Secure Computation of the k’th Ranked Element

Post on 21-Mar-2016

  • Secure Computation of the k’th Ranked Element

    Gagan Aggarwal, Stanford University

    Joint work with Nina Mishra and Benny Pinkas, HP Labs

  • A story

    "I bet the dumbest student in Gryffindor has a higher IQ than the median IQ of all students in the school."

    "But you don't even know what the median IQ is."

    "But, what about privacy of the students."

    "We can do secure function evaluation."

    "This is all theory. It can't be efficient."

    "Let us compute it..."

  • Rising Need for Privacy

    Many opportunities of interaction between institutions and agencies holding sensitive data.

    Privacy cannot be sacrificed. I.e. different agencies might hold data which they are not allowed to share.

    A need for protocols to evaluate functions while preserving privacy of data.

  • Privacy-preserving Computation: the ideal case

    Input: x, y

    Output: F(x,y) and nothing else

    [Diagram labels: x, y, F(x,y), F(x,y)]

  • Trusted third parties are rare

    [Diagram labels: x, y, F(x,y), F(x,y)]

    Run a protocol to evaluate F(x,y) without a trusted party.

    Two kinds of adversaries:

    Semi-honest - Follows the protocol, but is curious to learn more than F(x,y).

    Malicious - Might do anything.

  • Is there anything better?

    [Diagram labels: x, y, F(x,y), F(x,y)]

    Does the trusted party scenario make sense? Are the parties motivated to submit their true inputs? Can they tolerate the disclosure of F(x,y)?

    Our goal: Implement the scenario without a trusted party.

  • Definition of security: semi-honest model

    [Diagram labels: x, y, F(x,y)]

    Protocol is secure if Bob can generate the sequence of messages exchanged from his own input y and the value of F(x,y).

  • Definition of security: malicious model

    [Diagram label: x]

    Protocol is secure if for every adversary Bob there exists an input y s.t. Bob's actions correspond to him presenting y to a trusted third party.

  • Secure Function Evaluation [Yao, GMW, BGW, CCD]

    Input: x, y

    Output: C(x,y) and nothing else

    F(x,y) - A public function. Represented as a Boolean circuit C(x,y).

    Implementation: O(|X|) oblivious transfers. O(|C|) communication.

    Pretty efficient for small circuits! e.g. Is x > y? (Millionaires' problem)

  • Some useful primitives

    Useful to have efficient solutions for simple primitives.

    Let X and Y be sets of elements:

    X Y (first talk)

    Statistics over X Y: Max, Min, Average, Median, kth-ranked element.

  • kth-ranked element

    Inputs:

    Alice: S_A, Bob: S_B. Large sets of unique items ( S).

    The rank k. Could depend on the size of input datasets. Median: k = (|S_A| + |S_B|) / 2

    Output: x S_A S_B s.t. x has k-1 elements smaller than it.

  • Motivation

    Basic statistical analysis of distributed data. E.g. histogram of salaries in all CS departments (Taulbee survey).

  • Faculty salary for top 12 CS departments (2001-2002)

  • Results

    Finding the kth ranked item (D = |domain|)

    Two-party: reduction to log k secure comparisons of log D bit numbers. log k rounds * O(log D)

    Multi-party: reduction to log D simple computations with log D bit numbers. log D rounds * O(log D)

    Also, security against malicious parties.

    Can hide the size of the datasets.

  • Related work

    Lower bound: (log D). From communication complexity.

    Generic constructions:

    Using circuits [Yao]: Overhead at least linear in k.

    Naor-Nissim: Overhead of (D).

  • An (insecure) two-party median protocol

    [Diagram labels: S_A with L_A, m_A, R_A; S_B with L_B, m_B, R_B; m_A < m_B]

    L_A lies below the median, R_B lies above the median.

    New median is same as original median.

    Recursion: Need log n rounds.

    (assume each set contains n = 2^i items)

  • Secure two-party median protocol

    A finds its median m_A.

    B finds its median m_B.

    Secure comparison (e.g. a small circuit): m_A < m_B

    YES: A deletes elements m_A. B deletes elements > m_B.

    NO: A deletes elements > m_A. B deletes elements m_B.

  • An example [figure; surviving labels: A, B, m_A > m_B, m_A]

  • Proof of security [figure; surviving labels: A, B, m_A > m_B, m_A]
  • Still to come

    Security against malicious parties.

    Adapt the median protocol for arbitrary k and arbitrary input set size.

    Hide the size of the datasets.

    kth element for multi-party scenario.

  • Security against malicious parties

    Comparisons secure against malicious parties.

    Verify that parties' inputs to comparisons are consistent. I.e., prevent:

    Round 1: m_A = 1000. Is told to delete all x > 1000.

    Round 2: m_A = 1100

    Solution: Each round sends secure state to next round (i.e., boundaries for parties' inputs). Implement reactive computation [C, CLOS]. Can implement in a single circuit.

    Efficient security against malicious parties.

  • Security against malicious parties

    [Figure, repeated over three animation frames: tree of comparisons of the form a_i < b_j, beginning with a4 < b4, with YES/NO branches.]

  • Security against malicious parties

    An adversary is fully defined by the inputs a_i it gives for each of the nodes of this tree. These (consistent) a_i's form an input x which can be used with F(x,y) to generate a transcript.

  • Arbitrary input size, arbitrary k

    [Diagram labels: S_A, S_B, k]

    Now, compute the median of two sets of size k. Size should be a power of 2.

    Median of new inputs = kth element of original inputs.

  • Hiding size of inputs

    Can search for kth element without revealing size of input sets.

    However, k = n/2 (median) reveals input size.

    Solution: Let U = 2^i be a bound on input size.

    [Diagram labels: |S_A|, |S_B|]

    Median of new datasets is same as median of original datasets.

  • The multi-party case

    Input: Party P_i has set S_i, i=1..n. (all values [a,b], where a and b are known)

    Output: kth element of S_1 S_n

    Basic Idea: Binary search on [a,b].

  • An example [figure: binary search on [a,b]; step labels: Left, Right, Right, Done; "Median found!!"]

  • The multi-party case

    Protocol: Set m = (a+b)/2. Repeat:

    P_i inputs to a secure computation L_i = # elements in S_i smaller than m, B_i = # times m appears in S_i.

    The following is computed securely:

    If L_i k,

    Else, if L_i + B_i k,

    Otherwise,

    [Diagram labels: Upper half, Lower half, Found median]

  • The multi-party case

    Can be made secure for malicious case. Using consistency checks.

    Works for two-party case.

    Can be used for non-distinct elements.

  • Summary

    Efficient secure computation of the median.

    Two-party: log k rounds * O(log D)

    Multi-party: log D rounds * O(log D)

    Communication overhead is very close to the communication complexity lower bound of log D bits.

    Malicious case is efficient too. Do not use generic tools. Instead, we implement simple consistency checks to get security against malicious parties.

  • Thanks for your attention!

  • Open Problems

    Approximation protocols for NP-hard problems.

    Clustering does not admit exact poly-time solutions. At best, hope for a protocol that computes an approximation.

    Then, comparison to a trusted party which computes the exact solution doesn't seem fair.

    Need an appropriate notion of privacy.

    Efficient solutions for more primitives.

  • Definition of security: malicious model

    [Diagram labels: Real model; Ideal model / Trusted party model; x, y, F(x,y), F(x,y); "Learns no more than"]

  • The multi-party case

    Input: Party P_i has set S_i, i=1..n. (all values [a,b], where a and b are known)

    Output: kth element of S_1 S_n

    Protocol: Set m = (a+b)/2. Repeat:

    P_i inputs to a secure computation L_i = # elements in S_i smaller than m, B_i = # times m appears in S_i.

    The following is computed securely:

    If L_i k, set b=m, m=(a+m)/2.

    Else, if L_i + B_i k, stop. kth element is m.

    Otherwise, set a=m, m=(m+b)/2.

    [Diagram labels: Right, Left, Done]

  • Definition of security: semi-honest model

    [Diagram labels: x, y, F(x,y)]

    Protocol is secure if Bob can generate the transcript from his own input y and the value of F(x,y). s.t. T is computationally indistinguishable from the actual transcript of the protocol.

  • Definition of security: malicious model

    [Diagram label: x]

    Protocol is secure if for every adversary Bob, there exists an input y s.t. Bob can generate a computationally indistinguishable transcript from this input y and the value of F(x,y).

  • Security against malicious parties

    Consistency checks ensure that: Along any execution path, a_i < a_j and b_i

  • Previous work

    Generic constructions using circuits [Yao]: Overhead at least linear in k.

    Naor-Nissim: Any function which can be computed with communication complexity of c bits can be privately computed with overhead 2^c.

    Communication complexity of median is (log D) bits. Implies overhead of D using this approach.

    For most real-world problems, especially those involving large datasets, the circuits are huge and impractical.

    Should I change it to computationally indistinguishable

    Assume distinct inputs

    Check out this overhead business

    Assume this is the sorted list of A's elements in ascending order

    Animation for a6 > a4

    Highlight execution path

    Animation for a6=a6

    Can be used for two parties.

    Consistency checks ensure security against malicious parties.
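
The two-party median protocol and the boundary check from the "Security against malicious parties" slide, as an added example that is not part of the original talk: a plaintext Python simulation in which the `Comparison` object stands in for the secure comparison and carries each party's allowed range between rounds. All names are hypothetical, and the `<=` in the deletion rule is an assumption because that operator did not survive in the transcript.

```python
# Added example: plaintext simulation of the protocol, not a secure implementation.
# Assumptions: "<=" where the slide's operator is illegible; all names are hypothetical.

class InconsistentInput(Exception):
    """A claimed median falls outside the range earlier rounds left that party."""

class Comparison:
    """Stands in for the secure comparison; `bounds` is the state passed between rounds."""
    def __init__(self):
        # Per party: [exclusive lower bound, inclusive upper bound] on values it may still hold.
        self.bounds = {p: [float("-inf"), float("inf")] for p in "AB"}

    def less_than(self, m_a, m_b):
        for party, m in (("A", m_a), ("B", m_b)):
            lo, hi = self.bounds[party]
            if not lo < m <= hi:
                raise InconsistentInput(f"{party} sent {m}, allowed range is ({lo}, {hi}]")
        if m_a < m_b:  # A will keep x > m_a, B will keep x <= m_b
            self.bounds["A"][0], self.bounds["B"][1] = m_a, m_b
            return True
        self.bounds["A"][1], self.bounds["B"][0] = m_a, m_b  # A keeps x <= m_a, B keeps x > m_b
        return False

def two_party_median(set_a, set_b, a_overrides=None):
    # Returns the n-th ranked element of the union of two n-element sets (n = 2^i, distinct
    # values). a_overrides maps a round number to the value a malicious A submits instead.
    a, b = sorted(set_a), sorted(set_b)
    n = len(a)
    if n != len(b) or n == 0 or n & (n - 1):
        raise ValueError("both sets must have the same power-of-two size")
    check, rnd = Comparison(), 0
    while len(a) > 1:
        rnd += 1
        half = len(a) // 2
        m_a, m_b = a[half - 1], b[half - 1]  # each party's local median
        m_a = (a_overrides or {}).get(rnd, m_a)
        if check.less_than(m_a, m_b):
            a, b = a[half:], b[:half]  # A drops its lower half, B its upper half
        else:
            a, b = a[:half], b[half:]  # A drops its upper half, B its lower half
    return a[0] if check.less_than(a[0], b[0]) else b[0]  # smaller survivor is the median

# Constructed sample data reusing the numbers from the slide's Round 1 / Round 2 case.
ALICE, BOB = [900, 1000, 1100, 1200], [100, 200, 300, 400]

def cheating_is_caught():
    try:
        two_party_median(ALICE, BOB, a_overrides={2: 1100})
    except InconsistentInput:
        return True
    return False
```

In the honest run Alice's round 1 median is 1000 and she is told to delete all x > 1000, so a round 2 claim of 1100 falls outside her recorded range and the run aborts.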