Secure Computation of ConstantDepth Circuits with Applications to Database Search Problems Omer Bark

1
Secure Computation ofConstant-Depth Circuits
with Applications to Database Search
ProblemsOmer Barkol Yuval IshaiTechnion
2
Motivation private database search
D?
Client
Server
q
D
fermat and (last theorem or great theorem)
q?
What is he working on?
Article on Fermats Last Theorem
f(q,D)

• Want
• Server work O(D)
• Client work O(q)
• Communication O(q)

PIR CGKS95 f(q,D)Dq
OT/SPIR
3
Current approaches
D
q
f(q,D)

• Send all of D to the client
• Too much communication (D)
• No server privacy
• Use general purpose secure computation
  Yao86,GMW87
• Communication circuit size D
• Use PIR as a building block
• PIR data-structures CGN97,FIPR05,OS05
• Applies to a very limited class of problems
• set membership / keyword search
• approximate nearest neighbor
• Communication preserving protocol compiler NN01
• Generally requires exponential computation

Oh no! This might take me 7 years!
Benchmark partial match?
f( 10 , 0010 0110 1111 )1
Nothing
4
Observation Many database search problems can be
implemented by constant-depth circuits
output
depth 2
x1
xm
x2
inputs

• Gates OR,AND,NOT and XOR
• Unbounded fan-in and fan-out
• Depth length of the longest input?output path

5
Observation Many database search problems can be
implemented by constant-depth circuits
f(q,D)
6
Example partial match
1010
10
0110
0110
1011
1110
7
Observation Many database search problems can be
implemented by constant-depth circuits

• Computing on encrypted data longstanding
  question
• Case of 2-DNF recently solved BGN05

f(q,D)
8
Relaxation multiple servers
C
x
C
C
x?
C(x)
t servers

• Used in information theoretic PIR
• Replicated databases are common
• p2p networks
• Web content delivery (e.g., Akamai)
• t-privacy
• Client can choose servers he trusts

9
Main results

• t-secure protocol with
• Servers t(logC)depth-1
• Communication Õ(x)
• Client computation Õ(x)
• Server computation Õ(C)
• Rounds 1

Communication and work are optimal up to polylog
factors
Yeh!
C
C
C
10
Main results DNF/CNF/partial match

• n-term DNF / database with n entries
• Security threshold 1
• Secure protocol with
• Servers ½logn
• Communication Õ(x)
• Client computation Õ(x)
• Server computation Õ(n)

D has 230 entries
We need 15 servers
C
C
C
11
Second model multiparty computation
party
input x2
party
party
input x3
input x1
Const-depth circuit C
C(x) xx1x2.... xk
party
party
input x4
input x5

• General purpose secure computation
  GMW87,BGW88,CCD88
• Communication circuit size
• Communication efficient multiparty computation
  BFKR90
• Computation exponential in x
• Number of servers

12
Results multiparty setting

• t-secure multiparty protocol with
• Parties t(logC)depth-1
• Communication Õ(xpoly(parties))
• Computation Õ(C)
• Rounds O(1)
• optimal up to polylog factors

13
Roadmap
From database search to protocol
14
Roadmap
From database search to circuit
15
Roadmap
From circuit to polynomials
16
From circuit to polynomials

• Step A
• Represent a circuit by a low-degree randomized
  multivariate polynomial
• Field GF(2)
• Rely on technique of Raz87, Smo87

x1x2x4
x1
x2
x4
17
From circuit to polynomials
r1
r11
r?1

set ? s
r2
r12
r?2





rt
r1t
r?t

e-biased PRG
x1
x2

xt
r
18
From circuit to polynomials
Probpr(x) ? C(x) (n1)2-?
n-term DNF
For error 2-s set ? s log(n1)
( s log(n1))2
Total degree ?2
x1
x2
x3
x4
x5
x6
19
From circuit to polynomials
Step B Optimizations example for n-term DNF
Probpr(x) ? C(x) n2-? ? ¼
pr1(x)
For error ¼ set set ? logn 3
3( logn3)
Total degree 3?

x1
x2
x3
x4
x5
x6
20
From circuit to polynomials
Step B Optimizations example for n-term DNF
degree logn2 C(x)0 Probp(x)1 ? C(x)1
Probp(x)1 ?
More careful analysis
Recover C(x) using Majority
Recover C(x) using Threshold ¼

21
From circuit to polynomials
Step B Optimizations example for n-term DNF
O(s) polynomials of degree logn2
pr1(x)
pr2(x)
Probth¼(pr(x)) ? C(x) 2-s
prO(s)(x)
I have no privacy!
22
From circuit to polynomials
Step C Server Privacy
pr1(x,?)
pr2(x,?)
pr1(x)
th¼0,1O(s)?0,1
pr2(x)
Randomizing polynomials for threshold IK00
prO(s)(x)
prsO(1)(x,?)
private randomness
23
Roadmap
From polynomials to protocol
24
Client-Servers protocols from polynomials

• Goal evaluate multivariate polynomials held by
  the servers on a point held by the client.
• Standard techniques for secure computation
  BGW88, CCD88, BF90
• Number of servers proportional to the degree
• Communication proportional to of polynomials
  (and clients input)
• Enhancements
• Protecting server privacy GIKM98
• Reducing number of servers WY05

Shamir-shares of x
Public randomness r
Evaluate pr on shares
Recover pr(x) by interpolation
25
Multiparty protocols from polynomials

• Goal evaluate multivariate polynomials known to
  all on distributed input and randomness.
• Standard techniques for secure computation
  BGW88, CCD88, GRR98
• Number of parties proportional to the degree
• Communication proportional to of polynomials
  (and input lenght)
• Randomness
• Public randomness (r) independent of the inputs
• Private randomness (?) should remain a secret

26
Roadmap
Secure computation of constant-depth circuits
with applications to database search problems
27
Conclusions

• Practically feasible solutions to large scale
  database search problems, e.g., partial match
• Nearly optimal communication and computation
• Reasonable number of servers (½logn for partial
  match)
• No expensive crypto (e.g., public key operations)
• Challenge obtain similar protocols in 2-party
  setting
• Extend BGN05 from degree 2 to degree logn?
• Multiparty setting
• Nearly optimal communication and computation for
  a useful class of functions (AC0)
• Communication almost does not grow with circuit
  size
• Challenge Higher complexity classes, e.g., NC1

28

• Questions?