Ágnes kiss*, jian liu, thomas schneider, n. asokan, and ... · 1 introduction private set...

Proceedings on Privacy Enhancing Technologies ; 2017 (4):177–197

Ágnes Kiss*, Jian Liu, Thomas Schneider, N. Asokan, and Benny Pinkas

Private Set Intersection for Unequal Set Sizeswith Mobile ApplicationsAbstract: Private set intersection (PSI) is a crypto-graphic technique that is applicable to many privacy-sensitive scenarios. For decades, researchers have beenfocusing on improving its efficiency in both communi-cation and computation. However, most of the existingsolutions are inefficient for an unequal number of inputs,which is common in conventional client-server settings.In this paper, we analyze and optimize the efficiencyof existing PSI protocols to support precomputation sothat they can efficiently deal with such input sets. Wetransform four existing PSI protocols into the precom-putation form such that in the setup phase the commu-nication is linear only in the size of the larger input set,while in the online phase the communication is linear inthe size of the smaller input set. We implement all fourprotocols and run experiments between two PCs andbetween a PC and a smartphone and give a systematiccomparison of their performance. Our experiments showthat a protocol based on securely evaluating a garbledAES circuit achieves the fastest setup time by severalorders of magnitudes, and the fastest online time in thePC setting where AES-NI acceleration is available. Inthe mobile setting, the fastest online time is achievedby a protocol based on the Diffie-Hellman assumption.

Keywords: Private set intersection, Bloom filter, oblivi-ous pseudorandom function

DOI 10.1515/popets-2017-0044Received 2017-02-28; revised 2017-06-01; accepted 2017-06-02.

*Corresponding Author: Ágnes Kiss: TU Darmstadt,E-mail: [email protected] Liu: Aalto University, E-mail: [email protected] Schneider: TU Darmstadt, E-mail:[email protected]. Asokan: Aalto University and University of Helsinki, E-mail: [email protected] Pinkas: Bar Ilan University, E-mail:[email protected]

1 IntroductionPrivate set intersection (PSI) enables two parties tocompute the intersection of their inputs in a privacy-preserving way, such that only the common inputs arerevealed. PSI has been used in many privacy-sensitivescenarios such as common friends discovery [47], fully-sequenced genome test [5], online matching [24], collab-orative botnet detection [46], location sharing [49] aswell as measuring the rate of converting ad viewers tocustomers [53].

In the above mentioned scenarios, both parties havean equal number of inputs, i.e., the input sets havesimilar sizes. However, an unequal number of inputscommonly appears in client-server settings, where theserver’s data set is significantly larger than that of theclient, such as applications in the mobile setting. More-over, in many scenarios, the server’s large database mayundergo frequent updates, which poses another chal-lenge for the design of PSI protocols when unequal setsizes are considered. In these scenarios, the client alsohas limited computational power and storage capacitycompared to the server.

In the following, we detail example application sce-narios where the client’s input set is significantly smallerthan the server’s input set, which may be frequentlyupdated. In our scenarios, since the database can be atrade secret of a provider and thus a business advantage,it should be kept private (as in [58, 60]).

Mobile malware detection service. An an-tivirus company which holds a large malware databasewants to provide a malware detection service in aprivacy-preserving way, i.e., an end-user can use thisservice to check a small set of applications such thatthe company learns nothing about these applicationsand the user learns nothing about the database exceptfor the detected malware. Here, the number of malwaresignatures in the database is significantly larger thanthe number of applications on the user’s device. Natu-rally, malware signatures need to be frequently insertedto or removed from the server’s database. A similar ap-plication was presented in [60] where a solution usingtrusted hardware was proposed.

UnauthenticatedDownload Date | 10/17/17 10:18 PM

Article title 178

Mobile messaging service. A messaging servicefor mobile devices has a large set of users, stored in aserver-side database. Once it is installed on a mobile de-vice, the user wants to check if anyone on its contact listis using that messaging service, i.e., if any of the user’scontacts are in the database. The number of contacts ofthe user is significantly smaller than that stored in thedatabase. The messaging service should allow new usersto register and old users to unregister.

Discovery of leaked passwords. A databasestoring breached or stolen passwords could provide aservice that allows a user to detect if its passwords areamong the stolen ones stored in the database or not. Inthis case, the number of passwords used by the client issignificantly smaller than the number of entries in thedatabase, which might be updated with new passwordleaks continuously. A scenario where the account nameis stored instead of the stolen passwords can also be con-sidered. Here, even though the account name of the usermight be public, revealing the different account namesof the same user might violate its privacy.

Search for chemical compound databases.In [58], the authors consider a scenario where similarcompounds are to be recovered by searching a databasefor an existing chemical compound. However, in certainscenarios we can assume that only exact matches areinteresting. Then, private set intersection for unequalnumber of inputs and efficient updates can provide amore efficient solution than the protocol in [58].

A PSI scheme with sublinear complexity in bothcomputation and communication seems to be impossi-ble since the server has to touch the whole database.Otherwise, the server would learn that the elements leftuntouched are not in the client’s input set which wouldcompromise the client’s privacy. There are promis-ing research directions such as random-access ma-chine (RAM) model secure computation (e.g., [28]),fully homomorphic encryption (e.g., [25]), or proto-cols based on (symmetric/single-server) private infor-mation retrieval (PIR) (e.g., [41]), that may providesolutions with sub-linear complexity if adapted to theoffline/online setting. However, currently all these so-

lutions have substantially higher constant factors thanthe protocols studied in this work.1

Three phases of the protocols. In this paper,we propose a practical solution to the problem de-scribed above by exploiting the offline/online character-istics of the scenarios of interest, similarly to the strat-egy of [13] for generic secure two-party computation.Throughout this paper, we refer to the following threephases for our different protocols: the base phase wheredata-independent precomputation takes place; the setupphase with communication linear in the server’s largerset, and the online phase with communication linear inthe client’s smaller set. Moreover, our main aim is toshift most of the communication and computation intothe base and setup phases and have a very efficient on-line phase for unequal number of inputs with efficient se-cure updates in the database, since the other two phasesneed to be run once and the online phase is required foreach query.

By having the server transfer O(NS ) data once ina setup phase, where NS is the size of the the server’sdatabase, we are able to shift the bulk of the communi-cation offline. After this, communication and computa-tion linear only in the size of the client’s input set NC

is required in the online phase, which is assumed to besignificantly smaller than NS . For instance, in our firstmotivating scenario, after installing the service providedby the malware database, the user may run the baseand setup phases overnight. Then, by running the onlinephase, the client can get access to the list of installedmalwares on its device within a short period of time.Thereafter, efficient updates (i.e., insertion or deletion)on the database can be performed without recomputingthe base and setup phases. An update in the client’s in-put set requires running only the efficient online phase.

1.1 Our Contributions

In this paper we investigate the efficiency of PSI proto-cols in the precomputation setting, especially when oneparty has significantly more inputs than the other. Moredetailed, our contributions are as follows:

1 All known single-server PIR constructions require the serverto compute for each query one public-key operation per item inits database. Therefore, even though communication might besmall, the computation overhead of the server is O(NS) expen-sive operations per query and downloading the database is inmany cases more efficient than PIR [59].


Article title 179

Improving existing PSI protocols (§2).We in-vestigate four existing PSI protocols with linear com-munication complexity: RSA-based PSI (RSA-PSI) of[11], Diffie-Hellman-based PSI (DH-PSI) of [35], Naor-Reingold OPRF-based PSI (NR-PSI) of [31, 48], andPSI using AES evaluated with a garbled circuit (GC-PSI) of [54]. We show that these protocols can be usedin the setting of PSI with an unequal number of inputssuch that the complexity in the online phase dependsonly on the size of the client’s small input set. We de-scribe how the larger input set can be updated efficientlywithout running the setup phase again. Moreover, weextend these protocols by using Bloom filters to reducethe communication and storage overhead.

Experimental comparison (§3). We imple-mented all four PSI protocols and systematically com-pare their performance. We built a prototype for theclient’s application both on PC and on an Android plat-form. To the best of our knowledge, this is the firstcomparison of PSI protocols with linear complexity ona smartphone. Our experiments show that the protocolbased on the secure evaluation of a garbled AES cir-cuit achieves the best overall performance but requiresthe most online communication and client storage ca-pacity. Its setup phase is orders of magnitude moreefficient than that of any other protocol, since it em-ploys only very efficient AES evaluations on the server’slarge database. Its online phase is also the most effi-cient in our PC implementation using hardware accel-erated AES, while in the smartphone setting the proto-col based on the Diffie-Hellman assumption is more effi-cient. Our results on PC indicate that advancements onhardware-accelerated encryption on smartphones couldgreatly improve the performance of PSI with unequalset sizes.

Further extensions (§4). We show that some ofthe protocols can serve multiple clients over a broadcastcommunication channel or a content distribution net-work and can easily be secured against malicious clients.

1.2 Related Work on PSI

Among the first protocols for PSI was the PSI protocolof [23] which is based on Oblivious Polynomial evalua-tion (OPE). However, this protocol requires (NS )2 com-putationally heavy public-key operations in the onlinephase. In this work, we are interested in protocols withlinear computation and communication complexity.

The first PSI protocol with linear computation andcommunication complexity was proposed in [44], and isbased on the Diffie-Hellman protocol (DH).

PSI using oblivious pseudorandom function (OPRF)evaluation was proposed in [22, 31], where the Naor-Reingold (NR) pseudorandom function [48] was used.In this protocol, S randomly chooses a symmetric keyk and sends PRFk(xi) for all its elements xi ∈ X to C.Then, they invoke an OPRF protocol, where C inputs itselements yi ∈ Y , S inputs k and C obliviously obtainsPRFk(yi) as output. Using these values, C can computethe intersection. A variant of this protocol where thePRF is instantiated with AES has been proposed in[54]. The OPRF can also be instantiated using RSAblind signatures [11].

Today’s most recent and most efficient PSI pro-tocols are based on efficient OT extension and useeither garbled Bloom filters [18] or hashing to bins[39, 53, 55, 56]. The basic idea of all OT-based PSIprotocols is having S and C run a random OT for eachbit of C’s input yi, such that S gets two random valuesand C gets one of them corresponding to its input bits.Then, both of them XOR the random values for eachof their input elements. S sends the results to C, wholocally checks the existence of its inputs. The data sentby S is linear in the size of its input set, and it must besent for each query since the randomness can be usedonly once. Therefore, such protocols are not suitable forthe online/offline setting.

Existing PSI protocols are compared in [56], whereexperiments are performed for both equal and unequalnumber of inputs. We reviewed the different PSI pro-tocols surveyed in [55, 56] for their adaptability in oursetting, i.e., if they can be transformed to have an on-line phase dependent only on one of the parties’ inputs.Most of the existing protocols require linear work in thesize of both sets for each query and therefore are notadaptable for our setting, as depicted in Tab. 1.

