#### DMCA

## Efficient private matching and set intersection (2004)

### Cached

### Download Links

- [www.cs.bgu.ac.il]
- [www.cs.princeton.edu]
- [www.cs.princeton.edu:80]
- [www.cs.princeton.edu.nyud.net]
- [www.pdos.lcs.mit.edu]
- [www.cs.princeton.edu]
- [www.scs.cs.nyu.edu]
- [www.freehaven.net]
- [www278.pair.com]
- [www.pinkas.net]
- [freehaven.net]
- [hostmaster.freehaven.net]
- [www.cs.ru.nl]
- [www.cs.ru.nl]
- [www.iacr.org]
- [www.iacr.org]
- [www.scs.cs.nyu.edu]
- [www.cs.princeton.edu.nyud.net]
- DBLP

### Other Repositories/Bibliography

Citations: | 287 - 12 self |

### Citations

981 | Public-key cryptosystems based on composite residuosity classes
- Paillier
- 1999
(Show Context)
Citation Context ... use a semantically-secure public-key encryption scheme that preserves the group homomorphism of addition and allows multiplication by a constant. This property is obtained by Paillier’s cryptosyste=-=m [20]-=- and subsequent constructions [21, 7]. That is, it supports the following operations that can be performed without knowledge of the private key: (i) Given two encryptions Enc(m1) and Enc(m2), we can e... |

822 | Universally Composable Security: A New Paradigm for Cryptographic Protocols. Cryptology ePrint Archive, Report 2000/067
- Canetti
- 2000
(Show Context)
Citation Context ...in our security definitions—both for semi-honest and malicious parties—as they only take into account the parties that “formally” participate in the protocol (unlike, e.g., in universal compos=-=ability [6]-=-). In particular, these definitions allow for any information that is learned by all the participating parties to be sent in the clear. While it may be that creating secure channels for the protocol (... |

327 | Balanced allocations
- Azar, Broder, et al.
- 1999
(Show Context)
Citation Context ...ith high probability (over the selection of h), each bin contains at most kC/B +O( � (kC/B) log B+log B) elements. A better allocation is obtained using the balanced allocation hashing by Azar et al=-=. [2]-=-. The function h now chooses two distinct bins for each item, and the item is mapped into the bin which is less occupied at the time of placement. In the resulting protocol, the server uses h to locat... |

297 | Limiting privacy breaches in privacy preserving data mining
- Evfimievski, Gehrke, et al.
- 2003
(Show Context)
Citation Context ...educed to O(k log N), while retaining the O(k 2 log N) communication overhead [18]. There are additional constructions that solve the private matching problem at the cost of only O(k) exponentiations =-=[12, 8]-=-. However, these constructions were only analyzed in the random oracle model, against semi-honest parties. Disjointness and set intersection. Protocols for computing (or deciding) the intersection of ... |

257 | Computationally private information retrieval with polylogarithmic communication, Eurocrypt
- Cachin, Micali, et al.
- 1999
(Show Context)
Citation Context ...protocol in use. Naor and Pinkas [19] showed how to combine a the � N 1 OT protocol with any computational PIR scheme, under the DDH assumption. Combining this result with PIR scheme of Cachin et al=-=. [5] (or of -=-Kiayias and Yung [15]) results in λ polylog(N) communication, for security parameter λ. Our protocol Intersect-Approx repeatedly invokes Private-Sample-B with B(α, β) = α∧β, for a maximum of M... |

232 |
Oblivious transfer and polynomial evaluation
- Naor, Pinkas
- 1999
(Show Context)
Citation Context ...om a domain of size N. A circuit computing this function has O(log N) gates, and therefore can be securely evaluated with this overhead. Specialized protocols for this function were also suggested in =-=[9, 18, 17]-=-, and they essentially have the same overhead. A solution in [3] provides fairness in addition to security. A circuit-based solution for computing PM of datasets of length k requires O(k 2 log N) comm... |

221 |
Efficient oblivious transfer protocols
- Naor, Pinkas
- 2001
(Show Context)
Citation Context ...ations that led to it. This may be achieved, e.g., by multiplying the result by a random encryption of 1. 7 This construction can be considered a generalization of the oblivious transfer protocols of =-=[19, 1, 17]-=-. In those, a client retrieving item i sends to the server a predicate which is 0 if and only if i = j where j ∈ [N]. 8 It is sufficient for Step 3 of the protocol that C is able to decide whether som... |

