Improved Private Set Intersection against Malicious Adversaries - - PowerPoint PPT Presentation

Improved Private Set Intersection

against

Malicious Adversaries

Peter Rindal

Mike Rosulek

Private Set Intersection (PSI)

𝑌 𝑍 𝑌 ∩ 𝑍

Private Set Intersection (PSI)

𝑌 𝑍 𝑌 ∩ 𝑍 PSI

“Sender” “Receiver”

App: Contact discovery Users

Contacts

𝑌 ∩ 𝑍 PSI

Oblivious Transfer (OT)

• Highly efficient and secure protocols exists
• Motivates it use as the basis for PSI

𝑃𝑈

Alice 𝑛0, 𝑛1 ∈ 0,1 𝑚 Bob 𝑑 ∈ {0,1} 𝑛𝑑

Bloom Filter

Plain text data structure similar to hash table

• Allows for testing set membership
• Paramerterized by hash functions ℎ1, … , ℎ𝑙
• , set
• 𝑐 ℎ𝑗(𝑦) = 1

, ∀𝑗 𝑐 =

ℎ𝑙(𝑦) 1

Bloom Filter

Plain 𝑗 (𝑦) =1 , ∀𝑗 ext data structure similar to hash table

• Allows for testing set membership
• Paramerterized by hash functions ℎ1, … , ℎ𝑙
• To insert 𝑦, set
• 𝑐 ℎ 𝑗 ℎ 𝑗 (𝑦) = 1

, ∀𝑗 𝑐 = … ℎ1(𝑦) 1 ℎ2(𝑦) 1

ℎ1(𝑨) ℎ𝑙(𝑨) 1 ℎ2(𝑨) 1

Bloom Filter

Plain 𝑗 (𝑦) =1 , ∀𝑗 ext data structure similar to hash table

• Allows for testing set membership
• Paramerterized by hash functions ℎ1, … , ℎ𝑙
• To insert 𝑦, set
• 𝑐 ℎ 𝑗 ℎ 𝑗 (𝑦) = 1

, ∀𝑗 𝑐 = … 1 1 1 1 1 1

Bloom Filter

• Plain text data structure similar to hash table
• Allows for testing set membership
• Paramerterized by hash functions ℎ1, … , ℎ𝑜
• To insert 𝑦, set
• 𝑐 ℎ𝑗(𝑦) = 1

, ∀𝑗

• To test membership
• Return ∧𝑗 𝑐 ℎ𝑗 𝑦

𝑐 = 1 1 1 1 1 1 1 1

Bloom Filter

• Plain text data structure similar to hash table
• Allows for testing set membership
• Paramerterized by hash functions ℎ1, … , ℎ𝑜
• To insert 𝑦, set
• 𝑐 ℎ𝑗(𝑦) = 1

, ∀𝑗

• To test membership
• Return ∧𝑗 𝑐 ℎ𝑗 𝑦

𝑐 = … ℎ1(𝑦) ℎ𝑙(𝑦) ℎ2(𝑦) 1 1 1 1 1 1 1 1

… ℎ1(𝑦) ℎ𝑙(𝑦) ℎ2(𝑦)

Bloom Filter

𝑜 items → Bloom filter with 𝑛 slots and 𝑙 hash functions

• Membership:
• Pr[ false negatives ] = 0
• 1 − 𝑓−

𝑙𝑜 𝑛 𝑙

≈ 2−𝑙

𝑐 = 1 1 1 1 1 1 1 1

… ℎ𝑙(𝑧) ℎ2(𝑧)

Bloom Filter

𝑙𝑜 𝑛 𝑙𝑙𝑜𝑜 𝑙𝑜 𝑛 𝑛𝑛 𝑙𝑜 𝑛 𝑓 − 𝑙𝑜 𝑛 1 − 𝑓 − 𝑙𝑜 𝑛 1 − 𝑓 − 𝑙𝑜 𝑛 𝑙 𝑙𝑙 1 − 𝑓 − 𝑙𝑜 𝑛 𝑙 𝑓 − 𝑙𝑜 𝑛 𝑓𝑓 𝑓 − 𝑙𝑜 𝑛 − − 1 − 𝑓 − 𝑙𝑜 𝑛 𝑙 1 − 𝑓 − 𝑙𝑜 𝑛 1𝑜 items → Bloom filter with 𝑛

slots and 𝑙 hash functions

• Membership:
• Pr[ false negatives ] = 0
• Pr[ false positives ] = 1 − 𝑓−

𝑙𝑜 𝑛 𝑙

≈ 2−𝑙

𝑐 = 1 1 1 1 1 1 1 1 ℎ1(𝑧)

… ℎ𝑙(𝑧) ℎ2(𝑧)

Bloom Filter

≈ 2 −𝑙 2 2 −𝑙 −𝑙𝑙 2 −𝑙 ≈ 2 −𝑙 2 2 −𝑙 −𝑙𝑙 2 −𝑙 𝑙𝑜 𝑛 𝑙𝑙𝑜𝑜 𝑙𝑜 𝑛 𝑛𝑛 𝑙𝑜 𝑛 𝑓 − 𝑙𝑜 𝑛 1 − 𝑓 − 𝑙𝑜 𝑛 1 − 𝑓 − 𝑙𝑜 𝑛 𝑙 𝑙𝑙 1 − 𝑓 − 𝑙𝑜 𝑛 𝑙 𝑓 − 𝑙𝑜 𝑛 𝑓𝑓 𝑓 − 𝑙𝑜 𝑛 − − 1 − 𝑓 − 𝑙𝑜 𝑛 𝑙 1 − 𝑓 − 𝑙𝑜 𝑛 1𝑜 items → Bloom filter with 𝑛

slots and 𝑙 hash functions

• Membership:

≈ 2−𝑙 ≈ 2−𝑙 ≈ 2−𝑙

𝑐 = 1 1 1 1 1 1 1 1 ℎ1(𝑧)

Bloom Filter Intersection

• Bitwise AND 𝐶𝑌 ∧ 𝐶𝑍

is a Bloom filter for 𝑌 ∩ 𝑍

1 1 1 1 1 1 1 1 𝐶𝑌 ℎ𝑗(𝑏) ℎ𝑗(𝑐) ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝐶𝑍 𝑌 = {𝑏, 𝑐} 𝑍 = {𝑏, 𝑑}

Bloom Filter Intersection

• Bitwise AND 𝐶𝑌 ∧ 𝐶𝑍

is a Bloom filter for 𝑌 ∩ 𝑍

1 1 1 1 1 1 1 1 𝐶𝑌 ℎ𝑗(𝑏) ℎ𝑗(𝑐) ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝐶𝑍 𝑌 = {𝑏, 𝑐} 𝑍 = {𝑏, 𝑑} 1 1 𝟐 𝐶𝑌 ∧ 𝐶𝑍 ℎ𝑗(𝑏)

Bloom Filter Protocol

1 1 1 1 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝐶𝑍 𝑍 = {𝑏, 𝑑}

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕

𝒏𝒋 ← 𝟏, 𝟐 𝝀 [DongChenWen13, PinkasSchniederZohner14]

Bloom Filter Protocol

1 1 1 1 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝐶𝑍 𝑍 = {𝑏, 𝑑}

𝑃𝑈 𝑃𝑈

…

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕

𝒏𝒋 ← 𝟏, 𝟐 𝝀 [DongChenWen13, PinkasSchniederZohner14]

Bloom Filter Protocol

1 1 1 1 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝐶𝑍 𝑍 = {𝑏, 𝑑}

𝑃𝑈 𝑃𝑈

…

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕 𝒏𝟏 ⊥ ⊥ 𝒏𝟒 ⊥ 𝒏𝟔 𝒏𝟕

Garbled Bloom filter [DongChenWen13, PinkasSchniederZohner14]

Bloom Filter Protocol

1 1 1 1 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝐶𝑍 𝑍 = {𝑏, 𝑑}

𝑃𝑈 𝑃𝑈

…

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕 𝒏𝟏 ⊥ ⊥ 𝒏𝟒 ⊥ 𝒏𝟔 𝒏𝟕

𝑌 = {𝑏, 𝑐} 1 1 1 1 𝐶𝑌 ℎ𝑗(𝑏) ℎ𝑗(𝑐) Garbled Bloom filter [DongChenWen13, PinkasSchniederZohner14]

Bloom Filter Protocol

1 1 1 1 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝐶𝑍 𝑍 = {𝑏, 𝑑}

𝑃𝑈 𝑃𝑈

…

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕 𝒏𝟏 ⊥ ⊥ 𝒏𝟒 ⊥ 𝒏𝟔 𝒏𝟕

𝒀 = 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

𝑌 = {𝑏, 𝑐} 1 1 1 1 𝐶𝑌 ℎ𝑗(𝑏) ℎ𝑗(𝑐) Garbled Bloom filter [DongChenWen13, PinkasSchniederZohner14]

Bloom Filter Protocol

1 1 1 1 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝐶𝑍 𝑍 = {𝑏, 𝑑}

𝑃𝑈 𝑃𝑈

…

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕 𝒏𝟏 ⊥ ⊥ 𝒏𝟒 ⊥ 𝒏𝟔 𝒏𝟕

𝒀 = 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

𝑌 = {𝑏, 𝑐} 1 1 1 1 𝐶𝑌 ℎ𝑗(𝑏) ℎ𝑗(𝑐)

Output the intersection

𝒀 ∩ 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟒 ⊕ 𝒏𝟕

Garbled Bloom filter [DongChenWen13, PinkasSchniederZohner14]

Semi-Honest Security

[DongChenWen13, PinkasSchniederZohner14]

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝒀 = 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

Output: 𝒀 ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝑌 = {𝑏, 𝑐}

OT

𝒏𝟏 ⊥ ⊥ 𝒏𝟒 ⊥ 𝒏𝟔 𝒏𝟕

1 1 1 1

Naturally secure against Sender.

• OT hides select bits
• Final message sent to Receiver
• ∉ 𝑍, Receiver learns encoding

e.g. Encode 𝑧′ = 𝑛3 ⊕ 𝑛4

• DCW13 show equivalence to false positive in

standard bloom filter

• Pr[ false positives ] ≈ 2−𝑙

Semi-Honest Security

[DongChenWen13, PinkasSchniederZohner14]

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝒀 = 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

Output: 𝒀 ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝑌 = {𝑏, 𝑐}

OT

𝒏𝟏 ⊥ ⊥ 𝒏𝟒 ⊥ 𝒏𝟔 𝒏𝟕

1 1 1 1

𝑧 ′ ∉𝑍𝑍, Receiver learns encoding

Naturally secure against Sender.

• OT hides select bits
• Final message sent to Receiver
• Secure against Receiver
• Attack: For 𝑧 ′ ′ ′ ∉ 𝑍, Receiver learns encoding

e.g. Encode 𝑧′ = 𝑛3 ⊕ 𝑛4

• DCW13 show equivalence to false positive in

standard bloom filter

• Pr[ false positives ] ≈ 2−𝑙

Semi-Honest Security

[DongChenWen13, PinkasSchniederZohner14]

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝒀 = 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

Output: 𝒀 ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝑌 = {𝑏, 𝑐}

OT

𝒏𝟏 ⊥ ⊥ 𝒏𝟒 ⊥ 𝒏𝟔 𝒏𝟕

1 1 1 1

e.g. Encode 𝑧′ 𝑧𝑧′ 𝑧′ = 𝑛 3 𝑛𝑛 𝑛 3 3 𝑛 3 ⊕ 𝑛 4 𝑛𝑛 𝑛 4 4 𝑛 4 𝑧 ′ ∉𝑍𝑍, Receiver learns encoding

Naturally secure against Sender.

• OT hides select bits
• Final message sent to Receiver
• Secure against Receiver

ncode 𝑧′ = 𝑛3 ⊕ 𝑛4 e.g. Encode 𝑧′ = 𝑛3 ⊕ 𝑛4

• DCW13 show equivalence to false positive in

standard bloom filter

• Pr[ false positives ] ≈ 2−𝑙

Semi-Honest Security

[DongChenWen13, PinkasSchniederZohner14]

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝒀 = 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

Output: 𝒀 ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝑌 = {𝑏, 𝑐}

OT

𝒏𝟏 ⊥ ⊥ 𝒏𝟒 ⊥ 𝒏𝟔 𝒏𝟕

1 1 1 1

e.g. Encode 𝑧′ 𝑧𝑧′ 𝑧′ = 𝑛 3 𝑛𝑛 𝑛 3 3 𝑛 3 ⊕ 𝑛 4 𝑛𝑛 𝑛 4 4 𝑛 4 𝑧 ′ ∉𝑍𝑍, Receiver learns encoding

Naturally secure against Sender.

• OT hides select bits
• Final message sent to Receiver
• Secure against Receiver

ncode 𝑧′ = 𝑛3 ⊕ 𝑛4 e.g. Encode 𝑧′ = 𝑛3 ⊕ 𝑛4

• DCW13 show equivalence to false positive in

standard bloom filter

• DCW13 show equivalence to false positive in

standard bloom filter

• Pr[ false positives ] ≈ 2−𝑙

Semi-Honest Security

[DongChenWen13, PinkasSchniederZohner14]

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝒀 = 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

Output: 𝒀 ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝑌 = {𝑏, 𝑐}

OT

𝒏𝟏 ⊥ ⊥ 𝒏𝟒 ⊥ 𝒏𝟔 𝒏𝟕

1 1 1 1

2 −𝑙 2 2 −𝑙 −𝑙𝑙 2 −𝑙 e.g. Encode 𝑧′ 𝑧𝑧′ 𝑧′ = 𝑛 3 𝑛𝑛 𝑛 3 3 𝑛 3 ⊕ 𝑛 4 𝑛𝑛 𝑛 4 4 𝑛 4 𝑧 ′ ∉𝑍𝑍, Receiver learns encoding

Naturally secure against Sender.

• OT hides select bits
• Final message sent to Receiver
• Secure against Receiver

ncode 𝑧′ = 𝑛3 ⊕ 𝑛4 e.g. Encode 𝑧′ = 𝑛3 ⊕ 𝑛4

• DCW13 show equivalence to false positive in standard

bloom filter

• Pr[ false positives ] ≈ 2−𝑙
• Pr[ false positives ] ≈ 2−𝑙

Malicious Receiver

Insecure against Receiver

• Bloom filter
• Receiver will obtain all 𝑛𝑗
• Can probe for 𝒏𝟑 ⊕ 𝒏𝟒

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝒀 = 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

Output: 𝒀 ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝑌 = {𝑏, 𝑐}

OT

𝒏𝟏 ⊥ ⊥ 𝒏𝟒 ⊥ 𝒏𝟔 𝒏𝟕

1 1 1 1

Malicious Receiver

Bloom filter Insecure against Receiver

• Consider all 1 Bloom filter
• Receiver will obtain all 𝑛𝑗
• Can probe for 𝒏𝟑 ⊕ 𝒏𝟒

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝒀 = 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

Output: 𝒀 ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝑌 = {𝑏, 𝑐}

OT

𝒏𝟏 ⊥ ⊥ 𝒏𝟒 ⊥ 𝒏𝟔 𝒏𝟕

1 1 1 1 1 1 1

Malicious Receiver

Bloom filter Insecure against Receiver

• Receiver will obtain all 𝑛 𝑗
• 𝑗 𝑗 𝑗
• Receiver will obtain all 𝑛𝑗
• Can probe for 𝒏𝟑 ⊕ 𝒏𝟒

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝒀 = 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

Output: 𝒀 ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝑌 = {𝑏, 𝑐}

OT

𝒏𝟏 𝒏𝟐 𝒏𝟑 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟕

1 1 1 1 1 1 1

Malicious Receiver

𝒏 𝟒 𝒏𝒏 𝒏 𝟒 𝟒𝟒 𝒏 𝟒

Bloom filter Insecure against Receiver

• Receiver will obtain all 𝑛 𝑗
• Can probe for 𝒏 𝟑 ⊕ 𝟑 𝟑 𝟑 ⊕ 𝒏𝟒
• Receiver will obtain all 𝑛𝑗
• Can probe for 𝒏𝟑 ⊕ 𝒏𝟒

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

Output: 𝒀 ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝑌 = {𝑏, 𝑐}

OT

𝒏𝟏 𝒏𝟐 𝒏𝟑 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟕

1 1 1 1 1 1 1 𝒀 = 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕 𝒏𝟏 𝒏𝟐 𝒏𝟑 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟕

Warm-Up: The DongChenWen13 Approach

Goal − restrict the Receiver to a valid Bloom filter

• bits contains 1

2 𝑛 ones

• Make Receiver prove zero choice bits
• Sample random key 𝑡 ← 0,1 𝜆
• Generate a 𝑛

2 out of 𝑛 secret sharing of 𝑡

• 𝑡1, … , 𝑡𝑛
• Transmit 𝑡𝑗 as the 𝑗th zero OT message
• Encrypt summary values with 𝑡

1 1 1 1 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝑌 = {𝑏, 𝑐}

OT

1 1 1

Output: 𝒀 ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝒀 = 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕 𝒏𝟏 𝒏𝟐 𝒏𝟑 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟕

Warm-Up: The DongChenWen13 Approach

1 2 2 1 2 𝑛𝑛 ones

Goal − restrict the Receiver to a valid

Bloom filter

• Bloom filter of 𝑛 bits contains 1 2 𝑛 ones
• Make Receiver prove zero choice bits
• Sample random key 𝑡 ← 0,1 𝜆
• Generate a 𝑛

