Abstract
Many recent private set intersection (PSI) protocols encode input sets as polynomials. We consider the more general notion of an oblivious key-value store (OKVS), which is a data structure that compactly represents a desired mapping \(k_i \mapsto v_i\). When the \(v_i\) values are random, the OKVS data structure hides the \(k_i\) values that were used to generate it. The simplest (and size-optimal) OKVS is a polynomial p that is chosen using interpolation such that \(p(k_i)=v_i\).
We initiate the formal study of oblivious key-value stores, and show new constructions resulting in the fastest OKVS to date.
Similarly to cuckoo hashing, current analysis techniques are insufficient for finding concrete parameters to guarantee a small failure probability for our OKVS constructions. Moreover, it would cost too much to run experiments to validate a small upperbound on the failure probability. We therefore show novel techniques to amplify an OKVS construction which has a failure probability p, to an OKVS with a similar overhead and failure probability \(p^c\). Setting p to be moderately small enables to validate it by running a relatively small number of O(1/p) experiments. This validates a \(p^c\) failure probability for the amplified OKVS.
Finally, we describe how OKVS can significantly improve the state of the art of essentially all variants of PSI. This leads to the fastest two-party PSI protocols to date, for both the semi-honest and the malicious settings. Specifically, in networks with moderate bandwidth (e.g., 30–300 Mbps) our malicious two-party PSI protocol has 40% less communication and is 20–40% faster than the previous state of the art protocol, even though the latter only has heuristic confidence.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
We note that there are also PSI constructions which use arithmetic manipulations of polynomials. These constructions encode input values as roots of polynomials [12, 13, 22] or into separate monomials of a polynomial [14], and manipulate the polynomials in order to compute set operations. Our focus is on encodings, which is the more efficient versions of PSI, and do not require arithmetic manipulation of polynomials in order to compute the intersection.
- 2.
The slow network (33 Mib/s); medium network (260 Mib/s); fast network (4.6 Gib/s).
- 3.
We abuse notation herein and use H to denote a random oracle rather than the underlying OKVS parameter, which remains implicit.
- 4.
For uniformly random d-regular hypergraphs (we use \(d=3\)), increasing d improves the threshold of memory utilization that enables mapping values to hyperedges. Namely, increasing d enables to use a graph of fewer nodes in order to successfully orient the same number of hyperedges towards different nodes. Successfully orienting the nodes implies that it is possible to assign values to nodes to enable the recovery all values associated with hyperedges. However, this does not imply that mapping values to nodes can be efficiently found in linear time, such as by running by a peeling process. Unfortunately, increasing the degree d also makes it harder to succeed in peeling, and requires a substantially higher ratio between the number of nodes and the number of hyperedges in order for peeling to succeed (see first row of Table 1 in [43].) Our construction is based on peeling, and therefore our usage of hyperedges of size \(d=3\) is optimal.
- 5.
The hyperedge is sampled uniformly at random from all subsets of 3 different nodes in the graph. We simplify the notation by referring to hash functions \(h_1,h_2,h_3\), but these functions are invoked together under the constraint that the outputs of the three hash functions are distinct from each other.
- 6.
An alternative approach is to use a graph without an R component, and try to solve the system of equations for the \(l(k_i)\) nodes of the 2-core alone. However, experiments that we ran show that in many cases where the 2-core is small but not empty, the 2-core includes only two hyperedges. This means that these two hyperedges are mapped to exactly the same set of 3 nodes, and therefore the two associated linear equations are identical and cannot be solved.
We additionally note that PSI applications require using a Binary linear combination of the OKVS values. Other applications might allow using linear combinations with larger coefficients. In these cases there will likely be no need for adding the R nodes to the graph.
- 7.
For cuckoo hashing, the relation between the number of items n, number of hash functions k, number of bins \(m=(1\,+\,\beta )n\) for \(\beta \in (0,1)\), stash size s, and the insertion failure probability \(\varepsilon \), is proven in [21]: for any \(k\ge 2(1+\beta )\ln {\frac{1}{\beta }}\) and \(s>0\), mapping n items to \((1+\beta )n\) bins fails with probability \(O(n^{1-c(s+1)})\) for a constant c and \(n\rightarrow \infty \). However, the constants in the big “O” notation are unclear and therefore we do not know which concrete parameters are needed in order to instantiate such constructions.
- 8.
We stress that the failure events in Cuckoo hashing and in OKVS are slightly different. Specifically, an OKVS fails if the size of the 2-core is too large whereas CH can handle a large 2-core, as long as there are not too many intersecting cycles.
- 9.
We assume that if \(\Pr [\mathsf{Encode} _H(\{(k_i,v_i)\}) = \bot ] =\varepsilon \) for encoding \(n'\) items then the same probability \(\varepsilon \) applies also to \(n''>n'\).
- 10.
[32] describe another protocol, spot-fast, which also uses polynomials. Instead of using one polynomial of large degree n, spot-fast uses many polynomials of very small degree (and by this incurs a larger communication overhead). Due to the low degree, replacing these polynomials with an OKVS would have minimal effect.
