<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE article  PUBLIC "-//NLM//DTD Journal Publishing DTD v3.0 20080202//EN" "http://dtd.nlm.nih.gov/publishing/3.0/journalpublishing3.dtd"><article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" dtd-version="3.0" xml:lang="en" article-type="research article"><front><journal-meta><journal-id journal-id-type="publisher-id">JIS</journal-id><journal-title-group><journal-title>Journal of Information Security</journal-title></journal-title-group><issn pub-type="epub">2153-1234</issn><publisher><publisher-name>Scientific Research Publishing</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.4236/jis.2017.83015</article-id><article-id pub-id-type="publisher-id">JIS-77697</article-id><article-categories><subj-group subj-group-type="heading"><subject>Articles</subject></subj-group><subj-group subj-group-type="Discipline-v2"><subject>Computer Science&amp;Communications</subject></subj-group></article-categories><title-group><article-title>
 
 
  Private Personal Information Verification
 
</article-title></title-group><contrib-group><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Hoang</surname><given-names>Giang Do</given-names></name><xref ref-type="aff" rid="aff1"><sup>1</sup></xref><xref ref-type="corresp" rid="cor1"><sup>*</sup></xref></contrib><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Wee</surname><given-names>Keong Ng</given-names></name><xref ref-type="aff" rid="aff1"><sup>1</sup></xref></contrib></contrib-group><aff id="aff1"><addr-line>School of Computer Science and Engineering, Nanyang Technological University, Singapore City, Singapore</addr-line></aff><author-notes><corresp id="cor1">* E-mail:<email>do0004ng@e.ntu.edu.sg(HGD)</email>;</corresp></author-notes><pub-date pub-type="epub"><day>06</day><month>07</month><year>2017</year></pub-date><volume>08</volume><issue>03</issue><fpage>223</fpage><lpage>239</lpage><history><date date-type="received"><day>June</day>	<month>21,</month>	<year>2017</year></date><date date-type="rev-recd"><day>Accepted:</day>	<month>July</month>	<year>15,</year>	</date><date date-type="accepted"><day>July</day>	<month>18,</month>	<year>2017</year></date></history><permissions><copyright-statement>&#169; Copyright  2014 by authors and Scientific Research Publishing Inc. </copyright-statement><copyright-year>2014</copyright-year><license><license-p>This work is licensed under the Creative Commons Attribution International License (CC BY). http://creativecommons.org/licenses/by/4.0/</license-p></license></permissions><abstract><p>
 
 
  Physical document verification is a necessary task in the process of reviewing applications for a variety of services, such as loans, insurance, and mortgages. This process consumes a large amount of time, money, and human resources, which leads to limited business throughput. Furthermore, physical document verification poses a critical risk to clients’ personal information, as they are required to provide sensitive details and documents to verify their information. In this paper, we present a systematic approach to address shortcomings in the current state of the processes used for physical document verification. Our solution leverages a semi-trusted party data source (
  i.e. a governmental agency) and cryptographic protocols to provide a secure digital service. We make use of homomorphic encryption and secure multi-party computation to develop a series of protocols for private integer comparison and (non-) membership testing. Secure boolean evaluation and secure result aggregation schemes are proposed to combine the results of the evaluation of multiple predicates and produce the final outcome of the verification process. We also discuss possible improvements and other applications of the proposed secure system of protocols. Our framework not only provides a cost-efficient and secure solution for document verification, but also creates space for a new service.
 
</p></abstract><kwd-group><kwd>Secure Computation</kwd><kwd> Homormophic Encryption</kwd><kwd> Multiparty Computation</kwd></kwd-group></article-meta></front><body><sec id="s1"><title>1. Introduction</title><p>Recent advances in technology have led to the introduction of many digital and automated services, such as e-shopping, e-learning, and e-banking. These digi- talised services not only reduce the cost of operation, but also increases through- put for businesses. However, several tasks in these services continue to involve a considerable amount of human effort. Physical document verification is a necessary task in the process of reviewing applications for many services, such as loans, insurances, and mortgages. This process consumes a large amount of time, money, and human resources. Consider the example of a loan or an insurance application. The applicants are usually required to provide numerous documents to certify their relevant personal information, such as birth certificate, statement of monthly income, marriage certificate, medical records, and so on. At the same time, the loan/insurance provider requires a considerable amount of human resource to verify and store these documents. This process can take several weeks to complete, and serves to limit business throughput.</p><p>Moreover, the process of physical document verification incurs a critical privacy risk for applicants. They provide to a third party (i.e. the service provider) many sensitive documents, such as birth certificates, IDs, health records, and so on. All these documents are stored in the provider’s database. If the client applies for multiple schemes or subscriptions, multiple copies of his/her per- sonal data are stored in different places. Since data can be leaked from the server, storing personal information in multiple third-party databases is not recommen- ded. One source of such a leak is employees who do not follow the company’s privacy policies, and may, intentionally or unintentionally, reveal sensitive client information. Even when the provider claims to enforce strict policies pertaining to privacy, there is still a chance that the database systems are vulnerable to malicious external attacks.</p><p>In this paper, we propose a systematic approach to address the abovementioned shortcomings of the current state of the process of physical document verifi- cation. We assume that there is a trusted data source that stores the certified personal information of clients. We also assume that a list of requirements (maybe involving the divulgence of private information) needs to be fulfilled by the applicant to qualify for a given scheme or subscription. We present a series of protocols that allow the verifier and the data keeper to communicate with each other and securely verify the applicant’s information according to the requirements proposed by the verifier. The main contributions of this paper are as follows:</p><p>1) The proposed system digitalizes the process of document verification and hence enhances business throughput.</p><p>2) The system protects user confidentiality from both the verifier and the data keeper. The details of the requirements proposed by the verifier also remain hidden from the data keeper.</p><p>3) The proposed approach creates space for new services for information data storage and verification.</p><p>The remainder of the paper is organised as follows: In the next section, we review related work in the literature. Section 3 contains our problem formulation as well as the scenario we consider. Section 4 contains a discussion of our security model and assumptions as well as the underlying cryptographic techniques we leverage (i.e. Paillier’s encryption scheme). The proposed solution to the problem of secure personal information verification is described in Section 5, which systematically discusses four stages of the solution. Section 6 presents experimental evaluations of the proposed sub-protocols. The final section discusses future work and our conclusions.</p></sec><sec id="s2"><title>2. Related Work</title><p>The scenario we consider shares characteristics with the problem of zero- knowledge proof. Zero-knowledge proof systems, introduced by Goldwasser et al. [<xref ref-type="bibr" rid="scirp.77697-ref1">1</xref>] , involve two parties―a prover and a verifier. The system allows the prover to convince the verifier of some fact without revealing information about the proof. In our proposed problem, a client has to prove that he/she poses several attributes that match the requirements provided by the verifier. Zero-knowledge proof systems have been well researched, and have a wide range of applications, including authentication [<xref ref-type="bibr" rid="scirp.77697-ref2">2</xref>] , voting [<xref ref-type="bibr" rid="scirp.77697-ref3">3</xref>] , and e-cash [<xref ref-type="bibr" rid="scirp.77697-ref4">4</xref>] . J. Camenisch [<xref ref-type="bibr" rid="scirp.77697-ref5">5</xref>] proposed a useful zero-knowledge proof scheme which allows the prover to convince the verifier that a digitally committed value is a member of a given public set. The scheme can be directly applied to our problem. The client is assigned a number of digital commitments for each attribute, such that he/she can prove that the commitments belong to certain public sets. However, a separate instance of proof and verification is needed for each independent verifier; and every time the client’s attribute changes, he/she needs to be assigned a new commitment from a trusted server. Moreover, the scheme only presents solutions for simple membership and range predicates. In order to provide an efficient solution to the problem of personal information verification, where the predicates are much more complicated, we need to consider different approaches.</p><p>Another approach to consider is private set intersection [<xref ref-type="bibr" rid="scirp.77697-ref6">6</xref>] [<xref ref-type="bibr" rid="scirp.77697-ref7">7</xref>] . It allows the verifier to determine whether an applicant satisfies the relevant requirements given a threshold. However, this approach can only deal with exact attribute matching. Moreover, without a trusted party verifying the set of attributes, the applicant can use false information.