2 out of 𝑛 secret sharing of 𝑡

• 𝑡1, … , 𝑡𝑛
• Transmit 𝑡𝑗 as the 𝑗th zero OT message
• Encrypt summary values with 𝑡

1 1 1 1 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝑌 = {𝑏, 𝑐}

OT

1 1 1

Output: 𝒀 ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝒀 = 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕 𝒏𝟏 𝒏𝟐 𝒏𝟑 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟕

Warm-Up: The DongChenWen13 Approach

0,1 𝜆 0,1 0,1 0,1 0,1 𝜆 𝜆𝜆 0,1 𝜆 1 2 2 1 2 𝑛𝑛 ones

Goal − restrict the Receiver to a valid Bloom

filter

• Bloom filter of 𝑛 bits contains 1 2 𝑛 ones
• Make Receiver prove zero choice bits
• Sample random key 𝑡 ← 0,1 𝜆
• Sample random key 𝑡 ← 0,1 𝜆
• Generate a 𝑛

2 out of 𝑛 secret sharing of 𝑡

• 𝑡1, … , 𝑡𝑛
• Transmit 𝑡𝑗 as the 𝑗th zero OT message
• Encrypt summary values with 𝑡

1 1 1 1 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝑌 = {𝑏, 𝑐}

OT

1 1 1

Output: 𝒀 ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝒀 = 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

⊥ 𝒏𝟏 𝒏𝟐 𝒏𝟑 ⋮ 𝒏𝟒 𝒏𝟓 𝒏𝟔 ⊥ 𝒏𝟕 𝒏𝟏 𝒏𝟐 𝒏𝟑 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟕

Warm-Up: The DongChenWen13 Approach

𝑡 1 ,…, 𝑡 𝑛 𝑡𝑡 𝑡 𝑛 𝑛𝑛 𝑡 𝑛 𝑛 2 out of 𝑛𝑛 secret sharing of 𝑡𝑡 0,1 𝜆 0,1 0,1 0,1 0,1 𝜆 𝜆𝜆 0,1 𝜆 1 2 2 1 2 𝑛𝑛 ones

Goal − restrict the Receiver to a valid Bloom filter

• Bloom filter of 𝑛 bits contains 1 2 𝑛 ones
• Make Receiver prove zero choice bits
• 𝑡 1 1 1 , … , 𝑡𝑛
• Sample random key 𝑡 ← 0,1 𝜆
• Generate a

𝑛 2 out of 𝑛 secret sharing of 𝑡

• 𝑡1, … , 𝑡𝑛
• Transmit 𝑡𝑗 as the 𝑗th zero OT message
• Encrypt summary values with 𝑡

1 1 1 1 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝑌 = {𝑏, 𝑐}

OT

1 1 1

Output: 𝒀 ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝒀 = 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

𝒏𝟏 𝒏𝟐 𝒏𝟑 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟕

Warm-Up: The DongChenWen13 Approach

as the 𝑗𝑗th zero OT message 𝑡 1 ,…, 𝑡 𝑛 𝑡𝑡 𝑡 𝑛 𝑛𝑛 𝑡 𝑛 𝑛 2 out of 𝑛𝑛 secret sharing of 𝑡𝑡 0,1 𝜆 0,1 0,1 0,1 0,1 𝜆 𝜆𝜆 0,1 𝜆 1 2 2 1 2 𝑛𝑛 ones

Goal − restrict the Receiver to a valid Bloom filter

• Bloom filter of 𝑛 bits contains 1 2 𝑛 ones
• Make Receiver prove zero choice bits
• 𝑡 1 1 1 , … , 𝑡𝑛
• Transmit 𝑡 𝑗 𝑗 𝑗 𝑗 as the 𝑗th zero OT message
• Generate a 𝑛

2 out of 𝑛 secret sharing of 𝑡

• 𝑡1, … , 𝑡𝑛
• Transmit 𝑡𝑗 as the 𝑗th zero OT message
• Encrypt summary values with 𝑡

1 1 1 1 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝑌 = {𝑏, 𝑐}

OT

1 1 1

Output: 𝒀 ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝒀 = 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

𝒕𝟏 𝒏𝟏 𝒕𝟐 𝒏𝟐 𝒕𝟑 𝒏𝟑 𝒕𝟒 𝒏𝟒 𝒕𝟓 𝒏𝟓 𝒕𝟔 𝒏𝟔 𝒕𝟕 𝒏𝟕

𝒏𝟏 𝒏𝟐 𝒏𝟑 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟕

Warm-Up: The DongChenWen13 Approach

as the 𝑗𝑗th zero OT message 𝑡 1 ,…, 𝑡 𝑛 𝑡𝑡 𝑡 𝑛 𝑛𝑛 𝑡 𝑛 𝑛 2 out of 𝑛𝑛 secret sharing of 𝑡𝑡 0,1 𝜆 0,1 0,1 0,1 0,1 𝜆 𝜆𝜆 0,1 𝜆 1 2 2 1 2 𝑛𝑛 ones

Goal − restrict the Receiver to a valid Bloom filter

• Bloom filter of 𝑛 bits contains 1 2 𝑛 ones
• Make Receiver prove zero choice bits
• 𝑡 1 1 1 , … , 𝑡𝑛
• Encrypt summary values with 𝑡Generate a 𝑛

2 out of 𝑛 secret

sharing of 𝑡

• 𝑡1, … , 𝑡𝑛
• Transmit 𝑡𝑗 as the 𝑗th zero OT message
• Encrypt summary values with 𝑡

1 1 1 1 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝑌 = {𝑏, 𝑐}

OT

1 1 1

Output: 𝒀 ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕

𝒕𝟏 𝒏𝟏 𝒕𝟐 𝒏𝟐 𝒕𝟑 𝒏𝟑 𝒕𝟒 𝒏𝟒 𝒕𝟓 𝒏𝟓 𝒕𝟔 𝒏𝟔 𝒕𝟕 𝒏𝟕

𝒀 = 𝔽𝒕 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

𝒏𝟏 𝒏𝟐 𝒏𝟑 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟕

Warm-Up: The DongChenWen13 Approach

as the 𝑗𝑗th zero OT message 𝑡 1 ,…, 𝑡 𝑛 𝑡𝑡 𝑡 𝑛 𝑛𝑛 𝑡 𝑛 𝑛 2 out of 𝑛𝑛 secret sharing of 𝑡𝑡 0,1 𝜆 0,1 0,1 0,1 0,1 𝜆 𝜆𝜆 0,1 𝜆 1 2 2 1 2 𝑛𝑛 ones

Goal − restrict the Receiver to a valid Bloom filter

• Bloom filter of 𝑛 bits contains 1 2 𝑛 ones
• Make Receiver prove zero choice bits
• 𝑡 1 1 1 , … , 𝑡𝑛
• Encrypt summary values with 𝑡Generate a 𝑛

2 out of 𝑛 secret

sharing of 𝑡

• 𝑡1, … , 𝑡𝑛
• Transmit 𝑡𝑗 as the 𝑗th zero OT message
• Encrypt summary values with 𝑡

1 1 1 1 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝑌 = {𝑏, 𝑐}

OT

1 1 1

Output:

𝒕𝟏 𝒏𝟏 𝒕𝟐 𝒏𝟐 𝒕𝟑 𝒏𝟑 𝒕𝟒 𝒏𝟒 𝒕𝟓 𝒏𝟓 𝒕𝟔 𝒏𝟔 𝒕𝟕 𝒏𝟕

𝒀 = 𝔽𝒕 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

Output: 𝔼𝒕( 𝒀) ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕

𝒏𝟏 𝒏𝟐 𝒏𝟑 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟕

Warm-Up: The DongChenWen13 Approach

as the 𝑗𝑗th zero OT message 𝑡 1 ,…, 𝑡 𝑛 𝑡𝑡 𝑡 𝑛 𝑛𝑛 𝑡 𝑛 𝑛 2 out of 𝑛𝑛 secret sharing of 𝑡𝑡 0,1 𝜆 0,1 0,1 0,1 0,1 𝜆 𝜆𝜆 0,1 𝜆 1 2 2 1 2 𝑛𝑛 ones

Goal − restrict the Receiver to a valid Bloom filter

• Bloom filter of 𝑛 bits contains 1 2 𝑛 ones
• Make Receiver prove zero choice bits
• 𝑡 1 1 1 , … , 𝑡𝑛
• Encrypt summary values with 𝑡Generate a 𝑛

2 out of 𝑛 secret

sharing of 𝑡

• 𝑡1, … , 𝑡𝑛
• Transmit 𝑡𝑗 as the 𝑗th zero OT message
• Encrypt summary values with 𝑡

1 1 1 1 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝑌 = {𝑏, 𝑐}

OT

1 1 1

Output:

