Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Bartering refers to the direct exchange of goods or services for other goods or services [9]. Nowadays, traded goods and services include books, rental cars, apartments, production surpluses, or idle times of employees. The attractiveness of bartering stems from the fact that it does not suffer from shortcomings of currencies such as foreign exchange problems, inflation, liquidity problems of banks, or concentration of economic power.

Today, a large fraction of bartering transactions is carried out via centralized (online) platforms which support their users in finding suitable trade partners. Since bartering involves sensitive personal data (e.g., negotiation ranges), a main objective of prior work [14,15,16] is to replace these central platforms by decentralized privacy-preserving protocols which allow a fixed number of parties to privately barter their commodities thus eliminating the risk that a platform operator may not only learn sensitive personal data but (to some extent) can also control and manipulate which parties eventually trade their commodities.

Specifically, in the considered bartering setting, the privacy-preserving multi-party protocols of [14,15,16] allow each party to specify a quote that includes an offered and a desired commodity along with the corresponding quantity ranges at which a party is willing to trade. The protocols then obliviously detect a trade which consists of disjoint trade cycles (of lengths greater than or equal to two). These trade cycles encode how the parties can exchange their commodities (in a cyclic fashion) such that each one of the trade partners is satisfied with the trade. From participating in such a protocol, a party only learns its local view of a trade, i.e., its direct trade partners and what to exchange with them. Yet a party’s quote remains private at all times.

Besides trade cycles, a trade chain is another exchange structure which is widely studied in the literature (see, e.g., [4, 5]). Specifically, trade chains are of importance when so-called donor parties are considered which are altruistic parties that give their offered commodity away for free (i.e., without receiving another commodity in return). Analogously to a trade cycle, a trade chain indicates how the parties can exchange their commodities, with the difference that the first party in a chain is a donor party and the last party in the trade chain does not have to give away its offered commodity. The analysis of the impact of considering trade chains (instead of considering only trade cycles) in the context of conventional (i.e., non privacy-preserving) bartering is an active field of research (see, e.g., [4, 5]). Recent results show that considering trade chains can lead to a significant increase of the overall number of parties that can trade. However, to the best of our knowledge, to date there is no privacy-preserving bartering protocol yet that was explicitly designed for the detection of trade chains (or a combination of trade chains and trade cycles).

In this paper, we present a first step to close this gap by introducing an efficient bartering protocol that enables the distributed detection of trade chains in a privacy-preserving fashion. Our protocol detects an optimal set of simultaneously executable trade chains so that the number of parties that can trade is maximized while the parties’ quotes are kept private at all times. Furthermore, we formally prove that from participating in our novel protocol, a party only learns its direct trade partners and what to exchange with them. At the core of the protocol is a novel privacy-preserving protocol implementing the cycle canceling algorithm that allows multiple parties to solve the minimum cost flow problem on encrypted flow networks.

2 Preliminaries

Let \(e \leftarrow _{\$}S\) indicate that e is drawn uniformly at random from S and let \(\mathbb {N}_{b} :=\{1,\ldots ,b\}\). For a logical statement B (e.g., \(0 \wedge 1\) or \(5 < 6\)), the Iverson Bracket [B] evaluates to 1 if B is true and to 0 otherwise. The index set of parties \(P_{1},\ldots ,P_{\iota }\) (\(\iota \in \mathbb {N}\)) that participate in a multi-party protocol is defined as \(\mathscr {P}:=\{1\ldots ,\iota \}\).

A directed graph is a graph \(G = (V,E)\) where each edge \((v,w) \in E\) with \(v,w \in V\) is directed from v to w. For a directed graph \(G = (V,E)\), a tuple \((v_1,v_2,\ldots ,v_l)\) with \(v_i \in V\) and \((v_i,v_{i+1}) \in E\) (\(\forall i \in \mathbb {N}_{l-1}\)) is referred to as path (of length l). If additionally \((v_l,v_1) \in E\), tuple \((v_1,v_2,\ldots ,v_l)\) is referred to as cycle (of length l). A (directed) graph \(G = (V,E)\) is often represented by means of an adjacency matrix \(A :=(a_{i,j})_{|V| \times |V|}\) where for all \(i,j \in V\) \(a_{i,j} = 1\) if \((i,j) \in E\) and \(a_{i,j} = 0\) otherwise.

Let \(G = (V,E)\) be a directed graph and let \(h: E \rightarrow S\) be a function that maps each edge \((v,w) \in E\) to a value in S. For convenience, we sometimes encode h as a matrix \(H :=(h_{i,j})_{|V| \times |V|}\) where for all \(i,j \in V\) \(h_{i,j} = h(i,j)\) if \((i,j) \in E\) and \(h_{i,j} = 0\) otherwise.

The following definitions are based on [6] (extended by a cost function) and are essential for the formalizing of our approach for the detection of trade chains.

Definition 1

(Flow Network). A flow network is a directed graph \(G = (V,E)\) with a capacity function \(u: V \times V \rightarrow \mathbb {R}^{\ge 0}\) and a cost function \(c: V \times V \rightarrow \mathbb {R}\) such that \(u(v,w) = c(v,w) :=0\) in case that \((v,w) \notin E\). Furthermore, if \((v,w) \in E\) then \((w,v) \notin E\). A flow network has one so-called source node and one so-called sink node where the source \(s \in V\) has no incoming edges and the sink \(t \in V\) has no outgoing edges.

