1. MPC for Comparing Two Shared Secrets without Bit-Decomposition Takashi Nishide * Kazuo Ohta The University of Electro-Communications * Hitachi Software Engineering Co., Ltd. 2006/03/05

2. 2 Comparison Protocol Given [a] p, [b] p, parties compute[a < ? b] p where a,b {0,1, …,p-1}, (a < ? b) {0,1} and (a < ? b) = 1 iff a < b. [a] p : Polynomial sharing of a secret a [a] B : Bitwise sharing of a secret a that is, the shares of the bits of a [a] B = {[a l-1 ] p, …,[a 0 ] p } s.t. a =2 i a i

3. 3 Overview of 2 Approaches Existing Scheme[DFKNT06] Given [a] p, [b] p Compute [a] B, [b] B. Compute [a < ? b] p by Bitwise Less- Than. Our Scheme Given [a] p, [b] p Compute [a < ? p/2] p, [b < ? p/2] p, and [a-b mod p < ? p/2] p Compute [a < ? b] p from the above 3 shared bits.

4. 4 Our Construction Comparison Protocol for [a < ? b] p assuming [a < ? p/2] p is available

5. 5 Our Construction(Cont.) How to Compute [a < ? p/2] p Generate a bitwise sharing [r] B, compute [c] p =[a] p +[r] p and reveal c. If r { r low, …, r high } a p/2. [r ? { r low, …, r high }] p = [r low - 1 < ? r] p * [r < ? r high + 1] p 0 p/2 p a r c=a+r mod p r low r high

6. 6 Complexity Analysis Comparison Protocol based on [DFKNT06] 2 * Bit-Decomposition in parallel 1 * Bitwise Less-Than Our Comparison Protocol 3 * joint random number bitwise-sharing in parallel 6 * bitwise less-than in parallel 3 * multiplication in parallel 3 * multiplication in 2 rounds

7. 7 Other Improvements