</p><p>While sharing similar purposes as the above approaches, our system considers a different setting in the context of zero-knowledge proof systems. The commu- nication and verification processes are conducted by a verifier and a semi-honest data keeper, rather than by a verifier and a client. Our approach leverages the computation model of secure multi-party computation introduced by C. Yao [<xref ref-type="bibr" rid="scirp.77697-ref8">8</xref>] . Many follow-up studies have addressed different problems in this context. Some sub-protocols presented in this paper are inspired by [<xref ref-type="bibr" rid="scirp.77697-ref9">9</xref>] and modify [<xref ref-type="bibr" rid="scirp.77697-ref10">10</xref>] using studies along this line of research.</p></sec><sec id="s3"><title>3. Problem Formulation</title><p>Definitions. Our proposed system involves three general parties―the client, the verifier, and the data keeper―as illustrated in <xref ref-type="fig" rid="fig1">Figure 1</xref>.</p><p>・ The client. The client wishes to privately prove that his/her personal data satisfy the predicates predefined by the verifier.</p><p>・ The verifier. The verifier (we call the verifier Bob) provides a series of pre- dicates that need to be satisfied by the client.</p><fig id="fig1"  position="float"><label><xref ref-type="fig" rid="fig1">Figure 1</xref></label><caption><title> System Model</title></caption><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/6-7800459x2.png"/></fig><table-wrap id="table1" ><label><xref ref-type="table" rid="table1">Table 1</xref></label><caption><title> Sample personal data records</title></caption><table><tbody><thead><tr><th align="center" valign="middle" >ID</th><th align="center" valign="middle" >Name</th><th align="center" valign="middle" >Age</th><th align="center" valign="middle" >Sex</th><th align="center" valign="middle" >Income</th><th align="center" valign="middle" >Nationality</th><th align="center" valign="middle" >Marital Status</th></tr></thead><tr><td align="center" valign="middle" >1</td><td align="center" valign="middle" >Julia</td><td align="center" valign="middle" >29</td><td align="center" valign="middle" >F</td><td align="center" valign="middle" >30,000</td><td align="center" valign="middle" >Singaporean</td><td align="center" valign="middle" >Married</td></tr><tr><td align="center" valign="middle" >2</td><td align="center" valign="middle" >Deny</td><td align="center" valign="middle" >32</td><td align="center" valign="middle" >M</td><td align="center" valign="middle" >35,000</td><td align="center" valign="middle" >Singaporean</td><td align="center" valign="middle" >Single</td></tr><tr><td align="center" valign="middle" >3</td><td align="center" valign="middle" >Christina</td><td align="center" valign="middle" >38</td><td align="center" valign="middle" >F</td><td align="center" valign="middle" >80,000</td><td align="center" valign="middle" >Myanmar</td><td align="center" valign="middle" >Single</td></tr><tr><td align="center" valign="middle" >4</td><td align="center" valign="middle" >Alwen</td><td align="center" valign="middle" >41</td><td align="center" valign="middle" >M</td><td align="center" valign="middle" >120,000</td><td align="center" valign="middle" >Indonesian</td><td align="center" valign="middle" >Married</td></tr><tr><td align="center" valign="middle" >5</td><td align="center" valign="middle" >Dino</td><td align="center" valign="middle" >37</td><td align="center" valign="middle" >M</td><td align="center" valign="middle" >90,000</td><td align="center" valign="middle" >Malaysian</td><td align="center" valign="middle" >Divorced</td></tr></tbody></table></table-wrap><p>・ The data keeper. The data keeper (whom we call Alice) stores the personal data of the client and provides a security guarantee for the data storage.</p><p>The database stored by the data keeper consists of n records. Each record describes a client by m attributes. <xref ref-type="table" rid="table1">Table 1</xref> presents a simple example of data content maintained by the data keeper.</p><p>A personal information verification scheme is a Boolean function on a data record. The Boolean function is informally described by single and complex predicates. We assume that the single predicates are equality, inequality, mem- bership, and non-membership.</p><p>・ An equality predicate examines whether a variable x is equal to a certain value a:<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x3.png" xlink:type="simple"/></inline-formula>.</p><p>・ An inequality predicate inputs a variable x and a certain value a, and outputs 1 when <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x4.png" xlink:type="simple"/></inline-formula> (and 0 otherwise).</p><p>・ The membership and non-membership predicates check whether variable x belongs (or does not belong) to a set A of elements:<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x5.png" xlink:type="simple"/></inline-formula>.</p><p>A complex statement contains multiple single predicates and a set of logical expressions<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x6.png" xlink:type="simple"/></inline-formula>. A series of predicates (provided by the verifier) can be expressed as a complex predicate by combining them using the <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x7.png" xlink:type="simple"/></inline-formula> operator. The personal data of clients are accepted by the verifier only if they satisfy the final complex predicate.</p><p>Workflow. To illustrate, consider the following example: A client first outsources his/her data to a data keeper called Alice. Alice can be a govern- mental agency. The client and Alice are responsible for ensuring the correctness of the information. The client can pay a small fee to Alice for keeping track of his/her data. The verifier Bob provides a subscription scheme. In order to subscribe to the scheme, the client needs to satisfy a number of statements for personal information, including age, income, nationality, health condition, etc. He/She wants to prove that he/she qualifies for the scheme, but does not want to reveal exact information. At the same time, he/she also wishes to hide the fact that he/she is applying the certain scheme through others (such as Alice). He/She should anonymously authenticate Bob to communicate with Alice. Bob interacts with Alice by our proposed approach. Finally, Bob should be able to decide whether the client qualifies for the given scheme.</p></sec><sec id="s4"><title>4. Background</title><sec id="s4_1"><title>4.1. Security Assumptions</title><p>In this paper, the privacy/security of the proposed protocols is measured by the amount of information disclosed during execution. We adopt the security definitions and proof techniques from the literature on secure multi-party computation to analyse. The secure multi-party computation problem involves multiple parties collaboratively performing various types of computation with- out compromising the privacy of data. In the mid 1980s, C. Yao [<xref ref-type="bibr" rid="scirp.77697-ref8">8</xref>] introduced the idea of securely computing any two-party functionality in the presence of dishonest adversaries. Since then, various privacy-preserving protocols have been proposed to address different class of computation problems in the context of private data.</p><p>There are two common adversarial models under secure multi-party compu- tation: semi-honest and malicious. In the malicious model, the adversary has the ability to arbitrarily deviate from the protocol specifications. On the other hand, in the semi-honest model, an attacker (i.e. one of the participating parties) is expected to follow the prescribed steps of the protocol. However, the attacker is subsequently free to compute additional information based on his or her private input, output and messages received during the execution of the secure protocol. Although the assumptions of the semi-honest adversarial model are weaker than those of the malicious model, we insist that this assumption is realistic under the problem settings. We assume that the data keepers are trusted (as they are governmental agencies) to ensure the confidentiality of sensitive client data. It is difficult to imagine them colluding with other companies to damage their own reputation. Moreover, it is often non-trivial for one party to maliciously deviate from a particular protocol which may be hidden in a complex process.</p><p>In short, we assume that the verifier and the data keeper are semi-honest. They will correctly follow the protocol specifications. However, at the same time, they are also curious about the applicants’ information. In general, secure personal information as described in Section 5 should meet the following privacy requirements:</p><p>・ Client-to-verifier privacy. The verifier should not be able to gain any details concerning the client’s personal data stored in the data keeper’s database, except for those he can learn from the result (i.e. the client qualifies or not).</p><p>・ Client-to-data-keeper privacy. At any point during protocol execution, the identity of the applicant should not be revealed to the data keeper.</p><p>・ End user’s privacy. The verifier should not be able to obtain any information relating to other clients stored in the data keeper’s database.</p><p>・ Verifier-to-data-keeper privacy. The details of the predicates should not be leaked to the data keeper. This requirement is particularly applicable to private services where the selection criteria may be private to the provider.</p></sec><sec id="s4_2"><title>4.2. Additive Homomorphic Encryption</title><p>An additive homomorphic encryption scheme is a cryptosystem that allows arithmetic (i.e. addition) operations to be performed on the ciphertext without decryption or knowing the actual values. Efficient additive homomorphic cryptosystems have been proposed, such as the Pallier cryptosystem [<xref ref-type="bibr" rid="scirp.77697-ref11">11</xref>] , or the Damgard and Jurik cryptosystems [<xref ref-type="bibr" rid="scirp.77697-ref12">12</xref>] , which are Paillier encryption scheme of flexible lengths. For simplicity, we assume that a Paillier cryptosystem is used for encryption and decryption throughout this paper.</p><p>The Paillier cryptosystem consists of three algorithms:</p><p>1)<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x8.png" xlink:type="simple"/></inline-formula>: Inputs a security parameter and produces the key pair<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x9.png" xlink:type="simple"/></inline-formula>.</p><p>2)<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x10.png" xlink:type="simple"/></inline-formula>: Inputs a public key <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x11.png" xlink:type="simple"/></inline-formula> and a message m, and outputs a ciphertext c.