1. Malicious-Secure Private Set Intersection via Dual Execution
Peter Rindal
Mike Rosulek

2. Private Set Intersection (PSI)𝑋 𝑌
𝑋∩𝑌

3. Private Set Intersection (PSI)
“Sender”
“Receiver” 𝑋 𝑌
PSI
𝑋∩𝑌

4. App: Ad Efficiency
Ad Views
Customer
PSI
𝑋∩𝑌

5. App: Voter Registration
Registered Voters
Registered Voters
PSI
Double Registered

6. A Sampling of PSI Over the Decades
[Meadows86]
Private equality test
[HubermanFranklinHogg99]
Private equality test to PSI
[DeCristofaroKimTsudik10]
Malicious secure
𝑥 𝛼𝛽 = 𝑦 𝛽𝛼
⇒𝑥=𝑦
Diffie-Hellman
1985
1990
1995
2000
2005
2010
2015
2020
One of the first techniques for PSI was in produced by Meadows in 86. This approach builds on the communitive property in the exponent of diffie-hellman.
Huberman and friends later framed this result in terms of PSI. More recently De Cristofaro et al, extend this approach to the malicious setting using Blind RSA.

7. A Sampling of PSI Over the Decades
[Meadows86]
Private equality test
[HubermanFranklinHogg99]
Private equality test to PSI
[DeCristofaroKimTsudik10]
Malicious secure
Diffie-Hellman
Oblivious Polynomial Evaluation
[NaorPinkas99]
Semi-honest PSI
[FreedmanNissimPinkas04]
Hash table base PSI
[DachmanMalkinRaykovaYung09]
Malicious secure
𝑄 𝑥 ≔(𝑥−𝑦)
𝑄 𝑥 =0
⇒𝑥=𝑦
𝑓 𝑥 +𝑔 𝑥 =𝑓 𝑦 +𝑔(𝑦)
⇒𝑥=𝑦
1985
1990
1995
2000
2005
2010
2015
2020
One of the first techniques for PSI was in produced by Meadows in 86. This approach builds on the communitive property in the exponent of diffie-hellman.
Huberman and friends later framed this result in terms of PSI. More recently De Cristofaro et al, extend this approach to the malicious setting using Blind RSA.

8. A Sampling of PSI Over the Decades
[Meadows86]
Private equality test
[HubermanFranklinHogg99]
Private equality test to PSI
[DeCristofaroKimTsudik10]
Malicious secure
Diffie-Hellman
[HuangEvansKatz12]
Garbled Circuit base PSI
Generic MPC
Oblivious Polynomial Evaluation
[NaorPinkas99]
Semi-honest PSI
[FreedmanNissimPinkas04]
Hash table base PSI
[DachmanMalkinRaykovaYung09]
Malicious secure
1985
1990
1995
2000
2005
2010
2015
2020
One of the first techniques for PSI was in produced by Meadows in 86. This approach builds on the communitive property in the exponent of diffie-hellman.
Huberman and friends later framed this result in terms of PSI. More recently De Cristofaro et al, extend this approach to the malicious setting using Blind RSA.

9. A Sampling of PSI Over the Decades
[Meadows86]
Private equality test
[HubermanFranklinHogg99]
Private equality test to PSI
[DeCristofaroKimTsudik10]
Malicious secure
Diffie-Hellman
Oblivious Polynomial Evaluation
[NaorPinkas99]
Semi-honest PSI
[FreedmanNissimPinkas04]
Hash table base PSI
[DachmanMalkinRaykovaYung09]
Malicious secure
[HuangEvansKatz12]
Garbled Circuit base PSI
Generic MPC
1985
1990
1995
2000
2005
2010
2015
2020
One of the first techniques for PSI was in produced by Meadows in 86. This approach builds on the communitive property in the exponent of diffie-hellman.
Huberman and friends later framed this result in terms of PSI. More recently De Cristofaro et al, extend this approach to the malicious setting using Blind RSA.
[DongChenWen13]
Oblivious Transfer & Bloom filter
[ RR17a ]
Malicious Oblivious Transfer + Bloom filter base PSI
Oblivious Transfer + Bloom filter base PSI

