h s i l a c o L Distributed Models for Statistical Data - - PowerPoint PPT Presentation
h s i l a c o L Distributed Models for Statistical Data Privacy Adam Smith Based on L. Reyzin, A. Smith, S. Yakoubov BU Computer Science https://eprint.iacr.org/2018/997 PPML 2018 Workshop A. Cheu, A. Smith, J. Ullman, D.
BU Computer Science PPML 2018 Workshop December 8, 2018
Based on
https://eprint.iacr.org/2018/997
Zhilayev https://arxiv.org/abs/1808.01394
3
queries answers
Summaries Complex models Synthetic data
…
4
queries answers
Summaries Complex models Synthetic data
…
5
6
local random coins
A(x’)
!’ is a neighbor of ! if they differ in one data point
local random coins
A(x)
Definition: A is #, % -differentially private if, for all neighbors !, !’, for all sets of outputs & Pr
)*+,- *. / 0 ! ∈ & ≤ 34 ⋅
Pr
)*+,- *. / 0 !6 ∈ & + %
Neighboring databases induce close distributions
Ø“From HATE to LOVE MPC”
Ø“Differential Privacy via Shuffling”
7
Ø Person ! randomizes their own data Ø Attacker sees everything except player !’s local state
Ø for all neighbors #, #’, Ø for all behavior % of other parties, Ø for all sets of transcripts &: Pr
)*+,- ./ 0 #, % = 3 ≤ 56 ⋅
Pr
)*+,- ./ 0 #8, % = 3
8
local random coins
Untrusted aggregator
A
9: 9; 9< = = 0 w.l.o.g.
Equivalent to [Efvimievski, Gehrke, Srikant ‘03]
9
local random coins
Untrusted aggregator
A
!" !# !$
https://developer.apple.com/ videos/play/wwdc2016/709/ https://github.com/google/rappor
Ø No trusted curator Ø No single point of failure Ø Highly distributed Ø Beautiful algorithms
Ø Low accuracy
" # $ error [BMO’08,CSS’12] vs %( " $#) central
Ø Correctness requires honesty
10
local random coins
Untrusted aggregator
A
(" () ($
[McSherry Talwar ‘07]
with nontrivial error requires ' = Ω(! log(!) /.0)
Ø [DJW’13, Ullman ‘17] Ø (No lower bound known for interactive protocols)
12
people
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
data
13
local random coins
Untrusted aggregator
A
!" !# !$
Ø“From HATE to LOVE MPC”
Ø“Differential Privacy via Shuffling”
14
(MPC) protocol for ! (randomized), and either
Ø Secure channels + honest majority Ø Computational assumptions + PKI
Ø What definition does this achieve? Ø Are there special-purpose protocols that are more efficient than generic reductions? Ø What models make sense? Ø What primitives are needed?
15
16
Definition: A is ((, ", $)-computationally differentially private if, for all neighbors ), )’, for all distinguishers + ∈ (-./(() Pr
23456 37 ' + 8 )
= 1 ≤ /< ⋅ Pr
23456 37 ' + 8 )>
= 1 + $ Not equivalent
Ø⇒ honest-majority MPC ØSatisfies simulation, follows existing MPC models ØLots of follow-up work
Mazloom, Gordon ’17, maybe others?]
ØLeaks more than ideal functionality
17
ØCommunication between all pairs of parties ØMultiple rounds, so parties have to stay online
18
Applications of DP suggest a few different settings
Ø Small set of computationally powerful data holders Ø Each holds many participants’ data Ø Data holders have their own privacy-related concerns
Machanavajjhala, Abowd, Graham, Kutzbach, Vilhuber ‘17]
Ø Many weak clients (individual data holders) Ø One server or small set of servers Ø Unreliable, client-server network Ø Calls for lightweight MPC protocols, e.g.
