Prio: Private, Robust, and Efficient Computation of Aggregate - - PowerPoint PPT Presentation

Prio: Private, Robust, and Efficient Computation of Aggregate Statistics

Henry Corrigan-Gibbs and Dan Boneh
 Stanford University

NSDI 2017

Twitter usage Blood pressure

Today: Non-private
 aggregation

StressTracker

Twitter usage Blood pressure

Today: Non-private
 aggregation

Each user has a
 private data point StressTracker

StressTracker

Blood pressure

Today: Non-private
 aggregation

Twitter usage

StressTracker

Blood pressure

Today: Non-private
 aggregation

Twitter usage

StressTracker

Blood pressure

B(T) = c

1

· T + c

Today: Non-private
 aggregation

Twitter usage

StressTracker

Blood pressure

B(T) = c

1

· T + c

Today: Non-private
 aggregation

The app provider learned more than it needed

Twitter usage

StressTracker

Blood pressure

Today: Non-private
 aggregation

Twitter usage

StressTracker

App store

Blood pressure

This paper:
 Private aggregation

Twitter usage

StressTracker

App store

Blood pressure

This paper:
 Private aggregation

Clients send an
 encrypted share of their data to each aggregator

Twitter usage

StressTracker

App store

Blood pressure

This paper:
 Private aggregation

Clients send an
 encrypted share of their data to each aggregator

Twitter usage

StressTracker

App store

Blood pressure

This paper:
 Private aggregation

Clients send an
 encrypted share of their data to each aggregator

Twitter usage

Blood pressure

The aggregators
 learn no private client data

This paper:
 Private aggregation

B(T) = c

1

· T + c

StressTracker

App store

Twitter usage

Private aggregation

f(x1, …, xN)

x1 x3 xN x2

…

• 1. Exact correctness

If all servers are honest, servers learn f(·)

• 2. Privacy

If one server is honest, servers learn only* f(·)

• 3. Robustness

Malicious clients have bounded influence

• 4. Efficiency

No public-key crypto (apart from TLS)
 1000s of submissions per second

Blood pressure

200 100,000,000

StressTracker

App store

Twitter usage

Blood pressure

200 100,000,000

StressTracker

App store

Twitter usage

Private aggregation

f(x1, …, xN)

x1 xN x2

…

• 1. Exact correctness

If all servers are honest, servers learn f(·)

• 2. Privacy

If one server is honest, servers learn only* f(·)

• 3. Robustness

Malicious clients have bounded influence

• 4. Efficiency

No public-key crypto (apart from TLS)
 1000s of submissions per second

Prio is the first system to achieve all four.

x3

Private aggregation

f(x1, …, xN)

x1 xN x2

…

• 1. Exact correctness

If all servers are honest, servers learn f(·)

• 2. Privacy

If one server is honest, servers learn only* f(·)

• 3. Robustness

Malicious clients have bounded influence

• 4. Efficiency

No public-key crypto (apart from TLS)
 1000s of submissions per second

Prio is the first system to achieve all four.

…and Prio supports a wide range of aggregation
 functions f(·)

x3

Private aggregation

f(x1, …, xN)

x1 xN x2

…

• 1. Exact correctness

If all servers are honest, servers learn f(·)

• 2. Privacy

If one server is honest, servers learn only* f(·)

• 3. Robustness

Malicious clients have bounded influence

• 4. Efficiency

No public-key crypto (apart from TLS)
 1000s of submissions per second

Prio is the first system to achieve all four.

x3

Contributions

• 1. Secret-shared non-interactive proofs (SNIPs)


– Client proves that its encoded submission is well-formed
 – We do not need the power of traditional “heavy” crypto tools
 


• 2. Aggregatable encodings


Can compute sums privately ⟹ Can compute f(·) privately


…for many f’s of interest


Related systems

• Additively homomorphic encryption


P4P (2010), Private stream aggregation (2011), Grid aggregation (2011),
 PDDP (2012), SplitX (2013), PrivEx (2014), PrivCount (2016),
 Succinct sketches (2016), …

• Multi-party computation [GMW87], [BGW88]


FairPlay (2004), Brickell-Shmatikov (2006), FairplayMP (2008), SEPIA (2010),
 Private matrix factorization (2013), JustGarble (2013), …

• Anonymous credentials/tokens


VPriv (2009), PrivStats (2011), ANONIZE (2014), …

• Randomized response [W65], [DMNS06], [D06]


RAPPOR (2014, 2016)

Prio is the first system to achieve
 exact correctness, privacy, robustness, efficiency.

