- 105 Views
- Uploaded on
- Presentation posted in: General

Privacy Preserving Auctions and Mechanism Design

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

**1. **Privacy Preserving Auctions and Mechanism Design Moni Naor, Benny Pinkas, Reuban Sumner
Presented by Jason D. Bakos

**2. **Presentation Outline Introduction and Goals
Cryptographic Tools
Two-Party Secure Function Evaluation
Secure Function Evaluation for Auctions
Issues
Overhead
Security
Other Mechanisms

**3. **Introduction 2 main types of auctions
Open-cry English Auction
Interactive
Highest bidder is winner
Winner pays highest bid
Usually slightly higher than next highest
Valuation is not revealed to auctioneer
Disadvantage: complex to run

**4. **Introduction Sealed bid second price auction
One bid per bidder
Highest bidder wins
Winner pays second highest bid
Optimal strategy is to bid true valuation
Disadvantage: valuations revealed to auctioneer
Must place total trust in auctioneer
Reservation, auctioneer bids, lying, renegging

**5. **Introduction GOAL:
Keep bids secret from auctioneer
Auctioneer only needs to know
identification of highest bidder
clearing price
Need a third entity
Auction issuer
Create protocol where neither auctioneer nor auction issuer have full information about bidders and bids
Assumption: auctioneer and auction issuer do not collude

**6. **Introduction Auction consists of three types of entities
Bidders, auctioneer, auction issuer
Protocol
Auctioneer advertises details of auction
Rules, times, AI
AI creates an encryption scheme for each bidder to use
Bidders submit encrypted bids to the auctioneer, using the AIs encryption scheme
AI generates a program to compute the outcome of the auction based upon the encrypted bids, then sends circuit and output translation table to auctioneer
Auctioneer uses inputs and program to compute outcome of auction

**7. **Presentation Outline Introduction and Goals
Cryptographic Tools
Two-Party Secure Function Evaluation
Secure Function Evaluation for Auctions
Issues
Overhead
Security
Other Mechanisms

**8. **Cryptographic Tools Pseudo-random functions
e.g. FK(x)
Function that implements a random unique integer mapping for each key
Provides model for block ciphers or keyed one-way hash functions
In this context, K is 80 bits, x is one bit, and result is 81 bits
(Secure) Oblivious Transfer
Sender, chooser
Sender has 2 secret values (m0, m1)
Chooser knows s, learns ms, and doesnt learn m1-s
Sender does not know which value the chooser received
Algorithm involved uses two public key encryptions (sender) and one public-key decryption by the chooser

**9. **Cryptographic Tools Proxy Oblivious Transfer
Sender (as before), chooser, proxy
Chooser chooses s
proxy learns ms (but not s)
Secure Function Evaluation for Two Parties
Two parties: Input owner A (x) and program owner B (f)
At the end of the protocol, A should learn f(x) (nothing about f) and B should learning nothing about x
A is auctioneer, B is auction issuer, and f computes outcome of auction
f is expressed as a combinatorial binary circuit
Inputs are entered into input wires and are propagated through gates

**10. **Presentation Outline Introduction and Goals
Cryptographic Tools
Two-Party Secure Function Evaluation
Secure Function Evaluation for Auctions
Issues
Overhead
Security
Other Mechanisms

**11. **Two-Party Secure Function Evaluation B assigns each wire i two random values (Wi0, Wi1) corresponding to 0 and 1
Used as pseudo-random keys (e.g. 80 bits)
Wire values denoted as bi (0 or 1)
B assigns a garble function to each wire: pi: bi -> ci
(Wibi,ci) denotes the garbled value of wire i
Gate function denoted as bk=g(bi,bj)
B creates a table Tg which enables computation of garbled output of g: (Wkbk,ck) from garbled inputs (Wibi,ci) and (Wjbj,cj)

**12. **Two-Party Secure Function Evaluation The table does not disclose any information about the output of g for other inputs
Does not reveal input or output values
Assume |FK(x)| = |Wkbk|+1
The table contains four entries:
For A to use the table
A knows (Wibi,ci), (Wjbj,cj)
Finds (ci,cj) in the table
Performs XOR with entry in the table to compute garbled output (Wkg(bi,bj),ck)
Recall that A xor B xor C xor B xor C = A
Garbled output from garbled inputs and table

**13. **Two-Party Secure Function Evaluation For each input wire, B and A engage in oblivious transfer
B is the sender, A is the chooser
B sends the gate tables to A
B sends a translation table from the garbled values of the output wires to output bits
By the end of the oblivious transfer stages, A has enough information to compute f(x)

