Comparing Information Without Leaking It

Home , Moni Naor, Moshe Vardi, Moti Yung, Ronald Fagin, Steven Rudich

How can two people determine without revealing anything else to each other whether they possess the same information— in case they do not? There are surprisingly simple solutions. Comparing Information Without

Ronald Fagin, Moni Naor, Leaking It and Peter Winkler

COMMUNICATIONS OF THE ACM May 1996/Vol. 39, No. 5 77 onsider the following problem, which actually occurred in real life; the problem is masked somewhat to protect the participants’ confidentiality. Bob comes to Ron, a manager in his com- pany, with a complaint about a sensitive matter, asking Ron to Ckeep his identity confidential. A few months later, Moshe (another manager) tells Ron that someone has complained to him, also with a confi-

dentiality request, about the same matter. Still other cases arise when two people wish to gos- sip without spreading rumors (each wants to deter- Ron and Moshe would like to determine whether mine if the other is in possession of the same the same person has complained to each of them, information) or to overcome shyness (perhaps there but, if there are two complainers, Ron and Moshe is a certain desirable course of action before them want to give no information to each other about their that neither wants to be the first to suggest). identities. In some situations, the objective is to compare The protocol typically used in a situation like this numerical values (that is, determine which is larger) is akin to the game “20 Questions,” but is known as rather than to test for equality. A typical case is Yao’s delicate conversational probing. Ron might ask “two-millionaires” problem [20], in which the parties Moshe if Moshe’s complainer is male; if the answer is wish to determine who is richer without revealing Yes, Moshe might ask Ron if Ron’s complainer’s sur- their numerical worths. Similarly, a group of friends name begins with a letter preceding M in the alpha- may wish to determine who among them is the oldest, bet. This goes on until Ron and Moshe determine has had the most lovers, or has the extreme value of whether they have the same person in mind. When any potentially embarrassing parameter. We envision they do not, however (particularly when the first No an adult game called “Are You Thinking What I’m occurs late in the game), a great deal of information Thinking?” in which matching and comparison with- may have been exchanged. out leaking are employed to encourage people to Before suggesting some superior protocols, we reveal more about themselves. point out that there are myriad other reasons why two A more serious application occurs in business and or more parties might wish to compare information in labor relations where much time is wasted as par- without leaking it. ties jockey, trying to determine whether they share Obviously, whenever two persons suspect that they common ground. Suppose party A is interested in have the same person in mind to nominate for some acquiring a property belonging to party B, but would post, invite for dinner, or blame for a disaster, but not consider paying more than $x for it; B is willing to neither is willing to risk embarrassment by revealing sell but is not interested in entertaining any offer the name, the situation is much like the one with Ron below $y. A and B would like very much to know and Moshe. which is the greater value, because if x Ն y, they can Similarly, two persons may each wish to determine begin bargaining in earnest, and if x Ͻ y, they can go whether the other is a co-member of a certain secret home. But neither can reveal his number without society. The test of membership, however, is knowl- undermining his bargaining position. edge of a password. The danger is that if A states the When more than two parties are involved, there password in order to convince B of his authenticity, are possible applications in a boardroom or even a and B is an impostor, then B may later be able to jury room setting. For example, leaders often need to make illicit use of the password. know what their advisors really think in the absence The reader can imagine some circumstances in of “fear of dissension.” When a group is polled con- which comparing information without leaking it cerning the advisability of some course of action, it enables two people to engage in an illegal activity might be desirable to set things up so that if a major- without fear of entrapment. However, the techniques ity agree, the outcome will be the same as if there we suggest later might also be used by legal authori- were unanimity. Then no one need be afraid of dis- ties. Suppose the police suspect person A of master- tinguishing himself or herself as a renegade, and if a minding a certain crime and have captured majority of those present have doubts, discussion will underling B. They have offered B immunity for ensue. Similarly, secret ballot elections are supposed incriminating A, but B is afraid to name A unless he to preserve the confidentiality of the voters, but in a can be assured that the police already suspect A. The small group, the tally often tells all. Some of our tech- police are hamstrung because if they suggest A’s niques can be employed to hold elections in which name to B, then B’s statement won’t hold up in court. only the name of the winner (or perhaps the names

