Available at:http://hdl.handle.net/2078.1/152571

[Downloaded 2019/04/19 at 09:54:52 ]

"Securely solving classical network flow problems"

Aly, Abdelrahaman ; Van Vyve, Mathieu

Abstract

We investigate how to solve several classical network flow problems usingsecure multi-party computation. We consider the shortest path problem, theMinimum Mean Cycle problem and the Minimum Cost Flow problem. To thebest of our knowledge, this is the first time the two last problems have beenaddressed in a general multi-party computation setting. Furthermore, our studyhighlights the complexity gaps between traditional and secure implementationsof the solutions, to later test its implementation. It also explores various trade-offs between performance and security. Additionally it provides protocols thatcan be used as building blocks to solve complex problems. Applications of ourwork can be found in: communication networks, routing data from rival companyhubs; benchmarking, comparing several IT appliances configurations of rivalcompanies; distribution problems, retailer/supplier selection in multi-level supplychains that want to share routes without disclosing sensible inform...

Document type : Communication à un colloque (Conference Paper)

Référence bibliographique

Aly, Abdelrahaman ; Van Vyve, Mathieu. Securely solving classical network flow problems.17thInternational Conference on Information Security and Cryptology - ICISC 2014 (Seoul, SouthKorea, du 03/12/2014 au 05/12/2014). In: Volume 8949 of the series Lecture Notes in ComputerScience pp 205-221,

DOI : 10.1007/978-3-319-15943-0_13

brought to you by COREView metadata, citation and similar papers at core.ac.uk

provided by DIAL UCLouvain

2014/57 ■

Securely solving classical network flow problems

Abdelrahaman Aly and Mathieu Van Vyve

Center for Operations Research and Econometrics

Voie du Roman Pays, 34

B-1348 Louvain-la-Neuve Belgium

http://www.uclouvain.be/core

D I S C U S S I O N P A P E R

CORE Voie du Roman Pays 34, L1.03.01 B-1348 Louvain-la-Neuve, Belgium. Tel (32 10) 47 43 04 Fax (32 10) 47 43 01 E-mail: corestat-library@uclouvain.be http://www.uclouvain.be/en-44508.html

CORE DISCUSSION PAPER2014/57

Securely Solving

Classical Network Flow Problems∗

Abdelrahaman Aly† Mathieu Van Vyve‡

November 2014

Abstract

We investigate how to solve several classical network flow problemsusing secure multi-party computation. We consider the shortest pathproblem, the Minimum Mean Cycle problem and the Minimum CostFlow problem. To the best of our knowledge, this is the first time thetwo last problems have been addressed in a general multi-party compu-tation setting. Furthermore, our study highlights the complexity gapsbetween traditional and secure implementations of the solutions, to latertest its implementation. It also explores various trade-offs between per-formance and security. Additionally it provides protocols that can beused as building blocks to solve complex problems. Applications of ourwork can be found in: communication networks, routing data from rivalcompany hubs; benchmarking, comparing several IT appliances configura-tions of rival companies; distribution problems, retailer/supplier selectionin multi-level supply chains that want to share routes without disclosingsensible information; amongst others.Keywords: Network Flows, Multi-party Computation, Secure Collabo-ration.JEL Classification: C61, C65.

∗This research was supported by the WIST Walloon Region project CAMUS and theBelgian IAP Program P7/36 initiated by the Belgian State, Prime Minister’s Office, SciencePolicy Programming. The scientific responsibility is assumed by the authors. The authors aregrateful to Edouard Cuvelier, Sophie Mawet, Olivier Pereira and the anonymous reviewers fortheir feedback.†Universite catholique de Louvain, CORE, B-1348 Louvain-la-Neuve, Belgium. E-mail:

abdelrahaman.aly@uclouvain.be‡Universite catholique de Louvain, CORE, B-1348 Louvain-la-Neuve, Belgium. E-mail:

abdelrahaman.aly@uclouvain.be

1

1 Introduction

Secure Multi-party Computation (MPC), studies the problem where severalplayers want to jointly compute a given function without disclosing their inputs;this problem was first addressed by Yao [1]. Different adversary models can beconsidered. A semi-honest setting, where corrupted players try to learn onlywhat can be inferred from the information they have been provided with; oran active setting, where they manipulate the data in order to learn from anypossible leakage caused. Several cryptographic primitives for secret sharing andhomomorphic encryption, e.g. Shamir scheme [2] and Pailler encryption [3],have been proposed to address the problem.

Applications have emerged naturally in different fields, for instance, whereall the secret information is sent by the players to a third trusted party whoonly reveals the final output. For example, in auctions, the auctioneer can beseen as a trusted third party. We study the scenario where no trusted thirdparties are allowed.

Since 1982, MPC has been in constant development [4, 5, 6, 7]. At first MPCwas regarded as a theoretical research project. Later, the advent of frameworkslike Fairplay [7], SEPIA [8] or the open source tool Virtual Ideal Functional-ity Framework (VIFF) [9], complemented by an improvement in performancebounds, fostered the appearance of real life applications e.g. Damgard et al. [10].Faster MPC protocols immediately followed [11], widening the spectrum for ap-plication development.

Classical network flow problems arise in real life applications in several ar-eas e.g. project planning, networking, supply chain management, productionscheduling. Combinatorial optimization, dynamic programing and mathemat-ical programming have yielded polynomial-time algorithms for many of theseproblems (a detailed treatment can be found in Ahuja et al. [12]).

Our central objects of study are the shortest path problem on weightedgraphs, the Minimum Mean Cycle problem (MMC) and the the minimum costflow problem (MCF). We present algorithms that address privacy preservingconstraints on these problems and solve them in polynomial time. We also em-pirically test the performance of our implementations. Finally, we show howto use our protocols as building blocks to solve more complex problems. Forexample, a WLAN network constructed by competing agents that want to se-curely compute, in a distributed fashion, their routing tables and the networkflow configuration that supports its maximum traffic volume at the minimumcost possible. The routing algorithms could use our shortest path protocol tosecurely define the routing tables. Moreover, a combination of the max flowalgorithm [13] with our minimum cost flow protocol could be used to obtain thedesired flow distribution securely. Note that for these types of application thenumber of vertices e.g. routers, is not necessarily very large.

1.1 Our Contributions

We provide algorithmic solutions to three classical network flow problems in amulti-party and distributed setting: the shortest path based on Dijkstra, theminimum mean cycle using Karp’s solution and the Minimum Cost Flow usingthe Minimum Mean Cycle Canceling (MMCC) algorithm. To the best of ourknowledge, this is the first time the last two problems have been studied under

2

Advance Impl.l Simple Impl. Complete Graphs Privacy Preserving Secure Comparisons

Dijkstra |E| + |V | · log(|V |) |V |2 |V |2 |V |3 |V |2

MMC |E| · |V | |E| · |V | |V |3 |V |5 |V |3

MMCC |V |2 · |E|3log(|V |) |V |2 · |E|3log(|V |) |V |8 · log(|V |) |V |10 · log(|V |) |V |8 · log(|V |)

Table 1: Asymptotic bounds of Original and Privacy-Preserving algorithmicversions

MPC security constraints. We also introduce a novel technique to hide thevertex selected at each iteration of Dijkstra’s algorithm, avoiding the overheadcaused by the use of special data structures e.g. oblivious data structures. Thisis particularly relevant on dense graphs. We refer the reader to Section 1.2 forfurther analysis. However, it has to be noticed that it is not the case for othergraph instances. Moreover, we show polynomial bounds for all three problemsrelying only on black box operations, discussed in detail in the following sections.The secret information can be distributed as pleased by the parties. Our workconsiders input data to be secret except for a bound in the number of verticesof the graphs, hiding the weights and costs of the edges as well as the topologyof the graph.First, we identify the best and more efficient algorithms that are suitable to workwith the limited FABB functionality. Then, we introduce secure versions of thesealgorithms, guaranteeing their correctness and provide their complexity bounds.We also report on computational experiments on running implementations ofthese algorithms using Python and VIFF (given its status as an open sourcetool, capabilities, performance and availability).Protocol Design. Performance is highly tied to the capabilities of the FABB .How crypto-primitives are implemented and their scalability i.e. number ofplayers, determine the general overhead of the protocols. Factors like the roundcomplexity of the arithmetic methods, performance of the comparison methodused, number of players, and parallelization capabilities, influence the overallprocess. Just as we do, traditional works abstract these details and focus solelyin the algorithm design.Security and Correctness. The security of our algorithms comes from the factthat we only use operations from the arithmetic black-box and prevent any in-formation leakage. This implies that the protocols are as secure as the MPCprimitives they are implemented over e.g. information-theoretic secure (see alsoSection 2.1). Furthermore the correctness of our algorithms is essentially in-herited from the correctness of the classical algorithms from which they arederived. More specifically, we modify the previously known and correct algo-rithms to avoid, in general, information leakage, while working on secret data,showing that these modifications do not alter their output.Complexity. We use atomic communication rounds as our main performanceunit to determine the complexity (round complexity) of our protocols. Besides,because of strong differences in performance between comparisons and multi-plications motivate trade-offs, limiting the use of comparisons in favor of morearithmetic operations. i.e. additions and multiplications.

