Not Just Summing: The Identifier Leakage of Private-Join-and-Compute and Its Improvement

In this work, we focus on the Private Intersection-Sum (PIS) with cardinality problem: two parties hold datasets containing user identifiers, and the second party additionally has an integer value associated with each user identifier. Both parties want to learn the number of users they have in common, and the sum of the integer values associated with a user, without revealing anything more. To this end, Google proposed a PIS protocol and released the open-source library Private-Join-and-Compute. And the security of the protocol has been proven proved in the honest-but-curious model. However, this study found a two potential shortcoming shortcomings in the Private-Join-and-Compute library: the user identifier stealing attack against the PIS protocol based on a special input data structure. An improved PIS protocol is proposed based on differential privacy technology, and the Private-Join-and-Compute open-source library is optimized. Through a security proof and formal analysis based on the Tamarin tool, we show that the improved PIS protocol successfully resists the discovered attack without obvious additional overhead.