Secure Computation of the k’th Ranked Element

1 / 29

# Secure Computation of the k’th Ranked Element - PowerPoint PPT Presentation

##### Secure Computation of the k’th Ranked Element

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
##### Presentation Transcript

1. Secure Computation of the k’th Ranked Element Gagan Aggarwal Stanford University Joint work with Nina Mishra and Benny Pinkas, HP Labs

2. A story … I bet the dumbest student in Gryffindor has a higher IQ than the median IQ of all students in the school. But you don’t even know what the median IQ is … Let us compute it... But, what about privacy of the students. We can do “Secure function evaluation” … This is all “theory”. It can’t be efficient.

3. Rising Need for Privacy Many opportunities of interaction between institutions and agencies holding sensitive data. Privacy cannot be sacrificed. I.e. different agencies might hold data which they are not allowed to share. A need for protocols to evaluate functions while preserving privacy of data.

4. Privacy-preserving Computation: the ideal case y x Input: F(x,y) and nothing else Output: x y F(x,y) F(x,y)

5. Trusted third parties are rare x y F(x,y) F(x,y) • Run a protocol to evaluate F(x,y) without a trusted party. • Two kinds of adversaries: • Semi-honest – Follows the protocol, but is curious to learn more than F(x,y). • Malicious - Might do anything.

6. Definition of security:semi-honest model x y … F(x,y) Protocol is secure if Bob can generate the sequence of messages exchanged from his own input y and the value of F(x,y).

7. Definition of security:malicious model x … • Protocol is secure if • adversary Bob,  an input y s.t. Bob’s actions correspond to him presenting y to a trusted third party.

8. Secure Function Evaluation[Yao,GMW,BGW,CCD] • F(x,y) – A public function. • Represented as a Booleancircuit C(x,y). y x Input: C(x,y) and nothing else Output: C(x,y) and nothing else • Implementation: • O(|X|) “oblivious transfers”. • O(|C|) communication. • Pretty efficient for small circuits! • e.g. Is x > y?(Millionaire’s problem)

9. Some useful primitives • Useful to have efficient solutions for simple primitives. • Let X and Y be sets of elements: • X  Y (first talk) • Statistics over X  Y: • Max, Min, Average, Median, kth-ranked element.

10. kth-ranked element • Inputs: • Alice: SABob: SB • Large sets of unique items (є S). • The rank k • Could depend on the size of input datasets. • Median:k = (|SA| + |SB|) / 2 • Output: • x  SA SBs.t. x has k-1 elements smaller than it.

11. Results Finding the kth ranked item (D=|domain|) • Two-party: reduction to log k secure comparisons of log D bit numbers. • log k rounds * O(log D) • Multi-party: reduction to log D simple computations with log D bit numbers. • log D rounds * O(log D) • Also, security against malicious parties. • Can hide the size of the datasets.

12. Related work • Lower bound: Ω(log D) • From communication complexity. • Generic constructions • Using circuits [Yao …]: • Overhead at least linear in k. • Naor-Nissim: • Overhead of Ω(D).

13. An (insecure) two-party median protocol SA LA mA RA mA < mB SB LB mB RB LA lies below the median, RB lies above the median. New median is same as original median. Recursion  Need log n rounds (assume each set contains n=2i items)

14. Secure two-party median protocol A deletes elements ≤ mA. B deletes elements > mB. YES A finds its median mA . B finds its median mB . mA<mB A deletes elements > mA. B deletes elements ≤ mB. NO Secure comparison (e.g. a small circuit)

15. 1 16 16 1 1 8 9 16 5 8 9 12 7 8 9 10 7 10 An example B A mA>mB mA<mB mA<mB mA>mB Median found!! mA<mB

16. Proof of security median B A mA>mB mA>mB mA<mB mA<mB mA<mB mA<mB mA>mB mA>mB mA<mB mA<mB Median

17. Still to come… • Security against malicious parties. • Adapt the median protocol for arbitrary k and arbitrary input set size. • Hide the size of the datasets. • kth element for multi-party scenario.

18. Security against malicious parties • Comparisons secure against malicious parties. • Verify that parties’ inputs to comparisons are consistent. I.e., prevent • Round 1: mA = 1000. Is told to delete all x>1000. • Round 2: mA = 1100… • Solution: Each round sends secure “state” to next round (i.e., boundaries for parties’ inputs). Implement “reactive computation” [C,CLOS]. • Can implement in a single circuit. Efficient security against malicious parties.

19. Security against malicious parties a4<b4 YES NO a6<b2 a2<b6 YES YES NO a7<b1 a5<b3 a3<b5 a1<b7 Y N Y N Y N Y N a8<b1 a7<b2 a4<b5 a3<b6 a6<b3 a5<b4 a2<b7 a1<b8

20. Security against malicious parties a4<b4 YES NO a6<b2 a2<b6 YES YES NO a7<b1 a5<b3 a3<b5 a1<b7 Y N Y N Y N Y N a8<b1 a7<b2 a4<b5 a3<b6 a6<b3 a5<b4 a2<b7 a1<b8

21. Security against malicious parties a4<b4 YES NO a6<b2 a2<b6 YES YES NO a7<b1 a5<b3 a3<b5 a1<b7 Y N Y N Y N Y N a8<b1 a7<b2 a4<b5 a3<b6 a6<b3 a5<b4 a2<b7 a1<b8

22. Security against malicious parties • An adversary is fully defined by the input ai’s it gives for each of the nodes of this tree. • These (consistent) ai’s form an input x which can be used with F(x,y) to generate a transcript.

23. - 2i + + Arbitrary input size, arbitrary k SA k SB Now, compute the median of two sets of size k. Size should be a power of 2. median of new inputs = kth element of original inputs

24. + - U + - Hiding size of inputs • Can search for kthelement without revealing size of input sets. • However, k=n/2 (median) reveals input size. • Solution: Let U=2i be a bound on input size. Median of new datasets is same as median of original datasets. |SA| |SB|

25. The multi-party case • Input: Party Pi has set Si, i=1..n. (all values [a,b], where a and b are known) • Output:kth element of S1 …  Sn • Basic Idea: Binary search on [a,b].

26. The multi-party case • Protocol:Set m = (a+b)/2. Repeat: • Pi inputs to a secure computation Li = # elements in Si smaller than m. Bi= # times m appears in Si. • The following is computed securely: • If ΣLi  k, • Else, if ΣLi + Bi  k, • Otherwise, Lower half Found median Upper half

27. The multi-party case • Can be made secure for malicious case. • Using consistency checks. • Works for two-party case. • Can be used for non-distinct elements.

28. Summary • Efficient secure computation of the median. • Two-party:log k rounds * O(log D) • Multi-party: log D rounds * O(log D) • Communication overhead is very close to the communication complexity lower bound of log D bits. • Malicious case is efficient too. • Do not use generic tools. • Instead, we implement simple consistency checks to get security against malicious parties.

29. Thanks for your attention! 