Oblivious Comparator and its application to Auction Hiroaki Kikuchi Tokai University - Japan


English Auction

[Diagram: Bidder A, Bidder B and Bidder C call bids of $30, $40, $50, $60 to the Auctioneer]

Sealed-bid Auction

[Diagram: Bidder A, Bidder B and Bidder C submit $70, $20 and $50 to the Auctioneer; annotations "A is $70", "B is $20"]

Issue: Trust in Auctioneer

[Diagram: Bidder A, Bidder B, Bidder C; bids $70, $20]

Approach: Oblivious Comparator

[Diagram: Bidder A, Bidder B, Bidder C; bids $70, $20, $30; "Winner ???", "Who wins?"]

Contents

  • Introduction for issues in auction and outline of an oblivious comparator
  • Secure Function Evaluation
  • Model, Building blocks and security
  • Completeness
  • Auction Protocol
  • Performance
  • Conclusion

Secure Function Evaluation

[Diagram: parties A, B, C send inputs a, b, c to CMP, which outputs y = ƒ(a, b, c)]

Target:
  a+b+c
  max(a,b,c)
  highest(A,B,C)

Model

[Diagram: parties A, B, C send E[a], E[b], E[c] to CMP, which holds state S_i]

E[y] = E[ƒ(a, b, c)]
S_(i+1) = T[E[y]]

The Idea

Logic Circuit with Ciphertext
1. Homomorphic Encryption over GF(2)
2. Logical Operations (AND, NOT)
3. Reed-Muller Expansion
4. State Machine “comparator”

1. Homomorphic Encryption

Public-key Encryption E[x]
Homomorphism over GF(2)
  a, b in {m0, m1}
  E[a] x E[b] = E[a ⊕ b]
Indistinguishability
  » Given E[m0] and E[m1], hard to figure E[m0]
Distributed Threshold Encryption
  » Key-generation, decryption (t-out-of-n)
Verifiable encryption

Homomorphism over GF(2)

[Diagram: encryption E maps a, b to E[a], E[b] and a⊕b to E[a⊕b]; ⊕ on plaintexts corresponds to x on ciphertexts]

Example: ElGamal encryption

Key Generation
  p = 2q + 1, g in G of order q
  public key: y = g^x, secret key: x
  encryption: E[m] = (m·y^r, g^r)
  decryption: m = (m·y^r)/(g^r)^x

Plain messages
  m in {1, -1}
  1 = false (0), -1 = true (1)

EXOR Homomorphism

E[a] = (a·y^r, g^r)
E[b] = (b·y^s, g^s)
E[a] x E[b] = (ab·y^(r+s), g^(r+s)) = E[ab]

1-bit EXOR
  E[1] x E[1] = E[1]       0 ⊕ 0 = 0
  E[1] x E[-1] = E[-1]     0 ⊕ 1 = 1
  E[-1] x E[1] = E[-1]     1 ⊕ 0 = 1
  E[-1] x E[-1] = E[1]     1 ⊕ 1 = 0

2. Logical Operations

Objective
Given a ciphertext E[a] (unknown a), player B with a plaintext b wishes to compute
  » Negation E[~a]
  » Conjunction E[ab]
  » Disjunction E[a∨b]
without revealing his secret b.

2. Logical Operations

Lemma 3.1 (Negation)
  E[~a] = E[a] x E[m1] = E[a ⊕ -1]

Lemma 3.2 (Conjunction)
  E[ab] = E[a] x E[m0]   if b = 1
  E[ab] = E[m0]          if b = 0

Similarly, E[a1a2b] and E[ab] are computed.

2. Logical Operations

Verifiability
Attack: (violating definition)
  » E.g. sending E[random] as E[ab], or E[a] when b = 0.

[Garbled equation: a proof of knowledge PK over g, G, y, M and m with subscripts a, b, ab and 0; its terms are not recoverable]

3. Reed-Muller Expansion

Lemma 2.3
Arbitrary n-variable boolean function ƒ(x1,x2,x3) is represented as

  ƒ = a0 ⊕ a1x1 ⊕ a2x2 ⊕ a3x3
      ⊕ a4x1x2 ⊕ a5x1x3 ⊕ a6x2x3
      ⊕ a7x1x2x3

where ai in {0,1} (Boolean)

3. Reed-Muller Expansion

Lemma 2.1
  x ∨ y = x ⊕ y ⊕ xy

Majority function
  ƒ(x,y,z) = xy ∨ xz ∨ yz
           = xy ∨ (xz ⊕ yz ⊕ xzyz)
           = xy ⊕ xz ⊕ yz ⊕ xyz

  x  y  x⊕y  xy (AND)  x∨y
  0  0   0      0       0
  0  1   1      0       1
  1  0   1      0       1
  1  1   0      1       1

4. State Machine

Oblivious Computer C
Set of states Si = {s1,…,sL}
  » L = 2^i, S0 = ∅
State transition function T
  » Si = T(S_(i-1), Ai)
  » Ai: Sequence of ciphertexts
Decoding function D
  » Y = D[Sn]

[Diagram: C and player Pi with input bi; Si, Ai → T(Si, Ai) → S_(i+1)]

E.g. Majority Function

PA (input a), starting from S0:
  A1 = {E[a]}
  T(S0, A1) = S0 ∪ A1
  S1 = {∅, E[a]}
PB (input b), given S1:
  A2 = {E[b], E[ab]}
  S2 = S1 ∪ A2
PC (input c), given S2:
  A3 = {E[ac], E[bc], E[abc]}
  S3 = S2 ∪ A3

Majority Function

Final State
  S3 = {E[a], E[b], E[c], E[ab], E[ac], E[bc], E[abc]}

Decoding function: D
  D(S3) = E[ab] x E[ac] x E[bc] x E[abc]
        = E[ab ⊕ ac ⊕ bc ⊕ abc]
        = E[ab ∨ ac ∨ bc]

Oblivious Comparator (Auction)

K-bit Input
  A: a = (a2, a1, a0)
  B: b = (b2, b1, b0)
Output
  Winning price
    c = max(a,b) = a if a > b
                   b if a < b
  Winner
    w = A if a > b
        B if a < b

Oblivious Comparator

Flags
  = true if a>b
  = true if a<b
  = true if a b

A: a = (1 0 0)
B: b = (1 1 0)
c
0 0 0 1 0 1 1 1 0 1 1 0

= i-1 ai ~bi

= i-1 ~ai bi

= i i

= ~(a) (i ai i bi)

n-player Comparison

[Diagram: C; P1 with a1; P2 with a2]
  S1 = c
  S2 = max(c, a1)
  S3 = max(c, a2)
  Sn = max(c, an) = max(a1,..,an)

Size of S is independent from n

Efficiency

k-bit Comparator
  Internal state: 2k ciphertext, O(2k)
  rounds: once for each player, O(n)
Bidder
  communication: 2k minterms x ciphertexts, O(2k)
  Computation: 2k ciphertext E[m0], O(2k)

Conclusions

We have proposed a cryptographic protocol for secure function evaluation, i.e., functionally complete oblivious computer
  » Round complexity of n
  » Communication and Computation of O(2k)

Its application to Auction in which auctioneer is able to perform comparison for n bids and determine the winning price and the winner without knowledge of each bid.

Threshold Decryption

Key Generation
  Secret: ƒ(1), ƒ(2), ƒ(3)
  Public key: y = g^ƒ(0) = g^(ƒ(1)1) g^(ƒ(2)2) g^(ƒ(3)3)

Decryption
  E[m] = (m·y^r, g^r)
  m = m·y^r / ((g^r)^(ƒ(1)1) (g^r)^(ƒ(1)1) (g^r)^(ƒ(1)1))
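
The EXOR homomorphism and the threshold decryption above, worked end to end as an added example (not code from the slides or their author). The toy group p = 2039, q = 1019, g = 4, the 2-out-of-3 polynomial sharing, the use of Lagrange coefficients at 0 to weight the shares, and all function names are assumptions made for the illustration.

```python
import secrets
from functools import reduce

# Toy group, constructed for illustration; real use needs a large safe prime.
Q = 1019                      # prime q
P = 2 * Q + 1                 # p = 2q + 1 = 2039, also prime
G = 4                         # 4 = 2^2 is a square mod p, so it has order q
ENC = {0: 1, 1: P - 1}        # slide encoding: 1 = false (0), -1 = true (1)
DEC = {m: bit for bit, m in ENC.items()}

def keygen(t=2, n=3):
    """Assumed t-out-of-n sharing: random degree-(t-1) polynomial f over Z_q."""
    coeffs = [1 + secrets.randbelow(Q - 1) for _ in range(t)]
    f = lambda i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
    shares = {i: f(i) for i in range(1, n + 1)}          # secrets f(1)..f(n)
    return shares, pow(G, coeffs[0], P)                  # public y = g^f(0)

def encrypt(y, bit):
    r = 1 + secrets.randbelow(Q - 1)
    return (ENC[bit] * pow(y, r, P) % P, pow(G, r, P))   # E[m] = (m*y^r, g^r)

def multiply(ca, cb):
    """E[a] x E[b] = E[a XOR b]: component-wise product, no key needed."""
    return (ca[0] * cb[0] % P, ca[1] * cb[1] % P)

def partial(share, c):
    """One key holder's contribution (g^r)^f(i); f(i) itself is never sent."""
    return pow(c[1], share, P)

def combine(c, partials):
    """m = m*y^r / prod_i ((g^r)^f(i))^lam_i, lam_i = Lagrange coefficient at 0."""
    denom = 1
    for i, d in partials.items():
        lam = 1
        for j in partials:
            if j != i:
                lam = lam * j * pow((j - i) % Q, -1, Q) % Q
        denom = denom * pow(d, lam, P) % P
    return DEC[c[0] * pow(denom, -1, P) % P]    # KeyError: too few/wrong shares

def xor_of_bits(bits, holders=(1, 3)):
    """Encrypt each bit, multiply the ciphertexts, threshold-decrypt the product."""
    shares, y = keygen()
    c = reduce(multiply, [encrypt(y, b) for b in bits])
    return combine(c, {i: partial(shares[i], c) for i in holders})
```

Any two of the three key holders recover the XOR of the encrypted bits; a single holder's contribution alone does not yield a valid plaintext.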

Performance

            bidders               auctioneers
            rounds   bandwidth    #    rounds   bandwidth
KHT98       1        O(2k)        m    1        O(2k)
Sako99      1        O(1)         m    mk/2     O(n)
MS99        k/2      O(1)         1    nk/2     O(1)
Proposed    1        O(2k)        1    n        O(2k)

First-Price