Practical and Malicious Multiparty Private Set Intersection for Small Sets

Abstract

Private set intersection (PSI) is a pivotal subject in the realm of privacy computation. Numerous research endeavors have concentrated on situations involving vast and imbalanced sets. Nevertheless, there is a scarcity of existing PSI protocols tailored for small sets. Those that exist are either restricted to interactions between two parties or necessitate resource-intensive homomorphic operations. To bring forth practical multiparty private set intersection solutions for small sets, we present two multiparty PSI protocols founded on the principles of Oblivious Key–Value Stores (OKVSs), polynomials, and gabled cuckoo tables. Our security analysis underscores the resilience of these protocols against malicious models and collision attacks. Through experimental evaluations, we establish that, in comparison to related endeavors, our protocols excel in small-set contexts, particularly in low-bandwidth wide area network (WAN) settings.

1. Introduction

With the successive promulgation of data protection laws like the General Data Protection Regulation (GDPR), privacy preservation has garnered significant attention. Enabling data circulation and computation while safeguarding data privacy poses a challenge. Secure Multiparty Computation (MPC) has emerged as an important solution. MPC encompasses three key functionalities: element-to-element computations, such as basic MPC operations [1]; element-to-set computations, such as Private Information Retrieval (PIR) [2]; and set-to-set computations, like private set intersection [3], which is the focus of our interest. PSI allows two or more parties to compute the intersection of their sets without revealing the privacy of the set differences. PSI has practical applications in various scenarios, including evaluating the scale of incidental intelligence collection [4], safeguarding the plaintext privacy of users in biometric systems [5], privacy protection in vehicular networks [6], and data alignment in federated learning [7].

Data alignment constitutes a crucial preliminary step in federated learning, which is divided into horizontal federated learning and vertical federated learning. Horizontal federated learning, also termed sample-aligned federated learning, requires each party to execute the PSI protocol on the samples, typically characterized by a larger quantity. Vertical federated learning, also known as feature-aligned federated learning, mandates that parties run the PSI protocol on features, usually fewer in number. Presently, most PSI protocols are tailored for large sets, proving effective in horizontal federated learning scenarios. While large-set PSI can achieve feature alignment, it fails to fully consider scenarios with a limited number of features, lacking opportunities for further runtime optimization. Our primary focus lies in developing appropriate PSI protocols tailored for horizontal federated learning contexts. Beyond horizontal federated learning, numerous applications exist for small sets, such as identifying shared friends across hundreds of items or discovering social circles with common interests through a handful of shared tags. In analogous settings, an efficient protocol holds the potential to enhance the end-user experience significantly. The relationship between federated learning and private set intersection is shown in Figure 1.

To the best of our knowledge, the most efficient large-set PSI protocol is based on the Oblivious Transfer (OT) extension primitive [3,8,9]. The OT extension protocol involves a period of public key operations before formal symmetric cryptographic operations commence, and in the context of small-set scenarios, the pre-processing time for public key operations cannot be overlooked. Hence, directly applying large-set PSI protocols to small-set scenarios is not the optimal solution. Rosulek et al. proposed a PSI protocol based on key agreement, which is well-suited for small-set scenarios [10]. However, this protocol is limited to two parties, whereas parties in federated learning are not restricted to pairs. Therefore, its practicality needs further enhancement. Some scholars have introduced PSI protocols for unbalanced sets using fully homomorphic encryption. While theoretically applicable to small-set scenarios, as pointed out by Rosulek et al., these protocols exhibit computational complexities several orders of magnitude higher than key agreement and are also limited to two-party interactions. Although there are existing multiparty PSI protocols, such as OT-extension-based multiparty PSI protocols [11] and homomorphic multiparty PSI protocols [12], they are not optimal for multiparty small-set scenarios. OT-extension-based multiparty PSI protocols still require a warm-up period, and homomorphic multiparty PSI protocols involve expensive homomorphic operations. Incorporating the advantages of the key agreement into multiparty PSI scenarios constitutes a research direction that needs to be pursued.

We integrate the benefits of key agreement into multiparty PSI scenarios while also exploring other optimization strategies. In recent years, research on index structures has become a hot topic. Index structures can be effectively integrated into various fields. For example, incorporating optimized index structures in the field of machine learning significantly improves efficiency [13,14]. Similarly, in studies related to PSI, various index structures such as cuckoo hash and Bloom filters have been introduced [3,11,15]. In order to enhance security against malicious attacks, researchers have proposed more robust index structures such as gabled Bloom filters (GBFs) and gabled cuckoo tables (GCTs) [8,16]. Integrating these advanced index structures into new PSI protocols poses a significant challenge.

In this paper, we propose practical multiparty private set intersection protocols for small sets. In sum, the contributions of our work are shown below:

1.

We innovatively introduce two multiparty private set intersection protocols designed for small sets, leveraging distinct structures of oblivious key–value stores. These protocols employ key agreement and zero-sharing techniques to achieve our objectives.

2.

We analyze both protocols’ security and demonstrate that both of our protocols are correct and secure under the malicious security model against collision attacks.

3.

We implement the two protocols using Rust, and the experimental results demonstrate that, compared with related works, our protocols are more suitable for small-set scenarios, especially in bandwidth-constrained simulations.

1.1. Related Work

The original PSI was based on the idea of DH. Meadows et al. [17] proposed the first DH-based PSI protocol. Nowadays, the work on PSI aims at enhancing the security model, improving its efficiency, adapting to different scenarios, and so on.

Enhanced security model: De Cristofaro et al. [18] constructed a DH-based PSI protocol under the malicious model, while Orrù et al. [19] constructed an OT-extension-based PSI protocol under the malicious model. With the introduction of Oblivious Key–Value Store structures, the performance gap between the two approaches is gradually narrowing.

Improved efficiency: Ishai et al. [20] proposed an OT extension that reduces public key operations; Kolesnikov et al. [3,21] improved the OT-extension, permitting longer elements to be input; Garimella and Pinkas et al. [8,16] proposed an OT-extension-based PSI protocol under the malicious model, while Orrù et al. [19] constructed an OT-extension-based PSI protocol under the malicious model. Garimella et al. [16] proposed OKVSs to improve the computational efficiency. Theoretically, the 3H-GCT provided the best results, while the GBF, although more communicative, still requires some improvement. For example, Ben-Efra et al. [22] used the GBF to solve specific problems, Boyle et al. [23] proposed silent OT, and Rindal et al. [24] introduced silent OT into PSI to reduce the communication cost. Similarly, Rosulek et al. [10] reduced the communication volume by half compared to the original DH-based PSI protocol.

Adaptation scenarios: Kolesnikov et al. [11] proposed a multiparty PSI protocol using IKNP-OT extension; Rosulek et al. [10] proposed a two-party PSI for small sets; Nevo et al. [9] proposed an arbitrary conspiratorial mutltiparty PSI protocol; and Dui et al. [25] proposed a small-entries PSI protocol with a length of approximately 32 bits per element. Related works have been published [26,27] that require the number of intersection elements to exceed a certain value. Additionally, Bay et al. [12] introduced a different threshold, which characterizes an element appearing in at least t parties. Wei et al. [28] also recently proposed a PSI protocol for small sets of multiple participants based on a different zero-sharing structure to ours, which can be further optimized.

1.2. Organization

We introduce the prerequisite knowledge for the subsequent protocols in Section 2. Section 3 provides the definitions of functionality and security. Section 4 and Section 5 discuss two specific protocols. Section 6 presents the security analysis. Section 7 covers the experimental details. Finally, Section 8 discusses the findings, and Section 9 concludes the paper.

2. Preliminaries

2.1. Key Agreement

We focus on a type of one-round key agreement (KA), namely Diffie–Hellman key agreement (DHKA). Given security parameter $\kappa$, the size of the output keys space $|\mathrm{KA}.\mathit{K}|\ge 2^{\kappa }$. The algorithm corresponding to the KA is as follows:

1.

$\mathrm{KA}.\mathit{R}$ is a space of private randomness.

2.

$\mathrm{KA}.\mathrm{msg}\left(a\right)=aG$, where a is a secret key, and G is the base point.

3.

$\mathrm{KA}.\mathrm{key}(a,y)=ay$, where y is msg (public key).

Elliptic curves have distinctive features that can be easily identified from random strings. In certain scenarios, it is necessary to encode an elliptic curve into a uniformly distributed random string. This functionality was achieved in related work [29]. The algorithm for Elligator-DHKA is as follows:

1.

$\mathrm{KA}.{\mathit{R}}^e=\{r\in {\mathbb{Z}}_q:rG\in im\left(dec\right)\}$

2.

$\mathrm{KA}.{\mathrm{msg}}^e\left(a\right)=enc\left(aG\right)$

3.

