Security-Enhanced Traceable OT-MP-PSI
- The paper introduces a protocol that reveals leader-held elements only if they appear in t or more parties' sets, ensuring precise holder identification.
- It leverages Shamir secret sharing, OPPRF, and OLE-based share refreshing to securely mask and update shares against collusion attacks.
- Empirical benchmarks demonstrate significant speedups over prior methods, making it applicable to network anomaly detection and digital forensics.
Security-enhanced Traceable Over-Threshold Multi-Party Private Set Intersection (ST-OT-MP-PSI) is a designated-receiver threshold MP-PSI protocol in which parties hold private sets of size , and party learns exactly those elements of that appear in at least parties’ sets, together with the number and identities of the holders. The ideal output is
while all other parties output . The protocol was introduced as the stronger of two traceable over-threshold MP-PSI constructions, with its defining property being semi-honest security against collusion among up to parties, achieved by combining conditional Shamir secret sharing, OPPRF, and an OLE-based share-update mechanism (Yang et al., 31 Dec 2025).
1. Functionality, semantics, and problem model
ST-OT-MP-PSI is formulated for threshold MP-PSI rather than ordinary all-party intersection. For an element 0, the protocol uses
1
to denote the number of parties holding 2, and it discloses 3 iff 4. The “traceable” component is that the receiver learns not only that an element satisfies the threshold, but also the full holder set
5
Because the holder identities are revealed, the count 6 is revealed as well (Yang et al., 31 Dec 2025).
The protocol is asymmetric. Only 7 receives the result, and the functionality is explicitly restricted to elements of 8’s set: 9 Accordingly, the construction is not a symmetric threshold intersection over the union of all parties’ sets. The paper’s complexity discussion correspondingly designates 0 as the Leader and the other participants as Clients (Yang et al., 31 Dec 2025).
The data model assumes that elements can be encoded in a field suitable for Shamir sharing and OLE. In the implementation, elements are 128-bit values, and the finite field is over a large modulus 1 chosen to accommodate 128-bit elements. The motivating applications emphasized for this functionality are network anomaly detection, digital forensics investigation, and suspicious account or anti-money-laundering analysis, all of which benefit from revealing both the qualifying element and the parties that hold it (Yang et al., 31 Dec 2025).
A common misconception is to equate traceability here with a general public-accountability notion. In this protocol family, traceability means that 2 can identify the holder set for each disclosed over-threshold element. The paper does not separately formalize “traceability,” “soundness,” “robustness,” or “reliability” as named definitions (Yang et al., 31 Dec 2025).
2. Cryptographic structure and constituent primitives
ST-OT-MP-PSI is built from four main components: Shamir secret sharing, zero-secret share refresh, OPPRF, and OLE, together with simple hashing and cuckoo hashing for binning (Yang et al., 31 Dec 2025).
Shamir’s 3-secret sharing is used in its standard degree-4 form. For a secret 5, the dealer samples
6
assigns shares 7 with
8
and reconstructs with Lagrange interpolation: 9 In ST-OT-MP-PSI, 0 does not share the element 1 itself. It shares a fresh random value 2 associated uniquely with 3. The paper states that this change prevents 4 colluding parties from reconstructing and learning 5’s elements directly from shares (Yang et al., 31 Dec 2025).
Zero-secret sharing is used to refresh shares without changing the underlying secret. Each updating party samples
6
so adding 7 to an existing share preserves the same constant term. The stated role of this refresh is privacy of non-output matches: without it, 8 could compare originally sent and later returned values and infer whether another party holds an element even when the threshold is not met (Yang et al., 31 Dec 2025).
OPPRF acts as the equality-gated transfer mechanism. Its functionality is that a sender programs pairs 9, a receiver queries 0, and the receiver obtains 1 when 2, otherwise a random-looking value. In ST-OT-MP-PSI, OPPRF is used for conditional share distribution, conditional share collection, and conditional revelation of the OLE index 3 associated with a matched simple-hash position (Yang et al., 31 Dec 2025).
OLE provides the security-enhancing step. In OLE, the sender inputs 4, the receiver inputs 5, and the receiver learns
6
The sender learns nothing about 7, and the receiver learns nothing beyond the linear output. ST-OT-MP-PSI uses OLE so that the refresh term for a share becomes reconstructible by 8 only when 9 and another party hold the same element (Yang et al., 31 Dec 2025).
