A Survey on Private Set Intersection

A Survey on Private Set Intersection

Presented by Hongrui Cui

[email protected]

October 17, 2019

Cui Hongrui (SJTU) PSI October 17, 2019 1 / 27

Overview

1 IntroductionPSI LiteratureNotationsThe Core of PSI

2 Semi-Honest PSICuckoo HashingThe Paradigm of [PSZ14]

3 Malicious PSIMalicious PSI via Dual Execution

4 Multiparty PSIMultiparty PSI from OPPRF


Content






Private Set Intersection

Research Background

I Multiparty computation of set intersection

Functionality Classification

I Security: Semi-Honest/Malicious

I Players: Two Party/Multi Party

I Output: Plain Intersection/Post-Processing


Literature of Private Set Intersection

Paper Parties Security Building Blocks

[PSZ14] 2 Semi-Honest OT(OPRF)

[HEK12] 2 Semi-Honest GC,GMW

[CHLR18] 2 Hybrid (leveled-)FHE

[RR17] 2 Malicious OT(OPRF)

[KMP+17] n Semi-Honest OT(OPPRF)

Table: Comparison of Different Private Set Intersection Protocols


Notations

PSI Notations:

I X ,Y ⊂ {0, 1}σ: Input sets

I X ∗,Y ∗ ⊂ {0, 1}λ+log(|X |)+log(|Y |): Processed input sets

I(m1

)− OT k

v : k instances of m-choose-1 oblivious transfer on v -bitstrings

I FPSM: Private set membership protocol (i.e. y ∈ X )


Notations

Cuckoo Hashing Notations:

I B: Hash table “bins”

I m ∈ N: Hash table size

I h1, h2, h3 : {0, 1}∗ → [m]: Hash function


A Naıve PSI Protocol

Compute Intersection on Hashed Values

Sender ReceiverX∗:={H(x)|x∈X}−−−−−−−−−−−→ Output X ∩ Y :=

{y ∈ Y |H(y) ∈ X ∗}X∩Y (optionally)←−−−−−−−−−−

Output X ∩ Y


A Naıve PSI Protocol

Why Naıve

I Hashed set X ∗ has the same entropy as X

I This entropy is usually low

I Feasible brute-force attack

When the entropy is acceptable (e.g. 80 bits), this is secure.


Content






Semi-Honest PSI

I 2-Party Semi-Honest PSI receives most attention

I State-of-the-art only incurs 1− 10 times overhead


Cuckoo Hashing

Cuckoo Hashing

I A special hashing function

I Using eviction to resolve collision


Cuckoo Hashing

Insertion

I Let i = 1, compute index l = hi (x)

I If B[l ] = ⊥, then insert 〈x , i〉I If not, insert anyway

I Let 〈y , j〉 be the original content, let x := y i$← [3] \ {j}, goto step 1

If the process iterates more than t times, put the item in a stash s.

Lookup

I For inserted item x , there are only 3 + |s| possible locations


Cuckoo Hashing

Receiver: "Thin" Table Sender: "Thick" Table

T1[h1(x)]

T1[h2(x)]

Cuckoo Hashing with h1; h2 Regular Hashing with h1; h2

T1[1]...

...

...

T1[m]

T2[h1(x)]

T2[h2(x)]

T2[1]...

...

...

T2[m]

Figure: Cuckoo Hash TableCui Hongrui (SJTU) PSI October 17, 2019 14 / 27

The Paradigm of [PSZ14]

FPSI ≤ FPSM

I Receiver does cuckoo hashing, while the sender does regular hashing

I They then perform m instances of FPSM (m = |B|)

Discussion

I Most works in the semi-honest model follow this paradigm

I Various means to implement FPSM, e.g. OT, FHE, GC/GMW

I Cuckoo Hashing may be inherently unsuitable for malicious world


Set Membership from Oblivious Transfer

OT as OPRF

I FPSM from Oblivious PRF is quite easy

I (One-Time) Oblivious PRF can be considered some(2σ1

)− ROT

I OT-Extension can efficiently implement this primitive


A Brief Review on OT-Extension

The idea is to “bootstrap” a large number of OT instances from a smallnumber of base OT’s.

