A Round and Communication Efficient Secure Ranking Protocol

Transcription

1 A Round and Communication Efficient Secure Ranking Protocol Shaoquan Jiang 1,2 and Guang Gong 2 1 Department of Computer Science, University of Electronic Science and Technology, Chengdu, CHINA. 2 Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, ON, N2L 3G1, CANADA {jiangshq, ggong}@calliope.uwaterloo.ca Abstract. In this work, we initiate the study of realizing a ranking functionality (m 1,, m n ) (r 1,, r n ) in the non-adaptive malicious model, where r i = 1 + {m j : m j < m i}. Generically, it has been solved by a general multi-party computation technique (via a circuit formulation). However, such a solution is inefficient in either round complexity or communication complexity. In this work, we propose an efficient construction without a circuit. Our protocol is constant round and efficient in communication complexity as well. Furthermore, we show it is directly secure in the non-adaptive malicious model (i.e., without a compiler, as is used in many general constructions). 1 Introduction A general multi-party computation paradigm was initially studied by Yao [15]. In this paradigm, any cryptographic functionality can be solved as a special case. Such a functionality can be first formulated into some circuit. Then, a semi-honestly secure protocol for this circuit is constructed. In the semi-honest model, all the parties (including corrupted parties) strictly follow the protocol specification. This, of course, does not suffice for real applications. To obtain a realistically secure protocol, a compiler is proposed which, given a semi-honestly secure protocol, outputs a maliciously secure protocol. This approach is generally very powerful, as one need not take care of the problem s specific features (except the circuit itself). However, since a generic solution does not exploit the problem s special properties, it is not efficient in general. Therefore, it is very interesting and valuable to solve the specific problem without the generic approach. With this motivation in mind, we study a multi-party millionaire problem below. There are n parties, P 1,, P n. Each P i has m i dollars for 1 m i N. The problem is how to admit P i to get the rank of m i but nothing beyond this. Formally, we are interested in

2 realizing the ranking functionality (m 1,, m n ) (r 1,, r n ), where r i = 1 + {m j : m j < m i }, i = 1,, n. 1.1 Related Work Since Yao [15], many authors [6, 9, 8, 5, 12] worked in the circuit paradigm. However, prior to the work by Cramer et al. [3] and by Jakobsson et al. [13], none of them have achieved both the non-adaptive malicious security and the communication complexity O(kn C ), where communication complexity is the total number of bits sent by all parties, C is the circuit size, n is the number of parties, and k is the security parameter. Applying to a ranking functionality, one can achieve communication complexity Õ(kn3 ). However, [3] has a round complexity O(d) and [13] has a round complexity O(d + n), where d is the depth of circuit size and in case of ranking functionality d = Ω(log n) 1. All these results are evaluated in the broadcast channel. The currently most communication efficient and maliciously secure multi-party computation protocol is due to Hirt and Maurer [11], whose communication complexity is O((mn 2 + n I n 4 + n o n + n 4 )k) (in the pairwise channel), where m is the number of multiplication gates in the circuit, n I and n o are the number of inputs and outputs respectively. Applying to the ranking functionality, it implies a solution of communication complexity O(kn 5 ). However, their protocol has a very high round complexity O(n 2 ). Note a broadcast channel with communication complexity O(n 2 ) and round complexity O(n) can be constructed [10]. Therefore, no maliciously secure protocol for the ranking problem has previously achieved a result equivalent to a constant round with communication complexity O(kn 3 ) in the broadcast channel. 1.2 Contribution In this work, we construct an efficient n-party ranking protocol. Our protocol has a constant round complexity. Assume k is the security parameter and each party P i has an input m i {1,, N}. Then our protocol has a communication complexity O(kn 2 (n + N)). Therefore, if N = O(n) which is the typical case, the communication complexity is O(kn 3 ). Thus, our protocol is efficient in both communication complexity and round complexity. In addition, we prove that our construction is secure in the non-adaptive malicious model. 1 This easily follows from two facts: (1) the circuit is acyclic and each node has at most two inputs; (2) the circuit size for ranking is trivially lower bounded by Ω(n).

