A High Throughput BFV-Encryption-Based Secure Comparison Protocol

Abstract

Secure comparison is a fundamental problem in multiparty computation. There are two different parties, each holding an $l$-bit integer, denoted by $a$ and $b$, respectively. The goal of secure comparison is to compute the order relationship between $a$ and $b$, say $\left(a>b\right)\in \left\{0,1\right\}$, without revealing their inputs to any others. Since previous solutions based on homomorphic encryption need at least $\mathsf{\Omega }\left(l\right)$encryptions for each $l$-bit comparison, the total encryption time leads to a computational bottleneck for these protocols. This work presents a fast, semi-honest, secure comparison protocol based on the BFV encryption scheme. With its vector-like plaintext space, the number of required encryptions can be significantly reduced; actually, only six encryptions are needed for each comparison in our protocol. In other words, the proposed protocol can achieve the time complexity $\tilde{O}(\lambda +l$) for a given security parameter λ. As a result, 4096-bit integers can be securely compared within 12.08 ms, which is 280 times faster than the state-of-the-art homomorphic encryption-based secure comparison protocol. Furthermore, we can compare k pairs of $l\cdot k^{-1}$-bit integers with almost the same execution time as comparing $l$-bit integers and achieve higher throughput regardless of the compared integer size.

1. Introduction

1.1. Homomorphic Encryption-Based Secure Comparison

The goal of multi-party computation (MPC) is to create an algorithm that enables different parties to compute a function jointly without revealing their inputs. In areas such as secret voting or e-commerce, MPC provides a solution for protecting each party’s privacy without the involvement of a trusted third party (TTP). However, the high computational costs of MPC make these solutions practically infeasible. Secure comparison is one of the fundamental problems in MPC, with the goal of computing $\left(a>b\right)\in \left\{0,1\right\}$ securely for two different parties with private inputs $a$ and $b$. Since special-purpose secure comparison protocols (SP-SCPs) often outperform those protocols based on general-purpose MPC constructions, SP-SCPs can improve the performance of most privacy-preserved applications. This fact motivates us to develop high-speed, secure comparison protocols.

Homomorphic Encryption (HE) and Garbled Circuits (GC) are two of the most famous cryptographic techniques for constructing secure comparison protocols. Based on the study presented in [1], HE-based protocols can achieve faster speed and lower round complexity, whereas GC-based protocols provide a lower communication rate and higher flexibility. In this work, we focus on the computational cost and compete for the speed of our protocol to state-of-the-art HE-based comparison protocols. In general, the performance of an HE-based protocol is strongly related to which HE scheme is used. For example, the protocol proposed in [2] needs only two encryptions for each bit, but the final performance is 60.4 milliseconds per bit (ms/bit) (Runs on [email protected] GHz, single core, and set security parameter λ = 128.) since each Paillier encryption [3] needs 23 ms. The authors in [4] replaced Paillier with subgroup-RSA [5], which needs only 0.692 ms/bit for each encryption and provides a much better performance of 1.74 ms/bit. Noticeably, the protocols proposed in [6,7] compare 8 bits simultaneously by the threshold property in the plaintext space${\mathbb{Z}}_{2^{2^8}}$, which needs only two encryptions and one private-equality-test (Private-equality-test is to compute (a == b) ∈ {0, 1} securely for two different parties. Notice. two encryptions are needed in the protocol.) for every 8-bit. In their works, the performance reaches 0.8 ms/bit. To the best of our knowledge, these two are the fastest 2-round secure comparison protocol [2,4,8,9,10] and the fastest secure comparison protocol [6,7]. We will refer to them as DGK protocol and CEK protocol, respectively. The Paillier and the subgroup-RSA mentioned above are HE schemes that can execute additions in the encryption domain. We refer to them as additive homomorphic encryption (AHE) schemes.

Fully homomorphic encryption (FHE) specifically addresses those HE schemes that can realize arbitrary arithmetic circuits in the encryption domain. The first construction of FHE was proposed by Gentry [11,12] in 2009. In his construction, Gentry first proposed a somewhat homomorphic encryption (SWE) scheme, which can implement a limited number of additions and multiplications in the encryption domain, and then used bootstrapping mechanism (Bootstrapping technique is to implement a decryption circuit in the encryption domain to create a new ciphertext associated with the same message but with fewer evaluations in the encryption domain.) “refresh” the ciphertexts. Inspired by Gentry’s blueprint, different FHE schemes [13,14,15,16,17,18,19] have been proposed in the following years.

Our work was inspired by the HE scheme proposed by Fan and Vercauteren [17], inherited from [14,15,16,20,21,22,23,24,25,26], and is one of the widely used FHE schemes up to now. To avoid confusion, we always use the “BFV scheme” to represent SHE schemes proposed in [17]. Since the BFV is one of the SHE schemes, the corresponding ciphertext size is determined by the number of evaluations in the encryption domain. While the execution speed of each operation in the BFV scheme would decrease as the ciphertext-size increase; therefore, it is hard to realize complicated functions in a practical use case. On the other hand, if the target function is simple enough, then the ciphertexts can be small, and the performance of the BFV scheme can outperform subgroup-RSA. We observed this fact in our experiments; that is, the encryption of the BFV scheme can be realized within 0.21 ms in our protocol, whereas the encryption of subgroup-RSA needs 0.7 ms. The remarks about and comparisons with recently published related work will be presented in Section 5.3.

1.2. Secure Decryption

Let p be the public key and s be the secret key. We say an encryption scheme can implement an operation ⋆: $\mathcal{P}$ × $\mathcal{P}$ → $\mathcal{P}$ in the encryption domain if there exists a computable function T such that

Dec (T (c₁, c₂, p), s) = Dec(c₁, s) ⋆ Dec(c₂, s)

(1)

for arbitrary ciphertexts c₁, c₂ ∈ $\mathcal{C}$. Those encryption schemes that satisfy the property mentioned in Equation (1) are the HE schemes. Since HE enables us to compute over the ciphertexts, we may let the party that does not have a secret key compute the function in the encryption domain; and the other party decrypts the ciphertext(s) associated with the result. The problem is, if the latter party may learn other information while decrypting, then the security of the former party could be compromised. On the other hand, if the two parties can securely decrypt the result, we can achieve the security requirement of two-party computation (2PC), as shown in Figure 1.

2. The BFV Encryption Scheme

BFV scheme is an attractive encryption scheme that is equipped with fast encryption and decryption operations, vector-like plaintext space (optional), and robust computations in the encryption domain. We review some functionalities of the BFV scheme in this section. Other BFV-related operations, such as bootstrapping, can be found in [11,15,17,27]. Moreover, for self-completeness, the algebraic structure and commonly used notations of the BFV scheme are presented in Appendix A.

This section addresses the assumptions and some characteristics related to the BFV scheme. As anonymous reviewers suggest, all the corresponding proof will be presented in Appendix B.

2.1. Security Assumption

Definition 1. 

(Ring Learning with Error Distribution) Let ${ℛ}_q$ be the $m$-th cyclotomic ring with coefficients in ${\mathbb{Z}}_q$. Let $s\in {ℛ}_q$ and $\chi$ be a small distribution with $Prob\left\{\left|\chi \right|>B\right\}=0$. Then, the ring learning with error distribution $RLW{E}_{s,\mathsf{\chi }}^{q,m}$ is the distribution of $\left(Y, Y\cdot s+{\chi }^n\right)$, where $Y$ is a uniform distribution in ${ℛ}_q$ and $n$ is the degree of ${ℛ}_q$.

Assumption 1. 

(Infeasibility of decision-RLWE) The decision problem of Ring Learning with Error (RLWE), denoted by decision-${\mathrm{RLWE}}_{\mathrm{s},\chi }^{\mathrm{q},\mathrm{m}}$, is to distinguish uniform distribution and ${\mathrm{RLWE}}_{\mathrm{s},\chi }^{\mathrm{q},\mathrm{m}}$. The decision-RLWE assumption is to assume decision-${\mathrm{RLWE}}_{\mathrm{s},\chi }^{\mathrm{q},\mathrm{m}}$ is infeasible.

The decision-RLWE assumption establishes the security assumption of the BFV encryption scheme. Moreover, we can reduce it to the well-known shortest vector problem (SVP) if $\chi$ is a discrete Gaussian distribution with sufficient large standard error (e.g., $\sigma =\mathsf{\Omega }\left(\sqrt{n}\right)$) and the secret key is sampled from ${\chi }^n$ [28]. However, we sometimes use small standard error (e.g., $\sigma =3.2$ in [29]) for better performance.

2.2. Ciphertext and Algebra

Given $m=2^d, n=m/2$, and let ${\mathsf{\Phi }}_m\left(X\right)$ be the $m$-th cyclotomic polynomial. where ${\mathsf{\Phi }}_m\left(X\right)=\left(X^n+1\right)$. Let $ℛ=\mathbb{Z}\left[X\right]/\left({\mathsf{\Phi }}_{\mathrm{m}}\left(X\right)\right)$ be the cyclotomic ring with degree $n$. Plaintexts are in ${ℛ}_p=ℛ/pℛ$, and ciphertexts are in ${ℛ}_q^2={\left(ℛ/qℛ\right)}^2$, where $q\gg p$ and the ratio $\rho =q/p$ can be treated as the “tolerance” of error.

Let $\chi$ be a small distribution, say $Prob\left\{\left|\chi \right|>B\right\}=0$.

2.3. Encryption and Decryption

2.3.1. Encryption and Decryption on Polynomial Algebra

Multiplication in ${ℛ}_q$(denoted as ${\mathrm{PolyMul}}_n$, cf. Algorithm 1 for detailed definition) can be implemented in $\mathsf{\Theta }\left(n\cdot \log n\right)$ operations in ${\mathbb{Z}}_q$ by Fast Fourier Transformation (FFT), and the time complexity would be $\mathsf{\Theta }\left(n\cdot \log n\cdot \log q\right)$. For convenience, we use a bolder case to denote a polynomial, which can be stored as $n$ coefficients in $\left[0,q-1\right)$ in a computer, and it would be the requirement of all of the following algorithms. Similarly, each plaintext could be stored as $n$ coefficients in $\left[0,p-1\right).$

Algorithm 1 ${\mathrm{PolyMul}}_n$
Input:	$a,b,q,\alpha$
Output:	$c$
Ensure:	$c\equiv a\cdot b \mathrm{mod} \left({\mathsf{\Phi }}_{\mathrm{n}}\left(X\right),q\right)$ $0\le c_i<q$
1:	$A=\left(A_0,A_1,\dots ,A_{n-1}\right)\leftarrow {\mathrm{FFT}}_{n,q,\alpha }\left(a\right)$
2:	$B=\left(B_0,B_1,\dots ,B_{n-1}\right)\leftarrow {\mathrm{FFT}}_{n,q,\alpha }\left(b\right)$
3:	for $i=0,1,\dots ,n-1$ do
4:	$C_i\leftarrow A_i\cdot B_i \mathrm{mod} q$
5:	end for
6:	$C\leftarrow \left(C_0,C_1,\dots ,C_{n-1}\right)$
7:	$c=\left(c_0,c_1,\dots ,c_{n-1}\right)\leftarrow {\mathrm{InvFFT}}_{n,q,\alpha }\left(C\right)$

Once again, we assume the secret key, s, is generated from a small distribution $\chi$ (cf. Algorithm 2 for details).

