Weakly Private Information Retrieval Under the Maximal Leakage Metric - - PowerPoint PPT Presentation

Weakly Private Information Retrieval Under the Maximal Leakage Metric

Ruida Zhou, Tao Guo, Chao Tian

Texas A&M University

ISIT 2020

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 1 / 20

Private Information Retrieval (PIR)

(N, K) non-colluding PIR:

...... server 0 server 1 server 2 server N-1

N servers: server 0, server 1, . . . , server N-1; K messages: W0, W1, . . . , WK−1;

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 2 / 20

Private Information Retrieval (PIR)

User wants the message WM, where M is a random variable in {0, 1, . . . , K − 1}.

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 3 / 20

Private Information Retrieval (PIR)

User wants the message WM, where M is a random variable in {0, 1, . . . , K − 1}. When M = k,

...... server 0 server 1 server 2 server N-1

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 3 / 20

Private Information Retrieval (PIR)

User wants the message WM, where M is a random variable in {0, 1, . . . , K − 1}. When M = k,

...... server 0 server 1 server 2 server N-1

User: uses a random key F to generate queries Q[k]

n ;

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 3 / 20

Private Information Retrieval (PIR)

User wants the message WM, where M is a random variable in {0, 1, . . . , K − 1}. When M = k,

...... server 0 server 1 server 2 server N-1

User: uses a random key F to generate queries Q[k]

n ;

Server n: return answer A[k]

n

after receiving the query;

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 3 / 20

Private Information Retrieval (PIR)

User wants the message WM, where M is a random variable in {0, 1, . . . , K − 1}. When M = k,

...... server 0 server 1 server 2 server N-1

User: uses a random key F to generate queries Q[k]

n ;

Server n: return answer A[k]

n

after receiving the query; User: recovers ˆ Wk = ψ(A[k]

0:N−1, k, F).

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 3 / 20

Private Information Retrieval (PIR)

User wants the message WM, where M is a random variable in {0, 1, . . . , K − 1}. When M = k,

...... server 0 server 1 server 2 server N-1

User: uses a random key F to generate queries Q[k]

n ;

Server n: return answer A[k]

n

after receiving the query; User: recovers ˆ Wk = ψ(A[k]

0:N−1, k, F).

Requirements: Correctness: ˆ Wk = Wk; Privacy: the query distribution Pr(Q[k]

n

= q) = Pr(Q[k′]

n

= q).

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 3 / 20

Private Information Retrieval (PIR)

User wants the message WM, where M is a random variable in {0, 1, . . . , K − 1}. When M = k,

...... server 0 server 1 server 2 server N-1

Requirements: Correctness: ˆ Wk = Wk; Privacy: for any n, Q[M]

n

does not leak the privacy of M.

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 4 / 20

How do we measure privacy leakage?

Privacy: for any n, Q[M]

n

does not leak any privacy of M.

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 5 / 20

How do we measure privacy leakage?

Privacy: for any n, Q[M]

n

does not leak any privacy of M. Mutual information; Differential privacy; Maximal leakage metric; etc.

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 5 / 20

How do we measure privacy leakage?

Privacy: for any n, Q[M]

n

does not leak any privacy of M. Mutual information; Differential privacy; Maximal leakage metric; etc. Use a metric to quantify the leakage of identity privacy; If allow certain amount of the leakage, we have the weakly private information retrieval.

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 5 / 20

Weakly Private Information Retrieval (WPIR)

User wants the message WM, where M is a random variable in {0, 1, . . . , K − 1}. When M = k,

...... server 0 server 1 server 2 server N-1

Requirements: Correctness: ˆ Wk = Wk; ρ-Privacy: Leak(M → Q[M]

n

) ≤ ρ

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 6 / 20

Performance measure – download cost

Message size L – length of the message L := H(W0) = H(W1) = · · · = H(WK−1); Answer length ℓn – number of symbols downloaded from server n Download cost D D := 1 L

N−1

• n=0

E(ℓn)

• .

We aim to have lower download cost.

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 7 / 20

Review of WPIR

By the type of leakage metric Leak(M → Q[M]

n

) Lin et al (ISIT 2019) : mutual information is used to measure leakage Samy-Tandon-Lazos (ISIT 2019): differential privacy is used to measure leakage Jia (MS Thesis 2019): conditional entropy is used to measure leakage

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 8 / 20

Review of WPIR

By the type of leakage metric Leak(M → Q[M]

n

) Lin et al (ISIT 2019) : mutual information is used to measure leakage Samy-Tandon-Lazos (ISIT 2019): differential privacy is used to measure leakage Jia (MS Thesis 2019): conditional entropy is used to measure leakage In this work, we use the maximal leakage metric L.

