Are you the one to share? Secret Transfer with Access Structure - PowerPoint PPT Presentation

Are you the one to share? Secret Transfer with Access Structure Yongjun Zhao, Sherman S.M. Chow Department of I nformation E ngineering The C hinese U niversity of H ong K ong, Hong Kong

Private Set Intersection (PSI) • Compute the intersection 𝐵 ∩ 𝐶 • without revealing elements ∉ 𝐵 ∩ 𝐶 ? ?

Applications of PSI: Common Interests

Applications of PSI: Common Customers

Classical Definition for PSI • ℱ 𝑄𝑇𝐽 : 𝑌, 𝑍 → 𝑌 ∩ 𝑍, ⊥ • Well established notion in crypto and security communities client server Input : 𝑍 = {𝑧 1 , … , 𝑧 𝑛 } 𝑌 = {𝑦 1 , … , 𝑦 𝑜 } Output : ⊥ 𝑌 ∩ 𝑍 • Other variants: fair PSI (both parties obtain 𝑌 ∩ 𝑍 ), multi-party PSI (>2 participants), etc.

Classical Definition for PSI (limitation) • ℱ 𝑄𝑇𝐽 : 𝑌, 𝑍 → ( , ⊥) client server Input : 𝑍 = {𝑧 1 , … , 𝑧 𝑛 } 𝑌 = {𝑦 1 , … , 𝑦 𝑜 } Output : ⊥ 𝑌 ∩ 𝑍 • One party ALAWYS learns the outcome

They do not really match that well

Classical Definition (limitation) • Traditional PSI always reveals the intersection • Intersection set itself could be: • Sensitive: threat information • Commercial asset: customer list • Personal info: friend list, hobbies, preferences • Intersection should only be revealed when necessary (i.e., the interaction satisfying some policy 𝑄(⋅) ) • e.g., the size exceeds some threshold number

More “Privacy - Friendly” PSI • Our new notion: PSI with (monotone) access structure • Reveal 𝐵 ∩ 𝐶 only if 𝑄 𝐵 ∩ 𝐶 = 1 • Special cases: 𝑄 𝐵 ∩ 𝐶 = 1 if 𝐵 ∩ 𝐶 ≥ 𝑢 • (over) threshold PSI 0 if 𝐵 ∩ 𝐶 < 𝑢 • Applications: • Private match-making • Auditing leakage in information sharing • Intersection of threat information / suspect lists / customer list

Concrete Construction • We construct PSI with access structure in a modular way • Roadmap: OTSA STAS PSI w/ AS Oblivious Transfer Secret Transfer with PSI with Access for a Sparse Array Access Structure Structure

Oblivious Transfer for a Sparse Array • Roadmap: OTSA STAS PSI w/ AS Oblivious Transfer Secret Transfer with PSI with Access for a Sparse Array Access Structure Structure

Oblivious Transfer for a Sparse Array (OTSA) • ℱ 𝑃𝑈𝑇𝐵 : 𝑦, 𝑧 → (𝐸, ⊥) Input : 𝑦 = {𝑦 1 , … , 𝑦 𝑜 } 𝑧 = {(𝑧 1 , 𝑒 1 ), … , (𝑧 𝑛 , 𝑒 𝑛 )} Output : 𝐸 = {𝑒 𝑗 |𝑧 𝑗 ∈ {𝑦 1 , 𝑦 2 , ⋯ , 𝑦 𝑜 }} ⊥ • Generalizing standard 𝑜 -out-of- 𝑛 OT: • 𝑦 1 , … , 𝑦 𝑜 ⊈ {𝑧 1 , … , 𝑧 𝑛 } 𝑦 1 , … , 𝑦 𝑜 ∩ {𝑧 1 , … , 𝑧 𝑛 } is hidden from receiver •