Table 1 presents the complexity bounds we obtain. In all cases, the numberof comparisons matches the complexity of a best implementations on completegraphs. However, we need to introduce additional multiplications to hide thebranchings involved in the algorithms.

3

Prototyping. VIFF, provided the functionality needed to evaluate our proto-cols and measure their performance. Details on the framework can be found in[14]. VIFF delivers by default security against honest-but-curious adversaries,and can be configured to provide certain protections against active attacks e.g.[15]. Our tests show the effects, in terms of performance, that the implementa-tions of the crypto-primitives have in our protocols. Single rounded primitives,like multiplications can be consider to have a low performance cost (whateverit takes to send on a piece of secret shared or encrypted information towardsother players on single round). Depending on the bit-size of the data processed,a more complicated operations such as Toft’s comparison method used by VIFF[16], is ≈ 150 times less efficient than a multiplication. Current state of theart comparisons protocols [17] are still significantly more costly than multipli-cations.

1.2 Related Works

Extensive effort has been made on comparisons and equality tests under MPCe.g. [16, 18, 19, 20]. The most efficient, to the best of our knowledge, arethe comparison methods proposed by Limpa and Toft [17], with a sub-linearcomplexity bound on the online phase. Nonetheless, work has also been donefor other kind of applications using various MPC techniques.Sorting. Various sorting algorithms have been implemented using MPC. Goodrich[21] securely implements shell-sort. Jonsson et al. [22] show how to securely im-plement sorting networks. More recent work by Hamada et al. [23] and [24]on combinatorial sorting algorithms has been also proposed, as well as a data-oblivious version of a variant of the shell-sort called ”zig-zag” sorting [25] byGoodrich.Branching Programs. Branching mechanisms study the case where the decisionflows are determined by certain parametrization and the nature and value ofthe input. Several authors have considered a two-party setting where the userdoes not want to reveal its input and the server wants to privately computethe branching e.g. [26, 27, 28]. While security is maintained, leakage of infor-mation e.g. branching length, compromises the security of the algorithms forapplications like ours.Graph Theory Problems. Different alternatives to solve some graph theory prob-lems have been studied by Aly et al. [13], namely the shortest path and max-imum flow problems. They provide bounds on the Bellman-Ford and Dijkstraalgorithms. Our own bounds are slightly better with our version of Dijkstra,using different approaches. Indeed, [13] uses a searching array technique, sim-ilar to the one proposed by Launchbury et al. [29], to keep track of a secretshared index. Our proposed Dijkstra implementation does not require the useof this technique, eliminating its overhead. Edmonds-Karp and push-relabelbounds are provided as well for the maximum flow problem. As in our case,their implementations are secure in the information-theoretic model relying onthe same arithmetic black-box FABB . Brickell and Shmatikov have addressedthe shortest path problem on a two-party case, limited to the honest by curiousmodel. They succeed by revealing at each iteration the new edge of the shortestpath added. Our approach attacks the problem in a different fashion by elimi-nating this requirement. Moreover, our algorithms assume the capabilities thearithmetic black-box used, and are therefore not limited to the two-party case.

4

Finally, Banton et al. [30] have proposed data-oblivious alternative for theBreath-First-Search (BFS) algorithm, which is later used to solve the specialcase of the shortest path problem where all edges have the same weight e.g.all existing edges weight 1 and non-existing 0. We consider instead the moregeneral case with weighted graphs. Additionally, they use their BFS algorithmto provide bounds for the Max-Flow problem, where weighted edges with a pos-itive residual capacity are mapped as 1 and its counterparts as 0, extending thedefinition of an existing edge.Linear Programming. Solutions for linear programming have been proposed byseveral authors [31, 32, 33]. All three solve the problem by using the simplexalgorithm. Toft in [32] revises security weaknesses on Li and Atallah [31] propo-sitions and presents termination conditions and methods for the algorithm, giventhat simplex has no polynomial-time complexity.Oblivious data structures over ORAM. Data structures are used to speed-up Di-jkstra’s algorithm and achieve its optimal complexity. ORAM has been viewedas a suitable mechanism to build oblivious distributed data structures with thecorresponding overhead and configuration e.g. The work of Wang et al. [34] de-signed to work on a client(s)-server configuration. Moreover, secure two-partycomputation protocols have been developed to take advantage of the recentadvances on ORAM e.g. [35, 36]. The two-party tool and algorithmic im-plementations of Liu et al. [37] securely address the shortest path and othercombinatorial problems by using these kinds of data structures. More recently,Keller and Scholl [38] show how to use oblivious data structures on a multi-partysetting, where none of the players have to fulfill the role of the server. Further-more, they use their data structures to implement Dijkstra’s algorithm. Theirexperimentation shows how some MPC solutions in the absence of ORAM canperform better for certain kinds of graphs than their proposed counterparts i.esamples of smaller-to-medium sizes and complete graphs of any size. This is eas-ily explained by the fact that the overhead coming from the ORAM exceeds theasymptotic advantage of the algorithms. Indeed, we address the problem differ-ently, our Dijkstra algorithm is designed to work on plain vectors and matricesand does not require any secure data structure construction, slightly improvingthe bounds proposed by Aly et al. [13], who’s work is later used in Keller andScholl’s analysis. This allows us to avoid any overhead caused by the use ofORAM or static secret sharing arrays. We refer to [38] for details.

1.3 Overview

Section 2 describes the notation we use, as well as the cryptographic primitives.It also serves to introduce ”building blocks” i.e. small algorithmic proceduresregularly used. In Section 3 we present a solution for Dijkstra. Section 4 in-troduces the minimum mean cycle problem. Section 5 then explains the imple-mentation using MPC primitives. Section 6 gives an overview of the minimumflow problem and the minimum mean cycle-canceling algorithm. In the sectionsahead, details on the algorithm are presented. Following this, Section 7 specifiesthe secure formulation of the problem and gives some general remarks, it alsoprovides the body implementation of the algorithm with MPC primitives andcontemplate early termination conditions. Section 8 shows the results of ourcomputational experimentation. Lastly, Section 9 provides general conclusions.

5

2 Preliminaries

2.1 Security

We use the terms ”securely” and ”privacy preserving” indistinctly. We cansuccinctly formalize their notion as follows: parties P1, ..., Pn want to jointlyand correctly compute the function y = f(x1, ..., xn) where xi is Pi secret input.The security constraints are as follows: only y is allowed to be revealed to allparties. In other words, the security constraint is such that each player Pi learnsy and what can be inferred from y, but no more. In particular, any informationgiven during the computation process should not allow him to infer informationabout other secret inputs.

Additionally, all our protocols are designed under the information-theoreticmodel in the presence of passive or active adversaries over FABB . This impliesthat as long as the parties do not have access to other private data but their own,unbounded computing power would not allow them to obtain any additionalinformation. This means in practice that they will be as secure as the underlyingMPC functionality and crypto-primitives they rely on.

2.2 Cryptographic Assumptions

Modulo arithmetic for some M or ring arithmetic allows to simulate secureinteger arithmetic. Indeed, several multi-party computation solutions have beendesigned to work on modulo arithmetic for an appropriate M e.g. a sufficientlybig prime number (transforming the ring in a finite field over some M, ZM ),such that no overflow occurs. This is true for secret sharing schemes the likesof Shamir [2] sharing or additive sharing, as well for homomorphic thresholdpublic key encryption.

Primitives like addition between secret shared inputs on secret sharing, aswell as additions and multiplications of these by public values, are linear oper-ations and do not require any information transmission between players. Whendata is communicated between players it is called a communication round or justround. For complexity analysis purposes, we require constant-round protocolsfor multiplications. By extension, sharing and reconstruction are done in oneround as well. There are still local operations involved with all the primitives,but the performance cost is mainly determined by the communication processes,as explained by Maurer [39]. We assume that the execution flavor i.e. sequentialand parallel, does not compromise the security of the private data.

