Practical Multi-Party Private Set Intersection Protocols

—Privacy-preserving techniques for processing sets of information have attracted the research community’s attention in recent years due to society’s increasing dependency on the availability of data at any time. One of the fundamental problems in set operations is known as Private Set Intersection (PSI). The problem requires two parties to compute the intersection between their sets while preserving correctness and privacy. Although several efﬁcient two-party PSI protocols already exist, protocols for PSI in the multi-party setting (MPSI) currently scale poorly with a growing number of parties, even though this applies to many real-life scenarios. This paper ﬁlls this gap by proposing two multi-party protocols based on Bloom ﬁlters and threshold homomorphic PKEs, which are secure in the semi-honest model. The ﬁrst protocol is a multi-party PSI, whereas the second provides a more subtle functionality - threshold multi-party PSI (T-MPSI) - which outputs items of the server that appear in at least some number of other private sets. The protocols are inspired by the Davidson-Cid protocol based on Bloom ﬁlters. We compare our MPSI protocol against Kolesnikov et al. , which is among the fastest known MPSI protocols. Our MPSI protocol performs better than Kolesnikov et al. in terms of run time, given that the sets are small and there is a large number of parties. Our T-MPSI protocol performs better than other existing works: the computational and communication complexities are linear in the number of elements in the largest set given a ﬁxed number of colluding parties. We conclude that our MPSI and T-MPSI protocols are practical solutions suitable for emerging use-case scenarios with many parties, where previous solutions did not scale well.

received more attention from the industry due to the General Data Protection Regulation (GDPR), which was introduced in the European Union in May 2018.
In this paper, we focus on a specific MPC problem, namely Private Set Intersection (PSI), which aims at calculating the intersection of two or more sets without revealing the set items of the involved parties or in certain settings, even the set sizes.The problem in the two-party setting has attracted significant attention from the research community in the last decades [1]- [9].Some of these protocols have been extended to the multi-party setting, commonly referred to as Multi-party Private Set Intersection (MPSI).A much less common type of protocol is Threshold MPSI (T-MPSI), which returns all elements that are in at least a threshold amount of sets.This type of protocol is also sometimes referred to as over-threshold or d-and-over intersection.
So far, MPSI solutions have been designed towards numerous applications: Online recommendation systems including dating sites [10], confidential data sharing such as security incident information [11], border protection against criminal attempts [12], comparison of no-fly lists [7], network security operations such as botnet detection and detecting intrusions by finding the sets' suspicious IPs [13].Of course, these methods reach much further than only these examples: MPSI protocols can be used among several commercial companies to find the intersection of customer lists where each list, except the intersection, is protected.The list of common customers can be used to plan promotions for such customers [14]; MPSI can be used among the community of medical professionals to find out the patients of a hospital who has participated in the medical tests of different research labs [15]; MPSI can also be used in multi-party access control, where several co-owners of a common content each specify a set of users who are permitted to access data.The ones in the intersection are allowed to access the content [16]; MPSI can be employed among several enterprises which have private audit logs of connections to their corporate networks and are interested in identifying similar activities in all networks [17].
Most of these multi-party applications feature only a few parties t and generally large numbers of items n.Many works have therefore reasonably focused on time and bandwidth-efficient protocols in the case where n t.However, these protocols typically translate poorly to a situation with many parties and few elements.Two exemplary and increasingly relevant applications are the following.
Identifying High-Risk Individuals in the Spread of Disease: If a disease spreads in an organization, it is important to identify those who form a high risk of exposure, particularly if the disease is hard to detect otherwise.Through contact tracing, we can identify those at risk who have been in contact with someone infected.This process requires those at risk to share an exhaustive list of recent encounters.While this is an important practice, this list might reveal additional sensitive information such as visited locations and other specific behaviors.In situations where the collection of this information is impermissible, a (threshold) MPSI can be used to identify individuals that form a high risk while preserving the privacy of others.For example, by performing an MPSI with threshold T on a group of people's contact details, we can identify those individuals that have had contact with at least T other people, which means that these people run a higher risk of infection.The protocol only reveals those individuals that met many others, and it does not reveal any other information.
Criminal Activities on Smart Roads: In our EU project SECREDAS, 1 we aim at enabling autonomous vehicles on smart roads.Achieving this goal will have an enormous impact on changing transportation in general, including but not limited to reducing traffic jams and thus CO2 emission, better planning for building roads, and most importantly, improving safety.Given that smart roads and autonomous vehicles will heavily rely on several types of sensory data and computation, it is also mandatory to provide security and privacy while preserving functional safety and operational performance.
While security and privacy are essential requirements in the project, it is also essential to provide auditing functionality in case of urgency where criminal activities are involved.One such use case is detecting theft that happens at high-way parking areas (this use case was first addressed in [18]).Within a network of smart roads with parking areas, it is necessary to identify a particular vehicle or vehicles that appear in a number of parking areas.The ideal privacy-preserving solution for a vehicle tracking system would be hiding the identifiers of each car, thus providing privacy for the vehicle owners, but in case of detecting criminal activity, it should be possible to identify the vehicle that visits certain parking areas.More precisely, it is possible to use cameras and other sensors to detect vehicles in parking areas.What we are interested in is the vehicles visiting more than a threshold number of parking areas.Thus, our problem can be formalized as a T-MPSI problem.
Anonymous Voting and Consensus: In voting, we often encounter the situation where there are many voters t and few candidates n.Consider an approval voting scheme, where we let voters vote on multiple candidates to find which candidates are approved in consensus or which candidates pass at least T votes.In the simplest form, such a vote works by counting up all votes and releasing the final counts.However, a candidate might reason about voting behavior from these results and trouble those from whom they had expected a vote.Another example of a bad consequence of releasing all counts is that voters might be urged to change their behavior in future votes, dropping support for candidates close to surpassing the threshold, while they might not necessarily disapprove.Thus it is prudent that no other information than the set of approved candidates is revealed, but at the same time, the voters can be sure that the count was done securely.This can be achieved using an MPSI protocol: Every voter submits the set of candidates they approve of, and the final intersection represents the vote results.In the same way, a (threshold) MPSI protocol can be used for determining threshold-approval.

