
Page 1: [IEEE 2010 Fourth Asia International Conference on Mathematical/Analytical Modelling and Computer Simulation - Kota Kinabalu, Malaysia (2010.05.26-2010.05.28)] 2010 Fourth Asia International

Protocols for Getting Maximum Value for Multi-Party Computations

Rashid Sheikh
Maharaja Ranjit Singh College of Professional Sciences, Indore, India

Durgesh Kumar Mishra
Acropolis Institute of Technology and Research, Indore, India

Abstract- In today’s distributed computing environment, multiple parties compute some function of their private inputs. In such a scenario, preserving the privacy of those inputs is a matter of great concern to each party. This subject has evolved as Secure Multiparty Computation (SMC). The protocols proposed in this paper allow multiple parties to get the maximum of their inputs without disclosing individual inputs to one another or even to any third party. We use a third party for computation that may not be trusted. The protocol uses a binary countdown approach. In one of the protocols, anonymizers are used to hide the identity of the party. The probabilistic analysis of the protocols is presented.

Keywords- Secure Multiparty Computation, Privacy, Security, Max_secure.

I. INTRODUCTION

This is the age of online transactions. Many organizations collaborate for their mutual benefit, but these organizations may not trust one another. A situation arises in which these parties want to compute some function of their private inputs without disclosing the actual inputs to each other. This branch of information security is called Secure Multi-Party Computation (SMC) [3, 4]. Researchers have devised many specific SMC problems, such as privacy-preserving data mining, privacy-preserving statistical analysis, privacy-preserving geometric computation, privacy-preserving intrusion detection, privacy-preserving cooperative scientific computation, privacy-preserving database query, etc.

Two models of SMC are used for the analysis of a particular SMC problem. In the ideal model, a Trusted Third Party (TTP) is used, which accepts the actual data from the parties. The TTP computes the common function and sends its value to the parties. This model is frequently used because it is easy to implement. The trustworthiness of the TTP is a crucial issue in this model, because when the TTP turns corrupt the whole notion of SMC becomes worthless. In the real model, the parties themselves agree on a protocol for computing the function such that the privacy of the individual inputs is preserved. A party could be honest, semi honest or malicious. An honest party follows the steps of the protocol and never tries to learn any information other than the result. A semi honest party follows the protocol but tries to learn other data. A malicious party neither follows the protocol nor respects the privacy of other parties. The solution to an SMC problem depends on the type of the SMC model and the behavior of the parties.

Many real-life applications of SMC have emerged, such as privacy-preserving social network analysis, privacy-preserving medical diagnosis systems, privacy-preserving voting systems, privacy-preserving private information retrieval, privacy-preserving auction management, privacy-preserving monitoring in sensor networks, etc.

In this paper we pose the problem as: how can multiple parties learn the maximum value of all the data inputs without disclosing their actual inputs to one another or even to a third party? The solution proposed in this paper uses a binary countdown approach.

II. BACKGROUND AND OUR PROPOSAL

The subject of SMC started in 1982 with Yao’s [1] millionaire’s problem, which he posed as: how can two millionaires know who is richer without revealing their actual wealth to one another or even to a third party? He proposed solutions using cryptographic techniques. Initially, researchers focused on theoretical studies and provided solutions using circuit evaluation protocols [2, 3]. As of now, three different types of solutions are available in the literature. One is cryptographic techniques using many building blocks like oblivious transfer, private matching, Yao’s solution, etc. [4]. Another is the randomization method, which uses random numbers to hide the actual data [5]. The third is the anonymization method, which allows hiding the identity of participating parties [6]. Novel secure sum protocols to get the sum of multiple data values without disclosing the individual values to one another are proposed in [7, 8, 9].

In this paper, we propose a protocol which allows multiple parties to know the greatest value without any party knowing another’s value. We use a binary countdown approach in which each participating party sends its MSB (Most Significant Bit) to a third party. Ultimately, the result is announced by the third party.

III. PROPOSED PROTOCOL: Max_secure

In this section, we discuss the architecture and the informal and formal descriptions of the protocol.

A. Proposed Architecture of Max_secure Protocol

In this protocol, multiple parties P1, P2, …, Pn are involved in learning the greatest value of their inputs x1, x2, …, xn. The parties send MSBs to the Third Party (TP). The TP then takes the logical OR of these bits and decides the greatest value. The result is announced by the TP.

2010 Fourth Asia International Conference on Mathematical/Analytical Modelling and Computer Simulation
978-0-7695-4062-7/10 $26.00 © 2010 IEEE
DOI 10.1109/AMS.2010.120

B. Informal Description of the Max_secure Protocol

The participating parties have their values stored in binary format. The number of bits in each value is kept equal. Each of the parties sends its first MSB to the TP. The TP takes the logical OR of the bits received. The result of the OR operation is announced by the TP. If the result of the OR operation is 0, the TP does nothing and waits for the next MSB. If the result of the OR operation is 1, all those parties who sent a 0 bit stop sending further bits to the TP; only the parties who sent a 1 bit continue sending bits. When all the bits of the last party have been sent, the TP announces that the algorithm has stopped. The parties collect the set of results of the OR operations to learn the greatest value. The winner will be known only to the TP. If the privacy of the winner is to be preserved, the TP will not reveal the identity of the winner.

Figure 1: Proposed architecture of Max_secure protocol.

C. Formal Description of the Max_secure Protocol

Assume P1, P2, …, Pn are the cooperating parties having private data x1, x2, …, xn respectively. Each party represents its data value as an m-bit binary number. When the protocol starts, each of the parties sends its MSB to the TP. The TP takes the logical OR of these bits and announces the result to all parties. When the result of this OR is a 0 bit, the TP waits for the next MSB from the parties, and all parties continue by sending the next MSB to the TP. If the result of the OR operation is a 1 bit, all those parties who sent 0 bits stop sending bits and simply listen to the result of the OR operation for all the remaining bits. Ultimately, the algorithm runs m times, and the result of each logical OR is accumulated by the TP with a left shift operation into some variable, say k. Finally the TP announces the result. The communication lines between the TP and the parties are assumed to be secure. The TP is also assumed to be semi honest: it follows the protocol but may try to learn some information other than the result. The greatest value is available in the variable k.

Algorithm: Max_secure

1. Assume P1, P2, …, Pn are the parties with inputs x1, x2, …, xn respectively.
2. Assume each of the inputs is represented by an m-bit binary number.
3. Assume k = 0. (Bits will be shifted into k to get the result.)
4. while (m > 0)
   begin
      Each party sends next MSB to the TP.
      The TP takes logical OR of the received bits.
      If result is 0, TP waits for the next MSB; all parties send next MSB to the TP.
      If result is 1, the parties which sent 0 bits stop sending bits, and the parties who sent a 1 bit continue sending the next MSB.
      m = m - 1.
      Shift left the result of OR into k.
   end
5. TP announces the result as k.
6. End of algorithm.

D. Performance Analysis of the Max_secure Protocol

The Max_secure protocol is designed for semi honest parties. The parties send bits only to the TP, so they are oblivious to each other’s data. Thus, the privacy of individual input data is preserved. The TP generally knows only a few bits of the data inputs, except for those of the winner. Thus, even if the TP wants to know the actual data inputs of the parties, it cannot do so. The identity of the maximum value holder is known to the TP. It is up to the TP, or the requirements of the actual application, whether to reveal the identity of the winner to other parties. If two or more parties are the winners, they also know about each other’s data.
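The following simulation is an added example, not code from the paper: it runs the Max_secure countdown and records exactly which bits a semi honest TP receives from each party, so the interval the TP can infer for every dropped party becomes visible. All function names and the sample inputs are assumptions constructed for illustration.

```python
# Added illustration of the Max_secure binary countdown (not the authors' code).
# All names and the sample inputs below are constructed for this example.

def to_bits(x, m):
    """Return x as a list of m bits, MSB first."""
    if not 0 <= x < (1 << m):
        raise ValueError(f"{x} does not fit in {m} bits")
    return [(x >> (m - 1 - i)) & 1 for i in range(m)]


def run_max_secure(inputs, m):
    """Simulate the protocol; return (k, announced_bits, tp_view).

    tp_view[i] holds every bit party i sent to the TP before it dropped out,
    i.e. exactly what a semi-honest TP can record about that party.
    """
    bits = [to_bits(x, m) for x in inputs]
    active = set(range(len(inputs)))
    tp_view = {i: [] for i in active}
    k, announced = 0, []
    for rnd in range(m):
        sent = {i: bits[i][rnd] for i in active}   # only active parties send
        for i, b in sent.items():
            tp_view[i].append(b)
        or_bit = int(any(sent.values()))            # TP takes the logical OR
        if or_bit:                                  # senders of 0 drop out
            active = {i for i, b in sent.items() if b}
        k = (k << 1) | or_bit                       # shift the OR result into k
        announced.append(or_bit)
    return k, announced, tp_view


def tp_inferred_range(sent_bits, m):
    """Interval [lo, hi] that the bits received by the TP pin a value into."""
    prefix = 0
    for b in sent_bits:
        prefix = (prefix << 1) | b
    unknown = m - len(sent_bits)                    # bits the TP never saw
    lo = prefix << unknown
    return lo, lo + (1 << unknown) - 1


if __name__ == "__main__":
    m = 4
    for inputs in ([9, 12, 6, 3], [1, 2]):          # constructed sample inputs
        k, announced, view = run_max_secure(inputs, m)
        print(f"inputs={inputs} -> k={k}, announced={announced}")
        for i, sent in view.items():
            lo, hi = tp_inferred_range(sent, m)
            print(f"  P{i + 1}: TP saw {sent}, infers value in [{lo}, {hi}]")
```

With inputs [1, 2] the shared leading zeros keep both parties sending, so the TP sees three of P1's four bits; how much the TP learns depends on the data, not only on who wins.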

IV. EXTENDED MAX_SECURE PROTOCOL

The Max_secure protocol has a flaw: the TP knows the identity of the party holding the maximum value. At the same time, the TP is also aware of the lower bound of the dropped parties. But what if the identity of the party is to be protected? We can extend the architecture of the protocol by incorporating anonymizers between the TP and the parties. The function of the anonymizer is to hide the identity of the parties [10]. These anonymizers can be hardware devices, software or a combination of both. Fig. 2 depicts the architecture of the Extended Max_secure protocol, where A1, A2, …, An are the anonymizers.

A. Informal Description of the Extended Max_secure Protocol

The parties send bits, starting from the MSB, to the anonymizers. The anonymizers send the bits to the TP. Anonymizers hide the identity of the party using some mechanism. The TP computes the logical OR of the bits received from all the parties and broadcasts this bit to all the parties. After examining this bit, the parties decide whether to remain in the computation process or to leave it. If the resulting bit is 0, the parties transmit the next MSB. If the resulting bit is 1, all those parties who sent 0 stop sending any bits. The parties who sent a 1 bit send their next MSB to the anonymizers. The process continues until all the bits of the data have been sent by the last party in the competition. In this scheme also, the TP uses a shift register into which the result of the logical OR is shifted. The number inside the shift register is the greatest of all the parties’ values.

Figure 2: Proposed architecture of Extended Max_secure protocol.

B. Formal Description of the Extended Max_secure Protocol

Algorithm: Extended Max_secure

1. Assume P1, P2, …, Pn are the parties with inputs x1, x2, …, xn respectively.
2. Assume each of the inputs is represented by an m-bit binary number.
3. Assume A1, A2, …, An are the anonymizers.
4. Assume k = 0. (Bits will be shifted into k to get the result.)
5. while (m > 0)
   begin
      Each party sends next MSB to the anonymizer.
      The anonymizer hides identity of the party and sends the bit to the TP.
      The TP takes logical OR of the received bits.
      If result is 0, TP waits for the next MSB; all parties send next MSB to the anonymizers.
      If result is 1, the parties which sent 0 bits stop sending bits, and the parties who sent a 1 bit continue sending the next MSB.
      m = m - 1.
      Shift left the result of OR into k.
   end
6. TP announces the result as k.
7. End of algorithm.

C. Performance Analysis of the Extended Max_secure Protocol

As the anonymizers hide the identity of the parties, the TP will not be aware of which party sent which bit pattern. Thus the lower bound and the maximum value holder’s identity are protected. But the trustworthiness of the anonymizers is important, because if an anonymizer goes semi honest, it can disclose the data of the party to others. The performance of the protocol can be evaluated by considering different cases:

Case 1: There are n parties, each having one anonymizer.

The probability of one anonymizer becoming malicious is:

$$P_1 = \frac{1}{n} \tag{1}$$

The probability of k anonymizers becoming malicious is:

$$P_k = \frac{k}{n}, \quad \text{where } k < n \tag{2}$$

The probability of selecting one such type of anonymizer is:

$$P_{1k} = \frac{k}{n^2} \tag{3}$$

Case 2: There are n parties and n independent anonymizers, where a party can select any one of the anonymizers.

The probability of one party being chosen from n anonymizers is 1/n, and the probability of one party becoming malicious is also 1/n. When we combine both, the probability of one party becoming malicious out of n independent anonymizers is:

$$P_{1n} = \frac{1}{n^2} \tag{4}$$

Therefore, the probability of k out of n anonymizers becoming malicious is:

$$P_{nk} = \frac{k}{n^2} \tag{5}$$

The probability of selecting one such anonymizer out of n anonymizers is:

$$P_{n1} = \frac{1}{n^3} \tag{6}$$

The probability of k anonymizers becoming malicious is:

$$P_{kn} = \frac{k}{n^3} \tag{7}$$

Case 3: There are n parties and m anonymizers, where any party can select any anonymizer randomly.

The probability of selecting one anonymizer is:

$$\frac{1}{m}$$

The probability of any anonymizer to be malicious is:

$$\frac{1}{m}$$

Therefore, the probability of any anonymizer to be malicious is:

$$\frac{1}{m^2}$$

Hence the probability of k anonymizers becoming malicious is:

$$\frac{k}{m^2}$$

The probability of selecting one anonymizer is:

$$\frac{k}{n m^2}$$

Figure 3 shows the probability of security breach for n parties with m randomly selected anonymizers against malicious anonymizers.

[Plot: x-axis "Number of Malicious Anonymizers (k)", 1 to 10; y-axis "Probability (PR)", 0 to 0.7; one curve each for m=1 through m=6.]

Fig. 3: Probability of security breach for n parties with m randomly selected anonymizer against malicious anonymizer.

V. CONCLUSION AND FUTURE SCOPE

The proposed protocols Max_secure and Extended Max_secure allow finding the greatest value among multiple data inputs of cooperating parties without any of the parties knowing the data of any other party. The Max_secure protocol uses a binary countdown approach in which each of the parties sends its MSB to the TP. The TP may not be trusted. The protocol is suitable for semi honest parties. The protocol provides privacy preservation for all the data inputs. The TP knows only a few bits of the data inputs, except for the greatest one. The identity of the maximum value holder remains with the TP only. It can be revealed by the TP depending on the particular application. In the Extended Max_secure protocol, the anonymizers hide the identity of the parties so as to make the protocol more secure. Efforts can be made to design the protocol for malicious parties. The model we used is the ideal model of SMC. The same can be designed for the real model of SMC.

REFERENCES

[1] A. C. Yao, “Protocol for Secure Computations,” in Proceedings of the 23rd Annual IEEE Symposium on Foundation of Computer Science, pages 160-164, Nov. 1982.

[2] O. Goldreich, S. Micali, and A. Wigderson, “How to Play Any Mental Game,” in STOC '87: Proceedings of the Nineteenth Annual ACM Conference on Theory of Computing. New York, NY, USA: ACM, pages 218-229, 1987.

[3] O. Goldreich, “Secure Multi-Party Computation (Working Draft),” available from http://www.wisdom.weizmann.ac.il/home/oded/public_html/foc.html, 1998.

[4] V. Oleshchuk and V. Zadorozhny, “Secure Multi-Party Computations and Privacy Preservation: Results and Open Problems,” Telektronikk: Telenor's Journal of Technology, Vol. 103, No. 2, 2007.

[5] C. Clifton, M. Kantarcioglu, J. Vaidya, X. Lin, and M. Y. Zhu, “Tools for Privacy-Preserving Distributed Data Mining,” J. SIGKDD Explorations, Newsletter, Vol. 4, No. 2, ACM Press, pages 28-34, Dec. 2002.

[6] D. K. Mishra and M. Chandwani, “Extended Protocol for Secure Multiparty Computation using Ambiguous Identity,” WSEAS Transaction on Computer Research, Vol. 2, Issue 2, Feb. 2007.

[7] R. Sheikh, B. Kumar, and D. K. Mishra, “Privacy-Preserving k-Secure Sum Protocol,” in International Journal of Computer Science and Information Security, Vol. 6, No. 2, pages 184-188, USA, Nov. 2009.

[8] R. Sheikh, B. Kumar, and D. K. Mishra, “A Distributed k-Secure Sum Protocol for Secure Multi-party Computation,” accepted in the Journal of Computing, Vol. 2, Issue 3, USA, March 2010.

[9] R. Sheikh, B. Kumar, and D. K. Mishra, “Changing Neighbors k-Secure Sum Protocol for Secure Multi-party Computation,” in International Journal of Computer Science and Information Security, Vol. 7, No. 1, pages 239-143, USA, Jan. 2010.

[10] D. K. Mishra and M. Chandwani, “Extended Protocol for Secure Multiparty Computation using Ambiguous Identity,” WSEAS Transaction on Computer Research, Vol. 2, Issue 2, Feb. 2007.