Privacy Protection Based on Special Identifiers of Intersection Base Computing Technology

Abstract

Private Set Intersection Cardinality (PSI-CA) and Private Set Union Cardinality (PSU-CA) are two cryptographic primitives whereby two or more parties are able to obtain the cardinalities of the intersection and the union of their respective private sets, and the privacy of their sets is preserved. In this paper, we propose a new privacy protection intersection cardinality protocol, which can quickly deal with set inequality and asymmetry problems and can obtain 100% correct results, and, in terms of efficiency, we are much faster than using the polynomial method. Our protocol adopts the Paillier addition homomorphic encryption scheme and applies the identifier guidance technology, using identifier determination, to the semi-homomorphic encryption ciphertext environment, excluding a large number of different options and quickly finding the base of the intersection of two sides.

1. Introduction

In today’s digital age, more and more companies are reaping great rewards by collecting data and using them based on their own legitimate needs, such as intelligent AD recommendation systems, privacy data queries, and more. In the above application scenarios, the user’s personal privacy is difficult to protect, and a large amount of personal information will be disclosed during the process, such as various marketing activities, so data privacy computing technology becomes more and more important. In various countries around the world, legislation has been enacted to protect data privacy security, such as the HIPAA, GLBA, COPPA, DPP, and so on, so data privacy computing technology has gradually boomed in the current academic research.

However, at present, it is either difficult to guarantee security with the international privacy protection protocol, or its efficiency is particularly low. If the calculation costs are too large, they will bring a major burden to the user’s privacy protection process, and if security is difficult to guarantee, then the privacy protection will become a joke. Therefore, with a reasonable security protocol, there will be huge benefits.

The two-party PSI problem is the most basic kind of problem in the two-party computing model of security. In the two-party PSI problem, we assume that the two parties are Alice and Bob, and we assume that X and Y are any set of strings held by the two parties. At the completion of a series of interactions, we require that at least one party is able to obtain the intersection XY of both parties, and that no one participant is able to know the elements of the other party’s set.

The two-party PSI-CA/PSU-CA problem is an extension of the two-party PSI problem. One only needs to calculate the cardinality of the intersection of the two parties, without revealing any elements of the other party’s set in the process, and this problem is useful for many privacy computing scenarios in reality. For example, in a social network, two users can calculate their degree of social compatibility by comparing the proportion of their mutual friends without revealing their specific friends. In health, customers with private genetic data can confidently interact with public risk genetic databases to know their probability of contracting a disease. The purpose of this article is to discuss the related protocols for solving the PSI-CA/PSU-CA problem.

In general, all privacy computing problems can theoretically be solved with common secure computing protocols (e.g., GMW protocol [1], obfuscated circuit [2]).But these generic schemes require high computing and communication costs. Therefore, for specific secure computing problems, we usually use dedicated efficient protocols. Specifically, for solving the PSI-CA/PSU-CA problem, from the accuracy of the output results to classify, we can be divided into the following two categories.

• The first type of protocol is the perfect computation protocol, which outputs accurate results. Taking the work in literature [3,4,5,6,7,8] as an example, it uses the evaluation method of fuzzy polynomials, selects a polynomial to represent the input set, and combines the intersection of the evaluation set using homomorphic encryption technology.
• The second type of protocol is the imperfect calculation protocol, and the output result of the protocol [9,10] allows a certain amount of error. When faced with a small amount of data, it is often difficult to strike a good balance between efficiency and availability with this type of protocol, and it is often abandoned because of the large errors.

Our contribution:

Although imperfect computing protocols have good applications in many application scenarios, imperfect protocols tend to perform particularly poorly for certain small data sets, because in the case of small data sets, imperfect computing protocols may lead to consistent matching errors at a certain probability, so as to completely affect the final results. The efficiency gap between an imperfect protocol and a perfect protocol is not particularly obvious, but the accuracy is obviously different. Therefore, this paper constructs a class of perfect computing protocol for small data sets. Our contributions are as follows:

• We propose a new privacy protection intersection cardinality protocol, and this protocol can quickly obtain the union of both sides.
• This protocol has extremely strong compatibility for the intersection of two sets of elements, it can accept any type of data, without knowing any information from either side, and can be 100% accurate in calculating the intersection base of both privacy sets.
• The protocol only needs two rounds of communication to complete, and the efficiency in the offline phase is much better than for the polynomial intersection cardinality protocol.

