Scalable Multi-party Private Set Union from Multi-query Secret-Shared Private Membership Test

Abstract

Multi-party private set union (MPSU) allows \(k(k\ge 3)\) parties, each holding a dataset of known size, to compute the union of their sets without revealing any additional information. Although two-party PSU has made rapid progress in recent years, applying its effective techniques to the multi-party setting would render information leakage and thus cannot be directly extended. Existing MPSU protocols heavily rely on computationally expensive public-key operations or generic secure multi-party computation techniques, which are not scalable.

In this work, we present a new efficient framework of MPSU from multi-party secret-shared shuffle and a newly introduced protocol called multi-query secret-shared private membership test (mq-ssPMT). Our MPSU is mainly based on symmetric-key operations and is secure against any semi-honest adversary that does not corrupt the leader and clients simultaneously. We also propose new frameworks for computing other multi-party private set operations (MPSO), such as the intersection, and the cardinality of the union and the intersection, meeting the same security requirements.

We demonstrate the scalability of our MPSU protocol with an implementation and a comparison with the state-of-the-art MPSU. Experiments show that when computing on datasets of \(2^{10}\) elements, our protocol is \(109\times \) faster than the state-of-the-art MPSU, and the improvement becomes more significant as the set size increases. To the best of our knowledge, ours is the first protocol that reports on large-size experiments. For 7 parties with datasets of \(2^{20}\) elements each, our protocol requires only 46 s.

Appendices

A Symmetric-Key Encryption

A SKE scheme is a tuple of four algorithms:

• \(\textsf{Setup}(1^\kappa )\): on input the security parameter \(\kappa \) outputs public parameters \(pp\), which include the description of the message and ciphertext space \(\mathcal {M}, \mathcal {C}\).

• \(\textsf{KeyGen}(pp)\): on input public parameter \(pp\) outputs a key \(k\).

• \(\textsf{Enc}(k, m)\): on input a key \(k\) and a plaintext \(m\in \mathcal {M}\), outputs a ciphertext \(c\in \mathcal {C}\).

• \(\textsf{Dec}(k, c)\): on input a key \(k\) and a ciphertext \(c\in \mathcal {C}\), outputs a message \(m\in \mathcal {M}\) or an error symbol\(\perp \).

Correctness. For any \(pp\leftarrow \textsf{Setup}(1^\kappa )\), any \(k\leftarrow \textsf{KeyGen}(pp)\), any \(m\in \mathcal {M}\) and any \(c\leftarrow \textsf{Enc}(k, m)\), it holds \(\textsf{Dec}(k, c)=m\).

Security. To ensure the security of our mq-ssPMT, we require a security notion called multi-message multi-ciphertext pseudorandomness like the mq-RPMT in [49]. Formally, a SKE is multi-message multi-ciphertext pseudorandom if for any \(\textsf{PPT}\) \(\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)\):

is negligible is \(\kappa \).

B Multi-party Secret-Shared Shuffle

The functionality of share correlation is given in Fig. 12. The protocol details of multi-party secret-shared shuffle in [18] are given in Fig. 13.

Fig. 12.

Share Correlation Functionality \(\mathcal {F}_\textsf{sc}\)

Fig. 13.

Multi-party Secret-Shared Shuffle Protocol \(\varPi _\textsf{ms}\)

C Garbled Cuckoo Table

The formal description of GCT in [43] is given in Fig. 14.

Fig. 14.

GCT algorithm in [43]

D Proof of Theorem 3

Below we give the details of the Proof of Theorem 3.

Proof

Let \(C\) and \(H\) be a coalition of corrupt and honest parties, respectively. \(|C| = \eta \). To show how to simulate \(C\)’s view in the ideal model, we consider two cases based on whether \(\mathcal {P}_1\) is corrupted.

\(\mathcal {P}_1\) is Honest. In this case, \(\mathcal {P}_1\notin C\). \(\textsf{Sim}_C(X_{i_1}, \cdots , X_{i_\eta })\) runs as follows:

1. 1.

   For all \(\mathcal {P}_i \in C\), \(\textsf{Sim}_C\) samples \(\boldsymbol{e}_{1i}^{\prime 1} \leftarrow \{0,1\}^n, \boldsymbol{r}_{1i}^{\prime 0}, \boldsymbol{r}_{1i}^{\prime 1} \leftarrow \mathbb {F}_{2^{\sigma + \ell }}^n, \boldsymbol{sh}_i^{\prime \prime }\leftarrow \mathbb {F}_{2^{\sigma + \ell }}^{n}\) and appends them to the view.

2. 2.

   For all \(\mathcal {P}_i \in C\), \(\textsf{Sim}_C\) invokes mq-ssPMT simulator \(\textsf{Sim}_\mathsf {mq\text {-}sspmt}^\mathcal {S}(X_i, \boldsymbol{e}_{i}^{\prime 1})\) and appends the output to the view.

3. 3.

   For all \(\mathcal {P}_i \in C\), \(\textsf{Sim}_C\) invokes ROT simulator \(\textsf{Sim}_\textsf{rot}^\mathcal {S}(\boldsymbol{r}_{1i}^{\prime 0}, \boldsymbol{r}_{1i}^{\prime 1})\) and appends the output to the view.

4. 4.

   For all \(\mathcal {P}_i \in C\), \(\textsf{Sim}_C\) creates \(\boldsymbol{sh}_i\) as Step 4 of \(\varPi _\textsf{mpsi}\). Then invokes multi-party secret-shared shuffle simulator \(\textsf{Sim}_\textsf{ms}^{\mathcal {P}_i}(\boldsymbol{sh}_i, \boldsymbol{sh}_i^{\prime \prime })\) and appends the output to the view.

