Improved Efficiency for Private Stable Matching
description
Transcript of Improved Efficiency for Private Stable Matching
Improved Efficiency for Private Stable Matching
Matthew Franklin, Mark Gondree, and Payman MohasselUniversity of California, Davis
02/07/07 - Session Code: CRYP-203
Insert presenter logo here on slide master
Stable Matching
•Stable Matching (Marriage):
•N men, N women, each with their own preference list
•Matching M has an unstable pair (A,B) if:
(A,B’), (A’,B) in M A prefers B over B’ B prefers A over A’
•M is stable if no unstable pairs exist in M
2
A
A1
A’
A2
B’
B1
B
B2
Insert presenter logo here on slide master
Applications
•Assigning Medical students to Hospitals
— In US, Canada, and Scotland
•Assigning students to schools and universities
— In Norway and Singapore
•National Matching Services
Inc.
3
Insert presenter logo here on slide master
Outline
•Introduction
— Stable matching problem
— Gale-Shapley Algorithm
— Privacy Issues
•Contributions
•Open problems
4
Insert presenter logo here on slide master
The Gale-Shapley Algorithm
• Notation:
─ N men :{A1, …, AN}
─ N women: {B1, …, BN}
─ Preference list for man i: Ai[1…N]
─ Preference list for woman i: Bi[1…N]
─ List of free men in round k : Fk
─ List of engaged men in round k: Ek
5
Insert presenter logo here on slide master
Gale-Shapley
• k=1;Fk = {A1, … , AN}
• While Fk is non-empty:
• Randomly select A from Fk
• A proposes to “next” woman B:
(Where he ranks B highest among the women to whom he has never proposed before)
• If B is free then she becomes engaged to A
• If B is engaged to some A’ then
• If B prefers A over A’ then remove A and add A’ to Fk
• Otherwise, Fk stays the same
• Fk+1= Fk; k= k+16
Insert presenter logo here on slide master
Remarks on Gale-Shapley
• Round by Round
─ Matches made and broken every round
─ Man optimal
• Privacy Issues
─ Naïve implementation
─ Matching Authority learns participants’ preference lists
─ Naively distributed computation
─ Traffic pattern: history of matches made and broken
7
Insert presenter logo here on slide master
Setting [Golle, FC06]
•Have multiple (t) Matching Authorities (MAs)
•MAs receive encrypted preference lists
•MAs compute the stable matching
•MAs don’t learn anything
•Participants only learn their own partner
•Assume: passive adversaries
•Security Guaranteed (assuming ≥ 1 honest MA)
8
Insert presenter logo here on slide master
Our Contribution
•Revisit [Golle]
— High Communication complexity
(Partly due to the chosen variant of Gale-Shapely used)
•Design a Private and Efficient Protocol
— Design a new variant of Gale-Shapely
— Tune it for private implementation
— Crypto assumptions comparable to [Golle]
— Lower round and communication complexities
9
Insert presenter logo here on slide master
Our Contributions, Cont’d
Summary of protocols and efficiency:
10
Insert presenter logo here on slide master
Our variant of Gale-Shapley
•Real men: {A1, …, AN}, Fake men: {AN+1, …, A2N}
•Real women: {B1,…,BN}, Fake women:{BN+1,…,B2N}
•Preference lists:
— Real men: ( [actual preference list], [BN+1, . . . ,B2N, in any order] )
— Real women: ( [actual preference list], [AN+1, . . . ,A2N, in any order] )
— Fake women:( [AN+1, . . . ,A2N, in any order],[A1, . . . ,AN, in any order])
— Fake men: ( [BN+2, . . . ,B2N, in any order], BN+1, [B1, . . . ,BN, in any
order] )
11
Insert presenter logo here on slide master
Our Variant, Cont’d
•Initialization:
— F1 = {A1}
— {A2, …, AN} are engaged to {BN+2,…,B2N}, respectively
— {AN+1, …, A2N} are engaged to {B1,…, BN}, respectively
•While Fk is not empty:
— The free man A in Fk proposes to B
(The next woman in his preference list to whom he hasn’t proposed)
— If B is engaged to some man A’
•If B prefers A over A’, let Fk+1= {A’}, and pair A and B
•Otherwise, Fk+1 = Fk 12
Insert presenter logo here on slide master
Our Variant, Cont’d 2
•Claim: Once a fake man proposes to woman BN+1,
we have a stable matching
•Thus, the algorithm’s complexity is O(N2)
•Also, “Tuned for privacy”
— every round k, |Fk| = 1
•We implement a private version
13
Insert presenter logo here on slide master
Protocol
•Bids
— Two types: Free and Engaged
— Set of ciphertexts (constant sized)
— Fk = {Free Bids in round k}
— Ek = {Engaged Bids in round k}
•Preference Lists
— Encrypted, held by an MA (the “Database”)
•Everything encrypted with threshold homomorphic enc.
14
Insert presenter logo here on slide master
Protocol
•For k = 1 to 2N2:
— Select a single free bid from Fk.
