Multi-party private set union (MPSU) protocol enables $m$ $(m > 2)$ parties, each holding a set, to collectively compute the union of their sets without revealing any additional information to other parties. There are two main categories of MPSU protocols: The first builds on public-key techniques. All existing works in this category involve a super-linear number of public-key operations, resulting in poor practical efficiency. The second builds on oblivious transfer and symmetric-key techniques. The only existing work in this category is proposed by Liu and Gao (ASIACRYPT 2023), which features the best concrete performance among all existing protocols, despite its super-linear computation and communication. Unfortunately, it does not achieve the standard semi-honest security, as it inherently relies on a non-collusion assumption, which is unlikely to hold in practice. Therefore, the problem of constructing a practical MPSU protocol based on oblivious transfer and symmetric-key techniques in standard semi-honest model remains open. Furthermore, there is no MPSU protocol achieving both linear computation and linear communication complexity, which leaves another unresolved problem. In this work, we resolve these two open problems. We propose the first MPSU protocol based on oblivious transfer and symmetric-key techniques in the standard semi-honest model. This protocol is $4.9-9.3 \times$ faster than Liu and Gao in the LAN setting. Concretely, our protocol requires only $3.6$ seconds in online phase for 3 parties with sets of $2^{20}$ items each. We propose the first MPSU protocol achieving both linear computation and linear communication complexity, based on public-key operations. This protocol has the lowest overall communication costs and shows a factor of $3.0-36.5\times$ improvement in terms of overall communication compared to Liu and Gao.

翻译：多方隐私集合并集（MPSU）协议允许$m$个（$m > 2$）参与方，各自持有一个集合，在不向其他方泄露任何额外信息的情况下，共同计算这些集合的并集。现有的MPSU协议主要分为两类：第一类基于公钥技术构建。该类别中的所有现有方案均涉及超线性数量的公钥操作，导致实际效率低下。第二类基于不经意传输与对称密钥技术构建。该类别中唯一的现有方案由Liu和Gao（ASIACRYPT 2023）提出，尽管其计算与通信复杂度为超线性，但在所有现有协议中具有最佳的实际性能。遗憾的是，该方案未能达到标准半诚实安全性，因其本质上依赖于非共谋假设，而该假设在实践中往往难以成立。因此，在标准半诚实模型中，基于不经意传输与对称密钥技术构建实用的MPSU协议仍是一个悬而未决的问题。此外，目前尚无同时实现线性计算与线性通信复杂度的MPSU协议，这构成了另一个待解决的难题。本文中，我们成功解决了这两个开放性问题。我们提出了首个在标准半诚实模型下基于不经意传输与对称密钥技术的MPSU协议。该协议在局域网（LAN）环境下的性能比Liu和Gao的方案快$4.9-9.3$倍。具体而言，对于三个参与方各持有$2^{20}$个集合元素的情况，我们的协议在线阶段仅需$3.6$秒。同时，我们提出了首个基于公钥操作、同时实现线性计算与线性通信复杂度的MPSU协议。该协议具有最低的总通信开销，与Liu和Gao的方案相比，总通信量提升了$3.0-36.5$倍。