Professional Documents
Culture Documents
Textbook Ict Systems Security and Privacy Protection 30Th Ifip TC 11 International Conference Sec 2015 Hamburg Germany May 26 28 2015 Proceedings 1St Edition Hannes Federrath Ebook All Chapter PDF
Textbook Ict Systems Security and Privacy Protection 30Th Ifip TC 11 International Conference Sec 2015 Hamburg Germany May 26 28 2015 Proceedings 1St Edition Hannes Federrath Ebook All Chapter PDF
https://textbookfull.com/product/trust-management-ix-9th-ifip-
wg-11-11-international-conference-ifiptm-2015-hamburg-germany-
may-26-28-2015-proceedings-1st-edition-christian-damsgaard-
jensen/
https://textbookfull.com/product/computer-science-and-its-
applications-5th-ifip-tc-5-international-conference-
ciia-2015-saida-algeria-may-20-21-2015-proceedings-1st-edition-
abdelmalek-amine/
https://textbookfull.com/product/health-information-science-4th-
international-conference-his-2015-melbourne-australia-
may-28-30-2015-proceedings-1st-edition-xiaoxia-yin/
Open Source Systems Adoption and Impact 11th IFIP WG 2
13 International Conference OSS 2015 Florence Italy May
16 17 2015 Proceedings 1st Edition Ernesto Damiani
https://textbookfull.com/product/open-source-systems-adoption-
and-impact-11th-ifip-wg-2-13-international-conference-
oss-2015-florence-italy-may-16-17-2015-proceedings-1st-edition-
ernesto-damiani/
https://textbookfull.com/product/information-theoretic-
security-8th-international-conference-icits-2015-lugano-
switzerland-may-2-5-2015-proceedings-1st-edition-anja-lehmann/
https://textbookfull.com/product/information-security-practice-
and-experience-11th-international-conference-ispec-2015-beijing-
china-may-5-8-2015-proceedings-1st-edition-javier-lopez/
https://textbookfull.com/product/end-user-development-5th-
international-symposium-is-eud-2015-madrid-spain-
may-26-29-2015-proceedings-1st-edition-paloma-diaz/
IFIP AICT 455
Hannes Federrath
Dieter Gollmann
(Eds.)
123
IFIP Advances in Information
and Communication Technology 455
Editor-in-Chief
Editorial Board
Foundation of Computer Science
Jacques Sakarovitch, Télécom ParisTech, France
Software: Theory and Practice
Michael Goedicke, University of Duisburg-Essen, Germany
Education
Arthur Tatnall, Victoria University, Melbourne, Australia
Information Technology Applications
Erich J. Neuhold, University of Vienna, Austria
Communication Systems
Aiko Pras, University of Twente, Enschede, The Netherlands
System Modeling and Optimization
Fredi Tröltzsch, TU Berlin, Germany
Information Systems
Jan Pries-Heje, Roskilde University, Denmark
ICT and Society
Diane Whitehouse, The Castlegate Consultancy, Malton, UK
Computer Systems Technology
Ricardo Reis, Federal University of Rio Grande do Sul, Porto Alegre, Brazil
Security and Privacy Protection in Information Processing Systems
Yuko Murayama, Iwate Prefectural University, Japan
Artificial Intelligence
Tharam Dillon, Curtin University, Bentley, Australia
Human-Computer Interaction
Jan Gulliksen, KTH Royal Institute of Technology, Stockholm, Sweden
Entertainment Computing
Matthias Rauterberg, Eindhoven University of Technology, The Netherlands
IFIP – The International Federation for Information Processing
IFIP was founded in 1960 under the auspices of UNESCO, following the First World
Computer Congress held in Paris the previous year. An umbrella organization for soci-
eties working in information processing, IFIP’s aim is two-fold: to support information
processing within its member countries and to encourage technology transfer to devel-
oping nations. As its mission statement clearly states,
The flagship event is the IFIP World Computer Congress, at which both invited and
contributed papers are presented. Contributed papers are rigorously refereed and the
rejection rate is high.
As with the Congress, participation in the open conferences is open to all and papers
may be invited or submitted. Again, submitted papers are stringently refereed.
The working conferences are structured differently. They are usually run by a work-
ing group and attendance is small and by invitation only. Their purpose is to create an
atmosphere conducive to innovation and development. Refereeing is also rigorous and
papers are subjected to extensive group discussion.
Publications arising from IFIP events vary. The papers presented at the IFIP World
Computer Congress and at open conferences are published as conference proceedings,
while the results of the working conferences are often published as collections of se-
lected and edited papers.
Any national society whose primary activity is about information processing may
apply to become a full member of IFIP, although full membership is restricted to one
society per country. Full members are entitled to vote at the annual General Assembly,
National societies preferring a less committed involvement may apply for associate or
corresponding membership. Associate members enjoy the same benefits as full mem-
bers, but without voting rights. Corresponding members are not represented in IFIP
bodies. Affiliated membership is open to non-national societies, and individual and hon-
orary membership schemes are also offered.
ABC
Editors
Hannes Federrath Dieter Gollmann
Universität Hamburg Technische Universität Hamburg-Harburg
Hamburg Hamburg
Germany Germany
These proceedings contain the papers presented at the 30th IFIP International Informa-
tion Security and Privacy Conference (SEC 2015), hosted in Hamburg, Germany, May
26–28, 2015.
IFIP SEC conferences are the flagship events of the International Federation for
Information Processing (IFIP) Technical Committee 11 on Information Security and
Privacy Protection in Information Processing Systems (TC-11).
In response to the call for papers, 232 papers were submitted to the conference,
of which 20 were withdrawn by the authors. Thus, 212 papers were distributed to the
reviewers. These papers were evaluated on the basis of their significance, novelty, and
technical quality.
Using EasyChair, each paper was reviewed by four members of the Program Com-
mittee and Additional Reviewers. The Program Committee meeting was held electron-
ically with a discussion period of one week. Of the papers submitted, 42 full papers
were accepted for presentation at the conference.
We wish to thank the 126 Program Committee members and the 180 additional re-
viewers for their great effort in managing the unexpected quantity and variety of the
papers submitted to IFIP SEC 2015. Additionally, we thank all authors for their sub-
missions and contributions to the conference.
We thank the University of Hamburg for hosting this conference, HITeC e.V. for
their organizational support, and all people who spent their time on various organization
tasks in the background and at the conference desk. A very special thank is dedicated
to the Organizing Chair Dominik Herrmann.
IFIP SEC 2015 was organized by the Department of Computer Science, University of
Hamburg, Germany.
