# Revealing Information while Preserving Privacy

Save this PDF as:

Size: px
Start display at page:

## Transcription

4 Proof. Let A be within E perturbation for E = o(n). Let M be the following algorithm: [Query Phase] For all q [n]: let ã q A(q). [Weeding Phase] For all c {0, 1} n : if i q ci ãq E for all q [n] then output c and halt. It is easy to verify that M runs in exponential time. Note that M always halts and outputs some candidate c because the real database d is never weeded out. We now show that the output candidate c satisfies dist(d, c) 4E = o(n). Assume this is not the case, i.e. dist(d, c) > 4E. Let q 0 = { i d i = 1, c i = 0} and q 1 = { i d i = 0, c i = 1}. Since q 1 + q 0 = dist(d, c) > 4E, at least one of the disjoint sets q 1, q 2 has size 2E +1 or more. W.l.o.g. assume q 1 > 2E. We have that i q 1 d i = 0 and hence it must be that ã q1 E. On the other hand i q 1 c i = q 1 > 2E. We get that i q 1 c i ã q1 > E, contradicting the fact that c survives the weeding phase. 3.2 Polynomially Bounded Adversary Ω( n) Perturbation Needed for Privacy We next turn to the more interesting (and perhaps realistic) case where the adversary is polynomially bounded. We show that a minimal perturbation level of Ω( n) is necessary for achieving even weak privacy in our model. More concretely, we show that any database algorithm that is within E = o( n) perturbation is non-private. We prove this by presenting for every ε > 0 a linear-programming algorithm, with which we reconstruct, in polynomial-time, a candidate database c and prove that dist(c, d) < εn. Theorem 3. Let D = (d, A) be a database where A is within o( n) perturbation then D is poly(n)-non-private. Proof. Let A be within E perturbation for E = o( n). We fix ε > 0 arbitrarily, and show how to find some candidate database c for which dist(c, d) < εn with high probability. Let M A be the following algorithm: [Query Phase] Let t = n(log n) 2. For 1 j t choose uniformly at random q j R [n], and set ã qj A(q j). [Weeding Phase] Solve the following linear program with unknowns c 1,..., c n: ã qj E i q j c i ã qj + E for 1 j t 0 c i 1 for 1 i n [Rounding phase] Let c i = 1 if c i > 1/2 and c i = 0 otherwise. Output c. It is easy to see that the LP in our algorithm always has a solution (in particular c = d is a feasible solution), and hence the algorithm always has an output c. We next prove that dist(c, d) < εn. We use the probabilistic method to show that a random choice of q 1,.., q t will weed out all possible candidate databases c that are far from the original one. Fix a precision parameter k = n and define K = {0, 1, k 2 k 1,..,, 1}. For any x [0, k k 1]n denote by x K n the vector obtained by rounding each coordinate of x to the nearest (1) integer multiple of 1. Applying the triangle inequality with k Eq. (1) we get that for 1 j t, i q j ( c i d i) i q j ( c i c i) + i q j c i ã qj + ã qj i q j d i q j k + E + E 1 + 2E. For any x [0, 1] n, we say that a query q [n] disqualifies x if i q ( xi di) > 2E + 1. If q happens to be one of the queries in our algorithm, this means that x is an invalid solution to the LP system. We now show that if x is far from d on many coordinates, then (with high probability) x is disqualified by at least one of the queries q 1,..., q t. We use the following lemma (see proof in Appendix A): Lemma 4 (Disqualifying Lemma). Let x, d [0, 1] n and E = o( n). If Pr i[ x i d i 1 ] > ε then there exists a 3 constant δ > 0 such that [ ] Pr q R [n] i q (x i d i) > 2E + 1 > δ. Define the set of discrete x s that are far from d: { X = x K n Pr[ x i d i i 1 } 3 ] > εn. Consider x X. By Lemma 4 there exists a constant δ > 0 such that Pr q R [n][q disqualifies x] δ. By choosing t independent random queries q 1,.., q t, of [n] we get that at least one of them disqualifies x with probability 1 (1 δ) t. I.e. for each x X there is just a tiny (1 δ) t fraction of the selections q 1,..., q t do not disqualify it. Taking the union bound over X, noting X K n = (k + 1) n, we have that Pr [ x X i, qi disqualifies x] q 1,..,q t R [n] 1 (k + 1) n (1 δ) t > 1 neg(n). The last inequality holds assuming we take t to be large enough (t = n(log n) 2 will work). To complete the proof, observe that c is not disqualified by any of the random subsets q 1,.., q t [n] chosen by our algorithm (recall that c is the solution to the LP system, and c is the vector obtained from rounding it to the nearest integer multiple of 1 ). Thus, if these q1,.., qt disqualify all k x X, it must be that c X so dist(c, d) εn. Note that the proof relies on the fact that a random subset of linear size deviates from the expectation by roughly n. We are bounding from below the deviation from expectation, converse to the standard use of tail-inequalities in which the upper bound is needed. We stress that the reconstruction algorithm presented in the proof above is oblivious of the perturbation method used by the database and of the database distribution. 3.3 Tightness of the Impossibility Results Theorem 3 shows that for any database distribution a perturbation of magnitude Ω( n) is necessary for having (even a very weak notion of) privacy. We next show that this bound is tight by exemplifying a database algorithm that is within Õ( n) perturbation and is private against

