1 / 34

Efficient Private Approximation Protocols

Efficient Private Approximation Protocols. Piotr Indyk David Woodruff. Work in progress. Outline. Private approximation of L 2 distance Private near neighbor Private approximate near neighbor. 1. Private approximation of L 2 distance. Secure communication. Alice. Bob.

luna
Download Presentation

Efficient Private Approximation Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Efficient Private Approximation Protocols Piotr IndykDavid Woodruff Work in progress

  2. Outline • Private approximation of L2 distance • Private near neighbor • Private approximate near neighbor

  3. 1. Private approximation of L2 distance

  4. Secure communication Alice Bob a  {0,1}nb  {0,1}n • Want to compute some function F(a,b) • Security: protocol does not reveal anything except for the value F(a,b) • Semi-honest: both parties follow protocol • Malicious: parties are adversarial • Efficiency: want to exchange few bits

  5. Secure Function Evaluation (SFE) • [Yao, GMW]: If F computed by circuit C, then F can be computed securely with O~(|C|) bits of communication • [GMW] + … + [NN]: can assume parties semi-honest • Semi-honest protocol can be compiled to give security against malicious parties • Problem: circuit size at least linear in n *O~() hides factors poly(k, log n)

  6. Secure and Efficient Function Evaluation • Can we achieve sublinear communication? • Ideally: secure computation with communication comparable to insecure case • With sublinear communication, many interesting problems can be solved only approximately. • What does it mean to have a private approximation?

  7. Private Approximation • [FIMNSW’01]: A protocol computing an approximation G(a,b) of F(a,b) is private, if each party can simulate its view of the protocol given the exact value F(a,b) • Note: not sufficient to simulate non-private G(a,b) using SFE • Example: • Define G(a,b): • bin(G(a,b))i =bin((a,b))i if i>0 • bin(G(a,b))0=a0 • G(a,b) is a 1 -approximation of (a,b), but not private

  8. Concrete Pitfall: Dimension Reduction • A basic problem: Hamming distance (a,b) • Approximate decision version: with prob. 1-, • If (a,b)≤r, answer NO • If (a,b)≥r(1+) , answer YES • [Kushilevitz-Ostrovsky-Rabani’98]: • Create mn binary matrix D, where Pr[Dij=1]= 1/(2r) for m= O~(log 1/ / 2) • Exchange Da, Db (mod 2) • Answer YES if wt[D(a-b)]>r’, r’ function of r,  NOTE: This protocol was not designed to be private

  9. Non-Privacy of KOR • Let x = a – b. If, wt(x) = r, r log n ¼ m then can recover x from D, Dx in O(mn) time! • Algorithm: for j=1…n, estimate Pr[<di, x> =1| dij =1] = Pr[<di, x> =1  dij=1]/Pr[dij =1] • If xj=1 then Pr[<di, x> =1|dij =1] is high • If xj=0 then Pr[<di x> =1|dij=1] is low

  10. Approximating Hamming Distance • [FIMNSW’01]: A private protocol with complexity O~(n1/2/ ) • wt(x) small: compute wt(x) using O~(wt(x)) bits • wt(x) high: sample O~(n/wt(x))xi, estimate wt(x) • Our result: • Complexity: O~(1/2) bits • Works even for L2 norm, i.e., estimates ||x||2for a,b  {1…M}n * O~() hides factors poly(k, log n, log M, log 1/)

  11. Crypto Tools • SFE of circuits [Yao’86]: O~(|circuit|) communication • Efficient SPIR or OT1n: • Alice has A[1] … A[n] 2 {0,1}m , Bob has i 2 [n] • Goal: Bob privately learns A[i] and that’s it • Can be done using O~(m) communication [CMS99, NP99] • Circuits with ROM [Naor, Nissim’01]: • Standard AND/OR/NOT gates • Lookup gates: • In: i • Out: Mgate[i] • Takes care of the security of computation: • begin secure … end secure • Can just focus on privacy of the output Communication at most O~(m|C|)

  12. High-dimensional tools • Random projection: • Take a random orthonormal nn matrix D, that is ||Dx|| = ||x|| for all x. • There exists c>0 s.t. for any xRn, i=1…n Pr[ (Dx)i2 > ||Dx||2/n * k] < e-ck