General Chairs
Kai Rannenberg Goethe-Universität Frankfurt, Germany
Steven Furnell Plymouth University, UK
Program Chairs
Hannes Federrath University of Hamburg, Germany
Dieter Gollmann Technische Universität Hamburg-Harburg,
Germany
Organizing Chair
Dominik Herrmann University of Hamburg, Germany
Program Committee
Luca Allodi University of Trento, Italy
Frederik Armknecht University of Mannheim, Germany
Vijay Atluri Rutgers University, USA
Matt Bishop University of California, Davis, USA
Joan Borrell Universitat Autònoma de Barcelona, Spain
Joppe W. Bos NXP Semiconductors, Belgium
Christina Brzuska Microsoft Research, UK
Rainer Böhme University of Münster, Germany
William Caelli International Information Security Consultants
Pty Ltd, Australia
Jan Camenisch IBM Research, Zurich, Switzerland
Iliano Cervesato Carnegie Mellon University, USA
Eric Chan-Tin Oklahoma State University, USA
Nathan Clarke Plymouth University, UK
Frédéric Cuppens Télécom Bretagne, France
Nora Cuppens-Boulahia Télécom Bretagne, France
VIII Organization
Additional Reviewers
Abdali, Jamal Arp, Daniel Bilzhause, Arne
Ahn, Soohyun Bal, Gökhan Bkakria, Anis
Albarakati, Abdullah Barrère, Martín Blanco-Justicia, Alberto
Alcaraz, Cristina Beck, Martin Bottineli, Paul
Aminanto, Muhamad Erza Belgacem, Boutheyna Bou-Harb, Elias
Organization XI
Privacy
Strategic Noninterference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Wojciech Jamroga and Masoud Tabatabaei
Web Security
Network Security
Software Security
Applied Cryptography
1 Introduction
Cloud computing allows clients with limited computation and storage capabili-
ties to outsource their private data and at a later time, ask the cloud to perform
computation on them. Delegation of data storage and computation to the cloud
has become common practice for individuals and big enterprises alike [1,2]. As
a result, often the need arises for clients to perform computation on their out-
sourced private data jointly, ideally without the need to download the data.
In this paper, we consider a particular such scenario, in which the private
data take the form of sets and the computation of interest is set intersection, i.e.
private set intersection (PSI).
In PSI, two parties want to find out the intersection of their sets and also
want to prevent the other party from finding out anything more about their own
set than the elements of the intersection. In general, PSI captures a wide range
of real-world applications such as privacy preserving data mining [3], homeland
security [4] and so on. For example, consider a case where a law enforcement
agency has a list of suspects and wants to compare it against flight passenger
lists. Here the names of the suspects should be kept hidden from the airlines
c IFIP International Federation for Information Processing 2015
H. Federrath and D. Gollmann (Eds.): SEC 2015, IFIP AICT 455, pp. 3–17, 2015.
DOI: 10.1007/978-3-319-18467-8 1
4 A. Abadi et al.
while the agency should not be able to find out about other passengers in order
to protect their privacy. As another example, consider the situation where a
social welfare organization wants to know whether any of its members receives
income from another organization, but neither organization can reveal their list
of members.
Although a number of protocols have been proposed for PSI (see section 2
for a survey), cloud computing introduces additional challenges as the private
datasets are outsourced and the private set intersection is delegated to cloud
servers. In addition to keeping their sets confidential, clients are also interested
in preventing cloud servers from finding out anything about their sets and the
intersection. In other words, clients are interested in delegated private set inter-
section on outsourced data. To allow for more flexibility it is desirable that clients
should be able to engage in PSI computation with any other client of the cloud
provider. However, they should remain in charge of deciding which clients are
allowed to use their sets. To fully take advantage of the cloud capabilities and
minimize costs, clients should not have to keep locally or download their datasets
every time an intersection needs to be computed, while their involvement to the
computation should be limited.
We propose O-PSI, a PSI protocol that addresses these requirements. Our
protocol uses homomorphic encryption and a novel point-value polynomial rep-
resentation for datasets that allows clients to independently secure their sets
and outsource them to the cloud, while cloud servers are able to calculate their
intersection. The protocol ensures that intersections can only be computed with
the permission of the clients and that the result will remain secret from the
server. The protocol also allows outsourced sets to be used an unlimited number
of times securely without the need to secure them again. More interestingly, the
novel set representation means that computation and communication costs are
linear to the size of the sets.
The paper starts with a survey of related work in section 2, followed by a
brief overview of our security model and key concepts we rely on in section 3.
Section 4 presents the design of our protocol, while section 5 proves its security.
Section 6 proposes extensions to support data integrity verification and multiple
clients, while section 7 presents an analysis of its computation and communica-
tion complexity, and a comparison to work that is closest to our aims. Section 8
concludes the paper and identifies directions for future work.
2 Related Work
Private set intersection (PSI) was introduced in [5]. Following that [6] proposed
a number of protocols supporting further set operations and multiple clients
based on additive homomorphic encryption and polynomial representation of
sets. More recently, several efficient protocols have been proposed. For exam-
ple, [4,7] use blind signatures and hash functions to provide efficient PSI in the
semi-honest and the malicious security models respectively, [8] uses Bloom fil-
ters, secret sharing and oblivious transfer to offer even more efficient protocols,
O-PSI: Delegated Private Set Intersection on Outsourced Datasets 5
and [9] extends [8] and uses hash tables and a more efficient oblivious transfer
extension protocol for better efficiency. However, all these regular PSI protocols
are interactive, in the sense that clients jointly compute the intersection. They
are not designed with the capability to outsource any data or delegate any of
the computation to a third party.
In another line of research, in [10,11] the protocols proposed for outsourced
verifiable dynamic set operations, including set intersection. These protocols
make use of bilinear map accumulators and authenticated hash tables (i.e. accu-
mulator trees) to verify the correctness of operations carried out by a server on
outsourced sets. However, these protocols are designed for a single client to out-
source a collection of sets to a server and later to compute the intersections of its
own sets. The protocols are designed to provide verifiability of computation, not
data privacy. Data are outsourced in plaintext and the protocols do not work if
data are encrypted.
More interestingly, a number of PSI protocols have been proposed in which
clients delegate computation to a server [12–16]. A protocol proposed in [14] allows
clients to outsource their sets to a server by hashing each element and adding a ran-
dom value. They then delegate the computation of the intersection to the server.
However, this protocol is not fully private, as it reveals to the server the cardi-
nality of the intersection. In addition to the above issue, because of the way the
sets are encoded if the intersection between the sets of client A and B is com-
puted, followed by that between the sets of client A and C, then the server will
also find out whether some elements are common in the sets of client B and C
without their consent. In [16] clients also delegate the computation to a server.
Clients encrypt their sets and outsource them. The server also provides a proof
that allows the clients to verify the correctness of the result. However, the proto-
col is not fully private and suffers from the same issues described above. Another
protocol that delegates computation to a server is proposed in [12]. The protocol
is based on a pseudorandom permutation (PRP) of the set elements with the key
for the PRP generated jointly by the clients at setup. One variant of the protocol
can hide the cardinality of the intersection. However, in this variant computation
is delegated to one of the clients rather than the server. The server’s role is limited
to re-encoding one client’s set to maintain the privacy of the computation. In the
protocol, clients can detect if the server provided incorrect results at the cost of
replicating a number of times all elements of the sets.
In a similar line of research, a protocol proposed in [13] allows one client, say
client A, to encrypt and outsource its set, and delegate computation to a server.
The server can then engage in a PSI protocol on this client’s behalf with another
client, say client B. However, this delegation is one-off: if A wants to compute set
intersection with C, then A must encrypt its set with a new key and re-delegate
to the server. In addition to this protocol, in [15] two clients can delegate the PSI
computation to a server. In this protocol rather than encrypting and outsourcing
their sets, the clients encrypt and outsource bloom filters of their sets that are then
used by the server to privately compute their intersection. However, in this case in
order for the clients to get the result of the intersection they need to keep a local
copy of their sets. So, this protocol does not really allow outsourcing the sets.
