Efficient and Robust Private Set Intersection

and multiparty multivariate polynomials

Dana Dachman-Soled1, Tal Malkin1, Mariana Raykova1, Moti Yung1,2

1Columbia University, 2Google Inc.

Efficient and Robust Private Set Intersection

Dana Dachman-Soled1, Tal Malkin1, Mariana Raykova1, Moti Yung1,2

1Columbia University, 2Google Inc.

Warning: many details skipped, some cheating!

Client: X

|X| = n

Server: Y

|Y| = m

Trusted Party

Set Intersection Functionality

Trusted Party

Set Intersection FunctionalityServer: Y

|Y| = m

Client: X

|X| = n

Trusted Party

Set Intersection Functionality

?

Client: X

|X| = n

Server: Y

|Y| = m

Widely used in area of Privacy Preserving Data Mining

Enables institutions to share personal information such as medical or financial records.

Wasn’t this already done?

• FNP04 – semi-honest case, malicious in the random oracle model

• KS05 – semi-honest + ZKN proofs• HL08 – one side simulatability and covert

adversaries• JL09 – malicious case, polynomial size

domains, Decisional q-Diffie-Hellman Inversion Assumption

Our Results• First Set Intersection protocol secure against

malicious parties in the standard simulation model

• Black-box construction assuming (singly) homomorphic encryption with a natural property (satisfied by known constructions)

• Additive El-Gamal (DDH) ; Paillier (DCR)Extensions:• multi-party set intersection• general multivariate polynomials

Homomorphic Encryption

• Additive homomorphic property– Enc(x,r1)*Enc(y,r2)=Enc(x+y,r3)

• Additional property:– Can compute r3 from r1 and r2

– Known schemes have this property

• ElGamal – additive homomorphism variant– Inefficient decryption, equality comparison possible

• Paillier

Our Results• Communication complexity: O(mk2log2(n)+nk)

– SMC circuit evaluation – size of cicuit + ZK proofs (at least nm, even before ZK)

– Realistic scenarios – m,n >> k

Overview of Technique(with missing steps)

– Start from semi-honest [FNP] using a polynomial– Add redundancy using [Shamir] polynomial secret

sharing (motivated by [CDMW08] techniques) – Rely on commutative nature of polynomials to

translate input shares to output shares for reconstruction (Lagrange interpolation)

– Cut and choose to enforce honest behavior

– Input preprocessing for degree reduction

Semi-Honest Protocol [FNP04]

• Client represents its input set X, |X| = n with a polynomial Q(x) of deg n, s.t. Q(xi) = 0 iff xi in X

• Client sends to Server encrypted coefficients of Q under homomorphic encryption Enc

• Server evaluates Enc of Q’(yi) := Q(yi)*ri + yi (deg n) for every yi in his input set Y and sends to Client ci=Enc(Q’(yi)).

• Client decrypts each ci and outputs Dec(ci) if and only if it is in X (=iff it is in the intersection)

Malicious Server

• Can use inconsistent values for its inputs

Q(yi)*ri + yiQ(yi)*ri + yi

an*yinan*yin an-1*yi

n-1an-1*yin-1 a1*yi

1a1*yi1

=

+ + … + + a0a0 yiyi+

yiyiyi’ yi”

Q’(yi)Q’(yi) =

Overview of Technique(with missing steps)

– Start from semi-honest [FNP] using a polynomial Add redundancy using [Shamir] polynomial

secret sharing (motivated by [CDDIM] techniques) – Rely on commutative nature of polynomials to

translate input shares to output shares for reconstruction (Lagrange interpolation)

– Cut and choose to enforce honest behavior

– Input preprocessing for degree reduction

Step 1: Input Sharing

Server shares and commits to preprocessed inputs using Shamir secret sharing (=Reed-Solomon) Code

For each preprocessed input:

Send commitments to client:

Server’s Computation

yi Pi where Pi(0) = yi, deg(Pi) = k

. . .Com(Pi(1)) Com(Pi(10kD))Com(Pi(2)) Com(Pi(3)) Com(Pi(4))

D = degree of output sharing polynomial: TBD

Step 2: Polynomial Evaluation on Shares

For each yi: Server evaluates (encrypted) Q’ on the corresponding shares, to get (encrypted versions of) output shares:

Server’s Computation

. . . Q’(Pi(1)) Q’(Pi(10kD)) Q’(Pi(2)) Q’(Pi(3)) Q’(Pi(4))

Client can decrypt, interpolate Q’Pi, and evaluate on 0 to get Q’(Pi(0))=Q’(yi) as wanted.

