On the Homomorphic Properties of Kyber and McEliece with Application to Post-Quantum Private Set Intersection

Abstract

Crystals-Kyber and Classic-McEliece are two prominent post-quantum key encapsulation mechanisms (KEMs) designed to address the challenges posed by quantum computing to classical cryptographic schemes. While the former has been standardized by the National Institute of Standards and Technology (NIST), the latter is well-known for its exceptional robustness and as one of the finalists of the fourth round of post-quantum cryptography standardization. Private set intersection (PSI) is a privacy-preserving technique that enables two parties, each possessing a dataset, to compute the intersection of their sets without revealing anything else. This can be achieved thanks to homomorphic encryption (HE), which allows computations on encrypted data. In this paper, firstly, we study Kyber and McEliece, apart from being KEMs, as post-quantum public key encryption (PKE), and examine their homomorphic properties. Secondly, we design two different two-party PSI protocols that utilize the homomorphic capabilities of Kyber and McEliece. Thirdly, a practical performance evaluation under NIST’s security levels 1, 3, and 5 is conducted, focusing on three key metrics: storage overhead, communication overhead, and computation cost. Insights indicate that the Kyber-based PSI Protocol, which utilizes the multiplicative homomorphic property, is secure but less efficient. In contrast, the McEliece-based PSI protocol, while efficient in practice, raises concerns regarding its security as a homomorphic encryption scheme.

1. Introduction

Of late, cryptographers have become increasingly worried about advances in quantum computing. Once a powerful quantum computer is released, Shor’s algorithm [1] will break all widely deployed public key cryptosystems (PKC), specifically those based on factoring or discrete-log hard problems like RSA and elliptic curve constructions. Consequently, in 2017, NIST called for Post-quantum cryptography (PQC) proposals. Lattice-based and code-based cryptographic schemes are two of the main types of proposals submitted to the NIST PQC competition for standardization. Code-based and lattice-based cryptographic schemes are conceptually similar in using noise (error) for security but differ in their mathematical foundations. Both schemes leverage the difficulty of certain structured decoding problems [2]. Indeed, lattice-based cryptography replaces the ‘codeword plus random errors’ of the code-based cryptography with a ‘lattice point plus random errors’ [3].

In the NIST’s third round PQC competition, Crystal-Kyber [4], a lattice-based post-quantum key encapsulation mechanism (KEM), has been selected for standardization. Additionally, another four KEM algorithms have been selected to continue in the NIST’s fourth round. Among the four submissions, Classic-McEleiece [3,5], an important code-based post-quantum KEM candidate, is constructed based on the original McEliece [6] and its dual variant, Niederreiter [7,8] public key encryption (PKE), which have proved their stability and robustness against attacks for over 40 years.

Private set intersection (PSI) is a cryptographic multiparty computation problem first introduced in [9], where distrusted parties holding private sets of elements submit their sets as inputs, and only one or more parties receive the intersection and nothing else. In the classical formulation, the protocol enables two parties to jointly compute the intersection. However, the problem can be extended to a multiparty PSI, adding a layer of complexity. Moreover, there are many variants of PSI. For example, we can classify PSI into one-way PSI, where only one party learns the output, or mutual PSI, where all parties receive the output. We can also classify the problem by the sizes of the input sets, such as balanced PSI for inputs of comparable sizes or unbalanced PSI, where one input is much larger than the others. In another variant, the output can be other functions than the intersection, like PSI-CA, where the output is the cardinality of the intersection rather than the intersection itself. Moreover, the problem might demand additional requirements, such as threshold-PSI, where the parties obtain the output only when the cardinality is above a certain threshold, or size-hiding PSI, where the size of the inputs is hidden throughout the protocol.

The PSI has wide real-world applications like medical and criminal records, anomaly detection, private database queries, the military sector, and others. The following motivational example demonstrates one of the real-world MPSI scenarios.

Example [10]: Various military factories want to compare the quality of a specific precision instrument with others of the same type. To achieve this goal, they need to collect these precision instruments from different military factories. However, no military factory is willing to expose its own private data to others.

Thanks to homomorphic encryption (HE), the sets’ intersection can be computed, and privacy is still preserved. HE is a property of public-key cryptosystems that enables certain computations to be performed on ciphertexts, producing an encrypted result that, when decrypted, complies with the outcome of the same operations on the plaintexts. Most public-key encryption schemes support at least one type of homomorphic operation. For the PSI problem, we are interested in homomorphic schemes that support addition and/or multiplication operations.

Motivated by this, in this work, we investigate and compare the homomorphic capabilities of the underlying public key encryption (PKE) schemes of two important post-quantum KEM candidates, namely Crystal-Kyber and Classic-McEliece, in the context of the two-party PSI problem. While the homomorphic properties of McEliece/Niederreiter PKE have already been studied in the literature stripped of any concrete applications, the homomorphic properties of Kyber have not, to the best of our knowledge, been directly examined. Therefore, we go beyond revisiting these properties by designing two new PSI protocols based on the respective cryptosystems. We stress that our focus is to study and examine the underlying PKEs of the mentioned candidates and to clarify whether these two candidates, in addition to their role in KEM schemes, are appropriate for quantum-safe homomorphic encryption.

Contributions

The main contributions of this study are threefold:

• Designs a two-party PSI protocol that utilizes McEliece’s additive homomorphic property and the Bloom filter data structure.
• Designs a two-party PSI protocol that utilizes Kyber’s multiplicative homomorphic property.
• Provides an experimental performance evaluation framework to compare the two proposed protocols, considering NIST’s security levels 1, 3, and 5, and focusing on three key metrics: storage overhead, communication overhead, and computation cost.

The rest of the paper is organized as follows. Section 2 presents important background on HE, Crystal-Kyber, and Classic-McEliece. A literature review is conducted in Section 3. The design of the proposed PSI protocols and the theoretical analysis are detailed in Section 4, while the experimental work and results are presented in Section 5. Section 6 provides the conclusion and outlines the future work.

2. Background

In this section, we recall the necessary information that helps to understand the rest of the paper. Before delving into the details of the dedicated cryptosystems, we provide the following definitions to distinguish between three closely related concepts: public key cryptosystem (PKC), public key encryption (PKE), and key encapsulation mechanism (KEM).

Definition 1 (Public Key Cryptosystem (PKC)). 

Any cryptographic scheme that uses a pair of keys (public and private) for performing cryptographic tasks, including encryption, digital signature, and key exchange, is broadly referred to as PKC.

Definition 2 (Public Key Encryption (PKE)). 

A specific type of PKC designed solely for exchanging secure messages between two or more legitimate parties. It uses the public key for encryption and the private key for decryption.

Definition 3 (Key Encapsulation Mechanism (KEM)). 

A PKC protocol that can be used by two parties to establish a shared secret key over a public (insecure) channel. The output is not an encrypted message but a secret key used for symmetric key encryption.

Also, we provide the following security definitions that help in the formal proofs of the proposed algorithms.

Definition 4 (IND-CPA Security). 

A public key encryption scheme is said to achieve indistinguishability under chosen-plaintext attack (IND-CPA) if no polynomial-time (PPT) adversary $\mathcal{A}$ can distinguish between the encryptions of two messages of equal length, even when given access to the public key and the ability to encrypt any plaintext of their choice. Formally, for any PPT adversary $\mathcal{A}$, the advantage in the IND-CPA game is negligible:

$${\mathit{Adv}}_{\mathit{PKE},\mathcal{A}}^{\mathit{IND-CPA}}\left(\kappa \right)=\left|Pr[{\mathit{IND-CPA}}_{\mathit{PKE}}^{\mathcal{A}}\left(\kappa \right)=1]-{\displaystyle \frac{1}{2}}\right|\le \mathit{negl}\left(\kappa \right)$$

(1)

where κ is the security parameter and the IND-CPA game involves the adversary choosing two messages, $m_0$ and $m_1$, receiving an encryption of one of them, and attempting to determine which message was encrypted.

Definition 5 (IND-CCA Security). 

A public key encryption scheme achieves indistinguishability under chosen-ciphertext attack (IND-CCA) if it satisfies IND-CPA security and additionally remains secure even when a PPT adversary $\mathcal{A}$ has access to a decryption oracle that can decrypt any ciphertext except the challenge ciphertext. This represents a stronger security notion than IND-CPA, as it protects against adaptive chosen-ciphertext attacks. Formally, for any PPT adversary $\mathcal{A}$ with access to decryption oracle ${\mathcal{O}}_{\mathit{dec}}$, the advantage in the IND-CCA game is negligible:

$${\mathit{Adv}}_{\mathit{PKE},\mathcal{A}}^{\mathit{IND-CCA}}\left(\kappa \right)=\left|Pr[{\mathit{IND-CCA}}_{\mathit{PKE}}^{\mathcal{A},{\mathcal{O}}_{\mathit{dec}}}\left(\kappa \right)=1]-{\displaystyle \frac{1}{2}}\right|\le \mathit{negl}\left(\kappa \right)$$

(2)

where the adversary can query the decryption oracle on any ciphertext other than the challenge ciphertext during the attack game.

Definition 6 (Semi-Honest Security Model). 

A two-party PSI protocol $\pi =({\mathsf{P}}_{\mathsf{1}},{\mathsf{P}}_{\mathsf{2}})$ is secure against semi-honest, a.k.a. honest but curious, adversaries if for any probabilistic polynomial-time (PPT) adversary $\mathcal{A}$ that corrupts at most one party, there exists a PPT simulator $\mathcal{S}$ such that for all sets ${\mathit{G}}_1$ and ${\mathit{G}}_2$:

$$\left\{{\mathsf{IDEAL}}_{\mathcal{S},\mathcal{A}}({\mathit{G}}_1,{\mathit{G}}_2,\kappa )\right\}\stackrel{c}{\equiv }\left\{{\mathsf{REAL}}_{\pi ,\mathcal{A}}({\mathit{G}}_1,{\mathit{G}}_2,\kappa )\right\}$$

(3)

where

• IDEAL represents the ideal functionality where parties only learn $G_1\cap G_2$.
• REAL represents the real protocol execution.
• $\stackrel{c}{\equiv }$ denotes computational indistinguishability.

