Improved Private Set Intersection against Malicious Adversaries Peter Rindal Mike Rosulek

Private Set Intersection (PSI) 𝑋 𝑌 𝑋∩𝑌

Private Set Intersection (PSI) “Sender” “Receiver” 𝑋 𝑌 PSI 𝑋∩𝑌

App: Contact discovery Users Contacts PSI 𝑋∩𝑌

App: Ad Efficiency Ad Views Customer PSI 𝑋∩𝑌

A Sampling of PSI Over the Decades [HubermanFranklinHogg99] Extended Diffie-Hellman private equality test to PSI [DeCristofaroKimTsudik10] Malicious Diffie-Hellman base PSI 𝑥 𝛼𝛽 = 𝑦 𝛽𝛼 ⇒𝑥=𝑦 [Meadows86] First to define private equality test using Diffie-Hellman 1985 1990 1995 2000 2005 2010 2015 2020 One of the first techniques for PSI was in produced by Meadows in 86. This approach builds on the communitive property in the exponent of diffie-hellman. Huberman and friends later framed this result in terms of PSI. More recently De Cristofaro et al, extend this approach to the malicious setting using Blind RSA.

A Sampling of PSI Over the Decades [HubermanFranklinHogg99] Extended Diffie-Hellman private equality test to PSI [DeCristofaroKimTsudik10] Malicious Diffie-Hellman base PSI [NaorPinkas99] Oblivious Polynomial Evaluation base PSI 𝑓 𝑥 +𝑔 𝑥 =𝑓 𝑦 +𝑔(𝑦) ⇒𝑥=𝑦 [DachmanMalkinRaykovaYung09] Homomorphic Enc base PSI using Polynomial Evaluation [Meadows86] First to define private equality test using Diffie-Hellman 1985 1990 1995 2000 2005 2010 2015 2020 Another paradigm was introduced in 99 by Naor and Pinkas which builds on Oblivious Polynomial evaluation. This was later improved in 04 and extended to the malicious setting in 09. 𝑄 𝑥 ≔(𝑥−𝑦) 𝑄 𝑥 =0 ⇒𝑥=𝑦 [FreedmanNissimPinkas04] Homomorphic Enc base PSI using Polynomial Evaluation and hashing

A Sampling of PSI Over the Decades [HubermanFranklinHogg99] Extended Diffie-Hellman private equality test to PSI [DeCristofaroKimTsudik10] Malicious Diffie-Hellman base PSI [NaorPinkas99] Oblivious Polynomial Evaluation base PSI [DachmanMalkinRaykovaYung09] Homomorphic Enc base PSI using Polynomial Evaluation [Meadows86] First to define private equality test using Diffie-Hellman 1985 1990 1995 2000 2005 2010 2015 2020 The use of generic MPC was also considered by Huang and friends. Somewhat surprisingly, this approach was competitive with special purpose protocols at the time. [FreedmanNissimPinkas04] Homomorphic Enc base PSI using Polynomial Evaluation and hashing [HuangEvansKatz12] Garbled Circuit base PSI

A Sampling of PSI Over the Decades [HubermanFranklinHogg99] Extended Diffie-Hellman private equality test to PSI [DeCristofaroKimTsudik10] Malicious Diffie-Hellman base PSI [NaorPinkas99] Oblivious Polynomial Evaluation base PSI [DachmanMalkinRaykovaYung09] Homomorphic Enc base PSI using Polynomial Evaluation [Meadows86] First to define private equality test using Diffie-Hellman 1985 1990 1995 2000 2005 2010 2015 2020 One of the most efficient paradigms saw its start in 96. This method builds on OT to allow a party to encode its elements which in tern reveals the intersection. In 2014 Pinkas and friends brought this approach into fashion with that addition of cuckoo hashing. Recently, Vlad, Mike and friends improved this methods with a more efficient OT based encoding. This protocol represents the start of the art in the semi-honest setting and is extremely fast. [KolesnikovKumaresanRosulekTrieu16] Element-wise Oblivious Transfer encoding PSI OT 𝑥 𝑚 𝑥 𝑚 𝑚 𝑥 = 𝑚 𝑦 ⇒𝑥=𝑦 [FreedmanNissimPinkas04] Homomorphic Enc base PSI using Polynomial Evaluation and hashing [FaginNaorWinkler96] Bitwise Oblivious Transfer encoding for private equality test [PinkasSchneiderZohner14, …] Cuckoo hashing + Bitwise Oblivious Transfer encoding PSI [HuangEvansKatz12] Garbled Circuit base PSI