78 May 1996/Vol. 39, No. 5 COMMUNICATIONS OF THE ACM of candidates involved in a runoff) is revealed. they would like to avoid any programming whatsoev- Although we have now gone far afield from Ron er, if possible. Their goal is a quick and dirty solution and Moshe, there is an obvious solution to all the pre- that can be expected to work reasonably well. ceding problems. Perhaps the time has come to list the properties we might wish an information-comparing protocol to Solution 1: Josephine have, emphasizing those on which we concentrate in trusted third party is found; all information this article. We remain loyal to the Ron-and-Moshe is presented to him or her with the agree- story for simplicity; but the reader is invited to extrap- Ament that only the required results are olate from our schemes to cover multiple partici- revealed. In the case of Ron and Moshe, each could pants, to compare numbers, and so on. In what individually go to Josephine (the trusted third party), follows, Ron’s “value” is the name of the person who and tell her the name of the complainer. Josephine complained to him—or whatever other piece of could then announce to Ron and Moshe whether the information is the subject of the protocol—and simi- complainers are the same. larly for Moshe. We offer six properties: How satisfactory this solution is depends on how easy it is to find a person to play Josephine’s role and 1. Resolution. Ron and Moshe should find out on how much information Josephine must be trusted whether or not their values match. with. The best situation would be if Josephine had no 2. Leakage. Assuming they follow the protocol faithful- idea why Ron and Moshe are whispering names to ly, Ron and Moshe gain no knowledge about each her, although even then, Ron and Moshe might feel other’s value, except whether or not they are equal. that they are violating the complainers’ trust. 3. Privacy. No one else should gain any information An exciting trend in cryptography in recent years is about Ron and Moshe’s values. the study of protocols for secret function evaluation 4. Security. Neither Ron nor Moshe should be able [13, 14, 17, 20, 21]. These protocols avoid the use of to profit by cheating. That is, neither should be trusted third parties and can be used to solve any of able, by failing to follow the protocol, to deter- these problems. Why don’t Ron and Moshe just follow mine the other’s value without matching it or to such a protocol? determine whether the values match while deny- A technical problem ing the information to the other. with such protocols is that 5. Simplicity. The protocol should be easy both to they rely on unproven implement and to understand; that is, Ron and Moshe should be required to expend The idea is that no machine only a small amount of time, energy, and

operating in probabilistic polynomial time should be able

to distinguish the results of the cryptographic protocol

money to learn, use, from the results of the trusted-third-party solution. and be confident in the protocol. assumptions about computational complexity, such 6. Remoteness. Ron and Moshe need not be physical- as the existence of functions that are easy to compute ly present at the same place to execute the solution. but difficult for any feasible machine to invert. In practice, a more serious problem is simply that they Property 2 says intuitively that if the complainers are complex schemes that only certain experts can be are different, then neither Ron nor Moshe should expected to understand. Thus, blind trust is given to have gained any information at the conclusion of the the system designer. An additional point is that these protocol as to who the other complainer is, other solutions are not yet genuinely practical, even if than the fact that it is a different complainer. implemented with the best possible care. A comment is in order about property 4. One vir- Our goal in this article is to provide some schemes tually unavoidable problem is lying by simulation. whose implementation is so transparent that no Thus, we can do little about the possibility that, say, expertise is needed to verify correctness. We hope Ron will try to mislead Moshe by acting as if the per- that some of these schemes will provide not only prac- son who complained to him were Alice, when it was tical solutions to our problem, but also insight into Bob. Of course, Ron will then determine whether the the subtleties of communication and information. person who complained to Moshe is Alice, rather As it happens, Ron and Moshe happen to trust than determining whether the person who com- cryptographic protocols; their main problem is that plained to Moshe is Bob. So in property 4, we should they are lazy (“overworked” might be a kinder term). really require that the cheater learns for exactly one They don’t want to program such a protocol. Indeed, value whether it is equal to the other party’s input.