  13. Approximating ||a-b||2 • Recall: • Alice has a 2 [M]d, Bob has b 2 [M]d • Goal: estimate ||x||2, x=a-b

  14. Algorithm • Alice and Bob create random orthonormal matrix D such that, for each i=1…n (Dx)i2 < k||x||2/n • T=M2 n+1 • Repeat • {Assertion: ||x||2≤ T} • Invoke PRIVATESAMPLE to get L=O~(1/ 2) independent bits zisuch that Pr[zi=1]=||Dx||2/(Tk) • T = T/2 • Until Σi zi ≥ L/(4k) • Output E= Σi zi /L * 2Tk as an estimate of ||x||2 Correctness: • Unbiased estimator • High probablity from Chernoff bound SECURE!

  15. PRIVATESAMPLE Generate independent bits zi with E[zi] = ||Dx||2/(Tk) • P=Tk/n • Pick random t[n] • Retrieve (Da)t, (Db)t • Compute (Dx)t = (Da)t - (Db)t • Define v=[(Dx)t]2 • If v ≤ P then generate z s.t. Pr[z=1]=v/P Else output fail • Output z Correct as long as (Dx)2i < Tk/n for each i=1…n SECURE!

  16. Algorithm, again • Alice and Bob create random* orthonormal** matrix D such that, for each i=1…n (Dx)i2 < ||x||2/n * k • T=M2 n+1 • Repeat • {Assertion: ||x||2≤ T} • Invoke PRIVATESAMPLE to get L=O~(1/ 2) independent bits zisuch that Pr[zi=1]= ||Dx||2/Tk { Works as long as (Dx)2i < Tk/n for each i=1…n} • T=T/2 • Until Σi zi ≥ L/(4k) • Output E= Σi zi /L * 2Tk as an estimate of ||x||2 If Assertion not true, then Pr[zi=1]>1/(2k)  E[Σi zi ] > L/(2k) >> L/(4k)

  17. Simulation SIMULATION • Repeat • Choose L independent bits zi such that Pr[zi=1]= ||x||2/Tk • T=T/2 • Until Σi zi ≥ (L/k) • Output E= Σi zi /L * 2Tk as an estimate of ||x||2 ALGORITHM • Repeat • {Assertion: ||x||2≤ T} • Invoke PRIVATESAMPLE to get L independent bits zi such that Pr[zi=1]= ||Dx||2/Tk • T=T/2 • Until Σi zi ≥ (L/k) • Output E= Σi zi /L * 2Tk as an estimate of ||x||2 Recall: • ||Dx||=||x|| Communication: O~(1/2)

  18. 2. Private near neighbor

  19. Private Near Neighbor Alice Bob P = p1, p2, …, pn2 {1, 2, …, U}d = [U]d q 2 [U]d • Distance function:f(x,y) • Correctness: Bob learns mini f(q, pi) • Privacy: Alice learns nothing, Bob learns nothing else • Goal: Minimize communication

  20. Private Near Neighbor • n points, dimension d, universe [U] • [DA] needs 3rd party, we don’t • Approach: homomorphic encryption + secure function evaluation (SFE)

  21. “Coordinate-wise” distance functions Alice Bob P = p1, p2, …, pn2 [U]d q 2 [U]d “Coordinate-wise” distance functions: f(a,b) =  fi(ai, bi) Bob:1. For each coordinate, create a degree-(U-1) polynomial gj(x) = i ai,j xi such that gj(u) = fj(qj, u) for all u 2 [U] 2. Generate (SK, PK) for Paillier Encryption scheme. Send PK and EPK(ai, j) for all i,j Alice:1. For all i, E(j gj(pi,j)) = E(f(q, pi)) SFE: Inputs: Alice – E(f(q, pi)) Bob - SK 1. Bob gets mini DSK (E(f(q, pi))) E(x), E(y) -> E(x + y) E(x), c -> E(cx)

  22. Generic distance functions • Security: 1. Replace SFE with oracle 2. Alice View indistinguishable from PK, E(0), E(0), …, E(0) – E semantically secure 3. Bob View just = output • Efficiency: 1. Send polynomials = O~(dU) 2. SFE = O~(n) (simple circuit)

