
SpOT-Light: Lightweight Private Set Intersection from Sparse OT - PowerPoint PPT Presentation



  1. SpOT-Light: Lightweight Private Set Intersection from Sparse OT Extension
     Benny Pinkas, Mike Rosulek, Ni Trieu, Avishay Yanai
     Presented by Cui Hongrui, October 18, 2019
     PRTY (BIU&OSU) SpOT October 18, 2019 1 / 30

  2. Overview
     1 Introduction
       ◮ Notations
       ◮ Preliminary
     2 SpOT Protocol
       ◮ Sparse OT Extension
       ◮ Communication-Optimized: spot-low
       ◮ Computation-Optimized: spot-fast
     3 Security
       ◮ Semi-Honest Simulation
       ◮ Malicious Sender Security with RO
     4 Performance Evaluation
       ◮ Theoretical Communication Cost
       ◮ Experiment Result


  4. Introduction
     This work builds on several earlier works:
       ◮ OT extension: [IKNP03, KK13]
       ◮ OT-based PSI: [KKRT16, PSSZ15]
       ◮ Difference encoding: [TLP+17]
       ◮ Hashing assignment: [SEK00]

  5. Notations and Definitions
     Participants
       ◮ Sender (Alice), $|X| = n_1$
       ◮ Receiver (Bob), $|Y| = n_2$
     Symbols
       ◮ Let $\kappa, \lambda$ be the computational and statistical security parameters
       ◮ Let $N$ be large enough that $X, Y \subset [N]$
       ◮ Let $\mathbb{F}$ be a finite field and $l = \log|\mathbb{F}|$
       ◮ Let $F : \{0,1\}^\kappa \times [N] \to \{0,1\}$ be a PRF (or RO)
       ◮ Let $H$ be a hash function

  6. Hash Function Assumptions I
     The authors of [IKNP03, KKRT16] use a $d$-Hamming correlation robust assumption to prove security, as stated below.
     Definition (Correlation Robust). Let $H$ be a function with input length $n$. Then $H$ is a $d$-Hamming correlation robust function (CRF) if, for any $a_1, \ldots, a_m, b_1, \ldots, b_m$ with $a_i, b_i \in \{0,1\}^n$ and $w_H(b_i) \ge d$ for all $i \in [m]$, the following distribution, induced by random sampling of $s \leftarrow_\$ \{0,1\}^n$, is pseudorandom:
     $$H(a_1 \oplus [b_1 \cdot s]), \ldots, H(a_m \oplus [b_m \cdot s])$$

  7. Hash Function Assumptions II
     This work also proves security against a malicious sender when the hash function is modeled as a non-programmable random oracle, which gives the simulator extra power.

  8. OT Extension of [IKNP03]
     We briefly recall the OT extension technique of [IKNP03] (and settle the notation used hereafter). PRG $G : \{0,1\}^\kappa \to \{0,1\}^l$; Bob's input: $r_1, \ldots, r_m \in \{0,1\}$.
     Alice (Sender):
       ◮ samples $s = s_1, \ldots, s_l \leftarrow_\$ \{0,1\}^l$
       ◮ acts as receiver in $l$ instances of $\binom{2}{1}\text{-ROT}_\kappa$ with choice bits $s_i$, obtaining seeds $\bar q_1, \ldots, \bar q_l$
       ◮ sets $q_i = G(\bar q_i)$, so that $q_i = t_i \oplus s_i \cdot (t_i \oplus u_i)$, and $Q = [q_1 \| \ldots \| q_l]$
     Bob (Receiver):
       ◮ acts as sender in the ROTs with seeds $\bar t_1, \ldots, \bar t_l$ and $\bar u_1, \ldots, \bar u_l$
       ◮ sets $t_i = G(\bar t_i)$, $u_i = G(\bar u_i)$ with $q_i, t_i, u_i \in \{0,1\}^l$, and $T = [t_1 \| \ldots \| t_l]$, $U = [u_1 \| \ldots \| u_l]$
       ◮ builds the matrix $C$ whose $j$-th row is $r_j^{\,l} = (r_j, \ldots, r_j)$, and sends $P = T \oplus U \oplus C$
     Row-wise, $Q_j = T_j \oplus s \cdot (T_j \oplus U_j)$, hence $Q_j \oplus s \cdot P_j = T_j \oplus s \cdot C_j$.
     Alice outputs $m_{j,0} = H(Q_j \oplus s \cdot P_j)$ and $m_{j,1} = H(Q_j \oplus s \cdot P_j \oplus s)$; Bob outputs $m_{j,r_j} = H(T_j) = H(Q_j \oplus s \cdot P_j \oplus s \cdot C_j)$.


  10. SpOT
     The PSI protocol in this work is based on an extension of the [IKNP03] scheme.
       ◮ Every row of the OT extension matrix can be viewed as a one-time OPRF instance
       ◮ This work views the entire extension process as a multi-point PRF
     With a multi-point OPRF, PSI can be achieved directly.

  11. Modify the IKNP Paradigm
     Consider a PRF $F : \{0,1\}^\kappa \times [N] \to \{0,1\}^v$ (with $H : \{0,1\}^l \to \{0,1\}^v$), built from the column PRF $F : \{0,1\}^\kappa \times [N] \to \{0,1\}$. Bob's input: $Y = \{y_1, \ldots, y_{n_2}\} \subset [N]$.
     Alice (Sender): samples $s = s_1, \ldots, s_l \leftarrow_\$ \{0,1\}^l$; obtains $\bar q_1, \ldots, \bar q_l$ from $l$ instances of $\binom{2}{1}\text{-ROT}_\kappa$ with choice bits $s_i$; sets $q_i = (F(\bar q_i, 1), \ldots, F(\bar q_i, N))^\top$ and $Q = [q_1 \| \ldots \| q_l]$, so that $q_i = t_i \oplus s_i \cdot (t_i \oplus u_i)$.
     Bob (Receiver): holds the ROT seeds $\bar t_1, \ldots, \bar t_l$ and $\bar u_1, \ldots, \bar u_l$; sets $t_i = (F(\bar t_i, 1), \ldots, F(\bar t_i, N))^\top$, $u_i = (F(\bar u_i, 1), \ldots, F(\bar u_i, N))^\top$, $T = [t_1 \| \ldots \| t_l]$, $U = [u_1 \| \ldots \| u_l]$; builds $C = (e_{y_1} + \ldots + e_{y_{n_2}})^l$, i.e. $C_j = 1^l$ if $j \in Y$ and $C_j = 0^l$ if $j \notin Y$; sends $P = T \oplus U \oplus C$.
     Row-wise, $Q_j = T_j \oplus s \cdot (T_j \oplus U_j)$, hence $Q_j \oplus s \cdot P_j = T_j \oplus s \cdot C_j$.
       ◮ Alice evaluates $F((s, Q, P), j) = H(Q_j \oplus s \cdot P_j)$ for any $j$
       ◮ Bob obtains $F((s, Q, P), y_i) = H(T_{y_i})$ for $y_i \in Y$
       ◮ For $y^* \notin Y$, $F((s, Q, P), y^*) = H(T_{y^*} \oplus s \cdot (P_{y^*} \oplus R_{y^*}))$, where $R = T \oplus U$

  12. Problems
     Consider the complexity of the above scheme:
       ◮ When $\log(N) = \mathrm{poly}(\kappa)$, the computation and communication are exponential
       ◮ Bob only needs to know $|Y|$ entries of the entire output
       ◮ We can use a polynomial to interpolate $(y, R(y))$, since $R = T \oplus U$ is pseudorandom for Alice

  13. Sparse OT
     We now use a polynomial $P$ over $\mathbb{F}$ ($\log|\mathbb{F}| = l$) to compress the huge matrix. PRF $F : \{0,1\}^\kappa \times [N] \to \{0,1\}$; Bob's input: $Y = \{y_1, \ldots, y_{n_2}\} \subset [N]$.
     Alice (Sender): samples $s = s_1, \ldots, s_l \leftarrow_\$ \{0,1\}^l$; obtains $\bar q_1, \ldots, \bar q_l$ from $l$ instances of $\binom{2}{1}\text{-ROT}_\kappa$ with choice bits $s_i$; defines $Q(x) := [F(\bar q_1, x) \| \ldots \| F(\bar q_l, x)]$.
     Bob (Receiver): holds the ROT seeds $\bar t_1, \ldots, \bar t_l$ and $\bar u_1, \ldots, \bar u_l$; defines $T(y) := [F(\bar t_1, y) \| \ldots \| F(\bar t_l, y)]$, $U(y) := [F(\bar u_1, y) \| \ldots \| F(\bar u_l, y)]$ and $R(y) := T(y) \oplus U(y)$; interpolates the degree-$(n_2 - 1)$ polynomial $P(y)$ through $\{(y, R(y))\}_{y \in Y}$ and sends $P$.
     Now $Q(x) \oplus s \cdot P(x) = T(x) \oplus s \cdot (R(x) \oplus P(x))$, so:
       ◮ Alice evaluates $F((s, Q, P), x) = H(Q(x) \oplus s \cdot P(x))$ for any $x$
       ◮ Bob obtains $F((s, Q, P), y) = H(T(y))$ for $y \in Y$
       ◮ For $y^* \notin Y$, $F((s, Q, P), y^*) = H(T(y^*) \oplus s \cdot (P(y^*) \oplus R(y^*)))$

  14. Communication-Optimized: spot-low
     When we directly apply the above scheme to produce a PSI, the resulting protocol has the best communication possible. PRF $F : \{0,1\}^\kappa \times [N] \to \{0,1\}$; Alice's input: $X = \{x_1, \ldots, x_{n_1}\} \subset [N]$; Bob's input: $Y = \{y_1, \ldots, y_{n_2}\} \subset [N]$.
     Alice (Sender): samples $s = s_1, \ldots, s_l \leftarrow_\$ \{0,1\}^l$; obtains $\bar q_1, \ldots, \bar q_l$ from $l$ instances of $\binom{2}{1}\text{-ROT}_\kappa$ with choice bits $s_i$; defines $Q(x) := [F(\bar q_1, x) \| \ldots \| F(\bar q_l, x)]$.
     Bob (Receiver): holds the ROT seeds $\bar t_1, \ldots, \bar t_l$ and $\bar u_1, \ldots, \bar u_l$; defines $T(y) := [F(\bar t_1, y) \| \ldots \| F(\bar t_l, y)]$, $U(y) := [F(\bar u_1, y) \| \ldots \| F(\bar u_l, y)]$ and $R(y) := T(y) \oplus U(y)$; interpolates the degree-$(n_2 - 1)$ polynomial $P(y)$ through $\{(y, R(y))\}_{y \in Y}$ and sends $P$.
     Since $Q(x) \oplus s \cdot P(x) = T(x) \oplus s \cdot (R(x) \oplus P(x))$, Bob has $F((s, Q, P), y) = H(T(y))$ for $y \in Y$, whereas for $y^* \notin Y$ the value is $H(T(y^*) \oplus s \cdot (P(y^*) \oplus R(y^*)))$; Alice computes $F((s, Q, P), x) = H(Q(x) \oplus s \cdot P(x))$.
     Alice sends $O = \{H(Q(x) \oplus s \cdot P(x))\}_{x \in X}$; Bob outputs $\{y \in Y \mid H(T(y)) \in O\}$.
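As an added worked example (not code from the paper or the presenter), the following Python toy run of spot-low ties together the pieces of slides 8, 11, 13 and 14: the column PRF, the IKNP-style relation $q_i = t_i \oplus s_i \cdot (t_i \oplus u_i)$, Bob's interpolation of $(y, R(y))$, and Alice's evaluation $H(Q(x) \oplus s \cdot P(x))$. It assumes $l = 16$ (so $\mathbb{F} = GF(2^{16})$), SHA-256 standing in for both the PRF $F$ and the hash $H$, ROT seeds sampled locally instead of running a real ROT, and set elements below $2^{16}$.

```python
import hashlib, secrets
L, IRRED = 16, 0x16801  # l = log|F| (toy size); x^16+x^14+x^13+x^11+1 is primitive over GF(2)

def gf_mul(a, b):  # carry-less multiply in GF(2^16), reduced modulo IRRED
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = a << 1, b >> 1
        a ^= IRRED if a >> L else 0
    return r
def gf_inv(a):  # 1/a = a^(2^16 - 2), square-and-multiply
    r, e = 1, (1 << L) - 2
    while e:
        r = gf_mul(r, a) if e & 1 else r
        a, e = gf_mul(a, a), e >> 1
    return r
def interpolate(points):  # Lagrange interpolation over GF(2^16); coefficients, low degree first
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for xj, _ in points[:i] + points[i + 1:]:
            new = [0] * (len(basis) + 1)
            for k, c in enumerate(basis):  # basis *= (x + xj); '+' is xor in characteristic 2
                new[k] ^= gf_mul(c, xj)
                new[k + 1] ^= c
            basis, denom = new, gf_mul(denom, xi ^ xj)
        scale = gf_mul(yi, gf_inv(denom))
        for k, c in enumerate(basis):
            coeffs[k] ^= gf_mul(c, scale)
    return coeffs
def poly_eval(coeffs, x):  # Horner's rule
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, x) ^ c
    return r
def col_eval(seeds, x):  # T(x) := F(t_1,x) || ... || F(t_l,x) as an l-bit field element; F is SHA-256 here (assumption)
    return int("".join(str(hashlib.sha256(sd + x.to_bytes(4, "big")).digest()[0] & 1) for sd in seeds), 2)
def H(v):  # the output hash H; truncated SHA-256 stands in for it (assumption)
    return hashlib.sha256(b"H" + v.to_bytes(2, "big")).hexdigest()[:16]

def spot_low_psi(X, Y):  # Alice holds X, Bob holds Y; elements must be < 2^16 in this toy
    t_seeds = [secrets.token_bytes(16) for _ in range(L)]  # Bob's ROT sender seeds t_i ...
    u_seeds = [secrets.token_bytes(16) for _ in range(L)]  # ... and u_i (sampled locally, no real ROT)
    s = [secrets.randbelow(2) for _ in range(L)]  # Alice's ROT choice bits s
    q_seeds = [u if b else t for t, u, b in zip(t_seeds, u_seeds, s)]  # q_i = t_i xor s_i.(t_i xor u_i)
    s_int = int("".join(map(str, s)), 2)
    P = interpolate([(y, col_eval(t_seeds, y) ^ col_eval(u_seeds, y)) for y in Y])  # Bob: P through (y, R(y)); sends P
    O = {H(col_eval(q_seeds, x) ^ (s_int & poly_eval(P, x))) for x in X}  # Alice: H(Q(x) xor s.P(x)); sends O
    return sorted(y for y in Y if H(col_eval(t_seeds, y)) in O)  # Bob: {y : H(T(y)) in O}
```

With $l = 16$ the field is far too small to be secure (a non-member $x$ collides with some $H(T(y))$ with probability about $n_1 n_2 / 2^{16}$); it is chosen only to keep the algebra visible.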

  15. Improving Speed
       ◮ In practice, interpolating a high-degree (e.g. $2^{20}$) polynomial over a large field $\mathbb{F}$ is not very efficient.
       ◮ This paper proposes a solution based on 2-choice hashing, which generalizes cuckoo hashing.

  16. Some Results on 2-choice hashing
     Theorem ([CRS03]). Let $h_1, h_2 : \{0,1\}^* \to [m]$ be two random functions. Suppose there are $n$ items and $m$ bins, where each item $x$ can be placed in either $h_1(x)$ or $h_2(x)$. Let $L = \lceil n/m \rceil$. If $n = \Omega(m \log m)$ then with high probability there exists an optimal assignment, where each bin contains no more than $L$ items.
     Theorem ([SEK00]). Let $n, m, h_1, h_2$ be as above, with $L = \lceil n/m \rceil$. There is a deterministic algorithm running in time $O(n \log n)$ that assigns at most $L + 1$ items to each bin, with probability $1 - O(1/m)^L$ over the choice of $h_1, h_2$.

  17. 2-choice hashing
     In practice, this work uses a heuristic algorithm to find an assignment of items:
     FindAssignment($X$, $m$, $h_1$, $h_2$)
       1  for $x \in X$ do
       2      Assign item $x$ to $h_1(x)$
       3  for $x \in X$ do
       4      Assign item $x$ to whichever of $h_1(x)$, $h_2(x)$ currently has the fewest items
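An added Python implementation of the two-pass heuristic above (not the authors' code), with a validity check and a small demo that compares the achieved maximum load with $L = \lceil n/m \rceil$ from the theorems on the previous slide. It assumes that in the second pass an item is moved out of the bin it currently occupies, that ties go to $h_1(x)$, and that two SHA-256-derived functions stand in for the random $h_1, h_2$.

```python
import hashlib, math

def find_assignment(items, m, h1, h2):
    """Two-pass heuristic from the slide; returns a list of m bins (lists of items).
    Assumption: pass 2 moves x out of its current bin, and ties are broken toward h1(x)."""
    bins = [[] for _ in range(m)]
    where = {}
    for x in items:                      # pass 1: assign every item to h1(x)
        bins[h1(x)].append(x)
        where[x] = h1(x)
    for x in items:                      # pass 2: move x to the lighter of its two candidate bins
        bins[where[x]].remove(x)
        b1, b2 = h1(x), h2(x)
        target = b1 if len(bins[b1]) <= len(bins[b2]) else b2
        bins[target].append(x)
        where[x] = target
    return bins

def max_load(bins):
    return max(len(b) for b in bins)

def is_valid(items, bins, h1, h2):
    """Every item sits in exactly one bin, and that bin is one of its two choices."""
    placed = [x for b in bins for x in b]
    return sorted(placed) == sorted(items) and all(
        x in bins[h1(x)] or x in bins[h2(x)] for x in items)

def sha_hashes(m, key=b"constructed-demo-key"):
    """Two SHA-256-derived functions {0,1}* -> [m] standing in for random h1, h2 (assumption)."""
    def make(tag):
        return lambda x: int.from_bytes(hashlib.sha256(key + tag + str(x).encode()).digest()[:8], "big") % m
    return make(b"h1"), make(b"h2")

def demo(n=2000, m=200):
    """Returns (maximum bin load reached by the heuristic, L = ceil(n/m)) on n constructed items."""
    items = list(range(n))
    h1, h2 = sha_hashes(m)
    bins = find_assignment(items, m, h1, h2)
    assert is_valid(items, bins, h1, h2)
    return max_load(bins), math.ceil(n / m)
```

The heuristic carries no worst-case guarantee; the demo only reports how far the load is from $L$ for one constructed instance.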
