Round-Efficient Private Stable Matching from Additive Homomorphic Encryption

Conference paper. In: Information Security

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7807))

Abstract

In the present paper, we propose private stable matching protocols to solve the stable marriage problem with the round complexity \(O(n^2)\), where n is the problem size. In the multiparty setting, the round complexity of our protocol is better than all of the existing practical protocols. We also implement our protocol on a standard personal computer, smartphones, and tablet computers for experimental performance evaluation. Our protocols are constructed by using additive homomorphic encryption only, and this construction yields improved round complexity and implementation-friendliness. To the best of our knowledge, our experiment is the first implementation report of a private stable matching protocol that has a feasible running time.

References

  1. Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols (extended abstract). In: Ortiz, H. (ed.) STOC, pp. 503–513. ACM (1990)

  2. Damgård, I.B., Fitzi, M., Kiltz, E., Nielsen, J.B., Toft, T.: Unconditionally secure constant-rounds multi-party computation for equality, comparison, bits and exponentiation. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 285–304. Springer, Heidelberg (2006)

  3. Damgård, I., Jurik, M.: A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 119–136. Springer, Heidelberg (2001)

  4. ECRYPT II: Yearly report on algorithms and keysize (2011–2012), September 2012. http://www.ecrypt.eu.org/

  5. El Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985)

  6. Fouque, P.-A., Poupard, G., Stern, J.: Sharing decryption in the context of voting or lotteries. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 90–104. Springer, Heidelberg (2001)

  7. Franklin, M.K., Gondree, M., Mohassel, P.: Improved efficiency for private stable matching. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 163–177. Springer, Heidelberg (2006)

  8. Franklin, M.K., Gondree, M., Mohassel, P.: Multi-party indirect indexing and applications. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 283–297. Springer, Heidelberg (2007)

  9. Gale, D., Shapley, L.S.: College admissions and the stability of marriage. Am. Math. Mon. 69(1), 9–15 (1962)

  10. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. J. Crypt. 20(1), 51–83 (2007)

  11. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)

  12. Golle, P.: A private stable matching algorithm. In: Di Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 65–80. Springer, Heidelberg (2006)

  13. Golle, P., Juels, A.: Parallel mixing. In: Atluri, V., Pfitzmann, B., McDaniel, P.D. (eds.) ACM Conference on Computer and Communications Security, pp. 220–226. ACM (2004)

  14. Google, Open Handset Alliance: Android developers. http://developer.android.com/

  15. Gusfield, D., Irving, R.W.: The Stable Marriage Problem: Structure and Algorithms. The Foundations of Computing. MIT Press, Cambridge (1989)

  16. Lipmaa, H.: Verifiable homomorphic oblivious transfer and private equality test. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 416–433. Springer, Heidelberg (2003)

  17. Naor, M., Nissim, K.: Communication preserving protocols for secure function evaluation. In: Vitter, J.S., Spirakis, P.G., Yannakakis, M. (eds.) STOC, pp. 590–599. ACM (2001)

  18. NIST: Special publication 800–57, recommendation for key management - part 1: General (revision 3), July 2012. http://csrc.nist.gov/publications/PubsSPs.html

  19. Oracle: Java.com. http://java.com/

  20. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)

  21. Stern, J.P.: A new and efficient all-or-nothing disclosure of secrets protocol. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 357–371. Springer, Heidelberg (1998)

  22. Yao, A.C.C.: How to generate and exchange secrets (extended abstract). In: FOCS, pp. 162–167. IEEE Computer Society (1986)

Acknowledgements

The work is supported by FIRST program and Grant-in-Aid 12913388. The authors would like to thank Jacob Schuldt, Nuttapong Attrapadung, and Naoto Yanai for the valuable discussion and comments. We also thank the members of Shin-Akarui-Angou-Benkyou-Kai and the anonymous reviewers of ISC 2013 for their valuable discussion and comments.

Corresponding author

Correspondence to Tadanori Teruya.

Appendices

A Initialization of the Proposed Protocol

The initialization step is performed by the matching authorities after the input submission step. To reduce the complexities, the bids are initialized using the single-free-man technique introduced by Franklin et al. [7]. An explicit overview of the initialization step for the proposed bid design follows.

The initialization step consists of (1) modification of input encrypted preferences, (2) generation of dummy encrypted preferences, and (3) initialization of the fifth element of bids. After the input submission step, if the numbers of men and women are not the same, the matching authorities then generate and insert random preferences into the set that has fewer participants. Next, the matching authorities modify the encrypted preferences and generate the encrypted preferences of \(n+1\) fake men and n fake women as follows:

(4)
(5)

where \(\mathord {\varvec{a}}_i\) and \(\mathord {\varvec{b}}_j\) are encrypted preferences of man \(A_i\) and woman \(B_j\), respectively. The ciphertexts of Parts 1 through 6 in Eqs. (4) and (5) are permutation vectors defined in Table 4, and all of the elements in the permutation vectors are encrypted. Then, all of the preferences are ordered as follows. The first n men and women are the true participants of the stable marriage problem. The remaining \(n+1\) men and n women are fake men and women. After the above modification, there are \(2n+1\) men’s encrypted preferences and 2n women’s encrypted preferences.

Table 4. Range of plaintext at Parts 1–6 in Eqs. (4) and (5).

Then, the matching authorities form \(2n+1\) vectors \(\mathord {\varvec{q}}_0,\mathord {\varvec{q}}_1,\ldots ,\mathord {\varvec{q}}_{2n}\) from the 2n vectors \(\mathord {\varvec{b}}_0,\mathord {\varvec{b}}_1,\ldots ,\mathord {\varvec{b}}_{2n-1}\), in the same manner as Golle's and Franklin et al.'s protocols [7, 12].

Then, \(2n+1\) bids are arranged as \(W_i=\big [{{\mathrm{\mathrm {E}}}}(i),\mathord {\varvec{a}}_i,\mathord {\varvec{v}}_i,\mathord {\varvec{q}}_i,{{\mathrm{\mathrm {E}}}}(\mathord {\varvec{\rho }}_i)\big ]\). The arrangement of the bids is the same as in [12], except that the counter is given as the ciphertext vector.

Next, the matching authorities generate two sets \(\mathcal {F}_1\) and \(\mathcal {E}_1\), where \(\mathcal {F}_1\) denotes a set of free bids and is initialized as \(\mathcal {F}_1:=\mathinner {\lbrace \,{W_0}\,\rbrace }\), where \(W_0\) is a bid of \(A_{0}\). The fifth value \({{\mathrm{\mathrm {E}}}}(\mathord {\varvec{\rho }}_{0})\) of the free bid \(W_{0}\) is updated to the ciphertext vector, which represents \({{\mathrm{\mathrm {E}}}}(0)\). Here, \(\mathcal {E}_1\) denotes a set of engaged bids and includes 2n engaged bids. The engaged bids in \(\mathcal {E}_1\) are initialized as follows. True men \(A_{1},A_{2},\ldots ,A_{n-1}\) get engaged to fake women \(B_{n},B_{n+1},\ldots ,B_{2n-2}\), respectively, and fake men \(A_{n},A_{n+1},\ldots ,A_{2n-1}\) get engaged to true women \(B_{0},B_{1},\ldots ,B_{n-1}\), respectively. Moreover, fake man \(A_{2n}\) gets engaged to fake woman \(B_{2n-1}\). In other words, \(\mathcal {E}_1:=\Big \{\overline{W}_{i,n-1+i}~\big |~i=1,2,\ldots ,n-1\Big \}\cup \Big \{\overline{W}_{n+i,i}~\big |~i=0,1,\ldots ,n-1\Big \}\cup \Big \{\overline{W}_{2n,2n-1}\Big \}\).

Then, the matching authorities jointly apply the \({{\mathrm{\mathrm {MIX}}}}\) to \(\mathcal {F}_1\) and \(\mathcal {E}_1\) independently. Application of the \({{\mathrm{\mathrm {MIX}}}}\) to the bids in \(\mathcal {F}_1\) proceeds as follows. First, a randomly generated secret permutation is applied to the set of bids (resp. engaged bids). Next, for each bid, all ciphertexts contained in the bid are re-randomized, and \(W_i\leftarrow \big [{{\mathrm{\mathrm {E}}}}(i),\pi (\mathord {\varvec{a}}_i),\pi (\mathord {\varvec{v}}_i),\pi (\mathord {\varvec{q}}_i),{{\mathrm{\mathrm {E}}}}(\mathord {\varvec{\rho }}_i)\big ]\) is computed, where \(\pi \) is a randomly generated secret permutation. For the engaged bids in \(\mathcal {E}_1\), the bid contained in each engaged bid is processed in the same way, and the remaining two ciphertexts are then re-randomized.

B Correctness of the Proposed Protocol

The differences between our protocol and FGM1 [7] are in lines 4–5 and line 11. The remaining steps are equivalent to FGM1. We confirm the correctness of the proposed protocol by ensuring that these two changes do not change the protocol behavior.

In lines 4–5, the counter is represented as the ciphertext vector \({{\mathrm{\mathrm {E}}}}(\mathord {\varvec{\rho }}_i)\); the encryption of the scalar counter \(\rho _i\) used in Golle's protocol is readily obtained from it homomorphically as \({{\mathrm{\mathrm {E}}}}(\rho _i)=\prod _{\ell =0}^{n-1}{{\mathrm{\mathrm {E}}}}(\rho _{i,\ell })^{\ell }\). Thus, the change in the representation of the counter does not affect the behavior of the protocol.

Next, we consider the treatment of the counter increment (line 11). Because the preferences are set by Eqs. (4) and (5), the true men (resp. fake men) prefer the true women (resp. fake women) to the fake women (resp. true women). Thus, the true men (resp. fake men) never propose to the fake women (resp. true women). None of the fake men prefer \(B_{2n-1}\); hence, every fake man proposes to \(B_{2n-1}\) only as a last resort. Whichever fake man proposes to \(B_{2n-1}\), the resulting engagement is stable, except when the proposer is \(A_{2n}\). Thus, man \(A_{2n}\) is always single after 2n pairs have been made. At the same time, no fake woman proposed to by \(A_{2n}\) accepts the engagement, because \(A_{2n}\) is ranked worst by all of the women. Thus, for any input preferences, proposals by \(A_{2n}\) are declined at any time. Note that n is the largest number of rejected proposals for a stable marriage problem of size n. In the proposed protocol, the counter \({{\mathrm{\mathrm {E}}}}(\mathord {\varvec{\rho }}_{2n})\) is incremented by the 1-right rotation \({{\mathrm{\mathrm {E}}}}(\mathord {\varvec{\rho }}_{2n})\ggg {1}\) at each engagement, which corresponds to incrementing modulo n. Since a 1-right rotation is not an arithmetic operation and the ciphertext vector representing the counter is made sufficiently long, the operation \({{\mathrm{\mathrm {E}}}}(\mathord {\varvec{\rho }}_{2n})\ggg {1}\) never causes overflow.

Therefore, the behavior of the proposed protocol is equivalent to that of Golle's and Franklin et al.'s protocols, and it outputs a stable matching correctly after \(2n^2\) iterations of the main loop of Algorithm 2 (lines 2–15) [7, 12].
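As an added illustration of the counter representation discussed for lines 4–5 and the rotation-based increment of line 11 (example code written for this page, not the authors' implementation), the block below builds a toy single-key Paillier instance, encodes the counter as a one-hot ciphertext vector \({{\mathrm{\mathrm {E}}}}(\mathord {\varvec{\rho }})\), increments it by 1-right rotation with re-randomization, and recovers Golle's scalar counter homomorphically as \(\prod _{\ell }{{\mathrm{\mathrm {E}}}}(\rho _{\ell })^{\ell }\). The tiny constructed primes and the non-threshold decryption are assumptions for readability; the protocol itself uses threshold additive homomorphic encryption with realistic key sizes.

```python
import random
from math import gcd

# Toy Paillier instance with constructed tiny primes (assumption: the
# paper uses a threshold variant with realistic key sizes).
P, Q = 10007, 10009
N = P * Q
N2 = N * N
G = N + 1                                     # standard generator choice
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)  # lambda = lcm(p-1, q-1)
MU = pow(LAM, -1, N)                          # L(g^lambda mod N^2) = lambda for g = N + 1

def _unit():
    """Random r in Z_N^*; retry so that gcd(r, N) = 1 even with tiny primes."""
    while True:
        r = random.randrange(1, N)
        if gcd(r, N) == 1:
            return r

def enc(m):
    return pow(G, m, N2) * pow(_unit(), N, N2) % N2

def dec(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

def rerand(c):
    """Multiply by a fresh encryption of 0: same plaintext, new randomness."""
    return c * pow(_unit(), N, N2) % N2

def enc_counter(value, length):
    """E(rho): ciphertext vector whose plaintexts are one-hot at index `value`."""
    return [enc(1 if i == value else 0) for i in range(length)]

def increment(vec):
    """E(rho) >>> 1: 1-right rotation, then re-randomise every slot.
    The single 1 moves from slot l to slot l+1 mod len(vec), i.e. an
    increment modulo the vector length without any plaintext arithmetic."""
    return [rerand(c) for c in vec[-1:] + vec[:-1]]

def to_scalar(vec):
    """Golle's scalar counter E(rho) = prod_l E(rho_l)^l, computed
    homomorphically (ciphertext product = plaintext sum, power = scalar mult)."""
    acc = enc(0)
    for l, c in enumerate(vec):
        acc = acc * pow(c, l, N2) % N2
    return acc

def counter_value(vec):
    """Decrypt the derived scalar (single-key stand-in for threshold decryption)."""
    return dec(to_scalar(vec))
```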

C Security of the Proposed Protocol

In the proposed protocol, the main building blocks are the \({{\mathrm{\mathrm {EQTEST}}}}\) and the \({{\mathrm{\mathrm {MIX}}}}\). These are based on the threshold additive homomorphic encryption. The other building blocks are constructed from the main building blocks, as explained in Sect. 2. The security and input privacy of the proposed stable matching protocol are guaranteed by the underlying threshold additive homomorphic encryption and the \({{\mathrm{\mathrm {MIX}}}}\), as shown by the following theorem.

Theorem 3

Suppose that the threshold additive homomorphic encryption scheme is semantically secure, that the \({{\mathrm{\mathrm {MIX}}}}\) is private against any probabilistic polynomial-time semi-honest adversaries, and that the number of adversaries that collude with each other is less than the threshold, which is specified by the underlying threshold additive homomorphic encryption scheme.

The proposed protocol presented in Sect. 4.2 is private against any probabilistic polynomial-time semi-honest adversaries in the sense of Definition 1.

Proof

(Sketch). We prove the security of the proposed protocol by showing that the modifications to GFGM and FGM1 do not affect the proof of [12, Proposition 3]. Since our protocol differs from Golle's and Franklin et al.'s protocols only in the fifth element of the bid, we state the security argument for this part. Suppose an adversary could distinguish the fifth element of our bid; such an adversary could then be used to break the semantic security of the underlying additive homomorphic encryption. Hence, our protocol is private given the two primitives described in the sections above.

Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Teruya, T., Sakuma, J. (2015). Round-Efficient Private Stable Matching from Additive Homomorphic Encryption. In: Desmedt, Y. (eds) Information Security. Lecture Notes in Computer Science(), vol 7807. Springer, Cham. https://doi.org/10.1007/978-3-319-27659-5_5

  • DOI: https://doi.org/10.1007/978-3-319-27659-5_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-27658-8

  • Online ISBN: 978-3-319-27659-5
