Malicious-Secure Threshold Multi-Party Private Set Intersection for Anonymous Electronic Voting

Abstract

Threshold Multi-Party Private Set Intersection (TMP-PSI) is a cryptographic protocol that enables an element from the receiver’s set to be included in the intersection result if it appears in the sets of at least $t-1$ other participants, where t represents the threshold. This protocol is crucial for a variety of applications, such as anonymous electronic voting, online ride-sharing, and close-contact tracing programs. However, most existing TMP-PSI schemes are designed based on threshold homomorphic encryption, which faces significant challenges, including low computational efficiency and a high number of communication rounds. To overcome these limitations, this study introduces the Threshold Oblivious Pseudo-Random Function (tOPRF) to fulfill the requirements of threshold encryption and decryption. Additionally, we extend the concept of the Oblivious Programmable Pseudo-Random Function (OPPRF) to develop a novel cryptographic primitive termed the Partially OPPRF (P-OPPRF). This new primitive retains the critical properties of obliviousness and randomness, along with the security assurances inherited from the OPPRF, while also offering strong resistance against malicious adversaries. Leveraging this primitive, we propose the first malicious-secure TMP-PSI protocol, named QMP-PSI, specifically designed for applications like anonymous electronic voting systems. The protocol effectively counters collusion attacks among multiple parties, ensuring robust security in multi-party environments. To further enhance voting efficiency, this work presents a cloud-assisted QMP-PSI to outsource the computationally intensive phases. This ensures that the computational overhead for participants is solely dependent on the set size and statistical security parameters, thereby maintaining security while significantly reducing the computational burden on voting participants. Finally, this work validates the protocol’s performance through extensive experiments under various set sizes, participant numbers, and threshold values. The results demonstrate that the protocol surpasses existing schemes, achieving state-of-the-art (SOTA) performance in communication overhead. Notably, in small-scale voting scenarios, it exhibits exceptional performance, particularly when the threshold is small or close to the number of participants.

1. Introduction

Data resources have become a significant driving force in modern society, with various industries generating vast amounts of data every moment. The true value of these data can only be unlocked through analysis and computation. However, data often contain sensitive user information, and direct analysis without protective measures can lead to serious privacy breaches. To facilitate privacy-preserving data analysis, researchers have introduced Secure Multi-Party Computation (SMPC). This framework enables multiple participants to jointly compute a function while ensuring that only the final result is disclosed to the intended party. Within SMPC, Private Set Intersection (PSI) serves as a specialized application, allowing parties to determine the common elements of their respective private sets without exposing any extraneous information. PSI has found widespread use in applications such as blacklist matching [1], conversion of advertising effectiveness [2], and sample alignment in vertical federated learning [3].

Standard PSI protocols can be categorized into two-party and multi-party protocols. Two-party PSI protocols [4,5,6,7,8,9] have been extensively studied, achieving computational and communication costs that scale linearly with set size. Multi-party PSI protocols (MP-PSI) [10,11,12,13] extend this capability to three or more parties, allowing them to collectively determine the common elements within their datasets. However, as the participant count rises, the overhead increases substantially to counteract collusion attacks. Existing MP-PSI protocols typically leverage Oblivious Programmable Pseudo-Random Functions (OPPRFs) and Zero-Sharing Protocols, achieving high efficiency for scenarios with fewer than 10 parties and set sizes exceeding ${10}^{24}$. Recent work [12] has focused on MP-PSI with smaller set sizes but larger numbers of parties, removing cryptographic primitives with fixed overhead to achieve superior communication and computational efficiency.

Despite these advancements, existing MP-PSI protocols are increasingly inadequate for certain specialized applications, such as anonymous electronic voting, online ride-sharing, and close-contact tracing programs. For instance, in close-contact tracing programs [11], a user is classified as a close contact only if they have interacted with at least t infected individuals. Threshold Multi-Party Private Set Intersection (TMP-PSI) addresses these challenges by allowing an element in the receiver’s set to be included in the intersection result if it appears in the sets of at least $t-1$ other participants, where t is the threshold. This capability makes TMP-PSI particularly well suited for applications requiring flexible and efficient threshold-based computations.

Among these applications, TMP-PSI is especially promising for anonymous electronic voting systems. In these systems, the participant count of voters usually significantly surpasses the number of candidates (typically ≤5), and each candidate’s vote tally must reach a predetermined threshold to be deemed valid. Traditional approaches, such as publishing vote counts after the election, risk influencing voter behavior, as voters may strategically shift their support to candidates whose vote counts are close to the threshold. Existing anonymous electronic voting schemes, often based on public-key encryption and blockchain [14,15,16], face challenges such as deployment complexity and high system overhead. In contrast, TMP-PSI offers a more efficient and flexible solution, enabling high communication and computational efficiency while ensuring privacy and security. Figure 1 illustrates an anonymous electronic voting system built on TMP-PSI. In this system, the administrator inputs the list of candidates and voters cast their votes flexibly, with random values used to pad insufficient votes. The administrator can only determine the final list of candidates whose vote counts meet or exceed the threshold t, ensuring both privacy and fairness.

To address the specific requirements of such scenarios, Bay et al. [17] introduced the TMP-PSI protocol, which enables a receiver and multiple senders to jointly compute an intersection. The receiver outputs the result only if an element in its set appears in at least $t-1$ senders’ sets. However, the primary challenge in TMP-PSI [18] lies in recovering the intersection result through threshold encryption and decryption. Most existing schemes [17,19,20,21] rely on threshold homomorphic encryption, which incurs high computational and communication costs. Consequently, designing TMP-PSI protocols with lower overhead and enhanced security remains a critical research direction, particularly for applications such as anonymous electronic voting, where efficiency and scalability are paramount.

1.1. Related Work

This section reviews recent advancements in TMP-PSI, an algorithm that facilitates collaborative computations that preserve privacy. Current research on TMP-PSI can be divided into two primary categories.

The first category of protocols imposes constraints on the intersection size, outputting the intersection only if its cardinality meets or exceeds a predefined threshold. Ghosh et al. [22] pioneered the concept of TMP-PSI. Their approach utilizes threshold additive homomorphic encryption (TAHE) and matrix singularity testing to construct a private intersection cardinality testing protocol, which serves as the foundation for a TMP-PSI. They state that the lower bound for the communication cost for such protocols is $O\left(t\right)$, and their implementation achieves $O\left(t^2\right)$ communication complexity. While their work significantly optimizes communication overhead, the computational overhead remains high due to the reliance on homomorphic encryption.

Building on their earlier research, Ghosh et al. [23] expanded their two-party framework to accommodate multiple participants. Utilizing TAHE and Oblivious Transfer (OT), they developed an MP-PSI protocol with communication overhead scaling linearly with the threshold t. While this represents a notable theoretical improvement, the protocol’s real-world applicability is still constrained by efficiency challenges.

