TY - JOUR
T1 - Efficient Set Intersection with Simulation-Based Security
AU - Freedman, Michael J.
AU - Hazay, Carmit
AU - Nissim, Kobbi
AU - Pinkas, Benny
N1 - Publisher Copyright:
© 2014, International Association for Cryptologic Research.
PY - 2016/1/1
Y1 - 2016/1/1
N2 - We consider the problem of computing the intersection of private datasets of two parties, where the datasets contain lists of elements taken from a large domain. This problem has many applications for online collaboration. In this work, we present protocols based on the use of homomorphic encryption and different hashing schemes for both the semi-honest and malicious environments. The protocol for the semi-honest environment is secure in the standard model, while the protocol for the malicious environment is secure in the random oracle model. Our protocols obtain linear communication and computation overhead. We further implement different variants of our semi-honest protocol. Our experiments show that the asymptotic overhead of the protocol is affected by different constants. (In particular, the degree of the polynomials evaluated by the protocol matters less than the number of polynomials that are evaluated.) As a result, the protocol variant with the best asymptotic overhead is not necessarily preferable for inputs of reasonable size.
AB - We consider the problem of computing the intersection of private datasets of two parties, where the datasets contain lists of elements taken from a large domain. This problem has many applications for online collaboration. In this work, we present protocols based on the use of homomorphic encryption and different hashing schemes for both the semi-honest and malicious environments. The protocol for the semi-honest environment is secure in the standard model, while the protocol for the malicious environment is secure in the random oracle model. Our protocols obtain linear communication and computation overhead. We further implement different variants of our semi-honest protocol. Our experiments show that the asymptotic overhead of the protocol is affected by different constants. (In particular, the degree of the polynomials evaluated by the protocol matters less than the number of polynomials that are evaluated.) As a result, the protocol variant with the best asymptotic overhead is not necessarily preferable for inputs of reasonable size.
UR - http://www.scopus.com/inward/record.url?scp=84955414958&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84955414958&partnerID=8YFLogxK
U2 - 10.1007/s00145-014-9190-0
DO - 10.1007/s00145-014-9190-0
M3 - Article
AN - SCOPUS:84955414958
SN - 0933-2790
VL - 29
SP - 115
EP - 155
JO - Journal of Cryptology
JF - Journal of Cryptology
IS - 1
ER -