3 This work is organized as follows. Section 2 introduces the security model. Section 3 introduces a building block: a zero sharing protocol. Section 4 introduces our ranking protocol containing some sub ideal functionalities and its security analysis. Section 5 considers how to realize the sub ideal functionalities and obtain a full functional ranking protocol. 2 Security Model In this section, we introduce the security model for non-adaptive malicious adversary. In this model, we first have an ideal process in the non-adaptive malicious model, where the computation is achieved via a trusted third party. Then, we turn to the maliciously real process, which is a model for the execution of the real protocol. Finally, a protocol is said to be secure if the real process and ideal process essentially have an identical performance. Ideal Process. We consider the ideal process w.r.t. a non-adaptive malicious adversary S. Let f be an ideal functionality and F be a trusted third party. Let P 1,, P n be n parties involved in the execution. S has an arbitrary auxiliary input z and P i has an input x i D. Before the protocol starts, S can select a set of parties Φ {P 1,, P n } for corruption. As a result, all the inputs of these parties are provided to S. In addition, their future actions are fully taken by S. After the protocol starts, the execution is described as follows. Upon input x i, an uncorrupted P i forwards it to F. Upon receiving an output from F, P i outputs it directly. S can change the input x i of a corrupted party P i to x i D { }, and sends x i to F. Upon receiving x 1, x 2,, x n from all parties (x i = x i for an uncorrupted P i ), F may ask S for a message. Then, he follows f to compute output (o 1, o 2,, o n ) from (x 1,, x n) and the response from S (if any). By default, if some x i =, then o 1 = = o n =. Finally, F asks S to deliver o i to P i. S can deliver o i or for an uncorrupted P i. In any case, the secret part of o i will be kept invisible from S. Finally, S can output whatever he wishes. Let r 0 and r S be the random input of F and S, respectively. The joint execution in the ideal process, denoted by IDEAL F,S(z) (x; r 0, r S ), is a concatenation of the outputs for uncorrupted parties as well as the adversary S. Later we will use random variable IDEAL F,S(z) (x) to denote

4 IDEAL F,S(z) (x; r 0, r S ) with random input r 0 and r S. Real Process. Let Γ be a protocol to realize a functionality f. Let P 1,, P n be n parties involved in the execution. Let A is a PPT adversary with an auxiliary input z. Before the protocol starts, A specifies a set of parties Φ {P 1,, P n } for corruption. As in the ideal process, once a party is corrupted, his secret input is provided to A. In addition, his future action is fully taken by A. After the protocol starts, the real process is described as follows. Upon input x i, an uncorrupted P i exactly follows the protocol Γ to answer the incoming message and generates its output o i. The action for each corrupted P i is fully taken by A. In addition, we assume the channel is authenticated with a guaranteed delivery. That is, for any message M from an uncorrupted P i, A must deliver M to the specified receiver without any change. Let r A, r i, (P i Φ) are the random input for A and P i, respectively. o A, o i, (P i Φ) are the outputs for A, P i, respectively. Similar to the ideal process, we can define the joint execution, denoted by REAL Γ,A(z) (x; r A, {r i : P i Φ}), to be a concatenation of outputs for uncorrupted parties and the output of A. We use REAL Γ,A(z) (x) to denote the variable of the joint execution with uniform random input. Definition 1. Let Γ be an n-party protocol to implement a functionality f. Γ is said to be secure in a malicious but non-adaptive model if for any probabilistic polynomial-time adversary A in this model there exists an expected polynomial-time ideal adversary S such that { } { } c IDEAL f,s(z) (x) REAL Γ,A(z) (x) z,x where c means computational indistinguishability, z is auxiliary input and x = (x 1,, x n ) is the input vector for parties. 3 A Zero-Sharing Protocol In our ranking protocol (Section 4), rank r j is computed by pair-wise comparing m j with other m i and then summarizing the results. In order not to leak the comparison bit (m i < m j ), we employ a blinding technique such that all blinding values (for a fixed i) collectively constitute a random sharing of zero. The zero-sharing protocol is constructed in z,x,

5 this section, which will be introduced now. Formally, we propose a protocol for functionality F 0 : (1 κ,, 1 κ ) f 1 (x),, f n (x), where f i (x) is uniformly at random from Z q [x] of degree at most n 1 such that n i=1 f i(x) = 0. In the ideal process, the adversary is allowed to choose f i (x) for corrupted parties. Our zero-sharing protocol is presented in Table 1, where p, q are primes with p = 2q + 1, and g, h Z p have an order of q. Let R 2dl = {(g y 1 h y 2, (y 1, y 2 )) : y 1, y 2 Z q }. The protocol employs a multi-party functionality F m2dl for each party to prove the knowledge of his commitment. F m2dl is defined as follows. Definition 2. (Multi-party Functionality: F m2dl ) F m2dl does the following with parties P 1,, P n and adversary S, and is parameterized by relation R 2dl. Upon (F jt, (f jt, f jt ))n t=1 from each P j, F m2dl checks if (F jt, (f jt, f jt )) R 2dl. If it holds for all j and t, F m2dl sends message ok to P 1,, P n and S; otherwise, it does nothing. After the protocol execution, P i can compute u ij = f i (j), for each j = 1,, n. All parties can compute U ij = g u ij h u ij, where u ij = f i (j). Note the sharing scheme has a property that for each j, i u ij = 0. That is why we call it a zero-sharing protocol. In our ranking protocol (Section 4), u ij will be used to blind the bit (m i < m j ). The completeness of ranking will be guaranteed by the fact i u ij = 0. Lemma 1. Our zero-sharing protocol securely realizes F 0. Specifically, if Φ is the set of corrupted parties with Φ n 1, then f i (x) for uncorrupted P i is uniformly at random in F [x] with degree at most n 1 such that the only constraint is P i Φ f i(x) = P i Φ f i(x). In addition, {u ij } i Φ,1 j n is uniform at random in Zq n (n Φ ) with only constraint i Φ u ij = i Φ u ij, for each j = 1,, n. Proof. We now show that for any PPT real process adversary A, there exists an expected polynomial-time ideal process adversary S such that the two executions are indistinguishable. S first prepares p = 2q + 1, g, and computes h = g a, for a Z q. Then he runs A with p, g, h. In turn, he will receive a set Φ for corruption. Then he corrupts Φ in the ideal process. For simplicity, we use P i to represent a party in the internal simulation and P i the party in the external ideal process. S follows the real protocol execution to interact with A for Step one and Step two, at the end of which he will obtain f j (x) for each uncorrupted P j. In Step three, upon (F jt, (f jt, f jt )) from each corrupted P j (controlled by A), S