A Sampling of PSI Over the Decades [HubermanFranklinHogg99] Extended Diffie-Hellman private equality test to PSI [DeCristofaroKimTsudik10] Malicious Diffie-Hellman base PSI [DongChenWen13] Oblivious Transfer + Bloom filter base PSI [NaorPinkas99] Oblivious Polynomial Evaluation base PSI [DachmanMalkinRaykovaYung09] Homomorphic Enc base PSI using Polynomial Evaluation [Meadows86] First to define private equality test using Diffie-Hellman [ This ] Malicious Oblivious Transfer + Bloom filter base PSI 1985 1990 1995 2000 2005 2010 2015 2020 Yet another paradigm was introduced by DongChenWen in 2013. Their approach builds on a data structure known as a bloom filter and is secure in the semi-honest setting. In this work, we extend this paradigm to the malicious setting to minimal overhead. [KolesnikovKumaresanRosulekTrieu16] Element-wise Oblivious Transfer encoding PSI [FreedmanNissimPinkas04] Homomorphic Enc base PSI using Polynomial Evaluation and hashing [FaginNaorWinkler96] Bitwise Oblivious Transfer encoding for private equality test [PinkasSchneiderZohner14] Cuckoo hashing + Bitwise Oblivious Transfer encoding PSI [HuangEvansKatz12] Garbled Circuit base PSI

A Sampling of PSI Over the Decades [HubermanFranklinHogg99] Extended Diffie-Hellman private equality test to PSI [DeCristofaroKimTsudik10] Diffie-Hellman base PSI [DongChenWen13] [DongChenWen13] Oblivious Transfer + Bloom filter base PSI [NaorPinkas99] Oblivious Transfer base PSI using Polynomial Evaluation [DachmanMalkinRaykovaYung09] Homomorphic Enc base PSI using Polynomial Evaluation [Meadows86] First to define private equality test using Diffie-Hellman [ This ] Malicious Oblivious Transfer + Bloom filter base PSI 1985 1990 1995 2000 2005 2010 2015 2020 And this is by no means all of the works on PSI. Shown here is all the papers I was able to find in a few minutes. As you can see, 2017 was a very good year for PSI [FreedmanNissimPinkas04] Homomorphic Enc base PSI using Polynomial Evaluation and hashing [KolesnikovKumaresanRosulekTrieu16] Element-wise Oblivious Transfer encoding PSI [FaginNaorWinkler96] Bitwise Oblivious Transfer encoding for private equality test [PinkasSchneiderZohner14] Cuckoo hashing + Bitwise Oblivious Transfer encoding PSI [HuangEvansKatz12] Garbled Circuit base PSI

Oblivious Transfer (OT) Alice 𝑚 0 , 𝑚 1 ∈ 0,1 𝑙 Bob 𝑐∈{0,1} 𝑂𝑇 𝑚 𝑐 Highly efficient and secure protocols exists Motivates it use as the basis for PSI

Bloom Filter Plain text data structure similar to hash table Allows for testing set membership Paramerterized by hash functions ℎ 1 ,…, ℎ 𝑘 To insert 𝑥, set 𝑏 ℎ 𝑖 (𝑥) =1 , ∀𝑖 A Bloom filter is a neat data structured that allows efficient set membership queries. A given Bloom filter is associated with k hash function. Initially, the Bloom filter is a bit vector of all zeros. To insert an item x, we simply set all bits indexed by the k hash functions to 1. ℎ 1 (𝑥) 1 ℎ 1 (𝑧) ℎ 2 (𝑧) 1 ℎ 2 (𝑥) 1 ℎ 𝑘 (𝑥) 1 ℎ 𝑘 (𝑧) 1 … 𝑏= 1 1 1 1 1 1

Bloom Filter Plain text data structure similar to hash table Allows for testing set membership Paramerterized by hash functions ℎ 1 ,…, ℎ 𝑛 To insert 𝑥, set 𝑏 ℎ 𝑖 (𝑥) =1 , ∀𝑖 To test membership Return ∧ 𝑖 𝑏 ℎ 𝑖 𝑥 To test set membership, we simply report the and of all the bits. ℎ 1 (𝑥) ℎ 2 (𝑥) ℎ 𝑘 (𝑥) … 𝑏= 1 1 1 1 1 1 1 1

Bloom Filter 𝑛 items → Bloom filter with 𝑚 slots and 𝑘 hash functions Membership: Pr[ false negatives ] = 0 Pr[ false positives ] = 1− 𝑒 − 𝑘𝑛 𝑚 𝑘 ≈ 2 −𝑘 It is easy to see that when inserting n items into a bloom filter with m slots, we get no false negatives. That is, we never report that an item in not in the set when it is. However, there is some chance that an item not in the set is reported incorrectly. Fortunately, this event can be bounded to be negligible by ensuring at least one hash function will index a zero ℎ 1 (𝑥) ℎ 2 (𝑦) ℎ 1 (𝑦) ℎ 2 (𝑥) ℎ 𝑘 (𝑥) … … ℎ 𝑘 (𝑦) 𝑏= 1 1 1 1 1 1 1 1

