Docstoc

Privacy Preserving Auctions and Mechanism Design

Document Sample
Privacy Preserving Auctions and Mechanism Design Powered By Docstoc
					Privacy Preserving Auctions and Mechanism Design
Moni Naor Benny Pinkas Reuben Sumner

Presented by: Raffi Margaliot

Agenda



   

Motivation Architecture & Entities High Level Protocol Description Cryptographic Tools Secure Computation of Auctions Overhead Calculation

English Auction
Ascending, open-cry.  Most popular type of auction on the internet.  Drawbacks:  Many rounds.  Over a long period of time.  Solution:  Vickrey auction.


Vickrey Auction






Second price sealed bid auction.  All bidders send their bids.  The winner is the highest bidder.  The winner pays second highest bid. Advantages:  Bidding true value is dominant strategy.  Simulates open cry ascending (English) auction in a single round. Why aren’t Vickrey auctions more popular?  Major problem if Auctioneer is corrupt...

Vickery: Corrupt Auctioneer

eSleaze.com
 

How can bidders verify that auctions is begin conducted properly? Can be solved if the value of the bids could be hidden until bidding closes, preventing a corrupt auctioneer from manipulating auction results.

On the Next Day…






One day:  You bid $1000  win and pay $600 On the next day, another auction for same item:  You bid $1000  win and required to pay $999… Suspicion: eSleaze used previous day’s bid to raise up clearing price



How to let the auctioneer learn as little information as is essential to conduct the auction?

Hal Varian Quote


“even if current information can be safeguarded, records of past behavior can be extremely valuable, since historical data can be used to estimate the willingness to pay. What should be the appropriate technological and social safeguards to deal with this problem?”

 This

work: technological safeguards

Mechanism Design
  



Design of protocols for selfish parties. The goal of a protocols is to aggregate preferences to determine some “social choice.” Model:  Each party has a utility function expressing its valuation of each possible outcome of the protocol.  Sends information based on it. Goal: design the protocol so that it is not beneficial to cheat.

The Revelation Principle






“there exists an equivalent mechanism in which the optimal strategy for each party is to report its true utility function.” Example: Vickrey auction. Problems with applying revelation principle:  The center may be corrupt and misuse the truthful bids it receives.  Utility function contains sensitive information.  Participants might cheat simply to avoid leaking this information.

Security & Privacy Requirements




Auctioneer only learns:  Who is the highest bidder.  Clearing price: second highest bid.  Should be able to prove that auction was conducted properly, while hiding bids from bidders. Does not learn:  Highest bid.  Who is second highest bidder.  What are the other bids.

This Work
 Achieves

the requested security and privacy requirements.  Without any third party that:  Is fully trusted.  Takes an active part in the auction.

Agenda



   

Motivation Architecture & Entities High Level Protocol Description Cryptographic Tools Secure Computation of Auctions Overhead Calculation

Architecture

Auction Issuer Bidders Auctioneers

Entity Types




Bidders:  One or several bidders wish to sell items.  Remaining bidders interested in buying the items. Auctioneer: Runs the show.  Advertises the auction.  Receives the bids from the bidders.  Communicates with the auction issuer.  Computes the output of the protocol.  Can be one of the bidders.

Entity Types


Auction issuer:  Runs in the background and ensures that the auctions are executed properly.  Responsible for “coding the program” that computes the output of the protocol so as to preserver privacy.  Supply this program to the auctioneer.  Does not interact with bidders.  Can provide programs for many auctions carried out by many auctioneers.

Trust and Security
Only a coalition of the Auctioneer and the Auction Issuer can compromise:  Proper working of auction  Bidders privacy  All other coalitions gain no more information than in the ideal model


Bidder’s Privacy

Properties
Bidders communicate only with Auctioneer.  Bidders send a single message.  Auction Issuer performs a single, one-round interaction with the Auctioneer.  Public Key of the Auction Issuer is known to the Bidders, no other PKI required.


Agenda



   

Motivation Architecture & Entities High Level Protocol Description Cryptographic Tools Secure Computation of Auctions Overhead Calculation

Auction Is Published


Auctioneer publishes the details of the auction:  Rules for selection of winner.  Closing time.  Auction Issuer supporting the auction.

