An Efficient PSI-CA Protocol Under the Malicious Model

Abstract

Private set intersection cardinality (PSI-CA) is a typical problem in the field of secure multi-party computation, which enables two parties calculate the cardinality of intersection securely without revealing any information about their sets. And it is suitable for private data protection scenarios where only the cardinality of the set intersection needs to be calculated. However, most of the currently available PSI-CA protocols only meet the security under the semi-honest model and can't resist the malicious behaviors of participants. To solve the problems above, by the application of the variant of Elgamal cryptography and Bloom filter, we propose an efficient PSI-CA protocol with high security. We also present two new operations on Bloom filter called IBF and BIBF, which could further enhance the safety of private data. Using zero-knowledge proof to ensure the safety under malicious adversary model. Moreover, in order to minimize the error in the results caused by the false positive problem, we use Garbled Bloom Filter and key-value pair packing creatively and present an improved PSI-CA protocol. Through experimental comparison with several existing representative protocols, our protocol runs with linear time complexity and more excellent characters, which is more suitable for practical application scenarios.

1. Introduction

Private set intersection (PSI) is a typical problem among the secure multi-party computation domain [1], which enables two or more participants to securely compute the intersection of their private sets without revealing any other information about their private sets [2]. For example, for two mutually distrustful participants P₁ and P₂, their private sets are S₁ and S₂, which |S₁| = m, |S₂| = n, and they want to compute S₁∩S₂. Private set intersection cardinality (PSI-CA) and private set union cardinality (PSU-CA) are the important variants of PSI which have caused attention of some researchers. The PSI-CA problem is when the participants are P₁ and P₂, and the sets they hold are S₁ and S₂, trying to compute |S₁∩S₂|. In many scenarios where data privacy needs to be protected, the technology of PSI-CA has significant meanings and has applied in many realistic scenarios such as advertisement conversion rate calculation [3], social network contacts exploration [4], gene sequence match detection [5], infectious disease patient tracing [6].

Take the problem of calculating the advertisement conversion rate for instance, the calculation of advertisement conversion rate is a kind of important application in PSI-CA which means the proportion of users who are influenced by the ad to make a purchase or register to the total number of clicks on the ad. In the real world, the merchants hold the information of people who purchase the products while the advertisers own the information of people who click the advertisement. In order to calculate the conversion rate, the advertisers need to compute the intersection of the set it holds with the set of the merchant side, so as to find the total number of people who have seen the advertisement and completed the transaction. Finally, the advertisement could calculate the advertisement conversion rate. In this scenario, PSI-CA is more applicable to solve this problem compared to PSI, because using PSI-CA could compute directly the number of people who have seen the advertisement and completed the transaction, and then divide that number by the total number of clicks on the advertisement. However, using the technology of PSI could only obtain the concrete information of users who have seen the advertisement and finished the transaction. But it could definitely leakage private data of users.

Nowadays, most researchers are dedicating to study PSI protocols and so neglecting the research on PSI-CA and PSU-CA. Therefore, it’s high time to expand the content of the private sets protection field to meet the current privacy protection needs of society better. What’s more, most of the currently available PSI protocols only meet the security under the semi-honest model, and it can’t guarantee security under the malicious model. Therefore, it can hardly apply in practical scenarios.

In addition, most of the current PSI-CA protocols are constructed by Bloom Filter and the homomorphic encryption algorithm. However, the Bloom Filter’s problem of false positive makes the final results exist error. In some practical application environments with high precision requirements for data, such as national defense and military. This kind of error is not allowed to exist. These existing protocols are therefore difficult to apply in this type of environment.

To address these issues above, using Elgamal cryptography and Bloom filter, we firstly present a local two-party PSI-CA protocol. Bloom filter is a special data structure which enables users to map the set elements to an array according to hash functions. To enhance the security of data, we propose two new operations on Bloom filter called IBF and BIBF. Using the variant of Elgamal cryptography for the sake of the security of data during interaction. The plaintext is not the message when decrypted, which is located in the index part of the decryption result. This property makes it easy for the participants to determine whether the element belongs to the set intersection. Utilizing zero-knowledge proof, our protocol satisfy security not only under the semi-honest model, but also the malicious model. After the protocol has been executed, only one side gets the result of intersection cardinality, the other gets nothing. To further improve the accuracy of the final results, we present an improved PSI-CA protocol. Innovatively using key-value pair packing technology and Garbled Bloom Filter, we have achieved a significant reduction in the mean relative error of the protocol. Finally, the accuracy of the resulting intersection cardinality is significantly improved.

