3.1 Network Model

There are three entities in the intersection set computation, namely: an entity A, an entity B, and a computation server C. Upon receiving the sets from A and B, C will compute and return the intersection sets to A and B. For privacy protection, A and B conduct their respective computations to conceal the original set prior to sending to C. C conducts the computation of PISC over the concealed sets and returns information on the intersection of original sets.

We denote the set from A to C, the set from B to C, the the intersection set from C to A and B, as Set_A, Set_B, and Set_C, respectively. Thus, the basic logic flow in network model can be simplified as follows:

Msg1) A → C : Set_A, where x → y : z denotes a message z being sent from entity x to entity y.

Msg2) B → C : Set_B;

Msg3) C → A : Set_C, C → B : Set_C.

It is worth noting that Set_A and Set_B are concealed sets of the original sets, and Set_C can be redirected to the intersection of the original sets only at A and at B upon receipt.

3.2 Attack Model

We assume that the communication channels between entities and the server are protected by standard security mechanisms (e.g., encryption and integrity protection) at link layers (e.g., IEEE802.11i and CDMA); thus, attackers who can sniff packets are beyond the scope of this paper. In this paper, we focus on adversaries for privacy leakage at server side. In this context, we point out the following potential attacks, and we denote the adversary as Adv.

Definition Set Reveal Attack (Adv_sra). The adversary reveals the privacy of entity A and entity B from observing Set_A and Set_B. Roughly speaking, H(x) = H(x|Set_A, Set_B), where H is the entropy function and x is any information about A or B.

In other words, entity A and entity B present Set_A and Set_B to server C for discovering of the intersection members. As the server C is not entirely trustworthy, the presenting sets should not reveal the privacy of A or B. Thus, Set_A and Set_B must be transformed from the original sets to the concealed sets for further intersection computation. That is, Set_A and Set_B that are presented to the server C must not leak the privacy of entity A and entity B, respectively. In the tradition reductionist approach [22–24], the adversary we consider in this paper has an upper bound in computational capabilities (i.e., a probabilistic polynomial-time turing machine—PPTM).

Adv_sra captures the basic security notion, and the security can be achieved by some transformations guaranteeing computational secrecy. However, we observe that if sets presented to untrustworthy servers are “linkable”, it may also compromise the privacy of entity A (or B). This is because the adversary at the untrustworthy server can discover that entity A (or B) has conducted the same behavior more frequently than others, the interests or preference at entity A (or B) can then be inferred by the adversary (e.g., purchasing certain merchandise such as milk powder more frequently than others). We coin such an attack against the PISC as a Set Linkage Attack.

Definition Set Linkage Attack (Adv_sla). The adversary can successfully guess that at least one item in Set_A (or Set_B) in one round is the same as another entity in a previous round. Roughly speaking, Observing , where Set_A and are in two distinct rounds.

For example, after the adversary observes Set_A in one round and in another round, the adversary can link one member in Set_A to another member in . That is, the adversary can successfully guess there exists a same member in both Set_A and , which can compromise the privacy of that particular entity in some situations.

A more relaxed notion is to assume server C is semi-trustworthy (also known as honest-but-curious adversary). That is, the computation on server C for intersection set computation (mathematically) is trustworthy (i.e., correctly computed), but the adversary on server C may seek to infer the privacy of entity A and entity B by observing Set_A and Set_B. Here, the computation functionality for intersection set has to be trustworthy as a prerequisite condition; otherwise, we will not be able to achieve privacy-aware intersection set computation.

Thus, the privacy requirements are stated as follows:

Definition . In the presence of Adv_sra and Adv_sla at a semi-trustworthy server C with a computational bound, the intersection set of Set_A and Set_B uploaded by entity A and entity B can be correctly computed without compromising the privacy of entity A and entity B. (Note that, the intersection set is for the original sets, rather than the concealed sets.)

