WO2001011527A2 - Preservation de la loyaute de negociations et de calculs - Google Patents

Preservation de la loyaute de negociations et de calculs (Honesty preserving negotiation and computation)

Info

Publication number
WO2001011527A2
Authority
WO
WIPO (PCT)
Application number
PCT/US2000/021615
Other languages
English (en)
Other versions
WO2001011527A8 (fr)
Inventor
Binyamin Pinkas
Simeon Naor
Original Assignee
Yeda Research And Development Co. Ltd.
Fleit, Lois
Priority date
Filing date
Publication date
Application filed by Yeda Research And Development Co. Ltd.; Fleit, Lois
Priority to US09/807,099 (US7240198B1)
Publication of WO2001011527A2
Publication of WO2001011527A8

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/06 Buying, selling or leasing transactions

Definitions

  • This invention relates generally to cryptography and to secure distributed computation, and more particularly it relates to computerized auctions conducted using PCs and/or servers over a network, such as, the Internet.
  • the center that computes F can of course prove that it computed it correctly by publishing all the inputs. However this solution affects the privacy of the other parties, since their inputs become public.
  • the inventive method overcomes this problem since it enables the center to prove that it computed F correctly without leaking any information about the inputs.
  • Both systems distribute the operation of the auctioneer between several servers and privacy is guaranteed as long as not too many of the servers collude (most of the protocols require that less than a third of the servers collude, and therefore, need a minimum of four servers).
  • the inventive method does not require distributing the operation of the auctioneer among several non-colluding servers, and provides security even if the auctioneer itself attempts to cheat.
  • Naor and Pinkas [see REFERENCE 6] present a different method that prevents even the center from learning information about the parties' inputs. That method requires the operation of an additional party - the Issuer.
  • the Issuer generates a program that computes the function (or the auction) and sends it to the center.
  • the center receives messages from the parties, which contain some information that is intended for the Issuer. After the center receives messages from all the parties it sends a message to the Issuer and receives a response which enables it to use the program to compute the output of F for the parties' inputs.
  • the method ensures that neither the center nor the Issuer learns information about the inputs of the parties. In this sense it provides better privacy than the inventive method described herein.
  • the inventive method presented here does not require the cooperation of any additional party (like the Issuer) for the computation of F. It enables the center to compute the function by itself and prove that it computed it correctly, and in this respect is an advantage.
  • the present invention is a method, system and apparatus that enables the center to compute and publish the output of F and to prove to all parties that it computed F correctly. This is done without revealing the value of the input of a party to any other party.
  • the parties can be bidders in an auction
  • their inputs are their bids
  • the center is the auctioneer
  • the program F expresses the rule by which the outcome of the auction is decided.
  • the invention requires the auctioneer to prove that it computed the result of the auction correctly.
  • the invention provides the same security as in the following scenario: Assume that there is a reliable party (say an accountant or a lawyer) which is trusted by all other parties. This party observes the operation of the center, i.e. it examines the inputs that the center receives, verifies that the center computes the correct output, and testifies that this is the case.
  • the invention provides the same security as is provided with this trusted party, but without using any such party. This ensures better security (since trusted parties might breach the trust they are given), and is more efficient (since it does not require an additional party).
  • Figure 1 is a block diagram illustrating the different entities engaged in a computerized auction.
  • Figure 2 is a schematic diagram illustrating the steps of the method of the present invention where the steps are indicated by numerals in parentheses.
  • FIG 3 is a high level descriptive flow chart of the present invention as generally depicted in the diagrams of Figures 1 and 2.
  • Figures 4A and 4B are a flow chart showing the steps of the implementation of the preferred embodiment of the present invention.
  • Figure 5 is a flow chart of a secure two-party function evaluation protocol as implemented by the present invention.
  • Figure 6 is a schematic diagram of a gate used in the protocol depicted in Figure 5, and also shows the pseudo-random function used to prepare Table T g used in the protocol depicted in Figure 5.
  • the apparatus and method of the present invention comprises an auction service that is used in a network, such as, the Internet, and uses clients and/or servers.
  • the invention utilizes cryptography and secure distributed computation via computers to effect a computerized auction.
  • the invention is not limited to computerized auctions, but has broader application. Many such applications involve a group of participants, denoted herein as "Parties", each of whom has an input to the group as a whole, where the group as a whole is required to compute and output a certain function of these inputs.
  • "Parties" herein denotes a group of participants.
  • function herein denotes, in the usual sense, any mathematical or logical mapping from one set of input entities to an output entity or set of entities.
  • the inputs may involve sensitive information, such that it would also be required that this computation does not reveal any information about the inputs, except for whatever might be computed from the final output.
  • Such inputs are herein denoted as "private inputs". If, in addition to the parties, there were furthermore a trustworthy participant, denoted herein as a "center" and which is trusted by all the parties, then each party could simply send the respective private input to this center, which would then compute the function and publish, or output, the value of the computed function.
  • the center is a participant in the protocol and is involved in the computation of the function. It may or may not have a private input, and may or may not be within the group of parties.
  • the parties might not trust each other, and might not trust any single center.
  • Each party sends information about its utility function to a center, which decides on the outcome of the protocol based on the reports from the parties, according to a specified function of the utility functions (for example, in a sealed-bid auction, the specified function that determines the winner is the maximum of the bids).
  • the creation of algorithms by mechanism design is known in the art, to solve a global problem among a number of selfish agents (e.g. routing, or some cooperation between the agents).
  • the present invention can be used to compute these algorithms without requiring trust in the center.
  • the plausibility of using the present invention for such a task depends on the complexity of expressing the utility functions and decision procedure in terms of circuits.
  • a particular case of interest is the Groves-Clarke mechanism, where the public good is served if the sum of reported values is higher than some threshold.
  • the circuit which computes this function is very simple, as is the circuit which computes the sum of the reported values for several options, and decides on the option with the highest sum. It is therefore very easy to use the present invention to provide a private protocol which computes a Groves-Clarke mechanism.
  • Opinion polling is another relevant application.
  • the application enables parties to contribute their opinion to a decision making without being concerned that their opinion would be revealed.
  • Such a mechanism can be implemented very efficiently by the present invention. This essentially requires that one expert chooses a subset of the experts whose opinions are considered, learns their opinions, and then adds his opinion.
  • the group decision is the majority opinion.
  • Another application is for polling the opinions of a group of people, while hiding the individual opinions of the participants.
  • an opinion poll such as the Gallup Poll
  • the poll is anonymous, and the organizer obtains lists of answers, one list for each participant. In order to prove that it computed the result correctly, the organizer must publish the lists of answers.
  • the present invention enables the sending of questions to the group members, and the processing of their answers to obtain cumulative outputs without revealing any information about individual answers. Additional applications of the present invention include multiple-question opinion polls, sociometric research, and voting and elections.
  • Stable matching is yet another example of a global decision which depends on the private preferences of many parties. In many scenarios it is plausible that parties would be hesitant to reveal their matching preferences, even to the center that computes the matching (consider, for example, matching couples for a prom).
  • the present invention enables the parties to reveal their true preferences without being afraid that the center can learn them.
  • the overhead of implementing the present invention for this application depends on the complexity of expressing the matching algorithm as a combinatorial circuit.
  • the entities include The parties 320 and the Center 321.
  • Each of the parties 320 has an input to the function F.
  • In the case of auctions some of the parties might wish to sell items, and the rest of the parties are interested in buying these items.
  • the center 321 runs the show: it advertises the fact that F is computed, receives the inputs, and performs the computation.
  • In the case of auctions, the center is the auctioneer. It publishes the auction, receives the bids from the bidders, and computes the outcome of the auction.
  • the auctioneer might be a party which merely organizes the auction. It is also possible that it is one of the bidders or one of the sellers (for example he is selling an item which all other bidders are interested in buying).
  • the Steps in a high level description of a preferred embodiment are illustrated in Figure 2.
  • the high level description of the illustrated preferred embodiment of the method involves the following sequence of steps of the protocol.
  • the Steps include the following sequence:
    (1) The center announces the computation and commits to the circuits.
    (2) Party 1 sends a commitment to its input (Party 1 represents a generic party; this operation is performed by each of the participating parties).
    (3) The center publishes the commitments.
    (4) Party 1 opens its commitment, and the center verifies it.
    (5) The center computes the function.
    (6) The center publishes a proof that the computation was correct, and Party 1 verifies it.
  • Steps of the method of the present invention are elaborated in more detail in the following, with reference to Figure 3.
  • the center announces Step 301 that it will compute the function F.
  • the center publishes in Step 302 commitments to K combinatorial circuits 322 that compute F (where K is a security parameter).
  • Party B.sub.i which wishes to participate in computing the function F, sends a message to the center. They might exchange several rounds of communication, Step 303, at the end of which the center has a commitment c.sub.i to the value of B.sub.i's input x.sub.i.
  • the center publishes in Step 304 the commitments it received from the parties. (In the case of auctions this can be done at the end of the bidding period).
  • In Step 305 the bidders choose part of the K circuits that the center committed to, from block 323, and ask the center to open them. They verify in Step 306 that the opened circuits compute the function F.
  • In Step 307 each party B.sub.i sends to the center the value x.sub.i to which it committed with c.sub.i.
  • the center now computes in Step 308 the value of the circuit that computes F for the inputs x.sub.i it received.
  • the procedure for verifying the computation takes place.
  • the center computes and publishes a proof in Step 309 that it computed the value of F correctly.
  • Each party can use the published commitments to verify in Step 310 that the proof is correct.
  • a considerable improvement to the protocol can be achieved by noting that the function computed by the circuit need not be the function F itself, which the center computes and whose computation should be verified. It suffices that the circuit verifies the center's published output of F.
  • the circuit that computes this verification function is substantially more efficient than the circuit computing F.
  • the inventive method employs cryptographic tools that enable a secure two-party function evaluation.
  • the particular secure two-party function evaluation protocol used in the present invention is based on the method disclosed in REFERENCE 7.
  • the protocol is run between two participants, A and B.
  • the input of A is a value x and the input of B is a description of a function f.
  • A learns f(x) (but no other information about f), and B learns nothing about x.
  • the input x is a private input of A
  • the function f is a private input of B.
  • the protocol is based on expressing f as a combinatorial circuit of gates which are over some fixed base (e.g. all the functions $g: \{0,1\} \times \{0,1\} \to \{0,1\}$).
  • the bits of the input are entered into input wires and are propagated through the gates.
  • This procedure encrypts a circuit by generating a pseudo-random isomorphic transformation of the circuit.
  • This encryption is herein referred to as a "garbling" of the circuit.
  • the cyphertext of a circuit so encrypted by this procedure is herein denoted as a “garbled” circuit.
  • Inputs 502 include: A: a value x, in an input 502-A, and B: a description of a function f.
  • Outputs 536 include: A: f(x), in an output 536-A, and B: nothing, in an output 536-B.
  • the protocol starts with Initialization.
  • B devises a circuit 506 made of logic gates, such that circuit 506 computes f.
  • the design of logic circuits made of gates that compute functions is well-known in the art.
  • In step 508 B assigns to each wire $i$ of circuit 506 two random values $(W_i^0, W_i^1)$ 510 corresponding to the 0 and 1 values of wire $i$.
  • the random values should be long enough to be used as keys (for example, 80 bits long).
  • the value of wire $i$ is denoted by $b_i$.
  • In step 512 B also assigns to wire $i$ a random permutation $\pi_i$ 514 over $\{0,1\}$, and denotes the permuted wire value by $c_i = \pi_i(b_i)$.
  • In step 516 B uses a pseudo-random function R 518 to prepare a table $T_g$ 522 for each gate $g$ of the circuit, where the gate has input wires $i$ and $j$ and output wire $k$.
  • Table $T_g$ does not disclose any information about the output of gate $g$ for inputs other than the pair $(b_i, b_j)$, nor does it disclose the values of the bits $b_i$, $b_j$ or $b_k$.
  • In step 524 B prepares an output translation table $T_0$ 526 which decrypts the garbled output bits of the circuit (the ciphertext output) to the actual bits of the output of the circuit (the cleartext output).
  • Figure 6 also illustrates pseudo-random function R 518, which is used to prepare table $T_g$ 522.
  • table $T_g$ contains four entries, one per pair $(c_i, c_j)$, of the form: $\langle W_k^{g(b_i,b_j)}, c_k \rangle \oplus R_{W_i^{b_i}}(c_j) \oplus R_{W_j^{b_j}}(c_i)$, where $0 \le b_i, b_j \le 1$ and $c_i = \pi_i(b_i)$, $c_j = \pi_j(b_j)$.
  • the entry does not have to include the index $(c_i, c_j)$, since this is implicit in the entry's location in the table.
  • In step 528, for each gate in circuit 506, B sends to A the table $T_g$ 522 that codes the gate.
  • B also sends to A the table $T_0$ 526 that decrypts the garbled values of the output of the circuit to the output bits of the circuit.
  • In step 532, for each input wire of the circuit, A and B engage in an Oblivious Transfer, at the end of which A learns the garbled value of the wire's input bit (but nothing about the garbled value corresponding to the other possible value of that wire), and B learns nothing.
  • A now has enough information to compute the circuit.
  • A computes the output of the circuit for the input x.
  • Since A does not know the garbled values for any other input bits, A cannot compute information about $f(x_0)$ for any $x_0 \neq x$ (except, of course, information that can be deduced from $f(x)$ alone). Note that the communication between the two participants A and B can be done in a single back-and-forth round, and B can prepare the circuit in advance, before the input is known to A.
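The following is an added illustration of the two-party protocol just described (it is not code from the patent or from REFERENCE 7). It garbles a small circuit for f(a, b) = [a > b] on 2-bit inputs with exactly the table form of Figure 6, then evaluates it as A would. Assumptions beyond the text: HMAC-SHA256 stands in for the pseudo-random function R, garbled wire values are 128 bits, the output translation table $T_0$ is realised as the permutations of the output wires, and the oblivious transfer of step 532 is replaced by a direct hand-over (marked in the code) so the example runs offline.

```python
"""Added example: Yao-style garbling and evaluation with the table format of Figure 6.
Illustration code for this page, not the patent's own implementation. Assumes
HMAC-SHA256 as the PRF R, 128-bit garbled values, and a stand-in for oblivious transfer."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Tuple

KEY_LEN = 16  # bytes per garbled wire value; the text asks for keys of at least ~80 bits
# A gate is (output wire k, input wire i, input wire j, g) with g: {0,1} x {0,1} -> {0,1}
Gate = Tuple[int, int, int, Callable[[int, int], int]]


def prf(key: bytes, c: int) -> bytes:
    """R keyed by a garbled wire value W, applied to a permuted bit c (assumption: HMAC-SHA256).
    Output trimmed to the size of one table entry: a garbled value plus one permuted bit."""
    return hmac.new(key, bytes([c]), hashlib.sha256).digest()[: KEY_LEN + 1]


def xor(*parts: bytes) -> bytes:
    out = bytearray(parts[0])
    for part in parts[1:]:
        for n, byte in enumerate(part):
            out[n] ^= byte
    return bytes(out)


def garble(circuit: List[Gate], n_wires: int):
    """B's side (steps 508-524): random pair (W_w^0, W_w^1) and random permutation pi_w
    for every wire w, and one four-entry table T_g per gate."""
    W = [(secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)) for _ in range(n_wires)]
    pi = [secrets.randbelow(2) for _ in range(n_wires)]
    tables: Dict[int, Dict[Tuple[int, int], bytes]] = {}
    for k, i, j, g in circuit:
        T_g: Dict[Tuple[int, int], bytes] = {}
        for b_i in (0, 1):
            for b_j in (0, 1):
                c_i, c_j = b_i ^ pi[i], b_j ^ pi[j]  # c = pi(b): the permuted bit
                b_k = g(b_i, b_j)
                # entry (c_i, c_j) = <W_k^{g(b_i,b_j)}, c_k> XOR R_{W_i^{b_i}}(c_j) XOR R_{W_j^{b_j}}(c_i)
                plain = W[k][b_k] + bytes([b_k ^ pi[k]])
                T_g[(c_i, c_j)] = xor(plain, prf(W[i][b_i], c_j), prf(W[j][b_j], c_i))
        tables[k] = T_g
    return W, pi, tables


def evaluate(circuit, tables, garbled_inputs, outputs, T_0):
    """A's side: holds exactly one (W_w^{b_w}, c_w) pair per input wire and walks the gates
    in topological order. The permuted bits pick the table entry; T_0 (here pi_k of each
    output wire) turns the output's c_k back into the cleartext bit b_k."""
    wires: Dict[int, Tuple[bytes, int]] = dict(garbled_inputs)
    for k, i, j, _g in circuit:
        W_i, c_i = wires[i]
        W_j, c_j = wires[j]
        plain = xor(tables[k][(c_i, c_j)], prf(W_i, c_j), prf(W_j, c_i))
        wires[k] = (plain[:KEY_LEN], plain[KEY_LEN])
    return [wires[k][1] ^ T_0[k] for k in outputs]


def and_not(x: int, y: int) -> int:
    return x & (1 - y)


def xnor(x: int, y: int) -> int:
    return 1 - (x ^ y)


def greater_than_2bit() -> Tuple[List[Gate], int, List[int]]:
    """f(a, b) = [a > b] for 2-bit a, b. Wires 0,1 = a1,a0 and wires 2,3 = b1,b0 (msb first)."""
    circuit: List[Gate] = [
        (4, 0, 2, and_not),             # a1 > b1
        (5, 0, 2, xnor),                # a1 == b1
        (6, 1, 3, and_not),             # a0 > b0
        (7, 5, 6, lambda x, y: x & y),  # a1 == b1 AND a0 > b0
        (8, 4, 7, lambda x, y: x | y),  # a1 > b1 OR the above
    ]
    return circuit, 9, [8]


def run_two_party(a: int, b: int) -> int:
    """Whole exchange: B garbles f without seeing x = (a, b); A receives one garbled value
    per input wire and evaluates. Returns f(x) = 1 iff a > b."""
    circuit, n_wires, outputs = greater_than_2bit()
    W, pi, tables = garble(circuit, n_wires)
    T_0 = {k: pi[k] for k in outputs}  # output translation table (step 524)
    x = {0: (a >> 1) & 1, 1: a & 1, 2: (b >> 1) & 1, 3: b & 1}
    # Stand-in for the oblivious transfer of step 532: A obtains (W_w^{x_w}, pi_w(x_w)) and nothing else.
    garbled_inputs = {w: (W[w][bit], bit ^ pi[w]) for w, bit in x.items()}
    return evaluate(circuit, tables, garbled_inputs, outputs, T_0)[0]
```

The point to notice is that A never handles a cleartext bit of any internal wire: it decrypts exactly one of the four entries of each table using the two garbled values it holds, learns a fresh garbled value plus a permuted bit, and only the output translation table turns the final permuted bit back into f(x).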
  • REFERENCE 7 (Yao's protocol) is limited to two participants, but has been extended in the prior art to handle multi-party inputs, see REFERENCE 3. These extended protocols, however, require a round of communication for each gate in the circuit, which is impractical in many applications, such as auctions.
  • the method of REFERENCE 3 would require extensive interactive communication among the bidders in an auction, and is therefore not suitable.
  • the present invention does not impose the burden of extensive interactive communication and does not require the bidders to communicate among themselves, and therefore represents an improvement over the prior art of REFERENCES 7 and 3.
  • the prior art of REFERENCE 3 is secure only against limited coalitions of less than one-third of the parties.
  • a commitment to a value X is similar to the following process: party B which knows the value of X writes it on a piece of paper which is put in a sealed envelope. At this stage no one can learn anything about X, but B is committed to X and cannot change the value in the envelope. At a later stage B can "open the commitment" by opening the envelope and revealing X.
  • a commitment to a value X is computed by a function
  • the first stage is the announcement. This stage is carried out by the center 421 announcing in step 401 that it will compute F.
  • Let K be a security parameter.
  • the center constructs in step 402 K garbled circuits that compute F. For each input wire j of each of the circuits the center chooses in step 403 a random permutation P.sub.j over the two values 0 and 1.
  • the center publishes in step 404 the tables of the gates of the K circuits 422. For each input wire j (in each of the circuits) it publishes in step 404 a commitment to W.sub.j.sup.0 and a commitment to W.sub.j.sup.1, ordered by the permutation P.sub.j, and a commitment to P.sub.j.
  • Each party B.sub.i has an input x.sub.i of l bits.
  • the bits of this input are denoted as x.sub.(i,1), ..., x.sub.(i,l).
  • Each input bit should be input to an input wire in each of the K circuits.
  • for each input wire j assigned to one of B.sub.i's input bits, the center sends in step 405 to B.sub.i the permutation P.sub.j. B.sub.i sends in response in step 406 a commitment 424 to P.sub.j(x.sub.(i,l)), i.e. to the permuted value of its input bit.
  • the next stage is to publish the commitments.
  • the center 421 publishes in step 407 the commitments 424 it received from the parties.
  • the next stage is to open the commitments.
  • the parties 420 choose K/2 of the K circuits that the center has created and ask the center to open in step 408 all the commitments to the permutations and garbled inputs of these K/2 circuits 423. They verify in step 409 that these circuits indeed compute F.
  • Each of the parties B.sub.i sends in step 410 its input x.sub.i to the center.
  • B.sub.i also opens to the center the commitments that it made to each of its assigned input wires. These were for values 0 or 1 which are the permuted values of B.sub.i's inputs.
  • the center verifies in step 411 that these commitments are consistent.
  • the center publishes in step 412 the opened commitments 425 of each of the parties, and opens the garbled values W.sub.j.sup.0 or W.sub.j.sup.1 that correspond to them.
  • the center computes the function in step 413 and publishes the output of each of the K/2 circuits which were not chosen by the parties.
  • each party 420 can verify the computations of the center 421.
  • Each B.sub.i can use the opened garbled values 425 and the tables of the gates 422 to compute the output of each of the K/2 circuits, and verify in step 414 that they all have the same output.
  • a problem arises if a party does not open its commitment. For example, a party might refuse to communicate with the center at the step at which the commitments should be opened.
  • This type of behavior enables cheating. For example, in the case of second-price auctions the center itself might use fake identities of bidders in order to commit to bids of different values, and open only those bids which are smaller than the highest value among all other bids. This behavior might increase the amount that the winner is required to pay.
  • One approach for dealing with parties that do not open their commitments appropriately would be to require parties to also submit their bids to a trusted third party T.
  • the help of the trusted party T is not required, if all parties open their commitments.
  • the trusted party T can be called upon to open it.
  • Such a scheme can be realized, for example, by using commitments of the following form: the public key of trusted party T would be known to everyone.
  • a commitment to a value v would be an encryption of this value with T's public key (say with a probabilistic encryption scheme which ensures indistinguishability).
  • the party who created this commitment can open it by revealing v and showing how it encrypted it. If this party refuses to open the commitment then trusted party T can open it using its private key.
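The following added example (written for this page, not taken from the patent) shows both commitment forms discussed above: the plain "sealed envelope" that only its owner can open, and the variant where the commitment is a probabilistic encryption of the value under trusted party T's public key, so that T can open it when the committer refuses. It then runs the second-price scenario described above with one bidder withholding its opening. Assumptions: SHA-256 as the hash for the plain commitment, textbook ElGamal over the toy modulus 2^127 - 1 as the probabilistic encryption (illustration only, far too small for real use), small non-negative integer bids, and constructed bidder names and values.

```python
"""Added example: commitments, and commitments that trusted party T can force open.
Illustration only: toy ElGamal parameters, not a production scheme."""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple


# --- plain commitment: c = H(v || r), opened by revealing (v, r) -----------------
def commit(v: int, r: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Sealed envelope: fresh randomness r hides v; c binds the committer to v."""
    r = r if r is not None else secrets.token_bytes(32)
    return hashlib.sha256(v.to_bytes(8, "big") + r).digest(), r


def verify_opening(c: bytes, v: int, r: bytes) -> bool:
    return hashlib.sha256(v.to_bytes(8, "big") + r).digest() == c


# --- commitment as encryption under T's public key (toy ElGamal; assumption) ----------
P = 2**127 - 1  # Mersenne prime used as a toy modulus
G = 3           # toy generator


class TrustedParty:
    def __init__(self) -> None:
        self.sk = secrets.randbelow(P - 2) + 1
        self.pk = pow(G, self.sk, P)

    def force_open(self, c: Tuple[int, int]) -> int:
        """T's fallback: decrypt a commitment whose owner refuses to open it."""
        c1, c2 = c
        m = c2 * pow(c1, P - 1 - self.sk, P) % P  # c2 * (c1^sk)^-1 = v + 1
        return m - 1


def commit_to_T(v: int, pk: int, r: Optional[int] = None) -> Tuple[Tuple[int, int], int]:
    """Commitment = probabilistic encryption of v under T's key; (v, r) is the opening.
    v + 1 is encrypted so that a zero bid is still a nonzero group element."""
    r = r if r is not None else secrets.randbelow(P - 2) + 1
    return (pow(G, r, P), (v + 1) * pow(pk, r, P) % P), r


def verify_T_opening(c: Tuple[int, int], v: int, r: int, pk: int) -> bool:
    """Anyone checks an opening by re-encrypting v with the revealed randomness r."""
    return commit_to_T(v, pk, r)[0] == c


def second_price(T: TrustedParty, commitments: Dict[str, Tuple[int, int]],
                 openings: Dict[str, Tuple[int, int]]) -> Tuple[str, int, List[str]]:
    """Center resolves a second-price auction. Every committed bid must enter the
    computation: a bidder that sends no opening, or an inconsistent one, has its
    commitment opened by T, so withholding a bid cannot lower the price paid."""
    bids: Dict[str, int] = {}
    forced: List[str] = []
    for name, c in commitments.items():
        if name in openings and verify_T_opening(c, *openings[name], T.pk):
            bids[name] = openings[name][0]
        else:
            bids[name] = T.force_open(c)
            forced.append(name)
    ranked = sorted(bids.items(), key=lambda kv: kv[1], reverse=True)
    winner = ranked[0][0]
    price = ranked[1][1] if len(ranked) > 1 else ranked[0][1]
    return winner, price, forced


if __name__ == "__main__":
    T = TrustedParty()
    # Constructed bids: carol commits to 9 but never opens.
    c_a, r_a = commit_to_T(10, T.pk)
    c_b, r_b = commit_to_T(8, T.pk)
    c_c, r_c = commit_to_T(9, T.pk)
    print(second_price(T, {"alice": c_a, "bob": c_b, "carol": c_c},
                       {"alice": (10, r_a), "bob": (8, r_b)}))
```

With carol's commitment left unopened the winner would pay 8; because T can open it, the price is 9 and the attempt to manipulate the second price by withholding a bid fails. Note what T is trusted with: T can read every bid, which is exactly the privacy cost the text accepts in exchange for robustness against non-opening parties.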

Landscapes

  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Development Economics (AREA)
  • Economics (AREA)
  • Marketing (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to a method and system for preserving the honesty of a negotiation, consisting in building an architecture comprising a center A and a set of users B.sub.1, B.sub.2, ..., B.sub.n. Each user B.sub.i creates an input X.sub.i, which is submitted to the center A; the center computes and publishes a function F(X.sub.1, X.sub.2, ..., X.sub.n) based on the input messages it has received. Each user B.sub.i (1<=i<=n) communicates exclusively with the center A, which publishes additional information allowing the users to verify that F was computed correctly, while preventing any coalition of a subset of users from learning anything beyond what can be computed from the output of the function F(X.sub.1, ..., X.sub.n) and their own inputs, in particular any information about the inputs of the other users.
PCT/US2000/021615 1999-08-10 2000-08-08 Preservation de la loyaute de negociations et de calculs WO2001011527A2 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US09/807,099 US7240198B1 (en) 2000-08-08 2000-08-08 Honesty preserving negotiation and computation

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US14818399P 1999-08-10 1999-08-10
US60/148,183 1999-08-10

Publications (2)

Publication Number Publication Date
WO2001011527A2 true WO2001011527A2 (fr) 2001-02-15
WO2001011527A8 WO2001011527A8 (fr) 2002-02-21

Family

ID=22524652

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/021615 WO2001011527A2 (fr) 1999-08-10 2000-08-08 Preservation de la loyaute de negociations et de calculs

Country Status (1)

Country Link
WO (1) WO2001011527A2 (fr)


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
No Search *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6834272B1 (en) 1999-08-10 2004-12-21 Yeda Research And Development Company Ltd. Privacy preserving negotiation and computation
GB2381173A (en) * 2001-10-15 2003-04-23 Hewlett Packard Co Method and apparatus for encrypting data
GB2381173B (en) * 2001-10-15 2004-06-30 Hewlett Packard Co Method and apparatus for encrypting data
US7219226B2 (en) 2001-10-15 2007-05-15 Hewlett-Packard Company Method and apparatus for encrypting data
US7263191B2 (en) 2001-10-15 2007-08-28 Hewlett-Packard Development Company, L.P. Method and apparatus for encrypting data
US7330969B2 (en) 2001-10-15 2008-02-12 Hewlett-Packard Development Company, L.P. Method and apparatus for data validation
US8526621B2 (en) 2006-12-01 2013-09-03 President And Fellows Of Harvard College Method and apparatus for time-lapse cryptography

Also Published As

Publication number Publication date
WO2001011527A8 (fr) 2002-02-21

Similar Documents

Publication Publication Date Title
US6834272B1 (en) Privacy preserving negotiation and computation
Naor et al. Privacy preserving auctions and mechanism design
Kikuchi et al. Multi-round anonymous auction protocols
Cachin Efficient private bidding and auctions with an oblivious third party
Parkes et al. Practical secrecy-preserving, verifiably correct and trustworthy auctions
Bogetoft et al. Secure multiparty computation goes live
US7240198B1 (en) Honesty preserving negotiation and computation
Brandt How to obtain full privacy in auctions
Bag et al. SEAL: Sealed-bid auction without auctioneers
US11069171B2 (en) System and method for cryptographic choice mechanisms
Brandt A verifiable, bidder-resolved auction protocol
Brandt Secure and private auctions without auctioneers
Blake et al. Conditional encrypted mapping and comparing encrypted numbers
Brandt Cryptographic protocols for secure second-price auctions
CN111784483A (zh) A secure multi-party computation protocol algorithm combining Pedersen commitments with the Schnorr protocol
WO2001011527A2 (fr) Preservation de la loyaute de negociations et de calculs
Blake et al. One-round secure comparison of integers
Brandt Auctions
US11538070B2 (en) Blockchain-based system and method for peer-to-peer online advertising auction
Mamageishvili et al. Mechanism design and blockchains
JP4336105B2 (ja) Method and system for processing customer requests
Wong et al. Toward a fair indictment for sealed-bid auction with self-enforcing privacy
Kolesnikov Secure two-party computation and communication
Ibrahim A novel approach to fully private and secure auction: A sealed-bid knapsack auction
Yang et al. An Anonymous Auction Protocol Based on GDH Assumption.

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): CA IL JP US

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE

WWE Wipo information: entry into national phase

Ref document number: 09807099

Country of ref document: US

121 Ep: the epo has been informed by wipo that ep was designated in this application
AK Designated states

Kind code of ref document: C1

Designated state(s): CA IL JP US

AL Designated countries for regional patents

Kind code of ref document: C1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE

D17 Declaration under article 17(2)a
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP