an efﬁcient and secure protocol for privacy preserving set

JAIST COE Symposium 2007 – 1 / 23

An Efficient and Secure Protocol for Privacy

Preserving Set Intersection

PhD Candidate: Yingpeng SangAdvisor : Associate Professor Yasuo Tan

School of Information Science

Japan Advanced Institute of Science and Technology

Overview

Problem Background

Privacy Preserving SetIntersection amongMultiple Parties

Conclusions andFuture Work


Problem Background

Privacy Preserving Set Intersection among Multiple Partie s

Conclusions and Future Work

Problem Background

Problem Background

Privacy PreservingComputations

Two Models ofAdversarial Parties




Privacy Preserving Computations

Problem Background






■ Inputs:(x1, x2, ..., xN ) held by distributed parties (P1, P2, ..., PN )respectively.

■ Outputs:some function f(x1, x2, ..., xN ), e.g., intersection, maximum,minimum, etc.

■ Privacy Requirement:Pi(i = 1, ..., N) knows nothing about xi′ (i′ 6= i), except theinformation I(xi, f).

■ Difficulties:

— Some parties may have adversarial behaviors;— There may be no party that can be trusted by all the other

parties.

Two Models of Adversarial Parties

Problem Background






■ Assumption: only one adversary, who controls arbitrarynumber of parties.

■ Semi-honest Model : the adversary follows the protocolproperly, but may analyze its intermediate computations.

■ Malicious Model : the adversary arbitrarily deviates from theprotocol, i.e.,

— refusing to participate in the protocol when the protocol isfirst invoked;

— arbitrarily substituting its original local input and entering theprotocol with an input other than the one provided to them;

— aborting the protocol whenever obtaining the desired result.

Privacy Preserving Set

Intersection among

Multiple Parties

Problem Background


One Application

Problem Definition

Related Work

Basic ToolsPPSI Protocol 1 for theSemi-honest ModelPPSI Protocol 2 for theMalicious ModelComparisons withPrevious Results



One Application

Problem Background


One Application

Problem Definition

Related Work




■ Government : A = {No − flight Name List}■ Airline Company : B = {Customer Name List}■ Preventing Terrorism :

— A ∩ B

— Government’s Privacy: A 9 Air Flight Company— Company’s Privacy: B 9 Government

Problem Definition

Problem Background


One Application

Problem Definition

Related Work




Privacy Preserving Set Intersection (PPSI): For Semi-honestModel

■ Inputs : N (N ≥ 2) parties.Each party Pi (i = 1, ..., N) has a set (or multiset) Ti:Ti = {T (i, j)|j = 1, ..., S}.

■ Outputs : Each party Pi learns TI = T1 ∩ ... ∩ TN ,without knowing the elements in Ti′ (i′ 6= i) except TI .

■ Π is a secure PPSI protocol in the semi-honest model, if

{S(I, (Ti1 , ..., Tic), fI(T ))} ≡c {V IEWΠ

I (T )}

in which,

— S: a PPT algorithm;— I = {i1, ..., ic}: the index set of adversarial parties;— f: the intersection function;— V IEWΠ

I (T ): the view of adversarial parties during Π;

Problem Definition (contd.)

Problem Background


One Application

Problem Definition

Related Work




PPSI: For Malicious Model

■ Inputs : N (N ≥ 2) parties.Pi (i = 1, ..., N) has a set (or multiset) Ti.

■ Outputs : Each party Pi learns TI = T1 ∩ ... ∩ TN ,without knowing the elements in Ti′ (i′ 6= i) except TI .

■ Π is a secure PPSI protocol in the malicious model, if

{IDEALf,I,B(T )} ≡c {REALΠ,I,A(T )}.

in which,

— A: PPT algorithm of the adversary in Π;— B: PPT algorithm of the adversary in the ideal model, where there is an

available trusted party;— REALΠ,I,A(T ): Output of A in Π;— IDEALf,I,B(T ): Output of B in the ideal execution.

Related Work

Problem Background


One Application

Problem Definition

Related Work




1) L. Kissner and D. Song, “Privacy-Preserving Set Operations”, inAdvances in Cryptology - CRYPTO 2005.

— fi = (x − T (i, 1)) · · · (x − T (i, S)),

F =∑N

i=1 fi ∗∑N

k=1 ri,k.

— Security: semi-honest and malicious models.

2) M. Freedman, K. Nissim and B. Pinkas, “Efficient PrivateMatching and Set Intersection”, in Proc. of Eurocrypt ’04.

— PN evaluates its elements T (N, j) on fi (i = 1, ..., N − 1).

— Security: semi-honest model

■ Our aims: less costs while keeping the same security.

Basic Tools

Problem Background


One Application

Problem Definition

Related Work




■ Threshold version of additive homomorphic encryption: Paillier’sscheme.

■ Calculations on encrypted polynomials:

— For f(x) =∑m

i=0 aixi, E(f(x)) = {E(ai)|i = 0, ...,m};

— The evaluation E(f(x)) for x = v;— The scalar product E(cf(x)), given c;— The sum E(f(x) + g(x)), given E(f(x)) and E(g(x));— The polynomials multiplication E(f(x) ∗ g(x)), given f(x)

and E(g(x)).

PPSI Protocol 1 for the Semi-honest Model

Problem Background


One Application

Problem Definition

Related Work




1) Constructing the Polynomial Vector F

1.1) Pi computes fi = (x − T (i, 1)) · · · (x − T (i, S)) mod N torepresent its set Ti.

1.2) Pi computes E(fi ∗∑N

j=1 ri,j), in which ri,j is generated byPj , ri,j = ai,jx + bi,j , ai,j, bi,j ∈R ZN .

