Mistakes of A Popular Protocol Calculating Private Set Intersection and Union Cardinality and Its Corrections

TL;DR

This paper identifies fundamental errors in a widely-used 2012 protocol for private set intersection and union cardinality, provides a corrected version, and offers new security proofs and experimental validation.

Contribution

It uncovers critical mistakes in a popular PSI-CA protocol, proposes a corrected protocol, and supplies updated security analysis and experimental results.

Findings

Original protocol contains fundamental correctness errors.

Corrected protocol achieves accurate PSI-CA results.

New security proof validates the corrected protocol.

Abstract

In 2012, De Cristofaro et al. proposed a protocol to calculate the Private Set Intersection and Union cardinality(PSI-CA and PSU-CA). This protocol's security is based on the famous DDH assumption. Since its publication, it has gained lots of popularity because of its efficiency(linear complexity in computation and communication) and concision. So far, it's still considered one of the most efficient PSI-CA protocols and the most cited(more than 170 citations) PSI-CA paper based on the Google Scholar search. However, when we tried to implement this protocol, we couldn't get the correct result of the test data. Since the original paper lacks of experimental results to verify the protocol's correctness, we looked deeper into the protocol and found out it made a fundamental mistake. Needless to say, its correctness analysis and security proof are also wrong. In this paper, we will point out this PSI-CA protocol's mistakes, and provide the correct version of this protocol as well as the PSI protocol developed from this protocol. We also present a new security proof and some experimental results of the corrected protocol.