7 Conditioned on this we show that the expectation of step l is very small, and that step l is small. We use Azuma s inequality to conclude the proof. Details follow. To bound the expectation of step l compare it with a random variable B that takes the value log (k/(r k)) with probability ( R k) /2 R. Clearly E[B] = 0 because Pr[B = log (k/(r k))] = Pr[B = log (k/(r k))] and hence E[step l ] = E[step l B] = ( ) R k log ((k + 1)/k) 2R = ( ) R k log (1 + 1/k) 2R Since for small x log(1 + x) x we have log ((k + 1)/k) = O(1/R) for k K, and E[step l ] = O(1/R) ( ) R k 2 = O(1/R). R Thus, E[ t step l ] t O(1/R) = O(1/(log µ n)). l=1 To bound step l note that it reaches its maximum on the ends of the interval K, hence we get step l < log ( (R/2 + R log 2 n)/(r/2 R log 2 n) ) = log ( 1 + log 2 n/ R ) = O(log 2 n/ R). Define the random variable s l = l j=1 stepj E l j=1 stepj. This is a martingale with expectation zero, satisfying s l s l 1 = O(log 2 n) 2 / R). Using Azuma s inequality (Theorem 1) we get that Pr[ s l > λ O(log 2 n/ R) l] < 2e λ2 /2. Setting λ = log 2 1 n we get that Pr[ s l > ] < log µ/2 4 n neg(n), so choosing µ = 9 makes s l < O(1/ log n) almost always. Hence, [ l ] Pr[conf l > O(1/ log n)] = Pr step l > O(1/ log n) Pr [ j=0 s l > O(1/ log n) E[ ] l step l ] neg(n) j=0 Taking the union bound (for 0 < l t) completes the proof. 5. ACKNOWLEDGMENTS We thank Ronitt Rubinfeld for suggesting the problem of database privacy and for pointing to us some of the work done in the area. We thank Cynthia Dwork for in-depth discussions. The work in Section 4 is joint with Cynthia Dwork. 6. REFERENCES [1] J. O. Achugbue and F. Y. Chin, The effectiveness of output modification by rounding for protection of statistical databases, INFOR 17, 3: , [2] N. R. Adam and J. C. Wortmann, Security-Control Methods for Statistical Databases: A Comparative Study, ACM Computing Surveys 21(4): (1989). [3] D. Agrawal and C. C. Aggarwal, On the design and quantification of privacy preserving data mining algorithms, Symposium on Principles of Database Systems, [4] R. Agrawal and R. Srikant, Privacy-preserving data mining, Proc. of the ACM SIGMOD Conference on Management of Data, pages , [5] N. Alon and J. H. Spencer, The probabilistic method, Wiley-Interscience [John Wiley & Sons], New York, second edition, [6] L. L. Beck, A security mechanism for statistical databases, ACM TODS, 5(3): , September [7] F. Y. Chin and G. Ozsoyoglu, Auditing and infrence control in statistical databases, IEEE Trans. Softw. Eng., SE-8(6): , April [8] D. Denning, P. Denning, and M. Schwartz, The tracker: A threat to statistical database security, ACM Trans. on Database Systems, 4(1):76 96, March [9] D. E. Denning, Secure statistical databases with random sample queries, ACM Transactions on Database Systems, 5(3): , September [10] D. E. Denning, Cryptography and data security, Addison-Wesley, Reading MA, [11] I. Fellegi, On the question of statistical confidentiality, Journal of the American Statistical Association, 1972, pp [12] O. Goldreich, S. Micali and A. Wigderson, How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority, STOC 1987: [13] V. Guruswami and M. Sudan, Improved Decoding of Reed-Solomon and Algebraic-Geometric Codes, IEEE Symposium on Foundations of Computer Science, 1998, [14] J. M. Kleinberg, C. H. Papadimitriou and P. Raghavan, Auditing Boolean Attributes, PODS 2000: [15] C. K. Liew, U. J. Choi, and C. J. Liew, A data distortion by probability distribution, ACM TODS, 10(3): , [16] E. Lefons, A. Silvestri, and F. Tangorra, An analytic approach to statistical databases, In 9th Int. Conf. Very Large Data Bases, pages Morgan Kaufmann, Oct-Nov [17] S. Reiss, Practical Data Swapping: The First Steps, ACM TODS, 9, 1, pp , [18] A. Shoshani, Statistical databases: Characteristics, problems and some solutions, Proceedings of the 8th International Conference on Very Large Data Bases (VLDB 82), pages , [19] M. Sudan, Decoding of Reed Solomon Codes beyond the Error-Correction Bound, Journal of Complexity,

