Privacy-Preserving Greater-Than Integer Comparison without
Binary Decomposition
Sigurd Eskeland
Norwegian Computing Center, Postboks 114 Blindern, 0314 Oslo, Norway
Keywords:
Privacy-Preserving Integer Comparison, Privacy Protocols, Homomorphic Cryptography.
Abstract:
Common to the overwhelming majority of privacy-preserving greater-than integer comparison schemes is that cryptographic computations are conducted in a bitwise manner. To ensure secrecy, each bit must be encoded in such a way that nothing is revealed to the opposite party. The most noted disadvantage is that the computational and communication cost of bitwise encoding is at best linear in the number of bits. Also, many proposed schemes have complex designs that may be difficult to implement. Carlton et al. (2018) proposed an interesting scheme that avoids bitwise decomposition and works on whole integers. A variant was proposed by Bourse et al. (2019). Although the stated adversarial model of these schemes is honest-but-curious users, we show that they are vulnerable to malicious users. Inspired by the two mentioned papers, we propose a novel comparison scheme, which is resistant to malicious users.
1 INTRODUCTION
The idea of the Millionaire’s Problem (Yao, 1982) is
to facilitate two millionaires, who do not trust each
other and who do not want to reveal their worth to
each other, to find out who is the richest. Although
such tasks could trivially be solved by a trusted third
party who decides which party has the greatest value,
the goal is to replace the trusted party with a privacy-
preserving protocol. In other words, it is the ability to
conduct privacy-preserving greater-than integer com-
parisons (PPGTC) without a trusted third party.
PPGTC may be used as a subprotocol for
conducting privacy-preserving computations on en-
crypted data sets. Practical applications are auctions
with private biddings, voting systems, privacy-
preserving database retrieval and data-mining,
privacy-preserving statistical analysis, genetic
matching, face recognition, privacy-preserving set
intersection computation, etc.
Privacy-preserving integer comparison is an active research field that is based on techniques such as homomorphic encryption, garbled circuits, oblivious transfer, and secret sharing. Authors generally tend to claim some improvement over some other scheme, in particular with regard to efficiency, but the actual efficiency may not be readily comparable (for example, because the methods are very different), and is not reported in many papers. Common to the overwhelming majority of privacy-preserving greater-than integer comparison schemes is that cryptographic computations are conducted in a bitwise manner. To ensure secrecy, each bit of the private inputs must be encoded in such a way that nothing is revealed to the opposite party. Bitwise cryptographic processing results in high computational and communication costs that are proportional to the input sizes. Also, many proposed schemes have complex designs that may be difficult to implement.
Carlton et al. (2018) proposed a PPGTC scheme that works on whole integers and that does not require bitwise coding or encryption. Inspired by (Damgård et al., 2008a; Damgård et al., 2008b), it makes use of a special RSA modulus. Blinding is conducted to protect the input values. At the end of the protocol, a plaintext equality test (PET) subprotocol determines the outcome of the comparison, which imposes an additional performance cost. Bourse et al. (2019) proposed a slightly modified two-pass PPGTC protocol that avoids the PET subprotocol, whose function is simply replaced by a control value that is sent to party A in the last pass. By means of this value, party A determines the outcome of the comparison.

A disadvantage of the Bourse scheme compared to the Carlton scheme is a significantly smaller upper bound on private inputs and a composite modulus whose size exceeds those recommended for RSA, even at small input bounds.
Eskeland, S. Privacy-Preserving Greater-Than Integer Comparison without Binary Decomposition. DOI: 10.5220/0009822403400348. In Proceedings of the 17th International Joint Conference on e-Business and Telecommunications (ICETE 2020) - SECRYPT, pages 340-348. ISBN: 978-989-758-446-6. Copyright © 2020 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved.
The stated adversarial model of the Carlton and
Bourse schemes is honest-but-curious users, i.e., par-
ticipants that do not deviate from protocol specifica-
tion concerning how messages are computed. The
overall motivation for using privacy-preserving pro-
tocols has to do with lack of trust, where privacy-
preserving methods allow individuals who do not trust
each other to conduct computations without disclos-
ing their private inputs. The assumption of honest-but-curious users is therefore somewhat at odds with the assumption that users do not trust each other.
Contribution. In this paper, we show that the Carlton and Bourse schemes are insecure with regard to malicious users, i.e., participants whose message computations deviate from the protocol specification. In particular, the attacks presented in this paper are undetectable, which underlines that the honest-but-curious adversarial assumption is arguably insufficient. We propose a novel PPGTC scheme that seeks to mitigate the mentioned schemes' insecurities w.r.t. malicious users. It has only two rounds, and its upper plaintext bounds compare favorably with those of the Carlton scheme.
Outline. Section 2 provides the necessary preliminaries and presents the basic idea of the comparison mechanism used by the Carlton and Bourse schemes and by the one proposed in this paper. Section 3 outlines the Bourse scheme. Attacks on this scheme are presented in Section 4. The Carlton scheme and an attack on it are presented in Section 5. In Section 6 our novel PPGTC scheme is presented.
2 PRELIMINARIES
The main feature of the PPGTC schemes proposed
by Carlton et al. (2018) and Bourse et al. (2019) is
the ability to compare entire integers, as opposed to
bitwise operation on encrypted bits. This is achieved
by special cyclic subgroups realized by making use of
the following parameters:
$a$ and $d$, where $0 < a \le d$, and $d/a$ denotes the upper bound of the private inputs, $m_A, m_B \le d/a$. Note that $a$ does not exist in the Carlton scheme, where $d$ alone denotes the upper bound of the private inputs.

Let $n = pq$, where $p$ and $q$ are primes and

$p = p_0^d p_s p_t + 1$ and $q = p_0^d q_s q_t + 1$ if $p_0 = 2$,

$p = 2 p_0^d p_s p_t + 1$ and $q = 2 p_0^d q_s q_t + 1$ if $p_0$ is a small odd prime,

and $p_s, q_s, p_t, q_t$ are distinct primes. See Section 2.1 for details on how to set the sizes of these primes.

$\bar b$ denotes a public upper bound of $p_s q_s$.

$g$ is a generator of a cyclic subgroup $G \subset \mathbb{Z}_n^*$ of order $p_0^d$.

$h$ is a generator of a cyclic subgroup $H \subset \mathbb{Z}_n^*$ of order $p_s q_s$.

$c$ is a long-term private key that is used by party A, where

$c = p_s q_s \cdot \left( (p_s q_s)^{-1} \bmod p_0^d \right)$   (1)

so that $c \equiv 1 \pmod{p_0^d}$ and $c \equiv 0 \pmod{p_s q_s}$.

The public key is $\{n, a, d, p_0, g, h, \bar b\}$, and the private key of party A is $\{p, q, c\}$. The core idea behind the Carlton scheme is that the element

$g^{p_0^{d + m_A - m_B}} \bmod n$   (2)

where $0 \le m_A, m_B \le d$, can be used to compare two integers $m_A$ and $m_B$: since $g$ has order $p_0^d$, the result depends on whether the exponent $p_0^{d + m_A - m_B}$ is a multiple of $p_0^d$ or not, so that

$g^{p_0^{d + m_A - m_B}} \ne 1$ if $m_A < m_B$, and $g^{p_0^{d + m_A - m_B}} = 1$ if $m_A \ge m_B$.

This construction is almost identical in the Bourse scheme, which has an additional public parameter $a$, where integer comparison is conducted according to

$g^{p_0^{d + a \cdot (m_A - m_B)}} \bmod n$   (3)

where $0 \le m_A, m_B \le d/a$.
2.1 Prime Sizes

The upper plaintext bound $\hat m$ and the chosen security level $\lambda$ determine the prime sizes. The primes $p_s$ and $q_s$ have to be at least 256 bits in order to thwart the attack of Coron et al. (2010), which factors the RSA modulus.

Let $\ell$ denote the size of $p$ and $q$; $s$ denote the size of $p_s$ and $q_s$, which should be $s \ge 256$; and $t$ denote the size of $p_t$ and $q_t$. The upper plaintext bound sets $d = \hat m$ in the Carlton scheme and $d = a \cdot \hat m$ in the Bourse scheme. If $\log_2(p_0^d) + s > \ell$ then let $t = 0$ and $p_t = q_t = 1$. Otherwise, let $t = \ell - \log_2(p_0^d) - s$. The latter applies only for the cases where $\hat m$ is small, and $p_t$ and $q_t$ are needed to increase the sizes of $p$ and $q$ so that the security level of $n$ agrees with $\lambda$.
3 THE BOURSE SCHEME
The Bourse scheme is summarized in Figure 1. In the first pass, party A generates the random $r_1$ and blinds $m_A$ by computing

$C = g^{p_0^{a \cdot m_A}} h^{r_1} \bmod n$
Subsequently, in the second pass, party B randomly generates $r_2, u, v$, and blinds $m_B$ in the responding computation:

$D = C^{u \cdot p_0^{d - a \cdot m_B}} g^v h^{r_2} \bmod n$

and the control value $D' = f(g^v)$, where $f$ is a secure hash function. Finally, party A computes

$C' = D^c = \left( C^{u \cdot p_0^{d - a \cdot m_B}} g^v h^{r_2} \right)^c = \left( (g^{p_0^{a \cdot m_A}} h^{r_1})^{u \cdot p_0^{d - a \cdot m_B}} g^v h^{r_2} \right)^c = (g^{p_0^{a \cdot m_A}})^{u \cdot p_0^{d - a \cdot m_B}} g^v = g^{u \cdot p_0^{d + a \cdot (m_A - m_B)}} g^v$   (4)

Due to the private key $c$, each factor of base $h$ is eliminated, so that $C' \in G$.
3.1 Security Assumptions

The security of the first round of both the Carlton and Bourse schemes relies on the small RSA subgroup decision assumption. The following definition is from the Bourse paper (Bourse et al., 2019):

Definition 1 (The small RSA subgroup decision assumption). This assumption holds if, given an RSA quintuple $(u, p_0, d, n, g)$, the distributions of $x$ and of $x^{p_0^d}$, where $p_0^d$ divides both $p - 1$ and $q - 1$, are computationally indistinguishable from a uniformly random quadratic residue $x = r^2 \bmod n$.

This assumption states that it is hard to distinguish elements in $H \subset \mathbb{Z}_n^*$ of order $p_s q_s$ (generated by $h$) from a random quadratic residue in $\mathbb{Z}_n^*$. In other words, it holds if it is not possible to determine whether an integer belongs to $H$ or not. It applies solely to $C$ in the first round, as a measure of whether the subgroup order of the masking factor $h^{r_1} \in H$ achieves the necessary security.

The security of the second round relies on statistically indistinguishable uniform distributions in a subgroup of order $p_0^a$, which is considerably smaller than that of $H$. In the second round, party B generates three secret random integers $(r_2, u, v)$ and sends $(D, D')$ to party A, who computes $C'$. Given $C'$, party A can guess either $g^{u \cdot p_0^{d + a \cdot (m_A - m_B)}}$ or $g^v$, where the correctness of each guess is verified w.r.t. $D'$.
3.2 Security Parameter Considerations

The integers $p_0, a$ determine the security level $\lambda$ of $D$ in Round 2 and $d$:

$p_0^a = 2^\lambda$, where $a = \lambda \cdot \frac{\log 2}{\log p_0}$   (5)

and $d = a \cdot \hat m$. In agreement with Eq. 3, the input values $(m_A, m_B)$ define subgroups $G' \subset G$ of variable order if $m_A < m_B$:

$|G'| = p_0^d / p_0^{d + a \cdot (m_A - m_B)} = p_0^{a \cdot (m_B - m_A)} \ge 2^\lambda$

The smallest subgroup $G'$ is produced by $m_A - m_B = -1$, where $p_0^{d + a \cdot (m_A - m_B)} = p_0^{d - a}$. For this case, the effective range of the random integer $u$ is $0 < u < p_0^a$, cf. Eq. 5. Assuming that $p_0^a$ is big enough, the Bourse scheme is secure w.r.t. honest-but-curious users. Section 4 discusses how a malicious user can reduce this range to make it searchable.
The private input upper bound $\hat m$ is confined by the RSA modulus size. Table 1 shows integer sizes as a function of $\lambda$ and $\hat m$, where $\ell$ denotes the size of $p$ and $q$. It assumes that $p_0 = 2$ and $s = 256$ bits, cf. Section 2.1. NIST recommends that the RSA modulus should be 2048 bits for a $\lambda = 112$ bits security level, and 3072 bits for $\lambda = 128$ bits security.[1] The moduli lengths given in the table exceed the RSA recommendations, meaning that $p_t, q_t$ are not needed. The foremost downside is the limitation of low upper bounds on private inputs, which, as in the example, causes a very large composite $n$ that significantly exceeds that which is recommended for RSA.

Table 1: Parameter sizes for the Bourse scheme, where $p_0 = 2$.

  λ     m̂     a     d       ℓ       |n|
  112   10    112   1120    1376    2752
  112   50    112   5600    5856    11712
  112   100   112   11200   11456   22912
  128   10    128   1280    1536    3072
  128   50    128   6400    6656    13312
  128   100   128   12800   13056   26112
4 MALICIOUS USER ATTACKS

The Bourse scheme assumes honest-but-curious users that do not deviate from the protocol. A user who is motivated to disclose the private input of another user may be inclined to deviate from the protocol for this purpose. In this section we show that the Bourse scheme is insecure with regard to dishonest users, in particular party A. The consequence is that party A may obtain the private input of party B, who will not know that a privacy breach has occurred. Note that the following attacks do not apply to the Carlton scheme, presented in Section 5, due to its use of a PET subprotocol.

[1] http://www.keylength.com

Figure 1: The Bourse et al. comparison scheme.

Party A (private key $c$)                            Party B
$r_1 \in \{1 \dots \bar b\}$                           $r_2 \in \{1 \dots \bar b\}$
                                                       $u \in \{1 \dots p_0^a\}$, $p_0 \nmid u$
                                                       $v \in \{1 \dots p_0^a\}$, $p_0 \nmid v$
$C = g^{p_0^{a \cdot m_A}} h^{r_1}$
                        ---- $C$ ---->
                                                       $D = C^{u \cdot p_0^{d - a \cdot m_B}} g^v h^{r_2}$
                                                       $D' = f(g^v)$
                        <--- $D, D'$ ----
$C' = D^c$
If $D' = f(C')$ then $m_A \ge m_B$, else $m_A < m_B$.
4.1 Fixed Value Attack

This attack pertains to the initial computation conducted by party A. In Round 1, party A selects $k = a - 1$, and sends $C = g^{p_0^k} h^{r_1}$ to party B. In Round 2, party B computes and returns $(D, D')$ to party A, who lastly computes

$C' = g^{u \cdot p_0^k \cdot p_0^{d - a \cdot m_B}} g^v = g^{u \cdot p_0^{a - 1 + d - a \cdot m_B}} g^v$

Consider the following cases:

Case 1. If $m_B = 0$ then $C' = g^{u \cdot p_0^{a - 1 + d}} g^v = g^v$.

Case 2. If $m_B = 1$ then $C' = g^{u \cdot p_0^{a - 1 + d - a}} g^v = g^{u' \cdot p_0^{d - 1}} g^v$, where $0 < u' < p_0$.

Case 3. If $m_B > 1$ then $C' = g^{u \cdot p_0^{a - 1 + d - a \cdot m_B}} g^v = g^{u' \cdot p_0^{d - a \cdot (m_B - 1) - 1}} g^v$, where $0 < u' < p_0^{a \cdot (m_B - 1) + 1}$.

The first two cases are trivial for party A to identify by checking w.r.t. the hash value $D'$. For the third case, assuming that $p_0^a$ is big enough, it would not be possible for party A to recover $g^v$ and then $m_B$.
4.2 Selected Value Attack

The previous attack can be generalized for any preselected value of $m_B$, meaning that if party A computes $C$ w.r.t. a specific value $m'_B$, it will give him or her assurance whether this is the value submitted by party B in Round 2.

In Round 1, party A selects $k = a \cdot m'_B - 1$, and sends $C = g^{p_0^k} h^{r_1}$ to party B. Lastly, party A obtains

$C' = (g^{p_0^k})^{u \cdot p_0^{d - a \cdot m_B}} g^v = g^{u \cdot p_0^{a \cdot m'_B - 1 + d - a \cdot m_B}} g^v = g^{u \cdot p_0^{d + a \cdot (m'_B - m_B) - 1}} g^v$

Consider the following cases:

Case 1. If $m'_B > m_B$ then $C' = g^v$.

Case 2. If $m_B = m'_B$ then $C' = g^{u \cdot p_0^{d - 1}} g^v = g^{u' \cdot p_0^{d - 1}} g^v$, where $0 < u' < p_0$.

Case 3. If $m'_B < m_B$ then $C' = g^{u' \cdot p_0^{d - a \cdot (m_B - m'_B) - 1}} g^v$, where $0 < u' < p_0^{a \cdot (m_B - m'_B) + 1}$.

As for the fixed value attack, the first two cases are trivial for party A to identify. For the third case, assuming that $a$ is big enough, it would not be possible for party A to recover $m_B$.
4.3 Public Keys with Tiny Hidden Subgroups

A common assumption in public key cryptography is that users generate their own key pairs and then exchange public keys. In the Bourse scheme, party A is the holder of the private key, and would provide the key pair. A malicious party A could generate a spurious public key $(n, g, h, p_0, a, d)$ with a significantly smaller subgroup than specified in order to obtain private inputs by small brute-force searches.

The following describes how public keys with tiny subgroups can be computed for the Bourse scheme:

$p_0, a, d$ are selected in accordance with Section 2.

Select a prime $p'$ that is close to $d$, i.e., $p' \gtrsim d$, such that the small prime $p_0$ is a generator (i.e., a primitive root) modulo $p'$.

Let $n = pq$ be the product of two primes, where $p = p' p_s p_t + 1$ and $q = p' q_s q_t + 1$, and $p_s, p_t, q_s, q_t$ are generated in accordance with Section 2.

$g$ and $h$ are generated in accordance with Section 2.

$g$ will now generate a tiny subgroup $G'$ confined by $p'$, so that $|G'| = p'$. Due to the following modular equivalence, it holds that

$C' = g^{u \cdot p_0^{d + a \cdot (m_A - m_B)}} g^v \equiv g^{u' \cdot p_0^{d + a \cdot (m_A - m_B)}} g^{v'} \pmod n$

where $0 < u', v' < p'$, cf. Eq. 4. Accordingly, $D' = f(g^v) = f(g^{v'})$.

Following the Bourse protocol, the malicious party A interacts with the honest party B. In Round 1, party A sends $C = g h^{r_1}$ to party B. Party A can then easily find the low-entropy $v'$ by checking $D' = f(g^{v'})$ for each candidate $v'$. Knowing $v'$, party A finds $0 \le x \le p'$ such that

$C' = g^x g^{v'}$, where $x = u' \cdot p_0^{d - a \cdot m_B}$.

This attack is prevented by party B validating $g$ and $n$ by checking that $g^{p_0^d} \equiv 1 \pmod n$ holds.
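The validation step above is the check a receiving party should actually run before using a public key. The following Python program is an added example (not the paper's code) that builds three constructed toy keys and applies the check: an honest key with $|G| = 2^8$; the spurious key of this section with $p' = 11$ (for which $p_0 = 2$ is a primitive root), $p = 2 \cdot 11 \cdot 19 + 1$ and $q = 2 \cdot 11 \cdot 31 + 1$; and, going beyond the page, a key whose $g$ has order $2^4$, a proper power of $p_0$ below $p_0^d$. The last case passes $g^{p_0^d} \equiv 1 \pmod n$ on its own, so the example additionally checks $g^{p_0^{d-1}} \not\equiv 1 \pmod n$, which rejects it; that second condition and the strict flag are this example's addition, not part of the paper. The brute-force recovery of $v'$ uses SHA-256 in place of $f$.

```python
import hashlib
import math
import random

p0, d = 2, 8                          # the public parameters; |G| must be p0^d = 256

# Constructed toy keys as (p, q, cofactor, prime, exponent): g = x^cofactor has
# order prime^exponent.  All six primes are checked by trial division below.
HONEST = (2**8 * 13 + 1, 2**8 * 31 + 1, 13 * 31, 2, 8)              # 3329, 7937: |G| = 2^8
TINY_PRIME = (2 * 11 * 19 + 1, 2 * 11 * 31 + 1, 2 * 19 * 31, 11, 1)  # 419, 683: |G'| = p' = 11
TINY_POWER = (2**4 * 37 + 1, 2**4 * 61 + 1, 37 * 61, 2, 4)           # 593, 977: |G'| = 2^4 < 2^d


def is_prime(m: int) -> bool:
    return m > 1 and all(m % k for k in range(2, int(m**0.5) + 1))


def make_key(params, rng: random.Random):
    """n = pq and a g of exact order prime^exponent in Z_n^*."""
    p, q, cofactor, prime, exponent = params
    assert is_prime(p) and is_prime(q)
    n, order = p * q, prime**exponent
    while True:
        x = rng.randrange(2, n - 1)
        if math.gcd(x, n) != 1:
            continue
        g = pow(x, cofactor, n)
        if pow(g, order, n) == 1 and pow(g, order // prime, n) != 1:
            return n, g


def validate_public_key(n: int, g: int, strict: bool = True) -> bool:
    """Party B's check on (n, g). The paper's condition is g^(p0^d) = 1 (mod n).
    `strict` adds g^(p0^(d-1)) != 1, which rejects a G of order p0^k with k < d."""
    if pow(g, p0**d, n) != 1:
        return False
    return not strict or pow(g, p0 ** (d - 1), n) != 1


def H(x: int, n: int) -> bytes:
    """The hash f; SHA-256 over the fixed-width encoding of x."""
    return hashlib.sha256(x.to_bytes((n.bit_length() + 7) // 8, "big")).digest()


def recover_small_exponent(n: int, g: int, order: int, target: bytes) -> int:
    """Party A's brute force (Section 4.3): the v' < |G'| with f(g^v') = D'."""
    for v in range(order):
        if H(pow(g, v, n), n) == target:
            return v
    raise ValueError("no exponent below the subgroup order matches")


if __name__ == "__main__":
    rng = random.Random(5)
    for name, params in (("honest", HONEST), ("tiny prime", TINY_PRIME), ("tiny power", TINY_POWER)):
        n, g = make_key(params, rng)
        print(f"{name:11s} paper check: {validate_public_key(n, g, strict=False)}  "
              f"strict check: {validate_public_key(n, g)}")
    n, g = make_key(TINY_PRIME, rng)
    v = rng.randrange(1, 2**64)              # party B's random v, far above 11
    D_prime = H(pow(g, v, n), n)
    print("recovered v' =", recover_small_exponent(n, g, 11, D_prime), " v mod 11 =", v % 11)
```

Because 2 is a primitive root modulo 11, the values $g^{p_0^e}$ for a $g$ of order 11 cycle through only ten elements, which is what makes $v'$ and $u'$ searchable; the honest key yields $d + 1$ distinct values of $g^{p_0^e}$ and passes both conditions, while the order-$2^4$ key is caught only by the strict condition.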
5 THE CARLTON SCHEME

The Carlton scheme is shown in Fig. 2. The public key $(n, p_0, d, g, h)$ and private key $c$ are generated in agreement with Section 2. It uses a plaintext equality test in the end. Note that in Carlton et al. (2018), $p_0$ is denoted as $b$, and $c$ as $x$.

The correctness of $C'$ is given by

$C' = D^c = \left( (g^{p_0^{m_A}} h^{r_1})^{p_0^{d - m_B}} g^s h^{r_2} \right)^c = g^{p_0^{d + m_A - m_B}} g^s$

where, similar to Eq. 4, the factors of base $h$ are eliminated. The security of Round 1 is based on the small RSA subgroup decision assumption, cf. Definition 1. The security of Round 2 is based on the secrecy of $g^s$. Note that the Carlton scheme is more favorable than the Bourse scheme due to its considerably larger upper bounds on private inputs, as seen in Table 2.

Table 2: Parameter sizes for the Carlton scheme and our scheme, $p_0 = 2$.

  λ     m̂      d      ℓ      |n|
  112   100    100    1024   2048
  112   1000   1000   1256   2512
  112   5000   5000   5256   10512
  128   100    100    1536   3072
  128   1000   1000   1536   3072
  128   5000   5000   5256   10512
5.1 Known Subgroup Attacks
Similar to the Bourse scheme, the Carlton scheme as-
sumes honest-but-curious users. From the perspective
of malicious users, the attacks presented in Section 4
do not apply to the Carlton scheme due to the way
that the final integer comparison is conducted. But as
we show next, the Carlton scheme is nevertheless not
secure with regard to malicious users.
The computation of the integer $D$ in the Carlton scheme is similar to that of the Bourse scheme, except that in the Bourse scheme the factor $C^{u \cdot p_0^{d - a \cdot m_B}}$ of $D$ is "randomized" by $u$ over a larger subgroup determined by $p_0^a$. The lack of this feature in the Carlton scheme can be exploited by party A.

Since party A is the holder of the private key, we assume that party A knows the composition of the RSA modulus. Knowing subgroup orders does not make this party malicious as long as he acts in agreement with the protocol. There may be several variant attacks where a party knows subgroup orders. One variant is as follows:

Party A sends $C = \alpha^r$ to party B, where $r$ is a random number, thereby deviating from how the protocol specifies this computation. Party B has no way to determine this, and computes $D$ according to the protocol. Finally, party A computes

$D^{p_0^d \cdot p_s \cdot q_s} = \left( \alpha^{r \cdot p_0^{d - m_B}} g^s h^{r_2} \right)^{p_0^d p_s q_s} = \alpha^{r \cdot p_0^{2d - m_B} \cdot p_s \cdot q_s}$

eliminating the factors of base $g$ and $h$. Knowing $\alpha^{r \cdot p_s \cdot q_s}$ beforehand, party A then easily recovers $m_B$.

Figure 2: The Carlton et al. comparison scheme.

Party A (private key $c$)                            Party B
$r_1 \in \{1 \dots \bar b\}$                           $r_2 \in \{1 \dots \bar b\}$
                                                       $s \in \{1 \dots p_0^d - 1\}$
$C = g^{p_0^{m_A}} h^{r_1}$
                        ---- $C$ ---->
                                                       $D = C^{p_0^{(d - m_B)}} g^s h^{r_2}$
                        <--- $D$ ----
$g^w = D^c$
$w = \log_g(g^w)$
                        PET$(w, s)$
If $w = s$ then $m_A \ge m_B$, else $m_A < m_B$.
6 A NOVEL
PRIVACY-PRESERVING
GREATER-THAN
COMPARISON SCHEME
In this section we present a novel privacy-preserving greater-than integer comparison protocol. Inspired by the two previous schemes (Carlton et al., 2018; Bourse et al., 2019), our scheme uses a cyclic subgroup of prime-power order $p_0^d$. Similar to the Carlton scheme, two integers $m_A$ and $m_B$ are compared in a privacy-preserving manner in agreement with Eq. 2, which avoids the restricted bounds on private inputs of the Bourse scheme.
6.1 Construction

The proposed scheme requires the following parameters:

$n = pq$, where $p$ and $q$ are large primes, and

$p = p_0^d p_s + 1$ and $q = p_0^d q_s + 1$ if $p_0 = 2$,

$p = 2 p_0^d p_s + 1$ and $q = 2 p_0^d q_s + 1$ if $p_0$ is a small odd prime,

where $p_s$ and $q_s$ are distinct primes.

$d$ denotes the upper bound of the private inputs: $0 \le m_A, m_B < d$.

$\bar b$ denotes a public upper bound of $p_s q_s$.

$\alpha$ is a small generator of $\mathbb{Z}_p^*$ and $\mathbb{Z}_q^*$.

A private key $g = \alpha^{p_s q_s} \bmod n$ generating the subgroup $G$ of order $p_0^d$.

The public parameters are $\{n, d, p_0, \bar b\}$. The private key $g$ is held by Alice. We therefore assume that Alice issues the public key and knows the construction of $n$.

The proposed scheme is summarized in Figure 3. In Round 1, Bob shares

$x = \alpha^{p_0^{m_B}} \alpha^{r_1}$ and $\beta = \alpha^{p_0^d r_2} \alpha^{p_0^{d - m_B} r_1 r_2}$

with Alice. In Round 2, Alice should check that $x \ne 1$ and $x \ne \alpha$. Alice computes and sends

$y = g^{r_4 p_0^{m_A}} x^{r_3} = g^{r_4 p_0^{m_A}} \alpha^{p_0^{m_B} r_3} \alpha^{r_1 r_3}$

and

$\gamma = f(\beta^{r_3}) = f\left( (\alpha^{p_0^d r_2 + p_0^{d - m_B} r_1 r_2})^{r_3} \right) = f\left( \alpha^{p_0^d r_2 r_3 + p_0^{d - m_B} r_1 r_2 r_3} \right)$   (6)

to Bob, where $f$ is a secure hash function. Finally, Bob computes

$w = y^{r_2 p_0^{d - m_B}} = \left( g^{r_4 p_0^{m_A}} \alpha^{p_0^{m_B} r_3} \alpha^{r_1 r_3} \right)^{r_2 p_0^{d - m_B}} = g^{r_2 r_4 p_0^{d + m_A - m_B}} \alpha^{p_0^d r_2 r_3} \alpha^{p_0^{d - m_B} r_1 r_2 r_3} = g^{r_2 r_4 p_0^{d + m_A - m_B}} \left( \alpha^{p_0^d r_2} \alpha^{p_0^{d - m_B} r_1 r_2} \right)^{r_3} = g^{r_2 r_4 p_0^{d + m_A - m_B}} \beta^{r_3}$   (7)

and checks whether $f(w) \overset{?}{=} \gamma$. There are two outcomes:

$f(w) = \gamma$, because $w = \beta^{r_3}$, and $m_A \ge m_B$.

$f(w) \ne \gamma$, because $w \ne \beta^{r_3}$, and $m_A < m_B$ with overwhelming probability.

Note that the secret ephemeral integers $r_2, r_4$ should not be divisible by $p_0$, to avoid reducing the order of the elements based on $g$.

Figure 3: The proposed secure comparison protocol.

Alice (private key $g$)                              Bob
$r_3 \in \{1 \dots \bar b\}$                           $r_1 \in \{1 \dots \bar b\}$
$r_4 \in \{1 \dots d\}$, $p_0 \nmid r_4$                $r_2 \in \{1 \dots \bar b\}$, $p_0 \nmid r_2$
                                                       $x = \alpha^{p_0^{m_B}} \alpha^{r_1}$
                                                       $\beta = \alpha^{p_0^d r_2} \alpha^{p_0^{d - m_B} r_1 r_2}$
                        <--- $x, \beta$ ----
$y = g^{r_4 p_0^{m_A}} x^{r_3}$
$\gamma = f(\beta^{r_3})$
                        ---- $y, \gamma$ ---->
                                                       $w = y^{r_2 p_0^{d - m_B}}$
                                                       If $f(w) = \gamma$ then $m_A \ge m_B$, else $m_A < m_B$.
6.2 Security Parameter Considerations

The bound on private inputs is confined by the RSA modulus size. As mentioned, the RSA modulus recommendations are 2048 bits for a $\lambda = 112$ bits security level, and 3072 bits for $\lambda = 128$ bits security. Table 2 shows parameter sizes as a function of the security level $\lambda$ and the maximum input bound $\hat m$, where $\ell$ denotes the size of $p$ and $q$.
7 SECURITY ANALYSIS

The security relies on the indistinguishability of random distributions, except when it comes to a malicious user, who submits a computation that deviates from the protocol specification. This is a reasonable scenario, as such deviating computations cannot be detected by the opponent, which again underlines that the honest-but-curious adversarial assumption is insufficient.

Note that the fixed and selected value attacks in Sections 4.1 and 4.2 do not apply to our scheme, since they assume that the generator $g$ is public. The known subgroup attack in Section 5.1 does not apply directly to our scheme, but reduced subgroups are addressed in Section 7.2. The tiny hidden subgroups attack in Section 4.3 is addressed in this analysis.

The following security assumption applies for malicious users, as shown in this section:

Definition 2 (The Private RSA Subgroup Problem). Given the RSA modulus $n$ and an integer $R = \alpha^{p_0^d r_1} g^{r_2}$, this computational problem is the difficulty of computing $R^c = g^{r_2}$ under the assumption that $g$ and $c$ (defined in Eq. 1) are not known, and where $g$ generates the subgroup $G$.

This problem hinges on the difficulty of factorizing $n$. Note that the small RSA subgroup decision assumption does not apply to our scheme, as there is no subgroup $H$. In line with the previous discussions, the following security analysis considers the two adversarial models separately.
7.1 Security w.r.t. Honest-but-Curious Users

In this section, we prove that the proposed protocol preserves the confidentiality of the private inputs against honest-but-curious adversaries in the standard model.

Lemma 1 (Privacy of Bob). The secrecy of $m_B$ is preserved assuming an honest-but-curious opponent.

Proof. In Round 1, Alice receives $x, \beta$, whose exponents carry the private input $m_B$.
$x$: Given that $r_1$ of the blinding factor $\alpha^{r_1}$ in $x$ is a uniform random value, $x$ is indistinguishable from $\alpha^z$, where $z$ is a uniform random value. The secrecy of $\alpha^{p_0^{m_B}}$ is therefore preserved.

$\beta$: Given that both factors of $\beta$, i.e., $\alpha^{p_0^d r_2}$ and $\alpha^{p_0^{d - m_B} r_1 r_2}$, have random exponents, they are indistinguishable from $\alpha^z$, where $z$ is also a uniform random value. The secrecy of $\alpha^{p_0^{d - m_B} r_1 r_2}$ is therefore preserved.

Since $x, \beta$ are indistinguishable from random integers in $\mathbb{Z}_n^*$, the secrecy of $m_B$ is preserved.

Note that $x, \beta$ have the common exponents $r_1, r_2, p_0^{m_B}$, which may yield a corresponding correlation. This is accounted for in the analysis in Section 7.2.
Lemma 2 (Privacy of Alice). The secrecy of $m_A$ is preserved assuming an honest-but-curious opponent.

Proof. Let $m_B = 0$, so that $m_A$ could potentially be extracted over the whole range $[1 \dots d]$. In Round 2, Bob receives $y, \gamma$. Regarding $y$, the factor $g_A = g^{r_4 p_0^{m_A}}$ is blinded by $x^{r_3}$. Honest-but-curious users imply that $\alpha$ is the actual element used to compute $x$, according to the protocol, so that $x^{r_3} \in B \subset \mathbb{Z}_n^*$, where $|B| = \bar b$. The security hinges on the secrecy of $r_3$:

Brute-force attack: Given $\beta$ and $\gamma$, $r_3$ can be found by checking $f(\beta^{r_3}) \overset{?}{=} \gamma$, cf. Eq. 6. Since $\bar b = |p_s q_s|$ is very large, it is computationally infeasible to brute-force $r_3$. The secrecy of $g_A$, and thus of $m_A$, is preserved.

Pre-image attack: Bob computes

$w = y^{r_2 p_0^{d - m_B}} = g^{r_2 r_4 p_0^{d + m_A - m_B}} \beta^{r_3}$

cf. Eq. 7, where $g^{r_2 r_4 p_0^{d + m_A - m_B}}$, which contains the private input $m_A$, is blinded by $\beta^{r_3}$. The blinding factor could be disclosed by computing the inverse $f^{-1}(\gamma) = \beta^{r_3}$. This is equivalent to breaking the pre-image resistance property of the hash function $f$. Assuming the one-way function $f$ is secure, this is computationally infeasible.

Given the above, the secrecy of $m_A$ is preserved against an honest-but-curious adversary.
7.2 Security w.r.t. Malicious Users

Since Alice is the holder of the private key, we can assume that Alice computes the key pair, and therefore knows the composition of the RSA modulus. Since Bob is the initiator of the protocol, Alice cannot cheat Bob by sending him spurious protocol messages. This confines the adversarial scenarios to:

1. Alice submits a spurious public key $\alpha', n'$ to Bob.

2. Bob diverges from the protocol when computing $x, \beta$.

Alice could share a spurious RSA modulus $n'$ with Bob, cf. Section 4.3. Alternatively, the attack in Section 5.1 utilizes the subgroup $G$ of order $p_0^d$ of the genuine RSA modulus. However, this subgroup may be too large for brute-forcing.

By means of the private key $g$, Alice controls the pertaining small subgroup $G'$ and its order, by which it is computationally feasible to search for the corresponding exponent $\hat e$, given the modular equivalence $\hat g^{\hat e} \equiv \alpha^e \pmod{n'}$, where $\hat e = e \bmod p'$ and $p' = |G'|$.

Lemma 3 (Privacy of Bob). The secrecy of $m_B$ is preserved given a spurious RSA modulus with a tiny hidden subgroup $G'$.

Proof. Let $n'$ be a spurious RSA modulus having a tiny hidden subgroup $G'$. W.r.t. $x, \beta$, assume that Alice obtains the modularly equivalent exponents $a, b$ of the equivalences $x \equiv g^a \pmod{n'}$ and $\beta \equiv g^b \pmod{n'}$, where $a, b$ form the following equation system:

$a = p_0^{m_B} + r'_1 \bmod p'$

$b = p_0^d r'_2 + p_0^{d - m_B} r'_1 r'_2 \bmod p'$

Since the number of unknowns exceeds the number of equations, the equation system is underdetermined. $m_B$ can therefore not be determined. The secrecy of $m_B$ is preserved given a spurious RSA modulus.

A malicious user Bob may submit any integer to Alice, and use the response $y, \gamma$ and $n$ to figure out her private input. Bob would succeed if he is able to correctly guess the blinding factor $x^{r_3}$ or $g^{r_4 p_0^{m_A}}$, although Bob does not know $g$.

Lemma 4 (Privacy of Alice). The secrecy of $m_A$ is preserved assuming a malicious opponent.

Proof. This lemma would be invalidated by the following attack, which we show to be infeasible: A malicious Bob reduces the group order of $x$ by $p_0^d$ by submitting $x = \alpha^{p_0^d r_1}$ to Alice, who returns

$y = g^{r_4 p_0^{m_A}} x^{r_3} = g^{r_4 p_0^{m_A}} \alpha^{p_0^d r_1 r_3}$

in agreement with the protocol. (Note that Alice must check that $x \ne 1$, since this would expose $g^{r_4 p_0^{m_A}}$.) Bob computes $y^c = g^{r_4 p_0^{m_A}}$, where $c$ is defined in Eq. 1, eliminating the blinding factor $\alpha^{p_0^d r_1 r_3}$. Bob finds $m_A$ by checking $(g^{r_4 p_0^{m_A}})^{p_0^i} \overset{?}{=} 1$ for $0 < i < d$ (the smallest such $i$ equals $d - m_A$, since $p_0 \nmid r_4$). Alternatively, Bob could correctly guess $r_4, m_A$, whereof the search space $0 < r_4 < p_0^d$ may or may not be feasible, and then compute $\alpha^{r_4 p_0^{m_A} p_s q_s}$, whose correctness is verified towards $\gamma$.

Both approaches require solving the private RSA subgroup problem (cf. Def. 2). This is solvable provided that the RSA modulus can be factorized. If the RSA modulus is properly composed, this would be computationally infeasible. The secrecy of $m_A$ is therefore preserved.
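The following Python program is an added example (not the paper's code) that implements the protocol of Figure 3 in Section 6 with constructed toy parameters ($p_0 = 2$, $d = 8$, $p = 2^8 \cdot 13 + 1$, $q = 2^8 \cdot 31 + 1$), including Alice's check that $x \notin \{1, \alpha\}$, and then carries out the exponent-stripping step of Lemma 4 ($x = \alpha^{p_0^d r_1}$, then $y^c$) for an attacker who is handed $c$, i.e. the factorization of $n$, to show that the attack reads off $m_A$ exactly when the private RSA subgroup problem of Definition 2 can be solved. SHA-256 stands in for $f$; $\alpha$ is found by searching for the smallest common primitive root of $\mathbb{Z}_p^*$ and $\mathbb{Z}_q^*$; the function names are this example's own.

```python
import hashlib
import random

# Constructed toy parameters (the paper's are thousands of bits, cf. Table 2):
# p0 = 2, d = 8, p = 2^8*13 + 1 = 3329, q = 2^8*31 + 1 = 7937 (both prime),
# so G has order 2^8 and the private inputs satisfy 0 <= m_A, m_B < d.
p0, d = 2, 8
ps, qs = 13, 31
p, q = p0**d * ps + 1, p0**d * qs + 1
n = p * q
b_bar = ps * qs                      # public upper bound on p_s q_s


def H(x: int) -> bytes:
    """The hash f; SHA-256 over the fixed-width encoding of x."""
    return hashlib.sha256(x.to_bytes((n.bit_length() + 7) // 8, "big")).digest()


def find_alpha() -> int:
    """Smallest alpha that is a primitive root of both Z_p^* and Z_q^*."""
    for cand in range(2, n):
        if all(pow(cand, (r - 1) // f, r) != 1
               for r, factors in ((p, (p0, ps)), (q, (p0, qs))) for f in factors):
            return cand
    raise RuntimeError("no common primitive root")


alpha = find_alpha()                          # public
g = pow(alpha, ps * qs, n)                    # Alice's private key, order p0^d
c = ps * qs * pow(ps * qs, -1, p0**d)         # Eq. (1); needs p_s q_s, i.e. the factorization of n


def coprime_to_p0(rng: random.Random, hi: int) -> int:
    while True:
        r = rng.randrange(1, hi + 1)
        if r % p0:
            return r


def bob_round1(m_B: int, rng: random.Random):
    """x = alpha^(p0^m_B + r1) and beta = x^(r2 p0^(d - m_B)); Bob keeps (m_B, r2)."""
    r1, r2 = rng.randrange(1, b_bar + 1), coprime_to_p0(rng, b_bar)
    x = pow(alpha, p0**m_B + r1, n)
    beta = pow(x, r2 * p0 ** (d - m_B), n)
    return (x, beta), (m_B, r2)


def alice_round2(x: int, beta: int, m_A: int, rng: random.Random):
    """y = g^(r4 p0^m_A) x^r3 and gamma = f(beta^r3), after rejecting x in {1, alpha}."""
    if x in (1, alpha):
        raise ValueError("rejected x: the blinding factor x^r3 would be trivial")
    r3, r4 = rng.randrange(1, b_bar + 1), coprime_to_p0(rng, d)
    y = pow(g, r4 * p0**m_A, n) * pow(x, r3, n) % n
    gamma = H(pow(beta, r3, n))
    return y, gamma


def bob_finish(y: int, gamma: bytes, state) -> bool:
    """w = y^(r2 p0^(d - m_B)) equals beta^r3 iff m_A >= m_B (Eq. 7)."""
    m_B, r2 = state
    w = pow(y, r2 * p0 ** (d - m_B), n)
    return H(w) == gamma


def compare(m_A: int, m_B: int, rng: random.Random) -> bool:
    """Honest run of Figure 3; True iff m_A >= m_B."""
    (x, beta), state = bob_round1(m_B, rng)
    y, gamma = alice_round2(x, beta, m_A, rng)
    return bob_finish(y, gamma, state)


def malicious_bob_with_c(m_A: int, rng: random.Random) -> int:
    """Lemma 4's attacker, granted c (i.e. the factorization of n): sends
    x = alpha^(p0^d r1), strips Alice's blinding with y^c = g^(r4 p0^m_A) and
    reads m_A off its order p0^(d - m_A)."""
    r1 = rng.randrange(1, b_bar)               # r1 < p_s q_s keeps x != 1
    x = pow(alpha, p0**d * r1, n)
    y, _ = alice_round2(x, pow(x, p0**d, n), m_A, rng)   # beta is irrelevant here
    stripped = pow(y, c, n)
    i = next(i for i in range(d + 1) if pow(stripped, p0**i, n) == 1)
    return d - i


if __name__ == "__main__":
    rng = random.Random(11)
    print("alpha =", alpha)
    print([[int(compare(m_A, m_B, rng)) for m_B in range(d)] for m_A in range(d)])
    print("recovered m_A:", [malicious_bob_with_c(m_A, rng) for m_A in range(d)])
```

The function compare returns True exactly when $m_A \ge m_B$, and malicious_bob_with_c returns $m_A$ because $y^c$ leaves $g^{r_4 p_0^{m_A}}$, whose order is $p_0^{d - m_A}$ when $p_0 \nmid r_4$. Without $c$ the attacker holds only $y$, and removing $\alpha^{p_0^d r_1 r_3}$ from it is precisely the problem of Definition 2; the example also shows why Alice's rejection of $x = 1$ matters, since that $x$ would hand $g^{r_4 p_0^{m_A}}$ over without any stripping.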
8 CONCLUSION
Common for the overwhelming majority of privacy-
preserving greater-than integer comparison schemes
is that cryptographic computations are conducted in
a bitwise manner. Recently, Carlton et al. (Carl-
ton et al., 2018) and Bourse et al. (Bourse et al.,
2019) proposed privacy-preserving integer compari-
son schemes that work on whole integers in contrast
to bitwise decomposition and encoding of the private
inputs.
In this paper, we have presented the mentioned
comparison schemes, and shown that they are vulner-
able to malicious users. Inspired by the two men-
tioned papers, we have proposed a novel privacy-
preserving greater-than integer comparison scheme,
which is resistant to malicious users.
REFERENCES

Bourse, F., Sanders, O., and Traoré, J. (2019). Improved secure integer comparison via homomorphic encryption. Cryptology ePrint Archive, Report 2019/427. https://eprint.iacr.org/2019/427.

Carlton, R., Essex, A., and Kapulkin, K. (2018). Threshold properties of prime power subgroups with application to secure integer comparisons. Cryptology ePrint Archive, Report 2018/224. https://eprint.iacr.org/2018/224.

Coron, J.-S., Joux, A., Mandal, A., Naccache, D., and Tibouchi, M. (2010). Cryptanalysis of the RSA subgroup assumption from TCC 2005. Cryptology ePrint Archive, Report 2010/650. https://eprint.iacr.org/2010/650.

Damgård, I., Geisler, M., and Krøigaard, M. (2008a). Homomorphic encryption and secure comparison. International Journal of Applied Cryptography, (1):22–31.

Damgård, I., Geisler, M., and Krøigaard, M. (2008b). A correction to "Efficient and secure comparison for on-line auctions". IACR Cryptology ePrint Archive, 2008:321.

Yao, A. C. (1982). Protocols for secure computations. In Proceedings of the 23rd Annual Symposium on Foundations of Computer Science, SFCS '82, pages 160–164, Washington, DC, USA. IEEE Computer Society.