Bloom Filter Intersection Bitwise AND 𝐵 𝑋 ∧ 𝐵 𝑌 is a Bloom filter for 𝑋∩𝑌 𝑋={𝑎,𝑏} 𝐵 𝑋 𝐵 𝑋 ∧ 𝐵 𝑌 𝑌={𝑎,𝑐} 𝐵 𝑌 1 1 1 ℎ 𝑖 (𝑎) ℎ 𝑖 (𝑎) ℎ 𝑖 (𝑎) Another interesting property of a bloom filter is that the bitwise AND of a bloom filter is itself a valid bloom filter for the intersection of the two sets. This is easy to see since the corresponding bits are guenteed to be set in the bitwise AND. However, there is a good chance that other bits will be additional bits set as shown here in the middle. Because of this, simply taking the AND is insecure, which is easy to see since a simulator with knowledge of just the intersection could not be able to simulate it. Next, we will see how to fix this. 1 ℎ 𝑖 (𝑏) 1 𝟏 1 ℎ 𝑖 (𝑐) 1 1 1 1

Bloom Filter Protocol [DongChenWen13, PinkasSchniederZohner14] 𝑌={𝑎,𝑐} 𝐵 𝑌 𝑂𝑇 ⊥ 𝒎 𝟎 𝒎 𝟏 𝒎 𝟐 ⋮ 𝒎 𝟑 𝒎 𝟒 𝒎 𝟓 𝒎 𝟔 1 ℎ 𝑖 (𝑎) … 𝒎 𝒊 ← 𝟎,𝟏 𝜿 1 We start by having the receiver on the right construct a traditional Bloom filter. The sender on the left then samples a random vector of string with the same length. They then use OT to transfer these messages where the bloom filter is the select bit. ℎ 𝑖 (𝑐) 1 𝑂𝑇 1

Bloom Filter Protocol 𝑿 ∩ 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟑 ⊕ 𝒎 𝟔 [DongChenWen13, PinkasSchniederZohner14] Garbled Bloom filter 𝑌={𝑎,𝑐} 𝑋={𝑎,𝑏} 𝐵 𝑋 𝐵 𝑌 1 𝑂𝑇 ⊥ 𝒎 𝟎 𝒎 𝟏 𝒎 𝟐 ⋮ 𝒎 𝟑 𝒎 𝟒 𝒎 𝟓 𝒎 𝟔 𝒎 𝟎 ⊥ 𝒎 𝟑 𝒎 𝟓 𝒎 𝟔 1 ℎ 𝑖 (𝑎) ℎ 𝑖 (𝑎) 1 ℎ 𝑖 (𝑏) 1 … 1 We call the result of the Ots a Garbled Bloom filter The sender then constructs their own Bloom filter. The sender uses this to construct X hat which contains a single Summary value for each item in X which is the XOR of the corresponding OT messages. This is sent to the Receiver who performs a similar operation and computes the intersection with X hat. This allows the receiver to infer the final intersection. ℎ 𝑖 (𝑐) 1 1 𝑂𝑇 1 Output the intersection 𝑿 = 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟐 ⊕ 𝒎 𝟑 𝑿 ∩ 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟑 ⊕ 𝒎 𝟔

Semi-Honest Security Naturally secure against Sender. [DongChenWen13, PinkasSchniederZohner14] Naturally secure against Sender. OT hides select bits Final message sent to Receiver Secure against Receiver Attack: For 𝑦 ′ ∉𝑌, Receiver learns encoding e.g. Encode 𝑦′ = 𝑚 3 ⊕ 𝑚 4 DCW13 show equivalence to false positive in standard bloom filter Pr[ false positives ] ≈ 2 −𝑘 𝑋={𝑎,𝑏} 𝑌={𝑎,𝑐} ⊥ 𝒎 𝟎 𝒎 𝟏 𝒎 𝟐 ⋮ 𝒎 𝟑 𝒎 𝟒 𝒎 𝟓 𝒎 𝟔 OT 𝒎 𝟎 ⊥ 𝒎 𝟑 𝒎 𝟓 𝒎 𝟔 1 ℎ 𝑖 (𝑎) … 1 ℎ 𝑖 (𝑐) 1 It is not hard to see that this is naturally secure against a semi-honest sender, simply observe all arrows point away from the sender. In the case of a semi-honest receiver, there is a potential to leak information. Consider a y’ not in Y. If the receiver learns its encoding, m3 plus m4, then additional information is revealed. Fortunately, DongChenWhen showed that the probability of this happening is equivalent to a half positive in a traditional bloom filter. That is, with overwhelming probability we can ensure there exists at least one value in this sum which is unknown to the sender. OT 1 Output: 𝑿 = 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟐 ⊕ 𝒎 𝟑 𝑿 ∩ 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟑 ⊕ 𝒎 𝟔

Malicious Receiver Insecure against Receiver Output: Consider all 1 Bloom filter Receiver will obtain all 𝑚 𝑖 Can probe for 𝒎 𝟐 ⊕ 𝒎 𝟑 𝑋={𝑎,𝑏} 𝑌={𝑎,𝑐} ⊥ 𝒎 𝟎 𝒎 𝟏 𝒎 𝟐 ⋮ 𝒎 𝟑 𝒎 𝟒 𝒎 𝟓 𝒎 𝟔 OT 𝒎 𝟎 𝒎 𝟏 𝒎 𝟐 𝒎 𝟑 𝒎 𝟒 𝒎 𝟓 𝒎 𝟔 𝒎 𝟎 ⊥ 𝒎 𝟑 𝒎 𝟓 𝒎 𝟔 1 1 ℎ 𝑖 (𝑎) 1 … 1 1 ℎ 𝑖 (𝑐) 1 Unfortunately, things do not work quite as well in the malicious case. The key observation is that there is noting stopping a malicious receiver from using the all 1 bloom filter. This means the receiver learns all of the mi messages and can simply probe the final message to learn all of X. OT 1 Output: 𝑿 = 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟐 ⊕ 𝒎 𝟑 𝑿 = 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟐 ⊕ 𝒎 𝟑 𝑿 ∩ 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟑 ⊕ 𝒎 𝟔

