Protocols for Getting Maximum Value for Multi-Party Computations
Rashid Sheikh
Maharaja Ranjit Singh College of Professional Sciences, Indore, India
Durgesh Kumar Mishra
Acropolis Institute of Technology and Research, Indore, India
Abstract- In today’s distributed computing environment, multiple
parties compute some function of their private inputs. In such a
scenario, preserving the privacy of these inputs is a matter of
great concern, because each party is worried about the privacy of
its own input. This subject has evolved as Secure Multiparty
Computation (SMC). The protocols proposed in this paper allow
multiple parties to get the maximum of their inputs without
disclosing individual inputs to one another or even to any third
party. We use a third party for computation that may not be
trusted. The protocol uses a binary countdown approach. In one of
the protocols, anonymizers are used to hide the identity of the
party. The probabilistic analysis of the protocols is presented.
Keywords- Secure Multiparty Computation, Privacy, Security,
Max_secure.
I. INTRODUCTION
This is the age of online transactions. Many organizations
collaborate for their mutual benefit, but these organizations
may not trust one another. A situation arises when these parties
want to compute some function of their private inputs without
disclosing the actual inputs to each other. This branch of
information security is called Secure Multi-Party Computation
(SMC) [3, 4]. Researchers have devised many specific SMC problems
like privacy-preserving data mining, privacy-preserving
statistical analysis, privacy-preserving geometric computation,
privacy-preserving intrusion detection, privacy-preserving
cooperative scientific computation, privacy-preserving database
query, etc.
Two models for SMC are used for analysis of a particular SMC
problem. In the ideal model, a Trusted Third Party (TTP) is used
which accepts actual data from the parties. The TTP computes the
common function and sends its value to the parties. This model is
frequently used because it is easy to implement. The
trustworthiness of the TTP is a crucial issue in this model,
because when the TTP turns corrupt the whole notion of SMC becomes
worthless. In the real model, the parties themselves agree on a
protocol for computing the function such that the privacy of the
individual inputs is preserved. A party could be honest, semi
honest or malicious. An honest party follows the steps of the
protocol and never tries to learn any other information except the
result. A semi honest party follows the protocol but tries to know
other data. A malicious party neither follows the protocol nor
respects the privacy of other parties. The solution to an SMC
problem depends on the type of the SMC model and the behavior of
the parties.
Many real life applications of SMC have emerged, like
privacy-preserving social network analysis, privacy-preserving
medical diagnosis system, privacy-preserving voting system,
privacy-preserving private information retrieval,
privacy-preserving auction management, privacy-preserving
monitoring in sensor networks, etc.
In this paper we propose a problem as: how multiple
parties can learn the maximum value of all the data inputs
without the parties disclosing actual inputs to one another or
even to a third party. The solution proposed in this paper
uses a binary countdown approach.
II. BACKGROUND AND OUR PROPOSAL
The subject of SMC started in 1982 with Yao’s [1] millionaire’s
problem, which he posed as: how can two millionaires know who is
richer without revealing their actual wealth to one another or
even to a third party? He proposed solutions using cryptographic
techniques. Initially researchers focused on theoretical studies
and provided solutions using circuit evaluation protocols [2, 3].
As of now, three different types of solutions are available in the
literature. One is cryptographic techniques using many building
blocks like oblivious transfer, private matching, Yao’s solution,
etc. [4]. Another is the randomization method, which uses random
numbers to hide the actual data [5]. The third is the
anonymization method, which allows hiding the identity of
participating parties [6]. Novel secure sum protocols to get the
sum of multiple data values without disclosing the individual
values to one another are proposed in [7, 8, 9].
In this paper, we propose a protocol which allows multiple
parties to know the greatest value without any party knowing any
other party’s value. We use a binary countdown approach in which
each participating party sends its MSB (Most Significant Bit) to a
third party. Ultimately, the result is announced by the third
party.
III. PROPOSED PROTOCOL: Max_secure
In this section, we discuss the architecture, informal and
formal description of the protocol.
A. Proposed Architecture of Max_secure Protocol
In this protocol multiple parties P1, P2, …, Pn are involved
in knowing the greatest value of their inputs x1, x2, …, xn.
Parties send MSBs to the Third Party (TP). The TP then
takes logical OR of these bits and decides the greatest value.
The result is announced by the TP.
2010 Fourth Asia International Conference on Mathematical/Analytical Modelling and Computer Simulation
978-0-7695-4062-7/10 $26.00 © 2010 IEEE
DOI 10.1109/AMS.2010.120
B. Informal Description of the Max_secure Protocol
The participating parties have their values stored in binary
format. The number of bits in each value is kept equal. Each of
the parties sends its first MSB to the TP. The TP takes the
logical OR of the bits received. The result of the OR operation is
announced by the TP. If the result of the OR operation is zero,
the TP does nothing and waits for the next MSB. If the result of
the OR operation is a 1, all those parties who sent a 0 bit stop
sending further bits to the TP. This means that those parties who
sent a 1 bit continue sending bits. When all the bits of the last
party are sent, the TP announces that the algorithm has stopped.
The parties collect the set of the results of the OR operation to
learn the greatest value. The winner will be known only to the TP.
If the privacy of the winner is to be preserved, the TP will not
tell the identity of the winner.
Figure 1: Proposed architecture of Max_secure protocol.
C. Formal Description of the Max_secure Protocol
Assume P1, P2, …, Pn are the cooperating parties having
private data x1, x2, …, xn respectively. Each party represents
its data value as an m-bit binary number. When the protocol
starts, each of the parties sends its MSB to the TP. The TP
takes the logical OR of these bits. The TP announces the result to
all parties. When the result of this OR is a 0 bit, the TP
waits for the next MSB from the parties. All parties
continue sending the next MSB to the TP. If the result of the
OR operation is a 1 bit, all those parties who sent 0 bits stop
sending bits and simply listen to the result of the OR operation
for all the bits. Ultimately, the algorithm runs m times and
the result of the logical OR is accumulated by the TP with a left
shift operation into some variable, say k. Finally the TP
announces the result. The communication lines between the
TP and the parties are assumed to be secure. The TP is also
assumed to be semi honest. It follows the protocol but may
try to learn some information other than the result. The
greatest value is available in the variable k.
Algorithm: Max_secure
1. Assume P1, P2, …, Pn are the parties with inputs x1, x2, …, xn respectively.
2. Assume each of the inputs is represented by an m-bit binary number.
3. Assume k = 0. (Bits will be shifted into k to get the result.)
4. while (m > 0)
   begin
      Each party sends next MSB to the TP.
      The TP takes logical OR of the received bits.
      If result is 0, the TP waits for the next MSB; all parties send next MSB to the TP.
      If result is 1, the parties which sent 0 bits stop sending the bits and the parties who sent a 1 bit continue sending the next MSB.
      m = m – 1.
      Shift left the result of OR into k.
   end
5. TP announces the result as k.
6. End of algorithm.
D. Performance Analysis of the Max_secure Protocol
The protocol Max_secure is designed for the semi honest
parties. The parties send bits to the TP. So, they are
oblivious about each other's data. Thus, the privacy of
individual input data is preserved. The TP generally knows
only a few bits of the data inputs except that of the winner.
Thus, even if the TP wants to know the actual data inputs of
the parties, it cannot do so. The identity of the maximum
value holder is known to the TP. It is up to the TP or the
requirement of the actual application whether to show the
identity of the winner to other parties. If two or more parties
are the winners, they also know about each other’s data.
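The following simulation is an added example, not code from the paper: it runs the Max_secure rounds and records the bits the semi honest TP receives, so the interval of values the TP can infer for each dropped party (the lower bound discussed in Section IV) becomes explicit. The function names max_secure and tp_inference and the sample inputs are constructed for illustration.

```python
def max_secure(inputs, m):
    """Binary countdown over m-bit inputs.

    Returns (k, tp_view): k is the value the TP announces; tp_view maps each
    party index to the bits the TP received from it before it dropped out.
    """
    if m < 1 or any(not 0 <= x < (1 << m) for x in inputs):
        raise ValueError("every input must be a non-negative m-bit integer")
    active = set(range(len(inputs)))
    tp_view = {i: [] for i in active}
    k = 0
    for pos in range(m - 1, -1, -1):               # MSB first
        sent = {i: (inputs[i] >> pos) & 1 for i in active}
        for i, bit in sent.items():
            tp_view[i].append(bit)
        result = int(any(sent.values()))           # logical OR at the TP
        k = (k << 1) | result                      # shift the OR result into k
        if result == 1:                            # parties that sent 0 stop
            active = {i for i in active if sent[i] == 1}
    return k, tp_view


def tp_inference(tp_view, m):
    """Interval of values consistent with the bits the TP saw per party."""
    ranges = {}
    for i, bits in tp_view.items():
        prefix = 0
        for bit in bits:
            prefix = (prefix << 1) | bit
        unseen = m - len(bits)                     # bits never sent to the TP
        low = prefix << unseen
        ranges[i] = (low, low + (1 << unseen) - 1)
    return ranges


if __name__ == "__main__":
    sample = [9, 13, 6, 13]                        # constructed inputs, m = 4
    k, view = max_secure(sample, 4)
    print("announced maximum:", k)
    for party, (low, high) in sorted(tp_inference(view, 4).items()):
        print(f"P{party + 1}: bits seen {view[party]}, value in [{low}, {high}]")
```

With the constructed inputs 9, 13, 6, 13 the TP learns the two winners' value exactly and narrows P1 to [8, 11] and P3 to [0, 7].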
IV. EXTENDED MAX_SECURE PROTOCOL
The Max_secure protocol has a flaw that the TP knows the
identity of the maximum value holder party. At the same
time the TP is also aware of the lower bound of the dropped
parties. But what if the identity of the party is to be
protected? We can extend the architecture of the protocol by
incorporating anonymizers between TP and the parties. The
function of the anonymizer is to hide the identity of the
parties [10]. These anonymizers can be hardware devices,
software or a combination of both. Fig. 2 depicts the
architecture of the Extended Max_secure protocol where A1,
A2, …, An are the anonymizers.
A. Informal Description of the Extended Max_secure Protocol
The parties send bits starting from MSB to the
anonymizer. The anonymizers send the bits to the TP.
Anonymizers hide the identity of the party using some
mechanism. The TP computes logical OR of the bits
received from all the parties and broadcasts this bit to all the
parties. The parties after examining this bit decide whether
to remain in the computation process or to go out of the
process. If the resulting bit is 0, the parties will transmit the
next MSB. If the resulting bit is 1, all those parties who sent
0 stop sending any bits. The parties who sent 1 bit send their
next MSB to the anonymizers. The process continues until
all the bits of the data are sent by the last party in the
competition. In this scheme also the TP uses a shift register
in which the result of logical OR will be shifted. The
number inside the shift register is the greatest of all the
parties.
Figure 2: Proposed architecture of Extended Max_secure protocol.
B. Formal Description of the Extended Max_secure Protocol
Algorithm: Extended Max_secure
1. Assume P1, P2, …, Pn are the parties with inputs x1, x2, …, xn respectively.
2. Assume each of the inputs is represented by an m-bit binary number.
3. Assume A1, A2, …, An are the anonymizers.
4. Assume k = 0. (Bits will be shifted into k to get the result.)
5. while (m > 0)
   begin
      Each party sends next MSB to the anonymizer.
      The anonymizer hides identity of the party and sends the bit to the TP.
      The TP takes logical OR of the received bits.
      If result is 0, the TP waits for the next MSB; all parties send next MSB to the anonymizers.
      If result is 1, the parties which sent 0 bits stop sending the bits and the parties who sent a 1 bit continue sending the next MSB.
      m = m – 1.
      Shift left the result of OR into k.
   end
6. TP announces the result as k.
7. End of algorithm.
C. Performance Analysis of the Extended Max_secure Protocol
As the anonymizers hide the identity of the parties, the TP
will not be aware of which party sent which bit pattern.
Thus the lower bound and the maximum value holder’s
identity are preserved. But the trustworthiness of the
anonymizers is important because if the anonymizer goes
semi honest, it can disclose the data of the party to others.
The performance of the protocol can be evaluated by
considering different cases:
Case 1: There are n parties each having one anonymizer:
The probability of one anonymizer becoming malicious is:
$P_1 = 1/n$ (1)
The probability of k anonymizers becoming malicious is:
$P_k = k/n$, where $k < n$ (2)
The probability of selecting one such type of anonymizer
is:
$P_{1k} = k/n^2$ (3)
Case 2: There are n parties and n independent anonymizers
where a party can select any one of the anonymizers:
The probability of one party chosen from n anonymizers is
1/n and one party becoming malicious is also 1/n. When we
combine both, the probability of one party becoming
malicious out of n independent anonymizers is:
$P_{1n} = 1/n^2$ (4)
Therefore, the probability of k out of n anonymizers
becoming malicious is:
$P_{nk} = k/n^2$ (5)
The probability of selecting one such anonymizer out of n
anonymizers is:
$P_{n1} = 1/n^3$ (6)
The probability of k anonymizers becoming malicious is:
$P_{kn} = k/n^3$ (7)
Case 3: There are n parties and m anonymizers where any
party can select any anonymizer randomly.
The probability of selecting one anonymizer is:
$1/m$
The probability of any anonymizer to be malicious is:
$1/m$
Therefore, the probability of any anonymizer to be
malicious is:
$1/m^2$
Hence the probability of k anonymizers becoming
malicious is:
$k/m^2$
The probability of selecting one anonymizer is
$k/nm^2$
Figure 3 shows the probability of security breach for n
parties with m randomly selected anonymizer against
malicious anonymizer.
[Plot: Probability (PR), 0 to 0.7, versus Number of Malicious Anonymizers (k), 1 to 10; one curve for each of m=1, m=2, m=3, m=4, m=5, m=6.]
Fig. 3: Probability of security breach for n parties with m randomly
selected anonymizer against malicious anonymizer.
V. CONCLUSION AND FUTURE SCOPE
The proposed protocols Max_secure and Extended
Max_secure allow finding the greatest value among multiple
data inputs of cooperating parties without any of the parties
knowing about the data of any other party. The Max_secure
protocol uses a binary countdown approach in which each of
the parties sends its MSB to the TP. The TP may not be trusted.
The protocol is suitable for semi honest parties. The
protocol provides privacy preservation for all the data
inputs. The TP knows only a few bits of the data inputs except
the greatest data. The identity of the maximum value holder
remains with the TP only. It can be revealed by the TP
depending on a particular application. In the Extended
Max_secure protocol the anonymizers hide the identity of
the parties so as to make the protocol more secure. Efforts
can be made to design the protocol for malicious parties. The
model we used is the ideal model of SMC. The same can be
designed for the real model of SMC.
REFERENCES
[1] A.C.Yao, “Protocol for Secure Computations,” in proceedings of the
23rd annual IEEE symposium on foundation of computer science,
pages 160-164, Nov.1982.
[2] O. Goldreich, S. Micali, and A. Wigderson, "How to Play Any Mental
Game," in STOC '87: Proceedings of the nineteenth annual ACM
conference on Theory of computing. New York, NY, USA: ACM,
pages 218-229 1987.
[3] O. Goldreich, “Secure Multi-Party Computation (Working Draft),
Available from http: /www.wisdom.weizmann.ac.il/ home/oded/ public
html/ foc.html 1998.
[4] V. Oleshchuk, and V. Zadorozhny, “Secure Multi-Party Computations
and Privacy Preservation: Results and Open Problems,” Telektronikk:
Telenor's Journal of Technology, Vol. 103, No.2, 2007.
[5] C. Clifton, M. Kantarcioglu, J. Vaidya, X. Lin, and M. Y. Zhu, “Tools
for Privacy-Preserving Distributed Data Mining,” J. SIGKDD
Explorations, Newsletter, Vol.4, No.2, ACM Press, pages 28-34, Dec.
2002.
[6] D. K. Mishra, M. Chandwani, “Extended Protocol for Secure
Multiparty Computation using Ambiguous Identity,” WSEAS
Transaction on Computer Research, Vol. 2, issue 2, Feb. 2007.
[7] R. Sheikh, B. Kumar and D. K. Mishra, “Privacy-Preserving k-Secure
Sum Protocol,” in International Journal of Computer Science and
Information Security, Vol. 6 No.2, pages 184-188, USA, Nov. 2009.
[8] R. Sheikh, B. Kumar and D. K. Mishra, “A Distributed k-Secure Sum
Protocol for Secure Multi-party Computation,” Accepted in the
Journal of Computing, Vol.2 Issue3, USA, March 2010.
[9] R. Sheikh, B. Kumar and D. K. Mishra, “Changing Neighbors k-
Secure Sum Protocol for Secure Multi-party Computation,” in
International Journal of Computer Science and Information Security,
Vol. 7 No.1, pages 239-143, USA, Jan. 2010.
[10] D. K. Mishra, M. Chandwani, “Extended Protocol for Secure
Multiparty Computation using Ambiguous Identity,” WSEAS
Transaction on Computer Research, Vol. 2, issue 2, Feb. 2007.