A. Related Work
PSI protocols have been thoroughly studied, and some works are already fast enough to compute the intersection of large sets in the order of seconds [1], [2].There are also many other works that compute the private intersection of multiple sets (MPSI) [13], [17], [19]- [24].However, related to our problem, namely the threshold MPSI (T-MPSI), existing work is limited [19], [21].
Several different techniques are used to design PSIs and MPSIs, such as oblivious transfer, permutation-based hashing, circuit-based computations, Bloom filters, cuckoo hashing, and oblivious programmable hashing.
Among those methods, the fastest PSI protocols are by Pinkas et al. [8], [9], where the former uses oblivious transfer and permutation-based hashing and the latter is based on a generic circuit-based multi-party computation.
One of the earliest works proposing an MPSI protocol is by Lai et al. [20].However, this protocol leaks information to the involved parties about the contents of each party's set, as it sends part of each party's set encoded as a Bloom filter to other parties in plain text.Like a hash map, a Bloom filter consists of bins, although these are Booleans for Bloom filters.The parties compute the Bloom filter representing the intersection using a logical AND operation between the bins of each filter.
Miyaji and Nishida in [21], [22] propose a multi-party PSI protocol based on Bloom filters and an additively homomorphic encryption scheme.They also introduce a threshold PSI [21] but do not provide a security analysis.Their computational complexity is linear in the number of items in the largest data set and linear in the size of the Bloom filter.
Another work proposed by Many and Dimitropoulos [25] is based on Counting Bloom Filters.Similar work is done by Karapiperis et al. [26], in which they use a Count-Min sketch data structure.In this work, by using homomorphic operations and symmetric noise addition techniques, sketches are used to represent the elements of local data sets which are then intersected to provide a global synopsis [27], [28].However, in both [25] and [26], the T-MPSI definition is different from ours.Namely, our protocol outputs the set of elements that appear in at least a threshold number of parties' data sets (including the server's), while their protocols also output the number of times such an element appeared in all data sets.For this reason, we do not compare them against our protocol.
Several PSI protocols use Cuckoo filters.Like Bloom filters, they are an approximate set representation, but in the context of PSI, they serve a fundamentally different purpose.While Bloom filters contain bits that can be combined using a logical AND operation to compute the Bloom filter representing the intersection, a Cuckoo filter cannot be combined in such a way.
Instead, such a filter contains bins that can contain multiple entries, and they are merely used as a binning technique to limit the number of pairwise comparisons.There exist other such binning techniques as well [29], [30].The protocol by Pinkas et al. [30], for example, performs a private set inclusion protocol for each element in one party's set with regard to the others set to find the intersection.By first distributing the elements over bins, the problem is reduced to set inclusions between respective bins rather than interactions between all elements.Kolesnikov et al. [31] use a similar trick to reduce the number of oblivious PRF interactions.
In addition to [21], Kissner and Song in [19] also address the threshold PSI problem, using additively homomorphic encryption, equivocal commitments, mix-net, and a shuffling protocol.The proposed protocols, which are in the semi-honest and malicious models, have cubic and quartic complexity in the number of sets.
A radically different approach was presented by Kolesnikov et al. [17], which uses a novel primitive based on oblivious transfer to evaluate whether all parties have a specific item in their sets.The authors also implemented this scheme, and they showed that it is highly time-efficient for large amounts of items.However, the time complexity scales quadratically in the number of parties.Another scheme by Inbar et al. [13] is also based on Oblivious Transfer and aims to evaluate a Garbled Bloom Filter.This scheme was also implemented, but the implementation is not readily available.Interestingly, the authors also propose a scheme proven secure in the augmented semi-honest model where communication scales logarithmically in a hyper-cube optimization.
There is also a recent paper by Badrinarayanan et al. [32] which provides threshold MPSIs which have sublinear communication complexities with a threshold number T that can be sublinear in the number of elements in data sets (namely, n).However, their threshold MPSI functionalities are completely different than ours.Namely, for t parties P 1 , P 2 , . . ., P t each of which holds a private data set S i of size n, their first threshold functionality allows the parties to learn the intersection S = ∩ t i=1 S i only if |S| ≥ n − T , while the second functionality provides intersection if |∪ t i=1 S i −S| ≤ T .Neither of the two matches our threshold definition so their work is not comparable to ours.
Finally, a line of interesting research, although not directly comparable to the other works we discussed, uses ε-differential privacy [33] to achieve various operations while providing some level of privacy.In general, differential privacy cannot offer a provable guarantee of privacy and is always accompanied by a trade-off between accuracy and security.Still, it is widely used in practice, for example, by both Google and Apple to aggregate and analyze user's data [34], [35].While usually not a strictly PSI technique, it can be used for finding (approximate) intersections. 2 One dedicated PSI algorithm using differential privacy is the one by Xue et al. [36].It is an MPSI protocol where each client locally perturbs their data set using a randomized mechanism that satisfies ε-differential privacy and sends their data set in this new form to the server.Then the server computes the set intersection privately.While the protocol has linear complexity in the number of parties, it also scales with the size of the universal set, which is typically significantly larger than the size of a party's set.

B. Our Contribution
We consider a scenario where many (t) parties -each with their own small set of n items -want to compute the intersection of all sets through communication with a single leader -that we call server (as opposed to pairwise communication).Secondly, we consider a scenario where many parties want to compute the collection of items that a leader shares with at least parties.In both cases, no party may learn the other parties' sets.
In particular, we propose two protocols in the semi-honest security model -namely an MPSI protocol inspired by the PSI of Davidson and Cid [3] that functions in a star topology and solves the problem from the first scenario; and an efficient threshold MPSI (T-MPSI) that solves the problem from the second scenario.We use Bloom filters, which are efficient probabilistic data structures for representing sets in a finite space.Note that Bloom filters have been used before for PSI in [3]- [7] and also for computing MPSIs in [13], [21], [22].For the construction of our T-MPSI, we further use a secure comparison protocol (SCP) as a sub-protocol.Here we describe and use in our implementation a modification of the Kerschbaum et al.SCP [37].The modification is necessary to prevent leakage of private data.Note that it is possible to use a different SCP as long as it satisfies our security requirements.
Our MPSI scheme bears some similarities with the MPSI from [21], [22]: However, their protocol is not secure against collusion that involves the dealer.Our proposed MPSI protocol circumvents this issue by letting each party randomize individually.Furthermore, our scheme is significantly more efficient by at least a factor of λ -the statistical security parameter -and has the advantage that the functioning of the protocol does not depend on an outside party. 3ur contributions can be summarized as follows: • An MPSI protocol that scales linearly with the number of parties.The protocol improves the state of the art significantly for large numbers of (corruptible) parties, for instance, when there are 10 or more parties with sets of around 64 elements.ones: the computational and communication complexities are linear in the number of items in the largest data set.
For the comparison of the existing MPSI and T-MPSI, we refer the reader to Table I, where we give separate complexities for the server and clients.4• An implementation of both of our protocols in C++. 5t is to our knowledge the first T-MPSI protocol to be implemented and open-sourced.• Both protocols require no trusted dealer but only a server that can be corrupted and can be freely chosen from the involved parties.• Both protocols are secure in the semi-honest model, meaning that no party learns anything about the other parties' sets beyond their size.We provide a formal simulation-based security proof for both of the protocols to justify our security and privacy claims.The rest of the paper is organized as follows: In Section II, we give the necessary preliminaries and notations.In Section III, our new MPSI protocol is introduced with its security proof and complexity analysis.Later in Section IV, we describe our T-MPSI and provide its security proof and complexity analysis.Afterwards, we compare our implementation to the state of the art in Section V, and we conclude our paper in Section VI.