</p><p>3)<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x12.png" xlink:type="simple"/></inline-formula>: Inputs a private key <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x13.png" xlink:type="simple"/></inline-formula> and a ciphertext c, and outputs a message m, such as<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x14.png" xlink:type="simple"/></inline-formula>.</p><p>The security of the Paillier encryption scheme relies on the computational hardness assumption of a novel mathematical problem called composite residuosity. The decision version of this problem class assumes that no polynomial-time algorithm can distinguish the N-th residues modulo <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x15.png" xlink:type="simple"/></inline-formula> with a non-negligible probability. <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x16.png" xlink:type="simple"/></inline-formula>and <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x17.png" xlink:type="simple"/></inline-formula> denote the Paillier encryption and decry- ption algorithms, respectively.</p><p>The Paillier cryptosystem is additive homomorphic encryption. If we consider two operators &#180; and + in the ciphertext and the plaintext domains, respectively, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x18.png" xlink:type="simple"/></inline-formula>and <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x18.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x19.png" xlink:type="simple"/></inline-formula> are two plaintext elements. The Paillier encryption scheme <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x18.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x19.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x20.png" xlink:type="simple"/></inline-formula> satisfies the followings properties:</p><p>・ Additive Homomorphism:</p><disp-formula id="scirp.77697-formula329"><graphic  xlink:href="http://html.scirp.org/file/6-7800459x21.png"  xlink:type="simple"/></disp-formula><p>・ Homomorphic Multiplication:</p><disp-formula id="scirp.77697-formula330"><graphic  xlink:href="http://html.scirp.org/file/6-7800459x22.png"  xlink:type="simple"/></disp-formula><p>・ Semantic Security: Informally, a semantically secure [<xref ref-type="bibr" rid="scirp.77697-ref13">13</xref>] encryption scheme is a probabilistic, polynomial-time algorithm such that given the ciphertext, an adversary cannot deduce any additional information about the plaintext.</p><p>The above computation is performed modulo<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x23.png" xlink:type="simple"/></inline-formula>. We refer the reader to [<xref ref-type="bibr" rid="scirp.77697-ref11">11</xref>] for more details. We also note that any additive homomorphic encryption scheme that satisfies the above properties can be utilized to implement our proposed framework.</p></sec></sec><sec id="s5"><title>5. Secure Information Verification</title><sec id="s5_1"><title>5.1. Overview</title><p>Our proposed approach to the secure information verification problem consists of four stages:</p><p>1) Setup―During this phase, the client goes through an anonymous authen- tication process so that the verifier is authenticated to communicate with the data keepers for the verification stage. In addition, the data keeper and the verifier generate an encryption key pair and exchange the public key of the homomorphic cryptosystem. These public keypairs are utilized for secure com- munication and computation at the later stages.</p><p>2) Single Predicate―In this stage, the data consumer evaluates a predicate for each entity in the dataset of the data keeper. The output of this stage is the encryption of either 1 or 0, depending on whether the entity satisfies the pre- dicate.</p><p>3) Secure Complex Predicate Evaluation―Based on the results of the previous stage, the verifier collaborates with the data keeper to compute the result of the complex logical combination of Boolean predicates. Again, the output of this stage is the encryption of either 1 or 0 depending on whether the entity satisfies the predicate.</p><p>4) Aggregation of Output Data―At this stage, the final result is aggregated, decrypted and shown to the verifier. Since the data keeper computes the de- cryption, we propose a secure protocol to generate the outcome so that the data keeper cannot obtain any information concerning the final result.</p></sec><sec id="s5_2"><title>5.2. Setup</title><p>In the setup phase, the client is first required to complete anonymous authen- tication with the data keeper Alice, who then allows the verifier Bob to initiate the secure information verification process on the records of Alice’s database. When the clients agree to their personal information being stored in Alice’s database, she issues to each client a credential to be used for authentication. Each time a client subsequently requests access to Alice’s database, he/she uses her credentials for verification with Alice, who begins communication with Bob for the information verification process.</p><p>Traditional password-based authentication systems expose the identity of the client to the data keeper Alice. Hence, they violate the client-to-data-keeper privacy requirement. To satisfy this, it is desirable to have an authentication scheme that promises unlinkability, i.e. the server should not be able to link user requests such that access to the same user cannot be recognised as such.</p><p>As the anonymous authentication process is not our main contribution here, we only briefly review possible approaches to satisfy this requirement. The most feasible solution is anonymous credentials introduced by D. Chaum [<xref ref-type="bibr" rid="scirp.77697-ref14">14</xref>] . This allows a user to prove that he/she has obtained a credential issued by an organisation without revealing anything regarding his/her identity other than the credential. J. Camenisch [<xref ref-type="bibr" rid="scirp.77697-ref15">15</xref>] proposed a protocol that allows an organisation to issue a credential by obtaining a signature on a committed value. The client can then prove with zero knowledge that she has a signature under the organisation’s public key on the given value.</p><p>Applied to our problem setting, the client first generates a non-interactive zero-knowledge proof (i.e. applying the Fiat--Shamir transform) of his/her credentials with Alice. He/She transfers the proof to Bob, who submits the proof to Alice. Finally, Alice authenticates Bob to communicate and verify the client’s information.</p><p>Following the authentication process, Alice and Bob generate two Paillier key pairs using the <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x24.png" xlink:type="simple"/></inline-formula> algorithms and agree on two key public pairs for communication during verification execution. We denote by <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x24.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x25.png" xlink:type="simple"/></inline-formula> and <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x24.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x25.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x26.png" xlink:type="simple"/></inline-formula> the Paillier encryption under Alice’s public key and that under Bob’s public key, respectively.</p></sec><sec id="s5_3"><title>5.3. Single Individual Predicate Evaluation</title><p>In the single predicate evaluation stage, for each data record and each attribute that needs to be verified, the verifier Bob and the data keeper Alice together perform one of the following protocols: equality predicate evaluation, inequality predicate evaluation and (non-) membership predicate evaluation. The output of each protocol is an encrypted bit maintained by Bob. The resulting bit is encrypted under the data keeper’s public key so that Bob cannot obtain any information relating to the other entities in the database. We now describe the three protocols to securely evaluate the results of these predicates.</p><sec id="s5_3_1"><title>5.3.1. Equality Predicate</title><p>A secure equality predicate evaluation tests whether two private inputs x and y are equal:<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x27.png" xlink:type="simple"/></inline-formula>. We use the protocol presented by C. Gentry et al. [<xref ref-type="bibr" rid="scirp.77697-ref10">10</xref>] to develop the protocol for secure equality predicate evaluation. Gentry’s equal-to- zero protocol [<xref ref-type="bibr" rid="scirp.77697-ref10">10</xref>] allows the comparison between a private value and zero. To be able to apply the equal-to-zero protocol, we execute a transformation (as presented in Protocol 1) on the two private inputs.</p><disp-formula id="scirp.77697-formula331"><graphic  xlink:href="http://html.scirp.org/file/6-7800459x28.png"  xlink:type="simple"/></disp-formula><p>The computation in Steps 1 - 2 transforms the problem into a secure equal-to-zero protocol. In this protocol, Alice holds an encrypted message with value a. The message is encrypted under Bob’s key; hence, neither Alice nor Bob has information concerning the value a. The remaining part of the protocol involves compare a with 0. In the last step, Bob is required to compute an AND operator on the ciphertext space. In binary setting, the AND operator is exactly a multiplication scheme. We describe a secure multiplication scheme as in Protocol 4. The protocol allows Bob to compute the product of two ciphertexts where he does not know the decryption key.</p><disp-formula id="scirp.77697-formula332"><graphic  xlink:href="http://html.scirp.org/file/6-7800459x29.png"  xlink:type="simple"/></disp-formula><p>The computations on lines 2 and 5 of Protocol 2 are performed by using the homomorphic property of Paillier encryption. During the protocol, Bob only works on encrypted data while the server receives two random numbers. Hence, no information regarding x and y is obtained by Bob and S. The correctness of the protocol is trivial, as<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x30.png" xlink:type="simple"/></inline-formula>. The protocol requires two encrypted integer transfers for communication. Bob needs to perform five multiplication operations and five exponentiation operations in the ciphertext space.</p><p>Analysis. We now analyse the correctness and security of the equality predicate evaluation protocol (Protocol 1). Due to the transformation in Steps 1 - 2, we only need to examine the remaining parts, where the two parties together compare the encrypted value a with 0.