This paper is divided into five parts, of which the first part is the introduction part, which mainly introduces the background and development prospects of the paper, as well as the contribution made by this paper. The second part introduces some preparatory knowledge for this article, including giving a security definition, and some important knowledge for this article. The third part is mainly the protocol design, which is divided into two stages, which are the offline stage and online stage. The fourth part is an efficiency analysis, which explains the contribution of this paper using qualitative and quantitative analysis. The fifth part is a summary and prospects.

2. Materials and Methods

2.1. Security Definition

Semi-honest ideal reality model: Executing the protocol under security parameter $\kappa$, each party $P_i$ will honestly execute the agreement using their own private input $x_i$. Let $V_i$ be the final perspective of participant $P_i$ and let $y_i$ be the final output of the player: ${\mathrm{Real}}_{\pi }(\kappa ,\mathcal{C};x_1,\dots ,x_n)$ input $P_i$

$$\begin{gathered} Idea{l}_{\mathcal{F},\mathrm{Sim}}(\kappa ,\mathcal{C};x_1,\dots ,x_n): \mathrm{compute} (y_1,\dots ,y_n)\leftarrow \mathcal{F}(x_1,\dots ,x_n) \\ \mathrm{Input} \mathrm{Sim}(\mathcal{C},\{(x_i,y_i)|i\in \mathcal{C}\}),(y_1,\dots ,y_n) \end{gathered}$$

If the perspective of the attacker in the ideal world is indistinguishable from the perspective of the attacker in the real world, then the protocol is safe from a semi-honest attacker.

Definition 1.

Given the protocol $\pi$, if there exists an emulator Sim, such that for all subsets of the compromised participant set $\mathcal{C}$, for all inputs $x_1,\dots ,x_n$, the probability distribution

$${\mathrm{Real}}_{\pi }(\kappa ,\mathcal{C};x_1,\dots ,x_n) and {\mathrm{Ideal}}_{\mathcal{F},\mathrm{Sim}}(\kappa ,\mathcal{C};x_1,\dots ,x_n)$$

is (under $\kappa$) indistinguishable, then the protocol is safely implemented $\mathcal{F}$in the presence of a semi-honest attacker.

2.2. Paillier Homomorphic Encryption System

Paillier homomorphic encryption [11]: Paillier homomorphic encryption is a public key encryption method that satisfies the addition of homomorphism, and the scheme has been proved secure, specifically described as follows:

Key generation: Given the security parameter $\kappa$, generate two $\kappa$ primes $p,q \mathrm{and} p\ne q$ (this property guarantees that two primes have the same length), and compute $N=pq$, $\lambda =lcm(p-1,q-1)$.

Key generation: Given safety parameter $\kappa$, generate two prime numbers $p,q \mathrm{and} p\ne q$ that are particularly specifically large $\kappa$ (this property ensures that two prime numbers have the same length), and compute $N=pq$, $\lambda =lcm(p-1,q-1)$. In defining the Fractional Division Functions $L(x)=\frac{x-1}{N}$, select a positive integer $g\in Z_N^{*}(\mathrm{such} \mathrm{as}: g=n+1)$, making $\gcd (L(g^{\lambda }\mathrm{mod}{N}^2),N)=1$. Then, the public key of the system is pk = $(g,N)$, and the private key is sk = $\lambda$. Paillier’s plaintext space and ciphertext space are $Z_N$ and $Z_{N^2}^{*}$. In the following text, the encryption algorithm and decryption algorithm are denoted as E and D.

