Presentation is loading. Please wait.

Presentation is loading. Please wait.

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)

Published byJuan McLean Modified over 11 years ago

Similar presentations

Presentation on theme: "Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)"— Presentation transcript:

1 Private Inference Control David Woodruff MIT dpwood@mit.edu Joint work with Jessica Staddon (PARC)

2 Contents 1.Background 1.Access Control and Inference Control 2.Our contribution: Private Inference Control (PIC) 3.Related Work 2.PIC model & definitions 3.Our Results 4.Conclusions

3 Access Control Server DB of n records User queries a database. Some info in DB sensitive. Access control prevents user from learning individual sensitive relations/attributes. Does access control prevent user from learning sensitive info? Whats Bobs salary? Sensitive: Access denied

4 Inference Control NameJobSalary Alyssa P. Hacker Software Engineer $90,000 Paul E. NomialMathematician$31,415 ……… Combining non-sensitive info may yield something sensitive Inference Channel: {(name, job), (job, salary)} Inference Control : block all inference channels Query 1How much does Alyssa make? Query 2What is Alyssas job? Query 3How much do software engineers make? Sensitive. Software Engineer $90,000

5 Inference Control Database x 2 ({0,1} m ) n DB of n records, m attributes 1, …, m per record n tending to infinity, m = O(1) Inference engine: generates collection C of subsets of [m] denoting all the inference channels We assume have an engine [QSKLG93] (exhaustive search) F 2 C means for all i, user shouldnt learn x i, j for all j 2 F Assume C is monotone. Assume C input to both user and server User learns C anyway when his queries are blocked C is data-independent, reveals info only about attributes

6 Our contribution: Private Inference Control Existing inference control schemes require server to learn user queries to check if they form an inference Our goal: user Privacy + Inference Control = PIC This talk: arbitrary malicious users U*, semi-honest S Privacy: polytime S learns nothing about honest users queries except # made so far # queries made so far enables S to do inference control Private and symmetrically-private information retrieval Not sufficient since they are stateless Users permissions change over time Generic secure function evaluation Not efficient – our communication exponentially smaller

7 Application Government analysts inspect repositories for terrorist patterns 1. Inference Control: prevent analysts from learning sensitive info about non-terrorists. 2. User Privacy: prevent server from learning what analysts are tracking – if discovered this info could go to terrorists! DB

8 Related Work Data perturbation [AS00, B80, TYW84] So much noise required data not as useful [DN03] Adaptive Oblivious Transfer [NP99] One record can be queried adaptively at most k times Priced Oblivious Transfer [AIR01] One record, supports more inference channels than threshold version considered in [NP99] We generalize [NP99] and [AIR01] Arbitrary inference channels and multiple records More efficient/private than parallelizing NP99 and AIR01 on each record

9 The Model Offline Stage: S given x, C, 1 k, and can preprocess x Online Stage: at time t, honest U generates query (i t, j t ) (i t, j t ) can depend on all prior info/transactions with S Let T denote all queries U makes, (i 1, j 1 ), …, (i |T|, j |T| ) T r.v. - depends on Us code, x, and randomness T permissable if no i s.t. (i,j) 2 T for all j 2 F for some F 2 C. We require honest U to generate permissable T. U and S interact in a multiround protocol, then U outputs out t View U consists of C, n, m, 1 k, all messages from S, randomness View S consists of C, n, m, 1 k, x, all messages from U, randomness

10 Security Definitions Correctness: For all x, C, for all honest users U, for all 2 [|T(U, x)|], out = x i, j User Privacy: For all x, C, for all honest U, for any two sequences T 1, T 2 with |T 1 | = |T 2 |, for all semi-honest servers S * and random coin tosses of S * (View S* | T(U, x) = T 1 ) (View S* | T(U, x) = T 2 ) Inference Control: Comparison with ideal model – for every U *, every x, any random coins of U *, for every C there exists a simulator U interacting with trusted party Ch for which View U* View, where U just asks Ch for tuples (i t, j t ) that are permissable

11 Efficiency Efficiency measures are per query Minimize communication & round complexity Ideally O(polylog(n)) bits and 1 round Minimize servers time-complexity Ideally O(n) without preprocessing W/preprocessing, potentially better, but O(n) optimal w.r.t. known single-server PIR schemes

12 Our Results For any PIR scheme, let C(n) W(n) denote communication and server work for DB size n PIC scheme #1 Communication: O(k log n C(n 2 )), 1-round Work: O(k log n W(n 2 )) PIC scheme #2 Communication: O(k(n + C(n))), O(1)-round Work: O(k(n + W(n))) Plugging in best PIR parameters, Scheme #1: comm. O(polylog(n)), work O(n 2 ) Scheme #2: comm. & work: O(npolylog(n))

13 A Generic Reduction A protocol is a threshold PIC (TPIC) if it satisfies the definitions of a PIC scheme assuming C = {[m]}. Theorem (roughly speaking): If there exists a TPIC with communication C(n), work W(n), and round complexity R(n), then there exists a PIC with communication O(C(n)), work O(W(n)), and round complexity O(R(n)).

