Two-Party Privacy-Preserving Set Intersection with FHE

Abstract

A two-party private set intersection allows two parties, the client and the server, to compute an intersection over their private sets, without revealing any information beyond the intersecting elements. We present a novel private set intersection protocol based on Shuhong Gao’s fully homomorphic encryption scheme and prove the security of the protocol in the semi-honest model. We also present a variant of the protocol which is a completely novel construction for computing the intersection based on Bloom filter and fully homomorphic encryption, and the protocol’s complexity is independent of the set size of the client. The security of the protocols relies on the learning with errors and ring learning with error problems. Furthermore, in the cloud with malicious adversaries, the computation of the private set intersection can be outsourced to the cloud service provider without revealing any private information.

1. Introduction

In 1978, Rivest first presented the idea of fully homomorphic encryption (FHE) [1]. Gentry constructed the first specific FHE scheme in 2009 [2]. Since then, dramatic progress in FHE is made by Gentry and many other researchers around the world. The first generation is based on an approximate GCD problem of integers and ideal lattices [2,3]; the second generation is based on ring learning with errors (RLWE) and learning with errors (LWE) problems, and developed several techniques, including re-linearization, key switch and modulus reduction, for decreasing noise growth [4,5]; the third generation involves the GSW scheme, which is based on approximate eigenvalues and RLWE [6]. Shuhong Gao’s scheme [7] is a compressed fully homomorphic encryption scheme, denoted by SGFHE below, and this scheme has three features: (1) The cipher with private key encryption is expanded six times and with public key encryption is $10+log2(n)$, where n (a power of 2) is the block length of the message; the computation of all ciphertexts is modulo r, where $r=16n$; and the boundary of noise size is $n-1$. (2) The bootstrapping algorithm needs only a bootstrapping key and the boundaries of the noise size of the output ciphers are still $n-1$ with no failure at all. (3) the security of Shuhong Gao’s scheme is based on the learning with errors problems and ring learning with errors problems, and for the block length of any message $n\ge 512$, it costs at least $2^{160}$ bit operations for breaking the scheme with the current approaches. In addition, with TFHE bootstrapping [8], the LWE cipher produced could be invalid with a probability of about $2^{-33}$ (for $n=500$). That probability is very small, and for computing many functions it is useful; however, it cannot be applied to functions that require more than $2^{33}$ bit operations (unless increasing n). In SGFHE, the error size of the $LWE$ ciphers after bootstrapping are always bound by $n-1$; this feature is not available in other FHE schemes. The total time cost for the bootstrapping procedure of the SGFHE scheme is about 130 ms, that is, 10 times as much as TFHE.

Secure multi-party computing (SMPC) is mainly about how to compute a function safely without a trusted third party. Secure multi-party computing was first proposed by Yao Qizhi in 1982. After being developed by Goldreich, Micali, Wigderson et al. [9], secure multi-party computing became a very active research field in modern cryptography. The research on MPC [10] is divided into general schemes and specific schemes designed for certain computing scenarios; the general scheme is not as efficient as a specific optimized scheme that is specially designed for a certain application. In practical applications, specific schemes are more widely used [11]. Secret sharing [12], garbled circuit [13,14], oblivious transfer [15], commitment schemes [16] and homomorphic encryption [17] are the key pieces of technology to realize SMPC, and SMPC is of great significance in the study of secret sharing schemes and privacy protection, where it is widely used in correlation analysis, data security queries, trusted data exchanges, etc. [18,19,20,21,22].

Private preserving set intersection (PSI) computing is an important aspect in secure multi-party computing. It not only performs well in scientific computing, but in real life many data can be represented by sets, so it can be used in privacy protection computing to complete corresponding data computing in the sets. The private preserving set intersection computing is the basic operation in many applications, such as machine learning, data mining [23], secure distributed data connection [24] and in privacy protection law enforcement, where it is especially widely used.

1.1. Related Work

Several specialized PSI protocols have been proposed in the literature which are more efficient than using general secure computation [33]. The main methods are: based on oblivious polynomial evaluation [25], based on an oblivious pseudo-random function [26], based on a blind signature [27], based on homomorphic encryption [28], based on the Bloom filter [29], etc. Shen Liyan et al. [30] gave a detailed overview of the development prospects of private preserving set intersection computing, the protocol developed by Google scholar. Mihaela Ion et al. [11] applied private preserving set intersection computing to advertising cooperation.

1.2. Contributions

We present three private set intersection protocols. First, we propose a novel private set intersection protocol based on Shuhong Gao’s fully homomorphic encryption scheme and prove the security of the protocol in the honest-but-curious model. We then present a variant of promoted protocol. We also present a variant of the protocol which is a completely novel construction for computing the intersection based on the Bloom filter and a fully homomorphic encryption; this protocol’s complexity is independent of the set size of the client. The security of the protocol relies on the learning with errors and ring learning with errors problems. Furthermore, in a cloud with malicious adversaries, the computation of the private set intersection can be outsourced to the cloud service provider without revealing any private information. The ciphertext extension of the protocols is small so that the protocols have strong practicability.

The remainder of the paper is structured as follows: We next review the basic concepts and techniques used in Section 2. In Section 3, we introduce the homomorphic operation used. We describe the basic two-party computing protocol, the improvement protocol and the two-party computing protocol based on the Bloom filter in Section 4. We present our conclusions in Section 5.

2. Basic Concepts and Techniques

2.1. Notation

Let $\chi$ be an error distribution; according to the distribution $\chi$, $x\leftarrow \chi$ is randomly chosen. For an integer $n\ge 1$, let $R_n=\mathbb{Z}\left[x\right]/(x^n+1)$, $R_{n,q}=\mathbb{Z}\left[x\right]/(x^n+1,q)$, where $(x^n+1,q)$ represents the ideal of $\mathbb{Z}\left[x\right]$ generated by $x^n+1$ and q. For any polynomial $f(x)={\sum }_{i=0}^d{f}_i(x^i)\in \mathbb{R}(x)$, we define the ∞-norm as ${\left|\right|f(x)\left|\right|}_{\infty }=\underset{0\le i\le d}{max}\left|f_i\right|$.

