Modeling Signalized-Intersection Safety with Corner Clearance
A Survey on Private Set Intersection
-
Upload
khangminh22 -
Category
Documents
-
view
1 -
download
0
Transcript of A Survey on Private Set Intersection
A Survey on Private Set Intersection
Presented by Hongrui Cui
October 17, 2019
Cui Hongrui (SJTU) PSI October 17, 2019 1 / 27
Overview
1 IntroductionPSI LiteratureNotationsThe Core of PSI
2 Semi-Honest PSICuckoo HashingThe Paradigm of [PSZ14]
3 Malicious PSIMalicious PSI via Dual Execution
4 Multiparty PSIMultiparty PSI from OPPRF
Cui Hongrui (SJTU) PSI October 17, 2019 2 / 27
Content
1 IntroductionPSI LiteratureNotationsThe Core of PSI
2 Semi-Honest PSICuckoo HashingThe Paradigm of [PSZ14]
3 Malicious PSIMalicious PSI via Dual Execution
4 Multiparty PSIMultiparty PSI from OPPRF
Cui Hongrui (SJTU) PSI October 17, 2019 3 / 27
Private Set Intersection
Research Background
I Multiparty computation of set intersection
Functionality Classification
I Security: Semi-Honest/Malicious
I Players: Two Party/Multi Party
I Output: Plain Intersection/Post-Processing
Cui Hongrui (SJTU) PSI October 17, 2019 4 / 27
Literature of Private Set Intersection
Paper Parties Security Building Blocks
[PSZ14] 2 Semi-Honest OT(OPRF)
[HEK12] 2 Semi-Honest GC,GMW
[CHLR18] 2 Hybrid (leveled-)FHE
[RR17] 2 Malicious OT(OPRF)
[KMP+17] n Semi-Honest OT(OPPRF)
Table: Comparison of Different Private Set Intersection Protocols
Cui Hongrui (SJTU) PSI October 17, 2019 5 / 27
Notations
PSI Notations:
I X ,Y ⊂ {0, 1}σ: Input sets
I X ∗,Y ∗ ⊂ {0, 1}λ+log(|X |)+log(|Y |): Processed input sets
I(m1
)− OT k
v : k instances of m-choose-1 oblivious transfer on v -bitstrings
I FPSM: Private set membership protocol (i.e. y ∈ X )
Cui Hongrui (SJTU) PSI October 17, 2019 6 / 27
Notations
Cuckoo Hashing Notations:
I B: Hash table “bins”
I m ∈ N: Hash table size
I h1, h2, h3 : {0, 1}∗ → [m]: Hash function
Cui Hongrui (SJTU) PSI October 17, 2019 7 / 27
A Naıve PSI Protocol
Compute Intersection on Hashed Values
Sender ReceiverX∗:={H(x)|x∈X}−−−−−−−−−−−→ Output X ∩ Y :=
{y ∈ Y |H(y) ∈ X ∗}X∩Y (optionally)←−−−−−−−−−−
Output X ∩ Y
Cui Hongrui (SJTU) PSI October 17, 2019 8 / 27
A Naıve PSI Protocol
Why Naıve
I Hashed set X ∗ has the same entropy as X
I This entropy is usually low
I Feasible brute-force attack
When the entropy is acceptable (e.g. 80 bits), this is secure.
Cui Hongrui (SJTU) PSI October 17, 2019 9 / 27
A Naıve PSI Protocol
Why Naıve
I Hashed set X ∗ has the same entropy as X
I This entropy is usually low
I Feasible brute-force attack
When the entropy is acceptable (e.g. 80 bits), this is secure.
Cui Hongrui (SJTU) PSI October 17, 2019 9 / 27
Content
1 IntroductionPSI LiteratureNotationsThe Core of PSI
2 Semi-Honest PSICuckoo HashingThe Paradigm of [PSZ14]
3 Malicious PSIMalicious PSI via Dual Execution
4 Multiparty PSIMultiparty PSI from OPPRF
Cui Hongrui (SJTU) PSI October 17, 2019 10 / 27
Semi-Honest PSI
I 2-Party Semi-Honest PSI receives most attention
I State-of-the-art only incurs 1− 10 times overhead
Cui Hongrui (SJTU) PSI October 17, 2019 11 / 27
Cuckoo Hashing
Cuckoo Hashing
I A special hashing function
I Using eviction to resolve collision
Cui Hongrui (SJTU) PSI October 17, 2019 12 / 27
Cuckoo Hashing
Insertion
I Let i = 1, compute index l = hi (x)
I If B[l ] = ⊥, then insert 〈x , i〉I If not, insert anyway
I Let 〈y , j〉 be the original content, let x := y i$← [3] \ {j}, goto step 1
If the process iterates more than t times, put the item in a stash s.
Lookup
I For inserted item x , there are only 3 + |s| possible locations
Cui Hongrui (SJTU) PSI October 17, 2019 13 / 27
Cuckoo Hashing
Insertion
I Let i = 1, compute index l = hi (x)
I If B[l ] = ⊥, then insert 〈x , i〉I If not, insert anyway
I Let 〈y , j〉 be the original content, let x := y i$← [3] \ {j}, goto step 1
If the process iterates more than t times, put the item in a stash s.
