Achieving Private Veriﬁcation in Multi-stakeholder Environment and

Application to Stable Matching

Toru Nakamura

a

, Hiroki Okada

b

, Kazuhide Fukushima and Takamasa Isohara

KDDI Research, Inc., 2-1-15, Ohara, Fujimino-shi, Saitama-ken, Japan

Keywords:

Veriﬁcation, Privacy, Multi-Stakeholder Environment.

Abstract:

Services to support decision-making, such as resource allocation and recommendations, are becoming pop-

ular and essential. This paper focuses on two-sided matching as a form of decision-making support. The

stable marriage problem has been thoroughly studied as an exciting research topic related to two-sided match-

ing. Stability is a property in which there is no man and woman who would agree to leave their assigned

partner, and this property is recognized as an ideal condition for participants. This paper assumes a system

where participants provide their preference orders to an assignee, and the assignee provides them with a stable

matching. When considering a multi-stakeholder environment, not only the participants’ requirements but also

the assignee’s intention should be respected. That is, the assignee should be given the discretion to select the

matching which is the best for the assignee among all the stable matchings. However, there is a possibility that

if the assignee is malicious, he/she falsiﬁes and provides an unstable matching in order to maximize his/her

beneﬁt with ignoring the participants’ requirements. It is difﬁcult for the participants to detect it if they want

to keep their preference orders secret from others. This paper proposes a solution of protocol including a

private veriﬁcation algorithm to judge whether the received matching is stable while keeping their preference

orders private. The proposed protocol is based on fully homomorphic encryption (FHE) and assumes the use

of a semi-honest third-party server. This paper also proposes a general solution that does not limit to speciﬁc

requirements from participants.

1 INTRODUCTION

Services to support decision-making, such as resource

allocation and recommendation, are becoming popu-

lar and essential. The stable marriage problem (Gale

and Shapley, 1962) has been throughly studied as a re-

search topic related to decision-making. Informally,

a stable matching is a one-to-one pairing of a set

of men to a set of women, containing no man and

woman who would agree to leave their assigned part-

ners. This paper assumes a system where participants

provide preference orders to an assignee, and the as-

signee provides a stable matching. When discussing

stable matching, we only discuss whether the partici-

pants’ requirements are satisﬁed while never consid-

ering the intention of the assignee. On the other hand,

in the context of the recommendation system, discus-

sion has begun on the multi-stakeholder environment,

where not only end-users’ requirements but also those

of other stakeholders such as item providers and sys-

a

https://orcid.org/0000-0003-2530-648X

b

https://orcid.org/0000-0002-5687-620X

tem operators are considered (Abdollahpouri et al.,

2020). In this paper, we discuss the issues involved

in providing stable matchings in the multi-stakeholder

environment.

For example, efﬁcient, stable matching algorithms

are used to assign graduating medical students to resi-

dency programs at hospitals in the real-world

1

. In this

case, participants, that is, students and hospitals, pro-

vide their preference orders to an assignee and expect

to receive a stable matching which is decided based

on their preference orders. Here, the assignee may

have another motivation beyond just providing a sta-

ble matching, for example, solving the issue of how to

reduce labor shortages in rural areas. When respect-

ing the assignee’s motivation, an assignee should be

given the discretion to select the matching which is

the best for the assignee among all the stable match-

ings. However, there is a possibility that if the as-

signee is malicious, he/she falsiﬁes and provides an

unstable matching in order to maximize his/her own

1

National Resident Matching Program (NRMP).

http://www.nrmp.org/

768

Nakamura, T., Okada, H., Fukushima, K. and Isohara, T.

Achieving Private Veriﬁcation in Multi-stakeholder Environment and Application to Stable Matching.

DOI: 10.5220/0011995800003467

In Proceedings of the 25th International Conference on Enterprise Information Systems (ICEIS 2023) - Volume 1, pages 768-775

ISBN: 978-989-758-648-4; ISSN: 2184-4992

Copyright

c

2023 by SCITEPRESS – Science and Technology Publications, Lda. Under CC license (CC BY-NC-ND 4.0)

beneﬁt. Though participants can easily detect such

falsiﬁcation if they can share their preference order, it

may be difﬁcult because of privacy concerns.

