Improved Private Set Intersection against Malicious Adversaries - PowerPoint PPT Presentation

Improved Private Set Intersection against Malicious Adversaries Peter Rindal Mike Rosulek

Private Set Intersection (PSI) 𝑌 𝑍 𝑌 ∩ 𝑍

Private Set Intersection (PSI) “Sender” “Receiver” 𝑌 𝑍 PSI 𝑌 ∩ 𝑍

App: Contact discovery Users Contacts PSI 𝑌 ∩ 𝑍

Oblivious Transfer (OT) Alice Bob 𝑃𝑈 𝑛 0 , 𝑛 1 ∈ 0,1 𝑚 𝑑 ∈ {0,1} 𝑛 𝑑 • Highly efficient and secure protocols exists • Motivates it use as the basis for PSI

Bloom Filter Plain text data structure similar to hash table • Allows for testing set membership • Paramerterized by hash functions ℎ 1 , … , ℎ 𝑙 , set • • 𝑐 ℎ 𝑗 (𝑦) = 1 , ∀𝑗 0 0 0 0 0 0 0 0 0 0 0 0 𝑐 = 0 0 0

Bloom Filter Plai n 𝑗 ( 𝑦 ) =1 , ∀ 𝑗 ext data structure similar to hash table • Allows for testing set membership • Paramerterized by hash functions ℎ 1 , … , ℎ 𝑙 • To insert 𝑦 , set • 𝑐 ℎ 𝑗 ℎ 𝑗 (𝑦) = 1 , ∀𝑗 … ℎ 2 (𝑦) ℎ 𝑙 (𝑦) ℎ 1 (𝑦) 0 0 0 0 0 0 0 0 0 0 𝑐 = 1 0 0 1 1

Bloom Filter Plai n 𝑗 ( 𝑦 ) =1 , ∀ 𝑗 ext data structure similar to hash table • Allows for testing set membership • Paramerterized by hash functions ℎ 1 , … , ℎ 𝑙 • To insert 𝑦 , set • 𝑐 ℎ 𝑗 ℎ 𝑗 (𝑦) = 1 , ∀𝑗 … ℎ 2 (𝑨) ℎ 𝑙 (𝑨) ℎ 1 (𝑨) 0 0 0 0 0 0 𝑐 = 0 1 1 1 1 1 1 1 1

Bloom Filter • Plain text data structure similar to hash table • Allows for testing set membership • Paramerterized by hash functions ℎ 1 , … , ℎ 𝑜 • To insert 𝑦 , set • 𝑐 ℎ 𝑗 (𝑦) = 1 , ∀𝑗 • To test membership • Return ∧ 𝑗 𝑐 ℎ 𝑗 𝑦 0 0 0 0 0 0 𝑐 = 1 0 1 1 1 1 1 1 1

Bloom Filter • Plain text data structure similar to hash table • Allows for testing set membership • Paramerterized by hash functions ℎ 1 , … , ℎ 𝑜 • To insert 𝑦 , set • 𝑐 ℎ 𝑗 (𝑦) = 1 , ∀𝑗 • To test membership … ℎ 2 (𝑦) ℎ 𝑙 (𝑦) ℎ 1 (𝑦) • Return ∧ 𝑗 𝑐 ℎ 𝑗 𝑦 0 0 0 0 0 0 𝑐 = 1 0 1 1 1 1 1 1 1

Bloom Filter 𝑜 items → Bloom filter with 𝑛 slots and 𝑙 hash functions • Membership: • Pr[ false negatives ] = 0 𝑙𝑜 𝑛 𝑙 • 1 − 𝑓 − ≈ 2 −𝑙 … ℎ 2 (𝑦) ℎ 𝑙 (𝑦) ℎ 1 (𝑦) 0 0 0 0 0 0 𝑐 = 1 0 1 1 1 1 1 1 1