10. A Sampling of PSI Over the Decades
[Meadows86]
Private equality test
[HubermanFranklinHogg99]
Private equality test to PSI
[DeCristofaroKimTsudik10]
Malicious secure
Diffie-Hellman
Oblivious Polynomial Evaluation
[NaorPinkas99]
Semi-honest PSI
[FreedmanNissimPinkas04]
Hash table base PSI
[DachmanMalkinRaykovaYung09]
Malicious secure
[HuangEvansKatz12]
Garbled Circuit base PSI
Generic MPC
1985
1990
1995
2000
2005
2010
2015
2020
One of the first techniques for PSI was in produced by Meadows in 86. This approach builds on the communitive property in the exponent of diffie-hellman.
Huberman and friends later framed this result in terms of PSI. More recently De Cristofaro et al, extend this approach to the malicious setting using Blind RSA.
Oblivious Transfer Encoding
[FaginNaorWinkler96]
Private equality test
[PinkasSchneiderZohner14, …] Cuckoo hashing PSI
[ This ]
Hash Table base PSI OT 𝑥
𝑚 𝑥 𝑚
𝑚 𝑥 = 𝑚 𝑦
⇒𝑥=𝑦
[DongChenWen13]
Oblivious Transfer & Bloom filter
[ RR17a ]
Malicious Oblivious Transfer + Bloom filter base PSI
Oblivious Transfer + Bloom filter base PSI

11. A Sampling of PSI Over the Decades
[HubermanFranklinHogg99]
Extended Diffie-Hellman private equality test to PSI
[DeCristofaroKimTsudik10]
Diffie-Hellman base PSI
[DongChenWen13]
[DongChenWen13]
Oblivious Transfer + Bloom filter base PSI
[NaorPinkas99]
Oblivious Transfer base PSI using Polynomial Evaluation
[DachmanMalkinRaykovaYung09]
Homomorphic Enc base PSI using Polynomial Evaluation
[Meadows86]
First to define private equality test using Diffie-Hellman
[ This ]
Malicious Oblivious Transfer + Bloom filter base PSI
1985
1990
1995
2000
2005
2010
2015
2020
And this is by no means all of the works on PSI. Shown here is all the papers I was able to find in a few minutes. As you can see, 2017 was a very good year for PSI
[FreedmanNissimPinkas04]
Homomorphic Enc base PSI using Polynomial Evaluation and hashing
[KolesnikovKumaresanRosulekTrieu16] Element-wise Oblivious Transfer encoding PSI
[FaginNaorWinkler96]
Bitwise Oblivious Transfer encoding for private equality test
[PinkasSchneiderZohner14] Cuckoo hashing + Bitwise Oblivious Transfer encoding PSI
[HuangEvansKatz12]
Garbled Circuit base PSI

12. Oblivious Transfer (OT)
Sender
𝑚 0 , 𝑚 1 ∈ 0,1 𝑙
Receiver
𝑥∈{0,1} OT
𝑚 𝑥
Highly efficient and secure protocols exists
Motivates it use as the basis for PSI

13. Oblivious Transfer (1-out-of-N OT)
Sender
Receiver
𝑥∈{1,…,𝑁} OT
𝑚 1 ,…, 𝑚 𝑁 ← 0,1 𝑙
𝑚 𝑥
Highly efficient and secure protocols exists
Motivates it use as the basis for PSI
1-out-of-N OT allows for exponentially many random messages, e.g. 𝑁= 2 128

14. Oblivious Transfer (1-out-of-N OT)
Sender
Receiver
𝑥∈{1,…,𝑁} OT
⋅ ≔
𝑚 1 ,…, 𝑚 𝑁 ← 0,1 𝑙
𝑥 ≔
𝑚 𝑥
Highly efficient and secure protocols exists
Motivates it use as the basis for PSI
1-out-of-N OT allows for exponentially many random messages, e.g. 𝑁= 2 128

15. Warm-up: Private Equality Test
[PinkasSchneiderZohner14]
How to compare 𝑥 and 𝑦 for equality
Oblivious Transfer
Correctness:
If 𝑥=𝑦, the encoding will be equal.
Security:
If 𝑥≠𝑦, the Receiver see 𝑥 which looks completely random OT 𝑦 ⋅ 𝑦 𝑥
Output: 𝑥 = 𝑦 ?

16. Warm-up: Private Membership Test
[PinkasSchneiderZohner14]
How to check for membership 𝑦∈𝑋
Oblivious Transfer OT 𝑦 ⋅ 𝑦
{ 𝑥 1 ,…, 𝑥 𝑛 }
Output: { 𝑥 1 ,…, 𝑥 𝑛 }∈ 𝑦 ?

