Data Privacy in Bid-Price Control for Network Revenue Management
DData Privacy in Bid-Price Control for Network Revenue Management
Utku Karaca
Econometric Institute, Erasmus University Rotterdam, 3000 DR, Rotterdam PO Box 1738, The Netherlands
S¸. ˙Ilker Birbil
Econometric Institute, Erasmus University Rotterdam, 3000 DR, Rotterdam PO Box 1738, The Netherlands
Nur¸sen Aydın
Warwick Business School, University of Warwick, Coventry CV4 7AL, United Kingdom
Gizem Mullao˘glu
Department of Industrial Engineering, Ya¸sar University, Bornova, Izmir, Turkey
Abstract:
We study a network revenue management problem where multiple parties agree to share some of thecapacities of the network. This collaboration is performed by constructing a large mathematical programmingmodel available to all parties. The parties then use the solution of this model in their own bid-price controlsystems. In this setting, the major concern for the parties is the privacy of their input data and the optimalsolutions containing their individual decisions. To address this concern, we propose an approach based on solvingan alternative data-private model constructed with input masking via random transformations. Our main resultshows that each party can safely recover only its own optimal decisions after the same data-private model is solvedby all the parties. We also discuss the security of the transformed problem and consider several special cases wherepossible privacy leakage would require attention. Observing that the dense data-private model may take moretime to solve than the sparse original non-private model, we further propose a modeling approach that introducessparsity into the data-private model. Finally, we conduct simulation experiments to support our results.
Keywords : Data privacy; network revenue management; collaboration; resource sharing; bid-price control
1. Introduction.
Forming alliances is an important business strategy for a firm to streamline itscosts and to remain competitive. Alliances can be considered as the collaboration among several parties toconduct various activities such as allocating resources, sharing information and providing complementaryservices. These partnerships can also be observed among competitors, like several firms joining theirprofessional assets to manage a supply chain network (Granot and Soˇsi´c, 2005). Recently, logisticscompanies selling substitutable products have started to collaborate by sharing empty vehicle capacitiesto overcome the problem of excess capacity in freight transportation (Speranza, 2018). Similarly, retailerscombine their distribution centers in a single facility to reduce their inventory and transportation costs(Ding and Kaminsky, 2019). In airline revenue management, the carriers sign an alliance contract, calledcodeshare agreements, to share their flight capacities and provide joint services (Topaloglu, 2012). Thereare three major types of codeshare agreements commonly used in practice: hard block space, soft blockspace and free sell (Ratliff and Weatherford, 2013). In block space agreements, each carrier agrees inadvance on receiving a fixed number of seats from the shared flights. Then, all carriers govern their ownallocated capacities throughout the selling season. In free sale strategy, the operating carrier first informsthe non-operating partners about the availability of the shared flight. Then, the non-operating airlinessell seats according to the capacity limit of the operating airline. Collaborations can also be found inseveral other industries including lodging, telecommunications and maritime transportation (Guo andWu, 2018; Agarwal and Ergun, 2010; Chun et al., 2017; Lai et al., 2019).1 a r X i v : . [ m a t h . O C ] F e b araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM semi-honest or honest-but-curious (Goldreich, 2009). In some cases, the parties can deviate from the protocol infavour of themselves which is studied under malicious models. The challenge in effectively managing acollaboration lies in information sharing and trust. With misleading information or malicious intent, itis quite difficult for a company to maximize its own revenues in the long run, and at the same time,preserve its reputation. However, individual partners may still be unwilling or unable to share completeinformation about their operations. Depending on the industry, this sensitive information may involvedemand forecasts, selling prices and available capacities. Thus, the privacy of this input data and theresulting decisions becomes a major concern.In this paper, we consider a semi-honest capacity sharing setting in network revenue management,where partners control the booking process over a large network of capacities by coordinating theirresources (Boyd, 1998). As an example, consider the management of the network revenue for an airlinealliance, where each partner operates a set of flight legs and markets a set of itineraries. Throughcodeshare agreements set at the beginning of a sale season, partners decide how to share their capacitiesin the alliance network. Several studies point out that although optimizing the centralized model ofthe network maximizes the total alliance revenue, it can be problematic since partners have to sharetheir private data and coordinate their airline reservation systems together with the other partners inthe alliance (Houghtalen et al., 2011; Topaloglu, 2012). Therefore, decomposition and decentralizationapproaches have been studied to minimize information sharing between partners.In general, network problems are quite challenging for analysis and revenue maximization. As aremedy, approximation methods based on problem decomposition are frequently used. A recent generalframework originates from modeling and solving the network problem after a path-based decomposition(Birbil et al., 2014). It turns out that a large number of network revenue management problems, fromstatic to robust capacity control, can be considered within this framework (Talluri and van Ryzin, 2004;Birbil et al., 2009; Aydin and Birbil, 2018). In this decomposition, each origin destination path includesa set of different products that use some of the capacities on the network. For instance, in airline networkrevenue management, the products correspond to the itineraries of various fare-classes that use up aircraftcapacities on the network of flights. Similarly, in freight transportation, the products correspond to thedelivery types with specific prices that consume vehicle capacities on the network of transport routes(Van Riessen et al., 2017).In case of a collaboration among multiple parties, the network problem includes a set of resourceconstraints denoting the shared or the individually managed capacities. The fundamental aim of the araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM bid-price control in the revenue management literature. In fact, Birbil et al. (2014) have observed thatthe best-performing path-based decomposition models also rely on network bid-prices. However, withoutthe necessary but mostly private information about the network, the correct values of bid-prices andthe capacity allocations for the shared resources cannot be computed. This lack of proper informationabout the network raises an important question: How can one compute the correct bid-prices and thecapacity allocations of the shared resources to involved parties that maximize the overall revenue whileguaranteeing that the information shared by the parties remains private? This question constitutesthe main motivation behind our current study. To that end, we propose a general transformation-basedapproach that considers data privacy in a multi-party network revenue management setting. Our proposedapproach can be used in multitude of revenue management applications including freight logistics, airlinetransportation and hotel industry.In our collaborative model, the parties jointly compute the optimal solution using their input, whichthey try to keep private. This setting is known as secure multi-party computation (SMC). When oneclaims that a model is data-private under SMC, the fundamental challenge lies in proving that theproposed model and the associated data-sharing protocol indeed satisfy a formal security definition.However, there is an overarching trade-off between efficiency and security (Goldreich, 2009). In thiswork, we adopt the acceptable security definition as it is mainly used for transformation-based methods(Du and Zhan, 2002). This security definition stems from formally quantifying the leakage due to randomtransformations. For a linear programming problem, this leakage is small and bounded even when thetransformations are quite restricted (Dreier and Kerschbaum, 2011). Using similar steps, we also arguein a separate section that our transformed problem is secure in the same sense.Overall we make the following contributions: (cid:5)
We present a new approach that considers data privacy in bid-price control for network revenuemanagement when multiple parties agree to share some of the network capacities. To the best ofour knowledge, this approach is the first attempt in the literature to alleviate the data privacyconcerns in bid-price control. (cid:5)
Our analysis makes use of several previous privacy studies based on random transformations ofthe problem data. However, our focus on the bid-prices allows us to extend these studies with newresults about the privacy of dual solutions. These results play the key role for the data-privatebid-price control approach that we propose here for network revenue management. (cid:5)
We discuss the security of our mathematical model through leakage quantification, where we applya special set of random matrices for transforming the simple inequalities. This set of matrices isfar larger than the set of permutation matrices commonly used in other studies. Thus, we obtainfor our model a better security with our transformation than those in the literature. araca, Birbil, Aydın, Sa˘gol:
Data Privacy in NRM (cid:5) After the random transformations, the resulting problem may take a long time to solve due tothe loss of the sparsity structure of the original problem. To overcome this issue, we propose anew mathematical model that leads to a particular transformation which is likely to result in asparse transformed problem. (cid:5)
We support our results with a simulation study on a set of revenue management problems wherethe network structure is taken from an actual firm and adapted to an alliance network. (cid:5)
The steps that we follow in this study can be extended to other resource sharing applications,where linear programming is one of the fundamental tools and data privacy a major concern.The rest of the paper features the following structure: In the next section, the relevant literatureis reviewed. The proposed data-private mathematical model for network revenue management alongwith the main results of the paper are introduced in Section 3. Section 4 presents the results of ourcomputational study that we have conducted on a real-world network structure. Finally, we discuss themanagerial insights provided by this work, conclude the paper and provide several directions for futureresearch in Section 5.
