A Novel Edge Cache-Based Private Set Intersection Protocol via Lightweight Oblivious PRF

Abstract

With the rapid development of edge computing and the Internet of Things, the problem of information resource sharing can be effectively solved through multi-party collaboration, but the risk of data leakage is also increasing. To address the above issues, we propose an efficient multi-party private set intersection (MPSI) protocol via a multi-point oblivious pseudorandom function (OPRF). Then, we apply it to work on a specific commercial application: edge caching. The proposed MPSI uses oblivious transfer (OT) together with a probe-and-XOR of strings (PaXoS) as the main building blocks. It not only provides one-sided malicious security, but also achieves a better balance between communication and computational overhead. From the communication pattern perspective, the client only needs to perform OT with the leader and send a data structure PaXoS to the designated party, making the protocol extremely efficient. Moreover, in the setting of edge caching, many parties hold a set of items containing an identity and its associated value. All parties can identify a set of the most frequently accessed common items without revealing the underlying data.

1. Introduction

Co-creation and sharing gained significance in the transition from the era of information technology to the era of digital technology. While information sharing brings convenience, the risk of privacy breaches also rises. The private set intersection (PSI) protocol is a widely used approach to distributed set computation. It is devoted to the joint intersection calculation of data from two or more parties. The PSI protocol guarantees that all parties can collaboratively calculate the intersection of the sets without disclosing anything beyond that intersection. PSI plays an important role in improving pattern matching [1], private contact discovery [2], advertisement conversion rate [3], and edge caching [4]. Edge caching is a key technology for communication networks. In order to utilize cache resources more efficiently, individual operators tend to keep their public items in a shared cache that can be accessed by all parties. However, since the cache is shared among multiple parties, these parties aim to identify the set of most frequently visited common data items and add them to the network edge cache. Their objective is to achieve this without revealing the actual underlying data. This is known as the multi-party shared cache problem, where determining the common term is a typical private set intersection problem.

Most of the current efficient PSI protocols are built on OT [5,6,7]. The OT-based PSI protocols offer greater advantages in terms of communication and computation when compared with PSI based on public key encryption [8,9] and PSI based on a garbled circuit [10,11,12]. Efficient OT extension techniques allow parties to generate many OT protocol instances at a low computational cost through a few public key operations. Chase et al. [5] implemented a two-party PSI protocol with one-sided malicious security. This protocol uses OT and a multi-point OPRF to achieve a good balance between computational and communication overhead. The protocol can only interact between two parties, and multiple runs are required to accomplish the intersection computation with multiple parties involved. Kavousi et al. [13] proposed a MPSI based on OT and multi-point OPRF. This protocol can only be implemented in the semi-honest model. Inbar et al. [14] presented an enhanced semi-honest MPSI protocol based on OT and a garbled Bloom filter (GBF). However, the protocols [13,14] require the transmission of the GBF for communication, creating a certain degree of communication burden.

In response to the above issues, we constructed an MPSI protocol for malicious actors that combines a PaXoS and multi-point OPRF based on OT. The protocol relies only on symmetric keys, hashing, coding techniques, and bitwise operations, thus providing good computational performance. This protocol can solve the problem of privacy-preserving edge cooperative cache sharing by making a simple transformation of this protocol. We show the following contributions:

• Multi-party PSI protocol: We propose a specifically efficient MPSI protocol utilizing OT and a PaXoS. The PaXoS can be seen as a corresponding Encode/Decode algorithm achieving a constant rate. Therefore, our protocol has good computational performance. The protocol has low communication overhead since the clients only need to send a data structure. Theoretical analysis shows that the protocol leads to a better balance between communication and computational cost.
• Security against malicious clients: We present that our protocol uses the data structure PaXoS to hide the key during encoding to resist malicious adversaries, which can achieve one-sided malicious security against the clients with almost no additional overhead. At the same time, we prove that the protocol can also resist any possible collusion attack from malicious clients.
• Multi-party cooperative cache: Our MPSI protocol can be applied to edge caching scenarios by using cuckoo hashing and simple hashing. The protocol supports having data associated with each input and the extension of payloads to multi-party. In a multi-party cooperative cache (MPCCache) setting, the MPCCache protocol allows parties to compute a sum depending on the data associated with the intersection items. Compared with [4], our MPCCache protocol eliminates the computing burden associated with polynomial interpolation and improves computational efficiency.

2. Related Work

PSI. The development of efficient constructions for PSI functionality has received considerable research attention in the last decade or more. Some of the recent relevant works on PSI are illustrated in

Table 1. The related work of PSI.

Protocol	Technical	Number of Parties	Security Model
[15]	OLE	multi-party	Malicious
[16]	OT	two-party	Semi-Honest
[17]	GBF + OT	two-party	Semi-Honest
[18]	OPPRF + OKVS	multi-party	Malicious
[19]	PaXoS	two-party	Malicious
[20]	GBF	multi-party	Malicious
[21]	PCG	two-party	Semi-Honest

. Ghosh et al. [15] presented a MPSI protocol using oblivious linear function evaluation (OLE) with optimal asymptotic communication complexity. However, the balance between communication and computation cost is not good. Kolesniko [16] proposed a two-party PSI protocol against semi-honest adversaries. The protocol is mainly based on OT techniques for security string equivalence testing and is computationally efficient. Pinkas [17] proposed a two-party semi-honest PSI protocol based on OT and a GBF. The parallelized processing of the protocol allows for some improvement in protocol efficiency. Nevo [18] proposed a malicious PSI protocol utilizing oblivious programmable PRF (OPPRF) and oblivious key-value store (OKVS) technology, which solves the problem of multi-party PSI against malicious adversaries. However, this protocol does not lead to a better trade-off between communication and computational overhead. Pinkas [19] also proposed a PSI protocol for two parties in the malicious model which uses a PaXoS to implement, for the first time, a malicious secure PSI using cuckoo hashing. Ben-Efraim et al. [20] implemented malicious MPSI based on a GBF for multiple parties. However, GBFs suffer from a certain false positive rate and their high communication overhead. Bui et al. [21] constructed an optimized semi-honest PSI based on a pseudorandom correlation generator (PCG). Additionally, they can use the PCG to construct protocols with fully malicious security in the standard model.