2.3 The Arithmetic Black-Box

Multi-party computation, by privately sharing inputs, can be performed in dif-ferent ways, (using homomorphic encryption techniques e.g. [3, 40, 41], orsecret sharing formulations, like the one introduced by Shamir [2]). The con-cept of the arithmetic black-box FABB [42] embeds this behavior and makesthe process transparent for the algorithm designer. It creates an abstractionlayer between the protocol construction and functionality specificities, and atthe same time it provides the security guarantees desired. Following [42, 19, 13],we assume the following functionalities are available: storage and retrieval ofring ZM elements, additions, multiplications, equality and inequality tests.

6

Several MPC schemes for all of these operations have been proposed in thelast 30 years. Multiplications have been addressed by [5, 43, 44] amongst others.As mentioned, comparisons with statistical security and sub-linear complexityon the on-line phase have been explored in [19, 17], and perfect security inconstant rounds by [45, 18, 20, 17].

2.4 Notation

We use the traditional square brackets e.g. [x], to denote secret shared orencrypted values contained in the FABB . This notation is commonly used bysecure applications [45, 20, 13]. Sometimes [∞] is used on our algorithms. Giventhat the FABB is limited by the size of M , this value, has to be understood asa sufficiently large constant smaller than M but much bigger than the values ofthe inputs, and depending on the application on which it is going to be used. Ithas to be noted that some comparison protocols require a security parameter onthe size of M that has to be taken into account when defining its size. Moreover,secure operations are described using the infix operation e.g. [z]← [x] + [y] forsecure addition into the FABB and [z]← [x] · [y] for secure multiplication. Thesecret result of any secure operation primitive is stored in [z] and onto the FABB .This notation covers all operations performed with secret values, including thoseperformed with public scalars and secret values.

We define two repeatedly used subroutines to improve readability and sim-plify expressions. They only use the primitives available in the FABB and workunder the same general assumptions.

conditional assignment : Overloaded functionality of the assignment op-erator represented by [z]←[c] [x] : [y]. Much like in [37, 32, 13], the behaviorof the assignment is tied to a secretly shared binary condition [c]. If [c] isone, [x] is assigned to [z] and [y] otherwise. Our version employs a singlemultiplication for that purpose. Protocol 1 shows the implementation ofthe conditional assignment, using only supported FABB operations. Thesubroutine can be extended for other mathematical structures i.e. vectors,matrices.

Protocol 1: Implementation of secure conditional assignment.

Input: Binary expression [c], assignment values [x] and [y].Output: Value [z] containing [x] if 1 and [y] if 0, evaluated according the

binary expression [c]1 [a]← [c] · ([x]− [y]);2 [z]← [y] + [a];

conditional exchange : We define the operator condexch([c], i, j, [v]). Itexchanges the values held in position i and j of secretly shared vector [v] ifa secretly shared binary condition [c] is 1 and leaves the vector unchangedotherwise. We describe the algorithm as protocol 2. We also extend thisoperator to work with matrices. In that case both ith and jth rows andcolumns are swapped.

7

Protocol 2: condexch: Exchanges the values of 2 different vector positions

Input: Any vector [v]. Indexes i, jOutput: The vector [v] with values i,j swapped if [c] true.

1 [a]← [c] · ([v]j − [v]i);2 [v]i ← [v]i + a;3 [v]j ← [v]j − a;

2.5 On Network Flows and Matrix Representation

The number of vertices in the graph or at least an upper bound on them areassumed to be publicly known with no restrictions on how the information isdistributed amongst the players. Following [13, 30, 38] our protocols assumecomplete graph representation for their inputs, as a tool to hide the graphstructure. That is why an adjacency matrix representation of the graph, usingthe bound as its size, is preferred. Capacities and/or costs of the edges arerepresented as elements in matrices. This allows the algorithm designer todecouple the graph representation from its topology. The application designerhas to define how information of the topology is actually distributed and whatis hidden. For instance, if its known that each player owns at most a singlevertex, then, each player has to secretly share a row of a capacity adjacencymatrix where he places a [0] at each unconnected vertex position or [∞] if its acost matrix.

We briefly describe some general definitions on graph theory that are of-ten used during the following sections. Ahuja et al. [12] provides more formalnotions.

Strong Connectivity: Is a special case of a directed graph G = (V,E)where, there is at least one path from every vertex to any other vertex.

Residual Capacity: Is the difference between the capacity of an edge (v, w) ∈E and the flow circulating over it.

Residual Graph: Is the associated network defined by all edges with pos-itive residual capacities.

Walk: Is a sequence of contiguous edges (v1, w1), ..., (vk, wk) such that wi =vi+1 for all 1 ≤ i ≤ n− 1 and (vi, wi) ∈ E for all 1 ≤ i ≤ n.

Path: A path is a walk of G where no vertex is visited more than once.Every path, by definition is a walk, but not all paths are walks.

Cycle: A cycle is a special path (v1, w1)...(vd, wd) ∈ E where v1 = wd.Every cycle by definition is a path, but not all paths are cycles.

3 Dijkstra’s Algorithm

The algorithm provides a greedy way to find the shortest path from a sourcevertex s in a directed connected graph with non-negative capacities. Basically,it selects the vertex with the smallest accumulated distance and then propagatesthe path forward until all vertices have been explored. This ensures to get the

8

Protocol 3: Shortest Path Protocol based on Dijkstra’s algorithm

Input: A matrix of shared weights [U ]i,j for i, j ∈ {1, ..., |V |} and a unitvector [S] encoding the source vertex.

Output: The vector of predecessors [P ] and/or the vector of distances[d]i.

1 for i← 1 to |V | do2 [π]i ← i; [d]i ←[Si] [0] : [∞]; [P ]i ← i[S]i;3 end4 for i← 1 to |V | do5 for j ← |V | to i+ 1 do6 [c]← [d]j < [d]j−1;7 ([π], [P ], [d], [U ])← condexch([c], j, j − 1, [π], [P ], [d], [U ]);

8 end9 for j ← i+ 1 to |V | do

10 [a]← [d]i + [U ]i,j ;11 [c]← [a] < [d]j ;12 [d]j ←[c] [a] : [d]j ;13 [P ]j ←[c] [π]i : [P ]j ;

14 end

15 end

shortest path from a source vertex to all other vertices in the graph. To findthe shortest path to a single vertex is also possible. Our secure implementationcan be adapted to detect at each iteration whether the target vertex has beenreached to stop the algorithm.Adapting Dijkstra to MPC. The input data in our case is a weighted adjacencymatrix [U ] where non existing edges are represented by [∞]. Dijkstra’s algorithmtreats the vertices of the graph in an order that depends on the capacities of theedges. The main challenge is to hide this order. Earlier work [13] has proposedto hide the position of the vertex accessed by using a secretly shared unaryvector [0, 0, ..., 0, 1, 0, ..., 0]. We introduce a different technique. The basic ideais to exploit the symmetry in the data structure. More precisely, the numberingof the vertices or equivalently, the position of a vertex in the data structure isindifferent for the algorithm. We exploit this by positioning at iteration i, thevertex with the lowest distance in position i. That way we align the vertexexploration of our protocol with the secret data stored in all the structures.This enables us to gain in the number of operations performed because we canavoid considering edges pointing to vertices already explored. The algorithm isdetailed as Protocol 3.Correctness Because the algorithm constantly reshuffles the positions of thevertices in all matrices and vectors used, we need to (secretly) track the positionof the vertices. This is the role of the vector π. Throughout the algorithm πjholds the node number that is currently in position j.

The loop on lines 5-8 determines the untreated vertex with current minimumdistance. This vertex is brought to position i in all data structures. Loopon lines 9-14 scans all edges leaving node in position i to all other untreatedvertices (positioned after i). If the edge improves the current best path (Line11), the current best distances and predecessors are updated (Lines 12-13). The

9

predecessor of node i is recorded as Pj . If the path needs to be kept secret andsubsequently used in a parent protocol, then it would be more suitable to recordthis information in a matrix with Pi,j = 1 indicating that the predecessor of iis j (and 0 otherwise). It is easy to adapt the algorithm for this case.Security. Following the correctness analysis, the protocol does not need to leakintermediate values on any inner process. Moreover, Operations are provided bythe FABB . Additionally, The number of operations depends solely on the upperbound on the number of vertices (we assumed this to be public), therefore thesame follows for the execution CPU time and memory usage. These adheres toour definition of security, no player learns anything but the output.Complexity. The algorithm performs |V |2 +O(|V |) comparisons (at Lines 6 and

11) and 4·|V |33 + O(|V |2) multiplications, dominated by Line 7 (the 4/3 factor

is 4 times the sum of the square of the integers 1 to |V |). This distinction isimportant for small graph instances where the comparison complexity dominatesover round complexity.