Implementations of PSI protocols on smartphonessuch as [4, 10, 33] can be found in the literature, butthey either do not achieve linear complexity or do notconsider the offline/online setting, and hence are notsuited for our scenario.

Our work is similar to [50], where protocols wereinstantiated using RSA blind signatures and the Naor-Reingold OPRF. Our RSA-PSI is an improvement overtheir RSA-based protocol by shifting all possible com-putation offline in order to achieve a more efficient on-line phase. Our NR-PSI is different from their Naor-Reingold OPRF-based protocol since they need to runmultiple OPRF instances to calculate the Bloom filter


Article title 180

Type Protocol Reference Adaptable

Public-keyOPE [23] ×RSA [11] X (§2.1)DH [44] X (§2.2)NR-PRF [31] X (§2.3)

CircuitSort-Compare-Shuffle [34] ×Circuit-Phasing [53] ×AES-OPRF [54] X (§2.4)

OTGarbled BF [18] ×Random Garbled BF [55] ×OT + Hashing [55] ×

Table 1. PSI protocols surveyed in [55, 56] and their adaptabilityto our setting. We mark with X if a protocol can be modifiedsuch that its online complexity only depends on the size of one ofthe input sets and with × otherwise.

positions for each query, whereas we only need to runa single OPRF instance. [45, 57] provide another con-struction based on the Goldwasser-Micali homomorphicencryption scheme. However, their protocol reveals sev-eral bits of the BF for each query, and clients can learninformation from these bits. They improved the Naor-Reingold OPRF-based scheme from [50] using garbledcircuits, but still require multiple OPRFs.

Trusted hardware can also be used to instantiate PSIefficiently. The protocol of [30] uses standard smartcardsand was extended in [20] to settings where the hardwaretoken(s) are no longer fully trusted. Trusted executionenvironments such as Intel SGX or ARM TrustZone canbe used for PSI as shown in [60].

2 PSI with PrecomputationIn this section, we describe the four existing PSI proto-cols which we experimentally compare in §3. We adaptPSI protocols from the literature to the offline/onlinesetting with online communication linear in the client’ssmaller set. We give the necessary preliminaries to ourprotocols in Appendix A, and further on assume thatthe reader is familiar with the notion of Bloom filters,oblivious transfers and Yao’s garbled circuit protocol.Throughout this paper, we use the notations shownin Tab. 2. In three of the four protocols that we de-scribe, the server sends to the client a database of en-crypted elements. To reduce the size of the server’s en-crypted database before transfer, we do not send theraw database of encrypted elements, but rather encodeall encrypted elements in a Bloom filter (BF) and sendthis data structure to the client. We note that the server

S Server party, with large input set and compu-tational power

C Client party, with significantly smaller data setand computational power

NS Number of server inputsNC Number of client inputs

NmaxC Maximal number of client inputs, NC ≤ Nmax

CNU Number of server inputs for update

X = x1, ..., xNS Server inputsY = y1, ..., yNC

Client inputsxi or yi ith input

xi[j] or yi[j] jth bit of ith inputn Number of bits of inputs xi or yim Bitlength of the ciphertext in protocols

BF Bloom filter of length 1.44εNS bitsBF .Insert(e) Insert element e in BF .BF .Check(e) Check if element e is in BF .

BF .Pos(e) Calculate positions to be changed for elemente in BF .

ε BF parameter s.t. the false positive rate is 2−ε

l Number of hash functions in the Bloom filterσ Symmetric security parameter defining m, the

number of base OTs, the size of the exponentsPRFk(·) Pseudorandom function with secret key kAESk(·) AES encryption under secret key kAESk Garbled tables for AES circuit with key k

Table 2. Notation used throughout the paper.

cannot simply encode its plaintext elements in a BF andsend it to the client, since the Bloom filter leaks informa-tion about the server’s elements [18]. The ciphertexts inthe encrypted database are either 128 bit long (AES en-cryption), 284 or 256 bit long (elliptic curve) or 2048 bitlong (finite field for public-key encryption), and there-fore using a Bloom filter significantly reduces the size ofthe transferred and stored data. We note that the usageof a BF introduces potential false positives, but theirrate can be controlled (cf. §A.3).

Since our aim is to shift as much communication andcomputation as possible to the offline phase, we describethe protocols in three phases. Firstly, the base phase in-cludes the data-independent precomputation and mustbe performed in order to setup the underlying primi-tives within the protocol. The setup phase includes theprecomputation steps that depend on the elements inthe server’s database. We note that in three of our pro-tocols the client is not required to do work proportionalto the server’s set even in this phase, it only receivesa Bloom filter in size proportional to the server’s set,the size of which is greatly reduced compared to theencrypted database. The online phase in all cases in-cludes the query-dependent phase, i.e., the phase wherethe client’s input is required.


Article title 181

Correctness guarantees with our modifications.The correctness guarantees of the modified protocolsfollow from the correctness of the original protocolsin [11, 31, 35, 54] and from the correctness of the Bloomfilter (up to false positives). This is due to the fact thatthe same messages are exchanged between the partiesafter the same computational steps; the only differenceis the order of these messages and the data structure(BF) for storing the encrypted database.

Security guarantees for our modifications.The security guarantees of our protocols follow fromthe security of the original protocols. The underlyingassumptions on which the basic protocols depend aredetailed in the respective sections. We apply two modi-fications to the protocols that do not affect security:

The first modification is shifting operations into thebase and setup phases, which only means changing theorder of messages or operations compared to the originalprotocols. Since the operations and the communicationare the same, the security of the original protocols is notviolated when semi-honest adversaries are considered.

The second modification is replacing sending theserver’s encrypted elements to the client, with sendinga Bloom filter which encodes these elements. However,sending a BF encoding of a set of values does not re-veal any more information than sending the set itself.More precisely, it is possible to show a simple reductiondemonstrating that any attack on the modified proto-col, which uses a BF, can be changed to an attack onthe original protocol which sends the original values:Assume that there is an algorithm A which the clientcan apply to the modified algorithm (with a BF), andbreak security with non-negligible probability p. It iseasy to devise an algorithm A′ which the client can useto break the original protocol. The algorithm A′ runsthe protocol and feeds all messages that it receives tothe algorithm A, with the following change: when it re-ceives the raw set of encrypted elements from the serverit first encodes it as a BF and only then feeds it to A.The algorithm A therefore observes the same view as ina run of the modified protocol, and therefore can breaksecurity with probability p. This results in A′ breakingsecurity with the same probability.

Efficient and secure updates.Our proposed protocols allow efficient updates to thedatabase: Bloom filters suffice for insertion, whereasdeletion requires to use counting Bloom filters.

For an insertion in the Bloom filter, the server doesnot need to perform the base and setup phases againand send a whole new BF, it suffices to send the modifi-cations to the BF. This can be done efficiently in eitherof the following two ways: 1) The server may send theencrypted element that needs to be inserted in the BF tothe client, or alternatively, 2) the server may send thosepositions of the Bloom filter that need to be changed.For insertion, the bits in the specified positions need tobe set to one. Since the elements inserted in the BF areencrypted, the client cannot learn which element was in-serted, except when the element is in its set as well. Thisinformation, however, leaks also when comparing the re-sults of a PSI run before and one after the change, evenif the encrypted database is re-generated by the serverusing a different key.

A counting Bloom filter (CBF) is an extension ofBloom filters that does not only allow for insertion andlookup, but also for delete operations [19]. Instead ofstoring bits, the CBF stores small counter values of t bitsthat are increased by one on insert and decreased byone on delete. In scenarios where deleting elements isof interest (e.g. the messaging application or the mal-ware checking service described in §1), counting Bloomfilters can replace BFs in our protocols. Depending onthe bit length t of the counters in the Bloom filter, itssize becomes 1.44εNS t bits for NS elements. Insertion ordeletion in the counting Bloom filter is the same as theinsertion into the BF described above: the server eithersends the encrypted elements that should be updated orthe positions of the counters that need to be increased(for insert) or decreased (for delete) by one. Once again,the client can only learn which element was deleted, ifthe element was in the intersection beforehand (other-wise the client cannot decrypt it). This, however, doesnot reveal any additional information than what wouldbe revealed by comparing two PSI protocol runs beforeand after the deletion.

The above mentioned updates are very efficient. Thefirst option that sends the encrypted elements dependson the underlying encryption scheme, i.e., on the size ofthe ciphertext. The second option depends on the sizeof the BF or CBF, and the number of hash functions l.These are l · log2(1.44εNS ) bits per element for a BF orl · log2(t · 1.44εNS ) bits per element for a CBF.

Outline.We give the following protocols with our modifications:the RSA blind signature-based protocol (RSA-PSI) in§2.1, the Diffie-Hellman-based PSI protocol (DH-PSI)


Article title 182

S CInput: X = x1, ..., xNS ; Output: ⊥ Input: Y = y1, ..., yNC

; Output: X ∩ YB,P := Base Phase A,S := Generate RSA private key d Agree on ε, m-bit RSA modulus N , exponent e Generate r1, . . . , rNmax

Crandom

For i = 1 to NmaxC :

rinvi = r−1i mod N

r′i = (ri)e mod N

Initialize BF of length 1.44εNS . Setup PhaseFor i = 1 to NS :

BF .Insert((xi)d mod N) BF−−−−−−−−−−−−−−−−−−→

Online Phase For i = 1 to NC :A A[i] = yi · r′i mod N

For i = 1 to NC : ←−−−−−−−−−−−−−−−−−−B[i] = (A[i])d mod N B If BF .Check(B[i] · rinvi mod N) then

−−−−−−−−−−−−−−−−−−→ put yi into SOutput S .

For i = 1 to NU Update NU elementsput BF .Pos((ui)d mod N) into P P

−−−−−−−−−−−−−−−−−−→ Modify BF in positions P

Fig. 1. The RSA Blind Signature based PSI protocol (RSA-PSI).

in §2.2, the Naor-Reingold OPRF-based protocol (NR-PSI) in §2.3, and the OPRF-based protocol using secureevaluation of a garbled AES circuit (GC-PSI) in §2.4.

2.1 RSA Blind Signature-based PSI(RSA-PSI)

A protocol based on RSA blind signature (RSA-PSI)was proposed in [11] and implemented later in [12]. Thisprotocol is a candidate for PSI with unequal number ofinputs due to its communication efficiency and its lowcomputation on the client side. The protocol proposedin [11] is such that the client only performs O(NC ) mod-ular multiplications in the online phase. The originallyproposed protocol uses a cryptographic hash function Hwhich we substitute with a Bloom filter BF in orderto achieve better communication complexity and lowerclient storage.

