Two-Client and Multi-client Functional Encryption for Set Intersection and Variants

Tim van de Kamp, David Stritzl, Willem Jonker, Andreas Peter. ACISP 2019.


  1. Two-Client and Multi-client Functional Encryption for Set Intersection and Variants. Tim van de Kamp, David Stritzl, Willem Jonker, Andreas Peter. ACISP 2019.

  2. Functional Encryption for Set Operations. Diagram: clients hold sets $S_1, S_2, \dots, S_n$; evaluate $\bigcap_{i=1}^{n} S_i$.
     - Privacy-preserving information sharing
     - Two-client and multi-client constructions for various set operations
     - Evaluation using a proof-of-concept implementation

  3. Privacy-Preserving Information Sharing: Private Set Intersection, computing $f(S_1, S_2)$ using MPC.
     - Computes a set operation using an interactive protocol
     - A participant learns the evaluation result

  5. Privacy-Preserving Information Sharing: Functional Encryption for Set Operations.
     - Computes a set operation using a non-interactive scheme
     - A third party (the evaluator) learns the evaluation result
     - Use cases include privacy-preserving profiling, simple data mining, and one-way data sharing

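  6. Multi-client Non-interactive Set Intersection: Functionality. Diagram: clients $1, 2, \dots, n$ hold sets $S_1, S_2, \dots, S_n$ and contribute $(\mathrm{ID}, S_1), (\mathrm{ID}, S_2), \dots, (\mathrm{ID}, S_n)$; the evaluator's output is $f(S_1, S_2, \dots, S_n)$.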

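  7. Multi-client Non-interactive Set Intersection: Functionality. Diagram: clients $1, 2, \dots, n$ hold sets $S_1, S_2, \dots, S_n$ and contribute $(\mathrm{ID}, S_1), (\mathrm{ID}, S_2), \dots, (\mathrm{ID}, S_n)$; the evaluator's output is $f(S_1, S_2, \dots, S_n)$. Functionalities $f$:
     - intersection: $\bigcap_i S_i$
     - cardinality: $\left|\bigcap_i S_i\right|$
     - threshold: $\left|\bigcap_i S_i\right| \overset{?}{>} t \Rightarrow \bigcap_i S_i$
     - (also “with data transfer”)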

  8. Multi-client Non-interactive Set Intersection: Security Requirements. The evaluator of $f(S_1, S_2, \dots, S_n)$ doesn’t learn the individual clients’ sets $S_1, \dots, S_n$. Diagram: clients $1, 2, \dots, n$ contribute $(\mathrm{ID}, S_1), (\mathrm{ID}, S_2), \dots, (\mathrm{ID}, S_n)$.

  9. Multi-client Non-interactive Set Intersection: Security Requirements. The evaluator of $f(S_1, S_2, \dots, S_n)$ cannot mix-and-match old and new inputs. Diagram: inputs $(\mathrm{ID}', S_1)$ and $(\mathrm{ID}', S_n)$ alongside $(\mathrm{ID}, S_2)$.

  10. Multi-client Non-interactive Set Intersection: Security Requirements. Collusion between the evaluator of $f(S_1, S_2, \dots, S_n)$ and client(s) does not reveal other clients’ inputs. Diagram: clients $1, 2, \dots, n$ contribute $(\mathrm{ID}, S_1), (\mathrm{ID}, S_2), \dots, (\mathrm{ID}, S_n)$.

  11. Construction: Two-Client Set Intersection Cardinality

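  12. Construction: Two-Client Set Intersection Cardinality. The clients hold $S_1$ and $S_2$ and produce $\mathrm{ct}_1$ and $\mathrm{ct}_2$:

      $$\mathrm{ct}_1 = \{\phi_{\mathrm{msk}}(\mathrm{ID}, x_j) \mid x_j \in S_1\}, \qquad \mathrm{ct}_2 = \{\phi_{\mathrm{msk}}(\mathrm{ID}, x_j) \mid x_j \in S_2\}$$

      $$|S_1 \cap S_2| = |\mathrm{ct}_1 \cap \mathrm{ct}_2|$$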

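  13. Construction: Two-Client Set Intersection. The clients hold $S_1$ and $S_2$ and produce $\mathrm{ct}_1$ and $\mathrm{ct}_2$:

      $$\mathrm{ct}_1 = \{\phi_{k_{\mathrm{ID},j}}(x_j) \mid x_j \in S_1\}, \qquad \mathrm{ct}_2 = \{\phi_{k_{\mathrm{ID},j}}(x_j) \mid x_j \in S_2\}, \qquad k_{\mathrm{ID},j} = \phi_{\mathrm{msk}}(\mathrm{ID}, x_j)$$

      $$S_1 \cap S_2 = \{\phi^{-1}_{k_{\mathrm{ID},j}}(c) \mid c \in \mathrm{ct}_1 \cap \mathrm{ct}_2\}$$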

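  14. Construction: Two-Client Set Intersection. The clients hold $S_1$ and $S_2$ and produce $\mathrm{ct}_1$ and $\mathrm{ct}_2$:

      $$\mathrm{ct}_1 = \{(k_{\mathrm{ID},j}^{\mathrm{usk}_1},\ \phi_{k_{\mathrm{ID},j}}(x_j)) \mid x_j \in S_1\}, \qquad \mathrm{ct}_2 = \{(k_{\mathrm{ID},j}^{\mathrm{usk}_2},\ \phi_{k_{\mathrm{ID},j}}(x_j)) \mid x_j \in S_2\}$$

      $$k_{\mathrm{ID},j} = \phi_{\mathrm{msk}}(\mathrm{ID}, x_j), \qquad \mathrm{usk}_1 + \mathrm{usk}_2 = 1$$

      $$k_{\mathrm{ID},j} = k_{\mathrm{ID},j}^{\mathrm{usk}_1} \cdot k_{\mathrm{ID},j}^{\mathrm{usk}_2}, \qquad S_1 \cap S_2 = \{\phi^{-1}_{k_{\mathrm{ID},j}}(c) \mid c \in \mathrm{ct}_1 \cap \mathrm{ct}_2\}$$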

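  15. Construction: Two-Client Set Intersection. The clients hold $S_1$ and $S_2$ and produce $\mathrm{ct}_1$ and $\mathrm{ct}_2$:

      $$\mathrm{ct}_1 = \{(k_{\mathrm{ID},j}^{\mathrm{usk}_1},\ \phi_{k_{\mathrm{ID},j}}(x_j)) \mid x_j \in S_1\}, \qquad \mathrm{ct}_2 = \{(k_{\mathrm{ID},j}^{\mathrm{usk}_2},\ \phi_{k_{\mathrm{ID},j}}(x_j)) \mid x_j \in S_2\}$$

      $$k_{\mathrm{ID},j} = \phi_{\mathrm{msk}}(\mathrm{ID}, x_j), \qquad \mathrm{usk}_1 + \mathrm{usk}_2 = 1$$

      $$k_{\mathrm{ID},j} = k_{\mathrm{ID},j}^{\mathrm{usk}_1} \cdot k_{\mathrm{ID},j}^{\mathrm{usk}_2}, \qquad S_1 \cap S_2 = \{\phi^{-1}_{k_{\mathrm{ID},j}}(c) \mid c \in \mathrm{ct}_1 \cap \mathrm{ct}_2\}$$

      Annotation: “Doesn’t have to be $x_j \in S_1$; can be any associated data.”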

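  16. Intuition: Two-Client Threshold Set Intersection. The clients hold $S_1$ and $S_2$ and produce $\mathrm{ct}_1$ and $\mathrm{ct}_2$:

      $$\mathrm{ct}_1 = \{(k_{\mathrm{ID},j}^{\mathrm{usk}_1},\ \phi_{k_{\mathrm{ID},j}}(x_j)) \mid x_j \in S_1\}, \qquad \mathrm{ct}_2 = \{(k_{\mathrm{ID},j}^{\mathrm{usk}_2},\ \phi_{k_{\mathrm{ID},j}}(x_j)) \mid x_j \in S_2\}$$

      $$k_{\mathrm{ID},j} = \phi_{\mathrm{msk}}(\mathrm{ID}, x_j), \qquad \mathrm{usk}_1 + \mathrm{usk}_2 = 1$$

      $$k_{\mathrm{ID},j} = k_{\mathrm{ID},j}^{\mathrm{usk}_1} \cdot k_{\mathrm{ID},j}^{\mathrm{usk}_2}, \qquad S_1 \cap S_2 = \{\phi^{-1}_{k_{\mathrm{ID},j}}(c) \mid c \in \mathrm{ct}_1 \cap \mathrm{ct}_2\}$$

      Annotation: “We also encrypt this value and require at least $t$ secret shares for decryption.”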

  19. Efficiency of the 2C-FE Constructions. [Plot: mean evaluation time (seconds, log scale from $10^{-6}$ to $10^{0}$) against the size of each client’s set ($10^{1}$ to $10^{5}$); series: CA, SI, Th-CA, Th-SI.]

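  20. Construction: Multi-client Set Intersection Cardinality. The clients hold $S_1, S_2, \dots, S_n$ and produce $\mathrm{ct}_1, \mathrm{ct}_2, \dots, \mathrm{ct}_n$:

      $$\mathrm{ct}_i = \{H(\mathrm{ID}, x_j)^{\mathrm{usk}_i} \mid x_j \in S_i\}, \qquad \sum_{i=1}^{n} \mathrm{usk}_i = 0$$

      The evaluator counts how often $\prod_{i=1}^{n} H(\mathrm{ID}, x_j)^{\mathrm{usk}_i} \overset{?}{=} 1$.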

  21. Efficiency of the MC-FE Construction.
      - Theoretical: polynomial in the number of set elements per client, $O\left(\prod_i |S_i|\right)$
      - Practice: [Plot: mean evaluation time (seconds, 0 to 400) against the size of each client’s set (0 to 200); series: CA $n = 5$, CA $n = 3$.]

  23. Improved Set Intersection Cardinality Scheme. Intuition:
      1. Compute the set intersection $\bigcap_i S_i$ “in the encrypted domain”;
      2. For some client $i'$, determine how many set elements $e_j \in S_{i'}$ are in the encrypted set intersection, i.e., $\left|\left\{ e_j \mid e_j \in \bigcap_{i=1}^{n} S_i,\ e_j \in S_{i'} \right\}\right|$.

      “Tools”:
      - Bloom filters → to represent sets in a single data structure
      - Homomorphic encryption → to compute in the encrypted domain
      - Functional encryption → to determine whether an element is in a set

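  24. Preliminaries: Bloom filters. Set Intersection:

      | | bs[1] | bs[2] | bs[3] | bs[4] | bs[5] | bs[6] | bs[7] | bs[8] | bs[9] |
      |---|---|---|---|---|---|---|---|---|---|
      | $S_1$ | 0 | 1 | 0 | 1 | 1 | 1 | 0 | 0 | 0 |
      | $S_2$ | 0 | 0 | 0 | 1 | 0 | 1 | 0 | 0 | 1 |
      | $S_1 \cap S_2$ (bitwise $\wedge$) | 0 | 0 | 0 | 1 | 0 | 1 | 0 | 0 | 0 |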

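  27. Construction (simplified): Set Intersection using Secret Sharing.

      | | bs[1] | bs[2] | bs[3] | bs[4] | bs[5] | bs[6] | bs[7] | bs[8] | bs[9] |
      |---|---|---|---|---|---|---|---|---|---|
      | $\mathrm{Enc}(S_1)$ | $r_{1,1}$ | $s_{1,2}$ | $r_{1,3}$ | $s_{1,4}$ | $s_{1,5}$ | $s_{1,6}$ | $r_{1,7}$ | $r_{1,8}$ | $r_{1,9}$ |
      | $+\ \mathrm{Enc}(S_2)$ | $r_{2,1}$ | $r_{2,2}$ | $r_{2,3}$ | $s_{2,4}$ | $r_{2,5}$ | $s_{2,6}$ | $r_{2,7}$ | $r_{2,8}$ | $s_{2,9}$ |
      | $=\ \mathrm{Enc}(S_1 \cap S_2)$ | $\tilde{r}_1$ | $\tilde{r}_2$ | $\tilde{r}_3$ | 1 | $\tilde{r}_5$ | 1 | $\tilde{r}_7$ | $\tilde{r}_8$ | $\tilde{r}_9$ |

      - $\mathrm{Encrypt}(\mathrm{usk}_i, \mathrm{ID}, S_i)$: $H(\mathrm{ID}, \ell)^{r_{i,\ell}}$ if $\mathrm{bs}[\ell] = 0$; $H(\mathrm{ID}, \ell)^{s_{i,\ell}}$ if $\mathrm{bs}[\ell] = 1$
      - $\mathrm{Evaluate}(\mathrm{ct}_1, \dots, \mathrm{ct}_n)$: $\left( H(\mathrm{ID}, \ell)^{s_{0,\ell}} \cdot \prod_{i=1}^{n} H(\mathrm{ID}, \ell)^{s_{i,\ell}} \right)$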

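  28. Construction (simplified): Set Intersection using Secret Sharing. Actual construction is more involved:
      - element testing uses a check whose layout did not survive extraction; its terms are $H(\mathrm{ID}, \ell)^{s_{0,\ell}}$, $g^{t}$, $r$, $\prod_{i=1}^{n} H(\mathrm{ID}, \ell)^{s_{i,\ell}}$, $\overset{?}{=}$ and $(g^{r})^{t'}$
      - using Shamir secret sharing instead of additive secret sharing

      | | bs[1] | bs[2] | bs[3] | bs[4] | bs[5] | bs[6] | bs[7] | bs[8] | bs[9] |
      |---|---|---|---|---|---|---|---|---|---|
      | $\mathrm{Enc}(S_1)$ | $r_{1,1}$ | $s_{1,2}$ | $r_{1,3}$ | $s_{1,4}$ | $s_{1,5}$ | $s_{1,6}$ | $r_{1,7}$ | $r_{1,8}$ | $r_{1,9}$ |
      | $+\ \mathrm{Enc}(S_2)$ | $r_{2,1}$ | $r_{2,2}$ | $r_{2,3}$ | $s_{2,4}$ | $r_{2,5}$ | $s_{2,6}$ | $r_{2,7}$ | $r_{2,8}$ | $s_{2,9}$ |
      | $=\ \mathrm{Enc}(S_1 \cap S_2)$ | $\tilde{r}_1$ | $\tilde{r}_2$ | $\tilde{r}_3$ | 1 | $\tilde{r}_5$ | 1 | $\tilde{r}_7$ | $\tilde{r}_8$ | $\tilde{r}_9$ |

      - $\mathrm{Encrypt}(\mathrm{usk}_i, \mathrm{ID}, S_i)$: $H(\mathrm{ID}, \ell)^{r_{i,\ell}}$ if $\mathrm{bs}[\ell] = 0$; $H(\mathrm{ID}, \ell)^{s_{i,\ell}}$ if $\mathrm{bs}[\ell] = 1$
      - $\mathrm{Evaluate}(\mathrm{ct}_1, \dots, \mathrm{ct}_n)$: $\left( H(\mathrm{ID}, \ell)^{s_{0,\ell}} \cdot \prod_{i=1}^{n} H(\mathrm{ID}, \ell)^{s_{i,\ell}} \right)$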

  30. Efficiency of the MC-FE Construction.
      - Theoretical: polynomial in the number of set elements per client, $O\left(x^2\right)$
      - Practice: [Plot: mean evaluation time (seconds, 0 to 400) against the size of each client’s set (0 to 200); series: CA $n = 5$, CA $n = 3$, CA-BF $n = 5$, CA-BF $n = 3$.]

  31. Summary
      - Non-interactive privacy-preserving information sharing
      - Efficient two-client constructions for various set operations
      - Theoretical constructions for various multi-client set operations
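
The two-client set intersection construction of slides 13 to 15, written out as an added Python example; it is not code from the presentation or from the authors' proof-of-concept. Assumptions made here: HMAC-SHA256 stands in for the keyed function under `msk`, an XOR pad stands in for the invertible function under `k`, the group is a toy one (integers modulo the Mersenne prime 2^127 - 1), both clients hold `msk`, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

P = 2**127 - 1     # Mersenne prime: toy modulus (assumption), not a secure group choice
ORDER = P - 1      # exponents live modulo the order of Z_P^*

def derive_key(msk, ident, x):
    """k_{ID,j} = phi_msk(ID, x_j) as an element of Z_P^*; HMAC-SHA256 stands in for phi_msk."""
    d = hmac.new(msk, f"{ident}|{x}".encode(), hashlib.sha256).digest()
    return int.from_bytes(d, "big") % (P - 1) + 1

def phi(k, block):
    """Toy stand-in for phi_k on 32-byte blocks: XOR with SHA-256(k); it is its own inverse."""
    pad = hashlib.sha256(k.to_bytes(16, "big")).digest()
    return bytes(a ^ b for a, b in zip(block, pad))

def setup():
    """Split the exponent 1 additively: usk_1 + usk_2 = 1 (mod ORDER)."""
    usk1 = secrets.randbelow(ORDER)
    return usk1, (1 - usk1) % ORDER

def encrypt(msk, usk_i, ident, s):
    """ct_i = {(k^usk_i, phi_k(x_j))}, stored as a map phi_k(x_j) -> k^usk_i.
    Elements are limited to 32 bytes in this toy encoding."""
    ct = {}
    for x in s:
        k = derive_key(msk, ident, x)
        ct[phi(k, x.encode().ljust(32, b"\0"))] = pow(k, usk_i, P)
    return ct

def evaluate(ct1, ct2):
    """Recover S_1 ∩ S_2: only entries present in both ciphertexts supply both key shares."""
    result = set()
    for c in ct1.keys() & ct2.keys():
        k = ct1[c] * ct2[c] % P          # k^usk_1 * k^usk_2 = k^(usk_1 + usk_2) = k
        result.add(phi(k, c).rstrip(b"\0").decode())
    return result

if __name__ == "__main__":
    msk = secrets.token_bytes(32)        # assumed shared by the clients, hidden from the evaluator
    usk1, usk2 = setup()
    s1 = {"10.0.0.5", "10.0.0.9", "192.0.2.44"}          # constructed sample sets
    s2 = {"10.0.0.9", "192.0.2.44", "198.51.100.7"}
    print(evaluate(encrypt(msk, usk1, "2019-07-03", s1), encrypt(msk, usk2, "2019-07-03", s2)))
    # A ciphertext made under an older ID shares no phi_k(x_j) values with a current one.
    print(evaluate(encrypt(msk, usk1, "2019-07-02", s1), encrypt(msk, usk2, "2019-07-03", s2)))
```

Counting the matching entries instead of decrypting them gives the cardinality variant of slide 12, and elements held by only one client stay encrypted because the evaluator sees a single key share for them.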
