A Practical Multiparty Private Set Intersection Protocol Based on Bloom Filters for Unbalanced Scenarios

Abstract

Multiparty Private Set Intersection (MPSI) is dedicated to finding the intersection of datasets of multiple participants without disclosing any other information. Although many MPSI protocols have been presented, there are still some important practical scenarios that require in-depth consideration such as an unbalanced scenario, where the server’s dataset is much larger than the clients’ datasets, and in cases where the number of participants is large. This paper proposes a practical MPSI protocol for unbalanced scenarios. The protocol uses the Bloom filter, an efficient data structure, and the ElGamal encryption algorithm to reduce the computation of clients and the server; adopts randomization technology to solve the encryption problem of the 0s in the Bloom filter; and introduces the idea of the Shamir threshold secret-sharing scheme to adapt to multiple environments. A formal security proof and three detailed experiments are given. The results of the experiments showed that the new protocol is very suitable for unbalanced scenarios with a large number of participants, and it has a significant improvement in efficiency compared with the typical related protocol (TIFS 2022).

1. Introduction

In the era of Big Data, the intersection of large amounts of data becomes inevitable. Private Set Intersection (PSI) addresses the current need for a solution to compute the intersection of two or more datasets without disclosing information about the data of each party, except for the intersection itself. PSI has wide applications such as social discovery [1,2,3], document-like detection [4], joint learning in neural network models [5], suspect detection [6], privacy-preserving data mining [7], privacy-preserving retrieval systems [8], cloud-based applications [9], and so on. Many high-performance PSI protocols have been proposed recently [10,11,12,13,14,15,16]. Additionally, there are some PSI protocols [10,17,18,19,20,21] specifically designed for unbalanced scenarios, where the server has a large dataset and the client has a dataset much smaller than the server’s size.

Multiparty Private Set Intersection (MPSI) protocols are designed to solve the intersection problem among multiple participants. Traditional approaches for designing MPSI protocols mainly use the homomorphic encryption technology of public keys [22,23,24,25,26,27,28] and oblivious transfer methods [29,30,31,32,33,34,35]. For MPSI protocols, the unbalanced scenario is also a common real-life situation in which the server possesses a large dataset, while multiple clients have smaller datasets. For example, some WeChat (version 3.9.8) users want to find their mutual friends in order to create a friend circle or group chat. In this scenario, there are a server that has information about all registered users and their phone numbers and multiple clients with their own phone address books who want to perform MPSI with the server in order to find common phone numbers among them. We refer to this as a Multiparty Private Set Intersection for an unbalanced scenario, where the clients’ address books consist of small datasets, while the server’s database is very large.

However, most of the existing MPSI protocols are not applicable to such unbalanced scenarios. For example, the protocol in [22] can only derive the approximate number of intersections; the protocols in [23,24] require the participants’ datasets to be of equal size; the protocol in [25] is only applicable to three participants and small datasets; the protocol in [28] can be applied to such scenarios, but the computation for the clients and the server is high.

This paper presents a practical MPSI protocol for unbalanced scenarios in which the server with high computational power handles the majority of the computations, while the clients only need to perform a small amount of computation. Moreover, the protocol has a minimal impact on the execution time of clients as the number of participants increases.

1.1. Related Works

Freedman et al. [22] proposed the first MPSI protocol based on the additive homomorphic encryption technique. This protocol represents the set elements as the roots of polynomials and implements two-party PSI under the semi-honest adversary model. Additionally, they introduced the idea of constructing a Multiparty PSI protocol for the case of malicious adversaries. In 2005, Kissner et al. [23] used additive homomorphic encryption and private key secret-sharing techniques to design an MPSI protocol, whose computational and communication complexity was twice the size of the set and the number of participants. The computational complexity of such algorithms does not meet the requirements of practical applications. After that, reducing the computational and communication overhead of MPSI protocols based on homomorphic cryptography has become an important research goal.

In 2017, Miyaji et al. [26] gave an MPSI protocol based on Bloom filters and homomorphic encryption. This protocol maps the set into a Bloom filter, encrypts it, and performs a homomorphic multiplication operation on the encrypted Bloom filter. The intersection set is then obtained by comparing the results based on the corresponding decryption operation. However, the protocol of Miyaji et al. [26] has a rather obvious drawback that the Bloom filter to be encrypted by each participant is equally large, even if the original set is small.

In the same year, Davidson et al. [27] also proposed a PSI protocol based on Bloom filters and Paillier homomorphic encryption, which overcomes the drawback of Miyaji et al. [26]. In the protocol [27], the operations of mapping the aggregate data and encrypting the Bloom filter are basically the same as in [26]. The difference is that the participant who wants to obtain the intersection maps his/her aggregate data into the encrypted Bloom filter using the same hash functions as those used in the mapping. The intersection is obtained by performing the interactive decryption operation and utilizing the homomorphic properties of the Paillier encryption scheme.

In 2022, Bay et al. [28] extended the protocol [27] to multiple participants by performing threshold Paillier additive homomorphic encryptions on the Bloom filters of each of them. They conducted interactive decryption operations, utilized homomorphic properties, and obtained the intersection as long as the number of decryptors exceeded the threshold. Although their protocol has a longer runtime, it is an open-source Multiparty PSI protocol, and it has a greater advantage in scenarios where multiple participants have small datasets.

1.2. Our Contribution

This paper presents a secure MPSI protocol based on the Bloom filter and Shamir threshold secret-sharing scheme for a large number of participants and unbalanced scenarios.

Our protocol follows the methods of [27,28], which were based on the Bloom filter and homomorphic encryption. The Bloom filter is an efficient data structure, which can be used to reduce the computation for both clients and server. The main difference is that we used the relatively efficient ElGamal multiplicative homomorphic encryption algorithm instead of the Paillier additive homomorphic encryption algorithm. The ElGamal encryption algorithm cannot encrypt 0. To address this issue, we randomized the 0s in the Bloom filter, i.e., we obtained the encrypted Bloom filter by following this process: if an item in the Bloom filter is 1, it is encrypted directly; otherwise, if the item is 0, we select a random value to represent it and, then, encrypt the random value. To ensure that participants can obtain the intersection properly, we adopted the idea of the Shamir t-threshold secret-key-sharing scheme, in which the private key is divided into n copies and at least t shares are needed for decryption.

The contributions of this paper are as follows:

(1) A secure MPSI protocol based on the Bloom filter and threshold ElGamal encryption scheme for unbalanced scenarios is proposed. In this protocol, the runtime of the client hardly varies with the number of participants, and it is linearly correlated with the data size of the server.

(2) We present three comprehensive experiments, and the results showed that, in our protocol, the number (t) of participants has a minimal influence on the computation and runtime of the client. When $t\ge 2^4$, the client’s runtime is approximately $1/\left(2^{log\left(t\right)}\right)$ of the server’s runtime. Therefore, our protocol is highly suitable for unbalanced scenarios with a large number of participants. Furthermore, our protocol exhibited significant efficiency improvement compared to the related protocol [28], and the sever and clients’ runtimes were approximately $1/6$ of [28].

(3) We provide a formal security proof of our protocol against semi-honest adversaries.

2. Materials and Methods

This section first describes the notations used in the paper and, then, provides an overview of the preliminaries about the protocol.

2.1. Notations

We show the notations used in the paper in

Table 1. Table of notations.