COMMUNICATIONS OF THE ACM May 1996/Vol. 39, No. 5 79 Cryptographic protocols are very good at satisfying more characters than anticipated or contained an properties 1 through 4 and 6, with the help of com- unanticipated space. plexity-theoretic assumptions. However, our interest To get around this difficulty, the third author, P. is in achieving property 5 as well. To do so, we are Winkler, has designed (and obtained a patent for) a willing to sacrifice some of the other properties when special-purpose box, called the Electronic Trusted necessary; for example, Ron and Moshe trust each Party, that implements Solution 2. It is a portable elec- other, so property 4 is not so important. Property 3 tronic device that accepts information from two or may be weakened to allow some information to pass more persons, compares or combines it in a prese- to a third party; property 2 may be weakened by allow- lected fashion, destroys the input information, and ing small amounts of information to pass in the non- then displays the results. The critical feature of the match case, or by allowing critical information to pass Electronic Trusted Party is that it is incapable of stor- only in rare cases, or both. Depending on the cir- ing information between uses or of revealing infor- cumstances, property 6 may or may not be significant. mation other than as intended. It thus functions as a After presenting our proposed solutions, we limited-access computing device, whose special fea- return to properties 1 through 6 and examine briefly tures enable users to trust it with private information. how they fared. For serious applications, the device can be certi- fied as genuine by its manufacturer in one of various Other Solutions ways; and it can be made tamper-proof, so that, for E now present solutions suggested by us example, opening the battery case blanks the mem- and our colleagues. Note that some of the ory and opening anything else breaks a seal. Wproposals assume that there is a (short) The Electronic Trusted Party can be used for any known list of candidates for “complainer,” such as the of the applications described earlier, by selecting an department members, or that the name of the com- appropriate mode (e.g., “match,” “rank,” or “vote”) plainer is uniquely representable as an alphabetic and specifying the number of participants and type string. Some proposals assume the existence of a of information desired. Like a computer program, it trusted third party (Josephine), and others do not. must to some extent be trusted; but the fact that it is a manufactured special-purpose device—without any Solution 2: Computer Program means of accessing the memory or any apparent way To avoid giving information to Josephine as in Solu- to misuse information—makes it much easier to trust tion 1, we replace Josephine with a computer. Ron in practice. The reader may imagine a plastic or metal and Moshe could obtain a computer program that box about the size of a hand calculator, but with al- works as follows: phanumeric keys and a special hood/cover to facili- tate private data entry. • The program asks for input from Ron, who types, while Moshe is not looking, the name (Bob) of the Solution 4: Random Permutation person who complained to him. Another modification of Solution 1 (Josephine) can • The program then clears the screen and asks for be obtained by disguising the identities of the possi- input from Moshe, who types, while Ron is not look- ble complainers. Let us assume, for example, there ing, the name of the person who complained to him. are 20 possible candidates. Ron and Moshe agree on • The program clears the screen again and a random labeling of these candidates by the num- announces whether the names that Ron and bers 0 to 19; then each privately tells Josephine the Moshe typed in were the same. number of the person who complained to him, and • The computer finally erases all input information Josephine announces whether the two numbers re- from its memory. ceived are the same. Noga Alon of Tel Aviv University suggested that if Solution 3: Special-Purpose Device the set of candidates is not clear or if the number of Readers will note that, alas, third-party trust is still a candidates is so large it is not practical for Ron and factor in Solution 2—namely, the computer pro- Moshe to generate a random labeling of the name grammer. In particular, how can Ron and Moshe be space, the same effect can be obtained using univer- assured that the program will perform the last step sal classes of hash functions (e.g., those of Carter and and not instead squirrel away the input for future use? Wegman [5, 18]). A concrete example follows. Conceivably, Ron and Moshe can take advantage of Fix a method of assigning unique numbers to can- their professional expertise to actually write the pro- didates, such as the candidate’s name interpreted as gram and input it side by side, but this is too much a number base 27 (alphabetic characters plus space), trouble for them. They might be especially concerned and let p be a prime number larger than the number with debugging, since they would like to feel confi- assigned to any candidate. Ron and Moshe agree on dent that there is no subtle error in programming two random numbers a and b mod p, where a Ó 0 that could cause the program to abort, spewing the mod p, without telling Josephine. If xR is the number data onto the screen, because, say, a typed name had corresponding to the person who complained to

80 May 1996/Vol. 39, No. 5 COMMUNICATIONS OF THE ACM Ron, then Ron tells Josephine the number axR ϩ b To keep Josephine completely in the dark while mod p. Similarly, Moshe tells Josephine the number maintaining the structure of the protocol seems to re- axM ϩ b mod p, where xM is the number correspond- quire substantial effort, but it can be done. The fol- ing to the person who complained to Moshe. The lowing protocol is based on work by Feige et al. [11] point is that if axR ϩ b mod p and axM ϩ b mod p are on secret computation and builds on [13] and [14]. different, then they are, as far as Josephine is con- Using Barrington’s Theorem [1], Ron and Moshe, cerned, simply a random pair uniformly chosen from working together, can associate with each candidate

{(c1,c2)͉0 Յ c1 Յ p Ϫ 1, 0 Յ c 2 Յ p Ϫ 1, and c1 Þ c2}. a pair of lists ␳1, . . . , ␳m and ␮1, . . . , ␮m such that:

Solution 5: Random Rotation • Each ␳i and ␮i is a permutation of the set An even simpler implementation of the idea of Ran- {1,2,3,4,5}. dom Permutation was suggested by Silvio Micali of • If ␳1, . . . , ␳m corresponds to Ron’s complainer MIT. Assume there are 20 candidates to whom Ron and ␮1, . . . , ␮m to Moshe’s, then the composition and Moshe have openly assigned numbers from 0 to ␳1␮1 . . . ␳m␮m yields the rotation ␶ ϭ (12345) 19 (perhaps corresponding to alphabetical order). when the complainers are the same and yields the Josephine generates a random number k between 0 identity permutation otherwise. and 19 and tells it to Ron; Ron adds the number corresponding to his complainer to k and passes the re- Now Ron and Moshe generate and agree on an ad- sulting number mod 20 to Moshe. For example, if ditional list ␴0, . . . , ␴2m of random permuta-

A group of friends may wish to determine who among them

is the oldest, has had the most lovers, or has the extreme

value of any potentially embarrassing parameter.