  23. Private Near Neighbor • n points, dimension d, universe [U] • Alice x1, …, xn2 {0,1}d , Bob y1, …, yn2 {0,1}d , Threshold t • Bob gets all xi s.t. (xi, yj) < t for some j • Communication: O~(n2 + nd2). Resolves open question of [FNP04]: • [FNP04] achieve O~((d choose t)nt)  May be superpolynomial in n (homomorphic tricks)

  24. 3. Private Approximate Near Neighbor

  25. Private Near Neighbor • Drawback: Protocols depend linearly on # points n • Necessary? Not if algebraically homomorphic E exists • Our approach: solve the approximate problem

  26. Private c-Approximate Near Neighbor Alice has P = {p1, …, pn}  {0,1}d, Bob has q {0,1}d Notation: Pr = P  B(q, r) Correctness: Prnonempty  Bob learns some element of Pcr Privacy: Bob’s view simulatable given q and Pcr Pcr Pr

  27. Private Approximate Near Neighbor • Definition Remarks: Privacy: Don’t care what Bob gets as long as it follows from Pcr  Simulator gets Pcr Correctness: Don’t specify anything if Pr empty, but view still simulatable • Our results: - O~(n1/2 + d) - If Bob just wants some coordinate of an element of Pcr, then improve to O~(n1/2 + polylog(d))

  28. Private Approximate Near Neighbor Two approaches: 1. Dimensionality Reduction in Hamming Cube [KOR98] 2. Locality Sensitive Hashing [IM98] This talk: protocol using #1

  29. Dimensionality Reduction • [KOR]: Let A be random m times d binary matrix, m = O(log d /2) • Then there is a separator r’ s.t. with probability 1-1/n2 , for any p,q  {0,1}d 1. (p,q) > cr (Ap, Aq) > r’ 2. (p,q) · r (Ap, Aq) < r’ Idea: Alice 1. Applies A to P  dimension small 2. Enumerates all w  {0,1}m, forms array: B[w]={p 2 P s.t. (Ap, w) < r’} 3. Use Oblivious ROM

  30. Dimensionality reduction protocol 2. Agree on k matrices A1, …, Ak 3. Create array Bi based on Ai 4. Bi[p] contains any n1/2 points p’ 2 P s.t. (Aip’, p) < r’ 5. Alice sets ROM to be the Bis Protocol: 1. Randomly sample O~(n1/2) points P1 2. If |Pcr| > n1/2, then P1Å Pcr;, w.h.p. Pcr 6. If P1Å Pcr;, SFE outputs a random element of P1. Otherwise, SFE uses [i B i[Aiq] to output a random element of Pr

  31. Dimensionality Reduction Analysis Properties: 1. If |Pcr| > n1/2, we output random element of Pcr ,w.h.p. 2. If |Pcr| < n1/2 , by properties of A, for any p  Pr , PrA [8 p 2 Pr, (Ap, Aq) < r’ and8 p 2 Pcr, (Ap, Aq) > r’] > 1- 1/n 3. Since bucket size is n1/2 and |Pcr| < n1/2, pBi[Aiq], Pr i Bi[Aiq] Correctness: If |Pcr| > n1/2, output element from Pcr Else output an element from Pr

  32. Dimensionality Reduction Analysis • Communication: 1. Sampling O~(n1/2) elements to ensure |Pcr| < n1/2 2. OT on O~(1) buckets of size n1/2 Thus, balanced steps 1 & 2 O~(dn1/2) total communication • Simulatability: • Output either a random element of Pcr , or a random • element of Pr

  33. Dimensionality Reduction Analysis • Dependence on d: • 1. Homomorphic encryption: O~(d + n1/2) • 1. Bob sends E(q1), …, E(qd) • 2. Alice computes E((pi, q)) • - Uses these for sampling and bucketing • 2. Reduce to O~(polylog(d) + n1/2) if Bob just wants • a coordinate of point in Pcr– use approximations

  34. Conclusions • Extensions: Can achieve O(n1/3 + d) communication if you allow the protocol to “leak” k bits of information • Open problems: 1. Polylogarithmic Private Approximation of other distances 2. More efficient protocols for exact near neighbor. Tricks for PIR may be useful 3. Polylogarithmic c-approx NN protocol

More Related