6 Params: p = 2q + 1, g, h; Output: f i(x) Z q[x] for each P i, i = 1,, n. 1. For each j = 1,, n, P i takes f ij(x) = n 1 t=0 fijtxt, f ij(x) = n 1 t=0 f ijtx t Z q [x] randomly such that j f ij(x) = 0 and j f ij(x) = 0. Then he computes F ijt = g f ijt h f ijt. He privately sends (f ij (x), f ij(x)) to P j, and makes F ijt public. 2. P j verifies if n l=1 F ilt = 1 and if F ijt = g f ijt h f ijt for all i, t. If the verification fails, P j broadcasts a complaint toward unsuccessful P i. P i tries to resolve it by making (f ij (x), f ij(x)) public. If the complaint still remains unresolved, by default set (f ij (x), f ij(x)) = (0, 0) for all j. P j computes f j (x) = n i=1 f ij(x), f j(x) = n i=1 f ij(x). 3. F m2dl is invoked such that P j proves (F jt, (f jt, f jt)) R 2dl for all t, where F jt = n i=1 Fijt, fj(x) := n 1 t=0 fitxt, f j(x) := n 1 t=0 f itx t. If ok is received, P i accepts and outputs (f i (x), f i(x)); otherwise, he outputs. Table 1. An Efficient Zero Sharing Protocol Zero-Sharing(n) verifies if (F jt, (f jt, f jt )) R 2dl. If yes, S sends message ok back to A 2 and in the ideal process he sends f jt for corrupted P j to F 0. When F 0 asks him to deliver the messages, he does it faithfully. On the other hand, if the verification fails, S sends for corrupted party P j to F 0 (note if no party is corrupted, ok must occur). Finally, S outputs whatever A does. The difference between this simulated execution and real execution is that the outputs for uncorrupted parties might be different. In order to be consistent with the ideal process, the output for an uncorrupted P i in the internal simulation is supposed to output f j (x), where f j (x) is the polynomial sent to P j from the ideal functionality (but invisible to S). However, in the simulated execution, the output f j (x) of P j might be different from f j (x). However, this is not a problem as given the adversary view in the simulated system, we can consistently reformulate the output of P j to f j (x). Indeed, take a fixed party P r Φ, reformulate f rj (x) to f rj (x) = f rj (x)+ f j (x) f j (x) and f rj (x) to f rj (x) = f rj (x) a 1 ( f j (x) f j (x)), for each other P j Φ. After the reformulation, adversary view does not change. However, the distribution of the reformulated simulation is exactly according to the real protocol since for each j = 1,, n f rj (x) + i r f ij(x) = f j (x) f j (x) + n i=1 f ij(x) = f j (x), f rj (x) + i r f ij (x) = f j (x) f j (x) + n i=1 f ij (x) = f j (x). 2 Note in this case we must have j f jt = j f jt = 0; otherwise, the adversary can be transformed to break Discrete Log problem as 1 = j Fjt = g j f jt h j f jt

7 Thus, our protocol realizes the functionality F 0. The second statement is immediate from the first statement. 4 Our Hybrid Ranking Protocol In this section, we introduce our cryptographic ranking protocol in the hybrid model, see Table 2. Let p, q be large primes with p = 2q + 1. Let g, h, σ, z 1 be random elements in z p of order q. These parameters are setup by a trusted third party. Before the ranking protocol, we assume that all parties have jointly run a zero sharing protocol. Consequently, each P i has the secret output f i (x), f i (x) and public output F jt for all j and t. Let U ij = n 1 t=0 F jt it (publicly computable), u ij = f i (j), u ij = f i (j) (known to P i ). Then, U ij = g u ij h u ij. As mentioned before, u ij will be used in the ranking protocol to blind the bit (m j < m i ). Our ranking protocol is divided into two phases: input commitment and rank computation. In the input commitment phase, we first encode m i {1,, N} as a N-tuple (0,, 0, 1, 1,, 1), where 1 starts at the (m i + 1)th component. Next, each P i commits to the encoded N-tuple of m i : B i1 = h x i1,, B i(mi ) = h x i(m i), B i(mi +1) = σh x i(m i +1),, B in = σh x in. Then, we ask each P j to prove the knowledge of the commitment. Let B it = B i(t+1) Bit 1, 1 t N, where B i(n+1) = σ by default. Then, it suffices to prove: B i1 is commitment of bit 0, B it is a commitment of either 0 or 1, for each t. Indeed, once this is done, the digital committed in B it is no more than that in B i(t+1). Since B i1 is a commitment of 0 and B i(n+1) is a commitment of 1, the tuple committed in {B it } N+1 t=1 must start with a sequence of 0, followed by a sequence of 1. Thus, the proof task can be formalized as an ideal functionality F mor + below, where relations R dl = {(h x, x) : x Z q } and R or = R dl {(σh x, x) : x Z q }. In the protocol, F mor + is invoked in which each P i proves (B it, x it ) R or for all t and (B i1, x i1 ) R dl. Definition 3. (Multi-party Functionality: F mor +) F mor + does the following, running P 1,, P n and S, and parameterized by relations R or and R dl. Upon receiving (B i1, x i1 ) and {(B it, x it )}N t=1 from each P i, F mor + verifies if (B it, x it ) R or and (B i1, x i1 ) R dl. It holds for all i and t, F mor + sends message ok to P 1,, P n and S; otherwise, it does nothing.

