Download
improved efficiency for private stable matching n.
Skip this Video
Loading SlideShow in 5 Seconds..
Improved Efficiency for Private Stable Matching PowerPoint Presentation
Download Presentation
Improved Efficiency for Private Stable Matching

Improved Efficiency for Private Stable Matching

115 Vues Download Presentation
Télécharger la présentation

Improved Efficiency for Private Stable Matching

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Improved Efficiency for Private Stable Matching Matthew Franklin, Mark Gondree, and Payman MohasselUniversity of California, Davis02/07/07 - Session Code: CRYP-203

  2. Stable Matching • Stable Matching (Marriage): • N men, N women, each with their own preference list • MatchingM has an unstable pair (A,B) if: • (A,B’), (A’,B) in M • A prefers B over B’ • B prefers A over A’ • M is stable if no unstable pairs exist in M A B’ A1 B1 A’ B A2 B2 2

  3. Applications • Assigning Medical students to Hospitals • In US, Canada, and Scotland • Assigning students to schools and universities • In Norway and Singapore • National Matching Services Inc. 3

  4. Outline • Introduction • Stable matching problem • Gale-Shapley Algorithm • Privacy Issues • Contributions • Open problems 4

  5. The Gale-Shapley Algorithm • Notation: • N men :{A1, …, AN} • N women: {B1, …, BN} • Preference list for man i: Ai[1…N] • Preference list for woman i: Bi[1…N] • List of free men in round k : Fk • List of engaged men in round k: Ek 5

  6. Gale-Shapley • k=1;Fk = {A1, … , AN} • While Fk is non-empty: • Randomly select A from Fk • A proposes to “next” woman B: (Where he ranks B highest among the women to whom he has never proposed before) • If B is free then she becomes engaged to A • If B is engaged to some A’ then • If B prefers A over A’ then remove A and add A’ to Fk • Otherwise, Fk stays the same • Fk+1= Fk; k= k+1 6

  7. Remarks on Gale-Shapley • Round by Round • Matches made and broken every round • Man optimal • Privacy Issues • Naïve implementation • Matching Authority learns participants’ preference lists • Naively distributed computation • Traffic pattern: history of matches made and broken 7

  8. Setting [Golle, FC06] • Have multiple (t) Matching Authorities (MAs) • MAs receive encrypted preference lists • MAs compute the stable matching • MAs don’t learn anything • Participants only learn their own partner • Assume: passive adversaries • Security Guaranteed (assuming ≥ 1 honest MA) 8

  9. Our Contribution • Revisit [Golle] • High Communication complexity (Partly due to the chosen variant of Gale-Shapely used) • Design a Private and Efficient Protocol • Design a new variant of Gale-Shapely • Tune it for private implementation • Crypto assumptions comparable to [Golle] • Lower round and communication complexities 9

  10. Our Contributions, Cont’d Summary of protocols and efficiency: 10

  11. Our variant of Gale-Shapley • Real men: {A1, …, AN}, Fake men: {AN+1, …, A2N} • Real women: {B1,…,BN}, Fake women:{BN+1,…,B2N} • Preference lists: • Real men: ( [actual preference list], [BN+1, . . . ,B2N, in any order] ) • Real women: ( [actual preference list], [AN+1, . . . ,A2N, in any order] ) • Fake women:( [AN+1, . . . ,A2N, in any order],[A1, . . . ,AN, in any order]) • Fake men: ( [BN+2, . . . ,B2N, in any order], BN+1, [B1, . . . ,BN, in any order] ) 11

  12. Our Variant, Cont’d • Initialization: • F1 = {A1} • {A2, …, AN} are engaged to {BN+2,…,B2N}, respectively • {AN+1, …, A2N} are engaged to {B1,…, BN}, respectively • While Fk is not empty: • The free man A in Fk proposes to B (The next woman in his preference list to whom he hasn’t proposed) • If B is engaged to some man A’ • If B prefers A over A’, let Fk+1= {A’}, and pair A and B • Otherwise, Fk+1 = Fk 12

  13. Our Variant, Cont’d 2 • Claim: Once a fake man proposes to woman BN+1, we have a stable matching • Thus, the algorithm’s complexity is O(N2) • Also, “Tuned for privacy” • every round k, |Fk| = 1 • We implement a private version 13

  14. Protocol • Bids • Two types: Free and Engaged • Set of ciphertexts (constant sized) • Fk = {Free Bids in round k} • Ek = {Engaged Bids in round k} • Preference Lists • Encrypted, held by an MA (the “Database”) • Everything encrypted with threshold homomorphic enc. 14

