Privacy Preserving Auctions and Mechanism Design

Slides: 47
Provided by: raffima

Transcript and Presenter's Notes

1
Privacy Preserving Auctions and Mechanism Design
  • Moni Naor
  • Benny Pinkas
  • Reuben Sumner

Presented by Raffi Margaliot
2
Agenda
  • Motivation
  • Architecture Entities
  • High Level Protocol Description
  • Cryptographic Tools
  • Secure Computation of Auctions
  • Overhead Calculation

3
English Auction
  • Ascending, open-cry.
  • Most popular type of auction on the internet.
  • Drawbacks
  • Many rounds.
  • Over a long period of time.
  • Solution
  • Vickrey auction.

4
Vickrey Auction
  • Second price sealed bid auction.
  • All bidders send their bids.
  • The winner is the highest bidder.
  • The winner pays second highest bid.
  • Advantages
  • Bidding true value is dominant strategy.
  • Simulates open cry ascending (English) auction in
    a single round.
  • Why aren't Vickrey auctions more popular?
  • Major problem if Auctioneer is corrupt...

5
Vickrey: Corrupt Auctioneer
(Figure: bidders tell eSleaze.com "I bid 900" and "I bid 1000"; eSleaze.com answers "You win, pay 999".)
  • How can bidders verify that the auction is being
    conducted properly?
  • Can be solved if the value of the bids could be
    hidden until bidding closes, preventing a corrupt
    auctioneer from manipulating auction results.

6
On the Next Day
  • One day
  • You bid 1000
  • win and pay 600
  • On the next day, another auction for same item
  • You bid 1000
  • win and required to pay 999
  • Suspicion: eSleaze used the previous day's bid to
    raise the clearing price
  • How to let the auctioneer learn as little
    information as is essential to conduct the
    auction?

7
Hal Varian Quote
  • even if current information can be safeguarded,
    records of past behavior can be extremely
    valuable, since historical data can be used to
    estimate the willingness to pay. What should be
    the appropriate technological and social
    safeguards to deal with this problem?
  • This work: technological safeguards

8
Mechanism Design
  • Design of protocols for selfish parties.
  • The goal of a protocol is to aggregate
    preferences to determine some social choice.
  • Model:
  • Each party has a utility function expressing its
    valuation of each possible outcome of the
    protocol.
  • Sends information based on it.
  • Goal: design the protocol so that it is not
    beneficial to cheat.

9
The Revelation Principle
  • there exists an equivalent mechanism in which
    the optimal strategy for each party is to report
    its true utility function.
  • Example: Vickrey auction.
  • Problems with applying the revelation principle:
  • The center may be corrupt and misuse the truthful
    bids it receives.
  • Utility function contains sensitive information.
  • Participants might cheat simply to avoid leaking
    this information.

10
Security and Privacy Requirements
  • Auctioneer only learns:
  • Who is the highest bidder.
  • Clearing price: second highest bid.
  • Should be able to prove that auction was
    conducted properly, while hiding bids from
    bidders.
  • Does not learn:
  • Highest bid.
  • Who is second highest bidder.
  • What are the other bids.

11
This Work
  • Achieves the requested security and privacy
    requirements.
  • Without any third party that
  • Is fully trusted.
  • Takes an active part in the auction.

12
Agenda
  • Motivation
  • Architecture Entities
  • High Level Protocol Description
  • Cryptographic Tools
  • Secure Computation of Auctions
  • Overhead Calculation

13
Architecture
Auction Issuer
Auctioneers
Bidders
14
Entity Types
  • Bidders
  • One or several bidders wish to sell items.
  • Remaining bidders interested in buying the items.
  • Auctioneer: runs the show.
  • Advertises the auction.
  • Receives the bids from the bidders.
  • Communicates with the auction issuer.
  • Computes the output of the protocol.
  • Can be one of the bidders.

15
Entity Types
  • Auction issuer
  • Runs in the background and ensures that the
    auctions are executed properly.
  • Responsible for coding the program that
    computes the output of the protocol so as to
    preserve privacy.
  • Supply this program to the auctioneer.
  • Does not interact with bidders.
  • Can provide programs for many auctions carried
    out by many auctioneers.

16
Trust and Security
  • Only a coalition of the Auctioneer and the
    Auction Issuer can compromise:
  • Proper working of auction
  • Bidders' privacy
  • All other coalitions gain no more information
    than in the ideal model

17
Properties
  • Bidders communicate only with Auctioneer.
  • Bidders send a single message.
  • Auction Issuer performs a single, one-round
    interaction with the Auctioneer.
  • Public Key of the Auction Issuer is known to the
    Bidders, no other PKI required.

18
Agenda
  • Motivation
  • Architecture Entities
  • High Level Protocol Description
  • Cryptographic Tools
  • Secure Computation of Auctions
  • Overhead Calculation

19
Auction Is Published
  • Auctioneer publishes the details of the auction
  • Rules for selection of winner.
  • Closing time.
  • Auction Issuer supporting the auction.

20
Bidders Submit Bids
  • Bidders submit encrypted bids to the Auctioneer.
  • The AI can decrypt part of encryption, but even
    it can not discover the actual bids.

21
AI Generates Program
  • The AI generates a program to compute the output
    of the auction.
  • It generates a circuit composed of Boolean gates
    such as AND, OR and NOT that performs this task
    and then "garbles" the circuit.
  • The Auctioneer forwards portions of the bids to
    the AI, which decrypts the bids and uses them to
    compute "garbled inputs" to the circuit.
  • It sends the circuit and the inputs to the
    Auctioneer, along with a signed translation table
    that "decrypts" the output of the circuit.

22
And the Winner Is
  • The Auctioneer uses the garbled inputs and the
    encrypted circuit to compute the output of the
    circuit.
  • It publishes the result and the signed
    translation table received from the AI.

23
Related Work - Cryptography
  • Secure multi-party computation [GMW, BGW].
  • Compute any $f(X_1,\dots,X_n)$, where $X_i$ is known only to
    party i.
  • Parties learn nothing but final output.
  • Drawbacks
  • High interactivity between all parties
    (bidders).
  • Considerable computational overhead.
  • Secure against coalitions of at most 1/3.

24
Related Work - Auctions
  • Distribute the Auctioneer into many servers
    [FR, HTK].
  • Drawbacks:
  • High interactivity between servers.
  • All servers controlled by Auctioneer, security
    only if not too many of them collude.
  • Not robust to changes in auction.
  • This work:
  • Single round between Auctioneer and AI.
  • Security against any coalition of Bidders and
    Auctioneer or AI.
  • General, full control of what each party learns.
  • Bidders' privacy preserved after the auction
    ended.

25
Agenda
  • Motivation
  • Architecture Entities
  • High Level Protocol Description
  • Cryptographic Tools
  • Secure Computation of Auctions
  • Overhead Calculation

26
Cryptographic Tools
  • Pseudo-random functions (block ciphers)
  • Digital Signatures
  • Garbled Circuits
  • Proxy-Oblivious Transfer

27
Garbled Circuits [Yao]
  • Two party protocol
  • Input
  • Sender (AI): function F, as a combinatorial
    circuit
  • Receiver (Auctioneer): x
  • Output
  • Receiver: F(x), and no knowledge of F
  • Sender: no knowledge of x

28
Garbled Circuits [Yao]
  • Initialization
  • Sender assigns random (garbled) values to the 0/1
    values of each wire
  • Constructs a table for every gate, such that the
    garbled values of the input wires enable computing the
    garbled value of the output wire, and nothing else
  • Computation
  • Receiver obtains garbled values of input wires of
    circuit, and propagates them to the output wires

29
Garbling a Gate
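(Figure: gate G with input wires i and j, carrying garbled values $W_i^0, W_i^1$ and $W_j^0, W_j^1$, and output wire k carrying $W_k^0, W_k^1$; the gate table has one row per input combination 00, 01, 10, 11.)
The table enables computing the garbled output value of the
gate from the garbled input values, using two
applications of a Pseudo-Random Function:
$(W_i^{b_i}, W_j^{b_j}) \rightarrow W_k^{G(b_i,b_j)}$
Table entries ($\forall\, b_i, b_j \in \{0,1\}$):
$W_k^{G(b_i,b_j)} \oplus F_{W_i^{b_i}}(c_j) \oplus F_{W_j^{b_j}}(c_i)$
(the garbled output value, masked by the PRF keyed by the garbled inputs)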
30
Garbling a Circuit
  • Sender assigns garbled values to each wire.
  • Prepares a table for every gate.
  • Sends to receiver.
  • When receiver obtains garbled input values,
    propagates them through circuit, until able to
    compute garbled output values.
  • Overhead depends on circuit size. For binary
    circuits:
  • size of tables: 4C.
  • computing the result: 2C PRF applications.
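
The gate table from the two slides above, as an added Python example (not the authors' prototype code): each entry is the output value masked by two PRF outputs, and the receiver propagates garbled values through (a AND b) OR c before reading the result from a translation table. HMAC-SHA256 as the PRF, SHA-256 as the one-way function, the 16-byte value size and all function names are assumptions of this example; c is taken to be the wire's bit under a secret per-wire permutation.

```python
import hashlib, hmac, secrets

KEYLEN = 16  # bytes per garbled wire value (size chosen for this example)

def prf(key, c):
    """F_key(c); HMAC-SHA256 stands in for the slides' pseudo-random function."""
    return hmac.new(key, bytes([c]), hashlib.sha256).digest()[:KEYLEN + 1]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def new_wire():
    """Garbled values (W^0, W^1) and a secret permutation bit for the wire."""
    return (secrets.token_bytes(KEYLEN), secrets.token_bytes(KEYLEN)), secrets.randbelow(2)

def label(wire, b):
    """What the receiver holds for bit b: W^b and c = b XOR permutation bit."""
    (w0, w1), perm = wire
    return (w1 if b else w0), b ^ perm

def garble_gate(g, wi, wj, wk):
    """Entry (c_i, c_j) = <W_k^g(b_i,b_j), c_k> XOR F_{W_i^b_i}(c_j) XOR F_{W_j^b_j}(c_i)."""
    table = {}
    for bi in (0, 1):
        for bj in (0, 1):
            (Wi, ci), (Wj, cj) = label(wi, bi), label(wj, bj)
            Wk, ck = label(wk, g(bi, bj))
            table[ci, cj] = xor(xor(Wk + bytes([ck]), prf(Wi, cj)), prf(Wj, ci))
    return table

def eval_gate(table, li, lj):
    """Receiver side: two PRF applications unmask exactly one table entry."""
    (Wi, ci), (Wj, cj) = li, lj
    out = xor(xor(table[ci, cj], prf(Wi, cj)), prf(Wj, ci))
    return out[:KEYLEN], out[KEYLEN]

def run_circuit(a, b, c):
    """Sender garbles (a AND b) OR c; receiver evaluates and translates the output."""
    wa, wb, wc, wab, wout = (new_wire() for _ in range(5))
    t_and = garble_gate(lambda x, y: x & y, wa, wb, wab)
    t_or = garble_gate(lambda x, y: x | y, wab, wc, wout)
    # Translation table for the output wire: one-way image of each garbled value.
    translation = {hashlib.sha256(label(wout, v)[0]).digest(): v for v in (0, 1)}
    # Receiver holds only garbled input values (delivered by proxy OT in the protocol).
    mid = eval_gate(t_and, label(wa, a), label(wb, b))
    out = eval_gate(t_or, mid, label(wc, c))
    return translation[hashlib.sha256(out[0]).digest()]
```

Each wire here feeds a single gate; when a wire fans out to several gates, the PRF input also needs a gate identifier so that masks are not reused.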

31
Proxy Oblivious Transfer
  • Input
  • Sender: 2 secrets $M_0, M_1$ (garbled input values).
  • Chooser: $b \in \{0,1\}$ (input bit).
  • Proxy: nothing.
  • Output
  • Sender: nothing.
  • Chooser: nothing.
  • Proxy: $M_b$ (garbled value of input bit).
  • Sender and Proxy do not learn b, the input bit.

32
Proxy Oblivious Transfer: Based on Hardness of
Discrete Log
  • Sender and Chooser agree on a large cyclic group
    $G_g$, a generator g, and a random constant $c \in G_g$
  • Chooser:
  • Selects a random r, $0 < r < |G_g|$
  • Sets $PK_b = g^r$, $PK_{1-b} = c / PK_b$
  • Sends $PK_0$ to Sender
  • Sends r to Proxy

33
Proxy Oblivious Transfer: Based on Hardness of
Discrete Log
  • Sender:
  • Computes $PK_1 = c / PK_0$
  • Computes $E_{PK_0}(C(M_0))$, $E_{PK_1}(C(M_1))$
  • C( ) is an error correction code
  • $E_{PK}$ is El Gamal encryption
  • Permutes and sends to Proxy
  • Proxy knows private key r and can decrypt $M_b$
  • Security: Chooser can't know discrete log of both
    $PK_0$ and $PK_1$
  • Overhead: O(1) exponentiations
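
The discrete-log proxy OT above, run end to end as an added Python example (not the authors' prototype code): the Sender plays the Auction Issuer, the Chooser a Bidder and the Proxy the Auctioneer. The modulus 2^127 - 1, the base 3, the 4-byte hash tag standing in for the code C( ), and all function names are assumptions of this example; the parameters are toy-sized and only make the arithmetic runnable.

```python
import hashlib, secrets

P = 2**127 - 1  # toy prime modulus (assumption; far too small for real use)
G = 3           # base element g (assumption)

def encode(m):
    """Stand-in for C(): the message plus a 4-byte hash tag, as an integer."""
    return int.from_bytes(m + hashlib.sha256(m).digest()[:4], "big")

def decode(x, n):
    """Return the n-byte message if the redundancy checks out, else None."""
    if x >> (8 * (n + 4)):
        return None
    raw = x.to_bytes(n + 4, "big")
    return raw[:n] if hashlib.sha256(raw[:n]).digest()[:4] == raw[n:] else None

def elgamal_enc(pk, x):
    """Textbook El Gamal: (g^k, x * pk^k)."""
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), x * pow(pk, k, P) % P

def chooser(b, c):
    """PK_b = g^r, PK_{1-b} = c / PK_b; PK_0 goes to the Sender, r to the Proxy."""
    r = secrets.randbelow(P - 2) + 1
    pk_b = pow(G, r, P)
    pk_0 = pk_b if b == 0 else c * pow(pk_b, -1, P) % P
    return pk_0, r

def sender(pk_0, c, m0, m1):
    """PK_1 = c / PK_0; encrypt C(M0), C(M1) and hand them over in random order."""
    pk_1 = c * pow(pk_0, -1, P) % P
    cts = [elgamal_enc(pk_0, encode(m0)), elgamal_enc(pk_1, encode(m1))]
    secrets.SystemRandom().shuffle(cts)
    return cts

def proxy(r, cts, n):
    """Try r on both ciphertexts; only the one under PK_b passes the check."""
    for c1, c2 in cts:
        m = decode(c2 * pow(pow(c1, r, P), -1, P) % P, n)
        if m is not None:
            return m
    return None

def proxy_ot(b, m0, m1):
    """One full run; the Proxy ends up with M_b without being told b."""
    c = pow(G, secrets.randbelow(P - 2) + 1, P)  # public constant, its log is discarded
    pk_0, r = chooser(b, c)
    return proxy(r, sender(pk_0, c, m0, m1), len(m0))
```

Because the ciphertexts arrive permuted, the redundancy check is the only way the Proxy tells the valid decryption from the other one, and it does so without learning b.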

34
Agenda
  • Motivation
  • Architecture Entities
  • High Level Protocol Description
  • Cryptographic Tools
  • Secure Computation of Auctions
  • Overhead Calculation

35
Secure Computation of Auctions
  • The Auction Issuer prepares a circuit that
    computes the result of the auction, and garbles
    it.
  • The Auctioneer publishes the auction.
  • Each Bidder, in parallel, engages in Proxy
    oblivious transfer for each bit of his bid. This
    reveals to the Auctioneer the garbled value of
    this bit.
  • Auction Issuer sends to Auctioneer the gate
    tables, and a translation table from garbled
    output values.
  • Auctioneer computes result of auction.

36
Secure Computation of Auctions
  • Function for Vickrey auction:
  • Bids $X_1,\dots,X_n$. Each bid is L bits.
  • $F(X_1,\dots,X_n) = (i,p)$ where $i = \max(X_1,\dots,X_n)$,
    $p = \max(X_1,\dots,X_{i-1},X_{i+1},\dots,X_n)$
  • Garbling the circuit: Auction Issuer
  • Constructs a circuit C for F and garbles it to
    generate the garbled circuit
  • For every output wire k of C, signs a translation
    table $(b, G(W_k^b))$ ($G$ one-way)
  • Sends the garbled circuit and the translation tables to the Auctioneer
  • Auctioneer publishes the auction:
  • terms, public key of issuer

37
Secure Computation of Auctions
  • Coding the input:
  • Each Bidder i engages in proxy OT for each bit
    of $X_i = X_{i1} \dots X_{iL}$
  • $M_{ij}(0), M_{ij}(1)$: garbled values for wire $X_{ij}$
  • Auction Issuer is the sender: $M_{ij}(0), M_{ij}(1)$
  • Bidder is the chooser: input $X_{ij}$
  • Auctioneer is the proxy: learns $M_{ij}(X_{ij})$
  • Computing the output: the Auctioneer takes the garbled circuit and
    $\{M_{ij}(X_{ij})\}$ for $i = 1..N$, $j = 1..L$, computes the
    garbled output values, and translates them
  • Verification: Bidders use the translation tables to
    verify

38
Optimizations
  • Auction Issuer can prepare the garbled circuit in
    advance, and send it offline
  • Optimize circuit
  • Optimize proxy OT
  • optimize communication pattern
  • trade computation for bandwidth

39
Proxy Oblivious Transfer: Communication Pattern
  • Naive

(Figure labels: 2 Encryption Keys; Encryptions; 1 Decryption Key)
40
Proxy Oblivious Transfer: Communication Pattern
  • Better: Bidders communicate only with Auctioneer

(Figure labels: 2 Encryption Keys; 2 Encryption Keys; 1 Decryption Key; Encryptions)
41
Agenda
  • Motivation
  • Architecture Entities
  • High Level Protocol Description
  • Cryptographic Tools
  • Secure Computation of Auctions
  • Overhead Calculation

42
Overhead - Example
  • Assume:
  • N = 1000 bidders
  • L = 20 bits (1,000,000 possible bids)
  • Communication:
  • Smart circuit for Vickrey auctions
  • (non binary wires and gates)
  • C = O(NL)
  • about 5NL gates
  • 25NL table entries (4MB)

43
Overhead - Computation
  • Main computation overhead:
  • Proxy Oblivious Transfer
  • Invocation for every input bit
  • PII: 20 exponentiations per sec
  • Parties:
  • Bidder: 20 OT, 5 exp (0.25 sec)
  • Auctioneer, AI (total): 20000 OT, 5000 exp (250
    sec)
  • Circuit computation is negligible
  • O(C) applications of PRF

44
Prototype Implementation
  • 1500 lines of Python code
  • 800 lines of C for encryption and PRFs
  • Exponentiations coded in assembler
  • Optimized the circuit computing 2nd price auction
  • Optimized the proxy oblivious transfer protocol

45
Other Auctions and Mechanisms
  • Main constraint - circuit size.
  • Kth price auctions.
  • circuit size O(NLKL).
  • good for double auctions.
  • good for risk seekers?
  • Generalized Vickrey auction - participants report
    utility function. Bottleneck - circuit size.
  • Groves Clarke - sum of reported values should be
    greater than threshold - efficient circuit.
  • And many more

46
Further Work
  • Implementation
  • Distribute the Auction Issuer
  • Better security
  • Reduce load
  • Seems hard: a k-out-of-n access structure of
    Auction Issuer servers
  • Possible: split on-line work
  • one party prepares the circuit
  • several servers act as the Auction Issuer