1.1 Our Contributions

In this paper, we present two efficient two-party PSI-CA protocols with high security. Our main contributions are:

(1) Present two new operations on Bloom filter called IBF and BIBF, which could improve privacy of data;

(2) Design two efficient two-party PSI-CA protocols, the first protocol is secure under the malicious adversary model, which could resist the malicious behavior. The improved protocol has higher result accuracy compared to the previous one;

(3) Using ideal-reality simulation paradigm, we prove that our first protocol is secure under the malicious adversary model and provide a complete security proof process.

This paper is organized as follows: in section 2, we introduce some related work about PSI and PSI-CA, section 3 presents some main techniques and security model used in our scheme, while section 4 presents our two PSI-CA protocols. In section 5, we prove the security under malicious model of the protocol. Section 6 presents the analysis of efficiency, the accuracy of results and the functional comparison with other schemes. Finally, we summarize the paper and prospect the future research directions.

2. Related Work

Using homomorphic encryption and inadvertent polynomial valuation, the research of protocol was first put up by Freedman et al. [7] in 2004. And then a lot of researches on PSI have followed. In 2019, Pinkas et al. [8] presented a notation of multi-point OPRF and depended on the construction of high order polynomials, which could reduce communication cost while reducing the number of times the sender encrypts elements. Song et al. [9] presented a series of protocols on the set operations, which dramatically reduce the computational associated with traditional public key operations using oblivious transfer. However, the above protocols are all traditional local two-party PSI protocols. To better accommodate the involvement of multiple parties, scholars have presented a series of multi-party PSI protocols. Vos et al. [10] realized the “union” operation of private set elements based on elliptic curves, and implement a multi-party PSI protocol for large and small sets respectively. Zhang et al. [11] presented a three-party PSI protocol against semi-honest model, which based on bilinear mapping and three-party key negotiation protocol.

To better resist the malicious behaviors of the participants, using garbled bloom filter, BenEfraim et al. [12] presented a malicious secure multi-party protocol that can be used against any number of corrupt parties.

In the era of big data, with the surge in data processing, the advantages of cloud computing in the era of big data are coming to the fore, many more solutions have emerged as scholars have begun to investigate on outsourcing large amounts of heavy computing tasks to cloud servers. Abadi et al. [13] presented an outsourcing PSI protocol called O-PSI, which let the cloud server perform a large number of complex calculations. After that, Abadi et al. [14] presented a verifiable delegated PSI protocol named VD-PSI. This protocol introduced a verification protocol into the outsourcing PSI protocol, where the participants can verify the correctness of the results after receiving them. Based on the O-PSI protocol, Yang et al. [15] presented a delegated PSI protocol, which has more advantages in computational efficiency compared to O-PSI. In 2022, Wei et al. [16] presented a PSI protocol based on semi-trusted cloud server with the help of the oblivious pseudo-random functions.

PSI-CA, as a branch of the PSI, has not had much related research work compared to PSI. Egert et al. [17] presented a local two-party PSI-CA protocol based on Bloom filter and Elgamal cryptography, but it only satisfies the security under the semi-honest model. Mihaela et al. [18] proposed a two-party PSI-CA scheme based on Paillier homomorphic encryption algorithm. This protocol is secure under honest but curious model. However, the computation cost is too high because the Paillier homomorphic encryption algorithm. Davidson et al. [19] proposed a toolkit about the set operation, including the calculation of set union, set intersection and the cardinality of the intersection and union. It enriches the functionality of set operations but it can’t resist the malicious adversary attacks. To resist the malicious behaviors of adversary, combining zero-knowledge proof and homomorphic encryption, Debnath et al. [20] proposed a two-party PSI-CA protocol which has poor performance in terms of efficiency. Using zero-knowledge proofs, GM cryptography algorithm, Debnath et al. [21] also proposed another PSI-CA scheme under semi-honest model. However, all of these protocols have the disadvantage of not being able to resist the malicious behaviors of the participants or having high computation cost.

3. Preliminaries

Our protocol primarily utilizes Elgamal cryptography and Bloom filter and ideal-realistic simulation paradigm in the security proof process. Therefore, in this section, we mainly introduce Elgamal cryptography, Bloom filter, ideal-realistic simulation paradigm and the malicious model.