</p><p>We note that in Step 7, Alice reserves bit <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x31.png" xlink:type="simple"/></inline-formula> when<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x31.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x32.png" xlink:type="simple"/></inline-formula>. This means that we perform the XNOR operation on bit <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x31.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x32.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x33.png" xlink:type="simple"/></inline-formula> and ciphertext <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x31.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x32.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x33.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x34.png" xlink:type="simple"/></inline-formula> for all<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x31.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x32.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x33.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x34.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x35.png" xlink:type="simple"/></inline-formula>. Remember that<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x31.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x32.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x33.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x34.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x35.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x36.png" xlink:type="simple"/></inline-formula>, so at that step, we actually compute <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x31.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x32.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x33.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x34.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x35.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x36.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x37.png" xlink:type="simple"/></inline-formula>. Moreover, since<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x31.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x32.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x33.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x34.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x35.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x36.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x37.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x38.png" xlink:type="simple"/></inline-formula>, all <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x31.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x32.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x33.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x34.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x35.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x36.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x37.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x38.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x39.png" xlink:type="simple"/></inline-formula>s are zero if and only if<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x31.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x32.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x33.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x34.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x35.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x36.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x37.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x38.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x39.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x40.png" xlink:type="simple"/></inline-formula>. Therefore, all <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x31.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x32.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x33.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x34.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x35.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x36.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x37.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x38.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x39.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x40.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x41.png" xlink:type="simple"/></inline-formula> if<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x31.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x32.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x33.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x34.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x35.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x36.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x37.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x38.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x39.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x40.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x41.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x42.png" xlink:type="simple"/></inline-formula>; the last step concludes the protocol, where Bob computes the AND of all bits <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x31.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x32.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x33.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x34.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x35.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x36.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x37.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x38.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x39.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x40.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x41.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x42.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x43.png" xlink:type="simple"/></inline-formula> and outputs the inverted result.</p><p>The security of the two parties follows the semantic security properties of the employed encryption scheme―the Paillier cryptosystem. Alice only obtains the encryption version of y. On the other hand, Bob receives a randomized value <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x44.png" xlink:type="simple"/></inline-formula> and an array of encrypted bits<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x44.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x45.png" xlink:type="simple"/></inline-formula>. Hence, no more information is leaked to either party.</p></sec><sec id="s5_3_2"><title>5.3.2. Inequality Predicate</title><p>The inequality predicate considers two parties that pose two private integral values x and y and wish to evaluate the predicate<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x46.png" xlink:type="simple"/></inline-formula>. This problem is known as secure comparison. The first solution to it was proposed by A. Yao [<xref ref-type="bibr" rid="scirp.77697-ref8">8</xref>] in the 1980s, and pioneered research on secure multi-party computation. Since then, extensive research has been conducted to address the problem of secure comparison. Di Crescenzo [<xref ref-type="bibr" rid="scirp.77697-ref16">16</xref>] proposed a secure comparison protocol with <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x46.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x47.png" xlink:type="simple"/></inline-formula> complexity, where n is the length in bits of the compared numbers, and N is the group size of the plaintext of the employed encryption scheme. Fischlin [<xref ref-type="bibr" rid="scirp.77697-ref17">17</xref>] and Blake [<xref ref-type="bibr" rid="scirp.77697-ref9">9</xref>] reduced the complexity of the solutions to <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x46.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x47.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x48.png" xlink:type="simple"/></inline-formula>.</p><p>We propose a variant of Blake’s protocol [<xref ref-type="bibr" rid="scirp.77697-ref9">9</xref>] as a building block to compare two private inputs. In our problem setting, at this stage, it is expected that no information relating to the results of the evaluation are known to the verifier or the data keeper. Therefore, we cannot directly apply the protocol proposed by Blake [<xref ref-type="bibr" rid="scirp.77697-ref9">9</xref>] , as it leaks the comparison results to one of the parties. In order to prevent such information leakage, we propose a mechanism, as an extension to the original scheme [<xref ref-type="bibr" rid="scirp.77697-ref9">9</xref>] as shown in Protocol 3.</p><p>Blake’s protocol allows us to obliviously transfer one over two secrets depending on the result of the secure comparison. The protocol considers the scenario where there are two parties holding two private inputs x and y. The second party holds two secrets <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x49.png" xlink:type="simple"/></inline-formula> (in addition to private input y). Blake’s protocol allows the two parties obliviously transfer <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x49.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x50.png" xlink:type="simple"/></inline-formula> when <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x49.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x50.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x51.png" xlink:type="simple"/></inline-formula> and <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x49.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x50.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x51.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x52.png" xlink:type="simple"/></inline-formula> in the other case. Our modification adds one more step which is the secure equality evaluation protocol to determine the secret that has been sent. At the end of the protocol, Bob obtains an encrypted bit that indicates the result of the inequality comparison. To present the protocol, we follow Blake [<xref ref-type="bibr" rid="scirp.77697-ref9">9</xref>] and denote by <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x49.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x50.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x51.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x52.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x53.png" xlink:type="simple"/></inline-formula> a set of integers agreed by the two parties before executing the protocol.