Keywords

1 Introduction

Secure multi-party computation (MPC) has been the focus of an extensive amount of scientific works over the last few decades. It deals with the general problem of enabling a group of distrustful parties to jointly compute a function of their private inputs without revealing anything but the result. Due to the considerable progress in making the MPC protocols more and more efficient, they have become truly practical and therefore found much more applications in recent years.

Private set intersection (PSI) is one of the important and well-studied MPC protocols which allows a set of parties, each holding an input set, to compute their intersection without leaking any other information beyond their intersection. There exist many privacy-preserving potential applications for PSI such as advertising conversion [Mia+20], private contact discovery [Kal+19, Dem+18], and more. Recently and due to the spread of the COVID-19 pandemic, there has been an interdisciplinary quest to develop private contact tracing systems to contain the outbreak. In this case, PSI also plays a crucial role in building privacy-preserving solutions [DPT20, Dit+20].

During the last decade or so, many research-oriented works have been dedicated to proposing efficient constructions for the PSI functionality. In general, there are two main approaches to the design of these constructions. The first is using generic circuit-based protocols that deal with the computation of logical or arithmetic circuits by parties [HEK12, Pin+18, Pin+19b]. Although circuit-based protocols often yield computationally efficient constructions and are flexible to be adapted for different variants of PSI functionality, having high communication complexity for the PSI problem which requires the evaluation of large circuits is a big hurdle in making them to be practically useful. It should be remarked that it is now widely believed that communication and not computation, is the principal bottleneck in MPC protocols like PSI [Ash+13, Hal18]. Another approach is related to special purpose protocols that mainly rely on cryptographic primitives and various assumptions. Since this type of PSI protocols can achieve better performance compared to the previous one, it has gained significant attention among researchers.

Loosely speaking, existing special purpose PSI protocols can be categorized in the following way. PSI protocols built from oblivious polynomial evaluation [FNP04, HV17, Haz18, GS19], hard cryptographic assumptions [DT10, DT12], and oblivious transfer (OT) and hashing structures [Kol+16, Pin+20, CM20]. There has also been a branch of works on server-aided setting [KMS20, ATD20]. Since the OT-based PSI protocols achieve a good balance between communication and computation costs and indeed mainly benefit from cheap cryptographic tools, are often regarded as the fastest concretely efficient solutions in which by this term we refer to those constructions which do not use computationally too expensive tasks like polynomial evaluation and interpolation or vast public-key operations (see [PSZ18] for an overview on different PSI settings).Footnote 1

Notice that a large body of literature on two-party OT-based PSI uses a primitive named oblivious pseudorandom function (OPRF) which is often instantiated efficiently by means of symmetric-key techniques. Particularly, the recent work of Chase and Miao [CM20] aims to investigate the trade-offs between communication and computation costs and enjoy the best of both worlds. By introducing an interesting lightweight multi-point OPRF protocol, they propose a highly efficient semi-honest secure two-party PSI protocol that assuming random oracle model its security can be enhanced to one-sided malicious security. The idea of considering a multi-point OPRF construction instead of the common single-point version results in decreasing the communication complexity of the protocol by a constant factor due to the fact that evaluation of each element in the set will be required only for once.

Multi-party PSI. While two-party setting encompasses the majority of existing works, multi-party PSI has not attracted that much attention in the literature. This might account for the fact that there is a seemingly inevitable need to have interactions among parties which incurs an extreme communication cost to the protocol and hence makes it practically infeasible. More recently, however, few works including [Kol+17, HV17, IOP18, GN19] have come up with asymptotically efficient constructions for multi-party PSI in different security models. Regardless of the tools and primitives used, the core idea underlying all these constructions is considering a designated party who individually interacts with all other parties throughout the protocol execution (i.e., star topology network). This attitude towards multi-party PSI protocol appears to be useful since it results in a reduction in intermediate exchanges between parties but has the weakness of putting a high workload on the designated party which may be very problematic in practical scenarios. Very recently, the approaches of [Kol+17, IOP18], which led to concretely efficient constructions are extended by [Efr+21] in a maliciously secure model.

Additional Related Work. The authors in [DCW13] present a two-party OT-based PSI protocol using a variant of Bloom filter called garbled Bloom filter. [RR16] follows the approach of the aforementioned protocol and presents a maliciously secure protocol employing the cut-and-choose technique. A few constructions like [Yin+20, Bud+20] concentrate on some variants of PSI in which they study the problem of performing different sets of computations on the intersection. There are also a few works on threshold PSI such as [ZC18, GS19, Bad+20, BDP20]. In [ZC18], authors introduce a protocol based on oblivious polynomial evaluation for threshold PSI. The exciting work of [GS19] demonstrates a lower bound on the communication complexity of two-party threshold PSI. The most recent work of [Bad+20] takes this a stage further and extends the results to the multi-party setting.