Function-based PSI. Many studies have focused on developing efficient techniques for PSI construction. In addition, these studies have explored the output results of computing a function over intersections, allowing for potential extensions to various business scenarios.

Table 2. The related work of function-based PSI.

Protocol	Technical	Number of Parties	Protocol Type
[3]	DDH + HE	two-party	PI-Sum
[4]	OPPRF	multi-party	MPCCache
[11]	OPPRF + Circuit	multi-party	PSI- payload
[22]	OPRF + DDH	two-party	PIW-Sum
[23]	DOPRF	two-party	PSI-CA

shows recent related works on function-based PSI. Ion et al. [3] proposed a PI-Sum Protocol utilizing Diffie–Hellman (DDH) and homomorphic encryption (HE). Thinking about the advertising (Ad) conversion problem: Ad providers want to analyze Ad effectiveness by age, which obviously cannot be solved using the PI-Sum. Chida [22] proposed a new function based on OPRF and DDH assumptions to calculate the weighted sum of two-party privacy sets (PIW-sum), which has more practical application value. Pinkas et al. [11] proposed an idea of calculating payloads based on the circuit, OPPRF, and cuckoo hash constructs, which allows each input item from one party to have payload data attached to it, and finally to calculate some specific functions of the payloads in the intersection set. Based on a new shuffled distributed oblivious PRF (DOPRF), Miao et al. [23] constructed a two-party PSI cardinality (PSI-CA) protocol for malicious settings which achieves a good computation and communication cost. In the above protocols, only one party can own the payload data, which can be applied in limited practical scenarios. Nguyen et al. [4] extended payload data to the multi-party setting and proposed an MPCCache sharing framework based on polynomial interpolation and OPPRF, which enables multiple parties to calculate a sum of data payloads on each of common data items and can identify the most frequently accessed data items.

3. Preliminaries

3.1. Notions

The computational and statistical security parameters are denoted by $\lambda$ and $\sigma$. $[n]$ stands in for the set $\{1,\dots ,n\}$. $\stackrel{R}{\leftarrow }$ indicates uniformly random selection. The notation $\left|\right|$ denotes concatenation between strings. ${\{0,1\}}^{*}$ denotes the set of strings consisting of 0 and 1, where * means that the strings in the set can be of any length. We use $\stackrel{C}{{\displaystyle \approx }}$ to indicate that the real world is indistinguishable from the ideal world. We denote with $v[i]$ the i-th element of a vector $v$ of length $l$. The i-th column vector $i\in [n]$ of the matrix $M_{n\times m}$ is denoted by the symbol $M_i$. The Hamming weight of the binary string $x$ is represented by $\left|\right|x|{|}_{\mathrm{H}}$.

3.2. One-Sided Malicious Security

One-sided malicious security [5] is a security property found in cryptographic protocols wherein one party is allowed to engage in arbitrary malicious behavior in an attempt to compromise security while the other parties follow specified behavioral guidelines. In this context, only the targeted party is vulnerable to malicious action, whereas the other parties maintain their assigned roles and responsibilities. Our MPSI protocol achieves unilateral malicious security against the clients, as they are considered as a whole. We further prove that the proposed MPSI is secure against malicious clients.

3.3. Security Model

MPSI is a unique instance of secure multi-party computation (MPC). We adhere to the MPC standard security definition. The ideal functionality of MPSI is defined in Figure 1.

The security models [24] of secure multi-party computation are divided into semi-honest and malicious models. For the semi-honest model, an adversary can completely obey the protocol execution process, yet might record all the data in the protocol execution process and try to learn more from the data generated during the protocol execution process. The adversary under the malicious model can not only infer the sensitive information through the data of the protocol process but also refuse to participate in the protocol, alter the private input set information, or prematurely stop the protocol from running. Our protocol can achieve one-sided malicious security.

Definition 1.

(Malicious security against the clients) If there is a PPT adversary $\mathcal{A}$ who might unilaterally depart from the protocol in the real world, there exists a PPT adversary $\mathcal{S}$ who could modify the input to the ideal functionality and terminate the output in an ideal world. Then, the protocol Π can protect from malicious clients, such that for each input $X_1,\dots ,X_n$:

$${\mathrm{Real}}_{\mathcal{A}}^{\prod }\left(X_1,\dots ,X_n\right)\stackrel{c}{\approx }{\mathrm{Ideal}}_{\mathcal{S}}^{\mathcal{F}}\left(X_1,\dots ,X_n\right).$$

(1)

3.4. Oblivious Transfer

Rabin et al. [25] proposed a crucial cryptographic primitive OT. In a 1-out-of-2 OT configuration, the receiver can have a choice bit $b\in \{0,1\}$, while the sender can have input strings $(m_0,m_1)$. The OT acts to prevent the receiver from knowing nothing regarding $m_{1-b}$ and prevent the sender from learning anything about $b$. OT necessitates costly public-key operations. Ishai et al. [26] described an OT extension technique that permits many OT executions at the cost of doing few public-key procedures. We can use the instantiation OT in [15]. The ideal functionality of OT is defined in Figure 2.

3.5. PaXoS

The following is a way to encode key-value mapping into a brief data structure using a PaXoS [19]. The associated Encode/Decode methods are frequently more convenient to describe when describing a PaXoS than the $\mathrm{u}$ mapping.