II. PRELIMINARIES AND NOTATIONS
Throughout the paper we use the following notations: Z N : the ring of residue classes modulo N. When N is a prime p, it is denoted by Z p .Z p [X]: the ring of polynomials with coefficients from Z p .t : the number of parties.u : the cardinality of the Universal set.P i : i -th party -a client for i ∈ {1, . . ., t − 1} and a server for i = t.
S i : a private data set of i -th party.n i : the size of S i .
n: the size of the biggest data set among all, n = max{n 1 , n 2 , . . ., n t }.
: a threshold of the homomorphic PKE.PSI: private set intersection.MPSI: multi-party private set intersection.T-MPSI: threshold multi-party private set intersection.κ: the computational security parameter.λ: the statistical security parameter.log |X|: the size of the ciphertext X in bits.

S: the intersection of
In order to insert S into a Bloom filter, this is first done by initializing all indices to 0, and then for every x ∈ S, we set the indices h 1 (x), h 2 (x), . . ., h k (x) to 1.If the index is already 1, we do nothing.Any party can verify whether an element is stored in a Bloom filter or not by a simple checking procedure.Bloom filters do not have a false negative error as they are deterministic and when an element is represented in a Bloom filter, in the query phase, their indices are all one.However, they yield a false positive error as the values BF i [h i (x)] might be all one for every i ∈ {1, . . ., k}.As shown in [39], the probability that a particular bit in the Bloom filter is , where e is the base of natural algorithm and the number of hash functions is k = m n ln 2. When substituting the minimal m, we get the number of hash functions as k = log 2 1/ε.For example, when ε = 2 −50 , then we need k = 50 hash functions.We make use of inverted and encrypted Bloom filters defined in [3] as follows: Inverted Bloom Filter: For a given Bloom filter BF i of S i of a client i , the corresponding inverted Bloom filter IBF i is defined as Encrypted Bloom Filter: Let BF i be the Bloom filter of a data set S i of a client i , the corresponding encrypted Bloom filter is EBF i [ j ] = Enc pk (BF i [ j ]), where pk is a public key of a secret key sk.

B. Security Definitions
We will need the following standard security definitions.A function μ is called negligible (in k) if for every positive polynomial p, and sufficiently large k it holds that μ(k) < 1/ p(k).We denote negligible functions by negl(k).
Definition 1 (Computational Indistinguishability): We say that two distribution ensembles X = {X k } k∈N and Y = {Y k } k∈N indexed by a security parameter k are computationally indistinguishable if for any probabilistic polynomial time algorithm A: We will denote this by X ≈ c Y .
We prove the security of our protocols in the semi-honest model with static adversaries where all protocol participants are assumed to run in probabilistic polynomial time.We have: • Adversaries -can be any subset of the protocol participants.We will typically refer to them as the corrupted parties.As usual, we do not consider outside adversaries, because they can be mitigated by standard network security techniques.• Static adversaries -the set of corrupted parties is determined before the execution of the protocol and does not change during the execution.This means that the honest parties cannot become corrupted and reveal their secret values during the execution of the protocol.
• Semi-honest model -the corrupted parties follow the protocol honestly: they cooperate collude) to infer information about the honest parties, but do not exhibit active malicious behavior and do not deviate from the protocol.This is in contrast to the malicious model where the adversaries can behave in unpredictable ways and modify and suppress messages or leave the protocol execution altogether.While the semi-honest model offers weaker security than in the malicious model, it is appropriate in our privacy-preserving setting, since it guarantees that there is no unintentional leakage of private information.We emphasize that with appropriate extensions, the protocols can be turned into ones secure in the malicious model, but much less efficient.We use the following definition to define security against semi-honest adversaries.
Definition 2 (Semi-Honest Security for Deterministic Functionalities [40]): Let f : ({0, 1} * ) t → ({0, 1} * ) t be a deterministic functionality of a t-party protocol , where We assume that t-party protocol computes f .Then, the view of i -th party during an execution of the protocol on input x = (x 1 , . . ., x t ) is denoted by VIEW We say that privately computes f , if there exists a polynomial-time algorithm denoted by a simulator S such that for every I: This security definition states that the view of each party in I can be simulated by only looking at their inputs and outputs.
Remark 1: Note that if we are dealing with probabilistic functionalities, the output of the protocol during the execution corresponding to VIEW I (x) need not be the same as f (x).Therefore, these need to be appended to the view of the semi-honest coalition of parties in I and to the simulated view, respectively.
Definition 3 (Public Key Encryption (PKE)): A public key encryption scheme = (KGen, Enc, Dec) consists of three algorithms that for security parameter k ∈ N and two finite sets M, R ⊆ {0, 1} * are defined as follows: • The key-generation algorithm KGen is a probabilistic algorithm that on input 1 k and a random string outputs a public and private key pair (pk, sk).• The encryption algorithm Enc is a probabilistic algorithm that on input public key pk, message M ∈ M and random r ∈ R outputs C = Enc(pk, M, r ) as the ciphertext.
Informally, a public key encryption scheme is additively homomorphic, if given two ciphertexts c 1 = Enc(pk, M 1 ) and c 2 = Enc(pk, M 2 ) one can efficiently compute Enc(pk, M 1 + M 2 ) without the knowledge of the secret key.More formally, we have the following definition.
A useful algorithm for an additively homomorphic scheme is a ReRand algorithm, that allows anyone knowing the public key to rerandomize the ciphertext.
Definition 6: Given pk and a ciphertext C = Enc(pk, M), encrypted using additively homomorphic PKE scheme, the algorithm ReRand is defined as ReRand(C) = C + H Enc(pk, 0), i.e. an encryption of 0 is added to the ciphertext.
Note that rerandomization does not change the plaintext of C. On the other hand, rerandomization refreshes the ciphertext, and this is necessary in order to assure that the randomness in the final ciphertext is not related to the randomness used to produce the initial ciphertext.Typically, one needs to refresh/rerandomize the ciphertext after every homomorphic operation.
Threshold Public Key Encryption Often it is desirable that the secret key sk of a PKE is distributed among several parties where each party holds a share of the key sk i , and decryption is only possible if enough parties ( out of t) combine their decrypted shares of the message.In this setting, the KGen algorithm generates several secret keys sk i instead of one; the encryption algorithm Enc works the same as in a regular PKE; The decryption is realized through two separate algorithms -a share decryption algorithm ShDec with which involved parties holding a secret key sk i produce their decryption share C i , and a combining algorithm Comb which using only the public key and the decryption shares outputs a message M (or ⊥ to indicate invalid).We will denote such a scheme as (, t) TPKE.Note that parties in such a scheme can either generate these keys using a suitable distributed key generation protocol [41], or they can trust a third party to do so.
Following the approach of [24] we require an extension of the decryption algorithm of an additively homomorphic threshold PKE that allows the involved parties to learn whether a ciphertext is encryption of zero or not, but nothing else.We will call such decryption algorithm "Decryption-to-zero" and denote it by ShDec0.This property can typically be achieved by randomizing the ciphertext by each of the involved parties, combining the results in a new value, and jointly decrypting this obtained value.The result is that the decrypted value is randomized if it was different from 0 and nothing can be learned from it, apart from not being zero.

