1 / 24

Achieving Fairness in Private Contract Negotiation

Achieving Fairness in Private Contract Negotiation. Keith Frikken and Mikhail Atallah Purdue University March 2, 2005. Overview. Introduction/Motivation Related Work Framework Protocols Extensions Summary. Overview. Introduction/Motivation Related Work Framework Protocols

Thomas
Download Presentation

Achieving Fairness in Private Contract Negotiation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Achieving Fairness in Private Contract Negotiation Keith Frikken and Mikhail Atallah Purdue University March 2, 2005

  2. Overview • Introduction/Motivation • Related Work • Framework • Protocols • Extensions • Summary FC 2005

  3. Overview • Introduction/Motivation • Related Work • Framework • Protocols • Extensions • Summary FC 2005

  4. Introduction • Alice and Bob wish to negotiate a contract • Contract consists of many clauses • How to distribute revenue • Where are specific tasks performed • Alice and Bob have constraints on the acceptability of a clause • Naïve solution: • Alice and Bob reveal constraints to one another • Reveals unnecessary information FC 2005

  5. Goals • Alice and Bob would like to create a protocol that determines an agreement that is: • Valid: satisfies both party’s constraints • Fair: neither party can control the outcome • Efficient: No clause is replaceable by another that is better for both parties • Semi-honest (Honest but Curious) FC 2005

  6. Overview • Introduction/Motivation • Related Work • Framework • Protocols • Extensions • Summary FC 2005

  7. Related Work • Automated Negotiations • [Grosof et al, 1999] • [Governatori et al, 2000] • Secure Protocols • [Yao, 1982] • [Yao, 1986] • [Goldreich et al, 1987] • [Katz and Ostrovsky, 2004] • [Malkhi et al, 2004] • Secure Protocols for Set Intersection • [Freedman et al, 2004] FC 2005

  8. Building Blocks • Homomorphic Encryption: • E(x)*E(y)=E(x+y) • E(x)y=E(xy) • Semantic Security • [Paillier, 1999] and [Damgård and Jurik, 2001] • Secure Circuit Evaluation • [Yao, 1986] • Any 2-ary circuit with m gates and n inputs can be evaluated securely with: • O(m) communication and pseudo-random functions • O(n) 1-out-of-2 OTs • O(1) rounds FC 2005

  9. Overview • Introduction/Motivation • Related Work • Framework • Protocols • Extensions • Summary FC 2005

  10. Framework • A clause is a public set S={s0,…,sN-1} • Alice (Bob) have constraints on the acceptability of a clause, represented by AS (BS) • A term xS is acceptable if xA∩B • A clause is satisfiable if A∩B≠ FC 2005

  11. Framework(cont.) • A negotiation is a set of clauses S0,…,Sk-1 • A negotiation is satisfiable if all of its terms are satisfiable • A contract is a sequence of terms x0,…,xk-1 (where xiSi) • A contract is valid if all terms are acceptable to all parties FC 2005

  12. Overview • Introduction/Motivation • Related Work • Framework • Protocols • Extensions • Summary FC 2005

  13. Protocol Template • Two Parts: • Protocol for determining if a clause is satisfiable • Protocols for computing a fair agreement (where neither party has control) • Extend these to the negotiation level • Satisfiability: Conjunction • Valid: Can compute independently FC 2005

  14. Protocol for Satisfiability • Trivial reduction from Set Disjointness (i.e., a clause is satisifiable if the sets are not disjoint) • Suppose Alice forms a list of binary values a0,…,aN-1 where ai is true is Alice finds the ith term acceptable • Bob similarly forms b0,…,bN-1 • Equivalent to i=0 to N-1 (ai  bi) • Easily evaluated with a circuit with O(N) gates and O(N) inputs FC 2005