Bidders Submit Bids
 

Bidders submit encrypted bids to the Auctioneer. The AI can decrypt part of encryption, but even it can not discover the actual bids.

AI Generates Program
 





The AI generates a program to compute the output of the auction. It generates a circuit composed of Boolean gates such as AND, OR and NOT that performs this task and then ``garbles'' the circuit. The Auctioneer forwards portions of the bids to the AI, which decrypts the bids and uses them to compute ``garbled inputs'' to the circuit. It sends the circuit and the inputs to the Auctioneer, along with a signed translation table that ``decrypts'' the output of the circuit.

And the Winner Is…




The Auctioneer uses the garbled inputs and the encrypted circuit to compute the output of the circuit. It publishes the result and the signed translation table received from the AI.

And the winner is…

Related Work - Cryptography




Secure multi-party computation: [GMW,BGW].  Compute any f(X1,…,Xn), where Xi known only to party i.  Parties learn nothing but final output. Drawbacks:  High interactivity between all parties (bidders…).  Considerable computational overhead.  Secure against coalitions of at most 1/3.

Related Work - Auctions
 



Distribute the Auctioneer into many servers [FR,HTK]. Drawbacks:  High interactivity between servers.  All servers controlled by Auctioneer, security only if not too many of the collude.  Not robust to changes in auction. This work:
 

 

Single round between Auctioneer and AI. Security against any coalition of Bidders and Auctioneer or AI. General, full control of what each party learns. Bidders privacy preserved after the auction ended.

Agenda



   

Motivation Architecture & Entities High Level Protocol Description Cryptographic Tools Secure Computation of Auctions Overhead Calculation

Cryptographic Tools
Pseudo-random functions (block ciphers)  Digital Signatures  Garbled Circuits  Proxy-Oblivious Transfer


Garbled Circuits [Yao]
Two party protocol  Input:  Sender (AI): Function F,as a combinatorial circuit  Receiver (Auctioneer): x  Output:  Receiver: F(x) , and no knowledge of F  Sender: no knowledge of x


Garbled Circuits [Yao]


Initialization:
Sender assigns random (garbled) values to the 0/1 values of each wire  Constructs a table for every gate, s.t. given garbled values of input wires enables to compute garbled values of output wire, and nothing else




Computation:


Receiver obtains garbled values of input wires of circuit, and propagates them to the output wires

Garbling a Gate
Wi0,Wi1 i G k Wk0,Wk1 Wj0,Wj1 j
00 01 10 11

Table enables to compute garbled output value of gate from garbled input values, using two applications of a PseudoRandom Function

WiBi,WjBj  WkG(Bi,Bj)

Table entries: ( Bi,Bj  {0,1})

[ WkG(Bi,Bj) +
garbled output

FWiBi(Cj) + FWjBj(Ci) ]
PRF keyed by garbled inputs

Garbling a Circuit

  



Sender assigns garbled values to each wire. Prepares a table for every gate. Sends to receiver. When receiver obtains garbled input values, propagates them through circuit, until able to compute garbled output values. Overhead depends on circuit size. For binary circuits:  size of tables: 4|C|.  computing the result: 2|C| PRF applications.

Proxy Oblivious Transfer


Input:  Sender: 2 secrets M0M1 (garbled input values).  Chooser: b  {0,1} (input bit).  Proxy: nothing. Output:  Sender: nothing.  Chooser: nothing.  Proxy: Mb (garbled value of input bit). Sender and Proxy do not learn b, the input bit.