8 If F mor + does not send ok, each P i aborts; otherwise, he is ready for phase two. In the rank computation stage, each P i essentially uses an oblivious transfer to send a blinded comparison bit (m i < m j ) to P j. To do this, he does a fresh commitment to m i using {B ijt } N t=1, and then computes D ijt = (B j σ t ) x ijt z u ij 1 = h y jx ijt z u ij 1 σ (m j t)x ijt. Then P i sends {B ijt D ijt } N t=1 to P j. If P j computed this message honestly, then D ij(mj ) = h x ijty j z u ij Thus, P j can compute ξ i = B ij(mj ) D 1/y j ij(m j ) = σδ ij z u ij/y j 1, where δ ij is the bit (m i < m j ). Note i δ ij = r j 1 and i u ij = 0. We have n i=1 ξ i = σ rj 1. Finally, P j can obtain r j by trial. So what is left is for P i to prove that {B ijt D ijt } N t=1 is computed appropriately. To do this, define ) R rc = {({A t Ãt D t } N 1 U, {x t x t } N 1 u u : Ã t A 1 t = h x t x t, (A t, x t ) R or, D t = ( σ t ) x t z1 u, U = gu h u, G q, x t, x t, u, u Z q }. This relation is motivated by ( {Bit B ijt D ijt } N 1 U ij B j, {x t x ijt } N 1 u ij u ) ij Rrc, 1. which implies {B ijt D ijt } N t=1 is computed appropriately. In the protocol, an ideal functionality F mrc below is invoked for this purpose. This completes the description of our protocol. Definition 4. (Multi-party Functionality: F mrc ) F mrc does the following, running P 1,, P n and S, and parameterized by R rc, σ and z 1. Upon input ( {Bit B ijt D ijt } N 1 U ij B j, {x it x ijt } N 1 u ij u ij) from P i, F mrc checks it is consistent w.r.t. R rc. If it holds, then F mrc sends message ok(p i, P j ) to P j and S; otherwise, it ignores the verification for (P i, P j ). Now we formally prove the security of our ranking protocol. Theorem 1. Under the Decisional Diffie-Hellman (DDH) assumption, our hybrid ranking protocol is secure in the non-adaptive malicious model.

9 Params: p, g, σ, h, z 1 ; Input: m i for P i, i = 1,, n. PHASE ONE: Input Commitment. { h x it if 1 t m i, 1. Each P i takes x it Z q, computes B it = σh x. Then Pi it if m i < t N broadcasts B i1,, B in. 2. Let B it = B i(t+1) B 1 it for 1 t N, where by default B i(n+1) = σ. Let x it = x i(t+1) x it and x i(n+1) = 0. F mor + is invoked in which each P i proves (B i1, x i1) R dl and (B it, x it) R or for all t. If a message ok is not received from F mor +, P i aborts; otherwise, he is ready for Phase Two. Let B i = σ N N t=1 B 1 it = σ m i h y i, for y i = N t=1 xit. Pi keeps yi secret. PHASE TWO: Rank Computation. 1. P i prepares the outgoing message to { P j as follows. h x ijt if 1 t m i, - P i takes x ijt Z q, set B ijt = σh x ijt if m i < t N. In other words, P i commits to m i again. - P i computes D ijt = (B j σ t ) x ijt z u ij 1, sends {D ijt} N t=1 to P j. 2. ( F mrc is invoked in which ) each P i proves {B it B ijt D ijt } N t=1 U ij B j, {x it x ijt } N t=1 u ij u ij R rc to P j. 3. Receiving ok(p i, P j ) for all i, P j computes ξ i = B ij(mj ) D 1/y j ij(m j ). Finally, he derives ξ = N i=1 ξ i = σ r j 1 and obtains r j by trial. Table 2. Our Hybrid Ranking Protocol Proof. We show that for any PPT real process adversary A, there exists an expected polynomial-time ideal process adversary S such that the joint executions in the two processes are indistinguishable. S internally runs the simulated real process with A, playing the uncorrupted parties. At the same time, he is externally involved in the ideal process execution, on behalf of corrupted party P i Φ. The code of S is described as below. S first gets the input m i for each P i Φ, and provides to A as the input for P i. He prepares p, g, h, σ = h a for a Z q and runs A with it. S plays the role of uncorrupted P i to compute B it = h x it, where x it Z q, 1 t N. Note that S does not know the real input m i. Thus, he is unable to do a real commitment to m i. Then, S simulates the ideal functionality F mor +. If all the inputs from corrupted parties (controlled by A) have been successfully verified, S (simulating F mor +) sends ok to A; otherwise, he does nothing.

