Presentation is loading. Please wait.

Presentation is loading. Please wait.

Polylogarithmic Private Approximations and Efficient Matching

Published byMiguel Williamson Modified over 11 years ago

Similar presentations

Presentation on theme: "Polylogarithmic Private Approximations and Efficient Matching"— Presentation transcript:

1 Polylogarithmic Private Approximations and Efficient Matching
David Woodruff MIT, Tsinghua Piotr Indyk MIT TCC 2006

2 Secure communication a  {0,1}n b  {0,1}n
Alice Bob a  {0,1}n b  {0,1}n Want to compute some function F(a,b) Security: protocol does not reveal anything except for the value F(a,b) Semi-honest: both parties follow protocol Malicious: parties are adversarial Efficiency: want to exchange few bits

3 Secure Function Evaluation (SFE)
[Yao, GMW]: If F computed by circuit C, then F can be computed securely with O~(|C|) bits of communication [GMW] + … + [NN]: can assume parties semi-honest Semi-honest protocol can be compiled to give security against malicious parties Problem: circuit size at least linear in n * O~() hides factors poly(k, log n)

4 Secure and Efficient Function Evaluation
Can we achieve sublinear communication? With sublinear communication, many interesting problems can be solved only approximately. What does it mean to have a private approximation? Efficiency: want SFE with communication comparable to insecure case

5 Private Approximation
[FIMNSW’01]: A protocol computing an approximation G(a,b) of F(a,b) is private, if each party can simulate its view of the protocol given the exact value F(a,b) Not sufficient to simulate non-private G(a,b) using SFE Example: Define G(a,b): bin(G(a,b))i =bin((a,b))i if i>0 bin(G(a,b))0=a0 G(a,b) is a 1 -approximation of (a,b), but not private Popular protocols for approximating (a,b), e.g., [KOR98], are not private

6 Approximating Hamming Distance
[FIMNSW01]: A private protocol with complexity O~(n1/2/ ) (a,b) small: compute (a,b) exactly in O~((a,b)) bits (a,b) high: sample O~(n/(a,b)) (a-b)i, estimate (a,b) Our main result: Complexity: O~(1/2) bits Works even for L2 norm, i.e., estimates ||a-b||2 for a,b  {1…M}n * O~() hides factors poly(k, log n, log M, log 1/)

7 Crypto Tools Efficient OT1n:
P1 has A[1] … A[n] 2 {0,1}m , P2 has i 2 [n] Goal: P2 privately learns A[i], P1 learns nothing Can be done using O~(m) communication [CMS99, NP99] Circuits with ROM [NN01] (augments [Yao86]) Standard AND/OR/NOT gates Lookup gates: In: i Out: Mgate[i] Can just focus on privacy of the output Communication at most O~(m|C|)

8 High-dimensional tools
Random projection: Take a random orthonormal nn matrix D, that is ||Dx|| = ||x|| for all x. There exists c>0 s.t. for any xRn, i=1…n Pr[ (Dx)i2 > ||Dx||2/n * k] < e-ck

9 Approximating ||a-b||
Recall: Alice has a 2 [M]d, Bob has b 2 [M]d Goal: privately estimate ||a-b||, x=a-b Suffices to estimate ||a-b||2

10 Protocol Intuition Alice and Bob agree upon a random orthonormal matrix D Efficient by exchanging a seed of a PRG Alice and Bob rotate vectors a,b, obtaining Da, Db ||Da-Db|| = ||a-b|| D “spreads the mass” of the difference vector uniformly across the n coordinates. Can now try obliviously sampling coordinates as in [FIMNSW01]

11 Protocol Intuition Con’d
Alice and Bob agree upon random orthonormal D Alice and Bob rotate a,b, obtaining Da, Db Use secure circuit with ROMs Da and Db to: Circuit obtains (Da)i and (Db)i for many random indices i Problem: Now what? Samples leak a lot of info! Fix: - Suppose you know upper bound T with T ¸ ||a-b||2 - Flip a coin z with heads probability n((Da)i – (Db)i)2/(kT) - Then E[z] = n||Da-Db||2/(nkT) = ||a-b||2/(kT) - E[z] only depends on ||a-b||, and z only depends on E[z]!

