Privacy Preserving Auctions and Mechanism Design

Privacy Preserving Auctions and Mechanism Design

Moni NaorMoni Naor

Benny PinkasBenny Pinkas

Reuben SumnerReuben Sumner

Presented by: Raffi Margaliot

Agenda

MotivationMotivation Architecture & EntitiesArchitecture & Entities High Level Protocol DescriptionHigh Level Protocol Description Cryptographic ToolsCryptographic Tools Secure Computation of AuctionsSecure Computation of Auctions Overhead CalculationOverhead Calculation

English Auction Ascending, open-cry.Ascending, open-cry. Most popular type of auction on the Most popular type of auction on the

internet.internet. Drawbacks:Drawbacks:

Many rounds.Many rounds. Over a long period of time.Over a long period of time.

Solution:Solution: Vickrey auction.Vickrey auction.

Vickrey Auction Second price sealed bid auction.Second price sealed bid auction.

All bidders send their bids.All bidders send their bids. The winner is the highest bidder.The winner is the highest bidder. The winner pays second highest bid.The winner pays second highest bid.

Advantages:Advantages: Bidding true value is dominant strategy.Bidding true value is dominant strategy. Simulates open cry ascending (English) Simulates open cry ascending (English)

auction in a single round.auction in a single round. Why aren’t Vickrey auctions more popular?Why aren’t Vickrey auctions more popular?

Major problem if Auctioneer is corrupt...Major problem if Auctioneer is corrupt...

Vickery: Corrupt Auctioneer

How can bidders verify that auctions is begin How can bidders verify that auctions is begin conducted properly?conducted properly?

Can be solved if the value of the bids could be Can be solved if the value of the bids could be hidden until bidding closes, preventing a corrupt hidden until bidding closes, preventing a corrupt auctioneer from manipulating auction results.auctioneer from manipulating auction results.

eSleaze.com

I bid $900

I bid $1000

You win, pay $999

On the Next Day… One day:One day:

You bid $1000You bid $1000 win and pay $600win and pay $600

On the next day, On the next day, another auction for same item:another auction for same item: You bid $1000You bid $1000 win and required to pay $999…win and required to pay $999…

Suspicion: Suspicion: eSleaze used previous day’s bid to eSleaze used previous day’s bid to raise up clearing priceraise up clearing price

How to let the auctioneer learn as little How to let the auctioneer learn as little information as is essential to conduct the information as is essential to conduct the auction?auction?

Hal Varian Quote

““even if current information can be even if current information can be safeguarded, records of past behavior can safeguarded, records of past behavior can be extremely valuable, since historical data be extremely valuable, since historical data can be used to estimate the willingness to can be used to estimate the willingness to pay. What should be the appropriate pay. What should be the appropriate technologicaltechnological and social safeguards to deal and social safeguards to deal with this problem?”with this problem?”

This work: This work: technologicaltechnological safeguards safeguards

Mechanism Design

Design of protocols for selfish parties.Design of protocols for selfish parties. The goal of a protocols is to aggregate The goal of a protocols is to aggregate

preferences to determine some “social choice.”preferences to determine some “social choice.” Model:Model:

Each party has a utility function expressing its Each party has a utility function expressing its valuation of each possible outcome of the valuation of each possible outcome of the protocol.protocol.

Sends information based on it.Sends information based on it. Goal:Goal: design the protocol so that it is not design the protocol so that it is not

beneficial to cheat.beneficial to cheat.

The Revelation Principle ““there exists an equivalent mechanism in which there exists an equivalent mechanism in which

the optimal strategy for each party is to report its the optimal strategy for each party is to report its true utility function.true utility function.””

Example: Vickrey auction.Example: Vickrey auction. Problems with applying revelation principle:Problems with applying revelation principle:

The center may be corrupt and misuse the The center may be corrupt and misuse the truthful bids it receives.truthful bids it receives.

Utility function contains Utility function contains sensitivesensitive information. information. Participants might Participants might cheatcheat simply to avoid leaking simply to avoid leaking

this information.this information.

Security & Privacy Requirements

Auctioneer only learns:Auctioneer only learns: Who is the highest bidder.Who is the highest bidder. Clearing price: second highest bid.Clearing price: second highest bid. Should be able to prove that auction was Should be able to prove that auction was

conducted properly, while hiding bids from conducted properly, while hiding bids from bidders.bidders.

Does not learn:Does not learn: Highest bid.Highest bid. Who is second highest bidder.Who is second highest bidder. What are the other bids.What are the other bids.

This Work

Achieves the requested security and Achieves the requested security and privacy requirements.privacy requirements.

Without any third party that:Without any third party that:Is fully trusted.Is fully trusted.Takes an active part in the auction.Takes an active part in the auction.