2.1. Homomorphic Encryption

HE is a property of public-key cryptosystems that enables certain arithmetic computations to be performed on ciphertexts, producing an encrypted result that, when decrypted, complies with the outcome of the same operations on the plaintexts. Most public-key encryption schemes support at least one type of homomorphic operation. HE can be classified into three categories: (1) Partially homomorphic encryption (PHE), which can perform only one mathematical function an unlimited number of times. For example, the Paillier cryptosystem [11] supports only the addition operation, while the original RSA [12] can support only the multiplication operation. Other PHE schemes are Goldwasser and Micali [13], ElGamal [14], Naccache and Stern [15], Benaloh [16], and Okamoto and Uchiyama [17]. (2) Somewhat homomorphic encryption (SWHE): it supports some types of arithmetic functions a limited number of times. For example, the Boneh–Goh–Nissim cryptosystem [18] can evaluate unlimited additions and one multiplication. Other SWHE schemes are Yao [19], Sander et al. [20], and Ishai and Paskin [21]. (3) Fully homomorphic encryption (FHE), which supports an unlimited number of operations for an unlimited number of times. Constructing a fully homomorphic scheme that can evaluate an arbitrary function was not possible until Gentry’s breakthrough in 2009 [22]. Other FHE schemes are BFV [23], BGV [24], CKKS [25], and TFHE [26].

2.2. Crystal Kyber Cryptosystem

Crystal-Kyber [4] is a lattice-based public key cryptosystem mainly used as a KEM for establishing private keys for symmetric-key cryptosystems. The Kyber KEM is IND-CCA2 secure and is built upon Kyber PKE, which is IND-CPA secure. Its security is based on the hardness of the modular learning with errors (MWLE) problem, which is as hard as several worst-case lattice problems, specifically, the shortest vector problem (SVP). MLWE was first introduced in [27], and it offers much better efficiency and security tradeoffs when compared with learning with error (RWE) [2] and ring learning with error (RLWE) [28] problems. Moreover, its keys are fairly small to be used in real-world applications.

For detailed information and documentation about Kyber’s IND-CCA2-secure KEM, we refer the reader to [29].

Herein, we describe Kyber’s IND-CPA-secure PKE as it will be used to investigate the homomorphic properties of the cryptosystem. Let R and $R_q$ denote the rings $Z\left[X\right]/\left(X^n+1\right)$ and $Z_q\left[X\right]/\left(X^n+1\right)$, respectively, where n is a power of two such that $X^n+1$ is a cyclotomic polynomial. Specifically, Kyber operates over the polynomial ring ${\mathbb{R}}_{3329}={\mathbb{Z}}_{3329}\left[x\right]/\langle x^{256}+1\rangle$ and sets a security parameter $k\ge 2$ to achieve better security than RLWE. Namely, k determines the number of polynomials in the module setting. Notably, when $k=1$, the MLWE instance reduces to a pure RLWE instance [30].

Kyber’s PKE Keygen, Encryption, and Decryption algorithms [4] are defined in Algorithm 1, Algorithm 2, and Algorithm 3, respectively.    

Algorithm 1 Kyber.KeyGen(): key generation

1: $\mathbf{A}\sim R_q^{k\times k}$ 2: $(\mathbf{s},\mathbf{e})\sim {\beta }_{\eta }^k\times {\beta }_{\eta }^k$ 3: $\mathbf{t}:={Compress}_q\left(\mathbf{A}\mathbf{s}+\mathbf{e},d_t\right)$ 4: $\mathrm{return}(pk:=(\mathbf{A},\mathbf{t}),sk:=\mathbf{s})$

Algorithm 2 Kyber.Enc(pk = ($\mathbf{A},\mathbf{t})$, $m\in M$): encryption

1: $\mathbf{t}:={\mathrm{Decompress}}_q\left(\mathbf{t},d_t\right)$ 2: $\left(\mathbf{r},{\mathbf{e}}_1,e_2\right)\sim {\beta }_{\eta }^k\times {\beta }_{\eta }^k\times {\beta }_{\eta }$ 3: $\mathbf{u}:={\mathrm{Compress}}_q\left({\mathbf{A}}^T\mathbf{r}+{\mathbf{e}}_1,d_u\right)$ 4: $v:={\mathrm{Compress}}_q\left({\mathbf{t}}^T\mathbf{r}+e_2+⌈{\displaystyle \frac{q}{2}}⌋·m,d_v\right)$ 5: $\mathrm{return}c:=(\mathbf{u},v)$

Algorithm 3 Kyber.Dec(sk = s, c = ($\mathbf{u},v$)): decryption

1: $\mathbf{u}:={\mathrm{Decompress}}_q\left(\mathbf{u},d_u\right)$ 2: $v:={Decompress}_q\left(v,d_v\right)$ 3: $\mathrm{return}\mathrm{Compress}\left(v-{\mathbf{s}}^T\mathbf{u},1\right)$

2.2.1. Example

For a simple example we set $k=2,n=4,q=7681,d_u=d_t=11,d_v=3$. Let Bob’s public key be a 2 by 2 matrix $\mathbf{A}$ chosen randomly,

$$\mathbf{A}=\left(\begin{array}{cc}1917x^3+2032x^2+2056x+273& 4818x^3+3189x^2+6024x+153\\ 520x^3+7002x^2+4588x+4276& 2324x^3+5975x^2+3315x+1547\end{array}\right)$$

Then he also samples the secret key s and the error vector e from the centered binomial distribution ${\beta }_4$:

$$\begin{array}{c}\mathbf{s}=\left({\displaystyle \genfrac{}{}{0pt}{}{x^3-2x}{-x^3-x^2-2x}}\right)\\ \mathbf{e}=\left({\displaystyle \genfrac{}{}{0pt}{}{-x^3-x+2}{-x^2}}\right)\end{array}$$

Calculating $\mathbf{t}=\mathbf{A}\mathbf{s}+\mathbf{e}$ mod $x^4+1$, we obtain

$$\mathbf{t}=\left({\displaystyle \genfrac{}{}{0pt}{}{6696x^3+1950x^2+5122x+5267}{4184x^3+7493x^2+5013x+2709}}\right)$$

after using the compression function, he obtains

$$\mathbf{t}=\left({\displaystyle \genfrac{}{}{0pt}{}{1785x^3+520x^2+1366x+1404}{1116x^3+1998x^2+1337x+722}}\right)$$

Then the public key will be $(\mathbf{A},\mathbf{t})$, while the secret key is $\mathbf{s}$. Suppose Alice wants to send the message $m=x^3+x+1$. For the first sample $\left(\mathbf{r},{\mathbf{e}}_1,e_2\right)\sim {\beta }_4^2\times {\beta }_4^2\times {\beta }_4$, we obtain

$$\begin{array}{c}\mathbf{r}=\left({\displaystyle \genfrac{}{}{0pt}{}{-2x^3+x^2+2x+1}{-2x^3-3x^2}}\right)\\ {\mathbf{e}}_1=\left({\displaystyle \genfrac{}{}{0pt}{}{-3x^3+x^2-3x-3}{-3x^3-3x}}\right)\\ e_2=x+3\end{array}$$

To find the ciphertext, Alice computes $\mathbf{u}:={\mathbf{A}}^T\mathbf{r}+{\mathbf{e}}_1,v:={\mathbf{t}}^T\mathbf{r}+e_2+3841·m$, we obtain

$$\begin{array}{c}\mathbf{u}=\left({\displaystyle \genfrac{}{}{0pt}{}{534x^3+6145x^2+4948x+5655}{3872x^3+1990x^2+3766x+888}}\right)\\ v=3931x^3+376x^2+5841x+5799\end{array}$$

after compression, the ciphertext will turn to

$$\begin{array}{c}\mathbf{u}=\left({\displaystyle \genfrac{}{}{0pt}{}{142x^3+1638x^2+1319x+1508}{1032x^3+531x^2+1004x+237}}\right)\\ v=3931x^3+376x^2+5841x+5799\end{array}$$

To decrypt the message, Bob decompresses the ciphertext and calculates $v-{\mathbf{s}}^T\mathbf{u}=3747x^3+7294x^2+3769x+3824$; then the coefficients that are closer to 3841 than 0 or 7681 will be considered 1, otherwise 0. That is, the decrypted message will be $1\ast x^3+0\ast x^2+1\ast x+1$, Alice’s original message.

2.2.2. Homomorphism

Let $E\left(x\right)=({\mathbf{u}}_{\mathbf{x}},v_x)$ and $E\left(y\right)=({\mathbf{u}}_{\mathbf{y}},v_y)$ be two ciphertexts. The following homomorphic relation holds:

$$E\left(x\right)+E\left(y\right)=E(x\oplus y)$$

(4)

We define the addition in (4) as follows $E\left(x\right)+E\left(y\right)=({\mathbf{u}}_{\mathbf{x}}+{\mathbf{u}}_{\mathbf{y}},v_x+v_y)$.