Notation	Meaning
p	p is a large prime number.
$Z_p^{*}$	$Z_p^{*}$ is a modulo-p multiplicative group.
$Enc\left(M\right)$	The result of encrypting the plaintext M.
$Dec\left(C\right)$	The result of decrypting the ciphertext C.
t	The number of participants in the protocol is t.
$P_i$	The i-th participant. $P_1,\dots ,P_{t-1}$ are the clients, and $P_t$ is the server.
$S_i$	Vector of datasets for participant $P_i$, $i\in \{1,2,\dots ,t\}$.
$n_i$	The dataset size of $S_i$, $i\in \{1,2,\dots ,t\}$.
$S_i\left[j\right]$	The j-th element in the dataset vector $S_i$ of participant $P_i$, $i\in \{1,2,\dots ,t\}$, $j\in \{1,2,\dots ,n_i\}$.
m	The length of the Bloom filter.
k	The number of hash functions used by the Bloom filter.
$h_u$	The u-th hash function, $u\in \{1,2,\dots ,k\}$.
$h_u\left(x\right)$	The hash value of x by using the $h_u$ that is in $\{1,2,\dots ,m\}$, where $u\in \{1,2,\dots ,k\}$.
$B{F}_i$	The Bloom filter obtained by mapping the dataset $S_i$, $i\in \{1,2,\dots ,t\}$.
$B{F}_i\left[l\right]$	The l-th bit of $B{F}_i$, $i\in \{1,2,\dots ,t\}$, $l\in \{1,2,\dots ,m\}$.
$RB{F}_i$	The randomized Bloom filter obtained by randomizing $B{F}_i$, $i\in \{1,2,\dots ,t\}$.
$RB{F}_i\left[l\right]$	The l-th element of $RB{F}_i$, $i\in \{1,2,\dots ,t\}$, $l\in \{1,2,\dots ,m\}$.
$ERB{F}_i$	The encrypted randomized Bloom filter obtained by encrypting $RB{F}_i$, $i\in \{1,2,\dots ,t\}$.
$ERB{F}_i\left[l\right]$	The l-th element of $ERB{F}_i$, $i\in \{1,2,\dots ,t\}$, $l\in \{1,2,\dots ,m\}$.
$rand\left(\right)$	Generate a random number between 1 and $p-1$.
$pk$	The public key.
$sk$	The private key.
$s{k}_i$	The share of private key $sk$ distributed to the i-th participant.
$c_{j,i}^u$	$c_{j,i}^u=ERB{F}_i\left[h_u\left(S_t\left[j\right]\right)\right]$, where $i\in \{1,2,\dots ,t\}$, $j\in \{1,2,\dots ,n_t\}$, $u\in \{1,2,\dots ,k\}$.
$Comb(s{h}_{j,1},\dots ,s{h}_{j,t})$	For $j\in \{1,2,\dots ,n_t\}$, joint decryption on $(s{h}_{j,1},\dots ,s{h}_{j,t})$.
${\Delta }_i$	${\Delta }_i={\displaystyle \prod _{j^{{}^{\prime }}=1,j^{{}^{\prime }}\ne i}^t}\frac{j^{{}^{\prime }}}{j^{{}^{\prime }}-i}$, where $i\in \{1,2,\dots ,t\}$.
$s{h}_{j,i}$	$s{h}_{j,i}={\left(c_j\right)}^{{\Delta }_i·s{k}_i}$, where $i\in \{1,2,\dots ,t\}$, $j\in \{1,2,\dots ,n_t\}$.
$s{h}_i$	$s{h}_i=\{s{h}_{1,i},\dots ,s{h}_{j,i},\dots ,s{h}_{n_t,i}\}$, where $i\in \{1,2,\dots ,t\}$.
×	Homomorphic multiplication calculations. All computations between ciphertexts in the article are homomorphic multiplicative computations.

.

2.2. Preliminaries

2.2.1. ElGamal Encryption Algorithm

In 1985, Taher ElGamal [36] proposed an asymmetric encryption algorithm based on the Diffie–Hellman key exchange. The security of the system primarily relies on the difficulty of solving the discrete logarithm problem in a finite field. The ElGamal encryption algorithm can be divided into three main parts: key generation, encryption, and decryption.

Key generation: First, randomly select a large prime number, p, such that $p-1$ has large prime factors. Next, choose a primitive element g modulo p. Finally, choose d ($2\le d\le p-2$) as the private key, then $y=g^d$$mod$ p is the public key.

Encryption: Suppose the plaintext is x. Calculate the ciphertext pair $C_1=g^r$$mod$ p and $C_2=x·y^r$$mod$ p, where r is a random number with $2\le r\le p-2$.

Decryption: Compute the plaintext $x=\frac{C_2}{C_1^d}=\frac{x·y^r}{g^{r·d}}=\frac{x·g^{r·d}}{g^{r·d}}$$mod$ p.

Multiplicative homomorphism: Assuming that the encrypted plaintexts are $m_1$ and $m_2$, the ciphertext pair generated by encrypting $m_1$ is $(C_1^1,C_2^1)$, and the ciphertext pair generated by encrypting $m_2$ is $(C_1^2,C_2^2)$, where $C_1^1=g^{r_1}$ mod p, $C_2^1=m_1·g^{d·r_1}$ mod p, $C_1^2=g^{r_2}$ mod p, $C_2^2=m_2·g^{d·r_2}$ mod p, then:

$$\begin{array}{cc}\hfill C_1^1\times C_1^2\hfill & =g^{r_1}\times g^{r_2}=g^{r_1+r_2}modp\hfill \end{array}$$

(1)

$$\begin{array}{cc}\hfill C_2^1\times C_2^2\hfill & =m_1·g^{d·r_1}\times m_2·g^{d·r_2}\hfill \\ \hfill \hfill & =m_1·m_2·g^{d·(r_1+r_2)}modp\hfill \end{array}$$

(2)

Therefore, two ciphertexts encrypted by random numbers $r_1$ and $r_2$ are modulo multiplied equivalent to the result of multiplying the corresponding plaintexts of these two ciphertexts choosing the random numbers $r_1+r_2$ for encryption, and they decrypt the same result as shown in Equation (3):

$$Dec\left(Enc(m_1·m_2)\right)=Dec(Enc\left(m_1\right)·Enc\left(m_2\right))$$

(3)

2.2.2. Bloom Filters

A Bloom filter, $BF=\left\{BF\right[1],BF[2],\dots ,BF[m\left]\right\}$, is an array of bits of length m with random k hash functions $\{h_1,h_2,\dots ,h_k\}$, which was proposed by Bloom [37] in 1970. According to the analysis by Dong [38], when a set’s size is n and the error rate is $P_{err}$, we can generally set m and k as follows:

$$m\ge -n·{log}_{2}e·lo{g}_2{P}_{err},k\ge -lo{g}_2{P}_{err}$$

(4)

Bloom filter for dataset X: Each bit of the Bloom filter is initialized to 0. Each $x_i$ in the dataset $X=\{x_1,\dots ,x_n\}$ is hashed k times as ($h_1\left(x_i\right),\dots ,h_k\left(x_i\right)$), and set $BF\left[h_u\left(x_i\right)\right]=1$ for $u\in \{1,2,\dots ,k\}$.

Verify whether an element x belongs to a set X: If $BF\left[h_u\left(x\right)\right]=1$ is held for each u, $u\in \{1,2,\dots ,k\}$, x is considered to belong to the set X at an acceptable error rate $P_{err}$.

