View
223
Download
3
Category
Preview:
Citation preview
Private Set Intersection:
Are Garbled Circuits Better than Custom Protocols?
Yan Huang, David Evans, Jonathan KatzUniversity of Virginia, University of Maryland
www.MightBeEvil.org
Motivation --- Common Acquaintances
http://www.mightbeevil.com/mobile/
EUROCRYPT 2004
CRYPTO 2005TCC 2008
Financial Crypto 2010
Custom Protocols Generic Protocols
e.g., Garbled Circuit
Protocols
Cannot be easily composed with other secure computations
Designed around specific crypto assumptions and primitives
New Design and security proofs need to be done for
every individual scheme.
Uses generic and flexible cryptographic primitives
Can securely compute arbitrary function
Security proofs automatically derived
from the generic proof.
Garbled Circuits & Oblivious Transfers
Y. Huang, D. Evans, J. Katz, L. Malka, Faster Secure Computation Using Garbled Circuits, USENIX Security 2011.
And Gate 1
Enca10,
b11(x10)
Enca11,b11(x1
1)
Enca11,b10(x1
0)
Enca10,b10(x1
0)
Or Gate 2
Encx00,
x11(x21)
Encx01,x11(x21
)
Encx01,x10(x21
)
Encx00,x10(x20
)
AND
a0 b0
x0
AND
a1 b1
x1
OR
x2
…Andrew Yao, 1982/1986
Alice Bob
Oblivious Transfer Protocol
Rabin, 1981; Even, Goldreich, and Lempel, 1985; Naor and Pinkas 2001, Ishai et al., 2003
Free-XOR technique, Kolesnikov and Shneider, 2008
Threat Model
Semi-Honest Adversary: follows the protocol as specified, but tries to learn more from the protocol execution transcript
Generic PSI Protocols Overview
– the number of bits used to denote a set element – the size of the sets
Protocols Cost in non-XOR gates
Best for
Bitwise-AND (BWA) Small element space
Pairwise-Comparison (PWC)
Sort-Compare-Shuffle-WN (SCS-WN) Large element space
Generic PSI Protocols Overview
– the number of bits used to denote a set element – the size of the sets
Protocols Cost in non-XOR gates
Best for
Bitwise-AND (BWA) Small element space
Pairwise-Comparison (PWC)
Sort-Compare-Shuffle-WN (SCS-WN) Large element space
PSI: Needn’t be Complex
[ 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0] [ 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0]
ANDANDAND . . .Bitwise-AND
. . .
Encode set elements as bit vectors
Recessive genes: { 5283423, 1425236, 839523, … }
Recessive genes: { 5823527, 839523, 169325, … }
[ PAH, PKU, CF, … ]
BWA Performance
8 9 10 11 12 13 14 15 160
0.5
1
1.5
2
2.5
3
OT Circuit
σ
Tim
e (s
econ
ds)
What if the element space is large?
Sort
-Com
pare
-Shu
ffle Sort: Take
advantage of total order of elements
Compare adjacent elements
Shuffle to hide positions
Sort
-Com
pare
-Shu
ffle Sort: Take
advantage of total order of elements
Compare adjacent elements
Shuffle to hide positions
Bito
nic
Sorti
ng1
4
9
7
5
4
3
2
1
5
4
4
3
9
2
7
1
3
2
4
5
9
4
7
1
2
3
4
4
5
7
9
1
2
3
4
4
5
7
9
Sorting Networks and their Applications, Ken Batcher, 1968
CMPFilter
CMPFilter
CMPFilter …
CMP3Filter
CMP3Filter
CMP3Filter
Can’t reveal results yet! Position leaks information.
Journal of the ACM, January 1968
Waksman Network
Same circuit can generate any permutation: select a random permutation, and pick swaps
gates( log 1)
3
n n n
FreeGates to generate and evaluate
Private Set Intersection Protocol
( log 1)
3
n n n
– the number of bits used to denote a set element – the size of the sets
SCS-WN Protocol Results
32-bit values
1
10
100Theoretical Projection
Experimental Observation
Set Size (each set)
Seco
nds
( log 1)[2 log(2 ) (3 1)( 1) (2 1) ]
3
n n nn n n rate
ultra-short short medium long ultra-long0
200
400
600
800
1000
1200
1400
1600
1800
2000
10.9 62.4126.0
369.0
1972.0
51.5 57.1 61.5 97.3 122.710.5 11.8 12.4 18.6 22.7
[DT10] One-more-DL-basedSCS-WN (σ=160)SCS-WN (σ=32)
Tim
e (s
econ
ds)
Relating Performance to Security
(1024, 160) (2048, 224) (3072, 256) (7680, 384) (15360, 512)
80 112 128 192 256
DL Key-sizes:
Symmetric:
Generic protocols offer many advantagesComposabilityFlexibility on hardness assumptionsDesign costPerformance
Conclusion
Q & A?
Recommended