Presentation is loading. Please wait.

Presentation is loading. Please wait.

Limits of Practical Sublinear Secure Computation

Similar presentations


Presentation on theme: "Limits of Practical Sublinear Secure Computation"— Presentation transcript:

1 Limits of Practical Sublinear Secure Computation
CRYPTO 2018 Limits of Practical Sublinear Secure Computation Elette Boyle, IDC Herzliya Yuval Ishai, Technion Antigoni Polychroniadou, Cornell Tech

2 Secure Two-Party Computation
x1 f(x1, x2) = (y1, y2 ) y2 y1 x2 Goal: Correctness: Everyone computes f(x1,x2) Security: Nothing else but the output is revealed Adversary Semi-honest

3 Secure Computation on Big Data
The age of Big Data Secure Computation on Big Data EXAMPLE EXPLANATION JOURNEY THIS IS GREAT – CHECK THIS OUT WANT IT TO BE TECHNOLOGY GEOMETRY TECHY COMPUTER GADGET EXAMPLE EXPLANATION JOURNEY THIS IS GREAT WANT IT TO BE TECHNOLOGY GEOMETRY

4 Communication Complexity Computational Complexity
Secure Computation on BIG DATA Efficiency Metrics Communication Complexity Computational Complexity Ω(n) o(n) ω(n) Where n is the # of bits in the database Almost all protocols with sublinear communication complexity suffer in computational complexity (e.g. FHE\PIR-based protocols)

5 Sublinear Communication 2PC
Sublinear computation Linear computation PIR [Chor-Goldreich-Kushilevitz-Sudan'95, Kushilevitz-Ostrovsky'97] MST FHE [Gentry09] Median Convex Hull Single source shortest distances Approximate Set cover All pairs shortest distance [Aggarwal-Mishra-Pinkas04,Brickell-Shmatikov05,Shelat-Venkitasubramaniam15]

6 be securely computed with
Motivation Which functions can be securely computed with sublinear overhead? Secure Computation on Big Data

7 Our Results Provide framework for identifying “provably hard” sublinear secure computation tasks on big data. Provide formal reductions showing that many natural problems are inherently “hard”. (Including variants of the problems in [AMP'04,BS'05,SV'15]) (Akin to NP-hardness) Define intermediate hardness to capture natural problems that are neither “hard” or “easy”. HARD EASY

8 Types of Functionalities
Two-sided Functionalities One-sided Functionalities Secret-Shared output Functionalities Useful for MPC composition f(x1, x2) = ( [y] , [y] ) f(x1, x2) = ( [y] , ⊥ ) f(x1, x2) = (y, y) f(x1, x2) = (y, ⊥) x1 x2 [y] y y [y]

9 One-Sided Functionalities
Sublinear computation Linear computation PIR One-sided Convex Hull, Median etc… FHE Secret-shared Convex Hull, Median etc… Two-sided Convex Hull, Median, MST Single source shortest Distances, Approximate Set cover, All pairs shortest distance

10 One-Sided Functionalities
Sublinear computation Linear computation PIR One-sided Convex Hull, Median etc… Are these variants of problems hard? FHE Secret-shared Convex Hull, Median etc… TRUE CORRECT Two-sided Convex Hull, Median, MST Single source shortest Distances, Approximate Set cover, All pairs shortest distance FALSE INCORRECT!

11 Our Framework Benchmark metric for measuring computation complexity in the sublinear communication regime: PIR

12 Private Information Retrival (PIR)
[Chor-Goldreich-Kushilevitz-Sudan'95,Kushilevitz-Ostrovsky'97] Request entry i Di Database D=D1D2...Dn Goal: Correctness: User obtains Di Privacy: Server learns nothing about i

13 Private Information Retrival (PIR)
[Chor-Goldreich-Kushilevitz-Sudan'95,Kushilevitz-Ostrovsky'97] “Hello, wake up” Return all the entries in D Database D=D1D2...Dn Privacy is perfect but the overhead is prohibitively large. Non-triviality requirement: Communication cost must be in o(n)

14 1-server PIR State-of-the-art efficiency
Communication Complexity Computational Complexity o(n) O(n) Where n is the # of bits in the database Drawbacks: PIR (without preprocessing) inherently requires linear computation. Heavy public key operations. slower than symmetric encryption by orders of magnitude -XPIR, SealPIR 1-server IT PIR is impossible Even with preprocessing, sublinear-time PIR protocols are slow [BIM00, BIPW17, CHS17] PIR forms a computational barrier for 2PC on big data

15 Our Framework (PIR Hardness)
any secure protocol for the problem implies nontrivial PIR on a large database. Problem is PIR-Hard when: EASY