Randomized Bloom filter ($RBF$): The $BF$ after performing the following operation is denoted as the $RBF$: for each element $BF\left[i\right]$ of the $BF$, $i\in \{1,2,\dots ,m\}$, modify $BF\left[i\right]=rand\left(\right)$ if $BF\left[i\right]=0$; if $BF\left[i\right]=1$, then no other operation is performed.

Encrypted randomized Bloom filters ($ERBF$): The encrypted randomized Bloom filter is denoted as $ERBF$, where $ERBF=\left\{Enc\right(RBF\left[1\right]),Enc(RBF\left[2\right]),\dots ,Enc(RBF\left[m\right]\left)\right\}$.

2.2.3. Lagrange Interpolation

Lagrange interpolation is a polynomial interpolation method named after Joseph Lagrange. Given n points ($(x_1,y_1),\dots ,(x_n,y_n)$), a polynomial passing through all points and having a polynomial degree at most $n-1$ can be expressed as follows:

$$f\left(x\right)={\displaystyle \sum _{j=1}^n}{y}_j·f_j\left(x\right)$$

(5)

where

$$f_j\left(x\right)={\displaystyle \prod _{i=1,i\ne j}^n}{\displaystyle \frac{x-x_i}{x_j-x_i}}$$

(6)

then

$$f\left(x\right)={\displaystyle \sum _{i=1}^n}(y_i·{\displaystyle \prod _{j=1,j\ne i}^n}\frac{x-x_j}{x_i-x_j})$$

(7)

2.2.4. Shamir Threshold Secret-Sharing Scheme

The Shamir threshold secret-sharing scheme [39], also known as Shamir secret sharing, is a threshold secret-sharing scheme based on the Lagrange interpolation formula.

There are two important parameters in the threshold secret-sharing scheme: t and n. In this scheme, n represents the number of parties involved in splitting the secret, and t is the minimum number of participants needed to recover the secret. The basic principle of the threshold secret-sharing scheme is as follows: a secret s is divided into n sub-secrets, and each party holds one sub-secret. When the secret s needs to be restored, at least t parties need to retrieve the sub-secret and restore the secret s.

The Shamir threshold secret-sharing scheme is as follows:

(i) Choose a large prime p, and assume that $s(s\in Z_p^{*})$ is the secret that requires at least t parties to recover.

(ii) Construct a random-degree $t-1$ polynomial $f\left(x\right)=a_0+a_1·x+\dots +a_{t-1}·x^{t-1}$, where $a_0=s$ and $a_1,\dots ,a_{t-1}\in Z_p^{*}$.

(iii) Each participant i, $i\in \{1,\dots ,n\}$, holds a sub-secret $(i,f(i\left)\right)$, which can be viewed as a point $(x_i,y_i)$ in the Lagrangian interpolation formula.

(iv) Since $a_0=s$, calculating $f\left(0\right)=a_0$ restores the secret. Using Lagrange interpolation, $f\left(x\right)$ is restored with the sub-secrets of any t parties, and then, $f\left(0\right)$ is computed as follows:

$$f\left(x\right)={\displaystyle \sum _{i=1}^t}(f\left(i\right)·{\displaystyle \prod _{j=1,j\ne i}^t}\frac{x-j}{i-j})modp$$

(8)

$$f\left(0\right)={\displaystyle \sum _{i=1}^t}(f\left(i\right)·{\displaystyle \prod _{j=1,j\ne i}^t}\frac{j}{j-i})modp$$

(9)

2.2.5. Threshold ElGamal Encryption Scheme

Based on the Shamir secret-sharing scheme [39] and the threshold Paillier encryption scheme proposed by Bay et al. [28], we present a threshold ElGamal encryption scheme. The basic idea of the threshold ElGamal encryption scheme is to divide the private key of the ElGamal encryption algorithm into n copies using the Shamir threshold secret-sharing scheme. Decryption can then be achieved when at least t copies are gathered together.

For a $(t,n)$ threshold ElGamal encryption algorithm, where n is the total number of participants and t is the minimum number of participants required for decryption, the basic scheme is described as follows:

Key generation: Randomly select a large prime p, and then, choose a prime element g modulo p. Randomly pick a $sk=d$ as the private key for the ElGamal algorithm such that $2\le d\le p-2$. Compute $y=g^d$$mod$ p and $pk=y$ as the public key. The private key is shared as follows: let $a_0=d$, and generate the polynomial $f\left(x\right)={\displaystyle \sum _{i=0}^{t-1}}{a}_i{x}^i$$mod$ p; the key sharingof the j-th participant is $s{k}_j=f\left(j\right)$ mod p, where $j\in \{1,\dots ,n\}$.

Encryption: Assume that the message to be encrypted is M. Choose a random $r\in Z_p^{*}$, and compute the ciphertexts $c_1=g^r$ and $c_2=M{y}^r=M{g}^{dr}$.

Share decryption: Among the t participants involved in decryption, the i-th participant calculates $c_{1,i}={\left(c_1\right)}^{{\Delta }_i·s{k}_i}$, where ${\Delta }_i={\displaystyle \prod _{j=1,j\ne i}^t}\frac{j}{j-i}$.

Combination calculation (Comb): The results of decryption are obtained by performing ElGamal homomorphic multiplication operations on the shared decryption results of the t participants:

$${\displaystyle \prod _{i=1}^t}{c}_{1,i}={\left(c_1\right)}^{{\displaystyle \sum _{i=1}^t}{\Delta }_i·f\left(i\right)}$$

(10)

From the Shamir threshold secret-sharing scheme (Section 2.2.4), it is known that restoring the key $sk=d$ is calculated as follows:

$$sk=f\left(0\right)=d={\displaystyle \sum _{i=1}^t}(f\left(i\right)·{\displaystyle \prod _{j=1,j\ne i}^t}\frac{j}{j-i})={\displaystyle \sum _{i=1}^t}{\Delta }_i·f\left(i\right)$$

(11)

where ${\Delta }_i={\displaystyle \prod _{j=1,j\ne i}^t}\frac{j}{j-i}$.

Thus, the decryption result can be obtained as follows:

$$M=\frac{c_2}{c_1^d}=\frac{c_2}{{\left(c_1\right)}^{{\displaystyle \sum _{i=1}^t}{\Delta }_i·f\left(i\right)}}=\frac{c_2}{{\displaystyle \prod _{i=1}^t}{c}_{1,i}}$$

(12)

2.2.6. Security Model

Negligible function: For a security parameter $\lambda$, we call a function $negl\left(\lambda \right)$ negligible if it satisfies the following condition: $negl\left(\lambda \right)<{\displaystyle \frac{1}{p\left(\lambda \right)}}$ for all possible polynomials p and sufficiently large $\lambda$.

Computational indistinguishability: For a sufficiently large $\lambda$, $X={\left\{X_{\lambda }\right\}}_{\lambda \in N}$ and $Y={\left\{Y_{\lambda }\right\}}_{\lambda \in N}$ represent two distributions of length $\lambda$. X and Y are computationally indistinguishable if, for any possible polynomial-time algorithm T, the following condition is satisfied:

$$|Pr[T\left(X_{\lambda }\right)\to 1]-Pr[T\left(Y_{\lambda }\right)\to 1]|\le negl\left(\lambda \right)$$

(13)

where $Pr\left[E\right]$ represents the probability of the event E occurring.

We call it $X\simeq Y$.

