Fast, Private and Verifiable: Server-aided Approximate Similarity Computation over Large-Scale Datasets

Fast, Private and Veriﬁable:
Server-aided Approximate
Similarity Computation over
Large-Scale Datasets
Shuo Qiu, Boyang Wang, Ming Li, Jesse Victors, Jiqiang Liu,
Yangfeng Shi, Wei Wang
4th ACM International Workshop on Security in Cloud Computing
SCC 2016
Xi’an - China - 2016
SWIM Seminar
August 4, 2016
Mateus Cruz

Introduction Preliminaries Proposal Experiments Conclusion
OUTLINE
1 Introduction
2 Preliminaries
3 Proposal
4 Experiments
5 Conclusion

OVERVIEW
Use of Jaccard similarity (JS)
Privacy concerns
Wants to disclose only the similarity
Previous approaches use MPC1
High performance overheads
1Multi-party Computation
1 / 16

CONTRIBUTIONS
Protocol 1
Assumes semi-honest server
Uses MinHash and deterministic encryption
Only leaks Jaccard similarity
Protocol 2
Uses Protocol 1
Veriﬁes whether the server is malicious
2 / 16

JACCARD SIMILARITY (JS)
Measure similarity between sets A and B
JS(A,B) = A∩B
A∪B
Example
A = {1,2,4}
B = {2,4,8,9}
JS(A,B) = A∩B
A∪B
= 2
5
3 / 16

MINHASH
Approximation of Jaccard similarity
Calculates k hash functions: {h1,...,hk}
Uses the minimum hash value: min{hi(A)}
Generate signatures from sets
Compact representations of sets
Signatures of A: h(k)(A) = {min{hi(A)}}k
i=1
– Length k
JS(A,B) ≈
|h(k)(A)∩h(k)(B)|
k
4 / 16

DETERMINISTIC ENCRYPTION
Same ciphertext for the same message
m1 = m2 → Enc(m1) = Enc(m2)
Allows equality checks
Algorithms
sk ← KeyGen(1λ
)
– Security parameter λ, secret key sk
c ← Enc(sk,m)
– Message m, ciphertext c
m ← Dec(sk,c)
Dec(sk,Enc(sk,m)) = m
5 / 16

ADVERSARY MODEL
Semi-honest adversary (Protocol 1)
Follows the protocol
Tries to learn from the data
Malicious adversary (Protocol 2)
May not execute the protocol correctly
– Returns a random similarity (Case I)
– Returns a partial result (Case II)
– Returns a false approximation (Case III)
No collusion between parties
6 / 16

PROBLEM DEFINITION
Calculate similarity between sets
Using Jaccard similarity
Alice has set A
Bob has set B
Compute similarity on remote server
Security requirements
Alice, Bob and the server only learn JS(A,B)
Alice does not learn |B|
Bob does not learn |A|
The server does not learn |A|,|B|,|A∩B|
7 / 16

PROTOCOL 1 (SEMI-HONEST SERVER)
Each client...
1 Computes MinHash signatures
– Using k shared hash functions
2 Encrypts signatures
– Using deterministic encryption
– Secret key shared between Alice and Bob
Allows equality checks
between ciphertexts
3 Sends ciphertexts to the server
The server...
4 Calculates the JS(A,B)
– By comparing encrypted signatures
5 Returns JS(A,B) to clients
8 / 16

PROTOCOL 2 (MALICIOUS SERVER)
Two-round consistency check
Round 1
Calculate JS(A,B)
Round 2
Calculate JS(DA,DB)
– DA = A∪S0 ∪S1
– DB = B∪S0 ∪S2
– S0,S1,S2 are disjoint dummy sets
Check JS(A,B) and JS(DA,DB)
– Find out whether the server is really malicious
9 / 16

ADDITIONAL NOTATION
|A| = |B| = n and |S0| = |S1| = |S2| = t
: Approximation bias
= 1
k
, k is the number of hash functions
σ: Real similarity between A and B
σ = |A∩B|
2n−|A∩B|
σd: Real similarity between DA and DB
σd = |A∩B|+t
2n−|A∩B|+3t
σ1: Approx. similarity between A and B
σ1 ∈ [σ− ,σ+ ]
σ2: Approx. similarity between DA and DB
σ2 ∈ [σd − ,σd + ]
10 / 16

