Mathematical Problems in Engineering

Volume 2013 (2013), Article ID 172718, 5 pages

http://dx.doi.org/10.1155/2013/172718

## Efficient Secure Multiparty Computation Protocol for Sequencing Problem over Insecure Channel

^{1}State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China^{2}School of Computer Science and Technology, Nanjing Normal University, Nanjing, Jiangsu 210023, China

Received 2 March 2013; Accepted 2 August 2013

Academic Editor: Vishal Bhatnagar

Copyright © 2013 Yi Sun et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

As a powerful tool in solving privacy preserving cooperative problems, secure multiparty computation is more and more popular in electronic bidding, anonymous voting, and online auction. Privacy preserving sequencing problem which is an essential link is regarded as the core issue in these applications. However, due to the difficulties of solving multiparty privacy preserving sequencing problem, related secure protocol is extremely rare. In order to break this deadlock, this paper first presents an efficient secure multiparty computation protocol for the general privacy-preserving sequencing problem based on symmetric homomorphic encryption. The result is of value not only in theory, but also in practice.

#### 1. Introduction

Sequencing problem is very common in our daily life, such as ranking according to the scores, queuing by the height. Informally speaking, it is about comparing and sequencing of some numbers. It is easy and convenient to get the result because it cares nothing about privacy in the scenes above. On the contrary, privacy-preserving sequencing problem (PPSP) is always a hard challenge since it requires to conduct secret numbers comparison without knowing the numbers. In this scenario, all participants distrust each other and would not like to leak their own secret information to anyone else. It is an urgent task to be solved for some important applications such as electronic bidding, anonymous voting, and online auction. Naturally, as a powerful tool in solving privacy-preserving cooperative problems, secure multiparty computation (SMC) [1] is the best choice for privacy-preserving sequencing. In fact, the classical Millionaire’s problem [1–3] is the earliest example of introducing secure multiparty computation into the sequencing problem. More specifically, the millionaire’s problem, with the aim to find out which one of the two Millionaires is richer without revealing their net worth, can be described as comparing two secret numbers in the perspective of sequencing, that is, the 2-party case of PPSP. In this aspect, the case of 2-party sequencing problem has already been resolved along with the advent of the solutions to Millionaire’s problem and the presence of other secure two-party computation protocols [4–12]. Due to the limitation of the 2-party case in practice, the general multiparty PPSP becomes the focus in secure multiparty computation recently.

In 1962, Held and Karp [13] put forward a dynamic programming approach to multiparty sequencing problem before the advent of SMC. They concern more about some certain scenarios and aim to design schemes for the special applications such as the traveling-salesman problem. Subsequently, the research on PPSP is rare and mainly about the 2-party case. Currently, Tang et al. [14] have constructed an efficient and secure multiparty computation protocol for PPSP by making use of a secret sharing scheme based on polynomial. It is an important fruit of PPSP since it has indeed realized secure sequencing among distrusted participants. However, the cost is too high in choosing random numbers and transmitting messages. In the case of parties with adversaries, it needs to choose polynomials and random numbers. What is more, the transmitted messages are up to every round.

This paper applies the fast symmetric homomorphic encryption to replace the cumbersome secret sharing based on polynomial. It no longer needs to choose so many polynomials and random numbers. Relevant complexities in computation and communication also have a great improvement. Our result is not only much simpler but also more efficient. In brief, our contributions can be summarized as follows.(1)We first introduce symmetric homomorphic encryption to solve the privacy-preserving sequencing problem in secure multiparty computation, which brings less communications and random numbers than the method of secret sharing based on polynomial.(2)Our protocol is appropriate for the insecure channel which allows external attackers to eavesdrop and can resist at most adversaries’ corruption supposing that any two neighbor parties do not conspire.(3)We propose a protocol for the general privacy-preserving sequencing problem, which is suitable for multiple parties to securely determine the order of a given set rather than just two parties such as the simplest sequencing problem-Millionaire’s problem, or a special application such as the traveling-salesman problem.