2.2. LWE Ciphers and Modulus Reduction

Regev proposed LWE problem [31,32] over ${\mathbb{Z}}_q$. Let $\chi$ be a probabilistic distribution, and $s\in {\mathbb{Z}}_q^n$ be an arbitrary vector that is a secret key of any user. $(\mathbf{a},b)$ is an LWE sample, where $\mathbf{a}\in {\mathbb{Z}}_q^n$ is selected randomly and uniformly, $b\equiv 〈s,\mathbf{a}〉+e(modq)$, $e\leftarrow \chi$.

Let $D_q=⌊q/4⌋$, $1\le \tau \le D_q/2$, $\mathbf{a}\leftarrow {\mathbb{Z}}_q^n$, and compute $b\equiv 〈\mathbf{s},\mathbf{a}〉+e+x{D}_q(modq)$ for encrypting one bit, $e\in \left[-\tau ,\tau \right]$. Let $E_s(x)=(\mathbf{a},b)\in {\mathbb{Z}}_q^n\times {\mathbb{Z}}_q$, $(\mathbf{a},b)$ is the LWE ciphertext for $x\in \{0,1\}$. Note that $D_q=⌊q/2⌋$ in Regev’s but $D_q=⌊q/4⌋$ in SGFHE scheme for homomorphic bit operations.

Modulus reduction can reduce the LWE ciphers of ${\mathbb{Z}}_q$ to ${\mathbb{Z}}_r$ where r is far less than q.

Lemma 1 

([7]). Let $\mathit{s},\mathit{a}\in {\mathbb{Z}}_q^n$, $e\in {\mathbb{Z}}_q^n$ with $\left|e\right|\le \tau$, $D_r=⌊r/4⌋$, and $b\equiv 〈\mathit{s},\mathit{a}〉+e+x{D}_q(modq).$

(1) Suppose $\tau \in q(n-3)/(2r),q\ge 4r$ and $\mathit{s}\in {\{0,1\}}^n$. $b^{\prime }=⌊rb/q⌉,{\mathit{a}}^{\prime }=⌊r\mathit{a}/q⌉$; then

$$b^{\prime }\equiv 〈\mathit{s},{\mathit{a}}^{\prime }〉+e+x{D}_r(modr).$$

(2) Let $\ell =⌈lo{g}_2^q⌉$, $q\ge 16$. Suppose that $\tau \le q(n\ell -5)/(2r)$ with $s\leftarrow {\mathbb{Z}}_q^n$. Then there exist ${\mathit{s}}^{\prime }\in {\{0,1\}}^{nl},{\mathit{a}}^{\prime }\in {\mathbb{Z}}_r^{n\ell }$ and $b^{\prime }\in {\mathbb{Z}}_r$, satisfying

$$b^{\prime }\equiv {\mathit{s}}^{\prime }{({\mathit{a}}^{\prime })}^t+e^{\prime }+x{D}_r(modr),$$

where $e^{\prime }\in \mathbb{Z}$, $|e^{\prime }|\le n\ell$.

2.3. RLWE Ciphers

Lyubashevsky et al. introduced the RLWE problem to acquire more efficient encryption schemes [33]. An RLWE sample $\mathbf{v}=(a(x),b(x))\in {\mathbb{R}}_n^2$, where $a(x)\leftarrow R_{n,q},a(x)={\sum }_{i=0}^{n-1}{a}_i{x}^i$, and

$$b(x):=s(x)a(x)+e(x)(mod(x^n+1,q))$$

for some $e(x)\leftarrow R_n$, ${\left|\right|e(x)\left|\right|}_{\infty }\le \tau$, $\tau$ is the bound of error.

$$\mathbf{v}{(-s(x),1)}^t\equiv e(x)(mod(x^n+1,q)).$$

Let $m(x)={\sum }_{i=0}^{n-1}{m}_i{x}^i$, where $m_i\in \{0,1\}$ denotes an n-bit message. The RLWE cipher of $m(x)$ with error size $\tau$ is

$$R{E}_s(m(x))=\mathbf{v}+m(x)D_q(0,1)\in R_{n,q}^2.$$

Suppose $R{E}_s(m(x))=(a(x),b(x))$. We have

$$b(x)-s(x)a(x)\equiv m(x)D_q+e(x)(mod(x^n+1,q)),$$

when $\tau \le D_q/2$, the message $m(x)$ can be recovered from $m(x)\equiv b(x)-s(x)a(x)(mod(x^n+1,q))$.

2.4. GSW Ciphers and External Product

2.4.1. Gadget Matrix

Suppose that B and l are positive integers so that $B^{\ell }\ge q$. Suppose that when $g=(1,B,\cdots ,B^{\ell -1})$, an arbitrary $a\in {\mathbb{Z}}_q$ could be denoted by

$$a=a_0+a_1+\cdots +a_{\ell -1}{B}^{\ell -1}=(a_0+a_1,\cdots +a_{\ell -1})g^t,$$

where $a_i\in \mathbb{Z}$ has a small size. Let $-B/2\le a_i\le B/2$; then $(a_0+a_1,\cdots +a_{\ell -1})$ is unique. Let $-2B\le a_i\le 2B$; the lemma as following is straightforward to prove.

Lemma 2

([7]). Let $B^{\ell }\ge q$, $a\in \mathbb{Z}$. For $0\le i\le \ell -1$, choose $x_i\leftarrow \mathbb{Z},\left|x_i\right|\le 3B/2$, which is uniform, random and independent. Suppose that

$$\begin{array}{c}a-(x_0+x_{1}B+\cdots +x_{\ell -1}{B}^{\ell -1})\hfill \\ \equiv y_0+y_{1}B+\cdots +y_{\ell -1}{B}^{\ell -1}(modq)\hfill \end{array}$$

where $|y_i|\le B/2$. Set $a_i=x_i+y_i$; then $(a_0,a_1,\cdots ,a_{\ell -1})$ is uniform random solution to

$$a\equiv a_0+a_{1}B+\cdots +a_{\ell -1}{B}^{\ell -1}(modq)$$

with $|a_i|\le B/2$.