The performance of our privacy preserving version of Dijkstra has an extrafactor of |V | when compared with a vanilla implementation. Brickell [46] elimi-nates this overhead by revealing at each iteration the current shortest path. Ourapproach does not leak any information but the final shortest path. Moreover,it can also be extended to obtain the shortest path between any pair of vertices(v, w) ∈ V . It can also be seen that no special data-structure is needed, givingthe FABB autonomy on the crypto-primitive selection.

4 Minimum Mean Cycle Problem

The Minimum Mean Cycle problem (MMC) is to determine (on a directed graphG = (V,E) with edge costs C) the cycle W with the minimum averaged cost(total cost divided by the number of edges in W ). The original description ofthe problem and algorithms can be found in [47, 48, 49, 50].

Our interest on the MMC problem comes from the fact that it is used asa subroutine to solve the minimum cost flow problem by the minimum meancycle canceling algorithm [51]. It is also used by other algorithms of the samenature. More details like applications, proofs and algorithms can be found in[12]. The following analysis assumes strong connectivity on G. In case a graphinstance does not provide enough edges to fulfill this requirement, edges with avery large cost can be added to the graph.

The solution proposed by Karp [50] can be divided in two steps. First, wearbitrarily define a vertex s to be the origin of all paths to all vertices in V .Let dk(i) be the smallest weighted walk from s to the vertex i that containsexactly k edges. The walk obtained might contain one or several cycles. Then,we calculate dk(v) ∀v ∈ V with k from 1 to |V |. The following shows how tocompute this recursively:

dk(j) = min{i:(i,j)∈E}

{dk−1(i) + cij}, (1)

where d0(s) = 0 and d0(v) =∞ ∀v ∈ {V − s}. Second, we calculate the cost ofthe minimum mean cycle as:

µ∗ = minj∈V

max0≤k≤|V |−1

[d|V |(j)− dk(j)

|V | − k

](2)

10

This expression can be intuitively explained as follows. Let j∗ and k∗ the indexesachieving µ∗. Then d|V |(j∗) is the cost of a walk containing the cycle W anddk∗(j∗) is the cost of the same walk with the cycle removed e.g. it is a path. The

difference between the two yields the cycle cost. Proofs can be found in [50]. Astrictly positive or negative µ∗ means that at least a positive/negative cycle ispresent with µ∗ as its mean. A case where the answer is 0 might also mean nocycle was found in the graph. The algorithm can be extended to find the cycleW as part of the answer. Overall algorithmic complexity is O(|V ||E|).

5 Privacy-Preserving Minimum Mean Cycle So-lution

The privacy-preserving solution we introduce follows the steps provided by theprevious section. Moreover, each step and the whole protocol are designed to beused as sub-routines. As usual, our approach assumes all input data is in secretform, including the adjacency matrix of costs [C], where non-existing edges arerepresented by [∞]- except the upper bound on the number of vertices. Ad-ditionally, all quantities are integers bounded by some M i.e. bigger than thegreatest quantity to be analyzed, but still much smaller than the size of the fieldZM to avoid overflows, and the edge costs as an adjacency matrix. The final goalof the protocol is to obtain not only the mean cost of the minimum cycle, butthe cycle itself as well. We use the function getmincycle to refer to the protocol.

Correctness. First, we have to replicate the result of equation (1). We selectnode 1 as the source node s. Implementing the recursion is fairly straightforwardas the order in which the edges are scanned does not depend on the input.The more difficult task is to encode the walks. To that end, we define the 4-dimensional matrix [walk] where [walk]i,j,k,l is the number of times the edge(i, j) is traversed by the shortest walk of length k from s to l. Also, because ofthe specific way we want to use our secure version of the MCC algorithm as asub-routine, we define an additional argument [b] to the protocol. Specifically,[b]i,j = 1 indicates that the edge (i, j) is forbidden, i.e. cannot be part of thesolution. The algorithm is detailed as Protocol 4.

Loop 5-8 checks whether edge (i, j) improves the walk of length k from sto j. This is done by comparing the best one found so far with cost [A]jk to[A]ik−1 plus the cost of edge (i, j). Depending on the result, the best costs andwalks are updated.

Second, we adapt (2) to obtain the value of the minimum mean cycle, aswell as the encoding of the cycle. We achieve it by iterating over the matrices[A] and [walks] generated in the first step. The only difficulty is to workaroundthe non-integer division. In place of any costly procedure, we keep track ofthe numerators and the denominators separately, and compare only the crossmultiplication instead. The minimum mean cost cycle is encoded as a |V | ×|V | matrix [min − cycle] where [min − cycle]ij = 1 if the edge (i, j) is partof the minimum mean cycle. The rest of the algorithm is a straightforwardimplementation of (2). The details are provided as Protocol 5.Security. Like with our Dijkstra implementation, no intermediate data is re-leased and the operations are provided by the FABB , following our definition of

11

Protocol 4: First step of: MMC protocol based on Karp’s algorithm

Input: A matrix of shared costs [C]i,j for i, j ∈ {1, ..., |V |}, a binarymatrix on viable edges [b]i,j for i, j ∈ {1, ..., |V |}.

Output: A matrix of walk costs [A]i,k for i ∈ {1, ..., |V |} andk ∈ {0, ..., |V |}, a walk matrix walksij for i, j ∈ {1, ..., |V |}encoding these walks.

1 [A]← [∞]; [A]00 ← [0]; [C]← [C] + [∞](1− [b]);2 for k ← 1 to |V |+ 1 do3 for j ← 1 to |V | do4 for i← 1 to |V | do5 [c]← [A]ik−1 + [C]ij < [A]jk;6 [A]jk ←[c] [A]ik−1 + [C]ij : [A]jk;7 [walks]··kj ←[c] [walks]··k−1i : [walks]··kj ;8 [walks]ijkj ←[c] [walks]ijkj + 1 : [walks]ijkj ;

9 end

10 end

11 end

Protocol 5: Second step of: MMC protocol based on Karp’s algorithm

Input: A matrix of walk costs [A]i,k for i ∈ {1, ..., |V |} andk ∈ {0, ..., |V |}, a walk matrix walksij for i, j ∈ {1, ..., |V |}encoding these walks.

Output: The cost of the minimum mean cycle [min− cost]. A matrixwith the minimum mean cycle [min-cycle]i,j fori, j ∈ {1, ..., |V |}.

1 for j ← 1 to |V | do2 [max-cycle], [max-cost]← ∅;3 for k ← |V | to 1 do4 [a-num]← [A]j(|V |+1) − [A]jk;5 [a-den]← |V | − k;6 [c]← [k-num] · [k-den] < [a-num] · [k-den];7 [k-num]←[c] [a-num] : [k-num];8 [k-den]←[c] [a-den] : [k-den];9 [max-cycle]←[c] [walks]··|V |j − [walks]··kj : [max-cycle];

10 [max-cost]←[c] [A]jk : [max-cost]

11 end12 [c]← [j-num] · [k-den] > [k-num] · [j-den];13 [j-num]←[c] [k-num] : [j-num];14 [j-den]←[c] [k-den] : [j-den];15 [min-cycle]←[c] [max-cycle] : [min-cycle];16 [min-cost]←[c] [max-cost] : [min-cost]

17 end

12

security. Complexity. In total (Protocols 4 and 5), our implementation of MMCrequires O(|V |3) (Line 5 of Protocol 4) and O(|V |5) multiplications or communi-cation rounds (from the conditional assignments of Lines 7 and 8 of Protocol 4).One might ask whether this could not be brought down to O(|V |4) by encodingthe walks in Protocol 4 as a 3-dimensional matrix holding the predecessor nodeof each node. However, reconstructing the walks for the operation performed atLine 9 of Protocol 5 would then need O(|V |5) conditional assignments insteadof the currently O(|V |4). So we prefer to stick with our simple and as efficientapproach.

6 Minimum Cost Flow Problem

The Minimum-Cost Flow problem (MCF) is of finding a feasible flow in a capac-itated directed graph G = (E, V ) that minimizes the costs (proportional to themagnitude of the flows). The problem can be modeled as a linear program butthere exists more efficient strongly polynomial time combinatorial algorithms,see [12, 52]. The more traditional minimum capacitated cost flow problem canbe shown to be equivalent to the transshipment and the minimum-cost circula-tion (MCC) problem.

