Private Matching

1
Cryptography on the Hope for Privacy in a
Digital World
Omer Reingold VVeizmann
2
So, is there Hope for Privacy?

• No! Privacy is doomed! Enjoy your sandwiches
• 
  Is this what we
  
  invited you for?
• On second thought, the digital world gives new
  hope for privacy!
• Selling digital goods (w/ Bill Aiello and Yuval
  Ishai)
• Keyword database search (w/ Mike Freedman, Yuval
  Ishai, and Benny Pinkas)

3
Day to Day Breaches of Privacy

• When/how can it be better?

4
Anonymity?
Not in this Talk!
5
Selling Digital Goods

• How good are digital goods?
• Entertainment TV, music, video, books, software
• Business news, stock quotes, patents, layoff
  rumors
• Research papers, research databases, clip-art
• Whats special about digital goods?
• Typically of unlimited supply (easy to
  duplicate).
• Easy to communicate and manipulate
• Main goal protect the privacy of clients
• What
• When
• How much
• (But not who)

6
Example
Encrypted Individually
7
Oblivious Transfer (OT) R, 1-out-of-N EGL

• Input
• Vendor x1,x2,,xn
• Buyer 1 j n
• Output
• Vendor nothing
• Buyer xj
• Privacy
• Vendor learns nothing about j
• Buyer learns nothing about xi for i ? j
• 4
• Not necessarily two messages
• Related notions Private Information Retrievable
  CGKS / Symmetrically- Private Information
  Retrievable GIKM

j
Xj
8
Priced OT AIR
Vendor
Buyer
Initial payment b0
Set bb0
9
Comparison with E-cash Cha85,CFN88,...

• E-cash
  Priced OT

Payment digital
any Goods
any digital Hides
who what Access to
goods anonymous any
10
General Perspective

• Priced OT is an instance of secure two-party
  computation.
• Theoretical plausibility result are known
  Yao,GMW.
• However General solutions are costly
  (computation, bandwidth, rounds).
• A major endeavor in cryptography Identifying
  interesting specific problems and suggesting more
  efficient solutions.

11
Tool Homomorphic Encryption

• Plaintexts from (G,)
• E(a),E(b) ? E(ab)

• E(a),c ? E(ca)

• G large prime
• Can use either additive GZP or multiplicative
  G?ZP
• In particular, can use El-Gamal.

12
Conditional Disclosure of Secrets GIKM,AIR
E(q),pk
Buyer
Vendor
(sk,pk)
a
E(a)
E(CDS( a V(q) ))

• Honest Buyer V(q) True
• How to protect against a malicious Buyer?
• Method 1 Buyer proves in ZK that V(q) True
• Method 2 Vendor disclose a subject to the
  condition V(q) True.
• Notation CDS( a V(q) )

13
Conditional Disclosure of Secrets - Implementation
E(q),pk
Buyer
Vendor
(sk,pk)
a
E(CDS( a V(q) ))

• a,q,i ?G
• CDS(a qi) ar(q-i)
  r ?R1,,G
• E is homomorphic - E(CDS( a V(q) )) can be
  computed from E(q)
• Information-theoretic security for Vendor (hides
  a).
• Need to verify validity of pk Easy for
  El-Gamal!

14
Application 1-Round OT AIR,NP

• Weakened / incomparable notion of security vs.
  simulation
• Vendors security purely information-theoretic
• Buyers security privacy only.

15
Database Search

• OT/PIR/SPIR allow to privately retrieve the ith
  entry of a database. Efficiency depends linearly
  (at least) on the size of the database.
• Sometime this is not enough. For example,
  consider a list of fraudulent card numbers. A
  merchant wants to check if a particular number is
  in the least.
• Use OT/PIR?
• Table of 1016 253 entries, 1 if fraudulent, 0
  otherwise?
• Works on supporting more general database search.

16
Keyword Search (KS) definition

• Input
• Server database X (xi,pi ) , 1 i N
• xi is a keyword (e.g. number of a corrupt card)
• pi is the payload (e.g. why card is corrupt)
• Client search word w (e.g. credit card number)
• Output
• Server nothing
• Client
• pi if ? i xi w
• otherwise nothing

17
Conclusions

• Our expectation of privacy in the digital
  world should not be bounded to our physical
  world experiences.
• The ability to duplicate, manipulate and
  communicate digital information is key.
• Very powerful cryptographic tool in the form of
  secure function evaluation.
• Research on efficient instantiations, possibly
  with some security relaxations.