𝒕𝟏 𝒏𝟏 𝒕𝟐 𝒏𝟐 𝒕𝟑 𝒏𝟑 𝒕𝟒 𝒏𝟒 𝒕𝟓 𝒏𝟓 𝒕𝟔 𝒏𝟔 𝒕𝟕 𝒏𝟕

𝒀 = 𝔽𝒕 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

Output: 𝔼𝒕( 𝒀) ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 1 1 1

Warm-Up: The DongChenWen13 Approach

• Goal − restrict the Receiver to a valid

Bloom filter

• Bloom filter of 𝑛 bits contains 1

2 𝑛 ones

• Make Receiver prove zero choice bits
• Sample random key 𝑡 ← 0,1 𝜆
• Generate a 𝑛

2 out of 𝑛 secret sharing of 𝑡

• 𝑡1, … , 𝑡𝑛
• Transmit 𝑡𝑗 as the 𝑗th zero OT message
• Encrypt summary values with 𝑡

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝑌 = {𝑏, 𝑐}

OT

𝒕𝟏 𝒏𝟏 𝒕𝟐 𝒏𝟐 𝒕𝟑 𝒏𝟑 𝒕𝟒 𝒏𝟒 𝒕𝟓 𝒏𝟓 𝒕𝟔 𝒏𝟔 𝒕𝟕 𝒏𝟕

Output:

𝒀 = 𝔽𝒕 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

𝔼𝒕( 𝒀) ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕

𝒏𝟏 𝒕𝟐 𝒕𝟑 𝒏𝟒 𝒕𝟓 𝒏𝟔 𝒏𝟕

1 1 1 1

Warm-Up: The DongChenWen13 Approach

Is this secure?

• 𝑛

2 ones

• Selective failure attack by the Sender…

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝑌 = {𝑏, 𝑐}

OT

𝒕𝟏 𝒏𝟏 𝒕𝟐 𝒏𝟐 𝒕𝟑 𝒏𝟑 𝒕𝟒 𝒏𝟒 𝒕𝟓 𝒏𝟓 𝒕𝟔 𝒏𝟔 𝒕𝟕 𝒏𝟕

Output:

𝒀 = 𝔽𝒕 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

𝔼𝒕( 𝒀) ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕

𝒏𝟏 𝒕𝟐 𝒕𝟑 𝒏𝟒 𝒕𝟓 𝒏𝟔 𝒏𝟕

1 1 1 1 [RindalRosulek17, Lambaek17]

Warm-Up: The DongChenWen13 Approach

𝑛 2 𝑛𝑛 𝑛 2 2 𝑛 2 ones

Is this secure?

• Receiver is forced to use ≤ 𝑛

2 ones

• Selective failure attack by the Sender…

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝑌 = {𝑏, 𝑐}

OT

𝒕𝟏 𝒏𝟏 𝒕𝟐 𝒏𝟐 𝒕𝟑 𝒏𝟑 𝒕𝟒 𝒏𝟒 𝒕𝟓 𝒏𝟓 𝒕𝟔 𝒏𝟔 𝒕𝟕 𝒏𝟕

Output:

𝒀 = 𝔽𝒕 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

𝔼𝒕( 𝒀) ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕

𝒏𝟏 𝒕𝟐 𝒕𝟑 𝒏𝟒 𝒕𝟓 𝒏𝟔 𝒏𝟕

1 1 1 1 [RindalRosulek17, Lambaek17]

Warm-Up: The DongChenWen13 Approach

𝑛 2 𝑛𝑛 𝑛 2 2 𝑛 2 ones

Is this secure?

• Selective failure attack by the Sender…

Selective failure attack by the Sender… ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝑌 = {𝑏, 𝑐}

OT

𝒕𝟏 𝒏𝟏 𝒕𝟐 𝒏𝟐 𝒕𝟑 𝒏𝟑 𝒕𝟒 𝒏𝟒 𝒕𝟓 𝒏𝟓 𝒕𝟔 𝒏𝟔 𝒕𝟕 𝒏𝟕

Output:

𝒀 = 𝔽𝒕 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

𝔼𝒕( 𝒀) ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕

𝒏𝟏 𝒕𝟐 𝒕𝟑 𝒏𝟒 𝒕𝟓 𝒏𝟔 𝒏𝟕

1 1 1 1 [RindalRosulek17, Lambaek17]

𝒏𝟏 𝒕𝟐 𝒕𝟑 𝒏𝟒 𝒕𝟓 𝒏𝟔 𝒏𝟕

1 1 1 1

Warm-Up: The DongChenWen13 Approach

• Is this secure?
• Receiver is forced to use ≤ 𝑛

2 ones

• Selective failure attack by the Sender…
• Example Attack:
• replace 𝑡4 with random value 𝑠

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝑌 = {𝑏, 𝑐}

OT

𝒕𝟏 𝒏𝟏 𝒕𝟐 𝒏𝟐 𝒕𝟑 𝒏𝟑 𝒕𝟒 𝒏𝟒 𝒏𝟓 𝒕𝟔 𝒏𝟔 𝒕𝟕 𝒏𝟕

Output:

𝒀 = 𝔽𝒕 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

𝔼𝒕( 𝒀) ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝑠 [RindalRosulek17, Lambaek17]

𝒏𝟏 𝒕𝟐 𝒕𝟑 𝒏𝟒 𝒏𝟔 𝒏𝟕

1 1 1 1

Warm-Up: The DongChenWen13 Approach

Is this secure?

• Receiver is forced to use ≤ 𝑛

2 ones

• Selective failure attack by the Sender…
• Example Attack:
• replace 𝑡4 with random value 𝑠
• Can not reconstruct 𝑡 if 𝑠 is picked up
• ∀𝑧 ∈ 𝑍 ∶

ℎ𝑗 𝑧 ≠ 4

• Can not be simulated!

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝑌 = {𝑏, 𝑐}

OT

𝒕𝟏 𝒏𝟏 𝒕𝟐 𝒏𝟐 𝒕𝟑 𝒏𝟑 𝒕𝟒 𝒏𝟒 𝒏𝟓 𝒕𝟔 𝒏𝟔 𝒕𝟕 𝒏𝟕

Output:

𝒀 = 𝔽𝒕 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

𝔼𝒕( 𝒀) ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝑠 𝑠 [RindalRosulek17, Lambaek17]

𝒏𝟏 𝒕𝟐 𝒕𝟑 𝒏𝟒 𝒏𝟔 𝒏𝟕

1 1 1 1

Warm-Up: The DongChenWen13 Approach

∀𝑧𝑧∈𝑍𝑍 : ℎ 𝑗 ℎ ℎ 𝑗 𝑗𝑗 ℎ 𝑗 𝑧 𝑧𝑧 𝑧 ≠4 Is this secure?

• Receiver is forced to use ≤ 𝑛

2 ones

• Selective failure attack by the Sender…
• Example Attack:
• replace 𝑡4 with random value 𝑠
• Can not reconstruct 𝑡 if 𝑠 is picked up
• Can not be simulated! Can not be simulated!

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

… 𝑌 = {𝑏, 𝑐}

OT

𝒕𝟏 𝒏𝟏 𝒕𝟐 𝒏𝟐 𝒕𝟑 𝒏𝟑 𝒕𝟒 𝒏𝟒 𝒏𝟓 𝒕𝟔 𝒏𝟔 𝒕𝟕 𝒏𝟕

Output:

𝒀 = 𝔽𝒕 𝒏𝟏 ⊕ 𝒏𝟔, 𝒏𝟑 ⊕ 𝒏𝟒

𝔼𝒕( 𝒀) ∩ 𝒏𝟏 ⊕ 𝒏𝟔,

𝒏𝟒 ⊕ 𝒏𝟕 𝑠 𝑠 [RindalRosulek17, Lambaek17]

Cut and Choose Approach

Make Receiver p

OT

…

OT

1 1 1 Random 1

𝒔𝟏 𝒔𝟐 𝒔𝟒 𝒔𝟓 𝒔𝟔 𝒔𝟖 𝒔𝟗 𝒏𝟏 𝒏𝟐 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟖 𝒏𝟗 𝒔𝟏 𝒏𝟐 𝒏𝟒 𝒏𝟓 𝒔𝟔 𝒔𝟖 𝒏𝟗

1

𝒔𝟑 𝒔𝟕 𝒏𝟑 𝒏𝟕 𝒔𝟑 𝒏𝟕

[RindalRosulek17]

Cut and Choose Approach

Make Receiver p

• Sender challenges on a subset of OT
• Receiver must reveal select bits

OT

…

OT

1 1 1 Random 1

𝒔𝟏 𝒔𝟐 𝒔𝟒 𝒔𝟓 𝒔𝟔 𝒔𝟖 𝒔𝟗 𝒏𝟏 𝒏𝟐 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟖 𝒏𝟗 𝒔𝟏 𝒏𝟐 𝒏𝟒 𝒏𝟓 𝒔𝟔 𝒔𝟖 𝒏𝟗

