1 / 46

Privacy Preserving Auctions and Mechanism Design

Privacy Preserving Auctions and Mechanism Design. Moni Naor Benny Pinkas Reuben Sumner. Presented by: Raffi Margaliot. Agenda. Motivation Architecture & Entities High Level Protocol Description Cryptographic Tools Secure Computation of Auctions Overhead Calculation. English Auction.

karah
Download Presentation

Privacy Preserving Auctions and Mechanism Design

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy Preserving Auctions and Mechanism Design Moni Naor Benny Pinkas Reuben Sumner Presented by: Raffi Margaliot

  2. Agenda • Motivation • Architecture & Entities • High Level Protocol Description • Cryptographic Tools • Secure Computation of Auctions • Overhead Calculation

  3. English Auction • Ascending, open-cry. • Most popular type of auction on the internet. • Drawbacks: • Many rounds. • Over a long period of time. • Solution: • Vickrey auction.

  4. Vickrey Auction • Second price sealed bid auction. • All bidders send their bids. • The winner is the highest bidder. • The winner pays second highest bid. • Advantages: • Bidding true value is dominant strategy. • Simulates open cry ascending (English) auction in a single round. • Why aren’t Vickrey auctions more popular? • Major problem if Auctioneer is corrupt...

  5. Vickery: Corrupt Auctioneer I bid $900 I bid $1000 You win, pay $999 eSleaze.com • How can bidders verify that auctions is begin conducted properly? • Can be solved if the value of the bids could be hidden until bidding closes, preventing a corrupt auctioneer from manipulating auction results.

  6. On the Next Day… • One day: • You bid $1000 • win and pay $600 • On the next day, another auction for same item: • You bid $1000 • win and required to pay $999… • Suspicion: eSleaze used previous day’s bid to raise up clearing price • How to let the auctioneer learn as little information as is essential to conduct the auction?

  7. Hal Varian Quote • “even if current information can be safeguarded, records of past behavior can be extremely valuable, since historical data can be used to estimate the willingness to pay. What should be the appropriate technological and social safeguards to deal with this problem?” • This work: technological safeguards

  8. Mechanism Design • Design of protocols for selfish parties. • The goal of a protocols is to aggregate preferences to determine some “social choice.” • Model: • Each party has a utility function expressing its valuation of each possible outcome of the protocol. • Sends information based on it. • Goal: design the protocol so that it is not beneficial to cheat.

  9. The Revelation Principle • “there exists an equivalent mechanism in which the optimal strategy for each party is to report its true utility function.” • Example: Vickrey auction. • Problems with applying revelation principle: • The center may be corrupt and misuse the truthful bids it receives. • Utility function contains sensitive information. • Participants might cheat simply to avoid leaking this information.

  10. Security & Privacy Requirements • Auctioneer only learns: • Who is the highest bidder. • Clearing price: second highest bid. • Should be able to prove that auction was conducted properly, while hiding bids from bidders. • Does not learn: • Highest bid. • Who is second highest bidder. • What are the other bids.

  11. This Work • Achieves the requested security and privacy requirements. • Without any third party that: • Is fully trusted. • Takes an active part in the auction.

  12. Agenda • Motivation • Architecture & Entities • High Level Protocol Description • Cryptographic Tools • Secure Computation of Auctions • Overhead Calculation

  13. Architecture Auction Issuer Auctioneers Bidders

  14. Entity Types • Bidders: • One or several bidders wish to sell items. • Remaining bidders interested in buying the items. • Auctioneer: Runs the show. • Advertises the auction. • Receives the bids from the bidders. • Communicates with the auction issuer. • Computes the output of the protocol. • Can be one of the bidders.

  15. Entity Types • Auction issuer: • Runs in the background and ensures that the auctions are executed properly. • Responsible for “coding the program” that computes the output of the protocol so as to preserver privacy. • Supply this program to the auctioneer. • Does not interact with bidders. • Can provide programs for many auctions carried out by many auctioneers.

  16. Trust and Security • Only a coalition of the Auctioneerand the Auction Issuer can compromise: • Proper working of auction • Bidders privacy • All other coalitions gain no more information than in the ideal model Bidder’s Privacy

  17. Properties • Bidders communicate only with Auctioneer. • Bidders send a single message. • Auction Issuer performs a single, one-round interaction with the Auctioneer. • Public Key of the Auction Issuer is known to the Bidders, no other PKI required.