There is existing work on private stable matching

algorithms, ﬁrst introduced by Golle (Golle, 2006),

based on the Gale-Shapley algorithm with secure

multiparty computation (MPC). These proposals can

achieve participants’ privacy from other participants

and matching authorities. There is no assignee in this

setting; participants and matching authorities collabo-

rate to execute pre-deﬁned matching algorithms such

as the Gale-Shapley algorithm. However, this setting

may be unrealistic in a business context; naturally, an

assignee would seek beneﬁt commensurate with the

effort of attracting participants to the matching ser-

vice.

1.1 Contributions

The contribution of this paper is to propose a protocol

that satisﬁes the following requirements. More gener-

ally, we will use “user,” “private input,” and “server”

instead of “participant,” “preference order,” and ”as-

signee,” respectively, in the rest of the paper.

1. Veriﬁability: Users can accept a result obtained

from the server if and only if the result satisﬁes

the users’ requirements.

2. Privacy: The adversary can not obtain any infor-

mation about the private inputs of the users.

3. Selectability: The server can freely choose a re-

sult from among all the results candidates.

We propose a protocol that satisﬁes the three re-

quirements, veriﬁability, privacy, and selectability,

with a semi-honest third-party server, called a veri-

ﬁer and fully homomorphic encryption (FHE). FHE

is cryptography that allows the operation of any func-

tions for encrypted data. We ﬁrst show a general con-

struction of this protocol which does not limit speciﬁc

requirements from users but assumes that the veriﬁ-

cation algorithm of the requirement is available on

FHE. Furthermore, we show a speciﬁc implementa-

tion of an FHE-based veriﬁcation algorithm for two-

sided matching that checks whether matching is stable

while users’ private inputs kept secret.

Note that we do not consider the server to be an

adversary to privacy requirements in this paper; there-

fore, we do not regard the server knowing the private

inputs of the users as a privacy issue. Even if we can

exclude the server as a potential adversary of the pri-

vacy requirement, it is still worth discussing even in

this problem setting because no simple solution satis-

ﬁes all of the above requirements.

HEREHEREHERE

1.2 Organization

The remainder of the paper is organized as follows.

Section 2 describes the existing work related to this

paper. Section 3 provides the mathematical model

for our protocol and deﬁnes the requirements of the

protocol. Section 4 describes the proposed general

construction of the protocol. Section 5 provides the

speciﬁc implementation of our solution for the stable

matching problem. Section 6 presents the discussion,

and Section 7 concludes this paper.

2 RELATED WORK

Homomorphic encryption (HE) is a type of cryptog-

raphy that allows a third party (e.g., cloud service

provider) to perform some mathematical operations

on encrypted data without compromising the encryp-

tion (Acar et al., 2018). In particular, fully homomor-

phic encryption (FHE), which can perform arbitrary

operations an arbitrary number of times, has been ac-

tively studied. Its practicality has been improved sig-

niﬁcantly since Gentry (Gentry, 2009) ﬁrst proposed

FHE. In this paper, we propose methods based on

FHE.

Veriﬁable computation is a method that enables a

user to ofﬂoad the computation of a function π to an-

other untrusted party. The user can verify whether the

received result is truly π(x) at a lower cost than exe-

cuting π(x) by the user himself (Parno et al., 2013).

However, this technique cannot solve the issue ad-

dressed in this paper because users cannot know π in

advance to realize selectability.

The stable marriage problem is a well-known

problem; informally, a stable matching is a one-to-

one pairing of a set of men to a set of women,

containing no man and woman who would agree to

leave their assigned partners. Gale and Shapley pro-

posed an efﬁcient algorithm to ﬁnd male-dominated

(or female-dominated) stable matching (Gale and

Shapley, 1962). Golle proposed the ﬁrst private sta-

ble matching algorithm based on the Gale-Shapley

algorithm, where if a majority of matching authori-

ties are honest, the protocol correctly outputs a stable

matching and reveals no other information than what

can be learned from that match and the preferences

of participants controlled by the adversary (Golle,

2006). Franklin et al. pointed out that Golle’s al-

gorithm includes a failure in the communication cost

and proposed a modiﬁed version of the algorithm

based on threshold additive homomorphic encryp-

tion (TAHE) and secret sharing (SS) (Franklin et al.,

2007). Franklin et al. also proposed two more ef-

Achieving Private Veriﬁcation in Multi-stakeholder Environment and Application to Stable Matching

