Efficient Noise Generation to Achieve Differential Privacy with Applications to Secure Multiparty Computation

Abstract

This paper studies the problem of constructing secure multiparty computation protocols whose outputs satisfy differential privacy. We first provide a general framework for multiparty protocols generating shares of noise drawn from distributions capable of achieving differential privacy. Then, using this framework, we propose two kinds of protocols based on secret sharing. The first one is a constant-round protocol which enables parties to jointly generate shares of noise drawn from the discrete Laplace distribution. This protocol always outputs shares of noise while the previously known protocol fails with non-zero probability. The second protocol allows the parties to non-interactively obtain shares of noise following the binomial distribution by predistributing keys for pseudorandom functions in the setup phase. As a result, the parties can compute a share of noise enough to provide the computational analogue of \(\epsilon \)-differential privacy with communication complexity independent of \(\epsilon \). It is much more efficient than the previous protocols which require communication complexity proportional to \(\epsilon ^{-2}\) to achieve (information-theoretic) \((\epsilon ,\delta )\)-differential privacy for some \(\delta >0\).

A Appendix

1.1 A.1 The Protocol for Discrete Laplace Noise Generation [17]

The authors of [17] show that sampling an integer g from the truncated geometric distribution with support \(\{z\in \mathbb {Z}:0\le z<N\}\) is reduced to generating \(\log N\) independent biased bits. They implicitly show the following lemma. Define \(\mathbb {Z}_{\ge c}=\{z\in \mathbb {Z}:z\ge c\}\) for \(c\in \mathbb {Z}\). Let \(0<p<1\) and \(t_i=(1+p^{-2^i})^{-1}\) for \(i\in \mathbb {Z}_{\ge 0}\).

Lemma 1

Let \(X_i\) be the random variable with \(\text {Ber}(t_i)\). Then \(G:=\sum _{i\in \mathbb {Z}_{\ge 0}}X_i2^i\) has the geometric distribution \(\text {Geo}(p)\), i.e., \({\mathrm {Pr}\left[ G=g \right] }=(1-p)p^g\) for \(g\ge 0\).

To obtain a concrete protocol, we provide the probability distribution of the truncated sum of the \(X_i\)’s. Let \(c\in \mathbb {N}\) and \(N=2^c\). It follows from the above lemma that \(\sum _{i\in [0..c)}X_i2^i\) follows the truncated geometric distribution, i.e., \({\mathrm {Pr}\left[ \sum _{i\in [0..c)}X_i2^i=g \right] }=D(1-p)p^g\) for \(g\in [0..N)\), where \(D=(1-p^N)^{-1}\). Indeed, the lemma implies that for every finite set \(I\subseteq \mathbb {Z}_{\ge 0}\),

$$\begin{aligned} {\mathrm {Pr}\left[ X_i=1~(\forall i\in I)\wedge X_i=0~(\forall i\in (\mathbb {Z}_{\ge 0}\setminus I)) \right] }=(1-p)p^{y(I)}, \end{aligned}$$

where we define \(y(I)=\sum _{i\in I}2^i\). Let \(g\in [0..N)\) and \(I\subseteq [0..c)\) be such that \(g=y(I)\).

$$\begin{aligned} {\mathrm {Pr}\left[ \sum _{i\in [0..c)}X_i2^i=g \right] }&={\mathrm {Pr}\left[ X_i=1~(\forall i\in I)\wedge X_i=0~(\forall i\in ([0..c)\setminus I)) \right] }\\&=\sum _{J\subseteq \mathbb {Z}_{\ge c}}(1-p)p^{y(I\cup J)}\\&=(1-p)p^{g}\sum _{J\subseteq \mathbb {Z}_{\ge c}}p^{y(J)}. \end{aligned}$$

Since \(\sum _{g\in [0..N)}{\mathrm {Pr}\left[ \sum _{i\in [0..c)}X_i2^i=g \right] }=1\), we have \(\sum _{J\subseteq \mathbb {Z}_{\ge c}}p^{y(J)}=(\sum _{g\in [0..N)}(1-p)p^g)^{-1}=D\).

Then, according to [11], \(L:=\sigma G\) conditioned on \((G,\sigma )\ne (0,-1)\) follows \(\text {TDL}(p,N)\) if and \(G=\sum _{i\in [0..c)}X_i2^i\) for \(X_i\sim \text {Ber}(t_i)\).

The protocol [17] evaluates a certain Boolean circuit to generate biased bits \(X_i\). It also needs to invoke an equality test protocol to verify \((\sigma ,g)\ne (0,-1)\) and hence it fails with probability \({\mathrm {Pr}\left[ (\sigma ,g)=(0,-1) \right] }=(1-p)/2\). The statistical distance between \(\text {TDL}(p,N)\) and the output is at most \(2^{-d}\log N\).

1.2 A.2 The Protocol for Binomial Noise Generation [17]

First, the authors in [17] propose a protocol, in which the parties jointly \(\ell \) random bits \(b_k\), \(k\in [\ell ]\) and securely compute a share of \((1/M)\cdot (\sum _{k\in [\ell ]}b_k-\ell /2)\). For a function with sensitivity \(\varDelta \), the protocol achieves \((\epsilon ,\delta )\)-differential privacy for \(\epsilon \ge \epsilon (\delta ,\ell ,M,\varDelta )\) and the mean squared error is given by \(\ell /4M^2\). The protocol requires the communication complexity \(\mathcal {O} \left( \ell \text {Mult}(\varPi _{\text {Bit}}) \right) \) if the functionality \(\mathcal {F}_\text {Bit}\) is realized by a protocol \(\varPi _{\text {Bit}}\). As we mentioned in Sect. 2.2, if we implement \(\varPi _{\text {Bit}}\) with \(\textsc {xor}^*\) (resp. \(\textsc {ran}_2\)), then \(\text {Mult}(\varPi _{\text {Bit}})\) is \(\mathcal {O} \left( n \right) \) (resp. \(\mathcal {O} \left( 1 \right) \)).

In addition, a protocol simultaneously flipping n bits is proposed in [17]. Technically, each party \(i\in [n]\) shares his local random bit \(s_i\) among the other parties and then the parties obtain n shares \({\llbracket s_i\rrbracket }\), \(i\in [n]\). This can reduce the communication complexity to \(\mathcal {O} \left( \ell /n \right) \). However, since \(t\ell /n\) out of the \(\ell \) bits are revealed to the adversary, the modified protocol is \((\epsilon ,\delta )\)-differentially private only for \(\epsilon \ge \epsilon (\delta ,\ell (1-t/n),M,\varDelta )\).