Bob is assigned the number 10 in the ordering, then tions of the set {1,2,3,4,5}, and they supply per- Ron tells Moshe the number (k ϩ 10) mod 20. mutations alternately (and privately) to Josephine as Ϫ1 Moshe takes this number, subtracts from it the follows: Ron gives her ␴0␳1␴1 ; then Moshe gives her Ϫ1 Ϫ1 number corresponding to the person who complained ␴1␮1␴2 then Ron gives her ␴2␳2␴3 ; and so on. to him, and passes the result mod 20 to Josephine. Josephine composes these permutations and an- Josephine then announces whether the number she nounces the result, which by construction is either Ϫ1 Ϫ1 received from Moshe is the same as the number she ␴0␶␴2m or ␴0␴2m . passed to Ron. If it is, then Ron and Moshe know that Ron and Moshe can, of course, tell from the result it was the same person who complained to both of whether their complainers were the same, but them; otherwise, they know it was not. Josephine has seen nothing but uniformly chosen ran- Note that Josephine obtains some information in dom permutations. It is interesting to note that this this solution—the difference between the numbers method is applicable to any function, not just equal- assigned to the two complainers. ity testing. The catch is that for an arbitrary function, the number m may be very large. Solution 6: Permutation Composition One of the shortcomings of Random Permutation Solution 7: Message for Moshe and Random Rotation is that Josephine finds out Henceforth, we leave Josephine behind and try to whether Ron and Moshe obtained a match. Can this make do without the voluntary participation of a third information be denied the third party? party. Our next solution, which is actually a takeoff We consider keeping the structure of the protocol. on an old joke, was suggested by Russell Impagliazzo Thus, Ron and Moshe agree on some random string of the University of California, San Diego. Ron and and send Josephine some function of their inputs, Moshe assign a random telephone number to each and Josephine announces a result from which Ron candidate. Ron dials the phone number correspond- and Moshe can deduce the answer. A simple but im- ing to the person (Bob) who complained to him and perfect approach (suggested by Bill Aiello of Bell- asks to leave a message for Moshe. Of course, the per- core) is for Ron and Moshe to repeat the procedure son who answers the phone has no idea who Moshe of Solution 4 or Solution 5 (say) 15 times, 14 being is. A few minutes later, Moshe dials the phone num- phony; for each phony procedure, Ron and Moshe ber corresponding to the person who complained to decide using a secret coin flip whether to provide him and asks if anyone has tried to leave a message Josephine with a match or a non-match. Not know- for him. ing which procedure is the real one, Josephine is (probably) kept more or less in the dark as to the Solution 8: Airline Reservation genuine outcome. A neat practical version of Message for Moshe takes

COMMUNICATIONS OF THE ACM May 1996/Vol. 39, No. 5 81 advantage of the fact that airlines do not provide son who complained to him and a slip saying No in names of people who have reserved flights. While each of the other 19 cups. Moshe does the same. Ron Moshe is out of the room, Ron calls Delta Airlines and and Moshe then remove the labels and shuffle the makes a reservation in the name of his complainer for cups at random. They then look inside the cups to the Tuesday afternoon flight from Atlanta to Salt Lake see whether one of them contains two slips saying Yes. City. Moshe then takes over and tries to cancel the reservation in his complainer’s name. Finally Ron can- Solution 11: Deck of Cards cels, or tries to cancel, the reservation he made. The following scheme gives a practical method for handling large or unspecified candidate sets, al- Solution 9: Password though it has compensatory flaws. It makes use of the Dick Lipton of Princeton University and Nick Pip- coincidence that the number of playing cards in an penger of the University of British Columbia inde- ordinary deck is twice the number of letters in the pendently suggested a protocol that relies on the pres- English alphabet. ence of a computer but does not require any new The red and black cards of a deck of 52 playing programming. Ron changes