Step 3: Cut and Choose

Open k of the committed shares to show that Q’ was computed correctly for those shares:

Server’s Computation

. . . Q’(Pi(1)) Q’(Pi(10kD)) Q’(Pi(2)) Q’(Pi(3)) Q’(Pi(4))

Output Polynomial Degree

• Determines the number of output shares

• Total degree D = nk + k• Total number of shares 10kD

Q’(yi)Q’(yi) = Q(yi)*ri + yiQ(yi)*ri + yi = Q(Pi(j))*Rri(j) + Pi(j)Q(Pi(j))*Rri(j) + Pi(j)

deg n deg k

Overview of Technique(with missing steps)

– Start from semi-honest [FNP] using a polynomial– Add redundancy using [Shamir] polynomial secret

sharing (motivated by [CDMW] techniques) – Rely on commutative nature of polynomials to

translate input shares to output shares for reconstruction (Lagrange interpolation)

– Cut and choose to enforce honest behavior

Input preprocessing for degree reduction

Efficient Input Preprocessing

• Polynomial Degree Reduction• Change of variables• Polynomial Q(y) of degree n

Q(y)Q(y) Q(y0,y1,y2 …, ylog n )Q(y0,y1,y2 …, ylog n )

y0 = yy1 = y2

y2 = y4

……….

ylog n = y2log n

deg n deg log n

y

Other Components (skipped)

• Homomorphic Encryption Zero Knowledge Proofs of Knowledge for client’s and server’s polynomials

• Coin tossing for cut and choose • Etc.

Improved Communication Complexity: O(mk2log2(n)+nk)

Important in realistic scenarios with large input sets m,n >> k

Multi-Party Multivariate Polynomials

• Basic setting: public multivariate polynomial (poly size representation) over private inputs.

• Alternatively: coefficients are also private. • Optmizations for specific polynomials, including multi-party set

intersection

Our results:• Secure protocol (no honest majority, with broadcast) from

homomorphic encryption with threshold decryption (Paillier)• Round table protocol with constant rounds• Same approach as above, but several technical issues to

overcome (interpolating over encrypted values, handling errors, proofs of knowledge…)

Thank you!

Preprocessing Verification

• Correct computation of new variables• Correct degree of input sharing polynomials• HEPKPV Protocol

Party 1: x1,…,xn

Common: c1,…,cn, L

(x1,…,xn) in L ci = ENC(xi)

input proof outputParty 2: Accept/Reject

enc(r1)enc(r1) enc(r2)enc(r2) enc(rn)enc(rn)

c1 * enc(r1)c1 * enc(r1) c2 * enc(r2)c2 * enc(r2) … cn * enc(rn)cn * enc(rn) x1+r1,…,xn+rn in L

r1,…,rn in L

open0

1

Client Simulator

• Extract Client’s input in HEPKPV• Submit to TP and receives output• Shares output and commits as output shares• Simulates Server in interaction with Client

committing to random input• Makes sure can open correctly and verify

computation of k output shares• Rewinds coin-tossing for cut-and-choose to select

the above k shares

Server Simulator

• Simulates the Client in the interaction with the Server using random encryption of 0

• Extracts Server’s inputs in HEPKPV• Rewinds coin tossing to open all Server’s

shares• Makes sure that most output shares are

consistent with extracted input• If the above holds, submit extracted input to TP

Communication Complexity

• Improved Communication Complexity– O(mk2log2(n)+nk) – circuit evaluation – size of circuit– mn ZKN proofs– Important in realistic scenarios with large input

sets m,n >> k