Malicious Secure, Structure-Aware Private Set Intersection

Abstract

Structure-Aware private set intersection (sa-PSI) is a variant of PSI where Alice’s input set A has some publicly known structure, Bob’s input B is an unstructured set of points, and Alice learns the intersection \(A \cap B\). sa-PSI was recently introduced by Garimella et al. (Crypto 2022), who described a semi-honest protocol with communication that scales with the description size of Alice’s set, instead of its cardinality. In this paper, we present the first sa-PSI protocol secure against malicious adversaries.

sa-PSI protocols are built from function secret sharing (FSS) schemes, and the main challenge in our work is ensuring that multiple FSS sharings encode the same structured set. We do so using a cut-and-choose approach. In order to make FSS compatible with cut-and-choose, we introduce a new variant of function secret sharing, called derandomizable FSS (dFSS).

We show how to construct dFSS for union of geometric balls, leading to a malicious-secure sa-PSI protocol where Alice’s input is a union of balls. We also improve prior FSS constructions, giving asymptotic improvements to semi-honest sa-PSI.

G. Garimella, M. Rosulek and J. Singh—Authors partially supported by NSF award S2356A.

Appendices

Appendix

A Weak Boolean FSS Definition

Here we present the original weak boolean FSS formulation from [24] with no false positives.

Definition 14

(bFSS syntax). Let \(\mathcal {S} \subseteq 2^{\mathcal {U}}\) denote a family of sets over input domain \(\mathcal {U} \), security parameter \(\kappa \). A 2-party \(\rho \)-bFSS scheme with algorithms (Share, Eval) has the following syntax:

• \((k_0,k_1)\leftarrow \textsf {Share} (1^\kappa ,S)\): is an algorithm with input the security parameter and (the description of) a set \(S \in \mathcal {S} \) and it outputs key shares \((k_0, k_1)\).

• \(y_\textsf {idx} \leftarrow \textsf {Eval} (1^\kappa ,\textsf {idx},k_\textsf {idx},x)\): is a deterministic algorithm with input security parameter \(\kappa \), party index \(\textsf {idx} \in \{0,1\}\), key share \(k_\textsf {idx} \) and any \(x \in \mathcal {U} \). It outputs a binary string \(y_\textsf {idx} \) of length \(\rho \).

Definition 15

(bFSS security). A 2-party \(\rho \)-bFSS scheme \((\textsf {Share},\textsf {Eval})\) for \(\mathcal {S} \subseteq 2^{\mathcal {U}}\) is secure if is satisfies the following conditions:

• Correctness for yes-instances: For every \(S \in \mathcal {S} \), \(x \in S\):

  $$ \Pr \left( y_0 \oplus y_1 = 0^{\rho } \ \left| \begin{array}{l} (k_0,k_1) \leftarrow \textsf {Share} (1^\kappa ,S) \\ y_0 \leftarrow \textsf {Eval} (1^\kappa ,0,k_0,x) \\ y_1 \leftarrow \textsf {Eval} (1^\kappa ,1,k_1,x) \end{array}\right) \right. = 1 $$

• Correctness for no-instances: For every set \(S \in \mathcal {S} \), \(x \in \mathcal {U} {\setminus } S\):

  $$ \Pr \left( y_0 \oplus y_1 \ne 0^{\rho } \ \left| \begin{array}{l} (k_0,k_1) \leftarrow \textsf {Share} (1^\kappa ,S) \\ y_0 \leftarrow \textsf {Eval} (1^\kappa ,0,k_0,x) \\ y_1 \leftarrow \textsf {Eval} (1^\kappa ,1,k_1,x) \end{array}\right) \right. = 1 $$

• Privacy: For every set \(S \in \mathcal {S} \) and index \(\textsf {idx} \in \{0,1\}\) there exists a simulator Sim such that the following distributions are computationally indistinguishable in the security parameter:

  

B dFSS Proofs/Constructions

1.1 B.1 dFSS for Singleton Sets, Intervals and a d-Dimensional Ball

The construction for the following theorem can be found in Fig. 11.