3.1 Elgamal cryptography

Elgamal cryptography is an algorithm based on DDH assumption which was proposed by Tather Elgamal [22] in 1985. We use a variant of Elgamal cryptography in our protocol. The concrete algorithm process is as follows:

(1) Key Generation: as for a multiplicative cyclic group G of order q, where g is a generator of the group G. Choose x ← Z_q randomly, compute y = g^x mod q. Then (pk, sk) = (y, x).

(2) Encryption: for plaintext m, compute c = Enc_pk(m) = (c₁, c₂), where c₁ = g^r mod q, c₂ = g^my^r mod q, r ← Z_q.

(3) Decryption: as for ciphertext c, it can be decrypted as g^m = Dec_sk(c) = (c₁)^-x⋅(c₂)mod q. Note that the result of the decryption of this algorithm is g^m, not plaintext m.

The Elgamal algorithm has additive homomorphic property. Let E be the Elgamal encryption algorithm, As for the ciphertext C₁ = E(m₁) and C₂ = E(m₂), it has E(m₁ + m₂) = E(m₁)⋅E(m₂) = C₁⋅C₂.

3.2 Bloom Filter

Bloom filter is a special data structure which was proposed by Burton Bloom [23] in 1970. It can be used to represent set elements and easy to query them. Bloom filter is composed by an array of m bits and k hash functions {h₁(),...,h_k()}. Initially all the bits in the filter are set to zero. If an element x ∈ S intends to insert into the Bloom filter, it should set the bits h_i(x) to one, where 1 ≤ i ≤ k. Fig. 1 presents the concrete algorithm about the insertion operation. As for an element, only when all the k positions it is mapped to are set to one [24], the element can be judged to belong to the set, otherwise it does not belong to the set. Fig. 2 presents the algorithm for the membership test process.

Fig. 1. Algorithm for Bloom filter insertion

Fig. 2. Algorithm for Bloom filter member test

However, the Bloom filter exists false positive problem, which is a situation that an element does not belong to the set S but can be tested successfully in the Bloom filter. False positive probability rate is related to the number of hash functions, number of bits in the Bloom filter and the number of elements to be inserted.

We present two operations on Bloom filter named IBF and BIBF.

Let BF be a Bloom filter, IBF is the inversed BF by bits. If a bit in BF is set to 1, then set it to 0. Otherwise, if a bit is set to 0, then set it to 1. Fig. 3 presents the algorithm for the process of inversing Bloom filter.

Fig. 3. Algorithm for inversing the Bloom filter.

On the basis of IBF, blinding each bit of the IBF by multiplying it by a random number, the obtained result is called BIBF. Fig. 4 shows the algorithm for the process of blinding the inversed Bloom filter.

Fig. 4. Algorithm for blinding inversed Bloom filter.

Garbled Bloom Filter is the variant of the traditional Bloom Filter. Comparing to the traditional Bloom Filter, the Garbled Bloom Filter has an array which contains random string rather than the character of 0 or 1. This feature could not only decrease the error caused by the problem of false positive but also improve the security of data storage. In our improved protocol, before the client C construct the Garbled Bloom Filter GBF_C, it should construct a set of key-value pair and then pack them into the GBF_C. As for a key-value pair (x, y), it has \(\begin{align}y=\sum_{i=1}^{t} G B F\left(h_{i}(x)\right)\end{align}\). The positions in the GBF_C that do not satisfy this condition are stored as random strings.

3.3 Ideal-realistic Simulation Paradigm

The ideal-realistic simulation paradigm is the main method used for security proofs in the domain of secure multi-party computing. It compares the implementation of the PSI-CA protocol by simulating an ideal model with a realistic situation, thus, it can indirectly prove the security of the protocol [25].

In the ideal model, the function of the protocol is computed by the trusted third party, and then sends the result to the participant. However, in the real model, it splits the function into multiple message functions and communicates between the participants to complete the computation. Finally, the security of the PSI-CA protocol is demonstrated by proving that the view of the ideal world achieves indistinguishability from the view of the real world.

3.4 the Malicious Model

The malicious model is another typical adversary model in secure multi-party computing. In the malicious adversary model, comparing to the honest model or semi-honest model, the participant will not execute the protocol honestly, but will perform malicious operations in the course of executing the protocol such as tampering the input information, terminating the protocol early, and refusing to participate in the protocol [25].

