CNF/partial match
n-term DNF / database with n entries, security threshold 1. Secure protocol with:
- Servers: ½ log n
- Communication: Õ(|x|)
- Client computation: Õ(|x|)
- Server computation: Õ(n)
Example: if D has 2^30 entries, we need ~15 servers.

Second model: multiparty computation
- (Figure: k parties with inputs x1, x2, x3, x4, x5, …; x = x1∘x2∘…∘xk; the parties jointly compute C(x) for a constant-depth circuit C.)
- General-purpose secure computation [GMW87, BGW88, CCD88]: communication > circuit size.
- Communication-efficient multiparty computation [BFKR90]: computation exponential in |x|; number of servers.

Results: multiparty setting
t-secure multiparty protocol with:
- Parties: t·(log|C|)^(depth−1)
- Communication: Õ(|x|·poly(#parties))
- Computation: Õ(|C|)
- Rounds: O(1)
Optimal up to polylog factors.

Roadmap: from database search to protocol
(Diagram: database D → circuit → polynomials p1(x), p2(x), …, pj(x) → servers 1, 2, 3, …, n and the client.)

Roadmap: from database search to circuit (first step of the same diagram).

Roadmap: from circuit to polynomials (second step of the same diagram).

From circuit to polynomials
Step A: represent a circuit by a low-degree randomized multivariate polynomial.
- Field = GF(2); rely on the technique of [Raz87, Smo87].
- (Figure: an XOR gate on x1, x2, x4 is the polynomial x1 + x2 + x4: degree 1, no error.)
- Goal: for every x, Pr_r[p_r(x) ≠ C(x)] ≤ 2^−σ.

From circuit to polynomials
Goal: for every x, Pr_r[p_r(x) ≠ C(x)] ≤ 2^−σ.
- (Figure: an OR gate on x1, x2, …, xt.) Exact representation: degree t, no error. A single random parity with bits r1, …, rt: degree 1, error ½. Using γ independent parities (random bits r_{k,i}, k = 1..γ, i = 1..t): degree γ, error 2^−γ; set γ = σ.
- The random bits r are produced by an ε-biased PRG.

From circuit to polynomials
Goal: for every x, Pr_r[p_r(x) ≠ C(x)] ≤ 2^−σ.
- n-term DNF (figure: an OR over n ANDs of the inputs x1, …, x6), every gate replaced by a polynomial of degree γ with error 2^−γ: Pr[p_r(x) ≠ C(x)] ≤ (n+1)·2^−γ.
- For error 2^−σ set γ = σ + log(n+1).
- Total degree γ² = (σ + log(n+1))².
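An added example (not the talk’s code) of Step A for an n-term DNF: the [Raz87, Smo87] randomized OR polynomial over GF(2), the De Morgan AND built from it, the degree and error bookkeeping above, and an empirical check of the union bound on a constructed input; the function names are mine.

```python
import math
import random

def parity(bits, r):  # <r, x> over GF(2): a degree-1 polynomial in x
    return sum(b & c for b, c in zip(bits, r)) & 1

def approx_or(bits, gamma, rng=None):
    # [Raz87, Smo87]: OR(x) ~ 1 + prod_{k<=gamma} (1 + <r_k, x>) over GF(2), degree gamma.
    # x = 0: every parity is 0, output exactly 0.  x != 0: each parity is 1 w.p. 1/2,
    # so the output is wrongly 0 only when all gamma parities are 0, w.p. 2^-gamma.
    rng = rng or random.Random()
    prod = 1
    for _ in range(gamma):
        prod &= 1 ^ parity(bits, [rng.randrange(2) for _ in bits])
    return 1 ^ prod

def approx_and(bits, gamma, rng=None):
    # AND(x) = NOT OR(NOT x): same degree gamma and one-sided error 2^-gamma
    return 1 ^ approx_or([1 ^ b for b in bits], gamma, rng)

def dnf_poly(x, terms, gamma, rng=None):
    # p_r for the n-term DNF OR_j AND_{k in term_j} x[k]; every gate draws fresh
    # randomness; a degree-gamma OR over degree-gamma ANDs has total degree gamma^2
    rng = rng or random.Random()
    return approx_or([approx_and([x[k] for k in t], gamma, rng) for t in terms], gamma, rng)

def exact_dnf(x, terms):
    return int(any(all(x[k] for k in t) for t in terms))

def gamma_for(sigma, n):
    # union bound over the n ANDs and the top OR: error <= (n+1)*2^-gamma <= 2^-sigma
    return sigma + math.ceil(math.log2(n + 1))

def error_rate(x, terms, sigma, trials, seed=1):
    # empirical Pr_r[p_r(x) != C(x)] for one fixed x (a constructed sample)
    rng = random.Random(seed)
    gamma = gamma_for(sigma, len(terms))
    truth = exact_dnf(x, terms)
    errors = sum(dnf_poly(x, terms, gamma, rng) != truth for _ in range(trials))
    return errors / trials
```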

From circuit to polynomials
Step B: optimizations, example for n-term DNF.
- Goal: a vector p_r(x) and a recovery function R s.t. for every x, Pr_r[R(p_r(x)) ≠ C(x)] ≤ 2^−σ.
- First component p_r^1(x): ANDs of degree γ with error 2^−γ, top OR of degree 3 with error ⅛; Pr[p_r^1(x) ≠ C(x)] ≤ n·2^−γ + ⅛ ≤ ¼. For error ¼ set γ = log n + 3. Total degree 3γ = 3(log n + 3).

From circuit to polynomials
Step B: optimizations, example for n-term DNF.
- Evaluate O(σ) copies p_r^1(x), p_r^2(x), p_r^3(x), …, p_r^{O(σ)}(x) with independent randomness r^1, r^2, r^3, …, r^{O(σ)} (each of degree 3 log n, error ¼) and recover C(x) using majority.
- More careful analysis: a polynomial p of degree log n + 2 with C(x)=0: Pr[p(x)=1] ≤ ⅛; C(x)=1: Pr[p(x)=1] ≥ ⅜. Recover C(x) using threshold ¼.

From circuit to polynomials
Step B: optimizations, example for n-term DNF.
- O(σ) polynomials p_r^1(x), p_r^2(x), …, p_r^{O(σ)}(x) of degree log n + 2 (figure: the fraction of ones is ≤ ⅛ when C(x)=0 and ≥ ⅜ when C(x)=1, with the threshold ¼ in between).
- Pr[th_¼(p_r(x)) ≠ C(x)] ≤ 2^−σ.
- But the servers 1, …, n send the whole vector to the client: “I have no privacy!”
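As an added worked calculation (not on the slides) for the threshold step above, with m independent copies (the slides leave m as O(σ)) and Hoeffding’s inequality applied to the fraction of ones:

Let $Y_1,\dots,Y_m$ be the independent copies $p_{r^1}(x),\dots,p_{r^m}(x)$, $\bar Y = \frac{1}{m}\sum_{i} Y_i$, $\mu = \Pr[p(x)=1]$, and let $\mathrm{th}_{1/4}$ output 1 iff $\bar Y \ge \tfrac14$. Hoeffding gives $\Pr[\bar Y - \mu \ge \varepsilon] \le e^{-2m\varepsilon^2}$ and the same bound for the lower tail.

$C(x)=0$: $\mu \le \tfrac18$, and an error means $\bar Y \ge \tfrac14$, hence $\bar Y - \mu \ge \tfrac18$, so $\Pr[\text{error}] \le e^{-2m/64} = e^{-m/32}$.

$C(x)=1$: $\mu \ge \tfrac38$, and an error means $\bar Y < \tfrac14$, hence $\bar Y - \mu \le -\tfrac18$, so again $\Pr[\text{error}] \le e^{-m/32}$.

Therefore $\Pr[\mathrm{th}_{1/4}(p_r(x)) \ne C(x)] \le e^{-m/32} \le 2^{-\sigma}$ as soon as $m \ge 32\,\sigma \ln 2 \approx 22.2\,\sigma$, i.e. $m = O(\sigma)$ copies suffice.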

From circuit to polynomials
Step C: server privacy.
- Instead of revealing p_r^1(x), p_r^2(x), …, p_r^{O(σ)}(x), the servers apply randomizing polynomials for the threshold function th_¼: {0,1}^{O(σ)} → {0,1} [IK00].
- Result: polynomials p_r^1(x,ρ), p_r^2(x,ρ), …, p_r^{σ^{O(1)}}(x,ρ), where ρ is private randomness.

Roadmap: from polynomials to protocol (last step of the same diagram).

Client-servers protocols from polynomials
Goal: evaluate multivariate polynomials held by the servers on a point held by the client.
- Standard techniques for secure computation [BGW88, CCD88, BF90]: number of servers proportional to the degree; communication proportional to the number of polynomials (and the client’s input).
- Enhancements: protecting server privacy [GIKM98]; reducing the number of servers [WY05].
- Protocol sketch (figure): the client sends Shamir shares of x to the servers; with public randomness r, each server evaluates p_r on its shares; the client recovers p_r(x) by interpolation.
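An added example (not the talk’s own code) of the protocol sketch above: Shamir sharing of x, server-side evaluation of a public p_r on the shares, and interpolation by the client, which shows why the number of servers is proportional to the degree. The field GF(2^8) is my assumption (the slides’ polynomials are over GF(2), which has too few distinct points for many servers; on 0/1 inputs GF(2^8) evaluates them identically), and x, p_r and t in the test are constructed samples.

```python
import random
from functools import reduce

MOD = 0x11B  # GF(2^8) reduction polynomial x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):  # multiplication in GF(2^8)
    res = 0
    while b:
        res ^= a if b & 1 else 0
        a = (a << 1) ^ (MOD if a & 0x80 else 0)
        b >>= 1
    return res

def gf_inv(a):  # a^-1 = a^254 in GF(2^8) (a != 0)
    return reduce(gf_mul, [a] * 254, 1)

def shamir_share(secret, t, k, rng):
    # client: random degree-t polynomial f with f(0) = secret; server i gets f(i)
    coeffs = [secret] + [rng.randrange(256) for _ in range(t)]
    horner = lambda i: reduce(lambda y, c: gf_mul(y, i) ^ c, reversed(coeffs), 0)
    return [horner(i) for i in range(1, k + 1)]

def eval_poly(monomials, vals):
    # public p_r as a GF(2) sum of monomials (tuples of variable indices); on 0/1
    # inputs the GF(2^8) evaluation agrees with p_r over GF(2)
    total = 0
    for mono in monomials:
        total ^= reduce(gf_mul, (vals[i] for i in mono), 1)
    return total

def interpolate_at_zero(points):
    # Lagrange interpolation of g(0) from pairs (i, g(i)); in char 2, -a = a
    result = 0
    for i, yi in points:
        lam = 1
        for j, _ in points:
            if j != i:
                lam = gf_mul(lam, gf_mul(j, gf_inv(i ^ j)))
        result ^= gf_mul(yi, lam)
    return result

def evaluate_privately(x, monomials, t, seed=0):
    # one round: k = deg(p_r)*t + 1 servers; server i applies p_r to its shares,
    # which is a polynomial of degree deg*t in i; the client interpolates it at 0
    rng = random.Random(seed)
    k = max(len(m) for m in monomials) * t + 1
    shares = [shamir_share(b, t, k, rng) for b in x]  # one sharing per input bit
    answers = [(i, eval_poly(monomials, [s[i - 1] for s in shares])) for i in range(1, k + 1)]
    return interpolate_at_zero(answers), k
```

Any t servers see t points of each degree-t sharing polynomial, which are uniformly distributed regardless of the bit, so they learn nothing about x.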

Multiparty protocols from polynomials
Goal: evaluate multivariate polynomials known to all on distributed input and randomness.
- Standard techniques for secure computation [BGW88, CCD88, GRR98]: number of parties proportional to the degree; communication proportional to the number of polynomials (and the input length).
- Randomness: public randomness (r) independent of the inputs; private randomness (ρ) should remain secret.

Roadmap: secure computation of constant-depth circuits with applications to database search problems
(Diagram: database D → circuit → polynomials p_r^1(x,ρ), p_r^2(x,ρ), …, p_r^j(x,ρ) → servers 1, 2, 3, …, n and the client.)

Conclusions
- Practically feasible solutions to large-scale database search problems, e.g., partial match: nearly optimal communication and computation; reasonable number of servers (½ log n for partial match); no expensive crypto (e.g., public-key operations).
- Challenge: obtain similar protocols in the 2-party setting. Extend [BGN05] from degree 2 to degree log n?
- Multiparty setting: nearly optimal communication and computation for a useful class of functions (AC0); communication almost does not grow with circuit size.
- Challenge: higher complexity classes, e.g., NC1.

Questions?
(Diagram: database D, servers 1, 2, 3, …, n holding P_ρ^1(x,r), P_ρ^2(x,r), ….)