Fig. 11.

(RShare, DEval) functions of a dFSS for \(\textsf {PT} _{u,d}\)

Theorem 2. Given a strong \(\rho \)-bFSS construction for singleton sets, 1-dimensional interval and d dimensional intervals with an invertible Share function, there exists a corresponding \(\rho \)-dFSS for \(\{ \textsf {PT} _{u,d}, \textsf {INT} _{\delta ,u}, \textsf {BALL} _{\delta ,u,d} \}\).

Proof

We’ll show how this theorem holds for the class of point functions, but a similar proof would follow for the other two collections as well.

To encode collection of point functions, we define its encoding group \(\mathbb {G} _{\textsf {PT}}\) as \([2^{ud}+1]\). The group element \(2^{ud}\) would encode the null set. Which helps us define the Encode function as follows:

$$\begin{aligned} \textsf {Encode} _\textsf {PT} (\{ x \}) = \textsf {map} (x) \text { for } x \in \mathcal {U} _{u,d} \text { and } \textsf {Encode} _\textsf {PT} (\emptyset ) = 2^{ud} \end{aligned}$$

Furthermore, we can define \(\textsf {Encode} ^{-1}_\textsf {PT} \) using the inverse of map. The proposed construction is presented in Fig. 11. Here the RShare outputs keys for a random singleton set, which is later derandomized in DEval to a chosen element by using an appropriate offset. Note, here we can encode a null set as well, by making the offset derandomize the singleton set to \(\{ 2^{ud}\}\) - which is outside the domain of the dFSS. Next we show how each of the dFSS properties are satisfied (Fig. 12).

• Correctness: For any \(x,x^* \in PT_{u,d}\), and offset \(\textsf {offset} = \textsf {Encode} _\textsf {PT} (x^*)-r\), define \(y_\textsf {idx} \) to be \(F{.}\textsf {Eval} (1^\kappa ,\textsf {idx},k,\textsf {map} (x)-\textsf {offset})\). Then \(y_0 \oplus y_1 = 1 \iff \textsf {map} (x)=\textsf {map} (x^*)\) by the correctness of the underlying bFSS scheme, and else \(y_0 \oplus y_1 = 1\).

  If the underlying bFSS has a correctness error - in the sense that the keys \(k_0,k_1\) evaluate to a null set with negligible probability, then the dFSS would give incorrect output for the element \(x^*\) if its not \(\emptyset \). This leads to a negligible error for a yes-instance of this dFSS. This negligible error does arise in point function constructions in [3, 8], which we’ll assume in this work.

  For a no-instance of this dFSS, there is never any error in the output. Since the output \(y_0\oplus y_1\) is always zero when input \(x \ne x^*\).

• Security: This follows directly from the privacy of the underlying bFSS, and by the fact that r acts as a one-time in the offset \(\textsf {Encode} (x^*)-r\).

• Extractability: The Extract functions outputs the secret shared singleton element r, given the two keys \(k_0,k_1\). It can be constructed using the invertible Share function as follows:

  $$ \textsf {Extract} (k_0,k_1) = \textsf {Encode} (\textsf {Share} ^{-1}(1^\kappa ,k_0,k_1)) $$

Similarly a bFSS for 1 dimensional interval and d dimensional fixed radius \(\ell _\infty \) can give us a corresponding dFSS by “reducing the domain size” to ensure a null set can be encoded by a set outside the specified domain of dFSS.

Fig. 12.

(Share,Eval) of a bFSS for a collection of sets given a dFSS F for the same structure

1.2 B.2 bFSS from dFSS

Theorem 6. Given a \(\rho \)-dFSS for \(\mathcal {S} \) with share size \(\sigma \), there exists a corresponding \(\rho \)-bFSS construction for \(\mathcal {S} \) with share size \(\sigma \).

Proof

Note that each of these Encode function are efficiently invertible. The \(\textsf {RShare},\textsf {DEval} \) for all these collections have the same structure, depicted in Fig. 11.