Sender Receiver

b$← {0, 1}v T0,T1

$← {0, 1}m×vbj−−−−−−−−→Tb,j←−−−−−−−−−

(2

1

)− OT v

m(T0,j ,T1,j )←−−−−−−−−−−−−−

C i=T io⊕T i

1⊕ECC(wi )←−−−−−−−−−−−−−Q i = T i

b ⊕ s · C i

Output (s,Q i ) Output H(i ||T i0)


Set Membership from Homomorphic Encryption

Naive Approach

Sender ReceiverEnc(pk,y)←−−−−−−−−−−−−−

r$← Rq

c=Eval(r ·∏

x∈X (y−x))−−−−−−−−−−−−−−→

Output 1 if Dec(sk , c) = 0Output 0 otherwise

Several Optimizations

I Batching: reduce communication by n/d

I Partitioning: reduce polynomial degree by α

I Windowing: reduce circuit depth logarithmally

I Pre-Processing: reduce circuit depth by 1


Set Membership from General Framework

The main advantage is arbitrary post-processing can be applied (byconcatenation of circuits), but shuffling the output may be needed.


Content






Malicious PSI via Dual Execution

Ideas of [RR17]:

Sender ReceiverRandomly Permute X Randomly Permute Y

x−−−−−−−−→[x]i←−−−−−−−−−

FOPRF ki−−−−−−−−→

k ′i←−−−−−−−−FOPRF

y←−−−−−−−−[y ]′i−−−−−−−−−→

Q:={[x]i,j=[x]i⊕[x]′j}−−−−−−−−−−−−−−−−→Output X ∩ Y =

{y |∃i , [y ]i ⊕ [y ]′j ∈ Q}


Optimizations

It is possible to use regular hashing to reduce the quadratic complexity:

I Assuming n bins, log(n) items per bin, the complexity is n log(n)2

I Cuckoo hashing cannot be used here


Content






Multiparty PSI

The authors of [KMP+17] proposed a simple protocol for semi-honest,multiparty PSI:

I Zero-Sharing

I Reconstruction

The protocol heavily uses the Oblivious Programmable PRF functionality,which can be implemented from FOPRF and polynomial interpolation.


Multiparty PSI

For every pair of parties Pi ,Pj :

Pi Pj

chooses s i ,1k , . . . , s i ,nk

such that⊕

l si ,lk = 0

chooses s j ,1k , . . . , s j ,nk

such that⊕

l sj ,lk = 0

{(x ik ,si,jk )}k−−−−−−−−−−−−−−→

ki,j←−−−−−−−−−−−−FOPPRF

{x jk}←−−−−−−−−−−{s i,jk }−−−−−−−−−−→

s jk =⊕

i si ,jk


Multiparty PSI

Note that

I if x ∈⋂

i Xi

I then⊕

j sjk = 0

Reconsturction

I The n parties agree on a dealer, e.g. P1

I The party Pi uses (x ik , sik) to program a PRF

I P1 interacts with these parties and gets the sharings

I If x ∈ X 1 is in the intersection, then the n − 1 results from FOPPRF

with s1k (assuming x = s1k ) should form an additive sharing of 0


Reference I

Hao Chen, Zhicong Huang, Kim Laine, and Peter Rindal.Labeled PSI from fully homomorphic encryption with malicioussecurity.In David Lie, Mohammad Mannan, Michael Backes, and XiaoFengWang, editors, ACM CCS 2018: 25th Conference on Computer andCommunications Security, pages 1223–1237, Toronto, ON, Canada,October 15–19, 2018. ACM Press.

Yan Huang, David Evans, and Jonathan Katz.Private set intersection: Are garbled circuits better than customprotocols?In ISOC Network and Distributed System Security Symposium –NDSS 2012, San Diego, CA, USA, February 5–8, 2012. The InternetSociety.


Reference II

Vladimir Kolesnikov, Naor Matania, Benny Pinkas, Mike Rosulek, andNi Trieu.Practical multi-party private set intersection from symmetric-keytechniques.In Thuraisingham et al. [TEMX17], pages 1257–1272.

Benny Pinkas, Thomas Schneider, and Michael Zohner.Faster private set intersection based on OT extension.In Kevin Fu and Jaeyeon Jung, editors, USENIX Security 2014: 23rdUSENIX Security Symposium, pages 797–812, San Diego, CA, USA,August 20–22, 2014. USENIX Association.

Peter Rindal and Mike Rosulek.Malicious-secure private set intersection via dual execution.In Thuraisingham et al. [TEMX17], pages 1229–1242.


Reference III

Bhavani M. Thuraisingham, David Evans, Tal Malkin, and DongyanXu, editors.ACM CCS 2017: 24th Conference on Computer and CommunicationsSecurity, Dallas, TX, USA, October 31 – November 2, 2017. ACMPress.


Thank You


A Survey on Private Set Intersection

Documents

Transcript of A Survey on Private Set Intersection