3.3 Design Goals

The design of PISC should also consider flexibility, as Set_A and Set_B may not have the exact intersection set. In other words, we can also compute the rough intersection set even though Set_A and Set_B are not exactly or approximately equal. The flexibility will be particularly helpful in social network and e-commerce applications, as approximate intersection set is adequate for the required functionalities (e.g., identifying similar goods that may be of interest to an e-commerce user). Flexibility is also necessary when exact intersection set for the uploaded sets does not exist.

To achieve flexible PISC in a lightweight manner is also important, particularly due to the scale of data involved and the real-time nature of such computations. The lightweight computation in one time computation of PISC will significantly influence the scalability of the proposed method.

Therefore, the design goals are lightweight and flexible PISC.

4.1 Abstract Model

LiPISC consists of the following functions:

1) f_conceal. It takes as input the original set, Set_AO, and outputs a concealed set, Set_AC. That is, where Set_A ⇒ Set_B means that ∀x ∈ Set_A, compute y = f_conceal(x) and include y in Set_B.

2) f_intersect. It takes as input two sets, Set_AC and Set_BC, and outputs a concealed intersection set, Set_IC. That is,

3) f_reveal. It takes as input a set, Set_IC, and outputs an original intersection set, Set_IO. That is, where Set_IO = Set_AO ∧ Set_BO, Set_IAO = Set_IO ∧ Set_AO, Set_IBO = Set_IO ∧ Set_BO. Certainly, Set_IO = Set_IAO = Set_IBO.

Therefore, in LiPISC,

1. A and B conceal the original sets Set_A and Set_B using f_conceal, and obtain concealed sets Set_AC and Set_BC, respectively.
2. A and B respectively send concealed sets Set_AC and Set_BC to C.
3. C computes the intersection set Set_IC from the received concealed sets using f_intersect. C then returns Set_IC to both A and B.
4. A finds the indeed intersection set (Set_IAO) of the original sets (i.e., Set_AO ∧ Set_BO) from Set_IC using f_reveal. Similarly, B finds the indeed intersection set (Set_IBO) of the original sets (i.e., Set_AO ∧ Set_BO) from Set_IC using f_reveal.

Thus, LiPISC can be formulated as an abstract model:

1) Entity A:

1.1) f_conceal : Set_AO ⇒ Set_AC;

1.2) A → C : Set_AC.

2) Entity B:

2.1) f_conceal : Set_BO ⇒ Set_BC;

2.2) B → C : Set_BC.

3) Server C:

3.1) f_intersect : Set_AC × Set_BC ⇒ Set_IC;

3.2) C → A : Set_IC;

3.3) C → B : Set_IC.

4)

Entity A:

4.1) f_reveal : Set_IC ⇒ Set_IAO;

Entity B:

4.2) f_reveal : Set_IC ⇒ Set_IBO.

The requirement is as follows: f_conceal.

Proposition 4.1 f_conceal should achieve the functionality to defend against Adv_sra and Adv_sla.

Proof f_conceal is the only transformation of the original set before the observation of the adversary. After this transformation, the adversary at C can observe the transformation result of f_conceal. Thus, f_conceal should defend against Adv_sra and Adv_sla. ▫

f_conceal should make it possible to find the corresponding f_intersect and f_reveal. That is, corresponding f_intersect and f_reveal should be found easily and should perform efficiently after the transformation of f_conceal. Thus, f_conceal is the most important of three functions. Besides, these three functions must be lightweight in terms of computation. Therefore, finding proper f_conceal has the highest priority in searches.

4.2 Basic Construction

The basic construction is described as follows:

1) Entity A:

1.1) f_conceal : Set_AO ⇒ Set_AC. Let ; That is, Set_AC ⇐ Hash(x ∈ Set_AO), where Hash(⋅) could be a cryptographic hash function. In other words, Set_AC = {y|y = Hash(x), ∀x ∈ Set_AO}.

