Policy-Enhanced Private Set Intersection: Sharing Information While Enforcing Privacy Policies
description
Transcript of Policy-Enhanced Private Set Intersection: Sharing Information While Enforcing Privacy Policies
Policy-Enhanced Private Set Intersection:Sharing Information While Enforcing Privacy Policies
Emil Stefanov Elaine Shi Dawn [email protected] [email protected] [email protected]
http://www.emilstefanov.net/Research/
UC Berkeley
Private Set Intersection (PSI)Alice’s set Bob’s set
• Alice has a set of elements.• Bob has a set of elements.• Goal:
– Reveal elements that are both sets.– Hide all other elements
Revealed
[CKT10], [CT10], [DMR09], [FIP05], [HL08], [HN10], [JL09], [JL10], [LS05], …
Alternative Approaches
• Trusted third party– Trivial solution– Does not always exist.• Who can both parties trust?
• Generic SMC (e.g., garbled circuits)– Less efficient in most scenarios
• Homomorphic encryption– Not practical
Applications• Healthcare– Common patients– Common symptoms
• Social Networks– Common friends– Common group memberships
• Distributed databases– JOIN operations
• Many more– Set intersection is a fundamental operation
The Problem with PSI
• No restriction on sets.• Either party can insert fictitious elements.• Can be used to violate privacy.
cd
ab
e
Known-Element Attack
c fgi
h
Alice’s set Bob’s set
dcd
• Bob wants to learn if Alice has .• Bob inserts into his own set• They perform a private set intersection.• is in result Bob learns that Alice has .
Our Contributions
• Technique to authenticate elements• Rich privacy policies• Multiple authorities• Can be used to extend any private set
intersection protocol.
PPSI Problem Definition(single authority, symmetric)
• Alice’s input:
• Bob’s input:
• Signature verification:• Define valid sets:
• Output:
cd
ab
e
Known-Element Attack not Possible
c fgi
h
Alice’s set Bob’s set
dcd
• Bob wants to learn if Alice has .• Bob inserts into his own set (with invalid signature)• They perform PPSI
– PPSI removes from result (Bob has an invalid signature)• Bob cannot learn if Alice has .
PPSI Problem Definition(multiple authorities, symmetric)
• Alice: • Bob: • Privacy policy (known to both Alice and Bob)– Signer (authority) depends on the element– Authority for element :
• Signature verification: – Verifies against public key of
• Multiple signatures/authorities per element– , can be a sets– can be a Boolean expression (DNF).
PPSI Problem Definition(multiple authorities, asymmetric)
• Alice: • Bob: • Authorities depend on the element and party– Authority for element and Alice:– Authority for element and Bob:
• Alice and Bob both know and
Additional Goals
• Signatures must be bound to a party– : Alice is allowed to have in her set.– Non-transferable is useless to Bob
• Require interaction– Bob must not be able to later re-run the protocol
with a different set (without Alice’s cooperation).• Efficient. Complexity…
… depends on:• Set size• Authorities per element
… independent of:• Element universe• Authority universe
So, how can we achieve this?
Intersect then verify?
• After intersecting, Bob already learns .• Verifying afterwards ensures integrity...• … but not confidentiality (already revealed )
cd
ab
e
c fgi
h
Alice’s set Bob’s set
dcd
c
d
abe
Verify then intersect?
c fgi
hc
• E.g., using commitments and zero-knowledge proofs.• Problem: which authorities to verify elements against?• Complexity is linear with size of authority universe!
d
Challenge
• Can’t intersect then verify.• Can’t verify then intersect.• So what do we do?• Must simultaneously intersect and verify.• But how?
𝝈𝒄
𝝈𝒅
𝝈𝒂𝝈𝒃
𝝈𝒆
Intersect signatures using PSI?
𝝈𝒄
𝝈𝒅′
𝝈 𝒇
𝝈𝒈𝝈𝒊
𝝈𝒉𝝈𝒄
• Both parties must have identical signatures– Not possible to bind signatures to parties• for Alice and for Bob.
– Does not work for asymmetric policies.