Definition 2

(Flow). A flow f in a flow network \(G = (V,E)\) with capacity function u(vw) and cost function c(vw) is a function \(f: V \times V \rightarrow \mathbb {R}\) such that \(0 \le f(v,w) \le u(v,w)\) and for all \(w \in V \backslash \{s,t\}\) \(\sum _{v \in V} f(v,w) = \sum _{v \in V} f(w,v)\). The value of a flow f is defined as \(|f| :=\sum _{v \in V} f(s,v)\). A maximum flow f is a flow in G where |f| is maximized. The cost of a flow f is given by \(\sum _{(v,w) \in E} c(v,w){\cdot }f(v,w)\). A minimum cost flow f is a flow with minimized cost.

Definition 3

(Residual Network). Given a flow network \(G = (V,E)\) and a flow f, the residual network \(G_f = (V,E_f)\) with residual capacity \(u_f\) and residual cost \(c_f\) is defined as \(E_f :=\{(v,w) \in V \times V: u_f(v,w) > 0\}\) and

$$\begin{aligned} \small u_f(v,w) :={\left\{ \begin{array}{ll} u(v,w) - f(v,w) &{} \,{if }\, (v,w){\in }E\\ f(w,v) &{} \,{if }\, (w,v){\in }E\\ 0 &{} \,{otherwise} \end{array}\right. },~ c_f(v,w) :={\left\{ \begin{array}{ll} c(v,w) &{}\,{if }\, (v,w){\in }E\\ -c(v,w) &{}\,{if }\, (w,v){\in }E\\ 0 &{}\,{otherwise} \end{array}\right. } \end{aligned}$$

2.1 Paillier Threshold Cryptosystem

Our privacy-preserving bartering protocol for trade chain detection relies on the additively homomorphic Paillier cryptosystem which has been proven to be semantically secure [12]. More precisely, we make use of the \((\tau ,\iota )\) threshold variant of the Paillier cryptosystem from [10] where the private key is distributed among \(\iota \) parties such that at least \(\tau \) parties have to cooperate in order to decrypt a ciphertext. Figure 1 gives a brief overview of the corresponding key generation procedure, the encryption function, and some homomorphic properties. In the remainder of this paper, we omit the public and private key from our notation, define , and represent negative integers by the upper half \([\lceil n/2 \rceil ,\) \(n-1]\) of the plaintext space \(\mathbb {P}\) (cf. Fig. 1). With \(\mathbb {C}\) we denote the corresponding ciphertext space (see Fig. 1). For convenience, we write the encryption of a matrix \(A = (a_{i,j})_{m \times n}\) as and define .

Fig. 1.
figure 1

Overview of the threshold Paillier variant from [10].

Full size image

2.2 Secure Multi-Party Computation

Secure multi-party computation (SMPC) allows a set of \(\iota \) parties to compute an \(\iota \)-input functionality such that each party only learns its prescribed output and what can be deduced from it in combination with its private input—even in the presence of an adversary. In this paper, we consider a semi-honest adversary that corrupts and controls a fixed set of parties following the protocol specifications but trying to learn as much as possible about the inputs of the honest parties.

Let \(\overline{x}:=(x_1,\ldots ,x_{\iota })\) and let be a multi-party functionality where \(P_{\ell }\) (\(\ell \in \mathscr {P}\)) provides input \(x_{\ell }\) and obtains output . Furthermore, let \(\pi \) be an \(\iota \)-party protocol allowing to compute . With \(I :=\{i_1,\ldots ,i_{\kappa }\} \subset \mathscr {P}\) we denote the index set of \(1 \le \kappa < \iota \) corrupted parties controlled by the semi-honest adversary.

Informally, party \(P_{\ell }\)’s view on the execution of a protocol \(\pi \) on input \(\overline{x}\) consists of the messages received during the protocol execution as well as the party’s internal random coin tosses. Let \(\overline{x}_I\) and denote the \(\kappa \)-tuples \((x_{i_1},\ldots ,x_{i_{\kappa }})\) and , respectively. A protocol \(\pi \) is said to securely (i.e., correctly and privately) compute functionality  if there exists a probabilistic polynomial time simulator \( \textsf {S} \) which on input I, \(\overline{x}_I\), and simulates a protocol transcript that is computationally indistinguishable from the view of the corrupted parties resulting from an actual protocol execution. For the sake of clarity, we enclose simulated values with angle brackets \(\langle \cdot \rangle \).

A gate \(\rho \) (resp., a gate functionality ) is a special type of protocol (resp., functionality) which obtains encrypted input and/or returns encrypted output. In general, these ciphertexts come from a higher-level protocol (resp., functionality) and the corresponding plaintext values are not known to any party. We write (resp., \((o) \leftarrow \rho (x)\)) to indicate that all parties provide the same input and obtain the same output.

Fig. 2.
figure 2

Example for transforming a set of quotes \(\mathbf {Q}\) into an exchange network. The source and the sink are represented by square nodes, the offer and the demand of donor parties are represented by diamond nodes, and the offer and the demand of ordinary parties are represented by round nodes. Each edge is annotated with its capacity (above) and its cost (below).