**14. **Two-Party Secure Function Evaluation Security of gates
Every masking value (FW(ci)) is used only once
Without knowledge of the correct key, masking values look random
Overhead
Communication is performed in one back and forth round
B can prepare the circuit in advance (one table for each of m gates)
Computation: one oblivious transfer for each input bit (n)
A and B must perform n exponentiations
A must evaluate f
m applications of PR function
Negligible compared to oblivious transfer

**15. **Presentation Outline Introduction and Goals
Cryptographic Tools
Two-Party Secure Function Evaluation
Secure Function Evaluation for Auctions
Issues
Overhead
Security
Other Mechanisms

**16. **Secure Function Evaluation for Auctions Auctioneer must compute f(x1,,xn) = result of auction = <i,p>
i = winner
p = clearing price
AI constructs circuit to compute auction result and garbles it
Auctioneer advertises auction and AIs public key (P. OT)
Each bidder engages in a 1-of-2 proxy oblivious transfer (for each bit)
AI is sender (garbled input bit value-pairs)
Bidder is the chooser
Auctioneer is proxy
Note that the auction issuer doesnt receive any inputs
Auctioneer computes outcome of auction
AI provides output translation table

**17. **Secure Function Evaluation for Auctions

**18. **Secure Function Evaluation for Auctions Auctioneer:
Build table for one and-gate

**19. **Secure Function Evaluation for Auctions The AI sends tables to auctioneer
Proxy oblivious transfer
AI sender (garbled values)
Auctioneer proxy (gets garbled values)
Bidders chooser (selects garbled inputs, unknown to others)
Auctioneer receives garbled inputs for table

**20. **Secure Function Evaluation for Auctions In order to auctioneer to evaluate table
Example: use bidder 0s inputs to AND-gate
Garbled input bits are 01 so we use row 2 of the table
Recall, the inputs were 0110, 1001
0111 xor F011(0)=1010 xor F100(1)=1110
=0011 (which is the garbled value of 0 for the input)
i.e. 1 and 0 = 0

**21. **Presentation Outline Introduction and Goals
Cryptographic Tools
Two-Party Secure Function Evaluation
Secure Function Evaluation for Auctions
Issues
Overhead
Security
Other Mechanisms

**22. **Overhead Bidders engage in proxy OT as choosers
Number of bits in bid
Exponentiations proportional to input length
Bidders encrypt each bid (once per bid)
Not bad
AI prepares and sends circuit (offline)
Can optimize table (multi-valued bits)
AI acts as sender in proxy OT for all bids
Significant load for acting as sender
Auctioneer acts as proxy in proxy OT for each bit in all bids
Auctioneer evaluates circuit
PR function evaluations proportional to circuit size

**23. **Presentation Outline Introduction and Goals
Cryptographic Tools
Two-Party Secure Function Evaluation
Secure Function Evaluation for Auctions
Issues
Overhead
Security
Other Mechanisms

**24. **Security Issues Messages from the bidders are encrypted in P. OT exchange
Prevent auctioneer from creating meaningful changes to the cleartext by changing the ciphertext
Must avoid a replay attack (repeating a message from past auction)
Solution: add date/time stamp to bidders cleartext messages before encrypting
Bidder verification of auctioneer f-computation and AI involvement
Require auctioneer to publish tables and garbled input values of the circuit for simulation
Require AI to sign a list of hash values of the messages it received from the bidders (displayed by auctioneer)

**25. **Security Issues Malicious auctioneer
Encryption scheme
Protect against corrupt auctioneer from changing bids
Verification of circuit evaluation
Publish tables to bidders
AI sign tables
Malicious auction issuer
Consider an AI that colludes with bidder(s)
It can change the circuit to favor bidder(s) or use bad inputs
AI provides m copies of the program to the auctioneer
Removes garbling for half of copies, auctioneer verifies
Malicious bidders
Denial-of-service by bidders
Auctioneer can prove this took place
Bidder receives bid of 0 (using details of the proxy OT algorithm)

**26. **Presentation Outline Introduction and Goals
Cryptographic Tools
Two-Party Secure Function Evaluation
Secure Function Evaluation for Auctions
Issues
Overhead
Security
Other Mechanisms

**27. **Other Mechanisms Different auctions can be implemented if we use different circuits
kth price auctions
double auctions
M sellers and N buyers
Mth-price, (M+1)st price
Generalized Vickrey Auctions
Agents report utilities, center calculates allocation
Sell multiple units where U-function depends of number received
FCC spectrum auctions
Several rounds

**28. **Other Mechanisms Other global problem mechanisms can be used where there is no trust in the center
Groves-Clarke
Public good is produced if valuation sum is higher than a threshold
Elicit opinions from group of experts
Accept majority opinion
GOAL: keep votes private from voters and center
Stable matching
Computer dating service
GOAL: privacy from center