- 11.
Besides encoding these “corrections” as a polynomial, [24] actually propose two other methods. One method is a garbled Bloom filter [11], which is indeed an OKVS (with expansion \(\lambda \)). Another method that they refer to as the “table” construction is not a true OKVS, as it only is oblivious when the mapping \(k_i \mapsto v_i\) is such that all of the \(k_i\) (not just the \(v_i\)) are uniformly distributed except possibly one \(k_i\) which can be known to the distinguisher. As such, this “table” construction is suitable only when the receiver learns one output from the underling OPRF/OPPRF.
References
Ben-Efraim, A., Nissenbaum, O., Omri, E., Paskin-Cherniavsky, A.: PSImple: practical multiparty maliciously-secure private set intersection. ePrint, 2021/122 (2021)
Botelho, F.C., Pagh, R., Ziviani, N.: Practical perfect hashing in nearly optimal space. Inf. Syst. 38(1), 108–131 (2013)
Boyle, E., Couteau, G., Gilboa, N., Ishai, Y.: Compressing vector OLE. In: ACM Conference on Computer and Communications Security, pp. 896–912. ACM (2018)
E. Boyle, G. Couteau, N. Gilboa, Y. Ishai, L. Kohl, and P. Scholl. Efficient pseudorandom correlation generators: Silent OT extension and more. In CRYPTO (3), volume 11694 of LNCS, pages 489–518. Springer, 2019
Chandran, N., Dasgupta, N., Gupta, D., Obbattu, S.L.B., Sekar, S., Shah, A.: Efficient linear multiparty PSI and extensions to circuit/quorum psi. ePrint 2021/172 (2021)
Chandran, N., Gupta, D., Shah, A.: Circuit-PSI with linear complexity via relaxed batch OPPRF. Cryptology ePrint Archive, Report 2021/034 (2021)
Chase, M., Miao, P.: Private set intersection in the internet setting from lightweight oblivious PRF. CRYPTO 2020. Part III, volume 12172 of LNCS, pp. 34–63. Springer, Heidelberg (2020)
Chen, H., Laine, K., Rindal, P.: Fast private set intersection from homomorphic encryption. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 1243–1255. ACM Press, October/November 2017
Cho, C., Dachman-Soled, D., Jarecki, S.: Efficient concurrent covert computation of string equality and set intersection. In: Sako, K. (ed.) CT-RSA 2016, volume 9610 of LNCS, pp. 164–179. Springer, Heidelberg, Feb. / (2016)
C. J. Clopper and E. S. Pearson. The use of confidence or fiducial limits illustrated in the case of the binomial. Biometrika, 26(4), pp. 404–413, 1934
Dong, C., Chen, L., Wen, Z.: When private set intersection meets big data: an efficient and scalable protocol. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 789–800. ACM Press, November 2013
Freedman, M.J., Nissim, K., Pinkas, B.: Efficient private matching and set intersection. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 1–19. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_1
Ghosh, S., Nilges, T.: An algebraic approach to maliciously secure private set intersection. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. Part III, volume 11478 of LNCS, pp. 154–185. Springer, Heidelberg (2019)
S. Ghosh and M. Simkin. The communication complexity of threshold private set intersection. In CRYPTO (2), volume 11693 of LNCS, pages 3–29, 2019
Graf, T.M., Lemire, D.: XOR filters: faster and smaller than bloom and cuckoo filters. CoRR, abs/1912.08258 (2019)
Hazay, C., Lindell, Y.: A note on the relation between the definitions of security for semi-honest and malicious adversaries. Cryptology ePrint Archive, Report 2010/551 (2010). http://eprint.iacr.org/2010/551
C. Hazay and M. Venkitasubramaniam. Scalable multi-party private set-intersection. In PKC 2017, Part I, volume 10174 of LNCS, pages 175–203, 2017
R. Inbar, E. Omri, and B. Pinkas. Efficient scalable multiparty private set-intersection via garbled bloom filters. In SCN, pages 235–252, 2018
Ishai, Y., Kilian, J., Nissim, K., Petrank, E.: Extending oblivious transfers efficiently. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 145–161. Springer, Heidelberg (2003)
Kilian, J.: More general completeness theorems for secure two-party computation. In: 32nd ACM STOC, pp. 316–324. ACM Press, May 2000
Kirsch, A., Mitzenmacher, M., Wieder, U.: More robust hashing: Cuckoo hashing with a stash. SIAM J. Comput. 39(4), 1543–1561 (2009)
Kissner, L., Song, D.X.: Privacy-preserving set operations. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 241–257. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_15
Kolesnikov, V., Kumaresan, R., Rosulek, M., Trieu, N.: Efficient batched oblivious PRF with applications to private set intersection. In: ACM CCS 2016, pp. 818–829 (2016)
