Secure market clearing mechanisms

INDIAN INSTITUTE OF MANAGEMENT CALCUTTA

WORKING PAPER SERIES

WPS No. 582/ January 2006

Secure market clearing mechanisms: Selected issues

by Sumit Chakraborty, Satish Kumar Sehgal

Doctoral student, IIM Calcutta, Diamond Harbour Road, Joka P.O., Kolkata 700 104, India

&

Asim Kumar Pal

Professor, IIM Calcutta, Diamond Harbour Road, Joka P.O., Kolkata 700 104, India

Secure market clearing mechanisms: Selected issues
Sumit Chakraborty, Satish Kumar Sehgal & Asim Kumar Pal
Management Information Systems, Indian Institute of Management Calcutta
Joka, Diamond Harbour Road, Kolkata – 700104, West Bengal, India
Phone number: 0091-033-24678300, Fax: 0091-033-24678307


Abstract

Economic mechanisms are designed to achieve an efficient allocation of resources in a demand-driven supply chain network. In order to select the right allocation protocol for a certain situation, it is important to know the characteristics of different negotiation situations and the related market clearing mechanisms. The sharing of information is important for efficient coordination of operational processes across the supply chain. But the partners of a supply chain are often reluctant to disclose sensitive strategic information, perceiving that such information can either be used by the supply chain partners or be disclosed to their competitors. Privacy is a critical issue for efficient supply chain management. This paper presents two privacy-preserving market-clearing mechanisms integrating the concepts of secure multi-party computation and supply chain management. The first protocol is useful for a discriminatory pricing based market-clearing mechanism: different buyers pay different prices to the supplier. The protocol does not use any mediator. The second protocol is useful for a nondiscriminatory pricing based market-clearing mechanism: all buyers pay the same unit price to the supplier. Both protocols preserve the privacy of the buyers and the supplier regarding their inputs, i.e. demand and price allocation model. The design of such market clearing mechanisms is useful for several applications: resource and task allocation in multi-agent systems, auctions, reverse auctions, price negotiations in electronic markets and supply chain interaction.

Keywords: Discriminatory pricing, Non-discriminatory pricing, Privacy, Secure multi-party computation, Market clearing transaction, Supply chain.

1. Introduction

The rapid expansion of the global market, the explosive growth of information and communication technologies, aggressive competition and changing economic and social conditions have triggered tremendous opportunity to conduct business electronically. Electronic market operations like e-auctions, e-negotiations and e-procurement have become commonplace today. Online B2B and B2C exchanges are expected to automate collaboration among strategic partners of the integrated demand and supply chain by providing transparency and lowering the cost of intercompany transactions. However, lack of privacy and trust in electronic exchange mechanisms are the most serious threats to a full deployment of digital business (Welty & Fernandez, 2001).

A supply chain is a network of organizations that satisfies the demand of ultimate customers by generating value in the form of products and services. Supply chain management is a novel management paradigm; the basic objective is to improve the competitiveness of the supply chain and to fulfill ultimate customer demands by integrating a network of organizational units through systematic coordination of material, information and financial flows (Stadler and Kilger, 2002). A supply chain includes all the stages involved directly or indirectly in business processes: suppliers, manufacturers, distributors and customers. Each stage of the supply chain performs different processes and interacts with other stages of the supply chain; there is a constant flow of material, information and funds between different stages.

The issue of how best to manage a decentralized collaborative supply chain has received considerable attention from OR/MS researchers. All of these research works discuss the importance of sharing appropriate strategic data for greater transparency and accuracy of supply chain planning. Aviv (2001) developed a collaborative forecasting model on the basis of the interaction of inventory and forecasting in a two-stage supply chain of a single product with stochastic demand. The supply chain partners jointly maintain and update a single forecasting process. Akkermans et al. (2004) have shown how supply chain transparency is created in a collaborative planning setting in the high-tech electronics sector. The interplay between trust and technology can reduce transaction costs and encourage trust and commitment among organizations.

The sharing of information is important for efficient coordination of operational processes across the supply chain. But the partners of a supply chain are often reluctant to disclose sensitive strategic information, perceiving that such information can either be used by the supply chain partners or be divulged to their competitors. The gap that has remained in the research so far is how privacy can be ensured in the exchange of strategic information for collaborative supply chain management. Most research studies simply discuss the issue of information sharing without addressing the question of privacy. We have tried to reduce this gap by designing a privacy-preserving market-clearing transaction protocol.

Economic mechanisms are designed to achieve an efficient allocation of resources in a demand-driven supply chain network. In order to select the right allocation protocol for a certain situation, it is important to know the characteristics of different negotiation situations and the related market clearing mechanisms (Bichler et al., 2003). The design of market clearing mechanisms is useful for several applications: resource and task allocation in multi-agent systems, auctions, reverse auctions, price negotiation in electronic markets and supply chain interaction.

Market clearing mechanism

Sandholm and Suri (2001) investigated the problem of market-clearing mechanisms based on discriminatory pricing for multi-agent bidding systems. They considered an e-market setting where the bidder expresses his preferences via a demand curve indicating the quantity q(p) he will accept at each unit price p. If his bid is cleared at price p, he receives q(p) units for a total price of p·q(p). Several computational e-markets have been designed on the basis of piecewise linear or step function demand curves of the buying agents. The objective of the supplier is to find the minimum number of units to be sold to the bidders with maximum possible revenue.

Atallah et al. (2003) designed secure supply chain collaboration protocols for two types of supply chain interaction: capacity allocation and market clearing transactions under discriminatory and nondiscriminatory pricing. This work integrates three distinct research areas: secure multi-party computation, mechanism design and supply chain management. The protocols enable the supply chain partners to achieve desired goals without revealing private information of any of the parties, even though the jointly computed decisions require information from all the parties.

In this paper, we present two privacy-preserving market-clearing mechanisms for discriminatory and nondiscriminatory pricing based transactions. The paper is organized as follows. Section 2 presents the basic building block of the solution methodology, secure multi-party computation. Section 3 describes the discriminatory pricing based market-clearing mechanism. Section 4 discusses the nondiscriminatory pricing based market-clearing mechanism. Section 5 concludes the paper.

2.0 Basic building blocks - Secure multiparty computation

The basic building block of our solution methodology is secure multiparty computation. Two or more agents want to conduct a computation based on their private inputs, but none of them wants to share his proprietary data set with the others. The objective of secure multiparty computation (SMC) is to compute a public function with each party's private input such that in the end only the evaluation result is known and the private inputs are not exposed, except for what can be derived from the result (Du and Atallah, 2001). In secure multi-party computation, a single building block may not be sufficient to accomplish a task; a series of steps should be executed to solve the given problem. Such a well-defined series of steps is called an SMC protocol.

Lindell (2003) defined some useful properties of an SMC protocol: privacy, correctness, independence of inputs, guaranteed output delivery and fairness. A protocol ensures privacy if the input of each party is not disclosed to other parties; only the output of the computation should be revealed. The protocol ensures correctness if each party is guaranteed that the output it receives is correct. Corrupted parties must select their inputs independently of the inputs of honest parties, but they should not be able to prevent honest parties from receiving their output. Corrupted parties should receive their outputs if and only if the honest parties also receive their outputs, and this ensures fairness of the protocol.

In the study of SMC problems, two models are commonly assumed (Vaidya, 2004): the semi-honest model and the malicious model. A semi-honest party follows the protocol properly with correct input. But after the execution of the protocol, he is free to use all its intermediate computations to compromise privacy. A malicious party does not need to follow the protocol properly with correct input; it can substitute its local input and enter the protocol with an incorrect input. A third party may exist in a protocol. A trusted third party is given all data; it performs the computation and delivers the result. In some SMC protocols, an untrusted third party is used to improve efficiency.

A protocol preserves privacy if no agent learns anything more than its prescribed output (Lindell, 2003). In particular, the only information that should be disclosed about other agents' inputs is what can be derived from the output itself. Secure multi-party computation generally preserves privacy of data through the following methods (Du & Atallah, 2001; Sehgal, 2005):

1. Adding random noise to data - The basic idea of data perturbation is to alter the data so that real individual data values cannot be recovered. For an input x ∈ X, it is assumed that (x + r) effectively preserves the privacy of x if r is a secret random number uniformly distributed in a domain Y where |Y| >> |X|.
2. Splitting a message into multiple parts randomly and sending the message to the target audience through a number of parties, so that the identity of the original sender is hidden.
3. Controlling the sequence of passing selected messages from one party to other parties (in serial or parallel mode), in contrast with the centralized or broadcast mode of communication.
4. Dynamically changing the sequence of events and actors through election or random selection.
5. Permuting the sequence of message strings randomly.

Secure multi-party computation covers a wide range of topics. In the following sections, we describe two specific areas of SMC which are useful for the design of our privacy-preserving discriminatory pricing based market-clearing mechanism: oblivious transfer and secure function evaluation. We also give a basic overview of homomorphic encryption.

2.1 Oblivious transfer

Oblivious transfer (OT) is a bi-party protocol wherein a receiver learns some information regarding the input of the sender such that the sender does not know what the receiver has learnt. The notion of oblivious transfer has several versions. Rabin introduced the concept of oblivious transfer. In the original OT problem, the receiver learns the secret of the sender with probability ½. 1-out-of-2 oblivious transfer (OT12) is a protocol by which a sender (S) transfers ignorantly to a receiver (R) one out of two recognizable secret messages (Even, Goldreich and Lempel, 1985). 1-out-of-n oblivious transfer is a protocol between two parties where the sender holds n inputs. At the end of the protocol, the receiver learns only 1 out of n inputs and the sender should not know which input the receiver learns (Naor and Pinkas, 1999). Oblivious transfer is a fundamental primitive of secure distributed computation and has many applications such as private bidding, private information retrieval and fair electronic contract signing. Oblivious transfer is a useful building block of secure function evaluation.

2.2 Secure function evaluation

Alice with an input x and Bob with an input y want to evaluate a function z = f(x,y) based on their joint inputs in such a way that neither agent gains more information than necessary about the other's input. Alice and Bob can achieve this through a protocol known as secure function evaluation (Naor and Nissim, 2001). In the field of secure function evaluation, f is represented in various ways: garbled circuit construction (Yao, 1982), combinatorial circuit (Goldreich, 1987), algebraic circuit (Ben-Or et al., 1988), as a product of matrices over a large field (Feige et al., 1994), low degree polynomial (Beaver et al., 1990) and randomizing polynomials (Ishai and Kushilevitz, 2000). The underlying model of Naor and Nissim (2001) is the communication complexity tree, which results in savings in the communication and computational complexity. They proposed communication preserving secure function evaluation protocols based on private indirect indexing using oblivious transfer.

In this paper, we have applied the concept of secure function evaluation for private computation of the optimum demand and price of each buyer.

2.3 Homomorphic encryption

Several secure multiparty protocols need a public key cryptosystem with a homomorphic property. Let E denote a probabilistic encryption scheme, and let M and C be the message space and ciphertext space respectively. C is a group under operation ⊗ and M is a group under operation ⊕. Let $c_1 = E_{r_1}(m_1)$ and $c_2 = E_{r_2}(m_2)$. E is called a (⊕,⊗)-homomorphic encryption scheme if for any instance E of the encryption scheme, there exists r such that $c_1 \otimes c_2 = E_r(m_1 \oplus m_2)$ (Cramer et al., 1997). A good property of homomorphic encryption is that addition can be conducted on the encrypted data privately. For a (⊕,⊗) scheme, if $c_i$ is the encryption of a single vote, then by decrypting $c = c_1 \otimes \dots \otimes c_m$ one can obtain the tally of the bidding without decrypting any single vote. Paillier's cryptosystem has the additive homomorphic property (Paillier, 1999). It is also useful for constructing a homomorphic commitment scheme, which enables an agent to commit to a value while keeping it secret. Any commitment scheme defines two steps, commit and reveal (Delfs, 2002). In the commit step, the sender (S) sends the committed message in encrypted form to the receiver (R). R does not learn anything about the committed value. S cannot change the committed value after the commit step. In the reveal step, S sends additional information to R, and R recovers the committed message if both S and R follow the protocol correctly.

3.0 Discriminatory pricing based market-clearing mechanism

3.1 Literature survey

The theme of the discriminatory pricing based model is that different buyers pay different prices to the supplier. Sandholm and Suri (2001) investigated the problem of the discriminatory price auction, wherein the objective of the supplier is to maximize revenue subject to capacity constraints. They designed a polynomial algorithm assuming that all bids are downward sloping linear demand curves. According to this scheme, the seller first computes the unconstrained optimal solution for each bid independently, then allocates his capacity. In case of shortage of capacity, the supplier increases the unit price uniformly for all bids until either the solution becomes feasible or the price becomes infeasible for some bids.

In this context, Atallah et al. (2003) proposed a secure version of the "All-or-none" framework: a supplier has to accept or reject all orders based on his supply curve. Each buyer commits his orders as a single price-quantity pair. The buyers do not disclose their demand (or orders) to the supplier before the supplier's decision is made regarding the allocation. Let (p_i, d_i) be the price-quantity pair of buyer i and let the supply curve of the supplier be q = p + θ. The supply curve is unknown to the buyers. Without knowing an individual buyer's order, the supplier needs to know whether the total revenue satisfies

$$\sum_{i=1}^{n} p_i d_i \;\ge\; \Big(\sum_{i=1}^{n} d_i - \theta\Big)\cdot\Big(\sum_{i=1}^{n} d_i\Big);$$

if not, he will reject all orders. This is ultimately a private comparison problem; the supplier learns the cumulative demand, without any disclosure of an individual buyer's demand, through a homomorphic encryption based secure summation scheme.

Atallah et al. (2003) also proposed a generic description of a discriminatory pricing based market-clearing scheme using a proxy (mediator). The scheme involves three different types of participants: a supplier, a group of buyers and a proxy (distributor). In this scheme, each buyer initially does not reveal his demand to the supplier or the proxy unless his demand is fulfilled. The proxy knows the maximum capacity (C) and the capacity allocation model of the supplier. A protocol is run between the proxy and the buyers to decide the allocation of each buyer (q_i). Next, a protocol is run between each buyer and the supplier to settle the revenue. The supplier collects the revenue from each buyer. The proxy informs the supplier about the cumulative demand; the supplier dispatches the required items to the proxy accordingly. Finally, the proxy distributes the items to the buyers. The scheme takes care of collusion of the supplier with the buyers; it also helps the supplier to detect any cheating by the proxy in communicating distorted cumulative demand information. We have observed some critical aspects of this scheme, as given below.

1. Atallah's scheme assumes that the proxy (mediator) does not disclose the capacity and capacity allocation model of the supplier to the buyers. The proxy is assumed to be trustworthy and honest. A dishonest proxy can reveal this information to the buyers. So, the privacy of the supplier is not preserved.
2. The proxy knows the allocation of each buyer. He can sell this information to the supplier.
3. The protocol is designed in such a way that the supplier cannot know the demand of each individual buyer; it knows only the revenue to be collected from each buyer and the total demand of all buyers. The proxy plays the role of the distributor. Such a scheme may not be practical, since the supplier does not get sufficient information about an individual buyer's demand for efficient customer relationship management in future.
4. The scheme assumes the possibility of interaction among buyers; the objective is to prevent collusion and dishonest behavior of the proxy. Practically, such interaction among the buyers may not be feasible.

3.2 The problem

There is a set of n buyers {B_i, i=1,…,n} and the supplier (S). S has a price-allocation model g and each buyer B_i has a demand curve d = f_i(p). The price and allocation are decided on the basis of g and f. This requires the buyers to inform the supplier about their demand curves, which is not acceptable, as it leads to considerable information loss that can be used for strategic reasons in future by the supplier. The objective is to compute g(f_i(p)) in such a way that B_i can learn only what can be inferred from g(f_i(p)) regarding the optimal price and the allocated quantity (p*, d*). Another important aspect is to compute the allocation of multiple buyers under capacity constraints. In this paper, we propose a discriminatory pricing based market-clearing mechanism satisfying the following assumptions and requirements.

Assumptions:
1. S may adopt various types of price-allocation models, such as the revenue maximization model, profit maximization model, break-even pricing model and coupon pricing (Jagpal, 1999). But for a particular case of negotiation, the supplier should adopt a specific price-allocation model g, i.e. S commits to g and adheres to g throughout the negotiation.
2. For a particular case of negotiation, buyers may have different types of demand curve: linear (with different slopes), step function or nonlinear. But a buyer commits to a particular demand curve f, which he does not change during negotiation.
3. Both the buyers and the supplier are assumed to be semi-honest.

Requirements:
1. No buyer should learn the price allocation model g of the supplier during negotiation.
2. The supplier should not learn the demand function f of any buyer.

3.3 Proposed discriminatory pricing based market-clearing mechanism

We propose a discriminatory pricing based market-clearing mechanism without using any mediator.

1. Each buyer (B_i) estimates the optimal price and demand (p*_i, d*_i) privately using the secure function evaluation protocol (as discussed in section 3.3.1) and gives the supplier a cryptographic commitment to (p*_i, d*_i). B_i does not reveal (p*_i, d*_i) to the supplier (S) unless he is satisfied with his allocation.
2. S privately computes $\sum_{i=1}^{n} d^*_i$ using the protocol discussed in section 3.3.2 and compares it with the total production capacity.
3. Each buyer (B_i) learns his allocation (q_i) through the secure capacity allocation protocol (as discussed in section 3.3.3).
4. If B_i is satisfied with his allocation, he reveals (p*_i, d*_i, q_i) to S; S verifies the commitment of B_i (section 3.3.4).
5. S distributes q_i to B_i and collects revenue (p*_i · q_i) from B_i.

The aforesaid scheme differs from Atallah's protocol in several respects. Our scheme does not assume any mediator. So, there is no chance of collusion or dishonest behavior on the part of a mediator. The scheme is designed in such a way that the supplier initially cannot know the demand and price of each individual buyer. If the buyer is satisfied with his allocation, he discloses the information on individual demand, price and allocation to the supplier. The supplier verifies the commitment of the buyers. The supplier plays the role of the distributor and holds all information required for efficient customer relationship management. So, it is a partially private bidding process. The protocol requires communication between each buyer and the supplier; there is no interaction among the buyers. The protocol involves the following types of computation:

1. Private computation of (p*, d*) for each buyer.
2. Private estimation of the cumulative demand of all the buyers.
3. Execution of the secure capacity allocation protocol.
4. Verification of commitment.

3.3.1 Privacy preserving protocol to find (p*, d*)

3.3.1.1 Privacy preserving protocol to find (p*, d*) - without mediator

Let the supplier be Alice and the buyer be Bob. Bob has a function f(p) which depends on price p. Alice has a function g(f(p)), where g represents an optimization function, e.g. a price-allocation model. It is required that after the execution of the protocol, Bob knows p* and f(p*), where p* = max_p g(f(p)). Actually, p* is a function of g. For simplicity p* is being used in place of p*(g) unless it is clear from the context. The following protocol is based on the concept of private indexing (Naor and Nissim, 2001):

Inputs: Alice holds a price allocation model g and Bob holds a demand curve f.

1. Bob generates a secret random index j where 1 ≤ j ≤ n. This is a secret known only to Bob. Bob also generates (n-1) random demand curves, places his actual demand curve f at the random position j and sends the sequence (f_1, f_2, …, f_j, …, f_n) to Alice.
2. Alice computes g for each received demand function and holds the list y = (g(f_1), g(f_2), …, g(f_j), …, g(f_n)).
3. Alice and Bob run a 1-out-of-n oblivious transfer protocol between the list y and index j; Bob learns g(f_j) = (p*, d*).
4. Bob asks Alice for the required parameters to compute the output (p*, d*).

Discussion

In this protocol, Alice cannot get any idea about the demand curve of Bob. On the other side, Bob cannot know the price allocation model of Alice. This protocol avoids the threat of collusion since there is no mediator. The protocol requires communication between Alice and Bob only. Bob knows the formula of (p*, d*) but Alice does not. The protocol requires the following types of computation:

1. Generation of (n-1) random demand functions.
2. Computation of n values of g(f).
3. Private indexing through oblivious transfer - The complexity of the 1-out-of-n oblivious transfer protocol is n log n evaluations of a pseudo-random function plus log n invocations of the 1-out-of-2 oblivious transfer protocol (Naor & Pinkas, 1999).

This scheme is not mutually verifiable. The supplier has to depend on the buyer for the information regarding (p*, d*). This limitation can be avoided if we use the following scheme, which requires the service of a mediator.
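Steps 1 to 3 of the private-indexing protocol, as an added Python sketch (not the authors' code). It assumes linear demand curves d = a - b·p, revenue maximisation over a public integer price grid as Alice's g, and a toy RSA-based 1-out-of-n oblivious transfer in the style of Even, Goldreich and Lempel in place of the Naor-Pinkas construction cited above; all function names and key sizes are illustrative.

```python
import secrets

P_MAX = 200  # assumed public integer price grid 1..P_MAX


def g_revenue(curve):
    """Alice's private model g (assumed here: revenue maximisation).
    curve = (a, b) encodes the linear demand d = a - b*p."""
    a, b = curve
    p_star = max(range(1, P_MAX + 1), key=lambda p: p * max(0, a - b * p))
    return p_star, max(0, a - b * p_star)


def encode(pair):
    """Pack (p*, d*) into one integer so it can be sent through the OT."""
    return pair[0] * 10**6 + pair[1]


def decode(m):
    return divmod(m, 10**6)


def bob_hide(real_curve, n):
    """Step 1: Bob places f at a secret index j among n-1 random decoys.
    The decoy distribution is an assumption; it must resemble real curves."""
    j = secrets.randbelow(n)
    curves = [(20 + 2 * secrets.randbelow(200), 1 + secrets.randbelow(5))
              for _ in range(n)]
    curves[j] = real_curve
    return j, curves


class OTSender:
    """Alice's side of a toy RSA-based 1-out-of-n oblivious transfer."""

    def __init__(self, messages):
        p, q = (1 << 61) - 1, (1 << 89) - 1      # Mersenne primes, toy size
        self.N, self.e = p * q, 65537
        self._d = pow(self.e, -1, (p - 1) * (q - 1))
        self._messages = messages
        # One public random value per message, sent to Bob with (N, e).
        self.xs = [secrets.randbelow(self.N) for _ in messages]

    def respond(self, v):
        # k_i = (v - x_i)^d equals Bob's blinding value k only for i = j,
        # so only slot j can be unmasked by Bob.
        return [(m + pow((v - x) % self.N, self._d, self.N)) % self.N
                for m, x in zip(self._messages, self.xs)]


def ot_request(N, e, xs, j):
    """Bob blinds x_j with k^e; v is uniform in Z_N, so it hides j."""
    k = secrets.randbelow(N)
    return k, (xs[j] + pow(k, e, N)) % N


def ot_open(cs, j, k, N):
    return (cs[j] - k) % N


def run_protocol(real_curve, n=8):
    j, curves = bob_hide(real_curve, n)                  # step 1 (Bob)
    y = [encode(g_revenue(c)) for c in curves]           # step 2 (Alice)
    alice = OTSender(y)                                  # step 3 (OT)
    k, v = ot_request(alice.N, alice.e, alice.xs, j)
    cs = alice.respond(v)
    result = decode(ot_open(cs, j, k, alice.N))
    # Count the other slots Bob could open correctly with his k (expected 0).
    leaked = sum(ot_open(cs, i, k, alice.N) == y[i]
                 for i in range(n) if i != j)
    return result, leaked


if __name__ == "__main__":
    result, leaked = run_protocol((100, 2))   # constructed sample curve
    print("Bob learns (p*, d*) =", result, "| other slots opened:", leaked)
```

Alice's view still contains the real curve among the n candidates, so her uncertainty is 1-in-n and depends on the decoys being indistinguishable from genuine demand curves.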

3.3.1.2 Privacy preserving protocol to find (p*, d*) - with mediator

The protocol presented here utilizes the services of a mediator. We require that the mediator should not have any information regarding the optimal solution, the demand curves of the buyer or the price allocation model at the end of the protocol. Similarly, the buyer and the supplier will not learn anything about each other's function except the final solution. The protocol developed here is based on the Secure Multiparty Computation (SMC) concept and utilizes cryptography and stochasticity due to randomization.

Let the supplier be Alice and the buyer be Bob. Bob has a function f(p) which depends on price p. Alice has a function g(f(p)), where g represents an optimization function, e.g. a price-allocation model. It is required that at the end of the process, both Bob and Alice know p* and f(p*), where

p* = max_p g(f(p))   …. (1)

(Actually, p* is a function of g. For simplicity p* is being used in place of p*(g) unless it is clear from the context.) Further, Bob does not learn anything about g. Similarly, Alice does not learn anything about f. The protocol, which uses a mediator called Ursula, is as follows:

1. Alice generates (n-1) random functions and places her function g at a random position. Alice sends to Ursula the resulting list, in which g_A = g, where A ∈_r {1,2,…,n} and ∈_r denotes a random element.
2. Bob generates (m-1) random functions and places his function f at a random position. Bob sends to Ursula the resulting list, in which f_B = f, where B ∈_r {1,2,…,m}.
3. Ursula (mediator) does the following:
   a. Finds the n x m Optimal Price-Allocation matrix X = (X_ij), i=1,…,n; j=1,…,m, where X_ij = (simply referred as (p*, f(p*)) is the optimal solution for the corresponding functions f_j and g_i.
   b. (i) Encrypts X using the public key of Bob and sends the encrypted matrix to Alice.
      (ii) Encrypts X using the public key of Alice and sends the encrypted matrix to Bob.
4. Alice sends to Bob the value of A and Bob sends to Alice the value of B.
5. Alice extracts the (A,B)-th element of the encrypted matrix received from Ursula in Step 3b(i) and sends it to Bob.
6. Bob decrypts the message received from Alice in Step 5 to find the solution (p*, f(p*)) before sending it to Alice.
7. After knowing the allocation, Bob extracts the (A,B)-th element of the encrypted matrix received from Ursula in Step 3b(ii) and sends it to Alice.
8. Alice decrypts the message received from Bob in Step 7 to find the solution (p*, f(p*)) before sending it to Bob.

N.B.
a) The functions in Step 1 and Step 2 should be specified in a pre-fixed format, e.g. polynomial when feasible.
b) n and m should be sufficiently large.
c) The functions to be selected in Step 1 as well as in Step 2 should be indistinguishable, to Ursula, from each other and from the target function.

Theorem: The following holds after the execution of the protocol, provided that the mediator is semi-honest:
a) The supplier and the buyer both learn (p*, f(p*)).
b) The supplier does not learn anything else about the buyer's function f.
c) The buyer does not learn anything else about the supplier's function g.
d) The mediator does not learn (probabilistically) anything about either function f or g.
e) The supplier and the buyer cannot lie to each other. Thus, the mutual verification of the commitments by the buyer and supplier is ensured.

Proof:
a) Since Ursula (mediator) is semi-honest, i.e. it follows the protocol as desired, Alice (supplier) finds in Step 8 $X_{A,B} = e_A^{-1}(e_A(X_{A,B}))$, where $e_A$ and $e_B$ are the public encryption keys (functions) of Alice and Bob respectively. $e_A^{-1}$ and $e_B^{-1}$ are the corresponding decryption keys, which are private to Alice and Bob respectively. Similarly, Bob (buyer) finds in Step 6 $X_{A,B} = e_B^{-1}(e_B(X_{A,B}))$.
b) Alice gets the matrix from Ursula in Step 3b(i) where the elements are encrypted using the public key of Bob, and hence cannot decipher anything about Bob's function. Further, in Step 7 Alice gets only a single value (encrypted by its own key) from Bob, but this only refers to the optimal solution it is seeking, hence no additional disclosure is possible (e.g. knowing the pattern of (p*, f(p*)) for a given f).
c) Similarly, Bob gets the matrix from Ursula in Step 3b(ii) where the elements are encrypted using the public key of Alice, and hence cannot decipher anything about Alice's function.
d) Ursula receives n functions from Alice, of which only one is the targeted function g. Since functions other than g (g_A here) are assumed to be random and indistinguishable from g to Ursula, Ursula cannot make out which is g. Ursula can at best make a probabilistic guess about g; this probability can be made arbitrarily small by making n sufficiently large. The same holds for Bob's f.

e) Alice and Bob are expected to receive the same matrix X from Ursula encrypted by two encryption functions (but in a different order) because Ursula is semi-honest by assumption. Alice sends information to Bob in Step 4 (on value of A), Step 5 (on optimal solution) and Step 7 (on the optimal solution for confirmation). Similarly, Bob sends information to Alice in Step 4 (on value of B), Step 7 (on optimal solution) and Step 6 (on the optimal solution for confirmation). If Alice consistently sends the wrong information on A and the corresponding matrix elements, it will get a wrong result (though apparently consistent, as there will be no mismatch) because the optimal solution obtained will be different from the desired one. This of course assumes that Bob is sending either right or consistently wrong information throughout. But if Alice sends inconsistently wrong information to Bob (e.g. in Step 4 it gives the value of A as 4 to Bob, but in Step 5 sends the (5,B)-th element), then there is every chance that there will be a mismatch. Similar mismatches will arise for other kinds of inconsistent information communicated. Here Steps 6 and 8 perform the vital role of confirmation and checking. Thus, the information committed by Alice is verified by Bob and vice versa.

But there is a limitation. If Ursula corrupts the data in a clever manner, there is no way Alice or Bob can detect that. The only mitigating factor is that, since Ursula does not have the knowledge of A or B, it is difficult for Ursula to bias the solution in any particular direction.

The following open problems can be investigated further:

(a) Better heuristics for global optimization (for allocation to multiple buyers) to satisfy the supply constraint. Here we are considering the case where no knowledge of the demand curves of the buyers is disclosed to the supplier. This requires either a better heuristic at the supplier level, or a better optimization algorithm at the buyer level mixed with buyer combining strategies.
(b) The current protocol for single buyer to be extended to multiple buyers. This may raise additional issues of collusion between buyers. This may also bring in efficiency in the total optimization problem by reducing the total number of optimization runs for equation (1), currently for each buyer m.n such runs are required (However, it should be noted that the complexity analysis has not been given in this paper.). (c) Semi-honesty assumption on the mediator is sometimes difficult to impose. To reduce this kind of risk (e.g. spoofing by the mediator) one can try a scheme as follows. For example, if a noisy information regarding f and g by manipulating them to f’ and g’ (rather than just by adding noise as in the current case) could be solved. But it would be difficult for the buyer and supplier to find the optimal solution for the original functions given the optimal solutions for the modified functions found by the mediator. It will be worthwhile to search eligible optimization processes which allow this. Collusion between the mediator and the buyer becomes a bigger threat when buyers are unknown to the supplier and also when multiple buyers are being handled simultaneously.

3.3.2 Private estimation of cumulative demand

We have applied the concept of additive homomorphic encryption to construct a secure summation protocol for the estimation of cumulative demand of a set of buyers. The protocol is as follows:

1. One of the buyers (say, B1) generates a public key (K) for additive homomorphic encryption and sends it to S. He does not disclose the private decryption key. S distributes K to all other buyers participating in the bidding process.
2. Each buyer (Bi) computes and sends $E_K(d_i)$ to S.
3. S selects a random number r and computes $S = E_K(r) + \sum_{i=1}^{n} E_K(d_i)$ and sends S to B1.
4. B1 decrypts S using its private key and informs S about $(r + \sum_{i=1}^{n} d_i)$; S computes cumulative demand $D = \sum_{i=1}^{n} d_i$.
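The four steps above can be traced end to end in the following added example, which is not part of the original paper. It assumes Paillier (1999) as the additive homomorphic scheme, with toy key sizes and constructed demand values; the function names are hypothetical.

```python
import math
import secrets

# Toy Paillier parameters (assumption: the paper only says "additive
# homomorphic encryption"). Two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p=P, q=Q):
    n = p * q
    phi = (p - 1) * (q - 1)
    mu = pow(phi, -1, n)              # exists because gcd(phi, n) == 1
    return n, (phi, mu)               # public key n (with g = n + 1), private key

def encrypt(n, m):
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1  # fresh randomness for every ciphertext
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) % n2 * pow(r, n, n2) % n2

def add(n, c1, c2):
    # The "+" of step 3: multiplying ciphertexts adds the plaintexts mod n.
    return c1 * c2 % (n * n)

def decrypt(n, priv, c):
    phi, mu = priv
    return (pow(c, phi, n * n) - 1) // n * mu % n

def secure_cumulative_demand(demands):
    """Steps 1-4 of section 3.3.2 with every party simulated in one process."""
    n, priv = keygen()                               # step 1: B1 keeps priv, S relays n
    from_buyers = [encrypt(n, d) for d in demands]   # step 2: each Bi sends E_K(d_i)
    r = secrets.randbelow(n // 2)                    # step 3: S picks its mask r
    masked = encrypt(n, r)
    for c in from_buyers:
        masked = add(n, masked, c)
    b1_view = decrypt(n, priv, masked)               # step 4: B1 learns only r + sum
    total = (b1_view - r) % n                        # S removes r and learns D
    return {"D": total, "b1_view": b1_view, "r": r}

# Constructed sample demands d_1..d_4.
SAMPLE_DEMANDS = [120, 75, 300, 45]

if __name__ == "__main__":
    print(secure_cumulative_demand(SAMPLE_DEMANDS)["D"])
```

S handles only ciphertexts and the masked total, and B1 sees only the value blinded by r, which is the division of knowledge the protocol relies on.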

The protocol considers communication between each buyer and the supplier; there is no communication among the buyers. The protocol does not assume the existence of any mediator.

3.3.3 Secure capacity allocation protocols

In the scenario where the supply available with the supplier is more than the total projected demand, the supplier would like to satisfy all the buyers using its allocation model. However, in the cases where the supply is less than the total demand, the supplier would have to find the combination of buyers which would fit its allocation model and give it the maximum total benefit. The objectives of secure allocation protocols are as follows:

1. After the execution of the protocol, each buyer will be able to know his actual allocation.
2. The supplier (S) will be able to know the shortage of capacity (if any).

3.3.3.1 Secure linear allocation protocol

Here, we consider that n buyers are involved in negotiation with a supplier. Linear allocation is simply an equal sharing of the pain (i.e. shortage of capacity) among the buyers. If that pain exceeds the actual demand of a buyer, then the buyer becomes passive and does not participate in the transaction (Deshpande and Schwarz, 2002). The buyer Bi is allocated $q_i = d_i - (1/n) \max(0, \sum_{i=1}^{n} d_i - C)$, where n is the number of active buyers who actually buy and C is the production capacity of the supplier. The secure linear allocation protocol is as follows:

1. Every buyer (B) acts as an active buyer; n is the number of active buyers at any iteration during the execution of the protocol. The value of n is known to each buyer and S.
2. Repeat (a) – (c) until n stops changing from one iteration to the next:
   a. S computes cumulative demand $D = \sum_{i=1}^{n} d_i$ using the protocol (section 3.3.2).
   b. S computes $q = (1/n)(\sum_{i=1}^{n} d_i - C)$ and sends q to each buyer.
   c. B computes his allocation $(d_i - q)$ and marks himself as a passive buyer if $(d_i - q)$ is negative. The value of n is updated accordingly.
3. The allocation computed in the last iteration of step 2(c) is considered to be the final allocation.

We have followed the concept of Atallah’s scheme (2004). Our protocol assumes that no interaction is possible among the buyers. The supplier computes the cumulative demand of all the buyers in a private way, finds out the shortage of capacity (if any), estimates the pain per active buyer and informs each buyer. The buyer computes his allocation.

3.3.3.2 Secure proportional allocation protocol

The buyer Bi is allocated $q_i = \min\{d_i, C \cdot d_i / (\sum_{i=1}^{n} d_i)\}$. Here, n is the number of active buyers and C is the total production capacity of the supplier.

1. S computes cumulative demand $D = \sum_{i=1}^{n} d_i$ using the protocol (section 3.3.2).
2. S computes D’ = D/C and sends D’ to Bi; C is the capacity of S.
3. Bi computes its allocation $q_i = (d_i / D’) = C d_i / (\sum_{i=1}^{n} d_i)$.
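The linear (3.3.3.1) and proportional (3.3.3.2) allocation protocols are worked through in the following added example, which is not part of the original paper. The private summation of section 3.3.2 is replaced by a plain `sum` passed in as a parameter, the buyer names and demand values are constructed, and both functions apply the `max(0, ...)` and `min{...}` of the closed-form allocation formulas so that the surplus-capacity case is handled.

```python
from fractions import Fraction

def linear_allocation(demands, capacity, cumulative_demand=sum):
    """Section 3.3.3.1. demands maps buyer -> integer demand.
    Returns ({active buyer: allocation}, [(n, D, q) for each iteration])."""
    active = set(demands)                 # step 1: every buyer starts active
    rounds = []
    while active:
        n = len(active)
        D = cumulative_demand(demands[b] for b in active)   # step 2a (stand-in)
        q = Fraction(max(0, D - capacity), n)               # step 2b: pain per buyer
        rounds.append((n, D, q))          # everything S handles in this round
        # step 2c: each buyer checks d_i - q locally and drops out if negative
        stay = {b for b in active if demands[b] - q >= 0}
        if stay == active:                # n did not change: stop
            break
        active = stay
    return {b: demands[b] - q for b in active}, rounds

def proportional_allocation(demands, capacity, cumulative_demand=sum):
    """Section 3.3.3.2. Returns ({buyer: allocation}, D')."""
    D = cumulative_demand(demands.values())                 # step 1 (stand-in)
    if D == 0:
        return {b: Fraction(0) for b in demands}, Fraction(0)
    ratio = Fraction(D, capacity)                           # step 2: D' = D/C
    # step 3 on the buyer's side, capped at d_i as in the allocation formula
    return {b: min(Fraction(d), d / ratio) for b, d in demands.items()}, ratio

# Constructed sample: three buyers, total demand 100.
DEMANDS = {"B1": 5, "B2": 40, "B3": 55}

if __name__ == "__main__":
    print(linear_allocation(DEMANDS, 70))
    print(proportional_allocation(DEMANDS, 70))
```

With capacity 70, B1 turns passive after the first linear round because its share of the shortage exceeds its demand, and the second round splits the remaining shortage between B2 and B3.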

Atallah et al. (2004) proposed a secure proportional allocation protocol assuming that all the buyers jointly select a random number r and send (r.di) to the supplier. The supplier computes $r \cdot (\sum_{i=1}^{n} d_i)/C$ and sends the same to each buyer. The buyer computes his allocation. We have designed the secure proportional allocation protocol differently. We assume that no interaction is possible among the buyers. The supplier computes the cumulative demand privately and estimates the ratio $(\sum_{i=1}^{n} d_i)/C$; sends this ratio to each buyer and the buyer computes his allocation.

3.3.3.3 Allocation protocol for revenue maximization

The problem of maximizing the revenue of the supplier under capacity constraints was investigated by Sandholm and Suri (2001); the problem is NP complete. Atallah et al. (2004) proposed a secure pick-and-choose framework for the same problem. The scheme assumes that interaction is possible among the buyers. It would be an interesting problem to find the allocation of an individual buyer while maximizing the revenue of the supplier under capacity constraints, but without any interaction among the buyers. We plan to tackle this problem in future.

In this section, we have discussed three different types of capacity allocation schemes; a supplier may have various other types of allocation protocol. An important issue is how to decide the ideal capacity allocation protocol under capacity constraints. If all the buyers face deterministic downward sloping linear demand curves, then the linear allocation mechanism is optimal for the supplier (Deshpande and Schwarz, 2002). If all the buyers hold uniform demand distribution, the proportional allocation mechanism generates the optimal solution for the supplier. In our problem, the supplier does not know the demand curves or distribution of demand of the buyers. So, he cannot decide on an ideal allocation scheme that can generate the optimum solution. Here is the conflict between privacy and optimization. From the perspective of customer relationship management, a supplier can adopt the following two strategies:

1. Entertain all the buyers participating in the bidding process – In this case, a linear or proportional allocation strategy is useful.
2. Do not entertain all the buyers participating in the bidding process – The main objective of the supplier is to maximize revenue; the bids of some buyers may become infeasible according to this policy.

3.3.4 Verification of commitment

In case of the linear and proportional allocation protocols, the supplier and all the buyers know a common homomorphic encryption key. Each buyer encrypts his demand and price with the common additive homomorphic encryption key and sends the message to the supplier. If a buyer is satisfied with his allocation, he informs the supplier of his demand (d*), allocation (q) and price (p*). The supplier applies the encryption key on this information and verifies the commitment of each buyer regarding individual price and demand.
4.0 Non-discriminatory pricing based market-clearing mechanism

In case of non-discriminatory pricing based market transaction, all buyers pay the same unit price to the supplier. Sandholm and Suri (2001) investigated the problem of auctions and reverse auctions with non-discriminatory price setting. Atallah et al. (2003) proposed secure non-discriminatory pricing protocols for e-auctions. The buyers do not reveal their bids regarding price and demand (pi, di) before the supplier announces a fixed selling price common for all the buyers. The supplier remains ignorant of any buyer’s individual bid before setting his price, thereby supporting a scheme of non-discriminatory pricing. Atallah’s scheme is an iterative process; the process continues until the number of active buyers is the same for two consecutive iterations. In the following section, we propose a privacy preserving non-discriminatory pricing based market-clearing mechanism extending the concept of Atallah. The rules of the game are as follows:

1. Let p be the price fixed by the supplier. If pi ≥ p and the buyer (Bi) is satisfied with his allocation, Bi is called an active buyer and will participate in the buying process and reveal his demand and price to the supplier.
2. Otherwise, Bi is called a passive buyer and will not participate in the buying process.
3. A buyer with demand di at price pi commits to it and cannot change it in future.

4.1 The protocol

We have designed our protocol satisfying the following requirements:

1. No buyer Bi will disclose his price pi at any point of time.
2. Supplier (S) will inform only the active buyers about the common price p.
3. Only active buyers will disclose their demands to the supplier.
4. No other disclosure is permissible.
5. All commitments are verifiable.
6. There is no interaction among the buyers.

The steps of the protocol are:

1. S computes cumulative demand $D = \sum_{i=1}^{n} d_i$ using the protocol (section 3.3.2).
2. S performs:
   a. determines the non-discriminatory price p based on D.
   b. computes and sends $E_K(p)$ to all buyers.
3. Bi learns his allocation through the secure capacity allocation protocol (section 3.3.3).
4. Each buyer Bi and S go through the private comparison protocol to find if pi ≥ p. If pi ≥ p and Bi is satisfied with his allocation, then Bi becomes an active buyer; otherwise he becomes a passive buyer.
5. Each active buyer reveals his demand d’i to S.
6. S performs:
   a. computes $E_{K_i}(d’_i)$. He also sends private decryption key of $E_{K_i}$ to S.
   b. if $E_{K_i}(d_i) = E_{K_i}(d’_i)$, discloses p to the active buyer Bi.
   c. verifies the buyer’s commitment on price pi.
   d. informs non-discriminatory price p to each active buyer.
7. Each active buyer verifies the commitment of the supplier on p and pays the revenue to the supplier; the supplier dispatches allocated quantities to the buyer.

4.2 Discussion

At the start of the process, each buyer commits his bid in the form of demand and price (pi, di); di is the individual demand of a buyer Bi for a specific item, and Bi is willing to pay pi as the unit price of the item before the start of the negotiation. The supplier computes the cumulative demand of the buyers privately and estimates a non-discriminatory price. Each buyer learns his allocation privately. The protocol solves Yao’s millionaires’ problem in step 4 (Fischlin, 2001): two agents want to compare their values privately without disclosing their inputs to each other. An active buyer reveals his bid if he is satisfied with his allocation. The protocol preserves the privacy of the bid of each buyer at the initial phase before the disclosure of the non-discriminatory price. On the other side, the buyer cannot know the capacity of the supplier. The protocol requires communication between each buyer and the supplier. There is no communication among the buyers. The protocol involves computations on account of the following functions:

1. Private estimation of cumulative demand of all the buyers.
2. Execution of the secure capacity allocation protocol.
3. Execution of the private comparison protocol between each buyer and the supplier.
4. Verification of commitment - The supplier verifies the commitment of each buyer on his bid, i.e. demand and price. Each buyer verifies the commitment of the supplier on the non-discriminatory price.

The protocol relies heavily on encryption. However, we do not consider this a major limitation, as many operating systems provide an encryption package such as GnuPG of Linux. So, the buying and selling firms should not face any problem in the implementation of such protocols in a negotiation support system. Additionally, the text to be encrypted is small and thus the communication cost of encryption is very low.

5. Conclusion

This paper presents two privacy-preserving market-clearing mechanisms for discriminatory and non-discriminatory pricing based transactions. Both the schemes preserve the privacy of the capacity and price allocation model of the supplier and the demand of the buyers at proper phases. In our protocol, we have not assumed malicious behavior of agents. In future, we plan to tackle this issue. We believe that the application of privacy preserving distributed algorithmic mechanism design provides rich opportunities of research in computer science, economics and operations research. It is really challenging to develop electronic markets based on our privacy-preserving protocols.

Appendix 1: 1-out-of-N Oblivious Transfer Protocol (Naor & Pinkas, 1999)

B’s input is $X_1, X_2, \dots, X_N$ where each $X_I \in \{0,1\}^m$ and $N = 2^l$. The receiver A would like to learn $X_I$.

1. B prepares l random pairs of keys $(k_1^0, k_1^1), (k_2^0, k_2^1), \dots, (k_l^0, k_l^1)$ where for all $1 \le j \le l$ and $b \in \{0,1\}$ each $k_j^b$ is a t-bit key to the pseudo-random function $F_K$.
2. For all $1 \le I \le N$, let $(i_1, i_2, \dots, i_l)$ be the bits of I. B prepares $Y_I = X_I \oplus \bigoplus_{j=1}^{l} F_{k_j^{i_j}}(I)$.
3. A and B engage in a 1-out-of-2 OT for each $1 \le j \le l$ on the strings $(k_j^0, k_j^1)$. If A would like to learn $X_I$ she should pick $k_j^{i_j}$.
4. B sends A the strings $Y_1, Y_2, \dots, Y_N$.
5. A reconstructs $X_I = Y_I \oplus \bigoplus_{j=1}^{l} F_{k_j^{i_j}}(I)$.
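The masking and unmasking of Appendix 1 can be exercised with the following added example, which is not part of the original paper. It assumes HMAC-SHA256 as the pseudo-random function F, models each 1-out-of-2 OT as an ideal functionality that hands over only the chosen key, and numbers the strings from 0 rather than 1; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def prf(key, index, out_len):
    """F_k(I): HMAC-SHA256 in counter mode, truncated to out_len bytes (assumed PRF)."""
    out, ctr = b"", 0
    while len(out) < out_len:
        msg = index.to_bytes(4, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:out_len]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def bits(index, l):
    """(i_1, ..., i_l): the l bits of the index, most significant first."""
    return [(index >> (l - 1 - j)) & 1 for j in range(l)]

def sender_prepare(messages, t=16):
    """Steps 1-2: B draws l key pairs and masks every X_I into Y_I."""
    l = len(messages).bit_length() - 1
    if 1 << l != len(messages):
        raise ValueError("N must be a power of two")
    keys = [(secrets.token_bytes(t), secrets.token_bytes(t)) for _ in range(l)]
    masked = []
    for I, x in enumerate(messages):
        pad = bytes(len(x))
        for j, b in enumerate(bits(I, l)):
            pad = xor(pad, prf(keys[j][b], I, len(x)))
        masked.append(xor(x, pad))
    return keys, masked

def ot_1_of_2(pair, choice):
    """Ideal stand-in for step 3: A learns one key, B does not learn which."""
    return pair[choice]

def receiver_recover(chosen_keys, masked, I):
    """Step 5: A strips the l PRF pads that her keys let her compute."""
    pad = bytes(len(masked[I]))
    for k in chosen_keys:
        pad = xor(pad, prf(k, I, len(pad)))
    return xor(masked[I], pad)

def transfer(messages, I):
    keys, masked = sender_prepare(messages)                    # steps 1-2
    l = len(keys)
    chosen = [ot_1_of_2(keys[j], b) for j, b in enumerate(bits(I, l))]  # step 3
    return receiver_recover(chosen, masked, I), chosen, masked  # steps 4-5
```

A holds exactly one key from each pair, so for any other index at least one pad term is computed under a key she never received and the unmasking yields an unrelated string.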

Appendix 2: Example of computation of (p*, d*)

Let the buyer have a demand curve $d = ap^2 + bp + c$; the supplier has a revenue maximization capacity allocation model.

Revenue, $r = p \cdot d = p(ap^2 + bp + c)$

$dr/dp = 0$; $p^* = -(2b/3a)$; $d^* = c - (2b^2/9a)$

References

Akkermans, H., Bogerd, P. & Doremalen, J.V. (2004). Travail, transparency and trust: A case study of computer supported collaborative supply chain planning in high tech electronics. European Journal of Operational Research, 153, 445-456.

Atallah, M. J., Elmongui, H.G., Deshpande, V. & Schwarz, L.B. (2003). Secure supply chain protocols. In IEEE International Conference on E-Commerce. Newport Beach, California.
Atallah, M. J., Elmongui, H.G., Deshpande, V. & Schwarz, L.B. (2004). Secure supply-chain collaboration, Purdue University.
Atallah, M.J., Bykova, M., Li, J., Frikken, K. & Topkara, M. (2004). Private collaborative forecasting and benchmarking. In Proceedings of WPES’04. Washington DC, USA.
Aviv, Y. (2001). The effect of collaborative forecasting on supply chain performance. Management Science, 47, 1326-1343.
Beaver, D., Feigenbaum, J., Kilian, J. & Rogaway, P. (1990). Security with low communication overhead. Advances in Cryptology, Crypto’90, LNCS 537 (pp. 62-76). Springer.
Bellare, M., & Micali, S. (1989). Non-interactive oblivious transfer and applications. In Advances in cryptology (pp. 547-557). Springer-Verlag, New York.
Ben-Or, M., Goldwasser, S. & Wigderson, A. (1988). Completeness theorems for non-cryptographic fault-tolerant distributed computing. In Proceedings of the ACM Symposium on Theory of Computing (pp. 1-10).
Bichler, M., Kersten, G., & Strecker, S. (2003). Towards a structured design of electronic negotiations. Group Decision and Negotiation, 12, 311-335.

Chakraborty, S., Sehgal, S.K. & Pal, A.K. (2005). Privacy-preserving Discriminatory Pricing Protocol for Supply Chain Management. In Proceedings of 4th Security Conference. Las Vegas, USA.
Chakraborty, S., Sehgal, S.K. & Pal, A.K. (2005). Privacy preserving e-negotiation protocols based on secure multiparty computation. In Proceedings of IEEE Southeastcon Conference. Florida, USA.
Cramer, R., Gennaro, R. & Schoenmakers, B. (1997). A secure and optimally efficient multi-authority election scheme. Advances in cryptology – Eurocrypt’97, Lecture notes in Computer science, 1233 (pp. 103-118). Springer Verlag.
Delfs, H., & Knebl, H. (2002). Introduction to cryptography - principles and applications. Springer-Verlag.
Deshpande, V. & Schwarz, L. (2002). Optimal capacity allocation in decentralized supply chains. Technical report, Krannert school of management, Purdue University, Indiana, USA.
Du, W., & Atallah, M. J. (2001). Privacy-preserving cooperative scientific computations. In Fourteenth IEEE workshop on computer security foundations (p. 273). IEEE Computer Society.
Even, S., Goldreich, O. & Lempel, A. (1985). A randomized protocol for signing contracts. Communications of the ACM, 28(6), 637-647.
Feige, U., Kilian, J. & Naor, M. (1994). On minimal models for secure computations. In Proceedings of the ACM Symposium on Theory of Computing (pp. 554-563).
Fischlin, M. (2001). A cost-effective pay-per-multiplication comparison method for millionaires. In Proceedings of the 2001 conference on topics in Cryptology: The Cryptographer’s Track at RSA, LNCS, 2020 (pp. 457-472). Springer-Verlag.
Fudenberg, D., & Tirole, J. (1991). Game theory. The MIT Press.
Goldreich, O. & Vainish, R. (1988). How to solve any protocol problem: an efficient improvement. In Proceedings of Advances in Cryptology, Crypto’87, Lecture Notes in Computer Science, 293 (pp. 73-86). Springer Verlag.
Goldwasser, S. (1997). Multi party computations: past and present. In Sixteenth annual ACM symposium on principles of distributed computing (pp. 1-6). ACM Press.

Huberman, B. A., Franklin, M., & Hogg, T. (1999). Enhancing privacy and trust in electronic communities. In Proceedings of First ACM conference on electronic commerce (pp. 78-86). Denver, Colorado.
Ishai, Y. & Kushilevitz, E. (2000). Randomizing polynomials; a new representation with applications to round-efficient secure computation. In Proceedings of the IEEE Symposium on Foundations of Computer Science (pp. 294-304).
Jagpal, S. (1999). Marketing strategy and uncertainty, Oxford University Press.

Lindell, Y. (2003). Composition of secure multi-party protocols a comprehensive study, Springer.
Naor, M., & Pinkas, B. (1999). Oblivious transfer and polynomial evaluation (extended abstract). In Thirty-first ACM symposium on theory of computing (pp. 245-254). Atlanta, Georgia, USA.
Naor, M., Pinkas, B., & Sumner, R. (1999). Privacy preserving auctions and mechanism design. In First ACM conference on electronic commerce (pp. 129-139). ACM Press.

Naor, M., & Nissim, K. (2001). Communication preserving protocols for secure function evaluation. In Proceedings of the 33rd Symposium on Theory of Computing (pp. 590-599).
Paillier, P. (1999). Public-key cryptosystems based on composite degree residuosity classes. Advances in Cryptology, Eurocrypt’99, Lecture notes in computer science, 1592 (pp. 223-238). Springer-Verlag.

Sandholm, T. and Suri, S. (2000). Improved algorithm for optimal winner determination in combinatorial auctions and generalizations. In Proceedings of 17th National conference on Artificial Intelligence.
Sandholm, T. and Suri, S. (2001). Market Clearability. International Joint conference on Artificial Intelligence, Seattle, USA.
Sandholm, T. and Suri, S. (2002). Optimal clearing of supply/demand curve. In Proceedings of AAAI-02 workshop on agent-based technologies for B2B electronic commerce, Edmonton, Canada.
Sehgal, S.K. (2006). Finding pareto-optimal frontier with minimum disclosure for multi-party negotiations. Unpublished doctoral dissertation, Indian Institute Of Management, Calcutta.
Stadtler, H. & Kilger, C. (2004). Supply chain management and advanced planning concepts, models, software and case studies, 2nd edition, Springer.
Vaidya, J.S. (2004). Privacy preserving data mining over vertically partitioned data, Ph.D. Thesis, Purdue University.
Welty, B. & Fernandez, I.B. (2001). Managing trust and commitment in collaborative supply chain relationships. Communication of the ACM, 44(6).