Presentation is loading. Please wait.

Presentation is loading. Please wait.

Achieving Fairness in Private Contract Negotiation

Published byVictoria Kelley Modified over 6 years ago

Similar presentations

Presentation on theme: "Achieving Fairness in Private Contract Negotiation"— Presentation transcript:

1 Achieving Fairness in Private Contract Negotiation
Keith Frikken and Mikhail Atallah Purdue University March 2, 2005

2 Overview Introduction/Motivation Related Work Framework Protocols
Extensions Summary FC 2005

3 Overview Introduction/Motivation Related Work Framework Protocols
Extensions Summary FC 2005

4 Introduction Alice and Bob wish to negotiate a contract
Contract consists of many clauses How to distribute revenue Where are specific tasks performed Alice and Bob have constraints on the acceptability of a clause Naïve solution: Alice and Bob reveal constraints to one another Reveals unnecessary information FC 2005

5 Goals Alice and Bob would like to create a protocol that determines an agreement that is: Valid: satisfies both party’s constraints Fair: neither party can control the outcome Efficient: No clause is replaceable by another that is better for both parties Semi-honest (Honest but Curious) FC 2005

6 Overview Introduction/Motivation Related Work Framework Protocols
Extensions Summary FC 2005

7 Related Work Automated Negotiations Secure Protocols
[Grosof et al, 1999] [Governatori et al, 2000] Secure Protocols [Yao, 1982] [Yao, 1986] [Goldreich et al, 1987] [Katz and Ostrovsky, 2004] [Malkhi et al, 2004] Secure Protocols for Set Intersection [Freedman et al, 2004] FC 2005

8 Building Blocks Homomorphic Encryption: Secure Circuit Evaluation
E(x)*E(y)=E(x+y) E(x)y=E(xy) Semantic Security [Paillier, 1999] and [Damgård and Jurik, 2001] Secure Circuit Evaluation [Yao, 1986] Any 2-ary circuit with m gates and n inputs can be evaluated securely with: O(m) communication and pseudo-random functions O(n) 1-out-of-2 OTs O(1) rounds FC 2005

9 Overview Introduction/Motivation Related Work Framework Protocols
Extensions Summary FC 2005

10 Framework A clause is a public set S={s0,…,sN-1}
Alice (Bob) have constraints on the acceptability of a clause, represented by AS (BS) A term xS is acceptable if xA∩B A clause is satisfiable if A∩B≠ FC 2005

11 Framework(cont.) A negotiation is a set of clauses S0,…,Sk-1
A negotiation is satisfiable if all of its terms are satisfiable A contract is a sequence of terms x0,…,xk-1 (where xiSi) A contract is valid if all terms are acceptable to all parties FC 2005

12 Overview Introduction/Motivation Related Work Framework Protocols
Extensions Summary FC 2005

13 Protocol Template Two Parts: Extend these to the negotiation level
Protocol for determining if a clause is satisfiable Protocols for computing a fair agreement (where neither party has control) Extend these to the negotiation level Satisfiability: Conjunction Valid: Can compute independently FC 2005

14 Protocol for Satisfiability
Trivial reduction from Set Disjointness (i.e., a clause is satisifiable if the sets are not disjoint) Suppose Alice forms a list of binary values a0,…,aN-1 where ai is true is Alice finds the ith term acceptable Bob similarly forms b0,…,bN-1 Equivalent to i=0 to N-1 (ai  bi) Easily evaluated with a circuit with O(N) gates and O(N) inputs FC 2005

15 Finding a fair term Input: Alice has binary values a0,…,aN-1 and Bob has b0,…,bN-1. It is known that i such that aibi. Furthermore, Alice and Bob have exchanged semantically-secure homomorphic encryption systems EA and EB Output: An index j such that ajbj and where neither Alice or Bob can control outcome Semi-honest OT reduces to this problem Circuit Complexity: Both parties input permutations into the circuit which then permutes values (using composition of permutations) and then choose first agreement O(N log N) input (unless using pseudorandom permutation) O(N2) gates Our protocol’s goal: O(N) modular exponentiations and O(N) communication FC 2005

