Multiparty Cardinality Testing for Threshold Private Intersection

Abstract

Threshold Private Set Intersection (PSI) allows multiple parties to compute the intersection of their input sets if and only if the intersection is larger than \(n-t\), where n is the size of each set and t is some threshold. The main appeal of this primitive is that, in contrast to standard PSI, known upper-bounds on the communication complexity only depend on the threshold t and not on the sizes of the input sets. Current threshold PSI protocols split themselves into two components: A Cardinality Testing phase, where parties decide if the intersection is larger than some threshold; and a PSI phase, where the intersection is computed. The main source of inefficiency of threshold PSI is the former part.

In this work, we present a new Cardinality Testing protocol that allows N parties to check if the intersection of their input sets is larger than \(n-t\). The protocol incurs in \(\tilde{ \mathcal {O}} (Nt^2)\) communication complexity. We thus obtain a Threshold PSI scheme for N parties with communication complexity \(\tilde{\mathcal {O}}(Nt^2)\).

Appendices

A Preliminaries Cont’d

1.1 A.1 Threshold Public-Key Encryption

In this work, we will use Public-Key Encryption schemes and a variant of it: Threshold Public-key Encryption. We now define Threshold Public-key Encryption. Such schemes can be instantiated from several hardness assumptions such as DDH, DCR or pairing-based assumptions [21].

Definition 3

(Threshold Public-Key Encryption). A Threshold Public-Key Encryption (TPKE) scheme is defined by the following algorithms:

• takes as input a security parameter. It outputs a public key and N secret keys .

• takes as input a public key and a message \(m\in \{0,1\}^*\). It outputs a ciphertext c.

• takes as input one of the secret keys and a ciphertext. It outputs a share decryption \(c'\) of c.

Correctness. For any \(N\in \mathbb {N}\) and any permutation \(\pi :[N]\rightarrow [N]\), we have that

where .

IND-CPA Security. For any \(N\in \mathbb {N}\), any permutation \(\pi :[N]\rightarrow [N]\) and any adversary \(\mathcal {A}\), we require that

for any \(k<N\).

Additive Homomorphism. We also assume that the TPKE (or plain PKE) is homomorphic for additive operation.¹⁴ That is, for all , we can define two groups \((\mathcal {M},\oplus ),(\mathcal {C},\otimes )\) such that, given two ciphertexts and , we require that

By abuse of notation, we usually denote the operations of \(\mathcal {M}\) and \(\mathcal {C}\) as \(+\).

1.2 A.2 Linear Algebra

We first introduce minimal polynomials of a sequence and of a matrix. Then we present how they can be used to solve linear algebra related problems.

Minimal Polynomial of a Matrix. The minimal polynomial of a sequence \(\mathfrak {a}\) is the least degree polynomial m such that \(\langle m\rangle = Ann (\mathfrak a)\) where \( Ann (\mathfrak a)\) is the annihilator ideal of \(\mathfrak a\) (that is, the ideal such that every element f of \( Ann (\mathfrak a)\) satisfies \(f\cdot \mathfrak a=0\)).

Lemma 6

(Lemma 3 in [24]). Let \(\mathbf {A}\in \mathbb {F}^{n\times n}\) and let \(m_\mathbf {A}\) be the minimal polynomial of matrix \(\mathbf {A}\). For , we have \(m_\mathbf {A}= m_{\mathfrak {a}'}\) with probability at least \(1-2\deg (m_\mathbf {A})/|\mathbb {F}|\), where \(\mathfrak {a}'=(\mathbf {u}^{\mathsf {T}} \mathbf {A}^i \mathbf {v})_{i\in \mathbb {N}}\). Moreover, \(m_{\mathfrak {a}'}\) can be calculated using a Boolean circuit of size \(\mathcal {O}(nk\log n\log k\log \log k)\) where \(k=\log |\mathbb {F}|\).

Compute the Rank of a Matrix and Solve a Linear System

Lemma 7

([23]). Let \(\mathbf {A}\in \mathbb {F}^{n\times n}\) of (unknown) rank r. Let \(\mathbf {U}\) and \(\mathbf {L}\) be randomly chosen unit upper triangular and lower triangular Toeplitz matrices in \(\mathbb {F}^{n\times n}\), and let \(\mathbf {B}=\mathbf {U}\mathbf {A}\mathbf {L}\). Let us denote the \(i\times i\) leading principal of \(\mathbf {B}\) by \(\mathbf {B}_i\). The probability that \(\det (\mathbf {B}_i) \ne 0\) for all \(1\le i\le r\) is greater than \(1-n^2/|\mathbb {F}|\).

Lemma 8

([23]). Let \(\mathbf {B}\in \mathbb {F}^{n\times n}\) with leading invertible principals up to \(\mathbf {B}_r\) where r is the (unknown) rank of \(\mathbf {B}\). Let \(\mathbf {X}\) be a randomly chosen diagonal matrix in \(\mathbb {F}^{n\times n}\). Then, \(r = \deg (m_{\mathbf {X}\mathbf {B}})-1\) with probability greater than \(1-n^2/|\mathbb {F}|\).

B Oblivious Linear Algebra

1.1 B.1 Oblivious Matrix Multiplication

Protocol. The following Protocol 4 allows several parties to jointly compute the (encrypted) product of two encrypted matrices. Note that the protocol can also be used to compute the encryption of the product of two encrypted values in \(\mathbb {F}\).

Analysis. We proceed to the analysis of the protocol described above.

Lemma 9

(Correctness). The protocol \(\mathsf {secMult}\) is correct.

