Our Data, Ourselves: Biased Coins and Privacy

In this work we provide efficient distributed protocols for generating shares of random noise, secure against malicious participants. The purpose of the noise generation is to come up with a distributed implementation of the privacy-preserving statistical databases described in recent papers (21, 6, 20). In these databases, privacy is obtained by perturbing the true answer to a database query by the addition of a small amount of Gaussian or exponentially distributed random noise. The computational power of even a simple form of these databases, when the query is just of the form P i f(di), that is, the sum over all rows i in the database of a function f applied to the data in row i, has been demonstrated in (6). A distributed implementation eliminates the need for a trusted database administrator. Exploiting the simplicity of secure function evaluation for addition, the principal technical difficulty in building a fault-tolerant distributed implementation of the privacy- preserving database is in generating shares of the noise according to the aforementioned distributions. The results for noise generation are of independent interest. The generation of Gaussian noise introduces a technique for distributing shares of many unbiased coins with fewer executions of verifiable secret sharing than would be needed using previous approaches (reduced by a factor of n). The generation of exponentially distributed noise uses two shallow circuits: one for generating many arbitrarily but identically biased coins at an amortized cost of two unbiased random bits apiece, independent of the bias, and the other to generate the exponential distribution from appropriately biased bits.