In a more recent development, Liu et al. [24] propose a probabilistic threshold PSI protocol, leveraging probabilistic techniques to improve both efficiency and scalability. Their approach allows participants to estimate the threshold intersection with a likelihood corresponding to the size of the shared elements. Furthermore, they developed an optimized multi-party probabilistic protocol for testing set size, which determines whether the intersection exceeds the predefined threshold—a critical element of threshold PSI. Their solution also guarantees security under the malicious adversary model. Nevertheless, the probabilistic framework of the protocol may restrict its use in applications that demand deterministic results.

The second category of protocols imposes constraints on the number of participants, requiring that an element in the receiver’s set must appear in at least $t-1$ other participants’ sets to be included in the intersection. Chandran et al. [19] propose a weak private membership testing protocol and integrate it with a Boolean circuit to develop a TMP-PSI protocol with a communication complexity of $O\left(mnt\right(\lambda +\kappa logn\left)\right)$, demonstrating high efficiency. They further investigate the relationship between the t and m, introducing two TMP-PSI protocols, Quorum-I and Quorum-II, tailored for different threshold scenarios. While Quorum-I outperforms Quorum-II in efficiency, both protocols experience a significant increase in communication rounds and overhead as the number of participants and set sizes expand.

Bay et al. [17] employed TAHE and Encrypted Bloom Filters (EBFs) to design a multi-party secure comparison protocol, which was subsequently utilized to construct a TMP-PSI protocol. However, the communication overhead of their protocol increases exponentially as the participant count rises, significantly restricting its scalability. Moreover, the reliance on threshold additive homomorphic encryption results in computational overhead that escalates rapidly with set size.

Mahdavi et al. [20] investigated a variant known as Over-Threshold Multi-Party Private Set Intersection (Over-TMP-PSI), enabling all participants to receive results for elements in their sets that meet the threshold intersection criteria. Their protocol leverages Paillier homomorphic encryption and polynomial interpolation, but this approach incurs substantial computational and communication overhead. Wei et al. [25] address this variant using symmetric-key encryption, introducing a novel cryptographic primitive called the Oblivious Programmable Pseudo-Random Function with Secret Sharing (OPPRF-SS), which reduces communication overhead to $O\left(n\right)$. However, their protocol relies on two powerful cloud servers for assistance, posing practical deployment challenges.

In summary, while significant progress has been made in TMP-PSI protocols, challenges remain in balancing efficiency, scalability, and practical applicability, particularly as the number of participants and set sizes increase.

1.2. Contributions

This work focuses on TMP-PSI with restrictions on the participant count. To distinguish it from the first category, we adopt the same naming convention as Chandran et al. [19], referring to the second category as Quorum MP-PSI (QMP-PSI). The distinctions between the two protocols are depicted in Figure 2. In Figure 2a, when the threshold is set to 3, the intersection will be sent to the receiver only if the intersection size among participants from Sender1 to Sender3 is greater than or equal to 3. In Figure 2b, since the elements $\{a,b,c,e\}$ in the receiver’s set also appear in at least two other participants’ sets, such as a and $b,c$ in all participants’ sets and e in the Sender2 and Sender3 sets, they are included in the final intersection set. In the anonymous electronic voting example, Sender1, Sender2, and Sender3 represent voters. The receiver possesses the complete set of candidates. Through the QMP-PSI protocol, the receiver can obtain the list of candidates whose votes exceed a certain threshold, while being unable to access each voter’s specific voting information or the exact vote counts for candidates.

To address the issues of excessive communication overhead and limited computational efficiency in existing QMP-PSI protocols based on threshold homomorphic encryption, we use the Threshold Oblivious Pseudo-Random Function (tOPRF) and construct a new cryptographic primitive called the Partially Oblivious Programmable Pseudo-Random Function (P-OPPRF). When an element in the receiver’s set also exists in the sender’s set, the P-OPPRF returns a partial OPRF value computed by using the tOPRF key share; otherwise, it returns a random value. The P-OPPRF retains the security, obliviousness, and randomness properties of a traditional OPRF. Furthermore, by leveraging a trusted cloud server to handle the computationally intensive secret reconstruction tasks, we construct a new QMP-PSI protocol that achieves malicious security, the lowest communication overhead, and fast computational efficiency for small sets for anonymous electronic voting.

The novel contributions of our research are summarized as follows:

(1)

We introduce a novel cryptographic primitive, the P-OPPRF, which allows the voting receiver to obtain a partial OPRF value computed using the tOPRF key share if an element exists in the voting sender’s set; otherwise, it returns a random value. This primitive retains the security, obliviousness, and randomness properties of a traditional OPRF. Based on the P-OPPRF, we propose the first QMP-PSI protocol under the malicious security model that can resist collusion attacks from up to $t-1$ parties, significantly enhancing the protocol’s security.

(2)

We present a cloud-assisted QMP-PSI protocol to outsource the computationally intensive tasks in anonymous electronic voting, ensuring that the computational overhead for the voting senders and receivers depends only on the set size and statistical security parameters. By offloading the complex secret reconstruction computations to the cloud server, the proposed QMP-PSI protocol maintains security while significantly reducing the computational burden on participants.

(3)

We conduct an experimental evaluation of our QMP-PSI protocol, assessing its performance in terms of communication and computational efficiency across varying set sizes, participant counts, and threshold values. The results demonstrate that our QMP-PSI protocol achieves a speedup of 21.2 times compared to the protocol in [17] under the conditions of participants $m=10$ and threshold $t=6$, and a set size of $n=2^6$. For $n=2^{12}$, the communication cost is reduced by a factor of 200 compared to [19]. Additionally, we investigate the correlation between the threshold and the participant count, revealing that our protocol performs optimally when the threshold t is either small or approaches the participant count m. The experimental results further confirm that our protocol outperforms existing solutions for set sizes below $2^{10}$.

2. Preliminaries

This section outlines the cryptographic primitives and security models employed in this work.

2.1. Notations

In this work, $\kappa$ and $\lambda$ represent the computational and statistical security parameters, respectively. The number of participants is denoted by m, the size of each set by n, and the threshold by t. The notation $[a,b]$ refers to the set of integers $\{a,a+1,\cdots ,b-1,b\}$, while $\left[b\right]$ is shorthand for $[1,b]$. Each participant is labeled as $P_i$, and their private set is represented by $X_i$. The length of the elliptic curve, set to 256, is denoted by $\varphi$. Finally, $s\leftarrow S$ indicates the uniform and random selection of an element from set S.

2.2. Secret Sharing

$(t,m)$-secret sharing involves dividing a secret k into m distinct shares, with the condition that a minimum of t shares (where $1<t\le m$) are necessary to recover the original secret k. If fewer than t shares are obtained, the secret remains unrecoverable. This work employs Shamir’s secret sharing scheme [26], which utilizes Lagrange interpolation for its operations. The sharing process is detailed in Algorithm 1, while the reconstruction process is outlined in Algorithm 2.