Kolesnikov, V., Matania, N., Pinkas, B., Rosulek, M., Trieu, N.: Practical multi-party private set intersection from symmetric-key techniques. In: ACM CCS 2017, pp. 1257–1272. ACM Press, October/November 2017
V. Kolesnikov, M. Rosulek, N. Trieu, and X. Wang. Scalable private set union from symmetric-key techniques. In ASIACRYPT 2019, Part II, volume 11922 of LNCS, pages 636–666. Springer, Heidelberg, 2019
M. Manulis, B. Pinkas, and B. Poettering. Privacy-preserving group discovery with linear complexity. In ACNS 10, volume 6123 of LNCS, pages 420–437, 2010
Mitzenmacher, M., Upfal, E.: Probability and Computing: Randomized Algorithms and Probabilistic Analysis. Cambridge University Press, Cambridge (2005)
Moenck, R., Borodin, A.: Fast modular transforms via division. In: Switching and Automata Theory, pp. 90–96 (1972)
Molloy, M.: The pure literal rule threshold and cores in random hypergraphs. In: SODA, pp. 672–681. SIAM (2004)
Naor, M., Pinkas, B.: Oblivious transfer and polynomial evaluation. In: 31st ACM STOC, pp. 245–254. ACM Press, May 1999
Orrù, M., Orsini, E., Scholl, P.: Actively secure 1-out-of-N OT extension with application to private set intersection. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 381–396. Springer, Heidelberg (2017)
Pinkas, B., Rosulek, M., Trieu, N., Yanai, A.: SpOT-light: Lightweight private set intersection from sparse OT extension. CRYPTO 2019. Part III, volume 11694 of LNCS, pp. 401–431. Springer, Heidelberg (2019)
Pinkas, B., Rosulek, M., Trieu, N., Yanai, A.: PSI from PaXoS: Fast, malicious private set intersection. EUROCRYPT 2020. Part II, volume 12106 of LNCS, pp. 739–767. Springer, Heidelberg (2020)
Pinkas, B., Schneider, T., Tkachenko, O., Yanai, A.: Efficient circuit-based PSI with linear communication. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. Part III, volume 11478 of LNCS, pp. 122–153. Springer, Heidelberg (2019)
Pinkas, B., Schneider, T., Zohner, M.: Faster private set intersection based on OT extension. In: Fu, K., Jung, J. (eds.) USENIX Security 2014, pp. 797–812. USENIX Association, August 2014
Pinkas, B., Schneider, T., Zohner, M.: Scalable private set intersection based on OT extension. ACM Trans. Priv. Secur. 21(2), 7:1–7:35 (2018)
M. Raab and A. Steger. "balls into bins" - a simple and tight analysis. In Workshop on Randomization and Approximation Techniques in Computer Science, RANDOM ’98, page 159–170. Springer-Verlag, 1998
Rindal, P.: Cryptotools. https://github.com/ladnir/cryptoTools
P. Rindal and M. Rosulek. Improved private set intersection against malicious adversaries. In EUROCRYPT 2017, Part I, volume 10210, pages 235–259, 2017
Rindal, P., Rosulek, M.: Malicious-secure private set intersection via dual execution. In: ACM CCS 2017, pp. 1229–1242. ACM Press, October/November 2017
Rindal, P., Schoppmann, P.: VOLE-PSI: fast OPRF and circuit-psi from vector-ole. IACR Cryptol. ePrint Arch. 2021, 266 (2021)
Schoppmann, P., Gascón, A., Reichert, L., Raykova, M.: Distributed vector-OLE: improved constructions and implementation. In: ACM Conference on Computer and Communications Security, pp. 1055–1072. ACM (2019)
Walzer, S.: Peeling close to the orientability threshold - spatial coupling in hashing-based data structures. In: Marx, D. (ed.) SODA, pp. 2194–2211. SIAM (2021)
Zhang, E., Liu, F.-H., Lai, Q., Jin, G., Li, Y.: Efficient multi-party private set intersection against malicious adversaries. In: ACM SIGSAC Conference on Cloud Computing Security Workshop, CCSW 2019, pp. 93–104 (2019)
Acknowledgements
We would like to thank Dan Boneh and Laliv Tauber, as well as the anonymous referees, for their valuable comments on earlier drafts of this paper. The first and third authors are partially supported by a Facebook research award. The second author is supported by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office, and by a grant from the Alter family. The fourth author is partially supported by NSF awards #2031799, #2115075.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 International Association for Cryptologic Research
About this paper
Cite this paper
Garimella, G., Pinkas, B., Rosulek, M., Trieu, N., Yanai, A. (2021). Oblivious Key-Value Stores and Amplification for Private Set Intersection. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science(), vol 12826. Springer, Cham. https://doi.org/10.1007/978-3-030-84245-1_14
Download citation
DOI: https://doi.org/10.1007/978-3-030-84245-1_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-84244-4
Online ISBN: 978-3-030-84245-1
eBook Packages: Computer ScienceComputer Science (R0)