Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems
Omer Barkol, Yuval Ishai
Technion
Motivation: private database search
(figure: a client holding a query q, e.g. “fermat” and (“last theorem” or “great theorem”), and a server holding a database D; the server wonders “What is he working on?”; the client receives f(q,D), here an article on Fermat’s Last Theorem, while q stays hidden from the server and D from the client)
• Want:
  • Server work: O(|D|)
  • Client work: O(|q|)
  • Communication: O(|q|)
• PIR [CGKS95]: f(q,D) = D_q; OT/SPIR
Current approaches
• Send all of D to the client
  • Too much communication (|D|)
  • No server privacy
• Use general purpose secure computation [Yao86, GMW87]
  • Communication > circuit size > |D|
• Use PIR as a building block:
  • PIR + data structures [CGN97, FIPR05, OS05]
  • Applies to a very limited class of problems: set membership / keyword search, approximate nearest neighbor
• Communication preserving protocol compiler [NN01]
  • Generally requires exponential computation (cartoon: “Oh no! This might take me 7 years!”)
Benchmark: partial match? f(*1*0, {0010, 0110, 1111}) = 1
Observation: many database search problems can be implemented by constant-depth circuits
(figure: inputs x1, x2, …, xm feeding a depth-2 circuit with a single output)
• Gates: OR, AND, NOT and XOR
• Unbounded fan-in and fan-out
• Depth: length of the longest input→output path
Observation (cont.): many database search problems can be implemented by constant-depth circuits
(figure: the pair (q, D) with output f(q,D) is mapped to an input x and a circuit C with C(x) = f(q,D))
Example: partial match
Preprocess each query symbol: 0 → 10, 1 → 01, * → 11
(figure: query *1*0 encoded as 1 1 0 1 1 1 1 0, matched against database entries 1010, 0110, 1011; the entries 0110 and 1110 are also shown)
Observation (cont.): many database search problems can be implemented by constant-depth circuits
(figure as before: (q, D) mapped to input x and circuit C with C(x) = f(q,D))
• “Computing on encrypted data” – longstanding question
• Case of 2-DNF recently solved [BGN05]
Relaxation: multiple servers
(figure: t servers, each holding C; the client holds x and obtains C(x))
• Used in information theoretic PIR
• Replicated databases are common
  • p2p networks
  • Web content delivery (e.g., Akamai)
• t-privacy
  • Client can choose servers he trusts
Main results
t-secure protocol with:
• Servers: t·(log|C|)^(depth−1)
• Communication: Õ(|x|)
• Client computation: Õ(|x|)
• Server computation: Õ(|C|)
• Rounds: 1
Communication and work are optimal up to polylog factors (cartoon: “Yeh!”)
Main results: DNF/CNF/partial match
• n-term DNF / database with n entries
• Security threshold 1
• Secure protocol with:
  • Servers: ½ log n
  • Communication: Õ(|x|)
  • Client computation: Õ(|x|)
  • Server computation: Õ(n)
Example: D has 2^30 entries, so we need ~15 servers.
Second model: multiparty computation
(figure: parties with inputs x1, x2, x3, x4, x5 jointly evaluate a constant-depth circuit C on x = x1∘x2∘…∘xk and learn C(x))
• General purpose secure computation [GMW87, BGW88, CCD88]
  • Communication > circuit size
• Communication efficient multiparty computation [BFKR90]
  • Computation exponential in |x|
  • Number of servers
Results: multiparty setting
t-secure multiparty protocol with:
• Parties: t·(log|C|)^(depth−1)
• Communication: Õ(|x|·poly(#parties))
• Computation: Õ(|C|)
• Rounds: O(1)
• Optimal up to polylog factors
Roadmap: from database search to protocol
(figure: database D → circuit → polynomials p1(x), p2(x), …, pj(x) → servers 1, 2, 3, …, n; the client holds x)
Roadmap: from database search to circuit (same figure, first step highlighted)
Roadmap: from circuit to polynomials (same figure, second step highlighted)
From circuit to polynomials
Goal: for all x, Prob_r[p_r(x) ≠ C(x)] ≤ 2^−σ
Step A:
• Represent a circuit by a low-degree randomized multivariate polynomial
• Field = GF(2)
• Rely on technique of [Raz87, Smo87]
(figure: an XOR gate on x1, x2, x4 is the polynomial x1 + x2 + x4: degree 1, no error)
From circuit to polynomials (cont.)
Goal: for all x, Prob_r[p_r(x) ≠ C(x)] ≤ 2^−σ
(figure: an OR gate on x1, x2, …, xt: exact polynomial of degree t, no error; one random parity with coefficients r1, …, rt: degree 1, error ½; γ independent parities with coefficient rows r^1, …, r^γ (entries r^k_i): degree γ, error 2^−γ; set γ = σ; the randomness r is drawn from an ε-biased PRG)
From circuit to polynomials (cont.)
Goal: for all x, Prob_r[p_r(x) ≠ C(x)] ≤ 2^−σ
(figure: an n-term DNF on x1, …, x6; each of the n term gates and the output gate is replaced by a polynomial of degree γ and error 2^−γ)
Prob[p_r(x) ≠ C(x)] ≤ (n+1)·2^−γ
For error 2^−σ set γ = σ + log(n+1)
Total degree γ² = (σ + log(n+1))²
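Step A on the partial-match benchmark, as an added worked example in Python (not code from the talk or its authors): the slide's 0→10, 1→01, *→11 encoding turns a fixed database into an n-term DNF over the encoded query bits, and the top OR is replaced by γ random parities in the style of [Raz87, Smo87]. Assumptions of this example: the AND terms are kept as exact products rather than randomized, and the random bits are uniform rather than from an ε-biased PRG, so the worst-case error is exactly 2^−γ.

```python
import itertools

# Slide encoding of a query symbol; assumption: D is fixed and the query is the input.
ENC = {"0": (1, 0), "1": (0, 1), "*": (1, 1)}

def encode_query(q):
    # *1*0 -> 1 1 0 1 1 1 1 0, as on the partial-match slide.
    return [b for c in q for b in ENC[c]]

def partial_match_terms(entries):
    # Entry d matches q iff for every position i the encoded bit q_enc[2i + d_i]
    # is 1, so each database entry is one AND term: partial match is an n-term DNF.
    return [[2 * i + int(b) for i, b in enumerate(d)] for d in entries]

def dnf_exact(terms, x):
    # C(x): the DNF itself, OR over entries of AND over the selected bits.
    return int(any(all(x[i] for i in term) for term in terms))

def approx_or(bits, rows):
    # [Raz87, Smo87]: OR(bits) ~ 1 + prod_j (1 + <r_j, bits>) over GF(2), one
    # random parity per row of r. OR = 0: every parity is 0, never wrong.
    # OR = 1: each parity is 1 with prob 1/2, wrong only with prob 2^-gamma.
    prod = 1
    for row in rows:
        parity = sum(r & b for r, b in zip(row, bits)) & 1
        prod &= 1 ^ parity
    return 1 ^ prod

def dnf_poly(terms, x, rows):
    # p_r(x): AND terms kept as exact products (degree m), only the top OR is
    # randomized with gamma = len(rows) parities, so the total degree is gamma*m.
    return approx_or([int(all(x[i] for i in term)) for term in terms], rows)

def exact_error(n, gamma):
    # max over x of Prob_r[p_r(x) != C(x)], by enumerating every gamma x n matrix r.
    # Only the n-bit vector of term values matters, so enumerate those instead of x.
    worst = 0.0
    for t in itertools.product((0, 1), repeat=n):
        bad = sum(approx_or(t, [m[i * n:(i + 1) * n] for i in range(gamma)]) != int(any(t))
                  for m in itertools.product((0, 1), repeat=gamma * n))
        worst = max(worst, bad / 2 ** (gamma * n))
    return worst
```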
From circuit to polynomials
Step B: optimizations – example for n-term DNF
Goal: a vector p_r(x) s.t. for all x, Prob_r[R(p_r(x)) ≠ C(x)] ≤ 2^−σ
(figure: the output OR gate approximated with degree 3 and error ⅛; each of the n term gates with degree γ and error 2^−γ; the result is p_r^1(x))
Prob[p_r(x) ≠ C(x)] ≤ n·2^−γ + ⅛ ≤ ¼
For error ¼ set γ = log n + 3
Total degree 3γ = 3(log n + 3)
From circuit to polynomials
Step B: optimizations – example for n-term DNF (cont.)
(figure: polynomials p_r^1(x), p_r^2(x), p_r^3(x), …, p_r^{O(σ)}(x), each evaluated on the same x with independent randomness r1, r2, r3, …, r_{O(σ)}, each of degree 3 log n and error ¼)
Recover C(x) using Majority
More careful analysis: degree log n + 2
• C(x) = 0: Prob[p(x) = 1] ≤ ⅛
• C(x) = 1: Prob[p(x) = 1] ≥ ⅜
Recover C(x) using Threshold ¼ …
From circuit to polynomials
Step B: optimizations – example for n-term DNF (cont.)
O(σ) polynomials of degree log n + 2: p_r^1(x), p_r^2(x), …, p_r^{O(σ)}(x)
Prob[th_¼(p_r(x)) ≠ C(x)] ≤ 2^−σ
(figure: fraction of ones among the p_r^i(x): at most ⅛ when C(x) = 0, at least ⅜ when C(x) = 1, threshold ¼ in between; server n complains “I have no privacy!”)
From circuit to polynomials
Step C: server privacy
(figure: the outputs p_r^1(x), p_r^2(x), …, p_r^{O(σ)}(x) held by server n feed th_¼: {0,1}^{O(σ)} → {0,1}; they are replaced by p_r^1(x,ρ), p_r^2(x,ρ), …, p_r^{σ^{O(1)}}(x,ρ))
Randomizing polynomials for threshold [IK00]
ρ: private randomness
Roadmap: from polynomials to protocol (same figure: database D → circuit → polynomials p1(x), …, pj(x) → servers 1, …, n; client with x; third step highlighted)
Client-servers protocols from polynomials
(figure: the client holds x; each server holds the polynomials p)
• Goal: evaluate multivariate polynomials held by the servers on a point held by the client.
• Standard techniques for secure computation [BGW88, CCD88, BF90]
  • Number of servers proportional to the degree
  • Communication proportional to # of polynomials (and client’s input)
• Enhancements:
  • Protecting server privacy [GIKM98]
  • Reducing number of servers [WY05]
Protocol sketch: Shamir-shares of x; public randomness r; evaluate p_r on the shares; recover p_r(x) by interpolation
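The protocol sketch above, as an added example that is not code from the talk: a t-private client-servers evaluation of the randomized OR polynomial p_r over GF(2^8) (the AES field, an assumption; the talk only needs some extension of GF(2) with enough points), with Shamir shares of the client's input bits, per-server evaluation of p_r on its share vector, and Lagrange interpolation by the client. The function names and the server count k = t·γ + 1 are this example's own choices.

```python
import functools
import random
def gf_mul(a, b):
    # Multiply in GF(2^8) modulo x^8+x^4+x^3+x+1 (assumption: the AES field).
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return p

def gf_inv(a):
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)

def poly_or(bits, rows):
    # p_r(x) = 1 + prod_j (1 + <r_j, x>): the talk's randomized OR, degree gamma = len(rows).
    prod = 1
    for row in rows:
        s = 0
        for r, b in zip(row, bits):
            s ^= gf_mul(r, b)
        prod = gf_mul(prod, 1 ^ s)
    return 1 ^ prod

def share(secret, t, k, rng):
    # Shamir: random degree-t polynomial with constant term `secret`, Horner-evaluated at 1..k.
    coef = [secret] + [rng.randrange(256) for _ in range(t)]
    return [functools.reduce(lambda y, c: gf_mul(y, j) ^ c, reversed(coef), 0) for j in range(1, k + 1)]

def interpolate0(points):
    # Lagrange interpolation at 0 from [(j, y_j)]; subtraction is XOR in characteristic 2.
    total = 0
    for j, y in points:
        num = den = 1
        for m, _ in points:
            if m != j:
                num, den = gf_mul(num, m), gf_mul(den, m ^ j)
        total ^= gf_mul(y, gf_mul(num, gf_inv(den)))
    return total

def client_servers_eval(x, rows, t, seed=7):
    # Client: degree-t shares of each bit for k = t*gamma + 1 servers. Server j: p_r on its
    # share vector, a degree t*gamma polynomial in j. Client: interpolate the answers at 0.
    rng = random.Random(seed)
    k = t * len(rows) + 1
    shares = [share(b, t, k, rng) for b in x]
    answers = [(j + 1, poly_or([s[j] for s in shares], rows)) for j in range(k)]
    return interpolate0(answers)
```

Any t of the k answers are evaluations of degree-t sharings and so reveal nothing about x; the client needs all k points to interpolate the degree t·γ result.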
Multiparty protocols from polynomials
• Goal: evaluate multivariate polynomials known to all on distributed input and randomness.
• Standard techniques for secure computation [BGW88, CCD88, GRR98]
  • Number of parties proportional to the degree
  • Communication proportional to # of polynomials (and input length)
• Randomness:
  • Public randomness (r) independent of the inputs
  • Private randomness (ρ) should remain a secret
Roadmap: secure computation of constant-depth circuits with applications to database search problems (same figure, now with the server-private polynomials p_r^1(x,ρ), p_r^2(x,ρ), …, p_r^j(x,ρ) on servers 1, …, n)
Conclusions
• Practically feasible solutions to large scale database search problems, e.g., partial match
  • Nearly optimal communication and computation
  • Reasonable number of servers (½ log n for partial match)
  • No expensive crypto (e.g., public key operations)
  • Challenge: obtain similar protocols in the 2-party setting
  • Extend [BGN05] from degree 2 to degree log n?
• Multiparty setting:
  • Nearly optimal communication and computation for a useful class of functions (AC^0)
  • Communication almost does not grow with circuit size
  • Challenge: higher complexity classes, e.g., NC^1
Questions?
(figure: servers 1, …, n holding P_ρ^1(x,r), P_ρ^2(x,r), …; database D)