Secure Computation of the k’th Ranked Element
description
Transcript of Secure Computation of the k’th Ranked Element
Secure Computation of the k’th Ranked Element
Gagan AggarwalStanford University
Joint work with Nina Mishra and Benny Pinkas, HP Labs
A story …A story …
I bet the dumbest student in Gryffindor has a higher IQ than the median IQ of all students in the school.
But you don’t even know what the median IQ is …
But, what about privacyof the students.
We can do “Securefunction evaluation” … This is all “theory”.
It can’t be efficient.
Let us compute it...
Rising Need for PrivacyRising Need for PrivacyMany opportunities of interaction between
institutions and agencies holding sensitive data.
Privacy cannot be sacrificed.I.e. different agencies might hold data
which they are not allowed to share.
A need for protocols to evaluate functions while preserving privacy of data.
Privacy-preserving Computation: Privacy-preserving Computation: the ideal casethe ideal case
x y F(x,y) and nothing else
Input:Output:
x y
F(x,y) F(x,y)
Trusted third parties are rareTrusted third parties are rarex y
F(x,y) F(x,y)
• Run a protocol to evaluate F(x,y) without a trusted party.•Two kinds of adversaries:
•Semi-honest – Follows the protocol, but is curious to learn more than F(x,y).•Malicious - Might do anything.
Definition of security:Definition of security:semi-honest modelsemi-honest model
…x y
F(x,y)
Protocol is secure if Bob can generate the sequence of messages exchanged from his own input y and the value of F(x,y).
Definition of security:Definition of security:malicious modelmalicious model
…x
Protocol is secure if adversary Bob, an input y s.t. Bob’s actions correspond to him presenting y to a trusted third party.
Secure Function EvaluationSecure Function Evaluation [Yao,GMW,BGW,CCD]
x yC(x,y) and nothing else
Input:Output:
• F(x,y) – A public function. • Represented as a Boolean circuit C(x,y).
Implementation:• O(|X|) “oblivious transfers”. • O(|C|) communication.• Pretty efficient for small circuits! e.g. Is x > y? (Millionaire’s problem)
C(x,y) and nothing else
Some useful primitivesSome useful primitives• Useful to have efficient solutions
for simple primitives.• Let X and Y be sets of elements:
–X Y (first talk)–Statistics over X Y:
•Max, Min, Average, Median, kth-ranked element.
kkthth-ranked element-ranked element• Inputs:
– Alice: SA Bob: SB – Large sets of unique items (є S).– The rank k
• Could depend on the size of input datasets. • Median: k = (|SA| + |SB|) / 2
• Output: – x SA SB s.t. x has k-1 elements
smaller than it.
ResultsResultsFinding the kth ranked item (D=|domain|)
– Two-party: reduction to log k secure comparisons of log D bit numbers.• log k rounds * O(log D)
– Multi-party: reduction to log D simple computations with log D bit numbers.• log D rounds * O(log D)
– Also, security against malicious parties.– Can hide the size of the datasets.
Related workRelated work• Lower bound: Ω(log D)
– From communication complexity.• Generic constructions
– Using circuits [Yao …]:• Overhead at least linear in k.
– Naor-Nissim:• Overhead of Ω(D).
RA
An (insecure) two-party median An (insecure) two-party median protocolprotocol
LASA
SB
mA
RBLB mB
LA lies below the median, RB lies above the median.
New median is same as original median.Recursion Need log n rounds
mA < mB
(assume each set contains n=2i items)
SecureSecure two-party median two-party median protocolprotocol
A finds its median mA .
B finds itsmedian mB .
mA < mB
A deletes elements ≤ mA.B deletes elements > mB.
A deletes elements > mA.B deletes elements ≤ mB.
YES
NO
Secure comparison(e.g. a small circuit)
An exampleAn exampleA B
mA>mB
mA<mB
mA<mB
mA>mB
mA<mB
Medianfound!!
