Practical and Secure Solutions for Integer Comparison

Transcription

1 In Publc Key Cryptography PKC 07, Vol of Lecture Notes n Computer Scence, Sprnger-Verlag, pp Practcal and Secure Solutons for Integer Comparson Juan Garay 1, erry Schoenmakers 2, and José Vllegas 2 1 ell Labs Alcatel-Lucent, 600 Mountan Ave., Murray Hll, NJ garay@research.bell-labs.com 2 Dept. of Mathematcs and Computng Scence, TU Endhoven, P.O. ox 513, 5600 M Endhoven, The Netherlands berry@wn.tue.nl, j.a.vllegas@tue.nl Abstract. Yao s classcal mllonares problem s about securely determnng whether x > y, gven two nput values x, y, whch are held as prvate nputs by two partes, respectvely. The output x > y becomes known to both partes. In ths paper, we consder a varant of Yao s problem n whch the nputs x, y as well as the output bt x > y are encrypted. Referrng to the framework of secure n-party computaton based on threshold homomorphc cryptosystems as put forth by Cramer, Damgård, and Nelsen at Eurocrypt 2001, we develop solutons for nteger comparson, whch take as nput two lsts of encrypted bts representng x and y, respectvely, and produce an encrypted bt ndcatng whether x > y as output. Secure nteger comparson s an mportant buldng block for applcatons such as secure auctons. In ths paper, our focus s on the two-party case, although most of our results extend to the mult-party case. We propose new logarthmc-round and constant-round protocols for ths settng, whch acheve smultaneously very low communcaton and computatonal complextes. We analyze the protocols n detal and show that our solutons compare favorably to other known solutons. Key words: Mllonares problem; secure mult-party computaton; homomorphc encrypton. 1 Introducton The mllonares problem, ntroduced by Yao [Yao82], nvolves two partes who want to compare ther rches: they wsh to know who s rcher but do not want to dsclose any other nformaton about ther rches to each other. More formally, the problem s to fnd a two-party protocol for the secure evaluaton of the functon f(x, y) = [x > y] where the bracket notaton [], for a condton, s defned by [] = 1 f holds and [] = 0 otherwse (ths s called Iverson s conventon; see [Knu97]). Rather than requrng that the nputs x and y are actually known as prvate nputs to the partes, we wll work n the more general settng where the

2 nputs are not necessarly known to the partes runnng the protocol. Instead, the nputs to the protocol may be gven as encrypted values only, and the output wll also be made avalable n encrypted form. Note that the nputs to our protocols wll actually be encryptons of the ndvdual bts, representng the ntegers to be compared. For these encryptons we wll use a threshold homomorphc cryptosystem, as n the framework of secure n-party computaton based on threshold homomorphc cryptosystems put forth by Cramer, Damgård, and Nelsen [CDN01]. In lne wth ths, we consder the case of an actve, statc adversary 3,.e., we consder the malcous case. Requrng () that the nputs are gven n encrypted form (wthout anyone knowng these nputs) and () that the output bt [x > y] also be encrypted (wthout anyone learnng ts value) sets our problem settng apart from the settng of Yao s paper [Yao82] and much of the follow-up lterature. Indeed, consder computng [x = y] n the case of encrypted nputs but publc output, where the followng well-known soluton works. Let [M ] denote a (probablstc) encrypton of a message M n a threshold homomorphc cryptosystem. Gven encryptons [[x] and [y ], the encrypton [[x y ] s publcly computed. Furthermore, the partes jontly compute an encrypton [r ] for a (jontly) random r. Usng one nvocaton of a secure multplcaton protocol, the partes then produce encrypton [(x y)r ], whch s jontly decrypted. If the result s 0, then x = y; otherwse, x y, and the result s a random number. In contrast, when the output s requred n encrypted form, such smple solutons are not known and typcally protocols (ncludng ours) work over the encrypted values of the bnary representaton of the nputs x and y. Furthermore, unlke many publcatons on the mllonares problem, we consder the malcous case rather than the sem-honest (or honest-but-curous) case. 1.1 Our contrbutons The contrbutons of ths paper are as follows: A logarthmc-round protocol for secure nteger comparson, whch s based on an elegant oolean crcut for nteger comparson of depth log 2 m for m-bt ntegers. In addton, the sze of the crcut s only 3m (countng the number of secure multplcaton gates). The crcut can be readly used as a drop-n replacement for the O(1)-depth crcut for nteger comparson n [DFK + 06], whch s only of theoretcal nterest as t uses 19 rounds and 22m secure multplcatons. Note that the depth of our log-depth crcut exceeds ther constant-depth crcut for nteger comparson only f the nputs consst of ntegers of bt length m = 2 20 or longer.) A constant-round protocol for secure nteger comparson for whch the number of rounds s a small constant and the number of secure multplcatons s 3 In prncple, the case of adaptve adversares could be handled at the expense of addtonal tools (e.g., [DN00,DN03,GMY03]); n ths paper we focus on the statc (and stand-alone) case.

