We consider the private set union (PSU) problem, where two parties each hold a private set of elements, and they want one of the parties (the receiver) to learn the union of the two sets and nothing else. Our protocols are targeted for the unbalanced case where the receiver's set size is larger than the sender's set size, with the goal of minimizing the costs for the sender both in terms of communication volume and local computation time. This setting is motivated by applications where the receiver has significantly more data (input set size) and computational resources than the sender which might be realized on a small, low-power device. Asymptotically, we achieve communication cost linear in the sender's (smaller) set size, and computation costs for sender and receiver which are nearly-linear in their respective set sizes. To our knowledge, ours is the first algorithm to achieve nearly-linear communication and computation for PSU in this unbalanced setting. Our protocols utilize fully homomorphic encryption (FHE) and, optionally, linearly homomorphic encryption (LHE) to perform the necessary computations while preserving privacy. The underlying computations are based on univariate polynomial arithmetic realized within homomorphic encryption, namely fast multiplication, modular reduction, and multi-point evaluation. These asymptotically fast HE polynomial arithmetic algorithms may be of independent interest.

翻译：我们研究私有集合并集（PSU）问题，其中双方各自持有一个私有元素集合，并希望其中一方（接收方）能够获知两个集合的并集且不泄露其他信息。我们的协议针对非平衡场景设计，即接收方集合规模大于发送方集合规模，旨在最小化发送方在通信量和本地计算时间两方面的开销。该场景的典型应用是接收方拥有显著更多数据（输入集合规模）和计算资源，而发送方可能部署在小型低功耗设备上。在渐近意义上，我们实现了与发送方（较小）集合规模呈线性关系的通信开销，以及发送方和接收方计算开销分别与其各自集合规模近似呈线性关系。据我们所知，我们的算法是首个在此类非平衡场景下为PSU实现近似线性通信与计算开销的方案。我们的协议利用全同态加密（FHE）及可选的线性同态加密（LHE）来执行必要计算并保护隐私。底层计算基于在同态加密中实现的单变量多项式运算，包括快速乘法、模约简和多点求值。这些渐近快速的多项式同态加密运算算法可能具有独立的研究价值。