1

𝒔𝟑 𝒔𝟕 𝒏𝟑 𝒏𝟕 𝒔𝟑 𝒏𝟕

[RindalRosulek17]

Cut and Choose Approach

Make Receiver p

• Sender challenges on a subset of OT
• Receiver must reveal select bits

OT

…

OT

1 1 1 Random 1

𝒔𝟏 𝒔𝟐 𝒔𝟒 𝒔𝟓 𝒔𝟔 𝒔𝟖 𝒔𝟗 𝒏𝟏 𝒏𝟐 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟖 𝒏𝟗 𝒔𝟏 𝒏𝟐 𝒏𝟒 𝒏𝟓 𝒔𝟔 𝒔𝟖 𝒏𝟗

1

𝒔𝟑 𝒔𝟕 𝒏𝟑 𝒏𝟕 𝒔𝟑 𝒏𝟕

[RindalRosulek17]

Cut and Choose Approach

Make Receiver p 2 zero bits, aborts otherwise

• Sender challenges on a subset of OT
• Receiver must reveal select bits
• Expect to see 1 2 zero bits, aborts otherwise

OT

…

OT

1 1 1 Random 1

𝒔𝟏 𝒔𝟐 𝒔𝟒 𝒔𝟓 𝒔𝟔 𝒔𝟖 𝒔𝟗 𝒏𝟏 𝒏𝟐 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟖 𝒏𝟗 𝒔𝟏 𝒏𝟐 𝒏𝟒 𝒏𝟓 𝒔𝟔 𝒔𝟖 𝒏𝟗

1

𝒔𝟑 𝒔𝟕 𝒏𝟑 𝒏𝟕 𝒔𝟑 𝒏𝟕 𝒔𝟑 𝒏𝟕

[RindalRosulek17]

Cut and Choose Approach

• Make Receiver prove zero bits in an

input-independent way

• Receiver uses random OT select bits
• Sender challenges on a subset of OT
• Receiver must reveal select bits
• Expect to see 1

2 zero bits, aborts otherwise

OT

1 Random

𝒔𝟏 𝒔𝟐 𝒏𝟏 𝒏𝟐 𝒔𝟏 𝒏𝟐 𝒔𝟒

… 1 1

𝒔𝟓 𝒔𝟔 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟒 𝒏𝟓 𝒔𝟔 OT

1

𝒔𝟖 𝒔𝟗 𝒏𝟖 𝒏𝟗 𝒔𝟖 𝒏𝟗

[RindalRosulek17]

Cut and Choose Approach

• Issue: Remaining OTs do not form valid Bloom

filter

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑} [RindalRosulek17]

OT

1

𝒔𝟏 𝒔𝟐 𝒏𝟏 𝒏𝟐 𝒔𝟏 𝒏𝟐 𝒔𝟒

… 1 1

𝒔𝟓 𝒔𝟔 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟒 𝒏𝟓 𝒔𝟔 OT

1

𝒔𝟖 𝒔𝟗 𝒏𝟖 𝒏𝟗 𝒔𝟖 𝒏𝟗

Cut and Choose Approach

I

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑} [RindalRosulek17]

OT

1

𝒔𝟏 𝒏𝟏 𝒔𝟏

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

… 1 1

𝒔𝟒 𝒏𝟒 𝒏𝟒

1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟔 𝒏𝟔 𝒔𝟔 OT

1 1

𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗

Cut and Choose Approach

I andom OTs →desired 𝐶𝐺

• Randomly permute OTs to form Bloom filter
• 𝜌 𝑠andom OTs → desired 𝐶𝐺

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑} [RindalRosulek17]

OT

1

𝒔𝟏 𝒏𝟏 𝒔𝟏

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

… 1 1

𝒔𝟒 𝒏𝟒 𝒏𝟒

1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟔 𝒏𝟔 𝒔𝟔 OT

1 1

𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗

𝜌

𝒔𝟏 𝒏𝟏 𝒔𝟏

Cut and Choose Approach

• Issue: Remaining OTs do not form valid Bloom

filter

• Constructs desired Bloom filter
• Randomly permute OTs to form Bloom filter
• 𝜌 random OTs

→ desired 𝐶𝐺 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑} [RindalRosulek17]

OT

1 1

𝒔𝟐 𝒏𝟐 𝒏𝟐

… 1 1

𝒔𝟒 𝒏𝟒 𝒏𝟒 𝒔𝟔 𝒏𝟔 𝒔𝟔 OT

1 1

𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗

1

𝒔𝟓 𝒏𝟓 𝒏𝟓

𝜌

Cut and Choose Approach

• Issue: Remaining OTs do not form valid Bloom

filter

• Constructs desired Bloom filter
• Randomly permute OTs to form Bloom filter
• 𝜌 random OTs

→ desired 𝐶𝐺 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑} [RindalRosulek17]

OT

1 1

𝒔𝟐 𝒏𝟐 𝒏𝟐

… 1 1

𝒔𝟒 𝒏𝟒 𝒏𝟒 𝒔𝟔 𝒏𝟔 𝒔𝟔 OT

1 1

𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗

𝜌 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏

Cut and Choose Approach

• Issue: Remaining OTs do not form valid Bloom

filter

• Constructs desired Bloom filter
• Randomly permute OTs to form Bloom filter
• 𝜌 random OTs

→ desired 𝐶𝐺 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑} [RindalRosulek17]

OT

1 1

𝒔𝟐 𝒏𝟐 𝒏𝟐

… 1 1

𝒔𝟒 𝒏𝟒 𝒏𝟒 𝒔𝟔 𝒏𝟔 𝒔𝟔 OT

1 1 1

𝒔𝟗 𝒏𝟗 𝒏𝟗

𝜌 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

Cut and Choose Approach

• Issue: Remaining OTs do not form valid Bloom

filter

• Constructs desired Bloom filter
• Randomly permute OTs to form Bloom filter
• 𝜌 random OTs

→ desired 𝐶𝐺 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑} [RindalRosulek17]

OT

1 1

𝒔𝟐 𝒏𝟐 𝒏𝟐

… 1 1

𝒔𝟒 𝒏𝟒 𝒏𝟒 𝒔𝟔 𝒏𝟔 𝒔𝟔 OT

1 𝜌 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1 1

𝒔𝟗 𝒏𝟗 𝒏𝟗

Cut and Choose Approach

• Issue: Remaining OTs do not form valid Bloom

filter

• Constructs desired Bloom filter
• Randomly permute OTs to form Bloom filter
• 𝜌 random OTs

→ desired 𝐶𝐺 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑} [RindalRosulek17]

OT

1 1

𝒔𝟐 𝒏𝟐 𝒏𝟐

… 1 1

𝒔𝟒 𝒏𝟒 𝒏𝟒 OT

1 𝜌 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1 1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

Cut and Choose Approach

• Issue: Remaining OTs do not form valid Bloom

filter

• Constructs desired Bloom filter
• Randomly permute OTs to form Bloom filter
• 𝜌 random OTs

→ desired 𝐶𝐺 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑} [RindalRosulek17]

OT

1 … 1 1

𝒔𝟒 𝒏𝟒 𝒏𝟒 OT

1 𝜌 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

Cut and Choose Approach

• Issue: Remaining OTs do not form valid Bloom

filter

• Constructs desired Bloom filter
• Randomly permute OTs to form Bloom filter
• 𝜌 random OTs

→ desired 𝐶𝐺 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑} [RindalRosulek17]

OT

…

OT

𝜌 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

Cut and Choose Approach

• Issue: Remaining OTs do not form valid Bloom

filter

• Constructs desired Bloom filter
• Randomly permute OTs to form Bloom filter
• 𝜌 random OTs

→ desired 𝐶𝐺 ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑} [RindalRosulek17]

OT

…

OT

𝜌 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

𝒀 = 𝒏𝟓 ⊕ 𝒏𝟐, 𝒏𝟑 ⊕ 𝒏𝟒

Output: 𝒀 ∩ 𝒏𝟓 ⊕ 𝒏𝟐,

𝒏𝟗 ⊕ 𝒏𝟒 1

𝒔𝟒 𝒏𝟒 𝒏𝟒

OT

1

𝒔𝟖 𝒔𝟗 𝒏𝟖 𝒏𝟗 𝒔𝟖 𝒏𝟗

… 1 1

𝒔𝟒 𝒔𝟓 𝒔𝟔 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟒 𝒏𝟓 𝒔𝟔 OT

1

𝒔𝟏 𝒔𝟐 𝒏𝟏 𝒏𝟐 𝒔𝟏 𝒏𝟐

Cut and Choose Parameters

[RindalRosulek17] Random

𝒔𝟑 𝒏𝟑 𝒔𝟑

1

𝒔𝟕 𝒏𝟕 𝒏𝟕

• Issue: Random OTs/Cut-and-Choose may not

result in exactly

1 2 zero select bits!