</p><disp-formula id="scirp.77697-formula333"><graphic  xlink:href="http://html.scirp.org/file/6-7800459x54.png"  xlink:type="simple"/></disp-formula><p>In Step 3.b, Bob is required to compute the XOR of two encrypted bits<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x55.png" xlink:type="simple"/></inline-formula>, and<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x55.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x56.png" xlink:type="simple"/></inline-formula>. Since<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x55.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x56.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x57.png" xlink:type="simple"/></inline-formula>, we can evaluate the result with the help of the secure multiplication protocol (Protocol 2). To compute the encry- ption of vector<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x55.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x56.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x57.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x58.png" xlink:type="simple"/></inline-formula>, Bob only needs to apply the homomorphic property of the Paillier cryptosystem as discussed in Section 4.2.</p><p>Analysis. We first show that the protocol correctly computes the desired functionality. The flag vector <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x59.png" xlink:type="simple"/></inline-formula> is a binary vector, where the i-th bit indicates whether<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x59.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x60.png" xlink:type="simple"/></inline-formula>. Therefore, vector <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x59.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x60.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x61.png" xlink:type="simple"/></inline-formula> as constructed in Step 2c is a vector with the following structure: it starts with one or more 0s followed by a 1, and then a sequence of non-1s.</p><p>Let k be the first position where <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x62.png" xlink:type="simple"/></inline-formula> and <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x62.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x63.png" xlink:type="simple"/></inline-formula> differ, which implies that <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x62.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x63.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x64.png" xlink:type="simple"/></inline-formula> and <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x62.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x63.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x64.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x65.png" xlink:type="simple"/></inline-formula> determine the result of predicate<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x62.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x63.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x64.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x65.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x66.png" xlink:type="simple"/></inline-formula>. <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x62.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x63.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x64.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x65.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x66.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x67.png" xlink:type="simple"/></inline-formula>randomizes the value of <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x62.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x63.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x64.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x65.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x66.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x67.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x68.png" xlink:type="simple"/></inline-formula> but keeps<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x62.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x63.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x64.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x65.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x66.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x67.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x68.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x69.png" xlink:type="simple"/></inline-formula>. We note that with a large probability, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x62.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x63.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x64.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x65.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x66.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x67.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x68.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x69.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x70.png" xlink:type="simple"/></inline-formula>is statistically close to uniformly random in<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x62.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x63.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x64.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x65.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x66.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x67.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x68.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x69.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x70.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x71.png" xlink:type="simple"/></inline-formula>. Finally, the transformation in Step 2e is a permutation of <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x62.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x63.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x64.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x65.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x66.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x67.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x68.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x69.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x70.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x71.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x72.png" xlink:type="simple"/></inline-formula> where set <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x62.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x63.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x64.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x65.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x66.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x67.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x68.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x69.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x70.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x71.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x72.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x73.png" xlink:type="simple"/></inline-formula> and<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x62.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x63.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x64.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x65.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x66.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x67.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x68.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x69.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x70.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x71.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x72.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x73.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x74.png" xlink:type="simple"/></inline-formula>. The final step, where a random permutation <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x62.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x63.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x64.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x65.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x66.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x67.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x68.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x69.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x70.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x71.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x72.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x73.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x74.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x75.png" xlink:type="simple"/></inline-formula> is sent back to Alice, hides information concerning index k.</p><p>Since there is a negligible minority of elements of <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x76.png" xlink:type="simple"/></inline-formula> in a group of size N, with overwhelming probability, there is exactly one element in vector <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x76.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x77.png" xlink:type="simple"/></inline-formula> belonging to set<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x76.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x77.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x78.png" xlink:type="simple"/></inline-formula>. In Step 3, Alice can output either <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x76.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x77.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x78.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x79.png" xlink:type="simple"/></inline-formula> or <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x76.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x77.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x78.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x79.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x80.png" xlink:type="simple"/></inline-formula> depending on whether<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x76.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x77.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x78.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x79.