1 / 29

Linear-Complexity Private Set Intersection Protocols Secure in Malicious Model

ASIACRYPT 2010. December 6, 2010. Linear-Complexity Private Set Intersection Protocols Secure in Malicious Model. Emiliano De Cristofaro 1 , Jihye Kim 2 , and Gene Tsudik 1 1 University of California, Irvine 2 Seoul National University. Outline. Motivation

nardo
Download Presentation

Linear-Complexity Private Set Intersection Protocols Secure in Malicious Model

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ASIACRYPT 2010 December 6, 2010 Linear-ComplexityPrivate Set Intersection Protocols Secure in Malicious Model Emiliano De Cristofaro1, Jihye Kim2, and Gene Tsudik11 University of California, Irvine2 Seoul National University

  2. Outline • Motivation • Private Set Intersection Primitives • 1. Authorized Private Set Intersection (APSI) construct2. Plain Private Set Intersection (PSI) construct • Linear-complexity constructions secure in the malicious model • Performance Comparison • Future Work

  3. Privacy • Privacy and society • Basic individual right & desire • Relevant to entities, e.g., corporations & governments • Recently increased awareness • Privacy and technology • Information disclosed (mostly on the Internet) • Handling and transfer of sensitive information • Need to combine Privacy and Accountability • Goal: Design protocols allowing to “share” only what needs to be shared and nothing else (or as little as possible). (Image from geekologie.com)

  4. Private Set Intersection • IRS <--- Foreign Bank • Learn if suspected tax evaders have bank accounts • Governmental Agency <--- Industrial Contractor • Learn if any employee has criminal records • CIA <---> MI5 • Compare databases of terrorist suspects • DHS <--- Airline Company • Check if any passenger is on the DHS Terrorist Watch List

  5. Private Set Intersection (PSI) {ci|ci  CS} [Freedman, Nissim, and Pinkas, Eurocrypt’04], [Hazay and Lindell, TCC’08], [Jarecki and Liu, TCC’09], [Dachman-Soled et al., ACNS’10], [De Cristofaro and Tsudik, FC’10], [Hazay and Nissim, PKC’10],[Jarecki and Liu, SCN’10] Airline with Passenger List DHS with Terror Watchlist One-Way PrivateSet-Intersection CLIENT SERVER C= {c1,…,cv} S = {s1,…,sw}

  6. PSI with Data Transfer {(ci,DATAi)|ci CS } [Freedman, Nissim, and Pinkas, Eurocrypt’04],[Hazay and Lindell, TCC’08], [Jarecki and Liu, TCC’09],[De Cristofaro and Tsudik, FC’10], [Jarecki and Liu, SCN’10] PSI with Data Transfer CLIENT SERVER C= {c1,…,cv}

  7. Authorized PSI (APSI) {(ci,DATAi)|ci  CSand Auth(ci) is valid} [De Cristofaro and Tsudik, FC’10], [De Cristofaro, Jarecki, Kim, and Tsudik, PETS’09], [Camenisch and Zaverucha, FC’09] Authorized-PSI Data Transfer CLIENT SERVER C = {(c1, Auth(c1)), …, (cv, Auth(cv))} Authorizations: digital signatures issued byan offline trusted Certification Authority

  8. Authorized PSI SERVER(UC Irvine) CLIENT (FBI Agent) 568-47-0008 Emiliano De Cristofaro, …. Digital signature Court/CA APSI 568-47-0008 (Suspect’s SSN) (UC Irvine Employees DB) Authorize

  9. Our Contribution • APSI Construction • Linear communication and computation complexity • Standard cryptographic assumptions: RSA and DDH (ROM) • Malicious-model security • Prior work: quadratic complexity or semi-honest adversaries • PSI Construction • Linear communication and computation complexity • Short exponents (160-bit) • Malicious-model security under DDH in ROM • Prior work with linear-complexity and malicious security: long exponents/moduli or stronger assumptions (OneMore-DH, again in ROM)

  10. Outline • Motivation • Private Set Intersection Primitives • 1. Authorized Private Set Intersection (APSI) construct2. Plain Private Set Intersection (PSI) construct • Performance Comparison • Future Work

  11. APSI: Preliminaries • Setup • Executed by the CA, on input sec. par. λ • (n,e,d) <- RSA.KeyGen(1λ) on safe primes • Pick g, g’ generators of QRn • Select H1: {0,1}*--> Zn (full-domain hash) • Select H2: {0,1}*--> {0,1}λ • Public parameters • n, e, g, g’,H1(), H2() • Authorize • On item ci, CA releases i = H(ci)d mod n • Notation • Client has v items, (c1, …, cv) and ci denotes i-th generic element • Server has w items, (s1, …, sw) and sj denotes j-th generic element • hsj=H(sj) hci=H(ci) i = (hci)d

