Abstract

The problem of private set-intersection (PSI) has traditionally been treated as an instance of the more general problem of multi-party computation (MPC). Consequently, in order to argue the security of these protocols, or to compose them, one has to rely on the general theory that was developed for MPC. The pursuit of efficient protocols, however, has resulted in designs that exploit properties specific to PSI. In almost all practical applications where a PSI protocol is deployed, it is expected to be executed multiple times, possibly on related inputs. In this work we initiate a dedicated study of PSI in the multi-interaction (MI) setting. In this model a server sets up the common system parameters and executes set-intersection multiple times with potentially different clients. We discuss a few attacks that arise when protocols are naively composed in this manner and, accordingly, craft security definitions for the MI setting and study their inter-relation. Finally, we suggest a set of protocols that are MI-secure while being almost as efficient as their parent, stand-alone, protocols.

Highlights

  • The problem of private set-intersection (PSI) involves two parties, a client and a server, each having its private set

  • An honest-but-curious (HbC) adversary aims at learning additional information without deviating from the protocol specification, whereas a malicious party can arbitrarily deviate from the protocol specification

  • The protocol Ψ is derived from [32] and set in cyclic groups of prime order. We prove that it is MI-secure under the assumption that the gap Diffie-Hellman (GDH) problem is hard in these groups


Summary

Introduction

The problem of private set-intersection (PSI) involves two parties, a client and a server, each having its private set. Our interest in the problem of private set intersection stems from the realistic application scenarios where the PSI protocol is executed multiple times between a server and possibly different clients, likely on related inputs. Arguing server privacy of even some of the basic PSI protocols using the simulation-based definition becomes quite involved and lengthy (e.g., see [20]) — things are bound to get further complex in the multi-interaction setting. The focus of the current work is to investigate the problem of constructing efficient PSI in the realistic multi-interaction setting. In this context it is worth recalling the works on security definitions for two-party key exchange, where both SIM- and IND-based notions were used [6, 4, 12, 13].

Preliminaries
Server unlinkability
PSI in the multiple-interaction setting
Protocols
Conclusion
