The present disclosure relates to a fast secure multiparty comparison approach optimized for common computing architectures.
The comparison of two numbers is a fundamental step in many computations. For example, comparison functions can be used to compute the weights in the network where f(x)=x if x is positive and equals 0 otherwise. In particular, x can be compared to 0. As another example, both in training and evaluation, decision trees use comparisons to determine which features of the data are most relevant (e.g., provide the most information gain), and evaluate which path in the decision tree should be followed for input data.
The comparison of two numbers becomes more complicated when the numbers are encrypted, or when each of the numbers is “split” across multiple parties so that no single party can see the numbers, but collectively the parties “share” the numbers—e.g., as the sum of their shares of the numbers.
The following presents a simplified summary relating to one or more aspects disclosed herein. Thus, the following summary should not be considered an extensive overview relating to all contemplated aspects, nor should the following summary be considered to identify key or critical elements relating to all contemplated aspects or to delineate the scope associated with any particular aspect. Accordingly, the following summary has the sole purpose to present certain concepts relating to one or more aspects relating to the mechanisms disclosed herein in a simplified form to precede the detailed description presented below.
A method of comparing a first number Abit with a second number Bbit, the method comprising: receiving, from a first computing device associated with the first number Abit, a share a1bit and a share b1bit; receiving, from a second computing device associated with the second number Bbit, a share a2bit and a share b2bit, wherein the first number Abit=a1bit+a2bit mod 264 and wherein the second number Bbit=b1bit+b2bit mod 264, and wherein the first number Abit=a1bit XOR a2bit and wherein the second number Bbit=b1bit XOR b2bit, wherein XOR comprises an XOR function that applies addition modulo 2 to corresponding pairs of bits of two strings; and comparing, via a comparison function that compares numbers as modulo 264, the first number Abit and the second number Bbit to generate a shared output bit indicating which number is larger.
A system for comparing a first number Abit with a second number Bbit, the system comprising: one or more processors; and one or more computer-readable memories storing instructions which, when executed by the one or more processors, cause the one or more processors to be configured to: receive, from a second computing device associated with the second number Bbit, a share a2bit and a share b2bit, wherein the first number Abit=a1bit+a2bit mod 264 and wherein the second number Bbit=b1bit+b2bit mod 264, and wherein the first number Abit=a1bit XOR a2bit and wherein the second number Bbit=b1bit XOR b2bit, wherein XOR comprises an XOR function that applies addition modulo 2 to corresponding pairs of bits of two strings; and compare, via a comparison function that compares numbers as modulo 264, the first number Abit and the second number Bbit to generate a shared output bit indicating which number is larger.
Other objects and advantages associated with the aspects disclosed herein will be apparent to those skilled in the art based on the accompanying drawings and detailed description. This summary is not intended to identify key or essential features of the claimed subject matter, nor is it intended to be used in isolation to determine the scope of the claimed subject matter. The subject matter should be understood by reference to appropriate portions of the entire specification of this patent, any or all drawings, and each claim.
The foregoing, together with other features and aspects, will become more apparent upon referring to the following specification, claims, and accompanying drawings.
The accompanying drawings are presented to aid in the description of various aspects of the disclosure and are provided solely for illustration of the aspects and not limitation thereof.
Certain aspects of this disclosure are provided below for illustration purposes. Alternate aspects may be devised without departing from the scope of the disclosure. Additionally, well-known elements of the disclosure will not be described in detail or will be omitted so as not to obscure the relevant details of the disclosure. Some of the aspects described herein may be applied independently and some of them may be applied in combination as would be apparent to those of skill in the art. In the following description, for the purposes of explanation, specific details are set forth in order to provide a thorough understanding of aspects of the application. However, it will be apparent that various aspects may be practiced without these specific details. The figures and description are not intended to be restrictive.
