Yao's Millionaire's problem
Yao's Millionaire's problem is a secure multi-party computation problem first introduced by Andrew Yao back in 1982 that tries to solve the following: Alice and Bob want to compare their salaries to see who is earning the most, nonetheless, they don't want to reveal anything about their salaries but the one bit of information that says if it's lower or higher than the other salary.
This can be simplified by saying that we want a protocol that lets us check if without revealing nor .
We can consider three versions of the problem:
- Continuous version: The values compared lay in .
- Discrete version: The values compared lay in .
- Finite version: The values compared lay in a finite set of .
It's clear that if we solved the continuous one then we would have the other two solved, but the solution to the continuous case is very complex and it would be interesting to see if we could provide a simpler solution for the other case. The solution I will provide will be for the finite version but in practical terms, this is enough as all salaries usually range within a finite amount of values (for example from zero to one trillion $).
Use case of this protocol
A use case of this protocol is to solve a problem many people face every day. When applying for jobs, you may have a minimum salary requirement that you would want the company to provide, and there is also a maximum salary the company is willing to pay you. If the minimum salary was higher than the maximum offered by the company, then it wouldn't make sense to go through the application process at all!
If you as a job applicant were to reveal this value and it was much lower than what the company was willing to pay, they could reduce the salary they would have offered you otherwise. As well as if the company reveals the maximum salary they are willing to pay, the applicant could increase its expectancies and claim more when offered the real salary if it was lower than the maximum they said they could offer.
By using the problem we solve this problem as the company and the applicant can check beforehand if the salary expectation is lower than the maximum salary offered in this position and if not, not go through the selection process.
First solution to the problem
I will provide a simple solution that I read the first time this problem was proposed to me in the finite case version and we will see that it is not fully correct.
Since we are working on the finite case we have possible values of salary. The protocol will work as follows:
- Alice enters the room and gets boxes labeled with each possible salary value. She then puts inside each box a piece of paper with "Yes" written if the box's salary is lower than hers and "No" otherwise. Alice then leaves the room.
- Bob now enters the room and reads the paper inside the box with his salary value and checks whether the written value is "Yes" or "No". If the value is "Yes" he knows that his salary is lower than Alice's and if it's "No" he knows that his salary is higher than Alice's. Bob then leaves the room and tells Alice the result.
This simple solution to the problem may seem correct, but it doesn't take into account that, without the use of a third party it's impossible to know if Bob opened one, two or all the boxes in the room.
A solution for this problem could be to have the boxes be commitments and commit to bit if "No" and if "Yes". Then to open a box, Bob would have to request Alice for the key to open the commitment. This wouldn't work because Bob would have to reveal to Alice which box he wants to open and Alice could then deduce Bob's salary.
We will propose a solution using a technique used in Oblivious transfer protocols that solves this problem.
Solution to the problem
Taking into account that the finite set is of size n, let be or depending on whether the i'th box has a "Yes" or a "No". The protocol to solve this problem will be the following:
- Alice generates RSA key pair () and sends the public portion () to Bob.
- Alice generates n random values in and sends them to Bob.
- Bob generates a random value in and a random value in and sends to Alice.
- Alice computes for . There will be only one equal to but Alice doesn't know which one since is a random value. Alice then sends to Bob.
- Bob will finally compute and will know the value of the box.
We can see that this protocol is correct because if then and ; and if then and since is a random value, Bob won't be able to get any information about .
Final thoughts
This protocol is a simple solution to the problem that can be used in many real-life scenarios. Nonetheless, it is not the most efficient solution as it requires exponentiations and modular multiplications. Can any simpler solution be found? Or can any faster solution be found?
Another question I have is if any simple solution can be found specifically for the discrete case (non-finite). If any reader has any ideas, please let me know!
References
[0] The Simplest Protocol for Oblivious Transfer
[1] Yao's Millionaires' problem and decoy-based public key encryption by classical physics
[2] Oblivious transfer lecture from Berkeley CS 276 - Cryptography course