Warm-Up: The DongChenWen13 Approach Goal − restrict the Receiver to a valid Bloom filter Bloom filter of 𝑚 bits contains 1 2 𝑚 ones Make Receiver prove zero choice bits Sample random key 𝑠← 0,1 𝜅 Generate a 𝑚 2 out of 𝑚 secret sharing of 𝑠 𝑠 1 ,…, 𝑠 𝑚 Transmit 𝑠 𝑖 as the 𝑖th zero OT message Encrypt summary values with 𝑠 𝑋={𝑎,𝑏} 𝑌={𝑎,𝑐} 𝒔 𝟎 𝒎 𝟎 𝒔 𝟏 𝒎 𝟏 𝒔 𝟐 𝒎 𝟐 𝒔 𝟑 𝒎 𝟑 𝒔 𝟒 𝒎 𝟒 𝒔 𝟓 𝒎 𝟓 𝒔 𝟔 𝒎 𝟔 ⊥ 𝒎 𝟎 𝒎 𝟏 𝒎 𝟐 ⋮ 𝒎 𝟑 𝒎 𝟒 𝒎 𝟓 𝒎 𝟔 OT 𝒎 𝟎 𝒎 𝟏 𝒎 𝟐 𝒎 𝟑 𝒎 𝟒 𝒎 𝟓 𝒎 𝟔 1 1 1 ℎ 𝑖 (𝑎) 1 1 … 1 1 1 ℎ 𝑖 (𝑐) 1 In the DongChenWhen paper, they suggest a fix to this problem. The goal is to force the receiver to using a valid bloom filter. A close approximation of this is to ensure that at least half the m bloom filter bits are bits are ones. The sender then encrypts X hat with the secret s. To do this, they have the receiver prove that they used many zero bits in the Ots. First the sender samples a random key s and generates a m over 2 out of m secret sharing of s, where I denote them as s_i. These s_i terms are then transmitted as the zero OT message. The sender then excrypts X hat with s. As such, the receiver must decrypt x hat to learn the intersection. However, the previous attack required the receiver no learning any of the zero messages. OT 1 Output: Output: 𝑿 = 𝔼 𝒔 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟐 ⊕ 𝒎 𝟑 𝑿 = 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟐 ⊕ 𝒎 𝟑 𝑿 ∩ 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟑 ⊕ 𝒎 𝟔 𝔻 𝒔 ( 𝑿 )∩ 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟑 ⊕ 𝒎 𝟔

Warm-Up: The DongChenWen13 Approach Goal − restrict the Receiver to a valid Bloom filter Bloom filter of 𝑚 bits contains 1 2 𝑚 ones Make Receiver prove zero choice bits Sample random key 𝑠← 0,1 𝜅 Generate a 𝑚 2 out of 𝑚 secret sharing of 𝑠 𝑠 1 ,…, 𝑠 𝑚 Transmit 𝑠 𝑖 as the 𝑖th zero OT message Encrypt summary values with 𝑠 𝑋={𝑎,𝑏} 𝑌={𝑎,𝑐} 𝒔 𝟎 𝒎 𝟎 𝒔 𝟏 𝒎 𝟏 𝒔 𝟐 𝒎 𝟐 𝒔 𝟑 𝒎 𝟑 𝒔 𝟒 𝒎 𝟒 𝒔 𝟓 𝒎 𝟓 𝒔 𝟔 𝒎 𝟔 OT 𝒎 𝟎 𝒔 𝟏 𝒔 𝟐 𝒎 𝟑 𝒔 𝟒 𝒎 𝟓 𝒎 𝟔 1 ℎ 𝑖 (𝑎) … 1 ℎ 𝑖 (𝑐) 1 Therefore, the receiver now must pick up many zero messages, preventing the previous attack. OT 1 Output: 𝑿 = 𝔼 𝒔 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟐 ⊕ 𝒎 𝟑 𝔻 𝒔 ( 𝑿 )∩ 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟑 ⊕ 𝒎 𝟔