The modified RSA-PSI protocol is depicted inFig. 1. In the base phase, S and C agree on the RSA pub-lic key (N, e) and the false positive rate for the Bloomfilter BF , and S generates the RSA private key d. In thisphase, C chooses Nmax

C random numbers and calculatestheir inverses as well as their modular exponentiationsto the power e (the RSA public key). Thereafter, in thesetup phase, S encrypts its inputs using its private key dand inserts the ciphertexts into the Bloom filter BF ini-tialized before, and sends the BF to C. The online phase

starts with C blinding its inputs with the encryption ofthe respective random values and sending the resultingvalues to S. S encrypts these using its private key d

and sends the result back to C. C can then unblind theencrypted blinded values by multiplying each of its in-puts with the inverse of the respective random number,due to the property of RSA that xed ≡ x mod N . Af-terwards C can define the intersection by checking if theunblinded encrypted elements are in the Bloom filter BFthat was sent by S in the setup phase.

Update. For a set of parameters, S can decidewhich option for an update is more efficient. In thefirst option, the server sends 2,048-bit ciphertexts perelement to the client. In the second option, S sendsper updated element l · log2(1.44εNS ) bits for a BF,or l · log2(t · 1.44εNS ) bits for a CBF. This means,e.g., 1,063 bits per element for a BF for NS = 230

and FPR= 10−9 and only 238 bits for NS = 220 andFPR= 10−3, so for most realistic parameters, this op-tion is more efficient.

Security. The security of the modified RSA-PSIprotocol follows from the security of the original proto-col described in [11]. As in [11], privacy of both parties isachieved under the RSA assumption which relies on in-teger factorization being hard. This means that given anm-bit integer N that is the product of two large primes pand q, there exists no polynomial time algorithm to findthe two prime factors of N . Different randomness willbe used for the inputs of C if the protocol is run multiple


Article title 183


; Output: X ∩ YA, C , P := Base Phase B, S := Generate secret key α Agree on ε, m-bit prime p Generate secret key βRandomly permute elements in X Setup PhaseFor i = 1 to NS : Initialize BF of length 1.44εNS

A[i] = (xi)α mod p A For i = 1 to NS :−−−−−−−−−−−−−−−−−−→ BF .Insert((A[i])β mod p)

Online Phase For i = 1 to NC :B B[i] = (yi)β mod p

For i = 1 to NC : ←−−−−−−−−−−−−−−−−−−C [i] = (B[i])α mod p C If BF .Check(C [i]) then

−−−−−−−−−−−−−−−−−−→ put yi into S .Output S .

For i = 1 to NU Update NU elementsput BF .Pos((ui)d mod p) into P P

−−−−−−−−−−−−−−−−−−→ Modify BF in positions P

Fig. 2. The Diffie-Hellman-based PSI protocol (DH-PSI).

times, and therefore, unlinkability of the client’s inputscan also be achieved.

Online communication. In the online phase, Csends its blinded inputs to S, which aremNC bits, wherem is the bit length of N . S responds with mNC bits,which yields a total of 2mNC bits communication.

Online computation of C. The online compu-tation performed by the computationally restrictedparty C is 2NC efficient modular multiplications and NC

checks if an element is in the Bloom filter or not. Thisis performed by lNC hash function evaluations.

2.2 Diffie-Hellman-based PSI (DH-PSI)

The first PSI protocol with linear communication com-plexity, based on the Diffie-Hellmann protocol [15],was proposed in [35] (DH-PSI). It was proposed for ascenario where private preferences of two parties arematched using a known preference-matching function.The Diffie-Hellman-based PSI protocol has previouslybeen used in [44] for a matchmaking protocol whereusers verify their matching credentials without revealingthem to each other or to a trusted third party. This pro-tocol can be implemented based on elliptic-curve cryp-tography and has linear communication complexity.

The modified DH-based PSI protocol, which placesthe encryptions into Bloom filters instead of using hashfunctions, is shown in Fig. 2. In a nutshell, the protocolstarts by the parties agreeing on a cyclic group of primeorder p and a parameter ε for the false positive rate ofthe Bloom filter, and generating their secret exponents

in the base phase. Later in the setup phase, the server Scomputes the encryptions of its inputs by raising themto its secret exponent, and sends them over to C. C ini-tializes the Bloom filter BF , into which C inserts theencryptions of the received values with its secret ex-ponent. We note that this protocol is the only studiedprotocol where the client needs to generate the Bloomfilter and cannot receive it from the server directly. Theonline phase consists of the client C first encrypting itsinput with its secret key and sending it over to S. S thenraises the received values to its own exponent and sendsback the results to the client C. In our scenario onlythe client C learns the output of the PSI protocol, bychecking if its encrypted inputs are in the Bloom filter.

Update. The efficiency of an update for DH-PSIis the same as for RSA-PSI (cf. §2.1), except when im-plemented using elliptic curve cryptography. E.g., thepopular curve P-256 for 128-bit security has 256-bit ci-phertexts and therefore, in many cases the first option(sending the encrypted elements) is more efficient.

Security. The security of the modified Diffie-Hellman based PSI (DH-PSI) protocol follows from thesecurity of the protocol described in [35]. The privacy ofthe inputs of both S and C is achieved under the deci-sional Diffie-Hellman hardness assumption. This meansthat in a cyclic group G with generator g, for uniformlyrandom elements α, β, γ, it is impossible to distinguish(gα, gβ , gαβ) from (gα, gβ , gγ). Note that if C queries thesame item twice, S will notice this fact. To remedy this,C needs to generate a new secret key for each protocolrun. However, in this case, C can no longer use a Bloomfilter to save storage.


Article title 184


; Output: X ∩ YC , P := Base Phase S := Generate p, q, g, a0 = (a0

1, . . . , a0n) and

a1 = (a11, . . . , a

1n)a

Agree on ε, σ, p, q

−−−−−−−−−−−−−−−−−−→ Precompute nNmaxC OTs ←−−−−−−−−−−−−−−−−−−

For i = 1 to NmaxC : via OT extension −−−−−−−−−−−−−−−−−−→

For j = 1 to n:Generate an n-bit random number ri,jR0i,j = ri,j · a0

j

R1i,j = ri,j · a1

j

rinvi = (∏n

j=1 ri,j)−1 mod q

gi = grinvi mod p gi

−−−−−−−−−−−−−−−−−−→Initialize BF of length 1.44εNS Setup PhaseFor i = 1 to NS :Ci =

∏n

j=1 axi[j]j mod q

BF .Insert(gCi mod p) BF−−−−−−−−−−−−−−−−−−→

For i = 1 to NC : Online Phase For i = 1 to NC :For j = 1 to n: For j = 1 to n:

R0i,j , R

1i,j yi[j]

−−−−−−−−−−−−−−−−−−→ ←−−−−−−−−−−−−−−−−−−OT via precomputationb R

yi[j]i,j

−−−−−−−−−−−−−−−−−−→C′i =

∏n

j=1 Ryi[j]i,j mod q

If BF .Check(gC′i

i mod p) thenput yi into S .

Output S .For i = 1 to NU : Update NU elementsCi =

∏n

j=1 aui[j]j mod q

put BF .Pos(gCi mod p) into P P−−−−−−−−−−−−−−−−−−→ Modify BF in positions P

a p is prime, q is a prime divisor of p− 1, g ∈ Z∗p is of order q, and a01, . . . , a

0n, a

11, . . . , a

1n are n-bit random numbers

b Instead of performing actual OTs, the parties use nNmaxC precomputed OTs and only exchange messages in the online phase as

described in §A.1. We omit the details of OT precomputation which we use throughout our performance evaluation.

Fig. 3. Naor-Reingold PRF-based protocol (NR-PSI).

Online communication. In the online phase, Csends its encrypted inputs to S, with a total ofmNC bits,where m is the length of a group element. Afterwards,S sends back mNC bits to C. Therefore, the total onlinecommunication of the protocol is 2mNC bits.

Online computation of C. In the online phase,the client needs to compute NC modular exponentia-tions and check NC elements in the Bloom filter, whichrequires lNC hash function evaluations.

2.3 Naor-Reingold PRF-based PSI(NR-PSI)

A PSI protocol based on the Naor-Reingold pseudo-random function (PRF) [48] (NR-PSI) was proposedin [31]. The idea of evaluating PRFs in an obliviousmanner was presented in [23] where its application toPSI was first mentioned and later studied in [37]. Theplain computation of the Naor-Reingold PRF is veryefficient, PRFa(x) can be computed with one modularexponentiation and n modular multiplications.

The protocol shown in Fig. 3 works as follows: in thebase phase, the parties agree on all parameters: a primenumber p, a prime divisor of p − 1 denoted by q, an


Article title 185


; Output: X ∩ YP := Base Phase S := Expand 128-bit AES key k′ to 1408-bit k Agree on εFor i = 1 to Nmax

C

(AESi

k, si,0, si,1) := GC .Build(AES, k); AESi

k

−−−−−−−−−−−−−−−−−−→−−−−−−−−−−−−−−−−−−→ Precompute nNmax

C OTs ←−−−−−−−−−−−−−−−−−−via OT extension −−−−−−−−−−−−−−−−−−→

Initialize BF of length 1.44εNS Setup PhaseFor i = 1 to NS :

BF .Insert(AESk(xi)) BF−−−−−−−−−−−−→

For i = 1 to NC : Online Phase For i = 1 to NC :For j = 1 to n: For j = 1 to n:

si,0[j], si,1[j] yi[j]−−−−−−−−−−−−→ ←−−−−−−−−−−−−−−−−−−

OT via precomputation si,yi[j][j]−−−−−−−−−−−−−−−−−−→AESk(yi)← GC .Eval(AES

i

k, si,yi)

If BF .Check(AESk(yi)) thenput yi into S .

Output S .For i = 1 to NU Update NU elements

put (AESk(ui)) into P P−−−−−−−−−−−−−−−−−−→ BF .Insert(P [i])

Fig. 4. The AES GC-based PSI protocol (GC-PSI).

element g ∈ Z∗p of multiplicative order q, ε the FPR pa-rameter of BF and σ the symmetric security parameter.Then Nmax

C random numbers are generated, and eachone is split into the multiplication of n random values.Inverses of all the Nmax

C random numbers are calculatedby S. In this phase, nNmax

C oblivious transfers are pre-computed using OT extension, for which σ base OTs arecomputed as a first step. Thereafter, in the data depen-dent setup phase, the server S encrypts its elements withthe Naor-Reingold PRF using the key generated before.S inserts these values into the BF and sends it to C.In the online phase, for each bit of each element of C,the parties exchange the necessary information in orderfor the client C to recover the exponents for calculatingthe Naor-Reingold PRF evaluation of its inputs. This isdone efficiently by making use of the precomputed OTs.Then, by checking if its encrypted elements are in theBF or not, C is able to define the set intersection.