Formally, the MCC problem is of finding a capacitated flow in a symmetricgraph G = (E, V ) of minimum cost. The problem can be modeled as follows:

min1

2

∑v,w∈E

Cv,wfv,w (3)

subject to fv,w ≤ Uv,w ∀(v, w) ∈ E (4)

fv,w = −fw,v ∀(v, w) ∈ E (5)∑v∈E(w)

fv,w = 0 ∀w ∈ V (6)

Here the graph is assumed to be symmetric, i.e. for every (v, w) ∈ E thereis an edge (w, v) ∈ E. Each edge (v, w) has a maximal capacity Uv,w anda cost Cv,w per unit of flow. Additionally, all costs are antisymmetric, i.e.c(v, w) = −c(w, v) ∀(v, w) ∈ E. The variable f represents the amount of flowpassing through an edge. Using this notation, the residual capacity can beformally defined as rv,w = Uv,w − fv,w.

Constraints (4) are the capacity constraints. Constraints (5) are the flowantisymmetry constraints. Constraints (6) are the flow conservation constraintsat each node. This characterization of the problem is the same used by Goldbergand Tarjan [51] for their description of the MCC problem using the MinimumMean Cycle-Canceling algorithm (MMCC). It can be seen as a variant of thenon-polynomial cycle-canceling algorithm proposed by Klein in [53], but wherethe next cycle to be canceled is chosen by finding the minimum mean cost cycle.The change makes the algorithm strongly polynomial, i.e. its complexity onlydepends on |V | and |E| and no other parameter.

The algorithm is based on the finding of Busacker and Saaty [54], whichasserts that a circulation with no residual negative cost cycles is of minimalcost. Moreover, the algorithm can be characterized as follows:

1. Initialize the feasible circulation of as 0.

13

2. Obtain the minimum mean cycle W in the associated residual graph.

3. Set δ ← min{(v, w) ∈Wrv,w}.

4. Augment the flow by δ along the cycle W .

5. If there are still negative cycles goto 2.

Basically, we compute the cycle with the minimum negative average cost W inthe associated residual graph. Then, we augment the flow along this cycle untilan edge reaches its capacity. This process is repeated until no negative cycle isfound. Its complexity is O(|V |2 · |E|3 · log |V |).

7 Privacy-Preserving Minimum-Cost Flow Prob-lem

The input data are the capacity and cost adjacency matrices [U ] and [C], wherenon-existing edges are represented by [0] on the capacity matrix and by [∞] onthe cost matrix. As usual, all input data is secretly shared, except the bound onthe number of vertices. We assume all values are integer and of a bounded sizemuch smaller than M to avoid overflows in the field ZM . The solution is to beprovided as the flow matrix [F ] and total cost [totcost]. The final compositionof [F ] might leak some details on the graph’s topology depending on the answer.The protocol can be used as a sub-routine for more complex applications in casethe final output is kept private. Once the MMF problem is modeled as a MCCproblem, it is sufficient to securely solve the minimum circulation problem usinga privacy-preserving implementation of the MMCC algorithm to obtain a flowof minimum cost.Adapting the MMCC algorithm. If one wants to avoid any leakage of informa-tion, an important difference between a standard implementation and a secureone is that the augmenting flow process has to be repeated as many timesas the worst case analysis guarantees, instead of stopping it as soon as nonegative cycle is detected. We call each flow augmentation along the cyclea phase/iteration. We use the bound provided by Goldberg and Tarjan on [51]:|V ||E|2 log |V |+ |V | · |E| flow augmentations at most. Note that this is not anasymptotic bound. Given that we also hide the graph structure, |E| has to bereplaced by |V |2 in our complexity estimates. Our secure protocol requires toperform that many iterations to guarantee correctness with no leakage. Possiblestopping conditions to reduce the number of iterations are considered later inthis section.Protocol 6 shows our privacy-preserving solution for the MMCC algorithm,which is a straightforward translation of the algorithm outlined above.Correctness. The initial solution is set to zero at Line 1. The body of the mainloop is one flow augmentation phase. It starts by calling our secure implemen-tation of the Min Mean Cycle problem, leaving out saturated edges. Loop 5-9computes the maximum augmentation possible along the cycle identified. If thecycle has non-negative cost, this augmentation is set to zero at Line 10, beforeupdating the cost of the solution. Then the flow itself is augmented at Loop12-17.Security. Following the previous protocols, the current solution does not leak

14

Protocol 6: Privacy-preserving MMCC

Input: |V | × |V | matrices of shared capacities [U ]i,j and shared costs[C]i,j .

Output: The |V | × |V | matrix of flows [F ] and the associated total cost[totcost].

1 [F ], [b], [totcost]← 0 ;2 for k ← 1 to |V |5 log |V |+ |V |3 do3 [cost], [cycle]← getmincycle([C], [b]);4 δ ← [∞];5 for (i, j) ∈ [U ] do6 [r]← [U ]ij − [F ]ij ;7 [c]← [min− cycle]ij · ([δ] > [r]);8 [δ]←c [r] : [δ];

9 end10 [δ]← [δ] · ([cost] < 0);11 [totcost]← [totcost] + [δ] · [cost];12 for (i, j) ∈ [F ] do13 [c]← [cycle]ij ;14 [F ]ij ←c [F ]ij + [δ] : [F ]ij ;15 [F ]ji ←c [F ]ji − [δ] : [F ]ji;16 [b]ij ← [U ]ij − [F ]ij > 0;

17 end

18 end

intermediate values and uses FABB operations to calculate secret data, respect-ing our definition of security.Complexity. The most costly operation during one augmentation phase isthe call to getmincycle with O(|V |3) comparisons and O(|V |5) communicationrounds. The overall complexity isO(|V |8 log |V |) comparisons andO(|V |10 log |V |)communicational rounds. As mentioned above, one main difference between oursecure Minimum Cost Flow algorithm described above and a standard imple-mentation is that, to guarantee no leakage of information, we have to executeas many iterations as in the theoretical worst case. This makes the practicalperformance of the algorithm much worse than a standard implementation be-cause, in most practical applications, it is expected that the number of iterationsneeded to find the optimal solution is much smaller than the theoretical upperbound. Of course, one could easily publicly reveal the outcome of the test per-formed at Line 10 of Protocol 6 and stop the algorithm if the cost of the cycleis non-negative. But some information would be leaked.

To limit the amount of information leaked, several strategies are possible.One is to open the test every K iterations, with K being a publicly knowninteger. Another solution is to multiply the result of the test by a random bit(for = 1 with probability p) to statistically hide the result. These two wouldalso be combined. In both cases, the parameters (K and/or p) would controlthe trade-off between performance and information leaked.

15

8 Computational Experiments

Although we can determine theoretical bounds for our protocols, processing timeis also constrained by a variety of phenomenons; the way on which the securearithmetic functionality is implemented and the infrastructure were prototypesare executed affect their running time in real life applications. Therefore, we alsowant to empirically test the performance of these algorithms. More specificallywe want to analyze the following aspects.Measure the size of solvable instances using currently available MPC frameworke.g. (VIFF). The theoretical bounds only give a rate of increase with the sizeof the instance. They do not say anything about the actual computing time.Also, the scalability on VIFF is a concern. Our interest is to determine what isthe size of the instances that can be solved in a “reasonable” amount of time.Moreover, we want to determine the impact that the number of players and thesize of the graph instances have on CPU time performance. As it was mentionedVIFF was chosen, given its availability (open source) and easy coupling withlarger applications.Comparison between complexity bounds and practical behavior. Implementingthe protocols described is a good way to check and demonstrate that no aspectof the problem has been neglected in our analysis.Overhead of secure vs. non-secure implementations. Real life applications, inmany cases, employ a trusted third party to share and compute their infor-mation. It executes a non-secure implementation of an algorithm solving theproblem, and then reveals to the players the final output only. In this context,we try to determine the real overhead in performance of an implementation withsecure and a non-secure implementation of the protocols studied.

To answer these questions, we have run the following implementations :Standard non-secure version (SNSV). Solves the shortest path and minimumcapacitated cost flow problem with a vanilla (in this case, no optimized datastructure like a binary tree is used) implementation of the Dijkstra and MMCCalgorithms. Indeed, this algorithm could effectively be used by a third partyto compute the shortest path and MCF problems. We use it for benchmarkingagainst other implementations.Secure version with VIFF (VVIFF). We use VIFF to implement our privacy-preserving MMCC and Dijkstra algorithms and use it for benchmarking.Secure version zero-cost Functionality (ZCOST). On this prototype, we assumethe performance cost added by the secure functionalities of our FABB to be 0.We build our algorithms using nothing but Python. The goal is to differentiatebetween the overhead introduced by the FABB itself, and the overhead intro-duced by everything else in VIFF. Under this paradigm, we once again, measurethe performance of our Dijkstra and MMCC implementations. We use the datafor benchmarking against our algorithm’s realistic times obtained with VIFF,and the standard prototype. Another strong motivation comes from how VIFFmanages its memory and its strong effect on performance. Indeed, it is clearlyvisible when a relatively large amount of operations are performed. Moreover,it can be seen on our experimentation. That way we can have a clean view ofthe behavior of the prototypes.

