SLIDE 1
Two-Client and Multi-client Functional Encryption for Set - - PowerPoint PPT Presentation
Two-Client and Multi-client Functional Encryption for Set - - PowerPoint PPT Presentation
Two-Client and Multi-client Functional Encryption for Set Intersection and Variants Tim van de Kamp David Stritzl Willem Jonker Andreas Peter ACISP 2019 Functional Encryption for Set Operations n evaluate i = 1 S i S 1 S 2 S n
SLIDE 2
SLIDE 3
Privacy-Preserving Information Sharing
S1 S2
Private Set Intersection
computing f(S1, S2) using MPC Computes a set operation using an interactive protocol A participant learns the evaluation result
3
SLIDE 4
Privacy-Preserving Information Sharing
S1 S2
Private Set Intersection
computing f(S1, S2) using MPC Computes a set operation using an interactive protocol A participant learns the evaluation result
3
SLIDE 5
Privacy-Preserving Information Sharing
Functional Encryption for Set Operations
Computes a set operation using a non-interactive scheme A third-party (the evaluator) learns the evaluation result Use cases include privacy-preserving profiling simple data mining
- ne-way data sharing
3
SLIDE 6
Multi-client Non-interactive Set Intersection
Functionality
f(S1, S2, . . . , Sn)
(ID, S1) (ID, S2) (ID, Sn)
S1 S2 · · · Sn
1 2 n
4
SLIDE 7
Multi-client Non-interactive Set Intersection
Functionality
f(S1, S2, . . . , Sn)
(ID, S1) (ID, S2) (ID, Sn)
S1 S2 · · · Sn
1 2 n
FUNCTIONALITIES f
intersection:
- i Si
cardinality:
- i Si
- threshold:
- i Si
- ?
> t ⇒
- i Si
(also “with data transfer”) 4
SLIDE 8
Multi-client Non-interactive Set Intersection
Security Requirements
f(S1, S2, . . . , Sn)
(ID, S1) (ID, S2) (ID, Sn)
S1 S2 · · · Sn
1 2 n
doesn’t learn the individual clients’ sets S1, . . . , Sn
4
SLIDE 9
Multi-client Non-interactive Set Intersection
Security Requirements
f(S1, S2, . . . , Sn)
(ID′, S1) (ID, S2) (ID′, Sn)
S1 S2 · · · Sn
1 2 n
cannot mix-and-match
- ld and new inputs
4
SLIDE 10
Multi-client Non-interactive Set Intersection
Security Requirements
f(S1, S2, . . . , Sn)
(ID, S1) (ID, S2) (ID, Sn)
S1 S2 · · · Sn
1 2 n
collusion between the evaluator and client(s) does not reveal other clients’ inputs
4
SLIDE 11
Construction: Two-Client Set Intersection Cardinality
5
SLIDE 12
Construction: Two-Client Set Intersection Cardinality
|S1 ∩ S2| = |ct1 ∩ ct2|
ct1 ct2
S1 S2
ct1 = { ϕmsk(ID, xj) | xj ∈ S1 } ct2 = { ϕmsk(ID, xj) | xj ∈ S2 }
5
SLIDE 13
Construction: Two-Client Set Intersection
S1 ∩ S2 =
- ϕ−1
kID,j (c) | c ∈ ct1 ∩ ct2
- ct1
ct2
