Presentation is loading. Please wait.

Presentation is loading. Please wait.

Improved Efficiency for Private Stable Matching Matthew Franklin, Mark Gondree, and Payman Mohassel University of California, Davis 02/07/07 - Session.

Published bySerena Lavin Modified over 9 years ago

Similar presentations

Presentation on theme: "Improved Efficiency for Private Stable Matching Matthew Franklin, Mark Gondree, and Payman Mohassel University of California, Davis 02/07/07 - Session."— Presentation transcript:

1 Improved Efficiency for Private Stable Matching Matthew Franklin, Mark Gondree, and Payman Mohassel University of California, Davis 02/07/07 - Session Code: CRYP-203

2 Insert presenter logo here on slide master Stable Matching Stable Matching (Marriage): N men, N women, each with their own preference list Matching M has an unstable pair (A,B) if: (A,B’), (A’,B) in M A prefers B over B’ B prefers A over A’ M is stable if no unstable pairs exist in M 2 A A1A1 A’ A2A2 B’ B1B1 B B2B2

3 Insert presenter logo here on slide master Applications Assigning Medical students to Hospitals — In US, Canada, and Scotland Assigning students to schools and universities — In Norway and Singapore National Matching Services Inc. 3

4 Insert presenter logo here on slide master Outline Introduction — Stable matching problem — Gale-Shapley Algorithm — Privacy Issues Contributions Open problems 4

5 Insert presenter logo here on slide master The Gale-Shapley Algorithm Notation: ─ N men :{A 1, …, A N } ─ N women: {B 1, …, B N } ─ Preference list for man i: A i [1…N] ─ Preference list for woman i: B i [1…N] ─ List of free men in round k : F k ─ List of engaged men in round k: E k 5

6 Insert presenter logo here on slide master Gale-Shapley k=1;F k = {A 1, …, A N } While F k is non-empty: Randomly select A from F k A proposes to “next” woman B: (Where he ranks B highest among the women to whom he has never proposed before) If B is free then she becomes engaged to A If B is engaged to some A’ then If B prefers A over A’ then remove A and add A’ to F k Otherwise, F k stays the same F k+1 = F k ; k= k+1 6

7 Insert presenter logo here on slide master Remarks on Gale-Shapley Round by Round ─ Matches made and broken every round ─ Man optimal Privacy Issues ─ Naïve implementation ─ Matching Authority learns participants’ preference lists ─ Naively distributed computation ─ Traffic pattern: history of matches made and broken 7

8 Insert presenter logo here on slide master Setting [Golle, FC06] Have multiple (t) Matching Authorities (MAs) MAs receive encrypted preference lists MAs compute the stable matching MAs don’t learn anything Participants only learn their own partner Assume: passive adversaries Security Guaranteed (assuming ≥ 1 honest MA) 8

9 Insert presenter logo here on slide master Our Contribution Revisit [Golle] — High Communication complexity (Partly due to the chosen variant of Gale-Shapely used) Design a Private and Efficient Protocol — Design a new variant of Gale-Shapely — Tune it for private implementation — Crypto assumptions comparable to [Golle] — Lower round and communication complexities 9

10 Insert presenter logo here on slide master Our Contributions, Cont’d Summary of protocols and efficiency : 10

11 Insert presenter logo here on slide master Our variant of Gale-Shapley Real men: {A 1, …, A N }, Fake men: {A N+1, …, A 2N } Real women: {B 1,…,B N }, Fake women:{B N+1,…,B 2N } Preference lists: — Real men: ( [actual preference list], [B N+1,...,B 2N, in any order] ) — Real women: ( [actual preference list], [A N+1,...,A 2N, in any order] ) — Fake women:( [A N+1,...,A 2N, in any order],[A 1,...,A N, in any order]) — Fake men: ( [B N+2,...,B 2N, in any order], B N+1, [B 1,...,B N, in any order] ) 11