Oblivious Polynomial Evaluation (OPE) • Encode the set {𝑦 1 , … , 𝑦 𝑜 } as polynomial: 𝑦 − 𝑦 2 ⋯ 𝑦 − 𝑦 𝑜 = 𝑏 0 + 𝑏 1 𝑦 + ⋯ + 𝑏 𝑜 𝑦 𝑜 𝑞 = 𝑦 − 𝑦 1 • Observation: 𝑧 𝑗 ∈ 𝑌 ⟺ 𝑞 𝑧 𝑗 = 0 • Given encrypted coefficients 𝑏 0 , 𝑏 1 , … , 𝑏 𝑜 of a polynomial 𝑞 • We can evaluate its value at 𝑦 via homomorphic encryption: = 𝐹𝑜𝑑 𝑞𝑙 𝑏 0 + 𝑏 1 𝑦 + ⋯ + 𝑏 𝑜 𝑦 𝑜 𝐹𝑜𝑑 𝑞𝑙 𝑞 𝑦 = 𝐹𝑜𝑑 𝑞𝑙 𝑏 0 ⊕ 𝐹𝑜𝑑 𝑞𝑙 𝑏 1 ⨂𝑦 ⊕ ⋯ ⊕ (𝐹𝑜𝑑 𝑞𝑙 (𝑏 𝑜 )⨂𝑦 𝑜 )

OTSA from Oblivious Polynomial Evaluation 𝑞𝑙, 𝐹𝑜𝑑 𝑞𝑙 𝑏 0 , … , 𝐹𝑜𝑑 𝑞𝑙 (𝑏 𝑜 ) 𝑨 𝑗 = 𝐹𝑜𝑑 𝑞𝑙 (𝑠 𝑗 ⋅ 𝑞 𝑧 𝑗 + 𝑒 𝑗 ) {𝑨 1 , … , 𝑨 𝑛 } (permuted) (𝑞𝑙, 𝑡𝑙) {𝑧 1 , … , 𝑧 𝑛 } {𝑦 1 , … , 𝑦 𝑜 } {𝑒 1 , … , 𝑒 𝑛 } if 𝑧 𝑗 ∈ {𝑦 1 , … , 𝑦 𝑜 } 𝑨 𝑗 will be decrypted to 𝑒 𝑗 𝑨 𝑗 will be decrypted to random if 𝑧 𝑗 ∉ {𝑦 1 , … , 𝑦 𝑜 }

Construction of OTSA 𝑞𝑙, 𝐹𝑜𝑑 𝑞𝑙 𝑏 0 , … , 𝐹𝑜𝑑 𝑞𝑙 (𝑏 𝑜 ) 𝑨 𝑗 = 𝐹𝑜𝑑 𝑞𝑙 (𝑠 𝑗 ⋅ 𝑞 𝑧 𝑗 + 𝑒 𝑗 ) 𝑨 1 , … , 𝑨 𝑛 • Honest-but-curious model • extended to malicious model using zero-knowledge proofs (details in the paper) • Computational complexity: 𝑃(𝑛𝑜) (worse than 𝑃(𝑜 log 𝑜) via generic approach) • 𝑃(𝑜) construction (honest-but-curious) in the paper • based on garbled Bloom filter [Dong- Chen@CCS’13]

PSI with Access Structure • Roadmap: OTSA STAS PSI w/ AS Oblivious Transfer Secret Transfer with PSI with Access for a Sparse Array Access Structure Structure

Secret Sharing • Split a secret 𝑡 into shares • 𝑡 can be reconstructed only if “ qualified ” subset of shares are combined SecretShare( 𝑡 ) → {𝑡 1 , 𝑡 2 , … , 𝑡 𝑜 } Reconstruct( 𝑡 𝑗 1 , 𝑡 𝑗 2 , … , 𝑡 𝑗 𝑙 ) → 𝑡 or ⊥ • Example: “ qualified ” subsets: access structure: 𝑡 1 AND {𝑡 2 OR 𝑡 3 } AND 𝑡 4 AND 𝑡 5 {𝑡 1 , 𝑡 2 , 𝑡 4 , 𝑡 5 } {𝑡 1 , 𝑡 3 , 𝑡 4 , 𝑡 5 } {𝑡 1 , 𝑡 2 , 𝑡 3 , 𝑡 4 , 𝑡 5 }

Secret Transfer with Access Structure • ℱ 𝑇𝑈𝐵𝑇 : Input : 𝑡 , 𝑍 = 𝑌 = {𝑦 1 , … , 𝑦 𝑜 } 𝑧 1 , … , 𝑧 𝑛 |𝑌 ∩ 𝑍| and Output : ⊥ 𝑡 iff 𝑄 𝑌 ∩ 𝑍 = 1