8 13 (1), , [20] J. Traub, Y. Yemini, H. Wozniakowksi, The Statistical Security of a Statistical Database, ACM TODS, 9, 4 pp , [21] A. Yao, Protocols for Secure Computations (Extended Abstract), FOCS 1982: APPENDIX A. THE DISQUALIFYING LEMMA Lemma 4. Let x, d [0, 1] n and E = o( n). If Pr i[ x i d i 1 ] > ε then there exists a constant δ > 0 such that 3 [ ] Pr q R [n] i q (x i d i) > 2E + 1 > δ. Proof. Let X 1,.., X n be independent random variables such that X i takes value x i d i with probability 1 and 0 2 with probability 1 def, and define X = n 2 i=1 Xi. Observe that all we need to prove is that Pr[ X > 2E + 1] > Ω(1). We divide the proof to two cases according to the size of E[X]. Let T ε be some constant to be specified later. 500 First assume E[X] T n, in which case the proof follows simply from Azuma s inequality (see Theorem 1). We apply this inequality by setting q i = i j=1 (Xj E[Xj]), noting that E[X j E[X j]] = 0 so 0 = q 0, q 1,.., q n is a martingale (i.e. E[q i q i 1] = q i 1), and also q i q i 1 = X i E[X i] 1. Since X E[X] = q n and E n, we deduce Pr[ X > 2E + 1] Pr[ X > T 2 n] Pr[ X E[X] < T 2 n] 1 2e T 2 /8 = Ω(1) The second and more interesting case is when E[X] < T n. We will prove that Pr[ X E[X] > 2T n] > Ω(1) and obtain the desired result since Pr[ X > 2E + 1] Pr[ X E[X] > 2T n] (recall E n). This inequality can fail to hold only if X is very concentrated around E[X], so let us examine X s variance. We set Y = (X E[X]) 2 and observe that since the X i are independent, for some α ε 36 n n (x i d i) 2 E[Y ] = V arx = V ar(x i) = = α n. 4 i=1 Now partitioning into three regions, with β to be chosen later, A = { Y < 1 αn}, B = { 1 αn Y βn} and C = 3 3 {Y > βn} we can write: αn = E[Y ] i=1 = Pr[A] E[Y A] + Pr[B] E[Y B] + Pr[C] E[Y C] 1 1 αn + Pr[B] βn + Pr[C] E[Y C] 3 To complete our proof, we have the following claim, Claim 7. There exists a constant β = β(α), s.t. Pr[C] E[Y C] = Pr[Y > βn] E[Y Y > βn] < 1 3 αn Proof. Whenever X i are independent random variables, and X i E[X i] 1 and setting q i = X X i, then q i E[q i] is a martingale, and by Azuma s inequality (see Theorem 1), Now, P r[q n > E[q n] + t n] < 2e t2 /2 C = {Y > βn} = { X E[X] > βn} = { q n E[q n] > βn} so Pr[Y > βn] < 2e β/2 and setting I k = [k βn, (k+1) βn] for k 0: Pr[C] E[Y C] = t Pr[Y = t] t>βn Pr[Y I k ] (k + 1) βn n 2 k=1 Pr[Y > k βn] (k + 1) βn n 2 k=1 n (k + 1)βe k β/2 k=1 Since k=1 β e k β/2 (k+1) converges to a function of β that is decreasing as β increases, we can choose β large enough so that k=1 β e k β/2 (k + 1) < α 3. Going back to (1), and choosing T = α ε, we can now deduce that Pr[ X E[X] > 2T n] = Pr[Y > αn 3 ] Pr[B] αn 1 3 αn 1 3 αn βn = α 3β = Ω(1) B. SELF AUDITING Auditing is a query restriction method in which a log of the queries is saved, and every query is checked for possible compromise allowing or disallowing the query accordingly [7]. One problem with this approach is of efficiency the problem of deciding whether a sequence of queries violates privacy was shown to be computationally hard ([14] show that it is NP-hard to decide, given a database d and a set of queries, whether an exact answer to these queries lead to fully determining the value of at least one database entry). Another, perhaps more acute problem, is that the auditor s approvals/refusals leak information about the database. It is conceivable that this information helps an adversary to violate the database privacy. We give a simple example to illustrate this problem. Consider a statistical database with n binary entries d = d 1,..., d n. The access to d is monitored by an auditor, with the notion of privacy as in [14] i.e. privacy is violated when one or more of the database entries is fully determined by the queries. Our attacker queries the sets {i, i + 1} for 1 i < n, and records for each query whether it was allowed or not. Note that the auditor refuses to answer queries exactly when both entries are zero or both are one (since in these cases the answer reveals the exact value of both entries). Hence, if a query {i, i+1} is approved, the attacker learns that d i d i+1 otherwise, she learns that d i = d i+1. As a result the attacker remains with only two (complementary) candidates for the database, namely d 1,..., d n and 1 d 1,..., 1 d n.