Algorithm 2 $\mathrm{KeyGen}$
Input:	$\perp$
Output:	$s$
1:	for $i=0,1,\dots ,n-1$ do
2:	$s_i\leftarrow \chi$
3:	end for
4:	$s\leftarrow \left(s_0,s_1,\dots ,s_{n-1}\right)$

Algorithm 3 $\mathrm{EncSym}$
Input:	$m, s$
Output:	$\left(c_0,c_1\right)$
Require:	$0\le m_i<p$ $\mathrm{Prob}\left\{\chi >\rho \right\}=0$
Ensure:	$m=|{\rho }^{-1}\cdot \left(c_0+{\mathrm{PolyMul}}_{n,q,\alpha }\left(c_1,s\right)\right)|$ Each element of $\left(c_0,c_1\right)$ is in the range $\left\{0,1,\dots ,q-1\right\}$
1:	for $i=0,1,\dots ,n-1$ do
2:	$c_i\leftarrow \left\{0,1,\dots ,q-1\right\}$
3:	end for
4:	$c_1\leftarrow \left(c_0,c_1,\dots ,c_{n-1}\right)$
5:	for $i=0,1,\dots ,n-1$ do
6:	$e_i\leftarrow \chi$
7:	end for
8:	$e\leftarrow \left(e_0,e_1,\dots ,e_{n-1}\right)$
9:	$c_0\leftarrow e-{\mathrm{PolyMul}}_n\left(c_1,s\right)+m\cdot \rho$
10:	$c_0\leftarrow c_0 \mathrm{mod} q$

EncSym (Algorithm 3) is to encrypt a message m with secret key s. That is,

$$c_0+c_1\cdot s=m\cdot \rho +e.$$

(2)

We may use Algorithm 4 to define the error with the corresponding message and ciphertext. Moreover, the ciphertext can be correctly decrypted if and only if the error is less than $\rho /2$(see Algorithm 5). We can summarize this subsection’s discussions into the following Lemma.

Lemma 1. 

(Sufficient Condition for Correct Decryption). Given ciphertext $c=\left(c_0, c_1\right)\in {ℛ}_q^2$, and message $m\in {ℛ}_p$, and $e={\left[c_0+c_1\cdot s-{\left[m\right]}_p\cdot \rho \right]}_q$ is the corresponding error, then ${\Vert e\Vert }_{\infty }<\rho \cdot 2^{-1}$ implies ${\left[c_0+c_1\cdot s\right]}_q\cdot {\rho }^{-1}\equiv {\left[m\right]}_p mod p.$Thus, we can decrypt correctly if the error is small enough.

Proof. 

Please refer to Appendix B.1 for detailed proof. □

Algorithm 4 $\mathrm{CalculateError}$
Input:	$\left(c_0,c_1\right), m, s$
Output:	$e$
1:	$e\leftarrow c_0+{\mathrm{PolyMul}}_{n,q,\alpha }\left(c_1,s\right)-m\cdot \rho$
2:	$e\leftarrow e \mathrm{mod} q$

Algorithm 5 $\mathrm{Dec}$
Input:	$\left(c_0,c_1\right), s$
Output:	$m$
Require:	Each element of $\mathrm{CalculateError}\left(c_0,c_1,m\right)$ is in the range $\left\{0,1,\dots ,\rho /2-1\right\}\cup \left\{q-\rho /2,\dots ,q-1\right\}$
1:	$m=\left(m_0,m_1,\dots ,m_{n-1}\right)\leftarrow c_0+{\mathrm{PolyMul}}_{n,q,\alpha }\left(c_1,s\right) \mathrm{mod} q$
2:	for $i=0,1,\dots ,n-1$ do
3:	$m_i\leftarrow \lfloor \left(m_i+\rho /2\right)\cdot {\rho }^{-1}\rfloor$	▻$Divide \rho and round$
4:	end for
5:	$m\leftarrow \left(m_0,\dots ,m_{n-1}\right)$

2.3.2. The Correctness of Homomorphic Operations

In this subsection, we introduce the addition between two ciphertexts (denoted as Add), the addition between a ciphertext and a plaintext (denoted as AddPlain, cf. Algorithm 6), and the multiplication between a ciphertext and a plaintext (denoted as MulPlain, cf. Algorithm 7).

Given $c,c^{\prime }\in {ℛ}_q^2$, suppose the corresponding messages are $m, m^{\prime }\in {ℛ}_p$, and the corresponding errors are $e,e^{\prime }\in ℛ$. The above-mentioned operations can be defined as follows:

Add (c, c′): Return (c₀ + c′₀, c₁ + c′₁)

AddPlain (c, m′): Return (c₀ +[m′]_p · ρ , c₁)

MulPlain (c, m′): Return (c₀ · [m′]_p, c₁ · [m′]_p)

Claim 1. 

(Correctness of Addition). Suppose $\Vert e+{e^{\prime }\Vert }_{\infty }$,then

$$\mathrm{Dec} (\mathrm{Add} (c,c^{\prime }), s) = m+m^{\text{'}}.$$

(3)

We illustrate the definition and the operation process of the homomorphic addition (denoted as Add, cf. Algorithm 8 for details).

Proof. 

Please refer to Appendix B.2.a for details. □

Claim 2. 

(Correctness of Addition between a Plaintext and a Ciphertext). Suppose $\Vert {e\Vert }_{\infty }<2^{-1}\cdot \rho$, then

Dec (AddPlain (c, m’), s) = m + m’.

(4)

Proof. 

Please refer to Appendix B.2.b for details. □

Claim 3.  

(Correctness of Multiplication between a Plaintext and a Ciphertext).

Suppose $\Vert e\cdot {m^{\prime }\Vert }_{\infty }$ $<2^{-1}\cdot \rho$, then

Dec (MulPlain (c, m’), s) = m · m′.

(5)

Proof.  

Please refer to Appendix B.2.c for details. □

Notice that all the correctness mentioned above is associated with the magnitude of the norm of errors. Claims 1, 2, and 3 are essential for estimating how large $q$ should be.

Algorithm 6 $\mathrm{AddPlain}$
Input:	$\left(c_0,c_1\right), m\prime$
Output:	$\left(c_0^{\prime },c_1^{\prime }\right)$
Require:	$\mathrm{Dec}\left(c_0,c_1,s\right)=m$
Ensure:	$\mathrm{Dec}\left(c_0^{\prime },c_1^{\prime },s\right)=m+m^{\prime }$
1:	$c_0^{\prime }\leftarrow c_0+m^{\prime }\cdot \rho \mathrm{mod} q$
2:	$c_1^{\prime }\leftarrow c_1$

Algorithm 7 Mul$\mathrm{Plain}$
Input:	$\left(c_0,c_1\right), m\prime$
Output:	$\left(c_0^{\prime },c_1^{\prime }\right)$
Require:	Let $e=\mathrm{CalculateError}\left(c_0,c_1,m,s\right)$ $e^{\prime }={\mathrm{PolyMul}}_n\left(e,m^{\prime }\right) \mathrm{mod} q$ Require ${\Vert e^{\prime }\Vert }_{\infty }<\rho /2$
Ensure:	$\mathrm{Dec}\left(c_0^{\prime },c_1^{\prime },s\right)\equiv {\mathrm{PolyMul}}_n\left(m,m^{\prime }\right) \mathrm{mod} q$
1:	$c_0^{\prime }\leftarrow {\mathrm{PolyMul}}_n\left(c_0,m^{\prime }\right) \mathrm{mod} q$
2:	$c_1^{\prime }\leftarrow {\mathrm{PolyMul}}_n\left(c_1,m^{\prime }\right) \mathrm{mod} q$

Algorithm 8 $\mathrm{Add}$
Input:	$\left(c_0,c_1\right), \left(c_0^{\prime },c_1^{\prime }\right)$
Output:	$\left(c_0^{add},c_1^{add}\right)$
Require:	Let $e=\mathrm{CalculateError}\left(c_0,c_1,m,s\right)$, $e^{\prime }=\mathrm{CalculateError}\left(c_0^{\prime },c_1^{\prime },m^{\prime },s\right)$ Require $\Vert e+{e^{\prime }\Vert }_{\infty }<\rho /2$
Ensure:	$\mathrm{Dec}\left(c_0^{\prime },c_1^{\prime },s\right)=m+m^{\prime }$
1:	$c_0^{add}\leftarrow c_0+c_0^{\prime } \mathrm{mod} q$
2:	$c_1^{add}\leftarrow c_1+c_1^{\prime } \mathrm{mod} q$

2.4. Public Key Generation and Encryption

The public key generation (denoted as PubKeyGen) involved in our protocol can be illustrated in Algorithm 9. Moreover, the asymmetric encryption function (denoted as EncAsym) concerning our protocol can be depicted in Algorithm 10.

Algorithm 9 $\mathrm{PubKeyGen}$
Input:	$s$
Output:	$\left(p{k}_0,p{k}_1\right)$
1:	$p{k}_0,p{k}_1\leftarrow \mathrm{EncSym}\left(0,s\right)$

Algorithm 10 $\mathrm{EncAsym}$
Input:	$m,\left(p{k}_0,p{k}_1\right)$
Output:	$\left(c_0,c_1\right)$
1:	for $i=0,1,\dots ,n-1$ do
2:	$r_i\leftarrow \chi$
3:	$e_i\leftarrow \chi$
4:	$e_i^{\prime }\leftarrow \chi$
5:	end for
6:	$r\leftarrow \left(r_0,r_1,\dots ,r_{n-1}\right), e\leftarrow \left(e_0,e_1,\dots ,e_{n-1}\right), e^{\prime }\leftarrow \left(e_0^{\prime },e_1^{\prime },\dots ,e_{n-1}^{\prime }\right)$
7:	$c_0\leftarrow {\mathrm{PolyMul}}_n\left(p{k}_0,r\right)+e+m\cdot \rho \mathrm{mod} q$
8:	$c_1\leftarrow {\mathrm{PolyMul}}_n\left(p{k}_1,r\right)+e^{\prime } \mathrm{mod} q$

To claim the correctness of EncAsym, we should evaluate the norm of the error:

$$\mathrm{CalculateError}\left({\mathrm{EncAsym}}_{pk}\left(m\right),s\right)=r\cdot \left(p{k}_0+p{k}_1\cdot s\right)+e+e\prime \cdot s$$

Notice $p{k}_0+p{k}_1\cdot s,$ r, e, e’, and s are sampling from ${\chi }^n$ and bounded by $B$; thus, we have

$$\Vert r\cdot \left(p{k}_0+p{k}_1\cdot s\right)+e+e\prime \cdot {s\Vert }_{\infty }\le n\cdot B^2+B+n\cdot B^2.$$

Recall Algorithm 5—the correctness of decryption is ensured if $\rho$ bounds the error. Therefore, we can choose $q$ large enough, so the correctness follows. That is,

$$\rho =q\cdot p^{-1}>2\cdot n\cdot B^2+B\ge \Vert \mathrm{CalculateError}{\left({\mathrm{EncAsym}}_{pk}\left(m\right),s\right)\Vert }_{\infty }$$

(6)

2.5. Time Complexity

Additions in ${ℛ}_q$needs $n$ additions in ${\mathbb{Z}}_q$, and the time complexity would be $\mathsf{\Theta }\left(n\cdot \log q\right)$. Multiplications can be implemented in $\mathsf{\Theta }\left(n\cdot \log n\cdot \log q\right)$ by FFT implementation of the polynomial ring. Let $\lambda$ be the security parameter, suppose the $m$-bit pseudo-random number can be generated in $\mathsf{\Theta }\left(m\cdot \lambda \right)$, then the time complexity associated with each operation can be listed in

Table 1. Time Complexity of BFV Operations.

