A Novel Edge Cache-Based Private Set Intersection Protocol via Lightweight Oblivious PRF

With the rapid development of edge computing and the Internet of Things, the problem of information resource sharing can be effectively solved through multi-party collaboration, but the risk of data leakage is also increasing. To address the above issues, we propose an efficient multi-party private set intersection (MPSI) protocol via a multi-point oblivious pseudorandom function (OPRF). Then, we apply it to work on a specific commercial application: edge caching. The proposed MPSI uses oblivious transfer (OT) together with a probe-and-XOR of strings (PaXoS) as the main building blocks. It not only provides one-sided malicious security, but also achieves a better balance between communication and computational overhead. From the communication pattern perspective, the client only needs to perform OT with the leader and send a data structure PaXoS to the designated party, making the protocol extremely efficient. Moreover, in the setting of edge caching, many parties hold a set of items containing an identity and its associated value. All parties can identify a set of the most frequently accessed common items without revealing the underlying data.


Introduction
Co-creation and sharing gained significance in the transition from the era of information technology to the era of digital technology. While information sharing brings convenience, the risk of privacy breaches also rises. The private set intersection (PSI) protocol is a widely used approach to distributed set computation. It is devoted to the joint intersection calculation of data from two or more parties. The PSI protocol guarantees that all parties can collaboratively calculate the intersection of the sets without disclosing anything beyond that intersection. PSI plays an important role in improving pattern matching [1], private contact discovery [2], advertisement conversion rate [3], and edge caching [4]. Edge caching is a key technology for communication networks. In order to utilize cache resources more efficiently, individual operators tend to keep their public items in a shared cache that can be accessed by all parties. However, since the cache is shared among multiple parties, these parties aim to identify the set of most frequently visited common data items and add them to the network edge cache. Their objective is to achieve this without revealing the actual underlying data. This is known as the multi-party shared cache problem, where determining the common term is a typical private set intersection problem.
Most of the current efficient PSI protocols are built on OT [5][6][7]. The OT-based PSI protocols offer greater advantages in terms of communication and computation when compared with PSI based on public key encryption [8,9] and PSI based on a garbled circuit [10][11][12]. Efficient OT extension techniques allow parties to generate many OT protocol instances at a low computational cost through a few public key operations. Chase et al. [5] implemented a two-party PSI protocol with one-sided malicious security. This protocol uses OT and a multi-point OPRF to achieve a good balance between computational and communication overhead. The protocol can only interact between two parties, and multiple runs are required to accomplish the intersection computation with multiple parties.

• Multi-party PSI protocol: We propose a specifically efficient MPSI protocol utilizing OT and a PaXoS. The PaXoS can be seen as a corresponding Encode/Decode algorithm achieving a constant rate. Therefore, our protocol has good computational performance. The protocol has low communication overhead since the clients only need to send a data structure. Theoretical analysis shows that the protocol leads to a better balance between communication and computational cost.

• Security against malicious clients: We show that our protocol uses the data structure PaXoS to hide the key during encoding to resist malicious adversaries, which can achieve one-sided malicious security against the clients with almost no additional overhead. At the same time, we prove that the protocol can also resist any possible collusion attack from malicious clients.

• Multi-party cooperative cache: Our MPSI protocol can be applied to edge caching scenarios by using cuckoo hashing and simple hashing. The protocol supports having data associated with each input and the extension of payloads to the multi-party setting. In a multi-party cooperative cache (MPCCache) setting, the MPCCache protocol allows parties to compute a sum depending on the data associated with the intersection items. Compared with [4], our MPCCache protocol eliminates the computing burden associated with polynomial interpolation and improves computational efficiency.

Related Work
PSI. The development of efficient constructions for PSI functionality has received considerable research attention in the last decade or more. Some of the recent relevant works on PSI are illustrated in Table 1. Ghosh et al. [15] presented a MPSI protocol using oblivious linear function evaluation (OLE) with optimal asymptotic communication complexity. However, the balance between communication and computation cost is not good. Kolesnikov [16] proposed a two-party PSI protocol against semi-honest adversaries. The protocol is mainly based on OT techniques for security string equivalence testing and is computationally efficient. Pinkas [17] proposed a two-party semi-honest PSI protocol based on OT and a GBF. The parallelized processing of the protocol allows for some improvement in protocol efficiency. Nevo [18] proposed a malicious PSI protocol utilizing oblivious programmable PRF (OPPRF) and oblivious key-value store (OKVS) technology, which solves the problem of multi-party PSI against malicious adversaries. However, this protocol does not lead to a better trade-off between communication and computational overhead. Pinkas [19] also proposed a PSI protocol for two parties in the malicious model which uses a PaXoS to implement, for the first time, a malicious secure PSI using cuckoo hashing. Ben-Efraim et al. [20] implemented malicious MPSI based on a GBF for multiple parties. However, GBFs suffer from a certain false positive rate and their high communication overhead. Bui et al. [21] constructed an optimized semi-honest PSI based on a pseudorandom correlation generator (PCG). Additionally, they can use the PCG to construct protocols with fully malicious security in the standard model.

Table 1. Recent related works on PSI.
Protocol   Building blocks   Parties       Security
           OT                two-party     Semi-Honest
[17]       GBF + OT          two-party     Semi-Honest
[18]       OPPRF + OKVS      multi-party   Malicious
[19]       PaXoS             two-party     Malicious
[20]       GBF               multi-party   Malicious
[21]       PCG               two-party     Semi-Honest

Function-based PSI. Many studies have focused on developing efficient techniques for PSI construction. In addition, these studies have explored the output results of computing a function over intersections, allowing for potential extensions to various business scenarios. Table 2 shows recent related works on function-based PSI. Ion et al. [3] proposed a PI-Sum Protocol utilizing Diffie-Hellman (DDH) and homomorphic encryption (HE). Consider the advertising (Ad) conversion problem: Ad providers want to analyze Ad effectiveness by age, which obviously cannot be solved using the PI-Sum. Chida [22] proposed a new function based on OPRF and DDH assumptions to calculate the weighted sum of two-party privacy sets (PIW-sum), which has more practical application value. Pinkas et al. [11] proposed an idea of calculating payloads based on the circuit, OPPRF, and cuckoo hash constructs, which allows each input item from one party to have payload data attached to it, and finally to calculate some specific functions of the payloads in the intersection set. Based on a new shuffled distributed oblivious PRF (DOPRF), Miao et al. [23] constructed a two-party PSI cardinality (PSI-CA) protocol for malicious settings which achieves a good computation and communication cost. In the above protocols, only one party can own the payload data, which can be applied in limited practical scenarios. Nguyen et al. [4] extended payload data to the multi-party setting and proposed an MPCCache sharing framework based on polynomial interpolation and OPPRF, which enables multiple parties to calculate a sum of data payloads on each of the common data items and can identify the most frequently accessed data items.

Table 2. Recent related works on function-based PSI.
Protocol   Building blocks   Parties       Function
           OPPRF             multi-party   MPCCache
[11]       OPPRF + Circuit   multi-party   PSI-payload
[22]       OPRF + DDH        two-party     PIW-Sum
[23]       DOPRF             two-party     PSI-CA

Notions
The computational and statistical security parameters are denoted by $\lambda$ and $\sigma$. $[n]$ stands in for the set $\{1, \ldots, n\}$. $\stackrel{R}{\leftarrow}$ indicates uniformly random selection. The notation $||$ denotes concatenation between strings. $\{0,1\}^*$ denotes the set of strings consisting of 0 and 1, where $*$ means that the strings in the set can be of any length. We use $\stackrel{C}{\approx}$ to indicate that the real world is indistinguishable from the ideal world. We denote with $v[i]$ the $i$-th element of a vector $v$ of length $l$. The $i$-th column vector, $i \in [n]$, of the matrix $M_{n \times m}$ is denoted by the symbol $M_i$. The Hamming weight of the binary string $x$ is represented by $\|x\|_H$.

One-Sided Malicious Security
One-sided malicious security [5] is a security property found in cryptographic protocols wherein one party is allowed to engage in arbitrary malicious behavior in an attempt to compromise security while the other parties follow specified behavioral guidelines. In this context, only the targeted party is vulnerable to malicious action, whereas the other parties maintain their assigned roles and responsibilities. Our MPSI protocol achieves unilateral malicious security against the clients, as they are considered as a whole. We further prove that the proposed MPSI is secure against malicious clients.

Security Model
MPSI is a unique instance of secure multi-party computation (MPC). We adhere to the MPC standard security definition. The ideal functionality of MPSI is defined in Figure 1.

Figure 1. Ideal functionality of MPSI.
Inputs: Party
Output: Party $P_n$ receives the set intersection

The security models [24] of secure multi-party computation are divided into semi-honest and malicious models. For the semi-honest model, an adversary can completely obey the protocol execution process, yet might record all the data in the protocol execution process and try to learn more from the data generated during the protocol execution process. The adversary under the malicious model can not only infer the sensitive information through the data of the protocol process but also refuse to participate in the protocol, alter the private input set information, or prematurely stop the protocol from running. Our protocol can achieve one-sided malicious security.

Definition 1. (Malicious security against the clients) If there is a PPT adversary $\mathcal{A}$ who might unilaterally depart from the protocol in the real world, there exists a PPT adversary $\mathcal{S}$ who could modify the input to the ideal functionality and terminate the output in an ideal world. Then, the protocol $\Pi$ can protect from malicious clients, such that for each input $X_1, \ldots, X_n$: . (1)

Oblivious Transfer
Rabin et al. [25] proposed a crucial cryptographic primitive, OT. In a 1-out-of-2 OT configuration, the receiver has a choice bit $b \in \{0,1\}$, while the sender has input strings $(m_0, m_1)$. OT ensures that the receiver learns nothing about $m_{1-b}$ and that the sender learns nothing about $b$. OT necessitates costly public-key operations. Ishai et al. [26] described an OT extension technique that permits many OT executions at the cost of a few public-key operations. We can use the OT instantiation in [15]. The ideal functionality of OT is defined in Figure 2.

PaXoS
The following is a way to encode key-value mapping into a brief data structure using a PaXoS [19].The associated Encode/Decode methods are frequently more convenient to describe when describing a PaXoS than the u mapping.
Encode($(x_1, y_1), \ldots, (x_t, y_t)$): Given $t$ items $(x_i, y_i)$, where $x_i \in \{0,1\}^*$ and $y_i \in \{0,1\}^w$, denote by $M$ the $t \times m$ matrix whose $i$-th row is $u(x_i)$. Note that $u(x)$ is the result of applying the mapping $u$ to $x$. It is possible to find a data structure (matrix) $D$ satisfying $M \times D = (y_1, \ldots, y_t)^T$. In particular, the subsequent linear system of equations is fulfilled when the $u(x_i)$'s are linearly independent:

Decode($D$, $x$): Given $D \in (\{0,1\}^w)^m$ and $x \in \{0,1\}^*$, we can extract the corresponding "value" via y = u(x),
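The Encode/Decode pair above can be exercised with the following added example (not code from the paper or from [19]). It solves M × D = (y_1, ..., y_t)^T over GF(2) by Gaussian elimination and decodes as the XOR of the slots of D selected by u(x). Assumptions: u is a dense pseudorandom row derived with SHAKE-256 rather than the mapping of [19], m = t + 40 is a toy choice, and all function names are hypothetical.

```python
import hashlib
import secrets


def u(x: bytes, m: int) -> int:
    """Row u(x) of M as an m-bit mask (bit j set <=> slot j of D is used).
    Assumption: a dense pseudorandom row, not the mapping used in [19]."""
    raw = hashlib.shake_256(b"okvs-row|" + x).digest((m + 7) // 8)
    return int.from_bytes(raw, "big") & ((1 << m) - 1)


def encode(items, m: int, w: int):
    """Find D in ({0,1}^w)^m with M x D = (y_1, ..., y_t)^T over GF(2).

    Returns None when the rows u(x_i) are linearly dependent (this includes
    a repeated key), i.e. when a solution is not guaranteed to exist.
    """
    pivots = {}  # leading column -> (reduced row, reduced value)
    for x, y in items:
        row, val = u(x, m), y
        while row:
            col = row.bit_length() - 1
            if col not in pivots:
                pivots[col] = (row, val)
                break
            prow, pval = pivots[col]
            row, val = row ^ prow, val ^ pval
        else:
            return None  # row reduced to zero: dependent on earlier rows
    # Slots not fixed by any equation keep fresh random values, so D carries
    # no marker of which positions were constrained.
    D = [secrets.randbits(w) for _ in range(m)]
    for col in sorted(pivots):  # ascending: lower slots are already final
        row, val = pivots[col]
        rest = row ^ (1 << col)
        while rest:
            j = rest.bit_length() - 1
            val ^= D[j]
            rest ^= 1 << j
        D[col] = val
    return D


def decode(D, x: bytes) -> int:
    """y = <u(x), D>: XOR of the slots of D selected by u(x)."""
    row, y = u(x, len(D)), 0
    while row:
        j = row.bit_length() - 1
        y ^= D[j]
        row ^= 1 << j
    return y


def sample_items(t: int, w: int):
    """Constructed sample input: t distinct keys with random w-bit values."""
    return [(b"item-%d" % i, secrets.randbits(w)) for i in range(t)]


if __name__ == "__main__":
    t, w = 50, 128
    m = t + 40  # slack: random rows are dependent with probability < 2^-40
    items = sample_items(t, w)
    D = encode(items, m, w)
    print(all(decode(D, x) == y for x, y in items))
    # Decoding a key that was never encoded returns some value, not an error.
    print(hex(decode(D, b"never-encoded")))
```

Decode never signals that a key is absent, so a party holding only D cannot test membership by decoding; the protocol has to compare the decoded value against something else.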

Multi-Point OPRF
Chase et al. [5] presented a PSI protocol for two parties based on multi-point OPRF. The sender chooses a pseudorandom seed $s \stackrel{R}{\leftarrow} \{0,1\}^w$, and the receiver computes a pseudorandom function $v = F_k(x_i)$ based on its set elements to construct two matrices: $A_{m \times w}$ and $B_{m \times w}$. For each $x_i \in X_1$, the corresponding bits in matrices are the same, while others are different. The sender obtains a matrix $C_{m \times w}$ depending on seed $s$ and runs $w$ OTs with the receiver. Each column of the matrix is either $A_j$ or $B_j$ for all $j \in [w]$. Then, the sender ) and sends them to the receiver. Eventually, the receiver can find the intersection of the two sets based on its computed OPRF value.
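The two-party exchange described above, as an added example (not code from the paper or from [5]). Both sides run in one process and the w OTs are modelled by an ideal function. Assumptions: SHAKE-256 stands in for the PRF F and SHA-256 for the final hash, m = t = 64 and w = 128 are toy values rather than parameters chosen as in [5], and all function names are hypothetical.

```python
import hashlib
import secrets


def F(k: bytes, x: bytes, m: int, w: int):
    """PRF stand-in: v = F_k(x), one row index in [0, m) per column j."""
    raw = hashlib.shake_256(k + b"|" + x).digest(4 * w)
    return [int.from_bytes(raw[4 * j:4 * j + 4], "big") % m for j in range(w)]


def build_D(k, Y, m, w):
    """Columns of D as m-bit masks: all ones, except that bit v[j] of column
    j is cleared for every y in Y. D marks where A and B differ."""
    D = [(1 << m) - 1] * w
    for y in Y:
        for j, row in enumerate(F(k, y, m, w)):
            D[j] &= ~(1 << row)
    return D


def receiver_matrices(k, Y, m, w):
    """Receiver: random A and B = A xor D, so A and B agree on Y's bits."""
    D = build_D(k, Y, m, w)
    A = [secrets.randbits(m) for _ in range(w)]
    B = [a ^ d for a, d in zip(A, D)]
    return A, B


def ideal_ot(m0: int, m1: int, b: int) -> int:
    """Ideal 1-out-of-2 OT: the chooser obtains m_b and nothing about
    m_{1-b}; the other side learns nothing about b. Modelled only."""
    return m1 if b else m0


def oprf(cols, k, x, m):
    """Hash of the bits cols[j][v[j]] for every column j."""
    v = F(k, x, m, len(cols))
    bits = bytes((cols[j] >> v[j]) & 1 for j in range(len(cols)))
    return hashlib.sha256(bits).digest()


def mask_weight(k, Y, x, m, w):
    """Number of columns in which the sender's bit for x depends on s[j].
    It is 0 for x in Y, which is why both sides then hash the same bits."""
    D = build_D(k, Y, m, w)
    return sum((D[j] >> row) & 1 for j, row in enumerate(F(k, x, m, w)))


def two_party_psi(X, Y, m, w):
    k = secrets.token_bytes(16)                  # receiver's PRF key
    A, B = receiver_matrices(k, Y, m, w)
    s = [secrets.randbits(1) for _ in range(w)]  # sender's secret seed
    # w OTs: column j of C is A_j if s[j] = 0 and B_j otherwise.
    C = [ideal_ot(A[j], B[j], s[j]) for j in range(w)]
    # In [5] the receiver reveals k to the sender only after the OTs.
    sent = {oprf(C, k, x, m) for x in X}         # sender -> receiver
    return {y for y in Y if oprf(A, k, y, m) in sent}


if __name__ == "__main__":
    # Constructed sample sets with 32 common elements.
    X = [b"obj-%d" % i for i in range(0, 64)]
    Y = [b"obj-%d" % i for i in range(32, 96)]
    print(len(two_party_psi(X, Y, m=64, w=128)))
```

For a sender element outside Y, roughly a third of the columns at these toy parameters carry a bit masked by the secret seed, so its OPRF value looks random to the receiver; choosing m and w so that this count is large enough is the parameter selection the paper defers to [5].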

Hamming Correlation Robustness
Under the assumption of correlation robustness for the underlying hash function, our MPSI structure is demonstrated to be secure.

Definition 2. (Hamming Correlation Robustness [5]) If the distribution produced by the sampling of $s \leftarrow \{0,1\}^n$ at random is pseudorandom for $a_1, \ldots, a_m, b_1, \ldots, b_m \in \{0,1\}^n$, and has
where ⊕ denotes bitwise-AND and bitwise-XOR, respectively, and F is a random function.

Cuckoo Hashing and Simple Hashing
Hash technology is one of the essential tools for optimizing communication and computational complexity in PSI protocols. There are two commonly used construction methods for hash technology: simple hashing and cuckoo hashing [10]. Simple hashing can map elements to k positions in a hash table using k hash functions, with each bucket being capable of storing multiple elements. Cuckoo hashing can map elements to a specific location in a hash table using a hash function, and its basic idea is to use multiple hash functions to handle collisions. When collisions occur, cuckoo hashing evicts the element occupying the original position, which can be rehomed to alternative positions. If alternative positions are already occupied, the process repeats until all elements can find their homes. Typically, cuckoo hashing and simple hashing are combined to achieve optimal results in PSI protocols.
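How the two tables combine, as an added example (not code from the paper): one party cuckoo-hashes its set, the other simple-hashes its set with the same k hash functions, and only bins with the same index need to be compared. Assumptions: k = 3, a table of 1.5t bins, a stash for items that cannot be placed, SHA-256-derived hash functions, and hypothetical function names; the bin comparison is done in the clear to show the structure only.

```python
import hashlib
import random


def positions(x: bytes, n_bins: int, k: int = 3):
    """The k candidate bins h_1(x), ..., h_k(x) of item x."""
    return [
        int.from_bytes(hashlib.sha256(bytes([i]) + x).digest()[:8], "big") % n_bins
        for i in range(k)
    ]


def cuckoo_table(items, n_bins, k=3, max_kicks=200, seed=1):
    """At most one item per bin. On a collision the occupant is evicted and
    re-homed in one of its other candidate bins. An item still homeless
    after max_kicks evictions goes to the stash."""
    rng = random.Random(seed)
    table, stash = [None] * n_bins, []
    for cur in items:
        for _ in range(max_kicks):
            cand = positions(cur, n_bins, k)
            free = [p for p in cand if table[p] is None]
            if free:
                table[free[0]] = cur
                cur = None
                break
            p = rng.choice(cand)
            table[p], cur = cur, table[p]  # evict the occupant, carry it on
        if cur is not None:
            stash.append(cur)
    return table, stash


def simple_table(items, n_bins, k=3):
    """Every item is stored in all k of its candidate bins; a bin may hold
    many items."""
    bins = [set() for _ in range(n_bins)]
    for x in items:
        for p in positions(x, n_bins, k):
            bins[p].add(x)
    return bins


def binwise_intersection(X, Y, n_bins, k=3):
    """Compare bin b of the cuckoo table only with bin b of the simple table.
    A common item is always found: wherever the cuckoo side placed it, the
    simple side stored a copy in that same bin."""
    table, stash = cuckoo_table(X, n_bins, k)
    bins = simple_table(Y, n_bins, k)
    hits = {x for b, x in enumerate(table) if x is not None and x in bins[b]}
    y_all = set(Y)
    hits |= {x for x in stash if x in y_all}  # stash items face all of Y
    return hits, table, stash, bins


if __name__ == "__main__":
    # Constructed sample sets with 20 common items.
    X = [b"obj-%d" % i for i in range(60)]
    Y = [b"obj-%d" % i for i in range(40, 120)]
    hits, table, stash, bins = binwise_intersection(X, Y, n_bins=90)
    print(len(hits), len(stash), max(len(b) for b in bins))
```

In a private protocol the per-bin comparison is the step performed obliviously, and the simple-hashing bins are padded to a fixed public size so that bin loads reveal nothing about the set.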

Overview
In this section, we show the MPSI protocol. A group of parties $P_1, \ldots, P_n$ with respective private input sets $X_1, \ldots, X_n$ desire to collectively compute $X_1 \cap \ldots \cap X_n$ without disclosing any more information. Note that we regard $t$ as the set sizes for parties, $P_n$ as the leader, and $P_{i \in [n-1]}$ as the clients. The system model of the MPSI protocol is shown in Figure 3.

$P_n$ constructs a random matrix $A_{m \times w}$ and chooses strings for , where $j \in [w]$. For each $i \in [n-1]$, from its input elements, $P_n$ constructs unique matrices $B_{m \times w}$. $P_n$ first initializes a matrix using the entries of the received matrix and send $D_i$ to $P_{n-1}$. $P_{n-1}$ decodes all the $D_i$. Then, they compute and sends the OPRF values ] according to its input set, which allows $P_n$ to find the intersection. This implies that, if $x \in I$, the hash function's input from $P_{n-1}$ and $P_n$ will be equal. While the output of the PRF would be pseudorandom to $P_n$ if $x \notin I$, the hash function's input from $P_{n-1}$ will be dramatically different from any $P_n$'s input.

Our Protocol
We show our MPSI protocol in Figure 4. The selection of $m$, $w$, $l_1$, and $l_2$ in our MPSI protocol follows [5], which shows how to choose the parameters concretely.
Figure 4. Our MPSI protocol (figure body not recovered; the surviving fragments mention uniformly sampling a PRF key, encoding a PaXoS data structure $D_i$, computing OPRF values, and a final step "Concluding the Intersection").

Protocol Correctness
$P_n$ constructs the special matrices $A^i$ and $B^i$ for ] for all $j \in w$. Let $x$ be the intersection element. Since each column of matrix $A^n_j$ is composed of uniform random shares as for $j \in w$, after the client $P_{i \in [n-1]}$ runs OTs with $P_n$, the matrix Based on the nature of the constructed data structure, we have Decode( ), and we can always satisfy

Protocol Security
Theorem 1. If $F$ is a PRF, $H_1$ and $H_2$ are random oracles, and the underlying OT is protected against malicious receivers, then our MPSI protocol has one-sided malicious security which can be secure against malicious clients when $m$, $w$, $l_1$, and $l_2$ are chosen appropriately.

Proof of Theorem 1. We consider any client
Finally, $\mathcal{S}$ can send these $x$ to ideal functionality. Let $Q^i_1$, $Q_2$ be a set of queries $P_{i \in [n-1]}$ and $P_{n-1}$ make to $H_1$ and $H_2$, respectively, and let and $Q_2 = |Q_2|$. We will misuse notation: for matrix $C_{m \times w}$ and vector

We prove Real

Hyb0 The outputs of parties in the real world.

Hyb1 Similar to Hyb0, but $\mathcal{S}$ performs OT simulator on $\{P_i\}_{i \in [l]}$ to obtain $s_i$. If $s_i[j] = 0$, it randomly chooses string $A^i_j$ of length $m$ and constructs matrix $B^i_j = A^i_j \oplus D_j$, and it randomly chooses string $B^i_j$ of length $m$ and constructs matrix $A^i_j = B^i_j \oplus D_j$; otherwise, it gives $C^i_1, \ldots, C^i_w$ to OT simulator as output. Hyb1 is computationally indistinguishable from Hyb0 due to OT security against malicious receiver.

Hyb2 Similar to Hyb1 except that the protocol terminates if there exists ] via the terminate condition added in Hyb4. Note that if $x \in X_n$ and $x \in Q$, because of the construction of $E$, we then have . Suppose there is a PPT adversary $\mathcal{A}$ that, with non-negligible probability, produces $Q$, $Q_2$, and $X_n$ such that there exist $y \in Q$ ] . Then, [5] shows we can break the security of the PRF.

Hyb6 Same as Hyb5 except that the protocol terminates if there exists The protocol is aborted with negligible probability because of the security of the PRF.

Hyb7 Same as Hyb6 except that $P_n$'s outputs are substituted by its outputs in the ideal world. Hyb7 can change $P_n$'s outputs if and only if there exists a value $\phi$ received by $P_n$ and considered by is aborted via terminate condition in Hyb6 with negligible probability.

Hyb8 Same as Hyb7 except that the protocol does not terminate. Hyb7 and Hyb8 are computationally indistinguishable since $H_1$ and $H_2$ are random oracles and $F_k$ is a PRF.

Hyb9 The output in the ideal world. The difference between Hyb9 and Hyb8 is that $\mathcal{S}$ samples a random matrix $C$ and encodes a data structure PaXoS, which is identically distributed.

Complexity Analysis
To better evaluate the complexity of the protocol, we first need to perform a simple analysis of the overall protocol process. It is important to note that this protocol uses only inexpensive tools such as OTs and bitwise operations, making it concretely efficient. We treat $t$ as the set sizes and set $m = t$ as in [5]. So, $w$ can be viewed as a value dependent on $\lambda$ by fixing $m$ and $t$.
Party $P_n$ is referred to as the leader carrying the majority overhead of the protocol, while the others are referred to as clients. Regarding the complexity of the protocol, $P_n$ designs matrices of a particular form, requiring linear complexity in $t$. Then, they perform $w$ OTs for clients independently, resulting in linear complexity in the number of OTs. Moreover, $P_{i \in [n-2]}$ just do encoding operations for data structure $D_i$, and $P_{n-1}$ does hashing, bitwise-XOR, and decoding operations, which require linear communication and computation complexities. Although the computational overhead of $P_{n-1}$ is larger than that of other clients, they do not need to encode and send a data structure. From this, we can regard the overall communication and computation costs as uniformly distributed across all clients.
Note that our protocol can be divided into offline and online phases. Only lightweight procedures are required in the online phase, and communication and computation costs associated with performing OT can be handled in the offline phase. In addition, the bits exchanged among the parties concerning the random OT and the optimized malicious OT extension are summarized in Table 3.

Table 3. Bits sent for leader and client.
Communication Party   Total Bit Transmission

Comparison
It should be noted that, due to the variations in architectures and security levels, making a fair comparison is challenging. Nevertheless, we have endeavored to include some recent studies pertaining to diverse security models (e.g., semi-honest, malicious, etc.). So, we contrast the complexity of communication and computation with [13][14][15] in Table 4, where $n$ is the number of parties, $k$ is the number of hash functions, $t$ is the size of input sets, and $\lambda$ is the security parameter. In our MPSI protocol, the communication and computation complexity of the leader are $O(tn\lambda)$, which is linear in the number of parties. Meanwhile, the complexity for the client remains constant regardless of the number of parties involved (namely, $O(t\lambda)$) because the client $P_{i \in [n-1]}$ only needs to compute and send a data structure $D_i$ and does not need to perform additional data transfers with other parties. Therefore, our protocol achieves a good trade-off between communication and computation overhead. Figure 5 shows the security levels of the discussed protocols. Compared with [13], our protocol achieves a stronger security model without sacrificing communication and computation costs. We implement one-sided malicious security and [14] implements the Aug semi-honest model. It is difficult to define which security model is more practical, but our protocol has better computation and communication performance. Although the security model in [15] is higher-performing, our protocol has greater communication performance and achieves a better trade-off between communication and computation.

Experimental Evaluation
In order to compare the runtime overhead of each protocol more intuitively, simulation experiments and a results analysis were performed. It should be noted that the time consumed by this protocol is the average time of multiple experiments. The experimental platform was Windows 10, Intel (R) Core (TM) i5-8250U CPU @ 1.60 GHz 1.80 GHz, 8.00 GB of RAM, and a compiled environment of Dev-C++ 5.11.
We first consider the total time required for each protocol to execute with different numbers of set elements.It is assumed that n = 100, k = λ = 128, and t = 2 10 , 2 11 , 2 12 , 2 13  are chosen for the comparison experiment, and Figure 6 shows the total running time of the protocol as a function of the number of elements contained in the set.
We first consider the total time required for each protocol to execute with diffe numbers of set elements.It is assumed that 2 ,2 ,2 ,2 t = chosen for the comparison experiment, and Figure 6 shows the total running time o protocol as a function of the number of elements contained in the set.From Figure 6, the total time overhead in each protocol grows essentially linear the number of set elements continues to increase.However, the time of our MPSI prot increases the slowest when the fixed set cardinality is small.Our MPSI protocol has slowest time growth rate.
In addition, the effect of the change in the number of parties on the running tim the protocol is further considered.Suppose that the maximum number of elements tained in the set is , the security parameters are kept fixed at , and number of parties  From Figure 7, the running time of all protocols increases gradually with the num of parties.The time overheads of our MPSI protocol are lower than those of the o protocols when n is fixed.In addition, our MPSI protocol has the slowest time growth From Figure 6, the total time overhead in each protocol grows essentially linearly as the number of set elements continues to increase.However, the time of our MPSI protocol increases the slowest when the fixed set cardinality is small.Our MPSI protocol has the slowest time growth rate.
In addition, the effect of the change in the number of parties on the running time of the protocol is further considered. Suppose that the maximum number of elements contained in the set is $t = 1000$, the security parameters are kept fixed at $k = \lambda = 128$, and the number of parties $n = 10^{1}, 10^{2}, 10^{3}, 10^{4}$ is selected for the comparison experiment. The total protocol runtime as a function of the number of parties is shown in Figure 7.
From Figure 7, the running time of all protocols increases gradually with the number of parties. The time overheads of our MPSI protocol are lower than those of the other protocols when $n$ is fixed. In addition, our MPSI protocol has the slowest time growth rate.

MPCCache in Edge Computing
This section addresses the problem of edge collaborative content caching, wherein all parties can jointly cache the most frequently accessed common data items in shared caches. Figure 8 shows the difference between the traditional cache model and the edge cache model. The challenge is to determine a set of the most frequently accessed common items without revealing any underlying data.

Our MPCCache
We describe how to use our MPCCache protocol to handle the edge cache case. The network operators $P_{i\in[n]}$ respectively own set $K_i = \{(x^i_1, z^i_1), \ldots, (x^i_t, z^i_t)\}$, where $x^i \in \{0,1\}^{*}$ denotes an identity element and $z^i \in \{0,1\}^{w}$ denotes its associated value. Note that the latter may represent the anticipated frequency of content being accessed or the value to network operators of the cached content. Let the common items $I = \bigcap_{i=1}^{n} X_i = \{x_1, x_2, \ldots\}$ be the intersection of the identifiers, where $X_i = \{x^i_1, \ldots, x^i_t\}$ is the set of identities for $P_{i\in[n]}$. For each common item $x \in I$, calculate a sum of the associated values $z$; that is, $\mathrm{sum}(x) = \sum_{i=1}^{n} z(x)$. The sum of a common item is determined as the total of the individual values of the operators for the item.
We present the MPCCache protocol in Figure 9. $P_{i\in[n-1]}$ conduct simple hashing and $P_n$ conducts cuckoo hashing that maps common items to the same bucket. According to the PaXoS, all the buckets are compressed into a data structure so that $P_n$ can efficiently compute the MPCCache. In detail, $P_{i\in[n-1]}$ choose $q^n_j$ and $s^n_j$ uniformly at random for j ∈ de f = z − s i j , and send the encoding Encode x j, f i x j and Encode x j, g i x j to $P_n$, where to obtain the correct decoding f i x j and g i x j if $x^n_j = x^i_j$; it is otherwise random. Then, $P_n$ computes q n j de f , respectively, to check whether $\bigoplus_{i=1}^{n} q^i_j = 0$ is based on a garbled circuit, and, if so, obtain the sum of the corresponding common item $\bigoplus_{i=1}^{n} s^i_j$.

Figure 9. Our MPCCache protocol. The figure has an Oblivious Transfer step, in which $P_n$ and $P_{i\in[n-1]}$ run the same Oblivious Transfer as in Figure 4, followed by a Compute step.

Correctness and Security
Correctness: Section 4.3 proves that ; that is, ( ) . Via the property of the data structure PaXoSs , we always have ( ) ( ) . That is, when $x \in I$, it always holds that $\bigoplus_{i=1}^{n} q^i_j = 0$ and $\bigoplus_{i=1}^{n} s^i_j = \sum_{i=1}^{n} z^i$.
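The correctness condition above, simulated in the clear as an added example (not the paper's code; all function names are illustrative): each client masks an item's tag and value with shares $q$ and $s$, and $P_n$ derives its own shares from what it decodes. Assumptions: HMAC stands in for the OPRF, a dictionary lookup for PaXoS decoding, a plain comparison for the garbled circuit, and the value shares are additive modulo $2^w$, so the code shows only the share algebra and has none of the protocol's privacy properties.

```python
import hashlib, hmac, secrets

W = 32                       # assumed bit width w of an associated value
MOD = 1 << W

def rand_pair():
    return secrets.randbits(128), secrets.randbelow(MOD)

def tag(key, party, x):
    # Stand-in for the OPRF output on x; HMAC is NOT oblivious.
    mac = hmac.new(key, f"{party}|{x}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:16], "big")

def client_encode(key, party, items):
    # Client P_i masks each (x, z) with fresh shares (q, s).
    table, shares = {}, {}
    for x, z in items.items():
        q, s = rand_pair()
        table[x] = (tag(key, party, x) ^ q, (z - s) % MOD)
        shares[x] = (q, s)
    return table, shares

def leader_shares(key, tables, x, z_n):
    # P_n decodes every client's table at its own item x.
    q_n, s_n = 0, z_n
    for party, table in enumerate(tables, start=1):
        f, g = table.get(x) or rand_pair()   # a miss decodes to noise
        q_n ^= f ^ tag(key, party, x)
        s_n = (s_n + g) % MOD
    return q_n, s_n

def mpccache(client_sets, leader_set):
    # Returns {x: sum} for every x whose q shares XOR to zero.
    key = secrets.token_bytes(32)
    enc = [client_encode(key, p, s) for p, s in enumerate(client_sets, start=1)]
    result = {}
    for x, z_n in leader_set.items():
        q_all, s_all = leader_shares(key, [t for t, _ in enc], x, z_n)
        for _, shares in enc:
            q, s = shares.get(x) or rand_pair()
            q_all ^= q
            s_all = (s_all + s) % MOD
        if q_all == 0:       # the paper evaluates this test in a garbled circuit
            result[x] = s_all
    return result

# Constructed sample: three operators, item -> expected access frequency.
P1 = {"video/a": 40, "video/b": 7, "img/c": 3}
P2 = {"video/a": 25, "img/c": 11, "doc/d": 9}
P3 = {"video/a": 10, "img/c": 6, "video/b": 2}   # P_n, the leader
```

An item missing from any one client leaves a uniformly random term in the XOR of the $q$ shares, so it is rejected except with probability $2^{-128}$ in this sketch.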
Theorem 2. If $F$ is a PRF and $H_1$ is a random oracle, then the construction of our MPCCache protocol has colluding semi-honest security, given the OT, PaXoS, GC, and appropriate parameters.
Proof of Theorem 2. If we consider $l$ parties $\{P_i\}_{i\in[l]}$ to be corrupted by an adversary $\mathcal{A}$, then the number of uncorrupted parties is $(n - l)$. Given $\{K_i\}_{i\in[l]}$, the simulator $\mathcal{S}$ interacts with $\{P_i\}_{i\in[l]}$ as follows. $\mathcal{S}$ samples random matrices, performs OT, chooses the PRF key $k$ and sends $k$ to $\{P_i\}_{i\in[l]}$. The simulator $\mathcal{S}$ constructs random data structures representing honest parties according to the randomness of the matrices. $\mathcal{S}$ sends two data structures $D^i_x$ and $D^i_z$ constructed on a PaXoS to ideal functionality. We prove $\mathrm{Real}^{\Pi}_{\mathcal{A}}(K_1, \ldots, K_n) \overset{c}{\approx} \mathrm{Ideal}^{\mathcal{F}}_{\mathcal{S}}(K_1, \ldots, K_n)$.
Hyb0: The outputs of parties in the real world.

Hyb1: Same as Hyb1, Hyb2, and Hyb6 in Section 4.4.

Hyb2: Similar to Hyb1 except that the decoding executions of the PaXoS are replaced as follows. When $\{P_i\}_{i\in[l]}$ does not contain $P_n$, $\mathcal{S}$ receives nothing from the data structure PaXoS. When $\{P_i\}_{i\in[l]}$ contains $P_n$, if $x \in I$, $P_n$ receives $D^i_x$ and $D^i_z$, thus ] ⊕ $q^i_j$, $(z^i - s^i_j)$ for the PaXoS involving the non-colluding party $\{P_i\}_{i\in[n-l]}$ and $j \in [\beta]$. Note that $q^i_j$ and $s^i_j$ are used in the above expression for each bin $j \in [\beta]$. Since these values are uniform, so are $D^i_x$ and $D^i_z$. Therefore, we replace the decoding outputs of the PaXoS with random ones. Otherwise, all the decoding outputs of the PaXoS are uniformly random from the perspective of $P_n$ and $\{P_i\}_{i\in[l]}$. Hyb2 is computationally indistinguishable from Hyb1 due to the PaXoS's security.

Hyb3: The output in the ideal world. The only difference between Hyb3 and Hyb2 is that $\mathcal{S}$ executes the output of the circuit.

Conclusions
In this work, we design an efficient MPSI protocol and the MPCCache protocol to better solve the information leakage problem in resource sharing. The proposed MPSI protocol derived from multi-point OPRF demonstrates concrete efficiency in achieving one-sided malicious security. The protocol also leads to a better trade-off between communication and computational overhead. It is based on OT and a data structure PaXoS and achieves linear computation and communication complexity concerning the input set size of each party. In our MPSI protocol, the asymptotic communication and computational complexity of the clients are largely determined by the size of the input sets rather than the number of parties (namely, $O(t\lambda)$). Overall, this research has contributed to the development of efficient MPSI protocols for multiple parties in practice. In fact, we apply the MPCCache protocol to edge caching scenarios using a simple transformation of the MPSI protocol. The MPCCache protocol under the semi-honest model can support the computation of specific functions on intersections. It is our belief that future work can improve the fairness of the MPSI protocol, as well as propose more application scenarios with practical application value.
Figure 2. Ideal functionality of OT $\mathcal{F}_{OT}$. The functionality returns only $m_b$ to the receiver and returns nothing to the sender.


Figure 5. Comparison of security levels.


Figure 7. Running time vs. the number of parties.

Figure 8. Traditional cache model and edge cache model.



Table 1. The related work of PSI.

Table 2. The related work of function-based PSI.
$\mathcal{S}$ constructs random data structures representing honest parties according to the randomness of the matrices. $T_1$ and $T_2$ are initialized to an empty table. In $P_{i\in[n-1]}$'s query $x$ to $H_1$, $\mathcal{S}$ records $(x, H_1(x))$ in table $T^i_1$. In $P_{n-1}$'s query $y$ to $H_2$, $\mathcal{S}$ records $(y, H_2(y))$ in table $T_2$. When $P_n$ receives OPRF value $\Psi$, $\mathcal{S}$ finds all $\phi \in \Psi$ such that $\phi = H_2(y)$ for some $y$ in $T_2$, and y

Let $l$ clients $P_1, \ldots, P_l$ be corrupted, making the number of uncorrupted clients $(n - l - 1)$. Given $\{X_i\}_{i\in[l]}$, the simulator $\mathcal{S}$ interacts with $\{P_i\}_{i\in[l]}$ as follows. $\mathcal{S}$ samples random matrices $\{C^i\}_{i\in[l]} \in \{0,1\}^{m\times w}$ and performs malicious OT simulator on $\{P_i\}_{i\in[l]}$ with outputs $C^i_1, \ldots, C^i_w$. $\mathcal{S}$ honestly chooses PRF key $k$ and sends $k$ to $\{P_i\}_{i\in[l]}$. The simulator

$H_1$ is a random oracle, the protocol is aborted with negligible probability.

Hyb3: Same as Hyb2, but, for each OPRF value $\phi$ received by $P_n$, if $\phi \notin H_2(Q_2)$, then $P_n$ ignores $\phi$. Since $H_2$ is a random oracle, the probability of changing $P_n$'s output is negligible. $\phi$ equals the output of $H_2$ on one of $P_n$'s elements with negligible probability.

Hyb4: Same as Hyb3 except that the protocol terminates if there exists y ∈ Q 2 , y ∈ A[F k (H 1 (X n ))] with y = y and H 2 (y) = H 2 (y ). Since $H_2$ is a random oracle, the protocol is aborted with negligible probability.

Hyb5: Same as Hyb4, but, for each OPRF value $\phi$ received by $P_n$, $P_n$ ignores $\phi$ when calculating the set intersection if $\phi = H_2(y)$ for some $y \in Q_2$, where y /