10 S calculates m i from the input to F mor + for corrupted P i. He then externally sends m i for P i to F 0. And in turn, he obtains the corresponding r i. He then chooses arbitrary m j for uncorrupted P j such that each m i for corrupted P i has a rank r i among ( m 1,, m n ). Then for uncorrupted P j, he defines x jt = x jt if t m j; x jt = x jt a if m j < t N. Under this formulation, {B it } N 1 is an encoding of m i as computed in Step 1 of Phase One. In Phase Two, S faithfully interacts with A by simulating F mrc and all uncorrupted P i with {x it } N 1. In the external execution (ideal process), S delivers r j to uncorrupted P j if and only if ok(p i, P j ) for all i has been computed in the internal execution for all corrupted P i. Finally, S outputs whatever A does. The view of A is different from the real process: for uncorrupted P i, (1) Input commitment is dummy instead of a commitment of m i ; (2) m i is not equal to m i for uncorrupted P i. In the remaining part, we show this modification does change the distribution of A s view. Let the simulated game be Γ. Consider the mental game Γ 1 of Γ, where the only difference is that for uncorrupted P i, the input commitment is for m i instead of first being dummy and reformulating later. The view of A under this change is identically distributed in Γ, as x it in Γ is uniformly at random (thus x it obtained in the reformation is random) in Z q. Now we will show that the adversary view in Γ 1 and the variant of Γ 1, where m i for uncorrupted P i is replaced by m i, is indistinguishable. We achieve this via a sequence of game techniques. First we modify Γ 1 to Γ 2 such that in Phase Two, for each uncorrupted P i, D ijt = h y jx ijt β m j t ijt z u ij 1, where β ijt G q. Note if β ijt = σ x ijt, then Γ 2 becomes Γ 1. We show that the execution in these two games are indistinguishable. If this were not true, we construct an adversary B 2 to break DDH assumption. Given (h, σ, α, β) (either DH tuple or random tuple), B 2 takes (σ, α ljt, β ljt ) Rud 0 (h, σ, α, β), 1 t N, 1 j n, for each uncorrupted P l (algorithm Rud is presented in Appendix A). He then follows Γ 1 (and Γ 2 ) for input commitment stage. In the second phase, he follows the simulator S in Γ 2, except that for uncorrupted P i, h x ijt in defining B ijt is taken as α ijt and that D ijt = α y j ijt β m j t ijt z u ij 1. Finally, B 2 feeds the execution output to the distinguisher and outputs whatever he does. Note if (h, σ, α, β) is DH tuple, then the simulated game by B 2 is distributed as in Γ 1 ; otherwise, it is distributed according to Γ 2.

11 Thus, the distinguishability between Γ 1 and Γ 2 implies the non-negligible advantage of B 2, a contradiction to DDH assumption. We modify Γ 2 to Γ 3 such that in Phase Two, for any uncorrupted pair P i and P j, D ijt = γ ijt β m j t ijt z u ij 1 for γ ijt G q (instead of γ ijt = h y jx ijt ). We show the execution in Γ 2 and Γ 3 is indistinguishable; otherwise, consider a DDH breaker B 3. Upon receiving input (h, µ, ν, γ), B 3 first takes (µ j, ν j, γ j ) Rud 1 (h, µ, ν, γ) (See Appendix A for details) for each uncorrupted P j and then further takes (µ j, ν ijt, γ ijt ) Rud 0 (h, µ j, ν j, γ j ) for 1 t N and each uncorrupted P i. He follows the simulation in Γ 2 for input commitment except that h x jn is computed as µ j N 1 t=1 h x jt. Note this simulation is distributed identically as in Γ 2 (and Γ 3 ) as µ j is uniform in G q. In Phase Two, B 3 follows the simulation in Γ 3, except that for any uncorrupted pair P i, P j, (1) h x ijt in computing B ijt is defined to be ν ijt ; (2) D ijt = γ ijt β m j t ijt z u ij 1, where β ijt G q as in Γ 2 and γ ijt is the value just derived from Rud. By the property of Rud algorithm, if (h, µ, ν, γ) is a DH tuple, then the simulated game is identically distributed as Γ 2 ; otherwise, it is according to Γ 3. Thus, the distinguishablity between Γ 2 and Γ 3 implies the distinguishability of DDH, contradiction. Consider the mental game Γ 4, a variant of Γ 3 while m i is replaced by m i (registered by P i to the ideal functionality). We show that the views of A between Γ 3 and Γ 4 are identically distributed. Otherwise, commitments for { m i } Pi Φ and {m i } Pi Φ using the method in Step 1 can be distinguished. However, this is impossible since the two set of commitments have identical distribution. Here is details. Upon input {B it } N 1 for each uncorrupted P i (either commit of m i or commitment of m i ), a distinguisher B 4 simulates Step 2 normally (as in Γ 3 ). Phase Two is simulated as follows. - For each uncorrupted P i, B ijt = B it h ijt for each j, t, where ijt Z q. - For each uncorrupted P i and corrupted P j, take D ijt G q for t m j. Fix P i0 Φ. Take D i0 j( m j ) = B y j i 0 j( m j ) σ R jyj z u ij 1, where R j = {i : P i Φ, m i m j }. For i i 0, take D ij( mj ) = B y j ij( m j ) zu ij 1. Note y j = N t=1 x jt and x jt is obtained from the input to functionality F mor + by A in Phase One. - For uncorrupted P i and P j, take D ijt G q. Now we claim that no matter the input to the simulator is commitment of { m i } or {m i }, the above simulation is consistent with Γ 4. It suffices to show that D ij( mj ) for uncorrupted P i and corrupted P j is according to Γ 4. Notice for corrupted P j, m j is ranked r j for both cases