Key technique:encode each element
then intersect encodings
𝜽𝒄
𝜽𝒅
𝜽𝒂𝜽𝒃
𝜽𝒆𝜽𝒄
𝜽𝒅′
𝜽 𝒇
𝜽𝒈𝜽 𝒊
𝜽𝒉𝜽𝒄
Main Property of Encodings• Alice’s encoding of should match Bob’s encoding– if and only if the policy is satisfied– even though the signatures are different– even though the authorities might be different
• Secret keys of two authorities: • Alice has Bob has • Property:
PPSI ProtocolAlice Bob
RBRA
Regular Private Set Intersection Protocol
Over Encodings
Generate Encodings
Generate Encodings
Recover from result
Recover from result
Done
Exchange Challenges
Encoding Challenge• Need:
• Encoding is a function of both and • Alice doesn’t know • Bob doesn’t know • So how can they generate the same encoding for ?• Answer:– Specially chosen signature scheme: BLS signatures– Challenge phase– Our special encodings
Signatures
• We use standard BLS signatures.• In a group of prime order – With bilinear map: – Generators:
• Signature key of an authority
• Verification key of the authority
• Authority’s signature to Alice for element :
Challenge Phase
• Alice generates random:• Bob generates random:• Alice sends to Bob• Bob sends to Alice• Note that:– Only Alice knows – Only Bob knows
Special Encodings• Alice’s encoding of
to match Bob’s encoding of :
• Bob’s encoding of to match Alice’s encoding of :
Alice knows signature Alice knows
Bob knows signatureBob knows
encodingsmatch
Encodings for More Complex Policies• Suppose that
– Signing key for is • Alice’s encoding for :
• Bob’s encoding for :
𝑭 (𝒛 , 𝑨 )
𝑭 (𝒛 , 𝑨 )
𝑭 (𝒛 ,𝑩 )
𝑭 (𝒛 ,𝑩 )
SummaryAlice Bob
RBRA
Regular Private Set Intersection Protocol
Over Encodings
Generate Encodings
Generate Encodings
Recover from result
Recover from result
Done
Exchange Challenges
Extensions
• Attributes
• Bundles– Merge encodings of all elements in bundle.
• Disjunctions and DNF’s– One encoding per conjunctive clause of the DNF.
Security
• Assumptions:– CBDH, random oracle, underlying PSI security
• Proof technique:– Define ideal world: A third party is doing the
intersection and verifying the signatures. – Computationally indistinguishable from ideal world.
• Secure against malicious adversaries.
Performance
m 1 2 3 4 5Average 1.70 3.10 4.45 5.65 7.07
Standard Deviation 0.06 0.17 0.22 0.04 0.27
• elements• authorities per element• Computation:
– e.g., • Bandwidth:
– e.g., • Rounds:
– e.g.,
Time to encode an element with signatures/authorities (in ms)
Example
Dell’s Sales Table Newegg’s Sales TableID Customer Product Card
D1 Jennifer Robinson Computer
D2 David Thompson Computer
D3 Ronald Miller Computer
D4 Karen Carter Computer
D5 Maria Hall Computer
D6 Donald Green Printer
ID Customer Product Card
N1 David Thompson Monitor
N2 James Young Monitor
N3 Maria Hall Monitor
N4 Linda Clark Monitor
N5 Donald Green Monitor
David Thompson
Maria Hall
Ronald Miller
Karen Carter
Donald Green
Jennifer Robinson
Linda Clark
Donald Green
James Young
Finding the customers who both bought a computer from Dell and a monitor from Newegg.
• Elements: customers• Attributes: product• Authorities: MasterCard, Visa• Policy: bought a computer from Dell and
a monitor from Newegg• Result: {“David Thompson”, “Maria Hall”}
Related Work
• Private Set Intersection (PSI)– FNP04, FIP05, KS05, HL08, JL09, DMR09, HN10,
CKT10, JL10, …• Authorized Private Set Intersection (APSI)– CKT09, CZ09, CT10, …
Summary
• Technique to authenticate elements• Rich privacy policies– Symmetric & asymmetric– Authority can depend on the element– Multiple authorities (per element)– Attributes– Bundles– Boolean expression (DNF) policy
• Can be used to extend any private set intersection protocol.