$\mathrm{KA}.{\mathrm{key}}^e(a,y)=a·dec\left(y\right)$

The function $enc(·)$ encodes points on an elliptic curve into random strings. Approximately 50% of the points can be successfully encoded. $rG$ represents a subset of the elliptic curve denoted as $im\left(dec\right)$, where $dec(·)$ is the function that decodes random strings into points on the elliptic curve.

2.2. Zero Sharing

We adopt an unconditional zero-sharing structure, which allows for a maximum of $m-2$ corrupt parties [11]. For any element x, the zero-sharing value of party $P_i$ is denoted as $S_i\left(x\right)$ and satisfies ${\sum }_{i=0}^{m-1}{S}_i\left(x\right)=0$, where m is the number of parties.

2.3. Oblivious Key–Value Store

The Oblivious Key–Value Store (OKVS) is a structure abstracted by Garimella and Pinkas et al. [8,16]. It allows for the preservation of the key–value mapping while hiding the actual keys. An OKVS consists of two steps: encoding and decoding. We referred to related works [16] and provide a specific step-by-step procedure for a three-hashing gabled cuckoo table (3H-GCT).

The encoding of 3H-GCT is shown in Algorithm 1, and the decoding of 3H-GCT is shown in Algorithm 2. The common parameters required for encoding and decoding are as follows:

∘

The parameter of statistical security $\lambda =40$;

∘

Random functions $H_0,H_1,H_2:{\{0,1\}}^{*}\to \{0,1,\cdots ,\frac{1.3n}{3}-1\}$;

∘

Random function $R:{\{0,1\}}^{*}\to {\{0,1\}}^{\lambda +logn}$;

∘

Function $L\left(k\right):k\to \underset{\times H_0\left(k\right)}{\underbrace{0}}1000\cdots \left|\right|\underset{\times H_1\left(k\right)}{\underbrace{0}}1000\cdots \left|\right|\underset{\times H_2\left(k\right)}{\underbrace{0}}1000\cdots$

Algorithm 1: Encoding of 3H-GCT

Input: set size n, key–value pairs $\{(k_j,v_j):0\le j<n\}$   Output: coefficient vector D 1  Initialize three spaces ${\mathrm{V}}_0,{\mathrm{V}}_1,{\mathrm{V}}_2$ with buckets of fixed length $\frac{1.3n}{3}$ 2  Store $\{k_i,v_i\}$ in the bucket at position $H_0\left(k_i\right)$ of ${\mathrm{V}}_0$, the bucket at position $H_1\left(k_i\right)$ of ${\mathrm{V}}_1$, and the bucket at position $H_2\left(k_i\right)$ of ${\mathrm{V}}_2$ 3  Continuously search the bucket containing only one element in three spaces, peeling the element of that bucket onto the stack S and removing that element from the other two spaces 4  Solve the equation $\langle L\left(k_i\right)\left|\right|R\left(k_i\right),D^{\prime }\rangle =v_i$ for $(k_i,v_i)\notin S$ using Gaussian elimination and obtain the vector $D^{\prime }$ 5  Pop the elements from the stack S, map them onto the matrix, and modify vector D to satisfy $\langle L\left(k_i\right)\left|\right|R\left(k_i\right),D\rangle =v_i$. If there are three (or two) undefined elements in the corresponding position in D, fill two (or one) of the positions randomly and adjust the remaining one to satisfy the equation 6  return D

Algorithm 2: Decoding of 3H-GCT

Input: set size n, coefficient vector D, key k   Output: value v 1  Determine the output lengths of $L(·)$ and $R(·)$ based on n; 2  Compute $v=\langle L\left(k\right)\left|\right|R\left(k\right),D\rangle$; 3  return v

Where, $\langle x,y\rangle$ represents the inner product of vector x and vector y.

The 3H-GCT is essentially a hypergraph. Graphs have been extensively studied in various fields, such as graph decomposition [30] and research on symbolic networks [31]. In theory, optimizing graphs or hypergraphs could further enhance our protocol.

2.4. Oblivious Programmable PRF

Pseudorandom function (PRF): Given PRF key k, input x, output pseudorandom value $PR{F}_k\left(x\right)$.

Oblivious programmable pseudorandom function (OPPRF): Sender $\mathit{S}$ input $\mathit{P}=\{(k_j,v_j):0\le j<n\}$, and receiver $\mathit{R}$ input queries $(q_0,q_1,\cdots ,q_{t-1})$. Run $(k,hint)\leftarrow keyGen\left(\mathit{P}\right)$, give $(k,hint)$ to $\mathit{S}$, and give ($hint$, $PR{F}_k\left(q_0\right)$, $PR{F}_k\left(q_1\right)$, ⋯, $PR{F}_k\left(q_{t-1}\right))$ to $\mathit{R}$.

3. Security Definitions

Ideal Functionality of MPSI

Definition 1

(MPSI ideal functionality ${\mathit{F}}_{\mathrm{MPSI}}$). For $i\in [0,m)$, each party $P_i$ holds his own set $X_i=\{x_{i,j}:j\in [0,n_i)\}$ as the inputs of ${\mathit{F}}_{\mathit{MPSI}}$, where $n_i=\left|X_i\right|$. Then, ${\mathit{F}}_{\mathit{MPSI}}$ returns the output ${\bigcap }_{i=0}^{m-1}{X}_i$ to $P_{m-1}$ without leaking extra information.

MPSI is based on the malicious security model. In the malicious security model, corrupted parties can deviate from the protocol and try to reveal other parties’ private input.

Let $Rea{l}_{\mathsf{\Pi }}(input(·),output(·))$ be the view of the adversaries in the execution of the real protocol $\mathsf{\Pi }$ with input $input(·)$ and the real output $output(·)$ of corrupted parties $P_i\in C$, where C is the set of corrupted parties. Let $Idea{l}_{\mathsf{\Pi }}(input(·),output(·))$ be the view of the adversaries in the execution of the ideal protocol $\mathit{F}$ with input $input(·)$ and the ideal functionality $\mathit{F}$ controlled by a simulator $Sim$.

Definition 2

(Malicious security model). Given the MPSI protocol ${\mathsf{\Pi }}_{MPSI}$ and the corresponding ideal functionality ${\mathit{F}}_{MPSI}$, if there exists a probabilistic polynomial time (PPT) simulator $Sim$ using the random input $R_i$ of any party and output of ${\mathit{F}}_{MPSI}$ to generate a simulated view that is computationally indistinguishable from the view of an arbitrary PPT adversary in the real world,

$$\begin{array}{cc}& Idea{l}_{{\mathit{F}}_{MPSI}}(input\left(R_i\right),output\left({\mathit{F}}_{MPSI}\left(input\left(R_i\right)\right)\right))\hfill \\ \hfill \stackrel{c}{\approx }& Rea{l}_{{\mathsf{\Pi }}_{MPSI}}(input\left(R_i\right),output({\mathsf{\Pi }}_{MPSI}(input\left(R_i\right),input\left(X_C\right)),\hfill \end{array}$$

where $input\left(X_C\right)$ is the set of inputs of the parties in C, the protocol ${\mathsf{\Pi }}_{MPSI}$ is secure in the malicious security model to achieve ${\mathit{F}}_{MPSI}$.

4. Poly-DH MPSI Protocol

We were inspired by the works of Rosulek et al. [10] and Kolesnikov et al. [11] to describe an MPSI protocol based on key agreement and zero sharing, and we implemented the OPPRF functionality using KA and zero sharing. We coined the term “Poly-DH MPSI protocol” for this specific protocol, and we offer an encompassing framework diagram in Figure 2.

The protocol employs a star-shaped topology, with party $P_{m-1}$ designated as the central node. $P_{m-1}$ and parties $P_i,(0\le i\le n-2)$ execute the OPPRF protocol. $P_{m-1}$ collects the OPPRF results from the other parties and, ultimately, outputs the intersection. Our OPPRF protocol was based on a one-round key agreement construction. The process whereby $P_{m-1}$ sends messages to $P_i,(0\le i\le n-2)$ is referred to as PSI Request, and the process whereby $P_i,(0\le i\le n-2)$ sends messages to $P_{m-1}$ is called PSI Response. Of course, before the steps of request and response, there are the zero-sharing and preprocessing stages. We refer to the preprocessing stage as PSI Preparation.

4.1. Initialization

Determine the m parties $P_0,P_1,\cdots ,P_{m-1}$ and the set of parties in the PSI protocol $X_0,X_1,\cdots ,X_{m-1}$. In the case of unconditional zero sharing, agree on a specific implementation of the PRF. Agree on random oracle $H:{\{0,1\}}^{*}\to \mathbb{F}$, ideal permutation $\mathsf{\Pi }/{\mathsf{\Pi }}^{-1}:\mathbb{F}\to \mathbb{F}$, and the specific KA implementation.

The ideal permutation is the weaker model of the ideal cipher, fixed to one key. It acts like a random oracle, but it is reversible.

4.2. Zero Sharing

We use an example to explain why we chose the zero-sharing technique to extend the two-party protocol of [10] to m parties.

