Slides - Emil Stefanov

Policy-Enhanced Private Set Intersection:
Sharing Information While Enforcing Privacy Policies
Emil Stefanov
Elaine Shi
Dawn Song
emil@cs.berkeley.edu
elaines@cs.berkeley.edu
dawnsong@cs.berkeley.edu
UC Berkeley
http://www.emilstefanov.net/Research/
Private Set Intersection (PSI)
[Figure: Alice’s set and Bob’s set drawn as overlapping circles; only the overlap is revealed.]
• Alice has a set of elements.
• Bob has a set of elements.
• Goal:
– Reveal the elements that are in both sets.
– Hide all other elements.
[CKT10], [CT10], [DMR09], [FIP05], [HL08], [HN10], [JL09], [JL10], [LS05], …
Alternative Approaches
• Trusted third party
– Trivial solution
– Does not always exist.
• Who can both parties trust?
• Generic SMC (e.g., garbled circuits)
– Less efficient in most scenarios
• Homomorphic encryption
– Not practical
Applications
• Healthcare
– Common patients
– Common symptoms
• Social Networks
– Common friends
– Common group memberships
• Distributed databases
– JOIN operations
• Many more
– Set intersection is a fundamental operation
The Problem with PSI
• No restriction on sets.
• Either party can insert fictitious elements.
• Can be used to violate privacy.
Known-Element Attack
[Figure: Alice’s set and Bob’s set drawn as overlapping circles; elements c and d lie in both.]
• Bob wants to learn whether Alice has $d$.
• Bob inserts $d$ into his own set.
• They perform a private set intersection.
• If $d$ is in the result, Bob learns that Alice has $d$ (and if it is not, that she does not).
Our Contributions
• Technique to authenticate elements
• Rich privacy policies
• Multiple authorities
• Can be used to extend any private set intersection protocol.
PPSI Problem Definition (single authority, symmetric)
• Alice’s input: $X = \{x_1, x_2, \dots, x_n\}$ with signatures $\mathrm{A} = \{\alpha_1, \alpha_2, \dots, \alpha_n\}$
• Bob’s input: $Y = \{y_1, y_2, \dots, y_n\}$ with signatures $\mathrm{B} = \{\beta_1, \beta_2, \dots, \beta_n\}$
• Signature verification: $V(z, \sigma) \in \{T, F\}$
• Define the valid sets:
– $X' = \{x_i \in X : V(x_i, \alpha_i) = T\}$
– $Y' = \{y_i \in Y : V(y_i, \beta_i) = T\}$
• Output: $Z = X' \cap Y'$
Known-Element Attack not Possible
[Figure: Alice’s set and Bob’s set drawn as overlapping circles; elements c and d lie in both.]
• Bob wants to learn whether Alice has $d$.
• Bob inserts $d$ into his own set (with an invalid signature).
• They perform PPSI.
– PPSI removes $d$ from the result (Bob’s signature on $d$ is invalid).
• Bob cannot learn whether Alice has $d$.
PPSI Problem Definition (multiple authorities, symmetric)
• Alice: $X = \{x_1, x_2, \dots, x_n\}$, $\mathrm{A} = \{\alpha_1, \alpha_2, \dots, \alpha_n\}$
• Bob: $Y = \{y_1, y_2, \dots, y_n\}$, $\mathrm{B} = \{\beta_1, \beta_2, \dots, \beta_n\}$
• Privacy policy (known to both Alice and Bob)
– The signer (authority) depends on the element
– Authority for element $z$: $F(z)$
• Signature verification: $V(z, \sigma)$
– Verifies $\sigma$ against the public key of $F(z)$
• Multiple signatures/authorities per element
– $F(z)$, $\alpha_i$, and $\beta_i$ can be sets
– $F(z)$ can be a Boolean expression (DNF).
PPSI Problem Definition (multiple authorities, asymmetric)
• Alice: $X = \{x_1, x_2, \dots, x_n\}$, $\mathrm{A} = \{\alpha_1, \alpha_2, \dots, \alpha_n\}$
• Bob: $Y = \{y_1, y_2, \dots, y_n\}$, $\mathrm{B} = \{\beta_1, \beta_2, \dots, \beta_n\}$
• Authorities depend on the element and the party
– Authority for element $z$ and Alice: $F(z, A)$
– Authority for element $z$ and Bob: $F(z, B)$
• Alice and Bob both know $F(\cdot, A)$ and $F(\cdot, B)$
Additional Goals
• Signatures must be bound to a party
– $S(x, A)$: Alice is allowed to have $x$ in her set.
– Non-transferable: $S(x, A)$ is useless to Bob.
• Require interaction
– Bob must not be able to later re-run the protocol with a different set (without Alice’s cooperation).
• Efficient. Complexity …
– … depends on: set size, authorities per element
– … independent of: element universe, authority universe
So, how can we achieve this?
Intersect then verify?
[Figure: Alice’s set and Bob’s set drawn as overlapping circles; elements c and d lie in both.]
• After intersecting, Bob already learns $d$.
• Verifying afterwards ensures integrity …
• … but not confidentiality ($d$ has already been revealed).
Verify then intersect?
[Figure: the two sets, with every element checked before the intersection is computed.]
• E.g., using commitments and zero-knowledge proofs.
• Problem: which authorities should the elements be verified against?
• Complexity is linear in the size of the authority universe!
Challenge
• Can’t intersect then verify.
• Can’t verify then intersect.
• So what do we do?
• Must simultaneously intersect and verify.
• But how?
Intersect signatures using PSI?
[Figure: each party’s set drawn as the signatures $\sigma_a, \dots, \sigma_i$ on its elements.]
• Both parties would need identical signatures on a shared element.
– Then signatures cannot be bound to parties: $S(z, A)$ for Alice and $S(z, B)$ for Bob differ by construction.
– Does not work for asymmetric policies.
Key technique: encode each element, then intersect encodings
[Figure: each party’s set drawn as the encodings $\theta_a, \dots, \theta_i$ of its elements.]
Main Property of Encodings
• Alice’s encoding of $z$ should match Bob’s encoding
– if and only if the policy is satisfied,
– even though the signatures are different,
– even though the authorities might be different.
• Secret keys of two authorities: $sk_1, sk_2$
• Alice has $S_{sk_1}(z, A)$; Bob has $S_{sk_2}(z, B)$
• Property: $\mathrm{AliceEncode}(S_{sk_1}(z, A)) = \mathrm{BobEncode}(S_{sk_2}(z, B))$
PPSI Protocol
• Exchange challenges: Alice sends $R_A$ to Bob, Bob sends $R_B$ to Alice.
• Each party generates the encodings of its elements.
• Run a regular private set intersection protocol over the encodings.
• Each party recovers $\cap$ from the result. Done.
Encoding Challenge
• Need: $\mathrm{AliceEncode}(S_{sk_1}(z, A)) = \mathrm{BobEncode}(S_{sk_2}(z, B))$
• The encoding is a function of both $S_{sk_1}(z, A)$ and $S_{sk_2}(z, B)$.
• Alice doesn’t know $S_{sk_2}(z, B)$.
• Bob doesn’t know $S_{sk_1}(z, A)$.
• So how can they generate the same encoding for $z$?
• Answer:
– A specially chosen signature scheme: BLS signatures
– A challenge phase
– Our special encodings
Signatures
• We use standard BLS signatures.
• In a group $\mathbb{G}$ of prime order $p$
– with a bilinear map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$
– generator $g$ of $\mathbb{G}$ (so $e(g, g)$ generates $\mathbb{G}_T$)
– a hash function $H$ mapping (element, party) pairs into $\mathbb{G}$
• Signing key of an authority: $sk \in_R \mathbb{Z}_p$
• Verification key of the authority: $vk = g^{sk}$
• Authority’s signature to Alice for element $x$: $S_{sk}(x, A) = H(x, A)^{sk}$
• Verification (standard BLS): accept $\sigma$ iff $e(\sigma, g) = e(H(x, A), vk)$.
Challenge Phase
• Alice generates random $r_a \in_R \mathbb{Z}_p$
• Bob generates random $r_b \in_R \mathbb{Z}_p$
• Alice sends $R_A = g^{r_a}$ to Bob
• Bob sends $R_B = g^{r_b}$ to Alice
• Note that:
– Only Alice knows $r_a$
– Only Bob knows $r_b$
Special Encodings
• Alice’s encoding of $S_{sk_1}(z, A)$, built to match Bob’s encoding of $S_{sk_2}(z, B)$ (Alice knows her signature and $r_a$; $R_B$ and $vk_2$ are public):
$e\big(S_{sk_1}(z, A),\, R_B\big) \cdot e\big(H(z, B),\, vk_2\big)^{r_a}$
$= e\big(H(z, A)^{sk_1},\, g^{r_b}\big) \cdot e\big(H(z, B),\, g^{sk_2}\big)^{r_a}$
$= e\big(H(z, A),\, g\big)^{sk_1 \cdot r_b} \cdot e\big(H(z, B),\, g\big)^{sk_2 \cdot r_a}$
• Bob’s encoding of $S_{sk_2}(z, B)$, built to match Alice’s encoding of $S_{sk_1}(z, A)$ (Bob knows his signature and $r_b$; $R_A$ and $vk_1$ are public):
$e\big(H(z, A),\, vk_1\big)^{r_b} \cdot e\big(S_{sk_2}(z, B),\, R_A\big)$
$= e\big(H(z, A),\, g^{sk_1}\big)^{r_b} \cdot e\big(H(z, B)^{sk_2},\, g^{r_a}\big)$
$= e\big(H(z, A),\, g\big)^{sk_1 \cdot r_b} \cdot e\big(H(z, B),\, g\big)^{sk_2 \cdot r_a}$
• The encodings match.
Encodings for More Complex Policies
• Suppose that
– $F(z, A) = \{\mathrm{auth}_1, \mathrm{auth}_2, \mathrm{auth}_3\}$
– $F(z, B) = \{\mathrm{auth}_4, \mathrm{auth}_5\}$
– Signing key for $\mathrm{auth}_i$ is $sk_i$
• Alice’s encoding for $z$ (product of her signatures over $F(z, A)$, product of verification keys over $F(z, B)$):
$e\big(S_{sk_1}(z, A) \cdot S_{sk_2}(z, A) \cdot S_{sk_3}(z, A),\, R_B\big) \cdot e\big(H(z, B),\, vk_4^{r_a} \cdot vk_5^{r_a}\big)$
• Bob’s encoding for $z$ (product of his signatures over $F(z, B)$, product of verification keys over $F(z, A)$):
$e\big(S_{sk_4}(z, B) \cdot S_{sk_5}(z, B),\, R_A\big) \cdot e\big(H(z, A),\, vk_1^{r_b} \cdot vk_2^{r_b} \cdot vk_3^{r_b}\big)$
• By bilinearity both equal $e(H(z, A), g)^{(sk_1 + sk_2 + sk_3)\, r_b} \cdot e(H(z, B), g)^{(sk_4 + sk_5)\, r_a}$, so the encodings match.
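An added worked example (not code from the slides or from the authors) that runs the challenge phase, the multi-authority encodings above, the PSI step and the known-element attack from the earlier slide end to end. Everything in it is an assumption made for the demo: a toy bilinear group in which group elements are represented by their discrete logarithms modulo a prime (completely insecure, but it satisfies exactly the bilinear identities the derivation uses), SHA-256 as the hash-to-group $H$, a fixed asymmetric policy $F(z, A) = \{\mathrm{mc}, \mathrm{visa}\}$, $F(z, B) = \{\mathrm{visa}\}$, and an ordinary set intersection standing in for the underlying PSI protocol.

```python
"""
Toy model of the PPSI encoding algebra (written for this page; not the authors' code).

INSECURE BY CONSTRUCTION: elements of G and G_T are represented by their discrete
logarithms modulo P, so "g^a" is just a, the pairing e(g^a, g^b) is a*b, and anyone
can read a secret key off a public key.  What the model does preserve is the exact
algebra the slides rely on: BLS signatures H(z, party)^sk, challenge values
R_A = g^{r_a}, R_B = g^{r_b}, and the bilinear encoding identity.
"""
import hashlib
import secrets

P = 2**127 - 1  # prime modulus for exponents (constructed for the toy; a Mersenne prime)

# --- toy bilinear group: a group element is an int in Z_P holding its discrete log ---
def g_pow(a):        # g^a
    return a % P

def mul(x, y):       # product of two group elements (in G or G_T): logs add
    return (x + y) % P

def exp(x, a):       # x^a: log multiplies
    return (x * a) % P

def pair(x, y):      # e(x, y) = e(g, g)^(log x * log y)
    return (x * y) % P

def H(*labels):      # hash-to-G of a tuple such as (z, party) or (z, attr, party)
    data = b"\x00".join(str(l).encode() for l in labels)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

# --- BLS signatures, as on the "Signatures" slide ---
def keygen():
    sk = secrets.randbelow(P - 1) + 1
    return sk, g_pow(sk)                       # (sk, vk = g^sk)

def sign(sk, z, party):                        # S_sk(z, party) = H(z, party)^sk
    return exp(H(z, party), sk)

def verify(vk, sig, z, party):                 # e(sig, g) == e(H(z, party), vk)
    return pair(sig, g_pow(1)) == pair(H(z, party), vk)

# Asymmetric, multi-authority policy F(z, party), assumed for the demo and independent
# of z: Alice needs signatures from both "mc" and "visa", Bob from "visa" only.
POLICY = {"A": ("mc", "visa"), "B": ("visa",)}

def encode(me, z, sigs, r_me, R_other, vks):
    """Party `me`'s encoding of z, as on 'Encodings for More Complex Policies':
    e(product of own signatures, R_other) * e(H(z, other), product of other's vks)^r_me."""
    other = "B" if me == "A" else "A"
    own_sigs = 0                               # identity of G (log 0)
    for auth in POLICY[me]:
        own_sigs = mul(own_sigs, sigs[auth])
    other_vks = 0
    for auth in POLICY[other]:
        other_vks = mul(other_vks, vks[auth])
    return mul(pair(own_sigs, R_other), exp(pair(H(z, other), other_vks), r_me))

def ppsi(alice, bob, vks):
    """alice, bob: dict element -> {authority: signature}.  Returns the intersection as
    each side recovers it.  A plain set intersection stands in for the underlying PSI."""
    r_a, r_b = secrets.randbelow(P - 1) + 1, secrets.randbelow(P - 1) + 1
    R_A, R_B = g_pow(r_a), g_pow(r_b)          # challenge phase
    enc_a = {encode("A", z, s, r_a, R_B, vks): z for z, s in alice.items()}
    enc_b = {encode("B", z, s, r_b, R_A, vks): z for z, s in bob.items()}
    common = enc_a.keys() & enc_b.keys()       # "regular PSI over encodings"
    return {enc_a[c] for c in common}, {enc_b[c] for c in common}

def demo():
    keys = {name: keygen() for name in ("mc", "visa")}
    sks = {n: k[0] for n, k in keys.items()}
    vks = {n: k[1] for n, k in keys.items()}

    def certified(elements, party):            # an authority issues party-bound signatures
        return {z: {a: sign(sks[a], z, party) for a in POLICY[party]} for z in elements}

    alice = certified("abcde", "A")            # sets from the slides' figures (constructed)
    bob = certified("cdfghi", "B")
    honest = ppsi(alice, bob, vks)

    # Known-element attack: Bob inserts 'e' (which Alice holds) with a bogus signature.
    bob_fake = dict(bob)
    bob_fake["e"] = {"visa": secrets.randbelow(P)}
    attack = ppsi(alice, bob_fake, vks)

    # Non-transferability: Bob obtains Alice's own signature on 'a' and replays it.
    bob_stolen = dict(bob)
    bob_stolen["a"] = {"visa": alice["a"]["visa"]}
    stolen = ppsi(alice, bob_stolen, vks)
    return honest, attack, stolen

if __name__ == "__main__":
    # All three runs recover only {c, d}; neither 'e' nor 'a' is revealed to Bob.
    print(demo())
```

The toy group makes the algebra visible: an encoding is the integer $H(z,A)\,(\sum_{F(z,A)} sk_i)\,r_b + H(z,B)\,(\sum_{F(z,B)} sk_j)\,r_a \bmod P$, and the two sides only agree when each holds genuine signatures on its own party-bound hash. A bogus signature or a replayed $S(a, A)$ produces an unrelated value, so the element drops out of the PSI step exactly as the slide claims. A real deployment would replace the four group helpers with a pairing-friendly curve and the set intersection with an actual PSI protocol.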
Summary
• Exchange challenges $R_A$, $R_B$ → generate encodings → regular private set intersection protocol over the encodings → each party recovers $\cap$ from the result.
Extensions
• Attributes
– $S_{sk}(x_i, \mathrm{attr}, A) = H(x_i, \mathrm{attr}, A)^{sk}$
• Bundles
– Merge the encodings of all elements in the bundle.
• Disjunctions and DNFs
– One encoding per conjunctive clause of the DNF.
Security
• Assumptions:
– CBDH, random oracle, underlying PSI security
• Proof technique:
– Define ideal world: A third party is doing the
intersection and verifying the signatures.
– Computationally indistinguishable from ideal world.
• Secure against malicious adversaries.
Performance
• $n$ elements
• $m$ authorities per element
• Computation: $O(nm + \mathrm{PSI}_{\text{computation}}(n))$
– e.g., $O(nm + n \log \log n)$
• Bandwidth: $O(n + \mathrm{PSI}_{\text{bandwidth}}(n))$
– e.g., $O(n)$
• Rounds: $0 + \mathrm{PSI}_{\text{rounds}}(n)$
– e.g., $O(1)$
Time to encode an element with $m$ signatures/authorities (in ms)
m   Average   Standard deviation
1   1.70      0.06
2   3.10      0.17
3   4.45      0.22
4   5.65      0.04
5   7.07      0.27
Example
Finding the customers who both bought a computer from Dell and a monitor from Newegg.
Dell’s Sales Table (ID, Customer, Product, Card)
D1  Jennifer Robinson  Computer
D2  David Thompson     Computer
D3  Ronald Miller      Computer
D4  Karen Carter       Computer
D5  Maria Hall         Computer
D6  Donald Green       Printer
Newegg’s Sales Table (ID, Customer, Product, Card)
N1  David Thompson  Monitor
N2  James Young     Monitor
N3  Maria Hall      Monitor
N4  Linda Clark     Monitor
N5  Donald Green    Monitor
(The Card column, the card network that signed each row, is shown as logos in the original.)
• Elements: customers
• Attributes: product
• Authorities: MasterCard, Visa
• Policy: bought a computer from Dell and a monitor from Newegg
• Result: {“David Thompson”, “Maria Hall”}
– Donald Green appears in both tables but bought a printer, not a computer, from Dell, so the product attribute excludes him.
[Figure: Venn diagram of the two customer sets with the two matching customers in the overlap.]
Related Work
• Private Set Intersection (PSI)
– FNP04, FIP05, KS05, HL08, JL09, DMR09, HN10,
CKT10, JL10, …
• Authorized Private Set Intersection (APSI)
– CKT09, CZ09, CT10, …
Summary
• Technique to authenticate elements
• Rich privacy policies
– Symmetric & asymmetric
– Authority can depend on the element
– Multiple authorities (per element)
– Attributes
– Bundles
– Boolean expression (DNF) policy
• Can be used to extend any private set intersection protocol.