Maliciously Secure Multi-party PSI with Lower Bandwidth and Faster Computation

Abstract

Private Set Intersection (PSI) allows a set of mutually distrustful parties, each holds a private data set, to compute the intersection of all sets, such that no information is revealed except for the intersection. The state-of-the-art PSI protocol (Garimella et al., CRYPTO’21) in the multi-party setting tolerating any number of malicious corruptions requires the communication bandwidth of \(O(n\ell |\mathbb F |)\) bits for the central party \(P_0\) due to the star architecture, where n is the number of parties, \(\ell \) is the size of each set and \(|\mathbb F |\) is the size of an exponentially large field \(\mathbb F \). When n and \(\ell \) are large, this forms an efficiency bottleneck (especially for networks with restricted bandwidthes). In this paper, we present a new multi-party PSI protocol in dishonest-majority malicious setting, which reduces the communication bandwidth of the central party \(P_0\) from \(O(n\ell |\mathbb F |)\) bits to \(O(\ell |\mathbb F |)\) bits using a tree architecture. Furthermore, our PSI protocol reduces the expensive LPN encoding operations performed by \(P_0\) by a factor of n as well as the computational cost by \(2n\ell \) hash operations in total. Additionally, while the multi-party PSI protocol (Garimella et al., CRYPTO’21) with a single output is secure, we present a simple attack against its multi-output extension, which allows an adversary to learn more information on the sets of honest parties beyond the intersection of all sets.

A OKVS Overfitting

For the security proof of a maliciously secure PSI protocol, the simulator obtains an OKVS from a corrupted party, and needs to extract the keys that are encoded in the OKVS. In general, this is done by defining \(v_i=\textsf{H} (k_i)\) for \(i \in [1,\ell ]\) where \(\textsf{H} \) is a random oracle. Then, the simulator can observe the queries to \(\textsf{H} \) made by the adversary, and then check which of the keys k satisfy \(\textsf{Decode} (\textbf{S}, k)=\textsf{H} (k)\). An OKVS whose parameters are chosen to encode \(\ell \) keys may often hold even more than \(\ell \) keys, when it is generated by the adversary. In the context of PSI, this allows the adversary to encode more keys than advertised. Therefore, we need to bound the number of keys that the adversary can “overfit” into an OKVS. Following the previous work [14], we model the property in the following definition.

Definition 4

([14]). The \((\ell , \ell ')\)-OKVS overfitting game is defined as follows.

• Let \((\textsf{Encode}, \textsf{Decode})\) be an OKVS with parameters chosen to support \(\ell \) items, and \(\mathcal {A}\) be any PPT adversary. Let \(\textsf{H}: \mathcal K \rightarrow \mathcal V \) be a random oracle.

• Run \(\textbf{S} \leftarrow \mathcal {A}^{\textsf{H} (\cdot )}(1^{\kappa })\).

• Define the following set:

  $$X=\{k \, | \, \mathcal {A}\text { made a query } (k) \text { to } \textsf{H} \text { and } \textsf{Decode} (\textbf{S}, k) = \textsf{H} (k)\}.$$

• If \(|X| > \ell '\), then the adversary \({{\mathcal {A}_{}}} \) wins.

We say that the \((\ell ,\ell ')\)-OKVS overfitting problem is hard for an OKVS, if no PPT adversary wins this game except with negligible probability.

For \({\kappa } =128\) and \(\lambda =40\), according to the analysis [27], when \(\textsf{H}: \mathcal K \rightarrow \mathbb F \) is used to define the values, a linear OKVS with a field size \(|\mathbb F |=128\) can guarantee that the successful probability of the adversary in the above overfitting game is less than \(1/2^{40}\), even though the adversary is allowed to make \(2^{80}\) queries to \(\textsf{H} \).