Title: Efficient Private Approximation Protocols
Slide 1: Efficient Private Approximation Protocols
Piotr Indyk, David Woodruff
Work in progress
Slide 2: Outline
- Private approximation of L2 distance
- Private near neighbor
- Private approximate near neighbor
Slide 3: 1. Private approximation of L2 distance
Slide 4: Secure communication
Alice: $a \in \{0,1\}^n$
Bob: $b \in \{0,1\}^n$
- Want to compute some function $F(a,b)$
- Security: protocol does not reveal anything except for the value $F(a,b)$
- Semi-honest: both parties follow protocol
- Malicious: parties are adversarial
- Efficiency: want to exchange few bits
Slide 5: Secure Function Evaluation (SFE)
- [Yao, GMW]: If $F$ is computed by circuit $C$, then $F$ can be computed securely with $\tilde{O}(|C|)$ bits of communication
- [GMW, NN]: can assume parties semi-honest
  - Semi-honest protocol can be compiled to give security against malicious parties
- Problem: circuit size at least linear in $n$
- $\tilde{O}()$ hides factors $\mathrm{poly}(k, \log n)$
Slide 6: Secure and Efficient Function Evaluation
- Can we achieve sublinear communication?
- Ideally: secure computation with communication comparable to insecure case
- With sublinear communication, many interesting problems can be solved only approximately.
- What does it mean to have a private approximation?
Slide 7: Private Approximation
- [FIMNSW01]: A protocol computing an approximation $G(a,b)$ of $F(a,b)$ is private if each party can simulate its view of the protocol given the exact value $F(a,b)$
- Note: not sufficient to simulate non-private $G(a,b)$ using SFE
- Example:
  - Define $G(a,b)$:
    - $\mathrm{bin}(G(a,b))_i = \mathrm{bin}(\Delta(a,b))_i$ if $i > 0$
    - $\mathrm{bin}(G(a,b))_0 = a_0$
  - $G(a,b)$ is a $\pm 1$-approximation of $\Delta(a,b)$, but not private
Slide 8: Concrete Pitfall: Dimension Reduction
- A basic problem: Hamming distance $\Delta(a,b)$
- Approximate decision version: with prob. $1-\delta$,
  - If $\Delta(a,b) \le r$, answer NO
  - If $\Delta(a,b) \ge r(1+\varepsilon)$, answer YES
- [Kushilevitz-Ostrovsky-Rabani98]:
  - Create $m \times n$ binary matrix $D$, where
    - $\Pr[D_{ij} = 1] = 1/(2r)$
    - for $m = O(\log(1/\delta) / \varepsilon^2)$
  - Exchange $Da$, $Db$ (mod 2)
  - Answer YES if $\mathrm{wt}(D(a-b)) > r'$, $r'$ a function of $r$, $\varepsilon$
NOTE: This protocol was not designed to be private
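Slide 9: Non-Privacy of KOR
- Let $x = a - b$. If,
  - wt(x) r,
  - $r \log n \approx m$
- then can recover $x$ from $D$, $Dx$ in $O(mn)$ time!
- Algorithm: for $j = 1 \dots n$, estimate
  - $\Pr[\langle d_i, x \rangle = 1 \mid d_{ij} = 1]$
  - $= \Pr[\langle d_i, x \rangle = 1 \wedge d_{ij} = 1] / \Pr[d_{ij} = 1]$
  - If $x_j = 1$ then $\Pr[\langle d_i, x \rangle = 1 \mid d_{ij} = 1]$ is high
  - If $x_j = 0$ then $\Pr[\langle d_i, x \rangle = 1 \mid d_{ij} = 1]$ is low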
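The leak described on this slide, as an added sketch that is not part of the original talk: Alice, who knows D and a and receives Db, forms Dx = Da XOR Db, thresholds each conditional frequency at 1/2, and rebuilds Bob's input. The parameters (n = 64, r = 8, m = 4000, the seed) are constructed, with m taken well above r log n so the frequencies are stable in a small run.

```python
import random

def sketch(D, v):
    """KOR message: D v over GF(2), one parity bit per row of D."""
    return [sum(d & c for d, c in zip(row, v)) % 2 for row in D]

def recover_x(D, Dx):
    """For each j, estimate Pr[<d_i,x> = 1 | d_ij = 1] and threshold at 1/2."""
    x_hat = []
    for j in range(len(D[0])):
        bits = [s for row, s in zip(D, Dx) if row[j] == 1]
        est = sum(bits) / len(bits) if bits else 0.0
        # x_j = 1 flips the parity of the remaining support, pushing est above 1/2;
        # x_j = 0 leaves a mostly-even parity, keeping est below 1/2.
        x_hat.append(1 if est > 0.5 else 0)
    return x_hat

def bob_input_leaks(n=64, r=8, m=4000, seed=1):
    """Alice's view (a, D, Db) suffices to rebuild Bob's b when wt(a xor b) = r."""
    rng = random.Random(seed)
    a = [rng.randrange(2) for _ in range(n)]
    b = list(a)
    for j in rng.sample(range(n), r):      # constructed input: b differs from a in r places
        b[j] ^= 1
    D = [[int(rng.random() < 1 / (2 * r)) for _ in range(n)] for _ in range(m)]
    Da, Db = sketch(D, a), sketch(D, b)    # the two exchanged messages
    Dx = [s ^ t for s, t in zip(Da, Db)]   # D(a - b) mod 2
    x_hat = recover_x(D, Dx)
    b_hat = [ai ^ xi for ai, xi in zip(a, x_hat)]
    return b, b_hat
```
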
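Slide 10: Approximating Hamming Distance
- [FIMNSW01]: A private protocol with complexity $\tilde{O}(n^{1/2}/\varepsilon)$
  - wt(x) small: compute wt(x) using $\tilde{O}(\mathrm{wt}(x))$ bits
  - wt(x) high: sample $\tilde{O}(n/\mathrm{wt}(x))$ coordinates $x_i$, estimate wt(x)
- Our result:
  - Complexity: $\tilde{O}(1/\varepsilon^2)$ bits
  - Works even for L2 norm, i.e., estimates $\|x\|_2$ for $a, b \in \{1, \dots, M\}^n$
$\tilde{O}()$ hides factors $\mathrm{poly}(k, \log n, \log M, \log 1/\varepsilon)$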
Slide 11: Crypto Tools
- SFE of circuits [Yao86]: O(circuit) communication
- Efficient SPIR or $\mathrm{OT}_1^n$
  - Alice has $A_1, \dots, A_n \in \{0,1\}^m$, Bob has $i \in [n]$
  - Goal: Bob privately learns $A_i$ and that's it
  - Can be done using $O(m)$ communication [CMS99, NP99]
- Circuits with ROM [Naor, Nissim01]
  - Standard AND/OR/NOT gates
  - Lookup gates:
    - In: $i$
    - Out: $M_{\mathrm{gate}}[i]$
  - Takes care of the security of computation
    - "begin secure" ... "end secure"
  - Can just focus on privacy of the output
Communication at most $O(m|C|)$
Slide 12: High-dimensional tools
- Random projection:
  - Take a random orthonormal $n \times n$ matrix $D$,
  - that is, $\|Dx\| = \|x\|$ for all $x$.
- There exists $c > 0$ s.t. for any $x \in \mathbb{R}^n$, $i = 1 \dots n$:
  - $\Pr[(Dx)_i^2 > \|Dx\|^2/n \cdot k] < e^{-ck}$
Slide 13: Approximating $\|a-b\|_2$
- Recall:
  - Alice has $a \in [M]^d$, Bob has $b \in [M]^d$
  - Goal: estimate $\|x\|^2$, $x = a - b$
Slide 14: Algorithm
- Alice and Bob create random orthonormal matrix $D$ such that, for each $i = 1 \dots n$:
  - $(Dx)_i^2 < k\|x\|^2/n$
- $T = M^2 n + 1$
- Repeat
  - Assertion: $\|x\|^2 \le T$
  - Invoke PRIVATESAMPLE to get $L = O(1/\varepsilon^2)$ independent bits $z_i$ such that
    - $\Pr[z_i = 1] = \|Dx\|^2/(Tk)$
  - $T = T/2$
- Until $\sum_i z_i \ge L/(4k)$
- Output $E = \sum_i z_i / L \cdot 2Tk$ as an estimate of $\|x\|^2$
- Correctness:
  - Unbiased estimator
  - High probability from Chernoff bound
SECURE!
Slide 15: PRIVATESAMPLE
Generate independent bits $z_i$ with $E[z_i] = \|Dx\|^2/(Tk)$
- $P = Tk/n$
- Pick random $t \in [n]$
- Retrieve $(Da)_t$, $(Db)_t$
- Compute $(Dx)_t = (Da)_t - (Db)_t$
- Define $v = (Dx)_t^2$
- If $v \le P$ then generate $z$ s.t. $\Pr[z = 1] = v/P$
- Else output "fail"
- Output $z$
- Correct as long as $(Dx)_i^2 < Tk/n$ for each $i = 1 \dots n$
SECURE!
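A clear-text simulation of the halving loop and PRIVATESAMPLE from the two slides above, added here as an example and not taken from the talk: it reproduces only the estimator's arithmetic and gives no privacy, since the protocol retrieves (Da)_t and (Db)_t inside the secure computation. A randomized Hadamard transform stands in for the random orthonormal D, and k, L, the seed and the power-of-two n are assumptions.

```python
import random

def rand_hadamard(x, signs):
    """D = H * diag(signs) / sqrt(n) is orthonormal, so ||Dx|| = ||x||."""
    y = [s * v for s, v in zip(signs, x)]
    h = 1
    while h < len(y):                        # fast Walsh-Hadamard butterflies
        for i in range(0, len(y), 2 * h):
            for j in range(i, i + h):
                y[j], y[j + h] = y[j] + y[j + h], y[j] - y[j + h]
        h *= 2
    return [v / len(y) ** 0.5 for v in y]

def private_sample(Dx, T, k, rng):
    """One bit z with E[z] = ||Dx||^2 / (T k); 'output fail' becomes an exception."""
    n = len(Dx)
    P = T * k / n
    v = Dx[rng.randrange(n)] ** 2            # protocol: (Da)_t, (Db)_t fetched obliviously
    if v > P:
        raise ValueError("fail: (Dx)_t^2 exceeds Tk/n")
    return 1 if rng.random() < v / P else 0

def estimate_sq_norm(a, b, M, k=8, L=20000, seed=7):
    rng = random.Random(seed)
    n = len(a)                               # assumed to be a power of two
    x = [ai - bi for ai, bi in zip(a, b)]
    norm2 = sum(v * v for v in x)            # clear-text check, demo only
    if norm2 == 0:
        return 0.0
    while True:                              # redraw D until (Dx)_i^2 <= k ||x||^2 / n
        Dx = rand_hadamard(x, [rng.choice((-1, 1)) for _ in range(n)])
        if all(v * v <= k * norm2 / n for v in Dx):
            break
    T = M * M * n + 1
    while True:
        count = sum(private_sample(Dx, T, k, rng) for _ in range(L))
        T /= 2
        if count >= L / (4 * k):
            return count / L * 2 * T * k     # 2T is the threshold this batch used
```
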
Slide 16: Algorithm, again
- Alice and Bob create random orthonormal matrix $D$ such that, for each $i = 1 \dots n$:
  - $(Dx)_i^2 < \|x\|^2/n \cdot k$
- $T = M^2 n + 1$
- Repeat
  - Assertion: $\|x\|^2 \le T$
  - Invoke PRIVATESAMPLE to get $L = O(1/\varepsilon^2)$ independent bits $z_i$ such that
    - $\Pr[z_i = 1] = \|Dx\|^2/(Tk)$
    - Works as long as $(Dx)_i^2 < Tk/n$ for each $i = 1 \dots n$
  - $T = T/2$
- Until $\sum_i z_i \ge L/(4k)$
- Output $E = \sum_i z_i / L \cdot 2Tk$ as an estimate of $\|x\|^2$
- If Assertion not true, then $\Pr[z_i = 1] > 1/(2k) \Rightarrow E[\sum_i z_i] > L/(2k) \gg L/(4k)$
Slide 17: Simulation
- SIMULATION:
  - Repeat
    - Choose $L$ independent bits $z_i$ such that
      - $\Pr[z_i = 1] = \|x\|^2/(Tk)$
    - $T = T/2$
  - Until $\sum_i z_i \ge \Omega(L/k)$
  - Output $E = \sum_i z_i / L \cdot 2Tk$ as an estimate of $\|x\|^2$
- ALGORITHM:
  - Repeat
    - Assertion: $\|x\|^2 \le T$
    - Invoke PRIVATESAMPLE to get $L$ independent bits $z_i$ such that
      - $\Pr[z_i = 1] = \|Dx\|^2/(Tk)$
    - $T = T/2$
  - Until $\sum_i z_i \ge \Omega(L/k)$
  - Output $E = \sum_i z_i / L \cdot 2Tk$ as an estimate of $\|x\|^2$
- Recall:
  - $\|Dx\| = \|x\|$
Communication: $O(1/\varepsilon^2)$
Slide 19: Private Near Neighbor
Alice: $P = \{p_1, p_2, \dots, p_n\} \subseteq \{1, 2, \dots, U\}^d = [U]^d$
Bob: $q \in [U]^d$
- Distance function $f(x,y)$
- Correctness: Bob learns $\min_i f(q, p_i)$
- Privacy: Alice learns nothing, Bob learns nothing else
- Goal: Minimize communication
Slide 20: Private Near Neighbor
- n points, dimension d, universe [U]

                 f(a,b) = sum_i f_i(a_i, b_i)   L2      Generalized Hamming   Set Difference
Previous [DA]    O(ndU)                         O(nd)   O(ndU)                O(ndU)
Our Results      O(dU + n)                      O(nd)   O(d^2 n)              O(nd)

- [DA] needs 3rd party, we don't
- Approach: homomorphic encryption + secure function evaluation (SFE)
Slide 21: Coordinate-wise distance functions
Alice: $P = \{p_1, p_2, \dots, p_n\} \subseteq [U]^d$
Bob: $q \in [U]^d$
Coordinate-wise distance functions: $f(a,b) = \sum_i f_i(a_i, b_i)$
Bob:
1. For each coordinate $j$, create a degree-$(U-1)$ polynomial $g_j(x) = \sum_i a_{i,j} x^i$ such that $g_j(u) = f_j(q_j, u)$ for all $u \in [U]$
2. Generate (SK, PK) for Paillier encryption scheme. Send PK and $E_{PK}(a_{i,j})$ for all $i, j$
Alice:
1. For all $i$, $E(\sum_j g_j(p_{i,j})) = E(f(q, p_i))$
SFE:
Inputs: Alice: $E(f(q, p_i))$; Bob: SK
1. Bob gets $\min_i D_{SK}(E(f(q, p_i)))$
Homomorphic properties: $E(x), E(y) \to E(x + y)$; $E(x), c \to E(cx)$
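The coordinate-wise protocol on this slide, added here as an example that is not from the talk: Bob interpolates each g_j and sends Paillier-encrypted coefficients, and Alice evaluates them homomorphically on her points. The toy Paillier key (two Mersenne primes, far too small for real use), the universe {1..U}, and the last step, where Bob decrypts every distance in place of the SFE minimum and therefore learns all of them, are assumptions of this sketch.

```python
import random

P_, Q_ = 2**31 - 1, 2**61 - 1        # constructed toy key: two Mersenne primes
N, N2 = P_ * Q_, (P_ * Q_) ** 2
PHI = (P_ - 1) * (Q_ - 1)

def enc(m, rng):
    """Paillier with g = N + 1: E(m) = (1 + mN) r^N mod N^2."""
    return (1 + m * N) * pow(rng.randrange(1, N), N, N2) % N2

def dec(c):
    return (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N

def interpolate(values):
    """Coefficients a_0..a_{U-1} mod N of g with g(u) = values[u-1] for u = 1..U."""
    U = len(values)
    coeffs = [0] * U
    for u in range(1, U + 1):
        basis, denom = [1], 1
        for w in range(1, U + 1):
            if w != u:                   # basis *= (x - w), denom *= (u - w)
                basis = [(hi - w * lo) % N for lo, hi in zip(basis + [0], [0] + basis)]
                denom = denom * (u - w) % N
        scale = values[u - 1] * pow(denom, -1, N) % N
        coeffs = [(c + scale * t) % N for c, t in zip(coeffs, basis)]
    return coeffs

def eval_encrypted(enc_coeffs, p):
    """E(g(p)) = prod_i E(a_i)^(p^i), using E(x)E(y) = E(x+y) and E(x)^c = E(cx)."""
    c = 1
    for i, ec in enumerate(enc_coeffs):
        c = c * pow(ec, p ** i, N2) % N2
    return c

def nearest_distance(q, points, U, f=lambda a, b: (a - b) ** 2, seed=5):
    rng = random.Random(seed)
    # Bob -> Alice: encrypted coefficients of g_j, one polynomial per coordinate of q
    enc_polys = [[enc(a, rng) for a in interpolate([f(qj, u) for u in range(1, U + 1)])]
                 for qj in q]
    enc_dists = []
    for p in points:                     # Alice: E(f(q, p_i)) = prod_j E(g_j(p_ij))
        c = 1
        for poly, pj in zip(enc_polys, p):
            c = c * eval_encrypted(poly, pj) % N2
        enc_dists.append(c)
    # Stand-in for the SFE min step: decrypting every value here is NOT private.
    return min(dec(c) for c in enc_dists)
```
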
Slide 22: Generic distance functions
- Security:
  1. Replace SFE with oracle
  2. Alice: view indistinguishable from PK, $E(0), E(0), \dots, E(0)$ ($E$ semantically secure)
  3. Bob: view is just the output
- Efficiency:
  1. Send polynomials: $O(dU)$
  2. SFE: $O(n)$ (simple circuit)
Slide 23: Private Near Neighbor
- n points, dimension d, universe [U]

                 Pointwise distance   L2      Generalized Hamming   Set Difference
Previous [DA]    O(ndU)               O(nd)   O(ndU)                O(ndU)
Our Results      O(dU + n)            O(nd)   O(d^2 n)              O(nd)

(homomorphic tricks)
- Alice: $x_1, \dots, x_n \in \{0,1\}^d$, Bob: $y_1, \dots, y_n \in \{0,1\}^d$, threshold $t$
- Bob gets all $x_i$ s.t. $\Delta(x_i, y_j) < t$ for some $j$
- Communication $O(n^2 + nd^2)$. Resolves open question of [FNP04]
- [FNP04] achieve O((d choose t)nt); may be superpolynomial in n
Slide 24: 3. Private Approximate Near Neighbor
Slide 25: Private Near Neighbor
- Drawback: Protocols depend linearly on the number of points n
- Necessary? Not if algebraically homomorphic E exists
- Our approach: solve the approximate problem
Slide 26: Private c-Approximate Near Neighbor
Alice has $P = \{p_1, \dots, p_n\} \subseteq \{0,1\}^d$, Bob has $q \in \{0,1\}^d$
Notation: $P_r = P \cap B(q, r)$
Correctness: $P_r$ nonempty $\Rightarrow$ Bob learns some element of $P_{cr}$
Privacy: Bob's view simulatable given $q$ and $P_{cr}$
[Figure: $P_r$ and $P_{cr}$]
Slide 27: Private Approximate Near Neighbor
- Definition remarks:
  - Privacy: Don't care what Bob gets as long as it follows from $P_{cr}$ $\Rightarrow$ simulator gets $P_{cr}$
  - Correctness: Don't specify anything if $P_r$ empty, but view still simulatable
- Our results:
  - $O(n^{1/2} d)$
  - If Bob just wants some coordinate of an element of $P_{cr}$, then improve to $O(n^{1/2}\,\mathrm{polylog}(d))$
Slide 28: Private Approximate Near Neighbor
- Two approaches:
  1. Dimensionality Reduction in Hamming Cube [KOR98]
  2. Locality Sensitive Hashing [IM98]
This talk: protocol using 1
Slide 29: Dimensionality Reduction
- [KOR]: Let $A$ be a random $m \times d$ binary matrix,
  - $m = O(\log d / \varepsilon^2)$
- Then there is a separator $r'$ s.t. with probability $1 - 1/n^2$, for any $p, q \in \{0,1\}^d$:
  1. $\Delta(p,q) > cr \Rightarrow \Delta(Ap, Aq) > r'$
  2. $\Delta(p,q) \le r \Rightarrow \Delta(Ap, Aq) < r'$
Idea: Alice
1. Applies $A$ to $P$ $\Rightarrow$ dimension small
2. Enumerates all $w \in \{0,1\}^m$, forms array $B[w] = \{p \in P \text{ s.t. } \Delta(Ap, w) < r'\}$
3. Use Oblivious ROM
Slide 30: Dimensionality reduction protocol
Protocol:
1. Randomly sample $O(n^{1/2})$ points $P_1$. If $|P_{cr}| > n^{1/2}$, then $P_1 \cap P_{cr} \neq \emptyset$, w.h.p.
[Figure: $P_{cr}$]
2. Agree on $k$ matrices $A_1, \dots, A_k$
3. Create array $B_i$ based on $A_i$
4. $B_i[p']$ contains any $n^{1/2}$ points $p \in P$ s.t. $\Delta(A_i p, p') < r'$
5. Alice sets ROM to be the $B_i$'s
6. If $P_1 \cap P_{cr} \neq \emptyset$, SFE outputs a random element of $P_1$. Otherwise, SFE uses $\bigcup_i B_i[A_i q]$ to output a random element of $P_r$
Slide 31: Dimensionality Reduction Analysis
- Properties:
  1. If $|P_{cr}| > n^{1/2}$, we output random element of $P_{cr}$, w.h.p.
  2. If $|P_{cr}| < n^{1/2}$, by properties of $A$, for any $p \in P_r$,
     - $\Pr_A[\forall p \in P_r,\ \Delta(Ap, Aq) < r' \text{ and } \forall p \in P_{cr},\ \Delta(Ap, Aq) > r'] > 1 - 1/n$
  3. Since bucket size is $n^{1/2}$ and $|P_{cr}| < n^{1/2}$, $p \in B_i[A_i q]$, $P_r \subseteq \bigcup_i B_i[A_i q]$
- Correctness:
  - If $|P_{cr}| > n^{1/2}$, output element from $P_{cr}$
  - Else output an element from $P_r$
Slide 32: Dimensionality Reduction Analysis
- Simulatability:
  - Output either a random element of $P_{cr}$, or a random element of $P_r$
- Communication:
  1. Sampling $O(n^{1/2})$ elements to ensure $|P_{cr}| < n^{1/2}$
  2. OT on $O(1)$ buckets of size $n^{1/2}$
  - Thus, balanced steps 1 and 2: $O(d n^{1/2})$ total communication
Slide 33: Dimensionality Reduction Analysis
- Dependence on d:
  1. Homomorphic encryption: $O(d\, n^{1/2})$
     1. Bob sends $E(q_1), \dots, E(q_d)$
     2. Alice computes $E(\Delta(p_i, q))$
        - Uses these for sampling and bucketing
  2. Reduce to $O(\mathrm{polylog}(d)\, n^{1/2})$ if Bob just wants a coordinate of point in $P_{cr}$: use approximations
Slide 34: Conclusions
- Extensions: Can achieve $O(n^{1/3} d)$ communication if you allow the protocol to leak $k$ bits of information
- Open problems:
  1. Polylogarithmic Private Approximation of other distances
  2. More efficient protocols for exact near neighbor.
     - Tricks for PIR may be useful
  3. Polylogarithmic c-approx NN protocol