Title: Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems Omer Bark
1 Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems
Omer Barkol, Yuval Ishai
Technion
2 Motivation: private database search
D?
Client
Server
q
D
fermat and (last theorem or great theorem)
q?
What is he working on?
Article on Fermat's Last Theorem
f(q,D)
- Want:
- Server work: O(D)
- Client work: O(q)
- Communication: O(q)
PIR [CGKS95]: f(q,D) = D_q
OT/SPIR
3 Current approaches
D
q
f(q,D)
- Send all of D to the client
- Too much communication (D)
- No server privacy
- Use general purpose secure computation [Yao86, GMW87]
- Communication circuit size D
- Use PIR as a building block
- PIR data-structures [CGN97, FIPR05, OS05]
- Applies to a very limited class of problems
- set membership / keyword search
- approximate nearest neighbor
- Communication preserving protocol compiler [NN01]
- Generally requires exponential computation
Oh no! This might take me 7 years!
Benchmark partial match?
f( 10 , 0010 0110 1111 )1
Nothing
4 Observation: Many database search problems can be implemented by constant-depth circuits
[Figure: depth-2 circuit with inputs x1, x2, ..., xm and one output]
- Gates: OR, AND, NOT and XOR
- Unbounded fan-in and fan-out
- Depth: length of the longest input→output path
5 Observation: Many database search problems can be implemented by constant-depth circuits
f(q,D)
6 Example: partial match
1010
10
0110
0110
1011
1110
7 Observation: Many database search problems can be implemented by constant-depth circuits
- Computing on encrypted data: longstanding question
- Case of 2-DNF recently solved [BGN05]
f(q,D)
8 Relaxation: multiple servers
C
x
C
C
x?
C(x)
t servers
- Used in information theoretic PIR
- Replicated databases are common
- p2p networks
- Web content delivery (e.g., Akamai)
- t-privacy
- Client can choose servers he trusts
9 Main results
- t-secure protocol with
- Servers: $t(\log C)^{\mathrm{depth}-1}$
- Communication: Õ(x)
- Client computation: Õ(x)
- Server computation: Õ(C)
- Rounds: 1
Communication and work are optimal up to polylog factors
Yeh!
C
C
C
10 Main results: DNF/CNF/partial match
- n-term DNF / database with n entries
- Security threshold: 1
- Secure protocol with
- Servers: ½ log n
- Communication: Õ(x)
- Client computation: Õ(x)
- Server computation: Õ(n)
D has $2^{30}$ entries
We need 15 servers
C
C
C
11 Second model: multiparty computation
[Figure: five parties with inputs x1, ..., x5 around a constant-depth circuit C; C(x), x = x1 x2 ... xk]
- General purpose secure computation [GMW87, BGW88, CCD88]
- Communication circuit size
- Communication efficient multiparty computation [BFKR90]
- Computation exponential in x
- Number of servers
12 Results: multiparty setting
- t-secure multiparty protocol with
- Parties: $t(\log C)^{\mathrm{depth}-1}$
- Communication: Õ(x · poly(parties))
- Computation: Õ(C)
- Rounds: O(1)
- optimal up to polylog factors
13 Roadmap
From database search to protocol
14 Roadmap
From database search to circuit
15 Roadmap
From circuit to polynomials
16 From circuit to polynomials
- Step A
- Represent a circuit by a low-degree randomized multivariate polynomial
- Field GF(2)
- Rely on technique of [Raz87, Smo87]
x1x2x4
x1
x2
x4
17 From circuit to polynomials
r1
r11
r?1
set ? s
r2
r12
r?2
rt
r1t
r?t
ε-biased PRG
x1
x2
xt
r
18 From circuit to polynomials
Probpr(x) ? C(x) (n1)2-?
n-term DNF
For error 2-s set ? s log(n1)
( s log(n1))2
Total degree ?2
x1
x2
x3
x4
x5
x6
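Step A for an n-term DNF, as an added example (not code from the talk): each OR gate is replaced by the [Raz87, Smo87] product of random parities over GF(2), and each AND is written as NOT OR of the mismatching literals. The name `rho` for the number of random subsets, the sample DNF, and the use of truly random subsets instead of an ε-biased PRG are assumptions of this sketch; the resulting polynomial has degree rho² and errs with probability at most (n+1)·2^-rho by a union bound over the n+1 gates.

```python
import random

def sample_masks(width, rho, rng):
    # Public randomness r: rho random subsets of `width` wires, as 0/1 masks.
    return [[rng.randrange(2) for _ in range(width)] for _ in range(rho)]

def approx_or(wires, masks):
    # p_r(y) = 1 + prod_j (1 + <mask_j, y>) over GF(2); degree len(masks).
    # Exact when all wires are 0, wrong with probability 2^-rho otherwise.
    prod = 1
    for mask in masks:
        prod &= 1 ^ (sum(w & m for w, m in zip(wires, mask)) % 2)
    return 1 ^ prod

def approx_dnf(x, terms, rho, rng):
    # terms: list of terms, each a list of (index, wanted_bit) literals.
    bottom = sample_masks(len(x), rho, rng)    # shared by all AND gates
    top = sample_masks(len(terms), rho, rng)   # for the output OR gate
    term_vals = []
    for term in terms:
        mismatch = [0] * len(x)
        for i, wanted in term:
            mismatch[i] = x[i] ^ wanted
        # AND(literals) = NOT OR(mismatches)
        term_vals.append(1 ^ approx_or(mismatch, bottom))
    return approx_or(term_vals, top)

def exact_dnf(x, terms):
    return int(any(all(x[i] == w for i, w in term) for term in terms))

def error_rate(x, terms, rho, trials, seed=1):
    # Fraction of random choices of r for which the polynomial is wrong on x.
    rng = random.Random(seed)
    truth = exact_dnf(x, terms)
    wrong = sum(approx_dnf(x, terms, rho, rng) != truth for _ in range(trials))
    return wrong / trials

# Constructed sample: a 3-term DNF over 4 variables.
TERMS = [[(0, 1), (1, 0)], [(1, 1), (2, 1), (3, 0)], [(0, 0), (3, 1)]]
```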
19 From circuit to polynomials
Step B: Optimizations, example for n-term DNF
Probpr(x) ? C(x) n2-? ? ¼
pr1(x)
For error ¼ set ? logn 3
3( logn3)
Total degree 3?
x1
x2
x3
x4
x5
x6
20 From circuit to polynomials
Step B: Optimizations, example for n-term DNF
degree logn2 C(x)0 Probp(x)1 ? C(x)1
Probp(x)1 ?
More careful analysis
Recover C(x) using Majority
Recover C(x) using Threshold ¼
21 From circuit to polynomials
Step B: Optimizations, example for n-term DNF
O(s) polynomials of degree logn2
pr1(x)
pr2(x)
Probth¼(pr(x)) ? C(x) 2-s
prO(s)(x)
I have no privacy!
22 From circuit to polynomials
Step C: Server Privacy
pr1(x,?)
pr2(x,?)
pr1(x)
$\mathrm{th}_{1/4}: \{0,1\}^{O(s)} \to \{0,1\}$
pr2(x)
Randomizing polynomials for threshold [IK00]
prO(s)(x)
prsO(1)(x,?)
private randomness
23 Roadmap
From polynomials to protocol
24 Client-Servers protocols from polynomials
- Goal: evaluate multivariate polynomials held by the servers on a point held by the client.
- Standard techniques for secure computation [BGW88, CCD88, BF90]
- Number of servers proportional to the degree
- Communication proportional to number of polynomials (and client's input)
- Enhancements
- Protecting server privacy [GIKM98]
- Reducing number of servers [WY05]
Shamir-shares of x
Public randomness r
Evaluate pr on shares
Recover pr(x) by interpolation
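The four steps above (share, evaluate on shares, interpolate), as an added example that is not code from the talk. Assumptions of this sketch: a prime field instead of GF(2) and its extensions, a servers' polynomial that counts database entries equal to x (exact keyword match, degree m in the m query bits), and no server-privacy enhancement. With t-private degree-t sharing, t·m + 1 servers are needed, which is the "servers proportional to the degree" cost.

```python
import random

P = 2**31 - 1  # prime modulus (assumption; the slides work over GF(2))

def share(bits, t, k, rng):
    # Degree-t Shamir sharing of every input bit; row s-1 goes to server s.
    polys = [[b] + [rng.randrange(P) for _ in range(t)] for b in bits]
    return [[sum(c * pow(s, e, P) for e, c in enumerate(f)) % P for f in polys]
            for s in range(1, k + 1)]

def server_eval(db, x_share):
    # Servers' polynomial: number of entries equal to x, evaluated on shares.
    total = 0
    for entry in db:
        prod = 1
        for xi, ei in zip(x_share, entry):
            # [x_i == e_i] as a degree-1 polynomial in x_i (e_i is constant)
            prod = prod * ((1 - xi - ei + 2 * xi * ei) % P) % P
        total = (total + prod) % P
    return total

def interpolate_at_zero(points):
    # Lagrange interpolation of (server index, answer) pairs at 0.
    result = 0
    for sj, yj in points:
        num = den = 1
        for sm, _ in points:
            if sm != sj:
                num = num * (-sm) % P
                den = den * (sj - sm) % P
        result = (result + yj * num * pow(den, P - 2, P)) % P
    return result

def query(x, db, t=1, rng=None):
    rng = rng or random.Random()
    k = t * len(x) + 1                      # t * degree + 1 servers
    shares = share(x, t, k, rng)            # client -> servers
    answers = [(s + 1, server_eval(db, sh)) for s, sh in enumerate(shares)]
    return interpolate_at_zero(answers)     # client recovers p(x)
```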
25 Multiparty protocols from polynomials
- Goal: evaluate multivariate polynomials known to all on distributed input and randomness.
- Standard techniques for secure computation [BGW88, CCD88, GRR98]
- Number of parties proportional to the degree
- Communication proportional to number of polynomials (and input length)
- Randomness
- Public randomness (r): independent of the inputs
- Private randomness (?): should remain a secret
26 Roadmap
Secure computation of constant-depth circuits with applications to database search problems
27 Conclusions
- Practically feasible solutions to large scale database search problems, e.g., partial match
- Nearly optimal communication and computation
- Reasonable number of servers (½ log n for partial match)
- No expensive crypto (e.g., public key operations)
- Challenge: obtain similar protocols in 2-party setting
- Extend [BGN05] from degree 2 to degree log n?
- Multiparty setting
- Nearly optimal communication and computation for a useful class of functions (AC0)
- Communication almost does not grow with circuit size
- Challenge: Higher complexity classes, e.g., NC1