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x80.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x81.png" xlink:type="simple"/></inline-formula>. The last two steps conclude our construction of the protocol, where <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x76.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x77.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x78.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x79.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x80.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x81.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x82.png" xlink:type="simple"/></inline-formula> only if <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x76.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x77.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x78.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x79.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x80.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x81.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x82.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x83.png" xlink:type="simple"/></inline-formula> as desired.</p><p>We now prove the security of the protocol. Due to the universal security of the secure equality evaluation protocol, we only need to consider the first part (i.e. Steps 1 - 3). Privacy for Alice trivially holds because of the semantic security properties of the employed encryption scheme―the Paillier cryptosystem. Bob only receives from Alice a list of encryption messages, and obtains no more information about Alice’s private input.</p><p>Bob’s privacy against the semi-honest party Alice is proven by constructing a simulator<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x84.png" xlink:type="simple"/></inline-formula>, where x is the private input of Alice and v the value obtained in the part of the protocol that is examined. <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x84.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x85.png" xlink:type="simple"/></inline-formula>needs to generate a distribution statistically close to the view of Alice in real execution. The simulator generates a random vector<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x84.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x85.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x86.png" xlink:type="simple"/></inline-formula>: for<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x84.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x85.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x86.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x87.png" xlink:type="simple"/></inline-formula>, a random element <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x84.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x85.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x86.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x87.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x88.png" xlink:type="simple"/></inline-formula> is chosen. It then replaces the randomly chosen element of <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x84.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x85.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x86.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x87.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x88.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x89.png" xlink:type="simple"/></inline-formula> with s (i.e.<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x84.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x85.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x86.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x87.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x88.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x89.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x90.png" xlink:type="simple"/></inline-formula>), and outputs<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x84.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x85.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x86.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x87.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x88.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x89.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x90.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x91.png" xlink:type="simple"/></inline-formula>. As discussed above, due to the randomization in Step 2.d, vector <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x84.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x85.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x86.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x87.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x88.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x89.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x90.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x91.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x92.png" xlink:type="simple"/></inline-formula> is statistically close to being uniformly random in <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x84.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x85.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x86.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x87.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x88.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x89.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x90.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x91.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x92.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x93.png" xlink:type="simple"/></inline-formula> (except one element in<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x84.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x85.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x86.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x87.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x88.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x89.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x90.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x91.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x92.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x93.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x94.png" xlink:type="simple"/></inline-formula>).</p></sec><sec id="s5_3_3"><title>5.3.3. (Non-) Membership Predicate</title><p>A membership predicate allows the verifier to examine whether an attribute of the client falls into certain categories. A simple example is the case where the verifier wishes to know if an applicant works in the education industry (e.g. teacher, student, librarian, school counsellor, etc.). A non-membership predicate is the complement of the membership query, and tests whether a particular value is excluded from a set.</p><p>The membership predicate evaluation protocol is presented in Protocol 4. The non-membership predicate can be easily derived from Protocol 4 by applying the NOT operator discussed in Section 5.4.</p><p>In the protocol, Alice is required to evaluate the encrypted polynomial <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x95.png" xlink:type="simple"/></inline-formula> at point <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x95.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x96.png" xlink:type="simple"/></inline-formula> (line 3). She can do so due to the homomorphism of the cryptosystem. She first computes <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x95.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x96.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x97.png" xlink:type="simple"/></inline-formula> in plaintext, and then computes <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x95.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x96.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x97.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x98.png" xlink:type="simple"/></inline-formula> by the homomorphic multiplication property of the Paillier cryptosystem. Finally, she calculates <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x95.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x96.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x97.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x98.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x99.png" xlink:type="simple"/></inline-formula> in encrypted form by applying the homomorphic addition property.</p><disp-formula id="scirp.77697-formula334"><graphic  xlink:href="http://html.scirp.org/file/6-7800459x100.png"  xlink:type="simple"/></disp-formula><p>Analysis. We first analyse the correctness of the protocol. If<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x101.png" xlink:type="simple"/></inline-formula>, there exists one <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x101.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x102.png" xlink:type="simple"/></inline-formula> such that<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x101.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x102.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x103.png" xlink:type="simple"/></inline-formula>. This implies<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x101.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x102.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x103.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x104.png" xlink:type="simple"/></inline-formula>. This observation leads to the final step of the protocol, where Bob and Alice collaboratively evaluate the equality predicate with inputs <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x101.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x102.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x103.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x104.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x105.png" xlink:type="simple"/></inline-formula> and<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x101.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x102.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x103.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x104.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x105.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x106.png" xlink:type="simple"/></inline-formula>. Hence, the encrypted bit <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x101.