Outsourced Mutual Private Set Intersection Protocol for Edge-Assisted IoT

The development of edge computing and Internet of Things technology has brought convenience to our lives, but the sensitive and private data collected are also more vulnerable to attack. Aiming at the data privacy security problem of the edge-assisted Internet of Things, an outsourced mutual Private Set Intersection protocol is proposed. The protocol uses the ElGamal threshold encryption algorithm to rerandomize the encrypted elements to ensure all the set elements are calculated in the form of ciphertext. After that, the protocol maps the set elements to the corresponding hash bin under the execution of two hash functions and calculates the intersection in a bin-to-bin manner, reducing the number of comparisons of the set elements. In addition, the introduction of edge servers reduces the computational burden of participating users and achieves the fairness of the protocol. Finally, the IND-CPA security of the protocol is proved, and the performance of the protocol is compared with other relevant schemes. The evaluation results show that this protocol is superior to other related protocols in terms of lower computational overhead.


Introduction
The vigorous development of fifth-generation technology (5G), Internet of Things (IoT), edge computing, and other technologies has spawned new medical and life modes such as smart medical treatment [1], smart home [2], and smart bus [3]. Intelligent IoT devices have been widely used in daily life and have brought great changes to people's life. With the assistance of proxy devices and edge servers [4], these data can be outsourced to edge storage for subsequent analysis and use. However, although data outsourcing based on edge computing reduces the storage and computing overhead on the user side, it also exposes the user's sensitive data to the risk of leakage [5]. How to protect the privacy of data stored on edge servers and share data with designated data consumers (such as service and product providers, medical professionals, and educators) has become the focus of research.
Private Set Intersection (PSI), as an efficient encryption technology that allows secret sharing of data information, can ensure the security of the data stored on the edge server while making full use of the data for intersection calculation. So it has become an important research object for solving the problem of edge-assisted Internet of Things data privacy sharing. A PSI protocol [6] lets two participants calculate the intersection of their private sets. In the edge computing environment, two clients encrypt their respective data sets and outsource them to the edge server. Then the edge server effectively performs the intersection operation but cannot know any information in the set. Then one or two clients can obtain the intersection result, while their respective sets remain private. Usually, a protocol in which only one client obtains the intersection result is a one-way PSI protocol [7], which can be applied in situations such as contact tracing of the novel coronavirus COVID-19 [8]. In that case, the client unilaterally obtains the intersection result to determine whether it belongs to the contacts. However, a one-way PSI protocol cannot guarantee that both clients obtain the intersection result at the same time. Obviously, one-way PSI cannot satisfy both clients in situations such as profile matching [9], in which both clients want to obtain the intersection results to realize medical information sharing between patients. In this case, a mutual PSI (mPSI) protocol [10] is the better choice. That is our focus.
Debnath et al. [11] proposed a secure mutual oblivious pseudorandom function (mOPRF) under the malicious model based on composite order group to maintain the fairness of the mPSI protocol and use homomorphic encryption algorithm to protect data privacy. However, since the protocol is constructed based on composite order, the efficiency is lower than that based on prime order. Based on [11], Debnath et al. [12] proposed another mPSI protocol using prime order groups. The protocol also uses homomorphic encryption algorithm to ensure the security of data and uses a semihonest offline arbiter to achieve fairness between two participants. However, the complexity of the protocol is still high. The mPSI protocol in [13] is also constructed based on prime order. It uses the multiplicative homomorphic encryption ElGamal and the distributed ElGamal cryptosystem to ensure the security of data and the offline semihonest arbiter to achieve fairness. But in order to ensure the security under the malicious model, the verifiable Cramer-Shoup cryptographic system used makes the protocol more complicated. Overall, although these mPSI protocols achieve data privacy and fairness, they have high computational complexity and low efficiency.
In this paper, we propose an outsourced mPSI (O-mPSI) protocol with the aid of the edge server. The protocol not only protects the data privacy of parties and achieves the fairness of the results obtained by both parties, but also improves the efficiency. The main contributions are as follows:
(1) The O-mPSI protocol improves the method of preprocessing set elements in [14] by increasing the number of elements stored in each hash bin instead of using the stash. It only needs to compare the elements in the two hash tables in a bin-to-bin manner to calculate the intersection, which further reduces the number of comparisons of set elements and decreases the computational cost of the protocol. As a result, the computation and communication overhead of this protocol is lower than that of the existing mPSI protocols, which realizes the efficiency of the O-mPSI protocol.
(2) The protocol adopts the ElGamal threshold encryption algorithm to encrypt the elements in the hash table to ensure that the set elements of both parties are compared in the form of ciphertext, so that the users can correctly and safely calculate the intersection and realize the data privacy of the O-mPSI protocol.
(3) The protocol introduces a semihonest edge server as the third party, and the work of set element comparison is transferred to the server, which further reduces the computational burden of users. At the same time, it enables two users to process set elements in parallel. This ensures that, after the execution of the protocol, both parties can know the intersection results at the same time and realizes the fairness of the O-mPSI protocol.

Related Work
Since Agrawal et al. [15] proposed the concept of PSI, a series of work has been done to construct the PSI protocol. Ordinarily, they are divided into one-way PSI and mutual PSI.
2.1. One-Way PSI. At present, there are many types of research on the one-way PSI protocol, and the design methods are mainly based on public key encryption, garbled circuit (GC), oblivious transfer (OT), and cloud computing. Based on the design method of public key encryption system, literature [16] uses Fully Homomorphic Encryption (FHE) to construct the PSI protocol. The protocol uses bloom filters (BF) to process data, so that the complexity of the protocol has nothing to do with the size of the client set. Huang and Evans designed a PSI protocol [17] through GC that can resist semihonest adversaries, which proved to be suitable for the intersection calculation of sets of different sizes. Pinkas et al. realized the PSI protocol [18] with linear communication complexity based on GC and oblivious programmable pseudorandom functions (OPPRF). This protocol is superior to previous circuit-based PSI protocols in terms of efficiency. Literature [14] constructed an oblivious pseudorandom function (OPRF) based on OT extension and then proposed a PSI protocol combined with OPRF and hash algorithm, and the security is proved under the semihonest opponent model. Kavousi et al. proposed a PSI protocol in [19], which takes the OPRF and the garbled BF as its main components, avoiding costly operations of computation and having high scalability. The protocol in [20] allows users to store their private data sets on a cloud server and also entrust computing of the intersection to the server and use homomorphic encryption (HE) and oblivious polynomial evaluation (OPE) to process the data. It greatly reduces the workload of users and improves the computational efficiency of the protocol. The PSI protocol designed by Abadi et al. [21] also uses cloud storage of private data sets. It is mainly constructed by hash table and OPE without any public key encryption operation. However, all parties need to establish a secure channel in advance; otherwise it is easy for an attacker to eavesdrop on the communication between honest parties. Literature [22] proposed an improved PSI scheme based on [21]. There is no need for any secure channel in the scheme, which is superior to the scheme in [21] in terms of confidentiality and complexity.

Mutual PSI.
The research on mutual PSI protocol began in 2005; Kissner and Song et al. proposed the first mPSI protocol [23], which is based on the mathematical properties of OPE and uses HE to calculate PSI on ciphertexts. The fairness of the protocol depends on the fairness of the threshold encryption scheme used by the protocol. Camenisch and Zaverucha proposed another mPSI authentication set protocol [24] based on Camenisch-Lysyanskaya signature (CLS) and OPE. The disadvantage of this protocol is that its computational overhead is quadratic and the computational complexity is relatively high. Fairness of the protocol in [24] is realized by a fair exchange scheme. However, if the input is not authenticated, it usually does not work. Kim et al. coupled the prime representation (PR) technology with threshold additive HE and realized an mPSI protocol [25] with linear complexity for the first time in the semihonest security model and through the nature of threshold decryption to achieve the fairness of the protocol. Dong and Chen et al. proposed a fair mPSI protocol [26] with a semihonest arbitrator based on HE and OPE. The arbitrator in the protocol can handle conflicts and cannot know the user's private input and output. The mPSI protocol in [11] is constructed by HE and mutual oblivious pseudorandom function (mOPRF). The fairness of the mOPRF ensures the fairness of the protocol. And in the standard model, it has been proven to resist the attack of malicious adversaries. In [12], an mPSI protocol with linear communication and computational overhead is constructed by using prime order group. The protocol uses a distributed ElGamal encryption algorithm and an offline semitrusted third party to achieve the fairness of the protocol and the security under the malicious adversary model. The mPSI protocol in [13] uses multiplicative HE and a distributed ElGamal cryptosystem to protect data privacy and uses an offline semihonest arbiter to achieve fairness. Under the decisional Diffie-Hellman hypothesis, it is proved that the protocol is safe under the malicious adversary model.
We show the differences between these protocols in Table 1.

Decisional Diffie-Hellman Assumption
Definition 1. Let $G$ be a cyclic group of prime order $p$, let $g$ be the generator of $G$, and let $a, b \leftarrow_R \mathbb{Z}_p$. Consider the following two four-tuple distributions: $R = (g, g^a, g^b, g^c) \in G^4$ and $D = (g, g^a, g^b, g^{ab}) \in G^4$, where $R$ is a random four-tuple and $D$ is a Diffie-Hellman four-tuple. For any probabilistic polynomial time (PPT) adversary $A$ distinguishing between $R$ and $D$, its advantage $\mathrm{Adv}^{DDH}_A(\lambda) = |\Pr[A(R) = 1] - \Pr[A(D) = 1]|$ is negligible in the security parameter $\lambda$.

Adversary Model.
We consider the environment where a PPT adversary $A$ exists; the definition and model follow [27]. In this setting, the adversary $A$ can eavesdrop on the messages transmitted through the communication channel, and $A$ is allowed to corrupt a participant to obtain its private key. The capabilities of the adversary $A$ are shown in Table 2.

Formal Security Model.
We mainly describe the formal security model of the O-mPSI protocol in this section. It is based on the model in [28] and we made some modifications according to the specific requirements of the O-mPSI protocol.
Initialization. In a two-party set intersection scheme O-mPSI, three entities are involved, that is, two participants $P_1, P_2 \in User$ and an edge server $S \in Server$. Each of them may have several instances called oracles, which are involved in different, concurrent executions of O-mPSI. We denote user instances as $P_1^i, P_2^i$ ($i \in \mathbb{Z}$), server instances as $S^i$, and any kind of instance as $U \in User \cup Server$. In addition, $P_1$ holds key pair $(pk_1, sk_1)$, $P_2$ has key pair $(pk_2, sk_2)$, and $pk$ is the system public key.
Queries. The adversary $A$ only interacts with the participants of the protocol through oracle queries, which simulate the capabilities of adversary $A$ in a real attack. All possible oracle queries are shown below:
(1) Execute ($P_1^i, P_2^i, S^i$): The adversary's eavesdropping attack is simulated in this oracle query (see C1 in Table 2), and the messages exchanged during the actual execution of the O-mPSI protocol are returned.
(2) Send ($U, m$): $A$ sends a message to instance $U$ in this query; then the response generated by $U$ processing $m$ based on the O-mPSI protocol is returned.
The corruption ability of the adversary is simulated in this query (see C2 in Table 2). $A$ can only corrupt one of the two users, not both. If $a = 1$, it returns the private key $sk_1$ and data set $X$ of $P_1$. If $a = 2$, it returns the private key $sk_2$ and data set $Y$ of $P_2$.
(4) Collude ($S$): The collusion ability of adversary $A$ is simulated in this query (i.e., C3 in Table 2). Any information stored on the server is returned.
(5) Reveal ($U$): The system private key shared by the instances $P_1^i$ and $P_2^i$ is returned to the adversary in this query. But instances $P_1^i$, $P_2^i$ and their partner $S^i$ must not have been queried by corrupt-query and test-query; otherwise it returns ⊥.
(6) Challenge ($U, m_0, m_1$): In this query, $A$ selects two messages $m_0$ and $m_1$ of equal length and sends them to instance $U$. The instance $U$ selects $b \leftarrow_R \{0, 1\}$ randomly, then encrypts $m_b$, and returns the ciphertext $c$. Here, $P_1^i$, $P_2^i$, and $S^i$ in $U$ must not have been queried by corrupt-query and reveal-query; otherwise it returns ⊥. This query is called only once during execution.
IND-CPA security. During the execution of the O-mPSI protocol, $A$ can issue polynomially many execute-, send-, corrupt-, collude-, and reveal-queries. $A$ can also send a challenge-query and a test-query to an instance that has not been queried. At the end of the game execution, for the bit $b$ in the challenge-query, $A$ outputs a guess bit $b'$ in the test-query. If $b' = b$, it means that $A$ wins and it is recorded as Succ.
The advantage with which the adversary $A$ can break the IND-CPA security of the O-mPSI protocol is defined as

Security and Communication Networks
3.3. Hash Algorithm.
Cuckoo hashing. Cuckoo hashing [29] is a method to solve hash conflict, which is widely used in PSI protocols. In this hashing technique, two hash functions are used to map $n$ elements into $m$ bins, where each bin has at most $b$ elements. When storing an element $x$ in the cuckoo hash table, calculate the two bin positions $h_1(x)$ and $h_2(x)$ corresponding to $x$. If both bins are not full, insert $x$ into either of them; if one of the two bins is full and the other is not full, then insert $x$ into the bin that is not full; if both bins are full, then randomly select a position to kick out one of the elements $y$ and then insert $x$ into it; the kicked $y$ is reinserted into the cuckoo table using the same algorithm. This process is called relocation, and the relocation process is executed recursively until all elements are stored in the cuckoo hash table.
Simple hashing. This hashing technique is similar to cuckoo hashing. Two hash functions $h_1, h_2 : \{0, 1\}^* \to \{1, \ldots, m\}$ are used to map $n$ elements into $m$ bins, and each bin also has at most $b$ elements. However, in simple hash mapping, when the element $x$ is mapped to its corresponding two positions $h_1(x)$ and $h_2(x)$, the element is stored in both $h_1(x)$ and $h_2(x)$.

ElGamal Threshold Encryption Algorithm.
The ElGamal threshold encryption algorithm [30] is implemented according to the additive homomorphism of the ElGamal encryption algorithm, and is composed of four algorithms: KeyGen, Encrypt, Decrypt, and Rerandomize. The specific algorithm is as follows:
KeyGen. Given a cyclic group $G$ of order $p$ and its generator $g$, the security parameter is $\lambda$. Parties $P_1$ and $P_2$ randomly select $sk_i \leftarrow \mathbb{Z}_p$ ($i = 1, 2$) and then compute $pk_i = g^{sk_i} \bmod p$, where $sk_i$ is their respective private key, and $pk_i$ is their respective public key. Then the public key of the threshold encryption scheme is $pk = pk_1 \cdot pk_2$.
Encrypt. For a message $m$, map $m$ to $H(m)$ using the hash function $H(\cdot)$, where $H(\cdot)$ is defined as $\{0, 1\}^* \to G$. Then select a random number $r_1$, and compute the ciphertext of the message $m$ as $ct = (g^m \cdot pk^{r_1} \bmod p)$.
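The joint key from KeyGen and the two-step ("half") decryption the protocol later relies on, as an added example that is not the paper's code. It assumes the textbook two-component exponential ElGamal ciphertext $(g^r, g^m \cdot pk^r)$, because the Encrypt formula survives only in part on this page; the toy group, `encode`, and all function names are assumptions as well, and the paper's Rerandomize step is not reproduced.

```python
import hashlib
import secrets

# Toy group, constructed for this example and far too small for real use:
# P = 2Q + 1 is a safe prime and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4


def keygen():
    """KeyGen for one party: random sk_i, pk_i = g^sk_i mod p."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def joint_key(pk1, pk2):
    """Threshold public key pk = pk_1 * pk_2 = g^(sk_1 + sk_2)."""
    return (pk1 * pk2) % P


def encode(element):
    """Map a set element to an exponent in Z_Q (SHA-256 is an assumed choice)."""
    return int.from_bytes(hashlib.sha256(element.encode()).digest(), "big") % Q


def encrypt(pk, m):
    """Textbook exponential ElGamal (assumed form): (g^r, g^m * pk^r)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(G, m, P) * pow(pk, r, P)) % P


def half_decrypt(sk_i, ct):
    """Remove one party's mask c1^sk_i; the other party's mask stays in place."""
    c1, c2 = ct
    # c1 has order Q, so c1^(Q - sk_i) is the inverse of c1^sk_i.
    return c1, (c2 * pow(c1, Q - sk_i, P)) % P


def add(ct_a, ct_b):
    """Additive homomorphism: the component-wise product encrypts m_a + m_b."""
    return (ct_a[0] * ct_b[0]) % P, (ct_a[1] * ct_b[1]) % P


def exchange(element="record-17"):
    """Run keygen, encryption and both decryption orders for one element."""
    sk1, pk1 = keygen()
    sk2, pk2 = keygen()
    pk = joint_key(pk1, pk2)
    m = encode(element)
    ct = encrypt(pk, m)

    only_p1 = half_decrypt(sk1, ct)[1]                    # still masked by pk_2^r
    via_p1_first = half_decrypt(sk2, half_decrypt(sk1, ct))[1]
    via_p2_first = half_decrypt(sk1, half_decrypt(sk2, ct))[1]

    # Sum of two encrypted values, as in the intersection-sum remark.
    total = add(encrypt(pk, 3), encrypt(pk, 5))
    total_plain = half_decrypt(sk2, half_decrypt(sk1, total))[1]

    return {
        "target": pow(G, m, P),        # g^m, what full decryption must yield
        "only_p1": only_p1,
        "via_p1_first": via_p1_first,
        "via_p2_first": via_p2_first,
        "sum": total_plain,
    }


if __name__ == "__main__":
    for name, value in exchange().items():
        print(f"{name:>13}: {value}")
```

Decryption yields $g^m$ rather than $m$, so a party recognises an element by comparing the result with $g^{m'}$ for its own candidates $m'$.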

Overview.
The system model of the O-mPSI protocol is shown in Figure 1. There are three entities involved, two participating users $P_1, P_2$ and a semihonest edge server $S$. Among them, $P_1$ has private data set $X = \{x_1, \ldots, x_{n_1}\}$ and user $P_2$ has private data set $Y = \{y_1, \ldots, y_{n_2}\}$. They hope to calculate the intersection $X \cap Y$ of $X$ and $Y$ through the server $S$ without revealing their own set information.

Table 1 (fragment): Hash + OPE | Semihonest | No; [22] | Hash + OPE | Semihonest | No

Table 2: Capabilities of the adversary.
Types | Descriptions
C1 | A can learn the messages transmitted in the communication channel.
C2 | A can corrupt one of the two participants to obtain its secret data and private key.
C3 | A can collude with dishonest edge server S to obtain the information stored in the server.

The design idea of our protocol is based on [14], where $P_1$ and } to generate three hash bin positions corresponding to the set elements in the hash table. $P_1$ uses cuckoo hashing to select one of the three bins to map each element in the set $X$ to hash table $T_1$, each bin stores one element, and the remaining elements are stored in the stash $ST$. $P_2$ uses simple hashing to map each element in set $Y$ to the corresponding three bins in hash table $T_2$, and each bin stores $b$ elements. Then, the elements in the hash bin of $T_1$ are compared with the elements in the corresponding hash bin of $T_2$. And each element in the stash $ST$ is compared to all elements in set $Y$. In this way, the number of element comparisons is reduced from $O(n^2)$ to $O(n)$, and the intersection $X \cap Y$ is all the equal elements obtained by comparison.
But we diverge from the protocol of [14] in the method. In our protocol, parties $P_1$ and $P_2$ agree on two hash functions $h_1, h_2 : \{0, 1\}^* \to \{1, \ldots, m\}$ to generate the two hash bin positions corresponding to the set elements in the hash table. In this way, the elements in the set $Y$ of $P_2$ only need to be stored twice, which saves storage space and reduces the subsequent computational burden. Moreover, our protocol sets the size of each bin of hash table $T_1$ to $b$. This prevents elements from failing to be stored in the hash table $T_1$ because of too many relocations when hash conflicts occur, so there is no need to add a stash to store the elements. Therefore, it is only necessary to compare the elements in the bin of $T_1$ with the elements in the corresponding bin of $T_2$ to obtain the intersection. This further decreases the number of comparisons and reduces the complexity of the protocol.
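The data layout described above, as an added example that is not the paper's code: $P_1$ places each element in one of its two bins of capacity $b$ with no stash, $P_2$ stores each element in both bins, and the comparison runs bin by bin. It works on plaintext (the encryption and shuffling steps are left out); the SHA-256-based hash functions, the dummy format, the relocation limit and the sample sets are assumptions.

```python
import hashlib
import random


def positions(x, m):
    """Bin numbers h_1(x), h_2(x) in [0, m): SHA-256 with two prefixes (assumed)."""
    def h(prefix):
        digest = hashlib.sha256(prefix + x.encode()).digest()
        return int.from_bytes(digest[:8], "big") % m
    return h(b"h1|"), h(b"h2|")


def cuckoo_table(items, m, b, max_kicks=500, seed=1):
    """P_1's table T_1: each element in exactly one of its two bins,
    at most b elements per bin, and no stash."""
    rng = random.Random(seed)  # fixed seed only to make the demo repeatable
    table = [[] for _ in range(m)]
    for item in items:
        cur = item
        for _ in range(max_kicks):
            p1, p2 = positions(cur, m)
            free = [p for p in (p1, p2) if len(table[p]) < b]
            if free:
                # "either of them": take the emptier bin to delay relocations
                target = min(free, key=lambda p: len(table[p]))
                table[target].append(cur)
                break
            # Both bins full: evict a random occupant and relocate it.
            victim_bin = rng.choice((p1, p2))
            slot = rng.randrange(b)
            cur, table[victim_bin][slot] = table[victim_bin][slot], cur
        else:
            raise RuntimeError("too many relocations; increase m or b")
    return table


def simple_table(items, m):
    """P_2's table T_2: each element is stored in both of its bins."""
    table = [[] for _ in range(m)]
    for item in items:
        for p in set(positions(item, m)):
            table[p].append(item)
    return table


def pad(table, size, owner):
    """Fill short bins with dummies; owner-specific tags never match each other."""
    return [bin_ + [f"\x00dummy:{owner}:{k}:{i}" for i in range(size - len(bin_))]
            for k, bin_ in enumerate(table)]


def bin_to_bin(t1, t2):
    """Server-side step: compare bin k of T_1 only with bin k of T_2."""
    matches, comparisons = set(), 0
    for bin1, bin2 in zip(t1, t2):
        for x in bin1:
            for y in bin2:
                comparisons += 1
                if x == y:
                    matches.add(x)
    return matches, comparisons


def demo():
    # Constructed sample sets: n_1 = 400, n_2 = 20, ten shared identifiers.
    X = [f"device-{i:04d}" for i in range(400)]
    Y = [f"device-{i:04d}" for i in range(390, 410)]
    b = 4
    m = int(1.5 * len(X)) // b          # the page's parameters: b = 4, mb = 1.5n
    t1 = pad(cuckoo_table(X, m, b), b, "P1")
    t2 = pad(simple_table(Y, m), b, "P2")
    found, comparisons = bin_to_bin(t1, t2)
    return X, Y, t1, found, comparisons


if __name__ == "__main__":
    X, Y, t1, found, comparisons = demo()
    print(sorted(found))
    print(comparisons, "bin-to-bin comparisons vs", len(X) * len(Y), "pairwise")
```

In the protocol itself the server performs the same bin-by-bin equality test on ciphertexts, so it sees bin numbers and match counts but not the elements.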
However, there is still a problem of how to protect the privacy of user set information while calculating the intersection correctly. We use the ElGamal threshold encryption algorithm to solve this problem, as shown in Section 4.2.1. Participant $P_a$ ($a = 1, 2$) uses the public key $pk$ to encrypt the elements in the hash table $T_a$ and then sends it to the other party to rerandomize. Combined with the hash algorithm, we can see that, for $\forall x_i \in X$ in the hash bin of $T_1$, if the same element $y_j \in Y$ in $T_2$ is stored in the corresponding hash bin, there must be $E^*(x_i) = E^*(y_j)$ in the two hash bins with the same bin number. Therefore, the use of the ElGamal threshold encryption algorithm enables the comparison operation of elements to be performed in the form of ciphertext and ensures that the encrypted results of equal elements on both sides are the same. It creates conditions for the smooth implementation of intersection calculation.
In addition, in order to decrease the computational burden of both parties, the element comparison work is handed over to the edge server. Specifically, $P_a$ ($a = 1, 2$) sends the hash table encrypted by the ElGamal encryption algorithm to the server. Then the server compares the elements in the two hash tables in a bin-to-bin manner in the form of ciphertext. That is, it compares the elements in the hash bin of $T_1$ with the elements in the corresponding hash bin of $T_2$. In this way, all the equal ciphertext elements in the $m$ bins are the intersection $X \cap Y$ in the ciphertext form.
Then $P_1$ and $P_2$ cooperate to decrypt the intersection in the form of ciphertext in parallel, and the plaintext intersection $X \cap Y$ can be obtained at the same time. Among them, the comparison work of $m$ bins can be performed in parallel, which reduces the time overhead of the O-mPSI protocol.

O-mPSI Protocol.
In this section, we introduce the proposed O-mPSI protocol. For easier understanding, we divide the protocol into two parts: the data encryption part and the set intersection computation part, which are introduced in the following two subsections, respectively.

ElGamal Threshold Encryption Protocol.
In this section, we describe how ElGamal threshold encryption algorithm works in the protocol, and the details are shown in Algorithm 1.

Remark 1.
In the key generation phase, parties $P_1$ and $P_2$ jointly generate the public key $pk$ so that both parties can use the same public key for encryption in the subsequent encryption phase.

Remark 2. In the encryption phase, after encrypting the hash table, each party $P_i$ ($i = 1, 2$) needs to send $ct_{T_i}$ to the other party for rerandomization. Because each party privately chose a random number for encryption, two equal elements are encrypted differently by the two parties. In addition, to calculate the set intersection correctly, the rerandomization operation performed by the other party is necessary so that the encryption results of equal elements are the same.

Outsourced Two-Party Set Intersection Protocol.
In this section, we will explain the intersection calculation part of the O-mPSI protocol. Detailed description can be seen in Algorithm 2.

Remark 3.
In the data storage phase, $P_1$ hashes all its elements into one of its two corresponding bins, and each element is stored in only one bin. $P_2$ hashes all its elements into both of its two corresponding bins, and each element is stored in both bins. In this case, suppose that there is $x_i = y_j$ ($x_i \in X$ and $y_j \in Y$); the two bin positions $h_1(x_i)$ and $h_2(x_i)$ corresponding to $x_i$ are the same as the two bin positions $h_1(y_j)$ and $h_2(y_j)$ corresponding to $y_j$. Then no matter which bin ($h_1(x_i)$ or $h_2(x_i)$) $x_i$ is stored in, the corresponding element $y_j$ can be found in the two bins $h_1(y_j)$ and $h_2(y_j)$. Therefore, it can be known that storing all elements in set $Y$ in both bins can avoid missing intersection elements when computing the set intersection.

Remark 4.
In the data encryption phase, parties $P_1$ and $P_2$ use the ElGamal threshold encryption algorithm in Section 4.2.1 to encrypt the elements in their hash table and at the same time add a permutation sequence, so that both parties cannot know the specific location of the element. After hash tables $T_1$ and $T_2$ undergo the same permutation process, their bin numbers still correspond, so the intersection can be calculated correctly by the bins.

Remark 5.
In the intersection calculation phase, if the server continues to calculate on the encrypted intersection according to the additive homomorphism of the ElGamal homomorphic encryption algorithm, the encrypted intersection sum can be obtained. Then, continuing with step 2, the plaintext intersection sum will be obtained by both $P_1$ and $P_2$.

Security Analysis
The security proof of the O-mPSI protocol based on the decisional Diffie-Hellman (DDH) assumption is shown in this section.

Theorem 1.
Let $G$ be a represented group of order $p$. Let $A$ be a PPT adversary against the IND-CPA security within a time limit $t$, and $A$ can send $q_{send}$ send-queries, $q_{exe}$ execute-queries, and $q_h$ random oracle queries at most. Then we can get

3. Publish the public keys $pk_i$ ($i = 1, 2$) and keep the private key $sk_i$ ($i = 1, 2$).
4. Each party computes $pk = pk_1 \cdot pk_2$.
Encryption phase
1. $P_1$ encrypts the cuckoo hash table $T_1$ by bins; for all $k \in [m]$, $P_1$ computes as follows: (1) choose a random number $r_1^k$; for all items $x_i^k$ ($i = 1, \ldots, b$) in the $k$th cuckoo hash table $T_1^k$, use the ElGamal threshold encryption algorithm to encrypt them: to $P_2$ in shuffled order.
2. $P_2$ encrypts the hash table $T_2$ by bins; for all $k \in [m]$, $P_2$ computes as follows: (1) choose a random number $r_2^k$; for all items $y_i^k$ ($i = 1, \ldots, b$) in the $k$th hash table $T_2^k$, use the ElGamal threshold encryption algorithm to encrypt them: to $P_1$ in shuffled order.
3. $P_1$ re-randomizes the received $ct_{T_2}$ by bins. For all $k \in [m]$ and $\forall i \in [b]$, $P_1$ computes as follows:
4. $P_2$ re-randomizes the received $ct_{T_1}$ by bins. For all $k \in [m]$ and $\forall i \in [b]$, $P_2$ computes as follows:
ALGORITHM 1: ElGamal threshold encryption protocol.

Proof. Let $A$ be the adversary against the IND-CPA security of the O-mPSI protocol. Then construct PPT adversaries to attack the DDH assumption through $A$. If $A$ can break the IND-CPA security, then at least one PPT adversary has successfully broken the DDH assumption. We utilize hybrid games to prove Theorem 1. The game starts from the real attack and ends when the adversary does not have any advantage. An event $Succ_n$ is defined for each game $G_n$ ($0 \le n \le 4$), which indicates that $A$ guesses the bit $b$ in the test-query correctly.
(1) Game $G_0$: The game $G_0$ corresponds to a real attack in the random oracle model. According to Definition 2, we can get
(2) Game $G_1$: We simulate the random oracle $H: \{0, 1\}^* \to G$ (and there is also a random oracle $H'$ that will appear in $G_3$) in $G_1$ by maintaining hash list $L$ (and $L'$) as usual. Besides, Send, Execute, Corrupt, Collude, Reveal, Challenge, and Test oracles will be simulated as in the real attack (see Table 3). It is easy to know that $G_1$ is completely indistinguishable from the real attack, so that $\Pr[Succ_1] - \Pr[Succ_0] = 0$.
(3) Game $G_2$: Like $G_1$, we simulate all oracles in $G_2$, except for games where some collisions occur: $H(x)$ and $H(y)$. Because $x$ or $y$ is simulated, they are randomly and uniformly selected. Therefore, from the birthday paradox, we know that $\Pr[Succ_2] - \Pr[Succ_1] \le$
(4) Game $G_3$: In $G_3$, we use the private oracles $H'$ instead of the oracle $H$ to calculate $s(ct_{T_1})$ and $s(ct_{T_2})$, which are completely independent of $ct_{T_1}$ and $ct_{T_2}$. The games $G_3$ and $G_2$ are indistinguishable unless the event $AskH_3$ occurs: $A$ queries the hash function $H$ for $ct_{T_1}$ or $ct_{T_2}$. In addition, no matter what bit $b$ in challenge-query is, the answer is random. Therefore, it can be seen that $\Pr[Succ_3] - \Pr[Succ_2] \le \Pr[AskH_3]$ and $\Pr[Succ_3] = \frac{1}{2}$.
(5) Game $G_4$: In $G_4$, we simulate the executions through the random self-reducibility of the Diffie-Hellman problem, and given one DDH instance $(A = g^x, B = g^y)$, we randomly select $\alpha, \beta \in \mathbb{Z}_p$ and

Inputs: $P_1$: Set $X = \{x_1, \ldots, x_{n_1}\}$; $P_2$: Set $Y = \{y_1, \ldots, y_{n_2}\}$
Output: The intersection set $I$, where $I = X \cap Y$.
Data storage phase:
1. $P_1$ and $P_2$ determine the number $m$ of bins, the size $b$ of bins and the two hash functions $h_1, h_2 : \{0, 1\}^* \to \{1, \ldots, m\}$.
$P_1$ computes the two bin positions $h_1(x_i)$ and $h_2(x_i)$ corresponding to $x_i$, and inserts $x_i$ into one of them. $P_1$ fills each bin holding fewer than $b$ elements with dummy elements, then generates the cuckoo hash table $T_1$.
3. For $y_j \in Y$, $j \in [n_2]$, $P_2$ computes the bin positions $h_1(y_j)$ and $h_2(y_j)$ corresponding to $y_j$, and inserts $y_j$ into both of them. $P_2$ fills each bin holding fewer than $b$ elements with dummy elements, then generates the hash table $T_2$.
Data encryption phase:
1. $P_1$ calls the ElGamal threshold encryption protocol to compute the encrypted hash table $ct^*_{T_2}$, and then sends $ct^*_{T_2}$ to the server in shuffled order.
2. $P_2$ calls the ElGamal threshold encryption protocol to compute the encrypted cuckoo hash table $ct^*_{T_1}$, and then sends $ct^*_{T_1}$ to the server in shuffled order.
Intersection calculation phase:
1. After $ct^*_{T_1}$ and $ct^*_{T_2}$ are received, the server proceeds as follows: (1) computes the encrypted set intersection by bins: for $k \in [m]$, computes $ct_{I_k} = ct^{*}$ (2) then the final encrypted intersection $ct_I = ct_{I_1} \cup ct_{I_2} \cup \cdots \cup ct_{I_m}$. (3) publishes $ct_{I = X \cap Y}$.
2. After receiving $ct_I$, the users $P_1$, $P_2$ and the server proceed as follows: (1) each party $P_i$ ($i = 1, 2$) half-decrypts $ct_I$ to $ct'_{I_i}$ using its private key, and then sends $ct'_{I_i}$ to the server. (2) then the server sends $ct'_{I_2}$ to $P_1$ and sends $ct'_{I_1}$ to $P_2$. Each party fully decrypts the received half-decrypted intersection of the other party, and gets the plaintext intersection set $I = \{z_1, \ldots, z_w\}$.
ALGORITHM 2: Outsourced two-party set intersection protocol.

Moreover, $AskH_4$ means that the adversary $A$ had queried the random oracle $H$ on $E(x)$ or $E(y)$. Then we get $\Pr[AskH_3] = \Pr[AskH_4]$ and

$\Pr[AskH_4] \le q_h \, \mathrm{Adv}^{DDH}$
According to the above equations, we can conclude that

The simulation queries involved in the protocol are as follows. □

6. Performance Evaluation
6.1. Theoretical Evaluation. In this section, regarding the complexity of calculation and communication, we compare the O-mPSI protocol with the protocols in [11,12,20]. We choose these three protocols because both parties of the protocols in [11,12] can know the intersection, and the protocol in [20] supports outsourcing. These protocols are very similar to our protocol. The comparison results are shown in Table 4.
Computation complexity. Our O-mPSI protocol uses a cuckoo hash table to store data, and the ElGamal threshold encryption algorithm to encrypt data. We use the number of modular exponential operations to evaluate the computational overhead of the O-mPSI protocol. Party $P_1$ and party $P_2$ each perform $2m + mb$ exponential operations when encrypting the hash tables $T_1$ and $T_2$ and perform $w$ exponential operations in the decryption phase. The server only performs the intersection calculation, which does not involve any exponential operations. Here $m$ represents how many bins are in the hash table, $b$ is the size of the bin, and $w$ is the intersection cardinality. Therefore, the O-mPSI protocol performs $2(2m + mb + w)$ modular exponential operations in total. We define $n = n_1 \gg n_2$, $b = 4$, $mb = 1.5n$, where $n_i$ ($i = 1, 2$) is the cardinality of the private set of party $P_i$. The possible values of the intersection cardinality $w$ are in the range $[0, n]$, where we take its maximum value $n$. Therefore, the computational complexity is $6.5n$ in the O-mPSI protocol.
(4) Send ($S^i$, ($ct^*_{T_1}$, $ct^*_{T_2}$)): For each of the $m$ hash bins, compute $ct_{I_k} = ct^{*}$ and $ct_I = ct_{I_1} \cup ct_{I_2} \cup \cdots \cup ct_{I_m}$. Then return $ct_I$.
(5) Execute ($P_1^i$, $P_2^i$, $S^i$): According to the successive simulations of the send-queries, return $ct_{T_1} \leftarrow$ send-query ($P_1^i$, start), $ct_{T_2} \leftarrow$ send-query ($P_2^i$, start), $ct^*_{T_2} \leftarrow$ send-query ($P_1^i$, $ct_{T_2}$), $ct^*_{T_1} \leftarrow$ send-query ($P_2^i$, $ct_{T_1}$), and $ct_I \leftarrow$ send-query ($S^i$, ($ct^*_{T_1}$, $ct^*_{T_2}$)).

The protocol in [11] is based on the two-way oblivious pseudorandom function mOPRF, without the participation of a third-party server, and its computation complexity is $48n$. The protocol in [12] also does not involve the third-party server; its computation complexity is $23n + 7$. In the verifiable delegated PSI protocol of [20], the user performs $10n + 15$ exponential operations and the server performs $10n + 15$ exponential operations, so the overall computation complexity of [20] is $20n + 30$.
From the analysis above, it is clear that our O-mPSI protocol has much lower computational complexity than the other three protocols.
Communication complexity. Our O-mPSI protocol uses the number of transmitted ciphertexts to express the complexity of communication. Party $P_1$ sends $mb$ encrypted elements $E(x_i^k)$ and $mb$ rerandomized elements $E^{*}(y_i^k)$, for $1 \le i \le b$ and $1 \le k \le m$, to $P_2$. Party $P_2$ sends $mb$ encrypted elements $E(y_i^k)$ and $mb$ rerandomized elements $E^{*}(x_i^k)$, for $1 \le i \le b$ and $1 \le k \le m$, to $P_1$.
Thus, the O-mPSI protocol generates a total of $4mb$ ciphertext transmissions. The communication complexity of the O-mPSI protocol is $6n$, since $mb = 1.5n$.
To sum up, we can see that our O-mPSI protocol is superior to the other three protocols in terms of the communication complexity.

Experimental Evaluation.
To verify the theoretical analysis results in Section 6.1, the computational costs of our O-mPSI protocol and the protocols in [11,12,20] are compared through experiments. The experimental platform is Windows 10, AMD Ryzen 5 4600H with Radeon Graphics 3.00 GHz, 16 GB RAM, and the compilation environment is MyEclipse 2017. In the experiment, we set $b = 4$ and $mb = 1.5n$, where $m$ represents how many bins are in the hash table, $b$ is the size of the bin, and $n$ is the set cardinality.
Since our O-mPSI protocol and the protocols in [11,12,20] all use a homomorphic encryption algorithm to encrypt data, we first compare the time it takes for the four protocols to execute with different modulus lengths. In this experiment, we set $n = 1000$; for moduli of 128 bit, 256 bit, 512 bit, and 1024 bit, the homomorphic encryption times of the four protocols are shown in Figure 2.
It can be seen from Figure 2 that, as the modulus length increases, the time of homomorphic encryption performed by the four protocols also increases. Among them, the time cost of the O-mPSI protocol is lower than that of Debnath's mPSI1 and mPSI2 protocols and Abadi's PSI protocol, and its growth trend is the slowest. The time cost in this experiment depends on how many modular exponential operations are used in the scheme. And according to Table 3, the modular
Table 4: Comparison of the properties of O-mPSI protocol and related protocols.
It can be seen from Figure 3 that the execution time of the four protocols increases with the increasing size of the data set. Among them, the execution time overhead of the O-mPSI protocol increases most slowly compared to that of Debnath's mPSI1 and mPSI2 protocols and Abadi's PSI protocol.
This is because the O-mPSI protocol in this paper uses a hash algorithm to process the set elements in advance. Therefore, as the size of the data set continues to increase, the time cost curve of the O-mPSI protocol grows slowly, while the time cost curves of the other three protocols increase significantly.
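The cost model behind this comparison, as an added example that is not the authors' code: it plugs the operation counts stated in the complexity analysis into a locally measured cost of one modular exponentiation at each modulus length. The function names, the random odd modulus and the full-length exponents are assumptions made for timing only; the script estimates relative cost and does not implement the protocols or reproduce the figures.

```python
import secrets
import time


def exp_counts(n, b=4, load=1.5, w=None):
    """Modular exponentiations per protocol run, using the formulas stated in the analysis."""
    w = n if w is None else w      # the analysis takes the worst case w = n
    mb = load * n                  # total hash-table slots: mb = 1.5n
    m = mb / b                     # number of bins
    return {
        "O-mPSI": 2 * (2 * m + mb + w),  # two parties: table encryption plus decryption
        "[11]": 48 * n,
        "[12]": 23 * n + 7,
        "[20]": 20 * n + 30,             # user 10n + 15 plus server 10n + 15
    }


def modexp_seconds(bits, trials=200):
    """Average wall-clock time of one modular exponentiation at this modulus length."""
    # Assumption: a random odd modulus with the top bit set is enough for timing.
    modulus = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    samples = [(secrets.randbelow(modulus), secrets.randbits(bits))
               for _ in range(trials)]
    start = time.perf_counter()
    for base, exponent in samples:
        pow(base, exponent, modulus)
    return (time.perf_counter() - start) / trials


def estimated_seconds(n, bits, trials=200):
    """Estimated exponentiation time per protocol: operation count times unit cost."""
    unit = modexp_seconds(bits, trials)
    return {name: count * unit for name, count in exp_counts(n).items()}


if __name__ == "__main__":
    for bits in (128, 256, 512, 1024):   # modulus lengths used in the experiment
        estimate = estimated_seconds(1000, bits)
        print(bits, {name: round(sec, 3) for name, sec in estimate.items()})
```

Passing a smaller `w` to `exp_counts` shows how much of the O-mPSI count comes from the decryption phase rather than from encrypting the hash tables.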

Conclusions
To address the problem of data privacy and secure sharing in edge-assisted IoT, we proposed a fair outsourced mPSI protocol with a lower computational cost. The proposed O-mPSI scheme uses the existing hash bin-to-bin method to calculate the intersection and improves it to further reduce the number of element comparisons. The calculation of the intersection is outsourced to the edge server, which reduces the computing burden on both sides. The scheme adopts the ElGamal threshold encryption algorithm to ensure data security. Only when both parties cooperate can all ciphertexts be completely decrypted.
Therefore, this scheme can effectively resist a collusion attack between the server and any one of the two parties. The scheme is also proved to be IND-CPA secure under the DDH assumption. Through theoretical analysis and experimental evaluation, it is shown that the computational cost of our proposed O-mPSI protocol is lower than that of other mutual PSI protocols. The combination of edge computing and IoT improves the intelligence of IoT devices and introduces intelligent devices into all aspects of life. The massive use of smart IoT devices has led to a sharp increase in the amount of data generated by users. Privacy protection and secure sharing of big data in the IoT have become the focus of current research. Therefore, research on more secure and efficient PSI technology applied to edge-assisted IoT is our future research direction.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.