Proof

The correctness is straightforward.    \(\Box \)

Lemma 10

(Security). The protocol \(\mathsf {secMult}\) securely EUC-realizes \(\mathcal {F}_{\mathsf {OMM}}\) with shared ideal functionality \(\mathcal {F}_\mathsf {Gen}\) against semi-honest adversaries corrupting up to \(N-1\) parties, given that \(\mathsf {TPKE}\) is IND-CPA.

Proof

(Sketch). Assume that the adversary corrupts \(N-k\) parties. The simulator takes the inputs from these parties and send them to the ideal functionality. Upon receiving the encrypted value , it simulates the protocol as the honest parties would do.

We now prove that no set of at most \(N-1\) colluding parties can extract information about \(\mathbf {M}_l,\mathbf {M}_r\). First, observe that any set of \(N-1\) parties cannot extract any information about encrypted values that are not decrypted during the protocol (because there is always a missing secret key share) given that \(\mathsf {TPKE}\) is IND-CPA. Second, we analyze the matrix \(\mathbf {M}_l'\) (which is decrypted during the protocol). We have that \(\mathbf {M}_l'=\mathbf {M}_l+\sum _j \mathbf {R}_l^{(j)}\). Hence, there is always at least one matrix \(\mathbf {R}_l^{(\ell )}\) which is unknown to the adversary and that perfectly hides the matrix \(\mathbf {M}_l\) (the same happens \(\mathbf {M}_r'\).    \(\Box \)

Complexity. The communication complexity of the protocol is dominated by the messages carrying the (encrypted) matrix. Hence, assuming a broadcast channel between the parties, the protocol has communication complexity of \(\mathcal {O}(Nt^2)\) where t is the size of the input matrices and N the number of parties involved in the protocol.

1.2 B.2 Compute the Rank of a Matrix

Protocol. We present this protocol in the full version of this paper in [6].

Complexity. Each party broadcasts \(\mathcal {O}(t^2k\log t)\) bits of information, where \(k=\log | \mathbb {F}|\). To see this, note that the communication of the protocol is dominated by the computation of the circuit that computes the degree of \(\mathfrak {a}\) and this can be implemented with communication cost of \(\mathcal {O}(t^2k\log t)\) [24]. Assuming a broadcast channel, the communication complexity is \(\tilde{\mathcal {O}}(Nt^2)\).

1.3 B.3 Invert a Matrix

In this section, we present and analyze a protocol that allows N parties to invert an encrypted matrix. In this setting, each of the N parties holds a secret share of a public key of a TPKE. Given an encrypted matrix, they want to compute an encryption of the inverse of this matrix.

Ideal Functionality. The ideal functionality of oblivious rank computation is defined below.

Protocol. This protocol allows N parties to jointly compute the encryption of the inverse of a matrix, given that this matrix is non-singular. Please refer to the full version of this paper in [6] to see details.

Analysis. The proofs of the following lemmas follow the same lines as the proofs in the analysis of \(\mathsf {secMult}\) protocol. We state the lemmas but omit the proofs for briefness.

Lemma 11

The protocol \(\mathsf {secInv}\) is correct.

Lemma 12

The protocol \(\mathsf {secInv}\) securely EUC-realizes \(\mathcal {F}_\mathsf {OInv}\) with shared ideal functionality \(\mathcal {F}_\mathsf {Gen}\) against semi-honest adversaries corrupting up to \(N-1\) parties, given that \(\mathsf {TPKE}\) is IND-CPA.

Complexity. Each party broadcasts \(\mathcal {O}(t^2)\) bits of information. The communication complexity of the protocol is \(\mathcal {O}(Nt^2)\), assuming a broadcast channel.

1.4 B.4 Secure Unary Representation

Following [24], we present a protocol that allows to securely compute the unary representation of a matrix.

Ideal Functionality. The ideal functionality for Secure Unary Representation is given below.

Protocol. A protocol for secure unary representation can be implemented with the help of a binary-conversion protocol [37]. That is, given , all parties jointly compute , where \(\delta _i=1\), if \(i\le r\), and \(\delta _i=0\) otherwise, via a Boolean circuit (which can be securely implemented based on Paillier cryptosystem).

Communication Complexity. We can calculate the result using a Boolean circuit of size \(O(r\log t)\), thus the communication complexity is \(O(Nr\log t)\).

1.5 B.5 Solve a Linear System

Protocol. We now present the Protocol 5 that allows multiple parties to solve an encrypted linear system. In the following, we assume that the system has at least one solution (note that this can be guaranteed using the \(\mathsf {secRank}\) protocol).

Lemma 13

(Correctness). The protocol \(\mathsf {secLS}\) is correct.

Proof

The proof follows directly from [23, 24].    \(\Box \)

Lemma 14

The protocol \(\mathsf {secLS}\) securely EUC-realizes \(\mathcal {F}_\mathsf {OLS}\) with shared ideal functionality \(\mathcal {F}_\mathsf {Gen}\) in the \((\mathcal {F}_\mathsf {ORank},\mathcal {F}_\mathsf {OInv},\mathcal {F}_\mathsf {SUR})\)-hybrid model against semi-honest adversaries corrupting up to \(N-1\) parties, given that \(\mathsf {TPKE}\) is IND-CPA.

Communication Complexity. Each party broadcasts \(\mathcal {O}(t^2k\log t)\) bits of information where \(k=|\mathbb {F}|\). The total communication complexity is \(\tilde{\mathcal {O}}(t^2)\).