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 8 / 20

Maximal Leakage Metric

Operational meaning of L(X → Y ): When guessing a function of X upon observing Y , the leakage is the logarithm of the ratio of the probability of a correct guess when Y is observed, to the probability of a correct guess when Y is not observed. L(X → Y ) = sup

U−X−Y −ˆ U

log Pr(U = ˆ U) maxu PU(u)

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 9 / 20

Maximal Leakage Metric

Operational meaning of L(X → Y ): When guessing a function of X upon observing Y , the leakage is the logarithm of the ratio of the probability of a correct guess when Y is observed, to the probability of a correct guess when Y is not observed. L(X → Y ) = sup

U−X−Y −ˆ U

log Pr(U = ˆ U) maxu PU(u) Math formula: L(X → Y ) = log

• y∈Y

max

x∈X: PX (x)>0

PY |X(y|x).

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 9 / 20

Maximal Leakage Metric

Operational meaning of L(X → Y ): When guessing a function of X upon observing Y , the leakage is the logarithm of the ratio of the probability of a correct guess when Y is observed, to the probability of a correct guess when Y is not observed. L(X → Y ) = sup

U−X−Y −ˆ U

log Pr(U = ˆ U) maxu PU(u) Math formula: L(X → Y ) = log

• y∈Y

max

x∈X: PX (x)>0

PY |X(y|x). For WPIR system L(M → Q[M]

n

) = log

• q∈Qn

max

k∈[0:K−1]: PM(k)>0

PQ[M]

n

|M(q|M = k)

The distribution of M is unknown, and also not required for calculating L(M → Q[M]

n

).

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 9 / 20

Extreme cases

Define the worst case maximal leakage – maximum privacy leakage of all servers ρ = max

n∈[0:N−1] L(M → Q[M] n

).

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 10 / 20

Extreme cases

Define the worst case maximal leakage – maximum privacy leakage of all servers ρ = max

n∈[0:N−1] L(M → Q[M] n

). Two extreme cases D ρ

?

No privacy: “direct download” D = 1, ρ = log K. Perfect privacy: Sun-Jafar’s scheme[TIT17]; Tian-Sun-Chen’s scheme[TIT19] Dpir = 1 + 1

N + 1 N2 + · · · + 1 NK−1 ,

ρ = 0.

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 10 / 20

Gentle Start: WPIR (N, K, ρ) = (2, 2, 0)

Review of TSC’s scheme server 0 server 1 a1 a1 b1 b1 Coding scheme: F ∈

• ,
• 1

1

• server 0

server 1 ∅ a1 ; F ∈

• ,
• 1

1

• server 0

server 1 a1 + b1 b1 Use random code structure to maintain privacy;

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 11 / 20

Gentle Start: WPIR (N, K, ρ) = (2, 2, 0)

Review of TSC’s scheme server 0 server 1 a1 a1 b1 b1 Coding scheme: F ∈

• ,
• 1

1

• server 0

server 1 ∅ a1 ; F ∈

• ,
• 1

1

• server 0

server 1 a1 + b1 b1 Some choice of F may lead to “direct download” code structure;

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 12 / 20

From no privacy to perfect privacy F pF · · ·

(a)

F pF · · ·

?

(b)

F pF · · ·

(c) Figure: Between the extreme case of (a) where download cost is minimized and the other extreme case of (c) where the privacy is prefect, we can adjust the probability distribution to achieve the tradeoff between ρ and D.

What is the optimal behavior of TSC’ code in between the two extreme cases?

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 13 / 20

Gentle Start: WPIR (N, K, ρ) = (2, 2, 0)

Review of Sun-Jafar’s scheme server 0 server 1 a1, a2, a3, a4 a1, a2, a3, a4 b1, b2, b3, b4 b1, b2, b3, b4 Coding scheme: Π ∈

• 1
• ,
• 1
• ,

server 0 server 1 a1, b1 a2, b2 a3 ⊕ b2 a4 ⊕ b1 ; Π ∈

• 1
• ,
• 1
• ,

server 1 server 0 a1, b1 a2, b2 a3 ⊕ b2 a4 ⊕ b1 Randomly permute the servers to maintain privacy; There is only one code structure.

