Presentation Transcript
slide1
Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems

Omer Barkol, Yuval Ishai

Technion
slide2

Motivation: private database search

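[Figure: a Client holding the query q = “fermat” and (“last theorem” or “great theorem”) and a Server holding the database D. The output f(q,D) is an article on Fermat’s Last Theorem. The server's thought about q: “q? What is he working on?”; the client's thought about D: “D?”]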

  • Want:
  • Server work: O(|D|)
  • Client work: O(|q|)
  • Communication: O(|q|)

PIR [CGKS95]: f(q,D) = D_q

OT/SPIR

slide3

Current approaches

  • Send all of D to the client
    • Too much communication (|D|)
    • No server privacy
  • Use general purpose secure computation [Yao86, GMW87]
    • Communication > circuit size > |D|
  • Use PIR as a building block:
    • PIR + data-structures [CGN97, FIPR05, OS05]
      • Applies to a very limited class of problems:
        • set membership / keyword search
        • approximate nearest neighbor
    • Communication preserving protocol compiler [NN01]
      • Generally requires exponential computation

Oh no! This might take me 7 years!

Benchmark: partial match?

f( *1*0 , 0010 0110 1111 )=1

Nothing

slide4

Observation: Many database search problems can be implemented by constant-depth circuits

[Figure: a depth-2 circuit with inputs x1, x2, ..., xm and one output]

  • Gates: OR,AND,NOT and XOR
  • Unbounded fan-in and fan-out
  • Depth: length of the longest input→output path
slide5

Observation: Many database search problems can be implemented by constant-depth circuits

[Figure: query q corresponds to input x, database D to circuit C, and C(x) = f(q,D)]

example partial match

Example: partial match

Preprocess:
0 → 10
1 → 01
* → 11

[Figure: the query *1*0 is preprocessed into 1 1 0 1 1 1 1 0 and compared with the strings 1010, 0110, 0110, 1011, 1110]

slide7

Observation: Many database search problems can be implemented by constant-depth circuits

[Figure: query q corresponds to input x, database D to circuit C, and C(x) = f(q,D)]

  • “Computing on encrypted data” – longstanding question
  • Case of 2-DNF recently solved [BGN05]

slide8

Relaxation: multiple servers

[Figure: a client with input x and multiple servers, each holding C; the output is C(x). Labels: “t servers”, “x?”]

  • Used in information theoretic PIR
  • Replicated databases are common
    • p2p networks
    • Web content delivery (e.g., Akamai)
  • t-privacy
    • Client can choose servers he trusts
slide9

Main results

t-secure protocol with:

  • Servers: t·(log|C|)^(depth-1)
  • Communication: Õ(|x|)
  • Client computation: Õ(|x|)
  • Server computation: Õ(|C|)
  • Rounds: 1

Communication and work are optimal up to polylog factors

Yeh!


slide10

Main results: DNF/CNF/partial match

  • n-term DNF / database with n entries
  • Security threshold 1
  • Secure protocol with:
    • Servers: ½ log n
    • Communication: Õ(|x|)
    • Client computation: Õ(|x|)
    • Server computation: Õ(n)

D has 2^30 entries

We need ~15 servers

second model multiparty computation
Second model: multiparty computation

[Figure: parties holding inputs x1, x2, x3, x4, x5 jointly evaluate a constant-depth circuit C on x = x1 ∘ x2 ∘ ... ∘ xk and obtain C(x)]

  • General purpose secure computation [GMW87, BGW88, CCD88]
    • Communication > circuit size
  • Communication efficient multiparty computation [BFKR90]
    • Computation exponential in |x|
    • Number of servers
slide12

Results: multiparty setting

t-secure multiparty protocol with

  • Parties: t·(log|C|)^(depth-1)
  • Communication: Õ(|x|·poly(#parties))
  • Computation: Õ(|C|)
  • Rounds: O(1)
  • optimal up to polylog factors
roadmap

Roadmap

From database search to protocol

[Figure: Database D (entries 1, 2, 3, ..., n) → Circuit → Polynomials p1(x), p2(x), ..., pj(x) → Client and Servers]

roadmap1

Roadmap

From database search to circuit

[Figure: Database D (entries 1, 2, 3, ..., n) → Circuit → Polynomials p1(x), p2(x), ..., pj(x) → Client and Servers]

roadmap2

Roadmap

From circuit to polynomials

[Figure: Database D (entries 1, 2, 3, ..., n) → Circuit → Polynomials p1(x), p2(x), ..., pj(x) → Client and Servers]

from circuit to polynomials

From circuit to polynomials

Goal: ∀x: Prob_r[p_r(x) ≠ C(x)] ≤ 2^-σ

Step A:

  • Represent a circuit by a low-degree randomized multivariate polynomial
  • Field = GF(2)
  • Rely on technique of [Raz87, Smo87]

[Figure: an XOR gate on inputs x1, x2, x4 is represented by the polynomial x1+x2+x4: deg 1, no error]

from circuit to polynomials1

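From circuit to polynomials

Goal: ∀x: Prob_r[p_r(x) ≠ C(x)] ≤ 2^-σ

[Figure: a gate on inputs x1, x2, ..., xt. Exact representation: deg t, no error. One random linear combination with coefficients r1, r2, ..., rt: deg 1, err ½. γ random linear combinations with coefficients r11, ..., r1t through rγ1, ..., rγt: deg γ, err 2^-γ; set γ = σ. The randomness r comes from an ε-biased PRG.]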

slide18

From circuit to polynomials

Goal: ∀x: Prob_r[p_r(x) ≠ C(x)] ≤ 2^-σ

n-term DNF

[Figure: a depth-2 circuit on inputs x1, ..., x6; each gate is replaced by a polynomial with deg γ, err 2^-γ]

Prob[p_r(x) ≠ C(x)] ≤ (n+1)·2^-γ

For error 2^-σ set γ = σ + log(n+1)

Total degree γ^2 = (σ + log(n+1))^2
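An added example, not code from the presentation: the partial-match preprocessing from the earlier slide is turned into an n-term DNF, and every gate is then replaced by a degree-γ random GF(2) polynomial in the style of [Raz87, Smo87]. The circuit construction (entry bit d at position i reads x[2i+d]) and all function names are assumptions, and plain random bits stand in for the ε-biased PRG.

```python
import random

ENC = {"0": "10", "1": "01", "*": "11"}   # preprocessing from the slide

def encode(query):
    """Encode a query over {0,1,*} as a bit list x of twice the length."""
    return [int(b) for sym in query for b in ENC[sym]]

def dnf_terms(db):
    """One AND term per entry (assumed construction): bit d at position i reads x[2i+d]."""
    return [[2 * i + int(d) for i, d in enumerate(entry)] for entry in db]

def exact_match(x, terms):
    """Depth-2 circuit C(x): OR over entries of AND over positions."""
    return int(any(all(x[v] for v in term) for term in terms))

def approx_or(bits, gamma, rng):
    """Degree-gamma GF(2) polynomial 1 + prod_j (1 + <r_j, bits>).
    Exact on all-zero input; otherwise wrong with probability 2^-gamma."""
    prod = 1
    for _ in range(gamma):
        lin = 0
        for b in bits:
            lin ^= b & rng.getrandbits(1)   # random linear form over GF(2)
        prod &= 1 ^ lin
    return 1 ^ prod

def approx_and(bits, gamma, rng):
    """AND via De Morgan: AND(y) = 1 + OR(1 + y)."""
    return 1 ^ approx_or([1 ^ b for b in bits], gamma, rng)

def approx_match(x, terms, gamma, rng):
    """p_r(x): every gate approximated, total degree gamma^2,
    error at most (n+1) * 2^-gamma by a union bound over the n+1 gates."""
    ands = [approx_and([x[v] for v in term], gamma, rng) for term in terms]
    return approx_or(ands, gamma, rng)

def error_rate(query, db, gamma, trials, seed=0):
    """Fraction of trials in which p_r(x) differs from C(x)."""
    rng, x, terms = random.Random(seed), encode(query), dnf_terms(db)
    truth = exact_match(x, terms)
    return sum(approx_match(x, terms, gamma, rng) != truth
               for _ in range(trials)) / trials

DB = ["0010", "0110", "1111"]             # database from the benchmark slide
if __name__ == "__main__":
    print(exact_match(encode("*1*0"), dnf_terms(DB)))
    print(error_rate("*1*0", DB, gamma=1, trials=2000))
    print(error_rate("*1*0", DB, gamma=8, trials=2000))
```

With γ = 1 the polynomial is wrong about half the time on a matching query; raising γ drives the error down at the cost of degree, which is what determines the number of servers later in the talk.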

slide19

From circuit to polynomials

Step B: Optimizations – example for n-term DNF

Goal: Vector p_r(x) s.t. ∀x: Prob_r[R(p_r(x)) ≠ C(x)] ≤ 2^-σ

[Figure: a depth-2 circuit on inputs x1, ..., x6 computing p_r1(x); one gate is replaced by a polynomial with deg 3, err ⅛ and the other gates by polynomials with deg γ, err 2^-γ]

Prob[p_r(x) ≠ C(x)] ≤ n·2^-γ + ⅛ ≤ ¼

For error ¼ set γ = log n + 3

Total degree 3γ = 3(log n + 3)

slide20

From circuit to polynomials

Step B: Optimizations – example for n-term DNF

[Figure: O(σ) polynomials p_r1(x), p_r2(x), p_r3(x), ..., p_rO(σ)(x), each evaluated on x with its own randomness r1, r2, r3, ..., rO(σ); each has deg 3 log n, err ¼]

Recover C(x) using Majority

More careful analysis:

degree log n + 2

C(x)=0: Prob[p(x)=1] ≤ ⅛

C(x)=1: Prob[p(x)=1] ≥ ⅜

Recover C(x) using Threshold ¼

slide21

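From circuit to polynomials

Step B: Optimizations – example for n-term DNF

O(σ) polynomials of degree log n + 2: p_r1(x), p_r2(x), ..., p_rO(σ)(x)

Prob[th_¼(p_r(x)) ≠ C(x)] ≤ 2^-σ

[Figure: a scale starting at 0 with the threshold ¼ separating C(x)=0 from C(x)=1; the Server (database of size n) says: “I have no privacy!”]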

slide22

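From circuit to polynomials

Step C: Server Privacy

Randomizing polynomials for threshold [IK00]

th_¼: {0,1}^O(σ) → {0,1}

[Figure: at the Server (database of size n), the O(σ) polynomials p_r1(x), p_r2(x), ..., p_rO(σ)(x) are replaced by σ^O(1) polynomials p_r1(x,ρ), p_r2(x,ρ), ..., p_rσ^O(1)(x,ρ), where ρ is private randomness]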

roadmap3

Roadmap

From polynomials to protocol

[Figure: Database D (entries 1, 2, 3, ..., n) → Circuit → Polynomials p1(x), p2(x), ..., pj(x) → Client and Servers]

client servers protocols from polynomials

Client-Servers protocols from polynomials
  • Goal: evaluate multivariate polynomials held by the servers on a point held by the client.
  • Standard techniques for secure computation [BGW88, CCD88, BF90]
  • Number of servers proportional to the degree
  • Communication proportional to # of polynomials (and client’s input)
  • Enhancements:
    • Protecting server privacy [GIKM98]
    • Reducing number of servers [WY05]

[Figure: the client holds x and each server holds p. Message flow: Shamir-shares of x; public randomness r; evaluate p_r on shares; recover p_r(x) by interpolation]
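The share, evaluate, interpolate flow on this slide, as an added Python example that is not code from the presentation. Assumptions: GF(2^8) is used as the extension field of GF(2), the servers sit at points 1..d·t+1 (the basic degree-proportional count, not the reduced count of [WY05]), and the sample polynomial is the exact one for a constructed two-entry database {01, 10} with the public randomness already fixed.

```python
import secrets
from functools import reduce

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a & 0x100:
            a ^= 0x11B
    return r

def gf_inv(a):
    """Inverse of nonzero a, computed as a^254."""
    return reduce(gf_mul, [a] * 254)

def share(x, points, t):
    """Client: degree-t Shamir sharing of every bit; one share vector per server."""
    coeffs = [[bit] + [secrets.randbelow(256) for _ in range(t)] for bit in x]
    horner = lambda c, z: reduce(lambda acc, ck: gf_mul(acc, z) ^ ck, reversed(c), 0)
    return [[horner(c, z) for c in coeffs] for z in points]

def evaluate(poly, xs):
    """Server: evaluate a GF(2) polynomial, given as a list of monomials."""
    total = 0
    for mono in poly:
        total ^= reduce(gf_mul, (xs[v] for v in mono), 1)
    return total

def interpolate_at_zero(points, values):
    """Client: Lagrange interpolation at 0; in characteristic 2, minus is XOR."""
    out = 0
    for j, zj in enumerate(points):
        w = 1
        for zm in points[:j] + points[j + 1:]:
            w = gf_mul(w, gf_mul(zm, gf_inv(zm ^ zj)))
        out ^= gf_mul(values[j], w)
    return out

def run_protocol(poly, x, t=1):
    """One round: shares out, one field element back from each server."""
    points = list(range(1, max(map(len, poly)) * t + 2))   # degree*t + 1 servers
    answers = [evaluate(poly, s) for s in share(x, points, t)]
    return interpolate_at_zero(points, answers)

# Constructed sample: x is the encoded query (0 -> 10, 1 -> 01, * -> 11);
# T1 = x0*x3 matches entry 01, T2 = x1*x2 matches entry 10, OR = T1 + T2 + T1*T2.
POLY = [(0, 3), (1, 2), (0, 1, 2, 3)]

if __name__ == "__main__":
    print(run_protocol(POLY, [1, 0, 0, 1]))   # query "01" against {01, 10}
```

Any t servers see only uniformly random field elements, but the client receives d·t+1 evaluations of a polynomial that carries more than p(x), which is the gap the server-privacy enhancement [GIKM98] listed on the slide closes.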

multiparty protocols from polynomials
Multiparty protocols from polynomials
  • Goal: evaluate multivariate polynomials known to all on distributed input and randomness.
  • Standard techniques for secure computation [BGW88, CCD88, GRR98]
  • Number of parties proportional to the degree
  • Communication proportional to # of polynomials (and input length)
  • Randomness:
    • Public randomness (r) independent of the inputs
    • Private randomness (ρ) should remain a secret
roadmap4

Roadmap

Secure computation of constant-depth circuits with applications to database search problems

[Figure: Database D (entries 1, 2, 3, ..., n) → Circuit → Polynomials p_r1(x,ρ), p_r2(x,ρ), ..., p_rj(x,ρ) → Client and Servers]

conclusions
Conclusions
  • Practically feasible solutions to large scale database search problems, e.g., partial match
    • Nearly optimal communication and computation
    • Reasonable number of servers (½ log n for partial match)
    • No expensive crypto (e.g., public key operations)
  • Challenge: obtain similar protocols in 2-party setting
    • Extend [BGN05] from degree 2 to degree log n?
  • Multiparty setting:
    • Nearly optimal communication and computation for a useful class of functions (AC0)
    • Communication almost does not grow with circuit size
  • Challenge: Higher complexity classes, e.g., NC1
slide28


Questions?