Agenda


Architecture

BiddersBiddersAuctioneersAuctioneers

Auction Auction IssuerIssuer

Entity Types

Bidders:Bidders: One or several bidders wish to sell items.One or several bidders wish to sell items. Remaining bidders interested in buying the Remaining bidders interested in buying the

items.items. Auctioneer:Auctioneer: Runs the show. Runs the show.

Advertises the auction.Advertises the auction. Receives the bids from the bidders.Receives the bids from the bidders. Communicates with the auction issuer.Communicates with the auction issuer. Computes the output of the protocol.Computes the output of the protocol. Can be one of the bidders.Can be one of the bidders.

Entity Types

Auction issuer:Auction issuer: Runs in the background and ensures that Runs in the background and ensures that

the auctions are executed properly.the auctions are executed properly. Responsible for “coding the program” that Responsible for “coding the program” that

computes the output of the protocol so as computes the output of the protocol so as to preserver privacy.to preserver privacy.

Supply this program to the auctioneer.Supply this program to the auctioneer. Does not interact with bidders.Does not interact with bidders. Can provide programs for many auctions Can provide programs for many auctions

carried out by many auctioneers.carried out by many auctioneers.

Trust and Security

Only a coalition of the Only a coalition of the AuctioneerAuctioneer andand the the Auction IssuerAuction Issuer can compromise: can compromise: Proper working of auctionProper working of auction Bidders privacyBidders privacy

All other coalitions gain no more information All other coalitions gain no more information than in the ideal modelthan in the ideal model

Bidder’sPrivacy

Properties

BiddersBidders communicate only with communicate only with Auctioneer.Auctioneer. BiddersBidders send a single message. send a single message. Auction IssuerAuction Issuer performs a single, one-round performs a single, one-round

interaction with the interaction with the Auctioneer.Auctioneer. Public Key of the Public Key of the Auction IssuerAuction Issuer is known to is known to

the the BiddersBidders, no other PKI required., no other PKI required.

Agenda


Auction Is Published

AuctioneerAuctioneer publishes the details of the auction: publishes the details of the auction: Rules for selection of winner.Rules for selection of winner. Closing time.Closing time. Auction IssuerAuction Issuer supporting the auction. supporting the auction.

Bidders Submit Bids

BiddersBidders submit submit encryptedencrypted bids to the bids to the AuctioneerAuctioneer.. The The AIAI can decrypt part of encryption, but even it can decrypt part of encryption, but even it

can not discover the actual bids.can not discover the actual bids.

AI Generates Program The The AIAI generates a program to compute the output of the generates a program to compute the output of the

auction.auction. It generates a circuit composed of Boolean gates such as It generates a circuit composed of Boolean gates such as

AND, OR and NOT that performs this task and then AND, OR and NOT that performs this task and then ``garbles'' the circuit.``garbles'' the circuit.

The The AuctioneerAuctioneer forwardsforwards portions of the bids to the portions of the bids to the AIAI, , which decrypts the bids and uses them to compute which decrypts the bids and uses them to compute ``garbled inputs'' to the circuit.``garbled inputs'' to the circuit.

It It sendssends the circuit and the inputs to the the circuit and the inputs to the AuctioneerAuctioneer, along , along with a signed translation table that ``decrypts'' the output with a signed translation table that ``decrypts'' the output of the circuit.of the circuit.

And the Winner Is… The The AuctioneerAuctioneer uses the garbled inputs and the uses the garbled inputs and the

encrypted circuit to compute the output of the encrypted circuit to compute the output of the circuit.circuit.

It publishes the result and the signed translation It publishes the result and the signed translation table received from the table received from the AI.AI.

And the winner is…

Related Work - Cryptography

Secure multi-party computation:Secure multi-party computation: [GMW,BGW]. [GMW,BGW]. Compute any f(XCompute any f(X11,…,X,…,Xnn), where X), where Xii known only known only

to party i.to party i. Parties learn nothing but final output.Parties learn nothing but final output.

DrawbacksDrawbacks:: High interactivity between all parties High interactivity between all parties

(bidders…).(bidders…). Considerable computational overhead.Considerable computational overhead. Secure against coalitions of at most 1/3.Secure against coalitions of at most 1/3.

Related Work - Auctions Distribute the Distribute the AuctioneerAuctioneer into many servers into many servers

[FR,HTK].[FR,HTK]. DrawbacksDrawbacks::

High interactivity between servers.High interactivity between servers. All servers controlled by All servers controlled by AuctioneerAuctioneer, security , security

only if not too many of the collude.only if not too many of the collude. Not robust to changes in auction.Not robust to changes in auction.

This work:This work: Single roundSingle round between Auctioneer and AI. between Auctioneer and AI. Security against Security against any coalitionany coalition of of BiddersBidders and and AuctioneerAuctioneer or or

AIAI.. General, full control of what each party learns.General, full control of what each party learns. BiddersBidders privacy preserved privacy preserved afterafter the auction ended.the auction ended.

