
I'm currently reading about Yao's Millionaire Problem: http://research.cs.wisc.edu/areas/sec/yao1982-ocr.pdf

Alice and Bob want to know which of them is richer. Let $j \in \{1, \cdots, 10\}$ be Bob's fortune, and $i$ Alice's. They share a public-private key pair where $E_A$ is the encryption with Alice's public key and $D_A$ the corresponding decryption function.

Here is Yao's roadmap:

  1. Bob picks a random $N$-bit integer $x$, and computes privately the value of $E_A(x)$; call the result $k$.
  2. Bob sends Alice the number $k-j+ 1$.
  3. Alice computes privately the values of $y_u=D_A(k-j+u)$ for $u= 1,2, \cdots,10$.
  4. Alice generates a random prime $p$ of $N/2$ bits, and computes the values $z_u = y_u \bmod p$ for all $u$; if all $z_u$ differ by at least 2 in the $\bmod p$ sense, stop; otherwise generate another random prime and repeat the process until all $z_u$ differ by at least 2; let $p, z_u$ denote this final set of numbers.
  5. Alice sends the prime $p$ and the following 10 numbers to Bob: $z_1, z_2, \cdots, z_i$ followed by $z_{i+1}+1, z_{i+2}+1, \cdots, z_{10}+1$; the above numbers should be interpreted in the $\bmod p$ sense.
  6. Bob looks at the $j$-th number (not counting $p$ ) sent from Alice, and decides that $i \ge j$ if it is equal to $x \bmod p$, and $i < j$ otherwise.

I understand everything, but I'm at a loss at step 4. Why do the $z_u$ have to differ by at least 2? What can Bob deduce from Alice's list if that condition is not fulfilled?

Added 8.5.16: I found that Bruce Schneier mentions that protocol in "Applied Cryptography". He writes: "All the verification ... is to guarantee that no number appears twice in the sequence ... Otherwise, if $z_a = z_b$, Alice knows that $a \le j < b$" (Schneier interchanged Alice and Bob and $i$ with $j$). But he does not explain why the initiator of the protocol can deduce that.

One more idea: Maybe the condition is not needed for all asymmetric encryption schemes but only for RSA (the only one at that time?). But I cannot show that either.

Added 9.6.16

One more thought: Let's assume Bob gets from Alice a list that looks like $[w_i] = [11,7,6,22,33,44,55,66,77,88]$. Then he can argue as follows:

  1. Oops, the list contains two elements having distance one (7,6)

  2. Alice follows the protocol, so the $z_i$ differ by at least 2

  3. So Alice, when calculating the $w_i$ must have incremented the smaller one of the corresponding $z$s

  4. So $[z_i]$ must have been $[11,7,5,21,32,43,54,65,76,87]$

  5. So Alice's fortune equals 2

So I think the distance condition is not only useless but dangerous, because it removes entropy from the result set (and adds information).

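The six-step roadmap from the question, run end to end as an added example (this is not code from the question or from Yao's paper). It assumes a toy RSA key pair for $E_A$ / $D_A$ built from two fixed primes (constructed, far too small to be secure), $N = 24$ bits for Bob's $x$, and fortunes $i, j \in \{1, \cdots, 10\}$; it implements the step 4 "differ by at least 2 mod $p$" check literally and lets you confirm that Bob's step 6 verdict always equals $i \ge j$.

```python
import random

# Toy RSA key for Alice (constructed for this example; not secure).
RSA_P, RSA_Q, RSA_E = 2147483647, 65537, 5          # 2^31-1 and 2^16+1 are prime
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # gcd(5, phi) == 1
N_BITS = 24                                          # size of Bob's x; p gets N/2 bits

def E_A(m):  # encryption with Alice's public key
    return pow(m, RSA_E, RSA_N)

def D_A(c):  # decryption with Alice's private key
    return pow(c, RSA_D, RSA_N)

def is_prime(n):  # trial division is fine for 12-bit candidates
    return n > 1 and all(n % q for q in range(2, int(n ** 0.5) + 1))

def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand

def differ_by_two_mod_p(zs, p):
    # Step 4 condition: no two residues are equal or adjacent modulo p.
    return all((a - b) % p not in (0, 1, p - 1)
               for k, a in enumerate(zs) for b in zs[k + 1:])

def yao_compare(i, j, seed=0):
    """Run the protocol for Alice's fortune i and Bob's fortune j.
    Returns Bob's verdict from step 6: True means he concludes i >= j."""
    rng = random.Random(seed)
    x = rng.getrandbits(N_BITS)                      # step 1: Bob's random x
    k = E_A(x)
    msg = (k - j + 1) % RSA_N                        # step 2: Bob sends k-j+1
    # Step 3: Alice decrypts k-j+u for u = 1..10; note y_j == x.
    ys = [D_A((msg + u - 1) % RSA_N) for u in range(1, 11)]
    while True:                                      # step 4: pick p until all z_u differ by >= 2
        p = random_prime(N_BITS // 2, rng)
        zs = [y % p for y in ys]
        if differ_by_two_mod_p(zs, p):
            break
    # Step 5: first i residues unchanged, the rest incremented (mod p).
    ws = [z if u <= i else (z + 1) % p for u, z in enumerate(zs, start=1)]
    return ws[j - 1] == x % p                        # step 6: Bob checks the j-th entry
```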