Bloom Filter 𝑙𝑜 𝑛 𝑙𝑙𝑜𝑜 𝑙𝑜 𝑛 𝑛𝑛 𝑙𝑜 𝑛 𝑓 − 𝑙𝑜 𝑛 1 − 𝑓 − 𝑙𝑜 𝑛 1 − 𝑓 − 𝑙𝑜 𝑛 𝑙 𝑙𝑙 1 − 𝑓 − 𝑙𝑜 𝑛 𝑙 𝑓 − 𝑙 1 − 𝑓 − 𝑙𝑜 𝑛 1𝑜 items → Bloom filter with 𝑛 𝑙𝑜 𝑛 𝑓𝑓 𝑓 − 𝑙𝑜 𝑛 − − 1 − 𝑓 − 𝑙𝑜 𝑛 slots and 𝑙 hash functions • Membership: • Pr[ false negatives ] = 0 𝑙𝑜 𝑛 𝑙 • Pr[ false positives ] = 1 − 𝑓 − … ℎ 2 (𝑧) ℎ 𝑙 (𝑧) ℎ 1 (𝑧) ≈ 2 −𝑙 0 0 0 0 0 0 𝑐 = 1 0 1 1 1 1 1 1 1

Bloom Filter ≈ 2 − 𝑙 2 2 − 𝑙 − 𝑙𝑙 2 − 𝑙 ≈ 2 − 𝑙 2 2 − 𝑙 − 𝑙𝑙 2 − 𝑙 𝑙𝑜 𝑛 𝑙𝑙𝑜𝑜 𝑙𝑜 𝑛 𝑛𝑛 𝑙𝑜 𝑛 𝑓 − 𝑙𝑜 𝑛 1 − 𝑓 − 𝑙𝑜 𝑛 1 − 𝑓 − 𝑙𝑜 𝑛 𝑙 𝑙𝑙 1 − 𝑓 − 𝑙𝑜 𝑛 𝑙 𝑓 − 𝑙 1 − 𝑓 − 𝑙𝑜 𝑛 1𝑜 items → Bloom filter with 𝑛 𝑙𝑜 𝑛 𝑓𝑓 𝑓 − 𝑙𝑜 𝑛 − − 1 − 𝑓 − 𝑙𝑜 𝑛 slots and 𝑙 hash functions • Membership: … ℎ 2 (𝑧) ℎ 𝑙 (𝑧) ℎ 1 (𝑧) ≈ 2 −𝑙 ≈ 2 −𝑙 ≈ 2 −𝑙 0 0 0 0 0 0 𝑐 = 1 0 1 1 1 1 1 1 1

Bloom Filter Intersection • Bitwise AND 𝐶 𝑌 ∧ 𝐶 𝑍 is a Bloom filter for 𝑌 ∩ 𝑍 𝑌 = {𝑏, 𝑐} 𝐶 𝑌 𝑍 = {𝑏, 𝑑} 𝐶 𝑍 1 1 ℎ 𝑗 (𝑏) ℎ 𝑗 (𝑏) 1 ℎ 𝑗 (𝑐) 1 1 ℎ 𝑗 (𝑑) 1 1 1

Bloom Filter Intersection • Bitwise AND 𝐶 𝑌 ∧ 𝐶 𝑍 is a Bloom filter for 𝑌 ∩ 𝑍 𝑌 = {𝑏, 𝑐} 𝐶 𝑌 𝑍 = {𝑏, 𝑑} 𝐶 𝑌 ∧ 𝐶 𝑍 𝐶 𝑍 1 1 1 ℎ 𝑗 (𝑏) ℎ 𝑗 (𝑏) ℎ 𝑗 (𝑏) 1 ℎ 𝑗 (𝑐) 1 1 𝟐 ℎ 𝑗 (𝑑) 1 1 1 1

Bloom Filter Protocol [DongChenWen13, PinkasSchniederZohner14] 𝑍 = {𝑏, 𝑑} 𝐶 𝑍 1 ⊥ 𝒏 𝟏 ℎ 𝑗 (𝑏) 𝒏 𝟐 𝒏 𝟑 𝒏 𝒋 ← 𝟏, 𝟐 𝝀 ⋮ 𝒏 𝟒 1 𝒏 𝟓 ℎ 𝑗 (𝑑) 1 𝒏 𝟔 ⊥ 𝒏 𝟕 1

Bloom Filter Protocol [DongChenWen13, PinkasSchniederZohner14] 𝑍 = {𝑏, 𝑑} 𝐶 𝑍 𝑃𝑈 1 ⊥ 𝒏 𝟏 ℎ 𝑗 (𝑏) 𝒏 𝟐 𝒏 𝟑 … 𝒏 𝒋 ← 𝟏, 𝟐 𝝀 ⋮ 𝒏 𝟒 1 𝒏 𝟓 ℎ 𝑗 (𝑑) 1 𝒏 𝟔 𝑃𝑈 ⊥ 𝒏 𝟕 1