17. Warm-up: Private Membership Test
[PinkasSchneiderZohner14]
How to check for membership 𝑦∈𝑋
Oblivious Transfer
Optimizations
Optimized to require 1 OT [KolesnikovKumaresanRosulekTrieu 16]
Malicious secure [OrrùOrsiniScholl16]
Limitations
Communication/Computation 𝑂(𝑛) per test
PSI: for 𝑦∈𝑌, test membership 𝑦∈𝑋 ⇒ 𝑂 𝑛 2 𝑋
PMT 𝑦 ?
𝑦∈𝑋

18. Membership + Hash Table
[PinkasScheiderZohner14]
Use hash table to reduce PSI complexity
ℎ( 𝑥 1 )
𝑥 1
𝐵 bins
ℎ ⋅ : 0,1 ∗ →{1,…,𝐵}

19. Membership + Hash Table
[PinkasScheiderZohner14]
Use hash table to reduce PSI complexity
ℎ( 𝑥 1 )
ℎ( 𝑥 2 )
𝑥 1
𝐵 bins
𝑥 2
ℎ ⋅ : 0,1 ∗ →{1,…,𝐵}

20. Membership + Hash Table
[PinkasScheiderZohner14]
Use hash table to reduce PSI complexity
For each bin, compare all pairs
ℎ( 𝑥 1 )
ℎ( 𝑦 𝑛 )
ℎ( 𝑦 2 )
ℎ( 𝑦 1 ) …
𝑥 𝑛
𝑥 4
𝑦 1
𝑦 2
𝑦 𝑛
𝑦 3
𝑦 4
ℎ( 𝑥 2 )
𝑥 3
𝑥 1 …
𝑂 (𝑛/ log 𝑛 )
ℎ( 𝑥 𝑛 )
𝑥 2
𝑂 (log 𝑛)

21. Semi-Honest Bin Comparison
[PinkasScheiderZohner14] … …
𝑥 𝑛
𝑦 2
𝑥 4
𝑦 4
𝑂 ( log 𝑛 )
𝑥 3
𝑦 1 … …
For each bin, compare all pairs
Bin size =𝑂(log 𝑛)
Quadratic complexity =𝑂( log 2 𝑛)

22. Semi-Honest Bin Comparison
[PinkasScheiderZohner14] 𝑋
𝑥 𝑛
𝑦 2
PMT
𝑥 4 𝑋
𝑦 4
PMT
𝑥 3 𝑋
𝑦 1
PMT
For each bin, compare all pairs
Bin size =𝑂(log 𝑛)
Quadratic complexity =𝑂( log 2 𝑛)
Semi-honest state of art:
[PinkasScheiderZohner16], [KolesnikovKumaresanRosulekTrieu16]
Improved with more advanced hashing

23. Malicious Security For each bin, compare all pairs Issue:
[RindalRosulek17b]
𝑥 𝑛 =𝑋
𝑦 2
PMT
𝑥 3 ′
𝑥 4 ′
𝑥 𝑛 ′
𝑥 4
=𝑋′
𝑦 4
PMT
𝑥 3 ′′
𝑥 4 ′′
𝑥 𝑛 ′′
𝑥 3
=𝑋′′
𝑦 1
PMT
For each bin, compare all pairs
Issue:
Malicious sender uses 𝑋, 𝑋 ′ ,𝑋′′ for each PMT
Can not be simulated,
Adversary has 𝑂 log 2 𝑛 input
No consistent simulation

24. Malicious Security PSI 𝑌 𝑋 ∗ ∩𝑌
[RindalRosulek17b]
Simulator
No 𝑋 ∗ exists
𝑥 3
𝑥 4
𝑥 𝑛 =𝑋 𝑌
𝑥 3 ′
𝑥 4 ′
𝑥 𝑛 ′
𝑋 ∗
=𝑋′
PSI
𝑥 3 ′′
𝑥 4 ′′
𝑥 𝑛 ′′
=𝑋′′
𝑋 ∗ ∩𝑌
For each bin, perform 𝑂( log 𝑛 ) membership tests
Issue:
Malicious sender uses 𝑋, 𝑋 ′ ,𝑋′′ for each PMT
Can not be simulated,
Adversary has 𝑂 log 2 𝑛 input
No consistent simulation

25. Malicious Security Need to restrict sender to a single set
[RindalRosulek17b]
𝑥 𝑛
𝑦 2
PMT
𝑥 4
𝑦 4
PMT
𝑥 3
𝑦 1
PMT
Need to restrict sender to a single set

