PIR-PSI: Scaling Private Contact Discovery (PETS 2018), slide deck


SLIDE 1

PIR-PSI: SCALING PRIVATE CONTACT DISCOVERY

Daniel Demmler, Peter Rindal, Mike Rosulek, Ni Trieu. PETS 2018.

SLIDE 2

Motivation – Application: Contact Discovery

  • Contact discovery tells social network users which of their contacts are in the social network.
  • An insecure, naïve hashing-based protocol is used in practice: the client uploads hashes of its contacts and the server returns the hashes that match its own customers.
  • Vulnerable to:
    • brute-force attacks (the input domain is small, e.g. phone numbers, so whoever sees a hash can enumerate the domain and invert it);
    • comparison with hashes from later sessions (an unkeyed hash is deterministic, so uploads are linkable across sessions).

[Figure: client sends hashes of user contacts; server returns the matching WhatsApp contacts.]
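An added example (not from the slides or from libPSI) of the brute-force weakness named above: it hashes a constructed contact list the way the naïve upload does, then inverts the digests by enumerating the number space behind a prefix. The prefix and digit count are assumptions to keep the run short; over a full numbering plan the attack is the same, only about 10^10 hashes.

```python
import hashlib

# Constructed sample contact list (not real numbers).
CONTACTS = ["+15550004242", "+15550098765"]


def naive_upload(numbers):
    """What the insecure protocol sends: an unkeyed hash of every contact.
    The same number always yields the same digest, so an upload from a later
    session is linkable to an earlier one without any further work."""
    return [hashlib.sha256(n.encode()).hexdigest() for n in numbers]


def brute_force(uploaded, prefix, digits):
    """Inversion of uploaded hashes by the server or any eavesdropper.

    Enumerates every number `prefix` + <digits> trailing digits and hashes
    each candidate.  Returns a dict mapping each recovered digest to the
    phone number it came from."""
    wanted = set(uploaded)
    recovered = {}
    for suffix in range(10 ** digits):
        candidate = f"{prefix}{suffix:0{digits}d}"
        digest = hashlib.sha256(candidate.encode()).hexdigest()
        if digest in wanted:
            recovered[digest] = candidate
            if len(recovered) == len(wanted):
                break
    return recovered


def demo():
    """Recover the numbers behind the hashes a client would upload for CONTACTS."""
    uploaded = naive_upload(CONTACTS)
    recovered = brute_force(uploaded, "+155500", 5)
    return [recovered[h] for h in uploaded]   # the contacts, in upload order
```

A keyed hash (HMAC with a server secret) would stop third parties, but not the server itself, which is why the deck moves to PIR and PSI rather than to a better hash.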

SLIDE 3

Motivation – Application: Private Contact Discovery

  • Contact discovery should be efficient and scalable, and protect the privacy of user inputs.
  • It runs once when a user initially joins a social network
  • … and periodically to find contacts that join the social network later on.

[Figure: user contacts on the client, WhatsApp customers on the server; PIR-PSI between them returns the matching WhatsApp contacts.]

SLIDE 4

Private Set Intersection (PSI)

[Figure: two parties holding sets $X$ and $Y$; the output is $X \cap Y$.]

SLIDE 5

Private Set Intersection (PSI), ideal world

[Figure: the "Receiver" with input $X$ and the "Sender" with input $Y$ hand their sets to an ideal PSI functionality, which returns $X \cap Y$ to the receiver.]

SLIDE 6

PSI for Contact Discovery

[Figure: the client holds $X$ with $|X| = n$, the server holds $Y$ with $|Y| = N$, and $n \ll N$; the output is $X \cap Y$.]

SLIDE 7

Status-Quo vs. PIR-PSI

Private contact discovery: the client's set $X$ of $n$ contacts, the server's set $Y$ of $N$ customers, output $X \cap Y$.

  • Existing PSI protocols: communication linear in both sets, $O(N + n)$.
  • What about $N \gg n$?
  • Insecure solution:
    • Send the small set to the other party.
    • Communication = $O(\min(N, n))$.
  • PIR-PSI:
    • Communication = $O\!\left(n \log \frac{N \log n}{n}\right)$
    • Client computation = $O\!\left(n \log \frac{N \log n}{n}\right)$ AES operations
    • Server computation = $O(N \log n)$ AES operations

SLIDE 8

Plaintext Database Query

[Figure: the client sends the index $i$ over TLS to the server holding $\mathrm{DB} = (y_1, y_2, y_3, y_4, \dots, y_N)$ and receives $y_i$. TLS hides the query from the network, not from the server.]

SLIDE 9

Private Information Retrieval (PIR), ideal world

[Figure: the client sends $i$ and the server sends $\mathrm{DB} = (y_1, \dots, y_N)$ to an ideal PIR functionality; the client receives $\mathrm{DB}[i]$ and the server learns nothing about $i$.]

SLIDE 10

2-Server PIR [CGKS95]

[Figure: two servers #1 and #2, each holding an identical copy of $\mathrm{DB} = (y_1, y_2, y_3, y_4, \dots, y_N)$.]

SLIDE 11

2-Server PIR [CGKS95]

[Figure: the client with index $i$ sends query $q_1$ to server #1 and $q_2$ to server #2; they answer $r_1$ and $r_2$; the client recovers $r_1 \oplus r_2 = \mathrm{DB}[i]$. Assumption: no collusion between the two servers!]

SLIDE 12

Example: 2-Server Linear Summation PIR [CGKS95]

  • Query index $i = 2$ ⇒ plaintext query $q = 001000$ (a single 1 at the position of $i$).
  • $q_1$ chosen at random; $q_2 = q \oplus q_1$.
  • Server $k \in \{1, 2\}$, holding a full copy of $\mathrm{DB} = (y_1, y_2, y_3, y_4, \dots, y_N)$, answers $r_k = q_k \cdot \mathrm{DB}$, the XOR of all entries selected by the 1-bits of $q_k$.
  • Client output: $r_1 \oplus r_2 = (q_1 \oplus q_2) \cdot \mathrm{DB} = q \cdot \mathrm{DB} = \mathrm{DB}[2]$.
  • Each server sees a uniformly random bit vector, so neither learns $i$ unless they collude; the price is $O(N)$ bits of query per server.

SLIDE 13

PIR from Distributed Point Functions (DPFs)

  • Point functions: $\mathrm{PF} = \{\, f_{i,v} : f_{i,v}(i) = v,\ f_{i,v}(x) = 0\ \forall\, x \neq i \,\}$.
  • Distributed PFs allow 2 parties to evaluate a PF in secret-shared form, without revealing $i, v$.
  • DPFs are described by short keys $k_1, k_2$ of length $O(\log N)$, where $N$ is the size of the domain of $i$.
  • By using $v = 1$, i.e., a DPF returning 1 only at index $i$, the expanded keys are XOR shares of the plaintext query $q$; this yields 2-server PIR with $O(\log N)$ communication complexity.
  • Instantiated efficiently with AES.

[Figure, intuition: DPF key expansion turns the short keys $k_1, k_2$ into the full-length vectors $K_1, K_2$ with $K_1 \oplus K_2 = q$.]
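Added example, not code from the slides or from libPSI: a tree-based two-party DPF for $f_{i,1}$ (the Boyle-Gilboa-Ishai style construction), its full-domain key expansion into the share vectors $K_1, K_2$, and the resulting 2-server PIR of slides 11-13. The PRG is SHA-256 rather than the AES instantiation the slides mention, purely so the block runs on the Python standard library; the function names, the 16-byte seed size and the sample database are this example's assumptions.

```python
import hashlib
import secrets

SEED_LEN = 16   # seed size in bytes (assumption of this example)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def prg(seed):
    """Length-doubling PRG G(s) -> (s_L, t_L, s_R, t_R).
    SHA-256 stands in for the AES-based PRG of the paper (assumption)."""
    left = hashlib.sha256(b"L" + seed).digest()
    right = hashlib.sha256(b"R" + seed).digest()
    return left[:SEED_LEN], left[SEED_LEN] & 1, right[:SEED_LEN], right[SEED_LEN] & 1


def dpf_gen(alpha, nbits):
    """Gen for the point function f_{alpha,1} on domain {0,1}^nbits.
    Returns two keys of O(nbits * SEED_LEN) bytes each, i.e. O(log N)."""
    seed0, seed1 = secrets.token_bytes(SEED_LEN), secrets.token_bytes(SEED_LEN)
    s, t = [seed0, seed1], [0, 1]              # invariant on alpha's path: t0 xor t1 = 1
    cws = []
    for level in range(nbits):
        a = (alpha >> (nbits - 1 - level)) & 1    # bit of alpha, MSB first
        ex = [prg(s[0]), prg(s[1])]               # (s_L, t_L, s_R, t_R) per party
        keep, lose = (2, 0) if a else (0, 2)      # tuple offsets of kept / lost child
        s_cw = xor(ex[0][lose], ex[1][lose])      # makes both parties' lost subtrees identical
        tl_cw = ex[0][1] ^ ex[1][1] ^ a ^ 1
        tr_cw = ex[0][3] ^ ex[1][3] ^ a
        cws.append((s_cw, tl_cw, tr_cw))
        t_keep_cw = tr_cw if a else tl_cw
        for b in (0, 1):
            sk, tk = ex[b][keep], ex[b][keep + 1]
            if t[b]:                              # exactly one party applies the correction
                sk, tk = xor(sk, s_cw), tk ^ t_keep_cw
            s[b], t[b] = sk, tk
    # final correction word: the leaf shares must XOR to 1 exactly at alpha
    cws.append((s[0][0] & 1) ^ (s[1][0] & 1) ^ 1)
    return (seed0, 0, cws), (seed1, 1, cws)


def _expand_node(s, t, cw):
    """Children of tree node (s, t); the correction word is applied when t = 1."""
    s_cw, tl_cw, tr_cw = cw
    sl, tl, sr, tr = prg(s)
    if t:
        sl, sr, tl, tr = xor(sl, s_cw), xor(sr, s_cw), tl ^ tl_cw, tr ^ tr_cw
    return (sl, tl), (sr, tr)


def dpf_eval(key, x, nbits):
    """One party's share of f_{alpha,1}(x): a single root-to-leaf walk."""
    s, t, cws = key
    for level in range(nbits):
        bit = (x >> (nbits - 1 - level)) & 1
        s, t = _expand_node(s, t, cws[level])[bit]
    return (s[0] & 1) ^ (t & cws[nbits])


def dpf_expand(key, nbits):
    """Full-domain expansion k_b -> K_b (slide 13): this party's share of the
    one-hot query vector, computed level by level in O(N) PRG calls."""
    s, t, cws = key
    frontier = [(s, t)]
    for level in range(nbits):
        frontier = [child for node in frontier for child in _expand_node(*node, cws[level])]
    return [(s[0] & 1) ^ (t & cws[nbits]) for s, t in frontier]


def pir_answer(db, share):
    """Server: XOR of every block whose share bit is 1 (linear summation)."""
    acc = bytes(len(db[0]))
    for block, bit in zip(db, share):
        if bit:
            acc = xor(acc, block)
    return acc


def two_server_pir(db, i):
    """Client sends k_1 to server 1, k_2 to server 2, and XORs the answers."""
    nbits = (len(db) - 1).bit_length()        # assumes len(db) is a power of two
    k1, k2 = dpf_gen(i, nbits)
    r1 = pir_answer(db, dpf_expand(k1, nbits))
    r2 = pir_answer(db, dpf_expand(k2, nbits))
    return xor(r1, r2)


# Constructed sample database: 1024 blocks of 8 bytes each.
DB = [hashlib.sha256(f"customer-{j}".encode()).digest()[:8] for j in range(1024)]
```

Each key carries one 16-byte seed plus one correction word per tree level, so the query to each server is about $16 \cdot (\log_2 N + 1)$ bytes instead of the $N$ bits of slide 12; the server's work stays linear in $N$, which is what the binning of slide 25 later reduces.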

SLIDE 14

Designated-Output PIR

[Figure: the client, holding the index $i$ and a random mask $m$, sends $(q_1, m)$ to server #1 and $q_2$ to server #2. Server #1 forwards its masked answer $r_1 \oplus m$ to server #2, which computes $r_2 \oplus r_1 \oplus m = \mathrm{DB}[i] \oplus m$. The output is thus delivered to server #2 in masked form; only the client knows $m$. Both servers hold $\mathrm{DB} = (y_1, y_2, y_3, y_4, \dots, y_N)$.]

SLIDE 15

PIR Private Equality Test

[Figure: the client holds $x$, $i$ and $m$ and runs the designated-output PIR of the previous slide, so server #2 obtains $\mathrm{DB}[i] \oplus m$. Client and server #2 then run a private equality test (PEQ) on the inputs $x \oplus m$ and $\mathrm{DB}[i] \oplus m$; since both sides carry the same mask, the PEQ tells the client whether $x = \mathrm{DB}[i]$, and neither server learns $x$ or $i$.]
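Added example (not from the slides or from libPSI) for the designated-output PIR of slide 14 and the PIR-PEQ of slide 15. The PIR part uses the random-share query of slide 12; the PEQ is a Diffie-Hellman style equality test in the spirit of [Meadows86] (see the backup slides). The modulus $P = 2^{127}-1$, the hash-to-group map and all names are assumptions made so the block runs offline on the standard library; the group is picked for speed, not as a secure parameter choice.

```python
import hashlib
import secrets

# Toy group for the equality test: Z_P^* with the Mersenne prime P = 2^127 - 1.
# Assumption of this example, chosen only for a fast self-contained run.
P = 2**127 - 1


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def share_query(n, i):
    """Client: one-hot q with q[i] = 1, split as q_1 random, q_2 = q xor q_1 (slide 12)."""
    q1 = [secrets.randbelow(2) for _ in range(n)]
    q2 = [q1[j] ^ (1 if j == i else 0) for j in range(n)]
    return q1, q2


def pir_answer(db, share):
    """Server: XOR of the blocks selected by its share of the query."""
    acc = bytes(len(db[0]))
    for block, bit in zip(db, share):
        if bit:
            acc = xor(acc, block)
    return acc


def designated_output_pir(db, i):
    """Slide 14: the client learns nothing; server 2 ends with DB[i] xor m and
    only the client knows the mask m.  Returns (m, value held by server 2)."""
    q1, q2 = share_query(len(db), i)
    m = secrets.token_bytes(len(db[0]))
    masked_r1 = xor(pir_answer(db, q1), m)           # server 1 (has q1, m) -> server 2
    at_server2 = xor(pir_answer(db, q2), masked_r1)  # server 2 (has q2) combines
    return m, at_server2


def to_group(value):
    """Hash a byte string into Z_P^* (never 0)."""
    return int.from_bytes(hashlib.sha256(value).digest(), "big") % (P - 1) + 1


def peq(client_value, server_value):
    """Diffie-Hellman style private equality test: x^{ab} = y^{ba} iff x = y.
    Exponentiation commutes, so each side blinds its own input with a fresh
    exponent and the client compares the two doubly-blinded values."""
    a = secrets.randbelow(P - 2) + 1                 # client exponent
    b = secrets.randbelow(P - 2) + 1                 # server exponent
    c_to_server = pow(to_group(client_value), a, P)  # client -> server: x^a
    s_to_client = pow(to_group(server_value), b, P)  # server -> client: y^b
    s_reply = pow(c_to_server, b, P)                 # server -> client: x^{ab}
    return pow(s_to_client, a, P) == s_reply         # client: y^{ba} == x^{ab} ?


def pir_peq(db, i, x):
    """Slide 15: does x == DB[i]?  Compare x xor m with server 2's DB[i] xor m."""
    m, masked_db_i = designated_output_pir(db, i)
    return peq(xor(x, m), masked_db_i)


# Constructed sample database of 64 eight-byte entries.
DB = [hashlib.sha256(f"customer-{j}".encode()).digest()[:8] for j in range(64)]
```

Note that the masked value reaching server 2 is uniformly random to it, which is what lets the protocol hand the PIR output to a server instead of the client; in the full protocol the per-element PEQs are replaced by one PSI over all retrieved bins (slides 23-24).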

SLIDE 16–20

Cuckoo Hashing

  • Server performs cuckoo hashing.

[Figure, built up over slides 16–20: the server's elements $y_1, y_2, y_3, y_4, \dots, y_N$ are inserted one by one at positions $h(y_1), h(y_2), \dots, h(y_N)$; $y_1, y_2, y_3$ land in free bins, then $y_N$ and $y_4$ are placed. Collision: $h(y_1) = h(y_N)$.]

SLIDE 21

Cuckoo Hashing

  • Server performs cuckoo hashing.
  • To avoid collisions: use multiple hash functions; in this example $h, h'$.
  • In our implementation we used 3 hash functions and a cuckoo expansion factor of $e \approx 1.4$ for a cuckoo failure probability of $2^{-20}$ during one-time initialization.

[Figure: every element also has a second candidate bin $h'(\cdot)$; $y_1$ is moved to $h'(y_1)$, resolving the collision, and the table now holds $y_2, y_3, y_4, y_1, y_N$.]

SLIDE 22

Cuckoo Hashing

  • Every element can be located in two possible bins.
  • The client computes all hash functions for every element.

[Figure: the client's elements $x_1, x_2, x_3, x_4, \dots, x_n$, each mapped to its two candidate bins of the server's cuckoo table.]

SLIDE 23

Cuckoo Hashing

  • Every element can be located in two possible bins.
  • To check if the server holds $x_1$, the client runs a PIR-PEQ with the 2nd and 4th bin, i.e. the bins $h(x_1)$ and $h'(x_1)$.
  • In the full protocol: instead of single PIR-PEQs, we run all of them together in a PSI protocol.
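Added example (not from the slides or from libPSI) of the cuckoo-hashing side of the protocol (slides 16-23): the server builds the table with 3 hash functions and expansion factor 1.4 as stated on slide 21, the client derives the candidate bins it must retrieve by PIR, and a clear-text lookup stands in for the PIR-PEQ/PSI step. The hash functions (SHA-256 with a one-byte domain separator), the eviction bound and the sample sets are assumptions of this example.

```python
import hashlib
import random

NUM_HASHES = 3          # the paper's implementation uses 3 hash functions (slide 21)
EXPANSION = (7, 5)      # expansion factor e = 7/5 = 1.4, kept as a fraction (no float rounding)
MAX_EVICTIONS = 500     # eviction-chain bound (assumption); exceeding it is the cuckoo failure event


def h(k, item, nbins):
    """The k-th hash function, mapping item to a bin in [0, nbins)."""
    digest = hashlib.sha256(bytes([k]) + item).digest()
    return int.from_bytes(digest[:8], "big") % nbins


def candidate_bins(item, nbins):
    """Client side (slide 22): every bin the server may have placed `item` in."""
    return [h(k, item, nbins) for k in range(NUM_HASHES)]


def build_cuckoo_table(items, seed=0):
    """Server side (slides 16-21): insert each y_j into one of its NUM_HASHES
    candidate bins, evicting an occupant on collision and re-inserting it.
    Raises RuntimeError on a cuckoo failure; the server would then retry
    the one-time initialization with fresh hash functions."""
    num, den = EXPANSION
    nbins = -(-len(items) * num // den)          # ceil(e * N)
    table = [None] * nbins
    rng = random.Random(seed)
    for item in items:
        cur, came_from, evictions = item, None, 0
        while True:
            bins = candidate_bins(cur, nbins)
            empty = [p for p in bins if table[p] is None]
            if empty:
                table[empty[0]] = cur
                break
            if evictions == MAX_EVICTIONS:
                raise RuntimeError("cuckoo hashing failed: eviction chain too long")
            # evict from a candidate bin other than the one `cur` was just pushed out of
            victim = rng.choice([p for p in bins if p != came_from] or bins)
            table[victim], cur, came_from = cur, table[victim], victim
            evictions += 1
    return table


def lookup(table, item):
    """What the client's PIR-PEQs over the candidate bins decide (slide 23),
    here in the clear: `item` is in the server's set iff one candidate bin holds it."""
    return any(table[p] == item for p in candidate_bins(item, len(table)))


def pir_positions(client_items, nbins):
    """Slides 23/24: the (item, bin) pairs the client must retrieve by PIR,
    NUM_HASHES per element, so n * NUM_HASHES retrievals in total."""
    return [(x, p) for x in client_items for p in candidate_bins(x, nbins)]


# Constructed sample sets: 2000 server customers and 5 client contacts.
SERVER_SET = [f"+1555{j:07d}".encode() for j in range(2000)]
CLIENT_SET = [b"+15550000042", b"+15550001999", b"+15559999999",
              b"+15550000000", b"+15551234567"]
```

The table has $\lceil 1.4 N \rceil$ bins and each client element costs NUM_HASHES retrievals; the oblivious shuffle of slide 24 exists precisely because which of those retrievals hit would otherwise reveal which hash function placed the matching element.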

SLIDE 24

PIR-PSI Overview

1. Cuckoo Hashing
  • Both servers compute the same cuckoo hash table for their $N$ elements.

2. DPF-PIR Query
  • The client delegates the extraction of its $n$ elements' candidate bins from the cuckoo table to the two servers, using DPF keys as queries.

3. Oblivious Shuffle
  • One server receives the other server's masked output and obliviously shuffles the PIR results to hide which cuckoo hash function was used.

4. Small PSI
  • A standard PSI protocol is used to determine the intersection.

[Figure: the server's cuckoo table built from $y_1, \dots, y_N$ with $h, h'$; the client's elements $x_1, \dots, x_n$; the retrieved bins and the client elements enter the final PSI.]

SLIDE 25

Optimizations

  • Binning
    • Instead of running full-domain DPFs, we partition the server's cuckoo table into bins and run a smaller DPF per bin.
    • Parallelization!
  • Batching
    • Instead of running DPF queries separately, run all queries in each bin in parallel.
    • Only a single pass over the cuckoo table for multiple queries.
  • Larger PIR blocks
    • PIR queries can return multiple cuckoo table entries.
    • Less communication, more computation in PSI.

[Figure: the table $y_1, y_2, y_3, y_4, \dots, y_N$ split into bins, each answered by its own small DPF.]

SLIDE 26

PIR-PSI with 3 PIR Servers

Server #1 holds the full table $\mathrm{DB}$; servers #2 and #3 hold XOR shares $\mathrm{DB}_2, \mathrm{DB}_3$ with $\mathrm{DB} = \mathrm{DB}_2 \oplus \mathrm{DB}_3$. The client sends $(k_1, m)$ to #1 and the same key $k_2$ to both #2 and #3. Server #1 computes $(K_1 \cdot \mathrm{DB}) \oplus m$, server #2 computes $K_2 \cdot \mathrm{DB}_2$, server #3 computes $K_2 \cdot \mathrm{DB}_3$. XORing the three answers:

$(K_2 \cdot \mathrm{DB}_2) \oplus (K_2 \cdot \mathrm{DB}_3) \oplus (K_1 \cdot \mathrm{DB}) \oplus m = K_2 \cdot (\mathrm{DB}_2 \oplus \mathrm{DB}_3) \oplus K_1 \cdot \mathrm{DB} \oplus m = K_2 \cdot \mathrm{DB} \oplus K_1 \cdot \mathrm{DB} \oplus m = \mathrm{DB}[i] \oplus m$

SLIDE 27

PIR-PSI Performance

  • Communication and running time for $n = 1\,024$ client elements and server set sizes $N \in \{2^{20}, 2^{24}, 2^{26}, 2^{28}\}$.
  • Benchmarked in Gigabit LAN, on 1 machine with 36 × 2.3 GHz. Implementation set to use 4 threads.
  • Client computation is ≈ 10% of total.
  • Parameters give a communication / computation trade-off.

[Chart: x-axis communication in MiB (2–14), y-axis running time in seconds (5–30), one series per $N \in \{2^{20}, 2^{24}, 2^{26}, 2^{28}\}$. Plotted points (communication MiB; running time s), in plotted order: 0.1; 2.1 | 0.36; 8.61 | 0.94; 3.85 | 0.72; 12.7 | 3.65; 4.28 | 1.6; 28.3 | 13.22; 4.93.]

SLIDE 28

Conclusion

  • Combination of DPF-based PIR with state-of-the-art PSI to achieve scalable contact discovery.
  • Efficient open-source C++ implementation on GitHub: github.com/osu-crypto/libPSI
  • Many more details in the paper:
    • Security analysis
    • Cuckoo hashing parameters
    • Detailed performance analysis and comparison with related work
    • Extensions

SLIDE 29

Thank you!

Daniel Demmler, Peter Rindal, Mike Rosulek, Ni Trieu

SLIDE 30

References

  • Some icons are made by Freepik from flaticon.com

SLIDE 31

  • Extra / backup slides coming up next…

SLIDE 32–38 (backup)

A Sampling of PSI Over the Decades

[Timeline 1985–2020, built up over slides 32–37 and repeated on slide 38; grouped here by technique.]

Diffie-Hellman
  • [Meadows86] Private equality test: $x^{\alpha\beta} = y^{\beta\alpha} \Rightarrow x = y$
  • [HubermanFranklinHogg99] Private equality test to PSI
  • [DeCristofaroKimTsudik10] Malicious secure

Oblivious Polynomial Evaluation: $Q(x) := (x - y)$, $Q(x) = 0 \Rightarrow x = y$
  • [NaorPinkas99] Semi-honest PSI
  • [FreedmanNissimPinkas04] Hash table based PSI
  • [DachmanMalkinRaykovaYung09] Malicious secure
  • [GhoshJasper17] Malicious secure

Generic MPC
  • [HuangEvansKatz12] Garbled circuit based PSI

Oblivious Transfer & Bloom filter
  • [DongChenWen13] Oblivious transfer + Bloom filter based PSI
  • [RindalRosulek17a] Malicious oblivious transfer + Bloom filter based PSI

Oblivious Transfer Encoding
  • [FaginNaorWinkler96] Private equality test
  • [KKRT16] Element-wise OT encoding
  • [PinkasSchneiderZohner14, …] Cuckoo hashing PSI
  • [RindalRosulek17b] Hash table based PSI from OT

Fully Homomorphic Encryption
  • [ChenLaineRindal17] Hash table based PSI from FHE

PIR + PSI
  • [This Work]