Our protocol contains two party named the client and the server which the client holds the set X and the server holds the set Y. Also, |X| = m, |Y| = n. Therefore, we define a two-party protocol π computing function f where f:({0,1}*)^m x ({0,1})ⁿ → f f_|∩| × ⊥, where {0,1}* denotes the field of input elements, m and n denote the cardinality of two sets respectively, and f_|∩| denotes the cardinality of intersection of two sets. We can conclude that the client obtains the cardinality of intersection |X∩Y| and the server obtains nothing.

Specifically speaking, the malicious party may execute the following types of attacks:

(1) A malicious party can tamper with the starting input. The malicious client C could forge the Bloom filter BF_C represented by its set in the first phase of the protocol to obtain more information about the set held by the server S. The malicious client will try to insert all elements of the universe set U into the Bloom filter, so that each bit of the resulting Bloom filter is set to 1. When performing subsequent steps, there has |X∩Y| = |U∩Y| =|Y|. That is, the size of the intersection is the size of the server’s set. So, it will leak the cardinality of the set held by server S.

(2) A malicious party could tamper the intermediate results or terminate the protocol in advance. It is possible for both S and C to execute the operation.

In order to resist both of these attacks, using the technology of zero-knowledge proof, constructing proofs to guarantee the correctness of transmitted messages before interaction. When the receiver obtains the message, it should verify the validity of the proof firstly, if the verification is successful, the receiver receives the message. Otherwise, the party terminates the protocol. This method can effectively resist the malicious behaviors of malicious parties.

3.5 the Zero-knowledge Proof

Our protocol uses zero-knowledge proofs techniques to ensure the security of the protocol under malicious models. The following describes a general zero-knowledge proof of the basic construction process [26].

In our scheme, the form of the proof is shown below

π = Pok{𝑎₁,..,𝑎₁)|∧^m_i=1 K_i = f_i(𝑎₁,..,𝑎_l)}

The specific interaction process between the prover and the verifier is described below.

(1) Commitment:

Firstly, the Prover picks t₁,...,t_l uniformly at random, then the prover computes a commitment \(\begin{align}\overline{K_i}\end{align}\) :

\(\begin{align}\overline{K_{i}}=g_{i}\left(t_{1}, \ldots, t_{l}\right), i=1, \ldots, m\end{align}\)

After that, the prover sends the commitment \(\begin{align}\overline {K_i}\end{align}\) to the verifier.

(2) Challenge:

Verifier picks a challenge number h randomly from space C, and sends h to the prover. After that, the prover computes n_j = t_j + c⋅𝑎_j, where j = 1,...l. The prover then sends {n₁,...,n_l} to the verifier.

(3) Verify

After receiving {n₁,...,n_l}, The verifier checks if \(\begin{align}g_{l}\left(n_{1}, \ldots n_{l}\right)=\overline{K_{i}} \cdot K_{i}^{h}\end{align}\) exist or not, where l = 1,...,m. If the equation exists then the verifier accepts the result otherwise rejects.

4. Our PSI-CA Protocol

In our PSI-CA protocol, the parties are the client C and the server S, and they hold sets X = {x₁,...,x_m} and Y = {y₁,...,y_n} respectively, which |X| = m, |Y|= n. C wants to find the set intersection cardinality with S. After the protocol is executed, the client C gets the output as the intersection cardinality.

The following Table 1 shows the relevant symbols and descriptions required in the protocol.

Table 1. Description of symbols

The PSI-CA protocol under malicious model.

Input: The client C inputs the private input set X = {x₁,...,x_m}, the server inputs the private input set Y = {y₁,...y_n}. And the public parameters P = (G,q,g) as their common input. The security parameter κ, λ.

Output: The client C outputs X∩Y; the server S outputs ⊥.

The general structure of our protocol is shown in Fig. 5:

Fig. 5. Structure of PSI-CA protocol

Step 1. Setup phase

(1) For a multiplicative cyclic group G with order q, and g is its generator. The client C picks an uniformly random value \(\begin{align}x \stackrel{R}{\longleftarrow} Z_{q}\end{align}\) and computes y = g^x mod q. The client C ’s key pair is (pk_C, sk_C) = (y, x).

(2) The client C inserts every element x_i ∈ X(1 ≤ i ≤ m) from the set X into the Bloom filter, executes the algorithm 1 shown in Fig. 1. And then gets the result BF_C.

