Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy Preserving analytics Private Set Intersection(PSI)

Published byMerilyn Hannah Norris Modified over 5 years ago

Similar presentations

Presentation on theme: "Privacy Preserving analytics Private Set Intersection(PSI)"— Presentation transcript:

1 Privacy Preserving analytics Private Set Intersection(PSI)
Mentor: Vladimir Kolesnikov (Bell Labs) Presenter: Ni Trieu (Oregon State University) Joint work with Ranjit Kumaresan & Mike Rosulek Supported by Office of Naval Research My name is Ni. I am working with Vladimir Kolesnikov on security computation. My intern project is Privacy Preserving analytics, where we can access to the data to learn extra useful information while also protecting data privacy. Today, my talk focus on one area of Privacy Preserving analytics. This is Private Set Intersection(PSI)

2 PSI APP: Contact discovery
First, Let’ see an example of PSI application: here is contact discovery In this scenarios, we has Alice with a phone and a list of her contact and she want to use Skype, and she also want to find out which of her friends use Skype so that she can chat with them. Bob, on the other hand, is Skype service provider. He owns the database of the Skype users. Obliviously, they want to compute the intersection of their database. What is privacy here? Clearly Alice don’t want to reveal her address book to Bob because this is her personal data. On the other hand, Bob also don’t want to reveal his database because of customer privacy. So, we need a PSI.

3 PSI APP: Online Advertising
First, Let’ see an example of PSI application: here is contact discovery In this scenarios, we has Alice with a phone and a list of her contact and she want to use Skype, and she also want to find out which of her friends use Skype so that she can chat with them. Bob, on the other hand, is Skype service provider. He owns the database of the Skype users. Obliviously, they want to compute the intersection of their database. What is privacy here? Clearly Alice don’t want to reveal her address book to Bob because this is her personal data. On the other hand, Bob also don’t want to reveal his database because of customer privacy. So, we need a PSI.

4 A naïve & Insecure PSI protocol
Alice Bob X Y Hash each elements of X Hash each elements of Y Bob sends H(Y) to Alice H(X) H(Y) What is solution? If we think about private intersection. We might come up with a following solution. Here Alice has some input elements x, and Bob has some inputs elements y. They simply hash every of their elements. Then Bob sends the hashes value to Alice, who simply compares and checks whether it is intersection. Clearly, It is very fast [ just involve 1 hash functions call per element for each side . Bob only need to send his hash element]. Also, we use hash function, then nothing Alice can really do [ she can’t compute hash back to know the actual element due to high computation] [ Insecure because Alice can compute all hashes values for all possible input, then know which elements Bob may have) However, it is insecure, especially if the element are chose from small input domain, for instance telephone number (9 digits). Alice can simply computes hash of million phone numbers and compare with the hash value sent by Bob. Alice compares 2 sets of hash values, output the intersection X Pro: Fast, and low communication Con: Insecure, leak privacy of Bob's inputs H(#)

5 Current secure PSI protocol [PSZ14, pssz15]
Let’ see the simple case of psi. it is a private equality test when we want compare x and y in privacy If we can do that, we can extend to private inclusion test which we compare x to every elements of Y Finaly, if we want psi, we just simple run privet inclution test for each element of X. However , as you can see, we use n^2 comparision

6 Current secure PSI protocol[PSZ14, pssz15] hashing to bins
In order to reduce the comparison cost here, we use a hashing to bins technique. For a simple exaplme here, Alice has 3 input elements, Bob has also 3 input elements First, Alice and Bob agree on the same hash functions. Using this hash function , Alice compute hash of 1st element and map this element to the bin that identify by the hash of this element. She does this for the seconde element, and for the third elem . Bob on the other hand use the same hash function and put his input element to the corresponding bin. Now the both need to put some dummy elements to hide the size of bin. And just compare bin by bin. Clearly, if their input is the same element, the hash will map this element to the same bin. So the comparision succees.