Bloom Filter Protocol [DongChenWen13, PinkasSchniederZohner14] Garbled Bloom filter 𝑍 = {𝑏, 𝑑} 𝐶 𝑍 𝑃𝑈 1 ⊥ 𝒏 𝟏 𝒏 𝟏 ℎ 𝑗 (𝑏) 𝒏 𝟐 ⊥ 𝒏 𝟑 ⊥ … ⋮ 𝒏 𝟒 𝒏 𝟒 1 𝒏 𝟓 ⊥ ℎ 𝑗 (𝑑) 1 𝒏 𝟔 𝒏 𝟔 𝑃𝑈 ⊥ 𝒏 𝟕 1 𝒏 𝟕

Bloom Filter Protocol [DongChenWen13, PinkasSchniederZohner14] Garbled Bloom filter 𝑍 = {𝑏, 𝑑} 𝐶 𝑍 𝐶 𝑌 𝑌 = {𝑏, 𝑐} 1 𝑃𝑈 1 ⊥ 𝒏 𝟏 𝒏 𝟏 ℎ 𝑗 (𝑏) 𝒏 𝟐 ⊥ ℎ 𝑗 (𝑏) 1 𝒏 𝟑 ⊥ ℎ 𝑗 (𝑐) … 1 ⋮ 𝒏 𝟒 𝒏 𝟒 1 𝒏 𝟓 ⊥ ℎ 𝑗 (𝑑) 1 1 𝒏 𝟔 𝒏 𝟔 𝑃𝑈 ⊥ 𝒏 𝟕 1 𝒏 𝟕

Bloom Filter Protocol [DongChenWen13, PinkasSchniederZohner14] Garbled Bloom filter 𝑍 = {𝑏, 𝑑} 𝐶 𝑍 𝐶 𝑌 𝑌 = {𝑏, 𝑐} 1 𝑃𝑈 1 ⊥ 𝒏 𝟏 𝒏 𝟏 ℎ 𝑗 (𝑏) 𝒏 𝟐 ⊥ ℎ 𝑗 (𝑏) 1 𝒏 𝟑 ⊥ ℎ 𝑗 (𝑐) … 1 ⋮ 𝒏 𝟒 𝒏 𝟒 1 𝒏 𝟓 ⊥ ℎ 𝑗 (𝑑) 1 1 𝒏 𝟔 𝒏 𝟔 𝑃𝑈 ⊥ 𝒏 𝟕 1 𝒏 𝟕 𝒀 = 𝒏 𝟏 ⊕ 𝒏 𝟔 , 𝒏 𝟑 ⊕ 𝒏 𝟒

Bloom Filter Protocol [DongChenWen13, PinkasSchniederZohner14] Garbled Bloom filter 𝑍 = {𝑏, 𝑑} 𝐶 𝑍 𝐶 𝑌 𝑌 = {𝑏, 𝑐} 1 𝑃𝑈 1 ⊥ 𝒏 𝟏 𝒏 𝟏 ℎ 𝑗 (𝑏) 𝒏 𝟐 ⊥ ℎ 𝑗 (𝑏) 1 𝒏 𝟑 ⊥ ℎ 𝑗 (𝑐) … 1 ⋮ 𝒏 𝟒 𝒏 𝟒 1 𝒏 𝟓 ⊥ ℎ 𝑗 (𝑑) 1 1 𝒏 𝟔 𝒏 𝟔 𝑃𝑈 ⊥ 𝒏 𝟕 1 𝒏 𝟕 Output the intersection 𝒀 = 𝒏 𝟏 ⊕ 𝒏 𝟔 , 𝒏 𝟑 ⊕ 𝒏 𝟒 𝒀 ∩ 𝒏 𝟏 ⊕ 𝒏 𝟔 , 𝒏 𝟒 ⊕ 𝒏 𝟕

