The kidney exchange problem (KEP) seeks to find possible exchanges among pairs of patients and their incompatible kidney donors while meeting specific optimization criteria such as maximizing the overall number of possible transplants. In practice, patient-donor pairs register with so-called kidney exchange platforms which determine exchange cycles in a centralized fashion. Such a centralized approach raises numerous security concerns. Thus, several privacy-preserving protocols for solving the KEP have been proposed recently. However, the protocols known to date lack scalability in practice since the KEP is an NP-complete problem. We address this issue by proposing a novel privacy-preserving protocol which computes an approximate solution to the KEP that scales well for the large numbers of patient-donor pairs encountered in practice. In contrast to the only other existing protocol that computes an approximate solution to the KEP, our protocol is entirely data oblivious and it exhibits a far superior run time performance without suffering a loss in the quality of the approximation. As a second contribution, we simulate the application of our novel protocol as part of a kidney exchange platform, where patient-donor pairs register and de-register over time and exchanges are determined on a regular basis. In this dynamic setting, the application of our novel privacy-preserving approximation protocol yields a larger number of transplants over time than using the best known privacy-preserving protocol for solving the KEP. Our simulation further shows that the difference between the number of transplants found when using our novel protocol in this dynamic setting compared to the non-privacy-preserving state-of-the-art approach is negligible in practice.