Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems Omer Barkol Yuval Ishai Technion.

1 Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems Omer Barkol Yuval Ishai Technion

2 Motivation: private database search
Figure: Client (query q) and Server (database D).
Example query q: “fermat” and (“last theorem” or “great theorem”)
Server: "q? What is he working on?"
Answer f(q,D): Article on Fermat’s Last Theorem
Want:
- Server work: O(|D|)
- Client work: O(|q|)
- Communication: O(|q|)
PIR [CGKS95]: f(q,D) = D_q
OT/SPIR

3 Current approaches
Figure: client with query q, server with database D, answer f(q,D). Speech bubble: "Oh no! This might take me 7 years!"
- Send all of D to the client
  - Too much communication (|D|)
  - No server privacy
- Use general purpose secure computation [Yao86,GMW87]
  - Communication > circuit size > |D|
- Use PIR as a building block:
  - PIR + data-structures [CGN97,FIPR05,OS05]
    - Applies to a very limited class of problems: set membership / keyword search, approximate nearest neighbor
  - Communication preserving protocol compiler [NN01]
    - Generally requires exponential computation
Benchmark: partial match? f( *1*0 , )=1
Nothing

4 Observation: Many database search problems can be implemented by constant-depth circuits
Figure: depth-2 circuit with inputs x1, x2, ..., xm and one output.
- Gates: OR, AND, NOT and XOR
- Unbounded fan-in and fan-out
- Depth: length of the longest input→output path

5 Observation: Many database search problems can be implemented by constant-depth circuits
Figure: query q and database D with answer f(q,D), recast as an input x and a circuit C with C(x) = f(q,D).

6 Example: partial match
Figure (labels as extracted): 1010, *1*0, 0110, 0110, 1011, 1110; output: 1
Preprocess: 0 → 10, 1 → 01, * → 11
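An added example (not from the slides) of why this preprocessing yields a depth-2 circuit: each database entry becomes one AND term over the encoded query bits, and the answer is the OR of the n terms. It assumes the encoding is applied to the query and that the figure shows query *1*0 against entries 1010, 0110, 1011, 1110; the function names are illustrative.

```python
from itertools import product

# Slide's preprocessing. Interpretation assumed for this example: the first bit
# of each pair means "accepts a 0 here", the second means "accepts a 1 here".
ENCODE = {"0": (1, 0), "1": (0, 1), "*": (1, 1)}

def encode_query(q):
    """Client side: expand a query over {0,1,*} into 2*len(q) bits."""
    return [bit for ch in q for bit in ENCODE[ch]]

def dnf_terms(db):
    """Server side: entry d becomes the AND of x[2*i + d_i] over all positions i."""
    return [[2 * i + int(b) for i, b in enumerate(entry)] for entry in db]

def partial_match(q, db):
    """Depth-2 circuit: OR over entries of an AND over encoded query bits."""
    x = encode_query(q)
    return int(any(all(x[v] for v in term) for term in dnf_terms(db)))

def reference_match(q, db):
    """Direct definition of partial match, used only to check the circuit."""
    return int(any(all(c in ("*", b) for c, b in zip(q, d)) for d in db))

# Values read from the slide's figure (which string is the query is assumed).
DB = ["1010", "0110", "1011", "1110"]

def circuit_agrees_everywhere(db=DB):
    """Compare the circuit with the definition on all 3^m queries."""
    m = len(db[0])
    return all(partial_match("".join(q), db) == reference_match("".join(q), db)
               for q in product("01*", repeat=m))

if __name__ == "__main__":
    print(partial_match("*1*0", DB), circuit_agrees_everywhere())
```

The circuit has n AND gates of fan-in m and one OR gate, so its size is linear in the database while the client's input stays at 2m bits.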

7 Observation: Many database search problems can be implemented by constant-depth circuits
Figure: query q and database D with answer f(q,D), recast as an input x and a circuit C with C(x) = f(q,D).
- “Computing on encrypted data” – longstanding question
- Case of 2-DNF recently solved [BGN05]

8 Relaxation: multiple servers
Figure: client with input x, several servers each holding C ("x?"), client obtains C(x); label: t servers.
- Used in information theoretic PIR
- Replicated databases are common
  - p2p networks
  - Web content delivery (e.g., Akamai)
- t-privacy
  - Client can choose servers he trusts

9 Main results
t-secure protocol with:
- Servers: t·(log|C|)^{depth-1}
- Communication: Õ(|x|)
- Client computation: Õ(|x|)
- Server computation: Õ(|C|)
- Rounds: 1
Communication and work are optimal up to polylog factors
Speech bubble: "Yeh!"

10 Main results: DNF/CNF/partial match
n-term DNF / database with n entries
Security threshold 1
Secure protocol with:
- Servers: ½ log n
- Communication: Õ(|x|)
- Client computation: Õ(|x|)
- Server computation: Õ(n)
D has 2^{30} entries
We need ~15 servers

11 Second model: multiparty computation
Figure: parties with inputs x1, x2, x3, x4, x5 jointly compute C(x) for a const-depth circuit C, where x = x1°x2°...°xk.
- General purpose secure computation [GMW87,BGW88,CCD88]
  - Communication > circuit size
- Communication efficient multiparty computation [BFKR90]
  - Computation exponential in |x|
  - Number of servers

12 Results: multiparty setting
t-secure multiparty protocol with
- Parties: t·(log|C|)^{depth-1}
- Communication: Õ(|x|·poly(#parties))
- Computation: Õ(|C|)
- Rounds: O(1)
optimal up to polylog factors

13 From database search to protocol
Roadmap. Figure labels: database D (n entries), server, circuit, polynomials p1(x), p2(x), ..., pj(x), Servers 1, 2 and 3, client.

14 From database search to circuit
Roadmap. Figure labels: database D (n entries), server, circuit, polynomials p1(x), p2(x), ..., pj(x), Servers 1, 2 and 3, client.

15 From circuit to polynomials
Roadmap. Figure labels: database D (n entries), server, circuit, polynomials p1(x), p2(x), ..., pj(x), Servers 1, 2 and 3, client.

16 From circuit to polynomials
Step A: Represent a circuit by a low-degree randomized multivariate polynomial
- Field = GF(2)
- Rely on technique of [Raz87, Smo87]
Goal: ∀x: Prob_r[p_r(x) ≠ C(x)] ≤ 2^{-σ}
Figure: a gate on inputs x1, x2, x4 represented by x1+x2+x4 (deg 1, no error)

17 From circuit to polynomials
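Goal: ∀x: Prob_r[p_r(x) ≠ C(x)] ≤ 2^{-σ}
Figure: a gate on inputs x1, x2, ..., xt and three ways to represent it:
- deg t, no error
- deg 1, err ½ (random coefficients r_1, r_2, ..., r_t)
- deg γ, err 2^{-γ} (random coefficients r_{11}, r_{12}, ..., r_{1t} through r_{γ1}, r_{γ2}, ..., r_{γt}); set γ = σ
- ε-biased PRG (label next to the randomness r)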
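An added example (not from the slides) of the deg γ, err 2^{-γ} representation for a single OR gate over GF(2), in the style of [Raz87, Smo87]: p_r(x) = 1 + ∏_j (1 + ⟨r_j, x⟩). It computes the error probability exactly by enumerating every r, and assumes uniformly random r rather than the output of an ε-biased PRG; the function names are illustrative.

```python
from fractions import Fraction
from itertools import product

def approx_or(x, r):
    """p_r(x) = 1 + prod_j (1 + <r_j, x>) over GF(2); degree len(r) in x."""
    all_zero = 1
    for row in r:                                        # one random linear form per row
        inner = sum(a & b for a, b in zip(row, x)) & 1   # <r_j, x> mod 2
        all_zero &= 1 ^ inner                            # stays 1 only while every form is 0
    return 1 ^ all_zero

def exact_error(x, gamma):
    """Exact Prob_r[p_r(x) != OR(x)], enumerating all r in GF(2)^(gamma*t)."""
    t = len(x)
    want = int(any(x))
    bad = total = 0
    for bits in product((0, 1), repeat=gamma * t):
        r = [bits[j * t:(j + 1) * t] for j in range(gamma)]
        bad += approx_or(x, r) != want
        total += 1
    return Fraction(bad, total)

def worst_case_error(t, gamma):
    """Maximum error over all inputs x in {0,1}^t."""
    return max(exact_error(x, gamma) for x in product((0, 1), repeat=t))

if __name__ == "__main__":
    print(worst_case_error(3, 1), worst_case_error(3, 2), worst_case_error(3, 3))
```

The error is one-sided: on the all-zero input every linear form is 0 and the polynomial is always correct, while on any other input each form is an independent fair coin, so all γ of them vanish with probability exactly 2^{-γ}.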

18 From circuit to polynomials
Goal: ∀x: Prob_r[p_r(x) ≠ C(x)] ≤ 2^{-σ}
n-term DNF (figure: inputs x1, ..., x6; each gate replaced by a polynomial with deg γ, err 2^{-γ})
- Prob[p_r(x) ≠ C(x)] ≤ (n+1)·2^{-γ}
- For error 2^{-σ} set γ = σ + log(n+1)
- Total degree γ^2 = (σ + log(n+1))^2

19 From circuit to polynomials
Step B: Optimizations – example for n-term DNF
Goal: Vector p_r(x) s.t. ∀x: Prob_r[R(p_r(x)) ≠ C(x)] ≤ 2^{-σ}
Figure: inputs x1, ..., x6; term gates with deg γ, err 2^{-γ}; top gate with deg 3, err ⅛; output p_{r_1}(x)
- Prob[p_r(x) ≠ C(x)] ≤ n·2^{-γ} + ⅛ ≤ ¼
- For error ¼ set γ = log n + 3
- Total degree 3γ = 3(log n + 3)

20 From circuit to polynomials
Step B: Optimizations – example for n-term DNF
- deg 3 log n, err ¼: Recover C(x) using Majority
- More careful analysis: degree log n + 2
  - C(x)=0: Prob[p(x)=1] ≤ ⅛
  - C(x)=1: Prob[p(x)=1] ≥ ⅜
  - Recover C(x) using Threshold ¼
Figure: x with randomness r_1, r_2, r_3, ..., r_{O(σ)} gives p_{r_1}(x), p_{r_2}(x), p_{r_3}(x), ..., p_{r_{O(σ)}}(x)

21 From circuit to polynomials
Step B: Optimizations – example for n-term DNF
- O(σ) polynomials of degree log n + 2: p_{r_1}(x), p_{r_2}(x), ..., p_{r_{O(σ)}}(x)
- Prob[th_¼(p_r(x)) ≠ C(x)] ≤ 2^{-σ}
Figure: the cases C(x)=0 and C(x)=1; Server (n entries) with speech bubble: "I have no privacy!"

22 From circuit to polynomials
Step C: Server Privacy
- Server (n entries) holds p_{r_1}(x), p_{r_2}(x), ..., p_{r_{O(σ)}}(x)
- th_¼: {0,1}^{O(σ)} → {0,1}
- Randomizing polynomials for threshold [IK00]
- Result: p_{r_1}(x,ρ), p_{r_2}(x,ρ), ..., p_{r_{σ^{O(1)}}}(x,ρ), where ρ is private randomness

23 From polynomials to protocol
Roadmap. Figure labels: database D (n entries), server, circuit, polynomials p1(x), p2(x), ..., pj(x), Servers 1, 2 and 3, client.

24 Client-Servers protocols from polynomials
Goal: evaluate multivariate polynomials held by the servers on a point held by the client.
Standard techniques for secure computation [BGW88, CCD88, BF90]
- Number of servers proportional to the degree
- Communication proportional to # of polynomials (and client’s input)
Enhancements:
- Protecting server privacy [GIKM98]
- Reducing number of servers [WY05]
Figure (servers hold p, client holds x):
- Shamir-shares of x
- Public randomness r
- Evaluate p_r on shares
- Recover p_r(x) by interpolation
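The client-servers flow above as an added example (not from the slides or the paper): each input coordinate is Shamir-shared with threshold t, every server evaluates the polynomial on its own shares, and the client interpolates the resulting degree·t answer polynomial at 0. It assumes a prime field in place of an extension of GF(2), leaves out the public randomness r and the server-privacy enhancement, and all names are illustrative.

```python
import random

P = 2**31 - 1   # prime field for the shares (assumption of this example)

def share(secret, t, points, rng):
    """Shamir-share `secret` with a random degree-t polynomial; one share per point."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(t)]
    return [sum(c * pow(a, k, P) for k, c in enumerate(coeffs)) % P for a in points]

def evaluate(poly, x):
    """poly is a list of (coefficient, variable indices) monomials."""
    total = 0
    for coef, variables in poly:
        term = coef
        for v in variables:
            term = term * x[v] % P
        total = (total + term) % P
    return total

def interpolate_at_zero(points, values):
    """Lagrange interpolation of the servers' answers at 0."""
    result = 0
    for i, (ai, yi) in enumerate(zip(points, values)):
        num = den = 1
        for j, aj in enumerate(points):
            if j != i:
                num = num * -aj % P
                den = den * (ai - aj) % P
        result = (result + yi * num * pow(den, -1, P)) % P
    return result

def private_eval(poly, degree, x, t, rng, servers=None):
    """Client shares x, servers evaluate on shares, client interpolates."""
    k = degree * t + 1 if servers is None else servers    # degree*t + 1 points suffice
    points = list(range(1, k + 1))
    per_input = [share(xi, t, points, rng) for xi in x]   # client -> servers
    answers = [evaluate(poly, [s[j] for s in per_input])  # one answer per server
               for j in range(k)]
    return interpolate_at_zero(points, answers)           # client

# Constructed sample polynomial: p(x) = x0*x1*x2 + 3*x1 + 5, degree 3.
POLY = [(1, (0, 1, 2)), (3, (1,)), (5, ())]
```

Any t servers see only t points of a random degree-t sharing per coordinate, which is why the server count grows with degree·t; passing a smaller `servers` value makes the interpolation return a wrong result.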

25 Multiparty protocols from polynomials
Goal: evaluate multivariate polynomials known to all on distributed input and randomness.
Standard techniques for secure computation [BGW88, CCD88, GRR98]
- Number of parties proportional to the degree
- Communication proportional to # of polynomials (and input length)
Randomness:
- Public randomness (r) independent of the inputs
- Private randomness (ρ) should remain a secret

26 Roadmap
Secure computation of constant-depth circuits with applications to database search problems
Figure labels: database D (n entries), server, circuit, polynomials p_{r_1}(x,ρ), p_{r_2}(x,ρ), ..., p_{r_j}(x,ρ), Servers 1, 2 and 3, client.

27 Conclusions
- Practically feasible solutions to large scale database search problems, e.g., partial match
  - Nearly optimal communication and computation
  - Reasonable number of servers (½ log n for partial match)
  - No expensive crypto (e.g., public key operations)
  - Challenge: obtain similar protocols in 2-party setting
    - Extend [BGN05] from degree 2 to degree log n?
- Multiparty setting:
  - Nearly optimal communication and computation for a useful class of functions (AC0)
  - Communication almost does not grow with circuit size
  - Challenge: Higher complexity classes, e.g., NC1

28 Questions?

