Achieving Fairness in Private Contract Negotiation

Achieving Fairness in Achieving Fairness in Private Contract Private Contract

NegotiationNegotiation

Keith Frikken and Mikhail Keith Frikken and Mikhail AtallahAtallah

Purdue UniversityPurdue University

March 2, 2005March 2, 2005

FC 2005FC 2005

OverviewOverview

Introduction/MotivationIntroduction/Motivation Related WorkRelated Work FrameworkFramework ProtocolsProtocols ExtensionsExtensions SummarySummary

FC 2005FC 2005

OverviewOverview


FC 2005FC 2005

IntroductionIntroduction

Alice and Bob wish to negotiate a contractAlice and Bob wish to negotiate a contract Contract consists of many clausesContract consists of many clauses

How to distribute revenueHow to distribute revenue Where are specific tasks performedWhere are specific tasks performed

Alice and Bob have constraints on the Alice and Bob have constraints on the acceptability of a clauseacceptability of a clause

Naïve solution:Naïve solution: Alice and Bob reveal constraints to one anotherAlice and Bob reveal constraints to one another Reveals unnecessary information Reveals unnecessary information

FC 2005FC 2005

GoalsGoals

Alice and Bob would like to create a Alice and Bob would like to create a protocol that determines an agreement protocol that determines an agreement that is:that is:

ValidValid: satisfies both party’s constraints: satisfies both party’s constraints FairFair: neither party can control the outcome: neither party can control the outcome EfficientEfficient: No clause is replaceable by : No clause is replaceable by

another that is better for both partiesanother that is better for both parties Semi-honest (Honest but Curious)Semi-honest (Honest but Curious)

FC 2005FC 2005

OverviewOverview


FC 2005FC 2005

Related WorkRelated Work

Automated NegotiationsAutomated Negotiations [Grosof et al, 1999][Grosof et al, 1999] [Governatori et al, 2000][Governatori et al, 2000]

Secure ProtocolsSecure Protocols [Yao, 1982][Yao, 1982] [Yao, 1986][Yao, 1986] [Goldreich et al, 1987][Goldreich et al, 1987] [Katz and Ostrovsky, 2004][Katz and Ostrovsky, 2004] [Malkhi et al, 2004][Malkhi et al, 2004]

Secure Protocols for Set Intersection Secure Protocols for Set Intersection [Freedman et al, 2004][Freedman et al, 2004]

FC 2005FC 2005

Building BlocksBuilding Blocks

Homomorphic Encryption:Homomorphic Encryption: E(x)*E(y)=E(x+y)E(x)*E(y)=E(x+y) E(x)E(x)yy=E(xy)=E(xy) Semantic SecuritySemantic Security [Paillier, 1999] and [Damg[Paillier, 1999] and [Damgård and Jurik, 2001]ård and Jurik, 2001]

Secure Circuit EvaluationSecure Circuit Evaluation [Yao, 1986][Yao, 1986] Any 2-ary circuit with m gates and n inputs can Any 2-ary circuit with m gates and n inputs can

be evaluated securely with:be evaluated securely with: O(m) communication and pseudo-random functionsO(m) communication and pseudo-random functions O(n) 1-out-of-2 OTsO(n) 1-out-of-2 OTs O(1) roundsO(1) rounds

FC 2005FC 2005

OverviewOverview


FC 2005FC 2005

FrameworkFramework

A A clause clause is a public set S={sis a public set S={s00,…,s,…,sN-1N-1}} Alice (Bob) have Alice (Bob) have constraintsconstraints on the on the

acceptability of a clause, represented acceptability of a clause, represented by Aby AS (BS (BS)S)

A term xA term xS is S is acceptableacceptable if x if xAA∩B∩B A clause is A clause is satisfiablesatisfiable if A∩B≠ if A∩B≠

FC 2005FC 2005

Framework(cont.)Framework(cont.)