VIFF benefits from passive security under the information theoretic modelon the multi-party case. VIFF provides access to Shamir secret sharing [2] andBGW multiplications [55] optimized by Gennaro et al. [56]. For comparisons

16

Number of vertices 4 8 12 16 20

Execution times (in seconds)3 Players 0.9 5 14 28 484 Players 1 7 17 34 57

Table 2: CPU Time of protocol 3

we use the most recent Toft comparison method implemented [16]. VIFF wasselected because it is freely and openly accessible. Additionally, for our exper-iments we use randomly generated complete graphs. All results presented areaveraged over 20 instances of the same size with 3 and 4 players.

All trials used the same workstation, an Intel Xeon CPUs X5550 (2.67GHz)and 42GB of memory, running Mac OS X 10.7. Additionally, every single processhad the same amount of CPU power and memory available. Execution timesobtained from the non-secure implementations are in the order of microseconds.This means that the times can be highly influenced by noise during the tests.To normalize the noise, we execute the standard non-secure implementationsone hundred thousand times and then report the averages.

8.1 Shortest Path Problem

Table 2 shows the results obtained by our VVIFF shortest path prototype:Additionally, we could run instances, using adjacency matrices, with a total

of 4032 edges/matrix entries, taking around 18 minutes. The spike in computingtime while working with these big instances follows the fact of the difficulty tomanage the memory for large graph instances.

Figure 1 also shows the CPU time and respective ratios calculated from ourdifferent implementations:

17

4 6 8 10 12 14 16 18

10

20

30

40

50

Number of vertices

Tim

e(C

PU

seconds)

3 Players4 Players

(a) CPU VVIFF

4 6 8 10 12 14 16 18

2

4

6

8

·104

Number of vertices

Ratio

(CPU

Tim

e)

3 players4 players

(b) VVIFF vs. SNSV

4 6 8 10 12 14 16 18

0.4

0.6

0.8

1·104

Number of vertices

Ratio

(CPU

Tim

e)

3 players4 players

(c) VVIFF vs. ZCOST

4 6 8 10 12 14 16 18

5

10

15

20

Number of vertices

Ratio

(CPU

Tim

e)

(d) ZCOST vs. SNSV

Figure 1: Dijkstra CPU Times and Ratio Analysis

From this we can conclude the following:

- We can solve securely, in reasonable time, shortest path problems on com-plete graphs of sizes up to 64 vertices over VIFF.

- As expected, the number of players, have little incidence on the general be-havior, given that in VIFF performance cost increases linearly in the numberof players [14].

- Compared to the standard implementation, roughly a factor of 5000|V | isneeded to securely solve the Dijkstra algorithm on VIFF.

- Roughly an extra factor of 1.4|V | is needed when executing crypto-primitiveshave 0 cost, to solve the problem securely.

- Combining the two previous remarks, we conclude that out of the 5000|V |overhead of our SMC implementation, the factor |V | is explained by algorith-mic design, a factor 1.4 is due to non-crypto related VIFF implementation,and the rest (a factor of a few thousands) is due to the crypto-related VIFFimplementation.

- Finally, for larger graphs, the ratio between execution time of VVIFF andZCOST decrease. This can easily be explained by the fact that it is thenumber of multiplications that gains importance as opposed to the numberof comparisons, and that multiplications are substantially cheaper.

18

A general conclusion is that security in our implementation comes at a veryhigh cost, but not so high as to make the approach completely out of questionin practice.

8.2 Minimum Flow Problem

For the minimum flow problem, we measure the time a single phase (one iter-ation of Protocol 6) takes to be executed, given that stopping conditions withsome leakage can substantially reduce the number of phases needed e.g. A graphwith a single cycle would only take one phase to be completed. To estimate theexecution time of the full algorithm, it suffices to multiply this by the knownnumber of phases needed. Our analysis includes the ratio between the time ittakes the SNSV prototype to find an answer and the privacy preserving ver-sions full execution time to guarantee correctness with no leakage. The resultsof these experiments can be found in Table 3 and Figure 2.

Number of vertices 4 5 6 7 8 9

Execution times (in seconds)MMCC Phase - 3 Players 11 21 35 56 84 125MMCC Phase - 4 Players 13 24 42 65 100 147

Table 3: Execution times per phase MMCC Algorithm for a complete graph.

4 5 6 7 8 9 10

20

40

60

80

100

120

140

Number of vertices

Tim

e(C

PU

seconds)

3 players4 players

(a) CPU VVIFF-Phase

4 5 6 7 8 9 10

0.5

1

1.5

2

2.5·1010

Number of vertices

Ratio

(CPU

Tim

e)

3 players4 players

(b) VVIFF vs. SNSV

4 5 6 7 8 9 10

0.4

0.6

0.8

1·104

Number of vertices

Ratio

(CPU

Tim

e)

3 players4 players

(c) VVIFF vs. ZCOST

4 5 6 7 8 9 10

2

4

6

8

·106

Number of vertices

Ratio

(CPU

Tim

e)

(d) ZCOST vs. SNSV

Figure 2: Secure MMCC CPU Times and Ratio Analysis

From these we can conclude the following:

19

- The fully secure version of our implementation is highly costly in terms ofperformance even for very small instances. This highlights the necessity ofusing termination conditions.

- Once again, the influence of the extra player has little incidence on theoverall performance time.

- The overhead of our secure implementation versus a standard one is of theorder of 2.5 · 108|V |2. Note that both algorithms have different complexityfunctions and vanilla versions of the algorithm typically converge towardsan answer before reaching its worst case complexity.

- Again, one can observe that the multiplications absorb a larger fraction ofthe computing time as the size of the instances increases.

9 Conclusions and Future Work

Strongly polynomial-time algorithms are appealing for MPC implementationsbecause, as the worst-case complexity is polynomial, it is possible to obtainfully secure (i.e. no leakage) and theoretically efficient algorithms and imple-mentations. We have demonstrated this for three classical network problems:Shortest Path, Minimum Mean Cycle and Minimum Cost Flow. However, ourcomputational experiments demonstrate that the price to pay for such securityis very high for the simplest problem (Shortest Path) and extremely penalizingfor the more complicated ones.

This research raises several questions for further work. A first one is whethertheoretically more efficient algorithms can be obtained for these problems. An-other one is related to the development of more efficient MPC platforms com-pared to the one we used for our computational experiments. Also one couldconsider other classical optimization problems. Obvious candidates are theMatching problem and Linear Programming. From a theoretical point of view,Linear Programming is probably more interesting as no fully combinatorial the-oretically efficient algorithm is known for this problem. The efficient algorithmsknown (i.e. interior point methods and the volume algorithm) require linearalgebra and it is not clear that they can be fully adapted to the general MPCconstrains we report on.

More complex applications are also possible, using our implementation asbuilding block, for instance: Imagine you have calculated the maximum flowof your network, and now want to obtain the configuration, equivalent to themaximal flow, at the minimal cost possible. As we estated, this can be achievedby using [13] to obtain the maximal flow, immediately followed by out MMCCprotocol described in 6.

References

[1] Yao, A.C.C.: Protocols for secure computations (extended abstract). In:23rd Annual Symposium on Foundations of Computer Science, IEEE (1982)160–164

[2] Shamir, A.: How to share a secret. Commun. ACM 22(11) (1979) 612–613

20

[3] Paillier, P.: Public-key cryptosystems based on composite degree residuos-ity classes. In: EUROCRYPT. (1999) 223–238

[4] Yao, A.C.: How to generate and exchange secrets. In: FOCS, IEEE (1986)162–167

[5] Goldreich, O., Micali, S., Wigderson, A.: How to play any mental gameor a completeness theorem for protocols with honest majority. In: STOC,ACM (1987) 218–229

[6] Lindell, Y.: Secure computation without agreement. In: Composition ofSecure Multi-Party Protocols. Volume 2815 of LNCS. Springer Berlin /Heidelberg (2003) 45–79

[7] Ben-David, A., Nisan, N., Pinkas, B.: Fairplaymp: a system for securemulti-party computation. In: CCS, ACM (2008) 257–266

[8] Burkhart, M., Strasser, M., Many, D., Dimitropoulos, X.: Sepia: privacy-preserving aggregation of multi-domain network events and statistics. In:Proceedings of the 19th USENIX conference on Security. USENIX Secu-rity’10, USENIX (2010)