Example 1

(Why did we choose zero sharing?). We represent by $\left[\right[x\left]\right]$ the “ciphertext” obtained by a series of DHKA transformations of element x. Assuming Alice has a set $X_A=\{a,d,e,g\}$, Bob has a set $X_B=\{b,d,f,g\}$, and Carol has a set $X_C=\{c,e,f,g\}$, the set relationship is shown in Figure 3.

We can obtain the intersection $X_A\cap X_B=\{d,g\}$ through the two-party PSI protocol, because $\left[\right[d\left]\right]=\left[\right[d\left]\right]$ and $\left[\right[g\left]\right]=\left[\right[g\left]\right]$. We can obtain the intersection $X_A\cap X_C=\{e,g\}$ through the two-party PSI protocol, because $\left[\right[e\left]\right]=\left[\right[e\left]\right]$ and $\left[\right[g\left]\right]=\left[\right[g\left]\right]$. We can obtain the intersection $X_B\cap X_C=\{f,g\}$ through the two-party PSI protocol, because $\left[\right[f\left]\right]=\left[\right[f\left]\right]$ and $\left[\right[g\left]\right]=\left[\right[g\left]\right]$.

Although the intersection $X_A\cap X_B\cap X_C$ can be obtained through $(X_A\cap X_C)\cap (X_B\cap X_C)$, this can leak information because the multiparty PSI protocol can only expose g to Alice, Bob, and Carol. However, implementing the two-party PSI protocol twice in this way will expose e to Alice and Carol and f to Bob and Carol.

If we apply zero sharing for each element, such as $\left[\left[{\alpha }_a\right]\right]+\left[\left[{\beta }_a\right]\right]+\left[\left[{\gamma }_a\right]\right]=0$, then the “ciphertext” of each element of Alice becomes $\left[\left[{\alpha }_x\right]\right]-\left[\left[x\right]\right]$, the “ciphertext” of each element of Bob becomes $\left[\left[{\beta }_x\right]\right]-\left[\left[x\right]\right]$, and the “ciphertext” of each element of Carol becomes $\left[\left[{\gamma }_x\right]\right]-\left[\left[x\right]\right]$.

Therefore, $(\left[\left[{\alpha }_g\right]\right]-\left[\left[g\right]\right])+(\left[\left[{\beta }_g\right]\right]-\left[\left[g\right]\right])+(\left[\left[{\gamma }_g\right]\right]-\left[\left[g\right]\right])=-3\left[\left[g\right]\right]$, and any one of Alice, Bob, or Carol has the element g, so $-3\left[\right[g\left]\right]$ can be calculated to determine whether the equation is equal to obtain the intersection. For Carol, the reason why e and f are not leaked is that Carol can only obtain $\left[\left[{\alpha }_e\right]\right]=(\left[\left[{\alpha }_e\right]\right]-\left[\left[e\right]\right])+\left[\left[e\right]\right]\ne 0$ and $\left[\left[{\beta }_f\right]\right]=(\left[\left[{\beta }_f\right]\right]-\left[\left[f\right]\right])+\left[\left[f\right]\right]\ne 0$ and cannot determine whether they are intersecting elements. If Carol is the central node, there is an equivalent judgment formula: $\left((\left[\left[{\alpha }_g\right]\right]-\left[\left[g\right]\right])+\left[\left[g\right]\right]\right)+\left((\left[\left[{\beta }_g\right]\right]-\left[\left[g\right]\right])+\left[\left[g\right]\right]\right)+\left[\left[{\gamma }_g\right]\right]=0$.

Parties $P_0,P_1,\cdots ,P_{m-1}$ in the zero-sharing protocol are connected in a fully connected topology.

1.

Party $P_i$ randomly generates a set of PRF keys $\{k_{ij}:i<j<m\}$ and sends PRF key $k_{ij}$ to party $P_j$.

2.

Party $P_j$ receives PRF keys $k_{ij}$ from $P_i(0<i<j)$ and obtains a set of PRF keys $\{k_{ij}:0<i<j\}$.

3.

Party $P_i$ obtains the zero-sharing function handle $S_i(·)$ through Equation (1).

$$S_i(·)=\left(\sum _{j=0}^{i-1}{PRF}_{k_{ji}}(·)\right)-\left(\sum _{j=i+1}^{m-1}{PRF}_{k_{ij}}(·)\right).$$

(1)

Here, $PR{F}_k(·)$ denotes a pseudorandom function.

4.3. PSI Preparation

This stage is the preprocessing stage of PSI and can be performed in advance during the offline phase, such as generating the required DH public–private key pairs $(a,aG)$. Our zero-sharing protocol and PSI protocol are two independent protocols in real application scenarios, and multiple PSI tasks can reuse the same zero-sharing task, which is an advantage over the work of Wei et al. [28].

Execution for $P_i(0\le i<m-1)$:

1.

Party $P_i$ randomly generates secret key $a_i$ and obtains public key $y_i$ through Equation (2). Then, $P_i$ sends $y_i$ to party $P_{m-1}$.

$$y_i=\mathrm{KA}.\mathrm{msg}\left(a_i\right).$$

(2)

Execution for $P_{m-1}$:

1.

Party $P_{m-1}$ randomly generates a set of secret keys $\{a_{m-1,j}:0\le j<n_{m-1})\}$ in $\mathrm{KA}.{\mathcal{R}}^e$ and obtains a set of public keys $\{y_{m-1,j}:0\le j<n_{m-1}\}$. Here, $n_{m-1}$ is the set size of $P_{m-1}$’s set $X_{m-1}$.

2.

Party $P_{m-1}$ receives a set of public keys $\{y_i:0\le i<m-1\}$ from $P_i(0<i<m-1)$ and obtains a set of KA keys $\{ke{y}_{i,j}:0\le i<m-1,0\le j<n_{m-1}\}$ through Equation (3).

$$ke{y}_{i,j}=\mathrm{KA}.\mathrm{key}(a_{m-1,j},y_i).$$

(3)

4.4. PSI Request Flow

This subsection mainly describes the relevant steps for $P_{m-1}$ to send messages to the other parties.

Interpolation for $P_{m-1}$:

1.

Party $P_{m-1}$ inputs set $X_{m-1}=\{x_{m-1,j}:0\le j<n_{m-1}\}$ and obtains interpolation polynomial $Po{l}_{m-1}$ through Equation (4). Then, $P_{m-1}$ sends $Po{l}_{m-1}$ to party $P_i(0\le i<m-1)$. Here, $\mathrm{interpol}(k,v)$ represents polynomial interpolation over the field $\mathbb{F}$, where $(k,v)$ is a key–value pair. H is the random oracle, and ${\mathsf{\Pi }}^{-1}$ is the inverse of the ideal permutation.

$$Po{l}_{m-1}=\mathrm{interpol}\left(\right\{\left(H\left(x_{m-1,j}\right),{\mathsf{\Pi }}^{-1}\left(y_{m-1,j}\right)\right):0\le j<n_{m-1}\left\}\right).$$

(4)

Evaluation for $P_i(0\le i<m-1)$:

1.

Party $P_i$ receives interpolation polynomial $Po{l}_{m-1}$ from party $P_{m-1}$ and obtains a set of interpolated values $\{y_{m-1,j}^i:0\le j<n_i\}$ through Equation (5). Here, $v=Pol\left(k\right)$ represents the evaluation of k to obtain v, $\mathsf{\Pi }$ is the ideal permutation, and $n_i$ is the set size for set $X_i$ of party $P_i$.

2.

Party $P_i$ obtains a set of KA keys $\{ke{y}_{m-1,j}^i:0\le j<n_i\}$ through Equation (6).

3.

Party $P_i$ obtains a set $Z_i=\{z_{i,j}:0\le j<n_i\}$ through Equation (7). Here, $S_i\left(x\right)$ represents the zero-sharing shares of element x.

$$y_{m-1,j}^i=\mathsf{\Pi }\left(Po{l}_{m-1}\left(H\left(x_{i,j}\right)\right)\right).$$

(5)

$$ke{y}_{m-1,j}^i=\mathrm{KA}.{\mathrm{key}}^e(a_i,y_{m-1,j}^i).$$

(6)

$$z_{i,j}=S_i\left(x_{i,j}\right)-ke{y}_{m-1,j}^i.$$

(7)

4.5. PSI Response Flow

This step mainly describes the relevant steps for $P_i(0\le i<m-1)$ to send messages to $P_{m-1}$.

Interpolation for $P_i(0\le i<m-1)$:

1.

Party $P_i$ obtains interpolation polynomial $Po{l}_{m-1}$ through Equation (8). Then, $P_i$ sends $Po{l}_i$ to party $P_{m-1}$.

$$Po{l}_i=\mathrm{interpol}\left(\left\{\left(H\left(x_{i,j}\right),z_{i,j}\right):0\le j<n_i\right\}\right).$$

(8)

Evaluation for $P_{m-1}$:

1.

