Privacy preserving comparison

Abstract

A method for performing a secure comparison between a first secret data and a second secret data, including: receiving, by a processor of a first party, custom character encrypted bits of the second secret data y from a second party, where is an integer; computing the Hamming weight h of first secret data x, wherein x has bits; computing the value of a first comparison bit .sub.A such that .sub.A=0 when h>/2, .sub.A=1 when h</2, and .sub.A is randomly selected when h= custom character /2; forming a set of /2 indexes that includes at least the indexes i where x.sub.i=.sub.A; selecting random invertible scalars r.sub.i for each i in and computing c*.sub.i=(1+(12.sub.A)x.sub.i.Math.y.sub.i.sup.2.sup.A.sup.1.Math.(x.sub.jy.sub.j)).sup.r.sup.i wherein w denotes the homomorphic encryption of w using a cryptographic key of the second party; selecting random invertible scalars r.sub.1 and computing custom character c*.sub.1=(.sub.A.Math.x.sub.jy.sub.j).sup.r.sup.1; transmitting ciphertexts c*.sub.i in a random order to the second party.

Claims

1. A method for performing a secure comparison between a first secret data and a second secret data, comprising: receiving, by a processor of a first party, custom character encrypted bits of the second secret data y from a second party, where is an integer; computing the Hamming weight h of first secret data x, wherein x has bits; computing the value of a first comparison bit .sub.A such that .sub.A=0 when h>/2, .sub.A=1 when h</2, and .sub.A is randomly selected when h= custom character /2; forming a set of /2 indexes that includes at least the indexes i where x.sub.i=.sub.A; selecting random invertible scalars r.sub.i for each i in and computing
c*.sub.i=(1+(12.sub.A)x.sub.i.Math.y.sub.i.sup.2.sup.A.sup.1.Math.(x.sub.jy.sub.j)).sup.r.sup.i wherein w denotes the homomorphic encryption of w using a cryptographic key of the second party; selecting random invertible scalars r.sub.1 and computing
custom character c*.sub.1=(.sub.A.Math.x.sub.jy.sub.j).sup.r.sup.1; transmitting ciphertexts c*.sub.i in a random order to the second party.

2. The method of claim 1, wherein when the second party sets a value of a second comparison bit .sub.B based upon the decrypted c*.sub.i's and wherein .sub.A.sub.B=[xy].

3. The method of claim 2, wherein when the second party sets a second comparison bit .sub.B=1 when any one of the decrypted c*.sub.i's is equal to zero.

4. The method of claim 2, wherein when the second party sets a second comparison bit .sub.B=0 when none of the decrypted c*.sub.i's is equal to zero.

5. The method of claim 1, wherein the encryption uses the Pallier cryptosystem.

6. The method of claim 1, wherein the encryption uses the exponential variant of the ElGamal cryptosystem.

7. The method of claim 1, further comprising receiving an encryption of the second comparison bit .sub.B from the second party and computing custom character =.sub.B when .sub.A=0 and =1.Math..sub.B.sup.1 when .sub.A0, wherein =[xy].

8. A method for performing a secure comparison between a first secret data and a second secret data, comprising: receiving, by a processor of a first party, encrypted second secret data custom character y from a second party, wherein where is the number of bits in y and wherein y denotes the additive homomorphic encryption of y; choosing a random mask in , where is a security parameter; computing z.sup.=y.Math.x.sup.1.Math.+, wherein x is the first secret data having bits; sending custom character z.sup.to the second party; computing x= mod ; receiving, by the processor of a first party, encrypted bits of y from the second party, wherein y is based upon z.sup.; computing the Hamming weight h of x; computing the value of a first comparison bit .sub.A such that .sub.A=0 when h> custom character /2, .sub.A=1 when h</2, and .sub.A is randomly selected when h=/2; forming a set of /2 indexes that includes at least the indexes i where x.sub.i=.sub.A; selecting random invertible scalars r.sub.i for each i in and computing
c*.sub.i=(1+(12.sub.A)x.sub.i.Math.y.sub.i.sup.2.sup.A.sup.1.Math.( custom character x.sub.jy.sub.j)).sup.r.sup.i; selecting random invertible scalars r.sub.1 and computing
c*.sub.1=(.sub.A.Math.x.sub.jy.sub.j).sup.r.sup.1; transmitting ciphertexts c*.sub.i in a random order to the second party.

