Paper 2021/1009

Polynomial Representation Is Tricky: Maliciously Secure Private Set Intersection Revisited

Aydin Abadi, Steven J. Murdoch, and Thomas Zacharias


Private Set Intersection protocols (PSIs) allow parties to compute the intersection of their private sets, such that nothing about the sets’ elements beyond the intersection is revealed. PSIs have a variety of applications, primarily in efficiently supporting data sharing in a privacy-preserving manner. At Eurocrypt 2019, Ghosh and Nilges pro- posed three efficient PSIs based on the polynomial representation of sets and proved their security against active adversaries. In this work, we show that these three PSIs are susceptible to several serious attacks. The attacks let an adversary (1) learn the correct intersection while making its victim believe that the intersection is empty, (2) learn a certain element of its victim’s set beyond the intersection, and (3) delete multiple elements of its victim’s input set. We explain why the proofs did not identify these attacks and propose a set of mitigations

Available format(s)
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Private Set IntersectionMulti-party ComputationCryptographic ProtocolsCryptanalysis
Contact author(s)
aydin abadi @ ucl ac uk
s murdoch @ ucl ac uk
thomas zacharias @ ed ac uk
2021-08-06: received
Short URL
Creative Commons Attribution


      author = {Aydin Abadi and Steven J.  Murdoch and Thomas Zacharias},
      title = {Polynomial Representation Is Tricky: Maliciously Secure Private Set Intersection Revisited},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1009},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.