Now we argue that the view output by \(\textsf{Sim}_C\) is indistinguishable from the real one. In the real world, the output \(\boldsymbol{e}_{1i}^1\) of mq-ssPMT, the output \(\boldsymbol{r}_{1i}^0, \boldsymbol{r}_{1i}^1\) of ROT, and the output \(\boldsymbol{sh}_i^\prime \) of multi-party secret-shared shuffle are uniformly random. Moreover, the outputs of mq-ssPMT and ROT of all parties in \(C\) are mutually independent.

As for the output of multi-party secret-shared shuffle protocol, the share \(\boldsymbol{sh}_1^\prime \) is unknown and uniformly random for corrupted parties because \(\mathcal {P}_1\) is honest. So all \(\boldsymbol{sh}_i^\prime (\mathcal {P}_i\in C)\) are uniformly random and independent of each other from the perspective of \(C\). Notice that in the simulated view, all messages are uniformly random and mutually independent, so the output view of \(\textsf{Sim}_C\) is computationally indistinguishable from real.

\(\mathcal {P}_1\) is Corrupted. In this case, \(C = \{\mathcal {P}_1\}\). So the simulator \(\textsf{Sim}_C(X_1, \bigcap _{i=1}^k{X_i})\) needs to simulate \(\mathcal {P}_1\)’s view. \(\textsf{Sim}_C\) runs as follows:

1. 1.

   For \(2\le i\le k\), \(\textsf{Sim}_C\) samples \(\boldsymbol{e}_{1i}^{\prime 0} \leftarrow \{0,1\}^n\) and \(\boldsymbol{r}_{1i}^{\prime } \leftarrow \mathbb {F}_{2^{\sigma + \ell }}^n\). Then appends all these vectors to the view.

2. 2.

   \(\textsf{Sim}_C\) constructs \(\boldsymbol{z}^\prime \in \mathbb {F}_{2^{\sigma + \ell }}^n\) as follows:

   • Set \(\boldsymbol{z}^\prime \) uninitialized. For each \(x \in \bigcap _{i=1}^k{X_i}\), \(\textsf{Sim}_C\) computes \(x \Vert \textsf{H}(x)\) and set a random uninitialized position of \(\boldsymbol{z}^\prime \) to this value.

   • For all uninitialized positions of \(\boldsymbol{z}^\prime \), set a random value from \(\mathbb {F}_{2^{\sigma + \ell }}\).

3. 3.

   \(\textsf{Sim}_C\) samples \(\boldsymbol{sh}_i^{\prime \prime }\leftarrow \mathbb {F}_{2^{\sigma + \ell }}^n\) for all \(1\le i\le k\), which satisfies \(\bigoplus _{i=1}^k{\boldsymbol{sh}_i^{\prime \prime }} = \boldsymbol{z}^{\prime }\). \(\textsf{Sim}_C\) appends all \(\boldsymbol{sh}_i^{\prime \prime }\) to the view.

4. 4.

   \(\textsf{Sim}_C\) invokes mq-ssPMT simulator \(\textsf{Sim}_\mathsf {mq\text {-}sspmt}^\mathcal {R}(X_1, \boldsymbol{e}_{1i}^{\prime 1})\) for \(2\le i \le k\). Then appends the output to the view.

5. 5.

   \(\textsf{Sim}_C\) invokes ROT simulator \(\textsf{Sim}_\textsf{rot}^\mathcal {R}(\boldsymbol{e}_{1i}^{\prime 0}\oplus 1^n, \boldsymbol{r}_{1i}^{\prime })\) for \(2 \le i \le k\). Then appends the output to the view.

6. 6.

   \(\textsf{Sim}_C\) constructs \(\boldsymbol{sh}_1\) as Step 3 and Step 4 of \(\varPi _\textsf{mpsi}\). Then invokes multi-party secret-shared shuffle simulator \(\textsf{Sim}_\textsf{ms}^{\mathcal {P}_i}(\boldsymbol{sh}_1, \boldsymbol{sh}_1^{\prime \prime })\) and appends the output to the view.

Now we argue that the view output by \(\textsf{Sim}_C\) is indistinguishable from the real one. In the real world, the output \(\boldsymbol{e}_{1i}^0\) of mq-ssPMT, the output \(\boldsymbol{r}_{1i}\) of ROT, and the output \(\boldsymbol{sh}_i^\prime \) of multi-party secret-shared shuffle are uniformly random. Moreover, for different \(i\), they are independent of each other. We prove that \(\boldsymbol{sh}_i^\prime \) from each \(\mathcal {P}_i\) does not leak any other information except for the intersection. For each element \(x_1^t\) that belongs to \(X_1\), if there exists \(2\le i \le k\) that \(x_1^t\notin X_1\cap X_i\), we have \(e_{1i, t}^{\prime 0}\oplus e_{1i, t}^{\prime 1} = 0, r_{1i, t} = r_{1i, t}^{e_{1i, t}^0\oplus 1} \ne r_{ji, t}^{e_{ji, t}^1}\). Therefore, \(\bigoplus _{i=1}^k{sh_{i, t}} = \bigoplus _{i=1}^k{r_{1i, t}} = r \oplus r_{1i, t}^{e_{1i, t}^1} \oplus r_{1i, t}^{e_{1i, t}^0\oplus 1}\) is uniformly random from the perspective of \(\mathcal {P}_1\), where \(r\) is the sum of remaining terms. So in the real world, \(\bigoplus _{i=1}^k{\boldsymbol{sh}_i^\prime }\) is uniformly random except for \(|\bigcap _{i=1}^k{X_i}|\) positions. So the simulated view is computationally indistinguishable from the real.    \(\square \)