Achieving Fairness in Private Contract Negotiation
Keith Frikken and Mikhail Atallah
Purdue University
March 2, 2005

Overview
• Introduction/Motivation
• Related Work
• Framework
• Protocols
• Extensions
• Summary
FC 2005

Introduction
• Alice and Bob wish to negotiate a contract
• Contract consists of many clauses
  • How to distribute revenue
  • Where specific tasks are performed
• Alice and Bob have constraints on the acceptability of a clause
• Naïve solution:
  • Alice and Bob reveal constraints to one another
  • Reveals unnecessary information

Goals
• Alice and Bob would like to create a protocol that determines an agreement that is:
  • Valid: satisfies both parties' constraints
  • Fair: neither party can control the outcome
  • Efficient: no clause is replaceable by another that is better for both parties
• Semi-honest (Honest but Curious)

Related Work
• Automated Negotiations
  • [Grosof et al, 1999]
  • [Governatori et al, 2000]
• Secure Protocols
  • [Yao, 1982]
  • [Yao, 1986]
  • [Goldreich et al, 1987]
  • [Katz and Ostrovsky, 2004]
  • [Malkhi et al, 2004]
• Secure Protocols for Set Intersection
  • [Freedman et al, 2004]

Building Blocks
• Homomorphic Encryption:
  • $E(x) \cdot E(y) = E(x+y)$
  • $E(x)^y = E(xy)$
  • Semantic Security
  • [Paillier, 1999] and [Damgård and Jurik, 2001]
• Secure Circuit Evaluation
  • [Yao, 1986]
  • Any 2-ary circuit with $m$ gates and $n$ inputs can be evaluated securely with:
    • $O(m)$ communication and pseudo-random functions
    • $O(n)$ 1-out-of-2 OTs
    • $O(1)$ rounds

Framework
• A clause is a public set $S = \{s_0, \dots, s_{N-1}\}$
• Alice (Bob) has constraints on the acceptability of a clause, represented by $A \subseteq S$ ($B \subseteq S$)
• A term $x \in S$ is acceptable if $x \in A \cap B$
• A clause is satisfiable if $A \cap B \neq \emptyset$

Framework (cont.)
• A negotiation is a set of clauses $S_0, \dots, S_{k-1}$
• A negotiation is satisfiable if all of its terms are satisfiable
• A contract is a sequence of terms $x_0, \dots, x_{k-1}$ (where $x_i \in S_i$)
• A contract is valid if all terms are acceptable to all parties

Protocol Template
• Two Parts:
  • Protocol for determining if a clause is satisfiable
  • Protocols for computing a fair agreement (where neither party has control)
• Extend these to the negotiation level
  • Satisfiability: Conjunction
  • Valid: Can compute independently

Protocol for Satisfiability
• Trivial reduction from Set Disjointness (i.e., a clause is satisfiable if the sets are not disjoint)
• Suppose Alice forms a list of binary values $a_0, \dots, a_{N-1}$ where $a_i$ is true if Alice finds the $i$th term acceptable
• Bob similarly forms $b_0, \dots, b_{N-1}$
• Equivalent to $\bigvee_{i=0}^{N-1} (a_i \wedge b_i)$
• Easily evaluated with a circuit with $O(N)$ gates and $O(N)$ inputs

Finding a fair term
• Input: Alice has binary values $a_0, \dots, a_{N-1}$ and Bob has $b_0, \dots, b_{N-1}$. It is known that $\exists i$ such that $a_i \wedge b_i$. Furthermore, Alice and Bob have exchanged semantically-secure homomorphic encryption systems $E_A$ and $E_B$
• Output: An index $j$ such that $a_j \wedge b_j$ and where neither Alice nor Bob can control the outcome
• Semi-honest OT reduces to this problem
• Circuit Complexity:
  • Both parties input permutations into the circuit, which then permutes the values (using composition of permutations) and chooses the first agreement
  • $O(N \log N)$ input (unless using a pseudorandom permutation)
  • $O(N^2)$ gates
• Our protocol's goal: $O(N)$ modular exponentiations and $O(N)$ communication

Step 1 of Simplified Protocol
• Input: Alice has binary values $a_0, \dots, a_{N-1}$ and Bob has $b_0, \dots, b_{N-1}$. It is known that $\exists i$ such that $a_i \wedge b_i$.
• Output: Bob learns $E_A(a_0 \wedge b_0), \dots, E_A(a_{N-1} \wedge b_{N-1})$
• Steps:
  • Alice sends to Bob $E_A(a_0), \dots, E_A(a_{N-1})$
  • For each value $b_i$, Bob does:
    • If $b_i = 0$, output $E_A(0)$
    • If $b_i = 1$, output $E_A(a_i) \cdot E_A(0)$

Step 2 of Simplified Protocol
• Input: Bob has $E_A(a_0 \wedge b_0), \dots, E_A(a_{N-1} \wedge b_{N-1})$ and has a permutation $\Pi_B$
• Output: Alice learns $E_B(a_0 \wedge b_0), \dots, E_B(a_{N-1} \wedge b_{N-1})$ permuted with $\Pi_B$
• Steps:
  • Bob permutes his input with $\Pi_B$
  • For each item $E_A(a_i \wedge b_i)$ in the list:
    • Bob chooses a random value $r_i$ from $\{0,1\}$
    • If $r_i = 0$, he sets $\gamma_i$ to $E_A(a_i \wedge b_i)$; otherwise he sets $\gamma_i$ to $E_A(a_i \wedge b_i)^{-1} \cdot E_A(1)$ (i.e., $E_A(1 - (a_i \wedge b_i)) = E_A(\neg(a_i \wedge b_i))$)
    • He sends Alice the ordered triple $(\gamma_i, E_B(r_i), E_B(1 - r_i))$
  • For each triple $(\gamma_i, E_B(r_i), E_B(1 - r_i))$:
    • Alice computes $j = D_A(\gamma_i)$
    • If $j = 0$ she sets her output to be $E_B(r_i)$
    • Otherwise she sets her output to be $E_B(1 - r_i)$

Step 3 of Simplified Protocol
• Input: Alice has $E_B(a_0 \wedge b_0), \dots, E_B(a_{N-1} \wedge b_{N-1})$ permuted with $\Pi_B$, and she has two permutations $\Pi'$ and $\Pi''$
• Output: Bob gets a list of items permuted with $\Pi'' \Pi' \Pi_B$ where one of them is marked as the agreement
• Steps:
  • Alice permutes the items with $\Pi'$ (call this list $\alpha_0, \dots, \alpha_{N-1}$)
  • Alice computes a sequence of values $\beta_0, \dots, \beta_{N-1}$, where $\beta_0 = \alpha_0$ and $\beta_i = \alpha_i \cdot (\beta_{i-1})^2$
  • She computes a sequence of values $\theta_0, \dots, \theta_{N-1}$, where $\theta_i = (\beta_i \cdot E_B(-1))^{q[i]}$ and $q[i]$ is a randomly chosen value
  • Alice permutes these values with $\Pi''$ and sends them to Bob along with $\Pi'' \Pi'$
  • Bob decrypts the values, chooses the one that is 0, and computes the original index by inverting the permutations.

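The three steps of the simplified protocol, run end to end as an added example (not code from the slides or the paper). It assumes a toy Paillier instance with small Mersenne-prime keys standing in for E_A and E_B, and simulates both semi-honest parties in one process; the names `Paillier`, `fair_term`, `EA` and `EB` are illustrative.

```python
import secrets

class Paillier:
    """Toy Paillier with g = n + 1: E(x)*E(y) = E(x+y), E(x)**k = E(k*x)."""
    def __init__(self, p, q):
        self.n, self.n2 = p * q, (p * q) ** 2
        self._phi = (p - 1) * (q - 1)              # private key
        self._mu = pow(self._phi, -1, self.n)
    def enc(self, m):
        r = secrets.randbelow(self.n - 1) + 1      # fresh randomness per ciphertext
        return (1 + (m % self.n) * self.n) * pow(r, self.n, self.n2) % self.n2
    def dec(self, c):
        return (pow(c, self._phi, self.n2) - 1) // self.n * self._mu % self.n
    def mul(self, c1, c2):                         # adds the plaintexts
        return c1 * c2 % self.n2
    def exp(self, c, k):                           # multiplies the plaintext by k
        return pow(c, k, self.n2)

# Assumed demo keys (Mersenne primes); far too small for real use.
EA = Paillier(2**61 - 1, 2**89 - 1)
EB = Paillier(2**107 - 1, 2**127 - 1)

def fair_term(a, b, EA, EB):
    N, rng = len(a), secrets.SystemRandom()
    # Step 1: Alice sends E_A(a_i); Bob derives E_A(a_i AND b_i), re-randomized.
    ca = [EA.enc(ai) for ai in a]
    c = [EA.mul(ca[i], EA.enc(0)) if b[i] else EA.enc(0) for i in range(N)]
    # Step 2: Bob permutes with Pi_B and blinds with r_i; Alice converts to E_B.
    piB = rng.sample(range(N), N)
    out = []
    for k in piB:
        r = rng.randrange(2)
        gamma = EA.mul(EA.exp(c[k], -1), EA.enc(1)) if r else c[k]
        triple = (gamma, EB.enc(r), EB.enc(1 - r))            # Bob -> Alice
        out.append(triple[1] if EA.dec(triple[0]) == 0 else triple[2])
    # Step 3: Alice permutes with Pi', chains beta, blinds theta, permutes with Pi''.
    p1, p2 = rng.sample(range(N), N), rng.sample(range(N), N)
    alpha = [out[k] for k in p1]
    beta = [alpha[0]]
    for i in range(1, N):                          # plaintext: alpha_i + 2*beta_{i-1}
        beta.append(EB.mul(alpha[i], EB.exp(beta[i - 1], 2)))
    theta = [EB.exp(EB.mul(x, EB.enc(-1)), rng.randrange(1, EB.n)) for x in beta]
    sent = [theta[k] for k in p2]
    comp = [p1[k] for k in p2]                     # Pi'' Pi', sent with the list
    # Bob: the only plaintext 0 marks the first agreement; invert the permutations.
    zeros = [k for k in range(N) if EB.dec(sent[k]) == 0]
    if len(zeros) != 1:
        raise ValueError("no common acceptable term (precondition violated)")
    return piB[comp[zeros[0]]]
```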
Expressing Preferences
• Alice and Bob assign a utility to each possible term (denoted by $U_A(x)$ and $U_B(x)$) – assume utilities are distinct
• A term $t_1$ is inefficient if $\exists$ a term $t_2$ such that $U_A(t_1) < U_A(t_2)$ and $U_B(t_1) < U_B(t_2)$
• An efficient term is Pareto optimal
• Desirable to only choose efficient terms
• Set Disjointness reduces to finding a fair and efficient term

Other Extensions
• Interactive Negotiation
  • Feedback
  • Engage in the protocol several times, relaxing constraints
• Sparse sets: creating protocols with communication proportional to $|A| + |B|$
• Dependent Clauses
  • Combine dependent clauses into a “super”-clause

Summary
• Introduced a framework for contract negotiation
• Introduced protocols for finding valid, fair, and efficient contracts
• Future Work
  • Dependent Clauses
  • Multiple parties
  • Malicious Adversary Model
  • Multiple Negotiations with Inter-Clause Dependencies
  • Other negotiation strategies

Acknowledgements
• Anonymous Reviewers
• Gov’t
  • NSF5, ONR, AFRL
• Industry
  • Intel, Motorola, HP + the corporate sponsors of CERIAS
• Foundation
  • Lilly Endowment
• Purdue
  • CERIAS, Discovery Park