Semi-honest model: Each participant strictly adheres to the normal operation of the protocol, including the inputs, outputs, and intermediate processes. In the semi-honest adversary model, however, an adversary attempts to obtain any information about other participants.

Security model under semi-honest adversaries: In a general multiparty computation, one of the participants is called the server $P_t$, and the others are called the clients $(P_1,\dots ,P_{t-1})$. Let $S=S_1,\dots ,S_t$ represent the set of inputs from the clients and the server and $f\left(S\right)=(\perp ,\cap )$ represent a function in which the server $P_t$ obtains the intersection and the clients obtain nothing. Assume a protocol ${\prod }_t$ with t participants to compute the function $f\left(S\right)$. During the execution of the protocol ${\prod }_t$, the server’s view is $Vie{w}_{P_t}^{{\prod }_t}=(S_t,r_t,{\ell }_t,ou{t}_t)$, and the clients’ views are $Vie{w}_{P_i}^{{\prod }_t}=(S_i,r_i,{\ell }_i,ou{t}_i)$, in which $i\in \{1,\dots ,t-1\}$, $r_i$ and $r_t$ represent the random numbers generated by each of the clients $P_i$ and server $P_t$, ${\ell }_i$ and ${\ell }_t$ are the messages received by each of the clients $P_i$ and server $P_t$, respectively, and $ou{t}_i$ and $ou{t}_t$ represent the outputs of each of the clients $P_i$ and server $P_t$.

If ${\prod }_t$ satisfies the following conditions: there exist polynomial-time simulators $Si{m}_t(S_t,\cap )$ and $Si{m}_i(S_i,\perp )$ such that $Si{m}_t(S_t,\cap )$ and $Vie{w}_{P_t}^{{\prod }_t}$ and $Si{m}_i(S_i,\perp )$ and $Vie{w}_{P_i}^{{\prod }_t}$ are computationally indistinguishable, where $i\in \{1,\dots ,t-1\}$, ${\prod }_t$ securely computes the function $f\left(S\right)$.

$$\begin{array}{cc}\hfill Si{m}_t(S_t,\cap )\hfill & \simeq Vie{w}_{P_t}^{{\prod }_t}\hfill \\ \hfill Si{m}_i(S_i,\perp )\hfill & \simeq Vie{w}_{P_i}^{{\prod }_t}\hfill \end{array}$$

(14)

From Equation (14), it is clear that such a secure multiparty computation protocol ${\prod }_t$ is secure in the presence of a semi-honest adversary.

3. Our Multiparty Private Set Intersection Protocol

In the protocol, we used Bloom filters to reduce the computational complexity, ElGamal multiplicative homomorphic encryption to achieve message confidentiality, and Shamir secret sharing and Lagrange interpolation to apply to multiparty scenarios.

3.1. Protocol Description

This section presents our new MPSI protocol, which is based on the Bloom filter and a threshold ElGamal encryption scheme.

Firstly, the protocol uses an efficient data structure called the Bloom filter, which was also utilized in [27,28], to minimize the computation on both the clients and the server. Secondly, the protocol adopts a relatively efficient ElGamal encryption algorithm instead of the Paillier algorithm. The ElGamal encryption algorithm cannot be used to encrypt 0, but we can avoid this issue by randomizing the 0s in the Bloom filter. Thirdly, in order to be suitable for multiparty environments, a threshold ElGamal encryption scheme was designed by incorporating the concept of the Shamir threshold secret-key-sharing scheme. This scheme divides the private key into n copies for n participants and requires no less than t participants to decrypt the data accurately. Finally, we incorporated time-consuming encryptions into a preprocessing phase, which facilitates efficient execution during the online interaction stage.

The protocol is shown in Figure 1, which is described as follows:

Data input: Participant $P_i$’s dataset $S_i$, $i\in \{1,2,\dots ,t\}$.

Data output: The intersection set $S=\{S_1\cap S_2\cap \dots \cap S_t\}$.

Initialization:

(1) A trusted third-party generates an ElGamal public–private key pair $(pk,sk)$ and a $(t-1)$-th polynomial $f\left(x\right)=sk+a_{1}x+\dots +a_{t-1}{x}^{t-1}$ for $sk$, then distributes $pk$ to $P_1,...,P_t$ and $s{k}_i=f\left(i\right)$ to $P_i$, $i\in \{1,2,\dots ,t\}$.

(2) Then, he/she picks k hash functions $h_1,\dots ,h_k$ and sends them to participants $P_1,\dots ,P_t$.

Preprocessing stage:

(1) Each client $P_i$, $i\in \{1,2,\dots ,t-1\}$, generates a hash-mapped Bloom filter $B{F}_i$ for its own private set $S_i$, which is then randomized to obtain $RB{F}_i$, and finally, $ERB{F}_i$ is computed by encrypting each value in the randomized Bloom filter $RB{F}_i$ using public key $pk$.

(2) For each $j\in \{1,2,\dots ,n_t\}$, the server $P_t$ generates a random number $r_j$ and, then, calculates $w_j=Enc\left(r_j\right)\times Enc\left(S_t\left[j\right]\right)$$mod$ p.

Online stage: The server $P_t$ receives the encrypted randomized Bloom filters $\{ERB{F}_1,ERB{F}_2,\dots ,ERB{F}_{t-1}\}$ and starts the intersection calculation.

(1) i. For each of the data $S_t\left[j\right]$ of the server $P_t$, the hash value $h_u\left(S_t\left[j\right]\right)$ is computed, where $j\in \{1,\dots ,n_t\}$, $u\in \{1,\dots ,k\}$. Eventually, $n_t$ sets of data are obtained, each with k values, as follows:

$$\begin{array}{cccccc}\hfill \hfill & \{h_1\left(S_t\left[1\right]\right)\hfill & \hfill \cdots \hfill & h_u\left(S_t\left[1\right]\right)\hfill & \hfill \cdots \hfill & h_k\left(S_t\left[1\right]\right)\}\hfill \\ \hfill \hfill & ⋮\hfill & \hfill \hfill & ⋮\hfill & \hfill \hfill & ⋮\hfill \\ \hfill \hfill & \{h_1\left(S_t\left[j\right]\right)\hfill & \hfill \cdots \hfill & h_u\left(S_t\left[j\right]\right)\hfill & \hfill \cdots \hfill & h_k\left(S_t\left[j\right]\right)\}\hfill \\ \hfill \hfill & ⋮\hfill & \hfill \hfill & ⋮\hfill & \hfill \hfill & ⋮\hfill \\ \hfill \hfill & \{h_1\left(S_t\left[n_t\right]\right)\hfill & \hfill \cdots \hfill & h_u\left(S_t\left[n_t\right]\right)\hfill & \hfill \cdots \hfill & h_k\left(S_t\left[n_t\right]\right)\}\hfill \end{array}$$