For the multiplication, it is not as straightforward. Consider the following multiplication of two messages

$$\begin{array}{cc}\hfill (w_x+⌈{\displaystyle \frac{q}{2}}⌋·x)(w_y+⌈{\displaystyle \frac{q}{2}}⌋·y)& \approx \left(\left(v_x-{\mathbf{u}}_{\mathbf{x}}·\mathbf{s}\right)·\left(v_y-{\mathbf{u}}_{\mathbf{y}}·\mathbf{s}\right)\right)\hfill \\ & \approx v_x{v}_y-v_x\sum _{i=1}^k{u}_{yi}{g}_i-v_y\sum _{i=1}^k{u}_{xi}{g}_i+\sum _{i=1}^k\sum _{j=1}^k{u}_{xi}{u}_{yj}{g}_i{g}_j.\hfill \end{array}$$

where $u_{xi},u_{yi},g_i$ are the i-th component of ${\mathbf{u}}_{\mathbf{x}},{\mathbf{u}}_{\mathbf{y}},\mathbf{s}$ and ${∥w_i∥}_{\infty }\le ⌈{\displaystyle \frac{q}{4}}⌋$. Multiplying the LHS yields

$$(w_x+\lceil {\displaystyle \frac{q}{2}}\rfloor ·x)(w_y+\lceil {\displaystyle \frac{q}{2}}\rfloor ·y)=w_x{w}_y+\lceil {\displaystyle \frac{q}{2}}\rfloor (x{w}_y+y{w}_x)+{\lceil {\displaystyle \frac{q}{2}}\rfloor }^{2}xy$$

Therefore, we write the multiplication as follows

$$E\left(x\right)·E\left(y\right)=\left(d_1,{\mathbf{d}}_{\mathbf{2}},{\mathbf{d}}_{\mathbf{3}}\right)$$

(5)

The ciphertext in this form, Equation (5), is a non-standard ciphertext computed over the rationals $\mathbb{Q}$, where

$$\begin{array}{cccc}\hfill d_1& =v_x·v_y\hfill & \hfill d_{2i}& =v_x·u_{yi}+v_y·u_{xi}\hfill \\ \hfill d_{3_{ij}}& =u_{xi}·u_{yj}\hfill \end{array}$$

Note that the size of the ciphertext increased, and it is not decrypted as a usual ciphertext. It is possible to reduce it to the usual ciphertext form $\left({\mathbf{d}}_{\mathbf{1}}^{\prime },d_2^{\prime }\right)$ such that it is decrypted as $d_2^{\prime }-{\mathbf{s}}^T{\mathbf{d}}_{\mathbf{1}}^{\prime }$ using a computationally costly operation called Relinearization [31]. Relinearization could be avoided when the multiplicative depth is small using what is called the leveled FHE [24]. As such, the non-standard ciphertext can be successfully decrypted using Equation (6).

$$x·y=\lceil {\displaystyle \frac{d_1-{\mathbf{d}}_{\mathbf{2}}·\mathbf{s}+{\mathbf{d}}_{\mathbf{3}}\mathbf{s}·\mathbf{s}}{{\lceil \frac{q}{2}\rfloor }^2}}\rfloor$$

(6)

For instance, in the two-party PSI protocol, the multiplicative depth is exactly equal to one, and Equation (6) can be efficiently used.

2.3. McEliece/Niederreiter and Classic-McEliece Cryptosystem

The Classic-McEliece key-encapsulation mechanism is derived from the code-based public key cryptosystem proposed by R. McEliece in 1978 [6]. More precisely, Classic-McEliece KEM is built upon Niederreiter [7,8], which is a dual variant of the McEliece PKE. The original McEliece PKE has a robust security history, as dozens of papers over 40 years have tried, with no success, to attack this system. The main reason that keeps McEliece away from practical consideration is its huge key sizes compared to those of its number-theoretic PKE counterparts.

McEliece PKE is based on the hardness of decoding a general linear code. The original algorithm uses binary Goppa codes, which can be efficiently decoded using an algorithm by Paterson. Let G be the $k\times n$ generator matrix of a linear code that can correct up to t errors and has an efficient decoding algorithm. The cryptosystem’s Keygen, Encryption, and Decryption algorithms are defined in Algorithms 4–6 as follows:   

Algorithm 4 McEliece.KeyGen(): key generation

1: $\mathbf{Select}\mathbf{a}\mathbf{random}\mathbf{binary}\mathbf{non-singular}\mathbf{matrix}S\sim {\mathrm{F}}_2^{k\times k}$ 2: $\mathbf{Select}\mathbf{an}\mathit{n}\times \mathit{n}\mathbf{permutation}\mathbf{matrix}P$ 3: $\mathbf{compute} G_p:=SGP$ 4: $\mathbf{return} \mathrm{pk}:={\mathrm{G}}_p,\mathrm{sk}:=(S,P)$

Algorithm 5 McEliece.Enc(pk = $G_p$, $m\in F_2^k$): encryption

1: $\mathbf{Choose}\mathbf{a}\mathbf{random}\mathbf{vector}e\in F_2^n|W_H\left(e\right)=t$ 2: $\mathbf{Compute} c=m{G}_p+e$ 3: $\mathbf{return} c$

Algorithm 6 McEliece.Dec(sk = ($S,P$), c): decryption

1: $\mathbf{Compute} c^{\prime }=c{P}^{-1}$ 2: $\mathbf{decode} m^{\prime }=decode\left(c^{\prime }\right)$ 3: $\mathbf{compute} m=m^{\prime }{S}^{-1}$ 4: $\mathbf{return} m$

In the decryption algorithm, $c^{\prime }=c{P}^{-1}=mSG+e{P}^{-1}$, where $mSG$ is a codeword. Since $W_H\left(e{P}^{-1}\right)\le t$, we can decode $c^{\prime }$ and obtain $m^{\prime }=mS$. Therefore, $m=m^{\prime }{S}^{-1}$.

2.3.1. Example

Consider the following: $4\times 12$ generator matrix of a linear code that can correct up to $t=2$ errors

$$G=\left(\begin{array}{cccccccccccc}0\hfill & 1\hfill & 1\hfill & 0\hfill & 1\hfill & 0\hfill & 1\hfill & 0\hfill & 0\hfill & 1\hfill & 0\hfill & 0\hfill \\ 0\hfill & 1\hfill & 1\hfill & 1\hfill & 1\hfill & 0\hfill & 0\hfill & 1\hfill & 1\hfill & 0\hfill & 0\hfill & 0\hfill \\ 1\hfill & 1\hfill & 0\hfill & 1\hfill & 1\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 1\hfill \\ 1\hfill & 1\hfill & 1\hfill & 0\hfill & 1\hfill & 1\hfill & 0\hfill & 1\hfill & 0\hfill & 0\hfill & 1\hfill & 0\hfill \end{array}\right)$$

And assume Alice wants to send to Bob the message $m=(1,0,1,0)$. Bob generates S randomly with a permutation matrix P,

$$S=\left(\begin{array}{cccc}1\hfill & 0\hfill & 0\hfill & 1\hfill \\ 0\hfill & 1\hfill & 0\hfill & 1\hfill \\ 0\hfill & 1\hfill & 0\hfill & 0\hfill \\ 0\hfill & 0\hfill & 1\hfill & 1\hfill \end{array}\right),P=\left(\begin{array}{cccccccccccc}1\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill \\ 0\hfill & 0\hfill & 1\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill \\ 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 1\hfill & 0\hfill & 0\hfill & 0\hfill \\ 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 1\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill \\ 0\hfill & 0\hfill & 0\hfill & 0\hfill & 1\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill \\ 0\hfill & 1\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill \\ 0\hfill & 0\hfill & 0\hfill & 1\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill \\ 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 1\hfill \\ 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 1\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill \\ 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 1\hfill & 0\hfill & 0\hfill \\ 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 1\hfill & 0\hfill \\ 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 1\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill \end{array}\right)$$

Then

$$G_p=SGP=\left(\begin{array}{cccccccccccc}1\hfill & 1\hfill & 0\hfill & 1\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 0\hfill & 1\hfill & 1\hfill & 1\hfill \\ 1\hfill & 1\hfill & 0\hfill & 0\hfill & 0\hfill & 1\hfill & 0\hfill & 1\hfill & 0\hfill & 0\hfill & 1\hfill & 0\hfill \\ 0\hfill & 0\hfill & 1\hfill & 0\hfill & 1\hfill & 1\hfill & 0\hfill & 1\hfill & 1\hfill & 0\hfill & 0\hfill & 1\hfill \\ 0\hfill & 1\hfill & 0\hfill & 0\hfill & 0\hfill & 1\hfill & 1\hfill & 0\hfill & 1\hfill & 0\hfill & 1\hfill & 1\hfill \end{array}\right).$$

So now Alice computes and sends to Bob the following:

$$m{G}_p+e=(1,1,1,1,1,1,0,1,1,1,1,0)+(1,1,0,0,0,0,0,0,0,0,0,0)=(0,0,1,1,1,1,0,1,1,1,1,0).$$

Bob then computes $(0,0,1,1,1,1,0,1,1,1,1,0)P^{-1}=(0,0,1,1,1,1,0,1,1,1,1,0)P^T=(0,1,1,1,1,0,1,0,1,1,1,0).$ Notice the new error $e{P}^{-1}=(1,0,0,0,0,1,0,0,0,0,0,0)$, so we can correct the errors and decode $mSG$ to obtain $m^{\prime }=(1,1,0,1)$. Finally, Bob computes $m{S}^{-1}=(1,1,0,1)\left(\begin{array}{cccc}1\hfill & 1\hfill & 1\hfill & 0\hfill \\ 0\hfill & 0\hfill & 1\hfill & 0\hfill \\ 0\hfill & 1\hfill & 1\hfill & 1\hfill \\ 0\hfill & 1\hfill & 1\hfill & 0\hfill \end{array}\right)=(1,0,1,0)$, Alice’s original message.

2.3.2. Homomorphism

McEliece PKE has the following additive homomorphism: [32]

$$E\left(x\right)+E\left(y\right)=E(x\oplus y)$$

(7)

However, note the following:

$$\begin{array}{cc}\hfill E\left(x\right)+E\left(y\right)& =\left(xSGP+e_1\right)+\left(ySGP+e_2\right)\hfill \\ & =(x+y)SGP+\left(e_1+e_2\right)=E(x\oplus y)\hfill \end{array}$$

We can see that the error vector $e_1+e_2$ of $E(x\oplus y)$ doubled in weight. Therefore, when performing the addition of ciphertexts, $e_1$ and $e_2$ should be chosen such that each has a weight of less than half of the maximum error-correcting rate of the code. In general, if we have n additions, each of the sum’s components must have a weight less than $1/n$ of the maximum error-correcting rate of the code.

A more efficient dual variant of the McEliece cryptosystem is due to Niederreiter [7,8]. Consider the $(n,\kappa )-$ linear Binary Goppa Code G,the Niederreiter cryptosystem is defined as shown in Algorithms 7–9.   

