Conference: IEEE Canadian Conference on Electrical and Computer Engineering

An efficient solution to the socialist millionaires' problem


Abstract

We present a two-round protocol to solve the socialist millionaires' problem based on the homomorphic property of the Goldwasser-Micali (GM) cryptosystem. We require the proposed protocol to be secure against active and passive attacks. However, homomorphic encryption schemes are malleable by design [14][1]. To tackle this problem we apply an authenticated encryption scheme, called Encrypt-then-MAC, to our protocol [3]. We analyze the security of the proposed protocol, and we show that an active adversary, who has access to the ciphertext on the communication channel and to the decryption oracle, cannot forge another ciphertext that would let him guess the plaintext (IND-CCA2 security). Moreover, the active adversary cannot modify the ciphertext so as to produce a desired modification of the plaintext that affects the outcome of the protocol (NM-CCA2 security). Note that our solution can be applied to other problems which are solvable with an exclusive-or homomorphic property.
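The malleability the abstract refers to, and the effect of wrapping GM ciphertexts in Encrypt-then-MAC, can be seen in the following added example. It is not the paper's protocol or code: the function names, the toy modulus built from two Mersenne primes, and the pre-shared HMAC key are all assumptions made for illustration.

```python
import hmac, hashlib, secrets
from math import gcd

# Constructed toy parameters (far too small for real use): both primes are
# 3 mod 4, so X = N - 1 is a quadratic non-residue modulo P and modulo Q.
P, Q = 2**61 - 1, 2**89 - 1
N, X = P * Q, P * Q - 1

def gm_encrypt_bit(bit):
    """GM encryption of one bit: c = y^2 * X^bit mod N for a random y."""
    while True:
        y = secrets.randbelow(N - 2) + 2
        if gcd(y, N) == 1:
            return (y * y * pow(X, bit, N)) % N

def gm_decrypt_bit(c):
    """c is a quadratic residue mod P exactly when the bit is 0 (Euler's criterion)."""
    return 0 if pow(c, (P - 1) // 2, P) == 1 else 1

def encrypt(bits):
    return [gm_encrypt_bit(b) for b in bits]

def decrypt(cts):
    return [gm_decrypt_bit(c) for c in cts]

def xor_ciphertexts(a, b):
    """Homomorphic property: multiplying ciphertexts XORs the plaintext bits."""
    return [(ca * cb) % N for ca, cb in zip(a, b)]

def flip_bit(cts, i):
    """Malleability: the public value X alone is enough to flip plaintext bit i."""
    out = list(cts)
    out[i] = (out[i] * X) % N
    return out

def _encode(cts):
    return b"".join(c.to_bytes(32, "big") for c in cts)

def seal(bits, mac_key):
    """Encrypt-then-MAC: HMAC-SHA256 computed over the ciphertext and sent with it."""
    cts = encrypt(bits)
    return cts, hmac.new(mac_key, _encode(cts), hashlib.sha256).digest()

def open_sealed(cts, tag, mac_key):
    """Verify the tag before decrypting; return None if the ciphertext was altered."""
    expected = hmac.new(mac_key, _encode(cts), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(cts)
```

Without the tag, the flipped ciphertext decrypts cleanly to the altered bit string; with the tag checked first, the receiver rejects it before any decryption takes place.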