Party $P_{m-1}$ receives interpolation polynomial $Po{l}_i$ from party $P_i(0\le i<m-1)$ and obtains a set of interpolated values $\{z_{i,j}^{m-1}:0\le j<n_{m-1}\}$ through Equation (9).

2.

Party $P_{m-1}$ obtains a set $\{t_j:0\le j<n_{m-1}\}$ through Equation (10).

3.

Party $P_{m-1}$ outputs set intersection $\{x_{m-1,j}:t_j=0\mathrm{and}0\le j<n_{m-1})\}$.

$$z_{i,j}^{m-1}=Po{l}_i\left(H\left(x_{m-1,j}\right)\right).$$

(9)

$$t_j=S_{m-1}\left(x_{m-1,j}\right)+\sum _{i=0}^{m-2}\left(z_{i,j}^{m-1}+ke{y}_{i,j}\right).$$

(10)

We summarize the Poly-DH MPSI protocol in Figure 4.

5. Cuckoo-DH MPSI Protocol

In Section 4, we implemented a small-set MPSI protocol using polynomial interpolation. In the OKVS structure, polynomial interpolation incurs the lowest communication overhead but has relatively high computational complexity. If we allow a slight increase in the communication overhead to reduce the computational costs, an alternative protocol construction approach is possible. This involves replacing the previous polynomial interpolation component with the structure of the 3H-GCT. The communication overhead of the 3H-GCT is roughly 1.3 times that of polynomial interpolation, but the computational complexity significantly decreases. Therefore, we propose a small-set MPSI protocol based on the 3H-GCT. We coined the term “Cuckoo-DH MPSI protocol” for this specific protocol, and we offer an encompassing framework diagram in Figure 5.

Compared to Poly-DH MPSI, Cuckoo-DH MPSI incurs a slight increase in communication overhead. Therefore, it is suitable for scenarios where the bandwidth is not extremely limited.

5.1. Initialization

Determine the m parties $P_0,P_1,\cdots ,P_{m-1}$ and the set of parties in the PSI protocol $X_0,X_1,\cdots ,X_{m-1}$. In the case of unconditional zero sharing, agree on a specific implementation of the PRF. Agree on random oracle $H:{\{0,1\}}^{*}\to \mathbb{F}$, $H_0,H_1,H_2:{\{0,1\}}^{*}\to \{0,1,\cdots ,\frac{1.3n}{3}-1\}$, and $R:{\{0,1\}}^{*}\to {\{0,1\}}^{\lambda +logn}$; ideal permutation $\mathsf{\Pi }/{\mathsf{\Pi }}^{-1}:\mathbb{F}\to \mathbb{F}$; and the specific KA implementation.

5.2. Zero Sharing and PSI Preparation

These two steps are consistent with the zero-sharing step and PSI preparation step of the Poly-DH MPSI protocol, and there is no need to modify any relevant parameters.

5.3. PSI Request Flow with 3H-GCT

We abstracted the interpolation and evaluation as encode and decode operations. Therefore, the improved steps are as follows.

Encode for $P_{m-1}$:

1.

Party $P_{m-1}$ inputs set $X_{m-1}=\{x_{m-1,j}:0\le j<n_{m-1}\}$ and obtains coefficient vector $D_{m-1}$ through Equation (11). Then, $P_{m-1}$ sends $D_{m-1}$ to party $P_i(0\le i<m-1)$. Here, $\mathrm{E}(k,v)$ represents the OKVS decoding.

$$D_{m-1}=\mathrm{E}\left(\left\{\left(H\left(x_{m-1,j}\right),{\mathsf{\Pi }}^{-1}\left(y_{m-1,j}\right)\right):0\le j<n_{m-1}\right\}\right).$$

(11)

Decode for $P_i(0\le i<m-1)$:

1.

Party $P_i$ receives coefficient vector $D_{m-1}$ from party $P_{m-1}$ and obtains a set of decoded values $\{y_{m-1,j}^i:0\le j<n_i\}$ through Equation (12). Here, $v=D\left(k\right)$ represents the decoding of k to obtain v.

2.

Party $P_i$ obtains a set of KA keys $\{ke{y}_{m-1,j}^i:0\le j<n_i\}$ through Equation (6).

3.

Party $P_i$ obtains a set $Z_i=\{z_{i,j}:0\le j<n_i\}$ through Equation (7).

$$y_{m-1,j}^i=\mathsf{\Pi }\left(D_{m-1}\left(H\left(x_{i,j}\right)\right)\right).$$

(12)

5.4. PSI Response Flow with 3H-GCT

Similarly, in this step, the polynomial is replaced with the 3H-GCT.

Encode for $P_i(0\le i<m-1)$:

1.

Party $P_i$ obtains coefficient vector $D_{m-1}$ through Equation (13). Then, $P_i$ sends $D_i$ to party $P_{m-1}$.

$$D_i=\mathrm{E}\left(\left\{\left(H\left(x_{i,j}\right),z_{i,j}\right):0\le j<n_i\right\}\right).$$

(13)

Decode for $P_{m-1}$:

1.

Party $P_{m-1}$ receives coefficient vector $D_i$ from party $P_i(0\le i<m-1)$ and obtains a set of decoded values $\{z_{i,j}^{m-1}:0\le j<n_{m-1}\}$ through Equation (14)

2.

Party $P_{m-1}$ obtains a set $\{t_j:0\le j<n_{m-1}\}$ through Equation (10)

3.

Party $P_{m-1}$ outputs set intersection $\{x_{m-1,j}:t_j=0\mathrm{and}0\le j<n_{m-1})\}$.

$$z_{i,j}^{m-1}=D_i\left(H\left(x_{m-1,j}\right)\right).$$

(14)

We summarize the Cuckoo-DH MPSI protocol in Figure 6.

6. Security Analysis

6.1. Correctness

Theorem 1. 

The two protocols, Poly-DH MPSI and Cuckoo-DH MPSI, are correct with overwhelming probability.

Proof. 

For each $x_{i,q}=x_{m-1,j}\in X_i\cap X_{m-1}$, $P_i$ can compute $Po{l}_{m-1}\left(x_{i,q}\right)$ or $D_{m-1}\left(x_{i,q}\right)$ and obtain $y_{m-1,q}^i=y_{m-1,j}$. Consequently, $ke{y}_{m-1,q}^i=a_i{y}_{m-1,q}^i=a_i{y}_{m-1,j}$ and $z_{i,q}=S_i\left(x_{i,q}\right)-ke{y}_{m-1,q}^i=S_i\left(x_{m-1,j}\right)-a_i{y}_{m-1,j}$. $P_{m-1}$ can compute $Po{l}_i\left(x_{m-1,j}\right)$ or $D_i\left(x_{m-1,j}\right)$ and obtain $z_{i,j}^{m-1}=z_{i,q}=S_i\left(x_{m-1,j}\right)-a_i{y}_{m-1,j}$. $P_{m-1}$ can also compute $ke{y}_{i,j}=a_{m-1,j}{y}_i=a_i{y}_{m-1,j}$; therefore, $z_{i,j}^{m-1}+ke{y}_{i,j}=S_i\left(x_{m-1,j}\right)$.

For each $x_{i,q}\notin X_{m-1}$, $P_i$ can compute $Po{l}_{m-1}\left(x_{i,q}\right)$ or $D_{m-1}\left(x_{i,q}\right)$ and obtain $y_{m-1,q}^i=\nabla$. Consequently, $ke{y}_{m-1,q}^i=a_i{y}_{m-1,q}^i=a_i\nabla$ and $z_{i,q}=S_i\left(x_{i,q}\right)-ke{y}_{m-1,q}^i=S_i\left(x_{m-1,j}\right)-a_i\nabla$. In this context, $\nabla$ is indistinguishable from random values.

For each $x_{m-1,j}\notin X_i$, $P_{m-1}$ can compute $Po{l}_i\left(x_{m-1,j}\right)$ or $D_i\left(x_{m-1,j}\right)$ and obtain $z_{i,j}^{m-1}={\nabla }^{\prime }$. $P_{m-1}$ can also compute $ke{y}_{i,j}=a_{m-1,j}{y}_i=a_i{y}_{m-1,j}$; therefore, $z_{i,j}^{m-1}+ke{y}_{i,j}={\nabla }^{\prime }+a_{m-1,j}{y}_i={\nabla }^{\prime \prime }$. In this context, ${\nabla }^{\prime }$ and ${\nabla }^{\prime \prime }$ are indistinguishable from random values.