*Organization*. The rest of this paper is organized as follows. In Section 2, we briefly give some related preliminaries. In Section 3, we present the new efficient secure multiparty computation protocol for privacy-preserving sequencing problem over insecure channel. In Section 4, we analyze the proposed protocol in detail including its correctness and privacy. Furthermore, we show the advantages of our protocol in the two aspects of transmitted messages and random numbers. Finally, we summarize our work of this paper in the last section.

#### 2. Preliminaries

##### 2.1. Secure Multiparty Computation

Secure multiparty computation is dedicated to dealing with the problem of privacy-preserving cooperative computation among distrusted participants. It was first introduced by Yao in 1982 [1] by putting forward the famous Millionaire’s problem. Afterwards, SMC has become a research focus in the international cryptographic community, and a mass of research results have been published one after the other [2–12].

Generally speaking, SMC is a method to implement cooperative computation with all participants’ private data, ensuring the correctness of the computation as well as not disclosing additional information except the necessary results. Assume that there are participants . Each has a secret, respectively, . They want to compute the value of a public function on variables at the point , that is, . An SMC protocol is dubbed secure if no participant can learn more from the description of the public function and the result of the global calculation than what he can learn from his own information.

##### 2.2. Homomorphic Encryption

In this subsection, we introduce a basic tool to design our protocol, the symmetric homomorphic encryption scheme. Allowing for security, the participants usually would not like to directly transmit their original data over insecure channel while interacting with others. They expect that other parties can perform necessary computations on the encrypted version of the data. In this way, they can encrypt their own private information and then transmit it to others without exposing the real data and finally decrypt the information sent back by others to get the target result when completing cooperative computation. To meet this demand, Rivest et al. proposed homomorphic encryption in 1978 [15]. His work sparked the research in this field. A lot of articles have been proposed and widely used in many applications since then. However, the most common homomorphic encryption schemes are mainly asymmetric, for example, ELGamal homomorphic encryption scheme and Paillier’ homomorphic encryption scheme.

Although symmetric homomorphic encryption has not been used in PPSP, it is really a promising method for secure multiparty computation while dealing with the problem of privacy-preserving sequencing. The symmetry will bring high efficiency to our solution since symmetric encryption possesses the advantage of being really fast and can be used as often as possible. As illustrated in [16], a block cipher like AES is typically 100 times faster than RSA encryption and 2000 times than RSA decryption, with about 60?MB per second on a modest platform. Stream ciphers are even faster, some of them being able to encrypt/decrypt 100?MB per second or more. Therefore, asymmetric homomorphic encryptions are bound to much slower than the symmetric ones. In this paper, we will employ the superior symmetric homomorphic encryption schemes to construct our protocol.

Generally, an encryption scheme is said to be homomorphic if for any given encryption key , the encryption function satisfies the following condition: where denotes the set of the plaintexts (ciphertexts), and and are the operators in and .

We say that a scheme is additively homomorphic if we consider addition operators, and it is multiplicatively homomorphic if we consider multiplication operators. Usually, multiplicative homomorphic encryption functions are more efficient than additive homomorphic encryption functions.

Herein, we will use the random symmetric homomorphic encryption function in this paper, which satisfies the following property: where is a random function and is the set of rational numbers.

It is easy to deduce that for all , ,

##### 2.3. Privacy-Preserving Sequencing Problem

###### 2.3.1. The Original Problem

Privacy-preserving sequencing problem is in fact the more universal description of the generalized secret number comparison. To be more specific, there are distrusted participants . Each of them has a private number, respectively, . The problem is that they hope to rank the -array without leaking any information about . It requires that after executing cooperative computation, know the size relations of but no more other information. Formally, we can represent the whole problem as shown in Algorithm 1.

###### 2.3.2. Equivalent Transformation of the Original Problem

In this paper, we make use of a useful theorem in the progressing procedure following reference [14] so that we can reduce the initial sequencing problem about the -array to the new -array , which has the same sequence as and is called as the pseudoarray of . Then can obtain the sequence of by directly comparing the pseudoarrays in public. Along with the equivalent transformation of the problem, the aim of secure multiparty computation needs a corresponding change. It no longer has to consider how to deal with the real data but only needs to securely get the pseudodata . And then the subsequent work is just a piece of cake.

