## Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? (2012)

Citations: 46 (7 self-citations)

### Citations

- **How to Generate and Exchange Secrets.** Yao, 1986. Cited by 724.
  Context: ...these works develop custom PSI protocols using asymmetric cryptography, usually with the explicit remark that they do so because solving PSI via generic techniques (such as garbled-circuit protocols [39]) would be impractical.¹ However, this claim has never been substantiated. The belief that generic techniques for solving PSI are inefficient may stem from several factors: a general feeling that gen...

- **Sorting networks and their applications.** Batcher, 1968. Cited by 653.
  Context: ...must be done by a sorting algorithm that uses a fixed (i.e., oblivious) sequence of comparisons. Most commonly used sorting algorithms do not lead to a size-optimal circuit. However, sorting networks [3] provide a fast circuit implementation of sorting. We further take advantage of the property that each party's inputs are independently sorted in designing a circuit that merges the two sorted lists t...

- **Efficient Private Matching and Set Intersection.** Freedman, Nissim, et al. Cited by 287.

- **An O(n log n) sorting network.** Ajtai, Komlos, et al., 1983. Cited by 238.
  Context: ...e possibilities, but found that they are less efficient than the shuffling network presented in Section 5.3.3. In principle, sorting can also be done with Θ(n log n) gates using the AKS sorting network [1], but the huge constant factor makes this approach impractical. One scenario where sorting could be preferable, however, is when the size n̂ of the intersection is small relative to the size n of the...

- **Efficient oblivious transfer protocols.** Naor, Pinkas, 2001. Cited by 221.
  Context: ...ined within a high-level programming framework. All of our garbled-circuit protocols are implemented using this framework. For the oblivious transfer, our implementation uses the Naor-Pinkas protocol [34]. We also use oblivious transfer extension [19] which achieves an unlimited number of OTs at the cost of (essentially) k OTs, where k is a (statistical) security parameter. In our experiments, we vary...

- **Fairplay – a secure two-party computation system.** Malkhi, Nisan, et al., 2004. Cited by 220.
  Context: ...cols in certain settings. Using generic techniques to generate privacy-preserving protocols has several advantages: by relying on existing software packages for constructing garbled-circuit protocols [17, 32, 33, 36], one need only write down a circuit for the function to be computed rather than having to design and implement a new protocol from scratch. Generic protocols are also inherently more modular than cus...

- **Mathematical Theory of Connecting Networks and Telephone Traffic.** Beneš, 1965. Cited by 178.
  Context: ...proach, a unary gate would require two ciphertexts, but using the garbled-row reduction technique we can reduce this to a single ciphertext.) The Waksman network [38], improving on the Beneš network [5], is a realization of a switching network using exactly n log n − n + 1 2-Swappers when n is a power of 2. (Constant-factor improvements when n is not a power of two were developed by Inria et al. [18], but...

- **Privacy-preserving set operations.** Kissner, Song, 2005. Cited by 152.

- **An efficient protocol for secure two-party computation in the presence of malicious adversaries.** Lindell, Pinkas. Cited by 116.
  Context: ...tees when only the party that evaluates the circuit receives the result and the oblivious transfers are done using an OT protocol secure against malicious behavior. Finally, several techniques (e.g., [21, 28, 30, 37]) are available for converting protocols secure in the semi-honest setting to protocols secure under stronger notions of security (although the best known techniques still impose substantial cost). Th...

- **Improved garbled circuit: Free XOR gates and applications.** Kolesnikov, Schneider, 2008. Cited by 106.
  Context: ...set element, and the size n̂ of the intersection. XOR gates are not counted since these can be implemented "for free" (without performing any cryptographic operations) using the free-XOR optimization [26]. For the BWA and SCS-HE protocols, there are substantial other costs so gate counts alone do not capture the full cost of those protocols. 1.3 Related Work. Most prior work on PSI has focused on devel...

- **Secure two-party computation is practical.** Pinkas, Schneider, et al., 2009. Cited by 100.
  Context: ...cols in certain settings. Using generic techniques to generate privacy-preserving protocols has several advantages: by relying on existing software packages for constructing garbled-circuit protocols [17, 32, 33, 36], one need only write down a circuit for the function to be computed rather than having to design and implement a new protocol from scratch. Generic protocols are also inherently more modular than cus...

- **Sharemind: A framework for fast privacy-preserving computations.** Bogdanov, Laur, et al., 2008. Cited by 92.
  Context: ...intersection (weighted-PSI) problem. They design a circuit for their problem and then use a (different) generic approach to obtain a secure protocol that they implement within the Sharemind framework [6]. However, their approach only works in a multi-party setting with an assumed honest majority. Thus, some of their techniques do not apply to the two-party setting we consider, where there is no honest...