Algorithm 7 Niederreiter.KeyGen(): key generation

1: $\mathbf{Generate}\mathbf{the} (\mathit{n}-\mathit{k})\times \mathit{n} \mathbf{parity}\mathbf{check}\mathbf{matrix} \mathit{H} \mathbf{for} \mathit{G}$ 2: $\mathbf{Select}\mathbf{a}\mathbf{random}\mathbf{binary}\mathbf{non-singular}\mathbf{matrix} S\sim {\mathrm{F}}_2^{(n-\kappa )\times (n-k)}$ 3: $\mathbf{Select}\mathbf{an} \mathit{n}\times \mathit{n} \mathbf{permutation}\mathbf{matrix} P$ 4: $\mathbf{compute} H_p:=SHP$ 5: $\mathbf{return} \mathrm{pk}:={\mathrm{H}}_p,\mathrm{sk}:=(S,P)$

Algorithm 8 Niederreiter.Enc(pk = $H_p$, $m\in F_2^n$): encryption

1: $\mathbf{Encode}\mathbf{the}\mathbf{message} m \mathbf{such}\mathbf{that} m\in F_2^n|W_H\left(m\right)=t$ 2: $\mathbf{Compute} c=H_{p}m$ 3: $\mathbf{return} c$

Algorithm 9 Niederreiter.Dec(sk = ($S,P$), c): decryption

1: $\mathbf{Compute} c^{\prime }=S^{-1}c$ 2: $\mathbf{decode}{\mathit{m}}^{\prime }=\mathit{Syndrome}\mathit{decode}\left({\mathbf{c}}^{\prime }\right)$ 3: $\mathbf{compute} m=P^{-1}{m}^{\prime }$ 4: $\mathbf{return} m$

3. Related Works

Exploring the homomorphic properties of McEliece PKE was first studied in [32]. However, no attention has been given to leveraging these properties for constructing PSI protocols. Similarly, the homomorphic properties of the MLWE lattice, upon which Kyber is built, were investigated in [31]. That study, however, was not specifically dedicated to Kyber itself but to the MLWE lattice structures in general.

The problem of constructing post-quantum-based PSI protocols has been studied extensively in the literature. Most of the proposed protocols are based on lattice-based structures; specifically RLWE and LWE problems. In [33], the authors provided a comprehensive literature review on the PSI problem.

In [34], the authors proposed a lattice-based size hiding protocol for two-party PSI-CA secure in a semi-honest environment. The security is based on the hardness of the decisional Learning With Errors (DLWE) problem with linear complexity in the size of the inputs. To prevent arbitrary inputs, they proposed a protocol where a trusted third party authorizes the client’s input set.

Later in [35], the authors generalized the protocol to the Multiparty-PSI problem, secure in the semi-honest model with $O\left(nk{v}_{max}\right)$, where $v_{max}$ is the maximum set size and k and n are security parameters. The parties are arranged in a star topology so that all parties need not be online at the same time.

The security of the previous protocols is based on DLWE; however, other designs exist with security based on Ring-LWE. In [36], the authors proposed protocols based on the fully homomorphic encryption scheme that was proposed in [37], considering the semi-honest model. Also, the authors developed an extension protocol secure under the malicious model by outsourcing computing to a cloud. Another lattice-based protocol based on the NTRU fully homomorphic encryption scheme is proposed in [10].

While prior works have explored PSI protocols based on lattice assumptions such as LWE, RLWE, and NTRU, no existing study has designed PSI protocols built upon the PKEs of Kyber or McEliece. This leaves a clear gap in the literature, which we aim to address in this work. Specifically, we propose and evaluate two new two-party PSI protocols founded on Kyber and McEliece PKEs to examine and assess their homomorphic properties in practice.

4. Proposed PSI Protocols

In this section, the proposed post-quantum PSI protocols are presented.

4.1. Kyber Based Protocol

Based on the algorithm described in Section 2.3, we present the Kyber-based PSI protocol in the following section. Let $P_1,P_2$ be two semi-honest parties holding the sets $G_1=\left\{g_{11},g_{12},..,g_{1v}\right\},G_2=\left\{g_{21},g_{22},..,g_{2v}\right\}$, respectively, such that $G_1,G_2\subseteq U=\left\{g_1,g_2,\cdots ,g_w\right\}$, where $g_1<g_2<\cdots <g_w$. We can define a vector representation of the $P_i$’s set as $G_i^{\prime }=\left\{g_{i1}^{\prime },g_{i2}^{\prime },..,g_{iw}^{\prime }\right\}$ such that

$$g_{ij}^{\prime }=\left\{\begin{array}{c}p\left(x\right),g_j\in G_i\hfill \\ 0,g_j\notin G_i\hfill \end{array},(i=1,2,j=1,2,\cdots ,w).\right.$$

(8)

where $p\left(x\right)$ is a non-zero binary polynomial in R.

Taking the product of $E\left(G_1^{\prime }\right)$ and $E\left(G_2^{\prime }\right)$ and using (5), we have

$$\begin{array}{cc}\hfill E\left(G_1^{\prime }\right)·E\left(G_2^{\prime }\right)& =\left\{E\left(g_{11}^{\prime }\right)·E\left(g_{21}^{\prime }\right),E\left(g_{12}^{\prime }\right)·E\left(g_{22}^{\prime }\right),..,E\left(g_{1w}^{\prime }\right)·E\left(g_{2w}^{\prime }\right)\right\}\hfill \\ & =\left\{E\left(g_{11}^{\prime }{g}_{21}^{\prime }\right),E\left(g_{12}^{\prime }{g}_{22}^{\prime }\right),..,E\left(g_{1w}^{\prime }{g}_{2w}^{\prime }\right)\right\}\hfill \end{array}$$

So, after decryption, we obtain

$$g_{1j}^{\prime }{g}_{2j}^{\prime }=\left\{\begin{array}{c}p{\left(x\right)}^2,g_j\in G_1\cap G_2\hfill \\ 0,g_j\notin G_1\cap G_2\hfill \end{array},(j=1,2,\cdots ,w).\right.$$

(9)

Therefore, Algorithm 10 describes a Kyber-based private intersection protocol:   

Algorithm 10 Kyber-based Private Set Intersection

Input: $G_1,G_2$   Output: $G_1\cap G_2$ 1: $P_1⟶P_2:E\left(G_1^{\prime }\right).$ 2: $P_2$: For each coordinate $j\in \{1,\dots ,w\}$, draw an independent zero-ciphertext $Z_j\leftarrow E\left(0\right)$ and set $\tilde{E}\left(g_{1j}^{\prime }\right)\leftarrow E\left(g_{1j}^{\prime }\right)+Z_j$. 3: $P_2$: Compute the coordinate-wise product: $$\tilde{E}\left(G_1^{\prime }\right)·E\left(G_2^{\prime }\right)=\left\{\tilde{E}\left(g_{11}^{\prime }\right)·E\left(g_{21}^{\prime }\right),\dots ,\tilde{E}\left(g_{1w}^{\prime }\right)·E\left(g_{2w}^{\prime }\right)\right\},$$ where each product is returned in the form $(d_{1j},{\mathbf{d}}_{\mathbf{2}\mathbf{j}},{\mathbf{d}}_{\mathbf{3}\mathbf{j}})$, as defined in (5). 4: $P_2⟶P_1:{\left\{(d_{1j},{\mathbf{d}}_{\mathbf{2}\mathbf{j}},{\mathbf{d}}_{\mathbf{3}\mathbf{j}})\right\}}_{j=1}^w.$ 5: $P_1$: For each index j, $${\tilde{m}}_j\leftarrow \lceil {\displaystyle \frac{d_{1j}-{\mathbf{d}}_{\mathbf{2}\mathbf{j}}·\mathbf{s}+{\mathbf{d}}_{\mathbf{3}\mathbf{j}}\mathbf{s}·\mathbf{s}}{{\lceil \frac{q}{2}\rfloor }^2}}\rfloor$$ 6: $P_1$: For $j=1,\dots ,w$, If ${\tilde{m}}_j=0$ then $g_j\notin G_1\cap G_2$ else $g_j\in G_1\cap G_2$. 7: $P_1$: Output $G_1\cap G_2$.

The correctness of this protocol greatly depends on the noise of the underlying encryption scheme. In particular, from Section 2.2.2, the protocol is correct when every product in STEP 3 has the following property:

$$\parallel {\displaystyle \frac{w_x{w}_y}{{\lceil \frac{q}{2}\rfloor }^2}}+{\displaystyle \frac{x{w}_x+y{w}_y}{\lceil \frac{q}{2}\rfloor }}{\parallel }_{\infty }<{\displaystyle \frac{1}{2}}$$

That is when

$${\displaystyle \frac{{∥w_x∥}_{\infty }}{\lceil \frac{q}{2}\rfloor }}\ast {\displaystyle \frac{{∥w_y∥}_{\infty }}{\lceil \frac{q}{2}\rfloor }}+{\displaystyle \frac{{∥w_x∥}_{\infty }}{\lceil \frac{q}{2}\rfloor }}+{\displaystyle \frac{{∥w_y∥}_{\infty }}{\lceil \frac{q}{2}\rfloor }}<{\displaystyle \frac{1}{2}}$$

Because of the re-randomization in STEP 2, we differentiate between the distribution of $w_x$ and $w_y$.

Working coefficient-wise, let $p_r\left(t_x\right)$ be an upper bound on $Pr\left(\left|w_{xj}\right|\ge t_x\right)$ and $p\left(t_y\right)$ be an upper bound on $Pr\left(\left|w_{yj}\right|\ge t_y\right)$. That is an upper bound on the probability that the j-th coefficient of the polynomials $w_x$ and $w_y$ is greater than $t_x$ and $t_y$, respectively. Then, by union bound, we have $Pr\left({∥w_x∥}_{\infty }\ge t_x\right)\le n{p}_r\left(t_x\right)$ and $Pr\left({∥w_y∥}_{\infty }\ge t_y\right)\le np\left(t_y\right)$. Therefore, if we choose $t_x$ and $t_y$ such that ${\displaystyle \frac{t_x}{\lceil \frac{q}{2}\rfloor }}\ast {\displaystyle \frac{t_y}{\lceil \frac{q}{2}\rfloor }}+{\displaystyle \frac{t_x}{\lceil \frac{q}{2}\rfloor }}+{\displaystyle \frac{t_y}{\lceil \frac{q}{2}\rfloor }}\le {\displaystyle \frac{1}{2}}$, we can have an upper bound on the failure rate of one product in STEP 3. That is $Pr\left({∥w_x∥}_{\infty }\ge t_x\mathrm{or}{∥w_y∥}_{\infty }\ge t_y\right)\le n(p_r\left(t_x\right)+p\left(t_y\right))$. Taking a union bound over all products in STEP 3, we have an upper bound on the total failure rate $\delta$ of the protocol

$$\delta \le nw(p_r\left(t_x\right)+p\left(t_y\right))$$

(10)

One choice of $t_x$ and $t_y$ is $t_x=t_y={\displaystyle \frac{\sqrt{6}-2}{2}}\lceil {\displaystyle \frac{q}{2}}\rfloor$. However, since $w_x$ is noisier due to re-randomization, we can have a better estimate by choosing $t_y={\displaystyle \frac{\frac{1}{2}-\frac{t_x}{\lceil \frac{q}{2}\rfloor }}{1+\frac{t_x}{\lceil \frac{q}{2}\rfloor }}}\lceil {\displaystyle \frac{q}{2}}\rfloor$ and $t_x$ such that $nw(p_r\left(t_x\right)+p\left(t_y\right))$ is minimized. Using a Chernoff bound, we obtain the following result:

Theorem 1.