Warm-Up: The DongChenWen13 Approach [RindalRosulek17, Lambaek17] Warm-Up: The DongChenWen13 Approach Is this secure? Receiver is forced to use ≤ 𝑚 2 ones Selective failure attack by the Sender… 𝑋={𝑎,𝑏} 𝑌={𝑎,𝑐} 𝒔 𝟎 𝒎 𝟎 𝒔 𝟏 𝒎 𝟏 𝒔 𝟐 𝒎 𝟐 𝒔 𝟑 𝒎 𝟑 𝒔 𝟒 𝒎 𝟒 𝒔 𝟓 𝒎 𝟓 𝒔 𝟔 𝒎 𝟔 OT 𝒎 𝟎 𝒔 𝟏 𝒔 𝟐 𝒎 𝟑 𝒔 𝟒 𝒎 𝟓 𝒎 𝟔 1 ℎ 𝑖 (𝑎) … 1 ℎ 𝑖 (𝑐) 1 This begs the question, is this secure? Well, we successfully prevented the receiver from launching their attack Unfortunately, we also introduced a selective failure attack on the part of the sender. This was discovered by us and in an independent work by Lambaek. OT 1 Output: 𝑿 = 𝔼 𝒔 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟐 ⊕ 𝒎 𝟑 𝔻 𝒔 ( 𝑿 )∩ 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟑 ⊕ 𝒎 𝟔

Warm-Up: The DongChenWen13 Approach [RindalRosulek17, Lambaek17] Warm-Up: The DongChenWen13 Approach Is this secure? Receiver is forced to use ≤ 𝑚 2 ones Selective failure attack by the Sender… Example Attack: replace 𝑠 4 with random value 𝑟 𝑋={𝑎,𝑏} 𝑌={𝑎,𝑐} 𝒔 𝟎 𝒎 𝟎 𝒔 𝟏 𝒎 𝟏 𝒔 𝟐 𝒎 𝟐 𝒔 𝟑 𝒎 𝟑 𝒎 𝟒 𝒔 𝟓 𝒎 𝟓 𝒔 𝟔 𝒎 𝟔 OT 𝒎 𝟎 𝒔 𝟏 𝒔 𝟐 𝒎 𝟑 𝒔 𝟒 𝒎 𝟓 𝒎 𝟔 1 ℎ 𝑖 (𝑎) … 1 𝑟 ℎ 𝑖 (𝑐) 1 Consider what will happen if the sender replaces s4 with some bogus value r. OT 1 Output: 𝑿 = 𝔼 𝒔 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟐 ⊕ 𝒎 𝟑 𝔻 𝒔 ( 𝑿 )∩ 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟑 ⊕ 𝒎 𝟔

Warm-Up: The DongChenWen13 Approach [RindalRosulek17, Lambaek17] Warm-Up: The DongChenWen13 Approach Is this secure? Receiver is forced to use ≤ 𝑚 2 ones Selective failure attack by the Sender… Example Attack: replace 𝑠 4 with random value 𝑟 Can not reconstruct 𝑠 if 𝑟 is picked up PSI fails if ∀𝑦∈𝑌 : ℎ 𝑖 𝑦 ≠4 Can not be simulated! 𝑋={𝑎,𝑏} 𝑌={𝑎,𝑐} 𝒔 𝟎 𝒎 𝟎 𝒔 𝟏 𝒎 𝟏 𝒔 𝟐 𝒎 𝟐 𝒔 𝟑 𝒎 𝟑 𝒎 𝟒 𝒔 𝟓 𝒎 𝟓 𝒔 𝟔 𝒎 𝟔 OT 𝒎 𝟎 𝒔 𝟏 𝒔 𝟐 𝒎 𝟑 𝒎 𝟓 𝒎 𝟔 1 ℎ 𝑖 (𝑎) … 1 𝑟 𝑟 ℎ 𝑖 (𝑐) 1 In the event the receiver picks r up in the OT, then the secret sharing will be incorrect and the PSI will fail by outputting the null set. Because this event depending on the receivers full set Y, a simulation knowing just the intersection can not simulate it. OT 1 Output: 𝑿 = 𝔼 𝒔 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟐 ⊕ 𝒎 𝟑 𝔻 𝒔 ( 𝑿 )∩ 𝒎 𝟎 ⊕ 𝒎 𝟓 , 𝒎 𝟑 ⊕ 𝒎 𝟔

Cut and Choose Approach [RindalRosulek17] Random Make Receiver prove zero bits in an input-independent way Receiver uses random OT select bits Sender challenges on a subset of OT Receiver must reveal select bits Expect to see 1 2 zero bits, aborts otherwise 𝒓 𝟎 𝒎 𝟎 OT 𝒓 𝟎 𝒓 𝟏 𝒎 𝟏 𝒎 𝟏 1 𝒓 𝟐 𝒎 𝟐 𝒓 𝟐 𝒎 𝟔 𝒓 𝟐 𝒓 𝟑 𝒎 𝟑 𝒎 𝟑 1 𝒓 𝟒 𝒎 𝟒 𝒎 𝟒 … 1 𝒓 𝟓 𝒎 𝟓 𝒓 𝟓 𝒓 𝟔 𝒎 𝟔 𝒎 𝟔 1 In this work, we go back to the drawing board and have the receiver prove that they picked up many zero messages in an input independent way. First we have the receiver use complexly random select bits in the Ots. The sender then challenges the receiver to reveal a small portion of their select bits. Having the receiver show the correspond messages is sufficient and the sender aborts if they see significantly fewer than ½ zeros. 𝒓 𝟕 𝒎 𝟕 𝒓 𝟕 𝒓 𝟖 𝒎 𝟖 OT 𝒎 𝟖 1

