Secure and efficient multiparty private set intersection cardinality

Abstract

<p style='text-indent:20px;'>In the field of privacy preserving protocols, Private Set Intersection (PSI) plays an important role. In most of the cases, PSI allows two parties to securely determine the intersection of their private input sets, and no other information. In this paper, employing a Bloom filter, we propose a Multiparty Private Set Intersection Cardinality (MPSI-CA), where the number of participants in PSI is not limited to two. The security of our scheme is achieved in the standard model under the Decisional Diffie-Hellman (DDH) assumption against semi-honest adversaries. Our scheme is flexible in the sense that set size of one participant is independent from that of the others. We consider the number of modular exponentiations in order to determine computational complexity. In our construction, communication and computation overheads of each participant is <inline-formula><tex-math id="M1">\begin{document}$ O(v_{\sf max}k) $\end{document}</tex-math></inline-formula> except that the complexity of the designated party is <inline-formula><tex-math id="M2">\begin{document}$ O(v_1) $\end{document}</tex-math></inline-formula>, where <inline-formula><tex-math id="M3">\begin{document}$ v_{\sf max} $\end{document}</tex-math></inline-formula> is the maximum set size, <inline-formula><tex-math id="M4">\begin{document}$ v_1 $\end{document}</tex-math></inline-formula> denotes the set size of the designated party and <inline-formula><tex-math id="M5">\begin{document}$ k $\end{document}</tex-math></inline-formula> is a security parameter. Particularly, our MSPI-CA is the <i>first</i> that incurs <i>linear</i> complexity in terms of set size, namely <inline-formula><tex-math id="M6">\begin{document}$ O(nv_{\sf max}k) $\end{document}</tex-math></inline-formula>, where <inline-formula><tex-math id="M7">\begin{document}$ n $\end{document}</tex-math></inline-formula> is the number of participants. Further, we extend our MPSI-CA to MPSI retaining all the security attributes and other properties. As far as we are aware of, there is no other MPSI so far where individual computational cost of each participant is independent of the number of participants. Unlike MPSI-CA, our MPSI does not require any kind of broadcast channel as it uses star network topology in the sense that a designated party communicates with everyone else.