Private set intersection (PSI) is a cryptographic technique that is applicable to many privacy-sensitive scenarios. For decades, researchers have focused on improving its efficiency in both communication and computation. However, most existing solutions are inefficient when the two input sets differ greatly in size, which is common in conventional client-server settings. In this paper, we analyze and optimize the efficiency of existing PSI protocols to support precomputation so that they can efficiently handle such input sets. We transform four existing PSI protocols into a precomputation form such that in the setup phase the communication is linear only in the size of the larger input set, while in the online phase the communication is linear in the size of the smaller input set. We implement all four protocols, run experiments between two PCs and between a PC and a smartphone, and give a systematic comparison of their performance. Our experiments show that a protocol based on securely evaluating a garbled AES circuit achieves the fastest setup time by several orders of magnitude, and the fastest online time in the PC setting where AES-NI acceleration is available. In the mobile setting, the fastest online time is achieved by a protocol based on the Diffie-Hellman assumption.
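To make the two-phase communication pattern concrete, the following is an added example (written for this page, not the paper's implementation) of a Diffie-Hellman-style PSI split into a setup message whose size is linear in the server's larger set and an online exchange whose size is linear in the client's smaller set. It assumes constructed demo parameters: the full multiplicative group modulo the Mersenne prime 2^521 - 1, chosen only so the code runs self-contained; a deployment would use a standard prime-order or elliptic-curve group.

```python
import hashlib, math, secrets

# Demo parameters (constructed): Mersenne prime 2^521 - 1 and the full group Z_P^*.
# A deployment would use a standard prime-order or elliptic-curve group.
P = (1 << 521) - 1
ORDER = P - 1  # exponents live modulo the group order

def hash_to_group(item: str) -> int:
    # Map an item to a non-zero element of Z_P^* via SHA-256.
    return int.from_bytes(hashlib.sha256(item.encode()).digest(), "big") % ORDER + 1

def random_exponent() -> int:
    # Random exponent invertible mod ORDER, so blinding can be undone.
    while True:
        e = secrets.randbelow(ORDER - 1) + 1
        if math.gcd(e, ORDER) == 1:
            return e

class Server:
    def __init__(self, items):
        self.items, self.k = list(items), random_exponent()
    def setup_message(self):
        # Setup phase: one message of |server set| elements, sent once and reusable.
        return {pow(hash_to_group(x), self.k, P) for x in self.items}

    def online_respond(self, blinded):
        # Online phase: raise each blinded client element to the secret k.
        return [pow(b, self.k, P) for b in blinded]

class Client:
    def __init__(self, items):
        self.items = list(items)
        self.blinds = [random_exponent() for _ in self.items]  # one fresh r per item

    def online_request(self):
        # |client set| elements; H(y)^r hides y from the server.
        return [pow(hash_to_group(y), r, P) for y, r in zip(self.items, self.blinds)]

    def intersect(self, setup_msg, responses):
        # Unblind H(y)^(r*k) to H(y)^k and look it up in the precomputed server encoding.
        return {y for y, r, resp in zip(self.items, self.blinds, responses)
                if pow(resp, pow(r, -1, ORDER), P) in setup_msg}

def run_psi(server_items, client_items):
    # Run both phases; return (intersection, setup message size, online messages size).
    server, client = Server(server_items), Client(client_items)
    setup_msg = server.setup_message()          # linear in the larger set
    request = client.online_request()           # linear in the smaller set
    responses = server.online_respond(request)  # linear in the smaller set
    return client.intersect(setup_msg, responses), len(setup_msg), len(request) + len(responses)
```

The setup message can be computed and transferred long before the client's items are known, which is what lets the online phase stay proportional to the smaller set.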