12 {m i } Pi Φ and { m i } Pi Φ, it follows that {i : P i Φ, m i m j } = {i : P i Φ, m i m j }. Thus, we only need to consider the case, where for uncorrupted P i, {B it } N 1 is a commitment of m i. Our key point is that for any j, {u ij : P i Φ} are uniform in Z q with only constraint P i Φ u ij = P i Φ u ij (by Lemma 1). Note that B ijt = σ δ it h x ijt, where δ it is the bit ( m i < t). Thus, in the simulation, D i0 j m j = h y jx i0 j m j σ y jδ i0 m j σ y jrj z u i 0 j 1 ; for other uncorrupted P i, D ij mj = h y jx ij mj σ y jδ i mj z u ij 1. Note that σ R j P i Φ σδ i m j z u ij 1 = P i Φ zu ij 1. Let ũ i 0 j = u i0 j (R j δ i0 m j )y j log z1 σ, and ũ ij = u ij +δ i mj log z1 σ for other uncorrupted P i. Note that P i Φ ũij = P i Φ u ij, we have that {ũ ij } Pi Φ can be regarded as another feasible assignment for {u ij } Pi Φ. Furthermore, {ũ ij } Pi Φ is according to the real distribution since {u ij } Pi Φ is uniform at random with the only constraint on their additive sum. Therefore, the simulation is actually distributed as in Γ 4. Our claim follows. Furthermore, notice adversary view in Γ 1,, Γ 4 when m i = m i for all uncorrupted P i is still indistinguishable. On the other hand adversary view in Γ 1 with m i = m i for all uncorrupted P i is according to the real execution. Thus, the execution of ideal process by S is indistinguishable from the execution of the real process by A. 5 Full Ranking Protocol Cramer et al. [3] demonstrates a transformation which, given any - protocol, outputs a secure 3-round multi-party (parallel) -protocol. In this section, we realize our building functionalities F m2dl, F mor +, F mrc using their transformation. Then a full ranking protocol can be obtained by (sequentially) composing these realizations with the hybrid protocol in the last section. We start with the notion of -protocol Protocol Let R be a binary relation consisting of pair (x, w), where x is a public string and w is a witness of polynomial length. Consider a 3-round proof of knowledge protocol for (x, w) R, where x is the common input and w is the private input for the prover. The prover starts with a message a. The verifier responds with a challenge e. Finally, the prover responds with a finishing message z. Then the verifier accepts if and only if ver(a, e, z, x) = 1 for a public algorithm ver. Such an interactive proof system is said to be a -protocol if it satisfies the following.

13 Completeness. If the prover is given a private input w such that (x, w) R, then the verifier always accepts. Special Honest Verifier Zero-knowledge. For any e, one can efficiently compute (a, e, z) such that (a, e, z) is according to the real distribution with a fixed e. Witness Extraction. For a fixed x, one can efficiently extract witness w from any two accepting transcripts (a, e, z) and (a, e, z ) with e e. Useful Examples. The protocols in Appendix B are -protocols π dl, π 2dl, π or, and π rc for relations R dl, R 2dl, R or and R rc respectively. These examples will soon be applied to realize our building functionalities. 5.2 Secure Multi-Party -Protocol Let R 1,, R v be v binary relations. Assume n parties P 1,, P n. Let Λ = (Λ 1,, Λ n ), where Λ i is a collection of numbers from {1,, v} with replacement (i.e., taking two identical numbers is allowed). Let x i,j, for j Λ i and 1 i n, be the common input for all parties. Suppose F Λ be an n-party functionality in which each P i proves the knowledge of witness w ij s.t. (x ij, w ij ) R j, for each j Λ i. The following has been established by Cramer et al. [3] (Section 6.3 in their paper). Lemma 2. Let R 1,, R v be v binary relations. Let π i be a -protocol for relation R i for 1 i v. Then there exists a 3-round multi-party protocol π Λ realizing F Λ. In addition, if π i (1 i v) has a communication complexity upper bounded by O(K), then the communication complexity of π Λ is upper bounded by O(K n i=1 Λ i ). Now we are ready to realize F m2dl, F mor +, F mrc. From Lemma 2, we we can easily conclude the following result. Corollary 1. There exists a 3-round multi-party protocol π m2dl (resp. π mor +, π mrc ) realizing the ideal functionality F m2dl (resp. F mor +, F mrc ). Furthermore, the communication complexity of π m2dl (resp. π mor +, π mrc ) is O(n 2 k) (resp. O(nNk), O(nNk)), where k is the security parameter (i.e., the length of p). Proof. In F m2dl, each P i proves the knowledge of witness for n instances w.r.t R 2dl. In F mor +, each P i proves the knowledge of witness of N instances w.r.t. R or and one instance w.r.t. R dl. In F mrc, each P i proves the knowledge of witness of one instance w.r.t. R rc. On the other hand, π dl, π 2dl, π or and π rc are -protocols for R dl, R 2dl, R or and

