p rivate s et i ntersection: are garbled circuits better than custom protocols?
DESCRIPTION
P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?. Yan Huang, David Evans, Jonathan Katz University of Virginia, University of Maryland. www.MightBeEvil.org. Motivation --- Common Acquaintances. http://www.mightbeevil.com/mobile/. Financial Crypto 2010. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/1.jpg)
Private Set Intersection:
Are Garbled Circuits Better than Custom Protocols?
Yan Huang, David Evans, Jonathan KatzUniversity of Virginia, University of Maryland
www.MightBeEvil.org
![Page 2: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/2.jpg)
Motivation --- Common Acquaintances
http://www.mightbeevil.com/mobile/
![Page 3: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/3.jpg)
EUROCRYPT 2004
CRYPTO 2005TCC 2008
Financial Crypto 2010
![Page 4: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/4.jpg)
Custom Protocols Generic Protocols
e.g., Garbled Circuit
Protocols
Cannot be easily composed with other secure computations
Designed around specific crypto assumptions and primitives
New Design and security proofs need to be done for
every individual scheme.
Uses generic and flexible cryptographic primitives
Can securely compute arbitrary function
Security proofs automatically derived
from the generic proof.
![Page 5: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/5.jpg)
Garbled Circuits & Oblivious Transfers
Y. Huang, D. Evans, J. Katz, L. Malka, Faster Secure Computation Using Garbled Circuits, USENIX Security 2011.
And Gate 1
Enca10,
b11(x10)
Enca11,b11(x11)
Enca11,b10(x10)
Enca10,b10(x10)
Or Gate 2
Encx00,
x11(x21)
Encx01,x11(x21
)
Encx01,x10(x21
)Encx00,x10(x20
)
AND
a0 b0
x0
AND
a1 b1
x1
OR
x2
…Andrew Yao, 1982/1986
Alice Bob
Oblivious Transfer Protocol
Rabin, 1981; Even, Goldreich, and Lempel, 1985; Naor and Pinkas 2001, Ishai et al., 2003
Free-XOR technique, Kolesnikov and Shneider, 2008
![Page 6: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/6.jpg)
Threat Model
Semi-Honest Adversary: follows the protocol as specified, but tries to learn more from the protocol execution transcript
![Page 7: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/7.jpg)
Generic PSI Protocols Overview
– the number of bits used to denote a set element – the size of the sets
Protocols Cost in non-XOR gates
Best for
Bitwise-AND (BWA) Small element space
Pairwise-Comparison (PWC)
Sort-Compare-Shuffle-WN (SCS-WN) Large element space
![Page 8: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/8.jpg)
Generic PSI Protocols Overview
– the number of bits used to denote a set element – the size of the sets
Protocols Cost in non-XOR gates
Best for
Bitwise-AND (BWA) Small element space
Pairwise-Comparison (PWC)
Sort-Compare-Shuffle-WN (SCS-WN) Large element space
![Page 9: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/9.jpg)
PSI: Needn’t be Complex
[ 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0] [ 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0]
ANDANDAND . . . Bitwise-AND
. . .
Encode set elements as bit vectors
Recessive genes: { 5283423, 1425236, 839523, … }
Recessive genes: { 5823527, 839523, 169325, … }
[ PAH, PKU, CF, … ]
![Page 10: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/10.jpg)
BWA Performance
8 9 10 11 12 13 14 15 160
0.5
1
1.5
2
2.5
3
OT Circuit
σ
Tim
e (s
econ
ds)
What if the element space is large?
![Page 11: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/11.jpg)
Sort
-Com
pare
-Shu
ffle Sort: Take
advantage of total order of elements
Compare adjacent elements
Shuffle to hide positions
![Page 12: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/12.jpg)
Sort
-Com
pare
-Shu
ffle Sort: Take
advantage of total order of elements
Compare adjacent elements
Shuffle to hide positions
![Page 13: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/13.jpg)
Bito
nic
Sorti
ng1
4
9
7
5
4
3
2
1
5
4
4
3
9
2
7
1
3
2
4
5
9
4
7
1
2
3
4
4
5
7
9
1
2
3
4
4
5
7
9
Sorting Networks and their Applications, Ken Batcher, 1968
![Page 14: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/14.jpg)
CMPFilter
CMPFilter
CMPFilter …
![Page 15: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/15.jpg)
CMP3Filter
CMP3Filter
CMP3Filter
![Page 16: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/16.jpg)
Can’t reveal results yet! Position leaks information.
![Page 17: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/17.jpg)
Journal of the ACM, January 1968
![Page 18: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/18.jpg)
Waksman Network
Same circuit can generate any permutation: select a random permutation, and pick swaps
gates( log 1)
3n n n
![Page 19: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/19.jpg)
FreeGates to generate and evaluate
Private Set Intersection Protocol
( log 1)3
n n n
– the number of bits used to denote a set element – the size of the sets
![Page 20: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/20.jpg)
SCS-WN Protocol Results
32-bit values
1
10
100Theoretical Projection
Experimental Observation
Set Size (each set)
Seco
nds
( log 1)[2 log(2 ) (3 1)( 1) (2 1) ]3
n n nn n n rate
![Page 21: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/21.jpg)
ultra-short short medium long ultra-long0
200
400
600
800
1000
1200
1400
1600
1800
2000
10.9 62.4126.0
369.0
1972.0
51.5 57.1 61.5 97.3 122.710.5 11.8 12.4 18.6 22.7
[DT10] One-more-DL-basedSCS-WN (σ=160)SCS-WN (σ=32)
Tim
e (s
econ
ds)
Relating Performance to Security
(1024, 160) (2048, 224) (3072, 256) (7680, 384) (15360, 512)
80 112 128 192 256
DL Key-sizes:
Symmetric:
![Page 22: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/22.jpg)
Generic protocols offer many advantagesComposabilityFlexibility on hardness assumptionsDesign costPerformance
Conclusion
![Page 23: P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?](https://reader035.vdocuments.mx/reader035/viewer/2022062323/568163f0550346895dd56d10/html5/thumbnails/23.jpg)
Q & A?