The ensuing description provides example aspects only, and is not intended to limit the scope, applicability, or configuration of the disclosure. Rather, the ensuing description of the example aspects will provide those skilled in the art with an enabling description for implementing an example aspect. It should be understood that various changes may be made in the function and arrangement of elements without departing from the scope of the application as set forth in the appended claims.
As noted above, the comparison of two numbers fundamental to many operations. For example, neural networks often apply the ReLU function (rectified linear unit) to compute the weights in the network where ReLU(x)=x if x is positive and equals 0 otherwise. Decision trees use comparisons to determine which features of the data are most relevant (e.g., provide the most information gain), and evaluate which path in the decision tree should be followed for input data.
Note that the “system” as disclosed herein can include a single computing device as in the computing system 300 shown in
The equalities disclosed may hold modulo some number. For example, the equation A=a1+a2, mod 264 means that A−(a1+a2) is a multiple of 264. This disclosure may not always refer to the modulus explicitly, and it is understood that it need not always be 264. The purpose of “sharing” a number across several parties in this way is so that no single party learns the number. In fact, the numbers a1, b1, a2, b2 can be chosen randomly so that, from Alice's perspective, Alice's shares a1, b1 are numbers that appear completely random and independent (modulo 264 for example) from the numbers A and B, and therefore Alice's shares convey absolutely no information about A and B. Bob's shares, from his perspective, similarly appear to the random and independent. Of course, someone who views all of the shares a1, b1, a2, b2 can see that they correspond to A and B (by the equations above), but Alice 106 and Bob 110 in isolation each see only half of the shares, which (in isolation) appear completely independent of A and B.
Despite the fact that each party holds shares that appear—to each party in isolation—to be random and independent, the approach is to enable the parties to compare their shared numbers A and B. The innovation described here is an especially efficient secure multiparty computation (SMPC) method for determining which number is larger without revealing anything at all about these numbers, besides the result of the comparison. Even the final result of the comparison need not be revealed but can be held as a value “split” or “shared” among the parties of the comparison protocol.
In some aspects, this disclosure addresses the case where A and B are two numbers that fit in 64-bit words. Specifically, each number is mapped modulo 264 into the range [−263, 263−1]. The case is addressed where A and B are each shared between Alice and Bob as shown in
The approach has two main components. The first component is a protocol, called COMPARE-Z. The COMPARE-Z protocol takes as input two 64-bit shares a1bit, b1bit held by Alice 106 and two 64-bit shares Abit=a1bit XOR a2bit and Bbit=b1bit XOR b2bit, where XOR is the XOR function that applies addition modulo 2 to the corresponding pairs of bits of two strings. Notice that it is preferred that the values Abit and Bbit are shared bit-by-bit via XOR instead of modulo 264.
The protocol COMPARE-Z will output a shared bit indicating the result of the comparison. That is, interpreting the 64-bit strings Abit and Bbit as numbers modulo 264, the shared output bit will indicate which numbers is larger. The innovation here is the extreme efficiency of the disclosed approach, which includes two features: (1) a very simple, natural, and minimally-complex multivariate polynomial is used to represent the comparison function in terms of the individual bits of Abit and Bbit, and (2) the approach evaluates the polynomial using a recursive approach that takes advantage of fast in-built 64-bit processor instructions such as XOR, AND, and shift. Moreover, the recursive approach allows more and more intermediate results of the comparisons to be compressed together into a 64-bit word as the recursive protocol progresses, which reduces the overall complexity of the computation. Note that all of these optimizations work despite the fact that the numbers are shared. The second component of the disclosed approach is an almost cost-free reduction of our initial problem—comparing A and B when Alice 106 and Bob 110 hold shares of them modulo 264—to the problem solved by COMPARE-Z—comparing Abit and Bbit when Alice 106 and Bob 110 hold them as 64 shares modulo 2.
This component adjusts the result of COMPARE-Z based on the topmost bit of the shares held by Alice 106 and Bob 110.
