Private Set Intersection:

Are Garbled Circuits Better than Custom Protocols?

Yan Huang, David Evans, Jonathan KatzUniversity of Virginia, University of Maryland

www.MightBeEvil.org

Motivation --- Common Acquaintances

http://www.mightbeevil.com/mobile/

EUROCRYPT 2004

CRYPTO 2005TCC 2008

Financial Crypto 2010

Custom Protocols Generic Protocols

e.g., Garbled Circuit

Protocols

Cannot be easily composed with other secure computations

Designed around specific crypto assumptions and primitives

New Design and security proofs need to be done for

every individual scheme.

Uses generic and flexible cryptographic primitives

Can securely compute arbitrary function

Security proofs automatically derived

from the generic proof.

Garbled Circuits & Oblivious Transfers

Y. Huang, D. Evans, J. Katz, L. Malka, Faster Secure Computation Using Garbled Circuits, USENIX Security 2011.

And Gate 1

Enca10,

b11(x10)

Enca11,b11(x1

1)

Enca11,b10(x1

0)

Enca10,b10(x1

0)

Or Gate 2

Encx00,

x11(x21)

Encx01,x11(x21

)

Encx01,x10(x21

)

Encx00,x10(x20

)

AND

a0 b0

x0

AND

a1 b1

x1

OR

x2

…Andrew Yao, 1982/1986

Alice Bob

Oblivious Transfer Protocol

Rabin, 1981; Even, Goldreich, and Lempel, 1985; Naor and Pinkas 2001, Ishai et al., 2003

Free-XOR technique, Kolesnikov and Shneider, 2008

Threat Model

Semi-Honest Adversary: follows the protocol as specified, but tries to learn more from the protocol execution transcript

Generic PSI Protocols Overview

– the number of bits used to denote a set element – the size of the sets

Protocols Cost in non-XOR gates

Best for

Bitwise-AND (BWA) Small element space

Pairwise-Comparison (PWC)

Sort-Compare-Shuffle-WN (SCS-WN) Large element space

Generic PSI Protocols Overview

– the number of bits used to denote a set element – the size of the sets

Protocols Cost in non-XOR gates

Best for

Bitwise-AND (BWA) Small element space

Pairwise-Comparison (PWC)

Sort-Compare-Shuffle-WN (SCS-WN) Large element space

PSI: Needn’t be Complex

[ 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0] [ 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0]

ANDANDAND . . .Bitwise-AND

. . .

Encode set elements as bit vectors

Recessive genes: { 5283423, 1425236, 839523, … }

Recessive genes: { 5823527, 839523, 169325, … }

[ PAH, PKU, CF, … ]

BWA Performance

8 9 10 11 12 13 14 15 160

0.5

1

1.5

2

2.5

3

OT Circuit

σ

Tim

e (s

econ

ds)

What if the element space is large?

Sort

-Com

pare

-Shu

ffle Sort: Take

advantage of total order of elements

Compare adjacent elements

Shuffle to hide positions

Sort

-Com

pare

-Shu

ffle Sort: Take

advantage of total order of elements

Compare adjacent elements

Shuffle to hide positions

Bito

nic

Sorti

ng1

4

9

7

5

4

3

2

1

5

4

4

3

9

2

7

1

3

2

4

5

9

4

7

1

2

3

4

4

5

7

9

1

2

3

4

4

5

7

9

Sorting Networks and their Applications, Ken Batcher, 1968

CMPFilter

CMPFilter

CMPFilter …

CMP3Filter

CMP3Filter

CMP3Filter

Can’t reveal results yet! Position leaks information.

Journal of the ACM, January 1968

Waksman Network

Same circuit can generate any permutation: select a random permutation, and pick swaps

gates( log 1)

3

n n n

FreeGates to generate and evaluate

Private Set Intersection Protocol

( log 1)

3

n n n

– the number of bits used to denote a set element – the size of the sets

SCS-WN Protocol Results

32-bit values

1

10

100Theoretical Projection

Experimental Observation

Set Size (each set)

Seco

nds

( log 1)[2 log(2 ) (3 1)( 1) (2 1) ]

3

n n nn n n rate

ultra-short short medium long ultra-long0

200

400

600

800

1000

1200

1400

1600

1800

2000

10.9 62.4126.0

369.0

1972.0

51.5 57.1 61.5 97.3 122.710.5 11.8 12.4 18.6 22.7

[DT10] One-more-DL-basedSCS-WN (σ=160)SCS-WN (σ=32)

Tim

e (s

econ

ds)

Relating Performance to Security

(1024, 160) (2048, 224) (3072, 256) (7680, 384) (15360, 512)

80 112 128 192 256

DL Key-sizes:

Symmetric:

Generic protocols offer many advantagesComposabilityFlexibility on hardness assumptionsDesign costPerformance

Conclusion

Q & A?