$\mathrm{Encode}((x_1,y_1),\dots ,(x_t,y_t))$: Given $t$ items $(x_i,y_i)$, where $x_i\in {\{0,1\}}^{\ast }$ and $y_i\in {\{0,1\}}^w$, indicate via $M$ the $t\times m$ matrix where the i-th row is $\mathrm{u}(x_i)$. Note that $\mathrm{u}(x)$ is the result of using the mapping $\mathrm{u}$ to $x$. It is possible to find a data structure (matrix) $D={(d_1,\dots ,d_m)}^{\mathrm{T}}\in {({\{0,1\}}^w)}^m$ satisfying $M\times D={(y_1,\dots ,y_t)}^{\mathrm{T}}$. In particular, the subsequent linear system of equations is fulfilled when the $\mathrm{u}(x_i)$’s are linearly independent:

$$\left[\begin{array}{c}-\mathrm{u}(x_1)-\\ -\mathrm{u}(x_2)-\\ ⋮\\ -\mathrm{u}(x_t)-\end{array}\right]\times \left[\begin{array}{c}{d}_1\\ d_2\\ ⋮\\ d_m\end{array}\right]=\left[\begin{array}{c}{y}_1\\ y_2\\ ⋮\\ y_t\end{array}\right].$$

(2)

$\mathrm{Decode}(D,x)$: Given $D\in {({\{0,1\}}^w)}^m$ and $x\in {\{0,1\}}^{\ast }$, we can extract the corresponding “value” via $y=\langle \mathrm{u}(x),D\rangle \stackrel{\mathrm{def}}{=}\underset{j:v{(x)}_j=1}{\oplus }{d}_j$.

3.6. Multi-Point OPRF

Chase [5] presented a PSI protocol for two parties based on multi-point OPRF. The sender chooses a pseudorandom seed $s\stackrel{R}{\leftarrow }{\left\{0,1\right\}}^w$, and the receiver computes a pseudorandom function $v=F_k(x_i)$ based on its set elements to construct two matrices: $A_{m\times w}$ and $B_{m\times w}$. For each $x_i\in X_1$, the corresponding bits in matrices are the same, while others are different. The sender obtains a matrix $C_{m\times w}$ depending on seed $s$ and runs $w$ OTs with the receiver. Each column of the matrix is either $A_j$ or $B_j$ for all $j\in [w]$. Then, the sender computes $v=F_k(x_i)$ according to each element $x_i\in X_2$ to obtain all the resulting OPRFs $\phi =H\left(C_1[v[1]||\dots ||C_w[v[w]]\right)$ and sends them to the receiver. Eventually, the receiver can find the intersection of the two sets based on its computed OPRF value.

3.7. Hamming Correlation Robustness

Under the assumption of correlation robustness for the underlying hash function, our MPSI structure is demonstrated to be secure.

Definition 2.

(Hamming Correlation Robustness [5]) If the distribution produced by the sampling of $s\leftarrow {\{0,1\}}^n$ at random is pseudorandom for $a_1,\dots ,a_m$, $b_1,\dots ,b_m\in {\{0,1\}}^n$, and has $\left|\right|b_i|{|}_{\mathrm{H}}\ge d$ for each $i\in [m]$, $\mathrm{H}$ is d-Hamming correlation robust. Namely:

$$\left(H\left(a_1\oplus [b_1·s]\right),\dots ,H\left(a_m\oplus [b_m·s]\right)\right)\stackrel{c}{{\displaystyle \approx }}\left(F\left(a_1\oplus [b_1·s]\right),\dots ,F\left(a_m\oplus [b_m·s]\right)\right),$$

(3)

where ⊕ denotes bitwise-AND and bitwise-XOR, respectively, and $\mathrm{F}$ is a random function.

3.8. Cuckoo Hashing and Simple Hashing

Hash technology is one of the essential tools for optimizing communication and computational complexity in PSI protocols. There are two commonly used construction methods for hash technology: simple hashing and cuckoo hashing [10]. Simple hashing can map elements to $k$ positions in a hash table using $k$ hash functions, with each bucket being capable of storing multiple elements. Cuckoo hashing can map elements to a specific location in a hash table using a hash function, and its basic idea is to use multiple hash functions to handle collisions. When collisions occur, cuckoo hashing evicts the element occupying the original position, which can be rehomed to alternative positions. If alternative positions are already occupied, the process repeats until all elements can find their homes. Typically, cuckoo hashing and simple hashing are combined to achieve optimal results in PSI protocols.

4. Our MPSI Protocol

4.1. Overview

In this section, we show the MPSI protocol. A couple of parties $P_1,\dots ,P_n$ with respective private input sets $X_1,\dots ,X_n$ desire to collectively compute $X_1\cap \dots \cap X_n$ without disclosing any more information. Note that we regard $t$ as the set sizes for parties, $P_n$ as the leader, and $P_{i\in [n-1]}$ as the client. The system model of the MPSI protocol is shown in Figure 3.