2. Review of Related Literature.
Collaboration via forming alliances is very popular in manyindustries. Therefore, the efficient capacity allocation among the involved parties has long constitutedan intriguing research topic. One of the first studies in this area was proposed by Boyd (1998). Heconsidered the capacity control problem for an airline alliance and formulated a mathematical model toallocate capacities on shared flight legs among participants. He also discussed that, although centralizedmanagement of alliances is significantly important to maximize revenue, it requires system coordinationand information exchange which may not be possible due to organizational regulations. Since the capacitycontrol problem in an alliance takes place in the context of the network of services, it is generallyformulated as a network revenue management problem. A deterministic linear program is widely used toconstruct capacity control policies such as bid-prices and booking limits for network revenue managementproblems (Talluri and van Ryzin, 2004). Various authors have argued that capacity control approachesbased on bid-prices consistently perform better than capacity allotment (Talluri and van Ryzin, 1998).Vinod (2005) has addressed the importance of bid-prices while coordinating the booking policies inairline alliances. He has argued that, in order to maximize the total alliance revenue, the allocatedbooking limits should be updated during the planning horizon according to the bid-prices of the carriers.Graf and Kimms (2011) have presented an option-based approach to find the booking limits for theparticipants. They have considered a two-airline partnership and assumed that each partner can reserveseats in a shared flight by using real-options. Topaloglu (2012) has formulated a centralized codeshareproblem as a deterministic model. He has proposed a decomposition approach to find booking limits foreach alliance partner as well as bid-prices for shared flights. Belobaba and Jain (2013) have discussedthe application of several bid-price strategies in alliances and pointed out the challenges of informationsharing among partners.Many existing studies on airline alliances have mainly focused on revenue sharing mechanisms among araca, Birbil, Aydın, Sa˘gol:
Data Privacy in NRM araca, Birbil, Aydın, Sa˘gol:
Data Privacy in NRM araca, Birbil, Aydın, Sa˘gol:
Data Privacy in NRM
7a trade-off between the level of privacy and the optimality of the problem. Considering the tight profitmargins in revenue management applications, the deviation from the optimal solutions is less desirablefor the practitioners.
3. Private Bid-price Control.
Consider a network revenue management problem where multi-ple parties collaborate to share several capacities of the network for their own resource allocation (orreservation) systems based on bid-price control. Some of these shared capacities may be owned by theparticipating parties or procured from third-party providers. In addition to the shared capacities, eachparty controls its own private capacities. Parties set a partnership agreement at the beginning of theplanning horizon. Therefore, a partner does not have any access to the private data of any other partner.Depending on the industry, this private data may be revenues, available resources, operation routes anddemand information. Being a part of the collaboration extends the resource portfolio and reinforces themarket position for each party.Like most studies in the literature, we also assume that the parties in an alliance cooperate truthfully(Krajewska and Kopfer, 2006; Topaloglu, 2012). This implies that the involved parties do not alter theirdata to get a better position in the collaboration. This assumption is naturally satisfied for severalimportant reasons: If one of the parties strategically manipulate the collaboration and secure most ofthe shared capacities, then there can be legal consequences or simply loss-of-goodwill for their business.Moreover, as these bid-prices do not result from the correct network information, they are of no use forcontrolling the shared capacities. It is also important to note that in network revenue management, thebid prices are frequently updated as the capacities deplete over time. Such a strategic move from one ofthe parties can also cause other parties to opt out of the partnership in the next update round. Evenworse, the other parties may start altering their data, which also eventually leads to the total collapseof the collaboration. As a final example, consider a holding company that owns all the parties in thecollaboration. Due to legal regulations, it may be impossible to share data among the involved partieswithout transformation. In such a setting, there is no incentive for any participant to manipulate thecollaboration at the expense of the others.
We start with an illustration of the proposed capacity sharingsetting. Figure 1 shows a simple network structure for two parties. Each link between a pair of nodescorresponds to a shared or private capacity on the network. The first party operates the capacities (1-3) and (3-4), whereas the second party operates the capacities (2-3) and (2-4). The second party alsouses the capacity (3-4) shared by the first party. A sequence of links constitutes a path ( e.g. routeor itinerary). The set of paths listed in Figure 1 shows a number of origin-destination combinations.Moreover, on each path there could be multiple products with different revenues. An example couldbe the set of different transshipment prices on a route that involves several stops with different truckcapacities on a transportation network. Birbil et al. (2014) have also explored this network structure andproposed a framework based on path decomposition. They treat each path as a single resource problemfor a fixed capacity and solve an optimization problem over all possible allocations of the capacities. After araca, Birbil, Aydın, Sa˘gol:
Data Privacy in NRM → → → → K and the set of paths controlled by party k ∈ K is denoted by S k . Let J be the set of m capacities shared by at least two parties. Likewise, let J k be the set of m k private capacities for party k ∈ K . We define x s to denote the allocated capacity to path s . We further define a js = , if path s uses one unit from capacity j ;0 , otherwise . If we denote the whole collection of paths as S , then the generic model becomesmaximize (cid:88) s ∈S φ s ( x s ) , subject to (cid:88) s ∈S a js x s ≤ c j , j ∈ J , (cid:88) s ∈S k a js x s ≤ c j , j ∈ J k , k ∈ K ,x s ≥ , s ∈ S , where c j are the capacity parameters. The first set of constraints ensures that the capacity allocationdecision for paths do not violate the shared capacities. The second set of constraints guarantees thatthe capacity allocation decisions to paths for party k ∈ K do not exceed the private capacity limitsfor that party. The function φ s ( x s ) for a given x s is itself an optimization problem that yields theallocation decision of x s capacities to different classes with the objective of maximizing revenue. Forinstance, φ s ( x s ) may correspond to a stochastic dynamic programming or a deterministic programmingmodel constructed for capacity allocation problem for each path s . We do not require any specific model(dynamic or deterministic) to formulate the objective function. We consider a conventional model, where araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM x s (cid:55)→ φ s ( x s ), s ∈ S are discreteconcave functions. Birbil et al. (2014) have discussed that many well-known single dimension capacitycontrol models proposed in the revenue management literature satisfy this assumption. Any of thesemodels can be used to construct the objective function. We refer to Birbil et al. (2014) for an elaboratediscussion on different dynamic and static network revenue management problems that can be consideredwithin this generic structure.As the objective function is concave and separable, we can replace it by a piece-wise linear concavefunction and reformulate the problem as a linear program. Dantzig (1956) has proposed an approachwhich represents the concave objective function as an indefinite integral and approximates it by a sumover fixed intervals. Suppose for each s ∈ S that