6 A. Abadi et al.
From the above discussion, it should be clear that none of the protocols above
allows clients to fully delegate PSI computation to the server without the need
to either maintain the sets locally or having to re-encode and re-upload the sets
for each intersection computation, namely none support delegated private set
intersection on outsourced sets. As a result, none of them are particularly suited
for a cloud computing setting.
3 Preliminaries
3.1 Security Model
Key Generation: Choose two random large primes p and q according to a given
security parameter, and set N = pq. Let u be the Carmichael value of N , i.e.
u = lcm(p − 1, q − 1) where lcm stands for the least common multiple. Choose
a random g ∈ Z∗N 2 , and ensure that s = (L(g u mod N 2 ))−1 mod N exists where
L(x) = (x−1)
N . The public key is pk = (N, g) and the secret key is sk = (u, s).
d
of polynomial’s coefficients. They represent a degree d polynomial ρ = i=0 ai xi
as a vector a = (a0 , a1 , ..., ad ). This representation, while it allows the protocols
to correctly compute the result, has a major disadvantage. The complexity of
multiplying two polynomials of degree d in co-efficient representation is O(d2 ). In
PSI protocols, this leads to significant computational overheads. Usually in such
protocols, one polynomial needs to be encrypted and the polynomial multiplica-
tion has to be done homomorphically. Homomorphic multiplication operations
are computationally expensive. Thus using a co-efficient representation means
that the protocols are not scalable.
In O-PSI, we solve this problem by representing the polynomials in another
well-known form, point-value. A degree d polynomial ρ can be represented as a
set of n (n > d) point-value pairs {(x0 , y0 ), ..., (xn−1 , yn−1 )} such that all xi are
distinct and yi = ρ(xi ) for 0 ≤ i ≤ n − 1. If the x values are fixed, we can omit
them and represent polynomials as vectors y = (y0 , y1 , ..., yn−1 ). A polynomial
in point-value form can be translated into co-efficient form by polynomial inter-
polation [21]. Polynomial arithmetic in point-value representation can be done by
point-wise addition or multiplication. For two degree d polynomials ρA and ρB
represented in point-value form by two vectors y(A) and y(B) , ρA + ρB can be com-
1 + y 1 , y 2 + y 2 , ..., yn−1 + yn−1 ), and ρA · ρB can be computed as
(A) (B)
puted as (y (A) (B) (A) (B)
v ( A)
=[
(B
) ] y ( A)
· rn −1 e ( A) 0 · r ( A)
(B
)
−1 ., =[ 0 ,
yn Ep ..
,. .., (B ) )
,.. kB . , y (A
B)
)
( r (B ) (1)
y 0 (B) 1))]
(
(B
) ·r 0
(1) (B ·
) 0 · (r (A (3
n− )
1 · r ( A)
[y · y n−
+ w (Bn−1
0 0
0 ) −1) n−
) )
B) = )
1]
(4A) ) · y
(A
+w ), .
(
v (
0 )
(A . .,E
1
· (w
0
) ) · y n− pk
(B
1 (A ( r (B )
( r 0 ) · ( w n−
B
n−
[E pk (r(Bn−1
B 1 · ( r (A
t= n− ) −
1) 1
E pk B e(B) = [EpkB (r (B)
), . . . , EpkB (rn−1 )](B) )]
0
(2)
Client A
Client B
client B, wants to compute the intersection of its own set and another client’s
set, say client A’s set, it must obtain permission from A. If A agrees, A can
compute jointly with B some encrypted values. The encrypted values will be
used by the server to remove part of the blinding factors from A’s data, and
this then allows the set intersection to be computed. At the end of the protocol
client B receives an encrypted vector which it can decrypt and use the decrypted
values to interpolate a polynomial that encodes the intersection. The protocol is
described below. We will explain the rationale behind the protocol design after
the protocol description.
1. Setup Let U be the universe of set elements. There is a public finite field
R that is big enough to encode all elements in U and also when an element
is picked uniformly at random from R has only negligible probability of
representing an element of a set. Client A has a set SA ⊂ U and client B has
a set SB ⊂ U. Without loss of generality, we let |SA | = |SB | = d. The server
publishes a vector x containing n = 2d + 1 random distinct values from R.
The server also publishes a pseudorandom function f : {0, 1}l × Z → R,
which maps an l-bit string to an element in R pseudorandomly.
2. Outsource This step is the same at both clients. Let I ∈ {A, B}, then the
client I does the following:
(a) Generates a Paillier key pair (pkI , skI ) (see section 3.2) and publishes
the public key. It also chooses a random private key kI for the pseudo-
random function f . All keys are generated according to a given security
parameter.
(b) Constructs a polynomial τI = s(I) ∈SI (x − s(I) i ) that represents its set
i
SI . Evaluates τI at every value in the x published by the server producing
i = τI (xi ) for 0 ≤ i ≤ n − 1.
y(I) such that y (I)
(c) Sends v(I) to the server, where ∀v (I) i ∈ v , v i = y i · r i , y i is the ith
(I) (I) (I) (I) (I)
(I)
element in y(I) , r i = f (kI , i). Here, v(I) is a blinded version of its set
polynomial.
3. Set Intersection In this step, client B wants to know the intersection of
its set and client A’s set.
(a) Client B sends a request to client A. Along with the request, client B
also sends its ID and a vector e(B) , such that e(B) (B)
i = EpkB (r i ) where
r i = f (kB , i) for 0 ≤ i ≤ n − 1 are the values used to blind its set
(B)
polynomial.
(b) Client A can send a Deny message to end the protocol here, or if it
agrees to engage in the computation of the set intersection, it sends a
Permit message to client B. It also sends a Compute message that
contains its own and B’s IDs, and a vector e(A) to the server. The vector
(A) −1
e(A) is computed as follows: for 0 ≤ i ≤ n − 1, e(A) (B) (r
i = (e i )
i ) =
(A) −1
EpkB (r i · (r i ) ) where r i = f (kI , i) for I ∈ {A, B} are the values
(B) (I)
two vectors w(I) (I ∈ {A, B}) such that w(I)i = ωI (xi ) for 0 ≤ i ≤ n − 1
where xi is the ith element in the public vector x.
(d) The server computes a result vector t such that for 0 ≤ i ≤ n − 1:
(A) (A)
i ·w i · EpkB (w(B)
ti = (e(A) i ·v i )
v (B)
i )
(A) −1
i · (r i )
= EpkB (r(B) · y (A)
i · r i · w i ) · EpkB (w i · y i · r i )
(A) (A) (B) (B) (B)
i · (w i · y i + w i · y i ))
= EpkB (r(B) (A) (A) (B) (B)
=w i ·y i +w i ·y i
(A) (A) (B) (B)
Remark 1: In the Setup step, the server needs to publish a vector x that has
2d + 1 elements, because the polynomial ζ in step 3e is of degree 2d and at
least 2d + 1 points are needed to interpolate it. The elements in x are picked at
random from R so that the probability of xi being a root of a client’s polynomial
is negligible.
