Papers
Topics
Authors
Recent
Search
2000 character limit reached

Security-Enhanced Traceable OT-MP-PSI

Updated 4 July 2026
  • The paper introduces a protocol that reveals leader-held elements only if they appear in t or more parties' sets, ensuring precise holder identification.
  • It leverages Shamir secret sharing, OPPRF, and OLE-based share refreshing to securely mask and update shares against collusion attacks.
  • Empirical benchmarks demonstrate significant speedups over prior methods, making it applicable to network anomaly detection and digital forensics.

Security-enhanced Traceable Over-Threshold Multi-Party Private Set Intersection (ST-OT-MP-PSI) is a designated-receiver threshold MP-PSI protocol in which n3n \ge 3 parties P0,,Pn1P_0,\dots,P_{n-1} hold private sets S0,,Sn1S_0,\dots,S_{n-1} of size mm, and party P0P_0 learns exactly those elements of S0S_0 that appear in at least tt parties’ sets, together with the number and identities of the holders. The ideal output is

I={(ei,ci,{Pj})eiS0, cit},I=\{(e_i,c_i,\{P_j\}) \mid e_i \in S_0,\ c_i \ge t\},

while all other parties output \bot. The protocol was introduced as the stronger of two traceable over-threshold MP-PSI constructions, with its defining property being semi-honest security against collusion among up to n1n-1 parties, achieved by combining conditional Shamir secret sharing, OPPRF, and an OLE-based share-update mechanism (Yang et al., 31 Dec 2025).

1. Functionality, semantics, and problem model

ST-OT-MP-PSI is formulated for threshold MP-PSI rather than ordinary all-party intersection. For an element P0,,Pn1P_0,\dots,P_{n-1}0, the protocol uses

P0,,Pn1P_0,\dots,P_{n-1}1

to denote the number of parties holding P0,,Pn1P_0,\dots,P_{n-1}2, and it discloses P0,,Pn1P_0,\dots,P_{n-1}3 iff P0,,Pn1P_0,\dots,P_{n-1}4. The “traceable” component is that the receiver learns not only that an element satisfies the threshold, but also the full holder set

P0,,Pn1P_0,\dots,P_{n-1}5

Because the holder identities are revealed, the count P0,,Pn1P_0,\dots,P_{n-1}6 is revealed as well (Yang et al., 31 Dec 2025).

The protocol is asymmetric. Only P0,,Pn1P_0,\dots,P_{n-1}7 receives the result, and the functionality is explicitly restricted to elements of P0,,Pn1P_0,\dots,P_{n-1}8’s set: P0,,Pn1P_0,\dots,P_{n-1}9 Accordingly, the construction is not a symmetric threshold intersection over the union of all parties’ sets. The paper’s complexity discussion correspondingly designates S0,,Sn1S_0,\dots,S_{n-1}0 as the Leader and the other participants as Clients (Yang et al., 31 Dec 2025).

The data model assumes that elements can be encoded in a field suitable for Shamir sharing and OLE. In the implementation, elements are 128-bit values, and the finite field is over a large modulus S0,,Sn1S_0,\dots,S_{n-1}1 chosen to accommodate 128-bit elements. The motivating applications emphasized for this functionality are network anomaly detection, digital forensics investigation, and suspicious account or anti-money-laundering analysis, all of which benefit from revealing both the qualifying element and the parties that hold it (Yang et al., 31 Dec 2025).

A common misconception is to equate traceability here with a general public-accountability notion. In this protocol family, traceability means that S0,,Sn1S_0,\dots,S_{n-1}2 can identify the holder set for each disclosed over-threshold element. The paper does not separately formalize “traceability,” “soundness,” “robustness,” or “reliability” as named definitions (Yang et al., 31 Dec 2025).

2. Cryptographic structure and constituent primitives

ST-OT-MP-PSI is built from four main components: Shamir secret sharing, zero-secret share refresh, OPPRF, and OLE, together with simple hashing and cuckoo hashing for binning (Yang et al., 31 Dec 2025).