his password to be the cards are separated to form two decks of 26 cards; name of the person who complained to him (thus, each deck is then shuffled and placed face down on Ron changes his password to BOB). Moshe then tries the table. A 26-step procedure now begins. to log on as Ron, using as a password the name of the At step i, Ron removes the top card from each deck person who complained to him. Moshe succeeds pre- and puts the two cards together face-to-face, not look- cisely if the same person complained to Ron and ing at their values, with the card from the red deck Moshe. Note that password-checking programs are on top. He takes the pair behind his back; if the ith (typically) designed fortuitously for the task at hand letter of the alphabet is in his secret name, he inverts and are heavily debugged for high security—so that, the pair so the black card is on top; otherwise he does for example, when the password is typed in, it does nothing. not appear on the screen. Then Ron passes the pair of cards to Moshe; Moshe It is interesting that Pippenger thought of this so- takes the cards behind his own back, again inverting lution by considering hash functions. Many computer them precisely if the ith letter of the alphabet is in systems store not the password, but a hashed version Moshe’s secret name. The pair of cards is now placed of the password, so that a system hacker cannot look on an accumulating “result stack” on the table. at a table of stored passwords; instead, the hacker sees After 26 steps, all the cards are in the result stack, at best a hashed version of the password, from which which is then riffle-shuffled carefully so card colors it should be difficult to infer the password. In such a do not show. Finally, cards are dealt off the top of the system, when someone types in his or her password, result stack; a red card face up signals a mismatch of the computer compares the hashed value of the pass- secret names. word typed in with the stored hashed value of the ac- It is interesting to note that Crépeau and Kilian tual password. Thus, in such a system, the Lipton-Pip- [9] have shown how Ron and Moshe can evaluate any penger solution is a preprogrammed version of both function secretly using a deck with four kinds of cards. Computer Program and Random Permutation. All they have to be able to do is perform a random The following clever variation of Password, sug- cyclic shift of the cards. The number of cards required gested by Alain Plagne of École Normale Supérieure is proportional to the size of the circuit to evaluate in Paris, removes any possible temptation on Moshe’s the function. part to surreptitiously try more than one password against Ron’s. Ron issues the “passwd” command, Solution 12: Envelopes which asks for the old password and then the new We now give a physical solution that avoids leaking one, for which Ron enters his complainer’s name as information (even if the name space is large) and re- before. Then Moshe takes over when the “passwd” quires no trust. This scheme is somewhat technical program demands confirmation of the new password. and may be skipped by the casual reader. Afterward, Ron checks whether or not his old pass- Suppose for ease in description that the name word is still valid. space is {0, 1}n; that is, assume that the name of the person who complained to Ron is (encoded as) the Solution 10: Cups sequence x ϭ x1x2 . . . xn of n bits and that the name Miki Ajtai of the IBM Almaden Research Center sug- of the person who complained to Moshe is the se- gested a physical solution to our problem. We need quence y ϭ y1y2 . . . yn of n bits. As in many crypto- to assume that there is a fairly small pool of candi- graphic protocols, our solution allows a small proba- dates, say 20. Ron and Moshe obtain 20 identical con- bility of error; here, the error represents the tainers (perhaps by purchasing disposable cups), probability that Ron and Moshe believe, at the con- arrange them in a line, and write labels in front of clusion of the protocol, that their candidates are the each cup, one for each candidate. Ron then puts a same when they are actually different. Let k be a pos- folded slip of paper saying Yes in the cup of the per- itive integer large enough so that probability of error