C. Additivelly Homomorphic Threshold PKE Schemes
Our protocols require the existence of an additively homomorphic threshold PKE that additionally has a decryption-tozero variant defined.The threshold ElGamal PKE [42] and the threshold Pailler PKE [43] are two well-known examples that satisfy these properties.Here we briefly explain the latter.
Threshold Paillier PKE [43].A (, t)-threshold version of the Paillier's scheme is briefly described as follows: Key Generation: Generate two primes p and q such that p = 2 p + 1 and q = 2q + 1 where p and q are two other primes and different from p and q, and gcd(N, φ(N)).Then set N = pq and M = p q .Let β be an element randomly chosen from The secret key sk = (β × M) is shared as follows: Let a 0 = β M and generate the polynomial f (X) = i=0 a i X i where a i ∈ R {0, . . ., N M − 1}.The private key share of the i -th party is sk i = f (i ) mod N M for t number of parties.The public key is pk = (g, N, θ = a Mβ mod N).
Encryption: Pick a random r ∈ Z * N and encrypt the message X by C = g X r N mod N 2 .
Share Decryption: The i -th party computes C i = C 2sk i mod N 2 , where C is the ciphertext and = t!.
Combining: Let S be a subset of different C i -s (of the involved parties).Combine the elements of S as follows: A Decryption-to-zero variant can be realized as follows: Each party raises the ciphertext C to a nonzero random power as C r i and the results of all parties are multiplied together to obtain C r i = g X (r i ) (r r i ) N mod N 2 .The obtained result is then jointly decrypted by the involved parties.If the result of the decryption is 0, they conclude that X = 0. Otherwise, they see a random value coming from the randomization of the ciphertext, from which nothing can be inferred about the plaintext.

D. Davidson-Cid Two-Party Private Set Intersection Protocol
Our work builds upon Davidson-Cid's two-party Private Set Intersection (PSI) protocol proposed in [3].In the protocol both parties P 1 and P 2 are given k hash functions h 1 , . . ., h k , P 1 has a pair of public pk (also available to P 2 ) and private key sk of an IND-CPA additively homomorphic scheme.They want to jointly find the intersection of their sets S 1 and S 2 , in such a way that P 1 learns the output, but no other information is leaked to any of the parties apart from the sizes of the sets, that is given as an input to both parties.
In essence, in the protocol P 1 encrypts the inverted Bloom filter IBF 1 that represents the set S 1 and sends it to P 2 .The other party P 2 , based on it's own set computes cumulative randomized values over the ciphertexts, without learning anything.This is made possible by the additive homomorphism property of the encryption scheme.Finally P 1 decrypts these values which decrypt to 0 if the corresponding element of P 2 's set is in the intersection.Otherwise, the result is a random value.We outline the protocol in Fig. 1.
Clearly, when y j ∈ S 1 , C j is encrypted to zero, so P 1 will correctly identify that y j needs to be added to the intersection.Otherwise (when y j / ∈ S 1 ), the decryption of p j will be a random number and will not disclose y j .This correctness is probabilistic due to the false positive rate of Bloom filters, however it is negligible in k as explained in Section II-A.

E. Multi-Party Secure Comparison
In our threshold MPSI we make use of a multi-party secure comparison protocol (SCP).Such a protocol compares two values x 0 and x 1 in a multi-party setting, with the objective that no party learns anything about x 0 and x 1 during the protocol execution.For many applications, it is desirable that the output of the protocol is also private as is in our case as well.
To the best of our knowledge, the problem of secure comparison is actually the first ever MPC problem considered in the literature known under the name of the millionaire's problem [44].But despite a broad range of applications of the two-party setting and numerous solutions proposed, we are not aware of any multi-party solution in the literature but the one of Kerschbaum et al. [37] that we describe shortly.
We use a slight modification of this protocol that addresses a minor security issue, and we evaluate the performance of our protocol including it as a sub-protocol.Notably, this means that our T-MPSI inherits a linear round complexity, which is not an artifact of the rest of our protocol.Since our protocol can use any secure multi-party SCP, this potentially allows an improvement in the round complexity if a constant round SCP is designed in the future.