Lookup
I For inserted item x , there are only 3 + |s| possible locations
Cui Hongrui (SJTU) PSI October 17, 2019 13 / 27
Cuckoo Hashing
Receiver: "Thin" Table Sender: "Thick" Table
T1[h1(x)]
T1[h2(x)]
Cuckoo Hashing with h1; h2 Regular Hashing with h1; h2
T1[1]...
...
...
T1[m]
T2[h1(x)]
T2[h2(x)]
T2[1]...
...
...
T2[m]
Figure: Cuckoo Hash TableCui Hongrui (SJTU) PSI October 17, 2019 14 / 27
The Paradigm of [PSZ14]
FPSI ≤ FPSM
I Receiver does cuckoo hashing, while the sender does regular hashing
I They then perform m instances of FPSM (m = |B|)
Discussion
I Most works in the semi-honest model follow this paradigm
I Various means to implement FPSM, e.g. OT, FHE, GC/GMW
I Cuckoo Hashing may be inherently unsuitable for malicious world
Cui Hongrui (SJTU) PSI October 17, 2019 15 / 27
The Paradigm of [PSZ14]
FPSI ≤ FPSM
I Receiver does cuckoo hashing, while the sender does regular hashing
I They then perform m instances of FPSM (m = |B|)
Discussion
I Most works in the semi-honest model follow this paradigm
I Various means to implement FPSM, e.g. OT, FHE, GC/GMW
I Cuckoo Hashing may be inherently unsuitable for malicious world
Cui Hongrui (SJTU) PSI October 17, 2019 15 / 27
Set Membership from Oblivious Transfer
OT as OPRF
I FPSM from Oblivious PRF is quite easy
I (One-Time) Oblivious PRF can be considered some(2σ1
)− ROT
I OT-Extension can efficiently implement this primitive
Cui Hongrui (SJTU) PSI October 17, 2019 16 / 27
A Brief Review on OT-Extension
The idea is to “bootstrap” a large number of OT instances from a smallnumber of base OT’s.
Sender Receiver
b$← {0, 1}v T0,T1
$← {0, 1}m×vbj−−−−−−−−→Tb,j←−−−−−−−−−
(2
1
)− OT v
m(T0,j ,T1,j )←−−−−−−−−−−−−−
C i=T io⊕T i
1⊕ECC(wi )←−−−−−−−−−−−−−Q i = T i
b ⊕ s · C i
Output (s,Q i ) Output H(i ||T i0)
Cui Hongrui (SJTU) PSI October 17, 2019 17 / 27
Set Membership from Homomorphic Encryption
Naive Approach
Sender ReceiverEnc(pk,y)←−−−−−−−−−−−−−
r$← Rq
c=Eval(r ·∏
x∈X (y−x))−−−−−−−−−−−−−−→
Output 1 if Dec(sk , c) = 0Output 0 otherwise
Several Optimizations
I Batching: reduce communication by n/d
I Partitioning: reduce polynomial degree by α
I Windowing: reduce circuit depth logarithmally
I Pre-Processing: reduce circuit depth by 1
Cui Hongrui (SJTU) PSI October 17, 2019 18 / 27
Set Membership from Homomorphic Encryption
Naive Approach
Sender ReceiverEnc(pk,y)←−−−−−−−−−−−−−
r$← Rq
c=Eval(r ·∏
x∈X (y−x))−−−−−−−−−−−−−−→
Output 1 if Dec(sk , c) = 0Output 0 otherwise
Several Optimizations
I Batching: reduce communication by n/d
I Partitioning: reduce polynomial degree by α
I Windowing: reduce circuit depth logarithmally
I Pre-Processing: reduce circuit depth by 1
Cui Hongrui (SJTU) PSI October 17, 2019 18 / 27
Set Membership from General Framework
The main advantage is arbitrary post-processing can be applied (byconcatenation of circuits), but shuffling the output may be needed.