If $x_{m-1,j}\in {\bigcap }_{i=0}^{m-1}{X}_i$, then $({\sum }_{i=0}^{m-2}{z}_{i,j}^{m-1}+ke{y}_{i,j})+S_{m-1}\left(x_{m-1,j}\right)=\left({\sum }_{i=0}^{m-2}{S}_i\left(x_{m-1,j}\right)\right)+S_{m-1}\left(x_{m-1,j}\right)={\sum }_{i=0}^{m-1}\left(x_{m-1,j}\right)=0$. If $x_{m-1,j}\notin {\bigcap }_{i=0}^{m-1}{X}_i$, meaning that at least one random value ${\nabla }^{\prime \prime }$ is added, the final sum will still result in a random value.

Therefore, Poly-DH MPSI and Cuckoo-DH MPSI are correct with overwhelming probability. □

6.2. Malicious Secure MPSI

Theorem 2.

Poly-DH MPSI and Cuckoo-DH MPSI are secure against up to $m-2$ collision attacks in a malicious model. If KA is an Elligator-DHKA, H is a secure hash function and $\mathsf{\Pi },{\mathsf{\Pi }}^{-1}$ are a pair of ideal permutations.

Proof. 

We notate the set of corrupted and colluding parties as C. We considered two collusion attacks, $P_{m-1}\in C$ and $P_{m-1}\notin C$, to perform the simulation experiment between the ideal world and the real world.

With $P_{m-1}\in C$ in Poly-DH MPSI, we used a series of hybrid experiments to prove that the real-world protocol execution was indistinguishable from the ideal-world simulation.

$Hybri{d}_0.$ The experiment comprises a realistic protocol execution.

$Hybri{d}_1.$ In the zero-sharing step, $Sim$ plays the role of the honest parties $P_i\notin C$ to send $k_{ij}$ to $P_j\in C$ and generates $S_i{(·)}^{\prime }$ with $k_{ij}$ from $P_j\in C$. In the other part of the protocol, $Sim$ executes as $Hybri{d}_0.$ Obviously, $Hybri{d}_1$ is computationally indistinguishable from $Hybri{d}_0$ since the zero sharing is unconditionally secure against up to $m-2$ collusion attacks.

$Hybri{d}_2.$ In the PSI preparation step, $Sim$ plays the role of the honest party $P_i\notin C$, chooses $a_i\in \mathrm{KA}.\mathit{R}$ to compute $y_i=\mathrm{KA}.{\mathrm{msg}}^e\left(a_i\right)$, and sends $y_i$ to the adversary $P_{m-1}\in C$. In the other part of the protocol, $Sim$ executes as $Hybri{d}_1.$ Obviously, $Hybri{d}_2$ is computationally indistinguishable from $Hybri{d}_1$ since $y_i$ is uniformly randomly chosen for $a_i\leftarrow \mathrm{KA}.\mathit{R}$.

$Hybri{d}_3.$ In the PSI request flow, $Sim$ runs the random oracle H, records every query $H(x,k)$ made by C, and stores the input–output tuple $(x,k,H(x,k\left)\right)$ in the list $L_1$. $Sim$ also runs the ideal permutation ${\mathsf{\Pi }}^{-1}$, records ${\mathsf{\Pi }}^{-1}(\mathrm{KA}.{\mathrm{msg}}^e\left(b\right))$, and stores $\mathrm{KA}.{\mathrm{msg}}^e\left(b\right)$ in the list $L_2$. Then, the adversary $P_{m-1}$ in C returns the polynomial $pol{y}_{m-1}$ to $Sim$. In the other part of the protocol, $Sim$ executes as $Hybri{d}_2.$ Obviously, $Hybri{d}_3$ is computationally indistinguishable from $Hybri{d}_2$ since H is a cryptographically secure hash modeled as a random oracle, and $\mathsf{\Pi },{\mathsf{\Pi }}^{-1}$ are a pair of ideal permutations.

$Hybri{d}_4.$ The experiment is a complete ideal-world experiment similar to $Hybri{d}_3$ except for the PSI response flow. In the PSI response flow, for the honest party $P_i\notin C$, $Sim$ executes polynomial $Po{l}_{P_i\in C}$ as the protocol. Using the records in $L_1$ and $L_2$, $Sim$ can compute the intersection of the adversaries’ sets

$$S^{\prime }=\left\{x\right|x\in L_{1}and\mathsf{\Pi }\left(H\left(x\right)\right)\in L_2\}.$$

$Sim$ uses $S^{\prime }$ as the inputs of parties in C and sends them and $X_i^{\prime }$ simulated by $Sim$ as the honest parties $P_i\notin C$ to the MPSI ideal functionality. $Sim$ obtains the intersection $I={\bigcap }_{P_i\notin C}{X}_i^{\prime }\bigcap S^{\prime }$ from the MPSI ideal functionality and computes for each honest party $P_i$

$$z_{i,j}=S_i^{\prime }\left(x_{i,j}^{\prime }\right)-\mathrm{KA}.{\mathrm{key}}^{\mathrm{e}}(a_i,\mathsf{\Pi }\left(Po{l}_{m-1}\left(H\left(x_{i,j}^{\prime }\right)\right)\right))$$

where $x_{i,j}^{\prime }\in X_i^{\prime }$ and $x_{i,j}^{\prime }\notin I$. Thus, $Sim$ can construct the polynomial $Po{l}_i^{\prime }$ and send it to $P_{m-1}$. Obviously, $Hybri{d}_4$ is computationally indistinguishable from $Hybri{d}_3$ since H is a cryptographically secure hash modeled as a random oracle, and the KA is an Elligator-DHKA.

Therefore, $Hybri{d}_4$ is computationally indistinguishable from $Hybri{d}_0$, that is, the real-world protocol execution is computationally indistinguishable from the ideal-world simulation. In this way, we prove that Poly-DH MPSI is secure against up to $m-2$ collision attacks in a malicious model if KA is an Elligator-DHKA, H is a secure hash function, and $\mathsf{\Pi },{\mathsf{\Pi }}^{-1}$ are a pair of ideal permutations when $P_{m-1}\in C$.

With $P_{m-1}\notin C$ in Poly-DH MPSI, we also used a series of hybrid experiments to prove that the real-world protocol execution is indistinguishable from the ideal-world simulation.

$Hybri{d}_{1,0}.$ The experiment comprises a realistic protocol execution.

$Hybri{d}_{1,1}.$ In the zero-sharing step, $Sim$ plays the role of the honest party $P_i\notin C$ to send $k_{ij}$ to $P_j\in C$ and generates $S_i{(·)}^{\prime }$ with $k_{ij}$ from $P_j\in C$. In the other part of the protocol, $Sim$ executes as $Hybri{d}_{1,0}.$ Obviously, $Hybri{d}_{1,1}$ is computationally indistinguishable from $Hybri{d}_{1,0}$, since the zero sharing is unconditionally secure against up to $m-2$ collusion attacks.

$Hybri{d}_{1,2}.$ In the PSI preparation step, $Sim$ plays the role of the honest party $P_i\notin C$, chooses $a_i\in \mathrm{KA}.\mathit{R}$ to compute $y_i=\mathrm{KA}.{\mathrm{msg}}^e\left(a_i\right)$, and records $y_i$ as the role of the honest party $P_{m-1}$. In the other part of the protocol, $Sim$ executes as $Hybri{d}_{1,1}.$ Obviously, $Hybri{d}_{1,2}$ is computationally indistinguishable from $Hybri{d}_{1,1}$, since $y_i$ is uniformly randomly chosen for $a_i\leftarrow \mathrm{KA}.\mathit{R}$.

$Hybri{d}_{1,3}.$ In the PSI request flow, $Sim$ runs the random oracle H, records every query $H(x,k)$ made by C, and stores the input–output tuple $(x,k,H(x,k\left)\right)$ in the list $L_1$. $Sim$ also runs the ideal permutation ${\mathsf{\Pi }}^{-1}$, records ${\mathsf{\Pi }}^{-1}(\mathrm{KA}.{\mathrm{msg}}^e\left(b\right))$, and stores $\mathrm{KA}.{\mathrm{msg}}^e\left(b\right)$ in the list $L_2$. Then, $Sim$ records the polynomial $pol{y}_{m-1}$ from the role of the honest party $P_{m-1}$ and sends it to $P_i\notin C$. In the other part of the protocol, $Sim$ executes as $Hybri{d}_{1,2}.$ Obviously, $Hybri{d}_{1,3}$ is computationally indistinguishable from $Hybri{d}_{1,2}$, since H is a cryptographically secure hash modeled as a random oracle, and $\mathsf{\Pi },{\mathsf{\Pi }}^{-1}$ are a pair of ideal permutations.

