70 likes | 206 Views
Asiacrypt 2010 Rump Session. December 7, 2010. Size Matters! Size-Hiding Private Set Intersection. To appear in PKC’11 – ePrint 2010/220. Emiliano De Cristofaro University of California, Irvine. Private Set Intersection. { c i | c i C S }. Airline with Passenger List.
E N D
Asiacrypt 2010Rump Session December 7, 2010 Size Matters!Size-Hiding Private Set Intersection To appear in PKC’11 – ePrint 2010/220 Emiliano De Cristofaro University of California, Irvine
Private Set Intersection {ci|ci CS} Airline with Passenger List DHS with Terror Watchlist One-Way PrivateSet-Intersection CLIENT SERVER C= {c1, … , cv} S = {s1, … , sw} w v
Sometimes, size matters… ClientServer • DHS: Terror Watch List <--- Airline : Passenger List • CDC: Contagious disease patients <--- Schools: Kids • Observe: 1. Size of client’s set is sensitive We need to hide set size. 2. The client is forcing the server to run PSI. In PSI, server overhead also depends on the size of client’s set. We would like the server to do work proportional only to the size of his set. • Note: • Size is private and size fluctuations are private • Size also affects communication overhead • Padding doesn’t work (exposes upper bound and fluctuations)
SHI-PSI X Z, {y1,…,yw} CLIENT(c1, …, cv) SERVER(s1, …, sw) Public Input: n, g, H(), F() computation mod n PCH = hc1…hcv (n,e,d) <- RSA.Kgen()g generator of QR_n PCHi = PCH / hci Rc n/2 X = gRc*PCH Rs n/2 Z = gRs Kj= XRs/hsj yj= F (Kj) K’i= ZRc*PCHi y’i= F (K’i) Client obtains ci in CS if: y'i in {y'1,…,y'v} {y1,…,yw}
SHI-PSI Features • “Surprising” result • 2PC has always assumed that input sizes *need* to be revealed • The only size-hiding protocol was ZK sets (different problem) • Security • Semi-honest players, RSA in ROM • Minimal Communication Complexity: O(w) [v.s. O(w+v) in PSI] • Computation Complexity: • Server O(w) modular exponentiations [v.s. O(w+v) in PSI] • It does not depend on client input size!!! • Client O(v·logv) modular exponentiations [v.s. O(v) in PSI] • Optimal if Client is imposing computation on the Server
Conclusion • We presented the first PSI construct that hides the set size • Efficient protocol (improved communication overhead!) … and … Graduating Summer 2011 (i.e., looking for a job ) Emiliano De CristofaroUC IRVINEhttp://www.ics.uci.edu/~edecrist