3 a small multple of m. Our constant-round soluton s restrcted to the case of two partes (or, rather, any constant number of partes). Our protocol bulds on a protocol by lake and Kolesnkov [K04] for nteger comparson for a dfferent settng. In partcular, we provde an effcent technque for securely returnng the output bt n an encrypted form. We lke to stress that applcaton of our log-depth crcut s not restrcted to the framework of [CDN01]: the crcut can be used n any framework for secure n-party computaton that assumes that the functon to be computed s gven as a crcut. In partcular, the log-depth crcut can be used for secure computaton based on verfable secret sharng, thus yeldng solutons whch are uncondtonally secure rather than computatonally secure, as descrbed n ths paper. Furthermore, the proof of securty of our constant-round protocol s nterestng n ts own rght. Theorem 1, as explaned below, essentally captures the securty of the protocol n a modular way. Here, we have adopted the approach suggested recently n [ST06], and we show how the requred smulator can be bult even though our protocol s of a much dfferent nature than the ones n [ST06]. 1.2 Related work There appear to be only a few publcatons n the lterature whch consder encrypted nputs and outputs for nteger comparson. Above we have already mentoned the work of Damgård et al. [DFK + 06]. The man dfference s that they work n an uncondtonal settng, reflected by the use of sharngs for an underlyng lnear secret sharng scheme, whle we work n the cryptographc model where we use encryptons for an underlyng threshold homomorphc cryptosystem. Together wth a secure multplcaton protocol for a homomorphc threshold ElGamal scheme, Schoenmakers and Tuyls [ST04] also present a soluton for secure nteger comparson for encrypted nputs and outputs. Ther soluton, however, requres a lnear (O(m)) number of rounds and secure multplcaton gates. Wth more relaxed requrements than ours, randt [ra06] presents a soluton where the nputs are encrypted but the output s n the clear for both partcpants, and furthermore, t s not 0 or 1 but nstead 0 or random, whch lmts ts applcablty. A dfferent approach to solve the nteger comparson problem s when one of the partes acts as a server. In ths settng, say, Alce knows the prvate keys to open encryptons and ob works over hs nput bts and Alce s encrypted nput bts to produce some nformaton that allows Alce to know the output of the functon beng evaluated. Examples of these approaches to nteger comparson are presented n [DC00,Fs01,K04,LT05]. In contrast to our solutons, these solutons do not provde encrypted output and the actual encrypted nputs are known to the partes runnng the protocols.