(15)

ii. Substitute $h_u\left(S_t\left[j\right]\right)$ into each client’s encrypted randomized Bloom filter $ERB{F}_i$ to obtain $c_{j,i}^u$, where $i\in \{1,\dots ,t-1\}$, $j\in \{1,\dots ,n_t\}$, $u\in \{1,\dots ,k\}$ and $c_{j,i}^u=ERB{F}_i\left[h_u\left(S_t\left[j\right]\right)\right]$, as follows:

$$\begin{array}{cccccc}& \left\{\right\{c_{1,1}^1,\dots ,c_{1,1}^k\}\hfill & \hfill \cdots \hfill & \{c_{1,i}^1,\dots ,c_{1,i}^k\}\hfill & \hfill \cdots \hfill & \{c_{1,t-1}^1,\dots ,c_{1,t-1}^k\}\}\hfill \\ \hfill \hfill & ⋮\hfill & \hfill \hfill & ⋮\hfill & \hfill \hfill & ⋮\hfill \\ & \left\{\right\{c_{j,1}^1,\dots ,c_{j,1}^k\}\hfill & \hfill \cdots \hfill & \{c_{j,i}^1,\dots ,c_{j,i}^k\}\hfill & \hfill \cdots \hfill & \{c_{j,t-1}^1,\dots ,c_{j,t-1}^k\}\}\hfill \\ \hfill \hfill & ⋮\hfill & \hfill \hfill & ⋮\hfill & \hfill \hfill & ⋮\hfill \\ & \left\{\right\{c_{n_t,1}^1,\dots ,c_{n_t,1}^k\}\hfill & \hfill \cdots \hfill & \{c_{n_t,i}^1,\dots ,c_{n_t,i}^k\}\hfill & \hfill \cdots \hfill & \{c_{n_t,t-1}^1,\dots ,c_{n_t,t-1}^k\}\}\hfill \end{array}$$

(16)

iii. For each set of data in Equation (16), a homomorphic multiplication is performed to compute $c_{j,i}=c_{j,i}^1\times \dots \times c_{j,i}^k$, where $i\in \{1,\dots ,t-1\}$, $j\in \{1,\dots ,n_t\}$. The resulting data are as follows:

$$\begin{array}{cccccc}\hfill \hfill & \{c_{1,1}\hfill & \hfill \cdots \hfill & c_{1,i}\hfill & \hfill \cdots \hfill & c_{1,t-1}\}\hfill \\ \hfill \hfill & ⋮\hfill & \hfill \hfill & ⋮\hfill & \hfill \hfill & ⋮\hfill \\ \hfill \hfill & \{c_{j,1}\hfill & \hfill \cdots \hfill & c_{j,i}\hfill & \hfill \cdots \hfill & c_{j,t-1}\}\hfill \\ \hfill \hfill & ⋮\hfill & \hfill \hfill & ⋮\hfill & \hfill \hfill & ⋮\hfill \\ \hfill \hfill & \{c_{n_t,1}\hfill & \hfill \cdots \hfill & c_{n_t,i}\hfill & \hfill \cdots \hfill & c_{n_t,t-1}\}\hfill \end{array}$$

(17)

iv. For each set of data in Equation (17), homomorphic multiplication is performed to compute $c_j=c_{j,1}\times \dots \times c_{j,t-1}\times w_j$, where $j\in \{1,\dots ,n_t\}$.

(2) $P_i$ performs the computation of the shareddecryption after obtaining the data $c_j$, which is computed as follows:

$$s{h}_{j,i}={\left(c_j\right)}^{{\Delta }_i·s{k}_i}$$

(18)

where ${\Delta }_i={\displaystyle \prod _{j^{{}^{\prime }}=1,j^{{}^{\prime }}\ne i}^t}\frac{j^{{}^{\prime }}}{j^{{}^{\prime }}-i}$, $i\in \{1,\dots ,t\}$, $j\in \{1,2,\dots ,n_t\}$.

(3) $P_t$ performs the combination computation, which is denoted as $Comb(s{h}_{j,1},\dots ,s{h}_{j,t})$. Then, $Dec\left(c_j\right)$ can be obtained by $Comb(s{h}_{j,1},\dots ,s{h}_{j,t})$. If $Dec\left(c_j\right)=w_j=S_t\left[j\right]{\dot{r}}_j$, the server adds the corresponding $S_t\left[j\right]$ to the intersection $S=\left\{S_t\left[j\right]\right\}\cup S$. The range of j above is $\{1,2,\dots ,n_t\}$.

3.2. Protocol Correctness

In the protocol, the server obtains the final intersection result, from which we start to illustrate the correctness of our protocol.

For $j\in \{1,2,\dots ,n_t\}$:

$$\begin{array}{cc}\hfill Dec\left(c_j\right)\hfill & =Dec(c_{1,j}\times \dots \times c_{t-1,j}\times w_j)\hfill \\ \hfill \hfill & =Dec((c_{j,1}^1\times \dots \times c_{j,1}^k)\times \dots \times (c_{j,t-1}^1\times \dots \times c_{j,t-1}^k)\hfill \\ \hfill \hfill & \times Enc\left(r_j\right)\times Enc\left(S_t\left[j\right]\right))\hfill \\ \hfill \hfill & =Dec((ERB{F}_1\left(h_1\left(S_t\left[j\right]\right)\right)\times \dots \times ERB{F}_1\left(h_k\left(S_t\left[j\right]\right)\right))\times \dots \hfill \\ \hfill \hfill & \times (ERB{F}_{t-1}\left(h_1\left(S_t\left[j\right]\right)\right)\times \dots \times ERB{F}_{t-1}\left(h_k\left(S_t\left[j\right]\right)\right))\hfill \\ \hfill \hfill & \times Enc\left(r_j\right)\times Enc\left(S_t\left[j\right]\right))\hfill \\ \hfill \hfill & =(RB{F}_1\left(h_1\left(S_t\left[j\right]\right)\right)\times RB{F}_1\left(h_k\left(S_t\left[j\right]\right)\right))\times \dots \hfill \\ \hfill \hfill & \times (RB{F}_{t-1}\left(h_1\left(S_t\left[j\right]\right)\right)\times RB{F}_{t-1}\left(h_k\left(S_t\left[j\right]\right)\right))\times r_j\times S_t\left[j\right]\hfill \end{array}$$

If there is $Dec\left(c_j\right)=r_j\times S_t\left[j\right]$$mod$ p, then

$$\forall i\in \{1,\dots ,t-1\},B{F}_i\left(h_1\left(S_t\left[j\right]\right)\right)\times \dots \times B{F}_i\left(h_k\left(S_t\left[j\right]\right)\right)=1$$

(19)

In this case, by the nature of Bloom filters, we know that $S_t\left[j\right]$ is in the sets of all {$S_1,\dots ,S_{t-1}$}, i.e., $S_t\left[j\right]$ is an intersection element of the participants {$P_1,\dots ,P_t$}.

If there is $Dec\left(c_j\right)\ne r_j\times S_t\left[j\right]$$mod$ p, then

$$\exists i\in \{1,\dots ,t-1\},RB{F}_i\left(h_1\left(S_t\left[j\right]\right)\right)\times \dots \times RB{F}_i\left(h_k\left(S_t\left[j\right]\right)\right)\ne 1$$

(20)

In this case, there exists $i\in \{1,...,t-1\}$ such that the values in the randomized Bloom filter $RB{F}_i$ that $S_t\left[j\right]$ maps to are not all 1, i.e., $S_t\left[j\right]$ is not an intersection element of the participants {$P_1,\dots ,P_t$}.

In summary, we can determine whether an element belongs to the intersection by using the nature of the Bloom filter. Therefore, the protocol for secure computation of the intersection of non-equilibrium multiparty sets based on the threshold ElGamal encryption scheme is correct.

3.3. Security Analysis

We employed the widely accepted simulation paradigm [40] to demonstrate the security of the new protocol. The essence of the simulation paradigm is that an actual multiparty computation protocol is considered secure if the participants do not gain more information from it than they would from an ideal protocol.