1.1 Our Contribution

We study the problem of PSI in the case that there are more than two parties involved in the execution of the protocol, namely multi-party PSI. When practicality comes into play, most of the current protocols on multi-party PSI fail to meet the need because of suffering from either high communication or computational overhead for the considerable number of participating parties or the large set sizes. In this work, we aim to present a concretely efficient multi-party PSI protocol following the idea of [CM20] in employing an efficient multi-point OPRF construction that through leading to a better balance between communication and computation costs causes [CM20] to be the fastest two-party PSI in moderate bandwidth compared to the state-of-the-art protocols.

Our protocol leverages a combination of so-called star and path communication graphs which in the former, a designated party as the sender runs OTs with all other parties, and in the latter, each party only sends a garbled Bloom filter to his adjacent party in the direction of the last party. In light of this design, the construction can be very scalable since the communication and computation complexities of each party (except the designated party) only depend on his own input set size and not on the number of parties involved in the protocol. So, while the designated party has the asymptotic complexity of \(O(tn\lambda )\) which linearly scales with the number of parties t, the complexity of each other party is \(O(n\lambda k)\) where n is the party’s set size, k is the number of hash functions (used in garbled Bloom filter), and \(\lambda \) is the security parameter. Also, thanks to this fusion of star and path communication graphs, instead of having a designated party with significantly high communication overhead compared to others, the distribution of cost is rather fair with respect to the number of parties t and the number of hash functions k and therefore this prevents the designated party from taking a lot of bandwidth. We consider semi-honest security and prove the security of our protocol in this model.

2 Preliminaries

2.1 Notation

Throughout this paper, we consider t parties \(P_1, \dotsc , P_t\) who each owns an input set \(X_1,\dotsc , X_t\), respectively. We may refer to \(P_t\) as the leader and all the other parties as clients. \(\lambda \) and \(\sigma \) are used to denote the computational and statistical security parameters which the former deals with the hardness of problems in the face of computationally bounded adversaries and the latter is concerned with the attacks that may occur during protocol interactions. [n] concisely shows a set of n items \(\{1, \dotsc , n\}\). By v[i], we refer to the i-th element of the vector v. In an \(n \times m\) matrix M, the i-th column is denoted as \(M_i\) where \(i\in [m]\). \(\Vert x\Vert \) denotes the hamming weight of a string x. We consider negl(\(\lambda \)) as a negligible function that proceeds asymptotically towards zero faster than any inverse polynomial for appropriately large inputs. Finally, we use \(s\xleftarrow []{R}S\) to show that s is sampled uniformly at random from S.

2.2 Secret Sharing Scheme

Secret sharing [Sha79] is one of the pivotal tools in cryptography which has numerous applications in constructing secure computation protocols. In an (tn) secret sharing scheme, a secret s is distributed among n parties in a way that by having up to \(t-1\) shares no information about the secret is revealed. The simplest form of an (nn) secret sharing scheme can be achieved by means of bitwise-XOR operation. In fact, one chooses \(n-1\) random strings \((v_1,\dotsc , v_n-1)\), and then selects the last share by computing \(v_n = s \oplus v_1 \oplus \dotsc \oplus v_n-1\). This scheme has perfect security and for reconstructing the secret s having all shares are required.

2.3 Bloom Filter

Bloom filter (BF) [Blo70] is a probabilistic compact data structure which is used as a tool for efficient set membership checking. It randomly maps a set X containing n items to a binary array of size M, where every single element is mapped to a different subset of indices in the array. Bloom filter includes k independent uniform hash functions \(H =\{h_1, \dotsc , h_k\}\) that \(h_i : \{0,1\}^* \rightarrow \ [M]\). At first, all bits in the array are set to zero. To insert each element \(x \in X\), one sets \(BF[h_i(x)]=1\) for all \(i\in [k]\). To see whether the set X consists of an element \(x'\), one simply needs to check all the \(BF[h_i(x')]\) are equal to one. Even if one of the corresponding bits in the array be equal to zero, then it can be concluded that the element \(x'\) is not in the set. On the other hand, if all of the corresponding bits in the array are equal to one, then \(x'\) is in the set but for a determined false-positive probability \(\epsilon \). The computed upper bound on \(\epsilon \) is given by \( p^k(1+ O(\frac{k}{p}\sqrt{\frac{\ln M - k\ln p}{M}}))\) where \(p=1-(1-\frac{1}{M})^{nk}\). It is shown in [DCW13] that the optimal values to accomplish the best performance are \(k = \frac{M}{n}\ln 2\) and \(M \ge n\log _2(e).\log _2(\frac{1}{\epsilon })\).