Kerschbaum et al. Secure Comparison Protocol [37].
The protocol securely compares two values x 0 and x 1 given only their encrypted values Enc(x 0 ) and Enc(x 1 ) as input.The output is a single encrypted bit Enc(b) that determines whether x 0 ≤ x 1 .In their protocol, Z p (where p is prime) is represented by the upper half of the range [0, p − 1] as negative, that is The objective is to compute whether d = x 0 − x 1 is positive or not by hiding d through multiplication with a large random number r , i.e., d r .Also, in order to avoid obtaining a factor of d, they compute rd − r where r is random number which is smaller than r .Let there be t parties such that they receive Enc(x 0 ) and Enc(x 1 ) as input and run the following protocol: (1), Enc(0), Enc(c)) where, by picking two prime numbers r 1 and r 1 as explained above.To compute Enc(−x 1 ), P 1 needs to compute the multiplicative inverse of Enc(x 1 ).P 1 sends (a 1  1 , a 1 2 , a 1 3 ) to P 2 .
• For every party P i , 2 ≤ i ≤ t, P i selects r i < r i and flips a coin b i ∈ {0, 1}, then computes (a i 1 , a i 2 , a i 3 ) in the following way: If b i = 0, then 3 ) to P i+1 (mod t ) (P t sends to P 1 ).
• All parties P i , 1 ≤ i ≤ t, jointly decrypt a t 3 to decide the result.If Dec(a t 3 ) < 0, then a t 1 is the ciphertext of 1 (i.e.Enc(1)), that is [x 0 ≤ x 1 ] = 1, else a t 1 = Enc(0).For the correctness of the protocol, we refer the reader to [37].
We would like to emphasize that this protocol suffers from information leakage.In fact, the parameters r 1 and r 2 in r 1 (x 0 − x 1 ) + r 1 cannot securely protect the relation between x 0 and x 1 from an adversary.The reason is that r 1 is not large enough for multiplicative masking.To address this security issue, we can switch to additive masking by choosing a large r 1 at the computation cost of performing a homomorphic exponentiation.The bit length of r 1 should be not less than + κ + 1, where is the bit length of the x 0 and x 1 , and κ is a security parameter.The security proof for this can be found in [45].
For t parties, the asymptotic round complexity of this protocol is O(t).To compute c for all the parties, there are t rounds and one extra round to decrypt c (a t 3 ).Hence, the communicational and computational complexities are O(t) ciphertexts and O(t) homomorphic encryptions respectively.

III. OUR MULTI-PARTY PRIVATE SET INTERSECTION PROTOCOL
Our new multi-party private set intersection protocol is inspired by the Davidson-Cid two-party PSI (see Section II-D).In order to generalize their technique to the multi-party case, we need to slightly change the setting.Let P 1 , . . ., P t be the parties involved in the protocol, where t ≥ 3.Each party P i holds a private data set S i of n i elements.The goal of the protocol is to securely compute the intersection S = t j =1 S j , while no party learns anything else.Parties P 1 to P t −1 will be called clients, and P t server.Unlike in the Davidson-Cid two-party PSI, it is the server that computes the intersection.
For the sake of simplicity, we use the same notations with Davidson-Cid's paper.The formal description of the protocol is given Fig. 2. The detailed steps are as follows: Input: Each of the clients P i , i ∈ {1 . . ., t − 1} holds a shared decryption key sk i of an additively homomorphic threshold encryption scheme with decryption to zero algorithm ShDec0.The public key pk is available to all parties.
The size of the private sets |S i |, i ∈ {1 . . ., t} is also available to all parties.
Initialization: P t randomly selects a set of hash functions {h 1 , h 2 , . . ., h k } ∈ H and sends them to the clients Local EIBF generation: Each client P i , where 1 The rerandomization is necessary because of the deterministic nature of the homomorphic operation.
3) Sends (C 1 , C 2 , . . ., C n t ) to parties among t −1 parties and asks them to mutually decrypt-to-zero each C j .We allow ≤ t − 1 for more flexibility, although often = t − 1. 4) Each client P i computes their decryption share sh i, j for all j ∈ {1, . . ., n t } as follows: They first send a randomized C r i, j j to the server; the server combines them into C j = C r i, j j and sends C j to each party.Now each party decrypts to obtain their shares sh i, j for all j ∈ {1, . . ., n t }.Finally the shares are sent to the server.Note that in Figure 2 we have abused notation to improve the readability, and this whole step of producing shares with the ShDec0 algorithm is denoted as sh i, j = ShDec0(sk i , C j ) for all j ∈ {1, . . ., n t }. 5) For each j ∈ {1, . . ., n t } the server runs the combining algorithm on the obtained shares and computes Dec(C j ) ← Comb(sh 1, j , . . ., sh t −1, j ). 6) For each j ∈ {1, . . ., n t }, if Dec(C j ) = 0 the server adds the corresponding y j to the intersection S = {y j }∪ S, otherwise he discards y j .Output: P t outputs S.
A. Protocol Correctness P t can compute the intersection if the corresponding plaintexts of all C i j 's are zero.This happens only when y j appears in every S i , for i ∈ {1, . . ., t −1} simultaneously which results in y j ∈ S 1 ∩• • •∩ S t −1 .The correctness is not perfect as in [3], because of the false positive probability of Bloom filters.This probability is however can be made negligible in number of hash functions k (see Sec. II-A).

B. Security Against Semi-Honest Adversaries
We will prove the security of the protocol under the assumption of the existence of a IND-CPA-secure additively homomorphic threshold PKE scheme with threshold < t.Here, we consider the protocol participants as corrupted by the adversary where they are curious but honest.Outside adversaries are not considered in this context as they can be mitigated by standard network security techniques.
We remind that the inputs of the clients are The output of the clients is ∅, and of the server S = t j =1 S j .We will consider two scenarios in both of which we assume η < : 1) The server P t is honest, and a subset P I of the clients is corrupted.
2) The server P t is corrupted, and a subset P I of the clients is corrupted.In the first case, the simulator is given Inp I and no output and he needs to simulate the honest server towards the η corrupted parties.He needs to produce simulated ( C1 , C2 , . . ., Cn t ) indistinguishable from the real (C 1 , C 2 , . . ., C n t ), because this is the only message that appears in the view of the corrupted parties.The simulator S starts by choosing a random input for the honest parties that comply with what the corrupted parties know -the public hash functions h 1 , . . ., h k , and the sizes of the sets of the honest parties.Then S follows the protocol and produces ( C1 , C2 , . . ., Cn t ) from the EIBFs of the corrupted parties and the ones produced from random input of the honest parties.Suppose there is an adversary A that can distinguish between (C 1 , C 2 , . . ., C n t ) and ( C1 , C2 , . . ., Cn t ) with non-negligible probability.Since each of C i and C1 are rerandomized homomorphic sums, they both look like fresh encryptions of a IND-CPA secure scheme .Therefore, it is straightforward to construct an adversary A from A that breaks the IND-CPA-security of .
If the server P t is also corrupted, but the number of corrupted clients η is still smaller than the threshold , the corrupted parties learn also the output of the protocol, i.e. the intersection S = t j =1 S j .In this case, the simulator S needs to simulate the EIBFs of the honest parties, but also to be able to produce decryption shares without the knowledge of a secret share of the key.The simulated decryption shares must be such that, after combining all of the decryption shares, the result agrees with the output of P t .The simulator starts by choosing sets Si , i ∈ Ī, such that j ∈I S j ∩ j ∈ Ī S j = S.He then follows the protocol, forms the EIBFs corresponding to the sets Si and sends them to the corrupted server.The corrupted clients also send their randomized EIBFs to the server.The server then computes the ( C1 , C2 , . . ., Cn t ) as in the protocol and sends them to a subset of parties.Since the number of corrupted parties η is smaller than , there must be at least one honest party that receives ( C1 , C2 , . . ., Cn t ), in particular, there are − η honest parties, The simulator receives these, and simulates the shares of the honest parties as follows: It invokes the share decryption algorithm ShDec0 on Ci and random element from the secret key space, sk k for each of − η − 1 honest parties.For the last remaining honest party, if y j ∈ S, the simulator computes the decryption share from the decryption shares of the corrupted parties and the simulated honest parties, such that the combining algorithm Comb outputs 0. The simulator achieves this by calling a simulator for ShDec0.Note that such a simulator exists both for the Elgamal threshold encryption and Pailler generalized threshold encryption schemes.If y j / ∈ S, it forces the output to a random value.Now clearly the simulated EIBFs are indistinguishable from the real ones, otherwise the IND − CPA security of the TPKE breaks.Also, the decryption shares are produced by a simulator for ShDec0, so the adversary cannot distinguish them from the real execution.