Algorithm 1: Secret Sharing Algorithm ($F_{ss-\mathit{Share}}$)

Algorithm 2: Secret Reconstruction Algorithm ($F_{ss-Recon}$)

Input: Any t secret shares $\{x_i,y_i\}$ Output: Secret k $$k=P\left(0\right)=\sum _{j=1}^t{y}_j·L_j\left(0\right),$$ where $L_j\left(x\right)$ is the Lagrange basis polynomial, defined as $$L_j\left(x\right)=\prod _{\begin{array}{c}1\le m\le t\\ m\ne j\end{array}}{\displaystyle \frac{x-x_m}{x_j-x_m}}.$$

2.3. Threshold Oblivious Pseudo-Random Function

The Threshold Oblivious Pseudo-Random Function (tOPRF) builds upon the OPRF framework introduced in [27], with its ideal functionality illustrated in Figure 3. This protocol decentralizes the OPRF server across n participants, mandating that at least t participants collaborate to execute the OPRF computation. Its design relies on the One-More Diffie–Hellman (OMDH) and Threshold One-More Diffie–Hellman (T-OMDH) assumptions, incorporating two hash functions. However, as highlighted in [28], the Two-Hash Diffie–Hellman (2HashTDH) variant of the tOPRF is susceptible to man-in-the-middle attacks. To address this, a Three-Hash Diffie–Hellman (3HashTDH) construction is proposed. The specific implementation steps of the ${\Pi }_{tOPRF}$ protocol are detailed in Figure 4.

The tOPRF protocol’s security is grounded in the Gap One-More Bilinear Diffie–Hellman (Gap-OMBDH) problem, which is derived from the Gap-DH problem and the One-More assumption. The robustness of the 3HashTDH-based tOPRF protocol against malicious adversary attacks is analyzed in Appendix B of [28], demonstrating its resilience in such scenarios.

2.4. Oblivious Key-Value Stores

The Oblivious Key–Value Store (OKVS) is a highly efficient data structure for packing key–value pairs, extensively utilized in private set operation protocols [8,29,30,31]. It comprises two core algorithms: $Encod{e}_H\{(x_1,y_1),\cdots ,(x_n,y_n)\}$, which compresses the input key–value pairs $\left\{(x_i,y_i)\right\}$ into an object D (returning ⊥ if the packing process fails), and $Decod{e}_H(D,x)$, which retrieves the value y associated with key x from the object D. OKVS can be realized through multiple methods, including polynomial interpolation, garbled Bloom filters [32], Paxos [29], and random band matrices [33]. Among these, the most efficient implementation [9] leverages Vector Oblivious Linear Evaluation (VOLE), achieving a packing efficiency of $O\left(n\lambda \right)$ and a query efficiency of $O\left(\lambda \right)$, with a size ratio of the packed object D to the key–value pair space n ranging between 1.03 and 1.09. This ratio indicates the compactness of the packed object relative to the original data size.

A secure OKVS must also satisfy two important properties: obliviousness and randomness. Obliviousness ensures that the output of the OKVS for different key–value pairs is indistinguishable in probabilistic polynomial time (PPT). Randomness ensures that when querying a key not in the key–value pair, the OKVS generates a value that is uniformly and randomly distributed across the value space.

2.5. Bloom Filter

A Bloom filter (BF) [34] of size m, denoted as $BF=\left\{BF\right[0],BF[1],\cdots ,BF[m-1\left]\right\}$, is a probabilistic data structure designed to efficiently encode a set S of size n. The construction process involves the following steps:

1.

Hash Function Selection: k independent hash functions $(h_1,h_2,\cdots ,h_k)$ are chosen, where each $h_i:{\{0,1\}}^{*}\to [0,m-1]$ maps an input to a position within the filter.

2.

Initialization: All bits in the BF are initialized to 0.

3.

Encoding Elements: For each element $x\in S$, the hash values $h_1\left(x\right),h_2\left(x\right),\cdots ,h_k\left(x\right)$ are computed. The corresponding positions in the BF are set to 1. If a position is already 1, it remains unchanged.

This design enables efficient set membership queries while maintaining a controlled probability of false positives. The Bloom filter’s compact representation and low computational overhead make it a widely used tool in applications requiring space-efficient set storage and fast lookups.

3. Security Models and Definitions

3.1. Security Models

In the QMP-PSI protocol, adversaries are categorized into semi-honest and malicious types based on their behavior. A semi-honest adversary adheres to the protocol but attempts to gather and analyze protocol data to infer sensitive information. In contrast, a malicious adversary actively disrupts the protocol by deviating from its prescribed steps. The QMP-PSI protocol constructed in this work allows the adversary to control up to $t-1$ participants in the malicious adversary security model.

3.2. Security Definitions

Definition 1

(Semi-Honest Security Model). Given the QMP-PSI protocol ${\Pi }_{QMP-PSI}$ and its corresponding ideal functionality ${\mathcal{F}}_{QMP-PSI}$, if there exists a PPT algorithm Sim that, using only the inputs from the set C of participants controlled by the adversary, can output the ideal functionality ${\mathcal{F}}_{QMP-PSI}$ and the participants in set C in the ideal world, and generate a simulated view indistinguishable from the adversary’s view in the real world, expressed as

$$\mathit{Sim}\left(\left(X,Y\right),f_i\left(X,Y\right)\right)\stackrel{\mathrm{C}}{\approx }{\mathit{View}}_i^{\Pi }\left(\left(X,Y\right),{\mathit{output}}_i^{\Pi }\left(X,Y\right)\right)$$

(1)

where $i\in C$, then the protocol ${\Pi }_{QMP-PSI}$ is secure in the semi-honest security model and consistent with the ideal functionality ${\mathcal{F}}_{QMP-PSI}$.

Definition 2

(Malicious Security Model). Given the QMP-PSI protocol ${\Pi }_{QMP-PSI}$ and its corresponding ideal functionality ${\mathcal{F}}_{QMP-PSI}$, if there exists a PPT algorithm Sim that, using random inputs $S_i$ from any participant instead of inputs from the set C of participants controlled by the adversary, can output the ideal functionality ${\mathcal{F}}_{QMP-PSI}$ and any input $S_i$ in the ideal world, and generate a simulated view indistinguishable from the adversary’s view in the real world, expressed as

$$\mathit{Sim}\left(\left(S_i\right),f_i\left(S_i\right)\right)\stackrel{\mathrm{C}}{\approx }{\mathit{View}}_i^{\Pi }\left(\left(S_i\right),{\mathit{output}}_i^{\Pi }\left(S_i\right)\right)$$

(2)

where $S_i$ represents random inputs from uncorrupted participants and controlled inputs from corrupted participants, then the protocol ${\Pi }_{QMP-PSI}$ is secure in the malicious security model and consistent with the ideal functionality ${\mathcal{F}}_{QMP-PSI}$.