Full size image

3 Overview

3.1 Bartering Related Terminology

We consider multiple parties \(P_{1},\ldots ,P_{\iota }\) where each party specifies one offered and one desired commodity. In particular, given a finite set \(\mathscr {C}\) of commodities \(c_1,\ldots ,c_{|\mathscr {C}|}\), each party \(P_{\ell }\) (\(\ell \in \mathscr {P}\)) specifies one quote \(\mathbf {q}^{(\ell )} :=(\mathbf {o}^{(\ell )},\mathbf {d}^{(\ell )})\) where \(\mathbf {o}^{(\ell )}\) refers to \(P_{\ell }\)’s offer and \(\mathbf {d}^{(\ell )}\) refers to \(P_{\ell }\)’s demand. The offer \(\mathbf {o}^{(\ell )} :=(c_{o}^{(\ell )},\overline{q}_{o}^{(\ell )})\) indicates that \(P_{\ell }\) offers a quantity of at most \(\overline{q}_{o}^{(\ell )} \in \mathbb {N}\) of commodity \(c_{o}^{(\ell )} \in \mathscr {C}\). Similarly, the demand \(\mathbf {d}^{(\ell )} :=(c_{d}^{(\ell )},\underline{q}_{d}^{(\ell )})\) of \(P_{\ell }\) specifies the minimum quantity \(\underline{q}_{d}^{(\ell )}\) at which it desires commodity \(c_{d}^{(\ell )} \in \mathscr {C}\). A quote \(\mathbf {q}^{(\ell )}\) indicates that party \(P_{\ell }\) is willing to give at most \(\overline{q}_{o}^{(\ell )}\) units of commodity \(c_{o}^{(\ell )}\) iff it receives a least \(\underline{q}_{d}^{(\ell )}\) units of commodity \(c_{d}^{(\ell )}\). We distinguish a special type of a party \(P_{\ell }\), called donor party, with quote \(\mathbf {q}^{(\ell )} :=((c_{o}^{(\ell )},\overline{q}_{o}^{(\ell )}),(\lambda ,0))\) that is willing to give away at most \(\overline{q}_{o}^{(\ell )}\) units of commodity \(c_{o}^{(\ell )}\) where symbol \(\lambda \) indicates the absence of \(P_{\ell }\)’s demand. A party \(P_{\ell }\) is referred to as endowed party in case that \(P_{\ell }\) receives a specific quantity of its desired commodity without having to give away anything to another party in return. The quotes \(\mathbf {q}^{(\ell )} = (\cdot ,\mathbf {d}^{(\ell )})\) and \(\mathbf {q}^{(\ell ^{\prime })} = (\mathbf {o}^{(\ell )},\cdot )\) of two parties \(P_{\ell }\) and \(P_{\ell ^{\prime }}\) (\(\ell \ne \ell ^{\prime }\)) are partially compatible iff for \(\mathbf {d}^{(\ell )} = (c_{d}^{(\ell )},\underline{q}_{d}^{(\ell )})\) and \(\mathbf {o}^{(\ell ^{\prime })} = (c_{o}^{(\ell ^{\prime })},\overline{q}_{o}^{(\ell ^{\prime })})\) it holds that \([(c_{d}^{(\ell )} = c_{o}^{(\ell ^{\prime })}) \wedge (\underline{q}_{d}^{(\ell )} \le \overline{q}_{o}^{(\ell ^{\prime })})] = 1\). The set of quotes of all parties \(P_{1},\ldots ,P_{\iota }\) is denoted as \(\mathbf {Q}:=\{\mathbf {q}^{(1)},\ldots ,\mathbf {q}^{(\iota )}\}\).

Definition 4

(Trade Chain). For parties \(P_{1},\ldots ,P_{\iota }\) and their corresponding set of quotes \(\mathbf {Q}\), a trade chain of length m is a tuple \((P_{\ell _1},P_{\ell _2},\ldots ,P_{\ell _m})\) (with \(\ell _i \ne \ell _j\) for \(i \ne j\)) such that \(\mathbf {q}^{(\ell _1)} = (\mathbf {o}^{(\ell _1)},(\lambda ,0))\) and \(\mathbf {q}^{(\ell _2)} = (\cdot ,\mathbf {d}^{(\ell _2)})\) as well as \(\mathbf {q}^{(\ell _i)} = (\mathbf {o}^{(\ell _i)},\cdot )\) and \(\mathbf {q}^{(\ell _{i+1})} = (\cdot ,\mathbf {d}^{(\ell _{i+1})})\) are partially compatible \((i = 2,\ldots ,\)\(m-1)\). Two trade chains are called disjoint and are simultaneously executable in case they have no parties in common.

3.2 Approach

The goal of this work is to design an efficient privacy-preserving bartering protocol to determine an optimal set of disjoint trade chains (that when executed simultaneously maximize the number of parties that can trade). Our approach is to first transform the parties’ private quotes into a special type of flow network, referred to as exchange network (see Fig. 2).

Definition 5

(Exchange Network). For a given set of \(\iota \) parties \(\mathscr {P}\) and the corresponding set of quotes \(\mathbf {Q}\), an exchange network is a flow network \(G^{\text {EN}}= (V,E)\) with two nodes \(d_{\ell }, o_{\ell } \in V\) for each party \(P_{\ell }\) \((\ell \in \mathscr {P})\) representing its demand and offer. Furthermore, \((d_{\ell },o_{\ell }) \in E\) with \(u(d_{\ell }, o_{\ell }) :=1\) and \(c(d_{\ell }, o_{\ell }) :=-1\) as well as \((o_{\ell },d_{\ell ^{\prime }}) \in E\) with \(u(o_{\ell },d_{\ell ^{\prime }}) :=1\) and \(c(o_{\ell },d_{\ell ^{\prime }}) :=0\) in case that \(\mathbf {q}^{(\ell )} = (\mathbf {o}^{(\ell )},\cdot )\) and \(\mathbf {q}^{(\ell ^{\prime })} = (\cdot ,\mathbf {d}^{(\ell ^{\prime })})\) are partially compatible \((\ell ,\ell ^{\prime }\in \mathscr {P})\). In addition, \(G^{\text {EN}}\) has a source and a sink node \(s,t \in V\) where \((s,d_{\ell }) \in E\) iff \(\mathbf {q}^{(\ell )} = (\cdot ,(\lambda ,0))\) with \(u(s,d_{\ell }) :=1\) and \(c(s,d_{\ell }) :=0\) as well as \((o_{\ell },t)\) with \(u(o_{\ell },t) :=1\) and \(c(o_{\ell },t) :=0\) \((\forall o_{\ell } \in V)\). \(G^{\text {EN}}\sim \mathbf {Q}\) indicates that \(G^{\text {EN}}\) is deduced from \(\mathbf {Q}\).