14 R rc respectively. Thus, the first part follows from Lemma 2. The second part follows since π dl, π 2dl, π or and π rc have communication complexity O(k), O(k), O(k), O(Nk), respectively. 5.3 Full Ranking Protocol Now we are ready to state our full ranking protocol. Let F ulrank be the ranking protocol in the last section but functionalities F m2dl, F mor +, F mrc are replaced by π m2dl, π mor +, π mrc respectively. Theorem 2. Protocol F ulrank realizes the ranking functionality in the non-adaptive but malicious model. In addition, F ulrank has a constant round complexity and a communication complexity O(n 2 k(n + n)). Proof. Since F ulrank is obtained from the hybrid protocol via sequential compositions, the security follows. It has a constant round complexity since the hybrid protocol, and π m2dl, π mor +, π mrc all are constant round. Since the zero-sharing protocol has the communication complexity O(n 3 k) and the main ranking part has O(n 2 Nk), it follows that the whole protocol has O(n 2 k(n + n)). References 1. M. Bellare, A. Boldyreva, S. Micali, Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements, EUROCRYPT 00, pp , M. Bellare and S. Goldwasser, Verifiable Partial Key Escrow, ACM CCS 97, pp , R. Cramer, I. Damgrd, J. Nielsen, Multiparty Computation from Threshold Homomorphic Encryption, EUROCRYPT 01, pp , R. Cramer, I. Damgard, and B. Schoenmakers, Proofs of partial knowledge and simplified design of witness hiding protocols, CRYPTO 94, LNCS 839, Y. Desmedt (ed.), SpringerVerlag, R. Cramer, I. Damgard, and U. Maurer, Gemeral secure multi-party computation from any linear secret sharing scheme, Advances in Cryptology-EUROCRYPT 00, B. Preneel (Ed.), LNCS 1807, Springer-Verlag, pp , M. Franklin, Comlexity and Security of Distributed Protocols, Ph. D thesis, Columbia University, M. Franklin and Haber, Joint encryption and message-efficient computation, Journal of Cryptology, 9(4): , Z. Galil, S. Haber, and M. Yung. Cryptographic computation: secure fault-tolerant protocol and the public-key model. In Advances in Cryptology-CRYPTO 87, C. Pomerance (Ed.), LNCS 293, Spriner-Verlag, New York, O. Goldreich, S. Micali, and A. Wigderson, How to play any mental game or a completeness theorem for protocols with honest majority, STOC 87, pp , New York City, May, 1987.

15 10. V. Hadzilacos, J. Halpern, Message-Optimal Protocols for Byzantine Agreement (Extended Abstract), PODC 1991, pp , M. Hirt and U. Maurer, Robustness for Free in Uncondidtional Multi-party Computation, Advances in Cryptology-CRYPTO 01, J. Killian(Ed.), LNCS 2139, Springer-Verlag, pp , Y. Ishai and E. Kushilevitz, Randomizing polynomials: a new representation with application to random efficient secure computation, FOCS 00, pp , M. Jakobsson and A. Juels, Mix and match: secure function evaluation via ciphertexts, Advances in Cryptology-ASIACRYPT 00, T. Okamoto (Ed.), LNCS 1976, Springer-Verlag, pp , V. Shoup, On Formal Models for Secure Key Exchange, Available at A. C. Yao, Protocols for secure computations (extended abstract), FOCS 82, pp , Appendix A Diffie-Hellman Self-reduction. Now we introduce a self-reduction technique [1, 14]. Let p, q be two large primes with p = 2q + 1; G q be the subgroup of order q in Z p. And g G q \{1}. Thus, g = G q. Given a bit x and a tuple (g, g a, g b, g c ), a self-reduction algorithm Rud x in [1, 14] can efficiently compute a new triple (g a, g b, g c ) with the properties in Table 3. Table 3. Properties of Output from Self-reduction Rud x x = 0 x = 1 c = ab a = a & b random in Z q & c = a b a, b random in Z q & c = a b c ab a = a &b, c random in Z q a, b, c random in Z q For example, if the input is x = 0 and a tuple (g, g a, g b, g ab ), then the output will be (g a, g b, g ab ), where b is uniformly random in Z q. For simplicity, we use (g a, g b, g c ) Rud x (g, g a, g b, g c ) to denote a random output of Rud with input x and (g, g a, g b, g c ). Appendix B In our protocol, -protocols for R dl, R 2dl, R or and R rc are presented in Tables 4, 5, 6, 7. All these protocols are not new. For example, Tables 6 [2] and Table 7 both are examples of the general OR protocol in [4].

