Yao's Millionaires' problem explained

Yao's Millionaires' problem is a secure multi-party computation problem introduced in 1982 by computer scientist and computational theorist Andrew Yao. The problem discusses two millionaires, Alice and Bob, who are interested in knowing which of them is richer without revealing their actual wealth.

This problem is analogous to a more general problem where there are two numbers

and

and the goal is to determine whether the inequality

a\geqb

is true or false without revealing the actual values of

and

The Millionaires' problem is an important problem in cryptography, the solution of which is used in e-commerce and data mining. Commercial applications sometimes have to compare numbers that are confidential and whose security is important.

Many solutions have been introduced for the problem, including physical solutions based on cards.^[1] The first solution, presented by Yao, is exponential in time and space.^[2]

Protocols and proof

The protocol of Hsiao-Ying Lin and Wen-Guey Tzeng

Let

s=s_ns_n-1\ldotss₁\in\{0,1\}ⁿ

be a binary string of length n.

Denote 0-encoding of s as

	0
S
	s

=\{s_ns_n-1\ldotss_i+11\mids_i=0;1\leqi\leqn\}

and 1-encoding of s as

	1
S
	s

=\{s_ns_n-1\ldotss_i\mids_i=1;1\leqi\leqn\}.

Then, the protocol^[3] is based on the following claim:

Assume that a and b are binary strings of length n bits.

Then

a>b

if the sets

	1
S
	a

and

	0
S
	b

have a common element (where a and b are the binary encodings of the corresponding integers).

The protocol leverages this idea into a practical solution to Yao's Millionaires' problem by performing a private set intersection between

	1
S
	a

and

	0
S
	b

The protocol of Ioannidis and Ananth

The protocol^[4] uses a variant of oblivious transfer, called 1-2 oblivious transfer. In that transfer one bit is transferred in the following way: a sender has two bits

S₀

and

S₁

. The receiver chooses

i\in\{0,1\}

, and the sender sends

S_i

with the oblivious transfer protocol such that

the receiver doesn't get any information about

S_(1-i)

the value of

is not exposed to the sender.

To describe the protocol, Alice's number is indicated as

, Bob's number as

, and it is assumed that the length of their binary representation is less than

for some

d\inN

. The protocol takes the following steps.

Alice creates a matrix

of size

d x 2

-bit numbers, where

is the length of the key in the oblivious transfer protocol. In addition, she chooses two random numbers

and

, where

0\lequ<2k

and

v\leqk

K_ijl

will be the

-th bit of the number that appears in cell

K_ij

(where

l=0

indicates the least significant bit). In addition,

a_i

is denoted as the

-th bit of Alice's number

. For every

1\leqi\leqd

Alice does the following actions.

1. For every bit

j\geqv

she sets

K_i1j

and

K_i2j

to random bits.

1. If

a_i=1

, let

l=1

, otherwise let

l=2

and for every

j, 0\leqj\leq2 ⋅ i-1

set

K_ilj

to a random bit.

1. For

m=2 ⋅ i

set

K_il(m+1)=1

and

K_ilm

a_i

1. For every

i,1\leqi<d

S_i

will be a random

-bit number, and

S_d

will be another number of

bits where all bits except the last two are random, and the last two are calculated as

S_d(k-1)=1 ⊕

	d-1
oplus
	j=1

S_j(k-1) ⊕

	d
oplus
	j=1

K_j1(k-1)

and

S_d(k-2)=1 ⊕

	d-1
oplus
	j=1

S_j(k-2) ⊕

	d
oplus
	j=1

K_j1(k-2)

, where

oplus

is the bitwise XOR operation.

1. For

l=1,2

set

K'_ij=\operatorname{rot}(K_il ⊕ S_i,u)

. Where

\operatorname{rot}(x,t)

indicates the bitwise rotation of

to the left by

bits.

