An Efficient and Secure Protocol for Privacy Preserving Set Intersection

Transcription

1 An Efficient and Secure Protocol for Privacy Preserving Set Intersection Yingpeng Sang 1, Hong Shen 2, Laurence T. Yang 3, Naixue Xiong 1, Yasuo Tan 1 1 School of Information Science, Japan Advanced Institute of Science and Technology Asahidai, Nomi, Ishikawa, Japan, {yingpeng, naixue, ytan}@jaist.ac.jp 2 School of Computer Science, The University of Adelaide SA 5005, Australia hong@cs.adelaide.edu.au 3 Department of Computer Science, St. Francis Xavier University Antigonish, NS, B2G 2W5, Canada lyang@stfx.ca Abstract When datasets are distributed on different sources, finding out their intersection while preserving the privacy of the datasets is a widely required task. In this paper, we address the Privacy Preserving Set Intersection (PPSI) problem, in which each party learns no elements other than the intersection of the N private datasets. We propose an efficient protocol based on a threshold cryptosystem which is additive homomorphic. The protocol is firstly constructed assuming the adversary is semi-honest and controls arbitrary number of parties, then it s extended to resist the malicious behaviors of the adversary. In comparisons with the related work in [7], [11] and [12], our PPSI protocols in the semi-honest and malicious models achieve lower computation and communication costs. Keywords : cryptographic protocol, privacy preservation, distributed datasets, set intersection. 1 Introduction For datasets distributed on different sources, intersection among these sets is always required to gain useful information. For example, supermarkets need find out the same card numbers which have consuming records in all of their databases, and then provide better service for the card owners. For such kind of applications, privacy may be a critical concern of the data owners, so they are reluctant to directly publish their datasets. Specifically, one supermarket doesn t want other supermarkets to know the card numbers in its database except those in the intersection. Therefore, there should be some 1

2 privacy preserving techniques for them to determine the results of set intersection, without the datasets being directly published. In this paper, we address the problem of Privacy Preserving Set Intersection (PPSI), in which there are N (N 2) parties, each party P i (i = 1,..., N) has a set (or multiset) T i and T i = S, all parties want to learn the intersection T I = T 1... T N, without gleaning any information other than those computed from a coalition of parties inputs and outputs. Basically, we solve PPSI by efficiently constructing and evaluating polynomials whose roots are elements of the set intersection. This paper is an extended version of [18]. In [18] we have proposed an efficient PPSI protocol for the semi-honest model, which has lower computation and communication costs than the PPSI protocols in [11] and [7]. In this paper we give formal definitions of PPSI in both the semi-honest and malicious models, improve the PPSI protocol in the semi-honest model to be secure in the malicious model, and prove its security in the malicious model by the definition. A PPSI protocol for the malicious model has also been proposed in [12], but our protocol achieves lower computation and communication costs in comparisons. The remainder of the paper is organized as follows: Section 2 discusses some related work. The problem of PPSI is defined in Section 3. Section 4 lists the basic tools for our protocol. Section 5 and 6 propose the PPSI protocol for the semi-honest and malicious model respectively. In Section 7 we analyze the security of our PPSI protocol. In Section 8 we compare our protocols with the related work considering the computation and communication costs. Section 9 concludes the whole paper. 2 Related Work PPSI is a specific problem belonging to the general Secure Multiparty Computation (SMC) problem. There have been general solutions for the SMC problem ([9], [20]). In general SMC, the function to be computed is represented by a circuit, and every gate of the circuit is privately evaluated. However, when this general solution is used for a specific problem, the large size of the circuit and high cost of evaluating all gates will result in a much less efficient protocol than the non-private protocol for this problem. Therefore, many efficient private protocols for the specific problems have been proposed based on the specific properties of these problems. PPSI can be traced back to the specific problem of private equality test (PET) in two-party case, where each party has a single element and wants to test whether they are equal without publishing the elements. The problem of PET was considered in [1], [4], [14] and [15]. PET solutions can t be simply used for the multi-party cases of PPSI, otherwise too much sensitive information will be leaked, e.g., any two parties will know the intersection of their private sets. A solution for the multi-party case of PPSI was firstly proposed in [7]. The solution is based on evaluating polynomials representing elements in the sets. In [11], another solution for PPSI was proposed, in 2

3 which each polynomial representing each set is multiplied by a random polynomial which has the same degree with the former polynomial. In this paper, to get a solution with lower cost than [7] and [11], we multiply each polynomial representing each set by a random polynomial which has a low enough degree without compromising the security of the solution. We also multiply the randomized polynomials by a nonsingular matrix to improve the correctness of our solution. We will compare our solution for PPSI with [7] and [11] in details in Section 8. The PPSI protocol in the semi-honest model in [11] was fixed to be secure in the malicious model in [12]. We will also extend our PPSI protocol in the semi-honest model to the malicious model, and compare it with the work in [12]. 3 Problem Definition 3.1 Preliminaries Our PPSI problem aims to securely compute the set intersection among N (N 2) parties. Generally speaking there are two types of probabilistic polynomial-time (PPT) bounded adversaries in SMC: semi-honest and malicious. A semi-honest party is assumed to follow the protocol exactly as what is prescribed by the protocol, except that it keeps a record of all its intermediate computations. A malicious party will arbitrarily deviate from the protocol. For some practical applications, we assume that the number of parties that deviate from the protocol is also arbitrary, other than strictly less than half the total number of parties. Then a protocol secure against the malicious adversary should be tolerable to the following behaviors: refusing to participate in the protocol when the protocol is first invoked, arbitrarily substituting its original local input, and aborting the protocol whenever obtaining the desired result. The security in both types of adversaries is argued by the computational indistinguishability of the views in the ideal model and real model ([8, 13]). Suppose an ensemble X = {X n } n N be a sequence of random variables X n for n N, which are ranging over strings of length poly(n). Two ensembles X = {X n } n N and Y = {Y n } n N are computationally indistinguishable, denoted by X c Y, if for every PPT algorithm A, and every c > 0, there exists an integer N such that for all n N, P r[a(x n ) = 1] P r[a(y n ) = 1] < 1 n. P r[a(x) = 1] is the probability that A outputs 1 on input x. c 3.2 Privacy Preserving Set Intersection Suppose all sets held by the parties are subsets of a common set T, firstly we should prevent the dictionary attack, in which an adversary may defraud the honest party of inputs using T. Therefore, we assume that each party holds a set (or multiset) of the same size S and S T, such that given two arbitrarily selected subsets T i and T i, the probability that an input a T i equals any input a T i is 3