Outline

• Background: The private aggregation problem
• A straw-man solution for private sums
• Providing robustness with SNIPs
• Evaluation
• Encodings for complex aggregates

Outline

• Background: The private aggregation problem
• A straw-man solution for private sums
• Providing robustness with SNIPs
• Evaluation
• Encodings for complex aggregates

Warm-up: Computing private sums

Warm-up: Computing private sums

• Every device i holds a value xi
• We want to compute


f(x1, …, xN) = x1 + … + xN 
 without learning any users’ private value xi.

Warm-up: Computing private sums

• Every device i holds a value xi
• We want to compute


f(x1, …, xN) = x1 + … + xN 
 without learning any users’ private value xi. 
 Example: Privately measuring traffic congestion. xi = 1 if user i is on the Bay Bridge
 = 0

• therwise

The sum x1 + … + xN yields the number of app users


• n the Bay Bridge.

Private sums:
 A “straw-man” scheme

Server A Server B Server C

[Chaum88], [BGW88], …
 [KDK11] [DFKZ13] [PrivEx14] …

Private sums:
 A “straw-man” scheme

Server A Server B Server C

Assume that the servers are non-colluding. Equivalently: that at least one server is honest.

[Chaum88], [BGW88], …
 [KDK11] [DFKZ13] [PrivEx14] …

Private sums:
 A “straw-man” scheme

Server A Server B Server C

Assume that the servers are non-colluding. Equivalently: that at least one server is honest.

[Chaum88], [BGW88], …
 [KDK11] [DFKZ13] [PrivEx14] …

Imagine: app store and app

StressTracker App store App

Private sums:
 A “straw-man” scheme

Server A Server B Server C

Assume that the servers are non-colluding. Equivalently: that at least one server is honest.

[Chaum88], [BGW88], …
 [KDK11] [DFKZ13] [PrivEx14] …

Imagine: app store and app

StressTracker App store App

Imagine: app store and app

Private sums:
 A “straw-man” scheme

Server A Server B Server C

Assume that the servers are non-colluding. Equivalently: that at least one server is honest.

[Chaum88], [BGW88], …
 [KDK11] [DFKZ13] [PrivEx14] …

Imagine: app store and app

StressTracker App store App

Imagine: app store and app

Spain Germany Iceland

Private sums:
 A “straw-man” scheme

Server A Server B Server C

[Chaum88], [BGW88], …
 [KDK11] [DFKZ13] [PrivEx14] …

Server A Server B Server C

1

Secret sharing Pick three random “shares” that sum to 1. 1 = 15 + (-12) + (- 2) (mod 31)

Private sums:
 A “straw-man” scheme

Need all three shares to recover the shared value.

Server A Server B Server C

1

Secret sharing Pick three random “shares” that sum to 1. 1 = 15 + (-12) + (- 2) (mod 31)

Private sums:
 A “straw-man” scheme

In real system, we
 use a “big” prime

Need all three shares to recover the shared value.

Server A Server B Server C

1

Secret sharing Pick three random “shares” that sum to 1. 1 = 15 + (-12) + (- 2) (mod 31)

Private sums:
 A “straw-man” scheme

Need all three shares to recover the shared value.

Server A Server B Server C

1

Secret sharing Pick three random “shares” that sum to 1. 1 = 15 + (-12) + (- 2) (mod 31)

Private sums:
 A “straw-man” scheme

Need all three shares to recover the shared value.

Server A Server B Server C

1

Secret sharing Pick three random “shares” that sum to 1. 1 = 15 + (-12) + (- 2) (mod 31)

Private sums:
 A “straw-man” scheme

15

• 12
• 2

Need all three shares to recover the shared value.

