1

Efficient Private Matching and Set Intersection (EUROCRYPT, 2004)

Author ： Michael J.Freedman Kobbi Nissim

Benny Pinkas

Presentered by Chia Jui Hsu Date ： 2009-02-10

2

Outline

IntroductionPrivate Matching SchemeAdversary modelsSecurityConclusionReferences

3

Introduction (1/3)

DataSets

A B

Intersection

4

Introduction (2/3)

Oblivious Transfer( 忘卻式傳輸 / 模糊傳送 )

Sender Receiver

模糊傳送

OR

1. 傳送者不知道接收者是否得到密文2. 接收者只能得到他選擇的密文

M. Rabin, "How to Exchange Secrets by Oblivious Transfer", Technical Report TR-81,Aiken Computation Laboratory, Harvard Univ.,1981.

1 out of 2 OT

5

Introduction (3/3)

Homomorphic encryption systemE(m1)⊙E(m2)= E(m1 m2)c=E(m), ck=E(km)

Θ

6

Private Matching Scheme (1/4)

PM Schemeclient/chooser (C) and server/sender (S)C inputs X = {x1,…,xkc} and S inputs Y = {y1,

…,yks} C learns X∩Y ： PM(X,Y)

Polynomial

讓 S 算的變數C

input of size

7

Private Matching Scheme (2/4)

Horner scheme

example

若 y=3 ，則 P(y)=5

kckc yayayaayP ...)( 2

210

)...)))(...((()( 13210 kckc yaayayayayayP

1262)( 23 yyyyP

8

Private Matching Scheme (3/4)

法二

法三

1)2)62(()(

1262)( 23

yyyyP

yyyyP

y=3,P(y)=5

9

Private Matching Scheme (4/4)

uu

kcu yayP 0)(

)}(),...,({ 0 kcaEncaEnc

Client ServerX={x1,…xkc} Y={y1,…yks}

1. 內插法算出多項式

2. 對多項式的係數做同態加密

3. 上傳至 Server

4. 選擇一個亂數值 γ

))((

)())((

yyrPEnc

yEncyPEncr

5.

6. 重新排列後回傳 KS 個7. 解密，若一樣，則解出 y 不一樣，則解出亂數

10

Adversary models

Semi-honest1.pretecting the client

indistinguishability2.protecting the sender

comparison to the ideal model

Maliciousadversary may behave arbitrarily

1. 拒絕參與協定 (PM)2. 用任意值代替輸入3. 過早中止協定 (PM)

11

Security

Correctness

C’s privacy is preserved

S’s privacy is preserved

12

Conclusion

use homomorphic encryption and balanced hashing for both semi-honest (standard model) and malicious (random oracle model) environments.

list length k, communication O(k), and computation is OO((kklnlnlnlnkk))..

13

References

Efficient Private Matching and Set Intersection, 2004

http://en.wikipedia.org/wiki/Horner_scheme