[9] Damgard, I., Geisler, M., Krøigaard, M., Nielsen, J.: Asynchronous mul-tiparty computation: Theory and implementation. In Jarecki, S., Tsudik,G., eds.: Public Key Cryptography – PKC 2009. Volume 5443 of LectureNotes in Computer Science. Springer Berlin Heidelberg (2009) 160–179

[10] Bogetoft, P., Christensen, D., Damgard, I., Geisler, M., Jakobsen,T., Krøigaard, M., Nielsen, J., Nielsen, J., Nielsen, K., Pagter, J.,Schwartzbach, M., Toft, T.: Secure multiparty computation goes live.In Dingledine, R., Golle, P., eds.: Financial Cryptography and Data Secu-rity. Volume 5628 of Lecture Notes in Computer Science. Springer BerlinHeidelberg (2009) 325–343

[11] Damgard, I., Keller, M., Larraia, E., Pastro, V., Scholl, P., Smart, N.:Practical covertly secure mpc for dishonest majority – or breaking the spdzlimits. In Crampton, J., Jajodia, S., Mayes, K., eds.: Computer Security– ESORICS 2013. Volume 8134 of Lecture Notes in Computer Science.Springer Berlin Heidelberg (2013) 1–18

[12] Ahuja, R.K., Magnanti, T.L., Orlin, J.B.: Network Flows: Theory, Al-gorithms, and Applications. Prentice-Hall, Inc., Upper Saddle River, NJ,USA (1993)

[13] Aly, A., Cuvelier, E., Mawet, S., Pereira, O., Vyve, M.V.: Securely solvingsimple combinatorial graph problems. In: Financial Cryptography. (2013)239–257

[14] Geisler, M.: Cryptographic protocols: theory and implementation. PhDthesis, Aarhus University Denmark, Department of Computer Science(2010)

[15] Orlandi, C.: Lego and other cryptographic constructions. Technical report(2009)

21

[16] Toft, T.: Primitives and Applications for Multi-party Computation. PhDthesis, Department of Computer Science, Aarhus University (2007)

[17] Lipmaa, H., Toft, T.: Secure equality and greater-than tests with sublinearonline complexity. In: ICALP (2). (2013) 645–656

[18] Nishide, T., Ohta, K.: Multiparty computation for interval, equality, andcomparison without bit-decomposition protocol. In: Public Key Cryptog-raphy. (2007) 343–360

[19] Toft, T.: Secure data structures based on multi-party computation. In:PODC, ACM (2011) 291–292

[20] Catrina, O., de Hoogh, S.: Improved primitives for secure multipartyinteger computation. In: SCN. (2010) 182–199

[21] Goodrich, M.T.: Randomized shellsort: A simple data-oblivious sortingalgorithm. J. ACM 58(6) (December 2011) 27:1–27:26

[22] Jonsson, K.V., Kreitz, G., Uddin, M.: Secure multi-party sorting andapplications. IACR Cryptology ePrint Archive 2011 (2011) 122

[23] Hamada, K., Kikuchi, R., Ikarashi, D., Chida, K., Takahashi, K.: Prac-tically efficient multi-party sorting protocols from comparison sort algo-rithms. In: ICISC. (2012) 202–216

[24] Hamada, K., Ikarashi, D., Chida, K., Takahashi, K.: Oblivious radix sort:An efficient sorting algorithm for practical secure multi-party computation.IACR Cryptology ePrint Archive 2014 (2014) 121

[25] Goodrich, M.T.: Zig-zag sort: A simple deterministic data-oblivious sortingalgorithm running in o(n log n) time. In: Proceedings of the 46th AnnualACM Symposium on Theory of Computing. STOC ’14, New York, NY,USA, ACM (2014) 684–693

[26] Kruger, L., Jha, S., Goh, E.J., Boneh, D.: Secure function evaluation withordered binary decision diagrams. In: ACM CCS, ACM (2006) 410–420

[27] Barni, M., Failla, P., Kolesnikov, V., Lazzeretti, R., Sadeghi, A.R., Schnei-der, T.: Secure evaluation of private linear branching programs with med-ical applications. In: ESORICS. Volume 5789 of LNCS., Springer (2009)424–439

[28] Barni, M., Failla, P., Lazzeretti, R., Sadeghi, A.R., Schneider, T.: Privacy-preserving ECG classification with branching programs and neural net-works. IEEE TIFS 6(2) (June 2011) 452–468

[29] Launchbury, J., Diatchki, I.S., DuBuisson, T., Adams-Moran, A.: Efficientlookup-table protocol in secure multiparty computation. In: Proceedingsof the 17th ACM SIGPLAN International Conference on Functional Pro-gramming. ICFP ’12, New York, NY, USA, ACM (2012) 189–200

[30] Blanton, M., Steele, A., Alisagari, M.: Data-oblivious graph algorithmsfor secure computation and outsourcing. In: Proceedings of the 8th ACMSIGSAC Symposium on Information, Computer and Communications Se-curity. ASIA CCS ’13, New York, NY, USA, ACM (2013) 207–218

22

[31] Li, J., Atallah, M.J.: Secure and private collaborative linear programming.In: Collaborative Computing: Networking, Applications and Worksharing,2006. CollaborateCom 2006. International Conference on. (Nov 2006) 1–8

[32] Toft, T.: Solving linear programs using multiparty computation. In: Fi-nancial Cryptography. Volume 5628 of LNCS., Springer (2009) 90–107

[33] Catrina, O., de Hoogh, S.: Secure multiparty linear programming usingfixed-point arithmetic. In: ESORICS. (2010) 134–150

[34] Wang, X., Nayak, K., Liu, C., Shi, E., Stefanov, E., Huang, Y.: Obliviousdata structures. Cryptology ePrint Archive, Report 2014/185 (2014) http://eprint.iacr.org/.

[35] Lu, S., Ostrovsky, R.: Distributed oblivious ram for secure two-partycomputation. Cryptology ePrint Archive, Report 2011/384 (2011) http:

//eprint.iacr.org/.

[36] Gordon, S.D., Katz, J., Kolesnikov, V., Krell, F., Malkin, T., Raykova,M., Vahlis, Y.: Secure two-party computation in sublinear (amortized)time. In: Proceedings of the 2012 ACM Conference on Computer andCommunications Security. CCS ’12, New York, NY, USA, ACM (2012)513–524

[37] Liu, C., Huang, Y., Shi, E., Katz, J., Hicks, M.: Automating efficientram-model secure computation. In: 35th IEEE Symposium on Securityand Privacy. (2014)

[38] Keller, M., Scholl, P.: Efficient, oblivious data structures for mpc. IACRCryptology ePrint Archive 2014 (2014) 137

[39] Maurer, U.: Secure multi-party computation made simple. Discrete Ap-plied Mathematics 154(2) (2006) 370 – 381 Coding and Cryptography.

[40] Cramer, R., Damgard, I., Nielsen, J.: Multiparty computation from thresh-old homomorphic encryption. In Pfitzmann, B., ed.: Advances in Cryptol-ogy — EUROCRYPT 2001. Volume 2045 of Lecture Notes in ComputerScience. Springer Berlin Heidelberg (2001) 280–300

[41] Damgard, I., Pastro, V., Smart, N.P., Zakarias, S.: Multiparty computationfrom somewhat homomorphic encryption. In: CRYPTO. Volume 7417 ofLNCS., Springer (2012) 643–662

[42] Damgard, I., Nielsen, J.B.: Universally composable efficient multipartycomputation from threshold homomorphic encryption. In: CRYPTO. Vol-ume 2729 of LNCS., Springer (2003) 247–264

[43] Chaum, D., Crepeau, C., Damgard, I.: Multiparty unconditionally secureprotocols. In: STOC, ACM (1988) 11–19

[44] Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocolswith honest majority. In: Proceedings of the Twenty-first Annual ACMSymposium on Theory of Computing. STOC ’89, New York, NY, USA,ACM (1989) 73–85

23

[45] Damgard, I., Fitzi, M., Kiltz, E., Nielsen, J.B., Toft, T.: Unconditionallysecure constant-rounds multi-party computation for equality, comparison,bits and exponentiation. In: TCC. (2006) 285–304

[46] Brickell, J., Shmatikov, V.: Privacy-preserving graph algorithms in thesemi-honest model. In: ASIACRYPT. Volume 3788 of LNCS. Springer(2005) 236–252

[47] Lawler, Eugene L.: Optimal cycles in doubly weighted directed lineargraphs. Theory of Graphs International Symposium, Paris New York

[48] Lawler, E.L.: Optimal cycles in graphs and the minimal cost-to-time ratioproblem. In Marzollo, A., ed.: Periodic Optimization. Volume 135 of In-ternational Centre for Mechanical Sciences. Springer Vienna (1972) 37–60