9. The method of claim 8, wherein when the second party decrypts custom character z.sup.and defines y=z.sup. mod .

10. The method of claim 8, wherein the first party sets .sub.A=.sub.A when / custom character is even, and .sub.A=1.sub.A otherwise, second party sets a value of a second comparison bit .sub.B=.sub.B when z.sup./ is odd, and .sub.B=1.sub.B otherwise and wherein .sub.A.sub.B=[xy].

11. A non-transitory machine-readable storage medium encoded with instructions for performing a secure comparison between a first secret data and a second secret data, comprising: instructions for receiving, by a processor of a first party, custom character encrypted bits of the second secret data y from a second party, where is an integer; instructions for computing the Hamming weight h of first secret data x, wherein x has bits; instructions for computing the value of a first comparison bit .sub.A such that .sub.A=0 when h>/2, .sub.A=1 when h< custom character /2, and .sub.A is randomly selected when h=/2; instructions for forming a set of /2 indexes that includes at least the indexes i where x.sub.i=.sub.A; instructions for selecting random invertible scalars r.sub.i for each i in and computing
c*.sub.i=(1+(12.sub.A)x.sub.i.Math.y.sub.i custom character .sup.2.sup.A.sup.1.Math.(x.sub.jy.sub.j)).sup.r.sup.i wherein w denotes the homomorphic encryption of w using a cryptographic key of the second party; instructions for selecting random invertible scalars r.sub.1 and computing
c*.sub.1=(.sub.A.Math.x.sub.jy.sub.j).sup.r.sup.1; instructions for transmitting ciphertexts custom character c*.sub.i in a random order to the second party.

12. The non-transitory machine-readable storage medium of claim 11, wherein when the second party sets a value of a second comparison bit .sub.B based upon the decrypted c*.sub.i's and wherein .sub.A.sub.B=[xy].

13. The non-transitory machine-readable storage medium of claim 12, wherein when the second party sets a second comparison bit .sub.B=1 when any one of the decrypted c*.sub.i's is equal to zero.

14. The non-transitory machine-readable storage medium of claim 12, wherein when the second party sets a second comparison bit .sub.B=0 when none of the decrypted c*.sub.i's is equal to zero.

15. The non-transitory machine-readable storage medium of claim 11, wherein the encryption uses the Pallier cryptosystem.

16. The non-transitory machine-readable storage medium of claim 11, wherein the encryption uses the exponential variant of the ElGamal cryptosystem.

17. The non-transitory machine-readable storage medium of claim 11, further comprising instructions for receiving an encryption of the second comparison bit .sub.B from the second party and computing custom character =.sub.B when .sub.A=0 and =1.Math..sub.B.sup.1 when .sub.A0, wherein =[xy].

18. A non-transitory machine-readable storage medium encoded with instructions for performing a secure comparison between a first secret data and a second secret data, comprising: instructions for receiving, by a processor of a first party, encrypted second secret data custom character y from a second party, wherein where is the number of bits in y and wherein y denotes the additive homomorphic encryption of y; instructions for choosing a random mask in , where is a security parameter; instructions for computing z.sup.=y.Math.x.sup.1.Math.+, wherein x is the first secret data having custom character bits; instructions for sending z.sup. to the second party; instructions for computing x= mod ; instructions for receiving, by the processor of a first party, encrypted bits of y from the second party, wherein y is based upon z.sup.; instructions for computing the Hamming weight h of x; instructions for computing the value of a first comparison bit .sub.A such that .sub.A=0 when h> custom character /2, .sub.A=1 when h</2, and .sub.A is randomly selected when h=/2; instructions for forming a set of /2 indexes that includes at least the indexes i where x.sub.i=.sub.A; instructions for selecting random invertible scalars r.sub.i for each i in and computing
c*.sub.i=(1+(12.sub.A)x.sub.i custom character .Math.y.sub.i.sup.2.sup.A.sup.1.Math.(x.sub.jy.sub.j)).sup.r.sup.i; instructions for selecting random invertible scalars r.sub.1 and computing
c*.sub.1=(.sub.A.Math.x.sub.jy.sub.j).sup.r.sup.1; instructions for transmitting ciphertexts c*.sub.iin a random order to the second party.