1.2) A → C : ID[i], Set_AC[i], where i = 1, …, |Set_AC|; |∗| returns the number of items in the set ∗; ID[i] is a temporary sequence number for i-th item in Set_AC, which is denoted as Set_AC[i];

2) Entity B:

2.1) B : f_conceal : Set_BO ⇒ Set_BC; Similar to 1.1), let f_conceal = Hash(⋅); Set_BC ⇐ Hash(Set_BO), where Hash(⋅) could be a one-way cryptographic hash function. In other words, Set_BC = Hash(x ∈ Set_BO) = {y|y = Hash(x), ∀x ∈ Set_BO}.

2.2) B → C : ID[i], Set_BC[i], where i = 1, …, |Set_BC|; ID[i] is a temporary sequence number for i-th item in Set_BC, which is denoted as Set_BC[i];

3) Server C:

3.1) f_intersect : Set_AC ∧ Set_BC ⇒ Set_IC;

3.2) C → A : ID[i], where Set_AC[i] ∈ Set_IC, i ∈ [1, |Set_AC|]; The total number of i is |Set_IC|; That is, |ID[i]| = |Set_IC|;

3.3) C → B : ID[j], where Set_BC[j] ∈ Set_IC, j ∈ [1, |Set_BC|]; The total number of j is |Set_IC|; That is, |ID[j]| = |Set_IC|;

4)

Entity A:

4.1) f_reveal : ID[i]⇒Set_IAO; As A has computed Set_AC ⇐ Hash(Set_AO) before, A can retrieve corresponding i-th item in Set_AO that will compose final Set_IAO;

Entity B:

4.2) f_reveal : ID[j]⇒Set_IBO; As B has computed Set_BC ⇐ Hash(Set_BO) before, A can retrieve corresponding j-th item in Set_BO that will compose final Set_IBO;

Remarks

1) f_conceal is pre-deployed or negotiated in advance at A and B, or distributed by C instantly and publicly. Even though f_conceal is publicly known, Adv_sra is still defended against due to the cryptographic properties of Hash(⋅).

2) Note that Hash(⋅) could be any function with dedicated requirements, although a computationally efficient cryptographic hash is usually preferred. Next, we will define the one-way and collision resistant requirements.

Proposition 4.2 should be one-way.

Proof Due to 4.1, f_conceal should have functionality of defending against Adv_sra. H(x|f_conceal(x)) = H(x) for PPTM adversary. Pr{x|y = f_conceal(x)} = 1/2ⁿ ∗ 1/2^m−n = 1/2^m = negl(m) should be negligible when m is sufficient large. negl(m) is a negligible function in m. Given y compute x is hard; thus, f_conceal must be one-way. ▫

Proposition 4.3 f_conceal should be collision resistant.

Proof f_conceal should be collision resistant, which is not for security but for the soundness of resulting intersection set returned from C. If so, the probability will be negligible that y₁ ∈ Set_AC and y₂ ∈ Set_BC are equal but x₁ ∈ Set_AO and x₂ ∈ Set_BO are not equal. ▫

Note that it is non-trivial to be aware that f_conceal is not second pre-image resistant, because server C has no idea of the pre-image of Set_AC as well as Set_BC.

Proposition 4.4 The false probability of basic construction for PISC is 1/2^m−n. That is, Pr{x₁ ∈ Set_AO ≠ x₂ ∈ Set_BO|y = f_conceal(x₁) ∈ Set_AC, y = f_conceal(x₂) ∈ Set_BC} = 1/2^m−n.

Proof There are 1/2^m−n x ∈ Set_AO mapping into the same y ∈ Set_AC. Thus, even y is the same x is different. The false probability of basic construction is 1/2^m−n. ▫

3) Only last k, k < |Hash(⋅)| = n bits can be selected in Hash(⋅) during comparison to further improve the efficiency, but it may induce extra false members in intersection set with false probability (namely, 1/2^m−k).

The privacy strength for the basic construction is as follows:

Proposition 4.5 Basic construction can defend against Adv_sra but not Adv_sla.

