Two and Three-Party Digital Goods Auctions: Scalable Privacy Analysis
arXiv preprint, cs.IT
Patrick Ah-Fat and Michael Huth
Department of Computing, Imperial College London, London SW7 2AZ, United Kingdom
{patrick.ah-fat14, m.huth}@imperial.ac.uk

Abstract
A digital goods auction is a type of auction where potential buyers bid the maximal price that they are willing to pay for a certain item, which a seller can produce at a negligible cost and in unlimited quantity. To maximise her benefits, the aim for the seller is to find the optimal sales price, which every buyer whose bid is not lower will pay. For fairness and privacy purposes, buyers may be concerned about protecting the confidentiality of their bids. Secure Multi-Party Computation is a domain of Cryptography that would allow the seller to compute the optimal sales price while guaranteeing that the bids remain secret. Paradoxically, as a function of the buyers' bids, the sales price inevitably reveals some private information. Generic frameworks and entropy-based techniques based on Quantitative Information Flow have been developed in order to quantify and restrict those leakages. Due to their combinatorial nature, these techniques do not scale to large input spaces. In this work, we aim at scaling those privacy analyses to large input spaces in the particular case of digital goods auctions. We derive closed-form formulas for the posterior min-entropy of private inputs in two and three-party auctions, which enables us to effectively quantify the information leaks for arbitrarily large input spaces. We also provide supportive experimental evidence that enables us to formulate a conjecture that would allow us to extend our results to any number of parties.
1 Introduction

Secure Multi-Party Computation (SMC) [27, 23] is a paradigm which enables several parties to compute a public function of their own private inputs without ever disclosing those inputs. Secure protocols that allow participants to compute such functions require them to share specific pieces of information through different rounds of communication intertwined with local computations, with the aim of guaranteeing the concealment of private values. Specifically, they ensure that no information flows about the private inputs, apart from that which can be inferred from the intended public output. From that notion of security, it follows that the output of any sensible secure computation will reveal some information about the private inputs. Although cryptographic protocols have been extensively studied and optimised in the past decades in order to improve their speed and efficiency, this leakage is considered inevitable, is commonly referred to as the acceptable leakage in the literature, and has thus been largely ignored so far [17, 20, 13, 8].

We believe however that this is a questionable position, and that it is of interest – and of importance – to raise participants' awareness of this leakage before they decide to engage in an SMC protocol, and to offer them the opportunity to gauge, by themselves, the risk that they would run by entering a computation, rather than imposing this leakage on them. More precisely, we believe that an SMC participant may be concerned by the following questions: is this leakage really acceptable? Is this statement not subjective? Are there objective ways of assessing the acceptability of such leakage, that each person could interpret based on her own expectations? Finally, is this leakage really inevitable? Under which conditions?

Some recent works have aimed at proposing possible answers to those questions.
A framework based on Quantitative Information Flow allows one to quantify this acceptable leakage, where the inputs' privacy is evaluated via general entropy-based measures [1, 2, 3]. These measures give participants an objective way of measuring the risks that taking part in a computation would present. These entropy-based measures are generic and can be parametrised so as to capture individual privacy requirements and expectations. Based on this model, different randomising techniques have been proposed in order to enhance participants' privacy while guaranteeing high utility [2, 6].

The principle behind those methods is to select a notion of entropy and measure the inputs' privacy via the conditional entropy of an input given the knowledge of the public output. Evaluating those entropy measures requires browsing the whole input space and yields a complexity that is linear in the size of the total input domain. Their combinatorial essence thus does not allow those methods to scale to large input spaces. It has been shown that this complexity can be reduced for particular theoretical cases such as three-party affine computations [4, 5], which allows those methods to scale to large input spaces. Being able to apply these methods to real-world problems requires the possibility to adapt them to real-world functions, and to large input spaces.

The aim of this work is to focus on a particular practical application of SMC, namely digital goods auctions, and to scale those privacy analyses to arbitrarily large input spaces. More precisely, we aim at reducing the complexity of those analyses by deriving a closed-form formula for the input's posterior min-entropy in the case of two-party auctions, thus providing a way of assessing the acceptable leakage in two-party auctions for any input size. We then notice that deriving a closed-form formula for this entropy is more involved in the presence of three parties.
However, as the generic empirical methods are able to compute this entropy for small input spaces, we are mostly interested in evaluating this entropy for large input spaces. For three-party auctions, we thus focus on deriving an asymptotic development of this entropy for large input spaces. Finally, we provide supportive experimental evidence that helps us formulate a conjecture on the asymptotic behaviour of this entropy for large input spaces with any number of parties.

This paper is outlined as follows. We discuss related work in Section 2. We introduce relevant background in Section 3. Digital goods auctions are presented in Section 4. Section 5 focuses on two-party auctions while three-party auctions are tackled in Section 6. Our conjecture is supported and formulated in Section 7. We discuss our work in Section 8 and conclude in Section 9.
2 Related Work

In this section, we present some relevant domains of cryptography and discuss their relation to our work.
Secure Multi-party Computation.
Secure Multi-party Computation [28, 27, 23, 21, 9, 12] is a domain of Cryptography that provides advanced protocols which enable several participants to compute a public function of their own private inputs without having to rely on any trusted third party or external authority. Those protocols enable the participants to compute a function in a decentralised manner, while ensuring that no information leaks about the private inputs, other than what can be inferred from the public output. The commonly called "acceptable leakage", which is further studied in this paper, is the information that can be inferred by an attacker about the private inputs given the knowledge of the public output alone.

Secure Multi-Party Computation is not the only domain that is subject to an acceptable leakage. In particular, the results of our work are also applicable to other fields or scenarios that aim at protecting the inputs' privacy and that involve the opening of a public output, such as outsourced computation, where a trusted third party is privately sent all the inputs and returns the public output as the only piece of information, or trusted computing, where the parties input their secret data into hardware security modules, which then ensure that no unintended information will be accessible to the other parties.

We emphasise the fact that our work focuses on the acceptable leakage that may occur in SMC, trusted computing or outsourced computations, and is thus largely orthogonal to the technicalities that SMC protocols may involve.
Differential Privacy.
Differential Privacy (DP) [14, 15] formalises privacy concerns and introduces techniques that provide users of a database with the assurance that their personal details will not have a significant impact on the output of the queries performed on the database. More precisely, it proposes mechanisms which ensure that the outcomes of the queries performed on two databases differing in at most one element will be statistically indistinguishable. Moreover, minimising the distortion of the outcome of the queries while ensuring privacy is an important trade-off that governs DP.

Although DP is particularly suited for quantifying – and enhancing – privacy in statistical computations involving a large number of parties, its usefulness diminishes when a small number of parties are involved in the computation, or when the output of the computation is meant to be highly dependent on every input value. In a vote or in an auction for example, it would not be sensible to evaluate the privacy of inputs by how independent they are of the output. In general multi-party computations, independence between the output and the inputs is not a desirable property, and we thus need a more meaningful way of quantifying the inputs' privacy, which we discuss in the next paragraph.

Quantitative Information Flow.
The purpose of Quantitative Information Flow (QIF) [25, 18] is to provide frameworks and techniques based on information theory and probability theory for measuring the amount of information that leaks from a secret. Different mathematical concepts have emerged in order to convey varied and precise information about a secret: Shannon entropy [24] reflects the minimum number of binary questions required to recover a secret on average, while the min-entropy is an indicator of the probability of guessing a secret in one try [26, 11, 25]. Richer measures such as Rényi entropy [22] and g-entropy [7] have been introduced in order to quantify specific properties of a secret. Generalised entropies have been proposed in order to unify those different concepts [2, 16].

In this work, we will measure the information gained by an attacker by means of min-entropy, which is used extensively in Cryptography in order to quantify the vulnerability of a secret. Although we selected the conditional min-entropy in order to propose a measure of privacy that can be meaningful in SMC, we believe that it would be interesting to extend and compare our approach to other notions of entropy and possibly other methods for quantifying privacy.

3 Background

Let us now present the mathematical model [1, 2] that we will use to study the notion of privacy in SMC. Let $n$ be a positive integer. Let $x_1, \dots, x_n$ be $n$ integers, belonging to $n$ different parties $P_1, \dots, P_n$ respectively. Let us assume that these parties wish to enter the secure computation of an $n$-ary function $f$ and to compute its output $o = f(x_1, \dots, x_n)$.

We are interested in studying the information that opening the output reveals about private inputs. More precisely, let us assume that we wish to study the information that leaks about private input $x_j$. We call it the targeted input, while the other inputs are called the spectators' inputs. To this end, we consider each input $x_i$ as a random variable $X_i$ taking values in a domain $D_i$.
The output is also assigned a random variable $O$ defined as a composition of random variables $O = f(X_1, \dots, X_n)$. Its domain is denoted by $D_O$. Then the privacy of targeted input $X_j$ will be quantified as the conditional min-entropy of $X_j$ given $O$, defined as:

$H(X_j \mid O) = -\log V(X_j \mid O)$

where the conditional vulnerability $V(X_j \mid O)$ is defined as:

$V(X_j \mid O) = \sum_{o \in D_O} p(O = o) \cdot \max_{x_j \in D_j} p(X_j = x_j \mid O = o)$ (1)

For clarity purposes, we will abuse notation and omit the domains in the summations, and omit the random variable name in the probability notations, when they can be obviously inferred from context. This way, the above vulnerability rewrites as $V(X_j \mid O) = \sum_o p(o) \cdot \max_{x_j} p(x_j \mid o)$.

We now formulate an assumption that will hold throughout the paper.

Assumption 1.
Throughout the paper, we assume that the inputs are uniformly distributed over ⟦m⟧, where $m$ is a positive integer and ⟦m⟧ denotes $\{1, \dots, m\}$.

By virtue of Bayes' theorem and Assumption 1, the vulnerability from Equation (1) can be rewritten as:

$V = \sum_o \max_x p(x) \cdot p(o \mid x) = \frac{1}{m} \sum_o \max_x p(o \mid x)$ (2)

We recall that computing all the values of $p(o \mid x)$ costs $O(m^n)$, the max can be computed in $O(m)$ and the sum in $O(m^n)$, which quickly becomes intractable as the input size $m$ grows. We thus seek a closed-form formula for $H(X \mid O)$. In the next section, we present the function $f$ that is considered in this paper. Sections 5 and 6 then focus on simplifying the expression of $V$ for this precise function $f$. More precisely, we derive a closed-form formula for $V$ for two-party auctions. Following the same approach, we notice that deriving an exact formula would be more involved in the three-party case. However, our main objective is to be able to provide analyses that scale to large input spaces, since empirical, combinatorial analyses are already able to compute exact values of $V$ for small input spaces – and fail to do so for large ones. We then decide to focus on deriving the asymptotic behaviour of $V$ for large values of $m$ in three-party auctions.

4 Digital Goods Auctions

Auctions are part of the practical use cases that can benefit from the security properties provided by Secure Multi-Party Computation. In fact, and as an aside, one of the first practical applications of SMC implemented on a large scale was an auction between several Danish farmers and a producer [10]. Indeed, depending on the setting and the rules of the auction, participants may be interested in keeping their bids private in order to protect their economic interests. Resorting to SMC might also enhance fairness between participants and may provide other reassuring guarantees that may be lacking in a traditional auction.
A non-exhaustive list of such guarantees is:

• The confidentiality of the bids protects the participants' economic position from both the auctioneer and the other participants.

• Protocols that are secure under active adversaries may guarantee the participants that the result has not been falsified. In comparison with traditional methods, this prevents the polling authority from being involved in any kind of corruption.

• In some cases, SMC may offer the benefit that bids from different participants are taken into account simultaneously, whereas some traditional auction types may not.

Although SMC provides the participants with a way of entering all their inputs once and simultaneously, and importantly, without revealing their bids, we know that some information will leak about private bids. In this work, we study a particular case of auctions, known as digital goods auctions. This application has also been chosen as a case study in influential papers on Differential Privacy such as McSherry and Talwar's paper on the exponential mechanism [19]. Let us introduce the principle of a digital goods auction, and explain the different pieces of private information that are being manipulated and the public information that is revealed during such auctions.

A digital goods auction involves one seller and $n$ buyers. The seller has an unlimited supply of a certain item or good that she wants to sell. Each buyer will either buy the item, or refuse to buy it. In particular, a buyer will not buy the item several times. Each buyer $P_i$ bids a price $x_i$, which is the maximal price that he is willing to pay to buy the item. If the sales price $p$ of the item is greater than $x_i$, then buyer $P_i$ will not buy the item. If $p$ is not greater than $x_i$, then $P_i$ will pay the price $p$ to get the item, which will turn into benefits for the seller.
We assume that the seller did not pay anything to acquire the items, so that her total benefits – also referred to as budget or profit – will equal $pb$, where $p$ is the sales price of the item and $b = |\{ i \in ⟦n⟧ \mid x_i \ge p \}|$ is the number of buyers who can afford it. The aim of the auction is to determine the optimal sales price of the item that maximises the seller's benefits. As an aside, if the seller's profits can be maximised with different values of $p$, then we define the auction as retaining the lowest value of $p$, as it will satisfy more participants. The computation of the optimal price of the item can be represented as the following function $f$ described in Algorithm 1:

Algorithm 1
Multi-party auction function f
Inputs: $x_1, \dots, x_n \in ⟦m⟧$
Output: auction sales price $p \in \{x_1, \dots, x_n\}$
function f($x_1, \dots, x_n$)
    sort the $x_i$'s in descending order such that $x_1 \ge \dots \ge x_n$
    $k \leftarrow \arg\max_j \, j \cdot x_j$ (choose the largest possible $k$)
    return $x_k$

Choosing the largest possible $k$ means that if the same budget is attainable with different sales prices, we choose the one which enables more participants to buy, e.g. $f(1, \_, \_, 1) = 1$ where the maximal budget

Table 1: Outputs of the two-party auction with maximal input m = 9.

The output $o = f(x_1, \dots, x_n)$ necessarily equals one of the input values $x_i$; we can show that the price is not optimal otherwise.

Naturally, the buyers' bids $x_i$ constitute private pieces of information that the buyers do not wish to reveal: neither the other buyers nor the seller should be able to learn any information about a particular bid $x_i$ before the opening of the final price $p$. In order to guarantee such a level of privacy, the participants can for example enter an SMC protocol, or resort to a Trusted Execution Environment. On the other hand, the sales price $p$ is the information that is intended to be computed and to be made public. As such, it inevitably reveals some information about the private bids, which is commonly referred to as the acceptable leakage in the SMC literature. One may wish to gauge this acceptable leakage, and in particular may wonder whether this leakage is tolerable in a two-party auction.

The aim of the work reported in this paper is to quantify the information that flows about the private bids when the result of the auction – i.e. the sales price – is revealed. More precisely, we aim at deriving a method for quantifying the bids' privacy that is scalable to arbitrarily large input spaces, which previous generic methods were not able to accommodate. Precisely, we now aim at simplifying the expression of $p(o \mid x)$ from Equation (2), where $x$ represents one targeted input, in order to be able to compute it for large values of $m$.

5 Two-Party Auctions

In a two-party auction, the function $f$ can be simplified. It is straightforward to see that the sorting procedure and the argmax function can be written as in the following Algorithm 2.

Algorithm 2
Two-party auction function f
Inputs: $x, y \in ⟦m⟧$
Output: sales price $p \in \{x, y\}$
function f($x, y$)
    if $x > y$ then
        if $x > 2y$ then return $x$ else return $y$
    else /* $x \le y$ */
        if $y > 2x$ then return $y$ else return $x$

In order to illustrate and reason about the results of such a function, let us assume that $m = 9$ and let us plot the function's outputs on the 2-dimensional array in Table 1.

Let us now look at the quantity that we wish to compute. In order to compute $H(X \mid O)$, we will compute $\max_x p(o \mid x)$ for each output $o$. To do so, we argue that for each output $o$, we have $\max_x p(o \mid x) = p(o \mid X = o)$.

Table 2: Enumerating the set S that contains all the input combinations (x, y) that satisfy f(x, y) = x. (a) Coloured cells highlight elements of S: red cells correspond to cases where x > y, blue cells to cases where x ≤ y. (b) Blue cells have been transposed from Table 2(a) in order to surface an obvious expression for the cardinality |S|.

Indeed, for fixed values of $o$ and $x$, we have:

$p(o \mid x) = \sum_{y : f(x,y) = o} p(y) = \sum_{y : f(x,y) = o} \frac{1}{m}$

since the inputs are uniformly distributed. Moreover, if $x \ne o$, then this sum contains at most one summand, which corresponds to the case $y = o$, since the output $o$ must equal one of the inputs. On the contrary, if $x = o$, then the sum contains at least one summand, which corresponds to the case $y = o$, again because the output must equal one of the inputs. For that reason, we have:

$\max_x p(o \mid x) = p(o \mid X = o)$

and thus:

$V = \frac{1}{m} \sum_o p(o \mid X = o) = \frac{1}{m^2} \sum_o |\{ y \mid f(o, y) = o \}|$ (3)

where $|\cdot|$ denotes the cardinality of a set. We can now illustrate in Table 2(a) the result of that sum by highlighting in colour all the cells that satisfy the condition $f(o, y) = o$. We gather all the inputs satisfying this condition in a set that we define as $S = \{ (x, y) \in ⟦m⟧^2 \mid f(x, y) = x \}$.
Red cells correspond to the cases where $x > y$ while blue cells correspond to those where $x \le y$. The aim is thus to compute the number of coloured cells, which equals the desired value of $\sum_o |\{ y \mid f(o, y) = o \}|$. To do this, we present the following geometric interpretation. Let us "transpose" all the cells highlighted in blue. By transposing a cell at location $(i, j)$, we mean discolouring this cell and then colouring its symmetric one at location $(j, i)$. We obtain the array depicted in Table 2(b). We note that no cell ends up coloured twice, and that the coloured cells are exactly those on or below the diagonal. From that we can see that:

$\sum_o |\{ y \mid f(o, y) = o \}| = \sum_{k=1}^{m} k$

Theorem 1.
In a two-party auction, where the inputs are uniformly distributed over ⟦m⟧, we have:

$H(X \mid O) = -\log \frac{m + 1}{2m}$

Proof.
As we argued in Equation (3), we know that:

$V = \frac{1}{m^2} \sum_o |\{ y \mid f(o, y) = o \}|$

It thus suffices to compute the cardinality of the following set $S$:

$S = \{ (x, y) \in ⟦m⟧^2 \mid f(x, y) = x \}$

Let us express $S$ as the disjoint union of the following two subsets:

$S_1 = \{ (x, y) \in ⟦m⟧^2 \mid f(x, y) = x \wedge x > y \}$
$S_2 = \{ (x, y) \in ⟦m⟧^2 \mid f(x, y) = x \wedge x \le y \}$

We note that $S_1$ corresponds to the area highlighted in red in Table 2(a), and $S_2$ corresponds to the blue area. The additional ordering on $x$ and $y$ ensures that $\{S_1, S_2\}$ forms a partition of $S$ and thus $|S| = |S_1| + |S_2|$. We can swap both coordinates of the elements of $S_2$ without altering its cardinality. We thus have $|S_2| = |S_2'|$ where we define $S_2'$ as follows:

$S_2' = \{ (x, y) \in ⟦m⟧^2 \mid f(y, x) = y \wedge y \le x \} = \{ (x, y) \in ⟦m⟧^2 \mid 2y \ge x \wedge y \le x \}$

since, by Algorithm 2, the smaller of two bids is returned exactly when twice that bid is not lower than the larger one. On the other hand, we have:

$S_1 = \{ (x, y) \in ⟦m⟧^2 \mid x > 2y \wedge y \le x \}$

We can see that $S_1$ and $S_2'$ are disjoint and thus $|S_1| + |S_2'| = |S_1 \cup S_2'|$. This union can be rewritten as:

$S_1 \cup S_2' = \{ (x, y) \in ⟦m⟧^2 \mid (x > 2y \vee 2y \ge x) \wedge y \le x \} = \{ (x, y) \in ⟦m⟧^2 \mid y \le x \}$

from which we can infer that $|S_1 \cup S_2'| = \frac{m(m+1)}{2}$ and thus:

$H(X \mid O) = -\log \frac{m(m+1)}{2m^2} = -\log \frac{m+1}{2m}$

We also checked that this formula is experimentally validated by our programs computing $H(X \mid O)$ empirically. As we are particularly interested in studying the behaviour of $H(X \mid O)$ for large input spaces, we formulate the following corollary.

Corollary 1.
When $m$ tends towards infinity, $H(X \mid O)$ converges and:

$\lim_{m \to \infty} H(X \mid O) = \log 2$

Proof.
This is an immediate consequence of Theorem 1, since $\frac{m+1}{2m} \to \frac{1}{2}$.
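As an added example, not part of the paper, the following Python code implements Algorithm 1 (with the largest-$k$ tie-break) and Algorithm 2, evaluates the vulnerability $V(X_j \mid O)$ of Equation (2) by exhaustive enumeration of the $m^n$ input tuples, and compares the resulting two-party min-entropy with the closed form of Theorem 1 and the limit of Corollary 1. The function names (auction_price, vulnerability, min_entropy_bits, two_party_closed_form_bits, max_attained_at_output) are this example's own, the bid lists are constructed inputs, and logarithms are taken in base 2 so that Corollary 1's $\log 2$ reads as one bit.

```python
from fractions import Fraction
from itertools import product
from math import log2


def auction_price(bids):
    """Algorithm 1: sort bids descending, maximise k * x_(k), keep the largest k on ties."""
    xs = sorted(bids, reverse=True)
    # The key (profit, k) makes max() prefer the larger k when profits tie,
    # i.e. the lower price that lets more buyers purchase.
    k = max(range(1, len(xs) + 1), key=lambda k: (k * xs[k - 1], k))
    return xs[k - 1]


def two_party_price(x, y):
    """Algorithm 2: the two-party special case written out as comparisons."""
    if x > y:
        return x if x > 2 * y else y
    return y if y > 2 * x else x


def vulnerability(n, m, target=0):
    """V(X_j | O) of Equations (1)/(2) for n bids uniform on 1..m, computed exactly.

    V = sum_o max_x p(x, o) = (1/m^n) * sum_o max_x |{spectators s : f(x, s) = o}|.
    Enumerating all m^n tuples is the O(m^n) cost the paper wants to avoid.
    """
    counts = {}  # counts[o][x] = number of spectator tuples s with f(x, s) = o
    for bids in product(range(1, m + 1), repeat=n):
        o, x = auction_price(bids), bids[target]
        counts.setdefault(o, {}).setdefault(x, 0)
        counts[o][x] += 1
    return Fraction(sum(max(by_x.values()) for by_x in counts.values()), m ** n)


def min_entropy_bits(n, m):
    """H(X_j | O) = -log2 V(X_j | O), in bits."""
    return -log2(float(vulnerability(n, m)))


def two_party_closed_form_bits(m):
    """Theorem 1: H(X | O) = -log((m + 1) / (2m)); Corollary 1: it tends to log 2 = 1 bit."""
    return -log2((m + 1) / (2 * m))


def max_attained_at_output(m):
    """Check the step max_x p(o | x) = p(o | X = o) behind Equation (3), for two parties."""
    ys = range(1, m + 1)
    for o in range(1, m + 1):
        best = max(sum(1 for y in ys if two_party_price(x, y) == o) for x in range(1, m + 1))
        at_o = sum(1 for y in ys if two_party_price(o, y) == o)
        if best != at_o:
            return False
    return True


if __name__ == "__main__":
    # Constructed bids: a tie between price 2 (two buyers) and price 1 (four buyers).
    print("f(1, 2, 2, 1) =", auction_price([1, 2, 2, 1]))
    for m in (9, 50, 200):
        print(m, min_entropy_bits(2, m), two_party_closed_form_bits(m))
```

For $m = 9$ the brute force gives $V = 45/81 = 5/9$, matching $\frac{m+1}{2m}$; pushing $m$ into the millions is only possible through the closed form, which is the point of Theorem 1.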
6 Three-Party Auctions

Algorithm 3
Three-party auction function f
Inputs: $x, y, z \in ⟦m⟧$
Output: sales price $p \in \{x, y, z\}$
function f($x, y, z$)
    sort the inputs such that $x \ge y \ge z$
    if $x > 2y$ and $x > 3z$ then return $x$
    else if $2y > 3z$ then return $y$
    else return $z$

Let us now consider the case where three parties enter an auction. The function $f$ is adapted in the above Algorithm 3. We can see that once the inputs have been sorted, the program simply consists in finding the maximum of $x$, $2y$ and $3z$, ties being resolved in favour of the larger multiplier, i.e. the lower price.

Before computing $V$, let us introduce some useful results that we will need in this section. Let us generalise a result that we hinted at in the previous section, and that will be of importance in deriving an algebraic expression for $H(X \mid O)$. We claim that substituting the value of the output for one of the inputs does not change the output of $f$.

Lemma 1.
Let $\{x_i\}_i$ be a set of $n$ inputs and let $o$ be a value. Then we have:

$f(x_1, x_2, \dots, x_n) = o \implies f(o, x_2, \dots, x_n) = o$ (4)

Proof.
Let us introduce a few notations in order to develop this proof. Let $\{x_i\}_i$ be a set of $n$ inputs and let $o$ and $o'$ be two values such that:

$f(x_1, \dots, x_n) = o$ (5)
$f(o, x_2, \dots, x_n) = o'$ (6)

where we will refer to Equation (5) as scenario 1 while Equation (6) will be referred to as scenario 2. For the sake of convenience, let us introduce another set of inputs $\{x'_i\}_i$ which we define as:

$x'_1 = o$ (7)
$\forall i \in ⟦2; n⟧ : x'_i = x_i$ (8)

so that we can write $f(x'_1, \dots, x'_n) = o'$. Let $S$ and $S'$ be two subsets of ⟦n⟧ defined as:

$S = \{ i \in ⟦n⟧ \mid x_i \ge o \}$
$S' = \{ i \in ⟦n⟧ \mid x'_i \ge o' \}$

In other words, $S$ and $S'$ represent the sets of parties that get to buy the item in an auction involving the inputs $\{x_i\}_i$ and $\{x'_i\}_i$ respectively. Let $b$ and $b'$ be the seller's benefits in both scenarios, defined as:

$b = |S| \cdot o$
$b' = |S'| \cdot o'$

Finally, for an input set $\{\xi_i\}_i$, a subset $\sigma \subseteq ⟦n⟧$ and a value $\omega$, we say that the triple $(\{\xi_i\}_i, \sigma, \omega)$ is qualified if: $\forall j \in \sigma : \xi_j \ge \omega$
We can notice that if $(\{\xi_i\}_i, \sigma, \omega)$ is qualified, then the seller's benefits in an auction involving inputs $\{\xi_i\}_i$ will be no lower than $|\sigma| \cdot \omega$, since selling at price $\omega$ to the parties in $\sigma$ is one admissible outcome.

The intuition of the proof follows. First, there is nothing to show when $o = x_1$. We will prove that if $o < x_1$, then $b' = b$ as $o$ is the optimal price for scenario 2. If $o > x_1$, we will argue that $b' = b + o$, which can only be achieved for $o' = o$.

Case 1.
Let us assume that $o < x_1$. We first argue that $b' = b$. In this case, we have $x'_i \le x_i$ for all $i$ in ⟦n⟧. For every subset $\sigma \subseteq \{1, \dots, n\}$, if $(\{x'_i\}, \sigma, o')$ is qualified, then $(\{x_i\}, \sigma, o')$ is also qualified. Thus we have $b' \le b$. Moreover, we know that $(\{x'_i\}, S, o)$ is qualified since $x'_1 = o \ge o$ and $x'_i = x_i$ for $i \ge 2$. Hence $b' \ge b$, and thus $b' = b$.

Let us now argue that $o' = o$. We know that $b'$ can be achieved with a sales price of $o$. As the auction function $f$ favours lower sales prices for the same seller's benefits, we know that $o' \le o$. Let us assume by contradiction that $o' < o$. As argued before, we know that $(\{x_i\}, S', o')$ is qualified. The benefits with inputs $\{x_i\}$ and price $o'$ would equal $|S'| \cdot o'$. But we have just shown that $b' = b$, where by definition $b' = |S'| \cdot o'$. Thus the optimal benefits in scenario 1 would also be achieved with an output value $o'$ satisfying $o' < o$, which is a contradiction. Thus $o' = o$.

Case 2.
Let us assume that $o > x_1$. Let us first argue that $b' = b + o$. We know that $(\{x_i\}, S, o)$ is qualified by definition, and thus $(\{x'_i\}, S \cup \{1\}, o)$ is also qualified since $x'_1 = o$ (note that $1 \notin S$, as $x_1 < o$). Thus $b' \ge (|S| + 1) \cdot o$, or in other words $b' \ge b + o$. Moreover, for every subset $\sigma \subseteq \{1, \dots, n\}$, if $(\{x'_i\}, \sigma, o')$ is qualified, then the triple $(\{x_i\}, \sigma \cap \{2, \dots, n\}, o')$ is also qualified, since $x'_i = x_i$ for all $i$ in ⟦2; n⟧. Let us now assume by contradiction that $b' > b + o$. As by definition $(\{x'_i\}, S', o')$ is qualified, we know that $(\{x_i\}, S' \cap ⟦2; n⟧, o')$ is qualified too. Thus:

$b \ge (|S'| - 1) \cdot o' = |S'| \cdot o' - o' = b' - o'$

By assumption, this implies $b > b + o - o'$ and thus $o' > o$. This implies that $1 \notin S'$ (since $x'_1 = o < o'$) and thus $(\{x_i\}, S', o')$ is qualified, which means that $b \ge b'$, which is a contradiction. In conclusion, we have $b' = b + o$.

Let us now argue that $o' = o$. We have already mentioned that $b'$ can be achieved with a sales price of $o$, and thus $o' \le o$. Let us assume by contradiction that $o' < o$. Then we know that $1 \in S'$ (since $x'_1 = o \ge o'$). We also know that as $(\{x'_i\}, S', o')$ is qualified, then $(\{x_i\}, S' \setminus \{1\}, o')$ is qualified too. Consequently:

$b \ge (|S'| - 1) \cdot o' = b' - o'$

As we assumed that $o' < o$, we thus have $b > b' - o$ and thus $b' < b + o$, which is a contradiction. This concludes the case and the proof.

We also recall a result that will be useful for studying the asymptotic behaviour of $H(X \mid O)$.

Lemma 2.
Let $n$ be a positive integer and let $a$ and $b$ be positive integers no larger than $n$. Then:

$\sum_{k=a}^{b} k = \frac{1}{2}(b^2 - a^2) + O(n)$
$\sum_{k=a}^{b} k^2 = \frac{1}{3}(b^3 - a^3) + O(n^2)$

Proof.
We recall that we have:

$\sum_{k=1}^{n} k = \frac{n(n+1)}{2}$
$\sum_{k=1}^{n} k^2 = \frac{n(n+1)(2n+1)}{6}$

Thus for every positive integer $c$ no larger than $n$, we have:

$\sum_{k=1}^{c} k = \frac{1}{2}c^2 + O(n)$
$\sum_{k=1}^{c} k^2 = \frac{1}{3}c^3 + O(n^2)$

And thus, as $a$ and $b$ are no larger than $n$:

$\sum_{k=a}^{b} k = \sum_{k=1}^{b} k - \sum_{k=1}^{a} k + O(n) = \frac{1}{2}(b^2 - a^2) + O(n)$
$\sum_{k=a}^{b} k^2 = \sum_{k=1}^{b} k^2 - \sum_{k=1}^{a} k^2 + O(n^2) = \frac{1}{3}(b^3 - a^3) + O(n^2)$

where we note that the bounds of the indices in the sums are allowed to differ by 1 since the difference is compensated in the $O(n)$ and $O(n^2)$ terms.

We are now interested in computing the value of $V$. For this, we argue again that $\max_x p(o \mid x) = p(o \mid X = o)$. Indeed, we know that for fixed values of $o$ and $x$, we have:

$p(o \mid x) = \sum_{(y,z) : f(x,y,z) = o} p(y, z) = \frac{|\{ (y, z) \mid f(x, y, z) = o \}|}{m^2}$

where we note that in this 3-party setting, the pair $(y, z)$ plays the role of the spectators' input, which comprises the two inputs $y$ and $z$.
However, Lemma 1 ensures that every pair $(y, z)$ with $f(x, y, z) = o$ also satisfies $f(o, y, z) = o$, and thus:

$\forall x : |\{ (y, z) \mid f(x, y, z) = o \}| \le |\{ (y, z) \mid f(o, y, z) = o \}|$

so that Equation (2) becomes:

$V = \frac{1}{m^3} \sum_o |\{ (y, z) \mid f(o, y, z) = o \}|$ (9)

The aim is thus now to compute the above sum, which can be written as the cardinality of the following set $S$:

$S = \{ (x, y, z) \mid f(x, y, z) = x \} = \bigcup_x S_x$

where for all $x$ we define:

$S_x = \{ (x, y, z) \mid f(x, y, z) = x \}$

Let us partition each set $S_x$ into the following four subsets, which correspond to the different possible input orderings:

$S_x^1 = S_x \cap \{ (x, y, z) \mid x > y \wedge x > z \}$
$S_x^2 = S_x \cap \{ (x, y, z) \mid y \ge x > z \}$
$S_x^3 = S_x \cap \{ (x, y, z) \mid z \ge x > y \}$
$S_x^4 = S_x \cap \{ (x, y, z) \mid x \le y \wedge x \le z \}$

We note that $S_x^1$ corresponds to the cases where $x$ is the largest of $x$, $y$ and $z$, $S_x^2$ and $S_x^3$ include the cases where $x$ is the middle element and $S_x^4$ depicts the cases where $x$ is the smallest item. Let $x$ be in ⟦m⟧. It is immediate to see that $\{S_x^1, \dots, S_x^4\}$ forms a partition of $S_x$ and thus $|S_x| = |S_x^1| + \dots + |S_x^4|$, and furthermore $|S| = \sum_x |S_x|$. Let us thus focus on the cardinality of those four subsets.
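The following Python code is an added example, not the paper's own, that checks Lemma 1 exhaustively for small $n$ and $m$, splits $S = \{(x, y, z) \mid f(x, y, z) = x\}$ into the four orderings $S_x^1, \dots, S_x^4$ defined above, and confirms that $V$ from Equation (9) coincides with Equation (2) computed without Lemma 1, i.e. that $x = o$ is indeed the maximising input. It also compares the brute-force $|S_x^1|$ against the count $(\lceil x/3 \rceil - 1)(2\lceil x/2 \rceil - \lceil x/3 \rceil - 1)$ obtained from the Case 1 reasoning that follows (the quantity Equation (10) expresses). Function names are this example's own; auction_price is a four-line implementation of Algorithm 1 with the largest-$k$ tie-break.

```python
from fractions import Fraction
from itertools import product


def auction_price(bids):
    """Algorithm 1: sort bids descending, maximise k * x_(k), keep the largest k on ties."""
    xs = sorted(bids, reverse=True)
    k = max(range(1, len(xs) + 1), key=lambda k: (k * xs[k - 1], k))
    return xs[k - 1]


def lemma1_holds(n, m):
    """Lemma 1: f(x_1, ..., x_n) = o implies f(o, x_2, ..., x_n) = o, checked over all of [m]^n."""
    for xs in product(range(1, m + 1), repeat=n):
        o = auction_price(xs)
        if auction_price((o,) + xs[1:]) != o:
            return False
    return True


def three_party_partition(m):
    """Split S = {(x, y, z) : f(x, y, z) = x} by the position of x among the three bids.

    Returns (|S|, per_x) with per_x[x] = [|S^1_x|, |S^2_x|, |S^3_x|, |S^4_x|].
    """
    per_x = {x: [0, 0, 0, 0] for x in range(1, m + 1)}
    for x, y, z in product(range(1, m + 1), repeat=3):
        if auction_price((x, y, z)) != x:
            continue
        if x > y and x > z:
            per_x[x][0] += 1        # S^1_x: x is the largest bid
        elif y >= x > z:
            per_x[x][1] += 1        # S^2_x: x is in the middle, y above it
        elif z >= x > y:
            per_x[x][2] += 1        # S^3_x: x is in the middle, z above it
        else:
            per_x[x][3] += 1        # S^4_x: x <= y and x <= z
    return sum(sum(c) for c in per_x.values()), per_x


def vulnerability_eq9(m):
    """Equation (9): V = (1/m^3) * sum_o |{(y, z) : f(o, y, z) = o}| = |S| / m^3."""
    total, _ = three_party_partition(m)
    return Fraction(total, m ** 3)


def vulnerability_eq2(m):
    """Equation (2) without Lemma 1: (1/m) * sum_o max_x p(o | x), all m^3 inputs enumerated."""
    counts = {}  # counts[o][x] = |{(y, z) : f(x, y, z) = o}|
    for x, y, z in product(range(1, m + 1), repeat=3):
        o = auction_price((x, y, z))
        counts.setdefault(o, {}).setdefault(x, 0)
        counts[o][x] += 1
    return Fraction(sum(max(by_x.values()) for by_x in counts.values()), m ** 3)


def ceil_div(a, b):
    """Exact ceiling of a / b for positive integers."""
    return -(-a // b)


def case1_count(x):
    """|S^1_x| in closed form: (ceil(x/3) - 1) * (2 ceil(x/2) - ceil(x/3) - 1).

    ceil(x/3) - 1 integers z satisfy 1 <= z < x/3 (x beats 3z), and
    ceil(x/2) - ceil(x/3) integers satisfy x/3 <= z < x/2 (x beats 2z but not 3z).
    """
    a = ceil_div(x, 3) - 1
    return a * (2 * ceil_div(x, 2) - ceil_div(x, 3) - 1)


def partition_matches_closed_form(m):
    """True when every brute-force |S^1_x| equals case1_count(x) and |S^2_x| == |S^3_x|."""
    _, per_x = three_party_partition(m)
    return all(c[0] == case1_count(x) and c[1] == c[2] for x, c in per_x.items())


if __name__ == "__main__":
    for m in (2, 5, 9):
        total, per_x = three_party_partition(m)
        print(m, total, vulnerability_eq9(m), vulnerability_eq2(m))
```

For $m = 2$ the six triples with $f(x, y, z) = x$ give $V = 6/8$; for every $m$ the two ways of computing $V$ agree, which is exactly the consequence of Lemma 1 used to obtain Equation (9).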
Case 1.
Let $y$ and $z$ be in ⟦m⟧ such that $x > y \wedge x > z$, and let us study the membership of $(x, y, z)$ in $S_x^1$. Once sorted, $x$ is the largest bid, so $x$ is returned exactly when it strictly beats twice the middle bid and three times the smallest one. We have:

$f(x, y, z) = x \iff (x > 2y \wedge x > 3z) \vee (x > 2z \wedge x > 3y) \iff (y < \tfrac{x}{2} \wedge z < \tfrac{x}{3}) \vee (y < \tfrac{x}{3} \wedge z < \tfrac{x}{2})$

In order to tally the number of different pairs $(y, z)$ that satisfy those conditions, it is helpful to rewrite those systems as the following disjunction:

$f(x, y, z) = x \iff (y < \tfrac{x}{3} \wedge z < \tfrac{x}{3}) \vee (y < \tfrac{x}{3} \wedge \tfrac{x}{3} \le z < \tfrac{x}{2}) \vee (\tfrac{x}{3} \le y < \tfrac{x}{2} \wedge z < \tfrac{x}{3})$

The three disjuncts above are disjoint, and the last two disjuncts are symmetrical in $y$ and $z$. There are $\lceil x/3 \rceil - 1$ integers $z$ with $1 \le z < x/3$ and $\lceil x/2 \rceil - \lceil x/3 \rceil$ integers with $x/3 \le z < x/2$. We can thus express the cardinality of $S_x^1$ as:

$|S_x^1| = \left(\lceil \tfrac{x}{3} \rceil - 1\right)^2 + 2 \left(\lceil \tfrac{x}{2} \rceil - 1 - \lceil \tfrac{x}{3} \rceil + 1\right) \left(\lceil \tfrac{x}{3} \rceil - 1\right) = \left(\lceil \tfrac{x}{3} \rceil - 1\right) \left(2 \lceil \tfrac{x}{2} \rceil - \lceil \tfrac{x}{3} \rceil - 1\right)$ (10)

Case 2 and 3.
Let us now study the cardinality of $S_x^2$. Let $y$ and $z$ be in ⟦m⟧ such that $y \ge x > z$, and let us study the membership of $(x, y, z)$ in $S_x^2$. Here $x$ is the middle bid, so it is returned when $2x$ is not lower than $y$ (ties favour the lower price $x$) and strictly greater than $3z$. We have:

$f(x, y, z) = x \iff (2x \ge y \wedge 2x > 3z) \iff (x \le y \le 2x \wedge z < \tfrac{2x}{3})$

We can thus express the cardinality of $S_x^2$ depending on which side of $m$ the value $2x$ lies. If $2x \le m$, then:

$|S_x^2| = (2x - x + 1) \left(\lceil \tfrac{2x}{3} \rceil - 1\right) = (x + 1) \left(\lceil \tfrac{2x}{3} \rceil - 1\right)$ (11)

If $2x > m$, then:

$|S_x^2| = (m - x + 1) \left(\lceil \tfrac{2x}{3} \rceil - 1\right)$ (12)

By symmetry on $y$ and $z$, we also have $|S_x^3| = |S_x^2|$.

Case 4.
Let us now take $y$ and $z$ in ⟦m⟧ such that $x \le y \wedge x \le z$, and let us study the membership of $(x, y, z)$ in $S_x^4$. Here $x$ is the smallest bid, so it is returned when $3x$ is not lower than the largest bid nor than twice the middle one. We have:

$f(x, y, z) = x \iff (3x \ge y \wedge 3x \ge 2z) \vee (3x \ge z \wedge 3x \ge 2y) \iff (x \le y \le 3x \wedge x \le z \le \tfrac{3x}{2}) \vee (x \le y \le \tfrac{3x}{2} \wedge x \le z \le 3x)$

Rewriting those conditions as disjoint cases, we get:

$f(x, y, z) = x \iff (x \le y \le \tfrac{3x}{2} \wedge x \le z \le \tfrac{3x}{2}) \vee (x \le y \le \tfrac{3x}{2} \wedge \tfrac{3x}{2} < z \le 3x) \vee (\tfrac{3x}{2} < y \le 3x \wedge x \le z \le \tfrac{3x}{2})$

Let us treat those three disjoint disjuncts separately. Let $c_x^1$, $c_x^2$ and $c_x^3$ denote the numbers of different triples $(x, y, z)$ that satisfy the three above systems respectively, i.e.:

$c_x^1 = \left| \{ (x, y, z) \mid x \le y \le \tfrac{3x}{2} \wedge x \le z \le \tfrac{3x}{2} \} \right|$
$c_x^2 = \left| \{ (x, y, z) \mid x \le y \le \tfrac{3x}{2} \wedge \tfrac{3x}{2} < z \le 3x \} \right|$
$c_x^3 = \left| \{ (x, y, z) \mid \tfrac{3x}{2} < y \le 3x \wedge x \le z \le \tfrac{3x}{2} \} \right|$

Let us focus on $c_x^1$ first. If $\tfrac{3x}{2} \le m$, then:

$c_x^1 = \left(\lfloor \tfrac{3x}{2} \rfloor - x + 1\right)^2$ (13)

Otherwise, if $\tfrac{3x}{2} > m$, then:

$c_x^1 = (m - x + 1)^2$ (14)

Let us now focus on $c_x^2$:

$c_x^2 = \left(3x - \lfloor \tfrac{3x}{2} \rfloor\right) \left(\lfloor \tfrac{3x}{2} \rfloor - x + 1\right)$ if $3x \le m$
$c_x^2 = \left(m - \lfloor \tfrac{3x}{2} \rfloor\right) \left(\lfloor \tfrac{3x}{2} \rfloor - x + 1\right)$ if $\tfrac{3x}{2} \le m \le 3x$
$c_x^2 = 0$ if $\tfrac{3x}{2} > m$ (15)

And by symmetry on $y$ and $z$, we have $c_x^3 = c_x^2$. Finally, we have $|S_x^4| = c_x^1 + c_x^2 + c_x^3$.

Let us recall that we wished to compute the cardinality of the set $S$ in order to fulfil our original aim, which was to compute input $x$'s vulnerability $V$. We have now derived the cardinality of each subset $S_x^i$ for all $i$ in ⟦1; 4⟧ and for all $x$ in ⟦m⟧. Moreover, we have intentionally expressed $S$ as a disjoint union so that:

$|S| = \sum_x |S_x^1| + \dots + |S_x^4|$ (16)

The expression that we can derive for $|S|$ in this way involves sums with ceilings and floors and would thus not immediately lead to a closed-form formula that can be computed in constant time. Indeed, combining Equations (10), (11), (12), (13), (14) and (15) provides us with a closed-form expression for $|S_x^1| + \dots + |S_x^4|$ for any fixed value of $x$ in ⟦m⟧. Equation (16) then allows us to compute the cardinality $|S|$ by summing those $m$ expressions, which allows us to compute $|S|$ in $O(m)$ time.

However, we recall that for small input spaces, we already have a combinatorial way of computing the vulnerability $V$, and that our major problem is to scale our analyses to large input spaces, which is specifically where the combinatorial method fails to scale. For that reason, in the remainder of this report, we will aim at deriving a closed-form formula for the asymptotic behaviour of $|S|$ for large values of the input size $m$. In order to do so, we will study the asymptotic behaviour, when $m$ tends towards infinity, of $|S_x^i|$ and $\sum_x |S_x^i|$ for all $i$ in ⟦1; 4⟧, in order to be able to compute that of $|S|$ and thus of $V$. In this section, the asymptotic behaviour of the cardinality of a set, say $S$, will refer to the asymptotic behaviour of $|S|$ when expressed as a function of $m$, when $m$ tends towards infinity.

Let us consider again the expression of $|S_x^1|$ obtained in Equation (10) and let us study its asymptotic behaviour when $m$ is large. We note that $x$ is an integer ranging in ⟦m⟧ and is thus an $O(m)$. By simplifying the ceiling in the first factor, we have:

$\lceil \tfrac{x}{3} \rceil - 1 = \tfrac{1}{3} x + O(1)$

Case 1.
We now recall the entire expression of |S_x^1| obtained in Equation (10) and proceed with a similar reasoning:
|S_x^1| = (⌈x − ⌉)(⌈x⌉ − ⌈x⌉ − ) = (x + O(1))(x − x + O(1)) = (2/3)x + x·O(1) = (2/3)x + O(m)
We thus obtain:
∑_x |S_x^1| = ∑_{x=1}^{m} ((2/3)x + O(m)) = (2/3)·m(m + 1)(2m + 1)/6 + O(m) = (1/3)m + O(m)
Case 2 and 3.
Let us now study the case of |S_x^3|. Based on Equation (11), if 2x ≤ m we have:
|S_x^3| = (x + 1)(⌈x⌉ − ) = (2/3)x + O(m)
Similarly, if 2x > m, then Equation (12) becomes:
|S_x^3| = (m − x + 1)(⌈x⌉ − ) = (2/3)mx − x + O(m)
And thus:
∑_{x=1}^{m} |S_x^3| = ∑_{x=1}^{m/2} ((2/3)x + O(m)) + ∑_{x=m/2}^{m} ((2/3)mx − x + O(m)) + O(m)
where we note again that the bounds of the indices in the sums are allowed to differ by 1, since the difference is compensated by the O(m) term.
Let us compute each term separately. Using the results recalled in Lemma 2, we have:
∑_{x=1}^{m/2} ((2/3)x + O(m)) = (2/3)·(m/2) + O(m) = (1/2)·m + O(m)
Similarly, we note that ∑_{x=m/2}^{m} O(m) = O(m). Moreover, we have:
∑_{x=m/2}^{m} ((2/3)mx − x) = (2/3)m ∑_{x=m/2}^{m} x − ∑_{x=m/2}^{m} x + O(m) = 2m·(m − (m/2)) − (m − (m/2)) + O(m) = 2m · · m − · m + O(m) = m − m · + O(m) = (1/2)·m + O(m)
Combining the previous two terms, we get:
∑_{x=1}^{m} |S_x^3| = (1/2)·m + (1/2)·m + O(m) = (1/2)·m + O(m)
By symmetry, we immediately get:
∑_{x=1}^{m} (|S_x^2| + |S_x^3|) = (1/2)·m + O(m)
Case 4.
Let us finally study the asymptotic behaviour of ∑_x |S_x^4| = ∑_x (c_x^1 + c_x^2 + c_x^3). If x ≤ m, we know from Equation (13) that:
c_x^1 = (⌊x⌋ − x + 1) = x + O(m)
Moreover, if x > m, then from Equation (14):
c_x^1 = (m − x + 1) = m − mx + x + O(m)
Thus:
∑_{x=1}^{m} c_x^1 = ∑_{x ≤ m} x + ∑_{x > m} (m − mx + x) + O(m) = (1/2) · · m + m − · m · + 19 m + O(m) = m + O(m)
Similarly, by Equation (15), we have:
c_x^2 = x + O(m) if 3x ≤ m;  xm − x + O(m) if x ≤ m ≤ x;  x > m
Thus:
∑_{x=1}^{m} c_x^2 = ∑_{3x ≤ m} x + ∑_{x ≤ m ≤ x} (xm − x) + O(m) = 3m · · + (2 − m · · − · m · · + O(m) = m · + O(m)
And by symmetry, we have:
∑_{x=1}^{m} (c_x^2 + c_x^3) = m · + O(m)
And thus:
∑_{x=1}^{m} |S_x^4| = m + m · + O(m) = m · + O(m)
Conclusion. And finally:
|S| = ∑_{i=1}^{4} |S^i| = (1/3)m + (1/2)·m + m · + O(m) = (1/3)m + O(m)   (17)
Given this analysis, we can now formulate our main result for 3-party auctions.
Theorem 2.
We have:
H(X | O) = log 3 + O(1/m)
Proof.
Equations (9) and (17) yield:
V = 1/3 + O(1/m)
and manipulating asymptotic developments yields:
H = −log((1/3)·(1 + O(1/m))) = log 3 − log(1 + O(1/m)) = log 3 + O(1/m)
It follows that H(X | O) converges when m tends towards infinity, and its limit is stated in the following result.
Corollary 2.
When the input size m tends towards infinity, the value of H(X | O) converges and:
lim_{m→∞} H(X | O) = log 3
Proof.
This is an immediate consequence of Theorem 2.
We note that a more precise approximation of V and H(X | O) can be obtained by bounding the cardinalities of the subsets involved in the computation of |S| from above and from below. In particular, each flooring and ceiling can be approximated by a range of width 1, so a more involved computation would lead to a more precise result.
The results obtained so far led us to conjecture on the asymptotic vulnerability of a targeted input in a general n-party auction. Let n be a positive integer and let us consider an n-party auction. Let m be a positive integer that represents the input size. Let us consider n inputs x_1, …, x_n, and we recall that the computation of the output of the auction is modelled by the function f. In light of Corollaries 1 and 2, we formulate the following conjecture.
Conjecture 1.
Let H(X | O) represent the conditional entropy of one of the inputs, X, given the output of the auction O. Then H(X | O) converges when m tends towards infinity and:
lim_{m→∞} H(X | O) = log n
We note that this conjecture also holds when n = 1, since in the presence of a single party we have H(X | O) = 0. The results derived in Corollaries 1 and 2 are also consistent with this conjecture. In this section, we provide more evidence which supports our intuition.
Let us first generalise a notion introduced in Equation (9) that will enable us to express the vulnerability more conveniently.
Definition 1.
We define the function c_n : ℕ* → ℕ for all positive integers m as:
c_n(m) = |{(x_1, …, x_n) ∈ ⟦m⟧^n | f(x_1, …, x_n) = x_1}|
As discussed in Section 6, we can easily prove that V = c_n(m)/m^n. The difficulty resides in computing c_n(m) for large values of m.
Let us first formulate a second conjecture on the shape of the function c_n. This will help us to reason about its asymptotic behaviour more precisely.
Conjecture 2.
There exists a positive rational number a_n in ℚ such that:
c_n(m) = a_n · m^n + O(m^{n−1})
We can see in Section 6, from the way that c_n(m) is constructed, that it will comply with the shape aforementioned.
Conjecture 1 is now equivalent to the fact that a_n = 1/n, for which we will show some empirical supportive evidence. We emphasise that the following reasoning is empirical and does not constitute a proof.
As Conjecture 2 suggests that the function c_n behaves like a polynomial of degree n for large values of m, we decided to try and interpolate the function c_n with a polynomial of degree at most n via its first 30 values c_n(1), …, c_n(30), which we computed empirically. Let us plot the first 30 values of c_n that we computed for n = 2, …, 5. Based on those 30 values, we performed a polynomial regression with a polynomial of degree n respectively, with a least squares method. The respective interpolating polynomials P_2, …, P_5 that we empirically obtain are displayed below:
P_2 = 0.x + 0.x
P_3 = 0.x + 0.x + 0.x − .
P_4 = 0.x + 0.x + 0.x + 1.x − .
P_5 = 0.x + 0.x − .x + 14.x − .x + 64.
The leading coefficients a_n are indeed very close to 1/n, which supports our Conjecture 1.
The results obtained and conjectured in this paper suggest that the computational power that an attacker may have should somehow play a role in our approach. Similarly to the differences that have been formally defined between information-theoretic security and computational security in a cryptographic protocol, we may also identify similar nuances in privacy.
For example, let us assume that our Conjecture 1 is correct and that the vulnerability of one input in an n-party auction converges towards 1/n when the input size m tends to infinity. This would be a poor privacy guarantee, since the prior vulnerability of one input is 1/m, and m is much larger than n.
However, this 1/n limit would be a theoretical value: this means that, in theory, an attacker learning the output of an auction has on average a 1/n probability of guessing one input in one try if he selects the best guess. But in reality, an attacker with limited computational power might not be able to select the best guess that would offer him a 1/n probability of guessing the secret.
Our empirical method for computing c_n(m), which does not scale to large input spaces, does provide, along with the exact value of c_n(m), the best guessing strategy that achieves the expected vulnerability, as it explicitly chooses the best guess.
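The combinatorial method referred to above, and the least-squares fit behind Figure 1, can both be reproduced on small input spaces. The following Python is an added example written for this edition and is not the authors' code. It assumes that bids range over ⟦m⟧ = {1, …, m}, that the auction output is the bid p maximising p · |{i : x_i ≥ p}| with ties broken towards the lower price (the excerpt does not state the tie rule; conditions such as 2x ≥ y above are consistent with it), and that entropies are measured in bits. Besides c_n(m), the enumeration computes the generic min-entropy vulnerability ∑_o max_x P(x_1 = x, O = o), which exhibits the attacker's best guess for every output and lets one check that this guess is x = o, i.e. that V = c_n(m)/m^n as claimed after Definition 1; a least-squares fit over the first values of c_n (fewer than the paper's 30, to keep the brute force cheap for n = 3) then estimates a_n.

```python
from fractions import Fraction
from itertools import product
from math import log2


def sale_price(bids):
    """Digital goods auction outcome: the bid p maximising p * |{i : bid_i >= p}|.
    Assumption (not stated in the excerpt): on equal revenue the lower price is kept,
    so prices are scanned in increasing order and replaced only on a strictly
    larger revenue."""
    best_price, best_revenue = None, -1
    for p in sorted(set(bids)):
        revenue = p * sum(1 for b in bids if b >= p)
        if revenue > best_revenue:
            best_price, best_revenue = p, revenue
    return best_price


def c_n(n, m):
    """Definition 1: number of tuples in {1..m}^n whose sale price equals the first input."""
    return sum(1 for bids in product(range(1, m + 1), repeat=n)
               if sale_price(bids) == bids[0])


def vulnerability(n, m):
    """V = c_n(m) / m^n, the paper's expression for the min-entropy vulnerability of x_1."""
    return Fraction(c_n(n, m), m ** n)


def vulnerability_by_best_guess(n, m):
    """Generic min-entropy vulnerability: sum over outputs o of max_x P(x_1 = x, O = o).
    Returns (V, {output: best guess for x_1}), the strategy of an unbounded attacker."""
    joint = {}  # (output, x_1) -> number of tuples
    for bids in product(range(1, m + 1), repeat=n):
        key = (sale_price(bids), bids[0])
        joint[key] = joint.get(key, 0) + 1
    best = {}
    for (o, x), count in joint.items():
        if o not in best or count > best[o][1]:
            best[o] = (x, count)
    total = sum(count for _, count in best.values())
    return Fraction(total, m ** n), {o: x for o, (x, _) in best.items()}


def posterior_min_entropy(n, m):
    """H(X | O) = -log2 V, in bits."""
    return -log2(vulnerability(n, m))


def least_squares_poly(xs, ys, degree):
    """Exact least-squares polynomial fit: normal equations A^T A c = A^T y for the
    Vandermonde matrix A = [x^j], solved with Gauss-Jordan over Fractions.
    Returns the coefficients c_0 .. c_degree of c_0 + c_1 x + ... ."""
    k = degree + 1
    ata = [[sum(Fraction(x) ** (i + j) for x in xs) for j in range(k)] for i in range(k)]
    aty = [sum(Fraction(y) * Fraction(x) ** i for x, y in zip(xs, ys)) for i in range(k)]
    aug = [row + [rhs] for row, rhs in zip(ata, aty)]
    for col in range(k):  # A^T A is positive definite, so every pivot is non-zero
        piv = aug[col][col]
        aug[col] = [v / piv for v in aug[col]]
        for r in range(k):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [aug[i][k] for i in range(k)]


def estimate_a_n(n, max_m):
    """Conjecture 2 check: fit c_n(1..max_m) with a degree-n polynomial and return its
    leading coefficient, which Conjecture 1 predicts to be close to 1/n."""
    ms = list(range(1, max_m + 1))
    return float(least_squares_poly(ms, [c_n(n, m) for m in ms], n)[n])


if __name__ == "__main__":
    for n, m in ((2, 3), (3, 3), (3, 20)):
        v, guess = vulnerability_by_best_guess(n, m)
        print(f"n={n} m={m}: c_n(m)={c_n(n, m)} V={v} ({float(v):.4f}) "
              f"H(X|O)={posterior_min_entropy(n, m):.4f} bits, "
              f"best guess is x=o for every output: {all(x == o for o, x in guess.items())}")
    print("a_2 estimate:", estimate_a_n(2, 30), " a_3 estimate:", estimate_a_n(3, 24))
```

Exact rational arithmetic in the normal equations avoids the ill-conditioning of a floating-point Vandermonde fit at degree 5. Note also that f always returns one of the n bids, so ∑_i P(f = x_i) ≥ 1 and, by symmetry, V ≥ 1/n for every m; the estimate of a_n should therefore not fall below 1/n by more than the fitting error. Brute force is affordable for n ≤ 3 here; n = 4 and 5 at m = 30 need the smarter enumeration the paper's own experiments used.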
Figure 1: Polynomial interpolation of the empirical values of c_n with polynomials P_n of degree at most n, for n = 2, 3, 4, 5 (panels (a) to (d)); each panel plots c_n(m) and P_n(m) against m. The first 30 values of c_n were computed empirically and used to perform a polynomial regression with a least squares method.
However, in the 3-party auction, we solely proved that for a large value of m the input's vulnerability would be close to 1/3. In particular, we were unable to provide a way for an attacker to select the best guessing strategy given the auction's output.
One might thus be interested in considering the potential difference that may exist between the theoretical vulnerability and the computational vulnerability of a secret.
Digital goods auctions are one real-world use case that can benefit from the security guarantees that Secure Multi-Party Computation has to offer. One of the main advantages of using SMC is to protect the confidentiality of the participants' bids. As in every application of SMC, private inputs in auctions are subject to acceptable leakage. Although general combinatorial privacy analyses are able to quantify this leakage for small input spaces, they fail to scale to large input spaces. In this paper, we derived methods for quantifying the acceptable leakage that scale to arbitrarily large input spaces in the particular case of digital goods auctions. We first derived a closed-form formula for the posterior entropy of a targeted input in two-party auctions. We then focused on studying the asymptotic behaviour of this posterior entropy in three-party auctions. This enabled us to formulate a conjecture on the asymptotic behaviour of this acceptable leakage in general n-party auctions with large input spaces, which we further supported with empirical observations.
References
[1] Patrick Ah-Fat and Michael Huth. Secure multi-party computation: Information flow of outputs and game theory. In
International Conference on Principles of Security and Trust, pages 71–92. Springer, 2017.
[2] Patrick Ah-Fat and Michael Huth. Optimal accuracy-privacy trade-off for secure computations. IEEE Transactions on Information Theory, 65(5):3165–3182, 2018.
[3] Patrick Ah-Fat and Michael Huth. Optimal accuracy-privacy trade-off for secure multi-party computations. arXiv preprint arXiv:1803.00436, 2018.
[4] Patrick Ah-Fat and Michael Huth. Scalable information flow analysis of secure three-party affine computations. In , pages 2967–2971. IEEE, 2019.
[5] Patrick Ah-Fat and Michael Huth. Scalable information-flow analysis of secure three-party affine computations. CoRR, abs/1901.00798, 2019.
[6] Patrick Ah-Fat and Michael Huth. Protecting private inputs: Bounded distortion guarantees with randomised approximations. Proceedings on Privacy Enhancing Technologies, 3:284–303, 2020.
[7] Mário S. Alvim, Kostas Chatzikokolakis, Catuscia Palamidessi, and Geoffrey Smith. Measuring information leakage using generalized gain functions. In , pages 265–279. IEEE, 2012.
[8] Yonatan Aumann and Yehuda Lindell. Security against covert adversaries: Efficient protocols for realistic adversaries. In Theory of Cryptography Conference, pages 137–156. Springer, 2007.
[9] Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proceedings of the twentieth annual ACM symposium on Theory of computing, pages 1–10. ACM, 1988.
[10] Peter Bogetoft, Dan Lund Christensen, Ivan Damgård, Martin Geisler, Thomas Jakobsen, Mikkel Krøigaard, Janus Dam Nielsen, Jesper Buus Nielsen, Kurt Nielsen, Jakob Pagter, et al. Secure multiparty computation goes live. In International Conference on Financial Cryptography and Data Security, pages 325–343. Springer, 2009.
[11] Christian Cachin. Entropy measures and unconditional security in cryptography. PhD thesis, Diss. Techn. Wiss. ETH Zürich, Nr. 12187, 1997. Ref.: U. Maurer; Korref.: J. L. Massey, 1997.
[12] David Chaum, Claude Crépeau, and Ivan Damgård. Multiparty unconditionally secure protocols. In Proceedings of the twentieth annual ACM symposium on Theory of computing, pages 11–19. ACM, 1988.
[13] R. Cramer, I. B. Damgård, and J. B. Nielsen. Secure Multiparty Computation. Cambridge University Press, 2015.
[14] Cynthia Dwork. Differential privacy: A survey of results. In International Conference on Theory and Applications of Models of Computation, pages 1–19. Springer, 2008.
[15] Cynthia Dwork, Aaron Roth, et al. The algorithmic foundations of differential privacy. Foundations and Trends® in Theoretical Computer Science, 9(3–4):211–407, 2014.
[16] M. H. R. Khouzani and Pasquale Malacaria. Relative perfect secrecy: Universally optimal strategies and channel design. In Computer Security Foundations Symposium (CSF), 2016 IEEE 29th, pages 61–76. IEEE, 2016.
[17] Yehuda Lindell and Benny Pinkas. Secure multiparty computation for privacy-preserving data mining. Journal of Privacy and Confidentiality, 1(1):5, 2009.
[18] Pasquale Malacaria. Algebraic foundations for quantitative information flow. Mathematical Structures in Computer Science, 25(02):404–428, 2015.
[19] Frank McSherry and Kunal Talwar. Mechanism design via differential privacy. In Foundations of Computer Science, 2007. FOCS'07. 48th Annual IEEE Symposium on, pages 94–103. IEEE, 2007.
[20] Claudio Orlandi. Is multiparty computation any good in practice? In Acoustics, Speech and Signal Processing (ICASSP), 2011 IEEE International Conference on, pages 5848–5851. IEEE, 2011.
[21] Tal Rabin and Michael Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority. In Proceedings of the twenty-first annual ACM symposium on Theory of computing, pages 73–85. ACM, 1989.
[22] Alfréd Rényi et al. On measures of entropy and information. In Proceedings of the Fourth Berkeley Symposium on Mathematical Statistics and Probability, Volume 1: Contributions to the Theory of Statistics. The Regents of the University of California, 1961.
[23] Adi Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979.
[24] C. E. Shannon. A mathematical theory of communication. Bell System Technical Journal, 27(3):379–423, 1948.
[25] Geoffrey Smith. On the foundations of quantitative information flow. In International Conference on Foundations of Software Science and Computational Structures, pages 288–302. Springer, 2009.
[26] Geoffrey Smith. Quantifying information flow using min-entropy. In Quantitative evaluation of systems (QEST), 2011 eighth international conference on, pages 159–167. IEEE, 2011.
[27] Andrew C. Yao. Protocols for secure computations. In Foundations of Computer Science, 1982. SFCS'08. 23rd Annual Symposium on, pages 160–164. IEEE, 1982.
[28] Andrew Chi-Chih Yao. How to generate and exchange secrets. In