1 / 26

How Should We Solve Search Problems Privately?

How Should We Solve Search Problems Privately?. Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb. Secure Function Evaluation. [Yao,GMW,BGW,…] n players with private inputs x 1 ,…,x n Can compute any function f() over their private inputs No information beyond f() is leaked

aleron
Download Presentation

How Should We Solve Search Problems Privately?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb

  2. Secure Function Evaluation [Yao,GMW,BGW,…] • n players with private inputs x1,…,xn • Can compute any function f() over their private inputs • No information beyond f() is leaked • SFE tells • HOW to compute f() • But not • Whatf() to compute CRYPTO 2007

  3. A Client-Server Setting • SFE reduces many of the general cases to the client-server setting Server Client G CRYPTO 2007

  4. WHAT should we compute? • Server must/is willing to reveal a function f() of the data • Secure function evaluation: Reveal f(), but no other information • ??? • Server should preserve individual privacy • Private data analysis: (rand) functions f() satisfying differential privacy CRYPTO 2007

  5. In Between (1) • Server must/is willing to reveal a function f() of the data • But… Computing f() is inefficient or intractable • And, an efficient approx f*() exists • Idea: Use SFE to compute an approx f*() to f() CRYPTO 2007

  6. G What Can Go Wrong? [FIMNSW01] • Server holds a graph G • Client asks for size of min VC fvc(G) • Approx: fvc*(G) = 2MaxMatch(G) Hmmm... fVC2 2 2MaxMatch2 4 CRYPTO 2007

  7. Private Approximations [FIMNSW01] • Require:f*(G) simulatable given f(G) • Hence approximation does not leak more information than exact computation • Implied:f(G) = f(G’)  f*(G) ≈ f*(G’) • Sometimes feasible: • Hamming distance [FIMNSW01, IW06] • Permanent [FIMNSW01] • Sometimes not feasible: • fVC not privately approx within ratio n1-ε [HKKN01] • Approx feasible with a small leakage CRYPTO 2007

  8. In Between (2) • Server must/is willing to solve a search problem over the data • Idea: Use SFE to compute a solution? • Or an approximate solution CRYPTO 2007

  9. 4 4 5 5 1 1 2 2 3 3 G What Can Go Wrong? [BCNW06] • Server holds a graph G • Client asks for VC(G) • Approx: A*VC(G) = MaxMatch(G) Hmmm... VC{2} {2} A*VC{2,3} {2,1} CRYPTO 2007

  10. CRYPTO 2007

  11. Private Algorithms [BCNW06] R – Equivalence Relation over {0,1}* • E.g. G1 ≈ G2 if VC(G1) = VC(G2) Algorithm A is private with respect toR if: A( ) A( ) ≈ x x y y CRYPTO 2007

  12. Is Private Search Good? Too strong: • VC does not admit private search approx algs • Even with a significant relaxation [BCNW06,BHN07] • If NP not in P/poly, there is a search problem in P that has no polynomial time private algorithm [BCNW06] Too weak: • A private search algorithm may reveal all the solutions • Does not rule out simple ways of plausible leakage CRYPTO 2007

  13. Some Possible Weaknesses • Randomized Algorithms:  More solutions learned by repeated querying  Fuzziness • Deterministic Algorithms:  Repeated querying ineffective  Definite information learned • Can we get the best of both worlds? CRYPTO 2007

  14. Framework: Seeded Algorithms • A– randomized algorithm • Server fixes a seed s for all queries • Allows selecting random solutions • Prevents abuse of repeated queries G1 G2 A(G1,s) A(G2,s) A s CRYPTO 2007

  15. Rest of the Talk • Propose two new definitions • Equivalence protecting • Resemblance preserving • Show basic implementation methodologies • Summary/discuss CRYPTO 2007

  16. First Definition: Equivalence Protecting • Consistent oracle : • (x)S(x) • (x)=(y) for all x ≈Py • A seeded algorithm Ais equivalence protecting: Random consistent oracle A(· , ) s ≡c (x1) (x2) x1 x2 x1 x2 Distinguisher  CRYPTO 2007

  17. 1 s 2 t 3 Equivalence Protecting: Shortest Path • Def: An edge is relevant in G if it appears in some shortest path from s to t • Fact I: Relevance depends only on S(G) • Fact II: There exists an algorithm Arand(G,r ) that outputs a random shortest path in G CRYPTO 2007

  18. Equivalence Protecting: Shortest Path Input: • A graph G • A seed s for a family {fs} of pseudorandom functions Output: A path in S(G) The algorithm: • H = relevant edges of G • Compute r=fs(H) • Output: p= Arand(H,r ) CRYPTO 2007

  19. Other Equivalence Preserving Algorithms • Perfect matching in bipartite graphs • Solution of a linear system of equations • Shortest path: weighted directed graphs CRYPTO 2007

  20. Fact: 0 ≤ r(x,y) ≤ 1 |S(x)S(y)| r(x,y) = |S(x)S(y)| Second Definition: Resemblance Preserving • Motivation: protect inputs with similar solution sets • Resemblance between instances x,y: • A seeded algorithm A is resemblance preserving if for all instances x,y: Pr[A(x,s)=A(y,s)] ≥ r(x,y) CRYPTO 2007

  21. Tool: Min-wise Independent Permutations [BroderCharikarFriezeMitzenmacher98] • A family of permutations is min-wise independent if for every set A Uand aA: • Observation: CRYPTO 2007

  22. A Generic Resemblance Preserving Algorithm Input: • An input x • A seed s for a family of min-wise independent permutations Output: A solution in S(x) Algorithm: • Output sol S(x) such that • Algorithmic challenge: Find sol efficiently. CRYPTO 2007

  23. Other Resemblance Preserving Algorithms • (non-) Roots of polynomials • Solution of a linear system of equations • Satisfying assignment of a DNF formula CRYPTO 2007

  24. Summary • Presented two intuitive variants of private search • Equivalence protecting • Resemblance preserving • Constructed algorithms satisfying definitions • Privacy implications of search problems are not well understood • Even (seemingly minimal) requirements of privacy are hard to attain  Different privacy requirements for different setups • Is there an order in the mess? • A methodology for comparing/justifying definitions CRYPTO 2007

  25. BSF-DIMACS Privacy Workshop • @DIMACS/Rutgers University • Interdisciplinary • February 4-7 • Organizers: B. Pinkas, K.N., and R. Wright • (some) Funding available • To be added to mailing list: kobbi@cs.bgu.ac.il CRYPTO 2007

  26. A (Seemingly) Minimal Requirement Private search algorithm[BCNW06]: VC(G) = VC(G’)  A*VC(G) ≈ A*VC(G’) A*VC should not distinguish graphs that have the same set of solutions A generalization of private approximation [FIMNSW01] CRYPTO 2007

More Related