Shamir’s S0,,Sn1S_0,\dots,S_{n-1}3-secret sharing is used in its standard degree-S0,,Sn1S_0,\dots,S_{n-1}4 form. For a secret S0,,Sn1S_0,\dots,S_{n-1}5, the dealer samples

S0,,Sn1S_0,\dots,S_{n-1}6

assigns shares S0,,Sn1S_0,\dots,S_{n-1}7 with

S0,,Sn1S_0,\dots,S_{n-1}8

and reconstructs with Lagrange interpolation: S0,,Sn1S_0,\dots,S_{n-1}9 In ST-OT-MP-PSI, mm0 does not share the element mm1 itself. It shares a fresh random value mm2 associated uniquely with mm3. The paper states that this change prevents mm4 colluding parties from reconstructing and learning mm5’s elements directly from shares (Yang et al., 31 Dec 2025).

Zero-secret sharing is used to refresh shares without changing the underlying secret. Each updating party samples

mm6

so adding mm7 to an existing share preserves the same constant term. The stated role of this refresh is privacy of non-output matches: without it, mm8 could compare originally sent and later returned values and infer whether another party holds an element even when the threshold is not met (Yang et al., 31 Dec 2025).

OPPRF acts as the equality-gated transfer mechanism. Its functionality is that a sender programs pairs mm9, a receiver queries P0P_00, and the receiver obtains P0P_01 when P0P_02, otherwise a random-looking value. In ST-OT-MP-PSI, OPPRF is used for conditional share distribution, conditional share collection, and conditional revelation of the OLE index P0P_03 associated with a matched simple-hash position (Yang et al., 31 Dec 2025).

OLE provides the security-enhancing step. In OLE, the sender inputs P0P_04, the receiver inputs P0P_05, and the receiver learns

P0P_06

The sender learns nothing about P0P_07, and the receiver learns nothing beyond the linear output. ST-OT-MP-PSI uses OLE so that the refresh term for a share becomes reconstructible by P0P_08 only when P0P_09 and another party hold the same element (Yang et al., 31 Dec 2025).

Hashing supplies the protocol’s batching structure. The sender side uses simple hashing, the receiver side uses cuckoo hashing, empty cuckoo bins are filled with dummy elements, and each simple-hash bin is padded to the maximum bin size S0S_00. This same S0S_01 determines the number of OLE instances executed per bin (Yang et al., 31 Dec 2025).

3. Protocol workflow

The protocol proceeds in three phases after hashing and padding (Yang et al., 31 Dec 2025).

In the preprocessing stage, each party maps its set into both cuckoo-hashing bins S0S_02 and simple-hashing bins S0S_03. Padding hides occupancy. For each element S0S_04, S0S_05 generates a random associated secret S0S_06, then performs S0S_07-Shamir sharing to obtain

S0S_08

Using OPPRF, S0S_09 conditionally distributes tt0 to tt1: if tt2 holds the same element, it receives the correct share; otherwise it receives a random value. Concretely, for each bin tt3, tt4 programs

tt5

and tt6 queries with

tt7

The resulting value is denoted tt8, with tt9 on equality and random otherwise (Yang et al., 31 Dec 2025).

In the share-update phase, each helper party I={(ei,ci,{Pj})eiS0, cit},I=\{(e_i,c_i,\{P_j\}) \mid e_i \in S_0,\ c_i \ge t\},0 samples a bin-specific degree-I={(ei,ci,{Pj})eiS0, cit},I=\{(e_i,c_i,\{P_j\}) \mid e_i \in S_0,\ c_i \ge t\},1 polynomial with zero constant term,

I={(ei,ci,{Pj})eiS0, cit},I=\{(e_i,c_i,\{P_j\}) \mid e_i \in S_0,\ c_i \ge t\},2

The value I={(ei,ci,{Pj})eiS0, cit},I=\{(e_i,c_i,\{P_j\}) \mid e_i \in S_0,\ c_i \ge t\},3 is sent directly to I={(ei,ci,{Pj})eiS0, cit},I=\{(e_i,c_i,\{P_j\}) \mid e_i \in S_0,\ c_i \ge t\},4, so I={(ei,ci,{Pj})eiS0, cit},I=\{(e_i,c_i,\{P_j\}) \mid e_i \in S_0,\ c_i \ge t\},5’s own refreshed share for I={(ei,ci,{Pj})eiS0, cit},I=\{(e_i,c_i,\{P_j\}) \mid e_i \in S_0,\ c_i \ge t\},6 is

