Improved Efficiency for Private Stable Matching
Matthew Franklin, Mark Gondree, and Payman Mohassel
University of California, Davis
02/07/07 - Session Code: CRYP-203

Stable Matching
Stable Matching (Marriage): N men, N women, each with their own preference list
Matching M has an unstable pair (A,B) if:
    (A,B’), (A’,B) in M
    A prefers B over B’
    B prefers A over A’
M is stable if no unstable pairs exist in M
[Figure: diagram with nodes A, A’, B’, B]

Applications
Assigning Medical students to Hospitals
    — In US, Canada, and Scotland
Assigning students to schools and universities
    — In Norway and Singapore
National Matching Services Inc.

Outline
Introduction
    — Stable matching problem
    — Gale-Shapley Algorithm
    — Privacy Issues
Contributions
Open problems

The Gale-Shapley Algorithm
Notation:
    ─ N men: {A_1, …, A_N}
    ─ N women: {B_1, …, B_N}
    ─ Preference list for man i: A_i[1…N]
    ─ Preference list for woman i: B_i[1…N]
    ─ List of free men in round k: F_k
    ─ List of engaged men in round k: E_k

Gale-Shapley
k = 1; F_k = {A_1, …, A_N}
While F_k is non-empty:
    Randomly select A from F_k
    A proposes to “next” woman B
    (where he ranks B highest among the women to whom he has never proposed before)
    If B is free then she becomes engaged to A
    If B is engaged to some A’ then
        If B prefers A over A’ then remove A and add A’ to F_k
        Otherwise, F_k stays the same
    F_{k+1} = F_k; k = k+1

Remarks on Gale-Shapley
Round by Round
    ─ Matches made and broken every round
    ─ Man optimal
Privacy Issues
    ─ Naïve implementation
        ─ Matching Authority learns participants’ preference lists
    ─ Naively distributed computation
        ─ Traffic pattern: history of matches made and broken

Setting [Golle, FC06]
Have multiple (t) Matching Authorities (MAs)
MAs receive encrypted preference lists
MAs compute the stable matching
MAs don’t learn anything
Participants only learn their own partner
Assume: passive adversaries
Security Guaranteed (assuming ≥ 1 honest MA)

Our Contribution
Revisit [Golle]
    — High communication complexity (partly due to the chosen variant of Gale-Shapley used)
Design a Private and Efficient Protocol
    — Design a new variant of Gale-Shapley
    — Tune it for private implementation
    — Crypto assumptions comparable to [Golle]
    — Lower round and communication complexities

Our Contributions, Cont’d
Summary of protocols and efficiency:

Our variant of Gale-Shapley
Real men: {A_1, …, A_N}, Fake men: {A_{N+1}, …, A_{2N}}
Real women: {B_1, …, B_N}, Fake women: {B_{N+1}, …, B_{2N}}
Preference lists:
    — Real men: ( [actual preference list], [B_{N+1}, ..., B_{2N}, in any order] )
    — Real women: ( [actual preference list], [A_{N+1}, ..., A_{2N}, in any order] )
    — Fake women: ( [A_{N+1}, ..., A_{2N}, in any order], [A_1, ..., A_N, in any order] )
    — Fake men: ( [B_{N+2}, ..., B_{2N}, in any order], B_{N+1}, [B_1, ..., B_N, in any order] )

Our Variant, Cont’d
Initialization:
    — F_1 = {A_1}
    — {A_2, …, A_N} are engaged to {B_{N+2}, …, B_{2N}}, respectively
    — {A_{N+1}, …, A_{2N}} are engaged to {B_1, …, B_N}, respectively
While F_k is not empty:
    — The free man A in F_k proposes to B (the next woman in his preference list to whom he hasn’t proposed)
    — If B is engaged to some man A’
        If B prefers A over A’, let F_{k+1} = {A’}, and pair A and B
        Otherwise, F_{k+1} = F_k

Our Variant, Cont’d 2
Claim: Once a fake man proposes to woman B_{N+1}, we have a stable matching
Thus, the algorithm’s complexity is O(N^2)
Also, “Tuned for privacy” — every round k, |F_k| = 1
We implement a private version

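The variant laid out on the three slides above, as an added Python example (not the authors' code). Indices are 0-based, the "in any order" parts of the padded lists are fixed to ascending order, and the function names are made up for this illustration.

```python
def variant_gale_shapley(men_pref, women_pref):
    """Run the fake-padded variant; return ({real man: real woman}, rounds)."""
    n = len(men_pref)
    real, fake = list(range(n)), list(range(n, 2 * n))
    special = n                      # B_{N+1}, the only woman who starts free
    # Padded preference lists, 0-indexed (A_i and B_i are index i-1).
    men = [men_pref[i] + fake for i in real]
    men += [fake[1:] + [special] + real for _ in fake]
    women = [women_pref[j] + fake for j in real]
    women += [fake + real for _ in fake]
    rank = [{m: r for r, m in enumerate(lst)} for lst in women]

    fiance = {}                      # woman -> man currently engaged to her
    for i in range(1, n):
        fiance[n + i] = i            # A_2..A_N start with B_{N+2}..B_{2N}
    for j in real:
        fiance[j] = n + j            # A_{N+1}..A_{2N} start with B_1..B_N

    free, nxt, rounds = 0, [0] * (2 * n), 0   # F_1 = {A_1}
    while True:
        w = men[free][nxt[free]]     # next woman he has not proposed to
        nxt[free] += 1
        rounds += 1
        if w == special:
            assert free >= n, "only a fake man should reach B_{N+1}"
            break                    # claim: the matching is now stable
        rival = fiance[w]
        if rank[w][free] < rank[w][rival]:
            fiance[w], free = free, rival      # F_{k+1} = {A'}
    return {fiance[w]: w for w in real}, rounds


def is_stable(matching, men_pref, women_pref):
    """True if no real pair (A, B) prefer each other to their partners."""
    husband = {w: m for m, w in matching.items()}
    for m, lst in enumerate(men_pref):
        for w in lst[:lst.index(matching[m])]:     # women m prefers
            if women_pref[w].index(m) < women_pref[w].index(husband[w]):
                return False
    return True


if __name__ == "__main__":
    # Constructed 3x3 instance.
    men_pref = [[0, 1, 2], [0, 2, 1], [1, 0, 2]]
    women_pref = [[1, 0, 2], [2, 0, 1], [0, 1, 2]]
    matching, rounds = variant_gale_shapley(men_pref, women_pref)
    print(matching, rounds, is_stable(matching, men_pref, women_pref))
```

Exactly one man is free in every round, so the number of free bids gives an observer nothing to count, and the round total stays within the 2N^2 bound used by the protocol loop.
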
Protocol
Bids
    — Two types: Free and Engaged
    — Set of ciphertexts (constant sized)
    — F_k = {Free Bids in round k}
    — E_k = {Engaged Bids in round k}
Preference Lists
    — Encrypted, held by an MA (the “Database”)
Everything encrypted with threshold homomorphic enc.

Protocol
For k = 1 to 2N^2:
    — Select a single free bid from F_k.
    — “Open it” to recover the (encrypted) pointers into the database
    — Access database to get next fiancée's (encrypted) identity
    — Form the engaged bid
    — Privately find the conflicting engaged bid (mix, private equality test)
    — Mix these two engaged bids
    — “Resolve the conflict” to find the winner and loser (private comparison)
    — “Break the engagement” for the loser and add him to F_{k+1}
    — Add the winner to E_k
    — Mix all the bids
    — Let E_{k+1} = E_k

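One way the "find the conflicting engaged bid (mix, private equality test)" step can work, as an added example rather than the authors' construction. It assumes Paillier as the homomorphic scheme, a standard blinded-difference equality test, a single toy key standing in for the MAs' threshold decryption, and a two-ciphertext bid layout; all names are made up for this illustration.

```python
import math
import secrets

# Toy single-key Paillier over two Mersenne primes (constructed, insecure size).
# In the protocol the key is shared among the MAs; dec() stands in for their
# joint threshold decryption.
P, Q = 2**31 - 1, 2**61 - 1
MOD, MOD2 = P * Q, (P * Q) ** 2
PHI = (P - 1) * (Q - 1)
PHI_INV = pow(PHI, -1, MOD)

def rand_unit():
    while True:
        r = secrets.randbelow(MOD - 1) + 1
        if math.gcd(r, MOD) == 1:
            return r

def enc(m):
    return (1 + (m % MOD) * MOD) * pow(rand_unit(), MOD, MOD2) % MOD2

def dec(c):
    return (pow(c, PHI, MOD2) - 1) // MOD * PHI_INV % MOD

def rerandomize(c):
    # Multiplying by a fresh E(0) changes the ciphertext, not the plaintext.
    return c * enc(0) % MOD2

def mix(bids):
    # Re-encryption mix: shuffle the bids and re-randomize every field.
    out = [tuple(rerandomize(c) for c in bid) for bid in bids]
    secrets.SystemRandom().shuffle(out)
    return out

def plaintexts_equal(c1, c2):
    # E(a) / E(b) = E(a - b); raising to a random r gives E(r * (a - b)),
    # which opens to 0 exactly when a == b and to a blinded value otherwise.
    diff = c1 * pow(c2, -1, MOD2) % MOD2
    return dec(pow(diff, rand_unit(), MOD2)) == 0

def find_conflict(new_bid, engaged_bids):
    # Bid layout (E(man), E(woman)) is an assumption made for this example.
    for bid in mix(engaged_bids):
        if plaintexts_equal(new_bid[1], bid[1]):
            return bid          # still encrypted; position reveals nothing
    return None

if __name__ == "__main__":
    engaged = [(enc(m), enc(w)) for m, w in [(4, 0), (5, 1), (1, 2)]]  # constructed
    hit = find_conflict((enc(0), enc(1)), engaged)
    print("conflicting bid holds man", dec(hit[0]))  # opened here only to check
```

The only value ever opened is the blinded difference, so the test leaks a single bit per comparison, and the mix beforehand keeps the matching position from pointing back at a known participant.
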
Accessing the database
Database D, an array of n = (2N)^2 ciphertexts
Given E(i), we want to recover element D[i]
Our subprotocol:
    — Modification of an efficient (1-out-of-n) OT protocol
    — MAs process E(i) into queries of the protocol
    — MAs process database’s reply to recover D[i], a ciphertext
Our construction
    — Uses Stern’s OT (1 round, polylog CC)
    — Again, using threshold homomorphic encryption

A protocol for 2 MAs
A more efficient protocol for 2-MA case
Private Table Look Ups (LUT) [NN01] (For two-party computation)
Private Computation of Turing Machines with a RAM
    — Circuits equipped with Private LUT
Our algorithm can be presented as a TM with RAM
Implement privately using [NN01]
Extending to multiparty
    — Not completely distributed

New Developments
Extending [NN01] to multiparty
    — Automatically leads to more efficient private stable matching
    — Leads to nearly optimal communication

Thank you!! Questions?

Golle’s approach
Golle’s variant of Gale-Shapley:
N real men: {A_1, …, A_N}, N real women: {B_1, …, B_N}
N fake men: {A_{N+1}, …, A_{2N}}
Arbitrary preference lists for fake men
Each woman ranks fake men lower than real ones
Initialization
    — All real men are free
    — All fake men are engaged (in an arbitrary way)

Golle’s Approach Cont’d
For k = 1 to n:
    — While F_k is non-empty:
        Randomly select A from F_k
        A proposes to woman B: the woman he ranks highest among the women to whom he has never proposed before
        B is always engaged to some man A’:
            If B prefers A over A’, remove A from F_k, add A’ to F_{k+1}
            Otherwise, add A to F_{k+1}
Number of free men always N: |F_k| = N for all 1 ≤ k ≤ N

Shortcomings
Golle implements this variant privately
    — Re-encryption mix-networks
    — Threshold homomorphic cryptosystems (Paillier encryption)
Inefficiencies:
    — Golle’s variant needs O(N^2) rounds to reach a stable matching
        Complexity of algorithm increases by a factor of N
    — Another factor N increase: the size of the ciphertext used in the mix-network is O(N), not constant!