  12. APSI with linear complexity {Mi,Ni} Z, {M’i},{Ts:j} If hsj = (i)e then KS:j= (hsj)2Rs = Kc:i: Kc:i = M’i ·Z-Rc:i = Mi2eRs·g-Rc:i2eRs == Mi2eRs·g-Rc:i2eRs = i2eRs·g2eRsRc:i·g-2eRsRc:i = = (hci)2Rs = (hsj)2Rs = KS:j CLIENT((c1,1),…,(cv,v)) SERVER(s1, …, sw) computation mod n bi,b’i{0,1} Rs  N/2 Rc:i  N/2 Z = g2eRs Mi = (-1)bi·i·gRc:i M’i = (Mi)2eRs Ni = (-1)b’i·hci·g’Rc:i ZKPc = ZK { Rc:i | Mi2e/Ni2) = (ge/g’)2Rc:i} Ks:j = (hsj)2Rs Ts:j = H2(Ks:j|hsj|sj) Client gets intersection CS: ci in CS if and only if Tc:i in {Tc:1,…,Tc:v}{Ts:1,…,Ts:w} ZKPs = ZK { Rs | Z = (g)2eRs, M’i=(Mi)2eRs } KC:i = M’i ·Z-Rc:i Tc:i = H2(Kc:i|hci|ci) Common Input: n, e, g, g’, H1(), H2()

  13. Complexity • Input size: • Client’s set contains vitems • Server’s set contains witems • Computational Complexity: • Client computes O(v) modular exponentiations • Server computes O(w+v) modular exponentiations • Exponentiations: 1024-bit mod 1024-bit • < 0.5mson PC • ~20ms on a Nokia N900 • Communication Complexity: • O(w+v)

  14. Outline • Motivation • Private Set Intersection Primitives • 1. Authorized Private Set Intersection (APSI) construct2. Plain Private Set Intersection (PSI) construct • Performance Comparison • Future Work

  15. Plain PSI {ci|ci  CS} Airline with Passenger List DHS with Terror Watchlist One-Way PrivateSet-Intersection CLIENT SERVER C= {c1,…,cv} S = {s1,…,sw}

  16. PSI with linear complexity X,{Mi,Ni} Z, {M’i},{Ts:j} If hsj = hci then KS:j= (hsj)Rs = Kc:i: Kc:i = M’i ·Z-Rc:i = MiRs·g-Rc:iRs == MiRs·g-Rc:iRs = hciRs·gRsRc:i·g-RsRc:i = = (hci)Rs = (hsj)Rs = KS:j CLIENT(c1, …, cv) SERVER(s1, …, sw) computation mod p PCH = hc1·…·hcv PCHi = PCH / hci Rs  q X = PCH·gRc Z = (g’)Rs Rc:i  q Mi = hci·(g’)Rc:i M’i = (Mi) Rs Ni = PCHi·(g’’)Rc:i ZKPc = ZK { Rc,Rc:i | X/(MiNi) = gRc / (g’g’’)Rc:i} Ks:j = (hsj)Rs Ts:j = H2(Ks:j|hsj|sj) Client gets intersection CS: ci in CS if and only if Tc:i in {Tc:1,…,Tc:v}{Ts:1,…,Ts:w} ZKPs = ZK { Rs | Z = (g’)Rs, M’i=(Mi)Rs } KC:i = M’i ·Z-Rc:i Tc:i = H2(Kc:i|hci|ci) Common Input: p, q, g, g’, g’’, H1(), H2()

  17. Complexity • Computational Complexity: • Client computes O(v) modular exponentiations • Server computes O(w+v) modular exponentiations • Exponentiations: 160-bit mod 1024-bit • < 0.2mson PC • ~5ms on a Nokia N900 • Communication Complexity: • O(w+v)

  18. Proofs in Malicious Model • Secure Computation of (Authorized) Set Intersection • Use the Real World/Ideal World paradigm • From a malicious client C*, construct an ideal world simulator SIMC • SIMC interacts with C* and extracts C* inputs • SIMC interacts with the ideal-world server through a TTP to get the intersection • SIMC plays (with C*) the role of the server on input the intersection • C*’s views when interacting with the simulator or in the real-world interaction are indistinguishable (show a reduction) • From a malicious server S*, construct an ideal world simulator SIMS • Similar idea but easier since the server has no output

  19. PSI with Data Transfer {(ci,DATAi)|ci CS } [Freedman, Nissim, and Pinkas, Eurocrypt’04], [Hazay and Lindell, TCC’08], [Jarecki and Liu, TCC’09], [De Cristofaro and Tsudik, FC’10] PSI with Data Transfer CLIENT SERVER C= {c1,…,cv}