26. Malicious Security OT OT OT Need to restrict sender to a single set
[RindalRosulek17b]
𝑥 𝑛 OT
𝑦 2
⋅ 1
𝑦 2 1
𝑥 4 OT
𝑦 4
⋅ 2
𝑦 4 2 OT
𝑥 3
⋅ 3
𝑦 1
𝑦 1 3
Need to restrict sender to a single set

27. Malicious Security Need to restrict sender to a single set
[RindalRosulek17b]
⋅ 1 𝐴
𝑥 𝑛
𝑦 2
𝑦 𝐴
⋅ 2 𝐴
𝑥 4
𝑦 4
𝑦 𝐴
⋅ 3 𝐴
𝑥 3
𝑦 1
𝑦 𝐴
Need to restrict sender to a single set

28. Malicious Security OT OT OT Need to restrict sender to a single set
[RindalRosulek17b]
⋅ 1 𝐴
𝑥 𝑛
𝑦 𝐴 OT
⋅ 1 𝐵
𝑦 2
𝑥 𝑛 1 𝐵
⋅ 2 𝐴
𝑥 4 OT
⋅ 2 𝐵
𝑦 4
𝑦 𝐴
𝑥 𝐵 OT
⋅ 3 𝐵
⋅ 3 𝐴
𝑥 3
𝑦 1
𝑦 𝐴
𝑥 𝐵
Need to restrict sender to a single set

29. Malicious Security OT OT OT Need to restrict sender to a single set
[RindalRosulek17b]
𝑥 𝑛 1 𝐵
⋅ 1 𝐴
𝑥 𝑛
𝑦 2
𝑦 𝐴 OT
⋅ 1 𝐵
𝑥 𝐵
⋅ 2 𝐴
𝑥 4 OT
𝑦 4
𝑦 𝐴
⋅ 2 𝐵 OT
𝑥 𝐵
⋅ 3 𝐴
𝑥 3
𝑦 1
𝑦 𝐴
⋅ 3 𝐵
Need to restrict sender to a single set
Define common encoding: 𝑧 𝑎,𝑏 = 𝑧 𝑎 𝐴 ⊕ 𝑧 𝑏 𝐵
Each party knows exactly 9 common encodings of 3 values

30. Malicious Security OT OT OT Need to restrict sender to a single set
[RindalRosulek17b] ⊕
⋅ 1 𝐴 ⋅ 2 𝐴 ⋅ 3 𝐴
𝑥 𝑛
𝑦 2
𝑦 𝐴
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1 OT
⋅ 1 𝐵
𝑥 𝐵
⋅ 2 𝐴
𝑥 4 OT
𝑦 4
𝑦 𝐴
⋅ 2 𝐵 OT
𝑥 𝐵
⋅ 3 𝐴
𝑥 3
𝑦 1
𝑦 𝐴
⋅ 3 𝐵
Need to restrict sender to a single set
Define common encoding: 𝑧 𝑎,𝑏 = 𝑧 𝑎 𝐴 ⊕ 𝑧 𝑏 𝐵
Each party knows exactly 9 common encodings of 3 values

31. Malicious Security OT OT OT Need to restrict sender to a single set
[RindalRosulek17b] ⊕
⋅ 1 𝐴 ⋅ 2 𝐴 ⋅ 3 𝐴
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1
𝑥 𝑛
𝑦 𝐴 OT
𝑦 2
⋅ 1 𝐵
𝑥 𝐵 𝑥 4 1,2 , 𝑥 4 2,2 , 𝑥 4 3,2
𝑥 4 OT
𝑦 4
𝑦 𝐴
⋅ 2 𝐵 OT
𝑥 𝐵 𝑥 3 1,3 , 𝑥 3 2,3 , 𝑥 3 3,3
𝑥 3
𝑦 1
𝑦 𝐴
⋅ 3 𝐵
Need to restrict sender to a single set
Define common encoding: 𝑧 𝑎,𝑏 = 𝑧 𝑎 𝐴 ⊕ 𝑧 𝑏 𝐵
Each party knows exactly 9 common encodings of 3 values