4 negligible (i.e., S T 0). Let N (N 2) be the number of parties, each party P i (i = 1,..., N) has a set (or multiset): T i = {T (i, j) j = 1,..., S}. Let T I = T 1... T N. Let f be an N-ary function: f(t 1,..., T N ) = f(t ) = ({0, 1}) S N, with the (i, j)-th element f ij (T ) = 1 if T (i, j) T I, and f ij (T ) = 0 if T (i, j) / T I for i = 1,..., N, j = 1,..., S. Suppose I = {i 1,..., i c } {1,..., N} be the index set of c (1 c N 1) colluded parties controlled by an adversary. Let f i (T ) = {f ij (T ) j = 1,..., S} and f I (T ) = {f i1 (T ),..., f ic (T )}. Below we define the problem of privacy preserving set intersection in the semi-honest model and malicious model respectively. Definition 1 (PPSI in the semi honest model) Let Π be an N-party protocol for computing f. Let V IEWi Π (T ) denote the view of the i-th party on its input, output, randomness and public transcript during an execution of Π. Let V IEWI Π (x) = (I, V IEW Π i 1 (T ),..., V IEWi Π c (T )). Π is said to privately solve the problem of Privacy Preserving Set Intersection with respect to the semi-honest behavior, if there exists a PPT algorithm S, such that {S(I, (T i1,..., T ic ), f I (T ))} c {V IEW Π I (T )} (1) Definition 2 (PPSI in the malicious model) Let Π be an N-party protocol for computing f. Let a pair (I, A), where A is a PPT algorithm, represent an adversary in the real model. The joint execution of Π under (I, A) in the real model, denoted REAL Π,I,A (T ), is defined as the output sequence resulting from the interaction among the N parties in the execution of Π. Let a pair (I, B), where B is a PPT algorithm, represent an adversary in the ideal model, where there is an available trusted third party. The joint execution of f under (I, B) in the ideal model, denoted IDEAL f,i,b (T ), is defined as the output pair of B and the honest parties in the ideal execution. Π is said to securely solve the problem of privacy preserving set intersection in the malicious model, if for every PPT algorithm A (representing a real-model adversary strategy), there exists a PPT algorithm B (representing an ideal-model adversary strategy), such that {IDEAL f,i,b (T )} c {REAL Π,I,A (T )}. (2) It should be pointed out that both definitions of security have implied the correctness of Π. The views of parties in the real execution of Π should be computationally indistinguishable from their views in the ideal model, so it s necessary that the output of Π on T should also be computationally indistinguishable from the output of f on T. 4

5 4 Basic Tools 4.1 Homomorphic Encryption Our protocol is based on an additive Homomorphic Encryption (HE) scheme. Let ε be a probabilistic encryption scheme. Let M be the message space and C the ciphertext space such that M is a group under operation and C is a group under operation. ε is a (, )-HE scheme if for any instance E R ( ) of the encryption scheme, given c 1 = E r1 (m 1 ) and c 2 = E r2 (m 2 ), there exists an r such that c 1 c 2 = E r1 (m 1 ) E r2 (m 2 ) = E r (m 1 m 2 ). ε is additive when it s a (+, ) scheme, and multiplicative when it s a (, ) scheme. The HE scheme in our protocol is also required to support secure (N, N)-threshold decryption. The corresponding secret key is shared by a group of N parties, and the decryption can t be performed by any single party, unless all parties act together. Thus, we can use Paillier s cryptosystem ([16]) for its following properties: 1) it s an additive homomorphic encryption scheme. Given two encryptions E(m 1 ) and E(m 2 ), E(m 1 + m 2 ) = E(m 1 ) E(m 2 ); 2) given an encryption E(m) and a scalar a, E(a m) = E(m) a ; 3) (N, N)-threshold decryption can be supported (by [5],[6]). In this paper, N is the RSA-modulus which is the multiplication of two large prime numbers, and Z N is the plaintext space of Paillier s cryptosystem. 4.2 Calculations on encrypted polynomials In our protocol, we need do some calculations on encrypted polynomials. For a polynomial f(x) = m i=0 a ix i, we use E(f(x)) to denote the sequence of encrypted coefficients {E(a i ) i = 0,..., m}. Given E(f(x)), where E( ) is an additive HE scheme (e.g., Paillier), some computations can be made as follows (which have also been used in [7] and [11]): 1) At a value v, we can evaluate E(f(x)): E(f(v)) = E(a m v m +a m 1 v m a 0 ) = E(a m ) vm E(a m 1 ) vm 1 E(a 0 ). 2) Given E(f(x)), we can compute E(c f(x)) = {E(a m ) c,..., E(a 0 ) c }. 3) Given E(f(x)) and E(g(x)), g(x) = m j=0 b jx j, we can compute E(f(x)+g(x)) = {E(a m )E(b m ),..., E(a 0 )E(b 0 )}. 4) Given f(x) and E(g(x)), we can compute E(f(x) g(x)). Suppose that g(x) = n j=0 b jx j, f(x) g(x) = m+n k=0 c kx k, then E(c k ) = E(a 0 b k + a 1 b k a k b 0 ) = E(b k ) a0 E(b 0 ) a k. a i or b j are treated as zero if i > m or j > n. 4.3 Notations The major notations in this paper are listed in Table 1. 5