1.3) The N parties get:

E(F ) = ( E(f1 ∗N∑

j=1

r1,j), ..., E(fN ∗N∑

j=1

rN,j) )

PPSI Protocol 1 for the Semi-honest Model (contd.)

Problem Background


One Application

Problem Definition

Related Work




2) Multiplication with Nonsingular Matrices

2.1) Pi generates a random and nonsingular matrix Ri;2.2) Pi computes E(FR1 · · · Ri);2.3) The N parties get E(G) = E(FR1 · · · RN) = E(FR) and

decrypt it:

g1 = f1 ∗N∑

j=1

r1,jR11 + ... + fN ∗N∑

j=1

rN,jRN1

...

gN = f1 ∗N∑

j=1

r1,jR1N + ... + fN ∗N∑

j=1

rN,jRNN

in which Ruv is the (u, v) entry of R (1 ≤ u, v ≤ N).

2.4) Pi evaluates (g1, ..., gN) at the element T (i, j).


Problem Background


One Application

Problem Definition

Related Work




■ Correctness Lemma :If for k = 1, ..., N , gk(T (i, j)) = 0, then T (i, j) ∈ TI with anoverwhelming probability (> 1 − 1

280 ).

— Proof Sketch:

▲ R is nonsingular,▲ If G(T (i, j)) = F (T (i, j)) · R = (0, 0, ..., 0),

then F (T (i, j)) = (0, 0, ..., 0).


Problem Background


One Application

Problem Definition

Related Work




■ Security :

— Semi-honest attacks: analyze the coefficients in G, andinfer the roots of fi′ from Pi′ (i′ ∈ I ′, I ′ is the index set ofhonest parties).

Lemma 1 In PPSI Protocol, any Pi in the coalition of

c (1 ≤ c ≤ N − 1) semi-honest parties (PI ) can know no more

elements than TI in any Ti′ for ∀i′ ∈ I ′.

Theorem 1 Protocol 1 is a secure protocol Π, which privately solves

the PPSI problem with respect to the semi-honest behaviors of

arbitrary number of parties.

PPSI Protocol 2 for the Malicious Model

Problem Background


One Application

Problem Definition

Related Work




Main Ideas

■ We assume the adversary controls arbitrary number of parties.■ Protocol 2 for the malicious model is based on Protocol 1 for the

semi-honest model.■ Blocks are added to prevent malicious behaviors:

Attack 1) : sending to others an arbitrarily encryptedpolynomial without knowing its coefficients.Solution: Pi should prove that:

1.1) knowing the plaintexts of E(f), PK{f : E(f)}.1.2) correct polynomials multiplication,

PK{r : M = E(f ∗ r)∧

E(f)∧

E(r)}

PPSI Protocol 2 for the Malicious Model (contd.)

Problem Background


One Application

Problem Definition

Related Work




Attack 2) : encrypting a polynomial whose coefficients are allzeros.Solution: The honest parties can reset the leading coefficient ofpolynomials received from others to be E(1).Attack 3) : generating a singular matrix Ri, then the protocolwon’t be correct.Solution: Pi should prove that Ri it generates is nonsingular:PK{Ri : D = E(det(Ri))

∧D 6= E(0)

∧R = E(Ri)}.

det(Ri) is the determinant of Ri.

PPSI Protocol 2 for the Malicious Model (contd.)

Problem Background


One Application

Problem Definition

Related Work




Attack 4) : doing multiplication with a matrix R′i other than the

committed matrix Ri.Solution: Each party should prove that he does correct matrix

multiplication with the matrix Ri it has committed:

PK{R : G = E(FR)∧

F = E(F )∧

R = E(R)}.F = (f1, ..., fN ), R is an N × N matrix, and E(R) are the encryptedentries of R.

Comparisons with Previous Results

Problem Background


One Application

Problem Definition

Related Work




Table 1: Comparisons of solutions for PPSI in the semi-honest modelComputation Cost Communication Cost Security Model

Ours 2(c(S + 2)(N − 1) − 2)lgN+c(S + 2)(N + 3) 2cN(4S + 5)lgN Semi-honest

Kissner’s 2(c(S + 1)2 + 5S + 3)lgN

+c(S2 + 4S + 2) 2cN(5S + 2)lgN Semi-honest

Freedman’s ((S + 1)(S + 2) + 3S(N − 1) − 1)2lgN

+S(S + 1) 10S(N − 1)2lgN Semi-honest

A quantitative analysis:

■ S = 20, N = 5, c = 3, lgN = 1024.■ Our protocol saves about 81% and 63% computation costs,

17% and 20% communication costs in comparison withKissner’s and Freedman’s solutions.

Comparisons with Previous Results (contd.)

Problem Background


One Application

Problem Definition

Related Work




Table 2: Comparisons of solutions for PPSI in the malicious modelComputation Cost Communication Cost Security Model

Ours O(cSNlgN ) O(cSNlgN ) Malicious

Kissner’s O(cS2lgN ) O(cSNlgN ) Malicious

In practical applications:

■ S (the size of a set ) ≫ N (the number of parties );■ Our Protocol can be faster than Kissner’s solution.

Conclusions and Future

Work

Problem Background


Conclusions andFuture WorkConclusions andFuture Work


Conclusions and Future Work

Problem Background




We propose:

■ PPSI protocols in the semi-honest and malicious models whichcost less computation time and bandwidth in practicalapplications than previous results.

Future Work:

■ Doing comparisons between data disguising techniques andcryptographic techniques.

■ Proposing secure and efficient solutions for some basiccomputation problems.

■ Proposing secure solutions for some large-scale data miningtasks.

The End

Problem Background




Thank You Very Much!

an efﬁcient and secure protocol for privacy preserving set

Documents