Secure Computation of the k’th Ranked Element

Gagan AggarwalStanford University

Joint work with Nina Mishra and Benny Pinkas, HP Labs

A story …A story …

I bet the dumbest student in Gryffindor has a higher IQ than the median IQ of all students in the school.

But you don’t even know what the median IQ is …

But, what about privacyof the students.

We can do “Securefunction evaluation” … This is all “theory”.

It can’t be efficient.

Let us compute it...

Rising Need for PrivacyRising Need for Privacy

Many opportunities of interaction between institutions and agencies holding sensitive data.

Privacy cannot be sacrificed.I.e. different agencies might hold data

which they are not allowed to share.

A need for protocols to evaluate functions while preserving privacy of data.

Privacy-preserving Computation: Privacy-preserving Computation: the ideal casethe ideal case

x y F(x,y) and nothing else

Input:Output:

x y

F(x,y) F(x,y)

Trusted third parties are rareTrusted third parties are rare

x y

F(x,y) F(x,y)

• Run a protocol to evaluate F(x,y) without a trusted party.•Two kinds of adversaries:

•Semi-honest – Follows the protocol, but is curious to learn more than F(x,y).•Malicious - Might do anything.

Definition of security:Definition of security:semi-honest modelsemi-honest model

…x y

F(x,y)

Protocol is secure if Bob can generate the sequence of messages exchanged from his own input y and the value of F(x,y).

Definition of security:Definition of security:malicious modelmalicious model

…x

Protocol is secure if adversary Bob, an input y s.t. Bob’s actions correspond to him presenting y to a trusted third party.

Secure Function EvaluationSecure Function Evaluation [Yao,GMW,BGW,CCD]

x yC(x,y) and nothing else

Input:Output:

• F(x,y) – A public function. • Represented as a Boolean circuit C(x,y).

Implementation:• O(|X|) “oblivious transfers”. • O(|C|) communication.• Pretty efficient for small circuits! e.g. Is x > y? (Millionaire’s problem)

C(x,y) and nothing else

Some useful primitivesSome useful primitives

• Useful to have efficient solutions for simple primitives.

• Let X and Y be sets of elements:–X Y (first talk)–Statistics over X Y:

•Max, Min, Average, Median, kth-ranked element.

kkthth-ranked element-ranked element

• Inputs:– Alice: SA Bob: SB

– Large sets of unique items (є S).– The rank k

• Could depend on the size of input datasets. • Median: k = (|SA| + |SB|) / 2

• Output: – x SA SB s.t. x has k-1 elements

smaller than it.

ResultsResults

Finding the kth ranked item (D=|domain|)– Two-party: reduction to log k secure

comparisons of log D bit numbers.• log k rounds * O(log D)

– Multi-party: reduction to log D simple computations with log D bit numbers.• log D rounds * O(log D)

– Also, security against malicious parties.– Can hide the size of the datasets.

Related workRelated work

• Lower bound: Ω(log D)– From communication complexity.

• Generic constructions– Using circuits [Yao …]:

• Overhead at least linear in k.

– Naor-Nissim:• Overhead of Ω(D).

RA

An (insecure) two-party median An (insecure) two-party median protocolprotocol

LASA

SB

mA

RBLB mB

LA lies below the median, RB lies above the median.

New median is same as original median.Recursion Need log n rounds

mA < mB

(assume each set contains n=2i items)

SecureSecure two-party median two-party median protocolprotocol

A finds its median mA .

B finds itsmedian mB .

mA < mB

A deletes elements ≤ mA.B deletes elements > mB.

A deletes elements > mA.B deletes elements ≤ mB.

YES

NO

Secure comparison(e.g. a small circuit)

An exampleAn exampleA B

mA>mB

mA<mB

mA<mB

mA>mB

mA<mB

Medianfound!!

8 9 16

1

5 1298

107 98

7 10

16 161 1

Proof of securityProof of securityA B

mA>mB

mA<mB

mA<mB

mA>mB

mA<mB

median

mA>mB

mA<mB

mA<mB

mA>mB

mA<mBMedian

Still to come…Still to come…• Security against malicious parties.• Adapt the median protocol for

arbitrary k and arbitrary input set size.

• Hide the size of the datasets.• kth element for multi-party scenario.

Security against malicious partiesSecurity against malicious parties• Comparisons secure against malicious

parties.• Verify that parties’ inputs to comparisons are

consistent. I.e., prevent– Round 1: mA = 1000. Is told to delete all x>1000.– Round 2: mA = 1100…

• Solution: Each round sends secure “state” to next round (i.e., boundaries for parties’ inputs). Implement “reactive computation” [C,CLOS].

• Can implement in a single circuit. Efficient security against malicious parties.

Security against malicious Security against malicious partiesparties

a4 < b4

a7 < b1

a2 < b6a6 < b2

a5 < b3 a3 < b5 a1 < b7

a8 < b1 a7 < b2

a6 < b3 a5 < b4

a4 < b5 a3 < b6

a2 < b7 a1 < b8

YES

YES

Y

YES

NY

YY N

NN

NO

NO

Security against malicious Security against malicious partiesparties

a4 < b4

a7 < b1

a2 < b6a6 < b2

a5 < b3 a3 < b5 a1 < b7

a8 < b1 a7 < b2

a6 < b3 a5 < b4

a4 < b5 a3 < b6

a2 < b7 a1 < b8

YES

YES

Y

YES

NY

YY N

NN

NO

NO

Security against malicious Security against malicious partiesparties

a4 < b4

a7 < b1

a2 < b6

a5 < b3 a3 < b5 a1 < b7

a8 < b1 a7 < b2

a5 < b4

a4 < b5 a3 < b6

a2 < b7 a1 < b8

YES

YES

Y

YES

NY

YY N

NN

NO

NO

a6 < b2

a6 < b3

Security against malicious Security against malicious partiesparties

• An adversary is fully defined by the input ai’s it gives for each of the nodes of this tree.

• These (consistent) ai’s form an input x which can be used with F(x,y) to generate a transcript.

+

Arbitrary input size, arbitrary kArbitrary input size, arbitrary k

SA

SB

k

Now, compute the median of two sets of size k.

Size should be a power of 2.

median of new inputs = kth element of original inputs

2i

+

-

Hiding size of inputsHiding size of inputs

• Can search for kth element without revealing size of input sets.

• However, k=n/2 (median) reveals input size.

• Solution: Let U=2i be a bound on input size.

|SA|U

-+

-+

|SB|

Median of new datasets is same

as median of original datasets.

The multi-party caseThe multi-party case

• Input: Party Pi has set Si, i=1..n.

(all values [a,b], where a and b are known)

• Output: kth element of S1 … Sn

• Basic Idea: Binary search on [a,b].

The multi-party caseThe multi-party case

• Protocol: Set m = (a+b)/2. Repeat:

– Pi inputs to a secure computation

Li = # elements in Si smaller than m.

Bi= # times m appears in Si.

- The following is computed securely:• If ΣLi k,

• Else, if ΣLi + Bi k,

• Otherwise, Upper half

Lower halfFound median

The multi-party caseThe multi-party case

• Can be made secure for malicious case.– Using consistency checks.

• Works for two-party case.– Can be used for non-distinct elements.

SummarySummary• Efficient secure computation of the

median.– Two-party: log k rounds * O(log D)– Multi-party: log D rounds * O(log D)– Communication overhead is very close to the

communication complexity lower bound of log D bits.

• Malicious case is efficient too.– Do not use generic tools.– Instead, we implement simple consistency

checks to get security against malicious parties.

Thanks for your attention! Thanks for your attention!