Comparing two 64-Bit numbers that are shared bit-wise first using the COMPARE-Z component of the comparison protocol is discussed next. Suppose there are two 64-bit strings Abit and Bbit. The system will determine whether Abit≥Bbit when these 64-bit strings are interpreted as integers in the range [−263, 263−1]. One can write out the binary representation of these numbers: Abit=A63bit, . . . , A0bit and Bbit=B63bit, . . . , B0bit. Suppose that these are numbers in the range [0, 264−1]. Note that the system only needs to make slight adjustments for the range [−263, 263−1]. Then, the result is that Abit>Bbit if and only if Aibit>Bibit where i is the index of the most significant bit at which Abit and Bbit differ.
One can express this condition as a polynomial as follows: COMPARE-Z(Abit, Bbit)=y63+x63 y62+x63 x62 y61+ . . . x63 . . . x1 y0. Consider why the formula is correct. Notice that, for any i, it is impossible for both yii and xi to be nonzero when Aibit, Bibit∈{0, 1}. Therefore, at most, one of the monomials in the above polynomial can be nonzero. If, for example x63 x62 . . . x(i+1)yi is nonzero, it indicates that Abit and Bbit have the same most significant bits, until the i-bit where Aibit=1 and Bibit=0, in which case A>B. The various monomials in the polynomial above partition the possible positions where Aibit and Bibit begin to differ, and overall the polynomial computes the comparison function correctly. This is in fact the minimally-complex that takes the binary representations of two numbers as input and outputs the result of their comparison.
Moreover, the polynomial above can be computed very quickly using a recursive approach. Specifically, one can define the following two polynomials: pn(x(n−1), . . . , x0, y(n−1), . . . , y0)=y(n−1)+x(n−1) y(n−2)+x(n−1) x(n−2) y(n−3)+ . . . +x(n−1) . . . x1 y0 qn(x(n−1), . . . , x0, y(n−1), . . . , y0)=x(n−1) x(n−2) . . . x1 x0. In particular, pn is precisely the comparison function, as explained above, and qn can be simply the product of the bits in x. Observe that pn(x(n−1), . . . , x0, y(n−1), . . . , y0)=p(n/2) (x(n−1), . . . , x(n/2), y(n−1), . . . , y(n/2))+q(n/2)(x(n−1), . . . , x(n/2), y(n−1), . . . , y(n/2))·p(n/2)(x(n/2−1), . . . , x0, y(n/2−1), . . . , y0) qn(x(n−1), . . . , x0, y(n−1), . . . , y0)=q(n/2)(x(n−1), . . . , x(n/2), y(n−1), . . . , y(n/2))+·q(n/2)(x(n/2−1), . . . , x0, y(n/2−1), . . . , y0). A recursive module or engine for example implemented as a computing device or software programmed to control a processor to perform a recursive approach to computing the data can be implemented.
That is, one can decompose the computation of pn and qn in terms of computations of p(n/2) and q(n/2) over the most significant half of the bits and the least significant half. For example, when n=64, the computation of p64 and q64 decomposes as two computations each of p32 and q32 which are then combined through addition and/or multiplication to obtain the final results. Each computation of p32 and q32, in turn, decomposes into two computations of p16 and q16 (and then an aggregation step), and so on, until at the “bottom” of the recursion process one can run 32 instances of p2 and q2 that compute y(2i+1)+x(2i−1)y2i and x(2i+1)·x2i for all i∈[0, 31]. While 32 instances of p2 and q2 may initially sound expensive, one can batch them—that is, compute them simultaneously in a SIMD (single instructions, multiple data) fashion—in a small number of operations on 64-bit words. Computer processors 304 typically use a 64-bit architecture, and come up equipped with fast instructions, such as taking the XOR of two 64-bit words, taking their AND (multiplying each pair of corresponding bits from two 64-bit words and putting the result in another 64-bit word) and shift (which can shift the bits in a word left or right).
