Privacy Preserving Auctions and Mechanism Design

Privacy Preserving Auctions and Mechanism Design PowerPoint PPT Presentation


  • 101 Views
  • Uploaded on
  • Presentation posted in: General

Presentation Outline. Introduction and GoalsCryptographic ToolsTwo-Party Secure Function EvaluationSecure Function Evaluation for AuctionsIssuesOverheadSecurityOther Mechanisms. Introduction. 2 main types of auctionsOpen-cry English AuctionInteractiveHighest bidder is winnerWinner pays hi

Download Presentation

Privacy Preserving Auctions and Mechanism Design

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


1. Privacy Preserving Auctions and Mechanism Design Moni Naor, Benny Pinkas, Reuban Sumner Presented by Jason D. Bakos

2. Presentation Outline Introduction and Goals Cryptographic Tools Two-Party Secure Function Evaluation Secure Function Evaluation for Auctions Issues Overhead Security Other Mechanisms

3. Introduction 2 main types of auctions Open-cry English Auction Interactive Highest bidder is winner Winner pays highest bid Usually slightly higher than next highest Valuation is not revealed to auctioneer Disadvantage: complex to run

4. Introduction Sealed bid second price auction One bid per bidder Highest bidder wins Winner pays second highest bid Optimal strategy is to bid true valuation Disadvantage: valuations revealed to auctioneer Must place total trust in auctioneer Reservation, auctioneer bids, lying, renegging

5. Introduction GOAL: Keep bids secret from auctioneer Auctioneer only needs to know identification of highest bidder clearing price Need a third entity “Auction issuer” Create protocol where neither auctioneer nor auction issuer have full information about bidders and bids Assumption: auctioneer and auction issuer do not collude

6. Introduction Auction consists of three types of entities Bidders, auctioneer, auction issuer Protocol Auctioneer advertises details of auction Rules, times, AI AI creates an encryption scheme for each bidder to use Bidders submit encrypted bids to the auctioneer, using the AI’s encryption scheme AI generates a program to compute the outcome of the auction based upon the encrypted bids, then sends circuit and output translation table to auctioneer Auctioneer uses inputs and program to compute outcome of auction

7. Presentation Outline Introduction and Goals Cryptographic Tools Two-Party Secure Function Evaluation Secure Function Evaluation for Auctions Issues Overhead Security Other Mechanisms

8. Cryptographic Tools Pseudo-random functions e.g. FK(x) Function that implements a “random” unique integer mapping for each key Provides model for block ciphers or keyed one-way hash functions In this context, K is 80 bits, x is one bit, and result is 81 bits (Secure) Oblivious Transfer Sender, chooser Sender has 2 secret values (m0, m1) Chooser knows s, learns ms, and doesn’t learn m1-s Sender does not know which value the chooser received Algorithm involved uses two public key encryptions (sender) and one public-key decryption by the chooser

9. Cryptographic Tools Proxy Oblivious Transfer Sender (as before), chooser, proxy Chooser chooses s proxy learns ms (but not s) Secure Function Evaluation for Two Parties Two parties: Input owner A (x) and program owner B (f) At the end of the protocol, A should learn f(x) (nothing about f) and B should learning nothing about x A is auctioneer, B is auction issuer, and f computes outcome of auction f is expressed as a combinatorial binary circuit Inputs are entered into input “wires” and are propagated through “gates”

10. Presentation Outline Introduction and Goals Cryptographic Tools Two-Party Secure Function Evaluation Secure Function Evaluation for Auctions Issues Overhead Security Other Mechanisms

11. Two-Party Secure Function Evaluation B assigns each wire i two random values (Wi0, Wi1) corresponding to 0 and 1 Used as pseudo-random keys (e.g. 80 bits) Wire values denoted as bi (0 or 1) B assigns a “garble” function to each wire: pi: bi -> ci (Wibi,ci) denotes the garbled value of wire i Gate function denoted as bk=g(bi,bj) B creates a table Tg which enables computation of garbled output of g: (Wkbk,ck) from garbled inputs (Wibi,ci) and (Wjbj,cj)

12. Two-Party Secure Function Evaluation The table does not disclose any information about the output of g for other inputs Does not reveal input or output values Assume |FK(x)| = |Wkbk|+1 The table contains four entries: For A to use the table A knows (Wibi,ci), (Wjbj,cj) Finds (ci,cj) in the table Performs XOR with entry in the table to compute garbled output (Wkg(bi,bj),ck) Recall that A xor B xor C xor B xor C = A Garbled output from garbled inputs and table

13. Two-Party Secure Function Evaluation For each input wire, B and A engage in oblivious transfer B is the sender, A is the chooser B sends the gate tables to A B sends a translation table from the garbled values of the output wires to output bits By the end of the oblivious transfer stages, A has enough information to compute f(x)