9 The attacker can learn the entire database if it manages to distinguish between these two candidates. Only a little more information is needed, such as whether there are more zeros than ones in the database. The reason the above auditing paradigm fails to provide privacy is that the auditor function takes into account not only the data that is already known to the user, but also the answer to the query in question. To avoid leakage from the auditor we suggest to construct it such that its decision whether to disqualify a query is based solely on information that is already known to the potential attacker. It follows that, in principle, this function may be computed by every user, hence the term self auditing. Our analysis in the proof of Theorem 5 suggests a possible self auditing function, assuming that the database distribution DB is known. The self-auditor algorithm is based on the analysis of the confidence a potential attacker may have in the database sensitive entries. The auditor maintains the confidence the attacker has in each of these entries. The auditor then checks whether a query should be allowed by estimating the random variable that measures how an answer to the query may contribute to the confidence. The distribution of this random variable (or its estimate) may be computed, in an analogous manner to the computation in Theorem 5, from the history of query-answer pairs, the current query and the properties of the distribution. A query should be disallowed if it may, with too high probability, increase the confidence in any of the database entries so as to violate its privacy.

### CMSC 858T: Randomized Algorithms Spring 2003 Handout 8: The Local Lemma

CMSC 858T: Randomized Algorithms Spring 2003 Handout 8: The Local Lemma Please Note: The references at the end are given for extra reading if you are interested in exploring these ideas further. You are

### A Brief Introduction to Property Testing

A Brief Introduction to Property Testing Oded Goldreich Abstract. This short article provides a brief description of the main issues that underly the study of property testing. It is meant to serve as

### Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture - 17 Shannon-Fano-Elias Coding and Introduction to Arithmetic Coding

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### A Practical Application of Differential Privacy to Personalized Online Advertising

A Practical Application of Differential Privacy to Personalized Online Advertising Yehuda Lindell Eran Omri Department of Computer Science Bar-Ilan University, Israel. lindell@cs.biu.ac.il,omrier@gmail.com

### Private Approximation of Clustering and Vertex Cover

Private Approximation of Clustering and Vertex Cover Amos Beimel, Renen Hallak, and Kobbi Nissim Department of Computer Science, Ben-Gurion University of the Negev Abstract. Private approximation of search

### Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

### Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

### arxiv:1112.0829v1 [math.pr] 5 Dec 2011

How Not to Win a Million Dollars: A Counterexample to a Conjecture of L. Breiman Thomas P. Hayes arxiv:1112.0829v1 [math.pr] 5 Dec 2011 Abstract Consider a gambling game in which we are allowed to repeatedly

### Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

### 2.1 Complexity Classes

15-859(M): Randomized Algorithms Lecturer: Shuchi Chawla Topic: Complexity classes, Identity checking Date: September 15, 2004 Scribe: Andrew Gilpin 2.1 Complexity Classes In this lecture we will look

### 1 Formulating The Low Degree Testing Problem

6.895 PCP and Hardness of Approximation MIT, Fall 2010 Lecture 5: Linearity Testing Lecturer: Dana Moshkovitz Scribe: Gregory Minton and Dana Moshkovitz In the last lecture, we proved a weak PCP Theorem,

### Notes 11: List Decoding Folded Reed-Solomon Codes

Introduction to Coding Theory CMU: Spring 2010 Notes 11: List Decoding Folded Reed-Solomon Codes April 2010 Lecturer: Venkatesan Guruswami Scribe: Venkatesan Guruswami At the end of the previous notes,