(3) The client C performs the inversing algorithm shown in Fig. 3 for each bit of the BF_C. This gets IBF_C.

(4) Picking uniformly random values \(\begin{align}r_{1}, r_{2}, \ldots, r_{m} \stackrel{R}{\longleftarrow} Z_{q}^{*}\end{align}\) to blind every bit of IBF_C, where \(\begin{align}\overline{x_{i}}=r_{i} \cdot I B F_{C}\left(x_{i}\right)\end{align}\), 1 ≤ i ≤ m.

The client then gets BIBF_C.

(5) Using zero-knowledge proof, the client C constructs the proof π₁ = PoK{r₁,...,r_m)|∧^m_i=1 (BIBF_C[i] = r_i x IBF_C[i])}, the construction and verification processes are illustrated in preliminary. Then, let the proof π₁, \(\begin{align}\overline {X} = \{\overline {X_1}, \overline {X_2}, \ldots, \overline {X_m}\}\end{align}\) and k hash functions all send to the server S.

Step 2. Computation phase

(1) After receiving the message from the client C, S verifies the correctness of π₁ firstly. If the verification passes, then S receives message and continues the subsequent steps. Otherwise the server S aborts it.

(2) The server S hashes every element from Y by k hash functions, where ∀y_j ∈ Y, computing h₁(y_j),...,h_k(y_j), 1 ≤ j ≤ n.

(3) The server S finds the elements 𝑎_h1(yj),...,𝑎_hk(yj) from \(\begin{align}\bar{X}=\left\{\overline{x_{1}}, \overline{x_{2}}, \ldots, \overline{x_{m}}\right\}\end{align}\).

(4) Encrypting the elements with the client’s public key pk_C. That is \(\begin{align}E\left(\overline{y_{j}}\right)=\left\{\left(g^{z_{j}}, g^{a_{h_{1}}\left(y_{j}\right)} \cdot y^{z_{j}}\right), \ldots,\left(g^{z_{j}}, g^{a_{h_{k}}\left(y_{j}\right)} \cdot y^{z_{j}}\right)\right\}, 1 \leq j \leq n\end{align}\), where \(\begin{align}z_{j} \stackrel{R}{\longleftarrow} Z_{q}^{*}\end{align}\). The obtained results constitute the set \(\begin{align}E(\bar{Y})=\left\{E\left(\overline{y_{1}}\right), \ldots, E\left(\overline{y_{n}}\right)\right\}\end{align}\).

(5) Using zero-knowledge proof, the server S constructs the proof π₂ = PoK{(z₁,...z_j)|∧ⁿ_j=1(c_j = g^Z_j)}. Send the proof π₂, \(\begin{align}E(\bar{Y})=\left\{E\left(\overline{y_{1}}\right), \ldots, E\left(\overline{y_{n}}\right)\right\}\end{align}\) to the client C.

Step 3. Intersection computation phase

(1) When receiving the message from the server S, the client C verifies the correctness of π₂ firstly. If the verification passes, then receives the following message and continues the subsequent steps. Otherwise the server S aborts it.

(2) The client C performs the following operations on each element of the set \(\begin{align}E(\bar {Y})\end{align}\) : (g^Z_i)^-x(g^𝑎h_j(y_i)y^Z_i) = g^𝑎h_j(y_i), 1 ≤ i ≤n, 1 ≤ k ≤ j, where x is the private key of C.

If the result of decrypting an item of the set \(\begin{align}E(\bar {Y})\end{align}\) is all 1, then the counter adds 1.

The PSI-CA scheme could be extended to the PSU-CA protocol. Taking advantage of the relationship |X∪Y| = |X| + |Y| - |X∩Y|, the client could find the private set union cardinality with ease.

Fig. 6 displays the specific interaction process between the two participants in our protocol:

Fig. 6. Our first PSI-CA protocol

The above protocol uses the Bloom Filter to display the set. However, the Bloom Filter exists the problem of false positive and therefore there remain errors between the calculated results and the true results. We mainly use the Garbled Bloom Filter to solve the problem. Compared to the Bloom Filter, GBF's array holds strings rather than individual characters in each bit, this feature also further enhances the security. We next propose an improved PSI-CA protocol by using Garbled Bloom Filter and the additive homomorphic property of Elgamal algorithm.

