Invertible polynomial representation for private set operations

Abstract

In many private set operations, a set is represented by a polynomial over a ring ℤσfor a composite integer σ, where ℤσis the message space of some additive homomorphic encryption. While it is useful for implementing set operations with polynomial additions and multiplications, it has a limitation that it is hard to recover a set from a polynomial due to the hardness of polynomial factorization over ℤσ. We propose a new representation of a set by a polynomial over ℤσ, in which σ is a composite integer with known factorization but a corresponding set can be efficiently recovered from a polynomial except negligible probability. Since ℤσ[x] is not a unique factorization domain, a polynomial may be written as a product of linear factors in several ways. To exclude irrelevant linear factors, we introduce a special encoding function which supports early abort strategy. Our representation can be efficiently inverted by computing all the linear factors of a polynomial in ℤσ[x] whose roots locate in the image of the encoding function. As an application of our representation, we obtain a constant-round private set union protocol. Our construction improves the complexity than the previous without honest majority.