### On-Line/Off-Line Digital Signatures

J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research On-Line/Off-Line Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,

### Limits of Computational Differential Privacy in the Client/Server Setting

Limits of Computational Differential Privacy in the Client/Server Setting Adam Groce, Jonathan Katz, and Arkady Yerukhimovich Dept. of Computer Science University of Maryland {agroce, jkatz, arkady}@cs.umd.edu

### CSC2420 Fall 2012: Algorithm Design, Analysis and Theory

CSC2420 Fall 2012: Algorithm Design, Analysis and Theory Allan Borodin November 15, 2012; Lecture 10 1 / 27 Randomized online bipartite matching and the adwords problem. We briefly return to online algorithms

### The Complexity of Online Memory Checking

The Complexity of Online Memory Checking Moni Naor Guy N. Rothblum Abstract We consider the problem of storing a large file on a remote and unreliable server. To verify that the file has not been corrupted,

### Applied Algorithm Design Lecture 5

Applied Algorithm Design Lecture 5 Pietro Michiardi Eurecom Pietro Michiardi (Eurecom) Applied Algorithm Design Lecture 5 1 / 86 Approximation Algorithms Pietro Michiardi (Eurecom) Applied Algorithm Design

### Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

### Security Analysis for Order Preserving Encryption Schemes

Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu I-Ling

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### When Random Sampling Preserves Privacy

When Random Sampling Preserves Privacy Kamalika Chaudhuri 1 and Nina Mishra 2 1 Computer Science Department, UC Berkeley, Berkeley, CA 94720 2 Computer Science Department, University of Virginia, Charlottesville,

### The Conference Call Search Problem in Wireless Networks

The Conference Call Search Problem in Wireless Networks Leah Epstein 1, and Asaf Levin 2 1 Department of Mathematics, University of Haifa, 31905 Haifa, Israel. lea@math.haifa.ac.il 2 Department of Statistics,

Adaptive Online Gradient Descent Peter L Bartlett Division of Computer Science Department of Statistics UC Berkeley Berkeley, CA 94709 bartlett@csberkeleyedu Elad Hazan IBM Almaden Research Center 650

### SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

### Lattice-Based Threshold-Changeability for Standard Shamir Secret-Sharing Schemes

Lattice-Based Threshold-Changeability for Standard Shamir Secret-Sharing Schemes Ron Steinfeld (Macquarie University, Australia) (email: rons@ics.mq.edu.au) Joint work with: Huaxiong Wang (Macquarie University)

### A Bayesian Approach for on-line max auditing of Dynamic Statistical Databases

A Bayesian Approach for on-line max auditing of Dynamic Statistical Databases Gerardo Canfora Bice Cavallo University of Sannio, Benevento, Italy, {gerardo.canfora,bice.cavallo}@unisannio.it ABSTRACT In

### Lecture 7: Approximation via Randomized Rounding

Lecture 7: Approximation via Randomized Rounding Often LPs return a fractional solution where the solution x, which is supposed to be in {0, } n, is in [0, ] n instead. There is a generic way of obtaining

### An example of a computable

An example of a computable absolutely normal number Verónica Becher Santiago Figueira Abstract The first example of an absolutely normal number was given by Sierpinski in 96, twenty years before the concept

### Linear Codes. Chapter 3. 3.1 Basics

Chapter 3 Linear Codes In order to define codes that we can encode and decode efficiently, we add more structure to the codespace. We shall be mainly interested in linear codes. A linear code of length

### Efficient Recovery of Secrets

Efficient Recovery of Secrets Marcel Fernandez Miguel Soriano, IEEE Senior Member Department of Telematics Engineering. Universitat Politècnica de Catalunya. C/ Jordi Girona 1 i 3. Campus Nord, Mod C3,

### Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

### Security in Outsourcing of Association Rule Mining

Security in Outsourcing of Association Rule Mining W. K. Wong The University of Hong Kong wkwong2@cs.hku.hk David W. Cheung The University of Hong Kong dcheung@cs.hku.hk Ben Kao The University of Hong

### The Online Set Cover Problem

The Online Set Cover Problem Noga Alon Baruch Awerbuch Yossi Azar Niv Buchbinder Joseph Seffi Naor ABSTRACT Let X = {, 2,..., n} be a ground set of n elements, and let S be a family of subsets of X, S

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### princeton univ. F 13 cos 521: Advanced Algorithm Design Lecture 6: Provable Approximation via Linear Programming Lecturer: Sanjeev Arora

princeton univ. F 13 cos 521: Advanced Algorithm Design Lecture 6: Provable Approximation via Linear Programming Lecturer: Sanjeev Arora Scribe: One of the running themes in this course is the notion of