82 May 1996/Vol. 39, No. 5 COMMUNICATIONS OF THE ACM of 2Ϫk is sufficiently small to be acceptable. mation to Moshe. If Ron writes a random value on Ron and Moshe each select 2n random numbers, his paper, rather than SR, then Moshe will (almost chosen independently between 0 and 2k Ϫ 1. They surely) conclude that x Þ y, whether or not this is cor- each prepare a set of 2n identical envelopes, put one rect, but Ron will know the true answer. We note that of their 2n random numbers in each envelope, and this problem can be corrected, but at the price of los- seal the envelopes. Ron and Moshe each arrange their ing efficiency and simplicity; the correction involves 2n envelopes in pairs so that each pair corresponds a more complicated scheme, which among other to one of the n bit positions. For each of his pairs, things executes this protocol k times. Ron assigns one envelope to correspond to the bit 0 and the other to the bit 1, and similarly for Moshe. Solution 13: Digital Envelopes We could imagine that Ron’s envelopes (and similarly The Envelopes solution can be implemented digi- Moshe’s) are arranged on the table in a 2 ϫ n rec- tally—and thus converted into a cryptographic pro- tangle, where the ith column corresponds to bit po- tocol. We briefly describe how. It is based on a prim- sition i, with the top envelope in the ith column rep- itive called “one-out-of-two oblivious transfer,” resenting the bit 0. suggested by Even, Goldreich, and Lempel [10], as a 0 1 0 1 0 Denote Ron’s pairs by (R1, R1), (R2, R2), . . . (Rn, generalization of Rabin’s “oblivious transfer” [15]; 1 0 1 0 1 Rn), and denote Moshe’s pairs by (M 1, M1), (M 2, M2), the notion was also developed independently by Wies- 0 1 n xi k . . . (Mn, Mn). Ron computes TR ϭ ⌺iϭ1 Ri mod 2 , ner in the 1970s, but not published until 1983 [19]. which is the sum of the random numbers corre- This primitive allows Ron to send two values R0, R1 to sponding to the bit values of his candidate. Similarly, Moshe so that Moshe can choose to receive either R0 n yi k 1 j Moshe computes TM ϭ ⌺iϭ1 M i mod 2 . or R . When Moshe chooses to receive R , he gets no Now Ron leaves the room. Moshe selects n en- knowledge about R1Ϫj. Ron gets no knowledge about velopes from Ron’s collection by choosing from the which R j Moshe chose. Given such a primitive, it is ith pair the one corresponding to the value of yi. The not hard to see how to implement Envelopes digitally. rest of the envelopes are put into a pile. Ron enters For each 1 Յ i Յ n, Ron sends to Moshe the values 0 1 the room and verifies that indeed Moshe has chosen Riand Ri in a one-out-of-two oblivious transfer. Moshe yi only n envelopes altogether. The unchosen envelopes chooses to receive R i . Moshe does the same with the j are destroyed. Moshe opens the envelopes he has Mi ’s. At the end, Ron has SR and Moshe has SM, which chosen and sums up their contents together with TM, they can compare—again, however, incurring the n yi k that is, computes SM ϭ TM ϩ ⌺iϭ1 R i mod 2 ϭ problem discussed at the end of Solution 12. n yi yi k ⌺iϭ1(M i ϩ R i ) mod 2 . Ron and Moshe exchange Following the execution of the protocol, Ron gains roles, carry out the same procedure with Moshe’s en- no additional knowledge as to Moshe’s value, and vice n xi velopes, and Ron computes SR ϭ TR ϩ ⌺iϭ1 Mi mod versa. k n xi xi k 2 ϭ ⌺iϭ1(Ri ϩ Mi ) mod 2 . (Note: bitwise “exclu- In order to implement oblivious transfer, one must sive or” may be used instead of sum in these calcula- assume that Ron and Moshe have computational tions.) power corresponding only to probabilistic polynomial Ron and Moshe end the protocol as follows: Ron time. That is, the computers at their disposal can be writes SR on a piece of paper, Moshe writes SM on a simulated by a Turing machine with a source of ran- piece of paper, and each gives the other his piece of dom bits, such that the running time of the Turing paper. If SR ϭ SM, they conclude that x ϭ y; otherwise, machine is bounded by some polynomial in the in- they conclude that x Þ y. put length. Furthermore, given the current state of It is not hard to verify the following: computational complexity theory, one must also make a “complexity theoretic” assumption. For in- • If Ron and Moshe follow the rules, and if x ϭ y, stance, implementations of one-out-of-two oblivious then SR ϭ SM, so Ron and Moshe conclude that x transfer exist, under the assumption that factoring a ϭ y. If x Þ y then SR Þ SM with probability random number of the form N ϭ PQ, where P and Q 1 Ϫ 2Ϫk, so with probability 1 Ϫ 2Ϫk, Ron and are primes, is hard. (See, for example, [4] for details Moshe conclude that x Þ y. of the implementation of oblivious transfer under • If the n envelopes that Moshe chose did not come such an assumption.) from exactly the positions defined by Ron’s bits Analysis x1,x2, . . . xn, then from Moshe’s viewpoint, SR is simply a random number selected uniformly from Most of the flaws in our solutions relative to our six the integers between 0 and 2k Ϫ 1. Thus, Moshe desired properties have probably already been spot- gains no information whatsoever from Ron’s num- ted by the reader. We take a brief excursion through ber SR. A similar statement applies for Ron with the properties, with comments. respect to Moshe’s number SM. Property 1: Resolution A problem with this scheme is that, for example, All of the solutions work when there is a match, as- Ron can learn whether x ϭ y but not give this infor- suming no local aberrations (e.g., in Message for