Server A Server B Server C

Private sums:
 A “straw-man” scheme

15

• 12
• 2

1

Server A Server B Server C

15

• 12
• 2

Private sums:
 A “straw-man” scheme

1

Server A Server B Server C

Private sums:
 A “straw-man” scheme

15

• 12
• 2

Server A Server B Server C

Private sums:
 A “straw-man” scheme

15

• 12
• 2

= (-10) + 7 + 3

Server A Server B Server C

Private sums:
 A “straw-man” scheme

15

• 12
• 2

= (-10) + 7 + 3

Server A Server B Server C

• 10

Private sums:
 A “straw-man” scheme

15

• 12
• 2

7 3 = (-10) + 7 + 3

Server A Server B Server C

• 10

Private sums:
 A “straw-man” scheme

15

• 12
• 2

7 3

Server A Server B Server C

Private sums:
 A “straw-man” scheme

15

• 12
• 2

7 3

• 10

Server A Server B Server C

Private sums:
 A “straw-man” scheme

15-10

• 12+7
• 2+3

Server A Server B Server C

…

Private sums:
 A “straw-man” scheme

15-10+…

• 12+7+…
• 2+3+…

Server A Server B Server C

SB SC SA

Private sums:
 A “straw-man” scheme

Server A Server B Server C

SB SC SA

Private sums:
 A “straw-man” scheme

SA + SB + SC = 15 + -10 + …

Server A Server B Server C

SB SC SA

Private sums:
 A “straw-man” scheme

SA + SB + SC = 15 + -10 + …

Server A Server B Server C

SB SC SA SA + SB + SC = 1 + 0 + … + 1

Private sums:
 A “straw-man” scheme

SA + SB + SC = 15 + -10 + …

Server A Server B Server C

SB SC SA SA + SB + SC = 1 + 0 + … + 1 Servers learn the
 sum of client values and learn nothing else.

Private sums:
 A “straw-man” scheme

SA + SB + SC = 15 + -10 + …

Server A Server B Server C

SB SC SA SA + SB + SC = 1 + 0 + … + 1 Servers learn the
 sum of client values and learn nothing else.

Private sums:
 A “straw-man” scheme

SA + SB + SC = 15 + -10 + …

Server A Server B Server C

SB SC SA SA + SB + SC = 1 + 0 + … + 1 Servers learn the
 sum of client values and learn nothing else.

Private sums:
 A “straw-man” scheme

SA + SB + SC = 15 + -10 + …

Learn that three phones are on the Bay Bridge— don’t know which three

Computing private sums

Computing private sums

Exact correctness: If everyone follows the protocol, servers compute the sum of all xis. Privacy: Any proper subset of the servers learns nothing but the sum of the xis. Efficiency: Follows by inspection.

Computing private sums

Exact correctness: If everyone follows the protocol, servers compute the sum of all xis. Privacy: Any proper subset of the servers learns nothing but the sum of the xis. Efficiency: Follows by inspection. Robustness: ???

Server A Server B Server C

F

Private sums:
 A “straw-man” scheme

x

15-10

• 12+7
• 2+3

Server A Server B Server C

F

Private sums:
 A “straw-man” scheme

x

x is supposed to be a 0/1 value

15-10

• 12+7
• 2+3

Server A Server B Server C

F

Private sums:
 A “straw-man” scheme

x

15-10

• 12+7
• 2+3

Server A Server B Server C

Private sums:
 A “straw-man” scheme

15-10

• 12+7
• 2+3

Server A Server B Server C

Private sums:
 A “straw-man” scheme

An evil client needn’t follow the rules!

15-10

• 12+7
• 2+3

+ + = 21

Server A Server B Server C

Private sums:
 A “straw-man” scheme

An evil client needn’t follow the rules!

