Prio: Private, Robust, and Efficient Computation of Aggregate - PowerPoint PPT Presentation

Prio: Private, Robust, and Efficient Computation of Aggregate Statistics. Henry Corrigan-Gibbs and Dan Boneh, Stanford University. NSDI 2017. Today: Non-private aggregation (StressTracker, blood pressure, Twitter usage). Today: Non-private


  1. Private sums: A “straw-man” scheme
 Server A: S_A; Server B: S_B; Server C: S_C. S_A + S_B + S_C = 15 + -10 + …

  3. Private sums: A “straw-man” scheme
 Server A: S_A; Server B: S_B; Server C: S_C. S_A + S_B + S_C = 15 + -10 + … S_A + S_B + S_C = 1 + 0 + … + 1

  4. Private sums: A “straw-man” scheme
 Server A: S_A; Server B: S_B; Server C: S_C. S_A + S_B + S_C = 15 + -10 + … S_A + S_B + S_C = 1 + 0 + … + 1
 Servers learn the sum of client values and learn nothing else.

  6. Private sums: A “straw-man” scheme
 Server A: S_A; Server B: S_B; Server C: S_C. S_A + S_B + S_C = 15 + -10 + … S_A + S_B + S_C = 1 + 0 + … + 1
 Learn that three phones are on the Bay Bridge, don’t know which three.
 Servers learn the sum of client values and learn nothing else.

  7. Computing private sums

  8. Computing private sums
 • Exact correctness: If everyone follows the protocol, servers compute the sum of all x_i's.
 • Privacy: Any proper subset of the servers learns nothing but the sum of the x_i's.
 • Efficiency: Follows by inspection.

  9. Computing private sums
 • Exact correctness: If everyone follows the protocol, servers compute the sum of all x_i's.
 • Privacy: Any proper subset of the servers learns nothing but the sum of the x_i's.
 • Efficiency: Follows by inspection.
 • Robustness: ???

  10. Private sums: A “straw-man” scheme
 Server A: 15-10; Server B: -12+7; Server C: -2+3. Client value: x

  11. Private sums: A “straw-man” scheme
 Server A: 15-10; Server B: -12+7; Server C: -2+3. Client value: x
 x is supposed to be a 0/1 value.

  12. Private sums: A “straw-man” scheme
 Server A: 15-10; Server B: -12+7; Server C: -2+3. Client value: x

  13. Private sums: A “straw-man” scheme
 Server A: 15-10; Server B: -12+7; Server C: -2+3

  14. Private sums: A “straw-man” scheme
 Server A: 15-10; Server B: -12+7; Server C: -2+3
 An evil client needn’t follow the rules!

  15. Private sums: A “straw-man” scheme
 Server A: 15-10; Server B: -12+7; Server C: -2+3. 10 + 4 + 7 = 21
 An evil client needn’t follow the rules!

  16. Private sums: A “straw-man” scheme
 Server A: 15-10; Server B: -12+7; Server C: -2+3. Shares: 10, 4, 7

  17. Private sums: A “straw-man” scheme
 Server A: garbage; Server B: garbage; Server C: garbage

  18. Private sums: A “straw-man” scheme
 Server A: garbage; Server B: garbage; Server C: garbage
 • A single bad client can undetectably corrupt the sum
 • Users have incentives to cheat
 • Typical defenses (NIZKs) are costly

  19. Outline • Background: The private aggregation problem • A straw-man solution for private sums • Providing robustness with SNIPs • Evaluation • Encodings for complex aggregates

  21. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1

  23. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. 15 + (-12) + (-2) = 1

  24. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Shares: 15, -12, -2

  26. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Shares: 15, -12, -2
 The servers want to ensure that their shares sum to 0 or 1 …without learning x.

  27. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Shares: x_a, x_b, x_c
 More generally, servers
 • hold shares of the client’s private value x
 • hold an arbitrary public predicate Valid(·) – expressed as an arithmetic circuit
 • want to test if “Valid(x)” holds, without leaking x

  28. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Shares: x_a, x_b, x_c
 More generally, servers
 • hold shares of the client’s private value x
 • hold an arbitrary public predicate Valid(·) – expressed as an arithmetic circuit
 • want to test if “Valid(x)” holds, without leaking x
 For our running example: Valid(x) = “x ∈ {0,1}”

  29. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Shares: x_a, x_b, x_c
 More generally, servers
 • hold shares of the client’s private value x
 • hold an arbitrary public predicate Valid(·) – expressed as an arithmetic circuit
 • want to test if “Valid(x)” holds, without leaking x

  30. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Shares: x_a, x_b, x_c

  31. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Shares: x_a, x_b, x_c. Proof shares: π_a

  32. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Shares: x_a, x_b, x_c. Proof shares: π_a, π_b

  33. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Shares: x_a, x_b, x_c. Proof shares: π_a, π_b, π_c

  34. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Pairs: (π_a, x_a), (π_b, x_b), (π_c, x_c)

  36. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Pairs: (π_a, x_a), (π_b, x_b), (π_c, x_c)
 Servers gossip

  37. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Pairs: (π_a, x_a), (π_b, x_b), (π_c, x_c)

  38. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Pairs: (π_a, x_a), (π_b, x_b), (π_c, x_c)
 Ok.

  39. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Pairs: (π_a, x_a), (π_b, x_b), (π_c, x_c)
 Ok. Ok.

  40. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Pairs: (π_a, x_a), (π_b, x_b), (π_c, x_c)
 Ok. Ok. Ok.

  41. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Pairs: (π_a, x_a), (π_b, x_b), (π_c, x_c)

  42. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Client: x = 1. Shares: x_a, x_b, x_c

  43. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Pairs: (π_a, x_a), (π_b, x_b), (π_c, x_c)

  44. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Pairs: (π_a, x_a), (π_b, x_b), (π_c, x_c)
 Fail

  45. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Pairs: (π_a, x_a), (π_b, x_b), (π_c, x_c)
 Fail Fail

  46. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Pairs: (π_a, x_a), (π_b, x_b), (π_c, x_c)
 Fail Fail Fail

  47. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Pairs: (π_a, x_a), (π_b, x_b), (π_c, x_c)

  48. Contribution 1: Secret-shared non-interactive proofs (SNIPs)
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Shares: x_a, x_b, x_c (each marked X)
 • Prio servers detect and reject malformed client submissions
 • In this example, each client can influence the aggregate statistic by +/- 1, at most

  49. How SNIPs work
 Server A: 0; Server B: 0; Server C: 0. Client: x = 1. Shares: x_a, x_b, x_c
 The servers want to ensure that Valid(x) = Valid(x_a + x_b + x_c) = 1 …without learning x.

  50. How SNIPs work
 Shares: x_a, x_b, x_c

  51. How SNIPs work
 Shares: x_a, x_b, x_c
 Could run secure multiparty computation to check that Valid(x) = 1. [GMW87], [BGW88]

  52. How SNIPs work
 Shares: x_a, x_b, x_c
 Could run secure multiparty computation to check that Valid(x) = 1. [GMW87], [BGW88]
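
Added example (not from the slides or from the Prio code base): the straw-man scheme of slides 10-18 and the Valid(x) predicate of slides 27-28 in Python, assuming additive sharing modulo a prime P chosen here. It shows the shares 10, 4, 7 shifting the total without any server noticing, and why a server cannot evaluate the circuit on its own share.

```python
import secrets

P = 2**61 - 1  # assumed prime field modulus; the slides do not name one

def share(x, n=3):
    """Split x into n additive shares that sum to x mod P (one per server)."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    return parts + [(x - sum(parts)) % P]

def aggregate(submissions):
    """Server i adds the i-th share of every submission; the total is published."""
    accumulators = [sum(column) % P for column in zip(*submissions)]
    return sum(accumulators) % P

def valid(x):
    """Valid(x) = "x in {0,1}" written as an arithmetic circuit: x*(x-1) == 0."""
    return (x * (x - 1)) % P == 0

def straw_man_demo():
    # Constructed inputs: the slide's shares 15, -12, -2 (x = 1) plus four more.
    honest = [[15, -12, -2]] + [share(b) for b in (0, 1, 1, 0)]
    clean = aggregate(honest)
    # The cheating client from the slides: shares 10, 4, 7 encode x = 21.
    corrupted = aggregate(honest + [[10, 4, 7]])
    return clean, corrupted

def local_check_is_useless(x):
    """Apply the circuit to each share separately, as a lone server could.

    x*(x-1) is not linear, so the per-share results say nothing about
    Valid(x): shares of a valid x fail the check just like invalid ones,
    and summing the per-share outputs does not give x*(x-1).
    """
    shares = share(x)
    per_share_ok = [valid(s) for s in shares]
    combined = sum(s * (s - 1) for s in shares) % P
    return per_share_ok, combined == (x * (x - 1)) % P

if __name__ == "__main__":
    print(straw_man_demo())            # (3, 24)
    print(local_check_is_useless(1))   # ([False, False, False], False)
```

The second result holds except with negligible probability over the random shares, which is the gap that the joint check on slide 51 (MPC) or a SNIP has to close.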