12 Protocol Intuition Con’d
Alice and Bob agree upon random orthonormal D Alice and Bob rotate a,b, obtaining Da, Db Use secure circuit with ROMs Da, Db, to: Obtain (Da)i and (Db)i for L random i Generate Bernoulli z1, … , zL with E[zi] = ||a-b||2/(kT) Output kT  zi/L Privacy: View only depends on ||a-b|| Problem: Correctness! A priori bound T=M2 n, but ||a-b||2 may be (1), so (n) samples required. Fix: Private binary search on T

13 Protocol Intuition Con’d
Use secure circuit with ROMs Da, Db to: Obtain (Da)i and (Db)i for L random i Generate Bernoulli z1, … , zL with E[zi] = ||a-b||2/(kT) Output kT  zi/L Fix: - Private binary search on T - If many zi = 0, then intuitively can replace T with T/2 - Eventually T = ~(||a-b||2) - We will show: final choice of T is simulatable!

14 One last detail Want to show final choice of T is simulatable
Estimate is kT zi/L and we stop when “many” zi = 1 Recall E[zi] = ||a-b||2/(kT) Key Observation: Since orthonormal D is uniformly random, can guarantee that if many zi = 0, then ||a-b||2 << T. Note: - Suppose didn’t use D, and a = (M, 0, …, 0), b = (0, …, 0) - Then ||a-b||2 = M2 is large, but almost always zi = 0, so you’ll choose T < ||a-b||2. - Not simulatable since T depends on the structure of a, b

15 Algorithm vs. Simulation
Repeat Generate L independent bits zi such that Pr[zi=1]= ||a-b|| 2/Tk T=T/2 Until Σi zi ≥ (L/k) Output E= Σi zi /L * 2Tk as an estimate of ||a-b||2 ALGORITHM Repeat Generate L independent bits zi such that Pr[zi=1]= ||D(a-b)|| 2/Tk T=T/2 Until Σi zi ≥ (L/k) Output E= Σi zi /L * 2Tk as an estimate of ||a-b||2 Recall:||D(a-b)||=||a-b|| Communication = O~(L) = O~(1/2)

16 Other Results Use homomorphic encryption tricks to get better upper bounds for private nearest neighbor and private all-pairs nearest neighbors. Define private approximate nearest neighbor problem: Requires a new definition of private approximations for functionalities that can return sets of values. Achieve small communication in this setting.

Download ppt "Polylogarithmic Private Approximations and Efficient Matching"

Similar presentations

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.
Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Fast Moment Estimation in Data Streams in Optimal Space Daniel Kane, Jelani Nelson, Ely Porat, David Woodruff Harvard MIT Bar-Ilan IBM.

Fast Moment Estimation in Data Streams in Optimal Space Daniel Kane, Jelani Nelson, Ely Porat, David Woodruff Harvard MIT Bar-Ilan IBM.
1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.

1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.
Tight Bounds for Distributed Functional Monitoring David Woodruff IBM Almaden Qin Zhang Aarhus University MADALGO Based on a paper in STOC, 2012.

Tight Bounds for Distributed Functional Monitoring David Woodruff IBM Almaden Qin Zhang Aarhus University MADALGO Based on a paper in STOC, 2012.
Tight Bounds for Distributed Functional Monitoring David Woodruff IBM Almaden Qin Zhang Aarhus University MADALGO.

Tight Bounds for Distributed Functional Monitoring David Woodruff IBM Almaden Qin Zhang Aarhus University MADALGO.
Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.
Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)
Numerical Linear Algebra in the Streaming Model Ken Clarkson - IBM David Woodruff - IBM.

Numerical Linear Algebra in the Streaming Model Ken Clarkson - IBM David Woodruff - IBM.
Private Inference Control

Private Inference Control
The Average Case Complexity of Counting Distinct Elements David Woodruff IBM Almaden.

The Average Case Complexity of Counting Distinct Elements David Woodruff IBM Almaden.
Optimal Bounds for Johnson- Lindenstrauss Transforms and Streaming Problems with Sub- Constant Error T.S. Jayram David Woodruff IBM Almaden.

Optimal Bounds for Johnson- Lindenstrauss Transforms and Streaming Problems with Sub- Constant Error T.S. Jayram David Woodruff IBM Almaden.
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Sublinear-time Algorithms for Machine Learning Ken Clarkson Elad Hazan David Woodruff IBM Almaden Technion IBM Almaden.

Sublinear-time Algorithms for Machine Learning Ken Clarkson Elad Hazan David Woodruff IBM Almaden Technion IBM Almaden.
Tight Lower Bounds for the Distinct Elements Problem David Woodruff MIT Joint work with Piotr Indyk.

Tight Lower Bounds for the Distinct Elements Problem David Woodruff MIT Joint work with Piotr Indyk.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,

Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
The Round Complexity of Two-Party Random Selection Saurabh Sanghvi and Salil Vadhan Harvard University.

The Round Complexity of Two-Party Random Selection Saurabh Sanghvi and Salil Vadhan Harvard University.

Similar presentations

Ads by Google