Suppose there is a group of N people some of whom possess a specific
property. For example, their wealth is above or below a threshold,
they voted for a particular candidate, they have a certain disease,
etc. The group wants to find out how many of its members posses the
property -- but without revealing the identities. Unless of course it
turns out that all members do or do not have the attribute of
interest. However, in all other cases the counting algorithm should
guarantee that nobody can find out if a particular individual possesses
the property unless *all the other* N-1 members of the group
collude.

One particular instance of the above problem is Dr. Ecco's CentiMillionaire problem, published in Dr. Dobb's Journal, May 2000 issue.

We have 20 people around the world. They are all Centimillionaires, but none have more than $10 billion. They are rich enough, however, that they all round their wealth to the nearest $100 million. Several may have the same number of centimillions. They want to know how many centimillions the richest and poorest among the 20 have and how big those rich and poor subgroups are. Nobody should learn who else is in any subgroup (unless all or all but one are in some subgroup or there is large-scale collusion). You can assume that they will be honest in the information they give and in any calculations they are asked to do... They must communicate by phone.

Liane's solution requires that all 20 people communicate with each other at least once, nearly 200 phone calls. This present web page describes a method to determine the distribution of wealth among 20 centimillionaires with only 58 calls. This solution offers the same collusion protection: 19 people must collude to infer the 20th person's wealth. The last nineteen calls are just to announce the result, and can be replaced with a single conference call if allowed. Actually all the communication can be made public without revealing anything about the wealth of any particular centimillionaire.

The solution is a combination of a Diffie-Hellman key exchange and RSA algorithms. See an excellent web page Cryptography and Number Theory for Digital Cash by J. Orlin Grabbe for background information and references. The solution relies on the fact that a discrete log problem is very hard. Unlike RSA, each CentiMillionaire distributes p and q but keeps both encryption and decryption exponents private. If both p and q are chosen to be of the form 2^k+1, then every odd number less than (p-1)*(q-1) will do as an encryption exponent ei. Thus it appears one can't easily guess which exponent another CentiMillionaire has chosen.

The counting algorithm does not require any trusted third parties, and all communications between centimillionaires can be conducted in public.

Here is how twenty centimillionaires can determine how many of them fall within a particular wealth bucket.

Let centimillionaire C1 choose:

for each wealth bucket (1 through 100):

- two prime numbers p and q
- number x such that x^(2^k) mod (p*q) are all distinct and neither is 1; in addition x^(2^k) are divisible by neither p nor q; for k=0..20
- Two numbers e1 and d1 such that:
- e1*d1 = 1 mod (p-1)*(q-1) if C1's wealth is not in this bucket
- e1*d1 = 2 mod (p-1)*(q-1) if C1's wealth is in the bucket under consideration
- and e1 is mutually prime with (p-1)*(q-1)

- Compute x^e1, and verify it is not divisible by p or q

(otherwise, choose another e1,d1 pair) - Give a call to centimillionaire C2 and tell him p, q, x, x^e1

Let centimillionaire C2:

for each wealth bucket (1 through 100):

- Receive p, q, x, x^e1 from C1
- choose two numbers e2 and d2 such that:
- e2*d2 = 1 mod (p-1)*(q-1) if C2's wealth is not in this bucket
- e2*d2 = 2 mod (p-1)*(q-1) if C2's wealth is in the bucket under consideration
- and e2 is mutually prime with (p-1)*(q-1)

- Compute (x^e1)^e2, and verify it's not divisible by p or q (otherwise, choose another e2,d2 pair)
- Give a call to centimillionaire C3 and tell him p, q, x, (x^e1)^e3

Let centimillionaire C20:

for each wealth bucket (1 through 100):

- Receive p, q, x, x^(e1*...e19) from C19
- choose two numbers e20 and d20 such that:
- e20*d20 = 1 mod (p-1)*(q-1) if C20's wealth is not in this bucket
- e20*d20 = 2 mod (p-1)*(q-1) if C20's wealth is in the bucket under consideration
- and e20 is mutually prime with (p-1)*(q-1)

- Compute x^(e1*...e19*e20), and verify it's not divisible by p or q (otherwise, choose another e20,d20 pair)
- Give a call to centimillionaire C1 and tell him x^(e1*...e19*e20)

Round 1 (20 calls) is ended

Centimillionaire C1:

for each wealth bucket (1 through 100):

- Receive x^(e1*...e19*e20) from C20
- Call C2 and tell him the result of
(x^(e1*...e19*e20))^d1

This number is either

x^(e2*e3...e20) or

x^(2*e2*e3...e20)

depending whether C1's wealth was in this particular bucket.

This conclusion is based upon Euler's theorem:

x^((p-1)*(q-1)) = 1 mod (p*q) if x is mutually prime with p*q so that

(x^(u*e1))^d1 = ((x^u)^(e1*d1)) = x^u or (x^u)^2, for each u

Centimillionaire C2:

for each wealth bucket (1 through 100):

- Receives (x^(e1*...e19*e20))^d1 from C1
- Computes (x^(e1*...e19*e20))^d1^d2 and tells it to C3

Centimillionaire C20:

for each wealth bucket (1 through 100):

- Receives (x^(e1*...e19*e20))^(d1*...d19) from C19
- Raises it to the power d20. The result is

x^(2^k) mod (p*q)

where k-0..20 is the count of the centimillionaires in this particular bucket.

It's easy to determine the count k by enumeration of all 21 possibilities and comparing with the above result.

Thus after 39 calls Centimillionaire C20 knows the exact distribution of wealth. He needs to make 19 more calls to tell the result to the others. Or he can make one conference call.

Suppose Centimillionaires C1 and C3 conspire to learn the wealth of
C2. They know:

x^e1, (x^e1)^e2, x^(e2*...e20), x^(w*e3...e20)

where w is either 1 or 2 (depending if C2's wealth falls within the
bucket under consideration). Alas, the only way they can figure w is
to find out e2 -- by solving a discrete logarithm problem. If e2 is
chosen large enough, the solution is not feasible. This also shows
that all conversation above can be conducted in public. Even knowledge
of intermediate results does not compromise each centimillionaire's
privacy.

oleg-at-pobox.com or oleg-at-okmij.org or oleg-at-computer.org

Your comments, problem reports, questions are very welcome!