10 4 7

15-10

• 12+7
• 2+3

Server A Server B Server C

Private sums:
 A “straw-man” scheme

10 4 7

15-10

• 12+7
• 2+3

Server A Server B Server C

F

Private sums:
 A “straw-man” scheme

garbage garbage garbage

Server A Server B Server C

F

Private sums:
 A “straw-man” scheme

garbage garbage garbage

Users have incentives to cheat Typical defenses
 (NIZKs) are costly A single bad client can undetectably corrupt the sum

Outline

• Background: The private aggregation problem
• A straw-man solution for private sums
• Providing robustness with SNIPs
• Evaluation
• Encodings for complex aggregates

Outline

• Background: The private aggregation problem
• A straw-man solution for private sums
• Providing robustness with SNIPs
• Evaluation
• Encodings for complex aggregates

Server A Server B Server C

Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

Server A Server B Server C

Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

+ ( ) + ( ) = 1

Server A Server B Server C

15

• 12
• 2

Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

Server A Server B Server C

15

• 12
• 2

Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

Server A Server B Server C

15

• 12
• 2

Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

Server A Server B Server C

15

• 12
• 2

Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs)

The servers want to ensure that their shares sum to 0 or 1
 …without learning x.

x = 1

Server A Server B Server C

• hold shares of the client’s private value x
• hold an arbitrary public predicate Valid(·) 


– expressed as an arithmetic circuit

• want to test if “Valid(x)” holds, without leaking x

Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs)

More generally, servers

x = 1 xa xb xc

Server A Server B Server C

• hold shares of the client’s private value x
• hold an arbitrary public predicate Valid(·) 


– expressed as an arithmetic circuit

• want to test if “Valid(x)” holds, without leaking x

Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs)

More generally, servers

x = 1 xa xb xc

For our running example:
 Valid(x) = “x ∈ {0,1}”

Server A Server B Server C

• hold shares of the client’s private value x
• hold an arbitrary public predicate Valid(·) 


– expressed as an arithmetic circuit

• want to test if “Valid(x)” holds, without leaking x

Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs)

More generally, servers

x = 1 xa xb xc

Server A Server B Server C

Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1 xa xb xc

Server A Server B Server C

πa Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1 xa xb xc

Server A Server B Server C

πb πa Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1 xa xb xc

Server A Server B Server C

πb πa πc Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1 xa xb xc

xa xb xc

Server A Server B Server C

πa, πb, πc, Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

xa xb xc

Server A Server B Server C

πa, πb, πc, Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

xa xb xc

Server A Server B Server C

πa, πb, πc, Servers gossip Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

xa xb xc

Server A Server B Server C

πa, πb, πc, Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

xa xb xc

Server A Server B Server C

Ok.

πa, πb, πc, Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

xa xb xc

Server A Server B Server C

Ok. Ok.

πa, πb, πc, Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

xa xb xc

Server A Server B Server C

Ok. Ok. Ok.

πa, πb, πc, Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

xa xb xc

Server A Server B Server C

πa, πb, πc, Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

Server A Server B Server C

xa xb xc

Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

xa xb xc

Server A Server B Server C

πa, πb, πc, Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

xa xb xc

Server A Server B Server C

Fail

πa, πb, πc, Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

xa xb xc

Server A Server B Server C

Fail Fail

πa, πb, πc, Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

xa xb xc

Server A Server B Server C

Fail Fail Fail

πa, πb, πc, Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

xa xb xc

Server A Server B Server C

πa, πb, πc, Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

xa xb xc

Server A Server B Server C

X X X

• Prio servers detect and reject malformed

client submissions

• In this example, each client can influence

the aggregate statistic by +/- 1, at most

Contribution 1
 Secret-shared
 non-interactive
 proofs (SNIPs) x = 1

Server A Server B Server C

The servers want to ensure that
 Valid(x) = Valid(xa+xb+xc) = 1
 …without learning x.

x = 1 xa xb xc How SNIPs work

xa xb xc

Server A Server B Server C

How SNIPs work

xa xb xc

Server A Server B Server C

How SNIPs work

Could run secure multiparty computation to check that Valid(x) = 1.


[GMW87], [BGW88]

xa xb xc

Server A Server B Server C

How SNIPs work

Could run secure multiparty computation to check that Valid(x) = 1.


[GMW87], [BGW88]

xa xb xc

Server A Server B Server C

How SNIPs work

Server A Server B Server C

How SNIPs work x xa xb xc

Server A Server B Server C

How SNIPs work x

Idea: Client generates the transcripts that servers would have observed in a multi-party computation

See also [IKOS07]

xa xb xc

xa xb xc

Server A Server B Server C

How SNIPs work x

Idea: Client generates the transcripts that servers would have observed in a multi-party computation

See also [IKOS07]

xa xb xc

xa xb xc

Server A Server B Server C

How SNIPs work x

xa xb xc

xa xb xc

Server A Server B Server C

How SNIPs work x xa xb xc

Server A Server B Server C

How SNIPs work x

Servers check that the transcripts are valid and consistent.

xa xb xc

Server A Server B Server C

How SNIPs work x

Servers check that the transcripts are valid and consistent.