Garbled Bloom Filter. A different version of BF was introduced in [DCW13] which is called garbled Bloom Filter (GBF). To give a concise description of GBF, we can refer to it as an extended Bloom filter that instead of having an array consisting of single bits, it is an array consisting of bit strings where the length of the bit string is determined by security parameter. Like BF, insertion is done in GBF by computing the hash functions for each input element x with regard to a set of uniform hash functions \(H =\{h_1,\dotsc , h_k\}\), but instead of dealing with just single bits, some randomly chosen shares of x are placed in those indices corresponded to x subject to the constraint that \(\bigoplus _{i=1}^{k} GBF[h_i(x)]=x\). Garbled property of GBF makes it computationally impossible to know whether a given element x is in the set, unless one queries GBF on all the indices related to x. In this manner, the false-positive probability in GBF is equal to \(2^{-\lambda }\).

2.4 Oblivious Transfer

A foundational cryptographic primitive used as a building block in many secure computation protocols is oblivious transfer (OT) [Rab05] whose functionality is presented in Fig. 1. In an 1-out-of-2 OT, there exist a sender and a receiver, where the sender has two strings \((x_0, x_1)\) and the receiver has a choice bit c as their inputs, respectively. After the execution of OT, the sender learns nothing and the receiver learns \(x_c\) without obtaining any information about \(x_{1-c}\). As shown in [IR89], it cannot be possible to do OT without relying on public-key operations. Thus, this was considered as the main constraint when it comes to doing a great number of OTs which is a typical task in PSI protocols. However, [Ish+03] proposed a method called OT extension which makes it possible to do an extensive number of OTs while using only a limited number of public-key operations for initial OTs (known as base-OTs). Also, some variants of OT are available. Random OT (ROT) refers to a setting in which the sender and receiver do not choose their inputs and they are chosen by the functionality itself. By using ROT, the protocol can be performed with much less communication overhead compared to OT.

Fig. 1.
figure 1

The functionality of oblivious transfer (\( \mathcal {F}_{OT} \))

Full size image

2.5 Security Model

Definition 1

\((Computational Indistinguishably) \) Let \(X=\{X(\lambda )\}_{\lambda \in N}\) and \(Y=\{Y(\lambda )\}_{\lambda \in N}\) be two probability distribution ensembles, we say that X and Y are computationally indistinguishable, denoted as \(X \approx Y\), if for every probabilistic polynomial time (PPT) algorithm D, there exists a negligible function negl(\(\lambda \)) such that for all sufficiently large \(\lambda \)

\(|Pr[D(\lambda , X(\lambda ))] - Pr[D(\lambda , Y(\lambda ))]|\le negl(\lambda ) .\)

Our protocol is secure against semi-honest adversaries who follow the protocol as specified but try to obtain more information than what is allowed. Note that we assume the leader does not collude with any client. This assumption is widely used in the literature [Aba+17, Zha+19]. Having this in mind, our protocol can tolerate up to \(t-1\) corruptions.

The security of an MPC protocol is typically proven respecting real/ideal simulation paradigm. That is, a protocol is considered to be secure if the real execution of the protocol \(\varPi \) computationally looks like the ideal execution of the protocol \(\mathcal {F}\). To put in another way, imagine an ideal world where there exists a fully trusted entity that parties can privately send their inputs to and then it computes the result and returns it back to the parties. Surely, this ideal world execution captures all the required security we want. So, if we somehow show that for any real world adversary, the real and ideal execution of the protocol are computationally indistinguishable, then we can deduce the protocol \(\varPi \) is secure. Here, we give the formal definition of real/ideal simulation paradigm for two-party protocol introduced in [Gol04].

Definition 2

\((Semi-Honest Security) \) Let denote \(P_{i}\)’s view in the real execution of the protocol \(\varPi \) as \(view_{i}^{\varPi }(X_1,X_2)\) for \(i \in [2]\). \(\mathcal {F}_{i}(X_1,X_2)\) denotes the output of ideal functionality for \(P_i\). The protocol \(\varPi \) securely realizes the ideal functionality \(\mathcal {F}\) in the presence of static semi-honest adversaries if there exist PPT simulators \(\mathcal {S}_1\) and \(\mathcal {S}_2\) for all inputs such that

\(\{\mathcal {S}_1(\lambda , X_1, \mathcal {F}_{1}{(X_1,X_2))}\} \approx \{view_{1}^{\varPi }(X_1,X_2)) \}\),

\(\{\mathcal {S}_2(\lambda , X_2, \mathcal {F}_{2}{(X_1,X_2))}\} \approx \{view_{2}^{\varPi }(X_1,X_2)) \}\).

2.6 Hamming Correlation Robustness

The security of some protocols can be proven using a weaker assumption than random oracle model which is called correlation robustness [KK13, Pin+19a, CM20]. In this paper we use the definition presented in [Pin+19a, CM20] to prove the security of our protocol.

