Download 14crypt_multiround

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts
no text concepts found
Transcript
“Secure” Multiparty Computation –
Multi-round protocols
Li Xiong
CS573 Data Privacy and Security
Secure multiparty computation
 General circuit based secure multiparty computation
methods
 Specialized secure multiparty computation protocols



Decision tree mining across horizontally partitioned data
Secure sum, secure union
Association rule mining across horizontally partitioned data
 Most of them rely on cryptographic primitives and are still
expensive
 Multi-round protocols as an alternative
Multi-round protocols
 Max/min, top k
 k-th element protocol using secure
comparison (Aggarwal ‘04)
 Multi-round probabilistic protocols (Xiong ‘07)
 OR (Union)
 Commutative encryption based
 Multi-round probabilistic protocols (Bawa ’03)
Secure computation of the k-ranked element, Aggarwal, 2004
Preserving Privacy for outsourcing aggregation services, Xiong, 2007
Privacy Preserving Indexing of Documents on the Network, Bawa, 2003
K-th element (Aggarwal 04)
 Input
 Di, i = 1, 2, …, s
k
 Range of data values: [alpha, beta].
 Size of the union of database: n
 Output
 The k-th ranked elements in the union of Di
Secure computation of the k-ranked element, Aggarwal, 2004
kth element protocol
 Initialize
 Each party ranks its elements in ascending
order. Initialize current range [a,b] to [alpha,
beta], set n= sum |Di|
 Repeat until done
 Set m = (a+b)/2
 Each party computes li, number of elements
less than m, and gi, number of elements
greater than m
 If sum(li) <= k-1 and sum(gi) <= n-k, done
 If sum(li) >=k, set b = m-1, output 0
 If sum(gi) >= n-k+1, set a = m+1, output 1
Cost
 Number of rounds: logM where M is the
range size
 Each round requires two secure sums and
two secure comparisons
Multi-round protocols
 Can we get away from cryptographic primitives?
 Multi-round protocols idea
 Use randomizations (random response)
 Utilize inherent network anonymity of multiple
nodes
 Multi-round protocols
 May not be completely secure
 May not be completely accurate
Multi-round protocols
 Multi-round probabilistic protocols for
max/min and top k (Xiong ‘07)
 Multi-round OR (union) protocol (Aggarwal ’04)
Protocol Structure
 Random response
(Warner 1965)
 Multi-round
randomized
protocol


Randomized local
computation
Multi-node
anonymity
 Assumption: semi-
Social Survey
Output
Input
D1
D2
Local
Computation
Local
Private
Computation
Data
Private
Data
Input
Output
Output
Input
D3
Dn
Local
Computation
honest model
Input
Local
Computation
Private
Data
…
Preserving Privacy for outsourcing aggregation services, Xiong, 2007
Output
Private
Data
9
A Naïve Max/Min Protocol
gi-1
gi
i
vi
start
30
2
1
30
10
40
gi-1>=vi
gi gi-1
30
gi-1<vi
vi
40
20
4
3
40

Add in randomization – how, when, and how
much?
10
Max Protocol – Random response
 Random response at node i:
gi-1
i
vi
gi
gi(r)
gi-1>=vi
gi-1(r)<vi
gi-1(r)
w/ prob Pr:
random number
w/ prob 1-Pr:
vi
11
Max Protocol – multi-round random
response
 Multiple rounds
 Randomization Probability at round r :

Pr(r) = P0 * d r 1
 Local algorithm at round r and node i:
gi-1(r)>=vi gi-1(r)<vi
gi-1(r)
i
vi
gi(r)
gi(r)
gi-1(r)
w/ prob Pr:
rand [gi-1(r), vi)
w/ prob 1-Pr:
vi
12
Max Protocol - Illustration
Start
18
0
32
35
D2
D2
30
32
35
10
40
18
20
32
35
40
D4
D3
32
35
40
13
PrivateTopK Protocol
145
125
100
150
80
130
60
110
10
80
Gi-1(r)
50
40
D1
D2
Vi
Gi(r)
Dn
5/22/2017
…
Gi’(r)=topk(Gi-1(r) U Vi);
Vi’ = Gi’(r) – Gi-1’(r);
m = |Vi’|;
if m=0 then
Gi(r)= Gi-1(r);
else
with probability 1-Pr(r):
Gi(r)= Gi-1(r)
with probability Pr:
Gi(r)[1:k-m] = Gi-1(r)[1:k-m]
Gi(r)[k-m+1:k] = a sorted list of m
random values generated from
[min(Gi’(r)[k]-delta,Gi-1(r-1)[k-m+1]),
Gi’(r)[k])
end
14
Min/Max Protocol - Correctness
 Precision bound:


r ( r 1)
2
Converges with r 1   j 1 Pr( j )  1  P0 * d
Smaller p0 and d provides faster convergence
r
r
15
Min/Max Protocol - Cost
 Communication cost


single round: O(n)
Minimum # of rounds given
precision guarantee (1-e):
16
Min/Max Protocol - Security
 Probability/confidence based metric: P(C|IR,R)
Provable Exposure
Absolute Privacy
0

1
Different types of exposures based on claim



0.5
Data value: vi=a
Data ownership: Vi contains a
Loss of Privacy (LoP) = | P(C|IR,R) – P(C|R) |
 Information entropy based metric:

Loss of privacy as a measure of randomness of information:
H(D|R) - H(D|IR,R)
17
Min/Max Protocol – Security (Analysis)
 Upper bound for average expected LoP:
max r 1/2r-1 * (1-P0*dr-1)
 Larger p0 and d provides better privacy
18
Min/Max Protocol – Security
(Experiments)
 Loss of privacy decreases with increasing number of nodes
 Probabilistic protocol achieves better privacy (close to 0)
 When n is large, anonymous protocol is actually okay!
19
Union
 Commutative encryption based approach
 Number of rounds: 2 rounds
 Each round: encryption and decryption
 Multi-round random-response approach?
Vector
p
p2
pc
VG
0
1
1
0
0
1
1
1
1
b1
b2
OR
…
=
…
…
…
OR
…
OR
0
0
0
0
bL
 Each database has a boolean vector of the data
items
 Union vector is a logical OR of all vectors
Privacy Preserving Indexing of Documents on the Network, Bawa, 2003
Group Vector Protocol
1
0
1
0
1
…
…
…
…
0
0
0
v1
v2
vc
p1
p2
pc
1
0
11
01
0
0
00
vG’
vvGG’’ vG’
0
Pex=1/2r, Pin=1-Pex
for(i=1; i<L; i++)
if (Vs[i]=1 and VG’[i]=0)
Set VG’[i]=1 with prob. Pin
if (Vs[i]=0 and VG’[i]=1)
Set VG’[i]=0 with prob. Pex
11
01
…
1
…
…
1
0
…
…
0
Processing of VG’ at ps of round r
00
vvGG’’
r=1, Pex=1/2, Pin=1/2
r=2, Pex=1/4, Pin=3/4
Open issues
 Tradeoff between accuracy, efficiency, and
security
 How to quantify security
 How to design adjustable protocols
 Can we generalize the algorithms for a set of
operators based on their properties
 Operators: sum, union, max, min …
 Properties: commutative, associative,
invertible, randomizable
Enjoy the spring break!