Operation	Time Complexity
PolyMul	$n\cdot \log n\cdot \log q$
KeyGen	$n\cdot \log q\cdot \lambda$
EncSym	$n\cdot \log n\cdot \log q+n\cdot \log q\cdot \lambda$
PubKeyGen	$n\cdot \log n\cdot \log q+n\cdot \log q\cdot \lambda$
EncAsym	$n\cdot \log n\cdot \log q+n\cdot \log q\cdot \lambda$
Dec	$n\cdot \log n\cdot \log q$
AddPlain	$n\cdot \log q$
MulPlain	$n\cdot \log n\cdot \log q$
Add	$n\cdot \log q$

.

Since $\rho =p^{-1}\cdot q$ can be regarded as the affordability of error, $q$ should be large enough for the evaluations. However, the security level is inversely proportional to log $q$, so $n$ should increase proportional to preserve the same security level. Therefore, we should use the number of evaluations to represent the time complexity.

As seen in Table 1, the performance is dominated by $n,q$. Recall that the error should be less than $\rho \cdot 2^{-1}$. Each multiplication would increase the upper bound of the error by a factor of $n · p · 2^{-1},$and the error of fresh ciphertext is less than $B$, so the error after $d$ multiplications is at most ${\left(n · p · 2^{-1}\right)}^d\cdot B$, and we choose $\rho ,q$ large enough to keep the correctness:

$${\log }_2\rho -1>d\cdot \log \left(n · p · 2^{-1}\right)+\log B$$

(7a)

$${\log }_{2}q>d · \left({\log }_{2}p+{\log }_{2}n-1\right)+{\log }_{2}B+1.$$

(7b)

Let $\lambda =\mathsf{\Theta }\left(n/{\log }_{2}q \right)$ be the security level, then $n=\mathsf{\Omega }\left(\lambda \cdot {\log }_{2}q\right)=\mathsf{\Omega }\left(\lambda \cdot d\cdot {\log }_{2}p\right)$. We conclude that the computational cost has a quadratic growth with respect to $d$.

2.6. Batching

Batching is a commonly used technique to speed up cryptographic operations; however, its relation to mathematical derivations has seldom been presented and discussed. Since batching plays a crucial role in our proposed protocol, we detail its definition and derivation in this subsection. Readers who are familiar with batching can jump to the next section directly.

Suppose ${\mathsf{\Phi }}_m\left(X\right)=f_1\left(X\right)·f_2\left(X\right)\cdot \cdots \cdot f_k\left(X\right)$where $f_1,\dots ,f_k$ are co-prime, then we can apply Chinese Remainder Theorem to derive the following isomorphic relation:

$${\mathbb{Z}}_p\left[X\right]/\left({\mathsf{\Phi }}_m\left(X\right)\right)\cong {\mathbb{Z}}_p\left[X\right]/\left(f_1\left(X\right)\right)\times \cdots \times {\mathbb{Z}}_p\left[X\right]/\left(f_1\left(X\right)\right)$$

(8)

If we further assume $f_i\left(X\right)$ is irreducible, and $\mathrm{deg}\left(f_i\right)=d$for each $i$, then

$${\mathbb{Z}}_p\left[X\right]/\left(f_i\left(X\right)\right)\cong GF\left(p^d\right)$$

(9a)

$${ℛ}_p\cong GF{\left(p^d\right)}^{n/d}$$

(9b)

Generally, the isomorphic relation given in (Equation (9)) always holds. In the following paragraphs, we will introduce how to choose p for some given d and n.

For convenience, we always choose $m=2^{t+1}$, so $n=\phi \left(m\right)=2^t,$ and ${\mathsf{\Phi }}_m\left(X\right)=X^n+1$. We claim that ${ℛ}_p\cong {\mathbb{Z}}_p^n$ if$p$ is a prime with $p=2kn+1$:

We can find a generator $g\in {\mathbb{Z}}_p^{*}$, $\alpha =g^k$ has order $2n$, and ${\alpha }^n=-1$ is a root of ${\mathsf{\Phi }}_m$. Similarly, let ${\alpha }_i={\alpha }^{2i+1}$, then ${\alpha }_i$ has order $2n$ and is also a root of $X^n+1$. Since ${\left\{{\alpha }_i\right\}}_{0\le i<n}$ are $n$ different roots of ${\mathsf{\Phi }}_m$, we may write

$$X^n+1=\left(X-{\alpha }_0\right) · \left(X-{\alpha }_1\right) · ··· · \left(X-{\alpha }_{n-1}\right)$$

(10)

and

$${\mathbb{Z}}_p\left[X\right]/\left({\mathsf{\Phi }}_m\left(X\right)\right)\cong {\mathbb{Z}}_p\left[X\right]/\left(X-{\alpha }_0\right)\times \cdots \times {\mathbb{Z}}_p\left[X\right]/\left(X-{\alpha }_{n-1}\right)\cong {\mathbb{Z}}_p^n$$

(11)

Notice that $f \mapsto {\left(f mod \left(f\left(X\right)-{\alpha }_i\right)\right)}_{0\le i<n}$ is an isomorphism from ${\mathbb{Z}}_p\left[X\right]/\left({\mathsf{\Phi }}_m\left(X\right)\right)$ to ${\mathbb{Z}}_p^n$, and $f mod \left(f\left(X\right)-{\alpha }_i\right)$ can be determined by $f\left({\alpha }_i \right)$. We may apply the Number Theoretic Transform (NTT) to send $f$ to ${\left(f\left({\alpha }_i\right)\right)}_{0\le i<n}$ with $O\left(n\cdot \log n\right)$operations in ${\mathbb{Z}}_p$. We may also let $Y=X^d$, so

$$Y^{n/d}+1=\left(Y-{\beta }_0\right)·\left(Y-{\beta }_1\right)· ··· ·\left(Y-{\beta }_{n/d-1}\right)$$

$$X^n+1=\left(X^d-{\beta }_0\right)·\left(X^d-{\beta }_1\right)· ··· ·\left(X^d-{\beta }_{n/d-1}\right),$$

(12)

where ${\beta }_i={\beta }^{2i+1}$, and $\beta ={\alpha }^d$. We derive another isomorphic relation

$${\mathbb{Z}}_p\left[X\right]/\left({\mathsf{\Phi }}_m\left(X\right)\right)\cong {\mathbb{Z}}_p\left[X\right]/\left(X^d-{\beta }_0\right)\times \cdots \times {\mathbb{Z}}_p\left[X\right]/\left(X^d-{\beta }_{n/d-1}\right)$$

(13)

$$\cong {\left({\mathbb{Z}}_p\left[X\right]/\left(X^d+1\right)\right)}^d$$

(14)

We may write$f={{\displaystyle \sum }}_{j=0}^{d-1}{f}_j\left(Y\right) · X^j$ with $Y=X^d$, then the isomorphism (cf. Equation (13)) can be defined as

$$f\mapsto {\displaystyle \sum }_{j=0}^{d-1}{\left(f_j\left(Y\right) mod \left(Y-{\beta }_i\right)\right)}_{0\le i<n/d}\cdot X^j$$

(15)

Similarly, $f_j mod \left(Y-{\alpha }_i\right)$ can be determined by $f_j\left({\beta }_i\right),$ and the values of ${\left(f_j\left({\beta }_i\right)\right)}_{0\le i<n/d}$ can be calculated by $n/d$-dimension NTT, which needs O ((nd⁻¹) · log (nd⁻¹)) operations in $\mathbb{Z}$p or the time complexity is O ((nd⁻¹) · log (nd⁻¹)) · O (log q). Consequently, the time complexity of the whole map becomes the summation of d different NTTs plus the time needed for combining them, which equals

O (d·(nd⁻¹) ·log (nd⁻¹) ·log q) + O (n · log q) = O (n · log q · (log n − log d)).

(16)

As illustrated in Figure 2, the function that maps (Zp [X ]/(Φd (X)))^n/d to R_m,p can be regarded as an “encoder”, and its inverse is the “decoder”. Notice we always suppose 2 · (n/d) divides (p—1), and n is a power of 2. In the following, we will use ${\mathrm{Encode}}_{n/d,{\alpha }^d}$ to denote the function from ${\mathbb{Z}}_p\left[X\right]/\left(X^d-{\beta }_0\right)\times \cdots \times {\mathbb{Z}}_p\left[X\right]/\left(X^d-{\beta }_{n/d-1}\right)$ to ${\mathbb{Z}}_p\left[X\right]/\left(X^n+1\right)$, and ${\mathrm{Decode}}_{n/d,{\alpha }^d}$ will be the inverse of Encode.

3. Two-Party Computation and BFV Encryption

In the following contexts, we name the two players (or parties) Alice and Bob. With the BFV scheme, Alice can delegate the computation to Bob without revealing her private input. Let cresult denote the ciphertext computed by Bob. Suppose there is a protocol that can derive the message in cresult without leaking any information which may infringe the privacy of Bob. In that case, we say the protocol satisfies the security requirement of two-party computation via the BFV scheme, or the protocol can derive the message securely through “secure decryption”.

3.1. The Secure Decryption Protocol

Suppose Bob holds some ciphertext c^result, Alice holds the secure key s, and the goal of secure decryption is to compute Dec (c^result, s) securely, which can be formulated as in

Table 2. Formulas Associated with the Secure Decryption.

Party	A	B
Input	$s$	$c^{result},pk$
Output	$\mathrm{Dec}\left(c^{result},s\right)$	$\perp$

notice if the secure decryption exists, and Bob can compute the function f in the encryption domain, then they can securely compute f by

(i) Alice encrypting her private input(s) and sending the results to Bob.

(ii) Bob computing the function f in the encryption domain and obtaining the ciphertext c^result associated with the desired result, called m^result.

(iii) Performing the above “secure decryption” protocol; then, Alice learns the m^result without knowing any other information.

Notice that the first term of the public key, say p₁, is sampled from a uniform distribution. If Bob randomly sampled $r\leftarrow {\chi }^n,e\leftarrow {\chi }^n$, then the pair $\left(p{k}_1,p{k}_1\cdot r+e\right)$“looks like” a pair of uniformly sampled samples in the view of Alice, by the RLWE assumption. Based on this idea, we will construct our first secure decryption protocol in the remaining context of this section.

Suppose the error of $c^{result}$ is $e_{result}$, the error of $c^{zero}$ is $e_{zero}$. Let $c^{\prime }=c^{result}+c^{zero}+\left(e,0\right)$, then the error in $c^{\prime }$ is $e_{result}+e_{zero}+e$. By Lemma 2, $\Vert e_{result}+e_{zero}+{e\Vert }_{\infty }$ implies Dec (c′, s) = Dec (c^result, s). Before proving the security of Protocol 3.1, we first analyze the distinguishability between e_result + e_zero + e and a uniform sample from ${\left\{-T,\dots ,T\right\}}^n$.

Lemma 2. 

(Distinguishability of a uniform sample with little bias). For some e ∈ $\mathbb{Z}$, distinguishing two samples, one is sampled uniformly from $\left\{-T,-T+1,\dots ,T\right\}$, the other is from $\left\{-T+e,-T+1,\dots ,T+e\right\}$, the advantage of the adversary is no more than $\left|e\right|\cdot {\left(2T\right)}^{-1}$.

Proof. 

Please refer to Appendix C.1 for details. □

Corollary 1. 

(Distinguishability of a uniform vector with little bias). For some e ∈ ${\mathbb{Z}}^n$, distinguishing two samples, one is sampled from ${\left\{-T,-T+1,\dots ,T\right\}}^n$, the other is from ${\left\{-T,-T+1,\dots ,T\right\}}^n+e$, the advantage of the adversary is no more than ${\mathsf{\Sigma }}_i\left|e_i\right|\cdot {\left(2T\right)}^{-1}$.

