Direct "headless" matching with an Optable DCN
The match CLI (Command Line Interface) is a utility designed to enable a partner to execute a directional secure ID match with a company's data collaboration node (Optable DCN). The operation is performed using data from a local file which contains a list of matchable identifiers.
The result of the match attempt is learned by the receiving company's Optable DCN, while the sender executing the operation with the match CLI learns only the size of the resulting intersection (note that some "noise" is added by the receiver DCN to the resulting match size communicated to the sender, in order to protect from various information discovery attacks).
The match CLI is not to be confused with the Optable CLI utility used by Optable customers to access and manage their DCN.
While both are CLI (Command Line Interface) utilities, the match CLI is used to stand up a temporary lightweight matching node, while the Optable CLI utility is designed to access and manage all of the functionality provided by a fully-featured data collaboration node (DCN).
Transferring your private list of identifiers to the receiver or a third-party broker leaks a significant amount of personal data. To protect against such leaks, data brokers typically request that you hash your private data prior to transfer. However, comparing hashed datasets requires sharing hash function parameters with the receiving or brokering party, leaving the door open to possible brute force attacks on your private data. In contrast, the match CLI utility performs a secure match which encrypts your data with your own private key prior to transferring it. Determining a match on fully encrypted data is possible thanks to a multi-party computation technique which is implemented by the match CLI. To learn more about how it works, see Secure Matching.
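The contrast drawn in this paragraph, as an added sketch that is not Optable's code: a textbook Diffie-Hellman-style private set intersection (the run log further down names the protocol only as "dhpsi") next to plain hash sharing. The group, the function names and the sample identifiers are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group: integers modulo the prime 2**255 - 19, chosen only because it is
# short to write. Assumption for this sketch, not a parameter used by the CLI.
P = 2**255 - 19

def to_group(identifier: str) -> int:
    """Hash an identifier into the group (squared so it is a quadratic residue)."""
    h = int.from_bytes(hashlib.sha256(identifier.encode()).digest(), "big") % P
    return pow(h, 2, P)

def keygen() -> int:
    """Secret exponent in [2, P-2]; never leaves the party that generated it."""
    return secrets.randbelow(P - 3) + 2

def blind(elements, key: int) -> list:
    """'Encrypt' each group element by raising it to a secret exponent."""
    return [pow(e, key, P) for e in elements]

def hashed_list_leaks(shared_hashes: set, guess: str) -> bool:
    """Plain hashing: whoever holds the list can test any guessed identifier."""
    return hashlib.sha256(guess.encode()).hexdigest() in shared_hashes

def blinded_list_leaks(wire_values: list, guess: str) -> bool:
    """Blinded values: the same guess fails without the sender's exponent."""
    return to_group(guess) in wire_values

def directional_match(sender_ids, receiver_ids, a=None, b=None):
    """Returns (IDs the receiver learns matched, size the sender learns)."""
    a, b = a or keygen(), b or keygen()
    # 1. Sender blinds its IDs with its own key and shuffles them before sending.
    from_sender = blind(map(to_group, sender_ids), a)
    secrets.SystemRandom().shuffle(from_sender)
    # 2. Receiver blinds its IDs with b; the sender adds a and returns them in order.
    receiver_double = blind(blind(map(to_group, receiver_ids), b), a)
    # 3. Receiver adds b to the sender's values: a shared ID becomes H(id)^(a*b)
    #    on both sides, so equal values mean equal IDs.
    sender_double = set(blind(from_sender, b))
    matched = [r for r, v in zip(receiver_ids, receiver_double) if v in sender_double]
    # The page says the receiver DCN adds noise to the size; omitted here.
    return matched, len(matched)

if __name__ == "__main__":
    # Constructed sample identifiers, not the CLI's match file format.
    ours = ["alice@example.com", "bob@example.com", "carol@example.com"]
    theirs = ["bob@example.com", "dave@example.com", "carol@example.com"]
    print(directional_match(ours, theirs))
```

Neither party's raw identifiers nor secret exponents cross the wire in this sketch; only blinded group elements do.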
The match CLI utility is designed for partners of Optable customers who do not themselves use a DCN (also known as flash partners) but who wish to perform secure matching with a DCN customer without transferring their private data to a third party.
Note that if you are also an Optable customer and have access to your own DCN, you can perform matches directly with other Optable customers from your collaboration node's UI. Therefore, you should not need to use the match CLI utility.
Note that on OS X or Linux you may need to chmod +x ./optable-match-cli before you can run the executable with
To begin, you should have received an invitation code from an Optable DCN customer to whom you would like to send a match. Note that the invitation code expires after a few hours, so if you haven't used it to establish a connection with the partner, you may need to request a fresh one.
First, connect to your partner by choosing a name to identify them in subsequent commands, and using your invitation code. You should replace
$ optable-match-cli partner connect <partner-name> "<invite-code>"
On success, you should see a JSON representation of the partner, similar to:
Be careful to keep your private_key secret since it is used to identify and authenticate you.
Next, create a descriptive name for the match in your connected partner's DCN. You can do this by running the following command, replacing
$ optable-match-cli match create <partner-name> <match-name>
On success, you should see a JSON representation of the newly created match along with a UUID associated with the match that you can reference when you send a match in Step 4:
You should prepare a list of type-prefixed and matchable IDs that you would like to perform a match with. See Identifier Types for the list of supported ID types, required encodings, and type prefix values to use. Note that you can mix ID types in a single match file.
Here is an example snippet of a match file containing several matchable ID types:
Finally, initiate a match attempt referring to a previously created match by its UUID and the path to your prepared data file:
$ optable-match-cli match run <partner-name> <match-uuid> <path-to-file>
Make sure to replace
Once initiated, the optable-match-cli will encrypt each of the IDs in your data file using your private key and execute a secure match protocol with your partner's Optable DCN. On successful completion, the number of matched IDs for each matched ID type will be displayed.
Example execution output follows -- note that the last line in the output displays the number of IDs by type which are in the match result:
$ optable-match-cli match run my-partner 1sia22TooI1o193UUL6Sh6bklzB ./my-data-file.dat
2021-05-18T13:23:12-04:00 INF running match 1sia22TooI1o193UUL6Sh6bklzB with a timeout of 30m0s cli=optable-match-cli
2021-05-18T13:23:12-04:00 INF loaded 3001 records from ./my-data-file.dat cli=optable-match-cli
2021-05-18T13:23:12-04:00 INF polling /match/run with a timeout of 1m0s to get match endpoint cli=optable-match-cli
2021-05-18T13:23:12-04:00 INF generated match result id 1sibwAJXyp8ptEr4W0CRIUs6deB cli=optable-match-cli
2021-05-18T13:23:12-04:00 INF still polling /match/run to get match endpoint cli=optable-match-cli
2021-05-18T13:23:18-04:00 INF still polling /match/run to get match endpoint cli=optable-match-cli
2021-05-18T13:23:23-04:00 INF still polling /match/run to get match endpoint cli=optable-match-cli
2021-05-18T13:23:23-04:00 INF got match endpoint receive-994c6fc7.match.partner.cloud.optable.co:25519 cli=optable-match-cli
2021-05-18T13:23:23-04:00 INF running dhpsi protocol on receive-994c6fc7.match.partner.cloud.optable.co:25519 cli=optable-match-cli
2021-05-18T13:27:48-04:00 INF successfully completed dhpsi protocol cli=optable-match-cli
2021-05-18T13:27:48-04:00 INF polling /match/get-result for results cli=optable-match-cli
2021-05-18T13:27:48-04:00 INF still polling /match/get-result for results cli=optable-match-cli
2021-05-18T13:27:53-04:00 INF still polling /match/get-result for results cli=optable-match-cli
2021-05-18T13:27:58-04:00 INF still polling /match/get-result for results cli=optable-match-cli
2021-05-18T13:27:59-04:00 INF got results from /match/get-result cli=optable-match-cli
Depending on the number of IDs in your data file, match execution may take some time. The optable-match-cli must be able to fully buffer your input data file in memory, so be sure to run it on a suitably provisioned machine with enough memory to handle the size of your match data.