Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Differentially Private Secure Multiplication: Hiding Information in the Rubble of Noise

Viveck R. Cadambe, Ateet Devulapalli, Haewon Jeong, Flavio P. Calmon

TL;DR

The paper studies private distributed multiplication when the honest-node count is below the BGW threshold, using differential privacy to cap information leakage and mean-squared error to quantify accuracy. It introduces a novel layered noise scheme that blends Shamir secret-sharing concepts with DP mechanisms, achieving a tight privacy-accuracy frontier for $N less 2t+1$ via two SNR metrics, $ exttt{SNR}_p$ and $ exttt{SNR}_a$, and a key relation $(1+ exttt{SNR}_a)=(1+ exttt{SNR}_p)^2$. The main results include an achievable scheme that, for $N>t$, attains $ exttt{SNR}_a o 2 exttt{SNR}_p + exttt{SNR}_p^2$ (up to an arbitrary δ), and a converse showing LMSE lower bounds governed by the DP noise via $ ext{σ}^*( ext{ε})$, with BGW-like perfect privacy recoverable when $N \, leq\ 2t$. The work extends to matrix multiplication with an equivalence between scalar and matrix LMSE under mild assumptions and discusses precision implications, revealing a fundamental compute-precision cost for differentially private secure MPC implementations.

Abstract

We consider the problem of private distributed multi-party multiplication. It is well-established that Shamir secret-sharing coding strategies can enable perfect information-theoretic privacy in distributed computation via the celebrated algorithm of Ben Or, Goldwasser and Wigderson (the "BGW algorithm"). However, perfect privacy and accuracy require an honest majority, that is, $N \geq 2t+1$ compute nodes are required to ensure privacy against any $t$ colluding adversarial nodes. By allowing for some controlled amount of information leakage and approximate multiplication instead of exact multiplication, we study coding schemes for the setting where the number of honest nodes can be a minority, that is $N< 2t+1.$ We develop a tight characterization privacy-accuracy trade-off for cases where $N < 2t+1$ by measuring information leakage using {differential} privacy instead of perfect privacy, and using the mean squared error metric for accuracy. A novel technical aspect is an intricately layered noise distribution that merges ideas from differential privacy and Shamir secret-sharing at different layers.

Differentially Private Secure Multiplication: Hiding Information in the Rubble of Noise

TL;DR

The paper studies private distributed multiplication when the honest-node count is below the BGW threshold, using differential privacy to cap information leakage and mean-squared error to quantify accuracy. It introduces a novel layered noise scheme that blends Shamir secret-sharing concepts with DP mechanisms, achieving a tight privacy-accuracy frontier for via two SNR metrics, and , and a key relation . The main results include an achievable scheme that, for , attains (up to an arbitrary δ), and a converse showing LMSE lower bounds governed by the DP noise via , with BGW-like perfect privacy recoverable when . The work extends to matrix multiplication with an equivalence between scalar and matrix LMSE under mild assumptions and discusses precision implications, revealing a fundamental compute-precision cost for differentially private secure MPC implementations.

Abstract

We consider the problem of private distributed multi-party multiplication. It is well-established that Shamir secret-sharing coding strategies can enable perfect information-theoretic privacy in distributed computation via the celebrated algorithm of Ben Or, Goldwasser and Wigderson (the "BGW algorithm"). However, perfect privacy and accuracy require an honest majority, that is, compute nodes are required to ensure privacy against any colluding adversarial nodes. By allowing for some controlled amount of information leakage and approximate multiplication instead of exact multiplication, we study coding schemes for the setting where the number of honest nodes can be a minority, that is We develop a tight characterization privacy-accuracy trade-off for cases where by measuring information leakage using {differential} privacy instead of perfect privacy, and using the mean squared error metric for accuracy. A novel technical aspect is an intricately layered noise distribution that merges ideas from differential privacy and Shamir secret-sharing at different layers.
Paper Structure (24 sections, 9 theorems, 190 equations, 4 figures, 1 table)

This paper contains 24 sections, 9 theorems, 190 equations, 4 figures, 1 table.

Table of Contents

  1. Introduction
  2. Summary of Main Results and Key Ideas
  3. Related Work
  4. System Model and Statement of Main Results
  5. System Model
  6. Signal-to-Noise Ratios
  7. Statement of Main Results
  8. Achievability: Proofs of Theorem \ref{['thm:main_achievability']} and Corollary \ref{['cor:achievability']}
  9. Description of Coding Scheme
  10. Privacy Analysis
  11. Accuracy Analysis
  12. Proof of Corollary \ref{['cor:achievability']}
  13. Proofs of Theorem \ref{['thm:main_converse']} and Corollary \ref{['cor:converse']}
  14. Proof of Corollary \ref{['cor:converse']}
  15. Extension to Matrix Multiplication
  16. ...and 9 more sections

Key Result

Lemma 3.1

Let $X$ be a random variable with $\mathbb{E}[X] = 0$ and $\mathbb{E}[X^2] = \gamma^2$. Let $(Z_1, \ldots, Z_n)$ be a noise random vector that is independent of $X$ and let where $\nu_1, \ldots, \nu_n \in \mathbb{R}$. Then, where $\cdot$ denotes the vector dot product, and where $\mathbf{K}_1$ is an $n \times n$ matrix whose $(i,j)$-th entry is $\mathbb{E}[y_i y_j] = \nu_i\nu_j \gamma^2 + \math

Figures (4)

  • Figure 1: Pictorial depiction of our problem formulation and comparison with the coding scheme used in the BGW algorithm.
  • Figure 2: Performance of our optimal scheme of for $N=3,t=2$ in comparison to baselines (i) complex-valued Shamir Secret Sharing and (ii) independent noise across nodes.
  • Figure 3: Pictorial depiction of our layered coding scheme for $t=2, N=3$ with matrix, see \ref{['eq:coding1']}-\ref{['eq:coding6']}
  • Figure 4: Plotting the gap between $1+\text{SNR}_a$ and $(1+\text{SNR}_p)^2$ for the achievable scheme for $t=2,3,4$ and $N=t+1$. We vary $n$ from 10 to 10,000 and we observe that as $n$ grows the gap reduces.

Theorems & Definitions (23)

  • Remark 1
  • Remark 2
  • Definition 3.1
  • Definition 3.2: Linear Mean Square Error ($\texttt{LMSE}$)
  • Lemma 3.1
  • Definition 3.3
  • Remark 3
  • Definition 3.4
  • Lemma 3.2
  • Theorem 3.3
  • ...and 13 more