769

fective algorithms; one is based on private informa-

tion retrieval (PIR) in addition to TAHE and SS, and

the other is based on secure multiparty computation

(MPC) and the Naor-Nissim protocol. Teruya and

Sakuma proposed a more effective algorithm based

solely on TAHE (Teruya and Sakuma, 2015). Doerner

et al. (Doerner et al., 2016) and Riazi et al. (Riazi

et al., 2017) proposed practical private stable match-

ing with Oblivious RAM (ORAM). This technique is

effective if the algorithm to ﬁnd a speciﬁc matching is

determined in advance without considering the exis-

tence of a server that manages participants. However,

this technique is not suitable for the problem setting

of this paper because the requirement in this paper is

selectivity, which guarantees the freedom to choose

among the matches that satisfy stability for the server.

3 MODEL AND REQUIREMENTS

In this section, we deﬁne the mathematical model and

the requirements for the discussion in this paper. In

addition, the issues of existing methods are summa-

rized from the above viewpoints. The mathematical

model assumes applications that can calculate results

from only user inputs.

3.1 Model

Let n be the number of users. Each user has his/her

private inputs x

1

,... x

n

, respectively, where user i’s in-

put is x

i

∈ X. We assume that the users require a server

S to provide a result y ∈ Y for inputs x

1

,. .. ,x

n

that sat-

isﬁes a requirement L, where Y is the set of possible

ranges of y. L can be represented by L ⊆ X ×···×X ×

Y , that is, the requirement of users is to get a result y

such that (x

1

,. .. x

n

,y) ∈ L. We assume that a server

S chooses and provides y to the users. The server is

expected to return y such that (x

1

,. .. ,x

n

,y) ∈ L from

the users; however, if the server is malicious, it may

choose y

0

that is (x

1

,. .. ,x

n

,y

0

) /∈ L.

Users communicate and execute a protocol with

the server, and in some cases a third-party server, and

obtain a result from the server. We assume that there

exists an efﬁcient veriﬁcation algorithm V , that out-

puts 1 if (x

1

,. .. ,x

n

,y) ∈ L, otherwise, outputs 0.

3.2 Requirements

We show the requirements of our proposed protocol

as follows.

1. Veriﬁability: the users can accept the result

y for private inputs x

1

,. .. x

n

if and only if

(x

1

,. .. x

n

,y) ∈ L.

2. Privacy: the protocol reveals no information about

users’ private inputs to the adversary.

3. Selectability: The server S can choose any y ∈ Y .

In other words, server S does not need to ﬁx the

algorithm to be executed in advance.

In this paper, we do not consider the server as

an adversary for privacy requirements; therefore, the

server is allowed to know the private inputs of users,

i.e., we do not regard that as a privacy issue. In the

next section, we will propose a protocol with an ad-

ditional third-party veriﬁcation server, called veriﬁer.

Therefore, it is necessary to regard the other users and

the veriﬁer as potential adversaries for the privacy re-

quirement in this case. We also consider the assumed

adversaries as semi-honest (passive) adversaries. This

setting is not designed to achieve the most desirable

level of privacy, that is, this is a weaker assumption

than that of a malicious (active) adversary. Neverthe-

less, this study is still worthwhile because the semi-

honest adversary model is generally considered a rea-

sonable assumption. The most important point of this

paper is to discuss protocols that simultaneously real-

ize veriﬁability, privacy, and selectability. Achieving

stricter privacy requirements will be subject of our fu-

ture work.

3.3 Issues of Naive Methods

In this section, we introduce two naive protocols that

do not require any novelty without the assumption of

a secure communication channel, and describe their

issues.

3.3.1 Naive 1: Not Shared among Users

STEP 1. Each user i sends x

i

∈ X to the server S via

a secure channel.

STEP 2. S selects any y ∈ Y and sends it to each user.

STEP 3. Each user accepts y.

The naive 1 method satisﬁes privacy and selectability,

however, it does not satisfy veriﬁability because the

users accept any y even if (x

1

,. .. x

n

,y) /∈ L.

3.3.2 Naive 2: Shared among Users

STEP 1. Each user i sends x

i

∈ X to the server S via

a secure channel.