Hence, any list of elements in ${\mathbb{Z}}_q$ can be extended. That is, each polynomial $a(x)\in R_{n,q}$ can be denoted by

$$\begin{array}{cc}\hfill a(x)& =a_0(x)+a_1(x)B+\cdots +a_{\ell -1}(x)B^{\ell -1}\hfill \\ \hfill & =(a_0(x),a_1(x),\cdots ,a_{\ell -1}(x))g^t,\hfill \end{array}$$

where $\left|\right|a_i(x){\left|\right|}_{\infty }\le 2B$. A gadget matrix of $(2\ell )\times 2$ is defined as

$$G=\left(\begin{array}{cc}{g}^t& 0\\ 0& g^t\end{array}\right).$$

Any $(a(x),b(x))\in R_{n,q}^2$ can be denoted by

$$(a(x),b(x))=\mathbf{u}(x)G$$

(1)

where $\mathbf{u}(x)\in R_n^{2\ell }$ is selected randomly and uniformly, and ${\left|\right|\mathbf{u}(x)\left|\right|}_{\infty }\le 2B$. Here $G^{-1}$, only as an operator, acts on the right of $(a(x),b(x))$(G is not a square matrix, so it has no inverse).

$$\mathbf{u}(x)=(a(x),b(x))◃G^{-1}$$

A row vector $\mathbf{u}(x)$ has $2\ell$ polynomials; the coefficients of the polynomials are small and at most $2B$. This can increase the dimension to decease the coefficient. By the above definition, we have the following equation.

$$(\mathbf{v}◃G^{-1})G=\mathbf{v},\forall \mathbf{v}\in R_{n,q}^2$$

2.4.2. External Product

Suppose that a row vector $\mathbf{v}=(a(x),b(x))\in R_{n,q}^2$, and arbitrary matrices $A\in R_{n,q}^{2\ell \times 2}$ of $2\ell \times 2$, define the external product of $\mathbf{v}$ and A as

$$\mathbf{v}\odot A=(\mathbf{v}◃G^{-1})A\in R_{n,q}^2;$$

it is a random vector; for $\mathbf{v}◃G^{-1}$ is a random vector of $1\times 2\ell$. By definition, the external product satisfies the right distributive, namely, for arbitrary two matrices $A,B\in R_{n,q}^{(2\ell )\times 2}$ of $2\ell \times 2$, we have

$$\begin{array}{cc}\hfill \mathbf{v}\odot (A+B)& \equiv (\mathbf{v}◃G^{-1})(A+B)\hfill \\ \hfill & =(\mathbf{v}◃G^{-1})A+(\mathbf{v}◃G^{-1})B\hfill \\ \hfill & =\mathbf{v}\odot A+\mathbf{v}\odot B(mod(x^n+1,q)).\hfill \end{array}$$

2.4.3. GSW Ciphers

Let an n-bit secret key $s(x)={\sum }_{i=0}^{n-1}{s}_i{x}^i$, where $s_i\in \{0,1\}$, $RLWE$ sample $A\leftarrow R_{n,q}^{2\ell \times 2}$ (the rows of A are $RLWE$ samples) and a GSW cipher for $m(x)\in R_n$ is

$$GS{W}_s(m(x))=A+m(x)G\in R_{n,q}^{2\ell \times 2};$$

according to the definition of $RLWE$ sample

$$A{(-s(x),-1)}^t\equiv \mathbf{w}(x)(mod(x^n+1,q)),$$

where $\mathbf{w}(x)\in R_n^{2\ell }$, and $\left|\right|\mathbf{w}(x)\left|\right|\le \tau$; $\tau$ is the error size of GSW ciphers.

Lemma 3

([7]). Let $m_0(x),m_1(x)\in R_n$ be any two polynomials. For any $R{E}_s(m_0(x))$ with error size τ and any $GS{W}_s(m_1(x))$ with error size ${\tau }_1$, we have

$$R{E}_s(m_0(x))\odot GS{W}_s(m_1(x))=R{E}_s(m_0(x)m_1(x))$$

and $R{E}_s(m_0(x)m_1(x))$ which has an error size of at most $\tau \left|\right|m_1(x){\left|\right|}_{\infty }+4Bn\ell {\tau }_1$.

2.5. Bloom Filter

A Bloom filter [34] is a compact data structure for probabilistic set membership testing, and can insert and query data efficiently. The Bloom filter provides a time and space-efficient method to check whether there is an element in the set. A Bloom filter consists of a binary vector and a set of hash functions; $b_j$ represents the j-th bit of the Bloom filter b and all elements of the empty Bloom filter are 0. Any Bloom filter b includes the three steps as follows:

$Create(\alpha ):$ Create an empty Bloom filter with $\alpha$ bits; the hash function $\left\{h_i\right|0\le i<\beta \}$ is:

$$h_i:{\{0,1\}}^{*}\to \{0,\dots ,\alpha -1\}.$$

$Add(x):$ Compute $\beta$ hash values $g_i=h_i(x)$ of the element x using the hash function $h_i(0\le i<\beta )$. Set the Bloom filter cell with subscript $g_i$ to 1.

$$g_i=h_i(x)⟹b_{g_i}=1$$

$Test(x):$ Test whether the element x is in the Bloom filter b. Compute $\beta$ hash values $g_i=h_i(x)$ of the element x; if the $\beta$ cells with subscript $g_i$ are 1 ($b_{g_i}=1$), then return 1 (true).