A A negotiationnegotiation is a set of clauses S is a set of clauses S00,…,S,…,Sk-k-

11

A negotiation is A negotiation is satisfiablesatisfiable if all of its if all of its terms are satisfiableterms are satisfiable

A contract is a sequence of terms xA contract is a sequence of terms x00,,…,x…,xk-1k-1 (where x (where xiiSSii))

A contract is valid if all terms are A contract is valid if all terms are acceptable to all partiesacceptable to all parties

FC 2005FC 2005

OverviewOverview


FC 2005FC 2005

Protocol TemplateProtocol Template

Two Parts:Two Parts: Protocol for determining if a clause is Protocol for determining if a clause is

satisfiablesatisfiable Protocols for computing a fair agreement Protocols for computing a fair agreement

(where neither party has control)(where neither party has control) Extend these to the negotiation levelExtend these to the negotiation level

Satisfiability: ConjunctionSatisfiability: Conjunction Valid: Can compute independentlyValid: Can compute independently

FC 2005FC 2005

Protocol for SatisfiabilityProtocol for Satisfiability

Trivial reduction from Set Disjointness (i.e., a Trivial reduction from Set Disjointness (i.e., a clause is satisifiable if the sets are not clause is satisifiable if the sets are not disjoint)disjoint)

Suppose Alice forms a list of binary values Suppose Alice forms a list of binary values aa00,…,a,…,aN-1N-1 where a where aii is true is Alice finds the ith is true is Alice finds the ith term acceptableterm acceptable

Bob similarly forms bBob similarly forms b00,…,b,…,bN-1N-1

Equivalent to Equivalent to i=0 to N-1i=0 to N-1 (a (aii b bii)) Easily evaluated with a circuit with O(N) Easily evaluated with a circuit with O(N)

gates and O(N) inputs gates and O(N) inputs

FC 2005FC 2005

Finding a fair termFinding a fair term

Input: Alice has binary values aInput: Alice has binary values a00,…,a,…,aN-1N-1 and Bob has b and Bob has b00,…,b,…,bN-N-

11. It is known that . It is known that i such that ai such that aiibbii. Furthermore, Alice and . Furthermore, Alice and Bob have exchanged semantically-secure homomorphic Bob have exchanged semantically-secure homomorphic encryption systems Eencryption systems EAA and E and EBB

Output: An index j such that aOutput: An index j such that ajjbbjj and where neither Alice or and where neither Alice or Bob can control outcomeBob can control outcome

Semi-honest OT reduces to this problemSemi-honest OT reduces to this problem Circuit Complexity:Circuit Complexity:

Both parties input permutations into the circuit which then Both parties input permutations into the circuit which then permutes values (using composition of permutations) and then permutes values (using composition of permutations) and then choose first agreementchoose first agreement

O(N log N) input (unless using pseudorandom permutation)O(N log N) input (unless using pseudorandom permutation) O(NO(N22) gates) gates

Our protocol’s goal: O(N) modular exponentiations and O(N) Our protocol’s goal: O(N) modular exponentiations and O(N) communicationcommunication

FC 2005FC 2005

Step 1 of Simplified ProtocolStep 1 of Simplified Protocol

Input: Alice has binary values aInput: Alice has binary values a00,…,a,…,aN-1N-1 and Bob and Bob has bhas b00,…,b,…,bN-1N-1. It is known that . It is known that i such that ai such that aiibbi. i.

Output: Bob learns EOutput: Bob learns EAA(a(a00bb00),…,E),…,EAA(a(aN-1N-1bbN-1N-1))

Step:Step:

1.1. Alice sends to Bob EAlice sends to Bob EAA(a(a00),…,E),…,EAA(a(aN-1N-1))

2.2. For each value bFor each value bii, Bob does:, Bob does: If bIf bii=0, output E=0, output EAA(0)(0) If bIf bii=1, output E=1, output EAA(a(aii)E)EAA(0)(0)

FC 2005FC 2005


Input: Bob has EInput: Bob has EAA(a(a00bb00),…, E),…, EAA(a(aN-1N-1bbN-1N-1) and has a permutation ) and has a permutation ΠΠBB

Output: Alice learns EOutput: Alice learns EBB(a(a00bb00),…, E),…, EBB(a(aN-1N-1bbN-1N-1) permuted with ) permuted with ΠΠBB Steps:Steps:1.1. Bob permutes his input with Bob permutes his input with ΠΠBB

2.2. For each item For each item EEAA(a(aiibbii)) in the list: in the list: Bob chooses a random value rBob chooses a random value ri i from {0,1}from {0,1} If rIf rii=0, he sets =0, he sets γγi i to to EEAA(a(aiibbii), otherwise he ), otherwise he γγii sets it to sets it to

EEAA(a(aiibbii))-1-1EEAA(1) (i.e., E(1) (i.e., EAA(1-(a(1-(aiibbii))=E))=EAA((⌐(⌐(aaiibbii)))))) He sends Alice the ordered triple (He sends Alice the ordered triple (γγii,E,EBB(r(rii),E),EBB(1-r(1-rii))))