16 Common Input: p = 2q + 1, h, X = h x. Auxiliary Input: x for Prover. 1. Prover takes x Z q, computes X = h x. Then he sends X to Verifier. 2. Verifier takes e Z q and sends to Prover. 3. Prover computes r = ex + x and sends r to Verifier. 4. Verifier checks if h r = X e X. He accepts if the check is successful. Table 4. The -Protocol π dl for relation R dl Common Input: p = 2q + 1, g, h, and S = g x h y. Auxiliary Input: (x, y) for Prover. 1. Prover takes x, y Z q, computes S = g x h y and sends it to Verifier. 2. Verifier takes e Z q and sends back to Prover. 3. Prover computes r 1 = ex + x, r 2 = ey + y and sends (r 1, r 2 ) to Verifier. 4. Verifier checks if S e S = g r 1 h r 2. The proof is accepted if the verification is successful. Table 5. The -Protocol π 2dl for relation R 2dl Common Input: p = 2q + 1, h, σ, X = h x or σh x. Auxiliary Input: x for Prover. 1. If X = h x, Prover takes w 1, r 2, c 2 Z q, computes R 1 = h w 1, R 2 = h r 2 (X/σ) c 2. If X = σh x, Prover takes w 2, r 1, c 1 Z q, computes R 1 = h r 1 X c 1, R 2 = h w 2. Then he sends (R 1, R 2) to Verifier. 2. Verifier takes c Z q and sends back to Prover. 3. If X = h x, Prover computes c 1 = c c 2, r 1 = w 1 + c 1 x. If X = σh x, Prover computes c 2 = c c 1, r 2 = w 2 + c 2x. Then he sends r 1, r 2, c 1, c 2 to Verifier. 4. Verifier checks if c 1 + c 2 = c, h r 1 = R 1 X c 1, h r 2 = R 2 (X/σ) c 2. He accepts if the verification is successful. Table 6. The -Protocol π or for relation R or

17 Common Input: Auxiliary Input: p = 2q + 1, g, h, σ, z 1, {B t B t D t} N t=1 U B {x t x t } N t=1 u u for Prover. 1. If B t = h x t, Prover takes x t1, u t1, u t1, r t2, r t2, s t2, s t2, e t2 Z q, computes Bt1 = h x t1, Bt2 = h r t2 (B t /σ) e t2, B t1 = h x t1, B t2 = h r t2 ( B t /σ) e t2, Dt1 = (Bσ t ) x t1z u t1 1, Dt2 = (Bσ t ) r t2 z s t2 Ut1 = g u t1h u t1, Ut2 = g s t2 h s t2u e t2. 1 D e t2 t, If B t = σh x t, Prover takes x t2, u t2, u t2, r t1, r t1, s t1, s t1, e t1 Z q, computes Bt1 = h r t1 B e t1 t, Bt2 = h x t2, B t1 = h r t1 B e t1 t, B t2 = h x t2, Dt1 = (Bσ t ) r t1 z s t1 1 D e t1 t, Dt2 = (Bσ t ) x t2z u t2 Ut1 = g s t1 h s t1u e t1, Ut2 = g u t2h u t2. Then he sends {Bt1 B t2, B t1 B t2, Dt1 D t2, Ut1 U t2} N 1 to Verifier. 2. Verifier takes e Z q and sends back to Prover. 3. If B t = h x t, Prover computes e t1 = e e t2, r t1 = x t1 + e t1x t, r t1 = x t1 + e t1 x t, s t1 = u t1 + e t1 u, s t1 = u t1 + e t1 u. If B t = σh x t, Prover computes e t2 = e e t1, r t2 = x t2 + e t2x t, r t2 = x t2 + e t2 x t, s t2 = u t2 + e t2 u, s t2 = u t2 + e t2 u. Then he sends {r t1 r t2, r t1 r t2, s t1 s t2, s t1 s t2, e t1, e t2 } N 1 to Verifier. 4. Verifier checks if e t1 + e t2 = e, and if the following for all t: 1, h r t1 = Bt1B e t1 t, h r t2 = Bt2(B t /σ) e t2, h r t1 = B t1 B e t1 t, h r t2 = B t2( B t /σ) e t2, (Bσ t ) r t1 z s t1 1 = Dt1D e t1 t, (Bσ t ) r t2 z s t2 1 = Dt2D e t2 t, g s t1 h s t1 = Ut1U e t1, g s t2 h s t2 = Ut2U e t2. He accepts if the verification is successful. Notation: B t = h x t and B t = h x t, or, B t = σh x t and B t = σh x t ; U = g u h u ; D t = (Bσ t ) x t z u 1. Table 7. The -protocol π rc for relation R rc