12 Insert presenter logo here on slide master Our Variant, Cont’d Initialization: — F 1 = {A 1 } — {A 2, …, A N } are engaged to {B N+2,…,B 2N }, respectively — {A N+1, …, A 2N } are engaged to {B 1,…, B N }, respectively While F k is not empty: — The free man A in F k proposes to B (The next woman in his preference list to whom he hasn’t proposed) — If B is engaged to some man A’ If B prefers A over A’, let F k+1 = {A’}, and pair A and B Otherwise, F k+1 = F k 12

13 Insert presenter logo here on slide master Our Variant, Cont’d 2 Claim: Once a fake man proposes to woman B N+1, we have a stable matching Thus, the algorithm’s complexity is O(N 2 ) Also, “Tuned for privacy” — every round k, |F k | = 1 We implement a private version 13

14 Insert presenter logo here on slide master Protocol Bids — Two types: Free and Engaged — Set of ciphertexts (constant sized) — F k = {Free Bids in round k} — E k = {Engaged Bids in round k} Preference Lists — Encrypted, held by an MA (the “Database”) Everything encrypted with threshold homomorphic enc. 14

15 Insert presenter logo here on slide master Protocol For k = 1 to 2N 2 : — Select a single free bid from F k. — “Open it” to recover the (encrypted) pointers into the database — Access database to get next fiancée's (encrypted) identity — Form the engaged bid — Privately find the conflicting engaged bid (mix, private equality test) — Mix these two engaged bids — “Resolve the conflict” to find the winner and loser (private comparison) — “Break the engagement” for the loser and add him to F k+1 — Add the winner to E k — Mix all the bids — Let E k+1 = E k 15

16 Insert presenter logo here on slide master Protocol For k = 1 to 2N 2 : — Select a single free bid from F k. — “Open it” to recover the (encrypted) pointers into the database — Access database to get next fiancée's (encrypted) identity — Form the engaged bid — Privately find the conflicting engaged bid (mix, private equality test) — Mix these two engaged bids — “Resolve the conflict” to find the winner and loser (private comparison) — “Break the engagement” for the loser and add him to F k+1 — Add the winner to E k — Mix all the bids — Let E k+1 = E k 16

17 Insert presenter logo here on slide master Protocol For k = 1 to 2N 2 : — Select a single free bid from F k. — “Open it” to recover the (encrypted) pointers into the database — Access database to get next fiancée's (encrypted) identity — Form the engaged bid — Privately find the conflicting engaged bid (mix, private equality test) — Mix these two engaged bids — “Resolve the conflict” to find the winner and loser (private comparison) — “Break the engagement” for the loser and add him to F k+1 — Add the winner to E k — Mix all the bids — Let E k+1 = E k 17

18 Insert presenter logo here on slide master Protocol For k = 1 to 2N 2 : — Select a single free bid from F k. — “Open it” to recover the (encrypted) pointers into the database — Access database to get next fiancée's (encrypted) identity — Form the engaged bid — Privately find the conflicting engaged bid (mix, private equality test) — Mix these two engaged bids — “Resolve the conflict” to find the winner and loser (private comparison) — “Break the engagement” for the loser and add him to F k+1 — Add the winner to E k — Mix all the bids — Let E k+1 = E k 18

19 Insert presenter logo here on slide master Protocol For k = 1 to 2N 2 : — Select a single free bid from F k. — “Open it” to recover the (encrypted) pointers into the database — Access database to get next fiancée's (encrypted) identity — Form the engaged bid — Privately find the conflicting engaged bid (mix, private equality test) — Mix these two engaged bids — “Resolve the conflict” to find the winner and loser (private comparison) — “Break the engagement” for the loser and add him to F k+1 — Add the winner to E k — Mix all the bids — Let E k+1 = E k 19

20 Insert presenter logo here on slide master Accessing the database Database D, an array of n=(2N) 2 ciphertexts Given E(i), we want to recover element D[i] Our subprotocol: — Modification of an efficient (1-out-of-n) OT protocol — MAs process E(i) into queries of the protocol — MAs process database’s reply to recover D[i], a ciphertext Our construction — Uses Stern’s OT (1 round, polylog CC) — Again, using threshold homomorphic encryption 20