STEP 2. S selects any y satisfying (x

1

,. .. x

n

,y) ∈ L

and sends it to each user.

STEP 3. Each user i shares x

i

with other users and

executes r ← V (x

1

,. .. x

n

,y). i accepts y if

r = 1, otherwise, rejects y.

ICEIS 2023 - 25th International Conference on Enterprise Information Systems

770

The naive 2 method satisﬁes veriﬁability and se-

lectability, however, it does not satisfy privacy be-

cause the users share their private inputs.

4 GENERAL CONSTRUCTION

In this section, we show the general construction of a

protocol that simultaneously satisﬁes veriﬁability, pri-

vacy, and selectivity with a semi-honest veriﬁer and

FHE. The general construction does not limit any spe-

ciﬁc requirement from users but assumes that the ver-

iﬁcation algorithm of the requirement is available on

FHE.

4.1 Fully Homomorphic Encryption

(FHE)

FHE can perform arbitrary operations for an arbi-

trary number of times, We show the deﬁnition of FHE

(Brakerski and Vaikuntanathan, 2011)(Acar et al.,

2018) as follows.

Deﬁnition 1. Fully Homomorphic En-

cryption FHE is a quintet of algorithms

(Setup,Keygen, Enc,Dec, Eval) which satisﬁes

authenticity, compactness, and security.

• Setup params ← Setup(1

λ

): outputs a public pa-

rameter param.

• Key Generation (pk,sk) ← Keygen(param): out-

puts public encryption key pk and secret decryp-

tion key sk.

• Encryption c ← Enc(pk, µ): encrypts a message

µ ∈ {0, 1} with pk and outputs a cyphertext c.

• Decryption µ ← Dec(sk, c): decrypts cyphertext

c with sk and outputs µ.

• Homomorphic Evaluation ˆc ←

Eval(C ,(c

1

,. .. c

`

),pk): computes any circuit

C : {0,1}

`

→ {0,1} to c

1

,. .. c

`

with pk and

outputs ˆc.

Authenticity is the property that any ciphertext

obtained by the encryption algorithm and the homo-

morphic evaluation algorithm can be decrypted cor-

rectly. Compactness is the property that the size of

a ciphertext after homomorphic evaluation does not

depend on the size of the circuit in which an op-

eration is performed. Security is the property that

the attack success rate is negligibly small for any

given attacker. See (Brakerski and Vaikuntanathan,

2011)(Acar et al., 2018) for the details of deﬁnitions.

Obviously, it is possible to construct a fully homo-

morphic encryption for any algorithm, if it is possible

to homomorphically compute any circuit.

Therefore, we redeﬁne the FHE as follows. Here-

inafter, when we refer to the FHE, the following deﬁ-

nition will be applied.

Deﬁnition 2. Fully Homomorphic En-

cryption FHE is a quintet of algorithms

(Setup,Keygen, Enc,Dec, Eval) which satisﬁes

authenticity, compactness, and security.

• Setup params ← Setup(1

λ

): outputs a public pa-

rameter param.

• Key Generation (pk,sk) ← Keygen(param): out-

puts public encryption key pk and secret decryp-

tion key sk.

• Encryption c ← Enc(pk, µ): encrypts a message

µ ∈ X with pk and outputs a cyphertext c.

• Decryption µ ← Dec(sk, c): decrypts cyphertext

c with sk and outputs µ.

• Homomorphic Evaluation ˆc ←

Eval(A,(c

1

,. .. c

n

),d,pk): computes any al-

gorithm A : X × ··· × X × Y → {0, 1} with

ciphertexts c

1

,. .. c

n

, and d, and public encryption

key pk and outputs ˆc.

If for 1 ≤ i ≤ n, c

1

i

← Enc(pk, x

i

), c

2

←

Enc(pk, y), ˆc ← Eval(A,(c

1

1

,. .. c

1

n

),c

2

,pk), then

Dec(sk, ˆc) = A((x

1

,. .. x

n

),y) from the property of au-

thenticity.

4.2 Proposed FHE-based Protocol

Here, we show a protocol which satisﬁes all the re-

quirements in the general setting. We assume that

there exists a veriﬁcation algorithm V that outputs 1

if (x

1

,. .. ,x

n

,y) ∈ L, otherwise, outputs 0, and the ho-

momorphic evaluation algorithm on V is available.