Proof As f_conceal is one-way, the adversary can reveal neither Set_AO from Set_AC nor Set_BO from Set_BC. Thus, Adv_sra is defended against. However, the same y ∈ Set_AC(Set_BC) in different rounds can be linked to the same x ∈ Set_AO(Set_BO). Thus, Adv_sla is not defended against. ▫

4.3 An Enhanced Basic Construction

To defend against Adv_sla, we propose the following enhancement by adding a random number to be used only once (i.e., nonce) in f_conceal to make it unlinkable when the adversary observes Set_AC (or Set_BC). More specifically, the enhancement is at steps 1.1) and 2.1) with the addition of the nonce, respectively. The enhanced steps 1.1) and 2.1) are as follows:

1.1) f_conceal : Set_AO ⇒ Set_AC. Let f_conceal = Hash(⋅); That is, Set_AC ⇐ H(nonce_A||Set_AO), where Hash(⋅) could be a cryptographic hash function; nonce is a number used once. In other words, ∀x ∈ Set_AO, y ⇐ Hash(nonce_A||x), y ∈ Set_AC.

2.1) f_conceal : Set_BO ⇒ Set_BC; Similar to 1.1), let f_conceal = Hash(⋅); Set_BC ⇐ Hash(nonce_B||Set_BO), where H(⋅) is a cryptographic hash function with one-wayness. In other words, ∀x ∈ Set_BO, y ⇐ Hash(nonce_B||x), y ∈ Set_BC.

Remarks

1) Nonce_A and Nonce_B could be timestamps, in which A and B need to be synchronized in advance.

2) Nonce_A and Nonce_B could be a value from a pseudorandom number generator, which is generated from a shared secret key (seed) and synchronized at A and B. That is, Nonce = PRNG(k), where k is a shared secret key between A and B (e.g., generated using a key establishment protocol [25]); PRNG(⋅) is a pseudorandom number generator.

3) Nonce_A and Nonce_B could be a synchronized counter.

Proposition 4.6 The enhanced basic construction can defend against Adv_sra and Adv_sla.

Proof The enhanced basic construction can defend against Adv_sra inherently due to basic construction. The discussion, thus, only concentrates on Adv_sla. As Nonce_A and Nonce_B vary in each round, the same y ∈ Set_AC(Set_BC) in different rounds usually cannot be identified by the adversary due to the collision resistance property of f_conceal. Thus, the linkage will not be drawn and Adv_sla is defended against. ▫

4.4 Advanced Construction with Rough Intersection for Flexibility

In a real-world deployment, such as on-line social networks and e-commerce websites, entity A and entity B are unlikely to have the exact number or same members in the submitted sets. Although exact intersection of Set_AO and Set_BO dose not exist, server C is still required to return approximate intersection of Set_AO and Set_BO. In this scenario, server C has to recommend the most approximate intersection of Set_AO and Set_BO from Set_AC and Set_BC. The basic construction and the enhanced basic construction are not able to address such a situation. Thus, we propose an advanced method that can satisfy this requirement.

Intuitively, if Hash(⋅) is “fuzzy” in that ‖x₁ − x₂‖ ∈ Δ ⇒ ‖y₁ − y₂‖ ∈ Δ, y₁ = Hash(x₁), y₂ = Hash(x₂), the rough set will be returned. Here, ‖⋅‖ returns either the absolute value or the hamming distance. However, this fuzzy property may compromise the one-wayness.

The improvements are due to the following: at f_conceal, Hash(⋅) is replaced by , where p is a sufficient large prime, and at f_intersect, the comparison is changed into computation of . More specifically, the method is described as follows:

1) Entity A:

1.1) A : f_conceal : Set_AO ⇒ Set_AC. Let , where x ∈ Set_AO; p is a large prime. That is, Set_AC ⇐ G(Set_AO), where G(Set_∗) means to compute f_conceal(x) for ∀x ∈ Set_∗. In other words, .

