Are you the one to share? Secret Transfer with Access Structure

Transcription

1 Are you the one to share? Secret Transfer with Access Structure Yongjun Zhao, Sherman S.M. Chow Department of Information Engineering The Chinese University of Hong Kong, Hong Kong

2 Private Set Intersection (PSI) Compute the intersection A B without revealing elements A B??

3 Applications of PSI: Common Interests

4 Applications of PSI: Common Customers

5 Classical Definition for PSI F PSI : X, Y X Y, Well established notion in crypto and security communities client server Input: X = {x 1,, x n } Y = {y 1,, y m } Output: X Y Other variants: fair PSI (both parties obtain X Y), multi-party PSI (>2 participants), etc.

6 Classical Definition for PSI (limitation) F PSI : X, Y (, ) client server Input: X = {x 1,, x n } Y = {y 1,, y m } Output: X Y One party ALAWYS learns the outcome

7 They do not really match that well

8 Classical Definition (limitation) Traditional PSI always reveals the intersection Intersection set itself could be: Sensitive: threat information Commercial asset: customer list Personal info: friend list, hobbies, preferences Intersection should only be revealed when necessary (i.e., the interaction satisfying some policy P( )) e.g., the size exceeds some threshold number

9 More Privacy-Friendly PSI Our new notion: PSI with (monotone) access structure Reveal A B only if P A B = 1 Special cases: (over) threshold PSI P A B = 1 if A B t 0 if A B < t Applications: Private match-making Auditing leakage in information sharing Intersection of threat information / suspect lists / customer list

10 Concrete Construction We construct PSI with access structure in a modular way Roadmap: OTSA STAS PSI w/ AS Oblivious Transfer for a Sparse Array Secret Transfer with Access Structure PSI with Access Structure

11 Oblivious Transfer for a Sparse Array Roadmap: OTSA STAS PSI w/ AS Oblivious Transfer for a Sparse Array Secret Transfer with Access Structure PSI with Access Structure

12 Oblivious Transfer for a Sparse Array (OTSA) F OTSA : x, y (D, ) Input: Output: x = {x 1,, x n } y = {(y 1, d 1 ),, (y m, d m )} D = {d i y i {x 1, x 2,, x n }} Generalizing standard n-out-of-m OT: x 1,, x n {y 1,, y m } x 1,, x n {y 1,, y m } is hidden from receiver

13 Oblivious Polynomial Evaluation (OPE) Encode the set {x 1,, x n } as polynomial: p = x x 1 x x 2 x x n = a 0 + a 1 x + + a n x n Observation: y i X p y i = 0 Given encrypted coefficients a 0, a 1,, a n of a polynomial p We can evaluate its value at x via homomorphic encryption: Enc pk p x = Enc pk a 0 + a 1 x + + a n x n = Enc pk a 0 Enc pk a 1 x (Enc pk (a n ) x n )

14 OTSA from Oblivious Polynomial Evaluation pk, Enc pk a 0,, Enc pk (a n ) {z 1,, z m } (permuted) z i = Enc pk (r i p y i + d i ) (pk, sk) {x 1,, x n } if y i {x 1,, x n } if y i {x 1,, x n } {y 1,, y m } {d 1,, d m } z i will be decrypted to d i z i will be decrypted to random

15 Construction of OTSA pk, Enc pk a 0,, Enc pk (a n ) z i = Enc pk (r i p y i + d i ) z 1,, z m Honest-but-curious model extended to malicious model using zero-knowledge proofs (details in the paper) Computational complexity: O(mn) (worse than O(n log n) via generic approach) O(n) construction (honest-but-curious) in the paper based on garbled Bloom filter [Dong-Chen@CCS 13]

16 PSI with Access Structure Roadmap: OTSA STAS PSI w/ AS Oblivious Transfer for a Sparse Array Secret Transfer with Access Structure PSI with Access Structure

17 Secret Sharing Split a secret s into shares s can be reconstructed only if qualified subset of shares are combined SecretShare(s) {s 1, s 2,, s n } Reconstruct(s i1, s i2,, s ik ) s or Example: access structure: s 1 AND {s 2 OR s 3 } AND s 4 AND s 5 qualified subsets: {s 1, s 2, s 4, s 5 } {s 1, s 3, s 4, s 5 } {s 1, s 2, s 3, s 4, s 5 }

18 Secret Transfer with Access Structure F STAS : Input: X = {x 1,, x n } s, Y = y 1,, y m Output: X Y and s iff P X Y = 1

19 OTSA + Secret Sharing = STAS (pk, sk) X = {x 1,, x n } pk, Enc pk a 0,, Enc pk (a n ) z 1,, z m SecretShare(s) {s 1, s 2,, s m } z i = Enc pk (r i p X y i + s i ) Y = {y 1,, y m } s if y i X if y i X z i will be decrypted to s i z i will be decrypted to random

20 OTSA + Secret Sharing = STAS (pk, sk) X = {x 1,, x n } pk, Enc pk a 0,, Enc pk (a n ) z 1,, z m SecretShare(s) {s 1, s 2,, s m } z i = Enc pk (r i p X y i + s i ) Y = {y 1,, y m } s If X Y satisfies the access structure The receiver can reconstruct the secret s!

21 PSI with Access Structure Roadmap: PSI w/ DT STAS PSI w/ AS Oblivious Transfer for a Sparse Array Secret Transfer with Access Structure PSI with Access Structure

22 PSI with Access Structure from STAS STAS protocol X = {x 1,, x n } Y = {y 1,, y m } and s The receiver can reconstruct the secret s if and only if X Y satisfies the access structure

23 STAS + PSI = PSI with Access Structure Normal PSI X = {x 1 s,, x n s} Y = {y 1 s,, y m s} If X Y satisfies the access structure The receiver can learn X Y, which is essentially X Y

24 PSI with Access Structure Normal PSI X = {x 1 s,, x n s } Y = {y 1 s,, y m s} If X Y does not satisfies the access structure The receiver can learn X Y, which is an empty set

25 Concluding Remarks We introduce the notions of Oblivious Transfer with Spare Array (OTSA) Secret Transfer with Access Structure (STAS) PSI with Access Structure We then construct Two OTSA schemes (from OPE / garbled Bloom filter) OTSA + Secret Sharing = STAS STAS + PSI = PSI with Access Structure Future work 1: can we hide X Y in STAS? Future work 2: can we support non-monotone access structure? {zy113, sherman}@ie.cuhk.edu.hk Under submission