OT

1

𝒔𝟖 𝒔𝟗 𝒏𝟖 𝒏𝟗 𝒔𝟖 𝒏𝟗

… 1 1

𝒔𝟒 𝒔𝟓 𝒔𝟔 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟒 𝒏𝟓 𝒔𝟔 OT

1

𝒔𝟏 𝒔𝟐 𝒏𝟏 𝒏𝟐 𝒔𝟏 𝒏𝟐

Cut and Choose Parameters

[RindalRosulek17] Random

𝒔𝟑 𝒏𝟑 𝒔𝟑

1

𝒔𝟕 𝒏𝟕 𝒏𝟕 𝒔𝟑 𝒏𝟕

1

• Issue: Random OTs/Cut-and-Choose may not

result in exactly

1 2 zero select bits!

𝒔𝟑 𝒏𝟑 𝒔𝟑

Cut and Choose Parameters

• Issue: Random OTs/Cut-and-Choose may not

result in exactly

1 2 zero select bits!

[RindalRosulek17]

OT

…

OT

1 1 Random 1

𝒔𝟏 𝒔𝟒 𝒔𝟓 𝒔𝟔 𝒔𝟖 𝒔𝟗 𝒏𝟏 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟖 𝒏𝟗 𝒔𝟏 𝒏𝟒 𝒏𝟓 𝒔𝟔 𝒔𝟖 𝒏𝟗

1

𝒔𝟕 𝒏𝟕 𝒏𝟕 𝒏𝟕

1

𝒔𝟐 𝒏𝟐 𝒏𝟐 𝒏𝟐

1 1

𝒔𝟑 𝒏𝟑 𝒔𝟑

Cut and Choose Parameters

• Issue: Random OTs/Cut-and-Choose may not

result in exactly

1 2 zero select bits!

• Need robust checking of zero bits

[RindalRosulek17]

OT

…

OT

1 1 Random 1

𝒔𝟏 𝒔𝟒 𝒔𝟓 𝒔𝟔 𝒔𝟖 𝒔𝟗 𝒏𝟏 𝒏𝟒 𝒏𝟓 𝒏𝟔 𝒏𝟖 𝒏𝟗 𝒔𝟏 𝒏𝟒 𝒏𝟓 𝒔𝟔 𝒔𝟖 𝒏𝟗

1

𝒔𝟕 𝒏𝟕 𝒏𝟕 𝒏𝟕

1

𝒔𝟐 𝒏𝟐 𝒏𝟐 𝒏𝟐

1 1

Cut and Choose Parameters

[RindalRosulek17] #𝑨𝑓𝑠𝑝𝑡 seen

𝐹[𝑕𝑝𝑝𝑒 𝑕𝑣𝑧]

Issue: Random OTs/Cut-and-Choose may not result in exactly

1 2 zero select bits!

• Need robust checking of zero bits
• Desired properties:
• Pr 𝑕𝑝𝑝𝑒 𝑕𝑣𝑧 𝑏𝑑𝑑𝑣𝑡𝑓𝑒

≤ 𝑜𝑓𝑕(𝜆)

• Sufficient to check 1% of the OTs!

Pr

Cut and Choose Parameters

[RindalRosulek17] #𝑨𝑓𝑠𝑝𝑡 seen

𝐹[𝑕𝑝𝑝𝑒 𝑕𝑣𝑧]

Abort threshold

Issue: Random OTs/Cut-and-Choose may not result in exactly

1 2 zero select bits!

• Need robust checking of zero bits
• Desired properties:
• Pr 𝑕𝑝𝑝𝑒 𝑕𝑣𝑧 𝑏𝑑𝑑𝑣𝑡𝑓𝑒

≤ 𝑜𝑓𝑕(𝜆)

• Sufficient to check 1% of the OTs!

Pr

Cut and Choose Parameters

[RindalRosulek17] #𝑨𝑓𝑠𝑝𝑡 seen

𝐹[𝑕𝑝𝑝𝑒 𝑕𝑣𝑧]

Abort threshold

Issue: Random OTs/Cut-and-Choose may not result in exactly

1 2 zero select bits!

• Need robust checking of zero bits
• Desired properties:
• Pr 𝑕𝑝𝑝𝑒 𝑕𝑣𝑧 𝑏𝑑𝑑𝑣𝑡𝑓𝑒

≤ 𝑜𝑓𝑕(𝜆)

• Sufficient to check 1% of the OTs!

Pr

Cut and Choose Parameters

[RindalRosulek17] #𝑨𝑓𝑠𝑝𝑡 seen

𝐹[𝑕𝑝𝑝𝑒 𝑕𝑣𝑧]

Abort threshold

Issue: Random OTs/Cut-and-Choose may not result in exactly

1 2 zero select bits!

• Need robust checking of zero bits
• Desired properties:
• Pr 𝑕𝑝𝑝𝑒 𝑕𝑣𝑧 𝑏𝑑𝑑𝑣𝑡𝑓𝑒

≤ 𝑜𝑓𝑕(𝜆)

• Use Chernoff Bounds
• Sufficient to check 1% of the OTs!

Pr

Cut and Choose Parameters

[RindalRosulek17] #𝑨𝑓𝑠𝑝𝑡 seen

𝐹[𝑕𝑝𝑝𝑒 𝑕𝑣𝑧]

Abort threshold

r Pr 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑓𝑕(𝜆) 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 𝐶𝐶𝑏 𝑏𝑒𝑒 𝑕𝑕𝑣𝑣𝑧𝑧 𝑜𝑜𝑝𝑝𝑢𝑢 𝑑𝑑𝑏𝑏𝑣𝑣𝑕𝑕ℎ𝑢𝑢 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑜𝑓 𝑓𝑕𝑕(𝜆𝜆) Pr 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑓𝑕(𝜆) Issue: Random OTs/Cut-and-Choose may not

result in exactly

1 2 zero select bits!

• Need robust checking of zero bits
• Desired properties:
• Pr 𝑕𝑝𝑝𝑒 𝑕𝑣𝑧 𝑏𝑑𝑑𝑣𝑡𝑓𝑒

≤ 𝑜𝑓𝑕(𝜆)

• 𝑄r 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤ 𝑜𝑓𝑕(𝜆)
• Use Chernoff Bounds
• Sufficient to check 1% of the OTs!

Pr

Cut and Choose Parameters

[RindalRosulek17] #𝑨𝑓𝑠𝑝𝑡 seen

𝐹[𝑕𝑝𝑝𝑒 𝑕𝑣𝑧]

Abort threshold

r Pr 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑓𝑕(𝜆) 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 𝐶𝐶𝑏 𝑏𝑒𝑒 𝑕𝑕𝑣𝑣𝑧𝑧 𝑜𝑜𝑝𝑝𝑢𝑢 𝑑𝑑𝑏𝑏𝑣𝑣𝑕𝑕ℎ𝑢𝑢 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑜𝑓 𝑓𝑕𝑕(𝜆𝜆) Pr 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑓𝑕(𝜆) Issue: Random OTs/Cut-and-Choose may not

result in exactly

1 2 zero select bits!

• Need robust checking of zero bits
• Desired properties:
• Pr 𝑕𝑝𝑝𝑒 𝑕𝑣𝑧 𝑏𝑑𝑑𝑣𝑡𝑓𝑒

≤ 𝑜𝑓𝑕(𝜆)

• 𝑄r 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤ 𝑜𝑓𝑕(𝜆)
• Use Chernoff Bounds
• Sufficient to check 1% of the OTs!

Pr

Cut and Choose Parameters

[RindalRosulek17] #𝑨𝑓𝑠𝑝𝑡 seen

𝐹[𝑕𝑝𝑝𝑒 𝑕𝑣𝑧]

𝑢 ≪

Abort threshold

r Pr 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑓𝑕(𝜆) 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 𝐶𝐶𝑏 𝑏𝑒𝑒 𝑕𝑕𝑣𝑣𝑧𝑧 𝑜𝑜𝑝𝑝𝑢𝑢 𝑑𝑑𝑏𝑏𝑣𝑣𝑕𝑕ℎ𝑢𝑢 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑜𝑓 𝑓𝑕𝑕(𝜆𝜆) Pr 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑓𝑕(𝜆) Issue: Random OTs/Cut-and-Choose may not

result in exactly

1 2 zero select bits!

• Need robust checking of zero bits
• Desired properties:
• Pr 𝑕𝑝𝑝𝑒 𝑕𝑣𝑧 𝑏𝑑𝑑𝑣𝑡𝑓𝑒

≤ 𝑜𝑓𝑕(𝜆)

• 𝑄r 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤ 𝑜𝑓𝑕(𝜆)
• Use Chernoff Bounds
• Sufficient to check 1% of the OTs!

