View
226
Download
1
Embed Size (px)
Citation preview
P4P: A Practical Framework for Privacy-Preserving Distributed Computation
Yitao Duan (Advisor Prof. John Canny)http://www.cs.berkeley.edu/~duan
Berkeley Institute of DesignComputer Science Division
University of California, Berkeley11/27/2007
Research Goal To provide practical solutions with
provable privacy and adequate efficiency in a realistic adversary model at reasonably large scale
Research Goal To provide practical solutions with
provable privacy and adequate efficiency in a realistic adversary model at reasonably large scale
Model
……u1
d1
u2
d2
un-1
dn-1
un
dn
fChallenge: standard cryptographic tools not feasible at large scale
Must be obfuscated
A Practical Solution Provable privacy: Cryptography Efficiency: Minimize the number of
expensive primitives and rely on probabilistic guarantee
Realistic adversary model: Must handle malicious users who may try to bias the computation by inputting invalid data
Basic Approach
……u1
d1
u2
d2
un-1
dn-1
un
dn
Σ
gj(di
)gj(dn
)gj(d2
)gj(dn-1)
Cryptographic privacy
f =
di in D, gj: j = 1, 2, …, m
No leakage beyond final result for many algorithms
The Power of Addition A large number of popular algorithms can be
run with addition-only steps
Linear algorithms: voting and summation, nonlinear algorithm: regression, classification, SVD, PCA, k-means, ID3, EM etc
All algorithms in the statistical query model [Kearns 93]
Many other gradient-based numerical algorithms
Addition-only framework has very efficient private implementation in cryptography and admits efficient ZKPs
Peers for Privacy: The Nomenclature
Privacy is a right that one must fight for. Some agents must act on behalf of user’s privacy in the computation. We call them privacy peers
Our method aggregates across many user data. We can prove that the aggregation provides privacy: the data from the peers protects each other
Private Addition – P4P Style
The computation: secret sharing over small field
Malicious users: efficient zero-knowledge proof to bound the L2-norm of the user vector
Big Integers vs. Small Ones Most applications work with “regular-sized”
integers (e.g. 32- or 64-bit). Arithmetic operations are very fast when each operand fits into a single memory cell (~10-9 sec)
Public-key operations (e.g. used in encryption and verification) must use keys with sufficient length (e.g. 1024-bit) for security. Existing private computation solutions must work with large integers extensively (~10-3 sec)
A 6 orders of magnitude difference!
Private Arithmetic: Two Paradigms
Homomorphism: User data is encrypted with a public key cryptosystem. Arithmetic on this data mirrors arithmetic on the original data, but the server cannot decrypt partial results.
Secret-sharing: User sends shares of their data to several servers, so that no small group of servers gains any information about it.
Arithmetic: Homomorphism vs VSS
Homomorphism+ Can tolerate t < n corrupted players as far as
privacy is concerned - Use public key crypto, works with large fields
(e.g. 1024-bit), 10,000x more expensive than normal arithmetic (even for addition)
Secret sharing+ Addition is essentially free. Can use any size field - Can’t do two party multiplication - Most schemes also use public key crypto for
verification - Doesn’t fit well into existing service architecture
P4P: Peers for Privacy Some parties, called Privacy Peers, actively
participate in the computation, working for users’ privacy
Privacy peers provide privacy when they are available, but cant access data themselves
P
P
UU
U
U
U
U
S
PeerGroup
P4P The server provides data archival,
and synchronizes the protocol Server only communicates with
privacy peers occasionally (2AM)
P
P
UU
U
U
U
U
S
PeerGroup
Privacy Peers Roles of privacy peers
Anonymizing communication Sharing information Participating in computation Others infrastructure support
They work on behalf of users privacy
But we need a higher level of trust on privacy peers
Candidates for Privacy Peers
Some players are more trustworthy than others
In workspace, a union representative In a community, a few members with good
reputation Or a third party commercial provider A very important source of security and
efficiency The key is that privacy peers should
have different incentives from the server, a mutual distrust between them
Security from Heterogeneity Server is secure against outside attacks and won’t
actively cheat Companies spend $$$ to protect their servers The server often holds much more valuable info
than what the protocol reveals Server benefits from accurate computation
Privacy peers won’t collude with the server Interests conflicts, mutual distrust, laws Server can’t trust clients can keep conspiracy secret
Users can actively cheat Rely on server for protection against outside
attacks, privacy peers for defending against a curious server
viui
ui + vi = di
Private Addition
di: user i’s private vector. ui,,vi and di are all in a small integer field
μ = Σui ν = Σvi
ui + vi = di
Private Addition
ui + vi = di
μ = Σui ν = Σvi
μ
ν
Private Addition
μ + ν
Private Addition
Provable privacy Computation on both the server and the
privacy peer is over small field: same cost as non-private implementation
Fits existing server-based schemes Server is always online. Users and privacy peers can
be on and off. Only two parties performing the computation, users
just submit their data (and provide a ZK proof, see later)
Extra communication for the server is only with the privacy peer, independent of n
P4P’s Private Addition
The Need for Verification This scheme has a glaring
weakness. Users can use any number in the small field as their data.
