320 likes | 508 Views
ASIACRYPT 2010. December 6, 2010. Linear-Complexity Private Set Intersection Protocols Secure in Malicious Model. Emiliano De Cristofaro 1 , Jihye Kim 2 , and Gene Tsudik 1 1 University of California, Irvine 2 Seoul National University. Outline. Motivation
E N D
ASIACRYPT 2010 December 6, 2010 Linear-ComplexityPrivate Set Intersection Protocols Secure in Malicious Model Emiliano De Cristofaro1, Jihye Kim2, and Gene Tsudik11 University of California, Irvine2 Seoul National University
Outline • Motivation • Private Set Intersection Primitives • 1. Authorized Private Set Intersection (APSI) construct2. Plain Private Set Intersection (PSI) construct • Linear-complexity constructions secure in the malicious model • Performance Comparison • Future Work
Privacy • Privacy and society • Basic individual right & desire • Relevant to entities, e.g., corporations & governments • Recently increased awareness • Privacy and technology • Information disclosed (mostly on the Internet) • Handling and transfer of sensitive information • Need to combine Privacy and Accountability • Goal: Design protocols allowing to “share” only what needs to be shared and nothing else (or as little as possible). (Image from geekologie.com)
Private Set Intersection • IRS <--- Foreign Bank • Learn if suspected tax evaders have bank accounts • Governmental Agency <--- Industrial Contractor • Learn if any employee has criminal records • CIA <---> MI5 • Compare databases of terrorist suspects • DHS <--- Airline Company • Check if any passenger is on the DHS Terrorist Watch List
Private Set Intersection (PSI) {ci|ci CS} [Freedman, Nissim, and Pinkas, Eurocrypt’04], [Hazay and Lindell, TCC’08], [Jarecki and Liu, TCC’09], [Dachman-Soled et al., ACNS’10], [De Cristofaro and Tsudik, FC’10], [Hazay and Nissim, PKC’10],[Jarecki and Liu, SCN’10] Airline with Passenger List DHS with Terror Watchlist One-Way PrivateSet-Intersection CLIENT SERVER C= {c1,…,cv} S = {s1,…,sw}
PSI with Data Transfer {(ci,DATAi)|ci CS } [Freedman, Nissim, and Pinkas, Eurocrypt’04],[Hazay and Lindell, TCC’08], [Jarecki and Liu, TCC’09],[De Cristofaro and Tsudik, FC’10], [Jarecki and Liu, SCN’10] PSI with Data Transfer CLIENT SERVER C= {c1,…,cv}
Authorized PSI (APSI) {(ci,DATAi)|ci CSand Auth(ci) is valid} [De Cristofaro and Tsudik, FC’10], [De Cristofaro, Jarecki, Kim, and Tsudik, PETS’09], [Camenisch and Zaverucha, FC’09] Authorized-PSI Data Transfer CLIENT SERVER C = {(c1, Auth(c1)), …, (cv, Auth(cv))} Authorizations: digital signatures issued byan offline trusted Certification Authority
Authorized PSI SERVER(UC Irvine) CLIENT (FBI Agent) 568-47-0008 Emiliano De Cristofaro, …. Digital signature Court/CA APSI 568-47-0008 (Suspect’s SSN) (UC Irvine Employees DB) Authorize
Our Contribution • APSI Construction • Linear communication and computation complexity • Standard cryptographic assumptions: RSA and DDH (ROM) • Malicious-model security • Prior work: quadratic complexity or semi-honest adversaries • PSI Construction • Linear communication and computation complexity • Short exponents (160-bit) • Malicious-model security under DDH in ROM • Prior work with linear-complexity and malicious security: long exponents/moduli or stronger assumptions (OneMore-DH, again in ROM)
Outline • Motivation • Private Set Intersection Primitives • 1. Authorized Private Set Intersection (APSI) construct2. Plain Private Set Intersection (PSI) construct • Performance Comparison • Future Work
