Some Efficient Solutions to Yaos Millionaire Problem

We present three simple and efficient protocol constructions to solve Yao’s Millionaire Problem when the parties involved are non-colluding and semi-honest. The first construction uses a partially homomorphic Encryption Scheme and is a 4-round scheme using 2 encryptions, 2 homomorphic circuit evaluations (subtraction and XOR) and a single decryption. The second construction uses an untrusted third party and achieves a communication overhead linear in input bit-size with the help of an order preserving function.Moreover, the second construction does not require an apriori input bound and can work on inputs of different bit-sizes. The third construction does not use a third party and, even though, it has a quadratic communication overhead, it is a fairly simple construction.

💡 Research Summary

The paper “Some Efficient Solutions to Yao’s Millionaire Problem” proposes three distinct protocols (named A, B, and C) for securely comparing two private integers a and b held by Alice and Bob, under the semi‑honest (honest‑but‑curious) model and assuming the parties do not collude. The authors claim that each construction is simple, efficient, and improves on prior work in terms of round complexity or communication overhead.

Protocol A – Partially Homomorphic Encryption (PHE) based
The first construction assumes the existence of a partially homomorphic encryption scheme that supports additive homomorphism and bit‑wise XOR. Bob encrypts his input b and sends E(b) to Alice. Alice encrypts a, generates a fresh random mask R, and computes V = (E(a) − E(b)) ⊕ E(R). Because of the homomorphic properties, V encrypts (a − b) ⊕ R. Bob decrypts V, obtains the masked difference, extracts its most‑significant bit (MSB), and returns that single bit to Alice. Alice XORs the received MSB with the MSB of R to recover the sign of a − b, which directly yields the answer to “a > b?”. The protocol runs in four rounds, requires two encryptions, one decryption, and two homomorphic operations (subtraction and XOR). Communication consists of the ciphertexts E(a) and E(b) plus two single‑bit messages. The authors argue that security follows from the semantic security of the underlying PHE and the one‑time‑pad nature of R. However, the paper provides only a high‑level intuition; it does not specify concrete parameters for R (size, distribution) nor does it formally prove that the masked difference leaks no information beyond the sign.

Protocol B – Untrusted Third Party with Order‑Preserving Function (OPF)
The second construction eliminates the need for homomorphic operations by mapping each binary input to an integer via a custom order‑preserving function F. F is built from n per‑bit functions f_i : {0,1}→ℕ chosen such that the increment f_i(1) − f_i(0) dominates the sum of all previous increments (Equation (1) in the paper). The overall mapping is F(x) = ∑{i=1}^{n} f_i(x_i). Because of the dominance condition, F preserves the total order of the original numbers: x > y ⇔ F(x) > F(y). Alice and Bob agree on three global parameters (s, k, l) and define each f_i(0)=s, f_i(1)=s + k_i·l, where the k_i are distinct integers. They also generate a random unbiased bit u; if u = 0 they complement both inputs before applying F, thereby randomizing the order direction. After computing A = F(a) and B = F(b), they send these integers to an untrusted third party Ursula, who simply compares A and B and returns the result. If u = 0 the parties flip the answer. Communication is linear in the input size n (each of A and B requires O(n) bits), and the computational effort to compute F is also O(n). The security argument rests on the secrecy of the parameters (s, k, l) and on the difficulty of factoring the expression F(a) − F(b) = l·∑{i∈V_a} k_i − l·∑_{i∈V_b} k_i. The authors claim that without knowing n, s, k, or l, Ursula cannot infer the original inputs, and that factoring the resulting large composite numbers is infeasible. Nevertheless, the paper lacks a formal reduction to a known hard problem, and it does not quantify how much information about a or b leaks from the magnitude of A and B (e.g., the gap between them reveals a lower bound on the numeric distance). Moreover, the generation and distribution of the secret parameters are left to Alice alone, raising trust concerns in a setting where Alice could bias the function to her advantage.

Protocol C – No Third Party, Quadratic Communication
The third protocol is only sketched. It removes the third party entirely, but the communication cost grows quadratically with the input length (O(n²)). No concrete steps, cryptographic primitives, or security proofs are provided, making it difficult to assess its practicality. Compared to well‑known O(log n) or O(n) secure comparison protocols based on garbled circuits or oblivious transfer, this construction appears inefficient and under‑specified.

Related Work and Positioning
The authors briefly survey prior literature, mentioning Yao’s original exponential‑time protocol, Goldreich’s early MPC constructions, Paillier‑based additive homomorphic solutions, and more recent two‑round protocols. They argue that their constructions improve on round count (Protocol A) or eliminate the need for a bound on input size (Protocol B). However, many of the cited works already achieve similar or better asymptotic performance with stronger security guarantees (e.g., proofs in the universal composability framework). The paper does not provide experimental benchmarks or concrete parameter choices (key sizes, modulus lengths, etc.) that would allow a fair performance comparison.

Critical Assessment

1. Novelty – The three protocols are essentially recombinations of known techniques: (i) additive homomorphic encryption plus a random mask, (ii) order‑preserving mapping with a third party, and (iii) an unspecified quadratic‑communication scheme. The paper does not introduce a fundamentally new cryptographic primitive or a provably optimal construction.
2. Security Rigor – Security analyses are informal. Protocol A’s proof reduces to the security of the underlying PHE and the one‑time‑pad property of R, but no reduction to a standard hardness assumption is shown. Protocol B relies on the secrecy of parameters and the “hardness of factoring,” yet the exact relationship between breaking the protocol and solving a known problem (e.g., integer factorization or discrete logarithm) is not established. No simulation‑based proofs or UC‑style arguments are presented.
3. Parameter Selection – The paper omits concrete guidance on choosing s, k, l, and the size of R. Without such guidance, implementers cannot assess whether the parameters provide sufficient entropy or meet security levels comparable to, say, 128‑bit security.
4. Efficiency Claims – While the round count for Protocol A (four rounds) is modest, the communication overhead includes transmitting full ciphertexts of size dependent on the encryption modulus, which can be several kilobytes for 2048‑bit keys. Protocol B’s linear communication is attractive, but the integer values A and B may be substantially larger than the original inputs because of the cumulative sums of the f_i values, potentially offsetting the claimed efficiency. Protocol C’s quadratic cost makes it unattractive for realistic inputs.
5. Practical Considerations – The reliance on a semi‑honest model limits applicability in adversarial settings. No discussion is provided on how the protocols could be hardened against malicious parties (e.g., using zero‑knowledge proofs to enforce correct behavior). The third‑party model in Protocol B assumes Ursula is completely untrusted yet still receives the mapped values; the paper does not address potential side‑channel leakage from timing or size of the transmitted integers.

Conclusion
The paper presents three conceptually simple constructions for Yao’s Millionaire problem, emphasizing low round counts and linear communication. However, the contributions are incremental, the security arguments are informal, and essential implementation details (parameter sizes, concrete performance numbers) are missing. For the work to be considered a solid addition to the literature, it would need formal security proofs (preferably in a simulation‑based framework), explicit parameter recommendations, and experimental evaluation against existing state‑of‑the‑art protocols. Nonetheless, Protocol A’s four‑round, two‑encryption design could be of interest for lightweight devices where homomorphic encryption is already available, and Protocol B’s order‑preserving mapping offers an alternative perspective on secure comparison without heavy cryptographic machinery, provided its security can be rigorously substantiated.