  20. Adding Data Transfer • Recall scenarios where server stores data records associated to each item • S = [(s1,Data1), …, (sw,Dataw)] • Client, Server compute commonKs:j and Kc:i • Pick another hash function H3() • ξS:j = H3(KS:j|hsj|sj) used as encryption key for (Dataj) • ξc:i = H3(KC:i|hci|ci) used as corresponding decryption key • Asymptotic Complexity not affected

  21. Comparison (APSI)

  22. Comparison (PSI)

  23. Conclusions • Motivated APSI and PSI applications • First linear-complexity APSI secure in malicious model • Security in ROM under the RSA and DDH assumptions • Linear-complexity PSI secure in malicious model • Security in ROM under the DDH assumptions • Enjoy short exponents • Current Work • Removing ROM assumption (journal version) • Extension to groups • Size-Hiding PSI: hiding the size of client’s set • Cardinality-only Private Set Intersection

  24. Thank you! Image from truthdig.com

  25. APSI with linear complexity {Mi,Ni} Z, {M’i},{Ts:j} If hsj = (i)e then KS:j= (hsj)2Rs = Kc:i: Kc:i = M’i ·Z-Rc:i = Mi2eRs·g-Rc:i2eRs == Mi2eRs·g-Rc:i2eRs = i2eRs·g2eRsRc:i·g-2eRsRc:i = = (hci)2Rs = (hsj)2Rs = KS:j CLIENT((c1,1),…,(cv,v)) SERVER(s1, …, sw) computation mod n bi,b’i{0,1} Rs  N/2 Rc:i  N/2 Z = g2eRs Z = g2eRs Mi = (-1) bi·i·gRc:i Mi = (-1) bi·i·gRc:i M’i = (Mi)2eRs M’i = (Mi)2eRs Ni = (-1)b’i·hci·g’Rc:i Ni = (-1)b’i·hci·g’Rc:i Ks:j = (hsj)2Rs Ts:j = H2(Ks:j|hsj|sj) Ts:j = H2(Ks:j|hsj|sj) Client gets intersection CS: ci in CS if and only if Tc:i in {Tc:1,…,Tc:v}{Ts:1,…,Ts:w} KC:i = M’i ·Z-Rc:i Tc:i = H2(Kc:i|hci|ci) Common Input: n, e, g, g’, H1(), H2()

  26. PSI with linear complexity X,{Mi,Ni} Z, {M’i},{Ts:j} If hsj = hci then KS:j= (hsj)Rs = Kc:i: Kc:i = M’i ·Z-Rc:i = MiRs·g-Rc:iRs == MiRs·g-Rc:iRs = hciRs·gRsRc:i·g-RsRc:i = = (hci)Rs = (hsj)Rs = KS:j CLIENT(c1, …, cv) SERVER(s1, …, sw) computation mod p PCH = hc1…hcv Rs  q PCHi = PCH / hci Z = (g’)Rs Z = (g’)Rs X = PCH·gRc X = PCH·gRc Rc:i  q M’i = (Mi) Rs M’i = (Mi)Rs Mi = hci·(g’)Rc:i Mi = hci·(g’)Rc:i Ks:j = (hsj)Rs Ni = PCHi·(g’’)Rc:i Ni = PCHi·(g’’)Rc:i Ts:j = H2(Ks:j|hsj|sj) Ts:j = H2(Ks:j|hsj|sj) Client gets intersection CS: ci in CS if and only if Tc:i in {Tc:1,…,Tc:v}{Ts:1,…,Ts:w} KC:i = M’i ·Z-Rc:i Tc:i = H2(Kc:i|hci|ci) Common Input: p, q, g, g’, g’’, H1(), H2()

  27. Honest-but-Curious/Malicious • Definition (informal): semi-honest or honest-but-curious player: faithfully follows all protocol specifications and does not misrepresent any information related to its input, i.e., set size and content, however, during or after protocol execution, attempts to infer additional information about the other party's input. • Definition (informal): malicious player: arbitrarily deviant behavior. Modify protocols to prove well-formed-ness of players’ inputs to the protocol

  28. APSI -- Related Work • Secure Computation • Inefficient • Private Information Retrieval (PIR) • Server database is public (not the case of S-PIR) • Client input is an index, not an item (not the case of K-PIR) • How to obtain oblivious verification of authorizations? • Computational overhead might be high for large records? (later) • Oblivious Signature Based Envelope (OSBEs) • Single message, not scalable • Public Key Encryption with Keyword Search (PEKS) • Can be adapted to APSI (using Anonymous-IBE) but would incur quadratic overhead

  29. Malicious Model • Malicious Client • Recall APSI: each element in Client set authorized by CA • Mitigates frivolous Client input due to Server’s implicit signature verification • But, server doesn’t detect malformed input • Malicious Server • Could introduce bilateral APSI: require server input to be also authorized (by same of diff. CA) • Would this be fair? • Client would still not detect malformed input… • Ideally, need proofs of well-formed-ness for both

More Related