Threshold Private Set Intersection with Better Communication Complexity

Given l parties with sets X-1,..., X-l of size n, we would like to securely compute the intersection boolean AND(l)(i=1) X-i, if it is larger than n-t for some threshold t, without revealing any other additional information. It has previously been shown (Ghosh and Simkin, Crypto 2019) that this function can be securely computed with a communication complexity that only depends on t and in particular does not depend on n. For small values of t, this results in protocols that have a communication complexity that is sublinear in the size of the inputs. Current protocols either rely on fully homomorphic encryption or have an at least quadratic dependency on the parameter t. In this work, we construct protocols with a quasilinear dependency on t from simple assumptions like additively homomorphic encryption and oblivious transfer. All existing approaches, including ours, rely on protocols for computing a single bit, which indicates whether the intersection is larger than n-t without actually computing it. Our key technical contribution, which may be of independent interest, takes any such protocol with secret shared outputs and communication complexity O(lambda l poly(t)), where lambda is the security parameter, and transforms it into a protocol with communication complexity O(lambda(2)lt polylog(t)).