Algorithm 10 is $(1-\delta )$-correct, where δ satisfies

$$\delta \le 2nw(p_r\left(t_x\right)+p\left(t_y\right))$$

Such that

$$p\left(t_y\right)=\underset{\alpha \ge 0}{min}exp(\mathsf{\Psi }\left(\alpha \right)-\alpha max\{t_x-{\displaystyle \frac{\alpha q}{2^{d_v+1}}},0\}),$$

$$p_r\left(t_x\right)=\underset{\alpha \ge 0}{min}exp(2\mathsf{\Psi }\left(\alpha \right)-\alpha max\{t_y-{\displaystyle \frac{\alpha q}{2^{d_v}}},0\}),$$

where

$$\mathsf{\Psi }\left(\alpha \right):=kn\left(ln{A}_r\left(\alpha \right)+ln{A}_s\left(\alpha \right)\right)+\eta ln\left({\displaystyle \frac{1+cosh\alpha }{2}}\right),$$

$$\begin{array}{cc}& A_r\left(\alpha \right)={\displaystyle \frac{\left(\genfrac{}{}{0pt}{}{2\eta }{\eta }\right)}{4^{\eta }}}+{\displaystyle \frac{1}{2^{3\eta -1}}}\sum _{j=1}^{\eta }\left({\displaystyle \genfrac{}{}{0pt}{}{2\eta }{\eta -j}}\right){(1+cosh\left(j\alpha \right))}^{\eta }{\displaystyle \frac{sinh\left(j\frac{\alpha q}{2^{d_t+1}}\right)}{j\frac{\alpha q}{2^{d_t+1}}}},\hfill \\ & A_s\left(\alpha \right)={\displaystyle \frac{\left(\genfrac{}{}{0pt}{}{2\eta }{\eta }\right)}{4^{\eta }}}+{\displaystyle \frac{1}{2^{3\eta -1}}}\sum _{j=1}^{\eta }\left({\displaystyle \genfrac{}{}{0pt}{}{2\eta }{\eta -j}}\right){(1+cosh\left(j\alpha \right))}^{\eta }{\displaystyle \frac{sinh\left(j\frac{\alpha q}{2^{d_u+1}}\right)}{j\frac{\alpha q}{2^{d_u+1}}}}\hfill \end{array}$$

Proof. 

Let ${\Delta }_d:=q/2^d$. We adopt a uniform quantization model, that is

$${\delta }_{tj}\sim Unif\left[-{\displaystyle \frac{{\Delta }_{d_t}}{2}},{\displaystyle \frac{{\Delta }_{d_t}}{2}}\right],{\delta }_{uj}\sim Unif\left[-{\displaystyle \frac{{\Delta }_{d_u}}{2}},{\displaystyle \frac{{\Delta }_{d_u}}{2}}\right],{\delta }_{vj}\sim Unif\left[-{\displaystyle \frac{{\Delta }_{d_v}}{2}},{\displaystyle \frac{{\Delta }_{d_v}}{2}}\right]$$

Focusing on $p\left(t\right)$ only since $p_r\left(t\right)$ can be derived in a similar manner taking into account the additional noise. The jth coefficient is

$$w_{yj}={\left(e^{\top }r\right)}_j+{\left({\delta }_t^{\top }r\right)}_j-{\left(s^{\top }{e}_1\right)}_j-{\left(s^{\top }{\delta }_u\right)}_j+\left(e_{2j}\right)+\left({\delta }_{vj}\right).$$

Each one of the terms is a sum of $kn$ products of a centered binomial and uniform random variables. Except for $e_{2j}$, a centered binomial random variable, and $\left({\delta }_{vj}\right)$, modeled by its upper bound $a_v:={\displaystyle \frac{{\Delta }_{d_v}}{2}}$. Then, define the random part:

$$G_j:=w_{yj}-{\left({\delta }_v\right)}_j$$

We will compute the Moment Generating Function (MGF) of $G_j$ and apply the Chernoff bound. Note that if $X\sim {\beta }_{\eta }$, then $\mathbb{E}\left[e^{\theta X}\right]={\left({\displaystyle \frac{1+cosh\theta }{2}}\right)}^{\eta }$. Also, when $U\sim Unif[-\Delta /2,\Delta /2],\mathrm{then}\mathrm{for}\mathrm{any}\mathrm{constant}c,$ we have $\left[\mathbb{E}{e}^{\alpha cU}\right]={\displaystyle \frac{sinh(\alpha c\Delta /2)}{\alpha c\Delta /2}}=:{sinc}_h\left({\displaystyle \frac{\alpha c\Delta }{2}}\right),$${sinc}_h\left(x\right):={\displaystyle \frac{sinhx}{x}}$. Conditioning on $r\sim {\beta }_{\eta }$ and using independence:

$$\mathbb{E}\left[e^{\alpha re}|r\right]={\left({\displaystyle \frac{1+cosh\left(\alpha r\right)}{2}}\right)}^{\eta },\mathbb{E}\left[e^{\alpha r{\delta }_t}|r\right]={sinc}_h\left({\displaystyle \frac{\alpha r{\Delta }_{d_t}}{2}}\right)$$

Then the MGF of each product in ${\left(e^{\top }r\right)}_j\mathrm{and}{\left({\delta }_t^{\top }r\right)}_j$ is

$$A_r\left(\alpha \right):={\mathbb{E}}_{r\sim {\beta }_{\eta }}\left[{\left({\displaystyle \frac{1+cosh\left(\alpha r\right)}{2}}\right)}^{\eta }{sinc}_h\left({\displaystyle \frac{\alpha r{\Delta }_{d_t}}{2}}\right)\right].$$

Using the identity

$${\mathbb{E}}_{X\sim {\beta }_m}\left[e^{\theta X}{sinc}_h\left(\gamma X\right)\right]={\displaystyle \frac{1}{2\gamma }}{\int }_{-\gamma }^{\gamma }{cosh}^{2m}\left({\displaystyle \frac{\theta +s}{2}}\right)ds,$$

And ${cosh}^{2m}u={\displaystyle \frac{1}{2^{2m}}}\left(\left({\displaystyle \genfrac{}{}{0pt}{}{2m}{m}}\right)+2{\sum }_{r=1}^m\left({\displaystyle \genfrac{}{}{0pt}{}{2m}{m-r}}\right)cosh\left(2ru\right)\right)$, and the binomial expansion of ${\left({\displaystyle \frac{1+cosh\left(\alpha R\right)}{2}}\right)}^{\eta }$, a straightforward telescoping yields $A_r\left(\alpha \right).$

Similarly for $A_s\left(\alpha \right)$ for ${\left(s^{\top }{e}_1\right)}_j\mathrm{and}{\left(s^{\top }{\delta }_u\right)}_j.$ So,

$$\mathbb{E}\left[e^{\alpha G_j}\right]={\left(A_r\left(\alpha \right)\right)}^{kn}{\left(A_s\left(\alpha \right)\right)}^{kn}{\left({\displaystyle \frac{1+cosh\alpha }{2}}\right)}^{\eta }=exp\left(\mathsf{\Psi }\left(\alpha \right)\right)$$

and

$$\mathsf{\Psi }\left(\alpha \right)=kn\left(ln{A}_r\left(\alpha \right)+ln{A}_s\left(\alpha \right)\right)+\eta ln\left({\displaystyle \frac{1+cosh\alpha }{2}}\right).$$

From here, it is straightforward to apply the Chernoff bound, and the proof is complete.    □

Formal Security Proof

Theorem 2.

The Kyber-based Protocol (Algorithm 10) implements a secure two-party PSI in the semi-honest model, assuming the underlying Kyber PKE is IND-CPA secure.

Proof. 

We prove security by constructing simulators for both possible corruption cases and demonstrating computational indistinguishability between the real and ideal executions.

Following the semi-honest security model, we require that for any PPT adversary $\mathcal{A}$ corrupting at most one party, there exists a PPT simulator $\mathcal{S}$ such that

$${\left\{{\mathrm{IDEAL}}_{\mathcal{S},\mathcal{A}}(G_1,G_2,\kappa )\right\}}_{\kappa \in \mathbb{N}}\stackrel{c}{\equiv }{\left\{{\mathrm{REAL}}_{\Pi ,\mathcal{A}}(G_1,G_2,\kappa )\right\}}_{\kappa \in \mathbb{N}}$$

(11)

Case 1: $P_1$ is corrupted. When $P_1$ is corrupted, the adversary ${\mathcal{A}}_1$’s view consists of (i) its input $G_1$, (ii) the message received from $P_2$: ${\left\{(d_{1j},d_{2j},d_{3j})\right\}}_{j=1}^w$, and (iii) the protocol output $G_1\cap G_2$.