Encryption process: To encrypt plaintext $m\in Z_N$, select the random number $r\in Z_N^{*}$, and calculate the ciphertext:

$$C=g^m{r}^N\mathrm{mod}{N}^2$$

Decryption process: For the ciphertext $C\in Z_{N^2}^{*}$, calculate:

$$m=\frac{L(c^{\lambda }\mathrm{mod}{N}^2)}{L(g^{\lambda }\mathrm{mod}{N}^2)}\mathrm{mod}N$$

Additive homomorphism:

$$\begin{array}{l}E(m_1)\times E(m_2)=g^{m_1}{r}_1^N{g}^{m_2}{r}_2^N\mathrm{mod}{N}^2\\ \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em} =g^{m_1+m_2}{(r_1{r}_2)}^N\mathrm{mod}{N}^2\\ \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em} =E(m_1+m_2)\mathrm{mod}{N}^2\end{array}$$

Scalar multiplication: $E{(m_1)}^{m_2}\mathrm{mod}{N}^2=E(m_1{m}_2)$.

2.3. Learning Framework Based on Privacy Protection

There is a lot of work in the process of privacy protection to construct a comprehensive and open privacy protection learning framework, among which the most famous framework of MPC mainly has two categories: one is the confusion circuit scheme proposed by the Mr. PSI protocol, which is a part of the above two protocols, such as in [12,13,14,15], etc. It is a privacy protection protocol constructed using a general framework. Although the general-purpose framework is not as efficient as the dedicated protocol, it still has great advantages in terms of operational stability. For the current research on secure multi-party computing frameworks, see

Table 1. Related mixed-protocol MPC frameworks with N parties, threshold t, and active (●) or passive (○) security.

Framework	N	t	Security	Protocols	License
ABY [16]	2	1	○	A/B/Y	Lgpl-3.0
PrivC [17]	2	1	○	A/B	--
ABY3 [18]	3	1	● or ○	A/B/Y	No license
Sharemind [19]	3	1	● or ○	A/B	Payware3
Trident [20]	4	1	●	A/B/Y
MP-SPDZ [21]	$\ge$2	N − 1	● or ○	A/B or Y	MIT-like
MOTION [22]	$\ge$2	N − 1	○	A/B/Y	MIT

.

2.4. Computer Coding

Computer coding refers to the mapping of plaintext information to ciphertext information, which is simply based on a known code, according to certain rules, and is converted into a string of numbers such as 0 and 1. Such coding technology is to facilitate computers recognizing the corresponding information because computer language is not interlinked with our human language. In order to enable computers to better recognize our language, people have formulated a set of rules, and the rules are combined with fixed lengths to represent numbers and characters. Thus was formed the earliest ASCII encoding rules (American Standard Code for Information Interchange). With the popularization of computing, computer coding schemes have also experienced development from localized coding to international coding, and finally formed Unicode’s unified coding scheme.

3. Protocol Process and Proof of Security

Problem description: The two-party PSU/PSI-CA problem is an extension of the two-party PSI problem, which requires the final calculation of $\left|X\cup Y\right|/\left|X\cap Y\right|$ without revealing any other information (including any element information on oneself and the size of one’s own set). This problem corresponds to many privacy computing scenarios in reality: for example, in social networks, two users can compare the proportion of their identical friends without disclosing their specific friend information to calculate social relationship overlap. In the field of health, customers holding private genetic data can confidently interact with public risk gene databases, thereby knowing their probability of contracting a certain disease. This agreement aims to discuss and solve the PSU-CA/PSI-CA problem.

Scheme idea: Based on the above problem description, we know that the application of this protocol may face situations where the number of sets is not equal and the security requirements are very high. In such cases, we pay more attention to the non equilibrium of sets and the corresponding security. Following this idea, we propose using appropriate encoding protocols and semi-homomorphic encryption methods to solve our real-world problems. By using the appropriate data encoding protocols, complex data can be transformed into binary data that are convenient for computation using internationally recognized computer encoding protocols. The detailed operation of the protocol in this paper is shown in Figure 1.