218 | A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system
- Damg˚ard, Jurik
- 2001
(Show Context)
Citation Context ...key encryption scheme that preserves the group homomorphism of addition and allows multiplication by a constant. This property is obtained by Paillier’s cryptosystem [20] and subsequent constructions =-=[21,7]-=-. That is, it supports the following operations that can be performed without knowledge of the private key: (i) Given two encryptions Enc(m1) and Enc(m2), we can efficiently compute Enc(m1+m2). (ii) G... |

200 | Limits on the provable consequences of one-way permutations
- Impagliazzo, Rudich
- 1989
(Show Context)
Citation Context ... strings, {0|b0, 1|b1}, and the chooser generates the list {σ|0, σ|1}. Then, they run the PM protocol, at the end of which the chooser learns σ|bσ. It follows by the results of Impagliazzo and Rud=-=ich [13]-=- that there is no black-box reduction of private matching from one-way functions. Since the reduction is used to show an impossibility result, it is sufficient to show it for the simplest form of OT, ... |

194 |
The probabilistic communication complexity of set intersection
- Kalyanasundaram, Schintger
(Show Context)
Citation Context ...ties in the protocol hold subsets a and b of {1, . . . , N}. The disjointness function Disj(a, b) is defined to be 1 if the sets a, b have an empty intersection. It is well known that Rɛ(Disj) = Θ(N=-=) [14, 22]. A-=-n immediate implication is that computing |a ∩ b| requires Θ(N) communication. Therefore, even without taking privacy into consideration, the communication complexity of private matching is at leas... |

123 | Priced oblivious transfer: How to sell digital goods
- Aiello, Ishai, et al.
- 2001
(Show Context)
Citation Context ...ations that led to it. This may be achieved, e.g., by multiplying the result by a random encryption of 1. 7 This construction can be considered a generalization of the oblivious transfer protocols of =-=[19, 1, 17]. -=-In those, a client retrieving item i sends to the server a predicate which is 0 if and only if i = j where j ∈ [N]. 8 It is sufficient for Step 3 of the protocol that C is able to decide whether som... |

106 | Secure multiparty computation of approximations
- Feigenbaum, Ishai, et al.
- 2001
(Show Context)
Citation Context ... or (iii) compute some other function of the intersection set. – We consider private approximation protocols for the intersection size (similar to the private approximation of the Hamming distance b=-=y [10]-=-). A simple reduction from the communication lower-bound on disjointness shows that this problem cannot have a sublinear worst-case communication overhead. We show a sampling-based private approximati... |

81 | Using multiple hash functions to improve IP lookups
- Broder, Mitzenmacher
(Show Context)
Citation Context ...ase that C is unlucky in her choice of h such that more than M items are mapped to some bin. The bound of [2] only guarantees that this happens with probability o(1). However, Broder and Mitzenmacher =-=[4] h-=-ave shown that asymptotically, when we map n items into n bins, the number of bins with i or more items falls approximately like 2−2.6i. This means that a bound of M = 5 suffices with probability 10... |

80 | Secure multi-party computation
- Goldreich
- 1998
(Show Context)
Citation Context ...ary models This paper considers both semi-honest and malicious adversaries. Due to space constraints, we only provide the intuition and informal definitions of these models. The reader is referred to =-=[11]-=- for the full definitions. Semi-honest adversaries. In this model, both parties are assumed to act according to their prescribed actions in the protocol. The security definition is straightforward, pa... |

78 | Comparing Information Without Leaking It
- Fagin, Naor, et al.
- 1996
(Show Context)
Citation Context ...om a domain of size N. A circuit computing this function has O(log N) gates, and therefore can be securely evaluated with this overhead. Specialized protocols for this function were also suggested in =-=[9, 18, 17]-=-, and they essentially have the same overhead. A solution in [3] provides fairness in addition to security. A circuit-based solution for computing PM of datasets of length k requires O(k 2 log N) comm... |