19. The non-transitory machine-readable storage medium of claim 18, wherein when the second party decrypts custom character z.sup. and defines y=z.sup. mod .

20. The non-transitory machine-readable storage medium of claim 18, wherein the first party sets .sub.A=.sub.A when / custom character is even, and .sub.A=1.sub.A otherwise, second party sets a value of a second comparison bit .sub.B=.sub.B when z.sup./ is odd, and .sub.B=1.sub.B otherwise and wherein .sub.A.sub.B=[xy].

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) In order to better understand various exemplary embodiments, reference is made to the accompanying drawings, wherein:

(2) FIG. 1 illustrates a first embodiment of a privacy comparison protocol; and

(3) FIG. 2 illustrates a second embodiment of a privacy comparison protocol.

(4) To facilitate understanding, identical reference numerals have been used to designate elements having substantially the same or similar structure and/or substantially the same or similar function.

DETAILED DESCRIPTION

(5) The description and drawings illustrate the principles of the invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements that, although not explicitly described or shown herein, embody the principles of the invention and are included within its scope. Furthermore, all examples recited herein are principally intended expressly to be for pedagogical purposes to aid the reader in understanding the principles of the invention and the concepts contributed by the inventor(s) to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Additionally, the term, or, as used herein, refers to a non-exclusive or (i.e., and/or), unless otherwise indicated (e.g., or else or or in the alternative). Also, the various embodiments described herein are not necessarily mutually exclusive, as some embodiments can be combined with one or more other embodiments to form new embodiments.

(6) A comparison compares two custom character -bit integers to decide whether or not xy. This problem arises in a variety of privacy-preserving applications including secure data mining and secure auctions.

(7) There exist different versions of the problem depending on whether the numbers x and y are known to the respective parties or unknown to everyone, and whether the result of the comparison is public or private. In this disclosure, it is assumed that two parties have two integers (in the clear) and that they want to compare these numbers without revealing the value. Embodiments of the comparison protocol described below can also be used in the case where one of the parties has the encrypted integers and the other party has the key to decrypt encrypted integers and in this case both integers will remain unknown to the parties. The final result of the comparison protocol can be public or secretly shared between the parties.

(8) The embodiments of the disclosure introduce new comparison protocols which increase the efficiency in both communication and computational complexities by about a factor of two as compared to the current state of the art. These embodiments include the following features: Performing the comparison based on the Hamming weight of the integer x. These embodiments are designed in a way that guarantees having at most

(9) $.Math. \frac{}{2} .Math. + 1$
bit comparisons, which leads to a better performance. The protocols are cryptographically secure. By possibly adding dummy comparisons, the protocols become robust against timing attacks as well. In order to hide the information of Hamming weight of x from the other party, a sub-protocol is introduced that generates random shares and compares those shares. The protocols described may be applied to increase the efficiency of any comparison protocol based on bit-wise comparison. See e.g., Hsiao-Ying Lin and Wen-Guey Tzeng. An efficient solution to the millionaires' problem based on homomorphic encryption. In J. Ioannidis, A. D. Keromytis, and M. Yung, editors, Applied Cryptography and Network Security (ACNS 2005), volume 3531 of Lecture Notes in Computer Science, pages 456-466. Springer, 2005. In order to provide a concrete example in the embodiments described herein the well-known DGK comparison protocol is used. See Ivan Damgrd, Martin Geisler, and Mikkel Krigaard, Homomorphic encryption and secure comparison, International Journal of Applied Cryptography, 1(1):22-31, 2008.

(10) Damgrd, Geisler, and Krigaard present an elegant protocol for comparing private values. It was later modified in: Zekeriya Erkin, Martin Franz, Jorge Guajardo, Stefan Katzenbeisser, Inald Lagendijk, and Tomas Toft, Privacy-preserving face recognition, In I. Goldberg and M. J. Atallah, editors, Privacy Enhancing Technologies (PETS 2009), volume 5672 of Lecture Notes in Computer Science, pages 235-253. Springer, 2009; and Thijs Veugen. Improving the DGK comparison protocol, In 2012 IEEE International Workshop on Information Forensics and Security (WIFS 2012), pages 49-54. IEEE, 2012.