- **Extending oblivious transfers efficiently.** Ishai, Kilian, et al., 2003. Cited by 92.
  Context: ...All of our garbled-circuit protocols are implemented using this framework. For the oblivious transfer, our implementation uses the Naor-Pinkas protocol [34]. We also use oblivious transfer extension [19] which achieves an unlimited number of OTs at the cost of (essentially) k OTs, where k is a (statistical) security parameter. In our experiments, we vary k according to the desired security level (see...

- **The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme.** Bellare, Namprempre, et al. Cited by 91.
  Context: ...SI protocols (in the semi-honest setting) are those of De Cristofaro and Tsudik [10]. Security of their protocols is based on the (non-standard) one-more-discrete-logarithm or one-more-RSA assumptions [4] in the random oracle model. Garbled circuits. Yao's garbled-circuit approach provides a generic mechanism for constructing a (semi-honest) secure two-party protocol for computing f starting from any...

- **A proof of security of Yao's protocol for two-party computation.** Lindell, Pinkas. Cited by 90.
  Context: ...t protocols.) Thus, we need only describe the different types of circuits we construct and can rely on established proofs of security properties for garbled-circuit protocols in the semi-honest model [29]. Our first protocol (Bitwise-AND (BWA)), described in Section 3, uses a circuit based on a bit-vector representation of the parties' sets. The protocol is only practical for small universes; in that...

- **A permutation network.** Waksman, 1968. Cited by 88.
  Context: ...the output also, the second party applies another random permutation to the output elements (or simply sorts them) before sending them back. Switching networks can be constructed using O(n log n) gates [38]. The core component of a switching network is an oblivious swapper (2-Swapper) that takes as input two σ-bit values x and y, and an additional control bit s. If the value of s is 0, the output is x a...

- **Efficient protocols for set intersection and pattern matching with security against malicious and covert adversaries.** Hazay, Lindell, TCC 2008. Cited by 84.

- **TASTY: tool for automating secure two-party computations.** Henecka, Kögl, et al., 2010. Cited by 83.
  Context: ...mplementation. Fairplay [33] provided the first implementation of Yao's garbled-circuit approach, and several subsequent works (e.g., [31, 36]) have explored extensions to the malicious setting. TASTY [16] extended Fairplay to give programmers the flexibility of switching between garbled circuits and approaches using homomorphic encryption. The main drawback of Fairplay (and other tools built on it) is...

- **Towards practical privacy for genomic computation.** Jha, Kruger, et al., 2008. Cited by 59.
  Context: ...phic encryption. The main drawback of Fairplay (and other tools built on it) is that it requires generating and storing the entire garbled circuit before evaluation can begin. Previous authors (e.g., [22, 35]) have thus inappropriately concluded that the garbled-circuit approach cannot scale to large circuits. Recently, Huang et al. [17] developed a garbled-circuit implementation that uses pipelining to a...

- **Efficient two-party secure computation on committed inputs.** Jarecki, Shmatikov, 2007. Cited by 58.
  Context: ...tees when only the party that evaluates the circuit receives the result and the oblivious transfers are done using an OT protocol secure against malicious behavior. Finally, several techniques (e.g., [21, 28, 30, 37]) are available for converting protocols secure in the semi-honest setting to protocols secure under stronger notions of security (although the best known techniques still impose substantial cost). Th...

- **Secure two-party computation via cut-and-choose oblivious transfer.** Lindell, Pinkas. Cited by 58.
  Context: ...tees when only the party that evaluates the circuit receives the result and the oblivious transfers are done using an OT protocol secure against malicious behavior. Finally, several techniques (e.g., [21, 28, 30, 37]) are available for converting protocols secure in the semi-honest setting to protocols secure under stronger notions of security (although the best known techniques still impose substantial cost). Th...

- **Improved garbled circuit building blocks and applications to auctions and computing minima.** Kolesnikov, Sadeghi, et al., Cryptology and Network Security (CANS), 2009. Cited by 55.
  Context: ...ure 2(a) depicts a straightforward implementation of a 2-Sorter circuit. This design uses 4σ non-free binary gates to sort two σ-bit numbers, since the MIN and MAX circuits each use 2σ non-free gates [25]. We observe that the MIN and MAX circuits each contain a GT (greater than) circuit, and they each share the same input. So we can eliminate one GT component to reduce the cost to 3σ non-free binary g...

- **Implementing two-party computation efficiently with security against malicious adversaries.** Lindell, Pinkas, et al., 2008. Cited by 53.
  Context: ...n (used for our instantiation of OT) in the random oracle model. Implementation. Fairplay [33] provided the first implementation of Yao's garbled-circuit approach, and several subsequent works (e.g., [31, 36]) have explored extensions to the malicious setting. TASTY [16] extended Fairplay to give programmers the flexibility of switching between garbled circuits and approaches using homomorphic encryption...

- **Efficient robust private set intersection.** Dachman-Soled, Malkin, et al., 2009. Cited by 44.