16 Step 1 of Simplified Protocol
Input: Alice has binary values a0,…,aN-1 and Bob has b0,…,bN-1. It is known that i such that aibi. Output: Bob learns EA(a0b0),…,EA(aN-1bN-1) Step: Alice sends to Bob EA(a0),…,EA(aN-1) For each value bi, Bob does: If bi=0, output EA(0) If bi=1, output EA(ai)EA(0) FC 2005

17 Step 2 of Simplified Protocol
Input: Bob has EA(a0b0),…, EA(aN-1bN-1) and has a permutation ΠB Output: Alice learns EB(a0b0),…, EB(aN-1bN-1) permuted with ΠB Steps: Bob permutes his input with ΠB For each item EA(aibi) in the list: Bob chooses a random value ri from {0,1} If ri=0, he sets γi to EA(aibi), otherwise he γi sets it to EA(aibi)-1EA(1) (i.e., EA(1-(aibi))=EA(⌐(aibi))) He sends Alice the ordered triple (γi,EB(ri),EB(1-ri)) For each triple (γi,EB(ri),EB(1-ri)): Alice computes j=DA(γi) If j=0 she sets her output to be EB(ri) Otherwise sets her output to be EB(1-ri) FC 2005

18 Step 3 of Simplified Protocol
Input: Alice has EB(a0b0),…, EB(aN-1bN-1) permuted with ΠB, and she has two permutations Π’ and Π’’ Output: Bob gets a list of items permuted with Π’’Π’ΠB where one of them is marked as the agreement Steps: Alice permutes the items with Π’ (call this list α0,…,αN-1) Alice computes a sequence of values: β0,…, βN-1, where β0=α0, and βi= αi*(βi-1)2 She computes a sequence of values: θ0,…, θN-1, where θi=(βi*EB(-1))q[i] where q[i] is a randomly chosen value Alice permutes these values with Π’’ and sends them to Bob along with Π’’Π’ Bob decrypts the values and chooses the one that is 0 and computed the original index by inverting the permutations. FC 2005

19 Overview Introduction/Motivation Related Work Framework Protocols
Extensions Summary FC 2005

20 Expressing Preferences
Alice and Bob assign a utility to each possible term (denoted by UA(x) and UB(x)) – assume utilities are distinct A term t1 is inefficient if  a term t2 such that UA(t1)<UA(t2) and UB(t1)<UB(t2) An efficient term is Pareto optimal Desirable to only choose efficient terms Set Disjointness reduces to finding a fair and efficient term FC 2005

21 Other Extensions Interactive Negotiation
Feedback Engage in the protocol several times relaxing constratints Sparse sets: creating protocols with communication proportional to |A|+|B| Dependent Clauses Combine dependent clauses into a “super”-clause FC 2005

22 Overview Introduction/Motivation Related Work Framework Protocols
Extensions Summary FC 2005

23 Summary Introduce framework for contract negotiation
Introduced protocols for finding valid, fair, and efficient contracts Future Work Dependent Clauses Multiple parties Malicious Adversary Model Multiple Negotiations with Inter-Clause Dependencies Other negotiation strategies FC 2005

24 Acknowledgements Anonymous Reviewers Gov’t Industry Foundation Purdue
NSF5, ONR, AFRL Industry Intel, Motorola, HP + the corporate sponsors of CERIAS Foundation Lilly Endowment Purdue CERIAS, Discovery Park FC 2005

Download ppt "Achieving Fairness in Private Contract Negotiation"

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.
Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Reaching Agreements II. 2 What utility does a deal give an agent? Given encounter  T 1,T 2  in task domain  T,{1,2},c  We define the utility of a.

Reaching Agreements II. 2 What utility does a deal give an agent? Given encounter  T 1,T 2  in task domain  T,{1,2},c  We define the utility of a.
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Improved Efficiency for Private Stable Matching Matthew Franklin, Mark Gondree, and Payman Mohassel University of California, Davis 02/07/07 - Session.

Improved Efficiency for Private Stable Matching Matthew Franklin, Mark Gondree, and Payman Mohassel University of California, Davis 02/07/07 - Session.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.

Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.
BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.

BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.

Similar presentations

Ads by Google