Think of a voting scheme: “Please place your vote 0 or 1 in the envelope” Bush 100,000
Gore -100,000
Zero Knowledge Proofs I can prove that I know X without disclosing
what X is. I can prove that a given encrypted number
is a 0. Or I can prove that an encrypted number is a 1.
I can prove that an encrypted number is a ZERO OR ONE, i.e. a bit. (6 extra numbers needed)
I can prove that an encrypted number is a k-bit integer. I need 6k extra numbers to do this (!!!)
An Efficient ZKP of Boundedness
Luckily, we don’t need to prove that every number in a user’s vector is small, only that the vector is small.
The server asks for some random projections of the user’s vector, and expects the user to prove that the square sum of them is small.
• O(log m) public key crypto operations (instead of O(m)) to prove that the L-2 norm of an m-dim vector is smaller than L.
• Running time reduced from hours to seconds.
Bounding the L2-Norm A natural and effective way to restrict a
cheating user’s malicious influence You must have a big vector to produce
large influence on the sum Perturbation theory bounds system
change with norms:|σi(A) - σi(B)| ≤ ||A-B||2 [Weyl]
Can be the basis for other checks Setting L = 1 forces each user to have only 1
vote
Random Projection-basedL2-Norm ZKP Server generates N random m-vectors
in {-1, 0, +1}m
User projects his data to the N directions. provides ZKP that the square sum of the projections < NL2/2
Expensive public key operations are only on the projections and the square sum
Effectiveness
23/4/18
Acceptance/rejection probabilities
(a) Linear and (b) log plots of probability of user input acceptance as a function of |d|/L for N = 50. (b) also includes probability of rejection. In each case, the steepest (jagged curve) is the single-value vector (case 3), the middle curve is Zipf vector (case 2) and the shallow curve is uniform vector (case 1)
Performance Evaluation
(a) Verifier and (b) prover times in seconds for the validation protocol where (from top to bottom) L (the required bound) has 40, 20, or 10 bits. The x-axis is the vector length.
SVD Singular value decomposition is an
extremely useful tool for a lot of IR and data mining tasks (CF, clustering …)
SVD for a matrix A is a factorization A = UDVT.
If A encodes users x items, then VT gives us the best least-squares approximations to the rows of A in a user-independent way.
ATAV = VD SVD is an eigenproblem
SVD: P4P Style
Experiments: SVD Datasets
Dataset
Dimensions Density Range Type
Enron 150×150 0.0736 [0,1593] Social graph
EM 74424×1648
0.0229 [0, 1.0] Movie ratings
RAND 2000×2000 1.0 [-220, 220]
Random
Results
N: number of iterations. k: number of singular values. ε: relative residual error
Distributed Association Rule Mining
n users, m items. User i has dataset Di
Horizontally partitioned: Di contains the same attributes 1 0 0 0 1 ……
0 0
0 0 1 0 0 …… 1 0
……
D1
Dn
The Market-Basket Model A large set of items, e.g., things
sold in a supermarket. A large set of baskets, each of
which is a small set of the items, e.g., the things one customer buys on one day.
Support Simplest question: find sets of items
that appear “frequently” in the baskets.
Support for itemset I = the number of baskets containing all items in I.
Given a support threshold s, sets of items that appear in > s baskets are called frequent itemsets.
Example Items={milk, coke, pepsi, beer,
juice}. Support = 3 baskets.
B1 = {m, c, b} B2 = {m, p, j}
B3 = {m, b} B4 = {c, j}
B5 = {m, p, b} B6 = {m, c, b, j}
B7 = {c, b, j} B8 = {b, c} Frequent itemsets: {m}, {c}, {b},
{j}, {m, b}, {c, b}, {j, c}.
Association Rules If-then rules about the contents of
baskets. {i1, i2,…,ik} → j means: “if a basket
contains all of i1,…,ik then it is likely to contain j.”
Confidence of this association rule is the probability of j given i1,…,ik.
Step k of apriori-gen in P4P User i constructs an mk-Dimensional vector
in small field (mk: number of candidate itemset at step k)
Use P4P to compute the aggregate (with verification)
The result encodes the supports of all candidate itemsets
Step k of apriori-gen in P4P
1 0 0 0 1 …… 0 0
0 0 1 0 0 …… 1 0
……
D1
Dn
cj: jth candidate itemset
*
+ d1[j]
+ dn[j]
P4P
Support for cj
Analysis Privacy guaranteed by P4P Near optimal efficiency: cost
comparable to that of a direct implementation of the algorithms Main aggregation in small field Only a small number of large field
operations Deal with cheating users with P4P’s
built-in ZK user data verification
Privacy SVD: The intermediate sums are
implied by the final results ATA = VDVT
ARM: Sums treated as public by the applications
Guaranteed privacy regardless data distribution or size
Infrastructure Support Multicast encryption [RSA 06]
Scalable secure bidirectional communication [Infocom 07]
Data protection scheme [PET 04]
P4P: Current Status P4P has been implemented In Java using native code for big
integer Runs on Linux platform Will be made an open-source toolkit
for building privacy-preserving real-world applications.
Conclusion We can provide strong privacy protection with
little or no cost to a service provider for a broad class of problems in e-commerce and knowledge work.
Responsibility for privacy protection shifts to privacy peers
Within the P4P framework, private computation and many zero-knowledge verifications can be done with great efficiency