Secure comparison is a fundamental problem in secure computation and privacy preserving data mining. In his seminal paper on secure computation (Yao, 1982), Yao proposed the Millionaires' problem, in which two millionaires wish to know who is richer but without revealing their asset values. The original solution is exponential in time and space. Several efficient protocols have been proposed and they focus on the case when each party knows one number (Lin et al., 2005). The new secure comparison protocol presented in the previous section assumes that we use the additive secret-sharing scheme based on homomorphic encryption and that the numbers are secrets split between two parties. The adoption of homomorphic encryption enables efficient implementation of secure multiplication, which is a basic and almost indispensable operation in the design of privacy preserving data mining protocols. The new protocol assumes that both the input numbers and the output result are secrets split between two parties, so that it can be used as a subprotocol in other privacy preserving data mining protocols.

Bunn et al. (2007) proposed a secure comparison protocol based on homomorphic encryption in the development of their secure k-means protocol. Their comparison protocol assumes that two secrets $x, y \in [0, 2^L)$ are split between two parties and the comparison result is that $r = 0$ if $x < y$, $r = 1$ if $x > y$, and $r$ takes 0 or 1 randomly when $x = y$. The result $r$ is also a secret split between Alice and Bob.

Bunn et al. first proposed a secure protocol to privately transform a secret $x$ into its binary representation. It is assumed that the secret $x \in [0, N/2)$ and $x \in [0, 2^L)$. If we let $\alpha = 0$ if $x_A, x_B \in [0, N/2)$ and $\alpha = 1$ otherwise, then $x = x_A + x_B - \alpha N$. Let $x^A_L x^A_{L-1} \ldots x^A_1$ and $x^B_L x^B_{L-1} \ldots x^B_1$ be the lowest $L$ bits of $x_A$ and $x_B$, respectively, and $p = p_L p_{L-1} \ldots p_1$ be the lowest $L$ bits of $2^K - N$. Then the binary representation of $x$ is computed as follows:

$$
\begin{array}{rl}
 & x^A_L x^A_{L-1} \ldots x^A_1 \\
 & x^B_L x^B_{L-1} \ldots x^B_1 \\
+ & \alpha * (p_L p_{L-1} \ldots p_1) \\
\hline
x = & x_L x_{L-1} \ldots x_1
\end{array}
$$

The authors didn't give the exact details of how to compute the above formula. One possible way is to use lines 11-16 in Protocol 3.1 to perform binary addition twice, which takes $4L + O(1)$ secure multiplications. I present the secure transformation protocol in Protocol 3.2. In the protocol, $\beta = 1 - \alpha$.

Protocol 3.2 Secure transformation protocol

Input: a secret integer $x$ such that $0 \le x < 2^L$ and $0 \le x < N/2$ is split between Alice and Bob, $x = x_A + x_B \pmod N$.

Output: the binary representation of $x$, $x = x_L \ldots x_1$, whose bits $x_i$ are secrets split between Alice and Bob.

1: Alice: $\beta_1 = 1$ if $x_A < N/2$ and $\beta_1 = 0$ otherwise.
2: Bob: $\beta_2 = 1$ if $x_B < N/2$ and $\beta_2 = 0$ otherwise.
3: Alice and Bob use secure multiplication (Protocol 2.1) to securely compute $\beta = \beta_1 \beta_2$. Alice obtains $\beta_A$ and Bob obtains $\beta_B$ such that $\beta = \beta_A + \beta_B \pmod N$.
4: Alice: let $p = p_L \ldots p_1$ be the lowest $L$ bits of $x_A$.
5: Bob: let $q = q_L \ldots q_1$ be the lowest $L$ bits of $x_B$.
6: $c_0 = 0$
7: for $i = 1$ to $L$ do
8:     $c_i = p_i c_{i-1} + q_i (p_i + c_{i-1} - p_i c_{i-1} - p_i c_{i-1})$
9:     $d_i = p_i + q_i + c_{i-1} - c_i - c_i$
10: end for
11: for $i = 1$ to $L$ do
12:     if the $i$-th bit of $(2^K - N)$ is 1 then
13:         $s_i = 1 - \beta$
14:     else
15:         $s_i = 0$
16:     end if
17: end for
18: $c_0 = 0$
19: for $i = 1$ to $L$ do
20:     $c_i = d_i c_{i-1} + s_i (d_i + c_{i-1} - d_i c_{i-1} - d_i c_{i-1})$
21:     $x_i = d_i + s_i + c_{i-1} - c_i - c_i$
22: end for

Lines 4-10 compute $d_L \ldots d_1$, the binary representation of $d = x_A + x_B$. Lines

$2^K - N$. In line 12, if the $i$-th bit of $(2^K - N)$ is 1, Alice sets $s_{i,A} = (1 - \beta_A) \bmod N$ and Bob sets $s_{i,B} = (-\beta_B) \bmod N$; otherwise, Alice and Bob set their shares of $s_i$ as 0. $s = s_L \ldots s_1$ is the binary representation of $\alpha(2^K - N)$. Lines 18-22 compute the binary representation of $x = d + s$.

Alternatively, we can compute the binary representation of $x_A + x_B$, denoted by $u_L u_{L-1} \ldots u_1$, using lines 4-10; we then compute the binary representation of $x_A + x_B + 2^K - N$, denoted by $v_L v_{L-1} \ldots v_1$, using lines 4-10 with $x_B$ replaced by $x_B + 2^K - N$. The $i$-th bit of $x$ is then $(1 - \alpha) u_i + \alpha v_i$. When we use precomputation techniques as we discuss in the previous subsection, this implementation may be more efficient because in line 8, $p_i$ and $q_i$ are numbers known by one party and the secure multiplication can be simplified, while in line 20, both $d_i$ and $c_i$ are secrets.
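Protocol 3.2 run end to end on additive shares, as an added example that is not code from the thesis or from Bunn et al. The modulus `N`, the choice `K = N.bit_length()` and the helper names are assumptions, and `mul` is an ideal stand-in for Protocol 2.1 (which is not shown on this page): it recombines, multiplies and re-shares, so it models the functionality and its invocation count only.

```python
import secrets

N, L = 1019, 8        # constructed toy modulus; secrets satisfy x < 2^L and x < N/2
K = N.bit_length()    # assumption: K is the bit length of N, so 2^K > N and K >= L
MULTS = 0             # number of secure-multiplication invocations

def share(v):
    a = secrets.randbelow(N)
    return (a, (v - a) % N)          # (Alice's share, Bob's share)

def reveal(s):
    return (s[0] + s[1]) % N

def add(s, t):
    return ((s[0] + t[0]) % N, (s[1] + t[1]) % N)

def sub(s, t):
    return ((s[0] - t[0]) % N, (s[1] - t[1]) % N)

def mul(s, t):
    """Ideal stand-in for the secure multiplication of Protocol 2.1."""
    global MULTS
    MULTS += 1
    return share(reveal(s) * reveal(t) % N)

def ripple_add(u, v):
    """Lines 6-10 and 18-22: add shared bit vectors (LSB first), dropping the last carry."""
    c, out = (0, 0), []
    for ui, vi in zip(u, v):
        uc = mul(ui, c)
        c_new = add(uc, mul(vi, sub(sub(add(ui, c), uc), uc)))
        out.append(sub(sub(add(add(ui, vi), c), c_new), c_new))
        c = c_new
    return out

def transform(xA, xB):
    beta = mul((int(2 * xA < N), 0), (0, int(2 * xB < N)))      # lines 1-3
    p = [((xA >> i) & 1, 0) for i in range(L)]                  # line 4: Alice's bits
    q = [(0, (xB >> i) & 1) for i in range(L)]                  # line 5: Bob's bits
    d = ripple_add(p, q)                                        # lines 6-10
    m = (1 << K) - N
    s = [sub((1, 0), beta) if (m >> i) & 1 else (0, 0) for i in range(L)]  # lines 11-17
    return ripple_add(d, s)                                     # lines 18-22

def run(x):
    """Share x, run the transformation, return (recombined value, multiplications used)."""
    global MULTS
    MULTS = 0
    bits = transform(*share(x))
    return sum(reveal(b) << i for i, b in enumerate(bits)), MULTS
```

Because the shares are drawn at random, repeated runs exercise both the $\alpha = 0$ and the $\alpha = 1$ case; each run uses $4L + 1$ multiplications, matching the $4L + O(1)$ count.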

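After transforming $x$ and $y$ into their binary representations, $x = x_L \ldots x_1$ and $y = y_L \ldots y_1$, Bunn et al. used the following formula to compare $x$ and $y$:

$$
\begin{aligned}
r ={}& (x_L \oplus y_L)\, x_L + (x_L \oplus y_L \oplus 1)(x_{L-1} \oplus y_{L-1})\, x_{L-1} \\
&+ (x_L \oplus y_L \oplus 1)(x_{L-1} \oplus y_{L-1} \oplus 1)(x_{L-2} \oplus y_{L-2})\, x_{L-2} + \cdots \\
&+ (x_L \oplus y_L \oplus 1) \cdots (x_2 \oplus y_2 \oplus 1)(x_1 \oplus y_1)\, x_1 \\
&+ (x_L \oplus y_L \oplus 1) \cdots (x_1 \oplus y_1 \oplus 1)\, t,
\end{aligned}
$$

where $t$ takes 0 or 1 randomly and $\oplus$ is the XOR operation. Note that $a \oplus b = a + b - 2ab$. This formula needs $4L + O(1)$ invocations of secure multiplication. So the secure comparison protocol takes $12L + O(1)$ secure multiplications in total.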

Qi et al. (2008) proposed another secure protocol for comparison when Alice holds $x$ and Bob holds $y$. Let $c_j$ ($d_j$) be 1 if the integer with binary representation $x_j \ldots x_1$ is greater (smaller) than the integer with binary representation $y_j \ldots y_1$. They used the following formula to compute $c_L$ and $d_L$. If $j = 1$ then

$$c_j = x_j (1 - y_j), \quad d_j = y_j (1 - x_j).$$

If $j > 1$ then

$$c_j = (1 - d_{j-1})(c_{j-1} + (1 - c_{j-1} x_j (1 - y_j))),$$

$$d_j = (1 - c_{j-1})(d_{j-1} + (1 - d_{j-1} y_j (1 - x_j))).$$

The above formula needs $6L + O(1)$ multiplications. When the secrets $x$ and $y$

representations. So the secure comparison protocol takes $14L + O(1)$ secure multiplications.

The three secure comparison protocols discussed so far are all based on homomorphic encryption. S. From (2006) proposed a secure multi-party comparison protocol based on Shamir's polynomial secret-sharing scheme. Suppose that two integers $x, y \in [0, 2^L)$ have binary representations $x = x_L x_{L-1} \ldots x_1$ and $y = y_L y_{L-1} \ldots y_1$, respectively. To compare $x$ and $y$, we only need to compute the $(L+1)$-th bit of $2^L + x - y$. It is 1 if $y \le x$ and 0 otherwise. This can be computed by usual binary additions. When the polynomials are defined on the Galois field $GF(2^8)$, which has characteristic 2, S. From (2006) used the following formula to compute the $i$-th carry-over bit

$$c_i = x_i y_i + c_{i-1}(x_i + y_i),$$

which requires $2L$ multiplications. When the polynomials are defined over any prime field $Z_p$, S. From used the following formula:

$$c_i = x_i y_i + x_i c_{i-1} + y_i c_{i-1} - 2 x_i y_i c_{i-1},$$

which requires $4L$ multiplications. As the formula in line 14 in Protocol 3.1 shows, this can be achieved with only $2L$ multiplications.
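The comparison formulas above, checked on cleartext bits with a multiplication counter, as an added example that is not code from the thesis or the cited papers. It covers both the Bunn et al. formula for $r$ and S. From's carry-based comparison. The prime `P`, the function names and the way $2^L + x - y$ is evaluated (as $x + (2^L - 1 - y) + 1$ with initial carry 1) are assumptions, and each `mul` call stands for one secure multiplication.

```python
P = 257                       # constructed small prime; bits are the elements 0 and 1 of Z_p
count = {"mul": 0}            # each mul() stands for one secure multiplication

def mul(a, b):
    count["mul"] += 1
    return a * b % P

def bits(v, L):               # LSB first: index 0 holds bit 1 of the page's notation
    return [(v >> i) & 1 for i in range(L)]

def bunn_r(x, y, L, t):
    """Bunn et al. formula: 1 if x > y, 0 if x < y, t if x == y."""
    xb, yb = bits(x, L), bits(y, L)
    r, eq = 0, 1              # eq = product of (x_j XOR y_j XOR 1) over the bits above i
    for i in reversed(range(L)):
        diff = (xb[i] + yb[i] - 2 * mul(xb[i], yb[i])) % P   # a XOR b = a + b - 2ab
        r = (r + mul(mul(eq, diff), xb[i])) % P
        eq = mul(eq, 1 - diff)
    return (r + mul(eq, t)) % P

def carry_char2(a, b, c):     # c_i = a b + c (a + b) in characteristic 2: + is XOR
    count["mul"] += 2
    return (a & b) ^ (c & (a ^ b))

def carry_zp(a, b, c):        # c_i = a b + a c + b c - 2 a b c over Z_p, 4 multiplications
    ab = mul(a, b)
    return (ab + mul(a, c) + mul(b, c) - 2 * mul(ab, c)) % P

def carry_two_mul(a, b, c):   # same form as line 8 of Protocol 3.2, 2 multiplications
    ac = mul(a, c)
    return (ac + mul(b, a + c - 2 * ac)) % P

def from_ge(x, y, L, carry):
    """(L+1)-th bit of 2^L + x - y, taken as the carry out of x + (2^L - 1 - y) + 1."""
    c = 1                     # the trailing +1 enters as the initial carry
    for xi, yi in zip(bits(x, L), bits(y, L)):
        c = carry(xi, 1 - yi, c)   # 1 - y_i is bit i of 2^L - 1 - y
    return c

def cost(fn, *args):
    """Return (result, number of multiplications used)."""
    count["mul"] = 0
    return fn(*args), count["mul"]
```

For $L = 4$ the counts are 17 for the Bunn et al. formula, 16 for the $Z_p$ carry rule, and 8 for both the characteristic-2 rule and the two-multiplication form.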

Nishide et al. (2007) proposed secure comparison protocols based on Shamir's secret-sharing scheme. Their method is derived from interval testing. In their paper the polynomials are defined over some large field $Z_p$ ($p$ is a prime number) so that all the considered integers are in $Z_p$. In contrast, S. From used polynomials over the small field $GF(2^8)$ to represent secrets of single bits.

Note that both in the additive secret-sharing scheme based on homomorphic encryption and in Shamir's polynomial secret-sharing scheme, the secure comparison protocols presented here are all implemented using secure multiplication. However, the implementations of secure multiplication in these two schemes are different. In the additive secret-sharing scheme, the implementation of secure multiplication is based on the homomorphic property of cryptosystems; in Shamir's secret-sharing scheme, secure multiplication is implemented via multiplication of polynomials. Note that in Shamir's sharing scheme, secure multiplication and hence secure comparison don't work in two-party cases. In contrast, the additive secret-sharing scheme can be used in two-party cases.