A maximum flow of minimum cost f in \(G^{\text {EN}}= (V,E)\) encodes an optimal set of disjoint trade chains for \(P_{1},\ldots ,P_{\ell }\) where an edge \((o_{\ell },d_{\ell ^{\prime }}) \in E\) with \(f(o_{\ell },d_{\ell ^{\prime }}) = 1\) indicates that a party \(P_{\ell }\) has to give away some specific amount (to be negotiated after all parties learned their trade partners) of its offered commodity to party \(P_{\ell ^{\prime }}\) (\(\ell ,\ell ^{\prime }\in \mathscr {P}\)). A sequence S of edges \((s,d_{\ell _1}),(d_{\ell _1},o_{\ell _2}),\ldots ,(o_{\ell _m},t)\) in \(G^{\text {EN}}\) with \(f(v,w) = 1\) (\(\forall (v,w)\in S\)) encodes a single trade chain corresponding to \((P_{\ell _1},P_{\ell _2},\ldots ,P_{\ell _m})\) where \(\ell _1,\ell _2,\ldots ,\ell _m \in \mathscr {P}\). This correlation is due to the construction of an exchange network: Each party \(P_{\ell }\) is represented by two nodes in \(G^{\text {EN}}\) (with an edge of capacity 1 in between) where one node is associated with \(P_{\ell }\)’s demand and the second node is associated with \(P_{\ell }\)’s offer.Footnote 1 This ensures that there is at most a flow of 1 “through” each party enforcing that each party is involved in at most one trade chain. There are directed edges of capacity 1 between the source node and the demand nodes of all donor parties to ensure that each trade chain is initiated by a donor party. Furthermore, there are directed edges of capacity 1 between the sink node and the offer nodes of all parties so that in principle each party can become the end of a trade chain. Our cost encoding is motivated by the fact that for each additional party that is added to a trade chain, the cost of the flow is decreased by one such that determining a maximum flow of minimum cost f in \(G^{\text {EN}}\) is analogous to determining a set of disjoint trade chains maximizing the number of parties that can trade.

The problem of computing a (maximum) flow of minimum cost is known as the minimum cost flow problem (for a maximum flow).

Definition 6

(Minimum Cost Flow Problem). Given a flow network \(G = (V,E)\), a capacity function u, a cost function c, and a maximum flow f in G, the minimum cost flow problem is to find a flow \(f'\) of minimum cost with \(|f| = |f'|\).

One direct and efficient approach for solving the minimum cost flow problem (for a maximum flow) is to use the cycle canceling algorithm [11] (cf. Algorithm 1). This algorithm takes a flow network \(G = (V,E)\), a capacity function u, as well as a cost function c as input and first computes a (maximum) flow f in G. Then, it iteratively eliminates directed cycles with negative cost (i.e., cycles for which the sum of the costs associated with its edges is negative) in the residual network arising from G (together with u and c) and f. To this end, the flow along the negative cost cycle is augmented by the minimum value of the residual capacities of the edges belonging to the cycle. This operation does not change |f|. The algorithm terminates once all negative cost cycles are eliminated. According to the negative cycle optimality condition [2], this approach allows the computation of a maximum flow with minimum cost.

figure a

The maximum flow f in G (Step 1, Algorithm 1) can be computed by using the push-relabel algorithm (see, e.g., [6]). A negative cost cycle (Steps 5 and 10, Algorithm 1) can be computed by an extension of the Bellman-Ford algorithm (see, e.g., [6]) that not only determines whether a negative cost cycle exists but also computes the edges belonging to such a cycle. After computing the negative cost cycle N, the minimum residual capacity \(u^*\) in the cycle is determined and the flow is augmented accordingly (Step 8, Algorithm 1).

At the core of our novel privacy-preserving bartering protocol for the detection of an optimal set of disjoint trade chains (Sect. 5) is a newly developed privacy-preserving implementation of the cycle canceling algorithm.

4 Gates

In the following, we review gates secure against semi-honest adversaries which are used as building blocks for our novel privacy-preserving bartering protocol.

4.1 Secure Basic Operations

Definition 7

( ). Let \(P_{1},\ldots ,P_{\iota }\) hold ciphertexts and . Then, gate functionality  is given by .

A gate \(\rho _{\text {Mult}}\) implementing  for the semi-honest model can be derived from the multiplication gate presented in [7, 8] which has communication and round complexities in and , respectively, where \(k\) refers to the security parameter of the Paillier cryptosystem.

Definition 8

( ). Let \(P_{1},\ldots ,P_{\iota }\) hold ciphertexts and . Then, gate functionality  is given by with \(b :=[x < y]\).

