Practical implementations of Private Set Membership

Problem Statement

Imagine you have a set (no duplicate elements) e.g. S1 = {'a', 'b', 'c'}.

You wish to share a private (and ideally both small in size and integrity protected) representation of this set with another party (who could have pre-shared keys with you) where they can verify (yes or no) if some element of their choice e.g. 'b' is a part of the set S1.

What is the most simple combination of cryptographic primitives that you can use to solve this?

Directions so far

It would seem that hashing the set would be ideal (as opposed to simply encrypting) due to the size constraints.

If we wish to do opaque membership checks some sort of homomorphic encryption is likely needed.

I've read up on Private-Set-Intersection and Private-Set-Membership, however the implementations I found are not minimal and have other "kitchen-sink" functionality that is not desirable.

Some reading so far

• https://engineering.fb.com/2019/03/01/security/homomorphic-hashing/ (https://eprint.iacr.org/2019/227.pdf)
• https://github.com/google/private-membership
• Faster Private Set Intersection Based on OT Extension (pdf)
• Efficient Private Matching and Set Intersection (pdf)
• Faster Unbalanced Set Intersection (pdf)

You just need an oblivious PRF. Alice computes and sends $F_k(x)$ for all $x \in S$, where $F$ is a PRF. Alice and Bob use an OPRF protocol to let Bob learn $F_k(y)$ for a value $y$ of his choice. If $y \in S$ then Bob will see a match with the values sent by Alice. If $y \not\in S$ then the pseudorandomness of $F$ implies that $\{ F_k(x) \mid x \in S \}$ all look random even given $F_k(y)$. In other words, these values leak nothing about the specific values of $x$ in $S$.

There is a simple semi-honest OPRF protocol for the PRF $F_k(x) = H(x)^k$, where $H$ is a random oracle. It works like this:

• Bob chooses random $r$ and sends $Y = H(y)^r$ to Alice.
• Alice sends $Z = Y^k = H(y)^{rk}$ to Bob.
• Bob computes output $Z^{1/r} = H(y)^k = F_k(y)$.

Malicious-secure OPRFs are not much more expensive. You can find a few here and here.

This is something I've been working on.

I would like "small" below to be much smaller than what follows. But this would work for your purposes for a set of binary strings $S$, cryptographic hash $H(x)$, and pre-shared key $k$.

$H(S)=\text{sort} \{H(x) | x \in S\}$. Call this the public witness for $S$. You can hide the size of the set by including random hashes to a given length modulus. This would be a public witness with no integrity, but gives the basic idea.

Assuming the size of $x$ is generally much larger than $H(x)$, the representation of the witness $H(S)$ for $S$ is small compared to the representation for $S$.

If you want to restrict this to those with a pre-shared symmetric key k: (I use $+$ for append to distinguish from the set "such that")

$H^2(k+S)=\text{sort} \{H(k+H(k+x)) | x \in S\}$. Append a keyed-checksum for an integrity check.

$\text{witness for S}: H^2(k+S) + H(k+H^2(k+S))$

Again, to hide the size of $S$ you could always add random hashes to a max size or (imperfectly) to a size modulus.

Checking for membership: send $(n,H(k+n) \bigoplus H(k+x))$ where $n$ is an incrementing number (it may be implied such as a timestamp). The recipient can uncover $H(k+x)$ and then compute $H(k+H(k+x))$ to see if it is in the witness set.