We construct simulator ${\mathcal{S}}_1$ that, given $G_1$, $G_1\cap G_2$, and security parameter $\kappa$, operates as follows:

• Generate Kyber key pair $(pk,sk)\leftarrow \mathrm{KeyGen}\left(1^{\kappa }\right)$
• For $j=1,\dots ,w$:
  • If $g_j\in G_1\cap G_2$: Generate $(d_{1j},d_{2j},d_{3j})$ such that the decryption formula $m_j\leftarrow \lceil {\displaystyle \frac{d_{1j}-{\mathbf{d}}_{\mathbf{2}\mathbf{j}}·\mathbf{s}+{\mathbf{d}}_{\mathbf{3}\mathbf{j}}·{\mathbf{S}}^{\prime }}{{\lceil \frac{q}{2}\rfloor }^2}}\rfloor$ yields a non-zero polynomial
  • Otherwise: Generate $(d_{1j},d_{2j},d_{3j})$ such that $m_j=0$
• Output $(G_1,{\left\{(d_{1j},d_{2j},d_{3j})\right\}}_{j=1}^w,G_1\cap G_2)$

The indistinguishability follows from the zero-ciphertext blinding performed by $P_2$ in Step 2, where $\tilde{E}\left(g_{1j}\right)\leftarrow E\left(g_{1j}\right)+Z_j$ with $Z_j\leftarrow E\left(0\right)$. This randomization ensures that the homomorphic products reveal only intersection membership information. To extract anything more about $P_2$’s element, the adversary would need to identify $(u_y,v_y)$ using the triple $(d_{1j},d_{2j},d_{3j})$, his ciphertext and the secret key. However, the triple equations are invariant under the map $(u_x^{\prime },v_x^{\prime },u_y,v_y)\mapsto (\alpha u_x^{\prime },\alpha v_x^{\prime },{\alpha }^{-1}{u}_y,{\alpha }^{-1}{v}_y)$ for any non-zero rational $\alpha$. Let ${\widehat{u}}_x^{\prime }$ be a particular solution found from $d_3$ (note that $d_3$ is independent of the secret key). Then, by randomization, we have that among the set $L=\{\alpha {\widehat{u}}_x^{\prime }-u_x|\alpha \in \mathbb{Q}\}$, exactly one $\alpha$ satisfies $\alpha {\widehat{u}}_x^{\prime }-u_x=A^{\top }r+e$, for some small r and e. If $P_1$ can, find $P_2$’s element, then $P_1$ can find $\alpha$, thus solving the problem: given L find $\alpha$ such that $\alpha {\widehat{u}}_x^{\prime }-u_x=A^{\top }r+e$ for small r and e, which is hard. Thus, under the IND-CPA assumption of Kyber, no PPT adversary can distinguish between real and simulated products.

Case 2: $P_2$ is corrupted. When $P_2$ is corrupted, the adversary ${\mathcal{A}}_2$’s view consists of (i) its input $G_2$ and (ii) the message received from $P_1$: $E\left(G_1\right)=\{E\left(g_{11}\right),\dots ,E\left(g_{1w}\right)\}$. Note that $P_2$ does not receive the final output.

We construct simulator ${\mathcal{S}}_2$ that, given $G_2$ and security parameter $\kappa$, operates as follows:

• Generate Kyber key pair $(pk,sk)\leftarrow \mathrm{KeyGen}\left(1^{\kappa }\right)$
• For $j=1,\dots ,w$: Sample $r_j$ uniformly at random from the message space and compute $E\left(g_{1j}^{\prime }\right)\leftarrow \mathrm{Encrypt}(pk,r_j)$
• Output $(G_2,{\left\{E\left(g_{1j}^{\prime }\right)\right\}}_{j=1}^w)$

By the IND-CPA security of Kyber PKE, encryptions of actual set elements are computationally indistinguishable from encryptions of random elements. Since $P_2$ receives no intersection information, the simulation is perfect.    □

4.2. McEliece-Based Protocol

Since McEliece PKE supports only the additive homomorphism, a direct algorithm as in (10) cannot be used. In fact, the direct algorithm can be used, but if a peer acts maliciously by pretending that its set includes all the elements in the domain [38], privacy is no longer guaranteed. Hence, a data structure, e.g., a bloom filter, is needed to design a secure PSI protocol. To perform multiple AND operations, the Sandar Young Yung (YYT) technique [20] is utilized.

We first define the function $Expand,E\left(x\right)$, where a bit x encrypted to $E\left(x\right)$ is expanded to a vector ciphertext with length l as follows:

1. For each i, draw a sample $r_i$ uniformly from $\{0,1\}$.

2. For each element in the vector ciphertext $Expand\left(E\left(x\right)\right)=(E\left(e_1\right),E\left(e_2\right),\dots ,E\left(e_l\right))$ is set

$$E\left(e_i\right)=\left\{\begin{array}{cc}E\left(x\right)+E\left(1\right)=E(x\oplus 1)\hfill & \mathrm{if}{r}_i=0\hfill \\ E\left(0\right)\hfill & \mathrm{if}{r}_i=1\hfill \end{array}\right.$$

(12)

When the vector ciphertext $Expand\left(E\right(x\left)\right)$ is decrypted, the result will be $(e_1,e_2,\dots ,e_l)$. If $x=1$, then $x\oplus 1=0$, so for all i, $e_i=0$. Otherwise, $e_i$ will be uniformly distributed in $\{0,1\}$. Now, we define the sum of two vector ciphertexts as follows:

$$\begin{array}{cc}\hfill Expand\left(E\right(x\left)\right)+Expand\left(E\right(y\left)\right)& =E\left(e_1\right)+E\left(f_1\right),\dots ,E\left(e_l\right)+E\left(f_l\right)\hfill \\ & =E\left(e_1\oplus f_1\right),\dots ,E\left(e_l\oplus f_l\right)\hfill \end{array}.$$

Observe that if both x and y are 1, then all $e_i\oplus f_i$ is 0. However, if one of them is 0, then $e_1\oplus f_1$ will be uniformly distributed in $\{0,1\}$. So, we have

$$Expand\left(E\right(x\left)\right)+Expand\left(E\right(y\left)\right)=Expand\left(E\right(x\wedge y\left)\right)$$

A bloom filter is a probabilistic data structure used to test for inclusion [39]. A bloom filter can be represented as a vector of bits $B=(b_1,\dots ,b_m)$ of size m and $\lambda$ associated hash functions $h_i:{\{0,1\}}^l\mapsto \{1,\dots ,m\}$. Initially, the Bloom filter’s bits are all set to zero. Then we define the following two functions:

• $Add\left(x\right)$: Return B with $b_{h_i\left(x\right)=1}$ for all $1\le i\le \lambda$.
• $Test\left(x\right)$: Return ${\bigwedge }_{i=1}^{\lambda }{b}_{h_i\left(x\right)}$.

In a bloom filter, the function $Add\left(x\right)$ will add the element x by setting the location in B with index $b_{h_i}\left(x\right)$ to 1 for $i=1,\cdots ,\lambda$. The function $Test\left(x\right)$ will test whether an element x is added by checking whether the locations with indices calculated from the hash functions are set to 1 or not. When $Test\left(x\right)$ returns 0, this implies that x is definitely not added to the bloom filter; on the other hand, if $Test\left(x\right)$ returns 1, this tells us that x is probably in the bloom filter. Therefore, false negatives are impossible, while false positives are allowed. However, given that the probability of false positives ($ϵ$) is equal to $2^{-\lambda }$, increasing the number of hash functions ($\lambda$) can lead to a negligible value of $ϵ$. Accordingly, the optimal size of the bloom filter can be set by $m={\displaystyle \frac{n\lambda }{ln2}}$.

Therefore, we can, based on [40], perform a private intersection protocol as shown in Algorithm 11:

Algorithm 11 Private Set Intersection Protocol

1: $P_1$: $i=1,\dots v:Add\left(g_{1i}\right)$ 2: $P_1⟶P_2:G_p,(E\left(b_1\right),\dots ,E\left(b_m\right))$ 3: $P_2:i=1,\dots ,v:E\left(w_i^{\prime }\right)=E\left(g_{2i}\right)+{\sum }_{j=1}^{\lambda }Expand\left(E\left(b_{h_j\left(g_{2i}\right)}\right)\right)$ 4: $P_2⟶P_1:E\left(w_1^{\prime }\right),\dots ,E\left(w_m^{\prime }\right)$ 5: $P_1$: $D\left(E\left(w_1^{\prime }\right)\right),\dots ,D\left(E\left(w_m^{\prime }\right)\right)$ 6: $P_1:\left\{g_{11},\dots ,g_{1n}\right\}\cap \left\{w_1^{\prime },\dots ,w_m^{\prime }\right\}$

In STEP 3, we have the following

$$E\left(w_i^{\prime }\right)=E\left(g_{2i}\right)+\sum _{j=1}^{\lambda }Expand\left(E\left(b_{h_j\left(g_{2i}\right)}\right)\right)=E\left(g_{2i}\right)+Expand(E(\underset{j=1}{\overset{\lambda }{\bigwedge }}{b}_{h_j\left(g_{2i}\right)}))$$

This computation will result to

$$w_i^{\prime }=\left(g_{2i,1}\oplus e_1,\dots ,g_{2i,l}\oplus e_l\right).$$

If $g_{2i}$ is in the bloom filter, then $b_{h_j\left(g_{2i}\right)}$ will all be 1. So $e_j=0$. That is $\left(g_{2i,j}\oplus e_j\right)=g_{2i,j}$. However, if $g_{2i}$ is not in the bloom filter, then $e_j^{\prime }s$ will be randomly chosen, and so, $w_i^{\prime }$ will be chosen at random.

Formal Security Proof

Theorem 3.

Assuming the IND-CPA security of McEliece PKE and the error vector weights are properly managed, then the McEliece-based PSI protocol (Algorithm 11) implements a secure private set intersection in the semi-honest model.

Proof. 

We prove security by demonstrating that the view of any party in the real protocol can be simulated from their input and output alone, making it indistinguishable from the ideal model. For any PPT adversary $\mathcal{A}$ corrupting at most one party, there exists a PPT simulator $\mathcal{S}$ such that

$${\left\{{\mathrm{IDEAL}}_{\mathcal{S},\mathcal{A}}(G_1,G_2,\lambda )\right\}}_{\lambda \in \mathbb{N}}\stackrel{c}{\equiv }{\left\{{\mathrm{REAL}}_{\Pi ,\mathcal{A}}(G_1,G_2,\lambda )\right\}}_{\lambda \in \mathbb{N}}$$

(13)

• Case 1: $P_1$ is corrupted.

When $P_1$ is corrupted, the adversary ${\mathcal{A}}_1$’s view consists of (i) Its input $G_1$, (ii) the message received from $P_2$: $\{E\left(w_1^{\prime }\right),\dots ,E\left(w_m^{\prime }\right)\}$, and (iii) the protocol output $G_1\cap G_2$.

