## How Should We Solve Search Problems Privately?


**How Should We Solve Search Problems Privately?**

Kobbi Nissim – BGU
A. Beimel, T. Malkin, and E. Weinreb

**Secure Function Evaluation** [Yao, GMW, BGW, …]

• n players with private inputs x1,…,xn
• Can compute any function f() over their private inputs
• No information beyond f() is leaked
• SFE tells
  • HOW to compute f()
• But not
  • What f() to compute

CRYPTO 2007

**A Client-Server Setting**

• SFE reduces many of the general cases to the client-server setting

[Figure: Server, Client, G]

**WHAT should we compute?**

• Server must/is willing to reveal a function f() of the data
  • Secure function evaluation: Reveal f(), but no other information
• ???
• Server should preserve individual privacy
  • Private data analysis: (rand) functions f() satisfying differential privacy

**In Between (1)**

• Server must/is willing to reveal a function f() of the data
• But… Computing f() is inefficient or intractable
• And, an efficient approx f*() exists
• Idea: Use SFE to compute an approx f*() to f()

**What Can Go Wrong?** [FIMNSW01]

• Server holds a graph G
• Client asks for size of min VC fvc(G)
• Approx: fvc*(G) = 2MaxMatch(G)

Hmmm...

[Figure: graphs G, annotated with fVC: 2, 2 and 2MaxMatch: 2, 4]

**Private Approximations [FIMNSW01]**

• Require: f*(G) simulatable given f(G)
  • Hence approximation does not leak more information than exact computation
• Implied: f(G) = f(G’) f*(G) ≈ f*(G’)
• Sometimes feasible:
  • Hamming distance [FIMNSW01, IW06]
  • Permanent [FIMNSW01]
• Sometimes not feasible:
  • fVC not privately approx within ratio n^(1-ε) [HKKN01]
  • Approx feasible with a small leakage

**In Between (2)**

• Server must/is willing to solve a search problem over the data
• Idea: Use SFE to compute a solution?
• Or an approximate solution

**What Can Go Wrong?** [BCNW06]

• Server holds a graph G
• Client asks for VC(G)
• Approx: A*VC(G) = MaxMatch(G)

Hmmm...

[Figure: graphs G with vertices labeled 1–5, annotated with VC: {2}, {2} and A*VC: {2,3}, {2,1}]

**Private Algorithms [BCNW06]**

R – Equivalence Relation over {0,1}*

• E.g. G1 ≈ G2 if VC(G1) = VC(G2)

Algorithm A is private with respect to R if:

[Figure: A( ) ≈ A( ), with inputs labeled x and y]

**Is Private Search Good?**

Too strong:

• VC does not admit private search approx algs
  • Even with a significant relaxation [BCNW06, BHN07]
• If NP not in P/poly, there is a search problem in P that has no polynomial time private algorithm [BCNW06]

Too weak:

• A private search algorithm may reveal all the solutions
• Does not rule out simple ways of plausible leakage

**Some Possible Weaknesses**

• Randomized Algorithms:
  • More solutions learned by repeated querying
  • Fuzziness
• Deterministic Algorithms:
  • Repeated querying ineffective
  • Definite information learned
• Can we get the best of both worlds?

**Framework: Seeded Algorithms**

• A – randomized algorithm
• Server fixes a seed s for all queries
• Allows selecting random solutions
• Prevents abuse of repeated queries

[Figure: G1, G2, A, s, A(G1,s), A(G2,s)]

**Rest of the Talk**

• Propose two new definitions
  • Equivalence protecting
  • Resemblance preserving
• Show basic implementation methodologies
• Summary/discuss

**First Definition: Equivalence Protecting**

• Consistent oracle :
  • (x)S(x)
  • (x)=(y) for all x ≈P y
• A seeded algorithm A is equivalence protecting:

[Figure: Distinguisher with queries x1, x2; A(· , s) ≡c Random consistent oracle]

**Equivalence Protecting: Shortest Path**

• Def: An edge is relevant in G if it appears in some shortest path from s to t
• Fact I: Relevance depends only on S(G)
• Fact II: There exists an algorithm Arand(G,r) that outputs a random shortest path in G

[Figure: graph with vertices s, t, 1, 2, 3]

**Equivalence Protecting: Shortest Path**

Input:

• A graph G
• A seed s for a family {fs} of pseudorandom functions

Output: A path in S(G)

The algorithm:

• H = relevant edges of G
• Compute r = fs(H)
• Output: p = Arand(H,r)

**Other Equivalence Preserving Algorithms**

• Perfect matching in bipartite graphs
• Solution of a linear system of equations
• Shortest path: weighted directed graphs

**Second Definition: Resemblance Preserving**

• Motivation: protect inputs with similar solution sets
• Resemblance between instances x,y: r(x,y) = |S(x)S(y)| / |S(x)S(y)|
• Fact: 0 ≤ r(x,y) ≤ 1
• A seeded algorithm A is resemblance preserving if for all instances x,y: Pr[A(x,s)=A(y,s)] ≥ r(x,y)

**Tool: Min-wise Independent Permutations** [BroderCharikarFriezeMitzenmacher98]

• A family of permutations is min-wise independent if for every set A U and a A:
• Observation:

**A Generic Resemblance Preserving Algorithm**

Input:

• An input x
• A seed s for a family of min-wise independent permutations

Output: A solution in S(x)

Algorithm:

• Output sol S(x) such that
• Algorithmic challenge: Find sol efficiently.

**Other Resemblance Preserving Algorithms**

• (non-) Roots of polynomials
• Solution of a linear system of equations
• Satisfying assignment of a DNF formula

**Summary**

• Presented two intuitive variants of private search
  • Equivalence protecting
  • Resemblance preserving
• Constructed algorithms satisfying definitions
• Privacy implications of search problems are not well understood
  • Even (seemingly minimal) requirements of privacy are hard to attain

Different privacy requirements for different setups

• Is there an order in the mess?
• A methodology for comparing/justifying definitions

**BSF-DIMACS Privacy Workshop**

• @DIMACS/Rutgers University
• Interdisciplinary
• February 4-7
• Organizers: B. Pinkas, K.N., and R. Wright
• (some) Funding available
• To be added to mailing list: kobbi@cs.bgu.ac.il

**A (Seemingly) Minimal Requirement**

Private search algorithm [BCNW06]: VC(G) = VC(G’) A*VC(G) ≈ A*VC(G’)

A*VC should not distinguish graphs that have the same set of solutions

A generalization of private approximation [FIMNSW01]
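The seeded algorithm from the "Equivalence Protecting: Shortest Path" slides (H = relevant edges, r = fs(H), output Arand(H,r)), written out as an added example that is not code from the talk. It assumes an unweighted undirected graph, HMAC-SHA256 as the pseudorandom family {fs}, and Python's `random.Random` as the source of Arand's coins; the graphs `G1` and `G2` are constructed.

```python
import hashlib, hmac, random
from collections import deque

def bfs(adj, src):
    dist, queue = {src: 0}, deque([src])
    while queue:
        u = queue.popleft()
        for v in adj.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def relevant_edges(edges, s, t):
    """H: edges on some shortest s-t path, oriented from s towards t."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    ds, dt = bfs(adj, s), bfs(adj, t)
    return sorted({(a, b) for u, v in edges for a, b in ((u, v), (v, u))
                   if a in ds and b in dt and ds[a] + 1 + dt[b] == ds.get(t)})

def seeded_shortest_path(edges, s, t, seed):
    H = relevant_edges(edges, s, t)
    if s != t and not H:
        return None                      # t is unreachable from s
    # r = f_s(H): the coins depend on the seed and on H only, never on G \ H.
    r = hmac.new(seed, repr((s, t, H)).encode(), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(r, "big"))
    succ = {}
    for a, b in H:
        succ.setdefault(a, []).append(b)
    count = {t: 1}                       # number of shortest paths from u to t
    def paths(u):
        if u not in count:
            count[u] = sum(paths(v) for v in succ.get(u, []))
        return count[u]
    # A_rand(H, r): weight each step by the paths behind it (uniform over S(G)).
    path = [s]
    while path[-1] != t:
        nxt = succ[path[-1]]
        path.append(rng.choices(nxt, weights=[paths(v) for v in nxt])[0])
    return path

# Constructed graphs: same shortest s-t paths, different irrelevant edges.
G1 = [("s", "a"), ("a", "t"), ("s", "b"), ("b", "t"), ("a", "c"), ("c", "d")]
G2 = [("t", "b"), ("b", "s"), ("t", "a"), ("a", "s"), ("a", "b"), ("b", "e")]
```

With one fixed seed, `G1` and `G2` always yield the same path and repeated queries return nothing new; different seeds select different shortest paths.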
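The generic resemblance preserving algorithm, run on two small DNF formulas, as an added example that is not from the talk. It assumes r(x,y) = |S(x) ∩ S(y)| / |S(x) ∪ S(y)| (the slide's formula shows no set operators), uses HMAC-SHA256 ranks as a stand-in for a min-wise independent permutation family, and finds sol by brute-force enumeration rather than efficiently; the formulas `X` and `Y` are constructed.

```python
import hashlib, hmac
from itertools import product

def solutions(dnf, n):
    """S(x): all satisfying assignments of a DNF over n variables (brute force)."""
    return {a for a in product((0, 1), repeat=n)
            if any(all(a[i] == bit for i, bit in term.items()) for term in dnf)}

def rank(seed, sol):
    """pi_s(sol): keyed hash standing in for a min-wise independent permutation."""
    return hmac.new(seed, bytes(sol), hashlib.sha256).digest()

def seeded_solution(dnf, n, seed):
    """A(x, s): the solution in S(x) whose image under pi_s is smallest."""
    sols = solutions(dnf, n)
    return min(sols, key=lambda sol: rank(seed, sol)) if sols else None

def resemblance(dnf_x, dnf_y, n):
    """r(x, y), assumed here to be the intersection-over-union of solution sets."""
    sx, sy = solutions(dnf_x, n), solutions(dnf_y, n)
    union = sx | sy
    return len(sx & sy) / len(union) if union else 1.0

def agreement_rate(dnf_x, dnf_y, n, trials=2000):
    """Empirical Pr over seeds s of A(x, s) == A(y, s)."""
    hits = 0
    for i in range(trials):
        seed = i.to_bytes(4, "big")
        hits += seeded_solution(dnf_x, n, seed) == seeded_solution(dnf_y, n, seed)
    return hits / trials

# Constructed instances over 4 variables; a term maps variable index -> required bit.
X = [{0: 1, 1: 1}, {2: 1, 3: 1}]      # (v0 & v1) | (v2 & ~v3 is NOT here): (v0 & v1) | (v2 & v3)
Y = [{0: 1, 1: 1}, {2: 1, 3: 0}]      # (v0 & v1) | (v2 & ~v3)
```

The two outputs coincide exactly when the lowest-ranked element of S(x) ∪ S(y) lies in the intersection, so the agreement rate for `X` and `Y` comes out close to their resemblance of 0.4.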