improved efficiency for private stable matching

Improved Efficiency for Private Stable Matching

Matthew Franklin, Mark Gondree, and Payman MohasselUniversity of California, Davis

02/07/07 - Session Code: CRYP-203

Insert presenter logo here on slide master

Stable Matching

•Stable Matching (Marriage):

•N men, N women, each with their own preference list

•Matching M has an unstable pair (A,B) if:

(A,B’), (A’,B) in M A prefers B over B’ B prefers A over A’

•M is stable if no unstable pairs exist in M

2

A

A1

A’

A2

B’

B1

B

B2

Insert presenter logo here on slide master

Applications

•Assigning Medical students to Hospitals

— In US, Canada, and Scotland

•Assigning students to schools and universities

— In Norway and Singapore

•National Matching Services

Inc.

3

Insert presenter logo here on slide master

Outline

•Introduction

— Stable matching problem

— Gale-Shapley Algorithm

— Privacy Issues

•Contributions

•Open problems

4

Insert presenter logo here on slide master

The Gale-Shapley Algorithm

• Notation:

─ N men :{A1, …, AN}

─ N women: {B1, …, BN}

─ Preference list for man i: Ai[1…N]

─ Preference list for woman i: Bi[1…N]

─ List of free men in round k : Fk

─ List of engaged men in round k: Ek

5

Insert presenter logo here on slide master

Gale-Shapley

• k=1;Fk = {A1, … , AN}

• While Fk is non-empty:

• Randomly select A from Fk

• A proposes to “next” woman B:

(Where he ranks B highest among the women to whom he has never proposed before)

• If B is free then she becomes engaged to A

• If B is engaged to some A’ then

• If B prefers A over A’ then remove A and add A’ to Fk

• Otherwise, Fk stays the same

• Fk+1= Fk; k= k+16

Insert presenter logo here on slide master

Remarks on Gale-Shapley

• Round by Round

─ Matches made and broken every round

─ Man optimal

• Privacy Issues

─ Naïve implementation

─ Matching Authority learns participants’ preference lists

─ Naively distributed computation

─ Traffic pattern: history of matches made and broken

7

Insert presenter logo here on slide master

Setting [Golle, FC06]

•Have multiple (t) Matching Authorities (MAs)

•MAs receive encrypted preference lists

•MAs compute the stable matching

•MAs don’t learn anything

•Participants only learn their own partner

•Assume: passive adversaries

•Security Guaranteed (assuming ≥ 1 honest MA)

8

Insert presenter logo here on slide master

Our Contribution

•Revisit [Golle]

— High Communication complexity

(Partly due to the chosen variant of Gale-Shapely used)

•Design a Private and Efficient Protocol

— Design a new variant of Gale-Shapely

— Tune it for private implementation

— Crypto assumptions comparable to [Golle]

— Lower round and communication complexities

9

Insert presenter logo here on slide master

Our Contributions, Cont’d

Summary of protocols and efficiency:

10

Insert presenter logo here on slide master

Our variant of Gale-Shapley

•Real men: {A1, …, AN}, Fake men: {AN+1, …, A2N}

•Real women: {B1,…,BN}, Fake women:{BN+1,…,B2N}

•Preference lists:

— Real men: ( [actual preference list], [BN+1, . . . ,B2N, in any order] )

— Real women: ( [actual preference list], [AN+1, . . . ,A2N, in any order] )

— Fake women:( [AN+1, . . . ,A2N, in any order],[A1, . . . ,AN, in any order])

— Fake men: ( [BN+2, . . . ,B2N, in any order], BN+1, [B1, . . . ,BN, in any

order] )

11

Insert presenter logo here on slide master

Our Variant, Cont’d

•Initialization:

— F1 = {A1}

— {A2, …, AN} are engaged to {BN+2,…,B2N}, respectively

— {AN+1, …, A2N} are engaged to {B1,…, BN}, respectively

•While Fk is not empty:

— The free man A in Fk proposes to B

(The next woman in his preference list to whom he hasn’t proposed)

— If B is engaged to some man A’

•If B prefers A over A’, let Fk+1= {A’}, and pair A and B

•Otherwise, Fk+1 = Fk 12

Insert presenter logo here on slide master

Our Variant, Cont’d 2

•Claim: Once a fake man proposes to woman BN+1,

we have a stable matching

•Thus, the algorithm’s complexity is O(N2)

•Also, “Tuned for privacy”

— every round k, |Fk| = 1

•We implement a private version

13

Insert presenter logo here on slide master

Protocol

•Bids

— Two types: Free and Engaged

— Set of ciphertexts (constant sized)

— Fk = {Free Bids in round k}

— Ek = {Engaged Bids in round k}

•Preference Lists

— Encrypted, held by an MA (the “Database”)

•Everything encrypted with threshold homomorphic enc.

14

Insert presenter logo here on slide master

Protocol

•For k = 1 to 2N2:

— Select a single free bid from Fk.