OTSA + Secret Sharing = STAS SecretShare( 𝑡 ) → {𝑡 1 , 𝑡 2 , … , 𝑡 𝑛 } 𝑞𝑙, 𝐹𝑜𝑑 𝑞𝑙 𝑏 0 , … , 𝐹𝑜𝑑 𝑞𝑙 (𝑏 𝑜 ) 𝑨 𝑗 = 𝐹𝑜𝑑 𝑞𝑙 (𝑠 𝑗 ⋅ 𝑞 𝑌 𝑧 𝑗 + 𝑡 𝑗 ) 𝑨 1 , … , 𝑨 𝑛 𝑍 = {𝑧 1 , … , 𝑧 𝑛 } (𝑞𝑙, 𝑡𝑙) 𝑌 = {𝑦 1 , … , 𝑦 𝑜 } 𝑡 𝑨 𝑗 will be decrypted to 𝑡 𝑗 if 𝑧 𝑗 ∈ 𝑌 if 𝑧 𝑗 ∉ 𝑌 𝑨 𝑗 will be decrypted to random

OTSA + Secret Sharing = STAS SecretShare( 𝑡 ) → {𝑡 1 , 𝑡 2 , … , 𝑡 𝑛 } 𝑞𝑙, 𝐹𝑜𝑑 𝑞𝑙 𝑏 0 , … , 𝐹𝑜𝑑 𝑞𝑙 (𝑏 𝑜 ) 𝑨 𝑗 = 𝐹𝑜𝑑 𝑞𝑙 (𝑠 𝑗 ⋅ 𝑞 𝑌 𝑧 𝑗 + 𝑡 𝑗 ) 𝑨 1 , … , 𝑨 𝑛 𝑍 = {𝑧 1 , … , 𝑧 𝑛 } (𝑞𝑙, 𝑡𝑙) 𝑌 = {𝑦 1 , … , 𝑦 𝑜 } 𝑡 If 𝑌 ∩ 𝑍 satisfies the access structure The receiver can reconstruct the secret 𝑡 !

PSI with Access Structure • Roadmap: PSI w/ DT STAS PSI w/ AS Oblivious Transfer Secret Transfer with PSI with Access for a Sparse Array Access Structure Structure

PSI with Access Structure from STAS STAS protocol 𝑍 = {𝑧 1 , … , 𝑧 𝑛 } and 𝑡 𝑌 = {𝑦 1 , … , 𝑦 𝑜 } The receiver can reconstruct the secret 𝑡 if and only if 𝑌 ∩ 𝑍 satisfies the access structure

STAS + PSI = PSI with Access Structure Normal PSI 𝑌 ′ = {𝑦 1 | 𝑡, … , 𝑦 𝑜 |𝑡} 𝑍 ′ = {𝑧 1 | 𝑡, … , 𝑧 𝑛 |𝑡} If 𝑌 ∩ 𝑍 satisfies the access structure The receiver can learn 𝑌 ′ ∩ 𝑍 ′ , which is essentially 𝑌 ∩ 𝑍

PSI with Access Structure Normal PSI 𝑌 ′ = {𝑦 1 ||𝑡 ′ , … , 𝑦 𝑜 ||𝑡 ′ } 𝑍 ′ = {𝑧 1 | 𝑡, … , 𝑧 𝑛 |𝑡} If 𝑌 ∩ 𝑍 does not satisfies the access structure The receiver can learn 𝑌 ′ ∩ 𝑍 ′ , which is an empty set

Concluding Remarks • We introduce the notions of • Oblivious Transfer with Spare Array (OTSA) • Secret Transfer with Access Structure (STAS) • PSI with Access Structure • We then construct • Two OTSA schemes (from OPE / garbled Bloom filter) • OTSA + Secret Sharing = STAS • STAS + PSI = PSI with Access Structure • Future work 1: can we hide |𝑌 ∩ 𝑍| in STAS? Under submission • Future work 2: can we support non-monotone access structure? • {zy113, sherman}@ie.cuhk.edu.hk