## CryptoDB

### Gayathri Garimella

#### Publications

**Year**

**Venue**

**Title**

2024

CRYPTO

Computation Efficient Structure-Aware PSI From Incremental Function Secret Sharing
Abstract

Structure-Aware Private Set Intersection (sa-PSI), recently introduced by Garimella et al. (Crypto'22), is a PSI variant where Alice's input set $S_A$ has a publicly known structure (for example, interval, ball or union of balls) and Bob's input $S_B$ is an unstructured set of elements. Prior work achieves sa-PSI where the communication cost only scales with the description size of $S_A$ instead of the set cardinality. However, the computation cost remains linear in the cardinality of $S_A$, which could be prohibitively large.
In this work, we present a new semi-honest sa-PSI framework where both computation and communication costs only scale with the description size of $S_A$. Our main building block is a new primitive that we introduce called Incremental Boolean Function Secret Sharing (ibFSS), which is a generalization of FSS that additionally allows for evaluation on input prefixes. We formalize definitions and construct a weak ibFSS for a $d$-dimensional ball with $\ell_\infty$ norm, which may be of independent interest. Independently, we improve spatial hashing techniques (from prior work) when $S_A$ has structure union of $d$-dimensional balls in $(\{0,1\}^u)^d$, each of diameter $\delta$, from $O(u \cdot d \cdot (\log \delta)^d)$ to $O(\log \delta \cdot d)$ in terms of both computation and communication. Finally, we resolve the following open questions from prior work with communication and computation scaling with the description size of the structured set.
- Our PSI framework can handle a union of overlapping structures, while prior work strictly requires a disjoint union.
- We have a new construction that enables Bob with unstructured input $S_B$ to learn the intersection.
- We extend to a richer class of functionalities like structure-aware PSI Cardinality and PSI-Sum of associated values.

2023

CRYPTO

Malicious Secure, Structure-Aware Private Set Intersection
Abstract

Structure-Aware PSI (saPSI) is a variant of PSI where Alice's input set $A$ has some publicly known structure and Bob's input $B$ is an unstructured set of points and Alice wants to learn the intersection $A \cap B$. It was recently introduced by Garimella et al. (Crypto 2022); they present a semi-honest saPSI protocol with communication that scales with the description size of Alice's set, instead of its cardinality. In this paper, we present the first saPSI protocol secure against malicious-adversaries.
We use a cut-and-choose approach to ensure that Alice uses valid FSS sharings, of the same underlying object. In order to handle a technical issue that arises, we introduce a new variant of function secret sharing, called derandomizable FSS (dFSS).
We show how to extend prior FSS constructions for union of geometric balls, to meet the requirements of dFSS. Additionally, we improve FSS constructions that result in asymptotic improvements to the prior semi-honest structure-aware PSI protocol.

2022

CRYPTO

Structure-Aware Private Set Intersection, With Applications to Fuzzy Matching
📺
Abstract

In two-party private set intersection (PSI), Alice holds a set $X$, Bob holds a set $Y$, and they learn (only) the contents of $X \cap Y$.
We introduce \textbf{structure-aware PSI} protocols, which take advantage of situations where Alice's set $X$ is publicly known to have a certain structure.
The goal of structure-aware PSI is to have communication that scales with the \emph{description size} of Alice's set, rather its \emph{cardinality}.
We introduce a new generic paradigm for structure-aware PSI based on function secret-sharing (FSS).
In short, if there exists compact FSS for a class of structured sets, then there exists a semi-honest PSI protocol that supports this class of input sets, with communication cost proportional only to the FSS share size.
Several prior protocols for efficient (plain) PSI can be viewed as special cases of our new paradigm, with an implicit FSS for unstructured sets.
Our PSI protocol can be instantiated from a significantly weaker flavor of FSS, which has not been previously studied.
We develop several improved FSS techniques that take advantage of these relaxed requirements, and which are in some cases exponentially better than existing FSS.
Finally, we explore in depth a natural application of structure-aware PSI.
If Alice's set $X$ is the union of many radius-$\delta$ balls in some metric space, then an intersection between $X$ and $Y$ corresponds to \textbf{fuzzy PSI}, in which the parties learn which of their points are within distance $\delta$.
In structure-aware PSI, the communication cost scales with the number of balls in Alice's set, rather than their total volume.
Our techniques lead to efficient fuzzy PSI for $\ell_\infty$ and $\ell_1$ metrics (and approximations of $\ell_2$ metric) in high dimensions.
We implemented this fuzzy PSI protocol for 2-dimensional $\ell_\infty$ metrics.
For reasonable input sizes, our protocol requires 45--60\% less time and 85\% less communication than competing approaches that simply reduce the problem to plain PSI.