16 Our Framework (PIR Hardness)
A two-party functionality f with input size N is (n(N),1)-PIR-hard if there is a single-server PIR protocol on a database of size n(N) by making a single oracle call to f.   EASY

17 One-sided Median is PIR-Hard
Toy example D0 D1 If i=0: min Such that D0 < D1 Database D=D0D1 i∈ [n] Input phase: Output phase:

18 One-sided Median is PIR-Hard
Toy example D0 D1 If i=0: min Such that D0 < D1 If i=1: max D0 D1 Database D=D0D1...Dn i∈ [n] Input phase: max min D0 D1 min D0 D0 D1 max D1 Output phase: D0 D1

19 One-sided Median Protocol is PIR-Hard
Toy example D0 D1 If i=0: min Such that D0 < D1 If i=1: max D0 Database D=D0D1...Dn Fails for the 2-sided functionalities i∈ [n] Input phase: min D0 D1 Output phase: D0

20 PIR-Hard One-Sided Functionalities
Median Convex Hull Single source shortest Distances Approximate Set cover All pairs shortest distance Utilize combinatorial notion of VC-dimension [Vapnik,Chervonenkis71]

21 One-sided functionalities are PIR-Hard
Recall the ‘easy’ two-sided functionalities: Two-sided Convex Hull, Median, MST Single source shortest Distances, Approximate Set cover, All pairs shortest distance Are all two-sided functionalities ‘easy’?

22 Two-sided Nearest Neighbor Problem
(x,y) Input phase: Location (x,y) (a0,b0) (an,bn) Output to both parties the nearest restaurant to (x,y)

23 Our Framework (Semi-PIR Hardness)
Di D=D1D2...Dn Semi-PIR Semi-PIR: Correctness: User obtains Di Privacy: Server learns nothing about i only if Di=1. EASY

24 Two-sided Nearest Neighbor is Semi-PIR hard
If Di=0: choose (ai,bi) on the circle Two-sided Nearest Neighbor is Semi-PIR hard Toy example If Di=1: choose (ai,bi) outside the circle (a0,b0) If i=3 then (x,y) (a3,b3) (a1,b1) c i∈ [n] Database D=0101 (a2,b2) Input phase: c (a0,b0) (a3,b3) Location (x,y) Output to both parties the nearest restaurant to (x,y) If Di=1 output c and if Di=0 : output c and (ai,bi) Output phase:

25 Semi-PIR Hard Two-Sided Functionalities
Nearest Neighbor Single Source Single Destination shortest path Shortest list selection Closest destination ….?

26 Semi-PIR vs. PIR Semi-PIR is not PIR hard via 1 call.
Existence of polylogarithmic semi-PIR implies the existence of slightly sublinear PIR (via multiple adaptive calls to semi-PIR): Reduction uses LDCs polylogarithmic PIR from polylogarithmic semi-PIR? if ‘dream’ LDCs exist. PIR-hard * With constant query complexity and polynomial rate.

27 Polylogarithmic semi-PIR ⇒ weak PIR
Via q-query LDCs and O(2q) adaptive calls Rand 𝟏 𝟐 PIR Semi-PIR to Rand ½ PIR: Database Database D=D0D1...Dn Encode Database using LDCs (i1,…,i5) i∈ [n] PIR

28 Conclusion Introduce PIR-hardness for identifying “provably hard” sublinear secure computation tasks on big data. Provide formal reductions showing that many natural problems are PIR-Hard. (Including variants of the problems in [AMP'04,BS'05,SV'15]) (Akin to NP-hardness) Introduce semi-PIR hardness HARD Semi-PIR EASY

29 Our Taxonomy PIR One-sided Convex Hull, Median etc…
Easy problems Semi-PIR hard problems PIR-hard problems PIR One-sided Convex Hull, Median etc… Two-sided Single Source Single Dest. shortest path, Nearest Neighbor, Shortest list selection, closest destination. FHE Secret-shared Convex Hull, Median etc… Two-sided Convex Hull, Median, MST Single source shortest Distances, Approximate Set cover, All pairs shortest distance Two-sided local compressible MST, Median.

30 Future Directions Hierarchy of hardness classes beyond PIR-hardness and Semi-PIR-hardness? -- somewhat HE-hardness? Better understanding of the relation semi-PIR and PIR? VC-dimension analogue that captures PIR and semi-PIR-hardness for two-sided functionalities? Multi-party functionalities?

31 [Vapnik,Chervonenkis71]
PIR and VC-dimension [Vapnik,Chervonenkis71] [BIKO12]: exploit this relation to construction PIR protocols A one-sided functionality f is PIR-hard iff f has a certain efficiently computable VC-dimension. PIR-hard: High VC-dimension Easy: Low VC-dimension


Download ppt "Limits of Practical Sublinear Secure Computation"

Similar presentations


Ads by Google