Proof.  

Since each entry of the vector is independent to each other, the adversary of $i$-th entry is no more than $\left|e_i\right|$ by Lemma 2. Adversary of the whole vector is no more than summing up the adversary of each entry, which is ${\mathsf{\Sigma }}_i\left|e_i\right|\cdot {\left(2T\right)}^{-1}$. □

Notice that her security of Alice is guaranteed based on the security of the BFV scheme, so we need only to deal with the security of Bob. We will prove this by simulating the view of Alice from Dec (c^result, s) and s.

Claim 4. 

(The Security of Bob in Protocol 3.1). Suppose ‖eresult + ezero‖₁ < Esum, T > Esum · (2ε)⁻¹, and RLWE assumption holds, then the view of Alice, which is cresult ∈ (R_m,q)², can be simulated by Dec (c_b, s) and s.

Proof. 

Please refer to Appendix C.2 for details. □

Protocol 3.1. The Proposed Secure Decryption Protocol.

Protocol 3.1: $\mathrm{Decryption} \mathrm{Protocol}$
Party:	A	B
Input:	s	$c^{result},pk$
Output:	$\mathrm{Dec}\left(c^{result},s\right)$	$\perp$
	Round 1 (B’s turn)
1:	$c^0\leftarrow {\mathrm{EncAsym}}_{pk}\left(0\right)$
2:	$e\leftarrow {\left\{-T,\dots ,T\right\}}^n$
3:	$c^{\prime }=\left(c_0^{\prime },c_1^{\prime }\right)\leftarrow c^{result}+c^0$
4:	$c_0^{\prime }\leftarrow c_0^{\prime }+e \mathrm{mod} q$
5:	B sends $\left(c_0^{\prime },c_1^{\prime }\right)$ to A
	Round 2 (A’s turn)
6:	$m\leftarrow \mathrm{Dec}\left(c^{\prime },s\right)$
7:	Establish m

In a real case, we do not know the exact value of E_sum, but we can estimate an upper bound of ‖e_b + e_zero‖_∞, say E > ‖e_b + e_zero‖_∞, by Claims 1, 2, 3. Therefore, E_sum < n · E (we sometimes estimate E_sum as n^1/2 · E since EV[Esum] ≈ n^1/2 · E) (notice ε < n· E · q⁻¹ can be smaller than p(n)⁻¹ for any polynomial p and sufficient large n since q is exponential to n for some fixed security parameter and n · E = O (n²) for a fixed task in the encryption domain). In the next section, we will introduce “separate decryption” to improve performance.

3.2. Separate Decryption

Let $c=\left(c_0,c_1\right)\in {ℛ}_q^2$; the result of decryption can be computed from c₀ and (c₁ · s). The idea of separate decryption is: Bob holds c₀, Alice holds (c₁ · s), and they compute the decryption result jointly.

Let m be the message, $e$ be the correspond error. Further suppose

$${\left[c_0\right]}_q={\left[m_0\right]}_p\cdot \rho +e_0 \mathrm{and} {\left[c_1\cdot s\right]}_q={\left[m_1\right]}_p\cdot \rho +e_1$$

where the coefficients of $e_0,e_1$are in $\left(-\rho \cdot 2^{-1},\rho \cdot 2^{-1}\right]$. By the definition of error, we also have ${\left[c_0\right]}_q+{\left[c_1\cdot s\right]}_q\equiv {\left[m\right]}_p\cdot \rho +e \mathrm{mod} q$, so $e_0+e_1\equiv e$ mod $\rho$. By discussing the magnitude of $e_0,e_1,e$, there exists $v \mathrm{s}.\mathrm{t}.$

$${\left(e_0\right)}_i+{\left(e_1\right)}_i={\left(e\right)}_i+\rho \cdot {\left(v\right)}_i$$

(17)

where ${\left(v\right)}_i\in \left\{0,1\right\}$, and the message can be computed by${\left[m\right]}_p\equiv {\left[m_0\right]}_p+{\left[m_1\right]}_p+v. \mathrm{mod} p$.

For convenience, we will write $e_{0,i}={\left(e_0\right)}_i$, $e_{1,i}={\left(e_1\right)}_i$, $e_i={\left(e\right)}_i$, and $v_i={\left(v\right)}_i$. Let t ∈ {0,1}, we have

(i) If $e_{t,i}\ge 0$, then $e_{0,i}+e_{1,i}\ge e_{1-t,i}>-\rho \cdot 2^{-1}$, so $v_i$is either 0 or 1.

(ii) If$e_{t,i}<0$, then $e_{0,i}+e_{1,i}<e_{1-t,i}\le \rho \cdot 2^{-1}$, so $v_i \mathrm{is} \mathrm{either} 0 \mathrm{or}-1$.

Suppose $\left|e_i\right|<E<\rho \cdot 4^{-1}$, and define

$$u_{t,i}=\{\begin{array}{cc}\hfill 1& \mathrm{if} e_{t,i}\ge E\hfill \\ \hfill -1& \mathrm{if} e_{t,i}\le -E\hfill \\ \hfill 0& \mathrm{else}\hfill \end{array}$$

(18)

$$s_{t,i}=\{\begin{array}{cc}\hfill 1& \mathrm{if} e_{t,i}>0\hfill \\ \hfill -1& \mathrm{if} e_{t,i}<0\hfill \\ \hfill 0& \mathrm{else}\hfill \end{array}$$

(19)

So $v_i$ can be evaluated from $u_{t,i}$, $s_{t,i}$:

(i) If $e_{t,i}=1$, $s_{1-t,i}=1,$then $v_i=1$.

(ii) If $e_{t,i}=-1$, $s_{1-t,i}=1,$then $v_i=-1$.

(iii) Else, $v_i=0$

The procedures of separate decryption can now be listed as in

Table 3. Procedures of the Separable Secure Decryption (also known as Protocol 3.2 in this write-up).

Protocol 3.2: $\mathrm{Decryption} \mathrm{Protocol}$
Party:	A	B
Input:	s	$c^{result},pk$
Output:	$\mathrm{Dec}\left(c^{result},s\right)$	$\perp$
	Round 1 (A’s turn)
1:	$c^0\leftarrow {\mathrm{EncAsym}}_{pk}\left(0\right)$
2:	$c^{\prime }=\left(c_0^{\prime },c_1^{\prime }\right)\leftarrow c^{result}+c^0 \mathrm{mod} q$
3:	B sends $c_1^{\prime }$ to A
	Round 2 (A’s turn)
4:	$m\leftarrow {\mathrm{PolyMul}}_n\left(c_1^{\prime },s\right)$
5:	for $i=0,1,\dots ,n-1$ do
6:	$t\leftarrow m_i+\rho \cdot 2^{-1} \mathrm{mod} q$
7:	$e\leftarrow t \mathrm{mod} p$
8:	$u_{0,i}\leftarrow 0$	▻$Compute u_{t,i} in Equation \left(18\right)$
9:	if $e\ge E$ and $e\le \rho /2$ then
10:	$u_{0,i}\leftarrow 1$
11:	end if
12:	if $e\le \rho -E$ and $e>\rho /2$ then
13:	$u_{0,i}\leftarrow -1$
14:	end if
15:	$s_{0,i}\leftarrow 0$	▻$Compute s_{t,i} in Equation \left(19\right)$
16:	if $e>\rho /2$ then
17:	$s_{0,i}\leftarrow 1$
18:	end if
19:	if $e<\rho /2$ then
20:	$s_{0,i}\leftarrow -1$
21:	end if
22:	$m_i\leftarrow t\cdot {\rho }^{-1}$
23:	end for
24:	$m\leftarrow \left(m_0,m_1,\dots ,m_{n-1}\right)$
25:	A send $u_{0,i}, s_{0,i}$ to B.
	Round 2 (B’s turn)
26:	$\left(c_{0,0}^{\prime },c_{0,1}^{\prime },\dots ,c_{0,n-1}^{\prime }\right)\leftarrow c_0^{\prime }$
27:	for $i=0,1,\dots ,n-1$ do
28:	$t\leftarrow c_{0,i}^{\prime }+\rho \cdot 2^{-1} \mathrm{mod} q$
29:	$e\leftarrow t \mathrm{mod} p$
30:	$u_{1,i}\leftarrow 0$	▻$Compute u_{t,i} in Equation \left(18\right)$
31:	if $e\ge E$ and $e\le \rho /2$ then
32:	$u_{1,i}\leftarrow 1$
33:	end if
34:	if $e\le \rho -E$ and $e>\rho /2$ then
35:	$u_{1,i}\leftarrow -1$
36:	end if
37:	$s_{1,i}\leftarrow 0$	▻$Compute s_{t,i} in Equation \left(19\right)$
38:	if $e>\rho /2$ then
39:	$s_{1,i}\leftarrow 1$
40:	end if
41:	if $e<\rho /2$ then
42:	$s_{1,i}\leftarrow -1$
43:	end if
44:	$v_i\leftarrow u_{0,i}+u_{1,i}$
45:	if $sign\left(v_i\right)\ne sign\left(s_{0,i}+s_{1,i}\right)$ then
46:	$v_i\leftarrow 0$
47:	end if
48:	$m_i^{\prime }\leftarrow t\cdot {\rho }^{-1}+v_i \mathrm{mod} p$
49:	end for
50:	$m^{\prime }\leftarrow \left(m_0^{\prime },m_1^{\prime },\dots ,m_{n-1}^{\prime }\right)$
52:	B sends $m^{\prime }$ to A
	Round 3 (A’s turn)
53:	$m\leftarrow m+m^{\prime }\mathrm{mod} p$	▻$which is \mathrm{Dec}\left(c^{result},s\right)$

. From Equation (17), we have $e_{0,i}=e_i-e_{1,i}+\rho \cdot v_i$. So, $v_i=0$ if $-2^{-1}\cdot \rho <e_i-e_{1,i}<2^{-1}\cdot \rho$, further suppose $e_{1,i}$ sampled uniformly from $\left(-\rho \cdot 2^{-1},\rho \cdot 2^{-1}\right]$. Then, Prob$\left\{v_i=0\right\}\ge$ 1 − |1 + e_i| · ρ⁻¹.

Suppose ${\displaystyle \sum }_i\mathrm{Prob}\left\{\mathrm{ui} \ne 0\right\}$ < ε for some sufficient small ε > 0, then m = m₀ + m₁ with probability greater than 1 − ε. Therefore, the view of Alice, which is (c′, m₀), is equal to (c′, m − m₁) with a probability Prob {u = 0} > 1 − ε. Since m₁ = F (c′, s) for some computable function F, (c′, m − m₁) = (c′, m − F (c′, s)) is not distinguishable from (r, m − F (r)) (to Alice) by RLWE assumption.

An advantage of separate decryption is that we do not need to sample e from a large uniform distribution. Its other advantage is the lower communication rate because the size of $m\prime$ is smaller than that of $c_0^{\prime }$. However, we still need to choose a relatively large q for the indistinguishability in Lemma 2.

3.3. Two Party Computation via BFV Scheme

Since BFV encryption can implement arbitrary computable function $f$ in the encryption domain, we can construct the two-party computation (2PC) protocol based on the BFV encryption scheme. That is, a 2PC protocol can be constructed in the following steps (more details are depicted in

Table 4. The 2PC Computations via the BFV Scheme.

