Presentation is loading. Please wait.

Presentation is loading. Please wait.

Limits of Practical Sublinear Secure Computation

Published byあきひさ みのしま Modified over 5 years ago

Similar presentations

Presentation on theme: "Limits of Practical Sublinear Secure Computation"— Presentation transcript:

1 Limits of Practical Sublinear Secure Computation
CRYPTO 2018 Limits of Practical Sublinear Secure Computation Elette Boyle, IDC Herzliya Yuval Ishai, Technion Antigoni Polychroniadou, Cornell Tech

2 Secure Two-Party Computation
x1 f(x1, x2) = (y1, y2 ) y2 y1 x2 Goal: Correctness: Everyone computes f(x1,x2) Security: Nothing else but the output is revealed Adversary Semi-honest

3 Secure Computation on Big Data
The age of Big Data Secure Computation on Big Data EXAMPLE EXPLANATION JOURNEY THIS IS GREAT – CHECK THIS OUT WANT IT TO BE TECHNOLOGY GEOMETRY TECHY COMPUTER GADGET EXAMPLE EXPLANATION JOURNEY THIS IS GREAT WANT IT TO BE TECHNOLOGY GEOMETRY

4 Communication Complexity Computational Complexity
Secure Computation on BIG DATA Efficiency Metrics Communication Complexity Computational Complexity Ω(n) o(n) ω(n) Where n is the # of bits in the database Almost all protocols with sublinear communication complexity suffer in computational complexity (e.g. FHE\PIR-based protocols)

5 Sublinear Communication 2PC
Sublinear computation Linear computation PIR [Chor-Goldreich-Kushilevitz-Sudan'95, Kushilevitz-Ostrovsky'97] MST FHE [Gentry09] Median Convex Hull Single source shortest distances Approximate Set cover All pairs shortest distance [Aggarwal-Mishra-Pinkas04,Brickell-Shmatikov05,Shelat-Venkitasubramaniam15]

6 be securely computed with
Motivation Which functions can be securely computed with sublinear overhead? Secure Computation on Big Data

7 Our Results Provide framework for identifying “provably hard” sublinear secure computation tasks on big data. Provide formal reductions showing that many natural problems are inherently “hard”. (Including variants of the problems in [AMP'04,BS'05,SV'15]) (Akin to NP-hardness) Define intermediate hardness to capture natural problems that are neither “hard” or “easy”. HARD EASY

8 Types of Functionalities
Two-sided Functionalities One-sided Functionalities Secret-Shared output Functionalities Useful for MPC composition f(x1, x2) = ( [y] , [y] ) f(x1, x2) = ( [y] , ⊥ ) f(x1, x2) = (y, y) f(x1, x2) = (y, ⊥) x1 x2 [y] y y [y]

9 One-Sided Functionalities
Sublinear computation Linear computation PIR One-sided Convex Hull, Median etc… FHE Secret-shared Convex Hull, Median etc… Two-sided Convex Hull, Median, MST Single source shortest Distances, Approximate Set cover, All pairs shortest distance

10 One-Sided Functionalities
Sublinear computation Linear computation PIR One-sided Convex Hull, Median etc… Are these variants of problems hard? FHE Secret-shared Convex Hull, Median etc… TRUE CORRECT Two-sided Convex Hull, Median, MST Single source shortest Distances, Approximate Set cover, All pairs shortest distance FALSE INCORRECT!

11 Our Framework Benchmark metric for measuring computation complexity in the sublinear communication regime: PIR

12 Private Information Retrival (PIR)
[Chor-Goldreich-Kushilevitz-Sudan'95,Kushilevitz-Ostrovsky'97] Request entry i Di Database D=D1D2...Dn Goal: Correctness: User obtains Di Privacy: Server learns nothing about i

13 Private Information Retrival (PIR)
[Chor-Goldreich-Kushilevitz-Sudan'95,Kushilevitz-Ostrovsky'97] “Hello, wake up” Return all the entries in D Database D=D1D2...Dn Privacy is perfect but the overhead is prohibitively large. Non-triviality requirement: Communication cost must be in o(n)

14 1-server PIR State-of-the-art efficiency
Communication Complexity Computational Complexity o(n) O(n) Where n is the # of bits in the database Drawbacks: PIR (without preprocessing) inherently requires linear computation. Heavy public key operations. slower than symmetric encryption by orders of magnitude -XPIR, SealPIR 1-server IT PIR is impossible Even with preprocessing, sublinear-time PIR protocols are slow [BIM00, BIPW17, CHS17] PIR forms a computational barrier for 2PC on big data

15 Our Framework (PIR Hardness)
any secure protocol for the problem implies nontrivial PIR on a large database. Problem is PIR-Hard when: EASY

16 Our Framework (PIR Hardness)
A two-party functionality f with input size N is (n(N),1)-PIR-hard if there is a single-server PIR protocol on a database of size n(N) by making a single oracle call to f.   EASY

17 One-sided Median is PIR-Hard
Toy example D0 D1 If i=0: min Such that D0 < D1 Database D=D0D1 i∈ [n] Input phase: Output phase:

18 One-sided Median is PIR-Hard
Toy example D0 D1 If i=0: min Such that D0 < D1 If i=1: max D0 D1 Database D=D0D1...Dn i∈ [n] Input phase: max min D0 D1 min D0 D0 D1 max D1 Output phase: D0 D1

19 One-sided Median Protocol is PIR-Hard
Toy example D0 D1 If i=0: min Such that D0 < D1 If i=1: max D0 Database D=D0D1...Dn Fails for the 2-sided functionalities i∈ [n] Input phase: min D0 D1 Output phase: D0

20 PIR-Hard One-Sided Functionalities
Median Convex Hull Single source shortest Distances Approximate Set cover All pairs shortest distance Utilize combinatorial notion of VC-dimension [Vapnik,Chervonenkis71]

21 One-sided functionalities are PIR-Hard
Recall the ‘easy’ two-sided functionalities: Two-sided Convex Hull, Median, MST Single source shortest Distances, Approximate Set cover, All pairs shortest distance Are all two-sided functionalities ‘easy’?