6 Notation N P i Table 1: Major Notations in This Paper Definition Total number of parties The i-th party T i S T (i, j) The set or multiset on P i Total number of elements on each party The j-th element on P i, j = 1,..., S c Total number of colluded parties, 1 c N 1 I The index set of c colluded parties, {i 1,..., i c } I f i Z N The index set of honest parties, {1,..., N} \ I The polynomial whose roots are elements in T i. f i = S j=1 (x T (i, j)) The plaintext space of Paillier s cryptosystem 5 Protocol for Privacy Preserving Set Intersection in the semi-honest model 5.1 Main Idea Our protocol for PPSI is based on evaluating randomized polynomials representing the intersection, which is a similar way with [7] and [11], but achieves lower cost. Each P i can compute a polynomial f i to represent its set T i : f i = (x T (i, 1)) (x T (i, S)). Then it randomizes f i to be f i N j=1 r i,j by the help of other parties, in which r i,j is generated by P j, r i,j = a i,j x + b i,j, a i,j and b i,j are uniformly selected from the plaintext space of the threshold HE scheme (for Paillier s scheme, it s Z N ). The N parties get a polynomial vector F = (f 1 N j=1 r 1,j,..., f N N j=1 r N,j) and compute G = F R, in which R is an N N nonsingular matrix whose entries R uv (1 u, v N) are random numbers. The resulting G is another polynomial vector (g 1,..., g N ) as following: N N g 1 = f 1 r 1,j R f N r N,j R N1 j=1 j=1... N N g N = f 1 r 1,j R 1N f N r N,j R NN j=1 j=1 (3) Then, each P i evaluates (g 1,..., g N ) at the element T (i, j). If for k = 1,..., N g k (T (i, j)) = 0, then P i determines T (i, j) T I. The correctness of this determination will be proved in Lemma 1. In the computation of G, to protect the privacy of each f i, f i is encrypted by P i, and the encryption of f i N j=1 r i,j is computed. Then each party P i generates a random matrix R i so that R = N i=1 R i is 6

7 nonsingular but no one knows what R is without publishing all R i. The encryptions of F R 1, F R 1 R 2,..., F R 1 R N are computed respectively on P 1, P 2,..., P N. Finally, the N parties get the encryption of G = F R. After decryption, each P i knows G, but not f i for i i. 5.2 The Protocol Protocol 1: Protocol for Privacy Preserving Set Intersection in the semi-honest model Inputs: There are N (N 2) parties, any of which may be semi-honest. Each party has a private set of S elements, denoted T i. Each party holds the public key and it s own share of the secret key for the threshold Paillier s cryptosystem. Output: Each party P i knows T I = T 1... T N. 1) Computing E(F ): For i = 1,..., N, 1.1) P i computes f i = (x T (i, 1)) (x T (i, S)), encrypts the coefficients to get E(f i ), and sends E(f i ) to all the other N 1 parties. 1.2) on each P j (j i), r i,j is generated as a i,j x + b i,j, in which a i,j and b i,j are uniformly selected from Z N. P j computes E(f i r i,j ) by computation 4) in Section 3.3, and sends it to P i. 1.3) P i also generates r i,i and computes E(f i r i,i ). Then P i computes E(f i N j=1 r i,j) by computation 3) in Section 3.3, and sends it to P 1. In the end, P 1 gets E(F ) in which F = (f 1 N j=1 r 1,j,..., f N N j=1 r N,j). 2) Computing E(G) : For i = 1,..., N, 2.1) P i generates a nonsingular N N matrix R i which is uniformly distributed over Z N ( by the method in [17]). 2.2) P i computes E(F R 1 R i ) according to computation 2) and 3) in Section 3.3, and sends it to P i+1 if i + 1 N. In the end, P N gets E(G) = E(F N i=1 R i) and sends it to all the other parties. 3) Decryption and Evaluation : 3.1) The parties cooperatively decrypt E(G) and gets G = F ( N i=1 R i). Let R = N i=1 R i, and R u,v (1 u, v N) is the (u, v)-th entry of R, G is a polynomial vector (g 1,..., g N ) as described in equation 2) of Section ) Every P i evaluates T (i, j) in G for j = 1,..., S by computation 1) in Section 3.3. If G(T (i, j)) = ( g 1 (T (i, j)),..., g N (T (i, j)) ) = (0,..., 0), the T (i, j) T I; otherwise, T (i, j) / T I. 7