$P_n$ constructs a random matrix $A_{m\times w}$ and chooses strings for $P_{i\in [n-1]}$ to generate the $A_j^i\stackrel{R}{\leftarrow }{\{0,1\}}^m$ and sets $A_j^n=A_j^1\oplus \dots \oplus A_j^{n-1}$, where $j\in [w]$. For each $i\in [n-1]$, from its input elements, $P_n$ constructs unique matrices $B_{m\times w}$. $P_n$ first initializes a matrix $E_{m\times w}$ to all 1’s. For $x\in X_n$ computing $v=F_k(H_1(x))$, $B_{m\times w}$ is designed such that $E_j[v[j]]=0$ for all $j\in [w]$, and hence $A_j^i[v[j]]=B_j^i[v[j]]=C_j^i[v[j]]$ for all $i\in [n-1]$ and $j\in [w]$. Then, $P_{i\in [n-2]}$ locally encode a data structure PaXoS of their input sets $D^i\leftarrow \mathrm{Encode}\left(\left\{\left(x,C_1^i[v[1]]\left|\right|\dots \left|\right|C_w^i[v[w]]\right)\right\}\right)$ using the entries of the received matrix and send $D^i$ to $P_{n-1}$. $P_{n-1}$ decodes all the $D^i$. Then, they compute and sends the OPRF values $\phi =H_2\left({\oplus }_{i=1}^{n-2}\mathrm{Decode}(D^i,x)\oplus \left(C_1^{n-1}[v[1]]\left|\right|\dots \left|\right|C_w^{n-1}[v[w]]\right)\right)$ to $P_n$. After receiving the OPRF values, $P_n$ computes $\phi =H_2\left(C_1^n[v[1]]\left|\right|\dots \left|\right|C_w^n[v[w]]\right)$ according to its input set, which allows $P_n$ to find the intersection. This implies that, if $x\in I$, the hash function’s input from $P_{n-1}$ and $P_n$ will be equal. While the output of the PRF would be pseudorandom to $P_n$ if $x\notin I$, the hash function’s input from $P_{n-1}$ will be dramatically different from any $P_n$’s input.

4.2. Our Protocol

We show our MPSI protocol in Figure 4. The selection of $m$, $w$, $l_1$, and $l_2$ in our MPSI protocol follows [5] and they show how to choose the parameters concretely.

4.3. Protocol Correctness

$P_n$ constructs the special matrices $A^i$ and $B^i$ for $P_{i\in [n-1]}$ such that $v=F_k(H_1(x))$ computed for each $x\in X_n$ satisfies $A_j^i[v[j]]=B_j^i[v[j]]$ for all $j\in w$. Let $x$ be the intersection element. Since each column of matrix $A_j^n$ is composed of uniform random shares as $A_j^n=A_j^1\oplus \dots \oplus A_j^{n-1}$ for $j\in w$, after the client $P_{i\in [n-1]}$ runs OTs with $P_n$, the matrix $C_j^i$ is obtained, satisfying $A_j^i[v[j]]=C_j^i[v[j]]$. It holds that $A_j^n[v[j]]={{\displaystyle \oplus }}_{i=1}^{n-1}{C}_j^i[v[j]]$ for each $x\in I$.

Based on the nature of the constructed data structure, we have $\mathrm{Decode}(D^i,x)=C_1^i[v[1]]||\dots ||C_w^i[v[w]]$. So, for $x\in I$, let $v=F_k(H_1(x))$, and we can always satisfy $H_2\left({\oplus }_{i=1}^{n-1}\left(C_1^i[v[1]]\left|\right|\dots \left|\right|C_w^i[v[w]]\right)\right)=H_2\left(A_1^i[v[1]]\left|\right|\dots \left|\right|A_w^i[v[w]]\right)$.

4.4. Protocol Security

Theorem 1.

If $\mathrm{F}$ is a PRF, ${\mathrm{H}}_1$ and ${\mathrm{H}}_2$ are random oracles, and the underlying OT is protected against malicious receivers, then our MPSI protocol has one-sided malicious security which can be secure against malicious clients when $m$, $w$, $l_1$, and $l_2$ are chosen appropriately.

Proof of Theorem 1.

We consider any client $P=\{P_1,\dots ,P_{n-1}\}$ corrupted by an adversary $\mathcal{A}$. Let $l$ clients $P_1,\dots ,P_l$ be corrupted, making the number of uncorrupted clients $(n-l-1)$. Given ${\left\{X_i\right\}}_{i\in [l]}$, the simulator $\mathcal{S}$ interacts with ${\left\{P_i\right\}}_{i\in [l]}$ as follows. $\mathcal{S}$ samples random matrices ${\left\{C_i\right\}}_{i\in [l]}\in {\{0,1\}}^{m\times w}$ and performs malicious OT simulator on ${\left\{P_i\right\}}_{i\in [l]}$ with outputs $C_1^i,\dots ,C_w^i$. $\mathcal{S}$ honestly chooses PRF key $k$ and sends $k$ to ${\left\{P_i\right\}}_{i\in [l]}$. The simulator $\mathcal{S}$ constructs random data structures representing honest parties according to the randomness of the matrices. $T_1$ and $T_2$ are initialized to an empty table. In $P_{i\in [n-1]}$’s query $x$ to $H_1$, $\mathcal{S}$ records $(x,H_1(x))$ in table $T_1^i$. In $P_{n-1}$’s query $y$ to $H_2$, $\mathcal{S}$ records $(y,H_2(y))$ in table $T_2$. When $P_n$ receives OPRF value $\Psi$, $\mathcal{S}$ finds all $\phi \in \Psi$ such that $\phi =H_2(y)$ for some $y$ in $T_2$, and $y={\oplus }_{i\in [l]}\left(C_1^i[v[1]]\left|\right|\dots \left|\right|C_w^i[v[w]]\right)\oplus \left({\oplus }_{j\in [n-t-1]}\left(C_1^j[v[1]]\left|\right|\dots \left|\right|C_w^j[v[w]]\right)\right)$ where $v=F_k(H_1(x))$ for $x\in T_1^1\cap \dots \cap T_1^{n-1}$. Finally, $\mathcal{S}$ can send these $x$ to ideal functionality.

Let ${\mathcal{Q}}_1^i,{\mathcal{Q}}_2$ be a set of queries $P_{i\in [n-1]}$ and $P_{n-1}$ make to $H_1$ and $H_2$, respectively, and let $Q={\displaystyle {\cap }_{i=1}^{n-1}{Q}_1^i}$, $Q_1^i=\left|{\mathcal{Q}}_1^i\right|$, and $Q_2=\left|{\mathcal{Q}}_2\right|$. We will misuse notation: for matrix $C_{m\times w}$ and vector $u\in {[m]}^w$, $C[v]$ means $C_1[v[1]]\left|\right|\dots \left|\right|C_w[v[w]]$. For the set $V$ of vectors in ${[m]}^w$, the set $\left\{C[V]|v\in V\right\}$ is denoted by $C[V]$.

