In this section, we analyze the security of the proposed PSI technique in the "Security of Proposed PSI" section and the security of the proposed scheme in the "Security of the Proposed Scheme" section.
Security of Proposed PSI
According to Definition 1, the above PSI technique is secure in the semi-honest model. The proof is given below for the two cases in which one party is dishonest and the other is honest. In each case, we construct a simulator in the ideal model and show that, when the PSI technique is performed, there is no difference between the ideal case and the real case.
Case 1: Corrupted Party A
In this case, a simulator Sim is constructed in the ideal model, in which party A is dishonest, and proceeds as follows.
1. Sim generates a set of public and private keys (pk, sk) and sends its public key pk to A.
2. Treat Sim as B and start the technique. \({b_{Bi}}^*= (1\le i\le n)\) and construct the Bloom filter \({BF_{B}[i]}^*\) and encrypt it with \({C_{i}}^*=En_{pk}({BF_{B}[i]}^*)\). Then send it to A.
3. After receiving \(e_{b_{Ai}}\) from A, Sim computes \({b_{i}}^* = Dec_{sk}(e_{i}) = BF_{B}[h_{}(b_{Ai})]\).
4. The positions and the number of 1’s in \(b_{i}\) obtained by Sim give the intersection part; in the ideal model, Sim then obtains \(b_{i}\).
In the real execution:
\(view_{A}^\pi =(c_{i}(1\le i\le n),b_{i}(1\le i\le n))\)
In the simulation:
\(view_{f}^\pi =({c_{i}}^*(1\le i\le n),{b_{i}}^*(1\le i\le n))\)
Comparing the real execution with the simulated execution of this technique gives the same results. Thus, in Case 1, Sim’s view is computationally indistinguishable from the real view, and the security model is satisfied.
Case 2: Corrupted Party B
In this case, a simulator Sim is constructed in the ideal model, in which party B is dishonest, and proceeds as follows.
1. Sim generates a set of public and private keys (pk, sk) and sends (pk, sk) to B.
2. Treat Sim as A and initiate the PSI technique. When \(C_{i} (1\le i \le n)\) is received, Sim uses the private key sk to calculate \(Dec_{sk} (C_{i})= BF_{B}[i]\); the positions of the 1’s in the filter are then the data information of B.
3. Sim sends the input \(b_{Bi}\) of B to the trusted third party in the ideal model, and then obtains the output b.
In the real execution:
\(view_{A}^\pi =(c_{i}(1\le i\le n),b_{i}(1\le i\le n))\)
In the simulation:
\(view_{f}^\pi =({c_{i}}^*(1\le i\le n),{b_{i}}^*(1\le i\le n))\)
Comparing the real execution with the simulated execution of the PSI technique gives the same result. Thus, in Case 2, Sim’s view is computationally indistinguishable from the real view.
Therefore, the PSI technique is secure.
Security of the Proposed Scheme
The security of the basic PSI technique has been proved in 5.1. Our discussion of the security of the scheme covers two aspects: 1) the security of the data on the blockchain, and 2) the security of the scheme if one party is dishonest.
Theorem 1
Assuming that the scheme is carried out in such a way that the private data of both participating parties are not available to any party, the proposed privacy set intersection technique securely implements the interactive computation on the blockchain.
Proof
Data security for users: For A, throughout the homomorphic operation \(e_{b_{Ai}}=({c_{i}}^*)^{b_{Ai}}En_{pk}(0)\), the \(r_{i,k-1}^n\) used in the calculation is a random number, which protects A’s private data. In addition, the initial data of A is 0-1 encoded and then expressed through hash calculation; because the hash function is one-way, this in turn ensures A’s data security.
For B, throughout the protocol, B uses the public key \(pk=(n,g)\) of the Paillier encryption algorithm to encrypt \(BF_{B}[i]\) to get \(C_{i}=En_{pk}[BF_{B}[i]]=g^{m}r^{n} \bmod n^2\), which is then uploaded to the blockchain through a smart contract. Since the private key \(\lambda\) is in the hands of B, no one can decrypt \(C_{i}\), and \(g\in {Z_{n}}^*\) in the public key is chosen randomly for B. It is therefore also impossible to obtain B’s private message PB from \(C_{i}\), so B’s data is secure.
Data security on the blockchain: The immutability and traceability of the blockchain mean that once data is written to the blockchain, no one can easily change the data information without permission. The information is also written to the blockchain in chronological order, so if any problem arises, we can trace back and check every link to ensure the data security of both parties.
Since both the private key sk and the \(\lambda\) in the public key are specified by B, the \(C_{i}\) uploaded by B will not cause data leakage even if it is public, so \(C_{i}^*\) is secure. The r in the e stored on the blockchain is a random number of A, so the data on the blockchain will not leak the private data of any party even if it is made public.
Therefore, the data handled by the proposed scheme is secure.
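The two operations this proof relies on, B's encryption \(C_{i}=g^{m}r^{n} \bmod n^2\) and A's step \(e=(c)^{b}En_{pk}(0)\), are sketched below as an added example that is not code from the paper. The toy primes, the choice g = n + 1, the single SHA-256 Bloom filter hash and the sample set items are assumptions made for illustration.

```python
import hashlib
import math
import secrets

def keygen(p=2**31 - 1, q=2**61 - 1):
    """Toy Paillier key pair; these constructed primes are far too small for real use."""
    n = p * q
    g = n + 1  # assumption: the common simple choice of g, not a random one
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)

def encrypt(pk, m):
    """C = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pk
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(pk, sk, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    (n, _), (lam, mu) = pk, sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def blind(pk, c, bit):
    """A's step e = c^bit * En_pk(0): scales the plaintext and re-randomizes."""
    n2 = pk[0] ** 2
    return pow(c, bit, n2) * encrypt(pk, 0) % n2

def bf_index(item, size):
    """Hypothetical single-hash Bloom filter position h(item)."""
    return int.from_bytes(hashlib.sha256(item.encode()).digest(), "big") % size

def run_demo(size=64):
    pk, sk = keygen()
    set_b = ["alice@example.test", "bob@example.test"]  # constructed input
    set_a = ["bob@example.test", "carol@example.test"]  # constructed input
    bf = [0] * size
    for x in set_b:
        bf[bf_index(x, size)] = 1
    uploaded = [encrypt(pk, bit) for bit in bf]  # ciphertexts B puts on chain
    replies = [blind(pk, uploaded[bf_index(x, size)], 1) for x in set_a]
    expected = [bf[bf_index(x, size)] for x in set_a]
    return [decrypt(pk, sk, e) for e in replies], expected

if __name__ == "__main__":
    print(run_demo())
```

Two encryptions of the same filter bit differ because of the fresh r, and a blinded reply differs from the uploaded ciphertext it was derived from while decrypting to the same filter bit.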
Theorem 2
Under the semi-honest model, our blockchain-based PSI scheme is secure.
Proof
When A does not comply with the scheme and acts maliciously to obtain others’ information, then, as in 5.1, \(({c_{i}}(1\le i\le n),{b_{i}}(1\le i\le n)) \overset{c}{\equiv } ({c_{i}}^*(1\le i\le n),{b_{i}}^*(1\le i\le n))\) and \(view_{A}^\pi \overset{c}{\equiv } view_{f}^\pi\), so if A does not comply with the scheme, the computational and real views are indistinguishable in Sim’s view.
If receiver B does not comply with the scheme and acts maliciously to obtain information from others, then, due to the nature of public key encryption, \(({c_{i}}(1\le i\le n),{b_{i}}(1\le i\le n)) \overset{c}{\equiv } ({c_{i}}^*(1\le i\le n),{b_{i}}^*(1\le i\le n))\) and \(view_{A}^\pi \overset{c}{\equiv } view_{f}^\pi\). B sends the error message through the smart contract and then uploads it to the chain. However, since the vector of sender A is projected by a hash function, it is computationally irreversible, so the privacy of A’s data is also guaranteed.
Therefore, our proposed scheme is secure under the semi-honest model.