Cryptology ePrint Archive: Report 2016/799

Efficient Batched Oblivious PRF with Applications to Private Set Intersection

Vladimir Kolesnikov and Ranjit Kumaresan and Mike Rosulek and Ni Trieu

Abstract: We describe a lightweight protocol for oblivious evaluation of a pseudorandom function (OPRF) in the presence of semi-honest adversaries. In an OPRF protocol a receiver has an input $r$; the sender gets output $s$ and the receiver gets output $F(s,r)$, where $F$ is a pseudorandom function and $s$ is a random seed. Our protocol uses a novel adaptation of 1-out-of-2 OT-extension protocols, and is particularly efficient when used to generate a large batch of OPRF instances. The cost to realize $m$ OPRF instances is roughly the cost to realize $3.5 m$ instances of standard 1-out-of-2 OTs (using state-of-the-art OT extension).

We explore in detail our protocol's application to semi-honest secure private set intersection (PSI). The fastest state-of-the-art PSI protocol (Pinkas et al., Usenix 2015) is based on efficient OT extension. We observe that our OPRF can be used to remove their PSI protocol's dependence on the bit-length of the parties' items. We implemented both PSI protocol variants and found ours to be 3.1--3.6$\times$ faster than Pinkas et al.\ for PSI of 128-bit strings and sufficiently large sets. Concretely, ours requires only 3.8 seconds to securely compute the intersection of $2^{20}$-size sets, regardless of the bitlength of the items. For very large sets, our protocol is only $4.3\times$ slower than the {\em insecure} na\"ıve hashing approach for PSI.

Category / Keywords: cryptographic protocols / oblivious prf, ot extension, private set intersection

Original Publication (in the same form): ACM CCS 2016
DOI:
10.1145/2976749.2978381

Date: received 20 Aug 2016, last revised 20 Aug 2016

Contact author: rosulekm at eecs oregonstate edu

Available format(s): PDF | BibTeX Citation

Version: 20160824:140732 (All versions of this report)

Short URL: ia.cr/2016/799

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]