• The PSI-CA Construction of This Article

In this section, we will provide protocol construction and related proofs for solving the PSU-CA and PSI-CA problems. Firstly, we provide two protocol constructions (Section 3.1) to solve the PSU-CA and PSI-CA problems, and then provide their correctness proofs (Section 3.2).

3.1. Protocol Construction

In the execution of the two protocols, we may consider setting the participants as Alice and Bob, each holding a set of X and Y. Our agreement requires both parties to input elements composed of the same set of codes, and the generation process is as follows:

• Alice and Bob encode their elements according to the same encoding rules, converting the original data into binary data. Please refer to Section 2.4 for the specific conversion methods.
• Alice and Bob execute an online interaction protocol, ultimately obtaining ${\left|X\cap Y\right|}^{*}$.

3.1.1. Offline Phase

Alice, as the sender, and Bob, as the receiver, calls the method shown in Section 2.4 for encoding, maps all Alice’s data into binary data, and calculates the number of bits corresponding to the binary data. Offline operation is shown in Figure 2, online operation is shown in Figure 3.

The meaning of the above image:

Alice

Calculate the number of bites $x_i$ for ${\lambda }_i$

Encrypt $x_i$ to obtain $E(-x_i)$

Store ${\lambda }_i$ and $E(-x_i)$ in the list to obtain ${\alpha }_i=[{\lambda }_i,E(-x_i)]$

Putting all ${\alpha }_i$ into a list gives the set $\alpha =[{\alpha }_1,{\alpha }_2,\dots ,{\alpha }_m]$

Bob

Compute $y_j$’ bite ${\pi }_j$

Calculate the number of bites $y_j$ for ${\pi }_j$

Store ${\pi }_j$ and $E(y_j)$ in the list to obtain ${\beta }_i=[{\pi }_j,E(y_j)]$

Putting all ${\beta }_j$ into a list yields the list $\beta =[{\beta }_1,{\beta }_2,\dots ,{\beta }_n]$

3.1.2. Interaction Phase

Figure 3. PSI-CA protocol.

Figure 3. PSI-CA protocol.

3.2. Correctness of the Protocol

According to the protocol, for each element $x_i$ of Alice, the result of encryption with the Paillier system shown in Section 2.2 is:

$$A_i=E(-x_i)=g^{-x_i}{r}_i{}^N\mathrm{mod}{N}^2$$

Alice then sends the encrypted data, along with the corresponding data bits ${\lambda }_i$, to Bob.

Bob encrypts $y_j$ using the public key given by Alice (as shown in the encryption process in Section 2.2 above) and obtains

$$B_j=E(y_j)=g^{y_j}{r}_j{}^N\mathrm{mod}{N}^2$$

If ${\lambda }_i\ne {\pi }_j$, that means that the number of bits in the same encoding is different: it means that the two data must not be the same and must not be common elements of the two sets.

If ${\lambda }_i={\pi }_j$, the two elements are likely to be the same, so then $A_i$ and $B_j$ are added homomorphically (as shown in Section 2.2), i.e.,

$$v_i\prime =A_i\times B_j=E(-x_i)\times E(y_j)=E(-x_i+y_j)$$

Bob randomly picks a random number $r_s\in N^{*}$ for calculation:

$$v_t={(v_t\prime )}^{r_s}=g^{r_s\times (-x_i+y_j)}{(r_i{r}_j)}^{r_{s}N}\mathrm{mod}{N}^2$$

And Bob sends $\mathrm{V}$ to Alice, who decrypts it and obtains $E(x_i\prime )=g^{x_i\prime }{r}_i{}^N\mathrm{mod}{N}^2$

$$D(v_t\prime )=\frac{L((v_t\prime )\mathrm{mod}{N}^2)}{L(g^{\lambda }\mathrm{mod}{N}^2)}\mathrm{mod}N=r_s(-x_i+y_j)$$

If $x_i \mathrm{and} y_j$ are equal, then $D(v_i\prime )=0$.

If $x_i$ and $y_j$ are not equal, then $D(v_t\prime )\ne 0$.