14 PIC ideas: … … cnvdselvuiaapxnw User/server do SPIR on table of encryptions Idea: Encryptions of both data and keys that will help user decrypt encryptions on future queries User can only decrypt if has appropriate keys – only possible if not in danger of making an inference

15 Stateless PIC Minimizing communication is a data structures problem What type of keys require least communication for user to: 1. Update as user makes new queries? 2. Prove user not in danger of making an inference on current/future queries? Keys must prevent replay attacks: cant use old keys to pretend made less queries to records than actually have

16 PIC Scheme #1 – Stage 1 E(i 1 ) -> E(r 1 (i 1 – i 3 )) E(i 2 ) -> E(r 2 (i 2 – i 3 )) (i 3, j 3 ) E(i 3 ), E(j 3 ), ZKPOK Let E by a homomorphic semantically secure encryption scheme (e.g., Pallier) Suppose we allow accessing each record at most once PK, SK PK Recovers r 1, r 2 iff hasnt previously accessed i 3 From r 1 and r 2 user can reconstruct a secret S 3

17 PIC Scheme #1 – Stage 2 (i 3, j 3 ) E(i 3 ), E(j 3 ), ZKPOK PK, SK PK Recovers S 3 E(r 1,1 (j-j 3 ) + r 1,1 (i – i 3 ) + S 3 + x 1,1 ) E(r 1,2 (j-j 3 ) + r 1,2 (i – i 3 ) + S 3 + x 1,2 ) E(r 2,1 (j-j 3 ) + r 2,1 (i – i 3 ) + S 3 + x 2,1 ) … User does SPIR on records on table of encryptions

18 PIC Scheme #1 - Wrapup To extend to querying a record < m times, on t-th query, let r 1, …, r t-1 be (t-m+1) out of (t-1) secret sharing of S t This scheme can be proven to be a TPIC – use generic reduction to get a PIC User Privacy: semantic security of E, ZK of proof, privacy of SPIR Inference Control: user can recover at most t-m r i if already queried record m-1 times – can build a simulator using SPIR w/knowledge extractor [NP99]

19 PIC Scheme #2 - Glimpse 1243 t K v, b K u, a K w,c K x,d K y,e K z,f polylog(n)-communication PIC Balanced binary tree B Leaves are attributes Parents of leaves are records Internal node n accessed when record r queried and n on path from r to root Keys encode # times nodes in B have been accessed. a+b =t

20 Conclusions Extensions not in this talk Multiple users (pseudonyms) Collusion resistance: c-resistance => m-channel becomes collection of (m-1)/c channels. Summary New Primitive – PIC (Almost) Communication-optimal implementations

Download ppt "Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)"

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.
Asymptotically Optimal Communication for Torus- Based Cryptography David Woodruff MIT Joint work with Marten van Dijk Philips/MIT.

Asymptotically Optimal Communication for Torus- Based Cryptography David Woodruff MIT Joint work with Marten van Dijk Philips/MIT.
1 Cryptography: on the Hope for Privacy in a Digital World Omer Reingold VVeizmann and Harvard CRCS.

1 Cryptography: on the Hope for Privacy in a Digital World Omer Reingold VVeizmann and Harvard CRCS.
Private Inference Control

Private Inference Control
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Multi-Dimensional Range Query over Encrypted Data Authors: Elaine Shi, Joint work with John Bethencourt, Hubert Chan, Dawn Song, Adrian Perrig Slides originated.

Multi-Dimensional Range Query over Encrypted Data Authors: Elaine Shi, Joint work with John Bethencourt, Hubert Chan, Dawn Song, Adrian Perrig Slides originated.
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
An Ω(n 1/3 ) Lower Bound for Bilinear Group Based Private Information Retrieval Alexander Razborov Sergey Yekhanin.

An Ω(n 1/3 ) Lower Bound for Bilinear Group Based Private Information Retrieval Alexander Razborov Sergey Yekhanin.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.
Protecting Privacy in Terrorist Tracking Applications Teresa Lunt, PI Jessica Staddon, Dirk Balfanz Glenn Durfee, Tomas Uribe (SRI) Diana Smetters, Jim.

Protecting Privacy in Terrorist Tracking Applications Teresa Lunt, PI Jessica Staddon, Dirk Balfanz Glenn Durfee, Tomas Uribe (SRI) Diana Smetters, Jim.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Similar presentations

Ads by Google