

SLIDE 1

SpOT-Light: Lightweight Private Set Intersection from Sparse OT Extension

Benny Pinkas Mike Rosulek Ni Trieu Avishay Yanai

Presented by Cui Hongrui

October 18, 2019

PRTY (BIU&OSU) SpOT October 18, 2019 1 / 30

SLIDE 2

Overview

1. Introduction: Notations; Preliminary
2. SpOT Protocol: Sparse OT Extension; Communication-Optimized: spot-low; Computation-Optimized: spot-fast
3. Security: Semi-Honest Simulation; Malicious Sender Security with RO
4. Performance Evaluation: Theoretical Communication Cost; Experiment Result


SLIDE 4

Introduction

This work builds on several earlier works:
◮ OT extension: [IKNP03, KK13]
◮ OT-based PSI: [KKRT16, PSSZ15]
◮ Difference encoding: [TLP+17]
◮ Hashing assignment: [SEK00]

SLIDE 5

Notations and Definitions

Participants
◮ Sender (Alice) with input set $X$, $|X| = n_1$
◮ Receiver (Bob) with input set $Y$, $|Y| = n_2$

Symbols
◮ $\kappa$ and $\lambda$: the computational and statistical security parameters
◮ $N$: large enough that $X, Y \subseteq [N]$
◮ $\mathbb{F}$: a finite field, with $\ell = \log|\mathbb{F}|$
◮ $F : \{0,1\}^\kappa \times [N] \to \{0,1\}$: a PRF (or a random oracle)
◮ $H$: a hash function

SLIDE 6

Hash Function Assumptions I

The authors of [IKNP03, KKRT16] use a $d$-Hamming correlation robust assumption to prove security, stated below ($b \cdot s$ denotes the bitwise AND of two strings).

Definition (Correlation Robust)

Let $H$ be a function with input length $n$. Then $H$ is a $d$-Hamming correlation robust function (CRF) if, for any $a_1, \ldots, a_m, b_1, \ldots, b_m$ with $a_i, b_i \in \{0,1\}^n$ and $w_H(b_i) \ge d$ for all $i \in [m]$, the following distribution, induced by random sampling of $s \xleftarrow{\$} \{0,1\}^n$, is pseudorandom:
$$H(a_1 \oplus [b_1 \cdot s]), \ldots, H(a_m \oplus [b_m \cdot s]).$$

SLIDE 7

Hash Function Assumptions II

This work also proves security against a malicious sender when $F$ is modelled as a non-programmable random oracle (cf. slide 5, where $F$ is a PRF or a random oracle). The simulator can then observe the adversary's oracle queries, although it cannot program the responses.

SLIDE 8

OT Extension of [IKNP03]

We briefly recall the OT extension technique of [IKNP03] and fix the notation used hereafter. Alice is the sender of the $m$ extended OTs; Bob is the receiver with choice bits $r_1, \ldots, r_m \in \{0,1\}$. For a bit vector $s$ and a string $v$ of the same length, $s \cdot v$ denotes the bitwise AND; $M^j$ denotes the $j$-th row of a matrix $M$.

Base OTs. Alice samples $s \xleftarrow{\$} \{0,1\}^\ell$. The parties run $\ell$ random OTs on $\kappa$-bit seeds, $\binom{2}{1}\text{-ROT}_\kappa^{\ell}$, in the reverse direction: Bob (as sender) obtains $\bar t_1, \ldots, \bar t_\ell$ and $\bar u_1, \ldots, \bar u_\ell$, and Alice (as receiver, with choice bits $s_1, \ldots, s_\ell$) obtains $\bar q_1, \ldots, \bar q_\ell$ with $\bar q_i = \bar t_i$ if $s_i = 0$ and $\bar q_i = \bar u_i$ if $s_i = 1$.

Expansion. With a PRG $G : \{0,1\}^\kappa \to \{0,1\}^m$, Bob computes $t_i = G(\bar t_i)$ and $u_i = G(\bar u_i)$, and Alice computes $q_i = G(\bar q_i)$, so that $q_i, t_i, u_i \in \{0,1\}^m$ (one entry per extended OT) and
$$q_i = t_i \oplus s_i \cdot (t_i \oplus u_i).$$

Matrices. Bob sets $T = t_1 \| \cdots \| t_\ell$ and $U = u_1 \| \cdots \| u_\ell$ (the $t_i, u_i$ are the columns, so $T, U \in \{0,1\}^{m \times \ell}$), builds the choice matrix
$$C = \begin{pmatrix} r_1^{\ell} \\ \vdots \\ r_m^{\ell} \end{pmatrix} = \begin{pmatrix} r_1 & r_1 & \cdots & r_1 \\ \vdots & \vdots & \ddots & \vdots \\ r_m & r_m & \cdots & r_m \end{pmatrix},$$
and sends $P = T \oplus U \oplus C$ to Alice. Alice sets $Q = q_1 \| \cdots \| q_\ell$; row-wise,
$$Q^j = T^j \oplus s \cdot (T^j \oplus U^j), \qquad Q^j \oplus s \cdot P^j = T^j \oplus s \cdot C^j = T^j \oplus r_j \cdot s.$$

Outputs. Alice outputs, for each $j \in [m]$,
$$m_{j,0} = H(Q^j \oplus s \cdot P^j), \qquad m_{j,1} = H(Q^j \oplus s \cdot P^j \oplus s),$$
and Bob outputs $H(T^j) = H(Q^j \oplus s \cdot P^j \oplus s \cdot C^j) = m_{j, r_j}$. The other message $m_{j,1-r_j} = H(T^j \oplus s)$ stays hidden from Bob, who does not know $s$.
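To make the matrix bookkeeping on this slide concrete, here is an added simulation of IKNP OT extension (example code written for this page, not code from the paper or its authors). It assumes SHA-256 in counter mode as the PRG $G$ and SHA-256 as $H$, plays both parties in one process, and replaces the base OTs by directly handing Alice the seed selected by each $s_i$, since only the resulting correlation matters for the derivation.

```python
import hashlib
import secrets

KAPPA = 128   # seed length in bits (kappa)
ELL = 128     # number of base OTs = number of columns (l on the slide)


def prg(seed, nbits):
    """G : {0,1}^kappa -> {0,1}^nbits, built from SHA-256 in counter mode (an
    assumption of this example, not the PRG of the paper).  Returns a bit list."""
    bits = []
    ctr = 0
    while len(bits) < nbits:
        block = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        bits.extend((byte >> k) & 1 for byte in block for k in range(8))
        ctr += 1
    return bits[:nbits]


def H(row):
    """The hash H applied to one l-bit row (a bit list); SHA-256 stands in for H."""
    return hashlib.sha256(bytes(row)).digest()


def iknp(r, s=None):
    """Run IKNP OT extension for Bob's choice bits r = (r_1, ..., r_m).

    Returns (alice_msgs, bob_outputs): alice_msgs[j] = (m_{j,0}, m_{j,1}) and
    bob_outputs[j] = H(T^j), which must equal m_{j, r_j}."""
    m, l = len(r), ELL
    if s is None:                       # Alice's random choice vector s in {0,1}^l
        s = [secrets.randbelow(2) for _ in range(l)]

    # Base OTs (Bob = sender, Alice = receiver with choice bits s_i): Bob holds
    # seeds tbar_i, ubar_i; Alice learns qbar_i = tbar_i if s_i = 0 else ubar_i.
    tbar = [secrets.token_bytes(KAPPA // 8) for _ in range(l)]
    ubar = [secrets.token_bytes(KAPPA // 8) for _ in range(l)]
    qbar = [ubar[i] if s[i] else tbar[i] for i in range(l)]

    # Bob expands his seeds into the columns t_i, u_i in {0,1}^m and sends
    # P = T xor U xor C, where row j of C is r_j repeated l times.
    T = [prg(tbar[i], m) for i in range(l)]          # T[i][j]: column i, row j
    U = [prg(ubar[i], m) for i in range(l)]
    P = [[T[i][j] ^ U[i][j] ^ r[j] for j in range(m)] for i in range(l)]

    # Alice expands q_i = t_i xor s_i.(t_i xor u_i) from the seeds she received.
    Q = [prg(qbar[i], m) for i in range(l)]

    # Alice: row j of Q xor s.P^j equals T^j xor r_j.s, so hashing it and its
    # xor with s gives the two OT messages of row j.
    alice_msgs = []
    for j in range(m):
        base = [Q[i][j] ^ (s[i] & P[i][j]) for i in range(l)]
        m0 = H(base)
        m1 = H([base[i] ^ s[i] for i in range(l)])
        alice_msgs.append((m0, m1))

    # Bob: H(T^j) is exactly m_{j, r_j}; without s he cannot form the other one.
    bob_outputs = [H([T[i][j] for i in range(l)]) for j in range(m)]
    return alice_msgs, bob_outputs
```

Calling `iknp(r)` for any choice vector and checking `alice_msgs[j][r[j]] == bob_outputs[j]` for every $j$ confirms the derivation above; note that with $s = 0^\ell$ both messages of every row would coincide, which is why $s$ has to be random.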


SLIDE 10

SpOT

The PSI protocol in this work is based on an extension of the [IKNP03] scheme.
◮ Every row of the OT extension matrix can be viewed as a one-time OPRF instance: Alice holds the key $(s, Q^j, P^j)$, and Bob learns the value $H(T^j)$ at the point of his choice.
◮ This work views the entire extension process as a multi-point OPRF: Bob learns the PRF on his whole set $Y$ and nothing else.
With a multi-point OPRF, PSI follows directly: Alice sends the PRF values on $X$, and Bob outputs the $y \in Y$ whose values match.

SLIDE 11

Modify the IKNP Paradigm

Goal: an OPRF $\mathcal{F}((s,Q,P), \cdot) : [N] \to \{0,1\}^v$, keyed by Alice's view, with $H : \{0,1\}^\ell \to \{0,1\}^v$ and built from a PRF $F : \{0,1\}^\kappa \times [N] \to \{0,1\}$. Bob's input is $Y = \{y_1, \ldots, y_{n_2}\} \subseteq [N]$; the matrices now have one row per element of $[N]$.

Base OTs as on slide 8: Alice samples $s \xleftarrow{\$} \{0,1\}^\ell$ and receives $\bar q_i \in \{\bar t_i, \bar u_i\}$ according to $s_i$; Bob holds $\bar t_i, \bar u_i$ for $i \in [\ell]$.

Expansion with the PRF instead of a PRG (columns of length $N$):
$$t_i = \begin{pmatrix} F(\bar t_i, 1) \\ \vdots \\ F(\bar t_i, N) \end{pmatrix}, \quad u_i = \begin{pmatrix} F(\bar u_i, 1) \\ \vdots \\ F(\bar u_i, N) \end{pmatrix}, \quad q_i = \begin{pmatrix} F(\bar q_i, 1) \\ \vdots \\ F(\bar q_i, N) \end{pmatrix}, \qquad q_i = t_i \oplus s_i \cdot (t_i \oplus u_i).$$

Bob sets $T = t_1 \| \cdots \| t_\ell$, $U = u_1 \| \cdots \| u_\ell$ and the choice matrix $C$ with rows
$$C^j = \begin{cases} 0^\ell, & j \in Y, \\ 1^\ell, & j \notin Y, \end{cases}$$
and sends $P = T \oplus U \oplus C$ to Alice. Alice sets $Q = q_1 \| \cdots \| q_\ell$; as before, $Q^j = T^j \oplus s \cdot (T^j \oplus U^j)$ and $Q^j \oplus s \cdot P^j = T^j \oplus s \cdot C^j$.

The OPRF. Alice's key is $(s, Q, P)$ and
$$\mathcal{F}((s,Q,P), j) = H(Q^j \oplus s \cdot P^j).$$
Writing $R = T \oplus U$ (so that $P = R \oplus C$):
◮ for $y \in Y$: $\mathcal{F}((s,Q,P), y) = H(T^{y})$, which Bob can compute himself;
◮ for $y^* \notin Y$: $\mathcal{F}((s,Q,P), y^*) = H(T^{y^*} \oplus s \cdot (P^{y^*} \oplus R^{y^*})) = H(T^{y^*} \oplus s)$, which is pseudorandom to Bob by correlation robustness, since $P^{y^*} \oplus R^{y^*} = 1^\ell$ has full Hamming weight and $s$ is unknown to him.

SLIDE 12

Problems

Consider the complexity of the above scheme:
◮ When $\log N = \mathrm{poly}(\kappa)$, i.e. $N$ is exponential, the $N \times \ell$ matrices make computation and communication exponential.
◮ Bob only needs $|Y|$ of the $N$ rows.
◮ We can instead interpolate a polynomial through the points $(y, R(y))_{y \in Y}$: $R = T \oplus U$ is pseudorandom to Alice (she knows only one of $t_i, u_i$ per column), so sending such a polynomial reveals nothing about $Y$.

SLIDE 13

Sparse OT

We now use a polynomial $P$ over $\mathbb{F}$ ($\log|\mathbb{F}| = \ell$) to compress the huge matrix; an $\ell$-bit row is read as a field element.

Base OTs as before: Alice samples $s \xleftarrow{\$} \{0,1\}^\ell$ and receives $\bar q_1, \ldots, \bar q_\ell$; Bob holds $\bar t_1, \ldots, \bar t_\ell$ and $\bar u_1, \ldots, \bar u_\ell$. Instead of materialising the columns, each party evaluates the rows it needs on demand with the PRF $F : \{0,1\}^\kappa \times [N] \to \{0,1\}$:
$$Q(x) := F(\bar q_1, x) \| \cdots \| F(\bar q_\ell, x), \qquad T(y) := F(\bar t_1, y) \| \cdots \| F(\bar t_\ell, y),$$
$$U(y) := F(\bar u_1, y) \| \cdots \| F(\bar u_\ell, y), \qquad R(y) := T(y) \oplus U(y).$$

Bob (input $Y = \{y_1, \ldots, y_{n_2}\} \subseteq [N]$) interpolates the degree-$(n_2 - 1)$ polynomial $P$ over $\mathbb{F}$ through $\{(y, R(y))\}_{y \in Y}$ and sends $P$ to Alice.

For every $x$, $Q(x) = T(x) \oplus s \cdot R(x)$, hence
$$Q(x) \oplus s \cdot P(x) = T(x) \oplus s \cdot (R(x) \oplus P(x)),$$
and the OPRF is $\mathcal{F}((s,Q,P), x) = H(Q(x) \oplus s \cdot P(x))$:
◮ for $y \in Y$: $P(y) = R(y)$, so $\mathcal{F}((s,Q,P), y) = H(T(y))$, computable by Bob;
◮ for $y^* \notin Y$: $\mathcal{F}((s,Q,P), y^*) = H(T(y^*) \oplus s \cdot (P(y^*) \oplus R(y^*)))$, pseudorandom to Bob as long as $P(y^*) \oplus R(y^*)$ has large Hamming weight (slides 23 and 24).

SLIDE 14

Communication-Optimized: spot-low

Applying the sparse OT directly to PSI gives the protocol with the lowest communication.

Protocol spot-low (inputs $X = \{x_1, \ldots, x_{n_1}\}$ for Alice and $Y = \{y_1, \ldots, y_{n_2}\}$ for Bob, both $\subseteq [N]$):
1. Base OTs: Alice samples $s \xleftarrow{\$} \{0,1\}^\ell$ and obtains $\bar q_1, \ldots, \bar q_\ell$; Bob obtains $\bar t_i, \bar u_i$ for $i \in [\ell]$. Rows $Q(\cdot), T(\cdot), U(\cdot)$ and $R(\cdot) = T(\cdot) \oplus U(\cdot)$ are defined through the PRF $F$ as on slide 13.
2. Bob computes $R(y)$ for $y \in Y$, interpolates the degree-$(n_2 - 1)$ polynomial $P$ with $P(y) = R(y)$ for all $y \in Y$, and sends $P$ to Alice.
3. Alice computes $O = \{ H(Q(x) \oplus s \cdot P(x)) \}_{x \in X}$ and sends $O$ to Bob.
4. Bob outputs $\{ y \in Y \mid H(T(y)) \in O \}$.

Correctness: $Q(x) \oplus s \cdot P(x) = T(x) \oplus s \cdot (R(x) \oplus P(x))$, which equals $T(x)$ whenever $P(x) = R(x)$, in particular for every $x \in X \cap Y$. An element $y \in Y \setminus X$ is output only if $H(T(y))$ collides with the value of some $x \in X \setminus Y$, which happens with negligible probability.
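The following is an added end-to-end simulation of spot-low (example code written for this page, not the authors' implementation). It assumes $\mathbb{F} = \mathrm{GF}(2^{128})$ with the AES-GCM reduction polynomial, SHA-256 to derive the per-column PRF bits $F(\bar q_i, x)$ and to play $H$, and it stands in for the base OTs by handing Alice the seeds selected by $s$. The field size $\ell = 128$ is chosen only for brevity; the real value comes from the bound on slide 24.

```python
import hashlib
import secrets

ELL = 128                               # l = log|F|; one PRF bit per column
MOD = (1 << 128) | 0b10000111           # x^128 + x^7 + x^2 + x + 1, reduction polynomial of GF(2^128)
SEED_BYTES = 16                         # kappa = 128


def gf_mul(a, b):
    """Multiplication in GF(2^128): carry-less multiply, reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> ELL:
            a ^= MOD
    return r


def gf_inv(a):
    """a^(2^128 - 2) = a^-1 (Fermat), by square-and-multiply."""
    result, e = 1, (1 << ELL) - 2
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def interpolate(points):
    """Lagrange interpolation over GF(2^128): coefficients (lowest degree first)
    of the unique degree-(n-1) polynomial through n distinct (y, R(y)) pairs."""
    coeffs = [0] * len(points)
    for i, (yi, ri) in enumerate(points):
        num, den = [1], 1               # num = prod_{j != i} (X + y_j); subtraction is xor
        for j, (yj, _) in enumerate(points):
            if j == i:
                continue
            num = [(num[k - 1] if k else 0) ^ (gf_mul(yj, num[k]) if k < len(num) else 0)
                   for k in range(len(num) + 1)]
            den = gf_mul(den, yi ^ yj)
        scale = gf_mul(ri, gf_inv(den))   # r_i / prod_{j != i} (y_i - y_j)
        for k, c in enumerate(num):
            coeffs[k] ^= gf_mul(c, scale)
    return coeffs


def evaluate(coeffs, x):
    """Horner evaluation of a polynomial over GF(2^128)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def prf_bit(seed, x):
    """F : {0,1}^kappa x [N] -> {0,1}, instantiated as one bit of SHA-256 (assumption)."""
    return hashlib.sha256(seed + x.to_bytes(16, "big")).digest()[0] & 1


def row(seeds, x):
    """Q(x), T(x) or U(x): the l column bits F(seed_i, x) packed into one field element."""
    v = 0
    for seed in seeds:
        v = (v << 1) | prf_bit(seed, x)
    return v


def H(v):
    """Output hash H : {0,1}^l -> {0,1}^v, here SHA-256 truncated to 128 bits."""
    return hashlib.sha256(v.to_bytes(16, "big")).digest()[:16]


def spot_low(X, Y):
    """Simulate spot-low between Alice (input X) and Bob (input Y); returns Bob's output."""
    # Base OTs: Alice picks s; Bob holds seeds tbar_i, ubar_i; Alice gets the s_i-selected one.
    s_bits = [secrets.randbelow(2) for _ in range(ELL)]
    s = int("".join(map(str, s_bits)), 2)                      # same bit order as row()
    tbar = [secrets.token_bytes(SEED_BYTES) for _ in range(ELL)]
    ubar = [secrets.token_bytes(SEED_BYTES) for _ in range(ELL)]
    qbar = [ubar[i] if s_bits[i] else tbar[i] for i in range(ELL)]

    # Bob: R(y) = T(y) xor U(y); P interpolates {(y, R(y))}; its coefficients go to Alice.
    P = interpolate([(y, row(tbar, y) ^ row(ubar, y)) for y in Y])

    # Alice: O = { H(Q(x) xor s.P(x)) } over her inputs; O goes to Bob.
    O = {H(row(qbar, x) ^ (s & evaluate(P, x))) for x in X}

    # Bob: y is in the intersection iff H(T(y)) appears in O.
    return {y for y in Y if H(row(tbar, y)) in O}
```

`spot_low({3, 7, 19}, {7, 19, 23})` returns `{7, 19}`; the polynomial Bob sends has $n_2$ coefficients of $\ell$ bits, and Alice answers with $n_1$ hashes, which is the communication pattern the slide refers to.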

SLIDE 15

Improving Speed

◮ In practice, interpolating a high-degree (e.g. degree $2^{20}$) polynomial over a large field $\mathbb{F}$ is not so efficient.
◮ This paper proposes a solution based on 2-choice hashing, which generalizes cuckoo hashing: each item has two candidate bins, and a bin may hold several items.

SLIDE 16

Some Results on 2-choice Hashing

Theorem ([CRS03])

Let $h_1, h_2 : \{0,1\}^* \to [m]$ be two random functions. Suppose there are $n$ items and $m$ bins, where each item $x$ can be placed in either bin $h_1(x)$ or bin $h_2(x)$. Let $L = \lceil n/m \rceil$. If $n = \Omega(m \log m)$, then with high probability there exists an optimal assignment, in which each bin contains no more than $L$ items.

Theorem ([SEK00])

Let $n, m, h_1, h_2$ be as above, with $L = \lceil n/m \rceil$. There is a deterministic algorithm running in time $O(n \log n)$ that assigns at most $L + 1$ items to each bin, with probability $1 - O(1/m)^L$ over the choice of $h_1, h_2$.

SLIDE 17

2-choice hashing

In practice, this work uses a heuristic algorithm to find an assignment of the items:

FindAssignment($X, m, h_1, h_2$)
1. for $x \in X$ do
2.     assign item $x$ to bin $h_1(x)$
3. for $x \in X$ do
4.     move item $x$ to whichever of $h_1(x), h_2(x)$ currently has the fewest items
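An added implementation of FindAssignment (example code written for this page, not the paper's). The hash functions $h_1, h_2$ are derived from SHA-256 and ties are broken towards $h_1$; both are assumptions of this example. It also records, for every item, which of the two hash functions placed it, since spot-fast (next slide) encodes that choice into the PRF input $y \| b$.

```python
import hashlib


def h(b, x, m):
    """h_b : {0,1}^* -> [m] for b in {1, 2}, derived from SHA-256 (assumption)."""
    digest = hashlib.sha256(bytes([b]) + str(x).encode()).digest()
    return int.from_bytes(digest[:8], "big") % m


def first_pass(items, m):
    """Steps 1-2 of FindAssignment: every item goes to bin h_1(x)."""
    bins = [set() for _ in range(m)]
    choice = {}
    for x in items:
        bins[h(1, x, m)].add(x)
        choice[x] = 1
    return bins, choice


def find_assignment(items, m):
    """FindAssignment(X, m, h1, h2) from slide 17.  Returns (bins, choice), where
    bins[i] is the set of items in bin i and choice[x] in {1, 2} says which of
    h_1, h_2 placed x, i.e. x is in bins[h(choice[x], x, m)]."""
    bins, choice = first_pass(items, m)
    for x in items:                                        # steps 3-4
        bins[h(choice[x], x, m)].discard(x)                # take x out of its bin ...
        b1, b2 = h(1, x, m), h(2, x, m)
        b = 1 if len(bins[b1]) <= len(bins[b2]) else 2     # ... and re-place it in the emptier candidate
        bins[h(b, x, m)].add(x)
        choice[x] = b
    return bins, choice


def max_load(bins):
    """Largest bin size; spot-fast budgets ceil(n/m) + 1 for it."""
    return max(len(bucket) for bucket in bins)
```

Because an item is taken out of its bin before the two loads are compared, a move never raises the maximum load, so the second pass can only improve on the first. The heuristic carries no guarantee of the $L + 1$ bound of [SEK00], however, so an implementation has to compare `max_load` with the $\lceil n/m \rceil + 1$ it budgeted for before sizing the polynomials.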

SLIDE 18

Computation-Optimized: spot-fast

The computation-optimized scheme lets Bob hash his input into $m$ bins, each holding at most $\lceil n_2/m \rceil + 1$ items, and interpolate one low-degree polynomial per bin. The polynomials then carry $m(\lceil n_2/m \rceil + 1)$ coefficients instead of $n_2$, so Bob's communication grows by a factor of at most about $1 + m/n_2$.

Protocol spot-fast:
1. Base OTs and the PRF-defined rows $Q(\cdot), T(\cdot), U(\cdot)$ and $R(\cdot) = T(\cdot) \oplus U(\cdot)$ as on slide 13, now evaluated on encoded inputs $y \| b$ with $b \in \{1, 2\}$ recording which hash function placed the item.
2. Bob assigns $y \in Y$ to bins $B_1, \ldots, B_m$ using FindAssignment($Y, m, h_1, h_2$); write $y \| b \in B_i$ when $y$ was placed in $B_i = B_{h_b(y)}$ by $h_b$.
3. For each bin $i \in [m]$, Bob interpolates the polynomial $P_i$ of degree $\lceil n_2/m \rceil$ through $\{(y \| b, R(y \| b))\}_{y \| b \in B_i}$ and sends $P_1, \ldots, P_m$ to Alice.
4. Alice computes, for $b \in \{1, 2\}$,
$$O_b = \{ H(Q(x \| b) \oplus s \cdot P_{h_b(x)}(x \| b)) \}_{x \in X}$$
and sends $O_1, O_2$ to Bob.
5. Bob outputs $\{ y \in Y \mid y \in B_{h_b(y)} \wedge H(T(y \| b)) \in O_b \}$, where $b$ is the hash function that placed $y$.

Correctness: as on slide 13, $Q(x \| b) \oplus s \cdot P_{h_b(x)}(x \| b) = T(x \| b) \oplus s \cdot (R(x \| b) \oplus P_{h_b(x)}(x \| b))$, which equals $T(x \| b)$ exactly when $x \| b$ is one of the points interpolated by $P_{h_b(x)}$, i.e. when Bob placed $x$ in bin $h_b(x)$ using $h_b$.


SLIDE 20

Security

Security of the PSI relies on the security of the hash function $H$ and of the PRF $F$. $H$ is assumed to be $d$-Hamming correlation robust in the sense of slide 6; the proof for a corrupted Bob applies that definition with $d = \kappa$ to the inputs $T(x) \oplus s \cdot (P(x) \oplus R(x))$, $x \in X \setminus Y$, where $P(x) \oplus R(x)$ plays the role of $b_i$.

SLIDE 21

Semi-Honest Simulation

For the sake of succinctness only the security of the spot-low version is presented here. First we present the simulators, then we prove indistinguishability.

Simulator for corrupted Alice
1. Choose $q_i^* \xleftarrow{\$} \{0,1\}^\kappa$ for $i \in [\ell]$ and give them to Alice as her ROT outputs (ROT simulation).
2. Choose a uniformly random degree-$(n_2 - 1)$ polynomial $P^*$ over $\mathbb{F}$ and send it to Alice.

Simulator for corrupted Bob (given $Y$ and the output $X \cap Y$)
1. Choose $t_i^*, u_i^* \xleftarrow{\$} \{0,1\}^\kappa$ for $i \in [\ell]$ and give them to Bob as his ROT outputs (ROT simulation).
2. Let $O^* = \{ H(T^*(y)) \mid y \in X \cap Y \} \cup \{ r_i \xleftarrow{\$} \{0,1\}^v \mid i \in [n_1 - |X \cap Y|] \}$, where $T^*(y)$ is computed from the seeds $t_i^*$, and send $O^*$ to Bob.

SLIDE 22

Semi-Honest Simulation

Consider the following hybrids for a corrupted (semi-honest) Alice:
◮ Hybrid 1: real execution.
◮ Hybrid 2: for each $i$, if $s_i = 0$ replace $F(\bar u_i, \cdot)$ with a random function, and if $s_i = 1$ replace $F(\bar t_i, \cdot)$ with a random function. Alice never holds that seed, so this is indistinguishable by PRF security; now $R(y) = T(y) \oplus U(y)$ is uniformly random at every point, and the interpolated $P$ is a uniformly random degree-$(n_2 - 1)$ polynomial.
◮ Hybrid 3: simulated execution, which is distributed identically to Hybrid 2.

SLIDE 23

Choosing Parameters for Hamming Distance I

Before proving security for a corrupted Bob, we first show that with appropriate parameters $P(x) \oplus R(x)$ has Hamming weight $\ge \kappa$ for every $x \in X \setminus Y$.

Definition (Bad Polynomial)

Let $\mathrm{BadPoly}^R_{\mathbb{F}}(X, Y)$ be the following procedure:
1. $P = \mathrm{Interp}_{\mathbb{F}}(\{(y, R(y)) \mid y \in Y\})$
2. Output 1 iff $\exists x \in X \setminus Y$ such that $d_H(P(x), R(x)) < \kappa$.

SLIDE 24

Choosing Parameters for Hamming Distance II

Hamming Distance Bound. The probability that the polynomial interpolated over the points in $Y$ also passes "too close" to another point in $X$ is bounded by $\frac{n_1}{|\mathbb{F}|} \sum_{i < \kappa} \binom{\log|\mathbb{F}|}{i}$. Formally, for all $X, Y$ with $|X| = n_1$,
$$\Pr\left[\mathrm{BadPoly}^R_{\mathbb{F}}(X, Y) = 1\right] \le \frac{n_1}{|\mathbb{F}|} \sum_{i < \kappa} \binom{\log|\mathbb{F}|}{i},$$
where the probability is over the choice of the random function $R : \mathbb{F} \to \mathbb{F}$. (For $x \notin Y$, $R(x)$ is independent of $P$, so the chance that it lands within Hamming distance $\kappa - 1$ of $P(x)$ is the number of such strings divided by $|\mathbb{F}|$; a union bound over the $n_1$ elements of $X$ gives the claim.)

Choose the parameters of $\mathbb{F}$, i.e. $\ell = \log|\mathbb{F}|$, so that $\Pr[\mathrm{BadPoly}^R_{\mathbb{F}}(X, Y) = 1] < 2^{-\lambda}$.
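An added helper that evaluates the bound above exactly (big-integer arithmetic, no floating point) and searches for the smallest field size $\ell = \log|\mathbb{F}|$ that pushes it below $2^{-\lambda}$. This is example code written for this page, not from the paper; it assumes a binary field, $|\mathbb{F}| = 2^\ell$.

```python
from math import comb


def bad_poly_bound(n1, l, kappa):
    """The slide's bound  n1 * sum_{i<kappa} C(l, i) / 2^l  as an exact
    fraction, returned as (numerator, denominator)."""
    return n1 * sum(comb(l, i) for i in range(kappa)), 1 << l


def meets_target(n1, l, kappa, lam):
    """True iff the bound is below 2^-lambda, tested as  num * 2^lam < den  to stay exact."""
    num, den = bad_poly_bound(n1, l, kappa)
    return num * (1 << lam) < den


def min_field_bits(n1, kappa=128, lam=40):
    """Smallest l >= kappa with Pr[BadPoly] < 2^-lambda for a sender set of size n1.
    Starting below kappa is pointless: for l < kappa every string is within
    distance kappa of P(x), so the bound is at least n1."""
    l = kappa
    while not meets_target(n1, l, kappa, lam):
        l += 1
    return l
```

`min_field_bits(2 ** 20)` gives the row width needed for a sender set of $2^{20}$ elements at $\kappa = 128$, $\lambda = 40$; a larger $n_1$ or a smaller $\lambda$ never lowers it, since the bound scales linearly in $n_1$ and in $2^{\lambda}$.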

SLIDE 25

Semi-Honest Simulation

Consider the following hybrids for a corrupted (semi-honest) Bob:
◮ Hybrid 1: real execution.
◮ Hybrid 2: abort when $\exists x \in X \setminus Y$ such that $P(x) \oplus R(x)$ has Hamming weight $< \kappa$, i.e. when $\mathrm{BadPoly}^R_{\mathbb{F}}(X, Y)$ happens; by slide 24 this changes Bob's view with probability $< 2^{-\lambda}$.
◮ Hybrid 3: write $O = O_1 \cup O_2$ with $O_1 = \{H(T(x)) \mid x \in X \cap Y\}$ and $O_2 = \{H(Q(x) \oplus s \cdot P(x)) \mid x \in X \setminus Y\}$, and replace $O_2$ with uniformly random values. Since $Q(x) \oplus s \cdot P(x) = T(x) \oplus s \cdot (P(x) \oplus R(x))$ with $w_H(P(x) \oplus R(x)) \ge \kappa$ and $s$ unknown to Bob, this is indistinguishable by the $\kappa$-Hamming correlation robustness of $H$.
◮ Hybrid 4: continue (instead of aborting) when $\mathrm{BadPoly}$ happens; this is the simulated execution.

SLIDE 26

Malicious Sender Security with RO

If the PRF $F$ is modelled as a non-programmable random oracle, the protocol can be proved secure against a malicious sender. Hybrids for a malicious Alice:
◮ Hybrid 1: real execution.
◮ Hybrid 2: abort if Alice queries $F(\bar t_i, \cdot)$ for an $i$ with $s_i = 1$, or $F(\bar u_i, \cdot)$ for an $i$ with $s_i = 0$, i.e. on a seed she did not receive from the base OTs (this happens only with negligible probability).
◮ Hybrid 3: send Alice a uniformly random degree-$(n_2 - 1)$ polynomial $P$ instead of the interpolated one.
◮ Hybrid 4: extract $\tilde X$ from the set $C$ of Alice's random-oracle queries: $\tilde X$ consists of the $x \in C$ for which Alice evaluated $Q(x) \oplus s \cdot P(x)$ through her queries, and it serves as her effective input.
◮ Hybrid 5: simulated execution.


SLIDE 28

Theoretical Communication Cost

SLIDE 29

Experimental Result

SLIDE 30

Reference I

[IKNP03] Yuval Ishai, Joe Kilian, Kobbi Nissim, and Erez Petrank. Extending oblivious transfers efficiently. In Dan Boneh, editor, Advances in Cryptology – CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 145–161, Santa Barbara, CA, USA, August 17–21, 2003. Springer, Heidelberg, Germany.

[KK13] Vladimir Kolesnikov and Ranjit Kumaresan. Improved OT extension for transferring short secrets. In Ran Canetti and Juan A. Garay, editors, Advances in Cryptology – CRYPTO 2013, Part II, volume 8043 of Lecture Notes in Computer Science, pages 54–70, Santa Barbara, CA, USA, August 18–22, 2013. Springer, Heidelberg, Germany.

SLIDE 31

Reference II

[KKRT16] Vladimir Kolesnikov, Ranjit Kumaresan, Mike Rosulek, and Ni Trieu. Efficient batched oblivious PRF with applications to private set intersection. In Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi, editors, ACM CCS 2016: 23rd Conference on Computer and Communications Security, pages 818–829, Vienna, Austria, October 24–28, 2016. ACM Press.

[PSSZ15] Benny Pinkas, Thomas Schneider, Gil Segev, and Michael Zohner. Phasing: Private set intersection using permutation-based hashing. In Jaeyeon Jung and Thorsten Holz, editors, USENIX Security 2015: 24th USENIX Security Symposium, pages 515–530, Washington, DC, USA, August 12–14, 2015. USENIX Association.

SLIDE 32

Reference III

[SEK00] Peter Sanders, Sebastian Egner, and Jan H. M. Korst. Fast concurrent access to parallel disks. In David B. Shmoys, editor, 11th Annual ACM-SIAM Symposium on Discrete Algorithms, pages 849–858, San Francisco, CA, USA, January 9–11, 2000. ACM-SIAM.

[TLP+17] Sandeep Tamrakar, Jian Liu, Andrew Paverd, Jan-Erik Ekberg, Benny Pinkas, and N. Asokan. The circle game: Scalable private membership test using trusted hardware. In Ramesh Karri, Ozgur Sinanoglu, Ahmad-Reza Sadeghi, and Xun Yi, editors, ASIACCS 17: 12th ACM Symposium on Information, Computer and Communications Security, pages 31–44, Abu Dhabi, United Arab Emirates, April 2–6, 2017. ACM Press.

SLIDE 33

Thank You