 Hi, this talk is about Laconic Private Set Intersection and Applications. I'm Pedro, and this is joint work with Navida Lamati, Niko Dottling, Sanjam Garg, Mohamed Ajabadi and Siang Pu. In this work, we study the framework of Laconic cryptography, which is a special case of two-party secure computation. Here, the first party, or the receiver, has a long input x. It first hashes the input into a small hash h. Then the sender computes a message m, depending on his input y and the hash h. Finally, given x and m, the receiver can compute f of x, y. In terms of efficiency, we require that the communication complexity of the protocol doesn't depend on the size of the receiver's input x. The Laconic cryptography framework allows for secure reverse delegation of computation, as opposed to fully homomorphic encryption, and allows for communication-efficient secure protocols. The Laconic cryptography framework was presented in the work of Sho et al., where a Laconic Oblivious Transfer Protocol is presented. This protocol can be based on several hardness assumptions, such as DDH, LWE or QR. Later, a Laconic protocol to compute any function was presented in a work of Quack et al. This protocol is based on the hardness of the LWE, with super polynomial modulus to noise ratio. Both of these works use non-blackbox techniques, which makes both schemes impratical for real-world applications. This raises two questions. The first one is whether we can build Laconic protocols for other functionalities from assumptions other than LWE. The second one is whether we can build efficient Laconic protocols. In this work, we focus on Laconic protocols for a specific functionality, namely private set intersection. Here, the receiver has a large input set X and the sender has a small input set Y. In the end of the protocol, the receiver should learn the intersection of both sets and nothing else. So what do we know about Laconic private set intersection? We know that Laconic function evaluation implies Laconic PSI, but at the cost of super polynomial modulus to noise ratio LWE and non-blackbox techniques. Hence, we ask two questions in this work. The first one is whether Laconic PSI can be based on assumptions other than LWE. The second one is whether we can build efficient Laconic PSI protocols. Our results are two-fold. We start by presenting a feasibility result. Namely, we construct the LPSI from anonymous hash encryption, which can be based on CDH or LWE, and garbled circuits. This construction builds on the Merkle Tree garbled circuit-based approach of dotting et al. showing how to use garbled circuits to perform binary search on a set of sorted values. The construction uses non-blackbox techniques. So, as our second contribution, we present a Laconic PSI protocol from PHY-HIDING, which uses only blackbox techniques. Then, we show how to extend the PHY-HIDING construction into a reusable LPSI, where the first message of the receiver can be reused across several executions of the protocol and which is secured against malicious senders. We do this by relying on the Decisional Composite Residuosity Assumption, the PHY-HIDING Assumption, and the Subgroup Decisional Assumption on pairings. As an additional result, we construct blackbox-designated verifier NISICs for range proofs for Damgard-Euric ciphertexts. This allows us to prove that the plaintext of a DJ ciphertext is within a certain range. For the rest of this talk, I'm going to focus on the blackbox LPSI from PHY-HIDING. For a detailed description and analysis of our feasibility result, please check the full version of the paper. We now describe our construction based on the PHY-HIDING Assumption. Our starting point is the construction of Goyal et al. for one-way functions with encryptions from PHY-HIDING. Recall that in a one-way function with encryption, given age, which is the result of a one-way function applied to a string of bits x, the encryptor can encrypt a message with respect to a position i and the bit b. The decryptor can recover m if and only if xi is equal to b. Otherwise, the message m remains hidden. In the one-way function with encryption by Goyal et al, the CRS is composed by an RSA modulus n and by two uniformly chosen prime numbers. To compute the one-way function on an input string x, we first choose a random element R and compute G to the R times the product of the prime's PI xi modulo n. Given age, a position i star and the bit b, the encryptor first chooses a random element rho and computes a ciphertext which is G to the rho times PI star b. Then it uses as a shared key the value h to the rho modulo n. Finally, the decryptor computes a key k prime, which is the ciphertext to the product of the prime's PI xi for i different than i star. It is easy to see that if xi prime is equal to b, then k prime is equal to k. Our first observation is that this scheme almost yields a laconic PSI scheme, as we'll see in the next slide. Let's see how we can build a laconic PSI protocol using the ideas from the previous slide. Let's assume for now that we have a universe of polynomial size. We will later explain how we can remove this condition. The CRS is composed by an RSA modulus, an element G in the multiplicative group Zn star, and prime's P1pl, each one encoding an element in the universe. Let's assume that the receiver has a set SR and that the sender has a set SS with only one element. The receiver starts by computing a hash value h, which is computed as G to the R times the product's PI for each i in SR. Then the sender computes an element f, which is G to the rho times Pw, which is a prime encoding the element w, and a value r, which is a randomness extractor applied to the hash value h to the rho. It sends the randomness extractor CDS, the value f, and the value r to the receiver. Now, for each element in the receiver set, the receiver computes a value ri, which is the extractor applied to f to the r times the product of the primes encoding the receiver set element except for the is position. If there is an element i such that the value ri is equal to r, then the receiver outputs the set element i. It is easy to see that the protocol is correct and laconic in