Update. The efficiency of an update for NR-PSIis the same as for RSA-PSI (cf. §2.1), i.e., the secondoption (sending positions) should be preferred.

Security. The security of the modified proto-col based on the Naor-Reingold OPRF (NR-PSI) is

based on the security guarantees of [31]. Its securityis proven under the decisional Diffie-Hellman assump-tion (cf. §2.2). When considering security against semi-honest adversaries, the OT extension protocol of [2] canbe used in the base phase of NR-PSI.

Online communication. The online communica-tion in NR-PSI consists of the client sending nNC bitsto the server, who then responds with 2nmNC bits andadditionally nNC bits. This adds up to a total commu-nication of 2nNC (1 +m) bits.

Online computation of C. In this protocol, theclient performs nNC (1+m) XOR operations for the pre-computed OTs, nNC modular multiplications and NC

modular exponentiation for evaluating the PRF and lNC

hash function evaluations for the Bloom filter check.

2.4 AES GC-based PSI (GC-PSI)

OPRF-based PSI can also be achieved by evaluatingAES with Yao’s garbled circuits protocol as proposedin [54]. This protocol is shown in Fig. 4. The base phasestarts with the server S generating and expanding the


Article title 186

secret key for AES, retrieving secret key k′. Then, NmaxC

garbled AES circuits are generated for each elementsof C, where Nmax

C ≥ NC is the maximal number of in-puts of C. These garbled AES circuits are then sent to C.Besides this, nNmax

C OTs are precomputed using OT ex-tension, where for random choice bits of C, a messagefrom a random message pair of S is received by C. Then,the setup phase consists of the server S inserting theAES encryptions of its NS elements to a BF and send-ing it to the client C. In the online phase, C obliviouslyretrieves the garbled Yao keys corresponding to its in-put bits using the precomputed OTs. Then, C evaluatesthe garbled AES circuits on each of its garbled inputsand checks if the resulting value is in the Bloom filtersent by S, which yields the intersection of the sets.

An AES circuit using the S-box of [9] has 5,120 ANDgates [32]. Alternatively, we could use the LowMC ci-pher of [1] with only 2,268 AND gates. Due to recentattacks on LowMC [16, 17], we choose to instantiate thePRF with AES. Recently, [29] proposed “MPC-friendly”PRFs that might provide more efficient primitives forOPRF-based PSI. We leave the examination of thesePRFs as future work. Note that the AES key may needto be changed after some time. In this case, the BFmust be rebuilt and the garbled circuits need to be re-generated.

Update. For GC-PSI, sending the 128 bit cipher-texts per updated element is more efficient already forNS = 215 and FPR= 10−3, and therefore this first solu-tion should always be preferred.

Security. The security of the GC-PSI protocol de-picted in Fig. 4 relies on the well-established assump-tion that AES is a PRF and on the security of Yao’sgarbled circuits protocol as proven in [42]. As for NR-PSI, for security against semi-honest adversaries we usethe semi-honest OT extension protocol of [2].

Online communication. The online communica-tion is defined by the nNC bits sent by C to S andthe 2nmNC bits sent back by S. This means altogethernNC (1 + 2m) bits of online communication.

Online computation of C. The client needs tocompute nNC bit-XOR operations, evaluate NC garbledcircuits and check if the encryption of its elements arein the Bloom filter BF . For evaluating a garbled circuit,due to the half-gates optimization of [63] and fixed-keyAES garbling of [7], two fixed-key AES evaluations needto be performed per AND gate.

3 Performance EvaluationWe have implemented all four protocols and systemat-ically compare their performance in this section. Ouropen-source implementation can be found at http://encrypto.de/code/MobilePSI.

Our performance results are given in Tab. 3 for thePC setting and in Tab. 4 for the smartphone setting.The communication and minimal necessary client stor-age are given in Tab. 5 (see Tab. 6 in Appendix B forthe formulas used to compute these). We detail our ex-periments next.

Parameters. We assume the inputs are 128-bitstrings (i.e., n = 128). To provide assessment for asufficient security level, we set our symmetric securityparameter σ to 128 and follow the recommendationsof [27]. Therefore, where oblivious transfer is used, weperform 128 base OTs for OT extension. In the PC set-ting, we used the semi-honest OT extension implemen-tation of [2] and in the smartphone setting, we used theOT extension protocol of [36]. This affects only the per-formance of the base phase since we use precomputedOTs as described in §A.1. For all protocols, we set thelength of the modulus as m = 2,048 bits (284 bits forECC with K-283 on PC and 256 bits for ECC with P-256 on smartphone) and use a small RSA public expo-nent e, while for DH-PSI and NR-PSI, we use 256-bitexponents to achieve the desired level of security [27].

Following the advices of a major AV vendor, we per-form experiments with realistic parameter choices in§3.1. Furthermore, we elaborate on the behavior of theprotocols when varying parameters in §3.2.

Environment. We ran our benchmarks in two dif-ferent settings, using x86-based PCs and an ARM-basedsmartphone. Each reported result is an average of 10runs. In our experiments, we do not make use of par-allelization techniques, which could further improve theperformance.

In the PC setting, the protocols were implementedin C/C++ and ran between two desktops, with IntelCore i7 with 3.5 GHz and 16 GB RAM. Our experi-ments were performed in LAN and Wifi settings, bothof which are with 1 Gbps switches. We used the GNUmultiple precision arithmetic library [21] for the crypto-graphic operations, the ABY framework [14] to generateand evaluate the garbled circuits efficiently, and the BFimplementation of [52]. The optimized AES circuit has5,440 AND gates. For ECC-DH-PSI, we modify the im-plementation of [55], which uses Koblitz curve K-283


http://encrypto.de/code/MobilePSI

http://encrypto.de/code/MobilePSI

Article title 187

for 128-bit security, where the bit size of the points ism = 284.

In the smartphone setting, the server-side programran on a laptop with Intel Core i7 with 4 cores at2.2 GHz, and the client-side program ran on an An-droid 6.0.1 phone (Samsung Galaxy S5) with Quad-core2.5 GHz Krait 400. The two devices were connectedvia a Wifi connection. We used Java for the Androidprogramming, Bouncy Castle APIs [8] for the crypto-graphic operations, and FlexSC [43] as the garbled cir-cuit backend. In the following text, we put the resultsfrom the smartphone setting in brackets. For ECC-DH-PSI, we used X9.62/SECG curve P-256 for 128-bit se-curity, where the bit size of the points is m = 256.

3.1 Experimental Evaluation with RealisticParameters

We set the maximum number of client inputs to NmaxC =

1,024 to measure the base phase and the number ofserver inputs to NS = 220 to measure the setup phase.We benchmark false positive rates (FPRs) 10−3 and10−9 to measure the time usage to build and send aBF. If the application allows for false positives, e.g.,the malware checking example from §1, a larger FPRleads to better performance. For more sensitive applica-tions such as the search in chemical compound database,only one false positive in a billion elements should be al-lowed, i.e., FPR= 10−9. In the online phase, we performour experiments with NC = 1 to retrieve the perfor-mance measurements for each of C’s inputs. Since theonline phase of all protocols scales linearly in NC , thesenumbers can be used to estimate the performance withlarger NC (cf. §3.2).

Base Phase. In the base phase of RSA-PSI, C needsto generate Nmax

C random numbers, and calculate theirinverse and modular exponentiation with the public ex-ponent. It takes 56 ms (5,492 ms) for a maximum ofNmax

C = 210 client inputs. In DH-PSI, S and C do notneed to do anything other than transferring a primenumber p. In the base phase of NR-PSI and GC-PSI,S and C need 82 ms (1,003 ms) to run 128 base OTs,and they also need 31 ms (44,032 ms) to run 128 ·Nmax

COT extensions. In addition, NR-PSI requires S to gen-erate Nmax

C 128-bit random numbers, multiply them tothe secrets, and also calculate their inverse. GC-PSI re-quires S to generate and transfer Nmax

C garbled circuitsin advance, which takes 1,199 ms (411,648 ms).

The communication for NR-PSI is defined by the128 base OTs and the 128 · Nmax

C OTs which means

transferring around 4 Mbytes, whereas in GC-PSI, Sadditionally sends 1,024 garbled circuits to C which addup to around 178 Mbytes. This additionally has to bestored on the client’s side as well, requiring a large stor-age capacity when large Nmax

C is considered.Setup Phase. In the setup phase, S needs to en-

crypt NS = 220 entries. The GC-PSI approach is farmore efficient than the other three schemes in this phase,since it only requires S to do efficient AES encryptionon each entry. However, all the other three schemesrequire expensive public-key operations on each entry.Our experiments validate this. Due to the hardware-accelerated AES using AES-NI, GC-PSI only takes70 ms (1,120 ms without AES-NI in Java)2 to encryptNS = 220 entries, while the other three schemes takeseveral minutes to encrypt the same number of entries.

The time usage to build and send a Bloom filteris the same for RSA-PSI, DH-PSI, and NR-PSI, whichtakes 309 ms (1,590 ms) for NS = 220 entries and 10−3

FPR, and 767 ms (7,364 ms) for the same number ofentries but 10−9 FPR. The exception is DH-PSI whichrequires S to transfer NS = 220 ciphertexts to C insteadof the BF. Furthermore, it is more expensive to builda Bloom filter on the Android platform, i.e., 15,365 msfor a FPR of 10−3 and 46,998 ms for a FPR of 10−9.

In RSA-PSI, NR-PSI and GC-PSI, the communica-tion in the setup phase is defined by the Bloom filtercreated for NS = 220 server inputs with 10−3 and 10−9

FPRs, and is therefore the same for all the three pro-tocols, i.e., around 1.8 Mbytes and 5.4 Mbytes for therespective FPR rates. However, the communication forDH-PSI and ECC-DH-PSI is independent from the FPRof the BF and is around 256 Mbytes and 36 Mbytes,respectively, for NS = 220 server inputs. For DH-PSI,however, the received values can be processed one byone and inserted to the BF, and therefore the requiredstorage is similar for all four schemes in this phase.

Online Phase. The online phase is measuredfrom the time that C sends a query until it gets theanswer. The query time for GC-PSI on Android islong (8,470 ms) since the garbled circuit evaluation isexpensive on a smartphone. However, the garbled circuitevaluation time is significantly improved by AES-NI onPC. If we do the same garbled circuit evaluation on a

2 We note here that our server-side implementation for thesmartphone setting is also in Java. The setup phases of the pro-tocols can be as efficient as shown in Tab. 3, except for the setupphase of DH-PSI and ECC-DH-PSI, where the bottleneck is thecomputation on the client side.


