Download presentation

Presentation is loading. Please wait.

Published bySerena Lavin Modified over 2 years ago

1
Improved Efficiency for Private Stable Matching Matthew Franklin, Mark Gondree, and Payman Mohassel University of California, Davis 02/07/07 - Session Code: CRYP-203

2
Insert presenter logo here on slide master Stable Matching Stable Matching (Marriage): N men, N women, each with their own preference list Matching M has an unstable pair (A,B) if: (A,B’), (A’,B) in M A prefers B over B’ B prefers A over A’ M is stable if no unstable pairs exist in M 2 A A1A1 A’ A2A2 B’ B1B1 B B2B2

3
Insert presenter logo here on slide master Applications Assigning Medical students to Hospitals — In US, Canada, and Scotland Assigning students to schools and universities — In Norway and Singapore National Matching Services Inc. 3

4
Insert presenter logo here on slide master Outline Introduction — Stable matching problem — Gale-Shapley Algorithm — Privacy Issues Contributions Open problems 4

5
Insert presenter logo here on slide master The Gale-Shapley Algorithm Notation: ─ N men :{A 1, …, A N } ─ N women: {B 1, …, B N } ─ Preference list for man i: A i [1…N] ─ Preference list for woman i: B i [1…N] ─ List of free men in round k : F k ─ List of engaged men in round k: E k 5

6
Insert presenter logo here on slide master Gale-Shapley k=1;F k = {A 1, …, A N } While F k is non-empty: Randomly select A from F k A proposes to “next” woman B: (Where he ranks B highest among the women to whom he has never proposed before) If B is free then she becomes engaged to A If B is engaged to some A’ then If B prefers A over A’ then remove A and add A’ to F k Otherwise, F k stays the same F k+1 = F k ; k= k+1 6

7
Insert presenter logo here on slide master Remarks on Gale-Shapley Round by Round ─ Matches made and broken every round ─ Man optimal Privacy Issues ─ Naïve implementation ─ Matching Authority learns participants’ preference lists ─ Naively distributed computation ─ Traffic pattern: history of matches made and broken 7

8
Insert presenter logo here on slide master Setting [Golle, FC06] Have multiple (t) Matching Authorities (MAs) MAs receive encrypted preference lists MAs compute the stable matching MAs don’t learn anything Participants only learn their own partner Assume: passive adversaries Security Guaranteed (assuming ≥ 1 honest MA) 8

9
Insert presenter logo here on slide master Our Contribution Revisit [Golle] — High Communication complexity (Partly due to the chosen variant of Gale-Shapely used) Design a Private and Efficient Protocol — Design a new variant of Gale-Shapely — Tune it for private implementation — Crypto assumptions comparable to [Golle] — Lower round and communication complexities 9

10
Insert presenter logo here on slide master Our Contributions, Cont’d Summary of protocols and efficiency : 10

11
Insert presenter logo here on slide master Our variant of Gale-Shapley Real men: {A 1, …, A N }, Fake men: {A N+1, …, A 2N } Real women: {B 1,…,B N }, Fake women:{B N+1,…,B 2N } Preference lists: — Real men: ( [actual preference list], [B N+1,...,B 2N, in any order] ) — Real women: ( [actual preference list], [A N+1,...,A 2N, in any order] ) — Fake women:( [A N+1,...,A 2N, in any order],[A 1,...,A N, in any order]) — Fake men: ( [B N+2,...,B 2N, in any order], B N+1, [B 1,...,B N, in any order] ) 11

12
Insert presenter logo here on slide master Our Variant, Cont’d Initialization: — F 1 = {A 1 } — {A 2, …, A N } are engaged to {B N+2,…,B 2N }, respectively — {A N+1, …, A 2N } are engaged to {B 1,…, B N }, respectively While F k is not empty: — The free man A in F k proposes to B (The next woman in his preference list to whom he hasn’t proposed) — If B is engaged to some man A’ If B prefers A over A’, let F k+1 = {A’}, and pair A and B Otherwise, F k+1 = F k 12

13
Insert presenter logo here on slide master Our Variant, Cont’d 2 Claim: Once a fake man proposes to woman B N+1, we have a stable matching Thus, the algorithm’s complexity is O(N 2 ) Also, “Tuned for privacy” — every round k, |F k | = 1 We implement a private version 13

14
Insert presenter logo here on slide master Protocol Bids — Two types: Free and Engaged — Set of ciphertexts (constant sized) — F k = {Free Bids in round k} — E k = {Engaged Bids in round k} Preference Lists — Encrypted, held by an MA (the “Database”) Everything encrypted with threshold homomorphic enc. 14