This disclosure exploits these fast instructions to make the above computations in a SIMD fashion wherein the computations are fast and in parallel. Specifically, the processor 304 can compute q2(x(2i+1), y2i, y(2i+1), y2i) for all i∈[0, 31] simultaneously by computing x(2):=x AND shiftright1(x)—that is, the system apply the 64-bit AND operation to x and the string x shifted right by 1 position, so that the bit in the ith position of x is in the (i−1)th position of shiftright1(x). Now bit positions 2i of x(2) for i∈[0, 31] hold the value x(2i+1)x2i. Next, to compute q4(x(2i+3), . . . , x2i, y(2i+3), . . . , y2i)) for all i∈[0, 15], the system sets x(4):=x(2) AND shiftright2(x(2)). Now bit positions 4i for i∈[0, 15] hold the value x(4i+3) . . . x4i. The system can stop this process when it has computed x(32). Altogether, the system needs only five fast instructions on 64-bit words to compute all of the outputs of the q polynomials that are needed in the computation. The system computes the outputs of p polynomials similarly. Because the outputs of the p polynomials are always in {0, 1}, it suffices to compute the results modulo 2, and therefore the system can replace the + operations in the p polynomials with XOR operations.
In the 0-th step of the recursion, the system starts with x(1)=x and y(1)=y. In the k-th step in the recursion, the system starts with x(2
y
(2
):=shiftright2k−1(y(2
For 64-bit words, the system needs to obtain the final result of the comparison as y(2
In sum, the C
Additional optimizations to Compare-Z are discussed next, including a compression concept. Recall that, after k steps of the recursion in C
Suppose one wishes to do many comparisons of 64-bit numbers, not just a single comparison. For example, suppose the system has two pairs of numbers—A(0) and B(0), A(1) and B(1)—and one wants to compute both C
But one can pack even more data into the process. After the system merges the q2 results as described above, and then performs the comparisons, one again is using only half of the bits of each resulting word. So, the system can merge again. Assuming one is trying to evaluate at least four comparisons, the system merges the first and second pairs of comparisons after computing their q2 values, and the system merges the merged results into a single word after computing the q4 results. Then, again, the system can continue the result of the recursion as before, where the final comparison results would end up in position 0, . . . , 3.
Furthermore, the system can continue to merge. Assuming the system is performing at least 64 comparisons, the system can merge results after each step in the recursion so that eventually the results of all 64 comparisons end up in a single word. This approach reduces both memory and computation as the recursion progresses.
Next is discussed alternative compression and pipelining concepts. The compression approach above reduces memory usage by half for each step of the recursion. If there is a fixed amount of memory, and one would like to pipe many comparisons through that memory so as to maximize throughput. The following describes another approach to compression.
The invariant that the system can maintain in this approach is that, at the beginning of a step, a single 64-bit word will hold results associated with six different comparisons, where (roughly speaking) the six comparisons are at six different steps in their recursive computation. One can focus on the first on the word that holds the results of the q polynomials (the x monomials) associated with the six comparisons (the word for the p polynomials is analogous). Specifically, in word w:
First, the system saves the result in position 1 elsewhere. Next, the system computes w′:=w AND shiftright1(w). Positions 2i of w′ now contain the information one would like to keep. Next, the system constructs w″ by moving the bit at position 2i to position i, so that this information is in positions [0, 31]. Finally, the system moves the 32 least significant bits associated with a new comparison (comparison 7) into positions [32, 63]. At the end, the system has a new w′″ where the invariant has been maintained, except now the results are associated with comparisons 2 through 7 rather than 1 through 6. One can do something similar with the p polynomials. In particular, the system uses the above approach twice, once for the 32 least significant bits of the y values associated with a comparison, and once for the 32 most significant bits. The final results of the comparisons are obtained from the bits that come “off the assembly line” from position 1, and these final computations can be batched as well. The advantage of this approach is that it fully employs a constant amount of memory as comparisons are piped through, and also fully employs the parallel computation capability of the system.