COMMUNICATIONS OF THE ACM May 1996/Vol. 39, No. 5 83 Moshe, the called party might untruthfully deny that suffer from possible collusions between Ron or Moshe a message was left for Moshe, and many of the solu- and Josephine; this is perhaps a more critical problem tions rely on agreement between Ron and Moshe con- than privacy in such solutions. Particularly weak— cerning the spelling of candidates’ names). Three of when Ron or Moshe can be tempted by the devil—are the solutions are capable of producing a false posi- Message for Moshe, Airline Reservation, and Pass- tive: Deck of Cards falls victim to accidental anagrams, word; all three allow one of the parties surreptitiously and Envelopes and Digital Envelopes admit a small to try several candidates. Computer Program permits probability of ruination by numerical coincidence. fake programs (so does Password), and Special-Pur- pose Device can fall victim to a phony device. Property 2: Leakage One particular method of cheating is for one of Since we make no assumption about computational the participants to halt the protocol prematurely af- power in any of the solutions except Digital En- ter learning what he needs to know—called the “walk- velopes, we can make the strong but simple require- away problem.” For example, in the first version of ment that what Ron or Moshe sees as a result of the Password, Moshe could obtain the answer without protocol (part of whose outcome is typically random) sharing it with Ron. This situation, of course, exposes is independent of the other’s complainer, assuming the deserter as a cheater, but at times there may be the complainers are different. This critical require- excuses, such as “The line went down.” This problem ment is fully achieved in all the solutions except Deck does not have a completely satisfactory solution, but of Cards, which involves a small possibility that no red it is possible to limit the advantage of the deserter card appears until the last few cards of the deck have (see, e.g., [2, 8, 10, 16]). been examined; then Ron and Moshe would be able to conclude that their complainers’ names contain Property 5: Simplicity similar sets of letters. Admittedly, some of our proposals are out of hand; In the Digital Envelopes solution, we assume a lim- Permutation Composition and perhaps Envelopes are itation on the computational power of Ron and too complex for realistic consideration. Special-Pur- Moshe. In this case, we must define what we mean by pose Device, of course, is not practical until such a the statement “Ron and Moshe gain no knowledge device is available. Computer Program and Password about each other’s value, except whether or not they require computers, and the third-party solutions re- are equal,” since Ron and Moshe each gain an en- quire Josephine, who certainly needs to be coopera- crypted version of the other party’s value. This state- tive if not trustworthy. ment can be made rigorous, as we now sketch. We Among the simplest solutions to execute, Cups consider the “ideal” solution—in terms of the infor- stands out when the list of candidates is known and mation transferred to the other party—to be Solution small. Otherwise, Airline Reservation and Deck of 1 (Josephine), where the trusted person Josephine Cards are effective, the latter being better when there simply announces the result. Therefore, what Ron is more time but less trust. We suspect, though, that (and similarly Moshe) desire from a protocol is that readers of this article will often find that Password re- Moshe’s knowledge after executing the cryptographic quires the least time and preparation. protocol would not be greater than after executing Solution 1. The idea is that no machine operating in Property 6: Remoteness probabilistic polynomial time should be able to dis- All the solutions using a trusted Josephine enjoy Prop- tinguish the results of the cryptographic protocol erty 6, that is, they do not require all parties to be from the results of Solution 1. The definition of the present at the same location. Airline Reservation and security of such protocols and the design of protocols Password (except with Plagne’s variation) can also be meeting these requirements have been the subject of operated remotely. However, if we want a solution intensive investigations in cryptography. A very ac- where Ron and Moshe are not tempted to gain more cessible introduction to such “zero-knowledge” pro- information but a physical solution is impossible, we tocols is given in [12]. must use a cryptographic solution. In fact, if all Ron and Moshe do is exchange messages between them, Property 3: Privacy then Chor and Kushilevitz [7] show that cryptogra- Of the solutions involving a trusted Josephine, only phy is necessary, and Kilian [14] shows that the use Permutation Composition gives nothing away to of oblivious transfer is necessary. The Digital En- Josephine; Random Permutation reveals the resolu- velopes solution seems to be the one that can be im- tion, and Random Rotation also provides Josephine plemented with the least cost (in programming effort with information about the complainers when they are and execution time). different. In Solution 1 (Josephine), all is revealed. Punch Line Property 4: Security Which of these wonderful solutions did Ron and The issue of cheating in our protocols is quite com- Moshe actually implement? The answer: None of plex. The solutions involving a trusted Josephine all them. We now describe the solution they used.

