Publicly Verifiable Private Set Intersection from Homomorphic Encryption

Abstract

Private Set Intersection (PSI) enables two mistrusting parties to securely evaluate the intersection of their private inputs, without revealing any additional information. With its wide application in privacy protection, it is required to ensure the correctness of the evaluation, especially in conventional client-server setting (also known as unbalanced PSI). Unfortunately, most existing work cannot verify the integrity of the data and the correctness of the evaluation. In this paper, we propose a new publicly verifiable private set intersection protocol in the malicious setting, based on oblivious pseudo-random function (OPRF), fully homomorphic encryption (FHE), and verifiable computation (VC). The key tool to obtain our new protocol is a new publicly verifiable inner product computation on encrypted data. The protocol supports public verification for computation correctness and integrity under preserving privacy with less round number (only requiring 2 rounds), allows batching technique under Residue Number System (RNS). That is used for enhancing the FHE. Also, we implement our protocol, and the result is close to the most effective unbalanced PSI.

A Fiore et al.’s Hash Function for RNS Representation

Lemma 3

Let \(\mathcal {B}=\{q_1,\cdots ,q_\ell \}\) be a RNS base of relatively prime moduli which size \(\ell \) is its number of elements, \(q=\prod _{i=1}^\ell q_i\). If x and g are given in their RNS form \((x_1,\cdots ,x_\ell )\) and \((g_1,\cdots ,g_\ell )\), then \(|g^x|_q\) is in the RNS form \((|g_1^{x_1}|_{q_1}\), \(\cdots \), \(|g_\ell ^{x_\ell }|_{q_\ell })\).

Proof

The Chinese Remainder Theorem (CRT) ensures the uniqueness of this representation \( |g^x|_q =|g^{|\sum _{i=1}^\ell |x_i\frac{q_i}{q}|_{q_i}\times \frac{q}{q_i}|_q}|_q =\prod _{i=1}^n |g^{||x_i\frac{q_i}{q}|_{q_i}\times \frac{q}{q_i}|_q}|_q, \) where \(\frac{q_i}{q}\) is the multiplicative inverse of \(\frac{q}{q_i}\) on \(q_i\). Due to \( \frac{q}{q_i}\cdot \frac{q_i}{q}=1 \bmod q_i, \frac{q}{q_i}\cdot \frac{q_j}{q}=0 \bmod q_i, i\ne j, \)

$$ |g^x|_q \bmod q_i=|g^{||x_i\frac{q_i}{q}|_{q_i}\times \frac{q}{q_i}|_q}|_q=g^{x_i} \bmod q_i=g_i^{x_i} \bmod q_i. $$

Therefore, the RNS form of \(g^x\) is \((|g_1^{x_1}|_{q_1},\cdots ,|g_\ell ^{x_\ell }|_{q_\ell })\).    \(\square \)

Lemma 4

Let n be positive integer and q be prime, \(\mathcal {R}_q=\mathbb {Z}_q[X]/(X^n+1)\). On \(\mathcal {D}=\{c\in \mathcal {R}_q[Y]: \deg _X(c)<n, \deg _Y(c)\le 1\}\), for all \(c,c'\in \mathcal {D}\), the probability of a collision \( \Pr [c\ne c'\wedge \texttt{H}(c)=\texttt{H}(c')]\le (\frac{n^2+qn+2}{q^2}-\frac{(n-1)^3}{q^3})^2. \)

Proof

If \(\texttt{H}(c)=\texttt{H}(c')\), then \(g^{\hat{H}_{\alpha , \beta }(c)}=g^{\hat{H}_{\alpha , \beta }(c)}\wedge h^{\hat{H}_{\alpha , \beta }(c')}=h^{\hat{H}_{\alpha , \beta }(c')}\). Let \(\varDelta =c-c'\in \mathcal {R}_q[Y]\). Then, \(\varDelta \) is a non-zero polynomial of degree less than n in X and degree at most 1 in Y. Let \(\alpha , \beta \) be random in \(\mathbb {Z}_q\). Every collison is either \(\varDelta (x,\beta )=0\) or \(\varDelta (x ,\beta )\ne 0 \wedge \varDelta (\alpha ,\beta )=0\). In the first case, assuming \(\varDelta (x,\beta )=a_1(x)\beta +a_0(x)=0\). If \(a_1(x)=0\wedge a_0(x)=0\), then we have \(\varDelta (x,\beta )\) must be equal to zero for all \(\beta \in \mathbb {Z}_q\). The probability is at most \(\frac{n-1}{q}\times \frac{n-1}{q}\). If \(a_1(x)\ne 0\), then we have \(\beta =-\frac{a_0(x)}{a_1(x)}\in \mathbb {Z}_q\). The probability that \(\beta \) has a solution is at most \((1-\frac{n-1}{q})\times \frac{1}{q}\). In the second case, the probability that \(\varDelta (x ,\beta )\) is not equal to zero is at most \(1-\frac{n-1}{q}\times \frac{n-1}{q}-(1-\frac{n-1}{q}\times \frac{1}{q})\times \frac{1}{q}\) and the probability that \(\alpha \) has a solution is at most \(\frac{n-1}{q}\). So we conclude that the the probability

$$\begin{aligned} \Pr [\texttt{H}(c)=\texttt{H}(c')\wedge \varDelta \ne 0] =&\Pr [\varDelta (x,\beta )=0]+\Pr [\varDelta (\alpha ,\beta )=0|\varDelta (x,\beta )\ne 0]\\ \le&(\frac{n^2+qn+2}{q^2}-\frac{(n-1)^3}{q^3})^2. \end{aligned}$$

   \(\square \)