Policy-Enhanced Private Set Intersection: Sharing Information While Enforcing Privacy Policies
UC Berkeley
http://www.emilstefanov.net/Research/

Private Set Intersection (PSI)
• Alice has a set of elements.
• Bob has a set of elements.
• Goal:
  • Reveal elements that are in both sets.
  • Hide all other elements.
[Figure: Alice’s set and Bob’s set; the overlap is labelled "Revealed"]
[CKT10], [CT10], [DMR09], [FIP05], [HL08], [HN10], [JL09], [JL10], [LS05], …

Alternative Approaches
• Trusted third party
  • Trivial solution
  • Does not always exist.
  • Who can both parties trust?
• Generic SMC (e.g., garbled circuits)
  • Less efficient in most scenarios
• Homomorphic encryption
  • Not practical

Applications
• Healthcare
  • Common patients
  • Common symptoms
• Social Networks
  • Common friends
  • Common group memberships
• Distributed databases
  • JOIN operations
• Many more
  • Set intersection is a fundamental operation

The Problem with PSI
• No restriction on sets.
• Either party can insert fictitious elements.
• Can be used to violate privacy.

Known-Element Attack
• Bob wants to learn if Alice has .
• Bob inserts into his own set
• They perform a private set intersection.
• is in result Bob learns that Alice has .
[Figure: Alice’s set and Bob’s set]

Our Contributions
• Technique to authenticate elements
• Rich privacy policies
• Multiple authorities
• Can be used to extend any private set intersection protocol.

PPSI Problem Definition (single authority, symmetric)
• Alice’s input:
• Bob’s input:
• Signature verification:
• Define valid sets:
• Output:

Known-Element Attack not Possible
• Bob wants to learn if Alice has .
• Bob inserts into his own set (with invalid signature)
• They perform PPSI
• PPSI removes from result (Bob has an invalid signature)
• Bob cannot learn if Alice has .
[Figure: Alice’s set and Bob’s set]

PPSI Problem Definition (multiple authorities, symmetric)
• Alice:
• Bob:
• Privacy policy (known to both Alice and Bob)
• Signer (authority) depends on the element
  • Authority for element :
• Signature verification:
  • Verifies against public key of
• Multiple signatures/authorities per element
  • , can be sets
  • can be a Boolean expression (DNF).

PPSI Problem Definition (multiple authorities, asymmetric)
• Alice:
• Bob:
• Authorities depend on the element and party
  • Authority for element and Alice:
  • Authority for element and Bob:
• Alice and Bob both know and

Additional Goals
• Signatures must be bound to a party
  • : Alice is allowed to have in her set.
  • Non-transferable is useless to Bob
• Require interaction
  • Bob must not be able to later re-run the protocol with a different set (without Alice’s cooperation).
• Efficient. Complexity…
  • … depends on:
    • Set size
    • Authorities per element
  • … independent of:
    • Element universe
    • Authority universe

Intersect then verify?
• After intersecting, Bob already learns .
• Verifying afterwards ensures integrity...
• … but not confidentiality (already revealed )
[Figure: Alice’s set and Bob’s set]

Verify then intersect?
• E.g., using commitments and zero-knowledge proofs.
• Problem: which authorities to verify elements against?
• Complexity is linear with size of authority universe!
[Figure: Alice’s set and Bob’s set]

Challenge
• Can’t intersect then verify.
• Can’t verify then intersect.
• So what do we do?
• Must simultaneously intersect and verify.
• But how?

Intersect signatures using PSI?
• Both parties must have identical signatures
• Not possible to bind signatures to parties
  • for Alice and for Bob.
• Does not work for asymmetric policies.

Key technique: encode each element then intersect encodings
Main Property of Encodings
• Alice’s encoding of should match Bob’s encoding
  • if and only if the policy is satisfied
  • even though the signatures are different
  • even though the authorities might be different
• Secret keys of two authorities:
• Alice has Bob has
• Property:

PPSI Protocol
[Diagram: message flow between Alice and Bob]
• Exchange Challenges (RA, RB)
• Generate Encodings (Alice and Bob each)
• Regular Private Set Intersection Protocol Over Encodings
• Recover from result (Alice and Bob each)
• Done

Encoding Challenge
• Need:
• Encoding is a function of both and
  • Alice doesn’t know
  • Bob doesn’t know
• So how can they generate the same encoding for ?
• Answer:
  • Specially chosen signature scheme: BLS signatures
  • Challenge phase
  • Our special encodings

Signatures
• We use standard BLS signatures.
• In a group of prime order
• With bilinear map:
• Generators:
• Signature key of an authority
• Verification key of the authority
• Authority’s signature to Alice for element :

Challenge Phase
• Alice generates random:
• Bob generates random:
• Alice sends to Bob
• Bob sends to Alice
• Note that:
  • Only Alice knows
  • Only Bob knows

Special Encodings
• Alice’s encoding of to match Bob’s encoding of :
• Bob’s encoding of to match Alice’s encoding of :
[Figure annotations: Alice knows signature; Bob knows signature; Alice knows ; Bob knows ; encodings match]

Encodings for More Complex Policies
• Suppose that
• Signing key for is
• Alice’s encoding for :
• Bob’s encoding for :

Summary
[Diagram: message flow between Alice and Bob]
• Exchange Challenges (RA, RB)
• Generate Encodings (Alice and Bob each)
• Regular Private Set Intersection Protocol Over Encodings
• Recover from result (Alice and Bob each)
• Done

Extensions
• Attributes
• Bundles
  • Merge encodings of all elements in bundle.
• Disjunctions and DNF’s
  • One encoding per conjunctive clause of the DNF.

Security
• Assumptions:
  • CBDH, random oracle, underlying PSI security
• Proof technique:
  • Define ideal world: A third party is doing the intersection and verifying the signatures.
  • Computationally indistinguishable from ideal world.
• Secure against malicious adversaries.

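The ideal world named above (a third party that verifies the signatures and then intersects), written out as an added example; it is not code from the slides or from the authors. HMAC-SHA256 stands in for the BLS signatures, and the authority names, keys and sets are constructed; the block shows the output the real protocol must match (known-element attack, party-bound signatures, a conjunctive policy), not the pairing-based encodings.

```python
import hashlib
import hmac

def sign(auth_key, party, element):
    """Authority's statement that `party` may hold `element`.
    HMAC-SHA256 is a stand-in for the BLS signature (assumption)."""
    msg = party.encode() + b"\x00" + element.encode()
    return hmac.new(auth_key, msg, hashlib.sha256).digest()

def is_valid(keys, policy, party, element, sigs):
    """True if `sigs` satisfies at least one conjunctive clause of the
    element's DNF policy; each clause is a set of authority names."""
    return any(
        all(hmac.compare_digest(sigs.get(a, b""), sign(keys[a], party, element))
            for a in clause)
        for clause in policy(element))

def plain_intersection(alice, bob):
    """What an unauthenticated PSI reveals: any element present on both sides."""
    return set(alice) & set(bob)

def ideal_ppsi(keys, policy, alice, bob):
    """Trusted third party: drop elements whose signatures fail, then intersect.
    alice / bob map element -> {authority name: signature}."""
    valid_a = {x for x, s in alice.items() if is_valid(keys, policy, "alice", x, s)}
    valid_b = {x for x, s in bob.items() if is_valid(keys, policy, "bob", x, s)}
    return valid_a & valid_b

def demo():
    # Constructed sample data: two authorities; "d" needs both, the rest need auth1.
    keys = {"auth1": b"constructed-key-1", "auth2": b"constructed-key-2"}
    policy = lambda x: [{"auth1", "auth2"}] if x == "d" else [{"auth1"}]
    alice = {x: {a: sign(k, "alice", x) for a, k in keys.items()} for x in "abcd"}
    bob = {x: {a: sign(k, "bob", x) for a, k in keys.items()} for x in "de"}
    forged = dict(bob, c={"auth1": b"\x00" * 32})        # Bob guesses "c", no real signature
    replayed = dict(bob, c=alice["c"])                   # Bob reuses Alice's signatures for "c"
    partial = dict(bob, d={"auth1": bob["d"]["auth1"]})  # one of two required signatures
    return {
        "plain": plain_intersection(alice, forged),
        "forged": ideal_ppsi(keys, policy, alice, forged),
        "replayed": ideal_ppsi(keys, policy, alice, replayed),
        "partial": ideal_ppsi(keys, policy, alice, partial),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, sorted(result))
```
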
Performance
• elements
• authorities per element
• Computation:
  • e.g.,
• Bandwidth:
  • e.g.,
• Rounds:
  • e.g.,
[Figure: Time to encode an element with signatures/authorities (in ms)]

Example
Finding the customers who both bought a computer from Dell and a monitor from Newegg.
• Elements: customers
• Attributes: product
• Authorities: MasterCard, Visa
• Policy: bought a computer from Dell and a monitor from Newegg
• Result: {“David Thompson”, “Maria Hall”}
[Tables: Dell’s Sales Table and Newegg’s Sales Table. Names shown: Jennifer Robinson, James Young, David Thompson, Ronald Miller, Linda Clark, Karen Carter, Maria Hall, Donald Green, Donald Green]

Related Work
• Private Set Intersection (PSI)
  • FNP04, FIP05, KS05, HL08, JL09, DMR09, HN10, CKT10, JL10, …
• Authorized Private Set Intersection (APSI)
  • CKT09, CZ09, CT10, …

Summary
• Technique to authenticate elements
• Rich privacy policies
  • Symmetric & asymmetric
  • Authority can depend on the element
  • Multiple authorities (per element)
  • Attributes
  • Bundles
  • Boolean expression (DNF) policy
• Can be used to extend any private set intersection protocol.