8 We prove the correctness of Protocol 1 in the following lemma: Lemma 1 Protocol 1 is a correct protocol for the PPSI problem. Proof: Protocol 1 determines whether T (i, j) T I by G(T (i, j)). If T (i, j) T I, T (i, j) is a root of all f i for i = 1,..., N, then F (T (i, j)) = (f 1 (T (i, j)) N j=1 r 1,j,..., f N (T (i, j)) N j=1 r N,j) = (0,..., 0), G(T (i, j)) = F (T (i, j))r = (0,..., 0). That is, if the evaluation G(T (i, j)) (0,..., 0), T (i, j) / T I. Then we prove that if G(T (i, j)) = (0,..., 0), overwhelmingly T (i, j) T I. G = F R 1 R N = F ( N i=1 R i) = F R. Because R i for i = 1,..., N are generated to be nonsingular, R = N i=1 R i is also nonsingular. If G(T (i, j)) = (0,..., 0), a linear system F (T (i, j))r = (0,..., 0) can be made, and it has only one solution: F (T (i, j)) = (0,..., 0), i.e.,f l (T (i, j)) N j=1 r l,j(t (i, j)) = 0 for l = 1,..., N. The coefficients of r l,j are uniformly selected from Z N. Suppose N j=1 r l,j = a l x + b l, a l and b l are also uniformly distributed over Z N. The probability that any T (i, j) Z N is a root of a l x + b l is 1/N. If T (i, j), l {1,..., N}, f l (T (i, j)) N j=1 r l,j(t (i, j)) = 0, because f l (T (i, j)) must be 0 when l = i, so the probability that l (l i) f l (T (i, j)) = 0 is p = (1 1/N ) N 1. N is the number of parties and practically N N. When N is large enough, p 1, then overwhelmingly T (i, j) is a root of all f l and T (i, j) T I. 6 Protocol for Privacy Preserving Set Intersection in the malicious model 6.1 Zero-Knowledge Proofs Efficiently we can construct the following proofs based on proofs of knowledge on statements about discrete logarithms ([2, 10]), the completeness and soundness of which have been argued respectively in the related work. Our constructions compose the basic proofs using AN D ( ) operations, the closure of which is also argued in [3]. These proofs are used in our protocol for the malicious model. 1) Proof of knowing the plaintexts of the encrypted coefficients, P K{f : E(f)}. E(f) are encrypted coefficients of the polynomial f. This is from the proof of knowing a plaintext in [2]. 2) Proof of correct polynomials multiplication, P K{r : M = E(f r) E(f) E(r)}. f r is the multiplication of polynomials f and r. This is from the proof of correct multiplications in [2]. 3) Proof of the nonsingularity of an encrypted matrix, P K{R : D E(0) D = E(det(R)) R = E(R)}. R is an N N matrix, E(R) are the encrypted entries of R, det(r) is the determinant of R. This is from the proof of correct multiplications in [2] and private equality test in [10]. 4) Proof of correct matrix multiplication, P K{R : G = E(F R) F = E(F ) R = E(R)}. F = (f 1,..., f N ) is a vector of polynomials in which the i-th entry is a polynomial f i for i = 1,..., N. 8

9 R is an N N matrix, and E(R) are the encrypted entries of R. This is also from the proof of correct multiplications in [2]. 6.2 Protocols for the Malicious Model We assume the adversary controls arbitrary number of parties, i.e., suppose the number is c, then 1 c N 1. We improve Protocol 1 to be Protocol 2, preventing the following malicious behaviors of the adversary by the zero-knowledge proofs in Section 6.1: 1) arbitrarily sending to others an encrypted polynomial without knowing its coefficients, e.g., just sending to others the encrypted polynomial received from other parties. Therefore, each party P i should prove that he knows the coefficients of the polynomial he encrypts or multiplies, with the proof 1) and 2) of Section ) encrypting a polynomial whose coefficients are all zeros, then in equation 2) the malicious adversary will know the intersection of all honest parties. In Protocol 2, the honest parties can reset the leading coefficient of polynomials received from others to be E(1), and then g k for k = 1,..., N can still hide the polynomials of the honest parties. 3) generating a singular matrix R i, then if G(T (i, j)) = (0,..., 0), it s unnecessary that all f l (T (i, j)) = 0 for l = 1,..., N. Therefore, each party P i should prove that R i it generates is nonsingular with the proof 3) of Section ) doing multiplication with a matrix R i other than the committed matrix R i. Each party should prove that he does correct matrix multiplication with the matrix R i it has committed, with the proof 4) of Section 6.1. Under these zero-knowledge proofs, each party should either behave in a semi-honest manner or being detected as cheating. Protocol 2: Protocol for Privacy Preserving Set Intersection in the malicious model Inputs: There are N (N 2) parties, any of which may be malicious. Each party has a private set of S elements, denoted T i. Each party holds the public key and it s own share of the secret key for the threshold HE cryptosystem. Output: Each party P i knows T I = T 1... T N. Steps: 1) Computing E(F ): For i = 1,..., N, 9

