How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb

August 20, 2007CRYPTO Secure Function Evaluation [Yao,GMW,BGW,…] n players with private inputs x 1,…,x n Can compute any function f() over their private inputs No information beyond f() is leaked SFE tells HOW to compute f() But not What f() to compute

August 20, 2007CRYPTO A Client-Server Setting SFE reduces many of the general cases to the client-server setting G ClientServer

August 20, 2007CRYPTO WHAT should we compute? Server must/is willing to reveal a function f() of the data Secure function evaluation: Reveal f(), but no other information ??? Server should preserve individual privacy Private data analysis: (rand) functions f() satisfying differential privacy

August 20, 2007CRYPTO In Between (1) Server must/is willing to reveal a function f() of the data But… Computing f() is inefficient or intractable And, an efficient approx f*() exists Idea: Use SFE to compute an approx f*() to f()

August 20, 2007CRYPTO What Can Go Wrong? [FIMNSW01] Server holds a graph G Client asks for size of min VC f vc (G) Approx: f vc *(G) = 2MaxMatch(G) Hmmm... f VC f VC 2 2 2MaxMatch 2MaxMatch 2 4 G

August 20, 2007CRYPTO Private Approximations [FIMNSW01] Require: f*(G) simulatable given f(G) Hence approximation does not leak more information than exact computation Implied: f(G) = f(G’)  f*(G) ≈ f*(G’) Sometimes feasible: Hamming distance [FIMNSW01, IW06] Permanent [FIMNSW01] Sometimes not feasible: f VC not privately approx within ratio n 1-ε [HKKN01] Approx feasible with a small leakage

August 20, 2007CRYPTO In Between (2) Server must/is willing to solve a search problem over the data Idea: Use SFE to compute a solution? Or an approximate solution

August 20, 2007CRYPTO What Can Go Wrong? [BCNW06] Server holds a graph G Client asks for VC(G) Approx: A* VC (G) = MaxMatch(G) Hmmm... G VC {2} {2} A* VC {2,3} {2,1}

August 20, 2007CRYPTO

August 20, 2007CRYPTO Private Algorithms [BCNW06] R – Equivalence Relation over {0,1}* E.g. G 1 ≈ G 2 if VC(G 1 ) = VC(G 2 ) Algorithm A is private with respect to R if: x y A( ) ≈ x y

August 20, 2007CRYPTO Is Private Search Good? Too strong: VC does not admit private search approx algs Even with a significant relaxation [BCNW06,BHN07] If NP not in P/poly, there is a search problem in P that has no polynomial time private algorithm [BCNW06] Too weak: A private search algorithm may reveal all the solutions Does not rule out simple ways of plausible leakage

August 20, 2007CRYPTO Some Possible Weaknesses Randomized Algorithms:  More solutions learned by repeated querying  Fuzziness Deterministic Algorithms:  Repeated querying ineffective  Definite information learned Can we get the best of both worlds?

August 20, 2007CRYPTO Framework: Seeded Algorithms A – randomized algorithm Server fixes a seed s for all queries Allows selecting random solutions Prevents abuse of repeated queries G1G1 G2G2 s A A(G 2,s) A(G 1,s)

August 20, 2007CRYPTO Rest of the Talk Propose two new definitions Equivalence protecting Resemblance preserving Show basic implementation methodologies Summary/discuss

August 20, 2007CRYPTO (x2)(x2) First Definition: Equivalence Protecting Consistent oracle  :  (x)  S(x)  (x)=  (y) for all x ≈ P y A seeded algorithm A is equivalence protecting: Distinguisher  ≡c≡c A(·, ) x1x1 (x1)(x1) x2x2 s x1x1 x2x2 Random consistent oracle

August 20, 2007CRYPTO Equivalence Protecting: Shortest Path Def: An edge is relevant in G if it appears in some shortest path from s to t Fact I: Relevance depends only on S(G) Fact II: There exists an algorithm A rand (G,r ) that outputs a random shortest path in G s 2 t 3 1

August 20, 2007CRYPTO Equivalence Protecting: Shortest Path Input: A graph G A seed s for a family {f s } of pseudorandom functions Output: A path in S(G) The algorithm: 1. H = relevant edges of G 2. Compute r=f s (H) 3. Output: p= A rand (H,r )

August 20, 2007CRYPTO Other Equivalence Preserving Algorithms Perfect matching in bipartite graphs Solution of a linear system of equations Shortest path: weighted directed graphs

August 20, 2007CRYPTO Second Definition: Resemblance Preserving Motivation: protect inputs with similar solution sets Resemblance between instances x,y: A seeded algorithm A is resemblance preserving if for all instances x,y: Pr[A(x,s)=A(y,s)] ≥ r(x,y) |S(x)  S(y)| |S(x)  S(y)| r(x,y) = Fact: 0 ≤ r(x,y) ≤ 1

August 20, 2007CRYPTO Tool: Min-wise Independent Permutations [BroderCharikarFriezeMitzenmacher98] A family of permutations is min-wise independent if for every set A  U and a  A: Observation:

August 20, 2007CRYPTO A Generic Resemblance Preserving Algorithm Input: An input x A seed s for a family of min-wise independent permutations Output: A solution in S(x) Algorithm: Output sol  S(x) such that Algorithmic challenge: Find sol efficiently.

August 20, 2007CRYPTO Other Resemblance Preserving Algorithms (non-) Roots of polynomials Solution of a linear system of equations Satisfying assignment of a DNF formula

August 20, 2007CRYPTO Summary Presented two intuitive variants of private search Equivalence protecting Resemblance preserving Constructed algorithms satisfying definitions Privacy implications of search problems are not well understood Even (seemingly minimal) requirements of privacy are hard to attain  Different privacy requirements for different setups Is there an order in the mess? A methodology for comparing/justifying definitions

August 20, 2007CRYPTO BSF-DIMACS Privacy University Interdisciplinary February 4-7 Organizers: B. Pinkas, K.N., and R. Wright (some) Funding available To be added to mailing list:

August 20, 2007CRYPTO A (Seemingly) Minimal Requirement Private search algorithm [BCNW06]: VC(G) = VC(G’)  A* VC (G) ≈ A* VC (G’) A* VC should not distinguish graphs that have the same set of solutions A generalization of private approximation [FIMNSW01]