φ s ( x s ) consists of B s breakpoints (intervals with alength of one) that subdivides the range of x s . These breakpoints collectively form the set B s for s ∈ S .We introduce the auxiliary variables x bs for b ∈ B s , and set x s = (cid:88) b ∈B s x bs . Since the length of each interval is one, we have x bs ≤ , s ∈ S , b ∈ B s . If we denote the partial revenuesby r bs , then the new model becomesmaximize (cid:88) s ∈S (cid:88) b ∈B s r bs x bs , subject to (cid:88) s ∈S (cid:88) b ∈B s a js x bs ≤ c j , j ∈ J , (cid:88) s ∈S k (cid:88) b ∈B s a js x bs ≤ c j , j ∈ J k , k ∈ K , ≤ x bs ≤ , s ∈ S , b ∈ B s . Due to the concavity of the objective function, we have r s ≥ r s ≥ r B s s for s ∈ S . We refer to Dantzig(1956) for the details of this modelling approach. This structure allows us to partition for k ∈ K , thedecision variables and the objective function parameters as x k = [ x bs : s ∈ S k , b ∈ B s ] (cid:124) and r k = [ r bs : s ∈ S k , b ∈ B s ] (cid:124) , respectively. Again for k ∈ K , we next define the m × n k matrix A k with n k = (cid:80) s ∈S k B s and the m k × n k matrix B k as A k = a js a js · · · a js (cid:124) (cid:123)(cid:122) (cid:125) B s times j ∈J ,s ∈S k and B k = b js b js · · · b js (cid:124) (cid:123)(cid:122) (cid:125) B s times j ∈J k ,s ∈S k , (1)respectively. Here b js = 1, if path s uses one unit from capacity j ; otherwise, b js = 0. The last step is to araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM c = [ c j : j ∈ J ] (cid:124) and c k = [ c j : j ∈ J k ] (cid:124) for all k ∈ K , respectively.We are now ready to give our main capacity sharing model with the path-based formulation: Z = maximize (cid:88) k ∈K r (cid:124) k x k , (2)subject to (cid:88) k ∈K A k x k ≤ c , ( α ) (3) B k x k ≤ c k , k ∈ K , ( α k ) (4) ≤ x k ≤ , k ∈ K . (5)where and stand for the vector of ones and the vector of zeros, respectively. To summarize, thecolumns designated by subscript k ∈ K show all products owned by party k and the vector r k ∈ R n k denotes the corresponding expected revenues for the same party. The m × n k incidence matrix A k showswhether a product of party k uses the shared capacities. Likewise, the m k × n k matrix B k consistsof columns incident to the private capacities. The vectors α ∈ R m and α k ∈ R m k , k ∈ K given inparentheses are the dual variables (bid-prices) associated with the common and the individual capacityconstraints, respectively. After solving this problem, each party obtains its own optimal allocationsand bid-prices. They also receive the optimal common bid-price vector corresponding to the sharedcapacities. These bid-prices can be used by the parties to implement their booking policies. That is,each party accepts the product request, if the revenue obtained from this product exceeds the sum of thebid-prices corresponding to those resources used by the requested product. In our subsequent discussion,the optimal values of capacity allocations and bid-prices for each party and the optimal bid-price vectorfor shared capacities are denoted by x ∗ k , α ∗ k and α ∗ . One may question why multiple parties would prefersolving the network problem collectively. Instead, the shared capacity, c may be partitioned amongthe parties before obtaining the bid-prices. This is also known as hard block space codeshare agreement(Ratliff and Weatherford, 2013). That is, each party k ∈ K receives its share of the capacity denoted by s k such that c = (cid:80) k ∈K s k . Then, the same party k can solve the following problem: Z k = maximize r (cid:124) k x k , (6)subject to A k x k ≤ s k , (7) B k x k ≤ c k , (8) ≤ x k ≤ . (9) araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM (cid:80) k ∈K Z k ≤ Z . This result simply follows from the fact that the collection of feasiblesolutions to each (6)-(9) is also a feasible solution to (2)–(5). Third, the bid-prices obtained from theindividual models depend on the partitioning of the common capacity and lack information about theentire network. Overall, it is more beneficial for all parties to collaborate and solve the collective model(2)–(5). Even though they may have agreed to collaborate, themajor concern for the parties is the privacy of the input data and their sensitive decisions when solvingthe joint problem (2)-(5). The input data consists of the revenue vectors, the product matrices andthe capacity vectors. Clearly, each party would try not to reveal its own revenue vector. The productsdata, on the other hand, show the paths for the parties. For instance, the transportation companiesin the logistics industry do not share their routes with other parties. In other industries, like in airlinetransportation, the paths may be publicly available. However, each party may still hide the numberof available capacities reserved for a path. Therefore, as expressions in (1) show, failing to hide theproduct matrices would then simply reveal the allocated capacities to a path. In our problem setup, theparties keep their revenue and capacity vectors as well as their product matrices private. Although theparties sign up for sharing some capacities on the network, they do not share any information about theirindividual capacities. Thus, only the shared resource capacities are not private for the involved parties.Aside from the privacy of their input data, the parties may also prefer to disguise their optimal decisionsregarding the allocations and, more importantly, their bid-prices corresponding to their private capacitiesdesignated by the set of constraints (4). In the subsequent part of this section, we present the steps forthe parties to randomly transform their private input and output data. Then, with this transformed data,the overall private model is constructed and made available to all parties. We conclude this section withour key result, which shows that parties can still recover their optimal allocations and bid-prices afterthe proposed private model is solved by each party. In our following discussion, we use the term maskedproblem to refer to the resulting problem after applying random transformations to the input data.First, we start with concealing the private output; that is, the individual optimal allotments ( x ∗ k ) andthe individual bid-prices ( α ∗ k ). To this end, we first ask each party k ∈ K to generate its own privatepair of random vectors, η k ∈ R n k and ξ k ∈ R m k to transform the primal and dual solutions. Then, weuse the auxiliary variables z k and v k for k ∈ K to construct the following mathematical model: araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM (cid:88) k ∈K ( r k + B (cid:124) k ξ k ) (cid:124) z k + (cid:88) k ∈K ξ (cid:124) k v k (10)subject to (cid:88) k ∈K A k z k ≤ c + (cid:88) k ∈K A k η k , ( β ) (11) B k z k + v k = c k + B k η k , k ∈ K , ( β k ) (12) z k ≤ + η k , k ∈ K , (13) z k ≥ η k , k ∈ K , (14) v k ≥ , k ∈ K , (15)where the vectors in parentheses are again the dual vectors associated with the corresponding constraints.The constraints (11) and (12) correspond to the capacity constraints (3) and (4) in path-based formulation(2)–(5), respectively. Note that, we use the transformations z k = x k + η k and v k = c k − B k x k for k ∈ K to obtain the new model. Since x k is increased by η k , the right hand side of constraints (3) and (4) areincreased by (cid:80) k ∈K A k η k and B k η k in constraints (11) and (12), respectively. Given that the auxiliaryvariable v k corresponds to the slack of constraints (3), we can rewrite the constraint (12) as an equality.The new auxiliary variable v k and its cost coefficient ξ k are introduced to make sure that the dualoptimal solution is shifted with a random vector. The following lemma formally shows that the optimalallocations and the bid-prices for each party are indeed perturbed with private random noise vectorsafter solving this problem. Clearly, this observation holds as long as each party k ∈ K does not share itsrandom vectors η k and ξ k with the other parties. Lemma 3.1
If we denote the primal optimal solution of (10) - (15) by ( z ∗ k , v ∗ k ) k ∈K and the dual optimalvariables associated with the capacity constrains by ( β ∗ , β ∗ k ) k ∈K , then we have z ∗ k = x ∗ k + η k , k ∈ K , β ∗ = α ∗ , β ∗ k = α ∗ k + ξ k , k ∈ K . Proof.
