This paper addresses privacy-preserving cross-platform ad attribution measurement in multi-identifier environments. Methodologically, it proposes a secure and practical user identity matching framework that integrates reverse oblivious pseudorandom functions (rOPRFs), blind key rotation, and differential privacy perturbation. This combination enables unlinkable intersection computation across identifiers while concealing the intersection cardinality to resist membership inference attacks. Unlike conventional OPRF-based approaches, the framework supports efficient key updates and scalable deployment. Experiments on billion-scale datasets demonstrate low latency and high accuracy, alongside strong privacy guarantees—formally satisfying ε-differential privacy—while maintaining industrial usability. The solution is directly applicable to real-world secure advertising conversion tracking.

This paper tackles the challenging and practical problem of multi-identifier private user profile matching for privacy-preserving ad measurement, a cornerstone of modern advertising analytics. We introduce a comprehensive cryptographic framework leveraging reversed Oblivious Pseudorandom Functions (OPRF) and novel blind key rotation techniques to support secure matching across multiple identifiers. Our design prevents cross-identifier linkages and includes a differentially private mechanism to obfuscate intersection sizes, mitigating risks such as membership inference attacks. We present a concrete construction of our protocol that achieves both strong privacy guarantees and high efficiency. It scales to large datasets, offering a practical and scalable solution for privacy-centric applications like secure ad conversion tracking. By combining rigorous cryptographic principles with differential privacy, our work addresses a critical need in the advertising industry, setting a new standard for privacy-preserving ad measurement frameworks.