Polylogarithmic Private Approximations and Efficient Matching

1
Polylogarithmic Private Approximations and
Efficient Matching
David Woodruff (MIT, Tsinghua)
Piotr Indyk (MIT)
TCC 2006
2
Secure communication
  • Alice has $a \in \{0,1\}^n$, Bob has $b \in \{0,1\}^n$
  • Want to compute some function $F(a,b)$
  • Security: protocol does not reveal anything
    except for the value $F(a,b)$
  • Semi-honest: both parties follow protocol
  • Malicious: parties are adversarial
  • Efficiency: want to exchange few bits

3
Secure Function Evaluation (SFE)
  • [Yao, GMW]: If $F$ is computed by circuit $C$, then $F$
    can be computed securely with $\tilde{O}(|C|)$ bits of
    communication
  • [GMW, NN]: can assume parties semi-honest
  • Semi-honest protocol can be compiled to give
    security against malicious parties
  • Problem: circuit size at least linear in $n$
  • $\tilde{O}()$ hides factors $\mathrm{poly}(k, \log n)$

4
Secure and Efficient Function Evaluation
  • Can we achieve sublinear communication?
  • With sublinear communication, many interesting
    problems can be solved only approximately.
  • What does it mean to have a private
    approximation?
  • Efficiency: want SFE with communication
    comparable to insecure case

5
Private Approximation
  • [FIMNSW01]: A protocol computing an
    approximation $G(a,b)$ of $F(a,b)$ is private if
    each party can simulate its view of the protocol
    given the exact value $F(a,b)$
  • Not sufficient to simulate non-private $G(a,b)$
    using SFE
  • Example:
  • Define $G(a,b)$:
  • $\mathrm{bin}(G(a,b))_i = \mathrm{bin}(\Delta(a,b))_i$ if $i > 0$
  • $\mathrm{bin}(G(a,b))_0 = a_0$
  • $G(a,b)$ is a $\pm 1$-approximation of $\Delta(a,b)$, but not
    private
  • Popular protocols for approximating $\Delta(a,b)$, e.g.,
    [KOR98], are not private

6
Approximating Hamming Distance
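  • [FIMNSW01]: A private protocol with complexity
    $\tilde{O}(n^{1/2}/\epsilon)$
  • $\Delta(a,b)$ small: compute $\Delta(a,b)$ exactly in
    $\tilde{O}(\Delta(a,b))$ bits
  • $\Delta(a,b)$ high: sample $\tilde{O}(n/\Delta(a,b))$ coordinates $(a-b)_i$,
    estimate $\Delta(a,b)$
  • Our main result:
  • Complexity $\tilde{O}(1/\epsilon^2)$ bits
  • Works even for $L_2$ norm, i.e., estimates $\|a-b\|_2$
    for $a, b \in \{1, \ldots, M\}^n$

$\tilde{O}()$ hides factors $\mathrm{poly}(k, \log n, \log M, \log 1/\epsilon)$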
7
Crypto Tools
  • Efficient $\mathrm{OT}_1^n$
  • $P_1$ has $A_1, \ldots, A_n \in \{0,1\}^m$, $P_2$ has $i \in [n]$
  • Goal: $P_2$ privately learns $A_i$, $P_1$ learns nothing
  • Can be done using $\tilde{O}(m)$ communication [CMS99,
    NP99]
  • Circuits with ROM [NN01] (augments [Yao86])
  • Standard AND/OR/NOT gates
  • Lookup gates
  • In: $i$
  • Out: $M_{\mathrm{gate}}[i]$
  • Can just focus on privacy of the output

Communication at most $\tilde{O}(m|C|)$
8
High-dimensional tools
  • Random projection
  • Take a random orthonormal $n \times n$ matrix $D$,
  • that is, $\|Dx\| = \|x\|$ for all $x$.
  • There exists $c > 0$ s.t. for any $x \in \mathbb{R}^n$, $i = 1, \ldots, n$:
  • $\Pr[(Dx)_i^2 > \|Dx\|^2/n \cdot k] < e^{-ck}$

9
Approximating a-b
  • Recall
  • Alice has $a \in [M]^d$, Bob has $b \in [M]^d$
  • Goal: privately estimate $\|a-b\|$, $x = a-b$
  • Suffices to estimate $\|a-b\|^2$

10
Protocol Intuition
  • Alice and Bob agree upon a random orthonormal
    matrix D
  • Efficient: by exchanging a seed of a PRG
  • Alice and Bob rotate vectors $a, b$, obtaining $Da$,
    $Db$
  • $\|Da - Db\| = \|a-b\|$
  • D spreads the mass of the difference vector
    uniformly across the n coordinates.
  • Can now try obliviously sampling coordinates as
    in FIMNSW01

11
Protocol Intuition Cont'd
  • Alice and Bob agree upon random orthonormal $D$
  • Alice and Bob rotate $a, b$, obtaining $Da$, $Db$
  • Use secure circuit with ROMs $Da$ and $Db$:
  • Circuit obtains $(Da)_i$ and $(Db)_i$ for many random
    indices $i$
  • Problem: Now what? Samples leak a lot of info!
  • Fix: - Suppose you know upper bound $T$ with $T \ge
    \|a-b\|^2$
  • - Flip a coin $z$ with heads probability
    $n((Da)_i - (Db)_i)^2/(kT)$
  • - Then $E[z] = n\|Da-Db\|^2/(nkT)
    = \|a-b\|^2/(kT)$
  • - $E[z]$ only depends on $\|a-b\|$, and $z$ only
    depends on $E[z]$!

12
Protocol Intuition Cont'd
  • Alice and Bob agree upon random orthonormal $D$
  • Alice and Bob rotate $a, b$, obtaining $Da$, $Db$
  • Use secure circuit with ROMs $Da$, $Db$ to:
  • Obtain $(Da)_i$ and $(Db)_i$ for $L$ random $i$
  • Generate Bernoulli $z_1, \ldots, z_L$ with $E[z_i] =
    \|a-b\|^2/(kT)$
  • Output $kT \sum_i z_i/L$
  • Privacy: View only depends on $\|a-b\|$
  • Problem: Correctness! A priori bound $T = M^2 n$, but
    $\|a-b\|^2$ may be $\Theta(1)$, so $\Omega(n)$ samples required.
  • Fix: Private binary search on $T$

13
Protocol Intuition Cont'd
  • Use secure circuit with ROMs $Da$, $Db$ to:
  • Obtain $(Da)_i$ and $(Db)_i$ for $L$ random $i$
  • Generate Bernoulli $z_1, \ldots, z_L$ with $E[z_i] =
    \|a-b\|^2/(kT)$
  • Output $kT \sum_i z_i/L$
  • Fix: - Private binary search on $T$
  • - If many $z_i = 0$, then intuitively can
    replace $T$ with $T/2$
  • - Eventually $T = \Theta(\|a-b\|^2)$
  • - We will show final choice of $T$ is
    simulatable!

14
One last detail
  • Want to show final choice of $T$ is simulatable
  • Estimate is $kT \sum_i z_i/L$ and we stop when many $z_i
    = 1$
  • Recall $E[z_i] = \|a-b\|^2/(kT)$
  • Key Observation: Since orthonormal $D$ is uniformly
    random,
  • can guarantee that if many $z_i = 0$, then
    $\|a-b\|^2 \ll T$.
  • Note: - Suppose we didn't use $D$, and $a = (M, 0, \ldots,
    0)$, $b = (0, \ldots, 0)$
  • - Then $\|a-b\|^2 = M^2$ is large, but
    almost always $z_i = 0$,
  • so you'll choose $T < \|a-b\|^2$.
  • - Not simulatable since $T$ depends on
    the structure of $a, b$

15
Algorithm vs. Simulation
  • SIMULATION
  • Repeat
  • Generate $L$ independent bits $z_i$ such that
  • $\Pr[z_i = 1] = \|a-b\|^2/(Tk)$
  • $T = T/2$
  • Until $\sum_i z_i = \Omega(L/k)$
  • Output $E = \sum_i z_i/L \cdot 2Tk$ as an estimate of
    $\|a-b\|^2$
  • ALGORITHM
  • Repeat
  • Generate $L$ independent bits $z_i$ such that
  • $\Pr[z_i = 1] = \|D(a-b)\|^2/(Tk)$
  • $T = T/2$
  • Until $\sum_i z_i = \Omega(L/k)$
  • Output $E = \sum_i z_i/L \cdot 2Tk$ as an estimate of
    $\|a-b\|^2$
  • Recall: $\|D(a-b)\| = \|a-b\|$

Communication $\tilde{O}(L) = \tilde{O}(1/\epsilon^2)$
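
An added example, not taken from the slides or the paper: the ALGORITHM loop above run in the clear in Python, with no OT or secure circuit, so it shows only the coin sampling and the halving of T, not the privacy mechanism. The stopping constant L/(4k), the clamp of the heads probability to 1, the floor T < 1 and all parameter values are assumptions; the input is the constructed case a = (M, 0, ..., 0), b = 0 from slide 14.

```python
import math
import random

def random_orthonormal(n, rng):
    """Random n x n orthonormal matrix D: Gram-Schmidt on Gaussian rows."""
    rows = []
    while len(rows) < n:
        v = [rng.gauss(0.0, 1.0) for _ in range(n)]
        for u in rows:
            dot = sum(vi * ui for vi, ui in zip(v, u))
            v = [vi - dot * ui for vi, ui in zip(v, u)]
        norm = math.sqrt(sum(vi * vi for vi in v))
        if norm > 1e-9:
            rows.append([vi / norm for vi in v])
    return rows

def estimate_sq_dist(a, b, M, k, L, rng, rotate=True):
    """Slide-15 ALGORITHM in the clear. Returns (estimate, T of last round)."""
    n = len(a)
    x = [ai - bi for ai, bi in zip(a, b)]
    if rotate:
        D = random_orthonormal(n, rng)
        y = [sum(d * xj for d, xj in zip(row, x)) for row in D]
    else:
        y = x  # no rotation: the failure case noted on slide 14
    T = float(M * M * n)  # a priori bound T = M^2 n (slide 12)
    while True:
        heads = 0
        for _ in range(L):
            yi = y[rng.randrange(n)]  # random coordinate of Da - Db
            p = min(1.0, n * yi * yi / (k * T))  # clamp to 1: assumption
            heads += rng.random() < p
        T /= 2
        est = heads / L * 2 * T * k
        # L/(4k) is an assumed constant for Omega(L/k); T < 1 is an assumed floor
        if heads >= L / (4 * k) or T < 1.0:
            return est, 2 * T

def demo(seed=1):
    """Constructed input from slide 14: a = (M, 0, ..., 0), b = 0."""
    rng = random.Random(seed)
    n, M, k, L = 64, 1000, 8, 20000
    a, b = [M] + [0] * (n - 1), [0] * n
    with_d = estimate_sq_dist(a, b, M, k, L, rng, rotate=True)
    without_d = estimate_sq_dist(a, b, M, k, L, rng, rotate=False)
    return with_d, without_d
```

With the rotation the estimate lands near M^2 and the last T stays above it; without it the coins are almost always 0 and T is halved far below M^2, the structure-dependent outcome slide 14 describes.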
16
Other Results
  • Use homomorphic encryption tricks to get better
    upper bounds for private nearest neighbor and
    private all-pairs nearest neighbors.
  • Define private approximate nearest neighbor
    problem
  • Requires a new definition of private
    approximations for functionalities that can
    return sets of values.
  • Achieve small communication in this setting.