Definition 3

\((Hamming Correlation Robustness) \) Let H be a hash function with the input length n. Then H is d-Hamming correlation robust if, for any \(a_1,\dotsc , a_m,b_1,\dotsc , b_m \in \{0,1\}^n \) with \(\Vert b_i\Vert \ge d=\lambda \) for each \(i \in [m]\), the following distribution, induced by random sampling of \(s \xleftarrow {R} \{0,1\}^n,\) is pseudorandom.

\(H(a_1 \oplus [b_1 \cdot s]),\dotsc , H(a_m \oplus [b_m \cdot s])\),

where \(\cdot \) denotes bitwise-AND.

2.7 PSI from OPRF

An oblivious pseudorandom function (OPRF) is a secure two-party computation protocol which was introduced in [Fre+05]. In an OPRF protocol, the sender inputs a random PRF key K and the receiver inputs a single input x. By the end of the protocol, the sender learns nothing and the receiver learns the evaluation of the OPRF functionality on his input.

There are several works on two-party PSI protocol which use single-point OPRF construction [Pin+15, Kol+16]. At a high level, the general structure of these protocols is as follows. Firstly, the sender (\(P_1\)) and the receiver (\(P_2\)) run the OPRF protocol that at the end \(P_1\) obtains a random key K and \(P_2\) obtains the outcome of the functionality on his input OPRF\(_K(x_{1}^{2})\). They run the protocol for all items in the receiver’s set \(x_{1}^{2},\dotsc , x_{n_2}^{2} \in X_2\). As a result, the sender learns a set of random keys and the receiver learns a set of OPRF values. Then, \(P_1\) evaluates OPRF functionality on his set of inputs \(x_{1}^{1},\dotsc , x_{n_1}^{1} \in X_1\) and sends the resulting values to \(P_2\). We should note that in these protocols parties often use a Cuckoo hashing construction [PR04] to map every single of their elements to a separate bin and it is also assumed parties’ sets have the same size \(n_1 = n_2 = n\). Finally and by comparing the received values and his OPRFs, \(P_2\) can determine the intersection.

From Single-Point to Multi-point OPRF. In [Kol+16], a hash function (which is modeled as a random oracle) is considered an OPRF whose keys are in fact parts of its input argument. Pinkas et al. in [Pin+19a] proposed a PSI protocol based on multi-point OPRF construction in which it enables parties to instead of having to evaluate n instances of OPRF protocol, do it in a way that computing OPRF values requires far less communication cost, i.e., they no longer need to use Cuckoo hashing and perform several OPRFs for every single hash bin, so each element is only evaluated once. But, multi-point OPRF of [Pin+19a] incurs a high computational overhead compared to the single-point version of [Kol+16], since it needs to evaluate and interpolate a high-degree polynomial over a large field which obviously causes much more cost than just using symmetric primitives and bitwise operations as in [Kol+16].

Efficient Multi-point OPRF. To provide a more reasonable balance between communication and computation costs, Chase and Miao [CM20] introduced a two-party PSI protocol using a lightweight multi-point OPRF where oblivious transfer protocol is the only heavy cryptographic operation needed that also itself can be performed efficiently using OT extension. To perform the multi-point OPRF, a random seed of length w is picked by the sender, \(s\xleftarrow []{R}\{0,1\}^w\), and the receiver constructs two \(m \times w\) matrices of A and B where the entries of the former are selected randomly from \(\{0,1\}\) and those of the latter are determined by evaluating a pseudorandom function with the output length of \(w\cdot \log m\) on each element of the receiver’s set, \(v = F_K(x_{i}^{2})\). The matrix B is formed such that for every \(x^{2}_{i} \in X_2\), the corresponding bits in two matrices are the same while other bits differ. After running w OTs between parties, the sender who acts as a receiver obtains an \(m \times w\) matrix C that each of its columns is either \(A_i\) or \(B_i\) for all \(i \in [w]\) depending on the chosen seed s. Then, the sender evaluates the PRF on each of his input elements \(x^{1}_{i}\in X_1\) as \(v = F_K(x^{1}_{i})\) and computes the OPRF value \(\psi = H(C_1[v[1]]\parallel \dotsc \parallel C_w[v[w]])\) and sends all the resulting OPRFs to the receiver. Ultimately, the receiver computes the OPRF values of his input elements and finds the intersection of the two sets. Notice that if a sender’s element be in the intersection, \(x^{1}_{i}\in X_2\), its corresponding input to the OPRF is equal to one of the receiver’s element input to the OPRF, otherwise the inputs to OPRF are different with overwhelming probability.