10 1.1) P i computes f i = (x T (i, 1)) (x T (i, S)), encrypts the coefficients to get E(f i ), and sends E(f i ) to all the other parties with the proof of knowing the plaintexts of the encrypted coefficients, P K{f i : E(f i )}, excluding the leading coefficient. 1.2) For j = 1,..., N, each P j sets the leading coefficient of E(f i ) to be E(1), generates a random polynomial r i,j. P j computes M i,j = E(f i r i,j ), P i,j = E(r i,j ), and sends them to all the other partes, with the proof of correct polynomials multiplication P K{r i,j : M i,j = E(f i r i,j ) E(f i ) P i,j = E(r i,j )}. 1.3) All P j for j = 1,..., N compute E(f i N j=1 r i,j). In the end, all P i for i = 1,..., N get E(F ) in which F = (f 1 N j=1 r 1,j,..., f N N j=1 r N,j). 2) Computing E(G) : For i = 1,..., N, 2.1) P i generates a random nonsingular N N matrix R i, and sends R i = E(R i ) and D i = E(det(R i )) to all the other parties, with the proof of the nonsingularity of the encrypted matrix P K{R i : D i E(0) D i = E(det(R i )) R i = E(R i )}. 2.2) P i computes G i = E(F R 1 R i ), and sends it to all the other parties, with the proof of correct matrix multiplication P K{R i : G i = E(F R 1 R i ) G i 1 = E(F R 1 R i 1 ) R i = E(R i )}. In the end, all P i for i = 1,..., N get E(G) = E(F N i=1 R i). 3) Decryption and Evaluation : 3.1) All parties cooperatively decrypt E(G). 3.2) Every P i evaluates T (i, j) in G for j = 1,..., S. If G(T (i, j)) = (0,..., 0), the T (i, j) T I; otherwise, T (i, j) / T I. 7 Security Analysis 7.1 Security Analysis on Protocol The Inferred Information by the Definition of PPSI Suppose there are c colluded parties P I, I = {i 1,..., i c }. It s unavoidable for P I to combine their inputs and outputs to infer information. However, by the definition of PPSI in Section 1, they should know no more information than T I in each T i, i I, I = {1,..., N} \ I. That is, 1) On P i P I, if T (i, j) T I, they know each T i has T (i, j). 2) On P i P I, if T (i, j) / T I, they don t know whether T (i, j) T i for i I. 10

11 7.1.2 The Inferred Information after Participating in Protocol 1 In Protocol 1, each P i gets G = (g 1,..., g N ), so P I may infer the roots of f i for i I by analyzing the coefficients in G. By the following lemma, we prove that G resists such kind of analysis. Lemma 2 In Protocol 1, any P i in the coalition of c (1 c N 1) semi-honest parties (P I ) can know no more elements than T I in any T i for i I. Proof: Due to the security of the threshold HE cryptosystem, P I can t know any information on the plaintexts of the encryptions unless they are decrypted. We use P i to denote any party in P I. P i gets only the decryption of E(G). If G(T (i, j)) = (0,..., 0), by Lemma 1, P i knows T (i, j) is a root for all f l (l = 1,..., N) and each T i has T (i, j). This accords with the case 1) in Section ) We firstly prove that, if G(T (i, j)) (0,..., 0), P i doesn t know whether T (i, j) T i for i I, that is, whether T (i, j) is a root of any f i. From the view of P i, G = F ( i I R i i I R i ), i I R i is generated by P I, and i I R i is generated by P I. P i doesn t know i I R i, thus if G(T (i, j)) (0,..., 0), P i can t compute F (T (i, j)). Then P i can t know any f i (T (i, j)) and whether T (i, j) T i for i I. This accords with the case 2) in Section ) P i may also analyze the coefficients of a single g l (l = 1,..., N). g l = f T I (F I + F I ), in which f T I is the polynomial whose roots are T I, F I = i I (f i/f T I N j=1 r i,jr il ), and F I = i I (f i /f T I N j=1 r i,jr i l). We should also prove that P i can t know F I, otherwise he will know i I T i by factoring F I. From the view of P i, in F I, i I, N j=1 r i,jr il can be supposed as b i,1 x + b i,0, in which b i,1 and b i,0 are random numbers. Given f i /f T I = S T I k=0 a i,k x k, suppose f i /f T I N j=1 r i,jr il = S T I +1 k=0 c i,k x k, then c i,k = a i,k b i,0 + a i,k 1 b i,1. Suppose F I = S T I +1 k=0 e k x k, then e k = i I c i,k. Suppose F I = S T I +1 k=0 e k xk, then the k-th coefficient of F I + F I : e k = e k + e k = i I (a i,kb i,0 + a i,k 1 b i,1 ) + e k. P i knows all e k from g l/f T I, and all a i,k from f i /f T I, but doesn t know all b i,1, b i,0, and e k. Thus from e k = i I (a i,kb i,0 + a i,k 1 b i,1 ) + e k, P i gets a set of S T I + 2 linear equations with 2c+S T I +2 unknowns. For 1 c N 1, P i can t compute the solutions for these unknowns. Therefore, P i can t know e k for k = 0,..., S T I + 1, and can t know any root of F I. In each g l (l = 1,..., N), P i can t know F I, which makes P i fail to know any f i /f T I in F I. In sum, in Protocol 1, P i P I can know no more roots than T I in any T i for i I. Theorem 1 Protocol 1 is a secure protocol Π in Definition 1, which privately solves the PPSI problem with respect to the semi-honest behaviors of arbitrary number of parties. 11