We prove ${\mathrm{Real}}_{\mathcal{A}}^{\prod }\left(X_1,\dots ,X_n\right)\stackrel{c}{\approx }{\mathrm{Ideal}}_{\mathcal{S}}^{\mathcal{F}}\left(X_1,\dots ,X_n\right)$.

Hyb0

The outputs of parties in the real world.

Hyb1

Similar to $\mathrm{Hyb}0$, but $\mathcal{S}$ performs OT simulator on ${\left\{P_i\right\}}_{i\in [l]}$ to obtain $s_i$. If $s_i[j]=0$, it randomly chooses string $A_j^i$ of length $m$ and constructs matrix $B_j^i=A_j^i\oplus D_j$, and it randomly chooses string $B_j^i$ of length $m$ and constructs matrix $A_j^i=B_j^i\oplus D_j$; otherwise, it gives $C_1^i,\dots ,C_w^i$ to OT simulator as output. $\mathrm{Hyb}1$ is computationally indistinguishable from $\mathrm{Hyb}0$ due to OT security against malicious receiver.

Hyb2

Similar to $\mathrm{Hyb}1$ except that the protocol terminates if there exists $x^a,x^b\in X_1\cup X_2\cup \dots \cup X_n$, $x^a\ne x^b$ such that $H_1(x^a)=H_1(x^b)$. Since $H_1$ is a random oracle, the protocol is aborted with negligible probability.

Hyb3

Same as $\mathrm{Hyb}2$, but, for each OPRF value $\phi$ received by $P_n$, if $\phi \notin H_2({\mathcal{Q}}_2)$, then $P_n$ ignores $\phi$. Since $H_2$ is a random oracle, the probability of changing $P_n$’s output is negligible. $\phi$ equals the output of $H_2$ on one of $P_n$’s elements with negligible probability.

Hyb4

Same as $\mathrm{Hyb}3$ except that the protocol terminates if there exists $y\in {\mathcal{Q}}_2$, $y^{\prime }\in A\left[F_k(H_1(X_n))\right]$ with $y\ne y^{\prime }$ and $H_2(y)=H_2(y^{\prime })$. Since $H_2$ is a random oracle, the protocol is aborted with negligible probability.

Hyb5

Same as $\mathrm{Hyb}4$, but, for each OPRF value $\phi$ received by $P_n$, $P_n$ ignores $\phi$ when calculating the set intersection if $\phi =H_2(y)$ for some $y\in {\mathcal{Q}}_2$, where $y\notin \left({\oplus }_{i\in [t]}\left(C^i\left[F_k(H_1(\mathcal{Q}))\right]\right)\right)\oplus \left({\oplus }_{j\in [n-t-1]}\left(C^j\left[F_k(H_1(\mathcal{Q}))\right]\right)\right)$.

This hybrid changes output only if there exist $x\in X_n$ satisfying $\phi =H_2\left(A\left[F_k(H_1(x))\right]\right)$, which implies $y=A\left[F_k(H_1(x))\right]$ via the terminate condition added in $\mathrm{Hyb}4$.

Note that if $x\in X_n$ and $x\in \mathcal{Q}$, because of the construction of $E$, we then have $y=A\left[F_k(H_1(x))\right]={\oplus }_{i\in [l]}\left(C^i\left[F_k(H_1(x))\right]\right)\oplus \left({\oplus }_{j\in [n-l-1]}\left(C^j\left[F_k(H_1(x))\right]\right)\right)\in \left({\oplus }_{i\in [t]}\left(C^i\left[F_k(H_1(\mathcal{Q}))\right]\right)\right)$$\oplus \left({\oplus }_{j\in [n-l-1]}\left(C^j\left[F_k(H_1(\mathcal{Q}))\right]\right)\right)$. Therefore, we need only think about $x\in X_n\backslash \mathcal{Q}$. For all $x\in X_n$, $A\left[F_k(H_1(x))\right]={\oplus }_{i\in [l]}\left(C^i\left[F_k(H_1(x))\right]\right)\oplus \left({\oplus }_{j\in [n-l-1]}\left(C^j\left[F_k(H_1(x))\right]\right)\right)$, the output of $\mathrm{Hyb}5$ changes only if there exist $x\in X_n\backslash \mathcal{Q}$, $y\in {\mathcal{Q}}_2$ satisfying $y={\oplus }_{i\in [l]}\left(C^i\left[F_k(H_1(x))\right]\right)\oplus \left({\oplus }_{j\in [n-l-1]}\left(C^j\left[F_k(H_1(x))\right]\right)\right)$.

Suppose there is a PPT adversary $\mathcal{A}$ that, with non-negligible probability, produces $\mathcal{Q}$, ${\mathcal{Q}}_2$, and $X_n$ such that there exist $y\in {\mathcal{Q}}_2$, $x\in X_n\backslash \mathcal{Q}$ satisfying $y={\oplus }_{i\in [l]}\left(C^i\left[F_k(H_1(x))\right]\right)\oplus \left({\oplus }_{j\in [n-l-1]}\left(C^j\left[F_k(H_1(x))\right]\right)\right)$. Then, [5] shows we can break the security of the PRF.

