A Practical Solution to Yao's Millionaires' Problem and Its Application in Designing Secure Combinatorial Auction

06/15/2019 ∙ by Sankarshan Damle, et al. ∙ IIIT Hyderabad

The emergence of e-commerce and e-voting platforms has resulted in a rise in the volume of sensitive information over the Internet. This has in turn increased the demand for secure and private means of computing on that information. Yao's Millionaires' problem, i.e., securely determining the richer of two millionaires, finds an application here. In this work, we present a new solution to Yao's Millionaires' problem, namely Privacy Preserving Comparison (PPC). We show that PPC achieves this comparison in constant time as well as in one execution. PPC uses semi-honest third parties for the comparison who do not learn any information about the values. Further, we show that PPC is collusion-resistant. To demonstrate the significance of PPC, we present a secure, approximate single-minded combinatorial auction, which we call TPACAS, i.e., Truthful, Privacy-preserving Approximate Combinatorial Auction for Single-minded bidders. We show that TPACAS, unlike previous works, preserves the following privacies relevant to an auction: agent privacy, the identities of the losing bidders must not be revealed to any other agent except the auctioneer (AU); bid privacy, the bid values must be hidden from the other agents as well as the AU; and bid-topology privacy, the items for which the agents are bidding must be hidden from the other agents as well as the AU. We demonstrate the practicality of TPACAS through simulations. Lastly, we also look at TPACAS' implementation over a publicly distributed ledger, such as the Ethereum blockchain.


1 Introduction

In the last decade, different e-commerce and e-voting platforms have grown in popularity. Consequently, the need for privacy of the information exchange within these platforms has become imperative. The consumers (or voters), being strategic agents, prefer the preservation of their private information (bids, votes, etc.) as well as their public identities from other (often) competitive agents. This anonymity of information also increases participation.

With blockchain gaining momentum, e-commerce and e-voting are now being conducted as smart contracts over distributed platforms such as Ethereum. A smart contract is a computer protocol intended to digitally facilitate, verify, or enforce the negotiation or performance of a contract [1]. Since these protocols run on a publicly distributed ledger, they are open to any interested agent, and they make an agent’s bid/vote as well as the execution of its payments publicly verifiable, transparent and pseudonymous. A consequence, however, is that even an agent’s private information is publicly available for anyone to see and use. This further necessitates privacy-preserving e-commerce/e-voting protocols over blockchain.

At the heart of e-commerce/e-voting protocols is the comparison of two values, either in the form of a bid or a vote. Therefore, in order to build a protocol that preserves each agent’s private information, we require a method for comparing these values while preserving their privacy (the preliminary idea of using secure comparison for designing privacy-preserving auctions has been published in [2]). In the literature, this challenge is similar to Yao’s Millionaires’ problem (Yao [3]) of securely determining the richer between two different parties and has been extensively studied.

1.1 Yao’s Millionaires’ Problem

Introduced in 1982 by Yao [3], the Millionaires’ problem discusses two agents (millionaires), Alice and Bob, who are interested in knowing the richer among them – without revealing their true wealth. The first solution to the problem, Yao [3], is computationally expensive and requires large memory. Thereafter, several protocols with great improvement have been proposed [4, 5, 6, 7]. However, each comparison through these protocols is at best linear in order of the length of the binary representation of these numbers and may also involve multiple rounds of computation. This makes the process computationally expensive for e-commerce/e-voting applications. Further, these protocols require the continuous involvement of agents. Assigning trusted third parties to take part in the protocol on behalf of the agents would reveal the agent’s private information to them.

In this paper, we introduce a novel method for comparing two integers and (i.e., ) securely, i.e., a solution to the Yao’s Millionaires’ problem, namely, Privacy Preserving Comparison (PPC). In PPC, we assume that there are approved cryptographic notaries in the system which act as semi-trusted third parties to assist the central server (CS) to determine whether or not. We show that neither the CS nor the notaries learn any information regarding the values of and during or after the comparison.

We achieve this secure comparison in constant time, i.e., the complexity of our method is per comparison. Further, we show that our solution is collusion resistant. We use Pedersen commitments [8] of the values to provide a zero-knowledge proof for the verifiability of the comparison. We illustrate the utility of our method by using it to build a privacy-preserving protocol for a single-minded combinatorial auction, which we call TPACAS, i.e., Truthful, Privacy-preserving Approximate Combinatorial Auction with Single-minded bidders.

1.2 Secure Combinatorial Auctions

Auctions are mechanisms which facilitate the buying and selling of goods/items among a group of agents. In general, a combinatorial auction, where the agents can bid for combination(s) of items, yields a higher revenue than selling the items individually. For example, different governments across the globe have been using combinatorial auctions to lease out wireless spectrum [9] or to allocate airport landing and take-off slots to interested agents [10]. In such auctions, the participating entities, which we refer to as agents throughout the paper, desire different types of privacy, as the information they submit may expose their business plans to their competitors. For example, the disclosure of an agent’s public identity reveals its interest in acquiring the items auctioned. The revelation of an agent’s bidding information (bid value and the combination of preferred items) to an auctioneer or other participating agents may expose its profits, economic situation and preferences for specific items to its competitors. The competitors may further exploit this information in future auctions. In consequence, an auction protocol should be such that only the winning agents’ combination of preferred items is made public while preserving the privacy of the identities and the bidding information of the other agents.

Auction protocols which preserve the privacy of bidding information are called secure auction protocols. In this paper, we define these desirable privacies of a secure auction in three types: (i) Agent privacy, an agent’s participation in an auction must be hidden from all the other agents; (ii) Bid privacy, the bid values must be hidden from the other agents as well as the auctioneer; (iii) Bid-topology privacy, the items for which the agents are bidding must be hidden from the other agents as well as the auctioneer.

Furthermore, if the bidding information is hidden from the agents as well as the auctioneer, we need a trustworthy implementation of a secure auction. That is, anybody should be able to verify the correctness of the allocations and that the payments are in alignment with the described rules. Besides, the implementation must preserve all three types of privacy with high probability. Motivated by these challenges, we focus on preserving the privacy of all agents’ bidding information in an instance of a combinatorial auction.

Typically, the goal in such auctions is to maximize the social welfare, i.e., we should allocate these resources to those who value them most. Strategic agents may misreport their valuations to maximize their profits. Thus, we look for auctions which, through appropriate payment rules, ensure that the agents bid their true valuation. In game theory, such auction protocols (allocation rule along with payment rule) are called dominant strategy incentive compatible. In addition to this, auction protocols must also be individually rational, i.e., protocols wherein the agents have a non-negative payoff.

Combinatorial auctions have an exponential number of possible valuations for each agent and are NP-Complete [11]. Hence, we focus on the single-minded case. In this case, each agent is interested in a single specific bundle of items and obtains a particular value if it gets the whole bundle (or any super-set) and zero otherwise. Even single-minded combinatorial auctions, being NP-Hard [12], are solved approximately. In particular, Lehmann et al. [13] propose a strategy-proof mechanism for such auctions, which gives a -approximate allocation and payment rule, which we refer to as ICA-SM (Incentive Compatible Approximate auctions for Single-minded bidders). Here, denotes the number of items being auctioned. In this paper, we propose TPACAS (Truthful, Privacy-preserving, an Approximately efficient Combinatorial Auction for Single-minded bidders), which solves a single-minded combinatorial auction while preserving the cryptographic and game theoretic properties mentioned earlier, i.e., TPACAS is a trustworthy implementation of ICA-SM.

One can leverage the approach of Micali and Rabin [14], which uses the homomorphic property of the commitments, or that of Parkes et al. [15], which also uses time-lapse cryptography, to achieve winner determination while preserving the privacy of the agents and their bidding information. However, these protocols expose the bidding information to the auctioneer after the bidding phase is over. We overcome this issue by proposing the use of notaries. We assume there are approved cryptographic notaries in the system and that the auctioneer can appoint them to assist in the auction. In TPACAS, the auctioneer assigns a signed random to each agent and a set of randomly chosen notaries. The agents commit their bid values and the size of the bundle in which they are interested, similar to [14]. The challenge remains to sort the bids, or to check if two agents have any item in common, while keeping the values and bid topology private. Towards this, we use our novel method for secure comparison of two integers, i.e., PPC.

Through this method, we show how to sort as well as compare the bidding information of agents without revealing them, with the help of notaries. The notaries do not learn of any bidding information. We assume that each agent’s bundle size is . Otherwise, bid-topology will get revealed to the auctioneer in our protocol. Note that in our protocol, the notary’s role is only to assist the auctioneer in determining winners and their payments when the bidding information is hidden. The notaries will not know the agent identities or their bidding information.

1.3 Adversary Model

As defined in the literature (see [16]), and as standard in solutions for Yao’s Millionaires’ Problem (e.g., [5, 4, 17, 18]), in this paper we assume that all agents, i.e., Alice, Bob, the auctioneer, the notaries, etc., are semi-honest or honest-but-curious. This implies that while these agents may observe and record any information they receive, they do not deviate from the defined protocol. We use semi-honest and honest-but-curious interchangeably throughout the paper.

1.4 Contributions

The following are our contributions:

  • We present a secure, robust and verifiable method, Privacy Preserving Comparison (PPC), for securely comparing two integers (Procedures 3 and 4). We show that the method preserves the privacy of the two integers unless out of parties collude.

  • We propose a cryptographic protocol, TPACAS, that implements a truthful single-minded combinatorial auction (Theorem 1). It is -approximate and preserves agent privacy of all the losing agents from the rest of the agents (Proposition 1). It preserves bid privacy with high probability, and the auctioneer will not know any bid value even after the auction is over (Proposition 2). It also preserves bid-topology privacy from the notaries (Proposition 3) as well as from the auctioneer with high probability (Proposition 4).

  • We believe PPC can be further used to implement other privacy-preserving mechanisms, such as other types of auctions, voting, etc.

1.5 Paper Overview

The paper is organized as follows: Section 2 discusses the existing results for the Millionaires’ problem and secure auctions; Section 3 describes the relevant cryptographic techniques as well as the auction setting; Section 4 introduces our novel method for secure comparison of two integers, i.e., PPC; Section 5 presents the TPACAS auction protocol; and Section 6 analyzes it. We conclude and summarize the paper in Section 7.

2 Related Work

In this section, we summarize the related literature for (i) Millionaires’ Problem; and (ii) Secure Auctions.

2.1 Yao’s Millionaires’ Problem

The problem was first introduced by Yao [3] along with its first solution. However, the presented solution is exponential in time and space. After this, most of the solutions, e.g., Chaum et al. [19] and Beaver and Goldwasser [20], have focused on using multi-party circuit computations. Grigoriev and Shpilrain [21] use various laws of classical physics to present various solutions to the problem. These solutions are irrelevant to an online setting, while also being time consuming for e-commerce/e-voting applications. In this paper, we focus on solutions which can be deployed in an online setting.

Ioannidis and Grama [7] present a two-round protocol which is polynomial, while Lin and Tzeng [5] and Blake and Kolesnikov [4] provide a single-round solution which is linear in the length of the integers to be compared. For their solutions, [7] uses complex bitwise operators while [5, 4] use Paillier homomorphic encryption and zero-knowledge proofs. The computational cost per comparison in [5] is and in [4] is , where is the bit number and the modulus of the Paillier scheme. Recently, Liu et al. [18] proposed a single-round solution using Paillier encryption and a vectorization method. However, the solution is of the order , where is the vector dimension.

These solutions also require the owners of the integers to perform complex operations. Given the number of comparisons potentially needed for e-commerce/e-voting applications, continuous involvement of the owners is infeasible. Additionally, one cannot simply assign trusted third parties to perform the operations, as that would reveal the owners’ private information to them.

2.2 Secure Auctions

VCG mechanisms were proposed by Vickrey [22], Clarke [23] and Groves [24]. As the allocation problem in a general combinatorial auction is NP-Complete, Lehmann et al. [13] give a strategy-proof, approximate greedy mechanism to solve the allocation problem in a restricted setting, without preserving bid privacy. Following the impossibility result on unconditional privacy by Brandt and Sandholm [25], much of the research has aimed to achieve privacy based on the computational hardness of certain problems, such as the discrete-log problem.

Micali and Rabin [14] solve single-item and multi-unit auctions while preserving the privacy of the bids using Pedersen commitments, but reveal the bid information to the auctioneer after the end of the bidding phase, whereas Parkes et al. [15] use Paillier encryption and time-lapse cryptography for the same. [26] gives a practical multi-unit auction that does not reveal any private information to a third party, even after the auction closes. Naor et al. [27] use an auction issuer while Franklin and Reiter [28] use multiple servers as trusted third parties to solve auctions securely. In both these protocols, the bid-topology is revealed to these third parties. Parkes et al. [29] use a clock-proxy auction to solve a privacy-preserving combinatorial auction, revealing private information to the auctioneer after the end of the clock phase; this brings the computational time down from exponential to linear. Suzuki and Yokoo [30] propose a privacy-preserving, secure combinatorial auction that does not reveal any bid information to a third party, using dynamic programming, and [31] extends it to add verifiability. The protocol, however, is exponential in the number of bids and is thus impractical even for a small number of bids.

3 Preliminaries

In Section 3.1, we provide the cryptographic background required for the results; and in Section 3.2, we describe the auction setting with the relevant cryptographic and game-theoretic properties.

3.1 Cryptographic Background

For the design of our method for secure comparison of two integers, the following cryptographic techniques are required.

3.1.1 Pedersen Commitment Scheme

Commitment functions allow one to commit to a chosen value (or chosen statement) while keeping it hidden from others, with the ability to reveal the committed value later.

Let and denote large primes such that divides , as the unique subgroup of of order , and as a generator of . Also, let and be elements of such that is intractable, where is the secret key.

Definition 1.

A Pedersen commitment scheme is the commitment of a message , with a random help value , as,

Definition 1 follows from [8]. Note that this commitment scheme is information-theoretically hiding, i.e., given a commitment , every value is equally likely to be the value committed in ; computationally binding, i.e., an adversary cannot find two distinct and which open the same commitment , unless it can solve the discrete-log problem; and homomorphic, i.e., given only the public keys () and the commitments of and , one can compute the commitment of .

Let denote an agent ’s secret key. Thus, every agent ’s set of public keys is represented by the set .

3.1.2 Random Number Representation

As standard in the literature (e.g., [14]), we use the random number representation of a number , .

Definition 2.

A random number representation of a number , , is a representation of as the pair where and

To find of a number , any agent randomly chooses and then picks . In this, with only or , no information about the value of can be deduced.

Notation. In this paper, represents the Pedersen commitment of as , i.e., denotes the pair of commitments .

3.1.3 Zero-knowledge proof

In cryptography, a zero-knowledge proof (ZKP) is a method by which an agent, called a Prover (), is able to convince another agent, called a Verifier (), that it knows some information , without revealing (or any other information related to ) [32]. Further, cannot prove to any other party that knows . Informally, ZKPs allow to reveal its knowledge of some information, without giving out that information.

In this paper, we model a ZKP as an interaction (exchange of messages) between and . For this, a ZKP must satisfy the following three properties [32]. Here, an honest agent is one which follows the protocol (proof) correctly.

  • Completeness. An honest will be able to convince an honest that the statement is true, if it is true.

  • Soundness. No dishonest can convince an honest that the statement is true, if it is false, except with small probability.

  • Zero-knowledge. No is able to learn any information regarding the statement, except that it is true, in the case that the statement is true.
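As an added worked example (my code, not the paper's), the following Python models the Pedersen commitment of Section 3.1.1 and checks its three stated properties, and then runs a standard sigma-protocol proof of knowledge of an opening (the Okamoto-style protocol for Pedersen commitments, not the paper's Procedure 4) as a concrete prover/verifier exchange of the kind Section 3.1.3 defines. The group parameters p = 23, q = 11, g = 4 and the trapdoor a = 7 are toy values chosen here so that the arithmetic can be followed by hand; they are not from the paper.

```python
# Added example (not the paper's code): toy Pedersen commitment over the
# order-q subgroup G_q of Z_p^* (Section 3.1.1) plus a sigma-protocol proof
# of knowledge of an opening (Section 3.1.3).  All parameters are assumed,
# toy-sized values; a deployment uses a ~2048-bit p or an elliptic-curve group.

P = 23                     # prime p
Q = 11                     # prime q with q | p - 1  (22 = 2 * 11)
G = 4                      # generator of G_q: 4^11 = 1 mod 23 and 4 != 1
SECRET_A = 7               # trapdoor a = log_g(h), known only to the key owner
H = pow(G, SECRET_A, P)    # h = g^a = 8; the public keys are (p, q, g, h)


def commit(m, r):
    """Pedersen commitment C(m, r) = g^m * h^r mod p with m, r in Z_q."""
    if not (0 <= m < Q and 0 <= r < Q):
        raise ValueError("message and help value must lie in Z_q")
    return (pow(G, m, P) * pow(H, r, P)) % P


def open_commitment(c, m, r):
    """Opening: the committer reveals (m, r) and anyone recomputes C."""
    return commit(m % Q, r % Q) == c


def homomorphic_add(c1, c2):
    """C(m1, r1) * C(m2, r2) = C(m1 + m2, r1 + r2) with sums taken mod q:
    the commitment of a sum is computed from the commitments alone."""
    return (c1 * c2) % P


def every_message_opens(c):
    """Information-theoretic hiding, checked by brute force on the toy group:
    for every m in Z_q some r opens c, so c reveals nothing about m."""
    return all(any(commit(m, r) == c for r in range(Q)) for m in range(Q))


def equivocate(m, r, m_new, a):
    """Why binding is only computational: C = g^(m + a*r), so whoever knows
    a = log_g(h) can open C to any m_new by solving m + a*r = m_new + a*r_new
    (mod q) for r_new.  Without a this needs the discrete log of h."""
    return (r + (m - m_new) * pow(a, -1, Q)) % Q


def prove_opening(m, r, t1, t2, c):
    """Prover side of a proof of knowledge of (m, r) with C = commit(m, r).
    t1, t2 are the prover's fresh random nonces in Z_q, c is the verifier's
    challenge in Z_q.  Returns the first message T and the responses (s1, s2)."""
    big_t = commit(t1, t2)
    return big_t, (t1 + c * m) % Q, (t2 + c * r) % Q


def verify_opening(c_commit, big_t, c, s1, s2):
    """Verifier side: accept iff g^s1 * h^s2 == T * C^c (mod p).
    Completeness: an honest prover always passes.  Soundness: without an
    opening a prover passes a random challenge with probability 1/q.
    Zero-knowledge: (T, c, s1, s2) can be simulated without (m, r)."""
    lhs = commit(s1, s2)
    rhs = (big_t * pow(c_commit, c, P)) % P
    return lhs == rhs


if __name__ == "__main__":
    c = commit(3, 5)
    print("commit(3,5) =", c, "opens:", open_commitment(c, 3, 5))
    print("sum commitment matches:", homomorphic_add(commit(3, 5), commit(4, 6)) == commit(7, 0))
    t, s1, s2 = prove_opening(3, 5, 2, 9, 4)
    print("ZK proof of opening verifies:", verify_opening(c, t, 4, s1, s2))
```

The `equivocate` function is the whole argument for why the scheme is binding only computationally: the trapdoor holder can reopen any commitment, so in the paper's setting the party that knows the secret key must not also be the one whose commitments are being checked.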

3.1.4 Value Comparison

We now look at a method for comparing two values i.e., to find out whether or not , when . As shown in [14], and . Therefore, to compare and we only need to check whether .

3.1.5 Cryptographic Notaries

Similar to [15], cryptographic notaries are reputable agents, such as law firms, accountants, or firms specializing in providing means of communication of information among agents.

3.1.6 Secure Information Exchange

Similar to [33], we define an information exchange as secure if it is done over an anonymous and confidential channel. Towards this, Tor hidden services [34] or SSH connections [35] can be used.

3.2 Auction Design

We consider a situation where an auctioneer (), who is also the seller, is interested in selling indivisible items to interested and strategic agents via a combinatorial auction. We assume there exists a set of cryptographic notaries , described in Section 3.1.5, that can assist in determining the winners and their payments. We denote the set consisting of every participating agent in this protocol as , i.e., .

Combinatorial auctions factor in the inter-dependency of the values to an agent with respect to the different combinations possible, i.e., each agent has a different preference for different subsets. The valuation function describes these preferences . In the absence of payments, the agent may overstate . We denote its payment as . Formally, for each possible subset , is a real-valued function such that is the value an agent obtains if it wins the subset . Also, if is the price paid by the agent for the subset, then its utility is given by .

3.2.1 Cryptographic Properties in Auction

Auction protocols must preserve the privacy of the bidding information from all the agents, including the auctioneer, even after the closing of the bidding phase while providing verifiability of the correctness of the allocation and the payments. In this subsection, we describe these required cryptographic properties of an auction protocol.

  • Non-repudiation. This deals with the inability of an auctioneer or an agent to retract from their actions. Auction protocols must be able to commit an agent to its bid as well as prove the exclusion of any bid by the auctioneer.

  • Verifiability. The public, including the agents, must be shown a conclusive proof of the correctness of the auction protocol. The protocol must enforce correctness; an auctioneer should not be able to present valid proofs for invalid winners or incorrect payments.

  • Privacy. An auction protocol should hide bidding information of an agent from the other participating agents. After the auction, only the information revealed from the winning agents should be known. The types of privacies relevant for an auction are defined below. For this, let be the set of winning agents.

    Definition 3 (Agent Privacy).

    No agent should be able to discover any other agent’s identity, i.e., for an agent during the auction and for an agent after the auction, no other agent should know about ’s participation in the auction.

    Definition 4 (Bid Privacy).

    No agent should be able to know any agent’s bid valuation i.e., the probability with which an agent can guess agent ’s bid valuation is .

    Definition 5 (Bid-Topology Privacy).

    No agent should be able to know any other agent’s bundle of items i.e., the probability with which an agent can guess the item bundle of an agent during the auction and of an agent after the auction is negligible [36] in the number of items being auctioned.

Let us say that the allocation of the items is determined by an allocation rule , which takes as the input and outputs who gets which items, where denotes the set of valuations of agents not including . The payment rule is given by . Thus, an auction is characterized by , an allocation rule and the payment rule. Given an auction, we need the following game theoretic properties to be satisfied.

3.2.2 Game Theoretic Properties in Auction

The valuation of each agent is its private information, i.e., hidden from every other agent in the auction. This opens the door for any such agent to lie about its valuation for its own benefit. Thus, we look for auctions which incentivize an agent to bid its true valuation. In mechanism design theory, such truthful auctions are called dominant strategy incentive compatible (DSIC). Further, an auction is ex-post individually rational (IR) if every agent always gets non-negative utility.

Definition 6 (Dominant Strategy Incentive Compatible).

An auction is DSIC if , ,, we have

where and .

Definition 7 (Individual Rationality).

An auction is ex-post individually rational if , we have

Because the allocation problem in this setting is NP-Complete, and because each agent’s valuation function is exponential in size and hence hard to represent and communicate, we look at much simpler cases of auctions, such as the single-minded case.

3.2.3 The Single-Minded Case

These are auctions wherein agents are interested in a single specific bundle of items, and get a scalar value if they get this whole bundle (or any super-set) and get zero value for any other bundle. Formally,

Definition 8.

A single-minded valuation function is a function in which there exists a bundle of items and a value such that , and for all other . Here, a single-minded bid is the pair .

As the allocation problem in this case is NP-Hard, we look at algorithms which solve it approximately. In an auction setting, an algorithm is a -approximation algorithm if the value of the allocation it generates is always within a factor of the value of the optimal allocation. We now discuss one such algorithm.

3.2.4 An Incentive Compatible approximation Algorithm (ICA-SM)

Algorithm 1 describes ICA-SM, a greedy algorithm that approximately solves the allocation problem for the single-minded case with agents and items, where and are agent ’s bid valuation and preferred bundle of items, and is the set of winners. ICA-SM is computationally efficient, incentive compatible and -approximate [13].

  1. Initialization:

    • Sort the agents according to the order :

  2. For , if then

  3. Output:

    • Allocation: The set of winners is .

    • Payments: where is the smallest index such that , and for all , , . If no such exists then .

Algorithm 1 ICA-SM Algorithm
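As an added worked example (my code, not the paper's or Lehmann et al.'s), the following Python runs Algorithm 1 on a constructed instance of four single-minded bids over three items. Payments are computed as each winner's critical value: the greedy allocation is re-run without that winner, and the first bid that then wins and conflicts with its bundle plays the role of the index j in the payment rule of Algorithm 1. A brute-force optimum is included only to check the approximation bound on this tiny instance; it is exponential and not part of the mechanism.

```python
import math
from itertools import combinations

# Added example, not the paper's code.  A bid is (v_i, S_i) with S_i a frozenset
# of item identifiers; the instance below is constructed for illustration.


def rank(bid):
    """Sorting key of Algorithm 1, step 1: v_i / sqrt(|S_i|)."""
    v, bundle = bid
    return v / math.sqrt(len(bundle))


def greedy_allocation(bids, order):
    """Algorithm 1, step 2: walk the bids in the given order and accept a bid
    whenever its bundle is disjoint from everything already allocated.
    Returns the winner indices in the order they were accepted."""
    winners, taken = [], set()
    for i in order:
        if bids[i][1].isdisjoint(taken):
            winners.append(i)
            taken |= bids[i][1]
    return winners


def ica_sm(bids):
    """Allocation and payments of ICA-SM.  Returns (winners, payments) where
    payments maps each winner to the amount it pays (0 if nobody was blocked
    by it)."""
    order = sorted(range(len(bids)), key=lambda i: rank(bids[i]), reverse=True)
    winners = greedy_allocation(bids, order)
    payments = {}
    for i in winners:
        # Critical value of i: re-run the greedy without i; the first bid j that
        # now wins and conflicts with S_i is the one i displaced.  i pays
        # v_j / sqrt(|S_j|) * sqrt(|S_i|), the smallest value at which it still wins.
        others = [k for k in order if k != i]
        payments[i] = 0.0
        for j in greedy_allocation(bids, others):
            if not bids[j][1].isdisjoint(bids[i][1]):
                payments[i] = rank(bids[j]) * math.sqrt(len(bids[i][1]))
                break
    return winners, payments


def welfare(bids, chosen):
    """Social welfare of a set of winners: sum of their (reported) values."""
    return sum(bids[i][0] for i in chosen)


def optimal_welfare(bids):
    """Exact optimum by enumerating all feasible winner sets (exponential;
    only used to check the sqrt(m) bound on a tiny instance)."""
    best, n = 0.0, len(bids)
    for size in range(1, n + 1):
        for subset in combinations(range(n), size):
            used, feasible = set(), True
            for i in subset:
                if not bids[i][1].isdisjoint(used):
                    feasible = False
                    break
                used |= bids[i][1]
            if feasible:
                best = max(best, welfare(bids, subset))
    return best


# Constructed sample instance (not from the paper): m = 3 items a, b, c.
SAMPLE_BIDS = [
    (10.0, frozenset({"a"})),
    (9.0, frozenset({"a", "b"})),
    (8.0, frozenset({"b", "c"})),
    (7.0, frozenset({"c"})),
]

if __name__ == "__main__":
    w, p = ica_sm(SAMPLE_BIDS)
    print("winners:", w, "payments:", p)
    print("greedy welfare:", welfare(SAMPLE_BIDS, w),
          "optimum:", optimal_welfare(SAMPLE_BIDS))
```

On the sample instance the greedy order is bids 0, 3, 1, 2; bids 0 and 3 win, bid 0 pays 9/sqrt(2) (it displaced bid 1) and bid 3 pays 8/sqrt(2) (it displaced bid 2). The greedy welfare is 17 against an optimum of 18 (bids 0 and 2 together), which is within the sqrt(m) = sqrt(3) factor, and every winner pays no more than its value, as individual rationality requires.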

We refer to an auction protocol satisfying all the aforementioned game theoretic and cryptographic properties as a trustworthy implementation of an auction, i.e.,

Definition 9 (Trustworthy Implementation).

An auction protocol which provides non-repudiation and verifiability, while preserving agent privacy, bid privacy, and bid-topology privacy; along with being dominant strategy incentive compatible and individually rational, is a trustworthy implementation of an auction.

In the next section, we present our method for secure comparison of two integers. In the subsequent subsection, we show the verifiability of the comparison using ZKP.

4 Privacy Preserving Comparison of Two Integers

In this section, we first describe a procedure for secure comparison of two integers and owned by two agents, Alice (say) and Bob (say), respectively. We assume that Alice and Bob have already agreed that . Additionally, we assume that there exists a central server (CS) that coordinates the comparison. Note that, as shown later, the CS only aids the comparison and does not learn anything about the values of and . Procedure 2 describes the comparison [2].

Procedure 2 preserves the privacy of the values and from the CS, since the CS only knows the values and . It is trivial to see that the CS cannot find out anything about the values of and from these; hence no information about or is revealed to it. In addition, every notary only has one component of the other agent’s value, which implies that it cannot find out anything about the other agent’s value either.

Further, Procedure 2 is independent of the length of the binary representation of or and hence is of constant order () in computational time. The secure comparison is achieved in one execution of Procedure 2.

CS assigns Alice and Bob their respective pair of distinct notaries. Let and be Alice and Bob’s pair of assigned notaries, respectively.

Steps

  (i) Alice generates and Bob generates .

  (ii) All information exchange takes place securely.

  (iii) All information exchange takes place securely.

  (iv) All information exchange takes place securely.

  (v) CS then checks the following:
      if return
      if return
      else return

Procedure 2 Secure Value Comparison of Two Integers

Discussion. By using , i.e., , to compare and we are able to preserve the privacy of the values and . However, using Procedure 2 to design secure mechanisms for applications such as auctions/voting may lead to loss of privacy of the values. For instance, in secure auctions, the bids of the winning agents are opened to determine their payments. This will lead to the disclosure of one value, say , which will consequently disclose to the CS through the known value . Thus, we must also hide the value from the CS while still preserving the comparison.

4.1 Privacy Preserving Comparison (PPC)

To overcome the potential loss of privacy of the values and in secure comparison through Procedure 2, we introduce another novel procedure, namely Privacy Preserving Comparison (PPC). Towards this, we assume that Alice and Bob have already agreed that . Here, for , where is the number of bits required to represent . In PPC, we require Alice and Bob to privately select an integer , respectively. Let .

Before describing PPC, we present the following claim.

Claim 1.

and . Here, and with .

Proof. Observe that,

We know from [14]: and . For this, . Now,


  • To show : Trivially, if and , we have

    Further, if,

  • To show : Similarly, if and , we have

    Further, if,

The rest of the claim follows from the fact that as . ∎

With this claim, we now present our novel method for securely comparing two integers, namely, PPC.

4.1.1 PPC Procedure

Procedure 3 describes the steps taken by Alice and Bob in coordination with the CS in PPC. The pair of encryptions given at the start and the help values sent to the notaries are used for verification of the comparison, as shown in Section 4.1.2.

CS assigns Alice and Bob their respective pair of distinct notaries. Let and be Alice and Bob’s pair of assigned notaries, respectively.

Steps

  (i) Alice generates and while Bob generates and . Then,

  (ii) All information exchange takes place securely.

  (iii) All information exchange takes place securely.

  (iv) All information exchange takes place securely.

  (v) All information exchange takes place securely.

  (vi) CS then checks the following:
      if return
      if return
      else return

Procedure 3 Privacy Preserving Comparison (PPC)

Procedure 3 preserves the privacy of the values and from the CS, since the CS only knows the values and (for the modular multiplication of , where is a prime and no information about is known, all possible values of are equally likely). It is trivial to see that the CS cannot find out anything about the values of and from these; hence no information about or is revealed to it. In addition, every notary only has one component of the other agent’s (Alice’s or Bob’s) value, which implies that it cannot find out anything about the other agent’s value either. The commitments passed as inputs provide for verifiability of the comparison, as described in the next subsection.

Note that, PPC is independent of the length of the binary representation of or and hence is of constant order () in computational time. Further, the secure comparison is achieved in one execution of Procedure 3. Figure 1 represents the information flow during Procedure 3, schematically.
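As an added illustration (my code, not the paper's Procedures 2 and 3), the following Python model runs both comparisons on constructed values, and in doing so also makes concrete the random number representation of Section 3.1.2 and the component-wise check of Section 3.1.4. Because this page carries none of the procedures' symbols, the model makes explicit assumptions: x and y are integers below 2^L; a representation is an additive split over the integers; notary k receives component k of both values (and, in PPC, the two blinding factors) and forwards only the blinded component difference to the CS. The paper's exact routing of the blinding factors is not recoverable here, so that part is a modelling choice.

```python
import random

# Added model (not the paper's own procedures) of Procedure 2 and of PPC.
# Assumptions made here because the page carries no symbols:
#   * x, y are integers in [0, 2**L).
#   * The random number representation x = (x1, x2) of Section 3.1.2 is an
#     additive split over the integers, with x1 uniform in [0, 2**SHARE_BITS)
#     and SHARE_BITS >> L, so one component alone is (statistically)
#     independent of x.
#   * Routing: notary k receives component k of both values and, in PPC, the
#     two blinding factors r_A (Alice's) and r_B (Bob's); it forwards only the
#     blinded component difference to the CS.
L = 64
SHARE_BITS = L + 128
DEFAULT_RNG = random.SystemRandom()


def seeded(seed):
    """Deterministic generator for reproducible runs; DEFAULT_RNG otherwise."""
    return random.Random(seed)


def random_representation(x, rng=DEFAULT_RNG):
    """x = (x1, x2) with x1 random and x2 = x - x1 (Section 3.1.2)."""
    x1 = rng.getrandbits(SHARE_BITS)
    return x1, x - x1


def sign(d):
    """+1 if d > 0, -1 if d < 0, 0 if d == 0: the CS's final check."""
    return (d > 0) - (d < 0)


def notary_message(x_k, y_k, r_a=1, r_b=1):
    """What notary k forwards to the CS: r * (x_k - y_k) with r = r_a * r_b.
    With r_a = r_b = 1 this is Procedure 2; otherwise it is PPC."""
    return r_a * r_b * (x_k - y_k)


def procedure2(x, y, rng=DEFAULT_RNG):
    """Secure value comparison (Procedure 2).  Returns (sign(x - y), CS view).
    Section 3.1.4: (x1 - y1) + (x2 - y2) = x - y, so the CS never sees x or y
    themselves, but it does learn their difference exactly."""
    x1, x2 = random_representation(x, rng)
    y1, y2 = random_representation(y, rng)
    d1, d2 = notary_message(x1, y1), notary_message(x2, y2)
    return sign(d1 + d2), (d1, d2)


def ppc(x, y, rng=DEFAULT_RNG):
    """Privacy Preserving Comparison (Procedure 3).  Alice's r_a and Bob's r_b
    stay private; the CS sees only d1 + d2 = r * (x - y).  Claim 1: the sign
    is unchanged because r > 0, so the result equals Procedure 2's while the
    difference x - y itself stays hidden from the CS."""
    r_a = 1 + rng.getrandbits(L)      # Alice's private blinding factor
    r_b = 1 + rng.getrandbits(L)      # Bob's private blinding factor
    x1, x2 = random_representation(x, rng)
    y1, y2 = random_representation(y, rng)
    d1 = notary_message(x1, y1, r_a, r_b)
    d2 = notary_message(x2, y2, r_a, r_b)
    return sign(d1 + d2), (d1, d2)


def cs_recovers_other_value(cs_view, x_revealed):
    """The loss of privacy discussed after Procedure 2: once x is opened (e.g.
    a winning bid), a CS holding x - y obtains y = x - (d1 + d2).  Applied to
    a PPC view the same computation yields x - r * (x - y), which is not y."""
    d1, d2 = cs_view
    return x_revealed - (d1 + d2)


if __name__ == "__main__":
    x, y = 1000, 999          # constructed values, not from the paper
    print("Procedure 2:", procedure2(x, y))
    print("PPC:", ppc(x, y))
```

Running `cs_recovers_other_value` on the two CS views is the whole point of the Discussion above: with Procedure 2 the revealed winner's value hands the CS the loser's value, with PPC it does not, and the comparison result is identical in both runs.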

Privacy Analysis.

  • In PPC, by comparing with , we preserve the privacy of the value . Thus, we make sure that even in the event that one of or is revealed, the other value is not. Moreover, as is the product of two random integers owned by Alice and Bob separately, neither agent can determine the other’s value through .

  • Note that, as is publicly known, will be an integer in the range . Thus the value of bounds the value of . However, the probability of guessing the value of from can be made negligible by choosing appropriately. For instance, of the order of bits and of the order of bits implies that is of the order of bits. This leaves possibilities for , i.e., the probability of guessing is negligible.

    Moreover, as PPC is independent of the order of , one can increase the order of the numbers to further decrease the probability of guessing from , without significantly increasing the computational cost.

  • PPC can therefore be used to design privacy-preserving mechanisms such as auctions and voting. We illustrate this with TPACAS (Section 5).

Figure 1: Schematic representation of the flow of information (steps (i) to (vi)) during PPC (Procedure 3). [image: images/Secure_Compare.png]

4.1.2 PPC Verification

Under the assumption that all agents are honest-but-curious, Procedure 3 not only preserves the privacy of the values but also ensures the correctness of the comparison, and does so in constant time. We now relax this assumption and take Alice and Bob to be strategic agents, i.e., they may misreport the values passed to their assigned notaries in order to gain an advantage. In such a setting we must therefore verify that the values passed during the procedure represent the actual values being compared.

We use a ZKP to verify that the values passed to the notaries during Procedure 3 are the same as the random representations of and . We make use of the encryptions (Pedersen commitments) and for this [footnote 3: DSIC mechanisms can be used to ensure that strategic agents report the encryption of their true value (bid, vote, etc.) in this step. We illustrate this with TPACAS (Section 5).]. Further, let Alice's public key be denoted by and Bob's by . Procedure 4 describes the interactive ZKP with the CS as the prover . For this we also make use of the help values passed by Alice and Bob to their assigned notaries in Step (ii) of Procedure 3.

We now show that the ZKP described by Procedure 4 satisfies the three properties required of a ZKP:

  • Completeness. It is trivial to see that if Eq. 2 holds, then Eq. 1 holds. That is, an honest will be able to convince that the comparison was correct.

  • Soundness. If Eq. 2 does not hold, i.e., Alice and/or Bob misreported their values, then with high probability cannot find values other than for which Eq. 1 holds. This is because Pedersen commitments are computationally binding (under the discrete-logarithm assumption).
    Discussion. This property also makes the comparison robust to misreporting by the notaries. Thus, even if we further relax the assumption that the notaries are honest-but-curious and allow them to misreport information strategically, Procedure 4 lets any detect the misreporting. PPC (Procedures 3 and 4) is thus robust to misreporting by the notaries.

  • Zero-knowledge. It is trivial to see that, by the same argument as for Procedure 3, does not gain any knowledge of the committed values or the help values from the values . Moreover, the value does not reveal any information about the value of at any stage of the procedure, because of the hardness of the discrete-logarithm problem. ∎

1 CS has and from Procedure 3.
2 CS then asks the assigned notaries to compute the following among themselves,
Here, . Further, all information exchange takes place securely.
3 CS asks to calculate and send the value . CS then asks to calculate and send the value . Similarly for commitments , and .
Let,
Observe that,
(1)
accepts that
(2)
only if Eq. 1 holds.
Procedure 4 ZKP for PPC
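The symbols of Procedures 3 and 4 did not survive in this copy, so the following is an added, self-contained model, written in Python and not taken from the paper, of what the text does state: Alice's and Bob's values are blinded by the product r = rA * rB of one random multiplier from each party; the CS sees only the blinded difference D = (a - b) * r and decides the comparison from its sign; and the Pedersen commitments given at the start, together with the blinded help value E, let a verifier check the Eq. 1 style identity g^D h^E = (C_a / C_b)^r, where the exponentiation by rA and then by rB is carried out by the notaries in turn so that the verifier never learns r. The group parameters (a 160-bit safe prime with h = g^s for a discarded trapdoor s), the 50-bit values and multipliers, the fixed seed and all function names are assumptions made for the example; the routing of shares among the four notaries is abstracted into a single function and makes no claim about the paper's message flow or its collusion structure (Section 4.2). The last run shows the soundness argument: a value handed to the notaries that differs from the committed one fails the check.

```python
"""Added model of the PPC comparison (Procedure 3) and its commitment-based
verification (Procedure 4). Illustrative Python; not the paper's code. All sizes,
names and the notary routing are assumptions made for the example."""
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin with random bases; sufficient for an illustration."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def setup_group(bits, rng):
    """Pedersen parameters (assumed setup): safe prime P = 2Q + 1, g = 4 (a quadratic
    residue, hence of prime order Q) and h = g^s for a trapdoor s that must be discarded;
    binding then rests on the hardness of log_g(h)."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q, rng) and is_probable_prime(p, rng):
            break
    g = 4
    h = pow(g, rng.randrange(2, q), p)
    return p, q, g, h


def commit(value, help_value, grp):
    """Pedersen commitment C = g^value * h^help mod P (perfectly hiding, computationally binding)."""
    p, q, g, h = grp
    return pow(g, value % q, p) * pow(h, help_value % q, p) % p


def notaries_blind(alice_view, bob_view, rA, rB, q):
    """Joint work of the four notaries, abstracted into one function (assumed routing).
    alice_view = (value, help) as Alice reported it to her notaries; likewise bob_view.
    Only the outputs reach the CS: D = (a - b) * rA * rB over the integers, whose sign
    decides the comparison, and E = (ha - hb) * rA * rB mod Q, the blinded help value."""
    (va, ta), (vb, tb) = alice_view, bob_view
    r = rA * rB
    return (va - vb) * r, (ta - tb) * r % q


def cs_decide(D):
    """The CS sees only the blinded difference, never rA, rB or the values themselves."""
    return "a > b" if D > 0 else ("a < b" if D < 0 else "a = b")


def notaries_raise(C, rA, rB, p):
    """Procedure 4 style step: one of Alice's notaries raises C to rA and one of Bob's raises
    the result to rB, so the verifier obtains C^(rA rB) without learning either multiplier."""
    return pow(pow(C, rA, p), rB, p)


def verifier_check(C_r, D, E, grp):
    """Eq. 1 style identity: g^D * h^E == (C_a / C_b)^r holds iff D and E are the blinded
    differences of the committed value and help value (Pedersen binding)."""
    p, q, g, h = grp
    return pow(g, D % q, p) * pow(h, E % q, p) % p == C_r


def run_ppc(a, b, grp, rng, alice_reports=None, bob_reports=None):
    """One verifiable comparison. alice_reports / bob_reports let a strategic agent hand its
    notaries a value other than the committed one. Returns (CS decision, verifier accepts, D)."""
    p, q = grp[0], grp[1]
    ha, hb = rng.randrange(1, q), rng.randrange(1, q)      # help values (commitment randomness)
    rA = rng.getrandbits(50) | (1 << 49)                    # ~50-bit multipliers, so that
    rB = rng.getrandbits(50) | (1 << 49)                    # r = rA * rB is ~100 bits
    Ca, Cb = commit(a, ha, grp), commit(b, hb, grp)         # given to the CS at the start
    alice_view = (a if alice_reports is None else alice_reports, ha)
    bob_view = (b if bob_reports is None else bob_reports, hb)
    D, E = notaries_blind(alice_view, bob_view, rA, rB, q)
    decision = cs_decide(D)
    C_r = notaries_raise(Ca * pow(Cb, -1, p) % p, rA, rB, p)   # (C_a / C_b)^r
    return decision, verifier_check(C_r, D, E, grp), D


def run_demo(seed=7):
    """Deterministic runs for the illustration (use the secrets module for real randomness).
    a - b is 2^49, a 50-bit gap as in the sizing discussion of Section 4.1.1, so D is about
    150 bits and the CS is left with roughly 2^100 candidates for a - b."""
    rng = random.Random(seed)
    grp = setup_group(160, rng)
    a, b = (1 << 49) + 777777, 777777
    out = {}
    decision, ok, D = run_ppc(a, b, grp, rng)
    out["honest"] = (decision, ok)
    out["D_bits"] = D.bit_length()
    decision, ok, _ = run_ppc(b, b, grp, rng)
    out["equal"] = (decision, ok)
    decision, ok, _ = run_ppc(a, b, grp, rng, alice_reports=a + 10**6)
    out["alice_misreports"] = (decision, ok)
    return out


if __name__ == "__main__":
    print(run_demo())
```

Running the demo gives the honest and equal-value comparisons with the verifier accepting, while the run in which Alice's notaries receive a value other than the committed one still yields a decision from the CS but fails verifier_check, which is exactly the case the soundness property is meant to catch. Note that the verifier learns C_r, D and E only; since D is (a - b) multiplied by an unknown ~100-bit r, it bounds a - b but does not determine it.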

4.2 Collusion in PPC

Procedures 3 and 4 together provide a secure and verifiable way of comparing two integers. The comparison requires semi-honest third parties, namely the notaries and the CS. While Procedure 4 ensures that the method is robust to misreporting of any value, collusion among the parties may result in loss of privacy of the values.

For instance, if both of the notaries assigned to Alice (or to Bob) collude, the privacy of Alice's (or Bob's) integer is lost. However, this form of collusion is difficult in a real-world setting, since the notaries are not aware of each other's existence in the comparison: from Procedure 3 or Figure 1, there is no line of communication between two notaries of the type , where is either Alice or Bob. Note that the CS, which makes the assignment, does know the pairing, so this protection relies on the CS not disclosing it rather than on a cryptographic guarantee.

However, if one of the two notaries assigned to Alice and one of the two assigned to Bob collude with the CS, i.e., out of parties, then the privacy of both integers is lost. This is similar to other third-party secure protocols such as [37, 30, 38]. Thus, apart from the case above, PPC is collusion resistant unless the CS is part of the collusion.

4.3 PPC Illustration

We now illustrate the verifiable comparison of two integers in PPC (Procedures 3 and 4) with an example. Let the values to be compared be , owned by Alice, and , owned by Bob, with . Further, let . Let . We have .

With this, can be represented as the pair with , and can be represented as the pair with . The following steps describe the verifiable comparison in PPC.

  • Alice and Bob send and to CS.

  • Alice sends the pair of values to and the pair of values to . Similarly, Bob sends to and to .

    Comparison.

  • sends to and sends to .

  • sends to and sends to .

  • calculates or and calculates or . The notaries send their respective values to the CS.

  • CS calculates . Hence, the CS returns the result .

    Verification.

  • CS shows that

  • CS asks the assigned notaries to send the values described in Procedure 4. CS already has and .

  • We have . This information exchange takes place securely.

  • CS computes and .

  • CS shows the following,

  • Hence, is convinced that the comparison was of the same values as those committed by Alice and Bob.

We now use PPC, introduced above for the secure comparison of two integers, to present a novel secure combinatorial auction for the single-minded case that preserves the privacy of each agent's bidding information even after the bidding phase is over, namely TPACAS.

5 TPACAS Auction Protocol

In TPACAS, is the set of agents, wherein is the seller itself, and all arithmetic operations (except the payments) are modulo for the commitments and modulo for the values to be committed as well as the help values. Further, acts as the CS. We assume that and the set of notaries are honest-but-curious, while the bidders are also strategic, as described in Section 4.1.2. Before describing the secure auction protocol, we define the following with respect to TPACAS:

  • Item Bundle. In TPACAS, an agent submits its item bundle , consisting of a commitment to each of its preferred items at least once, together with additional commitments (under fresh randomness) to some or all of its preferred items, chosen at random such that . The fixed size of the bundle thus reveals nothing about how many items the agent actually wants. Formally,

    Definition 10 (Item Bundle).

    An agent ’s item bundle is defined as where and ,

    where is the set of non-distinct items randomly chosen from such that .

  • Secure Bulletin Board. A Secure Bulletin Board (SBB) consists of publicly known websites controlled by . All data published on it is time-stamped and cannot be erased. uses the SBB to publish all public information about the auction, including the initial auction announcement, the (committed) information that has been submitted, and proofs that can be used to verify all publicly available information about the outcome. The content of the SBB is viewable by all participating agents, and all are assured that they are viewing the same content. For example, the SBB can be a smart contract over a blockchain, since all values submitted to a smart contract are recorded on a publicly distributed ledger such as the Ethereum blockchain. Note that such a ledger is readable by anyone, not only the participating agents, so only commitments and proofs, never plaintext bids or help values, should be posted to it.

Protocol 5 presents the TPACAS auction protocol. Note that, while we require , we do not require any such bound on . [footnote 4: This step ensures that no information about the items being compared is revealed (Section 5.2).] Figure 2 summarizes the information flow among the participating agents during the execution of the protocol, schematically.

1 sets up the auction by announcing (or ) as well as the items being auctioned.
2 At the start of the auction, every agent gives its public id to , upon which securely assigns to every agent a secret identifier . These identifiers are known only to and to no other agent.
3 generates a random for each item, which is known to every agent but not to the notaries. The agents commit to these ids instead of committing directly to their preferred set of items. The can be greater than , since to compare items we only need to check whether the ids are equal.
4 assigns a pair of notaries to every agent randomly.
Bidding Phase:
5 (a) Each agent submits its bid tuple, i.e., , to . Each agent's must be less than . Every also submits its item bundle . (b) publishes the bid tuple and the item bundle on the SBB for non-repudiation.
Post-Bidding Phase:
6 Each agent sends the random representation of the value , as well as the random representations of all the commitments in , along with the help values of its commitments and its private integers, to its assigned notaries, i.e., sends to and to