(11) The comparison protocol utilizes an additively homomorphic encryption scheme. Let custom character m denote the encryption of a message m. The homomorphic property implies that for any two messages m and m, the encryption of m+m can be obtained from the encryptions of m and m as m+m=m.Math.m for some public operation .Math.. Likewise, for a known constant integer d, the encryption of dm (that is, m+m+ . . . +m (d times)) can be obtained from the encryption of m as custom character dm=m.sup.d. Examples of additively homomorphic encryption schemes include the Paillier cryptosystem or the exponential variant of the ElGamal encryption scheme.

(12) The DGK+ protocol, a variation on the Damgrd-Geisler-Krigaard protocol, will now be described. Alice possesses a private custom character -bit value x=x.sub.i2.sup.i while Bob possesses a private -bit value y=y.sub.i2.sup.i. The goal for Alice and Bob is to respectively obtain bits .sub.A and .sub.B such that .sub.A.sub.B=[xy]. Here [xy] denotes the result of the comparison: [xy]=1 (true) if xy, and [xy]=0 (false) if x>y. The protocol proceeds in four steps: 1. Bob encrypts the bits of y= custom character y.sub.i2.sup.i under his public key and sends y.sub.i, 0i1, to Alice. 2. Alice chooses uniformly at random a bit .sub.A{0,1} and defines s=12.sub.A. Alice also selects +1 random invertible scalars r.sub.i, 1i1. 3. Next, for 1i0, Alice computes
c*.sub.i=(s.Math.x.sub.i.Math.y.sub.i.sup.1.Math.( custom character x.sub.jy.sub.j).sup.3).sup.r.sup.i. Finally, Alice computes
c*.sub.1=(.sub.A.Math.x.sub.jy.sub.j).sup.r.sup.1. Alice sends the +1 ciphertexts c.sub.i* in a random order to Bob. 4. Using his private key, Bob decrypts the received c.sub.i*'s. If one is decrypted to zero, Bob sets .sub.B=1. Otherwise, Bob sets .sub.B=0.
Note that given custom character y.sub.i, Alice can obtain x.sub.iy.sub.i as

(13) $x_{i} y_{i} = {\begin{matrix} y_{i} & if x_{i} = 0 \\ 1 .Math. {y_{i}}^{- 1} & if x_{i} = 1 \end{matrix} .$

(14) The correctness of the DGK+ protocol follows from the fact that x=( custom character , . . . , x.sub.0) is smaller than or equal to y=(, . . . , y.sub.0) if only and only if 1. x=y, or 2. there exists some index i, with 0i1, such that
x.sub.i<y.sub.i, and
x.sub.j=y.sub.j for 1ji+1.

(15) When xy, this latter condition is equivalent to the existence of some index i, with 0i custom character 1, such that x.sub.iy.sub.i+1+(x.sub.jy.sub.j)=0. Indeed, because (x.sub.iy.sub.i+1)0 and (x.sub.jy.sub.j)0, it follows that x.sub.iy.sub.i+1+(x.sub.jy.sub.j)=0 is equivalent to x.sub.iy.sub.i+1=0 and (x.sub.jy.sub.j)=0 for all ji+1, which in turn is equivalent to x.sub.i<y.sub.i and x.sub.j=y.sub.j for all ji+1.

(16) Let .sub.A{0,1}. The above test is replaced to allow the secret sharing of the comparison bit across Alice and Bob as [xy]=.sub.A.sub.B. The new test checks the existence of some index i, with 0i custom character 1, such that
c.sub.i=x.sub.iy.sub.i+(12.sub.A)+3(x.sub.jy.sub.j)
is zero. When .sub.A=0 this occurs if xy; when .sub.A=1 this occurs if x>y. As a result, the first case yields .sub.A=[x<y]=1[xy] while the second case yields .sub.A=[x>y]=[xy]=1[xy]. This discrepancy is corrected by augmenting the set of c.sub.i's with an additional value c.sub.1 given by
c.sub.1=.sub.A+ custom character (x.sub.jy.sub.j).

