Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems Omer Barkol Yuval Ishai Technion.


1 Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems
Omer Barkol, Yuval Ishai (Technion)

2 Motivation: private database search
Figure: the client holds a query q, e.g. “fermat” and (“last theorem” or “great theorem”); the server holds a database D; the client obtains f(q,D), e.g. an article on Fermat’s Last Theorem. Server: “What is he working on?” Labels: q?, D?
PIR [CGKS95]: f(q,D) = D_q
OT/SPIR
Want:
 – Server work: O(|D|)
 – Client work: O(|q|)
 – Communication: O(|q|)

3 Current approaches
Figure labels: D, q, f(q,D)
Benchmark: partial match? Example: f(*1*0, {0010, 0110, 1111}) = 1
Send all of D to the client
 – Too much communication (|D|)
 – No server privacy
Use general purpose secure computation [Yao86,GMW87]
 – Communication > circuit size > |D|
Use PIR as a building block:
 – PIR + data-structures [CGN97,FIPR05,OS05]
   Applies to a very limited class of problems: set membership / keyword search; approximate nearest neighbor
 – Communication preserving protocol compiler [NN01]
   Generally requires exponential computation
Callouts: “Nothing”; “Oh no! This might take me 7 years!”

4 Observation: Many database search problems can be implemented by constant-depth circuits
Figure: depth-2 circuit with inputs x_1, x_2, …, x_m and one output
Gates: OR, AND, NOT and XOR
Unbounded fan-in and fan-out
Depth: length of the longest input→output path

5 Observation: Many database search problems can be implemented by constant-depth circuits
Figure labels: q, D, f(q,D); C, x; C(x) = f(q,D)

6 Example: partial match
Query: *1*0
Database: 1010, 0110, 1110
Preprocess: 0 → 10, 1 → 01, * → 11
Encoded query: 11011110
Figure fragment: 1011 0110
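
The preprocessing on slide 6 turns partial match into a depth-2 circuit on the encoded query. The sketch below is an added example, not code from the talk: it assumes each database entry is hardwired as one AND-term using the same 0 → 10, 1 → 01 code, and the function names are hypothetical.

```python
# Added example: partial match as an n-term monotone DNF over the encoded query.
CODE = {"0": "10", "1": "01", "*": "11"}  # preprocessing table from slide 6

def encode_query(q):
    """Client side: map each symbol of q (0, 1 or *) to two bits."""
    return [int(b) for sym in q for b in CODE[sym]]

def dnf_terms(database):
    """Server side: one AND-term per entry, given as the positions of x that
    must all be 1. Assumption: entry bits use the same 0 -> 10, 1 -> 01 code,
    so a query symbol agrees with an entry bit iff x is 1 at that position."""
    terms = []
    for entry in database:
        enc = "".join(CODE[b] for b in entry)
        terms.append([i for i, b in enumerate(enc) if b == "1"])
    return terms

def eval_dnf(terms, x):
    """Depth-2 circuit: OR over entries of AND over the selected positions."""
    return int(any(all(x[i] for i in term) for term in terms))

def partial_match(q, database):
    """Reference semantics, used only to cross-check the circuit."""
    return int(any(all(s in ("*", d) for s, d in zip(q, e)) for e in database))

if __name__ == "__main__":
    D = ["1010", "0110", "1110"]          # database from slide 6
    x = encode_query("*1*0")              # encoded query 11011110
    print(x, eval_dnf(dnf_terms(D), x), partial_match("*1*0", D))
```

The circuit has one term per database entry, which is the "n-term DNF / database with n entries" correspondence used on slide 10.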

7 Observation: Many database search problems can be implemented by constant-depth circuits
“Computing on encrypted data” – longstanding question
Case of 2-DNF recently solved [BGN05]
Figure labels: q, D, f(q,D); C, x; C(x) = f(q,D)

8 Relaxation: multiple servers
Used in information theoretic PIR
Replicated databases are common
 – p2p networks
 – Web content delivery (e.g., Akamai)
t-privacy
 – Client can choose servers he trusts
Figure: client sends x to servers holding C and obtains C(x); t servers: “x?”

9 Main results
t-secure protocol with:
 – Servers: t·(log|C|)^{depth-1}
 – Communication: Õ(|x|)
 – Client computation: Õ(|x|)
 – Server computation: Õ(|C|)
 – Rounds: 1
Callout: “Yeh! Communication and work are optimal up to polylog factors”

10 Main results: DNF/CNF/partial match
n-term DNF / database with n entries
Security threshold 1
Secure protocol with:
 – Servers: ½logn
 – Communication: Õ(|x|)
 – Client computation: Õ(|x|)
 – Server computation: Õ(n)
Example: D has 2^30 entries. We need ~15 servers

11 Second model: multiparty computation
Figure: parties with inputs x_1, x_2, x_3, x_4, x_5 compute C(x) for a const-depth circuit C, where x = x_1 ° x_2 ° … ° x_k
General purpose secure computation [GMW87,BGW88,CCD88]
 – Communication > circuit size
Communication efficient multiparty computation [BFKR90]
 – Computation exponential in |x|
 – Number of servers

12 Results: multiparty setting
t-secure multiparty protocol with
 – Parties: t·(log|C|)^{depth-1}
 – Communication: Õ(|x|·poly(#parties))
 – Computation: Õ(|C|)
 – Rounds: O(1)
Optimal up to polylog factors

13 Roadmap: From database search to protocol
Figure: database D (n entries) at the server → circuit → polynomials p_1(x), p_2(x), …, p_j(x) → protocol between the client and servers 1, 2, 3

14 Roadmap: From database search to circuit
Figure: database D (n entries) at the server → circuit → polynomials p_1(x), p_2(x), …, p_j(x) → protocol between the client and servers 1, 2, 3

15 Roadmap: From circuit to polynomials
Figure: database D (n entries) at the server → circuit → polynomials p_1(x), p_2(x), …, p_j(x) → protocol between the client and servers 1, 2, 3

16 Step A: Represent a circuit by a low-degree randomized multivariate polynomial
Field = GF(2)
Rely on technique of [Raz87, Smo87]
Goal: ∀x: Prob_r[p_r(x) ≠ C(x)] ≤ 2^{-σ}
Figure: gate with inputs x_1, x_2, x_4 represented by x_1 + x_2 + x_4: deg 1, no error

17 From circuit to polynomials
Goal: ∀x: Prob_r[p_r(x) ≠ C(x)] ≤ 2^{-σ}
Figure: gate with inputs x_1, x_2, …, x_t
 – exact polynomial: deg t, no error
 – one random vector r_1, r_2, …, r_t: deg 1, err ½
 – γ random vectors r_11, r_12, …, r_1t through r_γ1, r_γ2, …, r_γt: deg γ, err 2^{-γ}; set γ = σ
 – r: ε-biased PRG

18 From circuit to polynomials
Goal: ∀x: Prob_r[p_r(x) ≠ C(x)] ≤ 2^{-σ}
Figure: n-term DNF on inputs x_1, …, x_6; each gate: deg γ, err 2^{-γ}
Prob[p_r(x) ≠ C(x)] ≤ (n+1)·2^{-γ}
Total degree γ^2 = (σ + log(n+1))^2
For error 2^{-σ} set γ = σ + log(n+1)

19 From circuit to polynomials
Step B: Optimizations – example for n-term DNF
Goal: Vector p_r(x) s.t. ∀x: Prob_r[R(p_r(x)) ≠ C(x)] ≤ 2^{-σ}
Figure: p_{r_1}(x) on inputs x_1, …, x_6; terms: deg γ, err 2^{-γ}; top gate: deg 3, err ⅛
Prob[p_r(x) ≠ C(x)] ≤ n·2^{-γ} + ⅛ ≤ ¼
Total degree 3γ = 3(logn+3)
For error ¼ set γ = logn + 3

20 From circuit to polynomials
Step B: Optimizations – example for n-term DNF
Figure: x with r_1, r_2, r_3, …, r_{O(σ)} gives p_{r_1}(x), p_{r_2}(x), p_{r_3}(x), …, p_{r_{O(σ)}}(x)
deg 3logn, err ¼
More careful analysis: degree logn+2
 – C(x)=0: Prob[p(x)=1] ≤ ⅛
 – C(x)=1: Prob[p(x)=1] ≥ ⅜
Recover C(x) using Majority
Recover C(x) using Threshold ¼

21 From circuit to polynomials
Step B: Optimizations – example for n-term DNF
O(σ) polynomials of degree logn+2: p_{r_1}(x), p_{r_2}(x), …, p_{r_{O(σ)}}(x)
Prob[th_¼(p_r(x)) ≠ C(x)] ≤ 2^{-σ}
Figure: scale with marks 0, ⅛, ¼, ⅜; regions C(x)=0 and C(x)=1
Server (database with n entries): “I have no privacy!”
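
The slide-19 parameters (terms at degree γ = log n + 3, top gate at degree 3, recovery by majority) can be tried directly. This is an added example, not code from the talk: it uses the standard product-of-random-linear-forms approximation of AND/OR over GF(2), draws r from Python's PRNG instead of an ε-biased generator, and all names and sample inputs are constructed for the illustration.

```python
import math
import random

def approx_and(term, x, gamma, rng):
    """Degree-gamma polynomial over GF(2) for AND of x[i], i in term.
    Exactly 1 if the term is satisfied; otherwise 1 with probability 2^-gamma."""
    out = 1
    for _ in range(gamma):
        # linear form 1 + sum_i r_i * (1 + x_i), with fresh random r
        out &= 1 ^ (sum(rng.getrandbits(1) & (1 ^ x[i]) for i in term) & 1)
    return out

def approx_or(bits, gamma, rng):
    """Degree-gamma polynomial for OR of bits.
    Exactly 0 on the all-zero input; otherwise 0 with probability 2^-gamma."""
    prod = 1
    for _ in range(gamma):
        prod &= 1 ^ (sum(rng.getrandbits(1) & b for b in bits) & 1)
    return 1 ^ prod

def p_r(terms, x, rng):
    """One randomized polynomial for an n-term DNF: terms at degree
    gamma = log n + 3, top OR at degree 3, total degree 3 * gamma."""
    gamma = math.ceil(math.log2(len(terms))) + 3
    return approx_or([approx_and(t, x, gamma, rng) for t in terms], 3, rng)

def recover(terms, x, copies, rng):
    """Majority vote over independent copies p_{r_1}(x), ..., p_{r_copies}(x)."""
    return int(2 * sum(p_r(terms, x, rng) for _ in range(copies)) > copies)

# Constructed sample: DNF terms for the database 1010, 0110, 1110 and two
# encoded queries (*1*0 matches, 00** does not).
TERMS = [[1, 2, 5, 6], [0, 3, 5, 6], [1, 3, 5, 6]]
X_MATCH = [1, 1, 0, 1, 1, 1, 1, 0]
X_NO_MATCH = [1, 0, 1, 0, 1, 1, 1, 1]

if __name__ == "__main__":
    rng = random.Random(2024)
    for x in (X_MATCH, X_NO_MATCH):
        ones = sum(p_r(TERMS, x, rng) for _ in range(4000)) / 4000
        print(x, "Pr[p_r(x)=1] ~", ones, "majority:", recover(TERMS, x, 101, rng))
```

The random bits are consumed in the same order for every x, so a fixed seed defines one fixed polynomial p_r, and each copy errs with probability at most ¼ as on slide 19.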

22 From circuit to polynomials
Step C: Server Privacy
Randomizing polynomials for threshold [IK00]
th_¼: {0,1}^{O(σ)} → {0,1}
Figure: p_{r_1}(x), p_{r_2}(x), …, p_{r_{O(σ)}}(x) become p_{r_1}(x,ρ), p_{r_2}(x,ρ), …, p_{r_{σ^{O(1)}}}(x,ρ) at the server (database with n entries), where ρ is private randomness

23 Roadmap: From polynomials to protocol
Figure: database D (n entries) at the server → circuit → polynomials p_1(x), p_2(x), …, p_j(x) → protocol between the client and servers 1, 2, 3

24 Client-Servers protocols from polynomials
Goal: evaluate multivariate polynomials held by the servers on a point held by the client.
Standard techniques for secure computation [BGW88, CCD88, BF90]
Number of servers proportional to the degree
Communication proportional to # of polynomials (and client’s input)
Enhancements:
 – Protecting server privacy [GIKM98]
 – Reducing number of servers [WY05]
Figure: client sends Shamir-shares of x to the servers, each holding p; public randomness r; servers evaluate p_r on shares; client recovers p_r(x) by interpolation
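
The share, evaluate, interpolate round in the figure on slide 24 looks as follows for one polynomial. This is an added example, not code from the talk: it works over a prime field for readability (polynomials over GF(2) would need an extension field with a distinct nonzero point per server), the monomial-list representation and function names are hypothetical, and the server-privacy enhancement is not modelled.

```python
import random

P = 2**31 - 1  # prime modulus; assumption made for readability of this sketch

def share(x, t, k, rng):
    """Client: degree-t Shamir sharing of every coordinate of x.
    Returns k share vectors; server j (1-based) gets the values at point j."""
    polys = [[xi % P] + [rng.randrange(P) for _ in range(t)] for xi in x]
    return [[sum(c * pow(j, e, P) for e, c in enumerate(cs)) % P for cs in polys]
            for j in range(1, k + 1)]

def evaluate(poly, point):
    """Server: evaluate a multivariate polynomial, given as a list of
    (coefficient, variable indices) monomials, on its share vector."""
    total = 0
    for coef, idxs in poly:
        m = coef
        for i in idxs:
            m = m * point[i] % P
        total = (total + m) % P
    return total

def interpolate_at_zero(ys):
    """Client: Lagrange interpolation at 0 from values at points 1..len(ys)."""
    k, total = len(ys), 0
    for j in range(1, k + 1):
        num = den = 1
        for m in range(1, k + 1):
            if m != j:
                num = num * (-m) % P
                den = den * (j - m) % P
        total = (total + ys[j - 1] * num * pow(den, P - 2, P)) % P
    return total

def run_protocol(poly, x, t, k, rng):
    """One round: share x, each server evaluates locally, client interpolates."""
    return interpolate_at_zero([evaluate(poly, s) for s in share(x, t, k, rng)])

# Constructed sample: p(x) = x0*x1*x2 + 3*x1 + 5 has degree 3.
POLY = [(1, (0, 1, 2)), (3, (1,)), (5, ())]

if __name__ == "__main__":
    rng = random.Random(1)
    print(run_protocol(POLY, [2, 7, 4], t=1, k=4, rng=rng))  # degree*t + 1 servers
    print(run_protocol(POLY, [2, 7, 4], t=1, k=3, rng=rng))  # one server too few
```

Evaluating a degree-d polynomial on degree-t shares yields points of a degree-d·t univariate polynomial, so d·t + 1 servers are needed for interpolation, which is why the server count grows with the degree.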

25 Multiparty protocols from polynomials
Goal: evaluate multivariate polynomials known to all on distributed input and randomness.
Standard techniques for secure computation [BGW88, CCD88, GRR98]
Number of parties proportional to the degree
Communication proportional to # of polynomials (and input length)
Randomness:
 – Public randomness (r) independent of the inputs
 – Private randomness (ρ) should remain a secret

26 Roadmap: Secure computation of constant-depth circuits with applications to database search problems
Figure: database D (n entries) at the server → circuit → polynomials p_{r_1}(x,ρ), p_{r_2}(x,ρ), …, p_{r_j}(x,ρ) → protocol between the client and servers 1, 2, 3

27 Conclusions
Practically feasible solutions to large scale database search problems, e.g., partial match
 – Nearly optimal communication and computation
 – Reasonable number of servers (½logn for partial match)
 – No expensive crypto (e.g., public key operations)
Challenge: obtain similar protocols in 2-party setting
 – Extend [BGN05] from degree 2 to degree logn?
Multiparty setting:
 – Nearly optimal communication and computation for a useful class of functions (AC^0)
 – Communication almost does not grow with circuit size
Challenge: Higher complexity classes, e.g., NC^1

28 Questions?