While Beaver triples are mentioned above, there are variations to using Beaver triples that can be used as well. A modified approach to Beaver triples can be used to reduce the amount of communication, and can even reduce the number of rounds, involved in the comparison protocol.
Suppose A and B are two 64-bit integers in the range [−262+1, 262−1]. Assume further that one has mod-264 sharings of these numbers between two parties Alice 106 and Bob 110—that is, Alice 106 holds a1, b1∈[−263, 263−1] and Bob 110 holds a2, b2∈[−263, 263−1] such that A=a1+a2 mod 264 and B=b1+b2 mod 264. They now want to run a SMPC protocol to determine whether A>B, using C
In this approach, roughly speaking, the system will compute (sharings of) D=A−B and check whether D>0:
k
i
=s
i(263−1)+di
[r]=C
The correctness of the reduction is discussed next. Recall some facts from above that can be used to prove correctness:
To prove correctness, one can consider the various cases of d1 and d2 being negative or positive.
Case 1: d1 and d2 have the same sign Suppose d1 and d2 are both ≥0 or both <0. In this case, d1−d2 is already in the range [−263, 263−1] without any reduction modulo 264. That is, D=d1−d2 over . So:
Notice that some of these equalities underlying correctness rely on the numbers not overflowing the interval [−263, 263−1]. For example, in the second case above, one can establish that d1<0 and d2<0 and both are in [−263, 263−1]. In that case k1=d1+263−1, k2=d2+263−11 are also both in [−263, 263−1]. If one had added 263−1 to d1 and d2 and the result of one addition overflowed (was bigger than 263−1, necessitating subtracting 264 to get it back in the proper range) while the other addition did not overflow, then comparing the two resulting numbers over the integers would give a different result than comparing the original numbers d1, d2,—leading to incorrectness.
Case 2: d1≥0 and d2<0
One can have s1=0, s2=1, k1=d1, k2=d2+263−1, and
result=1+C
Case 3: d1<0 and d2≥0
One can have s1=1, s2=0, k1=d1+263−1, k2=d2, and
result=1+C
The use of a multiparty protocol is described next. Above is described in detail how C
Let A=a1+ . . . +an mod 264 and B=b1+ . . . +bn mod 264+where party Pi holds shares (ai, bi). Let D=A−B, as before. The approach consists of two parts:
Step 1 includes several features. If each party Pi simply secret-shared its shares ai, bi—that is, it XOR-shared ai and bi among the n parties—then the n parties would have bit-wise sharings of 2n numbers—namely, ai, . . . , an, −b1, . . . , −bn—whose sum is D modulo 264. The problem now is to reduce the number of numbers in the sum from 2n to 2.
To solve this problem, the system can use the so-called 3-for-2 trick. The 3-for-2 trick takes 3 numbers in binary representations—for example, r=(rk, . . . , r0), s=(sk, . . . , s0), t=(tk, . . . , t0).—and outputs 2 numbers in binary representation that have the same sum as the original three numbers. Specifically, the first number is simply the XOR of the three numbers: u=r XOR s XOR t. The second number holds all of the “carry” bits from the addition of the three numbers: v=shiftleft1(v′) where v′=(r AND s) XOR (r AND t) XOR (s AND t). It can be verified that the numbers represented by u, v have the same sum as the numbers represented by r, s, t. Each application of the 3-for-2 trick reduces the number of numbers by 1, so 2n−2 applications of the trick are needed to reduce the number of numbers from 2n to 2.
Observe that many triples can be reduced to doubles in parallel. Also, observe that one can reduce communication significantly by not first n-wise sharing the initial values. Rather, for example, small sub-groups of parties can share within the sub-group and each subgroup separately can work to reduce the number of numbers that they are sharing. Once the small subgroups have reduced their number of numbers, they can cross-share with another group (or groups). This merging temporarily increases the number of numbers that are being shared in the group. But they work again to reduce the number of numbers. And so on, until the entire group is sharing only two numbers.