APSI: Preliminaries • Setup • Executed by the CA, on input sec. par. λ • (n,e,d) <- RSA.KeyGen(1λ) on safe primes • Pick g, g’ generators of QRn • Select H1: {0,1}*--> Zn (full-domain hash) • Select H2: {0,1}*--> {0,1}λ • Public parameters • n, e, g, g’,H1(), H2() • Authorize • On item ci, CA releases i = H(ci)d mod n • Notation • Client has v items, (c1, …, cv) and ci denotes i-th generic element • Server has w items, (s1, …, sw) and sj denotes j-th generic element • hsj=H(sj) hci=H(ci) i = (hci)d
APSI with linear complexity {Mi,Ni} Z, {M’i},{Ts:j} If hsj = (i)e then KS:j= (hsj)2Rs = Kc:i: Kc:i = M’i ·Z-Rc:i = Mi2eRs·g-Rc:i2eRs == Mi2eRs·g-Rc:i2eRs = i2eRs·g2eRsRc:i·g-2eRsRc:i = = (hci)2Rs = (hsj)2Rs = KS:j CLIENT((c1,1),…,(cv,v)) SERVER(s1, …, sw) computation mod n bi,b’i{0,1} Rs N/2 Rc:i N/2 Z = g2eRs Mi = (-1)bi·i·gRc:i M’i = (Mi)2eRs Ni = (-1)b’i·hci·g’Rc:i ZKPc = ZK { Rc:i | Mi2e/Ni2) = (ge/g’)2Rc:i} Ks:j = (hsj)2Rs Ts:j = H2(Ks:j|hsj|sj) Client gets intersection CS: ci in CS if and only if Tc:i in {Tc:1,…,Tc:v}{Ts:1,…,Ts:w} ZKPs = ZK { Rs | Z = (g)2eRs, M’i=(Mi)2eRs } KC:i = M’i ·Z-Rc:i Tc:i = H2(Kc:i|hci|ci) Common Input: n, e, g, g’, H1(), H2()
Complexity • Input size: • Client’s set contains vitems • Server’s set contains witems • Computational Complexity: • Client computes O(v) modular exponentiations • Server computes O(w+v) modular exponentiations • Exponentiations: 1024-bit mod 1024-bit • < 0.5mson PC • ~20ms on a Nokia N900 • Communication Complexity: • O(w+v)
Outline • Motivation • Private Set Intersection Primitives • 1. Authorized Private Set Intersection (APSI) construct2. Plain Private Set Intersection (PSI) construct • Performance Comparison • Future Work
Plain PSI {ci|ci CS} Airline with Passenger List DHS with Terror Watchlist One-Way PrivateSet-Intersection CLIENT SERVER C= {c1,…,cv} S = {s1,…,sw}
PSI with linear complexity X,{Mi,Ni} Z, {M’i},{Ts:j} If hsj = hci then KS:j= (hsj)Rs = Kc:i: Kc:i = M’i ·Z-Rc:i = MiRs·g-Rc:iRs == MiRs·g-Rc:iRs = hciRs·gRsRc:i·g-RsRc:i = = (hci)Rs = (hsj)Rs = KS:j CLIENT(c1, …, cv) SERVER(s1, …, sw) computation mod p PCH = hc1·…·hcv PCHi = PCH / hci Rs q X = PCH·gRc Z = (g’)Rs Rc:i q Mi = hci·(g’)Rc:i M’i = (Mi) Rs Ni = PCHi·(g’’)Rc:i ZKPc = ZK { Rc,Rc:i | X/(MiNi) = gRc / (g’g’’)Rc:i} Ks:j = (hsj)Rs Ts:j = H2(Ks:j|hsj|sj) Client gets intersection CS: ci in CS if and only if Tc:i in {Tc:1,…,Tc:v}{Ts:1,…,Ts:w} ZKPs = ZK { Rs | Z = (g’)Rs, M’i=(Mi)Rs } KC:i = M’i ·Z-Rc:i Tc:i = H2(Kc:i|hci|ci) Common Input: p, q, g, g’, g’’, H1(), H2()
Complexity • Computational Complexity: • Client computes O(v) modular exponentiations • Server computes O(w+v) modular exponentiations • Exponentiations: 160-bit mod 1024-bit • < 0.2mson PC • ~5ms on a Nokia N900 • Communication Complexity: • O(w+v)
Proofs in Malicious Model • Secure Computation of (Authorized) Set Intersection • Use the Real World/Ideal World paradigm • From a malicious client C*, construct an ideal world simulator SIMC • SIMC interacts with C* and extracts C* inputs • SIMC interacts with the ideal-world server through a TTP to get the intersection • SIMC plays (with C*) the role of the server on input the intersection • C*’s views when interacting with the simulator or in the real-world interaction are indistinguishable (show a reduction) • From a malicious server S*, construct an ideal world simulator SIMS • Similar idea but easier since the server has no output
PSI with Data Transfer {(ci,DATAi)|ci CS } [Freedman, Nissim, and Pinkas, Eurocrypt’04], [Hazay and Lindell, TCC’08], [Jarecki and Liu, TCC’09], [De Cristofaro and Tsudik, FC’10] PSI with Data Transfer CLIENT SERVER C= {c1,…,cv}
