Efficient Traceable OT-MP-PSI Protocol
- The paper introduces ET-OT-MP-PSI, a protocol that combines Shamir secret sharing, OPPRF, and zero-secret share refreshing to achieve secure and traceable over-threshold PSI.
- ET-OT-MP-PSI discloses an element only when it appears in at least t parties’ datasets and simultaneously reveals which parties hold it, ensuring verifiability.
- The protocol achieves significant efficiency gains—up to thousands of times faster than prior methods—while maintaining security against t-2 colluding semi-honest parties.
Searching arXiv for the specified paper and closely related prior work on traceable over-threshold MP-PSI. Efficient Traceable OT-MP-PSI (ET-OT-MP-PSI) is a protocol for Traceable Over-Threshold Multi-Party Private Set Intersection (T-OT-MP-PSI) in which an element is disclosed when it appears in at least out of participants’ sets, and the output additionally reveals which parties hold it. In the formulation studied in "Practical Traceable Over-Threshold Multi-Party Private Set Intersection" (Yang et al., 31 Dec 2025), the protocol is centralized around a designated leader , with outputting tuples of the form for elements whose multiplicity satisfies , while all other parties output . ET-OT-MP-PSI combines Shamir secret sharing, an oblivious programmable pseudorandom function (OPPRF), and share refreshing using zero-secret sharing to provide traceability and improved efficiency while remaining secure against collusion among up to semi-honest parties (Yang et al., 31 Dec 2025).
1. Formal setting and traceability requirement
In ordinary multi-party private set intersection (MP-PSI), there are parties 0, each holding a private set 1, and the objective is to compute
2
Threshold MP-PSI generalizes this by disclosing an element 3 whenever its multiplicity 4 satisfies
5
This is the 6-out-of-7 or over-threshold condition (Yang et al., 31 Dec 2025).
T-OT-MP-PSI strengthens threshold MP-PSI by requiring traceability. The output must reveal not only the qualifying element but also the identities of the holders. The ideal functionality 8 described in (Yang et al., 31 Dec 2025) takes as input private sets 9 of size 0 and a threshold 1 with 2, and returns to 3
4
while all other parties output 5.
This traceability requirement distinguishes ET-OT-MP-PSI from ordinary threshold PSI. A normal threshold PSI may reveal only the set
6
but not the corresponding holders. In contrast, T-OT-MP-PSI reveals the holder set 7, making the result attributable and, in the terminology of (Yang et al., 31 Dec 2025), making the intersection elements traceable and the result verifiable.
2. System model, adversary model, and corruption threshold
ET-OT-MP-PSI is defined in a system centered on a designated leader 8, with the remaining parties 9 acting as clients (Yang et al., 31 Dec 2025). The protocol is analyzed in the standard semi-honest / honest-but-curious model: parties follow the protocol correctly but may attempt to infer additional information from their local state and received messages. A party’s view consists of its private input, random tape, and all received messages, and security is defined via simulation by a simulator 0 that produces a computationally indistinguishable view (Yang et al., 31 Dec 2025).
In this setting, traceability means that if an element is output as part of the threshold intersection, the protocol also identifies the set of parties that hold it. The paper explicitly connects this property to scenarios such as digital forensics, anomaly attribution, and AML, where evidence must be attributed to specific holders (Yang et al., 31 Dec 2025).
The protocol family in (Yang et al., 31 Dec 2025) contains two security regimes. For ET-OT-MP-PSI, the corruption threshold is up to
1
semi-honest parties. The paper states that if 2 parties collude in ET-OT-MP-PSI, they can reconstruct enough information from Shamir shares and updated shares to infer whether an honest party holds a specific element, even without full reconstruction; consequently, the security threshold is 3 (Yang et al., 31 Dec 2025). A second protocol, ST-OT-MP-PSI, strengthens this to security against up to 4 semi-honest participants by further leveraging the oblivious linear evaluation protocol, but ET-OT-MP-PSI itself retains the 5 bound (Yang et al., 31 Dec 2025).
3. Construction of ET-OT-MP-PSI
ET-OT-MP-PSI combines three components: Shamir secret sharing, OPPRF, and share refreshing using zero-secret sharing (Yang et al., 31 Dec 2025). Its construction is organized into three phases.
In the conditional secret sharing phase, for each element 6, the leader 7 treats 8 as a secret and applies 9-Shamir secret sharing over a field 0: 1 producing shares
2
To ensure that only parties holding the same element receive the relevant share, 3 uses OPPRF with each client 4. The sender input is
5
and the receiver input is
6
If 7, then 8 obtains
9
otherwise it receives a random-looking value (Yang et al., 31 Dec 2025).