Hashing supplies the protocol’s batching structure. The sender side uses simple hashing, the receiver side uses cuckoo hashing, empty cuckoo bins are filled with dummy elements, and each simple-hash bin is padded to the maximum bin size 0. This same 1 determines the number of OLE instances executed per bin (Yang et al., 31 Dec 2025).
3. Protocol workflow
The protocol proceeds in three phases after hashing and padding (Yang et al., 31 Dec 2025).
In the preprocessing stage, each party maps its set into both cuckoo-hashing bins 2 and simple-hashing bins 3. Padding hides occupancy. For each element 4, 5 generates a random associated secret 6, then performs 7-Shamir sharing to obtain
8
Using OPPRF, 9 conditionally distributes 0 to 1: if 2 holds the same element, it receives the correct share; otherwise it receives a random value. Concretely, for each bin 3, 4 programs
5
and 6 queries with
7
The resulting value is denoted 8, with 9 on equality and random otherwise (Yang et al., 31 Dec 2025).
In the share-update phase, each helper party 0 samples a bin-specific degree-1 polynomial with zero constant term,
2
The value 3 is sent directly to 4, so 5’s own refreshed share for 6 is
7
The crucial update for other parties is implemented with OLE. For each potential simple-hash position 8, 9 interacts with 0 so that 1 obtains
2
and with 3 so that 4 obtains
5
where
6
Summing over all 7, 8 gets
9
and 0 gets
1
Party 2 then forms
3
This value is sent back conditionally to 4 through OPPRF, and a second OPPRF reveals the matching OLE index 5 if the elements are equal (Yang et al., 31 Dec 2025).
In the reconstruction phase, 6 receives from each 7 a candidate updated share 8, then adds the appropriate 9 determined by the recovered index: 00 For each 01, 02 considers subsets of 03 shares among its 04 candidates, always including its own share, reconstructs a degree-05 polynomial,
06
and accepts iff
07
Once such a polynomial is found, holder identification is performed by checking
08
If the equality holds, 09 is identified as a holder of 10 (Yang et al., 31 Dec 2025).
4. OLE-based cancellation and the meaning of “security-enhanced”
The distinguishing technical idea in ST-OT-MP-PSI is that share refreshing is made contingent on element equality through OLE-based masking. When 11, the update assembled by 12 satisfies
13
The 14 term vanishes exactly on equality, and the result becomes the correctly refreshed Shamir share. If 15, the residual term remains and the value is random-looking rather than a valid share (Yang et al., 31 Dec 2025).
This construction is presented as the remedy to the collusion weakness of ET-OT-MP-PSI. In ET-OT-MP-PSI, the updated share for an honest 16 has the direct form
17
which allows colluding parties to test whether the OPPRF output equals
18
The paper’s claim is that this inference attack limits ET-OT-MP-PSI to security against at most 19 semi-honest colluding parties. ST-OT-MP-PSI removes that direct test by splitting the update into a piece bound to 20’s element and a piece bound to 21’s element, with correctness recovered only when the elements are equal (Yang et al., 31 Dec 2025).
The resulting security theorem is that ST-OT-MP-PSI realizes 22 and is secure against collusion among up to 23 parties in the semi-honest model. The proof is simulation-based and treats two cases: first, 24 honest and all others corrupted; second, exactly one 25 honest and all others, including 26, corrupted. In the first case, the simulator uses random OPPRF outputs, random OLE inputs and outputs, and the fact that the corrupted parties see no output from 27. In the second case, the simulator is given the final output 28, simulates random values when an honest party’s element should remain hidden, and reconstructs the correct OPPRF and OLE-index outputs only for elements legitimately revealed by the ideal functionality (Yang et al., 31 Dec 2025).
Correctness is likewise threshold-sensitive. If 29 is held by at least 30 parties, then 31 receives at least 32 correct updated shares and reconstructs the secret corresponding to 33; if fewer than 34 parties hold 35, then fewer than 36 correct shares are available and reconstruction fails with overwhelming probability. This combines threshold detection and holder identification in a single polynomial-consistency test (Yang et al., 31 Dec 2025).
5. Complexity and empirical performance
The principal asymptotic cost of ST-OT-MP-PSI lies in OLE-heavy updating and subset-based reconstruction (Yang et al., 31 Dec 2025).
