how should we solve search problems privately?

26
How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb

Upload: aleron

Post on 02-Feb-2016

33 views

Category:

Documents


0 download

DESCRIPTION

How Should We Solve Search Problems Privately?. Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb. Secure Function Evaluation. [Yao,GMW,BGW,…] n players with private inputs x 1 ,…,x n Can compute any function f() over their private inputs No information beyond f() is leaked - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: How Should We Solve Search Problems Privately?

How Should We Solve Search Problems Privately?

Kobbi Nissim – BGU

A. Beimel, T. Malkin, and E. Weinreb

Page 2: How Should We Solve Search Problems Privately?

Secure Function Evaluation[Yao,GMW,BGW,…] n players with private inputs x1,…,xn

Can compute any function f() over their private inputs

No information beyond f() is leaked

SFE tells HOW to compute f()

But not What f() to compute

Page 3: How Should We Solve Search Problems Privately?

A Client-Server Setting

SFE reduces many of the general cases to the client-server setting

G

ClientServer

Page 4: How Should We Solve Search Problems Privately?

WHAT should we compute?

Server must/is willing to reveal a function f() of the data Secure function evaluation: Reveal f(), but

no other information

???

Server should preserve individual privacy Private data analysis: (rand) functions f()

satisfying differential privacy

Page 5: How Should We Solve Search Problems Privately?

In Between (1)

Server must/is willing to reveal a function f() of the data But… Computing f() is inefficient or intractable And, an efficient approx f*() exists

Idea: Use SFE to compute an approx f*() to f()

Page 6: How Should We Solve Search Problems Privately?

What Can Go Wrong? [FIMNSW01]

Server holds a graph G Client asks for size of min VC fvc(G) Approx: fvc*(G) = 2MaxMatch(G)

Hmmm...

ffVCVC 2 2

2MaxMatch2MaxMatch 2 4 G

Page 7: How Should We Solve Search Problems Privately?

Private Approximations [FIMNSW01]

Require: f*(G) simulatable given f(G) Hence approximation does not leak more information

than exact computation

Implied: f(G) = f(G’) f*(G) ≈ f*(G’)

Sometimes feasible: Hamming distance [FIMNSW01, IW06] Permanent [FIMNSW01]

Sometimes not feasible: fVC not privately approx within ratio n1-ε [HKKN01]

Approx feasible with a small leakage

Page 8: How Should We Solve Search Problems Privately?

In Between (2)

Server must/is willing to solve a search problem over the data

Idea: Use SFE to compute a solution? Or an approximate solution

Page 9: How Should We Solve Search Problems Privately?

What Can Go Wrong? [BCNW06]

Server holds a graph G Client asks for VC(G) Approx: A*VC(G) = MaxMatch(G)

Hmmm...

G

21

3

5

4

21

3

5

4

VCVC {2} {2} {2} {2}

A*A*VCVC {2,3} {2,1}{2,3} {2,1}

Page 10: How Should We Solve Search Problems Privately?
Page 11: How Should We Solve Search Problems Privately?

Private Algorithms [BCNW06]

R – Equivalence Relation over {0,1}* E.g. G1 ≈ G2 if VC(G1) = VC(G2)

Algorithm A is private with respect to R if:

x y

A( ) A( )≈

x y

Page 12: How Should We Solve Search Problems Privately?

Is Private Search Good?

Too strong: VC does not admit private search approx algs

Even with a significant relaxation [BCNW06,BHN07]

If NP not in P/poly, there is a search problem in P that has no polynomial time private algorithm [BCNW06]

Too weak: A private search algorithm may reveal all the

solutions Does not rule out simple ways of plausible

leakage

Page 13: How Should We Solve Search Problems Privately?

Some Possible Weaknesses

Randomized Algorithms: More solutions learned by repeated

querying Fuzziness

Deterministic Algorithms: Repeated querying ineffective Definite information learned

Can we get the best of both worlds?

Page 14: How Should We Solve Search Problems Privately?

