1 / 24

Li Xiong CS573 Data Privacy and Security

“Secure” Multiparty Computation – Multi-round protocols. Li Xiong CS573 Data Privacy and Security. Secure multiparty computation. General circuit based secure multiparty computation methods Specialized secure multiparty computation protocols

tim
Download Presentation

Li Xiong CS573 Data Privacy and Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. “Secure” Multiparty Computation – Multi-round protocols Li Xiong CS573 Data Privacy and Security

  2. Secure multiparty computation General circuit based secure multiparty computation methods Specialized secure multiparty computation protocols Decision tree mining across horizontally partitioned data Secure sum, secure union Association rule mining across horizontally partitioned data Most of them rely on cryptographic primitives and are still expensive Multi-round protocols as an alternative

  3. Multi-round protocols • Max/min, top k • k-th element protocol using secure comparison (Aggarwal ‘04) • Multi-round probabilistic protocols (Xiong ‘07) • OR (Union) • Commutative encryption based • Multi-round probabilistic protocols (Bawa ’03) Secure computation of the k-ranked element, Aggarwal, 2004 Preserving Privacy for outsourcing aggregation services, Xiong, 2007 Privacy Preserving Indexing of Documents on the Network, Bawa, 2003

  4. K-th element (Aggarwal 04) • Input • Di, i = 1, 2, …, s • k • Range of data values: [alpha, beta]. • Size of the union of database: n • Output • The k-th ranked elements in the union of Di Secure computation of the k-ranked element, Aggarwal, 2004

  5. kth element protocol • Initialize • Each party ranks its elements in ascending order. Initialize current range [a,b] to [alpha, beta], set n= sum |Di| • Repeat until done • Set m = (a+b)/2 • Each party computes li, number of elements less than m, and gi, number of elements greater than m • If sum(li) <= k-1 and sum(gi) <= n-k, done • If sum(li) >=k, set b = m-1, output 0 • If sum(gi) >= n-k+1, set a = m+1, output 1

  6. Cost • Number of rounds: logM where M is the range size • Each round requires two secure sums and two secure comparisons

  7. Multi-round protocols Can we get away from cryptographic primitives? Multi-round protocols idea Use randomizations (random response) Utilize inherent network anonymity of multiple nodes Multi-round protocols May not be completely secure May not be completely accurate

  8. Multi-round protocols Multi-round probabilistic protocols for max/min and top k (Xiong ‘07) Multi-round OR (union) protocol (Aggarwal ’04)

  9. Output Input D1 D2 Local Computation Local Computation Private Data Private Data Input Output Output Input Social Survey D3 Dn Local Computation Local Computation Private Data Private Data … Input Output Protocol Structure • Random response (Warner 1965) • Multi-round randomized protocol • Randomized local computation • Multi-node anonymity • Assumption: semi-honest model Preserving Privacy for outsourcing aggregation services, Xiong, 2007

  10. gi-1 gi i start 30 vi 2 1 30 10 40 30 40 20 4 3 40 A Naïve Max/Min Protocol • Add in randomization – how, when, and how much?

  11. gi-1 gi i vi Max Protocol – Random response • Random response at node i:

  12. gi-1(r) gi(r) i vi Max Protocol – multi-round random response • Multiple rounds • Randomization Probability at round r : • Pr(r) = • Local algorithm at round r and node i:

  13. Max Protocol - Illustration Start 18 32 35 0 D2 D2 30 10 32 35 40 18 32 35 20 40 D4 D3 32 35 40

  14. D2 D1 Dn … 150 145 130 125 110 100 80 80 50 60 40 Gi(r) 10 Vi Gi-1(r) PrivateTopK Protocol Gi’(r)=topk(Gi-1(r) U Vi); Vi’ = Gi’(r) – Gi-1’(r); m = |Vi’|; if m=0 then Gi(r)= Gi-1(r); else with probability 1-Pr(r): Gi(r)= Gi-1(r) with probability Pr: Gi(r)[1:k-m] = Gi-1(r)[1:k-m] Gi(r)[k-m+1:k] = a sorted list of m random values generated from [min(Gi’(r)[k]-delta,Gi-1(r-1)[k-m+1]), Gi’(r)[k]) end

  15. Min/Max Protocol - Correctness • Precision bound: • Converges with r • Smaller p0 and d provides faster convergence

  16. Min/Max Protocol - Cost • Communication cost • single round: O(n) • Minimum # of rounds given precision guarantee (1-e):

  17. Min/Max Protocol - Security • Probability/confidence based metric: P(C|IR,R) • Different types of exposures based on claim • Data value: vi=a • Data ownership: Vi contains a • Loss of Privacy (LoP) = | P(C|IR,R) – P(C|R) | • Information entropy based metric: • Loss of privacy as a measure of randomness of information: H(D|R) - H(D|IR,R) Provable Exposure Absolute Privacy 0 1 0.5

  18. Min/Max Protocol – Security (Analysis) • Upper bound for average expected LoP: max r 1/2r-1 * (1-P0*dr-1) • Larger p0 and d provides better privacy

  19. Min/Max Protocol – Security (Experiments) • Loss of privacy decreases with increasing number of nodes • Probabilistic protocol achieves better privacy (close to 0) • When n is large, anonymous protocol is actually okay!

  20. Union • Commutative encryption based approach • Number of rounds: 2 rounds • Each round: encryption and decryption • Multi-round random-response approach?

  21. 0 b1 1 b2 … 0 bL Vector p1 p2 pc VG • Each database has a boolean vector of the data items • Union vector is a logical OR of all vectors 1 0 1 0 1 1 … OR OR OR = … … … 0 0 0 Privacy Preserving Indexing of Documents on the Network, Bawa, 2003

  22. 0 1 0 1 0 1 … … … 0 0 0 vc v2 v1 0 1 1 1 1 1 1 0 1 1 0 1 0 0 … … … … … … … 0 0 0 0 0 0 0 vG’ vG’ vG’ vG’ vG’ vG’ vG’ Group Vector Protocol … Processing of VG’ at ps of round r Pex=1/2r, Pin=1-Pex for(i=1; i<L; i++) if (Vs[i]=1 and VG’[i]=0) Set VG’[i]=1 with prob. Pin if (Vs[i]=0 and VG’[i]=1) Set VG’[i]=0 with prob. Pex p2 pc p1 r=1, Pex=1/2, Pin=1/2 r=2, Pex=1/4, Pin=3/4

  23. Open issues • Tradeoff between accuracy, efficiency, and security • How to quantify security • How to design adjustable protocols • Can we generalize the algorithms for a set of operators based on their properties • Operators: sum, union, max, min … • Properties: commutative, associative, invertible, randomizable

  24. Enjoy the spring break!

More Related