Movatterモバイル変換

[0]ホーム
URL:

Skip to main content

Advertisement

Springer Nature Link
Log in

Practically Efficient Private Set Intersection from Trusted Hardware with Side-Channels

  • Conference paper
  • First Online:

Abstract

Private set intersection (PSI) is one of the most important privacy-enhancing technologies with applications such as malware and spam detection, recognition of child pornography, contact discovery, or, more recently, contact tracing. In this paper, we investigate how PSI can be constructed and implemented simply and practically efficient. To this end, a natural possibility is the use of trusted execution environments (TEEs), which are commonly used in place of a trusted third party due to their presumed security guarantees. However, this trust is often not warranted: Today’s TEEs like Intel SGX suffer from a number of side-channels that allow the host to learn secrets of a TEE, unless countermeasures are taken. Furthermore, due to the high complexity and closed-source nature, it cannot be ruled out that a TEE is passively corrupted,i.e. leaks secrets to the manufacturer or a government agency such as the NSA. When constructing a protocol using TEEs, such (potential) vulnerabilities need to be accounted for. Otherwise, all security may be lost.

We propose a protocol for two-party PSI whose security holds in a setting where TEEs cannot be fully trusted,e.g. due to the existence of side-channels. In particular, we deal with the possibilities that i) the TEE is completely transparent for the host, except for very simple secure cryptographic operations or ii) that it leaksall secrets to a third party,e.g. the manufacturer. Even in this challenging setting, our protocol is not only very fast, but also conceptually simple, which is an important feature as more complex protocols tend to be implemented with subtle security faults.

To formally capture this setting, we define variants of the ideal functionality for TEEs due to Passet al. (EUROCRYPT 2017). Using these functionalities, we prove our protocol’s security, which holds under universal composition. To illustrate the usefulness of our model, we sketch other possible applications like (randomized) oblivious transfer or private computation of the Hamming distance.

Our PSI implementation, which uses Intel SGX as TEE, computes the intersection between two sets with\(2^{24}\) 128-bit elements in 7.3 s. This makes our protocol the fastest PSI protocol to date with respect to single-threaded performance.

This is a preview of subscription content,log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
JPY 3498
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
JPY 9151
Price includes VAT (Japan)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
JPY 11439
Price includes VAT (Japan)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide -see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Similar content being viewed by others

Notes

  1. 1.

    While this can be prevented in principle by using appropriate building blocks (e.g. by obtaining an independent key for the hash function using a coin-toss build from a non-malleable commitment scheme), we are not aware that this is done in practice.

  2. 2.

    Depending on the model considered, this approach may not yield provable security for technical reasons. For example the model of [39] provably requirestwo TEEs for any two-party functionality. However, as this is outside the scope of our paper, we will not further discuss it and refer the interested reader to [39].

  3. 3.

    In\(\mathcal {F}_\textrm{oPSI}\) and\(\pi _{\textrm{oPSI}}\), we assume that\(\ell = \kappa \). However, this can be easily generalized.

  4. 4.

References

  1. Ahmad, A., Kim, K., Sarfaraz, M.I., Lee, B.: OBLIVIATE: a data oblivious filesystem for intel SGX (2018)

    Google Scholar 

  2. Apple: Secure enclave (2022).https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web. Accessed 31 Aug 2022

  3. Ateniese, G., De Cristofaro, E., Tsudik, G.: (If) size matters: Size-hiding private set intersection, pp. 156–173 (2011).https://doi.org/10.1007/978-3-642-19379-8_10

  4. Badertscher, C., Canetti, R., Hesse, J., Tackmann, B., Zikas, V.: Universal composition with global subroutines: capturing global setup within plain UC, pp. 1–30 (2020).https://doi.org/10.1007/978-3-030-64381-2_1

  5. Bahmani, R., et al.: Secure multiparty computation from SGX, pp. 477–497 (2017)

    Google Scholar 

  6. Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption, pp. 394–403 (1997).https://doi.org/10.1109/SFCS.1997.646128

  7. Bhatotia, P., Kohlweiss, M., Martinico, L., Tselekounis, Y.: Steel: composable hardware-based stateful and randomised functional encryption, pp. 709–736 (2021).https://doi.org/10.1007/978-3-030-75248-4_25

  8. Boneh, D., Shoup, V.: A graduate course in applied cryptography. Draft 0.6 (2026)

    Google Scholar 

  9. Camenisch, J., Drijvers, M., Gagliardoni, T., Lehmann, A., Neven, G.: The wonderful world of global random oracles, pp. 280–312 (2018).https://doi.org/10.1007/978-3-319-78381-9_11

  10. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols, pp. 136–145 (2001).https://doi.org/10.1109/SFCS.2001.959888

  11. Canetti, R.: Universally composable security. J. ACM67(5), 28:1–28:94 (2020).https://doi.org/10.1145/3402457

  12. Canetti, R., Dodis, Y., Pass, R., Walfish, S.: Universally composable security with global setup, pp. 61–85 (2007).https://doi.org/10.1007/978-3-540-70936-7_4