Theorem 1. *Arrays and have the same sequence, where , , , .*

*Proof. *Given for all
Then,
Let
Then, . As we know that , , . Therefore, . That means, for all , , and , have the same sequence. Obviously, and have the same sequence.

#### 3. Proposed Protocol

In this section, we present our protocol. The simplified version of the protocol is briefly illustrated in Figure 1, and the details can be described as follows.

*Initialization*. Assume that there are participants , each owning a secret number and a random symmetric homomorphic encryption function .

*Computation*(1) chooses a random number , , and computes and locally. For , , , sends to .(2)After receiving , computes , , , . And then, transmits to , , , . For , transfers to , .(3) computes and sends to ; For , computes and sends to .(4) computes , and broadcasts to obtain the sequence of the -array by comparing the size of the pseudoarray .

#### 4. Analysis

In this section, we have an analysis of the proposed protocol in the aspects of security and efficiency. To guarantee that it is a secure multiparty computation protocol, we have to prove that it satisfies correctness and privacy requirements at first.

##### 4.1. Correctness

Assume that the attacker is passive. Then, all participants (including all attackers and honest participants) correctly follow the protocol. Therefore, we only need to examine whether the protocol will give the correct sequence for the array . From the proof of Theorem 1, we know that the array have the same sequence with the pseudoarray . Thus, the proposed protocol can correctly achieve the aim of sequencing the array by comparing the pseudoarrays secretly. Hence, the protocol satisfies correctness.

##### 4.2. Privacy

According to the definition of privacy in multiparty computation protocols in [17], the protocol is private if the protocol satisfies the following conditions.(a)The information string viewed by each participant and a random string with the same length have the same probability distribution. That is, the information string and the random string are indistinguishable. (b)Arbitrary participants cannot jointly obtain any information about the input of any other participant.

In fact, in the proposed protocol, the viewed information strings of are , and in the first step; , , , , , in the second step; , , specially, for , the viewed information string in this step is for ; finally, in the last step, the viewed string is for . All the strings are generated by the random symmetric homomorphic encryption function . Therefore, the strings viewed by and a random string with the same length have the same probability distribution, and (a) is satisfied.

Moreover, our protocol also satisfies that arbitrary participants cannot jointly obtain any information about the input of any other participant under the assumption that any two neighbor parties never conspire. Since we have to compute for by collecting , , it is obvious that it is insecure if and collude. It is reasonable to suppose that no neighbors collude because the two adversaries are not exactly adjacent since they cannot control the order of the parties when executing the protocol. In addition, if an adversary wants to get more information from , he must corrupt with at least parties since there are unknown coefficients as well as breaking the encryption scheme .

What is more, in our protocol, all information strings are transmitted in the encrypted forms. The private information and are secret as long as the encryption function is robust. In other words, it is secure even over the insecure channel, which is better than the previous protocol based on polynomial for the sequencing problem.

In short, our protocol is correct and private.

##### 4.3. Efficiency

Our protocol is efficient as well as secure. It operates better than the previous one because it is independent of the secret sharing scheme based on complex polynomial. We can make a concrete comparison between the proposed protocol and the previous one on the numbers of random numbers and transmitted messages as in Table 1.

From Table 1, we can easily find that in Tang’ protocol [14], it needs to choose polynomials for , polynomials for , and polynomials for , that is, totally random numbers as well as polynomials; it also needs to transmit from to , , , , from to , , ; thus, messages are needed to be transmitted totally.

In our protocol, it only needs to choose random numbers in the whole procedure. And the messages that need to be transmitted are, respectively, , , , , , , , , and , , and , , totally messages. It is much simpler and more appropriate for the clients who expect easier products in practice.

If there are adversaries (the upper bound of the adversaries in Tang’ protocol [14]), the advantages of our protocol are more obvious as shown in Table 2.

#### 5. Conclusion

It is always a difficult problem in the cryptographic field to construct a secure multiparty computation protocol for the privacy-preserving sequencing problem. In the present study, we have successfully designed an efficient secure multiparty computation protocol for sequencing problem over insecure channel based on symmetric homomorphic encryption, which is of great importance to the theory on this topic and of significant value in practice for its high efficiency.