Cut and Choose Approach [RindalRosulek17] Random Make Receiver prove zero bits in an input-independent way Receiver uses random OT select bits Sender challenges on a subset of OT Receiver must reveal select bits Expect to see 1 2 zero bits, aborts otherwise 𝒓 𝟎 𝒎 𝟎 OT 𝒓 𝟎 𝒓 𝟏 𝒎 𝟏 𝒎 𝟏 1 𝒓 𝟑 … 1 𝒓 𝟒 𝒓 𝟓 𝒎 𝟑 𝒎 𝟒 𝒎 𝟓 We then throw out these Ots and consolidate the remaining. OT 1 𝒓 𝟕 𝒓 𝟖 𝒎 𝟕 𝒎 𝟖

Cut and Choose Approach [RindalRosulek17] Issue: Remaining OTs do not form valid Bloom filter 𝑌={𝑎,𝑐} 𝒓 𝟎 𝒎 𝟎 OT 𝒓 𝟎 𝒓 𝟏 𝒎 𝟏 𝒎 𝟏 1 ℎ 𝑖 (𝑎) 𝒓 𝟑 𝒎 𝟑 𝒎 𝟑 1 𝒓 𝟒 𝒎 𝟒 𝒎 𝟒 … 1 𝒓 𝟓 𝒎 𝟓 𝒓 𝟓 ℎ 𝑖 (𝑐) 𝒓 𝟕 𝒎 𝟕 𝒓 𝟕 𝒓 𝟖 𝒎 𝟖 OT 𝒎 𝟖 1 However, we have an issue in that the select bits no longer form the desired bloom filter.

Cut and Choose Approach [RindalRosulek17] Issue: Remaining OTs do not form valid Bloom filter Constructs desired Bloom filter Randomly permute OTs to form Bloom filter 𝜋 random OTs →desired 𝐵𝐹 𝑌={𝑎,𝑐} 𝒓 𝟎 𝒎 𝟎 OT 1 1 𝒓 𝟏 𝒎 𝟏 ℎ 𝑖 (𝑎) 1 𝒓 𝟑 𝒎 𝟑 1 𝒓 𝟒 𝒎 𝟒 … 1 𝒓 𝟓 𝒎 𝟓 ℎ 𝑖 (𝑐) 𝒓 𝟕 𝒎 𝟕 1 1 𝒓 𝟖 𝒎 𝟖 OT 1 To fix this, we first have the receiver construct the desired bloom filter. Based on this, they construct a random permutation which maps the Ots to the desired bloom filter. Because the Ots are already random, this reveals no information. 𝜋

Cut and Choose Approach [RindalRosulek17] Issue: Remaining OTs do not form valid Bloom filter Constructs desired Bloom filter Randomly permute OTs to form Bloom filter 𝜋 random OTs →desired 𝐵𝐹 𝑌={𝑎,𝑐} 𝒓 𝟎 𝒎 𝟎 OT 1 1 𝒓 𝟏 𝒎 𝟏 ℎ 𝑖 (𝑎) 1 𝒓 𝟑 𝒎 𝟑 1 𝒓 𝟒 𝒎 𝟒 … 1 𝒓 𝟓 𝒎 𝟓 ℎ 𝑖 (𝑐) 𝒓 𝟕 𝒎 𝟕 1 1 𝒓 𝟖 𝒎 𝟖 OT 1 𝜋

Cut and Choose Approach [RindalRosulek17] Issue: Remaining OTs do not form valid Bloom filter Constructs desired Bloom filter Randomly permute OTs to form Bloom filter 𝜋 random OTs →desired 𝐵𝐹 𝑌={𝑎,𝑐} 1 𝒓 𝟒 𝒎 𝟒 OT 1 1 𝒓 𝟏 𝒎 𝟏 ℎ 𝑖 (𝑎) 1 𝒓 𝟑 𝒎 𝟑 𝒓 𝟎 𝒎 𝟎 … 1 𝒓 𝟓 𝒎 𝟓 ℎ 𝑖 (𝑐) 𝒓 𝟕 𝒎 𝟕 1 1 𝒓 𝟖 𝒎 𝟖 OT 1 𝜋

Cut and Choose Approach [RindalRosulek17] Issue: Remaining OTs do not form valid Bloom filter Constructs desired Bloom filter Randomly permute OTs to form Bloom filter 𝜋 random OTs →desired 𝐵𝐹 𝑌={𝑎,𝑐} 1 𝒓 𝟒 𝒎 𝟒 OT 1 𝒓 𝟎 𝒎 𝟎 ℎ 𝑖 (𝑎) 1 𝒓 𝟑 𝒎 𝟑 1 𝒓 𝟏 𝒎 𝟏 … 1 𝒓 𝟓 𝒎 𝟓 ℎ 𝑖 (𝑐) 𝒓 𝟕 𝒎 𝟕 1 1 𝒓 𝟖 𝒎 𝟖 OT 1 𝜋

