Maliciously Secure Multi-party PSI with Lower Bandwidth and Faster Computation

Abstract

Private Set Intersection (PSI) allows a set of mutually distrustful parties, each holds a private data set, to compute the intersection of all sets, such that no information is revealed except for the intersection. The state-of-the-art PSI protocol (Garimella et al., CRYPTO’21) in the multi-party setting tolerating any number of malicious corruptions requires the communication bandwidth of O(nℓ| F| ) bits for the central party P0 due to the star architecture, where n is the number of parties, ℓ is the size of each set and | F| is the size of an exponentially large field F. When n and ℓ are large, this forms an efficiency bottleneck (especially for networks with restricted bandwidthes). In this paper, we present a new multi-party PSI protocol in dishonest-majority malicious setting, which reduces the communication bandwidth of the central party P0 from O(nℓ| F| ) bits to O(ℓ| F| ) bits using a tree architecture. Furthermore, our PSI protocol reduces the expensive LPN encoding operations performed by P0 by a factor of n as well as the computational cost by 2 nℓ hash operations in total. Additionally, while the multi-party PSI protocol (Garimella et al., CRYPTO’21) with a single output is secure, we present a simple attack against its multi-output extension, which allows an adversary to learn more information on the sets of honest parties beyond the intersection of all sets.