12 The proof of this theorem is postponed in the Appendix A. 7.2 Security Analysis on Protocol 2 Theorem 2 Assuming the threshold Paillier encryption is semantically secure and the zero-knowledge proofs in Protocol 2 can t be forged, Protocol 2 is a secure protocol Π in Definition 2, which securely solves the problem of PPSI when the number of malicious parties is arbitrary. This theorem can be proved following the ideal-vs.-real emulation paradigm. The detailed proof is postponed to the Appendix A. 8 Comparisons with Related Work 8.1 Comparisons for Protocol 1 Complexity of Protocol 1 : 1) Computation Cost: Each Paillier s encryption and decryption requires a cost of 2lgN modular multiplications (mod N 2 ). Each exponentiation has the same cost with the encryption. We compare our protocol with other related work regarding their computation cost on encryptions and multiplications of ciphertexts, and consider modular multiplication (mod N 2 ) as a basic computation. Thus, for each party in Protocol 1, the total encryptions are (S + 2)(N 1) 2 2, and the total multiplications of ciphertexts are (S + 2)(N 2 + 2N 3). Then the total computation cost for each party is 2((S + 2)(N 1) 2 2)lgN + (S + 2)(N 2 + 2N 3) modular multiplications. 2) Communication Cost: The length of each encryption is 2lgN. Then in Protocol 1, the total communication cost among all parties is 2N(N 1)(4S + 5)lgN bits. Speeding up techniques can be employed in Protocol 1. If all parties ensure that there is a coalition of c (1 c N 1) semi-honest parties, in Step 1) of Protocol 1 each E(f i ) can be randomized as E(f i c+1 j=1 r i,j) by sending E(f i ) to any c parties, instead of all the other N 1 parties. In Step 2) E(G) can be computed as E(F c+1 i=1 R i). What s more, in Step 1) the iterations i = 1,..., N can be made in parallel. Then the computation cost is 2(c(S + 2)(N 1) 2)lgN + c(s + 2)(N + 3) modular multiplications. The communication cost is 2cN(4S + 5)lgN bits. Kissner s Protocol : In Kissner s protocol for PPSI ([11]), a single polynomial F = N l=1 f l N k=1 r l,k is constructed and evaluated on each T (i, j). f l is a polynomial representing elements on P l, r l,k is a polynomial uniformly selected by P k and has the same degree with f l. In this protocol, it s easy 12

13 to see that T (i, j) T I is a sufficient condition for the evaluation F (T (i, j)) = 0, but F (T (i, j)) = 0 is not a sufficient condition for l {1,..., N} f l (T (i, j)) N k=1 r l,k(t (i, j)) = 0. In Lemma 1 we have proved that if l {1,..., N} f l (T (i, j)) N k=1 r l,k(t (i, j)) = 0, the probability that T (i, j) T I is (1 1/N ) N 1. Therefore, in Kissner s protocol, if F (T (i, j)) = 0, the probability that T (i, j) T I is less than the probability achieved by our Protocol 1. The major cost of this protocol is on computing the encrypted F. cryptosystem. shown in Table 2. It s also based on Paillier s The computation cost for each party and communication cost among all parties are Freedman s Protocol : In Freedman s protocol for PPSI ([7]), each party P i (i = 1,..., N 1) sends the encrypted polynomial f i representing its elements to P N. P N evaluates its elements T (N, j) for j = 1,..., S on all these polynomials, randomizes the evaluations and sends them to all the other parties. These parties decrypt and combine the evaluations to determine whether T (i, j) T I. In this protocol each party also generates a random matrix, but the matrices are used in a different way from our Protocol 1 for they aren t full rank and not for multiplications. The XOR of each row of the matrices is required to be zero, and they are used to randomize the decryptions on each party. The major cost of this protocol is on the evaluations of encrypted polynomials at all elements of P N. The protocol is also based on Paillier s cryptosystem. The average computation cost for each party and communication cost among all parties are shown in Table 2. In [7] only the protocol for the semi-honest model is given. Comparisons of 3 protocols : From Table 2, the computation costs of Protocol 1, protocol in [11] and [7] are respectively O(cSNlgN ), O(cS 2 lgn ), O(S(S + N)lgN ). Practically the size of a set, S, may be much larger than the number of parties, N. Then it s easy to see that Protocol 1 is more efficient in computation than [11] and [7], and more efficient in communication than [11]. For a quantitative analysis, we conservatively set S = 20, N = 5, and set c = 3, lgn = 1024, then Protocol 1 saves 81% and 63% computation costs, 17% and 20% communication costs in comparison with [11] and [7]. We also notice that if c = 4, i.e., all of the N parties are semi-honest, then the communication cost in Protocol 1 will increase by 6% in comparison with [7]. Thus Protocol 1 can utilize the knowledge on honest relationships among some of the N parties to reduce the communication cost. Table 2: Comparisons of solutions for the PPSI problem in the semi-honest model Computation Cost Communication Cost Security Model Our Protocol 1 2(c(S + 2)(N 1) 2)lgN + c(s + 2)(N + 3) 2cN(4S + 5)lgN Semi-honest Protocol in [11] 2(c(S + 1) 2 + 5S + 3)lgN + c(s 2 + 4S + 2) 2cN(5S + 2)lgN Semi-honest Protocol in [7] ((S + 1)(S + 2) + 3S(N 1) 1)2lgN + S(S + 1) 10S(N 1) 2 lgn Semi-honest 13

14 8.2 Comparisons for Protocol 2 The complexity of Protocol 2 is determined by the complexity of Protocol 1, and a linear combination of the complexity of the zero-knowledge proofs in Section 6.1. The proofs in Section 6.1 are based on the basic blocks, such as proof of knowing the plaintext, proof of correct multiplication, and private equality test, all of which have a computation cost of O(lgN ) modular multiplications, and a communication cost of O(lgN ) bits, according to [2] and [10]. Thus Protocol 2 keeps the same level of complexity as Protocol 1, that is, it has a computation cost of O(cSNlgN ) modular multiplications, and a communication cost of O(cSNlgN ) bits. In [12] the PPSI protocol for the semi-honest model is also extended to the malicious model. The computation cost of that protocol is O(cS 2 lgn ) modular multiplications, and the communication cost is O(cSNlgN ) bits. In the following Table 3, we list the costs of the two protocols. In practical applications, the size of a set S can be much larger than the number of parties N, so our Protocol 2 can be faster than the protocol in [12]. Table 3: Comparisons of solutions for the PPSI problem in the malicious model Computation Cost Communication Cost Security Model Our Protocol 2 O(cSN lgn ) O(cSN lgn ) Malicious Protocol in [12] O(cS 2 lgn ) O(cSNlgN ) Malicious 9 Concluding Remarks We address the problem of Privacy Preserving Set Intersection (PPSI) among N parties. The problem is solved by constructing polynomials representing elements in the set intersection, and evaluating the polynomials to determine whether an element is in the set intersection, without publishing the datasets on each party. Our protocol is firstly constructed and the security is analyzed assuming there is a coalition of arbitrary c (1 c N 1) semi-honest parties. Then the protocol is extended by some zero-knowledge proofs and the security is also analyzed assuming there is a coalition of arbitrary number of malicious parties. In comparison with related work in [11], [7] and [12], our protocol has less computation and communication costs in both models. In the future, we will utilize our protocol to protect the privacy in some practical problems, e.g., internet congestion control ([19]). 14

