Download 14crypt_multiround

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
Document related concepts
no text concepts found
Transcript 
“Secure” Multiparty Computation –
Multi-round protocols
Li Xiong
CS573 Data Privacy and Security
Secure multiparty computation
 General circuit based secure multiparty computation
methods
 Specialized secure multiparty computation protocols



Decision tree mining across horizontally partitioned data
Secure sum, secure union
Association rule mining across horizontally partitioned data
 Most of them rely on cryptographic primitives and are still
expensive
 Multi-round protocols as an alternative
Multi-round protocols
 Max/min, top k
 k-th element protocol using secure
comparison (Aggarwal ‘04)
 Multi-round probabilistic protocols (Xiong ‘07)
 OR (Union)
 Commutative encryption based
 Multi-round probabilistic protocols (Bawa ’03)
Secure computation of the k-ranked element, Aggarwal, 2004
Preserving Privacy for outsourcing aggregation services, Xiong, 2007
Privacy Preserving Indexing of Documents on the Network, Bawa, 2003
K-th element (Aggarwal 04)
 Input
 Di, i = 1, 2, …, s
k
 Range of data values: [alpha, beta].
 Size of the union of database: n
 Output
 The k-th ranked elements in the union of Di
Secure computation of the k-ranked element, Aggarwal, 2004
kth element protocol
 Initialize
 Each party ranks its elements in ascending
order. Initialize current range [a,b] to [alpha,
beta], set n= sum |Di|
 Repeat until done
 Set m = (a+b)/2
 Each party computes li, number of elements
less than m, and gi, number of elements
greater than m
 If sum(li) <= k-1 and sum(gi) <= n-k, done
 If sum(li) >=k, set b = m-1, output 0
 If sum(gi) >= n-k+1, set a = m+1, output 1
Cost
 Number of rounds: logM where M is the
range size
 Each round requires two secure sums and
two secure comparisons
Multi-round protocols
 Can we get away from cryptographic primitives?
 Multi-round protocols idea
 Use randomizations (random response)
 Utilize inherent network anonymity of multiple
nodes
 Multi-round protocols
 May not be completely secure
 May not be completely accurate
Multi-round protocols
 Multi-round probabilistic protocols for
max/min and top k (Xiong ‘07)
 Multi-round OR (union) protocol (Aggarwal ’04)
Protocol Structure
 Random response
(Warner 1965)
 Multi-round
randomized
protocol


Randomized local
computation
Multi-node
anonymity
 Assumption: semi-
Social Survey
Output
Input
D1
D2
Local
Computation
Local
Private
Computation
Data
Private
Data
Input
Output
Output
Input
D3
Dn
Local
Computation
honest model
Input
Local
Computation
Private
Data
…
Preserving Privacy for outsourcing aggregation services, Xiong, 2007
Output
Private
Data
9
A Naïve Max/Min Protocol
gi-1
gi
i
vi
start
30
2
1
30
10
40
gi-1>=vi
gi gi-1
30
gi-1<vi
vi
40
20
4
3
40

Add in randomization – how, when, and how
much?
10
Max Protocol – Random response
 Random response at node i:
gi-1
i
vi
gi
gi(r)
gi-1>=vi
gi-1(r)<vi
gi-1(r)
w/ prob Pr:
random number
w/ prob 1-Pr:
vi
11
Max Protocol – multi-round random
response
 Multiple rounds
 Randomization Probability at round r :

