Li Xiong CS573 Data Privacy and Security “Secure” Multiparty Computation – Multi-round protocols
Mar 20, 2016
Li Xiong
CS573 Data Privacy and Security
“Secure” Multiparty Computation – Multi-round protocols
Secure multiparty computation
General circuit based secure multiparty computation methods
Specialized secure multiparty computation protocols Decision tree mining across horizontally partitioned data Secure sum, secure union Association rule mining across horizontally partitioned data
Most of them rely on cryptographic primitives and are still expensive
Multi-round protocols as an alternative
Multi-round protocols
Max/min, top k k-th element protocol using secure
comparison (Aggarwal ‘04) Multi-round probabilistic protocols (Xiong ‘07)
OR (Union) Commutative encryption based Multi-round probabilistic protocols (Bawa ’03)
Secure computation of the k-ranked element, Aggarwal, 2004Preserving Privacy for outsourcing aggregation services, Xiong, 2007Privacy Preserving Indexing of Documents on the Network, Bawa, 2003
K-th element (Aggarwal 04)
Input Di, i = 1, 2, …, s k Range of data values: [alpha, beta]. Size of the union of database: n
Output The k-th ranked elements in the union of Di
Secure computation of the k-ranked element, Aggarwal, 2004
kth element protocol Initialize
Each party ranks its elements in ascending order. Initialize current range [a,b] to [alpha, beta], set n= sum |Di|
Repeat until done Set m = (a+b)/2 Each party computes li, number of elements less
than m, and gi, number of elements greater than m If sum(li) <= k-1 and sum(gi) <= n-k, done If sum(li) >=k, set b = m-1, output 0 If sum(gi) >= n-k+1, set a = m+1, output 1
Cost Number of rounds: logM where M is the range size Each round requires two secure sums and two secure comparisons
Multi-round protocols
Can we get away from cryptographic primitives? Multi-round protocols idea
Use randomizations (random response) Utilize inherent network anonymity of multiple
nodes Multi-round protocols
May not be completely secure May not be completely accurate
Multi-round protocols
Multi-round probabilistic protocols for max/min and top k (Xiong ‘07)
Multi-round OR (union) protocol (Aggarwal ’04)
9
Protocol Structure
Random response (Warner 1965)
Multi-round randomized protocol Randomized local
computation Multi-node
anonymity Assumption: semi-
honest model
Social Survey
Private Data
D1
Private Data
D3
Private Data
D2
Private Data
Dn
…
Output Input
OutputInput
Input
Input Output
Output
Local Computation
Local Computation
Local Computation
Local Computation
Preserving Privacy for outsourcing aggregation services, Xiong, 2007
10
A Naïve Max/Min Protocol
gi-1>=vi gi-1<vi
gi gi-1 vi
igi-1 gi
vi 1
3
2
4
30
20 40
10
30
30
40
40
start
Add in randomization – how, when, and how much?
Random response at node i:
11
Max Protocol – Random response
gi-1>=vi gi-1(r)<vi
gi(r) gi-1(r) w/ prob Pr: random numberw/ prob 1-Pr: vi
igi-1 gi
vi
Multiple rounds Randomization Probability at round r :
Pr(r) =
Local algorithm at round r and node i:
12
Max Protocol – multi-round random response
gi-1(r)>=vi gi-1(r)<vi
gi(r) gi-1(r) w/ prob Pr: rand [gi-1(r), vi)
w/ prob 1-Pr: vi
10 * rdP
igi-1(r) gi(r)
vi
13
Max Protocol - Illustration
Start 18 3532
32 4035
D2
D3
D2
D4
30
20 40
10
18 3532
32 4035
0
04/24/23 14
PrivateTopK Protocol
Gi’(r)=topk(Gi-1(r) U Vi);
Vi’ = Gi’(r) – Gi-1’(r);
m = |Vi’|;
if m=0 then Gi(r)= Gi-1(r);else with probability 1-Pr(r): Gi(r)= Gi-1(r) with probability Pr: Gi(r)[1:k-m] = Gi-1(r)[1:k-m]
Gi(r)[k-m+1:k] = a sorted list of m
random values generated from [min(Gi
’(r)[k]-delta,Gi-1(r-1)[k-m+1]),
Gi’(r)[k])end
Gi(r)
Gi-1(r)10
60
80
100
125
145
Vi
40
50
80
110
130
150
D1
…
D2
Dn
15
Min/Max Protocol - Correctness
Precision bound: Converges with r Smaller p0 and d provides faster convergence
2)1(
01*1)Pr(1
rrrr
jdPj
16
Min/Max Protocol - Cost
Communication cost single round: O(n) Minimum # of rounds given precision guarantee (1-e):
17
Min/Max Protocol - Security Probability/confidence based metric: P(C|IR,R)
Different types of exposures based on claim Data value: vi=a Data ownership: Vi contains a
Loss of Privacy (LoP) = | P(C|IR,R) – P(C|R) | Information entropy based metric:
Loss of privacy as a measure of randomness of information: H(D|R) - H(D|IR,R)
0.50 1
Absolute Privacy Provable Exposure
18
Min/Max Protocol – Security (Analysis)
Upper bound for average expected LoP: max r 1/2r-1 * (1-P0*dr-1)
Larger p0 and d provides better privacy
19
Loss of privacy decreases with increasing number of nodes Probabilistic protocol achieves better privacy (close to 0) When n is large, anonymous protocol is actually okay!
Min/Max Protocol – Security (Experiments)
Union
Commutative encryption based approach Number of rounds: 2 rounds Each round: encryption and decryption
Multi-round random-response approach?
Vector
Each database has a boolean vector of the data items
Union vector is a logical OR of all vectors
0
10b1
b2
bL
…p1
0
01
…
p2
0
10
…
pc
OR OR OR… =
0
11
VG
…
Privacy Preserving Indexing of Documents on the Network, Bawa, 2003
Group Vector Protocol
…
0
00
…
vG’
0
01
…
vG’
r=1, Pex=1/2, Pin=1/2
Pex=1/2r, Pin=1-Pexfor(i=1; i<L; i++) if (Vs[i]=1 and VG’[i]=0) Set VG’[i]=1 with prob. Pin
if (Vs[i]=0 and VG’[i]=1) Set VG’[i]=0 with prob. Pex
Processing of VG’ at ps of round r…
0
10
v1
0
01
…
v2
0
10
…
vc
r=2, Pex=1/4, Pin=3/4 0
01
…
vG’
0
11
…
vG’
0
11
…
vG’
0
01
…
vG’
0
11
…
vG’
p1 p2 pc
Open issues
Tradeoff between accuracy, efficiency, and security How to quantify security How to design adjustable protocols
Can we generalize the algorithms for a set of operators based on their properties Operators: sum, union, max, min … Properties: commutative, associative,
invertible, randomizable
Enjoy the spring break!