We simulated the protocols for two scenarios: one where the adversary-controlled participant includes the server and another where the adversary-controlled participant does not include the server. We demonstrate that the information obtained from the actual protocol in both scenarios is computationally indistinguishable from that obtained from the ideal protocol, assuming a semi-honest adversary model.

Theorem 1.

If the threshold ElGamal encryption scheme in Section 2.2.5 is secure, then the unbalanced MPSI protocol ∏ in this paper is secure in the case of semi-honest adversaries.

Proof. 

To analyze the security of our protocol, we assumed that there are ℓ participants controlled by an adversary, where $\ell <t$. In the execution of our protocol, there were t participants, and we only considered the case where $\ell <t$. If all participants are controlled by the adversary, the analysis is meaningless. We divided the analysis into two cases: one is that the adversary controls ℓ clients and the server $P_t$ is not among the ℓ participants controlled by the adversary; the other is that the server $P_t$ is among the ℓ participants controlled by the adversary, and the adversary controls $\ell -1$ clients and the server $P_t$.

Scenario 1: Server $P_t$ is not among the ℓ participants controlled by the adversary.

Suppose there are ℓ participants $P_1,\dots ,P_{\ell }$ is controlled by the adversary, and the adversary can access the inputs of these ℓ participants, as well as the intermediates generated by the computation. From the Shamir threshold secret-sharing scheme, it is clear that, when $\ell <t$, the private key corresponding to the public key cannot be inferred from the information of the ℓ participants in our protocol. We denote the participants’, $P_1,\dots ,P_{\ell }$, views of the real protocol as $Vie{w}_{RN}^{\prod }$, shown in Equation (21), where $\{S_1,\dots ,S_{\ell }\}$ denote the original datasets of the participants $\{P_1,\dots ,P_{\ell }\}$, $\{ERB{F}_1,\dots ,ERB{F}_{\ell }\}$ are the encrypted randomized Bloom filters, and finally, $\{s{h}_1,\dots ,s{h}_{\ell }\}$ denote the intermediate results of the computation.

$$Vie{w}_{RN}^{\prod }=(\{S_1,\dots ,S_{\ell }\},\{ERB{F}_1,\dots ,ERB{F}_{\ell }\},\{s{h}_1,\dots ,s{h}_{\ell }\})$$

(21)

Construct a simulator $Si{m}_N$ to simulate a situation where the adversary controls ℓ participants, with inputs from these ℓ participants, and performs the following steps:

(1) Create an empty view $Si{m}_N(\{S_1,\dots ,S_{\ell }\},\perp )$, and add the sets $\{S_1,\dots ,S_{\ell }\}$ and the encrypted randomized Bloom filters $\{ERB{F}_1,\dots ,ERB{F}_{\ell }$} to the view.

(2) Simulate the inputs of the participants $\{P_{\ell +1},\dots ,P_t\}$, and create random sets $\{S_{\ell +1}^{{}^{\prime }},\dots ,S_{t-1}^{{}^{\prime }}\}$ and a random set $S_t^{{}^{\prime }}$ containing $n_t$ elements.

(3) Use the sets $\{S_{\ell +1}^{{}^{\prime }},\dots ,S_{t-1}^{{}^{\prime }}\}$ to generate the Bloom filters $\{B{F}_{\ell +1}^{{}^{\prime }},\dots ,B{F}_{t-1}^{{}^{\prime }}\}$ and the encrypted randomized Bloom filters $\{ERB{F}_{\ell +1}^{{}^{\prime }},\dots ,ERB{F}_{t-1}^{{}^{\prime }}\}$.

(4) Generate random values $r_j^{{}^{\prime }}$, then compute $w_j^{{}^{\prime }}$, where $j\in \{1,2,\dots ,n_t\}$.

$$w_j^{{}^{\prime }}=Enc\left(r_j^{{}^{\prime }}\right)\times Enc\left(S_t{\left[j\right]}^{{}^{\prime }}\right)modp$$

(22)

(5) For each $S_t{\left[j\right]}^{{}^{\prime }}$, $j\in \{1,2,\dots ,n_t\}$, and each $ERB{F}_i$ ($i\in \{1,...,\ell \}$) and each $ERB{F}_i{}^{\prime }$ ($i\in \{\ell +1,...,t-1\}$), compute $\{{\left(c_{j,i}^1\right)}^{{}^{\prime }},\dots ,{\left(c_{j,i}^k\right)}^{{}^{\prime }}\}$ and $c_{j,i}^{{}^{\prime }}$:

$$c_{j,i}^{{}^{\prime }}={\left(c_{j,i}^1\right)}^{{}^{\prime }}\times \dots \times {\left(c_{j,i}^k\right)}^{{}^{\prime }}modp$$

(23)

(6) For $j\in \{1,2,\dots ,n_t\}$, yield $c_j^{{}^{\prime }}$ by a homomorphic multiplication operation on all the mapped values in the encrypted Bloom filters corresponding to $S_t{\left[j\right]}^{{}^{\prime }}$.

$$c_j^{{}^{\prime }}=c_{j,1}^{{}^{\prime }}\times \dots \times c_{j,t-1}^{{}^{\prime }}\times w_j^{{}^{\prime }}modp$$

(24)

(7) Compute $s{h}_i^{{}^{\prime }}=\{s{h}_{1,i}^{{}^{\prime }},\dots ,s{h}_{n_t,i}^{{}^{\prime }}\}$ by the shareddecryption of $c_j^{{}^{\prime }}$ with private key sharing$s{k}_i$, which is expressed as Equation (25), where ${\Delta }_i={\displaystyle \prod _{j^{{}^{\prime }}=1,j^{{}^{\prime }}\ne i}^t}\frac{j^{{}^{\prime }}}{j^{{}^{\prime }}-i}$, $i\in \{1,\dots ,\ell \}$, $j\in \{1,2,\dots ,n_t\}$.

$$s{h}_{j,i}^{{}^{\prime }}={\left(c_j^{{}^{\prime }}\right)}^{{\Delta }_i·s{k}_i}modp$$

(25)

(8) Insert $\{s{h}_1^{{}^{\prime }},\dots ,s{h}_{\ell }^{{}^{\prime }}\}$ into the view. Thus, the view of simulator $Si{m}_N$ is:

$$\begin{array}{cc}\hfill Si{m}_N(\{S_1,\dots ,S_{\ell }\},\perp )=\hfill & (\{S_1,\dots ,S_{\ell }\},\{ERB{F}_1,\dots ,ERB{F}_{\ell }\},\hfill \\ \hfill \hfill & \{s{h}_1^{{}^{\prime }},\dots ,s{h}_{\ell }^{{}^{\prime }}\})\hfill \end{array}$$

(26)

Because the simulator $Si{m}_N$ controls only ℓ participants other than the server, it can only obtain the key shares of these ℓ participants, and the joint computation of the data in the threshold ElGamal encryption requires at least t participants’ shares of decrypted data, so the simulator $Si{m}_N$ cannot perform the joint computation in the threshold ElGamal to obtain the final decryption result.