Pr(r) = P0 * d r 1
 Local algorithm at round r and node i:
gi-1(r)>=vi gi-1(r)<vi
gi-1(r)
i
vi
gi(r)
gi(r)
gi-1(r)
w/ prob Pr:
rand [gi-1(r), vi)
w/ prob 1-Pr:
vi
12
Max Protocol - Illustration
Start
18
0
32
35
D2
D2
30
32
35
10
40
18
20
32
35
40
D4
D3
32
35
40
13
PrivateTopK Protocol
145
125
100
150
80
130
60
110
10
80
Gi-1(r)
50
40
D1
D2
Vi
Gi(r)
Dn
5/22/2017
…
Gi’(r)=topk(Gi-1(r) U Vi);
Vi’ = Gi’(r) – Gi-1’(r);
m = |Vi’|;
if m=0 then
Gi(r)= Gi-1(r);
else
with probability 1-Pr(r):
Gi(r)= Gi-1(r)
with probability Pr:
Gi(r)[1:k-m] = Gi-1(r)[1:k-m]
Gi(r)[k-m+1:k] = a sorted list of m
random values generated from
[min(Gi’(r)[k]-delta,Gi-1(r-1)[k-m+1]),
Gi’(r)[k])
end
14
Min/Max Protocol - Correctness
 Precision bound:


r ( r 1)
2
Converges with r 1   j 1 Pr( j )  1  P0 * d
Smaller p0 and d provides faster convergence
r
r
15
Min/Max Protocol - Cost
 Communication cost


single round: O(n)
Minimum # of rounds given
precision guarantee (1-e):
16
Min/Max Protocol - Security
 Probability/confidence based metric: P(C|IR,R)
Provable Exposure
Absolute Privacy
0

1
Different types of exposures based on claim



0.5
Data value: vi=a
Data ownership: Vi contains a
Loss of Privacy (LoP) = | P(C|IR,R) – P(C|R) |
 Information entropy based metric:

Loss of privacy as a measure of randomness of information:
H(D|R) - H(D|IR,R)
17
Min/Max Protocol – Security (Analysis)
 Upper bound for average expected LoP:
max r 1/2r-1 * (1-P0*dr-1)
 Larger p0 and d provides better privacy
18
Min/Max Protocol – Security
(Experiments)
 Loss of privacy decreases with increasing number of nodes
 Probabilistic protocol achieves better privacy (close to 0)
 When n is large, anonymous protocol is actually okay!
19
Union
 Commutative encryption based approach
 Number of rounds: 2 rounds
 Each round: encryption and decryption
 Multi-round random-response approach?
Vector
p
p2
pc
VG
0
1
1
0
0
1
1
1
1
b1
b2
OR
…
=
…
…
…
OR
…
OR
0
0
0
0
bL
 Each database has a boolean vector of the data
items
 Union vector is a logical OR of all vectors
Privacy Preserving Indexing of Documents on the Network, Bawa, 2003
Group Vector Protocol
1
0
1
0
1
…
…
…
…
0
0
0
v1
v2
vc
p1
p2
pc
1
0
11
01
0
0
00
vG’
vvGG’’ vG’
0
Pex=1/2r, Pin=1-Pex
for(i=1; i<L; i++)
if (Vs[i]=1 and VG’[i]=0)
Set VG’[i]=1 with prob. Pin
if (Vs[i]=0 and VG’[i]=1)
Set VG’[i]=0 with prob. Pex
11
01
…
1
…
…
1
0
…
…
0
Processing of VG’ at ps of round r
00
vvGG’’
r=1, Pex=1/2, Pin=1/2
r=2, Pex=1/4, Pin=3/4
Open issues
 Tradeoff between accuracy, efficiency, and
security
 How to quantify security
 How to design adjustable protocols
 Can we generalize the algorithms for a set of
operators based on their properties
 Operators: sum, union, max, min …
 Properties: commutative, associative,
invertible, randomizable
Enjoy the spring break!
Related documents
NP – 01 About
NP – 01 About
Document
Document
Task Force on Desensitization
Task Force on Desensitization
Distributed Model
Distributed Model
Model Referensi TCP/IP
Model Referensi TCP/IP
Chapter 22 Distributed Applications
Chapter 22 Distributed Applications
Social Data Mining
Social Data Mining
Routing protocol
Routing protocol
Network Security - IST Akprind Yogyakarta
Network Security - IST Akprind Yogyakarta
HY3414631468
HY3414631468
A multicentre randomized trial of intensive versus minimalist strategy
A multicentre randomized trial of intensive versus minimalist strategy
10-Dynamic_Routing - Elista
10-Dynamic_Routing - Elista