Data-Mining on GBytes of

Transcription

1 Data-Mining on GBytes of Encrypted Data In collaboration with Dan Boneh (Stanford); Udi Weinsberg, Stratis Ioannidis, Marc Joye, Nina Taft (Technicolor).

2 Outline Motivation Background on cryptographic tools Linear regression Our solution Experiments and performance 2

3 Users Data Data Motivation Data mining engine Privacy concern! Data model Engine learns nothing more than the model! 3

4 Data Mining Classification Regression Clustering Summarization : linear regression Dependency modeling : matrix factorization Main challenge: make these algorithms privacy preserving and efficient. 4

5 Contribution Design of a practical system for privacy preserving linear regression Implementation Experiments on real datasets Comparison to state of the art: Hall et al. 11: 2 days vs 3 min Graepel et al. 12: 10 min vs 2 sec 5

6 Outline Motivation Background on cryptographic tools Linear regression Our solution Experiments and performance 6

7 Computations on Encrypted Data 2009, C. Gentry FHE (slow for our problems) 1979, A. Shamir Secret sharing 1988, BGW (huge communication overhead) 1982, A.C. Yao Garbled circuits Our approach: hybrid of Yao and hom. encryption 7

8 Yao s Garbled Circuits C(x) C(x) circuit garbled circuit G 0 1 G 1 1 G 0 2 G 1 2 G 0 3 G G 0 n G 1 n x= Nothing is leaked about x, other than C(x)! 8

9 Data Mining System Architecture User User i Evaluator Ĉ Ĉ Crypto Service Provider (CSP) Create garbled circuit Ĉ x i {G x1 1, G x2 2,, G xn n } Compute C(x 1,, x n ) {G 0 1, G 0 2,, G 0 n} {G 1 1, G 1 2,, G 1 n} C(x 1,, x n ) 9

10 System Properties Evaluator learns the model, not the inputs Problems: Not scalable with the number of users Users need to be online 10

11 Outline Motivation Background on cryptographic tools Linear regression Our solution Experiments and performance 11

12 Linear Regression I (f,r) from users solve for β r A β = b r = <f, β> f 12

13 Linear Regression II Users f 1, r 1 f n, r n Training engine β Training engine learns nothing about f s and r s, other than β! 13

14 Outline Motivation Background on cryptographic tools Linear regression Our solution Experiments and performance 14

15 Construct Matrices Phase1: compute A Users f 1T f 1 T = f i fi and Evaluator b T = f i ri f nt f n computes A = f it f i in the circuit For additions can use homomorphic encryption: [ HE ( A1 ), HE( A2 )] HE( A1 + A2 ) 15

16 Construct Matrices Phase1: compute A Users HE(f 1T f 1 ) T = f i fi and Evaluator b T = f i ri HE(f nt f n ) computes HE(A) = HE( f T it f i ) decrypts in the circuit For additions can use homomorphic encryption: [ HE ( A1 ), HE( A2 )] HE( A1 + A2 ) Circuit independent of the number of users Users offline 16

17 Solve Linear System Phase2: solve for β A β = b Input: HE(A),HE(b) Decrypt A and b Cholesky: compute L, s.t. A= LL T Solve for β: L(L T β)=b β 17

18 Privacy Preserving Regression System pk HE pk (f it f i ) Phase1 Evaluator pk Compute HE pk (A = f it f i ), HE pk (b = f it r i ) pk Crypto Service Provider (CSP) (pk, sk) HE.KeyGen Create garbled circuit Ĉ HE pk (f it r i ) Ĉ Send Ĉ Phase2 Garbled inputs Compute C(HE pk (A),HE pk (b)) {G 0 1, G 0 2,, G 0 n} {G 1 1, G 1 2,, G 1 n} β 18

19 System Properties Evaluator learns the model, not the inputs Scalable with the number of users Users can be offline Extensions: Masking instead of decryption in circuit Protection against malicious Evaluator and CSP 19

20 Outline Motivation Background on cryptographic tools Linear regression Our solution Experiments and performance 20

21 Performance Hybrid vs. Pure-Yao: 100 times improvement in time! For up to 20 features, 1000 s users time < 3 min communication < 1GB For 100 million of users, 20 features: 8.75 hours Tested on real datasets 21

22 Conclusion Privacy-preserving data-mining is efficient Our approach can be used in practice Current work: matrix factorization Future work: implement other data mining algorithms improving implementation to support high parallelization 22

23 Thank you! Questions? 23