7 Current secure PSI protocol[PSZ14, pssz15] hashing to bins
Another technique, to reduce the number of comparision is that We use 2 hash functions to map the element to bin. Alice use Cucoo hashing to map her element , now each bin of X has almost 1 element. On the other hand, Bob use simple hashing on Y. By doing this, we reduce number of comparision for

8 Current secure PSI protocol [PSZ14, pssz15]
OT In order to counter this problem, several private set intersection protocols has been introduced. The current protocol was proposed last year. Let’s see the private equality check where we want to compare x and y in security? since if we can solve this case, we can solve PSI by security compare each element of X to each element of Y (NOTE: this is simple explain…actual protocol run bin by bin….) For example, Alice has x=001, Bob has y=101. The high level idea of their protocol is to compare bit by bit of x and y (NOTE: this is simple explain…actual protocol run 1-oo-N….). In this case, they compare 0 and 1 as the first bit of x and y. How can they do? They use a secure black box called Oblivious transfer. In this scenarios , Bob has …. For example, b=1, after protocol Alice receive s1, and learn nothing about s0

9 Current secure PSI protocol [PSZ14, pssz15]
? (λ-bit each) OT Bob simple chooses lamda bit string for 0 and 1(lamda is security parameter) and they run OT when Alice input is her first bit. Afer the protocol, Alice obtain a string for 0, and Bob doesn’t know Alice’s input! They do OT for the second bit and for the third bits. Finally, Alice receives the string mask corresponding to her input bits on that particular positions Now, Bob takes the mask from OT corresponding to his input bit y. So he take masks, XOR them and send them to Alice Alice need XOR her masks and compare her random mask and mask from Bob. 1 1

10 OUR PSI Protocol SOT What do we want?
SOT What do we want? We want to reduce the runtime for the equality check protocol to make PSI more practical, and we want our computation cost is close to naïve PSI protocol. What do we do? Instead of compare bit by bit of x and y, we compare string by string using a new building block SOT which proposed by Vlad, and Ranjit 2012., we no-trivial improve protocol the SOT faster. This is our main work. In this scenarios , Bob has …. Simply, we run PSI using SOT, we improve PSI protocol by a factor 3, and we efficiently remove the gap btw our protocol and naïve one

11 Comparison Results Number of elements: 2^20
Length of elements : 128 bits Circuit-Based: +: general -: high run-time Public-key-Based: +: good communication OT-Based: +: best run-time +: best communication GMW'12 Yao'12 Opt. GMW OT+Hash'14 OT+Phasing'15 Here is the comparison of our protocol to other research. As the result, we improve the current PSI protocol by 3x. And get close to naïve protocol SOT DH'86 Na ï ve

12 Our next Plan PSI for multi party:
Limited research: [FNP’04], [CJS’12] Expensive crypto, Impractical.

13 Thank you

14 Reference KKRT16. Vladimir Kolesnikov, Ranjit Kumaresan, Mike Rosulek, and Ni Trieu. Efficient batched oblivious PRF with applications to private set intersection. In ACM Computer and Communications Security (CCS’16), pages 818–829. ACM, 2016 PSZ14. Benny Pinkas, Thomas Schneider, and Michael Zohner. Faster private set intersection based on OT extension. In USENIX Security Symposium’14, pages 797–812. USENIX, 2014. PSSZ15. Benny Pinkas, Thomas Schneider, Gil Segev, and Michael Zohner. Phasing: Private set intersection using permutation-based hashing. In USENIX Security Symposium’15, pages 515–530. USENIX, 2015. FNP04. Michael J. Freedman, Kobbi Nissim, and Benny Pinkas. Efficient private matching and set intersection. In Advances in Cryptology – EUROCRYPT’04, volume 3027 of LNCS, pages 1–19. Springer, 2004 CJS12 Jung Hee Cheon, Stanislaw Jarecki, and Jae Hong Seo. Multi-party privacy- preserving set intersection with quasi-linear complexity. IEICE Transactions, 95- A(8):1366–1378, 2012.

Download ppt "Privacy Preserving analytics Private Set Intersection(PSI)"

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Yan Huang, David Evans, Jonathan Katz

Yan Huang, David Evans, Jonathan Katz
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.

Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.

What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions
Computers in Society Encryption. Representing Sensory Experience Some objects correspond to human sensory experience – these representations are created.

Computers in Society Encryption. Representing Sensory Experience Some objects correspond to human sensory experience – these representations are created.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Private Analysis of Data Sets Benny Pinkas HP Labs, Princeton.

Private Analysis of Data Sets Benny Pinkas HP Labs, Princeton.
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.

1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.

Similar presentations

Ads by Google