Cryptology ePrint Archive: Report 2021/266

VOLE-PSI: Fast OPRF and Circuit-PSI from Vector-OLE

Peter Rindal and Phillipp Schoppmann

Abstract: In this work we present a new construction for a batched Oblivious Pseudorandom Function (OPRF) based on Vector-OLE and the PaXoS data structure. We then use it in the standard transformation for achieving Private Set Intersection (PSI) from an OPRF. Our overall construction is highly efficient with $O(n)$ communication and computation. We demonstrate that our protocol can achieve malicious security at only a very small overhead compared to the semi-honest variant. For input sizes $n = 2^{20}$, our malicious protocol needs 6.2 seconds and less than 59 MB communication. This corresponds to under 450 bits per element, which is the lowest number for any published PSI protocol (semi-honest or malicious) to date. Moreover, in theory our semi-honest (resp. malicious) protocol can achieve as low as 219 (resp. 260) bits per element for $n=2^{20}$ at the added cost of interpolating a polynomial over $n$ elements. As a second contribution, we present an extension where the output of the PSI is secret-shared between the two parties. This functionality is generally referred to as Circuit-PSI. It allows the parties to perform a subsequent MPC protocol on the secret-shared outputs, e.g., train a machine learning model. Our circuit PSI protocol builds on our OPRF construction along with another application of the PaXoS data structure. It achieves semi-honest security and allows for a highly efficient implementation, up to 3x faster than previous work.

Category / Keywords: cryptographic protocols / Private Set Intersection, Secure Computation, Vector OLE

Original Publication (with minor differences): IACR-EUROCRYPT-2021

Date: received 3 Mar 2021, last revised 9 May 2021

Contact author: peterrindal at gmail com, schoppmann at informatik hu-berlin de

Available format(s): PDF | BibTeX Citation

Note: minor fixes

Version: 20210509:231041 (All versions of this report)

Short URL: ia.cr/2021/266


[ Cryptology ePrint archive ]