Multi-party private set union (MPSU) protocol enables $m$ $(m > 2)$ parties, each holding a set, to collectively compute the union of their sets without revealing any additional information to other parties. There are two main categories of MPSU protocols: The first builds on public-key techniques. All existing works in this category involve a super-linear number of public-key operations, resulting in poor practical efficiency. The second builds on oblivious transfer and symmetric-key techniques. The only existing work in this category is proposed by Liu and Gao (ASIACRYPT 2023), which features the best concrete performance among all existing protocols, despite its super-linear computation and communication. Unfortunately, it does not achieve the standard semi-honest security, as it inherently relies on a non-collusion assumption, which is unlikely to hold in practice. Therefore, the problem of constructing a practical MPSU protocol based on oblivious transfer and symmetric-key techniques in standard semi-honest model remains open. Furthermore, there is no MPSU protocol achieving both linear computation and linear communication complexity, which leaves another unresolved problem. In this work, we resolve these two open problems. We propose the first MPSU protocol based on oblivious transfer and symmetric-key techniques in the standard semi-honest model. This protocol is $4.9-9.3 \times$ faster than Liu and Gao in the LAN setting. Concretely, our protocol requires only $3.6$ seconds in online phase for 3 parties with sets of $2^{20}$ items each. We propose the first MPSU protocol achieving both linear computation and linear communication complexity, based on public-key operations. This protocol has the lowest overall communication costs and shows a factor of $3.0-36.5\times$ improvement in terms of overall communication compared to Liu and Gao.
翻译:多方隐私集合并集(MPSU)协议使得$m$个($m > 2$)参与方能够在不向其他方泄露任何额外信息的前提下,共同计算各自持有集合的并集。现有MPSU协议主要分为两类:第一类基于公钥技术构建。该类别所有现有方案均涉及超线性数量的公钥运算,导致实际效率低下。第二类基于不经意传输与对称密钥技术构建。该类别唯一现有方案由Liu和Gao提出(ASIACRYPT 2023),虽然具有超线性的计算与通信开销,但在所有现有协议中展现出最佳实际性能。然而该方案无法达到标准半诚实安全性,因其本质上依赖于实践中难以成立的非共谋假设。因此,在标准半诚实模型下基于不经意传输与对称密钥技术构建实用MPSU协议的问题仍未解决。此外,目前尚无同时实现线性计算复杂度与线性通信复杂度的MPSU协议,这构成了另一个悬而未决的问题。本工作成功解决了这两个开放性问题。我们提出了首个在标准半诚实模型下基于不经意传输与对称密钥技术的MPSU协议,该协议在局域网环境下的性能比Liu-Gao方案提升$4.9-9.3$倍。具体而言,对于3个参与方各持有$2^{20}$个集合元素的场景,我们协议的在线阶段仅需$3.6$秒。同时,我们提出了首个基于公钥运算且同时实现线性计算与线性通信复杂度的MPSU协议。该协议具有最低的整体通信开销,与Liu-Gao方案相比,整体通信量减少$3.0-36.5$倍。