πa πb πc xa xb xc

Server A Server B Server C

How SNIPs work x

Servers check that the transcripts are valid and consistent. Checking a transcript is
 much easier than generating it!

πa πb πc xa xb xc

Server A Server B Server C

How SNIPs work πa πb πc xa xb xc

Server A Server B Server C

How SNIPs work πa πb πc Da Db Dc xa xb xc

Server A Server B Server C

How SNIPs work πa πb πc Da Db Dc xa xb xc

“Randomized digest”


• f the transcript

Server A Server B Server C

How SNIPs work πa πb πc Da Db Dc xa xb xc

Server A Server B Server C

How SNIPs work Da Db Dc

[BFO12]

Server A Server B Server C

How SNIPs work Da Db Dc

[BFO12]

• If x is valid,

Da + Db + Dc = 0

• If x is invalid,

Da + Db + Dc ≠ 0 with high probability 
 Servers run lightweight multi-party computation to check that 
 Da + Db + Dc = 0 If so, servers accept x is valid.

Server A Server B Server C

How SNIPs work Da Db Dc

[BFO12]

• If x is valid,

Da + Db + Dc = 0

• If x is invalid,

Da + Db + Dc ≠ 0 with high probability 
 Servers run lightweight multi-party computation to check that 
 Da + Db + Dc = 0 If so, servers accept x is valid.

Server A Server B Server C

How SNIPs work Da Db Dc

O(1) O(1) O(1)

[BFO12]

M = # of multiplication gates in Valid(·) circuit

Public-key ops. Communication Slow- down Client Server C-to-S S-to-S

M = # of multiplication gates in Valid(·) circuit

Public-key ops. Communication Slow- down Client Server C-to-S S-to-S

Dishonest-maj. MPC

Θ(M) Θ(M) 5,000x


at server

[CLOS02], [DPSZ12], …

M = # of multiplication gates in Valid(·) circuit

Public-key ops. Communication Slow- down Client Server C-to-S S-to-S

Dishonest-maj. MPC

Θ(M) Θ(M) 5,000x


at server

Commits + NIZKs

Θ(M) Θ(M) Θ(M) Θ(M) 50x


at server

[FS86], [CP92], [CS97], … [CLOS02], [DPSZ12], …

M = # of multiplication gates in Valid(·) circuit

Public-key ops. Communication Slow- down Client Server C-to-S S-to-S

Dishonest-maj. MPC

Θ(M) Θ(M) 5,000x


at server

Commits + NIZKs

Θ(M) Θ(M) Θ(M) Θ(M) 50x


at server

Commits + SNARKs

Θ(M) O(1) O(1) O(1) 500x

at client

[FS86], [CP92], [CS97], … [GGPR13], [BCGTV13], … [CLOS02], [DPSZ12], …

M = # of multiplication gates in Valid(·) circuit

Public-key ops. Communication Slow- down Client Server C-to-S S-to-S

Dishonest-maj. MPC

Θ(M) Θ(M) 5,000x


at server

Commits + NIZKs

Θ(M) Θ(M) Θ(M) Θ(M) 50x


at server

Commits + SNARKs

Θ(M) O(1) O(1) O(1) 500x

at client

This work: SNIPs

Θ(M) O(1) 1x

[FS86], [CP92], [CS97], … [GGPR13], [BCGTV13], … [CLOS02], [DPSZ12], …

M = # of multiplication gates in Valid(·) circuit

Public-key ops. Communication Slow- down Client Server C-to-S S-to-S

Dishonest-maj. MPC

Θ(M) Θ(M) 5,000x


at server

Commits + NIZKs

Θ(M) Θ(M) Θ(M) Θ(M) 50x


at server

Commits + SNARKs

Θ(M) O(1) O(1) O(1) 500x

at client

This work: SNIPs

Θ(M) O(1) 1x

[FS86], [CP92], [CS97], … [GGPR13], [BCGTV13], …

For specific Valid() circuits, it is possible to eliminate this cost [BGI16]

