Non-Interactive and Fully Output Expressive Private Comparison

Abstract

Private comparison protocols are fundamental to the field of secure computation. Recently, Lu et al. (ASIACCS 2018) proposed a new protocol, \(\mathsf {XCMP}\), which is based on a ring-based fully homomorphic encryption (FHE) scheme. In that scheme, two \(\mu \)-bit integers a and b are compared in encrypted form without revealing the plaintext to an evaluator. The protocol outputs a bit in encrypted form, which indicates whether \(a > b\). \(\mathsf {XCMP}\) has the following three advantages: the output can be reused for further processing, the evaluation is performed without any interactions with a decryptor having a secret key, and the required multiplicative depth is only 1. However, \(\mathsf {XCMP}\) has two potential disadvantages. First, the protocol result preserves both additive and multiplicative homomorphisms over \(\mathbb {Z}_t\) only, whereas the underlying FHE scheme can support a much larger plaintext space of \(\mathbb {Z}_t[X]/(X^N+1)\) for a prime t and a power-of-two N; this restricts the functionality of applications using the comparison result. Second, the bit length \(\mu \) of the integers to be compared is no more than \(\log N\) (typically 16 bits, at most). Thus, it is difficult for \(\mathsf {XCMP}\) to handle larger integers. In this paper, we propose a non-interactive private comparison protocol that solves the aforementioned problems and outputs an additively and multiplicatively reusable comparison result over the ring without adding an extremely large computational overhead over \(\mathsf {XCMP}\). Moreover, by regarding a \(\mu ~(>16)\)-bit integer as a sequence of chunks, we show that the multiplicative depth required for our comparison protocol is logarithmic in the number of chunks. This value is much smaller than the naive solution with a multiplicative depth of \(\log \mu \). Experiment results demonstrate that our protocol introduces a subtle overhead over \(\mathsf {XCMP}\). Remarkably, we experimentally demonstrate that our protocol for a larger domain is comparable to the construction given by one of the state-of-the-art bitwise FHE schemes.