Estimating Incidental Collection in Foreign Intelligence Surveillance
Large Scale Multiparty Private Set Intersection with Union and Sum
Instructions
This example is a gross simplification. Please refer to the paper for the exact protocol. In this example, there are 4 participants: Intelligence Community, Email Service 1, Email Service 2, Email Service 3. For simplicity, all participants have input tables of the same size. Hover over each table to view a list of participants it is visible to. Random tables can be generated by selecting the table and intersection sizes below.
5
3
Setup
Each participant builds an input table consisting of email addresses. Intelligence Community's input table X0 contains all addresses they incidentally collected emails to or from. Service providers' input tables X1, X2, X3 contain all email addresses believed to be controlled by users located in the U.S. πΊπΈ
X0 (Intelligence Community)
verify_732@email1.com
bundle.1187@email4.com
large.486@email3.com
hill_1956@email1.com
else_1929@email4.com
X1 (Email Service 1)
scrap_535@email1.com πΊπΈ
brown.436@email1.com πΊπΈ
verify_732@email1.com πΊπΈ
hill_1956@email1.com πΊπΈ
adjust_545@email1.com πΊπΈ
X2 (Email Service 2)
dial1695@email2.com πΊπΈ
game_642@email2.com πΊπΈ
fashio_1107@email2.com πΊπΈ
salt_160@email2.com πΊπΈ
chuckl1868@email2.com πΊπΈ
X3 (Email Service 3)
large.486@email3.com πΊπΈ
pole_488@email3.com πΊπΈ
entry_948@email3.com πΊπΈ
cushio_1191@email3.com πΊπΈ
best600@email3.com πΊπΈ
Protocol
The Intelligence Community generates a random blinding key and blinds its input table as elliptic curve points in M.
Email Service 1 uses M, X1 to build R1. Email Service 2 uses M, X2, R1 to build R2. Email Service 3 uses M, X3, R2 to build R3. R1, R2, and R3 contain two elliptic curve points in each row.
M
d43852...d23a3b
72c40b...0b3c5e
3ecfc9...892145
b6a07a...59287f
90d0ba...edf206
R1
94f8a4...c46e7a & b0c555...fe2a1b
f26662...a95e38 & aebf4b...db3c4e
eadbaa...bbd21e & f20b28...4db63c
bc1a59...4dc728 & e8562b...7c5f6c
9e3e67...eb0d3d & 0ee1a1...4cce50
R2
262870...e49b0a & 80d6e6...b41c38
2c5205...7dd804 & 0a762b...244b71
a4c922...d85169 & d4fa2f...6a137a
4e0115...77692b & c254de...265f58
00388c...53da62 & 40e5d6...2ff210
R3
ead6a6...3ca213 & 90e559...bdeb63
56d499...da5576 & 767898...84645c
c8c994...c3400e & 7a3c98...8eaf0d
1cad5a...feda09 & 8000f7...405915
10994a...413337 & 9cb7ce...1db645
Email Service 3 uses M, R3 to build a shuffled and encrypted table B.
M
d43852...d23a3b
72c40b...0b3c5e
3ecfc9...892145
b6a07a...59287f
90d0ba...edf206
R (created by Service 3)
ead6a6...3ca213 & 90e559...bdeb63
56d499...da5576 & 767898...84645c
c8c994...c3400e & 7a3c98...8eaf0d
1cad5a...feda09 & 8000f7...405915
10994a...413337 & 9cb7ce...1db645
B
56d499...da5576 & fa902b...8fe816
1cad5a...feda09 & a55ca0...3227a6
ead6a6...3ca213 & 90178b...d9becb
c8c994...c3400e & 66c1cf...37d3f8
10994a...413337 & 16b0b3...211b97
Intelligence Community computes the intersection size using B and the blinding key .