Download
1 / 16
160 likes | 234 Views
Polylogarithmic Private Approximations and Efficient Matching. David Woodruff MIT, Tsinghua. Piotr Indyk MIT. TCC 2006. Secure communication. Alice. Bob. a {0,1} n b {0,1} n Want to compute some function F(a,b)
E N D
Polylogarithmic Private Approximations and Efficient Matching David WoodruffMIT, Tsinghua Piotr IndykMIT TCC 2006
Secure communication Alice Bob a {0,1}nb {0,1}n • Want to compute some function F(a,b) • Security: protocol does not reveal anything except for the value F(a,b) • Semi-honest: both parties follow protocol • Malicious: parties are adversarial • Efficiency: want to exchange few bits
Secure Function Evaluation (SFE) • [Yao, GMW]: If F computed by circuit C, then F can be computed securely with O~(|C|) bits of communication • [GMW] + … + [NN]: can assume parties semi-honest • Semi-honest protocol can be compiled to give security against malicious parties • Problem: circuit size at least linear in n *O~() hides factors poly(k, log n)
Secure and Efficient Function Evaluation • Can we achieve sublinear communication? • With sublinear communication, many interesting problems can be solved only approximately. • What does it mean to have a private approximation? • Efficiency: want SFE with communication comparable to insecure case
Private Approximation • [FIMNSW’01]: A protocol computing an approximation G(a,b) of F(a,b) is private, if each party can simulate its view of the protocol given the exact value F(a,b) • Not sufficient to simulate non-private G(a,b) using SFE • Example: • Define G(a,b): • bin(G(a,b))i =bin((a,b))i if i>0 • bin(G(a,b))0=a0 • G(a,b) is a 1 -approximation of (a,b), but not private • Popular protocols for approximating (a,b), e.g., [KOR98], are not private
Approximating Hamming Distance • [FIMNSW01]: A private protocol with complexity O~(n1/2/ ) • (a,b) small: compute (a,b)exactly inO~((a,b)) bits • (a,b) high: sample O~(n/(a,b))(a-b)i, estimate (a,b) • Our main result: • Complexity: O~(1/2) bits • Works even for L2 norm, i.e., estimates ||a-b||2for a,b {1…M}n * O~() hides factors poly(k, log n, log M, log 1/)
Crypto Tools Efficient OT1n: • P1 has A[1] … A[n] 2 {0,1}m , P2 has i 2 [n] • Goal: P2privately learns A[i], P1 learns nothing • Can be done using O~(m) communication [CMS99, NP99] Circuits with ROM [NN01] (augments [Yao86]) • Standard AND/OR/NOT gates • Lookup gates: • In: i • Out: Mgate[i] • Can just focus on privacy of the output Communication at most O~(m|C|)
High-dimensional tools • Random projection: • Take a random orthonormal nn matrix D, that is ||Dx|| = ||x|| for all x. • There exists c>0 s.t. for any xRn, i=1…n Pr[ (Dx)i2 > ||Dx||2/n * k] < e-ck
Approximating ||a-b|| • Recall: • Alice has a 2 [M]d, Bob has b 2 [M]d • Goal: privately estimate ||a-b||, x=a-b • Suffices to estimate ||a-b||2
Protocol Intuition • Alice and Bob agree upon a random orthonormal matrix D • Efficient by exchanging a seed of a PRG • Alice and Bob rotate vectors a,b, obtaining Da, Db • ||Da-Db|| = ||a-b|| • D “spreads the mass” of the difference vector uniformly across the n coordinates. • Can now try obliviously sampling coordinates as in [FIMNSW01]
Protocol Intuition Con’d • Alice and Bob agree upon random orthonormal D • Alice and Bob rotate a,b, obtaining Da, Db • Use secure circuit with ROMs Da and Db to: • Circuit obtains (Da)i and (Db)i for many random indices i Problem:Now what? Samples leak a lot of info! Fix: - Suppose you know upper bound T with T ¸ ||a-b||2 - Flip a coin z with heads probability n((Da)i – (Db)i)2/(kT) - Then E[z] = n||Da-Db||2/(nkT) = ||a-b||2/(kT) - E[z] only depends on ||a-b||, and z only depends on E[z]!
Protocol Intuition Con’d • Alice and Bob agree upon random orthonormal D • Alice and Bob rotate a,b, obtaining Da, Db • Use secure circuit with ROMs Da, Db, to: • Obtain (Da)i and (Db)i for L random i • Generate Bernoulli z1, … , zL with E[zi] = ||a-b||2/(kT) • Output kT zi/L Privacy: View only depends on ||a-b|| Problem: Correctness! A priori bound T=M2 n, but ||a-b||2 may be (1), so (n) samples required. Fix:Private binary search on T
Protocol Intuition Con’d … … • Use secure circuit with ROMs Da, Db to: • Obtain (Da)i and (Db)i for L random i • Generate Bernoulli z1, … , zL with E[zi] = ||a-b||2/(kT) • Output kT zi/L Fix: - Private binary search on T - If many zi = 0, then intuitively can replace T with T/2 - Eventually T = ~(||a-b||2) - We will show: final choice of T is simulatable!
One last detail • Want to show final choice of T is simulatable • Estimate is kT zi/L and we stop when “many” zi = 1 • Recall E[zi] = ||a-b||2/(kT) Key Observation: Since orthonormal D is uniformly random, can guarantee that if many zi = 0, then ||a-b||2 << T. Note: - Suppose didn’t use D, and a = (M, 0, …, 0), b = (0, …, 0) - Then ||a-b||2 = M2 is large, but almost always zi = 0, so you’ll choose T < ||a-b||2. - Not simulatable since T depends on the structure of a, b
Algorithm vs. Simulation SIMULATION • Repeat • GenerateL independent bits zi such that Pr[zi=1]= ||a-b|| 2/Tk • T=T/2 • Until Σi zi ≥ (L/k) • Output E= Σi zi /L * 2Tk as an estimate of ||a-b||2 ALGORITHM • Repeat • Generate L independent bits zi such that Pr[zi=1]= ||D(a-b)|| 2/Tk • T=T/2 • Until Σi zi ≥ (L/k) • Output E= Σi zi /L * 2Tk as an estimate of ||a-b||2 Recall:||D(a-b)||=||a-b|| Communication= O~(L) = O~(1/2)
Other Results • Use homomorphic encryption tricks to get better upper bounds for private nearest neighbor and private all-pairs nearest neighbors. • Define private approximate nearest neighbor problem: • Requires a new definition of private approximations for functionalities that can return sets of values. • Achieve small communication in this setting.
