How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb
Secure Function Evaluation [Yao,GMW,BGW,…] • n players with private inputs x1,…,xn • Can compute any function f() over their private inputs • No information beyond f() is leaked • SFE tells HOW to compute f() • But not WHAT f() to compute CRYPTO 2007
A Client-Server Setting • SFE reduces many of the general cases to the client-server setting [Figure: Server, Client, G]
WHAT should we compute? • Server must/is willing to reveal a function f() of the data • Secure function evaluation: Reveal f(), but no other information • ??? • Server should preserve individual privacy • Private data analysis: (rand) functions f() satisfying differential privacy
In Between (1) • Server must/is willing to reveal a function f() of the data • But… Computing f() is inefficient or intractable • And, an efficient approx f*() exists • Idea: Use SFE to compute an approx f*() to f()
What Can Go Wrong? [FIMNSW01] • Server holds a graph G • Client asks for size of min VC fVC(G) • Approx: fVC*(G) = 2MaxMatch(G) • Hmmm... [Figure: two example graphs] fVC: 2, 2; 2MaxMatch: 2, 4
Private Approximations [FIMNSW01] • Require: f*(G) simulatable given f(G) • Hence approximation does not leak more information than exact computation • Implied: f(G) = f(G’) ⇒ f*(G) ≈ f*(G’) • Sometimes feasible: • Hamming distance [FIMNSW01, IW06] • Permanent [FIMNSW01] • Sometimes not feasible: • fVC not privately approx within ratio n^(1-ε) [HKKN01] • Approx feasible with a small leakage
In Between (2) • Server must/is willing to solve a search problem over the data • Idea: Use SFE to compute a solution? • Or an approximate solution
What Can Go Wrong? [BCNW06] • Server holds a graph G • Client asks for VC(G) • Approx: A*VC(G) = MaxMatch(G) • Hmmm... [Figure: two example graphs on vertices 1–5] VC: {2}, {2}; A*VC: {2,3}, {2,1}
Private Algorithms [BCNW06] • R – Equivalence Relation over {0,1}* • E.g. G1 ≈ G2 if VC(G1) = VC(G2) • Algorithm A is private with respect to R if: A(x) ≈ A(y) for inputs x, y equivalent under R
Is Private Search Good? Too strong: • VC does not admit private search approx algs • Even with a significant relaxation [BCNW06,BHN07] • If NP not in P/poly, there is a search problem in P that has no polynomial time private algorithm [BCNW06] Too weak: • A private search algorithm may reveal all the solutions • Does not rule out simple ways of plausible leakage
Some Possible Weaknesses • Randomized Algorithms: More solutions learned by repeated querying; Fuzziness • Deterministic Algorithms: Repeated querying ineffective; Definite information learned • Can we get the best of both worlds?
Framework: Seeded Algorithms • A – randomized algorithm • Server fixes a seed s for all queries • Allows selecting random solutions • Prevents abuse of repeated queries [Figure: A, holding seed s, answers queries G1, G2 with A(G1,s), A(G2,s)]
Rest of the Talk • Propose two new definitions • Equivalence protecting • Resemblance preserving • Show basic implementation methodologies • Summary/discuss
First Definition: Equivalence Protecting • Consistent oracle : • (x)S(x) • (x)=(y) for all x ≈P y • A seeded algorithm A is equivalence protecting: [Figure: a distinguisher issuing queries x1, x2; A(·, s) ≡c random consistent oracle]
Equivalence Protecting: Shortest Path • Def: An edge is relevant in G if it appears in some shortest path from s to t • Fact I: Relevance depends only on S(G) • Fact II: There exists an algorithm Arand(G, r) that outputs a random shortest path in G
Equivalence Protecting: Shortest Path • Input: • A graph G • A seed s for a family {fs} of pseudorandom functions • Output: A path in S(G) • The algorithm: • H = relevant edges of G • Compute r = fs(H) • Output: p = Arand(H, r)
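The three steps above in runnable form, as an added example (not code from the talk or the paper). It assumes unweighted undirected graphs, HMAC-SHA256 standing in for the PRF family {fs}, and a path-count-weighted walk for Arand; the function names and the graphs G1, G2 are constructed for illustration.

```python
import hashlib
import hmac
import random
from collections import deque

def bfs(adj, src):
    """Hop distances from src in an unweighted graph {node: set(neighbours)}."""
    dist, queue = {src: 0}, deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def relevant_edges(adj, s, t):
    """H: directed edges (u, v) that lie on some shortest s-t path."""
    ds, dt = bfs(adj, s), bfs(adj, t)
    if t not in ds:
        raise ValueError("t is unreachable from s")
    return sorted((u, v) for u in adj for v in adj[u]
                  if u in ds and v in dt and ds[u] + 1 + dt[v] == ds[t])

def private_shortest_path(adj, s, t, seed):
    H = relevant_edges(adj, s, t)
    # r = f_s(H): HMAC-SHA256 (assumed PRF) over a canonical encoding of H.
    r = hmac.new(seed, repr((s, t, H)).encode(), hashlib.sha256).digest()
    rng = random.Random(r)            # all randomness is derived from r only
    succ = {}
    for u, v in H:
        succ.setdefault(u, []).append(v)
    count = {t: 1}                    # number of shortest paths from node to t
    def paths(u):
        if u not in count:
            count[u] = sum(paths(v) for v in succ[u])
        return count[u]
    # A_rand(H, r): walk from s, weighting each step by remaining path count,
    # which selects uniformly among all shortest paths.
    path = [s]
    while path[-1] != t:
        nxt = succ[path[-1]]
        path.append(rng.choices(nxt, weights=[paths(v) for v in nxt])[0])
    return path

# Constructed inputs: G2 adds a longer detour s-c-d-t, so S(G1) == S(G2).
G1 = {"s": {"a", "b"}, "a": {"s", "t"}, "b": {"s", "t"}, "t": {"a", "b"}}
G2 = {"s": {"a", "b", "c"}, "a": {"s", "t"}, "b": {"s", "t"},
      "c": {"s", "d"}, "d": {"c", "t"}, "t": {"a", "b", "d"}}
```

Because the output depends on G only through H, the two graphs give the same path under any fixed seed, and repeating a query returns the same answer.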
Other Equivalence Preserving Algorithms • Perfect matching in bipartite graphs • Solution of a linear system of equations • Shortest path: weighted directed graphs
Second Definition: Resemblance Preserving • Motivation: protect inputs with similar solution sets • Resemblance between instances x,y: r(x,y) = |S(x)∩S(y)| / |S(x)∪S(y)| • Fact: 0 ≤ r(x,y) ≤ 1 • A seeded algorithm A is resemblance preserving if for all instances x,y: Pr[A(x,s)=A(y,s)] ≥ r(x,y)
Tool: Min-wise Independent Permutations [BroderCharikarFriezeMitzenmacher98] • A family of permutations is min-wise independent if for every set A ⊆ U and a ∈ A: • Observation:
A Generic Resemblance Preserving Algorithm • Input: • An input x • A seed s for a family of min-wise independent permutations • Output: A solution in S(x) • Algorithm: • Output sol ∈ S(x) such that • Algorithmic challenge: Find sol efficiently.
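A small experiment with the generic algorithm, as an added example (not code from the talk or the paper). It assumes the selection rule is "the element of S(x) with the smallest image under the seeded permutation", uses an HMAC-SHA256 ranking in place of a true min-wise independent family, and enumerates S(x) explicitly, which is exactly the step the slide flags as the algorithmic challenge; all names and the sets S_X, S_Y are constructed.

```python
import hashlib
import hmac

def pi(seed, element):
    """Seeded ranking of the universe, standing in for a min-wise independent
    permutation (HMAC-SHA256 is an assumption of this sketch)."""
    return hmac.new(seed, repr(element).encode(), hashlib.sha256).digest()

def select(solutions, seed):
    """Return the solution in S(x) with the smallest image under pi_seed."""
    if not solutions:
        raise ValueError("instance has no solutions")
    return min(solutions, key=lambda sol: pi(seed, sol))

def resemblance(sx, sy):
    """r(x,y) = |S(x) ∩ S(y)| / |S(x) ∪ S(y)|."""
    return len(sx & sy) / len(sx | sy)

def agreement_rate(sx, sy, trials=2000):
    """Fraction of seeds for which both instances get the same answer."""
    seeds = (i.to_bytes(4, "big") for i in range(trials))
    return sum(select(sx, s) == select(sy, s) for s in seeds) / trials

# Constructed solution sets for two instances x and y: r(x,y) = 3/9.
S_X = frozenset(range(1, 7))
S_Y = frozenset(range(4, 10))

if __name__ == "__main__":
    print("r(x,y)    =", round(resemblance(S_X, S_Y), 3))
    print("agreement =", round(agreement_rate(S_X, S_Y), 3))
```

The two instances agree whenever the minimum over S(x) ∪ S(y) falls in the intersection, so the measured agreement rate tracks r(x,y).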
Other Resemblance Preserving Algorithms • (non-) Roots of polynomials • Solution of a linear system of equations • Satisfying assignment of a DNF formula
Summary • Presented two intuitive variants of private search • Equivalence protecting • Resemblance preserving • Constructed algorithms satisfying definitions • Privacy implications of search problems are not well understood • Even (seemingly minimal) requirements of privacy are hard to attain • Different privacy requirements for different setups • Is there an order in the mess? • A methodology for comparing/justifying definitions
BSF-DIMACS Privacy Workshop • @DIMACS/Rutgers University • Interdisciplinary • February 4-7 • Organizers: B. Pinkas, K.N., and R. Wright • (some) Funding available • To be added to mailing list: kobbi@cs.bgu.ac.il
A (Seemingly) Minimal Requirement • Private search algorithm [BCNW06]: VC(G) = VC(G’) ⇒ A*VC(G) ≈ A*VC(G’) • A*VC should not distinguish graphs that have the same set of solutions • A generalization of private approximation [FIMNSW01]