15 Acknowledgment This research is conducted as a program for the Fostering Talent in Emergent Research Fields in Special Coordination Funds for Promoting Science and Technology by Ministry of Education, Culture, Sports, Science and Technology, Japan. References [1] F. Boudot, B. Schoenmakers and J. Traor e, A Fair and Efficient Solution to the Socialist Millionaires Problem, in Discrete Applied Mathematics, 111(1-2), pp , [2] R. Cramer, I. Damgard, and J. Nielsen, Multiparty Computation from Threshold Homomorphic Encryption, in Advances in Cryptology - EUROCRYPT 2001, LNCS, Springer, vol. 2045, pp , [3] A. D. Santis, G. D. Crescenzo, G. Persiano, and M. Yung. On Monotone Formula Closure of SZK. in Proc. of the 35th Annual Symposium on Foundations of Computer Science, pp , IEEE Computer Society, [4] R. Fagin, M. Naor, and P. Winkler, Comparing Information without Leaking It, in Communications of the ACM, 39(5): 77-85, [5] P. Fouque, G. Poupard and J. Stern, Sharing Decryption in the Context of Voting or Lotteries, in Proc. of the 4th International Conference on Financial Cryptography, pp , [6] P. Fouque and D. Pointcheval, Threshold Cryptosystems Secure against Chosen-ciphertext Attacks, in Proc. of Asiacrypt 2001, pp , [7] M. Freedman, K. Nissim and B. Pinkas, Efficient Private Matching and Set Intersection, in Proc. of Eurocrypt 04, LNCS, Springer, vol. 3027, pp. 1-19, [8] O. Goldreich, Foundations of Cryptography: Volume 2, Basic Applications, Cambridge University Press, [9] O. Goldreich, S. Micali, and A. Wigderson, How to Play Any Mental Game, in Proc. of 19th STOC, pp , [10] M. Jakobsson and A. Juels, Mix and Match: Secure Function Evaluation via Ciphertexts, in ASIACRYPT 2000, pp , [11] L. Kissner and D. Song, Privacy-Preserving Set Operations, in Advances in Cryptology - CRYPTO 2005, LNCS, Springer, vol.3621, pp ,

16 [12] L. Kissner and D. Song, Privacy-Preserving Set Operations, in Technical Report CMU-CS , Carnegie Mellon University, June [13] Y. Lindell. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation. in Journal of Cryptology, 16(3): pp , [14] H. Lipmaa, Verifiable Homomorphic Oblivious Transfer and Private Equality Test, in Advances in Cryptography ASIACRYPT 2003, pp , [15] M. Naor and B. Pinkas, Oblivious Transfer and Polynomial Evaluation, in Proc. of the 31st Annual ACM Symposium on Theory of Computing, pp , [16] P. Paillier, Public-key Cryptosystems based on Composite Degree Residuosity Classes, in Proc. of EUROCRYPT 1999, pp , [17] D. Randall, Efficient Generation of Random Nonsingular Matrices, in Random Structures and Algorithms, vol. 4(1), pp , [18] Y. Sang, H. Shen, Y. Tan and N. Xiong, Efficient Protocols for Privacy Preserving Matching Against Distributed Datasets, accepted by the 8th International Conference on Information and Communications Security (ICICS 06), LNCS, [19] N. Xiong, X. Defago, X. Jia, Y. Yang, and Y. He, Design and Analysis of a Self-tuning Proportional and Integral Controller for Active Queue Management Routers to support TCP Flows, in Proc. of IEEE INFOCOM, [20] A.C. Yao, Protocols for Secure Computations, in Proc. of the 23rd Annual IEEE Symposium on Foundations of Computer Science, pp , A Proofs of Theorems Theorem 1: Protocol 1 is a secure protocol Π in Definition 1, which privately solves the PPSI problem with respect to the semi-honest behaviors of arbitrary number of parties. Proof: Protocol 1 provides a Π to compute f. Given any coalition of c (c N 1) semi-honest parties indexed by I = {i 1,..., i c }, by Definition 1 in Section 3.2, we have to show that there exists a PPT algorithm S such that S(I, (T i1,..., T ic ), f I (T )) and V IEWI Π (T ) are computationally indistinguishable. V IEWI Π(T ) = {V 1, V 2, V 3, V 4 }: 1) V 1 is I = {i 1,..., i c }. 2)V 2 are T i1,..., T ic. 3)V 3 are E(G) and the intermediate encryptions received by P I. 4)V 4 are G(T (i t, j)) for any i t I. With these views, the coalition can do the following two types of analysis: 16