$Vie{w}_{RN}^{\prod }=(\{S_1,\dots ,S_{\ell }\},\{ERB{F}_1,\dots ,ERB{F}_{\ell }\},\{s{h}_1,\dots ,s{h}_{\ell }\})$ represents the view of the real protocol with participants $P_1,\dots ,P_{\ell }$, and $Si{m}_N(\{S_1,\dots ,S_{\ell }\},\perp )=(\{S_1,\dots ,S_{\ell }\},\{ERB{F}_1,\dots ,ERB{F}_{\ell }\},\{s{h}_1^{{}^{\prime }},\dots ,s{h}_{\ell }^{{}^{\prime }}\})$ represents the view of the simulator $Si{m}_N$, where $\{S_1,\dots ,S_{\ell }\}$ and $\{ERB{F}_1,\dots ,ERB{F}_{\ell }\}$ are the same. Since the threshold ElGamal encryption algorithm and random values are used, $\{s{h}_1,\dots ,s{h}_{\ell }\}$ and $\{s{h}_1^{{}^{\prime }},\dots ,s{h}_{\ell }^{{}^{\prime }}\}$ are computationally indistinguishable. Thus,

$$Vie{w}_{RN}^{\prod }\simeq Si{m}_N(\{S_1,\dots ,S_{\ell }\},\perp )$$

(27)

Scenario 2: Server $P_t$ is among the ℓ participants controlled by the adversary.

Suppose that clients {$P_1,\dots ,P_{\ell -1}$} and server $P_t$ are controlled by the adversary and the adversary can access the inputs and outputs of these ℓ participants. As in case 1, it is known that, when $\ell <t$, the private key corresponding to the public key cannot be inferred from the information of the ℓ participants. In the real protocol, the views of these ℓ participants are represented as $Vie{w}_{RY}^{\prod }$, as in Equation (28), where $\{S_1,\dots ,S_{\ell -1}\}$ denote the input sets of clients {$P_1,\dots ,P_{\ell -1}$}, $S_t$ is the original set of server $P_t$, $\{ERB{F}_1,\dots ,ERB{F}_{\ell -1}\}$ are the encrypted randomized Bloom filters, $\{s{h}_1,\dots ,s{h}_{\ell -1},s{h}_t\}$ denote the intermediate results of the computation, and ∩ is the final intersection obtained by server $P_t$.

$$\begin{array}{cc}\hfill Vie{w}_{RY}^{\prod }=\hfill & (\{S_1,\dots ,S_{\ell -1},S_t\},\{ERB{F}_1,\dots ,ERB{F}_{\ell -1}\},\hfill \\ \hfill \hfill & \{s{h}_1,\dots ,s{h}_{\ell -1},s{h}_t\},\cap )\hfill \end{array}$$

(28)

Construct a simulator $Si{m}_Y$ to simulate a situation where the adversary controls ℓ participants, including the server, with inputs and outputs from these ℓ participants, and performs the following steps:

(1) Create an empty view $Si{m}_Y(\{S_1,\dots ,S_{\ell -1},S_t\},\cap )$, and add the sets $\{S_1,...,S_{\ell -1},S_t\}$, the encrypted randomized Bloom filters $\{ERB{F}_1,...,ERB{F}_{\ell -1},ERB{F}_t\}$, and the intersection “∩” obtained by the server to the view.

(2) Simulate the inputs of the clients {$P_{\ell },\dots ,P_{t-1}$}, and create random sets $\{S_{\ell }^{{}^{\prime }},\dots ,S_{t-1}^{{}^{\prime }}\}$ that satisfy the intersection with the server as “∩”.

(3) Use the sets $\{S_{\ell }^{{}^{\prime }},\dots ,S_{t-1}^{{}^{\prime }}\}$ to generate the Bloom filters $\{B{F}_{\ell }^{{}^{\prime }},\dots ,B{F}_{t-1}^{{}^{\prime }}\}$ and the encrypted randomized Bloom filters $\{ERB{F}_{\ell }^{{}^{\prime }},\dots ,ERB{F}_{t-1}^{{}^{\prime }}\}$.

(4) Generate random values $r_j^{{}^{\prime }}$, and calculate $w_j^{{}^{\prime }}$, where $j\in \{1,2,\dots ,n_t\}$.

$$w_j^{{}^{\prime }}=Enc\left(r_j^{{}^{\prime }}\right)\times Enc\left(S_t\left[j\right]\right)modp$$

(29)

(5) For each $S_t\left[j\right]$ ($j\in \{1,2,\dots ,n_t\}$), each $ERB{F}_i$ ($i\in \{1,...,\ell -1\}$), and each $ERB{F}_i{}^{\prime }$ ($i\in \{\ell ,...,t-1\}$), compute $\{c_1^{j,i^{\prime }},\dots ,c_k^{j,i^{\prime }}\}$ and $c_{j,i}^{{}^{\prime }}$:

$$c_{j,i}^{{}^{\prime }}={\left(c_{j,i}^1\right)}^{{}^{\prime }}\times \dots \times {\left(c_{j,i}^k\right)}^{{}^{\prime }}modp$$

(30)

(6) For $j\in \{1,2,\dots ,n_t\}$, compute $c_j^{{}^{\prime }}$.

$$c_j^{{}^{\prime }}=c_{j,1}^{{}^{\prime }}\times \dots \times c_{j,t-1}^{{}^{\prime }}\times w_j^{{}^{\prime }}modp$$

(31)

(7) Compute $s{h}_i^{{}^{\prime }}=\{s{h}_{1,i}^{{}^{\prime }},\dots ,s{h}_{n_t,i}^{{}^{\prime }}\}$ by the shared decryption of $c_j^{{}^{\prime }}$ with private key sharing $s{k}_i$, which is expressed as Equation (32), where ${\Delta }_i={\displaystyle \prod _{j^{{}^{\prime }}=1,j^{{}^{\prime }}\ne i}^t}\frac{j^{{}^{\prime }}}{j^{{}^{\prime }}-i}$, $i\in \{1,\dots ,\ell -1,t\}$, $j\in \{1,2,\dots ,n_t\}$.

$$s{h}_{j,i}^{{}^{\prime }}={\left(c_j^{{}^{\prime }}\right)}^{{\Delta }_i·s{k}_i}modp$$

(32)

(8) Insert $\{s{h}_1^{{}^{\prime }},\dots ,s{h}_{\ell -1}^{{}^{\prime }},s{h}_t^{{}^{\prime }}\}$ into the view. Thus, the view of the simulator $Si{m}_Y$ is:

$$\begin{array}{cc}\hfill Si{m}_Y(\{S_1,\dots ,S_{\ell -1},S_t\},\cap )=\hfill & (\{S_1,\dots ,S_{\ell -1},S_t\},\hfill \\ \hfill \{ERB{F}_1,\dots ,ERB{F}_{\ell -1}\},& \{s{h}_1^{{}^{\prime }},\dots ,s{h}_{\ell -1}^{{}^{\prime }},s{h}_t^{{}^{\prime }}\})\hfill \end{array}$$

(33)

Because the simulator controls ℓ participants, it can only obtain the key shares of these ℓ participants, but the joint computation of the data in the threshold ElGamal encryption requires at least t participants’ shares, so the simulator cannot perform the joint computation of the threshold ElGamal encryption and cannot obtain the final decryption results. In this case, the simulator can obtain the final intersection because it controls server $P_t$.