$$Test(x)=\underset{i=0}{\overset{\beta -1}{\wedge }}{b}_{h_i(x)}=\underset{i=0}{\overset{\beta -1}{\wedge }}{b}_{g_i}$$

(2)

The Bloom filter has a negligible false positive probability; $Test(x)$ will return 1, although x cannot be added to the Bloom filter. Given $\omega$ elements to be added and the expected maximum false positive probability $2^{-k}$, the Bloom filter size $\alpha$ needs to satisfy:

$$\alpha \ge \frac{\omega k}{l{n}^{2}2}.$$

A Bloom filter is widely used in cryptography. Bellovin and Cheswick [35] and Goh [36] implemented a securely document search using a Bloom filter. Raykov and Bellovin [37] realized a secure database query. Qiu L and Li Y [38] realized privacy data mining and BIP-0037 put forward the application of a Bloom filter in Bitcoin. Reference [39,40,41] realized the set intersection computing based on Bloom filters.

3. Homomorphic Operations

In SGFHE scheme, let any two LWE ciphers be $E_s(x_1)$ and $E_s(x_2)$ with $x_1,x_2\in \{0,1\}$; one bootstrapping can compute three bit operations $E_s(x_1\wedge x_2),E_s(x_1\vee x_2)$ and $E_s(x_1\oplus x_2)$; the scheme follows the approach in Ducas et al. [42] and Chillotti [43], but does not need to perform a key switch.

3.1. Key Generations

Let n be a power of 2, $n\ge 64$. Suppose that r can be divided by 8; $m=r/2,B=35r^{2}n$,

$$r\ge 16n,q\ge nr,1220r^4{n}^2\le Q<1225r^4{n}^2=B^2.$$

(3)

$$D_r=⌊r/4⌋,D_q=⌊q/4⌋,{\tilde{D}}_Q=⌊Q/8⌋,andG=\left(\begin{array}{cc}1& 0\\ B& 0\\ 0& 1\\ 0& B\end{array}\right).$$

Secret key Pick $\mathbf{s}\leftarrow {\{0,1\}}^n$ uniformly and randomly; let $s(x)={\sum }_{i=0}^{n-1}{s}_i{x}^i$.

Public key$pk=(k_0(x),k_1(x)),k_0(x)\leftarrow R_{n,q}$,

$$k_1(x)\equiv k_0(x)s(x)+e(x)(mod{x}^n+1,q),$$

where $e(x)\leftarrow R_n{,\left|\right|e(x)\left|\right|}_{\infty }<D_q/(41n)$.

Bootstrapping key A bootstrapping key $bk=(C_0,C_1,\dots ,C_{n-1})$ can be generated as follows:

For $1\le i\le n-1$ do:

(1)

Pick $a_{ji}\leftarrow R_{m,Q}$, $1\le j\le 4$;

(2)

Pick $e_{ji}(x)\in R_m$, $\left|\right|e_{ji}{\left|\right|}_{\infty }\le n$, $1\le j\le 4$;

(3)

Compute $b_{ji}(x):=a_{ji}(x)s(x)+e_{ji}(x)(mod{x}^m+1,Q)$, $1\le j\le 4$;

(4)

Set $C_i:=\left(\begin{array}{cc}{a}_{1i}(x)& b_{1i}(x)\\ a_{2i}(x)& b_{3i}(x)\\ a_{3i}(x)& b_{2i}(x)\\ a_{4i}(x)& b_{4i}(x)\end{array}\right)+s_{i}G(modQ)$.

3.2. Bootstrapping Algorithm

Lemma 4.

Suppose that a bootstrapping key $bk$ has an error size at most ${\tau }_1$; r is divisible by 8 and $r\ge 16n,Q\ge \frac{n}{n-3}16B{r}^2\ell {\tau }_1$. Then, for any two LWE ciphers $E_s(x_i)={\mathit{v}}_i\in {\mathbb{Z}}_r^n\times \mathbb{Z}$, with error size $\le D_r/4$ where $x_i\in \{0,1\}$ for $i=1,2$, the bootstrapping algorithm in Algorithm 1 outputs random LWE ciphers $E_s(x_1\wedge x_2),E_s(x_1\vee x_2),E_s(x_1\oplus x_2)\in {\mathbb{Z}}_r^n\times {\mathbb{Z}}_r$ all with error size $<n\le D_r/4$ [7].

Algorithm 1 Bootstrapping Algorithm: $B{T}_{bk}({\mathbf{v}}_1,{\mathbf{v}}_2)\to {\mathbf{c}}_1,{\mathbf{c}}_2,{\mathbf{c}}_3$.

Input:$bk=(C_0,C_1,\dots ,C_{n-1})\in R_{m,Q}^{2\ell \times 2}$: bootstrapping key;

$({\mathbf{v}}_1,{\mathbf{v}}_2)\in {\mathbb{Z}}_r^n\times {\mathbb{Z}}_r$:${\mathbf{v}}_i=E_s(x_i),x_1,x_2\in \{0,1\}$;