### Co-Location-Resistant Clouds

Co-Location-Resistant Clouds Yossi Azar Tel-Aviv University azar@tau.ac.il Mariana Raykova SRI International mariana.raykova@sri.com Seny Kamara Microsoft Research senyk@microsoft.com Ishai Menache Microsoft

### Offline sorting buffers on Line

Offline sorting buffers on Line Rohit Khandekar 1 and Vinayaka Pandit 2 1 University of Waterloo, ON, Canada. email: rkhandekar@gmail.com 2 IBM India Research Lab, New Delhi. email: pvinayak@in.ibm.com

### Analysis of Approximation Algorithms for k-set Cover using Factor-Revealing Linear Programs

Analysis of Approximation Algorithms for k-set Cover using Factor-Revealing Linear Programs Stavros Athanassopoulos, Ioannis Caragiannis, and Christos Kaklamanis Research Academic Computer Technology Institute

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Lecture 3: Finding integer solutions to systems of linear equations

Lecture 3: Finding integer solutions to systems of linear equations Algorithmic Number Theory (Fall 2014) Rutgers University Swastik Kopparty Scribe: Abhishek Bhrushundi 1 Overview The goal of this lecture

### U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

### Introduction to Algorithms. Part 3: P, NP Hard Problems

Introduction to Algorithms Part 3: P, NP Hard Problems 1) Polynomial Time: P and NP 2) NP-Completeness 3) Dealing with Hard Problems 4) Lower Bounds 5) Books c Wayne Goddard, Clemson University, 2004 Chapter

### A Sublinear Bipartiteness Tester for Bounded Degree Graphs

A Sublinear Bipartiteness Tester for Bounded Degree Graphs Oded Goldreich Dana Ron February 5, 1998 Abstract We present a sublinear-time algorithm for testing whether a bounded degree graph is bipartite

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### Discrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note 11

CS 70 Discrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note Conditional Probability A pharmaceutical company is marketing a new test for a certain medical condition. According

### Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

### Randomized algorithms

Randomized algorithms March 10, 2005 1 What are randomized algorithms? Algorithms which use random numbers to make decisions during the executions of the algorithm. Why would we want to do this?? Deterministic

### Lecture 2: Universality

CS 710: Complexity Theory 1/21/2010 Lecture 2: Universality Instructor: Dieter van Melkebeek Scribe: Tyson Williams In this lecture, we introduce the notion of a universal machine, develop efficient universal

### Chapter 11. 11.1 Load Balancing. Approximation Algorithms. Load Balancing. Load Balancing on 2 Machines. Load Balancing: Greedy Scheduling

Approximation Algorithms Chapter Approximation Algorithms Q. Suppose I need to solve an NP-hard problem. What should I do? A. Theory says you're unlikely to find a poly-time algorithm. Must sacrifice one

### Notes on Complexity Theory Last updated: August, 2011. Lecture 1

Notes on Complexity Theory Last updated: August, 2011 Jonathan Katz Lecture 1 1 Turing Machines I assume that most students have encountered Turing machines before. (Students who have not may want to look

### ! Solve problem to optimality. ! Solve problem in poly-time. ! Solve arbitrary instances of the problem. !-approximation algorithm.

Approximation Algorithms Chapter Approximation Algorithms Q Suppose I need to solve an NP-hard problem What should I do? A Theory says you're unlikely to find a poly-time algorithm Must sacrifice one of

### ECEN 5682 Theory and Practice of Error Control Codes

ECEN 5682 Theory and Practice of Error Control Codes Convolutional Codes University of Colorado Spring 2007 Linear (n, k) block codes take k data symbols at a time and encode them into n code symbols.

### Notes from Week 1: Algorithms for sequential prediction

CS 683 Learning, Games, and Electronic Markets Spring 2007 Notes from Week 1: Algorithms for sequential prediction Instructor: Robert Kleinberg 22-26 Jan 2007 1 Introduction In this course we will be looking

### On Combining Privacy with Guaranteed Output Delivery in Secure Multiparty Computation

On Combining Privacy with Guaranteed Output Delivery in Secure Multiparty Computation Yuval Ishai 1, Eyal Kushilevitz 1, Yehuda Lindell 2, and Erez Petrank 1 1 Technion ({yuvali,eyalk,erez}@cs.technion.ac.il)

### Post-Quantum Cryptography #4

Post-Quantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertext-only attack: This is the most basic type of attack

### The Classes P and NP

The Classes P and NP We now shift gears slightly and restrict our attention to the examination of two families of problems which are very important to computer scientists. These families constitute the

### Information Security in Big Data using Encryption and Decryption

International Research Journal of Computer Science (IRJCS) ISSN: 2393-9842 Information Security in Big Data using Encryption and Decryption SHASHANK -PG Student II year MCA S.K.Saravanan, Assistant Professor

### Diagonalization. Ahto Buldas. Lecture 3 of Complexity Theory October 8, 2009. Slides based on S.Aurora, B.Barak. Complexity Theory: A Modern Approach.