Article title 188

Base (ms) Setup (ms) Online (ms) Update (ms)Task Encryption BFFPR - 10−3 10−9 - 10−3 10−9

RSA-PSI (Fig. 1) 56 3,441,906 309 767 7.38 0.11 0.15DH-PSI (Fig. 2) 1 462,496 257 648 3.49 0.11 0.15ECC-DH-PSI (Fig. 2) 1 1,325,400 257 648 2.91 0.11 0.15NR-PSI (Fig. 3) 119 758,400 309 767 10.82 0.11 0.15GC-PSI (Fig. 4) 1,312 70 309 767 2.49 0.09 0.09

Table 3. Runtimes in milliseconds in the PC setting in LAN setting with AES-NI. The parameter choices are as follows: NS = 220,Nmax

C = 210, NC = 1, σ = 128, n = 128, m = 2,048 (284 for ECC), and False Positive Rates (FPRs) of 10−3 and 10−9. Best valuesmarked in bold.

Base (ms) Setup (ms) Online (ms) Update (ms)Task Encryption BFFPR - 10−3 10−9 - 10−3 10−9

RSA-PSI (Fig. 1) 5,492 19,892,745 1,590 7,364 60 8 11DH-PSI (Fig. 2) 1 3,014,656 50,880 172,896 23 8 11ECC-DH-PSI (Fig. 2) 1 167,837,696 50,880 172,896 363 8 11NR-PSI (Fig. 3) 45,035 12,100,105 1,590 7,364 247 8 11GC-PSI (Fig. 4) 456,683 1,851 1,590 7,364 8,470 4 4

Table 4. Runtimes in milliseconds in the smartphone setting with Wifi connection. The parameter choices are as follows: NS = 220,Nmax

C = 210, NC = 1, n = 128, m = 2,048 for RSA-PSI, DH-PSI, NR-PSI, 284 for ECC-DH-PSI and 128 for GC-PSI, and FalsePositive Rates (FPRs) of 10−3 and 10−9. Best values marked in bold.

Base (KB) Setup (KB) Online (KB) Client Storage (KB) Update (KB)FPR - 10−3 10−9 - 10−3 10−9 10−3 10−9

RSA-PSI (Fig. 1) 0 1,840 5,521 0.5 2,353 6,034 0.029 0.031DH-PSI (Fig. 2) 0 262,144 262,144 0.5 1,841 5,521 0.029 0.031ECC-DH-PSI (Fig. 2) 0 36,352 36,352 0.1 1,840 5,521 0.029 0.031NR-PSI (Fig. 3) 4,201 1,840 5,521 4.0 8,390 7,585 0.029 0.031GC-PSI (Fig. 4) 181,482 1,840 5,521 4.0 179,136 182,817 0.016 0.016

Table 5. Communication in Kilobytes in the different protocols and the storage capacity required by C. The parameter choices are asfollows: NS = 220, Nmax

C = 210, NC = 1, n = 128, m = 2,048 for RSA-PSI, DH-PSI, NR-PSI, 284 for ECC-DH-PSI on PC and 128for GC-PSI, and False Positive Rates (FPRs) of 10−3 and 10−9. Best values marked in bold.

machine that supports AES-NI, it takes only 2.49 ms,which is in the same order of magnitude as the otherthree schemes. Furthermore, in the PC setting, GC-PSIis the most efficient solution in the online phase, requir-ing the least expensive operations offline as well. In thesmartphone setting, due to the OTs needed in NR-PSIand GC-PSI, DH-PSI performs best in the online phase,providing a query response in just 23 ms. This shows thepracticality of our approach: for the maximal number ofclient inputs NC = Nmax

C = 210, our best approach hasan online runtime of only 2.55 seconds (23.55 seconds).

The communication in the online phase dependsonly on the client’s inputs. RSA-PSI and DH-PSI needto transfer only 0.5 Kbytes per query for two group el-ements, while NR-PSI and GC-PSI need to communi-

cate via the precomputed OTs. This requires around4 Kbytes of data transfer per query.

Update. As we discussed in §2, updates can bedone in two ways: 1) S sends the encryptions of thenewly added elements, or 2) S sends the positions thatneed to be changed. Based on our parameters, we chosethe first solution for GC-PSI and the second solution forthe other protocols. The rationale is that, for an FPR ofeither 10−3 or 10−9, l · log2(1.44εNS ) is larger than thesize of a symmetric cipher (i.e., 128-bit), but smallerthan a asymmetric cipher (i.e., 2048-bit). The resultsshow that updates can be done efficiently for all fourprotocols.

Summary. In conclusion, our experiments showthat DH-PSI has the most efficient base phase since it


Article title 189

100

101

102

103

104

25 26 27 28 29 210

Run

time

(ms)

Maximum number of client inputs NCmax

RSA-PSI(ECC)-DH-PSI

NR-PSIGC-PSI

(a) Runtime (ms)

100

101

102

103

104

105

106

25 26 27 28 29 210

Com

mun

icat

ion

(KBy

te)

Maximum number of client inputs NCmax

NR-PSIGC-PSI

(b) Communication (KBytes)

Fig. 5. Effect of varying maximum client input sizes in the base phase for NmaxC = 2i, i ∈ 5, . . . , 10.

only requires S and C to generate their secret keys. GC-PSI has the fastest setup phase, especially when AES-NIis supported. For the online phase, GC-PSI and DH-PSIare the most efficient solutions in the PC setting andsmartphone setting, respectively. The protocols requir-ing the highest communication are GC-PSI and DH-PSIdue to the garbled circuits and the transferred cipher-texts, respectively. The lowest communication and stor-age overhead is observed in RSA-PSI and NR-PSI.

3.2 Experimental Evaluation of VaryingParameters

In this section, we discuss the effect of varying certainparameters. We show that linear scaling can be observedwhen varying the parameters NS , NC , Nmax

C and thefalse positive rate (FPR). The runtime experiments inthis section were performed in the PC setting in LANas before, with the same security parameter σ = 128.We note that the figures in this section are depicted inlogarithmic scale in both axes.

3.2.1 Base Phase

The base phase of the protocols performs precomputa-tion that is independent of the parties’ inputs. Theseoperations are: key generation for RSA-PSI and DH-PSI, the generation of Nmax

C blinded random values inRSA-PSI, OT precomputation in NR-PSI and GC-PSI,GC precomputation in GC-PSI, and the generation andtransfer of Nmax

C group elements in NR-PSI.

Varying Maximum Client Input Size.This phase is only affected by the choice of the max-imum number of client inputs, as shown in Fig. 5 forNmax

C between 25 = 32 and 210 = 1,024.Runtimes (Fig. 5a). It can be observed that the

most computationally heavy protocol in the base phaseis GC-PSI due to the precomputation of Nmax

C gar-bled AES circuits, which requires up to 13.1 seconds forNmax

C = 1,024. The work performed in the base phaseof NR-PSI is mainly dominated by the base OTs whichcost 82 ms. For RSA-PSI, Nmax

C modular inverses andexponentiations with a small exponent (public key) arecomputed, the cost of which scale linearly in Nmax

C , andreach 56 ms for Nmax

C = 1,024. DH-PSI is independentof Nmax

C as only the secret keys are initialized.Communication (Fig. 5b). The only communi-

cation in NR-PSI and GC-PSI is the OT precompu-tation and transferring Nmax

C group elements or NmaxC

garbled circuits, respectively. The most communicationhappens in the case of GC-PSI, where for 1,024 ele-ments, 178 MBytes of garbled circuits need to be trans-ferred and stored by the client. However, in applicationswhere Nmax

C is an order of magnitude smaller, e.g., forNmax

C = 26 = 64, GC-PSI only uses 11 MBytes, whichis not prohibitive for a smartphone either. NR-PSI re-quires 8.1 MBytes of communication for Nmax

C = 1,024and 680 KBytes for Nmax

C = 26 = 64. RSA-PSI andDH-PSI do not require communication in this phase.

3.2.2 Setup Phase

In the setup phase, computation and communicationthat depend on the server’s input elements are per-formed. The following operations are performed: inRSA-PSI, NR-PSI and GC-PSI, the server encrypts its


Article title 190

100

101

102

103

104

105

106

215 220 225 230

Run

time

(ms)

Number of elements in database NS

FPR = 10-9 Generation timeFPR = 10-6 Generation timeFPR = 10-3 Generation time

FPR = 10-9 Sending timeFPR = 10-6 Sending timeFPR = 10-3 Sending time

(a) Runtime (ms)

101

102

103

104

105

106

107

215 220 225 230

Com

mun

icat

ion

(KBy

tes)


FPR = 10-9

FPR = 10-6

FPR = 10-3


Fig. 6. Bloom filter related effect of varying database sizes for NS = 2i, i ∈ 15, 20, 25, 30 and false positive rates for FPR= 10−i, i ∈3, 6, 9 in the setup phase.

100

101

102

103

104

105

106

107

108

109

1010

215 220 225 230

Run

time

(ms)


RSA-PSIDH-PSI

ECC-DH-PSINR-PSIGC-PSI

Fig. 7. Effect of varying database sizes for NS = 2i, i ∈ 15, 20, 25, 30 in the setup phase, independent from Bloom filter.

database of size NS and inserts the encrypted elementsinto a Bloom filter of size 1.44εNS that is sent to theclient. In DH-PSI, the client generates the Bloom filterafter receiving the encrypted elements from the server.ε is chosen in all case as a Bloom filter parameter suchthat the false positive rate in the BF is 2−ε. The sizeof the server’s set NS and ε determine the efficiency ofthis phase, which depends on the underlying applicationscenario.

Varying Database Size and False Positive Rate -Effect on Bloom Filter.The size of the database NS and the parameter for thefalse positive rate ε affect the size of the Bloom filter andtherefore the efficiency of the setup phase. Moreover, εdetermines the number of hash functions used in theBF that has impact on the runtime in the online phase.This cost, however, is negligible and therefore, we showexperimental results for the time generation and sizeof the BF for false positive rates 10−3, 10−6 and 10−9

and varying the size of the database NS between 215

and 230. Fig. 6 shows the effect on the runtime and thecommunication in the setup phase.

Runtimes (Fig. 6a). We can see that the growthin both runtime and communication is linear in the sizeof the server’s set NS . We separate the runtime used forgenerating and that used for sending the BF from theserver to the client for two reasons: firstly, this secondcost is not present in DH-PSI, where all encrypted el-ements are sent instead of the BF, and a BF is locallygenerated by the client. Secondly, the network settingcan affect the performance when it comes to sending theBF, but the generation in that case will stay constant.