Fig. 7 presents the process of improved PSI-CA protocol:

Fig. 7. The improved PSI-CA protocol

5. Security analysis

We assume that A_C and A_S are the real world adversaries. SIM_C and SIM_S is the corresponding adversaries in the ideal world. The A_C and A_S can corrupt C, SIM_C and S, SIM_S respectively. Let \(\begin{align}\bar {C}\end{align}\) and \(\begin{align}\bar {S}\end{align}\) be the honest party in ideal world. In the real world, the trusted third party generates the public parameter P = (G, q, g). However, in the ideal world, this process is realized by SIM_C and SIM_S. We define the combined output of C, S, A_C(A_S) is REAL_{Θ,AC(Z)AS(Z))}(X, Y) in real world, and the combined output of \(\begin{align}\bar {C}\end{align}\), \(\begin{align}\bar {S}\end{align}\), SIM_C(SIM_S) is IDEAL_{f,SIMC(Z)(SIMS(Z))}(X,Y) in ideal world.

Theorem. If the Elgamal cryptography algorithm is semantically secure, the proof protocol in our scheme is zero-knowledge proof, then our PSI-CA protocol could securely compute the function f : (X,Y) → (|X∩Y|, ⊥).

Proof. In order to prove the security of the PSI-CA protocol, we consider two cases which the client C is corrupted by A_C firstly and the server S is corrupted by A_S.

Case1. The client C is corrupted by A_C

We let Z be a distinguisher that can control the adversary A_C. The Z feeds the input of the receiver S and sees the output of S. In the real world, Z’s view includes A_C’s view and S’s output. In the ideal world, Z’s view includes A_C’s view and \(\begin{align}\bar {S}'s\end{align}\) output. We need to prove that Z’s view in the real world is indistinguishable with the view in the ideal world. Considering a range of games Game₀, Game₁, Game₂, where Game_i+1 could slightly modify Game_i (i = 0,1). Let the probability that Z can successfully distinguish the view in Gamei from the view in the real protocol be Pr[i]. And let the S_i be the simulator in Game_i.

Game₀ : This game corresponds to the execution process of the protocol in the real world. And the simulator S₀ has all information about the server S, also, it can interact with A_C. Therefore, it exists Pr[REAL_θ,AC(Z)(X,Y)] = Pr[Game₀].

Game₁ : Game₁ has the same process as Game₀, if the proof π₁ is valid, then the simulator S₁ executes the algorithm for π₁ with the client C to calculate the multiplier {r₁,...,r_m}. Using {r₁,...,r_m}, the simulator S₁ builds X = {x₁,...,x_m}. The simulator S₁ then extract {r₁⋅IBF_C[1],...,r_m⋅IBF_C[m]} from BIBF_C. Then the simulator S₁ computes \(\begin{align}I B F_{C}=\left\{I B F_{C}[1]=\frac{B I B F_{C}[1]}{r_{1}}, \ldots, I B F_{C}[m]=\frac{B I B F_{C}[m]}{r_{m}}\right\}\end{align}\) and then BF_C. After that, the simulator S₁ computes X = {x₁,...,x_m}. Since the simulation soundness property of the proof π₁, Z’s views in Game₀ and Game₁ are indistinguishable. Thus, |Pr[Game₁]-Pr[Game₀]| ≤ θ₁(k), where θ₁(k) is a negligible function.

Game₂ : The first few steps of Game₂ are exactly the same as those of Game₁. The only difference is that after constructing the set X = {x₁,...,x_m}, the simulator S₂ performs the steps as followed.

(1) calculate |X∩Y| ;

(2) construct the set Y' = {y'₁,...,y'_n}, where the set Y′ contains |X∩Y| random elements from the set X and n − |X∩Y| random elements from G ;

(3) using the set X, construct BIBF_C ;

(4) calculate \(\begin{align}E\left(\overline{Y^{\prime}}\right)=\left\{E\left(\overline{y_{1}^{\prime}}\right), \ldots, E\left(\overline{y_{n}^{\prime}}\right)\right\}\end{align}\), where \(\begin{align}E\left(\overline{y_{j}^{\prime}}\right)=\left\{\left(g^{z_{j}}, g^{a_{l_{1}\left(y_{j}\right)}} \cdot y^{z^{z_{j}}}\right), \ldots,\left(g^{z_{j}}, g^{a_{h_{k}\left(y_{j}\right)}} \cdot y^{z^{z_{j}}}\right)\right\}\end{align}\);

