Linear-Complexity Private Set Intersection Protocols Secure in Malicious Model
DESCRIPTION
ASIACRYPT 2010. December 6, 2010. Linear-Complexity Private Set Intersection Protocols Secure in Malicious Model. Emiliano De Cristofaro (1), Jihye Kim (2), and Gene Tsudik (1). (1) University of California, Irvine; (2) Seoul National University.
TRANSCRIPT
Linear-Complexity Private Set Intersection Protocols Secure in Malicious Model
Emiliano De Cristofaro (1), Jihye Kim (2), and Gene Tsudik (1)
(1) University of California, Irvine; (2) Seoul National University
ASIACRYPT 2010, December 6, 2010
Outline
• Motivation
• Private Set Intersection Primitives
• Linear-complexity constructions secure in the malicious model
  1. Authorized Private Set Intersection (APSI) construct
  2. Plain Private Set Intersection (PSI) construct
• Performance Comparison
• Future Work
Privacy
Privacy and society
• Basic individual right & desire
• Relevant to entities, e.g., corporations & governments
• Recently increased awareness
Privacy and technology
• Information disclosed (mostly on the Internet)
• Handling and transfer of sensitive information
• Need to combine Privacy and Accountability
Goal: Design protocols that allow parties to “share” only what needs to be shared and nothing else (or as little as possible).
(Image from geekologie.com)
Private Set Intersection
Motivating scenarios:
• IRS <--- Foreign Bank: learn if suspected tax evaders have bank accounts
• Governmental Agency <--- Industrial Contractor: learn if any employee has criminal records
• CIA <---> MI5: compare databases of terrorist suspects
• DHS <--- Airline Company: check if any passenger is on the DHS Terrorist Watch List

Private Set Intersection (PSI)
CLIENT: C = {c1, …, cv}
SERVER: S = {s1, …, sw}
One-Way Private Set-Intersection: the client obtains { ci | ci ∈ C ∩ S }
(Example: Airline with Passenger List, DHS with Terror Watchlist)
[Freedman, Nissim, and Pinkas, Eurocrypt’04], [Hazay and Lindell, TCC’08], [Jarecki and Liu, TCC’09], [Dachman-Soled et al., ACNS’10], [De Cristofaro and Tsudik, FC’10], [Hazay and Nissim, PKC’10], [Jarecki and Liu, SCN’10]
PSI with Data Transfer
SERVER holds records:
ID | DATA
s1 | Data1
s2 | Data2
… | …
sw | Dataw
CLIENT: C = {c1, …, cv}
PSI with Data Transfer: the client obtains { (ci, DATAi) | ci ∈ C ∩ S }
[Freedman, Nissim, and Pinkas, Eurocrypt’04], [Hazay and Lindell, TCC’08], [Jarecki and Liu, TCC’09], [De Cristofaro and Tsudik, FC’10], [Jarecki and Liu, SCN’10]
Authorized PSI (APSI)
SERVER holds records:
ID | DATA
s1 | Data1
s2 | Data2
… | …
sw | Dataw
CLIENT: C = {(c1, Auth(c1)), …, (cv, Auth(cv))}
Authorized PSI with Data Transfer: the client obtains { (ci, DATAi) | ci ∈ C ∩ S and Auth(ci) is valid }
Authorizations: digital signatures issued by an offline trusted Certification Authority
[De Cristofaro and Tsudik, FC’10], [De Cristofaro, Jarecki, Kim, and Tsudik, PETS’09], [Camenisch and Zaverucha, FC’09]
Authorized PSI: example
(Figure) CLIENT (FBI Agent) holds a suspect’s SSN, 568-47-0008. The Court/CA authorizes the item by issuing a digital signature on 568-47-0008. The client then runs APSI with the SERVER (UC Irvine), whose input is the UC Irvine Employees DB (e.g., the record “Emiliano De Cristofaro, ….”).
Our Contribution
APSI Construction
• Linear communication and computation complexity
• Standard cryptographic assumptions: RSA and DDH (ROM)
• Malicious-model security
• Prior work: quadratic complexity or semi-honest adversaries
PSI Construction
• Linear communication and computation complexity
• Short exponents (160-bit)
• Malicious-model security under DDH in ROM
• Prior work with linear complexity and malicious security: long exponents/moduli or stronger assumptions (OneMore-DH, again in ROM)
Outline
• Motivation
• Private Set Intersection Primitives
  1. Authorized Private Set Intersection (APSI) construct
  2. Plain Private Set Intersection (PSI) construct
• Performance Comparison
• Future Work
APSI: Preliminaries
Setup
• Executed by the CA, on input security parameter λ
• (n, e, d) <- RSA.KeyGen(1^λ) on safe primes
• Pick g, g’ generators of QR_n
• Select H1 : {0,1}* --> Z_n (full-domain hash)
• Select H2 : {0,1}* --> {0,1}^λ
Public parameters
• n, e, g, g’, H1(), H2()
Authorize
• On item ci, the CA releases σi = H1(ci)^d mod n
Notation
• Client has v items, (c1, …, cv); ci denotes the i-th generic element
• Server has w items, (s1, …, sw); sj denotes the j-th generic element
• hsj = H1(sj), hci = H1(ci), σi = (hci)^d
APSI with linear complexity
Common Input: n, e, g, g’, H1(), H2(); all computation mod n
CLIENT input: ((c1, σ1), …, (cv, σv))    SERVER input: (s1, …, sw)

Client, for each i:
• Rc:i <-$ Z_{n/2}; bi, b’i <-$ {0,1}
• Mi = (-1)^{bi} · σi · g^{Rc:i}
• Ni = (-1)^{b’i} · hci · g’^{Rc:i}
Client --> Server: {Mi, Ni}, ZKPc = ZK{ Rc:i | Mi^{2e} / Ni^2 = (g^e / g’)^{2Rc:i} }

Server:
• Rs <-$ Z_{n/2}
• Z = g^{2eRs}
• M’i = (Mi)^{2eRs}
• Ks:j = (hsj)^{2Rs}; Ts:j = H2(Ks:j | hsj | sj)
Server --> Client: Z, {M’i}, {Ts:j}, ZKPs = ZK{ Rs | Z = g^{2eRs}, M’i = (Mi)^{2eRs} }

Client, for each i:
• Kc:i = M’i · Z^{-Rc:i}
• Tc:i = H2(Kc:i | hci | ci)
Client gets intersection C∩S: ci ∈ C∩S if and only if Tc:i ∈ {Tc:1, …, Tc:v} ∩ {Ts:1, …, Ts:w}

Correctness: if hsj = (σi)^e then Ks:j = (hsj)^{2Rs} = Kc:i (the signs (-1)^{bi} vanish under the even exponent 2eRs):
Kc:i = M’i · Z^{-Rc:i} = Mi^{2eRs} · g^{-2eRs·Rc:i} = σi^{2eRs} · g^{2eRs·Rc:i} · g^{-2eRs·Rc:i} = (σi^e)^{2Rs} = (hci)^{2Rs} = (hsj)^{2Rs} = Ks:j
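The APSI exchange above, minus its two zero-knowledge proofs, as an added Python example that is not part of the original slides or the authors’ code; it also shows that an item carried without a valid CA signature yields no match. The toy RSA modulus, the generators g=3 and g’=5, and the SHA-256-based H1/H2 are assumptions chosen so the demo runs offline, not secure parameters.

```python
import hashlib, secrets

# Toy RSA parameters: small primes, not safe primes, insecure size; for correctness only.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
G, G2 = 3, 5                          # g, g' (assumed generators; enough for a correctness demo)

def h1(x):   # H1: {0,1}* -> Z_n (toy full-domain hash)
    return int.from_bytes(hashlib.sha256(b"H1|" + x.encode()).digest(), "big") % N

def h2(k, h, x):   # H2 over (K | h | item), yields the tag T
    return hashlib.sha256(f"{k}|{h}|{x}".encode()).digest()

def ca_authorize(c):   # CA: sigma_i = H1(c_i)^d mod n, an RSA signature on the item
    return pow(h1(c), D, N)

def client_round1(items):   # items: (c_i, sigma_i) pairs; returns state and {M_i, N_i}
    st, msg = [], []
    for c, sig in items:
        rc = 1 + secrets.randbelow(N // 2 - 1)
        b, b2 = secrets.randbelow(2), secrets.randbelow(2)
        m = (-1) ** b * sig * pow(G, rc, N) % N         # M_i = (-1)^b_i * sigma_i * g^Rc:i
        n = (-1) ** b2 * h1(c) * pow(G2, rc, N) % N     # N_i = (-1)^b'_i * hc_i * g'^Rc:i
        st.append((c, rc)); msg.append((m, n))
    return st, msg                                      # ZKPc omitted in this demo

def server_round(msg, s_items):
    rs = 1 + secrets.randbelow(N // 2 - 1)
    z = pow(G, 2 * E * rs, N)                           # Z = g^{2eRs}
    m_primes = [pow(m, 2 * E * rs, N) for m, _ in msg]  # M'_i = M_i^{2eRs}
    tags = {h2(pow(h1(s), 2 * rs, N), h1(s), s) for s in s_items}   # T_s:j = H2(hs_j^{2Rs}|hs_j|s_j)
    return z, m_primes, tags                            # ZKPs omitted in this demo

def client_round2(st, z, m_primes, tags):
    out = []
    for (c, rc), mp in zip(st, m_primes):
        k = mp * pow(z, -rc, N) % N                     # K_c:i = M'_i * Z^{-Rc:i} = sigma_i^{2eRs}
        if h2(k, h1(c), c) in tags:                     # equals hc_i^{2Rs} only if sigma_i^e = hc_i
            out.append(c)
    return out

def apsi(client_items, server_items):
    st, msg = client_round1(client_items)
    return client_round2(st, *server_round(msg, server_items))
```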
Complexity
Input size:
• Client’s set contains v items
• Server’s set contains w items
Computational Complexity:
• Client computes O(v) modular exponentiations
• Server computes O(w+v) modular exponentiations
• Exponentiations: 1024-bit mod 1024-bit
  • < 0.5ms on PC
  • ~20ms on a Nokia N900
Communication Complexity:
• O(w+v)
Outline
• Motivation
• Private Set Intersection Primitives
  1. Authorized Private Set Intersection (APSI) construct
  2. Plain Private Set Intersection (PSI) construct
• Performance Comparison
• Future Work
Plain PSI
Private Set Intersection (PSI)
CLIENT: C = {c1, …, cv}
SERVER: S = {s1, …, sw}
One-Way Private Set-Intersection: the client obtains { ci | ci ∈ C ∩ S }
(Example: Airline with Passenger List, DHS with Terror Watchlist)
PSI with linear complexity
Common Input: p, q, g, g’, g’’, H1(), H2(); all computation mod p
CLIENT input: (c1, …, cv)    SERVER input: (s1, …, sw)

Client:
• PCH = hc1 · … · hcv; PCHi = PCH / hci
• Rc <-$ Z_q; X = PCH · g^{Rc}
• For each i: Rc:i <-$ Z_q; Mi = hci · (g’)^{Rc:i}; Ni = PCHi · (g’’)^{Rc:i}
Client --> Server: X, {Mi, Ni}, ZKPc = ZK{ Rc, Rc:i | X / (Mi · Ni) = g^{Rc} / (g’g’’)^{Rc:i} }

Server:
• Rs <-$ Z_q
• Z = (g’)^{Rs}
• M’i = (Mi)^{Rs}
• Ks:j = (hsj)^{Rs}; Ts:j = H2(Ks:j | hsj | sj)
Server --> Client: Z, {M’i}, {Ts:j}, ZKPs = ZK{ Rs | Z = (g’)^{Rs}, M’i = (Mi)^{Rs} }

Client, for each i:
• Kc:i = M’i · Z^{-Rc:i}
• Tc:i = H2(Kc:i | hci | ci)
Client gets intersection C∩S: ci ∈ C∩S if and only if Tc:i ∈ {Tc:1, …, Tc:v} ∩ {Ts:1, …, Ts:w}

Correctness: if hsj = hci then Ks:j = (hsj)^{Rs} = Kc:i:
Kc:i = M’i · Z^{-Rc:i} = Mi^{Rs} · (g’)^{-Rs·Rc:i} = hci^{Rs} · (g’)^{Rs·Rc:i} · (g’)^{-Rs·Rc:i} = (hci)^{Rs} = (hsj)^{Rs} = Ks:j
Complexity
Computational Complexity:
• Client computes O(v) modular exponentiations
• Server computes O(w+v) modular exponentiations
• Exponentiations: 160-bit mod 1024-bit
  • < 0.2ms on PC
  • ~5ms on a Nokia N900
Communication Complexity:
• O(w+v)
Proofs in the Malicious Model
Secure Computation of (Authorized) Set Intersection
• Use the Real World/Ideal World paradigm
• From a malicious client C*, construct an ideal-world simulator SIMC
  • SIMC interacts with C* and extracts C*’s inputs
  • SIMC interacts with the ideal-world server through a TTP to get the intersection
  • SIMC plays (with C*) the role of the server on input the intersection
  • C*’s views when interacting with the simulator or in the real-world interaction are indistinguishable (show a reduction)
• From a malicious server S*, construct an ideal-world simulator SIMS
  • Similar idea but easier, since the server has no output
PSI with Data Transfer
SERVER holds records:
ID | DATA
s1 | Data1
s2 | Data2
… | …
sw | Dataw
CLIENT: C = {c1, …, cv}
PSI with Data Transfer: the client obtains { (ci, DATAi) | ci ∈ C ∩ S }
[Freedman, Nissim, and Pinkas, Eurocrypt’04], [Hazay and Lindell, TCC’08], [Jarecki and Liu, TCC’09], [De Cristofaro and Tsudik, FC’10]
Adding Data Transfer
Recall the scenarios where the server stores a data record associated with each item
• S = [(s1, Data1), …, (sw, Dataw)]
Client and Server compute the common keys Ks:j and Kc:i
• Pick another hash function H3()
• ξS:j = H3(KS:j | hsj | sj) is used as the encryption key for Dataj
• ξc:i = H3(Kc:i | hci | ci) is used as the corresponding decryption key
Asymptotic complexity is not affected
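The DDH-based PSI of the previous slides together with the data-transfer extension just described (H3-derived keys ξ encrypting each Dataj), as an added Python example that is not part of the original slides or the authors’ code; the two zero-knowledge proofs are omitted. The probable-prime search for a 64-bit safe prime, the generators, the SHA-256/SHAKE-based H1, H2, H3 and the keystream cipher are assumptions made so the demo runs offline, not secure parameters.

```python
import hashlib, math, secrets

def is_probable_prime(n):   # Fermat test with fixed bases: enough to pick a demo group
    return n > 3 and all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11, 13))
def safe_prime(bits=64):    # first p = 2q+1 of the given size with p, q both probable primes
    q = (1 << (bits - 2)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime()                              # toy 64-bit group: insecure size, demo only
G, G2, G3 = (pow(x, 2, P) for x in (2, 3, 5))    # g, g', g'' in the order-q subgroup (assumed)

def h1(x):   # H1: hash into the order-q subgroup (square a hash mod p)
    return pow(int.from_bytes(hashlib.sha256(b"H1|" + x.encode()).digest(), "big") % P, 2, P)
def hk(label, k, h, x):   # H2 (label "H2") and H3 (label "H3") over (K | h | item)
    return hashlib.sha256(f"{label}|{k}|{h}|{x}".encode()).digest()
def xor_pad(key, data):   # keystream from the H3 key (assumed cipher; the slides fix none)
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

def client_round1(items):
    hs = [h1(c) for c in items]
    pch = math.prod(hs) % P                      # PCH = hc1 * ... * hcv
    x = pch * pow(G, secrets.randbelow(Q), P) % P   # X = PCH * g^Rc (consumed only by ZKPc)
    st, mn = [], []
    for c, h in zip(items, hs):
        rci = secrets.randbelow(Q)
        m = h * pow(G2, rci, P) % P                          # M_i = hc_i * g'^Rc:i
        n = pch * pow(h, -1, P) * pow(G3, rci, P) % P        # N_i = PCH_i * g''^Rc:i
        st.append((c, h, rci)); mn.append((m, n))
    return st, (x, mn)                           # ZKPc omitted in this demo

def server_round(msg, records):                  # records: (s_j, Data_j) pairs
    rs = secrets.randbelow(Q)
    z = pow(G2, rs, P)                           # Z = g'^Rs
    m_primes = [pow(m, rs, P) for m, _ in msg[1]]   # M'_i = M_i^Rs
    table = {}
    for s, data in records:
        h = h1(s); ks = pow(h, rs, P)            # K_s:j = hs_j^Rs
        table[hk("H2", ks, h, s)] = xor_pad(hk("H3", ks, h, s), data)   # T_s:j -> Enc(Data_j)
    return z, m_primes, table                    # ZKPs omitted in this demo

def client_round2(st, z, m_primes, table):
    found = {}
    for (c, h, rci), mp in zip(st, m_primes):
        k = mp * pow(z, -rci, P) % P             # K_c:i = M'_i * Z^{-Rc:i} = hc_i^Rs
        t = hk("H2", k, h, c)                    # T_c:i; c_i is in C∩S iff T_c:i is in the table
        if t in table:
            found[c] = xor_pad(hk("H3", k, h, c), table[t])   # decrypt with xi_c:i
    return found
```

The client recovers only the records whose tag it can reproduce; every other Dataj stays encrypted under a key it cannot compute.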
Comparison (APSI)
Scheme | Tools | Model | Adv | Comm | Server Op | Client Op
Camenisch and Zaverucha [FC09] (Certified Sets) | SRSA | Std | Mal | O(w·v) | O(v·w) exps | O(v+w) exps
De Cristofaro et al. [PETS09] (PPIT) | RSA | ROM | HbC | O(w·v) | O(v+w) exps, O(v·w) mults | O(v) exps
De Cristofaro-Tsudik [FC10] | RSA | ROM | HbC | O(w+v) | O(v+w) exps | O(v) exps
Our APSI [Asiacrypt10] | RSA | ROM | Mal | O(w+v) | O(v+w) exps | O(v) exps
Comparison (PSI)
Scheme | Tools | Model | Adv | Server Op | Client Op
Freedman et al. [Eurocr.04] | Oblivious Poly Eval | Standard/ROM | HbC/Malicious | O(w lglg(v)) 160-bit mod 1024 exps | O(w+v) 160-bit mod 1024 exps
Kissner-Song [Crypto’05] | Oblivious Poly Eval | Standard | HbC/Malicious* | O(w·v) m-bit mod 2048 exps | O(w+v) m-bit mod 2048 exps
Hazay-Lindell [TCC08] | DDH | Standard | Covert | O(w+v) 160-bit mod 1024 exps | O(v) 160-bit mod 1024 exps
Jarecki-Liu [TCC09] | OPRF, q-DDH (*) | Standard, CRS | Malicious | O(w) m-bit mod 2048 exps | O(v) m-bit mod 2048 exps
Hazay-Nissim [PKC10] | DDH | Std | Malicious | O(w lglg(v)) 160-bit mod 1024 exps | O(w+v) 160-bit mod 1024 exps
Jarecki-Liu [SCN10] | OneMore-DH | ROM | Malicious | O(w+v) 160-bit mod 1024 exps | O(v) 160-bit mod 1024 exps
De Cristofaro-Tsudik [FC10] | OneMore-RSA | ROM | HbC | O(w+v) 1024-bit mod 1024 exps | O(v) mod mults
Our PSI [Asiacrypt] | DDH | ROM | Malicious | O(w+v) 160-bit mod 1024 exps | O(v) 160-bit mod 1024 exps
Conclusions
Motivated APSI and PSI applications
First linear-complexity APSI secure in the malicious model
• Security in ROM under the RSA and DDH assumptions
Linear-complexity PSI secure in the malicious model
• Security in ROM under the DDH assumption
• Enjoys short exponents
Current Work
• Removing the ROM assumption (journal version)
• Extension to groups
• Size-Hiding PSI: hiding the size of the client’s set
• Cardinality-only Private Set Intersection