In the secret share update phase, the protocol refreshes shares to prevent privacy leakage from comparing pre-update and post-update values. For each party 0 with 1 and each bin 2, the party constructs a zero-secret Shamir polynomial
3
Each party computes update shares 4 for all recipients 5, and recipients sum all received updates: 6 The leader updates its share for 7 by
8
Because the added shares encode the zero secret, the underlying secret is preserved while the shares are refreshed (Yang et al., 31 Dec 2025).
In the conditional collection and reconstruction phase, each client 9 conditionally returns the updated share to 0 via OPPRF. The sender input at 1 is
2
where
3
The receiver input at 4 is
5
If 6, then 7 receives the correct updated share 8 (Yang et al., 31 Dec 2025).
The leader then reconstructs by trying all subsets of 9 shares among the 0 updated shares, always including its own share, using Lagrange interpolation. If for some subset
1
then 2 is in the threshold intersection. To identify holders, 3 checks for each party 4 whether
5
Those satisfying the equality are identified as holders of the element (Yang et al., 31 Dec 2025).
4. Data structures, hashing, and protocol flow
Before the main protocol, each party hashes its set into bins. The paper uses Cuckoo hashing on the receiver side, with one element per bin and dummy padding for empty bins, and Simple hashing on the sender side, with bins padded to a maximum size 6 (Yang et al., 31 Dec 2025). This arrangement hides the distribution of elements across bins.
The protocol uses the following data structures and share variables (Yang et al., 31 Dec 2025):
| Symbol | Meaning |
|---|---|
| 7 | bins from Simple hashing for sender-side data |
| 8 | bins from Cuckoo hashing for receiver-side data |
| 9 | maximum bin size in Simple hashing |
| 0 | original Shamir shares |
| 1 | OPPRF-delivered shares |
| 2 | accumulated zero-share updates |
| 3 | updated share before collection |
| 4 | final received share at 5 |
The message flow has four steps. First, for each bin 6, 7 programs OPPRF with shares of elements in 8, and each client 9 queries using its elements in 0. Second, clients generate zero-secret Shamir shares and send them to all parties. Third, each client 1 uses OPPRF again to conditionally send the updated share back to 2. Fourth, 3 performs interpolation across subsets of size 4 among the received shares; if reconstruction succeeds, the element is in the threshold intersection, and the holder identities are then read off from the matching shares (Yang et al., 31 Dec 2025).
A plausible implication is that the protocol’s practical efficiency depends not only on the cryptographic primitives but also on the binning-and-padding strategy, since OPPRF is executed on binned data rather than on all pairwise comparisons. The paper explicitly attributes part of the efficiency to “binning / padding techniques to reduce comparisons” (Yang et al., 31 Dec 2025).
5. Correctness, privacy, and proof structure
The central security claim for ET-OT-MP-PSI is stated as Theorem 1 in (Yang et al., 31 Dec 2025): ET-OT-MP-PSI realizes 5 and is secure against collusion among up to 6 semi-honest parties.
The correctness proof distinguishes two cases. If an element is in the intersection, then at least 7 parties obtain correct shares, the refreshed shares remain consistent, and reconstruction succeeds. If an element is not in the intersection, then fewer than 8 correct shares exist, so reconstruction fails except with negligible probability (Yang et al., 31 Dec 2025). This aligns the threshold semantics directly with Shamir reconstruction: successful interpolation serves as the test for threshold membership.
The privacy proof is simulation-based under the semi-honest model. When 9 is honest and only clients are corrupted, the simulator produces OPPRF outputs as random field elements and simulates zero-share updates with random polynomials; indistinguishability follows from OPPRF obliviousness and Shamir security. When 00 is corrupted, the simulator uses the ideal output 01, returns random values for non-intersection items, and computes correct outputs for actual intersection items (Yang et al., 31 Dec 2025).
The proof relies on the security of Shamir secret sharing, the security and obliviousness of OPPRF, computational indistinguishability in 02, and the semi-honest adversary model (Yang et al., 31 Dec 2025). The paper’s notion of “reliability of intersection” is that the output is verifiable: an element is not merely anonymously reported as satisfying the threshold, but is reconstructible through secret-sharing consistency and accompanied by a holder list that can be checked (Yang et al., 31 Dec 2025).
6. Complexity and empirical performance
The notation used in the complexity analysis includes 03 for the number of parties, 04 for set size, 05 for threshold, 06 for the statistical security parameter, 07 for the computational security parameter, 08 for the maximum bin size of Simple hashing, and 09 for the prime defining 10 (Yang et al., 31 Dec 2025).