  13. Canetti, R., Fischlin, M.: Universally composable commitments, pp. 19–40 (2001).https://doi.org/10.1007/3-540-44647-8_2

  14. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited (preliminary version), pp. 209–218 (1998).https://doi.org/10.1145/276698.276741

  15. Canetti, R., Goldreich, O., Halevi, S.: On the random-oracle methodology as applied to length-restricted signature schemes, pp. 40–57 (2004).https://doi.org/10.1007/978-3-540-24638-1_3

  16. Canetti, R., Jain, A., Scafuro, A.: Practical UC security with a global random oracle, pp. 597–608 (2014).https://doi.org/10.1145/2660267.2660374

  17. Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels, pp. 337–351 (2002).https://doi.org/10.1007/3-540-46035-7_22

  18. Carter, J., Wegman, M.N.: Universal classes of hash functions. J. Comput. Syst. Sci.18(2), 143–154 (1979).https://doi.org/10.1016/0022-0000(79)90044-8,https://www.sciencedirect.com/science/article/pii/0022000079900448

  19. Costan, V., Devadas, S.: Intel SGX explained. Cryptology ePrint Archive, Report 2016/086 (2016).https://eprint.iacr.org/2016/086

  20. Diffie, W., Hellman, M.E.: New directions in cryptography,22(6), 644–654 (1976).https://doi.org/10.1109/TIT.1976.1055638

  21. Duong, T., Phan, D.H., Trieu, N.: Catalic: delegated PSI cardinality with applications to contact tracing, pp. 870–899 (2020).https://doi.org/10.1007/978-3-030-64840-4_29

  22. Garimella, G., Pinkas, B., Rosulek, M., Trieu, N., Yanai, A.: Oblivious key-value stores and amplification for private set intersection, pp. 395–425 (2021).https://doi.org/10.1007/978-3-030-84245-1_14

  23. Garriss, S., Kaminsky, M., Freedman, M.J., Karp, B., Mazières, D., Yu, H.: RE: reliable email. In: Peterson, L.L., Roscoe, T. (eds.) 3rd Symposium on Networked Systems Design and Implementation (NSDI 2006), 8–10 May 2007, San Jose, California, USA, Proceedings. USENIX (2006).http://www.usenix.org/events/nsdi06/tech/garriss.html

  24. Goldreich, O.: Towards a theory of software protection and simulation by oblivious RAMs, pp. 182–194 (1987).https://doi.org/10.1145/28395.28416

  25. Gueron, S.: Intel advanced encryption standard (AES) new instructions set (2010)

    Google Scholar 

  26. Hazay, C., Lindell, Y.: Efficient protocols for set intersection and pattern matching with security against malicious and covert adversaries, pp. 155–175 (2008).https://doi.org/10.1007/978-3-540-78524-8_10

  27. IBM: IBM secure execution for Linux (2022).https://www.ibm.com/downloads/cas/O158MBWG, Accessed 31 Aug 2022

  28. Intel: Intel software guard extensions (intel SGX) (2023).https://download.01.org/intel-sgx/sgx-linux/2.9.1/docs/Intel_SGX_Developer_Guide.pdf

  29. Johnson, S., Scarlata, V., Rozas, C., Brickell, E., Mckeen, F.: Intel software guard extensions: EPID provisioning and attestation services. White Paper1(1–10), 119 (2016)

    Google Scholar 

  30. Kulshrestha, A., Mayer, J.R.: Identifying harmful media in end-to-end encrypted communication: Efficient private membership computation. In: Bailey, M., Greenstadt, R. (eds.) 30th USENIX Security Symposium, USENIX Security 2021(August), pp. 11–13, 2021, pp. 893–910. USENIX Association (2021).https://www.usenix.org/conference/usenixsecurity21/presentation/kulshrestha

  31. Kumar, A.: Active platform management demystified: unleashing the power of intel VPro (TM) technology. Intel Press (2009)

    Google Scholar 

  32. Lu, Y., Zhang, B., Zhou, H.S., Liu, W., Zhang, L., Ren, K.: Correlated randomness teleportation via semi-trusted hardware - enabling silent multi-party computation, pp. 699–720 (2021).https://doi.org/10.1007/978-3-030-88428-4_34

  33. Marlinspike, M.: Private contact discovery for signal.https://signal.org/blog/private-contact-discovery/ (2017)

  34. McCune, J.M., Parno, B., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: an execution infrastructure for tcb minimization. In: Sventek, J.S., Hand, S. (eds.) Proceedings of the 2008 EuroSys Conference, Glasgow, Scotland, UK, April 1–4, 2008. pp. 315–328. ACM (2008).https://doi.org/10.1145/1352592.1352625,https://doi.org/10.1145/1352592.1352625

  35. Melotti, D., Rossi-Bellom, M., Continella, A.: Reversing and fuzzing the google titan m chip. In: Reversing and Offensive-oriented Trends Symposium, pp. 1–10 (2021)

    Google Scholar 

  36. Müller-Quade, J., Unruh, D.: Long-term security and universal composability,23(4), 594–671 (2010).https://doi.org/10.1007/s00145-010-9068-8