3 Our Multi-party PSI Protocol

3.1 An Overview

In this section we introduce our proposed multi-party PSI protocol. As mentioned earlier, there is a group of parties \(P_{1},\dotsc , P_{t} \) with their private input sets \(X_{1},\dotsc , X_{t}\), respectively, who want to jointly compute their set intersection \(X_{1} \cap \dotsc \cap X_{t}\) without leaking any other private information relating to either individual or a proper subset of parties. As in many other multi-party protocols, we consider \(P_t\) as the party who learns the intersection at the end of the protocol. The functionality of multi-party PSI is defined in Fig. 2. We use the lightweight multi-point OPRF construction introduced in [CM20] to build an efficient and scalable multi-party PSI. The full description of our protocol which constitutes several steps is presented in Fig. 3.

Fig. 2.
figure 2

The functionality of multi-party private set intersection (\( \mathcal {F}_\mathrm {MPSI} \))

Full size image

Generally speaking, the protocol works as follows. At first, \(P_t\) constructs a random \(m \times w\) matrix A. In fact, to generate the i-th column of matrix A, \(P_t\) chooses \(t-1\) strings of length m uniformly at random and sets \(A_i = A_{i}^{1} \oplus \dotsc \oplus A_{i}^{t-1}\). In addition, for each \(j \in [t-1]\), party \(P_t\) generates the matrix \(B^j\) from the matrix \(A^j\) by computing a pseudorandom function \(F_K(\cdot )\) on all of his input elements and sets \(B = B^{1} \oplus \dotsc \oplus B^{t-1}\). After running w OTs between \(P_t\) as the sender and each \(\{P_j\}_{j\in [t-1]}\) as the receiver, every \(P_j\) ends up with a matrix \(C^{j}\) which its column vectors are just m-bit random strings. Then, each party locally constructs a garbled Bloom filter of his input set \(GBF_j\) using the entries of the received matrix. Afterwards, \(P_1\) sends \(GBF_1\) to \(P_2\) that upon getting it, he XORs \(GBF_1\) with \(GBF_2\) and sends the resulting GBF to the next party. This process continues until \(P_{t-1}\) computes the cumulative GBF and also OPRF values and then sends the OPRFs to the \(P_t\) to allow him to find the intersection.

Fig. 3.
figure 3

Our multi-party private set intersection protocol (\( \varPi _\mathrm {MPSI} \))

Full size image

Remark 1

We can consider an upper bound N on each party’s input set size. Meaning, parties \(P_{1},\dotsc , P_{t} \) can have different input set sizes up to N. In this way, parties’ exact set sizes would not be revealed during the execution of the protocol.

Remark 2

We assume that clients are connected by secure channels, i.e., party \(P_t\) is not able to learn useful information by observing communication between \(P_{1},\dotsc , P_{t-1} \). We stress that deploying such point-to-point channels is cheap and does not impose that much cost.

3.2 Protocol Correctness

Regarding the particular form of matrices \(A^j\) and \(B^j\) constructed by \(P_t\), for each \(x^t \in X_t\), let \(v = F_K(H_1(x^t))\), it holds that \(A_{i}^{j}[v[i]] = B_{i}^{j}[v[i]]\) for all \(i \in [w]\). Let x be an element which is in the intersection, i.e., it exists in all the parties’ input sets. Since \(P_t\) inputs uniformly random shares of each column of matrix A (using XOR secret sharing scheme) while performing OTs with clients, for each \(x \in I\) it holds that \(A_{i}[v[i]] = \bigoplus _{j=1}^{t-1} C_{i}^{j}[v[i]]\), for all \(i \in [w]\). Therefore, regardless of what random string \(s_j\) is chosen by the client \(P_j\), XORing the strings at all coordinates corresponded to x in \(GBF^{*}\) by \(P_{t-1}\) (Step 8) results in a string which is the same as one of the \(P_t\)’s elements input to the hash function \(H_2\). The correctness of the protocol is satisfied with all but negligible probability of a false-positive occurring.

3.3 Protocol Security

Security Analysis. In the protocol, \(P_t\) runs OTs independently with each client using randomly chosen shares of columns of the matrix A that itself is a random matrix sampled by \(P_t\). So, each matrix \(C^{j}\) formed by the \(P_j\) contains independent uniform strings as its columns. As a result, concerning the way each party computes his garbled Bloom filter (Step 7), receiving the GBF of \(P_i\) by \(P_j\) for any \(i, j \in [t-1]\) leaks no useful information about \(P_i\)’s input set. Also, by suitable choice of the parameters mw (as will be discussed later) and indeed security properties of GBF, for any item in the \(P_{t-1}\)’s input set which is not in the intersection I, the corresponding OPRF value is pseudorandom to \(P_t\). Thus, \(P_t\) is only able to obtain intersection over all parties’ input sets and learns nothing about partial set intersection (i.e., elements which exist in some but not all parties’ input sets).