8 9 16
1
5 1298
107 98
7 10
16 161 1
Proof of securityProof of securityA B
mA>mB
mA<mB
mA<mB
mA>mB
mA<mB
median
mA>mB
mA<mB
mA<mB
mA>mB
mA<mBMedian
Still to come…Still to come…• Security against malicious parties.• Adapt the median protocol for
arbitrary k and arbitrary input set size.
• Hide the size of the datasets.• kth element for multi-party scenario.
Security against malicious partiesSecurity against malicious parties• Comparisons secure against malicious
parties.• Verify that parties’ inputs to comparisons are
consistent. I.e., prevent– Round 1: mA = 1000. Is told to delete all x>1000.– Round 2: mA = 1100…
• Solution: Each round sends secure “state” to next round (i.e., boundaries for parties’ inputs). Implement “reactive computation” [C,CLOS].
• Can implement in a single circuit. Efficient security against malicious parties.
Security against malicious Security against malicious partiesparties
a4 < b4
a7 < b1
a2 < b6a6 < b2
a5 < b3 a3 < b5 a1 < b7
a8 < b1 a7 < b2
a6 < b3 a5 < b4
a4 < b5 a3 < b6
a2 < b7 a1 < b8
YES
YES
Y
YES
NY Y Y NNN
NO
NO
Security against malicious Security against malicious partiesparties
a4 < b4
a7 < b1
a2 < b6a6 < b2
a5 < b3 a3 < b5 a1 < b7
a8 < b1 a7 < b2
a6 < b3 a5 < b4
a4 < b5 a3 < b6
a2 < b7 a1 < b8
YES
YES
Y
YES
NY Y Y NNN
NO
NO
Security against malicious Security against malicious partiesparties
a4 < b4
a7 < b1
a2 < b6
a5 < b3 a3 < b5 a1 < b7
a8 < b1 a7 < b2
a5 < b4
a4 < b5 a3 < b6
a2 < b7 a1 < b8
YES
YES
Y
YES
NY Y Y NNN
NO
NO
a6 < b2
a6 < b3
Security against malicious Security against malicious partiesparties
• An adversary is fully defined by the input ai’s it gives for each of the nodes of this tree.
• These (consistent) ai’s form an input x which can be used with F(x,y) to generate a transcript.
+
Arbitrary input size, arbitrary kArbitrary input size, arbitrary k
SA
SB
k
Now, compute the median of two sets of size k.Size should be a power of 2.
median of new inputs = kth element of original inputs
2i
+
-
Hiding size of inputsHiding size of inputs• Can search for kth element without
revealing size of input sets.• However, k=n/2 (median) reveals input
size.• Solution: Let U=2i be a bound on input size.
|SA|U
-+
-+
|SB|
Median of new datasets is same
as median of original datasets.
The multi-party caseThe multi-party case• Input: Party Pi has set Si, i=1..n.
(all values [a,b], where a and b are known)
• Output: kth element of S1 … Sn
• Basic Idea: Binary search on [a,b].
The multi-party caseThe multi-party case• Protocol: Set m = (a+b)/2. Repeat:
– Pi inputs to a secure computation Li = # elements in Si smaller than m. Bi= # times m appears in Si.- The following is computed securely:
• If ΣLi k, • Else, if ΣLi + Bi k,• Otherwise,
Upper half
Lower halfFound median
The multi-party caseThe multi-party case• Can be made secure for malicious
case.– Using consistency checks.
• Works for two-party case.– Can be used for non-distinct elements.
SummarySummary• Efficient secure computation of the
median.– Two-party: log k rounds * O(log D)– Multi-party: log D rounds * O(log D)– Communication overhead is very close to the
communication complexity lower bound of log D bits.
• Malicious case is efficient too.– Do not use generic tools.– Instead, we implement simple consistency
checks to get security against malicious parties.
Thanks for your attention! Thanks for your attention!