Practical and Secure Solutions for Integer Comparison (Extended Abstract)


Juan Garay¹, Berry Schoenmakers², and José Villegas²

¹ Bell Labs - Lucent Technologies, 600 Mountain Ave., Murray Hill, NJ, garay@research.bell-labs.com
² Dept. of Mathematics and Computing Science, TU Eindhoven, P.O. Box 513, 5600 MB Eindhoven, The Netherlands, berry@win.tue.nl, j.a.villegas@tue.nl

Abstract. Yao's classical millionaires' problem is about securely determining whether x > y, given two input values x, y, which are held as private inputs by two parties, respectively. The output x > y becomes known to both parties. In this paper, we consider a variant of Yao's problem in which the inputs x, y as well as the output bit x > y are encrypted. Referring to the framework of secure n-party computation based on threshold homomorphic cryptosystems as put forth by Cramer, Damgård, and Nielsen at Eurocrypt 2001, we develop solutions for integer comparison, which take as input two lists of encrypted bits representing x and y, respectively, and produce an encrypted bit indicating whether x > y as output. Secure integer comparison is an important building block for applications such as secure auctioning. In this extended abstract, our focus is on the two-party case, although most of our results extend to the multi-party case. We propose new logarithmic- and constant-round protocols for this setting, which achieve simultaneously very low communication and computational complexities. We analyze the protocols in detail and show that our solutions compare favorably to other known solutions.

Key words: Millionaires' problem; secure multi-party computation; homomorphic encryption.

1 Introduction

The millionaires' problem, introduced by Yao [Yao82], involves two parties who want to compare their riches: they wish to know who is richer but do not want to disclose any other information about their riches to each other.
More formally, the problem is to find a two-party protocol for the secure evaluation of the function f(x, y) = [x > y], where the bracket notation [B], for a condition B, is defined by [B] = 1 if B holds and [B] = 0 otherwise (this is called Iverson's convention; see [Knu97]). Rather than requiring that the inputs x and y are actually known as private inputs to the parties, we will work in the more general setting where the inputs are not necessarily known to the parties running the protocol. Instead, the inputs to the protocol may be given as encrypted values only, and the output will also be made available in encrypted form. Note that the inputs to our protocols will actually be the encryptions of the bits representing the integers to be compared. For the encryptions we will use a threshold homomorphic cryptosystem, as in the framework of secure n-party computation based on threshold homomorphic cryptosystems put forth by Cramer, Damgård, and Nielsen [CDN01]. In line with this, we consider the case of an active, static adversary³, i.e., we consider the malicious case.

³ In principle, the case of adaptive adversaries could be handled at the expense of additional tools (e.g., [DN00,DN03,GMY03]); in this extended abstract we focus on the static (and stand-alone) case.

Requiring (i) that the inputs are given in encrypted form (without anyone knowing these inputs) and (ii) that the output bit [x > y] also be encrypted (without anyone learning its value) sets our problem setting apart from the setting of Yao's paper [Yao82] and much of the follow-up literature. Indeed, consider computing [x = y] in the case of encrypted inputs but public output, where the following straightforward solution works. Let [[m]] denote a (probabilistic) encryption of a message m in a threshold homomorphic cryptosystem. Given encryptions [[x]] and [[y]], the encryption [[x − y]] is publicly computed. Furthermore, the parties jointly compute an encryption [[r]] for a (jointly) random r. Using one invocation of a secure multiplication protocol, the parties then produce the encryption [[(x − y)r]], which is jointly decrypted. If the result is 0, then x = y; otherwise, x ≠ y, and the result is a random number. In contrast, when the output is required in encrypted form, such simple solutions are not known and protocols (including ours) need to work over the encrypted values of the binary representation of the inputs. Furthermore, unlike many publications on the millionaires' problem, we consider the malicious case rather than the semi-honest (or honest-but-curious) case.

1.1 Our contributions

The contributions of this work are as follows:

- A logarithmic-round protocol for secure integer comparison, which is based on an elegant Boolean circuit for integer comparison of depth log₂ m for m-bit integers. In addition, the size of the circuit is only 3m (counting the number of secure multiplication gates). The circuit can be readily used as a drop-in replacement for the O(1)-depth circuit for integer comparison in [DFK+06], which is only of theoretical interest as it uses 19 rounds and 22m secure multiplications. (Note that the depth of our log-depth circuit exceeds their constant-depth circuit for integer comparison only if the inputs consist of integers of bit length m = 2^20 or longer.)
- A constant-round protocol for secure integer comparison for which the number of rounds is a small constant and the number of secure multiplications is a small multiple of m. Our constant-round solution is restricted to the case of two parties (or, rather, any constant number of parties). Our protocol builds on a protocol by Blake and Kolesnikov [BK04] for integer comparison in a different setting. In particular, we provide an efficient technique for securely returning the output bit in encrypted form.

We like to stress that application of our log-depth circuit is not restricted to the framework of [CDN01]: the circuit can be used in any framework for secure n-party computation that assumes that the function to be computed is given as a circuit. In particular, the circuit can be used for secure computation based on verifiable secret sharing. Furthermore, the proof of security of our constant-round protocol is interesting in its own right. Theorem 1, as explained below, essentially captures the security of the protocol in a modular way. Here, we have adopted the approach suggested recently in [ST06], and we show how the required simulator can be built even though our protocol is of a much different nature than the ones in [ST06].

1.2 Related work

There appear to be only a few publications in the literature which consider encrypted inputs and outputs for integer comparison. Above we have already mentioned the work of Damgård et al. [DFK+06]. The main difference is that they work in an unconditional setting, reflected by the use of sharings for an underlying linear secret sharing scheme, while we work in the cryptographic model where we use encryptions for an underlying threshold homomorphic cryptosystem. Together with a secure multiplication protocol for a homomorphic threshold ElGamal scheme, Schoenmakers and Tuyls [ST04] also present a solution for secure integer comparison for encrypted inputs and outputs. Their solution, however, requires a linear (O(m)) number of rounds and secure multiplication gates. With more relaxed requirements than ours, Brandt [Bra06] presents a solution where the inputs are encrypted but the output is in the clear for both participants, and furthermore, it is not 0 or 1 but instead 0 or random, which limits its applicability. A different approach to solving the problem under consideration is when one of the parties acts as a server. In this setting, say, Alice knows the private keys to open encryptions and Bob works over his inputs and Alice's encrypted inputs to produce some information that allows Alice to learn the output of the function being evaluated. Examples of these approaches for integer comparison are presented in [Fis01,BK04,LT05]. In contrast to our solutions, these solutions cannot provide encrypted output, and the actual encrypted inputs are known to the actors in the protocols.

1.3 Organization of the paper

The rest of the paper is organized as follows. In Section 2 we introduce the main building blocks used by our protocols and we give some background on threshold homomorphic cryptosystems. In Section 3 we present our two new protocols for integer comparison, together with their proof of security (specifically, of the second protocol, as the proof of the first protocol follows directly from the security guarantees provided by the [CDN01] setting). We conclude in Section 4 with a brief performance analysis and comparison to existing results.
2 Preliminaries

Our results apply to any threshold homomorphic cryptosystem, such as those based on ElGamal or Paillier. It is assumed that a secure multiplication protocol is available, as in [CDN01,ST04]. Since we only need secure multiplication of binary values, we use the conditional gate of [ST04], which allows for an efficient implementation based on threshold homomorphic ElGamal, which in turn allows for the use of elliptic curves, hence yielding compact and efficient implementations. Further details on threshold homomorphic ElGamal are omitted in this extended abstract.

We write [[x]] for a (probabilistic) encryption of the value x, using the public key of the underlying threshold homomorphic ElGamal cryptosystem. Further, let Z_q denote the message space, for a large prime q (of, say, size 160 bits). The cyclic group G used for ElGamal is also of order q, and we assume that elements of G are represented using |q| bits only (which is the case for elliptic curves). Thus, an ElGamal encryption consisting of two group elements is of size 2|q|. In order to withstand active attacks, we use Σ-protocols [CDS94], a standard type of zero-knowledge proofs/arguments. Assuming the random oracle model, all proofs can be converted into non-interactive ones and can be simulated easily.

As mentioned above, we make use of secure multiplication gates with which, on inputs [[x]] and [[y]], n participants can compute an encryption [[xy]]. Secure multiplication gates can be implemented in a constant number of rounds [CDN01], and in fact can be very efficient for less general requirements, such as the case where one of the multiplicands, say, x, is in {−1, 1}: the so-called conditional gate [ST04]. Throughout the rest of the paper, if one of the values on a secure multiplication gate is guaranteed to belong to a two-value domain, we refer to it as a conditional gate. Further, in case one of the inputs, say, x, is private to one of the parties, a simplified multiplication protocol can be used with no interaction between (among) the participants. The protocol consists in letting the party knowing the private value broadcast a re-encryption of [[xy]] = [[y]]^x, using the homomorphic properties of the scheme, and generate a Σ-proof showing that [[xy]] was correctly computed according to [[x]] and [[y]]. We will refer to this gate as the private-multiplier gate.

For the performance comparisons presented at the end of this paper, we note that the conditional gate of [ST04] in the two-party case, using (2,2)-threshold homomorphic ElGamal, requires about 50 exponentiations and 34|q| bits of communication per invocation. Similarly, the private-multiplier gate, where, say, input x is privately known to one of the parties, requires about 10 exponentiations and 6|q| bits of communication per invocation.

A final tool that we will use (also without further explanation in this extended abstract) are verifiable mixes [SK95], a tool for verifiably mixing lists of ciphertexts. More formally, a verifiable mix takes as input a list of encryptions [[x_1]], ..., [[x_m]], and produces another list of encryptions [[x'_1]], ..., [[x'_m]] as output such that [[x'_{π(1)}]] = [[x_1]][[0]], ..., [[x'_{π(m)}]] = [[x_m]][[0]] for some random permutation π of {1, ..., m}. Here, each occurrence of [[0]] denotes a probabilistic encryption of 0.
The verifiable mix also outputs a non-interactive zero-knowledge proof (for which we assume the random-oracle model throughout). For concreteness, we assume Groth's efficient proof [Gro03], which for our setting leads, performance-wise, to about 12m exponentiations and 4m|q| bits per proof. We are now ready to describe our protocols for integer comparison.

3 New Solutions to the Integer Comparison Problem

In this section we present two new protocols for integer comparison following different approaches. In both cases, the inputs x and y are given as sequences of encrypted bits, [[x_{m−1}]], ..., [[x_0]] and [[y_{m−1}]], ..., [[y_0]], with x = Σ_{i=0}^{m−1} x_i 2^i, y = Σ_{i=0}^{m−1} y_i 2^i. The output is [[[x > y]]]. Hence, both inputs and output are available in encrypted (shared) form only.

First, let's consider computing [[[x > y]]] using a circuit consisting of simple arithmetic gates (addition, subtraction, conditional). The output of x > y consists of one bit only, which is set to 1 if x > y, and to 0 otherwise. Let t_m denote such a bit. A simple oblivious program to compute t_m starting from the least significant bit (rather than starting from the most significant bit!) is given by

t_0 = 0,   t_{i+1} = (1 − (x_i − y_i)²) t_i + x_i (1 − y_i).

This program leads to a circuit requiring 2m − 1 conditional gates [ST04]. A disadvantage is that the depth of the circuit is m, hence inducing a critical path of m sequential secure multiplications (the terms [[x_i y_i]] can be computed in parallel (for i = 0, ..., m − 1), followed by the sequential computation of t_1, ..., t_m). The number of exponentiations and broadcast bits are dominated by the number of conditional gate invocations, in our case 2m. Therefore, for the two-party case, we have about 100m exponentiations and 68m|q| bits of communication and a linear number of rounds.

3.1 Logarithmic round complexity with low computational complexity

The result in this section shows how to reduce the depth of the circuit to O(log m) without increasing its size beyond O(m). The idea relies on the following simple but crucial property of integer comparison. Write x = X_1 X_0 and y = Y_1 Y_0 as bit strings, where 0 ≤ |X_1| = |Y_1| ≤ m and 0 ≤ |X_0| = |Y_0| ≤ m. Then

[x > y] = [X_1 > Y_1]  if X_1 ≠ Y_1;   [x > y] = [X_0 > Y_0]  if X_1 = Y_1,

which may be arithmetized as

[x > y] = [X_1 > Y_1] + [X_1 = Y_1][X_0 > Y_0].

This property suggests a protocol that would first split the bit strings x and y into about equally long parts, compare these parts recursively, and then combine these to produce the final output. To evaluate the expression for [x > y] using simple arithmetic gates, we introduce the following auxiliary function:

z(x, y) = [x = y] = 1 − (x − y)².

Let t_{i,j} stand for the value of > when applied to the substrings x_{i+j−1}, ..., x_{i+1}, x_i and y_{i+j−1}, ..., y_{i+1}, y_i. Expressed explicitly in terms of the bits of x and y, a full solution for [x > y] is obtained by evaluating t_{0,m} from (using l = ⌈j/2⌉)⁴:

t_{i,j} = x_i − x_i y_i                          if j = 1,
t_{i,j} = t_{i+l,j−l} + z_{i+l,j−l} t_{i,l}      if j > 1;

z_{i,j} = 1 − x_i − y_i + 2 x_i y_i              if j = 1,
z_{i,j} = z_{i+l,j−l} z_{i,l}                    if j > 1.

Correctness of the computation should be immediate, and its security follows from the security guarantees provided by the framework we are considering [CDN01], assuming secure building blocks/gates. Regarding overhead, the number of conditional gates required for z_{i,j} is 2j − 1. The number of conditional gates for t_{i,j} is j − 1, not counting the conditional gates for z. Thus, the total number of conditional gates for t_{0,m} is bounded from above by 3m − 2. About log₂ m conditional gates can be saved by observing that some z-values are not needed for the evaluation of t, specifically the values z_{0,i}.
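The recursion for t_{i,j} and z_{i,j} above, run in the clear as an added example (this is not code from the paper): every multiplication is routed through a counter, so the conditional-gate count and the critical path of the circuit can be checked against Python's own comparison for all m-bit inputs, and the unused z_{0,l} values are skipped simply by evaluating lazily. The names Circuit, compare, sign and exhaustive_check are chosen here.

```python
"""Plaintext simulation of the log-depth comparison circuit of Section 3.1.

Constructed example: each wire carries (value, depth). Additions and
subtractions are free (homomorphic); every multiplication goes through
cond_gate(), which counts it and extends the critical path. t_{i,j} and
z_{i,j} follow the recursion with l = ceil(j/2), evaluated lazily with
memoisation, so z-values the t-recursion never asks for (the z_{0,l}) are
never computed and t_{i,1}, z_{i,1} share the single gate x_i*y_i.
"""
from math import ceil


class Circuit:
    def __init__(self, xbits, ybits):
        assert len(xbits) == len(ybits)
        self.x, self.y = xbits, ybits      # little-endian bit lists
        self.gates = 0                     # conditional-gate invocations
        self.prod, self.zmemo, self.tmemo = {}, {}, {}

    def cond_gate(self, a, b):
        """Secure multiplication of two wires. [ST04] needs one operand in a
        two-value domain; that holds here because every operand is a bit."""
        (va, da), (vb, db) = a, b
        assert va in (0, 1) or vb in (0, 1)
        self.gates += 1
        return va * vb, max(da, db) + 1

    def xy(self, i):
        """Bit product x_i*y_i, computed once and shared by t_{i,1} and z_{i,1}."""
        if i not in self.prod:
            self.prod[i] = self.cond_gate((self.x[i], 0), (self.y[i], 0))
        return self.prod[i]

    def z(self, i, j):
        """z_{i,j} = [x_{i+j-1..i} == y_{i+j-1..i}]."""
        if (i, j) not in self.zmemo:
            if j == 1:
                p, d = self.xy(i)
                self.zmemo[(i, j)] = (1 - self.x[i] - self.y[i] + 2 * p, d)
            else:
                l = ceil(j / 2)
                self.zmemo[(i, j)] = self.cond_gate(self.z(i + l, j - l), self.z(i, l))
        return self.zmemo[(i, j)]

    def t(self, i, j):
        """t_{i,j} = [x_{i+j-1..i} > y_{i+j-1..i}]."""
        if (i, j) not in self.tmemo:
            if j == 1:
                p, d = self.xy(i)
                self.tmemo[(i, j)] = (self.x[i] - p, d)
            else:
                l = ceil(j / 2)
                hi = self.t(i + l, j - l)
                lo = self.cond_gate(self.z(i + l, j - l), self.t(i, l))
                self.tmemo[(i, j)] = (hi[0] + lo[0], max(hi[1], lo[1]))
        return self.tmemo[(i, j)]


def bits(v, m):
    return [(v >> i) & 1 for i in range(m)]


def compare(x, y, m):
    """Return ([x > y], conditional gates used, sequential gate layers)."""
    c = Circuit(bits(x, m), bits(y, m))
    gt, depth = c.t(0, m)
    return gt, c.gates, depth


def sign(x, y, m):
    """sgn(x - y) = 2[x > y] - 1 + [x = y]; z_{0,m} adds the skipped z_{0,l} chain."""
    c = Circuit(bits(x, m), bits(y, m))
    gt, _ = c.t(0, m)
    eq, _ = c.z(0, m)
    return 2 * gt - 1 + eq, c.gates


def exhaustive_check(m):
    """Check the circuit against Python's > on all m-bit pairs and return the
    data-independent (gate count, depth); for m = 8 that is (19, 4): 3m - 2
    minus the log2(m) skipped z-values, and one bit-product layer followed by
    log2(m) combining layers."""
    gates = depth = 0
    for x in range(1 << m):
        for y in range(1 << m):
            gt, g, d = compare(x, y, m)
            if gt != int(x > y):
                raise AssertionError(f"mismatch at x={x}, y={y}")
            gates, depth = max(gates, g), max(depth, d)
    return gates, depth
```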
⁴ Any value l, 0 < l < j, actually works, but only l ≈ j/2 gives logarithmic depth. The msb-to-lsb and lsb-to-msb circuits in [ST04] are special cases, obtained respectively by setting l = 1 and l = j − 1.

The computational and communication complexities are dominated by the number of conditional gates. In the worst case, 3m − 2 conditional gates are required, resulting in about 150m exponentiations and 102m|q| broadcast bits. The depth of the circuit is exactly ⌈log₂ m⌉, hence O(log m) with hidden constant equal to 1 for the base-2 logarithm.

As a further remark we note that this log-depth circuit allows for the computation of sgn(x − y) at virtually no extra cost. Here, sgn(z) is the signum function, which is equal to the sign of z (that is, −1 if z < 0, 0 if z = 0, and 1 if z > 0). This follows from the fact that the circuit also computes [x = y], next to [x > y], hence one obtains sgn(x − y) = 2[x > y] − 1 + [x = y] as well.

3.2 Constant round complexity with low computational complexity

In this section we seek to reduce the round complexity to constant, adopting an approach quite different from the one above. We consider the problem of computing [[[x > y]]] in the two-party case, and we wish to achieve a low, constant round complexity while keeping the size of the circuit small as well. First, we note that the O(1)-depth and O(m)-size circuit for integer comparison of [DFK+06] is only of theoretical interest to us: the depth of the circuit is actually 19, and its size is 22m (only counting secure multiplication gates). For a result that possibly competes with our logarithmic solution we take the protocol for conditional oblivious transfer of Blake and Kolesnikov [BK04] (where the condition is also an integer comparison) as a starting point. The main idea in that protocol is to calculate the first position where the bits of x and y differ, starting from the most significant bit. Let i be that position; then x_i − y_i ∈ {−1, 1} indicates whether x > y or not. Jumping ahead a little, the position i will be the unique index satisfying a variable γ_i = 1 (which is guaranteed to exist if we assume x ≠ y; see below). Of course, the value of i must remain hidden, which is achieved by the parties randomly permuting (i.e., mixing) the relevant sequence. The protocol is described in detail below.

As said above, our starting point is the protocol in [BK04] for the passive adversary setting. New ingredients include the fact that we allow for encrypted inputs [[x]] and [[y]], rather than private inputs x and y.
Accordingly, we use a (2,2)-threshold homomorphic cryptosystem instead of just a homomorphic cryptosystem, and we use secure multiplication (conditional gates). Furthermore, we use a specific kind of blinding at the end of the protocol in order to extract the outcome of the integer comparison in encrypted form. Finally, as an important difference, we can actually use other homomorphic cryptosystems, such as ElGamal, whereas [BK04] makes essential use of Paillier.

Constant-round protocol. The protocol consists of the following steps:

1. Using m conditional gates, parties A and B jointly compute [[f_i]] = [[[x_i ≠ y_i]]]. Then they publicly compute the γ-sequence: [[γ_m]] = [[0]]; [[γ_i]] = [[2γ_{i+1} + f_i]], for i = m − 1, ..., 0.
2. For i = m − 1, ..., 0, party A broadcasts [[r_i^A]] for random r_i^A ∈_R Z_q and produces [[u_i^A]] = [[r_i^A (γ_i − 1)]] using a private-multiplier gate.
3. Party B does the same with [[r_i^B]], producing [[u_i^B]] = [[r_i^B (γ_i − 1)]], where r_i^B ∈_R Z_q. Now they publicly produce [[u_i]] = [[u_i^A]][[u_i^B]][[x_i − y_i]] = [[(r_i^A + r_i^B)(γ_i − 1) + (x_i − y_i)]].
4. Party A verifiably mixes the sequence ([[u_i]])_{i=0}^{m−1}, producing the sequence ([[u'_i]])_{i=0}^{m−1}.
5. Party B verifiably mixes the sequence ([[u'_i]])_{i=0}^{m−1}, producing the sequence ([[v_i]])_{i=0}^{m−1}.

Now, parties A and B take turns to multiply this last sequence by a randomly selected number in {−1, 1}:

6. Party A broadcasts [[s_A]], s_A ∈_R {−1, 1}, and uses a private-multiplier gate to produce ([[v'_i]])_{i=0}^{m−1} = ([[s_A v_i]])_{i=0}^{m−1}. A proof that [[s_A]] is an encryption of either −1 or 1 is also required.
7. Party B does the same, broadcasting [[s_B]], s_B ∈_R {−1, 1}, and producing ([[w_i]])_{i=0}^{m−1} = ([[s_B v'_i]])_{i=0}^{m−1} along with the required proof.
8. Finally, parties A and B proceed to decrypt the sequence ([[w_i]])_{i=0}^{m−1} until they find the unique index i satisfying w_i ∈ {−1, 1}. The output is defined as [[(v_i + 1)/2]].

The value v_i is either −1 or 1, hence (v_i + 1)/2 is either 0 or 1. This linear transformation can be done for free because of the homomorphic properties.

The above protocol assumes that x ≠ y; hence the index i is well defined. If x = y, then no entry in the w-sequence will be equal to −1 or 1. One can put sentinels to resolve possible equality, by setting f_{−1} = 1 and u_{−1} = (r_{−1}^A + r_{−1}^B)(γ_{−1} − 1) + 1. The rest of the process is carried through by adding these sentinels to the sequences.

In case the output need not be encrypted, steps 6 and 7 are omitted, and the participants directly open the sequence v to find the position where v_i is in {−1, 1}, where −1 means that x is less than or equal to y, and 1 means that x is greater than y.

For the complexities, the protocol requires about 124m exponentiations and 77m|q| bits of communication. The number of rounds for the protocol is small: 9 rounds as written above; we have omitted further optimizations for clarity of exposition. The protocol also easily extends to the multiparty case, but since the mixing is done sequentially, constant round complexity is not achieved (note that secure multiplication gates can be constant-round even in the multi-party case if Paillier encryption is used, as in [CDN01]).

Proof of security. For the proof of security, we want to be able to simulate this protocol assuming that one of the participants is corrupted. The idea is to give the simulator the inputs [[x_i]] and [[y_i]] in such a way that a consistent view of the protocol can be constructed without making use of the private information of the honest participant.
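The arithmetic behind Steps 1 to 8 of the constant-round protocol, including the equality sentinel, as an added plaintext simulation (not the paper's code; nothing here is encrypted, so it only exercises the invariants): it checks that γ_i = 1 singles out exactly one position, that only that position of the opened w-sequence is ±1, and that the bit recovered from v equals [x > y]. Q, gamma_sequence, u_sequence and run_protocol are names chosen here, and the sentinel constant is taken as −1 so that x = y decodes to 0.

```python
"""Plaintext simulation of the constant-round protocol (Section 3.2, Steps 1-8).

Constructed example: values the protocol keeps encrypted ([[f_i]], [[gamma_i]],
[[u_i]], [[v_i]]) are held here as plain field elements so the invariants can
be inspected. In the real protocol only the w-sequence is ever decrypted.
"""
import random

Q = (1 << 61) - 1   # stand-in for the prime order q of the ElGamal group


def gamma_sequence(xb, yb, m):
    """Step 1 plus the sentinel: f_i = [x_i != y_i], gamma_m = 0,
    gamma_i = 2*gamma_{i+1} + f_i for i = m-1..0, and f_{-1} = 1.
    gamma_i == 1 exactly at the most significant differing bit, or at
    index -1 when x == y; every other entry is 0 or at least 2."""
    gamma = {m: 0}
    for i in range(m - 1, -2, -1):
        f = 1 if i == -1 else int(xb[i] != yb[i])
        gamma[i] = 2 * gamma[i + 1] + f
    return gamma


def u_sequence(xb, yb, gamma, m, rng):
    """Steps 2-3: u_i = (r_i^A + r_i^B)(gamma_i - 1) + (x_i - y_i) mod q.
    Where gamma_i = 1 the randomiser vanishes and u_i = x_i - y_i in {-1, 1};
    everywhere else u_i is uniformly random in Z_q. The sentinel position
    carries the constant -1 in place of x_i - y_i (the extended abstract
    prints +1; -1 makes x == y decode to [x > y] = 0)."""
    u = {}
    for i in range(-1, m):
        r_a, r_b = rng.randrange(Q), rng.randrange(Q)   # A's and B's randomisers
        diff = -1 if i == -1 else xb[i] - yb[i]
        u[i] = ((r_a + r_b) * (gamma[i] - 1) + diff) % Q
    return u


def signed(v):
    """Read a field element as a signed integer in (-q/2, q/2)."""
    return v - Q if v > Q // 2 else v


def run_protocol(x, y, m, seed=0):
    """Return ([x > y] as recovered by the protocol, the single opened w-value)."""
    rng = random.Random(seed)
    xb = [(x >> i) & 1 for i in range(m)]       # x_0 .. x_{m-1}
    yb = [(y >> i) & 1 for i in range(m)]
    gamma = gamma_sequence(xb, yb, m)
    u = u_sequence(xb, yb, gamma, m, rng)
    # Steps 4-5: A and then B verifiably mix; the composed permutation hides
    # where the +-1 entry sits.
    order = list(range(-1, m))
    rng.shuffle(order)                           # pi_A
    rng.shuffle(order)                           # pi_B
    v = [u[i] for i in order]
    # Steps 6-7: A and B each multiply the whole sequence by a random sign.
    s_a, s_b = rng.choice((-1, 1)), rng.choice((-1, 1))
    w = [(s_a * s_b * vj) % Q for vj in v]
    # Step 8: the w-sequence is opened; exactly one entry is +-1 (a random
    # entry hits +-1 only with probability about 2/q).
    hits = [j for j, wj in enumerate(w) if signed(wj) in (-1, 1)]
    assert len(hits) == 1, "the gamma trick must single out exactly one position"
    j = hits[0]
    # [[(v_j + 1)/2]] is a linear function of the still-encrypted v_j, so the
    # output stays encrypted in the real protocol; here it is in the clear.
    # The opened w_j = s_A s_B v_j carries a random sign and reveals nothing.
    return (signed(v[j]) + 1) // 2, signed(w[j])


def exhaustive_check(m, seed=1):
    """Protocol output agrees with Python's > on every pair of m-bit inputs."""
    return all(run_protocol(x, y, m, seed)[0] == int(x > y)
               for x in range(1 << m) for y in range(1 << m))
```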
We first review the simulation requirements for the building blocks. In order to simulate a conditional gate, encryptions [[x]] and [[y]] are required, as well as one encryption [[xy]], with the requirement that x ∈ {−1, 1} (or any other two-value domain) and that the contents of the encryptions are consistent. The actual values x, y and xy need not be known. The same holds for the private-multiplier gate, where in this case the proof of knowledge of, say, x is simulated. For a threshold decryption, we need to provide both [[x]] and x to the corresponding simulator.

We now turn to the global simulation strategy. We note that one problem already arises at the first step of the protocol: in order to simulate the conditional gate invocations in Step 1, the simulator has to produce [[x_i y_i]] given only [[x_i]] and [[y_i]], which is impossible! We circumvent such problems by adopting the approach recently introduced in [ST06], in which it is explained that simulations for input/output pairs of a special form (see Theorem 1 below) suffice to ensure integration with the framework of [CDN01]. This is a consequence of the fact that the security proof in [CDN01] centers around the construction of a so-called YAD^b distribution, which is defined as a function of an encrypted bit [[b]]. The structure of the security proof of [CDN01] follows an ideal-model/real-model approach. The YAD^0 distribution is identical to the distribution of the ideal-model case, whereas the YAD^1 distribution is statistically indistinguishable from the distribution in the real-model case. Therefore, if an adversary can distinguish between the ideal/real cases, it implies that the adversary can distinguish the YAD^0 distribution from the YAD^1 distribution. But as the choice between these two distributions is determined by the value of the encrypted bit b, it follows that the distinguisher for the ideal/real cases is a distinguisher for the underlying encryption scheme. And this is done tightly, i.e., without loss in the success probability for the distinguisher. (See [CDN01,ST06] for more details.) Thus, it is sufficient to show a simulation for inputs of a special form, namely, [[x̃]] = [[(1 − b)x^(0) + b x^(1)]], where x^(0) and x^(1) are given in the clear to the simulator, but b is only given in encrypted form [[b]]. The values x^(0) and x^(1) correspond to the values arising in the YAD^0 and YAD^1 cases, respectively.

Theorem 1. Given input values x^(0), y^(0), x^(1) and y^(1) and an encryption [[b]] with b ∈ {0, 1}, the above protocol can be simulated statistically indistinguishably for inputs [[x̃_i]] = [[(1 − b)x_i^(0) + b x_i^(1)]] and [[ỹ_i]] = [[(1 − b)y_i^(0) + b y_i^(1)]].

Proof. Let x^(0), y^(0), x^(1) and y^(1) and an encryption [[b]] with b ∈ {0, 1} be given. Assuming that party A is corrupted, the simulation works as follows:

1. For Step 1, we rely on the simulator for the conditional gates, which we need to provide with the inputs [[x̃_i]] and [[ỹ_i]] and the corresponding output [[f̃_i]] = [[[x̃_i ≠ ỹ_i]]]. The latter values are computed from the products [[x̃_i ỹ_i]] = [[(1 − b)x_i^(0) y_i^(0) + b x_i^(1) y_i^(1)]], using [[b]] and the homomorphic properties of the cryptosystem. Similarly, the simulator also computes [[γ̃_i]] = [[(1 − b)γ_i^(0) + b γ_i^(1)]]. Let i_0 and i_1 denote the indices such that γ_{i_0}^(0) and γ_{i_1}^(1) are in {−1, 1}. These values are known to the simulator.
2. Next, we let party A do her work. She will broadcast [[r̃_i^A]] and [[ũ_i^A]], for all i. The values r̃_i^A can be extracted by rewinding the proof of knowledge of the private-multiplier invocation.
3. The idea of this step is to generate values r_i^(j) in such a way that allows the simulator to put equal values in the u-sequences, such that they will decrypt to the same value independently of b. For this the simulator does the following. First, he selects s^(0) ∈_R {−1, 1}. The value of s^(1) depends on the result of the comparison of x^(0) against y^(0), and of x^(1) against y^(1). If both comparisons have the same result, then s^(1) = s^(0), otherwise s^(1) = −s^(0). Now the simulator selects r_i^(0), r_i^(1) in such a way that u_i^(0) and u_i^(1) satisfy the following:

   (a) u_i^(0) s^(0) = u_i^(1) s^(1), for i ∉ {i_0, i_1};
   (b) u_{i_0}^(1) s^(1) = u_{i_1}^(0) s^(0);
   (c) u_{i_0}^(0) s^(0) = u_{i_1}^(1) s^(1).

   First, we note that, for j = 0, 1: u_i^(j) = (r̃_i^A + r_i^(j))(γ_i^(j) − 1) + (x_i^(j) − y_i^(j)). For cases (a) and (b) we essentially need that

   u_i^(0) s^(0) = ((r̃_i^A + r_i^(0))(γ_i^(0) − 1) + (x_i^(0) − y_i^(0))) s^(0) = ((r̃_i^A + r_i^(1))(γ_i^(1) − 1) + (x_i^(1) − y_i^(1))) s^(1) = u_i^(1) s^(1),

   which can be achieved by first selecting r_i^(0) at random, and then obtaining r_i^(1) (which in turn is random in each selection of b).

   Case (c) is easier: just taking r_{i_0}^(0) and r_{i_1}^(1) at random is enough, because in those positions the γ-sequences take the value 1 and the randomization is lost when considering the u-sequences.

   The simulator now prepares [[r̃_i^B]] as [[(1 − b)r_i^(0) + b r_i^(1)]] and [[ũ_i^B]] as [[r̃_i^B (γ̃_i − 1)]], for all i. These encrypted values are broadcast, and the simulator for the private-multiplier gate is invoked, with multiplicands [[r̃_i^B]] and [[γ̃_i]], and result [[(1 − b)r_i^(0) γ_i^(0) + b r_i^(1) γ_i^(1)]]. The sequence ([[ũ_i]])_{i=0}^{m−1} is constructed over tilde-sequences, but by construction it follows that [[ũ_i]] = [[(1 − b)u_i^(0) + b u_i^(1)]], for all i.
4. The simulator lets party A mix the sequence ([[ũ_i]])_{i=0}^{m−1}, producing a new sequence ([[ũ'_i]])_{i=0}^{m−1}. The simulator can also extract the permutation π_A that links both sequences.
5. Now the simulator randomly selects two indices ĩ and ĩ' and constructs two permutations π_B^(0) and π_B^(1) as follows: π_B^(0)(π_A(i_0)) = π_B^(1)(π_A(i_1)) = ĩ; π_B^(0)(π_A(i_1)) = π_B^(1)(π_A(i_0)) = ĩ'; for the remaining positions the permutations are randomly defined under the condition that π_B^(0)(π_A(i)) = π_B^(1)(π_A(i)) for i ∉ {i_0, i_1}. The next step is to call the simulator of the mix proof depending on [[b]], because the simulator will never know which permutation, π_B^(0) or π_B^(1), is actually used. For this, he constructs the sequences (v_i^(j))_{i=0}^{m−1} = (u^(j)_{π_A^{−1}((π_B^(j))^{−1}(i))})_{i=0}^{m−1}, and then defines [[ṽ_i]] = [[(1 − b)v_i^(0) + b v_i^(1)]], for all i. With the mixed sequence broadcast by party A in the previous step and this last sequence, the simulator now calls the simulator for the mix proof.
6. Party A multiplies the entire sequence ([[ṽ_i]])_{i=0}^{m−1} by a number s_A (which is extracted from [[s̃_A]]), resulting in the sequence ([[ṽ'_i]])_{i=0}^{m−1}. Note that ṽ'_i = ṽ_i s_A.
7. Now the simulator has almost all the work already done. At this stage he constructs [[s̃_B]] = [[(1 − b)s^(0) + b s^(1)]] and broadcasts it. Then he constructs the sequence ([[w̃_i]])_{i=0}^{m−1} = ([[(1 − b)v_i^(0) s_A s^(0) + b v_i^(1) s_A s^(1)]])_{i=0}^{m−1}. The private-multiplier simulator is now invoked on inputs [[s̃_B]] and [[ṽ'_i]], and output [[w̃_i]].
8. To simulate the last step, the simulator can link the plaintexts of the encryptions [[w̃_i]] by using, for instance, the permutation π_A π_B^(0), and noting that the sign of these values is affected by the factor s_A. The plaintexts in [[w_i^(0)]] and [[w_i^(1)]] are equal and known by the simulator. Therefore, these are the values in [[w̃_i]], independently of [[b]].

The values generated in this way by the simulator are consistent, and therefore an adversary cannot statistically distinguish them from the ones resulting from a real execution. The case when party B is corrupted is similar, with some minor differences due to the order in which tasks are executed. This completes the proof.

4 Conclusions

In this paper we have presented two new solutions to the integer comparison problem. In one instance we obtain a logarithmic number of rounds with respect to the inputs' length, and in the second a constant number of rounds, for the two-party case. In Table 1 we show a comparison between the different solutions presented in this paper against the arithmetic

circuit solution using conditional gates in [ST04]. Going below O(m) rounds comes at the cost of an increase in computational and communication complexity. For the constant-round solution, the additional costs are smaller than for the logarithmic-round solution; however, the logarithmic-round solution also applies to the multi-party case. Clearly, this leads to a trade-off.

Table 1. Comparison of different secure solutions for [x > y]

Integer Comparison Solution            No. Exponentiations    Broadcast Bits
Linear-depth circuit [ST04]            100m                   68m|q|
Logarithmic-depth circuit              150m                   102m|q|
Constant-round protocol (two-party)    124m                   77m|q|

From a practical point of view, our multi-party logarithmic-depth solution is very good compared to the known results so far: communication and computation are only 50% worse than for a linear-depth solution. Even though O(1) rounds are not achieved this way, the number of rounds is very low when considering integers x and y of practical size, e.g., m = 32 or m = 64, in which cases the depth is only 5 and 6, respectively.

References

[BK04] I. Blake and V. Kolesnikov. Strong conditional oblivious transfer and computing on intervals. In Advances in Cryptology - ASIACRYPT '04, volume 3329 of Lecture Notes in Computer Science, Berlin, Springer-Verlag.
[Bra06] F. Brandt. Efficient cryptographic protocol design based on distributed El Gamal encryption. In Information Security and Cryptology - ICISC 2005, volume 3935 of Lecture Notes in Computer Science, Springer-Verlag.
[CDN01] R. Cramer, I. Damgård, and J. B. Nielsen. Multiparty computation from threshold homomorphic encryption. In Advances in Cryptology - EUROCRYPT '01, volume 2045 of Lecture Notes in Computer Science, Berlin, Springer-Verlag. Full version: eprint.iacr.org/2000/055, October 27.
[CDS94] R. Cramer, I. Damgård, and B. Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In Advances in Cryptology - CRYPTO '94, volume 839 of Lecture Notes in Computer Science, Berlin, Springer-Verlag.
[DFK+06] I. Damgård, M. Fitzi, E. Kiltz, J. B. Nielsen, and T. Toft. Unconditionally secure constant-rounds multi-party computation for equality, comparison, bits and exponentiation. In Proc. 3rd Theory of Cryptography Conference, TCC 2006, volume 3876 of Lecture Notes in Computer Science, Berlin, Springer-Verlag.
[DN00] I. Damgård and J. Nielsen. Improved non-committing encryption schemes based on a general complexity assumption. In Advances in Cryptology - CRYPTO 2000, volume 1880 of Lecture Notes in Computer Science, Springer.
[DN03] I. Damgård and J. B. Nielsen. Universally composable efficient multiparty computation from threshold homomorphic encryption. In Advances in Cryptology - CRYPTO '03, volume 2729 of Lecture Notes in Computer Science, Berlin, Springer-Verlag.
[Fis01] M. Fischlin. A cost-effective pay-per-multiplication comparison method for millionaires. In Progress in Cryptology - CT-RSA 2001, volume 2020 of Lecture Notes in Computer Science, Berlin, Springer-Verlag.
[GMY03] J. Garay, P. MacKenzie, and K. Yang. Strengthening zero-knowledge protocols using signatures. In Advances in Cryptology - EUROCRYPT 2003, volume 2656, Springer.
[Gro03] J. Groth. A verifiable secret shuffle of homomorphic encryptions. In Public Key Cryptography - PKC '03, volume 2567 of Lecture Notes in Computer Science, Berlin, Springer-Verlag.
[Knu97] D. E. Knuth. The Art of Computer Programming (Vol. 1: Fundamental Algorithms). Addison Wesley, Reading (MA), 3rd edition.
[LT05] H. Lin and W. Tzeng. An efficient solution to the millionaires' problem based on homomorphic encryption. In ACNS 2005, volume 3531 of Lecture Notes in Computer Science, Springer-Verlag.
[SK95] K. Sako and J. Kilian. Receipt-free mix-type voting scheme: a practical solution to the implementation of a voting booth. In Advances in Cryptology - EUROCRYPT '95, volume 921 of Lecture Notes in Computer Science, Berlin, Springer-Verlag.
[ST04] B. Schoenmakers and P. Tuyls. Practical two-party computation based on the conditional gate. In Advances in Cryptology - ASIACRYPT '04, volume 3329 of Lecture Notes in Computer Science, Berlin, Springer-Verlag.
[ST06] B. Schoenmakers and P. Tuyls. Efficient binary conversion for Paillier encryptions. In Advances in Cryptology - EUROCRYPT '06, volume 4004 of Lecture Notes in Computer Science, Berlin, Springer-Verlag.
[Yao82] A. Yao. Protocols for secure computations. In Proc. 23rd IEEE Symposium on Foundations of Computer Science (FOCS '82), IEEE Computer Society, 1982.


G /G Advanced Cryptography 12/9/2009. Lecture 14 G22.3220-001/G63.2180 Advanced Cryptography 12/9/2009 Lecturer: Yevgeny Dods Lecture 14 Scrbe: Arsteds Tentes In ths lecture we covered the Ideal/Real paradgm and the noton of UC securty. Moreover, we

More information

Foundations of Arithmetic

Foundations of Arithmetic Foundatons of Arthmetc Notaton We shall denote the sum and product of numbers n the usual notaton as a 2 + a 2 + a 3 + + a = a, a 1 a 2 a 3 a = a The notaton a b means a dvdes b,.e. ac = b where c s an

More information

Problem Set 9 Solutions

Problem Set 9 Solutions Desgn and Analyss of Algorthms May 4, 2015 Massachusetts Insttute of Technology 6.046J/18.410J Profs. Erk Demane, Srn Devadas, and Nancy Lynch Problem Set 9 Solutons Problem Set 9 Solutons Ths problem

More information

THE SUMMATION NOTATION Ʃ

THE SUMMATION NOTATION Ʃ Sngle Subscrpt otaton THE SUMMATIO OTATIO Ʃ Most of the calculatons we perform n statstcs are repettve operatons on lsts of numbers. For example, we compute the sum of a set of numbers, or the sum of the

More information

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U)

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U) Econ 413 Exam 13 H ANSWERS Settet er nndelt 9 deloppgaver, A,B,C, som alle anbefales å telle lkt for å gøre det ltt lettere å stå. Svar er gtt . Unfortunately, there s a prntng error n the hnt of

More information

Lecture 4: Universal Hash Functions/Streaming Cont d

Lecture 4: Universal Hash Functions/Streaming Cont d CSE 5: Desgn and Analyss of Algorthms I Sprng 06 Lecture 4: Unversal Hash Functons/Streamng Cont d Lecturer: Shayan Oves Gharan Aprl 6th Scrbe: Jacob Schreber Dsclamer: These notes have not been subjected

More information

= z 20 z n. (k 20) + 4 z k = 4

= z 20 z n. (k 20) + 4 z k = 4 Problem Set #7 solutons 7.2.. (a Fnd the coeffcent of z k n (z + z 5 + z 6 + z 7 + 5, k 20. We use the known seres expanson ( n+l ( z l l z n below: (z + z 5 + z 6 + z 7 + 5 (z 5 ( + z + z 2 + z + 5 5

More information

Improving the Round Complexity of VSS in Point-to-Point Networks

Improving the Round Complexity of VSS in Point-to-Point Networks Improvng the Round Complexty of VSS n Pont-to-Pont Networks Jonathan Katz Chu-Yuen Koo Rant Kumaresan Abstract We revst the followng queston: what s the optmal round complexty of verfable secret sharng

More information

3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X

3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X Statstcs 1: Probablty Theory II 37 3 EPECTATION OF SEVERAL RANDOM VARIABLES As n Probablty Theory I, the nterest n most stuatons les not on the actual dstrbuton of a random vector, but rather on a number

More information

TOPICS MULTIPLIERLESS FILTER DESIGN ELEMENTARY SCHOOL ALGORITHM MULTIPLICATION

TOPICS MULTIPLIERLESS FILTER DESIGN ELEMENTARY SCHOOL ALGORITHM MULTIPLICATION 1 2 MULTIPLIERLESS FILTER DESIGN Realzaton of flters wthout full-fledged multplers Some sldes based on support materal by W. Wolf for hs book Modern VLSI Desgn, 3 rd edton. Partly based on followng papers:

More information

Structure and Drive Paul A. Jensen Copyright July 20, 2003

Structure and Drive Paul A. Jensen Copyright July 20, 2003 Structure and Drve Paul A. Jensen Copyrght July 20, 2003 A system s made up of several operatons wth flow passng between them. The structure of the system descrbes the flow paths from nputs to outputs.

More information

Assortment Optimization under MNL

Assortment Optimization under MNL Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.

More information

C/CS/Phy191 Problem Set 3 Solutions Out: Oct 1, 2008., where ( 00. ), so the overall state of the system is ) ( ( ( ( 00 ± 11 ), Φ ± = 1

C/CS/Phy191 Problem Set 3 Solutions Out: Oct 1, 2008., where ( 00. ), so the overall state of the system is ) ( ( ( ( 00 ± 11 ), Φ ± = 1 C/CS/Phy9 Problem Set 3 Solutons Out: Oct, 8 Suppose you have two qubts n some arbtrary entangled state ψ You apply the teleportaton protocol to each of the qubts separately What s the resultng state obtaned

More information

Complete subgraphs in multipartite graphs

Complete subgraphs in multipartite graphs Complete subgraphs n multpartte graphs FLORIAN PFENDER Unverstät Rostock, Insttut für Mathematk D-18057 Rostock, Germany Floran.Pfender@un-rostock.de Abstract Turán s Theorem states that every graph G

More information

Formulas for the Determinant

Formulas for the Determinant page 224 224 CHAPTER 3 Determnants e t te t e 2t 38 A = e t 2te t e 2t e t te t 2e 2t 39 If 123 A = 345, 456 compute the matrx product A adj(a) What can you conclude about det(a)? For Problems 40 43, use

More information

Kernel Methods and SVMs Extension

Kernel Methods and SVMs Extension Kernel Methods and SVMs Extenson The purpose of ths document s to revew materal covered n Machne Learnng 1 Supervsed Learnng regardng support vector machnes (SVMs). Ths document also provdes a general

More information

Module 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur

Module 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur Module 3 LOSSY IMAGE COMPRESSION SYSTEMS Verson ECE IIT, Kharagpur Lesson 6 Theory of Quantzaton Verson ECE IIT, Kharagpur Instructonal Objectves At the end of ths lesson, the students should be able to:

More information

Numerical Heat and Mass Transfer

Numerical Heat and Mass Transfer Master degree n Mechancal Engneerng Numercal Heat and Mass Transfer 06-Fnte-Dfference Method (One-dmensonal, steady state heat conducton) Fausto Arpno f.arpno@uncas.t Introducton Why we use models and

More information

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE Analytcal soluton s usually not possble when exctaton vares arbtrarly wth tme or f the system s nonlnear. Such problems can be solved by numercal tmesteppng

More information

EEE 241: Linear Systems

EEE 241: Linear Systems EEE : Lnear Systems Summary #: Backpropagaton BACKPROPAGATION The perceptron rule as well as the Wdrow Hoff learnng were desgned to tran sngle layer networks. They suffer from the same dsadvantage: they

More information

A Commitment-Consistent Proof of a Shuffle

A Commitment-Consistent Proof of a Shuffle A Commtment-Consstent Proof of a Shuffle Douglas Wkström CSC KTH Stockholm, Sweden dog@csc.kth.se Aprl 2, 2011 Abstract We ntroduce a pre-computaton technque that drastcally reduces the onlne computatonal

More information

arxiv:quant-ph/ Jul 2002

arxiv:quant-ph/ Jul 2002 Lnear optcs mplementaton of general two-photon proectve measurement Andrze Grudka* and Anton Wóck** Faculty of Physcs, Adam Mckewcz Unversty, arxv:quant-ph/ 9 Jul PXOWRZVNDR]QDRODQG Abstract We wll present

More information

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results.

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results. Neural Networks : Dervaton compled by Alvn Wan from Professor Jtendra Malk s lecture Ths type of computaton s called deep learnng and s the most popular method for many problems, such as computer vson

More information

PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM

PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM Alexandros Papankolaou and Song Y. Yan Department of Computer Scence, Aston Unversty, Brmngham B4 7ET, UK 24 October 2000, Receved 26 June 2001 Abstract

More information

Chapter 11: Simple Linear Regression and Correlation

Chapter 11: Simple Linear Regression and Correlation Chapter 11: Smple Lnear Regresson and Correlaton 11-1 Emprcal Models 11-2 Smple Lnear Regresson 11-3 Propertes of the Least Squares Estmators 11-4 Hypothess Test n Smple Lnear Regresson 11-4.1 Use of t-tests

More information

Lecture 4. Instructor: Haipeng Luo

Lecture 4. Instructor: Haipeng Luo Lecture 4 Instructor: Hapeng Luo In the followng lectures, we focus on the expert problem and study more adaptve algorthms. Although Hedge s proven to be worst-case optmal, one may wonder how well t would

More information

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016 CS 29-128: Algorthms and Uncertanty Lecture 17 Date: October 26, 2016 Instructor: Nkhl Bansal Scrbe: Mchael Denns 1 Introducton In ths lecture we wll be lookng nto the secretary problem, and an nterestng

More information

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013 COS 511: heoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 15 Scrbe: Jemng Mao Aprl 1, 013 1 Bref revew 1.1 Learnng wth expert advce Last tme, we started to talk about learnng wth expert advce.

More information

HMMT February 2016 February 20, 2016

HMMT February 2016 February 20, 2016 HMMT February 016 February 0, 016 Combnatorcs 1. For postve ntegers n, let S n be the set of ntegers x such that n dstnct lnes, no three concurrent, can dvde a plane nto x regons (for example, S = {3,

More information

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton

More information

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009 College of Computer & Informaton Scence Fall 2009 Northeastern Unversty 20 October 2009 CS7880: Algorthmc Power Tools Scrbe: Jan Wen and Laura Poplawsk Lecture Outlne: Prmal-dual schema Network Desgn:

More information

Lecture Notes on Linear Regression

Lecture Notes on Linear Regression Lecture Notes on Lnear Regresson Feng L fl@sdueducn Shandong Unversty, Chna Lnear Regresson Problem In regresson problem, we am at predct a contnuous target value gven an nput feature vector We assume

More information

5 The Rational Canonical Form

5 The Rational Canonical Form 5 The Ratonal Canoncal Form Here p s a monc rreducble factor of the mnmum polynomal m T and s not necessarly of degree one Let F p denote the feld constructed earler n the course, consstng of all matrces

More information

A Novel Feistel Cipher Involving a Bunch of Keys supplemented with Modular Arithmetic Addition

A Novel Feistel Cipher Involving a Bunch of Keys supplemented with Modular Arithmetic Addition (IJACSA) Internatonal Journal of Advanced Computer Scence Applcatons, A Novel Festel Cpher Involvng a Bunch of Keys supplemented wth Modular Arthmetc Addton Dr. V.U.K Sastry Dean R&D, Department of Computer

More information

Lecture 17 : Stochastic Processes II

Lecture 17 : Stochastic Processes II : Stochastc Processes II 1 Contnuous-tme stochastc process So far we have studed dscrete-tme stochastc processes. We studed the concept of Makov chans and martngales, tme seres analyss, and regresson analyss

More information

COMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS

COMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS Avalable onlne at http://sck.org J. Math. Comput. Sc. 3 (3), No., 6-3 ISSN: 97-537 COMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS

More information

Markov Chain Monte Carlo Lecture 6

Markov Chain Monte Carlo Lecture 6 where (x 1,..., x N ) X N, N s called the populaton sze, f(x) f (x) for at least one {1, 2,..., N}, and those dfferent from f(x) are called the tral dstrbutons n terms of mportance samplng. Dfferent ways

More information

The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL

The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL The Synchronous 8th-Order Dfferental Attack on 12 Rounds of the Block Cpher HyRAL Yasutaka Igarash, Sej Fukushma, and Tomohro Hachno Kagoshma Unversty, Kagoshma, Japan Emal: {garash, fukushma, hachno}@eee.kagoshma-u.ac.jp

More information

Learning Theory: Lecture Notes

Learning Theory: Lecture Notes Learnng Theory: Lecture Notes Lecturer: Kamalka Chaudhur Scrbe: Qush Wang October 27, 2012 1 The Agnostc PAC Model Recall that one of the constrants of the PAC model s that the data dstrbuton has to be

More information

One-sided finite-difference approximations suitable for use with Richardson extrapolation

One-sided finite-difference approximations suitable for use with Richardson extrapolation Journal of Computatonal Physcs 219 (2006) 13 20 Short note One-sded fnte-dfference approxmatons sutable for use wth Rchardson extrapolaton Kumar Rahul, S.N. Bhattacharyya * Department of Mechancal Engneerng,

More information

An efficient algorithm for multivariate Maclaurin Newton transformation

An efficient algorithm for multivariate Maclaurin Newton transformation Annales UMCS Informatca AI VIII, 2 2008) 5 14 DOI: 10.2478/v10065-008-0020-6 An effcent algorthm for multvarate Maclaurn Newton transformaton Joanna Kapusta Insttute of Mathematcs and Computer Scence,

More information

Module 2. Random Processes. Version 2 ECE IIT, Kharagpur

Module 2. Random Processes. Version 2 ECE IIT, Kharagpur Module Random Processes Lesson 6 Functons of Random Varables After readng ths lesson, ou wll learn about cdf of functon of a random varable. Formula for determnng the pdf of a random varable. Let, X be

More information

Errors for Linear Systems

Errors for Linear Systems Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch

More information

Fundamental loop-current method using virtual voltage sources technique for special cases

Fundamental loop-current method using virtual voltage sources technique for special cases Fundamental loop-current method usng vrtual voltage sources technque for specal cases George E. Chatzaraks, 1 Marna D. Tortorel 1 and Anastasos D. Tzolas 1 Electrcal and Electroncs Engneerng Departments,

More information

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of

More information

Homomorphic Trapdoor Commitments to Group Elements

Homomorphic Trapdoor Commitments to Group Elements Homomorphc Trapdoor Commtments to Group Elements Jens Groth Unversty College London j.groth@ucl.ac.uk Abstract We present homomorphc trapdoor commtments to group elements. In contrast, prevous homomorphc

More information

Min Cut, Fast Cut, Polynomial Identities

Min Cut, Fast Cut, Polynomial Identities Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.

More information

Module 9. Lecture 6. Duality in Assignment Problems

Module 9. Lecture 6. Duality in Assignment Problems Module 9 1 Lecture 6 Dualty n Assgnment Problems In ths lecture we attempt to answer few other mportant questons posed n earler lecture for (AP) and see how some of them can be explaned through the concept

More information

Linear Regression Analysis: Terminology and Notation

Linear Regression Analysis: Terminology and Notation ECON 35* -- Secton : Basc Concepts of Regresson Analyss (Page ) Lnear Regresson Analyss: Termnology and Notaton Consder the generc verson of the smple (two-varable) lnear regresson model. It s represented

More information

On the Multicriteria Integer Network Flow Problem

On the Multicriteria Integer Network Flow Problem BULGARIAN ACADEMY OF SCIENCES CYBERNETICS AND INFORMATION TECHNOLOGIES Volume 5, No 2 Sofa 2005 On the Multcrtera Integer Network Flow Problem Vassl Vasslev, Marana Nkolova, Maryana Vassleva Insttute of

More information

Chapter 13: Multiple Regression

Chapter 13: Multiple Regression Chapter 13: Multple Regresson 13.1 Developng the multple-regresson Model The general model can be descrbed as: It smplfes for two ndependent varables: The sample ft parameter b 0, b 1, and b are used to

More information

More metrics on cartesian products

More metrics on cartesian products More metrcs on cartesan products If (X, d ) are metrc spaces for 1 n, then n Secton II4 of the lecture notes we defned three metrcs on X whose underlyng topologes are the product topology The purpose of

More information

CHAPTER 14 GENERAL PERTURBATION THEORY

CHAPTER 14 GENERAL PERTURBATION THEORY CHAPTER 4 GENERAL PERTURBATION THEORY 4 Introducton A partcle n orbt around a pont mass or a sphercally symmetrc mass dstrbuton s movng n a gravtatonal potental of the form GM / r In ths potental t moves

More information

Stanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7

Stanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7 Stanford Unversty CS54: Computatonal Complexty Notes 7 Luca Trevsan January 9, 014 Notes for Lecture 7 1 Approxmate Countng wt an N oracle We complete te proof of te followng result: Teorem 1 For every

More information

CSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography

CSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography CSc 6974 and ECSE 6966 Math. Tech. for Vson, Graphcs and Robotcs Lecture 21, Aprl 17, 2006 Estmatng A Plane Homography Overvew We contnue wth a dscusson of the major ssues, usng estmaton of plane projectve

More information

Lecture Space-Bounded Derandomization

Lecture Space-Bounded Derandomization Notes on Complexty Theory Last updated: October, 2008 Jonathan Katz Lecture Space-Bounded Derandomzaton 1 Space-Bounded Derandomzaton We now dscuss derandomzaton of space-bounded algorthms. Here non-trval

More information

Provable Security Signatures

Provable Security Signatures Provable Securty Sgnatures UCL - Louvan-la-Neuve Wednesday, July 10th, 2002 LIENS-CNRS Ecole normale supéreure Summary Introducton Sgnature FD PSS Forkng Lemma Generc Model Concluson Provable Securty -

More information

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.265/15.070J Fall 2013 Lecture 12 10/21/2013. Martingale Concentration Inequalities and Applications

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.265/15.070J Fall 2013 Lecture 12 10/21/2013. Martingale Concentration Inequalities and Applications MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.65/15.070J Fall 013 Lecture 1 10/1/013 Martngale Concentraton Inequaltes and Applcatons Content. 1. Exponental concentraton for martngales wth bounded ncrements.

More information

On a direct solver for linear least squares problems

On a direct solver for linear least squares problems ISSN 2066-6594 Ann. Acad. Rom. Sc. Ser. Math. Appl. Vol. 8, No. 2/2016 On a drect solver for lnear least squares problems Constantn Popa Abstract The Null Space (NS) algorthm s a drect solver for lnear

More information

Statistics II Final Exam 26/6/18

Statistics II Final Exam 26/6/18 Statstcs II Fnal Exam 26/6/18 Academc Year 2017/18 Solutons Exam duraton: 2 h 30 mn 1. (3 ponts) A town hall s conductng a study to determne the amount of leftover food produced by the restaurants n the

More information

Affine transformations and convexity

Affine transformations and convexity Affne transformatons and convexty The purpose of ths document s to prove some basc propertes of affne transformatons nvolvng convex sets. Here are a few onlne references for background nformaton: http://math.ucr.edu/

More information

Improving the Round Complexity of VSS in Point-to-Point Networks

Improving the Round Complexity of VSS in Point-to-Point Networks Improvng the Round Complexty of VSS n Pont-to-Pont Networks Jonathan Katz Chu-Yuen Koo Rant Kumaresan Abstract We revst the followng queston: what s the optmal round complexty of verfable secret sharng

More information

A Threshold Digital Signature Issuing Scheme without Secret Communication

A Threshold Digital Signature Issuing Scheme without Secret Communication A Threshold Dgtal Sgnature Issung Scheme wthout Secret Communcaton Kazuo Takarag, Kunhko Myazak, Masash Takahash Systems Development Laboratory, Htach, Ltd e-mal: {takara, kunhko, takahas}@sdlhtachcop

More information

Recover plaintext attack to block ciphers

Recover plaintext attack to block ciphers Recover plantext attac to bloc cphers L An-Png Bejng 100085, P.R.Chna apl0001@sna.com Abstract In ths paper, we wll present an estmaton for the upper-bound of the amount of 16-bytes plantexts for Englsh

More information

Impossible differential attacks on 4-round DES-like ciphers

Impossible differential attacks on 4-round DES-like ciphers INENAIONA JOUNA OF COMPUES AND COMMUNICAIONS Volume 9, 2015 Impossble dfferental attacks on 4-round DES-lke cphers Pavol Zajac Abstract Data Encrypton Standard was a man publc encrypton standard for more

More information

Introduction to Algorithms

Introduction to Algorithms Introducton to Algorthms 6.046J/8.40J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) Our focus: effcency of

More information

Lecture 10 Support Vector Machines II

Lecture 10 Support Vector Machines II Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed

More information

Psychology 282 Lecture #24 Outline Regression Diagnostics: Outliers

Psychology 282 Lecture #24 Outline Regression Diagnostics: Outliers Psychology 282 Lecture #24 Outlne Regresson Dagnostcs: Outlers In an earler lecture we studed the statstcal assumptons underlyng the regresson model, ncludng the followng ponts: Formal statement of assumptons.

More information

Week 5: Neural Networks

Week 5: Neural Networks Week 5: Neural Networks Instructor: Sergey Levne Neural Networks Summary In the prevous lecture, we saw how we can construct neural networks by extendng logstc regresson. Neural networks consst of multple

More information

Homework Assignment 3 Due in class, Thursday October 15

Homework Assignment 3 Due in class, Thursday October 15 Homework Assgnment 3 Due n class, Thursday October 15 SDS 383C Statstcal Modelng I 1 Rdge regresson and Lasso 1. Get the Prostrate cancer data from http://statweb.stanford.edu/~tbs/elemstatlearn/ datasets/prostate.data.

More information

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard

More information

Message modification, neutral bits and boomerangs

Message modification, neutral bits and boomerangs Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental

More information

A new construction of 3-separable matrices via an improved decoding of Macula s construction

A new construction of 3-separable matrices via an improved decoding of Macula s construction Dscrete Optmzaton 5 008 700 704 Contents lsts avalable at ScenceDrect Dscrete Optmzaton journal homepage: wwwelsevercom/locate/dsopt A new constructon of 3-separable matrces va an mproved decodng of Macula

More information

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal Inner Product Defnton 1 () A Eucldean space s a fnte-dmensonal vector space over the reals R, wth an nner product,. Defnton 2 (Inner Product) An nner product, on a real vector space X s a symmetrc, blnear,

More information

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4)

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4) I. Classcal Assumptons Econ7 Appled Econometrcs Topc 3: Classcal Model (Studenmund, Chapter 4) We have defned OLS and studed some algebrac propertes of OLS. In ths topc we wll study statstcal propertes

More information

MMA and GCMMA two methods for nonlinear optimization

MMA and GCMMA two methods for nonlinear optimization MMA and GCMMA two methods for nonlnear optmzaton Krster Svanberg Optmzaton and Systems Theory, KTH, Stockholm, Sweden. krlle@math.kth.se Ths note descrbes the algorthms used n the author s 2007 mplementatons

More information

SL n (F ) Equals its Own Derived Group

SL n (F ) Equals its Own Derived Group Internatonal Journal of Algebra, Vol. 2, 2008, no. 12, 585-594 SL n (F ) Equals ts Own Derved Group Jorge Macel BMCC-The Cty Unversty of New York, CUNY 199 Chambers street, New York, NY 10007, USA macel@cms.nyu.edu

More information

Improved Integral Cryptanalysis of FOX Block Cipher 1

Improved Integral Cryptanalysis of FOX Block Cipher 1 Improved Integral Cryptanalyss of FOX Block Cpher 1 Wu Wenlng, Zhang Wentao, and Feng Dengguo State Key Laboratory of Informaton Securty, Insttute of Software, Chnese Academy of Scences, Bejng 100080,

More information

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA 4 Analyss of Varance (ANOVA) 5 ANOVA 51 Introducton ANOVA ANOVA s a way to estmate and test the means of multple populatons We wll start wth one-way ANOVA If the populatons ncluded n the study are selected

More information

Communication Complexity 16:198: February Lecture 4. x ij y ij

Communication Complexity 16:198: February Lecture 4. x ij y ij Communcaton Complexty 16:198:671 09 February 2010 Lecture 4 Lecturer: Troy Lee Scrbe: Rajat Mttal 1 Homework problem : Trbes We wll solve the thrd queston n the homework. The goal s to show that the nondetermnstc

More information

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k.

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k. THE CELLULAR METHOD In ths lecture, we ntroduce the cellular method as an approach to ncdence geometry theorems lke the Szemeréd-Trotter theorem. The method was ntroduced n the paper Combnatoral complexty

More information