— “Open it” to recover the (encrypted) pointers into the database
— Access database to get next fiancée's (encrypted) identity
— Form the engaged bid
— Privately find the conflicting engaged bid (mix, private equality test)
— Mix these two engaged bids
— “Resolve the conflict” to find the winner and loser (private comparison)
— “Break the engagement” for the loser and add him to Fk+1
— Add the winner to Ek
— Mix all the bids
— Let Ek+1 = Ek
15
Insert presenter logo here on slide master
Protocol
•For k = 1 to 2N2:
— Select a single free bid from Fk.
— “Open it” to recover the (encrypted) pointers into the database
— Access database to get next fiancée's (encrypted) identity
— Form the engaged bid
— Privately find the conflicting engaged bid (mix, private equality test)
— Mix these two engaged bids
— “Resolve the conflict” to find the winner and loser (private comparison)
— “Break the engagement” for the loser and add him to Fk+1
— Add the winner to Ek
— Mix all the bids
— Let Ek+1 = Ek
16
Insert presenter logo here on slide master
Protocol
•For k = 1 to 2N2:
— Select a single free bid from Fk.
— “Open it” to recover the (encrypted) pointers into the database
— Access database to get next fiancée's (encrypted) identity
— Form the engaged bid
— Privately find the conflicting engaged bid (mix, private equality test)
— Mix these two engaged bids
— “Resolve the conflict” to find the winner and loser (private comparison)
— “Break the engagement” for the loser and add him to Fk+1
— Add the winner to Ek
— Mix all the bids
— Let Ek+1 = Ek
17
Insert presenter logo here on slide master
Protocol
•For k = 1 to 2N2:
— Select a single free bid from Fk.
— “Open it” to recover the (encrypted) pointers into the database
— Access database to get next fiancée's (encrypted) identity
— Form the engaged bid
— Privately find the conflicting engaged bid (mix, private equality test)
— Mix these two engaged bids
— “Resolve the conflict” to find the winner and loser (private comparison)
— “Break the engagement” for the loser and add him to Fk+1
— Add the winner to Ek
— Mix all the bids
— Let Ek+1 = Ek
18
Insert presenter logo here on slide master
Protocol
•For k = 1 to 2N2:
— Select a single free bid from Fk.
— “Open it” to recover the (encrypted) pointers into the database
— Access database to get next fiancée's (encrypted) identity
— Form the engaged bid
— Privately find the conflicting engaged bid (mix, private equality test)
— Mix these two engaged bids
— “Resolve the conflict” to find the winner and loser (private comparison)
— “Break the engagement” for the loser and add him to Fk+1
— Add the winner to Ek
— Mix all the bids
— Let Ek+1 = Ek
19
Insert presenter logo here on slide master
Accessing the database
•Database D, an array of n=(2N)2 ciphertexts
•Given E(i), we want to recover element D[i]
•Our subprotocol:
— Modification of an efficient (1-out-of-n) OT protocol
— MAs process E(i) into queries of the protocol
— MAs process database’s reply to recover D[i], a ciphertext
•Our construction
— Uses Stern’s OT (1 round, polylog CC)
— Again, using threshold homomorphic encryption
20
Insert presenter logo here on slide master
A protocol for 2 MAs
•A more efficient protocol for 2-MA case
•Private Table Look Ups (LUT) [NN01]
(For two-party computation)
•Private Computation of Turing Machines with a RAM
— Circuits equipped with Private LUT
•Our algorithm can be presented as a TM with RAM
•Implement privately using [NN01]
•Extending to multiparty
— Not completely distributed
21
Insert presenter logo here on slide master
New Developments
•Extending [NN01] to multiparty
— Automatically leads to more efficient private stable matching
— Leads to nearly optimal communication
22
Insert presenter logo here on slide master
Thank you!! Questions?
Insert presenter logo here on slide master
Insert presenter logo here on slide master
Golle’s approach
•Golle’s variant of Gale-Shapley:
•N real men: {A1,…, AN}, N real women:{B1,…,BN}
•N fake men: {AN+1,…,A2N}
•Arbitrary preference lists for fake men
•Each woman ranks fake men lower than real ones
•Initialization
— All real men are free
— All fake men are engaged (in an arbitrary way)
Insert presenter logo here on slide master
Golle’s Approach Cont’d
•For K = 1 to n:
— While FK is non-empty:
•Randomly select A from Fk
• A proposes to woman B:• The woman he ranks highest among the women to whom he has never
proposed before
• B is always engaged to some woman A’:
• If B prefers A over A’; Remove A from FK, add A’ to Fk+1
• Otherwise, add A to Fk+1
• Number of free men always N: |FK| = N for all 1≤ K ≤ N
Insert presenter logo here on slide master
Shortcomings
•Golle implements this variant privately
— Re-encryption mix-networks
— Threshold homomorphic cryptosystems (Paillier encryption)
•Inefficiencies:
— Golle’s variant needs O(N2) rounds to reach a stable matching
•Complexity of algorithm increases by a factor of N
— Another factor N increase
•size of ciphertext used in Mix-network: O(N) not constant!