Privacy Preserving Auctions and Mechanism Design
Moni Naor, Benny Pinkas, Reuben Sumner
Presented by: Raffi Margaliot


Agenda
- Motivation
- Architecture & Entities
- High Level Protocol Description
- Cryptographic Tools
- Secure Computation of Auctions
- Overhead Calculation

English Auction
- Ascending, open-cry.
- Most popular type of auction on the internet.
- Drawbacks:
  - Many rounds.
  - Over a long period of time.
- Solution:
  - Vickrey auction.

Vickrey Auction
- Second price sealed bid auction.
  - All bidders send their bids.
  - The winner is the highest bidder.
  - The winner pays second highest bid.
- Advantages:
  - Bidding true value is dominant strategy.
  - Simulates open cry ascending (English) auction in a single round.
- Why aren't Vickrey auctions more popular?
  - Major problem if Auctioneer is corrupt...

Vickrey: Corrupt Auctioneer
- How can bidders verify that the auction is being conducted properly?
- Can be solved if the value of the bids could be hidden until bidding closes, preventing a corrupt auctioneer from manipulating auction results.
[Figure: eSleaze.com. Bidders: "I bid $900", "I bid $1000". Auctioneer: "You win, pay $999".]

On the Next Day…
- One day:
  - You bid $1000
  - win and pay $600
- On the next day, another auction for same item:
  - You bid $1000
  - win and required to pay $999…
- Suspicion: eSleaze used previous day's bid to raise up clearing price
- How to let the auctioneer learn as little information as is essential to conduct the auction?

Hal Varian Quote
- “even if current information can be safeguarded, records of past behavior can be extremely valuable, since historical data can be used to estimate the willingness to pay. What should be the appropriate technological and social safeguards to deal with this problem?”
- This work: technological safeguards

Mechanism Design
- Design of protocols for selfish parties.
- The goal of a protocol is to aggregate preferences to determine some “social choice.”
- Model:
  - Each party has a utility function expressing its valuation of each possible outcome of the protocol.
  - Sends information based on it.
- Goal: design the protocol so that it is not beneficial to cheat.

The Revelation Principle
- “there exists an equivalent mechanism in which the optimal strategy for each party is to report its true utility function.”
- Example: Vickrey auction.
- Problems with applying revelation principle:
  - The center may be corrupt and misuse the truthful bids it receives.
  - Utility function contains sensitive information.
  - Participants might cheat simply to avoid leaking this information.

Security & Privacy Requirements
- Auctioneer only learns:
  - Who is the highest bidder.
  - Clearing price: second highest bid.
  - Should be able to prove that auction was conducted properly, while hiding bids from bidders.
- Does not learn:
  - Highest bid.
  - Who is second highest bidder.
  - What are the other bids.

This Work
- Achieves the requested security and privacy requirements.
- Without any third party that:
  - Is fully trusted.
  - Takes an active part in the auction.

Architecture
[Figure: Bidders, Auctioneers, Auction Issuer]

Entity Types
- Bidders:
  - One or several bidders wish to sell items.
  - Remaining bidders interested in buying the items.
- Auctioneer: Runs the show.
  - Advertises the auction.
  - Receives the bids from the bidders.
  - Communicates with the auction issuer.
  - Computes the output of the protocol.
  - Can be one of the bidders.

Entity Types
- Auction issuer:
  - Runs in the background and ensures that the auctions are executed properly.
  - Responsible for “coding the program” that computes the output of the protocol so as to preserve privacy.
  - Supplies this program to the auctioneer.
  - Does not interact with bidders.
  - Can provide programs for many auctions carried out by many auctioneers.

Trust and Security
- Only a coalition of the Auctioneer and the Auction Issuer can compromise:
  - Proper working of auction
  - Bidders' privacy
- All other coalitions gain no more information than in the ideal model
[Figure: Bidder's Privacy]

Properties
- Bidders communicate only with Auctioneer.
- Bidders send a single message.
- Auction Issuer performs a single, one-round interaction with the Auctioneer.
- Public Key of the Auction Issuer is known to the Bidders, no other PKI required.

Auction Is Published
- Auctioneer publishes the details of the auction:
  - Rules for selection of winner.
  - Closing time.
  - Auction Issuer supporting the auction.

Bidders Submit Bids
- Bidders submit encrypted bids to the Auctioneer.
- The AI can decrypt part of the encryption, but even it cannot discover the actual bids.

AI Generates Program
- The AI generates a program to compute the output of the auction.
- It generates a circuit composed of Boolean gates such as AND, OR and NOT that performs this task and then "garbles" the circuit.
- The Auctioneer forwards portions of the bids to the AI, which decrypts the bids and uses them to compute "garbled inputs" to the circuit.
- It sends the circuit and the inputs to the Auctioneer, along with a signed translation table that "decrypts" the output of the circuit.

And the Winner Is…
- The Auctioneer uses the garbled inputs and the encrypted circuit to compute the output of the circuit.
- It publishes the result and the signed translation table received from the AI.

Related Work - Cryptography
- Secure multi-party computation: [GMW,BGW].
  - Compute any $f(X_1,\ldots,X_n)$, where $X_i$ is known only to party $i$.
  - Parties learn nothing but final output.
- Drawbacks:
  - High interactivity between all parties (bidders…).
  - Considerable computational overhead.
  - Secure against coalitions of at most 1/3.

Related Work - Auctions
- Distribute the Auctioneer into many servers [FR,HTK].
- Drawbacks:
  - High interactivity between servers.
  - All servers controlled by Auctioneer, security only if not too many of them collude.
  - Not robust to changes in auction.
- This work:
  - Single round between Auctioneer and AI.
  - Security against any coalition of Bidders and Auctioneer or AI.
  - General, full control of what each party learns.
  - Bidders' privacy preserved after the auction ended.

Cryptographic Tools
- Pseudo-random functions (block ciphers)
- Digital Signatures
- Garbled Circuits
- Proxy-Oblivious Transfer

Garbled Circuits [Yao]
- Two party protocol
- Input:
  - Sender (AI): Function $F$, as a combinatorial circuit
  - Receiver (Auctioneer): $x$
- Output:
  - Receiver: $F(x)$, and no knowledge of $F$
  - Sender: no knowledge of $x$

Garbled Circuits [Yao]
- Initialization:
  - Sender assigns random (garbled) values to the 0/1 values of each wire
  - Constructs a table for every gate such that the garbled values of the input wires make it possible to compute the garbled value of the output wire, and nothing else
- Computation:
  - Receiver obtains garbled values of input wires of circuit, and propagates them to the output wires

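Garbling a Gate
[Figure: gate $G$ with input wires $i$, $j$ and output wire $k$; garbled values $W_i^0, W_i^1$ on wire $i$, $W_j^0, W_j^1$ on wire $j$, and $W_k^0, W_k^1$ on wire $k$.]
- The table makes it possible to compute the garbled output value of the gate from the garbled input values, using two applications of a Pseudo-Random Function: $W_i^{B_i}, W_j^{B_j} \rightarrow W_k^{G(B_i,B_j)}$
- Table entries ($\forall B_i, B_j \in \{0,1\}$): $[\, W_k^{G(B_i,B_j)} + F_{W_i^{B_i}}(C_j) + F_{W_j^{B_j}}(C_i) \,]$
  - $W_k^{G(B_i,B_j)}$: garbled output
  - $F$: PRF keyed by garbled inputs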

Garbling a Circuit
- Sender assigns garbled values to each wire.
- Prepares a table for every gate.
- Sends to receiver.
- When the receiver obtains garbled input values, it propagates them through the circuit until it is able to compute the garbled output values.
- Overhead depends on circuit size. For binary circuits:
  - size of tables: $4|C|$.
  - computing the result: $2|C|$ PRF applications.
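
The gate table and circuit propagation described above, as an added example that is not code from the presentation or from the authors' prototype: it garbles a constructed 2-bit "bid A > bid B" comparator and evaluates it from garbled inputs alone, decoding the result with a table of hashed output values. Assumptions: the slide's "+" is read as XOR, F is HMAC-SHA256, each C_i is a public label bit attached to a garbled value, and the gate index is fed into F so that a wire used by two gates gets independent pads.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, gate_id: int, c: int) -> bytes:
    """F_key(.): HMAC-SHA256 stand-in, truncated to 16 bytes + 1 label byte."""
    return hmac.new(key, bytes([gate_id, c]), hashlib.sha256).digest()[:17]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def new_wire():
    """{b: (W^b, c^b)}: random garbled value plus a label bit c^b = b XOR flip."""
    flip = secrets.randbits(1)
    return {b: (secrets.token_bytes(16), b ^ flip) for b in (0, 1)}

def garble_gate(gate_id, G, wi, wj, wk):
    """One entry per (B_i, B_j), stored under the public label bits (c_i, c_j)."""
    table = {}
    for bi in (0, 1):
        for bj in (0, 1):
            (Wi, ci), (Wj, cj) = wi[bi], wj[bj]
            Wk, ck = wk[G(bi, bj)]
            entry = xor(Wk + bytes([ck]), prf(Wi, gate_id, cj))
            table[(ci, cj)] = xor(entry, prf(Wj, gate_id, ci))
    return table

def eval_gate(gate_id, table, gi, gj):
    """Receiver side: two PRF applications strip the pads from one entry."""
    (Wi, ci), (Wj, cj) = gi, gj
    out = xor(xor(table[(ci, cj)], prf(Wi, gate_id, cj)), prf(Wj, gate_id, ci))
    return out[:16], out[16]

def gt(x, y): return x & (1 - y)      # x > y on single bits
def eq(x, y): return 1 - (x ^ y)
def and_(x, y): return x & y
def or_(x, y): return x | y

# Constructed circuit: out = 1 iff 2-bit bid A (a1 a0) > 2-bit bid B (b1 b0).
CIRCUIT = [("t1", gt, "a1", "b1"), ("t2", eq, "a1", "b1"),
           ("t3", gt, "a0", "b0"), ("t4", and_, "t2", "t3"),
           ("out", or_, "t1", "t4")]
INPUTS = ("a1", "a0", "b1", "b0")

def garble_circuit():
    """Sender side: garbled wires, gate tables, and output translation table."""
    wires = {w: new_wire() for w in INPUTS}
    tables = []
    for gate_id, (out, G, i, j) in enumerate(CIRCUIT):
        wires[out] = new_wire()
        tables.append(garble_gate(gate_id, G, wires[i], wires[j], wires[out]))
    translation = {hashlib.sha256(wires["out"][b][0]).digest(): b for b in (0, 1)}
    return wires, tables, translation

def evaluate(tables, translation, garbled_inputs):
    """Receiver side: propagate garbled values gate by gate, then translate."""
    vals = dict(garbled_inputs)
    for gate_id, (out, _, i, j) in enumerate(CIRCUIT):
        vals[out] = eval_gate(gate_id, tables[gate_id], vals[i], vals[j])
    return translation[hashlib.sha256(vals["out"][0]).digest()]

def compare_bids(a: int, b: int) -> int:
    wires, tables, translation = garble_circuit()
    bits = {"a1": a >> 1, "a0": a & 1, "b1": b >> 1, "b0": b & 1}
    return evaluate(tables, translation, {w: wires[w][bits[w]] for w in INPUTS})
```

Each gate contributes four table entries and costs the receiver two PRF calls, matching the 4|C| and 2|C| figures on the slide.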

Proxy Oblivious Transfer
- Input:
  - Sender: 2 secrets $M_0$, $M_1$ (garbled input values).
  - Chooser: $b \in \{0,1\}$ (input bit).
  - Proxy: nothing.
- Output:
  - Sender: nothing.
  - Chooser: nothing.
  - Proxy: $M_b$ (garbled value of input bit).
- Sender and Proxy do not learn $b$, the input bit.

Proxy Oblivious Transfer Based on Hardness of Discrete Log
- Sender and Chooser agree on a large cyclic group $G_g$, a generator $g$, and a random constant $c \in G_g$
- Chooser
  - Selects a random $r$, $0 < r < |G_g|$
  - Sets $PK_b = g^r$, $PK_{1-b} = c / PK_b$
  - Sends $PK_0$ to Sender
  - Sends $r$ to Proxy

Proxy Oblivious Transfer Based on Hardness of Discrete Log
- Sender
  - Computes: $PK_1 = c / PK_0$
  - Computes: $E_{PK_0}(C(M_0))$, $E_{PK_1}(C(M_1))$
  - $C(\cdot)$ is an error correction code
  - $E_{PK}$ is El Gamal encryption
  - Permutes and sends to Proxy
- Proxy knows private key $r$ and can decrypt $M_b$
- Security: Chooser can't know discrete log of both $PK_0$ and $PK_1$
- Overhead: O(1) exponentiations
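
The three-party exchange from the two slides above, as an added example that is not code from the presentation or from the authors' prototype. Assumptions: a toy group (integers modulo the Mersenne prime 2^127 - 1, far too small for real use), hashed El Gamal in place of textbook El Gamal, and a truncated SHA-256 checksum standing in for the code C() so the Proxy can tell which ciphertext decrypted correctly.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumption): Z_p^* with p = 2^127 - 1. Illustration only.
P = 2**127 - 1
G = 3

def encode(m: bytes) -> bytes:
    """Stand-in for C(M): message plus 8 bytes of redundancy."""
    return m + hashlib.sha256(b"redundancy" + m).digest()[:8]

def decode(data: bytes):
    """Return M if the redundancy checks out, else None."""
    m, tag = data[:-8], data[-8:]
    return m if hmac.compare_digest(encode(m)[-8:], tag) else None

def _pad(shared: int, n: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()[:n]

def elgamal_encrypt(pk: int, data: bytes):
    """Hashed El Gamal: (g^k, data XOR H(pk^k)); data must be <= 32 bytes."""
    k = secrets.randbelow(P - 2) + 1
    pad = _pad(pow(pk, k, P), len(data))
    return pow(G, k, P), bytes(x ^ y for x, y in zip(data, pad))

def elgamal_decrypt(r: int, ct):
    a, body = ct
    pad = _pad(pow(a, r, P), len(body))
    return bytes(x ^ y for x, y in zip(body, pad))

def chooser(b: int, c: int):
    """Knows the discrete log of PK_b only; PK_{1-b} is forced to c / PK_b."""
    r = secrets.randbelow(P - 2) + 1
    pk = [0, 0]
    pk[b] = pow(G, r, P)
    pk[1 - b] = c * pow(pk[b], -1, P) % P
    return pk[0], r                      # PK_0 -> Sender, r -> Proxy

def sender(pk0: int, c: int, m0: bytes, m1: bytes):
    """Derives PK_1 itself, encrypts both secrets, and shuffles the pair."""
    pk1 = c * pow(pk0, -1, P) % P
    cts = [elgamal_encrypt(pk0, encode(m0)), elgamal_encrypt(pk1, encode(m1))]
    if secrets.randbits(1):
        cts.reverse()
    return cts

def proxy(r: int, cts):
    """Decrypts both with r; only the ciphertext under g^r passes decode()."""
    for ct in cts:
        m = decode(elgamal_decrypt(r, ct))
        if m is not None:
            return m
    return None

def run_proxy_ot(b: int, m0: bytes, m1: bytes):
    c = pow(G, secrets.randbelow(P - 2) + 1, P)   # agreed random constant
    pk0, r = chooser(b, c)
    return proxy(r, sender(pk0, c, m0, m1))
```

Because the ciphertexts arrive shuffled and the Proxy never sees PK_0, a successful decryption does not tell it whether it holds M_0 or M_1.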

Secure Computation of Auctions
- The Auction Issuer prepares a circuit that computes the result of the auction, and garbles it.
- The Auctioneer publishes the auction.
- Each Bidder, in parallel, engages in Proxy oblivious transfer for each bit of his bid. This reveals to the Auctioneer the garbled value of this bit.
- Auction Issuer sends to Auctioneer the gates tables, and a translation table from garbled output values.
- Auctioneer computes result of auction.

Secure Computation of Auctions
- Function for Vickrey auction:
  - Bids $X_1,\ldots,X_n$. Each bid $L$ bits
  - $F(X_1,\ldots,X_n) = (i,p)$ where $i = \max(X_1,\ldots,X_n)$, $p = \max(X_1,\ldots,X_{i-1},X_{i+1},\ldots,X_n)$
- Garbling the circuit: Auction Issuer
  - Constructs a circuit $C$ for $F$, garbles it to generate $C'$
  - For every output wire $k$ of $C$, signs a translation table $[b, G(W_k^b)]$ ($G$ 1-way)
  - Sends $C'$ + translation to Auctioneer
- Auctioneer publishes auction:
  - terms, public key of issuer

Secure Computation of Auctions
- Coding the input:
  - Each Bidder $i$ engages in proxy OT for each bit of $X_i = X_i^1 \ldots X_i^L$
  - $M_{ij}(0)$, $M_{ij}(1)$ garbled values for wire $X_i^j$
  - Auction Issuer is the sender: $\{ M_{ij}(0), M_{ij}(1) \}$
  - Bidder is chooser: input $X_i^j$
  - Auctioneer is proxy: learns $M_{ij}(X_i^j)$
- Computing the output: Auctioneer takes $C'$ and $\{ M_{ij}(X_i^j) \}_{i=1..N,\ j=1..L}$, computes garbled output values, and translates
- Verification: Bidders use translation tables to verify

Optimizations
- Auction Issuer can prepare the garbled circuit in advance, and send it offline
- Optimize circuit
- Optimize proxy OT
  - optimize communication pattern
  - trade computation for bandwidth

Proxy Oblivious Transfer Communication Pattern
- Naive:
[Figure: message flow labelled "1 Decryption Key", "Encryptions", "2 Encryption Keys"]

Proxy Oblivious Transfer Communication Pattern
- Better: Bidders communicate only with Auctioneer
[Figure: message flow labelled "1 Decryption Key", "Encryptions", "2 Encryption Keys"]

Overhead - Example
- Assume:
  - N = 1000 bidders
  - L = 20 bits (1,000,000 possible bids)
- Communication: Smart circuit for Vickrey auctions (non binary wires and gates)
  - |C| = O(NL)
  - about 5NL gates
  - 25NL table entries (4 MB)

Overhead - Computation
- Main computation overhead: Proxy Oblivious Transfer
  - Invocation for every input bit
  - P II: 20 exponentiations per sec
- Parties:
  - Bidder: 20 OT = 5 exp (0.25 sec)
  - Auctioneer, AI (total): OT = 5000 exp (250 sec)
- Circuit computation is negligible:
  - O(|C|) applications of PRF

Prototype Implementation
- 1500 lines of Python code
- 800 lines of C for encryption and PRFs
- Exponentiations coded in assembler
- Optimized the circuit computing 2nd price auction
- Optimized the proxy oblivious transfer protocol

Other Auctions and Mechanisms
- Main constraint - circuit size.
- K'th price auctions.
  - circuit size O(NL+KL).
  - good for double auctions.
  - good for risk seekers?
- Generalized Vickrey auction - participants report utility function. Bottleneck - circuit size.
- Groves Clarke - sum of reported values should be greater than threshold - efficient circuit.
- And many more…

Further Work
- Implementation
- Distribute the Auction Issuer
  - Better security
  - Reduce load
  - Seems hard: a k-out-of-n access structure of Auction Issuer servers
  - Possible: split on-line work
    - one party prepares the circuit
    - several servers act as the Auction Issuer