Efficient Non-Interactive Zero Knowledge Arguments for Set Operations

Abstract

We propose a non-interactive zero knowledge pairwise multiset sum equality test (PMSET) argument of knowledge in the common reference string (CRS) model that allows a prover to show that the given committed multisets \(\mathbb {A}_j\) for \(j \in \left\{ 1, 2, 3, 4\right\} \) satisfy \(\mathbb {A}_1 \uplus \mathbb {A}_2 = \mathbb {A}_3 \uplus \mathbb {A}_4\), i.e., every element is contained in \(\mathbb {A}_1\) and \(\mathbb {A}_2\) exactly as many times as in \(\mathbb {A}_3\) and \(\mathbb {A}_4\). As a corollary to the \(\mathrm{PMSET}\) argument, we present arguments that enable to efficiently verify the correctness of various (multi)set operations, for example, that one committed set is the intersection or union of two other committed sets. The new arguments have constant communication and verification complexity (in group elements and group operations, respectively), whereas the CRS length and the prover’s computational complexity are both proportional to the cardinality of the (multi)sets. We show that one can shorten the CRS length at the cost of a small increase of the communication and the verifier’s computation.

A Related Work

Our multiset commitment scheme is a modification of the commitment scheme [18], which in turn is related to the polynomial commitment scheme of [28]. In [28], the authors proposed a commitment scheme for polynomials \(f\), where instead of committing to the coefficients of \(f\) separately, one commits to \(f (\sigma )\), where \(\sigma \) is a random key. Their commitment scheme is based on the fact that for any polynomial \(f\), \(x-i\) divides \(f(x) - f(i)\). Our commitment scheme is somewhat more efficient than the one from [28], since [28] required the randomness \(r\) also to be a polynomial. Thus, one needs to generate \(\deg (f)\) times more randomness, and the opening of the commitment is also more burdensome. While the need for a new commitment scheme was motivated by the applications considered in [28], it is not necessary in our distinctively different applications.

Based on their commitment scheme, [28] proposed an NIZK proof that a specific public element belongs to the committed subset, which they named zero knowledge sets. Henry and Goldberg [26] showed that this argument was insecure, and provided a secure improvement. However, both these constructions were interactive, and would either require a random oracle, or be less efficient to get non-interactiveness. We provide a non-interactive implementation without random oracles in our accumulator argument, which is as efficient as both [28] and [26].

The balanced version of our multiset commitment scheme is somewhat similar to the setting in the electronic voting protocol of Dimitriou and Foteinakis [16], which had \(K\) disjoint but same size sets \(V_1, \cdots V_K\) with total cardinality \(C = K\cdot |V_1|\), and a prover commits to \(S\) such that \(S \subseteq V_i\) for some \(i \in [1, K]\). We can directly compare when either \(K = 1\) or \(K = \sqrt{C} = |V_1|\). But in both cases Dimitriou and Foteinakis require a separate zero-knowledge proof for each candidate, hence the prover’s computation, communication and verification are all \(\omega (C)\), whereas we have either \(\varTheta (C)\) prover’s computation, \(\varTheta (\sqrt{C})\) communication and \(\varTheta (\sqrt{C})\) verification (in the balanced version) or \(\varTheta (C)\) prover’s computation, constant communication and constant verification (in the non-balanced version).

In terms of set operations, there is a lot of related research in the literature. We denote \(k\) to be an upper bound for the size of the client’s and server’s sets (or the maximum of the two, if an upper bound is not required). Freedman, Nissim and Pinkas presented a two-party private matching and set intersection protocol [20], where the client inputs a private set \(\mathbb {C}\), and the server inputs a private set \(\mathbb {S}\); if \(s_i \in \mathbb {S}\cap \mathbb {C}\), the client learns \(s_i\), otherwise it learns a uniformly random value. The proposed 2-round protocol requires oblivious pseudorandom functions (OPRF) and is provably secure in the random oracle model, but requires \(O(k)\) communication. Jarecki and Lim [27] improved upon this and used OPRF to get a 1-round protocol secure in the random oracle model, and a 2-round protocol secure in the CRS model, both cases having \(O(k)\) communication. Both protocols reveal the size of the server’s set.

Kissner and Song [29] proposed different privacy-preserving set operation protocols that employed the concept of multi-sets. For example, the set union operation is seen as simply the product of the polynomial representations of the two sets. They implement secure set intersection with a fixed and equal size for the client and server sets, using the fact that for random polynomials \(r, s\), \(\chi _\mathbb {A}r + \chi _\mathbb {B}s = \chi _{\mathbb {A}\cap \mathbb {B}} t\) with \(t\) having no roots from the universal set \(\mathbb {U}\), except for a negligible probability. However, their protocols have \(O(k)\) proof size, prover’s computation and verification, with the overhead being a proof of correct polynomial multiplication. Moreover, they also have several operations on encrypted polynomials, such as derivatives to reduce duplicated elements of a multiset. These operations are costly, and we choose not to implement them as they will require a product argument as in [18].

There are several other results on private set intersections that are not directly comparable to ours. For example, Blanton and Aguiar [4] had more efficient set operations than the work stated above based on efficient parallelized multi-party operations, but it requires \(n > 2\) parties while we focus on two-party protocols. D’Arco et al. [15] showed that unconditionally secure size-hiding set intersection is possible with the help of a trusted third party (TTP), given that the client and server have set cardinality at most \(k\). However, the TTP sends output to the client and server based on their specific sets. This means that even for a fixed server set \(\mathbb {V}\), the TTP is required for each new client set. Moreover, their \(2\)-round, \(O(k)\)-communication protocol is only secure in the semi-honest model. Extending it to become a protocol secure against malicious adversaries, the proof size (that is dominated by proof of correct encryption for each of \(k\) Paillier ciphertexts) will also become \(O(k)\).

We summarize in Table 1. Note that we only include results that either have non-interactive zero knowledge proofs, or can be made non-interactive using the Fiat-Shamir heuristic. None of the work discussed has 1 round (non-interactive), does not require a random oracle and has proof size sublinear in the set cardinality, whereas our set operations have constant-size proof and is secure in the CRS model.