A gate \(\rho _{\text {LT}}\) implementing  for the semi-honest model has been presented in [13]. This gate has communication and round complexities in  and , respectively. Based on gate \(\rho _{\text {LT}}\) it is straight-forward to derive the corresponding greater than (GT), less than or equal (LTE), greater than or equal (GTE), and equality test (ET) variants as sketched, e.g., in [13].

4.2 Secure Negative Cost Cycle Computation

We use an adaptation of the Bellman-Ford algorithm (see, e.g., [6]) for the computation of negative cost cycles in exchange networks.

In general, the Bellman-Ford algorithm can be used to solve the single-source shortest-paths problem on a weighted directed graph \(G = (V,E)\) for a given source node \(s \in G\) where the weights of the edges are defined by a cost function \(c: E \rightarrow \mathbb {R}\) (cf. [6]). The single-source shortest-paths problem is to find a shortest path (i.e., the path with the lowest cost) from the source node to all other nodes in G. Since the Bellman-Ford algorithm supports negative edge costs, there can be negative cost cycles in G implying that no shortest path can be found. In this case, the Bellman-Ford algorithm indicates that no solution exists. Otherwise, the algorithm provides a solution to the single-source shortest-paths problem. In particular, the Bellman-Ford algorithm iterates |V| times over all edges \((v,w) \in E\) and for each node maintains the current lowest cost from the source node as well as the associated predecessor node. In case that the current solution can still be improved in the |V|-th iteration step, then G contains at least one negative cost cycle. Since we are not only interested in learning whether a negative cost cycle exists in G but also have to determine the edges of a negative cost cycle, the Bellman-Ford algorithm has to be slightly adapted such that, e.g., the node for which the last cost update is obtained is used in combination with the currently stored predecessors for all nodes to find the nodes of the negative cost cycle that induced the last cost update.

Definition 9

( ). Let \(P_{1},\ldots ,P_{\iota }\) hold the encrypted adjacency matrix of a directed graph \(G = (V,E)\) and the encrypted cost matrix encoding the cost function of G. The index of the source node s of G is publicly known. Then, gate functionality  is given by where is an encrypted adjacency matrix encoding a negative cost cycle in G.

In [3], a secure protocol implementing the Bellman-Ford algorithm is proposed. It is straight-forward to modify this protocol to additionally extract the encrypted adjacency matrix encoding a negative cost cycle in G. The communication and round complexities of the adapted protocol from [3] are in and where \(k\) refers to the security parameter of the Paillier cryptosystem.

5 Protocol

In this section, we now present our novel privacy-preserving bartering protocol for the detection of trade chains.

Definition 10

( ). Let \(P_{\ell }\) hold private input \(\mathbf {q}^{(\ell )}\) \((\forall \ell \in \mathscr {P})\). Then, protocol functionality  is given by where \(T^{(\ell )} :=(T^{(\ell )}_{ \textsf {send} },T^{(\ell )}_{ \textsf {rec} })\) refers to the indices of \(P_{\ell }\)’s direct trade partners w.r.t. the detected trade chains derived from a maximum flow \(f^*\) with minimum cost in \(G^{\text {EN}}\sim \mathbf {Q}:=\{\mathbf {q}^{(1)},\ldots ,\mathbf {q}^{(\iota )}\}\) where \(f^*\) is chosen uniformly at random from all maximum flows of minimum cost in \(G^{\text {EN}}\).

5.1 Intuition

Intuitively, our novel protocol \(\pi _{\text {OTCD}}\) (securely implementing functionality in the semi-honest model) can be divided into four phases (see Algorithm 2). In the first phase, the parties compute the encrypted capacity matrix  and the cost matrix , encoding the capacity function and the cost function of the private exchange network \(G^{\text {EN}}= (V,E) \sim \mathbf {Q}\). These matrices are computed in an oblivious fashion such that no party learns any information about the quote of another party. In the second phase, a maximum flow f (not necessarily having minimum cost) is computed in an oblivious fashion where the result is encoded in an encrypted matrix . Based on , the encrypted capacity matrix of the residual network of \(G^{\text {EN}}\) is computed in an oblivious fashion. The third phase uses gate \(\rho _{\text {NCC}}\) (see Sect. 4) to iteratively find a negative cost cycle (where in \(\rho _{\text {NCC}}\) the order of the edges to be processed is chosen uniformly at random) in the current residual network of \(G^{\text {EN}}\) in a privacy-preserving fashion. In order to eliminate the negative cost cycles, the flow as well as the residual capacities are updated by performing homomorphic operations on and . At the end of the third phase, a maximum flow \(f^*\) with minimum cost is encoded by means of  (which in turn represents an optimal set of trade chains). In the fourth phase, the parties jointly extract the identifiers \(T^{(\ell )}_{ \textsf {send} }\), \(T^{(\ell )}_{ \textsf {rec} }\) of the trade partners of each party \(P_{\ell }\) from such that a party only learns its own trade partners as prescribed by Definition 10. The identifiers indicate that party \(P_{\ell }\) has to give away some quantity of its offered commodity to party \(P_{T^{(\ell )}_{ \textsf {send} }}\) (receiver) and is to receive some quantity of its desired commodity from party \(P_{T^{(\ell )}_{ \textsf {rec} }}\) (sender). An identifier of value 0 is used to indicate that a sender (resp., receiver) does not exist. For example, \(T^{(\ell )}_{ \textsf {rec} } = 0\) for a donor party \(P_{\ell }\) and \(T^{(\ell ^{\prime })}_{ \textsf {send} } = T^{(\ell ^{\prime })}_{ \textsf {rec} } = 0\) for a party \(P_{\ell ^{\prime }}\) that is not part of a trade chain.

