Private sums: Server A Server B Server C A “straw-man” scheme S A S B S C S A + S B + S C = 15 + -10 + …
Private sums: Server A Server B Server C A “straw-man” scheme S A S B S C S A + S B + S C = 15 + -10 + …
Private sums: Server A Server B Server C A “straw-man” scheme S A S B S C S A + S B + S C = 15 + -10 + … S A + S B + S C = 1 + 0 + … + 1
Private sums: Server A Server B Server C A “straw-man” scheme S A S B S C S A + S B + S C = 15 + -10 + … S A + S B + S C = 1 + 0 + … + 1 Servers learn the sum of client values and learn nothing else .
Private sums: Server A Server B Server C A “straw-man” scheme S A S B S C S A + S B + S C = 15 + -10 + … S A + S B + S C = 1 + 0 + … + 1 Servers learn the sum of client values and learn nothing else .
Private sums: Server A Server B Server C A “straw-man” scheme S A S B S C S A + S B + S C = 15 + -10 + … S A + S B + S C = 1 + 0 + … + 1 Learn that three phones Servers learn the are on the Bay Bridge— sum of client values don’t know which three and learn nothing else .
Computing private sums
Computing private sums Exact correctness: If everyone follows the protocol, servers compute the sum of all x i s. Privacy: Any proper subset of the servers learns nothing but the sum of the x i s. Efficiency: Follows by inspection.
Computing private sums Exact correctness: If everyone follows the protocol, servers compute the sum of all x i s. Privacy: Any proper subset of the servers learns nothing but the sum of the x i s. Efficiency: Follows by inspection. Robustness: ???
Private sums: Server A Server B Server C A “straw-man” scheme 15-10 -12+7 -2+3 F x
Private sums: Server A Server B Server C A “straw-man” scheme 15-10 -12+7 -2+3 x is supposed to be F a 0/1 value x
Private sums: Server A Server B Server C A “straw-man” scheme 15-10 -12+7 -2+3 F x
Private sums: Server A Server B Server C A “straw-man” scheme 15-10 -12+7 -2+3
Private sums: Server A Server B Server C A “straw-man” scheme 15-10 -12+7 -2+3 An evil client needn’t follow the rules!
Private sums: Server A Server B Server C A “straw-man” scheme 15-10 -12+7 -2+3 + + = 21 An evil client needn’t 10 4 7 follow the rules!
Private sums: Server A Server B Server C A “straw-man” scheme 15-10 -12+7 -2+3 10 4 7
Private sums: Server A Server B Server C A “straw-man” scheme garbage garbage garbage F
Private sums: Server A Server B Server C A “straw-man” scheme garbage garbage garbage A single bad client can undetectably F corrupt the sum Users have incentives to cheat Typical defenses (NIZKs) are costly
Outline • Background: The private aggregation problem • A straw-man solution for private sums • Providing robustness with SNIPs • Evaluation • Encodings for complex aggregates
Outline • Background: The private aggregation problem • A straw-man solution for private sums • Providing robustness with SNIPs • Evaluation • Encodings for complex aggregates
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 15 + ( ) + ( ) = 1 -12 -2 x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 15 -12 -2 x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 15 -12 -2 x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 15 -12 -2 The servers want to ensure that their x = 1 shares sum to 0 or 1 …without learning x.
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 x a x b x c More generally, servers x = 1 hold shares of the client’s private value x • hold an arbitrary public predicate Valid( · ) • – expressed as an arithmetic circuit want to test if “Valid(x)” holds, without leaking x •
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 x a x b x c More generally, servers x = 1 hold shares of the client’s private value x • hold an arbitrary public predicate Valid( · ) • – expressed as an arithmetic circuit want to test if “Valid(x)” holds, without leaking x For our running example: • Valid(x) = “x ∈ {0,1}”
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 x a x b x c More generally, servers x = 1 hold shares of the client’s private value x • hold an arbitrary public predicate Valid( · ) • – expressed as an arithmetic circuit want to test if “Valid(x)” holds, without leaking x •
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 x a x b x c x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 x a x b x c π a x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 x a x b x c π a π b x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 x a x b x c π a π b x = 1 π c
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 π a , x a π b , x b x c π c , x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 π a , x a π b , x b x c π c , x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 Servers gossip π a , x a π b , x b x c π c , x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 π a , x a π b , x b x c π c , x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) Ok. 0 0 0 π a , x a π b , x b x c π c , x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) Ok. Ok. 0 0 0 π a , x a π b , x b x c π c , x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) Ok. Ok. Ok. 0 0 0 π a , x a π b , x b x c π c , x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 π a , x a π b , x b x c π c , x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) x a x b x c x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 π a , x a π b , x b x c π c , x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) Fail 0 0 0 π a , x a π b , x b x c π c , x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) Fail Fail 0 0 0 π a , x a π b , x b x c π c , x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) Fail Fail Fail 0 0 0 π a , x a π b , x b x c π c , x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 π a , x a π b , x b x c π c , x = 1
Server A Server B Server C Contribution 1 Secret-shared non-interactive proofs (SNIPs) 0 0 0 X X X x a x b x c x = 1 • Prio servers detect and reject malformed client submissions • In this example, each client can influence the aggregate statistic by +/- 1, at most
Server A Server B Server C How SNIPs work 0 0 0 x a x b x c The servers want to ensure that x = 1 Valid(x) = Valid(x a +x b +x c ) = 1 …without learning x.
Server A Server B Server C How SNIPs work x a x b x c
Server A Server B Server C How SNIPs work x a x b x c Could run secure multiparty computation to check that Valid(x) = 1. [GMW87], [BGW88]
Server A Server B Server C How SNIPs work x a x b x c Could run secure multiparty computation to check that Valid(x) = 1. [GMW87], [BGW88]
Recommend
More recommend