$Hybri{d}_{1,4}.$ The experiment is a complete ideal-world experiment similar to $Hybri{d}_{1,3}$ except for the PSI response flow. In the PSI response flow, for the honest party $P_i\notin C$, $Sim$ executes polynomial $Po{l}_{P_i\in C}$ as the protocol. Using the records in $L_1$ and $L_2$, $Sim$ can compute the intersection of the adversaries’ sets

$$S^{\prime }=\left\{x\right|x\in L_{1}and\mathsf{\Pi }\left(H\left(x\right)\right)\in L_2\}.$$

$Sim$ uses $S^{\prime }$ as the inputs of the parties in C and sends them and $X_i^{\prime }$ simulated by $Sim$ as the honest parties $P_i\notin C$ to the MPSI ideal functionality. $Sim$ obtains the intersection $I={\bigcap }_{P_i\notin C}{X}_i^{\prime }\bigcap S^{\prime }$ from the MPSI ideal functionality, which is the same as the intersection computed based on the correctness proof in Theorem 1. Obviously, $Hybri{d}_{1,4}$ is computationally indistinguishable from $Hybri{d}_{1,3}$, since H is a cryptographically secure hash modeled as a random oracle and the KA.

Therefore, $Hybri{d}_{1,4}$ is computationally indistinguishable from $Hybri{d}_{1,0}$, that is, the real-world protocol execution is computationally indistinguishable from the ideal-world simulation. In this way, we prove that Poly-DH MPSI is secure against up to $m-2$ collision attacks in a malicious model if KA is an Elligator-DHKA, H is a secure hash function, and $\mathsf{\Pi },{\mathsf{\Pi }}^{-1}$ are a pair of ideal permutations when $P_{m-1}\in C$.

Similar to the security proof of Poly-DH MPSI, we can also use a simulation model based on the security analysis of the 3H-GCT [16] and prove that Cuckoo-DH MPSI is also secure against up to $m-2$ collision attacks in a malicious model if KA is an Elligator-DHKA, H is a secure hash function, and $\mathsf{\Pi },{\mathsf{\Pi }}^{-1}$ are a pair of ideal permutations. □

7. Experimental Results

7.1. Implementation

We will describe how the various components of the protocol were instantiated in this section. Our entire protocol revolved around a series of 256-bit operations.

Zero Sharing: The key in zero sharing was a uniformly distributed 256-bit random value, called the rand library of Rust; the PRF protocol took the keyed hash algorithm in BLAKE3.

Key Agreement: For one-round KA, we used Curve25519 [32] based on the Montgomery curve $B{y}^2=x^3+A{x}^2+x$, where B takes 1, A takes 486,662, and $x,y\in {\mathbb{F}}_{2^{255}-19}$. We followed the implementation in the work of Bernstein et al. [29]. The $enc(·)$ and $dec(·)$ functions satisfied the following definitions:

1.

$enc\left(x\right)=\left\{\begin{array}{cc}\sqrt{\frac{x}{-2(x+486662)}}\hfill & \mathrm{if}x\le \frac{q-1}{2}\hfill \\ \sqrt{\frac{x+486662}{-2x}}\hfill & \mathrm{otherwise}\hfill \end{array}\right.$

2.

Definition $dec\left(y\right)=ϵd-243331(1-ϵ)$ where $ϵ={(d^3+486662d^2+d)}^{\frac{q-1}{2}},q=2^{255}-19,d=\frac{-486662}{1+2y^2}$

Random Oracle: We used the hash method of BLAKE3. BLAKE3 is one of the best hashing algorithms available and has more performance advantages than the SHA2 algorithm used by Rosulek et al. [10].

Ideal Permutation: The ideal permutation [10] is a reversible permutation function that was simulated using a fixed-key Rijndael-256. AES was derived from Rijndael, but the block size was fixed at 128 bits, while the ideal permutation here required a 256-bit block size. We followed the definition of Daemen et al. [33] for the implementation.

Polynomial Interpolation: We used the Lagrangian interpolation method, with the number in $GF\left(2^{256}\right)$. Rust currently does not possess a cryptographic library similar to the C++ NTL and GMP library, and there is a lack of finite-field interpolation tools due to time constraints and excessive engineering.

Gabled Cuckoo Graph: We used the 3H-GCT structure shown in the work of Garimella et al. [16], where three hashes acted on each of the three regions. Our implementation referred to the C++ code of the 2H-GCT shown in the work of Pinkas et al. [8] and widened it to three hashes.

7.2. Experiments and Evaluation

We implemented our protocol in Rust and ran it on a 12th Gen Intel Core i7-12700H with 32 GB RAM and Ubuntu 22.04. We conducted experiments on the two protocols proposed in this article and compared them with the work of Kolesnikov et al. [11].

The MultipartyPSI (https://github.com/osu-crypto/MultipartyPSI (accessed on 6 April 2023)) library is also one of the few open-source libraries for multiparty PSI available at present. It provides PSI constructions based on the Poly, Table, and Bloom filter (BF) types, with the Table type utilizing cuckoo hashing for optimization. Our protocol was constructed based on the Poly and 3H-GCT designs. The Poly and 3H-GCT structures we used were advanced versions compared to the Poly and Table structures used in the work of Kolesnikov et al. [11], designed to be suitable for malicious models. However, we did not utilize the advanced version of the BF, i.e., the GBF, in constructing the PSI protocol due to its higher communication overhead.

We set the parameter of computational security $\kappa =128$ and the parameter of statistical security $\lambda =40$ for conducting experiments under both local area network (LAN) and wide area network (WAN) conditions.

Small sets with LAN setting: We set the scenario as PSI for small sets, taking the selected set size n as $2^4,2^5,\cdots ,2^{10}$ for the experiment. In the LAN setting, the main influencing factor was the computational cost. The work of Kolesnikov et al. [11] was based on the OT protocol, which had a certain startup cost, and we found that our protocol constructed based on DHKA had an advantage when the set size was smaller than $2^7$. Ref. [11] presented a semi-honest model protocol, which was more time-consuming to transform into a malicious model protocol; as a reference, the malicious OT-PSI protocol with PaXoS [8] consumed about $1.4$ times more time than the semi-honest OT-PSI protocol [3]. Due to the limited Rust ecology at present, there is no efficient computational library similar to C++ NTL/GMP; thus, we manually wrote some non-deeply optimized code for temporary replacement. The two-party PSI protocol [10] demonstrated that both the DHKA-based protocols had advantages when the set was smaller than $2^{10}$, and thus we believe that our protocol has much room for engineering improvement. To explore the impact of the number of parties on the protocol, we selected $5,10,20$ for our experiments. Since the protocol adopted a star topology, theoretically the time elapsed for the task and the number of parties would have a linear growth relationship (similar to [11]). The experimental results are shown in

Table 1. Running time (ms) of MPSI protocols (LAN setting) for m parties on sets with size n. “SH” and “M” refer to semi-honest and malicious protocols, respectively.

m	Protocol	Sec.	Running Time (ms)
			$\mathit{n}={\mathbf{2}}^{\mathbf{4}}$	$\mathit{n}={\mathbf{2}}^{\mathbf{5}}$	$\mathit{n}={\mathbf{2}}^{\mathbf{6}}$	$\mathit{n}={\mathbf{2}}^{\mathbf{7}}$	$\mathit{n}={\mathbf{2}}^{\mathbf{8}}$	$\mathit{n}={\mathbf{2}}^{\mathbf{9}}$	$\mathit{n}={\mathbf{2}}^{\mathbf{10}}$
5	[11] (Poly)	SH	55	62	79	145	421	404	1310
	[11] (Table)	SH	57	56	57	61	59	58	60
	[11] (BF)	SH	50	54	55	60	58	63	76
	Ours (Poly)	M	23	46	108	203	541	1860	6794
	Ours (3H-GCT)	M	18	21	39	59	132	194	382
10	[11] (Poly)	SH	88	102	118	202	537	592	1861
	[11] (Table)	SH	77	94	90	94	92	99	117
	[11] (BF)	SH	87	95	85	92	95	104	122
	Ours (Poly)	M	31	70	153	365	1137	3751	13,900
	Ours (3H-GCT)	M	24	41	56	99	199	350	698
20	[11] (Poly)	SH	194	207	261	375	900	1007	2948
	[11] (Table)	SH	176	174	187	189	186	199	215
	[11] (BF)	SH	191	198	203	207	205	213	272
	Ours (Poly)	M	50	117	285	690	2122	7376	27,549
	Ours (3H-GCT)	M	38	66	109	194	334	622	1286

.

Small sets with WAN setting: OT-based PSI protocols perform best without bandwidth limitations, but their relatively high communication costs, as highlighted by Google, have a more substantial impact in real-world deployments compared to computational costs [34]. Therefore, we limited the bandwidth and conducted simulation experiments for the cases of 20 Mbps, 10 Mbps, 5 Mbps, and 1 Mbps. From the experimental results, it was clear that our protocol based on DHKA had lower time consumption than the protocol based on OT in the case of bandwidth limitation. Under the settings of $5\mathrm{Mbps}$∼$20\mathrm{Mbps}$, there was an efficiency improvement of about $3\times$∼$7\times$, and under the worse network conditions of 1 Mbps, there was an efficiency improvement of more than $10\times$. Our proposed Cuckoo-DH MPSI protocol was able to balance the computation cost and communication cost and had the best performance in bandwidth-constrained situations. The experimental results are shown in

Table 2. Running time (ms) of MPSI protocols (WAN setting) for 5 parties on sets with size n. “SH” and “M” refer to semi-honest and malicious protocols, respectively.

