3

Bob and Alice each have a bit string they want to keep private. They each want to know what the bitwise AND of their two strings would be without telling the other or anyone else listening to their exchange their actual bit strings... how can they do this? Keep in mind that even once they both hold the AND of their two bit strings, they should still not be able to calculate the other person's string exactly (unless of course one of their strings was all 1s).

I know that I have seen something similar before in some sort of mutual key system/voting system but I couldn't remember where. It has to be something like make a private random key, xor it and use that somehow... but I couldn't work out the details. Any clever encryption design people out there?

D.W.
hackartist

2 Answers

4

Aaron Roth on theoretical CS was kind enough to answer with the following answer for anyone out there who is interested.

What you want to do is called "Private Set Intersection". You can think of Alice and Bob as each holding sets (the indices for which their strings are "1"), and they want to compute the intersection (the bitwise AND) so that neither of them learns anything about the other's set except what is implied by the intersection itself.

This problem is well studied. See, for example, Freedman, Nissim, and Pinkas: http://www.pinkas.net/PAPERS/FNP04.pdf

hackartist
1

Garbled circuits might be a good way to do this. There are plenty of libraries that will allow you to do garbled circuits easily enough. The two that come to mind are Fairplay/FairplayMP, or a more updated system done by the University of Virginia.

The advantages of these systems over the paper you referenced are that they don't use public-key crypto, so they should be faster. If you go with the UVa system, I would expect your performance to be similar to their results on the Hamming distance.

mikeazo
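As an added illustration of the garbled-circuit approach (this is not code from either answer, nor from Fairplay or the UVa system), here is a toy Python garbled AND gate applied one bit position at a time: Alice garbles, Bob evaluates, and the evaluator recognises the one row he can open by a zero-byte redundancy tag. The oblivious-transfer step by which Bob fetches the label for his own input bit without Alice learning it is assumed rather than implemented, so only the garbling and evaluation halves are shown.

```python
import hashlib
import os
import random

LABEL_LEN = 16  # bytes per wire label (toy parameter chosen for this demo)
ZERO_TAG = bytes(LABEL_LEN)  # redundancy appended so the evaluator can tell the right row

def new_wire():
    """Two random labels per wire: labels[0] encodes bit 0, labels[1] encodes bit 1."""
    return (os.urandom(LABEL_LEN), os.urandom(LABEL_LEN))

def row_pad(label_a, label_b):
    """Key stream for one truth-table row, derived from both input labels."""
    return hashlib.sha256(label_a + label_b).digest()  # 32 bytes = label + tag

def garble_and_gate(wire_a, wire_b, wire_out):
    """Garbler: encrypt the 4 rows of AND under the matching input labels, then shuffle."""
    rows = []
    for a in (0, 1):
        for b in (0, 1):
            plain = wire_out[a & b] + ZERO_TAG
            pad = row_pad(wire_a[a], wire_b[b])
            rows.append(bytes(p ^ k for p, k in zip(plain, pad)))
    random.shuffle(rows)  # hide which row encodes which input pair
    return rows

def evaluate_and_gate(rows, label_a, label_b):
    """Evaluator: holds exactly one label per input wire, so only one row decrypts validly."""
    pad = row_pad(label_a, label_b)
    for row in rows:
        plain = bytes(c ^ k for c, k in zip(row, pad))
        if plain[LABEL_LEN:] == ZERO_TAG:
            return plain[:LABEL_LEN]
    raise ValueError("no row decrypted: wrong labels")

def private_and(alice_bits, bob_bits):
    """Alice garbles one AND gate per bit; Bob evaluates. Returns the AND as a bit string."""
    result = []
    for a_bit, b_bit in zip(alice_bits, bob_bits):
        wa, wb, wo = new_wire(), new_wire(), new_wire()
        rows = garble_and_gate(wa, wb, wo)
        # Alice sends the garbled rows plus the label for her own bit (a random string).
        alice_label = wa[int(a_bit)]
        # Bob's label must come from oblivious transfer in the real protocol (assumed here).
        bob_label = wb[int(b_bit)]
        out_label = evaluate_and_gate(rows, alice_label, bob_label)
        # Output decoding: Alice publishes which output label means 1 (or Bob returns it).
        result.append("1" if out_label == wo[1] else "0")
    return "".join(result)
```

Because each party only ever sees one label per input wire and the decoded output, neither learns more about the other's string than the AND itself reveals.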