3.3. For each triple (For each triple (γγii,E,EBB(r(rii),E),EBB(1-r(1-rii)):)): Alice computes j=DAlice computes j=DAA((γγii)) If j=0 she sets her output to be EIf j=0 she sets her output to be EBB(r(rii) ) Otherwise sets her output to be EOtherwise sets her output to be EBB(1-r(1-rii))

FC 2005FC 2005


Input: Alice has EInput: Alice has EBB(a(a00bb00),…, E),…, EBB(a(aN-1N-1bbN-1N-1) permuted with ) permuted with ΠΠBB, , and she has two permutations and she has two permutations ΠΠ’ and ’ and ΠΠ’’’’

Output: Bob gets a list of items permuted with Output: Bob gets a list of items permuted with ΠΠ’’’’ΠΠ’’ΠΠBB where one of them is marked as the agreementwhere one of them is marked as the agreement

Steps:Steps:1.1. Alice permutes the items with Alice permutes the items with ΠΠ’ (call this list ’ (call this list αα00,…,,…,ααN-1N-1) ) 2.2. Alice computes a sequence of values: Alice computes a sequence of values: ββ00,…, ,…, ββN-1N-1, where , where

ββ00==αα00, and , and ββii= = ααii*(*(ββi-1i-1))22

3.3. She computes a sequence of values: She computes a sequence of values: θθ00,…, ,…, θθN-1N-1, where , where θθii=(=(ββii*E*EBB(-1))(-1))q[i]q[i] where q[i] is a randomly chosen value where q[i] is a randomly chosen value

4.4. Alice permutes these values with Alice permutes these values with ΠΠ’’ and sends them to ’’ and sends them to Bob along with Bob along with ΠΠ’’’’ΠΠ’’

5.5. Bob decrypts the values and chooses the one that is 0 and Bob decrypts the values and chooses the one that is 0 and computed the original index by inverting the permutations.computed the original index by inverting the permutations.

FC 2005FC 2005

OverviewOverview


FC 2005FC 2005

Expressing PreferencesExpressing Preferences

Alice and Bob assign a utility to each Alice and Bob assign a utility to each possible term (denoted by Upossible term (denoted by UAA(x) and U(x) and UBB(x)) (x)) – assume utilities are distinct– assume utilities are distinct

A term tA term t11 is inefficient if is inefficient if a term t a term t22 such such that Uthat UAA(t(t11)<U)<UAA(t(t22) and U) and UBB(t(t11)<U)<UBB(t(t22) )

An efficient term is Pareto optimalAn efficient term is Pareto optimal Desirable to only choose efficient termsDesirable to only choose efficient terms Set Disjointness reduces to finding a fair Set Disjointness reduces to finding a fair

and efficient termand efficient term

FC 2005FC 2005

Other ExtensionsOther Extensions

Interactive NegotiationInteractive Negotiation FeedbackFeedback Engage in the protocol several times relaxing Engage in the protocol several times relaxing

constratintsconstratints Sparse sets: creating protocols with Sparse sets: creating protocols with

communication proportional to |A|+|B|communication proportional to |A|+|B| Dependent ClausesDependent Clauses

Combine dependent clauses into a “super”-Combine dependent clauses into a “super”-clauseclause

FC 2005FC 2005

OverviewOverview


FC 2005FC 2005

SummarySummary

Introduce framework for contract negotiationIntroduce framework for contract negotiation Introduced protocols for finding valid, fair, Introduced protocols for finding valid, fair,

and efficient contracts and efficient contracts Future WorkFuture Work

Dependent ClausesDependent Clauses Multiple partiesMultiple parties Malicious Adversary ModelMalicious Adversary Model Multiple Negotiations with Inter-Clause Multiple Negotiations with Inter-Clause

DependenciesDependencies Other negotiation strategiesOther negotiation strategies

FC 2005FC 2005

AcknowledgementsAcknowledgements

Anonymous ReviewersAnonymous Reviewers Gov’tGov’t

NSFNSF55, ONR, AFRL, ONR, AFRL IndustryIndustry

Intel, Motorola, HP + the corporate sponsors of Intel, Motorola, HP + the corporate sponsors of CERIASCERIAS

FoundationFoundation Lilly EndowmentLilly Endowment

PurduePurdue CERIAS, Discovery ParkCERIAS, Discovery Park

Documents

Achieving Fairness in Private Contract Negotiation