Remark 2: In step 2c, the client blinds its vector. If the client stores y directly
on the server without blinding, then the server can use y and x to interpolate
the client’s polynomial, thus revealing the client’s set. With blinding this is
not possible unless the server knows the pseudorandom function key used by
the client. The protocol blinds values by multiplication. However, multiplication
cannot blind a value if the value is 0. This is why we require the probability of
xi in x being a root of a client’s polynomial to be negligible. If xi is a root then
yi is 0 and cannot be blinded.
Remark 3: The data values stored on the server are blinded by their owner. To
compute the set intersection those blinding factors (r(I) i in the protocol) must
be eliminated. In step 3b, client A and B jointly compute the vector e(A) to
“switch” A’s blinding factors to B’s blinding factors. In step 3d, e(A) is used to
eliminate r(A) (B)
i and replace it with r i . This factor switching makes it possible
(B)
later to eliminate r i in step 3e. The values in e(A) are encrypted with B’s public
key, so the server learns nothing in this process.
Remark 4: The client’s original blinded dataset remains unchanged in the
server. In fact in step 3c, the server multiplies a copy of the client’s blinded
dataset by the vector w(I) .
O-PSI: Delegated Private Set Intersection on Outsourced Datasets 11
5 Proof of Security
Now we sketch the security proof of O-PSI in the semi-honest model (see
section 3.1). We conduct the security analysis for the three cases where one
of the parties is corrupted.
Proof. We will prove the theorem by considering in turn the case where each of
the parties has been corrupted. In each case we invoke the simulator with the
corresponding party’s input and output. Our focus is in the case where party
A wants to engage in the computation of the intersection. If party A does not
want to proceed in the protocol, the views can be simulated in the same way up
to the point where the execution stops.
Case 1: Corrupted server In this case, we show that we can construct a
simulator SimP that can produce a computationally indistinguishable view. In
the real execution, the server’s view is as follows:
where rP are the random coins of the server, v(A) , v(B) are the blinded set
representations of A’s and B’s sets, Compute is the command to proceed from
A, and e(A) is the encrypted vector that is used in the protocol to switch blinding
factors.
To simulate the view, SimP does the following: it creates an empty view,
then appends Λ and uniformly at random chosen coins rP to the view. It then
randomly generates two d-element sets SA and SB . It also chooses two random
keys kA and kB for a pseudorandom function f . It encodes SA into its polynomial
representation, evaluates the polynomial with the public values x, and blinds the
(A)
evaluation results with ri = f (kA , i) for 0 ≤ i ≤ n − 1. The result is v(A) .
Similarly it can generate v(B) . Then v(A) and v(B) are appended to the view.
Following that, the simulator generates the Compute command string with the
(B) (A)
correct format and appends it to the view. It then computes ri · (ri )−1 and
encrypts the results with B’s public key. This produces e(A) that is appended
to the view. Finally, the simulator appends Λ to the view and outputs the view.
We argue that the simulated view is computationally indistinguishable from
the real view. In both views, the input parts are identical, the random coins
are both uniformly random, and so they are indistinguishable. In the real view
v(A) , v(B) are blinded with the outputs of a pseudorandom function, so do the
vectors in the simulated view. Since the outputs of the pseudorandom function
are computationally indistinguishable, the distributions of v(A) , v(B) , v(A) , v(B)
are therefore computationally indistinguishable. If the homomorphic encryption
is semantically secure, then e(A) and e(A) are also computationally indistin-
guishable. The output parts in both views are identical. So, we conclude that
the views are indistinguishable.
12 A. Abadi et al.
Case 2: Corrupted client A In the real execution, the A’s view is as follows:
The simulator SimA does the following: it creates an empty view, then appends
Λ and uniformly at random chosen coins rA to the view. It then chooses n random
values ri and encrypts each ri with B’s public key. The result is e(B) and it is
appended to the view. The simulator then appends Λ to the view. It is easy to see
that If the homomorphic encryption is semantically secure, then e(B) and e(B)
are computationally indistinguishable. So, the two views are indistinguishable.
Case 3: Corrupted client B In the real execution, the B’s view is as follows:
The simulator SimB does the following: it creates an empty view, and appends
Λ and uniformly at random chosen coins rB to the view. Then it generates
the Permit command string with the correct format and appends it to the
view. Following that, it creates two d-element sets SA and SB such that SA ∩
SB = f∩ (SA , SB ), converts SA to its polynomial representation, evaluates the
polynomial using the public values x and obtains y(A) . Similarly the simulator
can obtain y(B) . The simulator chooses randomly two degree d polynomials
ωA and ωB , evaluates them using the public values x and obtains w(A) and
w(B) . It also chooses a random key kB for a pseudorandom function f and
(B)
computes ri = f (kB , i) for 0 ≤ i ≤ n − 1. Then the simulator computes for
(B) (A) (A) (B) (B)
each i, EpkB (r i · (w i · y i + w i · y i )). The result is t . The simulator
appends t to the view and then appends f∩ (SA , SB ). It is easy to see that the
distributions of t and t are computationally indistinguishable. So, the two views
are indistinguishable.
Combining the above, we conclude the protocol is secure and complete our
proof.
6 Extensions
To add data integrity verification to O-PSI we can use the verification mechanism
of any provable data possession protocol that does not reveal any information
about the confidential data to the server. For this purpose, we can adopt the
homomorphic verification tags proposed in [22]. These tags are homomorphic in
the sense that given two tags Ta and Tb for elements a and b one can combine
them Ta ·Tb which is equal to the tag T aga+b of the sum a+b of the two elements.
O-PSI: Delegated Private Set Intersection on Outsourced Datasets 13
i = y i · r i is a uniformly ran-
to compute a proof for a different value. Note, v (I) (I) (I)
dom value. Consequently, each tag Tv(I) does not leak any information about the
i
private value y (I)
i to the server. In this protocol client I, along with its blinded
dataset, outsources a vector tag(I) comprising values Tv(I) (0 ≤ i ≤ n − 1) to the
i
server. The challenge, proof generation and verification phases of the protocol
remain unchanged to those described in [22].
1≤j≤m
(Aj ) (Aj )
= EpkB (r (B)
i · (w (B)
i · y (B)
i + w i ·y i ))
1≤j≤m
Then the server sends t to client B, that carries out the final step, step 3e,
unchanged. Note that in this protocol, even if m − 1 clients collude, none can
infer the set elements of the non-corrupted client, as the random polynomials
(A )
ωI j , picked by the server, are unknown to the clients.
7 Evaluation
Properties. The protocols in [12,13] require clients to interact with each other
at setup. In [12] clients need to generate jointly the key of the pseudorandom per-
mutation used to encode the datasets, while in [13] they need to jointly compute
some parameters that are used in the encryption of their datasets. In contrast to
14 A. Abadi et al.
Table 1. Comparison of different delegated PSI protocols. Set cardinality and inter-
section cardinality are denoted by d and k respectively.
these protocols, in [14–16] and O-PSI the clients can independently prepare and
outsource their private datasets. This is desirable in a cloud computing context
as organizations and individuals can take advantage of the storage capabilities
of the cloud and outsource their data at different points in time and without
prior consideration of who is going to use them.