Protocol 3.3 2PC Protocol
Party:	A	B
Input:	$a^0,a^1,\dots ,a^{n_a},s$	$b^0,b^1,\dots ,b^{n_b},pk$
Output:	$f\left(a^0,a^1,\dots ,a^{n_a},b^0,b^1,\dots ,b^{n_b}\right)$	$\perp$
	Round 1 (A’s turn)
1:	for $i=0,1,\dots ,n_a$ do
2:	$c^i\leftarrow \mathrm{EncSym}\left(a^i,s\right)$
3:	end for
4:	A sends $c^0,\dots ,c^{n_a}$ to B
5:	Round 2 (B’s turn)
6:	$c^{result}\leftarrow f\left(c^0,\dots ,c^{n_a},b^0,b^1,\dots ,b^{n_b}\right)$
	Round 3
7:	A and B perform secure decryption to decrypt $c^{result}$, and A derived  $\mathrm{Dec}\left(c^{result},s\right)=f\left(a^0,a^1,\dots ,a^{n_a},b^0,b^1,\dots ,b^{n_b}\right)$

):

Step 1. Alice encrypts her input and sends the encrypted result to Bob.

Step 2. Bob directly computes the ciphertext(s) corresponding to the result in the encryption domain and performs the secure decryption protocol to send the message to Alice.

4. A High Throughput, Semi-Honest, Secure Comparison Protocol

4.1. Improving DGK Secure Comparison Protocol via the BFV Scheme

As mentioned in Section I, the BFV scheme performs well if the target function has shallow multiplication depth. Since the multiplication depth of the function in DGK protocol is 1, we can accelerate DGK protocol via BFV encryption. We briefly describe the DGK protocol in the following:

DGK Protocol (Setup, KeyGen, Enc (Round 1, Round2), Dec)

Setup. Suppose both a and b are $l$-bit integers; say $0\le a,b<2^l$, further assume $a={\displaystyle \sum }_{i=0}^{l-1}{a}_i·2^i, b={\displaystyle \sum }_{i=0}^{l-1}{b}_i·2^i$ with $a_i,b_i\in \left\{0,1\right\}$. Our goal is to compute whether $\left(a \ge b\right) \in \left\{0, 1\right\} \triangleq \left\{False, Truth\right\}$ securely. We use the plaintext space ${\mathbb{Z}}_p,$ where $p>l+1$ is a prime number. Choose $q$ large enough for evaluation and$n$large enough for desired security level. Before the protocol starts, Alice generates the secret key $s\leftarrow \mathrm{KeyGen}( )$ and the public key $pk\leftarrow \mathrm{PubKeyGen}\left(s\right)$, and sends the public key to Bob.

Enc. (Encryption)

Round 1. Alice computes $c_i^a\leftarrow {\mathrm{EncSym}}_s\left(a_i\right)$, sends $c_i^a$ to Bob.

Round 2. Bob generates the samples$r_i\leftarrow {\mathbb{Z}}_p^{*},$ and computes

$d_i=r_i\cdot \left(a_i-b_i+1+{\displaystyle \sum }_{j>i}\left(a_j-b_j\right)\cdot 2^{j+2}\right)$ in the encryption domain and permutes the ciphertexts randomly, so the corresponding message of $c_{i }^{\mathrm{result}}$ is$d_{\sigma \left(i\right)}$.

Let $c^{result}\leftarrow {\displaystyle \sum }_{0 \le i<l }{c}_{i }^{result}·X^{\sigma \left(i\right)}$.

Dec. (Decryption)

Alice and Bob perform secure decryption, so Alice derives $d_{\sigma \left(i\right)}$, and establishes “$a<b$” if, and only if, $d_{\sigma \left(i\right)}=0$ for some $i$.

Correctness of DGK.

Notice that $d_i=0$ if and only if $a_i=0,b_i=1$, and $a_j=b_j$ for all $j>i$.

Security of DGK. Since $ri$ is uniformly sampled from ${\mathbb{Z}}_p^{*}$, $d_i=r_i · (a_i-b_i+1+{\displaystyle \sum }_{j>i}\left(a_j-b_j\right)\cdot 2^{j+2})$is uniform in ${\mathbb{Z}}_p^{*}$ whenever $d_i \ne 0$. Therefore, the vector $\left(d_{\sigma \left(i\right)}\right)~{\left({\mathbb{Z}}_p^{*}\right)}^n,$ if $a \ge b$. In the case $b>a$, there is exactly one i such that $d_{\sigma \left(i\right)}=0$. Since the permutation is random, the distribution is uniform in

$$\left\{\left(v_0,\dots ,v_{n-1}\right)\in {\mathbb{Z}}_p^n| \mathrm{Exactly} \mathrm{one} v_i=0\right\}$$

Each secure decryption protocol needs one encryption operation, so the Basic Secure Comparison Protocol (we named it Protocol 4.1 in this write-up) presented in

Table 5. The Basic Secure Comparison Protocol (or Protocol 4.1).

Protocol 4.1 Basic Secure Comparison Protocol
Party:	A	B
Input:	$a_0,\dots ,a_{l-1},s$	$b_0,\dots ,b_{l-1},pk$
Output:	$\left(a\ge b\right)$	$\perp$
	Round 1 (A’s turn)
1:	for $i=0,1,\dots ,l-1$ do
2:	$c_i^a\leftarrow \mathrm{EncSym}\left(a^i,s\right)$
3:	end for
4:	A sends $c_0^a,\dots ,c_{l-1}^a$to B
	Round 2 (B’s turn)
5:	$c^{result}\leftarrow \left(0,0\right)$
6:	$u\leftarrow \left(0,0\right)$
7:	$s\leftarrow \left\{0,1,\dots ,l-1\right\}$
8:	for $i=l-1,\dots ,0$ do
9:	$t\leftarrow \mathrm{AddPlain}\left(c_i^a,0-b_i\right)$
10:	$c\leftarrow \mathrm{Add}\left(t,u\right)$
11:	$c\leftarrow \mathrm{AddPlain}\left(c,1\right)$
12:	$r\leftarrow {\mathbb{Z}}_p^{*}$
13:	$c\leftarrow \mathrm{MulPlain}\left(c,r\right)$	▻$r\cdot \left(a_i-b_i+1+{\mathsf{\Sigma }}_{j>i}\left(a_j-b_j\right)\cdot 2^{j+2}\right)$
14:	$u\leftarrow \mathrm{Add}\left(u,\mathrm{MulPlain}\left(t,2^{i+2}\right)\right)$	▻ ${\mathsf{\Sigma }}_{j>i}\left(a_j-b_j\right)\cdot 2^{j+2}$
15:	$tmp\leftarrow i+s \mathrm{mod} l$
16:	$c^{result}\leftarrow \mathrm{Add}\left(c^{result},MulPlain\left(c,X^{tmp}\right)\right)$
17:	end for
	Round 3 Secure Decrypt $c^{result}$ to A, where the associated message would be $m^{result}={\mathsf{\Sigma }}_{i=0}^{l-1}{d}_i\cdot X^{i+s \mathrm{mod} l}$
	Round 4 (A’s Turn)
18:	$\left(m_0^{result},m_1^{result},\dots ,m_{l-1}^{result},0,\dots ,0\right)\leftarrow m^{result}$
19:	$result\leftarrow 1$
20:	for $i=0,\dots ,l-1$ do
21:	if $m_i^{result}=0$ then
22:	$result\leftarrow 0$
23:	Establish $result$

needs l + 1 encryptions for each l-bit comparison. We will present and analyze various proposed high-speed comparison protocols in the following section.

4.2. High Throughput Comparison Protocol

To enhance the performance, we will use the batching technique presented in Section 2.6 to improve the utility of the plaintext space. Recall that

${ℛ}_p\cong {\left({\mathbb{Z}}_p\left[X\right]/\left(X^d+1\right)\right)}^{n/d}$.

Given $\left(X_0,\dots ,X_{n/d-1}\right),\left(Y_0,\dots ,Y_{n/d-1}\right)\in {\left({\mathbb{Z}}_p\left[X\right]/\left(X^d+1\right)\right)}^{n/d}$, the arithmetic operations of $GF{\left(pd\right)}^{n/d}$ can be defined as (cf. see the following Elementwise Mul-Add Protocol for details):

$$\left(X_0,\dots ,X_{n/d-1}\right)+\left(Y_0,\dots ,Y_{n/d-1}\right)=\left(X_0+Y_0,\dots ,X_{n/d-1}+Y_{n/d-1}\right)$$

(20a)

$$\left(X_0,\dots ,X_{n/d-1}\right)\cdot \left(Y_0,\dots ,Y_{n/d-1}\right)=\left(X_0\cdot Y_0,\dots ,X_{n/d-1}\cdot Y_{n/d-1}\right)$$

(20b)

That is, we can implement the vector-like operation in ${\left({\mathbb{Z}}_p\left[X\right]/\left(X^d+1\right)\right)}^{n/d}.$.

Further, the function evaluated in the encryption domain should be as simple as possible. So, the only function computed in the encryption domain would be

$$f\left(a,b,b\prime \right)=a\cdot b+b\prime$$

(21)

Any other operation should be evaluated in the plaintext domain by the one who holds the secret key.

4.2.1. The Single Pair Integer Comparison Protocol

Parameters. Choose a prime $p$ such that $p=2k · \left(n/d\right)+1$ and $n/d \ge l$ for some integers k and d. Notice the plaintext space ${ℛ}_p$ is isomorphic to ${\left({\mathbb{Z}}_p\right)}^n$, and Encode_n/d and Decode_n/d are the isomorphisms between them. The following protocol can compare a pair of $l$-bit integers securely, and we named it Protocol 4.2 in this write-up for ease of discussion.

Protocol 4.2. (The Single Pair Integer Comparison Protocol)

Setup. Alice generates the secret key s and the public key pk with the parameters above. Bob generates the samples u ← {0, 1,..., n/d − 1}, r₁, r₂ ← ${ℛ}_p$ and

$r^{\prime }\leftarrow {\left({\mathbb{Z}}_p^{*}\right)}^n$. We can describe the protocol as three simple 2PC sub-protocols.

2PC-1st. Alice computes x_a1 = Encode_n/d ((a_i)_0≤i<n/d). Bob computes xb₁ = Encode_n/d ((b_i)_0≤i<n/d) and x_r1 = Encode_n/d ((r₁)_i)_0≤i<n/d).

They securely compute x_mask =x_a1 + x_b1 − 2·x_a1 ·x_b1 + x_r1 for Alice. (Notice that a_i = b_i = 0 when i ≥ l).

2PC-2nd. Alice computes Decode_n/d (x_mask) and derives ((a_i − b_i)² + (r₁)_i)_0≤i<n/d. Let x_a2 = Encode_n/d ((${\displaystyle \sum }_{j>i}{\left({\mathrm{a}}_{\mathrm{j}} - {\mathrm{b}}_{\mathrm{j}}\right)}^2$ + (r₁)_i)_0≤i<n/d). Bob computes x_b2 = Encode_n/d ((${\displaystyle \sum }_{j>i}(r_1{)}_{\mathrm{i}}$)_0≤i<n/d), x_r2 = Encode_n/d ((r₂)_i)_0≤i<n/d), and x′ = Encode_n/d ((r′)_i)_0≤i<n/d). They securely compute dmask = (x_a1 + x_a2 − x_b1 − x_b2 + Encode_n/d ((1)_0≤i<n/d)) · x′ + x_r2 for Alice (notice that (a_i − b_i)² = a_i $\oplus$ b_i).