4. Partially Oblivious Programmable Pseudo-Random Function

4.1. Constructions

When the Oblivious Programmable Pseudo-Random Function (OPPRF) allows the sender to input a set $\left\{(x_i,y_i)\right\}$, and the receiver to input an element x. If $x\in \left\{x_i\right\}$, the corresponding $y_i$ is returned; otherwise, a random value is returned. Programmability allows the sender to edit the value of $y_i$. Existing OPPRF implementations typically use the OPRF value of $x_i$ as $y_i$. To meet the requirements of building the QMP-PSI, we design a new OPPRF where the $y_i$ value is a partial OPRF value computed using a partial key derived from the master key. This new OPPRF is known as the Partially OPPRF (P-OPPRF), and its ideal functionality ${\mathcal{F}}_{P-OPPRF}$ is shown in Figure 5.

The construction of protocol ${\Pi }_{P-OPPRF}$ is shown in Figure 6.

In the protocol construction, for simplicity, it is assumed that k, z, and r are chosen uniformly at random. However, in practical implementations, these values should be derived from the master key shares.

4.2. Correctness Analysis

When $x_i\in Y$, the receiver can accurately decode the corresponding partial OPRF value from the OKVS object due to the correctness of the OKVS. When $x\notin Y$, the probability of the receiver inferring the correct OPRF value is $2^{-\varphi }$, with $\varphi =256$, making it negligible in polynomial time. Similarly, the likelihood of the sender deducing the value of $a_i$ is also negligible. The false positive probability for OKVS decoding is $2^{-\lambda }$, usually set to $\lambda =40$, which is negligible.

4.3. Security Proof

Theorem 1.

The protocol ${\Pi }_{P-OPPRF}$ implements the semi-honest secure ${\mathcal{F}}_{P-OPPRF}$ functionality in the ${\mathcal{F}}_{tOPRF}$ hybrid model.

Proof. 

The security of the protocol ${\Pi }_{tOPRF}$ has been proven in [28]. Therefore, we only need to prove the following two lemmas. □

Lemma 1.

When the OKVS has obliviousness and randomness, the protocol ${\Pi }_{P-OPPRF}$ securely implements the ${\mathcal{F}}_{P-OPPRF}$ functionality against a semi-honest sender $\mathcal{A}$ in the ${\mathcal{F}}_{tOPRF}$ hybrid model.

Proof. 

The simulator $\mathcal{S}$ interacts with the sender as outlined below:

• $\mathcal{A}$ randomly selects keys r, k, and z.
• $\mathcal{A}$ blinds the set elements, computes $a_i=\mathrm{tOPRF}.\mathrm{blind}(r,y_i)$, computes the partial OPRF value $v_i=\mathrm{tOPRF}.\mathrm{teval}(k,z,a_i)$, and constructs the OKVS object $D_s={\mathrm{Encode}}_H(y_i,v_i)$.
• $\mathcal{A}$ sends $D_s$ to $\mathcal{S}$, and $\mathcal{S}$ computes $v={\mathrm{Decode}}_H(D_s,x_i)$.

The indistinguishability of the simulation is proven using the following hybrids:

-

Hybrid0: Identical to the real protocol.

-

Hybrid1: $\mathcal{S}$ randomly selects keys r, k, and z in this hybrid. Since the keys are uniformly distributed, the selected keys are statistically indistinguishable. Thus, Hybrid1 is identical to Hybrid0.

-

Hybrid2: $\mathcal{A}$ randomly samples the blinded values $a_i$ of the elements $x_i$ in this hybrid. Since $a_i$ is a random and uniformly distributed elliptic curve point, Hybrid2 is identical to Hybrid0.

-

Hybrid3: $\mathcal{A}$ randomly samples $v_i$ in this hybrid. Given that the hash function output in $\mathrm{tOPRF}.\mathrm{teval}\left(\right)$ follows a uniform distribution, Hybrid3 is identical to Hybrid0.

-

Hybrid4: $\mathcal{A}$ randomly generates $D_s$ in this hybrid. The obliviousness of the OKVS ensures that the outputs of ${\mathrm{Encode}}_H$ for different key–value pairs are indistinguishable in PPT. Thus, Hybrid4 is identical to Hybrid0.

-

Hybrid5: $\mathcal{S}$ decodes $D_s$ in this hybrid. The randomness of the OKVS ensures that $\mathcal{S}$ cannot distinguish whether the output is a random value or $v_i$. Thus, Hybrid5 is identical to Hybrid0.

□

Lemma 2.

When the OKVS has obliviousness and randomness, the protocol ${\Pi }_{P-OPPRF}$ securely implements the ${\mathcal{F}}_{P-OPPRF}$ functionality against a semi-honest receiver $\mathcal{A}$ in the ${\mathcal{F}}_{tOPRF}$ hybrid model.

Proof. 

The simulator $\mathcal{S}$ interacts with the receiver as outlined below:

(1)

$\mathcal{S}$ randomly selects an OKVS object $D_s$ and sends it to $\mathcal{A}$.

(2)

$\mathcal{A}$ receives the OKVS object $D_s$ from $\mathcal{S}$ and computes $v_i^{\prime }={\mathrm{Decode}}_H(D_s,x_i)$.

Since the obliviousness of the OKVS ensures that the outputs of ${\mathrm{Encode}}_H$ for different key–value pairs are uniformly distributed and indistinguishable in PPT, and the randomness ensures that the results of ${\mathrm{Decode}}_H$ are indistinguishable from random values in PPT, the protocol ${\Pi }_{P-OPPRF}$ is secure against a semi-honest receiver.

□

Theorem 2.

The protocol ${\Pi }_{P-OPPRF}$ implements the maliciously secure ${\mathcal{F}}_{P-OPPRF}$ functionality in the ${\mathcal{F}}_{tOPRF}$ hybrid model.

Proof. 

The security of the protocol ${\Pi }_{tOPRF}$ has been proven in [28]. Therefore, we only need to prove the following two lemmas. □

Lemma 3.

When the OKVS has obliviousness and randomness and a random oracle $H:{\{0,1\}}^{*}\to {\{0,1\}}^{\kappa }$, the protocol ${\Pi }_{P-OPPRF}$ securely implements the ${\mathcal{F}}_{P-OPPRF}$ functionality against a malicious sender $\mathcal{A}$ in the ${\mathcal{F}}_{tOPRF}$ hybrid model.

Proof. 

Consider a malicious sender. The simulator interacts with the sender as described below:

(1)

The simulator acts as the ${\mathcal{F}}_{tOPRF}$ functionality and records all inputs y from the sender as a set $Y^{★}$.