The Parameters mw. Choosing m and w plays an important role in providing the security of the protocol. The mentioned parameters should be selected in a way that for any common element in clients’ sets which is not in the intersection (i.e., \(x \in I \backslash X_{t} \)), its OPRF value must be pseudorandom to \(P_t\). In view of this, we need to make sure that if F is a random function and \(H_1\) is a collision resistant hash function then for all \(i \in [w]\), there exist at least \(\lambda \) flipped bits in the positions \(B_{i}[v[i]]\), where \(v = F_K(H_1(x))\). This is essentially because of fulfilling the correlation robustness property of \(H_2\), and consequently preventing brute force searches by \(P_t\). It should also be noted that for any \(P_{t-1}\)’s element which is not in client’s intersection, its OPRF value is pseudorandom to \(P_t\) due to the obliviousness property of garbled Bloom filter.

Since the input to \(F_K(\cdot )\) is different for every \(x^t \in X_t\), the probability that any bit in each column of matrix B is flipped equals \(p = (1-\frac{1}{m})^{n_{t}}\). Thus, for any \(x \in I \backslash X_{t}\), the number of flipped bits in \(B_{1}[v[1]], \dotsc , B_{w}[v[w]]\) has a binomial distribution, which the probability of having d flips is equal to

$$ \left( {\begin{array}{c}w\\ d\end{array}}\right) p^{d}(1-p)^{w-d}. $$

So, by fixing m we can determine the proper value for w using the union bound as follows

$$ N\cdot \sum _{d=0}^{\lambda -1}\left( {\begin{array}{c}w\\ d\end{array}}\right) p^{d}(1-p)^{w-d} \le negl(\sigma ). $$

It is also worth mentioning that the parameter \(l_2\) which is the output length of \(H_2\) needs to be chosen such that the probability of having collision in PSI protocol (Step 9) be negligible. In a similar way to [Pin+19a, CM20], it can be calculated as \(l_{2} = \sigma + 2\log (N)\) for the semi-honest model.

Security Proof. In this part, we formally prove the security of our proposed multi-party protocol based on the notion of real/ideal simulation paradigm in the semi-honest model. Note that we consider two cases for corruption, in one case adversary corrupts a subset of clients and in the other case only leader is corrupted.

Theorem 1

Assume that F is a pseudorandom function, \(H_1\) is a collision resistant hash function, and \(H_2\) is a d-Hamming robust hash function, then protocol \(\varPi _\mathrm {MPSI}\) (Fig. 3) securely realizes the functionality \(\mathcal {F}_\mathrm {MPSI}\) (Fig. 2) in the presence of semi-honest adversaries for proper choice of parameters as discussed.

Proof

(\(P_t\) is not corrupted) We show that there exists a PPT simulator \(\mathcal {S}_Z\) that given corrupted parties’ inputs can generate simulated views which are computationally indistinguishable from joint distribution of corrupted parties’ views in the real execution of the protocol. Let us consider a subset \(\mathcal {Z}\) of parties \(P_{1}, \dotsc , P_{t-1}\) is corrupted by the adversary. Given \(\{X_j\}_{j\in Z}\), the simulator \(\mathcal {S}_{Z}\) honestly chooses random strings \(\{s_j\}_{j \in Z}\) and random matrices \(\{C^j\}_{j \in Z} \in \{0,1\}^{m \times w}\). Then, \(\mathcal {S}_{Z}\) runs OT simulator in order to simulate the view of each corrupted party \(P_j \in Z\) as the receiver with respect to the inputs \(s_j[1], \dotsc , s_j[w]\) and outputs \(C^{j}_{1},\dotsc , C^{j}_{w}\). Moreover, \(\mathcal {S}_{Z}\) sends a randomly picked PRF key to the corrupted parties. Knowing the description of garbled Bloom filter, the simulator also constructs random garbled Bloom filters on behalf of the honest parties from its randomness.

We now argue that \(\mathcal {S}_{Z}(\lambda , \{X_j\}_{j\in Z}, \bot ) \approx view_{Z}^{\varPi }(\lambda , X_1, \dotsc , X_t) \). To do so, we use a sequence of hybrid distributions in which each two adjacent distributions are computationally indistinguishable and thanks to the transitive property, it can be concluded that the two desired distributions are also computationally indistinguishable.

Hybrid\(_{0}\) : The view of corrupted parties \(\{P_j\}_{j\in Z}\) in the real execution of the protocol.

Hybrid\(_{1}\) : The same as Hybrid\(_{0}\), except, \(\mathcal {S}_{Z}\) instead of \(P_t\) does the following for every corrupt \(P_j\). That is, if \(s_{j}[i] = 0\), it randomly chooses an m-bit string \(A^{j}_{i}\) and does the same as in Step 3 to construct each corresponding column of matrix \(B^j\); on the other hand, if \(s_j[i] = 1\), it randomly picks an m-bit string \(B^j_{i}\) and computes \(A^{j}_{i}\) by flipping corresponding bits as mentioned in Step 3. So, this argument is essentially identical to Hybrid\(_{0}\).