CONSISTENCY CHECK
Can detect malicious servers
Apply a map f : σ → σd
σd = f (σ) = (2n+t)σ+t
3tσ+2n+3t
Given σ1 and σ2, Alice...
Outputs 1 if σ2 ∈ [f (σ1 − )− ,f (σ1 + )+ ]
Outputs 0 otherwise
11 / 16

ACCURACY OF CONSISTENCY CHECK
Evaluates whether the check works
False positives
Honest server, but check says it is malicious
False negatives
Malicious server, but check says it is honest
12 / 16

SETUP
Hardware
Client
– Windows Server 7 with 8 vCPUs
– 14GB RAM
Server
– Windows Server 2012 with 8 vCPUs
– 12GB RAM
Software
C++
Crypto++ library
AES-ECB cryptosystem
13 / 16

EFFICIENCY
Pipeline mode
Single thread
Parallel mode
Multiple threads
Calculate signatures concurrently
14 / 16

VERIFIABILITY
False Positive Rate (FPR)
False Negative Rate (FNR)
15 / 16

CONCLUSION
Secure and scalable similarity computation
Using MinHash and deterministic encryption
Beneﬁts from parallel execution
Speedups of about 5 times
Detection of malicious server
Can have false positives and false negatives
16 / 16

Detailed Protocols
EXTRA SLIDES

Detailed Protocols
PROTOCOL 1: SETUP
DE = {KeyGen,Enc,Dec}
Secret key sk ← DE.KeyGen(1λ
)
sk shared between Alice and Bob
Alice has input A, and Bob has input B
|A| = |B| = n
k random hash functions {h1,...,hk}

Detailed Protocols
PROTOCOL 1: STEPS
1 Alice (Bob) computes signatures of A (B)
h(k)(A) = {min{hi(A)k
i=1
}}
h(k)(B) = {min{hi(B)k
i=1
}}
2 Alice (Bob) calculates ciphertexts
TA ← DE.Enc(sk,h(k)(A))
TB ← DE.Enc(sk,h(k)(B))
3 Alice (Bob) sends TA (TB) to the server
4 The server computes the similarity σ
σ = |TA∩TB|
k
5 The server returns σ to both clients

Detailed Protocols
PROTOCOL 2: SETUP
DE = {KeyGen,Enc,Dec}
Secret key sk ← DE.KeyGen(1λ
)
sk shared between Alice and Bob
Alice has input A, and Bob has input B
|A| = |B| = n
A,B ⊆ D ⊆ E
– E is the whole data space
k random hash functions {h1,...,hk}

Detailed Protocols
PROTOCOL 2: STEPS
1 Alice chooses dummy sets S0,S1,S2
S0,S1,S2 ⊆ D ⊆ E
D∩D =
– A,B ⊆ D
S0 ∩S1 ∩S2 =
|S0| = |S1| = |S2| = t
– |A| = |B| = n
2 Alice and Bob obtain JS(A,B) = |TA∩TB|
k
Following Protocol 1
3 Alice (Bob) generate DA (DB)
DA = A∪S0 ∪S1
DB = B∪S0 ∪S2

Detailed Protocols
PROTOCOL 2: STEPS
4 Alice and Bob obtain JS(DA,DB) =
|TDA∩TDB|
k
Using Protocol 1
5 Given σ1 = JS(A,B) and σ2 = JS(DA,DB)
Output 1 if σ2 ∈ [f (σ1 − )− ,f (σ1 + )+ ]
– = 1
k
– f (x) = (2n+t)x+t
3tx+2n+3t
Output 0 otherwise

Fast, Private and Verifiable: Server-aided Approximate Similarity Computation over Large-Scale Datasets

Recommended

More Related Content

What's hot (19)

Viewers also liked (16)

Similar to Fast, Private and Verifiable: Server-aided Approximate Similarity Computation over Large-Scale Datasets (20)

Recently uploaded (20)

Fast, Private and Verifiable: Server-aided Approximate Similarity Computation over Large-Scale Datasets