2PC-3rd. Similarly, Alice decodes d_mask and derives (a_i −b_i + 1 + ${\displaystyle \sum }_{j>i}{\mathrm{a}}_{\mathrm{i}} \oplus {\mathrm{b}}_{\mathrm{i}}$)· (r′)_i + (r₂)_i for each 0 ≤ i < n/d. Let x_a3 = ${\displaystyle \sum }_{0\le \mathrm{i}<\mathrm{n}/\mathrm{d} }(\left({\mathrm{a}}_{\mathrm{i}} -{\mathrm{b}}_{\mathrm{i}} +1+{\displaystyle \sum }_{j>i}{\mathrm{a}}_{\mathrm{i}} \oplus {\mathrm{b}}_{\mathrm{i}}\right)· \left(r\prime \right)\mathrm{i} +{\left(r_2\right)}_{\mathrm{i}}$) · X^i·d. They securely compute d′ = (x_a3 − r₂) · X^u·d for Alice.

Finally, Alice outputs 1 if the number of i such that (d′)_i is exactly n/d; Alice outputs 0 in other cases.

Correctness of Protocol 4.2. Notice that Decode_n/d (d_mask − r₂) = ((a_i − b_i + 1 + ${\displaystyle \sum }_{j>i}{\mathrm{a}}_{\mathrm{i}} \oplus {\mathrm{b}}_{\mathrm{i}}$) · (r′)i)_0≤i<n/d which shares the same value with the d_i in Table 5, so the correctness holds for the same reason discussed in the last section.

Security of Protocol 4.2. We first notice that there are three 2PCs in our protocol; Alice derives x_mask, d_mask, and d′ from them, respectively. Since x_mask and d_mask are masked by r₁ and r₂, they behave like samples taken from a uniform distribution in the view of Alice. d′ can be simulated by examining whether (a ≥ b) ∈ {0, 1} $\triangleq${False, Truth} and s by the same arguments presented in Section 4.1, which proves the security of Bob. On the other hand, Bob’s view consists of ciphertexts, so Alice would be secure as long as the BFV scheme is secure. We depict the details of Protocol 4.2 in

Table 6. Secure Comparison Protocol for a Pair of Integers (also known as Protocol 4.2).

Protocol 4.2: $\mathrm{Sec}\mathrm{ure} \mathrm{Comparison} \mathrm{Protocol}$
Party:	A	B
Input:	$a_0,\dots ,a_{n/d-1},s$	$b_0,\dots ,b_{n/d-1},pk$
Output:	$\left(a\ge b\right)$	$\perp$
	Round 1 (A’s turn)
1:	$a\leftarrow {\mathrm{Encode}}_{n/d,{\alpha }^d}\left(\left(a_0,a_1,\dots ,a_{n/d-1}\right)\right)$
2:	$c_a\leftarrow \mathrm{EncSym}\left(a,s\right)$
3:	Sends $c_a$ to B.
	Round 2 (B’s turn, computes xor)
4:	$b\leftarrow {\mathrm{Encode}}_{n/d,{\alpha }^d}\left(\left(b_0,b_1,\dots ,b_{n/d-1}\right)\right)$
5:	$c^{round2}\leftarrow \mathrm{MulPlain}\left(c_a,-2\cdot b\right)$	▻$\left(-2\cdot a_i\cdot b_i\right)$
6:	$c^{round2}\leftarrow \mathrm{Add}\left(c^{round2},c_a\right)$	▻$\left(a_i-2\cdot a_i\cdot b_i\right)$
7:	$c^{round2}\leftarrow \mathrm{AddPlain}\left(c^{round2},b\right)$	▻$\left(a_i-2\cdot a_i\cdot b_i+b_i\right)$
8:	for $i=0,1,\dots ,l-1$ do
9:	$mas{k}_i\leftarrow \left\{0,1,\dots ,p-1\right\}$
10:	end for
11:	$mask\leftarrow {\mathrm{Encode}}_{n/d,{\alpha }^d}\left(\left(mas{k}_0,\dots ,mas{k}_{n/d-1}\right)\right)$
12:	$c^{round2}\leftarrow \mathrm{AddPlain}\left(c^{round2},mask\right)$
13:	Secure Decrypt ${\mathrm{c}}^{round2}$ for A
14:	Round 3 (A’s turn, computes ${\displaystyle \sum }_{j>i}{\left(a_j-b_j\right)}^2\cdot j^{t+2}$
15:	Derived $a_i-2\cdot a_i\cdot b_i+b_i+mas{k}_i$ from secure decryption
16:	$u\leftarrow 0$
17:	for $i=n/d-1,\dots ,0$ do
18:	$x_i\leftarrow u+a_i+1$
19:	$u\leftarrow u+\left(a_i-2\cdot a_i\cdot b_i+b_i+mas{k}_i\right)\cdot 2^{i+2}$
20:	end for
21:	$x\leftarrow {\mathrm{Encode}}_{n/d,{\alpha }^d}\left(\left(x_0,\dots ,x_{n/d-1}\right)\right)$
22:	$c_x\leftarrow \mathrm{EncSym}\left(x,s\right)$
23:	Sends $c_x$ to B.
	Round 4 (B’s turn, compute $r_i\cdot \left(a_i-b_i+1+{\displaystyle \sum }_{j>i}{\left(a_j-b_j\right)}^2\cdot 2^{j+2}\right)$
24:	$u\leftarrow 0$
25:	for $i=n/d-1,\dots ,0$ do
26:	$t_i\leftarrow u$
27:	$u\leftarrow u+mas{k}_i\cdot 2^{i+2}$
28:	end for
29:	$t\leftarrow {\mathrm{Encode}}_{n/d,{\alpha }^d}\left(\left(t_0,t_1,\dots ,t_{n/d-1}\right)\right)$
30:	$c_x\leftarrow \mathrm{AddPlain}\left(c_x,-t\right)$	▻ remove the mask
31:	$c^{round4}\leftarrow \mathrm{AddPlain}\left(c_x,-b\right)$
32:	for $i=n/d-1,\dots ,0$ do
33:	$r_i\leftarrow {\mathbb{Z}}_p^{*}$
34:	$mas{k}_i\leftarrow \left\{0,1,\dots ,p-1\right\}$
35:	end for
36:	$r\leftarrow {\mathrm{Encode}}_{n/d,{\alpha }^d}\left(\left(r_0,\dots ,r_{n/d-1}\right)\right)$
37:	$mask\leftarrow {\mathrm{Encode}}_{n/d,{\alpha }^d}\left(\left(mas{k}_0,\dots ,mas{k}_{n/d-1}\right)\right)$
38:	$c^{round4}\leftarrow \mathrm{MulPlain}\left(c^{round4},r\right)$
39:	▻ $d_i=r_i\cdot \left(a_i-b_i+1+{\displaystyle \sum }_{j>i}{\left(a_j-b_j\right)}^2\cdot 2^{j+2}\right)$
40:	$c^{round4}\leftarrow \mathrm{AddPlain}\left(c^{round4},mask\right)$
	Secure Decrypt ${\mathrm{c}}^{round4}$ for A
41:	Round 5. (A’s turn, convert message to polynomial mod for rotation)
42:	Derived $d_i$ from secure decryption
43:	$c_d\leftarrow \mathrm{EncSym}\left(\left(d_0,0,..,0,d_1,0,\dots ,0,d_{n/d-1},0,\mathrm{..0}\right),s\right)$
44:	▻ non-batch format, 1 message followed by d-1 zeros
	Sends $c_d$ to B.
45:	Round 6 (B’s turn, randomly rotate)
46:	$mask\leftarrow \left(mas{k}_0,0,\dots ,0,mas{k}_i,0,\dots ,0,mas{k}_{n/d-1},0,\dots ,0\right)$
47:	▻ put $mas{k}_i$ as the $i\cdot d$-th coefficient
48:	$c_d\leftarrow \mathrm{AddPlain}\left(c_d,-mask\right)$	▻ remove the mask
49:	$r\leftarrow \left\{0,\dots ,n/d-1\right\}$
	$r\leftarrow r\cdot d$
50:	$c^{round6}\leftarrow \mathrm{MulPlain}\left(c_d,X^r\right)$
51:	Secure Decrypt $c^{round6}$ for A
52:	Round Final. (A’s turn, establish result), suppose $m^{round6}=\mathrm{Dec}\left(c^{round6},s\right)$
53:	$\left(m_0^{round6},\dots ,m_n^{round6}\right)\leftarrow m^{round6}$
54:	$\delta \leftarrow 1$
55:	for $i=n/d-1,\dots ,0$ do
56:	if $m_{i\cdot d}^{round6}=0$ then
57:	$\delta \leftarrow 0$
58:	end if
59:	end for
60:	Establish $\delta$

.

4.2.2. The Protocol for Comparing Pairs of Integers Simultaneously

The plaintext space has the best utilization when $n=l$, while $n \ge 1024$ in most practical use cases; however, we rarely need to compare such a large integer. We now modify Protocol 4.2 to compare $k$ pairs of $n/k$-bit integers simultaneously. For making a differentiation, we called this modified version Protocol 4.3 in this write-up.

Assume Alice’s inputs are $a_{i,j}\in \left\{0,1\right\}$ and Bob’s inputs are $b_{i,j}\in \left\{0,1\right\}$ where $0\le i<k,0\le j<n/k$—our goal is to find the order relationships between $a_i={\displaystyle \sum }_j{a}_{i,j}\cdot 2^j$ and $b_i={\displaystyle \sum }_j{b}_{i,j}\cdot 2^j$, denoted by ${\delta }_i=\left(a_i\ge b_i\right)\in \left\{0,1\right\}$. We can complete this task by following almost the same steps in Table 6.

Protocol 4.3. (The Protocol for Comparing Pairs of Integers Simultaneously)

Setup. The same as Protocol 4.2.

2PC-1st. Alice computes x_a1 = Encode_n ((a_ij)_0≤i<k, 0≤j<n/k). Bob computes x_b1 = Encode_n((b_ij)_{0≤i<k,0≤j<n/k}) and x_r1 = Encode_n(r₁). They securely compute

x_mask =x_a1 +x_b1 − 2·x_a1 ·x_b1 +x_r1 for Alice.

2PC-2nd. Alice computes Decoden(x_mask) to derive ((a_ij − b_ij)² + (r₁)_ij)_{0≤i<k,0≤j<n/k}.

Let x_a2 = Encode_n ((${\displaystyle \sum }_{t>j}{\left({\mathrm{a}}_{\mathrm{it}} - {\mathrm{b}}_{\mathrm{it}}\right)}^2$ + (r₁)_it)_{0≤i<k,0≤j<n/k}). Bob computes

x_b2 = Encode_n ((${\displaystyle \sum }_{t>j}{\left(r_1\right)}_{\mathrm{it}}$)_{0≤i<k,0≤j<n/k}), x_r2 = Encode_n(r₂), and

x′ = Encode_n(r′). They securely compute

dmask = (x_a1 + x_a2 − x_b1 − x_b2 + Encode_n((1)_{0≤i<k,0≤j<n/k})) · x′ + x_r2 for Alice.

(Notice that (a_i − b_i)² = ai $\oplus$ b_i)

2PC-3rd. Similarly, Alice decodes dmask and derives (a_ij −b_ij + 1 + ${\displaystyle \sum }_{t>j}\left({\mathrm{a}}_{\mathrm{it}} \oplus {\mathrm{b}}_{\mathrm{it}}\right)$)· (r′)_ij + (r₂)_ij, for each 0 ≤ i < n/d. Let x_a3 = Encode_k ((${\displaystyle \sum }_{0 \le j< \mathrm{n}/\mathrm{k}}{\left(d_{\mathrm{mask}}\right)}_{\mathrm{ij}}$· X^j)_0≤i<k).