STEP 1. Let i ∈ {1,...n} be the representative of

users. i executes Setup(1

λ

), obtains param,

and publishes it.

STEP 2. i executes Keygen(param) and obtains

(pk,sk). i publishes pk and distributes sk

to all users.

STEP 3. Each user i sends x

i

∈ X to the server S via

a secure channel.

STEP 4. S selects any y ∈ Y and sends it to each user.

STEP 5. Each user i sends c

1

i

← Enc(pk, x

i

) and y

(practically all it takes is one user (e.g. i)

sends c

2

← Enc(pk, y)) to the veriﬁer D via

a secure communication channel.

STEP 6. D executes r

0

← Eval(V, (c

1

,. .. ,c

n

),c

2

,pk)

and sends r

0

to each user.

STEP 7. Each user i executes r ← Dec(r

0

,sk) and i

accepts y if r = 1, otherwise, i rejects y.

Achieving Private Veriﬁcation in Multi-stakeholder Environment and Application to Stable Matching

771

Veriﬁability is achieved because each user can ob-

tain r = V (x

1

,. .. ,x

n

,y) by the property of authenticity

in FHE. Selectivity is achieved because S can select

any y ∈Y . Regarding privacy, as mentioned in the pre-

vious section, we assume that the adversary is semi-

honest, that is, passive, hence what the adversary can

obtain is at most pk,{c

1

1

,. .. ,c

1

n

},c

2

. The adversary

can not obtain any information from this because of

the property of security in FHE.

5 APPLICATION TO STABLE

MATCHING

In this section, we show a speciﬁc implementation of

a protocol including an FHE-based veriﬁcation algo-

rithm for stable matching. Although FHE can theo-

retically be used to compute any algorithms with en-

crypted data, the implementation methods are non-

trivial. We focus on the case of the stable matching

and discuss the method for implementing the veriﬁ-

cation algorithm on FHE and its efﬁciency.

5.1 Deﬁnition of Stable Matching

The stable marriage problem is well known as the

problem of ﬁnding stable matching, as shown in (Gale

and Shapley, 1962). Informally, a stable matching is a

one-to-one pairing of a set of men to a set of women,

containing no man and woman who would agree to

leave their assigned partners.

An instance of a matching consists of two disjoint

sets where the number of elements is n, and set M is

men and the set W is women. Each person has a strict

total order, called the preference order, on members

on the other side. A matching M is a pair of M and

W , that is, M ⊆ M ×W . If (m,w) ∈ M , we denote

M (m) = w,M (w) = m. The rank of w in m’s pref-

erence order is denoted by P

m

(w), and it is called w’

preference rank in m. In the same way, m’ preference

rank in w is denoted by P

w

(m). If a person p prefers

a to b in an instance I , we denote a

p

b in I .

Deﬁnition 3. Given a matching M , a pair of a man

and a woman (m,w) is a blocking pair for M if all

the following conditions are met;

1. (m

0

,w

0

) ∈ M and m

0

∈ M,w

0

∈ W ,

2. w

0

m

0

M (m

0

),

3. m

0

w

0

M (w

0

).

Deﬁnition 4. A matching M is stable if M has no

blocking pair.

5.2 Stability Checking Algorithm

Various studies have been conducted on algorithms to

ﬁnd stable matching. Gale and Shapley proved that

at least one stable matching exists for all instances

and gave an efﬁcient algorithm to ﬁnd a stable match-

ing (Gale and Shapley, 1962). Gale-Shapley’s algo-

rithm is called the man-optimal algorithm because ev-

ery man has the best partner he can have in any sta-

ble matching, but every woman has the worst part-

ner. If applied with the roles of men and women re-

versed, the algorithm serves as the woman-optimal

algorithm. Algorithms for ﬁnding stable matching

based on optimizations different from that of Gale-

Shapley’s one have also been studied, such as egali-

tarian stable matching, minimum regret stable match-

ing (Irving et al., 1987), and sex-equal stable match-

ing (Kato, 1993).

