Cryptography, Security and Privacy
P.11.4
Lecture
Topics in Privacy and Cryptography

# Private Function Computation

## Date & Time

01:00 am – 01:00 am

## Abstract

In this paper, we study the problem of \textit{private function computation}, where a user wants to compute a function of some inputs, using $N \in \mathbb{N}$ servers, where the function is a private combination/composition of some $K\in \mathbb{N}$ public basic functions $\{f_1,f_2,\ldots,f_K\}$. More precisely, for some inputs $W_m$, $m\in [1: M]$, the user's goal is to calculate $h(W_m) = \sum_{j=1}^J\alpha_j h_j(W_m)$, for some $J\in \mathbb{N}$, some scalers $\alpha_j$, $j \in [1:J]$, and some functions $h_{j}(.)$, $j \in [1:J]$, where each is an arbitrary compositions of the basic functions $\{f_1,f_2,\ldots,f_K\}$. The computation is done through a sequence of queries to $N$ servers. In each query, the user sends an input $W$, which is a (possibly randomized) function of $W_{1:M}$ and the answers to the previous queries, to one of the servers, and asks the server to return $f_k(W)$, for some $k\in [1:K]$. The servers should not obtain any information about the structure of the function $h(.)$, i.e., the way the basic functions are combined to form $h(.)$, from the sequence of queries they received, even if $T$ of them collude, for some $T \in \mathbb{N}$. In this paper, we focus on the cases, where basic functions are linear and can be represented by (possibly large-scale) full-rank matrices, and each basic function may contribute in function $h(.)$ for at most once. We prove that $C$, defined as the supremum of the number of desired computations of the basic functions, normalized by the number of queries, in asymptotic regimes of large $M$, satisfies the following inequality: \begin{align*} \min\Big \{({1-\frac{T}{N}})/({1-\frac{1}{K}}), ({1-\frac{T-1}{N}})\Big\}\le C \le 1. \end{align*} The key idea is that in the proposed scheme, each server is asked to compute a specific order of basic functions, independent from the user's desired function. In addition, some random vectors are added to the inputs of the queries such that the sequence of the queries does not leak any information.

MIT