Predicate Private Set Intersection with Linear Complexity

Abstract

Private Set Intersection (PSI) enables two parties to learn the intersection of their input sets without exposing other items that are not within the intersection. However, real-world applications often require more complex computations than just obtaining the intersection. In this paper, we consider the setting where each item in the input set has an associated payload, and the desired output is a subset of the intersection obtained by evaluating certain conditions over the payload. We call this new primitive Predicate Private Set Intersection (PPSI) and show its applicability in many different scenarios. While a PPSI protocol can be obtained by combining existing circuit-PSI and generic circuit-based secure computation, this naive approach is not efficient. Therefore, we also provide a specially designed PPSI protocol with linear complexity and good concrete efficiency. We implemented the protocol and evaluated it with extensive experiments. The results validated the efficacy of our PPSI protocol.

Appendices

Appendix 1: Secure Comparison

To compare \(x \in \{0,1\}^\ell \) provided by \(\mathcal {C}\) and \(y \in \{0,1\}^\ell \) provided by \(\mathcal {S}\), the secure comparison protocol performs the following four stages:

Splitting stage: \(\mathcal {C}\) and \(\mathcal {S}\) split their inputs x and y equally into q parts, and q is a power of 2. Each part has k bits, and assume k divides \(\ell \). Let K be a parameter and \(K=2^k\). That is \(x=x^{q-1}||...||x^0\) and \(y=y^{q-1}||...||y^0\), where \(x^t,y^t \in \{0,1\}^k\), \(t \in [0,q-1]\).

Masking stage: For each part \(t \in [0,q-1]\), \(\mathcal {C}\) prepares \(\langle \textrm{lt}_0^t \rangle _\mathcal {C}^B, \langle \textrm{eq}_0^t \rangle _\mathcal {C}^B {\mathop {\leftarrow }\limits ^{\$}}\{0,1\}\). For all \(u \in [0,K-1]\), \(\mathcal {C}\) sets \(s_u^t = \langle \textrm{lt}_0^t \rangle _\mathcal {C}^B \oplus 1\{x^t <u\}\) and \(v_u^t = \langle \textrm{eq}_0^t \rangle _\mathcal {C}^B \oplus 1\{x^t = u\}\).

Choosing stage: \(\mathcal {C}\) and \(\mathcal {S}\) invoke an instance of \(\left( {\begin{array}{c}K\\ 1\end{array}}\right) \)-OT\(_{\ell }\) where \(\mathcal {C}\) inputs \(\{s_u^t\}_{u \in [0,K-1]}\) and \(\mathcal {S}\) inputs the choose bit \(y^t\). Then \(\mathcal {S}\) gets the output \(\langle \textrm{lt}_0^t \rangle _\mathcal {S}^B\). Similarly, \(\mathcal {C}\) and \(\mathcal {S}\) invoke another instance of \(\left( {\begin{array}{c}K\\ 1\end{array}}\right) \)-OT\(_{\ell }\) where \(\mathcal {C}\) inputs \(\{v_u^t\}_{u \in [0,K-1]}\) and \(\mathcal {S}\) inputs the choose bit \(y^t\). Then \(\mathcal {S}\) gets the output \(\langle \textrm{eq}_0^t \rangle _\mathcal {S}^B\).

Merging stage: \(\mathcal {C}\) and \(\mathcal {S}\) recursively compute the shares they have using the idea of Equation (3). For \(i \in [1,\textrm{log} q]\) and \(t \in [1,(q/(2^i)-1)]\), \(\mathcal {C}\) and \(\mathcal {S}\) invoke \(F_\textrm{AND}\) to compute \(\langle \textrm{lt}_{i}^{t} \rangle ^B_\mathcal {C} = \langle \textrm{lt}_{i-1}^{2t} \rangle ^B_\mathcal {C} \wedge \langle \textrm{eq}_{i-1}^{2t+1} \rangle ^B_\mathcal {C} \oplus \langle \textrm{lt}_{i-1}^{2t+1} \rangle ^B_\mathcal {C}\) and \(\langle \textrm{lt}_{i}^{t} \rangle ^B_\mathcal {S} = \langle \textrm{lt}_{i-1}^{2t} \rangle ^B_\mathcal {S} \wedge \langle \textrm{eq}_{i-1}^{2t+1} \rangle ^B_\mathcal {S} \oplus \langle \textrm{lt}_{i-1}^{2t+1} \rangle ^B_\mathcal {S}\). Then \(\mathcal {C}\) and \(\mathcal {S}\) can compute \(\langle \textrm{eq}_{i}^{t} \rangle ^B_\mathcal {C} = \langle \textrm{lt}_{i-1}^{2t} \rangle ^B_\mathcal {C} \wedge \langle \textrm{eq}_{i-1}^{2t+1} \rangle ^B_\mathcal {C}\) and \(\langle \textrm{eq}_{i}^{t} \rangle ^B_\mathcal {S} = \langle \textrm{lt}_{i-1}^{2t} \rangle ^B_\mathcal {S} \wedge \langle \textrm{eq}_{i-1}^{2t+1} \rangle ^B_\mathcal {S}\). Final, \(\mathcal {C}\) gets \(\langle \textrm{lt}_{i}^{0} \rangle ^B_\mathcal {C} \) and \(\mathcal {S}\) gets \(\langle \textrm{lt}_{i}^{0} \rangle ^B_\mathcal {S}\).