the sense that the communication complexity of the protocol doesn't depend on the size of the receiver set. However, there is a drawback in this protocol. Namely, it only works for polynomial size universes and is only secure against a semi-honest sender. Now, let's see how we can prove semi-honest security against a semi-honest sender is trivial since the value h is indistinguishable from a uniform value. For security against a semi-honest receiver, we first replace the RSA modules in the CRS by a value n such that Pw divides phi of n. This change goes unnoticed under the phi-hiding assumption. Now we can argue that the value f, which is g to the rho times Pw, loses information about rho. This means that the value h to the rho has high mean entropy and thus we can replace r by a uniform value. Now we can change the RSA modules back to the normal mode and we can replace f by a uniform value. We now show the main ideas to extend this protocol into a protocol that supports exponential universes. The main idea is to describe the universe implicitly via a PRF key. This PRF should map into the prime numbers, but recall that in the security proof for a semi-honest receiver we need to program one of the primes to use the phi-hiding assumption. For that, we'll use a programmable PRF in which we can program one of the outputs of the PRF. We now show the main ideas on how to extend the protocol to allow for malicious sender. Recall that to prove security against a malicious sender, we need to extract the sender's input. For this, we can use general purpose NISIX to guarantee that the receiver's message is well formed, but this uses non-black box techniques. So observe that the sender's message is composed by the value f, which is g to the row times pw, and the value r, which is the extractor applied to h to the row. To prove malicious sender security, we need to extract both the values w and row. The high-level idea to extract both w and row is the following. We first perform a re-encryption step, which allows the simulator to extract the sender's input w. Then we switch to a DOM-guardiouric group, and this allows to extract both the value row pw and check that r is indeed well formed. Finally, we show how to construct range proof systems for a DOM-guardiouric ciphertext, and this guarantees that the simulator can extract the value with overwhelming probability. Let's first look at the re-encryption step. Here the observation is that the value r, computed by the sender, is uniform when the element is not in the receiver set. In the original protocol, the sender computes the value f and the value r and sends both of them to the receiver. The receiver then checks if there's an i, such that r i is equal to r, and outputs the element i if this happens for some element. We now modify the protocol in the following way. We add a public key of an inCPA public key encryption to the CRS, for which the simulator has a secret key. Then the sender sends the value f as before, but now it sends a ciphertext which encrypts his input element w with the randomness r. The receiver computes r i as before for all elements in his set, and it checks if the encryption of the set element i with randomness r i corresponds to the same as the ciphertext sent by the sender. In the security proof, the simulator now has the secret key for the public key, and can decrypt the ciphertext sent by the sender and recover the sender's input w. As a bonus, we get perfect correctness for our new protocol, and security against the receiver, since r is uniform, we can simply replace the ciphertext by encryptions of zero. Now to prove security against a malicious sender, the simulator, since it has the secret key of the public key, can extract w from the ciphertext as I mentioned before. But there's still an issue, which is the following. The simulator does not detect false positives. For example, consider the case where a malicious sender encrypts using a uniform value r, instead of computing it honestly. In this case, the simulator will extract the sender's input, but the honest receiver will fail with high probability. So to fix this, we need a way to extract the randomness rho from the value f. Our solution for this is simple. We simply replace the multiplicative group of the n by a Damgardeutic group. Recall that Damgardeutic groups have a very nice property, which is the following. Given phi of n, we can efficiently compute discrete logarithms. Let's see how we can use this fact about DJ groups to prove security against malicious senders. Assume for now that we have a reusable designated verifier Nizik, which given f, which is g to the a, allows us to show that the exponent a is within some range. For a complete description of such a scheme, please see the full version of our paper. Let's see how the final version of our protocol looks like. Now all parties compute their values in the DJ group. The sender now sends f and the ciphertext ct as before, but additionally proves that the exponent in g to the rho pw is within some range. For security against a malicious sender, we can replace the element g by an element g2, for which the simulator can compute delox. The simulator can now recover a rho times pw and perform the re-encryption step as before. To show the usefulness of laconic private set intersection, we show that we can use laconic psi to construct a new primitive that we call self-detecting encryption. Self-detecting encryption is essentially a polykey encryption, such that we can detect if a ciphertext is encrypting a special message. Let's see how we can build self-detecting encryption from laconic psi. First, an authority such as a government publishes a hash of the special database, which can be, for example, composed by illegal videos. Then ciphertexts are encrypted with respect to this hash. That is, ciphertexts correspond to the sender's message in the LPSI. Finally, anyone knowing the database can perform a private set intersection between the database and the ciphertext. If the ciphertext is encrypting a message, which is in the database, then we learn the message. Otherwise, we learn nothing about the encrypted message. That's all. Thanks!