C. Complexity Analysis 1) Communicational Complexity:
Our protocol consists of five rounds.The amount of communicated data of the clients is dominated by the first round in which the clients send to the server their EIBFs each of which contains m ciphertexts.For an optimal Bloom filter size, m must be at least kn log e bits long (see Section II-A).Therefore, to define the complexity in terms of the size of the data sets n, one can safely say that each client sends O(λn) ciphertexts to the server, where λ = k is a statistical security parameter.To compare the complexity to that of previous designs, we set the server's communication cost to O(n) ciphertexts.Note that this cost is incurred only during the shared decryption (rounds 2 − 5), 2) Computational Complexity: The computational complexity is dominated by the first round in which each client performs O(m) (or equivalently O(λn)) encryptions.Here we focus on the concrete instantiation from the Elgamal or Paillier scheme, where the homomorphic addition + H is multiplication in Z N .The details are as follows.
In the first round, each client P i computes its Bloom filter of size m by computing k hash values of each element requiring O(kn) hash computations.Then, each client makes O(λn) encryptions for encrypting its Bloom filter.In the second round, for each element of his private set S t , the server P t makes k hash evaluations to retrieve the corresponding values in the encrypted inverted Bloom filters.This requires O(kn) hash computations.When considering all elements in its private set, P t makes O(n(t +k)) homomorphic additions in total.Afterwards, the server initiates shared decryption-to-zero for all C j 's.Each involved client runs the ShDec0 algorithm which essentially consists of two parts.First, each client randomizes the ciphertext by raising it to the power of a random value and sends back to the server.The server multiplies all randomized ciphertexts performing O(n) multiplications and resends to the clients.Then, each client calculates his decryption share.This requires O(n) exponentiation for each client.The server P t makes O(n) decryptions in total in the last round.

IV. OUR THRESHOLD MULTI-PARTY PSI PROTOCOL
A common requirement in real-world applications is to compute a set of elements that appear in the private sets of most of the involved parties, say in at least T private sets.More formally, we would like to compute the threshold set intersection S T = {x ∈ S t |∃S i 1 , . . ., S i T , x ∈ T j =1 S i j }.Based on the protocol described in Section III, we here propose a new protocol for achieving this goal.Our Threshold Multi-Party PSI Protocol makes use of a slightly modified version of the Secure Comparison Protocol of Kerschbaum et al. [37] (see Section II-E).The difference to this protocol is that the server that initiates the protocol does not actually take active part in it.Everything else is exactly the same, so all security arguments are naturally inherited.
The formal description of our T-MPSI protocol is given Fig. 3.The detailed steps are as follows: Input: As in our Multi-party PSI protocol from Section III we have t − 1 clients P 1 , . . ., P t −1 and a server P t , each of which holds a private data set S i of size n i .Let pk be the public key of a secret key sk shared among all t − 1 clients of an additivelly homomorphic threshold encryption scheme.The parties compute the threshold intersection S T as follows.
Initialization: P t randomly selects a set of hash functions {h 1 , h 2 , . . ., h k } ∈ H and sends them to the clients P i , where 1 ≤ i ≤ t − 1.
Local EBFs generation: Each client P i , where 1 ≤ i ≤ t − 1: 1) Computes their Bloom filter of their private data set S i , where 1 ≤ i ≤ t − 1. 2) Computes their encrypted Bloom filter EBF i by encrypting each element of BF i [ j ] using pk.3) Forward their EBF i 's to the server P t .We note that in this protocol, inverted Bloom filters are not required.
Set Intersection generation by the server: The server P t : 1) Computes k hash values of each element y j ∈ S t , and for each party k ) for each y j ∈ S t and for each party P i (1 ≤ i ≤ t − 1).We emphasize that if y j ∈ S i where i = t, then the corresponding plaintext of C i j must be k which corresponds to the number of entries of y j in the Bloom filter as all one.4) For each C i j computes a fresh encryption Enc(pk, k). 5) Runs t • n t SCP protocols ( [37]) in parallel with any clients P i to compare C i j to Enc(pk, k). 6) Gets the results Enc(pk, α i, j ) from the SCP.The output Enc(pk, α i, j ) will be the encryption of 1 if the decrypted value of C i j is greater than or equal to k and will be the encryption of 0 if the decrypted value of C i j is less than k.7) Computes, Enc(α j ) = ReRand(Enc(α 1, j ) + H • • • + H Enc(α t −2, j ) + H Enc(α t −1, j )).8) Runs n t SCPs in parallel with any clients to compare Enc(α j ) to a fresh encryption Enc(T ).9) Gets the results from the SCP (Enc(β 1 ), . . ., Enc(β n t )), randomizes each one of them and obtains C j = ReRand(Enc(β j )).10) Asks clients P i to perform joint decryption of C j , ∀ j (in a random order).11) After combining the shares from the involved clients obtains (Dec(C 1 ), . . ., Dec(C n t )).12) For all j , if Dec(C j ) = 1 then adds y j to S T , else discards y j .Output: P t outputs S T .

