We consider the private set union (PSU) problem, where two parties each hold a private set of elements, and they want one of the parties (the receiver) to learn the union of the two sets and nothing else. Our protocols are targeted for the unbalanced case where the receiver's set size is larger than the sender's set size, with the goal of minimizing the costs for the sender both in terms of communication volume and local computation time. This setting is motivated by applications where the receiver has significantly more data (input set size) and computational resources than the sender which might be realized on a small, low-power device. Asymptotically, we achieve communication cost linear in the sender's (smaller) set size, and computation costs for sender and receiver which are nearly-linear in their respective set sizes. To our knowledge, ours is the first algorithm to achieve nearly-linear communication and computation for PSU in this unbalanced setting. Our protocols utilize fully homomorphic encryption (FHE) and, optionally, linearly homomorphic encryption (LHE) to perform the necessary computations while preserving privacy. The underlying computations are based on univariate polynomial arithmetic realized within homomorphic encryption, namely fast multiplication, modular reduction, and multi-point evaluation. These asymptotically fast HE polynomial arithmetic algorithms may be of independent interest.

翻译：我们考虑私有集合并（PSU）问题，其中两方各自持有私有的元素集合，且希望一方（接收方）学习两个集合的并集而不泄露任何其他信息。我们的协议针对非平衡场景设计，即接收方的集合规模大于发送方，目标是最小化发送方的通信开销和本地计算时间。该场景源于实际应用：接收方拥有显著更多的数据（输入集规模）和计算资源，而发送方可能由小型低功耗设备实现。渐近地，我们实现了通信成本与发送方（较小）集合规模呈线性关系，发送方和接收方的计算成本与各自集合规模近线性相关。据我们所知，这是首个在非平衡PSU场景中实现近线性通信与计算量的算法。我们的协议利用全同态加密（FHE），并可选地使用线性同态加密（LHE）在保护隐私的同时执行必要计算。底层计算基于同态加密框架内的单变量多项式算术，包括快速乘法、模归约和多点求值。这些渐近快速的同态加密多项式算术算法可能具有独立的研究价值。