
Oblivious Key-Value Stores and Amplification for Private Set Intersection

Conference paper. Advances in Cryptology – CRYPTO 2021 (CRYPTO 2021). Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12826).

Abstract

Many recent private set intersection (PSI) protocols encode input sets as polynomials. We consider the more general notion of an oblivious key-value store (OKVS), which is a data structure that compactly represents a desired mapping \(k_i \mapsto v_i\). When the \(v_i\) values are random, the OKVS data structure hides the \(k_i\) values that were used to generate it. The simplest (and size-optimal) OKVS is a polynomial p that is chosen using interpolation such that \(p(k_i)=v_i\).

We initiate the formal study of oblivious key-value stores, and show new constructions resulting in the fastest OKVS to date.

Similarly to cuckoo hashing, current analysis techniques are insufficient for finding concrete parameters that guarantee a small failure probability for our OKVS constructions. Moreover, it would cost too much to run experiments to validate a small upper bound on the failure probability. We therefore show novel techniques to amplify an OKVS construction that has a failure probability p into an OKVS with a similar overhead and failure probability \(p^c\). Setting p to be moderately small makes it possible to validate it by running a relatively small number, O(1/p), of experiments. This in turn validates a \(p^c\) failure probability for the amplified OKVS.

Finally, we describe how OKVS can significantly improve the state of the art of essentially all variants of PSI. This leads to the fastest two-party PSI protocols to date, for both the semi-honest and the malicious settings. Specifically, in networks with moderate bandwidth (e.g., 30–300 Mbps) our malicious two-party PSI protocol has 40% less communication and is 20–40% faster than the previous state of the art protocol, even though the latter only has heuristic confidence.


Notes

  1. We note that there are also PSI constructions which use arithmetic manipulations of polynomials. These constructions encode input values as roots of polynomials [12, 13, 22] or into separate monomials of a polynomial [14], and manipulate the polynomials in order to compute set operations. Our focus is on encodings, which underlie the more efficient versions of PSI and do not require arithmetic manipulation of polynomials in order to compute the intersection.

  2. The slow network (33 Mib/s); medium network (260 Mib/s); fast network (4.6 Gib/s).

  3. We abuse notation herein and use H to denote a random oracle rather than the underlying OKVS parameter, which remains implicit.

  4. For uniformly random d-regular hypergraphs (we use \(d=3\)), increasing d improves the threshold of memory utilization that enables mapping values to hyperedges. Namely, increasing d makes it possible to use a graph with fewer nodes in order to successfully orient the same number of hyperedges towards different nodes. A successful orientation implies that it is possible to assign values to nodes so that all values associated with hyperedges can be recovered. However, this does not imply that such a mapping of values to nodes can be found efficiently, in linear time, for instance by running a peeling process. Unfortunately, increasing the degree d also makes it harder to succeed in peeling, and requires a substantially higher ratio between the number of nodes and the number of hyperedges in order for peeling to succeed (see the first row of Table 1 in [43]). Our construction is based on peeling, and therefore our usage of hyperedges of size \(d=3\) is optimal.

  5. The hyperedge is sampled uniformly at random from all subsets of 3 different nodes in the graph. We simplify the notation by referring to hash functions \(h_1,h_2,h_3\), but these functions are invoked together under the constraint that the outputs of the three hash functions are distinct from each other.

  6. An alternative approach is to use a graph without an R component, and try to solve the system of equations for the \(l(k_i)\) nodes of the 2-core alone. However, experiments that we ran show that in many cases where the 2-core is small but not empty, the 2-core includes only two hyperedges. This means that these two hyperedges are mapped to exactly the same set of 3 nodes, and therefore the two associated linear equations are identical and cannot be solved.

     We additionally note that PSI applications require using a binary linear combination of the OKVS values. Other applications might allow using linear combinations with larger coefficients. In these cases there will likely be no need for adding the R nodes to the graph.

  7. For cuckoo hashing, the relation between the number of items n, number of hash functions k, number of bins \(m=(1\,+\,\beta )n\) for \(\beta \in (0,1)\), stash size s, and the insertion failure probability \(\varepsilon \), is proven in [21]: for any \(k\ge 2(1+\beta )\ln {\frac{1}{\beta }}\) and \(s>0\), mapping n items to \((1+\beta )n\) bins fails with probability \(O(n^{1-c(s+1)})\) for a constant c and \(n\rightarrow \infty \). However, the constants in the big “O” notation are unclear and therefore we do not know which concrete parameters are needed in order to instantiate such constructions.

  8. We stress that the failure events in cuckoo hashing and in OKVS are slightly different. Specifically, an OKVS fails if the size of the 2-core is too large, whereas CH can handle a large 2-core as long as there are not too many intersecting cycles.

  9. We assume that if \(\Pr [\mathsf{Encode} _H(\{(k_i,v_i)\}) = \bot ] =\varepsilon \) for encoding \(n'\) items then the same probability \(\varepsilon \) applies also to \(n''>n'\).

  10. [32] describe another protocol, spot-fast, which also uses polynomials. Instead of using one polynomial of large degree n, spot-fast uses many polynomials of very small degree (and thereby incurs a larger communication overhead). Due to the low degree, replacing these polynomials with an OKVS would have minimal effect.

  11. Besides encoding these “corrections” as a polynomial, [24] actually propose two other methods. One method is a garbled Bloom filter [11], which is indeed an OKVS (with expansion \(\lambda \)). Another method that they refer to as the “table” construction is not a true OKVS, as it is oblivious only when the mapping \(k_i \mapsto v_i\) is such that all of the \(k_i\) (not just the \(v_i\)) are uniformly distributed, except possibly one \(k_i\) which can be known to the distinguisher. As such, this “table” construction is suitable only when the receiver learns one output from the underlying OPRF/OPPRF.
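As an added worked example (not code from the paper or its authors), the following Python sketch implements the peeling-based OKVS described in the abstract and in footnotes 4 to 6: each key selects a random hyperedge of d=3 distinct nodes (footnote 5), Encode peels the hypergraph and outputs ⊥ when a 2-core remains (the failure event of footnote 8; two keys that land on the same three nodes, as in footnote 6, trigger it deterministically), and estimate_failure_rate runs the O(1/p) experiments the abstract proposes for validating a failure probability. The SHA-256 based hashing, the 64-bit values and the node-to-item ratios are this example's own assumptions, and it omits the R-node component the paper adds to handle a small non-empty 2-core.

```python
import functools, hashlib, random, secrets

D = 3  # hyperedge size; the paper argues d=3 is optimal for its peeling-based construction

def hyperedge(seed, key, m):
    """Map a key to D distinct node indices in [0, m): the h1,h2,h3 of footnote 5."""
    nodes, ctr = [], 0
    while len(nodes) < D:
        idx = int.from_bytes(hashlib.sha256(seed + key + ctr.to_bytes(4, "big")).digest()[:8], "big") % m
        if idx not in nodes:  # rejection sampling keeps the three outputs distinct
            nodes.append(idx)
        ctr += 1
    return nodes

def encode(pairs, m, seed):
    """Peeling-based Encode: returns the table, or None (the paper's ⊥) if the 2-core is non-empty."""
    edges = [hyperedge(seed, k, m) for k, _ in pairs]
    incident = [set() for _ in range(m)]  # incident[node] = indices of hyperedges touching it
    for i, e in enumerate(edges):
        for node in e:
            incident[node].add(i)
    order = []  # (edge index, pivot node) in peeling order
    stack = [v for v in range(m) if len(incident[v]) == 1]
    while stack:
        v = stack.pop()
        if len(incident[v]) != 1:  # degree changed after v was queued
            continue
        i = incident[v].pop()
        order.append((i, v))
        for u in edges[i]:
            if u != v:
                incident[u].discard(i)
                if len(incident[u]) == 1:
                    stack.append(u)
    if len(order) != len(edges):
        return None  # edges remain in the 2-core: Encode fails for this seed
    table = [secrets.randbits(64) for _ in range(m)]  # unconstrained nodes stay uniformly random
    for i, v in reversed(order):  # a pivot is never touched by an edge assigned after it
        table[v] = functools.reduce(lambda a, u: a ^ table[u], (u for u in edges[i] if u != v), pairs[i][1])
    return table

def decode(table, key, seed):
    """Decode(key) = XOR of the three entries the key selects; equals v_i for every stored k_i."""
    return functools.reduce(lambda a, u: a ^ table[u], hyperedge(seed, key, len(table)), 0)

def estimate_failure_rate(n, m, trials, rng):
    """Empirical Pr[Encode = ⊥] for n random items in m nodes: the O(1/p) experiments of the abstract."""
    fails = 0
    for _ in range(trials):
        pairs = [(rng.randbytes(8), rng.getrandbits(64)) for _ in range(n)]
        fails += encode(pairs, m, rng.randbytes(16)) is None
    return fails / trials
```

Because every stored value is random and the free nodes are filled with fresh randomness, the table is distributed independently of which keys were encoded, which is the obliviousness property the abstract describes.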

References

  1. Ben-Efraim, A., Nissenbaum, O., Omri, E., Paskin-Cherniavsky, A.: PSImple: practical multiparty maliciously-secure private set intersection. Cryptology ePrint Archive, Report 2021/122 (2021)

  2. Botelho, F.C., Pagh, R., Ziviani, N.: Practical perfect hashing in nearly optimal space. Inf. Syst. 38(1), 108–131 (2013)

  3. Boyle, E., Couteau, G., Gilboa, N., Ishai, Y.: Compressing vector OLE. In: ACM CCS 2018, pp. 896–912. ACM (2018)

  4. Boyle, E., Couteau, G., Gilboa, N., Ishai, Y., Kohl, L., Scholl, P.: Efficient pseudorandom correlation generators: silent OT extension and more. In: CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 489–518. Springer (2019)

  5. Chandran, N., Dasgupta, N., Gupta, D., Obbattu, S.L.B., Sekar, S., Shah, A.: Efficient linear multiparty PSI and extensions to circuit/quorum PSI. Cryptology ePrint Archive, Report 2021/172 (2021)

  6. Chandran, N., Gupta, D., Shah, A.: Circuit-PSI with linear complexity via relaxed batch OPPRF. Cryptology ePrint Archive, Report 2021/034 (2021)

  7. Chase, M., Miao, P.: Private set intersection in the internet setting from lightweight oblivious PRF. In: CRYPTO 2020, Part III. LNCS, vol. 12172, pp. 34–63. Springer, Heidelberg (2020)

  8. Chen, H., Laine, K., Rindal, P.: Fast private set intersection from homomorphic encryption. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 1243–1255. ACM Press (2017)

  9. Cho, C., Dachman-Soled, D., Jarecki, S.: Efficient concurrent covert computation of string equality and set intersection. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 164–179. Springer, Heidelberg (2016)

  10. Clopper, C.J., Pearson, E.S.: The use of confidence or fiducial limits illustrated in the case of the binomial. Biometrika 26(4), 404–413 (1934)

  11. Dong, C., Chen, L., Wen, Z.: When private set intersection meets big data: an efficient and scalable protocol. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 789–800. ACM Press (2013)

  12. Freedman, M.J., Nissim, K., Pinkas, B.: Efficient private matching and set intersection. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 1–19. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_1

  13. Ghosh, S., Nilges, T.: An algebraic approach to maliciously secure private set intersection. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part III. LNCS, vol. 11478, pp. 154–185. Springer, Heidelberg (2019)

  14. Ghosh, S., Simkin, M.: The communication complexity of threshold private set intersection. In: CRYPTO 2019, Part II. LNCS, vol. 11693, pp. 3–29. Springer (2019)

  15. Graf, T.M., Lemire, D.: XOR filters: faster and smaller than Bloom and cuckoo filters. CoRR abs/1912.08258 (2019)

  16. Hazay, C., Lindell, Y.: A note on the relation between the definitions of security for semi-honest and malicious adversaries. Cryptology ePrint Archive, Report 2010/551 (2010). http://eprint.iacr.org/2010/551

  17. Hazay, C., Venkitasubramaniam, M.: Scalable multi-party private set-intersection. In: PKC 2017, Part I. LNCS, vol. 10174, pp. 175–203. Springer (2017)

  18. Inbar, R., Omri, E., Pinkas, B.: Efficient scalable multiparty private set-intersection via garbled Bloom filters. In: SCN 2018, pp. 235–252. Springer (2018)

  19. Ishai, Y., Kilian, J., Nissim, K., Petrank, E.: Extending oblivious transfers efficiently. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 145–161. Springer, Heidelberg (2003)

  20. Kilian, J.: More general completeness theorems for secure two-party computation. In: 32nd ACM STOC, pp. 316–324. ACM Press (2000)

  21. Kirsch, A., Mitzenmacher, M., Wieder, U.: More robust hashing: cuckoo hashing with a stash. SIAM J. Comput. 39(4), 1543–1561 (2009)

  22. Kissner, L., Song, D.X.: Privacy-preserving set operations. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 241–257. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_15

  23. Kolesnikov, V., Kumaresan, R., Rosulek, M., Trieu, N.: Efficient batched oblivious PRF with applications to private set intersection. In: ACM CCS 2016, pp. 818–829 (2016)

  24. Kolesnikov, V., Matania, N., Pinkas, B., Rosulek, M., Trieu, N.: Practical multi-party private set intersection from symmetric-key techniques. In: ACM CCS 2017, pp. 1257–1272. ACM Press (2017)

  25. Kolesnikov, V., Rosulek, M., Trieu, N., Wang, X.: Scalable private set union from symmetric-key techniques. In: ASIACRYPT 2019, Part II. LNCS, vol. 11922, pp. 636–666. Springer, Heidelberg (2019)

  26. Manulis, M., Pinkas, B., Poettering, B.: Privacy-preserving group discovery with linear complexity. In: ACNS 10. LNCS, vol. 6123, pp. 420–437. Springer (2010)

  27. Mitzenmacher, M., Upfal, E.: Probability and Computing: Randomized Algorithms and Probabilistic Analysis. Cambridge University Press, Cambridge (2005)

  28. Moenck, R., Borodin, A.: Fast modular transforms via division. In: Switching and Automata Theory, pp. 90–96 (1972)

  29. Molloy, M.: The pure literal rule threshold and cores in random hypergraphs. In: SODA 2004, pp. 672–681. SIAM (2004)

  30. Naor, M., Pinkas, B.: Oblivious transfer and polynomial evaluation. In: 31st ACM STOC, pp. 245–254. ACM Press (1999)

  31. Orrù, M., Orsini, E., Scholl, P.: Actively secure 1-out-of-N OT extension with application to private set intersection. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 381–396. Springer, Heidelberg (2017)

  32. Pinkas, B., Rosulek, M., Trieu, N., Yanai, A.: SpOT-light: lightweight private set intersection from sparse OT extension. In: CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 401–431. Springer, Heidelberg (2019)

  33. Pinkas, B., Rosulek, M., Trieu, N., Yanai, A.: PSI from PaXoS: fast, malicious private set intersection. In: EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 739–767. Springer, Heidelberg (2020)

  34. Pinkas, B., Schneider, T., Tkachenko, O., Yanai, A.: Efficient circuit-based PSI with linear communication. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part III. LNCS, vol. 11478, pp. 122–153. Springer, Heidelberg (2019)

  35. Pinkas, B., Schneider, T., Zohner, M.: Faster private set intersection based on OT extension. In: Fu, K., Jung, J. (eds.) USENIX Security 2014, pp. 797–812. USENIX Association (2014)

  36. Pinkas, B., Schneider, T., Zohner, M.: Scalable private set intersection based on OT extension. ACM Trans. Priv. Secur. 21(2), 7:1–7:35 (2018)

  37. Raab, M., Steger, A.: “Balls into bins”: a simple and tight analysis. In: RANDOM ’98, pp. 159–170. Springer-Verlag (1998)

  38. Rindal, P.: cryptoTools. https://github.com/ladnir/cryptoTools

  39. Rindal, P., Rosulek, M.: Improved private set intersection against malicious adversaries. In: EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 235–259. Springer (2017)

  40. Rindal, P., Rosulek, M.: Malicious-secure private set intersection via dual execution. In: ACM CCS 2017, pp. 1229–1242. ACM Press (2017)

  41. Rindal, P., Schoppmann, P.: VOLE-PSI: fast OPRF and circuit-PSI from vector-OLE. Cryptology ePrint Archive, Report 2021/266 (2021)

  42. Schoppmann, P., Gascón, A., Reichert, L., Raykova, M.: Distributed vector-OLE: improved constructions and implementation. In: ACM CCS 2019, pp. 1055–1072. ACM (2019)

  43. Walzer, S.: Peeling close to the orientability threshold: spatial coupling in hashing-based data structures. In: Marx, D. (ed.) SODA 2021, pp. 2194–2211. SIAM (2021)

  44. Zhang, E., Liu, F.-H., Lai, Q., Jin, G., Li, Y.: Efficient multi-party private set intersection against malicious adversaries. In: ACM SIGSAC Conference on Cloud Computing Security Workshop, CCSW 2019, pp. 93–104 (2019)


Acknowledgements

We would like to thank Dan Boneh and Laliv Tauber, as well as the anonymous referees, for their valuable comments on earlier drafts of this paper. The first and third authors are partially supported by a Facebook research award. The second author is supported by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office, and by a grant from the Alter family. The fourth author is partially supported by NSF awards #2031799, #2115075.

Corresponding author: Gayathri Garimella.


Copyright information

© 2021 International Association for Cryptologic Research


Cite this paper

Garimella, G., Pinkas, B., Rosulek, M., Trieu, N., Yanai, A. (2021). Oblivious Key-Value Stores and Amplification for Private Set Intersection. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science(), vol 12826. Springer, Cham. https://doi.org/10.1007/978-3-030-84245-1_14

  • DOI: https://doi.org/10.1007/978-3-030-84245-1_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-84244-4

  • Online ISBN: 978-3-030-84245-1