32. Malicious Security OT OT OT Need to restrict sender to a single set
[RindalRosulek17b] ⊕
⋅ 1 𝐴 ⋅ 2 𝐴 ⋅ 3 𝐴 ⊕
𝑦 𝐴 𝑦 𝐴 𝑦 𝐴
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1
𝑥 𝑛 OT
𝑦 2
⋅ 1 𝐵 𝑦 2 1,1 , 𝑦 4 2,1 , 𝑦 1 3,1
𝑥 𝐵 𝑥 4 1,2 , 𝑥 4 2,2 , 𝑥 4 3,2
𝑥 4 OT
𝑦 4
⋅ 2 𝐵 𝑦 2 1,2 , 𝑦 4 2,2 , 𝑦 1 3,2 OT
𝑥 𝐵 𝑥 3 1,3 , 𝑥 3 2,3 , 𝑥 3 3,3
𝑥 3
𝑦 1
⋅ 3 𝐵 𝑦 2 1,3 , 𝑦 4 2,3 , 𝑦 1 3,3
Send 𝑋
Output 𝑦 if 𝑦 𝑎,𝑏 ∈ 𝑋
Need to restrict sender to a single set
Define common encoding: 𝑧 𝑎,𝑏 = 𝑧 𝑎 𝐴 ⊕ 𝑧 𝑏 𝐵
Each party knows exactly 9 common encodings of 3 values

33. Correctness OT OT OT Need to restrict sender to a single set
[RindalRosulek17b] ⊕
⋅ 1 𝐴 ⋅ 2 𝐴 ⋅ 3 𝐴 ⊕
𝑦 𝐴 𝑦 𝐴 𝑦 𝐴
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1
𝑥 𝑛 OT
𝑦 2
⋅ 1 𝐵 𝑦 2 1,1 , 𝑦 4 2,1 , 𝑦 1 3,1
𝑥 𝐵 𝑥 4 1,2 , 𝑥 4 2,2 , 𝑥 4 3,2
𝑥 4 OT
𝑦 4
⋅ 2 𝐵 𝑦 2 1,2 , 𝑦 4 2,2 , 𝑦 1 3,2 OT
𝑥 𝐵 𝑥 3 1,3 , 𝑥 3 2,3 , 𝑥 3 3,3
𝑥 3
𝑦 1
⋅ 3 𝐵 𝑦 2 1,3 , 𝑦 4 2,3 , 𝑦 1 3,3
Send 𝑋
Output 𝑦 if 𝑦 𝑎,𝑏 ∈ 𝑋
Need to restrict sender to a single set
Define common encoding: 𝑧 𝑎,𝑏 = 𝑧 𝑎 𝐴 ⊕ 𝑧 𝑏 𝐵
Each party knows exactly 9 common encodings of 3 values
Say, 𝑦 2 = 𝑥 𝑛

34. Correctness OT OT OT Need to restrict sender to a single set
[RindalRosulek17b] ⊕
⋅ 1 𝐴 ⋅ 2 𝐴 ⋅ 3 𝐴 ⊕
𝑦 𝐴 𝑦 𝐴 𝑦 𝐴
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1
𝑥 𝑛 OT
𝑦 2
⋅ 1 𝐵 𝑦 2 1,1 , 𝑦 4 2,1 , 𝑦 1 3,1
𝑥 𝐵 𝑥 4 1,2 , 𝑥 4 2,2 , 𝑥 4 3,2
𝑥 4 OT
𝑦 4
⋅ 2 𝐵 𝑦 2 1,2 , 𝑦 4 2,2 , 𝑦 1 3,2 OT
𝑥 𝐵 𝑥 3 1,3 , 𝑥 3 2,3 , 𝑥 3 3,3
𝑥 3
𝑦 1
⋅ 3 𝐵 𝑦 2 1,3 , 𝑦 4 2,3 , 𝑦 1 3,3
Send 𝑋
Output 𝑦 if 𝑦 𝑎,𝑏 ∈ 𝑋
Need to restrict sender to a single set
Define common encoding: 𝑧 𝑎,𝑏 = 𝑧 𝑎 𝐴 ⊕ 𝑧 𝑏 𝐵
Each party knows exactly 9 common encodings of 3 values
Say, 𝑦 2 = 𝑥 𝑛