15
Insert presenter logo here on slide master Protocol For k = 1 to 2N 2 : — Select a single free bid from F k. — “Open it” to recover the (encrypted) pointers into the database — Access database to get next fiancée's (encrypted) identity — Form the engaged bid — Privately find the conflicting engaged bid (mix, private equality test) — Mix these two engaged bids — “Resolve the conflict” to find the winner and loser (private comparison) — “Break the engagement” for the loser and add him to F k+1 — Add the winner to E k — Mix all the bids — Let E k+1 = E k 15

16
Insert presenter logo here on slide master Protocol For k = 1 to 2N 2 : — Select a single free bid from F k. — “Open it” to recover the (encrypted) pointers into the database — Access database to get next fiancée's (encrypted) identity — Form the engaged bid — Privately find the conflicting engaged bid (mix, private equality test) — Mix these two engaged bids — “Resolve the conflict” to find the winner and loser (private comparison) — “Break the engagement” for the loser and add him to F k+1 — Add the winner to E k — Mix all the bids — Let E k+1 = E k 16

17
Insert presenter logo here on slide master Protocol For k = 1 to 2N 2 : — Select a single free bid from F k. — “Open it” to recover the (encrypted) pointers into the database — Access database to get next fiancée's (encrypted) identity — Form the engaged bid — Privately find the conflicting engaged bid (mix, private equality test) — Mix these two engaged bids — “Resolve the conflict” to find the winner and loser (private comparison) — “Break the engagement” for the loser and add him to F k+1 — Add the winner to E k — Mix all the bids — Let E k+1 = E k 17

18
Insert presenter logo here on slide master Protocol For k = 1 to 2N 2 : — Select a single free bid from F k. — “Open it” to recover the (encrypted) pointers into the database — Access database to get next fiancée's (encrypted) identity — Form the engaged bid — Privately find the conflicting engaged bid (mix, private equality test) — Mix these two engaged bids — “Resolve the conflict” to find the winner and loser (private comparison) — “Break the engagement” for the loser and add him to F k+1 — Add the winner to E k — Mix all the bids — Let E k+1 = E k 18

19
Insert presenter logo here on slide master Protocol For k = 1 to 2N 2 : — Select a single free bid from F k. — “Open it” to recover the (encrypted) pointers into the database — Access database to get next fiancée's (encrypted) identity — Form the engaged bid — Privately find the conflicting engaged bid (mix, private equality test) — Mix these two engaged bids — “Resolve the conflict” to find the winner and loser (private comparison) — “Break the engagement” for the loser and add him to F k+1 — Add the winner to E k — Mix all the bids — Let E k+1 = E k 19

20
Insert presenter logo here on slide master Accessing the database Database D, an array of n=(2N) 2 ciphertexts Given E(i), we want to recover element D[i] Our subprotocol: — Modification of an efficient (1-out-of-n) OT protocol — MAs process E(i) into queries of the protocol — MAs process database’s reply to recover D[i], a ciphertext Our construction — Uses Stern’s OT (1 round, polylog CC) — Again, using threshold homomorphic encryption 20

21
Insert presenter logo here on slide master A protocol for 2 MAs A more efficient protocol for 2-MA case Private Table Look Ups (LUT) [NN01] (For two-party computation) Private Computation of Turing Machines with a RAM — Circuits equipped with Private LUT Our algorithm can be presented as a TM with RAM Implement privately using [NN01] Extending to multiparty — Not completely distributed 21

22
Insert presenter logo here on slide master New Developments Extending [NN01] to multiparty — Automatically leads to more efficient private stable matching — Leads to nearly optimal communication 22

23
Insert presenter logo here on slide master Thank you!! Questions?

24
Insert presenter logo here on slide master

25
Golle’s approach Golle’s variant of Gale-Shapley: N real men: {A 1,…, A N }, N real women:{B 1,…,B N } N fake men: {A N+1,…,A 2N } Arbitrary preference lists for fake men Each woman ranks fake men lower than real ones Initialization — All real men are free — All fake men are engaged (in an arbitrary way)

26
Insert presenter logo here on slide master Golle’s Approach Cont’d For K = 1 to n: — While F K is non-empty: Randomly select A from F k A proposes to woman B: The woman he ranks highest among the women to whom he has never proposed before B is always engaged to some woman A ’ : If B prefers A over A ’ ; Remove A from F K, add A ’ to F k+1 Otherwise, add A to F k+1 Number of free men always N: |F K | = N for all 1≤ K ≤ N

27
Insert presenter logo here on slide master Shortcomings Golle implements this variant privately — Re-encryption mix-networks — Threshold homomorphic cryptosystems (Paillier encryption) Inefficiencies: — Golle’s variant needs O(N 2 ) rounds to reach a stable matching Complexity of algorithm increases by a factor of N — Another factor N increase size of ciphertext used in Mix-network: O(N) not constant!

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google