Hyb6

Same as $\mathrm{Hyb}5$ except that the protocol terminates if there exists $x^a\in \mathcal{Q}$, $x^b\in X_n$ such that, $y={\oplus }_{i\in [l]}\left(C^i\left[F_k(H_1(x^a))\right]\right)\oplus \left({\oplus }_{j\in [n-l-1]}\left(C^j\left[F_k(H_1(x^a))\right]\right)\right)=A\left[F_k(H_1(x^b))\right]$ but $x^a\ne x^b$. The protocol is aborted with negligible probability because of the security of the PRF.

Hyb7

Same as $\mathrm{Hyb}6$ except that $P_n$’s outputs are substituted by its outputs in the ideal world. $\mathrm{Hyb}7$ can change $P_n$’s outputs if and only if there exists a value $\phi$ received by $P_n$ and considered by $P_n$ such that $\phi =H_2\left({\oplus }_{i\in \left[l\right]}\left(C^i\left[F_k(H_1(x^a))\right]\right)\oplus \left({\oplus }_{j\in \left[n-l-1\right]}\left(C^j\left[F_k(H_1(x^a))\right]\right)\right)\right)$ for some $x^a\in \mathcal{Q}$, and $\phi =A\left[F_k(H_1(x^b))\right]$ for some $x^b\in X_n$, $x^a\ne x^b$. Because $H_2$ is a random oracle, ${\oplus }_{i\in [l]}\left(C^i\left[F_k(H_1(x^a))\right]\right)\oplus \left({\oplus }_{j\in [n-l-1]}\left(C^j\left[F_k(H_1(x^a))\right]\right)\right)\ne A\left[F_k(H_1(x^b))\right]$ is aborted via terminate condition in $\mathrm{Hyb}6$ with negligible probability.

Hyb8

Same as $\mathrm{Hyb}7$ except that the protocol does not terminate. $\mathrm{Hyb}7$ and $\mathrm{Hyb}8$ are computationally indistinguishable since $H_1$ and $H_2$ are random oracles and $F_k$ is a PRF.

Hyb9

The output in the ideal world. The difference between $\mathrm{Hyb}9$ and $\mathrm{Hyb}8$ is that $\mathcal{S}$ samples a random matrix $C$ and encodes a data structure PaXoS, which is identically distributed.

□

5. Performance Evaluation

5.1. Complexity Analysis

To better evaluate the complexity of the protocol, we first need to perform a simple analysis of the overall protocol process. It is important to note that this protocol uses only inexpensive tools such as OTs and bitwise operations, making it concretely efficient. We treat $t$ as the set sizes and set $m=t$ as in [5]. So, $w$ can be viewed as a value dependent on $\lambda$ by fixing $m$ and $t$.

Party $P_n$ is referred to as the leader carrying the majority overhead of the protocol, while the others are referred to as clients. Regarding the complexity of the protocol, $P_n$ designs matrices of a particular form, requiring linear complexity in $t$. Then, they perform $w$ OTs for clients independently, resulting in linear complexity in the number of OTs. Moreover, $P_{i\in [n-2]}$ just do encoding operations for data structure $D^i$, and $P_{n-1}$ does hashing, bitwise-XOR, and decoding operations, which require linear communication and computation complexities. Although the computational overhead of $P_{n-1}$ is larger than that of other clients, they do not need to encode and send a data structure. From this, we can regard the overall communication and computation costs as uniformly distributed across all clients.

Note that our protocol can be divided into offline and online phases. Only lightweight procedures are required in the online phase, and communication and computation costs associated with performing OT can be handled in the offline phase. In addition, the bits exchanged among the parties concerning the random OT and the optimized malicious OT extension are summarized in

Table 3. Bits sent for leader and client.

Communication Party	Total Bit Transmission
$P_n\to P_{i\in [n-1]}$	$tw$
$P_{i\in [n-1]}\to P_n$	$w\left(\lambda -1\right)$
$P_{i\in [n-2]}\to P_{n-1}$	$tw$
$P_{n-1}\to P_n$	$t{l}_2$

.

5.2. Comparison

It should be noted that, due to the variations in architectures and security levels, making a fair comparison is challenging. Nevertheless, we have endeavored to include some recent studies pertaining to diverse security models (e.g., semi-honest, malicious, etc.). So, we contrast the complexity of communication and computation with [13,14,15] in

Table 4. Complexity of MPSI protocols.

Protocol	Communication		Computation		Security Model
	Leader	Clients	Leader	Clients
[13]	$O(tn\lambda )$	$O(t\lambda k)$	$O(tn\lambda )$	$O(tn\lambda )$	Semi-Honest
[14]	$O\left(\log (n)tn\lambda k\right)$	$O\left(\log (n)tn\lambda k\right)$	$O\left(tn\lambda k\right)$	$O\left(tn\lambda k\right)$	Aug Semi-Honest
[15]	$O((n^2+tn)\lambda )$	$O(t\lambda )$	$O(tn\log (t))$	$O(t\log (t))$	Malicious
Ours	$O(tn\lambda )$	$O(t\lambda )$	$O(tn\lambda )$	$O(t\lambda )$	One-sided Malicious

, where $n$ is the number of parties, $k$ is the number of hash functions, $t$ is the size of input sets, and $\lambda$ is the security parameter. In our MPSI protocol, the communication and computation complexity of the leader are $O(tn\lambda )$, which is linear in the number of parties. Meanwhile, the complexity for the client remains constant regardless of the number of parties involved (namely, $O(t\lambda )$) because the client $P_{i\in [n-1]}$ only needs to compute and send a data structure $D^i$ and does not need to perform additional data transfers with other parties. Therefore, our protocol achieves a good trade-off between communication and computation overhead.

Figure 5 shows the security levels of the discussed protocols. Compared with [13], our protocol achieves a stronger security model without sacrificing communication and computation costs. We implement one-sided malicious security and [14] implements the Aug semi-honest model. It is difficult to define which security model is more practical, but our protocol has better computation and communication performance. Although the security model in [15] is higher-performing, our protocol has greater communication performance and achieves a better trade-off between communication and computation.