Output:$E_s(x_1\wedge x_2),E_s(x_1\vee x_2),E_s(x_1\oplus x_2)\in {\mathbb{Z}}_r^n\times {\mathbb{Z}}_r$; 1: Compute $\mathbf{u}:={\mathbf{v}}_1+{\mathbf{v}}_2=(u_0,u_1,\dots ,u_{n-1},u_n)\in {\mathbb{Z}}_r^n\times {\mathbb{Z}}_r$; 2: $T:=\{j\in \mathbf{Z}:-D_r\le j\le D_r\},t(x):={\sum }_{j\in T}{x}^j$; 3: $A:=(0,t(x)x^{-u_n}{\tilde{D}}_Q)\in R_{m,Q}^2$; 4: for$\mathrm{k}\mathrm{from}0\mathrm{to}\mathrm{n}-1$do 5:   $A:=A\odot (G+(x^{u_k}-1)C_k)$; 6: end for 7: Let $A=({\sum }_{i=0}^{m-1}{a}_i{x}^i,{\sum }_{i=0}^{m-1}{b}_i{x}^i)$. Set  ${\mathbf{a}}_1:=(Extract(a(x),3m/4),{\tilde{D}}_Q+b_{3m/4})\in {\mathbb{Z}}_Q^n\times {\mathbb{Z}}_Q$;  ${\mathbf{a}}_2:=(Extract(a(x),m/4),{\tilde{D}}_Q-b_{m/4})\in {\mathbb{Z}}_Q^n\times {\mathbb{Z}}_Q$;  ${\mathbf{a}}_3:={\mathbf{a}}_2-{\mathbf{a}}_1\in {\mathbb{Z}}_Q^n\times {\mathbb{Z}}_Q$; 8: for$\mathrm{i}\mathrm{from}1\mathrm{to}3$do 9:   ${\mathbf{c}}_i:=⌊r\mathbf{a}/Q⌉\in {\mathbb{Z}}_r^n\times {\mathbb{Z}}_r$; 10: end for 11: Return ${\mathbf{c}}_1,{\mathbf{c}}_2,{\mathbf{c}}_3$;

3.3. Encryption Scheme

Lemma 5.

Suppose that $r=2^{t+1}$; $(a(x),b(x))\in R_{n,r}^2$ can be computed from Algorithm 2. Then for some ${\omega }_3(x),\left|\right|{\omega }_3(x){\left|\right|}_{\infty }\le D_r/4$, so that

$$2^{t-4}b(x)-s(x)a(x)\equiv {\omega }_3(x)+m(x)D_r(mod{x}^n+1,r).$$

Specifically, if $r=16n$, then $(u,\mathit{v})$ returned in Algorithm 2 has 6n bits and represents an $RLWE$ cipher $R{E}_s(m(x))$, and the error size $<n$ [7].

Algorithm 2 Encryption with private key:$R{E}_s(m(x))\to (u,\mathbf{v}$).

Input:n-bit secret key $s(x)={\sum }_{i=0}^{n-1}{s}_i{x}^i,s_i\in \{0,1\}$;

n-bit message $m(x)={\sum }_{i=0}^{n-1}{m}_i{x}^i,m_i\in \{0,1\}$;

$t:=⌈lo{g}_2(r)⌉$, hence $2^t\le r\le 2^{t-1}$;

$P:\{0,1\}\to {\{0,1\}}^{n(t+1)}$;

Output:$(u,\mathbf{v})\in {\{0,1\}}^n\times {\{{\{0,1\}}^5\}}^n$

1: $u\leftarrow {\{0,1\}}^n,a(x):=P(u,x)\in R_{n,r}$; 2: $\omega (x)\leftarrow R_n{,\left|\right|\omega (x)\left|\right|}_{\infty }\le D_r/8,b_1(x):=a(x)s(x)+\omega (x)+m(x)D_r(mod{x}^n+1,r)$; 3: $b(x)={\sum }_{i=0}^{n-1}{b}_i{x}^i:=⌊b_1(x)/2^{t-4}⌋$; 4: $\mathbf{v}=(b_1,b_2,\dots ,b_{n-1})\in {({\{0,1\}}^5)}^n$; 5: return $(u,\mathbf{v});$

Lemma 6.

Suppose that $r=2^{t+1},r\ge 16n,q\ge 4randn\ge 164$. Suppose that $R{E}_{pk}(m(x)):=(a(x),b(x))\in R_{n,r}^2$ be any ciphertext output by Algorithm 3. Then $2^{t-5}b(x)-s(x)a(x)\equiv {\omega }_3(x)+m(x)D_r(mod{x}^n+1,r)$ for some ${\omega }_3(x)\in R_n$ with $\left|\right|{\omega }_3(x){\left|\right|}_{\infty }\le D_r/4$.

Specifically, if $r=16n$, then any ciphertext $(a(x),b(x))$ has $n(10+lo{g}_2(n))$ bits and the error, that is, each coefficient of ${\omega }_3(x)$, is in $(-n,n)$ randomly [7].

We can divide the data $\mathbf{x}$ into d blocks of length n. Let $N=dn$, $\mathbf{x}=({\mathbf{x}}_1,{\mathbf{x}}_2,\dots ,{\mathbf{x}}_d)\in {\{0,1\}}^N$, ${\mathbf{x}}_k=(x_{k,0},x_{k,1},\cdots ,x_{k,n-1}),{\mathbf{x}}_k\in {\{0,1\}}^n$. Each ${\mathbf{x}}_k$ can be expressed as a polynomial ${\sum }_{i=0}^{n-1}{x}_{k,i}{x}^i\in R_n$. Then—encrypted using the private-key scheme ${\mathbf{c}}_k=R{E}_s({\mathbf{x}}_k),1\le k\le d$ by Algorithm 2—note that the cipher text size ${\mathbf{c}}_k$ is about 6N bits and then encrypted using the public-key scheme ${\mathbf{c}}_k^{\prime }=R{E}_{pk}({\mathbf{x}}_k),1\le k\le d$ by Algorithm 3; note that the cipher text size ${\mathbf{c}}_k$’ is about $N(10+lo{g}_2(n))$. Homomorphic computing can be performed in three steps as follows:

Algorithm 3 Encryption under public key: $R{E}_{pk}(m(x))\to (a(x),b(x))\in R_{n,r}^2$.