In a delegated PSI protocol, privacy should be maintained and the server should
not learn anything about the intersection during the computation, including its
cardinality. This is the case for the size-hiding variation of [12], protocols in [13,15],
and O-PSI. However, as discussed in section 2 this is not the case for [14,16].
More interestingly, O-PSI is the only protocol in which clients can reuse
their outsourced datasets on the server in multiple delegated PSI computations
without the need to prepare their datasets for each computation, and computing
PSI on the outsourced dataset multiple times does not reveal any information
to the server. This is an important advantage in scenarios where outsourced
datasets are expected to be used a lot of times, as it significantly reduces the
overall communication and storage cost for the clients. This is not the case
for any of the other protocols, because the clients either do not outsource their
datasets, or need to re-encode them locally for each operation in order to prevent
the server from inferring information about the intersection over time.
As we showed in section 6.2, O-PSI can be easily extended to support multiple
clients. This is also the case for [12–14,16]. However, this is not possible for [15],
as this requires an additional logical operation that is not supported by the
homomorphic encryption scheme used.
O-PSI has been designed for the semi-honest security model and as a result
does not consider the case where the server maliciously deviates from the proto-
col and computes the wrong result. This is a reasonable assumption in a cloud
computing context where cloud providers are keen to preserve their reputation
and this assumption is widely considered in the literature [13–15,23,24]. How-
ever [16] allows the client to verify the correctness of the results, while as we
have seen in section 2, [12] can detect server misbehavior at an additional cost.
In conclusion, in contrast to other protocols, O-PSI has a unique combination
of properties that make it particularly appealing for a cloud computing setting.
Another random document with
no related content on Scribd:
apotheosis of womanhood, sketched by Guido Guinizelli, is
developed with mystical fullness, and there is even perhaps a hint of
some future work in honour of Beatrice that will deal with the world
beyond the grave. The two sonnets that follow are a kind of
supplement; the first:
“Love and the gentle heart are one same thing,” gives a definition of
love, elaborating the Guinizellian doctrine; the second:
“He seeth perfectly all bliss, who beholds my lady among the ladies”;
sonnets which are flawless gems of mediaeval poetry. Then abruptly,
in the composition of a canzone which should have shown how Love
by means of Beatrice regenerated his soul, the pen falls from his
hand: Beatrice has been called by God to Himself, to be glorious
under the banner of Mary, “How doth the city sit solitary that was full
of people!”
Some falling off may be detected here and there in the third part of
the Vita Nuova (xxix. to xli.), which includes the prose and poetry
connected with Beatrice’s death, the love for the lady who takes pity
upon the poet’s grief, his repentance and return to Beatrice’s
memory. A stately canzone:
“The eyes that grieve for pity of the heart,” is a companion piece to
the opening canzone of the second part; the poet now speaks of
Beatrice’s death in the same form and to the same love-illumined
ladies to whom he had formerly sung her praises. More beautiful are
the closing lines of the shorter canzone, written for Dante’s second
friend, who was apparently Beatrice’s brother. After the charming
episode of the poet drawing an Angel on her anniversary, the “gentle
lady, young and very fair,” inspires him with four sonnets; and his
incipient love for her is dispelled by a “strong imagination,” a vision of
Beatrice as he had first seen her in her crimson raiment of childhood.
The bitterness of Dante’s repentance is a foretaste of the confession
upon Lethe’s bank in the Purgatorio. The pilgrims pass through the
city on their way to Rome, “in that season when many folk go to see
that blessed likeness which Jesus Christ left us as exemplar of His
most beauteous face, which my lady sees in glory” (V. N. xli.); and
this third part closes with the sonnet in which Dante calls upon the
pilgrims to tarry a little, till they have heard how the city lies desolate
for the loss of Beatrice.
In the epilogue (xlii., xliii.), in answer to the request of two of those
noble ladies who throng the ways of Dante’s mystical city of youth
and love as God’s Angels guard the terraces of the Mount of
Purgation, Dante writes the last sonnet of the book; wherein a “new
intelligence,” born of Love, guides the pilgrim spirit beyond the
spheres into the Empyrean to behold the blessedness of Beatrice. It
is an anticipation of the spiritual ascent of the Divina Commedia,
which is confirmed in the famous passage which closes the “new life”
of Love:
“After this sonnet there appeared unto me a wonderful vision:
wherein I saw things which made me purpose to say no more of this
blessed one, until such time as I could discourse more worthily
concerning her. And to attain to that I labour all I can, even as she
knoweth verily. Wherefore if it shall be His pleasure, through whom is
the life of all things, that my life continue for some years, I hope that I
shall yet utter concerning her what hath never been said of any
woman. And then may it seem good unto Him, who is the Lord of
courtesy, that my soul may go hence to behold the glory of its lady:
to wit, of that blessed Beatrice who gazeth gloriously upon the
countenance of Him who is blessed throughout all ages.”[10]
From the mention of the pilgrimage, and this wonderful vision, it
has been sometimes supposed that the closing chapters of the Vita
Nuova were written in 1300. It seems, however, almost certain that
there is no reference whatever to the year of Jubilee in the first case.
When Dante’s positive statement in the Convivio, that he wrote the
Vita Nuova at the entrance of manhood (gioventute being the twenty
years from twenty-five to forty-five, Conv. iv. 24), is compared with
the internal evidence of the book itself, the most probable date for its
completion would be between 1291 and 1293. It should, however, be
borne in mind that, while there is documentary evidence that some of
the single poems were in circulation before 1300, none of the extant
manuscripts of the whole work can be assigned to a date much
earlier than the middle of the fourteenth century. It is, therefore, not
inconceivable that the reference to the vision may be associated with
the spiritual experience of 1300 and slightly later than the rest of the
book.[11]
The form of the Vita Nuova, the setting of the lyrics in a prose
narrative and commentary, is one that Dante may well have invented
for himself. If he had models before his eyes, they were probably, on
the one hand, the razos or prose explanations which accompanied
the poems of the troubadours, and, on the other, the commentaries
of St. Thomas Aquinas on the works of Aristotle, which Dante
imitates in his divisions and analyses of the various poems. His
quotations show that he had already studied astronomy, and made
some rudimentary acquaintance with Aristotle and with the four chief
Latin poets; the section in which he speaks of the latter, touching
upon the relations between classical and vernacular poetry (xxv.),
suggests the germ of the De Vulgari Eloquentia. The close of the
book implies that he regarded lack of scientific and literary
equipment as keeping him from the immediate fulfilment of the
greater work that he had even then conceived for the glory of
Beatrice.
In the Convivio, where all else is allegorical, Beatrice is still simply
his first love, lo primo amore (ii. 16). Even when allegorically
interpreting the canzone which describes how another lady took her
place in his heart, after her death, as referring to Philosophy, there is
no hint of any allegory about quella viva Beatrice beata, “that
blessed Beatrice, who lives in heaven with the Angels and on earth
with my soul” (Conv. ii. 2). When about to plunge more deeply into
allegorical explanations, he ends what he has to say concerning her
by a digression upon the immortality of the soul (Conv. ii. 9): “I so
believe, so affirm, and so am certain that I shall pass after this to
another better life, there where that glorious lady lives, of whom my
soul was enamoured.”