	Protocol	Sec.	Running Time (ms)
			$\mathit{n}={\mathbf{2}}^{\mathbf{4}}$	$\mathit{n}={\mathbf{2}}^{\mathbf{5}}$	$\mathit{n}={\mathbf{2}}^{\mathbf{6}}$	$\mathit{n}={\mathbf{2}}^{\mathbf{7}}$	$\mathit{n}={\mathbf{2}}^{\mathbf{8}}$	$\mathit{n}={\mathbf{2}}^{\mathbf{9}}$	$\mathit{n}={\mathbf{2}}^{\mathbf{10}}$
20 Mbps	[11] (Poly)	SH	76	85	108	189	474	529	1524
	[11] (Table)	SH	84	99	120	171	235	461	873
	[11] (BF)	SH	106	171	280	507	954	2101	4111
	Ours (Poly)	M	24	51	97	229	574	1905	6855
	Ours (3H-GCT)	M	19	26	44	89	158	269	537
10 Mbps	[11] (Poly)	SH	106	134	151	256	554	665	1811
	[11] (Table)	SH	112	144	195	298	430	886	1728
	[11] (BF)	SH	169	290	522	997	1911	4256	8176
	Ours (Poly)	M	26	48	99	230	620	1906	6961
	Ours (3H-GCT)	M	28	45	75	109	183	326	700
5 Mbps	[11] (Poly)	SH	172	193	226	351	703	912	2229
	[11] (Table)	SH	197	255	351	547	806	1821	3611
	[11] (BF)	SH	296	544	1104	2062	3931	8433	16,729
	Ours (Poly)	M	42	78	105	240	638	2015	7043
	Ours (3H-GCT)	M	49	61	103	193	270	490	1173
1 Mbps	[11] (Poly)	SH	1926	2011	2324	2701	3424	5142	8347
	[11] (Table)	SH	1712	2076	2625	3969	5316	10,984	19,167
	[11] (BF)	SH	2664	3848	7801	12,773	21,377	44,312	84,851
	Ours (Poly)	M	109	152	247	448	994	2633	7974
	Ours (3H-GCT)	M	217	272	437	672	1200	2280	5194

.

The execution time of PSI is influenced by both computational and communication costs. In the LAN experiments, where messages were transmitted locally and communication time could be neglected, the execution time primarily hinged on the computational complexity of the protocol. As seen in Table 1, both the approach in reference [11] and our method based on polynomial interpolation demonstrated a notable increase as the set elements grew. This was primarily due to the time-consuming nature of polynomial interpolation, particularly evident for non-prime modulus $GF\left(2^{256}\right)$. The polynomial interpolation method used in reference [11] was derived from the C++ NTL library with a time complexity of $O\left(nlo{g}^{2}n\right)$, while our implementation using Rust code, currently not fully optimized, operated at a time complexity of $O\left(n^2\right)$. However, this does not imply that protocols based on polynomial interpolation lack value, a point that will be explained in subsequent experiments on a WAN. Table 1 demonstrates that in scenarios involving small sets, our DH-based protocol exhibited higher efficiency compared to the OT-based protocol in reference [11]. This discrepancy was attributed to not only the time-consuming nature of polynomial interpolation but also the significant time overhead from public key operations, as shown in

Table 3. Theoretical computation costs of MPSI protocols. “SH” and “M” refer to semi-honest and malicious protocols, respectively. $\kappa$ is the parameter of computational security. $\lambda$ is the parameter of statistical security. $n_i$ is the set size of party $P_i$. “Fixed-base Mul”, “Variable-base Mul”, and “Add” in the table represent operations on points of an elliptic curve. “Encode” is an indexing operation (including cuckoo hashing) for reference [11], while others refer to OKVS encoding. When $\kappa =128$, $L=1023$.

Protocol	Sec.	Party ${\mathbf{P}}_{\mathit{i}}(0\le \mathit{i}<\mathit{m}-1)$				Party ${\mathbf{P}}_{\mathit{m}-1}$
		Fixed-Base Mul	Variable-Base Mul	Add	Encode	Fixed-Base Mul	Variable-Base Mul	Add	Encode
[11] (Poly)	SH	$3.5\kappa$	$3.5\kappa$	$3.5\kappa$	$\mathcal{O}\left(n_i{log}^2{n}_i\right)$	$7\kappa$	$3.5(m-1)\kappa$	$3.5(m-1)\kappa$	$\mathcal{O}\left(n_{m-1}\right)$
[11] (Table)	SH	$3.5\kappa$	$3.5\kappa$	$3.5\kappa$	$\mathcal{O}\left(n_{m-1}\right)$	$7\kappa$	$3.5(m-1)\kappa$	$3.5(m-1)\kappa$	$\mathcal{O}\left(n_{m-1}\right)$
[11] (BF)	SH	$3.5\kappa$	$3.5\kappa$	$3.5\kappa$	$\mathcal{O}\left(n_i\right)$	$7\kappa$	$3.5(m-1)\kappa$	$3.5(m-1)\kappa$	$\mathcal{O}\left(n_{m-1}\right)$
COT (2H-GCT) *	M	L	L	L	$\mathcal{O}\left(\lambda n_i\right)$	$2L$	$(m-1)L$	$(m-1)L$	$\mathcal{O}\left(\lambda n_{m-1}\right)$
[28] (Poly)	M	1	$n_i$	$m-1+n_i$	$\mathcal{O}\left(n_i{log}^2{n}_i\right)$	$n_{m-1}$	$(m-1)n_{m-1}$	$m-1+n_{m-1}$	$\mathcal{O}\left(n_{m-1}{log}^2{n}_{m-1}\right)$
Ours (Poly)	M	1	$n_i$	0	$\mathcal{O}\left(n_i{log}^2{n}_i\right)$	$n_{m-1}$	$(m-1)n_{m-1}$	0	$\mathcal{O}\left(n_{m-1}{log}^2{n}_{m-1}\right)$
Ours (3H-GCT)	M	1	$n_i$	0	$\mathcal{O}\left(\lambda n_i\right)$	$n_{m-1}$	$(m-1)n_{m-1}$	0	$\mathcal{O}\left(\lambda n_{m-1}\right)$

* “COT (2H-GCT)” is the multiparty promotion of the two-party PSI protocol proposed in [8], where “2H-GCT” refers to the two-hashing gabled cuckoo table. The structure of silent OT [23] used by VOLE-PSI [24] is relatively complex. When the set is larger than $2^{20}$, it can evenly share the cost of computation and perform better, so VOLE-PSI is not compared here.

.

The DH-based PSI protocol conducted approximately $m·n_{m-1}$ public key operations, whereas the OT-based PSI protocol performed about $3.5(m+1)\kappa$ public key operations. Thus, when the set size was $n_{m-1}<3.5\kappa (1+\frac{1}{m})$, the DH-based PSI protocol had fewer public key operations. For example, when $m=2$ and $\kappa =128$, $n_{m-1}<672<2^{9.4}$; similarly, when $m=+\infty$ and $\kappa =128$, $n_{m-1}<448<2^{8.81}$. On the other hand, reference [11] explored the use of Bloom filters and cuckoo hash tables as alternative methods to polynomial interpolation. Bloom filters trade space for time, whereas cuckoo hash tables strike a balance between the two. However, these methods are suitable for semi-honest models and are not effectively applicable to malicious models. In contrast, our protocol introduced the 3H-GCT, an improved version of the cuckoo hash table suitable for malicious models but at the expense of increased time consumption.

Reference [10] employed polynomial interpolation to construct two-party PSI protocols, and experiments validated the significant advantage of this protocol in bandwidth-constrained scenarios, as evident from Table 2. Both the protocol based on polynomial interpolation in reference [11] and our own polynomial interpolation-based protocol performed well. The reason behind this was that polynomial interpolation incurs the lowest communication overhead. Of course, the DH-based PSI protocol also had lower communication overhead compared to the OT-based PSI protocol, resulting in strong performance for both of our proposed protocols in Table 2. Since reference [11] open-sourced its code and implemented various protocols based on polynomial interpolation, Bloom filters, cuckoo graphs, and other designs, it provided a valuable comparison for our two protocols based on polynomial interpolation and gabled cuckoo graphs. We conducted theoretical analyses on communication overhead, as depicted in

Table 4. Theoretical communication costs of zero sharing (in bits). “SH” and “M” refer to semi-honest and malicious protocols, respectively. $\kappa$ is the parameter of computational security.