We construct simulator ${\mathcal{S}}_1$ as follows:

  1:

Input: $G_1$, $G_1\cap G_2$, security parameter $\kappa$

  2:

Generate McEliece key pair $(G_p,S)\leftarrow \mathrm{KeyGen}\left(1^{\kappa }\right)$

  3:

for $i=1,\dots ,|G_2|$ do

  4:

 if $g_{2i}\in G_1\cap G_2$ then

  5:

  Generate $E\left(w_i^{\prime }\right)$ such that decryption yields an element in $G_1$

  6:

 else

  7:

  Generate $E\left(w_i^{\prime }\right)$ such that decryption yields a random element not in $G_1$

  8:

 end if

  9:

end for

10:

Output: $(G_1,\{E\left(w_1^{\prime }\right),\dots ,E\left(w_m^{\prime }\right)\},G_1\cap G_2)$

Indistinguishability Analysis: The key insight lies in the properties of the Bloom filter and the additive homomorphic operations:

• Bloom Filter Masking: For elements $g_{2i}\in G_1\cap G_2$, all hash functions $h_j\left(g_{2i}\right)$ map to positions set to 1 in the Bloom filter, resulting in $E\left(w_i^{\prime }\right)=E\left(g_{2i}\right)$ after the expand operations cancel out.
• Random Masking for Non-intersection: For elements $g_{2i}\notin G_1\cap G_2$, at least one hash function maps to a position set to 0 in the Bloom filter. The expand operation introduces randomness, making $w_i^{\prime }$ appear random and unrelated to $g_{2i}$.

Under the IND-CPA security of McEliece PKE, the encrypted values are computationally indistinguishable from encryptions of the appropriate elements determined by intersection membership.

Therefore, ${\mathrm{IDEAL}}_{{\mathcal{S}}_1,{\mathcal{A}}_1}(G_1,G_2,\kappa )\stackrel{c}{\equiv }{\mathrm{REAL}}_{\mathsf{\Pi },{\mathcal{A}}_1}(G_1,G_2,\kappa )$.

• Case 2: $P_2$ is corrupted.

When $P_2$ is corrupted, the adversary ${\mathcal{A}}_2$’s view consists of

• Its input $G_2$
• The message received from $P_1$: $G_p,\{E\left(b_1\right),\dots ,E\left(b_m\right)\}$ (encrypted Bloom filter)

We construct simulator ${\mathcal{S}}_2$ as follows:

1:

Input: $G_2$, security parameter $\kappa$

2:

Generate McEliece key pair $(G_p,S)\leftarrow \mathrm{KeyGen}\left(1^{\kappa }\right)$

3:

Initialize Bloom filter $B=(b_1,\dots ,b_m)$ with random bits

4:

for $j=1,\dots ,m$ do

5:

 $E\left(b_j\right)\leftarrow \mathrm{Encrypt}(G_p,b_j)$ where $b_j\leftarrow \{0,1\}$ uniformly at random

6:

end for

7:

Output: $(G_2,G_p,\{E\left(b_1\right),\dots ,E\left(b_m\right)\})$

Indistinguishability Analysis: The security follows from the IND-CPA security of McEliece PKE:

• Ciphertext Indistinguishability: Under the syndrome decoding assumption, encryptions of the actual Bloom filter bits are computationally indistinguishable from encryptions of random bits.
• No Output Leakage: Since $P_2$ does not receive the intersection result, the simulator need not ensure consistency with any output information.
• Bloom Filter Privacy: The encrypted Bloom filter reveals no information about the underlying set $G_1$ beyond what can be inferred from the ciphertexts, which is negligible under the IND-CPA assumption.

Therefore, ${\mathrm{IDEAL}}_{{\mathcal{S}}_2,{\mathcal{A}}_2}(G_1,G_2,\kappa )\stackrel{c}{\equiv }{\mathrm{REAL}}_{\mathsf{\Pi },{\mathcal{A}}_2}(G_1,G_2,\kappa )$. □

4.3. Limitations and Discussion

Kyber and McEliece PKEs are probabilistic and achieve indistinguishability under chosen plaintext attack (IND-CPA) security. However, many real-world applications require a much stronger notion of security against active attacks. Namely, the PKE scheme should achieve indistinguishability under chosen ciphertext attack (IND-CCA) security. In the literature, IND-CCA secure variants of McEliece have been, proposed as in [41,42,43]. On the contrary, there is no IND-CCA secure variant of Kyber PKE.

Employing the McEliece cryptosystem as an additive homomorphic scheme primarily affects its security. Hence, we need to choose the error vectors so that they have proper weights. Since we have at most $\lambda +2$ in STEP 4 and STEP 5 Algorithm 11, then we choose $W_H\left(e_j\right)\in \left(0,{\displaystyle \frac{t}{\lambda +2}}\right]$. This reduction in the weight should be managed carefully; otherwise, the cryptosystem will be vulnerable to an information-set decoding attack [44,45]. In the experimental work section, we multiply t by 1.5 to keep the algorithm supporting the homomorphic property with high security. However, this will affect the ciphertext and public key size as will be shortly shown in Section 5. For the same security issue, the McEliece-based PSI protocol (Algorithm 11) is built upon the less efficient protocol [40] rather than the one proposed in [46,47]. From the correctness perspective, the McEliece-based PSI protocol depends on, again, the error vector and the Bloom filter, which may generate false positives.

On the other hand, the homomorphic properties of Kyber are straightforward and reveal no security breaches. One limitation of Kyber as a multiplicative homomorphic scheme is that the use of this property becomes computationally costly when many items are involved in a single multiplication operation, since bootstrapping keys and relinearization are required [31]. However, when only a small number of items (e.g., two) are multiplied per operation, as in the Kyber-based PSI protocol (Algorithm 10), the overhead remains manageable, keeping the computational cost within a practical range, as will be shown in the next section. Another limitation of the Kyber-based PSI protocol is that the non-standard ciphertext resulted by the homomorphic multiplication is larger than the standard ciphertext by $50\%$. The correctness of the protocol relies on the noise boundedness introduced by the Kyber PKE. That is, the protocol is correct as long as the accumulated noise during encryption and homomorphic multiplications does not exceed the decryption threshold.

Moreover, due to the aforementioned limitations, extending the proposed two-party PSI protocols to multiparty PSI protocols is almost impossible. Indeed, in the multiparty environment, these limitations are no longer manageable.

5. Experimental Work and Performance Evaluation

To evaluate our proposed protocols experimentally, we consider a Peer-to-Peer (P2P) file sharing network in which each file is identified by a unique serial number, namely a 32-byte integer. Each peer owns some files. Once a peer gets connected to another peer, they can only know the mutually inclusive file set that both pose by applying one of the proposed PSI protocols. The peer can repeat this process with several peers in the same network. Ultimately, the peer can know if he owns rare files that are only owned by him or a few other peers in the network; thus, an urgent backup must be performed.

Experimental Environment: Java JDK version 17 [48] is used as a programming language, Apache NetBeans version 20 [49] is used as an integrated development environment (IDE), and the Bouncy Castle cryptography library [50] is used to implement the proposed cryptographic algorithms. The PC specifications include an Intel Core i7-1255U CPU, 32 GB RAM, and Windows 11 Pro 64-bit OS.

Storage overhead, communication overhead, and computation cost are the metrics of interest to compute based on the three NIST security levels: level 1 meets the security of AES-128, level 3 meets the security of AES-192, and level 5 meets the security of AES-256.

Based on the specification above,

Table 1. The corresponding values of McEliece/Niederreiter and Kyber’s public/private keys and ciphertexts (in bytes) that meet the NIST’s security levels.

PKC Algorithm		Level-1 (AES-128)	Level-3 (AES-192)	Level-5 (AES-256)
Kyber	Pk	800	1184	1568
	SK	768	1152	1536
	Ciphertext	768	1088	1568
McEliece (Niederreiter variant)	Pk	261,120	524,160	1,047,319
	SK	6492	13,608	13,948
	Ciphertext	96	156	208
McEliece1.5t (Niederreiter variant)	Pk	330,624	640,224	1,344,434
	SK	6551	13,704	14,066
	Ciphertext	144	234	290

shows reference values for public/private keys and ciphertext sizes of Kyber and McEliece/Niederreiter PKE. Where McEliece1.5t refers to a tuned version of McEliece that has the t value increased by a factor of 1.5 to keep the McEliece algorithm secure after applying the additive homomorphic property. For instance, if McEliece’s t value is 64 for level-1 security, the McEliece1.5t’s t value becomes 96, and so on. The cost of this increase is an increase in the public key and ciphertext size, as shown in the table. Also, to avoid any decryption failure, the original encrypted texts, i.e., prior to the additive homomorphism, must be encrypted using $0.5t$ and $0.75t$ values for McEliece and McEliece1.5t protocols, respectively. We stress that all McEliece parameters and results are due to the Niederreiter variant.

5.1. Storage Overhead

The storage overhead (SO) is the overall sum of the public/private key sizes and the ciphertext ($ct$) size of the entire set, G, as depicted in (14).

$$SO=P_k+S_k+(ct\ast |G\left|\right).$$

(14)

The key size depends on the underlying algorithm and required security level. The overall ciphertext size is the size of a single encrypted element multiplied by the number of elements in the set, $\left|G\right|$.

Results for NIST’s level-1 security are depicted in

Table 2. Storage Overhead measured in KB for 128-level security.

Set Size	McEliece (261,120, 6492)		McEliece1.5t (330,624, 6551)		Kyber (800, 768)
	Ciphertext Size	Storage Overhead	Ciphertext Size	Storage Overhead	Ciphertext Size	Storage Overhead
100	9.38	266.96	14.06	343.33	75.00	76.53
200	18.75	276.33	28.12	357.40	150.00	151.53
300	28.12	285.71	42.19	371.46	225.00	226.53
350	32.81	290.40	49.22	378.49	262.50	264.03
400	37.50	295.08	56.25	385.52	300.00	301.53
450	42.19	299.77	63.28	392.55	337.50	339.03
500	46.88	304.46	70.31	399.58	375.00	376.53
550	51.56	309.15	77.34	406.62	412.50	414.03
600	56.25	313.83	84.38	413.65	450.00	451.53

and Figure 1. The results show that the most storage overhead of McEliece comes from its keys, while the most storage overhead of Kyber comes from its ciphertext. Thus, it is preferable to use Kyber for small set sizes, approximately less than 400 elements when Kyber is compared with McEliece and less than 550 elements when compared with McEliece1.5t. Figure 1 shows much clearer results. It shows that McEliece’s line increases by a small constant while Kyber’s line increases linearly. More importantly, it shows the exact intersection point and set size where it is recommended to switch to McEliece. The figure shows that the set size of 392 is where McEliece can be preferably used, as it incurs only 294.33 KB overhead, whereas Kyber incurs 295.53 KB overhead. Also, at the set size of 540, the storage overhead incurred by McEliece1.5t and Kyber is 405.21 KB and 406.53 KB, respectively.