In the view $Vie{w}_{RY}^{\prod }$, as well as in the simulator’s view $Si{m}_Y(\{S_1,\dots ,S_{\ell -1},S_t\},\cap )$, $\{S_1,\dots ,S_{\ell -1},S_t\}$ and the encrypted Bloom filters $\{ERB{F}_1,\dots ,ERB{F}_{\ell -1}\}$ are identical. $\{s{h}_1,\dots ,s{h}_{\ell -1}\}$ and $\{s{h}_1^{{}^{\prime }},\dots ,s{h}_{\ell -1}^{{}^{\prime }},s{h}_t^{{}^{\prime }}\}$ are computationally indistinguishable due to the security of the threshold ElGamal encryption algorithm. Thus,

$$Vie{w}_{RY}^{\prod }\simeq Si{m}_Y(\{S_1,\dots ,S_{\ell -1},S_t\},\cap )$$

(34)

From the above two scenarios, it can be seen that, in the face of a semi-honest adversary who controls ℓ participants when $\ell <t$, the adversary cannot infer the inputs of the honest participants through the intermediate process and the final result, so the proposed protocol in this paper is secure in the face of a semi-honest adversary. □

4. Evaluation and Results’ Discussion

This section presents the C++ code implementation of the protocol in the thesis and a comparative analysis with Bay’s protocol [28].

4.1. Protocol Implementation

We implemented our protocol in C++ on a Linux platform and compared it with the related protocol [28]. In our experiments, we set the false probability $P_{err}$ of the Bloom filter to $2^{-30}$ and set the length m of the Bloom filter to $-size·lo{g}_{2}e·lo{g}_2{P}_{err}$, as well as the number of hash functions k to $-lo{g}_2{P}_{err}$, where $size$ is the server’s set size. For the ElGamal encryption used in the protocol, we used the security parameter of $k=1024$ bit.

4.2. Performance Analysis

We compared our MPSI protocol with the related protocol [28] by executing it multiple times in the same environment and calculating the average value. There were three experiments: Experiment 1, Experiment 2, and Experiment 3. In order to ensure the accuracy of the test, we modified the multithreaded computation in the source code of [28] to a single-threaded one. Additionally, we did not measure the time it took to generate encrypted Bloom filters for the clients of both protocols.

4.2.1. Experiment 1

The main difference between our protocol and [28] is the encryption algorithm. The Paillier encryption algorithm was used in [28], while we adopted the ElGamal encryption algorithm. Firstly, with the same security parameters, the ElGamal encryption algorithm produces two ciphertexts, while the Paillier encryption algorithm produces only one ciphertext. However, the ciphertexts produced by the Paillier encryption algorithm are twice as long as those produced by the ElGamal encryption algorithm. Therefore, both algorithm have the same communication complexity.

Secondly, we conducted experiments with these two algorithms using the NTL [41] library. We set the value of the encrypted data to ${10}^7$ and chose the security parameter of $k=1024$ bit for public key encryption. The size of the dataset was increased from ${10}^2$ to ${10}^5$, and the encryption process used the same random value. The experimental results are presented in

Table 2. Comparison of Paillier encryption algorithm and ElGamal encryption algorithm (in seconds).

	Data Size	${10}^2$	${10}^3$	${10}^4$	${10}^5$
Algorithm
Paillier	encryption	0.502	4.158	39.910	328.851
	decryption	0.404	3.735	39.926	366.583
ElGamal	encryption	0.184	1.957	16.695	160.772
	decryption	0.105	0.950	9.656	92.483

Select $k=1024$ bit security parameter for public key encryption. The value of the encrypted data was fixed at ${10}^7$. The encryption process used the same random number. The data volume increased from ${10}^2$ to ${10}^5$.

, which demonstrate that the ElGamal encryption algorithm is more efficient than the Paillier encryption algorithm. The former encrypts approximately twice as fast as the latter, and the former decrypts about four-times as fast as the latter.

4.2.2. Experiment 2

We set the amount of data for the client and server to $2^8$ and increased the number of participants from $2^4$ to $2^9$ for these experiments, which aimed at testing the runtime of individual clients and the server. The experimental results are shown in

Table 3. Comparison for different MPSI protocols with different numbers of participants (in seconds).

	No. of Participants	$2^4$	$2^5$	$2^6$	$2^7$	$2^8$	$2^9$
Protocols
Bay et al. [28]	Client	2.234	2.445	2.176	2.441	2.279	2.405
	Server	3.881	5.913	10.202	15.242	25.371	41.615
Ours	Client	0.356	0.422	0.387	0.401	0.390	0.381
	Server	0.389	0.785	1.504	3.350	6.845	12.807

The server and client dataset size was fixed at $2^8$. The number of participants gradually increased from $2^4$ to $2^9$.

and Figure 2. From the results, it is evident that the runtime of the clients remained constant in both our protocol and the protocol [28], regardless of the increase in the number (t) of participants. Moreover, in our protocol, the client’s runtime was approximately $1/\left(2^{log\left(t\right)}\right)$ of the server’s runtime when $t\ge 2^4$. Our protocol ran more efficiently than the protocol [28]. This is mainly because the clients in [28] performed the $ShDec0\left(\right)$ operation, which involves exponential operations on a large integer $n_t$ with large random values. The client $P_i$ in our protocol needs to compute ${\Delta }_i={\displaystyle \prod _{j^{{}^{\prime }}=1,j^{{}^{\prime }}\ne i}^t}\frac{j^{{}^{\prime }}}{j^{{}^{\prime }}-i}$ only once and $s{h}_{j,i}={\left(c_j\right)}^{{\Delta }_i·s{k}_i}$$n_t$ times, and the computation related to the number of participants is only once for ${\Delta }_i$, which is insignificant in the whole runtime of the client.

4.2.3. Experiment 3

We fixed the size of clients’ datasets at $2^8$ and the number of participants at $2^5$. Additionally, we increased the size of the server’s set from $2^{10}$ to $2^{14}$ for the experiment to test the runtime of the clients and the server. The experimental results are shown in

Table 4. Comparison for different MPSI protocols with different volumes of the server’s dataset (in seconds).

	Server Data Size	$2^{10}$	$2^{11}$	$2^{12}$	$2^{13}$	$2^{14}$
Protocols
Bay et al. [28]	Client	9.516	18.893	37.601	76.489	154.536
	Server	22.962	43.629	87.133	166.917	345.266
Ours	Client	1.486	3.000	5.903	13.320	28.393
	Server	3.096	6.078	13.614	27.983	56.617

The client’s dataset was fixed at $2^8$. The number of participants was fixed at $2^5$. The volume of the server dataset increased from $2^{10}$ to $2^{14}$.

and Figure 3. It can be seen that the client–server runtime of both our protocol and [28] was linearly related to the size of the server dataset. But, our protocol had a significant improvement in efficiency compared to the protocol of Bay et al. [28], and the runtimes of the server and clients were approximately $1/6$ of [28].

4.3. Discussion

From the analysis and comparison of the above experiments, we can conclude that our protocol offers the following advantages:

(1) In our protocol, the number (t) of participants has almost no impact on the computation and runtime of the client. When $t\ge 2^4$, the client’s runtime was about $1/\left(2^{log\left(t\right)}\right)$ of the server’s runtime. Therefore, our protocol is very suitable for unbalanced scenarios with a large number of participants.

(2) Compared to the typical related protocol [28], our protocol demonstrated a significant improvement in efficiency. The sever and client runtimes were approximately $1/6$ of [28].

5. Conclusions

This paper proposed an MPSI protocol based on the Bloom filter and Shamir threshold secret-sharing scheme, which is highly suitable for unbalanced scenarios with a large number of participants. Compared to the typical related protocol [28], our protocol demonstrated a significant improvement in efficiency. The server’s and clients’ runtimes were approximately $1/6$ of [28]. Extending the approach to the model of malicious adversaries is our future work.