A. Protocol Correctness
The server P t computes the threshold intersection of his data set if β j is greater than or equal to the predetermined threshold T .The reason is that β j counts the number of appearances of y j ∈ S t in clients' private data sets.As previously, the correctness is not perfect.

B. Security
As in our MPSI protocol from Section III, we will prove the security of the protocol under the assumption of existence of a IND-CPA-secure additively homomorphic threshold PKE scheme with threshold < t.We will use the notations from Section III.The difference is that the output of the server is now the threshold intersection S T = {x ∈ S t |∃S i 1 , . . ., S i T , x ∈ T j =1 S i j }.Again, we will consider two scenarios in both of which η < : 1) The server P t is honest, and a subset P I of η clients is corrupted.
2) The server P t is corrupted, and a subset P I of η clients is corrupted.
In the first case, given Inp I and no output, the simulator first needs to produce simulated ( Ci 1 , Ci 2 , . . ., Ci n t ), i ∈ {1, . . ., t − 1} that the corrupted parties receive as input in the SCP protocol.Similarly as in the MPSI protocol, S starts by choosing random inputs of the correct size for the honest parties, and follows the protocol to produce ( Ci 1 , Ci 2 , . . ., Ci n t ), i ∈ {1, . . ., t − 1}.Then S gets involved in the first run of the SCP protocol, simulating the actions of the honest parties.Basically, for each C i j there is one comparison to a fresh encryption of E(k) carried out using an atomic SCP.In particular, to simulate the output of a honest party, for received (a r 1,i, j , a r 2,i, j , a r 3,i, j ) from a corrupt party, the simulator produces (a r+1 1,i, j , a r+1 2,i, j , a r+1 3,i, j ) following exactly the SCP protocol and gives it to a corrupt party.The last a 3,i, j is then jointly decrypted by the involved parties.In the joint decryption, the corrupt parties send their decryption shares to the simulator.The simulator encrypts 0 n t times and randomizes Enc(α j ) for each j .Then it gets involved in the SCP once again, and follows the protocol: for received (a r 1,i, j , a r 2,i, j , a r 3,i, j ) from a corrupt party, the simulator produces (a r+1 1,i, j , a r+1 2,i, j , a r+1 3,i, j ) and sends to the next corrupt party.In the end, the simulator collects the decrypted shares, and rerandomizes the results, exactly as in the previous run.Once again, it sends the obtained C j to the corrupt parties for joint decryption, and they return their decryption shares.
Since everything that the simulator sends to the corrupted parties is rerandomized, it is indistinguishable from fresh encryption.Thus, an adversary that can distinguish the simulated run from the real one, can break the IND-CPA-security of the underlying .
If the server P t is also corrupted, the corrupted parties learn also the output of the protocol, i.e. the threshold intersection S T .Now, the simulator needs to simulate everything as in the previous case, plus the shares of the honest parties in the last joint decryption.This can be done by forcing the outcome of the algorithm Comb to 1, for all y ∈ S T , similarly as in the MPSI protocol from Section III where the result was forced to 0 by the simulator.The security argument is then essentially the same.

C. Complexity Analysis 1) Communicational Complexity:
The number of rounds of the protocol is O(t), which is dominated by the SCP protocol.The communication complexity of the server is dominated by the first execution of SCP in which the server sends O(nt) ciphertexts.As in our first protocol, the communicational complexity of each client in the first round is O(λn) ciphertexts.In the rest of the rounds, the communicational complexity of each (active) client is due to the execution of the SCP protocols which is O(nt) ciphertexts.Therefore, the dominating communicational complexity of each client is O(max(λ, t)n) ciphertexts.For the details of the analysis of the SCP protocol, we refer to Section II-E.
2) Computational Complexity: One of the dominating steps in terms of computational complexity of each of the clients is the construction of their encrypted Bloom filters which takes O(λn) operations.The second dominating computational step of the protocol is the execution of the SCP 's.We remind that each execution of SCP does O(1) homomorphic encryptions for each client and the server.As the SCP protocol is executed nt times, for the server and each (active) client, the computational complexity is for each of them O(nt) homomorphic encryptions.Therefore, the dominating complexity for each client is O(max(λ, t)n), and it is O(nt) for the server.

V. IMPLEMENTATION
We have developed a reference implementation of both protocols in C++.The implementation depends on the GMP [46] and NTL [47] libraries, as well as code for MurmurHash3 [48], which is used as a fast hash function for Bloom filters.The implementation for the MPSI protocol runs on one machine and spawns one thread for each client for concurrency, while the main thread represents the server.The T-MPSI protocol runs on a single thread so it demonstrates an upper bound of the run time, which we believe can still be reduced significantly using multi-threading.

A. Set-up
We evaluate the run time performance of the protocols by performing 10 set intersections for each combination of parameters, where all sets contain n random elements.We provide both the mean and standard deviation of these measurements.Our benchmarks were executed on a 64-bit Unix machine with an INTEL CORE I7-1065G7 processor at 8 × 1.30GHz and a memory capacity of 16GB.For our work, we choose security parameter κ = 1024 as is common for public-key encryption.

B. MPSI Protocol
We compare the run time of our private set intersection protocol with the protocol by Kolesnikov et al. [17] (with κ = 128 as is common for Oblivious Transfers) because their implementation is readily available and the empirical run time appears to be generally superior to that of similar works.While their protocol is time-efficient for large numbers of elements, our proposed protocol is efficient for larger numbers of parties t.Our bandwidth is also drastically lower for an increasing number of (corruptible) parties.To ensure an overwhelming probability of correctness we fixed the accuracy to a false positive rate of less than 1%, by choosing k = 7 hashes and m = 7n log 2 bits.We note that Kolesnikov et al.
[17] achieve a far higher probability of correctness (the probability of incorrectness is 2 −40 ) since an increase in their number of bits achieves an exponential reduction in the false positive rate.Applications that require such a low false positive rate can choose a larger m and k but they will incur longer run times and bandwidth.
1) Run Time Results: We present the results of our run time comparison in Figure 4 for a threshold = 1 2 t.We also evaluate the run time for = t − 1, the result of which is relatively similar and can be found in Table II.We capped the number of parties t at 50 for Kolesnikov et al. [17] but this was only due to memory constraints when running the protocol.Our protocol can be easily run with many more parties, and there are no theoretical reasons why the results could not be extended to a larger number of parties for Kolesnikov et al. as well.For this reason we extrapolated the results to t = 100 in Figure 4 using a quadratic fit.
2) Discussion: For every number of elements n there is a lower bound on the number of parties t where our protocol becomes more efficient than [17].For small n such as n = 16 our protocol already becomes more efficient at t ≥ 10 parties, and for a larger n = 64 our protocol is more efficient from t ≥ 30 parties onwards.Notably, even for 100 parties our runtime stays within 60 seconds for n = 64 and within 120 seconds for n = 128.As highlighted by the filled in areas in our plot that represent three standard deviations from the mean, our measurements are statistically consistent.For a different collusion threshold runtime changes only slightly as demonstrated in Table II.

