Secure multiparty computation of a comparison problem

Private comparison is fundamental to secure multiparty computation. In this study, we propose novel protocols to privately determine $x > y$, $x < y$, or $x = y$ in one execution. First, a 0-1-vector encoding method is introduced to encode a number into a vector, and the Goldwasser-Micali encryption scheme is used to compare integers privately. Then, we propose a protocol that uses a geometric method to compare rational numbers privately; this protocol is information-theoretically secure. Using the simulation paradigm, we prove the privacy-preserving property of our protocols in the semi-honest model. The complexity analysis shows that our protocols are more efficient than previous solutions.

in the semi-honest model. However, Goldreich designed an important compiler: given a protocol $\pi$ that privately computes a function $f$ in the semi-honest model, the compiler produces a new protocol $\pi'$ that privately computes $f$ in the malicious model. In addition, some SMC problems have not been solved efficiently, and some are not solved even in the semi-honest model (Gu et al. 2015; Xia et al. 2015; Pan et al. 2015; Ren et al. 2015). We therefore propose our protocols in the semi-honest model.
The GT problem is a building block of many SMC protocols (Shim 2012; Zhang et al. 2011; Banu and Nagaveni 2013; Lin et al. 2014; Fu et al. 2015a; Hong and Sun 2016). Cryptographic researchers have proposed several GT protocols. Cachin (1999) proposed a GT protocol based on the $\phi$-hiding assumption, but it needs a trusted third party. Ioannidis and Grama (2003) used an oblivious transfer (OT) scheme to construct a GT protocol, but the length of the inputs is restricted by a security parameter of the OT scheme. Fischlin (2001) used the Goldwasser-Micali encryption scheme to construct a two-round GT protocol whose computation cost is $(\lambda d\log N + 6\lambda d + 3d)$ modular multiplications ($d$ is the length of the private inputs, $\lambda$ is set to 40-50).
Later, Li et al. (2005) constructed a function $F$ to compare two function values instead of plaintexts and used a 1-out-of-$m$ OT ($\mathrm{OT}^m_1$) scheme to compare arbitrary data. Schoenmakers et al. (2004) used a threshold homomorphic encryption scheme to solve the GT problem, in which the inputs were shared among a group of parties; the communication cost was $O(n)$. Blake and Kolesnikov (2004) used the Paillier encryption scheme to construct a two-round GT protocol whose computation cost was $O(n\log N)$ modular multiplications. Lin and Tzeng (2005) proposed a two-round GT protocol using the ElGamal multiplicatively homomorphic encryption scheme and a 0-1 encoding method, with a computation cost of $O(n\log p)$ modular multiplications. Grigoriev and Shpilrain (2014) used a public-key encryption scheme to solve the Millionaires' Problem with two rounds of communication and a computation cost of $(6\log p + 3d)$ modular multiplications. Maitra et al. (2015) proposed a two-round protocol for the Millionaires' Problem with a computation cost of $(2d\log p)$ modular multiplications.
However, some previous GT solutions compare only integers, some cannot determine $x > y$, $x < y$, or $x = y$ in one execution, some need a trusted third party, and some are inefficient.
In this study, we propose new solutions to the GT problem. We introduce a 0-1-vector encoding method and use the Goldwasser-Micali (abbreviated GM) encryption scheme to compare integers efficiently. Then we present a protocol that privately compares rational numbers in one execution by computing the sign of the area $S_\triangle$ of a triangle.
Our contributions:
1. We introduce a 0-1-vector encoding method that encodes a number into a vector. Using this encoding, the comparison problem is transformed into a vector-element-selection problem, which is more efficient than comparing two numbers directly.
2. We propose a private comparison protocol for integers based on the XOR homomorphism of the GM encryption scheme and the vector encoding method. For a vector of length $L$ its computation cost is $(6L + 4)$ modular multiplications, and its communication cost is at most two rounds.
3. Further, we use a geometric method to privately compare two rational numbers. By privately computing the sign of a triangle area $S_\triangle$, we determine whether $x = y$, $x < y$, or $x > y$ in one execution. The protocol needs only five additions and eight multiplications, so its computation cost is negligible, and its communication cost is one round. The protocol is information-theoretically secure.
The rest of this paper is organized as follows: the "Related work" section introduces related definitions and methods, including the ideal SMC model, the semi-honest model, the simulation paradigm, the Goldwasser-Micali encryption scheme, the 0-1-vector encoding method, and the secure computation of the area of a triangle; the "New protocols to privately solve a comparison problem" section proposes new protocols for comparing integers and rational numbers, gives their correctness and security analysis, and proves their privacy-preserving property using the simulation paradigm; the "Complexity analysis" section compares the computational and communication complexity of our protocols with previous solutions; the "Conclusion" section concludes this work.

Ideal SMC model
The ideal SMC model is the simplest SMC model. It needs a trusted third party (TTP) who always tells the truth, never lies, and never discloses any input information, so the ideal SMC protocol is the most secure one. If such a TTP exists, Alice (holding $x$) and Bob (holding $y$) can privately compute $f(x, y)$ as follows:
1. Alice sends $x$ to the TTP;
2. Bob sends $y$ to the TTP;
3. The TTP computes $f(x, y) = (f_1(x, y), f_2(x, y))$;
4. The TTP sends $f_1(x, y)$ to Alice and $f_2(x, y)$ to Bob.
Theoretically, the above protocol can solve any SMC problem, but such a TTP cannot easily be found in practice, so we need to study SMC protocols without a TTP.

Semi-honest model
We assume that all parties are semi-honest. A semi-honest party follows the protocol faithfully and sends correct inputs to the others, but may record all intermediate computations and try to derive the other parties' private inputs from the record. Goldreich has proved that a protocol which privately computes a functionality $f$ in the semi-honest model can be compiled, by introducing a bit-commitment macro, into a protocol which computes $f$ in the malicious model. The semi-honest model is therefore not only an important methodological tool but also provides a good model in many settings, and it suffices to prove that a protocol is secure in the semi-honest model.
If whatever a party can efficiently compute from the execution of a protocol can also be efficiently computed from its own input and output, the protocol is private. This intuition is formalized by the simulation paradigm: a party's view in a protocol execution can be simulated from its input and output, so the parties learn nothing from the execution itself. The notation and definition are as follows.
Notation: in a two-party SMC protocol, Alice holds $x$ and Bob holds $y$.
1. Alice's and Bob's inputs are $x$ and $y$, respectively;
2. They run a protocol $\pi$ to compute a function $f$, where $f$ is a probabilistic polynomial-time functionality;
3. Alice and Bob obtain the message sequences $\mathrm{view}^\pi_1(x, y) = (x, r_1, m^1_1, \ldots, m^1_t)$ and $\mathrm{view}^\pi_2(x, y) = (y, r_2, m^2_1, \ldots, m^2_t)$, respectively, where $r_1$ (resp. $r_2$) is the outcome of her (resp. his) internal coin tosses and $m^1_i$ (resp. $m^2_i$) is the $i$-th message she (resp. he) received;
4. Alice's output is $\mathrm{output}^\pi_1(x, y)$ and Bob's output is $\mathrm{output}^\pi_2(x, y)$.

Definition 1
For a function $f$, $\pi$ privately computes $f$ if there exist probabilistic polynomial-time algorithms, the simulators $S_1$ and $S_2$, such that
$$\{S_1(x, f_1(x, y))\}_{x, y} \stackrel{c}{\equiv} \{\mathrm{view}^\pi_1(x, y)\}_{x, y}, \quad (1)$$
$$\{S_2(y, f_2(x, y))\}_{x, y} \stackrel{c}{\equiv} \{\mathrm{view}^\pi_2(x, y)\}_{x, y}, \quad (2)$$
where $\stackrel{c}{\equiv}$ denotes computational indistinguishability. To prove that a multiparty computation protocol is private, we must construct simulators $S_1$ and $S_2$ such that (1) and (2) hold.

Goldwasser-Micali public key cryptosystem
The multiplicative group of $\mathbb{Z}_n$ is $\mathbb{Z}_n^* = \{x \in \mathbb{Z}_n \mid \gcd(x, n) = 1\}$. Let $a \in \mathbb{Z}_n^*$. $a$ is called a quadratic residue modulo $n$ if there exists an $x \in \mathbb{Z}_n^*$ such that $x^2 \equiv a \pmod n$; if no such $x$ exists, $a$ is called a quadratic non-residue modulo $n$. For any $r \in \mathbb{Z}_n^*$, $r^2 \bmod n$ is always a quadratic residue modulo $n$. The Goldwasser-Micali (GM) public key cryptosystem (Goldwasser and Micali 1984) is the first probabilistic cryptosystem. It rests on the fact that if $t$ is a quadratic non-residue, then so is $tr^2$ for any $r \in \mathbb{Z}_n^*$, and it consists of the following three algorithms.
Key generation: takes a security parameter $k$ as input, chooses two $k$-bit primes $p$ and $q$, sets $n = pq$, and picks $t \in \mathbb{Z}_n^1$ ($\mathbb{Z}_n^1$ is the subset of $\mathbb{Z}_n^*$ whose elements have Jacobi symbol $+1$) such that $t$ is a quadratic non-residue modulo $n$. It publishes $(n, t)$ as the public key and keeps $(p, q)$ as the private key.
Encrypt: takes a message bit $m_i \in \{0, 1\}$, the public key $(n, t)$, and a random number $r_i \in \mathbb{Z}_n^*$ as input, and computes
$$E(m_i, r_i) = t^{m_i} r_i^2 \bmod n,$$
so $E(0, r_i) = r_i^2 \bmod n$ is a quadratic residue and $E(1, r_i) = t r_i^2 \bmod n$ is a quadratic non-residue with Jacobi symbol $+1$.
Decrypt: using the private key $(p, q)$, it recovers $m_i$ from $c = E(m_i, r_i)$ as
$$m_i = \begin{cases} 0, & \left(\frac{c}{p}\right) = 1, \\ 1, & \left(\frac{c}{p}\right) = -1, \end{cases}$$
where $\left(\frac{c}{p}\right)$ is the Legendre symbol, defined for a prime $p$ and $\gcd(c, p) = 1$ as
$$\left(\frac{c}{p}\right) = \begin{cases} 1, & c \text{ is a quadratic residue modulo } p, \\ -1, & c \text{ is a quadratic non-residue modulo } p, \end{cases}$$
and computed by Euler's criterion $\left(\frac{c}{p}\right) \equiv c^{(p-1)/2} \pmod p$.

Homomorphism:
The GM encryption scheme is homomorphic:
$$E(m_i, r_i) \cdot E(m_j, r_j) = t^{m_i + m_j} (r_i r_j)^2 \bmod n = E(m_i \oplus m_j, r_i r_j).$$
If $m_i = m_j = 1$, the product $t^2 (r_i r_j)^2 = (t r_i r_j)^2$ is a quadratic residue and decrypts to $0 = 1 \oplus 1$; in the other cases the exponent of $t$ is $m_i + m_j = m_i \oplus m_j$. Hence, for plaintexts $m_i \in \{0, 1\}$, $E(m_i) \cdot E(m_j) = E(m_i \oplus m_j)$, and the GM encryption scheme has XOR homomorphism.

Vector encoding method
In this subsection, we introduce a vector encoding method that encodes a natural number $k$ into a 0-1 vector $v = (v_1, v_2, \ldots, v_L)$ of length $L$, where $L$ is an agreed upper bound on the numbers to be compared and every position $i \in \{1, \ldots, L\}$ answers one comparison question about $k$. The integer protocols below use two instances of it: for determining $x > y$ or $x \le y$ we set $v_i = 1$ if $i \ge k$ and $v_i = 0$ otherwise, and for determining $x = y$ we set $v_i = 1$ if $i = k$ and $v_i = 0$ otherwise. Comparing $x$ with $y$ then reduces to selecting the $y$-th element of the vector of $x$.

Privately computing the area of a triangle
Li et al. (2010) have proposed an SMC protocol for computing the area of a triangle, as follows.
Suppose that there is a triangle $\triangle P_0P_1P_2$ with vertices $P_0(x_0, y_0)$, $P_1(x_1, y_1)$, $P_2(x_2, y_2)$. Without security requirements, its signed area is
$$S_{\triangle P_0P_1P_2} = \frac{1}{2}\begin{vmatrix} x_0 & y_0 & 1 \\ x_1 & y_1 & 1 \\ x_2 & y_2 & 1 \end{vmatrix} = \frac{1}{2}\big[(x_1 - x_0)(y_2 - y_0) - (x_2 - x_0)(y_1 - y_0)\big], \quad (4)$$
where the sign of $S_{\triangle P_0P_1P_2}$ is positive if and only if $P_0 \to P_1 \to P_2 \to P_0$ is a counterclockwise cycle, negative if and only if it is a clockwise cycle, and zero if and only if the three points are collinear.
Formula (4) can be rearranged by collecting the terms that depend on $P_0$:
$$2S_{\triangle P_0P_1P_2} = x_0(y_1 - y_2) + y_0(x_2 - x_1) + (x_1 y_2 - x_2 y_1). \quad (6)$$
By Formula (6), $2S$ is linear in Alice's coordinates $(x_0, y_0)$ with coefficients that depend only on Bob's points, so the sign of $S_{\triangle P_0P_1P_2}$ can be computed privately: Bob scales the three coefficients by a positive random number, which preserves the sign.
Protocol 1 Privately computing the sign of $S_{\triangle P_0P_1P_2}$.
Input: Alice holds $P_0(x_0, y_0)$; Bob holds $P_1(x_1, y_1)$ and $P_2(x_2, y_2)$.
1. Bob selects a positive random number $r$, computes
$$a = r(y_1 - y_2), \quad b = r(x_2 - x_1), \quad c = r(x_1 y_2 - x_2 y_1),$$
and sends $\{a, b, c\}$ to Alice.
2. Alice computes
$$\lambda = a x_0 + b y_0 + c = 2r\, S_{\triangle P_0P_1P_2}.$$
3. Alice tells Bob the sign of $\lambda$, which equals $\mathrm{Sign}(S_{\triangle P_0P_1P_2})$ because $r > 0$.

Correctness and security:
1. In the protocol, Alice knows $a = r(y_1 - y_2)$ and $b = r(x_2 - x_1)$. If $r$, $(y_1 - y_2)$ and $(x_2 - x_1)$ are integers and $\gcd(x_2 - x_1, y_1 - y_2) = 1$, Alice can recover $r$ as $r = \gcd(a, b)$. To avoid this, $r$ should be chosen of the form $l \cdot 2^i 5^j$ with $i, j, l \in \mathbb{Z}$, i.e. a non-integer terminating decimal such as 5.425, 17.8125 or their multiples (Li et al. 2010).
2. From $\{a, b, c\}$ Alice can compute the slope $k = (y_2 - y_1)/(x_2 - x_1) = -a/b$ of the line $L_{P_1P_2}$; more precisely, the ratio $a : b : c$ fixes the line $ax + by + c = 0$ through $P_1$ and $P_2$ (by Formula (6), $\lambda = 0$ exactly when $P_0$ lies on it). She cannot, however, obtain $x_1, x_2, y_1, y_2$ themselves, because she has three equations in the five unknowns $r, x_1, y_1, x_2, y_2$ and the positions of $P_1$ and $P_2$ on the line remain undetermined. In this sense the protocol is secure for Bob.
3. From the result, Bob obtains only $\mathrm{Sign}(S_{\triangle P_0P_1P_2})$ and cannot compute $x_0$ and $y_0$. So the protocol is secure for Alice.
Theorem 1 Protocol 1 is private.
Proof The conclusion is proved by constructing two simulators $S_1$ and $S_2$ such that Formulas (1) and (2) hold. Alice's view is $\{P_0, a, b, c, \mathrm{Sign}(\lambda)\}$. Given $P_0$ and the output $f_1 = \mathrm{Sign}(S_{\triangle P_0P_1P_2})$, $S_1$ chooses two random points $P_1', P_2'$ and a positive random number $r'$ such that $\mathrm{Sign}(S_{\triangle P_0P_1'P_2'}) = f_1$, computes $a', b', c'$ as in step 1 and $\lambda'$ as in step 2, and outputs
$$S_1(P_0, f_1(P_0, (P_1, P_2))) = \{P_0, a', b', c', \mathrm{Sign}(\lambda')\}.$$
Since $\mathrm{Sign}(\lambda') = \mathrm{Sign}(\lambda)$ and, by point 2 above, $(a, b, c)$ do not determine $P_1$ and $P_2$, the two views are indistinguishable and Formula (1) holds. Bob's view is $\{P_1, P_2, \mathrm{Sign}(\lambda)\}$. Given $(P_1, P_2)$ and $f_2 = \mathrm{Sign}(S_{\triangle P_0P_1P_2})$, $S_2$ chooses a random point $P_0'$ with $\mathrm{Sign}(S_{\triangle P_0'P_1P_2}) = f_2$, runs step 1, and outputs
$$S_2((P_1, P_2), f_2(P_0, (P_1, P_2))) = \{P_1, P_2, a, b, c, \mathrm{Sign}(S_{\triangle P_0'P_1P_2})\},$$
which is distributed identically to Bob's view, so Formula (2) holds. This completes the proof.

New protocols to privately solve a comparison problem
In this work, we propose new protocols to solve the private comparison problem for integers and rational numbers. For the integer comparison problem, we use a 0-1-vector encoding method and the GM encryption scheme. For the rational number comparison problem, we use the method for computing the area of a triangle to determine the relation between $x$ and $y$ privately in one execution. We analyze the correctness and security of our protocols and prove their privacy-preserving property using the simulation paradigm.

Privately solving a comparison problem for integers
Alice and Bob hold their own numbers $x$ and $y$, and they do not want to disclose them when executing the protocol. Alice uses the 0-1-vector encoding method to map $x$ into a vector $X$ and encrypts $X$ with the GM encryption scheme. Bob selects one element from the ciphertexts of the vector $X$ and re-randomizes it using the homomorphism of the GM encryption scheme. Alice decrypts the returned ciphertext and learns $x > y$, $x < y$, or $x = y$. We first present Protocol 2 to determine the relation $P(x, y)$: $x > y$ or $x \le y$. If we need to further determine $x < y$ or $x = y$, we use Protocol 3.
Protocol 2 Secure computation of determining $P(x, y)$: $x > y$ or $x \le y$.
Input: Alice holds $x$, and Bob holds $y$, with $1 \le x, y \le L$.
Output: $P(x, y)$.
1. According to the GM encryption scheme, Alice generates the public key $\{n, t\}$ and the private key $\{p, q\}$, and selects random numbers $\{r_1, r_2, \ldots, r_L\} \subset \mathbb{Z}_n^*$.
2. Using the 0-1-vector encoding method, Alice encodes $x$ into the vector
$$X = (m_1, m_2, \ldots, m_L), \quad m_i = \begin{cases} 0, & i < x, \\ 1, & i \ge x. \end{cases}$$
3. Alice encrypts the vector $X$ using the GM encryption scheme:
$$E(X) = (E(m_1, r_1), E(m_2, r_2), \ldots, E(m_L, r_L)), \quad E(m_i, r_i) = t^{m_i} r_i^2 \bmod n.$$
4. Alice sends $E(X)$, together with the public key $\{n, t\}$, to Bob.
5. According to his plaintext $y$, Bob selects the $y$-th element $E(m_y, r_y)$ of $E(X)$. Using the XOR homomorphism of the GM encryption scheme, Bob selects a random number $r_b \in \mathbb{Z}_n^*$ and computes
$$E_y = E(m_y, r_y) \cdot E(0, r_b) = E(m_y, r_y) \cdot r_b^2 \bmod n = E(m_y \oplus 0, r_y r_b).$$
6. Bob sends $E_y$ to Alice.
7. Alice decrypts $E_y$ with the private key: if $D(E_y) = 0$ then $x > y$, otherwise $x \le y$.
8. Alice tells Bob the result $P(x, y)$.
If the result is $x \le y$, we use Protocol 3 to determine $x < y$ or $x = y$.
Protocol 3 Secure computation of determining $x = y$ or $x \ne y$.
Input: Alice holds $x$, and Bob holds $y$, with $1 \le x, y \le L$.
Output: $x = y$ or $x \ne y$.
1. As in step 1 of Protocol 2, Alice generates the GM keys and selects fresh random numbers $\{r_1, r_2, \ldots, r_L\}$.
2. This step differs from step 2 of Protocol 2. Alice encodes the plaintext $x$ into the vector
$$X = (m_1, m_2, \ldots, m_L), \quad m_i = \begin{cases} 1, & i = x, \\ 0, & i \ne x. \end{cases}$$
3. Alice encrypts the vector $X$ as $E(X) = (E(m_1, r_1), E(m_2, r_2), \ldots, E(m_L, r_L))$.
4. Alice sends $E(X)$ to Bob.
5. According to his plaintext $y$, Bob selects the $y$-th element $E(m_y, r_y)$ of $E(X)$. Using the XOR homomorphism of the GM encryption scheme, Bob selects a random number $r_b \in \mathbb{Z}_n^*$ and computes $E_y = E(m_y, r_y) \cdot r_b^2 \bmod n$.
6. Bob sends $E_y$ to Alice.
7. Alice decrypts $E_y$: if $D(E_y) = 1$ then $x = y$, otherwise $x \ne y$ (and, given the result $x \le y$ of Protocol 2, $x < y$).
8. Alice tells Bob whether $x = y$ or not.

Correctness and security:
1. In Protocols 2 and 3, step 5 is based on the XOR homomorphism of the GM encryption scheme: $E(m_y, r_y) \cdot E(0, r_b) = E(m_y, r_y) \cdot r_b^2 \bmod n = E(m_y \oplus 0)$. If $m_y = 0$, then $E(m_y, r_y) = r_y^2 \bmod n$ and $D(E(m_y, r_y) \cdot r_b^2 \bmod n) = 0$, so $x > y$ in Protocol 2 or $x \ne y$ in Protocol 3. If $m_y = 1$, then $E(m_y, r_y) = t r_y^2 \bmod n$ and $D(E(m_y, r_y) \cdot r_b^2 \bmod n) = 1$, so $x \le y$ in Protocol 2 or $x = y$ in Protocol 3.
2. Because the GM encryption scheme is probabilistic, the same plaintext $m_i$ is encrypted to different ciphertexts $E(m_i, r_i)$, so Bob cannot tell from $E(X)$ which positions carry 0 and which carry 1 (this is the semantic security of the GM scheme under the quadratic residuosity assumption).
3. Alice's random numbers $r_i$ and Bob's random number $r_b$ are private: Bob cannot recompute $E(m_i, r_i)$, and Alice cannot compute $E(0, r_b)$.
4. Bob re-randomizes the selected ciphertext $E(m_y, r_y)$ with $r_b$, so $E_y$ is distributed like a fresh encryption of $m_y$ and Alice does not learn which element Bob selected.
5. The primes $p$ and $q$ are private, so Bob cannot decrypt $E(X)$.
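The following Python program is an example added to this page (it is not the paper's code) that runs Protocols 2 and 3 end to end on a toy GM key: the Jacobi and Legendre symbols, key generation, the bit encryption $E(m, r) = t^m r^2 \bmod n$ and its decryption, the two 0-1-vector encodings, Bob's re-randomised selection in step 5, and Alice's decoding in step 7. The demo primes 10007 and 10009, the seeded random generator and the bound $L = 16$ are assumptions chosen so that it runs instantly and reproducibly; they provide no security.

```python
"""Added example: Goldwasser-Micali bit encryption, 0-1-vector encoding and
Protocols 2/3.  Illustrative code for this page, not the paper's own code.
Assumption: 10007 and 10009 are small demo primes (not secure); a real key
would use k-bit primes with k >= 1024."""
import math
import random

P, Q = 10007, 10009   # demo primes (assumption, see above)


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (standard algorithm)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def legendre(c, p):
    """Legendre symbol (c/p) by Euler's criterion: +1 residue, -1 non-residue."""
    return 1 if pow(c, (p - 1) // 2, p) == 1 else -1


def keygen(p=P, q=Q):
    """GM key generation: n = pq and a non-residue t with Jacobi symbol +1."""
    n = p * q
    t = 2
    while not (jacobi(t, n) == 1 and legendre(t, p) == -1):
        t += 1
    return (n, t), (p, q)


def encrypt(pk, bit, rng):
    """E(m, r) = t^m * r^2 mod n with a fresh random r in Z_n^*."""
    n, t = pk
    while True:
        r = rng.randrange(2, n)
        if math.gcd(r, n) == 1:
            break
    return (pow(t, bit, n) * r * r) % n


def decrypt(sk, c):
    """m = 0 iff c is a quadratic residue mod p (Legendre symbol +1)."""
    p, _ = sk
    return 0 if legendre(c, p) == 1 else 1


def encode_le(x, L):
    """Protocol 2 vector: m_i = 1 iff x <= i, for i = 1..L."""
    return [1 if x <= i else 0 for i in range(1, L + 1)]


def encode_eq(x, L):
    """Protocol 3 vector: m_i = 1 iff i == x, for i = 1..L."""
    return [1 if i == x else 0 for i in range(1, L + 1)]


def bob_select(pk, enc_vector, y, rng):
    """Step 5: take the y-th ciphertext and re-randomise it by multiplying E(0, r_b)."""
    n, _ = pk
    return (enc_vector[y - 1] * encrypt(pk, 0, rng)) % n


def run_round(encode, x, y, L, rng):
    """One exchange: Alice encodes and encrypts x, Bob selects, Alice decrypts."""
    pk, sk = keygen()
    enc_vector = [encrypt(pk, m, rng) for m in encode(x, L)]   # steps 2-4
    e_y = bob_select(pk, enc_vector, y, rng)                    # steps 5-6
    return decrypt(sk, e_y)                                     # step 7


def compare(x, y, L=16, seed=2024):
    """Return '>', '<' or '=' for 1 <= x, y <= L: Protocol 2, then Protocol 3 if needed."""
    rng = random.Random(seed)
    if run_round(encode_le, x, y, L, rng) == 0:   # m_y = 0  =>  x > y
        return '>'
    if run_round(encode_eq, x, y, L, rng) == 1:   # m_y = 1  =>  x == y
        return '='
    return '<'


def homomorphic_xor(m1, m2, seed=1):
    """Check of the XOR homomorphism: D(E(m1) * E(m2)) == m1 XOR m2."""
    rng = random.Random(seed)
    pk, sk = keygen()
    n, _ = pk
    return decrypt(sk, (encrypt(pk, m1, rng) * encrypt(pk, m2, rng)) % n)


if __name__ == "__main__":
    for x, y in [(7, 3), (3, 7), (5, 5)]:
        print(x, compare(x, y), y)
```

`compare(x, y)` returns the relation after at most two exchanges, and `homomorphic_xor` exercises the property that step 5 relies on. Note that the encrypted vector has one ciphertext per possible value of $y$, so the work of both parties grows with the range $L$ and not with the bit length of $x$.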
Theorem 2 Protocol 2 is private.
Proof We construct $S_1$ and $S_2$ such that Formulas (1) and (2) hold. $S_1$ works as follows:
1. The inputs are $\{x, P(x, y)\}$. $S_1$ randomly selects a number $y'$ such that $P(x, y') = P(x, y)$, and uses $(x, y')$ to simulate the execution: it constructs the vector $X = (m_1, m_2, \ldots, m_L)$ from $x$.
2. By the GM encryption scheme, $S_1$ encrypts $X$ with random numbers $r_i$: $E(X) = (E(m_1, r_1), E(m_2, r_2), \ldots, E(m_L, r_L))$.
3. $S_1$ selects a random $r'$ and computes $E'_y = E(m_{y'}, r_{y'}) \cdot r'^2 \bmod n$.
4. $S_1$ outputs $S_1(x, P(x, y)) = \{x, E(X), E'_y, P(x, y)\}$.
Alice's real view is $\mathrm{view}^\pi_1(x, y) = \{x, E(X), E_y, P(x, y)\}$. Because $P(x, y') = P(x, y)$ we have $m_{y'} = m_y$, and both $E_y$ and $E'_y$ are GM encryptions of this bit under fresh uniform randomness, so the two views are identically distributed and Formula (1) holds. Using the same method we construct $S_2$: on input $\{y, P(x, y)\}$ it selects $x'$ with $P(x', y) = P(x, y)$, generates a GM key pair, encodes and encrypts $x'$ to obtain $E(X')$, and outputs $\{y, E(X'), P(x, y)\}$. By the semantic security of the GM scheme, $E(X') \stackrel{c}{\equiv} E(X)$, so Formula (2) holds. This completes the proof.

Theorem 3 Protocol 3 is private.
The proving process is similar to Theorem 2, so we omit the proof.

Privately solving a comparison problem for rational numbers
In practice, most of the numbers that need to be compared are rational numbers. The above protocols cannot compare rational numbers, so we propose a solution for them.
Following the "Privately computing the area of a triangle" section, we use the two rational numbers $m$ and $n$ to construct the vertices of a triangle and privately compute the sign of its area $S$; this sign tells whether $P_0$ lies above $P_1$ or not, and hence whether $m > n$, $m = n$, or $m < n$, in one execution, as shown in Fig. 1.
Protocol 4 Privately comparing rational numbers: $m = n$, $m < n$, or $m > n$.
Input: Alice holds $m$, and Bob holds $n$.
Output: the relation between $m$ and $n$.
1. Alice and Bob agree on a rational number $x_0$ as the common abscissa and construct the two vertices $P_0(x_0, m)$ (held by Alice) and $P_1(x_0, n)$ (held by Bob).
2. Bob selects a rational number $x_2$ satisfying $x_2 < x_0$ and a random rational number $y_2$, and constructs the vertex $P_2(x_2, y_2)$.
3. Alice holds the point $P_0(x_0, m)$, Bob holds the two points $P_1(x_0, n)$ and $P_2(x_2, y_2)$, and $P_0, P_1, P_2$ form a triangle $\triangle P_0P_1P_2$ (Fig. 1). They invoke Protocol 1 to obtain the sign of the area $S_{\triangle P_0P_1P_2}$, i.e. steps 4 to 7.
4. Bob selects a positive random number $r$, computes
$$a = r(n - y_2), \quad b = r(x_2 - x_0), \quad c = r(x_0 y_2 - x_2 n),$$
and sends $\{a, b, c\}$ to Alice.
5. Alice computes $\lambda = a x_0 + b m + c$.
6. Alice tells Bob the sign of $\lambda$, that is, $\mathrm{Sign}(S_{\triangle P_0P_1P_2})$.
7. Substituting $a, b, c$ gives $\lambda = r(x_0 - x_2)(n - m)$ with $r(x_0 - x_2) > 0$, so Bob decides: $\lambda > 0$ means $m < n$ ($P_0$ lies below $P_1$), $\lambda = 0$ means $m = n$, and $\lambda < 0$ means $m > n$.
8. Bob tells Alice the result.
Correctness and security:
1. In the protocol, Alice knows $a = r(n - y_2)$ and $b = r(x_2 - x_0)$. If $r$, $(n - y_2)$ and $(x_2 - x_0)$ are integers and $\gcd(x_2 - x_0, n - y_2) = 1$, Alice can compute $r = \gcd(a, b)$. In Protocol 4, however, $x_0, x_2, y_2, n, a, b$ are rational numbers, so Alice cannot compute $r$ in this way.
2. From $\{a, b, c\}$ Alice has three equations in the four unknowns $\{n, r, x_2, y_2\}$, so she cannot solve for all of them. Note, however, that $(a, b, c)$ fix the line $ax + by + c = 0$ through $P_1$ and $P_2$, and Alice knows the abscissa $x_0$ of $P_1$; evaluating the line at $x_0$ gives $n = -(a x_0 + c)/b$. This follows directly from the expression for $\lambda$ in step 7 and must be taken into account before relying on the protocol to hide Bob's number $n$.
3. In step 6, Alice computes only $\lambda$ and learns the sign of $S_{\triangle P_0P_1P_2}$, i.e. whether $P_0 \to P_1 \to P_2$ is clockwise or counterclockwise. This tells her $m > n$ or $m < n$ only together with the side of $P_0$ on which $P_2$ lies (Fig. 2): if she did not know whether $x_2 < x_0$, a negative sign alone would not tell her whether $m > n$ or $m < n$. As step 2 is written, $x_2 < x_0$ is fixed, so Alice can already read the relation off $\mathrm{Sign}(\lambda)$ before step 8; this reveals nothing beyond the protocol's output, but the hiding argument applies only if Bob also chooses the side of $x_2$ at random and keeps it secret.
4. From the result, Bob obtains only $\mathrm{Sign}(S_{\triangle P_0P_1P_2})$ and cannot compute $m$. So the protocol is secure for Alice.
5. The protocol uses no public-key encryption scheme, so its security does not rest on any computational assumption (it is information-theoretic).
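The following Python program is an example added to this page (not the paper's code) of Protocol 1 and Protocol 4 in exact rational arithmetic: Bob's coefficients $(a, b, c)$, Alice's $\lambda$, Bob's decoding of the sign into $<$, $=$, $>$, and two checks from the correctness and security discussion above, the gcd recovery of an integer $r$ and what Alice's view $(a, b, c)$ fixes about the line through $P_1$ and $P_2$. The function names and the sample coordinates are constructed for this demo.

```python
"""Added example: Protocol 1 (sign of a triangle area) and Protocol 4 (rational
comparison) in exact rational arithmetic.  Illustrative code for this page, not
the paper's own; coordinates and random values below are constructed."""
from fractions import Fraction
from math import gcd


def sign(v):
    """-1, 0 or +1."""
    return (v > 0) - (v < 0)


def area2(P0, P1, P2):
    """Twice the signed area (Formula (4)): > 0 iff P0 -> P1 -> P2 is counterclockwise."""
    (x0, y0), (x1, y1), (x2, y2) = P0, P1, P2
    return (x1 - x0) * (y2 - y0) - (x2 - x0) * (y1 - y0)


def bob_coefficients(P1, P2, r):
    """Protocol 1, step 1: a = r(y1 - y2), b = r(x2 - x1), c = r(x1 y2 - x2 y1), r > 0."""
    assert r > 0
    (x1, y1), (x2, y2) = P1, P2
    return r * (y1 - y2), r * (x2 - x1), r * (x1 * y2 - x2 * y1)


def alice_lambda(P0, a, b, c):
    """Protocol 1, step 2: lambda = a x0 + b y0 + c, which equals 2 r S (Formula (6))."""
    x0, y0 = P0
    return a * x0 + b * y0 + c


def protocol1_sign(P0, P1, P2, r):
    """Protocol 1 end to end; returns Sign(S), identical to sign(area2(P0, P1, P2))."""
    return sign(alice_lambda(P0, *bob_coefficients(P1, P2, r)))


def protocol4(m, n, x0, x2, y2, r):
    """Protocol 4: Alice holds m, Bob holds n.  x0 is the agreed abscissa and
    (x2, y2) is Bob's extra vertex with x2 < x0.  Returns '<', '=' or '>' (m ? n)."""
    assert x2 < x0
    P0, P1, P2 = (x0, m), (x0, n), (x2, y2)
    a, b, c = bob_coefficients(P1, P2, r)       # Bob -> Alice: {a, b, c}
    s = sign(alice_lambda(P0, a, b, c))         # Alice -> Bob: Sign(lambda)
    # Bob decodes: lambda = r (x0 - x2)(n - m) and r (x0 - x2) > 0, so Sign = Sign(n - m).
    return {1: '<', 0: '=', -1: '>'}[s]


def recover_r_by_gcd(a, b):
    """Point 1 of the security discussion: an integer r with coprime coordinate
    differences is read off by Alice as gcd(a, b)."""
    return gcd(abs(a), abs(b))


def line_through_bobs_points(a, b, c):
    """Alice's view (a, b, c) fixes the line a x + b y + c = 0 through P1 and P2;
    returns (slope, intercept) = (-a/b, -c/b)."""
    return Fraction(-a) / Fraction(b), Fraction(-c) / Fraction(b)


def bob_input_from_alice_view(x0, a, b, c):
    """Added check (point 2 for Protocol 4): P1 = (x0, n) lies on that line and
    Alice knows x0, so evaluating the line at x0 returns n = -(a x0 + c) / b."""
    return -(a * x0 + c) / b


def demo():
    """Protocol 4 on constructed inputs: Bob's n = 1/2, x0 = 1, P2 = (-2, 5/3),
    r = 217/40 (a non-integer decimal, as the text recommends).  Returns the three
    verdicts for m in {3/7, 1/2, 9/2} and the value Alice can derive for n."""
    x0, x2, y2, r = Fraction(1), Fraction(-2), Fraction(5, 3), Fraction(217, 40)
    n = Fraction(1, 2)
    verdicts = tuple(protocol4(m, n, x0, x2, y2, r)
                     for m in (Fraction(3, 7), Fraction(1, 2), Fraction(9, 2)))
    a, b, c = bob_coefficients((x0, n), (x2, y2), r)
    derived_n = bob_input_from_alice_view(x0, a, b, c)
    return verdicts, derived_n


if __name__ == "__main__":
    print(demo())
```

`protocol4` asserts the constraint $x_2 < x_0$ of step 2, which is what lets Bob map the sign to the relation in step 7; `demo` also shows that, with $x_0$ known to both parties, the message $\{a, b, c\}$ evaluates to Bob's $n$ at $x = x_0$, which is the caveat raised in point 2 above.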

Theorem 4 Protocol 4 is private.
Proof The conclusion is proved by showing two simulators $S_1$ and $S_2$ such that Formulas (1) and (2) hold. Given $P_0$ and the output $f_1 = \mathrm{Sign}(S_{\triangle P_0P_1P_2})$, $S_1$ chooses random points $P_1'(x_0, n')$ and $P_2'(x_2', y_2')$ with $x_2' < x_0$ and a positive random number $r'$ such that $\mathrm{Sign}(S_{\triangle P_0P_1'P_2'}) = f_1$, computes $a', b', c'$ and $\lambda'$ as in steps 4 and 5, and outputs
$$S_1(P_0, f_1(P_0, (P_1, P_2))) = \{P_0, a', b', c', \mathrm{Sign}(\lambda')\}.$$
Given $(P_1, P_2)$ and $f_2 = \mathrm{Sign}(S_{\triangle P_0P_1P_2})$, $S_2$ chooses a random point $P_0'(x_0, m')$ with $\mathrm{Sign}(S_{\triangle P_0'P_1P_2}) = f_2$, computes $a, b, c$ as in step 4, and outputs
$$S_2((P_1, P_2), f_2(P_0, (P_1, P_2))) = \{P_1, P_2, a, b, c, \mathrm{Sign}(S_{\triangle P_0'P_1P_2})\}.$$
It follows that the output of $S_2$ is distributed identically to Bob's view, so Formula (2) holds. For Formula (1), the output of $S_1$ is indistinguishable from Alice's view only insofar as $(a, b, c)$ do not determine Bob's input; see point 2 of the correctness and security discussion above, where it is shown that $n$ can be derived from $(a, b, c)$ and $x_0$. This completes the proof.

Complexity analysis
In this section, we compare the computational and communication complexity of our protocols with previous solutions for secure computation of the comparison problem.

Communication complexity
A protocol's communication cost is usually measured in rounds. Yao's protocol (Yao 1982) solves the GT problem in two rounds, but cannot determine whether $x = y$ or $x \ne y$. Cachin (1999) proposes a GT protocol depending on a trusted third party, with a communication cost of three rounds. Fischlin (2001) uses the GM encryption scheme to decide $x < y$ or $x \ge y$ with two rounds of communication. Ioannidis and Grama (2003) use a 1-out-of-2 OT ($\mathrm{OT}^2_1$) scheme to solve the GT problem, and their communication cost is $d$ rounds, where $d$ is the length of the private inputs. Blake and Kolesnikov (2004) use the Paillier encryption scheme to decide $x > y$, $x < y$ or $x = y$ in two rounds. Lin's protocol (Lin and Tzeng 2005) needs two rounds of communication based on the ElGamal encryption scheme. Grigoriev and Shpilrain (2014) propose a solution to Yao's Millionaires' Problem based on a public-key encryption scheme with a communication cost of two rounds. Maitra et al. (2015) propose a unified approach to the Millionaires' Problem with rational players, and their solution needs two rounds of communication.
In our Protocol 2, we need one round to determine $x > y$ or $x \le y$. If we must further determine $x < y$ or $x = y$, Protocol 3 needs one more round. Therefore, for the integer comparison problem, we need at most two rounds of communication.
In our Protocol 4, we determine $x < y$, $x > y$ or $x = y$ in one execution, so the communication cost is one round.

Computational complexity
We use the number of modular multiplications to measure the computation cost of a protocol. The computation cost of Yao's protocol (Yao 1982) is exponential, so it is impractical for long inputs. Fischlin (2001) uses the GM encryption scheme to compare integers with $(\lambda d\log N + 6\lambda d + 3d)$ modular multiplications ($d$ is the length of the inputs, $\lambda$ is set to 40-50). Blake and Kolesnikov (2004) use the Paillier encryption scheme to solve the GT problem with a computation cost of $4d\log N$ modular multiplications. Lin and Tzeng (2005) use $(5d\log p + 4d - 6)$ modular multiplications ($p$ is the modulus of the ElGamal encryption scheme) to determine $x > y$ or $x \le y$. Grigoriev and Shpilrain (2014) use a public-key encryption scheme to solve the Millionaires' Problem with a computation cost of $(6\log p + 3d)$ modular multiplications. Maitra et al. (2015) solve the Millionaires' Problem with $(2d\log p)$ modular multiplications.
In Protocols 2 and 3, we use the GM encryption scheme to encrypt the 0-1 encoding vector. One GM encryption costs three modular multiplications, so encrypting the vector needs $3L$ modular multiplications ($L$ is the length of the 0-1 encoding vector), and re-randomizing and decrypting $E_y$ needs two modular multiplications. Therefore, the computation cost of Protocols 2 and 3 together is at most $2 \times (3L + 2) = (6L + 4)$ modular multiplications. Note that $L$ is the size of the input domain rather than the bit length $d$ of the inputs: Bob selects the $y$-th element of $E(X)$, so $y \le L$, and for $d$-bit inputs $L = 2^d$. The cost $(6L + 4)$ is therefore linear in the range of the inputs, and the comparison with the $d$-dependent costs above is favourable only when that range is small.
In Protocol 4, we do not use any public-key encryption scheme, and the protocol needs only five additions and eight multiplications. Such simple operations are negligible compared with public-key encryption or decryption operations, so in this sense our new solution is much more efficient than the existing ones.
We compare our protocols with previous solutions in Table 1, which shows the following advantages: 1. Our protocols can determine whether $x > y$, $x < y$ or $x = y$ in one execution; 2. Our protocols can compare rational numbers in addition to integers; 3. Our protocols are more efficient than most previous solutions in computational complexity.

Conclusion
Solving a comparison problem privately is fundamental to SMC protocols, so the comparison problem needs to be computed more efficiently. In this paper, we propose protocols to compare integers and rational numbers privately. In Protocols 2 and 3, we construct a 0-1-vector encoding method to encode an integer into a vector and use the GM encryption scheme to complete the comparison. In Protocol 4, we privately compare rational numbers by computing the sign of the area of a triangle. In comparison with previous solutions, our protocols are more efficient and easier to implement. The comparison problem is a building block of SMC problems: solving it efficiently leads to efficient solutions of sorting and voting problems. In future work we will address geometric intersection problems and other SMC problems.

Table 1 Performance comparison (entries as stated in the "Complexity analysis" section)

Scheme                          Rounds   Computation cost (modular multiplications)
Yao (1982)                      2        exponential
Cachin (1999)                   3        requires a trusted third party
Fischlin (2001)                 2        $\lambda d\log N + 6\lambda d + 3d$
Ioannidis and Grama (2003)      d        OT-based (cost not given)
Blake and Kolesnikov (2004)     2        $4d\log N$
Lin and Tzeng (2005)            2        $5d\log p + 4d - 6$
Grigoriev and Shpilrain (2014)  2        $6\log p + 3d$
Maitra et al. (2015)            2        $2d\log p$
Protocols 2 and 3 (this work)   at most 2   $6L + 4$
Protocol 4 (this work)          1        5 additions and 8 multiplications, no public-key operations

$d$ is the length of the inputs, $\lambda$ is set to 40-50 in Fischlin's method (Fischlin 2001), $p$ is the modulus of the ElGamal encryption scheme (ElGamal 1984), $N$ is the modulus, and $L$ is the length of the 0-1 encoding vector in our work.