Communication (Fig. 6b). We can observe thatthe required storage capacity is not prohibitive evenon a smartphone, since e.g., for NS = 220 elements(depending on FPR) the client needs between 1.8and 5.4 MBytes of storage. For applications on largerdatabases, e.g., NS = 225, the communication and stor-age required is between 57.5 and 172.5 Mbytes, whichis not prohibitive in the PC setting. The generation of


Article title 191

100

101

102

103

104

105

20 22 24 26 28 210

Run

time

(ms)

Actual number of client inputs NC

RSA-PSIDH-PSI

ECC-DH-PSINR-PSIGC-PSI

(a) Runtime (ms)

10-2

10-1

100

101

102

103

104

20 22 24 26 28 210

Com

mun

icat

ion

(KBy

te)

Actual number of client inputs NC

RSA-PSI, DH-PSIECC-DH-PSI

NR-PSI, GC-PSI


Fig. 8. Effect of varying client input sizes in the online phase for NC = 2i, i ∈ 0, 1, . . . , 10.

such a large database can take between 5.8 and 17.4 sec-onds, while sending these over a LAN network takes 0.8to 2.3 seconds.

Varying Database Size - Effect on Runtime.In RSA-PSI and NR-PSI, the server performs NS expen-sive public-key encryptions in the setup phase. In DH-PSI, both parties perform a public-key operation perelement in the database and the server has to transferNS group elements to the client. When using GC-PSI,the server performs only NS symmetric-key operations.

Runtimes (Fig. 7). The gap between public-keyoperations and symmetric encryption is clearly visibleand provides an advantage to GC-PSI (which, in turn,requires large storage capacity as mentioned before).NS = 225 elements in the setup phase of RSA-PSI(where both the modulus and the exponent have 2,048bits), are encrypted in around 30 hours. For NR-PSIand DH-PSI this takes only around 4 hours, while GC-PSI terminates within 2.2 seconds. We note here thatthe only protocol affected in this benchmark by the net-work setting is DH-PSI, where the ciphertexts need tobe exchanged between the two parties.

3.2.3 Online Phase

The online phase is only affected by the number of in-puts in the client’s set. Fig. 8 summarizes the perfor-mance of our protocols.

Varying Client Input Size. For all inputs of theclient, RSA-PSI and DH-PSI requires public-key oper-ations to be performed, NR-PSI requires an obliviousPRF evaluation with precomputed OT, and GC-PSI re-quires an AES garbled circuit evaluation.

Runtimes (Fig. 8a).We vary the number of clientinput NC from 1 to 1,024. For a realistic choice of NC =26 = 64, all protocols terminate in less than a second.GC-PSI provides the best performance of 159 ms. Forthe maximum number of inputs NC = 210 = 1,024, theprotocols require 11 minutes in the worst case (NR-PSI)and 2.5 minutes in the best case (GC-PSI).

Communication (Fig. 8b). In RSA-PSI and DH-PSI, the parties exchange two 2,048-bit messages foreach element in the client’s set, resulting in at most512 KBytes of data transfer for NC = 210 = 1,024. NR-PSI and GC-PSI use precomputed OTs for each bit ofthe client’s inputs and therefore require more commu-nication, around 4 KBytes per element., For 1,024 ele-ments this yields around 4 MBytes of communication.

4 ExtensionsIn this section, we propose two possible extensions forthe four PSI protocols detailed in §2. Three further ex-tensions are discussed in Appendix C.

4.1 Same Encrypted Database forMultiple Clients for RSA-PSI andDH-PSI

In our motivating scenarios in §1, the encrypteddatabase sent by the server during the setup phasecould be common for multiple clients. Thus, it can bedistributed to clients using a broadcast communicationchannel or caching content delivery networks.

All our protocols allow for generating such a com-mon encrypted database for multiple clients without


Article title 192

compromising the privacy of the server’s database.Though the number of queries per client is restrictedto Nmax

C , an adversary might register as k clients to runk ·Nmax

C interactive queries, which can suffice for guess-ing low-entropy inputs. In order to disallow the clientsguessing elements in the database, our protocols shouldonly be used in scenarios where the entropy of the in-puts is high, since otherwise the queries altogether canrecover the server’s set. As an example, it could be usedin the scenario of the messaging service, since phonenumbers have a relatively high entropy. However, in caseof the malware checking scenario it can only be appliedif high-entropy signatures of the applications are com-pared instead of identifiers such as application names,which follow certain patterns.

However, even though it allows the clients to per-form as many queries as they want on the same (count-ing) BF, the client cannot exploit the fact that the sameencrypted database is used, under the assumption thatthe underlying encryption scheme is secure.

Moreover, there is an advantage for the client whenthe same distributed database is used: the client cancheck if the server is cheating by using different inputsfor different users. In contrast, when running multipleindependent PSI instances, the server could use differentinputs for different clients.

4.2 Security Against Malicious Client forNR-PSI and GC-PSI

In NR-PSI and the GC-PSI protocols the only messagessent by the client are those in the OTs. Hence, these pro-tocols can easily be secured against a malicious clientby not using OT precomputation and using OT exten-sion with security against malicious receivers, e.g., thatfrom [3, 38]. These protocols are only slightly less effi-cient than the passively secure OT extension of [2] whichwe use in our experiments.

5 Conclusion and Future WorkIn this paper, we optimized the efficiency of privateset intersection via precomputation so that it can ef-ficiently deal with an unequal number of inputs. Wetransformed four existing protocols into the precompu-tation form, and give a systematic comparison of theirperformance in a PC setting and a smartphone setting.On the one hand, our results show that GC-PSI and

DH-PSI provide the most efficient online phase in thePC setting and smartphone setting, respectively. On theother hand, GC-PSI provides the most efficient setupphase especially when AES-NI is supported.Future work could improve the performance of GC-PSIon Android by making use of AES-NI or implement theextensions proposed in §4. Also our protocol implemen-tations could be turned into real-world applications forthe motivating scenarios described in §1 such as themalware detection service.

AcknowledgementsWe thank the anonymous reviewers for their valuablefeedback on the paper. This work has been co-fundedby the German Federal Ministry of Education andResearch (BMBF) and the Hessen State Ministry forHigher Education, Research and the Arts (HMWK)within CRISP, by the DFG as part of project E3 withinthe CRC 1119 CROSSING, by the Cloud Security Ser-vices (CloSer) project (3881/31/2016), funded by theFinnish Funding Agency for Innovation (TEKES), andby the BIU Center for Research in Applied Cryptogra-phy and Cyber Security in conjunction with the IsraelNational Cyber Bureau in the Prime Minsters Office.

References[1] M. R. Albrecht, C. Rechberger, T. Schneider, T. Tiessen,

and M. Zohner, “Ciphers for MPC and FHE,” in Advancesin Cryptology – EUROCRYPT’15, ser. LNCS, vol. 9056.Springer, 2015, pp. 430–454.

[2] G. Asharov, Y. Lindell, T. Schneider, and M. Zohner, “Moreefficient oblivious transfer and extensions for faster securecomputation,” in ACM Computer and Communications Se-curity (CCS’13). ACM, 2013, pp. 535–548.

[3] ——, “More efficient oblivious transfer extensions with se-curity for malicious adversaries,” in Advances in Cryptology– EUROCRYPT’15, ser. LNCS, vol. 9056. Springer, 2015,pp. 673–701.

[4] N. Asokan, A. Dmitrienko, M. Nagy, E. Reshetova,A. Sadeghi, T. Schneider, and S. Stelle, “CrowdShare:Secure mobile resource sharing,” in Applied Cryptographyand Network Security (ACNS’13), ser. LNCS, vol. 7954.Springer, 2013, pp. 432–440.

[5] P. Baldi, R. Baronio, E. De Cristofaro, P. Gasti, andG. Tsudik, “Countering GATTACA: efficient and secure test-ing of fully-sequenced human genomes,” in ACM Computerand Communications Security (CCS’11). ACM, 2011, pp.691–702.


Article title 193

[6] D. Beaver, “Precomputing oblivious transfer,” in Advancesin Cryptology – CRYPTO’95, ser. LNCS, vol. 963. Springer,1995, pp. 97–109.

[7] M. Bellare, V. T. Hoang, S. Keelveedhi, and P. Rogaway,“Efficient garbling from a fixed-key blockcipher,” in IEEESymposium on Security and Privacy (S&P’13). IEEE, 2013,pp. 478–492.

[8] L. Bouncy Castle Inc., “Bouncy Castle crypto APIs,” https://www.bouncycastle.org/, 2017, accessed: 2017-03-10.

[9] J. Boyar and R. Peralta, “A new combinational logic mini-mization technique with applications to cryptology,” in Sym-posium on Experimental Algorithms (SEA’10), ser. LNCS,vol. 6049. Springer, 2010, pp. 178–189.

[10] H. Carter, C. Amrutkar, I. Dacosta, and P. Traynor, “Foryour phone only: custom protocols for efficient secure func-tion evaluation on mobile devices,” Security and Communi-cation Networks, vol. 7, no. 7, pp. 1165–1176, 2014.

[11] E. D. Cristofaro and G. Tsudik, “Practical private set in-tersection protocols with linear complexity,” in FinancialCryptography and Data Security (FC’10), ser. LNCS, vol.6052. Springer, 2010, pp. 143–159.

[12] ——, “Experimenting with fast private set intersection,” inTrust and Trustworthy Computing (TRUST’12), ser. LNCS,vol. 7344. Springer, 2012, pp. 55–73.

[13] D. Demmler, T. Schneider, and M. Zohner, “Ad-hoc securetwo-party computation on mobile devices using hardwaretokens,” in USENIX Security Symposium’14. USENIX,2014, pp. 893–908.

[14] ——, “ABY - A framework for efficient mixed-protocol se-cure two-party computation,” in Network and DistributedSystem Security Symposium (NDSS’15). The InternetSociety, 2015.

[15] W. Diffie and M. E. Hellman, “New directions in cryptog-raphy,” IEEE Trans. Information Theory, vol. 22, no. 6, pp.644–654, 1976.

[16] I. Dinur, Y. Liu, W. Meier, and Q. Wang, “Optimized inter-polation attacks on LowMC,” in Advances in Cryptology –ASIACRYPT’15, ser. LNCS, vol. 9453. Springer, 2015, pp.535–560.

[17] C. Dobraunig, M. Eichlseder, and F. Mendel, “Higher-ordercryptanalysis of LowMC,” in Information Security and Cryp-tology (ICISC’15), ser. LNCS, vol. 9558. Springer, 2015,pp. 87–101.

[18] C. Dong, L. Chen, and Z. Wen, “When private set intersec-tion meets big data: an efficient and scalable protocol,” inACM Computer and Communications Security (CCS’13).ACM, 2013, pp. 789–800.

[19] L. Fan, P. Cao, J. M. Almeida, and A. Z. Broder, “Summarycache: A scalable wide-area web cache sharing protocol,” inSIGCOMM’98. ACM, 1998, pp. 254–265.

