Are you the one to share? Secret Transfer with Access Structure
Yongjun Zhao, Sherman S.M. Chow
Department of Information Engineering, The Chinese University of Hong Kong, Hong Kong
Private Set Intersection (PSI)
• Compute the intersection $A \cap B$
• without revealing elements $\notin A \cap B$
Applications of PSI: Common Interests
Applications of PSI: Common Customers
Classical Definition for PSI
• $\mathcal{F}_{PSI} : (X, Y) \to (X \cap Y, \perp)$
• Well established notion in crypto and security communities
• Parties: client, server
• Input: $X = \{x_1, \dots, x_m\}$, $Y = \{y_1, \dots, y_n\}$
• Output: $X \cap Y$, $\perp$
• Other variants: fair PSI (both parties obtain $X \cap Y$), multi-party PSI (>2 participants), etc.
Classical Definition for PSI (limitation)
• $\mathcal{F}_{PSI} : (X, Y) \to (X \cap Y, \perp)$
• Parties: client, server
• Input: $X = \{x_1, \dots, x_m\}$, $Y = \{y_1, \dots, y_n\}$
• Output: $X \cap Y$, $\perp$
• One party ALWAYS learns the outcome
They do not really match that well
Classical Definition (limitation)
• Traditional PSI always reveals the intersection
• Intersection set itself could be:
  • Sensitive: threat information
  • Commercial asset: customer list
  • Personal info: friend list, hobbies, preferences
• Intersection should only be revealed when necessary (i.e., the intersection satisfying some policy $P(\cdot)$)
  • e.g., the size exceeds some threshold number
More "Privacy-Friendly" PSI
• Our new notion: PSI with (monotone) access structure
• Reveal $A \cap B$ only if $P(A \cap B) = 1$
• Special cases: (over) threshold PSI
  $P(A \cap B) = 1$ if $|A \cap B| \ge t$, $0$ if $|A \cap B| < t$
• Applications:
  • Private match-making
  • Auditing leakage in information sharing
  • Intersection of threat information / suspect lists / customer list
Concrete Construction
• We construct PSI with access structure in a modular way
• Roadmap: OTSA (Oblivious Transfer for a Sparse Array) → STAS (Secret Transfer with Access Structure) → PSI w/ AS (PSI with Access Structure)
Oblivious Transfer for a Sparse Array
• Roadmap: OTSA (Oblivious Transfer for a Sparse Array) → STAS (Secret Transfer with Access Structure) → PSI w/ AS (PSI with Access Structure)
Oblivious Transfer for a Sparse Array (OTSA)
• $\mathcal{F}_{OTSA} : (x, y) \to (D, \perp)$
• Input: $x = \{x_1, \dots, x_m\}$, $y = \{(y_1, d_1), \dots, (y_n, d_n)\}$
• Output: $D = \{d_i \mid y_i \in \{x_1, x_2, \cdots, x_m\}\}$, $\perp$
• Generalizing standard $k$-out-of-$n$ OT:
  • $\{x_1, \dots, x_m\} \not\subseteq \{y_1, \dots, y_n\}$
  • $\{x_1, \dots, x_m\} \cap \{y_1, \dots, y_n\}$ is hidden from receiver
Oblivious Polynomial Evaluation (OPE)
• Encode the set $\{x_1, \dots, x_m\}$ as polynomial:
  $f = (x - x_1)(x - x_2) \cdots (x - x_m) = a_0 + a_1 x + \cdots + a_m x^m$
• Observation: $y_i \in X \iff f(y_i) = 0$
• Given encrypted coefficients $a_0, a_1, \dots, a_m$ of a polynomial $f$
• We can evaluate its value at $x$ via homomorphic encryption:
  $\mathrm{Enc}_{pk}(f(x)) = \mathrm{Enc}_{pk}(a_0 + a_1 x + \cdots + a_m x^m) = \mathrm{Enc}_{pk}(a_0) \oplus (\mathrm{Enc}_{pk}(a_1) \otimes x) \oplus \cdots \oplus (\mathrm{Enc}_{pk}(a_m) \otimes x^m)$
OTSA from Oblivious Polynomial Evaluation
• Receiver: $(pk, sk)$, $\{x_1, \dots, x_m\}$
• Sender: $\{y_1, \dots, y_n\}$, $\{d_1, \dots, d_n\}$
• Receiver sends: $pk, \mathrm{Enc}_{pk}(a_0), \dots, \mathrm{Enc}_{pk}(a_m)$
• Sender replies: $\{z_1, \dots, z_n\}$ (permuted), where $z_i = \mathrm{Enc}_{pk}(r_i \cdot f(y_i) + d_i)$
• If $y_i \in \{x_1, \dots, x_m\}$, $z_i$ will be decrypted to $d_i$
• If $y_i \notin \{x_1, \dots, x_m\}$, $z_i$ will be decrypted to random
Construction of OTSA
• Receiver sends: $pk, \mathrm{Enc}_{pk}(a_0), \dots, \mathrm{Enc}_{pk}(a_m)$
• Sender replies: $z_1, \dots, z_n$, where $z_i = \mathrm{Enc}_{pk}(r_i \cdot f(y_i) + d_i)$
• Honest-but-curious model
  • extended to malicious model using zero-knowledge proofs (details in the paper)
• Computational complexity: $O(mn)$ (worse than $O(n \log n)$ via generic approach)
• $O(n)$ construction (honest-but-curious) in the paper
  • based on garbled Bloom filter [Dong-Chen@CCS'13]
PSI with Access Structure
• Roadmap: OTSA (Oblivious Transfer for a Sparse Array) → STAS (Secret Transfer with Access Structure) → PSI w/ AS (PSI with Access Structure)
Secret Sharing
• Split a secret $s$ into shares
• $s$ can be reconstructed only if "qualified" subset of shares are combined
  SecretShare($s$) → $\{s_1, s_2, \dots, s_n\}$
  Reconstruct($s_{i_1}, s_{i_2}, \dots, s_{i_k}$) → $s$ or $\perp$
• Example:
  access structure: $s_1$ AND {$s_2$ OR $s_3$} AND $s_4$ AND $s_5$
  "qualified" subsets: $\{s_1, s_2, s_4, s_5\}$, $\{s_1, s_3, s_4, s_5\}$, $\{s_1, s_2, s_3, s_4, s_5\}$
Secret Transfer with Access Structure
• $\mathcal{F}_{STAS}$:
  • Sender input: $s$, $Y = \{y_1, \dots, y_n\}$
  • Receiver input: $X = \{x_1, \dots, x_m\}$
  • Sender output: $\perp$
  • Receiver output: $|X \cap Y|$ and $s$ iff $P(X \cap Y) = 1$
OTSA + Secret Sharing = STAS
• Sender: $Y = \{y_1, \dots, y_n\}$ and $s$; SecretShare($s$) → $\{s_1, s_2, \dots, s_n\}$
• Receiver: $(pk, sk)$, $X = \{x_1, \dots, x_m\}$
• Receiver sends: $pk, \mathrm{Enc}_{pk}(a_0), \dots, \mathrm{Enc}_{pk}(a_m)$
• Sender replies: $z_1, \dots, z_n$, where $z_i = \mathrm{Enc}_{pk}(r_i \cdot f(y_i) + s_i)$
• $z_i$ will be decrypted to $s_i$ if $y_i \in X$
• $z_i$ will be decrypted to random if $y_i \notin X$
OTSA + Secret Sharing = STAS
• Sender: $Y = \{y_1, \dots, y_n\}$ and $s$; SecretShare($s$) → $\{s_1, s_2, \dots, s_n\}$
• Receiver: $(pk, sk)$, $X = \{x_1, \dots, x_m\}$
• Receiver sends: $pk, \mathrm{Enc}_{pk}(a_0), \dots, \mathrm{Enc}_{pk}(a_m)$
• Sender replies: $z_1, \dots, z_n$, where $z_i = \mathrm{Enc}_{pk}(r_i \cdot f(y_i) + s_i)$
• If $X \cap Y$ satisfies the access structure, the receiver can reconstruct the secret $s$!
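Added example (not code from the slides or the paper): the OPE-based OTSA exchange described above, combined with Shamir sharing to give STAS for the threshold policy $|X \cap Y| \ge t$, in the honest-but-curious model. Assumptions of this example: toy Paillier as the additively homomorphic scheme, integer set elements, and a 64-bit zero tag plus share index packed into each payload so the receiver can tell a share from a random decryption; all function names are hypothetical.

```python
import secrets
# Toy parameters assumed for this example (not from the slides); far too small for real use.
P, Q = 2**89 - 1, 2**107 - 1            # two Mersenne primes as the Paillier factors
N, PHI = P * Q, (P - 1) * (Q - 1)
N2, F, TAG = N * N, 2**61 - 1, 64       # F: Shamir field; TAG: zero bits marking a real share

def enc(m):                             # Paillier encryption with g = N + 1
    return (1 + (m % N) * N) * pow(secrets.randbelow(N - 1) + 1, N, N2) % N2

def dec(c):                             # Paillier decryption using phi(N)
    return (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N

def poly_coeffs(roots):                 # a_0..a_m of f(x) = prod (x - x_j) mod N
    a = [1]
    for x in roots:
        a = [((a[k - 1] if k else 0) - x * (a[k] if k < len(a) else 0)) % N
             for k in range(len(a) + 1)]
    return a

def share(s, t, n):                     # Shamir t-out-of-n shares (i, s_i) over F
    co = [s] + [secrets.randbelow(F) for _ in range(t - 1)]
    return [(i, sum(c * pow(i, k, F) for k, c in enumerate(co)) % F) for i in range(1, n + 1)]

def reconstruct(shares):                # Lagrange interpolation at 0
    s = 0
    for i, s_i in shares:
        for j, _ in shares:
            if j != i:
                s_i = s_i * j * pow((j - i) % F, -1, F) % F
        s = (s + s_i) % F
    return s

def sender(enc_coeffs, Y, s, t):        # z_i = Enc(r_i * f(y_i) + payload_i), permuted
    out = []
    for y, (i, s_i) in zip(Y, share(s, t, len(Y))):
        acc = enc_coeffs[-1]
        for c in reversed(enc_coeffs[:-1]):         # Horner: homomorphic Enc(f(y))
            acc = pow(acc, y, N2) * c % N2
        r = secrets.randbelow(N - 1) + 1
        out.append(pow(acc, r, N2) * enc(((i << 61) | s_i) << TAG) % N2)
    secrets.SystemRandom().shuffle(out)
    return out

def receiver(cts, t):                   # returns (|X ∩ Y|, secret or None)
    got = [(m >> (TAG + 61), (m >> TAG) & F) for m in map(dec, cts) if m % 2**TAG == 0]
    return len(got), (reconstruct(got[:t]) if len(got) >= t else None)

def run(X, Y, s, t):                    # receiver's first message, then the sender's reply
    return receiver(sender([enc(a) for a in poly_coeffs(X)], Y, s, t), t)
```

`run([11, 22, 33, 44], [22, 33, 44, 55, 66], 123456789, 3)` returns the intersection size and the secret; raising `t` to 4 returns the size with `None`, matching the receiver output in the STAS definition.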
PSI with Access Structure
• Roadmap: PSI w/ DT (Oblivious Transfer for a Sparse Array) → STAS (Secret Transfer with Access Structure) → PSI w/ AS (PSI with Access Structure)
PSI with Access Structure from STAS
• STAS protocol
  • Sender: $Y = \{y_1, \dots, y_n\}$ and $s$
  • Receiver: $X = \{x_1, \dots, x_m\}$
• The receiver can reconstruct the secret $s$ if and only if $X \cap Y$ satisfies the access structure
STAS + PSI = PSI with Access Structure
• Normal PSI
  • $X' = \{x_1 \| s, \dots, x_m \| s\}$
  • $Y' = \{y_1 \| s, \dots, y_n \| s\}$
• If $X \cap Y$ satisfies the access structure, the receiver can learn $X' \cap Y'$, which is essentially $X \cap Y$
PSI with Access Structure
• Normal PSI
  • $X' = \{x_1 \| s', \dots, x_m \| s'\}$
  • $Y' = \{y_1 \| s, \dots, y_n \| s\}$
• If $X \cap Y$ does not satisfy the access structure, the receiver can learn $X' \cap Y'$, which is an empty set
Concluding Remarks
• We introduce the notions of
  • Oblivious Transfer with Sparse Array (OTSA)
  • Secret Transfer with Access Structure (STAS)
  • PSI with Access Structure
• We then construct
  • Two OTSA schemes (from OPE / garbled Bloom filter)
  • OTSA + Secret Sharing = STAS
  • STAS + PSI = PSI with Access Structure
• Future work 1: can we hide $|X \cap Y|$ in STAS? Under submission
• Future work 2: can we support non-monotone access structure?
• {zy113, sherman}@ie.cuhk.edu.hk