Those critics who question the reality of the story of the Vita
Nuova, or find it difficult to accept without an allegorical or idealistic
interpretation, are best answered in Dante’s own words: Questo
dubbio è impossibile a solvere a chi non fosse in simile grado fedele
d’Amore; e a coloro che vi sono è manifesto ciò che solverebbe le
dubitose parole; “This difficulty is impossible to solve for anyone who
is not in similar grade faithful unto Love; and to those who are so,
that is manifest which would solve the dubious words” (V. N. xiv.).
2. The “Rime”
The Rime—for which the more modern title, Canzoniere, has
sometimes been substituted—comprise all Dante’s lyrical poems,
together with others that are more doubtfully attributed to him. In the
Vita Nuova were inserted three canzoni, two shorter poems in the
canzone mould, one ballata, twenty-five sonnets (including two
double sonnets). The “testo critico” of the Rime, edited by Michele
Barbi for the sexcentenary Dante, in addition to these accepts as
authentic sixteen canzoni (the sestina is merely a special form of
canzone), five ballate, thirty-four sonnets, and two stanzas. Dante
himself regards the canzone as the noblest form of poetry (V. E. ii.
3), and he expounded three of his canzoni in the Convivio. From the
middle of the fourteenth century onwards, a large number of MSS.
give these three and twelve others (fifteen in all) as a connected
whole in a certain definite order, frequently with a special rubric in
Latin or Italian prefixed to each; this order and these rubrics are due
to Boccaccio.[12] It has been more difficult to distinguish between the
certainly genuine and the doubtful pieces among the ballate and
sonnets, and the authenticity of some of those now included by Barbi
in the canon is still more or less open to question. The Rime, on the
whole, are the most unequal of Dante’s works; a few of the sonnets,
particularly some of the earlier ones and those in answer to other
poets, have but slight poetic merit, while several of the later canzoni
rank among the world’s noblest lyrics. In the sexcentenary edition
the arrangement of the lyrics is tentatively chronological, with
subsidiary groupings according to subject-matter. While following the
same general scheme, I slightly modify the arrangement, as certain
poems regarded by Barbi as “rime d’amore” appear to me to be
more probably allegorical.
(a) A first group belongs to the epoch of the Vita Nuova.
Conspicuous among them are two canzoni. One:
“Pitiless memory that still gazes back at the time gone by,” is
addressed directly to a woman (in this respect differing from Dante’s
other canzoni), who is probably the second lady represented as the
poet’s screen. The other:
“Beagles questing and huntsmen urging on,” reveals the poet taking
part in sport and appreciating a jape at his own expense. A number
of correspondence sonnets belong to this epoch, a small series
addressed to Dante da Maiano (of which no MS. has been
preserved) being probably earlier than the first sonnet of the Vita
Nuova. A note of pure romance is struck in the charming sonnet to
Guido Cavalcanti, in which the younger poet wishes that they two,
with Lapo Gianni and their three ladies (Dante’s being the first lady
who screened his love), might take a voyage over enchanted seas in
Merlin’s magic barque. Several admirable sonnets, now included in
this group, were formerly attributed to Cino da Pistoia.[14]
(b) The tenzone with Forese Donati forms a little group apart. Its
date is uncertain, but may be plausibly taken as between 1290 and
1296. These sonnets, though not free from bitterness which is
perhaps serious, may be regarded as exercises in that style of
burlesque and satirical poetry to which even Guido Guinizelli had
once paid tribute, and which Rustico di Filippo had made
characteristically Florentine.
(c) Next comes a group of poems, connected with the allegory of
the Convivio, in which an intellectual ideal is pursued with the
passion and wooed in the language of the lover who adores an
earthly mistress. “I say and affirm that the lady, of whom I was
enamoured after my first love, was the most beautiful and most pure
daughter of the Emperor of the Universe, to whom Pythagoras gave
the name Philosophy” (Conv. ii. 16). By some, not entirely
reconcilable, process the donna gentile, who appears at the end of
the Vita Nuova, has become a symbol of Philosophy, and the poet’s
love for her a most noble devotion. The canzone:
“Since love has left me utterly,” deals with leggiadria, the outward
expression of a chivalrous soul, and shows the influence of the
Tesoretto of Brunetto Latini. These two canzoni, which contain
transcripts from the Aristotelian Ethics, only here and there become
poetry. In the larger proportion of short lines in the stanza, Dante
seems feeling his way to a more popular metrical form and a freer
treatment, as well as a wider range of subject. The second has
satirical sketches of vicious or offensive types of men, with whom he
will deal more severely in the Commedia.
(e) There are certain lyrics of Dante’s which can hardly admit of an
allegorical interpretation, but are almost certainly the expression of
passionate love for real women. Most notable among these are a
group of four canzoni, known as the rime per la donna pietra, which
are characterised by a peculiar incessant playing upon the word
pietra, or “stone,” which has led to the hypothesis that they were
inspired by a lady named Pietra, or at least by one who had been as
cold and rigid as Beatrice had been the giver of blessing. The
canzone of the aspro parlare:
“To the short day and the large circle of shade have I come,” is the
first Italian example of that peculiar variety of the canzone which was
invented by Arnaut (V. E., ii. 10, 13). It gives a most wonderful
picture of this strange green-robed girl, her golden hair crowned with
grass like Botticelli’s Libyan Sibyl, in the meadow “girdled about with
very lofty hills.” Less beautiful and more artificial, the canzone:
Amor, tu vedi ben che questa donna,
“Love, thou seest well that this lady cares not for thy power,” is
likewise quoted with complacency, for its novelty and metrical
peculiarity, in the De Vulgari Eloquentia (ii. 13). And the passion of
the whole group is summed up in the poem on Love and Winter:
“I have been in company with love since the circling of my ninth sun,”
affords further testimony that, at certain epochs of his life, earthly
love took captive Dante’s freewill.
(f) To the earlier years of Dante’s exile belongs the noblest and
most sublime of his lyrics, the canzone:
“Three ladies are come around my heart and are seated without, for
within sits Love who is in lordship of my life.” They are Justice and
her spiritual children; Love prophesies the ultimate triumph of
righteousness, and the poet, with such high companionship in
outward misfortune, declares that he counts his exile as an honour.
While recalling the legend of the apparition of Lady Poverty and her
two companions to St. Francis of Assisi, and a poem of Giraut de
Borneil on the decay of chivalry, the canzone echoes Isaiah (ch. li.).
Its key may be found in the prophet’s words: “Hearken unto me, ye
that know Justice, the people in whose heart is my law; fear ye not
the reproach of men, neither be ye afraid of their revilings.” It was
probably written between 1303 and 1306; its opening lines have
been found transcribed in a document of 1310.[16] To about the
same epoch must be assigned the powerful canzone against vice in
general and avarice in particular:
3. The “Convivio”
The Convivio, or “Banquet,” bears a somewhat similar relation to
the work of Dante’s second period as the Vita Nuova did to that of
his adolescence. Just as after the death of Beatrice he collected his
earlier lyrics, furnishing them with prose narrative and commentary,
so now in exile he intended to put together fourteen of his later
canzoni and write a prose commentary upon them, to the honour
and glory of his mystical lady, Philosophy. Dante was certainly not
acquainted with Plato’s Symposium. It was from the De Consolatione
Philosophiae of Boëthius that the idea came to him of representing
Philosophy as a woman; but the “woman of ful greet reverence by
semblaunt,” who “was ful of so greet age, that men ne wolde nat
trowen, in no manere, that she were of oure elde” (so Chaucer
renders Boëthius), is transformed to the likeness of a donna gentile,
the idealised human personality of the poetry of the “dolce stil
nuovo”:
“And I imagined her fashioned as a gentle lady; and I could
not imagine her in any bearing save that of compassion;
wherefore so willingly did the sense of truth look upon her,
that scarcely could I turn it from her. And from this imagining I
began to go there where she revealed herself in very sooth, to
wit, in the schools of religious and at the disputations of
philosophers; so that in a short time, perchance of thirty
months, I began to feel so much of her sweetness, that her
love drove out and destroyed every other thought” (Conv. ii.
