PSI from PaXoS: Fast, Malicious Private Set Intersection (slide deck)


SLIDE 1

PSI from PaXoS: Fast, Malicious Private Set Intersection

ia.cr/2020/193

Benny Pinkas (Bar-Ilan University), Mike Rosulek (Oregon State University), Ni Trieu (UC Berkeley), Avishay Yanai (VMware)

Eurocrypt 2020, COVID-19 edition

SLIDE 2–5

what is private set intersection (PSI)?

Alice holds a set of items (drawn as bubbles: the letters of “eurocrypt”); Bob holds a set of items (the letters of “covid19sux”).

Goal: the parties learn which items they have in common (here the letters c, o, u) and nothing about each other’s remaining items, which stay hidden (drawn as “??”).

SLIDE 6–8

what is private set intersection (PSI)? Example applications:

  • {my phone contacts} ∩ {users of your service}
  • {my passwords} ∩ {passwords found in breaches}
  • {people who saw ad} ∩ {customers who made purchases}

SLIDE 9–11

state of the art: PSI for 1 million items

[chart: running time (s) against communication (MB), both on log-scale axes (2^0 … 2^12 and 2^4 … 2^14); semi-honest protocols: classic DH, KKRT16, PRTY19; malicious protocols: DKT10, RR17a, RR17b; the “insecure hashing” baseline; and this work]

this work vs prior malicious:

  ◮ ∼3× faster
  ◮ 8× less communication

this work vs semi-honest:

  ◮ 25% slower
  ◮ 60–150% more communication

asymptotically:

  ◮ first O(n) malicious PSI from OT extension

DKT10 = ia.cr/2010/469, KKRT16 = ia.cr/2016/799, RR17a = ia.cr/2016/746, RR17b = ia.cr/2017/769, PRTY19 = ia.cr/2019/634

SLIDE 12–13

  • 1. why is existing semi-honest PSI so efficient?
  • 2. why is malicious security harder?
  • 3. how do we overcome this limitation?

what does “PaXoS” mean?

SLIDE 14–19

batch oblivious PRF (OPRF)

Instances 1, 2, 3, … run in one batch. Alice has one input xi per instance; Bob has no input.

Output: Alice learns F1(x1), F2(x2), F3(x3), …; Bob learns the entire functions F1(·), F2(·), F3(·), …

  ◮ Bob learns nothing about the xi’s
  ◮ to Alice, all other values Fi(x∗) with x∗ ≠ xi look random
  ◮ achieved very efficiently from OT extension

SLIDE 20–32

the KKRT16 (PSZ14) protocol

Alice’s set: a b c d      Bob’s set: c d e f      m = 10 bins

  • 1. Agree on random h1, h2 : {0, 1}∗ → [m]
  • 2. Alice places each x into bin h1(x) or h2(x) (cuckoo hashing, one item per bin; in the example a → bin 2, c → bin 3, d → bin 7, b → bin 9)
  • 3. Bob places each x into bins h1(x) and h2(x) (simple hashing, two copies per item; in the example bin 3: c, e; bin 4: d; bin 5: e; bin 7: c, d; e and f each also fill a second bin)
  • 4. OPRF in each bin i: Alice learns one Fi(x), for the item x she placed there (F2(a), F3(c), F7(d), F9(b)); Bob learns the entire Fi(·)
  • 5. Bob sends all Fi(x) values for his items, two per item: F3(c), F3(e), F4(d), F5(e), …, F7(d), …

Alice outputs every item of hers whose Fi(x) appears in Bob’s list (here c and d).
SLIDE 33–42

why isn’t it secure against malicious parties?

Bob’s set: c d e f, placed as before (bin 3: c, e; bin 4: d; bin 5: e; bin 7: c, d; …); Bob knows F1(·), …, F10(·).

An honest Bob sends two F-values per item: F3(c), F3(e), F4(d), …, F7(c), …

  • Bob should send two F-values per item. What if he sends only one, say F3(c) but not F7(c)?
  • Alice has c; does she include it in the output? Only if she placed c in bin 3! If her cuckoo table put c in bin 7 instead, she holds F7(c), never sees it from Bob, and leaves c out.

◮ Whether c is in Alice’s output now depends on where her cuckoo hashing placed c, i.e. on Alice’s entire input, not just on the intersection ⇒ the simulator can’t reproduce Bob’s view ⇒ can’t simulate!
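An added example, not from the slides or the authors’ implementation: a Python simulation of the bin structure of KKRT16/PSZ14 (slides 20–32) and of the one-value-per-item leak (slides 33–42). The batch OPRF is replaced by a trusted-dealer stand-in, an oracle holding one HMAC key per bin that both sides query, so the code shows the hashing layout and the leakage, not the OT-extension protocol. The hash functions, the bin count M = 64 and the byte-string items are assumptions made for the example.

```python
import hashlib
import hmac
import os
import random

M = 64  # number of bins (assumption; the slides draw m = 10 bins for a 4-item set)

def h(j, x, m=M):
    """Public hash functions h1, h2 : {0,1}* -> [m], selected by j in {1, 2} (domain-separated SHA-256)."""
    return int.from_bytes(hashlib.sha256(bytes([j]) + x).digest()[:8], "big") % m

def cuckoo_place(items, m=M, seed=0, max_kicks=200):
    """Alice, step 2: every x goes into exactly ONE of bins h1(x), h2(x); returns {bin: item}.
    Cuckoo eviction resolves collisions, so which bin an item ends up in depends on the rest
    of Alice's set. That dependence is the leak exploited below."""
    rng = random.Random(seed)
    table = {}
    for x in items:
        cur = x
        for _ in range(max_kicks):
            cands = [h(1, cur, m), h(2, cur, m)]
            free = [b for b in cands if b not in table]
            if free:
                table[rng.choice(free)] = cur
                break
            b = rng.choice(cands)  # evict the occupant and re-insert it
            table[b], cur = cur, table[b]
        else:
            raise RuntimeError("cuckoo insertion failed; use more bins")
    return table

def simple_place(items, m=M):
    """Bob, step 3: every x goes into BOTH bins h1(x) and h2(x); returns {bin: [items]}."""
    bins = {}
    for x in items:
        for b in {h(1, x, m), h(2, x, m)}:
            bins.setdefault(b, []).append(x)
    return bins

def ideal_batch_oprf(m=M):
    """Trusted-dealer stand-in for the batch OPRF of step 4: an independent PRF F_i per bin.
    The real protocol lets Alice evaluate F_i only on her one bin item while Bob gets the
    whole function; here both sides just query this oracle, so no OPRF protocol is shown."""
    keys = [os.urandom(16) for _ in range(m)]
    return lambda i, x: hmac.new(keys[i], x, "sha256").digest()

def alice_output(alice_table, F, bob_messages):
    """Alice keeps every item whose single OPRF value shows up among Bob's messages."""
    mine = {F(b, x): x for b, x in alice_table.items()}
    return {mine[v] for v in bob_messages if v in mine}

def honest_bob_messages(bob_set, F, m=M):
    """Step 5, honest Bob: two F-values per item, one for each of its two bins."""
    return [F(b, y) for b, ys in simple_place(bob_set, m).items() for y in ys]

def kkrt_psi(alice_set, bob_set, seed=0):
    """The semi-honest protocol end to end (steps 2 to 5 plus Alice's comparison)."""
    F = ideal_batch_oprf()
    table = cuckoo_place(alice_set, seed=seed)
    return alice_output(table, F, honest_bob_messages(bob_set, F))

def malicious_bob_probe(alice_table, c):
    """Malicious Bob sends ONLY F_{h1(c)}(c) and nothing for bin h2(c). Whether c appears in
    Alice's output now reveals which of its two bins Alice chose for c, i.e. a function of
    her entire input, which a simulator given only the intersection cannot reproduce."""
    F = ideal_batch_oprf()
    return c in alice_output(alice_table, F, [F(h(1, c), c)])
```

`kkrt_psi` reproduces the honest run; `malicious_bob_probe` takes Alice’s cuckoo table directly so the two possible placements of the same item can be compared: with c in bin h1(c) the item is output, with c in bin h2(c) it is not, although Bob’s message was identical in both runs.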

SLIDE 43

how do we overcome this problem?

SLIDE 44–46

batch OPRF for malicious PSI

Same batch OPRF picture as before: for i = 1, 2, 3, … Alice learns Fi(xi) and Bob learns Fi(·).

State of the art malicious batch OPRF [OOS17]:

  ◮ essentially same cost as semi-honest
  ◮ its consistency check relies on an additive homomorphism∗: Fi(x) ⊕ Fj(y) = Fij(x ⊕ y)

∗: a gross oversimplification

SLIDE 47–61

our protocol main idea:

Alice’s set: a b c d      Bob’s set: c d e f      a vector of 10 positions s1 … s10 (one per OPRF instance)

Alice secret-shares each x into positions h1(x) and h2(x): she fills (s1, …, s10) so that

  s2 ⊕ s7 = a,  s3 ⊕ s9 = b,  s3 ⊕ s7 = c,  s4 ⊕ s7 = d

(positions s1, s5, s6, s8, s10 are unconstrained).

Batch OPRF on the vector: Alice learns F1(s1), …, F10(s10); Bob learns F1(·), …, F10(·).

By the homomorphism, Alice combines her values into one per item:

  F2(s2) ⊕ F7(s7) = F27(a),  F3(s3) ⊕ F9(s9) = F39(b),  F3(s3) ⊕ F7(s7) = F37(c),  F4(s4) ⊕ F7(s7) = F47(d)

Bob knows every Fi(·), so he evaluates the combined function on his own items and sends only one F-value per item: F37(c), F47(d), F35(e), F69(f). Alice outputs the items whose combined value appears in Bob’s list; there is no longer a placement choice for Bob to probe.

SLIDE 62–74

[how] can Alice secret-share all items?

Constraints: s2 ⊕ s7 = a, s3 ⊕ s9 = b, s3 ⊕ s7 = c, s4 ⊕ s7 = d; all ten positions start unset.

algorithm:

  ◮ set one location arbitrarily (e.g. s2)
  ◮ repeat: find an item with exactly one unset location, solve for that location (s2 set ⇒ a fixes s7 = a ⊕ s2; then c fixes s3 = c ⊕ s7; then b fixes s9 = b ⊕ s3; then d fixes s4 = d ⊕ s7)
  ◮ positions no item touches (s1, s5, s6, s8, s10) take arbitrary values

  • cuckoo graph: positions are vertices, each item x is the edge {h1(x), h2(x)}
  • only works if the cuckoo graph is acyclic (a cycle leaves a set of items none of which has a single unset location)
SLIDE 75–80

probe-and-XOR-of-strings (PaXoS)

Encode items a, b, c, d into a vector s = (s1, …, s10) so that for all x:

  ⊕_{i ∈ P(x)} si = x

where P(x) is the set of positions probed by x (the secret-shared cuckoo idea is the special case P(x) = {h1(x), h2(x)}, i.e. s_{h1(x)} ⊕ s_{h2(x)} = x).

requirements:

  • 1. the system of linear constraints must be satisfiable with overwhelming probability
  • 2. |s| = number of OPRFs = communication cost of the PSI; ideally O(# items)
  • 3. ideally linear-time encoding of items into s
SLIDE 81–84

PaXoS constructions

secret-shared cuckoo idea:

  ◮ requires acyclic cuckoo graph
  ◮ failure probability too high

probe each position with probability 0.5:

  ◮ n items → vector of size n + λ
  ◮ expensive O(n³) encoding

garbled bloom filter [DCW13]:

  ◮ n items → vector of size λn

new garbled cuckoo PaXoS:

  ◮ n items → vector of size ∼ 2.4n
  ◮ fast encoding: O(nλ)

SLIDE 85–100

new garbled cuckoo PaXoS

vector s1 … s10 plus s11, s12, …, s10+k: k aux positions; items a b c d e

for each item x:

  ◮ probe positions h1(x) and h2(x)
  ◮ probe a random subset of the k aux positions

encoding:

  • 1. identify all items across all cycles of the cuckoo graph
    ◮ solve a linear system for the cycle items (their constraints, over their cuckoo and aux positions)
    ◮ solution exists whp if k > [# cycle items] + λ
    ◮ can be found in [# cycle items]³ time
  • 2. solve for remaining items iteratively (linear time)
    ◮ the remaining cuckoo graph is acyclic, so the peeling algorithm from before applies

whp: [# cycle items] is O(log n)
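An added example, not from the slides or the authors’ implementation, covering slides 62–74 and 85–100 together: a Python garbled cuckoo PaXoS encoder (peel the acyclic part, solve the cycle items over GF(2) using the aux positions, back-substitute), and on top of it the PSI main idea of slides 47–61. Plain secret-shared cuckoo is the same encoder with k = 0 aux positions, which is where it fails on a cycle. The batch OPRF is replaced by an algebraic stand-in r_i = q_i ⊕ (s_i ∧ Δ) that has exactly the homomorphism the slides name and no other property; it is not a secure OPRF (the real protocol obtains one from OT extension). The hash functions, the 128-bit item width, the choice of m and k, and the sample sets are assumptions made for the example.

```python
import hashlib
import random

ITEM_BITS = 128  # items are hashed to this width (assumption for the example)

def H(tag, x):
    """Domain-separated SHA-256 of a fixed-width item: stands in for h1, h2, the aux bits, the output hash."""
    return hashlib.sha256(tag + x.to_bytes(ITEM_BITS // 8, "big")).digest()

def make_probe(m, k):
    """P(x) = {h1(x), h2(x)} in [0, m) plus a random half of the k aux positions m .. m+k-1."""
    assert k <= 256  # one SHA-256 output supplies the aux bits
    def probe(x):
        pos = {int.from_bytes(H(b"h1", x), "big") % m, int.from_bytes(H(b"h2", x), "big") % m}
        bits = int.from_bytes(H(b"aux", x), "big")
        return frozenset(pos | {m + j for j in range(k) if bits >> j & 1})
    return probe

def solve_gf2(rows):
    """Gauss-Jordan over GF(2). rows = [(set of columns, rhs)]: XOR of those unknowns = rhs.
    Returns {pivot column: value} with free unknowns = 0, or None if the rows are inconsistent."""
    pivots = {}  # pivot column -> (columns, rhs); each stored row holds exactly one pivot column
    for cols, rhs in rows:
        cols = set(cols)
        for pc, (pcols, prhs) in pivots.items():
            if pc in cols:
                cols, rhs = cols ^ pcols, rhs ^ prhs
        if not cols:
            if rhs:
                return None  # 0 = nonzero: a cycle with too few aux positions
            continue
        pc = min(cols)
        for c in list(pivots):
            if pc in pivots[c][0]:
                pivots[c] = (pivots[c][0] ^ cols, pivots[c][1] ^ rhs)
        pivots[pc] = (cols, rhs)
    return {pc: rhs for pc, (_, rhs) in pivots.items()}

def paxos_encode(items, m, k, probe):
    """Return s with XOR_{i in P(x)} s_i = x for every item, or None on failure: 1. peel items that
    own a cuckoo position (< m) nobody else probes; 2. solve the leftover cycle items as a linear
    system, the aux positions supplying the slack; 3. back-substitute the peeled items."""
    P = {x: probe(x) for x in items}
    deg = {}  # cuckoo position -> remaining items probing it
    for x in items:
        for p in P[x]:
            if p < m:
                deg.setdefault(p, set()).add(x)
    remaining, order = set(items), []
    stack = [p for p in deg if len(deg[p]) == 1]
    while stack:
        p = stack.pop()
        if len(deg[p]) != 1:
            continue
        (x,) = deg[p]
        order.append((x, p))
        remaining.discard(x)
        for q in P[x]:
            if q < m:
                deg[q].discard(x)
                if len(deg[q]) == 1:
                    stack.append(q)
    sol = solve_gf2([(P[x], x) for x in remaining])
    if sol is None:
        return None
    s = [None] * (m + k)
    for x in remaining:
        for p in P[x]:
            s[p] = sol.get(p, 0)
    for x, p in reversed(order):  # p is still unset: only x and earlier-peeled items probe it
        acc = x
        for q in P[x] - {p}:
            if s[q] is None:
                s[q] = 0  # free position; any value works
            acc ^= s[q]
        s[p] = acc
    return [0 if v is None else v for v in s]

def paxos_decode(s, x, probe):
    """Lookup: XOR of the probed positions."""
    acc = 0
    for i in probe(x):
        acc ^= s[i]
    return acc

def psi_from_paxos(alice_set, bob_set, m, k, seed=0):
    """Protocol main idea with the batch OPRF replaced by an algebraic stand-in that has only the
    homomorphism the slides name: Alice gets r_i = q_i XOR (s_i AND delta); Bob keeps q and delta.
    XOR over P(x) gives XOR q_i XOR (x AND delta), which Bob computes for his own items and sends
    as ONE value per item. The stand-in is not a secure OPRF; it models the algebra only."""
    rng = random.Random(seed)
    probe = make_probe(m, k)
    s = paxos_encode(alice_set, m, k, probe)  # Alice encodes her set; Bob never sees s
    if s is None:
        raise RuntimeError("PaXoS encoding failed; increase k")
    delta = rng.getrandbits(ITEM_BITS)
    q = [rng.getrandbits(ITEM_BITS) for _ in range(m + k)]
    r = [q[i] ^ (s[i] & delta) for i in range(m + k)]  # Alice's OPRF outputs F_i(s_i)
    def combined(vec, x, mask):  # F_{P(x)}(x): XOR of the per-position values over P(x), then hash
        return H(b"out", mask ^ paxos_decode(vec, x, probe))
    bob_msgs = {combined(q, y, y & delta) for y in bob_set}  # one F-value per item
    return {x for x in alice_set if combined(r, x, 0) in bob_msgs}
```

With the slides’ example probe sets P(a) = {2, 7}, P(b) = {3, 9}, P(c) = {3, 7}, P(d) = {4, 7} and k = 0, `paxos_encode` peels a via position 2 and so on and succeeds. Adding an item e with P(e) = {4, 9} (an assumed probe set, chosen to close the cycle 7–3–9–4–7) makes it return None: XORing the four cycle equations cancels every position and demands b ⊕ c ⊕ d ⊕ e = 0. With k = 64 aux positions and m = 2.4n cuckoo positions the same encoder succeeds, and Bob’s message in `psi_from_paxos` is one hash per item whatever Alice’s set looks like.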

SLIDE 101

summary

[chart as on slides 9–11: running time (s) against communication (MB) for 1 million items, log-scale axes; semi-honest: PRTY19, KKRT16, classic DH; malicious: RR17b, RR17a, DKT10; the “insecure hashing” baseline; this work]

new approach for malicious PSI:

  ◮ fastest, least communication
  ◮ first O(n) from OT extension
  ◮ almost as efficient as semi-honest

PaXoS data structure:

  ◮ encode items into a vector
  ◮ lookup is XOR of some positions
  ◮ first linear-time, constant rate construction

SLIDE 102

thanks!