Invertible Polynomial Representation For Private Set Operations

In many private set operations, a set is represented by a polynomial over a ring Z(sigma) for a composite integer sigma, where Z(sigma) is the message space of some additive homomorphic encryption. While it is useful for implementing set operations with polynomial additions and multiplications, it has a limitation that it is hard to recover a set from a polynomial due to the hardness of polynomial factorization over Z(sigma).We propose a new representation of a set by a polynomial over Z(sigma), in which s is a composite integer with known factorization but a corresponding set can be efficiently recovered from a polynomial except negligible probability. Since Z(sigma)[x] is not a unique factorization domain, a polynomial may be written as a product of linear factors in several ways. To exclude irrelevant linear factors, we introduce a special encoding function which supports early abort strategy. Our representation can be efficiently inverted by computing all the linear factors of a polynomial in Z(sigma)[x] whose roots locate in the image of the encoding function.As an application of our representation, we obtain a constant-round private set union protocol. Our construction improves the complexity than the previous without honest majority.