We first define ( λ k ) k ∈K as the dual vector corresponding to the upper bound constraints(5). Then, the dual of (2)–(5) becomesminimize c (cid:124) α + (cid:88) k ∈K c (cid:124) k α k + (cid:88) k ∈K (cid:124) λ k (16)subject to A (cid:124) k α + B (cid:124) k α k + λ k ≥ r k , k ∈ K , (17) α , α k , λ k ≥ , k ∈ K . (18)Likewise, we also define ( ν k ) k ∈K and ( θ k ) k ∈K as the dual vectors corresponding to the constraints (13) araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM c + (cid:88) k ∈K A k η k ) (cid:124) β + (cid:88) k ∈K ( c k + B k η k ) (cid:124) β k + (cid:88) k ∈K ( + η k ) (cid:124) ν k − (cid:88) k ∈K η (cid:124) k θ k (19)subject to A (cid:124) k β + B (cid:124) k β k + ν k − θ k = r k + B (cid:124) k ξ k , k ∈ K , (20) β k ≥ ξ k , k ∈ K , (21) β , ν k , θ k ≥ , k ∈ K . (22)Suppose that ( z ∗ k , v ∗ k ) k ∈K and ( β ∗ , β ∗ k , ν ∗ k , θ ∗ k ) k ∈K are the primal and the dual optimal solutions for (10)–(15), respectively. Let z ∗ k = x ∗ k + η k , k ∈ K . (23)We plug this particular vector into (10)-(15) and observe that v k ≥ , k ∈ K . Thus, ( x ∗ k ) k ∈K is a feasiblesolution for (2)–(5). Next we plug β ∗ = α ∗ , β ∗ k = α ∗ k + ξ k , k ∈ K , ν ∗ k = λ ∗ k , k ∈ K , (24)into (19)–(22) and note that θ k ≥ , k ∈ K . This shows that ( α ∗ , α ∗ k , λ ∗ k ) k ∈K is a feasible solution for(16)–(18). Consequently, we have feasible solutions for both the primal problem and the dual problem.When we consider the equalities in (10)-(15) and (19)–(22), we obtain for k ∈ K that v ∗ k = c k + B k η k − B k z ∗ k = c k − B k x ∗ k , θ ∗ k = A (cid:124) k β ∗ + B (cid:124) k β ∗ k + ν ∗ k − r k − B (cid:124) k ξ k = A (cid:124) k α ∗ + B (cid:124) k α ∗ k + λ ∗ k − r k . (25)Recall that the strong duality of linear programming implies (cid:88) k ∈K ( r k + B (cid:124) k ξ k ) (cid:124) z ∗ k + (cid:88) k ∈K ξ (cid:124) k v ∗ k = ( c + (cid:88) k ∈K A k η k ) (cid:124) β ∗ + (cid:88) k ∈K ( c k + B k η k ) (cid:124) β ∗ k + (cid:88) k ∈K ( + η k ) (cid:124) ν ∗ k − (cid:88) k ∈K η (cid:124) k θ ∗ k . Rewriting this equality with (23), (24) and (25) shows that (cid:88) k ∈K r (cid:124) k x ∗ k = c (cid:124) α ∗ + (cid:88) k ∈K c (cid:124) k α ∗ k + (cid:88) k ∈K (cid:124) λ ∗ k . This establishes that ( x k ) k ∈K and ( α ∗ , α ∗ k , λ ∗ k ) k ∈K are the primal and dual optimal solutions for (2)–(5),respectively. The desired equalities in the hypothesis follow from our construction. (cid:3) We note that, in order to solve problem (10)-(15), each party k ∈ K still needs to reveal its pair ofrandom vectors, η k and ξ k so that the objective function and the bound constraints can be constructed.Consequently, the optimal allocations and the bid-prices of each party are no longer private. Thus, ournext step is to conceal the random vectors by using a linear transformation. That is, we set v k = E (cid:124) k w k araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM k ∈ K , where E k is a t k × m k random matrix with t k ≥ m k . Likewise, we can also set z k = D (cid:124) k u k for k ∈ K , where D k is a s k × n k random matrix with s k ≥ n k . This is, in fact, the transformation proposedby Mangasarian (2011). We note that we can simply form matrices D k and E k with real or rationalrandom values. Then, the resulting matrices are almost-surely full rank (Feng and Zhang, 2007). Wethen obtain maximize (cid:88) k ∈K ( r k + B (cid:124) k ξ k ) (cid:124) D (cid:124) k u k + (cid:88) k ∈K ξ (cid:124) k E (cid:124) k w k (26)subject to (cid:88) k ∈K A k D (cid:124) k u k ≤ c + (cid:88) k ∈K A k η k , (27) B k D (cid:124) k u k + E (cid:124) k w k = c k + B k η k , k ∈ K , (28) D (cid:124) k u k ≤ + η k , k ∈ K , (29) D (cid:124) k u k ≥ η k , k ∈ K , (30) E (cid:124) k w k ≥ , k ∈ K . (31)Nonetheless, this transformation is still not enough to conceal the data or the random vectors becausethe parties have to explicitly share the random matrices E k due to constraints (28) and (31). Likewise,the random matrices D k as well as the random vectors η k need to be revealed because of the boundconstraints (29)-(30). In fact, probably for the same reason Mangasarian (2011) deals only with linearprogramming models without bound constraints and mentions that there is “a difficulty associated withpossibly including non-negativity constraints.” Li et al. (2013) include inequality constraints and resolvethis privacy issue by allowing each party to generate a diagonal random matrix for their slack variables.We, on the other hand, propose to sample from the set of M -matrices for which the positive diagonalmatrices constitute a subset. This leads tomaximize (cid:88) k ∈K ( r k + B (cid:124) k ξ k ) (cid:124) D (cid:124) k u k + (cid:88) k ∈K ξ (cid:124) k E (cid:124) k w k (32)subject to (cid:88) k ∈K A k D (cid:124) k u k ≤ c + (cid:88) k ∈K A k η k , (33) F k B k D (cid:124) k u k + F k E (cid:124) k w k = F k ( c k + B k η k ) , k ∈ K , (34) G k D (cid:124) k u k ≤ G k ( + η k ) , k ∈ K , (35) H k D (cid:124) k u k ≥ H k η k , k ∈ K , (36) L k E (cid:124) k w k ≥ , k ∈ K , (37)where the m k × m k matrices F k and L k as well as the n k × n k matrices G k and H k are all M -matrices.In order to conceal the random vector η k and the random matrices D k and E k for k ∈ K , we multiplyconstraints (28)-(31) by M -matrices F k , G k , H k and L k , respectively and obtain constraints (34) - (37). If S is an M-matrix, then Sx ≥ implies x ≥ (Horn and Johnson, 1991). araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM Definition 3.1 (M-matrix (Poole and Boullion, 1974)) An (cid:96) × (cid:96) matrix M that can be expressedin the form M = s I − N , where N = ( n ij ) with n ij ≥ , i, j ∈ , ..., (cid:96) , and s > ρ ( N ) is called an M-matrixwhere ρ ( N ) = max {| λ | : det( λ I − N ) = 0 } . This definition also gives a procedure to obtain a random M -matrix: First sample a random nonnegative N matrix and select a random s > ρ ( N ). Then, s I − N becomes an M -matrix. This simple procedureclearly shows that the set of M -matrices is uncountable and hence it is possible to produce infinitelymany M -matrices. We will make use of this observation, when we discuss the security of our transformedproblem in the next section.To simplify our notation, we further define for k ∈ K the following¯ r k = D k ( r k + B (cid:124) k ξ k ) , ¯ ξ k = E k ξ k , ¯ A k = A k D (cid:124) k , ¯ c = c + (cid:80) k ∈K A k η k ¯ B k = F k B k D (cid:124) k , ¯ F k = F k E (cid:124) k ¯ c k = F k ( c k + B k η k ) , ¯ G k = G k D (cid:124) k ¯ k = G k ( + η k ) ¯ H k = H k D (cid:124) k , ¯ η k = H k η k , ¯ L k = L k E (cid:124) k , (38)and rewrite model (32)-(37) as¯ Z = maximize (cid:88) k ∈K ¯ r (cid:124) k u k + (cid:88) k ∈K ¯ ξ (cid:124) k w k (39)subject to (cid:88) k ∈K ¯ A k u k ≤ ¯ c , ( γ ) (40)¯ B k u k + ¯ F k w k = ¯ c k , k ∈ K , ( γ k ) (41)¯ G k u k ≤ ¯ k , k ∈ K , (42)¯ H k u k ≥ ¯ η k , k ∈ K , (43)¯ L k w k ≥ , k ∈ K , (44)where ( γ , γ k ) k ∈K are the dual variables. The following theorem shows that after the random transfor-mations the primal and dual solutions of the original problem can easily be recovered. The proof of thistheorem is given in Appendix A. Theorem 3.1
Let ( u ∗ k , w ∗ k ) k ∈K and ( γ ∗ , γ ∗ k ) k ∈K be the primal and dual optimal solutions of (39) - (44) .Using again the primal and dual optimal solutions, ( x ∗ k ) k ∈K and ( α ∗ , α ∗ k ) k ∈K of the original problem (2) – (5) , we obtain Z = ¯ Z − (cid:80) k ∈K r (cid:124) k η k − (cid:80) k ∈K ( c k + B k η k ) (cid:124) ξ k , x ∗ k = D (cid:124) k u ∗ k − η k , k ∈ K , α ∗ = γ ∗ , α ∗ k = F (cid:124) k γ ∗ k − ξ k , k ∈ K . araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM Algorithm 1
Data-Private Bid-Price Control for Party ˆ k ∈ K Compile private individual input ξ ˆ k , η ˆ k , D ˆ k , E ˆ k , F ˆ k , G ˆ k , H ˆ k , L ˆ k . Transform individual input using (38) and share¯ r ˆ k , ¯ ξ ˆ k , ¯ A ˆ k , ¯ B ˆ k , ¯ F ˆ k , ¯ c ˆ k , ¯ G ˆ k , ¯ ˆ k , ¯ H ˆ k , ¯ η ˆ k , ¯ L ˆ k , A ˆ k η ˆ k . Store all transformed data(¯ r k , ¯ ξ k , ¯ A k , ¯ B k , ¯ F k , ¯ c k , ¯ G k , ¯ k , ¯ H k , ¯ η k , ¯ L k , A k η k ) k ∈K . Solve (39)-(44) with ¯ c = c + (cid:80) k ∈K A k η k and the stored data. Obtain transformed optimal solution( u ∗ k , w ∗ k , γ ∗ , γ ∗ k ) k ∈K . Recover private individual output using the transformed optimal solution and the private input inStep 1: x ∗ ˆ k = D (cid:124) ˆ k u ∗ ˆ k − η ˆ k , α ∗ = γ ∗ , α ∗ ˆ k = F (cid:124) ˆ k γ ∗ ˆ k − ξ ˆ k . With this main theorem, we conclude that the parties can safely obtain their own solutions, since theset of random matrices designated with subscript k is known only to the individual party k ∈ K . It isimportant to note that the parties can generate their primal solutions by using the random matrices, yetthe dual solutions of the original problem are exactly the same as the transformed problem ( γ ∗ = α ∗ ).Algorithm 1 shows how one party (ˆ k in the algorithm) can apply the data-private bid-price control. InStep 1, the party prepares the input data. This data is transformed in Step 2 and shared with the otherparties. Now, the input for the overall private model is available to everyone (Step 3). Each party thensolves the private problem and obtains the optimal solutions in Step 4. Then, party ˆ k recovers its optimalbid-price vectors in Step 5. As a result, using Lemma 3.1 and Theorem 3.1, we show that the optimalprimal and dual solutions of the original model can be obtained safely from the optimal primal and dualsolutions of the transformed model. Hence, we conclude that the correctness of the original problem ispreserved. We next discuss the security of our data private model (39)-(44). We assume that theparties participating in the protocol are semi-honest . That is, they follow the protocol and submit theirtransformed data, yet they make a note if any data is revealed by the other participants. The parties allhave access to the transformed linear programming model. Moreover, all parties may have an idea aboutthe ranges of the various input values.Although our transformation-based approach provides efficiency, there is a risk of information leakage.Actually, Laud and Pankova (2013) show that it is impossible to achieve an information theoreticalsecurity with the transformation techniques of multiplication, scaling, permutation and shifting; a pointthat is also noted by Dreier and Kerschbaum (2011). Du and Zhan (2002), on the other hand, proposethe acceptable security definition for transformation-based approaches. A protocol satisfies acceptablesecurity, if the adversaries can only consider all possible values of the transformed data in a domain with araca, Birbil, Aydın, Sa˘gol:
