## Cryptographic Techniques for Privacy-Preserving Data Mining (2002)

Venue: | SIGKDD Explorations |

Citations: | 71 - 0 self |

### BibTeX

@ARTICLE{Pinkas02cryptographictechniques,

author = {Benny Pinkas},

title = {Cryptographic Techniques for Privacy-Preserving Data Mining},

journal = {SIGKDD Explorations},

year = {2002},

volume = {4},

pages = {2002}

}

### Years of Citing Articles

### OpenURL

### Abstract

Research in secure distributed computation, which was done as part of a larger body of research in the theory of cryptography, has achieved remarkable results. It was shown that non-trusting parties can jointly compute functions of their different inputs while ensuring that no party learns anything but the defined output of the function. These results were shown using generic constructions that can be applied to any function that has an ecient representation as a circuit. We describe these results, discuss their efficiency, and demonstrate their relevance to privacy preserving computation of data mining algorithms. We also show examples of secure computation of data mining algorithms that use these generic constructions.

### Citations

726 |
Completeness theorems for non-cryptographic fault-tolerant distributed computation
- Ben-Or, Goldwasser, et al.
- 1988
(Show Context)
Citation Context ...t is, compute the function while attaining the same privacy as in the ideal model. This was shown to be possible in principle by Goldreich, Micali and Wigderson [10], Ben-Or, Goldwasser and Wigderson =-=[3-=-], and by Chaum, Crepau and Damgard [4], for dierent scenarios. These constructions, too, are based on representing the computed function as a circuit and evaluating it. The constructions do have, how... |

610 |
How to generate and exchange secrets
- Yao
- 1986
(Show Context)
Citation Context ...t of a k degree polynomial is (k + 1)-wise independent. Another motivation is that polynomials can be used for approximating functions that are dened over the Real numbers. 2.3 The two party case In [=-=19]-=-, Yao presented a constant-round protocol for privately computing any probabilistic polynomial-time function (where the adversary may be either semi-honest or malicious) . Denote the parties as Alice ... |

540 |
How to play any mental game – or – a completeness theorem for protocols with honest majority
- Goldreich, Micali, et al.
- 1987
(Show Context)
Citation Context ...other information about the inputs. That is, compute the function while attaining the same privacy as in the ideal model. This was shown to be possible in principle by Goldreich, Micali and Wigderson =-=[10-=-], Ben-Or, Goldwasser and Wigderson [3], and by Chaum, Crepau and Damgard [4], for dierent scenarios. These constructions, too, are based on representing the computed function as a circuit and evaluat... |

508 | A randomized protocol for signing contracts
- Even, Goldreich, et al.
- 1985
(Show Context)
Citation Context ...of oblivious transfer, and no other cryptographic primitive, one could construct any secure computation protocol.) The notion of 1-out-2 oblivious transfer was suggested by Even, Goldreich and Lempel =-=[7-=-] (as a variant of a dierent but equivalent type of oblivious transfer that has been suggested by Rabin [17]). The protocol involves two parties, the sender and the receiver. The sender's input is a p... |

471 |
Multi-party unconditionally secure protocols
- Chaum, Crépeau, et al.
- 1988
(Show Context)
Citation Context ...ning the same privacy as in the ideal model. This was shown to be possible in principle by Goldreich, Micali and Wigderson [10], Ben-Or, Goldwasser and Wigderson [3], and by Chaum, Crepau and Damgard =-=[4-=-], for dierent scenarios. These constructions, too, are based on representing the computed function as a circuit and evaluating it. The constructions do have, however, some additional drawbacks, compa... |

423 | Privacy preserving data mining
- Lindell, Pinkas
- 2003
(Show Context)
Citation Context ...titioned" database). The parties wish to compute a decision tree by applying the ID3 algorithm to the union of their databases. An ecient privacy preserving protocol for this problem was describe=-=d in [12]-=-. We describe its basic details below, and refer the readers to [12] for the complete solution. Obstacles. A naive approach for implementing a privacy preserving solution is to apply the generic Yao p... |

321 | How to exchange secrets by oblivious transfer - Rabin - 1981 |

249 |
Founding cryptography on oblivious transfer
- Kilian
- 1988
(Show Context)
Citation Context ...is a basic protocol that is the main building block of secure computation. It might seem strange atsrst, but its role in secure computation should become clear later. (In fact, it was shown by Kilian =-=[11]-=- that oblivious transfer is sucient for secure computation in the sense that given an implementation of oblivious transfer, and no other cryptographic primitive, one could construct any secure computa... |