Hybrid\(_{2}\) : The same as previous hybrid, except, \(\mathcal {S}_{Z}\) computes a garbled Bloom filter on behalf of each honest client (i.e., party \(P_j \notin Z\)) using its own randomness. Note that the indistinguishably of this hybrid and Hybrid\(_{1}\) stems from using XOR secret sharing scheme by \(P_t\) for his inputs to the OTs and also the special way the garbled Bloom filters are constructed.

Hybrid\(_{3}\): The simulated view of \(\mathcal {S}_Z\). Due to the security properties of OT protocol and garbled Bloom filter, this hybrid is computationally indistinguishable from Hybrid\(_{2}\).

Proof

(\(P_t\) is corrupted) We show that there exists a PPT simulator \(\mathcal {S}_t\) that given \(P_t\)’s input and output can generate a simulated view which is computationally indistinguishable from \(P_t\)’s view in the real execution of the protocol. The simulator can be considered as follows. \(\mathcal {S}_t\) first receives \(P_t\)’s input set \(X_t\), \(P_{t-1}\)’s set size \(n_{t-1}\), and the intersection I. Running the OT simulator, \(\mathcal {S}_t\) simulates \(P_t\)’s view as the sender by honestly constructing matrices \(A^j\) and \(B^j\) for all \(i \in [t-1]\). Moreover, for any \(x\in I\), it computes \( \psi = H_{2}(A_{1}[v[1]] \parallel \dotsc \parallel A_{w}[v[w]])\), where \(v = F_K(H_1(x))\). Let \({\Psi _\mathcal {I}}\) denote this set of OPRF values. It also picks a set of size \(n_{t-1}\) - |I| containing \(l_2\)-bit random strings. Let us denote this set by \({\Psi _\mathcal {R}}\). Then, simulator sends \({\Psi _\mathcal {I}} \cup {\Psi _\mathcal {R}}\) to \(P_t\). Eventually, \(\mathcal {S}_t\) outputs \(P_t\)’ simulated view as \(\mathcal {S}_t(\lambda , X_t, n_{t-1}, I)\).

We now argue that \(\mathcal {S}_t(\lambda , X_t, n_{t-1}, I) \approx view_{t}^{\varPi }(\lambda , X_1, \dotsc , X_t) \) by using a multi-step hybrid argument.

Hybrid\(_{0}\): The view of \(P_t\) in the real execution of the protocol.

Hybrid\(_{1}\): The same as Hybrid\(_{0}\), except, the protocol terminates if there is any \(x^{i}, x^{j} \in X_1\cup X_2 \cup \dotsc \cup X_t\), \(x^{i} \ne x^{j}\) that \(H_1(x^i) = H_1(x^j)\). The probability of termination is negligible by collision resistance property of \(H_1\).

Hybrid\(_{2}\): The same as Hybrid\(_{1}\), except, the protocol also terminates if there is any \(x \in I\ X_t\) that for all \(i \in [w]\) the number of flipped bits in \(B_{i}[v[i]]\), where \(v = F_K(H_1(x))\), be fewer than the security parameter \(\lambda \). As discussed earlier, the parameters m and w must be chosen such that the probability of termination be negligible.

Hybrid\(_{3}\): The same as Hybrid\(_{2}\), except, \(\mathcal {S}_t\) runs the OT simulator with honestly selected inputs \(\{A_{i}^{j}, B_i^j \}\) to simulate the view of \(P_t\) as the sender. On account of the security properties of OT protocol, this hybrid is computationally indistinguishable from Hybrid\(_{2}\).

Hybrid\(_{4}\): The same as Hybrid\(_{3}\), except, the OPRF values sent from \(P_{t-1}\) are replaced with \(l_2\)-bit random strings for all \(x \in I\backslash X_t\). Regarding correlation robustness property of the hash function \(H_2\), it can be shown that this hybrid is computationally indistinguishable from the previous one. More specifically, for all \(i \in [w]\), let \(a_i\) equals the concatenation of bits \(A_{i}[v[i]]\) and also \(b_i\) equals the concatenation of bits \(B_{i}[v[i]]\), where \(v= F_K(H_{1}(x))\). In Step 8, the hash function \(H_2\) takes the concatenation of bits \(\bigoplus _{j=1}^{t-1} C_{i}^{j}[v[i]]\) as its input which is equivalent to \(a_i \oplus [(a_i \oplus b_i) \cdot s]\). Since we know that \(\Vert a_i \oplus b_i\Vert \ge \lambda \) and also s is a random string unknown to \(P_t\), thanks to the correlation robustness property of \(H_2\), the OPRF value sent to \(P_2\) is pseudorandom.