Data Privacy in NRM
Leakage Quantification.
The leakage quantification analysis is used to estimate the probability ofan adversary’s ability to guess the correct input data after the transformed data is publicly available.Dreier and Kerschbaum (2011) model their transformation approach as a communication channel and tryto measure the leakage caused by the output. In this seminal work, all the vectors are considered to bepositive and the random transformation matrices belong to the class of positive monomial matrices . Thisclass contains matrices with exactly one positive entry in each row and each column. Moreover, Dreierand Kerschbaum assume that the channel input and output are vectors with integer elements with upperbounds on their values. Clearly, the random matrices and the random vectors in our transformations areobtained from much larger sets than those used by Dreier and Kerschbaum. In our case, even thoughthe input matrices are binary, there are no upper bounds or integrality requirements on the elements ofthe vectors or the random (not necessarily square) matrices that we use for transformations. Recall thatthe matrices in (38) are either fully random without any restrictions or they are randomly generated M -matrices. It is clear that the set of positive monomial matrices is a subset of fully random matricesas well as M -matrices. In fact, as Definition 3.1 and the paragraph following the definition show, thereare uncountably many M -matrices. A similar argument is also valid for our vectors, since they are alsofully random. Hence, we can also argue that the leakage with our transformations is small and bounded. Ensuring Data Privacy for Special Cases.
Recall that the matrices A k and B k constitute thepaths for each firm k ∈ K . In certain applications, the firms may be required to make these productspublicly available, or with a little effort, for example by web scraping, these products can be gathered.For instance, in airline revenue management, these products correspond to different fare-class itinerarieswhich can be easily compiled by everyone through various reservation systems.The privacy of the proposed model (39)-(44) partly depends on hiding the random matrices D k and E k . Then, the critical question becomes whether these random matrices could be obtained when thecolumns A k and B k are known. Let us formally pose this problem for A k . Suppose that one has anestimate ˆ A k matrix for some k ∈ K , which shares exactly the same columns with A k but most likely ina different order. Then, we have the following linear system¯ A k = A k D (cid:124) k = ˆ A k P k D (cid:124) k , araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM P k is an n k × n k permutation matrix. Note that in this equation both P k and D k are unknown.Even if P k is an identity matrix, that is ˆ A k = A k , then there are still infinitely many solutions for eachcolumn of D k , since we can safely assume for many applications that m < n k . However, it would beadvisable for each firm k ∈ K to permute the columns of A k before transforming with D k . This wouldcertainly add one more layer of protection for privacy. In fact, for some extreme cases, this could as wellbe the only layer of protection. Consider for instance a charter airline that only operates single fare-class,single-leg itineraries consisting of all the shared capacities. This implies that A k is simply the identitymatrix. Thus, failure to use a permutation matrix P k would reveal D k immediately.On a similar note, one should also be cautious about the matrices G k and F k . Consider for instancethe case where G k and F k are known along with n k = s k and t k = m k for some k ∈ K . Since G k is an M -matrix, using (38) yields ( G − k ¯ G k ) (cid:124) = ( G − k G k D (cid:124) k ) (cid:124) = D k . As D k has full rank, we then obtain the following:¯ A k D − (cid:124) k = A k , ¯ H k D − (cid:124) k = H k , ¯ η k H − k = η k . Likewise, the remaining private information of firm k is also revealed by F − k ¯ B k D − (cid:124) k = B k , ( F − k ¯ F k ) (cid:124) = E k , E − k ¯ ξ k = ξ k , D − k ¯ r k − D − k B (cid:124) k ξ k = r k , F − k ¯ r k − F − k B (cid:124) k η k = c k . We note that even when s k > n k and t k > m k , one can still have quite a good estimate concerning theprivate information, as the projection matrices ( D (cid:124) k D k ) − and ( E (cid:124) k E k ) − can be used above instead of D − k and E − k , respectively.Finally, the smaller the size of the problem, the harder it may become to ensure data privacy. Takefor example the extreme case of n k = s k = 1 for some k ∈ K . Then, G k can be derived as¯ k − ¯ G k ¯ H − k ¯ η k = G k + G k η k − ¯ G k ¯ H − k ¯ η k = G k . Similar derivation can be given to disclose F k when m k = 1 and c k is known . Overall, our recommenda-tion is to solve the proposed model (39)-(44) for sizes certainly larger than two. When the actual problemis small, the involved parties may consider adding artificial products and redundant constraints to ensureprivacy. When we consider the structure of the proposed data-private model (39)-(44), weobserve that the matrices in the original model lose their sparse structure after the reformulation. Takefor instance the matrix A k and its transformed counterpart ¯ A k . An incidence matrix A k is sparse When party k has only one capacity ( m k = 1), it could be simple to obtain c k . araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM A k is quite dense. This loss of sparsity structure in the overall problem should be expected tocause an increase in the computation time. Indeed, we have observed that whenever the matrices ¯ A k and¯ B k are obtained by straightforward randomization, then the solution time of the data-private model isconsiderably longer than the time to solve the original problem (see Section 4 for our actual computationtimes). Figures 2(a) and 2(b) show the sparsity structure before and after direct random transformation,respectively. (a) Original A k and B k matrix (b) Dense ¯A k and ¯B k matrix (c) Sparse ¯A k and ¯B k matrix Figure 2: The sparsity structure of matrices for an example problem from our computational study. Thevalues in each cell of the matrix is between zero (dark blue) and one (bright white). The darker the cell,the closer the value to zero.In order to circumvent this loss of sparsity, we try to randomize the matrices in a structured manner sothat we can obtain transformed matrices that are as sparse as possible. To this end, we aim at filling inthe nonzero entries of the random matrix D k in such a way that the multiplication of its components withthe components of A k and B k yields as many zeros as possible. This observation leads to the followingmathematical programming model:minimize (cid:124) m ( A k U ) s k + (cid:124) m k ( B k U ) s k + (cid:124) n k U1 s k (45)subject to U1 s k ≥ s k n k , (46) n k U ≥ s k s k , (47) U is a binary matrix , (48)where the subscript • in • shows the dimension of the vector of ones. The first two terms in (45) areadded to obtain as many zeros as possible after multiplying A k and B k with the binary matrix U . Thelast term of (45) makes sure that the solution is filled with zeros instead of ones as long as the first twoterms are not affected. The constraints (46)-(47) guarantee that we have s k many ones in each columnand row of U . This is a network flow problem satisfying the total unimodularity property. Therefore, itcan be solved very efficiently by a standard network simplex algorithm. Moreover, the resulting optimalspanning tree solution U ∗ has full rank (Wright, 2000). Then, the last step is to randomize this binarymatrix to obtain the desired matrix. Formally, D (cid:124) k = U ∗ (cid:12) R , where (cid:12) stands for the Hadamard product araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM R is an n k × s k random matrix. When contrasted against Figure 2(b), Figure 2(c) shows howobtaining the matrix D k by solving (45)-(48) changes the sparsity structure of the data-private model.At this point, we should emphasize that the random matrices obtained after solving the mathematicalprogramming model (45)-(48) may not be secure in the sense of Section 3.3. Thus, the gain frommaintaining sparsity may come at the cost of a security breach. This happens because we do not have acontrol on the optimal solution of the model, and hence, it is not easy to quantify the potential leakage(see also Hong et al. (2018) for a similar discussion).