Input:$pk=(k_0(x),k_1(x)),k_0(x)\leftarrow R_{n,q}$;

$m(x)={\sum }_{i=0}^{n-1}{m}_i{x}^i$:n-bit message where each

$m_i\in \{0,1\}$;

$t:=⌈lo{g}_2(r)⌉$;

Output:$(a(x),b(x))\in R_{n,r}^2$$u(x)\leftarrow R_n$,

1: $u(x)\leftarrow R_n$, each coefficient random from $\{-1,0,1\}$; 2: ${\omega }_1(x)\leftarrow R_n,\left|\right|{\omega }_1(x){\left|\right|}_{\infty }\le D_q/(41n)$; 3: ${\omega }_2(x)\leftarrow R_n,\left|\right|{\omega }_2(x){\left|\right|}_{\infty }\le D_q/82$; 4: $a_1(x):=k_0(x)u(x)+{\omega }_1(x)(mod{x}^n+1,q)$; 5: $b_1(x):=k_1(x)u(x)+{\omega }_2(x)+m(x)D_q(mod{x}^n+1,q)$; 6: $a(x):=⌊\frac{r}{q}{a}_1(x)⌉,b(x):=⌊\frac{r}{2^{t-5}q}{b}_1(x)⌉$; 7: Return $(a(x),b(x))$

(1)

Unpacking the $RLWE$ ciphertexts $RE({\mathbf{x}}_k)$ to get $LWE$ ciphers in ${\mathbb{Z}}_r^n\times {\mathbb{Z}}_r$ for the bits of $\mathbf{x}$.

$$RE({\mathbf{x}}_k)\stackrel{unpack}{⟶}{E}_s(c_{k,i})$$

(2)

Homomorphic computing of $f(\mathbf{x})=\mathbf{y}=\{y_0,y_1,\dots ,y_M\}\in {\{0,1\}}^M$ on $LWE$ ciphers.

$$f(\mathbf{x})\stackrel{B{T}_{bk}}{⟶}\{E_s(y_0),E_s(y_1),\dots ,E_s(y_M)\}$$

(3)

Packing the $LWE$ ciphers $\{E_s(y_0),E_s(y_1),\dots ,E_s(y_M)\}$ of function f into $RLWE$ ciphers in $R_{n,r}^2$.

$$\{E_s(y_0),E_s(y_1),\dots ,E_s(y_M)\}\stackrel{pack}{⟶}R{E}_s(\mathbf{y})$$

4. Privacy-Preserving Set Intersection

We abstract the privacy set intersection computation model as follows. The client C owns a set $\{{\mathbf{c}}_{\mathbf{1}},\dots ,{\mathbf{c}}_{\mathbf{v}}\}$ of size v, and the server S holds a set $\{{\mathbf{s}}_{\mathbf{1}},\dots ,{\mathbf{s}}_{\omega }\}$ of size $\omega$. After the end of the protocol, the client C only obtains the intersection $\{{\mathbf{c}}_{\mathbf{1}},\dots ,{\mathbf{c}}_{\mathbf{v}}\}\bigcap \{{\mathbf{s}}_{\mathbf{1}},\dots ,{\mathbf{s}}_{\omega }\}$; however, the server cannot get any information for the input and the set intersection of the client (including the size of the intersection).

4.1. The Basic Two-Party Computing Protocol

The summary of basic private two-party intersection protocol is shown in Figure 1. The specific steps are as follows:

1.

The client C encrypts the set with private key and sends ciphertexts to the server S.

2.

The server S implements homomorphic computing with bootstrapping key and sends the result to the client C.

3.

The client C decrypts and computes the intersection of the two sets; the server S cannot acquire any information about the input and output.

Our basic two-party computing protocol is shown in Figure 2. At step $C\to S$, the client sends $pk,bk$ and $R{E}_{sk}({\mathbf{c}}_k)$ to the server. At step S, the server unpacks $R{E}_{sk}({\mathbf{c}}_k)$ to get $E_{sk}(c_{k,j})$, unpacks $R{E}_{pk}$ to get $E_{sk}(s_{i,j})$, samples $\mathbf{u}\in {\{0,1\}}^n$, calls bootstrapping operations to compute $E_{sk}(z_{k,i})$, computes $LWE$ ciphers $E_{sk}(w_{i,j})$, packs the resulted LWE ciphers $E_{sk}(w_{i,j})$ into RLWE ciphers $R{E}_{sk}({\mathbf{w}}_i)$ and sends them to the client. At step C, the client decrypts $R{E}_{sk}({\mathbf{w}}_i)$ to get ${\mathbf{w}}_i$ and computes the intersection.

4.2. Correctness of the Basic Two-Party Computing Protocol

First, the correctness of SGFHE scheme has been proven.

Let ${\mathbf{c}}_k,{\mathbf{s}}_i$ be the set elements’ binary representation of the client and server respectively. The insufficient bits are filled with 0s and we extend the length to n.

$${\mathbf{c}}_k=\{c_{k,1},\dots ,c_{k,n}\}={\{0,1\}}^n,1\le k\le v$$

$${\mathbf{s}}_i=\{s_{i,1},\dots ,s_{i,n}\}={\{0,1\}}^n,1\le i\le \omega$$

$$\mathbf{u}\stackrel{sample}{⟵}{\{0,1\}}^n$$

$$z_{k,i}=\underset{j=1}{\overset{n}{\bigvee }}(c_{k,j}\oplus s_{i,j})$$

(4)

If $z_{k,i}=1$, then ${\mathbf{c}}_k\ne {\mathbf{s}}_i$; if $z_{k,i}=0$, then ${\mathbf{c}}_k={\mathbf{s}}_i$.

The server can acquire $E_{sk}(z_{k,i})$ by $R{E}_{sk}({\mathbf{c}}_k)\stackrel{unpack}{⟶}{E}_{sk}(c_{k,j}),R{E}_{pk}({\mathbf{s}}_i)\stackrel{unpack}{⟶}{E}_{sk}(s_{i,j})$ and call $(2n-1)$ bootstrapping operations, denoted by $z_{k,i}=\underset{j=1}{\overset{n}{\bigvee }}(c_{k,j}\oplus s_{i,j})\stackrel{B{T}_{bk}}{⟶}{E}_{sk}(z_{k,i})$.

Remark: RE represents RLWE cipher; E represents LWE cipher.

