280 likes | 744 Views
Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems Omer Barkol Yuval Ishai Technion. Motivation: private database search. D?. Client. Server. q. D. “fermat” and (“last theorem” or “great theorem”). q?. What is he working on?.
E N D
Secure Computation ofConstant-Depth Circuits with Applications to Database Search ProblemsOmer BarkolYuval IshaiTechnion
Motivation: private database search D? Client Server q D “fermat” and (“last theorem” or “great theorem”) q? What is he working on? Article on Fermat’s Last Theorem f(q,D) • Want: • Server work: O(|D|) • Client work: O(|q|) • Communication: O(|q|) PIR [CGKS95]: f(q,D)=Dq OT/SPIR
Current approaches q D • Send all of D to the client • Too much communication (|D|) • No server privacy • Use general purpose secure computation[Yao86,GMW87] • Communication > circuit size > |D| • Use PIR as a building block: • PIR + data-structures [CGN97,FIPR05,OS05] • Applies to a very limited class of problems: • set membership / keyword search • approximate nearest neighbor • Communication preserving protocol compiler[NN01] • Generally requires exponential computation f(q,D) Oh no! This might take me 7 years! Benchmark: partial match? f( *1*0 , 0010 0110 1111 )=1 Nothing
Observation:Many database search problems can be implemented by constant-depth circuits output depth 2 x1 x2 xm inputs • Gates: OR,AND,NOT and XOR • Unbounded fan-in and fan-out • Depth: length of the longest input→output path
q D f(q,D) C x C(x) Observation:Many database search problems can be implemented by constant-depth circuits = f(q,D)
Preprocess: 0 → 10 1 → 01 * → 11 1 1 0 1 1 1 1 0 Example: partial match 1010 *1*0 0110 0110 1011 1110
q D f(q,D) C x C(x) Observation:Many database search problems can be implemented by constant-depth circuits • “Computing on encrypted data” – longstanding question • Case of 2-DNF recently solved [BGN05] = f(q,D)
Relaxation: multiple servers C x C C x? C(x) t servers • Used in information theoretic PIR • Replicated databases are common • p2p networks • Web content delivery (e.g., Akamai) • t-privacy • Client can choose servers he trusts
Main results t-secure protocol with: • Servers: t·(log|C|)depth-1 • Communication: Õ(|x|) • Client computation: Õ(|x|) • Server computation: Õ(|C|) • Rounds: 1 Communication and work are optimal up to polylog factors Yeh! C C C
Main results: DNF/CNF/partial match • n-term DNF / database with n entries • Security threshold 1 • Secure protocol with: • Servers: ½logn • Communication: Õ(|x|) • Client computation: Õ(|x|) • Server computation: Õ(n) D has 230 entries We need ~15 servers C C C
Second model: multiparty computation party input: x2 party party input: x3 input: x1 Const-depth circuit C C(x) x=x1°x2°.... °xk party party input: x4 input: x5 • General purpose secure computation[GMW87,BGW88,CCD88] • Communication > circuit size • Communication efficient multiparty computation[BFKR90] • Computation exponential in |x| • Number of servers
Results: multiparty setting t-secure multiparty protocol with • Parties: t·(log|C|)depth-1 • Communication: Õ(|x|·poly(#parties)) • Computation: Õ(|C|) • Rounds: O(1) • optimal up to polylog factors
Server Server Server Server Server Server Server p1(x) Server Database D p2(x) n 1 2 3 Polynomials Circuit pj(x) Polynomials Client Roadmap From database search to protocol
Server Server Server Server Server Server Server p1(x) Server Database D p2(x) n 1 2 3 Polynomials Circuit pj(x) Polynomials Client Roadmap From database search to circuit
Server Server Server Server Server Server Server p1(x) Server Database D p2(x) n 1 2 3 Polynomials Circuit pj(x) Polynomials Client Roadmap From circuit to polynomials