Communication complexity is reported as
37
for the Leader 38, and
39
for each Client 40. The paper attributes the leader’s quadratic factor to the share-update procedure, which requires 41 additional OLE protocols and exchange of 42 ciphertexts (Yang et al., 31 Dec 2025).
Computation complexity is given as
43
for the Leader, and
44
for each Client. The reconstruction component alone costs
45
using the bound
46
According to the experimental discussion, runtime grows roughly linearly in set size 47, the ST share phase grows quadratically in the number of parties 48 because of OLE, and the reconstruction phase grows exponentially with 49, peaking near 50 where 51 is maximized (Yang et al., 31 Dec 2025).
The implementation was written in C++, using NTL for large-number operations and Shamir sharing, Boost for communication, OPPRF based on the table-based construction of Kolesnikov et al., and OLE from de Castro et al., based on RLWE. Because the OLE code did not support a 128-bit plaintext modulus directly, the implementation represented the modulus as
52
for four 32-bit primes 53. As a consequence, each 128-bit share was decomposed into four residues, and ST-OT-MP-PSI executed four independent OPPRF evaluations per share distribution and reconstruction. Benchmarks were run on an Intel Xeon CPU @ 3.1 GHz, 80 vCores, 192 GB RAM, Ubuntu 22.04, with communication over a local network and no bandwidth or latency constraints (Yang et al., 31 Dec 2025).
Average runtimes over 10 trials were reported as follows for ST-OT-MP-PSI: for 54, 55s at 56 and 57s at 58; for 59, 60s at 61 and 62s at 63; for 64, 65s at 66 and 67s at 68. The paper highlights that for 69, 70, and 71, Mahdavi et al.’s protocol took 72s while ST-OT-MP-PSI took 73s, yielding a reported 74 speedup. For 75 and 76, Mahdavi’s share, reconstruction, and total times were 77s, 78s, and 79s, whereas ST’s were 80s, 81s, and 82s, corresponding to a reported 83 total speedup (Yang et al., 31 Dec 2025).
6. Relation to OT research and principal limitations
In ST-OT-MP-PSI, “OT” denotes over-threshold, not oblivious transfer. This matters because the protocol itself is a traceable threshold MP-PSI construction built from OPPRF, OLE, Shamir sharing, and hashing, whereas separate arXiv lines of work study oblivious transfer as a foundational primitive for PSI-style systems (Yang et al., 31 Dec 2025).
One such line is a 2-round UC-secure oblivious transfer framework in the ROM that is secure against active adaptive adversaries and can be instantiated from any OW-CPA public-key encryption scheme satisfying two structural properties. Its direct relevance to ST-OT-MP-PSI is as a base OT layer for OT extension or UC-style composition, but it does not provide traceability, PSI functionality, multi-party PSI orchestration, set encoding, OPRF design, identifiable abort, blame assignment, transcript adjudication, or participant tracing (Barreto et al., 2017).
A second line develops UC-secure OT from Smooth Projective Hash Functions with Grey Zone, with instantiations from Diffie-Hellman and LWE and a post-quantum OT interpretation in the random-oracle-style setup. The paper is explicitly a foundational OT paper rather than a traceability or PSI paper; it contributes a UC-secure, post-quantum 1-out-of-2 OT building block and the SPHFwG abstraction, but it likewise does not provide traceability, malicious receiver identification, transcript accountability, OT extension, PSI, MP-PSI, or adaptive corruption security (Bettaieb et al., 2022).
These comparisons delimit the scope of ST-OT-MP-PSI. Its contribution is the traceable over-threshold functionality
84
together with semi-honest security against collusion among up to 85 parties. It is not a maliciously secure protocol, and the paper does not claim adaptive security. The functionality is receiver-centric and asymmetric, only 86 learns the result, and the disclosed elements are restricted to 87. Reconstruction remains exponential in 88, the leader bears 89 communication, and the implementation inherits nontrivial CRT complexity from the OLE backend (Yang et al., 31 Dec 2025).
Within those boundaries, ST-OT-MP-PSI occupies a specific position in the literature: it strengthens collusion resistance for traceable over-threshold MP-PSI by making share refresh conditional on element equality through OLE, while remaining substantially faster than the earlier traceable protocol of Mahdavi et al. under the reported experimental settings (Yang et al., 31 Dec 2025).