For every

0\leqi\leqd

Bob transfers

K'_il

with the oblivious transfer protocol, where

l=b_i+1

, and

b_i

is the

-th bit of

Alice sends to Bob

	d
\operatorname{rot}\left(oplus
	j=1

S_j,u\right)

Bob calculates the bitwise XOR of all the numbers he got in step 3 and

from step 4. Bob scans the result from left to right until he finds a large sequence of zero bits. Let

be the bit to the right of that sequence (

is non zero). If the bit to the right of

equals 1, then

a\geqb

, otherwise

a<b

Proof

Correctness

Bob calculates the final result from

N ⊕

	d
oplus
	i=1

K'
	i(b_i+1)

	d
\operatorname{rot}\left(oplus
	i=1

K
	i(b_i+1)

,u\right)

, and the result depends on

	d
oplus
	i=1

K
	i(b_i+1)

.K, and therefore c as well, can be split into 3 parts. The left part doesn't affect the result. The right part has all the important information, and in the middle is a sequence of zeros that separates those two parts. The length of each partition of c is linked to the security scheme.

For every i, only one of

K_i1,K_i2

has non-zero right part, and it is

K_i1

a_i=1

, and

K_i2

otherwise. In addition, if

i>j

, and

K_il

has a non-zero right part, then

K_il ⊕ K_jl

has also a non-zero right part, and the two leftmost bits of this right part will be the same as the one of

A_il

. As a result, the right part of c is a function of the entries Bob transferred correspond to the unique bits in a and b, and the only bits in the right part in c that are not random are the two leftmost, exactly the bits that determines the result of

a_i>b_i

, where i is the highest-order bit in which a and b differ. In the end, if

a_i>b_i

, then those two leftmost bits will be 11, and Bob will answer that

a\geqb

. If the bits are 10, then

a_i<b_i

, and he will answer

a<b

. If

a=b

, then there will be no right part in c, and in this case the two leftmost bits in c will be 11, and will indicate the result.

Security

The information Bob sends to Alice is secure because it is sent through oblivious transfer, which is secure.

Bob gets 3 numbers from Alice:

\operatorname{rol}(K
	i(1+b_i)

⊕ S_i,u)

. For every

Bob receives one such number, and

S_i

is random, so no secure information is transformed.

N. This is an XOR of random numbers, and therefore reveals no information. The relevant information is revealed only after calculating c.
c. The same goes for c. The left part of c is random, and the right part is random as well, except for the two leftmost bits. Deducing any information from those bits requires guessing some other values, and the chance of guessing them correct is very low.

Complexity

The complexity of the protocol is

O(d²⁾

. Alice constructs d-length number for each bit of a, and Bob calculates XOR d times of d-length numbers. The complexity of those operations is

O(d²⁾

. The communication part takes also

O(d²⁾

. Therefore, the complexity of the protocol is

O(d^2).

Notes and References

Miyahara . Daiki . Hayashi . Yu-ichi . Mizuki . Takaaki . Sone . Hideaki . 2020 . Practical card-based implementations of Yao's millionaire protocol . Theoretical Computer Science . en . 803 . 207–221 . 10.1016/j.tcs.2019.11.005. free .
Yao . Andrew C. . Protocols for secure computations . 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982) . November 1982 . 1 . 160–164 . 10.1109/SFCS.1982.88.
Book: Lin . Hsiao-Ying . Tzeng . Wen-Guey . Applied Cryptography and Network Security . An Efficient Solution to the Millionaires' Problem Based on Homomorphic Encryption . 2005-06-07 . 3531 . Lecture Notes in Computer Science . en . 456–466 . 10.1007/11496137_31 . 978-3-540-26223-7 . 10.1.1.75.4917.
Book: Ioannidis . I. . Grama . A. . 2003 . An efficient protocol for Yao's millionaires' problem. 36th Annual Hawaii International Conference on System Sciences, 2003. Proceedings of the. 6 pp . en-US . IEEE . 10.1109/hicss.2003.1174464 . 978-0769518749 . 10.1.1.110.8816. 6907526 .

Yao's Millionaires' problem explained

Protocols and proof

The protocol of Hsiao-Ying Lin and Wen-Guey Tzeng

The protocol of Ioannidis and Ananth

Proof

Correctness

Security

Complexity

See also

Notes and References