4 1.3 Organzaton of the paper The rest of the paper s organzed as follows. In Secton 2 we ntroduce the man buldng blocks used by our protocols and we gve some background on threshold homomorphc cryptosystems. In Secton 3 we present our two new protocols for nteger comparson, together wth ther proof of securty (specfcally, of the second protocol, as the proof of the frst protocol follows drectly from the securty guarantees provded by the [CDN01] settng). We conclude n Secton 4 wth a bref performance analyss and comparson to exstng results. 2 Prelmnares Our results apply to any threshold homomorphc cryptosystem, such as those based on ElGamal or Paller. It s assumed that a secure multplcaton protocol s avalable, as n [CDN01,ST04]. Snce we only need secure multplcaton of bnary values, we use the condtonal gate of [ST04], whch allows for an effcent mplementaton based on threshold homomorphc ElGamal whch n turn allows for the use of ellptc curves, hence yeldng compact and effcent mplementatons. We wrte [x] for a (probablstc) encrypton of the value x, usng the publc key of the underlyng threshold homomorphc ElGamal cryptosystem. Further, let Z q denote the message space, for a large prme q (of, say, sze 160 bts). The cyclc group G used for ElGamal s also of order q, and we assume that elements of G are represented usng q bts only (whch s the case for ellptc curves). Thus, an ElGamal encrypton consstng of two group elements s of sze 2 q. In order to wthstand actve attacks, we use Σ-protocols [CDS94], a standard type of zero-knowledge proofs/arguments. Assumng the random oracle model, all proofs can be converted nto non-nteractve ones and can be smulated easly. As mentoned above, we make use of secure multplcaton gates whch on nput [x] and [y ] allows two or more partes (who share the prvate key of the underlyng threshold homomorphc cryptosystem) to jontly compute an encrypton [[xy ]. Secure multplcaton gates can be mplemented n a constant number of rounds [CDN01], usng the Paller cryptosystem. Usng a number of rounds lnear n the number of partes (whch s constant n case of two-party computaton), the condtonal gate [ST04] can be used nstead, n case one of the multplcands s from a two-valued doman (e.g., f x {0, 1}). Furthermore, n case one of nputs, say, x s prvate to one of the partes, a smplfed multplcaton protocol can be used wth no nteracton between the partes. The protocol conssts n lettng the party knowng the prvate value x broadcast a re-encrypton of [xy ] = [y ] x usng the homomorphc propertes of the scheme, and generate a Σ-proof showng that [xy ] was correctly computed wth respect to [x] and [y ]. Followng [ST04], we wll refer to ths protocol as the prvate-multpler gate. For the performance comparsons presented at the end of ths paper, we wll assume a setup usng a (2,2)-threshold homomorphc ElGamal cryptosystem.

5 We note that n ths case a condtonal gate requres about 50 exponentatons and 34 q bts of communcaton, per nvocaton. Smlarly, a prvate-multpler gate requres about 10 exponentatons and 6 q bts of communcaton, per nvocaton. In the same settng, a threshold decrypton requres 6 exponentatons and 6 q bts of communcaton. A fnal tool that we wll use are verfable mxes [SK95], a tool for verfably mxng lsts of cphertexts. More formally, a verfable mx takes as nput a lst of encryptons [x 1 ],..., [x m ], and produces another lst of encryptons [x 1 ],..., [x m ] as output such that [[x π(1) ] = [x 1 ] [0],..., [x π(m) ] = [x m ] [0] for some random permutaton π of {1,..., m}. Here, each occurrence of [0]] denotes a probablstc encrypton of 0. A verfable mx also outputs a non-nteractve zero-knowledge proof (for whch we assume the random-oracle model throughout). For concreteness, we assume Groth s effcent proof [Gro03], whch for our settng requres about 14m exponentatons and s of sze 6m q bts. We are now ready to descrbe our protocols for nteger comparson. 3 New Solutons to the Integer Comparson Problem In ths secton we present two new protocols for nteger comparson followng dfferent approaches. In both cases, the nputs x and y are gven as sequences of encrypted bts, [x m 1 ],..., [x 0 ] and [y m 1 ],..., [y 0 ], wth x = m 1 =0 x 2, y = m 1 =0 y 2. The output s [[x > y]]. Hence, both nputs and output are avalable n encrypted form only. As a startng pont and for later comparson, we frst the lnear-depth crcut of [ST04] for computng x > y, usng smple arthmetc gates only (addton, subtracton, condtonal gates). The crcut (or, oblvous program) s fully descrbed by the followng recurrence: t 0 = 0, t +1 = (1 (x y ) 2 )t + x (1 y ), where t m s the output bt (hence t m = [x > y]). Rather than startng from the most sgnfcant bt, ths crcut computes [x > y] startng from the least sgnfcant bt. Although somewhat counterntutve, the advantage of ths approach s that the crcut contans 2m 1 condtonal gates only (compared to about 3m condtonal gates when startng from the most sgnfcant bt, see [ST04]). A dsadvantage s that the depth of the crcut s m, hence nducng a crtcal path of m sequental secure multplcatons (the terms [x 1 y 1 ],...,[x m y m ] can be computed n parallel, but the computaton of t 1,..., t m must be done sequental). The computatonal complexty and communcaton complexty of a protocol for nteger comparson based on ths crcut s thus determned by the work requred for the condtonal gates. For later comparson, n the two-party case, we have about 100m exponentatons and 68m q bts of communcaton and a lnear number of rounds.