I={(ei,ci,{Pj})eiS0, cit},I=\{(e_i,c_i,\{P_j\}) \mid e_i \in S_0,\ c_i \ge t\},7

The crucial update for other parties is implemented with OLE. For each potential simple-hash position I={(ei,ci,{Pj})eiS0, cit},I=\{(e_i,c_i,\{P_j\}) \mid e_i \in S_0,\ c_i \ge t\},8, I={(ei,ci,{Pj})eiS0, cit},I=\{(e_i,c_i,\{P_j\}) \mid e_i \in S_0,\ c_i \ge t\},9 interacts with \bot0 so that \bot1 obtains

\bot2

and with \bot3 so that \bot4 obtains

\bot5

where

\bot6

Summing over all \bot7, \bot8 gets

\bot9

and n1n-10 gets

n1n-11

Party n1n-12 then forms

n1n-13

This value is sent back conditionally to n1n-14 through OPPRF, and a second OPPRF reveals the matching OLE index n1n-15 if the elements are equal (Yang et al., 31 Dec 2025).

In the reconstruction phase, n1n-16 receives from each n1n-17 a candidate updated share n1n-18, then adds the appropriate n1n-19 determined by the recovered index: P0,,Pn1P_0,\dots,P_{n-1}00 For each P0,,Pn1P_0,\dots,P_{n-1}01, P0,,Pn1P_0,\dots,P_{n-1}02 considers subsets of P0,,Pn1P_0,\dots,P_{n-1}03 shares among its P0,,Pn1P_0,\dots,P_{n-1}04 candidates, always including its own share, reconstructs a degree-P0,,Pn1P_0,\dots,P_{n-1}05 polynomial,

P0,,Pn1P_0,\dots,P_{n-1}06

and accepts iff

P0,,Pn1P_0,\dots,P_{n-1}07

Once such a polynomial is found, holder identification is performed by checking

P0,,Pn1P_0,\dots,P_{n-1}08

If the equality holds, P0,,Pn1P_0,\dots,P_{n-1}09 is identified as a holder of P0,,Pn1P_0,\dots,P_{n-1}10 (Yang et al., 31 Dec 2025).

4. OLE-based cancellation and the meaning of “security-enhanced”

The distinguishing technical idea in ST-OT-MP-PSI is that share refreshing is made contingent on element equality through OLE-based masking. When P0,,Pn1P_0,\dots,P_{n-1}11, the update assembled by P0,,Pn1P_0,\dots,P_{n-1}12 satisfies

P0,,Pn1P_0,\dots,P_{n-1}13

The P0,,Pn1P_0,\dots,P_{n-1}14 term vanishes exactly on equality, and the result becomes the correctly refreshed Shamir share. If P0,,Pn1P_0,\dots,P_{n-1}15, the residual term remains and the value is random-looking rather than a valid share (Yang et al., 31 Dec 2025).

This construction is presented as the remedy to the collusion weakness of ET-OT-MP-PSI. In ET-OT-MP-PSI, the updated share for an honest P0,,Pn1P_0,\dots,P_{n-1}16 has the direct form

P0,,Pn1P_0,\dots,P_{n-1}17

which allows colluding parties to test whether the OPPRF output equals

P0,,Pn1P_0,\dots,P_{n-1}18

The paper’s claim is that this inference attack limits ET-OT-MP-PSI to security against at most P0,,Pn1P_0,\dots,P_{n-1}19 semi-honest colluding parties. ST-OT-MP-PSI removes that direct test by splitting the update into a piece bound to P0,,Pn1P_0,\dots,P_{n-1}20’s element and a piece bound to P0,,Pn1P_0,\dots,P_{n-1}21’s element, with correctness recovered only when the elements are equal (Yang et al., 31 Dec 2025).

The resulting security theorem is that ST-OT-MP-PSI realizes P0,,Pn1P_0,\dots,P_{n-1}22 and is secure against collusion among up to P0,,Pn1P_0,\dots,P_{n-1}23 parties in the semi-honest model. The proof is simulation-based and treats two cases: first, P0,,Pn1P_0,\dots,P_{n-1}24 honest and all others corrupted; second, exactly one P0,,Pn1P_0,\dots,P_{n-1}25 honest and all others, including P0,,Pn1P_0,\dots,P_{n-1}26, corrupted. In the first case, the simulator uses random OPPRF outputs, random OLE inputs and outputs, and the fact that the corrupted parties see no output from P0,,Pn1P_0,\dots,P_{n-1}27. In the second case, the simulator is given the final output P0,,Pn1P_0,\dots,P_{n-1}28, simulates random values when an honest party’s element should remain hidden, and reconstructs the correct OPPRF and OLE-index outputs only for elements legitimately revealed by the ideal functionality (Yang et al., 31 Dec 2025).

