Yao's Millionaires' problem is a secure multi-party computation problem introduced in 1982 by computer scientist and computational theorist Andrew Yao. The problem discusses two millionaires, Alice and Bob, who are interested in knowing which of them is richer without revealing their actual wealth. This problem is analogous to a more general problem where there are two numbers a and b and the goal is to determine whether the inequality a \geq b is true or false without revealing the actual values of a and b. The Millionaires' problem is an important problem in cryptography, the solution of which is used in e-commerce and data mining. Commercial applications sometimes have to compare numbers that are confidential and whose security is important. Many solutions have been introduced for the problem, including physical solutions based on cards. The first solution, presented by Yao, is exponential in time and space.

Protocols and proof

The protocol of Hsiao-Ying Lin and Wen-Guey Tzeng

Let be a binary string of length n. Denote 0-encoding of s as and 1-encoding of s as Then, the protocol is based on the following claim: The protocol leverages this idea into a practical solution to Yao's Millionaires' problem by performing a private set intersection between S_a^1 and S_b^0.

The protocol of Ioannidis and Ananth

The protocol uses a variant of oblivious transfer, called 1-2 oblivious transfer. In that transfer one bit is transferred in the following way: a sender has two bits S_0 and S_1. The receiver chooses, and the sender sends S_i with the oblivious transfer protocol such that To describe the protocol, Alice's number is indicated as a, Bob's number as b, and it is assumed that the length of their binary representation is less than d for some. The protocol takes the following steps.

Proof

Correctness

Bob calculates the final result from, and the result depends on. K, and therefore c as well, can be split into 3 parts. The left part doesn't affect the result. The right part has all the important information, and in the middle is a sequence of zeros that separates those two parts. The length of each partition of c is linked to the security scheme. For every i, only one of has non-zero right part, and it is K_{i1} if a_i = 1, and K_{i2} otherwise. In addition, if i > j, and K_{il} has a non-zero right part, then has also a non-zero right part, and the two leftmost bits of this right part will be the same as the one of A_{il}. As a result, the right part of c is a function of the entries Bob transferred correspond to the unique bits in a and b, and the only bits in the right part in c that are not random are the two leftmost, exactly the bits that determines the result of a_i > b_i, where i is the highest-order bit in which a and b differ. In the end, if a_i > b_i, then those two leftmost bits will be 11, and Bob will answer that a \geq b. If the bits are 10, then a_i < b_i, and he will answer a < b. If a = b, then there will be no right part in c, and in this case the two leftmost bits in c will be 11, and will indicate the result.

Security

The information Bob sends to Alice is secure because it is sent through oblivious transfer, which is secure. Bob gets 3 numbers from Alice:

Complexity

The complexity of the protocol is O(d^2). Alice constructs d-length number for each bit of a, and Bob calculates XOR d times of d-length numbers. The complexity of those operations is O(d^2). The communication part takes also O(d^2). Therefore, the complexity of the protocol is O(d^2).