  18. Agenda • Motivation • Architecture & Entities • High Level Protocol Description • Cryptographic Tools • Secure Computation of Auctions • Overhead Calculation

  19. Auction Is Published • Auctioneer publishes the details of the auction: • Rules for selection of winner. • Closing time. • Auction Issuer supporting the auction.

  20. Bidders Submit Bids • Bidders submit encrypted bids to the Auctioneer. • The AI can decrypt part of encryption, but even it can not discover the actual bids.

  21. AI Generates Program • The AI generates a program to compute the output of the auction. • It generates a circuit composed of Boolean gates such as AND, OR and NOT that performs this task and then ``garbles'' the circuit. • The Auctioneerforwards portions of the bids to the AI, which decrypts the bids and uses them to compute ``garbled inputs'' to the circuit. • It sends the circuit and the inputs to the Auctioneer, along with a signed translation table that ``decrypts'' the output of the circuit.

  22. And the Winner Is… • The Auctioneer uses the garbled inputs and the encrypted circuit to compute the output of the circuit. • It publishes the result and the signed translation table received from the AI. And the winner is…

  23. Related Work - Cryptography • Secure multi-party computation: [GMW,BGW]. • Compute any f(X1,…,Xn), where Xi known only to party i. • Parties learn nothing but final output. • Drawbacks: • High interactivity between all parties (bidders…). • Considerable computational overhead. • Secure against coalitions of at most 1/3.

  24. Related Work - Auctions • Distribute the Auctioneer into many servers [FR,HTK]. • Drawbacks: • High interactivity between servers. • All servers controlled by Auctioneer, security only if not too many of the collude. • Not robust to changes in auction. • This work: • Single round between Auctioneer and AI. • Security against any coalition of Bidders and Auctioneer or AI. • General, full control of what each party learns. • Bidders privacy preserved afterthe auction ended.

  25. Agenda • Motivation • Architecture & Entities • High Level Protocol Description • Cryptographic Tools • Secure Computation of Auctions • Overhead Calculation

  26. Cryptographic Tools • Pseudo-random functions (block ciphers) • Digital Signatures • Garbled Circuits • Proxy-Oblivious Transfer

  27. Garbled Circuits [Yao] • Two party protocol • Input: • Sender (AI): Function F,as a combinatorial circuit • Receiver (Auctioneer):x • Output: • Receiver: F(x) , and no knowledge of F • Sender: no knowledge of x

  28. Garbled Circuits [Yao] • Initialization: • Sender assigns random (garbled) values to the 0/1 values of each wire • Constructs a table for every gate,s.t. given garbled values of input wires enables to compute garbled values of output wire, and nothing else • Computation: • Receiver obtains garbled values of input wires of circuit, and propagates them to the output wires

  29. Garbling a Gate Wi0,Wi1 Wj0,Wj1 i j 00 01 10 G 11 k Wk0,Wk1 Table enables to compute garbled output value of gate from garbled input values, using two applications of a Pseudo-Random Function WiBi,WjBj WkG(Bi,Bj) Table entries:( Bi,Bj  {0,1}) [ WkG(Bi,Bj) + FWiBi(Cj) + FWjBj(Ci) ] garbled output PRF keyed by garbled inputs

  30. Garbling a Circuit • Sender assigns garbled values to each wire. • Prepares a table for every gate. • Sends to receiver. • When receiver obtains garbled input values, propagates them through circuit, until able to compute garbled output values. • Overheaddepends on circuit size. For binary circuits: • size of tables: 4|C|. • computing the result: 2|C| PRF applications.

  31. Proxy Oblivious Transfer • Input: • Sender: 2 secrets M0M1(garbled input values). • Chooser: b {0,1}(input bit). • Proxy: nothing. • Output: • Sender: nothing. • Chooser: nothing. • Proxy: Mb (garbled value of input bit). • Sender and Proxy do not learn b, the input bit.