84 May 1996/Vol. 39, No. 5 COMMUNICATIONS OF THE ACM 5. Carter, J.L., and Wegman, M.N. Universal classes of hash func- Solution 14: Real Life tions. J. Comput. Syst. Sci. 18 (1979), 143–154. The first author, R. Fagin, brought up the problem 6. Chaum D., Crépeau C., and Damgård I. Multiparty uncondi- at dinner to his family. He explained that Bob had tionally secure protocols. In Proceedings of the 20th ACM Sympo- sium on Theory of Computing (Chicago, 1988), pp. 11–19. complained to him and that he was trying to decide 7. Chor, B., and Kushilevitz, E. A zero-one law for Boolean privacy. if Bob is the person who complained to Moshe. His SIAM J. Discr. Math. 4 (1991), 36–47. then-13-year-old son, Josh Fagin, said, “Why not just 8. Cleve, R. Controlled Gradual Disclosure Schemes for Random Bits and ask Bob whether he complained to Moshe?” Because Their Applications, Advances in Cryptology, Crypto ’89, Lecture Notes in Computer Science, Vol. 435, Springer-Verlag, New of its simplicity, this was in fact the solution that Ron York 1987, pp. 573–587. and Moshe actually implemented. Of course, this so- 9. Crépeau, C., and Kilian, J. Discreet Solitary Games, Advances in lution depends on the fact that the value Ron and Cryptology, Crypto ’93, Lecture Notes in Computer Science, Moshe are trying to compare is actually the name of Vol. 773, Springer-Verlag, New York, 1994, pp. 319–330. a person they can communicate with, rather than sim- 10. Even, S., Goldreich, O., and Lempel, A. A randomized protocol for signing contracts. Commun. ACM 28 (1985), 637–647. ply a number. It also depends on the fact that Ron 11. Feige, U., Kilian, J., and Naor, M. On minimal models for knew that Bob wouldn’t mind being asked (in fact, secure computation. In Proceedings of the 26th ACM Symposium on Bob was quite amused, and probably pleased at the Theory of Computing (Montréal, 1994), pp. 554–563. lengths Ron went to in order to protect his confi- 12. Goldreich, O. Randomness, interactive proofs, and zero-knowledge—A survey. In The Universal Turing Machine: A Half Century dentiality). As a humorous twist, showing how even Survey, R. Herken, ed., Oxford University Press, 1988, pp. 377–405. the best solutions can go astray in the real world, it 13. Goldreich, O., Micali, M., and Wigderson, A. How to play any turned out that Bob did not remember whether he mental game. In Proceedings of the 19th ACM Symposium on Theo- had complained to Moshe. Upon further reflection, ry of Computing (New York, 1987), pp. 218–229. Bob decided that he probably had, and Bob and Ron 14. Kilian, J. Use of Randomness in Algorithms and Protocols. MIT Press, Cambridge, Mass., 1990. agreed dynamically on a modification of the proto- 15. Rabin, M.O. How to exchange secrets by oblivious transfer, col: Bob asked Moshe if he (Bob) had complained to Tech. Memo TR-81, Aiken Computation Laboratory, Harvard Moshe. It turned out that Bob was indeed the person University, 1981. who had complained to Moshe. 16. Rabin, M.O. Transaction protection by beacons. J. Computer Syst. Sci. 27 (1983), 256–267. 17. Shamir, A., Rivest, R., and Adleman, L. Mental poker. In The Acknowledgments Mathematical Gardener, D. Klarner, ed. Wadsworth Internation- All three authors found that the cryptographic solu- al, 1981, pp. 37–43. tions in the literature were not necessarily the best 18. Wegman, M.N., and Carter, J.L. New hash functions and their for the situation at hand. Suggestions for solutions use in authentication and set equality. J. Comput. Syst. Sci. 22 (1981), 265–279. were solicited from colleagues, primarily at the IBM 19. Wiesner, S. Conjugate coding. SIGACT News 15 (1983), 78–88. Almaden Research Center and at the 22nd ACM Sym- 20. Yao, A.C. Protocols for secure computations. In Proceedings of the posium on Theory of Computing held in St. Louis, 23rd IEEE Symposium on Foundations of Computer Science (Chica- May 1990. Those who shared their thoughts with us, go, 1982), 160–164. 21. Yao, A.C. How to generate and exchange secrets. In Proceedings include Richard Cleve, Tomás Feder, Steven Rudich, of the 27th IEEE Symposium on Foundations of Computer Science David Shmoys, and Moti Yung. We thank Cynthia (Toronto, 1986), pp. 162–167. Dwork, Joseph(ine) Halpern, and Moshe Vardi for comments on a draft of this article. About the Authors: Naor’s research is supported by an Alon Fellowship RONALD FAGIN is manager of the Foundations of Computer Sci- ence group at the IBM Almaden Research Center in San Jose, CA. and a grant from the Israel Science Foundation ad- Author’s Present Address: Dept. K53-B2, IBM Research, Almaden ministered by the Israeli Academy of Sciences. Most Research Center, 650 Harry Road, San Jose, CA 95120-6099; email: of this work was done while he was at the IBM Al- fagin@almaden.ibm.com maden Research Center. Most of Winkler’s work on C MONI NAOR is the incumbent of the Morris and Rose Goldman this article was done while he was at Bellcore. Career Development Chair in the Department of Applied Math and Computer Science at the Weizmann Institute of Science. Author’s Present Address: Dept. of Applied Math and Computer Ron and Moshe are, in real life, Ron Fagin and Moshe Vardi. Science, Weizmann Institute of Science, Rehovot 76100, Israel; email: [email protected] References 1. Barrington, D.A. Bounded-width polynomial-sized branching 1 PETER WINKLER is a member of technical staff in the Mathe- programs recognize exactly those languages in NC , J. Comput- matical Sciences Research Center of Bell Laboratories. Author’s er Syst. Sci. 38 (1988), 150–164. Present Address: Bell Laboratories, 2D-147, 600 Mountain Avenue, 2. Ben-Or, M., Goldreich, O., Micali, S., and Rivest, R. A fair proto- Murray Hill, NJ 07974-0636; email: [email protected] col for contract signing, IEEE Trans. Inf. Theory 36 (1990), 40–46. 3. Ben-Or, M., Goldwasser, S., and Wigderson, A. Completeness Permission to make digital/hard copy of part or all of this work for personal theorems for non-cryptographic fault-tolerated distributed or classroom use is granted without fee provided that copies are not made or computation. In Proceedings of 20th ACM Symposium on Theory of distributed for profit or commercial advantage, the copyright notice, the title Computing (Chicago, 1988), pp. 1–10. of the publication and its date appear, and notice is given that copying is by 4. Brassard, G, Crépeau, C., and Robert, J.-M. All-or-Nothing Dis- permission of ACM, Inc. To copy otherwise, to republish, to post on servers, closure of Secrets, Advances in Cryptology, Crypto ’86, Lecture or to redistribute to lists requires prior specific permission and/or a fee. Notes in Computer Science, Vol. 263, Springer-Verlag, New York, 1987, pp. 234–238. © ACM 0002-0782/96/0500 $3.50

COMMUNICATIONS OF THE ACM May 1996/Vol. 39, No. 5 85