5.3. Experimental Evaluation

In order to compare the runtime overhead of each protocol more intuitively, simulation experiments and a results analysis were performed. It should be noted that the time consumed by this protocol is the average time of multiple experiments. The experimental platform was Windows 10, Intel (R) Core (TM) i5-8250U CPU @ 1.60 GHz 1.80 GHz, 8.00 GB of RAM, and a compiled environment of Dev-C++5.11.

We first consider the total time required for each protocol to execute with different numbers of set elements. It is assumed that $n=100$, $k=\lambda =128$, and $t=2^{10},2^{11},2^{12},2^{13}$ are chosen for the comparison experiment, and Figure 6 shows the total running time of the protocol as a function of the number of elements contained in the set.

From Figure 6, the total time overhead in each protocol grows essentially linearly as the number of set elements continues to increase. However, the time of our MPSI protocol increases the slowest when the fixed set cardinality is small. Our MPSI protocol has the slowest time growth rate.

In addition, the effect of the change in the number of parties on the running time of the protocol is further considered. Suppose that the maximum number of elements contained in the set is $t=1000$, the security parameters are kept fixed at $k=\lambda =128$, and the number of parties $n={10}^1,{10}^2,{10}^3,{10}^4$ is selected for the comparison experiment. The total protocol runtime as a function of the number of parties is shown in Figure 7.

From Figure 7, the running time of all protocols increases gradually with the number of parties. The time overheads of our MPSI protocol are lower than those of the other protocols when n is fixed. In addition, our MPSI protocol has the slowest time growth rate.

6. MPCCache in Edge Computing

This section aims to address the problem of edge collaborative content caching, wherein all parties can jointly cache the most frequently accessed common data items in shared caches. Figure 8 shows the difference between the traditional cache model and edge cache model. Our challenge is to find how to determine a set of the most frequently accessed common items without revealing any underlying data.

6.1. Our MPCCache

We describe how to use our MPCCache protocol to handle the edge cache case. The network operators $P_{i\in [n]}$ respectively own set $K_i=\{(x_1^i,z_1^i),\dots ,(x_t^i,z_t^i)\}$, where $x^i\in {\{0,1\}}^{\ast }$ denotes an identify element and $z^i\in {\{0,1\}}^w$ denotes its associated value. Note that the latter may represent the anticipated frequency of content being accessed or the value to network operators of the cached content. Let the common items $I={\cap }_{i=1}^n{X}_i=\{x_1,x_2\dots \}$ be the intersection of the identifiers, where $X_i=\{x_1^i,\dots ,x_t^i\}$ is the set of identity for $P_{i\in [n]}$. For each common item $x\in I$, calculate a sum of the associated values $z$; that is, $su{m}^{\left(x\right)}={\displaystyle {\sum }_{i=1}^n{z}^{(x)}}$. The sum of a common item is determined as the total of the individual values of the operators for the item.

We present the MPCCache protocol in Figure 9. $P_{i\in [n-1]}$ conduct simple hashing and $P_n$ conducts cuckoo hashing that maps common items to the same bucket. According to the PaXoS, all the buckets are compressed into a data structure so that $P_n$ can efficiently compute the MPCCache. In detail, $P_{i\in [n-1]}$ choose $q_j^n$ and $s_j^n$ uniformly at random for $j\in [\beta ]$. Notice that $A_j^n[v[j]]={{\displaystyle \oplus }}_{i=1}^{n-1}{C}_j^i[v[j]]$ for each $x\in I$. For $(x,z)\in K_i$ and $v=F_k(H_1(x))$, $P_{i\in [n-1]}$ compute $f_{x_j}^i\stackrel{def}{{\displaystyle =}}\left(C_1^1[v[1]]\left|\right|,\dots ,\left|\right|C_w^1[v[w]]\right)\oplus q_j^i$ and $g_{x_j}^i\stackrel{def}{{\displaystyle =}}z-s_j^i$, and send the encoding $\mathrm{Encode}\left(x\right||j,f_{x_j}^i)$ and $\mathrm{Encode}\left(x\right||j,g_{x_j}^i)$ to $P_n$, where $x_j=(\mathrm{HT}[j]||j)$ means that $x$ is in $j-\mathrm{th}$ bucket. $P_n$ can use $x_j^n\in {\left\{(x||j)|x\in {\mathrm{GT}}_n[j]\right\}}_{j\in [\beta ]}$ to obtain the correct decoding $f_{x_j}^i$ and $g_{x_j}^i$ if $x_j^n=x_j^i$; it is otherwise random. Then, $P_n$ computes $q_j^n\stackrel{def}{{\displaystyle =}}{\oplus }_{i=1}^{n-1}{f}_{x_j}^i\oplus \left(A_1^n[v[1]]\left|\right|\dots \left|\right|A_w^n[v[w]]\right)$ and $s_j^n\stackrel{def}{{\displaystyle =}}{\displaystyle {\sum }_{i=1}^{n-1}{g}_{x_j}^i}+z$. Finally, $P_{i\in [n]}$ input $q_{j\in [\beta ]}^n$ and $s_{j\in [\beta ]}^n$, respectively, to check whether ${\oplus }_{i=1}^n{q}_j^i=0$ is based on a garbled circuit, and, if so, obtain the sum of the corresponding common item ${\oplus }_{i=1}^n{s}_j^i$.