S1 S2
ct1 = ϕkID,j (xj)
- | xj ∈ S1
- ct2 =
ϕkID,j (xj)
- | xj ∈ S2
- kID,j = ϕmsk(ID, xj)
6
SLIDE 14
Construction: Two-Client Set Intersection
S1 ∩ S2 =
- ϕ−1
kID,j (c) | c ∈ ct1 ∩ ct2
- kID,j = kusk1
ID,j · kusk2 ID,j
ct1 ct2
S1 S2
ct1 = kusk1
ID,j , ϕkID,j (xj)
- | xj ∈ S1
- ct2 =
kusk2
ID,j , ϕkID,j (xj)
- | xj ∈ S2
- usk1 + usk2 = 1
kID,j = ϕmsk(ID, xj)
6
SLIDE 15
Construction: Two-Client Set Intersection
S1 ∩ S2 =
- ϕ−1
kID,j (c) | c ∈ ct1 ∩ ct2
- kID,j = kusk1
ID,j · kusk2 ID,j
ct1 ct2
S1 S2
ct1 = kusk1
ID,j , ϕkID,j (xj)
- | xj ∈ S1
- ct2 =
kusk2
ID,j , ϕkID,j (xj)
- | xj ∈ S2
- usk1 + usk2 = 1
kID,j = ϕmsk(ID, xj) Doesn’t have to be xj ∈ S1; can be any associated data
6
SLIDE 16
Intuition: Two-Client Threshold Set Intersection
S1 ∩ S2 =
- ϕ−1
kID,j (c) | c ∈ ct1 ∩ ct2
- kID,j = kusk1
ID,j · kusk2 ID,j
ct1 ct2
S1 S2
ct1 = kusk1
ID,j , ϕkID,j (xj)
- | xj ∈ S1
- ct2 =
kusk2
ID,j , ϕkID,j (xj)
- | xj ∈ S2
- usk1 + usk2 = 1
kID,j = ϕmsk(ID, xj) We also encrypt this value and require at least t secret shares for decryption
7
SLIDE 17
Efficiency of the 2C-FE Constructions
101 102 103 104 105 10−6 10−5 10−4 10−3 10−2 10−1 100 Size of each client’s set Mean evaluation time (seconds) CA 8
SLIDE 18
Efficiency of the 2C-FE Constructions
101 102 103 104 105 10−6 10−5 10−4 10−3 10−2 10−1 100 Size of each client’s set Mean evaluation time (seconds) CA SI 8
SLIDE 19
Efficiency of the 2C-FE Constructions
101 102 103 104 105 10−6 10−5 10−4 10−3 10−2 10−1 100 Size of each client’s set Mean evaluation time (seconds) CA SI Th-CA Th-SI 8
SLIDE 20
Construction: Multi-client Set Intersection Cardinality
count n
i=1 H(ID, xj)uski
?
= 1
ct1 ct2 ctn
S1 S2 · · · Sn
cti =
- H(ID, xj)uski | xj ∈ Si
- n
i=1 uski = 0 9
SLIDE 21
Efficiency of the MC-FE Construction
Theoretical
Polynomial in the number of set elements per client: O
- i |Si|
- Practice
100 200 200 400 Size of each client’s set Mean evaluation time (seconds) CA n = 5 CA n = 3 10
SLIDE 22
Improved Set Intersection Cardinality Scheme
Intuition
1 Compute the set intersection
- i Si “in the encrypted domain”;
2 For some client i′, determine how many set elements ej ∈ Si′ are in the
encrypted set intersection, i.e.,
- ej | ej ∈
n
- i=1
Si, ej ∈ Si′
- .
11
SLIDE 23
Improved Set Intersection Cardinality Scheme
Intuition
1 Compute the set intersection
- i Si “in the encrypted domain”;
2 For some client i′, determine how many set elements ej ∈ Si′ are in the
encrypted set intersection, i.e.,
- ej | ej ∈
n
- i=1
Si, ej ∈ Si′
- .