[Shi, Chan, Rieffel, Chow, Song ‘11, Boneh, Corrigan-Gibbs ‘17, Bonawitz, Ivanov, Kreuter, Marcedone, McMahan, Patel, Ramage, Segal, Seth ’17]
DP does not need full MPC
Ø Sometimes, leakage helps [HMFS ’17, MG’17] Ø Sometimes, we do not know how to take advantage of it [McGregor Mironov Pitassi Reingold Talwar Vadhan ’10]
19
! = $(&
', … , &*)! = $(&1, … , &*)
Ø Addition + Laplace/Gaussian noise Ø Threshold(summation + noise)
Ø Relevant for PATE framework
Ø “Federated learning” Ø Relies on users to introduce small amounts of noise
Ø Because highly nonlinear Ø Though maybe approximate thresholding easier (e.g. HEEAN)
Ø Shufflers as a useful primitive [Erlingsson, Feldman, Mironov, Raghunathan, Talwar, Thakurta] [Cheu, Smith, Ullman, Zeber, Zhilyaev 2018]
20
Ø“From HATE to LOVE MPC”
Ø“Differential Privacy via Shuffling”
21
Leonid Reyzin, Adam Smith, Sophia Yakoubov
https://eprint.iacr.org/2018/997
[Goldreich,Micali,Widgerson87,Yao87] X2 X3 X1 X4 Y = f(X1, X2, X3, X4) Y = f(X1, X2, X3, X4) Y = f(X1, X2, X3, X4) Y = f(X1, X2, X3, X4) No party learns anything other than the output!
X2 X3 X1 X4 Y = A(X1, X2, X3, X4) Y = A(X1, X2, X3, X4) Y = A(X1, X2, X3, X4) Y = A(X1, X2, X3, X4) Can compute differentially private statistic A(X) without server learning anything but the output!
[Dwork,Kenthapadi,McSherry,Mironov,Naor06]
X4= Central model level accuracy! Local model level privacy!
X2 X3 X1 X4 Y = A(X1, X2, X3, X4) Y = A(X1, X2, X3, X4) Y = A(X1, X2, X3, X4) Y = A(X1, X2, X3, X4) Can compute differentially private statistic A(X) without server learning anything but the output! A(X) is often linear, so we will focus on MPC for addition X4= Central model level accuracy! Local model level privacy!
X2 X3 Y = f(X1, X2, X3, X4) X1 Clients Server Computational power weak strong X4
X2 X3 X1 Clients Server Computational power weak strong Y = f(X1, X2, X3, X4) X4
Clients Server Computational power weak strong Y = f(X1, X2, … Xn)
Y = f(X1, X2, … Xn) Clients Server Computational power weak strong Direct communication
to everyone
as in noninteractive multiparty computation (NIMPC)
[Beimel,Gabizon,Ishai,Kushilevitz,Meldgaard,PaskinCherniavsky14]
Y = f(X1, X2, … Xn) Clients Server Computational power weak strong Direct communication
to everyone Network unreliable reliable
even if some clients abort
Y = f(X1, X2, … Xn)
even if some clients abort
in the all-to-all communication graph [Badrinarayanan,Jain,Manohar,Sahai18]
in star communication graph, achieved in 5 message flows
What’s the best we can do?