Results for NIST’s level-3 security are depicted in

Table 3. Storage overhead measured in KB for 192-level security.

Set Size	McEliece (524,160, 13,608)		McEliece1.5t (640,224, 13,704)		Kyber (1184, 1152)
	Ciphertext Size	Storage Overhead	Ciphertext Size	Storage Overhead	Ciphertext Size	Storage Overhead
100	15.23	540.40	22.85	661.45	106.25	108.53
200	30.47	555.63	45.70	684.30	212.50	214.78
300	45.70	570.87	68.55	707.16	318.75	321.03
400	60.94	586.10	91.41	730.01	425.00	427.28
500	76.17	601.34	114.26	752.86	531.25	533.53
550	83.79	608.95	125.68	764.29	584.38	586.66
600	91.41	616.57	137.11	775.71	637.50	639.78
650	99.02	624.19	148.54	787.14	690.62	692.91
700	106.64	631.80	159.96	798.56	743.75	746.03
750	114.26	639.42	171.39	809.99	796.88	799.16
800	121.88	647.04	182.81	821.41	850.00	852.28

and Figure 2. The results show the same tendency as the level-1 security. However, since the public key size of McEliece is almost twice the size of level-1, Kyber performs better than McEliece and McEleice1.5t as long as the set size is less than 575 and 764, respectively, as shown in Figure 2.

Table 4. Storage overhead measured in KB for 256-level security.

Set Size	McEliece (1,047,319, 13,948)		McEliece1.5t (1,344,434, 14,066)		Kyber (1568, 1536)
	CiphertextSize	Storage Overhead	Ciphertext Size	Storage Overhead	Ciphertext Size	Storage Overhead
100	20.31	1056.71	28.32	1354.98	153.12	156.16
200	40.62	1077.02	56.64	1383.30	306.25	309.28
300	60.94	1097.33	84.96	1411.62	459.38	462.41
400	81.25	1117.64	113.28	1439.94	612.50	615.53
500	101.56	1137.96	141.60	1468.26	765.62	768.66
600	121.88	1155.98	140.62	1496.58	918.75	921.78
700	142.19	1158.27	169.92	1524.90	1071.88	1074.91
750	152.34	1178.58	198.24	1539.06	1148.44	1151.47
800	162.50	1188.74	212.40	1553.22	1225.00	1228.03
850	172.66	1206.76	226.56	1567.38	1301.56	1304.59
900	182.81	1198.89	240.72	1581.54	1378.12	1381.16
1000	203.12	1209.05	254.88	1609.86	1531.25	1534.28
1050	213.28	1219.21	283.20	1624.02	1607.81	1610.84
1100	223.44	1239.52	297.36	1638.18	1684.38	1687.41

and Figure 3 show the results of NIST’s level-5 security. Again, McEliece’s public key is approximately doubled, and thus the storage overhead is doubled. Therefore, Kyber outperforms McEliece and McEliece1.5t as long as the set size is less than 779 and 1062, respectively, as shown in Figure 3.

5.2. Communication Overhead

For the Kyber-based protocol (Algorithm 10), Peer 1, who initiates the PSI protocol, sends the encrypted elements of his entire set (including the zero elements) along with the public key. Peer 2 then returns the result of the homomorphic multiplication (element-wise) of its set with Peer 1’s set. Thus, the overall communication overhead, as given in Equation (15), is the sum of the public key size, the size of Peer 1’s encrypted set, and the size of the encrypted products of Peer 1’s and Peer 2’s sets.

$$C{O}_{Kyber}=P_k+|E(G_1,P_k)|+|E(G_1\times G_2,P_k)\left|\right).$$

(15)

For the McEliece-based protocol (Algorithm 11), Peer 1 should send the encrypted Bloom filter corresponding to his private set, along with the public key. Once Peer 2 receives the encrypted bloom filter, he evaluates the expansion function on the received bloom filter. Finally, he homomorphically xors the expanded ciphertexts with his elements and returns the result. Therefore, the overall communication overhead, Equation (16), is the total of the public key size, the size of the encrypted bloom filter, and the size of the encrypted set.

$$C{O}_{McEliece}=P_k+|E(B,P_k)|+2\ast |E(G,P_k)|.$$

(16)

Note for this implementation, we set the number of hash functions $\lambda =50$, such that the false positive rate ($ϵ$) is $2^{-50}$, following the recommendations in [46,47].

The results of the communication overhead for all NIST’s security levels are listed in

Table 5. Communication overhead measured in KB for 128-level security.

Set Size	McEliece (261,120, 6492)	McEliece1.5t (330,624, 6551)	Kyber (800, 768)
	Communication Overhead	Communication Overhead	Communication Overhead
100	264.94	337.50	188.28
200	274.88	352.13	375.78
300	284.82	366.75	563.28
350	289.78	374.07	657.03
400	294.75	381.38	750.78
450	299.72	388.69	844.53
500	304.69	396.01	938.28
550	309.66	403.32	1032.03
600	314.63	410.63	1125.78

,

Table 6. Communication overhead measured in KB for 192-level security.

Set Size	McEliece (524,160, 13,608)	McEliece1.5t (640,224, 13,704)	Kyber (1184, 1152)
	Communication Overhead	Communication Overhead	Communication Overhead
100	527.68	648.64	213.66
200	543.47	672.05	266.78
300	559.27	695.46	532.41
400	575.07	718.88	798.03
500	590.87	742.30	1063.66
550	598.77	754.00	1329.28
600	606.66	765.71	1462.09
650	614.56	777.42	1594.91
700	622.46	789.12	1727.72
750	630.36	800.84	1860.53
800	638.26	812.54	1993.34

and

Table 7. Communication overhead measured in KB for 256-level security.

Set Size	McEliece (524,160, 13,608)	McEliece1.5t (640,224, 13,704)	Kyber (1184, 1152)
	Communication Overhead	Communication Overhead	Communication Overhead
100	1043.65	1341.81	384.34
200	1064.53	1370.69	767.16
300	1085.40	1399.58	1149.97
400	1106.28	1428.46	1532.78
500	1127.16	1457.35	1915.59
600	1148.03	1486.23	2298.41
700	1168.91	1515.11	2681.22
750	1179.35	1529.56	2872.62
800	1189.78	1544.00	3064.03
850	1200.22	1558.44	3255.44
900	1210.66	1572.88	3446.84
1000	1231.53	1601.76	3829.66
1050	1241.97	1616.21	4021.06
1100	1252.41	1630.65	4212.47

and depicted in Figure 4, Figure 5 and Figure 6. The results show that for small set sizes, McEliece incurs higher communication overhead than Kyber. After a certain point, McEliece starts to outperform Kyber, and the gap between the two algorithms increases dramatically as the set size increases. Overall, the performance of Kyber is highly affected by the set size, whereas McEliece is slightly affected. Apparently, the figures show that McEliece’s line is almost straight, while Kyber’s line grows linearly.

5.3. Computation Cost

The most costly operation in the Kyber-based protocol (Algorithm 10) is the number of multiplication/mod operations, which increase as the module size (K) increases. The most costly operation in the McEliece-based protocol (Algorithm 11) is the hashing. As mentioned earlier, the number of hash functions ($\lambda$) is set to 50, following the recommendations in [46,47]. The results, summarized in

Table 8. Computation cost measured in ms.

Set Size	McEliece $\mathit{\lambda }=50$	Kyber ($\mathit{K}=2$)	Kyber ($\mathit{K}=3$)	Kyber ($\mathit{K}=4$)
	Computation Cost	Computation Cost	Computation Cost	Computation Cost
100	3.08	23.9	33.4	39.5
200	6.66	53.2	76.9	102.6
300	8.52	99.6	121.7	133.9
400	11.60	115.5	167	195.9
500	14.07	161.6	190.3	259.1
600	18.14	189.1	236.6	304.3
700	19.70	228.1	271.5	330.3

, indicate that the computation time of McEliece is substantially lower than that of Kyber.

6. Conclusions and Future Work

In this paper, we study the homomorphic properties of two important post-quantum public key cryptosystems (PKCs): Crystal-Kyber and Classic-McEliece. The research focuses on examining their underlying public key encryption (PKE) schemes. We begin with a comprehensive illustration of both candidates and their homomorphic properties, enriched with examples. Next, we apply these homomorphic properties to the private set intersection (PSI) problem. Two different PSI protocols are designed: one based on the additive homomorphic property of McEliece PKE and the other based on the multiplicative homomorphic property of Kyber PKE. Additionally, the limitations of each scheme are discussed and analyzed. To obtain much clearer insights, a practical performance evaluation under NIST’s security levels 1, 3, and 5 is conducted, focusing on three key metrics: storage overhead, communication overhead, and computation cost. Our findings indicate that the Kyber-based PSI Protocol is homomorphically secure, but it suffers from significant computational and communication overhead, which limits its practical applicability. Conversely, the McEliece-based PSI protocol demonstrates greater efficiency in practice but raises fundamental concerns regarding its suitability as a secure homomorphic encryption scheme. Yet, these limitations remain manageable within the controlled setting of two-party PSI protocols. However, extending to a multiparty environment would introduce significant challenges, making the limitations far more difficult to address in practice.

Future work includes improving the security and efficiency of the Kyber-based PSI protocol. From the security perspective, the IND-CPA Kyber PKE could be transformed into an IND-CCA Kyber PKE variant. A more efficient protocol could leverage the Kyber additive homomorphic rather than the multiplicative one. Another promising direction is to utilize the Kyber additive homomorphic property and combine it with a Bloom filter to design a multiparty PSI protocol.