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x102.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x103.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x104.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x105.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x106.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x107.png" xlink:type="simple"/></inline-formula> is an indicator of whether value a belongs to set S.</p><p>The security the protocol can be proven with two simulators that generate the views of the two parties, Alice and Bob. For Alice, a simulator that generates and sends n random encrypted values is a valid simulator. Due to semantic security, she cannot distinguish the simulator from a real-world scenario. Similarly for Bob, a random number <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x108.png" xlink:type="simple"/></inline-formula> can be easily simulated. Finally, the security of Protocol 4 concludes the proof of security of the secure membership evaluation protocol.</p></sec></sec><sec id="s5_4"><title>5.4. Complex Predicate Evaluation</title><p>At this stage, Bob holds the encrypted result of the evaluation for each data record, with each attribute in a complex predicate that needs to be verified. This sub-section discusses three basic primitives that operate on the encrypted inputs at this stage. With these primitives, Bob has the capability to compute the results of the encryption of the desired bit to evaluate each data record. The output of this stage is an encrypted bit for each data record. This bit indicates whether the given record satisfies the complex statement.</p><p>The inputs of the three primitives are either one encrypted bit (NOT opera- tion) or two encrypted bits (AND and OR operations). They are described as follows:</p><p>1) <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x109.png" xlink:type="simple"/></inline-formula>(NOT)―It is easy to derive the formula for bit negation operation:<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x109.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x110.png" xlink:type="simple"/></inline-formula>. Clearly, the operation leaks no information re- garding the encrypted bit x to either Alice or Bob. It requires one exponentiation operation and one multiplication operation. Alice receives no more data, whereas Bob only works on his inputs, which are encrypted data.</p><p>2) <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x111.png" xlink:type="simple"/></inline-formula>(AND)―Because <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x111.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x112.png" xlink:type="simple"/></inline-formula> for any two bits<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x111.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x112.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x113.png" xlink:type="simple"/></inline-formula>, the primitive is identical to the description of SecMul (Protocol 2). The protocol requires five multiplication operations and five exponentiation operations in ciphertext space. The security of the protocol follows the analysis of secure multiplication (i.e. Protocol 2).</p><p>3) <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x114.png" xlink:type="simple"/></inline-formula>(OR)―Since<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x114.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x115.png" xlink:type="simple"/></inline-formula>, we can derive the definition of the OR primitive as in Protocol 5. The protocol requires seven multiplication operations and six exponentiation operations in ciphertext space. During the protocol, data that Bob and Alice receive are identical to those received during Protocol 2; hence, Bob and Alice gain nothing following protocol execution.</p><disp-formula id="scirp.77697-formula335"><graphic  xlink:href="http://html.scirp.org/file/6-7800459x116.png"  xlink:type="simple"/></disp-formula></sec><sec id="s5_5"><title>5.5. Aggregation of Output Data</title><p>As the input of this stage, for each entity in Alice’s database, Bob holds an encrypted bit that determines whether the data record qualifies the complex statement. In order to ensure there is exactly one qualified data record in case the application is successful, we introduce one special attribute to the final complex predicate. The attribute is the secret identification of the client in the database.</p><p>We assume that when the client registers his/her data with Alice the data keeper, Alice generates a secret random number <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x117.png" xlink:type="simple"/></inline-formula> to identify the client. The number is stored in the database as an attribute of the client. We introduce additional steps to address the requirement:</p><p>1) The client encrypts the random secret under Bob’s key, obtain<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x118.png" xlink:type="simple"/></inline-formula>.</p><p>2) The client anonymously sends the encryption of secret value to Alice.</p><p>3) Alice and Bob perform secure equality evaluation (starting from step 2) and get the result<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x119.png" xlink:type="simple"/></inline-formula>.</p><p>4) Bob applies AND operation with <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x120.png" xlink:type="simple"/></inline-formula> and the current result of evaluation process.</p><p>With the additional step, now Bob holds an array of encrypted bits with all 0s and at most one bit 1. Bob uses a homomorphism to compute the encrypted sum of these bits; the result is the encryption of either 1 or 0. He can send it to Alice for decryption and obtain the final result to determine whether the applicant qualifies. However, this may compromise Bob’s privacy, especially when he wants to hide his business progress. In order to maintain his privacy, we introduce one step for the randomization of the decryption process as follows:</p><p>1) Bob computes the encrypted sum using a homomorphism to obtain<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x121.png" xlink:type="simple"/></inline-formula>.</p><p>2) Bob generates a random number r, and computes <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x122.png" xlink:type="simple"/></inline-formula> and sends to Alice.</p><p>3) Alice decrypts c to obtain <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x123.png" xlink:type="simple"/></inline-formula> and sends it back to Bob. Note that Alice only receives a random number so that she learns nothing about the result of the application.</p><p>4) Bob computes the result<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/6-7800459x124.png" xlink:type="simple"/></inline-formula>.</p><p>Finally, Bob is able to decide the result of the verification process by bit s.</p></sec><sec id="s5_6"><title>5.6. Discussion</title><p>We first consider the security of the entire system, since all intermediate results revealed to Alice and Bob are either random or semantically secure encryptions of numbers. Furthermore, the outputs of all sub-protocols (only seen by Bob) are always encrypted under Alice’s key. Under the assumptions of the semi-honest model, we claim that the sequential composition of these sub- protocols leaks no details of the client or the predicates proposed by the verifier.</p><p>The second issue we consider is the practical implementation of the system. Since the same procedure is applied for all the data entries, the verification results for each data record can be computed in parallel. That means we are able to construct multiple verification threads, each one is corresponding to one data entry. By the batch verification approach, we can improve the running time of the whole process by a factor of n/m, where n is the number of data records and m is the number of threads.</p><p>While the same procedure is applied for each data record, the data keeper is not able to know who is the applicant. In practice, there are some cases that the data keeper (e.g. a governmental agency) is allowed to know the identity of the applicant, where this rigorous security feature is then not required. The proposed solution can be modified, and inherently improves performance. Specifically, the client can perform a simple authentication rather than an anonymous solution to allow the verifier to communicate with the data keeper. The verification process only needs to be performed on the only one data record identified by the client. Hence, the cost of the proposed solution is reduced by a factor of n where n is the number of data records in the data keeper’s database.</p><p>In our proposed solution, an applicant qualifies only if he/she satisfies all criteria specified by a single predicate or complex predicates. Hence, we can define a complex predicate to cover all criteria using the AND operation. We also can extend our protocol to adapt to threshold criteria, where the applicant qualifies only if he/she satisfies more than k criteria. The idea is to compute the sum of each predicates evaluation (in encrypted form) and apply a slightly modified version of Protocol 3 to compare the encrypted value with threshold k.</p></sec></sec><sec id="s6"><title>6. Implementation</title><p>We implemented our proposed method, and calculated the CPU time required to run our sub-protocols from Section 5. Our experiments were conducted on a Windows 10.0 machine with a 3-GHz processor and 16 GB of RAM. We used the Paillier cryptosystem as the underlying additive homomorphic encryption scheme and implemented the proposed sub-protocols in Java.</p><p>We first examined the operation of the secure equality evaluation and the secure inequality evaluation protocols. Two factors affect the performance of these protocols: the Paillier key size and the domain size of the input. <xref ref-type="table" rid="table2">Table 2</xref> shows the processing times of Protocols 1 &amp; 3 with different settings of bit size and key size. We performed the experiment with bit lengths of 32, 64 and 160. The latter was the size of the output of the SHA-1 hash function we used for the secret identification described in Section 5.5. The result showed that these protocols require twice the time for double-bit size of inputs; the time needed increased by a factor of nearly 7 when the Paillier key size was doubled.