(17) It is worth observing that c.sub.1 can only be zero when .sub.A=0 and x=y. Therefore, in all cases, when there exists some index i, with 1i custom character 1, such that c.sub.i=0, then .sub.A=1[xy], or equivalently, [xy]=.sub.A1.

(18) It is easily verified that custom character c.sub.i* as computed in step 3 of the DGK+ protocol is the encryption of r.sub.ic.sub.i. Clearly, if r.sub.ic.sub.i is zero then so is c.sub.i because r.sub.i0. Hence, if one of the c*.sub.i's decrypts to 0 then [xy]=.sub.A1=.sub.A.sub.B; if not, one has [xy]=.sub.A=.sub.A.sub.B. This concludes the proof of correctness.

(19) In section II-A of Veugen, the author does not explicitly mention that c.sub.1 has to be randomized by an invertible scalar r.sub.1. This step is important as otherwise, assuming .sub.A=1 (which occurs with probability ), if Bob decrypts one of the custom character c*.sub.i's to 1, he can deduce that x is very likely equal to y.

(20) The Damgrd-Geisler-Kr custom character igaard (DKG) protocol has the disadvantage of being computational intensive. Step 3 of the DKG protocol is dominated by +1 exponentiations in the group underlying the homomorphic encryption scheme. Those are costly operations. This issue was addressed in Veugen. Veugen was able to divide the computational workload by approximately a factor of two. However, the resulting implementation is subject to timing attacks. Another drawback of the DKG protocol is the communication cost. Step 3 in the DKG protocol produces custom character +1 ciphertexts that are transmitted from Alice to Bob.

(21) An embodiment of a comparison method will now be described that reduces by roughly a factor of two both the computational complexity and the necessary bandwidth for step 3. Furthermore, provided it is properly implemented, the proposed method is resistant against timing attacks.

(22) The same setting as described above will be used again where Alice possesses an custom character -bit integer x and Bob possesses an -bit integer y. The goal is for Alice and Bob to respectively obtain bits .sub.A and .sub.B such that .sub.A.sub.B=[xy].

(23) A first embodiment of the privacy comparison protocol, as illustrated in FIG. 1, proceeds as follows. 1. Bob encrypts the bits of y= custom character y.sub.i2.sup.i under his public key and sends y.sub.i, 0i1, to Alice 110. 2. Alice computes the Hamming weight of x (i.e., the number of nonzero bits of x) 115. Let h denote the Hamming weight of x. The value of .sub.A is set based upon the Hamming weight h 120. There are three cases to consider: (a) if h>l/2, Alice sets .sub.A=0; (b) if h<l/2, Alice sets .sub.A=1; (c) if h= custom character /2 (this can only occur when is even), Alice chooses a random value in {0,1} for .sub.A. 3. Next, Alice forms a set of indexes i 125 such that (a) where ={0i1|x.sub.i=.sub.A}; and (b) # =/2. For each i, Alice selects a random invertible scalar r.sub.i 130 and computes 135
custom character c*.sub.i=(1+(12.sub.A)x.sub.i.Math.y.sub.i.sup.2.sup.A.sup.1.Math.(x.sub.jy.sub.j)).sup.r.sup.i. Finally, Alice computes 140
c*.sub.1=(.sub.A.Math.x.sub.jy.sub.j).sup.r.sup.1. Alice sends the /2+1 ciphertexts c.sub.i* in a random order to Bob 145. 4. Using his private key, Bob decrypts the received custom character c*.sub.i's. If one is decrypted to zero, Bob sets .sub.B=1 150. Otherwise, Bob sets .sub.B=0.

(24) The correctness of this protocol will now be discussed. It is useful to introduce some notation. For a t-bit integer a=.sub.i=0.sup.t1a.sub.i2.sup.i with a.sub.i{0,1}, let denote the complementary of a; i.e., =2.sup.ta1. In particular, for t=1, a=a.sub.0 and =.sub.0=1a.sub.0.

(25) As a first proposition let x= custom character x.sub.i2.sup.i and y=y.sub.i2.sup.i, with x.sub.i, y.sub.i{0,1}, be two -bit integers. Define

(26) $c_{i} = x_{i} + \overline{y_{i}} + {.Math.}_{j = i + 1}^{- 1} (x_{j} y_{j}) .$
Then x<y if and only if there exists some unique index i with 0i custom character 1 such that c.sub.i=0.