Proxy Oblivious Transfer
Based on Hardness of Discrete Log

Sender and Chooser agree on a large cyclic group Gg, a generator g, and a random constant c  Gg  Chooser  Selects a random r, 0 < r <|Gg|  Sets PKb = gr, PK1-b = c / PKb  Sends PK0 to Sender  Sends r to Proxy


Proxy Oblivious Transfer
Based on Hardness of Discrete Log


  

Sender  Computes: PK1 = c / PK0  Computes: EPK0(C(M0)), EPK1(C(M1))  C( ) is an error correction code  EPK is El Gamal encryption  Permutes and sends to Proxy Proxy knows private key r and can decrypt Mb Security: Chooser can’t know discrete log of both PK0 and PK1 Overhead: O(1) exponentiations

Agenda



   

Motivation Architecture & Entities High Level Protocol Description Cryptographic Tools Secure Computation of Auctions Overhead Calculation

Secure Computation of Auctions
  





The Auction Issuer prepares a circuit that computes the result of the auction, and garbles it. The Auctioneer publishes the auction. Each Bidder, in parallel, engages in Proxy oblivious transfer for each bit of his bid. This reveals to the Auctioneer the garbled value of this bit. Auction Issuer sends to Auctioneer the gates tables, and a translation table from garbled output values. Auctioneer computes result of auction.

Secure Computation of Auctions






Function for Vickrey auction:  Bids X1,…,Xn. Each bid L bits  F(X1,…,Xn) = (i,p) where i = max (X1,…,Xn), p = max (X1,…,Xi-1,Xi+1,…,Xn) Garbling the circuit: Auction Issuer  Constructs a circuit C for F, garbles it to generate C’  For every output wire k of C, signs a translation table [b,G(Wkb)] (G 1-way)  Sends C’ + translation to Auctioneer Auctioneer publishes auction:  terms, public key of issuer

Secure Computation of Auctions






Coding the input:  Each Bidder i engages in proxy OT for each bit of Xi = Xi1… XiL j  Mij(0), Mij(1) garbled values for wire Xi  Auction Issuer is the sender: { Mij(0), Mij(1) }  Bidder is chooser: input Xij  Auctioneer is proxy: learns Mij (Xij) Computing the output: Auctioneer takes C’ and { Mij ( Xij ) } i=1..N, j=1..L , computes garbled output values, and translates Verification: Bidders use translation tables to verify

Optimizations
Auction Issuer can prepare the garbled circuit in advance, and send it offline  Optimize circuit  Optimize proxy OT  optimize communication pattern  trade computation for bandwidth


Proxy Oblivious Transfer
Communication Pattern
Naive:

2 Encryption Keys

Proxy Oblivious Transfer
Communication Pattern
Better: Bidders communicate only with Auctioneer

2 Encryption Keys

2 Encryption Keys Encryptions

1 Decryption Key

Agenda



   

Motivation Architecture & Entities High Level Protocol Description Cryptographic Tools Secure Computation of Auctions Overhead Calculation

Overhead - Example
Assume:  N = 1000 bidders  L = 20 bits (1,000,000 possible bids)  Communication: Smart circuit for Vickrey auctions


(non binary wires and gates)


|C| = O(NL)  about 5NL gates  25NL table entries (4MB)

Overhead - Computation
Main computation overhead: Proxy Oblivious Transfer  Invocation for every input bit  PII: 20 exponentiations per sec  Parties:  Bidder: 20 OT = 5 exp ( 0.25 sec)  Auctioneer, AI (total): 20000 OT = 5000 exp (250 sec)  Circuit computation is negligible:  O(|C|) applications of PRF


Prototype Implementation
1500 lines of Python code  800 lines of C for encryption and PRFs  Exponentiations coded in assembler  Optimized the circuit computing 2nd price auction  Optimized the proxy oblivious transfer protocol


Other Auctions and Mechanisms
 


 

Main constraint - circuit size. K’th price auctions.  circuit size O(NL+KL).  good for double auctions.  good for risk seekers? Generalized Vickrey auction - participants report utility function. Bottleneck - circuit size. Groves Clarke - sum of reported values should be greater than threshold - efficient circuit. And many more…

Further Work
 

Implementation Distribute the Auction Issuer  Better security  Reduce load  Seems hard: a k-out-of-n access structure of Auction Issuer servers  Possible: split on-line work  one party prepares the circuit  several servers act as the Auction Issuer


				
DOCUMENT INFO
Lingjuan Ma Lingjuan Ma MS
About work for China Compulsory Certification. Some of the documents come from Internet, if you hold the copyright please contact me by huangcaijin@sohu.com