On the other hand, to the best of our knowldege,

few studies have been conducted on stability check-

ing algorithms. A simple and efﬁcient (O(n

2

)) sta-

bility checking algorithm (shown in Algorithm 1) is

described in (Gusﬁeld and Irving, 1989); hence we

construct the implementation of our protocol based

on this algorithm.

Algorithm 1: Standard stability checking algorithm.

1: for m ← 1 to n do

2: for each w such that m prefers w to M (m) do

3: if w prefers to m to M (w) then

4: return 0

5: break

6: end if

7: end for

8: end for

9: return 1

A critical issue with implementing FHE is that

the results of conditional expressions in conditional

branchings cannot be known. Therefore, the stability

checking algorithm is modiﬁed not to use any condi-

tional branchings in our implementation.

5.3 Speciﬁc Implementation

Some open-source software libraries implement ho-

momorphic encryption such as HElib

2

. Such libraries

provide essential functions for homomorphic evalua-

tions. We provide a speciﬁc implementation of the

stability checking algorithm with the essential func-

tions from libraries such as HElib. The essential

2

HElib Documentation, https://homenc.github.io/

HElib/

ICEIS 2023 - 25th International Conference on Enterprise Information Systems

772

functions which are used for our implementation are

shown as follows.

1. Addition of two integers: ADD(x,y) outputs x+y,

where x and y are integers.

2. Multiplication of an integer and a bit: MULT(x,y)

outputs x if y = 1, otherwise outputs 0, where x is

an integer, y is a bit.

3. Comparison of two integers: COMP(x, y) outputs

1 if x < y, otherwise outputs 0, where x and y are

integers.

4. AND of two bits

5. OR of two bits

6. NOT of a bit

In order to execute our protocol, some prelim-

inary steps are required. First, the users’ pri-

vate inputs, which in this case are preference or-

ders, are converted to lists of preference ranks.

That is, m

i

’s list can be denoted by L

m

i

=

(P

m

i

(w

1

),P

m

i

(w

2

),. .. ,P

m

i

(w

n

)) and w

i

’s list can be

denoted by L

w

i

= (P

w

i

(m

1

),P

w

i

(m

2

),. .. ,P

w

i

(m

n

)).

The private inputs of the list are encrypted element-

by-element of the list, that is, the cyphertext from m

i

to the veriﬁer is c

m

i

= (c

m

i,1

,c

m

i,2

,. .. c

m

i,n

), where c

m

i, j

←

Enc(pk,P

m

i

(w

j

)).

The matching result y sent to the veriﬁer is repre-

sented by a pair (y

m

,y

w

) of lists of one-hot-vectors. If

the partner of m

i

is w

j

(that is, M (m

i

) = w

j

), let y

m

i

be a n-bit strings where j th bit y

m

i

[ j] is only 1 and

all the others 0. In the same way, if M (w

i

) = m

j

, let

y

w

i

be a n-bit strings where j th bit y

w

i

[ j] is only 1 and

all the others 0. This may seem redundant since y

w

is

just a permutation of y

m

; however, it is necessary to

construct our protocols using FHE.

We describe the algorithm that can return the

same result as the stability checking algorithm by

only ADD,MULT,COMP,AND,OR,NOT in Algo-

rithm 2.

The computation cost of this algorithm is O(n

2

).

5.4 Example

We show an example for a proof sketch of the

proposed algorithm. Let n = 4. Each member’s

preference order is shown in Figure 1. Let M =

{(m

1

,w

3

),(m

2

,w

1

),(m

3

,w

2

),(m

4

,w

4

)}. In this case,

this matching is not stable because (m

1

,w

2

) is block-

ing pair as shown in Figure 2.

In our protocol, the preference orders are

converted to the lists of preference ranks

shown in Figure 3. M is represented by y

m

=

((0,0, 1,0), (1,0,0,0),(0,1,0,0),(0,0,0,1)) and

y

w

= ((0,1, 0,0),(0,0,1,0),(1,0,0,0),(0,0,0,1)).

Algorithm 2: Stability checking algorithm for FHE.