Correctness is likewise threshold-sensitive. If P0,,Pn1P_0,\dots,P_{n-1}29 is held by at least P0,,Pn1P_0,\dots,P_{n-1}30 parties, then P0,,Pn1P_0,\dots,P_{n-1}31 receives at least P0,,Pn1P_0,\dots,P_{n-1}32 correct updated shares and reconstructs the secret corresponding to P0,,Pn1P_0,\dots,P_{n-1}33; if fewer than P0,,Pn1P_0,\dots,P_{n-1}34 parties hold P0,,Pn1P_0,\dots,P_{n-1}35, then fewer than P0,,Pn1P_0,\dots,P_{n-1}36 correct shares are available and reconstruction fails with overwhelming probability. This combines threshold detection and holder identification in a single polynomial-consistency test (Yang et al., 31 Dec 2025).

5. Complexity and empirical performance

The principal asymptotic cost of ST-OT-MP-PSI lies in OLE-heavy updating and subset-based reconstruction (Yang et al., 31 Dec 2025).

Communication complexity is reported as

P0,,Pn1P_0,\dots,P_{n-1}37

for the Leader P0,,Pn1P_0,\dots,P_{n-1}38, and

P0,,Pn1P_0,\dots,P_{n-1}39

for each Client P0,,Pn1P_0,\dots,P_{n-1}40. The paper attributes the leader’s quadratic factor to the share-update procedure, which requires P0,,Pn1P_0,\dots,P_{n-1}41 additional OLE protocols and exchange of P0,,Pn1P_0,\dots,P_{n-1}42 ciphertexts (Yang et al., 31 Dec 2025).

Computation complexity is given as

P0,,Pn1P_0,\dots,P_{n-1}43

for the Leader, and

P0,,Pn1P_0,\dots,P_{n-1}44

for each Client. The reconstruction component alone costs

P0,,Pn1P_0,\dots,P_{n-1}45

using the bound

P0,,Pn1P_0,\dots,P_{n-1}46

According to the experimental discussion, runtime grows roughly linearly in set size P0,,Pn1P_0,\dots,P_{n-1}47, the ST share phase grows quadratically in the number of parties P0,,Pn1P_0,\dots,P_{n-1}48 because of OLE, and the reconstruction phase grows exponentially with P0,,Pn1P_0,\dots,P_{n-1}49, peaking near P0,,Pn1P_0,\dots,P_{n-1}50 where P0,,Pn1P_0,\dots,P_{n-1}51 is maximized (Yang et al., 31 Dec 2025).

The implementation was written in C++, using NTL for large-number operations and Shamir sharing, Boost for communication, OPPRF based on the table-based construction of Kolesnikov et al., and OLE from de Castro et al., based on RLWE. Because the OLE code did not support a 128-bit plaintext modulus directly, the implementation represented the modulus as

P0,,Pn1P_0,\dots,P_{n-1}52

for four 32-bit primes P0,,Pn1P_0,\dots,P_{n-1}53. As a consequence, each 128-bit share was decomposed into four residues, and ST-OT-MP-PSI executed four independent OPPRF evaluations per share distribution and reconstruction. Benchmarks were run on an Intel Xeon CPU @ 3.1 GHz, 80 vCores, 192 GB RAM, Ubuntu 22.04, with communication over a local network and no bandwidth or latency constraints (Yang et al., 31 Dec 2025).