6 3.1 Logarthmc round complexty wth low computatonal complexty The result n ths secton shows how to reduce the depth of the crcut to O(log m) wthout ncreasng ts sze beyond O(m). The dea reles on the followng smple but crucal property of nteger comparson. Wrte x = X 1 X 0 and y = Y 1 Y 0 as bt strngs, where 0 X 1 = Y 1 m and 0 X 0 = Y 0 m. Then, { [X1 > Y [x > y] = 1 ], X 1 Y 1 ; [X 0 > Y 0 ], X 1 = Y 1, whch may be arthmetzed as [x > y] = [X 1 > Y 1 ] + [X 1 = Y 1 ][X 0 > Y 0 ]. Ths property suggests a protocol that would frst splt the bt strngs x and y n about equally long parts, compare these parts recursvely, and then combne these to produce the fnal output. To evaluate the expresson for [x > y] usng smple arthmetc gates, we ntroduce the followng auxlary functon: z(x, y) = [x = y] = 1 (x y) 2 Let t,j stand for the value of > when appled to the substrngs x +j 1,..., x +1, x and y +j 1,..., y +1, y. Expressed explctly n terms of the bts of x and y, a full soluton for [x > y] s obtaned by evaluatng t 0,m from (usng l = j/2 ) 4 : { x x t,j = y, j = 1; t +l,j l + z +l,j l t,l, j > 1. { 1 x + 2x z,j = y y, j = 1; z +l,j l z,l, j > 1. Correctness of the computaton should be mmedate, and ts securty follows from the securty guarantees provded by the framework we are consderng [CDN01], assumng secure arthmetc gates. Regardng overhead, the number of condtonal gates requred for z,j s 2j 1. The number of condtonal gates for t,j s j 1, not countng the condtonal gates for z. Thus, the total number of condtonal gates for t 0,m s bounded above by 3m 2. About log 2 m condtonal gates can be saved by observng that some z-values are not needed for the evaluaton of t. The computatonal and communcaton complextes are domnated by the number of condtonal gates. In the worst case, 3m 2 condtonal gates are requred, resultng n about 150m exponentatons and 102m q broadcast bts. 4 Any value l, 0 < l < j, actually works, but only l j/2 gves logarthmc depth. The msb-to-lsb and lsb-to-msb crcuts n [ST04] are specal cases, obtaned respectvely by settng l = 1 and l = j 1.

7 The depth of the crcut s exactly log 2 m, hence O(log m) wth hdden constant equal to 1 for the base-2 logarthm. As a further remark we note that ths log-depth crcut allows for the computaton of sgn(x y) at vrtually no extra cost. Here, sgn(z) s the sgnum functon, whch s equal to the sgn of z (whch s equal to 1 f z < 0, 0 f z = 0, and 1 f z > 0). Ths follows form the fact that the crcut also computes [x = y], next to [x > y], hence one obtans sgn(x y) = 2[x > y] 1 + [x = y] as well. 3.2 Constant round complexty wth low computatonal complexty In ths secton we seek to reduce the round complexty to O(1), adoptng an approach qute dfferent from the one above. We consder the problem of computng [[x > y]] n the two-party case, and we wsh to acheve a low, constant-round complexty whle keepng the sze of the crcut small as well. Frst, we note that the O(1)-depth and O(m)-sze crcut for nteger comparson of [DFK + 06] s only of theoretcal nterest to us: the depth of the crcut s actually 19, and ts sze s 22m (only countng secure multplcaton gates). For a result that possbly competes wth our logarthmc soluton we take the protocol for condtonal oblvous transfer of lake and Kolesnkov [K04] (where the condton s also an nteger comparson) as a startng pont. The man dea n that protocol s to calculate the frst poston where the bts of x and y dffer, startng from the most-sgnfcant bt. Let be that poston; then x y { 1, 1} ndcates whether x > y or not. Jumpng ahead a lttle, the poston wll be determned as the unque ndex satsfyng γ = 1 (whch s guaranteed to exst f we assume x y; see below). Of course, the value of must reman hdden, whch s acheved by the partes randomly permutng (.e., mxng) the relevant sequences. The protocol s descrbed n detal below. As sad above, our startng pont s the protocol n [K04] for the passve adversary settng. New ngredents nclude the fact that we allow for encrypted nputs [x] and [y ], rather than prvate nputs x and y. Accordngly, we use a (2,2)-threshold homomorphc cryptosystem nstead of just a homomorphc cryptosystem, and we use secure multplcaton (condtonal gates). Furthermore, we use a specfc knd of blndng at the end of the protocol n order to extract the outcome of the nteger comparson n encrypted form. Fnally, as an mportant dfference, we can actually use other homomorphc cryptosystems, such as ElGamal, whereas [K04] makes essental use of Paller. Constant-round protocol. The protocol conssts of the followng steps: 1. Usng m condtonal gates, partes A and jontly compute [f ] = [[x y ]]. Then they publcly compute the γ-sequence: [γ m ] = [0]; [γ ] = [2γ +1 + f ], for = m 1,..., For = m 1,..., 0, party A broadcasts [r A ] for random ra R Z q and produces sequence [u A ] = [ra (γ 1)] usng a prvate-multpler gate.

