Fair private set intersection with a semi-trusted arbiter

A private set intersection (PSI) protocol allows two parties to compute the intersection of their input sets privately. Most of the previous PSI protocols only output the result to one party and the other party gets nothing from running the protocols. However, a mutual PSI protocol in which both parties can get the output is highly desirable in many applications. A major obstacle in designing a mutual PSI protocol is how to ensure fairness. In this paper we present the first fair mutual PSI protocol which is efficient and secure. Fairness of the protocol is obtained in an optimistic fashion, i.e. by using an offline third party arbiter. In contrast to many optimistic protocols which require a fully trusted arbiter, in our protocol the arbiter is only required to be semi-trusted, in the sense that we consider it to be a potential threat to both parties' privacy but believe it will follow the protocol. The arbiter can resolve disputes without knowing any private information belongs to the two parties. This feature is appealing for a PSI protocol in which privacy may be of ultimate importance

Fair mPSI and mPSI-CA: Efficient Constructions in Prime Order Groups with Security in the Standard Model against Malicious Adversary

In this paper, we propose a construction of fair and efficient mutual Private Set Intersection (mPSI) with linear communication and computation complexities, where the underlying group is of prime order. The main tools in our approach include: (i) ElGamal and Distributed ElGamal Cryptosystems as multiplicatively Homomorphic encryptions, (ii) Cramer-Shoup Cryptosystem as Verifiable encryption. Our mPSI is secure in standard model against malicious parties under Decisional Diffie-Hellman (DDH) assumption. Fairness is achieved using an off-line semi-trusted arbiter. Further, we extend our mPSI to mutual Private Set Intersection Cardinality (mPSI-CA) retaining all the security properties of mPSI. More interestingly, our mPSI-CA is the first fair mPSI-CA with linear complexity

Secure and efficient multiparty private set intersection cardinality

17 USC 105 interim-entered record; under review.The article of record as published may be found at http://dx.doi.org/10.3934/amc.2020071In the field of privacy preserving protocols, Private Set Intersection (PSI) plays an important role. In most of the cases, PSI allows two parties to securely determine the intersection of their private input sets, and no other information. In this paper, employing a Bloom filter, we propose a Multiparty Private Set Intersection Cardinality (MPSI-CA), where the number of participants in PSI is not limited to two. The security of our scheme is achieved in the standard model under the Decisional Diffie-Hellman (DDH) assumption against semi-honest adversaries. Our scheme is flexible in the sense that set size of one participant is independent from that of the others. We consider the number of modular exponentiations in order to determine computational complexity. In our construction, communication and computation overheads of each participant is O(vmaxk) except that the complexity of the designated party is O(v1), where vmax is the maximum set size, v1 denotes the set size of the designated party and k is a security parameter. Particularly, our MSPI-CA is the first that incurs linear complexity in terms of set size, namely O(nvmaxk), where n is the number of participants. Further, we extend our MPSI-CA to MPSI retaining all the security attributes and other properties. As far as we are aware of, there is no other MPSI so far where individual computational cost of each participant is independent of the number of participants. Unlike MPSI-CA, our MPSI does not require any kind of broadcast channel as it uses star network topology in the sense that a designated party communicates with everyone else

Secure and Efficient Multiparty Private Set Intersection Cardinality

The article of record as published may be found at http://dx.doi.org/10.3934/amc.2020071In the field of privacy preserving protocols, Private Set Intersection (PSI) plays an important role. In most of the cases, PSI allows two parties to securely determine the intersection of their private input sets, and no other information. In this paper, employing a Bloom filter, we propose a Multiparty Private Set Intersection Cardinality (MPSI-CA), where the number of participants in PSI is not limited to two. The security of our scheme is achieved in the standard model under the Decisional Diffie-Hellman (DDH) assumption against semi-honest adversaries. Our scheme is flexible in the sense that set size of one participant is independent from that of the others. We consider the number of modular exponentiations in order to determine computational complexity. In our construction, communication and computation overheads of each participant is O(v max k) except that the complexity of the designated party is O(v1), where v max is the maximum set size, v1 denotes the set size of the designated party and k is a security parameter. Particularly, our MSPI-CA is the first that incurs linear complexity in terms of set size, namely O(nv max k), where n is the number of participants. Further, we extend our MPSI-CA to MPSI retaining all the security attributes and other properties. As far as we are aware of, there is no other MPSI so far where individual computational cost of each participant is independent of the number of participants. Unlike MPSI-CA, our MPSI does not require any kind of broadcast channel as it uses star network topology in the sense that a designated party communicates with everyone else

Recurring Contingent Service Payment

Fair exchange protocols let two mutually distrustful parties exchange digital data in a way that neither party can cheat. They have various applications such as the exchange of digital items, or the exchange of digital coins and digital services between a buyer and seller. At CCS 2017, two blockchain-based protocols were proposed to support the fair exchange of digital coins and a certain service; namely, "proofs of retrievability" (PoR). In this work, we identify two notable issues of these protocols, (1) waste of the seller's resources, and (2) real-time information leakage. To rectify these issues, we formally define and propose a blockchain-based generic construction called "recurring contingent service payment" (RC-S-P). RC-S-P lets a fair exchange of digital coins and verifiable service occur periodically while ensuring that the buyer cannot waste the seller's resources, and the parties' privacy is preserved. It supports arbitrary verifiable services, such as PoR, or verifiable computation and imposes low on-chain overheads. Also, we present a concrete efficient instantiation of RC-S-P when the verifiable service is PoR. The instantiation is called "recurring contingent PoR payment" (RC-PoR-P). We have implemented RC-PoR-P and analysed its cost. When it deals with a 4-GB outsourced file, a verifier can check a proof in 90 milliseconds, and a dispute between prover and verifier is resolved in 0.1 milliseconds