C. T-MPSI Protocol
We also present an implementation of our T-MPSI protocol.Even though the runtime seems promising already, these results can be considered an upper bound as we believe a significant gain in efficiency can still be achieved through multi-threading.We evaluate the run time for T-MPSI on smaller instances of the problem than the MPSI protocol, with fewer parties and lower set sizes to perform the experiments in reasonable time.
1) Run Time Results: We present the results of our run time experiment in Figure 5, and the results for smaller instances can be found in Table III.We do not compare our protocol against another as there were no other threshold-intersection implementations available.As a set-intersection threshold we chose half of the number of parties: T = t 2 .2) Discussion: For smaller set sizes the experiments show that our protocol proves to scale efficiently.Specifically, when run with n = 4 elements, as might be the case in a voting scenario, the protocol takes roughly 1 minute for t = 50 parties.Even for n = 32 elements and t = 50 parties runtime stays within 8 minutes.While the protocol scales quadratically in the number of parties t these results demonstrate that for a small number of elements n the protocol can still be considered practical.Note that when the collusion threshold is chosen to be a fixed number, the protocol instead scales linearly with a growing number of parties t.

VI. CONCLUSION
In this paper, we describe two efficient multi-party private set intersection protocols for both regular and threshold intersections, which we prove to be secure in the semi-honest model.For threshold intersections, only those elements of the server that appear in at least a pre-determined threshold number of private sets are revealed.Our protocols are based on Bloom filters as an efficient set representation, and threshold homomorphic PKEs.To the best of our knowledge, our proposed protocols are the fastest tools for computing private set intersections and threshold set intersections in real-world problems where many parties are involved in the computation.

Fig. 2 .
Fig. 2. Our multi-party private set intersection protocol based on Bloom filters.

Fig. 3 .
Fig. 3. Our threshold multi-party private set intersection protocol based on Bloom filters.

Fig. 4 .
Fig. 4. Run time comparison for the MPSI protocol at = 1 2 t averaged over 10 runs.The gray line indicates the extrapolated results for Kolesnikov et al.The filled in areas represent the 99% confidence intervals (±3σ ).

TABLE I THE
COMPARISON OF PREVIOUS DESIGNS WITH OURS IN THE SEMI-HONEST SETTING.n IS THE NUMBER OF ELEMENTS IN A DATA SET; t IS NUMBER OF PARTIES; u IS THE SIZE OF THE UNIVERSAL SET; IS THE threshold OF HOMOMORPHIC PKE; κ IS THE COMPUTATIONAL SECURITY PARAMETER; λ IS THE STATISTICAL SECURITY PARAMETER; AND log |X| IS THE SIZE OF THE CIPHERTEXT X IN BITS.THE MERGED COLUMNS REFER TO A PROTOCOL'S TOTAL COMPLEXITY, WHILE SEPARATE SERVER AND CLIENT COLUMNS EXPRESS THE ISOLATED COMPLEXITIES OF THE SERVER AND A CLIENT. * , * * -THESE SOLUTIONS ARE BASED ON DIFFERENTIAL PRIVACY, WHILE ALL THE OTHER SOLUTIONS ARE CRYPTOGRAPHIC.* * IS NOT OPTIMIZED FOR PSI BUT IS A GENERAL PRIVACY PRESERVING CROWDSOURCING STATISTICS TECHNOLOGY sk): a pair of public and private key.sk i : a secret share of sk among t participants.Enc(pk, M) and Dec(sk, C) (shortly Enc(M) and Dec(C)): generic public-key encryption of M and decryption of C, respectively.BF Bloom Filter, BF = (BF[0], . . ., BF[ j ], . . ., BF[m − 1]) of length m encodes a set S of length at most n into mbit string by means of randomly chosen k hash function, (h 1 , h 2 , . . ., h k ), where h [38]a Bloom filter of size m on the set S i .IBF i : an inverted Bloom filter of size m on the set S i .EBF and EIBF: entry-wise encryption of a Bloom filter and an inverted Bloom filter, respectively.'+H':homomorphicoperation over ciphertexts.I: a set I = {i 1 , ..., i η } ⊂ {1, 2, ..., t − 1}.Ī: the complement of I with respect to {1, 2, ..., t − 1}.Inp i : the inputs of the clients where Inp i = (S i , |S j | t j =1 , pk, sk i ), i ∈ {1, ..., t − 1}.Inp t : the input of server, where Inp t = (S t , |S j | t j =1 , pk).A. Bloom FiltersBloom filters were introduced by Bloom[38]as an efficient representation of data sets.A Note that it is usually assumed that there is a trusted third party who sets up all public parameters A standard security notion for PKE is indistinguishability under chosen plaintext attack captured in the following definition.Definition 4 (IND-CPA Security): A PKE scheme is called IND-CPA-secure if any PPT algorithm A has only negligible advantage in the following Exp • The decryption algorithm Dec is a deterministic algorithm that takes as input a secret key sk and ciphertext C, and outputs either a message M = Dec(sk, C) ∈ M or a symbol ⊥ / ∈ M to indicate an invalid ciphertext.
1) Computes their corresponding Bloom filter BF i of their data set S i .2) Inverts BF i to obtain IBF i .3) Computes their encrypted inverted Bloom filter EIBF Computes k hash values of each element y j ∈ S t , and for each i , computes {C i by encrypting each element IBF i [ j ] in the inverted Bloom filter with the public key pk.4) Sends EIBF i to P t (server).Set Intersection computation: The server P t :1)

TABLE II MEAN
RUN TIME RESULTS IN SECONDS FOR THE MPSI PROTOCOL AVERAGED OVER 10 RUNS, WHERE ± REPRESENTS THE STANDARD DEVIATION σ .*FOR THESE RESULTS WE HAD TO CHOOSE = 30 TO STAY WITHIN MEMORY TABLE III MEAN RUN TIME RESULTS IN SECONDS FOR THE T-MPSI PROTOCOL AVERAGED OVER 10 RUNS, WHERE ± REPRESENTS THE STANDARD DEVIATION σ