14. Two-Party Secure Function Evaluation Security of gates Every masking value (FW(ci)) is used only once Without knowledge of the correct key, masking values look random Overhead Communication is performed in one back and forth round B can prepare the circuit in advance (one table for each of m gates) Computation: one oblivious transfer for each input bit (n) A and B must perform n exponentiations A must evaluate f m applications of PR function Negligible compared to oblivious transfer

15. Presentation Outline Introduction and Goals Cryptographic Tools Two-Party Secure Function Evaluation Secure Function Evaluation for Auctions Issues Overhead Security Other Mechanisms

16. Secure Function Evaluation for Auctions Auctioneer must compute f(x1,…,xn) = result of auction = <i,p> i = winner p = clearing price AI constructs circuit to compute auction result and garbles it Auctioneer advertises auction and AI’s public key (P. OT) Each bidder engages in a 1-of-2 proxy oblivious transfer (for each bit) AI is sender (garbled input bit value-pairs) Bidder is the chooser Auctioneer is proxy Note that the auction issuer doesn’t receive any inputs Auctioneer computes outcome of auction AI provides output translation table

17. Secure Function Evaluation for Auctions

18. Secure Function Evaluation for Auctions Auctioneer: Build table for one and-gate…

19. Secure Function Evaluation for Auctions The AI sends tables to auctioneer Proxy oblivious transfer AI sender (garbled values) Auctioneer proxy (gets garbled values) Bidders chooser (selects garbled inputs, unknown to others) Auctioneer receives garbled inputs for table…

20. Secure Function Evaluation for Auctions In order to auctioneer to evaluate table… Example: use bidder 0’s inputs to AND-gate… Garbled input bits are 01 so we use row 2 of the table Recall, the inputs were 0110, 1001 0111 xor F011(0)=1010 xor F100(1)=1110 =0011 (which is the garbled value of 0 for the input) i.e. 1 and 0 = 0

21. Presentation Outline Introduction and Goals Cryptographic Tools Two-Party Secure Function Evaluation Secure Function Evaluation for Auctions Issues Overhead Security Other Mechanisms

22. Overhead Bidders engage in proxy OT as choosers Number of bits in bid Exponentiations proportional to input length Bidders encrypt each bid (once per bid) Not bad AI prepares and sends circuit (offline) Can optimize table (multi-valued bits) AI acts as sender in proxy OT for all bids Significant load for acting as sender Auctioneer acts as proxy in proxy OT for each bit in all bids Auctioneer evaluates circuit PR function evaluations proportional to circuit size

23. Presentation Outline Introduction and Goals Cryptographic Tools Two-Party Secure Function Evaluation Secure Function Evaluation for Auctions Issues Overhead Security Other Mechanisms

24. Security Issues Messages from the bidders are encrypted in P. OT exchange Prevent auctioneer from creating meaningful changes to the cleartext by changing the ciphertext Must avoid a replay attack (repeating a message from past auction) Solution: add date/time stamp to bidders’ cleartext messages before encrypting Bidder verification of auctioneer f-computation and AI involvement Require auctioneer to publish tables and garbled input values of the circuit for simulation Require AI to sign a list of hash values of the messages it received from the bidders (displayed by auctioneer)

25. Security Issues Malicious auctioneer Encryption scheme Protect against corrupt auctioneer from changing bids Verification of circuit evaluation Publish tables to bidders AI sign tables Malicious auction issuer Consider an AI that colludes with bidder(s) It can change the circuit to favor bidder(s) or use bad inputs AI provides m copies of the program to the auctioneer Removes garbling for half of copies, auctioneer verifies Malicious bidders Denial-of-service by bidders Auctioneer can prove this took place Bidder receives bid of 0 (using details of the proxy OT algorithm)

26. Presentation Outline Introduction and Goals Cryptographic Tools Two-Party Secure Function Evaluation Secure Function Evaluation for Auctions Issues Overhead Security Other Mechanisms

27. Other Mechanisms Different auctions can be implemented if we use different circuits kth price auctions double auctions M sellers and N buyers Mth-price, (M+1)st price Generalized Vickrey Auctions Agents report utilities, center calculates allocation Sell multiple units where U-function depends of number received “FCC spectrum auctions” Several rounds

28. Other Mechanisms Other ‘global problem’ mechanisms can be used where there is no trust in the center… Groves-Clarke Public good is produced if valuation sum is higher than a threshold Elicit opinions from group of experts Accept majority opinion GOAL: keep votes private from voters and center Stable matching Computer dating service GOAL: privacy from center

  • Login