
Are you the one to share? Secret Transfer with Access Structure - PowerPoint PPT Presentation

Yongjun Zhao, Sherman S.M. Chow, Department of Information Engineering, The Chinese University of Hong Kong, Hong Kong


  1. Are you the one to share? Secret Transfer with Access Structure. Yongjun Zhao, Sherman S.M. Chow, Department of Information Engineering, The Chinese University of Hong Kong, Hong Kong

  2. Private Set Intersection (PSI)
     • Compute the intersection A ∩ B
     • without revealing elements ∉ A ∩ B

  3. Applications of PSI: Common Interests

  4. Applications of PSI: Common Customers

  5. Classical Definition for PSI
     • ℱ_PSI : (X, Y) → (X ∩ Y, ⊥)
     • Well established notion in crypto and security communities
     • client, server
     • Input: Y = {y_1, …, y_m}; X = {x_1, …, x_n}
     • Output: ⊥; X ∩ Y
     • Other variants: fair PSI (both parties obtain X ∩ Y), multi-party PSI (>2 participants), etc.

  6. Classical Definition for PSI (limitation)
     • ℱ_PSI : (X, Y) → ( , ⊥)
     • client, server
     • Input: Y = {y_1, …, y_m}; X = {x_1, …, x_n}
     • Output: ⊥; X ∩ Y
     • One party ALWAYS learns the outcome

  7. They do not really match that well

  8. Classical Definition (limitation)
     • Traditional PSI always reveals the intersection
     • Intersection set itself could be:
       • Sensitive: threat information
       • Commercial asset: customer list
       • Personal info: friend list, hobbies, preferences
     • Intersection should only be revealed when necessary (i.e., the interaction satisfying some policy P(⋅))
       • e.g., the size exceeds some threshold number

  9. More “Privacy-Friendly” PSI
     • Our new notion: PSI with (monotone) access structure
     • Reveal A ∩ B only if P(A ∩ B) = 1
     • Special cases: (over) threshold PSI
       • P(A ∩ B) = 1 if |A ∩ B| ≥ t
       • P(A ∩ B) = 0 if |A ∩ B| < t
     • Applications:
       • Private match-making
       • Auditing leakage in information sharing
       • Intersection of threat information / suspect lists / customer list

  10. Concrete Construction
     • We construct PSI with access structure in a modular way
     • Roadmap: OTSA (Oblivious Transfer for a Sparse Array), STAS (Secret Transfer with Access Structure), PSI w/ AS (PSI with Access Structure)

  11. Oblivious Transfer for a Sparse Array
     • Roadmap: OTSA (Oblivious Transfer for a Sparse Array), STAS (Secret Transfer with Access Structure), PSI w/ AS (PSI with Access Structure)

  12. Oblivious Transfer for a Sparse Array (OTSA)
     • ℱ_OTSA : (x, y) → (D, ⊥)
     • Input: x = {x_1, …, x_n}; y = {(y_1, d_1), …, (y_m, d_m)}
     • Output: D = {d_i | y_i ∈ {x_1, x_2, ⋯, x_n}}; ⊥
     • Generalizing standard n-out-of-m OT:
       • {x_1, …, x_n} ⊈ {y_1, …, y_m}
       • {x_1, …, x_n} ∩ {y_1, …, y_m} is hidden from receiver

  13. Oblivious Polynomial Evaluation (OPE)
     • Encode the set {x_1, …, x_n} as polynomial: p(x) = (x − x_1)(x − x_2) ⋯ (x − x_n) = a_0 + a_1 x + ⋯ + a_n x^n
     • Observation: y_i ∈ X ⟺ p(y_i) = 0
     • Given encrypted coefficients a_0, a_1, …, a_n of a polynomial p
     • We can evaluate its value at x via homomorphic encryption:
       Enc_pk(p(x)) = Enc_pk(a_0 + a_1 x + ⋯ + a_n x^n) = Enc_pk(a_0) ⊕ (Enc_pk(a_1) ⊗ x) ⊕ ⋯ ⊕ (Enc_pk(a_n) ⊗ x^n)

  14. OTSA from Oblivious Polynomial Evaluation
     • Messages: pk, Enc_pk(a_0), …, Enc_pk(a_n); {z_1, …, z_m} (permuted), where z_i = Enc_pk(r_i ⋅ p(y_i) + d_i)
     • Inputs: (pk, sk); {y_1, …, y_m}; {x_1, …, x_n}; {d_1, …, d_m}
     • z_i will be decrypted to d_i if y_i ∈ {x_1, …, x_n}
     • z_i will be decrypted to random if y_i ∉ {x_1, …, x_n}

  15. Construction of OTSA
     • Messages: pk, Enc_pk(a_0), …, Enc_pk(a_n); z_1, …, z_m, where z_i = Enc_pk(r_i ⋅ p(y_i) + d_i)
     • Honest-but-curious model
       • extended to malicious model using zero-knowledge proofs (details in the paper)
     • Computational complexity: O(mn) (worse than O(n log n) via generic approach)
     • O(n) construction (honest-but-curious) in the paper
       • based on garbled Bloom filter [Dong-Chen@CCS’13]

  16. PSI with Access Structure
     • Roadmap: OTSA (Oblivious Transfer for a Sparse Array), STAS (Secret Transfer with Access Structure), PSI w/ AS (PSI with Access Structure)

  17. Secret Sharing
     • Split a secret s into shares
     • s can be reconstructed only if a “qualified” subset of shares is combined
     • SecretShare(s) → {s_1, s_2, …, s_n}
     • Reconstruct(s_{i_1}, s_{i_2}, …, s_{i_k}) → s or ⊥
     • Example:
       • access structure: s_1 AND {s_2 OR s_3} AND s_4 AND s_5
       • “qualified” subsets: {s_1, s_2, s_4, s_5}, {s_1, s_3, s_4, s_5}, {s_1, s_2, s_3, s_4, s_5}

  18. Secret Transfer with Access Structure
     • ℱ_STAS:
     • Input: s, Y = {y_1, …, y_m}; X = {x_1, …, x_n}
     • Output: ⊥; |X ∩ Y| and s iff P(X ∩ Y) = 1

  19. OTSA + Secret Sharing = STAS
     • SecretShare(s) → {s_1, s_2, …, s_m}
     • Messages: pk, Enc_pk(a_0), …, Enc_pk(a_n); z_1, …, z_m, where z_i = Enc_pk(r_i ⋅ p_X(y_i) + s_i)
     • Inputs: Y = {y_1, …, y_m} and s; (pk, sk) and X = {x_1, …, x_n}
     • z_i will be decrypted to s_i if y_i ∈ X
     • z_i will be decrypted to random if y_i ∉ X

  20. OTSA + Secret Sharing = STAS
     • SecretShare(s) → {s_1, s_2, …, s_m}
     • Messages: pk, Enc_pk(a_0), …, Enc_pk(a_n); z_1, …, z_m, where z_i = Enc_pk(r_i ⋅ p_X(y_i) + s_i)
     • Inputs: Y = {y_1, …, y_m} and s; (pk, sk) and X = {x_1, …, x_n}
     • If X ∩ Y satisfies the access structure, the receiver can reconstruct the secret s!

  21. PSI with Access Structure
     • Roadmap: PSI w/ DT (Oblivious Transfer for a Sparse Array), STAS (Secret Transfer with Access Structure), PSI w/ AS (PSI with Access Structure)

  22. PSI with Access Structure from STAS
     • STAS protocol
     • Inputs: Y = {y_1, …, y_m} and s; X = {x_1, …, x_n}
     • The receiver can reconstruct the secret s if and only if X ∩ Y satisfies the access structure

  23. STAS + PSI = PSI with Access Structure
     • Normal PSI
     • X′ = {x_1 || s, …, x_n || s}; Y′ = {y_1 || s, …, y_m || s}
     • If X ∩ Y satisfies the access structure, the receiver can learn X′ ∩ Y′, which is essentially X ∩ Y

  24. PSI with Access Structure
     • Normal PSI
     • X′ = {x_1 || s′, …, x_n || s′}; Y′ = {y_1 || s, …, y_m || s}
     • If X ∩ Y does not satisfy the access structure, the receiver can learn X′ ∩ Y′, which is an empty set

  25. Concluding Remarks
     • We introduce the notions of
       • Oblivious Transfer with Sparse Array (OTSA)
       • Secret Transfer with Access Structure (STAS)
       • PSI with Access Structure
     • We then construct
       • Two OTSA schemes (from OPE / garbled Bloom filter)
       • OTSA + Secret Sharing = STAS
       • STAS + PSI = PSI with Access Structure
     • Future work 1: can we hide |X ∩ Y| in STAS? Under submission
     • Future work 2: can we support non-monotone access structure?
     • {zy113, sherman}@ie.cuhk.edu.hk
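
The flow on slides 13 to 20, as an added example (not code from the slides or the paper): the receiver sends the encrypted coefficients of p(x), the sender returns the permuted ciphertexts of r_i · p(y_i) + s_i, and the receiver recovers s only when enough shares decrypt correctly. Assumptions: toy Paillier on small constructed primes stands in for the homomorphic encryption, Shamir t-of-m sharing is the access structure, each share is packed with its index so genuine shares are recognisable after decryption, all function names are hypothetical, and both parties are honest-but-curious.

```python
import random

# Toy Paillier on constructed Mersenne primes (assumption): illustration only, not secure.
P, Q = 2**61 - 1, 2**89 - 1
N, N2, LAM = P * Q, (P * Q) ** 2, (P - 1) * (Q - 1)
F = 2**31 - 1                  # prime field for Shamir shares (assumption)
rng = random.SystemRandom()

def enc(m):
    return (1 + m % N * N) * pow(rng.randrange(1, N), N, N2) % N2

def dec(c):
    return (pow(c, LAM, N2) - 1) // N * pow(LAM, -1, N) % N

def share(s, t, m):            # Shamir t-of-m: share i is f(i), with f(0) = s
    f = [s] + [rng.randrange(F) for _ in range(t - 1)]
    return [sum(c * pow(i, k, F) for k, c in enumerate(f)) % F for i in range(1, m + 1)]

def reconstruct(pts):          # Lagrange interpolation at 0 over GF(F)
    s = 0
    for i, v in pts:
        num = den = 1
        for j, _ in pts:
            if j != i:
                num, den = num * -j % F, den * (i - j) % F
        s = (s + v * num * pow(den, -1, F)) % F
    return s

def receiver_query(X):         # encrypt a_0..a_n of p(x) = (x - x_1)...(x - x_n)
    a = [1]
    for x in X:                # multiply the current polynomial by (x - x_j)
        a = [(([0] + a)[k] - x * (a + [0])[k]) % N for k in range(len(a) + 1)]
    return [enc(c) for c in a]

def sender_reply(enc_a, Y, s, t):
    """z_i = Enc(r_i * p(y_i) + (i, s_i) packed); packing is an assumption. Permuted."""
    Z = []
    for i, (y, s_i) in enumerate(zip(Y, share(s, t, len(Y))), 1):
        c = enc_a[-1]
        for ck in reversed(enc_a[:-1]):      # Horner's rule under encryption
            c = pow(c, y, N2) * ck % N2
        Z.append(pow(c, rng.randrange(1, N), N2) * enc(i << 32 | s_i) % N2)
    rng.shuffle(Z)
    return Z

def receiver_open(Z, t):
    """Keep decryptions that look like packed shares; return (|X ∩ Y|, s or None)."""
    pts = [(v >> 32, v % 2**32) for v in map(dec, Z) if v < (len(Z) + 1) << 32]
    return len(pts), (reconstruct(pts[:t]) if len(pts) >= t else None)
```

With X = [3, 7, 11, 19], Y = [7, 5, 19, 23, 3] and t = 3, `receiver_open` returns the intersection size 3 and the secret; raising t to 4 returns the size with `None`, which is also why the slides list hiding |X ∩ Y| as future work.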