In some aspects, the first number Abit can include a first 64-bit word and the second number Bbit comprises a second 64-bit word. The share a1bit is in a 64-bit format and the share b1bit is in the 64-bit format.
The XOR function can compare a1bit with a2bit and b1bit with b2bit on a bit-by-bit basis and not under modulo 264. In another aspect, the comparison function can be represented as a multivariate polynomial in terms of individual bits of Abit and Bbit. The comparison function in such a case applies a recursive approach to evaluate the multivariate polynomial.
In some aspects, the comparing, via the comparison function that compares numbers as modulo 264, the first number Abit and the second number Bbit to generate the shared output bit indicating which number is larger occurs on each of the first computing device and the second computing device (e.g., the first computing device 106 and the second computing device 110).
In some aspects, the comparison function can apply a Beaver triples technique that converts a circuit of additions and multiplications into a secure multi-party computation protocol that evaluates the circuit securely. The Beaver triples technique in one example uses three 64-bit strings R, S, T such that T−R AND S. The triples R, S and T can be equivalent to 64 Beaver triples over a field GF(2).
In other aspects, the comparing can be performed using pre-prepared Beaver triples and the first computing device and the second computing device use secure multi-party computation operations for each XOR and AND gate of the comparison function. The comparison function can be implemented as a recursively computed comparison circuit.
In some aspects, a system (e.g., the computing device 300 and/or a combination of the first computing device 106 and the second computing device 110) for comparing a first number Abit with a second number Bbit. The system includes one or more processors and one or more computer-readable memories storing instructions. When the instructions are executed by the one or more processors, the instructions cause the one or more processors to be configured to: receive, from a first computing device associated with the first number Abit, a share a1bit and a share b1bit; receive, from a second computing device associated with the second number Bbit, a share a2bit and a share b2bit, wherein the first number Abit=a1bit+a2bit mod 264 and wherein the second number Bbit=b1bit+b2bit mod 264, and wherein the first number Abit=a1bit XOR a2bit and wherein the second number Bbit=b1bit XOR b2bit, wherein XOR comprises an XOR function that applies addition modulo 2 to corresponding pairs of bits of two strings; and compare, via a comparison function that compares numbers as modulo 264, the first number Abit and the second number Bbit to generate a shared output bit indicating which number is larger.
In some aspects, the first number Abit can include a first 64-bit word and the second number Bbit comprises a second 64-bit word. The share a1bit is in a 64-bit format and the share b1bit is in the 64-bit format.
The XOR function can compare a1bit with a2bit and b1bit with b2bit on a bit-by-bit basis and not under modulo 264. In another aspect, the comparison function can be represented as a multivariate polynomial in terms of individual bits of Abit and Bbit. The comparison function in such a case applies a recursive approach to evaluate the multivariate polynomial.
In some aspects, the comparing, via the comparison function that compares numbers as modulo 264, the first number Abit and the second number Bbit to generate the shared output bit indicating which number is larger occurs on each of the first computing device and the second computing device (e.g., the first computing device 106 and the second computing device 110).
In some aspects, the comparison function can apply a Beaver triples technique that converts a circuit of additions and multiplications into a secure multi-party computation protocol that evaluates the circuit securely. The Beaver triples technique in one example uses three 64-bit strings R, S, T such that T−R AND S. The triples R, S and T can be equivalent to 64 Beaver triples over a field GF(2).
In other aspects, the comparing can be performed using pre-prepared Beaver triples and the first computing device and the second computing device use secure multi-party computation operations for each XOR and AND gate of the comparison function. The comparison function can be implemented as a recursively computed comparison circuit.
In some embodiments, computing system 300 is a distributed system in which the functions described in this disclosure can be distributed within a datacenter, multiple data centers, a peer network, etc. In some embodiments, one or more of the described system components represents many such components each performing some or all of the function for which the component is described. In some embodiments, the components can be physical or virtual devices.
