Prio: Private, Robust, and Efficient Computation of Aggregate Statistics (PowerPoint PPT presentation)

Henry Corrigan-Gibbs and Dan Boneh, Stanford University. NSDI 2017.

Today: Non-private aggregation. Examples: StressTracker, blood pressure, Twitter usage.


  1–6. Private sums: A “straw-man” scheme
 Server A, Server B, Server C hold running sums S_A, S_B, S_C.
 S_A + S_B + S_C = 15 + -10 + …
 S_A + S_B + S_C = 1 + 0 + … + 1
 Servers learn the sum of client values and learn nothing else.
 Learn that three phones are on the Bay Bridge—don’t know which three.

  7–9. Computing private sums
 Exact correctness: If everyone follows the protocol, servers compute the sum of all x_i’s.
 Privacy: Any proper subset of the servers learns nothing but the sum of the x_i’s.
 Efficiency: Follows by inspection.
 Robustness: ???

  10–18. Private sums: A “straw-man” scheme (an evil client)
 Server A: 15 - 10   Server B: -12 + 7   Server C: -2 + 3
 A client F submits shares of a value x; x is supposed to be a 0/1 value.
 An evil client needn’t follow the rules! F sends shares 10, 4, 7, and 10 + 4 + 7 = 21.
 The servers’ sums are now garbage, garbage, garbage.
 A single bad client can undetectably corrupt the sum.
 Users have incentives to cheat.
 Typical defenses (NIZKs) are costly.

  19–20. Outline
 • Background: The private aggregation problem
 • A straw-man solution for private sums
 • Providing robustness with SNIPs
 • Evaluation
 • Encodings for complex aggregates

  21–48. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A, Server B, Server C start with running sums 0, 0, 0.
 A client with x = 1 sends shares 15, -12, -2: 15 + (-12) + (-2) = 1.
 The servers want to ensure that their shares sum to 0 or 1 …without learning x.
 More generally, servers
 • hold shares x_a, x_b, x_c of the client’s private value x
 • hold an arbitrary public predicate Valid(·), expressed as an arithmetic circuit
 • want to test if “Valid(x)” holds, without leaking x
 For our running example: Valid(x) = “x ∈ {0,1}”.
 With SNIPs, the client sends each server a share of x together with a share of a proof: (π_a, x_a) to A, (π_b, x_b) to B, (π_c, x_c) to C. The servers gossip.
 If every server says “Ok.”, each adds its share x_a, x_b, x_c into its running sum.
 If the servers say “Fail”, the submission is rejected (X X X) and the shares are discarded.
 • Prio servers detect and reject malformed client submissions
 • In this example, each client can influence the aggregate statistic by +/- 1, at most

  49–52. How SNIPs work
 Server A, Server B, Server C hold shares x_a, x_b, x_c (running sums 0, 0, 0).
 The servers want to ensure that Valid(x) = Valid(x_a + x_b + x_c) = 1 …without learning x.
 Could run secure multiparty computation to check that Valid(x) = 1. [GMW87], [BGW88]