Semi-Honest Security [DongChenWen13, PinkasSchniederZohner14] Naturally secure against Sender. • OT hides select bits 𝑌 = {𝑏, 𝑐} 𝑍 = {𝑏, 𝑑} • Final message sent to Receiver OT ⊥ 𝒏 𝟏 1 𝒏 𝟏 𝒏 𝟐 ⊥ ℎ 𝑗 (𝑏) 𝒏 𝟑 ⊥ … ⋮ 𝒏 𝟒 𝒏 𝟒 1 ∉ 𝑍, Receiver learns encoding • 𝒏 𝟓 ⊥ ℎ 𝑗 (𝑑) e.g. Encode 𝑧′ = 𝑛 3 ⊕ 𝑛 4 𝒏 𝟔 1 𝒏 𝟔 OT ⊥ 𝒏 𝟕 𝒏 𝟕 1 • DCW13 show equivalence to false positive in Output: standard bloom filter 𝒀 = 𝒏 𝟏 ⊕ 𝒏 𝟔 , 𝒀 ∩ 𝒏 𝟏 ⊕ 𝒏 𝟔 , • Pr[ false positives ] ≈ 2 −𝑙 𝒏 𝟑 ⊕ 𝒏 𝟒 𝒏 𝟒 ⊕ 𝒏 𝟕

Semi-Honest Security [DongChenWen13, PinkasSchniederZohner14] 𝑧 ′ ∉ 𝑍𝑍 , Receiver learns encoding Naturally secure against Sender. 𝑌 = {𝑏, 𝑐} 𝑍 = {𝑏, 𝑑} • OT hides select bits OT ⊥ 𝒏 𝟏 1 𝒏 𝟏 𝒏 𝟐 • Final message sent to Receiver ⊥ ℎ 𝑗 (𝑏) 𝒏 𝟑 ⊥ … ⋮ 𝒏 𝟒 𝒏 𝟒 1 • Secure against Receiver 𝒏 𝟓 ⊥ ℎ 𝑗 (𝑑) • Attack: For 𝑧 ′ ′ ′ ∉ 𝑍, Receiver learns encoding 𝒏 𝟔 1 𝒏 𝟔 OT ⊥ 𝒏 𝟕 e.g. Encode 𝑧′ = 𝑛 3 ⊕ 𝑛 4 𝒏 𝟕 1 Output: 𝒀 = 𝒏 𝟏 ⊕ 𝒏 𝟔 , • DCW13 show equivalence to false positive in 𝒀 ∩ 𝒏 𝟏 ⊕ 𝒏 𝟔 , 𝒏 𝟑 ⊕ 𝒏 𝟒 𝒏 𝟒 ⊕ 𝒏 𝟕 standard bloom filter • Pr[ false positives ] ≈ 2 −𝑙

Semi-Honest Security [DongChenWen13, PinkasSchniederZohner14] e.g. Encode 𝑧 ′ 𝑧𝑧 ′ 𝑧 ′ = 𝑛 3 𝑛𝑛 𝑛 3 3 𝑛 3 ⊕ 𝑛 4 𝑛𝑛 𝑛 4 4 𝑛 4 𝑌 = {𝑏, 𝑐} 𝑍 = {𝑏, 𝑑} 𝑧 ′ ∉ 𝑍𝑍 , Receiver learns encoding OT ⊥ 𝒏 𝟏 1 𝒏 𝟏 Naturally secure against Sender. 𝒏 𝟐 ⊥ ℎ 𝑗 (𝑏) • OT hides select bits 𝒏 𝟑 ⊥ … ⋮ 𝒏 𝟒 • Final message sent to Receiver 𝒏 𝟒 1 𝒏 𝟓 ⊥ ℎ 𝑗 (𝑑) 𝒏 𝟔 1 𝒏 𝟔 • Secure against Receiver OT ⊥ 𝒏 𝟕 𝒏 𝟕 1 e.g. ncode 𝑧′ = 𝑛 3 ⊕ 𝑛 4 Encode 𝑧′ = 𝑛 3 ⊕ 𝑛 4 Output: 𝒀 = 𝒏 𝟏 ⊕ 𝒏 𝟔 , 𝒀 ∩ 𝒏 𝟏 ⊕ 𝒏 𝟔 , 𝒏 𝟑 ⊕ 𝒏 𝟒 • DCW13 show equivalence to false positive in 𝒏 𝟒 ⊕ 𝒏 𝟕 standard bloom filter • Pr[ false positives ] ≈ 2 −𝑙