Cut and Choose Approach [RindalRosulek17] Issue: Remaining OTs do not form valid Bloom filter Constructs desired Bloom filter Randomly permute OTs to form Bloom filter 𝜋 random OTs →desired 𝐵𝐹 𝑌={𝑎,𝑐} 1 𝒓 𝟒 𝒎 𝟒 OT 1 𝒓 𝟎 𝒎 𝟎 ℎ 𝑖 (𝑎) 𝒓 𝟕 𝒎 𝟕 1 𝒓 𝟏 𝒎 𝟏 … 1 𝒓 𝟓 𝒎 𝟓 ℎ 𝑖 (𝑐) 1 𝒓 𝟑 𝒎 𝟑 1 1 𝒓 𝟖 𝒎 𝟖 OT 1 𝜋

Cut and Choose Approach [RindalRosulek17] Issue: Remaining OTs do not form valid Bloom filter Constructs desired Bloom filter Randomly permute OTs to form Bloom filter 𝜋 random OTs →desired 𝐵𝐹 𝑌={𝑎,𝑐} 1 𝒓 𝟒 𝒎 𝟒 OT 1 𝒓 𝟎 𝒎 𝟎 ℎ 𝑖 (𝑎) 𝒓 𝟕 𝒎 𝟕 1 𝒓 𝟖 𝒎 𝟖 … 1 𝒓 𝟓 𝒎 𝟓 ℎ 𝑖 (𝑐) 1 𝒓 𝟑 𝒎 𝟑 1 1 𝒓 𝟏 𝒎 𝟏 OT 1 𝜋

Cut and Choose Approach [RindalRosulek17] Issue: Remaining OTs do not form valid Bloom filter Constructs desired Bloom filter Randomly permute OTs to form Bloom filter 𝜋 random OTs →desired 𝐵𝐹 𝑌={𝑎,𝑐} 1 𝒓 𝟒 𝒎 𝟒 OT 1 𝒓 𝟎 𝒎 𝟎 ℎ 𝑖 (𝑎) 𝒓 𝟕 𝒎 𝟕 1 𝒓 𝟖 𝒎 𝟖 … 1 𝒓 𝟓 𝒎 𝟓 ℎ 𝑖 (𝑐) 1 𝒓 𝟑 𝒎 𝟑 1 1 𝒓 𝟏 𝒎 𝟏 OT 1 𝜋

Cut and Choose Approach [RindalRosulek17] Issue: Remaining OTs do not form valid Bloom filter Constructs desired Bloom filter Randomly permute OTs to form Bloom filter 𝜋 random OTs →desired 𝐵𝐹 𝑌={𝑎,𝑐} 1 𝒓 𝟒 𝒎 𝟒 OT 1 ℎ 𝑖 (𝑎) ℎ 𝑖 (𝑐) 𝒓 𝟎 𝒎 𝟎 𝒓 𝟕 𝒎 𝟕 1 𝒓 𝟖 𝒎 𝟖 … 𝒓 𝟓 𝒎 𝟓 1 𝒓 𝟏 𝒎 𝟏 1 𝒓 𝟑 𝒎 𝟑 OT 𝜋 Output: 𝑿 = 𝒎 𝟒 ⊕ 𝒎 𝟏 , 𝒎 𝟐 ⊕ 𝒎 𝟑 𝑿 ∩ 𝒎 𝟒 ⊕ 𝒎 𝟏 , 𝒎 𝟖 ⊕ 𝒎 𝟑

Cut and Choose Parameters [RindalRosulek17] Random Issue: Random OTs/Cut-and-Choose may not result in exactly 1 2 zero select bits! 𝒓 𝟎 𝒎 𝟎 OT 𝒓 𝟎 𝒓 𝟏 𝒎 𝟏 𝒎 𝟏 1 𝒓 𝟐 𝒎 𝟐 𝒓 𝟐 𝒎 𝟔 𝒓 𝟐 𝒓 𝟑 𝒎 𝟑 𝒎 𝟑 1 𝒓 𝟒 𝒎 𝟒 𝒎 𝟒 … 1 𝒓 𝟓 𝒎 𝟓 𝒓 𝟓 1 𝒓 𝟔 𝒎 𝟔 𝒎 𝟔 1 The second issue is that the random Ots and cut n choose may not result exactly half zero select bits. Shown here, it worked. 𝒓 𝟕 𝒎 𝟕 𝒓 𝟕 𝒓 𝟖 𝒎 𝟖 OT 𝒎 𝟖 1

Cut and Choose Parameters [RindalRosulek17] Random Issue: Random OTs/Cut-and-Choose may not result in exactly 1 2 zero select bits! Need robust checking of zero bits 𝒓 𝟎 𝒎 𝟎 OT 𝒓 𝟎 1 𝒓 𝟏 𝒎 𝟏 𝒎 𝟏 𝒎 𝟏 1 𝒓 𝟐 𝒎 𝟐 𝒓 𝟐 𝒓 𝟑 𝒎 𝟑 𝒎 𝟑 1 𝒓 𝟒 𝒎 𝟒 𝒎 𝟒 … 1 𝒓 𝟓 𝒎 𝟓 𝒓 𝟓 1 𝒓 𝟔 𝒎 𝟔 𝒎 𝟔 𝒎 𝟔 1 However, a slightly different challenge results in all ones. We need a robust way of sampling these select bits 𝒓 𝟕 𝒎 𝟕 𝒓 𝟕 𝒓 𝟖 𝒎 𝟖 OT 𝒎 𝟖 1

