Privacy Preserving Auctions and Mechanism Design. Moni Naor Benny Pinkas Reuben Sumner. Presented by: Raffi Margaliot. Agenda. Motivation Architecture & Entities High Level Protocol Description Cryptographic Tools Secure Computation of Auctions Overhead Calculation. English Auction.
Privacy Preserving Auctions and Mechanism Design Moni Naor Benny Pinkas Reuben Sumner Presented by: Raffi Margaliot
Agenda • Motivation • Architecture & Entities • High Level Protocol Description • Cryptographic Tools • Secure Computation of Auctions • Overhead Calculation
English Auction • Ascending, open-cry. • Most popular type of auction on the internet. • Drawbacks: • Many rounds. • Over a long period of time. • Solution: • Vickrey auction.
Vickrey Auction • Second price sealed bid auction. • All bidders send their bids. • The winner is the highest bidder. • The winner pays second highest bid. • Advantages: • Bidding true value is dominant strategy. • Simulates open cry ascending (English) auction in a single round. • Why aren’t Vickrey auctions more popular? • Major problem if Auctioneer is corrupt...
Vickrey: Corrupt Auctioneer • [Figure: speech bubbles “I bid $900”, “I bid $1000”, “You win, pay $999”; auctioneer labelled eSleaze.com] • How can bidders verify that the auction is being conducted properly? • Can be solved if the value of the bids could be hidden until bidding closes, preventing a corrupt auctioneer from manipulating auction results.
On the Next Day… • One day: • You bid $1000 • win and pay $600 • On the next day, another auction for the same item: • You bid $1000 • win and are required to pay $999… • Suspicion: eSleaze used the previous day’s bid to raise the clearing price • How to let the auctioneer learn only as much information as is essential to conduct the auction?
Hal Varian Quote • “even if current information can be safeguarded, records of past behavior can be extremely valuable, since historical data can be used to estimate the willingness to pay. What should be the appropriate technological and social safeguards to deal with this problem?” • This work: technological safeguards
Mechanism Design • Design of protocols for selfish parties. • The goal of a protocol is to aggregate preferences to determine some “social choice.” • Model: • Each party has a utility function expressing its valuation of each possible outcome of the protocol. • Sends information based on it. • Goal: design the protocol so that it is not beneficial to cheat.
The Revelation Principle • “there exists an equivalent mechanism in which the optimal strategy for each party is to report its true utility function.” • Example: Vickrey auction. • Problems with applying revelation principle: • The center may be corrupt and misuse the truthful bids it receives. • Utility function contains sensitive information. • Participants might cheat simply to avoid leaking this information.
Security & Privacy Requirements • Auctioneer only learns: • Who is the highest bidder. • Clearing price: second highest bid. • Should be able to prove that auction was conducted properly, while hiding bids from bidders. • Does not learn: • Highest bid. • Who is second highest bidder. • What are the other bids.
This Work • Achieves the requested security and privacy requirements. • Without any third party that: • Is fully trusted. • Takes an active part in the auction.
Architecture • [Figure: Auction Issuer, Auctioneers, Bidders]
Entity Types • Bidders: • One or several bidders wish to sell items. • Remaining bidders interested in buying the items. • Auctioneer: Runs the show. • Advertises the auction. • Receives the bids from the bidders. • Communicates with the auction issuer. • Computes the output of the protocol. • Can be one of the bidders.
Entity Types • Auction issuer: • Runs in the background and ensures that the auctions are executed properly. • Responsible for “coding the program” that computes the output of the protocol so as to preserve privacy. • Supplies this program to the auctioneer. • Does not interact with bidders. • Can provide programs for many auctions carried out by many auctioneers.
Trust and Security • Only a coalition of the Auctioneer and the Auction Issuer can compromise: • Proper working of the auction • Bidders’ privacy • All other coalitions gain no more information than in the ideal model
Properties • Bidders communicate only with Auctioneer. • Bidders send a single message. • Auction Issuer performs a single, one-round interaction with the Auctioneer. • Public Key of the Auction Issuer is known to the Bidders, no other PKI required.
Auction Is Published • Auctioneer publishes the details of the auction: • Rules for selection of winner. • Closing time. • Auction Issuer supporting the auction.
Bidders Submit Bids • Bidders submit encrypted bids to the Auctioneer. • The AI can decrypt part of the encryption, but even it cannot discover the actual bids.
AI Generates Program • The AI generates a program to compute the output of the auction. • It generates a circuit composed of Boolean gates such as AND, OR and NOT that performs this task and then “garbles” the circuit. • The Auctioneer forwards portions of the bids to the AI, which decrypts the bids and uses them to compute “garbled inputs” to the circuit. • It sends the circuit and the inputs to the Auctioneer, along with a signed translation table that “decrypts” the output of the circuit.
And the Winner Is… • The Auctioneer uses the garbled inputs and the encrypted circuit to compute the output of the circuit. • It publishes the result and the signed translation table received from the AI.
Related Work - Cryptography • Secure multi-party computation: [GMW,BGW]. • Compute any $f(X_1,\dots,X_n)$, where $X_i$ is known only to party $i$. • Parties learn nothing but the final output. • Drawbacks: • High interactivity between all parties (bidders…). • Considerable computational overhead. • Secure against coalitions of at most 1/3.
Related Work - Auctions • Distribute the Auctioneer into many servers [FR,HTK]. • Drawbacks: • High interactivity between servers. • All servers controlled by the Auctioneer, security only if not too many of them collude. • Not robust to changes in the auction. • This work: • Single round between Auctioneer and AI. • Security against any coalition of Bidders and Auctioneer or AI. • General, full control of what each party learns. • Bidders’ privacy preserved after the auction has ended.
Cryptographic Tools • Pseudo-random functions (block ciphers) • Digital Signatures • Garbled Circuits • Proxy-Oblivious Transfer
Garbled Circuits [Yao] • Two party protocol • Input: • Sender (AI): Function $F$, as a combinatorial circuit • Receiver (Auctioneer): $x$ • Output: • Receiver: $F(x)$, and no knowledge of $F$ • Sender: no knowledge of $x$
Garbled Circuits [Yao] • Initialization: • Sender assigns random (garbled) values to the 0/1 values of each wire • Constructs a table for every gate, such that the garbled values of the input wires make it possible to compute the garbled value of the output wire, and nothing else • Computation: • Receiver obtains the garbled values of the input wires of the circuit, and propagates them to the output wires
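Garbling a Gate • Gate $G$ with input wires $i$, $j$ and output wire $k$; garbled wire values $W_i^0, W_i^1$, $W_j^0, W_j^1$ and $W_k^0, W_k^1$. • The table enables computing the garbled output value of the gate from the garbled input values, using two applications of a Pseudo-Random Function: $(W_i^{B_i}, W_j^{B_j}) \to W_k^{G(B_i,B_j)}$. • Table entries, for $B_i, B_j \in \{0,1\}$ (rows 00, 01, 10, 11): $[\, W_k^{G(B_i,B_j)} + F_{W_i^{B_i}}(C_j) + F_{W_j^{B_j}}(C_i) \,]$, where $W_k^{G(B_i,B_j)}$ is the garbled output and $F$ is the PRF keyed by the garbled inputs.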
Garbling a Circuit • Sender assigns garbled values to each wire. • Prepares a table for every gate. • Sends the tables to the receiver. • When the receiver obtains garbled input values, it propagates them through the circuit until it is able to compute the garbled output values. • Overhead depends on circuit size. For binary circuits: • size of tables: 4|C|. • computing the result: 2|C| PRF applications.
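The garbling and evaluation steps of the two slides above, as an added Python example (not code from the presentation or from the authors' prototype). Assumptions: the “+” in the table entry is read as XOR, $C_i$ is modelled as a one-bit row selector carried with each garbled value, HMAC-SHA256 stands in for the PRF, SHA-256 for the one-way function of the output translation table, and the 2-bit bid comparator circuit is constructed for the demo.

```python
import hashlib, hmac, secrets
K = 16  # bytes per garbled wire value

def prf(key, msg):  # HMAC-SHA256 stands in for the PRF F (assumption)
    return hmac.new(key, msg, hashlib.sha256).digest()[:K + 1]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

# Constructed circuit: 2-bit "bid x > bid y"; rows are (output, G, input i, input j)
CIRCUIT = [
    ("a", lambda p, q: p & (1 - q), "x1", "y1"),   # high bit decides
    ("e", lambda p, q: 1 - (p ^ q), "x1", "y1"),   # high bits equal
    ("b", lambda p, q: p & (1 - q), "x0", "y0"),   # low bit decides
    ("d", lambda p, q: p & q, "e", "b"),
    ("gt", lambda p, q: p | q, "a", "d"),
]
NAMES = ["x1", "x0", "y1", "y0"] + [row[0] for row in CIRCUIT]

def garble():  # Sender: per wire (W^0, W^1, c); c is a random bit masking the row index
    wires = {n: (secrets.token_bytes(K), secrets.token_bytes(K), secrets.randbits(1))
             for n in NAMES}
    tables = {}
    for k, G, i, j in CIRCUIT:
        for bi, bj in ((0, 0), (0, 1), (1, 0), (1, 1)):
            ci, cj = bi ^ wires[i][2], bj ^ wires[j][2]
            bk = G(bi, bj)
            out = wires[k][bk] + bytes([bk ^ wires[k][2]])
            pad = xor(prf(wires[i][bi], k.encode() + bytes([cj])),
                      prf(wires[j][bj], k.encode() + bytes([ci])))
            tables[k, ci, cj] = xor(out, pad)
    # Translation table for the output wire: one-way image of W_k^b -> b
    translation = {hashlib.sha256(wires["gt"][b]).digest(): b for b in (0, 1)}
    return wires, tables, translation

def evaluate(tables, translation, inputs):  # Receiver: two PRF calls per gate
    val = dict(inputs)
    for k, _, i, j in CIRCUIT:
        (wi, ci), (wj, cj) = val[i], val[j]
        pad = xor(prf(wi, k.encode() + bytes([cj])), prf(wj, k.encode() + bytes([ci])))
        plain = xor(tables[k, ci, cj], pad)
        val[k] = (plain[:K], plain[K])
    return translation[hashlib.sha256(val["gt"][0]).digest()]

def compare_bids(x, y):
    wires, tables, translation = garble()
    bits = {"x1": x >> 1 & 1, "x0": x & 1, "y1": y >> 1 & 1, "y0": y & 1}
    garbled = {n: (wires[n][b], b ^ wires[n][2]) for n, b in bits.items()}
    return evaluate(tables, translation, garbled), len(tables)
```

`compare_bids` returns the comparison bit together with the number of table entries, which for this 5-gate binary circuit is 4|C| = 20. The gate name is mixed into the PRF input because wires `x1` and `y1` feed two gates each.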
Proxy Oblivious Transfer • Input: • Sender: 2 secrets $M_0$, $M_1$ (garbled input values). • Chooser: $b \in \{0,1\}$ (input bit). • Proxy: nothing. • Output: • Sender: nothing. • Chooser: nothing. • Proxy: $M_b$ (garbled value of input bit). • Sender and Proxy do not learn $b$, the input bit.
Proxy Oblivious Transfer Based on Hardness of Discrete Log • Sender and Chooser agree on a large cyclic group $G_g$, a generator $g$, and a random constant $c \in G_g$ • Chooser • Selects a random $r$, $0 < r < |G_g|$ • Sets $PK_b = g^r$, $PK_{1-b} = c / PK_b$ • Sends $PK_0$ to Sender • Sends $r$ to Proxy
Proxy Oblivious Transfer Based on Hardness of Discrete Log • Sender • Computes: $PK_1 = c / PK_0$ • Computes: $E_{PK_0}(C(M_0))$, $E_{PK_1}(C(M_1))$ • $C(\cdot)$ is an error correction code • $E_{PK}$ is El Gamal encryption • Permutes and sends to Proxy • Proxy knows private key $r$ and can decrypt $M_b$ • Security: Chooser can’t know the discrete log of both $PK_0$ and $PK_1$ • Overhead: O(1) exponentiations
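The three roles of the proxy oblivious transfer described on the two slides above, as an added Python example (not code from the presentation or the authors' prototype). Assumptions: the modulus and generator are toy demo parameters, the code $C(\cdot)$ is modelled as a fixed 4-byte tag that lets the Proxy recognise the valid plaintext, and the function names and sample messages are constructed.

```python
import secrets

P = 2**127 - 1             # toy prime modulus (constructed demo parameter, not a real-world size)
G = 3                      # generator g of the subgroup G_g used below
TAG = b"\xa5\x5a\xa5\x5a"  # stand-in for C(): redundancy marking a valid plaintext

def chooser(c, b):
    """Chooser (Bidder): returns PK_0 for the Sender and r for the Proxy."""
    r = secrets.randbelow(P - 2) + 1
    pk_b = pow(G, r, P)                      # PK_b = g^r
    pk_other = c * pow(pk_b, -1, P) % P      # PK_{1-b} = c / PK_b
    return (pk_b if b == 0 else pk_other), r

def elgamal_enc(pk, m):
    """El Gamal encryption of C(m) = m || TAG under public key pk."""
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), int.from_bytes(m + TAG, "big") * pow(pk, k, P) % P

def sender(c, pk0, m0, m1):
    """Sender (Auction Issuer): derives PK_1, encrypts both secrets, permutes."""
    pk1 = c * pow(pk0, -1, P) % P
    pair = [elgamal_enc(pk0, m0), elgamal_enc(pk1, m1)]
    secrets.SystemRandom().shuffle(pair)
    return pair

def proxy(r, pair):
    """Proxy (Auctioneer): decrypts both with r, keeps the one C() validates."""
    for a, d in pair:
        plain = (d * pow(pow(a, r, P), -1, P) % P).to_bytes(16, "big")
        if plain[:4] == b"\0" * 4 and plain[12:] == TAG:
            return plain[4:12]
    return None

def run(b, m0=b"garbled0", m1=b"garbled1"):
    """One transfer; m0/m1 are constructed 8-byte sample secrets."""
    c = pow(G, secrets.randbelow(P - 2) + 1, P)  # agreed constant; exponent is discarded
    pk0, r = chooser(c, b)
    return proxy(r, sender(c, pk0, m0, m1))
```

The Sender sees only $PK_0$, which is a uniformly distributed group element for either value of $b$, and the Proxy sees $r$ and a shuffled pair, so neither learns which position the recovered value came from.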
Secure Computation of Auctions • The Auction Issuer prepares a circuit that computes the result of the auction, and garbles it. • The Auctioneer publishes the auction. • Each Bidder, in parallel, engages in Proxy oblivious transfer for each bit of his bid. This reveals to the Auctioneer the garbled value of this bit. • Auction Issuer sends to Auctioneer the gates tables, and a translation table from garbled output values. • Auctioneer computes result of auction.
Secure Computation of Auctions • Function for Vickrey auction: • Bids $X_1,\dots,X_n$. Each bid $L$ bits • $F(X_1,\dots,X_n) = (i, p)$ where $i = \max(X_1,\dots,X_n)$, $p = \max(X_1,\dots,X_{i-1},X_{i+1},\dots,X_n)$ • Garbling the circuit: Auction Issuer • Constructs a circuit $C$ for $F$, garbles it to generate $C'$ • For every output wire $k$ of $C$, signs a translation table $[b, G(W_k^b)]$ ($G$ 1-way) • Sends $C'$ + translation to Auctioneer • Auctioneer publishes auction: • terms, public key of issuer
Secure Computation of Auctions • Coding the input: • Each Bidder $i$ engages in proxy OT for each bit of $X_i = X_{i1} \dots X_{iL}$ • $M_{ij}(0)$, $M_{ij}(1)$: garbled values for wire $X_{ij}$ • Auction Issuer is the sender: $\{ M_{ij}(0), M_{ij}(1) \}$ • Bidder is chooser: input $X_{ij}$ • Auctioneer is proxy: learns $M_{ij}(X_{ij})$ • Computing the output: Auctioneer takes $C'$ and $\{ M_{ij}(X_{ij}) \}_{i=1..N,\ j=1..L}$, computes garbled output values, and translates • Verification: Bidders use translation tables to verify
Optimizations • Auction Issuer can prepare the garbled circuit in advance, and send it offline • Optimize circuit • Optimize proxy OT • optimize communication pattern • trade computation for bandwidth
Proxy Oblivious Transfer Communication Pattern • Naive: • [Figure labels: 2 Encryption Keys; Encryptions; 1 Decryption Key]
Proxy Oblivious Transfer Communication Pattern • Better: Bidders communicate only with Auctioneer • [Figure labels: 2 Encryption Keys; 2 Encryption Keys; 1 Decryption Key; Encryptions]
Overhead - Example • Assume: • N = 1000 bidders • L = 20 bits (1,000,000 possible bids) • Communication: Smart circuit for Vickrey auctions (non binary wires and gates) • |C| = O(NL) • about 5NL gates • 25NL table entries (4MB)
Overhead - Computation • Main computation overhead: Proxy Oblivious Transfer • Invocation for every input bit • PII: 20 exponentiations per sec • Parties: • Bidder: 20 OT = 5 exp (0.25 sec) • Auctioneer, AI (total): 20000 OT = 5000 exp (250 sec) • Circuit computation is negligible: • O(|C|) applications of PRF
Prototype Implementation • 1500 lines of Python code • 800 lines of C for encryption and PRFs • Exponentiations coded in assembler • Optimized the circuit computing 2nd price auction • Optimized the proxy oblivious transfer protocol
Other Auctions and Mechanisms • Main constraint - circuit size. • K’th price auctions. • circuit size O(NL+KL). • good for double auctions. • good for risk seekers? • Generalized Vickrey auction - participants report utility function. Bottleneck - circuit size. • Groves Clarke - sum of reported values should be greater than threshold - efficient circuit. • And many more…
Further Work • Implementation • Distribute the Auction Issuer • Better security • Reduce load • Seems hard: a k-out-of-n access structure of Auction Issuer servers • Possible: split on-line work • one party prepares the circuit • several servers act as the Auction Issuer