After the above four stages, \(\mathcal {C}\) and \(\mathcal {S}\) get the boolean shares of the comparison result of x and y.

Appendix 2: Security Proof

The proof of Theorem 1 is as follows.

Proof

As shown in Algorithm 1, for \(\mathcal {C}\), the view during the protocol execution will be \({\textbf {view}}_\mathcal {C}=(\langle p^* \rangle _\mathcal {C}^B,z)\). Since z is generated by ROT protocol and is a random value, according to Lemma 1, it is trivial to see that all values of \(\mathcal {C}\)’s view are uniformly random. \(\mathcal {C}\) outputs nothing during this protocol. Therefore, \({\textbf {view}}_\mathcal {C}\) and \({\textbf {output}}_\mathcal {C}\) can be simulated by a simulator \(Sim_\mathcal {C}\). Then \(Sim_\mathcal {C}\) can generate a view for the adversary \(Adv_\mathcal {C}\), who can not distinguish the generated view from its real view.

For \(\mathcal {S}\), the view during the protocol execution will be \({\textbf {view}}_\mathcal {S}=(\langle p^* \rangle _\mathcal {S}^B)\). Then \(\mathcal {S}\) outputs \(R_0,R_1\) during this protocol. Since \(R_0,R_1\) is generated by ROT protocol and are random values, according to Lemma 1, all values of \(\mathcal {S}\)’s view are uniformly random. Therefore, \({\textbf {view}}_\mathcal {S}\) and \({\textbf {output}}_\mathcal {S}\) can be simulated by a simulator \(Sim_\mathcal {S}\). Then \(Sim_\mathcal {S}\) can generate a view for the adversary \(Adv_\mathcal {S}\), who can not distinguish the generated view from its real view.

The proof of Theorem 2 is as follows.

Proof

As shown in Algorithm 5.3, for \(\mathcal {C}\), the view in the protocol execution will be \({\textbf {view}}_\mathcal {C}=(\alpha ,\{\textrm{s}_{1,\alpha ^t}^t||...||\textrm{s}_{n,\alpha ^t}^t\},\{\textrm{v}_{1,\alpha ^t}^t||\) \(...||\textrm{v}_{n,\alpha ^t}^t\})\). Since \(\{\textrm{s}_{1,\alpha ^t}^t||...||\textrm{s}_{n,\alpha ^t}^t\},\{\textrm{v}_{1,\alpha ^t}^t||...||\textrm{v}_{n,\alpha ^t}^t\}\) are generated from the random elements (step 7–8 in Algorithm 5.3), according to Lemma 1, it is trivial to see that all values of \(\mathcal {C}\)’s view are uniformly random. The output of \(\mathcal {C}\) is \({\textbf {output}}_\mathcal {C}=\langle 1\{\alpha < p_i\} \rangle _\mathcal {C}\), which is generated from the random values \(\{\textrm{s}_{1,\alpha ^t}^t||...||\textrm{s}_{n,\alpha ^t}^t\},\{\textrm{v}_{1,\alpha ^t}^t||...||\textrm{v}_{n,\alpha ^t}^t\}\) (step 14–20 in Algorithm 5.3). Therefore, \({\textbf {view}}_\mathcal {C}\) and \({\textbf {output}}_\mathcal {C}\) can be simulated by a simulator \(Sim_\mathcal {C}\). Then \(Sim_\mathcal {C}\) can generate a view for the adversary \(Adv_\mathcal {C}\), who can not distinguish the generated view from its real view.

For \(\mathcal {S}\), the view in the protocol execution will be \({\textbf {view}}_\mathcal {S}=({\textbf {p}},\langle lt_{0,j}^t \rangle ,\langle eq_{0,j}^t \rangle \})\). Since \(\{\langle lt_{0,j}^t \rangle ,\langle eq_{0,j}^t \rangle \}\) are generated from the random elements (step 5 in Algorithm 5.3), all values of \(\mathcal {S}\)’s view are uniformly random. The output of \(\mathcal {S}\) is \({\textbf {output}}_\mathcal {S}=\langle 1\{\alpha < p_i\} \rangle _\mathcal {S}\), which is generated from the random values \(\{\langle lt_{0,j}^t \rangle ,\langle eq_{0,j}^t \rangle \}\) (step 6–8 in Algorithm 5.3). Therefore, \({\textbf {view}}_\mathcal {S}\) and \({\textbf {output}}_\mathcal {S}\) can be simulated by a simulator \(Sim_\mathcal {S}\). Then \(Sim_\mathcal {S}\) can generate a view for the adversary \(Adv_\mathcal {S}\), who can not distinguish the generated view from its real view.