Article Contents
Article Contents

# Secure and efficient multiparty private set intersection cardinality

• In the field of privacy preserving protocols, Private Set Intersection (PSI) plays an important role. In most of the cases, PSI allows two parties to securely determine the intersection of their private input sets, and no other information. In this paper, employing a Bloom filter, we propose a Multiparty Private Set Intersection Cardinality (MPSI-CA), where the number of participants in PSI is not limited to two. The security of our scheme is achieved in the standard model under the Decisional Diffie-Hellman (DDH) assumption against semi-honest adversaries. Our scheme is flexible in the sense that set size of one participant is independent from that of the others. We consider the number of modular exponentiations in order to determine computational complexity. In our construction, communication and computation overheads of each participant is $O(v_{\sf max}k)$ except that the complexity of the designated party is $O(v_1)$, where $v_{\sf max}$ is the maximum set size, $v_1$ denotes the set size of the designated party and $k$ is a security parameter. Particularly, our MSPI-CA is the first that incurs linear complexity in terms of set size, namely $O(nv_{\sf max}k)$, where $n$ is the number of participants. Further, we extend our MPSI-CA to MPSI retaining all the security attributes and other properties. As far as we are aware of, there is no other MPSI so far where individual computational cost of each participant is independent of the number of participants. Unlike MPSI-CA, our MPSI does not require any kind of broadcast channel as it uses star network topology in the sense that a designated party communicates with everyone else.

Mathematics Subject Classification: Primary: 94A60, 68M12; Secondary: 68P30.

 Citation:

• Figure 1.  Setup algorithm of our MPSI-CA

Figure 2.  Interaction among parties in ${\mbox{MPSI-CA}\sf .request}$

Figure 3.  Interaction among parties in ${\mbox{MPSI-CA}\sf .response}$

Figure 4.  Interaction among parties in ${\mbox{MPSI-CA}\sf .computation}$

Figure 5.  Interaction among parties in ${\mbox{MPSI} \sf .response}$

Figure 6.  Interaction among parties in ${\mbox{MPSI} \sf .computation}$

Table 1.  Complexity of MPSI and MPSI-CA

 MPSI-CA Exp GE Hash Inv $P_1$ $v_1$ $2v_1$ $kv_1$ $v_1$ $P_i,i\neq 1$ $2m+3v_1$ $2m+3v_1$ $kv_i$ MPSI Exp GE Hash Inv $P_1$ $v_1$ $2(n-1)v_1$ $kv_1$ $v_1$ $P_i,i\neq 1$ $2m+v_1$ $2m+v_1$ $kv_i$ $v_i=$ set size of $P_i$, $m = \lceil\frac{kv_{\sf max}}{\ln 2}\rceil=$ optimal size of Bloom filter, $v_{\sf max} =$ maximum of $\{v_1, \ldots, v_n\}$

Table 2.  Comparative summary of MPSI protocols

 Protocol Adv. Security Comm. Comp. Based model assumption on [46] Mal AHE $O(n^2v_{\sf max}^2)$ $O(n^2\log n v_{\sf max}^2)$ OPE [12] Mal DCR $O((nv_{\sf max} + 10v_{\sf max}\log^2v_{\sf max}))$ $O(nv_{\sf max}^2)$ MP [10] Mal AHE $O(nv_{\sf max}^2)$ $O(nv_{\sf max}^2)$ OPE [51] Mal DCR $O(n^2\log nv_{\sf max}^2)$ $O(\log nv_{\sf max}^2)$ OPE [52] Mal SD $O(nv_{\sf max}^2)$ $O(nv_{\sf max}^2)$ BG [49] SH DDH $O(nv_{\sf max})$ $D:O(nv_{\sf max}); P_i:O(v_{\sf max})$ BF Sch. 1[39] SH DDH $O(nv_{\sf max}\kappa)$ $D:O(nv_{\sf max}^2\kappa); P_i:O(v_{\sf max}\kappa)$ OPE Sch. 2[39] Mal DDH $O((n^2+nv_{\sf max}+nw\log v_{\sf max})\kappa)$ $D:O(nv_{\sf max}^2\kappa); P_i:O(v_{\sf max}\kappa)$ OPE [47] SH $O(nv_{\sf max}\kappa)$ $D:O(n\lambda); P_i:O(t\lambda)$ OPRF Our SH DDH $O(nv_{\sf max}k)$ $D:O(v_1); P_i:O(v_{\sf max}k)$ BF OPE= Oblivious Polynomial Evaluation, MP= Multivariate Polynomials, BF= Bloom Filter, SD= Subgroup Decision, BG= Bilinear Group, Mal= Malicious, AHE= Additively Homomorphic Encryption, DDH=Decisional Diffie-Hellman, DCR=Decisional Quadratic Residuosity, SH=Semi-honest, OPRF= Oblivious Pseudorandom Function, $D$= designated party, $P_i$= participants other than designated party, $n$= number of participants, $v_1$= set size of the designated party $D$, $t$= number of dishonestly colluding participants, $v_{\sf max}$= maximum set size, $\kappa, k, \lambda$= security parameters.

Table 3.  Comparative summary of MPSI-CA protocols

 Protocol Adv. Security Comm. Comp. Based model assumption on [46] SH AHE $O(n^2v_{\sf max})$ $O(n^2v_{\sf max}^2)$ OPE Our SH DDH $O(nv_{\sf max}k)$ $D:O(v_1); P_i:O(v_{\sf max}k)$ BF OPE= Oblivious Polynomial Evaluation, BF= Bloom Filter, SH=Semi-honest, AHE= Additively Homomorphic Encryption, DDH=Decisional Diffie-Hellman, $D$= designated party, $P_i$= participants other than designated party, $n$= number of participants, $v_1$= set size of the designated party $D$, $v_{\sf max}$= maximum set size.

Figures(6)

Tables(3)