47 |
A generalization, a simplification and some applications of paillier’s probabilistic public-key system
- Damg˚ard, Jurik
- 1992
(Show Context)
Citation Context ...key encryption scheme that preserves the group homomorphism of addition and allows multiplication by a constant. This property is obtained by Paillier’s cryptosystem [20] and subsequent construction=-=s [21, 7]-=-. That is, it supports the following operations that can be performed without knowledge of the private key: (i) Given two encryptions Enc(m1) and Enc(m2), we can efficiently compute Enc(m1 +m2). (ii) ... |

42 | Hogg Enhancing privacy and trust in electronic communities
- Huberman, Franklin, et al.
(Show Context)
Citation Context ...educed to O(k log N), while retaining the O(k 2 log N) communication overhead [18]. There are additional constructions that solve the private matching problem at the cost of only O(k) exponentiations =-=[12, 8]-=-. However, these constructions were only analyzed in the random oracle model, against semi-honest parties. Disjointness and set intersection. Protocols for computing (or deciding) the intersection of ... |

41 | Verifiable homomorphic oblivious transfer and private equality test
- Lipmaa
- 2003
(Show Context)
Citation Context ...om a domain of size N. A circuit computing this function has O(log N) gates, and therefore can be securely evaluated with this overhead. Specialized protocols for this function were also suggested in =-=[9, 18, 17]-=-, and they essentially have the same overhead. A solution in [3] provides fairness in addition to security. A circuit-based solution for computing PM of datasets of length k requires O(k 2 log N) comm... |

40 | A fair and efficient solution to the socialist millionaires’ problem
- Boudot, Schoenmakers, et al.
(Show Context)
Citation Context ...tes, and therefore can be securely evaluated with this overhead. Specialized protocols for this function were also suggested in [9, 18, 17], and they essentially have the same overhead. A solution in =-=[3]-=- provides fairness in addition to security. A circuit-based solution for computing PM of datasets of length k requires O(k 2 log N) communication and O(k log N) oblivious transfers. Another trivial co... |

34 |
Applications of matrix methods to the theory of lower bounds in computational complexity
- Razborov
- 1990
(Show Context)
Citation Context ...ties in the protocol hold subsets a and b of {1, . . . , N}. The disjointness function Disj(a, b) is defined to be 1 if the sets a, b have an empty intersection. It is well known that Rɛ(Disj) = Θ(N=-=) [14, 22]. A-=-n immediate implication is that computing |a ∩ b| requires Θ(N) communication. Therefore, even without taking privacy into consideration, the communication complexity of private matching is at leas... |

29 |
Efficient oblivious transfer protocols
- Noar, Pinkas
- 2001
(Show Context)
Citation Context ...ations that led to it. This may be achieved, e.g., by multiplying the result by a random encryption of 1. 7 This construction can be considered a generalization of the oblivious transfer protocols of =-=[19, 1, 17]. -=-In those, a client retrieving item i sends to the server a predicate which is 0 if and only if i = j where j ∈ [N]. 8 It is sufficient for Step 3 of the protocol that C is able to decide whether som... |

22 | Trapdooring discrete logarithms on elliptic curves over rings
- Paillier
- 2000
(Show Context)
Citation Context ...key encryption scheme that preserves the group homomorphism of addition and allows multiplication by a constant. This property is obtained by Paillier’s cryptosystem [20] and subsequent construction=-=s [21, 7]-=-. That is, it supports the following operations that can be performed without knowledge of the private key: (i) Given two encryptions Enc(m1) and Enc(m2), we can efficiently compute Enc(m1 +m2). (ii) ... |

20 | Moti: Secure Games with Polynomial Expressions
- Kiayias, Yung
(Show Context)
Citation Context ...nkas [19] showed how to combine a the � N 1 OT protocol with any computational PIR scheme, under the DDH assumption. Combining this result with PIR scheme of Cachin et al. [5] (or of Kiayias and Yun=-=g [15]) result-=-s in λ polylog(N) communication, for security parameter λ. Our protocol Intersect-Approx repeatedly invokes Private-Sample-B with B(α, β) = α∧β, for a maximum of M invocations. We call an invo... |

2 | 3. Fabrice Boudot, Berry Schoenmakers, and Jacques Traore. A fair and efficient solution to the socialist millionaires' problem - Cachin, Micali, et al. - 1999 |