1.2) A → C : ID[i], Set_AC[i], where i = 1, …, |Set_AC|; |∗| returns the number of items in the set ∗; ID[i] is a temporary sequence number for i-th item in Set_AC, which is denoted as Set_AC[i];

2) Entity B:

2.1) B : f_conceal : Set_BO ⇒ Set_BC; Similar to 1.1), let , where x ∈ Set_BO; That is, Set_BC ⇐ G(Set_BO). In other words, .

2.2) B → C : ID[i], Set_BC[i], where i = 1, …, |Set_BC|; ID[i] is a temporary sequence number for i-th item in Set_BC, which is denoted as Set_BC[i];

3) Server C:

3.1) f_intersect : ∀Set_AC[i] ∈ Set_AC, Set_BC[j] ∈ Set_BC, if Set_AC[i]/Set_BC[j] < g^δ < p, let Set_AC[i]∨Set_BC[j]⇒Set_IC;

3.2) C → A : ID[i], where Set_AC[i] ∈ Set_IC, i ∈ [1, |Set_AC|]; The total number of i is |Set_IC|/2; That is, |ID[i]| = |Set_IC|/2;

3.3) C → B : ID[j], where Set_BC[j] ∈ Set_IC, j ∈ [1, |Set_BC|]; The total number of j is |Set_IC|/2; That is, |ID[j]| = |Set_IC|/2;

4)

Entity A:

4.1) f_reveal : ID[i]⇒Set_IAO; As A computes Set_AC ⇐ G(Set_AO), A can reveal corresponding i-th item in Set_AO that consists final Set_IAO;

Entity B:

4.2) f_reveal : ID[j]⇒Set_IBO; As B computes Set_BC ⇐ G(Set_BO), A can reveal corresponding j-th item in Set_BO that consists final Set_IBO;

Remarks

1) To reduce the computation overhead at entity A and entity B, in computing G(⋅), A and B can only compute the last k bits of x, y, ∀x ∈ Set_AO and ∀y ∈ Set_BO. log₂ x = {0,1}^m = {0,1}^{m − k}‖{0,1}^k, log₂ y = {0,1}ⁿ = {0,1}^{n − k}‖{0,1}^k. It will not compromise the soundness of PISC if k is properly chosen. We state the chosen method in the following proposition.

Proposition 4.7 If the absolute gap value between x ∈ Set_AO and y ∈ Set_BO is ‖x − y‖, we let k = log₂ log_g‖x − y‖.

Proof x ∈ Set_AO, g^x mod p ∈ Set_AC. x ∈ Set_BO, g^x mod p ∈ Set_BC. can be computed via where log_g(x − m) < 2^k and log_g(y − m) < 2^k. Thus, only computing the last k bits of x, y will not result in any difference for at server C. ▫

2) δ is a system parameter, which measures the approximate strength of the intersection set. More specifically, we state it formally in the following proposition.

Proposition 4.8 If the absolute gap value between x ∈ Set_AO and y ∈ Set_BO is ‖x − y‖, the intersection set produced by PISC will have ‖x − y‖ ≤ δ.

Proof x ∈ Set_AO, . y ∈ Set_BO, . Server C selects intersection set by thus ‖x − y‖ ≤ δ + kϕ(p) = δ + k(p − 1), where ϕ(⋅) is Euler function, and . p − 1 >> δ and x ≤ p − 1, y ≤ p − 1, thus ‖x − y‖ ≤ δ. ▫

From above two propositions, we can choose k = log₂ log_g‖x − y‖ = log₂ log_g δ bits at rear of log₂ x, ∀x ∈ Set_AO or log₂ y, ∀y ∈ Set_BO to compute Set_AC and Set_BC, respectively.

3) The computation overhead at server C is module exponential computation (for computing ) and one time division (for computing Set_AC[i]/Set_BC[j]). The computation overhead at an entity is module exponential computation (for computing and k is at most log₂ log_g δ bits).

