Optimal Communication Unbalanced Private Set Union
Jean-Guillaume Dumas, Alexis Galan, Bruno Grenet, Aude Maignan, Daniel S. Roche
TL;DR
This work tackles Unbalanced Private Set Union (UPSU), where the Receiver learns the union $\mathbf{X}\cup\mathbf{Y}$ while the Sender learns nothing, with the Sender’s cost and communication ideally linear in $m=|\mathbf{Y}|$ and independent of $n=|\mathbf{X}|$. It introduces two two-party UPSU protocols that combine linearly homomorphic encryption (LHE) and fully homomorphic encryption (FHE) to achieve the target asymptotics, one using fully homomorphic multi-point evaluation (MEv) for optimal Sender cost and another trading Sender cost for a quasi-linear Receiver cost via an FHE Euclidean remainder and LHE MEv. The paper also analyzes leakage in partition-based UPSU constructions, provides a formal UPSU security definition under honest-but-curious adversaries, and demonstrates practical timings with an implementation on HElib showing favorable Sender-side performance even for larger Receiver sets. Together, these contributions push the boundary on efficient, privacy-preserving UPSU, offering both a rigorous theoretical framework and pathways toward practical deployment. The work highlights that careful orchestration of FHE/LHE techniques can yield optimal or near-optimal communication and computation profiles in unbalanced two-party set operations, with potential impact on data aggregation and secure collaboration scenarios.
Abstract
We present new two-party protocols for the Unbalanced Private Set Union (UPSU) problem. Here, the Sender holds a set of data points, and the Receiver holds another (possibly much larger) set, and they would like for the Receiver to learn the union of the two sets and nothing else. Furthermore, the Sender's computational cost, along with the communication complexity, should be smaller when the Sender has a smaller set. While the UPSU problem has numerous applications and has seen considerable recent attention in the literature, our protocols are the first where the Sender's computational cost and communication volume are linear in the size of the Sender's set only, and do not depend on the size of the Receiver's set. Our constructions combine linearly homomorphic encryption (LHE) with fully homomorphic encryption (FHE). The first construction uses multi-point polynomial evaluation (MEv) on FHE, and achieves optimal linear cost for the Sender, but has higher quadratic computational cost for the Receiver. In the second construction we explore another trade-off: the Receiver computes fast polynomial Euclidean remainder in FHE while the Sender computes a fast MEv, in LHE only. This reduces the Receiver's cost to quasi-linear, with a modest increase in the computational cost for the Sender. Preliminary experimental results using HElib indicate that, for example, a Sender holding 1000 elements can complete our first protocol using less than 2s of computation time and less than 10MB of communication volume, independently of the Receiver's set size.