70 Views

Download Presentation
##### Secure Computation of the k’th Ranked Element

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**Secure Computation of the k’th Ranked Element**Gagan Aggarwal Stanford University Joint work with Nina Mishra and Benny Pinkas, HP Labs**A story …**I bet the dumbest student in Gryffindor has a higher IQ than the median IQ of all students in the school. But you don’t even know what the median IQ is … Let us compute it... But, what about privacy of the students. We can do “Secure function evaluation” … This is all “theory”. It can’t be efficient.**Rising Need for Privacy**Many opportunities of interaction between institutions and agencies holding sensitive data. Privacy cannot be sacrificed. I.e. different agencies might hold data which they are not allowed to share. A need for protocols to evaluate functions while preserving privacy of data.**Privacy-preserving Computation:**the ideal case y x Input: F(x,y) and nothing else Output: x y F(x,y) F(x,y)**Trusted third parties are rare**x y F(x,y) F(x,y) • Run a protocol to evaluate F(x,y) without a trusted party. • Two kinds of adversaries: • Semi-honest – Follows the protocol, but is curious to learn more than F(x,y). • Malicious - Might do anything.**Definition of security:semi-honest model**x y … F(x,y) Protocol is secure if Bob can generate the sequence of messages exchanged from his own input y and the value of F(x,y).**Definition of security:malicious model**x … • Protocol is secure if • adversary Bob, an input y s.t. Bob’s actions correspond to him presenting y to a trusted third party.**Secure Function Evaluation[Yao,GMW,BGW,CCD]**• F(x,y) – A public function. • Represented as a Booleancircuit C(x,y). y x Input: C(x,y) and nothing else Output: C(x,y) and nothing else • Implementation: • O(|X|) “oblivious transfers”. • O(|C|) communication. • Pretty efficient for small circuits! • e.g. Is x > y?(Millionaire’s problem)**Some useful primitives**• Useful to have efficient solutions for simple primitives. • Let X and Y be sets of elements: • X Y (first talk) • Statistics over X Y: • Max, Min, Average, Median, kth-ranked element.**kth-ranked element**• Inputs: • Alice: SABob: SB • Large sets of unique items (є S). • The rank k • Could depend on the size of input datasets. • Median:k = (|SA| + |SB|) / 2 • Output: • x SA SBs.t. x has k-1 elements smaller than it.**Results**Finding the kth ranked item (D=|domain|) • Two-party: reduction to log k secure comparisons of log D bit numbers. • log k rounds * O(log D) • Multi-party: reduction to log D simple computations with log D bit numbers. • log D rounds * O(log D) • Also, security against malicious parties. • Can hide the size of the datasets.**Related work**• Lower bound: Ω(log D) • From communication complexity. • Generic constructions • Using circuits [Yao …]: • Overhead at least linear in k. • Naor-Nissim: • Overhead of Ω(D).**An (insecure) two-party median protocol**SA LA mA RA mA < mB SB LB mB RB LA lies below the median, RB lies above the median. New median is same as original median. Recursion Need log n rounds (assume each set contains n=2i items)**Secure two-party median protocol**A deletes elements ≤ mA. B deletes elements > mB. YES A finds its median mA . B finds its median mB . mA<mB A deletes elements > mA. B deletes elements ≤ mB. NO Secure comparison (e.g. a small circuit)**1**16 16 1 1 8 9 16 5 8 9 12 7 8 9 10 7 10 An example B A mA>mB mA<mB mA<mB mA>mB Median found!! mA<mB**Proof of security**median B A mA>mB mA>mB mA<mB mA<mB mA<mB mA<mB mA>mB mA>mB mA<mB mA<mB Median**Still to come…**• Security against malicious parties. • Adapt the median protocol for arbitrary k and arbitrary input set size. • Hide the size of the datasets. • kth element for multi-party scenario.**Security against malicious parties**• Comparisons secure against malicious parties. • Verify that parties’ inputs to comparisons are consistent. I.e., prevent • Round 1: mA = 1000. Is told to delete all x>1000. • Round 2: mA = 1100… • Solution: Each round sends secure “state” to next round (i.e., boundaries for parties’ inputs). Implement “reactive computation” [C,CLOS]. • Can implement in a single circuit. Efficient security against malicious parties.**Security against malicious parties**a4<b4 YES NO a6<b2 a2<b6 YES YES NO a7<b1 a5<b3 a3<b5 a1<b7 Y N Y N Y N Y N a8<b1 a7<b2 a4<b5 a3<b6 a6<b3 a5<b4 a2<b7 a1<b8**Security against malicious parties**a4<b4 YES NO a6<b2 a2<b6 YES YES NO a7<b1 a5<b3 a3<b5 a1<b7 Y N Y N Y N Y N a8<b1 a7<b2 a4<b5 a3<b6 a6<b3 a5<b4 a2<b7 a1<b8**Security against malicious parties**a4<b4 YES NO a6<b2 a2<b6 YES YES NO a7<b1 a5<b3 a3<b5 a1<b7 Y N Y N Y N Y N a8<b1 a7<b2 a4<b5 a3<b6 a6<b3 a5<b4 a2<b7 a1<b8**Security against malicious parties**• An adversary is fully defined by the input ai’s it gives for each of the nodes of this tree. • These (consistent) ai’s form an input x which can be used with F(x,y) to generate a transcript.**-**2i + + Arbitrary input size, arbitrary k SA k SB Now, compute the median of two sets of size k. Size should be a power of 2. median of new inputs = kth element of original inputs**+**- U + - Hiding size of inputs • Can search for kthelement without revealing size of input sets. • However, k=n/2 (median) reveals input size. • Solution: Let U=2i be a bound on input size. Median of new datasets is same as median of original datasets. |SA| |SB|**The multi-party case**• Input: Party Pi has set Si, i=1..n. (all values [a,b], where a and b are known) • Output:kth element of S1 … Sn • Basic Idea: Binary search on [a,b].**The multi-party case**• Protocol:Set m = (a+b)/2. Repeat: • Pi inputs to a secure computation Li = # elements in Si smaller than m. Bi= # times m appears in Si. • The following is computed securely: • If ΣLi k, • Else, if ΣLi + Bi k, • Otherwise, Lower half Found median Upper half**The multi-party case**• Can be made secure for malicious case. • Using consistency checks. • Works for two-party case. • Can be used for non-distinct elements.**Summary**• Efficient secure computation of the median. • Two-party:log k rounds * O(log D) • Multi-party: log D rounds * O(log D) • Communication overhead is very close to the communication complexity lower bound of log D bits. • Malicious case is efficient too. • Do not use generic tools. • Instead, we implement simple consistency checks to get security against malicious parties.