35. Proof PSI 𝑌 𝑋 ∗ ∩𝑌 Strategy: Must show a simulator: [RindalRosulek17b]⊕
⋅ 1 𝐴 ⋅ 2 𝐴 ⋅ 3 𝐴
Simulator
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1
𝑥 𝑛
𝑦 𝑗 = 𝑥 𝑛 𝑌
𝑋 ∗
PSI
𝑥 𝐵 𝑥 4 1,2 , 𝑥 4 2,2 , 𝑥 4 3,2
𝑥 4
𝑥 𝐵 𝑥 4 1,2 , 𝑥 4 2,2 , 𝑥 4 3,2
𝑥 𝐵 𝑥 3 1,3 , 𝑥 3 2,3 , 𝑥 3 3,3
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1
𝑥 𝐵 𝑥 3 1,3 , 𝑥 3 2,3 , 𝑥 3 3,3
𝑥 3
𝑋 ∗ ∩𝑌
Send 𝑋
Strategy:
For each 𝑥 𝑖 , imagine 𝑥 𝑖 ∈𝑌
Logically place 𝑦 𝑗 = 𝑥 𝑖 at random bin position
E.g. 𝑥 𝑛 ∈𝑌, place 𝑦 𝑗 at position 2
Must show a simulator:
On input 𝑋 outputs 𝑋 ∗
Correct intersection must be 𝑋 ∗ ∩𝑌

36. Proof PSI 𝑌 𝑋 ∗ ∩𝑌 Strategy: Must show a simulator: [RindalRosulek17b]⊕
⋅ 1 𝐴 ⋅ 2 𝐴 ⋅ 3 𝐴
Simulator
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1
𝑥 𝑛
𝑦 𝑗 = 𝑥 𝑛 𝑌
𝑋 ∗
PSI
𝑥 𝐵 𝑥 4 1,2 , 𝑥 4 2,2 , 𝑥 4 3,2
𝑥 4
𝑥 𝐵 𝑥 4 1,2 , 𝑥 4 2,2 , 𝑥 4 3,2
𝑥 𝐵 𝑥 3 1,3 , 𝑥 3 2,3 , 𝑥 3 3,3
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1
𝑥 𝐵 𝑥 3 1,3 , 𝑥 3 2,3 , 𝑥 3 3,3
𝑥 3
𝑋 ∗ ∩𝑌
Send 𝑋
Strategy:
For each 𝑥 𝑖 , imagine 𝑥 𝑖 ∈𝑌
Logically place 𝑦 𝑗 = 𝑥 𝑖 at random bin position
E.g. 𝑥 𝑛 ∈𝑌, place 𝑦 𝑗 at position 2
Must show a simulator:
On input 𝑋 outputs 𝑋 ∗
Correct intersection must be 𝑋 ∗ ∩𝑌

37. Proof PSI 𝑌 𝑋 ∗ ∩𝑌 Strategy: Must show a simulator: [RindalRosulek17b]⊕
⋅ 1 𝐴 ⋅ 2 𝐴 ⋅ 3 𝐴
Simulator
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1
𝑥 𝑛
𝑦 𝑗′ = 𝑥 4 𝑌
𝑋 ∗
PSI
𝑥 𝐵 𝑥 4 1,2 , 𝑥 4 2,2 , 𝑥 4 3,2
𝑥 4
𝑥 𝑛
𝑥 𝐵 𝑥 4 1,2 , 𝑥 4 2,2 , 𝑥 4 3,2
𝑥 𝐵 𝑥 3 1,3 , 𝑥 3 2,3 , 𝑥 3 3,3
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1
𝑥 𝐵 𝑥 3 1,3 , 𝑥 3 2,3 , 𝑥 3 3,3
𝑥 3
𝑋 ∗ ∩𝑌
Send 𝑋
Strategy:
For each 𝑥 𝑖 , imagine 𝑥 𝑖 ∈𝑌
Pick a random bin position to store 𝑦 𝑗 = 𝑥 𝑖
E.g. 𝑥 𝑛 ∈𝑌 then store 𝑦 𝑗 randomly at position 2
Must show a simulator:
On input 𝑋 outputs 𝑋 ∗
Correct intersection must be 𝑋 ∗ ∩𝑌

