Loading in 5 sec....

Achieving Fairness in Private Contract NegotiationPowerPoint Presentation

Achieving Fairness in Private Contract Negotiation

- 145 Views
- Updated On :

Achieving Fairness in Private Contract Negotiation. Keith Frikken and Mikhail Atallah Purdue University March 2, 2005. Overview. Introduction/Motivation Related Work Framework Protocols Extensions Summary. Overview. Introduction/Motivation Related Work Framework Protocols

Related searches for

Download Presentation
## PowerPoint Slideshow about '' - Thomas

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Achieving Fairness in Private Contract Negotiation

Keith Frikken and Mikhail Atallah

Purdue University

March 2, 2005

Introduction

- Alice and Bob wish to negotiate a contract
- Contract consists of many clauses
- How to distribute revenue
- Where are specific tasks performed

- Alice and Bob have constraints on the acceptability of a clause
- Naïve solution:
- Alice and Bob reveal constraints to one another
- Reveals unnecessary information

FC 2005

Goals

- Alice and Bob would like to create a protocol that determines an agreement that is:
- Valid: satisfies both party’s constraints
- Fair: neither party can control the outcome
- Efficient: No clause is replaceable by another that is better for both parties
- Semi-honest (Honest but Curious)

FC 2005

Related Work

- Automated Negotiations
- [Grosof et al, 1999]
- [Governatori et al, 2000]

- Secure Protocols
- [Yao, 1982]
- [Yao, 1986]
- [Goldreich et al, 1987]
- [Katz and Ostrovsky, 2004]
- [Malkhi et al, 2004]

- Secure Protocols for Set Intersection
- [Freedman et al, 2004]

FC 2005

Building Blocks

- Homomorphic Encryption:
- E(x)*E(y)=E(x+y)
- E(x)y=E(xy)
- Semantic Security
- [Paillier, 1999] and [Damgård and Jurik, 2001]

- Secure Circuit Evaluation
- [Yao, 1986]
- Any 2-ary circuit with m gates and n inputs can be evaluated securely with:
- O(m) communication and pseudo-random functions
- O(n) 1-out-of-2 OTs
- O(1) rounds

FC 2005

Framework

- A clause is a public set S={s0,…,sN-1}
- Alice (Bob) have constraints on the acceptability of a clause, represented by AS (BS)
- A term xS is acceptable if xA∩B
- A clause is satisfiable if A∩B≠

FC 2005

Framework(cont.)

- A negotiation is a set of clauses S0,…,Sk-1
- A negotiation is satisfiable if all of its terms are satisfiable
- A contract is a sequence of terms x0,…,xk-1 (where xiSi)
- A contract is valid if all terms are acceptable to all parties

FC 2005

Protocol Template

- Two Parts:
- Protocol for determining if a clause is satisfiable
- Protocols for computing a fair agreement (where neither party has control)

- Extend these to the negotiation level
- Satisfiability: Conjunction
- Valid: Can compute independently

FC 2005

Protocol for Satisfiability

- Trivial reduction from Set Disjointness (i.e., a clause is satisifiable if the sets are not disjoint)
- Suppose Alice forms a list of binary values a0,…,aN-1 where ai is true is Alice finds the ith term acceptable
- Bob similarly forms b0,…,bN-1
- Equivalent to i=0 to N-1 (ai bi)
- Easily evaluated with a circuit with O(N) gates and O(N) inputs

FC 2005

Finding a fair term

- Input: Alice has binary values a0,…,aN-1 and Bob has b0,…,bN-1. It is known that i such that aibi. Furthermore, Alice and Bob have exchanged semantically-secure homomorphic encryption systems EA and EB
- Output: An index j such that ajbj and where neither Alice or Bob can control outcome
- Semi-honest OT reduces to this problem
- Circuit Complexity:
- Both parties input permutations into the circuit which then permutes values (using composition of permutations) and then choose first agreement
- O(N log N) input (unless using pseudorandom permutation)
- O(N2) gates

- Our protocol’s goal: O(N) modular exponentiations and O(N) communication

FC 2005

Step 1 of Simplified Protocol

- Input: Alice has binary values a0,…,aN-1 and Bob has b0,…,bN-1. It is known that i such that aibi.
- Output: Bob learns EA(a0b0),…,EA(aN-1bN-1)
- Step:
- Alice sends to Bob EA(a0),…,EA(aN-1)
- For each value bi, Bob does:
- If bi=0, output EA(0)
- If bi=1, output EA(ai)EA(0)

FC 2005

Step 2 of Simplified Protocol

- Input: Bob has EA(a0b0),…, EA(aN-1bN-1) and has a permutation ΠB
- Output: Alice learns EB(a0b0),…, EB(aN-1bN-1) permuted with ΠB
- Steps:
- Bob permutes his input with ΠB
- For each item EA(aibi) in the list:
- Bob chooses a random value ri from {0,1}
- If ri=0, he sets γi to EA(aibi), otherwise he γi sets it to EA(aibi)-1EA(1) (i.e., EA(1-(aibi))=EA(⌐(aibi)))
- He sends Alice the ordered triple (γi,EB(ri),EB(1-ri))

- For each triple (γi,EB(ri),EB(1-ri)):
- Alice computes j=DA(γi)
- If j=0 she sets her output to be EB(ri)
- Otherwise sets her output to be EB(1-ri)

FC 2005

Step 3 of Simplified Protocol

- Input: Alice has EB(a0b0),…, EB(aN-1bN-1) permuted with ΠB, and she has two permutations Π’ and Π’’
- Output: Bob gets a list of items permuted with Π’’Π’ΠB where one of them is marked as the agreement
- Steps:
- Alice permutes the items with Π’ (call this list α0,…,αN-1)
- Alice computes a sequence of values: β0,…, βN-1, where β0=α0, and βi= αi*(βi-1)2
- She computes a sequence of values: θ0,…, θN-1, where θi=(βi*EB(-1))q[i] where q[i] is a randomly chosen value
- Alice permutes these values with Π’’ and sends them to Bob along with Π’’Π’
- Bob decrypts the values and chooses the one that is 0 and computed the original index by inverting the permutations.

FC 2005

Expressing Preferences

- Alice and Bob assign a utility to each possible term (denoted by UA(x) and UB(x)) – assume utilities are distinct
- A term t1 is inefficient if a term t2 such that UA(t1)<UA(t2) and UB(t1)<UB(t2)
- An efficient term is Pareto optimal
- Desirable to only choose efficient terms
- Set Disjointness reduces to finding a fair and efficient term

FC 2005

Other Extensions

- Interactive Negotiation
- Feedback
- Engage in the protocol several times relaxing constratints

- Sparse sets: creating protocols with communication proportional to |A|+|B|
- Dependent Clauses
- Combine dependent clauses into a “super”-clause

FC 2005

Summary

- Introduce framework for contract negotiation
- Introduced protocols for finding valid, fair, and efficient contracts
- Future Work
- Dependent Clauses
- Multiple parties
- Malicious Adversary Model
- Multiple Negotiations with Inter-Clause Dependencies
- Other negotiation strategies

FC 2005

Acknowledgements

- Anonymous Reviewers
- Gov’t
- NSF5, ONR, AFRL

- Industry
- Intel, Motorola, HP + the corporate sponsors of CERIAS

- Foundation
- Lilly Endowment

- Purdue
- CERIAS, Discovery Park

FC 2005

Download Presentation

Connecting to Server..