The main challenge of designing a protocol that securely implements functionality  is to keep the parties’ quotes \(\mathbf {Q}\) (and with that the structure of the resulting exchange network \(G^{\text {EN}}\sim \mathbf {Q}\)) private. Consequently, it is necessary to design a data oblivious protocol (i.e., the protocol flow is independent of the parties private input) that provides individualized output (i.e., each party only learns its local view of the detected trade chains). Algorithm 1 (see Sect. 3.2) is not data oblivious because the while loop in the main phase terminates once there are no further negative cost cycles. Furthermore, it cannot be used to provide individualized output as it is designed to operate on a public flow network. By fixing the number of iterations for finding negative cost cycles to \(|\iota |\), we ensure that all negative cost cycles are found while the protocol flow becomes data oblivious. In case that there are no further negative cost cycles, our protocol obliviously operates on encrypted dummy cycles that do not influence the already computed encrypted maximum flow of minimum cost. Finally, we adopt a technique from [16] to extract the local view of each party from the computed optimal set of trade chains represented by the encrypted maximum flow of minimum cost.

figure b

5.2 Protocol Description

In the following, we present the details of protocol \(\pi _{\text {OTCD}}\). For convenience, we associate the \(2\ell \)-th and the \((2\ell +1)\)-th row (resp., column) of the encrypted adjacency matrices used for the protocol specification of \(\pi _{\text {OTCD}}\) with node \(d_{\ell }\) and node \(o_{\ell }\) of \(G^{\text {EN}}\) (\(\forall \ell \in \mathscr {P}\)), respectively. The first and the last row (resp., column) are associated with the source node s and the sink node t, respectively.

1. Exchange Network Construction Phase: The purpose of the first phase is to compute the encrypted matrices with \(|V| = 2\iota +2\) in an oblivious fashion. These matrices encode the capacity and the cost function of the exchange network \(G^{\text {EN}}= (V,E)\) resulting from the parties’ private input quotes \(\mathbf {Q}\) (see Definition 5) and represent \(G^{\text {EN}}\sim \mathbf {Q}\).

First, \(P_{1}\) initializes the entries at position \((2\ell ,2\ell + 1)\) of the matrices  and  which encode the directed edge from nodes \(d_{\ell }\) to \(o_{\ell }\) representing the demand and offer of party \(P_{\ell }\) (\(\forall \ell \in \mathscr {P}\)). In particular, \(P_{1}\) sets these entries in  to and in  to . Additionally, the entries representing the corresponding reverse edges from \(o_{\ell }\) to \(d_{\ell }\) (which are not in \(G^{\text {EN}}\) but may exist in the residual network) are set to for later use. Furthermore, party \(P_{1}\) sets the capacity of the edges from each node \(o_{\ell }\) (\(\forall \ell \in \mathscr {P}\)) to the sink node t appropriately by . All other entries of and are set to before they are broadcasted by \(P_{1}\) (see Steps 1–6, Algorithm 2). Subsequently, all parties obliviously determine the donor parties and update the capacities of the edges between the source node and the demand nodes of the donor parties in to . Finally, for all pairs of parties \((P_{\ell },P_{\ell ^{\prime }})\) with \(\ell ,\ell ^{\prime }\in \mathscr {P}\) it is obliviously checked whether \(\mathbf {q}^{(\ell )} = (\mathbf {o}^{(\ell )},\cdot )\) and \(\mathbf {q}^{(\ell ^{\prime })} = (\cdot , \mathbf {d}^{(\ell ^{\prime })})\) are partially compatible. If this is the case, the encrypted capacity matrix is obliviously updated by setting (see Steps 7–10, Algorithm 2).

2. Flow Initialization Phase: The purpose of the second phase is to obliviously compute a maximum flow f in \(G^{\text {EN}}\) which is encoded by the encrypted matrix . Based on , the residual capacities of \(G^{\text {EN}}\) are initialized and encoded by the encrypted matrix . Instead of using a (privacy-preserving) variant of the push-relabel algorithm for computing a maximum flow in \(G^{\text {EN}}\)(see Sect. 3.2), we follow a more efficient approach that exploits \(G^{\text {EN}}\)’s particular structure: A flow of value 1 is sent from source node s to each demand node associated with a donor party. Then, the flow continues on to the corresponding offer node of the donor party and from there on directly to the sink node t. Note that such a flow is maximal since the maximum flow in \(G^{\text {EN}}\) is upper bounded by the number of donor parties. Furthermore, from the construction of an exchange network (see Definition 5) it follows that there always is such a flow in \(G^{\text {EN}}\). In protocol \(\pi _{\text {OTCD}}\), party \(P_{1}\) obliviously determines this flow locally by setting (\(\forall \ell \in \mathscr {P}\)). In Steps 15–18 of Algorithm 2, the parties jointly compute the entries of based on and . More precisely, in Step 16 it is obliviously checked whether or not there is a flow between two nodes vw (\(\forall v,w \in V\), \(v \ne w\)). Based on the result, is obliviously updated according to Definition 3 (see Steps 17–18).

3. Cycle Canceling Phase: In the conventional cycle canceling algorithm (see Algorithm 1), the while loop in the main phase is executed until all negative cost cycles are eliminated. In order to leak no information on the structure of the private exchange network \(G^{\text {EN}}\), protocol \(\pi _{\text {OTCD}}\) has to be data oblivious and thus the number of searches for negative cost cycles has to correspond to the upper bound of necessary searches (to eliminate all negative cost cycles) which is equal to \(\iota :=|\mathscr {P}|\) (see Theorem 1).