(5) sends \(\begin{align}E\left(\overline{Y^{\prime}}\right)=\left\{E\left(\overline{y_{1}^{\prime}}\right), \ldots, E\left(\overline{y_{n}^{\prime}}\right)\right\}\end{align}\) as E(Y) = {E(y₁),...,E(y_n)} and simulates the proof π₂ ; Because the related Elgamal encryption scheme is semantically secure, the distributions of \(\begin{align}E\left(\bar{Y}^{\prime}\right)=\left\{E\left(\overline{y_{1}^{\prime}}\right), \ldots, E\left(\overline{y_{n}^{\prime}}\right)\right\},\left\{y_{1}^{\prime}, \ldots, y_{n}^{\prime}\right\}\\\end{align}\) in Game₁ and Game₂ are identical. Also, since the zero-knowledge simulatability of the proof π₂ and indistinguishability of <\(\begin{align}E\left(\bar{Y}^{\prime}\right)=\left\{E\left(\overline{y_{1}^{\prime}}\right), \ldots, E\left(\overline{y_{n}^{\prime}}\right)\right\},\left\{y_{1}^{\prime}, \ldots, y_{n}^{\prime}\right\}\\\end{align}\)> in Game₁ and Game₂. Z’s views in Game₁ and Game₂ are indistinguishable. Therefore, it exists |Pr[Game₂]-Pr[Game₁]| ≤ θ₂(k), where θ₂(k) is a negligible function.

In the real world, the adversary SIM_C could simulate the honest party S and includes all steps from Game₂. The execution of the protocol in the real world is as follows:

(1) Firstly, SIM_C generates the public parameter P = (G,q,g). Next, SIM_C invokes A_C, and input X = {x₁,...,x_m} ;

(2) After receiving π₁ and \(\begin{align}\overline{X} = \{\overline{x_1}, \overline{x_2}, \ldots, \overline{x_m}\}\end{align}\), where \(\begin{align}\overline{x_i} = r_i{\cdot}IBF_C{(x_i)}\end{align}\) verifies the validity of the proof π₁. If the verification succeeds, SIM_C hashes every element from the set Y, and finds 𝑎_h1(yj),...,𝑎_hk(yj) from the set \(\begin{align}\overline{X} = \{\overline{x_i}, \overline {x_2}, \ldots, \overline{x_m}\}\end{align}\);

(3) SIM_C sends X and \(\begin{align}\bar {S}\end{align}\) sends Y to the trusted third party T, T uses X and Y as input and computes the functionality f, returns |X∩Y| to SIM_C.

(4) After SIM_C receiving |X∩Y|, the simulator performs the following operations:

(i) SIM_C builds \(\begin{align}\overline{Y} = \{\overline{y_1}, \ldots, \overline{y_n}\}\end{align}\), where \(\begin{align}\overline {Y} = \{\overline{y_1}, \ldots, \overline{y_n}\}\end{align}\) contains |X∩Y| random elements from the set X and n − |X∩Y| random elements from the group G ;

(ii) using the set X, constructs BIBF_C ;

(iii) computes \(\begin{align}E\left(\overline{Y^{\prime \prime}}\right)=\left\{E\left(\overline{y_{1}^{\prime \prime}}\right), \ldots, E\left(\overline{y_{n}^{\prime \prime}}\right)\right\}\end{align}\), where

\(\begin{align}E\left(\overline{y_{j}^{\prime \prime}}\right)=\left\{\left(g^{z_{j}}, g^{a_{h_{1}}\left(\overline{y_{j}^{\prime}}\right)} \cdot y^{z_{j}}\right), \ldots,\left(g^{z_{j}}, g^{a_{h_{k}\left(\overline{y_{j}}\right)}} \cdot y^{z_{j}}\right)\right\}\end{align}\);

(iv) sends \(\begin{align}E\left(\overline{Y^{\prime \prime}}\right)=\left\{E\left(\overline{y_{1}^{\prime \prime}}\right), \ldots, E\left(\overline{y_{n}^{\prime \prime}}\right)\right\}\end{align}\) as \(\begin{align}E\left(\overline{Y^{\prime}}\right)=\left\{E\left(\overline{y_{1}^{\prime }}\right), \ldots, E\left(\overline{y_{n}^{\prime}}\right)\right\}\end{align}\) and simulates the proof π₂.

