Approximate Privacy: Foundations and Quantification Michael Schapira (Yale and UC Berkeley) Joint work with Joan Feigenbaum (Yale) and Aaron D. Jaggard.

Approximate Privacy: Foundations and Quantification Michael Schapira (Yale and UC Berkeley) Joint work with Joan Feigenbaum (Yale) and Aaron D. Jaggard (DIMACS)

Starting Point: Agents’ Privacy in MD
– Traditional goal of mechanism design: Incent agents to reveal private information that is needed to compute “good” outcomes.
– Complementary, newly important goal: Enable agents not to reveal private information that is not needed to compute “good” outcomes.
– Example (Naor-Pinkas-Sumner, EC ’99): It’s undesirable for the auctioneer to learn the winning bid in a 2nd-price Vickrey auction.

Privacy is Important!
Sensitive Information: Information that can harm data subjects, data owners, or data users, if it is mishandled
There’s a lot more of it than there used to be!
– Increased use of computers and networks
– Increased processing power and algorithmic knowledge
– Decreased storage costs
“Mishandling” can be very harmful.
– ID theft
– Loss of employment or insurance
– “You already have zero privacy. Get over it.” (Scott McNealy, 1999)

Private, Multiparty Function Evaluation
[Diagram: parties holding inputs $x_1, x_2, x_3, \ldots, x_{n-1}, x_n$ jointly compute $y = f(x_1, \ldots, x_n)$]
– Each i learns y.
– No i can learn anything about $x_j$ (except what he can infer from $x_i$ and y).
– Very general positive results.

Drawbacks of PMFE Protocols
Information-theoretically private MFE: Requires that a substantial fraction of the agents be obedient rather than strategic.
Cryptographically private MFE: Requires (plausible but) currently unprovable complexity-theoretic assumptions and (usually) heavy communication overhead.
– Not used in many real-life environments
Brandt and Sandholm (TISSEC ’08): Which auctions of interest are unconditionally privately computable?

Minimum Knowledge Requirements for 2nd-Price Auction
[Figure: matrix of bids with bidder 1 and bidder 2 as the axes; each region is labeled with its (winner, price) pair, and one region is annotated “≈ input (2,0)”]
Perfect Privacy: Auctioneer learns only which region corresponds to the bids.

Ascending-Price English Auction
Same execution for the inputs (1,1), (2,1), and (3,1)
[Figure: matrix of bids with bidder 1 and bidder 2 as the axes]

Perfect Privacy for 2nd-Price Auction [Brandt and Sandholm (TISSEC ’08)]
– The ascending-price, English-auction protocol is perfectly private.
– It is essentially the only perfectly private protocol for 2nd-price auctions.
Note the exponential communication cost of perfect privacy!

Worse Yet… (The Millionaires’ Problem)
Millionaire 1 holds $x_1$; millionaire 2 holds $x_2$.
$f(x_1, x_2) = 1$ if $x_1 \ge x_2$; else $f(x_1, x_2) = 2$
The Millionaires’ Problem is not perfectly privately computable. [Kushilevitz (SJDM ’92)]

So, What Can We Do?
Insist on achieving perfect privacy.
– sometimes there is no reasonable alternative
– can be costly (communication, PKI, etc.)
Treat privacy as a design goal.
– alongside complexity, optimization, etc.
We need a way to quantify privacy.

Privacy Approximation Ratios (PARs)
Intuitively, captures the indistinguishability of inputs.
– natural first step
– general distributed function computation
Other possible definitions:
– Semantic (context-specific)
– Entropy-based

Outline
Background
– Two-party communication (Yao)
– “Tiling” characterization of privately computable functions (Chor + Kushilevitz)
Privacy Approximation Ratios (PARs)
Bisection auction protocol: exponential gap between worst-case and average-case PARs
Summary of Our Results
Open Problems

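Two-party Communication Model
$f: \{0,1\}^k \times \{0,1\}^k \to \{0,1\}^m$
Party 1 holds $x_1 \in \{0,1\}^k$; Party 2 holds $x_2 \in \{0,1\}^k$.
[Diagram: messages $q_1, q_2, \ldots, q_{r-1}, q_r$ exchanged between Party 1 and Party 2]
$q_j \in \{0,1\}$ is a function of $(q_1, \ldots, q_{j-1})$ and one player’s private input.
$s(x_1, x_2) \triangleq (q_1, \ldots, q_r)$
$q_r = f(x_1, x_2)$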

Example: Millionaires’ Problem
[Figure: matrix A(f) with millionaire 1 and millionaire 2 as the axes]
$f(x_1, x_2) = 1$ if $x_1 \ge x_2$; else $f(x_1, x_2) =$

Monochromatic Tilings
– A region of A(f) is any subset of entries (not necessarily a submatrix).
– A partition of A(f) is a set of disjoint regions whose union is A(f).
– A rectangle in A(f) is a submatrix.
– A tiling is a partition into rectangles.
– Monochromatic regions and partitions

Bisection Protocol
In each round, a player “bisects” an interval.
A communication protocol “zeroes in” on a monochromatic rectangle.
[Figure: A(f) with millionaire 1 and millionaire 2 as the axes. Example: f(2,3)]

A Protocol “Zeros in on” a Monochromatic Rectangle
Let $A(f) = R \times C$.
While $R \times C$ is not monochromatic:
– Party i sends bit q.
– If i = 1, q indicates whether $x_1$ is in $R_1$ or $R_2$, where $R = R_1 \sqcup R_2$. If $x_1 \in R_k$, both parties set $R \leftarrow R_k$.
– If i = 2, q indicates whether $x_2$ is in $C_1$ or $C_2$, where $C = C_1 \sqcup C_2$. If $x_2 \in C_k$, both parties set $C \leftarrow C_k$.
One party sends the value of f in $R \times C$.

Perfectly Private Protocols
Protocol P for f is perfectly private with respect to party 1 if
$f(x_1, x_2) = f(x'_1, x_2) \Rightarrow s(x_1, x_2) = s(x'_1, x_2)$
Similarly, perfectly private wrt party 2.
P achieves perfect subjective privacy if it is perfectly private wrt both parties.
P achieves perfect objective privacy if
$f(x_1, x_2) = f(x'_1, x'_2) \Rightarrow s(x_1, x_2) = s(x'_1, x'_2)$

Ideal Monochromatic Partitions
– The ideal monochromatic partition of A(f) consists of the maximal monochromatic regions.
– This partition is unique.

Characterization of Perfect Privacy
Protocol P for f is perfectly privacy-preserving iff the tiling induced by P is the ideal monochromatic partition of A(f).
[Figure: matrix of bids with bidder 1 and bidder 2 as the axes; each region is labeled with its (winner, price) pair]

Privacy and Communication Complexity [Kushilevitz (SJDM ’92)]
f is perfectly privately computable if and only if A(f) has no forbidden submatrix.
The Millionaires’ Problem is not perfectly privately computable.
Forbidden submatrix (rows $x_1, x'_1$; columns $x_2, x'_2$): $f(x_1, x_2) = f(x'_1, x_2) = f(x'_1, x'_2) = a$, but $f(x_1, x'_2) \ne a$

Objective PAR (1)
Privacy with respect to an outside observer
– e.g., auctioneer
Worst-case objective PAR of protocol P for function f:
$\max_{(x_1, x_2)} \frac{|R^I(x_1, x_2)|}{|R^P(x_1, x_2)|}$
Worst-case PAR of f is the minimum, over all P for f, of worst-case PAR of P.

Objective PAR (2)
Average-case objective PAR of P for f wrt distribution D on $\{0,1\}^k \times \{0,1\}^k$:
$E_D \left[ \frac{|R^I(x_1, x_2)|}{|R^P(x_1, x_2)|} \right]$
Average-case PAR of f is the minimum, over all P for f, of average-case PAR of P.

Bisection Auction Protocol (BAP) [Grigorieva, Herings, Muller, & Vermeulen (ORL ’06)]
– Bisection protocol on $[0, 2^k - 1]$ to find an interval [L,H] that contains lower bid but not higher bid.
– Bisection protocol on [L,H] to find lower bid p.
– Sell the item to higher bidder for price p.

Bisection Auction Protocol (BAP)
[Figure: A(f) with bidder 1 and bidder 2 as the axes. Example: f(7, 4)]

Objective PARs for BAP(k)
Theorem: Average-case objective PAR of BAP(k) with respect to the uniform distribution is $\frac{k}{2} + 1$.
Observation: Worst-case objective PAR of BAP(k) is at least $2^{k/2}$.
Conjecture: The average-case objective PAR of 2nd-Price-Auction(k) is linear in k wrt all distributions.

Proof (1)
[Figure: the monochromatic tiling induced by the Bisection Auction Protocol for k=4; the matrix has side $2^k$]
$a_k \triangleq$ number of rectangles in induced tiling for BAP(k).
$a_0 = 1$, $a_k = 2a_{k-1} + 2^k \Rightarrow a_k = (k+1)2^k$

Proof (2)
$R \triangleq \{R_1, \ldots, R_{a_k}\}$ is the set of rectangles in the BAP(k) tiling
$R^I_s \triangleq$ rectangle in the ideal partition that contains $R_s$
$j_s \triangleq 2^k - |R^I_s|$
$b_k \triangleq \sum_{R_s} j_s$

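Proof (3)
$\mathrm{PAR} = \frac{1}{2^{2k}} \sum_{(x_1, x_2)} \frac{|R^I(x_1, x_2)|}{|R^{BAP(k)}(x_1, x_2)|} \quad (+)$
$= \frac{1}{2^{2k}} \sum_{R_s} |R_s| \cdot \frac{|R^I_s|}{|R_s|} = \frac{1}{2^{2k}} \sum_{R_s} |R^I_s|$
Here $\frac{|R^I_s|}{|R_s|}$ is the contribution to (+) of one $(x_1, x_2)$ in $R_s$, and $|R_s|$ is the number of $(x_1, x_2)$’s in $R_s$.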

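Proof (4)
[Figure: the monochromatic tiling induced by the Bisection Auction Protocol for k=4; the matrix has side $2^k$]
$b_k = b_{k-1} + (b_{k-1} + a_{k-1} 2^{k-1}) + \left( \sum_{i=0}^{2^{k-1}-1} i \right) + \left( \sum_{i=1}^{2^{k-1}} i \right)$
$b_0 = 0$, $b_k = 2b_{k-1} + (k+1)2^{2(k-1)} \Rightarrow b_k = k 2^{2k-1}$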

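Proof (5)
$\frac{1}{2^{2k}} \sum_{R_s} |R^I_s| = \frac{1}{2^{2k}} \sum_{R_s} (2^k - j_s) = \frac{1}{2^{2k}} (a_k 2^k - b_k) = \frac{1}{2^{2k}} \left( (k+1)2^{2k} - k 2^{2k-1} \right) = k + 1 - \frac{k}{2} = \frac{k}{2} + 1$
QED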
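A brute-force check of the counts in Proof (1) to (5) and of the English auction's perfect privacy, added here as an example (it is not code from the talk). It assumes ties go to bidder 1 and models the two transcripts as described in the comments; `outcome`, `bap`, `english` and `objective_par` are hypothetical names.

```python
from collections import Counter
from fractions import Fraction

def outcome(x1, x2):
    # (winner, price) of the 2nd-price auction; ties go to bidder 1 (assumption)
    return (1, x2) if x1 >= x2 else (2, x1)

def bap(x1, x2, k):
    # Assumed BAP(k) encoding: both bidders reveal bits, most significant first,
    # until they differ; the lower bidder then reveals the rest of its bid.
    b1, b2 = format(x1, f"0{k}b"), format(x2, f"0{k}b")
    seen = []
    for d in range(k):
        seen.append(b1[d] + b2[d])
        if b1[d] != b2[d]:
            seen.append((b1 if b1[d] == "0" else b2)[d + 1:])
            break
    return tuple(seen), outcome(x1, x2)   # the last message announces f

def english(x1, x2, k):
    # Assumed ascending-price encoding: at price p bidder 2, then bidder 1,
    # says whether its bid exceeds p; the first "no" ends the auction.
    seen = []
    for p in range(2 ** k):
        seen.append(x2 > p)
        if x2 <= p:
            break
        seen.append(x1 > p)
        if x1 <= p:
            break
    return tuple(seen), outcome(x1, x2)

def objective_par(protocol, k):
    # Returns (average-case PAR under the uniform distribution, worst-case PAR,
    # a_k = number of induced rectangles, b_k = sum over rectangles of 2^k - |R^I|).
    n = 2 ** k
    cells = [(x1, x2) for x1 in range(n) for x2 in range(n)]
    ideal = Counter(outcome(*c) for c in cells)          # |R^I| per output
    induced = Counter(protocol(*c, k) for c in cells)    # |R^P| per transcript
    ratios = [Fraction(ideal[outcome(*c)], induced[protocol(*c, k)])
              for c in cells]
    b = sum(n - ideal[out] for (_, out) in induced)
    return sum(ratios) / len(ratios), max(ratios), len(induced), b

if __name__ == "__main__":
    for k in range(1, 6):
        avg, worst, a, b = objective_par(bap, k)
        print(k, avg, worst, a, b, objective_par(english, k)[0])
```

The enumeration touches all $2^{2k}$ bid pairs, so it is only practical for small k.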

Bounded Bisection Auction Protocol (BBAP)
BBAP(r): Do (at most) r bisection steps.
– If the winner is still unknown, run the ascending English auction protocol on the remaining interval.
Ascending auction protocol: BBAP(0)
Bisection auction protocol: BBAP(k)

Average-Case Objective PAR Theorem: For positive g(k), the average- case objective PAR of BBAP(g(k)) with respect to the uniform distribution satisfies 3g(k)+6 ≥ PAR ≥ g(k) + 1 (for g(k)=0, this PAR is exactly 1) Observation: BBAP(g(k)) has communication complexity  (k + 2 k-g(k) ). 84

Average-Case Objective PARs for 2 nd -price Auction Protocols English Auction1 Bounded Bisection Auction, r=1 7 – 1 Bounded Bisection Auction, r= k+1 Bounded Bisection Auction, r=3 47 – 7 k+1 Bounded Bisection Auction, general r’s  (1+r) Bisection Auction k Sealed-Bid Auction 2 k k (3*2 k )

Subjective PARs
– Objective privacy = privacy wrt an outside observer
– Subjective privacy = privacy wrt the other party
– In the millionaires’ problems we (mainly) care about subjective privacy.
– Similar definitions.

Subjective PARs (1)
The 1-partition of region R in matrix A(f): $\{ R_{x_1} = \{x_1\} \times \{x_2 \text{ s.t. } (x_1, x_2) \in R\} \}$ (similarly, 2-partition)
The i-induced tiling of protocol P for f is obtained by i-partitioning each rectangle in the tiling induced by P.
The i-ideal monochromatic partition of A(f) is obtained by i-partitioning each region in the ideal monochromatic partition of A(f).

Subjective PARs (1)
The 1-partition of region R in matrix A(f): $\{ R_{x_1} = \{x_1\} \times \{x_2 \text{ s.t. } (x_1, x_2) \in R\} \}$ (similarly, 2-partition)
[Figure: A(f) with millionaire 1 and millionaire 2 as the axes]
$R^I_1(0, 1) = R^I_1(0, 2) = R^I_1(0, 3)$
$R^I_1(1, 2) = R^I_1(1, 3)$
($R^P_i$ defined analogously for protocol P)

Subjective PARs (2)
Worst-case PAR of protocol P for f wrt i:
$\max_{(x_1, x_2)} \frac{|R^I_i(x_1, x_2)|}{|R^P_i(x_1, x_2)|}$
Worst-case subjective PAR of P for f: maximize over $i \in \{1, 2\}$
Worst-case subjective PAR of f: minimize over P
Average-case subjective PAR wrt distribution D: use $E_D$ instead of MAX

Average-Case PARs for the Millionaires Problem 2 +1 Obj. PARSubj. PAR Any protocol ≥ 2 k ( k+1 ) Bisection Protocol 3 * 2 k-1 - k

Other Results
More PARs for these problems.
PARs of other problems
– public-good
– truthful-public-good [Babaioff-Blumrosen-Naor-Schapira]
– set-disjointness
– set-intersection
Other notions of privacy: first steps
– Semantic definitions (What is better, {1, 8} or {4, 5}?)
– Entropy-based definitions

Open Problems
Upper bounds on non-uniform average-case PARs
– Prove/refute our conjecture!
Lower bounds on average-case PARs
PARs of other functions of interest
Extension to n-party case
Other definitions of PAR
– We take first steps in this direction.
Relationship between PARs and h-privacy [Bar-Yehuda, Chor, Kushilevitz, and Orlitsky (IEEE-IT ’93)]

Thank You