Abstract

The development of edge computing and Internet of Things technology has brought convenience to our lives, but the sensitive and private data collected are also more vulnerable to attack. Aiming at the data privacy security problem of edge-assisted Internet of Things, an outsourced mutual Private Set Intersection protocol is proposed. The protocol uses the ElGamal threshold encryption algorithm to rerandomize the encrypted elements to ensure all the set elements are calculated in the form of ciphertext. After that, the protocol maps the set elements to the corresponding hash bin under the execution of two hash functions and calculates the intersection in a bin-to-bin manner, reducing the number of comparisons of the set elements. In addition, the introduction of edge servers reduces the computational burden of participating users and achieves the fairness of the protocol. Finally, the IND-CPA security of the protocol is proved, and the performance of the protocol is compared with other relevant schemes. The evaluation results show that this protocol is superior to other related protocols in terms of lower computational overhead.

1. Introduction

The vigorous development of fifth-generation technology (5G), Internet of Things (IoT), edge computing, and other technologies has spawned new medical and lifestyle applications such as smart medical treatment [1], smart home [2], and smart bus [3]. Intelligent IoT devices are widely used in daily life and have brought great changes to people's lives. With the assistance of proxy devices and edge servers [4], the data these devices collect can be outsourced to edge storage for subsequent analysis and use. However, although data outsourcing based on edge computing reduces the storage and computing overhead on the user side, it also exposes the user's sensitive data to the risk of leakage [5]. How to protect the privacy of data stored on edge servers while sharing data with designated data consumers (such as service and product providers, medical professionals, and educators) has become a focus of research.

Private Set Intersection (PSI) is an efficient cryptographic technique that allows data to be shared secretly: it keeps the data stored on the edge server secure while still making full use of that data for intersection calculation. It has therefore become an important research object for solving the problem of privacy-preserving data sharing in edge-assisted Internet of Things. In a PSI protocol [6], two participants calculate the intersection of their private sets. In the edge computing environment, two clients encrypt their respective data sets and outsource them to the edge server. The edge server then performs the intersection operation but cannot learn any information about the sets. Finally, one or both clients obtain the intersection result, while their respective sets remain private. A protocol in which only one client obtains the intersection result is a one-way PSI protocol [7], which can be applied in situations such as contact tracing of the novel coronavirus COVID-19 [8]. In that case, the client unilaterally obtains the intersection result to determine whether it is a contact. However, a one-way PSI protocol cannot guarantee that both clients obtain the intersection result at the same time. Obviously, one-way PSI cannot satisfy both clients in situations such as profile matching [9], in which both clients want to obtain the intersection result to realize medical information sharing between patients. In this case, a mutual PSI (mPSI) protocol [10] is the better choice, and it is the focus of this paper.

Debnath et al. [11] proposed a secure mutual oblivious pseudorandom function (mOPRF) under the malicious model based on a composite order group to maintain the fairness of the mPSI protocol and used a homomorphic encryption algorithm to protect data privacy. However, since the protocol is constructed on a composite order group, its efficiency is lower than that of protocols based on prime order groups. Based on [11], Debnath et al. [12] proposed another mPSI protocol using prime order groups. The protocol also uses a homomorphic encryption algorithm to ensure the security of data and uses a semihonest offline arbiter to achieve fairness between the two participants. However, the complexity of the protocol is still high. The mPSI protocol in [13] is also constructed on a prime order group. It uses the multiplicative homomorphic ElGamal encryption and the distributed ElGamal cryptosystem to ensure the security of data and an offline semihonest arbiter to achieve fairness. But in order to ensure security under the malicious model, it uses the verifiable Cramer-Shoup cryptosystem, which makes the protocol more complicated. Overall, although these mPSI protocols achieve data privacy and fairness, they have high computational complexity and low efficiency.

In this paper, we propose an outsourced mPSI (O-mPSI) protocol with the aid of the edge server. The protocol not only protects the data privacy of the parties and achieves the fairness of the results obtained by both parties, but also improves the efficiency. The main contributions are as follows:

(1) The O-mPSI protocol improves the method of preprocessing set elements in [14] by increasing the number of elements stored in each hash bin instead of using the stash. It only needs to compare the elements in the two hash tables in a bin-to-bin manner to calculate the intersection, which further reduces the number of comparisons of set elements and decreases the computational cost of the protocol. As a result, the computation and communication overhead of this protocol is lower than that of the existing mPSI protocols, which realizes the efficiency of the O-mPSI protocol.

(2) The protocol adopts the ElGamal threshold encryption algorithm to encrypt the elements in the hash table to ensure that the set elements of both parties are compared in the form of ciphertext, so that the users can correctly and safely calculate the intersection, which realizes the data privacy of the O-mPSI protocol.

(3) The protocol introduces a semihonest edge server as the third party, and the work of set element comparison is transferred to the server, which further reduces the computational burden of users. At the same time, it enables the two users to process set elements in parallel. This ensures that, after the execution of the protocol, both parties can know the intersection results at the same time, which realizes the fairness of the O-mPSI protocol.

Since Agrawal et al. [15] proposed the concept of PSI, a series of work has been done to construct the PSI protocol. Ordinarily, they are divided into one-way PSI and mutual PSI.

2.1. One-Way PSI

At present, there are many types of research on the one-way PSI protocol, and the design methods are mainly based on public key encryption, garbled circuit (GC), oblivious transfer (OT), and cloud computing. Based on the design method of public key encryption system, literature [16] uses Fully Homomorphic Encryption (FHE) to construct the PSI protocol. The protocol uses bloom filters (BF) to process data, so that the complexity of the protocol has nothing to do with the size of the client set. Huang and Evans designed a PSI protocol [17] through GC that can resist semihonest adversaries, which proved to be suitable for the intersection calculation of sets of different sizes. Pinkas et al. realized the PSI protocol [18] with linear communication complexity based on GC and oblivious programmable pseudorandom functions (OPPRF). This protocol is superior to previous circuit-based PSI protocols in terms of efficiency. Literature [14] constructed oblivious pseudorandom function (OPRF) based on OT extension and then proposed a PSI protocol combined with OPRF and hash algorithm, and the security is proved under the semihonest opponent model. Kavousi et al. proposed a PSI protocol in [19], which takes the OPRF and the garbled BF as its main components, avoiding costly operations of computation and having high scalability. The protocol in [20] allows users to store their private data sets on cloud server and also entrust computing of the intersection to the server and use homomorphic encryption (HE) and oblivious polynomial evaluation (OPE) to process the data. It greatly reduces the workload of users and improves the computational efficiency of the protocol. The PSI protocol designed by Abadi et al. [21] also uses cloud storage of private data sets. It is mainly constructed by hash table and OPE without any public key encryption operation. 
However, all parties need to establish a secure channel in advance; otherwise it is easy for an attacker to eavesdrop on the communication between honest parties. Literature [22] proposed an improved PSI scheme based on [21]. There is no need for any secure channel in the scheme, which is superior to the scheme in [21] in terms of confidentiality and complexity.

2.2. Mutual PSI

The research on mutual PSI protocol began in 2005; Kissner and Song et al. proposed the first mPSI protocol [23], which is based on the mathematical properties of OPE and uses HE to calculate PSI on ciphertexts. The fairness of the protocol depends on the fairness of the threshold encryption scheme used by the protocol. Camenisch and Zaverucha proposed another mPSI authentication set protocol [24] based on Camenisch-Lysyanskaya signature (CLS) and OPE. The disadvantage of this protocol is that its computational overhead is quadratic and the computational complexity is relatively high. Fairness of the protocol in [24] is realized by a fair exchange scheme. However, if the input is not authenticated, it usually does not work. Kim et al. coupled the prime representation (PR) technology with threshold additive HE and realized an mPSI protocol [25] with linear complexity for the first time in the semihonest security model and through the nature of threshold decryption to achieve the fairness of the protocol. Dong and Chen et al. proposed a fair mPSI protocol [26] with a semihonest arbitrator based on HE and OPE. The arbitrator in the protocol can handle conflicts and cannot know the user's private input and output. The mPSI protocol in [11] is constructed by HE and mutual oblivious pseudorandom function (mOPRF). The fairness of the mOPRF ensures the fairness of the protocol. And in the standard model, it has been proven to resist the attack of malicious adversaries. In [12], an mPSI protocol with linear communication and computational overhead is constructed by using prime order group. The protocol uses a distributed ElGamal encryption algorithm and an offline semitrusted third party to achieve the fairness of the protocol and the security under the malicious adversary model. The mPSI protocol in [13] uses multiplicative HE and a distributed ElGamal cryptosystem to protect data privacy and uses an offline semihonest arbiter to achieve fairness. 
Under the decisional Diffie-Hellman assumption, it is proved that the protocol is secure under the malicious adversary model.

We show the differences between these protocols in Table 1.

3. Preliminaries

3.1. Decisional Diffie-Hellman Assumption

Definition 1. Let be a cyclic group of prime order , is the generator of , and . For the following two four-tuple distributions: , , and for any probability polynomial time (PPT) adversary when distinguishing between and , its advantage is negligible with security parameter , where is a random four-tuple and is a Diffie-Hellman four-tuple.

3.2. Security Model
3.2.1. Adversary Model

We consider the environment where a PPT adversary exists; the definition and model follow [27]. In this setting, the adversary can eavesdrop on the messages transmitted through the communication channel and allow to corrupt participant to obtain private key. The capabilities of the adversary are shown in Table 2.

3.2.2. Formal Security Model

We mainly describe the formal security model of the O-mPSI protocol in this section. It is based on the model in [28] and we made some modifications according to the specific requirements of the O-mPSI protocol.

Initialization. In a two-party set intersection scheme O-mPSI, three entities are involved, that is, two participants and an edge server . Each of them may have several instances called oracle, which involve different, concurrent executions of O-mPSI. We denote user instances as , server instances as , and any kind of instance as . In addition, holds key pair , has key pair , and is the system public key.

Queries. The adversary only interacts with the participants of the protocol through oracle queries, which simulates the capabilities of adversary in a real attack. And all possible oracle queries are shown below:

(1) Execute (): The adversary’s eavesdropping attack is simulated in this oracle query (see C1 in Table 2), and the messages exchanged during the actual implementation of the O-mPSI protocol are returned.

(2) Send (): sends a message to instance in this query; then the response generated by processing based on O-mPSI protocol is returned.

(3) Corrupt (): The corruption ability of the adversary is simulated in this query (see C2 in Table 2). can only corrupt one of the two users, not both.
If , it returns the private key and data set of .
If , it returns the private key and data set of .

(4) Collude (): The collusion ability of adversary is simulated in this query (i.e., C3 in Table 2). Any information stored on the server is returned.

(5) Reveal (): The system private key shared by the instances and is returned to the adversary in this query. But instances , and their partner must not have been queried by corrupt-query and test-query; otherwise it returns .

(6) Challenge (): In this query, selects two messages and of equal length and sends them to instance . The instance selects randomly, then encrypts , and returns the ciphertext . Among them, , , and in have not been inquired by corrupt-query and reveal-query; otherwise it returns . And this query is called only once during execution.

(7) Test (): After querying the oracle, if the guessed bit , return 1; otherwise return 0. This query can only point to the instance in the challenge-query and is called only once during execution.

IND-CPA security. During the execution of the O-mPSI protocol, can require polynomial degree to execute, send, corrupt, collude, and reveal queries. can also send a challenge-query and a test-query to an instance that has not been queried. At the end of the game execution, for the bit in the challenge-query, outputs a guess bit in the test-query. If , it means that wins and it is recorded as . The advantage that the adversary can destroy the IND-CPA security of O-mPSI protocol is defined as

Definition 2. For any PPT adversary , if there is a negligible function such that , then the O-mPSI protocol is IND-CPA secure.

3.3. Hash Algorithm

Cuckoo hashing. Cuckoo hashing [29] is a method to solve hash conflict, which is widely used in PSI protocols. In this hashing technique, two hash functions are used to map elements into bins, where each bin has at most elements. When storing an element in the cuckoo hash table, calculate the two bin positions and corresponding to . If both bins are not full, insert into either of them; if one of the two bins is full and the other is not full, then insert into the bin that is not full; if both bins are full, then randomly select a position to kick out one of the elements and then insert into it; the kicked is reinserted into the cuckoo table using the same algorithm. This process is called relocation, and the relocation process is executed recursively until all elements are stored in the cuckoo hash table.

Simple hashing. This hashing technique is similar to cuckoo hashing. Two hash functions are used to map elements into bins, and each bin also has at most elements. However, in simple hash mapping, when the element is mapped to its corresponding two positions and , the elements are stored in both and .

3.4. ElGamal Threshold Encryption Algorithm

The ElGamal threshold encryption algorithm [30] is implemented according to the additive homomorphism of the ElGamal encryption algorithm and is composed of four algorithms: KeyGen, Encrypt, Decrypt, and Rerandomize. The specific algorithm is as follows:

KeyGen. Given a cyclic group of order and its generator , the security parameter is . Parties and randomly select and then compute , where is their respective private key, and is their respective public key. Then the public key of the threshold encryption scheme is .

Encrypt. For a message , map to using the hash function , where is defined as . Then select a random number , and compute the ciphertext of the message as .

Decrypt. For a ciphertext , half-decrypts it as ; then fully decrypts as .

Rerandomize. For the given ciphertext , select a random number to rerandomize it to .

4. Outsourced Mutual PSI Protocol

4.1. Overview

The system model of O-mPSI protocol is shown in Figure 1. There are three entities involved, two participating users and a semihonest edge server . Among them, has private data set and user has private data set . They hope to calculate the intersection of and through the server without revealing their own set information.

The design idea of our protocol is based on [14], where and select three hash functions to generate three hash bin positions corresponding to the set elements in the hash table. uses the cuckoo hashing to select one of the three bins to map each element in the set to hash table , each bin stores one element, and the remaining elements are stored in the stash . uses simple hashing to map each element in set to the corresponding three bins in hash table , and each bin stores elements. Then, the elements in the hash bin of are compared with the elements in the corresponding hash bin of . And each element in the stash is compared to all elements in set . In this way, the comparison times of elements are reduced from to , and the intersection is all the equal elements obtained by comparison.

But we diverge from the protocol of [14] in the method. In our protocol, parties and agree on two hash functions to generate the two hash bin positions corresponding to the set elements in the hash table. In this way, the elements in the set of only need to be stored twice, which saves storage space and reduces the subsequent computational burden. Moreover, our protocol sets the size of each bin of hash table to . This avoids that the elements cannot be stored in the hash table due to too many relocations when hash conflicts occur, so there is no need to increase the stash to store the elements. Therefore, it is only necessary to compare the elements in the bin of with the elements in the corresponding bin of to obtain the intersection. This further decreases the number of comparisons and reduces the complexity of the protocol.

However, there is still a problem of how to protect the privacy of user set information while calculating the intersection correctly. We use the ElGamal threshold encryption algorithm to solve this problem, as shown in Section 4.2.1. Participant uses the public key to encrypt the elements in the hash table and then sends it to the other party to rerandomize. Combined with the hash algorithm, we can see that, for in the hash bin of , if the same element in is stored in the corresponding hash bin, there must be in the two hash bins with the same bin number. Therefore, the use of ElGamal threshold encryption algorithm enables the comparison operation of elements to be performed in the form of ciphertext and ensures that the encrypted results of equal elements on both sides are the same. It creates conditions for the smooth implementation of intersection calculation.

In addition, in order to decrease the computational burden of both parties, the element comparison work is handed over to the edge server. Specifically, sends the hash table encrypted by the ElGamal encryption algorithm to the server. Then the server compares the elements in the two hash tables in a bin-to-bin manner in the form of ciphertext. That is, it compares the elements in the hash bin of with the elements in the corresponding hash bin of . In this way, all the equal ciphertext elements in the bins are the intersection in the ciphertext form. Then and cooperate to decrypt the intersection in the form of ciphertext in parallel, and the plaintext intersection can be obtained at the same time. Among them, the comparison work of bins can be performed in parallel, which reduces the time overhead of O-mPSI protocol.

4.2. O-mPSI Protocol

In this section, we introduce the proposed O-mPSI protocol. For easier understanding, we divide the protocol into two parts: the data encryption part and the set intersection computation part, which are introduced in the following two subsections, respectively.

4.2.1. ElGamal Threshold Encryption Protocol

In this section, we describe how ElGamal threshold encryption algorithm works in the protocol, and the details are shown in Algorithm 1.

Inputs:
: The cuckoo hash table
: The hash table
Output: the encrypted cuckoo hash table and .
Key generation phase
and calculate as below:
 1. Determine a hash function .
 2. Run the KeyGen algorithm in ElGamal threshold encryption to generate the key pairs .
 3. Publish the public keys and keep the private key .
 4. Each party computes .
Encryption phase
 1. encrypts the cuckoo hash table by bins, for all , computes as follows:
  (1) choose a random number , for all items in the kth cuckoo hash table , using ElGamal threshold encryption algorithm to encrypt them:
  (2) sends to in shuffled order.
 2. encrypts the hash table by bins, for all , computes as follows:
  (1) choose a random number , for all items in the kth hash table , using ElGamal threshold encryption algorithm to encrypt them:
  (2) sends to in shuffled order.
 3. re-randomizes the received by bins. For all and , computes as follows: .
  Then .
 4. re-randomizes the received by bins. For all and , computes as follows:
Then .

Remark 1. In the key generation phase, parties and jointly generate the public key so that both parties can use the same public key for encryption in the subsequent encryption phase.

Remark 2. In the encryption phase, after encrypting the hash table, each party needs to send it to the other party for rerandomization. Because each party privately chose a random number for encryption, two equal elements are encrypted differently by the two parties. In addition, to calculate the set intersection correctly, it is necessary to add the rerandomization operation performed by the other party, which makes the encryption results of equal elements the same.
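The KeyGen, Encrypt, Decrypt and Rerandomize steps of Section 3.4, run on a single bin the way Algorithm 1 and Remark 2 describe, as an added example that is not the authors' code. The formulas did not survive on this page, so the sketch uses textbook two-party ElGamal over a toy 64-bit safe-prime group and assumes each party reuses its per-bin random number both to encrypt its own bin and to rerandomize the other party's bin; the party names A and B, the function names and the sample elements are constructed.

```python
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin over fixed bases; exact for the ~64-bit values used here."""
    if n < 2:
        return False
    for s in BASES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_group(bits=64):
    """First safe prime p = 2q + 1 above 2**bits; 4 generates the order-q subgroup.
    Demonstration size only (assumption of this sketch), far too small for real use."""
    q = 2 ** (bits - 1) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = toy_group()

def H(m: bytes) -> int:
    """Hash a set element into the order-q subgroup (square of a nonzero residue)."""
    v = 1 + int.from_bytes(hashlib.sha256(m).digest(), "big") % (P - 1)
    return pow(v, 2, P)

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, q-1]

def keygen():
    x = rand_exp()
    return x, pow(G, x, P)                       # (private share, public share)

def encrypt(h, m, r):
    return pow(G, r, P), H(m) * pow(h, r, P) % P

def rerandomize(h, c, r):
    return c[0] * pow(G, r, P) % P, c[1] * pow(h, r, P) % P

def half_decrypt(c, x):
    # Strip one key share: c1^(q-x) equals c1^(-x) in the order-q subgroup.
    return c[0], c[1] * pow(c[0], Q - x, P) % P

def full_decrypt(c, x):
    return half_decrypt(c, x)[1]                 # second share removed: H(m) is left

def bin_intersection(items_a, items_b):
    """One bin: encrypt, cross-rerandomize, server comparison, joint decryption."""
    xa, ha = keygen()
    xb, hb = keygen()
    h = ha * hb % P                              # joint public key of the threshold scheme
    ra, rb = rand_exp(), rand_exp()              # one random number per party for this bin
    # A encrypts with ra and B rerandomizes with rb, and vice versa, so both
    # tables end up under the same total randomness ra + rb.
    enc_a = [rerandomize(h, encrypt(h, m, ra), rb) for m in items_a]
    enc_b = [rerandomize(h, encrypt(h, m, rb), ra) for m in items_b]
    common = [c for c in enc_a if c in enc_b]    # server sees ciphertexts only
    # Each party half-decrypts; the other party finishes the decryption.
    seen_by_b = {full_decrypt(half_decrypt(c, xa), xb) for c in common}
    seen_by_a = {full_decrypt(half_decrypt(c, xb), xa) for c in common}
    # Decryption yields H(m); each party matches it against its own elements.
    out_a = sorted(m for m in items_a if H(m) in seen_by_a)
    out_b = sorted(m for m in items_b if H(m) in seen_by_b)
    return out_a, out_b

def fresh_rerandomization_check(m):
    """With fresh randomness the ciphertext changes but the plaintext does not."""
    xa, ha = keygen()
    xb, hb = keygen()
    h = ha * hb % P
    c = encrypt(h, m, rand_exp())
    c2 = rerandomize(h, c, rand_exp())
    return c != c2, full_decrypt(half_decrypt(c2, xa), xb) == H(m)

if __name__ == "__main__":
    print(bin_intersection([b"alice", b"bob"], [b"bob", b"carol", b"dave"]))
    print(fresh_rerandomization_check(b"alice"))
```

Neither private share alone removes the mask from a ciphertext, which is why the final step needs both parties.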

4.2.2. Outsourced Two-Party Set Intersection Protocol

In this section, we will explain the intersection calculation part of the O-mPSI protocol. Detailed description can be seen in Algorithm 2.

Inputs:
: Set
: Set
Output: The intersection set , where .
Data storage phase:
 1. and determine the number of bins, the size of bins and the two hash functions .
 2. For , , computes the two bin positions and corresponding to , and inserts into one of them. fills the bin with less than elements with dummy elements, then generates the cuckoo hash table .
 3. For , , computes the bin positions and corresponding to , and inserts into both of them. fills the bin with less than elements with dummy elements, then generates the hash table .
Data encryption phase:
 1. calls the ElGamal threshold encryption protocol to compute the encrypted hash table , and then sends to the server in shuffled order.
 2. calls the ElGamal threshold encryption protocol to compute the encrypted cuckoo hash table , and then sends to the server in shuffled order.
Intersection calculation phase:
 1. After the and are received, the server proceeds as follows:
  (1) computes the encrypted set intersection by bins: for , computes .
  (2) then the final encrypted intersection .
  (3) publishing .
 2. After receiving , the users , and the server proceed as follows:
  (1) each party half-decrypts to using its private key, and then sends to the server.
  (2) then the server sends to and sends to .
  (3) each party fully decrypts the half-decrypted intersection received from the other party and gets the plaintext intersection set .

Remark 3. In the data storage phase, hashes all its elements into one of its two corresponding bins, and each element is stored in only one bin. hashes all its elements into both of its two corresponding bins, and each element is stored in both bins. In this case, suppose that there is ( and ); the two bin positions and corresponding to are the same as the two bin positions and corresponding to . Then no matter which bin( or ) is stored in, the corresponding element can be found in the two bins and . Therefore, it can be known that storing all elements in set in both bins can avoid missing intersection elements when computing the set intersection.
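The hashing of Section 3.3 and the data storage phase of Algorithm 2, shown on plaintext so the bin-to-bin logic of Remark 3 is visible, as an added example that is not the authors' code. The SHA-256-based hash functions, the party labels A and B, the parameter values and the device identifiers are constructed, and the simple-hashing table is padded to its largest observed bin load rather than to a size fixed in advance.

```python
import hashlib
import random

def positions(x: str, b: int):
    """Two bin positions for x from two domain-separated SHA-256 hashes."""
    def h(tag: bytes) -> int:
        return int.from_bytes(hashlib.sha256(tag + x.encode()).digest(), "big") % b
    return h(b"h1|"), h(b"h2|")

def cuckoo_table(items, b, d, rng=None, max_kicks=500):
    """Store each item in ONE of its two bins; bins hold at most d items."""
    rng = rng or random.Random(0)
    table = [[] for _ in range(b)]
    for x in items:
        for _ in range(max_kicks):
            i, j = positions(x, b)
            free = [k for k in (i, j) if len(table[k]) < d]
            if free:
                table[free[0]].append(x)
                break
            # Both bins full: evict a random occupant and relocate it next round.
            k = rng.choice((i, j))
            slot = rng.randrange(d)
            table[k][slot], x = x, table[k][slot]
        else:
            raise RuntimeError("relocation limit hit: add bins or enlarge d")
    return table

def simple_table(items, b):
    """Store each item in BOTH of its bins (once if the two positions coincide)."""
    table = [[] for _ in range(b)]
    for y in items:
        for k in set(positions(y, b)):
            table[k].append(y)
    return table

def pad(table, size, owner):
    """Fill every bin up to `size` with dummies that can never equal a real
    element or the other party's dummies."""
    return [bin_ + [(owner, k, n) for n in range(size - len(bin_))]
            for k, bin_ in enumerate(table)]

def bin_to_bin(t1, t2):
    """Compare bin k of one table only with bin k of the other."""
    matches, comparisons = set(), 0
    for bin1, bin2 in zip(t1, t2):
        for x in bin1:
            for y in bin2:
                comparisons += 1
                if x == y:
                    matches.add(x)
    return matches, comparisons

def run(X, Y, b, d, seed=0):
    """Return (intersection, bin-to-bin comparisons, all-pairs comparisons)."""
    t1 = pad(cuckoo_table(sorted(X), b, d, random.Random(seed)), d, "A")
    raw2 = simple_table(sorted(Y), b)
    d2 = max(len(bin_) for bin_ in raw2)     # assumption: pad to the largest load
    t2 = pad(raw2, d2, "B")
    matches, comparisons = bin_to_bin(t1, t2)
    return matches, comparisons, len(X) * len(Y)

if __name__ == "__main__":
    X = {f"dev-{i}" for i in range(60)}       # constructed sample sets
    Y = {f"dev-{i}" for i in range(40, 100)}
    found, cmp_bins, cmp_all = run(X, Y, b=30, d=4)
    print(sorted(found) == sorted(X & Y), cmp_bins, cmp_all)
```

Because every element of the second set sits in both of its bins, the lookup succeeds whichever of the two bins the cuckoo side chose, including after relocations.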

Remark 4. In the data encryption phase, parties and use the ElGamal threshold encryption algorithm in Section 4.2.1 to encrypt the elements in their hash table and at the same time add a permutation sequence, so that both parties cannot know the specific location of the element. After hash tables and undergo the same permutation process, their bin numbers still correspond, so the intersection can be calculated correctly by the bins.

Remark 5. In the intersection calculation phase, if the server continues to calculate on the encrypted intersection according to the additive homomorphism of the ElGamal homomorphic encryption algorithm, the encrypted intersection sum can be obtained. Then, by continuing with step 2, both and will obtain the plaintext intersection sum.

5. Security Analysis

The security proof of the O-mPSI protocol based on decisional Diffie-Hellman (DDH) assumption is shown in this section.

Theorem 1. Let be a represented group of order . Let be a PPT adversary against the IND-CPA security within a time limit , and can send send-queries, execute-queries, and random oracle queries at most. Then we can get

Proof. Let be the adversary against the IND-CPA security of O-mPSI protocol. Then construct PPT adversaries to attack the DDH assumption through . If can break the IND-CPA security, then at least one PPT adversary has successfully broken the DDH assumption. We utilize hybrid games to prove Theorem 1. The game starts from the real attack and ends when the adversary does not have any advantage. An event is defined for each game , which indicates that guesses the bit in the test-query correctly.

(1) Game : The game corresponds to a real attack in the random oracle model. According to Definition 2, we can get

(2) Game : We simulate the random oracle (and there is also a random oracle that will appear in ) in by maintaining hash list (and ) as usual. Besides, Send, Execute, Corrupt, Collude, Reveal, Challenge, and Test oracles will be simulated as in the real attack (see Table 3). It is easy to know that is completely indistinguishable from the real attack, so that

(3) Game : Like , we simulate all oracles in , except for games where some collisions occur: and . Because or is simulated, they are randomly and uniformly selected. Therefore, from the birthday paradox, we know that

(4) Game : In , we use the private oracles instead of the oracle to calculate and , which are completely independent of and . The games and are indistinguishable unless the event occurs: queries the hash function for or . In addition, no matter what bit in challenge-query is, the answer is random. Therefore, it can be seen that

(5) Game : In , we simulate the executions through the random self-reducibility of the Diffie-Hellman problem, and given one DDH instance , we randomly select and let , , so we can get a quadruple . Then we have

Moreover, means that the adversary had queried the random oracle on or . Then we get

According to the above equations, we can conclude that

The simulation queries involved in the protocol are as follows.

6. Performance Evaluation

6.1. Theoretical Evaluation

In this section, regarding the complexity of calculation and communication, we compare the O-mPSI protocol with the protocols in [11, 12, 20]. We choose these three protocols because both parties of the protocols in [11, 12] can know the intersection, and the protocol in [20] supports outsourcing. These protocols are very similar to our protocol. The comparison results are shown in Table 4.

Computation complexity. Our O-mPSI protocol uses a cuckoo hash table to store data, and the ElGamal threshold encryption algorithm to encrypt data. We use the number of modular exponential operations to evaluate the computational overhead of O-mPSI protocol. Party and party each performs exponential operations when encrypting the hash tables and and performs exponential operations in the decryption phase. The server only performs the intersection calculation which does not involve any exponential operations, where represents how many bins are in the hash table, is the size of the bin, and is the intersection-cardinality. Therefore, the protocol O-mPSI has performed modular exponential operations in total. We define , , , where is the cardinality of the private set of party . The possible values of intersection are in the range [0, ], where we take its maximum value . Therefore, the computational complexity is in the O-mPSI protocol.

The protocol in [11] is based on the two-way oblivious pseudorandom function mOPRF, without the participation of a third-party server, and its computation complexity is . The protocol in [12] also does not involve the third-party server; its computation complexity is . In the verifiable delegated PSI protocol of [20], the user performs exponential operations and the server performs exponential operations, so the overall computation complexity of [20] is .

From the analysis above, it is clear that our O-mPSI protocol has much lower computational complexity than the other three protocols.

Communication complexity. Our O-mPSI protocol uses the number of transmitted ciphertexts to express the complexity of communication. Party sends encrypted elements and rerandomized elements , for and , to . Party sends encrypted elements and rerandomized elements , for and , to . Thus, the O-mPSI protocol generates a total of ciphertexts transmissions. The communication complexity of the protocol O-mPSI is , due to .

In [11], the protocol generates ciphertexts interactions, the protocol in [12] generates ciphertexts interactions, and the protocol in [20] generates ciphertexts interactions.

To sum up, we can see that our O-mPSI protocol is superior to the other three protocols in terms of the communication complexity.

6.2. Experimental Evaluation

To verify the theoretical analysis results in Section 6.1, the computational costs of our O-mPSI protocol and the protocols in [11, 12, 20] are compared through experiments. The experimental platform is Windows 10, AMD Ryzen 5 4600H with Radeon Graphics 3.00 GHz, 16 GB RAM, and the compilation environment is MyEclipse 2017. In the experiment, we set and , where represents how many bins are in the hash table, is the size of the bin, and is the set cardinality.

Since our O-mPSI protocol and the protocols in [11, 12, 20] all use homomorphic encryption algorithm to encrypt data, we first compare the time it takes for the four protocols to execute with different modulus lengths. In this experiment, we set ; for modulus of 128 bit, 256 bit, 512 bit, and 1024 bit, the different homomorphic encryption times of the 4 protocols are shown in Figure 2.

It can be seen from Figure 2 that, as the modulus length increases, the time of homomorphic encryption performed by the four protocols also increases. Among them, the time cost of the O-mPSI protocol is lower than that of Debnath’s mPSI1 and mPSI2 protocols and Abadi’s PSI protocol, and its growth trend is the slowest. The time cost in this experiment depends on how many modular exponential operations are used in the scheme. According to Table 3, the O-mPSI protocol uses the fewest modular exponential operations in its calculation. Therefore, the increase of modulus length has the least impact on the O-mPSI protocol.

We further compare the time it takes for the four protocols to execute at different set cardinalities. In this experiment, we fixed the modulus length to 1024 bit; for the cardinality of , the running time of the four protocols can be seen in Figure 3.

It can be seen from Figure 3 that the execution time of the four protocols increases with the size of the data set. Among them, the execution time overhead of the O-mPSI protocol increases most slowly compared to that of Debnath’s mPSI1 and mPSI2 protocols and Abadi’s PSI protocol. This is because the O-mPSI protocol in this paper uses a hash algorithm to process the set elements in advance. Therefore, as the size of the data set continues to increase, the time cost curve of the O-mPSI protocol grows slowly, while the time cost curves of the other three protocols increase significantly.

7. Conclusions

To address the problem of data privacy and secure sharing in edge-assisted IoT, we proposed a fair outsourced mPSI protocol with a lower computational cost. The proposed O-mPSI scheme uses the existing hash bin-to-bin method to calculate the intersection and improves it to further reduce the number of element comparisons. The calculation of the intersection is outsourced to the edge server, which reduces the computing burden on both sides. The scheme adopts the ElGamal threshold encryption algorithm to ensure data security. Only when both parties cooperate can all ciphertexts be completely decrypted. Therefore, this scheme can effectively resist a collusion attack between the server and any one of the two parties. The scheme is proved to be IND-CPA secure under the DDH assumption. Theoretical analysis and experimental evaluation show that the computational cost of the O-mPSI protocol proposed in this paper is lower than that of other mutual PSI protocols.

The combination of edge computing and IoT improves the intelligence of IoT devices and introduces intelligent devices into all aspects of life. The massive use of smart IoT devices has led to a sharp increase in the amount of data generated by users. Privacy protection and secure sharing of big data in the IoT have become the focus of current research. Therefore, research on more secure and efficient PSI technology applied to edge-assisted IoT is our future research direction.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by the National Natural Science Fund of China (no. 61802117), the PhD Foundation of Henan Polytechnic University (no. B2021-41), the Support Plan of Scientific and Technological Innovation Team in Universities of Henan Province, China (no. 20IRTSTHN013), the youth backbone teacher support program of Henan Polytechnic University (2018XQG-10), and the Research Foundation of Young Core Instructor in Henan Province, China (2018GGJS058).