  37. Murdock, K., Oswald, D., Garcia, F.D., Van Bulck, J., Gruss, D., Piessens, F.: Plundervolt: software-based fault injection attacks against intel SGX, pp. 1466–1482 (2020).https://doi.org/10.1109/SP40000.2020.00057

  38. Nilsson, A., Bideh, P.N., Brorsson, J.: A survey of published attacks on intel SGX. CoRR abs/2006.13598 (2020).https://arxiv.org/abs/2006.13598

  39. Pass, R., Shi, E., Tramèr, F.: Formal abstractions for attested execution secure processors, pp. 260–289 (2017).https://doi.org/10.1007/978-3-319-56620-7_10

  40. Pinkas, B., Rosulek, M., Trieu, N., Yanai, A.: PSI from PaXoS: Fast, malicious private set intersection, pp. 739–767 (2020).https://doi.org/10.1007/978-3-030-45724-2_25

  41. Rindal, P., Raghuraman, S.: Blazing fast PSI from improved OKVS and subfield VOLE. IACR Cryptol. ePrint Arch. p. 320 (2022).https://eprint.iacr.org/2022/320

  42. Rindal, P., Rosulek, M.: Improved private set intersection against malicious adversaries, pp. 235–259 (2017).https://doi.org/10.1007/978-3-319-56620-7_9

  43. Schwarz, M., et al.: ZombieLoad: cross-privilege-boundary data sampling, pp. 753–768 (2019).https://doi.org/10.1145/3319535.3354252

  44. Stapf, E., Jauernig, P., Brasser, F., Sadeghi, A.: In hardware we trust? from TPM to enclave computing on RISC-V. In: 29th IFIP/IEEE International Conference on Very Large Scale Integration, VLSI-SoC 2021, Singapore, 4–7 October 2021, pp. 1–6. IEEE (2021).https://doi.org/10.1109/VLSI-SoC53125.2021.9606968

  45. Sun, H., Su, J., Wang, X., Chen, R., Liu, Y., Hu, Q.: PriMal: cloud-based privacy-preserving malware detection, pp. 153–172 (2017)

    Google Scholar 

  46. Tamrakar, S., Liu, J., Paverd, A., Ekberg, J.E., Pinkas, B., Asokan, N.: The circle game: scalable private membership test using trusted hardware, pp. 31–44 (2017)

    Google Scholar 

  47. Tramèr, F., Zhang, F., Lin, H., Hubaux, J., Juels, A., Shi, E.: Sealed-glass proofs: using transparent enclaves to prove and sell knowledge. In: 2017 IEEE European Symposium on Security and Privacy, EuroS &P 2017, Paris, France, 26–28 April 2017, pp. 19–34. IEEE (2017).https://doi.org/10.1109/EuroSP.2017.28

  48. Van Bulck, J., et al.: Foreshadow: extracting the keys to the intel SGX kingdom with transient out-of-order execution, pp. 991–1008 (2018)

    Google Scholar 

  49. Zinkina, A.: UC-sichere private Schnittmengenberechnung mit transparenten Enklaven. KITopen Repository of the Karlsruhe Institute of Technology (2019).https://doi.org/10.5445/IR/1000099120

Download references

Acknowledgements

This work was supported by KASTEL Security Research Labs.

Felix Dörre: This work was supported by funding by the German Federal Ministry of Education and Research (BMBF) under the project “VE-ASCOT” (ID 16ME0275). Jeremias Mechler, Jörn Müller-Quade: This work was supported by funding from the topic Engineering Secure Systems of the Helmholtz Association (HGF).

We would like to thank Anastasia Zinkina for providing valuable feedback and laying the foundation for this work in her master’s thesis [49]. We would also like to thank the anonymous referees for their valuable and very detailed feedback.

Author information

Authors and Affiliations

  1. KASTEL Security Research Labs, Karlsruhe Institute of Technology, Karlsruhe, Germany

    Felix Dörre, Jeremias Mechler & Jörn Müller-Quade

Authors
  1. Felix Dörre

    You can also search for this author inPubMed Google Scholar

  2. Jeremias Mechler

    You can also search for this author inPubMed Google Scholar

  3. Jörn Müller-Quade

    You can also search for this author inPubMed Google Scholar

Corresponding author

Correspondence toJeremias Mechler.

Editor information

Editors and Affiliations

  1. Nanyang Technological University, Singapore, Singapore

    Jian Guo

  2. Monash University, Melbourne, VIC, Australia

    Ron Steinfeld

Rights and permissions

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Dörre, F., Mechler, J., Müller-Quade, J. (2023). Practically Efficient Private Set Intersection from Trusted Hardware with Side-Channels. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14441. Springer, Singapore. https://doi.org/10.1007/978-981-99-8730-6_9

Download citation

Publish with us

Access this chapter

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
JPY 3498
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
JPY 9151
Price includes VAT (Japan)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
JPY 11439
Price includes VAT (Japan)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide -see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

[8]ページ先頭
©2009-2025 Movatter.jp