4. Computational Study.
We devote this section to our computational study for discussing differ-ent aspects of our proposed data-private model. In particular, we explore the impact of capacity sharingand evaluate the computational performance of the data-private model. We next explain our simulationsetup in detail and then present our numerical results. Our computational study uses the network struc-ture from a major airline. However, we emphasize that the proposed privacy approach can be applied tomany other industries, where multiple parties collaborate to maximize their revenues.
We design our experiments by using an airline network structure obtained from anactual airline. These data include flight legs with corresponding capacities, flight itineraries and origin-destination (OD) paths. We simulate the arrival of reservation requests over a planning horizon of length T . We assume that the booking requests for OD path s ∈ S arrive according to a homogeneous Poissonprocess with rate λ s . Given that a booking request arrives for OD-path s at time period t , it is forproduct i with probability p is ( t ). The way we generate these arrival probabilities is quite similar to theone given by Birbil et al. (2014).The simulation process is defined as follows. We first generate the arrival times of booking requestsfor all OD-paths over the planning horizon T . By using the arrival probabilities for products in each ODpath, we find the product of the requests and apply the corresponding booking policies. To change thetightness of the flight capacities, we use a load factor parameter ( ρ ). The average arrival rate, µ j forflight j ∈ J depends on the value of the load factor. This relation can be expressed as µ j = ρ c j T N j , where N j is the number of OD-paths using flight leg j . Then, the arrival rate λ s for OD-path s is generated asfollows λ s = (cid:80) j ∈ Js µ j J s , where J s is the number of flight legs used by OD-path s .Our experimental design is based on various factors. These are the number of alliance partners ( K ),the number of OD-paths ( N ) and the load factor ( ρ ). In simulation experiments, we design three alliancepartnerships with different numbers of partners K ∈ { , , } . We assume that all alliance partners havea similar market share in terms of number of OD-paths in the alliance network. We test three networkswith sizes N ∈ { , , } . We extract these networks from the overall network data, which include119, 215 and 368 flight legs and 869, 1,762 and 3,567 products, respectively. We note that the originalnetwork data belongs to a singe airline and hence, it does not include any alliance information. In orderto construct an alliance network, we randomly allocate OD-paths in each network to obtain artificiallygenerated airline partners. Since we randomly divide OD paths among the fictitious alliance partners, araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM ρ ∈ { . , . } corresponding to medium and high loads, respectively. The computational resultsare reported over 100 simulation runs. We take the reservation period length as T = 1 , Number of Parties Network Size ( N )( K )
100 200 4002
16 42 109
18 43 124
In this section, we conduct simulation experiments to evaluate the effects of collabo-rative capacity sharing and provide a sensitivity analysis with respect to various parameters. Formally,we compare the following three strategies:i.
Collaborative Capacity Planning (CP) : This strategy assumes that alliance partners actcollaboratively and the booking decisions for shared capacities are controlled through an inte-grated planning system. Topaloglu (2012) describes this system as “centralized planning” wherethe booking decisions are made by considering the overall alliance benefit. CP solves the model(2)-(5) to compute the optimal values of the dual variables ( α ∈ R m and α k ∈ R m k , k ∈ K ) asso-ciated with the capacity constraints. When a request for a product arrives, the summation of theoptimal dual variables corresponding to the used flight legs becomes the bid-price for accepting orrejecting the request. That is, assuming a product request using path s arrives for party k , we ac-cept this request if the fare of the product is greater than or equal to (cid:80) j ∈J a js α j + (cid:80) j ∈J k b js α jk .To consider the effects of reoptimization, we divide the planning horizon into five equal segmentsand resolve the model (2)-(5) at the beginning of each segment with the updated capacities. SinceCP coordinates the booking decisions for the whole alliance, this strategy requires access to allflight information of the partners (the capacities on all flight legs and the expected demands forall products) which is quite unlikely to occur in practice (Topaloglu, 2012).ii. Coordinated Capacity Sharing (CCS) : In this strategy, the parties come together and solvethe data-private model (39)-(44) by transforming their private information to obtain the optimalvalues of the transformed dual variables and the capacity allocations (see Algorithm 1). Afterpartners receive the transformed solution, each of them converts the transformed values to theoriginal ones as shown in Theorem 3.1. During the booking horizon, each partner makes its ownbooking control decisions by using the optimal dual variables and the allocated leg capacities.Letting, ( α ∗ , α ∗ k ) k ∈K be the recovered dual variables obtained by the dual optimal solution ofmodel (39)-(44), we accept the arriving path s request if the fare of the product is greater thanor equal to (cid:80) j ∈J a js α ∗ j + (cid:80) j ∈J k b js α ∗ jk and there is enough allocated leg capacity for the flightscovered by path s . Similar to CP, we divide the booking horizon into five segments and resolve araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM
Individual Control (IC) : This strategy solves problem (6)-(9) for each partner. For sharedflight-legs, partner-based capacity allocations are calculated with respect to the expected de-mands. In particular, letting d jk be the demand for partner k in shared flight leg j , the allocatedcapacity for partner k is calculated as d jk (cid:80) k ∈ Kj d jk c j , where K j is the set of partners using leg j . In this strategy, each partner makes its own booking control decisions by using the optimalbid-prices associated with capacity constraints in problem (6)-(9). Similar to previous strategies,we divide the planning horizon into five segments and revise the bid-prices at the beginning ofeach segment. IC strategy requires alliance partners to share their demand information in orderto allocate the capacities of the shared flights.Recall that the objective function value in path-based formulation can also be obtained by solvingdifferent single-capacity, static and dynamic programming models. Our approach here is applicable inall those cases. In our numerical experiments, we assume that the three strategies listed above use adeterministic linear programming (DLP) model to compute the booking control policies. The reasonbehind this choice is two-fold: First, DLP models are frequently used in the literature. Second, Birbilet al. (2014) discuss that bid-price control with a DLP model is a competitive strategy when comparedagainst other static and dynamic network models.Figure 3 shows our simulation results for three alliance networks with two, four and six partners,respectively. In these figures, we present the relative differences with respect to the CP strategy, since italways performs better than the other two strategies. CP oversees the whole alliance network and makesaccept-reject decisions for arriving reservation requests for all partners. On the other hand, airlines indi-vidually make their booking control decisions in strategies CCS and IC without sharing any informationover the planning horizon. In Figure 3, the dashed line passing through 100 corresponds to CP, and barcharts are used to show the relative difference for strategies CCS and IC.When we compare the respective performances, we observe that the average revenues obtained by CCSare very close to those obtained by CP, especially for the networks with 100 and 200 OD-paths. Theaverage performance gaps between CP and CCS are only 0.20%, 0.35% and 0.85% for the problems with100, 200 and 400 OD-paths, respectively. As Figure 3 illustrates, the performance gaps between CP andCCS slightly decrease when the load factor is high. We conjecture that CP and CCS make same bookingdecisions most of the time since both of these strategies solve the same centralized model to obtain theiroptimal booking policies The only difference is that CCS allocates shared flight capacities to partners;hence, each airline is restricted by that limit while making booking control decisions. CP strategy poolsthe capacities of the shared legs and does not consider the individual booking limits. When the arrivalintensity is high, CCS can compensate the revenue loss due to these restrictive booking limits. We havevalidated that the relative differences between the total expected revenues obtained by CCS and CP arestatistically significant at 95% level in 18 test scenarios. For the relative differences between the total araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM r = r = K = K = K =