Diagonalization Slides based on S.Aurora, B.Barak. Complexity Theory: A Modern Approach. Ahto Buldas Ahto.Buldas@ut.ee Background One basic goal in complexity theory is to separate interesting complexity

### Fairness in Routing and Load Balancing

Fairness in Routing and Load Balancing Jon Kleinberg Yuval Rabani Éva Tardos Abstract We consider the issue of network routing subject to explicit fairness conditions. The optimization of fairness criteria

### Practicing Differential Privacy in Health Care: A Review

TRANSACTIONS ON DATA PRIVACY 5 (2013) 35 67 Practicing Differential Privacy in Health Care: A Review Fida K. Dankar*, and Khaled El Emam* * CHEO Research Institute, 401 Smyth Road, Ottawa, Ontario E mail

### International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

### ORDERS OF ELEMENTS IN A GROUP

ORDERS OF ELEMENTS IN A GROUP KEITH CONRAD 1. Introduction Let G be a group and g G. We say g has finite order if g n = e for some positive integer n. For example, 1 and i have finite order in C, since

### ! Solve problem to optimality. ! Solve problem in poly-time. ! Solve arbitrary instances of the problem. #-approximation algorithm.

Approximation Algorithms 11 Approximation Algorithms Q Suppose I need to solve an NP-hard problem What should I do? A Theory says you're unlikely to find a poly-time algorithm Must sacrifice one of three

### Efficient General-Adversary Multi-Party Computation

Efficient General-Adversary Multi-Party Computation Martin Hirt, Daniel Tschudi ETH Zurich {hirt,tschudid}@inf.ethz.ch Abstract. Secure multi-party computation (MPC) allows a set P of n players to evaluate

### Competitive Analysis of On line Randomized Call Control in Cellular Networks

Competitive Analysis of On line Randomized Call Control in Cellular Networks Ioannis Caragiannis Christos Kaklamanis Evi Papaioannou Abstract In this paper we address an important communication issue arising

### Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

### Approximation Algorithms

Approximation Algorithms or: How I Learned to Stop Worrying and Deal with NP-Completeness Ong Jit Sheng, Jonathan (A0073924B) March, 2012 Overview Key Results (I) General techniques: Greedy algorithms

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

### Permutation Betting Markets: Singleton Betting with Extra Information

Permutation Betting Markets: Singleton Betting with Extra Information Mohammad Ghodsi Sharif University of Technology ghodsi@sharif.edu Hamid Mahini Sharif University of Technology mahini@ce.sharif.edu

### International Journal of Advanced Computer Technology (IJACT) ISSN:2319-7900 PRIVACY PRESERVING DATA MINING IN HEALTH CARE APPLICATIONS

PRIVACY PRESERVING DATA MINING IN HEALTH CARE APPLICATIONS First A. Dr. D. Aruna Kumari, Ph.d, ; Second B. Ch.Mounika, Student, Department Of ECM, K L University, chittiprolumounika@gmail.com; Third C.

### About the inverse football pool problem for 9 games 1

Seventh International Workshop on Optimal Codes and Related Topics September 6-1, 013, Albena, Bulgaria pp. 15-133 About the inverse football pool problem for 9 games 1 Emil Kolev Tsonka Baicheva Institute

### A generalized Framework of Privacy Preservation in Distributed Data mining for Unstructured Data Environment

www.ijcsi.org 434 A generalized Framework of Privacy Preservation in Distributed Data mining for Unstructured Data Environment V.THAVAVEL and S.SIVAKUMAR* Department of Computer Applications, Karunya University,

### 1 Limiting distribution for a Markov chain

Copyright c 2009 by Karl Sigman Limiting distribution for a Markov chain In these Lecture Notes, we shall study the limiting behavior of Markov chains as time n In particular, under suitable easy-to-check

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

### I. INTRODUCTION. of the biometric measurements is stored in the database

122 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL 6, NO 1, MARCH 2011 Privacy Security Trade-Offs in Biometric Security Systems Part I: Single Use Case Lifeng Lai, Member, IEEE, Siu-Wai