21 Insert presenter logo here on slide master A protocol for 2 MAs A more efficient protocol for 2-MA case Private Table Look Ups (LUT) [NN01] (For two-party computation) Private Computation of Turing Machines with a RAM — Circuits equipped with Private LUT Our algorithm can be presented as a TM with RAM Implement privately using [NN01] Extending to multiparty — Not completely distributed 21

22 Insert presenter logo here on slide master New Developments Extending [NN01] to multiparty — Automatically leads to more efficient private stable matching — Leads to nearly optimal communication 22

23 Insert presenter logo here on slide master Thank you!! Questions?

24 Insert presenter logo here on slide master

25 Golle’s approach Golle’s variant of Gale-Shapley: N real men: {A 1,…, A N }, N real women:{B 1,…,B N } N fake men: {A N+1,…,A 2N } Arbitrary preference lists for fake men Each woman ranks fake men lower than real ones Initialization — All real men are free — All fake men are engaged (in an arbitrary way)

26 Insert presenter logo here on slide master Golle’s Approach Cont’d For K = 1 to n: — While F K is non-empty: Randomly select A from F k A proposes to woman B: The woman he ranks highest among the women to whom he has never proposed before B is always engaged to some woman A ’ : If B prefers A over A ’ ; Remove A from F K, add A ’ to F k+1 Otherwise, add A to F k+1 Number of free men always N: |F K | = N for all 1≤ K ≤ N

27 Insert presenter logo here on slide master Shortcomings Golle implements this variant privately — Re-encryption mix-networks — Threshold homomorphic cryptosystems (Paillier encryption) Inefficiencies: — Golle’s variant needs O(N 2 ) rounds to reach a stable matching Complexity of algorithm increases by a factor of N — Another factor N increase size of ciphertext used in Mix-network: O(N) not constant!

Download ppt "Improved Efficiency for Private Stable Matching Matthew Franklin, Mark Gondree, and Payman Mohassel University of California, Davis 02/07/07 - Session."

Similar presentations

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.
Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Stable Matching Problems with Constant Length Preference Lists Rob Irving, David Manlove, Gregg OMalley University Of Glasgow Department of Computing Science.

Stable Matching Problems with Constant Length Preference Lists Rob Irving, David Manlove, Gregg OMalley University Of Glasgow Department of Computing Science.
Blah blah blah. Zoes shark Thanks to the conference artist Phoebe.

Blah blah blah. Zoes shark Thanks to the conference artist Phoebe.
Piyush Kumar (Lecture 3: Stable Marriage) Welcome to COT5405.

Piyush Kumar (Lecture 3: Stable Marriage) Welcome to COT5405.
PRAM Algorithms Sathish Vadhiyar. PRAM Model - Introduction Parallel Random Access Machine Allows parallel-algorithm designers to treat processing power.

PRAM Algorithms Sathish Vadhiyar. PRAM Model - Introduction Parallel Random Access Machine Allows parallel-algorithm designers to treat processing power.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
Matching Theory.

Matching Theory.
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Specialised N-ary Constraint for the Stable Marriage Problem By Chris Unsworth and Patrick Prosser.

Specialised N-ary Constraint for the Stable Marriage Problem By Chris Unsworth and Patrick Prosser.
Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.

Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.
On Efficient Spatial Matching Raymond Chi-Wing Wong (the Chinese University of Hong Kong) Yufei Tao (the Chinese University of Hong Kong) Ada Wai-Chee.

On Efficient Spatial Matching Raymond Chi-Wing Wong (the Chinese University of Hong Kong) Yufei Tao (the Chinese University of Hong Kong) Ada Wai-Chee.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Lecture 4 CSE 331 Sep 9, 2009. Blog posts for lectures Starts from today See Sep 8 post on the blog.

Lecture 4 CSE 331 Sep 9, Blog posts for lectures Starts from today See Sep 8 post on the blog.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Similar presentations

Ads by Google