Pr

Cut and Choose Parameters

[RindalRosulek17] #𝑨𝑓𝑠𝑝𝑡 seen

𝐹[𝑕𝑝𝑝𝑒 𝑕𝑣𝑧]

𝑢 ≪

Abort threshold

r Pr 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑓𝑕(𝜆) 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 𝐶𝐶𝑏 𝑏𝑒𝑒 𝑕𝑕𝑣𝑣𝑧𝑧 𝑜𝑜𝑝𝑝𝑢𝑢 𝑑𝑑𝑏𝑏𝑣𝑣𝑕𝑕ℎ𝑢𝑢 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑜𝑓 𝑓𝑕𝑕(𝜆𝜆) Pr 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑓𝑕(𝜆) Issue: Random OTs/Cut-and-Choose may not

result in exactly

1 2 zero select bits!

• Need robust checking of zero bits
• Desired properties:
• Pr 𝑕𝑝𝑝𝑒 𝑕𝑣𝑧 𝑏𝑑𝑑𝑣𝑡𝑓𝑒

≤ 𝑜𝑓𝑕(𝜆)

• 𝑄r 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤ 𝑜𝑓𝑕(𝜆)
• Use Chernoff Bounds
• Sufficient to check 1% of the OTs!

Pr

Cut and Choose Parameters

[RindalRosulek17] #𝑨𝑓𝑠𝑝𝑡 seen

𝐹[𝑕𝑝𝑝𝑒 𝑕𝑣𝑧]

𝑢 ≪

Abort threshold

% of the OTs!

r Pr 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑓𝑕(𝜆) 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 𝐶𝐶𝑏𝑏𝑒𝑒 𝑕𝑕𝑣

𝑣𝑧𝑧 𝑜𝑜𝑝𝑝𝑢𝑢 𝑑𝑑𝑏𝑏𝑣𝑣𝑕𝑕ℎ𝑢𝑢 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑜𝑓𝑓𝑕𝑕(𝜆𝜆) Pr 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑓𝑕(𝜆) Issue: Random OTs/Cut-and-Choose may not

result in exactly

1 2 zero select bits!

• Need robust checking of zero bits
• Desired properties:
• Pr 𝑕𝑝𝑝𝑒 𝑕𝑣𝑧 𝑏𝑑𝑑𝑣𝑡𝑓𝑒

≤ 𝑜𝑓𝑕(𝜆)

• 𝑄r 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤ 𝑜𝑓𝑕(𝜆)
• Sufficient to check 1% of the OTs!
• Sufficient to check 1% of the OTs!

Pr

Cut and Choose Parameters

[RindalRosulek17] #𝑨𝑓𝑠𝑝𝑡 seen

𝐹[𝑕𝑝𝑝𝑒 𝑕𝑣𝑧]

𝑢 ≪

Abort threshold

% of the OTs! % of the OTs! r Pr 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑓𝑕(𝜆) 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 𝐶𝐶𝑏𝑏𝑒𝑒 𝑕𝑕𝑣𝑣𝑧𝑧 𝑜𝑜𝑝𝑝𝑢

𝑢 𝑑𝑑𝑏𝑏𝑣𝑣𝑕𝑕ℎ𝑢𝑢 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑜𝑓𝑓𝑕𝑕(𝜆𝜆) Pr 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤𝑜𝑓𝑕 (𝜆) Issue: Random OTs/Cut-and-Choose may not result in exactly

1 2 zero select

bits!

• Need robust checking of zero bits
• Desired properties:
• Pr 𝑕𝑝𝑝𝑒 𝑕𝑣𝑧 𝑏𝑑𝑑𝑣𝑡𝑓𝑒

≤ 𝑜𝑓𝑕(𝜆)

• 𝑄r 𝐶𝑏𝑒 𝑕𝑣𝑧 𝑜𝑝𝑢 𝑑𝑏𝑣𝑕ℎ𝑢 ≤ 𝑜𝑓𝑕(𝜆)
• Sufficient to check 1% of the OTs!
• Sufficient to check 1% of the OTs!
• Sufficient to check 1% of the OTs!

Pr

Extracting 𝑍 with Random Oracle

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

𝒀 = 𝒏𝟓 ⊕ 𝒏𝟐, 𝒏𝟑 ⊕ 𝒏𝟒

Output: 𝒀 ∩ 𝒏𝟓 ⊕ 𝒏𝟐,

𝒏𝟗 ⊕ 𝒏𝟒 [RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

Simulator must extract the effective input 𝑍

• 𝐺 is not naturally invertible
• 𝐶𝐺 may be malformed…
• Solution:
• Model hash function ℎ𝑗(⋅) as Random Oracle
• Non-programmable RO

Extracting 𝑍 with Random Oracle

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

[RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

Simulator

PSI

𝑍 = {𝑏, 𝑑}

𝑌 𝑌 ∩ 𝑍 = {𝑏}

Simulator must extract the effective input 𝑍

• 𝐺 is not naturally invertible
• 𝐶𝐺 may be malformed…
• Solution:
• Model hash function ℎ𝑗(⋅) as Random Oracle
• Non-programmable RO

Extracting 𝑍 with Random Oracle

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

[RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

Simulator

Simulator must extract the effective input 𝑍

• 𝐺 is not naturally invertible
• 𝐶𝐺 may be malformed…
• Solution:
• Model hash function ℎ𝑗(⋅) as Random Oracle
• Non-programmable RO

Extracting 𝑍 with Random Oracle

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

[RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

Simulator 1 1 1 1 𝐶𝐺 =

Simulator must extract the effective input 𝑍

• Can extract OT select bits
• 𝐺 is not naturally invertible
• 𝐶𝐺 may be malformed…
• Solution:
• Model hash function ℎ𝑗(⋅) as Random Oracle
• Non-programmable RO

Extracting 𝑍 with Random Oracle

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

[RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

Simulator 1 1 1 1 𝐶𝐺 = is not naturally invertible Simulator must extract the effective input 𝑍

• Can extract OT select bits
• Issues:
• 𝐶𝐺 is not naturally invertible
• 𝐶𝐺 may be malformed…
• Solution:
• Model hash function ℎ𝑗(⋅) as Random Oracle
• Non-programmable RO

Extracting 𝑍 with Random Oracle

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

[RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

Simulator 1 1 1 1 𝐶𝐺 = may be malformed… is not naturally invertible Simulator must extract the effective input 𝑍

• Can extract OT select bits
• Issues:
• 𝐶𝐺 may be malformed…
• 𝐶𝐺 may be malformed…
• Solution:
• Model hash function ℎ𝑗(⋅) as Random Oracle
• Non-programmable RO

Extracting 𝑍 with Random Oracle

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

[RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

Simulator 1 1 1 1 𝐶𝐺 = ℎ 𝑗 𝑗𝑗 ℎ 𝑗 (⋅) as Random Oracle may be malformed… is not naturally invertible Simulator must extract the effective input 𝑍

• Can extract OT select bits
• Issues:
• 𝐶𝐺 may be malformed…
• Solution:
• Model hash function ℎ 𝑗 (⋅) as Random Oracle
• Solution:
• Model hash function ℎ𝑗(⋅) as Random Oracle
• Non-programmable RO

Extracting 𝑍 with Random Oracle

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

[RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

Simulator 1 1 1 1 𝐶𝐺 =

Random Oracle

𝑏, 𝑑 ℎ 𝑗 𝑗𝑗 ℎ 𝑗 (⋅) as Random Oracle may be malformed… is not naturally invertible Simulator must extract the effective input 𝑍

• Can extract OT select bits
• Issues:
• 𝐶𝐺 may be malformed…
• Solution:
• Model hash function ℎ 𝑗 (⋅) as Random Oracle
• Solution:
• Model hash function ℎ𝑗(⋅) as Random Oracle
• Non-programmable RO

Extracting 𝑍 with Random Oracle

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

[RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

Simulator 1 1 1 1

𝑍 = {𝑏, 𝑑}

𝐶𝐺 =

Random Oracle

𝑏, 𝑑 ℎ 𝑗 𝑗𝑗 ℎ 𝑗 (⋅) as Random Oracle may be malformed… is not naturally invertible Simulator must extract the effective input 𝑍

• Can extract OT select bits
• Issues:
• 𝐶𝐺 may be malformed…
• Solution:
• Model hash function ℎ 𝑗 (⋅) as Random Oracle
• Solution:
• Model hash function ℎ𝑗(⋅) as Random Oracle
• Non-programmable RO

Extracting 𝑍 with Random Oracle

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

[RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

Simulator 1 1 1 1

𝑍 = {𝑏, 𝑑}

𝐶𝐺 =

Random Oracle

𝑏, 𝑑 ℎ 𝑗 𝑗𝑗 ℎ 𝑗 (⋅) as Random Oracle may be malformed… is not naturally invertible Simulator must extract the effective input 𝑍

