Analysis of the Protocols

Since $a_i = b_j$ if and only if $h(a_i)^{\alpha\beta} = h(b_j)^{\alpha\beta}$, we have $B_2 \cap A_2 \neq \emptyset$ if and only if $B \cap A \neq \emptyset$.

Therefore, at the end of the protocol, both parties will learn the correct value of f (A, B), if both parties follow the protocol exactly.
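The identity the correctness argument rests on, worked through as an added example (this is not code from the thesis): Alice blinds her hashed elements with $\alpha$, Bob blinds his with $\beta$, each side applies its own exponent to the other's message, and the doubly blinded sets $A_2$ and $B_2$ are compared for a common element. The group $\mathbb{Z}_p^*$ with $p = 2^{127}-1$, the hash-to-group encoding and the exact message flow are assumptions of this example, chosen so it runs offline.

```python
import hashlib
import math
import secrets

# Pedagogical group (assumption of this example): Z_p^* for the Mersenne
# prime p = 2^127 - 1. A deployment would use a prime-order group where the
# decisional Diffie-Hellman assumption is believed to hold.
P = (1 << 127) - 1


def h(x: str) -> int:
    """Hash an element into a nonzero residue mod p (constructed encoding)."""
    d = int.from_bytes(hashlib.sha256(x.encode()).digest(), "big")
    return d % (P - 1) + 1                      # value in [1, p-1]


def random_exponent() -> int:
    """Secret exponent coprime to p-1, so x -> x^e permutes Z_p^*.

    The permutation property is what makes h(a)^(alpha*beta) = h(b)^(alpha*beta)
    hold if and only if h(a) = h(b)."""
    while True:
        e = secrets.randbelow(P - 1) + 1
        if math.gcd(e, P - 1) == 1:
            return e


def blind(values, exponent: int):
    """Raise every group element in `values` to `exponent` mod p."""
    return [pow(v, exponent, P) for v in values]


def set_disjointness(A, B) -> int:
    """Return f(A, B): 1 if A and B intersect, 0 otherwise.

    Alice holds A and alpha, Bob holds B and beta. Only doubly blinded
    values are ever compared; a singly blinded value of Alice's is not
    comparable with a singly blinded value of Bob's."""
    alpha, beta = random_exponent(), random_exponent()

    a1 = blind([h(a) for a in A], alpha)        # Alice -> Bob: h(a_i)^alpha
    b1 = blind([h(b) for b in B], beta)         # Bob -> Alice: h(b_j)^beta

    A2 = set(blind(a1, beta))                   # Bob:   h(a_i)^(alpha beta)
    B2 = set(blind(b1, alpha))                  # Alice: h(b_j)^(alpha beta)

    # At most |A|*|B| membership checks, independent of the element domain.
    return 1 if any(b in A2 for b in B2) else 0
```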

Now, we argue that our second protocol achieves almost complete fairness. If both Alice and Bob honestly execute the protocol, both of them can certainly obtain the correct result. However, Alice or Bob may abort the protocol during execution after she (or he) is 100% sure about the result. This is analyzed in the following two conditions.

1. At the moment that Alice is 100% sure about $f(A, B)$, she immediately aborts the protocol. This happens when the last element of $B_2$ has been checked for its membership in $A_2$. Let $b = T[k]$ be the last element in $B_2$ for membership checking. That is, each element in $B_2 \setminus \{b\}$ appears in $T[l]$ for some $l < k$.

When Alice aborts the protocol after knowing whether b = T [k] is in A2, Bob already knows that f (A, B) is the result of this round. Thus, Alice does not have any advantage over Bob.

2. Bob is 100% sure about $f(A, B)$. This happens either when Bob knows $f(A, B) = 1$ and refuses to tell Alice the correct result, or when Bob is 100% sure that all elements in $B_2$ have been compared with $A_2$. In the first case, Alice should assume that $A \cap B \neq \emptyset$; otherwise, Bob gains no advantage by aborting the protocol. In the second case, Bob cannot be sure that all elements in $B_2$ have been compared until the last round, which is not known to him except when $w = 2n$. Thus, when $w = 2n$ and $z = 2n$, Bob gains an advantage by aborting the protocol before Alice knows that $f(A, B) = 0$. However, the probability that $w = z = 2n$ is negligible when n is large enough.

Note that Bob can refuse to tell Alice the correct result by abnormally terminating the protocol or by sending wrong information to Alice in the equality testing protocol, as noted above.

In our protocol, Bob would gain the advantage of knowing $f(A, B) = 0$ before Alice with 100% certainty if and only if $w = 2n$ and $b = T[w]$ never appears in the other entries of T.

Let p be the probability of this event. The value of p can be computed as follows. The probability that $w = 2n$ is $1/n$. The probability that the last position is selected is $\binom{w-1}{n-1}$. Therefore, the value of p is negligible when n is large.

If the value of n is small, we may need to increase the value of w to reduce the value of p. Let w = kn for some k > 2. Then, Therefore, if k is large then the value of p is negligible.

5.3 Performance Analysis of the Protocol

Recall that m and n are the cardinalities of the sets A and B, respectively. Since $n < w \le 2n$, the protocol needs at most $2mn$ comparisons of elements. Each comparison needs O(1) modular exponentiation operations [1]. Thus, the protocol needs O(mn) modular exponentiation operations, which is more efficient than the first protocol.

Chapter 6

Conclusions and Future Works

We have presented two secure two-party computation protocols for determining whether the intersection of two sets is empty or not. The first one has the property of complete fairness, and the second one has almost complete fairness. The first protocol needs more computation, while the second one needs less.

Both our protocols need only O(mn) comparisons of elements. This is independent of the size of the domain from which the sets A and B are drawn.

It is known that the millionaires' problem can be reduced to the set intersection problem. Our protocols can be used to solve the millionaires' problem more efficiently, especially when the size of the domain is large.

We also show that when A and B each contain only one element of a two-element set U, the problem cannot be computed securely with complete fairness. However, when the cardinality of U is very large, this case of the set disjointness problem is equivalent to the equality test problem, which can be computed with complete fairness.

The following are plausible subjects for future research.

1. Design a protocol for computing set intersection,

2. Design a protocol for computing the cardinality of the intersection of sets,

3. Extend our two-party protocol to three-party and any k-party computation protocols for k > 3,

4. Find other functions which have completely fair secure computation protocols.

Bibliography

[1] Fabrice Boudot, Berry Schoenmakers, and Jacques Traoré. A fair and efficient solution to the socialist millionaires' problem. Discrete Applied Mathematics, 111:23–36, 2001.

[2] Richard Cleve. Limits on the security of coin flips when half the processors are faulty. In Proceedings of the 18th Annual ACM Symposium on Theory of Computing, pages 364–369. ACM, 1986.

[3] S. Dov Gordon, Carmit Hazay, Jonathan Katz, and Yehuda Lindell. Complete fairness in secure two-party computation. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, pages 413–422. ACM, May 2008.

[4] Hsiao-Ying Lin and Wen-Guey Tzeng. An efficient solution to the millionaires' problem based on homomorphic encryption. In ACNS 2005, volume 3531 of Lecture Notes in Computer Science, pages 456–466, 2005.

[5] Yehuda Lindell. Parallel coin-tossing and constant-round secure two-party computation. Journal of Cryptology, 16(3):143–184, 2003.

[6] Yehuda Lindell and Benny Pinkas. A proof of security of Yao's protocol for two-party computation. Journal of Cryptology, 22:161–188, 2009.

[7] Moni Naor and Benny Pinkas. Oblivious polynomial evaluation. SIAM Journal on Computing, 35(5):1245–1281, 2006.

[8] C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991.

[9] Andrew C. Yao. Protocols for secure computations. In Proceedings of the 23rd Annual Symposium on Foundations of Computer Science, pages 160–164. IEEE, 1982.

[10] Andrew C. Yao. How to generate and exchange secrets. In Proceedings of the 27th Annual Symposium on Foundations of Computer Science, pages 162–167. IEEE, 1986.

[11] Qingsong Ye, Huaxiong Wang, and Christophe Tartary. Privacy-preserving distributed set intersection. In Proceedings of the 3rd International Conference on Availability, Reliability and Security, pages 1332–1339. IEEE, 2008.