Average runtimes over 10 trials were reported as follows for ST-OT-MP-PSI: for P0,,Pn1P_0,\dots,P_{n-1}54, P0,,Pn1P_0,\dots,P_{n-1}55s at P0,,Pn1P_0,\dots,P_{n-1}56 and P0,,Pn1P_0,\dots,P_{n-1}57s at P0,,Pn1P_0,\dots,P_{n-1}58; for P0,,Pn1P_0,\dots,P_{n-1}59, P0,,Pn1P_0,\dots,P_{n-1}60s at P0,,Pn1P_0,\dots,P_{n-1}61 and P0,,Pn1P_0,\dots,P_{n-1}62s at P0,,Pn1P_0,\dots,P_{n-1}63; for P0,,Pn1P_0,\dots,P_{n-1}64, P0,,Pn1P_0,\dots,P_{n-1}65s at P0,,Pn1P_0,\dots,P_{n-1}66 and P0,,Pn1P_0,\dots,P_{n-1}67s at P0,,Pn1P_0,\dots,P_{n-1}68. The paper highlights that for P0,,Pn1P_0,\dots,P_{n-1}69, P0,,Pn1P_0,\dots,P_{n-1}70, and P0,,Pn1P_0,\dots,P_{n-1}71, Mahdavi et al.’s protocol took P0,,Pn1P_0,\dots,P_{n-1}72s while ST-OT-MP-PSI took P0,,Pn1P_0,\dots,P_{n-1}73s, yielding a reported P0,,Pn1P_0,\dots,P_{n-1}74 speedup. For P0,,Pn1P_0,\dots,P_{n-1}75 and P0,,Pn1P_0,\dots,P_{n-1}76, Mahdavi’s share, reconstruction, and total times were P0,,Pn1P_0,\dots,P_{n-1}77s, P0,,Pn1P_0,\dots,P_{n-1}78s, and P0,,Pn1P_0,\dots,P_{n-1}79s, whereas ST’s were P0,,Pn1P_0,\dots,P_{n-1}80s, P0,,Pn1P_0,\dots,P_{n-1}81s, and P0,,Pn1P_0,\dots,P_{n-1}82s, corresponding to a reported P0,,Pn1P_0,\dots,P_{n-1}83 total speedup (Yang et al., 31 Dec 2025).

6. Relation to OT research and principal limitations

In ST-OT-MP-PSI, “OT” denotes over-threshold, not oblivious transfer. This matters because the protocol itself is a traceable threshold MP-PSI construction built from OPPRF, OLE, Shamir sharing, and hashing, whereas separate arXiv lines of work study oblivious transfer as a foundational primitive for PSI-style systems (Yang et al., 31 Dec 2025).

One such line is a 2-round UC-secure oblivious transfer framework in the ROM that is secure against active adaptive adversaries and can be instantiated from any OW-CPA public-key encryption scheme satisfying two structural properties. Its direct relevance to ST-OT-MP-PSI is as a base OT layer for OT extension or UC-style composition, but it does not provide traceability, PSI functionality, multi-party PSI orchestration, set encoding, OPRF design, identifiable abort, blame assignment, transcript adjudication, or participant tracing (Barreto et al., 2017).

A second line develops UC-secure OT from Smooth Projective Hash Functions with Grey Zone, with instantiations from Diffie-Hellman and LWE and a post-quantum OT interpretation in the random-oracle-style setup. The paper is explicitly a foundational OT paper rather than a traceability or PSI paper; it contributes a UC-secure, post-quantum 1-out-of-2 OT building block and the SPHFwG abstraction, but it likewise does not provide traceability, malicious receiver identification, transcript accountability, OT extension, PSI, MP-PSI, or adaptive corruption security (Bettaieb et al., 2022).

These comparisons delimit the scope of ST-OT-MP-PSI. Its contribution is the traceable over-threshold functionality

P0,,Pn1P_0,\dots,P_{n-1}84

together with semi-honest security against collusion among up to P0,,Pn1P_0,\dots,P_{n-1}85 parties. It is not a maliciously secure protocol, and the paper does not claim adaptive security. The functionality is receiver-centric and asymmetric, only P0,,Pn1P_0,\dots,P_{n-1}86 learns the result, and the disclosed elements are restricted to P0,,Pn1P_0,\dots,P_{n-1}87. Reconstruction remains exponential in P0,,Pn1P_0,\dots,P_{n-1}88, the leader bears P0,,Pn1P_0,\dots,P_{n-1}89 communication, and the implementation inherits nontrivial CRT complexity from the OLE backend (Yang et al., 31 Dec 2025).

Within those boundaries, ST-OT-MP-PSI occupies a specific position in the literature: it strengthens collusion resistance for traceable over-threshold MP-PSI by making share refresh conditional on element equality through OLE, while remaining substantially faster than the earlier traceable protocol of Mahdavi et al. under the reported experimental settings (Yang et al., 31 Dec 2025).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Security-enhanced Traceable OT-MP-PSI (ST-OT-MP-PSI).