1 / 6

Size Matters! Size-Hiding Private Set Intersection

Asiacrypt 2010 Rump Session. December 7, 2010. Size Matters! Size-Hiding Private Set Intersection. To appear in PKC’11 – ePrint 2010/220. Emiliano De Cristofaro University of California, Irvine. Private Set Intersection. { c i | c i  C  S }. Airline with Passenger List.

keith-callahan
Download Presentation

Size Matters! Size-Hiding Private Set Intersection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Asiacrypt 2010Rump Session December 7, 2010 Size Matters!Size-Hiding Private Set Intersection To appear in PKC’11 – ePrint 2010/220 Emiliano De Cristofaro University of California, Irvine

  2. Private Set Intersection {ci|ci  CS} Airline with Passenger List DHS with Terror Watchlist One-Way PrivateSet-Intersection CLIENT SERVER C= {c1, … , cv} S = {s1, … , sw} w v

  3. Sometimes, size matters… ClientServer • DHS: Terror Watch List <--- Airline : Passenger List • CDC: Contagious disease patients <--- Schools: Kids • Observe: 1. Size of client’s set is sensitive We need to hide set size. 2. The client is forcing the server to run PSI. In PSI, server overhead also depends on the size of client’s set. We would like the server to do work proportional only to the size of his set. • Note: • Size is private and size fluctuations are private • Size also affects communication overhead • Padding doesn’t work (exposes upper bound and fluctuations)

  4. SHI-PSI X Z, {y1,…,yw} CLIENT(c1, …, cv) SERVER(s1, …, sw) Public Input: n, g, H(), F() computation mod n PCH = hc1…hcv (n,e,d) <- RSA.Kgen()g generator of QR_n PCHi = PCH / hci Rc n/2 X = gRc*PCH Rs n/2 Z = gRs Kj= XRs/hsj yj= F (Kj) K’i= ZRc*PCHi y’i= F (K’i) Client obtains ci in CS if: y'i in {y'1,…,y'v}  {y1,…,yw}

  5. SHI-PSI Features • “Surprising” result • 2PC has always assumed that input sizes *need* to be revealed • The only size-hiding protocol was ZK sets (different problem) • Security • Semi-honest players, RSA in ROM • Minimal Communication Complexity: O(w) [v.s. O(w+v) in PSI] • Computation Complexity: • Server O(w) modular exponentiations [v.s. O(w+v) in PSI] • It does not depend on client input size!!! • Client O(v·logv) modular exponentiations [v.s. O(v) in PSI] • Optimal if Client is imposing computation on the Server

  6. Conclusion • We presented the first PSI construct that hides the set size • Efficient protocol (improved communication overhead!) … and … Graduating Summer 2011 (i.e., looking for a job ) Emiliano De CristofaroUC IRVINEhttp://www.ics.uci.edu/~edecrist

More Related