(2)

When the sender uses ${\mathcal{F}}_{tOPRF}.\mathrm{teval}\left(\right)$ to compute the set $V=\{v_1,v_2,\cdots ,v_i\}$ and sends it to the simulator, if an element y in $Y^{★}$ does not have another element $y^{\prime }$ ($y\ne y^{\prime }$) such that ${\mathcal{F}}_{tOPRF}$ values are the same, then y is added to the set $\widehat{Y}$. The simulator sends $\widehat{Y}$ to ${\mathcal{F}}_{P-OPPRF}$ after encoding it with the OKVS.

Since there is no $y^{\prime }$ such that ${\mathcal{F}}_{tOPRF}.\mathrm{teval}\left(y\right)={\mathcal{F}}_{tOPRF}.\mathrm{teval}\left(y^{\prime }\right)$, it is easy to prove that the simulation is indistinguishable. Suppose that there is a collision ${\mathcal{F}}_{tOPRF}.\mathrm{teval}\left(y\right)={\mathcal{F}}_{tOPRF}.\mathrm{teval}\left(y^{\prime }\right)$, i.e., $y^{\prime }$ has a high probability of belonging to X, and there exists ${\mathcal{F}}_{tOPRF}.\mathrm{teval}\left(y\right)={\mathcal{F}}_{tOPRF}.\mathrm{teval}\left(x\right)$. Given $\left|X\right|=n=O\left(\kappa \right)$, the probability that the sender can find a $y^{\prime }$ that collides with an element in X is $O\left(2^{-\kappa }\right)$, which is negligible. □

Lemma 4.

When the OKVS has obliviousness and randomness and a random oracle $H:{\{0,1\}}^{*}\to {\{0,1\}}^{\kappa }$, the protocol ${\Pi }_{P-OPPRF}$ securely implements the ${\mathcal{F}}_{P-OPPRF}$ functionality against a malicious receiver $\mathcal{A}$ in the ${\mathcal{F}}_{tOPRF}$ hybrid model.

Proof. 

Consider a malicious receiver. The simulator interacts with the receiver as described below:

The simulator generates a random OKVS object $D_s$ and sends it to the receiver.

The receiver tries to identify a collision $H\left(x\right)=H\left(y\right)$ where $x\ne y$. Given that the output length of H is $\kappa$, the probability of such a collision is $O\left(2^{-\kappa }\right)$, which makes it negligible. □

5. A Cloud-Assisted QMP-PSI Protocol for Anonymous Electronic Voting

5.1. Constructions

QMP-PSI allows m participants to jointly compute the elements in the receiver’s set that appear at least t times among all participants. The ideal functionality ${\mathcal{F}}_{QMP-PSI}$ for QMP-PSI is illustrated in Figure 7.

In the construction of the QMP-PSI, the receiver needs to compare the threshold-recovered OPRF value with the directly computed OPRF value, which incurs significant overhead. To address this, we outsource to a cloud server to play the role of threshold recovery in the tOPRF, computing the OPRF value from the partial OPRF values received from different participants.The protocol guarantees that an element from the receiver’s set is added to the intersection result if and only if it is present in at least $t-1$ of the sender sets.The protocol consists of three phases:

(1)

Secret Sharing Phase: The receiver splits the secret into n shares using tOPRF secret sharing and distributes them to other participants except the cloud server.

(2)

P-OPPRF Computation Phase: The cloud server and other participants execute the P-OPPRF protocol to receive partial OPRF values.

(3)

Threshold Reconstruction and Intersection Computation Phase: The cloud server reconstructs the OPRF values using the partial OPRF values provided by the participants. If at least t valid shares are available, the correct OPRF value can be successfully reconstructed. The cloud server then encodes all OPRF values into a BF and transmits it to the receiver. Upon receiving the BF, the receiver computes the OPRF values locally and queries the filter to identify whether each element in its set is part of the QMP-PSI result.

The specific construction of the QMP-PSI protocol ${\Pi }_{QMP-PSI}$ is shown in Figure 8.

5.2. Correctness Analysis

As shown in Figure 9, a simple scenario is used to verify the correctness of our protocol. Assume there are three participants and one server, with a threshold $t=2$. $P_1$ and $P_3$ hold the same element a, and $P_3$ is responsible for outputting the intersection. The following modification is performed: During the P-OPPRF phase, $v_1$, $v_2$, and $v_3$ are distinct random numbers because the OPRF blinding elements differ. Decoding the key–value pair object of $P_2$ outputs a random value. Since the output of OKVS is randomly distributed, C cannot distinguish which of $v_1$, $v_2$, and $v_3$ is the actual value and which is random. The probability that C can infer the partial OPRF value computed by $P_2$ is $2^{-\varphi }$, which is negligible. During the threshold reconstruction and intersection computation phase, C can reconstruct the complete OPRF value using the partial OPRF values computed by $P_1$ and $P_3$, which matches the OPRF value computed by $P_3$. The false positive rate of the BF is determined by the statistical security parameter $\lambda$, which is $2^{-\lambda }$ ($\lambda =40$), and is negligible. Therefore, the proposed ${\Pi }_{QMP-PSI}$ protocol correctly implements the functionality of ${\mathcal{F}}_{QMP-PSI}$.

5.3. Security Proof

Definition 3.

The protocol ${\Pi }_{QMP-PSI}$ implements the maliciously secure ${\mathcal{F}}_{QMP-PSI}$ functionality in the $({\mathcal{F}}_{tOPRF},{\mathcal{F}}_{P-OPPRF})$ hybrid model.

Proof. 

The entities in the protocol ${\Pi }_{QMP-PSI}$ can be divided into four categories: senders $P_i$, $i\in [m-1]$ and $i\notin C$; receiver $P_m$; cloud server C; and collusion set H. Assume all participants and the cloud server strictly follow the protocol steps but actively collect and infer information during the protocol execution. Assume the cloud server C is trusted and does not collude with any participant. To demonstrate the protocol’s security, we analyze the following two cases, assuming $\eta <t$:

• Scenario (1): The receiver $P_m$ and C are honest, and a subset $H_I$ of $\eta$ senders is corrupted.
• Scenario (2): C is honest, $P_m$ is corrupted, and a subset $H_I$ of $\eta$ senders is corrupted.

For Scenario (1): In Scenario (1), both $P_m$ and C are honest, while the corrupted set $H_I$ aims to extract the private set information of the honest senders $P_i$ (where $i\in [m-1]$ and $i\notin H_I$) as well as $P_m$. Since there is no direct data interaction between honest senders $P_i$ and the corrupted set, $H_I$ cannot obtain any information about the sets of $P_i$. The data interaction between $H_I$ and $P_m$ is as follows: $H_I$ receives $(k_I,z_I,r)$ from $P_m$. Here, $k_I$, $z_I$, and r have lengths equal to the elliptic curve length. If $H_I$ attempts to infer their actual values, the probability is $2^{-\varphi }$, which is negligible. If $H_I$ tries to reconstruct the keys K and $zeroK$ chosen by $P_m$ through secret reconstruction, since $|H_I|<t$, the original keys cannot be reconstructed due to the requirement of at least t shares in Shamir’s secret sharing scheme. Thus, under the condition that both $P_m$ and C remain honest and the number of corrupted senders does not exceed $t-1$, the protocol ${\Pi }_{QMP-PSI}$ securely realizes the functionality of ${\mathcal{F}}_{QMP-PSI}$.