  32. Proxy Oblivious TransferBased on Hardness of Discrete Log • Sender and Chooser agree on a large cyclic group Gg, a generator g, and a random constant c Gg • Chooser • Selects a random r, 0 < r <|Gg| • Sets PKb= gr, PK1-b = c / PKb • Sends PK0 to Sender • Sends r to Proxy

  33. Proxy Oblivious TransferBased on Hardness of Discrete Log • Sender • Computes: PK1 = c / PK0 • Computes: EPK0(C(M0)), EPK1(C(M1)) • C( ) is an error correction code • EPK is El Gamal encryption • Permutes and sends to Proxy • Proxyknows private key r and can decryptMb • Security: Chooser can’t know discrete log of both PK0andPK1 • Overhead: O(1) exponentiations

  34. Agenda • Motivation • Architecture & Entities • High Level Protocol Description • Cryptographic Tools • Secure Computation of Auctions • Overhead Calculation

  35. Secure Computation of Auctions • The Auction Issuer prepares a circuit that computes the result of the auction, and garbles it. • The Auctioneer publishes the auction. • Each Bidder, in parallel, engages in Proxy oblivious transfer for each bit of his bid. This reveals to the Auctioneer the garbled value of this bit. • Auction Issuer sends to Auctioneer the gates tables, and a translation table from garbled output values. • Auctioneer computes result of auction.

  36. Secure Computation of Auctions • Function for Vickrey auction: • Bids X1,…,Xn. Each bidL bits • F(X1,…,Xn)= (i,p) wherei = max (X1,…,Xn),p =max (X1,…,Xi-1,Xi+1,…,Xn) • Garbling the circuit: Auction Issuer • Constructs a circuit CforF, garbles it to generate C’ • For every output wire kofC, signs a translation table [b,G(Wkb)](G 1-way) • Sends C’+ translationto Auctioneer • Auctioneerpublishes auction: • terms, public key of issuer

  37. Secure Computation of Auctions • Coding the input: • Each Bidderi engages in proxy OT for each bit of Xi= Xi1… XiL • Mij(0), Mij(1) garbled values for wire Xij • AuctionIssuer is the sender: { Mij(0), Mij(1) } • Bidder is chooser: input Xij • Auctioneer is proxy: learns Mij(Xij) • Computing the output: Auctioneer takes C’ and { Mij( Xij ) }i=1..N, j=1..L, computes garbled output values, and translates • Verification: Bidders use translation tables to verify

  38. Optimizations • Auction Issuer can prepare the garbled circuit in advance, and send it offline • Optimize circuit • Optimize proxy OT • optimize communication pattern • trade computation for bandwidth

  39. Proxy Oblivious TransferCommunication Pattern Naive: 2 Encryption Keys Encryptions 1 Decryption Key

  40. Proxy Oblivious TransferCommunication Pattern Better: Bidders communicate only with Auctioneer 2 Encryption Keys 2 Encryption Keys 1 Decryption Key Encryptions

  41. Agenda • Motivation • Architecture & Entities • High Level Protocol Description • Cryptographic Tools • Secure Computation of Auctions • Overhead Calculation

  42. Overhead - Example • Assume: • N=1000bidders • L=20bits (1,000,000 possible bids) • Communication: Smart circuit for Vickrey auctions (non binary wires and gates) • |C| = O(NL) • about5NL gates • 25NL table entries (4MB)

  43. Overhead - Computation • Main computation overhead: Proxy Oblivious Transfer • Invocation for every input bit • PII: 20 exponentiations per sec • Parties: • Bidder: 20 OT = 5 exp ( 0.25 sec) • Auctioneer,AI (total): 20000 OT = 5000 exp (250 sec) • Circuit computation is negligible: • O(|C|) applications of PRF

  44. Prototype Implementation • 1500 lines of Python code • 800 lines of C for encryption and PRFs • Exponentiations coded in assembler • Optimized the circuit computing 2nd price auction • Optimized the proxy oblivious transfer protocol

  45. Other Auctions and Mechanisms • Main constraint - circuit size. • K’th price auctions. • circuit size O(NL+KL). • good for double auctions. • good for risk seekers? • Generalized Vickrey auction-participants report utility function. Bottleneck - circuit size. • Groves Clarke- sum of reported values should be greater than threshold - efficient circuit. • And many more…

  46. Further Work • Implementation • Distribute the Auction Issuer • Better security • Reduce load • Seems hard: a k-out-of-n access structure of Auction Issuer servers • Possible: split on-line work • one party prepares the circuit • several servers act as the Auction Issuer

More Related