</p><p>The third single-predicate evaluation building block was the (non-) membership predicate. The run time of the building block depends on three factor: the Paillier key size, the number of elements in the set and the bit size of the inputs, where bit size only affects the final step of Protocol 4, which is the secure equality evaluation protocol. <xref ref-type="fig" rid="fig2">Figure 2</xref> show the relationship between the</p><table-wrap-group id="2"><label><xref ref-type="table" rid="table2">Table 2</xref></label><caption><title> Run times of secure equality and inequality evaluation protocols (ms)</title></caption><table-wrap id="2_1"><table><tbody><thead><tr><th align="center" valign="middle" >Size</th><th align="center" valign="middle" >Prtcl.1</th><th align="center" valign="middle" >Prtcl.3</th></tr></thead><tr><td align="center" valign="middle" >32</td><td align="center" valign="middle" >796</td><td align="center" valign="middle" >1769</td></tr><tr><td align="center" valign="middle" >64</td><td align="center" valign="middle" >1472</td><td align="center" valign="middle" >3542</td></tr><tr><td align="center" valign="middle" >160</td><td align="center" valign="middle" >3277</td><td align="center" valign="middle" >8623</td></tr></tbody></table></table-wrap><table-wrap id="2_2"><table><tbody><thead><tr><th align="center" valign="middle" >Size</th><th align="center" valign="middle" >Prtcl.1</th><th align="center" valign="middle" >Prtcl.3</th></tr></thead><tr><td align="center" valign="middle" >32</td><td align="center" valign="middle" >4477</td><td align="center" valign="middle" >12,047</td></tr><tr><td align="center" valign="middle" >64</td><td align="center" valign="middle" >9983</td><td align="center" valign="middle" >24,755</td></tr><tr><td align="center" valign="middle" >160</td><td align="center" valign="middle" >22,569</td><td align="center" valign="middle" >57,393</td></tr></tbody></table></table-wrap></table-wrap-group><fig id="fig2"  position="float"><label><xref ref-type="fig" rid="fig2">Figure 2</xref></label><caption><title> Running time of Secure Membership Evaluation</title></caption><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/6-7800459x125.png"/></fig><table-wrap id="table3" ><label><xref ref-type="table" rid="table3">Table 3</xref></label><caption><title> Running times of proposed sub-protocols</title></caption><table><tbody><thead><tr><th align="center" valign="middle" >Key Size</th><th align="center" valign="middle" >Secure Negation</th><th align="center" valign="middle" >Secure AND</th><th align="center" valign="middle" >Secure OR</th></tr></thead><tr><td align="center" valign="middle" >512</td><td align="center" valign="middle" >4 ms</td><td align="center" valign="middle" >20 ms</td><td align="center" valign="middle" >22 ms</td></tr><tr><td align="center" valign="middle" >1024</td><td align="center" valign="middle" >17 ms</td><td align="center" valign="middle" >73 ms</td><td align="center" valign="middle" >86 ms</td></tr><tr><td align="center" valign="middle" >2048</td><td align="center" valign="middle" >81 ms</td><td align="center" valign="middle" >517 ms</td><td align="center" valign="middle" >558 ms</td></tr></tbody></table></table-wrap><p>run times of the two remaining factors and the performance of the building block.</p><p>We had made a similar observation earlier: the cost of the secure membership evaluation protocol when the key size was 1024 bits was roughly six to seven times more efficient than with a length of 2048 bits for the Paillier key. The computational cost of the protocol also increased linearly with the size of the set. Finally, the run time of the three protocols that evaluated the Boolean functions are shown in <xref ref-type="table" rid="table3">Table 3</xref>. The same characteristics concerning the effect of the Paillier key size held for these building blocks.</p><p>In order to verify the feasibility of the whole proposed system, we conducted an experiment on a simulated dataset. We consider a complex statement veri- fication comprising of 10 single predicates linking together by two boolean operations AND, OR. The running time for verifying single data record was 25 seconds, and it took approximately 1 hour to verify one thousand data record in the parallel mode of 10 threads running simultaneously.</p></sec><sec id="s7"><title>7. Conclusion</title><p>In this paper, we proposed a framework for privacy-preserving verification of personal information. We used the secure multi-party computation model and homomorphic encryption to develop a systematic solution to the problem in four stages. We showed that the proposed scheme can protect the clients privacy from both the verifier and the data keeper, and at the same time provides privacy to the former. Different ways to further enhance the performance of the pro- posed method and a scheme extension for threshold verification were discussed. The experimental results highlighted the efficiency and feasibility of our pro- posed scheme under different security settings.</p></sec><sec id="s8"><title>Cite this paper</title><p>Do, H.G. and Ng, W.K. (2017) Private Personal Information Verification. Journal of Information Security, 8, 223-239. https://doi.org/10.4236/jis.2017.83015</p></sec></body><back><ref-list><title>References</title><ref id="scirp.77697-ref1"><label>1</label><mixed-citation publication-type="other" xlink:type="simple">Goldwasser, S., Micali, S. and Rackoff, C. (1985) The Knowledge Complexity of Interactive Proof-Systems (Extended Abstract). Proceedings of the 17th Annual ACM Symposium on Theory of Computing, Providence.</mixed-citation></ref><ref id="scirp.77697-ref2"><label>2</label><mixed-citation publication-type="other" xlink:type="simple">Yang, Y.J., Zhou, J.Y., Weng, J. and Bao, F. (2009) A New Approach for Anonymous Password Authentication. Twenty-Fifth Annual Computer Security Applications Conference, Honolulu.</mixed-citation></ref><ref id="scirp.77697-ref3"><label>3</label><mixed-citation publication-type="other" xlink:type="simple">Groth, J. (2005) Non-Interactive Zero-Knowledge Arguments for Voting. Third International Conference on Applied Cryptography and Network Security, New York.  
https://doi.org/10.1007/11496137_32</mixed-citation></ref><ref id="scirp.77697-ref4"><label>4</label><mixed-citation publication-type="other" xlink:type="simple">Camenisch, J., Hohenberger, S. and Lysyanskaya, A. (2006) Balancing Accountability and Privacy Using e-Cash (Extended Abstract). 5th International Conference on Security and Cryptography for Networks, Maiori.  
https://doi.org/10.1007/11832072_10</mixed-citation></ref><ref id="scirp.77697-ref5"><label>5</label><mixed-citation publication-type="other" xlink:type="simple">Camenisch, J., Chaabouni, R. and Shelat, A. (2008) Efficient Protocols for Set Membership and Range Proofs. Advances in Cryptology-ASIACRYPT 2008, 14th International Conference on the Theory and Application of Cryptology and Information Security, Melbourne.</mixed-citation></ref><ref id="scirp.77697-ref6"><label>6</label><mixed-citation publication-type="other" xlink:type="simple">Kissner, L. and Song, D. (2005) Privacy-Preserving Set Operations. Advances in Cryptology-CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara. https://doi.org/10.1007/11535218_15</mixed-citation></ref><ref id="scirp.77697-ref7"><label>7</label><mixed-citation publication-type="other" xlink:type="simple">De Cristofaro, E., Gasti, P. and Tsudik, G. (2012) Fast and Private Computation of Cardinality of Set Intersection and Union. Cryptology and Network Security, 11th International Conference, CANS 2012, Darmstadt.</mixed-citation></ref><ref id="scirp.77697-ref8"><label>8</label><mixed-citation publication-type="other" xlink:type="simple">Yao, A.C.-C. (1982) Protocols for Secure Computations (Extended Abstract). 23rd Annual Symposium on Foundations of Computer Science, Chicago.</mixed-citation></ref><ref id="scirp.77697-ref9"><label>9</label><mixed-citation publication-type="other" xlink:type="simple">Blake, I.F. and Kolesnikov, V. (2009) One-Round Secure Comparison of Integers. Journal of Mathematical Cryptology, 3.</mixed-citation></ref><ref id="scirp.77697-ref10"><label>10</label><mixed-citation publication-type="other" xlink:type="simple">Gentry, C., Halevi, S., Jutla, C.S. and Raykova, M. (2015) Private Database Access with He-Over-Oram Architecture. 13th International Conference on Applied Cryptography and Network Security, New York.  
https://doi.org/10.1007/978-3-319-28166-7_9</mixed-citation></ref><ref id="scirp.77697-ref11"><label>11</label><mixed-citation publication-type="other" xlink:type="simple">Paillier, P. (1999) Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. Advances in Cryptology—EUROCRYPT99, International Conference on the Theory and Application of Cryptographic Techniques, Prague.  
https://doi.org/10.1007/3-540-48910-x_16</mixed-citation></ref><ref id="scirp.77697-ref12"><label>12</label><mixed-citation publication-type="other" xlink:type="simple">Damg&amp;aring;rd, I. and Jurik, M. (2001) A Generalisation, a Simplification and Some Applications of Paillier’s Probabilistic Public-Key System. Public Key Cryptography, 4th International Workshop on Practice and Theory in Public Key Cryptography, Cheju Island. https://doi.org/10.1007/3-540-44586-2_9</mixed-citation></ref><ref id="scirp.77697-ref13"><label>13</label><mixed-citation publication-type="other" xlink:type="simple">Goldreich, O. (2004) The Foundations of Cryptography: Vol. 2, Basic Applications. Cambridge University Press, Cambridge.</mixed-citation></ref><ref id="scirp.77697-ref14"><label>14</label><mixed-citation publication-type="other" xlink:type="simple">Chaum, D. (1985) Security without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, 28, 1030-1044.  
https://doi.org/10.1145/4372.4373</mixed-citation></ref><ref id="scirp.77697-ref15"><label>15</label><mixed-citation publication-type="other" xlink:type="simple">Camenisch, J. and Lysyanskaya, A. (2002) A Signature Scheme with Efficient Protocols. 3rd International Conference on Security in Communication Networks, Amalfi.</mixed-citation></ref><ref id="scirp.77697-ref16"><label>16</label><mixed-citation publication-type="other" xlink:type="simple">Di Crescenzo, G. (2000) Private Selective Payment Protocols. Financial Cryptography, 4th International Conference, Anguilla.</mixed-citation></ref><ref id="scirp.77697-ref17"><label>17</label><mixed-citation publication-type="other" xlink:type="simple">Fischlin, M. (2001) A Cost-Effective Pay-Per-Multiplication Comparison Method for Millionaires. Topics in Cryptology, The Cryptographer’s Track at RSA Conference, San Francisco.</mixed-citation></ref></ref-list></back></article>