benefit. Although participants could easily detect such
falsification if they shared their preference orders, doing
so may be difficult because of privacy concerns.
There is existing work on private stable matching
algorithms, first introduced by Golle (Golle, 2006),
based on the Gale-Shapley algorithm with secure
multiparty computation (MPC). These proposals can
protect participants’ privacy from other participants
and matching authorities. There is no assignee in this
setting; participants and matching authorities collaborate
to execute pre-defined matching algorithms such
as the Gale-Shapley algorithm. However, this setting
may be unrealistic in a business context; naturally, an
assignee would seek benefit commensurate with the
effort of attracting participants to the matching service.
1.1 Contributions
The contribution of this paper is to propose a protocol
that satisfies the following requirements. More generally,
we will use “user,” “private input,” and “server”
instead of “participant,” “preference order,” and
“assignee,” respectively, in the rest of the paper.
1. Verifiability: Users can accept a result obtained
from the server if and only if the result satisfies
the users’ requirements.
2. Privacy: The adversary cannot obtain any information
about the private inputs of the users.
3. Selectability: The server can freely choose a result
from among all the candidate results.
We propose a protocol that satisfies the three requirements,
verifiability, privacy, and selectability,
using fully homomorphic encryption (FHE) and a
semi-honest third-party server called a verifier. FHE
is cryptography that allows arbitrary functions to be
evaluated on encrypted data. We first show a general
construction of this protocol, which does not limit the
users to specific requirements but assumes that the
verification algorithm of the requirement is available on
FHE. Furthermore, we show a specific implementation
of an FHE-based verification algorithm for two-sided
matching that checks whether a matching is stable
while the users’ private inputs are kept secret.
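The following added example is not from the paper: it is a plaintext Python sketch of the stability predicate that such a verification algorithm decides, and it does not perform any encryption. The function names and the sample preference lists are constructed for illustration; the preference lists are chosen so that three different matchings pass the check, which is the room the selectability requirement leaves to the server.

```python
from itertools import permutations

# Constructed sample input: 3 men and 3 women, most preferred first.
MEN = [[0, 1, 2], [1, 2, 0], [2, 0, 1]]
WOMEN = [[1, 2, 0], [2, 0, 1], [0, 1, 2]]

def ranks(prefs):
    """ranks(prefs)[a][b] is the position of b in a's list (0 = best)."""
    return [{b: i for i, b in enumerate(row)} for row in prefs]

def blocking_pairs(men, women, match):
    """Count blocking pairs; match[m] is the woman assigned to man m."""
    if sorted(match) != list(range(len(men))):
        raise ValueError("match must be a one-to-one pairing")
    mr, wr = ranks(men), ranks(women)
    partner = {w: m for m, w in enumerate(match)}
    count = 0
    for m in range(len(men)):
        for w in range(len(women)):
            # Two comparison bits multiplied together, with no branch
            # on the preferences themselves.
            m_prefers = int(mr[m][w] < mr[m][match[m]])
            w_prefers = int(wr[w][m] < wr[w][partner[w]])
            count += m_prefers * w_prefers
    return count

def is_stable(men, women, match):
    """Verifiability: accept a result if and only if nothing blocks it."""
    return blocking_pairs(men, women, match) == 0

def stable_candidates(men, women):
    """Selectability: every matching the check would accept."""
    return [p for p in permutations(range(len(men)))
            if is_stable(men, women, p)]

if __name__ == "__main__":
    for p in permutations(range(3)):
        print(p, "accept" if is_stable(MEN, WOMEN, p) else "reject")
```
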
Note that we do not consider the server to be an
adversary to privacy requirements in this paper; therefore,
we do not regard the server knowing the private
inputs of the users as a privacy issue. Even if we can
exclude the server as a potential adversary of the privacy
requirement, this problem setting is still worth
discussing because no simple solution satisfies
all of the above requirements.
1.2 Organization
The remainder of the paper is organized as follows.
Section 2 describes the existing work related to this
paper. Section 3 provides the mathematical model
for our protocol and defines the requirements of the
protocol. Section 4 describes the proposed general
construction of the protocol. Section 5 provides the
specific implementation of our solution for the stable
matching problem. Section 6 presents the discussion,
and Section 7 concludes this paper.
2 RELATED WORK
Homomorphic encryption (HE) is a type of cryptography
that allows a third party (e.g., cloud service
provider) to perform some mathematical operations
on encrypted data without compromising the encryption
(Acar et al., 2018). In particular, fully homomorphic
encryption (FHE), which can perform arbitrary
operations an arbitrary number of times, has been actively
studied. Its practicality has been improved significantly
since Gentry (Gentry, 2009) first proposed
FHE. In this paper, we propose methods based on
FHE.
Verifiable computation is a method that enables a
user to offload the computation of a function π to another
untrusted party. The user can verify whether the
received result is truly π(x) at a lower cost than executing
π(x) himself (Parno et al., 2013).
However, this technique cannot solve the issue addressed
in this paper because users cannot know π in
advance to realize selectability.
The stable marriage problem is a well-known
problem; informally, a stable matching is a one-to-one
pairing of a set of men to a set of women,
containing no man and woman who would agree to
leave their assigned partners. Gale and Shapley proposed
an efficient algorithm to find a male-dominated
(or female-dominated) stable matching (Gale and
Shapley, 1962). Golle proposed the first private stable
matching algorithm based on the Gale-Shapley
algorithm, where if a majority of matching authorities
are honest, the protocol correctly outputs a stable
matching and reveals no other information than what
can be learned from that match and the preferences
of participants controlled by the adversary (Golle,
2006). Franklin et al. pointed out that Golle’s algorithm
has a flaw in its communication cost
and proposed a modified version of the algorithm
based on threshold additive homomorphic encryption
(TAHE) and secret sharing (SS) (Franklin et al.,
2007). Franklin et al. also proposed two more ef-
Achieving Private Verification in Multi-stakeholder Environment and Application to Stable Matching