1: r = 0

2: for i ← 1 to n do

3: s

m

= 0

4: s

w

= 0

5: for j ← 1 to n do

6: u

m

= MULT(P

m

i

(w

j

),y

m

i

[ j])

7: s

m

= ADD(s

m

,u)

8: u

w

= MULT(P

w

i

(m

j

),y

w

i

[ j])

9: s

w

= ADD(s

w

,u)

10: end for

11: for j ← 1 to n do

12: e

m

i, j

← COMP(P

m

i

(w

j

),s

m

)

13: e

w

i, j

← COMP(P

w

i

(m

j

),s

w

)

14: end for

15: end for

16: for i ← 1 to n do

17: for j ← 1 to n do

18: t

i, j

← AND (e

m

i, j

,e

w

j,i

)

19: r ← OR(r,t

i, j

)

20: end for

21: end for

22: r = NOT(r)

23: return r

ϭ Ϯ ϯ ϰ ϭ Ϯ ϯ ϰ

Figure 1: An example of preference orders.

The ranks of the pair of each member can be calcu-

lated by multiplication and addition of the preference

ranks and y

m

,y

w

. For example, for m

1

, his preference

rank is (3,1, 2,4) and his pair is w

3

(represented by

(0,0, 1,0)). w

3

’s rank of m

1

’s preference order is

3 · 0 +1 · 0 + 2 · 1 + 4 · 0 = 2.

Next, the ranks of each member in his/her pref-

erence list are compared with the preference rank of

his/her pair. If a rank is smaller than the rank of the

pair, 1 is assigned, otherwise, 0 is assigned as shown

in Figure 4. Here, 1 means a member who is preferred

to the current pair.

Finally, AND function between each row of the

left table and each column of the right table is calcu-

lated as shown in Figure 5. Here, 1 means a blocking

pair. Therefore, the matching is stable if all the ele-

ments of the table are 0, otherwise, it is not stable.

Achieving Private Veriﬁcation in Multi-stakeholder Environment and Application to Stable Matching

773

ϭ Ϯ ϯ ϰ ϭ Ϯ ϯ ϰ

ůŽĐŬŝŶŐ

WĂŝƌ

Figure 2: A blocking pair of the example.

ϯ ϭ Ϯ ϰ

ϯ ϰ Ϯ ϭ

ϯ Ϯ ϰ ϭ

ϰ ϯ Ϯ ϭ

Ϯ ϭ ϯ ϰ

ϭ ϰ Ϯ ϯ

ϭ Ϯ ϰ ϯ

ϰ ϯ Ϯ ϭ

Figure 3: Preference ranks.

6 DISCUSSION

The proposed method assumes the use of a semi-

honest veriﬁer. Future directions include (1) the mod-

iﬁcation of the methods without the veriﬁer and (2)

the modiﬁcation for stricter assumptions of an adver-

sary such as a malicious adversary. For the methods

without the veriﬁer, constructing an MPC-based veri-

ﬁcation algorithm may be a promising direction.

Sharing FHE private keys among users can be a

privacy risk; hence it is better to be able to use in-

dividual keys. Multi-key FHE or Secure Multiparty

Computation (MPC) (Ohata, 2020) may be a potential

solution for this issue; however, it requires all users to

participate in the veriﬁcation calculation.

We have shown that the computational complex-

ity of our proposed algorithm is O(n

2

). On the other

hand, the number of bits handled and the depth of

operations also affect the computational cost in the

implementation using FHE. We will implement and

evaluate our protocol and optimize it as future work.

In this paper, we limit the target of the mathemat-

ical model to applications that can calculate results

solely from users’ inputs such as matchings. We will

discuss the FHE implementation of the veriﬁcation al-

gorithm for a different problem from matching and

the extension for more complex models where param-

eters other than user inputs affect the results.

7 CONCLUSION

In this paper, we focused on a system where partici-

pants provided preference orders to an assignee, and

the assignee provided a stable matching. When con-

sidering a multi-stakeholder environment, not only

the participants’ requirements but also the assignee’s

intention should be respected, that is, the assignee

should be given the discretion to select the match-

Ϭ ϭ Ϭ Ϭ

Ϭ Ϭ ϭ ϭ

Ϭ Ϭ Ϭ ϭ

Ϭ Ϭ Ϭ Ϭ

Ϭ Ϭ Ϭ Ϭ

ϭ Ϭ Ϭ Ϭ

Ϭ Ϭ Ϭ Ϭ

Ϭ Ϭ Ϭ Ϭ

Figure 4: Comparison with the current pair.