  15. Finding a fair term • Input: Alice has binary values a0,…,aN-1 and Bob has b0,…,bN-1. It is known that i such that aibi. Furthermore, Alice and Bob have exchanged semantically-secure homomorphic encryption systems EA and EB • Output: An index j such that ajbj and where neither Alice or Bob can control outcome • Semi-honest OT reduces to this problem • Circuit Complexity: • Both parties input permutations into the circuit which then permutes values (using composition of permutations) and then choose first agreement • O(N log N) input (unless using pseudorandom permutation) • O(N2) gates • Our protocol’s goal: O(N) modular exponentiations and O(N) communication FC 2005

  16. Step 1 of Simplified Protocol • Input: Alice has binary values a0,…,aN-1 and Bob has b0,…,bN-1. It is known that i such that aibi. • Output: Bob learns EA(a0b0),…,EA(aN-1bN-1) • Step: • Alice sends to Bob EA(a0),…,EA(aN-1) • For each value bi, Bob does: • If bi=0, output EA(0) • If bi=1, output EA(ai)EA(0) FC 2005

  17. Step 2 of Simplified Protocol • Input: Bob has EA(a0b0),…, EA(aN-1bN-1) and has a permutation ΠB • Output: Alice learns EB(a0b0),…, EB(aN-1bN-1) permuted with ΠB • Steps: • Bob permutes his input with ΠB • For each item EA(aibi) in the list: • Bob chooses a random value ri from {0,1} • If ri=0, he sets γi to EA(aibi), otherwise he γi sets it to EA(aibi)-1EA(1) (i.e., EA(1-(aibi))=EA(⌐(aibi))) • He sends Alice the ordered triple (γi,EB(ri),EB(1-ri)) • For each triple (γi,EB(ri),EB(1-ri)): • Alice computes j=DA(γi) • If j=0 she sets her output to be EB(ri) • Otherwise sets her output to be EB(1-ri) FC 2005

  18. Step 3 of Simplified Protocol • Input: Alice has EB(a0b0),…, EB(aN-1bN-1) permuted with ΠB, and she has two permutations Π’ and Π’’ • Output: Bob gets a list of items permuted with Π’’Π’ΠB where one of them is marked as the agreement • Steps: • Alice permutes the items with Π’ (call this list α0,…,αN-1) • Alice computes a sequence of values: β0,…, βN-1, where β0=α0, and βi= αi*(βi-1)2 • She computes a sequence of values: θ0,…, θN-1, where θi=(βi*EB(-1))q[i] where q[i] is a randomly chosen value • Alice permutes these values with Π’’ and sends them to Bob along with Π’’Π’ • Bob decrypts the values and chooses the one that is 0 and computed the original index by inverting the permutations. FC 2005

  19. Overview • Introduction/Motivation • Related Work • Framework • Protocols • Extensions • Summary FC 2005

  20. Expressing Preferences • Alice and Bob assign a utility to each possible term (denoted by UA(x) and UB(x)) – assume utilities are distinct • A term t1 is inefficient if  a term t2 such that UA(t1)<UA(t2) and UB(t1)<UB(t2) • An efficient term is Pareto optimal • Desirable to only choose efficient terms • Set Disjointness reduces to finding a fair and efficient term FC 2005

  21. Other Extensions • Interactive Negotiation • Feedback • Engage in the protocol several times relaxing constratints • Sparse sets: creating protocols with communication proportional to |A|+|B| • Dependent Clauses • Combine dependent clauses into a “super”-clause FC 2005

  22. Overview • Introduction/Motivation • Related Work • Framework • Protocols • Extensions • Summary FC 2005

  23. Summary • Introduce framework for contract negotiation • Introduced protocols for finding valid, fair, and efficient contracts • Future Work • Dependent Clauses • Multiple parties • Malicious Adversary Model • Multiple Negotiations with Inter-Clause Dependencies • Other negotiation strategies FC 2005

  24. Acknowledgements • Anonymous Reviewers • Gov’t • NSF5, ONR, AFRL • Industry • Intel, Motorola, HP + the corporate sponsors of CERIAS • Foundation • Lilly Endowment • Purdue • CERIAS, Discovery Park FC 2005

More Related