Efficient Set Operations in the Presence of Malicious Adversaries


We revisit the problem of constructing efficient secure two-party protocols for the problems of set intersection and set union, focusing on the model of malicious parties. Our main results are constant-round protocols that exhibit linear communication and a (practically) linear number of exponentiations with simulation-based security. At the heart of these constructions is a technique based on a combination of a perfectly hiding commitment and an oblivious pseudorandom function evaluation protocol. Our protocols readily transform into protocols that are UC secure, and we discuss how to perform these transformations.


  1. [1]

    G. Aggarwal, N. Mishra, B. Pinkas, Secure computation of the kth-ranked element, in EUROCRYPT’04. LNCS, vol. 3027 (Springer, Berlin, 2004), pp. 40–55

    Google Scholar 

  2. [2]

    Y. Aumann, Y. Lindell, Security against covert adversaries: efficient protocols for realistic adversaries, in 4th TCC. LNCS, vol. 4392 (Springer, Berlin, 2007), pp. 137–156

    Google Scholar 

  3. [3]

    Y. Azar, A.Z. Broder, A.R. Karlin, E. Upfal, Balanced allocations. SIAM J. Comput. 29(1), 180–200 (1999)

    MathSciNet  MATH  Article  Google Scholar 

  4. [4]

    M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non cryptographic fault tolerant distributed computations, in 20th STOC (1988), pp. 1–10

    Google Scholar 

  5. [5]

    D. Boneh, E. Goh, K. Nissim, Evaluating 2-DNF formulas on ciphertexts, in 2nd TCC. LNCS, vol. 3378 (Springer, Berlin, 2005), pp. 325–341

    Google Scholar 

  6. [6]

    S. Böttcher, S. Obermeier, Secure set union and bag union computation for guaranteeing anonymity of distrustful participants. J. Softw. 3(1), 9–17 (2008)

    Google Scholar 

  7. [7]

    R. Canetti, Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000)

    MathSciNet  MATH  Article  Google Scholar 

  8. [8]

    J. Camenisch, G.M. Zaverucha, Private intersection of certified sets, in Financial Crypto (2009), pp. 128–127

    Google Scholar 

  9. [9]

    R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, in 42nd FOCS (2001), pp. 136–145

    Google Scholar 

  10. [10]

    R. Canetti, E. Kushilevitz, Y. Lindell, On the limitations of universal composable two-party computation without set-up assumptions, in 44th FOCS (2003), pp. 136–145

    Google Scholar 

  11. [11]

    D. Chaum, T.P. Pedersen, Wallet databases with observers, in CRYPTO’92. LNCS, vol. 740 (Springer, Berlin, 1992), pp. 89–105

    Google Scholar 

  12. [12]

    D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols, in 20th STOC (1988), pp. 11–19

    Google Scholar 

  13. [13]

    R. Cramer, I. Damgård, B. Schoenmakers, Proofs of partial knowledge and simplified design of witness hiding protocols, in CRYPTO’94. LNCS, vol. 839 (Springer, Berlin, 1994), pp. 174–187

    Google Scholar 

  14. [14]

    D. Dachman-Soled, T. Malkin, M. Raykova, M. Yung, Efficient robust private set intersection, in ANCS. LNCS, vol. 5479 (Springer, Berlin, 2009), pp. 125–142

    Google Scholar 

  15. [15]

    I. Damgård, Efficient concurrent zero-knowledge in the auxiliary string model, in EUROCRYPT’00. LNCS, vol. 1807 (Springer, Berlin, 2000), pp. 418–430

    Google Scholar 

  16. [16]

    I. Damgård, M. Jurik, A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system, in Public Key Cryptography. LNCS, vol. 1992 (Springer, Berlin, 2001), pp. 119–136

    Google Scholar 

  17. [17]

    I. Damgård, J.B. Nielsen, Perfect hiding and perfect binding universally composable commitment schemes with constant expansion factor, in CRYPTO’02. LNCS, vol. 2442 (Springer, Berlin, 2002), pp. 3–42

    Google Scholar 

  18. [18]

    I. Damgård, M. Jurik, J.B. Nielsen, A generalization of Paillier’s public-key system with applications to electronic voting, in Public Key Cryptography (2001), pp. 119–136

    Google Scholar 

  19. [19]

    T. ElGamal, A public-key cryptosystem and a signature scheme based on discrete logarithms, in CRYPTO’84. LNCS, vol. 196 (Springer, Berlin, 1984), pp. 10–18

    Google Scholar 

  20. [20]

    J. Feigenbaum, Y. Ishai, T. Malkin, K. Nissim, M.J. Strauss, R.N. Wright, Secure multiparty computation of approximations. ACM Trans. Algorithms 2(3), 435–472 (2006)

    MathSciNet  Article  Google Scholar 

  21. [21]

    P. Fouque, D. Pointcheval, Threshold cryptosystems secure against chosen-ciphertext attacks, in Asiacrypt (2000), pp. 573–584

    Google Scholar 

  22. [22]

    P. Fouque, G. Poupard, J. Stern, Sharing decryption in the context of voting of lotteries, in Financial Crypto (2009), pp. 90–104

    Google Scholar 

  23. [23]

    M.J. Freedman, Y. Ishai, B. Pinkas, O. Reingold, Keyword search and oblivious pseudorandom functions, in 2nd TCC. LNCS, vol. 3378 (Springer, Berlin, 2005), pp. 303–324