• Can extract OT select bits
• Issues:
• 𝐶𝐺 may be malformed…
• Solution:
• Model hash function ℎ 𝑗 (⋅) as Random Oracle
• Solution:
• Model hash function ℎ𝑗(⋅) as Random Oracle
• Non-programmable RO

, 𝑒 ℎ𝑗(𝑒)

Extracting 𝑍 with Random Oracle

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

[RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

Simulator 1 1 1 1

PSI

𝑍 = {𝑏, 𝑑}

𝑌 𝐶𝐺 =

Random Oracle

𝑏, 𝑑 ℎ 𝑗 𝑗𝑗 ℎ 𝑗 (⋅) as Random Oracle may be malformed… is not naturally invertible Simulator must extract the effective input 𝑍

• Can extract OT select bits
• Issues:
• 𝐶𝐺 may be malformed…
• Solution:
• Model hash function ℎ 𝑗 (⋅) as Random Oracle
• Solution:
• Model hash function ℎ𝑗(⋅) as Random Oracle
• Non-programmable RO

Extracting 𝑍 with Random Oracle

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

[RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

Simulator 1 1 1 1

PSI

𝑍 = {𝑏, 𝑑}

𝑌 𝑌 ∩ 𝑍 = {𝑏} 𝐶𝐺 =

Random Oracle

𝑏, 𝑑 ℎ 𝑗 𝑗𝑗 ℎ 𝑗 (⋅) as Random Oracle may be malformed… is not naturally invertible Simulator must extract the effective input 𝑍

• Can extract OT select bits
• Issues:
• 𝐶𝐺 may be malformed…
• Solution:
• Model hash function ℎ 𝑗 (⋅) as Random Oracle
• Solution:
• Model hash function ℎ𝑗(⋅) as Random Oracle
• Non-programmable RO

Extracting 𝑍 with Random Oracle

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

[RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

Simulator 1 1 1 1

PSI

𝑍 = {𝑏, 𝑑}

𝑌 𝑌 ∩ 𝑍 = {𝑏} 𝐶𝐺 =

Random Oracle

𝑏, 𝑑 ℎ 𝑗 𝑗𝑗 ℎ 𝑗 (⋅) as Random Oracle may be malformed… is not naturally invertible Simulator must extract the effective input 𝑍

• Can extract OT select bits
• Issues:
• 𝐶𝐺 may be malformed…
• Solution:
• Non-programmable ROSolution:
• Model hash function ℎ𝑗(⋅) as Random Oracle
• Non-programmable RO

Generalized Encodings

Bloom filter of size ~2𝑜𝜆 allows a Receiver to insert 𝑜 items

𝐺(𝑏) = 𝒏𝟓 ⊕ 𝒏𝟐 𝐺 𝑑 = 𝒏𝟗 ⊕ 𝒏𝟒

• 𝐺( ⋅ )
• View Bloom filter protocol as an OPRF

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

[RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

𝒏𝟓 ⊕ 𝒏𝟐, 𝒏𝟗 ⊕ 𝒏𝟒

Generalized Encodings

𝐺 𝐺 𝐺( ⋅ ) Bloom filter of size ~2𝑜𝜆 allows a Receiver to insert 𝑜 items

𝐺(𝑏) = 𝒏𝟓 ⊕ 𝒏𝟐 𝐺 𝑑 = 𝒏𝟗 ⊕ 𝒏𝟒

• Sender can generate any encoding 𝐺( ⋅ )
• View Bloom filter protocol as an OPRF

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

[RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

𝒏𝟓 ⊕ 𝒏𝟐, 𝒏𝟗 ⊕ 𝒏𝟒

Generalized Encodings

𝐺 𝐺 𝐺( ⋅ ) Bloom filter of size ~2𝑜𝜆 allows a Receiver to insert 𝑜 items

𝐺(𝑏) = 𝒏𝟓 ⊕ 𝒏𝟐 𝐺 𝑑 = 𝒏𝟗 ⊕ 𝒏𝟒

• View Bloom filter protocol as an OPRF
• View Bloom filter protocol as an OPRF

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

[RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

𝒏𝟓 ⊕ 𝒏𝟐, 𝒏𝟗 ⊕ 𝒏𝟒

OPRF

𝑍 𝐺 𝑧 ∶ 𝑧 ∈ 𝑍 𝐺

Generalized Encodings

𝐺 𝐺 𝐺( ⋅ ) Bloom filter of size ~2𝑜𝜆 allows a Receiver to insert 𝑜 items

𝐺(𝑏) = 𝒏𝟓 ⊕ 𝒏𝟐 𝐺 𝑑 = 𝒏𝟗 ⊕ 𝒏𝟒

• View Bloom filter protocol as an OPRF
• View Bloom filter protocol as an OPRF

ℎ𝑗(𝑏) ℎ𝑗(𝑑) 𝑍 = {𝑏, 𝑑}

OT

…

OT

[RindalRosulek17] 1

𝒔𝟓 𝒏𝟓 𝒏𝟓 𝒔𝟏 𝒏𝟏 𝒔𝟏 𝒔𝟖 𝒏𝟖 𝒔𝟖

1

𝒔𝟗 𝒏𝟗 𝒏𝟗 𝒔𝟔 𝒏𝟔 𝒔𝟔

1

𝒔𝟐 𝒏𝟐 𝒏𝟐

1

𝒔𝟒 𝒏𝟒 𝒏𝟒

𝒏𝟓 ⊕ 𝒏𝟐, 𝒏𝟗 ⊕ 𝒏𝟒

OPRF

𝑍 𝐺 𝑧 ∶ 𝑧 ∈ 𝑍 𝐺 𝐺 𝑦 ∶ 𝑦 ∈ 𝑌

0,25 1 4 16 64 256 1024 4096 16384 256 4096 65536 1048576 Running Time (seconds) DCW13 DKT10 RR17

Comparison – De Cristofaro, Kim, Tsudik10

• DKT10 - Malicious Diffie-Hellman style approach: 𝑦𝛽𝛾 = 𝑧𝛾𝛽

0,25 1 4 16 64 256 1024 4096 16384 256 4096 65536 1048576 Running Time (seconds) DCW13 DKT10 RR17

Comparison – De Cristofaro, Kim, Tsudik10

• DKT10 - Malicious Diffie-Hellman style approach: 𝑦𝛽𝛾 = 𝑧𝛾𝛽

1 4 16 64 256 1024 4096 16384 1 8 64 512 4096 32768

• Comm. (MB)

Running Time (seconds) DKT10 RR17

0,25 1 4 16 64 256 1024 4096 16384 256 4096 65536 1048576 Running Time (seconds) DCW13 DKT10 RR17

Comparison – De Cristofaro, Kim, Tsudik10

• DKT10 - Malicious Diffie-Hellman style approach: 𝑦𝛽𝛾 = 𝑧𝛾𝛽

1 4 16 64 256 1024 4096 16384 1 8 64 512 4096 32768

• Comm. (MB)

Running Time (seconds) DKT10 RR17

38x 23x

Comparison – De Cristofaro, Kim, Tsudik10

• DKT10 - Malicious Diffie-Hellman style approach: 𝑦𝛽𝛾 = 𝑧𝛾𝛽

0,25 1 4 16 64 256 1024 4096 16384 256 4096 65536 1048576 Running Time (seconds) DCW13 DKT10 RR17 1 4 16 64 256 1024 4096 16384 1 8 64 512 4096 32768

• Comm. (MB)

Running Time (seconds) DCW13 DKT10 RR17

Comparison – De Cristofaro, Kim, Tsudik10

• DKT10 - Malicious Diffie-Hellman style approach: 𝑦𝛽𝛾 = 𝑧𝛾𝛽

0,25 1 4 16 64 256 1024 4096 16384 256 4096 65536 1048576 Running Time (seconds) DCW13 DKT10 RR17 1 4 16 64 256 1024 4096 16384 1 8 64 512 4096 32768

• Comm. (MB)

Running Time (seconds) DCW13 DKT10 RR17

Naïve

Comparison – De Cristofaro, Kim, Tsudik10

• DKT10 - Malicious Diffie-Hellman style approach: 𝑦𝛽𝛾 = 𝑧𝛾𝛽

0,25 1 4 16 64 256 1024 4096 16384 256 4096 65536 1048576 Running Time (seconds) DCW13 DKT10 RR17 1 4 16 64 256 1024 4096 16384 1 8 64 512 4096 32768

• Comm. (MB)

Running Time (seconds) DCW13 DKT10 RR17

Naïve

[KKRT16,PSZ16]

The End

Peter Rindal

Mike Rosulek