Recurring Contingent Service Payment

Fair exchange protocols let two mutually distrustful parties exchange digital data in a way that neither party can cheat. They have various applications such as the exchange of digital items, or the exchange of digital coins and digital services between a buyer/client and seller/server. In this work, we formally define and propose a generic blockchain-based construction called "Recurring Contingent Service Payment" (RC-S-P). It (i) lets a fair exchange of digital coins and verifiable service reoccur securely between clients and a server while ensuring that the server is paid if and only if it delivers a valid service, and (ii) ensures the parties' privacy is preserved. RC-S-P supports arbitrary verifiable services, such as "Proofs of Retrievability" (PoR) or verifiable computation and imposes low on-chain overheads. Our formal treatment and construction, for the first time, consider the setting where either client or server is malicious. We also present a concrete efficient instantiation of RC- S-P when the verifiable service is PoR. We implemented the concrete instantiation and analysed its cost. When it deals with a 4-GB outsourced file, a verifier can check a proof in only 90 milliseconds, and a dispute between a prover and verifier is resolved in 0.1 milliseconds. At CCS 2017, two blockchain-based protocols were proposed to support the fair exchange of digital coins and a certain verifiable service; namely, PoR. In this work, we show that these protocols (i) are susceptible to a free-riding attack which enables a client to receive the service without paying the server, and (ii) are not suitable for cases where parties' privacy matters, e.g., when the server's proof status or buyer's file size must remain private from the public. RC- S-P simultaneously mitigates the above attack and preserves the parties' privacy

Recurring Contingent Payment for Proofs of Retrievability

Fair exchange protocols let two mutually distrusted parties exchange digital data in a way that neither can cheat. At CCS 2017, Campanelli et al. proposed two blockchain-based protocols for the fair exchange of digital coins and a certain service, i.e., “proofs of retrievability” (PoR), that take place between a buyer and seller. In this work, we identify two serious issues of these schemes; namely, (1) a malicious client can waste the seller’s resources, and (2) real-time leakage of information to non-participants in the exchange. To rectify the issues, we propose a “recurring contingent PoR payment” (RC-PoR-P). It lets the fair exchange reoccur while ensuring that the seller’s resources are not wasted, and the parties’ privacy is preserved. We implemented the RC- PoR-P. Our cost analysis indicates that the RC-PoR-P is efficient. The RC-PoR-P is the first of its kind that offers all the above features

VD-PSI : verifiable delegated private set intersection on outsourced private datasets

Private set intersection (PSI) protocols have many real world applications. With the emergence of cloud computing the need arises for PSI protocols on outsourced datasets where the computation is delegated to the cloud. However, due to the possibility of cloud misbehaviors, it is essential to verify the correctness of any delegated computation, and the integrity of any outsourced datasets. Verifiable Computation on private datasets that does not leak any information about the data is very challenging, especially when the datasets are outsourced independently by different clients. In this paper we present VD-PSI, a protocol that allows multiple clients to outsource their private datasets and delegate computation of set intersection to the cloud, while being able to verify the correctness of the result. Clients can independently prepare and upload their datasets, and with their agreement can verifiably delegate the computation of set intersection an unlimited number of times, without the need to download or maintain a local copy of their data. The protocol ensures that the cloud learns nothing about the datasets and the intersection. VD-PSI is efficient as its verification cost is linear to the intersection cardinality, and its computation and communication costs are linear to the dataset cardinality. Also, we provide a formal security analysis in the standard model

Secure Multi-Party Computation In Practice

Secure multi-party computation (MPC) is a cryptographic primitive for computing on private data. MPC provides strong privacy guarantees, but practical adoption requires high-quality application design, software development, and resource management. This dissertation aims to identify and reduce barriers to practical deployment of MPC applications. First, the dissertation evaluates the design, capabilities, and usability of eleven state-of-the-art MPC software frameworks. These frameworks are essential for prototyping MPC applications, but their qualities vary widely; the survey provides insight into their current abilities and limitations. A comprehensive online repository augments the survey, including complete build environments, sample programs, and additional documentation for each framework. Second, the dissertation applies these lessons in two practical applications of MPC. The first addresses algorithms for assessing stability in financial networks, traditionally designed in a full-information model with a central regulator or data aggregator. This case study describes principles to transform two such algorithms into data-oblivious versions and benchmark their execution under MPC using three frameworks. The second aims to enable unlinkability of payments made with blockchain-based cryptocurrencies. This study uses MPC in conjunction with other privacy techniques to achieve unlinkability in payment channels. Together, these studies illuminate the limitations of existing software, develop guidelines for transforming non-private algorithms into versions suitable for execution under MPC, and illustrate the current practical feasibility of MPC as a solution to a wide variety of applications