22 Two-sided Nearest Neighbor Problem
(x,y) Input phase: Location (x,y) (a0,b0) (an,bn) Output to both parties the nearest restaurant to (x,y)

23 Our Framework (Semi-PIR Hardness)
Di D=D1D2...Dn Semi-PIR Semi-PIR: Correctness: User obtains Di Privacy: Server learns nothing about i only if Di=1. EASY

24 Two-sided Nearest Neighbor is Semi-PIR hard
If Di=0: choose (ai,bi) on the circle Two-sided Nearest Neighbor is Semi-PIR hard Toy example If Di=1: choose (ai,bi) outside the circle (a0,b0) If i=3 then (x,y) (a3,b3) (a1,b1) c i∈ [n] Database D=0101 (a2,b2) Input phase: c (a0,b0) (a3,b3) Location (x,y) Output to both parties the nearest restaurant to (x,y) If Di=1 output c and if Di=0 : output c and (ai,bi) Output phase:

25 Semi-PIR Hard Two-Sided Functionalities
Nearest Neighbor Single Source Single Destination shortest path Shortest list selection Closest destination ….?

26 Semi-PIR vs. PIR Semi-PIR is not PIR hard via 1 call.
Existence of polylogarithmic semi-PIR implies the existence of slightly sublinear PIR (via multiple adaptive calls to semi-PIR): Reduction uses LDCs polylogarithmic PIR from polylogarithmic semi-PIR? if ‘dream’ LDCs exist. PIR-hard * With constant query complexity and polynomial rate.

27 Polylogarithmic semi-PIR ⇒ weak PIR
Via q-query LDCs and O(2q) adaptive calls Rand 𝟏 𝟐 PIR Semi-PIR to Rand ½ PIR: Database Database D=D0D1...Dn Encode Database using LDCs (i1,…,i5) i∈ [n] PIR

28 Conclusion Introduce PIR-hardness for identifying “provably hard” sublinear secure computation tasks on big data. Provide formal reductions showing that many natural problems are PIR-Hard. (Including variants of the problems in [AMP'04,BS'05,SV'15]) (Akin to NP-hardness) Introduce semi-PIR hardness HARD Semi-PIR EASY

29 Our Taxonomy PIR One-sided Convex Hull, Median etc…
Easy problems Semi-PIR hard problems PIR-hard problems PIR One-sided Convex Hull, Median etc… Two-sided Single Source Single Dest. shortest path, Nearest Neighbor, Shortest list selection, closest destination. FHE Secret-shared Convex Hull, Median etc… Two-sided Convex Hull, Median, MST Single source shortest Distances, Approximate Set cover, All pairs shortest distance Two-sided local compressible MST, Median.

30 Future Directions Hierarchy of hardness classes beyond PIR-hardness and Semi-PIR-hardness? -- somewhat HE-hardness? Better understanding of the relation semi-PIR and PIR? VC-dimension analogue that captures PIR and semi-PIR-hardness for two-sided functionalities? Multi-party functionalities?

31 [Vapnik,Chervonenkis71]
PIR and VC-dimension [Vapnik,Chervonenkis71] [BIKO12]: exploit this relation to construction PIR protocols A one-sided functionality f is PIR-hard iff f has a certain efficiently computable VC-dimension. PIR-hard: High VC-dimension Easy: Low VC-dimension

Download ppt "Limits of Practical Sublinear Secure Computation"

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate Jens Groth, University College London Aggelos Kiayias, University.

Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate Jens Groth, University College London Aggelos Kiayias, University.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
The Complexity of Information-Theoretic Secure Computation Yuval Ishai Technion 2014 European School of Information Theory.

The Complexity of Information-Theoretic Secure Computation Yuval Ishai Technion 2014 European School of Information Theory.
Nearest Neighbor Search in High Dimensions Seminar in Algorithms and Geometry Mica Arie-Nachimson and Daniel Glasner April 2009.

Nearest Neighbor Search in High Dimensions Seminar in Algorithms and Geometry Mica Arie-Nachimson and Daniel Glasner April 2009.
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Lecture 15 Private Information Retrieval Stefan Dziembowski www.dziembowski.net MIM UW 25.01.13ver 1.0.

Lecture 15 Private Information Retrieval Stefan Dziembowski MIM UW ver 1.0.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.

New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems Omer Barkol Yuval Ishai Technion.

Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems Omer Barkol Yuval Ishai Technion.
How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb.

How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb.
1 Keyword Search and Oblivious Pseudo-Random Functions Mike Freedman NYU Yuval Ishai, Benny Pinkas, Omer Reingold.

1 Keyword Search and Oblivious Pseudo-Random Functions Mike Freedman NYU Yuval Ishai, Benny Pinkas, Omer Reingold.
Lecture 4: Divide and Conquer III: Other Applications and Examples Shang-Hua Teng.

Lecture 4: Divide and Conquer III: Other Applications and Examples Shang-Hua Teng.
Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.

Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.
Privacy-Preserving Computation and Verification of Aggregate Queries on Outsourced Databases Brian Thompson 1, Stuart Haber 2, William G. Horne 2, Tomas.

Privacy-Preserving Computation and Verification of Aggregate Queries on Outsourced Databases Brian Thompson 1, Stuart Haber 2, William G. Horne 2, Tomas.

Similar presentations

Ads by Google