#### Acknowledgments

This work is supported by NSFC (Grant nos. 61170270, 61100203, 60903152, 61003286, and 61121061) and the Fundamental Research Funds for the Central Universities (Grant nos. BUPT2011YB01, BUPT2011RC0505, 2011PTB-00-29, 2011RCZJ15, and 2012RC0612).

#### References

- A. C. Yao, “Protocols for secure computations,” in
*Proceedings of the 23rd Annual IEEE Symposium on Foundations of Computer Science*, pp. 160–164, Chicago, Ill, USA, 1982. View at MathSciNet - Y. Lindell and B. Pinkas, “A proof of security of Yao's protocol for two-party computation,”
*Journal of Cryptology*, vol. 22, no. 2, pp. 161–188, 2009. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - O. S. Goldreich, S. Mical, and A. Wigderson, “How to play any mental game,” in
*Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC ’87)*, pp. 218–229, ACM, New York, NY, USA, 1987. - R. Fagin, M. Naor, and P. Winkler, “Comparing information without leaking it,”
*Communications of the ACM*, vol. 39, no. 5, pp. 77–85, 1996. View at Google Scholar · View at Scopus - B. Schoenmakers and P. Tuyls, “Practical two-party computation based on the conditional gate,” in
*Advances in Cryptology: ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security*, pp. 119–136, Springer, Jeju Island, Korea, 2004. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - I. F. Blake and V. Kolesnikov, “Strong conditional oblivious transfer and computing on intervals,” in
*Advances in Cryptology: ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security*, pp. 515–529, Springer, Jeju Island, Korea, 2004. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - Y. L. Luo,
*Some key issues in secure multi-party computation and their applied research [Ph.D. dissertation]*, University of Science and Technology of China, 2005 (Chinese). - M. Fischlin, “A cost-effective pay-per-multiplication comparison method for millionaires,” in
*Topics in Cryptology: CT-RSA 2001, The Cryptographers’ Track at RSA Conference 2001*, pp. 457–471, Springer, San Francisco, Calif, USA, 2001. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - C. Cachin, “Efficient private bidding and auctions with an oblivious third party,” in
*Proceedings of the 1999 6th ACM Conference on Computer and Communications Security*, pp. 120–127, ACM, New York, NY, USA, November 1999. View at Scopus - J. Qin, Z.-F. Zhang, D.-G. Feng, and B. Li, “Protocol of comparing information without leaking,”
*Journal of Software*, vol. 15, no. 3, pp. 421–427, 2004. View at Google Scholar · View at Scopus - H. Y. Lin and W. G. Tzeng, “An efficient solution to the millionaires problem based on homomorphic encryption,” ASIACRYPT 2005, http://eprint.iacr.org/2005/043.
- I. Ioannidis and A. Grama, “An efficient protocol for Yao’s Millionaires’ problem,” in
*Proceedings of the 36th Hawaii International Conference on System Sciences*, Maui, Hawaii, USA, 2003, Track 7. - M. Held and R. M. Karp, “A dynamic programming approach to sequencing problems,”
*Journal of the Society for Industrial and Applied Mathematics*, vol. 10, pp. 196–210, 1962. View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - C. Tang, G. Shi, and Z. Yao, “Secure multi-party computation protocol for sequencing problem,”
*Science China. Information Sciences*, vol. 54, no. 8, pp. 1654–1662, 2011. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - R. L. Rivest, L. Adleman, and M. L. Dertouzos, “On data banks and privacy homomorphisms,” in
*Foundations of Secure Computation*, pp. 169–179, Academic Press, 1978. View at Google Scholar · View at MathSciNet - C. Fontaine and F. Galand, “A survey of homomorphic encryption for nonspecialists,”
*Eurasip Journal on Information Security*, vol. 2007, Article ID 13801, 2007. View at Publisher · View at Google Scholar · View at Scopus - M. Ben-Or, S. Goldwasser, and A. Wigderson, “Completeness theorems for non-cryptographic fault-tolerant distributed computation,” in
*Proceedings of the 20th Annual ACM symposium on Theory of Computing (STOC '88)*, pp. 1–11, 1988.