Example computing system 300 includes at least one processing unit (CPU or processor) 304 and connection 302 that couples various system components including system memory 308, such as read-only memory (ROM) 310 and random access memory (RAM) 312 to processor 304. Computing system 300 can include a cache of high-speed memory 306 connected directly with, in close proximity to, or integrated as part of processor 304.
Processor 304 can include any general purpose processor and a hardware service or software service, such as services 316, 318, and 320 stored in storage device 314, configured to control processor 304 as well as a special-purpose processor where software instructions are incorporated into the actual processor design. Processor 304 may essentially be a completely self-contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc. A multi-core processor may be symmetric or asymmetric.
To enable user interaction, computing system 300 includes an input device 326, which can represent any number of input mechanisms, such as a microphone for speech, a touch-sensitive screen for gesture or graphical input, keyboard, mouse, motion input, speech, etc. Computing system 300 can also include output device 322, which can be one or more of a number of output mechanisms known to those of skill in the art. In some instances, multimodal systems can enable a user to provide multiple types of input/output to communicate with computing system 300. Computing system 300 can include communication interface 324, which can generally govern and manage the user input and system output. There is no restriction on operating on any particular hardware arrangement, and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed.
Storage device 314 can be a non-volatile memory device and can be a hard disk or other types of computer readable media which can store data that are accessible by a computer, such as magnetic cassettes, flash memory cards, solid state memory devices, digital versatile disks, cartridges, random access memories (RAMs), read-only memory (ROM), and/or some combination of these devices.
The storage device 314 can include software services, servers, services, etc., that when the code that defines such software is executed by the processor 304, it causes the system to perform a function. In some embodiments, a hardware service that performs a particular function can include the software component stored in a computer-readable medium in connection with the necessary hardware components, such as processor 304, connection 302, output device 322, etc., to carry out the function.
For clarity of explanation, in some instances, the present technology may be presented as including individual functional blocks including functional blocks comprising devices, device components, steps or routines in a method embodied in software, or combinations of hardware and software.
Any of the steps, operations, functions, or processes described herein may be performed or implemented by a combination of hardware and software services or services, alone or in combination with other devices. In some embodiments, a service is a program or a collection of programs that carry out a specific function. In some embodiments, a service can be considered a server. The memory can be a non-transitory computer-readable medium.
In some embodiments, the computer-readable storage devices, mediums, and memories can include a cable or wireless signal containing a bit stream and the like. However, when mentioned, non-transitory computer-readable storage media expressly exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.
Methods according to the above-described examples can be implemented using computer-executable instructions that are stored or otherwise available from computer-readable media. Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network. The executable computer instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, solid-state memory devices, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.
Devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include servers, laptops, smartphones, small form factor personal computers, personal digital assistants, and so on. The functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.
The instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures.
Clauses associated with this description include:
Clause 1. A method of comparing a first number Abit with a second number Bbit, the method comprising: receiving, from a first computing device associated with the first number Abit, a share a1bit and a share b1bit; receiving, from a second computing device associated with the second number Bbit, a share a2bit and a share b2bit, wherein the first number Abit=a1bit+a2bit mod 264 and wherein the second number Bbit=b1bit+b2bit mod 264, and wherein the first number Abit=a1bit XOR a2bit and wherein the second number Bbit=b1bit XOR b2bit, wherein XOR comprises an XOR function that applies addition modulo 2 to corresponding pairs of bits of two strings; and comparing, via a comparison function that compares numbers as modulo 264, the first number Abit and the second number Bbit to generate a shared output bit indicating which number is larger.
Clause 2. The method of clause 1, wherein the first number Abit comprises a first 64-bit word and the second number Bbit comprises a second 64-bit word.
Clause 3. The method of any previous clause, wherein the share a1bit is in a 64-bit format and the share b1bit is in the 64-bit format.
Clause 4. The method of any previous clause, wherein the XOR function compares a1bit with a2bit and b1bit with b2bit on a bit-by-bit basis and not under modulo 264.
