Malicious-Secure Private Set Intersection via Dual Execution


Malicious-Secure Private Set Intersection via Dual Execution. Peter Rindal, Mike Rosulek.

Private Set Intersection (PSI)
Two parties hold sets $X$ and $Y$ and want to learn $X \cap Y$.
The "Sender" holds $X$ and the "Receiver" holds $Y$; the PSI functionality outputs $X \cap Y$ to the Receiver.

App: Ad Efficiency
One party holds the set of ad views, the other the set of customers; PSI reveals the intersection $X \cap Y$.

App: Voter Registration
Two lists of registered voters; PSI reveals the double-registered voters.

A Sampling of PSI Over the Decades
Diffie-Hellman:
[Meadows86] First to define a private equality test using Diffie-Hellman
[HubermanFranklinHogg99] Extended the Diffie-Hellman private equality test to PSI
[DeCristofaroKimTsudik10] Malicious-secure Diffie-Hellman based PSI; the test is $x^{\alpha\beta} = y^{\beta\alpha} \Rightarrow x = y$
Oblivious polynomial evaluation:
[NaorPinkas99] Semi-honest OT based PSI using polynomial evaluation; $Q(x) := (x - y)$ and $Q(x) = 0 \Rightarrow x = y$
[FreedmanNissimPinkas04] Homomorphic-encryption based PSI using polynomial evaluation and hashing
[DachmanMalkinRaykovaYung09] Malicious-secure homomorphic-encryption based PSI using polynomial evaluation; $f(x) + g(x) = f(y) + g(y) \Rightarrow x = y$
Generic MPC:
[HuangEvansKatz12] Garbled-circuit based PSI
Oblivious transfer + Bloom filter:
[DongChenWen13] OT + Bloom filter based PSI
[RR17a] Malicious-secure OT + Bloom filter based PSI
Oblivious transfer encoding (the Receiver inputs $x$ to an OT and obtains $m_x$; $m_x = m_y \Rightarrow x = y$):
[FaginNaorWinkler96] Bitwise OT encoding for a private equality test
[PinkasSchneiderZohner14, …] Cuckoo hashing + bitwise OT encoding PSI
[KolesnikovKumaresanRosulekTrieu16] Element-wise OT encoding PSI
[This] Hash table based PSI
Speaker notes: One of the first techniques for PSI was produced by Meadows in 1986. This approach builds on the commutative property of exponentiation in Diffie-Hellman. Huberman et al. later framed this result in terms of PSI. More recently, De Cristofaro et al. extended this approach to the malicious setting using blind RSA. And this is by no means all of the works on PSI; shown here are all the papers I was able to find in a few minutes. As you can see, 2017 was a very good year for PSI.

Oblivious Transfer (OT)
The Sender holds $m_0, m_1 \in \{0,1\}^\ell$ and the Receiver holds a choice bit $x \in \{0,1\}$; the OT gives the Receiver $m_x$.
Highly efficient and secure OT protocols exist, which motivates its use as the basis for PSI.

Oblivious Transfer (1-out-of-N OT)
The Receiver holds $x \in \{1,\dots,N\}$; the Sender's messages $m_1,\dots,m_N \leftarrow \{0,1\}^\ell$ are chosen at random and the Receiver obtains $m_x$.
1-out-of-N OT allows for exponentially many random messages, e.g. $N = 2^{128}$.
Notation: the Sender's random messages define an encoding function $[\![\cdot]\!] := (m_1,\dots,m_N)$, and the Receiver learns $[\![x]\!] := m_x$.

Warm-up: Private Equality Test [PinkasSchneiderZohner14]
How to compare $x$ and $y$ for equality with oblivious transfer: the Sender's OT messages define $[\![\cdot]\!]$; the Receiver inputs $y$ to the OT and learns $[\![y]\!]$; the Sender sends $[\![x]\!]$; the Receiver outputs whether $[\![x]\!] = [\![y]\!]$.
Correctness: if $x = y$, the encodings are equal.
Security: if $x \ne y$, the Receiver sees $[\![x]\!]$, which looks completely random.

Warm-up: Private Membership Test [PinkasSchneiderZohner14]
How to check for membership $y \in X$: the Receiver learns $[\![y]\!]$ via OT; the Sender sends $\{[\![x_1]\!],\dots,[\![x_n]\!]\}$; the Receiver outputs whether $[\![y]\!] \in \{[\![x_1]\!],\dots,[\![x_n]\!]\}$.
Optimizations: optimized to require 1 OT [KolesnikovKumaresanRosulekTrieu16]; malicious secure [OrrùOrsiniScholl16].
Limitations: communication/computation $O(n)$ per test. PSI by testing membership $y \in X$ for each $y \in Y$ therefore costs $O(n^2)$.

Membership + Hash Table [PinkasSchneiderZohner14]
Use a hash table to reduce PSI complexity: a public hash function $h(\cdot): \{0,1\}^* \to \{1,\dots,B\}$ assigns each item $x_i$ to bin $h(x_i)$ of a table with $B$ bins. Both parties hash their items ($x_1, x_2, \dots, x_n$ and $y_1, y_2, \dots, y_n$) into the same table layout, and for each bin all pairs are compared. With $B = O(n / \log n)$ bins, each bin holds $O(\log n)$ items.

Semi-Honest Bin Comparison [PinkasSchneiderZohner14]
For each bin, compare all pairs: each Receiver item $y$ in a bin is tested with a PMT against the Sender's items in that bin.
Bin size $= O(\log n)$, so the quadratic comparison per bin costs $O(\log^2 n)$.
Semi-honest state of the art: [PinkasSchneiderZohner16], [KolesnikovKumaresanRosulekTrieu16], improved with more advanced hashing.

Malicious Security [RindalRosulek17b]
Issue with running one PMT per pair: a malicious Sender can use a different set $X, X', X''$ in each PMT, one per Receiver item $y_2, y_4, y_1$ in the bin. This cannot be simulated: the adversary effectively has $O(\log^2 n)$ inputs, so there is no consistent simulation.
In the ideal world the simulator must extract a single set $X^*$ such that the Receiver's output is $X^* \cap Y$; when the Sender uses $X$, $X'$ and $X''$, no such $X^*$ exists.

Malicious Security [RindalRosulek17b]
Need to restrict the Sender to a single set. Consider one bin in which the Receiver holds $y_2, y_4, y_1$ at positions 1, 2, 3 and the Sender holds $x_n, x_4, x_3$ at positions 1, 2, 3.
Step 1: for each position $a$, run an OT with the Sender as OT sender. The Sender's messages define $[\![\cdot]\!]_a^A$, and the Receiver, inputting its item at position $a$, learns $[\![y_2]\!]_1^A$, $[\![y_4]\!]_2^A$, $[\![y_1]\!]_3^A$.
Step 2: for each position $b$, run an OT in the other direction. The Receiver's messages define $[\![\cdot]\!]_b^B$, and the Sender learns $[\![x_n]\!]_1^B$, $[\![x_4]\!]_2^B$, $[\![x_3]\!]_3^B$.
Define the common encoding $[\![z]\!]_{a,b} = [\![z]\!]_a^A \oplus [\![z]\!]_b^B$. Each party knows exactly 9 common encodings of its 3 values.
The Sender knows every $[\![\cdot]\!]_a^A$ and $[\![x]\!]_b^B$ for its own position $b$, so it computes $[\![x_n]\!]_{1,1}, [\![x_n]\!]_{2,1}, [\![x_n]\!]_{3,1}$; $[\![x_4]\!]_{1,2}, [\![x_4]\!]_{2,2}, [\![x_4]\!]_{3,2}$; $[\![x_3]\!]_{1,3}, [\![x_3]\!]_{2,3}, [\![x_3]\!]_{3,3}$.
The Receiver knows every $[\![\cdot]\!]_b^B$ and $[\![y]\!]_a^A$ for its own position $a$, so it computes $[\![y_2]\!]_{1,1}, [\![y_2]\!]_{1,2}, [\![y_2]\!]_{1,3}$; $[\![y_4]\!]_{2,1}, [\![y_4]\!]_{2,2}, [\![y_4]\!]_{2,3}$; $[\![y_1]\!]_{3,1}, [\![y_1]\!]_{3,2}, [\![y_1]\!]_{3,3}$.
The Sender sends $[\![X]\!]$, the set of its common encodings; the Receiver outputs $y$ if some $[\![y]\!]_{a,b} \in [\![X]\!]$.

Correctness [RindalRosulek17b]
Say $y_2 = x_n$. The Receiver holds $y_2$ at position 1 and the Sender holds $x_n$ at position 1, so both compute $[\![y_2]\!]_{1,1} = [\![y_2]\!]_1^A \oplus [\![y_2]\!]_1^B = [\![x_n]\!]_{1,1}$, and the Receiver finds this value in $[\![X]\!]$.

Proof [RindalRosulek17b]
Must show a simulator: on input $X$ (the corrupt Sender's messages) it outputs $X^*$, and the correct intersection must be $X^* \cap Y$.
Strategy: for each $x_i$, imagine $x_i \in Y$ and logically place $y_j = x_i$ at a random bin position. E.g. for $x_n \in Y$, place $y_j$ at position 2; for $x_4$, place $y_{j'}$ at a random position; for $x_3$, place $y_{j''}$ at a random position.
$x_i \in X^*$ iff that position is correct, i.e. iff the common encoding the Sender sent for $x_i$ matches the one an honest Receiver holding $y_j = x_i$ at that position would compute.

Overview [RindalRosulek17b]
Hash both sets into $O(n / \log n)$ bins of $O(\log n)$ items each, using $h(x_1), h(x_2), \dots, h(x_n)$. For each bin, perform the quadratic-cost PSI above. Send all common encodings $[\![X]\!]$; the Receiver outputs $y$ if $[\![y]\!]_{a,b} \in [\![X]\!]$.

Bin Aggregation [RindalRosulek17b]
With $n / \log n$ bins of size $\approx 4 \log n$, each bin contributes a $4 \log n \times 4 \log n$ grid of common encodings $[\![x]\!]_{a,b}$, so $|[\![X]\!]| \approx 16 n \log n$ common encodings, ¾ of which encode dummy items.
Skip all dummy encodings: $[\![X]\!] :=$ all real encodings. Send $[\![X]\!]$ in random order, which hides the bin load.

Final Protocol [RindalRosulek17b]
Protocol: hash to bins; compute common encodings; send $[\![X]\!]$ in random order; the Receiver outputs $y$ if $[\![y]\!]_{a,b} \in [\![X]\!]$.
Overall complexity: $O(n \log n)$.
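As an added example (not code from the talk or the authors' implementation), the per-bin common-encoding construction, the warm-up OT-encoding membership test it generalizes, and the final hash-to-bins protocol, written in Python. The random OT encoding functions $[\![\cdot]\!]_a^A$ and $[\![\cdot]\!]_b^B$ are modeled as HMAC under fresh keys and the OT itself as an ideal function call (`ideal_ot`) that hands the chooser one encoding per position; the class and function names, the sample sets and the bin parameters are constructed for the demo.

```python
import hashlib
import hmac
import os
import random

KAPPA = 16               # encoding length in bytes: 128-bit encodings (constructed choice)
DUMMY = b"\x00<dummy>"   # constructed filler for empty bin positions

def h_bin(item: bytes, num_bins: int) -> int:
    """Public hash h(.) : {0,1}^* -> {0, ..., num_bins-1}, modeled with SHA-256."""
    return int.from_bytes(hashlib.sha256(item).digest()[:8], "big") % num_bins

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))

class Party:
    """One PSI party: its items hashed into fixed-size bins, plus one random
    encoding function [[.]]_pos per (bin, position) for which it acts as OT sender."""

    def __init__(self, items, num_bins, bin_size):
        self.bins = [[] for _ in range(num_bins)]
        for it in items:
            self.bins[h_bin(it, num_bins)].append(it)
        for b in self.bins:
            if len(b) > bin_size:
                raise ValueError("bin overflow: choose a larger bin_size")
            b.extend([DUMMY] * (bin_size - len(b)))   # pad to the public bin size
        # The OT sender's random messages (m_1..m_N) are modeled as HMAC under a fresh key.
        self.keys = [[os.urandom(KAPPA) for _ in range(bin_size)] for _ in range(num_bins)]

    def encode(self, bin_idx: int, pos: int, item: bytes) -> bytes:
        """[[item]]_pos for this bin, known in full only to this party."""
        return hmac.new(self.keys[bin_idx][pos], item, "sha256").digest()[:KAPPA]

def ideal_ot(ot_sender: Party, bin_idx: int, pos: int, choice: bytes) -> bytes:
    """Ideal 1-out-of-N OT: the chooser learns exactly [[choice]]_pos, and the
    OT sender learns nothing about choice. Called once per (bin, position)."""
    return ot_sender.encode(bin_idx, pos, choice)

def dual_execution_psi(X, Y, num_bins, bin_size, rng=random):
    """Return (X ∩ Y as computed by the Receiver, number of common encodings sent)."""
    sender, receiver = Party(X, num_bins, bin_size), Party(Y, num_bins, bin_size)
    enc_X = []     # [[X]]: the Sender's common encodings of its real items
    recv_enc = []  # (y, [[y]]_{a,b}) for each real Receiver item at position a, all b
    for i in range(num_bins):
        # Pass A (Sender is OT sender): Receiver learns [[y]]_a^A for its item at position a.
        yA = [ideal_ot(sender, i, a, y) for a, y in enumerate(receiver.bins[i])]
        # Pass B (Receiver is OT sender): Sender learns [[x]]_b^B for its item at position b.
        xB = [ideal_ot(receiver, i, b, x) for b, x in enumerate(sender.bins[i])]
        # Common encoding [[z]]_{a,b} = [[z]]_a^A xor [[z]]_b^B.
        for b, x in enumerate(sender.bins[i]):
            if x == DUMMY:
                continue   # skip dummy encodings: only real items go into [[X]]
            enc_X += [xor(sender.encode(i, a, x), xB[b]) for a in range(bin_size)]
        for a, y in enumerate(receiver.bins[i]):
            if y == DUMMY:
                continue
            recv_enc += [(y, xor(yA[a], receiver.encode(i, b, y))) for b in range(bin_size)]
    rng.shuffle(enc_X)   # send [[X]] in random order: hides the Sender's bin loads
    sent = set(enc_X)
    return {y for y, c in recv_enc if c in sent}, len(enc_X)

# Constructed sample sets (not from the talk); bin_size = 6 so no bin can overflow here.
X = [b"alice", b"bob", b"carol", b"dave", b"erin", b"frank"]
Y = [b"carol", b"dave", b"grace", b"heidi", b"ivan", b"judy"]

if __name__ == "__main__":
    inter, n_sent = dual_execution_psi(X, Y, num_bins=3, bin_size=6)
    print(sorted(inter), n_sent)   # [b'carol', b'dave'] 36
```

The count returned is one common encoding per real Sender item per bin position (here 6 × 6 = 36), versus num_bins × bin_size² = 108 if dummy encodings were not skipped, which is the ¾ saving from the Bin Aggregation slide.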

Protocol Extensions [RindalRosulek17b]
The fastest protocol is in the Random Oracle Model: it utilizes "random" OT and requires a random oracle.
Standard-model variant: utilizes many 1-out-of-2 OTs; 20× more communication; as fast as prior work [RR17a].
Encode-Commit variant: random oracle or standard model; a communication/computation tradeoff.

Comparison [RindalRosulek17b]
DKT10: malicious Diffie-Hellman style approach, $x^{\alpha\beta} = y^{\beta\alpha}$.
RR17a: malicious Bloom filter OPRF.
[RR17b]: $O(n)$ OTs, $O(n \log n)$ computation/communication; only 3× slower than [KKRT16] (semi-honest).
[KKRT16]: $O(n)$ computation/communication; leverages cuckoo hashing, which is very difficult to make malicious secure.
(Bar chart of relative running times against a naïve [KKRT16] baseline; the chart labels are 12×, 6×, 450×, 8×.)

The End Peter Rindal Mike Rosulek

Future Work
Cuckoo hashing with malicious security.
Richer functionality: PSI cardinality (Google ad revenue); PSI with associated data (SQL-like join); multi-party PSI (third talk); threshold PSI; composable PSI/union; PSI as input to arbitrary secure computation (join data before running a machine learning algorithm).