Efficient Private Approximation Protocols - PowerPoint PPT Presentation

Provided by: pio746
Learn more at: http://web.mit.edu
1
Efficient Private Approximation Protocols
Piotr Indyk, David Woodruff
Work in progress
2
Outline
  1. Private approximation of L2 distance
  2. Private near neighbor
  3. Private approximate near neighbor

3
1. Private approximation of L2 distance
4
Secure communication
Alice: $a \in \{0,1\}^n$
Bob: $b \in \{0,1\}^n$
  • Want to compute some function $F(a,b)$
  • Security: protocol does not reveal anything
    except for the value $F(a,b)$
  • Semi-honest: both parties follow protocol
  • Malicious: parties are adversarial
  • Efficiency: want to exchange few bits

5
Secure Function Evaluation (SFE)
  • [Yao, GMW]: If $F$ is computed by circuit $C$, then $F$
    can be computed securely with $O(|C|)$ bits of
    communication
  • [GMW, NN]: can assume parties semi-honest
  • Semi-honest protocol can be compiled to give
    security against malicious parties
  • Problem: circuit size at least linear in $n$
  • $O(\cdot)$ hides factors $\mathrm{poly}(k, \log n)$

6
Secure and Efficient Function Evaluation
  • Can we achieve sublinear communication?
  • Ideally: secure computation with communication
    comparable to insecure case
  • With sublinear communication, many interesting
    problems can be solved only approximately.
  • What does it mean to have a private approximation?

7
Private Approximation
  • [FIMNSW01]: A protocol computing an
    approximation $G(a,b)$ of $F(a,b)$ is private if
    each party can simulate its view of the protocol
    given the exact value $F(a,b)$
  • Note: not sufficient to simulate non-private
    $G(a,b)$ using SFE
  • Example:
  • Define $G(a,b)$:
  • $\mathrm{bin}(G(a,b))_i = \mathrm{bin}(\Delta(a,b))_i$ if $i > 0$
  • $\mathrm{bin}(G(a,b))_0 = a_0$
  • $G(a,b)$ is a $\pm 1$-approximation of $\Delta(a,b)$, but not
    private

8
Concrete Pitfall Dimension Reduction
  • A basic problem: Hamming distance $\Delta(a,b)$
  • Approximate decision version: with prob. $1-\delta$,
  • If $\Delta(a,b) \le r$, answer NO
  • If $\Delta(a,b) \ge r(1+\epsilon)$, answer YES
  • [Kushilevitz-Ostrovsky-Rabani98]:
  • Create $m \times n$ binary matrix $D$, where
  • $\Pr[D_{ij} = 1] = 1/(2r)$
  • for $m = O(\log(1/\delta) / \epsilon^2)$
  • Exchange $Da$, $Db$ (mod 2)
  • Answer YES if $\mathrm{wt}(D(a-b)) > r'$, $r'$ a function of $r$, $\epsilon$

NOTE: This protocol was not designed to be private
9
Non-Privacy of KOR
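  • Let $x = a + b$. If
  • $\mathrm{wt}(x) = r$,
  • $r \log n \approx m$
  • then can recover $x$ from $D$, $Dx$ in $O(mn)$ time!
  • Algorithm: for $j = 1 \ldots n$, estimate
  • $\Pr[\langle d_i, x \rangle = 1 \mid d_{ij} = 1]$
  • $= \Pr[\langle d_i, x \rangle = 1 \wedge d_{ij} = 1] / \Pr[d_{ij} = 1]$
  • If $x_j = 1$ then $\Pr[\langle d_i, x \rangle = 1 \mid d_{ij} = 1]$ is high
  • If $x_j = 0$ then $\Pr[\langle d_i, x \rangle = 1 \mid d_{ij} = 1]$ is low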
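
The estimate on this slide, run end to end as an added example (not code from the presentation): it shows that a party who sees D and Dx learns x itself, not just the approximate distance. The function names, the parameters n = 4096, r = 4, m = 2400 and the 1/2 decision threshold are assumptions chosen for the demonstration.

```python
import random

def kor_sketch(x, n, m, log2_inv_p, rng):
    """Rows d_i of D as n-bit ints with Pr[D_ij = 1] = 2**-log2_inv_p, plus Dx mod 2."""
    rows, sketch = [], []
    for _ in range(m):
        d = rng.getrandbits(n)
        for _ in range(log2_inv_p - 1):
            d &= rng.getrandbits(n)      # AND of t uniform words: each bit is 1 w.p. 2**-t
        rows.append(d)
        sketch.append(bin(d & x).count("1") & 1)   # <d_i, x> mod 2
    return rows, sketch

def recover(rows, sketch, n):
    """Per-coordinate estimate of Pr[<d_i,x> = 1 | d_ij = 1], thresholded at 1/2.

    With p = Pr[D_ij = 1] and w = wt(x), the conditional probability is
    (1 + (1-2p)**(w-1)) / 2 > 1/2 when x_j = 1 and (1 - (1-2p)**w) / 2 < 1/2
    when x_j = 0, so 1/2 separates the two cases without knowing w."""
    hits = [0] * n    # rows with d_ij = 1
    ones = [0] * n    # of those, rows whose sketch bit is 1
    for d, y in zip(rows, sketch):
        while d:
            low = d & -d                 # lowest set bit of the row
            j = low.bit_length() - 1
            hits[j] += 1
            ones[j] += y
            d ^= low
    return sum(1 << j for j in range(n) if 2 * ones[j] > hits[j])

def demo(seed=1):
    # Constructed parameters: n = 4096, wt(x) = r = 4, Pr[D_ij = 1] = 1/(2r) = 1/8,
    # m = 2400 rows (a generous constant times r log n, still below n).
    rng = random.Random(seed)
    n, r, m = 4096, 4, 2400
    x = sum(1 << j for j in rng.sample(range(n), r))
    rows, sketch = kor_sketch(x, n, m, 3, rng)
    return x, recover(rows, sketch, n)
```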

10
Approximating Hamming Distance
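  • [FIMNSW01]: A private protocol with complexity
    $O(n^{1/2}/\epsilon)$
  • $\mathrm{wt}(x)$ small: compute $\mathrm{wt}(x)$ using $O(\mathrm{wt}(x))$ bits
  • $\mathrm{wt}(x)$ high: sample $O(n/\mathrm{wt}(x))$ $x_i$, estimate $\mathrm{wt}(x)$
  • Our result:
  • Complexity $O(1/\epsilon^2)$ bits
  • Works even for $L_2$ norm, i.e., estimates $\|x\|^2$
    for $a, b \in \{1 \ldots M\}^n$

$O(\cdot)$ hides factors $\mathrm{poly}(k, \log n, \log M, \log 1/\epsilon)$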
11
Crypto Tools
  • SFE of circuits [Yao86]: $O(|\mathrm{circuit}|)$
    communication
  • Efficient SPIR or $\mathrm{OT}^n_1$
  • Alice has $A[1] \ldots A[n] \in \{0,1\}^m$, Bob has $i \in [n]$
  • Goal: Bob privately learns $A[i]$ and that's it
  • Can be done using $O(m)$ communication [CMS99,
    NP99]
  • Circuits with ROM [Naor, Nissim01]:
  • Standard AND/OR/NOT gates
  • Lookup gates:
  • In: $i$
  • Out: $M_{gate}[i]$
  • Takes care of the security of computation
  • begin secure end secure
  • Can just focus on privacy of the output

Communication at most $O(m|C|)$
12
High-dimensional tools
  • Random projection:
  • Take a random orthonormal $n \times n$ matrix $D$,
  • that is, $\|Dx\| = \|x\|$ for all $x$.
  • There exists $c > 0$ s.t. for any $x \in \mathbb{R}^n$, $i = 1 \ldots n$:
  • $\Pr[(Dx)_i^2 > \|Dx\|^2/n \cdot k] < e^{-ck}$

13
Approximating $\|a-b\|^2$
  • Recall:
  • Alice has $a \in [M]^d$, Bob has $b \in [M]^d$
  • Goal: estimate $\|x\|^2$, $x = a - b$

14
Algorithm
  • Alice and Bob create random orthonormal matrix $D$
    such that, for each $i = 1 \ldots n$:
  • $(Dx)_i^2 < k\|x\|^2/n$
  • $T = M^2 n + 1$
  • Repeat
  • Assertion: $\|x\|^2 \le T$
  • Invoke PRIVATESAMPLE to get $L = O(1/\epsilon^2)$
    independent bits $z_i$ such that
  • $\Pr[z_i = 1] = \|Dx\|^2/(Tk)$
  • $T = T/2$
  • Until $\sum_i z_i \ge L/(4k)$
  • Output $E = \sum_i z_i / L \cdot 2Tk$ as an estimate of $\|x\|^2$
  • Correctness:
  • Unbiased estimator
  • High probability from Chernoff bound

SECURE!
15
PRIVATESAMPLE
Generate independent bits $z_i$ with $E[z_i] = \|Dx\|^2/(Tk)$
  • $P = Tk/n$
  • Pick random $t \in [n]$
  • Retrieve $(Da)_t$, $(Db)_t$
  • Compute $(Dx)_t = (Da)_t - (Db)_t$
  • Define $v = (Dx)_t^2$
  • If $v \le P$ then generate $z$ s.t. $\Pr[z = 1] = v/P$
  • Else output fail
  • Output $z$
  • Correct as long as $(Dx)_i^2 < Tk/n$ for each $i = 1 \ldots n$

SECURE!
16
Algorithm, again
  • Alice and Bob create random orthonormal matrix
    $D$ such that, for each $i = 1 \ldots n$:
  • $(Dx)_i^2 < \|x\|^2/n \cdot k$
  • $T = M^2 n + 1$
  • Repeat
  • Assertion: $\|x\|^2 \le T$
  • Invoke PRIVATESAMPLE to get $L = O(1/\epsilon^2)$
    independent bits $z_i$ such that
  • $\Pr[z_i = 1] = \|Dx\|^2/(Tk)$
  • Works as long as $(Dx)_i^2 < Tk/n$ for each $i = 1 \ldots n$
  • $T = T/2$
  • Until $\sum_i z_i \ge L/(4k)$
  • Output $E = \sum_i z_i / L \cdot 2Tk$ as an estimate of $\|x\|^2$
  • If Assertion not true, then $\Pr[z_i = 1] > 1/(2k) \Rightarrow E[\sum_i z_i] > L/(2k) \gg L/(4k)$

17
Simulation
  • SIMULATION
  • Repeat
  • Choose $L$ independent bits $z_i$ such that
  • $\Pr[z_i = 1] = \|x\|^2/(Tk)$
  • $T = T/2$
  • Until $\sum_i z_i \ge \Omega(L/k)$
  • Output $E = \sum_i z_i / L \cdot 2Tk$ as an estimate of $\|x\|^2$
  • ALGORITHM
  • Repeat
  • Assertion: $\|x\|^2 \le T$
  • Invoke PRIVATESAMPLE to get $L$ independent bits $z_i$
    such that
  • $\Pr[z_i = 1] = \|Dx\|^2/(Tk)$
  • $T = T/2$
  • Until $\sum_i z_i \ge \Omega(L/k)$
  • Output $E = \sum_i z_i / L \cdot 2Tk$ as an estimate of $\|x\|^2$
  • Recall:
  • $\|Dx\| = \|x\|$

Communication $O(1/\epsilon^2)$
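
An added sketch, not from the presentation, of the estimation loop, PRIVATESAMPLE and the simulator from the preceding slides, run in the clear with no cryptography; the simulator reuses the same loop but sees only the squared norm. Assumptions: D is a randomized Hadamard transform standing in for the random orthonormal matrix (n must be a power of two), and the T >= 0.5 guard, the function names and the sample vectors are constructed here.

```python
import random

def randomized_hadamard(x, rng):
    """D x for D = H diag(s) / sqrt(n), s random signs: D is orthonormal, ||Dx|| = ||x||."""
    v = [xi * rng.choice((-1, 1)) for xi in x]
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                v[j], v[j + h] = v[j] + v[j + h], v[j] - v[j + h]
        h *= 2
    return [c / len(v) ** 0.5 for c in v]

def private_sample(dx, T, k, rng):
    """PRIVATESAMPLE in the clear: one bit z with E[z] = ||Dx||^2 / (T k)."""
    n = len(dx)
    P = T * k / n
    t = rng.randrange(n)            # protocol: t is chosen inside the secure circuit
    v = dx[t] ** 2                  # protocol: (Da)_t - (Db)_t via ROM lookups
    if v > P:
        raise ValueError("fail: (Dx)_t^2 exceeds Tk/n")
    return rng.random() < v / P

def halving_loop(draw_bit, T, k, L):
    """The Repeat / T = T/2 / Until loop, shared by the algorithm and its simulator."""
    while T >= 0.5:                 # added guard: with integer inputs only x = 0 gets here
        ones = sum(draw_bit(T) for _ in range(L))
        T /= 2
        if ones >= L / (4 * k):
            return ones / L * 2 * T * k
    return 0.0

def protocol_estimate(a, b, M, k, L, seed):
    rng = random.Random(seed)
    dx = randomized_hadamard([ai - bi for ai, bi in zip(a, b)], rng)
    return halving_loop(lambda T: private_sample(dx, T, k, rng), M * M * len(a) + 1, k, L)

def simulator_estimate(norm_sq, n, M, k, L, seed):
    """Simulator: sees only ||x||^2 and draws bits with Pr[z = 1] = ||x||^2 / (T k)."""
    rng = random.Random(seed)
    return halving_loop(lambda T: rng.random() < norm_sq / (T * k), M * M * n + 1, k, L)

# Constructed inputs: n = 64, M = 100, a and b differ in 8 coordinates, ||a - b||^2 = 3975.
DIFFS = [30, -20, 10, 5, -40, 15, 25, -10]
B_VEC = [50] * 64
A_VEC = [bv + dv for bv, dv in zip(B_VEC, DIFFS + [0] * 56)]
```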
18
  • 2. Private near neighbor

19
Private Near Neighbor
Alice: $P = p_1, p_2, \ldots, p_n \in \{1, 2, \ldots, U\}^d = [U]^d$
Bob: $q \in [U]^d$
  • Distance function $f(x,y)$
  • Correctness: Bob learns $\min_i f(q, p_i)$
  • Privacy: Alice learns nothing, Bob learns
    nothing else
  • Goal: Minimize communication

20
Private Near Neighbor
  • n points, dimension d, universe U

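|               | $f(a,b) = \sum_i f_i(a_i, b_i)$ | $L_2$  | Generalized Hamming | Set Difference |
|---------------|---------------------------------|--------|---------------------|----------------|
| Previous [DA] | O(ndU)                          | O(nd)  | O(ndU)              | O(ndU)         |
| Our Results   | $O(dU + n)$                     | O(nd)  | $O(d^2 + n)$        | O(nd)          |

  • [DA] needs 3rd party, we don't
  • Approach: homomorphic encryption
  • secure function evaluation
    (SFE)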

21
Coordinate-wise distance functions
Alice: $P = p_1, p_2, \ldots, p_n \in [U]^d$
Bob: $q \in [U]^d$
Coordinate-wise distance functions:
$f(a,b) = \sum_i f_i(a_i, b_i)$
Bob:
  1. For each coordinate, create a degree-$(U-1)$ polynomial $g_j(x) = \sum_i a_{i,j} x^i$ such that $g_j(u) = f_j(q_j, u)$ for all $u \in [U]$
  2. Generate (SK, PK) for Paillier Encryption scheme. Send PK and $E_{PK}(a_{i,j})$ for all $i, j$
Alice:
  1. For all $i$, $E(\sum_j g_j(p_{i,j})) = E(f(q, p_i))$
SFE:
  Inputs: Alice - $E(f(q, p_i))$, Bob - SK
  1. Bob gets $\min_i D_{SK}(E(f(q, p_i)))$
$E(x), E(y) \to E(x + y)$; $E(x), c \to E(cx)$
22
Generic distance functions
  • Security: 1. Replace SFE with oracle
  • 2. Alice: View indistinguishable
    from PK,
  • $E(0), E(0), \ldots, E(0)$ ($E$
    semantically secure)
  • 3. Bob: View just output
  • Efficiency: 1. Send polynomials: $O(dU)$
  • 2. SFE: $O(n)$ (simple
    circuit)
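
The coordinate-wise protocol from the previous slide as an added example (not the authors' code): Bob interpolates and encrypts the polynomial coefficients, and Alice evaluates them under encryption using only the two homomorphic operations. Assumptions: a toy Paillier key built from two small Mersenne primes, universe {0, ..., U-1}, and direct decryption by Bob standing in for the SFE step; all names and sample points are constructed here.

```python
import random
from math import gcd

# Toy Paillier key from two Mersenne primes (constructed, far too small for real use).
P1, P2 = 2**31 - 1, 2**61 - 1
N, N2 = P1 * P2, (P1 * P2) ** 2
LAM = (P1 - 1) * (P2 - 1) // gcd(P1 - 1, P2 - 1)   # SK
MU = pow(LAM, -1, N)

def enc(m, rng):
    return pow(1 + N, m % N, N2) * pow(rng.randrange(1, N), N, N2) % N2

def dec(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

def interpolate(values):
    """Coefficients mod N of the degree-(U-1) polynomial g with g(u) = values[u]."""
    coeffs = [0] * len(values)
    for u, y in enumerate(values):
        basis, denom = [1], 1
        for w in range(len(values)):
            if w != u:                      # multiply the Lagrange basis by (X - w)
                basis = [(hi - w * lo) % N for lo, hi in zip(basis + [0], [0] + basis)]
                denom = denom * (u - w) % N
        scale = y * pow(denom, -1, N) % N
        coeffs = [(c + scale * b) % N for c, b in zip(coeffs, basis)]
    return coeffs

def bob_message(q, f, U, rng):
    """Bob: E_PK(a_{i,j}) for every coefficient of g_j, where g_j(u) = f(q_j, u)."""
    return [[enc(a, rng) for a in interpolate([f(qj, u) for u in range(U)])] for qj in q]

def alice_distances(enc_coeffs, points):
    """Alice: E(f(q, p)) per point, using E(x)E(y) = E(x+y) and E(x)^c = E(cx)."""
    out = []
    for p in points:
        acc = 1                             # trivial encryption of 0
        for coeffs, pj in zip(enc_coeffs, p):
            for i, c in enumerate(coeffs):
                acc = acc * pow(c, pj ** i, N2) % N2
        out.append(acc)
    return out

def demo(seed=5):
    rng = random.Random(seed)
    q, points = (3, 0, 2), [(1, 1, 1), (3, 0, 0), (0, 2, 2)]   # constructed, U = 4
    cts = alice_distances(bob_message(q, lambda a, b: (a - b) ** 2, 4, rng), points)
    return [dec(c) for c in cts]     # stands in for the SFE step, which reveals only the min
```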

23
Private Near Neighbor
  • n points, dimension d, universe U

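|               | Pointwise distance | $L_2$  | Generalized Hamming | Set Difference |
|---------------|--------------------|--------|---------------------|----------------|
| Previous [DA] | O(ndU)             | O(nd)  | O(ndU)              | O(ndU)         |
| Our Results   | $O(dU + n)$        | O(nd)  | $O(d^2 + n)$        | O(nd)          |

(homomorphic tricks)
  • Alice: $x_1, \ldots, x_n \in \{0,1\}^d$, Bob: $y_1, \ldots, y_n \in \{0,1\}^d$,
    Threshold $t$
  • Bob gets all $x_i$ s.t. $\Delta(x_i, y_j) < t$ for some $j$
  • Communication $O(n^2 + nd^2)$. Resolves open
    question of [FNP04]
  • [FNP04] achieve O((d choose t)nt) $\Rightarrow$ May be
    superpolynomial in $n$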

24
  • 3. Private Approximate Near Neighbor

25
Private Near Neighbor
  • Drawback: Protocols depend linearly on number of points $n$
  • Necessary? Not if algebraically homomorphic $E$
    exists
  • Our approach: solve the approximate problem

26
Private c-Approximate Near Neighbor
Alice has $P = p_1, \ldots, p_n \in \{0,1\}^d$, Bob has $q \in \{0,1\}^d$
Notation: $P_r = P \cap B(q, r)$
Correctness: $P_r$ nonempty $\Rightarrow$ Bob learns some element of $P_{cr}$
Privacy: Bob's view simulatable given $q$ and $P_{cr}$
[Figure labels: $P_{cr}$, $P_r$]
27
Private Approximate Near Neighbor
  • Definition Remarks:
  • Privacy: Don't care what Bob gets as long as it
    follows from $P_{cr}$ $\Rightarrow$ Simulator gets $P_{cr}$
  • Correctness: Don't specify anything if $P_r$ empty,
    but view still simulatable
  • Our results:
  • - $O(n^{1/2} d)$
  • - If Bob just wants some coordinate of an
    element of $P_{cr}$, then improve to $O(n^{1/2}\,\mathrm{polylog}(d))$

28
Private Approximate Near Neighbor
  • Two approaches:
  • 1. Dimensionality Reduction in Hamming Cube
    [KOR98]
  • 2. Locality Sensitive Hashing [IM98]

This talk: protocol using 1
29
Dimensionality Reduction
  • [KOR]: Let $A$ be random $m \times d$ binary matrix,
  • $m = O(\log d / \epsilon^2)$
  • Then there is a separator $r'$ s.t. with
    probability $1 - 1/n^2$, for any $p, q \in \{0,1\}^d$:
  • 1. $\Delta(p,q) > cr \Rightarrow \Delta(Ap, Aq) > r'$
  • 2. $\Delta(p,q) \le r \Rightarrow \Delta(Ap, Aq) < r'$

Idea: Alice
  1. Applies $A$ to $P$ $\Rightarrow$ dimension small
  2. Enumerates all $w \in \{0,1\}^m$, forms array $B[w] = \{p \in P$ s.t. $\Delta(Ap, w) < r'\}$
  3. Use Oblivious ROM
30
Dimensionality reduction protocol
Protocol
  • 1. Randomly sample $O(n^{1/2})$ points $P_1$.
    If $|P_{cr}| > n^{1/2}$, then $P_1 \cap P_{cr} \ne \emptyset$, w.h.p.
  • 2. Agree on $k$ matrices $A_1, \ldots, A_k$
  • 3. Create array $B_i$ based on $A_i$
  • 4. $B_i[p']$ contains any $n^{1/2}$ points $p \in P$ s.t.
    $\Delta(A_i p, p') < r'$
  • 5. Alice sets ROM to be the $B_i$'s
  • 6. If $P_1 \cap P_{cr} \ne \emptyset$, SFE outputs a random
    element of $P_1$. Otherwise, SFE uses $\cup_i B_i[A_i q]$
    to output a random element of $P_r$
31
Dimensionality Reduction Analysis
  • Properties:
  • 1. If $|P_{cr}| > n^{1/2}$, we output random element
    of $P_{cr}$, w.h.p.
  • 2. If $|P_{cr}| < n^{1/2}$, by properties of $A$, for
    any $p \in P_r$,
  • $\Pr_A[\forall p \in P_r, \Delta(Ap, Aq) < r'$ and $\forall p \in P_{cr},
    \Delta(Ap, Aq) > r'] > 1 - 1/n$
  • 3. Since bucket size is $n^{1/2}$ and $|P_{cr}| < n^{1/2}$,
    $p \in B_i[A_i q]$, $P_r \subseteq \cup_i B_i[A_i q]$
  • Correctness:
  • If $|P_{cr}| > n^{1/2}$, output element from $P_{cr}$
  • Else output an element from $P_r$

32
Dimensionality Reduction Analysis
  • Simulatability:
  • Output either a random element of $P_{cr}$, or a
    random element of $P_r$
  • Communication:
  • 1. Sampling $O(n^{1/2})$ elements to ensure
    $|P_{cr}| < n^{1/2}$
  • 2. OT on $O(1)$ buckets of size $n^{1/2}$
  • Thus, balanced steps 1, 2: $O(d\,n^{1/2})$ total
    communication

33
Dimensionality Reduction Analysis
  • Dependence on $d$:
  • 1. Homomorphic encryption: $O(d\,n^{1/2})$
  • 1. Bob sends $E(q_1), \ldots, E(q_d)$
  • 2. Alice computes $E(\Delta(p_i, q))$
  • - Uses these for sampling and
    bucketing
  • 2. Reduce to $O(\mathrm{polylog}(d)\,n^{1/2})$ if Bob
    just wants a coordinate of point in $P_{cr}$: use
    approximations

34
Conclusions
  • Extensions: Can achieve $O(n^{1/3} d)$ communication
    if you allow the protocol to leak $k$ bits of
    information
  • Open problems:
  • 1. Polylogarithmic private approximation of
    other distances
  • 2. More efficient protocols for exact near
    neighbor.
  • Tricks for PIR may be useful
  • 3. Polylogarithmic c-approx NN protocol