Improved Efficiency for Private Stable Matching

Improved Efficiency for Private Stable Matching

Matthew Franklin, Mark Gondree, and Payman MohasselUniversity of California, Davis

02/07/07 - Session Code: CRYP-203

Insert presenter logo here on slide master

Stable Matching

•Stable Matching (Marriage):

•N men, N women, each with their own preference list

•Matching M has an unstable pair (A,B) if:

(A,B’), (A’,B) in M A prefers B over B’ B prefers A over A’

•M is stable if no unstable pairs exist in M

2

A

A1

A’

A2

B’

B1

B

B2


Applications

•Assigning Medical students to Hospitals

— In US, Canada, and Scotland

•Assigning students to schools and universities

— In Norway and Singapore

•National Matching Services

Inc.

3


Outline

•Introduction

— Stable matching problem

— Gale-Shapley Algorithm

— Privacy Issues

•Contributions

•Open problems

4


The Gale-Shapley Algorithm

• Notation:

─ N men :{A1, …, AN}

─ N women: {B1, …, BN}

─ Preference list for man i: Ai[1…N]

─ Preference list for woman i: Bi[1…N]

─ List of free men in round k : Fk

─ List of engaged men in round k: Ek

5


Gale-Shapley

• k=1;Fk = {A1, … , AN}

• While Fk is non-empty:

• Randomly select A from Fk

• A proposes to “next” woman B:

(Where he ranks B highest among the women to whom he has never proposed before)

• If B is free then she becomes engaged to A

• If B is engaged to some A’ then

• If B prefers A over A’ then remove A and add A’ to Fk

• Otherwise, Fk stays the same

• Fk+1= Fk; k= k+16


Remarks on Gale-Shapley

• Round by Round

─ Matches made and broken every round

─ Man optimal

• Privacy Issues

─ Naïve implementation

─ Matching Authority learns participants’ preference lists

─ Naively distributed computation

─ Traffic pattern: history of matches made and broken

7


Setting [Golle, FC06]

•Have multiple (t) Matching Authorities (MAs)

•MAs receive encrypted preference lists

•MAs compute the stable matching

•MAs don’t learn anything

•Participants only learn their own partner

•Assume: passive adversaries

•Security Guaranteed (assuming ≥ 1 honest MA)

8


Our Contribution

•Revisit [Golle]

— High Communication complexity

(Partly due to the chosen variant of Gale-Shapely used)

•Design a Private and Efficient Protocol

— Design a new variant of Gale-Shapely

— Tune it for private implementation

— Crypto assumptions comparable to [Golle]

— Lower round and communication complexities

9


Our Contributions, Cont’d

Summary of protocols and efficiency:

10


Our variant of Gale-Shapley

•Real men: {A1, …, AN}, Fake men: {AN+1, …, A2N}

•Real women: {B1,…,BN}, Fake women:{BN+1,…,B2N}

•Preference lists:

— Real men: ( [actual preference list], [BN+1, . . . ,B2N, in any order] )

— Real women: ( [actual preference list], [AN+1, . . . ,A2N, in any order] )

— Fake women:( [AN+1, . . . ,A2N, in any order],[A1, . . . ,AN, in any order])

— Fake men: ( [BN+2, . . . ,B2N, in any order], BN+1, [B1, . . . ,BN, in any

order] )

11


Our Variant, Cont’d

•Initialization:

— F1 = {A1}

— {A2, …, AN} are engaged to {BN+2,…,B2N}, respectively

— {AN+1, …, A2N} are engaged to {B1,…, BN}, respectively

•While Fk is not empty:

— The free man A in Fk proposes to B

(The next woman in his preference list to whom he hasn’t proposed)

— If B is engaged to some man A’

•If B prefers A over A’, let Fk+1= {A’}, and pair A and B

•Otherwise, Fk+1 = Fk 12


Our Variant, Cont’d 2

•Claim: Once a fake man proposes to woman BN+1,

we have a stable matching

•Thus, the algorithm’s complexity is O(N2)

•Also, “Tuned for privacy”

— every round k, |Fk| = 1

•We implement a private version

13


Protocol

•Bids

— Two types: Free and Engaged

— Set of ciphertexts (constant sized)

— Fk = {Free Bids in round k}

— Ek = {Engaged Bids in round k}

•Preference Lists

— Encrypted, held by an MA (the “Database”)

•Everything encrypted with threshold homomorphic enc.

14


Protocol

•For k = 1 to 2N2:

— Select a single free bid from Fk.

— “Open it” to recover the (encrypted) pointers into the database

— Access database to get next fiancée's (encrypted) identity

— Form the engaged bid

— Privately find the conflicting engaged bid (mix, private equality test)

— Mix these two engaged bids

— “Resolve the conflict” to find the winner and loser (private comparison)

— “Break the engagement” for the loser and add him to Fk+1

— Add the winner to Ek

— Mix all the bids

— Let Ek+1 = Ek

15


Protocol

•For k = 1 to 2N2:











— Let Ek+1 = Ek

16


Protocol

•For k = 1 to 2N2:











— Let Ek+1 = Ek

17


Protocol

•For k = 1 to 2N2:











— Let Ek+1 = Ek

18


Protocol

•For k = 1 to 2N2:











— Let Ek+1 = Ek

19


Accessing the database

•Database D, an array of n=(2N)2 ciphertexts

•Given E(i), we want to recover element D[i]

•Our subprotocol:

— Modification of an efficient (1-out-of-n) OT protocol

— MAs process E(i) into queries of the protocol

— MAs process database’s reply to recover D[i], a ciphertext

•Our construction

— Uses Stern’s OT (1 round, polylog CC)

— Again, using threshold homomorphic encryption

20


A protocol for 2 MAs

•A more efficient protocol for 2-MA case

•Private Table Look Ups (LUT) [NN01]

(For two-party computation)

•Private Computation of Turing Machines with a RAM

— Circuits equipped with Private LUT

•Our algorithm can be presented as a TM with RAM

•Implement privately using [NN01]

•Extending to multiparty

— Not completely distributed

21


New Developments

•Extending [NN01] to multiparty

— Automatically leads to more efficient private stable matching

— Leads to nearly optimal communication

22


Thank you!! Questions?


Golle’s approach

•Golle’s variant of Gale-Shapley:

•N real men: {A1,…, AN}, N real women:{B1,…,BN}

•N fake men: {AN+1,…,A2N}

•Arbitrary preference lists for fake men

•Each woman ranks fake men lower than real ones

•Initialization

— All real men are free

— All fake men are engaged (in an arbitrary way)


Golle’s Approach Cont’d

•For K = 1 to n:

— While FK is non-empty:

•Randomly select A from Fk

• A proposes to woman B:• The woman he ranks highest among the women to whom he has never

proposed before

• B is always engaged to some woman A’:

• If B prefers A over A’; Remove A from FK, add A’ to Fk+1

• Otherwise, add A to Fk+1

• Number of free men always N: |FK| = N for all 1≤ K ≤ N


Shortcomings

•Golle implements this variant privately

— Re-encryption mix-networks

— Threshold homomorphic cryptosystems (Paillier encryption)

•Inefficiencies:

— Golle’s variant needs O(N2) rounds to reach a stable matching

•Complexity of algorithm increases by a factor of N

— Another factor N increase

•size of ciphertext used in Mix-network: O(N) not constant!

Improved Efficiency for Private Stable Matching

Documents

Transcript of Improved Efficiency for Private Stable Matching