2021

PKC

Private Set Operations from Oblivious Switching
📺
Abstract

Private set intersection reveals the intersection of two private sets, but many real-world applications require the parties to learn $\textit{only}$ partial information} about the intersection.
In this paper, we introduce a new approach for computing arbitrary functions of the intersection, provided that it is safe to also reveal the cardinality of the intersection. In the most general case, our new protocol provides the participants with secret shares of the intersection, which can be fed into any generic 2PC protocol. Certain computations on the intersection can also be done even more directly and efficiently, avoiding this secret-sharing step. These cases include computing $\textit{only}$ the cardinality of the intersection, or the ``cardinality-sum'' application proposed in Ion $\textit{et al.}$ (ePrint 2017). Compared to the state-of-the-art protocol for computing on the intersection (Pinkas et al., Eurocrypt 2019), our protocol has about $2.5-3\times$ less communication and has faster running time on slower (50Mbps) networks.
Our new techniques can also be used to privately compute the {\em union} of two sets as easily as computing the intersection. Our protocol concretely improves the leading private set union protocol (Kolesnikov et al., Asiacrypt 2020) by a factor of $2-2.5\times$, depending on the network speed. We then show how private set union can be used in a simple way to realize the ``Private-ID'' functionality suggested by Buddhavarapu et al.~(ePrint 2020). Our protocol is significantly faster than the prior Private-ID protocol, especially on fast networks.
All of our protocols are in the two-party setting and are secure against semi-honest adversaries.

2021

CRYPTO

Oblivious Key-Value Stores and Amplification for Private Set Intersection
📺
Abstract

Many recent private set intersection (PSI) protocols encode input sets as polynomials. We consider the more general notion of an oblivious key-value store (OKVS), which is a data structure that compactly represents a desired mapping $k_i$ to $v_i$. When the $v_i$ values are random, the OKVS data structure hides the $k_i$ values that were used to generate it. The simplest (and size-optimal) OKVS is a polynomial $p$ that is chosen using interpolation such that $p(k_i)=v_i$.
We initiate the formal study of oblivious key-value stores, and show new constructions resulting in the fastest OKVS to date.
Similarly to cuckoo hashing, current analysis techniques are insufficient for finding *concrete* parameters to guarantee a small failure probability for our OKVS constructions. Moreover,
it would cost too much to run experiments to validate a small upperbound on the failure probability. We therefore show novel techniques to amplify an OKVS construction which has a failure probability $p$, to an OKVS with a similar overhead and failure probability $p^c$. Setting $p$ to be moderately small enables to validate it by running a relatively small number of $O(1/p)$ experiments. This validates a $p^c$ failure probability for the amplified OKVS.
Finally, we describe how OKVS can significantly improve the state of the art of essentially all variants of PSI. This leads to the fastest two-party PSI protocols to date, for both the semi-honest and the malicious settings. Specifically, in networks with moderate bandwidth (e.g., 30 - 300 Mbps) our malicious two-party PSI protocol has 40\% less communication and is 20-40% faster than the previous state of the art protocol, even though the latter only has heuristic confidence.

#### Coauthors

- Gayathri Garimella (5)
- Benjamin Goff (1)
- Peihan Miao (1)
- Payman Mohassel (1)
- Benny Pinkas (1)
- Mike Rosulek (4)
- Saeed Sadeghian (1)
- Jaspal Singh (3)
- Ni Trieu (1)
- Avishay Yanai (1)