(27) This may be proved as follows. As defined, c.sub.i is the sum of nonnegative terms. Therefore, c.sub.i=0 is equivalent to (i) x.sub.i=y.sub.i=0 and (ii) for i+1j custom character 1, x.sub.jy.sub.j=0. This in turn is equivalent to (i) x.sub.i<y.sub.i and (ii) for i+1j1, x.sub.j=y.sub.j; that is, x<y. To see that if an index i exists, such that c.sub.i=0 is unique, suppose that c.sub.i=0 for some ii. Without loss of generality, assume that i<i. Then, c.sub.i=x.sub.i+y.sub.i+ custom character (x.sub.jy.sub.j)x.sub.iy.sub.i=1, which is a contradiction.

(28) As second proposition, let x= custom character x.sub.i2.sup.i and y=y.sub.i2.sup.i, with x.sub.i, y.sub.i{0,1}, be two -bit integers. Define

(29) $c_{- 1} = {.Math.}_{j = 0}^{- 1} (x_{j} y_{j}) .$
Then x=y if and only if c.sub.1=0. The proof is obvious.

(30) By reversing the roles of x and y in the first proposition, the following corollary results: as a third proposition let x= custom character x.sub.i2.sup.i and y=y.sub.i2.sup.i, with x.sub.i, y.sub.i{0,1}, be two -bit integers. Define

(31) $c_{i} = y_{i} + \overline{x_{i}} + {.Math.}_{j = i + 1}^{- 1} (y_{j} x_{j}) .$
Then xy if and only if there exists no index i with 0i custom character 1 such that c.sub.i=0.

(32) This may be proved as follows. If there were such an index i, this would imply y<x by the first proposition. The absence of such an index therefore implies yx.

(33) Suppose first that the Hamming weight of x is greater than custom character /2 (and thus .sub.A=0). This means that x has more ones than zeros in its binary representation. Specifically, among the bits of x, at most /2 bits are equal to 0. Furthermore, the first proposition shows that c.sub.i needs only to be evaluated when x.sub.i=0 because when x.sub.i=1, it is already known that the corresponding c.sub.i cannot be zero. The case x=y is taken into account using the second proposition.

(34) Now suppose that the Hamming weight of x is less than custom character /2 (and thus .sub.A=1). In this case, among the bits of x, at most /2 bits are equal to 1. Then the second proposition can be made use of: with at most /2 tests for c.sub.i=0 (i.e., when x.sub.i=1), it can be decided whether xy.

(35) The last case is when the Hamming weight of x is custom character /2 (and thus .sub.A is equiprobably equal to 0 or 1). This supposes even. In this case, among the bits of x, /2 bits are equal to 0 and /2 bits are equal to 1. The combination of the first and second propositions or the third proposition can be used indifferently to decide after at most custom character /2=/2 tests for c.sub.i=0 whether or not xy.

(36) The above analysis shows that (i) only the indexes i custom character need to be tested, and (ii) # /2. If # <l/2 then additional indexes are added to to form . This ensures that # is always equal to /2 and is aimed at preventing timing attacks. Since the values of r.sub.ic.sub.i is nonzero for i.Math., the correctness follows by noting that the c*.sub.i's include the encryptions of r.sub.ic.sub.i for all i custom character .

(37) By construction, .sub.B=1 if one of the custom character c*.sub.i's decrypts to 0. 1. When .sub.A=0, the first and second propositions are used. A decryption to 0 means xy, and therefore [xy]=1=.sub.A.sub.B, as desired. 2. When .sub.A=1, the third proposition is used and a decryption to 0 means xy. Then, [xy]=0=.sub.A.sub.B, as desired.

(38) If none of the custom character c*.sub.i's decrypts to 0, then .sub.B=0. When .sub.A=0, this means xy; when .sub.A=1, this means xy. In both cases, [xy]=.sub.A.sub.B, as desired.