8 3. Party does the same wth [r ] producng sequence [[u ] = [r (γ 1)], where r R Z q. Now they publcly produce sequence [u ] = [u A ][u ][x y ] = [(r A + r )(γ 1) + (x y )]. 4. Party A verfably mxes sequence [u ] producng sequence [u ]. 5. Party verfably mxes sequence [u ] producng sequence [v ]. Now, partes A and take turns to multply ths last sequence by a randomly selected number n { 1, 1}: 6. Party A broadcasts [s A ], s A R { 1, 1}, and uses a prvate-multpler gate to produce sequence [v ] = [s A v ]. A proof that [s A ] s an encrypton of ether 1 or 1 s also gven. 7. Party does the same, broadcastng [s ], s R { 1, 1}, and producng sequence [w ] = [s v ] along wth the requred proofs. 8. Fnally, partes A and proceed to decrypt the sequence [w ] untl they fnd the unque ndex satsfyng w { 1, 1}. The output s defned as [(v + 1)/2]. The value v s ether 1 or 1, hence (v + 1)/2 s ether 0 or 1. Ths lnear transformaton can be done for free because of homomorphc propertes. The above protocol assumes that x y, n order that ndex s well defned. If x = y, then no entry n the w-sequence wll be equal to 1 or 1. One can put sentnels to resolve possble equalty, by settng f 1 = 1 and u 1 = (r 1 A + r 1)(γ 1) + 1. The rest of the protocol s adapted accordngly. In case the output need not be encrypted, steps 6 and 7 are omtted, and the partcpants drectly open the sequence v to fnd the poston where v s n { 1, 1}, where 1 means that x s less than or equal to y, and 1 means x s greater than y. For the complextes, the number of rounds for the protocol s small: at most 9 rounds (two rounds for the condtonal gates n step 1, and one round for each of the subsequent steps). For the number of exponentatons, we have 50m for the condtonal gates (step 1), 40m for the multplcaton gates (steps 2, 3, 6, and 7), 28m for the verfable mxes, and 3m for the decrypton (m/2 expected decryptons), whch amounts to 124m exponentatons n total. Smlarly, 77m q s the number of bts of communcaton. We have omtted further optmzatons for clarty of exposton. The protocol easly extends to the multparty case, but snce the mxng s done sequentally, constant round complexty s not acheved (note that secure multplcaton gates can be constant-round even n the mult-party case f Paller encrypton s used, as n [CDN01]). Proof of securty. For the proof of securty, we want to be able to smulate ths protocol assumng that one of the partcpants s corrupted. The dea s to gve the smulator the nputs [x ] and [y ] n such a way that a consstent vew of the protocol can be constructed wthout makng use of the prvate nformaton of the honest partcpant. We frst revew the smulaton requrements for the buldng blocks. In order to smulate a condtonal gate, encryptons [[x] and [y ] are requred, as well

9 as one encrypton of [xy ] wth the requrement that x { 1, 1} (or, any other two-value doman) and the contents of the encryptons are consstent. The actual values x,y and xy need not be known. The same holds for the prvate multpler gate, where n ths case the proof of knowledge of, say, x s smulated. For a threshold decrypton, we need to provde both [x] and x to the correspondng smulator. We now turn to the overall smulaton strategy. We note that one problem already arses at the frst step of the protocol: n order to smulate the condtonal gate nvocatons n Step 1, the smulator has to produce [x y ] only gven [x ] and [y ], whch s mpossble! We crcumvent such problems by adoptng the approach recently ntroduced n [ST06], n whch t s explaned that smulaton for nput/output pars of a specal form (see Theorem 1 below) suffce to ensure ntegraton wth the framework of [CDN01]. Ths s a consequence of the fact that the securty proof n [CDN01] centers around