[20] M. Fischlin, B. Pinkas, A. Sadeghi, T. Schneider, and I. Vis-conti, “Secure set intersection with untrusted hardware to-kens,” in Topics in Cryptology – CT-RSA’11, ser. LNCS, vol.6558. Springer, 2011, pp. 1–16.

[21] F. S. Foundation, “The GNU multiple precision arithmeticlibrary,” https://gmplib.org, 2017, accessed: 2017-03-10.

[22] M. J. Freedman, Y. Ishai, B. Pinkas, and O. Reingold, “Key-word search and oblivious pseudorandom functions,” in The-ory of Cryptography Conference (TCC’05), ser. LNCS, vol.3378. Springer, 2005, pp. 303–324.

[23] M. J. Freedman, K. Nissim, and B. Pinkas, “Efficient privatematching and set intersection,” in Advances in Cryptology– EUROCRYPT’04, ser. LNCS, vol. 3027. Springer, 2004,pp. 1–19.

[24] P. Gasti and K. B. Rasmussen, “Privacy-preserving usermatching,” in ACM Workshop on Privacy in the ElectronicSociety (WPES’15). ACM, 2015, pp. 111–120.

[25] C. Gentry, “Fully homomorphic encryption using ideallattices,” in ACM Symposium on Theory of Computing(STOC’09). ACM, 2009, pp. 169–178.

[26] N. Gilboa and Y. Ishai, “Distributed point functions andtheir applications,” in Advances in Cryptology – EURO-CRYPT’14, ser. LNCS, vol. 8441. Springer, 2014, pp.640–658.

[27] D. Giry, “BlueKrypt cryptogrphic key length recommenda-tion,” http://www.keylength.com, 2017, accessed: 2017-02-28.

[28] S. D. Gordon, J. Katz, V. Kolesnikov, F. Krell, T. Malkin,M. Raykova, and Y. Vahlis, “Secure two-party computationin sublinear (amortized) time,” in ACM Conference on Com-puter and Communications Security (CCS’12). ACM, 2012,pp. 513–524.

[29] L. Grassi, C. Rechberger, D. Rotaru, P. Scholl, and N. P.Smart, “MPC-friendly symmetric key primitives,” in ACMComputer and Communications Security (CCS’16). ACM,2016, pp. 430–443.

[30] C. Hazay and Y. Lindell, “Constructions of truly practicalsecure protocols using standard smartcards,” in ACM Com-puter and Communications Security (CCS’08). ACM, 2008,pp. 491–500.

[31] ——, “Efficient protocols for set intersection and patternmatching with security against malicious and covert adver-saries,” in Theory of Cryptography Conference (TCC’08),ser. LNCS, vol. 4948. Springer, 2008, pp. 155–175.

[32] W. Henecka and T. Schneider, “Faster secure two-partycomputation with less memory,” in Computer and Communi-cations Security (ASIACCS’13). ACM, 2013, pp. 437–446.

[33] Y. Huang, P. Chapman, and D. Evans, “Privacy-preservingapplications on smartphones,” in USENIX Workshop on HotTopics in Security (HotSec’11). USENIX, 2011.

[34] Y. Huang, D. Evans, and J. Katz, “Private set intersec-tion: Are garbled circuits better than custom protocols?”in Network and Distributed System Security Symposium(NDSS’12). The Internet Society, 2012.

[35] B. A. Huberman, M. K. Franklin, and T. Hogg, “Enhancingprivacy and trust in electronic communities,” in ACM Con-ference on Electronic Commerce (EC’99), 1999, pp. 78–86.

[36] Y. Ishai, J. Kilian, K. Nissim, and E. Petrank, “Extendingoblivious transfers efficiently,” in Advances in Cryptology –CRYPTO’03, ser. LNCS, vol. 2729. Springer, 2003, pp.145–161.

[37] S. Jarecki and X. Liu, “Efficient oblivious pseudorandomfunction with applications to adaptive OT and secure com-putation of set intersection,” in Theory of CryptographyConference (TCC’09), ser. LNCS, vol. 5444. Springer,2009, pp. 577–594.

[38] M. Keller, E. Orsini, and P. Scholl, “Actively secure OTextension with optimal overhead,” in Advances in Cryptology– CRYPTO’15, ser. LNCS, vol. 9215. Springer, 2015, pp.724–741.


https://www.bouncycastle.org/

https://www.bouncycastle.org/

https://gmplib.org

http://www.keylength.com

Article title 194

[39] V. Kolesnikov, R. Kumaresan, M. Rosulek, and N. Trieu,“Efficient batched oblivious PRF with applications to privateset intersection,” in ACM Computer and CommunicationsSecurity (CCS’16). ACM, 2016, pp. 818–829.

[40] V. Kolesnikov and T. Schneider, “Improved garbled cir-cuit: Free XOR gates and applications,” in InternationalColloquium on Automata, Languages and Programming(ICALP’08), ser. LNCS, vol. 5126. Springer, 2008, pp.486–498.

[41] E. Kushilevitz and R. Ostrovsky, “Replication is NOTneeded: SINGLE database, computationally-private informa-tion retrieval,” in Foundations of Computer Science (FOCS’97). IEEE Computer Society, 1997, pp. 364–373.

[42] Y. Lindell and B. Pinkas, “A proof of security of Yao’s pro-tocol for two-party computation,” Journal of Cryptology,vol. 22, no. 2, pp. 161–188, 2009.

[43] C. Liu, X. S. Wang, K. Nayak, Y. Huang, and E. Shi,“ObliVM: A programming framework for secure computa-tion,” in Symposium on Security and Privacy (S&P’15).IEEE Computer Society, 2015, pp. 359–376, implementationavailable at: https://github.com/oblivm/ObliVMGC.

[44] C. A. Meadows, “A more efficient cryptographic match-making protocol for use in the absence of a continuouslyavailable third party,” in IEEE Symposium on Security andPrivacy (S&P’86). IEEE, 1986, pp. 134–137.

[45] T. Meskanen, J. Liu, S. Ramezanian, and V. Niemi, “Privatemembership test for Bloom filters,” in International Con-ference on Trust, Security and Privacy in Computing andCommunications (TrustCom’15). IEEE, 2015, pp. 515–522.

[46] S. Nagaraja, P. Mittal, C. Hong, M. Caesar, and N. Borisov,“Botgrep: Finding P2P bots with structured graph analysis,”in USENIX Security Symposium’10. USENIX, 2010, pp.95–110.

[47] M. Nagy, E. D. Cristofaro, A. Dmitrienko, N. Asokan,and A. Sadeghi, “Do I know you?: efficient and privacy-preserving common friend-finder protocols and applications,”in Annual Computer Security Applications Conference (AC-SAC’13), 2013, pp. 159–168.

[48] M. Naor and O. Reingold, “Number-theoretic constructionsof efficient pseudo-random functions,” J. ACM, vol. 51,no. 2, pp. 231–262, 2004.

[49] A. Narayanan, N. Thiagarajan, M. Lakhani, M. Hamburg,and D. Boneh, “Location privacy via private proximity test-ing,” in Network and Distributed System Security Sympo-sium (NDSS’11). The Internet Society, 2011.

[50] R. Nojima and Y. Kadobayashi, “Cryptographically secureBloom-filters,” Trans. Data Privacy, vol. 2, no. 2, pp. 131–139, 2009.

[51] A. Pagh, R. Pagh, and S. S. Rao, “An optimal Bloom fil-ter replacement,” in ACM-SIAM Symposium on DiscreteAlgorithms (SODA’05). SIAM, 2005, pp. 823–829.

[52] A. Partow, “Bloom filter implementation,” https://github.com/ArashPartow/bloom, 2017, accessed: 2017-03-10.

[53] B. Pinkas, T. Schneider, G. Segev, and M. Zohner, “Phas-ing: Private set intersection using permutation-based hash-ing,” in USENIX Security Symposium’15. USENIX, 2015,pp. 515–530.

[54] B. Pinkas, T. Schneider, N. P. Smart, and S. C. Williams,“Secure two-party computation is practical,” in Advancesin Cryptology – ASIACRYPT’09, ser. LNCS, vol. 5912.

Springer, 2009, pp. 250–267.[55] B. Pinkas, T. Schneider, and M. Zohner, “Faster private set

intersection based on OT extension,” in USENIX SecuritySymposium’14. USENIX, 2014, pp. 797–812.

[56] ——, “Scalable private set intersection based on OT exten-sion,” IACR Cryptology ePrint Archive, vol. 2016/930, 2016,http://ia.cr/2016/930.

[57] S. Ramezanian, “A Study of Privacy Preserving Querieswith Bloom Filters,” Master’s thesis, University of Turku,Finland, 2016.

[58] K. Shimizu, K. Nuida, H. Arai, S. Mitsunari, N. Attra-padung, M. Hamada, K. Tsuda, T. Hirokawa, J. Sakuma,G. Hanaoka, and K. Asai, “Privacy-preserving search forchemical compound databases,” BMC Bioinformatics,vol. 16, no. 18, p. S6, 2015.

[59] R. Sion and B. Carbunar, “On the practicality of privateinformation retrieval,” in Network and Distributed SystemSecurity Symposium (NDSS’07). The Internet Society,2007.

[60] S. Tamrakar, J. Liu, A. Paverd, J. Ekberg, B. Pinkas, andN. Asokan, “The circle game: Scalable private membershiptest using trusted hardware,” in ACM Asia Computer andCommunications Security (AsiaCCS’17). ACM, 2017, pp.31–44.

[61] A. C.-C. Yao, “How to generate and exchange secrets,” inFoundations of Computer Science (FOCS’86). IEEE, 1986,pp. 162–167.

[62] A. C. Yao, “Protocols for secure computations (extendedabstract),” in Foundations of Computer Science (FOCS’82).IEEE, 1982, pp. 160–164.

[63] S. Zahur, M. Rosulek, and D. Evans, “Two halves make awhole - reducing data transfer in garbled circuits using halfgates,” in Advances in Cryptology – EUROCRYPT’15, ser.LNCS, vol. 9057. Springer, 2015, pp. 220–250.

A BackgroundIn this section, we review the necessary background in-formation for the protocols described in §2.

A.1 Oblivious Transfer

1-out-of-2 oblivious transfer (OT) enables a message ex-change between two parties in an oblivious way: thesender inputs two messages s0 and s1 while the receiverinputs a choice bit b, after which the receiver receivesonly the message corresponding to its choice bit, sb. Thishappens in an oblivious way, i.e., on the one hand, thesender does not get to know which message was receivedby the receiver, who on the other hand, only learns sbbut nothing about s1−b.