- **SCiFI – a system for secure face identification.** Osadchy, Pinkas, et al., 2010. Cited by 41.
  Context: ...phic encryption. The main drawback of Fairplay (and other tools built on it) is that it requires generating and storing the entire garbled circuit before evaluation can begin. Previous authors (e.g., [22, 35]) have thus inappropriately concluded that the garbled-circuit approach cannot scale to large circuits. Recently, Huang et al. [17] developed a garbled-circuit implementation that uses pipelining to a...

- **Foundations of Cryptography, vol. 2: Basic Applications.** Goldreich, 2004. Cited by 39.
  Context: ...rd semi-honest (also known as honest-but-curious) model where parties are assumed to follow the protocol but may then try to learn additional information from the protocol execution. Goldreich's text [12] provides a formal definition. Semi-honest security is sufficient in scenarios where it is difficult to modify software without detection (say, when parties represent large institutions or government...

- **Practical Private Set Intersection Protocols with Linear Computational and Bandwidth Complexity.** Cristofaro, Tsudik. Cited by 37.
  Context: ...formance by optimizing the underlying circuit design. We evaluate our protocols on a range of parameters, comparing them both to each other as well as to a recent protocol by De Cristofaro and Tsudik [10] that is the most efficient PSI protocol previously reported in the literature. Somewhat surprisingly, we found that the generic garbled-circuit approach can outperform the De Cristofaro-Tsudik protoc...

- **Private Intersection of Certified Sets.** Camenisch, Zaverucha. Cited by 36.

- **Fast Secure Computation of Set Intersection.** Jarecki, Liu. Cited by 35.

- **Two-output secure computation with malicious adversaries.** Shelat, Shen, 2011. Cited by 28.

- **A practical universal circuit construction and secure evaluation of private functions.** Kolesnikov, Schneider, 2008. Cited by 28.
  Context: ...CondSwaps with 1-bit output (Figure 3(b)). The latter requires only one non-free gate. Thus, the overall cost of the 2-Sorter circuit is reduced to 2σ non-free binary gates. Kolesnikov and Schneider [26, 27] also designed a conditional-swap circuit (see [26, Fig. 2(b)]). Our CondSwap circuit has an explicit selection input bit, whereas in their case the selection bit is hardwired by the circuit generator...

- **Randomized Shellsort: A simple oblivious sorting algorithm.** Goodrich, 2010. Cited by 27.
  Context: ...more efficient than sorting-based approaches. Batcher's sorting network provides a way to sort using Θ(n log² n) gates [3]. Another possibility is to use the randomized Shellsort algorithm of Goodrich [13], which uses Θ(n log n) gates but has non-zero error probability (corresponding to a small leak of information). We explored both these possibilities, but found that they are less efficient than the shu...

- **Efficient set operations in the presence of malicious adversaries.** Hazay, Nissim, 2010. Cited by 27.

- **Linear-complexity private set intersection protocols secure in malicious model.** Cristofaro, Kim, et al. Cited by 22.
  Context: ...ply some filter, privately specified by the other party, to their input set before computing the intersection (using PSI for post-processing). Many other examples are provided by De Cristofaro et al. [9]. Because of its importance and wide applicability, many protocols for PSI and its variants have been proposed [7–11, 14, 15, 20, 24]. All these works develop custom PSI protocols using asymmetric cr...

- **VMCrypt – modular software architecture for scalable secure computation.** Malka, Katz, 2011. Cited by 22.
  Context: ...cols in certain settings. Using generic techniques to generate privacy-preserving protocols has several advantages: by relying on existing software packages for constructing garbled-circuit protocols [17, 32, 33, 36], one need only write down a circuit for the function to be computed rather than having to design and implement a new protocol from scratch. Generic protocols are also inherently more modular than cus...

- **Secure multi-party sorting and applications.** Jónsson, Kreitz, et al., 2011. Cited by 4.
  Context: ...ional private pre- or post-computation (simply by extending the circuit with the desired pre- or post... Footnote 1: Recently a generic implementation of PSI was considered in the less-accepted three-party setting [23]. We discuss this work further in Section 1.3. [Table residue follows in the snippet: gate counts for the Bitwise-AND (BWA), Pairwise-Comparisons (PWC) and Sort-Compare-Shuffle protocols; truncated.]

- **On arbitrary Waksman networks and their vulnerability. Research Report 3788.** Inria, Antipolis, et al., 1999. Cited by 2.
  Context: ...twork [5], is a realization of a switching network using exactly n log n − n + 1 2-Swappers when n is a power of 2. (Constant-factor improvements when n is not a power of two were developed by Inria et al. [18], but we did not use those in our implementation.) Figure 7 illustrates a Waksman network for n inputs, assuming n is a power of 2. Its design is recursive: an n-input Waksman network is built out of...