 Hello, everyone. I'm Xihang, a PhD student from Hamphill Center for Information Security. This presentation is about a multi-party continuity test for threshold-private-set intersection joined work with Pedro Branco and Nicole Dutley. Here's a brief overview of this talk. I'm going to start with the background and the motivation of private-set intersection. Next, I will show our results in this work and relations with concurrent work. Then I will show the challenge we met and our approach to get around it. At the end, I finish the talk with a short summary. Let me briefly explain what is a private-set intersection. As an example, say there are two companies denoted as Alice and Bob respectively. Holding their own customers' contacts denoted as SA and SB. They would like to know who are their common customers so they can cooperate with each other without leaking other own customers' information. So basically, they require a protocol along each party to learn the intersection, but nothing else. This is called private-set intersection or PSI. Today, we are more interested in a special setting of standard PSI called threshold PSI, which means parties only learn the intersection when it is larger than some threshold, otherwise they learn nothing. Here is a great example for threshold PSI that is luxury. Suppose there are two people who would like to go to different destinations and they want to share a ride from Uber, so they need to know which path is common for both, but they don't want to leak their own unique secret route. Basically, they require a following protocol to achieve the goal. If two paths intersected substantially, they learn the shared path and could agree on what sharing. However, if two paths are barely intersected, they learn nothing instead and much than neither would share it. So here are related works for threshold PSI. Gauche and Simkin in crypto 2019 gave the first two-party threshold PSI protocol, which communication only depends on the threshold instead of the set size. I will briefly explain the scheme later. Generally, in high levels, their protocol can be divided into two phases or two parts. The first part is a kind of netted test step. The second one is an intersection commutation step. The second part can be extended to multi-party easily, so we only focus on the first step in this talk. That is a kind of netted test for multi-party. Now I show our main results. Our main result is a multi-party kind of netted test, which allows parties to check if its intersection is larger than n minus t for some threshold t. Here, big n is a number of parties, and small n is a set of size, and t is substantially smaller than n and small n. Our approach only requires thresholded additively homomorphic encryption instead of a fully homomorphic one. That's why we only realize weaker assumptions such as DDH or DCR, and we achieve a t-square communication complexity for each party. Actually, there's a concurrent work, b and r24 of ours, also considered the same problem in multi-party setting, but they focus on a slightly different variant, which complements ours. Specifically, we focus on the case which allows parties to learn the intersection and only if the difference between the union and the intersection is smaller than g. Whereas ours is to learn it if and only if the intersection is larger than n minus t. Now let's move to the technical part. First, we curve the two-party particle from GS19. Suppose two parties, Alice and Bob, holding a set as a and as b, of size n respectively, without losing generality, we assume both sets are of the same size. So the problem is they want to know the intersection if and only if the set difference is smaller than some threshold t, where t is much smaller than n. The main observation of them is the set reconciliation techniques introduced by Minsky can be leveraged in this case. That is, each party encodes their own set as a polynomial like this. So for each element aj from s, your s is their own set. The polynomial is the product of all the terms of x minus aj. Now two parties, Alice and Bob, have two polynomials, pa and pb, while encoding their sets. If we compute pa or pb, then the common factors of two polynomials, which are corresponding to the intersection, are cancelled out. Finally, it's only a rational function left with low degree. A low-degree rational function means its numerator and its denominator are of low degree polynomials. Here it means pa minus b and pb minus a are two t-degree polynomials, where t is a threshold. Therefore, both parties can firstly compute all of the t evaluation points of the rational function pa over pb. Then one party, say Bob, can recover the denominator via interpolation, which will review the intersection when compared to his own set. Of course, Bob should not learn the numerator pa minus b. Otherwise, the security is compromised. As Bob, we also learn the whole set of Alice, which is forbidden. In GS19, they use a oblivious linear evaluation for OLE to mask the numerator with a random polynomial to hide the information. So far, we only discussed the second part, which is how to compute an intersection. It can only be proved when the intersection size is larger than m minus t. Otherwise, the proof of security will fail. That's why they still require a cardinality test to make sure when the compute intersection size or its cardinality is large enough. Still, let's first consider the two-party cardinality test in GS19. They encode set elements into the exponents, say for each element aj or ai. They encode the set as a polynomial qx equals to sum of all of x to ai. As then, the security check is the difference of two polynomials, qa and qa minus qb is sparse polynomial. Sparse polynomial means the polynomial has much fewer terms compared to its degree. Here, any of qx might be a polynomial with exponentially large degree, whereas it only has t terms or t monomials. Of course, here we need some secure computation to do a private check. Finally, if the resulting polynomial is sparse, we conclude that the set difference is small, which passed the cardinality test. Otherwise, it doesn't pass the test, and both parties will just abort the protocol. However, if we were to directly extend the approach to multi-party setting, we would let m parties compute m minus 1 times q1x minus q2x to qnx. This is a sparse polynomial only if n times t is small, because the resulting polynomial has n times t terms if the intersection cardinality is t. Thus, the communication codes for each party will depend on the number of parties n, which is highly undesired. We need to seek for other solutions. For simplicity, let's first consider the insecure way of our approach to do cardinality test. We use the original encoding set for an n-sized set. We encode it as an antiquated polynomial. Then suppose there are n sets from s1, s2 to sn. We encode them as ps1 to psn. If we compute the original function ps1 plus ps2 plus 2 psn over ps1, after we cancel it out, common factors resulting in original function has degree t at most if the intersection cardinality is larger than m minus t. This actually helps us to get rid of the number of parties n in the computation. Therefore, the cardinality test boils down to the following problem. Given a rational function f of x equals to p1 of x over p2 of x, can we decide if degree of p1 or degree of p2 is smaller than t with only t evaluation points of f of x? We give an affirmative answer in this work. Our crucial observation is that if we interpret f of x equals to p1 of x over p2 of x, where f of x is some unknown reduced rational function, which means p1 of x and p2 of x are co-prime, they don't share any common factors. So if we interpret this f of x on two different sports sets, say v and w, so each one of size all of t, we will get two different interpreted functions fv and fw respectively. Then we would have if degree of p1 equals to degree of p2 smaller than some threshold t, our interpreted functions fv equals to fw. Otherwise, if the degree is larger than t, then these two interpreted functions are different. Say fv will not equal to fw, except with a negligible probability over the uniform choice of vi and wi. Moreover, interpreting a rational function can be reduced to solving a linear system of equations by extending secure linear algebra tools developed by KMWF07 to multipartic case, who can perform the degree test revealing nothing else than output. Note that we also need to randomize numerators of the rational function, which is not for security, but for the correctness. We prove our security, we prove the security of our protocol in externalized UC from work. The standard UC from work has a subtle issue that because the inputs of our sub-porticles are encrypted under a public key, which needs to come from somewhere in the UC setting, so it's some kind of definitional problem. So this is also mentioned in the concurrent work BMR21, and they get around this by only proving the final protocol instead of the sub-porticles. We choose to prove the security in a generalized UC from work, externalized UC from work, which has a global setup of public key infrastructure, so we can get around this subtle issue. To make a short summary, we developed a multipartic cardinality test for threshold PSI. This communication only depends on the threshold for each party, without relying on the number of parties N. Our construction is built up, it only relies on additional homomorphic encryption, which is much weaker than fully homomorphic ones, so we don't require let's say assumptions. That's all, thanks for your attention.