Agenda


Cryptographic Tools

Pseudo-random functions (block ciphers)Pseudo-random functions (block ciphers) Digital SignaturesDigital Signatures Garbled CircuitsGarbled Circuits Proxy-Oblivious TransferProxy-Oblivious Transfer

Garbled Circuits [Yao] Two party protocolTwo party protocol Input:Input:

Sender (Sender (AIAI): Function ): Function FF,as a ,as a combinatorial circuitcombinatorial circuit

Receiver (Receiver (AuctioneerAuctioneer):): xx Output:Output:

Receiver: Receiver: FF((xx) , and no knowledge of ) , and no knowledge of FF Sender: no knowledge of Sender: no knowledge of xx

Garbled Circuits [Yao] InitializationInitialization::

Sender assigns random (garbled) values to the Sender assigns random (garbled) values to the 0/1 values of each wire0/1 values of each wire

Constructs a table for every gate,Constructs a table for every gate, s.t. given s.t. given garbled values of input wires enables to garbled values of input wires enables to compute garbled values of output wire, and compute garbled values of output wire, and nothing else nothing else

Computation:Computation: Receiver obtains garbled values of input wires Receiver obtains garbled values of input wires

of circuit, and propagates them to the output of circuit, and propagates them to the output wireswires

i j

k

00011011

Wi0,Wi

1 Wj0,Wj

1

Wk0,Wk

1

Table enables to compute garbled output value of gate from garbled input values, using two applications of a Pseudo-Random Function

WiBi,WjBj WkG(Bi,Bj)

Table entries: ( Bi,Bj {0,1})

[ WkG(Bi,Bj) + FWiBi(Cj) + FWjBj(Ci) ] garbled output PRF keyed by garbled inputs

G

Garbling a Gate

Garbling a Circuit

Sender assigns garbled values to each wire. Prepares a table for every gate. Sends to receiver. When receiver obtains garbled input values,

propagates them through circuit, until able to compute garbled output values.

Overhead depends on circuit size. For binary circuits: size of tables: 4|C|. computing the result: 2|C| PRF applications.

Proxy Oblivious Transfer Input:Input:

SenderSender: : 2 secrets M2 secrets M00MM11 (garbled input (garbled input values).values).

ChooserChooser: : b {0,1} (input bit).(input bit). ProxyProxy: : nothing.nothing.

Output:Output: SenderSender:: nothing.nothing. ChooserChooser: : nothing.nothing. ProxyProxy: : MMb b (garbled value of input bit).(garbled value of input bit).

Sender and Proxy do not learn b, the input bit.Sender and Proxy do not learn b, the input bit.

Proxy Oblivious TransferBased on Hardness of Discrete Log

SenderSender and and ChooserChooser agree on a large cyclic agree on a large cyclic group group GgGg, a generator , a generator gg, and a random , and a random constant constant cc Gg

ChooserSelects a random r, 0 < r <|Gg|Sets PKb = gr, PK1-b = c / PKb

Sends PK0 to SenderSends r to Proxy

Proxy Oblivious TransferBased on Hardness of Discrete Log

SenderSender Computes: PK1 = c / PK0

Computes: EPK0(C(M0)), EPK1(C(M1))

C( ) is an error correction codeEPK is El Gamal encryption

Permutes and sends to Proxy Proxy knows private key r and can decrypt Mb

Security: Chooser can’t know discrete log of both PK0 and PK1

Overhead: O(1) exponentiations

Agenda


Secure Computation of Auctions

The Auction Issuer prepares a circuit that The Auction Issuer prepares a circuit that computes the result of the auction, and garbles it.computes the result of the auction, and garbles it.

The The AuctioneerAuctioneer publishes the auction. publishes the auction. Each Each BidderBidder, in parallel, engages in , in parallel, engages in ProxyProxy

oblivious transfer for each bit of his bid. This oblivious transfer for each bit of his bid. This reveals to the reveals to the AuctioneerAuctioneer the garbled value of this the garbled value of this bit.bit.

Auction IssuerAuction Issuer sends to sends to AuctioneerAuctioneer the gates the gates tables, and a translation table from garbled output tables, and a translation table from garbled output values.values.

AuctioneerAuctioneer computes result of auction. computes result of auction.