[CLOS02], [DPSZ12], …

M = # of multiplication gates in Valid(·) circuit

Public-key ops. Communication Slow- down Client Server C-to-S S-to-S

Dishonest-maj. MPC

Θ(M) Θ(M) 5,000x


at server

Commits + NIZKs

Θ(M) Θ(M) Θ(M) Θ(M) 50x


at server

Commits + SNARKs

Θ(M) O(1) O(1) O(1) 500x

at client

This work: SNIPs

Θ(M) O(1) 1x

[FS86], [CP92], [CS97], … [GGPR13], [BCGTV13], … [CLOS02], [DPSZ12], …

Outline

• Background: The private aggregation problem
• A straw-man solution for private sums
• Providing robustness with SNIPs
• Evaluation
• Encodings for complex aggregates

Outline

• Background: The private aggregation problem
• A straw-man solution for private sums
• Providing robustness with SNIPs
• Evaluation
• Encodings for complex aggregates

Evaluation

• Implemented Prio in Go


(see optimizations described in paper)

• Five-server cluster in EC2
• System collects the sum

• f “N” 0/1 values


Four variants

• 1. No privacy
• 2. No robustness (“straw man”)
• 3. Prio

(privacy + robustness)

• 4. NIZK

(privacy + robustness)

Evaluation

• Implemented Prio in Go


(see optimizations described in paper)

• Five-server cluster in EC2
• System collects the sum

• f “N” 0/1 values


Four variants

• 1. No privacy
• 2. No robustness (“straw man”)
• 3. Prio

(privacy + robustness)

• 4. NIZK

(privacy + robustness)

E.g., for privately measuring telemetry data.

Evaluation

• Implemented Prio in Go


(see optimizations described in paper)

• Five-server cluster in EC2
• System collects the sum

• f “N” 0/1 values


Four variants

• 1. No privacy
• 2. No robustness (“straw man”)
• 3. Prio

(privacy + robustness)

• 4. NIZK

(privacy + robustness)

Evaluation

• Implemented Prio in Go


(see optimizations described in paper)

• Five-server cluster in EC2
• System collects the sum

• f “N” 0/1 values


Four variants

• 1. No privacy
• 2. No robustness (“straw man”)
• 3. Prio

(privacy + robustness)

• 4. NIZK

(privacy + robustness)

• ne server

Evaluation

• Implemented Prio in Go


(see optimizations described in paper)

• Five-server cluster in EC2
• System collects the sum

• f “N” 0/1 values


Four variants

• 1. No privacy
• 2. No robustness (“straw man”)
• 3. Prio

(privacy + robustness)

• 4. NIZK

(privacy + robustness)

• ne server

five servers

Five-server cluster in five Amazon data centers

24 26 28 210 212 214 216 Submission length (0/1 integers) 1 10 100 1000 10000 Submissions processed/s NIZK

Five-server cluster in five Amazon data centers

24 26 28 210 212 214 216 Submission length (0/1 integers) 1 10 100 1000 10000 Submissions processed/s Prio NIZK

Five-server cluster in five Amazon data centers

24 26 28 210 212 214 216 Submission length (0/1 integers) 1 10 100 1000 10000 Submissions processed/s Prio NIZK

Five-server cluster in five Amazon data centers

24 26 28 210 212 214 216 Submission length (0/1 integers) 1 10 100 1000 10000 Submissions processed/s Prio NIZK

50x performance improvement

Five-server cluster in five Amazon data centers

24 26 28 210 212 214 216 Submission length (0/1 integers) 1 10 100 1000 10000 Submissions processed/s No robustness Prio NIZK

24 26 28 210 212 214 216 Submission length (0/1 integers) 1 10 100 1000 10000 Submissions processed/s No robustness Prio NIZK No privacy

Five-server cluster in five Amazon data centers

24 26 28 210 212 214 216 Submission length (0/1 integers) 1 10 100 1000 10000 Submissions processed/s No robustness Prio NIZK No privacy