Framework: Seeded Algorithms A – randomized algorithm Server fixes a seed s for all queries

Allows selecting random solutions Prevents abuse of repeated queries

G1G2

sAA(G2,s)

A(G1,s)

Page 15: How Should We Solve Search Problems Privately?

Rest of the Talk

Propose two new definitions Equivalence protecting Resemblance preserving

Show basic implementation methodologies

Summary/discuss

Page 16: How Should We Solve Search Problems Privately?

(x2)

First Definition: Equivalence Protecting Consistent oracle :

(x)S(x) (x)=(y) for all x ≈P y

A seeded algorithm A is equivalence protecting:

1( , )x sA

Distinguisher

≡c

A(· , )

x1

(x1)

x2

s

x1x2

2( , )x sA

Random consistentoracle

Page 17: How Should We Solve Search Problems Privately?

Equivalence Protecting: Shortest Path Def: An edge is relevant in G if it appears in

some shortest path from s to t

Fact I: Relevance depends only on S(G) Fact II: There exists an algorithm Arand(G,r )

that outputs a random shortest path in G

s 2 t

3

1

Page 18: How Should We Solve Search Problems Privately?

Equivalence Protecting: Shortest Path

Input: A graph G A seed s for a family {fs} of

pseudorandom functionsOutput: A path in S(G)

The algorithm:1. H = relevant edges of G2. Compute r=fs(H)

3. Output: p= Arand(H,r )

Page 19: How Should We Solve Search Problems Privately?

Other Equivalence Preserving Algorithms

Perfect matching in bipartite graphs

Solution of a linear system of equations

Shortest path: weighted directed graphs

Page 20: How Should We Solve Search Problems Privately?

Second Definition: Resemblance Preserving Motivation: protect inputs with similar

solution sets Resemblance between instances x,y:

A seeded algorithm A is resemblance preserving if for all instances x,y:

Pr[A(x,s)=A(y,s)] ≥ r(x,y)

|S(x)S(y)|

|S(x)S(y)|r(x,y) = Fact: 0 ≤ r(x,y)

≤ 1

Page 21: How Should We Solve Search Problems Privately?

Tool: Min-wise Independent Permutations [BroderCharikarFriezeMitzenmacher98]

A family of permutations is min-wise independent if for every set A U and aA:

Observation:

{ }s s S :s U U

1Pr[min( ( )) ( )]

| |s sA aA

Pr[min( ( ( ))) min( ( ( ))] ( , ).s sS x S y r x y

Page 22: How Should We Solve Search Problems Privately?

A Generic Resemblance Preserving Algorithm

Input: An input x A seed s for a family of min-wise

independent permutationsOutput: A solution in S(x)

Algorithm: Output sol S(x) such that

Algorithmic challenge: Find sol efficiently.

{ }s s S

(sol) min( ( ( ))).s s S x

Page 23: How Should We Solve Search Problems Privately?

Other Resemblance Preserving Algorithms (non-) Roots of polynomialsSolution of a linear system of

equationsSatisfying assignment of a DNF

formula

Page 24: How Should We Solve Search Problems Privately?

Summary

Presented two intuitive variants of private search Equivalence protecting Resemblance preserving

Constructed algorithms satisfying definitions Privacy implications of search problems are not well

understood Even (seemingly minimal) requirements of privacy

are hard to attain Different privacy requirements for different setups

Is there an order in the mess? A methodology for comparing/justifying definitions

Page 25: How Should We Solve Search Problems Privately?

BSF-DIMACS Privacy Workshop

@DIMACS/Rutgers University Interdisciplinary February 4-7 Organizers: B. Pinkas, K.N., and R.

Wright (some) Funding available

To be added to mailing list: [email protected]

Page 26: How Should We Solve Search Problems Privately?

A (Seemingly) Minimal Requirement

Private search algorithm [BCNW06]:

VC(G) = VC(G’) A*VC(G) ≈ A*VC(G’)

A*VC should not distinguish graphs that have the same set of solutions

A generalization of private approximation [FIMNSW01]