Approximate Privacy: Foundations and Quantification Michael Schapira (Yale and UC Berkeley) Joint work with Joan Feigenbaum (Yale) and Aaron D. Jaggard (DIMACS)

Dec 20, 2015

Transcript
Page 1: Approximate Privacy: Foundations and Quantification Michael Schapira (Yale and UC Berkeley) Joint work with Joan Feigenbaum (Yale) and Aaron D. Jaggard.

Approximate Privacy: Foundations and Quantification

Michael Schapira (Yale and UC Berkeley)

Joint work with Joan Feigenbaum (Yale) and Aaron D. Jaggard (DIMACS)

Page 2

Starting Point: Agents’ Privacy in MD

• Traditional goal of mechanism design: Incent agents to reveal private information that is needed to compute “good” outcomes.

• Complementary, newly important goal: Enable agents not to reveal private information that is not needed to compute “good” outcomes.

• Example (Naor-Pinkas-Sumner, EC ’99): It’s undesirable for the auctioneer to learn the winning bid in a 2nd–price Vickrey auction.

Page 3

Privacy is Important!

• Sensitive Information: Information that can harm data subjects, data owners, or data users, if it is mishandled

• There’s a lot more of it than there used to be!
– Increased use of computers and networks
– Increased processing power and algorithmic knowledge
– Decreased storage costs

• “Mishandling” can be very harmful.
– ID theft
– Loss of employment or insurance
– “You already have zero privacy. Get over it.” (Scott McNealy, 1999)

Page 4

Private, Multiparty Function Evaluation

[Figure: n parties holding private inputs x1, x2, x3, …, x(n-1), xn jointly compute y = f(x1, …, xn).]

• Each i learns y.

• No i can learn anything about xj (except what he can infer from xi and y).

• Very general positive results.

Page 5

Drawbacks of PMFE Protocols

• Information-theoretically private MFE: Requires that a substantial fraction of the agents be obedient rather than strategic.

• Cryptographically private MFE: Requires (plausible but) currently unprovable complexity-theoretic assumptions and (usually) heavy communication overhead.
– Not used in many real-life environments

• Brandt and Sandholm (TISSEC ’08): Which auctions of interest are unconditionally privately computable?

Page 6

Minimum Knowledge Requirements for 2nd–Price Auction

[Figure: the 4×4 matrix of outcomes (winner, price) for bids 0–3; rows are bidder 1’s bid x1, columns are bidder 2’s bid x2. The seven monochromatic regions are labelled (1,0), (2,0), (1,1), (2,1), (1,2), (2,2), (1,3), which implies that a tie goes to bidder 1. The input (2,0) is highlighted.]

       x2=0   x2=1   x2=2   x2=3
x1=0   (1,0)  (2,0)  (2,0)  (2,0)
x1=1   (1,0)  (1,1)  (2,1)  (2,1)
x1=2   (1,0)  (1,1)  (1,2)  (2,2)
x1=3   (1,0)  (1,1)  (1,2)  (1,3)

Perfect Privacy: Auctioneer learns only which region corresponds to the bids.

Example input: (2,0)

Page 7

Ascending-Price English Auction

[Figure: the same 4×4 bid matrix (rows: bidder 1, columns: bidder 2, bids 0–3) with the path taken by the ascending-price protocol.]

Same execution for the inputs (1,1), (2,1), and (3,1)

Page 8

Perfect Privacy for 2nd–Price Auction

[Brandt and Sandholm (TISSEC ’08)]

• The ascending-price, English-auction protocol is perfectly private.

It is essentially the only perfectly private protocol for 2nd–price auctions.

• Note the exponential communication cost of perfect privacy!

Page 9

Worse Yet… (The Millionaires’ Problem)

[Figure: the 4×4 matrix of inputs; millionaire 1 holds x1 (rows), millionaire 2 holds x2 (columns), values 0–3.]

f(x1,x2) = 1 if x1 ≥ x2 ; else f(x1,x2) = 2

The Millionaires’ Problem is not perfectly privately computable. [Kushilevitz (SJDM ’92)]

Page 10

So, What Can We Do?

• Insist on achieving perfect privacy.
– sometimes there is no reasonable alternative
– can be costly (communication, PKI, etc.)

• Treat privacy as a design goal.
– alongside complexity, optimization, etc.

• We need a way to quantify privacy.

Page 11

Privacy Approximation Ratios (PARs)

• Intuitively, captures the indistinguishability of inputs.
– natural first step
– general distributed function computation

• Other possible definitions:
– Semantic (context-specific)
– Entropy-based

Page 12

Outline

• Background
– Two-party communication (Yao)
– “Tiling” characterization of privately computable functions (Chor + Kushilevitz)

• Privacy Approximation Ratios (PARs)

• Bisection auction protocol: exponential gap between worst-case and average-case PARs

• Summary of Our Results

• Open Problems

Page 13

Two-party Communication Model

f: {0,1}^k × {0,1}^k → {0,1}^m

Party 1 holds x1 ∈ {0,1}^k; Party 2 holds x2 ∈ {0,1}^k.

[Figure: the two parties exchange the bits q1, q2, …, q(r-1), qr in turn.]

Each bit qj ∈ {0,1} is a function of (q1, …, q(j-1)) and one player’s private input.

s(x1,x2) ≜ (q1, …, qr)

qr = f(x1, x2)

Page 14

Example: Millionaires’ Problem

f(x1,x2) = 1 if x1 ≥ x2 ; else f(x1,x2) = 2

A(f), with millionaire 1’s value x1 as the row and millionaire 2’s value x2 as the column (values 0–3):

       x2=0  x2=1  x2=2  x2=3
x1=0    1     2     2     2
x1=1    1     1     2     2
x1=2    1     1     1     2
x1=3    1     1     1     1

Page 15

Monochromatic Tilings

• A region of A(f) is any subset of entries (not necessarily a submatrix). A partition of A(f) is a set of disjoint regions whose union is A(f).

• A rectangle in A(f) is a submatrix. A tiling is a partition into rectangles.

• Monochromatic regions and partitions

Page 16

Bisection Protocol

[Figure: A(f) for the millionaires’ problem (rows: millionaire 1, columns: millionaire 2, values 0–3), showing the rectangles the protocol narrows down to on the input (2,3).]

In each round, a player “bisects” an interval.

Example: f(2,3)

A communication protocol “zeroes in” on a monochromatic rectangle.

Page 17

Perfectly Private Protocols

• Protocol P for f is perfectly private with respect to party 1 if

f(x1, x2) = f(x’1, x2) ⇒ s(x1, x2) = s(x’1, x2)

• Similarly, perfectly private wrt party 2

• P achieves perfect subjective privacy if it is perfectly private wrt both parties.

• P achieves perfect objective privacy if f(x1, x2) = f(x’1, x’2) ⇒ s(x1, x2) = s(x’1, x’2)

Page 18

Ideal Monochromatic Partitions

• The ideal monochromatic partition of A(f) consists of the maximal monochromatic regions.

• This partition is unique.

[Figure: A(f) for the millionaires’ problem, values 0–3; the ideal monochromatic partition has two regions, the 10 entries with f = 1 and the 6 entries with f = 2.]

       x2=0  x2=1  x2=2  x2=3
x1=0    1     2     2     2
x1=1    1     1     2     2
x1=2    1     1     1     2
x1=3    1     1     1     1

Page 19

Characterization of Perfect Privacy

• Protocol P for f is perfectly privacy-preserving iff the tiling induced by P is the ideal monochromatic partition of A(f).

[Figure: the 2nd-price auction matrix for bids 0–3 (rows: bidder 1, columns: bidder 2) with its regions labelled (winner, price): (1,0), (2,0), (1,1), (2,1), (1,2), (2,2), (1,3), as on page 6.]

Page 20

Objective PAR (1)

• Privacy with respect to an outside observer
– e.g., auctioneer

• Worst-case objective PAR of protocol P for function f:

MAX over (x1, x2) of |R^I(x1, x2)| / |R^P(x1, x2)|

(R^I(x1, x2) is the region of the ideal monochromatic partition that contains (x1, x2); R^P(x1, x2) is the rectangle of the tiling induced by P that contains (x1, x2).)

• Worst-case PAR of f is the minimum, over all P for f, of worst-case PAR of P.

Page 21

Objective PAR (2)

• Average-case objective PAR of P for f wrt distribution D on {0,1}^k × {0,1}^k:

E_D [ |R^I(x1, x2)| / |R^P(x1, x2)| ]

• Average-case PAR of f is the minimum, over all P for f, of average-case PAR of P.

Page 22

Bisection Auction Protocol (BAP)

[Grigorieva, Herings, Muller, & Vermeulen (ORL ’06)]

• Bisection protocol on [0, 2^k − 1] to find an interval [L,H] that contains the lower bid but not the higher bid.

• Bisection protocol on [L,H] to find the lower bid p.

• Sell the item to the higher bidder for price p.

Page 23

Bisection Auction Protocol (BAP)

[Figure: A(f) for k = 3, bids 0–7 (rows: bidder 1, columns: bidder 2), showing the rectangles BAP narrows down to.]

Example: f(7, 4)

Page 24

Objective PARs for BAP(k)

• Theorem: Average-case objective PAR of BAP(k) with respect to the uniform distribution is k/2 + 1.

• Observation: Worst-case objective PAR of BAP(k) is at least 2^(k/2).

• Conjecture: The average-case objective PAR of 2nd-Price-Auction(k) is linear in k wrt all distributions.

Page 25

Proof (1)

[Figure: the monochromatic tiling induced by the Bisection Auction Protocol for k=4; both axes are marked at 0 and 2^{k-1}.]

• a_k ≜ number of rectangles in the induced tiling for BAP(k).

• a_0 = 1, a_k = 2 a_{k-1} + 2^k

a_k = (k+1) 2^k

Page 26

Proof (2)

• R = {R_1, …, R_{a_k}} is the set of rectangles in the BAP(k) tiling

• R^I_s ≜ the rectangle in the ideal partition that contains R_s

• j_s ≜ 2^k − |R^I_s|

• b_k ≜ Σ over R_s ∈ R of j_s

Page 27

Proof (3)

PAR = (1/2^{2k}) Σ over (x1,x2) of |R^I(x1,x2)| / |R^{BAP(k)}(x1,x2)|

    = (1/2^{2k}) Σ over R_s of |R_s| · ( |R^I_s| / |R_s| )

      [ |R_s| = number of (x1,x2)’s in R_s; |R^I_s| / |R_s| = contribution to (+) of one (x1,x2) in R_s ]

    = (1/2^{2k}) Σ over s of |R^I_s|      (+)

Page 28

Proof (4)

[Figure: the monochromatic tiling induced by the Bisection Auction Protocol for k=4; both axes are marked at 0 and 2^{k-1}.]

• b_k = b_{k-1} + ( b_{k-1} + a_{k-1} 2^{k-1} ) + Σ_{i=0}^{2^{k-1} − 1} (i) + Σ_{i=1}^{2^{k-1}} (i)

• b_0 = 0, b_k = 2 b_{k-1} + (k+1) 2^{2(k-1)}

b_k = k 2^{2k-1}

Page 29

Proof (5)

(1/2^{2k}) Σ over s of |R^I_s| = (1/2^{2k}) Σ over s of (2^k − j_s)

    = (1/2^{2k}) ( a_k 2^k − b_k )

    = (1/2^{2k}) ( (k+1) 2^{2k} − k 2^{2k-1} )

    = k + 1 − k/2

    = k/2 + 1

QED
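The theorem, and the claim on page 8 that the English auction is perfectly private, can be checked by brute force. The Python below is added to this transcript and is not code from the slides or the paper: it runs BAP(k) and an ascending-price English auction on every bid pair, groups inputs by the transcript the auctioneer sees to recover the induced tiling, and computes objective PARs against the ideal monochromatic partition. Assumed: a tie goes to bidder 1 (as the region labels on page 6 imply), and the English auction queries bidder 2 before bidder 1 at each price.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

def second_price(x1, x2):
    """Outcome (winner, price) of the 2nd-price auction. Assumption: a tie goes
    to bidder 1, as the seven region labels on the k=2 slide imply."""
    return (1, x2) if x1 >= x2 else (2, x1)

def bap_transcript(k, x1, x2):
    """Bits the auctioneer sees when BAP(k) runs on bids (x1, x2) in [0, 2^k - 1]."""
    bits, lo, hi = [], 0, 2 ** k - 1
    while lo < hi:                       # phase 1: both bidders answer "bid >= mid?"
        mid = (lo + hi + 1) // 2
        a1, a2 = x1 >= mid, x2 >= mid
        bits += [a1, a2]
        if a1 != a2:                     # winner known; the loser's bid is in [lo, mid-1]
            hi = mid - 1
            break
        lo, hi = (mid, hi) if a1 else (lo, mid - 1)
    p = min(x1, x2)
    while lo < hi:                       # phase 2: only the loser is queried, to find p
        mid = (lo + hi + 1) // 2
        bits.append(p >= mid)
        lo, hi = (mid, hi) if p >= mid else (lo, mid - 1)
    return tuple(bits)

def english_transcript(k, x1, x2):
    """Ascending-price English auction (query order is an assumption): at each
    price ask bidder 2, then bidder 1, if they are still in; the first to drop
    out loses, and the item sells at price p - 1."""
    bits = []
    for p in range(1, 2 ** k):
        for x in (x2, x1):
            bits.append(x >= p)
            if not bits[-1]:
                return tuple(bits)
    return tuple(bits)

def objective_pars(k, f, transcript):
    """Worst-case PAR, average-case PAR (uniform distribution) and number of
    rectangles of the tiling that `transcript` induces on A(f)."""
    inputs = list(product(range(2 ** k), repeat=2))
    ideal = Counter(f(*x) for x in inputs)               # |R^I(x1, x2)|, keyed by region label
    tiles = Counter(transcript(k, *x) for x in inputs)   # |R^P(x1, x2)|, keyed by transcript
    ratios = [Fraction(ideal[f(*x)], tiles[transcript(k, *x)]) for x in inputs]
    return max(ratios), sum(ratios) / len(ratios), len(tiles)
```

For k = 1..4 the average-case PAR of BAP(k) comes out as k/2 + 1 with (k+1)2^k rectangles, while the English auction gives exactly 1 (one rectangle per ideal region) at the cost of up to 2(2^k − 1) transcript bits. The worst-case PAR of BAP(k) is 2^k, attained at the input (1,0), which sits alone in its rectangle although its ideal region is the whole set {(x1, 0)}.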

Page 30

Bounded Bisection Auction Protocol (BBAP)

BBAP(r):

• Do (at most) r bisection steps.

• If the winner is still unknown, run the ascending English auction protocol on the remaining interval.

• Ascending auction protocol: BBAP(0)
Bisection auction protocol: BBAP(k)

Page 31

Average-Case Objective PARs for 2nd-price Auction Protocols

English Auction: 1

Bounded Bisection Auction, r=1: 7/4 − 1/2^{k+1}

Bounded Bisection Auction, r=2: 19/8 − 3/2^{k+1}

Bounded Bisection Auction, r=3: 47/16 − 7/2^{k+1}

Bounded Bisection Auction, general r: (1+r) … [the rest of this entry did not survive extraction]

Bisection Auction: k/2 + 1

Sealed-Bid Auction: (2^{2k+1} + 1) / (3·2^k)

Page 32

Subjective PARs

• Objective privacy = privacy wrt an outside observer

• Subjective privacy = privacy wrt the other party

• In the millionaires’ problem we (mainly) care about subjective privacy.

• Similar definitions.

Page 33

Subjective PARs (1)

• The 1-partition of region R in matrix A(f):

{ R_{x1} = {x1} × {x2 s.t. (x1, x2) ∈ R} }

(similarly, 2-partition)

• The i-induced tiling of protocol P for f is obtained by i-partitioning each rectangle in the tiling induced by P.

• The i-ideal monochromatic partition of A(f) is obtained by i-partitioning each region in the ideal monochromatic partition of A(f).

Page 34

Subjective PARs (1)

The 1-partition of region R in matrix A(f):

{ R_{x1} = {x1} × {x2 s.t. (x1, x2) ∈ R} }

(similarly, 2-partition)

[Figure: A(f) for the millionaires’ problem (rows: millionaire 1, columns: millionaire 2, values 0–3), with the 1-ideal monochromatic partition drawn in.]

R^I_1(0, 1) = R^I_1(0, 2) = R^I_1(0, 3)

R^I_1(1, 2) = R^I_1(1, 3)

(R^P_i defined analogously for protocol P)

Page 35

Subjective PARs (2)

• Worst-case PAR of protocol P for f wrt i:

MAX over (x1, x2) of |R^I_i(x1, x2)| / |R^P_i(x1, x2)|

• Worst-case subjective PAR of P for f: maximize over i ∈ {1, 2}

• Worst-case subjective PAR of f: minimize over P

• Average-case subjective PAR wrt distribution D: use E_D instead of MAX

Page 36

Average-Case PARs for the Millionaires’ Problem

[Table: average-case objective and subjective PARs (columns Obj. PAR, Subj. PAR) for any protocol and for the Bisection Protocol; most entries were garbled in extraction. Legible fragments: Any protocol: ≥ 2^k − … + 2^−… (k+1) …; Bisection Protocol: 3·2^{k-1} − k … (the remaining terms did not survive extraction).]

Page 37

Other Results

• More PARs for these problems.

• PARs of other problems
– public-good
– truthful-public-good [Babaioff-Blumrosen-Naor-Schapira]
– set-disjointness
– set-intersection

• Other notions of privacy: first steps
– Semantic definitions (What is better, {1, 8} or {4, 5}?)
– Entropy-based definitions

Page 38

Open Problems

• Upper bounds on non-uniform average-case PARs
– Prove/refute our conjecture!

• Lower bounds on average-case PARs

• PARs of other functions of interest

• Extension to n-party case

• Other definitions of PAR
– We take first steps in this direction.

• Relationship between PARs and h-privacy [Bar-Yehuda, Chor, Kushilevitz, and Orlitsky (IEEE-IT ’93)]

Page 39

Thank You