38. Proof PSI 𝑌 𝑋 ∗ ∩𝑌 Strategy: Must show a simulator: [RindalRosulek17b]⊕
⋅ 1 𝐴 ⋅ 2 𝐴 ⋅ 3 𝐴
Simulator
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1
𝑥 𝑛
𝑦 𝑗′ = 𝑥 4 𝑌
𝑋 ∗
PSI
𝑥 𝐵 𝑥 4 1,2 , 𝑥 4 2,2 , 𝑥 4 3,2
𝑥 4
𝑥 𝑛
𝑥 𝐵 𝑥 4 1,2 , 𝑥 4 2,2 , 𝑥 4 3,2
𝑥 𝐵 𝑥 3 1,3 , 𝑥 3 2,3 , 𝑥 3 3,3
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1
𝑥 𝐵 𝑥 3 1,3 , 𝑥 3 2,3 , 𝑥 3 3,3
𝑥 3
𝑋 ∗ ∩𝑌
Send 𝑋
Strategy:
For each 𝑥 𝑖 , imagine 𝑥 𝑖 ∈𝑌
Logically place 𝑦 𝑗 = 𝑥 𝑖 at random bin position
E.g. 𝑥 𝑛 ∈𝑌, place 𝑦 𝑗 at position 2
Must show a simulator:
On input 𝑋 outputs 𝑋 ∗
Correct intersection must be 𝑋 ∗ ∩𝑌

39. Proof PSI 𝑌 𝑋 ∗ ∩𝑌 Strategy: Must show a simulator: [RindalRosulek17b]⊕
⋅ 1 𝐴 ⋅ 2 𝐴 ⋅ 3 𝐴
Simulator
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1
𝑥 𝑛
𝑦 𝑗′′ = 𝑥 3 𝑌
𝑋 ∗
PSI
𝑥 𝐵 𝑥 4 1,2 , 𝑥 4 2,2 , 𝑥 4 3,2
𝑥 4
𝑥 𝑛
𝑥 4
𝑥 𝐵 𝑥 4 1,2 , 𝑥 4 2,2 , 𝑥 4 3,2
𝑥 𝐵 𝑥 3 1,3 , 𝑥 3 2,3 , 𝑥 3 3,3
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1
𝑥 𝐵 𝑥 3 1,3 , 𝑥 3 2,3 , 𝑥 3 3,3
𝑥 3
𝑋 ∗ ∩𝑌
Send 𝑋
Strategy:
For each 𝑥 𝑖 , imagine 𝑥 𝑖 ∈𝑌
Logically place 𝑦 𝑗 = 𝑥 𝑖 at random bin position
E.g. 𝑥 𝑛 ∈𝑌, place 𝑦 𝑗 at position 2
Must show a simulator:
On input 𝑋 outputs 𝑋 ∗
Correct intersection must be 𝑋 ∗ ∩𝑌

40. Proof PSI 𝑌 𝑋 ∗ ∩𝑌 Strategy: Must show a simulator: [RindalRosulek17b]⊕
⋅ 1 𝐴 ⋅ 2 𝐴 ⋅ 3 𝐴
Simulator
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1
𝑥 𝑛 𝑌
𝑋 ∗
PSI
𝑥 𝐵 𝑥 4 1,2 , 𝑥 4 2,2 , 𝑥 4 3,2
𝑥 4
𝑥 3
𝑥 𝑛
𝑥 4
𝑥 𝐵 𝑥 4 1,2 , 𝑥 4 2,2 , 𝑥 4 3,2
𝑥 𝐵 𝑥 3 1,3 , 𝑥 3 2,3 , 𝑥 3 3,3
𝑥 𝑛 1 𝐵 𝑥 𝑛 1,1 , 𝑥 𝑛 2,1 , 𝑥 𝑛 3,1
𝑥 𝐵 𝑥 3 1,3 , 𝑥 3 2,3 , 𝑥 3 3,3
𝑥 3
𝑋 ∗ ∩𝑌
Send 𝑋
Strategy:
For each 𝑥 𝑖 , imagine 𝑥 𝑖 ∈𝑌
Logically place 𝑦 𝑗 = 𝑥 𝑖 at random bin position
E.g. 𝑥 𝑛 ∈𝑌, place 𝑦 𝑗 at position 2
𝒙 𝒊 ∈ 𝑿 ∗ iff that position is correct
Must show a simulator:
On input 𝑋 outputs 𝑋 ∗
Correct intersection must be 𝑋 ∗ ∩𝑌

41. Send all common encodings 𝑋
Overview
[RindalRosulek17b]
ℎ( 𝑥 1 )
𝑥 𝑛
𝑥 4
𝑦 1
𝑦 2
𝑦 𝑛
𝑦 3
𝑦 4
ℎ( 𝑥 2 )
𝑥 3
𝑥 1 …
𝑂 (𝑛/ log 𝑛 )
ℎ( 𝑥 𝑛 )
𝑥 2
𝑂 (log 𝑛)
Send all common encodings 𝑋
Output 𝑦 if 𝑦 𝑎,𝑏 ∈ 𝑋
For each bin, perform quadratic cost PSI.