(39) A second embodiment of a comparison method will now be described. In the setting where Alice possesses x and Bob y and where Alice and Bob wish to respectively obtain .sub.A and .sub.B such that .sub.A.sub.B=6 with =[xy], the previously described first protocol needs special care. In particular, it requires that the Hamming weight of x a priori has the same probability to be greater than custom character /2 or less than /2. This guarantees that .sub.A is uniformly distributed over {0,1}. Indeed, if Bob knows for example that the Hamming weight of x is more likely greater than /2 (and thus .sub.A is more likely equal to 1), a value .sub.B=0 tells Bob that x is more likely less or equal to y because .sub.A.sub.B=[xy].

(40) The second embodiment described below is secure even when Bob has some a priori knowledge on the Hamming weight of x. The distribution of .sub.A will always be uniform over {0,1}, independently of the value of x.

(41) The second embodiment of the privacy comparison protocol, as shown in FIG. 2, proceeds as follows. 1a. Bob encrypts y under his public key and sends custom character y to Alice 210. 1b. Alice chooses a random mask in 215, where is a security parameter, and computes z.sup.=y.Math.x.sup.1.Math.+ 220, and sends z.sup. to Bob 225. 1c. Alice defines x= mod 230. 1d. Using his private key, Bob decrypts z.sup. and gets z.sup., and defines y=z.sup. mod custom character . 2. Alice and Bob now apply the previous comparison protocol on x and y 235-280 (similar to FIG. 1). Let .sub.A and .sub.B denote the respective outputs for Alice and Bob of the protocol, with .sub.A.sub.B=[xy]. 3. Alice sets .sub.A=.sub.A if / is even, and .sub.A=1.sub.A otherwise. 4. Bob sets .sub.B=.sub.B if z.sup./ custom character is odd, and .sub.B=1.sub.B otherwise.
It is worth noting here that x as defined in Step 3 is a random -bit integer. There is therefore no way for Bob to gain more information on its Hamming weight.

(42) The correctness of this protocol will now be discussed.

(43) Define X=/ custom character , Y=z.sup./, and =.sub.A.sub.B. The values for .sub.A and .sub.B such that .sub.A.sub.B=[xy] can be obtained from .sub.A and .sub.B, respectively. Indeed:

(44) $\begin{matrix} _{A}_{B} = [x y] = .Math. \frac{y + 2^{} - x}{2^{}} .Math. \\ = .Math. \frac{z^{} -}{2^{}} .Math. = .Math. \frac{(Y^{} 2^{} + y^{}) - (X^{} 2^{} + x^{})}{2^{}} .Math. = Y^{} - X^{} + .Math. \frac{y^{} - x^{}}{2^{}} .Math. \\ = Y^{} - X^{} +^{} - 1 == Y^{} - X^{} + (_{A}^{}_{B}^{}) - 1. \end{matrix}$
Therefore, modulo 2, one has:
.sub.A+.sub.BY+X+.sub.A+.sub.B+1(mod 2);
a solution of which is: .sub.A=(.sub.A+X) mod 2 and .sub.A=(.sub.B+Y+1) mod 2.

(45) The first and second embodiments may also produce an encrypted comparison bit as will now be described. Let denote the comparison bit; i.e., =[xy]. In certain settings, Alice wishes to produce an encryption of at the end of the protocol, rather than a share .sub.A of (the other share, .sub.B, being held by Bob). In this case, following step may be added to the first and second embodiments of the comparison protocols: 5. Bob encrypts .sub.B using his public key and sends custom character .sub.B to Alice. Upon receiving .sub.B, Alice computes as

(46) $= {\begin{matrix} _{B} & if_{A} = 0, \\ 1 .Math. {_{B}}^{- 1} & otherwise . \end{matrix}$

(47) In yet other embodiments, the inputs may be encrypted. There exists another practical setting for the comparison of private inputs. In this setting, Alice possesses custom character {circumflex over (x)} and , the encryption of two -bit values {circumflex over (x)}={circumflex over (x)}.sub.i2.sup.i and =.sub.i2.sup.i. Bob possesses the corresponding decryption key. The goal is for Alice to get {circumflex over ()}, the encryption under Bob's public key of the comparison bit {circumflex over ()}=[{circumflex over (x)}]. The protocols described in the embodiments above may be used in that setting as well. Let be a security parameter. Alice first chooses a random ( custom character +)-bit integer and, from {circumflex over (x)} and , computes z* where
z*=+{circumflex over (x)}+
as z*=.Math.{circumflex over (x)}.sup.1.Math.+. Alice also defines x= mod . Alice sends z* to Bob.