13).
The Convivio is an attempt to bring philosophy out of the schools
of religious and away from the disputations of philosophers, to
render her beauty accessible even, to the unlearned. “The Convivio”,
says Dr. Wicksteed, “might very well be described as an attempt to
throw into popular form the matter of the Aristotelian treatises of
Albertus Magnus and Thomas Aquinas.” Dante’s text is the opening
sentence of Aristotle’s Metaphysics: “All men by nature desire to
know”; which he elaborates from the commentary of Aquinas and the
latter’s Summa contra gentiles. He would gather up the crumbs
which fall from the table where the bread of Angels is eaten, and
give a banquet to all who are deprived of this spiritual food. It is the
first important work on philosophy written in Italian—an innovation
which Dante thinks necessary to defend in the chapters of the
introductory treatise, where he explains his reasons for commenting
upon these canzoni in the vernacular instead of Latin, and
incidentally utters an impassioned defence of his mother-tongue,
with noteworthy passages on the vanity of translating poetry into
another language and the potentialities of Italian prose (Conv. i. 7,
10).
In addition to this principal motive for writing the work, the desire of
giving instruction, Dante himself alleges another—the fear of infamy,
timore d’infamia (Conv. i. 2): “I fear the infamy of having followed
such great passion as whoso reads the above-mentioned canzoni
will conceive to have held sway over me; the which infamy ceases
entirely by the present speaking of myself, which shows that not
passion, but virtue, has been the moving cause.” It would seem that
Dante intended to comment upon certain of the canzoni connected
with real women, and to represent them as allegorical; it may be that,
consumed with a more than Shelleyan passion for reforming the
world, he chose this method of getting rid of certain episodes in the
past which he, with too much self-severity, regarded as rendering
him unworthy of the sublime office he had undertaken. And, by a
work of lofty style and authority, he would rehabilitate the man who,
in his exiled wanderings, had “perchance cheapened himself more
than truth wills” (i. 4).
Only the introductory treatise and three of the commentaries were
actually written: those on the canzoni Voi cite ’ntendendo, Amor che
ne la mente mi ragiona, Le dolci rime d’amor. If the whole work had
been completed on the same scale as these four treatises, a great
part of the field of knowledge open to the fourteenth century would
have been traversed in the ardent service of this mystical lady, whom
the poet in the second treatise—not without considerable
inconsistency—represents as the same as the donna gentile who
appeared towards the end of the Vita Nuova (Conv. ii. 2). As it is, the
movements of the celestial bodies, the ministry of the angelic orders,
the nature of the human soul and the grades of psychic life, the
mystical significance and universality of love, are among the subjects
discussed in the second and third treatises. The fourth treatise is
primarily ethical: nobility as inseparable from love and virtue, wealth,
the Aristotelian definition of moral virtue and human felicity, the goal
of human life, the virtues suitable to each age, are among the
themes considered. Under one aspect the Convivio is a vernacular
encyclopaedia (like the Trésor of Brunetto Latini), but distinguished
from previous mediaeval works of the kind by its peculiar form, its
artistic beauty, and its personal note. From the first treatise it is
evident that the whole work had been fully planned; but it is not
possible to reconstruct it with any plausibility, or to decide upon the
question of which of the extant canzoni were to be included, and in
what order. From iv. 26, it may be conjectured that the passionate
canzone, Così nel mio parlar voglio esser aspro (Rime ciii., O. canz.
xii.), was to be allegorised in the seventh treatise; while, from i. 12, ii.
1, iv. 27, it appears fairly certain that the canzone of the three ladies,
Tre donne intorno al cor (Rime civ., O. canz. xx.), would have been
expounded in the fourteenth, where Justice and Allegory were to
have been discussed; and, from i. 8 and iii. 15, that the canzone
against the vices, Doglia mi reca (Rime cvi., O. canz. x.), was
destined for the poetical basis of the last treatise of all. It is thus clear
that the Convivio would have ended with the two canzoni which form
the connecting link between the lyrical poems and the Divina
Commedia. For the rest, it is certain that there would have been no
mention of Beatrice in any of the unwritten treatises. In touching
upon the immortality of the soul (Conv. ii. 9), Dante had seen fit to
end what he wished to say of “that living blessed Beatrice, of whom I
do not intend to speak more in this book.” There seems also good
reason for supposing that the canzone for the beautiful lady of the
Casentino (Rime cxvi., O. canz. xi.), which may be of a slightly later
date than the others, would not have formed part of the completed
work.
Witte and others after him have supposed that the Convivio
represents an alienation from Beatrice; that the Philosophy, which
Dante defines as the amorous use of wisdom, is a presumptuous
human science leading man astray from truth and felicity along the
dangerous and deceptive paths of free speculation. There is,
however, nothing in the book itself to support this interpretation,[18]
and, indeed, a comparison between the second canzone, Amor che
ne la mente mi ragiona, and the first canzone of the Vita Nuova
points to the conclusion that the personification of philosophy is but a
phase in the apotheosis of Beatrice herself. The Convivio is the first
fruit of Dante’s labours to fulfil the promise made at the end of the
book of his youth; his knowledge of literature and philosophy has
immeasurably widened, his speculations on human life and nature
have matured, and his prose style, in its comparative freedom and
variety, its articulation and passages of spontaneous eloquence,
shows a vast progress from that of the Vita Nuova.
There are passages in the Convivio which appear to be
contradicted in the Divina Commedia. One of the most curious is the
treatment of Guido da Montefeltro, who, in Conv. iv. 28, is “our most
noble Italian,” and a type of the noble soul returning to God in the
last stage of life, whereas, in the Inferno (Canto xxvii.), he is found in
the torturing flames of the evil counsellors. Several opinions are
directly or indirectly withdrawn in the Paradiso; but these are to be
rather regarded as mistakes which, in the light of subsequent
knowledge, Dante desired to rectify or repudiate; such as the theory
of the shadow on the moon being caused by rarity and density,
based upon Averroës, and a peculiar arrangement of the celestial
hierarchies, derived from the Moralia of St. Gregory the Great. And,
in the Purgatorio, the poet discards his “dread of infamy,” when he
dares not meet Beatrice’s gaze in the Garden of Eden; he casts
aside the allegorical veil he had tried to draw over a portion of the
past, and makes the full confession which we find in Cantos xxx. and
xxxi. In the fourth treatise, an erroneous sentence attributed to
Frederick II. (in reality a mutilated version of the definition of nobility
given by Aristotle in the Politics) leads Dante to examine the limits
and foundation of the imperial authority, the divine origin of Rome
and the universal dominion of the Roman people, the relation of
philosophy to government; a theme which he will work out more fully
and scientifically in the Monarchia. The result is two singularly
beautiful chapters (iv.-v.); a prose hymn to Rome, an idealised
history of the city and her empire. It is the first indication of the poet’s
conversion from the narrower political creed of the Florentine citizen
to the ideal imperialism which inspires his later works.