Five-server cluster in five Amazon data centers

Within 10x of
 no privacy

22 26 210 214 Submission length (0/1 integers) 256 B 4 KiB 64 KiB 1 MiB Per-server data transfer N I Z K Prio

22 26 210 214 Submission length (0/1 integers) 256 B 4 KiB 64 KiB 1 MiB Per-server data transfer N I Z K Prio

22 26 210 214 Submission length (0/1 integers) 256 B 4 KiB 64 KiB 1 MiB Per-server data transfer N I Z K Prio

Servers exchange
 a constant number


• f bytes

Outline

• Background: The private aggregation problem
• A straw-man solution for private sums
• Providing robustness with SNIPs
• Evaluation
• Encodings for complex aggregates

Outline

• Background: The private aggregation problem
• A straw-man solution for private sums
• Providing robustness with SNIPs
• Evaluation
• Encodings for complex aggregates

Known techniques: Complex statistics

If you can compute private sums, you can compute many

• ther interesting aggregates using known techniques
• Average
• Variance
• Standard deviation
• Most popular (approx)
• “Heavy hitters” (approx)
• Min and max (approx)
• Quality of arbitrary regression model (R2)
• Least-squares regression
• Stochastic gradient descent [Bonawitz et al. 2016]

[PrivStats11], [KDK11], [DFKZ13], [PrivEx14], [MDD16], …

Known techniques: Complex statistics

If you can compute private sums, you can compute many

• ther interesting aggregates using known techniques
• Average
• Variance
• Standard deviation
• Most popular (approx)
• “Heavy hitters” (approx)
• Min and max (approx)
• Quality of arbitrary regression model (R2)
• Least-squares regression
• Stochastic gradient descent [Bonawitz et al. 2016]

[PrivStats11], [KDK11], [DFKZ13], [PrivEx14], [MDD16], …

Contribution 2:
 SNIP-friendly encodings
 for these statistics

Known techniques: Complex statistics

If you can compute private sums, you can compute many

• ther interesting aggregates using known techniques
• Average
• Variance
• Standard deviation
• Most popular (approx)
• “Heavy hitters” (approx)
• Min and max (approx)
• Quality of arbitrary regression model (R2)
• Least-squares regression
• Stochastic gradient descent [Bonawitz et al. 2016]

[PrivStats11], [KDK11], [DFKZ13], [PrivEx14], [MDD16], …

Contribution 2:
 SNIP-friendly encodings
 for these statistics Prio can’t compute all statistics efficiently

Known techniques: Complex statistics

If you can compute private sums, you can compute many

• ther interesting aggregates using known techniques
• Average
• Variance
• Standard deviation
• Most popular (approx)
• “Heavy hitters” (approx)
• Min and max (approx)
• Quality of arbitrary regression model (R2)
• Least-squares regression
• Stochastic gradient descent [Bonawitz et al. 2016]

[PrivStats11], [KDK11], [DFKZ13], [PrivEx14], [MDD16], …

Contribution 2:
 SNIP-friendly encodings
 for these statistics See the paper for the details Prio can’t compute all statistics efficiently

StressTracker

Blood pressure

Today

Twitter usage

StressTracker

Blood pressure

Today

Twitter usage

StressTracker

App store

Blood pressure

With Prio…

Twitter usage

StressTracker

App store

Blood pressure

With Prio…

Twitter usage

StressTracker

App store

Blood pressure

With Prio…

Twitter usage

Blood pressure

With Prio…

B(T) = c

1

· T + c

StressTracker

App store

Twitter usage

Conclusions

• Wholesale collection of sensitive user data puts our

security at risk.

• Prio is the first system for aggregation that provides:

– exact correctness, – privacy, – robustness, and – efficiency.

• To do so, Prio uses SNIPs and aggregatable encodings.
• These techniques together bring private aggregation

closer to practical.

Thank you!

Henry Corrigan-Gibbs henrycg@cs.stanford.edu 
 https://crypto.stanford.edu/prio/

Example Encoding: Average and Variance

[PrivStats11]

Example Encoding: Average and Variance

– Each of N clients holds a value xi – Servers want the AVG and VAR of the xis.

