Enhanced Secure Comparison Schemes Using Homomorphic Encryption

Abstract

Comparing two integers under the encrypted form is useful for privacy-preserving data mining, secure auction, and so on. Based on the ring-learning with errors (ring-LWE) assumption, Saha and Koshiba proposed a practical approach—SK17—in [NBiS2017], established under the 3-party computation model where two clients (one of them has a decryption key) compare their data via an outsource cloud server without revealing their data. In this study, we propose three enhanced schemes from SK17 to improve efficiency, security, and flexibility. We implement the first protocol to show its efficiency using the ring-LWE-based homomorphic encryption scheme proposed by Lauter et al., while providing security analysis and practicality evaluation in the theory for the other two protocols.

Appendix: How to Obtain \(a-b\) From c in Eq. (3)?

For two \(\ell \)-bit integers, a and b, their binary vectors are \(A = (a_0, a_1, ... , a_{\ell -1})\) and \(B = (b_0, b_1, ... , b_{\ell -1})\), respectively. \(a-b\) can be obtained using \(c_i = v_i + w_i\) in Eq. (3), where \(w_i= \sum _{j=1}^{i-1}|a_j-b_j|\) (with initialized \(w_0=0\)) denotes how many bits are different before the i-th bit; and \(v_i=a_i -b_i + 1 \in \{0, 1, 2\}\) is regarding the difference of the i-th bits of A and B. In detail,

(18)

Therefore, it is easy to evaluate that \(a=b\) iff \(c = \mathbf{1}_{\ell } = (1, 1, ... , 1)\), because, in this case, \(w_i=0\) and \(v_i = 1\), for all \(i= 0, 1, ... , \ell -1\).

When \(a \ne b\), w.l.o.g., we assume that \(a_i, b_i\) are the first different bits, then \(c_0 = c_1 =... = c_{i-1} = 1\). Now, we show how to obtain \(a-b\) using \(c_i, ..., c_{\ell -1}\).

First, because \(a_i, b_i \in \{0, 1\}\) and \(a_i\ne b_i\), then \(c_i = 0\) or 2. When

(19)

Second, consider the \((i+1)\)-th bits of a and b. Because \(c_{i+1}=w_{i+1} + v_{i+1}=1+ v_{i+1}\), so \(c_{i+1} \in \{1,2,3\}\). According to Eq. (18), if

(20)

Using Eqs. (19) and (20), the k-th bit differences \(d_{k} = a_{k}-b_{k}\) (for \(k=i, ..., \ell -1\)) are computed, where \(w_{k}\) are obtained at the before step. Finally, we obtain

$$\begin{aligned} a-b = \sum _{k=i}^{\ell -1}d_k\times 2^{\ell -1-k}. \end{aligned}$$