(48) Bob decrypts custom character z* to get z* and defines y=z* mod .

(49) Again, it is worth noting that x and y are custom character -bit integers privately held by Alice and Bob, respectively. This is a setting similar to the one considered above. Let =[xy] and assume that Alice obtained as the output of the first or second comparison protocol embodiments. It will be shown below how Alice can get {circumflex over ()} custom character from .

(50) Define X=/ custom character and Y=z*/. Note that the problem of finding {circumflex over ()} boils down to the problem of finding . Indeed:

(51) $\begin{matrix} \hat{} = [\hat{x} \hat{y}] = .Math. \frac{\hat{y} + 2^{} - \hat{x}}{2^{}} .Math. \\ = .Math. \frac{z^{*} -}{2^{}} .Math. = .Math. \frac{(Y 2^{} + y) - (X 2^{} + x)}{2^{}} .Math. = Y - X + .Math. \frac{y - x}{2^{}} .Math. \\ = Y - X + - 1; \end{matrix}$
hence, Alice may compute custom character {circumflex over ()} from and Y as
{circumflex over ()}=Y.Math.X+1.sup.1.Math..
It suffices that Bob sends the value of Y to Alice.

(52) The embodiments described herein may be used in various applications. The comparison of private values is an essential building block for developing privacy-preserving machine-learning algorithms. These include the very popular SVM (support vector machines) algorithm as well as k-means clustering. In secure clustering algorithm, user profile should be compared with cluster centroids.

(53) Comparison protocols also have a pivotal role in authentication services. In fingerprint-based authentication, a biometric device (fingerprint reader) identifies a user by comparing her sample with the database of authorized entities. It is also used in face recognition. In private recommender systems, the user value is compared with a threshold. Comparison algorithms also have applications in secure matrix factorization, private bio-informatic services, and secure adaptive filtering.

(54) The embodiments described in this disclosure therefore find numerous applications. Remarkably, the resulting performance is greatly improved compared to state-of-the-art methods, both in computation and communication complexities.

(55) The embodiments described herein represent an improvement in the technology of secure comparisons of data by a single party who does not have access to the underlying secure data or between two parties who are keeping their own information secret from the other party. These embodiments provide a reduction in the amount of computations needed to perform these secure comparisons as well as reducing the amount of data that needed to be exchanged between the parties doing the comparison. As a result, the embodiments also lead to an improvement in terms of number of operations of a computer that may be used to carry out such secure comparisons.

(56) The methods described above may be implemented in software which includes instructions for execution by a processor stored on a non-transitory machine-readable storage medium. The processor may include a memory that stores the instructions for execution by the processor.

(57) Any combination of specific software running on a processor to implement the embodiments of the invention, constitute a specific dedicated machine.

(58) As used herein, the term non-transitory machine-readable storage medium will be understood to exclude a transitory propagation signal but to include all forms of volatile and non-volatile memory. Further, as used herein, the term processor will be understood to encompass a variety of devices such as microprocessors, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), and other similar processing devices. When software is implemented on the processor, the combination becomes a single specific machine.

(59) It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative circuitry embodying the principles of the invention.

(60) Although the various exemplary embodiments have been described in detail with particular reference to certain exemplary aspects thereof, it should be understood that the invention is capable of other embodiments and its details are capable of modifications in various obvious respects. As is readily apparent to those skilled in the art, variations and modifications can be effected while remaining within the spirit and scope of the invention. Accordingly, the foregoing disclosure, description, and figures are for illustrative purposes only and do not in any way limit the invention, which is defined only by the claims.

Privacy preserving comparison

Assignee

Inventors

Cpc classification

Classification Explorer

H04L2209/08

ELECTRICITY

Classification Explorer

H04L9/14

ELECTRICITY

Classification Explorer

G06F17/10

PHYSICS

Classification Explorer

H04L9/008

ELECTRICITY

Classification Explorer

H04L9/005

ELECTRICITY

International classification

Classification Explorer

H04L9/00

ELECTRICITY

Classification Explorer

H04L9/14

ELECTRICITY

Classification Explorer

G06F17/10

PHYSICS

Abstract

Claims

Description