A method to efficiently generate a large number ofOTs, called OT extension, was proposed in [36]. The


https://github.com/oblivm/ObliVMGC

https://github.com/ArashPartow/bloom

https://github.com/ArashPartow/bloom

http://ia.cr/2016/930

Article title 195

idea is that instead of computing a large number of OTsusing expensive public-key operations, it is possible topre-compute only a small number of so-called base OTs,from which any polynomial number of OTs can be com-puted using only efficient symmetric-key operations. OTextension with security against semi-honest adversarieswas introduced in [36] and its state-of-the-art improve-ments are described in [2]. OT extension secure againstmalicious adversaries is only slightly more expensive,cf. [3, 38].

Oblivious transfers can also be precomputed effi-ciently, by shifting the computationally expensive oper-ations into the offline phase as described in [6]. In theoffline phase, the OT protocol is run on randomly chosenbits and messages, which are used in the online phaseto mask the actual inputs. The outputs of the OTs arecalculated using only simple XOR operations.

More specifically, a single OT can be precomputedas follows [6]: in the offline phase, the parties run anOT on random messages m0 and m1 provided by thesender, and a random bit r provided by the receiver,such that the receiver obtains mr. Then, in the onlinephase, the receiver sends his choice bit b in a blindedform as b′ = r⊕b. The sender, given its true messages s0and s1 computes the following blinded values dependingon the value of b′: If b′ is 0, the sender computes s′0 =s0 ⊕ m0 and s′1 = s1 ⊕ m1. In the other case, whenthe received b′ is 1, the sender computes s′0 = s1 ⊕m0and s′1 = s0 ⊕ m1. The sender sends the computed s′0and s′1 values to the receiver, who then retrieves sb byunblinding the message sb = s′b ⊕mr.

A.2 Yao’s Garbled Circuit

Yao’s garbled circuit (GC) protocol was proposed in [61,62] and is a generic secure two-party computation proto-col for evaluating any function represented as a Booleancircuit. In this protocol, the garbler garbles the circuitby assigning symmetric keys to the input wires andencrypting the output wires with the keys on the in-put wires. We denote the GC generation process by(Cx, si,0, si,1) ←GC .Build(C, x), where C denotes thecircuit, x the garbler’s input, Cx the garbled circuitand si,0 and si,1 (i ∈ 1, . . . , |y|) denote the key pairsfor the evaluator’s input y.

The garbler stores si,0 and si,1 (i ∈ 1, . . . , |y|)and sends over the garbled circuit Cx to the evaluator.Then, the garbler and the evaluator run an OT proto-col, throughout which the evaluator obliviously asks forthe keys corresponding to its input bits, i.e., the evalu-

ator receives si,y[i] for every i ∈ 1, . . . , |y|. Using thisdata, the evaluator can compute the garbled circuit bydecrypting the wires one by one. We denote the evalu-ation by C(x, y) ←GC .Eval(Cx, si,y[i] ∀i ∈ 1, . . . , |y|),where C(x, y) is the evaluation result.

We use Yao’s garbled circuit protocol [61] withstate-of-the-art optimizations: free XOR [40], fixed-keyAES garbling [7], and half-gates [63]. The free-XOR op-timization allows for the evaluation of linear (XOR)gates without communication or cryptographic opera-tions and therefore the complexity only depends on thenumber of non-linear (AND) gates. Using fixed-key AESpermutation for garbling allows for AES encryptionswithout having to perform the key schedule multipletimes. The half-gates technique reduces the communi-cation 2 ciphertexts per AND gate.

A.3 Bloom Filter

A Bloom filter consists of an n-bit array initialized withzeros, together with l independent hash functions whoseoutput is uniformly distributed over [0, n− 1]. To insertan element x (BF .Insert(x)), we compute l hash values,and set the corresponding positions to 1. To check if anelement is in the Bloom filter (0, 1 ←BF .Check(x)),l positions are calculated in the same way. If any ofthese positions is 0, we can conclude that the elementhas not been added. Otherwise, the element is declaredto be added. For a false positive rate (FPR) of 2−ε, anoptimized Bloom filter needs 1.44εN bits to store N ele-ments [51]. Note that this is better (for a large N) thana naive storage of N hash values which would require atleast Ω(N logN) bits.

In some scenarios like malware checking, it is accept-able to exhibit a small false-positive rate. A user whoreceives a positive result will reveal the intersection toascertain the result and request further information. Ifthe FPR is sufficiently low, a small fraction of apps isnot enough for the dictionary provider to profile users.

B Asymptotic EfficiencyTab. 6 details the communication between S and C inthe different phases and gives the (minimum) storagecapacity needed by C.


Article title 196

Base Phase Setup Phase Online Phase Client StorageRSA-PSI (Fig. 1) - 1.44εNS 2mNC 1.44εNS + 2m(1 +Nmax

C )DH-PSI (Fig. 2) - mNS 2mNC m+ 1.44εNS +mNC

NR-PSI (Fig. 3) σ(5m+ 2n) + σn+ 2n2NmaxC +

nNmaxC (2n+ 1) + nNmax

C

1.44εNS nNC (1 + 2m) nNmaxC (1 + n) + 1.44εNS

GC-PSI (Fig. 4) σ(5m+ 2n) + σn+ 2n2NmaxC +

nNmaxC (2n+ 1) +Nmax

C (n+ 5,440 ·2 · 128)

1.44εNS nNC (1 + 2m) NmaxC (n2 + 5,440 · 2 · 128)

+1.44εNS

Table 6. Communication in the different protocols and the minimal storage capacity required by C, where σ denotes the number ofbase OTs in OT extension, n the message length, m the length of the ciphertexts, ε the FPR parameter for the Bloom filter, Nmax

Cthe upper bound of the client’s number of inputs, and NC and NS the client’s and the server’s number of inputs, respectively. For GC-PSI, the AES garbled circuit has 5,440 AND gates.

C Further ExtensionsIn this section, we describe further extensions besidesthe two described in §4. Specifically, we describe howwe can store the server’s database in a secret-sharedform (cf. §C.1), how we can generate the garbled circuitsin a distributed manner (cf. §C.2), or allow for privatekeyword search on encrypted data (cf. §C.3).

C.1 Distributed Data Encryption forGC-PSI

In some scenarios, S’s database may be highly sensitiveand should be protected against malicious insiders. Forexample, in the cloud-based malware checking scenario,the anti-malware vendor may put its malware databaseon a lookup server that is operated by a third party, suchas a content delivery network. Since the database is themain intellectual property of the anti-malware vendor,its content should be hidden from the lookup server.

To solve this problem, we introduce two semi-honest servers S1 and S2 that hold shares of the orig-inal database X = x1, . . . ,xNS , such that xi =xi,1⊕xi,2, where S1 holds x1,1, ...,xNS ,1 and S2 holdsx1,2, ...,xNS ,2. In addition, each server Si holds a se-cret key ki. We assume that at most one of these twoservers can be passively corrupted.

Then, the two servers S1 and S2 jointly encrypt thedatabase by computing AESk1⊕k2(xi,1 ⊕ xi,2). Finally,one of the servers (say S1) inserts the encrypted valuesin a Bloom filter and sends it to the client C (as in thesetup phase of the original protocol in Fig. 4).

According to [1, Table 7], the ABY framework [14]can securely and in parallel evaluate 100,000 blocks ofAES with the GMW protocol in 556 seconds on two

standard PCs. Hence, jointly encrypting a DB with 220

elements would take about 1.6 hours in the setup phase,which is a one-time expense.

In the online phase, C secret shares the element yinto two shares such that y = y1⊕y2 and sends yi to Si.Then, S1 and S2 jointly compute AESk1⊕k2(y1⊕y2) inthe same way as it was in the setup phase. However,this time, S2 obtains the result and sends it to C, whochecks if it is in the Bloom filter.

In this solution C has negligible workload in termsof both computation and communication as all crypto-graphic operations are outsourced to S1 and S2. How-ever, C has to trust the service provider that nobody hasaccess to both S1 and S2 simultaneously, since in thatcase one can recover C’s input y = y1 ⊕ y2.

C.2 Distributed Garbled CircuitGeneration for GC-PSI

Instead of having C split y into shares and send eachshare to each server, we can let the two data servers S1and S2 jointly generate the garbled circuit for AES.

Si chooses random wire labels ini

j for the inputs ini

of the garbled circuit. Then S1 and S2 jointly generatea garbled circuit GC for evaluating AESk1⊕k2(·) usingthe input wire labels in

i= in

i

1⊕ ini

2, and send it to C. Inthe online phase, C runs 128 OT extensions with S1 and128 OT extensions with S2 to obliviously obtain thewire labels y1 of in

i

1 and y2 of ini

2, respectively, thatcorrespond to his input y. Now the client sets the inputwire label y = y1⊕ y2 and evaluates the garbled circuitto obtain AESk(y) and checks if it is in the Bloom filter.

Compared to the online phase of GC-PSI, C onlyneeds to run twice the number of OT extensions; the sizeof the garbled circuit is the same. The servers need to


Article title 197

jointly generate a GC for AES which has at least 5,120AND gates. When using fixed-key AES garbling, half-gates, and free XOR, the cost for garbling an AND gateis dominated by 4 secure evaluations of fixed-key AES.Therefore, the two servers perform 5,120 · 4 = 20,480secure AES evaluations to garble an AES circuit. Usingthe performance results from ABY [1, Table 6] for singleblocks of AES, this takes about 50 ms · 20,480 = 17minutes, which is run in the base phase.

In terms of security, even when both S1 and S2 are(passively) corrupted they still do not learn any infor-mation about C’s inputs due to the security of the twoOT extension protocols. Hence, colluding S1 and S2 canonly learn the database, but not the clients’ queries.

C.3 Private Keyword Search on EncryptedData for GC-PSI

Offloading the Bloom filter to the setup phase preventsthe dataset from being updated frequently, which is acritical requirement for certain scenarios. In this case,C can run a private keyword search protocol, e.g., [26,§4.2].

Specifically, S1 and S2 jointly encrypt the databaseas we described in §C.1. This time both servers keepa copy of the encrypted database without sending itto C. When C wants to query a value y, it first runs theprocedure in §C.2 to get y = AESk(y). Then, C runsthe private keyword search protocol in [26, §4.2] on ywith both S1 and S2. If it outputs ⊥, C knows that y isnot in the database.

The disadvantage of this protocol is that the serversS1 and S2 need to do O(NS ) computation per query.However, any updates to the encrypted database need tobe performed only on the server side and the databasesof the clients do not need to be updated.

The private keyword search protocol in [26, §4.2]requires S1 and S2 to not collude with each other. Oth-erwise, clients’ queries will be recovered.


Ágnes kiss*, jian liu, thomas schneider, n. asokan, and ... · 1 introduction private set...

Documents