[49] Dantzig, G., Blattner, W., Rao, R.: Finding a cycle in a graph withminimum cost to time ratio with application to a ship routing problem. In:Theory of Graphs, International Symposium. Gordon and Breach (1966)77–84

[50] Karp, R.M.: A characterization of the minimum cycle mean in a digraph.Discrete Mathematics 23(3) (1978) 309 – 311

[51] Goldberg, A.V., Tarjan, R.E.: Finding minimum-cost circulations by can-celing negative cycles. J. ACM 36(4) (October 1989) 873–886

[52] Wayne, K.D.: A polynomial combinatorial algorithm for generalized min-imum cost flow. In: Proceedings of the Thirty-first Annual ACM Sym-posium on Theory of Computing. STOC ’99, New York, NY, USA, ACM(1999) 11–18

[53] Klein, M.: A primal method for minimal cost flows with applications tothe assignment and transportation problems. Management Science 14(3)(1967) pp. 205–220

[54] Busacker, R., Saaty, T.: Finite graphs and networks: an introductionwith applications. International series in pure and applied mathematics.McGraw-Hill (1965)

[55] Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theoremsfor non-cryptographic fault-tolerant distributed computation. In: STOC,ACM (1988) 1–10

[56] Gennaro, R., Rabin, M.O., Rabin, T.: Simplified vss and fast-track multi-party computations with applications to threshold cryptography. In: Pro-ceedings of the Seventeenth Annual ACM Symposium on Principles of Dis-tributed Computing. PODC ’98, New York, NY, USA, ACM (1998) 101–111

24

Recent titles CORE Discussion Papers

2014/15 Federico GRIGIS DE STEFANO. Strategic stability of equilibria: the missing paragraph. 2014/16 Claudio TELHA and Mathieu VAN VYVE. Efficient approximation algorithms for the

economic lot-sizing in continuous time. 2014/17 Yukai YANG. Testing constancy of the error covariance matrix in vector models against

parametric alternatives using a spectral decomposition. 2014/18 Koen DECANCQ, Marc FLEURBAEY and Erik SCHOKKAERT. Inequality, income, and

well-being. 2014/19 Paul BELLEFLAMME and Martin PEITZ. Digital piracy: an update. 2014/20 Eva-Maria SCHOLZ. Licensing to vertically related markets. 2014/21 N. Baris VARDAR. Optimal energy transition and taxation of non-renewable resources. 2014/22 Benoît DECERF. Income poverty measures with relative poverty lines. 2014/23 Antoine DEDRY, Harun ONDER and Pierre PESTIEAU. Aging, social security design and

capital accumulation. 2014/24 Biung-Ghi JU and Juan D. MORENO-TERNERO. Fair allocation of disputed properties. 2014/25 Nguyen Thang DAO. From agriculture to manufacture: How does geography matter ? 2014/26 Xavier Y. WAUTHY. From Bertrand to Cournot via Kreps and Scheinkman: a hazardous

journey. 2014/27 Gustavo BERGANTIÑOS and Juan MORENO-TERNERO. The axiomatic approach to the

problem of sharing the revenue from bundled pricing. 2014/28 Jean HINDRIKS and Yukihiro NISHIMURA. International tax leadership among asymmetric

countries. 2014/29 Jean HINDRIKS and Yukihiro NISHIMURA. A note on equilibrium leadership in tax

competition models. 2014/30 Olivier BOS and Tom TRUYTS. Auctions with prestige motives. 2014/31 Juan D. MORENO-TERNERO and Lars P. ØSTERDAL . Normative foundations for equity-

sensitive population health evaluation functions. 2014/32 P. Jean-Jacques HERINGS, Ana MAULEON and Vincent VANNETELBOSCH. Stability of

networks under Level-K farsightedness. 2014/33 Lionel ARTIGE, Laurent CAVENAILE and Pierre PESTIEAU. The macroeconomics of PAYG

pension schemes in an aging society. 2014/34 Tanguy KEGELART and Mathieu VAN VYVE. A conic optimization approach for SKU

rationalization. 2014/35 Ulrike KORNEK, Kei LESSMANN and Henry TULKENS. Transferable and non transferable

utility implementations of coalitional stability in integrated assessment models. 2014/36 Ibrahim ABADA, Andreas EHRENMANN and Yves SMEERS. Endogenizing long-term

contracts in gas market models. 2014/37 Julio DAVILA. Output externalities on total factor productivity. 2014/38 Diane PIERRET. Systemic risk and the solvency-liquidity nexus of banks. 2014/39 Paul BELLEFLAMME and Julien JACQMIN. An economic appraisal of MOOC platforms:

business models and impacts on higher education. 2014/40 Marie-Louise LEROUX, Pierre PESTIEAU and Grégory PONTHIERE. Longévité

différentielle et redistribution: enjeux théoriques et empiriques. 2014/41 Chiara CANTA, Pierre PESTIEAU and Emmanuel THIBAULT. Long term care and capital

accumulation: the impact of the State, the market and the family. 2014/42 Gilles GRANDJEAN, Marco MANTOVANI, Ana MAULEON and Vincent

VANNETELBOSCH. Whom are you talking with ? An experiment on credibility and communication structure.

2014/43 Julio DAVILA. The rationality of expectations formation. 2014/44 Florian MAYNERIS, Sandra PONCET and Tao ZHANG. The cleaning effect of minimum

wages. Minimum wages, firm dynamics and aggregate productivity in China.

Recent titles CORE Discussion Papers - continued

2014/45 Thierry BRECHET, Natali HRITONENKOVA and Yuri YATSENKO. Domestic

environmental policy and international cooperation for global commons. 2014/46 Mathieu PARENTI, Philip USHCHEV and Jacques-François THISSE. Toward a theory of

monopolistic competition. 2014/47 Takatoshi TABUCHI, Jacques-François THISSE and Xiwei ZHU. Does technological progress

affect the location of economic activity? 2014/48 Paul CASTANEDA DOWER, Victor GINSBURGH and Shlomo WEBER. Colonial legacy,

linguistic disenfranchisement and the civil conflict in Sri Lanka. 2014/49 Victor GINSBURGH, Jacques MELITZ and Farid TOUBAL. Foreign language learnings: An

econometric analysis. 2014/50 Koen DECANCQ and Dirk NEUMANN. Does the choice of well-being measure matter

empirically? An illustration with German data. 2014/51 François MANIQUET. Social ordering functions. 2014/52 Ivar EKELAND and Maurice QUEYRANNE. Optimal pits and optimal transportation. 2014/53 Luc BAUWENS, Manuela BRAIONE and Giuseppe STORTI. Forecasting comparison of long

term component dynamic models for realized covariance matrices. 2014/54 François MANIQUET and Philippe MONGIN. Judgment aggregation theory can entail new

social choice results. 2014/55 Pasquale AVELLA, Maurizio BOCCIA and Laurence A. WOLSEY. Single-period cutting

planes for inventory routing problems. 2014/56 Jean-Pierre FLORENS and Sébastien VAN BELLEGEM. Instrumental variable estimation in

functional linear models. 2014/57 Abdelrahaman ALY and Mathieu VAN VYVE. Securely solving classical network flow

problems. Books

V. GINSBURGH and S. WEBER (2011), How many languages make sense? The economics of linguistic

diversity. Princeton University Press. I. THOMAS, D. VANNESTE and X. QUERRIAU (2011), Atlas de Belgique – Tome 4 Habitat. Academia

Press. W. GAERTNER and E. SCHOKKAERT (2012), Empirical social choice. Cambridge University Press. L. BAUWENS, Ch. HAFNER and S. LAURENT (2012), Handbook of volatility models and their

applications. Wiley. J-C. PRAGER and J. THISSE (2012), Economic geography and the unequal development of regions.

Routledge. M. FLEURBAEY and F. MANIQUET (2012), Equality of opportunity: the economics of responsibility.

World Scientific. J. HINDRIKS (2012), Gestion publique. De Boeck. M. FUJITA and J.F. THISSE (2013), Economics of agglomeration: cities, industrial location, and

globalization. (2nd edition). Cambridge University Press. J. HINDRIKS and G.D. MYLES (2013). Intermediate public economics. (2nd edition). MIT Press. J. HINDRIKS, G.D. MYLES and N. HASHIMZADE (2013). Solutions manual to accompany intermediate

public economics. (2nd edition). MIT Press.

CORE Lecture Series R. AMIR (2002), Supermodularity and complementarity in economics. R. WEISMANTEL (2006), Lectures on mixed nonlinear programming. A. SHAPIRO (2010), Stochastic programming: modeling and theory.