The millionaires’ problem is the basis of secure multiparty computation and has many applications. Using a vectorization method and the Paillier encryption scheme, we first propose a secure two-party solution to the millionaires’ problem, which can determine
The millionaires’ problem (abstracted as a greater than (GT) problem) was proposed by Yao [
Motivated by Goldwasser’s predictions, cryptographic researchers have studied many SMC problems, including private sorting problems [
The GT problem is a foundational component of many SMC protocols [
Cryptographic researchers have proposed several GT protocols. Yao [
Many researchers have proposed GT protocols based on homomorphic encryption schemes. Li and Wang [
In addition, some researchers proposed SMC protocols for the GT problem based on the linear secret sharing method. Nishide and Ohta [
Although several protocols have been proposed, their efficiency is not very high and more efficient SMC protocols are desirable. Therefore, this paper proposes two efficient solutions to both the two-party and multiparty GT problems.
(2) Protocol 1 securely solves the two-party GT problem based on the vectorization method and the Paillier encryption scheme. It determines
(3) Protocol 2 securely computes the multiparty GT problem (i.e., secure sorting problem) based on the vectorization method and the secret splitting method without any encryption scheme based on computational assumptions. The computational cost is negligible and the communication cost is
A two-party computation is a random computation process, denoted by
The above two-party computation can be extended to
The ideal SMC model is the most secure SMC model. It requires a trusted third party (TTP) that always tells the truth and never lies. If such a TTP exists, Alice (holding Alice sends Bob sends TTP computes TTP sends
Theoretically, this protocol can solve any SMC problem, but the TTP is not easily implemented in practice. Therefore, SMC protocols without needing a TTP must be developed.
At present, SMC protocols are investigated either in the semihonest model or in the malicious model. A semihonest party truthfully follows the protocol but may retain all intermediate computations and try to deduce other parties’ private inputs from the record. Studying SMC in the semihonest model is the basis of studying SMC in the malicious model. The semihonest model is not only an important methodology but also provides an appropriate model for many settings. In some settings, proving that a protocol is secure in the semihonest model is sufficient. Furthermore, Goldreich et al. [
A protocol is considered secure if what a party can obtain from the execution of the protocol can also be computed only from his input and output. This situation is formalized by a simulation paradigm [
The simulation paradigm is a commonly used and widely accepted proof method for secure multiparty computation. Its principle is that the security of an SMC protocol is compared to the security of the ideal SMC protocol, and the protocol is secure if it discloses no more information than the ideal SMC protocol does. Therefore, the simulation paradigm is considered the formal expression of the principle for evaluating the security of SMC protocols.
Suppose that
In the execution of
For a function
In order to prove that a multiparty computation protocol is secure, we must construct simulators
A semihonest party is one that follows the protocol properly, with the exception that it keeps a record of all its intermediate computations. Loosely speaking, a multiparty protocol privately computes
Let
In case
The Paillier public-key cryptosystem [
The public key is
We use a vectorization method to solve the GT problem privately. The vectorization method encodes a number into a vector. Suppose that
The computational complexity of our protocol depends on
Yao is the pioneer of secure multiparty computation research. In his seminal paper entitled “Protocols for Secure Computations” [
In many cases,
In this section, we propose protocols to solve secure two-party and multiparty GT problems. In the two-party case, we propose Protocol 1 by using the vectorization method to encode a plaintext number into a vector and using the Paillier encryption scheme to encrypt the vector’s components. Protocol 1 can determine the relationship of
Although we can expand the two-party GT protocol to
Yao’s scheme [
In our solution, Alice (holding
The solution for two-party GT problem is as follows.
With the Paillier encryption scheme, Alice generates the public key Following the vectorization method, Alice encodes where Alice selects where Alice sends Bob selects a random number Bob sends Alice decrypts and tells Bob the result If If If
Alice computes When Alice receives When Bob obtains the result Using Protocol 1, we can determine the relationship between
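The message flow described above (Alice encrypts a vector, Bob answers with one blinded ciphertext, Alice decrypts), as an added sketch that is not the authors' code. The three-valued encoding, the re-randomisation by a fresh E(0), the toy primes and all function names are assumptions of this sketch, not taken from the paper's Protocol 1.

```python
import math
import secrets

P, Q = 2**31 - 1, 2**61 - 1          # known primes; toy size, not secure

def keygen():
    n = P * Q
    lam = math.lcm(P - 1, Q - 1)
    return n, (lam, pow(lam, -1, n))  # mu = lam^-1 mod n because g = n + 1

def enc(n, m):
    while True:                        # random r coprime to n
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + m * n) * pow(r, n, n * n) % (n * n)

def dec(n, sk, c):
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def alice_encode(n, x, m):
    """Assumed encoding of x over 1..m: 0 below x, 1 at x, 2 above x."""
    return [enc(n, 0 if k < x else 1 if k == x else 2) for k in range(1, m + 1)]

def bob_select(n, cipher_vec, y):
    """Bob takes component y and multiplies in a fresh E(0): same plaintext,
    new randomness, so Alice cannot match it to a position she sent."""
    return cipher_vec[y - 1] * enc(n, 0) % (n * n)

def alice_decide(n, sk, c):
    return {0: "x > y", 1: "x = y", 2: "x < y"}[dec(n, sk, c)]

def compare(x, y, m=20):
    n, sk = keygen()
    sent = alice_encode(n, x, m)       # Alice -> Bob: m ciphertexts
    reply = bob_select(n, sent, y)     # Bob -> Alice: one ciphertext
    return alice_decide(n, sk, reply), reply in sent
```

The second value returned by `compare` shows whether Bob's reply is byte-identical to a ciphertext Alice sent; without the re-randomisation it would be, and Alice could read off y directly.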
The following theorem refers to the privacy-preserving property of this protocol.
Protocol 1 for the two-party GT problem is secure in the semihonest model.
We begin by constructing
In the protocol,
By Using the Paillier encryption scheme,
Let
Since
Similarly, we can construct
In practice, more than two parties want to privately compare all of their numbers. For example, some companies want to compare their turnovers, but they do not want to disclose their data, so they prefer a secure protocol that can sort their turnovers. As another example, students desire to know their own score’s rank without publishing their scores, and thus they must privately determine the order of their own score.
To solve the secure multiparty GT problem (i.e., secure sorting problem), we may use Protocol 1 to compare pairwise, but this process is of high complexity and will disclose too much information to other parties. Therefore, we propose a more efficient protocol as follows.
The set is defined as
Consider
A protocol is proposed to compute
In our protocol,
All parties’
Table: Four-party vectorization method and sorting order (surviving row labels: Addition, Sorting order).
However, if
Four-party sending
All parties publish their
All parties encode their own numbers with the vectorization method. Take where where all All parties publish their
In this protocol, we use the secret splitting method to split a vector
Protocol 2 does not require any encryption scheme based on computational assumptions, so it is information-theoretically secure.
In a particular case, if
The protocol cannot be applied to the two-party situation because, in the execution of Protocol 2 for two parties, Alice splits
In this protocol, we do not consider attacks in the transmitting process. If necessary, we can use the Paillier encryption scheme [
In fact, in many cases, only a limited number of parties take part in sorting their numbers. In the cryptographic literature, multiparty refers to 3 to 5 parties. Few works consider more than 10 parties. In addition, in everyday life, we sort the 100 richest men in the world, compare the top 100 banks in the world, or rank the top 500 companies all over the world at most. Therefore, the number of parties in the above cases does matter much.
Protocol 2 can resist collusion attacks, which is proved by the following Theorem
The following theorem states the privacy-preserving property of the protocol.
Protocol 2 for the multiparty GT problem is secure in the semihonest model.
In Protocol 2, even though some adversaries obtain
We consider the following cases.
By the result of the protocol, the coconspirators The set Let
Therefore, in this case, the protocol is secure.
To sum up, in any case, there exists a simulator
To help the readers understand the protocol, we give a toy example.
By By By By
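An added toy run of the idea behind Protocol 2 (vectorization plus secret splitting, no encryption), not the authors' code. The 0/1 encoding, the share modulus `Q` and the function names are assumptions of this sketch.

```python
import secrets

Q = 2**61 - 1   # share modulus (assumed); only needs to exceed the party count

def encode(x, m):
    """Assumed encoding over 1..m: 1 at every position k >= x, else 0."""
    if not 1 <= x <= m:
        raise ValueError("input outside the agreed range 1..m")
    return [1 if k >= x else 0 for k in range(1, m + 1)]

def split(vec, n):
    """Additive secret splitting: n random-looking vectors that sum to vec mod Q."""
    shares = [[secrets.randbelow(Q) for _ in vec] for _ in range(n - 1)]
    last = [(v - sum(col)) % Q for v, col in zip(vec, zip(*shares))]
    return shares + [last]

def add(vectors):
    return [sum(col) % Q for col in zip(*vectors)]

def secure_rank(inputs, m):
    n = len(inputs)
    if n < 3:
        raise ValueError("with two parties the sum reveals the other input")
    # Round 1: party i splits its encoded vector; share j goes to party j.
    sent = [split(encode(x, m), n) for x in inputs]
    # Round 2: party j publishes only the sum of the shares it now holds.
    published = [add([sent[i][j] for i in range(n)]) for j in range(n)]
    total = add(published)       # component k = number of inputs <= k
    # Party i looks up the component at its own value: its ascending rank.
    return [total[x - 1] for x in inputs], published

# Constructed sample: four parties, values in 1..10 (ties share a rank).
if __name__ == "__main__":
    ranks, _ = secure_rank([7, 3, 9, 3], 10)
    print(ranks)
```

In this sketch the summed vector is public, so it shows how many inputs fall at each position; the splitting hides which party contributed which vector.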
The computational complexity is an important measure for evaluating the efficiency of an SMC protocol.
For secure two-party computation of the GT problem, we compare the computational complexity of Protocol 1 with that of the following typical solutions. The computational cost of [
In the proposed Protocol 1, Alice encodes her number
Computational complexities for the two-party GT problem.
Schemes | Result | Modular multiplications |
---|---|---|
Yao [ | | Exponential |
Blake and Kolesnikov [ | | |
Lin and Tzeng [ | | |
Protocol 1 | | |
Table
For secure multiparty computation of the GT problem (secure sorting problem), the solution of [
In Protocol 2, we simply use the vectorization and the secret splitting methods, which requires
Computational complexities for the
Schemes | Modular multiplications |
---|---|
Damgard et al. [ | |
Tang et al. [ | |
Protocol 2 | Negligible |
The communication complexity, measured by the number of communicating rounds, is another important measure for evaluating the efficiency of an interactive protocol. For secure two-party computation of the GT problem, [
For secure
Table
The communication complexities for the GT problem.
Schemes | Two-party | |
---|---|---|
Yao [ | 2 | — |
Blake and Kolesnikov [ | 4 | |
Nishide and Ohta [ | 15 | — |
Tang et al. [ | — | |
Protocol 1 | 1 | — |
Protocol 2 | — | |
In this work, we propose the SMC protocols to solve the two-party and multiparty GT problem. Using the Paillier encryption scheme and the vectorization method, we construct an SMC protocol for solving the two-party GT problem which can determine
The authors declare that they have no conflicts of interest.
This research is supported by the Natural Science Foundation of China (Grant nos. 61272435, 61272514, 61261028, and 61562065), the Natural Science Foundation of Inner Mongolia (Grant no. 2017MS0602), the University Scientific Research Project of Inner Mongolia (Grant no. NJZY17166), and Fundamental Research Funds for the Central Universities (Grant no. 2016TS061). The authors thank the sponsors for their support.