At the beginning of each iteration of the cycle canceling phase (see Step 20, Algorithm 2) gate \(\rho _{\text {NCC}}\) is used to obliviously compute a negative cost cycle in the residual network of \(G^{\text {EN}}\). In gate \(\rho _{\text {NCC}}\), the order of the edges to be processed is chosen uniformly at random. First, assume that such a cycle exists. This cycle is encoded by the encrypted matrix which constitutes the output of gate \(\rho _{\text {NCC}}\). In Steps 21–25, for each edge \((v,w) \in E\) that is part of the determined negative cost cycle, the flow is obliviously updated in the following way: In case that the edge under consideration is part of the exchange network, the corresponding entry in is obliviously incremented by one (see Step 24, Algorithm 2). Otherwise, the edge results from a residual flow over (wv) and thus entry is obliviously decreased by one (see Step 25, Algorithm 2). Based on the updated flow , in Steps 26–29, the residual capacities are updated analogously to the flow initialization phase.

In case that there is no (further) negative cost cycle before the end of the \(\iota \)-th iteration, then all entries of correspond to a fresh encryption of 0 and thus the privacy-preserving computations performed on and are just re-randomizations of the existing encrypted entries. Consequently, in each iteration of the cycle canceling phase it is kept private whether a (further) negative cost cycle exists.

4. Output Extraction Phase: At the end of the cycle canceling phase, the encrypted matrix encodes a maximum flow of minimum cost in \(G^{\text {EN}}\) that in turn represents an optimal set of trade chains for the participating parties. The purpose of the output extraction phase is to extract the parties’ local views w.r.t. the computed trade chains from . In particular, party \(P_{\ell }\) (\(\forall \ell \in \mathscr {P}\)) locally computes the encryption of \(T^{(\ell )}_{ \textsf {send} }\) (resp., \(T^{(\ell )}_{ \textsf {rec} }\)) as the homomorphic sum of the \(\ell \)-th row (resp., \(\ell \)-th column) where each encrypted entry is multiplied with the corresponding column (resp., row) index by using the homomorphic scalar multiplication operation of the underlying cryptosystem (see Step 32, Algorithm 2). Party \(P_{\ell }\) broadcasts the resulting encrypted values and which are jointly decrypted by all parties in such a way that only \(P_{\ell }\) learns the indices of its direct trade partners.

Complexity. The complexity of the exchange network construction phase is dominated by the calls of gates \(\rho _{\text {ET}}\), \(\rho _{\text {GTE}}\), and \(\rho _{\text {Mult}}\) (see Steps 8–10, Algorithm 2). The flow initialization phase has the same communication and round complexity which results from the iteration over all pairs of nodes in \(G^{\text {EN}}\) in order to compute the residual capacities (see Steps 15–18). The \(\iota \) executions of gate \(\rho _{\text {NCC}}\) dominate the cycle canceling phase since the communication complexity (resp., round complexity) of protocol \(\rho _{\text {NCC}}\) is in (resp., ). Finally, the output extraction phase has a communication complexity (resp., round complexity) in (resp., in ). The overall complexity of protocol \(\pi _{\text {OTCD}}\) is dominated by the cycle canceling phase, i.e., the communication complexity (resp., round complexity) of \(\pi _{\text {OTCD}}\) is in (resp., in ).

Theorem 1

Let party \(P_{\ell }\) hold private input \(\mathbf {q}^{(\ell )}\) \((\forall \ell \in \mathscr {P})\). Then, protocol \(\pi _{\text {OTCD}}\) securely computes functionality  in the semi-honest model.

Proof

Correctness (sketch): In the following, we show that on input \(\mathbf {Q}= \{\mathbf {q}^{(1)}, \ldots ,\mathbf {q}^{(\ell )}\}\), protocol \(\pi _{\text {OTCD}}\) computes functionality  (see Definition 10).

In the exchange network construction phase, \(\mathbf {Q}\) is obliviously transformed into an exchange network \(G^{\text {EN}}\sim \mathbf {Q}\) represented by the encrypted matrices  and . These matrices are constructed according to Definition 5 based on local as well as distributed computations on the parties’ private input quotes.

In the flow initialization phase, an initial maximum flow (not necessarily with minimum cost) from the source node through the donors’ demand and offer nodes to the sink node is computed locally by party \(P_{1}\). This flow (with a flow value equal to the number of donor parties) always exists due to the construction of an exchange network (see Definition 5). This flow is also maximal since each edge (with capacity 1) leaving the source node is incident to a donor’s demand node. The capacity of the residual network of \(G^{\text {EN}}\) w.r.t. to the initial flow is computed according to Definition 3 (the cost function of the residual network was already set during the exchange network construction phase).

The correctness of the cycle canceling phase can be reduced to the correctness of Algorithm 1 and the correctness of gate \(\rho _{\text {NCC}}\). This phase essentially implements Steps 5–10 of Algorithm 1 in a privacy-preserving fashion. After determining a negative cost cycle in the current residual network of \(G^{\text {EN}}\) by using gate \(\rho _{\text {NCC}}\), the flow along the negative cost cycle is augmented by 1 and the residual network is updated accordingly. Unlike Algorithm 1, the number of iterations of the while loop (see Step 6, Algorithm 1) in Algorithm 2 is fixed to \(\iota \) in order to achieve data obliviousness. First, it is important to note that \(\iota \) iterations are sufficient to eliminate all negative cost cycles because there are \(\iota \) edges with negative costs in \(G^{\text {EN}}\) and in each iteration the flow along at least one edge with negative cost is increased by 1. Furthermore, in case that there are no negative cost cycles before the last iteration of the loop has terminated, the encrypted adjacency matrix (see Step 20, Algorithm 2) merely consists of fresh encryptions of 0 and the maximum flow of minimum cost in \(G^{\text {EN}}\) that is already computed and encoded by is not modified by the operations performed in Steps 21–29 of Algorithm 2.