Let

$$z_i=\underset{k=1}{\overset{v}{\bigwedge }}{z}_{k,i};$$

(5)

$E_{sk}(z_i)\in {\mathbb{Z}}_r^n\times {\mathbb{Z}}_r$ can be computed from $E_{sk}(z_{k,i})$ by implementing $(v-1)$ bootstrapping operations. Hence, implementing $(2n+v-2)$ bootstrapping operations by (6) can compute $E_{sk}(z_i)$.

$$z_i=\underset{k=1}{\overset{v}{\bigwedge }}{z}_{k,i}=\underset{k=1}{\overset{v}{\bigwedge }}\underset{j=1}{\overset{n}{\bigvee }}(c_{k,j}\oplus s_{i,j})\stackrel{B{T}_{bk}}{⟶}{E}_{sk}(z_i)$$

(6)

If $z_i=1$, then ${\mathbf{w}}_i=\mathbf{u}$ is a random value with $\forall k,{\mathbf{c}}_k\ne {\mathbf{s}}_i$; if $z_i=0$, then there $\exists k$ so that ${\mathbf{c}}_k={\mathbf{s}}_i,{\mathbf{w}}_i={\mathbf{c}}_k={\mathbf{s}}_i$ is in the intersection. For ${\mathbf{s}}_i$ and $\mathbf{u}$, each bit

$$w_{i,j}=z_k\wedge u_j\oplus (1-z_k)\wedge s_{i,j}$$

can be computed by

$${\mathbf{w}}_i=\{w_{i,1},\dots ,w_{k,n}\}=z_i\mathbf{u}\oplus (1-z_i){\mathbf{s}}_i$$

(7)

For plaintexts $u_j$ and $s_{i,j}$, an LWE cipher of any bit $z_k\wedge u_j\oplus (1-z_k)\wedge s_{i,j}$ can be computed as

$$u_j{E}_{sk}(z_i)+s_{i,j}(E_{sk}(1)-E_{sk}(z_k)),$$

which still has error size $<D_r/4$.

The $LWE$ cipher is

$$E_{sk}(w_{i,j})=u_j{E}_{sk}(z_i)+s_{i,j}(E_{sk}(1)-E_{sk}(z_k)).$$

(8)

The server can pack the resulted LWE ciphers $E_{sk}(w_{i,j})$ into RLWE ciphers $R{E}_{sk}({\mathbf{w}}_i)$ and send them to the client.

In the end, the client decrypts $Dec(R{E}_{sk}({\mathbf{w}}_i))⟹{\mathbf{w}}_i$ and computes the intersection

$\{{\mathbf{c}}_1,\dots ,{\mathbf{c}}_v\}\bigcap \{{\mathbf{w}}_1,\dots ,{\mathbf{w}}_{\omega }\}⟹$$\{{\mathbf{c}}_1,\dots ,{\mathbf{c}}_v\}\bigcap \{{\mathbf{s}}_1,\dots ,{\mathbf{s}}_{\omega }\}.$

4.3. Security Analysis of the Basic Two-Party Computing Protocol

We analyze the security of the protocol by comparing the real model and the ideal model. The real model is the actual implementation of the basic private intersection protocol and it is a trusted server for computing the intersection. The trusted server receives the input $\{{\mathbf{c}}_1,\dots ,{\mathbf{c}}_v\}$ of the client and the input $\{{\mathbf{s}}_1,\dots ,{\mathbf{s}}_{\omega }\}$ of the server, and will return the intersection with the client; however, the server cannot get any information about the output. The ideal model maintains all security evidence. In the semi-honest model, the participant’s view includes its own input and the information received from other participants during the progression of the protocol. The simulator can use the participant’s input and output to build a simulation that is computationally indistinguishable from the views. That proves that the participants cannot obtain any other information besides the inputs and outputs.

Theorem 1.

If SGFHE is held, then the basic two-party computing protocol can realize the private set intersection computing under the semi-honest model.

Proof. 

In the protocol, the server cannot obtain any other information besides receiving the $RLWE$ ciphers. Its view can only be simulated with ciphertexts and its security is based on IND-CPA security of $RLWE$ scheme.

The client only receives the $RLWE$ ciphers of the intersections and the random $RLWE$ ciphers. Therefore, it just includes the output information of the set intersection and the view of simulator is only the output information of the set intersection. □

4.4. The Improvement of the Basic Two-Party Computing Protocol

In the basic two-party computing protocol, the server will return the ciphertexts of the intersection elements or the random ciphertexts, and computes the intersection by decrypting the ciphertexts. In our improvement protocol shown in Figure 3, we just need to determine whether ${\mathbf{c}}_k$ is in $\{{\mathbf{s}}_1,\dots ,{\mathbf{s}}_{\omega }\}$ without computing the ciphertexts of the intersection elements by the server. On the one hand, it can reduce the computational complexity; on the other hand, it will not reveal the size of the server set.

Let ${\mathbf{c}}_k,{\mathbf{s}}_i$ be the set elements’ binary representations of the client and the server respectively. The insufficient bits are filled with 0s and we extend the length to n.

$${\mathbf{c}}_k=\{c_{k,1},\dots ,c_{k,n}\}={\{0,1\}}^n,1\le k\le v$$

$${\mathbf{s}}_i=\{s_{i,1},\dots ,s_{i,n}\}={\{0,1\}}^n,1\le i\le \omega$$

$$z_{k,i}=\underset{j=1}{\overset{n}{\bigvee }}(c_{k,j}\oplus s_{i,j})$$

(9)

If $z_{k,i}=1$, then ${\mathbf{c}}_k\ne {\mathbf{s}}_i$; if $z_{k,i}=0$, then ${\mathbf{c}}_k={\mathbf{s}}_i$.

