How Should We Solve Search Problems Privately?

# How Should We Solve Search Problems Privately?

## How Should We Solve Search Problems Privately?

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
##### Presentation Transcript

1. How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb

2. Secure Function Evaluation [Yao,GMW,BGW,…] • n players with private inputs x1,…,xn • Can compute any function f() over their private inputs • No information beyond f() is leaked • SFE tells • HOW to compute f() • But not • Whatf() to compute CRYPTO 2007

3. A Client-Server Setting • SFE reduces many of the general cases to the client-server setting Server Client G CRYPTO 2007

4. WHAT should we compute? • Server must/is willing to reveal a function f() of the data • Secure function evaluation: Reveal f(), but no other information • ??? • Server should preserve individual privacy • Private data analysis: (rand) functions f() satisfying differential privacy CRYPTO 2007

5. In Between (1) • Server must/is willing to reveal a function f() of the data • But… Computing f() is inefficient or intractable • And, an efficient approx f*() exists • Idea: Use SFE to compute an approx f*() to f() CRYPTO 2007

6. G What Can Go Wrong? [FIMNSW01] • Server holds a graph G • Client asks for size of min VC fvc(G) • Approx: fvc*(G) = 2MaxMatch(G) Hmmm... fVC2 2 2MaxMatch2 4 CRYPTO 2007

7. Private Approximations [FIMNSW01] • Require:f*(G) simulatable given f(G) • Hence approximation does not leak more information than exact computation • Implied:f(G) = f(G’)  f*(G) ≈ f*(G’) • Sometimes feasible: • Hamming distance [FIMNSW01, IW06] • Permanent [FIMNSW01] • Sometimes not feasible: • fVC not privately approx within ratio n1-ε [HKKN01] • Approx feasible with a small leakage CRYPTO 2007

8. In Between (2) • Server must/is willing to solve a search problem over the data • Idea: Use SFE to compute a solution? • Or an approximate solution CRYPTO 2007

9. 4 4 5 5 1 1 2 2 3 3 G What Can Go Wrong? [BCNW06] • Server holds a graph G • Client asks for VC(G) • Approx: A*VC(G) = MaxMatch(G) Hmmm... VC{2} {2} A*VC{2,3} {2,1} CRYPTO 2007

10. CRYPTO 2007

11. Private Algorithms [BCNW06] R – Equivalence Relation over {0,1}* • E.g. G1 ≈ G2 if VC(G1) = VC(G2) Algorithm A is private with respect toR if: A( ) A( ) ≈ x x y y CRYPTO 2007

12. Is Private Search Good? Too strong: • VC does not admit private search approx algs • Even with a significant relaxation [BCNW06,BHN07] • If NP not in P/poly, there is a search problem in P that has no polynomial time private algorithm [BCNW06] Too weak: • A private search algorithm may reveal all the solutions • Does not rule out simple ways of plausible leakage CRYPTO 2007

13. Some Possible Weaknesses • Randomized Algorithms:  More solutions learned by repeated querying  Fuzziness • Deterministic Algorithms:  Repeated querying ineffective  Definite information learned • Can we get the best of both worlds? CRYPTO 2007

14. Framework: Seeded Algorithms • A– randomized algorithm • Server fixes a seed s for all queries • Allows selecting random solutions • Prevents abuse of repeated queries G1 G2 A(G1,s) A(G2,s) A s CRYPTO 2007

15. Rest of the Talk • Propose two new definitions • Equivalence protecting • Resemblance preserving • Show basic implementation methodologies • Summary/discuss CRYPTO 2007

16. First Definition: Equivalence Protecting • Consistent oracle : • (x)S(x) • (x)=(y) for all x ≈Py • A seeded algorithm Ais equivalence protecting: Random consistent oracle A(· , ) s ≡c (x1) (x2) x1 x2 x1 x2 Distinguisher  CRYPTO 2007

17. 1 s 2 t 3 Equivalence Protecting: Shortest Path • Def: An edge is relevant in G if it appears in some shortest path from s to t • Fact I: Relevance depends only on S(G) • Fact II: There exists an algorithm Arand(G,r ) that outputs a random shortest path in G CRYPTO 2007

18. Equivalence Protecting: Shortest Path Input: • A graph G • A seed s for a family {fs} of pseudorandom functions Output: A path in S(G) The algorithm: • H = relevant edges of G • Compute r=fs(H) • Output: p= Arand(H,r ) CRYPTO 2007

19. Other Equivalence Preserving Algorithms • Perfect matching in bipartite graphs • Solution of a linear system of equations • Shortest path: weighted directed graphs CRYPTO 2007

20. Fact: 0 ≤ r(x,y) ≤ 1 |S(x)S(y)| r(x,y) = |S(x)S(y)| Second Definition: Resemblance Preserving • Motivation: protect inputs with similar solution sets • Resemblance between instances x,y: • A seeded algorithm A is resemblance preserving if for all instances x,y: Pr[A(x,s)=A(y,s)] ≥ r(x,y) CRYPTO 2007

21. Tool: Min-wise Independent Permutations [BroderCharikarFriezeMitzenmacher98] • A family of permutations is min-wise independent if for every set A Uand aA: • Observation: CRYPTO 2007

22. A Generic Resemblance Preserving Algorithm Input: • An input x • A seed s for a family of min-wise independent permutations Output: A solution in S(x) Algorithm: • Output sol S(x) such that • Algorithmic challenge: Find sol efficiently. CRYPTO 2007

23. Other Resemblance Preserving Algorithms • (non-) Roots of polynomials • Solution of a linear system of equations • Satisfying assignment of a DNF formula CRYPTO 2007

24. Summary • Presented two intuitive variants of private search • Equivalence protecting • Resemblance preserving • Constructed algorithms satisfying definitions • Privacy implications of search problems are not well understood • Even (seemingly minimal) requirements of privacy are hard to attain  Different privacy requirements for different setups • Is there an order in the mess? • A methodology for comparing/justifying definitions CRYPTO 2007

25. BSF-DIMACS Privacy Workshop • @DIMACS/Rutgers University • Interdisciplinary • February 4-7 • Organizers: B. Pinkas, K.N., and R. Wright • (some) Funding available • To be added to mailing list: kobbi@cs.bgu.ac.il CRYPTO 2007

26. A (Seemingly) Minimal Requirement Private search algorithm[BCNW06]: VC(G) = VC(G’)  A*VC(G) ≈ A*VC(G’) A*VC should not distinguish graphs that have the same set of solutions A generalization of private approximation [FIMNSW01] CRYPTO 2007