
Invertible Polynomial Representation for Private Set Operations

Conference paper

Information Security and Cryptology -- ICISC 2013 (ICISC 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8565)



In many private set operations, a set is represented by a polynomial over a ring \(\mathbb {Z}_\sigma \) for a composite integer \(\sigma \), where \(\mathbb {Z}_\sigma \) is the message space of some additive homomorphic encryption. While this is useful for implementing set operations with polynomial additions and multiplications, it has the limitation that recovering a set from a polynomial is hard, owing to the hardness of polynomial factorization over \(\mathbb {Z}_\sigma \).

We propose a new representation of a set by a polynomial over \(\mathbb {Z}_\sigma \), in which \(\sigma \) is a composite integer with known factorization, and from which the corresponding set can be efficiently recovered except with negligible probability. Since \(\mathbb {Z}_\sigma [x]\) is not a unique factorization domain, a polynomial may be written as a product of linear factors in several ways. To exclude irrelevant linear factors, we introduce a special encoding function that supports an early abort strategy. Our representation can be efficiently inverted by computing all the linear factors of a polynomial in \(\mathbb {Z}_\sigma [x]\) whose roots lie in the image of the encoding function.

As an application of our representation, we obtain a constant-round private set union protocol. Our construction improves on the complexity of previous constructions that do not assume an honest majority.
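The representation and its inversion, as an added toy example that is not the paper's code: a set is encoded as \(f(x)=\prod (x-\iota (m))\) over \(\mathbb {Z}_\sigma \) with \(\sigma =P\cdot Q\) of known factorization, every root modulo \(\sigma \) is recovered by CRT-combining the roots modulo each prime factor (which is exactly where the extra, irrelevant linear factors come from), and roots outside the image of the encoding are discarded. The primes P and Q, the element bound, and the hash-based redundancy tag standing in for the paper's encoding function (whose definition is not on this page) are constructed assumptions.

```python
import hashlib
from functools import reduce

# Constructed toy parameters (not the paper's): sigma = P*Q with known factorization.
P, Q = 65521, 65537
SIGMA = P * Q
TAU = 16          # redundancy bits the encoding appends to each element (assumption)
ELEM_BITS = 15    # elements are integers below 2**ELEM_BITS, so iota(m) < SIGMA

def tag(m):
    # TAU-bit tag derived from m; a root whose tag is wrong is not an encoded element
    return int.from_bytes(hashlib.sha256(m.to_bytes(4, "big")).digest()[:2], "big")

def iota(m):  # encoding function: element followed by its tag
    return (m << TAU) | tag(m)

def decode(r):  # inverse of iota on its image; None outside the image
    m, t = r >> TAU, r & ((1 << TAU) - 1)
    return m if m < (1 << ELEM_BITS) and t == tag(m) else None

def poly_mul(a, b, mod):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % mod
    return out

def set_to_poly(S):  # f(x) = prod (x - iota(m)) over Z_sigma, low degree first
    return reduce(lambda f, m: poly_mul(f, [(-iota(m)) % SIGMA, 1], SIGMA), S, [1])

def eval_poly(f, x, mod):  # Horner's rule
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % mod
    return acc

def roots_mod_prime(f, p):  # Z_p is a field: at most deg(f) roots; brute force for tiny p
    return [x for x in range(p) if eval_poly(f, x, p) == 0]

def crt(rp, rq):  # lift (rp mod P, rq mod Q) to the unique residue mod SIGMA
    return (rp + P * (((rq - rp) * pow(P, -1, Q)) % Q)) % SIGMA

def roots_mod_sigma(f):
    # Every pairing of a root mod P with a root mod Q is a root mod SIGMA, so a degree-d
    # polynomial can have d*d roots: this is the non-unique factorization of Z_sigma[x].
    rp, rq = roots_mod_prime(f, P), roots_mod_prime(f, Q)
    return sorted({crt(a, b) for a in rp for b in rq})

def poly_to_set(f):  # invert the representation: keep only roots in the image of iota
    return {decode(r) for r in roots_mod_sigma(f)} - {None}
```

For a four-element set, `roots_mod_sigma` returns up to sixteen roots, of which only the four in the image of `iota` survive `poly_to_set`.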

This work includes part of the third author's PhD thesis [14].


Notes

  1. Note that one has to solve \(\bar{\ell }\) DLPs over a group of order \(q_j\) for one decryption in the NS encryption scheme. In Step 3 (b), one has to solve \(2d=2nk\) DLPs over a group of order \(q_j\) for each \(q_j\). It requires \(O(\sqrt{dq_j})\) multiplications to solve \(d\) DLPs over a group of order \(q_j\) [13], and hence the total complexity of this step is \(O(\bar{\ell }\sqrt{dq_j})\) multiplications.

  2. Due to space limitations, the detailed computation of Eqs. (5) and (6) is given in the full version of this paper [3].


References

  1. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: Simon, J. (ed.) ACM Symposium on Theory of Computing (STOC), pp. 1–10. ACM (1988)
  2. Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003)
  3. Cheon, J.H., Hong, H., Lee, H.T.: Invertible polynomial representation for set operations. Cryptology ePrint Archive, Report 2012/526 (2012)
  4. De Cristofaro, E., Kim, J., Tsudik, G.: Linear-complexity private set intersection protocols secure in malicious model. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 213–231. Springer, Heidelberg (2010)
  5. De Cristofaro, E., Tsudik, G.: Practical private set intersection protocols with linear complexity. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 143–159. Springer, Heidelberg (2010)
  6. Fouque, P.-A., Poupard, G., Stern, J.: Sharing decryption in the context of voting or lotteries. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 90–104. Springer, Heidelberg (2001)
  7. Freedman, M.J., Nissim, K., Pinkas, B.: Efficient private matching and set intersection. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 1–19. Springer, Heidelberg (2004)
  8. Frikken, K.B.: Privacy-preserving set union. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 237–252. Springer, Heidelberg (2007)
  9. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: Aho, A.V. (ed.) ACM Symposium on Theory of Computing (STOC), pp. 218–229. ACM (1987)
  10. Hong, J., Kim, J.W., Kim, J., Park, K., Cheon, J.H.: Constant-round privacy preserving multiset union. Bull. Korean Math. Soc. 50(6), 1799–1816 (2013)
  11. Jarecki, S., Liu, X.: Efficient oblivious pseudorandom function with applications to adaptive OT and secure computation of set intersection. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 577–594. Springer, Heidelberg (2009)
  12. Kissner, L., Song, D.: Privacy-preserving set operations. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 241–257. Springer, Heidelberg (2005)
  13. Kuhn, F., Struik, R.: Random walks revisited: extensions of Pollard's rho algorithm for computing multiple discrete logarithms. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 212–229. Springer, Heidelberg (2001)
  14. Lee, H.T.: Polynomial Factorization and Its Applications. Ph.D. thesis, Seoul National University, February 2013
  15. Naccache, D., Stern, J.: A new public key cryptosystem based on higher residues. In: Gong, L., Reiter, M.K. (eds.) ACM Conference on Computer and Communications Security (ACM CCS), pp. 59–66. ACM (1998)
  16. Okamoto, T., Uchiyama, S.: A new public-key cryptosystem as secure as factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 308–318. Springer, Heidelberg (1998)
  17. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)
  18. Sang, Y., Shen, H.: Efficient and secure protocols for privacy-preserving set operations. ACM Trans. Inf. Syst. Secur. 13(1), 9:1–9:35 (2009)
  19. Seo, J.H., Cheon, J.H., Katz, J.: Constant-round multi-party private set union using reversed Laurent series. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 398–412. Springer, Heidelberg (2012)
  20. Shamir, A.: On the generation of multivariate polynomials which are hard to factor. In: Kosaraju, S.R., Johnson, D.S., Aggarwal, A. (eds.) ACM Symposium on Theory of Computing (STOC), pp. 796–804. ACM (1993)
  21. Shoup, V.: Practical threshold signatures. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 207–220. Springer, Heidelberg (2000)
  22. Umans, C.: Fast polynomial factorization and modular composition in small characteristic. In: Dwork, C. (ed.) ACM Symposium on Theory of Computing (STOC), pp. 481–490. ACM (2008)

Acknowledgements

We thank Jae Hong Seo for helpful comments on our preliminary works and anonymous reviewers for their valuable comments. This work was supported by the IT R&D program of MSIP/KEIT [No. 10047212, Development of homomorphic encryption supporting arithmetics on ciphertexts of size less than 1kB and its applications].

Corresponding author

Correspondence to Jung Hee Cheon.

A Proof of Theorem 1

Let \({\mathsf E}_j\) be the expected number of linkable pairs of \(j\)-tuples in \(\mathbb {Z}_{q_1}\times \cdots \times \mathbb {Z}_{q_j}\) for \(j\ge 2\). For \(1\le j\le j'\le \bar{\ell }\), let \({\mathsf S}_{j'-j+1}(i_{j}, \ldots , i_{j'})\) be the event that \((s_{j}^{(i_j)}, \ldots , s_{j'}^{(i_{j'})})\) is a linkable pair. Then,

$$\begin{aligned} {\mathsf E}_2&= \sum _{i_1, i_2\in \{1, \ldots , d\}}1\cdot \Pr [{\mathsf S}_2(i_1, i_2)]\\&= \sum _{i_1,i_2\in \{1, \ldots , d\}} \Pr [{\mathsf S}_2(i_1, i_2)\wedge (i_1=i_2)] + \sum _{i_1,i_2\in \{1,\ldots , d\}} \Pr [{\mathsf S}_2(i_1, i_2)\wedge (i_1\ne i_2)]\\&= d+ d(d-1)\frac{1}{2^{2\tau }}=d\left( 1+\frac{d-1}{2^{2\tau }}\right) \end{aligned}$$

since \(\Pr [{\mathsf S}_2(i_1,i_1)]=1\) for \(i_1\in \{1,\ldots , d\}\) and \(\Pr [{\mathsf S}_2(i_1, i_2)]=\frac{1}{2^{2\tau }}\) for distinct \(i_1, i_2\in \{1,\ldots , d\}\) by Eq. (1).

Now, we consider the relation between \({\mathsf E}_j\) and \({\mathsf E}_{j+1}\). Suppose \((s_{1}^{(i_1)}, \ldots , s_{j}^{(i_j)})\) is a linkable pair, and consider the case that \((s_{1}^{(i_1)}, \ldots , s_{j}^{(i_j)}, s_{j+1}^{(i_{j+1})})\) is also a linkable pair. This splits into the following three cases:

  1. \(i_{j+1}= i_{j}\),

  2. \(\left( i_{j+1}\ne i_{j}\right) ~\wedge ~\left( i_{j+1}= i_{j-1}\right) \),

  3. \(\left( i_{j+1}\ne i_{j}\right) ~\wedge ~\left( i_{j+1}\ne i_{j-1}\right) \).

In the first case, if \(i_{j+1}=i_{j}\) and \((s_{1}^{(i_1)}, \ldots , s_{j}^{(i_j)})\) is a linkable pair, then \((s_{1}^{(i_1)}, \ldots , s_{j}^{(i_j)}, s_{j+1}^{(i_{j+1})})\) is always a linkable pair. Hence,

$$\begin{aligned} {\mathsf E}_{j+1}^{(1)}&:= \sum _{i_1,\ldots , i_{j+1}} \Pr \left[ {\mathsf S}_{j+1}(i_1,\ldots ,i_{j}, i_{j+1}) \wedge (i_{j+1}=i_j)\right] \\&= \sum _{i_1,\ldots , i_j} \Pr \left[ {\mathsf S}_{j}(i_1,\ldots ,i_{j})\right] ={\mathsf E}_{j}. \end{aligned}$$

In the second case, if \(i_{j+1}=i_{j-1}\ne i_j\) and \((s_{1}^{(i_1)}, \ldots , s_{j}^{(i_j)})\) is a linkable pair, then the relation \(s_{i_{j-1}, j+1}=s_{i_{j}, j+1}=s_{i_{j+1}, j+1}\) is satisfied by the encoding rule of \(\iota \). Hence (see Footnote 2),

$$\begin{aligned} {\mathsf E}_{j+1}^{(2)}&:= \sum _{i_1,\ldots , i_{j+1}\in \{1,\ldots , d\}} \Pr [{\mathsf S}_{j+1}(i_1,\ldots ,i_{j}, i_{j+1})\wedge (i_{j+1}=i_{j-1}\ne i_{j})]\nonumber \\&\le \frac{1}{2^{\tau }}\sum _{i_1,\ldots , i_{j}\in \{1,\ldots , d\}} \Pr \left[ {\mathsf S}_{j}(i_1,\ldots ,i_{j})\right] =\frac{1}{2^{\tau }}{\mathsf E}_{j}. \end{aligned}$$

In the last case, we obtain the following bound:

$$\begin{aligned} {\mathsf E}_{j+1}^{(3)}&:= \sum _{i_1,\ldots , i_{j+1}\in \{1,\ldots , d\}} \Pr [{\mathsf S}_{j+1}(i_1,\ldots ,i_{j}, i_{j+1})\wedge \left( (i_{j+1}\ne i_{j}) ~\wedge ~(i_{j+1}\ne i_{j-1})\right) ]\nonumber \\&\le \frac{d-1}{2^{2\tau }}\sum _{i_1,\ldots , i_{j}\in \{1,\ldots , d\}} \Pr \left[ {\mathsf S}_{j}(i_1,\ldots ,i_{j})\right] =\frac{d-1}{2^{2\tau }}{\mathsf E}_{j}. \end{aligned}$$

From the above results, we obtain the recurrence formula of \({\mathsf E}_j\) as follows:

$$\begin{aligned} {\mathsf E}_{j+1} ={\mathsf E}_{j+1}^{(1)}+{\mathsf E}_{j+1}^{(2)}+{\mathsf E}_{j+1}^{(3)} \le \left( 1+\frac{1}{2^{\tau }}+\frac{d-1}{2^{2\tau }}\right) {\mathsf E}_j \end{aligned}$$

for \(j\ge 2\) and hence \( {\mathsf E}_{\bar{\ell }}\le d\left( 1+\frac{1}{2^{\tau }}+\frac{d-1}{2^{2\tau }}\right) ^{\bar{\ell }-1} \) since \({\mathsf E}_2=d\left( 1+\frac{d-1}{2^{2\tau }}\right) \le d\left( 1+\frac{1}{2^{\tau }}+\frac{d-1}{2^{2\tau }}\right) \).

Now, we show that \(\bar{\ell }\le \frac{2^{2\tau }}{2^{\tau }+d}\). From the parameter setting, we have \(\bar{\ell }\le \min \{d, \frac{\lfloor \log {N}\rfloor -2}{3\tau }\}\). When \(d_0\ge 8d\), it holds that

$$\begin{aligned} \min \left\{ d, \frac{\lfloor \log {N}\rfloor -2}{3\tau }\right\} \le d \le \frac{d_0^{1/3}d^{2/3}}{2}. \end{aligned}$$

Consider the case \(d_0<8d\). Then it also holds that

$$\begin{aligned} \min \left\{ d, \frac{\lfloor \log {N}\rfloor -2}{3\tau }\right\} \le \frac{\lfloor \log {N}\rfloor -2}{3\tau }\le \frac{d_0}{3\tau }\le \frac{d_0^{1/3}d^{2/3}}{2} \end{aligned}$$

since \(\tau \ge 3\). Hence

$$\begin{aligned} \bar{\ell }\le \min \left\{ d, \frac{\lfloor \log {N}\rfloor -2}{3\tau }\right\} \le \frac{d_0^{1/3}d^{2/3}}{2} \le \frac{\left( {d_0^{2}d}\right) ^{2/3}}{2d_0}\le \frac{2^{2\tau }}{2^{\tau }+d} \end{aligned}$$

since \(2d_0>2^{\tau }+d\). Therefore we obtain the following result:

$$\begin{aligned} {\mathsf E}_{\bar{\ell }}\le d\left( 1+\frac{1}{2^{\tau }}+\frac{d-1}{2^{2\tau }}\right) ^{\bar{\ell }-1}<ed<3d, \end{aligned}$$

where \(e\approx 2.718\) is the base of the natural logarithm. The middle inequality holds because \(1+\frac{1}{2^{\tau }}+\frac{d-1}{2^{2\tau }}=1+\frac{2^{\tau }+d-1}{2^{2\tau }}<1+\frac{1}{\bar{\ell }}\) by the bound on \(\bar{\ell }\) just shown, and \(\left( 1+\frac{1}{\bar{\ell }}\right) ^{\bar{\ell }-1}<e\). In other words, the expected number of linkable pairs of \(\bar{\ell }\)-tuples is bounded above by \(3d\). \(\Box \)

Copyright information

© 2014 Springer International Publishing Switzerland

Cite this paper

Cheon, J.H., Hong, H., Lee, H.T. (2014). Invertible Polynomial Representation for Private Set Operations. In: Lee, H.S., Han, D.G. (eds) Information Security and Cryptology -- ICISC 2013. ICISC 2013. Lecture Notes in Computer Science, vol 8565. Springer, Cham.

  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-12159-8
  • Online ISBN: 978-3-319-12160-4