6.2. Correctness and Security

Correctness: Section 4.3 proves that $A_j^n[v[j]]={{\displaystyle \oplus }}_{i=1}^{n-1}{C}_j^i[v[j]]$ for each $x\in I$ and $v=F_k(H_1(x))$; that is, $A_1^n[v[1]]\left|\right|\dots \left|\right|A_w^n[v[w]]={\oplus }_{i=1}^{n-1}\left(C_1^1[v[1]]\left|\right|\dots \left|\right|C_w^1[v[w]]\right)$. Via the property of the data structure PaXoSs $D_x^i$ and $D_z^i$ constructed by $P_{i\in [n-1]}$, for $x\in I$, $j\in [\beta ]$, and $v=F_k(H_1(x))$, we always have ${\oplus }_{i=1}^{n-1}\mathrm{Decode}(D_x^i,x\left|\right|j)={\oplus }_{i=1}^{n-1}\left(\left(C_1^i[v[1]]\left|\right|\dots \left|\right|C_w^i[v[w]]\right)\oplus q_j^i\right)$, ${\oplus }_{i=1}^{n-1}\mathrm{Decode}(D_z^i,x\left|\right|j)={\displaystyle {\sum }_{i=1}^{n-1}(z^i-s_j^i)}$. At the same time, $P_n$ defines $q_j^n\stackrel{def}{{\displaystyle =}}\left({\oplus }_{i=1}^{n-1}\mathrm{Decode}(D_x^i,x||j)\right)\oplus \left(A_1^n[v[1]]\left|\right|\dots \left|\right|A_w^n[v[w]]\right)$ and $s_j^n\stackrel{def}{{\displaystyle =}}{\displaystyle {\sum }_{i=1}^{n-1}\mathrm{Decode}(D_z^i,x\left|\right|j)}+z$ in terms of the $D_x^i$ and $D_z^i$ they receive from $P_{i\in [n-1]}$. That is, when $x\in I$, it always satisfies that ${\oplus }_{i=1}^n{q}_j^i=0$ and ${\oplus }_{i=1}^n{s}_j^i={\displaystyle {\sum }_{i=1}^n{z}^i}$.

Theorem 2.

If $\mathrm{F}$ is a PRF and ${\mathrm{H}}_1$ is a random oracle, then the construction of our MPCCache protocol has colluding semi-honest security, given the OT, PaXoS, GC, and appropriate parameters.

Proof of Theorem 2.

If we consider $l$ parties ${\left\{P_i\right\}}_{i\in [l]}$ to be corrupted by an adversary $\mathcal{A}$, then the number of uncorrupted parties is $(n-l)$. Given ${\left\{K_i\right\}}_{i\in [l]}$, the simulator $\mathcal{S}$ interacts with ${\left\{P_i\right\}}_{i\in [l]}$ as follows. $\mathcal{S}$ samples random matrices, performs OT, chooses the PRF key $k$ and sends $k$ to ${\left\{P_i\right\}}_{i\in [l]}$. The simulator $\mathcal{S}$ constructs random data structures representing honest parties according to the randomness of the matrices. $\mathcal{S}$ sends two data structures $D_x^i$ and $D_z^i$ constructed on a PaXoS to ideal functionality. We prove ${\mathrm{Real}}_{\mathcal{A}}^{\prod }\left(K_1,\dots ,K_n\right)\stackrel{c}{\approx }{\mathrm{Ideal}}_{\mathcal{S}}^{\mathcal{F}}\left(K_1,\dots ,K_n\right)$.

Hyb0

The outputs of parties in the real world.

Hyb1

Same as $\mathrm{Hyb}1$, $\mathrm{Hyb}2$, and $\mathrm{Hyb}6$ in Section 4.4.

Hyb2

Similar to $\mathrm{Hyb}1$ except that the decoding executions of the PaXoS are replaced as follows. When ${\left\{P_i\right\}}_{i\in [l]}$ does not contain $P_n$, $\mathcal{S}$ receives nothing from the data structure PaXoS. When ${\left\{P_i\right\}}_{i\in [l]}$ contains $P_n$, if $x\in I$, $P_n$ receives $D_x^i$ and $D_z^i$, thus $\left(C_1^i[v[1]]\left|\right|\dots \left|\right|C_w^i[v[w]]\right)\oplus q_j^i$, $(z^i-s_j^i)$ for the PaXoS involving the non-colluding party ${\left\{P_i\right\}}_{i\in [n-l]}$ and $j\in [\beta ]$. Note that $q_j^i$ and $s_j^i$ are used in the above expression for each bin $j\in [\beta ]$. Since these values are uniform, so are $D_x^i$ and $D_z^i$. Therefore, we replace the decoding outputs of the PaXoS with random ones. Otherwise, all the decoding outputs of the PaXoS are uniformly random from the perspective of $P_n$ and ${\left\{P_i\right\}}_{i\in [l]}$. $\mathrm{Hyb}2$ is computationally indistinguishable from $\mathrm{Hyb}1$ due to the PaXoS’s security.

Hyb3

The output in the ideal world. The only difference between $\mathrm{Hyb}3$ and $\mathrm{Hyb}2$ is that $\mathcal{S}$ executes the output of the circuit.

□

7. Conclusions

In this work, we design an efficient MPSI protocol and the MPCCache protocol to better solve the information leakage problem in resource sharing. The proposed MPSI protocol derived from multi-point OPRF demonstrates concrete efficiency in achieving one-sided malicious security. The protocol also leads to a better trade-off between communication and computational overhead. It is based on OT and a data structure PaXoS and achieves linear computation and communication complexity concerning the input set size of each party. In our MPSI protocol, the asymptotic communication and computational complexity of the clients are largely determined by the size of the input sets rather than the number of parties (namely, $O(t\lambda )$). Overall, this research has contributed to the development of efficient MPSI protocols for multiple parties in practice. In fact, we apply the MPCCache protocol to edge caching scenarios using a simple transformation of the MPSI protocol. The MPCCache protocol under the semi-honest model can support the computation of specific functions on intersections. It is our belief that future work can improve the fairness of the MPSI protocol, as well as propose more application scenarios with practical application value.