the constructon of a so-called YAD b dstrbuton, whch s defned as a functon of an encrypted bt [b]. The structure of the securty proof [CDN01] follows an deal-model/realmodel approach. The YAD 0 dstrbuton s dentcal to the dstrbuton of the deal case, whereas the YAD 1 dstrbuton s statstcally ndstngushable from the dstrbuton n the real case. Therefore, f an adversary can dstngush between the deal/real cases, t mples that the adversary can dstngush the YAD 0 dstrbuton from the YAD 1 dstrbuton. ut as the choce between these two dstrbutons s determned by the value of the encrypted bt b, t follows that the dstngusher for the deal/real cases s a dstngusher for the underlyng encrypton scheme. And ths s done n tght way,.e., wthout loss n the success probablty for the dstngusher. (See [CDN01,ST06] for more detals.) Thus, t s suffcent to show a smulaton for nputs of a specal form, namely, [ x] = [(1 b)x (0) + bx (1) ], where x (0) and x (1) are gven n the clear to the smulator, but b s only gven n encrypted form [b]. The values x (0) and x (1) correspond to the values arsng n the YAD 0 and YAD 1 cases, respectvely. Theorem 1. Gven nput values x (0), y (0), x (1) and y (1) and an encrypton [b] wth b {0, 1} the above protocol can be smulated statstcally ndstngushably for nputs [ x ] = [(1 b)x (0) + bx (1) ] and [ỹ ] = [(1 b)y (0) + by (1) ]. Proof. Let x (0), y (0), x (1) and y (1) and encrypton [b] wth b {0, 1} be gven. Assumng that party A s corrupted, the smulaton works as follows: 1. For Step 1, we rely on the smulator for the condtonal gates, whch we need to provde wth the nputs [ x ] and [ỹ ] and the correspondng output [ f ] = [ x ỹ ]. The latter values are computed as [(1 b)x (0) y (0) + bx (1) y (1) ], usng [b] and the homomorphc propertes of the cryptosystem. Smlarly, the smulator also computes [ γ ] = [(1 b)γ (0) +bγ (1) ]. Let and 1 denote the ndces such that γ (0) = γ (1) 1 = 1 as these values are known to the smulator. 2. Next, we let party A do her work. She wll broadcast [ r A ] and [ũa ], for all. The values r A can be extracted by rewndng the proof of knowledge of the prvate-multpler nvocaton.

10 3. The dea of ths step s to generate values r (j) such that the smulator may put equal values (up to sgn) n the u-sequences, whch wll later decrypt to the same value ndependently of b. For ths the smulator does the followng. Frst, he selects s (0) R { 1, 1}. The value of s (1) depends on the result of the comparson of x (0) aganst y (0), and x (1) aganst y (1). If both comparsons have the same result, then s (1) = s(0), otherwse s(1) = s(0). Now the smulator selects r (0) the followng: (a) u (0) s (0) = u(1) s (1) (b) u (1) s (1) = u(0) 1 s (0), for {, 1 }; ; (c) u (0) s (0) = u(1) 1 s (1). Frst, we note that, for j = 0, 1: u (j) = ( r A + r (j), r (1) n such a way that u (0) and u (1) )(γ (j) 1) + (x (j) y (j) ). satsfy For case (a) we essentally need that s (0) s(1) u(0) = u (1), whch means that s (0) ( s(1) ( r A +r (0) )(γ (0) 1)+(x (0) y (0) ) ) =( r A +r (1) )(γ (1) 1)+(x (1) y (1) ), where {, 1 }. Ths can be acheved by frst selectng r (0) at random, and then solatng and obtanng r (1) (whch n turn s random n each selecton of b). Smlarly, n case (b), we requre that s (1) s(0) u(1) = u (0) 1, whch s equvalent to s (1) s(0) ( ( r A 0 +r (1) )(γ (1) 1)+(x (1) y (1) ) ) =( r A 1 +r (0) 1 )(γ (0) 1 1)+(x (0) 1 y (0) 1 ), and t s solved as n case (a). For case (c), just takng r (0) and r (1) 1 at random s enough: n those postons the γ-sequences take the value 1 and the randomzaton s lost when consderng u-sequences. The smulator now prepares [ r ] as [(1 b)r(0) + br (1) ] and [ũ ] as [ r ( γ 1)], for all. These encrypted values are broadcast, and the smulator for the prvate-multpler gate s nvoked, wth multplcands [ r ] and [ γ ], and result [(1 b)r (0) γ (0) + br (1) γ (1) ]. The sequence [ũ ] s constructed as n the protocol: [ũ ] = [ũ A ][ũ ][ x ỹ ]. y constructon, t follows that [ũ ] = [(1 b)u (0) + bu (1) ], for all. 4. The smulator lets party A mx the sequence [ũ ], producng a new sequence [ũ ]. The smulator can also extract the permutaton π A that lnks both sequences. 5. Now the smulator randomly selects two ndces, call them ĩ and ĩ, and constructs two permutatons π (0) and π(1) as follows:

11 π (0) (π A( )) = π (1) (π A( 1 )) = ĩ ; π (0) (π A( 1 )) = π (1) (π A( )) = ĩ ; for the remanng postons the permutatons are randomly defned under the condton that π (0) (π A()) = π (1) (π A()), {, 1 }. The next step s to call the smulator of the mx proof dependng on [b], because the smulator wll never know whch permutaton, π (0) actually used. For ths, he constructs the sequences v (j) = u (j) π 1 A (π(j) or π(1), s 1, for ()) j = 0, 1, and then defnes the sequence [ṽ ] = [(1 b)v (0) + bv (1) ], for all. Wth the mxed sequence broadcast by party A n the prevous step and ths last sequence, the smulator now calls the smulator for the mx proof. 6. Party A multples the entre sequence [ṽ ] by a number s A (whch s extracted from the correspondng prvate-multpler proof for [ s A ]), resultng n sequence [ṽ ]. 7. Now the smulator has almost all the work already done. At ths stage he constructs [ s ] = [(1 b)s (0) + bs(1) ], and broadcasts t. Then he constructs the sequence [ w ] = [(1 b)v (0) s A s (0) + bv(1) s A s (1) ]. Note that ṽ = ṽ s A. The prvate-multpler smulator s now nvoked on nputs [ s ] and [ṽ ], and output [ w ]. 8. To smulate the last step, the smulator can lnk back the plantext of encryptons [ w ] by usng permutaton π A π (j), for j = 0, 1; note that the sgn of these values s affected by the factor s A. Thus, w (j) = s A s (j) u(j) π 1 A (π(j) 1, ()) for all, due to the constructon at step 5. Moreover, the plantexts n [w (0) ] and [w (1) ] are equal, as a result of the work of the smulator at step 3. It also follows that w (0) = w (1) = w, ndependently of [b]. Hence, the smulator for the threshold decrypton s called, for nstance, over nputs [ w ] and s A s (0) u(0) π 1 A (π(0) 1. ()) The values generated n ths way by the smulator are consstent, and therefore an adversary cannot statstcally dstngush them from the ones resultng n a real executon. The case when party s corrupted s smlar wth some mnor dfferences, due to the order n whch tasks are executed. Ths completes the proof. 4 Conclusons In ths paper we have presented two new solutons to the nteger comparson problem. Our frst soluton acheves a logarthmc round complexty of exactly log 2 m rounds for m-bt ntegers, whereas the second soluton acheves a constant number of rounds (n the two-party case). In Table 1 we show a comparson

12 Integer Comparson Soluton No. Exponentatons roadcast ts Lnear-depth crcut [ST04] 100m 68m q Logarthmc-depth crcut 150m 102m q Constant-round protocol (two-party) 124m 77m q Table 1. Comparson of dfferent secure solutons for [x > y] between the dfferent solutons presented n ths paper and the lnear-depth crcut of [ST04]. Evdently, gong below O(m) rounds comes at the cost of an ncrease n computatonal and communcaton complexty. For the constant round soluton, the addtonal costs are smaller than for the logarthmc round soluton; however, the logarthmc round soluton also apples to the mult-party case. From a practcal pont of vew, our mult-party logarthmc-depth soluton s very good compared to the known results so far: communcaton and computaton are are only 50% worse than for a lnear-depth soluton. Even though O(1)-round s not acheved ths