1 / 23

P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?

P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?. Yan Huang, David Evans, Jonathan Katz University of Virginia, University of Maryland. www.MightBeEvil.org. Motivation --- Common Acquaintances. http://www.mightbeevil.com/mobile/. Financial Crypto 2010.

siran
Download Presentation

P rivate S et I ntersection: Are Garbled Circuits Better than Custom Protocols?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Private Set Intersection:Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of Maryland www.MightBeEvil.org

  2. Motivation --- Common Acquaintances http://www.mightbeevil.com/mobile/

  3. Financial Crypto 2010 EUROCRYPT 2004 TCC 2008 CRYPTO 2005

  4. Generic Protocols Custom Protocols Designed around specific cryptoassumptions and primitives Uses generic and flexible cryptographic primitives Cannot be easily composedwith other secure computations Can securely compute arbitrary function New Designand security proofsneed to be done for every individual scheme. Security proofs automatically derived from the generic proof. e.g., Garbled Circuit Protocols

  5. Garbled Circuits & Oblivious Transfers a1 Alice a0 b1 Bob b0 Y. Huang, D. Evans, J. Katz, L. Malka, Faster Secure Computation Using Garbled Circuits, USENIX Security 2011. Oblivious Transfer Protocol AND AND x1 x0 OR Andrew Yao, 1982/1986 x2 Free-XOR technique, Kolesnikov and Shneider, 2008 … Rabin, 1981; Even, Goldreich, and Lempel, 1985; Naorand Pinkas 2001, Ishai et al., 2003

  6. Threat Model Semi-Honest Adversary: follows the protocol as specified, but tries to learn more from the protocol execution transcript

  7. Generic PSI Protocols Overview – the number of bits used to denote a set element – the size of the sets

  8. Generic PSI Protocols Overview – the number of bits used to denote a set element – the size of the sets

  9. PSI: Needn’t be Complex Recessive genes: { 5283423, 1425236, 839523, … } Recessive genes: { 5823527, 839523, 169325, … } Encode set elements as bit vectors [ PAH, PKU, CF, … ] [ 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0] [ 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0] . . . AND AND AND . . . Bitwise-AND

  10. BWA Performance What if the element space is large?

  11. Sort-Compare-Shuffle Sort: Take advantage of total order of elements Compare adjacent elements Shuffle to hide positions

  12. Sort-Compare-Shuffle Sort: Take advantage of total order of elements Compare adjacent elements Shuffle to hide positions

  13. Bitonic Sorting 1 1 1 1 1 2 2 4 2 4 3 3 3 3 9 4 4 2 4 7 5 4 5 4 5 4 5 4 5 4 7 9 9 7 3 7 9 7 9 2 Sorting Networks and their Applications, Ken Batcher, 1968

  14. CMP Filter CMP Filter CMP Filter

  15. CMP3 Filter CMP3 Filter CMP3 Filter

  16. Can’t reveal results yet! Position leaks information.

  17. Journal of the ACM, January 1968

  18. Waksman Network Same circuit can generate any permutation: select a random permutation, and pick swaps gates

  19. Private Set Intersection Protocol Gates to generate and evaluate Free – the number of bits used to denote a set element – the size of the sets

  20. SCS-WN Protocol Results 32-bit values

  21. Relating Performance to Security DL Key-sizes: (1024, 160) (2048, 224) (3072, 256) (7680, 384) (15360, 512) Symmetric: 80 112 128 192 256

  22. Conclusion Generic protocols offer many advantages Composability Flexibility on hardness assumptions Design cost Performance

  23. Q & A?

More Related