# Secure Computation of the Median (and Other Elements of Specified Ranks)

## Abstract

We consider the problem of securely computing the *k*th-ranked element of the union of two or more large, confidential data sets. This is a fundamental question motivated by many practical contexts. For example, two competitive companies may wish to compute the median salary of their combined employee populations without revealing to each other the exact salaries of their employees. While protocols do exist for computing the *k*th-ranked element, they require time that is at least linear in the sum of the sizes of their combined inputs. This paper investigates two-party and multi-party protocols for both the semi-honest and malicious cases. In the two-party setting, we prove that the problem can be solved in a number of rounds that is logarithmic in *k*, where each round requires communication and computation cost that is linear in *b*, the number of bits needed to describe each element of the input data. In the multi-party setting, we prove that the number of rounds is linear in *b*, where each round has overhead proportional to *b* multiplied by the number of parties. The multi-party protocol can be used in the two-party case. The overhead introduced by our protocols closely matches the communication complexity lower bound. Our protocols can handle a malicious adversary via simple consistency checks.

### Keywords

Secure function evaluation, Secure multi-party computation, *k*th-ranked element, Median, Semi-honest adversary, Malicious adversary
