Achieving Fairness in Private Contract Negotiation
Keith Frikken and Mikhail Atallah
Purdue University
March 2, 2005
FC 2005

Overview
- Introduction/Motivation
- Related Work
- Framework
- Protocols
- Extensions
- Summary

Introduction
- Alice and Bob wish to negotiate a contract
- Contract consists of many clauses
  - How to distribute revenue
  - Where are specific tasks performed
- Alice and Bob have constraints on the acceptability of a clause
- Naïve solution:
  - Alice and Bob reveal constraints to one another
  - Reveals unnecessary information

Goals
- Alice and Bob would like to create a protocol that determines an agreement that is:
  - Valid: satisfies both parties' constraints
  - Fair: neither party can control the outcome
  - Efficient: No clause is replaceable by another that is better for both parties
- Semi-honest (Honest but Curious)

Related Work
- Automated Negotiations
  - [Grosof et al, 1999]
  - [Governatori et al, 2000]
- Secure Protocols
  - [Yao, 1982]
  - [Yao, 1986]
  - [Goldreich et al, 1987]
  - [Katz and Ostrovsky, 2004]
  - [Malkhi et al, 2004]
- Secure Protocols for Set Intersection
  - [Freedman et al, 2004]

Building Blocks
- Homomorphic Encryption:
  - $E(x)*E(y)=E(x+y)$
  - $E(x)^y=E(xy)$
  - Semantic Security
  - [Paillier, 1999] and [Damgård and Jurik, 2001]
- Secure Circuit Evaluation
  - [Yao, 1986]
  - Any 2-ary circuit with m gates and n inputs can be evaluated securely with:
    - O(m) communication and pseudo-random functions
    - O(n) 1-out-of-2 OTs
    - O(1) rounds

Framework
- A clause is a public set $S=\{s_0,\ldots,s_{N-1}\}$
- Alice (Bob) have constraints on the acceptability of a clause, represented by $A$ $S$ ($B$ $S$)
- A term $x$ $S$ is acceptable if $x$ $A \cap B$
- A clause is satisfiable if $A \cap B \neq$

Framework (cont.)
- A negotiation is a set of clauses $S_0,\ldots,S_{k-1}$
- A negotiation is satisfiable if all of its terms are satisfiable
- A contract is a sequence of terms $x_0,\ldots,x_{k-1}$ (where $x_i$ $S_i$)
- A contract is valid if all terms are acceptable to all parties

Protocol Template
- Two Parts:
  - Protocol for determining if a clause is satisfiable
  - Protocols for computing a fair agreement (where neither party has control)
- Extend these to the negotiation level
  - Satisfiability: Conjunction
  - Valid: Can compute independently

Protocol for Satisfiability
- Trivial reduction from Set Disjointness (i.e., a clause is satisfiable if the sets are not disjoint)
- Suppose Alice forms a list of binary values $a_0,\ldots,a_{N-1}$ where $a_i$ is true if Alice finds the ith term acceptable
- Bob similarly forms $b_0,\ldots,b_{N-1}$
- Equivalent to i=0 to N-1 ($a_i$ $b_i$)
- Easily evaluated with a circuit with O(N) gates and O(N) inputs

Finding a fair term
- Input: Alice has binary values $a_0,\ldots,a_{N-1}$ and Bob has $b_0,\ldots,b_{N-1}$. It is known that i such that $a_i b_i$. Furthermore, Alice and Bob have exchanged semantically-secure homomorphic encryption systems $E_A$ and $E_B$
- Output: An index j such that $a_j b_j$ and where neither Alice nor Bob can control outcome
- Semi-honest OT reduces to this problem
- Circuit Complexity:
  - Both parties input permutations into the circuit which then permutes values (using composition of permutations) and then chooses first agreement
  - O(N log N) input (unless using pseudorandom permutation)
  - $O(N^2)$ gates
- Our protocol's goal: O(N) modular exponentiations and O(N) communication

Step 1 of Simplified Protocol
- Input: Alice has binary values $a_0,\ldots,a_{N-1}$ and Bob has $b_0,\ldots,b_{N-1}$. It is known that i such that $a_i b_i$.
- Output: Bob learns $E_A(a_0 b_0),\ldots,E_A(a_{N-1} b_{N-1})$
- Steps:
  1. Alice sends to Bob $E_A(a_0),\ldots,E_A(a_{N-1})$
  2. For each value $b_i$, Bob does:
     - If $b_i=0$, output $E_A(0)$
     - If $b_i=1$, output $E_A(a_i) E_A(0)$

Step 2 of Simplified Protocol
- Input: Bob has $E_A(a_0 b_0),\ldots,E_A(a_{N-1} b_{N-1})$ and has a permutation $\Pi_B$
- Output: Alice learns $E_B(a_0 b_0),\ldots,E_B(a_{N-1} b_{N-1})$ permuted with $\Pi_B$
- Steps:
  1. Bob permutes his input with $\Pi_B$
  2. For each item $E_A(a_i b_i)$ in the list:
     - Bob chooses a random value $r_i$ from {0,1}
     - If $r_i=0$, he sets $\gamma_i$ to $E_A(a_i b_i)$, otherwise he sets it to $E_A(a_i b_i)^{-1} E_A(1)$ (i.e., $E_A(1-(a_i b_i)) = E_A(\neg(a_i b_i))$)
     - He sends Alice the ordered triple $(\gamma_i, E_B(r_i), E_B(1-r_i))$
  3. For each triple $(\gamma_i, E_B(r_i), E_B(1-r_i))$:
     - Alice computes $j=D_A(\gamma_i)$
     - If j=0 she sets her output to be $E_B(r_i)$
     - Otherwise sets her output to be $E_B(1-r_i)$

Step 3 of Simplified Protocol
- Input: Alice has $E_B(a_0 b_0),\ldots,E_B(a_{N-1} b_{N-1})$ permuted with $\Pi_B$, and she has two permutations $\Pi'$ and $\Pi''$
- Output: Bob gets a list of items permuted with $\Pi''\Pi'\Pi_B$ where one of them is marked as the agreement
- Steps:
  1. Alice permutes the items with $\Pi'$ (call this list $\alpha_0,\ldots,\alpha_{N-1}$)
  2. Alice computes a sequence of values: $\beta_0,\ldots,\beta_{N-1}$, where $\beta_0=\alpha_0$, and $\beta_i=\alpha_i*(\beta_{i-1})^2$
  3. She computes a sequence of values: $\theta_0,\ldots,\theta_{N-1}$, where $\theta_i=(\beta_i*E_B(-1))^{q[i]}$ where q[i] is a randomly chosen value
  4. Alice permutes these values with $\Pi''$ and sends them to Bob along with $\Pi''\Pi'$
  5. Bob decrypts the values and chooses the one that is 0 and computes the original index by inverting the permutations.
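
Steps 1 to 3 run end to end, as an added example that is not code from the slides or the authors. It assumes a toy Paillier scheme with constructed demo primes standing in for E_A and E_B, reads a_i b_i as the product (AND) of the two bits, and simulates both parties in one function; the names `Paillier`, `fair_term`, `E_A` and `E_B` are this sketch's own.

```python
import secrets

rng = secrets.SystemRandom()

class Paillier:
    """Toy Paillier with g = n + 1; demo-sized primes, not for real use."""
    def __init__(self, p, q):
        self.n, self.n2 = p * q, (p * q) ** 2
        self.phi = (p - 1) * (q - 1)
        self.mu = pow(self.phi, -1, self.n)
    def enc(self, m):
        r = rng.randrange(2, self.n)
        return (1 + (m % self.n) * self.n) * pow(r, self.n, self.n2) % self.n2
    def dec(self, c):
        return (pow(c, self.phi, self.n2) - 1) // self.n * self.mu % self.n

# Constructed key pairs built from Mersenne primes (assumption of this sketch).
E_A = Paillier(2**61 - 1, 2**89 - 1)
E_B = Paillier(2**107 - 1, 2**127 - 1)

def fair_term(a, b, A=E_A, B=E_B):
    N = len(a)
    # Step 1: Bob turns E_A(a_i) into E_A(a_i b_i), read here as AND (assumption).
    from_alice = [A.enc(x) for x in a]
    prod = [from_alice[i] * A.enc(0) % A.n2 if b[i] else A.enc(0) for i in range(N)]
    # Step 2: Bob permutes with pi_B and flips each item with a random bit r;
    # Alice decrypts gamma and keeps E_B(r) or E_B(1-r), i.e. E_B(a_i b_i).
    pi_b = rng.sample(range(N), N)
    under_b = []
    for i in pi_b:
        r = rng.randrange(2)
        gamma = prod[i] if r == 0 else pow(prod[i], -1, A.n2) * A.enc(1) % A.n2
        triple = (gamma, B.enc(r), B.enc(1 - r))          # Bob -> Alice
        under_b.append(triple[1] if A.dec(triple[0]) == 0 else triple[2])
    # Step 3: Alice permutes with pi', then beta_i = alpha_i * beta_{i-1}^2
    # (plaintext alpha_i + 2*beta_{i-1}, equal to 1 only at the first agreement).
    p1 = rng.sample(range(N), N)
    alpha = [under_b[k] for k in p1]
    beta = [alpha[0]]
    for i in range(1, N):
        beta.append(alpha[i] * pow(beta[-1], 2, B.n2) % B.n2)
    # theta_i = (beta_i * E_B(-1))^q[i]: plaintext q[i]*(beta_i - 1), zero once.
    theta = [pow(x * B.enc(-1) % B.n2, rng.randrange(1, 2**32), B.n2) for x in beta]
    p2 = rng.sample(range(N), N)
    sent, composed = [theta[k] for k in p2], [p1[k] for k in p2]  # Alice -> Bob
    # Bob decrypts, finds the zero, and inverts the permutations.
    k = next(i for i, c in enumerate(sent) if B.dec(c) == 0)
    return pi_b[composed[k]]
```

With a = [1,0,1,1,0,1] and b = [0,1,1,0,0,1], repeated calls return index 2 or 5, which one depending on permutations that neither party picks alone.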

Expressing Preferences
- Alice and Bob assign a utility to each possible term (denoted by $U_A(x)$ and $U_B(x)$) – assume utilities are distinct
- A term $t_1$ is inefficient if a term $t_2$ such that $U_A(t_1)<U_A(t_2)$ and $U_B(t_1)<U_B(t_2)$
- An efficient term is Pareto optimal
- Desirable to only choose efficient terms
- Set Disjointness reduces to finding a fair and efficient term

Other Extensions
- Interactive Negotiation
  - Feedback
  - Engage in the protocol several times relaxing constraints
- Sparse sets: creating protocols with communication proportional to |A|+|B|
- Dependent Clauses
  - Combine dependent clauses into a “super”-clause

Summary
- Introduce framework for contract negotiation
- Introduced protocols for finding valid, fair, and efficient contracts
- Future Work
  - Dependent Clauses
  - Multiple parties
  - Malicious Adversary Model
  - Multiple Negotiations with Inter-Clause Dependencies
  - Other negotiation strategies

Acknowledgements
- Anonymous Reviewers
- Gov’t
  - NSF, ONR, AFRL
- Industry
  - Intel, Motorola, HP + the corporate sponsors of CERIAS
- Foundation
  - Lilly Endowment
- Purdue
  - CERIAS, Discovery Park