Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Private Matching and Set Intersection Mike Freedman, NYU Kobbi Nissim, MSR Benny Pinkas, HP Labs EUROCRYPT 2004.

Published byAlbert Flowers Modified over 8 years ago

Similar presentations

Presentation on theme: "Efficient Private Matching and Set Intersection Mike Freedman, NYU Kobbi Nissim, MSR Benny Pinkas, HP Labs EUROCRYPT 2004."— Presentation transcript:

1 Efficient Private Matching and Set Intersection Mike Freedman, NYU Kobbi Nissim, MSR Benny Pinkas, HP Labs EUROCRYPT 2004

2 Is there any chance we might be compatible? Maybe… We could see if we have similar interests? I don’t really like to give personal information Have you heard of “secure function evaluation” ? I don’t want to waste my entire night… A Story…

3 We could see if we have similar interests? Have you heard of “secure function evaluation” ? I don’t want to waste my entire night… Making SFE more efficient… 1.Improvements to generic primitives (SFE, OT) 2.Improvements in specific protocol examples

4 XY F(x,y) and nothing else Input: Output: XY As if… F(x,y) Secure Function Evaluation What if such trustworthy barkeeps don’t exist?

5 XY XY F(x,y) Proving SFE Protocols… Real World Ideal World ≈ Views Can consider semi-honest and malicious models F(x,y)

6 Client Server Input: X = x 1 … x k Y = y 1 … y k Output: X  Y only nothing Our Specific Scenario Shared interests (research, music) Dating, genetic compatibility, etc. Credit card rating Terrorist watch list (CAPS II)

7 Related work Generic constructions [Yao,GMW,BGW,CCD] Represent function as a circuit with combinatorial gates Concern is size of circuit (as communication is O(|C|) Simplest uses k 2 comparisons Diffie-Hellman based solutions [FHH99, EGS03] Insecure against malicious adversaries Considered in the “random oracle” model Our work: O(k ln ln k) overhead. “Semi-honest” adversaries – in standard model “Malicious” adversaries – in RO model

8 This talk… Overview Basic protocol in semi-honest model Efficient Improvements Extending protocol to malicious model Other results…

9 Basic tool: Homomorphic Encryption Semantically-secure public-key encryption Given Enc(M1), Enc(M2) can compute, without knowing decryption key, Enc(M1+M2) = Enc(M1) · Enc(M2) Enc(c · M1) = [Enc(M1)] c, for any constant c Examples: El Gamal variant, Paillier, DJ

10 The Protocol Client (C) defines a polynomial of degree k whose roots are his inputs x 1,…,x k P(y) = (x 1 -y)(x 2 -y)…(x k -y) = a 0 + a 1 y +…+ a k y k C sends to server (S) homomorphic encryptions of polynomial’s coefficients Enc(a 0 ),…, Enc(a k ) Enc( P(y) ) = Enc( a 0 + a 1 · y 1 + … + a k · y k ) Enc(a 0 ) · Enc (a 1 ) y 1 · … · Enc (a k ) y k

11 The Protocol S uses homomorphic properties to compute,  y, r y ← random Enc( r y · P(y) + y ) S sends (permuted) results back to C C decrypts results, identifies y’s Enc (y)Enc (random) if y  X  Y otherwise

12 Variant protocols…cardinality Enc( r y · P(y) + 1 ) Computes size of intersection: # Enc (1) Others… Output 1 iff | X  Y | > t Enc (1)Enc (random) if y  X  Y otherwise

13 Security (semi-honest case) Client’s privacy S only sees semantically-secure enc’s Learning about C’s input = breaking enc’s Server’s privacy (proof via simulation) Client gets X  Y in ideal (TTP) model Given that, can compute E(y)’s and E(rand)’s and thus simulate real model

14 Efficiency Communication is O(k) C sends k coefficients S sends k evaluations on polynomial Computation Client encrypts and decrypts k values  Server:  y  Y, computes Enc(r y · P(y)+y), using k exponentiations Total O(k 2 ) exponentiations

15 Improving Efficiency (1) Inputs typically from a “small” domain of D values. Represented by log D bits (…20) Use Horner’s rule P(y)= a 0 + y (a 1 +…y (a n-1 +ya n )...) That is, exponents are only log D bits Overhead of exponentiation is linear in | exponent | → “Improve” by factor of | modulus | / log D e.g., 1024 / 20 ≈ 50

16 Improving Efficiency (2): Hashing C uses PRF H(·) to hash inputs to B bins x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 x7x7 …x k-1 xkxk H(·) B M Let M bound max # of items in a bin Client defines B polynomials of deg M. Each poly encodes x’s mapped to its bin + enough “other” roots P2P2 P1P1 P3P3 PBPB …

17 Improving Efficiency (2): Hashing H P2P2 P1P1 P3P3 PBPB Client sends B polynomials and H to server. For every y, S computes H(y) and evaluates the single corresponding poly of degree M  y, i ← H(y), r y ← rand Enc( r y · P i (y) + y )

18 Overhead with Hashing Communication: B · M (# bins · # items per) Server: k · M short exp ’ s, k full exp ’ s ( P i (y) ) ( r y ·P i (y) + y ) How to make M small as possible? Choose most balanced hash function

19 Balanced allocations [ABKU] H: Choose two bins, map to emptier bin B = k / ln ln k → M = O (ln ln k) M  5 [BM] Communication: O(k) Server: k ln ln k short exp, k full exp in practice xixi H(·)

20 This talk… Overview Basic protocol in semi-honest model Efficient Improvements Extending protocol to malicious model Other results…

21 Malicious Adversaries Malicious clients Without hashing is trivial: Ensure a 0 ≠ 0 With hashing Verify that total # of roots (in all B poly’s) is k Solution using cut-and-choose Exponentially small error probability Still standard model Malicious servers Privacy…easy: S receives semantically-secure encryptions

22 Security against Malicious Server Correctness: Ensure that there is an input of k items corresponding to S’s actions Problem: Server can compute r y · P(y) + y’ Solution: Server uses RO to commit to seed, then uses resulting randomness to “prove” correctness of encryption

23  y, s ← rand, r ← H 1 (s) [e,h] ← [ Enc ( r 1 ·P(y) + s ), H 2 (r 2,y) ] s* ← Dec (e), r* ← H 1 (s*) ?  x, s.t. e = Enc ( r* 1 ·P(x) + s* )  h = H 2 (r* 2, x) Security against Malicious Server Deterministic

24 Other results and open problems Approximating size of intersection (scalar product) Requires Ω(k) communication Provide secure approximation protocol PM protocol extends efficiently to multiple parties Malicious-party protocol in standard model? Fuzzy Matching? Databases are not always accurate or full Report iff entries match in t out of V “attributes”

25 Questions?

Download ppt "Efficient Private Matching and Set Intersection Mike Freedman, NYU Kobbi Nissim, MSR Benny Pinkas, HP Labs EUROCRYPT 2004."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.
1 Cryptography: on the Hope for Privacy in a Digital World Omer Reingold VVeizmann and Harvard CRCS.

1 Cryptography: on the Hope for Privacy in a Digital World Omer Reingold VVeizmann and Harvard CRCS.
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.

Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.

What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb.

How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb.
1 Keyword Search and Oblivious Pseudo-Random Functions Mike Freedman NYU Yuval Ishai, Benny Pinkas, Omer Reingold.

1 Keyword Search and Oblivious Pseudo-Random Functions Mike Freedman NYU Yuval Ishai, Benny Pinkas, Omer Reingold.
Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Similar presentations

Ads by Google