PK Size Communication Per Party Message Space Size Assumption Family [BIKMMPRSS17] O(1) O(n) any
PK Size Communication Per Party Message Space Size Assumption Family [BIKMMPRSS17] O(1) O(n) any Fully Homomorphic ATE
[Badrinarayanan, Jain, Manohar, Sahai 2018]
O(1) poly(n) any lattices Shamir-and- ElGamal O(1) O(n) small DDH CRT-and-Paillier O(1) O(n) any factoring Obfuscation poly(n) O(1) small iO LOVE MPC from HATE OUR WORK
PK Size Communication Per Party Message Space Size Assumption Family Number of Rounds [BIKMMPRSS17] O(1) O(n) any 5 Fully Homomorphic ATE
[Badrinarayanan, Jain, Manohar, Sahai 2018]
O(1) poly(n) any lattices 3 Shamir-and- ElGamal O(1) O(n) small DDH 3 CRT-and-Paillier O(1) O(n) any factoring 3 Obfuscation poly(n) O(1) small iO 3 LOVE MPC from HATE OUR WORK
PK Size Communication Per Party Message Space Size Assumption Family Number of Rounds 1st nth 1st nth [BIKMMPRSS17] O(1) O(n) O(n) any 5 5 Fully Homomorphic ATE
[Badrinarayanan, Jain, Manohar, Sahai 2018]
O(1) poly(n) poly(n) any lattices 3 3 Shamir-and- ElGamal O(1) O(n) O(n) small DDH 3 3 CRT-and-Paillier O(1) O(n) O(n) any factoring 3 3 Obfuscation poly(n) O(1) O(1) small iO 3 3 LOVE MPC from HATE OUR WORK
PK Size Communication Per Party Message Space Size Assumption Family Number of Rounds 1st nth 1st nth [BIKMMPRSS17] O(1) O(n) O(n) any 5 5 Fully Homomorphic ATE
[Badrinarayanan, Jain, Manohar, Sahai 2018]
O(1) poly(n) poly(n) any lattices 3 3 Shamir-and- ElGamal O(1) O(n) O(n) small DDH 3 3 CRT-and-Paillier O(1) O(n) O(n) any factoring 3 3 Obfuscation poly(n) O(1) O(1) small iO 3 3 Threshold ElGamal O(1) O(n) O(1) small DDH 5 3 LOVE MPC from HATE OUR WORK
PK Size Communication Per Party Message Space Size Assumption Family Number of Rounds 1st nth 1st nth [BIKMMPRSS17] O(1) O(n) O(n) any 5 5 Fully Homomorphic ATE
[Badrinarayanan, Jain, Manohar, Sahai 2018]
O(1) poly(n) poly(n) any lattices 3 3 Shamir-and- ElGamal O(1) O(n) O(n) small DDH 3 3 CRT-and-Paillier O(1) O(n) O(n) any factoring 3 3 Obfuscation poly(n) O(1) O(1) small iO 3 3 Threshold ElGamal O(1) O(n) O(1) small DDH 5 3 ? O(1) O(1) O(1) 3 3 LOVE MPC from HATE OUR WORK
SK C Decrypt Plaintext X PK Encrypt Ciphertext C X
Partial Decryption d Partial Decryption d Partial Decryption d
C PartDecrypt PartDecrypt PartDecrypt C C FinalDecrypt Plaintext X PK Encrypt Ciphertext C X
Partial Decryption d Partial Decryption d Partial Decryption d
C PartDecrypt PartDecrypt PartDecrypt C C FinalDecrypt Plaintext X PK Encrypt Ciphertext C X Can recover X iff t of n parties provide d
Partial Decryption d
C PartDecrypt PartDecrypt PartDecrypt C C Partial Decryption d Partial Decryption d FinalDecrypt Plaintext X Can recover X iff t of n parties provide d PK PK PK Encrypt Ciphertext C X
Encrypt f C3 C1 C2 C X3 X2 X1 SK PartDecrypt PartDecrypt PartDecrypt FinalDecrypt X = f(X1,X2,X3)
PK Size Ciphertext Size Message Space Size Assumption Family Fully Homomorphic ATE
[Badrinarayanan, Jain, Manohar, Sahai 2018]
O(1) poly(n) any lattices Shamir-and- ElGamal O(1) O(n) small DDH CRT-and-Paillier O(1) O(n) any factoring Obfuscation poly(n) O(1) small iO OUR WORK
Ø“From HATE to LOVE MPC”
Ø“Differential Privacy via Shuffling”
22
ØNonprivate ØCentral-model DP ØLocal-model DP
23