deg 1 no error Goal: x: Probr[pr(x) ≠ C(x)] ≤2-σ From circuit to polynomials Step A: • Represent a circuit by a low-degree randomized multivariate polynomial • Field = GF(2) • Rely on technique of [Raz87, Smo87] x1+x2+x4 x1 x2 x4
deg t no error deg 1 err ½ deg γ err 2-γ Goal: x: Probr[pr(x) ≠ C(x)] ≤2-σ From circuit to polynomials rγ1 … r11 r1 set γ = σ rγ2 … r12 r2 … … … … rγt … r1t rt ε-biased PRG x1 x2 … xt r
deg γ err 2-γ deg γ err 2-γ deg γ err 2-γ deg γ err 2-γ deg γ err 2-γ Goal: x: Probr[pr(x) ≠ C(x)] ≤2-σ From circuit to polynomials Prob[pr(x) ≠ C(x)] ≤ (n+1)·2-γ n-term DNF For error 2-σ set γ = σ + log(n+1) Total degree γ2 = (σ + log(n+1))2 x1 x2 x3 x4 x5 x6
Goal: Vector pr(x) s.t. x: Probr[R(pr(x)) ≠ C(x)] ≤2-σ deg 3 err ⅛ deg γ err 2-γ deg γ err 2-γ deg γ err 2-γ deg γ err 2-γ From circuit to polynomials Step B: Optimizations – example for n-term DNF Prob[pr(x) ≠ C(x)] ≤ n·2-γ+⅛ ≤¼ pr1(x) For error ¼ set set γ = logn + 3 Total degree 3γ = 3(logn+3) x1 x2 x3 x4 x5 x6
pr1(x) pr2(x) pr3(x) deg 3logn err ¼ r1 r2 r3 x x x prO(σ)(x) rO(σ) x From circuit to polynomials Step B: Optimizations – example for n-term DNF degree logn+2 C(x)=0: Prob[p(x)=1] ≤ ⅛ C(x)=1: Prob[p(x)=1] ≥⅜ More careful analysis: Recover C(x) using Threshold ¼ Recover C(x) using Majority …
Server n C(x)=0 C(x)=1 ⅛ ¼ ⅜ 0 From circuit to polynomials Step B: Optimizations – example for n-term DNF O(σ) polynomials of degree logn+2 pr1(x) pr2(x) Prob[th¼(pr(x)) ≠ C(x)] ≤ 2-σ prO(σ)(x) I have no privacy!
Server n From circuit to polynomials Step C: Server Privacy pr1(x,ρ) pr2(x,ρ) pr1(x) th¼:{0,1}O(σ)→{0,1} pr2(x) Randomizing polynomials for threshold [IK00] prO(σ)(x) prσO(1)(x,ρ) private randomness
Server Server Server Server Server Server Server p1(x) Server Database D p2(x) n 1 2 3 Polynomials Circuit pj(x) Polynomials Client Roadmap From polynomials to protocol
p p p p x p Client-Servers protocols from polynomials • Goal: evaluate multivariate polynomials held by the servers on a point held by the client. • Standard techniques for secure computation[BGW88, CCD88, BF90] • Number of servers proportional to the degree • Communication proportional to # of polynomials (and client’s input) • Enhancements: • Protecting server privacy[GIKM98] • Reducing number of servers[WY05] Shamir-shares of x Public randomness r Evaluate pr on shares Recover pr(x) by interpolation
Multiparty protocols from polynomials • Goal: evaluate multivariate polynomials known to all on distributed input and randomness. • Standard techniques for secure computation[BGW88, CCD88, GRR98] • Number of parties proportional to the degree • Communication proportional to # of polynomials (and input lenght) • Randomness: • Public randomness (r) independent of the inputs • Private randomness (ρ) should remain a secret
Server Server Server Server Server Server Server pr1(x,ρ) Server Database D pr2(x,ρ) n 1 2 3 Polynomials Circuit prj(x,ρ) Polynomials Client Roadmap Secure computation of constant-depth circuits with applications to database search problems
Conclusions • Practically feasible solutions to large scale database search problems, e.g., partial match • Nearly optimal communication and computation • Reasonable number of servers (½logn for partial match) • No expensive crypto (e.g., public key operations) • Challenge: obtain similar protocols in 2-party setting • Extend [BGN05] from degree 2 to degree logn? • Multiparty setting: • Nearly optimal communication and computation for a useful class of functions (AC0) • Communication almost does not grow with circuit size • Challenge: Higher complexity classes, e.g., NC1
Ser Server Server Server Server Ser ver Pρ1(x,r) Ser Database D Pρ2(x) n 3 1 2 r) Questions?