Proposition 4.9 The advanced construction can defend against Adv_sra, but not Adv_sla.

Proof As f_conceal is one-way due to the underlying discrete logarithm problem, Adv_sra is defended against. As f_conceal is a deterministic function, the same image will link to the same pre-image; thus, Adv_sla cannot be defended against. ▫

Proposition 4.10 In the advanced construction, f_conceal is collision resistant.

Proof The aim is to prove that it is difficult to find x ≠ y such at g^x ≡ g^y mod p. That is, it is difficult to find x ≠ y such that g^x−y mod p = 1. If g^x−y mod p = 1, x − y mod p − 1 = 0 by Fermat’s theorem. As x − y < δ and p is a big prime, it is computational infeasible for . ▫

Proposition 4.11 The advanced construction is sound.

Proof It is concluded from the previous propositions. f_conceal is one-way, collision resistant, and the returned intersection sets are indeed the approximate members. Thus, the advanced construction is sound. ▫

Finally, to defend against Adv_sla, we propose an enhancement method for the advanced construction by adding a nonce in f_conceal. More specifically, the enhancement is at Steps 1.1) and Step 2.1) by multiplying the nonce, respectively:

1.1). f_conceal = nonce ∗ g^x mod p, where x ∈ Set_AO; p is a large prime. That is, Set_AC ⇐ G(Set_AO), where G(Set_∗) means to compute f_conceal(x) for ∀x ∈ Set_∗. In other words,

2.1) f_conceal = nonce ∗ g^x mod p, where x ∈ Set_BO; That is, Set_BC ⇐ G(Set_BO).

The discussion on nonce is similar to the aforementioned remarks in the last section. The security proof after the inclusion of nonce is similar to Proposition 4.6. Until now, we reach the final proposed version of PISC that is the enhancement of the advanced construction. This incremental presentation helps for better understanding and smoothly remembering.

Potential Applications and Further Discussions

1) Example I. In social networks for recommending prospective friends, both users B and C are user A’s friends; thus, the intersection set of B’s friends and C’s friends may also be A’s friends. The service provider needs to perform PISC of two inputs—B’s friends and C’s friends, and those inputs should be concealed for privacy protection.

2) Example II. For recommending potentially goods of interest in an e-commence website, B’s purchase history and C’s purchase history have overlapping items with A’s purchase history (i.e., A, B, C have similar purchasing habits and preferences); thus, the intersection set of user B’s purchases and C’s purchases may also interest A. The service provider needs to perform PISC of two concealed inputs—B’s purchase history and C’s purchase history. Since we require that the purchase history of both B and C to be unlinkable, the service provider is unable to guess whether the same item exists in B’s or C’s purchase history.

3) As in LiPISC, A and B have to establish a shared nonce, which may require synchronization at both A and B. Alternatively, nonce can also be distributed by servers which does not break the security of the scheme as the servers will not know the nonce due to the one-wayness of f_conceal.

4) As stated in Section 3 (i.e., Problem Formulation), the adversary (trust) model in this paper only assumes an adversary at a central server. That is, entity A and entity B for PISC is trustworthy. Nonetheless, even though A (or B) could be un-trustworthy, A (or B) can only reveal the intersection set with B (or A) by random guess due to the one-wayness of f_conceal. The probability of successful guess is negligible due to the selection of f_conceal.

5) The gap between numeric distance represents the numeric deviation of inputting values, and the gap between Hamming distance represents the property deviation. The former gap can be computed from the latter gap if the major difference comes from the bits at the end, and the latter gap can also be estimated from the former gap. In this paper, we focus on the numeric distance, which is more general than the Hamming gap. In addition, the proposed method is suitable for both two situations, as here only rough intersection set computation is required.

6) The proposed scheme outperforms related work in sever aspects as follows: It is lightweight as only raw discrete logarithm computation is involved instead of cryptographic encryption. It can compute rough intersection set that is flexible in realistic. It tackles set linkage attack that has not been carefully explored in the literatures.