Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang, David Evans, Jonathan Katz University of Virginia, University of Maryland www.MightBeEvil.org Motivation --- Common Acquaintances http://www.mightbeevil.com/mobile/ Custom Protocols Generic Protocols Designed around specific crypto assumptions and primitives Uses generic and flexible cryptographic primitives Cannot be easily composed with other secure computations Can securely compute arbitrary function New Design and security proofs need to be done for every individual scheme. Security proofs automatically derived from the generic proof. e.g., Garbled Circuit Protocols Garbled Circuits & Oblivious Transfers a0 a1 b0 b1 AND AND x1 x0 And Gate 1 Or Gate 2 Encx00, x11(x21) OR Encx01,x11(x21) Encx01,x10(x21) Encx00,x10(x20) x2 … Enca10, b11(x10) Alice Bob Enca11,b11(x11) Enca11,b10(x10) Enca10,b10(x10) Oblivious Transfer Protocol Andrew Yao, 1982/1986 Free-XOR technique, Kolesnikov and Shneider, 2008 Rabin, 1981; Even, Goldreich, and Lempel, 1985; Naor and Pinkas 2001, Ishai et al., 2003 Y. Huang, D. Evans, J. Katz, L. Malka, Faster Secure Computation Using Garbled Circuits, USENIX Security 2011. Threat Model Semi-Honest Adversary: follows the protocol as specified, but tries to learn more from the protocol execution transcript Generic PSI Protocols Overview Protocols Cost in nonXOR gates Bitwise-AND 𝜎 2 (BWA) Pairwise-Comparison 2) 𝑂(𝜎𝑛 (PWC) Sort-Compare-Shuffle-WN 𝑂 𝜎𝑛log𝑛 (SCS-WN) Best for Small element space Large element space 𝜎 – the number of bits used to denote a set element 𝑛 – the size of the sets Generic PSI Protocols Overview Protocols Cost in nonXOR gates Bitwise-AND 𝜎 2 (BWA) Pairwise-Comparison 2) 𝑂(𝜎𝑛 (PWC) Sort-Compare-Shuffle-WN 𝑂 𝜎𝑛log𝑛 (SCS-WN) Best for Small element space Large element space 𝜎 – the number of bits used to denote a set element 𝑛 – the size of the sets PSI: Needn’t be Complex Recessive genes: { 5283423, 1425236, 839523, … } Recessive genes: { 5823527, 839523, 169325, … } Encode set elements as bit vectors [ PAH, PKU, CF, … ] [ 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0] AND AND AND [ 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0] ... ... Bitwise-AND BWA Performance 3 Time (seconds) What if the element space is large? 2.5 OT Circuit 2 1.5 1 0.5 0 8 9 10 11 12 σ 13 14 15 16 Sort-Compare-Shuffle Sort: Take advantage of total order of elements Compare adjacent elements Shuffle to hide positions Sort-Compare-Shuffle Sort: Take advantage of total order of elements Compare adjacent elements Shuffle to hide positions Bitonic Sorting 1 1 1 2 4 4 3 9 4 3 2 3 4 2 7 5 1 5 5 9 7 3 4 4 5 7 9 7 2 3 4 4 4 2 1 9 4 5 7 9 Sorting Networks and their Applications, Ken Batcher, 1968 CMP Filter CMP Filter CMP Filter … CMP3 Filter CMP3 Filter CMP3 Filter Can’t reveal results yet! Position leaks information. Journal of the ACM, January 1968 Waksman Network Same circuit can generate any permutation: select a random permutation, and pick swaps (n log n n 1) 3 gates Private Set Intersection Protocol Gates to generate and evaluate Free (n log n n 1) 𝜎 – the number of bits used to denote a set element 𝑛 – the size of the sets 3 SCS-WN Protocol Results 1000 Theoretical Projection Seconds Experimental Observation 100 10 [2 n log(2n) (3 1)( n 1) (2 1) 1 128 256 512 1024 2048 Set Size (each set) 32-bit values 4096 8192 (n log n n 1) 3 ] rate Relating Performance to Security 2000 1800 Time (seconds) 1600 1972.0 [DT10] One-more-DL-based SCS-WN (σ=160) SCS-WN (σ=32) 1400 1200 1000 800 600 369.0 400 200 0 10.9 51.5 10.5 ultra-short DL Key-sizes: (1024, 160) Symmetric: 80 62.4 57.1 126.0 11.8 short 61.5 12.4 medium 97.3 122.7 22.7 18.6 long ultra-long (2048, 224) (3072, 256) (7680, 384) (15360, 512) 112 128 192 256 Conclusion Generic protocols offer many advantages Composability Flexibility on hardness assumptions Design cost Performance Q & A?