National Chiao Tung University
Institute of Computer Science and Engineering
Master's Thesis

Fair Protocols for Computing Whether Two Sets Intersect
Fairness of Secure Computation Protocols for Disjointness of Two Sets

Student: Albert Guan (官振傑)
Advisor: Prof. Wen-Guey Tzeng (曾文貴)

A Thesis
Submitted to Institute of Computer Science and Engineering
College of Computer Science
National Chiao Tung University
in Partial Fulfillment of the Requirements
for the Degree of
Master
in
Computer Science
June 2010
Hsinchu, Taiwan, Republic of China
Abstract
Given two finite nonempty sets A and B, assume that at least one of them contains more than one element. We present fair secure computation protocols for determining whether the two sets intersect.
Each party holds one set as its input to the protocol. At the end of the protocol both parties know whether the two sets intersect, but nothing else. In particular, neither party learns the other party's set. Furthermore, if the intersection is nonempty, neither party learns the elements of the intersection or its cardinality.
Our first protocol is completely fair with respect to both parties: at the end of the protocol either both parties know the final result or neither does, even if a malicious party deviates from the protocol. Our second protocol is almost completely fair: the probability that one party learns the result while the other does not is negligible. This protocol needs less computation and fewer proofs of knowledge.
Our protocols need only O(mn) comparisons of the obfuscated elements, where m and n are the numbers of elements of A and B, respectively. The number of comparisons is independent of the size of the domain from which the elements of A and B are drawn.
It is known that the millionaires' problem can be reduced to the set intersection problem. Therefore, the millionaires' problem can be solved efficiently by our protocols even when the input domain is very large.
Abstract (translated from the Chinese)
Given two finite sets A and B, assume that neither set is empty and that at least one of them contains more than one element. We design a fair and secure computation protocol that decides whether the two sets intersect. At the start of the protocol each participant holds one set as its input. At the end of the protocol each participant knows whether the two sets intersect, and nothing else; for example, neither learns the other's set. If the intersection is nonempty, neither party learns which elements lie in the intersection or how many elements A ∩ B contains. Our first protocol is completely fair to both parties: even if one party is malicious, does not follow the protocol faithfully, or terminates it early, that party gains no advantage; after the protocol ends, either both parties know the answer or neither does. Our second protocol is almost completely fair to both parties; it needs less computation than the first, and its security relies on fewer assumptions. Our protocols first transform the elements of both sets into an obfuscated form, so that neither party knows the correspondence between the transformed elements and the original ones. Only O(mn) equality comparisons of the transformed elements are needed for both parties to learn the answer, where m and n are the numbers of elements of A and B, respectively, and the number of comparisons is independent of the domain from which the elements of A and B are drawn. It is known that the millionaires' problem can be reduced to deciding whether two sets intersect, so even a millionaires' problem over a very large domain can be solved very efficiently with our protocol.

Contents
1 Introduction 1
2 Preliminaries 5
2.1 Equality test without Fairness 5
2.1.1 Cryptographic Assumptions 5
2.1.2 Proofs of knowledge 6
2.1.3 The protocol 6
2.2 Equality test with Complete Fairness 9
2.2.1 Cryptographic Assumptions 9
2.2.2 Proofs of knowledge 9
2.2.3 The protocol 11
3 Impossibility of Complete Fairness for Single Element Sets 15
4 Protocol with Complete Fairness 17
4.1 Description of the Protocol 18
4.2 Security Analysis of the Protocol 21
4.3 Performance Analysis of the Protocol 26
5 Protocol with Almost Complete Fairness 27
5.1 Description of the Protocol 27
5.2 Analysis of the Protocols 31

List of Figures
4.1 Phase 2 of Complete Fairness Secure Computation of Set Disjointness 20
4.2 Phase 2 of the Ideal Model for Complete Fairness Secure Computation of Set Disjointness 22
4.3 Construct an adversary S from adversary A corrupting Alice 23
4.4 Construct an adversary S from adversary A corrupting Bob 25
5.1 Phase 2 of Almost Complete Fairness Secure Computation of Set Disjointness 29
5.2 Summary of the Set Disjointness Protocol, Phase 1 30
5.3 Summary of the Set Disjointness Protocol, Phase 2 31

List of Tables
3.1 The value of f(A, B) when A and B each contain exactly one element from {0, 1} 16
Chapter 1
Introduction
Secure computation is fundamental in modern cryptography, and many applications are built on secure two-party computation protocols. In this thesis, we present secure and fair protocols for determining whether the intersection of two sets is empty.

In cryptography, a secure two-party computation protocol is a protocol for computing a function $f(x, y)$ jointly by two parties. Let the two parties be Alice and Bob. Initially, Alice has an input $x$ and Bob has an input $y$. After the execution of the protocol, both Alice and Bob know the output $f(x, y)$, but nothing else. This is the security requirement of the protocol. In particular, Alice does not learn Bob's input $y$, and Bob does not learn Alice's input $x$, unless $x$ or $y$ can be deduced from the value of $f(x, y)$ and the information they already have. For the set disjointness problem this means that if the intersection of the two sets is not empty, neither party learns the elements of the intersection or its cardinality.

In the design of two-party computation protocols, two models are usually considered. The first is the semi-honest model, in which both parties perform the computation according to the specification of the protocol but may try to learn more from their own information and from the messages transmitted in the protocol. The second model allows one of the parties to be malicious: a malicious party may deviate from the protocol in any way, including aborting it. In this thesis, we design protocols in the malicious model.

One important property of a two-party computation protocol is fairness, especially in the malicious model. A secure two-party computation is completely fair if, whenever one party learns the value of $f(x, y)$, so does the other party. In some cases a somewhat relaxed condition is also useful. A secure two-party computation is almost completely fair if the probability of the event "one party learns the value of $f(x, y)$ and the other party does not" is negligible.

In this thesis, we propose two secure two-party computation protocols for deciding whether the intersection of two sets is empty, assuming that one of the parties may be malicious. The first protocol is completely fair, and the second is almost completely fair. The first needs more computation and more proofs of knowledge than the second: specifically, the first needs $O(mn \log p)$ computations, while the second needs only $O(mn)$.

Cleve has shown that completely fair secure computation of the exclusive-or function is impossible [2]. Based on this result, we show that if each of the two sets $A$ and $B$ contains one element from $\{0, 1\}$, or from any two-element set, then there is no completely fair protocol for determining whether the two sets are disjoint. Therefore, one contribution of our work is a complete classification of the set disjointness problem by the cardinalities of the sets: if $m = n = 1$, then there is no completely fair protocol; otherwise, if $n > 1$ or $m > 1$, such a protocol exists.

Our protocol first obfuscates the elements of each set so that neither party knows the mapping between the original elements and the obfuscated ones. The two parties then compare the obfuscated elements in a way described later. Let the numbers of elements of the two sets be $m$ and $n$, respectively. Our protocol needs only $O(mn)$ comparisons of the obfuscated elements, and the number of comparisons is independent of the size of the input domain. Hence, it is more efficient than currently known protocols, especially when the input domain is very large.

Gordon, Hazay, Katz and Lindell showed that the millionaires' problem has a completely fair secure computation protocol [3]. However, the round complexity of their protocol is proportional to the size of the input domain, so their protocol is feasible only for problems with a polynomial-size domain. It is known that the millionaires' problem can be reduced to the set intersection problem [4]. Therefore, by using our protocols the millionaires' problem can be solved more efficiently.

The rest of the thesis is organized as follows. In Chapter 2, we modify the protocols for equality test of two integers proposed by Boudot, Schoenmakers, and Traoré [1]; the modified protocols are used by our protocols for comparing the elements. In Chapter 3, we show that a special case of the set disjointness problem cannot be computed with complete fairness. In Chapter 4 we present our first protocol, which is completely fair. In Chapter 5, we present our second protocol, which is almost completely fair. We also analyze the security and the performance of each protocol. In Chapter 6, we draw conclusions and discuss future work.
Chapter 2
Preliminaries
Our protocol carefully selects a pair of elements, one from each set, to be compared in each round. Boudot, Schoenmakers, and Traoré proposed two versions of a protocol for equality test [1], one with complete fairness and one without. We modify their equality test protocols to compare whether two such elements are equal. The modified versions of their protocols can be briefly described as follows.
2.1
Equality test without Fairness
2.1.1
Cryptographic Assumptions
Let $q$ be a large prime and $G_q$ a group of order $q$. The cryptographic assumptions required in this version of Boudot et al.'s protocol are:
1. The Discrete Logarithm assumption (DL): on input $G_q, g, y$, it is infeasible to compute $\log_g y$.
2. The Diffie-Hellman assumption (DH): it is infeasible to compute $g^{ab}$ given $g, g^a, g^b$ for random $a, b \in \mathbb{Z}_q$.
3. The Decisional Diffie-Hellman assumption (DDH): it is infeasible to decide whether $c = ab$ given $g, g^a, g^b, g^c$ for random $a, b, c \in \mathbb{Z}_q$.
2.1.2
Proofs of knowledge
The proofs of knowledge required in this version of their protocol are:
1. Proof of knowledge of a discrete logarithm. The protocol allows Alice to prove to Bob that she knows an element $x \in \mathbb{Z}_q$ satisfying $y = g^x$, where $y$ is Alice's public key. Alice randomly selects an integer $r \in \mathbb{Z}_q$, computes $W = g^r$, $c = h(W)$, and $D = r - xc \pmod q$. Then Alice sends the proof $(c, D)$ to Bob. Bob is convinced if $c = h(g^D y^c)$.
2. Proof of equality of two discrete logarithms. The protocol allows Alice to prove to Bob that she knows an element $x \in \mathbb{Z}_q$ satisfying $y_1 = g_1^x$ and $y_2 = g_2^x$, where $y_1$ and $y_2$ are Alice's public keys. Alice randomly selects $r \in \mathbb{Z}_q$, computes $W_1 = g_1^r$, $W_2 = g_2^r$, $c = h(W_1, W_2)$, and $D = r - xc \pmod q$. Then Alice sends the proof $(c, D)$ to Bob. Bob is convinced if $c = h(g_1^D y_1^c,\ g_2^D y_2^c)$.
2.1.3
The protocol
Boudot et al.'s secure two-party computation protocol for equality test without fairness can be summarized as follows.
1. Alice and Bob generate a group $G_q$ of large prime order $q$, by taking $G_q$ as a subgroup of $\mathbb{Z}_p^*$ for a large prime $p$ such that $q \mid (p - 1)$.
2. They decide on generators $g_0, g_1, g_2$ of $G_q$ for which they do not know the value of $\log_{g_i} g_j$ for $i \neq j$, $0 \le i, j < 3$.
3. Generate $g_3$.
(a) Alice generates $g_a = g_1^{x_a}$ for a random $x_a \in \mathbb{Z}_q^*$, and sends it to Bob.
(b) Bob generates $g_b = g_1^{x_b}$ for a random $x_b \in \mathbb{Z}_q^*$, and sends it to Alice.
(c) They prove knowledge of $x_a$ and $x_b$ to each other using Schnorr's protocol [8]. They also check whether $g_a = 1$ or $g_b = 1$; if either of $g_a$ or $g_b$ is 1, they abort the protocol.
Let $g_3 = g_1^{x_a x_b} = g_a^{x_b} = g_b^{x_a}$, which can be computed independently by Alice and Bob.
4. Alice selects a random element $a \in \mathbb{Z}_q$ and computes
$$(P_a, Q_a) = (g_3^a,\ g_1^a g_2^x). \tag{2.1}$$
Then she shows that there indeed exists an $a \in \mathbb{Z}_q$ for which she knows $x \in \mathbb{Z}_q$ satisfying (2.1).
5. Alice shows that she knows $a \in \mathbb{Z}_q$ by computing $a_i \in \mathbb{Z}_q$, $i = 0, \dots, k-1$, subject to the condition $a = \sum_{i=0}^{k-1} a_i 2^i \pmod q$, and setting $B_i = g_3^{a_i}$, $i = 0, \dots, k-1$. Since Alice can know only one $a$ satisfying $P_a = g_3^a$, it follows that $(P_a, Q_a)$ is correctly computed by Alice.
6. Alice sends $(P_a, Q_a)$ and the proofs to Bob.
7. Bob verifies the proofs and also checks that $P_a = \prod_{i=0}^{k-1} B_i^{2^i}$.
8. By symmetry, Bob does the same as Alice, computing $(P_b, Q_b)$ satisfying
$$(P_b, Q_b) = (g_3^b,\ g_1^b g_2^y), \tag{2.2}$$
where $b \in \mathbb{Z}_q$ is randomly chosen.
9. Alice and Bob both compute $(P_a/P_b, Q_a/Q_b)$, which is of the form
$$(P_a/P_b,\ Q_a/Q_b) = (g_3^{a-b},\ g_1^{a-b} g_2^{x-y}). \tag{2.3}$$
10. Then Alice produces $R_a = (Q_a/Q_b)^{x_a}$ and a proof that $\log_{g_1} g_a = \log_{Q_a/Q_b} R_a$ to show that $R_a$ is correctly formed. Alice then sends $R_a$, as well as the proof, to Bob.
11. Similarly, Bob produces $R_b = (Q_a/Q_b)^{x_b}$ and a corresponding proof, and sends them to Alice.
12. Since both Alice and Bob know equation (2.3) and the definition of $g_3$, they can compute $R_{ab}$:
$$R_{ab} = R_a^{x_b} = R_b^{x_a} = (Q_a/Q_b)^{x_a x_b} = g_3^{a-b}\, g_2^{(x-y) x_a x_b}. \tag{2.4}$$
At the end of the protocol, Alice and Bob test whether $P_a/P_b = R_{ab}$. If it is equal,
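As an added example (not code from the thesis or from [1]), the following Python script runs both sides of the equality test above, together with the Schnorr proof of knowledge of a discrete logarithm and the proof of equality of two discrete logarithms from Section 2.1.2, over a toy group. Assumptions: the parameters $p = 2039$, $q = 1019$ and the hash-derived generators are chosen here for a runnable demonstration and are far too small for real use; the Fiat-Shamir challenge also binds the statement $(g, y)$, which the text's $c = h(W)$ does not; and the bit-decomposition proof of knowledge of $a$ (step 5) is omitted. The test decides equality of $x$ and $y$ modulo $q$, as equations (2.3) and (2.4) imply.

```python
import hashlib
import secrets

# Toy group: p = 2q + 1 with q prime, so the squares of Z_p^* form G_q of order q.
# Assumption: these sizes are for a runnable demonstration only, not for real use.
P = 2039
Q = 1019
assert (P - 1) % Q == 0


def hash_to_group(label: bytes) -> int:
    """Derive a generator of G_q from a label, so nobody knows log_{g_i} g_j."""
    while True:
        x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
        g = pow(x, 2, P)              # squaring lands in the order-q subgroup
        if g not in (0, 1):
            return g
        label += b"+"


G0, G1, G2 = hash_to_group(b"g0"), hash_to_group(b"g1"), hash_to_group(b"g2")


def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1   # uniform in Z_q^*


def challenge(*vals: int) -> int:
    """Fiat-Shamir challenge c = h(...) reduced into Z_q."""
    h = hashlib.sha256(b"|".join(str(v).encode() for v in vals)).digest()
    return int.from_bytes(h, "big") % Q


def pok_dlog(g, y, x):
    """Prove knowledge of x with y = g^x (Schnorr): W = g^r, c = h(W), D = r - xc."""
    r = rand_exp()
    c = challenge(g, y, pow(g, r, P))     # statement (g, y) is bound into c (assumption)
    return c, (r - x * c) % Q


def verify_dlog(g, y, proof):
    c, d = proof
    return c == challenge(g, y, pow(g, d, P) * pow(y, c, P) % P)


def pok_dlog_eq(g1, y1, g2, y2, x):
    """Prove log_{g1} y1 = log_{g2} y2 = x with one shared r and one challenge."""
    r = rand_exp()
    c = challenge(g1, y1, g2, y2, pow(g1, r, P), pow(g2, r, P))
    return c, (r - x * c) % Q


def verify_dlog_eq(g1, y1, g2, y2, proof):
    c, d = proof
    w1 = pow(g1, d, P) * pow(y1, c, P) % P
    w2 = pow(g2, d, P) * pow(y2, c, P) % P
    return c == challenge(g1, y1, g2, y2, w1, w2)


def equality_test(x: int, y: int) -> bool:
    """Run both sides of the equality test (steps 3-12).  Returns True iff x = y
    (mod q).  The bit-decomposition proof of step 5 is omitted; every other
    proof is produced by one side and checked by the other."""
    xa, xb = rand_exp(), rand_exp()                       # step 3
    ga, gb = pow(G1, xa, P), pow(G1, xb, P)
    assert verify_dlog(G1, ga, pok_dlog(G1, ga, xa))      # Bob checks Alice's PoK
    assert verify_dlog(G1, gb, pok_dlog(G1, gb, xb))      # Alice checks Bob's PoK
    assert ga != 1 and gb != 1
    g3 = pow(gb, xa, P)                                   # = g1^{xa xb} = ga^{xb}
    assert g3 == pow(ga, xb, P)
    a, b = rand_exp(), rand_exp()                         # steps 4 and 8
    Pa, Qa = pow(g3, a, P), pow(G1, a, P) * pow(G2, x, P) % P
    Pb, Qb = pow(g3, b, P), pow(G1, b, P) * pow(G2, y, P) % P
    Pab = Pa * pow(Pb, -1, P) % P                         # step 9: g3^{a-b}
    Qab = Qa * pow(Qb, -1, P) % P                         #         g1^{a-b} g2^{x-y}
    Ra = pow(Qab, xa, P)                                  # step 10, with proof
    assert verify_dlog_eq(G1, ga, Qab, Ra, pok_dlog_eq(G1, ga, Qab, Ra, xa))
    Rb = pow(Qab, xb, P)                                  # step 11, with proof
    assert verify_dlog_eq(G1, gb, Qab, Rb, pok_dlog_eq(G1, gb, Qab, Rb, xb))
    Rab = pow(Ra, xb, P)                                  # step 12
    assert Rab == pow(Rb, xa, P)
    return Pab == Rab       # g3^{a-b} g2^{(x-y) xa xb} = g3^{a-b} iff x = y
```

The decision $P_a/P_b = R_{ab}$ works because $R_{ab}$ differs from $g_3^{a-b}$ exactly by the factor $g_2^{(x-y) x_a x_b}$ and $x_a x_b \not\equiv 0 \pmod q$; the proofs of correct formation of $R_a$ and $R_b$ are what stop a party from submitting a malformed value to force a wrong answer on the other side.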
2.2
Equality test with Complete Fairness
2.2.1
Cryptographic Assumptions
The cryptographic assumptions required by the complete fairness version of Boudot, Schoenmakers, and Traoré's protocol are:
1. The Discrete Logarithm assumption (DL): on input $G_q, g, y$, it is infeasible to compute $\log_g y$.
2. The Diffie-Hellman assumption (DH): it is infeasible to compute $g^{ab}$ given $g, g^a, g^b$ for random $a, b \in \mathbb{Z}_q$.
3. The Decisional Diffie-Hellman assumption (DDH): it is infeasible to decide whether $c = ab$ given $g, g^a, g^b, g^c$ for random $a, b, c \in \mathbb{Z}_q$.
2.2.2
Proofs of knowledge
The proofs of knowledge required by the complete fairness version of their protocol are:
1. Proof of knowledge of a discrete logarithm. The protocol allows Alice to prove to Bob that she knows an element $x \in \mathbb{Z}_q$ satisfying $y = g^x$, where $y$ is Alice's public key. Alice randomly selects an integer $r \in \mathbb{Z}_q$, computes $W = g^r$, $c = h(W)$, and $D = r - xc \pmod q$. Then Alice sends the proof $(c, D)$ to Bob. Bob is convinced if $c = h(g^D y^c)$.
2. Proof of knowledge of a discrete coordinate. The protocol allows Alice to prove to Bob that she knows $x_1, x_2 \in \mathbb{Z}_q$ satisfying $y = g_1^{x_1} g_2^{x_2}$, where $y$ is Alice's public key. Alice randomly selects two integers $r_1, r_2 \in \mathbb{Z}_q$, computes $W = g_1^{r_1} g_2^{r_2}$, $c = h(W)$, $D_1 = r_1 - x_1 c \pmod q$, and $D_2 = r_2 - x_2 c \pmod q$. Then Alice sends the proof $(c, D_1, D_2)$ to Bob. Bob is convinced if $c = h(g_1^{D_1} g_2^{D_2} y^c)$.
3. Proof of equality of two discrete logarithms. The protocol allows Alice to prove to Bob that she knows an element $x \in \mathbb{Z}_q$ satisfying $y_1 = g_1^x$ and $y_2 = g_2^x$, where $y_1$ and $y_2$ are Alice's public keys. Alice randomly selects $r \in \mathbb{Z}_q$, computes $W_1 = g_1^r$, $W_2 = g_2^r$, $c = h(W_1, W_2)$, and $D = r - xc \pmod q$. Then Alice sends the proof $(c, D)$ to Bob. Bob is convinced if $c = h(g_1^D y_1^c,\ g_2^D y_2^c)$.
4. Proof of equality of two discrete coordinates. The protocol allows Alice to prove to Bob that she knows $x_1, x_{21}, x_{22}$ satisfying $y_1 = g_1^{x_1} g_2^{x_{21}}$ and $y_2 = g_1^{x_1} g_2^{x_{22}}$, where $y_1$ and $y_2$ are Alice's public keys. Alice randomly selects $r_1, r_{21}, r_{22} \in \mathbb{Z}_q$, computes $W_1 = g_1^{r_1} g_2^{r_{21}}$, $W_2 = g_1^{r_1} g_2^{r_{22}}$, $c = h(W_1, W_2)$, $D_1 = r_1 - x_1 c \pmod q$, $D_{21} = r_{21} - x_{21} c \pmod q$, and $D_{22} = r_{22} - x_{22} c \pmod q$. Alice sends the proof $(c, D_1, D_{21}, D_{22})$ to Bob. Bob is convinced if $c = h(g_1^{D_1} g_2^{D_{21}} y_1^c,\ g_1^{D_1} g_2^{D_{22}} y_2^c)$.
5. Proof that a coordinate is equal to 0 or to 1. The protocol allows Alice to prove to Bob that she knows $x_1, x_2$ with $x_1 \in \mathbb{Z}_q$ and $x_2 \in \{0, 1\}$ satisfying $y = g_1^{x_1} g_2^{x_2}$, where $y$ is Alice's public key. Suppose $x_2 = v$ with $v = 0$ or $v = 1$. Alice randomly selects $r, c_{1-v}, D_{1-v} \in \mathbb{Z}_q$, computes $W_v = g_1^r$, $W_{1-v} = g_1^{D_{1-v}} (y / g_2^{1-v})^{c_{1-v}}$, $c = h(W_0, W_1)$, $c_v = c - c_{1-v} \pmod q$, and $D_v = r - x_1 c_v \pmod q$. Alice sends the proof $(c_0, c_1, D_0, D_1)$ to Bob. Bob is convinced if $c_0 + c_1 = h(g_1^{D_0} y^{c_0},\ g_1^{D_1} (y/g_2)^{c_1}) \pmod q$.
2.2.3
The protocol
Boudot et al.'s fair protocol for equality test can be summarized as follows:
1. Alice and Bob generate a group $G_q$ of large prime order $q$, by taking $G_q$ as a subgroup of $\mathbb{Z}_p^*$ for a large prime $p$ such that $q \mid (p - 1)$.
2. They decide on generators $g_0, g_1, g_2$ of $G_q$ for which they do not know the value of $\log_{g_i} g_j$ for $i \neq j$, $0 \le i, j < 3$.
3. Generate $g_3$:
(a) Alice generates $g_a = g_1^{x_a}$ for a random $x_a \in \mathbb{Z}_q^*$.
(b) Bob generates $g_b = g_1^{x_b}$ for a random $x_b \in \mathbb{Z}_q^*$.
(c) They prove knowledge of $x_a$ and $x_b$ to each other, using Schnorr's protocol.
(d) They also check that $g_a \neq 1$ and $g_b \neq 1$.
Let $g_3 = g_1^{x_a x_b} = g_a^{x_b} = g_b^{x_a}$, which can be computed independently by Alice and Bob.
4. Alice selects a random element $a \in \mathbb{Z}_q$ and a random number $e$, $0 \le e < 2^k$, and computes
$$(P_a, Q_a) = (g_3^a g_0^e,\ g_1^a g_2^x). \tag{2.5}$$
5. Alice shows that she knows $a, e \in \mathbb{Z}_q$ with $0 \le e < 2^k$ by computing $a_i \in \mathbb{Z}_q$ and $e_i \in \{0, 1\}$, $i = 0, \dots, k-1$, subject to the conditions $a = \sum_{i=0}^{k-1} a_i 2^i \pmod q$ and $e = \sum_{i=0}^{k-1} e_i 2^i$, and setting $B_i = g_3^{a_i} g_0^{e_i}$.
6. Alice proves that each $e_i$ is in $\{0, 1\}$. Since Alice can know only one pair $a, e$ satisfying $P_a = g_3^a g_0^e$, it follows that $(P_a, Q_a)$ is correctly computed by Alice. Alice sends $(P_a, Q_a)$ and the proofs to Bob.
7. Bob verifies the proofs and also checks that $P_a = \prod_{i=0}^{k-1} B_i^{2^i}$.
8. Alice sends $g_3^a$ to Bob.
9. By symmetry, Bob does the same as Alice, computing $(P_b, Q_b)$ satisfying
$$(P_b, Q_b) = (g_3^b g_0^f,\ g_1^b g_2^y), \tag{2.6}$$
where $b \in \mathbb{Z}_q$ and $f$, $0 \le f < 2^k$, are randomly chosen.
10. Alice and Bob both compute $(P_a/P_b, Q_a/Q_b)$, which is of the form
$$(P_a/P_b,\ Q_a/Q_b) = (g_3^{a-b} g_0^{e-f},\ g_1^{a-b} g_2^{x-y}). \tag{2.7}$$
11. Then Alice produces $R_a = (Q_a/Q_b)^{x_a}$ and a proof that $\log_{g_1} g_a = \log_{Q_a/Q_b} R_a$ to show that $R_a$ is correctly formed.
12. Similarly, Bob produces $R_b = (Q_a/Q_b)^{x_b}$ and a corresponding proof. Now Alice and Bob both know, on account of equation (2.7) and the definition of $g_3$, that
$$R_{ab} = R_a^{x_b} = R_b^{x_a} = (Q_a/Q_b)^{x_a x_b} = g_3^{a-b}\, g_2^{(x-y) x_a x_b}. \tag{2.8}$$
13. Finally, Alice and Bob fairly disclose the values of $e$ and $f$. Once these values are released, both Alice and Bob may determine whether $x = y$ by testing whether
$$P_a/P_b = R_{ab}\, g_0^{e-f}. \tag{2.9}$$
By equations (2.7) and (2.8) this equality holds if and only if $x = y$. To disclose $e$ and $f$ without revealing the values of $a$ and $b$, Alice and Bob execute the following steps for $i = k-1, \dots, 1$:
1. They send each other the values of $a_i, e_i$ and $b_i, f_i$, respectively.
2. Bob checks that $B_i = g_3^{a_i} g_0^{e_i}$, and Alice does a similar check for $b_i, f_i$.
3. At the last step, they release only $e_0$ and $f_0$, respectively.
4. Finally, Alice proves that she knows $\log_{g_3}(B_0 / g_0^{e_0})$ and Bob gives a similar proof for $f_0$. This convinces the other party that the bits $e_0$ and $f_0$ are correct.
The main modification is in steps 8 and 9 of the fair version: Alice needs to send $g_3^a$ to Bob, and Bob needs to send $g_3^b$ to Alice. These modifications allow Alice and Bob to compute the final result deterministically when one party aborts the protocol, which guarantees fairness for both parties. For example, if Bob deliberately aborts the protocol at $i = l$, he is at most one bit ahead of Alice in testing the equality of the two elements. At the time Bob aborts, Alice has $A_i = g_3^{b_i} g_0^{f_i}$ and $g_3^b$. Using $g_3^b$ she can search over the combinations of the missing bits $f_0, f_1, \dots, f_l$. Thus, she needs no
Chapter 3
Impossibility of Complete
Fairness for Single Element Sets
Before we present our secure and fair protocols for determining the disjointness of two sets, we show that some special cases of the set disjointness problem cannot be solved with complete fairness.

In 1986, Cleve showed that completely fair secure two-party computation of the exclusive-or function is impossible [2]: in any two-party computation of the exclusive-or, a malicious party can always bias the output of the other party. Our impossibility proof for this special case is based on Cleve's result. This implies that the general version of the disjointness of two sets cannot be computed with complete fairness.

Theorem 1 The general version of the disjointness of two sets cannot be computed with complete fairness.

Proof It is sufficient to show that some special case cannot be computed with complete fairness. Consider two sets $A$ and $B$ which are subsets of $\{0, 1\}$. Assume that each set contains exactly one element; then the value of $f(A, B)$ is given in Table 3.1.

Table 3.1: The value of $f(A, B)$ when $A$ and $B$ each contain exactly one element from $\{0, 1\}$.

              B = {0}   B = {1}
    A = {0}      1         0
    A = {1}      0         1

It is clear that this is the negation of the exclusive-or function. If the disjointness of the sets $A$ and $B$ could be computed securely with complete fairness, then the exclusive-or function could also be computed securely with complete fairness, contradicting Cleve's result.

Therefore, in our protocols we require that at least one of the sets $A$ or $B$ contains at least two elements.

We note that when the universal set $U$ from which the two sets $A$ and $B$ are drawn is very large and each set contains only one element of $U$, the set disjointness problem is equivalent to the equality test problem. Thus, the problem has a completely fair secure two-party computation when $U$ is large, even if each of $A$ and $B$ contains only one element of $U$.
Chapter 4
Protocol with Complete Fairness
Assume that Alice has a set $A = \{a_1, a_2, \dots, a_m\}$ and Bob has a set $B = \{b_1, b_2, \dots, b_n\}$. They want to know whether $A \cap B$ is empty. We assume that both sets are nonempty and that $B$ contains more than one element, that is, $n > 1$ and $m \ge 1$. If $B$ contains only one element, we switch the roles of $A$ and $B$ in the following protocol. Let $\lambda$ be the security parameter. Assume that $A$ and $B$ are finite sets of integers whose values can be represented by $\lambda$ bits.

For any two sets $A$ and $B$, define the function
$$f(A, B) = \begin{cases} 0 & \text{if } A \cap B \text{ is empty,} \\ 1 & \text{if } A \cap B \text{ is not empty.} \end{cases}$$

The two-party protocol for computing $f(A, B)$ consists of two phases.

In the first phase, Alice and Bob exchange $A$ and $B$ in obfuscated form. It is required that equal elements are mapped to the same integer, so that the comparison in the second phase is correct. This is done as follows. Each element $a \in A$ is obfuscated by raising $h(a)$ to a random power $\alpha\beta$ modulo a large prime $p$, where $h$ is a cryptographic hash function known to both Alice and Bob. The elements of $B$ are obfuscated in the same way. The random exponents $\alpha$ and $\beta$ are chosen by Alice and Bob, respectively.

In the second phase, Alice and Bob compare the elements, one from each set, to determine whether they are equal. In the complete fairness version, the way the two elements are chosen is simple and straightforward, because the completely fair version of the equality test is used. In the almost complete fairness version, a secure but not necessarily fair equality test is used to compare the elements; it requires less computation and fewer proofs of knowledge, but the elements to be compared must be carefully chosen so that almost complete fairness can be achieved.

In this chapter, we describe our first protocol, which is secure and completely fair, for two parties to determine whether the intersection of two sets is empty.
4.1
Description of the Protocol
First, Alice and Bob choose a large prime $p$ with $p > 2^\lambda$ such that the discrete logarithm problem over $\mathbb{Z}_p^*$ is intractable. Since each element of $A$ and $B$ can be represented by at most $\lambda$ bits, $p$ is larger than any element of $A$ and $B$. Finally, let $h$ denote a cryptographic hash function.

Then Alice and Bob run the following protocol.
1. Alice randomly chooses a positive integer $\alpha \in \mathbb{Z}_{p-1}$, computes the set
$$A_1 = \{\, h(a)^\alpha \bmod p \mid a \in A \,\},$$
and sends the elements $a^{(1)}_1, a^{(1)}_2, \dots, a^{(1)}_m$ of $A_1$, in random order, to Bob.
2. Bob randomly chooses a positive integer $\beta \in \mathbb{Z}_{p-1}$, computes the set
$$B_1 = \{\, h(b)^\beta \bmod p \mid b \in B \,\},$$
and sends the elements $b^{(1)}_1, b^{(1)}_2, \dots, b^{(1)}_n$ of $B_1$, in random order, to Alice.
3. After receiving $a^{(1)}_1, a^{(1)}_2, \dots, a^{(1)}_m$ from Alice, Bob computes the set
$$A_2 = \{\, a^\beta \bmod p \mid a \in A_1 \,\},$$
and stores the elements $a^{(2)}_1, a^{(2)}_2, \dots, a^{(2)}_m$ of $A_2$ in random order.
4. After receiving $b^{(1)}_1, b^{(1)}_2, \dots, b^{(1)}_n$ from Bob, Alice computes the set
$$B_2 = \{\, b^\alpha \bmod p \mid b \in B_1 \,\},$$
and stores the elements $b^{(2)}_1, b^{(2)}_2, \dots, b^{(2)}_n$ of $B_2$ in random order.

In the above protocol, each element is first hashed and then obfuscated by raising it to the random power $\alpha\beta$ modulo $p$, where $\alpha$ is chosen by Alice and $\beta$ is chosen by Bob. Since $\alpha$ and $\beta$ are chosen at random, each element is mapped to a random element of the subgroup of $\mathbb{Z}_p^*$ generated by $h(a_i)$ or $h(b_j)$. Therefore, neither Alice nor Bob can predict the final transformed value of any element. We also need a random permutation so that neither Alice nor Bob knows the mapping between the original elements and the obfuscated elements; this is done by sending the elements in random order and storing the resulting elements in random order.

At the end of the first phase, Alice has the set $B_2$, while Bob has the set $A_2$.

In the second phase, each element $b$ of $B_2$ is checked for membership in $A_2$. Alice and Bob run a modified Boudot, Schoenmakers, and Traoré protocol to determine whether $b$ is in $A_2$. Bob gets the comparison result one bit ahead of Alice. However, Alice can validate the result if she gets all the bits from Bob; otherwise, she can compute the remaining bits without Bob's help.

The second phase of our first protocol can be described as follows. Alice and Bob compare the elements by running the protocol given in Figure 4.1.

for i = 1, 2, ..., n do
  for j = 1, 2, ..., m do
    Alice and Bob compare the equality of b^{(2)}_i and a^{(2)}_j;
    if b^{(2)}_i = a^{(2)}_j then
      Alice and Bob output 1; stop;
    end if
  end for
end for
Alice and Bob output 0; stop;

Figure 4.1: Phase 2 of Complete Fairness Secure Computation of Set Disjointness

We must specify what is to be done if one party aborts the protocol. We assume that a party can learn the value of $f(A, B)$ only through the comparison of the elements. If either party aborts the protocol in phase 1, both parties output nothing; they do not yet know anything about $f(A, B)$. On the other hand, if either party aborts the protocol in phase 2, we assume that this party knows that $f(A, B) = 1$, and both parties output 1. The assumption that a party who aborts in phase 2 knows that $f(A, B) = 1$ is reasonable, since aborting the protocol without knowing that $f(A, B) = 1$ would give that party no advantage.
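As an added example (not the thesis's own code), the following Python script implements phase 1 above and the comparison loop of Figure 4.1, with a plain equality comparison standing in for the fair Boudot, Schoenmakers, and Traoré test. Assumptions: $p = 2^{127} - 1$ and $\lambda = 64$ are chosen for this demonstration; $\alpha$ and $\beta$ are additionally required to be coprime to $p - 1$, which makes $v \mapsto v^\alpha$ a bijection on $\mathbb{Z}_p^*$ so that distinct hashed elements can never collide after obfuscation (the text only requires positive exponents in $\mathbb{Z}_{p-1}$); and the case $m = n = 1$ excluded by Theorem 1 is rejected up front.

```python
import hashlib
import secrets
from math import gcd

P = 2**127 - 1   # Mersenne prime; assumption: toy modulus chosen for this example
LAMBDA = 64      # set elements are integers of at most LAMBDA bits, and 2**LAMBDA < P


def h(v: int) -> int:
    """Hash a set element into Z_p^*; equal elements always hash to the same point."""
    d = hashlib.sha256(v.to_bytes(LAMBDA // 8, "big")).digest()
    return int.from_bytes(d, "big") % (P - 1) + 1       # never 0


def rand_unit_exponent() -> int:
    """Random exponent invertible mod p-1, so v -> v^alpha is a bijection on Z_p^*
    (assumption/hardening: the text only requires a positive alpha in Z_{p-1})."""
    while True:
        e = secrets.randbelow(P - 2) + 1
        if gcd(e, P - 1) == 1:
            return e


def shuffled(vals):
    """Fisher-Yates shuffle with a CSPRNG: hides which element sits where."""
    vals = list(vals)
    for i in range(len(vals) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        vals[i], vals[j] = vals[j], vals[i]
    return vals


def phase1_send(elements, exponent):
    """A_1 = {h(a)^alpha mod p} (resp. B_1), transmitted in random order."""
    return shuffled(pow(h(v), exponent, P) for v in elements)


def phase1_receive(received, exponent):
    """A_2 = {a^beta mod p} (resp. B_2), stored in random order."""
    return shuffled(pow(v, exponent, P) for v in received)


def set_disjointness(A, B) -> int:
    """Return f(A, B): 0 if A and B are disjoint, 1 otherwise, following the
    two-phase structure of Chapter 4.  The per-pair comparison is a plain
    equality test standing in for the fair BST protocol."""
    A, B = set(A), set(B)
    if not A or not B:
        raise ValueError("both sets must be nonempty")
    if len(A) == 1 and len(B) == 1:
        raise ValueError("m = n = 1 admits no completely fair protocol (Theorem 1)")
    if len(B) == 1:                      # the protocol needs n > 1; swap roles otherwise
        A, B = B, A
    assert all(0 <= v < 2**LAMBDA for v in A | B)
    alpha, beta = rand_unit_exponent(), rand_unit_exponent()   # Alice's, Bob's
    A1 = phase1_send(A, alpha)           # Alice -> Bob
    B1 = phase1_send(B, beta)            # Bob -> Alice
    A2 = phase1_receive(A1, beta)        # Bob keeps A2
    B2 = phase1_receive(B1, alpha)       # Alice keeps B2
    # Phase 2 (Figure 4.1): compare every b in B2 with every a in A2, stop at first hit
    for b2 in B2:
        for a2 in A2:
            if b2 == a2:
                return 1
    return 0
```

The two exponentiation orders commute, $(h(v)^\alpha)^\beta = (h(v)^\beta)^\alpha$, which is why Bob's $A_2$ and Alice's $B_2$ contain the same value for a common element even though neither party ever sees both exponents; the shuffles are what prevent a party from linking an obfuscated value back to a position in the other party's original list.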
4.2
Security Analysis of the Protocol
A two-party computation is secure and completely fair if the view of the adversary in the real protocol is computationally indistinguishable from its view in the ideal model of computation. The view consists of the outputs of both parties.

This is formalized by first considering an ideal model of computing the same function $f$. In the ideal model, there is a trusted third party $\mathcal{TP}$, which is trusted by both parties and is incorruptible. The two parties send their inputs $x$ and $y$ to the trusted third party securely. The trusted third party computes the function $f$ on the inputs $x$ and $y$, and finally sends each party the value $f(x, y)$.

A protocol $\pi$ is said to securely compute $f$ with complete fairness if for every non-uniform probabilistic polynomial-time adversary $\mathcal{A}$ in the real model there exists a non-uniform probabilistic polynomial-time adversary $\mathcal{S}$ in the ideal model such that the view of the adversary in the real execution of the protocol is computationally indistinguishable from the view in the ideal execution:
$$\{\mathrm{IDEAL}_{f,\mathcal{S}(z)}(x, y)\}_{(x,y) \in X \times Y,\ z \in \{0,1\}^*} \ \overset{c}{\equiv}\ \{\mathrm{REAL}_{\pi,\mathcal{A}(z)}(x, y)\}_{(x,y) \in X \times Y,\ z \in \{0,1\}^*}.$$

For the set disjointness problem, phase 1 of the ideal model is the same as phase 1 of our protocol. Phase 2 of the ideal model is described in Figure 4.2. It is reasonable to assume that the ideal model computes the set disjointness problem securely with complete fairness.

for i = 1, 2, ..., n do
  for j = 1, 2, ..., m do
    Alice securely sends b^{(2)}_i to TP; Bob securely sends a^{(2)}_j to TP;
    TP computes c = 1 if b^{(2)}_i = a^{(2)}_j and c = 0 otherwise, and sends c to Alice and Bob;
    if c = 1 then
      Alice and Bob output 1; stop;
    end if
  end for
end for
Alice and Bob output 0; stop;

Figure 4.2: Phase 2 of the Ideal Model for Complete Fairness Secure Computation of Set Disjointness

As in the real-world model, we require that one party output 1 whenever the other party aborts the protocol in any iteration.
Theorem 2 Our first protocol securely computes the set disjointness problem with complete fairness.
Proof Let A be an adversary in our protocol who can learn the value of f (A, B) and, at the same time, can prevent the other party from learning it, with non-negligible probability. We show that our protocol computes the set disjointness problem with complete fairness by showing that if there is an adversary A in our protocol, then there is an adversary S corrupting the same party in the ideal model. In the ideal model, the adversary S can also learn the value of f (A, B) and, at the same time, can prevent the other party from learning it, with non-negligible probability.
First, let Alice be the adversary A in our protocol. The adversary A is also called the real world adversary. We construct an ideal world adversary S given black-box access to A. A sketch diagram of the construction is given in Figure 4.3.
S g Alice (A) ? 6 g Bob - T P - Bob
Figure 4.3: Construct an adversary S from adversary A corrupting Alice
Note that, in Figure 4.3, we use “Bob” and “Bob” to distinguish the two dif-g
ferent parties in different models. “Bob” is in the real world model, and “Bob” isg
in the ideal Model.
The detailed construction of S from A are given as follows. 1. S invokes A on the input the set A.
2. If A aborts in Phase 1, then S outputs whatever A outputs, and halts. Otherwise, S proceeds the phase 2 as below.
3. To simulate each iteration i = 1, 2, . . . , n and j = 1, 2, . . . , m,
(a) If A aborts, then S sends b(2)j to T P, outputs whatever A outputs, and halts.
(b) If A does not abort and uses xito compareBob’s element in the protocol.g
(c) If ci = 1, then S uses xi to compare Bob’s element. Otherwise, c = 0, Sg
chooses a random integer x0j 6= xi and uses x0j to compareBob’s element.g
We analyze the adversary S described above. Let A denote the input of Alice. The view of A in an execution with S is identical to its view in a real world execution withBob. The only difference is that the elements sent by S is a randomg
integer x0j, instead of b(2)j . This does not affect the view of A, since the equality test used in the protocol is secure, and the comparison result is the same for x0j or a(2)j is used. Hence, what is left to proof is that the joint distribution of A’s view and Alice’s output is identical in the real world and the ideal world. We show this by separately considering different cases:
1. S sends nothing to the trusted third party because A aborted the protocol in Phase 1. There will be no output for both party in the real world or in the ideal world models.
2. A aborts the protocol for some i, 1 ≤ i ≤ n. In the real world, Bob would assume that Alice knows the intersection is not empty and then output 1. In the ideal world, Bob would also output 1, because S sends b(2)j to T P at this round, or he has already know the value of f (A, B) in the previous iteration. 3. If A does not abort the protocol, and the protocol ended normally, then both party out puts f (A, B), in the real world model and in the ideal world model. Based on the above argument, we conclude that the joint distribution of A’s view and Alice’s output is identical in the real world and the ideal world.
Now, let Bob be a real world adversary $\mathcal{A}$. We construct a simulator $\mathcal{S}$ given black-box access to $\mathcal{A}$. A sketch of the construction is given in Figure 4.4.

Figure 4.4: Construction of a simulator $\mathcal{S}$ from an adversary $\mathcal{A}$ corrupting Bob. (Diagram omitted: $\widetilde{\text{Alice}}$ and TP in the ideal world, $\mathcal{S}$ running $\mathcal{A}$ and playing Alice toward it.)

Note that, in Figure 4.4, we use "Alice" and "$\widetilde{\text{Alice}}$" to distinguish the two parties in the two models: "Alice" is in the real world model, and "$\widetilde{\text{Alice}}$" is in the ideal model.
The details of the construction are as follows.
1. $\mathcal{S}$ invokes $\mathcal{A}$ on input the set $B$.
2. If $\mathcal{A}$ sends abort in Phase 1, then $\mathcal{S}$ outputs whatever $\mathcal{A}$ outputs and halts. Otherwise, $\mathcal{S}$ proceeds to Phase 2 as below.
3. To simulate each iteration $i = 1, 2, \ldots, n$ and $j = 1, 2, \ldots, m$:
(a) If $\mathcal{A}$ aborts, then $\mathcal{S}$ sends $a^{(2)}_j$ to TP, outputs whatever $\mathcal{A}$ outputs, and halts.
(b) If $\mathcal{A}$ does not abort and sends $y_j$ to $\widetilde{\text{Alice}}$, then $\mathcal{S}$ sends $y_j$ to TP and obtains $c_{ij}$ from TP.
(c) If $c_{ij} = 1$, then $\mathcal{S}$ sends $y_j$ to $\widetilde{\text{Alice}}$. Otherwise, $\mathcal{S}$ chooses a random integer $y'_j \neq y_j$ and sends $y'_j$ to $\mathcal{A}$.
The proof that the joint distribution of $\mathcal{A}$'s view and the honest party's output is identical in the real world and in the ideal world for this case is similar to the previous one, and is omitted.
4.3 Performance Analysis of the Protocol
Recall that $m$ and $n$ are the cardinalities of the sets $A$ and $B$, respectively. The protocol needs at most $mn$ comparisons of elements. Since the protocol of Boudot, Schoenmakers, and Traoré is used to compare the elements, each comparison needs $O(\log p)$ modular exponentiations, where $p$ is the prime used to construct the group $G_q$ [1]. Note that $\log p \ge \lambda$ can also be regarded as the security parameter of the protocol. Thus, the protocol needs $O(mn \log p)$ modular exponentiations in total.
Chapter 5
Protocol with Almost Complete Fairness
In this chapter, we describe our second protocol for two parties to determine whether the intersection of two sets is empty or not. The protocol is secure and achieves almost complete fairness.
5.1 Description of the Protocol
The protocol with almost complete fairness also consists of two phases. The first phase obfuscates the elements of each set, and it is identical to the first phase of the previous protocol with complete fairness.
In the second phase, Alice holds the set $B_2$ and Bob holds the set $A_2$, and each element $b \in B_2$ is checked for membership in $A_2$: Alice and Bob run a secure two-party protocol to determine whether $b \in A_2$ or not.
In order to achieve almost complete fairness, the way the elements of $B_2$ are selected for the membership checks in $A_2$ has to be designed carefully. We now describe how Alice chooses the element of $B_2$ to be compared in each round. The selection order of the elements of $B_2$ and the number of rounds of membership checking are determined by the following random process.
Alice randomly selects an integer $w$ as the number of rounds, $n < w \le 2n$, and sets up a table $T[1 \ldots w]$ of $w$ entries. Entry $T[i]$ stores the element of $B_2$ to be compared in the $i$-th round. She randomly assigns the $n$ elements of $B_2$ to a subset of $n$ entries of the table $T$. Since $w > n$, not all entries of $T$ are assigned. Let $z$ be the maximum index of an entry assigned in this random assignment, and let $b = T[z]$. The unassigned entries of the table $T$ are filled in by the following rules:
1. $z = w = 2n$. For each unassigned entry of $T$, Alice assigns $b$ to the entry with probability $\frac{1}{2}$ and each $b' \in B_2 \setminus \{b\}$ with probability $\frac{1}{2(n-1)}$.
2. Otherwise ($w \neq 2n$ or $z \neq w$). For each unassigned entry of $T$, Alice assigns each $b' \in B_2$ to the entry with probability $\frac{1}{n}$.
This arrangement is necessary to make the probability that "the final round is round $2n$" negligible. By the final round we mean the round after which all elements of $B_2$ have been compared; that is, $k$ is the final round if $k$ is the smallest index with
$$B_2 = \bigcup_{i=1}^{k} \{T[i]\}.$$
If the unassigned entries were filled uniformly in the case $z = w = 2n$, the element $b = T[2n]$ would be absent from the other $n$ entries with probability $(1 - \frac{1}{n})^n \approx 1/e$, which is not negligible; giving $b$ weight $\frac{1}{2}$ in each unassigned entry reduces this probability to $2^{-n}$. Therefore, Bob can only guess which round is the final round. In other words, he can be sure that a round is the final round only in the $2n$-th round, and the probability that the final round is the $2n$-th round is negligible.
Alice and Bob then compare the elements by running the protocol shown in Figure 5.1. In this phase, Alice and Bob repeatedly compare the elements of $B_2$ and $A_2$.

for i = 1, 2, ..., w do
    for j = 1, 2, ..., m do
        Alice and Bob compare T[i] and $a^{(2)}_j$ for equality;
        if T[i] = $a^{(2)}_j$ then
            Alice and Bob output 1; stop;
        end if
    end for
end for
Alice and Bob output 0; stop;

Figure 5.1: Phase 2 of the Almost Complete Fairness Secure Computation of Set Disjointness
The fair equality test of Boudot, Schoenmakers, and Traoré [1] can be used for the comparisons of the elements. The comparison result becomes known to Bob first, and to Alice later. In their protocol, if Bob refuses to send the value, or sends a wrong value to Alice, Alice notices this fact and reacts in the same way as if Bob had aborted the protocol. The protocol for the secure computation of set disjointness is summarized in Figure 5.2 and Figure 5.3.

To design a protocol that remains fair even when one party is malicious, we need to define what is done when the malicious party aborts the protocol abnormally. Abnormal termination includes Alice or Bob terminating, or sending wrong information to the other party, during the comparison of the equality of two elements. Note that sending wrong information is easily detected in the Boudot, Schoenmakers, and Traoré protocol.

It is simple for our protocol to deal with abnormal termination. If Alice aborts the protocol, then both parties output 0, and if Bob aborts the protocol, then both parties output 1.

Phase 1
Input: Alice has $A = \{a_1, a_2, \ldots, a_m\}$, Bob has $B = \{b_1, b_2, \ldots, b_n\}$.
Output: Alice has $B_2 = \{b^{(2)}_1, b^{(2)}_2, \ldots, b^{(2)}_n\}$, Bob has $A_2 = \{a^{(2)}_1, a^{(2)}_2, \ldots, a^{(2)}_m\}$.
1. Alice and Bob choose a hash function $h$ and a large prime $p$ such that the discrete logarithm problem over $\mathbb{Z}_p^*$ is intractable and $\log p \ge \lambda$, where $\lambda$ is the security parameter.
2. Alice randomly chooses $\alpha \in \mathbb{N}$, computes the set $A_1 = \{h(a)^{\alpha} \bmod p \mid a \in A\}$, and sends the elements of $A_1$, $a^{(1)}_1, a^{(1)}_2, \ldots, a^{(1)}_m$, in random order to Bob.
3. Bob randomly chooses $\beta \in \mathbb{N}$, computes the set $B_1 = \{h(b)^{\beta} \bmod p \mid b \in B\}$, and sends the elements of $B_1$, $b^{(1)}_1, b^{(1)}_2, \ldots, b^{(1)}_n$, in random order to Alice.
4. After receiving $A_1$ from Alice, Bob computes the set $A_2 = \{a^{\beta} \bmod p \mid a \in A_1\}$ and stores its elements $a^{(2)}_1, a^{(2)}_2, \ldots, a^{(2)}_m$ in random order.
5. After receiving $B_1$ from Bob, Alice computes the set $B_2 = \{b^{\alpha} \bmod p \mid b \in B_1\}$ and stores its elements $b^{(2)}_1, b^{(2)}_2, \ldots, b^{(2)}_n$ in random order.
Figure 5.2: Summary of the Set Disjointness Protocol, Phase 1
This is because if Alice aborts the protocol, then Alice must know that all elements have been compared; otherwise she gains no advantage by aborting. Therefore, Bob should assume that $A \cap B = \emptyset$.

On the other hand, if Bob aborts the protocol, then Bob must have found out that some element of his set equals some element of Alice's; otherwise he gains no advantage by aborting. Therefore, Alice should assume that $A \cap B \neq \emptyset$.

Phase 2
Input: Alice has $B_2 = \{b^{(2)}_1, b^{(2)}_2, \ldots, b^{(2)}_n\}$, Bob has $A_2 = \{a^{(2)}_1, a^{(2)}_2, \ldots, a^{(2)}_m\}$.
Output: Alice and Bob both learn $f(A, B)$.
1. Alice randomly selects the number of rounds $w$, $n < w \le 2n$, and sets up a table $T[1 \ldots w]$ of $w$ entries. She randomly assigns the $n$ elements of $B_2$ to some subset of $n$ entries of the table. Let $z$ be the maximum index of an assigned entry and $b = T[z]$. The remaining entries of $T$ are filled in by the following rules:
(a) $z = w = 2n$. For each unassigned entry of $T$, Alice assigns $b$ to the entry with probability $\frac{1}{2}$ and each $b' \in B_2 \setminus \{b\}$ with probability $\frac{1}{2(n-1)}$.
(b) Otherwise. For each unassigned entry of $T$, Alice assigns each $b' \in B_2$ to the entry with probability $\frac{1}{n}$.
2. For $i = 1, 2, \ldots, w$, Alice and Bob compare the element $b = T[i]$ with each element of $A_2$ as shown in Figure 5.1.
3. At the end of the protocol, both Alice and Bob know the value of $f(A, B)$.
4. If Alice aborts the protocol, then Bob assumes $f(A, B) = 0$.
5. If Bob aborts the protocol, then Alice assumes $f(A, B) = 1$.
Figure 5.3: Summary of the Set Disjointness Protocol, Phase 2
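The two phases of Figures 5.2 and 5.3 can be exercised end to end with the following toy implementation. It is an added example, not the thesis's own code, and it makes these assumptions beyond the text: the group is the prime-order subgroup $G_q$ of $\mathbb{Z}_p^*$ for a 64-bit safe prime $p = 2q + 1$ found at import time (a deployment needs at least 2048 bits); $h$ maps an element into $G_q$ by reducing SHA-256(x) and squaring modulo $p$; the secret exponents $\alpha$ and $\beta$ are drawn from $[1, q-1]$ rather than from all of $\mathbb{N}$, so that exponentiation is a permutation of $G_q$ (an exponent that is a multiple of $q$ would send every element to 1 and break the correctness argument of Section 5.2); and the fair equality test of Boudot, Schoenmakers, and Traoré is replaced by a plain comparison of the blinded values, so the code shows the correctness and the round structure of the protocol, not its fairness guarantees. The table-building rules and the notion of the final round follow Section 5.1; Python's `random` is used only to make the demonstration reproducible.

```python
"""Added example, not the thesis's code: a toy end-to-end run of the
set-disjointness protocol of Figures 5.2 and 5.3 (assumptions in the text)."""
import hashlib
import random

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases, deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def first_safe_prime_above(lo: int) -> int:
    """Smallest prime p > lo such that q = (p - 1) / 2 is also prime."""
    q = lo // 2 + 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1


P = first_safe_prime_above(2 ** 64)  # toy size; use >= 2048 bits in practice
Q = (P - 1) // 2                     # order of the quadratic-residue subgroup G_q


def h(x: str) -> int:
    """Hash a set element into G_q: SHA-256, reduce into [1, P-1], square mod P."""
    digest = int.from_bytes(hashlib.sha256(x.encode()).digest(), "big")
    return pow(digest % (P - 1) + 1, 2, P)


def blind(values, exponent):
    """Raise each value to a party's secret exponent (a permutation of G_q)."""
    return [pow(v, exponent, P) for v in values]


def phase1(alice_set, bob_set, rng):
    """Figure 5.2. Returns (B2 held by Alice, A2 held by Bob)."""
    alpha, beta = rng.randrange(1, Q), rng.randrange(1, Q)  # secret exponents
    A1 = blind([h(a) for a in alice_set], alpha)
    rng.shuffle(A1)                  # Alice -> Bob, in random order
    B1 = blind([h(b) for b in bob_set], beta)
    rng.shuffle(B1)                  # Bob -> Alice, in random order
    A2, B2 = blind(A1, beta), blind(B1, alpha)  # both now h(.)^(alpha*beta)
    rng.shuffle(A2)
    rng.shuffle(B2)
    return B2, A2


def build_table(B2, rng):
    """Alice's schedule T of Section 5.1 (0-based: T[w-1] is the thesis's T[w])."""
    n = len(B2)
    w = rng.randrange(n + 1, 2 * n + 1)        # n < w <= 2n
    T = [None] * w
    slots = rng.sample(range(w), n)            # n distinct slots for the n elements
    for slot, b in zip(slots, B2):
        T[slot] = b
    z = max(slots)
    last, others = T[z], [b for b in B2 if b != T[z]]
    for i in range(w):
        if T[i] is None:
            if z == w - 1 and w == 2 * n and others:
                # Rule 1: T[z] with probability 1/2, the others share the rest
                T[i] = last if rng.random() < 0.5 else rng.choice(others)
            else:
                T[i] = rng.choice(B2)          # Rule 2: uniform over B2
    return T


def final_round(T, B2):
    """Smallest k (1-based) with {T[1..k]} == B2: Alice is certain of the
    result from round k on, while Bob cannot tell which round k is."""
    remaining = set(B2)
    for k, t in enumerate(T, start=1):
        remaining.discard(t)
        if not remaining:
            return k
    raise ValueError("T does not cover B2")


def phase2(B2, A2, rng):
    """Figure 5.1. Returns (f(A, B), rounds executed, T)."""
    T = build_table(B2, rng)
    for i, t in enumerate(T, start=1):
        for a in A2:
            if t == a:      # plain comparison stands in for the fair equality test
                return 1, i, T
    return 0, len(T), T


def run_protocol(alice_set, bob_set, seed=0):
    """Both phases; returns (f(A, B), rounds, T, B2). Use `secrets` for real runs."""
    rng = random.Random(seed)
    B2, A2 = phase1(list(alice_set), list(bob_set), rng)
    result, rounds, T = phase2(B2, A2, rng)
    return result, rounds, T, B2
```

`run_protocol` returns 0 for disjoint inputs and 1 otherwise, without either party ever seeing the other's raw elements; `final_round(T, B2)` gives the round after which Alice is certain of the result, which Bob cannot distinguish from any other round because each comparison reveals only equal or not equal.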
5.2 Analysis of the Protocol
Since $a_i = b_j$ if and only if $h(a_i)^{\alpha\beta} = h(b_j)^{\alpha\beta}$ (assuming $h$ has no collisions on $A \cup B$ and that exponentiation by $\alpha\beta$ is a permutation of the group), $B_2 \cap A_2 \neq \emptyset$ if and only if $B \cap A \neq \emptyset$. Therefore, at the end of the protocol both parties learn the correct value of $f(A, B)$, provided both follow the protocol exactly.
Now we argue that our second protocol achieves almost complete fairness. If both Alice and Bob execute the protocol honestly, both obtain the correct result. However, Alice or Bob may abort the protocol during execution once she (or he) is 100% sure of the result. We analyze the following two cases.
1. Alice is 100% sure about $f(A, B)$ and immediately aborts the protocol. This happens when the last element of $B_2$ has been checked for membership in $A_2$. Let $b = T[k]$ be the last element of $B_2$ to be checked; that is, each element of $B_2 \setminus \{b\}$ appears in $T[l]$ for some $l < k$. When Alice aborts after learning whether $b = T[k]$ is in $A_2$, Bob already knows the result of this round, which is $f(A, B)$. Thus, Alice has no advantage over Bob.
2. Bob is 100% sure about $f(A, B)$. This happens either when Bob knows $f(A, B) = 1$ and refuses to tell Alice the correct result, or when Bob is 100% sure that all elements of $B_2$ have been compared with $A_2$. In the first case, Alice should assume that $A \cap B \neq \emptyset$; otherwise Bob gains no advantage by aborting. In the second case, Bob cannot be sure that all elements of $B_2$ have been compared until the last round, which he does not know except when $w = 2n$. Thus, when $w = 2n$ and $z = 2n$, Bob gains an advantage by aborting before Alice knows that $f(A, B) = 0$. However, the probability that $w = z = 2n$ is negligible when $n$ is large enough.
Note that Bob can refuse to tell Alice the correct result by terminating the protocol abnormally or by sending wrong information to Alice in the equality testing protocol, as noted above.
In our protocol, Bob gains the advantage of knowing $f(A, B) = 0$ before Alice with 100% certainty if and only if $w = 2n$ and $b = T[w]$ appears in no other entry of $T$.
Let $p$ denote the probability of this event. It can be computed as follows. The probability that $w = 2n$ is $\frac{1}{n}$. The probability that the last position is among the selected positions is $\binom{w-1}{n-1} / \binom{w}{n}$. The probability that the element $b = T[2n]$ is not selected in the remaining $w - n$ entries is $(\frac{1}{2})^{w-n}$. Thus,
$$p = \frac{1}{n} \cdot \frac{\binom{w-1}{n-1}}{\binom{w}{n}} \cdot \left(\frac{1}{2}\right)^{w-n} = \frac{1}{n} \cdot \frac{n}{w} \cdot \left(\frac{1}{2}\right)^{n} = \frac{1}{w} \cdot \frac{1}{2^{n}} < \frac{1}{n \cdot 2^{n}}.$$
Therefore, $p$ is negligible when $n$ is large.

If $n$ is small, we may need to increase $w$ to reduce $p$. Let $w = kn$ for some $k > 2$, so that the probability that $w = kn$ is at most $\frac{1}{n}$. Then,
$$p \le \frac{1}{n} \cdot \frac{\binom{w-1}{n-1}}{\binom{w}{n}} \cdot \left(\frac{1}{2}\right)^{w-n} = \frac{1}{n} \cdot \frac{n}{w} \cdot \left(\frac{1}{2}\right)^{(k-1)n} = \frac{1}{w} \cdot \frac{1}{2^{(k-1)n}} = \frac{1}{kn \cdot 2^{(k-1)n}}.$$
Therefore, if $k$ is large, $p$ is negligible.
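The bound just derived, and the choice of $k$ for small $n$, as an added example that is not part of the thesis. It evaluates the closed form exactly with fractions, cross-checks it against a Monte Carlo simulation of the event alone ($w = 2n$, the last slot among the initially assigned ones, and the element $T[w]$ never reused in the filled slots), and finds the smallest $k$ with $p \le 2^{-t}$ for a target $t$. It assumes, as the text does, that $w$ is uniform on $\{n+1, \ldots, 2n\}$, and for $w = kn$ it uses the text's bound $\Pr[w = kn] \le \frac{1}{n}$ as written.

```python
"""Added example, not the thesis's code: the probability p of Section 5.2."""
import random
from fractions import Fraction
from math import comb


def prob_bob_advantage(n: int, k: int = 2) -> Fraction:
    """p = (1/n) * C(w-1, n-1)/C(w, n) * (1/2)^(w-n) with w = kn,
    which simplifies to 1 / (k * n * 2^((k-1) n))."""
    w = k * n
    return Fraction(1, n) * Fraction(comb(w - 1, n - 1), comb(w, n)) / 2 ** (w - n)


def bob_advantage_event(n: int, rng: random.Random) -> bool:
    """One draw of Alice's random process (k = 2, w uniform on n+1 .. 2n),
    reporting only whether Bob's unlucky event occurred."""
    w = rng.randrange(n + 1, 2 * n + 1)
    if w != 2 * n:
        return False
    slots = rng.sample(range(1, w + 1), n)   # the n initially assigned slots
    if max(slots) != w:
        return False                         # z != w: Rule 2 applies, no advantage
    # Rule 1: each of the w - n remaining slots holds T[w] with probability 1/2;
    # Bob wins only if none of them does
    return all(rng.random() >= 0.5 for _ in range(w - n))


def estimate_bob_advantage(n: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo estimate of prob_bob_advantage(n) for cross-checking."""
    rng = random.Random(seed)
    hits = sum(bob_advantage_event(n, rng) for _ in range(trials))
    return hits / trials


def smallest_k(n: int, security_bits: int) -> int:
    """Smallest k >= 2 with prob_bob_advantage(n, k) <= 2^-security_bits,
    i.e. how far w = kn must be stretched beyond 2n for a small set."""
    k = 2
    while prob_bob_advantage(n, k) > Fraction(1, 2 ** security_bits):
        k += 1
    return k
```

For $n = 4$ the default $k = 2$ gives $p = 1/128$, which is far from negligible; `smallest_k(4, 40)` shows that roughly $k = 10$, i.e. up to $40$ rounds, is needed before Bob's advantage drops below $2^{-40}$, which is the cost Section 5.2 alludes to when $n$ is small.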
5.3 Performance Analysis of the Protocol
Recall that $m$ and $n$ are the cardinalities of the sets $A$ and $B$, respectively. Since $n < w \le 2n$, the protocol needs at most $2mn$ comparisons of elements. Each comparison needs $O(1)$ modular exponentiations [1]. Thus, the protocol needs $O(mn)$ modular exponentiations, which is more efficient than the first protocol.
Chapter 6
Conclusions and Future Works
We have presented two secure two-party computation protocols for determining whether the intersection of two sets is empty or not. The first has the property of complete fairness, and the second has almost complete fairness. The first protocol needs more computation, while the second needs less.
Both of our protocols need only $O(mn)$ comparisons of elements, independent of the size of the domain from which the sets $A$ and $B$ are drawn.
It is known that the millionaires' problem can be reduced to the set intersection problem. Our protocols can be used to solve the millionaires' problem more efficiently, especially when the size of the domain is large.
We also showed that when $A$ and $B$ each contain only one element of a two-element set $U$, the problem cannot be computed securely with complete fairness. However, when the cardinality of $U$ is very large, this case of the set disjointness problem is equivalent to the equality test problem, which can be computed with complete fairness.
The following are plausible subjects for future research:
1. Design a protocol for computing the set intersection.
2. Design a protocol for computing the cardinality of the intersection of sets.
3. Extend our two-party protocol to three-party and general $k$-party protocols for $k > 3$.
Bibliography
[1] Fabrice Boudot, Berry Schoenmakers, and Jacques Traoré. A fair and efficient solution to the socialist millionaires' problem. Discrete Applied Mathematics, 111:23–36, 2001.
[2] Richard Cleve. Limits on the security of coin flips when half the processors are faulty. In Proceedings of the 18th Annual ACM Symposium on Theory of Computing, pages 364–369. ACM, 1986.
[3] S. Dov Gordon, Carmit Hazay, Jonathan Katz, and Yehuda Lindell. Complete fairness in secure two-party computation. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, pages 413–422. ACM, May 2008.
[4] Hsiao-Ying Lin and Wen-Guey Tzeng. An efficient solution to the millionaires' problem based on homomorphic encryption. In ACNS 2005, volume 3531 of Lecture Notes in Computer Science, pages 456–466. Springer, 2005.
[5] Yehuda Lindell. Parallel coin-tossing and constant-round secure two-party computation. Journal of Cryptology, 16(3):143–184, 2003.
[6] Yehuda Lindell and Benny Pinkas. A proof of security of Yao's protocol for two-party computation. Journal of Cryptology, 22:161–188, 2009.
[7] Moni Naor and Benny Pinkas. Oblivious polynomial evaluation. SIAM Journal on Computing, 35(5):1245–1281, 2006.
[8] C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991.
[9] Andrew C. Yao. Protocols for secure computations. In Proceedings of the 23rd Annual Symposium on Foundations of Computer Science, pages 160–164. IEEE, 1982.
[10] Andrew C. Yao. How to generate and exchange secrets. In Proceedings of the 27th Annual Symposium on Foundations of Computer Science, pages 162–167. IEEE, 1986.
[11] Qingsong Ye, Huaxiong Wang, and Christophe Tartary. Privacy-preserving distributed set intersection. In Proceedings of the 3rd International Conference on Availability, Reliability and Security, pages 1332–1339. IEEE, 2008.