way, the number of rounds s very low when consderng ntegers x and y of practcal sze, e.g., m = 32 or m = 64, n whch cases the depth s only 5 and 6, respectvely. References [K04] I. lake and V. Kolesnkov. Strong condtonal oblvous transfer and computng on ntervals. In Advances n Cryptology ASIACRYPT 04, volume 3329 of Lecture Notes n Computer Scence, pages , erln, Sprnger-Verlag. [ra06] F. randt. Effcent cryptographc protocol desgn based on dstrbuted El Gamal encrypton. In Informaton Securty and Cryptology - ICISC 2005, volume 3935 of Lecture Notes n Computer Scence, pages Sprnger- Verlag, [CDN01] R. Cramer, I. Damgård, and J.. Nelsen. Multparty computaton from threshold homomorphc encrypton. In Advances n Cryptology EUROCRYPT 01, volume 2045 of Lecture Notes n Computer Scence, pages , erln, Sprnger-Verlag. Full verson eprnt.acr.org/2000/055, October 27, [CDS94] R. Cramer, I. Damgård, and. Schoenmakers. Proofs of partal knowledge and smplfed desgn of wtness hdng protocols. In Advances n Cryptology CRYPTO 94, volume 839 of Lecture Notes n Computer Scence, pages , erln, Sprnger-Verlag. [DFK + 06] I. Damgård, M. Ftz, E. Kltz, J.. Nelsen, and T. Toft. Uncondtonally secure constant-rounds mult-party computaton for equalty, comparson, bts and exponentaton. In Proc. 3rd Theory of Cryptography Conference, TCC 2006, volume 3876 of Lecture Notes n Computer Scence, pages , erln, Sprnger-Verlag. [DN00] I. Damgård and J. Nelsen. Improved non-commttng encrypton schemes based on a general complexty assumpton. In Advances n Cryptology

13 Crypto 2000, volume 1880 of Lecture Notes n Computer Scence, pages Sprnger, [DN03] I. Damgård and J.. Nelsen. Unversally composable effcent multparty computaton from threshold homomorphc encrypton. In Advances n Cryptology CRYPTO 03, volume 2729 of Lecture Notes n Computer Scence, pages , erln, Sprnger-Verlag. [DC00] G. D Crescenzo. Prvate Selectve Payment Protocols. In FC 00: Proc. 4th Internatonal Conference on Fnancal Cryptography, Lecture Notes n Computer Scence, pages 72 89, London, 2001, Sprnger-Verlag. [Fs01] M. Fschln. A cost-effectve pay-per-multplcaton comparson method for mllonares. In Progress n Cryptology CT-RSA 2001, volume 2020 of Lecture Notes n Computer Scence, pages , erln, Sprnger- Verlag. [GMY03] J. Garay, P. MacKenze, and K. Yang. Strengthenng zero-knowledge protocols usng sgnatures. In Advances n Cryptology Eurocrypt 2003, volume 2656, pages Sprnger, [Gro03] J. Groth. A verfable secret shuffle of homomorphc encryptons. In Publc Key Cryptography PKC 03, volume 2567 of Lecture Notes n Computer Scence, pages , erln, Sprnger-Verlag. [Knu97] D. E. Knuth. The Art of Computer Programmng (Vol. 1: Fundamental Algorthms). Addson Wesley, Readng (MA), 3rd edton, [LT05] H. Ln and W. Tzeng. An effcent soluton to the mllonares problem based on homomorphc encrypton. In ACNS 2005, volume 3531 of Lecture Notes n Computer Scence, pages Sprnger-Verlag, [SK95] K. Sako and J. Klan. Recept-free mx-type votng scheme a practcal soluton to the mplementaton of a votng booth. In Advances n Cryptology EUROCRYPT 95, volume 921 of Lecture Notes n Computer Scence, pages , erln, Sprnger-Verlag. [ST04]. Schoenmakers and P. Tuyls. Practcal two-party computaton based on the condtonal gate. In Advances n Cryptology ASIACRYPT 04, volume 3329 of Lecture Notes n Computer Scence, pages , erln, Sprnger-Verlag. [ST06]. Schoenmakers and P. Tuyls. Effcent bnary converson for Paller encryptons. In Advances n Cryptology EUROCRYPT 06, volume 4004 of Lecture Notes n Computer Scence, pages , erln, Sprnger- Verlag. [Yao82] A. Yao. Protocols for secure computatons. In Proc. 23rd IEEE Symposum on Foundatons of Computer Scence (FOCS 82), pages IEEE Computer Socety, 1982.