Combinatorial Privacy: Private Multi-Party Bitstream Grand Sum by Hiding in Birkhoff Polytopes

Praneeth Vepakomma

Abstract

We introduce PolyVeil, a protocol for private Boolean summation across $k$ clients that encodes private bits as permutation matrices in the Birkhoff polytope. A two-layer architecture gives the server perfect simulation-based security (statistical distance zero) while a separate aggregator faces #P-hard likelihood inference via the permanent and mixed discriminant. Two variants (full and compressed) differ in what the aggregator observes. We develop a finite-sample $(\varepsilon,\delta)$-DP analysis with explicit constants. In the full variant, where the aggregator sees a doubly stochastic matrix per client, the log-Lipschitz constant grows as $n^4 K_t$ and a signal-to-noise analysis shows the DP guarantee is non-vacuous only when the private signal is undetectable. In the compressed variant, where the aggregator sees a single scalar, the univariate density ratio yields non-vacuous $\varepsilon$ at moderate SNR, with the optimal decoy count balancing CLT accuracy against noise concentration. This exposes a fundamental tension. #P-hardness requires the full matrix view (Birkhoff structure visible), while non-vacuous DP requires the scalar view (low dimensionality). Whether both hold simultaneously in one variant remains open. The protocol needs no PKI, has $O(k)$ communication, and outputs exact aggregates.

Paper Structure (111 sections, 37 theorems, 214 equations, 6 figures, 4 algorithms)

Key Result

Theorem 3.3

The vertices of $\mathcal{B}_m$ are precisely the $m \times m$ permutation matrices. Every doubly stochastic matrix $A \in \mathcal{B}_m$ can be written as a convex combination of permutation matrices where each $P_i$ is a permutation matrix. This is a Birkhoff--von Neumann (BvN) decomposition of $A$.
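
An added example, not code from the paper: the greedy construction behind Theorem 3.3, which peels one permutation at a time off a doubly stochastic matrix using a perfect matching on its support. The function names and the sample matrix are assumptions made for illustration, and a different matching order generally yields a different, equally valid decomposition.

```python
from fractions import Fraction

def perfect_matching(A):
    """Augmenting-path matching on the support of A (entries > 0).
    Returns sigma with sigma[row] = col, or None if no perfect matching exists."""
    m = len(A)
    col_owner = [-1] * m              # col_owner[c] = row matched to column c

    def try_row(r, seen):
        for c in range(m):
            if A[r][c] > 0 and not seen[c]:
                seen[c] = True
                if col_owner[c] == -1 or try_row(col_owner[c], seen):
                    col_owner[c] = r
                    return True
        return False

    for r in range(m):
        if not try_row(r, [False] * m):
            return None
    sigma = [0] * m
    for c, r in enumerate(col_owner):
        sigma[r] = c
    return sigma

def bvn_decompose(A):
    """Return [(theta_i, sigma_i)] with A = sum_i theta_i * P_i, where
    sigma_i[r] is the column holding the 1 in row r of P_i."""
    R = [[Fraction(x) for x in row] for row in A]   # residual, exact arithmetic
    m = len(R)
    if (any(x < 0 for row in R for x in row)
            or any(sum(row) != 1 for row in R)
            or any(sum(col) != 1 for col in zip(*R))):
        raise ValueError("input is not doubly stochastic")
    terms = []
    while any(x > 0 for row in R for x in row):
        sigma = perfect_matching(R)   # exists: R is a scaled doubly stochastic matrix
        theta = min(R[r][sigma[r]] for r in range(m))
        for r in range(m):
            R[r][sigma[r]] -= theta   # zeroes at least one more entry
        terms.append((theta, sigma))
    return terms

def recombine(terms, m):
    """Rebuild sum_i theta_i * P_i to check a decomposition."""
    A = [[Fraction(0)] * m for _ in range(m)]
    for theta, sigma in terms:
        for r in range(m):
            A[r][sigma[r]] += theta
    return A
```
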

Figures (6)

  • Figure 1: The two-layer PolyVeil protocol. Each client encodes its private bit vector as a masked doubly stochastic matrix $D_t$ and sends it (or the scalar $f_t$) to the aggregator, and the noise $\eta_t$ to a separate noise aggregator. The two aggregators do not communicate (dashed line). The server receives only the aggregate scalars $F$ and $H$, from which it recovers $S$ exactly. The server has information-theoretic security (its view depends only on $S$). The aggregator faces #P-hard inference (it sees $D_t$ but cannot efficiently extract $M_t$).
  • Figure 2: Structure of the simulation proof for the server's information-theoretic security (Theorem \ref{thm:server_it}). Left: the real protocol execution with actual private inputs. Right: the simulator, which knows only the aggregate $S$ (not individual $\mathbf{b}_t$) and fabricates a view with identical distribution. The equivalence $\equiv$ means identical distributions, holding against computationally unbounded adversaries. The dashed box states the key structural property that makes the proof work.
  • Figure 3: The density derivation: from the aggregator's inference problem to the key formula. The aggregator's MAP estimator requires evaluating $\nu(R')$ (Steps 1--2). The density marginalizes over all $((2n)!)^K$ permutation tuples (Step 3), but most contribute zero --- only tuples in $\mathrm{Supp}(R')^K$ survive (Step 4). The resulting formula (Step 5) is a sum of polytope volumes over valid tuples, raising two questions answered in Figure \ref{fig:hardness_branches}.
  • Figure 4: The two branches of the #P-hardness argument, continuing from the density formula in Figure \ref{fig:hardness_roadmap}. Left branch (Question a): the number of valid tuples equals the permanent of the support matrix $A(R')$, which counts perfect matchings in a bipartite graph; computing this is #P-complete (Valiant, 1979). Right branch (Question b): each valid tuple's contribution is a polytope volume expressible as a mixed discriminant; computing this is #P-hard (Barvinok, 1997). Both branches converge: the density is a #P-hard number of individually #P-hard terms, with no cancellation.
  • Figure 5: Non-interactive multi-statistic extraction. In the full two-layer protocol (Algorithm \ref{alg:twolayer}), each client transmits the masked matrix $D_t$ to the aggregator once. After clients go offline, the aggregator applies different extraction vectors to the stored matrices to compute multiple aggregate statistics, each recovered exactly by the server via noise cancellation. No additional client communication is required for new queries. Additive secret sharing requires a new round of client participation for each statistic.
  • ...and 1 more figures

Theorems & Definitions (105)

  • Definition 3.1: Doubly stochastic matrix
  • Definition 3.2: Birkhoff polytope
  • Theorem 3.3: Birkhoff--von Neumann [ziegler2012, schrijver2003]
  • Theorem 3.4: Decomposition multiplicity, Brualdi [brualdi1982]
  • Theorem 3.5: Marcus--Ree [marcus1959]
  • Definition 3.6: Bit-to-permutation encoding
  • Example 3.7: Encoding of a 2-bit stream
  • Definition 3.8: Extraction vectors for the bit count
  • Lemma 3.9: Bit count extraction
  • proof
  • ...and 95 more