17 1) Cryptanalysis on (V 1, V 2, V 3 ): Due to the semantic security of the threshold HE cryptosystem, P i can t gain extra information from the encryptions in V 3. That is, supposing V 3 has s encryptions, with only negligible probability, P i can distinguish V 3 and ER 1 = (E(r 1 ),..., E(r s )) by randomly choosing R 1 = (r 1,..., r s ) over the plaintext space of the HE scheme. Thus, (V 1, V 2, V 3 ) c (V 1, V 2, R 1, ER 1 ). 2) Roots analysis on (V 1, V 2, V 4 ): From Lemma 2, P I can t know roots other than T I in any f i for i I. Thus, V 4 = (A, T I). A = {a it,j i t {i 1,..., i c }, j = 1,..., S} in which a it,j = 1 if G(T (i t, j)) = (0,..., 0), and a it,j = 0 otherwise. In sum, V IEW Π I (T ) c (V 1, V 2, R 1, ER 1, A, T I). f I (T ) = (A, T I) by the analysis in Section Let R 1 = {r i i = 1,..., s} are randomly chosen by P I, and ER 1 are the encryptions of the sequence in R 1, then S(I, (T i 1,..., T ic ), f I (T )) c (I, (T i1,..., T ic ), A, T I, R 1, ER 1) c (V 1, V 2, A, T I, R 1, ER 1 ) c V IEWI Π (T ). Then Protocol 1 privately computes PPSI against the coalition of any c (c N 1) semi-honest parties. Theorem 2: Assuming the threshold Paillier encryption is semantically secure and the zero-knowledge proofs in Protocol 2 can t be forged, Protocol 2 is a secure protocol Π in Definition 2, which securely solves the problem of PPSI when the number of malicious parties is arbitrary. Proof: Suppose A and B are respectively adversarial strategies in the real and ideal model, and they control the same set of parties P I (1 I N 1) during the executions. Protocol 2 actually provides a Π to compute the function f as defined in Section 3. We need to prove that the views of A and B are computationally indistinguishable, in order to prove the the joint executions {IDEAL f,i,b (T )} c {REAL Π,I,A (T )}. Firstly we analyze the view of A. In the real execution of Protocol 2, A can t know the plaintexts of encryptions received from the honest parties, can t extract information other than the statements in the zero-knowledge proofs in Step 1.1), 1.2), 2.1), 2.2), and can t convince the honest parties on any false statement. In Step 1.2), A can t commit zero polynomials so that in Step 3.1), k {1,..., N}, g k won t become l I f l N j=1 r l,jr l,k (I is the set of honest parties), otherwise A will know the intersection of i I P i. By Lemma 2, A can t know more elements than T I on P i (i I ). Secondly we analyze the view of B. In the ideal model, the honest parties (denoted by P I ) and malicious parties controlled by B compute f by the help of the trusted third party (TTP). B can be constructed using A as a subroutine as following: 1) Computing F : 1.1) B invokes A. A intentionally generates f j for each party P j in it, and sends E(f j ) to B. B sets the leading coefficient of E(f j ) to be E(1), and emulates the proof P K{f j : E(f j )} to 17

18 check whether a verifier will be convinced that P j knows the plaintexts of each coefficient in E(f j ) excluding the leading coefficient. If the verifier would be convinced, B sends f j to the TTP, otherwise he aborts. For the honest parties in P I, they send their polynomials directly to the TTP. 1.2) The TTP encrypts all f i for i = 1,..., N and sends them to the honest parties and B. B invokes A again. B forwards all E(f i ) to A. For i = 1,..., N, A generates a random polynomial r i,j for each party P j in it, computes M i,j = E(f i r i,j ), P i,j = E(r i,j ), and sends them to B. B checks whether a verifier will be convinced that the polynomials multiplication is correct by emulating the proof P K{r i,j : M i,j = E(f i r i,j ) E(f i ) P i,j = E(r i,j )}. If the verifier would be convinced, B sends all f i r i,j to the TTP, otherwise he aborts. For the honest parties P j in P I, they generate a random polynomial r i,j for i = 1,..., N and send all f i r i,j directly to the TTP. 1.3) The TTP computes F = (f 1 N j=1 r 1,j,..., f N N j=1 r N,j). 2) Computing G : The TTP sets R 0 to be an N N identity matrix. For j = 1,..., N, the TTP computes G j = F R 0 R j 1, and sends E(G j ) to P j. 2.1) If P j is in B, B invokes A. A generates a random nonsingular N N matrix R j for each P j, and sends R i = E(R j ) and D j = E(det(R j )) to B. B checks whether a verifier will be convinced that R j is nonsingular by emulating the proof of P K{R j : D j E(0) D j = E(det(R j )) R j = E(R j )}. Then A computes G j+1 = E(F R 0 R j ), and sends it to B. B checks whether a verifier will be convinced that the matrix multiplication is correct by emulating the proof P K{R j : G j+1 = E(F R 0 R j ) G j = E(F R 0 R j 1 ) R j = E(R j )}. If the verifier would be convinced by both proofs, B sends R j to the TTP, otherwise he aborts. 2.2) If P j is an honest party, he generates a nonsingular matrix R j and send it directly to the TTP. 3) Evaluation : 3.1) The TTP gets G = F R 0 R N and sends it to all parties. 3.2) Every P i evaluates T (i, j) in G for j = 1,..., S. If G(T (i, j)) = (0,..., 0), the T (i, j) T I; otherwise, T (i, j) / T I. According to the above procedure, in assumption of the Paillier encryption is semantically secure and the zero knowledge proofs can t be forged, the view of B is computationally indistinguishable from the view of A, so the joint executions {IDEAL f,i,b (T )} c {REAL Π,I,A (T )}. 18