— “Open it” to recover the (encrypted) pointers into the database

— Access database to get next fiancée's (encrypted) identity

— Form the engaged bid

— Privately find the conflicting engaged bid (mix, private equality test)

— Mix these two engaged bids

— “Resolve the conflict” to find the winner and loser (private comparison)

— “Break the engagement” for the loser and add him to Fk+1

— Add the winner to Ek

— Mix all the bids

— Let Ek+1 = Ek

15

Insert presenter logo here on slide master

Protocol

•For k = 1 to 2N2:

— Select a single free bid from Fk.

— “Open it” to recover the (encrypted) pointers into the database

— Access database to get next fiancée's (encrypted) identity

— Form the engaged bid

— Privately find the conflicting engaged bid (mix, private equality test)

— Mix these two engaged bids

— “Resolve the conflict” to find the winner and loser (private comparison)

— “Break the engagement” for the loser and add him to Fk+1

— Add the winner to Ek

— Mix all the bids

— Let Ek+1 = Ek

16

Insert presenter logo here on slide master

Protocol

•For k = 1 to 2N2:

— Select a single free bid from Fk.

— “Open it” to recover the (encrypted) pointers into the database

— Access database to get next fiancée's (encrypted) identity

— Form the engaged bid

— Privately find the conflicting engaged bid (mix, private equality test)

— Mix these two engaged bids

— “Resolve the conflict” to find the winner and loser (private comparison)

— “Break the engagement” for the loser and add him to Fk+1

— Add the winner to Ek

— Mix all the bids

— Let Ek+1 = Ek

17

Insert presenter logo here on slide master

Protocol

•For k = 1 to 2N2:

— Select a single free bid from Fk.

— “Open it” to recover the (encrypted) pointers into the database

— Access database to get next fiancée's (encrypted) identity

— Form the engaged bid

— Privately find the conflicting engaged bid (mix, private equality test)

— Mix these two engaged bids

— “Resolve the conflict” to find the winner and loser (private comparison)

— “Break the engagement” for the loser and add him to Fk+1

— Add the winner to Ek

— Mix all the bids

— Let Ek+1 = Ek

18

Insert presenter logo here on slide master

Protocol

•For k = 1 to 2N2:

— Select a single free bid from Fk.

— “Open it” to recover the (encrypted) pointers into the database

— Access database to get next fiancée's (encrypted) identity

— Form the engaged bid

— Privately find the conflicting engaged bid (mix, private equality test)

— Mix these two engaged bids

— “Resolve the conflict” to find the winner and loser (private comparison)

— “Break the engagement” for the loser and add him to Fk+1

— Add the winner to Ek

— Mix all the bids

— Let Ek+1 = Ek

19

Insert presenter logo here on slide master

Accessing the database

•Database D, an array of n=(2N)2 ciphertexts

•Given E(i), we want to recover element D[i]

•Our subprotocol:

— Modification of an efficient (1-out-of-n) OT protocol

— MAs process E(i) into queries of the protocol

— MAs process database’s reply to recover D[i], a ciphertext

•Our construction

— Uses Stern’s OT (1 round, polylog CC)

— Again, using threshold homomorphic encryption

20

Insert presenter logo here on slide master

A protocol for 2 MAs

•A more efficient protocol for 2-MA case

•Private Table Look Ups (LUT) [NN01]

(For two-party computation)

•Private Computation of Turing Machines with a RAM

— Circuits equipped with Private LUT

•Our algorithm can be presented as a TM with RAM

•Implement privately using [NN01]

•Extending to multiparty

— Not completely distributed

21

Insert presenter logo here on slide master

New Developments

•Extending [NN01] to multiparty

— Automatically leads to more efficient private stable matching

— Leads to nearly optimal communication

22

Insert presenter logo here on slide master

Thank you!! Questions?

Insert presenter logo here on slide master

Insert presenter logo here on slide master

Golle’s approach

•Golle’s variant of Gale-Shapley:

•N real men: {A1,…, AN}, N real women:{B1,…,BN}

•N fake men: {AN+1,…,A2N}

•Arbitrary preference lists for fake men

•Each woman ranks fake men lower than real ones

•Initialization

— All real men are free

— All fake men are engaged (in an arbitrary way)

Insert presenter logo here on slide master

Golle’s Approach Cont’d

•For K = 1 to n:

— While FK is non-empty:

•Randomly select A from Fk

• A proposes to woman B:• The woman he ranks highest among the women to whom he has never

proposed before

• B is always engaged to some woman A’:

• If B prefers A over A’; Remove A from FK, add A’ to Fk+1

• Otherwise, add A to Fk+1

• Number of free men always N: |FK| = N for all 1≤ K ≤ N

Insert presenter logo here on slide master

Shortcomings

•Golle implements this variant privately

— Re-encryption mix-networks

— Threshold homomorphic cryptosystems (Paillier encryption)

•Inefficiencies:

— Golle’s variant needs O(N2) rounds to reach a stable matching

•Complexity of algorithm increases by a factor of N

— Another factor N increase

•size of ciphertext used in Mix-network: O(N) not constant!