213 |
Oblivious transfer and polynomial evaluation
- Naor, Pinkas
- 1999
(Show Context)
Citation Context ...hen each party does learn some information, namely that the other party's suspect is dierent than his/hers, but this is inevitable). There are several ecient solutions for this problem (described in [=-=8; 14]-=-). Note that a seemingly trivial solution, of the parties publishing and comparing the values H(x) and H(y), where H is a one-way function, is insecure (since given H(x) Bob can do an exhaustive searc... |

201 | Privacy preserving auctions and mechanism design
- Naor, Pinkas, et al.
- 1999
(Show Context)
Citation Context ...computing the result of an auction, where there is an obvious motivation for privacy and security, and also certain restrictions on the operation of the parties. The auction application, discussed in =-=[16]-=-, is not related to data mining, but it does exemplify some of the diculties of the multiparty case. The discussion below applies for any function that can be computed by a circuit of reasonable size.... |

109 |
Non-interactive Oblivious Transfer and Applications
- Bellare, Micali
- 1990
(Show Context)
Citation Context ...ates have two inputs and one output). The oblivious transfer stage requires communication linear in the number of input bits, of about three modular values per oblivious transfer (for the protocol of =-=[2]-=-). The major factor dominating the overhead is, therefore, the size of the circuit representation of f . There are many functions for which we do not know how to create linear size circuits (e.g. func... |

101 | The round complexity of secure protocols
- Beaver, Micali, et al.
- 1990
(Show Context)
Citation Context ...y. On the other hand, a specialized protocol can be designed for computing this algorithm, which uses Yao's protocol as a primitive. 1 The only exception is the protocol of Beaver, Micali and Rogaway =-=[1]-=- that requires a constant number of communication rounds, but this protocol uses general zero-knowledge proofs that are inecient. SIGKDD Explorations. Volume 4, Issue 2 - page 15 Classification, decis... |

66 | Comparing information without leaking it
- Fagin, Naor, et al.
- 1996
(Show Context)
Citation Context ...tion except for their designated output, and in many case such protocols can in fact be eciently constructed.) As an example for the denition of privacy, consider the following problem (described in [=-=8-=-]). Alice and Bob are both teaching the same class, and each of them suspects that one specic student is cheating. None of them is completely sure, though, about the identity of the cheater, and they ... |

37 |
Secure multi-party computation,” Manuscript. Preliminary version
- Goldreich
- 1998
(Show Context)
Citation Context ...based on virtually all known constructions of trapdoor functions, i.e. public key cryptosystems. In the case of semi-honest adversaries, there exist simple and ecient protocols for oblivious transfer =-=[7; -=-9]. One straightforward approach is for the receiver to generate two random public keys, a key P whose decryption key he knows, and a key P1 whose decryption key he does not know. The receiver then s... |

27 |
Ecient oblivious transfer protocols
- Naor, Pinkas
(Show Context)
Citation Context ...appropriately. This can be done using zeroknowledge proofs that are used by the receiver to prove that he chooses the keys correctly. Fortunately, there are very ecient proofs for this case, see e.g. =-=[15]-=-. Oblivious transfer is often the most computationally intensive operation of secure protocols, and is repeated many times. Each invocation of oblivious transfer typically reSIGKDD Explorations. Volum... |

5 |
Computational work and time on machines
- Savage
- 1972
(Show Context)
Citation Context ...ut are entered into input wires and are propagated through the gates. Note that it is known that any polynomial-time function can be expressed as a combinatorial circuit of polynomial size (see, e.g. =-=[18]). Encodin-=-g the circuit. Loosely speaking, Yao's protocol works by having one of the parties (say Alice)srst generate an \encrypted" or \garbled" circuit computing f and send its representation to Bob... |

3 |
Introduction to Secure Computation, 2000. Available at http://www.brics.dk/~cramer/papers/CRAMER_revised.ps
- Cramer
(Show Context)
Citation Context ...ding A preferred alternative to reading the original papers of secure computation is to read Ronald Cramer's lecture notes that provide an elementary introduction to the methods of secure computation =-=[5]-=-, or Oded Goldreich's manuscript details a rigorous introduction to secure multi-party computation [9]. 3. THE TWO-PARTY CASE: COMPUTING ID3 Yao's two-party protocol is pretty ecient, as long as the s... |

3 |
The Crypto++ library, benchmark of Nov
- Dai
(Show Context)
Citation Context ...rtized overhead can be reduced at the cost of increasing the communication overhead, see [15]. It is therefore reasonable to assume that about a hundred oblivious transfers can be computed per second =-=[6-=-]. The communication overhead is linear in the size of the circuit. More accurately, a table of about 320-512 bits (40-64 bytes) is generated and communicated for every gate (assuming that all gates ... |