SLIDE 1 Are you the one to share? Secret Transfer with Access Structure
Yongjun Zhao, Sherman S.M. Chow Department of Information Engineering The Chinese University of Hong Kong, Hong Kong
SLIDE 2 Private Set Intersection (PSI)
- Compute the intersection π΅ β© πΆ
- without revealing elements β π΅ β© πΆ
? ?
SLIDE 3
Applications of PSI: Common Interests
SLIDE 4
Applications of PSI: Common Customers
SLIDE 5 Classical Definition for PSI
- β±πππ½: π, π β π β© π, β₯
- Well established notion in crypto and security communities
- Other variants: fair PSI (both parties obtain π β© π), multi-party PSI (>2 participants), etc.
π = {π¦1, β¦ , π¦π} π = {π§1, β¦ , π§π} π β© π Input: Output: β₯ client server
SLIDE 6 Classical Definition for PSI (limitation)
- β±πππ½: π, π β (
, β₯)
- One party ALAWYS learns the outcome
π = {π¦1, β¦ , π¦π} π = {π§1, β¦ , π§π} Input: Output: β₯ π β© π client server
SLIDE 7
They do not really match that well
SLIDE 8 Classical Definition (limitation)
- Traditional PSI always reveals the intersection
- Intersection set itself could be:
- Sensitive: threat information
- Commercial asset: customer list
- Personal info: friend list, hobbies, preferences
- Intersection should only be revealed when
necessary (i.e., the interaction satisfying some policy π(β
))
- e.g., the size exceeds some threshold number
SLIDE 9 More βPrivacy-Friendlyβ PSI
- Our new notion: PSI with (monotone) access structure
- Reveal π΅ β© πΆ only if
- Special cases:
- (over) threshold PSI
- Applications:
- Private match-making
- Auditing leakage in information sharing
- Intersection of threat information / suspect lists / customer list
π π΅ β© πΆ = 1 if π΅ β© πΆ β₯ π’ 0 if π΅ β© πΆ < π’ π π΅ β© πΆ = 1
SLIDE 10 Concrete Construction
- We construct PSI with access structure in a modular way
- Roadmap:
OTSA STAS PSI w/ AS
Secret Transfer with Access Structure PSI with Access Structure Oblivious Transfer for a Sparse Array
SLIDE 11 Oblivious Transfer for a Sparse Array
OTSA STAS PSI w/ AS
Secret Transfer with Access Structure PSI with Access Structure Oblivious Transfer for a Sparse Array
SLIDE 12 Oblivious Transfer for a Sparse Array (OTSA)
- β±ππππ΅: π¦, π§ β (πΈ, β₯)
- Generalizing standard π-out-of-π OT:
- π¦1, β¦ , π¦π β {π§1, β¦ , π§π}
- π¦1, β¦ , π¦π β© {π§1, β¦ , π§π} is hidden from receiver
π¦ = {π¦1, β¦ , π¦π} π§ = {(π§1, π1), β¦ , (π§π, ππ)} πΈ = {ππ|π§π β {π¦1, π¦2, β― , π¦π}} Input: Output: β₯
SLIDE 13 Oblivious Polynomial Evaluation (OPE)
- Encode the set {π¦1, β¦ , π¦π} as polynomial:
π = π¦ β π¦1 π¦ β π¦2 β― π¦ β π¦π = π0 + π1π¦ + β― + πππ¦π
- Observation: π§π β π βΊ π π§π = 0
- Given encrypted coefficients π0, π1, β¦ , ππ of a polynomial π
- We can evaluate its value at π¦ via homomorphic encryption:
πΉππππ π π¦ = πΉππππ π0 + π1π¦ + β― + πππ¦π = πΉππππ π0 β πΉππππ π1 β¨π¦ β β― β (πΉππππ(ππ)β¨π¦π)
SLIDE 14 OTSA from Oblivious Polynomial Evaluation
(ππ, π‘π) {π¦1, β¦ , π¦π} {π§1, β¦ , π§π} ππ, πΉππππ π0 , β¦ , πΉππππ(ππ) π¨π = πΉππππ(π
π β
π π§π + ππ)
