Linear Complexity Private Set Intersection for Secure Two-Party Protocols

Abstract

In this paper, we propose a new private set intersection (PSI) protocol with bi-oblivious data transfer that computes the following functionality. The two parties (\(P_1\) and \(P_2\)) input two sets of items (X and Y, respectively) and one of the parties (\(P_2\)) outputs \(f_i(b_i)\) for each \(y_i \in Y\), where \(b_i\) is 0 or 1 depending on the truth value of \(y_i {\mathop {\in }\limits ^{?}} X\) and \(f_i\) is defined by the other party (\(P_1\)) as taking 1-bit input and outputting the party’s (\(P_1\)’s) data to be transferred. This functionality is generally required when the PSI protocol is used as a part of a larger secure two-party secure computation such as threshold PSI or any function of the whole intersecting set in general. Pinkas et al. presented a PSI protocol at Eurocrypt 2019 for this functionality, which has linear complexity only in communication. While there are PSI protocols with linear computation and communication complexities in the classical PSI setting where the intersection itself is revealed to one party, to the best of our knowledge, there is no PSI protocol, which outputs a function of the membership results and satisfies linear complexity in both communication and computation. We present the first PSI protocol that outputs only a function of the membership results with linear communication and computation complexities. While creating the protocol, as a side contribution, we provide a one-time batch oblivious programmable pseudo-random function based on garbled Bloom filters. We also implemented our protocol and provide performance results.