private set intersection: are garbled circuits better than custom protocols? yan huang, david evans,...
TRANSCRIPT
![Page 1: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/1.jpg)
Private Set Intersection:
Are Garbled Circuits Better than Custom Protocols?
Yan Huang, David Evans, Jonathan KatzUniversity of Virginia, University of Maryland
www.MightBeEvil.org
![Page 2: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/2.jpg)
Motivation --- Common Acquaintances
http://www.mightbeevil.com/mobile/
![Page 3: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/3.jpg)
EUROCRYPT 2004
CRYPTO 2005TCC 2008
Financial Crypto 2010
![Page 4: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/4.jpg)
Custom Protocols Generic Protocols
e.g., Garbled Circuit
Protocols
Cannot be easily composed with other secure computations
Designed around specific crypto assumptions and primitives
New Design and security proofs need to be done for
every individual scheme.
Uses generic and flexible cryptographic primitives
Can securely compute arbitrary function
Security proofs automatically derived
from the generic proof.
![Page 5: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/5.jpg)
Garbled Circuits & Oblivious Transfers
Y. Huang, D. Evans, J. Katz, L. Malka, Faster Secure Computation Using Garbled Circuits, USENIX Security 2011.
And Gate 1
Enca10,
b11(x10)
Enca11,b11(x1
1)
Enca11,b10(x1
0)
Enca10,b10(x1
0)
Or Gate 2
Encx00,
x11(x21)
Encx01,x11(x21
)
Encx01,x10(x21
)
Encx00,x10(x20
)
AND
a0 b0
x0
AND
a1 b1
x1
OR
x2
…Andrew Yao, 1982/1986
Alice Bob
Oblivious Transfer Protocol
Rabin, 1981; Even, Goldreich, and Lempel, 1985; Naor and Pinkas 2001, Ishai et al., 2003
Free-XOR technique, Kolesnikov and Shneider, 2008
![Page 6: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/6.jpg)
Threat Model
Semi-Honest Adversary: follows the protocol as specified, but tries to learn more from the protocol execution transcript
![Page 7: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/7.jpg)
Generic PSI Protocols Overview
– the number of bits used to denote a set element – the size of the sets
Protocols Cost in non-XOR gates
Best for
Bitwise-AND (BWA) Small element space
Pairwise-Comparison (PWC)
Sort-Compare-Shuffle-WN (SCS-WN) Large element space
![Page 8: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/8.jpg)
Generic PSI Protocols Overview
– the number of bits used to denote a set element – the size of the sets
Protocols Cost in non-XOR gates
Best for
Bitwise-AND (BWA) Small element space
Pairwise-Comparison (PWC)
Sort-Compare-Shuffle-WN (SCS-WN) Large element space
![Page 9: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/9.jpg)
PSI: Needn’t be Complex
[ 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0] [ 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0]
ANDANDAND . . .Bitwise-AND
. . .
Encode set elements as bit vectors
Recessive genes: { 5283423, 1425236, 839523, … }
Recessive genes: { 5823527, 839523, 169325, … }
[ PAH, PKU, CF, … ]
![Page 10: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/10.jpg)
BWA Performance
8 9 10 11 12 13 14 15 160
0.5
1
1.5
2
2.5
3
OT Circuit
σ
Tim
e (s
econ
ds)
What if the element space is large?
![Page 11: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/11.jpg)
Sort
-Com
pare
-Shu
ffle Sort: Take
advantage of total order of elements
Compare adjacent elements
Shuffle to hide positions
![Page 12: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/12.jpg)
Sort
-Com
pare
-Shu
ffle Sort: Take
advantage of total order of elements
Compare adjacent elements
Shuffle to hide positions
![Page 13: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/13.jpg)
Bito
nic
Sorti
ng1
4
9
7
5
4
3
2
1
5
4
4
3
9
2
7
1
3
2
4
5
9
4
7
1
2
3
4
4
5
7
9
1
2
3
4
4
5
7
9
Sorting Networks and their Applications, Ken Batcher, 1968
![Page 14: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/14.jpg)
CMPFilter
CMPFilter
CMPFilter …
![Page 15: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/15.jpg)
CMP3Filter
CMP3Filter
CMP3Filter
![Page 16: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/16.jpg)
Can’t reveal results yet! Position leaks information.
![Page 17: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/17.jpg)
Journal of the ACM, January 1968
![Page 18: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/18.jpg)
Waksman Network
Same circuit can generate any permutation: select a random permutation, and pick swaps
gates( log 1)
3
n n n
![Page 19: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/19.jpg)
FreeGates to generate and evaluate
Private Set Intersection Protocol
( log 1)
3
n n n
– the number of bits used to denote a set element – the size of the sets
![Page 20: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/20.jpg)
SCS-WN Protocol Results
32-bit values
1
10
100Theoretical Projection
Experimental Observation
Set Size (each set)
Seco
nds
( log 1)[2 log(2 ) (3 1)( 1) (2 1) ]
3
n n nn n n rate
![Page 21: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/21.jpg)
ultra-short short medium long ultra-long0
200
400
600
800
1000
1200
1400
1600
1800
2000
10.9 62.4126.0
369.0
1972.0
51.5 57.1 61.5 97.3 122.710.5 11.8 12.4 18.6 22.7
[DT10] One-more-DL-basedSCS-WN (σ=160)SCS-WN (σ=32)
Tim
e (s
econ
ds)
Relating Performance to Security
(1024, 160) (2048, 224) (3072, 256) (7680, 384) (15360, 512)
80 112 128 192 256
DL Key-sizes:
Symmetric:
![Page 22: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/22.jpg)
Generic protocols offer many advantagesComposabilityFlexibility on hardness assumptionsDesign costPerformance
Conclusion
![Page 23: Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of](https://reader034.vdocument.in/reader034/viewer/2022052603/56649c755503460f94928d2c/html5/thumbnails/23.jpg)
Q & A?