100 200 400 100 200 400808590951008085909510080859095100
Number of OD−Paths R e l a t i v e R e v enue s ( % ) CCS IC CP
Figure 3: Relative average revenues with respect to CP.In the last step, we evaluate the computational efficiency of the data-private model (39)-(44). Tounderstand the effect of transformation, we report the computation times for the original model (2)-(5)and the data-private model (39)-(44). The data-private model results are first given with straightforwardrandomization, which ends with full matrices. Then, we solve (45)-(48) to obtain sparse matrices. Weevaluate the computation times for all network sizes with four parties. Figure 4 presents the averagecomputation times on a semi-logarithmic plot; that is, the values on the vertical axis are scaled by takingtheir logarithms. The legend shows the original model (CP), the masked model with straightforwardrandomization (CCS - Dense) and the masked model with sparsity inducing transformations (CCS - araca, Birbil, Aydın, Sa˘gol:
Data Privacy in NRM
100 200 4001e−021e−011e+001e+011e+021e+03
Number of OD−Paths R un t i m e ( s e c . ) i n l og − sc a l e CP CCS − Sparse CCS − Dense
Figure 4: Average computation time ( ρ = 1 . , K = 4). araca, Birbil, Aydın, Sa˘gol: Data Privacy in NRM
5. Conclusion.
We have presented a mathematical model which considers data privacy in bid-pricecontrol for network revenue management when multiple parties share some of the capacities of the network.The proposed approach is based on applying matrix transformations to our prior work on path-basedmathematical programming formulations. We have shown that the original primal and dual optimalsolutions can be derived from the proposed data-private mathematical model. We have also discussedthe security of the input data after solving the transformed problem.We have conducted a simulation study on a network structure of an airline. Our results have illustratedthe benefits of the proposed data-private bid price control. We have considered the setting with andwithout an alliance, and shown that, with an alliance the revenues for the parties are significantly higher.Therefore, these results offer an economic motivation for the parties to form an alliance. Nevertheless,the privacy comes at a cost. Unlike the sparse structure of the original problem, the data-private modelhas a dense structure. This loss of sparsity causes a considerable increase in computation times. Toovercome this problem, we have provided an approach based on solving a network flow model. We havedemonstrated how this approach positively affects the computational effort. We have also cautioned thatour approach for maintaining the sparse structure may come at a security leakage cost. An importantpoint that we have left for future study.Even though we have conducted a simulation study on an airline network, our approach is not limited toairline problems. The proposed approach can be used in different network problems, where alliances pro-vide benefits to the collaborators. For instance, in the logistics sector, sharing network capacities amongseveral companies may increase the utilization of the resources. This high utilization, in turn, increasesthe competitive advantage of a participating company in terms of higher profit and less environmentalimpact.There are other interesting research questions about data privacy in network revenue management.We have presented a transformation-based approach for bid-price control. Although we guarantee toobtain the exact optimal solutions for each party, our approach may require an inspection for potentialsecurity breaches especially for small-scale problems. Another approach could be using the concept ofdifferential-privacy, where the main idea is to perturb the output with a carefully adjusted noise. Suchan approach does lead to approximate solutions but the privacy levels can be quantified and controlled.This approach is also on our agenda for future research. araca, Birbil, Aydın, Sa˘gol:
Data Privacy in NRM Appendix A.
We have reserved this appendix for the proof of our main theorem, which we haverepeated here for clarity of presentation.
Theorem 3.1
Let ( u ∗ k , w ∗ k ) k ∈K and ( γ ∗ , γ ∗ k ) k ∈K be the primal and dual optimal solutions of (39) - (44) .Using again the primal and dual optimal solutions, ( x ∗ k ) k ∈K and ( α ∗ , α ∗ k ) k ∈K of the original problem (2) – (5) , we obtain Z = ¯ Z − (cid:80) k ∈K r (cid:124) k η k − (cid:80) k ∈K ( c k + B k η k ) (cid:124) ξ k , x ∗ k = D (cid:124) k u ∗ k − η k , k ∈ K , α ∗ = γ ∗ , α ∗ k = F (cid:124) k γ ∗ k − ξ k , k ∈ K . Proof.
To obtain the linear programming model (39)-(44), we apply for k ∈ K the change ofvariables D (cid:124) k u k = z k and E (cid:124) k w k = v k to the model (10)-(15). Likewise, multiplying both sides of theequality constraints (12) with F k leads for k ∈ K , to the change of variables β k = F (cid:124) k γ k . Note thatboth sides of the constraints (13)-(15) are multiplied by M-matrices, and hence, feasibility is not affected.Using next Lemma 3.1 implies x ∗ k = z ∗ k − η k = D (cid:124) k u ∗ k − η k , k ∈ K , α ∗ = β ∗ = γ ∗ , α ∗ k = β ∗ k − ξ k = F (cid:124) k γ ∗ k − ξ k , k ∈ K . Mangasarian (2011, Proposition 1) has shown that the optimal objective function values of (10)-(15)and (39)-(44) are the same. Recall from the proof of Lemma 3.1 that (10)-(15) is obtained from (2)–(5) by applying for k ∈ K , the transformations z k = x k + η k and β k = α k + ξ k . Using the firsttransformation, the constant term (cid:80) k ∈K r (cid:124) k η k is subtracted from the objective function. Moreover, thesame transformation also alters the right-hand-side of (4) as c k + B k η k , k ∈ K . The second transformationwith this new right-hand-side subtracts additionally the constant term (cid:80) k ∈K ( c k + B k η k ) (cid:124) ξ k from theobjective function. Adding both constant terms establishes the required equality:¯ Z = Z + (cid:88) k ∈K r (cid:124) k η k + (cid:88) k ∈K ( c k + B k η k ) (cid:124) ξ k . This completes the proof. (cid:3) araca, Birbil, Aydın, Sa˘gol:
Data Privacy in NRM References
Agarwal, R. and Ergun, O. (2010). Network design and allocation mechanisms for carrier alliances inliner shipping.
Operations Research , 58(6):1726–1742.Aydin, N. and Birbil, S. I. (2018). Decomposition methods for dynamic room allocation in hotel revenuemanagement.
European Journal of Operational Research , 271(1):179–192.Bednarz, A. (2012).
Methods for Two-Party Privacy-Preserving Linear Programming . PhD thesis, TheUniversity of Adelaide, Adelaide, Australia.Belobaba, P. and Jain, H. (2013). Alliance revenue management in practice: Impacts of bid price sharingand dynamic valuation.
Journal of Revenue and Pricing Management , 12(6):475–488.Birbil, S. I., Frenk, J. B. G., Gromicho, J. A. S., and Zhang, S. (2009). The role of robust optimizationin single-leg airline revenue management.
Management Science , 55(1):148–163.Birbil, S. I., Frenk, J. B. G., Gromicho, J. A. S., and Zhang, S. (2014). A network airline revenuemanagement framework based on decomposition by origins and destinations.
