
Secure Supply-Chain Protocols

Mikhail J. Atallah, CERIAS and Computer Sciences, Purdue University, [email protected]
Vinayak Deshpande, Krannert School of Management, Purdue University, [email protected]

Abstract

Supply chain interactions have huge economic importance, yet these interactions are managed inefficiently. One of the major sources of inefficiency in supply-chain management is information asymmetry; i.e., information that is available to one or more organizations in the chain (e.g., manufacturer, retailer) is not available to others. There are several causes of information asymmetry, among them fear that a powerful buyer or supplier will take advantage of private information, that information will leak to a competitor, etc. We propose Secure Supply-Chain Collaboration (SSCC) protocols that enable supply-chain partners to cooperatively achieve desired system-wide goals without revealing the private information of any of the parties, even though the jointly-computed decisions require the information of all the parties. Secure supply-chain collaboration has the potential to improve supply-chain management practice, and, by removing one major inefficiency therein, improve productivity. We present specific SSCC protocols for two types of supply-chain interactions: capacity allocation, and e-auctions. In the course of doing so, we design techniques that are of independent interest, and are likely to be useful in the design of future SSCC protocols.

Keywords: Supply-chain online interactions, privacy, security, secure multi-party computation, capacity allocation in e-commerce, e-auctions.

Portions of this work were supported by Grants EIA-9903545 and ISS0219560 from the National Science Foundation, Contract N00014-02-10364 from the Office of Naval Research, by sponsors of the Center for Education and Research in Information Assurance and Security, and by Purdue Discovery Park’s e-enterprise Center.

Hicham G. Elmongui, CERIAS and Computer Sciences, Purdue University, [email protected]
Leroy B. Schwarz, Krannert School of Management, Purdue University, [email protected]

1. Introduction

Information asymmetry is known to create inefficiencies in managing supply chains, among them under-investment in capacity leading to shortages; misallocation of inventory, transportation, and management resources; increased prices; and reduced customer service. It can also lead to increased use of premium shipping, increased penalties resulting from line shut-downs, and lost future business contracts. Unfortunately, the barriers to information-sharing are significant, among them fear that information voluntarily shared with a partner will be used against the volunteer, fear that sensitive information will leak to a competitor, government regulations about information-sharing, etc. Further, if one of the parties is government, then there are national security reasons to protect secret information.

These barriers can be overcome if traditional methods for information-sharing are replaced by Secure Supply-Chain Collaboration (SSCC) protocols, which would enable supply-chain partners to cooperatively achieve desired system-wide goals without revealing any private information, even though the jointly-computed decisions require this information. The contributions of this paper are (i) to present such protocols for two classes of supply-chain interactions (capacity allocation under various policies, and bidding and auctions under both discriminatory and nondiscriminatory pricing), and (ii) to give techniques and building blocks that are likely to be useful in the design of future SSCC protocols.

2. Related work

Because this paper relates to both protocols and supply chains, we need to review related work from both.

2.1. Related Cryptographic techniques

The closest area of cryptography relevant to our work is secure multiparty computation [28]. Secure multi-party protocols are a form of cooperative distributed computing that preserves the privacy of the participants’ data. This general class of computations typically takes the following form between two parties: “Alice” and “Bob” each have a private input (say, for Alice and for Bob), and they want to compute where the efficiently computable function is known to both Alice and Bob. However, neither side is willing to disclose his/her private data to the other party, or even to any third party. A protocol that involves only Alice and Bob is said to be secure if, at its end, Alice and Bob know only (and their respective inputs, of course). Of course, Alice might infer something about from her knowledge of , , and , but that is unavoidable.

Goldreich states in [10] that although the general secure multi-party computation problem is solvable in theory, using the solutions derived by these general results for special cases can be impractical. In other words, efficiency dictates the development of special solutions for special cases. In addition, as noted above, the characteristics of supply-chain settings necessitate the development of such solutions. For example, whereas in most secure multiparty settings all the parties know the function they are cooperatively computing, in our case each party (e.g., Alice) is computing her own individual function that is just as important to keep hidden from the other participants as her private data . Another complication is that the decision computed by a participant (e.g., Alice) can depend not only on the other participants’ private data ( ), but also on their private functions as well. To see how this can happen, simply consider the case of a multi-party supply chain negotiation where each party (say, Bob) can “drop out” of the negotiation depending on the value of .

The theoretical general secure multiparty computation techniques can be modified to handle this, but the resulting methods are even more impractical than the above-mentioned ones for the case when all sides are cooperatively computing the same function.

In Selective Private Function Evaluation (SPFE) [22], a client interacts with one or more servers holding copies of a database $x = x_1, \ldots, x_n$ in order to compute $f(x_{i_1}, \ldots, x_{i_m})$, for some function and indices $i_1, \ldots, i_m$ chosen by the client. Ideally, the client must learn nothing more about the database than $f(x_{i_1}, \ldots, x_{i_m})$, and the servers should learn nothing. The requirement that the server not know in SPFE is similar to our requirement that not be known to any of the other participants, although we have not used SPFE techniques in our protocols.
2.2. Supply-chain background

Historically, supply-chain management research has focused on “centralized” policies; i.e., decision-rules for optimizing a single objective function (e.g., system profit) under the assumption that all the information about the system (e.g., costs, capacity, inventory status) is available to a central planner. In mathematical terms, supply-chain research has historically focused on problems of the form optimize , where the input vector is centrally available and a single decision-maker optimizes this function. See [21] and [8], for examples of this research. Although this literature has contributed decision-rules for managing supply chains that employ centralized information and control, in fact, most real-world supply chains are managed, not by a single decision-maker, but by several decision-makers, each with their own, often incompatible, objective functions, and each using her/his own proprietary information.

Today, research in supply-chain management is largely focused on multiple decision-makers with multiple objective functions, each formulating their own decision-rules on the basis of “asymmetric information” (i.e., information available to any given decision-maker is not necessarily available to any other decision-makers). In mathematical terms, this stream of research splits the traditional objective function into separate objective functions 0 and for Alice and Bob respectively, based on private inputs and . The intellectual roots of this new focus on decentralized supply-chains are auctions and other information-asymmetry models in economic game theory. In these information-asymmetry models, without loss of generality, Alice typically acts as a leader and provides incentives to Bob to “reveal” his private input , in addition to participation constraints on . Alice then takes action based on Bob’s data.
There is also a national program underway, sponsored by the Voluntary Intraindustry Commerce Standards (VICS) association, to develop standards and procedures under which independent buyers and sellers can share plans, forecasts, and decision-making involving inventory replenishment. This program, called Collaborative Planning, Forecasting, and Replenishment (CPFR), has attracted the interest of literally hundreds of companies (http://www.cpfr.org/Members.html). Unfortunately, CPFR must overcome at least one major obstacle in order to achieve success for buyers and sellers: the reluctance of either/both to share private, proprietary information.

Several researchers have examined the value of information-sharing in a supply-chain. Iyer and Ye [12], for example, assess the value of information sharing in a retail environment, where retailers share promotion information with their suppliers. Song and Zipkin [25] develop an inventory-replenishment policy to take advantage of information about supply conditions. Cachon and Fisher [4] study the value of sharing demand and inventory level information in a supply chain. More recently, Aviv [2, 3] has examined the effect of collaborative forecasting on supply-chain performance. This work, the literature on centralized decision-making, and the agency loss associated with decentralized decision-making, provide the supply-chain motivation and foundation for our work.

3. Capacity Allocation in E-Commerce

Consider a single supplier and $N$ retailers. The supplier has a constant marginal production cost, but limited capacity, $K$. The retailers operate in non-competing retail markets, each with a linear demand curve: $q = a - p$, where $q$ is market demand, $p$ is the retail price, and $a$ is the market potential (i.e., what demand will be if price equaled zero). Everyone, including the supplier, knows the form of the retailer’s demand curve, but each retailer’s $a$ is its private information. In order to maximize its profits, each retailer wants to maximize its revenue, $pq$. Hence, retailer $i$ (defined to have $a = a_i$) would like to order (and sell) $q_i = a_i/2$ units, at price $a_i/2$ per unit, and receive revenue $a_i^2/4$. Note that $a_i/2$ is the maximum transfer price/unit retailer $i$ is willing to pay the supplier; i.e., a higher transfer price will yield a loss; a lower price provides a profit; and, the lower the transfer price, the higher retailer $i$’s profit.

If the supplier has unlimited capacity and knows each retailer’s $a$, then, in order to maximize its profits, the supplier will charge retailer $i$ a transfer price $a_i/2$ per unit, thereby sucking up all of the profits in the system. The supplier is able to do so because she knows that the retailer is making a profit at a lower price, since she knows $a_i/2$. If the supplier has limited capacity, $K$, and knows every retailer’s $a$, then she will allocate the capacity, $K$, such that the marginal revenues are equal across all retailers. For example, if there exist two retailers with parameters $a_1$ and $a_2$ and capacity is tight, then the retailer will allocate the capacity such that $a_1 - 2q_1 = a_2 - 2q_2$. And, again, because the supplier knows every retailer’s $a$, the supplier will be able to price these units so that she captures all the retailers’ profits.
Now suppose that all the supplier has is a probability distribution on each retailer’s $a$. The supplier’s goal is the same; i.e., to maximize its profit, but now has to do so in light of uncertainty about each retailer’s $a$. There are two consequences of the corresponding misallocation: (1) total profit in the supply chain decreases below its maximum possible value; and (2) some retailers get some positive profit. In [7], Deshpande and Schwarz designed an incentive compatible pricing and allocation scheme to get every retailer to reveal its $a$, thereby allowing the retailer to maximize its profit without forcing any retailer to experience a loss. Moreover, they show that the optimal allocation policy, $A(a_1, a_2, \ldots, a_N)$, for the supplier is to equalize the information rent-adjusted marginal revenues across all retailers. They were able to establish the following optimal allocation rule:

Theorem 1 If retailers face deterministic downward sloping linear demand, with the intercept of the demand-curve $a$ private to the retailers, then the linear allocation mechanism (defined below) is optimal for the supplier.

Definition 3.1 (Linear Allocation) Index the retailers in decreasing order of their quantities; i.e., $q_1 \ge q_2 \ge \cdots \ge q_N$. Retailer $i$ is allocated $A(q_i, \hat{n})$ where

$$A(q_i, \hat{n}) = q_i - \frac{1}{\hat{n}} \max\Big\{0, \sum_{j=1}^{\hat{n}} q_j - K\Big\} \quad \text{if } i \le \hat{n},$$

and zero otherwise. Here $\hat{n}$ is the number of the retailers who will actually buy, $K$ is the total capacity that the supplier can provide, and $A(q_i, \hat{n}) \ge 0$ for all $i \le \hat{n}$.

Note that the linear allocation scheme should be jointly implemented with the optimal pricing scheme, as designed in [7], for the scheme to be incentive compatible.

Intuitively, linear allocation is simply an “equal sharing of the pain” among the buyers, with the understanding that if that pain exceeds the $q_i$ of a buyer then that buyer drops out. This is why $\hat{n}$, the number of buyers who do not drop out, can be less than the number $n$ of initial buyers. If there are $\hat{n}$ actual buyers, then they each get the same amount less than their order, i.e., the “pain” inflicted on each buyer is equal to (total shortage)/$\hat{n}$ where the total shortage equals what the $\hat{n}$ buyers would have wanted minus $K$. (Note that the total shortage is not $q_1 + \cdots + q_N - K$.)

Deshpande and Schwarz also prove the structure of the optimal policy for the supplier if the retailers are “newsvendors”, i.e., retailers, like real newsvendors, face demand generated from a probability distribution.
Theorem 2 If retailers are newsvendors with a normal demand distribution with mean $a$, and an exponential prior on $a$, then the linear allocation mechanism is optimal for the supplier.

Theorem 3 If retailers are newsvendors with a uniform demand distribution on $[0, a]$, and a Pareto supplier’s prior on $a$, then the proportional allocation mechanism (defined below) is optimal for the supplier.

Definition 3.2 (Proportional Allocation) Retailer $i$ is allocated $A(q_i, N)$ where

$$A(q_i, N) = \frac{K q_i}{\sum_{j=1}^{N} q_j}.$$

Here $N$ is the number of the retailers, and $K$ is the total capacity that the supplier can provide.

Note that in proportional allocation every retailer is allocated a positive quantity, and therefore $\hat{n} = N$. The optimal allocation mechanisms derived above are based on the revelation principle, which states that the supplier can induce the retailers to truthfully reveal their order quantities $q_i$, thus indirectly revealing their private information parameter $a_i$ to the supplier.

3.1. Information Required for SSCC

The allocation mechanism described above and its corresponding pricing policy described in [7] might be appropriate if allocation decisions are made once and only once. However, if allocation decisions are repeated, say, weekly over a selling season of several months, then there would be no incentive for the retailers to participate after the first allocation, since, after that, they would make no profits, because their $a$’s would have been revealed as part of the first allocation process. (Note that the linear allocation mechanism requires each retailer to reveal its true order quantity $q_i$ based on its information parameter $a_i$.)

In the next subsection, we sketch secure protocols for the above allocation mechanisms. These protocols for allocation use the retailer order quantities $q_i$, $i = 1, \ldots, N$, as inputs and compute the allocation, $A(q_1, q_2, \ldots, q_N)$ defined above, without revealing any retailer’s private information parameter $a_i$ either to the supplier or to the other retailers. Since these protocols do not reveal the individual retailers’ private information parameter, these protocols can be used repeatedly, unlike the auction mechanism described in [7].

Before the protocol every retailer $i$ knows his quantity $q_i$, and the supplier knows her capacity $K$. After the protocol is completed, every retailer knows the actual quantity $A(q_i, \hat{n})$ she would be allocated under the allocation policy (whether linear or proportional), $\hat{n}$, and nothing else (other than what she can infer from $A(q_i, \hat{n})$, which is unavoidable). The protocol itself does not reveal the individual $q_i$ or $\sum_i q_i$.

3.2. Secure Information Protocols

We present the protocols corresponding to both capacity allocation models. The details of some of the used building blocks come in later sections. In the versions of the protocols presented in this document, we assume by default that the participating parties are honest-but-curious, i.e. they will follow the protocol, but while doing so they could nevertheless try to illegally compute information about the other party’s secret data. However, we often give protocols that can handle dishonest behavior that is worse than the honest-but-curious (participants who do not follow the protocol, or who collude with some of the participants against other participants). Finally, we treat prices and quantities as essentially continuous, so the protocols (in their current form) are not appropriate for interactions about small numbers of “widgets” (like large ships or aircraft, where rounding to within 1 unit is significant). We believe our protocols can be modified to handle such cases as well, but we have not yet looked at the details of these modifications.

Linear Allocation Protocol

1. Every retailer initially marks himself as “active” (some will mark themselves as “passive” as the protocol proceeds). We use $\mathcal{P}$ to denote the set of active retailers. We use $\hat{n}$ to denote $|\mathcal{P}|$.

2. Repeat the following substeps (a)–(d) until $\hat{n}$ ceases to change from one iteration to the next:

(a) Every retailer $i$ generates a random $r_i$. Let $r = \sum_{i=1}^{N} r_i$; note that no single party knows $r$.

(b) Using a secure simultaneous summation protocol (discussed later), the participants cooperatively compute both $\hat{n}$ and $y = \sum_{i \in \mathcal{P}} q_i - K + r$ in such a way that $\hat{n}$ is known to all participants but $y$ is known only to the supplier.

(c) If the computed $\hat{n}$ is the same as it was in the previous iteration of these substeps (a)–(d) then the protocol moves to Step 3 below, otherwise it continues with the next substep (d).

(d) The participants run a secure simultaneous summation protocol in which the supplier’s item (used in the summation) is $y/\hat{n}$, and every retailer $i$’s item is $r_i/\hat{n}$, such that the answer to the summation is known to the retailers but not to the supplier. All the retailers therefore simultaneously learn the quantity $y/\hat{n} - r/\hat{n} = \big(\sum_{i \in \mathcal{P}} q_i - K\big)/\hat{n}$, which happens to be the current (tentative) pain per active retailer. If that pain exceeds any active retailer’s $q_i$ then that retailer $i$ marks itself as “passive” (and is implicitly no longer in $\mathcal{P}$ even though it continues to be a party to the protocol).

3. The “pain per active retailer” that was computed in the last iteration of the above Step 2(d) is taken to be the true one, and every active retailer $i$ computes his allocation $A(q_i, \hat{n})$ as being equal to $q_i$ minus that “pain per active retailer”.

Note that, in the above, retailers who are no longer active continue to participate in the protocol (of course they now contribute 0 rather than 1 to the distributed computation of $\hat{n}$): Excluding them from subsequently participating in the protocol would have the drawback of revealing to the other participants who is no longer in $\mathcal{P}$.

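The Linear Allocation Protocol above can be traced with the following added example, which is not code from the paper. It assumes that the retailers' masks enter substep (d) with a negative sign so that they cancel, that the pain is clamped at zero as in Definition 3.1, and it replaces the secure summation protocol (not specified in this part of the paper) with a hypothetical `secure_sum` stand-in that exposes only the total.

```python
from fractions import Fraction
import secrets

MASK_BOUND = 10**12  # constructed range for the random masks r_i


def secure_sum(items):
    """Stand-in (assumption) for the secure summation protocol: only the
    total is exposed to whoever is entitled to learn it."""
    return sum(items, Fraction(0))


def linear_allocation_protocol(q, K):
    """Steps 1-3 for order quantities q and capacity K.

    Returns (allocations, n_hat, supplier_view); supplier_view holds the
    masked values y that the supplier saw, one per iteration.
    """
    q = [Fraction(x) for x in q]
    K = Fraction(K)
    active = [True] * len(q)                      # Step 1
    prev_n_hat, pain, supplier_view = None, Fraction(0), []
    while True:
        # (a) fresh mask per retailer; no single party knows r = sum(r_i)
        r = [Fraction(secrets.randbelow(MASK_BOUND) + 1) for _ in q]
        # (b) n_hat is public; y = sum_{active} q_i - K + r goes to the supplier
        n_hat = int(secure_sum(Fraction(int(a)) for a in active))
        y = secure_sum([qi if a else Fraction(0) for qi, a in zip(q, active)]
                       + r + [-K])
        supplier_view.append(y)
        # (c) stop once the active count is stable
        if n_hat == prev_n_hat or n_hat == 0:
            break
        prev_n_hat = n_hat
        # (d) supplier contributes y/n_hat; retailers' masks cancel (assumed sign)
        pain = secure_sum([y / n_hat] + [-ri / n_hat for ri in r])
        pain = max(pain, Fraction(0))             # max{0, .} of Definition 3.1
        for i, qi in enumerate(q):
            if active[i] and pain > qi:           # passive retailers stay in the
                active[i] = False                 # protocol but contribute 0
    # Step 3: active retailers subtract the last computed pain
    alloc = [qi - pain if a else Fraction(0) for qi, a in zip(q, active)]
    return alloc, n_hat, supplier_view


def linear_allocation_direct(q, K):
    """Definition 3.1 computed in the clear, for comparison."""
    order = sorted(range(len(q)), key=lambda i: q[i], reverse=True)
    for n_hat in range(len(q), 0, -1):
        top = order[:n_hat]
        shortage = sum(Fraction(q[i]) for i in top) - K
        pain = max(Fraction(0), shortage / n_hat)
        if all(q[i] - pain >= 0 for i in top):
            alloc = [Fraction(0)] * len(q)
            for i in top:
                alloc[i] = Fraction(q[i]) - pain
            return alloc, n_hat
    return [Fraction(0)] * len(q), 0
```

With the constructed orders 50, 40 and 6 against capacity 70, the smallest retailer drops out after the first round and the remaining two share a shortage of 20, while the supplier only ever sees the masked values.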
The number of iterations in the above protocol could, in the worst case, be $N$. We have made an observation that brings the number of iterations down to $\log N$. In a nutshell, after defining two functions and on the indices $1, \ldots, N$, we give a characterization of the “stable value” of $\hat{n}$ in terms of the relationship between $\hat{n}$ and $\hat{n}$ that is reached at the last iteration of Step 2. The characterization in turn makes possible a binary search for the stable $\hat{n}$ in Step 2. We omit the details.

Proportional Allocation Protocol

1. The $N$ retailers cooperatively choose a random $r$ that is known to all except the supplier.

2. Each retailer $i$ sends $r q_i$ to the supplier.

3. The supplier computes $y$, the sum of what he received, $y = r \sum_{i=1}^{N} q_i$, and sends $y$

4. Every retailer $i$ computes its allocation $q'_i$ as $q'_i = r K q_i / y = q_i K / \sum_{i=1}^{N} q_i$.

5. Every retailer $i$ sends its $q'_i$ to the supplier. The supplier verifies that the sum of the $q'_i$’s equals $K$. If so the protocol terminates. Otherwise cheating has taken place by one or more retailers, where “cheating” by retailer $i$ means sending a $q'_i$ that is not consistent with the initial $q_i$ that retailer $i$ had used earlier in Step 2; i.e., it consists of retailer $i$ changing its mind about its quantity after it has learned (in Step 4) what its true $q'_i$ would have been. If cheating has been detected then Step 6 below pinpoints which retailer(s) cheated.

6. For every retailer $i$, the supplier determines whether $i$ has cheated as follows: The supplier compares, for all other retailers $j$, the ratio $q'_i/q'_j$ (available from Step 5) with the ratio $q_i/q_j$ (available from Step 2). If the two ratios do not equal each other for a majority of other $j$ values then the supplier decides that retailer $i$ is a cheater.

Note 1. It is easy to see that the above cheater-detection scheme works as long as a majority of the retailers are honest.

Note 2. Keith Frikken has pointed out that, instead of verifying for every $i, j$ pair in Step 6, the supplier could simply compute for every retailer $i$ the ratio of $q'_i$ to the $r q_i$ he received from $i$ in Step 2 (that ratio must be the same for all $i$’s).
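The blinding and the two cheater checks of the Proportional Allocation Protocol can be run end to end with this added example, which is not code from the paper. It assumes every order is positive and that the retailers learn $K$ together with $y$ in Step 3; the function names and the `tamper` parameter are hypothetical.

```python
from collections import Counter
from fractions import Fraction
import secrets


def cheaters_by_ratio(blinded, reported, K):
    """Note 2: the ratio q'_i / (r*q_i) must be the same for every i.
    The majority value is taken as the honest one (Note 1)."""
    if sum(reported) == K:                       # Step 5 passes
        return []
    ratios = [rep / b for rep, b in zip(reported, blinded)]
    honest_ratio, _ = Counter(ratios).most_common(1)[0]
    return [i for i, ratio in enumerate(ratios) if ratio != honest_ratio]


def cheaters_pairwise(blinded, reported, K):
    """Step 6 as written: i is a cheater if q'_i/q'_j differs from q_i/q_j
    for a majority of the other retailers j (compared by cross-multiplying)."""
    if sum(reported) == K:
        return []
    flagged = []
    for i in range(len(reported)):
        others = [j for j in range(len(reported)) if j != i]
        mismatches = sum(
            1 for j in others
            if reported[i] * blinded[j] != reported[j] * blinded[i])
        if 2 * mismatches > len(others):
            flagged.append(i)
    return flagged


def run_proportional(q, K, tamper=None):
    """Steps 1-5. tamper maps a retailer index to the q'_i it reports instead
    of its true allocation (a retailer changing its mind after Step 4).
    Returns (true allocations, what the supplier saw in Step 2, reports)."""
    q = [Fraction(x) for x in q]
    K = Fraction(K)
    # Step 1: r is shared by the retailers and hidden from the supplier
    r = Fraction(secrets.randbelow(10**9) + 2)
    # Step 2: the supplier sees only r*q_i, i.e. ratios between orders
    # but not their magnitudes
    blinded = [r * qi for qi in q]
    # Step 3: y = r * sum(q_i)
    y = sum(blinded)
    # Step 4: q'_i = r*K*q_i / y = K*q_i / sum(q)
    alloc = [r * K * qi / y for qi in q]
    # Step 5: each retailer reports its allocation
    reported = list(alloc)
    for i, value in (tamper or {}).items():
        reported[i] = Fraction(value)
    return alloc, blinded, reported
```

For the constructed orders 30, 50 and 20 with capacity 60 the allocations are 18, 30 and 12; if the third retailer reports 20 instead of 12, the sum check fails and both detection routines single it out.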

4. E-Auctions

In economics, information asymmetry has been widely studied using principal-agent models with adverse selection (see [9]). These models assume that a principal makes decisions and sets contracting parameters for single or multiple agents, without complete information about agent’s “actions” [1, 20, 26]. Auction theory has also been used to model information-asymmetry problems, as described in the seminal papers by Vickrey [27], Myerson [16], Riley and Samuelson [19], and Milgrom and Weber [15]. See Klemperer [14] for a more recent review on the theory of auctions. The use of auctions for allocating resources such as securities is described by Harris and Raviv [11]. Optimal auctions typically invoke the revelation principle, which states that it is sufficient for a principal to restrict his/her attention to contracts/auctions that induce the agents to tell the truth. Although useful in theory, the revelation principle does not necessarily yield practical procedures and protocols.

We consider two broad models: One where all buyers (bidders) get the same unit price from the supplier (non-discriminatory pricing), and another where different buyers can get different prices from the supplier depending on their demand (discriminatory pricing). We begin with the former.

4.1. E-Auctions with non-discriminatory Pricing

In this model of supply-chain interaction, a seller wants to fix the selling price for all the buyers. Each buyer $i$ has a price-quantity pair $(p_i, q_i)$ expressing his preference to buy $q_i$ units at a unit price of $p_i$, based on an underlying demand curve $q_i = a_i - p_i$. The seller has a supply curve $q = p + a$ and wants to figure out what price $p$ she should ask from all of them according to the total demand: $p$ is the price from the supply curve that corresponds to the total demand $\sum_{i=1}^{N} q_i$. Under the rules of the auction, each buyer’s demand parameter $a_i$ is not to be revealed to any other buyer. Further, the seller is to remain ignorant of any buyer’s individual demand parameter before setting her price, thereby facilitating a policy of non-discriminatory pricing. The price charged by the seller is a function of the bids received. After the common price $p$ is announced, only those buyers $i$ whose price $p_i$ is lower than $p$ are allowed not to buy, and those buyers whose $p_i \ge p$ are not allowed to jack up their $q_i$.

4.1.1 Information and Decision Criteria for non-discriminatory price auctions

The relevant information from the buyers is their price quantity pair bids $(p_i, q_i)$. The fixed price charged by the seller is a function of the bids received. However, the seller is not supposed to know the total demand of the bidders before setting her price. After the common price $p$ is known to everybody, only those buyers $i$ whose price $p_i$ is lower than $p$ are allowed not to buy, and those buyers whose $p_i \ge p$ are not allowed to jack up their $q_i$. This is achieved by having each buyer $i$, as a first step in the protocol, send the seller a “commitment” to its $p_i$ and (separately) one for its $q_i$, without revealing either of them to the seller; this ties the hands of buyer $i$ and prevents her from modifying $p_i$ or $q_i$ after the negotiation is over (for details of how commitment is done using cryptography we refer the reader to textbooks such as [24]). At the end of the protocol, a buyer $i$ whose $p_i < p$ will “open” her commitment to $p_i$ (i.e., reveal $p_i$ to the seller) as a justification for not buying at price $p$, whereas a buyer whose $p_i \ge p$ will open her commitment to $q_i$ (i.e., reveal $q_i$ to the seller) as a proof that she did not change her original $q_i$ after learning of the advantageous $p$. It is a crucial property of cryptographic commitment protocols that the seller can verify whether the revealed $p_i$ or $q_i$ match the commitment originally sent by buyer $i$. Note that no buyer $i$ reveals to the seller both $p_i$ and $q_i$, and that no buyer knows $\sum_{i=1}^{N} q_i$. The protocol is given below.

Non-Discriminatory Pricing Protocol

1. Every bidder $i$ gives the seller a cryptographic commitment to its $q_i$ (which, as discussed earlier, does not reveal $q_i$ to the seller yet prevents the bidder from changing its $q_i$ value later on).

2. Every buyer initially marks itself as “active” (some will later mark themselves as “passive” as the protocol proceeds). We use $\mathcal{P}$ to denote the set of active buyers and $\hat{n}$ to denote $|\mathcal{P}|$; at this stage $\hat{n} = N$.

3. Repeat the following substeps (a)–(c) until $\hat{n}$ ceases to change from one iteration to the next:

(a) The buyers and the seller all engage in the secure summation protocol (twice) to simultaneously get (i) $\hat{n}$ and (ii) $p = \sum_{i \in \mathcal{P}} q_i - a$; recall that $p = q - a$ is the seller’s supply curve. For the $p$ computation, the “data” used by an active buyer $i$ in this summation protocol is $q_i$, by a passive buyer is 0, whereas the supplier uses $-a$. For the $\hat{n}$ computation, the data is 1 if that buyer is active (i.e., in $\mathcal{P}$), and 0 otherwise.

(b) If the computed $\hat{n}$ is the same as it was in the previous iteration of these substeps (a)–(c) then the protocol moves to Step 4 below, otherwise it continues with the next substep (c).

(c) Buyers whose $p_i < p$ mark themselves as “passive” (i.e., no longer in $\mathcal{P}$).

4. Buyers whose $p_i \ge p$ reveal their $q_i$ to the seller, who verifies that it matches the commitment received in Step 1.

The table below summarizes who knows what after the above protocol completes:

[Table: who knows what after the protocol completes; columns: Supplier, Buyer]
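The role of the commitments in the Non-Discriminatory Pricing Protocol is shown by the following added example, which is not code from the paper. It assumes a SHA-256 hash commitment over a random nonce and the value (the paper only refers to textbooks for the commitment scheme), commits to both $p_i$ and $q_i$ as Section 4.1.1 describes, and computes the sums of Step 3 in the clear in place of the secure summation protocol; all names and bids are constructed.

```python
import hashlib
import hmac
import secrets


def commit(value):
    """Hash commitment (assumed construction): SHA-256(nonce || value).
    Returns (commitment for the seller, opening kept by the buyer)."""
    nonce = secrets.token_bytes(32)
    digest = hashlib.sha256(nonce + str(value).encode()).digest()
    return digest, (nonce, value)


def verify(commitment, opening):
    """Seller-side check that an opened value matches the commitment."""
    nonce, value = opening
    expected = hashlib.sha256(nonce + str(value).encode()).digest()
    return hmac.compare_digest(commitment, expected)


def discover_price(bids, a):
    """Step 3: iterate until the number of active buyers is stable.
    bids is a list of (p_i, q_i); a is the seller's supply-curve parameter."""
    active = [True] * len(bids)
    prev_n_hat = None
    while True:
        n_hat = sum(active)
        price = sum(q for (_, q), act in zip(bids, active) if act) - a
        if n_hat == prev_n_hat:                  # (b) stable, go to Step 4
            return price, active
        prev_n_hat = n_hat
        # (c) buyers with p_i < p mark themselves passive
        active = [act and p_i >= price for (p_i, _), act in zip(bids, active)]


def run_auction(bids, a, cheat=None):
    """Full run. cheat maps a buyer index to the quantity that buyer claims
    in Step 4 instead of the committed one. Returns (price, results) where
    results[i] = (action, revealed value, commitment verified?)."""
    cheat = cheat or {}
    p_commits = [commit(p_i) for p_i, _ in bids]      # Section 4.1.1
    q_commits = [commit(q_i) for _, q_i in bids]      # Step 1
    price, active = discover_price(bids, a)
    results = {}
    for i, (p_i, q_i) in enumerate(bids):
        if active[i]:
            # Step 4: an active buyer opens q_i so it cannot be raised later
            nonce, _ = q_commits[i][1]
            claimed = cheat.get(i, q_i)
            ok = verify(q_commits[i][0], (nonce, claimed))
            results[i] = ("buys", claimed, ok)
        else:
            # A passive buyer opens p_i to justify not buying at the price
            ok = verify(p_commits[i][0], p_commits[i][1]) and p_i < price
            results[i] = ("declines", p_i, ok)
    return price, results
```

A buyer who tries to raise its quantity after seeing the final price cannot produce an opening that matches the commitment it sent in Step 1, so the seller rejects the claim.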

4.2. E-auctions with discriminatory pricing

The main difference from the non-discriminatory case is that, whereas in the former all the buyers get the same price, in this framework the price paid by each buyer is not fixed but rather is a function of its bid. The relevant information from the buyers is their price quantity pair bids $(p_i, q_i)$. The goal for the seller is to set the price paid by the buyers as a function of the bids received so as to maximize its revenue, i.e. $\max \sum_i p_i q_i$, subject to the supply constraint $\sum_i q_i \le K$. The “pick-and-choose” protocol (below) reveals to each buyer only which (if any) of that buyer’s alternative $(p_i, q_i)$ is accepted by the seller, without revealing to the seller either $p_i$ or $q_i$; the seller may have to eventually know more for external reasons such as shipping, but that is not inherent to the protocol.

4.2.1 Pick-and-Choose framework

The problem of finding the minimum number of units to be sold to the bidders, with the maximum possible revenue, was investigated by Sandholm and Suri in [23]. They proved that it is $\mathcal{NP}$-Complete, and devised a pseudopolynomial algorithm to solve it. Our protocol extends that algorithm to make it secure, in the sense that no (price, quantity) pair is to be revealed to other bidders. The details are given in [6].

4.2.2 An Architecture for Discriminatory Pricing in the Single-Seller Case

An immediate problem with discriminatory pricing is that buyer $i$ would apparently have to reveal to the seller both $p_i$ and $q_i$, which compromises that buyer’s demand curve (this was not a problem in non-discriminatory pricing because the seller did not get $p_i$). This would not be a problem in the case of multiple sellers. For the single-seller case, there is a need for designing architectures to solve this problem.

One possibility is to introduce another party to the protocol, i.e., a proxy with the following assumptions and goals: (i) the seller learns the total quantity actually sold (not the individual $q_i$’s), (ii) the proxy learns the individual $q_i$ (and can therefore direct shipping), (iii) the seller learns the dollar amount due from each buyer (the product $p_i q_i$, not the individual $p_i$), (iv) no buyer learns the total quantity sold or any price paid by another buyer, (v) the proxy does not collude with the seller or with any of the buyers, but is otherwise untrusted in the sense that he is not supposed to know any (price, quantity) pair of any other participant in the protocol. We next describe some scenarios for the interactions between the seller and the buyers.

Notes about the results below, using proxy architecture: The results below can be extended to the case of multiple sellers if the allocation of the total quantity to seller $i$ is a fixed fraction $\alpha_i \le 1$ of the total quantity. Both the seller proxy and the buyer proxy can be eliminated, and a direct many-buyer and many-seller protocol is possible, if we assume the honest-but-curious model and have no worry about keeping the parties honest (whereas in what follows we do worry about buyers changing their mind about their bid ex-post facto, about the proxy not fulfilling its obligations, etc).

In some of the scenarios described next, the seller is trying to set the price of each buyer. Mainly the following steps are honored by the different parties in order to comply with the proposed architecture. We also consider issues such as how to keep the proxy honest, and how to make the protocols resilient against collusion by a subset of the participants.

1. Each buyer $i$ has his request $q_i$ that he does not want to reveal to the proxy unless his request would be satisfied.

2. The proxy knows the maximum capacity of the seller, which is $A$.

3. A protocol is run between the proxy and the buyers in order to settle a $\hat{q}_i$ for each buyer $i$ according to some seller’s capacity allocation model. This protocol should neither reveal $A$ to the buyers nor reveal $q_i$ to the proxy or to the other buyers. The result of this protocol is that each buyer knows the available quantity he can receive, $\hat{q}_i$. The proxy knows each $\hat{q}_i$ too, as he will be the distributor of the quantities later.

4. A protocol is run between each buyer separately and the seller himself so that each of the buyers can know what is the total amount that he has to pay, $\hat{p}_i \hat{q}_i$. The seller also knows that amount as it will be his revenue. One possible protocol is the oblivious polynomial evaluation protocol [17, 5].

5. The seller collects $\hat{p}_i \hat{q}_i$ from each buyer $i$.

6. The proxy sends the total required quantities, $\sum_i \hat{q}_i$, to the seller who will send the items to the distributor (the proxy).

7. The proxy distributes the items to the retailers.

The table below summarizes who knows what after the protocol completes:

[Table: Who knows what; columns: Supplier, Proxy, Retailer]

Keeping the Proxy Honest

In the protocol as given above, the proxy can steal from the seller by sending him a different total quantity, other than the real $\sum_i q'_i$. We need to modify the protocol so that it allows the seller to detect this kind of cheating. The following modification achieves this:

1. The first retailer sends $q'_1 + R$ to the next buyer, where $R$ is a large random number known only to this buyer.
2. Each other buyer will add his $q'_i$ to the number he received from the previous buyer, then sends the sum to the next buyer.
3. The last buyer sends the sum to the seller, and the first buyer sends $R$ to the seller.
4. The seller adds $R$ to the total quantities received from the proxy. If it is equal to the sum he has received from the last buyer, $R + \sum_i q'_i$, then the proxy had sent the correct total quantity; otherwise the proxy was trying to cheat.

Preventing collusion

The previous protocol prevents the proxy from cheating, but what about the seller cheating? She can collude with the second buyer so as to know the $q_i$ of the first one. She can also collude with any buyer so as to get the sum of the $q_i$'s of the buyer before her in that ordering. Now, we modify the previous protocol to get one that keeps the proxy honest (unless a buyer colludes with him), and also prevents the successful collusion of the seller with any buyer (our scheme actually works for collusion by many, but for reasons of space limitations we do not include the general description).

1. The first buyer sends $g^{q'_1} \cdot g^{R} \bmod p$ to the next buyer, where $R$ is a large random number known only to this buyer, $g$ and $p$ are public (known to all participants), $p$ is a large prime, $g < p$, and it is best if $g$ is a primitive root.
2. Each other buyer will multiply his $g^{q'_i} \bmod p$ to the number he received from the previous buyer, then sends the product to the next buyer.
3. The last buyer sends the product to the seller, and the first buyer sends $g^{R} \bmod p$ to the seller.
4. The seller multiplies $g^{R} \bmod p$ by ($g$ raised to the power equal to the total quantities received from the proxy, modulo $p$). If the result is equal to the product he has received from the last buyer, $\left(\prod_i g^{q'_i}\right) \cdot g^{R} \bmod p$, then the proxy is honest in sending the total quantities. Otherwise the proxy was stealing from the seller.
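The two consistency checks above, as an added example that is not part of the original paper: a single-process Python simulation of the additive chain and of its exponent-based variant, showing what a seller colluding with the second buyer learns in the additive form and why the exponent form hides a quantity only when its range is too large to enumerate. The modulus `P`, base `G`, all function names and the sample allocations are constructed assumptions.

```python
import secrets

# Constructed public parameters (assumptions, not from the paper).
P = 2**127 - 1   # a Mersenne prime standing in for the large public prime
G = 3            # public base

def additive_chain(alloc, mask):
    """Running sum passed buyer to buyer; the first buyer adds the mask R."""
    running = alloc[0] + mask
    for q in alloc[1:]:
        running += q
    return running                      # the last buyer hands this to the seller

def seller_check_additive(proxy_total, mask, chain_sum):
    """Seller adds R to the proxy's total and compares with the chain result."""
    return proxy_total + mask == chain_sum

def multiplicative_chain(alloc, mask):
    """Same chain in the exponent: g^q1 * g^R, then each buyer multiplies g^qi."""
    running = pow(G, alloc[0], P) * pow(G, mask, P) % P
    for q in alloc[1:]:
        running = running * pow(G, q, P) % P
    return running

def seller_check_multiplicative(proxy_total, g_mask, chain_product):
    """Seller is given g^R only, never R itself."""
    return g_mask * pow(G, proxy_total, P) % P == chain_product

def additive_collusion_leak(first_message, mask):
    """Additive form: seller (holding R) plus second buyer learn q1 exactly."""
    return first_message - mask

def small_quantity_search(first_message, g_mask, max_q):
    """Exponent form: q1 is found by enumeration if its range is small."""
    for guess in range(max_q + 1):
        if pow(G, guess, P) * g_mask % P == first_message:
            return guess
    return None

if __name__ == "__main__":
    alloc = [42, 17, 5]                 # constructed allocations q'_i
    R = secrets.randbits(120)
    # Honest proxy total passes the additive check.
    print(seller_check_additive(sum(alloc), R, additive_chain(alloc, R)))
    # A proxy total that is 4 short fails the multiplicative check.
    print(seller_check_multiplicative(sum(alloc) - 4, pow(G, R, P),
                                      multiplicative_chain(alloc, R)))
```
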

Although the seller has $g^{R} \bmod p$ and can collude with the second buyer to receive $g^{q'_1} \cdot g^{R} \bmod p$, knowing $q_1$ is still as hard as solving the discrete logarithm problem (a problem widely believed intractable). However, this is true only for large values of the $q_i$'s; for small $q_1$, the seller can find it by trying all its possible values. We have a scheme that overcomes this drawback (we cannot include it here due to space limitations; for the same reason we do not include the extension to collusion-resistance against collusion by $k$ entities for any a priori known constant $k$). We next describe a possible scenario for the interactions between the seller and the buyers for the purpose of clearing the market.

4.2.3 All-or-None Framework: In this framework, the bidders make their offers as price-quantity pair bids, and the seller has either to accept or to reject the whole bunch according to her supply curve. The bidders do not want to reveal their offers before the seller's decision is made. Let $(p_i, q_i)$ be the pair bid of bidder $i$. Let the supply curve of the seller be $q = p + s$. Without knowing the offer, the seller needs to know whether the revenue will be as good as what her supply curve requires. Hence the problem is to compute this predicate without revealing any additional information about the supply curve or about the price-quantity pair bids. The revenue that she will get from this offer is $\sum_i p_i q_i$. The unit price that she expects due to the current demand is $p = \sum_i q_i - s$. Thus she expects a revenue of $\left(\sum_i q_i - s\right)\left(\sum_i q_i\right)$. Thus, our problem is defined now as computing the predicate $\sum_i p_i q_i \ge \left(\sum_i q_i - s\right)\left(\sum_i q_i\right)$ without revealing any $p_i$, $q_i$ or $s$. The following protocol allows the seller to make her decision without revealing her supply curve, and without revealing to her any of the price-quantity pair bids of the buyers. The table below summarizes who knows what after the protocol completes:

[Table: Who knows what; columns: Supplier, buyer]

4.2.4 All-or-None Protocol: Initially, each bidder sends to the seller's proxy a "commitment" to its $q_i$ and to the seller a "commitment" to its $p_i q_i$, without revealing either of them to the seller or to the proxy. The secure summation protocol for additively split data (discussed below) is used to generate $a$ and $b$ such that $a - b = \sum_i q_i - s$. It is also used to generate $c$ and $d$ where $c - d = \sum_i q_i$. These four values should be with four different persons; the value $a$ is with person $A$, and likewise for the others. We compute $(a - b)(c - d) = ac + bd - ad - cb$ as follows:

- $A$ sends $a$ to $C$, who computes $v_c = a \cdot c$.
- $B$ sends $b$ to $D$, who computes $v_d = R_d + b \cdot d$, where $R_d$ is a random number chosen by $D$.
- $C$ sends $c$ to $B$, who computes $v_b = R_b - c \cdot b$, where $R_b$ is a random number chosen by $B$.
- $D$ sends $d$ to $A$, who computes $v_a = -d \cdot a$.

$B$ sends $v_b$ to $A$, who adds it to his $v_a$. Meanwhile $D$ sends $v_d$ to $C$, who adds it to his $v_c$. Then $D$ sends his new $v_d$ to $A$, who adds it to his current $v_a$. Thus $A$ now has the value of $v_a = \left(\sum_i q_i - s\right)\left(\sum_i q_i\right) + R_b + R_d$.

Similarly, the summation protocol for additively split data is run to find $\sum_i p_i q_i$, and $A$ receives $w_a$ and $D$ receives $w_d$, such that $w_a - w_d = \sum_i p_i q_i$. $D$ sends $R_d - w_d$ to $A$, who adds it to his $w_a$. Now $A$ has the value of $w_a = \sum_i p_i q_i + R_d$. $A$ computes $w_a - v_a$ and sends it to the seller. The seller runs Yao's millionaire protocol [28] with $B$ to see whether the value in her hand is larger than $R_b$. If so, then she accepts all the offers. Otherwise, she rejects them all. In case she accepts the offers, the bidders reveal their $q_i$'s to the proxy, who will sum them up and send $\sum_i q_i$ to the seller. The bidders also reveal their $p_i q_i$ to the seller. Now the seller can verify that the revealed data are the ones they have committed to and can also check for the verified predicate. In case the seller rejects the whole deal, the bidders do not have to reveal their price-quantity pairs.
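The masked product at the heart of the all-or-none decision, as an added example that is not part of the original paper: a single-process Python simulation in which `split_difference` stands in for the secure summation protocol and a plain comparison stands in for Yao's millionaire protocol. The names `a, b, c, d, r_b, r_d, s` and the sample bids are assumptions; the example also assumes that the last forwarded partial sum is the one holding the `a*c` term, and it compares against `-r_b`, the threshold at which the masks cancel under this reading.

```python
import secrets

def split_difference(value, bits=64):
    """Return (x, y) with x - y == value; stand-in for the secure summation
    protocol, which would produce such a split without anyone seeing `value`."""
    y = secrets.randbits(bits)
    return value + y, y

def masked_expected_revenue(a, b, c, d, r_b, r_d):
    """Holders of a, b, c, d build (a - b)(c - d) + r_b + r_d at party A.
    Each line is one message: the recipient sees one operand plus masked sums."""
    v_c = a * c              # A sends a to C
    v_d = r_d + b * d        # B sends b to D, D blinds with r_d
    v_b = r_b - c * b        # C sends c to B, B blinds with r_b
    v_a = -d * a             # D sends d to A
    v_a += v_b               # B forwards v_b to A
    v_c += v_d               # D forwards v_d to C
    v_a += v_c               # assumed: the updated sum holding a*c goes to A
    return v_a

def all_or_none(bids, s):
    """bids: list of (price, quantity); s: supply-curve constant in q = p + s.
    Returns True when revenue >= (sum q - s) * (sum q)."""
    total_q = sum(q for _, q in bids)
    a, b = split_difference(total_q - s)
    c, d = split_difference(total_q)
    r_b, r_d = secrets.randbits(64), secrets.randbits(64)
    v_a = masked_expected_revenue(a, b, c, d, r_b, r_d)

    w_a, w_d = split_difference(sum(p * q for p, q in bids))
    w_a += r_d - w_d         # D sends r_d - w_d; A now holds revenue + r_d
    to_seller = w_a - v_a    # revenue - expected revenue - r_b
    # Seller and B would run a private comparison here; done in the clear.
    return to_seller >= -r_b

if __name__ == "__main__":
    bids = [(10, 5), (12, 8)]            # constructed (price, quantity) bids
    print(all_or_none(bids, s=3))        # revenue 146 vs expected 130
    print(all_or_none(bids, s=1))        # revenue 146 vs expected 156
```
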

5. Some Building Blocks

We now present details of some building blocks that were used in our protocols, in increasing order of complexity.

5.1. Secure Simultaneous Multi-Party Summation Protocol The purpose of this protocol is to make Q parties, each with a number Å % , cooperate to simultaneously find out Æ $ªÇ Z %/x!« Å % without revealing to each other anything

Æ

other than that answer . In the protocol that follows, when * we say that a person having an item and a person having an item ¾ simultaneously exchange their respective and ¾ , we assume that this exchange happens in a single step – the details of how to achieve such a simultaneous exchange of secrets between two parties are in many textbooks and are omitted (see, e.g., [24] ). This will be typically necessary only in a protocol’s last step (the one that reveals the answer) rather than in the protocol’s intermedi* ate steps (in which it is fine if gives his to and then * right after that gives his own ¾ to ). As a practical matter, and because of the considerable overhead and complexity of the known protocols for the simultaneous exchange of secrets, one could avoid them by settling for the less-thanideal (but perfectly fine for our purpose) exchange of and * ¾ bit by bit: sends a bit of , then sends a bit of ¾ , and they alternate until done – anyone who lies will have to do so before he completely learns the other’s secret, but he could have done that anyway by lying about his own Å% in the first place. We will henceforth just use the notion of simultaneous exchange of secrets without specifying which actual technique is used for achieving it. Essentially the same protocol can be used when the data is additively split and the answer is to come up similarly split (here an is split is in the sense that two parties have random-looking and, respectively, that add up tp ). In preparation, the following is done:

¼ Every party * gets a random number w % . ¼ Every party @ * gives to @ * c r his Å % c w % , then every A A * * @ c r gives to @ his w A % ¯ . Now the odd-numbered parties have the Å c w of every-

body spread amongst them, and the even-numbered parties will have the w of everybody spread amongst them. Now the odd (resp., even) -numbered parties compute $ªÇ $ªÇ! Å c w (resp., R), where ÅN Z %/x« Å§% and wN Z %)x« w% . Finally, the odd (resp., even) simultaneously exchange their quantities to obtain Å . The computation of Å c w (resp., R) is done using a straight forward “tree based” approach whose details are omitted.

Bob has ¿È ¿ . ¿[É , and ¦§ È Ê½ È c ¿È . After running the protocol, Alice ends up * É with a ËÌ and Bob with a Ë such that Ë ^c Ë :Í Q %)x ¦#% . The protocol is nontrivial and we omit its details from here (they can be found in [13]).

5.3. Secure Filtered Maximization Protocol Alice and Bob are sharing a vector ¦ È :½ È c ¿È additively, ½ such that Alice has È whereas Bob has ¿ È . They want to find * SWT=U *Î ¦% _ IM r _E*§_ Q . As usual, neither Alice nor Bob wants to give his vector to the other – in fact the protocol results in the answer itself being additively split * between them: Alice gets a random-looking and Bob a * * * * random-looking such that where Äc . A A * *^Î _ The aim of the protocol is to get SMT"U ¦ *% _Ï*_ Q can be represented also as IW r * * which _À Ð Q IÀ7;¦ % r *l_ Q where Ð * Q Íb is equal SMT"U to r if ÍL X and is equal 7r otherwise. The protocol is ex_g*0_ Q ecuted by repeating the following steps for each r Ñ Ñ È È such that 2 % c % * if to create two vectors Ñ 2 and _ * ¦#% I and 2% c Ñ %Ò7 otherwise. Alice will hold 2 È while Bob will hold È .

Ó 1. Bob generates a random vector È µ | , and com * Ô * 7 µ 7 7^) . a putes the vector È ¾ ¾)0 2. Bob generates a random permutation Õ ÕHH× .

Ó Ó 3. Bob sends © gÕ

such that ÕgÖ

to Alice.

4. Bob generates two random numbers Ø and Ù . He also generates a random split 3 and 3 for I such that IÚg3 c 3 .

ÆÈ ¿ % À 5. Bob creates 7 Ø\7ÂÍ Õ§# 37ÙO , a vector where Í Õ equals r if Õ:H Û × and is X otherwise.

5.2. Minimum Finding Protocol for Already-Split Data

6. Alice creates a vector ½ % X and uses it to run a onesided Blind and Permute protocol [13] with Bob who uses the same Õ in it. TheÜ outcome of this protocol is that Alice gets a vector È GÕ ½ % c Ø0 3 c ÙO . During this protocol neither Alice nor Bob can deduce a private value of the other party.

The second building block is how to find the minimum of a set of data where each datum is additively split between two parties. Here by “ is additively split” we mean that z c and one party has while the other has (and ¶ could be quite large and negative, so that is effectively unknown to either one of the two parties). In [13], Atallah et al proposed a secure protocol to compute the minimum element of a vector ¦ È that is shared ad½ " ½BÉ , ditively between two parties: Alice has ½ È

7. An asymmetric Yao’s millionaire protocol is run between Ü Ü Alice and Bob. In this protocol, Æ Alice Æ uses 7 A asÆ her input, whereas Bob uses if Æ A 7 ÕÝ× or 7 A if Õ Û × . Only Alice knows the result of this protocol. If she figures out that her input to the protocol is larger than Bob’s input, then she sets Ó Ó 2%µ © A 7Ë (case 1), otherwise she sets 2v%µ © 7Ë (case 2), where Ë is a random number selected by Alice.

8. A one-sided Blind and Permute protocol is run beÔ tween Alice and Bob, in which Bob’s input is È . The output of that protocol is that Bob will receive a value Ô Ô Ô Ô of © c Ë in case 1 or © ªc Ë in case 2; where © fÕ . Ñ A He should sets % to his output. The maximum finding protocol for already-split date is Ñ * * run on 2 È and È so that to give to Alice and to Bob, A * * * where c .

A

6. Conclusion and Future Work We gave protocols for some supply-chain interactions. In future work, we will examine the impact of SSCC protocols on the well-known “bullwhip” effect [18].

References

[1] G. Akerlof. The market for lemons: Quality uncertainty and the market mechanism. Quarterly Journal of Economics, 89:448–500, 1970.
[2] Y. Aviv. The effect of collaborative forecasting on supply chain performance. Management Science, 47(10):1–18, 2001.
[3] Y. Aviv. Gaining benefits from joint forecasting and replenishment processes: The case of auto-correlated demand. Manufacturing & Service Operations Management, 4(1):55–74, 2002.
[4] G. P. Cachon and M. Fisher. Supply chain inventory management and the value of shared information. Management Science, 46(8):1032–1050, August 2000.
[5] Y.-C. Chang and V.-J. Lu. Oblivious polynomial evaluation and oblivious neural learning. In Proceedings of ASIACRYPT, Gold Coast, Australia, 2001.
[6] M. A. H. E. V. Deshpande and L. Schwarz. Secure supply chain protocols. Technical report, Center for Education and Research in Information Assurance and Security (CERIAS), 2003.
[7] V. Deshpande and L. Schwarz. Optimal capacity allocation in decentralized supply chains. Technical Report Working paper, Purdue University, Krannert School of Management, Dec 2002.
[8] A. Federgruen. Centralized Planning Models for Multi-Echelon Inventory Systems Under Uncertainty, volume 4 of Handbooks in OR and MS, S. C. Graves et al. (editors), chapter 3. North Holland, 1993.
[9] D. Fudenberg and J. Tirole. Game Theory. MIT Press, Cambridge, MA, 2000.
[10] O. Goldreich. Secure multi-party computation (working draft). Available from http://www.wisdom.weizmann.ac.il/home/oded/public html/foc.html, 1998.
[11] M. Harris and A. Raviv. Allocation mechanisms and the design of auctions. Econometrica, 49(6):1477–1499, 1981.
[12] A. V. Iyer and J. Ye. Assessing the value of information sharing in a promotional retail environment. Manufacturing & Service Operations Management, 2:128–143, Spring 2000.
[13] M. J. A. F. Kerschbaum and W. Du. Secure and private edit distance computation. Technical report, Computer Science Department, Syracuse University, 2002.
[14] P. Klemperer. Auction theory: A guide to the literature. Journal of Economic Reviews, 3:227–260, 1999.
[15] P. R. Milgrom and R. J. Weber. A theory of auctions and competitive bidding. Econometrica, 50(5):1089–1122, 1982.
[16] R. B. Myerson. Optimal auction design. Mathematics of Operations Research, 6(1):58–73, 1981.
[17] M. Naor and B. Pinkas. Oblivious transfer and polynomial evaluation (extended abstract). In Proceedings of the 31th ACM Symposium on Theory of Computing, pages 245–254, Atlanta, GA, USA, May 1-4 1999.
[18] H. L. V. Padmanabhan and S. Whang. Information distortion in a supply chain. Management Science, 43(4):546–558, 1997.
[19] J. G. Riley and W. F. Samuelson. Optimal auctions. The American Economic Review, 71(3):381–392, 1981.
[20] M. Rothschild and J. Stiglitz. Equilibrium in competitive insurance markets: An essay on the economics of imperfect information. Quarterly Journal of Economics, 80:629–649, 1976.
[21] J. M. R. Roundy. Analysis of Multistage Production Systems, volume 4 of Handbooks in OR and MS, S. C. Graves et al. (editors), chapter 2. North Holland, 1993.
[22] R. C. Y. I. R. K. M. R. R. Rubinfeld, and R. N. Wright. Selective private function evaluation with applications to private statistics (extended abstract). In Proceedings of the Twentieth ACM Symposium on Principles of Distributed Computing (PODC), 2001.
[23] T. Sandholm and S. Suri. Market clearability. In International Joint Conference on Artificial Intelligence (IJCAI), Seattle, WA, 2001.
[24] B. Schneier. Applied Cryptography. John Wiley & Sons, 1995.
[25] J. S. Song and P. H. Zipkin. Inventory control with information about supply conditions. Management Science, 42(10):1409–1419, 1996.
[26] A. M. Spence. Market Signaling. Harvard University Press, Cambridge, MA, 1974.
[27] W. Vickrey. Counterspeculation, auctions and competitive sealed tenders. Journal of Finance, 16(1):8–37, 1961.
[28] A. Yao. Protocols for secure computations. In Proceedings of the 23rd Annual IEEE Symposium on Foundations of Computer Science, 1982.