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 14 / 20

Generalized TSC scheme

Control random permutation by w k

π

Let P be the set of all permutations of [0 : N − 1]. For each k ∈ [0 : K − 1], let Πk be a random variable in P, with a distribution P(Πk = π) = wk

π

Control random code structure by pk,π

f

For any permutation π ∈ P, any message index k ∈ [0 : K − 1], let F k,π be a random vector distributed as follows P(F k,π = f ) = pk,π

f

, ∀ f ∈ F. (1)

When M = k, Πk = π, and F k,π = f , retrieve the message under TSC scheme with random key f from the servers permuted according to π.

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 15 / 20

Example: N = 3, K = 2

Messages a = (a1, a2), b = (b1, b2). When permutation of servers π = (0, 1, 2) Requesting message a Requesting message b prob. server 0 server 1 server 2 prob. server 0 server 1 server 2 pa,012

(0)

a1 a2 pb,012

(0)

b1 b2 pa,012

(1)

a2 ⊕ b1 b1 a1 ⊕ b1 pb,012

(1)

a1 ⊕ b2 a1 a1 ⊕ b1 pa,012

(2)

a1 ⊕ b2 a2 ⊕ b2 b2 pb,012

(2)

a2 ⊕ b1 a2 ⊕ b2 a2 When permutation of servers π = (1, 0, 2) Requesting message a Requesting message b prob. server 0 server 1 server 2 prob. server 0 server 1 server 2 pa,102

(0)

a1 a2 pb,102

(0)

b1 b2 pa,102

(1)

b1 a2 ⊕ b1 a1 ⊕ b1 pb,102

(1)

a1 a1 ⊕ b2 a1 ⊕ b1 pa,102

(2)

a2 ⊕ b2 a1 ⊕ b2 b2 pb,102

(2)

a2 ⊕ b2 a2 ⊕ b1 a2

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 16 / 20

Optimize under generalized TSC scheme

Study the tradeoff between download cost constraint D∗ and worst case maximal leakage ρ. minimize: ρ {w k

π}, {pk,π f

}

• max

n∈[0:N−1]{L(M → Q[M] n

)} subject to: w k

π ≥ 0, ∀k ∈ [0 : K − 1], π ∈ P

pk,π

f

≥ 0, ∀k ∈ [0 : K − 1], π ∈ P, f ∈ F

• π∈Π

w k

π = 1, ∀k ∈ [0 : K − 1]

• f ∈F

pk,π

f

= 1, ∀k ∈ [0 : K − 1], π ∈ P N − mink∈[0:K−1]

• π∈P w k

πpk,π

N − 1 ≤ D∗. Obtain the optimal solution by analyzing the Karush-Kuhn-Tucker (KKT) conditions.

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 17 / 20

Solving the optimization problem

Theorem The optimal tradeoff between ρ and D of the generalized TSC scheme is ρ = log

• 1 + (N − 1)(K − 1)(NK − 1)

NK − N −NK−1(N − 1)2(K − 1) NK − N D

• , D ∈ [1, DPIR]

which is achieved by the following distribution w k

π =

1

N ,

∀ k ∈ [0 : K − 1], π ∈ P0 0,

• therwise

where P0 is the set of cyclic (round-robin) permutations {(m : N − 1, 0 : m − 1) : m ∈ [0 : N − 1]}, and pk,π

f

=

• N − (N − 1)D,

∀ k ∈ [0 : K −1], π ∈ P, f ∈ F0“direct download”

1−[N−(N−1)D] NK−1−1

, ∀ k ∈ [0 : K −1], π ∈ P, f / ∈ F0.

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 18 / 20

From absolute private to not private at all F pF · · ·

(a)

F pF · · ·

(b)

F pF · · ·

(c) Figure: Between the extreme case of (a) where download cost is minimized and the other extreme case of (c) where the privacy is prefect, we can adjust the probability distribution to achieve the tradeoff between ρ and D.

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 19 / 20

Conclusion

Study WPIR under maximal leakage metric Generalized TSC scheme; Generalized TSC scheme contains almost all existing WPIR schemes; Optimize the tradeoff between ρ and D under generalized TSC scheme;

• R. Zhou, T. Guo, C. Tian

Weakly PIR Under the Maximal Leakage Metric 20 / 20