Transportation Science ,48(3):313–333.Boyd, E. A. (1998). Airline alliance revenue management. Technical report, Pros Strategic Solutions,Houston, TX.C¸ etiner, D. (2013).
Fair Revenue Sharing Mechanisms for Strategic Passenger Airline Alliances , volume668. Springer, Berlin.Chun, S. Y., Kleywegt, A. J., and Shapiro, A. (2017). When friends become competitors: The design ofresource exchange alliances.
Management Science , 63(7):2127–2145.Curry, R. E. (1990). Optimal airline seat allocation with fare classes nested by origins and destinations.
Transportation Science , 24(3):193–204.Dantzig, G. B. (1956). Recent advances in linear programming.
Management Science , 2(2):131–144.Ding, S. and Kaminsky, P. M. (2019). Centralized and decentralized warehouse logistics collaboration.
Manufacturing & Service Operations Management . In press.Dreier, J. and Kerschbaum, F. (2011). Practical privacy-preserving multiparty linear programming basedon problem transformation. In , pages 916–924. IEEE.Du, W. (2001).
A Study of Several Specific Secure Two-Party Computation Problems . PhD thesis, PurdueUniversity, West Lafayette, Indiana.Du, W. and Zhan, Z. (2002). A practical approach to solve secure multi-party computation problems. In
Proceedings of the 2002 Workshop on New Security Paradigms , pages 127–135.Dwork, C. (2006). Differential privacy. In
Proc. 33rd Int. Colloquium on Automata, Languages andProgramming (ICALP), Venice, Italy, July 2006 , pages 1–12.Dwork, C., Kenthapadi, K., McSherry, F., Mironov, I., and Naor, M. (2006). Our data, ourselves: Privacyvia distributed noise generation. In
Annual International Conference on the Theory and Applicationsof Cryptographic Techniques , pages 486–503. Springer.Feng, X. and Zhang, Z. (2007). The rank of a random matrix.
Applied Mathematics and Computation ,185(1):689–694.Gansterer, M. and Hartl, R. F. (2018). Collaborative vehicle routing: A survey.
European Journal ofOperational Research , 268(1):1–12.Goldreich, O. (2009).
Foundations of Cryptography: Volume 2, Basic Applications . Cambridge UniversityPress.Graf, M. and Kimms, A. (2011). An option-based revenue management procedure for strategic airlinealliances.
European Journal of Operations Research , 215(2):459–469. araca, Birbil, Aydın, Sa˘gol:
Data Privacy in NRM
ManagementScience , 51(1):92–105.Guo, L. and Wu, X. (2018). Capacity sharing between competitors.
Management Science , 64(8):3554–3573.Han, S., Topcu, U., and Pappas, G. J. (2017). Differentially private distributed constrained optimization.
IEEE Transactions on Automatic Control , 62(1):50–64.Hong, Y. and Vaidya, J. (2014). An inference–proof approach to privacy-preserving horizontally parti-tioned linear programs.
Optimization Letters , 8(1):267–277.Hong, Y., Vaidya, J., Rizzo, N., and Liu, Q. (2018). Privacy-preserving linear programming. In
WorldScientific Reference on Innovation Volume 4: Innovation in Information Security , World ScientificBook Chapters, chapter 4, pages 71–93. World Scientific Publishing Co. Pte. Ltd.Horn, R. A. and Johnson, C. R. (1991).
Topics in Matrix Analysis . Cambridge University Press, Cam-bridge.Houghtalen, L., Ergun, O., and Sokol, J. (2011). Designing mechanisms for the management of carrieralliances,.
Transportation Science , 45(4):465–482.Hu, X., Caldentey, R., and Vulcano, G. (2012). Revenue sharing in airline alliances.
Management Science ,59(5):1177–1195.Huang, Z., Mitra, S., and Vaidya, N. (2015). Differentially private distributed optimization. In
Proceedingsof the 2015 International Conference on Distributed Computing and Networking , page 4. ACM.Kimms, A. and Cetiner, D. (2012). Approximate nucleolus-based revenue sharing in airline alliances.
European Journal of Operations Research , 220(2):510–521.Krajewska, M. A. and Kopfer, H. (2006). Collaborating freight forwarding enterprises.
OR Spectrum ,28(3):301–311.Lai, M., Xue, W., and Hu, Q. (2019). An ascending auction for freight forwarder collaboration in capacitysharing.
Transportation Science , 53(4):1175–1195.Laud, P. and Pankova, A. (2013). On the (im) possibility of privately outsourcing linear programming.In
Proceedings of the 2013 ACM Workshop on Cloud Computing Security , pages 55–64.Li, J. and Atallah, M. J. (2006). Secure and private collaborative linear programming. In
InternationalConference on Collaborative Computing: Networking, Applications and Worksharing , pages 1–8. IEEE.Li, W., Li, H., and Deng, C. (2013). Privacy-preserving horizontally partitioned linear programs withinequality constraints.
Optimization Letters , 7(1):137–144.Mangasarian, O. L. (2011). Privacy-preserving linear programming.
Optimization Letters , 5(1):165–172.Mangasarian, O. L. (2012). Privacy-preserving horizontally partitioned linear programs.
OptimizationLetters , 6(3):431–436.Poole, G. and Boullion, T. (1974). A survey on M-matrices.
SIAM review , 16(4):419–427.Ratliff, R. and Weatherford, L. R. (2013). Codeshare and alliance revenue management best practices:Agifors roundtable review.
Journal of Revenue and Pricing Management , 12(1):26–35.Speranza, M. G. (2018). Trends in transportation and logistics.
European Journal of Operational Research ,264(3):830–836.Talluri, K. and van Ryzin, G. (1998). An analysis of bid-price controls for network revenue management.
Management Science , 44(11-part-1):1577–1593.Talluri, K. T. and van Ryzin, G. J. (2004).
The Theory and Practice of Revenue Management . Springer,New York, NY.Toft, T. (2009). Solving linear programs using multiparty computation. In
International Conference onFinancial Cryptography and Data Security , pages 90–107. Springer.Topaloglu, H. (2012). A duality based approach for network revenue management in airline alliances.
Journal of Revenue Pricing and Management , 11(5):500–517. araca, Birbil, Aydın, Sa˘gol:
Data Privacy in NRM
Proceedings of the 2009 ACM Symposiumon Applied Computing , pages 2002–2007. ACM.Vaidya, J. (2009b). A secure revised simplex algorithm for privacy-preserving linear programming. In , pages 347–354.IEEE.Van Riessen, B., Negenborn, R. R., and Dekker, R. (2017). The cargo fare class mix problem for anintermodal corridor: revenue management in synchromodal container transportation.
Flexible Servicesand Manufacturing Journal , 29:634–658.Verdonck, L., Caris, A., Ramaekers, K., and Janssens, G. K. (2013). Collaborative logistics from theperspective of road transportation companies.
Transport Reviews , 33(6):700–719.Vinod, B. (2005). Practice papers: Alliance revenue management.
Journal of Revenue and PricingManagement , 4(1):66–82.Wang, C., Ren, K., and Wang, J. (2011). Secure and practical outsourcing of linear programming incloud computing. In
INFOCOM, 2011 Proceedings IEEE , pages 820–828. IEEE.Weeraddana, P. C., Athanasiou, G., Fischione, C., and Baras, J. S. (2013). Per-se privacy preservingsolution methods based on optimization. In
Proceedings of the 52nd IEEE Conference on Decision andControl , pages 206–211.Wright, C. P. (2014). Decomposing airline alliances: A bid-price approach to revenue management withincomplete information sharing.
Journal of Revenue and Pricing Management , 13(3):164–182.Wright, C. P., Groenevelt, H., and Shumsky, R. A. (2010). Dynamic revenue management in airlinealliances.
Transportation Science , 44(1):15–37.Wright, P. (2000). On minimum spanning trees and determinants.
Mathematics Magazine , 73(1):21–28.Yao, A. C. (1982). Protocols for secure computations. In , pages 160–164. IEEE.Zheng, J., Gao, Z., Yang, D., and Sun, Z. (2015). Network design and capacity exchange for liner allianceswith fixed and variable container demands.