Clause 5. The method of any previous clause, wherein the comparison function is represented as a multivariate polynomial in terms of individual bits of Abit and Bbit.
Clause 6. The method of any previous clause, wherein the comparison function applies a recursive approach to evaluate the multivariate polynomial.
Clause 7. The method of any previous clause, wherein the comparing, via comparison function that compares numbers as modulo 264, the first number Abit and the second number Bbit to generate the shared output bit indicating which number is larger occurs on each of the first computing device and the second computing device.
Clause 8. The method of any previous clause, wherein the comparison function applies a Beaver triples technique that converts a circuit of additions and multiplications into a secure multi-party computation protocol that evaluates the circuit securely.
Clause 9. The method of any previous clause, wherein the Beaver triples technique uses three 64-bit strings R, S, T such that T−R AND S.
Clause 10. The method of any previous clause, wherein R, S and T are equivalent to 64 Beaver triples over a field GF(2).
Clause 11. The method of any previous clause, wherein the comparing is performed using pre-prepared Beaver triples and the first computing device and the second computing device use secure multi-party computation operations for each XOR and AND gate of the comparison function.
Clause 12. The method of any previous clause, wherein the comparison function is implemented as a recursively computed comparison circuit.
Clause 13. A system for comparing a first number Abit with a second number Bbit, the system comprising: one or more processors; and one or more computer-readable memories storing instructions which, when executed by the one or more processors, cause the one or more processors to be configured to: receive, from a second computing device associated with the second number Bbit, a share a2bit and a share b2bit, wherein the first number Abit=a1bit+a2bit mod 264 and wherein the second number Bbit=b1bit+b2bit mod 264, and wherein the first number Abit=a1bit XOR a2bit and wherein the second number Bbit=b1bit XOR b2bit, wherein XOR comprises an XOR function that applies addition modulo 2 to corresponding pairs of bits of two strings; and compare, via a comparison function that compares numbers as modulo 264, the first number Abit and the second number Bbit to generate a shared output bit indicating which number is larger.
Clause 14. The system of clause 13, wherein the first number Abit comprises a first 64-bit word and the second number Bbit comprises a second 64-bit word.
Clause 15. The system of any of clauses 13-14, wherein the share a1bit is in a 64-bit format and the share b1bit is in the 64-bit format.
Clause 16. The system of any of clauses 13-15, wherein the XOR function compares a1bit with a2bit and b1bit with b2bit on a bit-by-bit basis and not under modulo 264.
Clause 17. The system of any of clauses 13-16, wherein the comparison function is represented as a multivariate polynomial in terms of individual bits of Abit and Bbit.
Clause 18. The system of any of clauses 13-17, wherein the comparison function applies a recursive approach to evaluate the multivariate polynomial.
Clause 19. The system of any of clauses 13-18, wherein the comparing, via comparison function that compares numbers as modulo 264, the first number Abit and the second number Bbit to generate the shared output bit indicating which number is larger occurs on each of the first computing device and the second computing device.
Clause 20. The system of any of clauses 13-19, wherein the comparison function applies a Beaver triples technique that converts a circuit of additions and multiplications into a secure multi-party computation protocol that evaluates the circuit securely.
Clause 21. The system of any of clauses 13-20, wherein the Beaver triples technique uses three 64-bit strings R, S, T such that T−R AND S.
Clause 22. The system of any of clauses 13-21, wherein R, S and T are equivalent to 64 Beaver triples over a field GF(2).
Clause 23. The system any of clauses 13-22, wherein the comparing is performed using pre-prepared Beaver triples and the first computing device and the second computing device use secure multi-party computation operations for each XOR and AND gate of the comparison function.
Clause 24. The system of any of clauses 13-23, wherein the comparison function is implemented as a recursively computed comparison circuit.
The present application claims priority to U.S. Provisional Application No. 63/380,109, Oct. 19, 2022, the content of which is incorporated herein in its entirety.
Number | Date | Country | |
---|---|---|---|
63380109 | Oct 2022 | US |