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

### 1 Pseudorandom Permutations

Theoretical Foundations of Cryptography Lecture 9 Georgia Tech, Spring 2010 PRPs, Symmetric Encryption 1 Pseudorandom Permutations Instructor: Chris Peikert Scribe: Pushkar Tripathi In the first part of

### How Efficient can Memory Checking be?

How Efficient can Memory Checking be? Cynthia Dwork Moni Naor Guy N. Rothblum Vinod Vaikuntanathan Abstract We consider the problem of memory checking, where a user wants to maintain a large database on

### Approximated Distributed Minimum Vertex Cover Algorithms for Bounded Degree Graphs

Approximated Distributed Minimum Vertex Cover Algorithms for Bounded Degree Graphs Yong Zhang 1.2, Francis Y.L. Chin 2, and Hing-Fung Ting 2 1 College of Mathematics and Computer Science, Hebei University,

### Lecture 22: November 10

CS271 Randomness & Computation Fall 2011 Lecture 22: November 10 Lecturer: Alistair Sinclair Based on scribe notes by Rafael Frongillo Disclaimer: These notes have not been subjected to the usual scrutiny

### Privacy-Preserving Aggregation of Time-Series Data

Privacy-Preserving Aggregation of Time-Series Data Elaine Shi PARC/UC Berkeley elaines@eecs.berkeley.edu Richard Chow PARC rchow@parc.com T-H. Hubert Chan The University of Hong Kong hubert@cs.hku.hk Dawn

### 1 Approximating Set Cover

CS 05: Algorithms (Grad) Feb 2-24, 2005 Approximating Set Cover. Definition An Instance (X, F ) of the set-covering problem consists of a finite set X and a family F of subset of X, such that every elemennt

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### DEGREES OF ORDERS ON TORSION-FREE ABELIAN GROUPS

DEGREES OF ORDERS ON TORSION-FREE ABELIAN GROUPS ASHER M. KACH, KAREN LANGE, AND REED SOLOMON Abstract. We construct two computable presentations of computable torsion-free abelian groups, one of isomorphism

### Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. Springer-Verlag. Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

### Near Optimal Solutions

Near Optimal Solutions Many important optimization problems are lacking efficient solutions. NP-Complete problems unlikely to have polynomial time solutions. Good heuristics important for such problems.

### INTRODUCTION TO CODING THEORY: BASIC CODES AND SHANNON S THEOREM

INTRODUCTION TO CODING THEORY: BASIC CODES AND SHANNON S THEOREM SIDDHARTHA BISWAS Abstract. Coding theory originated in the late 1940 s and took its roots in engineering. However, it has developed and

### Privacy-preserving Analysis Technique for Secure, Cloud-based Big Data Analytics

577 Hitachi Review Vol. 63 (2014),. 9 Featured Articles Privacy-preserving Analysis Technique for Secure, Cloud-based Big Data Analytics Ken Naganuma Masayuki Yoshino, Ph.D. Hisayoshi Sato, Ph.D. Yoshinori

### arxiv:1402.3426v3 [cs.cr] 27 May 2015

Privacy Games: Optimal User-Centric Data Obfuscation arxiv:1402.3426v3 [cs.cr] 27 May 2015 Abstract Consider users who share their data (e.g., location) with an untrusted service provider to obtain a personalized

### Factoring & Primality

Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

### Private Inference Control For Aggregate Database Queries

Private Inference Control For Aggregate Database Queries Geetha Jagannathan geetha@cs.rutgers.edu Rebecca N. Wright Rebecca.Wright@rutgers.edu Department of Computer Science Rutgers, State University of

### On Generating the Initial Key in the Bounded-Storage Model

On Generating the Initial Key in the Bounded-Storage Model Stefan Dziembowski Institute of Informatics, Warsaw University Banacha 2, PL-02-097 Warsaw, Poland, std@mimuw.edu.pl Ueli Maurer Department of

### Lecture 3: Linear Programming Relaxations and Rounding

Lecture 3: Linear Programming Relaxations and Rounding 1 Approximation Algorithms and Linear Relaxations For the time being, suppose we have a minimization problem. Many times, the problem at hand can

### NP-Completeness and Cook s Theorem

NP-Completeness and Cook s Theorem Lecture notes for COM3412 Logic and Computation 15th January 2002 1 NP decision problems The decision problem D L for a formal language L Σ is the computational task:

### Using Generalized Forecasts for Online Currency Conversion

Using Generalized Forecasts for Online Currency Conversion Kazuo Iwama and Kouki Yonezawa School of Informatics Kyoto University Kyoto 606-8501, Japan {iwama,yonezawa}@kuis.kyoto-u.ac.jp Abstract. El-Yaniv