Cui Hongrui (SJTU) PSI October 17, 2019 19 / 27
Content
1 IntroductionPSI LiteratureNotationsThe Core of PSI
2 Semi-Honest PSICuckoo HashingThe Paradigm of [PSZ14]
3 Malicious PSIMalicious PSI via Dual Execution
4 Multiparty PSIMultiparty PSI from OPPRF
Cui Hongrui (SJTU) PSI October 17, 2019 20 / 27
Malicious PSI via Dual Execution
Ideas of [RR17]:
Sender ReceiverRandomly Permute X Randomly Permute Y
x−−−−−−−−→[x]i←−−−−−−−−−
FOPRF ki−−−−−−−−→
k ′i←−−−−−−−−FOPRF
y←−−−−−−−−[y ]′i−−−−−−−−−→
Q:={[x]i,j=[x]i⊕[x]′j}−−−−−−−−−−−−−−−−→Output X ∩ Y =
{y |∃i , [y ]i ⊕ [y ]′j ∈ Q}
Cui Hongrui (SJTU) PSI October 17, 2019 21 / 27
Optimizations
It is possible to use regular hashing to reduce the quadratic complexity:
I Assuming n bins, log(n) items per bin, the complexity is n log(n)2
I Cuckoo hashing cannot be used here
Cui Hongrui (SJTU) PSI October 17, 2019 22 / 27
Content
1 IntroductionPSI LiteratureNotationsThe Core of PSI
2 Semi-Honest PSICuckoo HashingThe Paradigm of [PSZ14]
3 Malicious PSIMalicious PSI via Dual Execution
4 Multiparty PSIMultiparty PSI from OPPRF
Cui Hongrui (SJTU) PSI October 17, 2019 23 / 27
Multiparty PSI
The authors of [KMP+17] proposed a simple protocol for semi-honest,multiparty PSI:
I Zero-Sharing
I Reconstruction
The protocol heavily uses the Oblivious Programmable PRF functionality,which can be implemented from FOPRF and polynomial interpolation.
Cui Hongrui (SJTU) PSI October 17, 2019 24 / 27
Multiparty PSI
The authors of [KMP+17] proposed a simple protocol for semi-honest,multiparty PSI:
I Zero-Sharing
I Reconstruction
The protocol heavily uses the Oblivious Programmable PRF functionality,which can be implemented from FOPRF and polynomial interpolation.
Cui Hongrui (SJTU) PSI October 17, 2019 24 / 27
Multiparty PSI
For every pair of parties Pi ,Pj :
Pi Pj
chooses s i ,1k , . . . , s i ,nk
such that⊕
l si ,lk = 0
chooses s j ,1k , . . . , s j ,nk
such that⊕
l sj ,lk = 0
{(x ik ,si,jk )}k−−−−−−−−−−−−−−→
ki,j←−−−−−−−−−−−−FOPPRF
{x jk}←−−−−−−−−−−{s i,jk }−−−−−−−−−−→
s jk =⊕
i si ,jk
Cui Hongrui (SJTU) PSI October 17, 2019 25 / 27
Multiparty PSI
Note that
I if x ∈⋂
i Xi
I then⊕
j sjk = 0
Reconsturction
I The n parties agree on a dealer, e.g. P1
I The party Pi uses (x ik , sik) to program a PRF
I P1 interacts with these parties and gets the sharings
I If x ∈ X 1 is in the intersection, then the n − 1 results from FOPPRF
with s1k (assuming x = s1k ) should form an additive sharing of 0
Cui Hongrui (SJTU) PSI October 17, 2019 26 / 27
Multiparty PSI
Note that
I if x ∈⋂
i Xi
I then⊕
j sjk = 0
Reconsturction
I The n parties agree on a dealer, e.g. P1
I The party Pi uses (x ik , sik) to program a PRF
I P1 interacts with these parties and gets the sharings
I If x ∈ X 1 is in the intersection, then the n − 1 results from FOPPRF
with s1k (assuming x = s1k ) should form an additive sharing of 0
Cui Hongrui (SJTU) PSI October 17, 2019 26 / 27
Reference I
Hao Chen, Zhicong Huang, Kim Laine, and Peter Rindal.Labeled PSI from fully homomorphic encryption with malicioussecurity.In David Lie, Mohammad Mannan, Michael Backes, and XiaoFengWang, editors, ACM CCS 2018: 25th Conference on Computer andCommunications Security, pages 1223–1237, Toronto, ON, Canada,October 15–19, 2018. ACM Press.
Yan Huang, David Evans, and Jonathan Katz.Private set intersection: Are garbled circuits better than customprotocols?In ISOC Network and Distributed System Security Symposium –NDSS 2012, San Diego, CA, USA, February 5–8, 2012. The InternetSociety.
Cui Hongrui (SJTU) PSI October 17, 2019 26 / 27
Reference II
Vladimir Kolesnikov, Naor Matania, Benny Pinkas, Mike Rosulek, andNi Trieu.Practical multi-party private set intersection from symmetric-keytechniques.In Thuraisingham et al. [TEMX17], pages 1257–1272.
Benny Pinkas, Thomas Schneider, and Michael Zohner.Faster private set intersection based on OT extension.In Kevin Fu and Jaeyeon Jung, editors, USENIX Security 2014: 23rdUSENIX Security Symposium, pages 797–812, San Diego, CA, USA,August 20–22, 2014. USENIX Association.
Peter Rindal and Mike Rosulek.Malicious-secure private set intersection via dual execution.In Thuraisingham et al. [TEMX17], pages 1229–1242.
Cui Hongrui (SJTU) PSI October 17, 2019 26 / 27
Reference III
Bhavani M. Thuraisingham, David Evans, Tal Malkin, and DongyanXu, editors.ACM CCS 2017: 24th Conference on Computer and CommunicationsSecurity, Dallas, TX, USA, October 31 – November 2, 2017. ACMPress.
Cui Hongrui (SJTU) PSI October 17, 2019 26 / 27