Li Xiong CS573 Data Privacy and Security

Li Xiong

CS573 Data Privacy and Security

“Secure” Multiparty Computation – Multi-round protocols

Secure multiparty computation

General circuit based secure multiparty computation methods

Specialized secure multiparty computation protocols Decision tree mining across horizontally partitioned data Secure sum, secure union Association rule mining across horizontally partitioned data

Most of them rely on cryptographic primitives and are still expensive

Multi-round protocols as an alternative

Multi-round protocols

Max/min, top k k-th element protocol using secure

comparison (Aggarwal ‘04) Multi-round probabilistic protocols (Xiong ‘07)

OR (Union) Commutative encryption based Multi-round probabilistic protocols (Bawa ’03)

Secure computation of the k-ranked element, Aggarwal, 2004Preserving Privacy for outsourcing aggregation services, Xiong, 2007Privacy Preserving Indexing of Documents on the Network, Bawa, 2003

K-th element (Aggarwal 04)

Input Di, i = 1, 2, …, s k Range of data values: [alpha, beta]. Size of the union of database: n

Output The k-th ranked elements in the union of Di

Secure computation of the k-ranked element, Aggarwal, 2004

kth element protocol Initialize

Each party ranks its elements in ascending order. Initialize current range [a,b] to [alpha, beta], set n= sum |Di|

Repeat until done Set m = (a+b)/2 Each party computes li, number of elements less

than m, and gi, number of elements greater than m If sum(li) <= k-1 and sum(gi) <= n-k, done If sum(li) >=k, set b = m-1, output 0 If sum(gi) >= n-k+1, set a = m+1, output 1

Cost Number of rounds: logM where M is the range size Each round requires two secure sums and two secure comparisons

Multi-round protocols

Can we get away from cryptographic primitives? Multi-round protocols idea

Use randomizations (random response) Utilize inherent network anonymity of multiple

nodes Multi-round protocols

May not be completely secure May not be completely accurate

Multi-round protocols

Multi-round probabilistic protocols for max/min and top k (Xiong ‘07)

Multi-round OR (union) protocol (Aggarwal ’04)

9

Protocol Structure

Random response (Warner 1965)

Multi-round randomized protocol Randomized local

computation Multi-node

anonymity Assumption: semi-

honest model

Social Survey

Private Data

D1

Private Data

D3

Private Data

D2

Private Data

Dn

…

Output Input

OutputInput

Input

Input Output

Output

Local Computation

Local Computation

Local Computation

Local Computation

Preserving Privacy for outsourcing aggregation services, Xiong, 2007

10

A Naïve Max/Min Protocol

gi-1>=vi gi-1<vi

gi gi-1 vi

igi-1 gi

vi 1

3

2

4

30

20 40

10

30

30

40

40

start

Add in randomization – how, when, and how much?

Random response at node i:

11

Max Protocol – Random response

gi-1>=vi gi-1(r)<vi

gi(r) gi-1(r) w/ prob Pr: random numberw/ prob 1-Pr: vi

igi-1 gi

vi

Multiple rounds Randomization Probability at round r :

Pr(r) =

Local algorithm at round r and node i:

12

Max Protocol – multi-round random response

gi-1(r)>=vi gi-1(r)<vi

gi(r) gi-1(r) w/ prob Pr: rand [gi-1(r), vi)

w/ prob 1-Pr: vi

10 * rdP

igi-1(r) gi(r)

vi

13

Max Protocol - Illustration

Start 18 3532

32 4035

D2

D3

D2

D4

30

20 40

10

18 3532

32 4035

0

04/24/23 14

PrivateTopK Protocol

Gi’(r)=topk(Gi-1(r) U Vi);

Vi’ = Gi’(r) – Gi-1’(r);

m = |Vi’|;

if m=0 then Gi(r)= Gi-1(r);else with probability 1-Pr(r): Gi(r)= Gi-1(r) with probability Pr: Gi(r)[1:k-m] = Gi-1(r)[1:k-m]

Gi(r)[k-m+1:k] = a sorted list of m

random values generated from [min(Gi

’(r)[k]-delta,Gi-1(r-1)[k-m+1]),

Gi’(r)[k])end

Gi(r)

Gi-1(r)10

60

80

100

125

145

Vi

40

50

80

110

130

150

D1

…

D2

Dn

15

Min/Max Protocol - Correctness

Precision bound: Converges with r Smaller p0 and d provides faster convergence

2)1(

01*1)Pr(1

rrrr

jdPj

16

Min/Max Protocol - Cost

Communication cost single round: O(n) Minimum # of rounds given precision guarantee (1-e):

17

Min/Max Protocol - Security Probability/confidence based metric: P(C|IR,R)

Different types of exposures based on claim Data value: vi=a Data ownership: Vi contains a

Loss of Privacy (LoP) = | P(C|IR,R) – P(C|R) | Information entropy based metric:

Loss of privacy as a measure of randomness of information: H(D|R) - H(D|IR,R)

0.50 1

Absolute Privacy Provable Exposure

18

Min/Max Protocol – Security (Analysis)

Upper bound for average expected LoP: max r 1/2r-1 * (1-P0*dr-1)

Larger p0 and d provides better privacy

19

Loss of privacy decreases with increasing number of nodes Probabilistic protocol achieves better privacy (close to 0) When n is large, anonymous protocol is actually okay!

Min/Max Protocol – Security (Experiments)

Union

Commutative encryption based approach Number of rounds: 2 rounds Each round: encryption and decryption

Multi-round random-response approach?

Vector

Each database has a boolean vector of the data items

Union vector is a logical OR of all vectors

0

10b1

b2

bL

…p1

0

01

…

p2

0

10

…

pc

OR OR OR… =

0

11

VG

…

Privacy Preserving Indexing of Documents on the Network, Bawa, 2003

Group Vector Protocol

…

0

00

…

vG’

0

01

…

vG’

r=1, Pex=1/2, Pin=1/2

Pex=1/2r, Pin=1-Pexfor(i=1; i<L; i++) if (Vs[i]=1 and VG’[i]=0) Set VG’[i]=1 with prob. Pin

if (Vs[i]=0 and VG’[i]=1) Set VG’[i]=0 with prob. Pex

Processing of VG’ at ps of round r…

0

10

v1

0

01

…

v2

0

10

…

vc

r=2, Pex=1/4, Pin=3/4 0

01

…

vG’

0

11

…

vG’

0

11

…

vG’

0

01

…

vG’

0

11

…

vG’

p1 p2 pc

Open issues

Tradeoff between accuracy, efficiency, and security How to quantify security How to design adjustable protocols

Can we generalize the algorithms for a set of operators based on their properties Operators: sum, union, max, min … Properties: commutative, associative,

invertible, randomizable

Enjoy the spring break!