Secure Computation of Auctions Function for Vickrey auction:Function for Vickrey auction:

Bids Bids XX11,…,,…,XXnn. Each bid. Each bid LL bits bits FF((XX11,…,,…,XXnn)) = (= (ii,,pp) where) where i i = max (= max (XX11,…,,…,XXnn),),

p p == max (max (XX11,…,,…,XXi-1i-1,,XXi+1i+1,…,,…,XXnn)) Garbling the circuit: Garbling the circuit: Auction IssuerAuction Issuer

Constructs a circuit Constructs a circuit CC forfor FF, garbles it to , garbles it to generate generate C’C’

For every For every outputoutput wire wire kk ofof CC, signs a translation , signs a translation table table [b,G(W[b,G(Wkk

bb)])] (G 1-way)(G 1-way) Sends Sends C’C’ + translation+ translation to to AuctioneerAuctioneer

AuctioneerAuctioneer publishes auction:publishes auction: terms, public key of issuerterms, public key of issuer

Secure Computation of Auctions Coding the input:Coding the input:

Each Each BidderBidder ii engages in proxy OT for each bit engages in proxy OT for each bit of of XXii = = XXii

11… X… XiiLL

MMijij(0), (0), MMijij(1)(1) garbled values for wire garbled values for wire XXiijj

AuctionAuction IssuerIssuer is the sender: { is the sender: { MMijij(0), (0), MMijij(1)(1) } } BidderBidder is chooser: input is chooser: input XXii

jj

AuctioneerAuctioneer is proxy: learns is proxy: learns MMijij (X(Xiijj))

Computing the output: Computing the output: AuctioneerAuctioneer takes takes C’C’ and and

{ { MMijij ( X( Xiij j ) ) }} i=1..N, j=1..Li=1..N, j=1..L , computes garbled output , computes garbled output values, and translatesvalues, and translates

Verification: Verification: BiddersBidders use translation tables to use translation tables to verifyverify

Optimizations

Auction IssuerAuction Issuer can prepare the garbled can prepare the garbled circuit in advance, and send it offlinecircuit in advance, and send it offline

Optimize circuitOptimize circuit Optimize proxy OT Optimize proxy OT

optimize communication patternoptimize communication pattern trade computation for bandwidthtrade computation for bandwidth

Proxy Oblivious TransferCommunication PatternNaive:Naive:

1 Decryption Key

1 Decryption Key Encryptions

Encryptions

2 Encryption Keys2 Encryption Keys

Proxy Oblivious TransferCommunication PatternBetter: Bidders communicate only with AuctioneerBetter: Bidders communicate only with Auctioneer

1 Decryption Key1 Decryption KeyEncryptionsEncryptions

2 Encryption Keys2 Encryption Keys2 Encryption Keys2 Encryption Keys

Agenda


Overhead - Example

Assume: Assume: NN == 10001000 biddersbidders LL == 2020 bits (bits (1,000,0001,000,000 possible bids) possible bids)

Communication: Communication: Smart circuit for Vickrey auctions Smart circuit for Vickrey auctions (non binary wires and gates)(non binary wires and gates) |C| |C| = = O(NL)O(NL)

aboutabout 5NL5NL gates gates25NL25NL table entries (4 table entries (4MBMB))

Overhead - Computation Main computation overhead:Main computation overhead: Proxy Oblivious TransferProxy Oblivious Transfer

Invocation for every input bitInvocation for every input bit PPIIII: 20 exponentiations per sec: 20 exponentiations per sec

Parties:Parties: Bidder:Bidder: 20 OT = 5 exp 20 OT = 5 exp ( 0.25 sec)( 0.25 sec) Auctioneer,Auctioneer, AIAI (total): 20000 OT = 5000 (total): 20000 OT = 5000

exp exp (250 sec)(250 sec) Circuit computation is negligible:Circuit computation is negligible:

O(|C|)O(|C|) applications of PRF applications of PRF

Prototype Implementation

1500 lines of Python code 800 lines of C for encryption and PRFs Exponentiations coded in assembler Optimized the circuit computing 2nd price

auction Optimized the proxy oblivious transfer

protocol

Other Auctions and Mechanisms

Main constraint - circuit size.Main constraint - circuit size. K’th price auctions.K’th price auctions.

circuit size O(NL+KL).circuit size O(NL+KL). good for double auctions.good for double auctions. good for risk seekers?good for risk seekers?

Generalized Vickrey auctionGeneralized Vickrey auction -- participants report participants report utility function. Bottleneck - circuit size.utility function. Bottleneck - circuit size.

Groves ClarkeGroves Clarke - sum of reported values should be - sum of reported values should be greater than threshold - efficient circuit.greater than threshold - efficient circuit.

And many more…And many more…

Further Work ImplementationImplementation Distribute the Auction IssuerDistribute the Auction Issuer

Better securityBetter security Reduce loadReduce load Seems hard: a k-out-of-n access structure of Seems hard: a k-out-of-n access structure of

Auction Issuer serversAuction Issuer servers Possible: split on-line workPossible: split on-line work

one party prepares the circuitone party prepares the circuitseveral servers act as the Auction Issuerseveral servers act as the Auction Issuer

Documents

Privacy Preserving Auctions and Mechanism Design