• Correctness: The term \(\sum _{\textsf {idx} \in \{0,1\}} \) \(\textsf {Eval} (\textsf {idx},(k_\textsf {idx},\textsf {Encode} (S)-R),x) = \) \(\sum _{\textsf {idx} \in \{0,1\}}\) \(\textsf {Eval} (\textsf {idx},k_\textsf {idx},\textsf {Encode} (S)-R,x) \). Hence this follows directly from the correctness definition of dFSS.

• Security: The simulator for the bFSS simply runs the simulator for the dFSS.

1.3 B.3 concat

Fig. 13.

dFSS for cross product \(S_1 \times S_2\) given dFSS for \(S_1\) and \(S_2\)

Theorem 7. Given \(\rho _1\)-dFSS \(F_1\) for \(\mathcal {S} _1\) with share size \(\sigma _1\) and \(\rho _2\)-dFSS \(F_2\) for \(\mathcal {S} _2\) with share size \(\sigma _2\), there exists a \(\rho _1+\rho _2\)-dFSS \(\textsf {concat} [F_1,F_2]\) for \(\mathcal {S} _1 \times \mathcal {S} _2\) with share size \(\sigma _1+\sigma _2\). Furthermore, if \(F_1\) and \(F_2\) dFSS have pseduo-random keys, then so does \(\textsf {concat} [F_1,F_2]\).

Proof

Given encode functions \(\textsf {Encode} _1: \mathcal {S} _1 \rightarrow \mathbb {G} _1\) and \(\textsf {Encode} _2: \mathcal {S} _2 \rightarrow \mathbb {G} _2\) for dFSS \(F_1\) and \(F_2\) respectively, we define encode function for concat [\(F_1,F_2\)] \(\textsf {Encode}: \mathcal {S} _1 \times \mathcal {S} _2 \rightarrow \mathbb {G} _1 \times \mathbb {G} _2\) as:

$$ \textsf {Encode} (S_1,S_2) = (\textsf {Encode} _1(S_1),\textsf {Encode} _2(S_2)) $$

Note that this Encode function is efficiently invertible if the two component Encode functions are. Encodings with respect to the new Encode function form a group which is a direct product of the groups for the component FSS.

• Correctness: The correctness of \(F=\textsf {concat} [F_1,F_2]\) reduces to the correctness of \(F_1\) and \(F_2\). The first \(k_1\) bits of the term \(y=\sum _{\textsf {idx} \in \{0,1\}}\) \(F.\textsf {DEval} (\textsf {idx},(k_\textsf {idx} \) \(,\textsf {Encode} (S_1,S_2)-(R_1,R_2)),(x,y)) \) equal \(\sum _{\textsf {idx} \in \{0,1\}}\) \(F_1{.}\textsf {Eval} (\textsf {idx},(k_\textsf {idx},\textsf {Encode} (S_1)-R_1),x) \) and the last \(k_2\) bit of y equal \(\sum _{\textsf {idx} \in \{0,1\}}\) \(F_2{.}\textsf {Eval} (\textsf {idx},(k_\textsf {idx},\textsf {Encode} (S_2)-R_2),x) \). Hence, \(y=0^{k_1+k_2}\) for \((x,y) \in S_1 \times S_2\). And if \(x \not \in S_1\), the first \({k_1}\) bits are not all zero bits with probability at least \(p_1\), and if \(x \not \in S_2\), the last \({k_2}\) bits are not all zero bits with probability at least \(p_2\).

• Security: The simulator \(\textsf {Sim} \) for \(\textsf {concat} [F_1,F_2]\) invokes the simulators for \(F_1\) and \(F_2\), which output \((k_0,\textsf {offset} _0)\) and \((k_1,\textsf {offset} _1)\). Then \(\textsf {Sim} \) outputs \(((k_0,k_1),(\textsf {offset} _0,\textsf {offset} _1))\).

• Extractability: This is reduced to the extractability property of the two underlying dFSS \(F_1\) and \(F_2\) as shown in Fig. 13.