For Scenario (2): In Scenario (2), $P_m$ is also compromised, and the objective of the adversarial set $H_I$ is to extract the private set data of other honest participants $P_i$, where $i\ne m$ and $i\notin \left[H\right]$. Since $P_m$ solely handles the distribution of key shares during the key sharing phase, a compromised $P_m$ is unable to deduce the private set details of other honest participants. The adversarial set $H_I$ can access the keys K and $zeroK$ via $P_m$. However, as established in the analysis of Scenario (1), $H_I$ remains incapable of uncovering the private set information of honest participants. Therefore, when C is honest, $P_m$ belongs to the corrupted set $H_I$, and $|H_I|<t$, the protocol ${\Pi }_{QMP-PSI}$ securely implements the ${\mathcal{F}}_{QMP-PSI}$ functionality.

In conclusion, the protocol ${\Pi }_{QMP-PSI}$ implements the maliciously secure ${\mathcal{F}}_{QMP-PSI}$ functionality in the $({\mathcal{F}}_{tOPRF},{\mathcal{F}}_{P-OPPRF})$ hybrid model with trusted cloud assistance, resisting collusion attacks from up to $t-1$ parties. □

6. Experimental Results and Analysis

To evaluate the efficiency of the proposed QMP-PSI protocol, we implemented it in C++. The experiments were performed on an Aliyun server equipped with Ubuntu 20.04, an Intel(R) Xeon(R) Platinum CPU(Intel Corporation, Santa Clara, CA, USA) @ 2.50 GHz, and 64 GB of RAM. The implementation utilizes the Ristretto255 elliptic curve of libSodium [35], with parameters $\kappa =128$ and $\lambda =40$. For the OKVS data structure, we adopted the approach from [9], setting the weight parameter to 3 and packing a packing ratio of 1.23.

6.1. Theoretical Analysis

The efficiency of PSI can be analyzed in terms of communication rounds, communication overhead, and computational overhead. A qualitative theoretical comparison with existing QMP-PSI protocols demonstrates the advantages of our protocol.

Communication Rounds: Our protocol consists of three phases. In the secret sharing phase, $P_m$ splits the secret and sends the shares along with the blinding factor to participants $P_i,i\in [m-1]$, requiring 1 communication round. In the P-OPPRF phase, C and $P_m$, $P_i$ execute the ${\Pi }_{P-OPPRF}$ protocol, requiring 1 communication round. In the threshold reconstruction and intersection computation phase, C sends the constructed Bloom filter (BF) to $P_m$, requiring 1 communication round. Thus, our protocol requires only 3 communication rounds.

Communication Overhead: During the secret sharing phase, $P_m$ allocates keys to $P_i$. Given that the length of an elliptic curve point is $\varphi$, the communication overhead for this phase is $O\left(3\right(m-1\left)\varphi \right)$. In the P-OPPRF phase, C collects OKVS objects from all participants, incurring a communication cost of $m\rho \left(\varphi n\right)$. In the threshold reconstruction and intersection computation phase, C transmits a BF object to $P_m$, with a communication cost of $O(m/8)$ (where m represents the size of the BF bit array), and $P_m$ sends set hash values to C, resulting in a communication overhead of $O\left(n\right)$. Consequently, the overall communication overhead of our ${\Pi }_{QMP-PSI}$ protocol is $O\left(3\right(m-1\left)\varphi \right)+m\rho \left(\varphi n\right)+O(m/8)+O\left(n\right)$.

Computational Overhead: During the secret sharing phase, $P_m$ generates two polynomials of degree $t-1$, each requiring $O(t-1)$ operations. The computation of blinding elements and OPRF values incurs an overhead of $O\left(n\right)$, leading to a total phase overhead of $O(t+n)$. For participants $P_i$ (where $i\ne m$), the computation of partial OPRF values and the $Encod{e}_H$ operation for the OKVS introduce overheads of $O\left(n\right)$ and $O\left(\lambda n\right)$, respectively, resulting in a combined overhead of $O\left(\right(1+\lambda \left)n\right)$. For C, each element necessitates $\left({\displaystyle \genfrac{}{}{0pt}{}{m}{t}}\right)$ Lagrange interpolation operations, with an overhead of $O\left(t^2\right)$, contributing to a total overhead of $O(n·\left({\displaystyle \genfrac{}{}{0pt}{}{m}{t}}\right)·t^2)$. Thus, the overall computational overhead of the protocol can be simplified to $O\left(n(1+\lambda +\left({\displaystyle \genfrac{}{}{0pt}{}{m}{t}}\right)·t^2)\right)$.

Table 1. Comparison of theoretical communication rounds, communication costs, and computational costs between the QMP-PSI protocol in this work and those in references [17,19].

Protocol	Rounds	Secret Reconstructor		Secret Distributor		Other Participants
		Comp.	Comm.	Comp.	Comm.	Comp.	Comm.
Bay [17]	t	$O\left(nm\right)$	$O(nmtlogn\kappa )$	$O\left(nm\right)$	$O(nmtlogn\kappa )$	–	–
Chandran (Quorum-I) [19]	$O(log\sigma +t^{\prime })$	–	–	$O\left(nm\kappa \sigma \right)$	$O\left(nm\sigma \right)$	$O\left(nm\kappa \right)$	$O\left(nm\kappa \sigma \right)$
Chandran (Quorum-II) [19]	$O(log\sigma +logm)$	–	–	$O\left(nm{(logm)}^3\right)$	$O\left(nm\kappa \right)$	$O(nmlogm)$	$O\left(nm\kappa \sigma \right)$
Our Protocol	3	$O\left(n{(mlogn/t)}^{2t}\right)$	$O\left(nm\lambda \right)$	$O\left(n\right)$	$O\left(nm\lambda \right)$	$O\left(n\right)$	$O\left(\lambda n\right)$

compares the communication rounds, communication overhead, and computational overhead of our ${\Pi }_{QMP-PSI}$ protocol with those of the protocols in [17,19]. The protocol in [19] constructs two QMP-PSI protocols: Quorum-I is more efficient when the threshold t is close to 1 or $m-1$, while Quorum-II is more efficient when t is close to $m/2$. Our comparison includes the communication and computational overhead of the secret reconstructor, secret distributor, and other participants. In [19], the secret distributor and reconstructor are the same party, and their overhead is the same. Here, $t^{\prime }=min\{t,m-t+1\}$, $\sigma =\lambda +\lceil logn\rceil +\lceil logm\rceil +2$, and $\lceil logp\rceil =\lceil logm\rceil +1$. From the comparison, it is evident that our QMP-PSI protocol has the lowest communication cost. The computational cost for the secret distributor is primarily determined by the set size, as the overhead associated with secret sharing is minimal. For other participants, the computational overhead depends exclusively on the set size and the statistical security parameter, unaffected by the participant count. The majority of the computational burden falls on the secret reconstructor, a characteristic shared with other protocols. Consequently, our QMP-PSI protocol achieves optimal communication efficiency and demonstrates strong performance for small datasets.