The server can acquire $E_{sk}(z_{k,i})$ by $R{E}_{sk}({\mathbf{c}}_k)\stackrel{unpack}{⟶}{E}_{sk}(c_{k,j})$, $R{E}_{pk}({\mathbf{s}}_i)\stackrel{unpack}{⟶}{E}_{sk}(s_{i,j})$ and call $(2n-1)$ bootstrapping operations, denoted by $z_{k,i}=\underset{j=1}{\overset{n}{\bigvee }}(c_{k,j}\oplus s_{i,j})\stackrel{B{T}_{bk}}{⟶}{E}_{sk}(z_{k,i})$. The server packs $LWE$ ciphers $E_{sk}(z_{k,i})$ to $RLWE$ ciphers $R{E}_{sk}({\mathbf{z}}_k)$ and sends them to the client.

$$\{E_{sk}(z_{k,1}),E_{sk}(z_{k,2}),\dots ,E_{sk}(z_{k,\omega })\}\stackrel{pack}{⟶}R{E}_{sk}({\mathbf{z}}_k),$$

the client decrypts $R{E}_{sk}({\mathbf{z}}_k)$, if all ${\mathbf{z}}_k$ is 1, then

$${\mathbf{c}}_k\notin \{{\mathbf{c}}_1,\dots ,{\mathbf{c}}_v\}\bigcap \{{\mathbf{s}}_1,\dots ,{\mathbf{s}}_{\omega }\};$$

else ${\mathbf{c}}_k\in \{{\mathbf{c}}_1,\dots ,{\mathbf{c}}_v\}\bigcap \{{\mathbf{s}}_1,\dots ,{\mathbf{s}}_{\omega }\}.$

In the protocol, the server cannot obtain any other information besides $RLWE$ ciphers and the view can only be simulated by the ciphertexts. Its security is based on IND-CPA security of $RLWE$ scheme.

The client acquires $z_{k,i}$ by (9), however, the probability of obtaining $s_{i,j}$ from $z_{k,i}$ and ${\mathbf{c}}_{k,j}$ is $2^{-n}$, and it is negligible. The client only receives the output of the intersection; therefore, the view of simulator is just the output of the set intersection.

4.5. Two-Party Computing Protocol Based on a Bloom Filter

In this section, we construct a two-party protocol based on Bloom filter shown in Figure 4, in which the client C encrypts each bit of the Bloom filter with private key and sends it to the server S. The server S homomorphic computes $Test({\mathbf{s}}_j)$ with the bootstrapping key of client C and sends it to the client. C will obtain the intersection of the two sets by decrypting, but the server cannot get any information about the input and output (including the size of the intersection).

Let ${\mathbf{c}}_k,{\mathbf{s}}_i$ be the set elements’ binary representations of the client and the server respectively. The insufficient bits are filled with 0s and we extend the length to n.

$${\mathbf{c}}_k=\{c_{k,1},\dots ,c_{k,n}\}={\{0,1\}}^n,1\le k\le v.$$

$${\mathbf{s}}_j=\{s_{j,1},\dots ,s_{j,n}\}={\{0,1\}}^n,1\le j\le \omega .$$

The client C constructs a Bloom filter $b=create(\alpha )$ and sends $pk,bk,R{E}_{sk}(b)$ to the server S.

$$z_j=Test(s_j)=\underset{i=0}{\overset{\beta -1}{\wedge }}{b}_{h_i(s_j)}$$

(10)

According to (10), input $E_{sk}(b_1),\dots ,E_{sk}(b_{\alpha })$,

$$E_{sk}(z_j)=\underset{i=0}{\overset{\beta -1}{\wedge }}{E}_{sk}(b_{h_i(s_j)}).$$

Call $(\beta -1)$ bootstrapping operations to obtain $E_{sk}(z_j)$, denoted by

$$z_j=Test(s_j)=\underset{i=0}{\overset{\beta -1}{\wedge }}{b}_{h_i({\mathbf{s}}_j)}\stackrel{B{T}_{bk}}{⟶}{E}_{sk}(z_j).$$

$${\mathbf{w}}_j=\{w_{j,1},\dots ,w_{j,n}\}=z_j{\mathbf{s}}_j\oplus (1-z_j)\mathbf{u}$$

(11)

If $z_j=1$, then there $\exists k$ such that ${\mathbf{c}}_k={\mathbf{s}}_j$, and computing ${\mathbf{w}}_j={\mathbf{s}}_j$ by (11); similarly, if $z_j=0$, then $\forall k$ such that ${\mathbf{c}}_k\ne {\mathbf{s}}_j$, and computing ${\mathbf{w}}_j=\mathbf{u}$ by (11). For plaintexts ${\mathbf{s}}_j$ and $\mathbf{u}$, each bit can be computed by (11),

$$w_{j,t}=z_j\wedge s_{j,t}\oplus (1-z_j)\wedge u_t,1\le t\le n.$$

The corresponding $LWE$ cipher is

$$E_{sk}(w_{j,t})=s_{j,t}{E}_{sk}(z_j)+u_t(E_{sk}(1)-E_{sk}(z_j)).$$

(12)

The correctness and security of the two-party computing protocol based on Bloom filter is similar to the basic two-party computing protocol. Please refer to Section 4.2 and Section 4.3.

5. Conclusions

We constructed the set intersection two-party computing protocols based on a fully homomorphic encryption scheme. The protocols are simple and only need two rounds of communication, and the security is based on $RLWE$ and $LWE$ problems in the semi-honest model. The ciphertext extension of the protocols is small so that the protocols have strong practicability. Furthermore, we can extended the set intersection protocol by outsourcing computing under the malicious model. The limitation of our schemes is they are two-party protocols. In future work, we shall extend them to multi-party protocols. The disadvantage of the private set intersection protocols is they are not efficient enough due to bottleneck the bootstrapping operation. On the theoretical side, with the development of fully homomorphic encryption technology, its performance has been greatly improved, but the efficiency of it is still worthy of in-depth study. The bottleneck of the SGFHE scheme is its bootstrapping operation; therefore, its parallelization and hardware implementation will be further studied to improve the overall efficiency of the protocol.