    Google Scholar 

  24. [24]

    M. Freedman, K. Nissim, B. Pinkas, Efficient private matching and set-intersection, in EUROCRYPT’04. LNCS, vol. 3027 (Springer, Berlin, 2004), pp. 1–19

    Google Scholar 

  25. [25]

    O. Goldreich, Foundations of Cryptography: Volume 1—Basic Tools (Cambridge University Press, Cambridge, 2001)

    Google Scholar 

  26. [26]

    O. Goldreich, Foundations of Cryptography: Volume 2—Basic Applications (Cambridge University Press, Cambridge, 2004)

    Google Scholar 

  27. [27]

    O. Goldreich, A. Kahan, How to construct constant-round zero-knowledge proof systems for NP. J. Cryptol. 9(3), 167–190 (1996)

    MathSciNet  MATH  Article  Google Scholar 

  28. [28]

    O. Goldreich, S. Micali, A. Wigderson, How to play any mental game, in 19th STOC (1987), pp. 218–229

    Google Scholar 

  29. [29]

    S. Goldwasser, S. Micali, Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)

    MathSciNet  MATH  Article  Google Scholar 

  30. [30]

    C. Hazay, Y. Lindell, Efficient protocols for set intersection and pattern matching with security against malicious and covert adversaries, in 5th TCC. LNCS, vol. 4948 (Springer, Berlin, 2008), pp. 155–175

    Google Scholar 

  31. [31]

    S. Jarecki, Personal Communication

  32. [32]

    S. Jarecki, X. Liu, Efficient oblivious pseudorandom function with applications to adaptive OT and secure computation of set intersection, in 6th TCC. LNCS, vol. 5444 (Springer, Berlin, 2009), pp. 577–594

    Google Scholar 

  33. [33]

    E. Kiltz, P. Mohassel, E. Weinreb, M.K. Franklin, Secure linear algebra using linearly recurrent sequences, in 5th TCC. LNCS, vol. 4392 (Springer, Berlin, 2007), pp. 291–310

    Google Scholar 

  34. [34]

    L. Kissner, D.X. Song, Privacy-preserving set operations, in CRYPTO’05. LNCS, vol. 3621 (Springer, Berlin, 2005), pp. 241–257. See technical report CMU-CS-05-113 for the full version

    Google Scholar 

  35. [35]

    Y. Lindell, B. Pinkas, Privacy preserving data mining. J. Cryptol. 15(3), 177–206 (2002)

    MathSciNet  MATH  Article  Google Scholar 

  36. [36]

    P. Mohassel, E. Weinreb, Efficient secure linear algebra in the presence of covert or computationally unbounded adversaries, in CRYPTO’08. LNCS, vol. 5157 (Springer, Berlin, 2009), pp. 481–496

    Google Scholar 

  37. [37]

    M. Naor, K. Nissim, Communication preserving protocols for secure function evaluation, in 33th STOC (2001), pp. 590–599

    Google Scholar 

  38. [38]

    M. Naor, O. Reingold, Number-theoretic constructions of efficient pseudo-random functions, in 38th FOCS (1997), pp. 231–262

    Google Scholar 

  39. [39]

    K. Nissim, E. Weinreb, Communication efficient secure linear algebra, in 4th TCC (2006), pp. 522–541

    Google Scholar 

  40. [40]

    T. Okamoto, Provably secure and practical identification schemes and corresponding signature schemes, in CRYPTO’92. LNCS, vol. 740 (Springer, Berlin, 1992), pp. 31–53

    Google Scholar 

  41. [41]

    P. Paillier, Public-key cryptosystems based on composite degree residuosity classes, in EUROCRYPT’99. LNCS, vol. 1592 (Springer, Berlin, 1999), pp. 223–238

    Google Scholar 

  42. [42]

    T.P. Pedersen, Non-interactive and information-theoretical secure verifiable secret sharing, in CRYPTO’91. LNCS, vol. 576 (Springer, Berlin, 1991), pp. 129–140

    Google Scholar 

  43. [43]

    C. Peikert, V. Vaikuntanathan, B. Waters, A framework for efficient and composable oblivious transfer, in CRYPTO’08. LNCS, vol. 5157 (Springer, Berlin, 2008), pp. 554–571

    Google Scholar 

  44. [44]

    C.P. Schnorr, Efficient identification and signatures for smart cards, in CRYPTO’89. LNCS, vol. 435 (Springer, Berlin, 1989), pp. 239–252

    Google Scholar 

  45. [45]

    B. Vocking, How asymmetry helps load balancing. J. ACM 50(4), 568–589 (2003)

    MathSciNet  Article  Google Scholar 

  46. [46]

    A.C. Yao, Protocols for secure computations, in 23th FOCS (1982), pp. 160–164

    Google Scholar 

Download references

Author information



Corresponding author

Correspondence to Carmit Hazay.

Additional information

C. Hazay research was supported by an Eshkol scholarship and the Israel Science Foundation (grant No. 70/80).

K. Nissim research partly supported by the Israel Science Foundation (grant No. 860/06).

Communicated by Ivan Damgård

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Hazay, C., Nissim, K. Efficient Set Operations in the Presence of Malicious Adversaries. J Cryptol 25, 383–433 (2012). https://doi.org/10.1007/s00145-011-9098-x

Download citation

Key words

  • Secure two-party computation
  • Simulation-based security
  • Set intersection
  • Set union
  • Oblivious pseudorandom function evaluation