{π¨1, β¦ , π¨π} if π§π β {π¦1, β¦ , π¦π} π¨π will be decrypted to ππ π¨π will be decrypted to random {π1, β¦ , ππ} if π§π β {π¦1, β¦ , π¦π}
(permuted)
SLIDE 15 Construction of OTSA
- Honest-but-curious model
- extended to malicious model using zero-knowledge proofs (details in the paper)
- Computational complexity: π(ππ) (worse than π(π log π) via generic approach)
- π(π) construction (honest-but-curious) in the paper
- based on garbled Bloom filter [Dong-Chen@CCSβ13]
ππ, πΉππππ π0 , β¦ , πΉππππ(ππ) π¨π = πΉππππ(π
π β
π π§π + ππ)
π¨1, β¦ , π¨π
SLIDE 16 PSI with Access Structure
OTSA STAS PSI w/ AS
Secret Transfer with Access Structure PSI with Access Structure Oblivious Transfer for a Sparse Array
SLIDE 17 Secret Sharing
- Split a secret π‘ into shares
- π‘ can be reconstructed only if βqualifiedβ subset of shares are combined
SecretShare(π‘) β {π‘1, π‘2, β¦ , π‘π} Reconstruct(π‘π1, π‘π2, β¦ , π‘ππ) β π‘ or β₯
access structure: π‘1 AND {π‘2 OR π‘3} AND π‘4 AND π‘5 {π‘1, π‘2, π‘3, π‘4, π‘5} {π‘1, π‘2, π‘4, π‘5} {π‘1, π‘3, π‘4, π‘5} βqualifiedβ subsets:
SLIDE 18 Secret Transfer with Access Structure
π = {π¦1, β¦ , π¦π} π‘, π = π§1, β¦ , π§π π‘ iff π π β© π = 1 Input: Output: β₯ |π β© π| and
SLIDE 19 OTSA + Secret Sharing = STAS
(ππ, π‘π) π = {π¦1, β¦ , π¦π} π = {π§1, β¦ , π§π} ππ, πΉππππ π0 , β¦ , πΉππππ(ππ) π¨π = πΉππππ(π
π β
ππ π§π + π‘π)
π¨1, β¦ , π¨π if π§π β π π¨π will be decrypted to π‘π if π§π β π π¨π will be decrypted to random π‘
SecretShare(π‘) β {π‘1, π‘2, β¦ , π‘π}
SLIDE 20 OTSA + Secret Sharing = STAS
If π β© π satisfies the access structure The receiver can reconstruct the secret π‘ ! (ππ, π‘π) π = {π¦1, β¦ , π¦π} π = {π§1, β¦ , π§π} ππ, πΉππππ π0 , β¦ , πΉππππ(ππ) π¨π = πΉππππ(π
π β
ππ π§π + π‘π)
π¨1, β¦ , π¨π π‘
SecretShare(π‘) β {π‘1, π‘2, β¦ , π‘π}
SLIDE 21 PSI with Access Structure
PSI w/ DT STAS
PSI w/ AS
Secret Transfer with Access Structure PSI with Access Structure Oblivious Transfer for a Sparse Array
SLIDE 22
PSI with Access Structure from STAS
π = {π¦1, β¦ , π¦π} π = {π§1, β¦ , π§π} and π‘ STAS protocol The receiver can reconstruct the secret π‘ if and only if π β© π satisfies the access structure
SLIDE 23
STAS + PSI = PSI with Access Structure
πβ² = {π¦1| π‘, β¦ , π¦π |π‘} Normal PSI πβ² = {π§1| π‘, β¦ , π§π |π‘} If π β© π satisfies the access structure The receiver can learn πβ² β© πβ², which is essentially π β© π
SLIDE 24
PSI with Access Structure
πβ² = {π¦1||π‘β², β¦ , π¦π||π‘β²} If π β© π does not satisfies the access structure The receiver can learn πβ² β© πβ², which is an empty set Normal PSI πβ² = {π§1| π‘, β¦ , π§π |π‘}
SLIDE 25 Concluding Remarks
- We introduce the notions of
- Oblivious Transfer with Spare Array (OTSA)
- Secret Transfer with Access Structure (STAS)
- PSI with Access Structure
- We then construct
- Two OTSA schemes (from OPE / garbled Bloom filter)
- OTSA + Secret Sharing = STAS
- STAS + PSI = PSI with Access Structure
- Future work 1: can we hide |π β© π| in STAS?
- Future work 2: can we support non-monotone access structure?
- {zy113, sherman}@ie.cuhk.edu.hk
Under submission