Therefore, Alice only needs to calculate the value equal to zero in V, that is, the number of the same elements on both sides, and Alice obtains the base number of the intersection of the intersection of the two sides, so the agreement is correct.

3.3. Protocol Security

Theorem 1.

The privacy intersection cardinality protocol PSI-CA is secure.

Proof of Theorem 1.

Under a semi-honest model, this theorem is proved by constructing the simulators $S_1$ and $S_2$ to make Equations (1) and (2) hold, in the protocol PSI-CA

$$vie{w}_1^{\pi }(X,Y)=\{X,{\lambda }_i,r_i,E(W),f_1(X,Y)\}$$

(1)

$$vie{w}_2^{\pi }(X,Y)=\{Y,{\pi }_j,r_j,r_t,E(A),f_2(X,Y)\}$$

(2)

where X and Y are the input from Alice and Bob, ${\lambda }_i$ is the bite number of $x_i$, $r_i$ is the random number chosen by Alice during encryption, ${\pi }_j$ is the bite number of $y_j$, and $r_j$ and $r_t$ are the random numbers chosen by Bob after different encryption operations, where $E(A)$ refers to the ciphertext information sent by Alice to Bob. We also have the ciphertext message that Bob sends to Alice, while $f_1(X,Y) and f_2(X,Y)$ is the output received by Alice and Bob, respectively.

Firstly, simulator $S_1$ is constructed to simulate $vie{w}_1^{\pi }(X,Y)$; the $S_1$ simulation process is as follows:

• Accept input $(X,f_1(X,Y))$; based on the values of $f_1(X,Y)$, select set $Y\prime =\{y_1\prime ,y_2\prime ,\dots ,y_n\prime \}$, $f_1(X,Y\prime )=f_1(X,Y)$, and let $X\prime =\{-x_1,-x_2,\dots ,-x_m\}$.
• The $S_1$ encryption set $X\prime$ obtains $E(X\prime )=\{E(-x_1),E(-x_2),\dots ,E(-x_m)\}$ and calculates $v_t\prime ={(E(-x_i)\times E(y_j\prime ))}^{r_s}\mathrm{mod}{N}^2$.
• Where $S_1$ gives the element of the encrypted set $E(W)$ as $v_t\prime$$\left(t\in \{1,2,\dots ,n\times m\}\right)$, to decrypt it, by calculating the number of zero elements, you can judge the number of intersections of the two sides, and obtain the corresponding result. In protocol execution, $vie{w}_1^{\pi }(X,Y)=\{X,r_i,E(W),f_1(X,Y)\}$:

  $$S_1(X,f_1(X,Y))=\{X,r_i,E(W\prime ),f_1(X,Y\prime )\}$$

Because $E(W)=\{v_1\prime ,\dots ,v_2\prime ,\dots ,v_t\prime ,\dots ,v_{n\times m}\prime \}(t\in \{1,2,\dots ,n\times m\})$ is created by Bob based on the $E(X\prime )$ sent by Alice, the $E(Y)$ to which the individual belongs, and the random number $r_s$, although Alice has a private key for decryption, she can only know that the decrypted information is composed of (0,random number). It is impossible to know which ciphertext can be decrypted to obtain 0 or a random number. So, we have $E(W)\stackrel{c}{\equiv }E(W\prime )$, and because $f_1(X,Y)=f_1(X,Y\prime )$, so we have:

$${\{S_1(X,f_1(X,Y))\}}_{X.Y}\stackrel{c}{\equiv }{\{vie{w}_1^{\pi }(X,Y)\}}_{X,Y}$$

Secondly, the simulator $S_2$ is constructed to simulate $vie{w}_2^{\pi }(X,Y)$. The simulation process of $S_2$ is as follows:

• Accept input $(Y,f_2(X,Y))$, according to the values of $f_2(X,Y)$, select the set $X\prime =\{x_1\prime ,x_2\prime ,\dots ,x_n\prime \}$, $f_2(X\prime ,Y)=f_2(X,Y)$, and let $X^{\alpha }=\{-x_1\prime ,-x_2\prime ,\dots ,-x_m\prime \}$.
• The $S_2$ encrypted set $X^{\alpha }$ gains $E(X^{\alpha })=\{E(-x_1\prime ),E(-x_2\prime ),\dots ,E(-x_m\prime )\}$ and calculates $v_t\prime ={(E(-x_i\prime )\times E(y_j\prime ))}^{r_s}\mathrm{mod}{N}^2$.
• $S_2$ obtains the encryption set $E(A)=E(X^{\alpha })$, $S_2$ decrypts it, and the corresponding result can be obtained by calculating the number of zero elements and judging the number of intersections between the two sides. In the execution of the agreement, $vie{w}_2^{\pi }(X,Y)=\{X,r_j,r_s,E(W),f_1(X,Y)\}$, while

  $$S_2(X,f_2(X,Y))=\{X,r_j,r_s,E(A\prime ),f_2(X\prime ,Y)\}$$

Since $E(A)$ is encrypted by Alice and Bob has no private key, according to the semantic security of the encryption algorithm, for Bob, $E(A)\stackrel{c}{\equiv }E(A\prime )$. While Bob obtains ${\lambda }_i$ for the data bit sent by Alice, the probability that Bob can infer Alice’s data is $\frac{1}{2^{{\lambda }_i}}$, and Bob cannot infer the real data by other means. Further, because $f_2(X,Y)=f_2(X\prime ,Y)$, hence, ${\{S_2(X,f_2(X,Y))\}}_{X.Y}\stackrel{c}{\equiv }{\{vie{w}_2^{\pi }(X,Y)\}}_{X,Y}$.

Therefore, the protocol is secure. □

4. Discussion

In this section, we will conduct theoretical analysis and specific experiments to compare our protocol with the protocol [23] according to different indicators, in order to demonstrate that our protocol has a good overall performance and is suitable for a wider range of application scenarios.

4.1. Theoretical Evaluation

Table 2. Performance analysis.

Protocol	Time Complexity	Space Complexity	Rounds
The text’s	$O\left(n\right)~O(mn)$	$O\left(n\right)~O(mn)$	2
Reference [23]’s protocol	$O\left(n^2\right)$	$O\left(n^2\right)$	6

presents a qualitative performance comparison, where m and n represent the sizes of the two sets, respectively. However, according to our research, in fact, n in the [23] protocol depends on the item with the highest number of elements in the two sets.

In literature [23], Alice sends Bob the encryption polynomial $E_{pk}(f)$, which is one round; Bob sends Alice the encryption polynomial $E_{pk}(g)$, which is one round; Alice sends Bob the cryptographic $E_{pk}({\phi }_1)$, in which ${\phi }_1=f\times r_1+g\times r_2$; and Bob sends Alice the encryption polynomial $E_{pk}(\phi )$, where $\phi ={\phi }_1+{\phi }_2$, ${\phi }_2=f\times s_1+g\times s_2$, which is one round. Because threshold decryption is used and each participant receives $f\times r+g\times s$, at the end of the protocol, it can be assumed that Alice and Bob send part of their private keys to each other for two rounds. So, the total communication/discussion involves six rounds. More importantly, all participants in the above model finally obtain $f\times r+g\times s$, and the degree of this polynomial is $\max \left\{\right|X|,|Y\left|\right\}$. Moreover, according to the most advanced complexity-solving polynomial methods, its complexity is difficult to decrease rapidly.

Newton’s iterative method: usually has linear convergence and a complexity of about $O(n^2)~O(n^3)$, where n is the order of the polynomial.

Dichotomy: has convergence and its complexity is about $O(n\log (M))$, where n is the order of the polynomial and M is the range of values of the polynomial roots.

The Durand–Kerner method is convergent and has a complexity of about $O(kn)$, where k is the number of iterations and n is the order of the polynomial.