Adding Data Transfer • Recall scenarios where server stores data records associated to each item • S = [(s1,Data1), …, (sw,Dataw)] • Client, Server compute commonKs:j and Kc:i • Pick another hash function H3() • ξS:j = H3(KS:j|hsj|sj) used as encryption key for (Dataj) • ξc:i = H3(KC:i|hci|ci) used as corresponding decryption key • Asymptotic Complexity not affected
Conclusions • Motivated APSI and PSI applications • First linear-complexity APSI secure in malicious model • Security in ROM under the RSA and DDH assumptions • Linear-complexity PSI secure in malicious model • Security in ROM under the DDH assumptions • Enjoy short exponents • Current Work • Removing ROM assumption (journal version) • Extension to groups • Size-Hiding PSI: hiding the size of client’s set • Cardinality-only Private Set Intersection
Thank you! Image from truthdig.com
APSI with linear complexity {Mi,Ni} Z, {M’i},{Ts:j} If hsj = (i)e then KS:j= (hsj)2Rs = Kc:i: Kc:i = M’i ·Z-Rc:i = Mi2eRs·g-Rc:i2eRs == Mi2eRs·g-Rc:i2eRs = i2eRs·g2eRsRc:i·g-2eRsRc:i = = (hci)2Rs = (hsj)2Rs = KS:j CLIENT((c1,1),…,(cv,v)) SERVER(s1, …, sw) computation mod n bi,b’i{0,1} Rs N/2 Rc:i N/2 Z = g2eRs Z = g2eRs Mi = (-1) bi·i·gRc:i Mi = (-1) bi·i·gRc:i M’i = (Mi)2eRs M’i = (Mi)2eRs Ni = (-1)b’i·hci·g’Rc:i Ni = (-1)b’i·hci·g’Rc:i Ks:j = (hsj)2Rs Ts:j = H2(Ks:j|hsj|sj) Ts:j = H2(Ks:j|hsj|sj) Client gets intersection CS: ci in CS if and only if Tc:i in {Tc:1,…,Tc:v}{Ts:1,…,Ts:w} KC:i = M’i ·Z-Rc:i Tc:i = H2(Kc:i|hci|ci) Common Input: n, e, g, g’, H1(), H2()
PSI with linear complexity X,{Mi,Ni} Z, {M’i},{Ts:j} If hsj = hci then KS:j= (hsj)Rs = Kc:i: Kc:i = M’i ·Z-Rc:i = MiRs·g-Rc:iRs == MiRs·g-Rc:iRs = hciRs·gRsRc:i·g-RsRc:i = = (hci)Rs = (hsj)Rs = KS:j CLIENT(c1, …, cv) SERVER(s1, …, sw) computation mod p PCH = hc1…hcv Rs q PCHi = PCH / hci Z = (g’)Rs Z = (g’)Rs X = PCH·gRc X = PCH·gRc Rc:i q M’i = (Mi) Rs M’i = (Mi)Rs Mi = hci·(g’)Rc:i Mi = hci·(g’)Rc:i Ks:j = (hsj)Rs Ni = PCHi·(g’’)Rc:i Ni = PCHi·(g’’)Rc:i Ts:j = H2(Ks:j|hsj|sj) Ts:j = H2(Ks:j|hsj|sj) Client gets intersection CS: ci in CS if and only if Tc:i in {Tc:1,…,Tc:v}{Ts:1,…,Ts:w} KC:i = M’i ·Z-Rc:i Tc:i = H2(Kc:i|hci|ci) Common Input: p, q, g, g’, g’’, H1(), H2()
Honest-but-Curious/Malicious • Definition (informal): semi-honest or honest-but-curious player: faithfully follows all protocol specifications and does not misrepresent any information related to its input, i.e., set size and content, however, during or after protocol execution, attempts to infer additional information about the other party's input. • Definition (informal): malicious player: arbitrarily deviant behavior. Modify protocols to prove well-formed-ness of players’ inputs to the protocol
APSI -- Related Work • Secure Computation • Inefficient • Private Information Retrieval (PIR) • Server database is public (not the case of S-PIR) • Client input is an index, not an item (not the case of K-PIR) • How to obtain oblivious verification of authorizations? • Computational overhead might be high for large records? (later) • Oblivious Signature Based Envelope (OSBEs) • Single message, not scalable • Public Key Encryption with Keyword Search (PEKS) • Can be adapted to APSI (using Anonymous-IBE) but would incur quadratic overhead
Malicious Model • Malicious Client • Recall APSI: each element in Client set authorized by CA • Mitigates frivolous Client input due to Server’s implicit signature verification • But, server doesn’t detect malformed input • Malicious Server • Could introduce bilateral APSI: require server input to be also authorized (by same of diff. CA) • Would this be fair? • Client would still not detect malformed input… • Ideally, need proofs of well-formed-ness for both