Cut and Choose Parameters [RindalRosulek17] Issue: Random OTs/Cut-and-Choose may not result in exactly 1 2 zero select bits! Need robust checking of zero bits Desired properties: Pr 𝑔𝑜𝑜𝑑 𝑔𝑢𝑦 𝑎𝑐𝑐𝑢𝑠𝑒𝑑 ≤𝑛𝑒𝑔(𝜅) Pr 𝐵𝑎𝑑 𝑔𝑢𝑦 𝑛𝑜𝑡 𝑐𝑎𝑢𝑔ℎ𝑡 ≤𝑛𝑒𝑔(𝜅) Use Chernoff Bounds Sufficient to check 1% of the OTs! 𝑡 ≪ Pr 𝐸[𝑔𝑜𝑜𝑑 𝑔𝑢𝑦] One desired property is that the good guy is accused of cheating with neg. probability. IN this case, the number of zeros revealed in the cut and choose will follow a normal distribution centered at the expected value. The event that we see few zeros #𝑧𝑒𝑟𝑜𝑠 seen Abort threshold

Extracting 𝑌 with Random Oracle [RindalRosulek17] Simulator must extract the effective input 𝑌 Can extract OT select bits Issues: 𝐵𝐹 is not naturally invertible 𝐵𝐹 may be malformed… Solution: Model hash function ℎ 𝑖 (⋅) as Random Oracle Non-programmable RO 𝑌={𝑎,𝑐} Simulator Random Oracle 𝒓 𝟒 𝒎 𝟒 1 OT 𝒎 𝟒 1 𝒓 𝟎 𝒎 𝟎 𝒓 𝟎 ℎ 𝑖 (𝑎) 𝑎,𝑐 , 𝑑 𝒓 𝟕 𝒎 𝟕 𝒓 𝟕 𝐵𝐹= 𝒓 𝟖 𝒎 𝟖 𝒎 𝟖 … 1 𝒓 𝟓 𝒎 𝟓 𝒓 𝟓 ℎ 𝑖 (𝑐) 𝒓 𝟏 𝒎 𝟏 𝒎 𝟏 𝑋 PSI 𝑌={𝑎,𝑐} 1 𝒓 𝟑 𝒎 𝟑 OT 𝒎 𝟑 1 ℎ 𝑖 (𝑑) 𝑋∩𝑌={𝑎} Output: 𝑿 = 𝒎 𝟒 ⊕ 𝒎 𝟏 , 𝒎 𝟐 ⊕ 𝒎 𝟑 𝑿 ∩ 𝒎 𝟒 ⊕ 𝒎 𝟏 , 𝒎 𝟖 ⊕ 𝒎 𝟑

Generalized Encodings [RindalRosulek17] Bloom filter of size ~2𝑛𝜅 allows a Receiver to insert 𝑛 items 𝐹(𝑎)= 𝒎 𝟒 ⊕ 𝒎 𝟏 𝐹 𝑐 = 𝒎 𝟖 ⊕ 𝒎 𝟑 Sender can generate any encoding 𝐹( ⋅ ) View Bloom filter protocol as an OPRF 𝑌={𝑎,𝑐} 𝒓 𝟒 𝒎 𝟒 OT 𝒎 𝟒 1 𝒓 𝟎 𝒎 𝟎 𝒓 𝟎 ℎ 𝑖 (𝑎) 𝒓 𝟕 𝒎 𝟕 𝒓 𝟕 𝒓 𝟖 𝒎 𝟖 𝒎 𝟖 … 1 𝒓 𝟓 𝒎 𝟓 𝒓 𝟓 ℎ 𝑖 (𝑐) 𝒓 𝟏 𝒎 𝟏 𝒎 𝟏 1 OPRF 𝑌 𝒓 𝟑 𝒎 𝟑 OT 𝒎 𝟑 1 𝐹 𝐹 𝑦 :𝑦∈𝑌 𝒎 𝟒 ⊕ 𝒎 𝟏 , 𝒎 𝟖 ⊕ 𝒎 𝟑 𝐹 𝑥 :𝑥∈𝑋

Comparison – De Cristofaro, Kim, Tsudik10 DKT10 - Malicious Diffie-Hellman style approach: 𝑥 𝛼𝛽 = 𝑦 𝛽𝛼 38x 23x

Comparison – De Cristofaro, Kim, Tsudik10 DKT10 - Malicious Diffie-Hellman style approach: 𝑥 𝛼𝛽 = 𝑦 𝛽𝛼 [KKRT16,PSZ16] Naïve

Stay Tuned Semi-honest

The End Peter Rindal Mike Rosulek