Créer une présentation
Télécharger la présentation

Télécharger la présentation
## Improved Efficiency for Private Stable Matching

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**Improved Efficiency for Private Stable Matching**Matthew Franklin, Mark Gondree, and Payman MohasselUniversity of California, Davis02/07/07 - Session Code: CRYP-203**Stable Matching**• Stable Matching (Marriage): • N men, N women, each with their own preference list • MatchingM has an unstable pair (A,B) if: • (A,B’), (A’,B) in M • A prefers B over B’ • B prefers A over A’ • M is stable if no unstable pairs exist in M A B’ A1 B1 A’ B A2 B2 2**Applications**• Assigning Medical students to Hospitals • In US, Canada, and Scotland • Assigning students to schools and universities • In Norway and Singapore • National Matching Services Inc. 3**Outline**• Introduction • Stable matching problem • Gale-Shapley Algorithm • Privacy Issues • Contributions • Open problems 4**The Gale-Shapley Algorithm**• Notation: • N men :{A1, …, AN} • N women: {B1, …, BN} • Preference list for man i: Ai[1…N] • Preference list for woman i: Bi[1…N] • List of free men in round k : Fk • List of engaged men in round k: Ek 5**Gale-Shapley**• k=1;Fk = {A1, … , AN} • While Fk is non-empty: • Randomly select A from Fk • A proposes to “next” woman B: (Where he ranks B highest among the women to whom he has never proposed before) • If B is free then she becomes engaged to A • If B is engaged to some A’ then • If B prefers A over A’ then remove A and add A’ to Fk • Otherwise, Fk stays the same • Fk+1= Fk; k= k+1 6**Remarks on Gale-Shapley**• Round by Round • Matches made and broken every round • Man optimal • Privacy Issues • Naïve implementation • Matching Authority learns participants’ preference lists • Naively distributed computation • Traffic pattern: history of matches made and broken 7**Setting [Golle, FC06]**• Have multiple (t) Matching Authorities (MAs) • MAs receive encrypted preference lists • MAs compute the stable matching • MAs don’t learn anything • Participants only learn their own partner • Assume: passive adversaries • Security Guaranteed (assuming ≥ 1 honest MA) 8**Our Contribution**• Revisit [Golle] • High Communication complexity (Partly due to the chosen variant of Gale-Shapely used) • Design a Private and Efficient Protocol • Design a new variant of Gale-Shapely • Tune it for private implementation • Crypto assumptions comparable to [Golle] • Lower round and communication complexities 9**Our Contributions, Cont’d**Summary of protocols and efficiency: 10**Our variant of Gale-Shapley**• Real men: {A1, …, AN}, Fake men: {AN+1, …, A2N} • Real women: {B1,…,BN}, Fake women:{BN+1,…,B2N} • Preference lists: • Real men: ( [actual preference list], [BN+1, . . . ,B2N, in any order] ) • Real women: ( [actual preference list], [AN+1, . . . ,A2N, in any order] ) • Fake women:( [AN+1, . . . ,A2N, in any order],[A1, . . . ,AN, in any order]) • Fake men: ( [BN+2, . . . ,B2N, in any order], BN+1, [B1, . . . ,BN, in any order] ) 11**Our Variant, Cont’d**• Initialization: • F1 = {A1} • {A2, …, AN} are engaged to {BN+2,…,B2N}, respectively • {AN+1, …, A2N} are engaged to {B1,…, BN}, respectively • While Fk is not empty: • The free man A in Fk proposes to B (The next woman in his preference list to whom he hasn’t proposed) • If B is engaged to some man A’ • If B prefers A over A’, let Fk+1= {A’}, and pair A and B • Otherwise, Fk+1 = Fk 12**Our Variant, Cont’d 2**• Claim: Once a fake man proposes to woman BN+1, we have a stable matching • Thus, the algorithm’s complexity is O(N2) • Also, “Tuned for privacy” • every round k, |Fk| = 1 • We implement a private version 13**Protocol**• Bids • Two types: Free and Engaged • Set of ciphertexts (constant sized) • Fk = {Free Bids in round k} • Ek = {Engaged Bids in round k} • Preference Lists • Encrypted, held by an MA (the “Database”) • Everything encrypted with threshold homomorphic enc. 14**Protocol**• For k = 1 to 2N2: • Select a single free bid from Fk. • “Open it” to recover the (encrypted) pointers into the database • Access database to get next fiancée's (encrypted) identity • Form the engaged bid • Privately find the conflicting engaged bid (mix, private equality test) • Mix these two engaged bids • “Resolve the conflict” to find the winner and loser (private comparison) • “Break the engagement” for the loser and add him to Fk+1 • Add the winner to Ek • Mix all the bids • Let Ek+1 = Ek 15**Protocol**• For k = 1 to 2N2: • Select a single free bid from Fk. • “Open it” to recover the (encrypted) pointers into the database • Access database to get next fiancée's (encrypted) identity • Form the engaged bid • Privately find the conflicting engaged bid (mix, private equality test) • Mix these two engaged bids • “Resolve the conflict” to find the winner and loser (private comparison) • “Break the engagement” for the loser and add him to Fk+1 • Add the winner to Ek • Mix all the bids • Let Ek+1 = Ek 16**Protocol**• For k = 1 to 2N2: • Select a single free bid from Fk. • “Open it” to recover the (encrypted) pointers into the database • Access database to get next fiancée's (encrypted) identity • Form the engaged bid • Privately find the conflicting engaged bid (mix, private equality test) • Mix these two engaged bids • “Resolve the conflict” to find the winner and loser (private comparison) • “Break the engagement” for the loser and add him to Fk+1 • Add the winner to Ek • Mix all the bids • Let Ek+1 = Ek 17**Protocol**• For k = 1 to 2N2: • Select a single free bid from Fk. • “Open it” to recover the (encrypted) pointers into the database • Access database to get next fiancée's (encrypted) identity • Form the engaged bid • Privately find the conflicting engaged bid (mix, private equality test) • Mix these two engaged bids • “Resolve the conflict” to find the winner and loser (private comparison) • “Break the engagement” for the loser and add him to Fk+1 • Add the winner to Ek • Mix all the bids • Let Ek+1 = Ek 18**Protocol**• For k = 1 to 2N2: • Select a single free bid from Fk. • “Open it” to recover the (encrypted) pointers into the database • Access database to get next fiancée's (encrypted) identity • Form the engaged bid • Privately find the conflicting engaged bid (mix, private equality test) • Mix these two engaged bids • “Resolve the conflict” to find the winner and loser (private comparison) • “Break the engagement” for the loser and add him to Fk+1 • Add the winner to Ek • Mix all the bids • Let Ek+1 = Ek 19**Accessing the database**• Database D, an array of n=(2N)2 ciphertexts • Given E(i), we want to recover element D[i] • Our subprotocol: • Modification of an efficient (1-out-of-n) OT protocol • MAs process E(i) into queries of the protocol • MAs process database’s reply to recover D[i], a ciphertext • Our construction • Uses Stern’s OT (1 round, polylog CC) • Again, using threshold homomorphic encryption 20**A protocol for 2 MAs**• A more efficient protocol for 2-MA case • Private Table Look Ups (LUT) [NN01] (For two-party computation) • Private Computation of Turing Machines with a RAM • Circuits equipped with Private LUT • Our algorithm can be presented as a TM with RAM • Implement privately using [NN01] • Extending to multiparty • Not completely distributed 21**New Developments**• Extending [NN01] to multiparty • Automatically leads to more efficient private stable matching • Leads to nearly optimal communication 22**Thank you!!**Questions?**Golle’s approach**• Golle’s variant of Gale-Shapley: • N real men: {A1,…, AN}, N real women:{B1,…,BN} • N fake men: {AN+1,…,A2N} • Arbitrary preference lists for fake men • Each woman ranks fake men lower than real ones • Initialization • All real men are free • All fake men are engaged (in an arbitrary way)**Golle’s Approach Cont’d**• For K = 1 to n: • While FK is non-empty: • Randomly select A from Fk • A proposes to woman B: • The woman he ranks highest among the women to whom he has never proposed before • B is always engaged to some woman A’: • If B prefers A over A’; Remove A from FK, add A’ to Fk+1 • Otherwise, add A to Fk+1 • Number of free men always N: |FK| = N for all 1≤ K ≤ N**Shortcomings**• Golle implements this variant privately • Re-encryption mix-networks • Threshold homomorphic cryptosystems (Paillier encryption) • Inefficiencies: • Golle’s variant needs O(N2) rounds to reach a stable matching • Complexity of algorithm increases by a factor of N • Another factor N increase • size of ciphertext used in Mix-network: O(N) not constant!