6.2. Experimental Analysis

The experiments first analyze the overhead of threshold reconstruction in the QMP-PSI protocol, as illustrated in Figure 10. The number of participants is set to $\{3,4,5,7,10\}$, with thresholds of $0.3m$, $0.6m$, and $0.9m$, and set sizes of $\{2^7,2^8,2^9,2^{10}\}$. From Figure 10a, the highest overhead occurs with 10 participants and a set size of $2^{10}$. This is because the combination number $\left({\displaystyle \genfrac{}{}{0pt}{}{10}{3}}\right)=120$, meaning that for each set element, 120 attempts are required for secret reconstruction, resulting in a total of 122,880 secret reconstructions, which is the main cause of the overhead. Since $\left({\displaystyle \genfrac{}{}{0pt}{}{10}{6}}\right)=210$ and $\left({\displaystyle \genfrac{}{}{0pt}{}{10}{9}}\right)=10$, the overhead in Figure 10b is higher than in Figure 10c. This analysis shows that the overhead of the threshold reconstruction phase mainly depends on the relationship between t and m. When t is close to $m/2$, our QMP-PSI protocol incurs significant overhead. Therefore, our cloud-assisted QMP-PSI protocol is suitable for scenarios where t is small or close to m. It is noteworthy that introducing the Fast Fourier Transform into the Shamir’s secret sharing scheme can reduce the efficiency of polynomial interpolation from $O\left(n^2\right)$ to $O\left(n{log}^{2}n\right)$, which will further enhance the computational efficiency of the reciever and the cloud server.

Table 2. Overall running time of the QMP-PSI protocol (in Seconds).

Threshold	Participants	$2^7$			$2^8$			$2^9$			$2^{10}$
		Sender	Receiver	Cloud	Sender	Receiver	Cloud	Sender	Receiver	Cloud	Sender	Receiver	Cloud
$t=0.3m$	3	0.016	0.022	0.032	0.029	0.039	0.058	0.055	0.072	0.107	0.117	0.142	0.208
	4	0.012	0.026	0.045	0.038	0.047	0.074	0.072	0.087	0.163	0.151	0.178	0.297
	5	0.014	0.030	0.062	0.046	0.057	0.110	0.097	0.103	0.231	0.182	0.214	0.395
	7	0.013	0.041	0.109	0.063	0.076	0.208	0.132	0.141	0.377	0.188	0.239	0.657
	10	0.042	0.050	0.402	0.074	0.099	0.825	0.173	0.203	1.590	0.359	0.397	2.300
$t=0.6m$	3	0.016	0.022	0.032	0.029	0.039	0.058	0.055	0.072	0.107	0.117	0.142	0.208
	4	0.015	0.028	0.047	0.037	0.050	0.086	0.072	0.088	0.131	0.144	0.196	0.319
	5	0.019	0.029	0.079	0.049	0.057	0.149	0.091	0.109	0.265	0.183	0.212	0.459
	7	0.032	0.043	0.200	0.060	0.071	0.431	0.118	0.142	0.669	0.257	0.282	1.367
	10	0.029	0.056	1.224	0.090	0.100	2.452	0.180	0.202	4.883	0.359	0.401	9.705
$t=0.9m$	3	0.016	0.022	0.032	0.029	0.039	0.058	0.055	0.072	0.107	0.117	0.142	0.208
	4	0.015	0.028	0.047	0.037	0.050	0.086	0.072	0.088	0.131	0.144	0.196	0.319
	5	0.014	0.032	0.064	0.048	0.054	0.116	0.091	0.106	0.216	0.161	0.226	0.432
	7	0.032	0.037	0.081	0.067	0.073	0.154	0.117	0.142	0.301	0.254	0.287	0.608
	10	0.041	0.049	0.138	0.088	0.099	0.269	0.169	0.201	0.586	0.366	0.392	1.066

presents the execution time of our ${\Pi }_{QMP-PSI}$ across varying numbers of participants, thresholds, and set sizes. The computational time overhead for the sender, receiver, and cloud server is documented. Since the receiver needs to wait for the BF data from the cloud server, the receiver’s time in Table 2 is recorded up to the point before receiving the BF. The overhead of BF insertion and querying is minimal, requiring only 3.921 s for a set size of $2^{20}$. From the data, it can be observed that the sender’s time overhead is mainly affected by the set size, while the receiver’s key splitting time increases with the number of participants.

Table 3. Communication overhead of QMP-PSI (in MegaBytes) when $t=0.9m$.

Threshold	Participants	$2^7$	$2^8$	$2^{10}$
$t=0.9m$	3	0.006	0.012	0.047
	4	0.006	0.012	0.047
	5	0.007	0.013	0.048
	7	0.007	0.013	0.048
	10	0.007	0.013	0.048

illustrates the communication overhead for the case where $t=0.9m$. Given that the communication overhead of our ${\Pi }_{QMP-PSI}$ is predominantly influenced by the set size and exhibits minimal dependence on the number of participants and the threshold, only the total overhead under the $t=0.9m$ setting is provided.

Table 4. Comparison of running time between our ${\Pi }_{QMP-PSI}$ and the work [17]. Best results are marked in bold.

Participants	Threshold	Protocol	Running Time (s)
		Set Size	${\mathbf{2}}^{\mathbf{2}}$	${\mathbf{2}}^{\mathbf{4}}$	${\mathbf{2}}^{\mathbf{6}}$
5	2	Bay [17]	0.972	3.829	13.334
		Ours	0.010	0.011	0.033
	3	Bay [17]	1.189	4.791	18.664
		Ours	0.012	0.013	0.040
7	2	Bay [17]	1.344	5.407	21.520
		Ours	0.016	0.018	0.056
	5	Bay [17]	2.206	8.762	35.677
		Ours	0.031	0.022	0.095
10	2	Bay [17]	1.978	7.751	30.951
		Ours	0.030	0.033	0.102
	6	Bay [17]	3.522	14.139	56.683
		Ours	0.102	0.174	0.631

compares the running time of our ${\Pi }_{\mathrm{QMP}-\mathrm{PSI}}$ protocol with the QMP-PSI protocol in [17], focusing on smaller set sizes and a limited number of participants due to the significant performance degradation of the latter with larger datasets. The experimental results reveal that our protocol consistently outperforms the protocol in [17] across all tested scenarios. Notably, the protocol in [17] exhibits a more significant efficiency decline as the set size grows. For instance, with 10 participants and a threshold of 6, as the set size increases from $2^2$ to $2^6$, our protocol achieves a speedup ranging from 34.5× to 89.8×. Furthermore, when the number of participants rises from 5 to 10 and the threshold increases from 2 to 6, with a set size of $2^6$, our protocol is 21.2× faster (0.102 s vs. 56.683 s). In conclusion, our protocol demonstrates superior efficiency compared to the protocol in [17] for scenarios with fewer than 10 participants and set sizes smaller than $2^8$.