  15. Protocol • For k = 1 to 2N2: • Select a single free bid from Fk. • “Open it” to recover the (encrypted) pointers into the database • Access database to get next fiancée's (encrypted) identity • Form the engaged bid • Privately find the conflicting engaged bid (mix, private equality test) • Mix these two engaged bids • “Resolve the conflict” to find the winner and loser (private comparison) • “Break the engagement” for the loser and add him to Fk+1 • Add the winner to Ek • Mix all the bids • Let Ek+1 = Ek 15

  16. Protocol • For k = 1 to 2N2: • Select a single free bid from Fk. • “Open it” to recover the (encrypted) pointers into the database • Access database to get next fiancée's (encrypted) identity • Form the engaged bid • Privately find the conflicting engaged bid (mix, private equality test) • Mix these two engaged bids • “Resolve the conflict” to find the winner and loser (private comparison) • “Break the engagement” for the loser and add him to Fk+1 • Add the winner to Ek • Mix all the bids • Let Ek+1 = Ek 16

  17. Protocol • For k = 1 to 2N2: • Select a single free bid from Fk. • “Open it” to recover the (encrypted) pointers into the database • Access database to get next fiancée's (encrypted) identity • Form the engaged bid • Privately find the conflicting engaged bid (mix, private equality test) • Mix these two engaged bids • “Resolve the conflict” to find the winner and loser (private comparison) • “Break the engagement” for the loser and add him to Fk+1 • Add the winner to Ek • Mix all the bids • Let Ek+1 = Ek 17

  18. Protocol • For k = 1 to 2N2: • Select a single free bid from Fk. • “Open it” to recover the (encrypted) pointers into the database • Access database to get next fiancée's (encrypted) identity • Form the engaged bid • Privately find the conflicting engaged bid (mix, private equality test) • Mix these two engaged bids • “Resolve the conflict” to find the winner and loser (private comparison) • “Break the engagement” for the loser and add him to Fk+1 • Add the winner to Ek • Mix all the bids • Let Ek+1 = Ek 18

  19. Protocol • For k = 1 to 2N2: • Select a single free bid from Fk. • “Open it” to recover the (encrypted) pointers into the database • Access database to get next fiancée's (encrypted) identity • Form the engaged bid • Privately find the conflicting engaged bid (mix, private equality test) • Mix these two engaged bids • “Resolve the conflict” to find the winner and loser (private comparison) • “Break the engagement” for the loser and add him to Fk+1 • Add the winner to Ek • Mix all the bids • Let Ek+1 = Ek 19

  20. Accessing the database • Database D, an array of n=(2N)2 ciphertexts • Given E(i), we want to recover element D[i] • Our subprotocol: • Modification of an efficient (1-out-of-n) OT protocol • MAs process E(i) into queries of the protocol • MAs process database’s reply to recover D[i], a ciphertext • Our construction • Uses Stern’s OT (1 round, polylog CC) • Again, using threshold homomorphic encryption 20

  21. A protocol for 2 MAs • A more efficient protocol for 2-MA case • Private Table Look Ups (LUT) [NN01] (For two-party computation) • Private Computation of Turing Machines with a RAM • Circuits equipped with Private LUT • Our algorithm can be presented as a TM with RAM • Implement privately using [NN01] • Extending to multiparty • Not completely distributed 21

  22. New Developments • Extending [NN01] to multiparty • Automatically leads to more efficient private stable matching • Leads to nearly optimal communication 22

  23. Thank you!! Questions?

  24. Golle’s approach • Golle’s variant of Gale-Shapley: • N real men: {A1,…, AN}, N real women:{B1,…,BN} • N fake men: {AN+1,…,A2N} • Arbitrary preference lists for fake men • Each woman ranks fake men lower than real ones • Initialization • All real men are free • All fake men are engaged (in an arbitrary way)

  25. Golle’s Approach Cont’d • For K = 1 to n: • While FK is non-empty: • Randomly select A from Fk • A proposes to woman B: • The woman he ranks highest among the women to whom he has never proposed before • B is always engaged to some woman A’: • If B prefers A over A’; Remove A from FK, add A’ to Fk+1 • Otherwise, add A to Fk+1 • Number of free men always N: |FK| = N for all 1≤ K ≤ N

  26. Shortcomings • Golle implements this variant privately • Re-encryption mix-networks • Threshold homomorphic cryptosystems (Paillier encryption) • Inefficiencies: • Golle’s variant needs O(N2) rounds to reach a stable matching • Complexity of algorithm increases by a factor of N • Another factor N increase • size of ciphertext used in Mix-network: O(N) not constant!