For ET-OT-MP-PSI, the communication costs are divided into conditional secret sharing via OPPRF, share update, and conditional collection. The first two are each
11
and the third is
12
The overall summary gives leader and client communication as
13
for ET (Yang et al., 31 Dec 2025).
The computation cost for the leader includes Shamir sharing and evaluation,
14
reconstruction,
15
and OPPRF overhead,
16
The client computation cost is
17
The reconstruction formulas stated in the paper are the standard Shamir expressions: 18
19
with refresh polynomial
20
and refresh update represented as
21
The OPPRF functionality is described as programming
22
for sender inputs, while the receiver queries
23
and receives the programmed 24 whenever 25 (Yang et al., 31 Dec 2025).
The experimental setup reported in (Yang et al., 31 Dec 2025) uses an implementation in C++ with NTL for big-number arithmetic, Boost for communication, table-based OPPRF, and RLWE-based OLE for ST-OT-MP-PSI. The experiments were conducted on a machine with Intel Xeon 3.1GHz, 80 vCores, 192GB RAM, and Ubuntu 22.04. The element length was
26
and runtimes were averaged over 10 trials (Yang et al., 31 Dec 2025).
The headline benchmark reported in the abstract and conclusion is for 27, 28, and set size 29. Under these conditions, ET-OT-MP-PSI achieves 15056× faster runtime than Mahdavi et al.’s protocol, while ST-OT-MP-PSI achieves 505× faster runtime (Yang et al., 31 Dec 2025). Additional reported results include the case 30, 31, 32, where ET-OT-MP-PSI is 4312× faster and ST-OT-MP-PSI is 637× faster than Mahdavi et al.’s protocol; for reconstruction specifically at 33, 34, 35, the speedups are 45215× for ET and 13761× for ST (Yang et al., 31 Dec 2025).
Concrete runtime examples for ET-OT-MP-PSI are 1.73s for 36, 37; 6.23s for 38, 39; and 24.76s for 40, 41. For ST-OT-MP-PSI, the reported examples are 53.22s for 42, 43, and 207.78s for 44, 45 (Yang et al., 31 Dec 2025). The paper highlights linear scaling in set size and roughly exponential growth in reconstruction with threshold, attributing the latter to the enumeration of
46
subsets (Yang et al., 31 Dec 2025).
7. Relation to prior traceable OT-MP-PSI and practical significance
The paper identifies Mahdavi et al. as the main prior traceable OT-MP-PSI scheme and characterizes its limitations in three dimensions (Yang et al., 31 Dec 2025). First, the prior protocol is secure against up to 47 semi-honest participants under the assumption that certain designated special parties do not collude. Second, its computational complexity is
48
which the paper describes as expensive and poorly scaling with threshold. Third, the paper reports that for 49, 50, 51, runtime exceeds 9 hours (Yang et al., 31 Dec 2025).
ET-OT-MP-PSI preserves the 52 corruption tolerance but removes the additional assumption that designated special parties do not collude. ST-OT-MP-PSI goes further by raising corruption tolerance to 53, again without relying on designated non-colluding parties (Yang et al., 31 Dec 2025). The paper emphasizes that its protocols reduce the exponent from 54 to essentially 55, and use symmetric-key style primitives rather than heavy homomorphic encryption in the main path (Yang et al., 31 Dec 2025).
The end-to-end intuition given in (Yang et al., 31 Dec 2025) is that 56 secret-shares each candidate element with Shamir sharing; OPPRF ensures that only parties who actually hold the element receive the corresponding share; all parties refresh shares by adding zero-secret Shamir shares so that the leader cannot compare before-and-after values to infer non-intersection membership; 57 collects updated shares via OPPRF; and reconstruction by Lagrange interpolation simultaneously determines threshold membership and enables holder identification. This suggests that ET-OT-MP-PSI is best understood as a threshold PSI protocol in which membership evidence is encoded directly in the algebraic consistency of refreshed secret shares.
The protocol’s stated guarantees are the correctness of threshold intersection output, traceability of holders, privacy of non-intersecting elements, and semi-honest security up to 58 colluding parties for ET-OT-MP-PSI (Yang et al., 31 Dec 2025). In applications such as digital forensics, where each participant remains responsible for its own dataset and attribution of evidence matters, the combination of threshold disclosure and holder revelation is the defining property that distinguishes ET-OT-MP-PSI from ordinary MP-PSI.