Policy-Enhanced Private Set Intersection:Sharing Information While Enforcing Privacy Policies

Emil Stefanov Elaine Shi Dawn Songemil@cs.berkeley.edu elaines@cs.berkeley.edu dawnsong@cs.berkeley.edu

http://www.emilstefanov.net/Research/

UC Berkeley

Private Set Intersection (PSI)Alice’s set Bob’s set

• Alice has a set of elements.• Bob has a set of elements.• Goal:

– Reveal elements that are both sets.– Hide all other elements

Revealed

[CKT10], [CT10], [DMR09], [FIP05], [HL08], [HN10], [JL09], [JL10], [LS05], …

Alternative Approaches

• Trusted third party– Trivial solution– Does not always exist.• Who can both parties trust?

• Generic SMC (e.g., garbled circuits)– Less efficient in most scenarios

• Homomorphic encryption– Not practical

Applications• Healthcare– Common patients– Common symptoms

• Social Networks– Common friends– Common group memberships

• Distributed databases– JOIN operations

• Many more– Set intersection is a fundamental operation

The Problem with PSI

• No restriction on sets.• Either party can insert fictitious elements.• Can be used to violate privacy.

cd

ab

e

Known-Element Attack

c fgi

h

Alice’s set Bob’s set

dcd

• Bob wants to learn if Alice has .• Bob inserts into his own set• They perform a private set intersection.• is in result Bob learns that Alice has .

Our Contributions

• Technique to authenticate elements• Rich privacy policies• Multiple authorities• Can be used to extend any private set

intersection protocol.

PPSI Problem Definition(single authority, symmetric)

• Alice’s input:

• Bob’s input:

• Signature verification:• Define valid sets:

• Output:

cd

ab

e

Known-Element Attack not Possible

c fgi

h

Alice’s set Bob’s set

dcd

• Bob wants to learn if Alice has .• Bob inserts into his own set (with invalid signature)• They perform PPSI

– PPSI removes from result (Bob has an invalid signature)• Bob cannot learn if Alice has .

PPSI Problem Definition(multiple authorities, symmetric)

• Alice: • Bob: • Privacy policy (known to both Alice and Bob)– Signer (authority) depends on the element– Authority for element :

• Signature verification: – Verifies against public key of

• Multiple signatures/authorities per element– , can be a sets– can be a Boolean expression (DNF).

PPSI Problem Definition(multiple authorities, asymmetric)

• Alice: • Bob: • Authorities depend on the element and party– Authority for element and Alice:– Authority for element and Bob:

• Alice and Bob both know and

Additional Goals

• Signatures must be bound to a party– : Alice is allowed to have in her set.– Non-transferable is useless to Bob

• Require interaction– Bob must not be able to later re-run the protocol

with a different set (without Alice’s cooperation).• Efficient. Complexity…

… depends on:• Set size• Authorities per element

… independent of:• Element universe• Authority universe

So, how can we achieve this?

Intersect then verify?

• After intersecting, Bob already learns .• Verifying afterwards ensures integrity...• … but not confidentiality (already revealed )

cd

ab

e

c fgi

h

Alice’s set Bob’s set

dcd

c

d

abe

Verify then intersect?

c fgi

hc

• E.g., using commitments and zero-knowledge proofs.• Problem: which authorities to verify elements against?• Complexity is linear with size of authority universe!

d

Challenge

• Can’t intersect then verify.• Can’t verify then intersect.• So what do we do?• Must simultaneously intersect and verify.• But how?

𝝈𝒄

𝝈𝒅

𝝈𝒂𝝈𝒃

𝝈𝒆

Intersect signatures using PSI?

𝝈𝒄

𝝈𝒅′

𝝈 𝒇

𝝈𝒈𝝈𝒊

𝝈𝒉𝝈𝒄

• Both parties must have identical signatures– Not possible to bind signatures to parties• for Alice and for Bob.

– Does not work for asymmetric policies.