The last phase of protocol \(\pi _{\text {OTCD}}\) extracts each party’s trade partners from which encodes an optimal set of trade chains. In Step 32 of Algorithm 2, (resp., ) corresponds to the encryption of index 2i (resp., index \(2i +1\)) of the \((2\ell +1)\)-th row (resp., \(2\ell \)-th column) where (resp., ). From the computation of it follows that \(T^{(\ell )} = (T^{(\ell )}_{ \textsf {send} },T^{(\ell )}_{ \textsf {rec} })\) provides party \(P_{\ell }\) (\(\forall \ell \in \mathscr {P}\)) with the indices of its trade partners w.r.t. the computed optimal set of trade chains.

Privacy (sketch): In the following, we describe a simulator \( \textsf {S} \) which, given \(\mathbf {q}^{(i_1)},\ldots ,\mathbf {q}^{(i_{\kappa })}\) and \((T^{(i_1)}_{ \textsf {send} },T^{(i_1)}_{ \textsf {rec} }),\ldots ,(T^{(i_{\kappa })}_{ \textsf {send} },T^{(i_{\kappa })}_{ \textsf {rec} })\), simulates the view of the corrupted parties \(P_{i_1},\ldots ,P_{i_{\kappa }}\) (\(I :=\{i_1,\ldots ,i_{\kappa }\} \subset \mathscr {P}\)) that are controlled by a semi-honest adversary.

The initialization of and which is computed and broadcasted by \(P_{1}\) in Steps 1–6 (Algorithm 2) can be computed in the same way by \( \textsf {S} \). The following steps of the exchange network construction phase are simulated by using the subsimulators of \(\rho _{\text {ET}}\), \(\rho _{\text {GTE}}\), and \(\rho _{\text {Mult}}\) and by setting , , , and . The flow initialization phase can be simulated analogously to the first phase of protocol \(\pi _{\text {OTCD}}\). In order to simulate the \(\iota \) iterations of the cycle canceling phase, \( \textsf {S} \) uses the subsimulator of \(\rho _{\text {NCC}}\) and sets . The remaining steps can be simulated in the same way as described for the exchange network construction phase. The broadcasts sent in the output extraction phase (see Step 33, Algorithm 2) are simulated as and , respectively. The output of the individual decryption operations is simulated based on the corrupted parties’ protocol output which is given to \( \textsf {S} \) as input.

6 Related Work and Discussion

To the best of our knowledge, in the literature there are only privacy-preserving multi-party protocols that allow the detection of trade cycles:

The authors of [15] propose a privacy-preserving bartering protocol (secure in the semi-honest model) by means of which multiple parties can compute a set of trade cycles based on their private input quotes. In this protocol, the parties’ private quotes are transformed into logical formulae which are evaluated in an oblivious fashion. From participating in the protocol, a party only learns its direct trade partners. The protocol in [15] has two interesting features: First, it allows to put arbitrary restrictions on the lengths of the trade cycles to be detected. Depending on the bartering context an upper bound on the trade cycle lengths is essential in order to reduce the impact of a dropout and to facilitate simultaneous exchanges preventing that a party gives away its offered commodity but does not receive its desired commodity in return (cf. [1, 4]). Second, the protocol supports the integration of arbitrary selection strategies for the detection of trade cycles (e.g., a strategy that maximizes the number of parties that can trade their commodities). However, the complexity of the protocol can grow exponentially in the number of participating parties which is inevitable as soon as a restriction on the trade cycle length (greater than 2) is supported because the underlying decision problem is NP-complete [1].

Another privacy-preserving bartering protocol for the detection of trade cycles has been presented in [16]. This protocol follows a completely different approach compared to the protocol from [15]. The parties’ private quotes are transformed into a private weighted bipartite graph. At the core of the protocol is a privacy-preserving variant of the Hungarian algorithm which is used to obliviously compute a maximum weight matching in the weighted bipartite graph which encodes an optimal set of trade cycles maximizing the number of parties that can trade. The communication and the round complexities of this protocol are in and , respectively. A restriction of the trade cycle lengths is not supported and thus the number of applications is limited.

In contrast to trade cycles, there is no need to restrict the length of trade chains in order to prevent that a party gives away its offered commodity without receiving its desired commodity: By conducting the trades in the order specified by a trade chain (starting with the donor party), in the worst case the trade chain is just aborted prematurely. Obviously, it is possible to reduce the problem of the privacy-preserving detection of trade chains to the privacy-preserving detection of trade cycles by setting the demand of a donor party to a dummy entry that matches with all offers. Then, it is straight-forward to use the protocol from [16] for the privacy-preserving detection of trade chains in time polynomial in the number of participating parties. However, using our novel direct approach (see Sect. 5) it is possible to reduce the communication complexity (resp., the round complexity) from (resp., ) to (resp., ). Based on these theoretical results, we expect that our novel protocol yields a significant performance improvement over the existing (more general) protocols for the privacy-preserving detection of trade chains.