Protocol	Sec.	Party ${\mathbf{P}}_{\mathit{i}}(0\le \mathit{i}<\mathit{m}-1)$	Party ${\mathbf{P}}_{\mathit{m}-1}$
[11]	SH	$2(m-1)\kappa$	$2(m-1)\kappa$
VOLE *	M	$2(m-1)\kappa$	$2(m-1)\kappa$
[28] *	M	-	-
Ours	M	$2(m-1)\kappa$	$2(m-1)\kappa$

* VOLE-PSI is a two-party PSI protocol based on silent OT proposed in paper [24], which introduces the specific construction of OPPRF. OPPRF can be used to construct the MPSI protocol, so “VOLE” here refers to the protocol constructed based on paper [24] and combined with zero-sharing technology. There is a structural difference between the zero sharing mentioned in [28] and the unconditional zero sharing proposed in [11], and although the ideas are similar, the latter form of zero-sharing is heavily coupled with the subsequent DH-based MPSI; therefore, the zero sharing of the latter protocol is subsumed into the subsequent MPSI protocol.

and

Table 5. Theoretical communication costs of MPSI protocols (in bits). “SH” and “M” refer to semi-honest and malicious protocols, respectively. $\kappa$ is the parameter of computational security. $\lambda$ is the parameter of statistical security. The cost of base OTs are independent of input size and equal to $5\kappa$. $n_i$ is the set size of party $P_i$, and $n^{\prime }={max}_{i=0}^{m-2}{n}_i$. $\varphi$ is the size of elliptic curve group elements (256 was used here). ${\beta }_{i,1}$ and ${\beta }_{i,2}$ is the required bin size mapping $n_i$ elements to $1.2n_i$ and $0.2n_i$ bins using simple hashing, and ${\gamma }_i=3.6{\beta }_{i,1}+0.4{\beta }_{i,2}$. When $n_i=2^{14}$, ${\beta }_{i,1}=28$ and ${\beta }_{i,2}=63$. When $\kappa =128$, $L=1023$.

Protocol	Sec.	Party ${\mathbf{P}}_{\mathit{i}}(0\le \mathit{i}<\mathit{m}-1)$	Party ${\mathbf{P}}_{\mathit{m}-1}$
[11] (Poly)	SH	$5(\lambda +log\left(n^{\prime }{n}_{m-1}\right))n_i+4.9\kappa n_{m-1}+|baseOT|$	${\sum }_{i=0}^{m-2}\left[5(\lambda +log\left(n^{\prime }{n}_{m-1}\right))n_i+4.9\kappa n_{m-1}+|baseOT|\right]$
[11] (Table)	SH	${\gamma }_i(\lambda +log\left(n^{\prime }{n}_{m-1}\right))n_{m-1}+4.9\kappa n_{m-1}+\left|baseOT\right|$	${\sum }_{i=0}^{m-2}\left[{\gamma }_i(\lambda +log\left(n^{\prime }{n}_{m-1}\right))n_{m-1}+4.9\kappa n_{m-1}+\left|baseOT\right|\right]$
[11] (BF)	SH	$300(\lambda +log\left(n^{\prime }{n}_{m-1}\right))n_i+4.9\kappa n_{m-1}+|baseOT|$	${\sum }_{i=0}^{m-2}\left[300(\lambda +log\left(n^{\prime }{n}_{m-1}\right))n_i+4.9\kappa n_{m-1}+|baseOT|\right]$
COT(2H-GCT) *	M	$2.4\kappa n_i+2.4L{n}_{m-1}+\left|baseOT\right|$	${\sum }_{i=0}^{m-2}\left[2.4\kappa n_i+2.4L{n}_{m-1}+\left|baseOT\right|\right]$
VOLE(Poly) *	M	$\kappa n_i+2^{17}\kappa n_{m-1}^{0.05}+\kappa n_{m-1}+\left|baseOT\right|$	${\sum }_{i=0}^{m-2}\left[\kappa n_i+2^{17}\kappa n_{m-1}^{0.05}+\kappa n_{m-1}+\left|baseOT\right|\right]$
VOLE(2H-GCT) *	M	$2.4\kappa n_i+2^{17}\kappa n_{m-1}^{0.05}+2.4\kappa n_{m-1}+\left|baseOT\right|$	${\sum }_{i=0}^{m-2}\left[2.4\kappa n_i+2^{17}\kappa n_{m-1}^{0.05}+2.4\kappa n_{m-1}+\left|baseOT\right|\right]$
VOLE(3H-GCT) *	M	$1.3\kappa n_i+2^{17}\kappa n_{m-1}^{0.05}+1.3\kappa n_{m-1}+\left|baseOT\right|$	${\sum }_{i=0}^{m-2}\left[1.3\kappa n_i+2^{17}\kappa n_{m-1}^{0.05}+1.3\kappa n_{m-1}+\left|baseOT\right|\right]$
[28] (Poly)	M	$2\kappa n_i+\varphi n_{m-1}+(m-1)\varphi$	${\sum }_{i=0}^{m-2}\left[2\kappa n_i+\varphi n_{m-1}+\varphi \right]$
Ours (Poly)	M	$2\kappa n_i+\varphi n_{m-1}+\varphi$	${\sum }_{i=0}^{m-2}\left[2\kappa n_i+\varphi n_{m-1}+\varphi \right]$
Ours (3H-GCT)	M	$2.6\kappa n_i+1.3\varphi n_{m-1}+\varphi$	${\sum }_{i=0}^{m-2}\left[2.6\kappa n_i+1.3\varphi n_{m-1}+\varphi \right]$

* “COT (2H-GCT)” is the multiparty promotion of the two-party PSI protocol proposed in [8], where “2H-GCT” refers to the two-hashing gabled cuckoo table. “VOLE (Poly)” and “VOLE (2H-GCT)” are the multiparty promotions of the two-party PSI protocol proposed in [24], and “VOLE (3H-GCT)” is a multiparty promotion of the combination of [24] and [16].

, encompassing several other protocols. For instance, reference [24] introduced the VOLE-PSI protocol based on silent OT, along with the design of OPPRF, enabling the construction of a multiparty PSI protocol based on OPPRF. Although the reference did not elaborate further on multiparty PSI or provide code implementation for MPSI, we conducted theoretical analyses for its multiparty scenario. Table 4 and Table 5 reveal that our protocols theoretically exhibited lower communication overhead. Apart from these protocols amenable to theoretical analysis, we also conducted a comparison of experimental protocol content, as illustrated in Figure 7.

8. Discussion

In Section 6, we proved the security of our proposed protocol under a malicious model using unconditional zero sharing, withstanding attacks from $m-2$ colluding parties for m parties. To defend against attacks from $m-1$ colluding parties, conditional zero sharing is required, as demonstrated in [11]. Due to the lower efficiency of conditional zero sharing, we did not provide a detailed explanation of this type of protocol in the paper. However, conditional zero sharing can also be applied within our protocol, and its principles are similar to those outlined in [11].

In Section 7, we manually implemented interpolation with a time complexity of $O\left(n^2\right)$ and limited optimization, which was not as good as the work of Moenck et al. [35], whose method had a time complexity of $O\left(nlo{g}^{2}n\right)$; we hope to improve upon this in the future. If the structure of 2H-GCT is a graph, then the structure of 3H-GCT is a hypergraph. Solving the loop problem in a hypergraph is more complicated, and we adopted a polling-like approach for edge peeling, which may be combined with deeper knowledge of the hypergraph here for further optimization.

In addition, improving the encoding and decoding efficiency of the OKVS and reducing the space occupied by the coefficient vector after OKVS encoding are all ways to improve the efficiency of the PSI protocol. Our KA was specifically implemented through Curve25519, but KA is not limited to Curve25519. The new elliptic curve cryptography, and even the new cryptographic structure, may improve the efficiency of the PSI protocol. In addition, utilizing hardware acceleration protocols such as GPU and FPGA without introducing new cryptographic theories is also a future research focus.

Our protocol can be effectively utilized for feature alignment in federated learning. However, our protocol is not limited to this. For example, in [10], a scenario was discussed wherein two parties aim to schedule a meeting that must occur during a time slot when both parties are available. This requires computing the intersection of available time slots without disclosing any additional schedule information beyond the intersection. We extended this scenario to encompass multiple parties agreeing on a meeting, a common situation, and our protocol could fulfill this requirement. Identifying common friends among multiple users and privacy-preserving intelligent recommendations are potential subsequent applications.

9. Conclusions

This paper introduced two multiparty private set intersection protocols for small sets: Poly-DH MPSI and Cuckoo MPSI. These protocols were constructed using key agreement, zero sharing, and different OKVS structures. In small-set scenarios, both Poly-DH MPSI and Cuckoo MPSI showed higher efficiency than previous approaches, even in LAN settings. Particularly in scenarios with bandwidth constraints, our proposed protocol demonstrated distinct advantages. The protocol based on the gabled cuckoo table incurred lower computational costs but slightly higher communication costs compared to the polynomial-based protocol.