It has sometimes been held that portions of the Convivio were
written before exile. Nevertheless, while two of the canzoni were
composed before 1300, it seems most probable that the prose
commentaries took their present shape between Dante’s breaking
with his fellow-exiles and the advent of Henry VII. A passage
concerning Frederick II., “the last emperor of the Romans with
respect to the present time, although Rudolph and Adolph and Albert
were elected after his death and that of his descendants” (Conv. iv.
3), shows that the fourth treatise was written before the election of
Henry VII., in November 1308; while a reference to Gherardo da
Cammino, lord of Treviso (iv. 14), seems to have been written after
his death in March 1306. From the mention of Dante’s wanderings in
exile through so many regions of Italy (i. 3), it has sometimes been
argued that the first is later than the subsequent treatises. It is
tempting to associate the breaking off the work with Boccaccio’s
story of the recovery of the beginning of the Inferno. Be that as it
may, the advent of the new Caesar, Dante’s own return for a while to
political activity, probably interrupted his life of study; and, when the
storm passed away and left the poet disillusioned, his ideals had
changed, another world lay open to his gaze, and the Convivio was
finally abandoned.
FOOTNOTES:
[10] Io spero di dicer di lei quello che mai non fue detto
d’alcuna: dicer (dire) and detta, have here (as elsewhere in
Dante) the sense of artistic utterance, and more particularly
composition in poetry, whether in Latin or the vernacular. Cf. V. N.
xxv.
[11] Livi has shown that the first documentary evidence of the
existence of the Vita Nuova as a book is found at Bologna in June
1306.
[12] The Sexcentenary Dante admits as authentic one canzone
not included in this series: Lo doloroso amor che mi conduce
(Rime lxviii., O. canz. xvi.*); which is evidently an early
composition.
[13] Cf. Rime xlviii., lvi., lxiii. and the later xcix.; O. son. xlviii.*,
ball. viii., son. I.*, son. xxxvii.*
[14] Note especially Rime lix., lxvi.; O. sonnets lv., xxxviii*.
[15] To this group I would assign the sonnet, Chi guarderà già
mai sanza paura, and the ballata, I’ mi son pargoletta bella e
nova, without attaching any special significance to the fact that
“pargoletta” (“maiden” or “young girl”) occurs also in the canzone,
Io son venuto al punto de la rota, and in Beatrice’s rebuke, Purg.
xxxi. 59.
[16] Cf. G. Livi, Dante suoi primi cultori sua gente in Bologna, p.
24.
[17] Barbi adds to the Rime written in exile the impressive
political sonnet, yearning for justice and peace, Se vedi li docchi
miei di pianger vaghi (of which the attribution to Dante has
sometimes been questioned), and the sonnet on Lisetta, Per
quella via che la bellezza corre, a beautiful piece of
unquestionable authenticity, but which may, perhaps, belong to an
earlier epoch in the poet’s life.
[18] But cf. Wicksteed, From Vita Nuova to Paradiso, pp. 93-
121.
CHAPTER III
DANTE’S LATIN WORKS
1. The “De Vulgari Eloquentia”
In the first treatise of the Convivio (i. 5), Dante announces his
intention of making a book upon Volgare Eloquenza, artistic
utterance in the vernacular. Like the Convivio, the De Vulgari
Eloquentia remains incomplete; only two books, instead of four, were
written, and of these the second is not finished. In the first book the
poet seeks the highest form of the vernacular, a perfect and imperial
Italian language, to rule in unity and concord over all the dialects, as
the Roman Empire over all the nations; in the second book he was
proceeding to show how this illustrious vulgar tongue should be used
for the art of poetry. Villani’s description of the work applies only to
the first book: “Here, in strong and ornate Latin, and with fair
reasons, he reproves all the dialects of Italy”; Boccaccio’s mainly to
the second: “A little book in Latin prose, in which he intended to give
instruction, to whoso would receive it, concerning composition in
rhyme.”[19]
Book I.—At the outset Dante strikes a slightly different note from
that of the Convivio, by boldly asserting that vernacular in general
(as the natural speech of man) is nobler than “grammar,” literary
languages like Latin or Greek, which he regards as artificially formed
(V. E. i. 1). To discover the noblest form of the Italian vernacular, the
poet starts from the very origin of language itself. To man alone of
creatures has the intercourse of speech been given: speech, the
rational and sensible sign needed for the intercommunication of
ideas. Adam and his descendants spoke Hebrew until the confusion
of Babel (cf. the totally different theory in Par. xxvi. 124), after which
this sacred speech remained only with the children of Heber (i. 2-7).
From this point onwards the work becomes amazingly modern. Of
the threefold language brought to Europe after the dispersion, the
southernmost idiom has varied into three forms of vernacular speech
—the language of those who in affirmation say oc (Spanish and
Provençal), the language of oil (French), the language of sì (Italian).
[20] And this Italian vulgar tongue has itself varied into a number of
dialects, of which Dante distinguishes fourteen groups, none of
which represent the illustrious Italian language which he is seeking.
“He attacks,” wrote Mazzini, “all the Italian dialects, but it is because
he intends to found a language common to all Italy, to create a form
worthy of representing the national idea.” The Roman is worst of all
(i. 11). A certain ideal language was indeed employed by the poets
at the Sicilian court of Frederick and Manfred, but it was not the
Sicilian dialect (i. 12). The Tuscans speak a degraded vernacular,
although Guido Cavalcanti, Lapo Gianni and another Florentine
(Dante himself), and Cino da Pistoia have recognised the excellence
of the ideal vulgar tongue (i. 13). Bologna alone has a “locution
tempered to a laudable suavity”; but which, nevertheless, cannot be
the ideal language, or Guido Guinizelli and other Bolognese poets
would not have written their poems in a form of speech quite
different from the special dialect of their city (i. 15). “The illustrious,
cardinal, courtly, and curial vulgar tongue in Italy is that which
belongs to every Italian city, and yet seems to belong to none, and
by which all the local dialects of the Italians are measured, weighed,
and compared” (i. 16). This is that ideal Italian which has been
artistically developed by Cino and his friend (Dante himself) in their
canzoni, and which makes its familiars so glorious that “in the
sweetness of this glory we cast our exile behind our back” (V. E. i.
17). Such should be the language of the imperial Italian court of
justice, and, although as far as Italy is concerned there is no prince,
and that court is scattered in body, its members are united by the
gracious light of reason (i. 18). This standard language belongs to
the whole of Italy, and is called the Italian vernacular (latinum
vulgare); “for this has been used by the illustrious writers who have
written poetry in the vernacular throughout Italy, as Sicilians,
Apulians, Tuscans, natives of Romagna, and men of both the
Marches” (i. 19).