How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T.
Download
Report
Transcript How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T.
How Should We Solve Search
Problems Privately?
Kobbi Nissim – BGU
A. Beimel, T. Malkin, and E. Weinreb
Secure Function Evaluation
[Yao,GMW,BGW,…]
n players with private inputs x1,…,xn
Can compute any function f() over their
private inputs
No information beyond f() is leaked
SFE tells
HOW to compute f()
But not
What f() to compute
A Client-Server Setting
SFE reduces many of the general cases to
the client-server setting
Server
Client
G
WHAT should we compute?
Server must/is willing to reveal a function
f() of the data
Secure function evaluation: Reveal f(), but
no other information
???
Server should preserve individual privacy
Private data analysis: (rand) functions f()
satisfying differential privacy
In Between (1)
Server must/is willing to reveal a function f() of
the data
But… Computing f() is inefficient or intractable
And, an efficient approx f*() exists
Idea: Use SFE to compute an approx f*() to f()
What Can Go Wrong? [FIMNSW01]
Server holds a graph G
Client asks for size of min VC fvc(G)
Approx: fvc*(G) = 2MaxMatch(G)
Hmmm...
fVC
2MaxMatch
2
2
2
4
G
Private Approximations [FIMNSW01]
Require: f*(G) simulatable given f(G)
Hence approximation does not leak more
information than exact computation
Implied: f(G) = f(G’) f*(G) ≈ f*(G’)
Sometimes feasible:
Hamming distance [FIMNSW01, IW06]
Permanent [FIMNSW01]
Sometimes not feasible:
fVC not privately approx within ratio n1-ε [HKKN01]
Approx feasible with a small leakage
In Between (2)
Server must/is willing to solve a search
problem over the data
Idea: Use SFE to compute a solution?
Or an approximate solution
What Can Go Wrong? [BCNW06]
Server holds a graph G
Client asks for VC(G)
Approx: A*VC(G) = MaxMatch(G)
4
4
5
2
3
VC
A*VC
Hmmm...
1
5
2
1
3
{2}
{2}
{2,3}
{2,1}
G
Private Algorithms [BCNW06]
R – Equivalence Relation over {0,1}*
E.g. G1 ≈ G2 if VC(G1) = VC(G2)
Algorithm A is private with respect to R if:
A( )
x
y
≈ A( )
Is Private Search Good?
Too strong:
VC does not admit private search approx algs
Even with a significant relaxation
[BCNW06,BHN07]
If NP not in P/poly, there is a search problem in P
that has no polynomial time private algorithm
[BCNW06]
Too weak:
A private search algorithm may reveal all the
solutions
Does not rule out simple ways of plausible leakage
Some Possible Weaknesses
Randomized Algorithms:
More solutions learned by repeated
querying
Fuzziness
Deterministic Algorithms:
Repeated querying ineffective
Definite information learned
Can we get the best of both worlds?
Framework: Seeded Algorithms
A – randomized algorithm
Server fixes a seed s for all queries
Allows selecting random solutions
Prevents abuse of repeated queries
G1
G2
A(G1,s)
A
A(G2,s)
s
Rest of the Talk
Propose two new definitions
Equivalence protecting
Resemblance preserving
Show basic implementation methodologies
Summary/discuss
First Definition: Equivalence
Protecting
Consistent oracle :
(x)S(x)
(x)=(y) for all x ≈P y
A seeded algorithm A is equivalence protecting:
Random
consistent
oracle
A(· , s )
A( x2 , s)A( x1, s)
≡c
x1 x2
(x1)(x2)
x1 x2
Distinguisher
Equivalence Protecting: Shortest
Path
Def: An edge is relevant in G if it appears in
some shortest path from s to t
1
s
2
t
3
Fact I: Relevance depends only on S(G)
Fact II: There exists an algorithm Arand(G,r )
that outputs a random shortest path in G
Equivalence Protecting: Shortest
Path
Input:
A graph G
A seed s for a family {fs} of pseudorandom
functions
Output: A path in S(G)
The algorithm:
H = relevant edges of G
2. Compute r=fs(H)
3. Output: p= Arand(H,r )
1.
Other Equivalence Preserving
Algorithms
Perfect matching in bipartite graphs
Solution of a linear system of
equations
Shortest path: weighted directed
graphs
Second Definition: Resemblance
Preserving
Motivation: protect inputs with similar
solution sets
Resemblance between instances x,y:
r(x,y) =
|S(x)S(y)|
|S(x)S(y)|
Fact: 0 ≤ r(x,y) ≤ 1
A seeded algorithm A is resemblance
preserving if for all instances x,y:
Pr[A(x,s)=A(y,s)] ≥ r(x,y)
Tool: Min-wise Independent Permutations
[BroderCharikarFriezeMitzenmacher98]
A family { s }sS of permutations s : U U is
min-wise independent if for every set A U
and aA:
1
Pr[min( s ( A)) s (a)]
| A|
Observation:
Pr[min( s (S ( x))) min( s (S ( y))] r ( x, y).
A Generic Resemblance Preserving
Algorithm
Input:
An input x
A seed s for a family { s }sS of min-wise
independent permutations
Output: A solution in S(x)
Algorithm:
Output sol S(x) such that
s (sol) min( s (S ( x))).
Algorithmic challenge: Find sol efficiently.
Other Resemblance Preserving
Algorithms
(non-) Roots of polynomials
Solution of a linear system of
equations
Satisfying assignment of a DNF
formula
Summary
Presented two intuitive variants of private search
Equivalence protecting
Resemblance preserving
Constructed algorithms satisfying definitions
Privacy implications of search problems are not well
understood
Even (seemingly minimal) requirements of privacy are
hard to attain
Different privacy requirements for different setups
Is there an order in the mess?
A methodology for comparing/justifying definitions
BSF-DIMACS Privacy Workshop
@DIMACS/Rutgers University
Interdisciplinary
February 4-7
Organizers: B. Pinkas, K.N., and R. Wright
(some) Funding available
To be added to mailing list:
[email protected]
A (Seemingly) Minimal Requirement
Private search algorithm
[BCNW06]:
VC(G) = VC(G’) A*VC(G) ≈ A*VC(G’)
A*VC should not distinguish graphs that have
the same set of solutions
A generalization of private approximation [FIMNSW01]