Hence, the simulator SIM_C provides A_C the same simulation as the simulator S₂ in Game₂. Therefore, it has Pr[IDEAL_f,SIMC(Z)(X,Y)] = Pr[Game₂] and

|Pr[IDEAL_{f,SIMC(Z)(X,Y)}] - Pr[REAL_0,AC(Z)Game₂]|

|Pr[Game₂] - Pr[Game₀]|

≤ Σ¹_i=0(|Pr[Game_i+1] - Pr[Game_i]|)

≤ θ₂(k) + θ₁(k) = θ(k),

where θ(k) is a negligible function. So, it exists

\(\begin{align}I D E A L_{f, S I M_{\mathrm{C}}(z)}(X, Y) \stackrel{c} \equiv R E A L_{\theta, A_{c}(z)}(X, Y)\end{align}\)       (5)

where \(\begin{align}\stackrel{c} \equiv\end{align}\) means computationally indistinguishable.

The proof process of the case which A_S corrupts S is similar as the first case, therefore, the proof process is not described in detail.

6. Efficiency

6.1 Implementation details

We run our experiments on a laptop with an Intel i5-8300H 2.30Ghz, 8GB RAM, and Ubuntu 18.04.4 system. We have performed the PSI-CA protocols in C++. We choose the set element size of 128 bits, the safety parameter λ=40, and the computational security parameter κ=40.

6.2 Performance analysis

We choose the protocols proposed by Nan CHENG et al. [27] and Li H et al. [28] to compare the computation cost with our PSI-CA protocol. And the set sizes of 2¹⁰, 2¹¹, 2¹², 2¹³ and 2¹⁴ are selected for the five cases. We separately test the time cost by different participants to execute the protocol. A comparison of the overall computation cost of our PSI-CA protocol with other representative protocols can be obtained as shown in the following Table 2:

Table 2. Computational cost comparison

Fig. 8 and Fig. 9 show the time cost of the first protocol changes as the cardinality of the set held by each participant increases.

Fig. 8. Time cost of P₁

Fig. 9. Time cost of P₂

We can conclude that as the sets cardinality increases, the time cost by each participant in all three schemes increases linearly. Our scheme requires a slightly higher time cost than the other two schemes, but it can resist malicious behaviors by the malicious participants. And the interactive zero-knowledge proof protocol used in our scheme is bound to incur additional time cost. Therefore, the reader needs to make a reasonable tradeoff between security and time cost for this purpose.

In addition, we have also conducted comparative experiments on the accuracy of the results computed by the two protocols proposed in this paper under different conditions. The set size held by each participant is 2¹⁰. The experimental results are shown in Table 3.

Table 3. Comparison of the accuracy of the results of the two protocols

Through two comparative experiments on the two protocols, it is not difficult to find that the mean relative error of the improved protocol's calculation results is smaller than the former, resulting in more accurate calculation results.

Also, we select the scheme of Lv S et al. [3], Nan CHENG et al. [27] for the functional comparison with our first protocol. In order to ensure fairness, our selected protocols are all local two-party PSI-CA protocols in recent years. The selected properties are: security model, the adversary model, security assumption, etc. We present the functional comparison results in Table 4. In recent years there has been less researches on PSI-CA protocols under the malicious model, and most PSI-CA protocols are based on the semi-honest model. Table 4 shows that our protocol is secure under the standard model, and the adversary model used is malicious model, based on DDH assumption, and the set size is hidden. Therefore, our protocol has higher practical application value compared with other protocols.

Table 4. Function comparison

Note: the explanation of the meaning of abbreviations in the table. STD: Standard Model. ROM: Random Oracle Model. DDH: Decisional Diffie-Hellman assumption. ECDLP: Elliptic Curve Discrete Logarithm Problem.

7. Conclusion

In this paper, we come up with two local two-party PSI-CA protocol, and prove the security of the first protocol under the malicious model. Our schemes solve the main problem of most protocols in the PSI-CA research field being unable to resist malicious behaviors. And we innovatively utilize Garbled Bloom Filter to improve the accuracy of intersection cardinality. Meanwhile, the performance of our protocol is analyzed and compared functions with other protocols to demonstrate the excellence and practicality of our protocol. In the future research, we will consider how to refine our improved protocol to make it more practical for security under the malicious model.