42. Send all common encodings 𝑋
Bin Aggregation
[RindalRosulek17b]
𝟏,𝟏 , 𝟐,𝟏 , 𝟑,𝟏 , 𝟒,𝟏 , 𝟓,𝟏
𝑥 𝑛 1,4 , 𝑥 𝑛 2,4 , 𝑥 𝑛 3,4 , 𝑥 𝑛 4,4 , 𝑥 𝑛 5,4
𝟏,𝟐 , 𝟐,𝟐 , 𝟑,𝟐 , 𝟒,𝟐 , 𝟓,𝟐
𝑥 4 1,5 , 𝑥 4 2,5 , 𝑥 4 3,5 , 𝑥 4 4,5 , 𝑥 4 5,5
𝟏,𝟑 , 𝟐,𝟑 , 𝟑,𝟑 , 𝟒,𝟑 , 𝟓,𝟑
𝑥 𝑛
𝑥 4
𝑦 4
𝑥 3
𝑥 1
𝑦 1
𝑦 𝑛
𝑛/ log 𝑛
𝑦 3
𝑥 2
𝑦 2
≈4log 𝑛
Send all common encodings 𝑋
For each bin, perform quadratic cost PSI.
| 𝑋 |≈𝟏𝟔𝑛 log 𝑛 common encodings
¾ of which encode dummy items

43. Send all common encodings 𝑋
Bin Aggregation
[RindalRosulek17b]
𝑥 𝑛
𝑥 4
𝑦 4
𝑥 3
𝑥 1
𝑦 1
𝑦 𝑛
𝑛/ log 𝑛
𝑦 3
𝑥 2
𝑦 2
≈4log 𝑛
Send all common encodings 𝑋
For each bin, perform quadratic cost PSI.
| 𝑋 |≈𝟏𝟔𝑛 log 𝑛 common encodings
¾ of which encode dummy items
Skip all dummy encodings
𝑋 ≔ all real encodings
Send 𝑋 random order
Hides bin load

44. Send common encodings 𝑋
Final Protocol
[RindalRosulek17b]
𝑥 𝑛
𝑥 4
𝑦 4
𝑥 3
𝑥 1
𝑦 1
𝑦 𝑛
𝑛/ log 𝑛
𝑦 3
𝑥 2
𝑦 2
≈4log 𝑛
Send common encodings 𝑋
In random order
Output 𝑦 if 𝑦 𝑎,𝑏 ∈ 𝑋
Protocol:
Hash to bins
Compute common encodings
Send 𝑋 in random order
Overall complexity: 𝑂(𝑛 log 𝑛)

45. Protocol Extensions OT OT
[RindalRosulek17b]
Fastest protocol is in the Random Oracle Model
Utilizes “random” OT
Requires Random Oracle
Standard model variant:
Utilizes many 1-out-of-2 OT
20× more communication
As fast as prior work [RR17a]
Encode-Commit variant:
Random Oracle or Standard model
Communication-Computation tradeoff
Random Oracle 𝑦 ⋅ OT 𝑦 ⋅ OT

46. Comparison
[RindalRosulek17b]
DKT10 - Malicious Diffie-Hellman style approach: 𝑥 𝛼𝛽 = 𝑦 𝛽𝛼
RR17a – Malicious Bloom filter OPRF
12× 6×
450× 8×

47. Comparison
[RindalRosulek17b]
DKT10 - Malicious Diffie-Hellman style approach: 𝑥 𝛼𝛽 = 𝑦 𝛽𝛼
RR17a – Malicious Bloom filter OPRF
Only 3× slower than [KKRT16] (semi-honest)
[RR17b]
𝑂(𝑛) OTs
𝑂 𝑛 log 𝑛 computation/communication
[KKRT16]
𝑂 𝑛 computation/communication
Leverage cuckoo hashing
Very difficult to make malicious secure
12× 6×
450× 8×
[KKRT16]
Naïve

48. The End
Peter Rindal
Mike Rosulek

49. Future Work Cuckoo hashing with malicious security
Richer functionality
PSI cardinality
Google ad revenue
PSI with associated data (SQL-like join)
Multi-party PSI (third talk)
Threshold PSI
Composable PSI/Union
PSI as input to arbitrary secure computation
Join data before running machine learning algorithm