Hybrid\(_5\): The same as Hybrid\(_{4}\), except, the protocol does not terminate. This hybrid is \(P_t\)’s view simulated by \(\mathcal {S}_t\). Indeed, what described above simply implies indistinguishably of this hybrid and Hybrid\(_{4}\).

Remark 1. It is important to mention that the two-party PSI protocol of [CM20] guarantees one-sided malicious security (i.e., against a malicious sender) in the random oracle model. We believe using the same assumption our protocol can also provide security against malicious clients.

4 Complexity Analysis

4.1 Asymptotic Complexity

Now, we analyze the asymptotic complexity of our multi-party PSI protocol. We should highlight the fact that the protocol is concretely efficient since it only relies on cheap tools including oblivious transfer extension, hashing, and bitwise operations. Without loss of generality, we consider n as the set size for all parties.Footnote 2 Also, as in [CM20], we set \(m = n\). So, by fixing m and n in our complexity analysis w can be regarded as a value depending on \(\lambda \) (Sect. 3.3).

Recall that we denote party \(P_t\) as the leader who takes the main overhead of the protocol and other parties as the clients. In terms of the asymptotic complexity of our protocol, \(P_t\) first constructs specially formed matrices \(A^j\) and \(B^j\) which preparing them takes him linear complexity in n. He then as the sender independently runs w OTs with each client which leads to linear communication and computation complexities in the number of OTs. Apart from running OTs, parties just do hashing and bitwise-XOR operation which regarding the optimal parameters for garbled Bloom filter (as discussed in Sect. 2.3), they incur linear complexity in both communication and computation. As shown in [CM20] for the case of two-party, it is possible to use random OT in our multi-party PSI protocol which causes the communication overhead from the leader to the clients to be dramatically decreased. We refer the reader to [CM20] to see how random OT can be used in the protocol. Thus, taking this into account and also concerning the optimized semi-honest OT extension of [Ash+13], the total amount of bits exchanged between parties are summarized in Table 1.

Table 1. Bits sent for leader and clients. Note that we do not consider the initial base-OTs which can be done ahead of time. Also, optimal parameters are considered for garbled Bloom filter.
Full size table

Remark 1. Our protocol can be separated into two phases of offline and online which the former can be done before even parties’ inputs are available and the latter is executed after learning the inputs. Therefore, a considerable part of the communication and computation costs of the protocol (which includes performing base-OTs, together with the messages sent from receiver to sender in the random OTs) can be done in the offline phase and only lightweight operations take place in the online phase.

Remark 2. Although the overall communication cost is not evenly distributed over all clients and \(P_{t-1}\) has less overhead compared to others, he needs to do more evaluation of hash functions in order to compute the OPRF values. So, we can think of it as a trade-off between the \(P_{t-1}\)’s communication and computation costs. In addition, the costs in our protocol is rather balanced which makes the protocol preferable in terms of not having a single designated party who has significantly higher overhead compared to others that may cause problem in practice.

Remark 3. An interesting feature of our protocol is that as the number of parties involved in the protocol increases, the communication and computation complexities of each client remain the same. This is a crucial point especially when it comes to having a large number of participants and indeed makes our protocol scale well with the number of parties.

4.2 Comparison

In Table 2, we compare the communication and computation complexities of our multi-party PSI protocol with those of [HV17, IOP18, GN19]. We should mention that having various structures and security levels makes it hard to provide a fair comparison, though, we have tried to pick some recent works with different security models. As in [HV17, GN19], the client’s complexities do not depend on the number of parties. However, the two mentioned protocols are not concretely efficient. We observe that the distribution of costs is asymptotically rather fair in our protocol concerning the number of parties t and the number of hash functions k. The workload of parties in [IOP18] is also balanced. We should note that the reported complexities of the augmented semi-honest secure version of [IOP18] are with regard to some optimizations and security relaxations.Footnote 3

Table 2. Comparison of communication and computation complexities of multi-party PSI protocols in different security models, where t is the number of parties, n is the size of input sets, k is the number of hash functions, and \(\lambda \) is the security parameter.
Full size table

5 Conclusion

In this work we proposed a multi-party PSI protocol utilizing a lightweight multi-point OPRF construction. Our protocol is concretely efficient because of involving oblivious transfer extension and garbled Bloom filter as its two core building blocks and achieves linear complexity in both computation and communication concerning each party’s input set size. In our protocol, interactions among parties are performed over a combination of star and path network topologies and as a consequence of this design, the asymptotic communication and computation complexities of each client only rely on his input set size and not on the number of parties, namely \(O(n\lambda k)\). In general, this study has gone some way towards presenting an efficient scalable multi-party PSI protocol that can be deployed in practice. This inevitably comes at a cost of relaxation on the security model, but we do believe that future works can focus on enhancing the security of multi-party PSI based on OPRF to obtain more robust security guarantees without that much compromising efficiency.