Baistow method: usually has quadratic convergence and the complexity is about $O(n^2)~O(n^3)$, where n is the order of the polynomial.

And the above method will increase the complexity as the degree of the polynomial increases.

For the protocol in this article, Alice sends Bob encrypted data for one round, and Bob sent Alice encrypted data for one round. So, the total number of communication rounds is two. Moreover, since we determine and solve based on the number of bits of information the data from both parties, this greatly improves the efficiency of encryption and decryption. Using this protocol, the complexity that may be obtained based on different data may not be the same. Although our protocol’s efficiency is not currently the highest known, it is optimal for achieving accurate cardinality testing.

4.2. Experimental Evaluation

We have implemented the above protocols separately to compare their specific performance. Both protocols were implemented using the Python language, and the testing platform was equipped with a Core (TM) i7-8750H CPU@2.20 GHz 2.21 GHz Model processor (Intel Corporation, Santa Clara, CA, USA) and 16 GB 1867 MHz DDR3 memory. This test was completed in a LAN network environment with low network latency. For the following two protocols, we implemented them using the Python language. Our implementation is divided into two stages: one is the online communication stage and the other is the offline operation stage. For the above two protocols, we have uniformly ignored the process of generating and interacting with the sender’s key, and the length of our key is set to 3072 bits, which can fully ensure our information security. In the offline stage [23], the offline stage mainly deals with polynomial roots and the corresponding encryption and decryption operations. Our protocol mainly handles operations such as encryption, decryption, and scalar multiplication encryption during the offline phase. In the online stage, Ref. [23] mainly obtains encrypted polynomials through the interaction process between both parties and can obtain intersections. However, our protocol mainly matches by specific identifiers, finds approximately identical terms, and sends them to the other party. The specific performance is shown in

Table 3. Comparison of online time and offline time of different protocols.

$\left(\mathit{X},\mathit{Y}\right)$	Protocol	Online Time (s)	Offline Time (s)	Total Time
(100,100)	Text’s protocol	83.39	166.78	250.17
	Reference [23]’s protocol	83.33	10,021.83	10,106.16
(100,300)	Text’s protocol	88.64	265.92	354.56
	Reference [23]’s protocol	265.92	90,177.28	90,265.92
(100,500)	Text’s protocol	73.82	295.28	369.10
	Reference [23]’s protocol	369.10	250,221.46	250,590.56

.

After analyzing the above table, we found that the effect of our protocol in the offline stage is far superior to that of [23]. In order to see the specific changes in the two protocols more directly, we specially drew Figure 4, in which we used the red line to represent the offline calculation stage of our protocol, and the blue line to describe the offline calculation stage [23]. In this experiment, the number of elements in X set is kept constant at 50, and the number of elements in Y set is 1 to 10 times that of X, so the X-axis represents the ratio of the number of elements in the X and Y sets, and the Y-axis represents the corresponding running time. It is obvious from Figure 4 that our protocol efficiency is relatively efficient.

Our protocol has been tested and it was found that when our protocol is faced with an imbalance of two elements, the effect of offline computing is far better than the equilibrium situation. Moreover, after some modifications to our protocol, we can quickly find the intersection elements. We only need to add a new guide to Alice’s element in the pre-processing stage, and we can change to a new encryption, which can only be seen by ourselves, and send the element to Bob. When Bob calculates the element, it is only necessary to form a list with the guide to participate in the operation, and send it to Alice. Then, Alice calculates the 0 element, and can find the corresponding set intersection element through the corresponding guide of the 0 element.

5. Conclusions

This article proposes a new perfect computing protocol to solve the PSI-CA/PSU-CA problem and proves its security in a semi-honest model. It uses Paillier semi-homomorphic encryption technology, and compared with the most advanced protocol A, this protocol has fewer constant rounds of communication and a lower computational complexity in the offline stage, and has a wide range of application scenarios. In addition, the protocol has more room for optimization in the future, and the computing efficiency of the protocol should be improved on the premise of ensuring correctness. Can the protocol be combined with other advanced technologies to improve the computing efficiency?