Bob computes x_b3 = Encode_k ((${\displaystyle \sum }_{0\le j<\mathrm{n}/\mathrm{k}}{\left(r_2\right)}_{\mathrm{j}}$· X^j)_0≤i<k), xu = Encode_k ((X^ui)_0≤i<k) They securely compute d′ = (x_a3 − x_b3) · x_u for Alice.

Finally, Alice derives d′_ij from the 2PC-3rd. Let δ_i = 0 if there is some j, such that d′_ij = 0, and δ_i = 1 in other cases. Output (δ_i)_0≤i<k.

Notice that the major difference between Protocols 4.2 and 4.3 is in the 2PC-3rd step. We need to rotate (d_ij)_0≤j<n/k by u_i for each 0 ≤ i < k simultaneously, so we compute the encoded version of (${\displaystyle \sum }_{0\le j<\mathrm{n}/\mathrm{k}}{\left(d\right)}_{\mathrm{ij}}$·X^j)_0≤i<k, and rotate it by multiplying the encoded version of (X_ui)_0≤i<k. We summarize the detailed processing steps of Protocol 4.3 in

Table 7. The Information Flow and Processing Steps of Protocol 4.3.

Protocol 4.3: $\mathrm{Sec}\mathrm{ure} \mathrm{Comparison} \mathrm{Protocol} \mathrm{for}$ k-pairs
Party:	A	B
Input:	${\left(a_{ij}\right)}_{0\le i<k,0\le j<n/k},s$	${\left(b_{ij}\right)}_{0\le i<k,0\le j<n/k},pk$
Output:	$\left(a_i\ge b_i\right)$	$\perp$
	Round 1 (A’s turn)
1:	$a\leftarrow {\mathrm{Encode}}_{n,\alpha }\left(\left(a_{0,0},a_{0,1},\dots ,a_{k-1,n/k-1}\right)\right)$
2:	$c_a\leftarrow \mathrm{EncSym}\left(a,s\right)$
3:	Sends $c_a$ to B.
	Round 2 (B’s turn, computes XoR)
4:	$b\leftarrow {\mathrm{Encode}}_{n,\alpha }\left(\left(b_{0,0},b_{0,1},\dots ,b_{k-1,n/k-1}\right)\right)$
5:	$c^{round2}\leftarrow \mathrm{MulPlain}\left(c_a,-2\cdot b\right)$	▻$\left(-2\cdot a_{ij}\cdot b_{ij}\right)$
6:	$c^{round2}\leftarrow \mathrm{Add}\left(c^{round2},c_a\right)$	▻$\left(a_{ij}-2\cdot a_{ij}\cdot b_{ij}\right)$
7:	$c^{round2}\leftarrow \mathrm{AddPlain}\left(c^{round2},b\right)$	▻$\left(a_{ij}-2\cdot a_{ij}\cdot b_{ij}+b_{ij}\right)$
8:	for $i=0,1,\dots ,k-1$ do
9:	for $j=0,1,\dots ,n/k-1$ do
10:	$mas{k}_{ij}\leftarrow \left\{0,1,\dots ,p-1\right\}$
11:	end for
12:	end for
13:	$mask\leftarrow {\mathrm{Encode}}_{n,\alpha }\left(\left(mas{k}_{0,0},\dots ,mas{k}_{k-1,n/k-1}\right)\right)$
14:	$c^{round2}\leftarrow \mathrm{AddPlain}\left(c^{round2},mask\right)$
15:	Secure Decrypt ${\mathrm{c}}^{round2}$ for A
	Round 3 (A’s turn, computes ${\displaystyle \sum }_{t>j}{\left(a_{it}-b_{it}\right)}^2\cdot 2^{t+2}$
16:	Derived $a_{ij}-2\cdot a_{ij}\cdot b_{ij}+b_{ij}+mas{k}_{ij}$ from secure decryption
17:	for $i=0,1,\dots ,k-1$ do
18:	$u\leftarrow 0$
19:	for $t=n/k-1,\dots ,0$ do
20:	$x_{it}\leftarrow u+a_{it}+1$
21:	$u\leftarrow u+\left(a_{it}-2\cdot a_{it}\cdot b_{it}+b_{it}+mas{k}_{it}\right)\cdot 2^{t+2}$
22:	end for
23:	end for
24:	$x\leftarrow {\mathrm{Encode}}_{n,\alpha }\left(\left(x_{0,0},\dots ,x_{k-1,n/k-1}\right)\right)$
25:	$c_x\leftarrow \mathrm{EncSym}\left(x,s\right)$
26:	Sends $c_x$ to B.
27:	Round 4 (B’s turn, compute $r_{ij}\cdot \left(a_{ij}-b_{ij}+1+{\displaystyle \sum }_{t>j}{\left(a_{it}-b_{it}\right)}^2\cdot 2^{t+2}\right)$
28:	$u\leftarrow 0$
29:	for $i=0,1,\dots ,k-1$ do
30:	$u\leftarrow 0$
31:	for $j=0,1,\dots ,n/k-1$ do
32:	$t_{ij}\leftarrow u$
33:	$u\leftarrow u+mas{k}_{ij}\cdot 2^{j+2}$
34:	end for
35:	end for
36:	$t\leftarrow {\mathrm{Encode}}_{n/d,{\alpha }^d}\left(\left(t_{0,0},\dots ,t_{k-1,n/k-1}\right)\right)$
37:	$c_x\leftarrow \mathrm{AddPlain}\left(c_x,-t\right)$	▻ remove the mask
38:	$c^{round4}\leftarrow \mathrm{AddPlain}\left(c_x,-b\right)$
39:	for $i=0,1,\dots ,k-1$ do
40:	for $j=0,1,\dots ,n/k-1$ do
41:	$mas{k}_{ij}\leftarrow \left\{0,1,\dots ,p-1\right\}$
42:	$r_{ij}\leftarrow {\mathbb{Z}}_p^{*}$
43:	end for
44:	end for
45:	$r\leftarrow {\mathrm{Encode}}_{n,\alpha }\left(\left(r_{0,0},\dots ,r_{k-1,n/k-1}\right)\right)$
46:	$mask\leftarrow {\mathrm{Encode}}_{n,\alpha }\left(\left(mas{k}_{0,0},\dots ,mas{k}_{k-1,n/k-1}\right)\right)$
47:	$c^{round4}\leftarrow \mathrm{MulPlain}\left(c^{round4},r\right)$
48:	▻ $d_{ij}=r_{ij}\cdot \left(a_{ij}-b_{ij}+1+{\displaystyle \sum }_{t>j}{\left(a_{it}-b_{it}\right)}^2\cdot 2^{t+2}\right)$
49:	$c^{round4}\leftarrow \mathrm{AddPlain}\left(c^{round4},mask\right)$
50:	Secure Decrypt ${\mathrm{c}}^{round4}$ for A
51:	Round 5. (A’s turn, convert message to polynomial mod for rotation)
52:	Derived $d_i$ from secure decryption
53:	$d\leftarrow {\mathrm{Encode}}_{k,{\alpha }^{n/k}}\left(\left(d_{0,0},\dots ,d_{k-1,n/k-1}\right)\right)$
54:	▻ $k$-batch of degree $n/k-1$ polynomials
55:	$c_d\leftarrow \mathrm{EncSym}\left(d,s\right)$
	Sends $c_d$ to B.
	Round 6 (B’s turn, randomly rotate)
57:	$mask\leftarrow {\mathrm{Encode}}_{k,{\alpha }^{n/k}}\left(\left(mas{k}_{0,0},\dots ,mas{k}_{k-1,n/k-1}\right)\right)$
58:	$c_d\leftarrow \mathrm{AddPlain}\left(c_d,-mask\right)$	▻ remove the mask
59:	for $i=0,1,\dots ,k-1$ do
60:	$r_i\leftarrow \left\{0,1,\dots ,n/k-1\right\}$
61:	$e_i\leftarrow \left(0,\dots ,0,1,0,\dots ,0\right)$
62:	▻ length is $n/k$, only $r_i$-th entry is 1
63:	end for
64:	$e\leftarrow {\mathrm{Encode}}_{k,{\alpha }^{n/k}}\left(\left(e_0,e_1\dots ,e_{k-1}\right)\right)$
65:	$c^{round6}\leftarrow \mathrm{MulPlain}\left(c_d,e\right)$
66:	Secure Decrypt $c^{round6}$ for A
	Round Final. (A’s turn, establish result), suppose $m^{round6}=\mathrm{Dec}\left(c^{round6},s\right)$
67:	$\left(m_{0,0}^{round6},\dots ,m_{k-1,n/k-1}^{round6}\right)\leftarrow m^{round6}$
68:	for $i=0,1,\dots ,k-1$ do
69:	${\delta }_i\leftarrow 1$
70:	for $j=0,1,\dots ,n/k-1$ do
71:	if $m_{ij}^{round6}=0$ then
72:	${\delta }_i\leftarrow 0$
73:	end if
74:	end for
75:	end for
76:	Establish ${\delta }_i$

.

5. Experiment Results

5.1. Encryption Schemes

Since the performance of an HE-based secure comparison protocol is strongly related to which homomorphic encryption scheme it used, we examine the performances of Paillier, standard-RSA, subgroup-RSA in [5], and subgroup-RSA in [7] in

Table 8. Execution Time of Each One of the Benchmarked Encryption Schemes. (Runs ib [email protected] with security level 128, unit ms).

Schemes	Plaintext Space	Enc	Dec	KeyGen	Add	MulPlain
Paillier	${\mathbb{Z}}_p$	22.98	7.756	1871	0.021	-
RSA	${\mathbb{Z}}_p$	0.079	2.216	1792	-	0.008
RSA [5]	${\mathbb{Z}}_{37}$	0.692	0.209	1038	0.002	-
RSA [7]	${\mathbb{Z}}_{2^{256}}$	0.685	55.49	1325	0.002	-
BFV	${\mathbb{Z}}_{193}/\left(X^{1024}+1\right)$	0.459	0.055	0.360	0.002	0.065
BFV-opt	${\mathbb{Z}}_{193}/\left(X^{1024}+1\right)$	0.251	0.060	0.198	0.002	0.058

. Notice that Paillier is used in the earlier version of DGK protocol [2], subgroup-RSA is used in the DGK [4] and the CEK protocols. BFV scheme is used to build our comparison protocols. Notice that the decryption of subgroup-RSA needs to implement a discrete logarithm on the plaintext space, so the plaintext space needs to be very small (for a ciphertext c in subgroup-RSA, we may decrypt c by computing m = (logg cS) · S⁻¹ for some secret key S and public key g, namely, cS = gmS. Since DGK protocol needs only to determine whether the message is zero, Alice does not need to perform discrete logarithms to derive the direct value of m).

In [7], the authors claimed that if the plaintext space is bd for some small prime b, then they can implement discrete logarithms effectively. However, the speed of decryption is still much slower than that of the encryption without the aid of a sizeable pre-computed table. In the experiment of CEK protocol, we exclude the decryption time since the discrete logarithm is not necessary in their protocol.

We use the GMP library to implement the operations of big numbers. Although the codes run on Golang (Reference code: https://github.com/howard-kuo/cek_protocol/blob/master/rsaCek.go accessed on 18 February 2023), the performance would not be very different from the codes written on C directly. Our claim comes from the fact that the major computation cost lies in operations for evaluating big numbers. Furthermore, those operations are implemented by GMP, which is an efficient c-base library. Moreover, we use the Microsoft SEAL library in C++ to implement the BFV encryption scheme. Since the main computational bottleneck of our protocols is it to draw the samples from a discrete Gaussian distribution χ, we do some optimization on the sampler, as follows:

Since Prob {|χ| > 19} = 0 in the implementation of SEAL, we can store the commutative density function at each point (i.e., CDF(x) = Prob {χ > x} for −19 ≤ x ≤ 19). We may draw a sample from χ by the following function:

DiscreteGaussianSampler():

  u ← {0, 1, ..., 2³² −1}·2⁻³²

  x = arg max{y ∈ {−19, ..., 19} | CDF(y) > u}

Return x

We denote the optimized BFV implementation as “BFV-opt” in Table 8.