Each client i encodes her value x as the pair
 (x, y) = (x, x2) Simple to check that the encoding is valid:
 Valid(x, y) = (x2 - y) [outputs zero if valid]

[PrivStats11]

Example Encoding: Average and Variance

– Each of N clients holds a value xi – Servers want the AVG and VAR of the xis.

Each client i encodes her value x as the pair
 (x, y) = (x, x2) Simple to check that the encoding is valid:
 Valid(x, y) = (x2 - y) [outputs zero if valid] Use Prio to compute the sum of encodings ∑i (xi, yi)

[PrivStats11]

Example Encoding: Average and Variance

– Each of N clients holds a value xi – Servers want the AVG and VAR of the xis.

Each client i encodes her value x as the pair
 (x, y) = (x, x2) Simple to check that the encoding is valid:
 Valid(x, y) = (x2 - y) [outputs zero if valid] Use Prio to compute the sum of encodings ∑i (xi, yi) Then recover the statistics:
 AVG(X) = (∑i xi) / N
 AVG(X2) = (∑i yi) / N = (∑i xi2) / N
 VAR(X) = AVG(X2) - AVG(X)2

[PrivStats11]

BrCa

30x14-bit ints

Heart

13 mixed
 features

10 1 0.1 0.01 0.001

Using 128-bit
 integers

Submit
 data Using 128-bit
 integers

xa, πa

Submit
 data Using 128-bit
 integers

xa, πa

Submit
 data

xb, πb

Using 128-bit
 integers

xa, πa

Submit
 data

xb, πb xc, πc

Using 128-bit
 integers

xa, πa

Submit
 data Proportional to length

• f data submission and

size of “Valid” circuit

xb, πb xc, πc

Using 128-bit
 integers

xa, πa

Submit
 data

xb, πb xc, πc

Using 128-bit
 integers

xa, πa

Submit
 data

xb, πb xc, πc

Using 128-bit
 integers

AES key

xa, πa

AES key

Submit
 data

xb, πb xc, πc

Using 128-bit
 integers

AES key

xa, πa

AES key

Submit
 data Check that P(r) =? 0

xb, πb xc, πc

Using 128-bit
 integers

3 2 B 3 2 B 1 6 B 1 6 B 1 6 B 1 6 B

AES key

xa, πa

AES key

Submit
 data Check that P(r) =? 0 Accept/reject
 client data

xb, πb xc, πc

Using 128-bit
 integers

3 2 B 3 2 B 1 6 B 1 6 B 1 6 B 1 6 B

AES key

xa, πa

AES key Ok/fail bit Ok/fail bit

Submit
 data Check that P(r) =? 0 Accept/reject
 client data

xb, πb xc, πc

Using 128-bit
 integers

3 2 B 3 2 B 1 6 B 1 6 B 1 6 B 1 6 B

AES key

xa, πa

AES key Ok/fail bit Ok/fail bit

Submit
 data Check that P(r) =? 0 Accept/reject
 client data Does not grow with size

• f data or “Valid” circuit

xb, πb xc, πc

Using 128-bit
 integers

3 2 B 3 2 B 1 6 B 1 6 B 1 6 B 1 6 B

AES key

xa, πa

AES key Ok/fail bit Ok/fail bit

Submit
 data Check that P(r) =? 0 Accept/reject
 client data

xb, πb xc, πc

Using 128-bit
 integers

3 2 B 3 2 B 1 6 B 1 6 B 1 6 B 1 6 B

Example Encoding: Average and Variance

[PrivStats11]

Example Encoding: Average and Variance

– Each of N clients holds a 4-bit value xi – Servers want the AVG and VAR of the xis.


 Each client encodes her value x = b3b2b1b0 as the tuple
 (x, y) = (x, x2, b3, b2, b1, b0)

[PrivStats11]

Example Encoding: Average and Variance

– Each of N clients holds a 4-bit value xi – Servers want the AVG and VAR of the xis.


 Each client encodes her value x = b3b2b1b0 as the tuple
 (x, y) = (x, x2, b3, b2, b1, b0) 
 To test validity of the encoding, check that:
 
 Valid(x, y) = { (x2 - y) = 0 — y is x2
 { x - ∑j2j bj = 0 — b’s are the bits of x
 { bj ·(bj –1) = 0 — b’s are 0/1 values

[PrivStats11]