Ϭ ϭ Ϭ Ϭ

Ϭ Ϭ Ϭ Ϭ

Ϭ Ϭ Ϭ Ϭ

Ϭ Ϭ Ϭ Ϭ

Figure 5: Existence of blocking pairs.

ing that is the best for him/her among all the sta-

ble matchings, which satisfy the requirements from

participants. In this paper, we proposed a protocol

that satisﬁes the three requirements, veriﬁability, pri-

vacy, and selectability, with a semi-honest third-party

server, called a veriﬁer and fully homomorphic en-

cryption (FHE). We ﬁrst provided a general construc-

tion of this protocol which does not limit speciﬁc

requirements from users but assumes that the veriﬁ-

cation algorithm of the requirement is available on

FHE. Furthermore, we proposed a speciﬁc implemen-

tation of an FHE-based veriﬁcation algorithm for two-

sided matching that checks whether matching is stable

while users’ private inputs kept secret.

REFERENCES

Abdollahpouri, H., Adomavicius, G., Burke, R., Guy, I.,

Jannach, D., Kamishima, T., Krasnodebski, J., and

Pizzato, L. (2020). Multistakeholder recommenda-

tion: Survey and research directions. User Modeling

and User-Adapted Interaction, 30(1):127–158.

Acar, A., Aksu, H., Uluagac, A. S., and Conti, M. (2018). A

survey on homomorphic encryption schemes: Theory

and implementation. ACM Computing Surveys (Csur),

51(4):1–35.

Brakerski, Z. and Vaikuntanathan, V. (2011). Efﬁcient

fully homomorphic encryption from (standard) lwe. In

2011 IEEE 52nd Annual Symposium on Foundations

of Computer Science, pages 97–106.

Doerner, J., Evans, D., and shelat, a. (2016). Secure stable

matching at scale. In Proceedings of the 2016 ACM

SIGSAC Conference on Computer and Communica-

tions Security, CCS ’16, page 1602–1613, New York,

NY, USA. Association for Computing Machinery.

Franklin, M., Gondree, M., and Mohassel, P. (2007). Im-

proved efﬁciency for private stable matching. Lecture

Notes in Computer Science (including subseries Lec-

ture Notes in Artiﬁcial Intelligence and Lecture Notes

in Bioinformatics), 4377 LNCS:163–177.

Gale, D. and Shapley, L. S. (1962). College admissions and

ICEIS 2023 - 25th International Conference on Enterprise Information Systems

774

the stability of marriage. The American Mathematical

Monthly, 69:9–15.

Gentry, C. (2009). A fully homomorphic encryption

scheme. STANFORD UNIVERSITY.

Golle, P. (2006). A private stable matching algorithm. In

Proceedings of the 10th International Conference on

Financial Cryptography and Data Security, FC’06,

page 65–80, Berlin, Heidelberg. Springer-Verlag.

Gusﬁeld, D. and Irving, R. W. (1989). The Stable Marriage

Problem: Structure and Algorithms. The MIT Press.

Irving, R. W., Leather, P., and Gusﬁeld, D. (1987). An

efﬁcient algorithm for the “optimal” stable marriage.

Journal of the ACM (JACM), 34(3):532–543.

Kato, A. (1993). Complexity of the sex-equal stable mar-

riage problem. Japan Journal of Industrial and Ap-

plied Mathematics, 10:1–19.

Ohata, S. (2020). Recent advances in practical secure multi-

party computation. IEICE Transactions on Funda-

mentals of Electronics, Communications and Com-

puter Sciences, 103(10):1134–1141.

Parno, B., Howell, J., Gentry, C., and Raykova, M. (2013).

Pinocchio: Nearly practical veriﬁable computation. In

2013 IEEE Symposium on Security and Privacy, pages

238–252. IEEE.

Riazi, M. S., Songhori, E. M., Sadeghi, A.-R., Schneider,

T., and Koushanfar, F. (2017). Toward practical secure

stable matching. Proceedings on Privacy Enhancing

Technologies, 1:62–78.

Teruya, T. and Sakuma, J. (2015). Round-efﬁcient private

stable matching from additive homomorphic encryp-

tion. In Information Security, pages 69–86. Springer.

Achieving Private Veriﬁcation in Multi-stakeholder Environment and Application to Stable Matching

775