“Tools”
Bloom filters → to represent sets in a single data structure Homomorphic encryption → to compute in the encrypted domain Functional encryption → to determine whether an element is in a set
11
SLIDE 24
Preliminaries: Bloom filters
Set Intersection
bs[1] bs[2] bs[3] bs[4] bs[5] bs[6] bs[7] bs[8] bs[9]
S1 1 1 1 1 ∩ ∧ S2 1 1 1 = S1 ∩ S2 1 1
12
SLIDE 25
Construction (simplified)
Set Intersection using Secret Sharing
bs[1] bs[2] bs[3] bs[4] bs[5] bs[6] bs[7] bs[8] bs[9]
Enc(S1) r1,1 s1,2 r1,3 s1,4 s1,5 s1,6 r1,7 r1,8 r1,9 + Enc(S2) r2,1 r2,2 r2,3 s2,4 r2,5 s2,6 r2,7 r2,8 s2,9 = Enc(S1 ∩ S2) ˜ r1 ˜ r2 ˜ r3 1 ˜ r5 1 ˜ r7 ˜ r8 ˜ r9
13
SLIDE 26
Construction (simplified)
Set Intersection using Secret Sharing
bs[1] bs[2] bs[3] bs[4] bs[5] bs[6] bs[7] bs[8] bs[9]
Enc(S1) r1,1 s1,2 r1,3 s1,4 s1,5 s1,6 r1,7 r1,8 r1,9 + Enc(S2) r2,1 r2,2 r2,3 s2,4 r2,5 s2,6 r2,7 r2,8 s2,9 = Enc(S1 ∩ S2) ˜ r1 ˜ r2 ˜ r3 1 ˜ r5 1 ˜ r7 ˜ r8 ˜ r9
Encrypt(uski, ID, Si)
H(ID, ℓ)ri,ℓ if bs[ℓ] = 0; H(ID, ℓ)si,ℓ if bs[ℓ] = 1
13
SLIDE 27
Construction (simplified)
Set Intersection using Secret Sharing
bs[1] bs[2] bs[3] bs[4] bs[5] bs[6] bs[7] bs[8] bs[9]
Enc(S1) r1,1 s1,2 r1,3 s1,4 s1,5 s1,6 r1,7 r1,8 r1,9 + Enc(S2) r2,1 r2,2 r2,3 s2,4 r2,5 s2,6 r2,7 r2,8 s2,9 = Enc(S1 ∩ S2) ˜ r1 ˜ r2 ˜ r3 1 ˜ r5 1 ˜ r7 ˜ r8 ˜ r9
Encrypt(uski, ID, Si)
H(ID, ℓ)ri,ℓ if bs[ℓ] = 0; H(ID, ℓ)si,ℓ if bs[ℓ] = 1
Evaluate(ct1, . . . , ctn)
H(ID, ℓ)s0,ℓ · n
i=1 H(ID, ℓ)si,ℓ
- 13
SLIDE 28
Construction (simplified)
Set Intersection using Secret Sharing
bs[1] bs[2] bs[3] bs[4] bs[5] bs[6] bs[7] bs[8] bs[9]
Enc(S1) r1,1 s1,2 r1,3 s1,4 s1,5 s1,6 r1,7 r1,8 r1,9 + Enc(S2) r2,1 r2,2 r2,3 s2,4 r2,5 s2,6 r2,7 r2,8 s2,9 = Enc(S1 ∩ S2) ˜ r1 ˜ r2 ˜ r3 1 ˜ r5 1 ˜ r7 ˜ r8 ˜ r9
Encrypt(uski, ID, Si)
H(ID, ℓ)ri,ℓ if bs[ℓ] = 0; H(ID, ℓ)si,ℓ if bs[ℓ] = 1
Evaluate(ct1, . . . , ctn)
H(ID, ℓ)s0,ℓ · n
i=1 H(ID, ℓ)si,ℓ
- Actual construction is more involved:
element testing uses
- H(ID, ℓ)s0,ℓgt·r
· n
i=1 H(ID, ℓ)si,ℓ
?
= (gr)t′ using Shamir secret sharing instead of additive secret sharing
13
SLIDE 29
Efficiency of the MC-FE Construction
Theoretical
Polynomial in the number of set elements per client: O
- x2
Practice
100 200 200 400 Size of each client’s set Mean evaluation time (seconds) CA n = 5 CA n = 3 14
SLIDE 30
Efficiency of the MC-FE Construction
Theoretical
Polynomial in the number of set elements per client: O
- x2
Practice
100 200 200 400 Size of each client’s set Mean evaluation time (seconds) CA n = 5 CA n = 3 CA-BF n = 5 CA-BF n = 3 14
SLIDE 31
Summary
Non-interactive privacy-preserving information sharing Efficient two-client constructions for various set operations Theoretical constructions for various multi-client set operations
15
SLIDE 32