5.2. Performance Analyses

5.2.1. Computational Cost

The execution time of the DGK protocol, CEK protocol, and our protocols are shown in

Table 9. The Execution Time of Each One of the Benchmarked Secure Comparison Protocols. (Runs ib [email protected] with security level 128, unit ms, notice $\beta =O\left(\log \log n\right),p\left(\lambda \right)$ is the time complexity of subgroup-RSA).

Schemes	Secure Decryption	Round	Complexity	32-Bit	2048-Bit	4096-Bit
Protocol 4.1	Protocol 3.2	4	$\tilde{O}\left(\lambda \cdot l\right)$	7.496	479.7	966.6
Protocol 4.1	Protocol 3.1	2	$\tilde{O}\left(\lambda \cdot l\right)$	15.45	1000	1996.6
Protocol 4.3	Protocol 3.2	8	$\tilde{O}\left(\lambda +l\right)$	1.686	4.246	-
Protocol 4.3	Protocol 3.1	6	$\tilde{O}\left(\lambda +l\right)$	-	-	12.06
DGK [10]	Add Encryption Zero	2	$\tilde{O}\left(p\left(\lambda \right)\cdot l\right)$	55.71	3488	6766
CEK [7]	Add Encryption Zero	3~5	$\tilde{O}\left(p\left(\lambda \right)\cdot l\cdot {\beta }^{-1}\right)$	28.16	1696	3471

. Recall that DGK protocol uses RSA proposed in [5], CEK protocol uses RSA proposed in [7], and our protocols use an optimized BFV scheme. We use 3072-bit ciphertexts in DGK and CEK protocols (we use the same parameters and algorithms described in [6], and the parameters of our protocol depend on the size of compared integers and the secure decryption protocol we used. As discussed in Chapter 3, Alice may learn other information from the ciphertext generated by Bob. We suggest the reader uses two times the bit length for the security level they claimed (i.e., log2 n = 6144)). As discussed in Section 3.2, in the Secure Decryption portion, Protocol 3.1 needs to use a larger q to achieve indistinguishability; nevertheless, Protocol 3.2 needs to assume further that Bob cannot break the encryption system with some hint of the errors. As a result, Protocol 4.1 uses n = 1024, log2q = 27 and n = 2048, log2q = 55, respectively. Protocol 4.3 uses n = 1024, log2 q = 27 for 32-bit comparison; n = 2048, log2 q = 55 for 2048-bit comparison; n = 4096, log2 q = 109 for 4096-bit comparison, respectively.

It might sound weird when the ciphertext size, which is n · log₂ q, grows quadratic to n in the specific case in Table 9, but the execution time is not (cf. Figure 3). This is because the main computational cost is spent on sampling pseudo-random numbers, and the number of random numbers is linear to n.

5.2.2. Communication Cost

Ciphertexts in the BFV scheme have size 2 · n · log₂ q. In Protocol 4.1, we need to send l + 1 ciphertext in total, and in Protocol 4.2, we need to send 6 ciphertexts. The DGK protocol needs to send 2 · l ciphertexts, and CEK protocols need to send about 2 · l · 8⁻¹ ciphertexts (2 · l · 8⁻¹ RSA ciphertexts and 2 ECC ciphertexts).

We examine their required communication costs and report the results in

Table 10. Communication Rate of Each One of the Secure Comparison Protocols with Security Level 128 (for short l, i.e., 0 ≤ l < 32).

Schemes	Parameters	Ciphertext Size (KB)	Communication Cost (KB)
Protocol 4.1	n = 1024, log2 q = 27	6.75	6.75·(l+1)
Protocol 4.2	n = 1024, log2 q = 27	6.75	40.5
DGK [10]	log2 N = 3072	0.375	0.65 · l
CEK [7]	log2 N = 3072	0.375	0.08125 · l

and

Table 11. Communication Rates for Larger l (i.e., for l = 32, 2048, and 4096).

Schemes	l = 32 (KB)	l = 2048 (KB)	l = 4096 (KB)
Protocol 4.1	222.75	13,830.75	27654.75
Protocol 4.2	40.5	165	652.4
DGK [10]	24	1536	3072
CEK [7]	3	196	384

, respectively. Since the ciphertext size of the BFV scheme is much larger than that of the RSA, RSA’s communication rate is more extensive than the CEK or DGK protocol when l is small. On the other hand, Protocol 4.2 needs only constant-size ciphertexts, and it would have a better communication rate than the others when l is large. For ease of comparison, we also show the tendency in required communication rates of the two proposed protocols in Figure 4.

5.3. Remarks on Recently Published Related Works [22,23,24,25]

Badawi et al. [22] applied their vector operation-based multi-GPU Levelled-FHE to implement the inference circuit of two CNNs to perform homomorphically image classification on encrypted images from the MNIST and CIFAR 10 datasets. Their implementation gained 1 to 3 orders of magnitude speed-up compared with the CPU implementation on ordinary vector/polynomial operations. Further, Ref. [22] presented data parallelism approaches and applied workload partitioning methods to implement a variant of the BFV scheme on the NVIDIA K80 and P100 GPU clusters. Likewise, Ref. [23] worked toward speeding up the NTT, INTT, and NTT-based polynomial multiplication operations on various GPU platforms and reported that the encryption and the decryption operations of the BFV scheme on Microsoft’s SEAL library could be more than 100 times faster than on its Intel i9-7900X CPU counterpart. More positively, a single NTT operation for polynomials of degree 32768 with 61-bit coefficients can reach the ten-microsecond range on Nvidia GTX and Tesla series GPUs. These encouraging results give us confidence that with the aid of GPU’s computing power, the applicability of our protocol will be primarily enhanced (notice that our computing platform is Intel i5 CPU families only).

In our experiment, the execution time of a single BFV encryption of degree 32,768 is longer than that of our secure comparison protocol (with degree 1024, security level 128). Reducing the complexity of the target function and the ciphertext size is the core idea of our protocol. In more detail, if n = 8192, q has 109 bits, experimentally, a single encryption time cost of SEAL exceeds 10ms in our experimental settings. Under this circumstance, it would be hard to construct a comparison protocol that needs less than 12 ms execution time. On the other hand, 12 ms is the whole time needed for our 4096-bit protocol. This result comes from the fact that, for the same given degree n, a matrix-based LWE encryption would be slower than its polynomial counterpart because the respective time complexities are n² and n log n.

Specific to the encryption domain comparison, Ref. [24] designed an integer-and-FHE-based private database query (PDQ) protocol supporting compound conditions with equality and order comparisons, which scales efficiently for the length of input integers by applying techniques from the finite field theory. According to [24], the comparison algorithm needs about 25.259 s to compare 697 pairs of 64-bit integers using the BGV-level FHE scheme with SIMD techniques at more than 138 bits of security. This yields an amortized rate of just 36 ms per comparison. In contrast, Ref. [25] showed that FHE schemes suitable for arithmetic circuits (e.g., BGV or BFV) have a similar performance as FHE schemes for non-arithmetic circuits (such as the TFHE) in basic comparison tasks such as less-than, maximum, and minimum operations. Ref. [25] reported that the execution of the less-than function in the HElib library is up to 3 times faster than the prior work [24] based on BGV/BFV schemes. In [21], comparing a pair of 64-bit integers, sorting 64 32-bit integers, and finding the minimum of 64 32-bit integers can be completed in 11 milliseconds, in 19 s, and in 9.5 s, respectively, on an average laptop without multi-threading. In contrast, our comparison protocol can compare 64 pairs of 64-bit integers in 12.06 ms, which yields an amortized cost of 0.188ms. An intuitive reason for better performance is that the degree of our ciphertext is much smaller (n = 4096). On the other hand, we can only implement an elementary target function in the encryption domain since the ciphertext is tiny, forcing our protocol into a higher round of complexity (say, six rounds).

5.4. Summary

The computational cost of the proposed algorithms can be lower than that of the other protocols in most cases, while the communicational cost is much higher. With the rapid growth of internet speed, our protocol can be more practical than the others. Suppose the users attempt to compare many pairs of integers securely. In that case, the method introduced in Section 3.1 provides a solution to compare them securely with almost the same execution time examined in Section 5.2, which has lower communication costs and a faster execution speed than DGK and CEK protocols. Concrete execution times and speed-up ratios of various FHE operators have been reported above; however, those values depend on specific parameters, target functions, hardware configurations, and software implementation techniques adopted at the experiments.

Moreover, working with FHE also introduces significant engineering challenges in practice. Different schemes offer varying performance tradeoffs, and optimal choices are heavily application-dependent. In other words, judging the competing approaches’ superiority is only possible and fair with a standard testing environment and a common target task.

6. Conclusions

Homomorphic encryption enables end-to-end data security by performing computations directly on ciphertexts without needing in-advance decryption. However, due to the unavoidable ciphertext expansion and complicated error-controlling mechanisms, richness in computational and storage resources play dominating roles in the success of applying a homomorphic cryptosystem in real-world applications.

Comparison is a standard function required in many applications concerning orders of involved items; consequently, its homomorphic evaluation has been the object of many FHE-related works. Since inputs are encrypted, an HE-based comparison algorithm cannot terminate, like its plaintext domain counterpart, whenever it finds the first difference between the most significant bits. Comparison is a standard function required in many applications concerning orders of involved items; consequently, its homomorphic evaluation has been the object of many FHE-related works. Since inputs are encrypted, an HE-based comparison algorithm cannot terminate, like its plaintext domain counterpart, whenever it finds the first difference between the most significant bits. As a result, HE-based comparisons correspond to the worst-case complexity in the plain domain.

This work presents a fast, semi-honest, secure comparison protocol based on the BFV encryption scheme. With its vector-like plaintext space and the aid of batching technique, the number of required encryptions can be significantly reduced; each comparison needs only six encryptions in our protocol. In other words, the proposed protocol can achieve the time complexity for a given security parameter λ. As a result, 4096-bit integers can be securely compared within 12.08 ms, which is much faster than the state-of-the-art homomorphic encryption-based secure comparison protocol. Furthermore, we can compare k pairs of bit integers with almost the same execution time as comparing bit integers and achieve higher throughput regardless of the compared integer size.

As for our future work, shortly, we will conduct and examine the following research topics to better the overall BFV scheme’s performance:

(i). For every 2PC protocol with some task f, we may decompose f into simple subtasks, as we have addressed in Section IV, implying that those protocols can be sped up further via BFV encryption.

(ii). The computational bottleneck of our protocols comes mainly from the execution of random number sampling because the cryptographic hash function is much slower than generating RLWE samples in the implementation of SEAL. We can generate pseudo-random numbers by generating RLWE samples, accelerating the proposed protocol furthermore.

Notably, in machine learning, FHE has been used for tasks ranging from linear and logistic regression to Encrypted Neural Network inference. For example, FHE may be critical in running privacy-preserving ML-as-a-Service (MLasS) applications. Consequently, there has been increasing interest in FHE-based secure computation solutions. This tendency explains why Gartner [29] projected that “by 2025, at least 20% of companies will have a budget for projects that include FHE.” Therefore, how to embed our fast, secure comparison protocol to enhance appropriate MLasS applications will undoubtedly be one of our future research topics.