Key technique:encode each element

then intersect encodings

𝜽𝒄

𝜽𝒅

𝜽𝒂𝜽𝒃

𝜽𝒆𝜽𝒄

𝜽𝒅′

𝜽 𝒇

𝜽𝒈𝜽 𝒊

𝜽𝒉𝜽𝒄

Main Property of Encodings• Alice’s encoding of should match Bob’s encoding– if and only if the policy is satisfied– even though the signatures are different– even though the authorities might be different

• Secret keys of two authorities: • Alice has Bob has • Property:

PPSI ProtocolAlice Bob

RBRA

Regular Private Set Intersection Protocol

Over Encodings

Generate Encodings

Generate Encodings

Recover from result

Recover from result

Done

Exchange Challenges

Encoding Challenge• Need:

• Encoding is a function of both and • Alice doesn’t know • Bob doesn’t know • So how can they generate the same encoding for ?• Answer:– Specially chosen signature scheme: BLS signatures– Challenge phase– Our special encodings

Signatures

• We use standard BLS signatures.• In a group of prime order – With bilinear map: – Generators:

• Signature key of an authority

• Verification key of the authority

• Authority’s signature to Alice for element :

Challenge Phase

• Alice generates random:• Bob generates random:• Alice sends to Bob• Bob sends to Alice• Note that:– Only Alice knows – Only Bob knows

Special Encodings• Alice’s encoding of

to match Bob’s encoding of :

• Bob’s encoding of to match Alice’s encoding of :

Alice knows signature Alice knows

Bob knows signatureBob knows

encodingsmatch

Encodings for More Complex Policies• Suppose that

– Signing key for is • Alice’s encoding for :

• Bob’s encoding for :

𝑭 (𝒛 , 𝑨 )

𝑭 (𝒛 , 𝑨 )

𝑭 (𝒛 ,𝑩 )

𝑭 (𝒛 ,𝑩 )

SummaryAlice Bob

RBRA

Regular Private Set Intersection Protocol

Over Encodings

Generate Encodings

Generate Encodings

Recover from result

Recover from result

Done

Exchange Challenges

Extensions

• Attributes

• Bundles– Merge encodings of all elements in bundle.

• Disjunctions and DNF’s– One encoding per conjunctive clause of the DNF.

Security

• Assumptions:– CBDH, random oracle, underlying PSI security

• Proof technique:– Define ideal world: A third party is doing the

intersection and verifying the signatures. – Computationally indistinguishable from ideal world.

• Secure against malicious adversaries.

Performance

m 1 2 3 4 5Average 1.70 3.10 4.45 5.65 7.07

Standard Deviation 0.06 0.17 0.22 0.04 0.27

• elements• authorities per element• Computation:

– e.g., • Bandwidth:

– e.g., • Rounds:

– e.g.,

Time to encode an element with signatures/authorities (in ms)

Example

Dell’s Sales Table Newegg’s Sales TableID Customer Product Card

D1 Jennifer Robinson Computer

D2 David Thompson Computer

D3 Ronald Miller Computer

D4 Karen Carter Computer

D5 Maria Hall Computer

D6 Donald Green Printer

ID Customer Product Card

N1 David Thompson Monitor

N2 James Young Monitor

N3 Maria Hall Monitor

N4 Linda Clark Monitor

N5 Donald Green Monitor

David Thompson

Maria Hall

Ronald Miller

Karen Carter

Donald Green

Jennifer Robinson

Linda Clark

Donald Green

James Young

Finding the customers who both bought a computer from Dell and a monitor from Newegg.

• Elements: customers• Attributes: product• Authorities: MasterCard, Visa• Policy: bought a computer from Dell and

a monitor from Newegg• Result: {“David Thompson”, “Maria Hall”}

Related Work

• Private Set Intersection (PSI)– FNP04, FIP05, KS05, HL08, JL09, DMR09, HN10,

CKT10, JL10, …• Authorized Private Set Intersection (APSI)– CKT09, CZ09, CT10, …

Summary

• Technique to authenticate elements• Rich privacy policies– Symmetric & asymmetric– Authority can depend on the element– Multiple authorities (per element)– Attributes– Bundles– Boolean expression (DNF) policy

• Can be used to extend any private set intersection protocol.