Table 5. The communication overhead comparison between our ${\Pi }_{QMP-PSI}$ and the work in [19]. Best results are marked in bold.

Participants	Threshold	Protocol	Communication Overhead (MB)
		Set Size	${\mathbf{2}}^{\mathbf{12}}$	${\mathbf{2}}^{\mathbf{16}}$	${\mathbf{2}}^{\mathbf{18}}$
4	3	Chandran [19]	16.980	209.860	874.230
		Ours	0.188	3.001	12.001
5	4	Chandran [19]	24.640	290.680	1166.280
		Ours	0.188	3.001	12.001
10	9	Chandran [19]	55.440	667.730	2627.010
		Ours	0.189	3.002	12.002
15	14	Chandran [19]	86.240	1038.680	4086.450
		Ours	0.190	3.003	12.003

compares the communication overhead of our QMP-PSI protocol with that of the protocol in [19] across varying numbers of participants and set sizes. As the implementation of [19] is not publicly accessible, the data presented are entirely derived from Table 5 of [19]. The comparison clearly demonstrates that our proposed protocol ${\Pi }_{QMP-PSI}$ achieves a substantial reduction in communication cost compared to the protocol in [19]. For instance, with 4 participants and a threshold of 3, the communication cost of ${\Pi }_{QMP-PSI}$ is approximately 90×, 70×, and 73× lower for set sizes of $2^{12}$, $2^{16}$, and $2^{18}$, respectively. The advantage of ${\Pi }_{QMP-PSI}$ becomes even more significant as the number of participants increases. For example, with 15 participants and a threshold of 14, the communication cost of ${\Pi }_{QMP-PSI}$ is approximately 454×, 346×, and 340× lower for set sizes of $2^{12}$, $2^{16}$, and $2^{18}$, respectively. Additionally, the communication cost of ${\Pi }_{QMP-PSI}$ increases more gradually with larger set sizes, as it is primarily dependent on the set size and only marginally influenced by the participant count. In contrast, the communication cost of the protocol in [19] escalates rapidly, highlighting the superior scalability and practicality of ${\Pi }_{QMP-PSI}$. In summary, ${\Pi }_{QMP-PSI}$ achieves remarkable improvements in communication efficiency, establishing itself as the most communication-efficient QMP-PSI protocol to date.

In Figure 11a, with the participant count fixed at 10 and the set size fixed at $2^{10}$, the running time overhead for different thresholds is analyzed. The computational overhead of the receiver and sender is relatively low, with the primary time consumption stemming from the cloud server’s key reconstruction, whose efficiency is influenced by the relationship between t and m. This observation aligns with the conclusions drawn in the previous analysis of the secret reconstruction phase. The figure also highlights the advantage of introducing a cloud server, as in real-world scenarios, participants typically use resource-constrained personal devices. If the key reconstruction were delegated to the receiver, the overall protocol overhead would increase significantly.

In Figure 11b, with the set size held constant at $2^{10}$ and the threshold set to $m-1$, the running time overhead is evaluated as the participant count grows. The sender’s computational cost remains independent of the number of participants or the threshold, being solely determined by the set size. The receiver’s time overhead, excluding the cloud server’s response time, comprises two phases, secret sharing and OPRF value computation, both of which are influenced by the set size and the participant count. As the participant count m rises, the number of combinations $\left({\displaystyle \genfrac{}{}{0pt}{}{m}{t}}\right)$ also increases, resulting in higher computational demands on the cloud server. For instance, when the participant count grows from 3 to 21, the cloud server’s running time escalates from 0.212 s to 3.843 s.

In Figure 11c, with the participant count fixed at 5 and the threshold set to 3, the running time is evaluated as the set size grows. When m and t remain constant, the computational overhead of the ${\Pi }_{\mathrm{QMP}-\mathrm{PSI}}$ protocol scales with the set size. The tOPRF implementation in this work relies on elliptic curves, and as the set size expands, the computational load for exponential operations also rises. For example, when the set size increases from $2^8$ to $2^{14}$, the cloud server’s running time escalates from 0.123 s to 7.052 s. Consequently, the ${\Pi }_{\mathrm{QMP}-\mathrm{PSI}}$ protocol is particularly well suited for scenarios involving set sizes smaller than $2^{10}$.

In Figure 11d, the communication overhead of the protocol is examined across different participant counts, thresholds, and set sizes. When the set size is held constant, variations in the participant count and threshold have a negligible effect on the communication overhead. This is largely due to the fact that an increase in the participant count only slightly raises the communication overhead of the corresponding OKVS objects, which remains unaffected by the threshold. For instance, with a set size of $2^{11}$, as the participant count rises from 5 to 10 and the threshold increases from 4 to 7, the protocol’s communication overhead increases by a mere $0.001$ MB.

In conclusion, the QMP-PSI protocol introduced in this study delivers rapid execution times and minimal communication overhead for set sizes below $2^{10}$ and participant counts up to 10. Moreover, when the threshold t is either small or approaches the participant count m, the protocol can accommodate a greater number of participants and larger set sizes.

7. Conclusions

This study introduces an innovative approach for developing an anonymous electronic voting system utilizing QMP-PSI. To overcome the constraints of current QMP-PSI protocols, such as their reliance on semi-honest security assumptions and their rapidly escalating protocol overhead with increasing participant numbers, we introduce a new cryptographic primitive, the P-OPPRF. By integrating the properties of the OPRF and partial OPRF, the P-OPPRF enables both enhanced security and improved efficiency. We are the first to develop a QMP-PSI protocol under the malicious security model capable of withstanding collusion attacks from up to $t-1$ parties. By delegating computationally intensive tasks to a cloud server, we substantially alleviate the computational load on voting participants in anonymous electronic voting systems. Experimental evaluations reveal that our QMP-PSI protocol achieves the minimal communication overhead compared to existing solutions, with the sender’s communication cost solely determined by the set size and statistical security parameters. Additionally, our protocol demonstrates superior performance for set sizes under $2^{10}$ and when the threshold t is either low or nearly equal to the participant count m. When applied to anonymous electronic voting in a small organization, our solution offers advantages, including ease of deployment, high communication efficiency, and computational efficiency.

In the future, we aim to further reduce the overhead of the key reconstruction phase by exploring elastic secret sharing to eliminate combinatorial operations during reconstruction. Additionally, we plan to extend our approach to over-threshold MP-PSI scenarios, broadening its applicability and impact.