
European Journal of Operational Research 208 (2011) 75–85


Production, Manufacturing and Logistics

Secure collaborative supply chain planning and inverse optimization – The JELS model

Richard Pibernik a,b, Yingying Zhang a,*, Florian Kerschbaum c, Axel Schröpfer c

a Supply Chain Management Institute, EBS Business School, Soehnleinstrasse 8F, 65201 Wiesbaden, Germany
b MIT-Zaragoza International Logistics Program, Zaragoza Logistics Center, C/Bari 55 – PLAZA, 50197 Zaragoza, Spain
c SAP Research CEC Karlsruhe, Vincenz-Priessnitz-Strasse 1, 76131 Karlsruhe, Germany


Article history: Received 27 March 2010; Accepted 17 August 2010; Available online 21 August 2010

Keywords: Supply chain management; Collaboration; Secure multi-party computation; Information sharing

0377-2217/$ - see front matter © 2010 Elsevier B.V. All rights reserved. doi:10.1016/j.ejor.2010.08.018

* Corresponding author. Tel.: +49 611 360 18 800; fax: +49 611 360 18 802. E-mail address: [email protected] (Y. Zhang).

It is a well-acknowledged fact that collaboration between different members of a supply chain yields a significant potential to increase overall supply chain performance. Sharing private information has been identified as a prerequisite for collaboration and, at the same time, as one of its major obstacles. One potential avenue for overcoming this obstacle is Secure Multi-Party Computation (SMC). SMC is a cryptographic technique that enables the computation of any (well-defined) mathematical function by a number of parties without any party having to disclose its input to another party. In this paper, we show how SMC can be successfully employed to enable joint decision-making and benefit sharing in a simple supply chain setting. We develop secure protocols for implementing the well-known "Joint Economic Lot Size (JELS) Model" with benefit sharing in such a way that none of the parties involved has to disclose any private (cost and capacity) data. Thereupon, we show that although computation of the model's outputs can be performed securely, the approach still faces practical limitations. These limitations are caused by the potential of "inverse optimization", i.e., a party can infer another party's private data from the output of a collaborative planning scheme even if the computation is performed in a secure fashion. We provide a detailed analysis of "inverse optimization" potentials and introduce the notion of "stochastic security", a novel approach to assess the additional information a party may learn from joint computation and benefit sharing. Based on our definition of "stochastic security" we propose a stochastic benefit sharing rule, develop a secure protocol for this benefit sharing rule, and assess under which conditions stochastic benefit sharing can guarantee secure collaboration.

© 2010 Elsevier B.V. All rights reserved.

1. Introduction

It is a well-acknowledged fact that collaboration between different members of a supply chain yields a significant potential to increase overall supply chain performance. The benefits of collaborative supply chain planning, such as reducing overall supply chain costs and increasing service levels, have been highlighted in many theoretical and empirical studies (e.g. Vereecke and Muylle, 2006). In a general sense, supply chain collaboration (SCC) can be defined as a joint decision making process for aligning plans of individual supply chain members with the aim of achieving coordination under information asymmetry (Stadtler, 2009). Due to the prevalence of information asymmetry, information sharing is a prerequisite for any collaborative planning approach. Individual members of the supply chain dispose of relevant (private) data regarding their own operations (e.g. cost and capacity data, inventory levels, demand forecasts) that need to be exchanged in order to enable joint decision-making. To align inventory decisions or synchronize production plans, for example, companies need to share information such as on-hand inventory and cost/capacity data related to manufacturing and warehousing. There is, however, substantial evidence that information sharing (as a prerequisite for SCC) constitutes the most significant obstacle for implementation of SCC. Jap (1999), for example, states the following: "Along with the possibility of extraordinary outcomes, close collaborations also may bear significant risks. The process of creating strategic advantages requires sharing of sensitive cost and process information [...]. This can reduce bargaining power and increase exposure to opportunism." Stadtler (2009), in a similar vein, indicates that companies may not want to weaken their future bargaining power by disclosing sensitive data. He argues, for example, that a supplier would not want to disclose slack capacities because he runs the risk that the buyer will ask for price reductions (Stadtler, 2009). Lee and Whang (2000) observe that members of the supply chain are especially reluctant to share cost data because of the potential threat that their customers will take advantage of this information to enforce lower prices in future negotiations. Extensive empirical evidence for the reluctance towards information sharing in the supply chain is provided by Fawcett et al. (2004) and Bagchi and Skjoett-Larsen (2005). Viswanathan et al. (2007) identify this reluctance as the main reason for a lack of success of SCC.

In any conventional form of SCC, these problems cannot be overcome. If members of the supply chain are indeed not willing to share information other than what is considered uncritical (e.g. demand forecasts), SCC will not be put into practice. One possible avenue to overcome these barriers is the application of Secure Multi-Party Computation (SMC) to collaborative planning in the supply chain. SMC is a cryptographic technique that allows for computation of any (well-defined) mathematical function by a number of parties without any party having to disclose its input to another party. Each party's input remains private to that party, but the result can be made available to all, or only to a subset, of the other parties.¹ Consider the following simple example to illustrate the basic idea of SMC (Schneier, 1996): Alice, Bob and Charlie each have a number $x_A$, $x_B$ and $x_C$ as (private) input and want to compute $x = x_A + x_B + x_C$. However, they do not want to disclose their private data to each other. Alice chooses a random number $r$ and privately sends $r + x_A$ to Bob. Bob adds his input and privately sends $r + x_A + x_B$ to Charlie. Charlie does the same with his input and sends $r + x_A + x_B + x_C$ back to Alice. Alice recalls $r$, subtracts it from the received value $r + x_A + x_B + x_C$ and announces $x = x_A + x_B + x_C$. Observing the messages exchanged between Alice, Bob and Charlie, it is easy to see that none of them learns the input of the other parties, e.g. Bob is blinded by the random choice $r$ of Alice, and Alice does not get to see the message (including $r + x_A + x_B$) sent by Bob to Charlie. Cryptography research has proven that there exists such a protocol for any well-defined function $\varphi(x_A, x_B, \ldots)$ for any (finite) number of parties (Yao, 1986; Goldreich, 2002). It is important to note that SMC does not rely on a (trusted) third party to perform computations and ensure data privacy, but is based on decentralized computation implemented through so-called secure protocols.
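The ring protocol just described, as an added example that is not part of the original paper: a Python simulation in which the parties are the keys of a dictionary, the first party plays Alice and draws the blinding value $r$, and every relayed message is recorded so that each party's view can be inspected. The modular arithmetic (the constant M) and all function names are assumptions made here, not the paper's.

```python
import secrets

# Added example (not from the paper): the Alice -> Bob -> Charlie -> Alice sum
# from the text. Working modulo M is an addition made here: with r uniform in
# Z_M every relayed message is uniformly distributed and so reveals nothing
# about the inputs folded into it.
M = 2 ** 64


def secure_ring_sum(inputs, modulus=M, rng=secrets.randbelow):
    """Run the ring protocol for a dict {party: private value}.

    The first party acts as Alice (chooses the blinding value r and announces
    the result). Returns (result, transcript); the transcript holds every
    message as (sender, receiver, value) so each party's view can be inspected.
    """
    names = list(inputs)
    if len(names) < 3:
        # With two parties the other input follows from the result and one's
        # own input, whatever the protocol does (cf. footnote 3 of the paper).
        raise ValueError("need at least three parties")
    initiator = names[0]
    r = rng(modulus)                                  # known only to the initiator
    transcript = []
    running = (r + inputs[initiator]) % modulus       # Alice sends r + x_A
    for sender, receiver in zip(names, names[1:] + [initiator]):
        if sender != initiator:
            running = (running + inputs[sender]) % modulus   # add own input, forward
        transcript.append((sender, receiver, running))
    result = (running - r) % modulus                  # Alice removes r
    return result, transcript


def view_of(party, transcript):
    """The messages a party gets to see: those it sent or received."""
    return [m for m in transcript if party in m[:2]]


if __name__ == "__main__":
    # Constructed sample inputs.
    total, log = secure_ring_sum({"Alice": 17, "Bob": 25, "Charlie": 8})
    print("announced sum:", total)
    for sender, receiver, value in log:
        print(f"{sender} -> {receiver}: {value}")
    print("Bob's view:", view_of("Bob", log))
```

Working modulo M is a refinement of the textbook version: with $r$ drawn uniformly from $\mathbb{Z}_M$, each message Bob and Charlie see is itself uniformly distributed, so the blinding hides even the magnitude of the partial sums. As in the paper, the parties are assumed to follow the protocol; the simulation offers nothing against a party that deviates from it.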

In this paper, we show how SMC can be successfully employed in the context of SCC to overcome the problems related to revelation of sensitive private data. More specifically, we demonstrate how joint decision-making and benefit sharing can be implemented without disclosing private data of the individual members of the supply chain. We use the well-known "Joint Economic Lot Size (JELS) Model" (Banerjee, 1986) to demonstrate the potential of SMC for collaborative supply chain planning. Although the JELS model is rather simplistic in that it addresses a very basic two-party problem, we consider it particularly useful in the context of our research: first of all, it allows us to simultaneously study information sharing, joint planning and benefit sharing issues in a fairly simple and intuitive setting. Also, in its conventional form, the JELS model yields closed form solutions that are easy to derive and that lend themselves to direct development of secure protocols for joint decision-making, benefit sharing, and further structural analysis.

The contributions of the research presented in this paper can be summarized as follows: we first develop protocols that allow for decentralized secure (privacy preserving) computation of both the joint economic lot size and the monetary benefits that are shared among the parties according to different benefit sharing rules. Thereupon, we show that although computation of the model's outputs can be performed securely, the approach still faces practical limitations. These limitations are caused by the potential of "inverse optimization" (Atallah et al., 2006): one or all parties involved may be able to infer some or all of the private data of other parties from the output of the joint computation (in our case the joint economic lot size and the individual benefits). For all practical purposes, we can assume that for parties engaged in SCC it is irrelevant whether their data is disclosed during joint computation or can be inferred from its results. In either case sensitive data will be disclosed; as a consequence, the most important obstacle to SCC will prevail. We provide a detailed analysis of "inverse optimization" potentials and identify the information that can be inferred from the output of the JELS model. We also introduce the notion of "stochastic security", a novel approach based on the additional information a party may learn from joint computation and benefit sharing. Based on our definition of "stochastic security" we propose a stochastic benefit sharing rule, provide a secure protocol for this benefit sharing rule and study under which conditions it can guarantee secure collaboration. Next to the development of a secure collaboration mechanism based on the JELS model, the findings and insights coming from our research – specifically with respect to stochastic security – can be generalized to different supply chain settings in which SMC can help overcome the problems associated with sharing sensitive data.

1 The basic theoretical results of secure computation were established more than 25 years ago. A comprehensive review of SMC can be found in Goldreich (2002).

Our research contributes to a relatively new field in supply chain management. To the best of our knowledge, only three papers have so far addressed the application of SMC to supply chain collaboration. Atallah et al. (2003) develop secure protocols for allocating the fixed capacity of a supplier to multiple buyers. They consider a different problem setting that focuses only on information sharing rather than on collaborative planning and benefit sharing. Also, they do not address the problem of inverse optimization. Clifton et al. (2008) consider load swapping between independent trucking companies that have individual pick-up and delivery tasks. They develop a secure protocol for swapping loads without disclosing any private information of the trucking companies, except the loads to be swapped. In their paper, they neither (have to) explicitly consider benefit sharing nor do they address the problem of inverse optimization. Atallah et al. (2006) address SMC in the context of collaborative planning, forecasting, and replenishment (CPFR). They consider a two-stage serial supplier-retailer setting with non-stationary stochastic demand and provide secure protocols for both collaborative forecasting and replenishment. Atallah et al. are the first to address the problem of inverse optimization; they provide intuition into which data can be learned by the two parties involved in CPFR. Due to the complexity of their model, however, it is difficult (if not impossible) to conduct a rigorous analysis of inverse optimization potentials. Moreover, they consider inverse optimization in a very strict sense, i.e., that one party can obtain perfect knowledge about the private data of the other party from the outputs of the collaborative planning mechanism. In our paper, we provide secure protocols for a simpler (although practically relevant) model that also allows us to gain deeper analytical insights into the potential of inverse optimization. In addition, our analysis is based on a less restrictive and, as we believe, a more practical interpretation of inverse optimization. Besides assessing the potential for obtaining perfect knowledge of another party's private data, we also analyze how much additional information can be obtained, given that each party had some prior knowledge about the private data of another party.

The remainder of this paper is organized as follows: in the next section, we introduce the JELS model and describe a secure protocol for determining both the joint economic lot size and the benefits of the individual parties. We also provide a formal analysis of the private data that each party can learn from the joint planning result through inverse optimization under deterministic conditions. In Section 3 we provide a definition of stochastic security, establish general properties of this concept and analyze under which conditions the JELS model with alternative benefit sharing rules is stochastically secure. In Section 4 we develop a stochastic benefit sharing rule that can, under certain conditions, guarantee security of the collaborative planning mechanism. Section 5 provides a summary of our major findings and outlines the potential for future research.

2 Note that we use quotation marks to express that we are referring to a (private) parameter and not its specific value, e.g. "$f_B$" represents the (private) parameter fixed cost of the buyer and $f_B$ a specific value.

2. The secure JELS model

In this section we introduce the JELS Model with alternative benefit sharing rules, describe secure protocols based on SMC that enable secure computation of the model's results and provide a first analysis of the (deterministic) security of the JELS model with alternative benefit sharing rules.

2.1. The conventional JELS model

Consider a simple supply chain setting with a single supplier (party A) and a single buyer (party B) of a specific product. The buyer and the supplier have negotiated a fixed supply quantity of $d$ units per period. Without loss of generality, we assume that the buyer decides upon his order quantity, denoted by $q_B$, and the (corresponding) number of orders $d/q_B$, which he places with the supplier. It is assumed that the supplier has sufficient capacity to fulfill the buyer's orders and that his lead time is zero. The buyer's total relevant costs $TRC_B(q_B)$ are $d/q_B \cdot f_B + 1/2 \cdot q_B \cdot h_B$, where $f_B$ denotes the buyer's fixed cost per order, and $h_B$ his inventory holding cost per unit and period. $1/2 \cdot q_B$ is the average inventory throughout the period. The buyer's economic order quantity $q_B^*$ is $\sqrt{2 \cdot d \cdot f_B / h_B}$. Let $q_A$ denote the supplier's production lot size, $c$ the production capacity per period (with $c \geq d$), $f_A$ the set-up cost per production lot, and $h_A$ his inventory holding cost per unit and period. Assume that the supplier follows a lot-for-lot production policy; he cannot accommodate lot streaming and delivers the entire production batch after its completion. Thus, inventory only occurs throughout each production cycle and drops to zero after a lot is completed. The duration of each cycle is $q_A/c$ and the average inventory during this time is $1/2 \cdot q_A$. The number of production cycles per period is $d/q_A$. Multiplying these terms gives the supplier's average inventory: $1/2 \cdot q_A \cdot d/c$ (Banerjee, 1986; Sucky, 2006). The supplier's total relevant costs, denoted by $TRC_A(q_A)$, are $d/q_A \cdot f_A + 1/2 \cdot q_A \cdot d/c \cdot h_A$ and his economic lot size $q_A^*$ is $\sqrt{2 \cdot c \cdot f_A / h_A}$. Under the assumption of a lot-for-lot production policy, the lot size of the supplier will correspond to the order size of the buyer, i.e., $q_A = q_B$. In the following we assume, without loss of generality, that the buyer places orders of size $q_B^*$ and that the supplier does not have sufficient bargaining power to influence the buyer's decision. In this case $q_A = q_B^*$, resulting in total joint costs of $JTRC(q_B^*) = TRC_A(q_B^*) + TRC_B(q_B^*)$.

Based on this brief outline of the problem setting, it is easy to explain the underlying rationale of the JELS model: if $q_B^* \neq q_A^*$ there exists a "joint economic lot size", denoted by $q_J^*$, that leads to minimal joint costs of the buyer and supplier such that $JTRC(q_J^*) < JTRC(q_B^*)$ (Sucky, 2006). The joint economic lot size $q_J^*$ is given by $\sqrt{2 \cdot d \cdot (f_A + f_B) / (d \cdot h_A / c + h_B)}$ (Banerjee, 1986). The buyer does not have an incentive to deviate from his individual optimal solution because he incurs higher costs when choosing $q_J^*$ instead of $q_B^*$, i.e., $TRC_B(q_B^*) < TRC_B(q_J^*)$. However, it can be shown that the cost increase on the buyer's side is more than offset by a cost decrease on the supplier's side, i.e. $TRC_A(q_B^*) - TRC_A(q_J^*) > TRC_B(q_J^*) - TRC_B(q_B^*)$ (Banerjee, 1986). To incentivize the buyer to deviate from his individual optimal order quantity $q_B^*$ the supplier can offer a side payment to compensate the cost increase on the buyer's side. We denote by $p$ the side payment made by the supplier to the buyer and define the following constraint that ensures (weak) incentive rationality:

$$TRC_B(q_J^*) - TRC_B(q_B^*) \leq p \leq TRC_A(q_B^*) - TRC_A(q_J^*). \qquad (1)$$

The buyer will only engage in collaborative planning if his cost increase is at least offset by the side payment $p$; the supplier will only participate if the side payment is not higher than his benefit from collaborative planning. The side payment is subject to negotiations between the buyer and the supplier. Prior to adopting $q_J^*$, the two parties will have to agree upon a benefit sharing rule that determines the side payment $p$. In the literature, different rules for sharing the benefit have been suggested. Banerjee (1986), for example, proposed a simple "fixed ratio" benefit sharing rule where the buyer and supplier ex ante agree upon the percentage of the benefit that each party receives and that satisfies condition Eq. (1). Based on a proposed benefit sharing ratio of $1:n$ between the buyer and supplier, the benefit allocated to the buyer should be $1/(n+1) \cdot \left(JTRC(q_B^*) - JTRC(q_J^*)\right)$. Thus, the buyer receives a side payment of

$$p = TRC_B(q_J^*) - TRC_B(q_B^*) + 1/(n+1) \cdot \left(JTRC(q_B^*) - JTRC(q_J^*)\right) = 1/(n+1) \cdot d \cdot (f_A + f_B) \cdot (q_J^* - q_B^*)^2 / \left(q_J^{*2} \cdot q_B^*\right) + \left(1/2 \cdot h_B - d \cdot f_B / \left(q_J^* \cdot q_B^*\right)\right) \cdot \left(q_J^* - q_B^*\right).$$

Another option has been proposed by Goyal (1976). He suggests a "fair" benefit sharing rule in which benefits are distributed in such a way that the costs of the buyer and supplier relative to the total costs do not change when switching from $q_B^*$ to $q_J^*$, i.e., $\left(TRC_A(q_J^*) + p\right) / \left(TRC_B(q_J^*) - p\right) = TRC_A(q_B^*) / TRC_B(q_B^*)$. Rearranging terms yields the buyer's side payment: $p = 1/2 \cdot h_B \cdot \left(q_J^{*2} - q_B^{*2}\right)^2 / \left(q_J^* \cdot \left(q_J^{*2} + q_B^{*2}\right)\right)$.
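To make the model of this section concrete, here is an added worked example in Python; it is not code from the paper. It computes $q_B^*$, $q_A^*$ and $q_J^*$, the bounds of constraint (1), and the side payment under both benefit sharing rules, checking each closed form against its definition. All numeric values are constructed, and the class and function names are assumptions made here.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Buyer:
    f_B: float  # fixed cost per order
    h_B: float  # inventory holding cost per unit and period


@dataclass(frozen=True)
class Supplier:
    c: float    # production capacity per period (c >= d)
    f_A: float  # set-up cost per production lot
    h_A: float  # inventory holding cost per unit and period


def trc_buyer(q, d, b):
    """TRC_B(q) = d/q * f_B + 1/2 * q * h_B"""
    return d / q * b.f_B + 0.5 * q * b.h_B


def trc_supplier(q, d, s):
    """TRC_A(q) = d/q * f_A + 1/2 * q * d/c * h_A (lot-for-lot, no lot streaming)"""
    return d / q * s.f_A + 0.5 * q * d / s.c * s.h_A


def eoq_buyer(d, b):
    return math.sqrt(2 * d * b.f_B / b.h_B)


def els_supplier(d, s):
    return math.sqrt(2 * s.c * s.f_A / s.h_A)


def jels(d, b, s):
    return math.sqrt(2 * d * (s.f_A + b.f_B) / (d * s.h_A / s.c + b.h_B))


def incentive_range(d, b, s):
    """Bounds of constraint (1): buyer's cost increase <= p <= supplier's cost decrease."""
    qB, qJ = eoq_buyer(d, b), jels(d, b, s)
    lo = trc_buyer(qJ, d, b) - trc_buyer(qB, d, b)
    hi = trc_supplier(qB, d, s) - trc_supplier(qJ, d, s)
    return lo, hi


def fixed_ratio_payment_by_definition(d, b, s, n):
    """Banerjee's rule as defined: cost increase plus the buyer's 1/(n+1) share of the joint saving."""
    qB, qJ = eoq_buyer(d, b), jels(d, b, s)
    jtrc = lambda q: trc_supplier(q, d, s) + trc_buyer(q, d, b)
    return trc_buyer(qJ, d, b) - trc_buyer(qB, d, b) + (jtrc(qB) - jtrc(qJ)) / (n + 1)


def fixed_ratio_payment(d, b, s, n):
    """Closed form of the same rule; note that it needs the supplier's f_A."""
    qB, qJ = eoq_buyer(d, b), jels(d, b, s)
    share = d * (s.f_A + b.f_B) * (qJ - qB) ** 2 / (qJ ** 2 * qB) / (n + 1)
    increase = (0.5 * b.h_B - d * b.f_B / (qJ * qB)) * (qJ - qB)
    return share + increase


def fair_payment(qJ, qB, h_B):
    """Goyal's rule in closed form: depends only on q_J*, q_B* and h_B, so the
    buyer can evaluate it locally once q_J* is known."""
    return 0.5 * h_B * (qJ ** 2 - qB ** 2) ** 2 / (qJ * (qJ ** 2 + qB ** 2))


def cost_ratio_preserved(d, b, s):
    """Numerically verify the defining property of the fair rule."""
    qB, qJ = eoq_buyer(d, b), jels(d, b, s)
    p = fair_payment(qJ, qB, b.h_B)
    before = trc_supplier(qB, d, s) / trc_buyer(qB, d, b)
    after = (trc_supplier(qJ, d, s) + p) / (trc_buyer(qJ, d, b) - p)
    return math.isclose(before, after, rel_tol=1e-9)


# Constructed sample data (not from the paper).
D = 1000.0
BUYER = Buyer(f_B=100.0, h_B=2.0)
SUPPLIER = Supplier(c=2000.0, f_A=400.0, h_A=1.0)

if __name__ == "__main__":
    qB, qA, qJ = eoq_buyer(D, BUYER), els_supplier(D, SUPPLIER), jels(D, BUYER, SUPPLIER)
    lo, hi = incentive_range(D, BUYER, SUPPLIER)
    print(f"q_B*={qB:.2f}  q_A*={qA:.2f}  q_J*={qJ:.2f}")
    print(f"incentive-rational side payments: {lo:.2f} <= p <= {hi:.2f}")
    print(f"fixed ratio (1:1): p={fixed_ratio_payment(D, BUYER, SUPPLIER, 1):.2f}")
    print(f"fair rule:         p={fair_payment(qJ, qB, BUYER.h_B):.2f}")
```

Two things the code makes visible: the closed form of the fixed ratio payment needs $f_A$, which is the supplier's private input, whereas Goyal's rule in closed form needs only $h_B$, $q_B^*$ and $q_J^*$ and can therefore be evaluated by the buyer alone once $q_J^*$ is known. cost_ratio_preserved confirms numerically that the closed form satisfies the ratio condition that defines the fair rule.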

Later in our analysis, we will revisit both benefit sharing rules to explore whether they have different implications for the data security of the parties involved.

The JELS model represents a very intuitive and simple example for collaborative planning in a supply chain context. Both parties only have to agree upon a relatively straightforward joint planning mechanism and negotiate a benefit sharing scheme that is acceptable to both of them. However, to introduce collaborative planning based on the JELS model, they will also inevitably have to reveal the relevant private data that is needed to compute $q_J^*$ and $p$. Given that the overall supply quantity $d$ is known by both parties, the buyer's and the supplier's sets of relevant private data are {"$f_B$", "$h_B$"}² and {"$c$", "$f_A$", "$h_A$"}, respectively. In any "conventional" approach to collaborative planning, they will either have to disclose this data to each other, or to some third party that performs computation of the relevant outputs $q_J^*$ and $p$. As outlined previously, there are good reasons to assume that such a collaborative planning approach will, in many cases, not be pursued, because the parties involved are not willing to disclose cost and capacity data – neither to their supply chain partners nor to a third party. Note that this reluctance to disclose private data might not be the same for each partner. In the setting described above, the (strong) buyer may not have to fear a disadvantage when disclosing his private data to his supplier or a third party. The supplier, however, faces all of the potential consequences (described in Section 1) when the buyer gets to know his private data. Nonetheless, there is still reason to believe that even the buyer will not (always) want to disclose his private data to a supplier or a third party. One reason may be that the buyer fears that information leaks to competitors. Alternatively, he might also believe that the supplier will utilize this information to negotiate better terms for benefit sharing. These arguments are in line with the empirical evidence described in our introduction: it is reasonable to assume that in many real-life settings, supply chain partners are generally reluctant to share sensitive data. To account for the fact that certain partners may be less reluctant to share data (in our case the buyer), we later introduce the notion of "one-sided security" or "asymmetric security", which refers to a situation in which the sensitive data of only one party is protected.

Fig. 1. Protocol overview.

In the next section, we describe a secure protocol that allows joint computation of $q_J^*$ and $p$ without revealing any private data during computation.

2.2. Protocols for secure computation of the JELS model with benefit sharing

We build our analysis on the following definition of a secure supply chain protocol (based on Atallah et al., 2003).

Definition 1 (Secure Supply Chain Protocol). Let $D_A = \{1, \ldots, n\}$ and $D_B = \{1, \ldots, m\}$ denote the private data sets of supply chain partners A and B. Let $x_A^i$ and $x_B^j$ denote the values of the private parameters $i \in D_A$ and $j \in D_B$ and let $\hat{X}_A^i$ and $\hat{X}_B^j$ denote their respective domains. Let $\varphi_{AB}$ denote a function that calculates the joint planning result based on the input values $x_A \in \hat{X}_A^1 \times \cdots \times \hat{X}_A^n$ and $x_B \in \hat{X}_B^1 \times \cdots \times \hat{X}_B^m$. Assume that the function $\varphi_{AB}$ is known to both A and B. A protocol is called secure if, at its end, both parties only learn the result $\varphi_{AB}(x_A, x_B)$, but A does not get to know any $x_B^j \in \hat{X}_B^j$ that cannot be inferred from $x_A$ and the result $\varphi_{AB}(x_A, x_B)$, and B does not get to know any $x_A^i \in \hat{X}_A^i$ that cannot be inferred from $x_B$ and the result $\varphi_{AB}(x_A, x_B)$.

Definition 1 states that a protocol for joint computation of a function is secure if the parties involved learn nothing beyond their private inputs and the joint function's result.³ Transferring this general definition of a secure supply chain protocol to the setting of the JELS model, the private data sets are $D_A$ = {"$c$", "$f_A$", "$h_A$"} and $D_B$ = {"$f_B$", "$h_B$"}, and the function for calculating the joint planning result $q_J^*$ is $\sqrt{2 \cdot d \cdot (f_A + f_B) / (d \cdot h_A / c + h_B)}$. In addition, we also require another function for calculating the transfer payment from A to B, as described in the previous section. In this setting, a protocol is secure if party A does not get to know the parameter values $\{f_B, h_B\}$ and B does not get to know the parameter values $\{c, f_A, h_A\}$ from the computations leading to $q_J^*$ and $p$.

For our secure protocols, we use the mechanism of secure function evaluation introduced by Yao (1982), which has been proven secure (Lindell and Pinkas, 2004) for the case of honest-but-curious parties. Honest-but-curious (or semi-honest) parties follow the protocol properly, but keep a record of intermediate computations and messages to find out the values of each other's inputs.⁴

Fig. 1 provides an overview of a protocol based on Yao's secure function evaluation technique. The basic idea of the protocol is to translate the joint function $\varphi_{AB}$ into a Boolean circuit consisting of several individual building blocks (sub-circuits); each sub-circuit represents a basic arithmetic operation. An entire circuit, representing $\varphi_{AB}$, can be constructed by connecting the input and output wires of those sub-circuits according to the structure of the formula concatenating intermediate values. The result is a circuit for computing the entire formula.

3 It should be noted that from a cryptographic perspective, anything that can be learned from one's input and output is not protected by Definition 1. Consider, for example, summation between two parties: A has input $x_A$ and B has input $x_B$ and they compute $\varphi_{AB}(x_A, x_B) = x_A + x_B$. A can infer $x_B$ from $x_A$ and $\varphi_{AB}(x_A, x_B)$, such that B can even send $x_B$ in clear to A and the protocol is still secure according to Definition 1. The security implied by the function $\varphi_{AB}(x_A, x_B)$ is of no concern to secure protocols. We will address this issue later in the context of inverse optimization.

4 Yao's protocol can also be efficiently extended to malicious parties (Lindell and Pinkas, 2007). Malicious parties may behave arbitrarily and, as such, abort the protocol. If, however, a result is computed, it is correct and secure (Goldreich, 2002).

For our problem we construct two circuits for computations of $q_J^*$ and $p$ (see Fig. 2). These circuits will lead to two corresponding protocols that are executed in a sequential fashion according to Fig. 1 – first $q_J^*$ is computed securely, and subsequently $p$. Party A encrypts the first circuit for computation of $q_J^*$ and sends it to party B. Loosely speaking, A computes the output $\varphi_{AB}(x_A, x_B)$ for every possible input $x_B$ of B and encrypts it with a fresh key. A sends all ciphertexts to B and B obtains the key corresponding to his input. An improvement over this simple approach is to encrypt and transmit a circuit that computes $\varphi_{AB}(x_A, x_B)$ instead of all possible results and to compute the result using the encrypted circuit. A then only needs to construct and encrypt the circuit for $\varphi_{AB}$ and choose keys for each possible input $x_B$ of B. B needs to obtain the keys corresponding to his specific input $x_B$ to execute the circuit and to obtain the output of the joint function $\varphi_{AB}(x_A, x_B)$ for his input $x_B$. B must receive the correct keys from A without A knowing which ones they are and without B obtaining any information beyond them (i.e. keys not for his specific input $x_B$). A and B can achieve this using Oblivious Transfer (Rabin, 1981; Even et al., 1985). In Oblivious Transfer, a sender can transmit one out of $N$ messages without learning which one it is. The recipient in Oblivious Transfer can choose the message corresponding to his input, but learns nothing about the other messages. After receiving the keys for his input, B can execute (decrypt) the circuit with his private inputs. He sends the result obtained for $\varphi_{AB}(x_A, x_B)$ to A. Both A and B now know the jointly computed result (i.e. $q_J^*$ in the JELS model). Observe that A sees only his input, all possible inputs from B and the result of the joint computation. Clearly, A will learn nothing from the protocol execution about B's input, as required by Definition 1. B sees his input, the encrypted circuit, some decryption keys and the output. Since B only receives keys for decrypting the circuit for his input, he will also not learn anything about A's input from the encrypted circuit as long as its encryption is secure. The same procedure is then repeated for the fixed ratio benefit sharing circuit for securely computing the side payment.
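An added simulation, not the authors' implementation, of the "simple approach" described above: party A evaluates $\varphi_{AB}$ for every possible input of B, encrypts each result under a fresh key, and B obtains a single key. Oblivious Transfer is replaced by a stand-in function that models only its functional guarantee (B receives exactly one key; nothing the sender computes depends on B's choice). The function names, the key length, the SHA-256/HMAC-based encryption and the constructed sample function are all assumptions made here.

```python
import hashlib
import hmac
import os

# Added example, not the paper's implementation: the table-of-all-results
# variant of Yao's protocol. The OT step is SIMULATED (see below).

KEY_LEN = 16


def _encrypt(key, value):
    """One-time pad derived from the key, plus a MAC so a wrong key is detected."""
    plaintext = value.to_bytes(8, "big", signed=True)
    pad = hashlib.sha256(key + b"pad").digest()[:8]
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, pad))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def _decrypt(key, blob):
    """Return the integer, or None when the tag does not verify under this key."""
    ciphertext, tag = blob[:8], blob[8:]
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                       # wrong key: nothing is learned
    pad = hashlib.sha256(key + b"pad").digest()[:8]
    return int.from_bytes(bytes(a ^ b for a, b in zip(ciphertext, pad)), "big", signed=True)


def sender_prepare(phi, x_A, domain_B):
    """Party A: one fresh key and one encrypted result per possible input of B.
    Returns (keys, table); only `table` is sent to B."""
    keys = {x_B: os.urandom(KEY_LEN) for x_B in domain_B}
    table = {x_B: _encrypt(keys[x_B], phi(x_A, x_B)) for x_B in domain_B}
    return keys, table


def simulated_oblivious_transfer(keys, choice):
    """Stand-in for 1-out-of-N Oblivious Transfer. A real OT protocol hides
    `choice` from the sender and withholds every other key from the receiver;
    here only the second half is modelled, by handing back a single key."""
    return keys[choice]


def receiver_evaluate(table, my_key, x_B):
    """Party B decrypts only its own row."""
    return _decrypt(my_key, table[x_B])


def run_protocol(phi, x_A, x_B, domain_B):
    """Full exchange; returns B's result and the list of other rows that B's
    single key could open (expected: none)."""
    keys, table = sender_prepare(phi, x_A, domain_B)
    key_B = simulated_oblivious_transfer(keys, x_B)
    result = receiver_evaluate(table, key_B, x_B)
    leaked = []
    for other, blob in table.items():
        if other != x_B and _decrypt(key_B, blob) is not None:
            leaked.append(other)
    return result, leaked


if __name__ == "__main__":
    phi = lambda a, b: (a + b) * 3        # constructed public function
    res, leaked = run_protocol(phi, x_A=7, x_B=5, domain_B=range(16))
    print("B's result:", res, "| other rows B could open:", leaked)
```

The property to read off is in run_protocol: with one key, B can open only the row for his own input, and every other row fails its authentication tag. A real deployment would use an actual OT protocol and, as the text goes on to explain, a garbled circuit instead of a table of all results, since the table grows with the size of B's input domain.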

The circuits as well as the required building blocks are displayed in Fig. 2. In both circuits, the gray values on the left denote the private part of the buyer's input to the circuit, while the gray values on the top denote those of the supplier. For the cost-based benefit sharing approach, the formula of $p$ does not require any input of the supplier, so $p$ can be locally computed by the buyer and no circuit is needed. Therefore, in Fig. 2, we only present the fixed ratio benefit sharing circuit. In Malkhi et al. (2004) it has been proven that Yao's protocol translates a circuit into a secure protocol. Thus, our remaining task is to choose the relevant building blocks for the circuits described in Fig. 2. For our protocols, we require the circuits to be one-pass, i.e. they may not contain feedbacks, registers or similar optimizations commonly used in processors.

Fig. 2. Circuits for secure computation. (a) JELS circuit: inputs $2 \cdot d \cdot f_B$ and $h_B$ (buyer), $2 \cdot d \cdot f_A$ and $d \cdot h_A / c$ (supplier); two addition gates feed one division gate; output $q_J^{*2}$. (b) Fixed ratio benefit sharing circuit: inputs include $d \cdot f_A$ (supplier) and locally pre-computed buyer terms such as $(q_J^* - q_B^*)^2$; gates shown are two additions and one division; output $p$. [Figure available only as extraction residue; the labels above are the legible parts.]

Table 1. Complexity of the single building blocks.

                Addition      Multiplication      Division
g(l)            5l − 3        6l² − 8l + 3        22l² − 11l + 5
O(g(l))         O(l)          O(l²)               O(l²)
g(32)           157           5891                22,181

We will now show the construction of the arithmetic buildingblocks in the above circuits given the one-pass constraint byYao’s protocol. The necessary building blocks for our secure pro-tocol are addition, multiplication and division. Research in circuitdesign has yielded many efficient circuits for arithmetic buildingblocks (Beame et al., 1986; Karatsuba, 1995; Wegener, 1996);besides choosing the most efficient and suitable one accordingto the one-pass constraint, we minimize the size of the circuitthat needs to be computed securely in Yao’s protocol by locallypre-computing some inputs and post-computing some results.For example, we save a computation of the square root in thecircuit for q�2J . Instead, q�2J can be used locally and non-securelyto compute q�J without any loss of privacy.5 Our goal is to mini-mize the number of gates for a realistic domain U, e.g. 32 bit. Thedomain U needs to be chosen such that it includes all possible in-puts, outputs and intermediate values of /AB(xA,xB) and thereforeno over- or underflow occurs during the computation. It is impor-tant to note that the size of U is independent of any securityparameter chosen to protect the privacy of data sets. Thus, circuitswith the same (or even lower) asymptotic complexity may notice-ably differ in the absolute number of gates. The absolute numberof gates is relevant because computation and communication costsare linearly increasing in the number of gates. We developed a no-vel building block for division and utilize addition and multiplica-tion circuits, which have previously been proposed by Redkin(1981) and Wegener (1996). A formal definition of all of the build-ing blocks can be found in the Appendix. Table 1 depicts the func-tion of the number of gates required for inputs of length l bit, g(l),the asymptotic complexity O(g(l)), and the number of gates g(32)required for our domain of 32 bits for the three arithmetic build-ing blocks used in our protocols.

⁵ Note that there exist circuits with better asymptotic complexity than ours, but we cannot use many of them, since they either do not adhere to the one-pass constraint (Oberman and Flynn, 1997) or their complexity hides very high constants in the "big O" notation (e.g. Karatsuba and Ofman, 1962).

The different protocols for calculating $q_J^*$ and p were implemented in a web-based service application. The code for the protocols runs in the users' web browsers, implemented in JavaScript, and the web server is only used to forward messages between the browsers, potentially tunneled through the companies' firewalls.

2.3. Inverse optimization and deterministic security

Secure protocols based on our description in the previous section enable SCC without any party having to reveal any private input data. However, we have to consider that individual parties involved may be able to infer private data of other parties from the output of the secure joint computation – in our case both the buyer and the supplier may learn something about each other's private data from $q_J^*$ and p. We follow Atallah et al. (2006) and refer to this as "inverse optimization". It is important to note that inverse optimization is not of concern in SMC – a protocol will still be considered secure, even if one or more parties involved could infer the private data of another from the outputs of the protocol and their own private inputs. However, and as stated previously, for the parties involved in collaborative supply chain planning it will be irrelevant whether their private data is disclosed in the course of joint computation or can be inferred from its results. In either case, we can assume that disclosure of sensitive private data will inhibit collaboration. Therefore, we define a secure collaborative planning mechanism to include both secure computation (as in Definition 1) and "non-invertibility" of private data.

Definition 2 (Secure Collaborative Planning Mechanism). A collaborative planning mechanism is called deterministically secure if $\phi_{AB}(x_A, x_B)$ is computed by means of a secure protocol (Definition 1), and there exist no algorithms $G_A$ or $G_B$ that compute $G_A(x_A, \phi_{AB}(x_A, x_B)) = x_B^j$ for any $j \in D_B$, $x_B^j \in \hat{X}_B^j$ and any $x_A \in \hat{X}_A^1 \times \cdots \times \hat{X}_A^n$, or $G_B(x_B, \phi_{AB}(x_A, x_B)) = x_A^i$ for any $i \in D_A$, $x_A^i \in \hat{X}_A^i$ and any $x_B \in \hat{X}_B^1 \times \cdots \times \hat{X}_B^m$ (inverse optimization).

In this definition, we use the term "deterministic" to indicate that inverse optimization leads to perfect knowledge about another party's private data. In Section 3 we will introduce the notion of stochastic security that refers to imperfect knowledge and additional partial information that can be obtained from inverse optimization. For several reasons (e.g. because of asymmetric distribution of power), there may be instances in which one party is not reluctant to share private data. In the automotive industry, for example, an OEM may be willing to share his holding and ordering cost information with the supplier, while the supplier may be very sensitive about revealing set-up costs and capacities. We will use the term one-sided collaborative planning mechanisms if Definition 2 is fulfilled for only one of the parties. Since we showed in the previous section that $q_J^*$ and p can be computed securely, we now have to assess whether either party has the potential for inverse optimization. We establish the corresponding results in Proposition 1.

Proposition 1.

(a) The JELS model with fixed ratio benefit sharing is not a secure collaborative planning mechanism according to Definition 2. From $q_J^*$ and p the supplier can infer the values of all private data of the buyer. The buyer can infer the supplier's fixed cost $f_A$ as well as the ratio $h_A/c$ between the holding cost and the capacity of the supplier.

(b) The JELS model with cost-based benefit sharing is a one-sided secure collaborative planning mechanism for the supplier. From $q_J^*$ and p the supplier can infer the values of all private data of the buyer. The buyer can infer a relationship between the values $f_A$, $h_A$ and c of the supplier, but not their exact values.⁶

From Proposition 1 we observe that for a collaborative planning mechanism based on the JELS model, all of the private data of both partners is disclosed when a fixed ratio benefit sharing rule is chosen. This obviously implies that the application of a secure protocol as described in the previous section is futile. If the partners agreed to distribute their benefits according to the cost-based rule, the supplier would learn all private data of the buyer; however, the buyer would not be able to infer the private data of the supplier. Applying a secure protocol would only be effective in supporting collaborative planning if the buyer was not sensitive to disclosing his private data to the supplier. Clearly, in order to make a collaborative planning approach attractive to both parties, a mechanism that prevents inverse optimization has to be established. Before we address this issue, we will introduce a stochastic extension to Definition 2 to account for important practical issues related to data revelation.

3. Stochastically secure collaborative planning

So far, we considered inverse optimization (based on Atallah et al. (2006)) as the ability to obtain perfect knowledge about another party's private data. Interpreted in this sense, inverse optimization is not given if one party could obtain a very precise (although imperfect) estimate of the other party's private data. More realistically, we should assume that each party has some prior (imperfect) knowledge about the other party's data, and may improve this knowledge based on the joint planning results. In the JELS model's setting, for example, we should assume that the buyer is able to come up with a reasonably good estimate for the supplier's inventory holding costs. The question arises whether, given this estimate and the output values $q_J^*$ and p, the buyer can obtain (equally) good estimates for other variables. In such a case we would, from a practical perspective, be inclined not to consider a collaborative planning mechanism as secure. Therefore, we define inverse optimization in a weaker sense and relate it to the additional knowledge a party can obtain about another party's private data. This, however, requires us to formalize both the a priori knowledge about the private data before joint computation and the (improved) a posteriori knowledge after inverse optimization.

In the following section, we define a stochastically secure collaborative planning mechanism and establish relevant properties that will support our further analysis. We will use these results to analyze stochastic security of the JELS model.

⁶ All proofs are relegated to the Appendix.

3.1. Definition and properties of stochastically secure collaborative planning

Assume that party A has imperfect prior information about a parameter "x" of party B. From A's perspective, "x" can then be considered a random variable X. Different assumptions can be made about the prior knowledge of A about "x". For example, we can assume that A knows the probability distribution of X, but not its true value x. In our model we do not require A to know the distribution of X, but assume that A can at least specify a lower bound $l_X > 0$ and upper bound $u_X > 0$ such that $\Pr\{l_X \le X \le u_X\} \ge \gamma$, where $\gamma$ denotes a pre-defined confidence level (e.g. $\gamma = 0.95$). This implies that A knows that the true value of X will lie within $[l_X, u_X]$ with probability $\gamma$. Clearly, as $u_X - l_X$ increases, A possesses less prior knowledge about the parameter "x". A privacy measure is required to assess whether "x" can be considered private from B's viewpoint, or whether A has a sufficiently accurate estimate of the parameter for it not to be considered private. If A knew that X follows a symmetric distribution with first and second order moments $\mu_X$ and $\sigma_X$ respectively, an appropriate privacy measure $\rho(X)$ would be

$$\rho(X) = \arg\min_{\rho}\; \Pr\{\mu_X - \rho\,\mu_X \le X \le \mu_X + \rho\,\mu_X\} \ge \gamma. \quad (2)$$

$\rho(X)$ then represents the relative size of the (symmetric) confidence band around $\mu_X$. Clearly, small values of $\rho(X)$ indicate that $\mu_X$ is a very accurate estimate of "x", e.g., for $\rho(X) = 0.01$ the true value x will be within a band of 1% around $\mu_X$. As $\rho(X)$ increases, the estimate of parameter "x" is becoming increasingly inaccurate.

If A does not know the distribution of X but its confidence interval $[l_X, u_X]$, the privacy measure can be defined as follows:⁷

$$\rho(X) = \frac{m_X - l_X}{m_X} = \frac{u_X - m_X}{m_X} = \frac{u_X - l_X}{u_X + l_X}, \quad (3)$$

where $m_X = \tfrac{1}{2}(u_X + l_X)$ denotes the midpoint of the confidence interval of X. The interpretation of Eq. (3) is similar to Eq. (2). In Eq. (3), $\rho(X)$ represents the relative size of the confidence band around the midpoint of the confidence interval (and not the mean as in Eq. (2)). Our subsequent analysis will not depend on whether a distribution of another party's parameter or only the confidence interval (with respect to some pre-defined confidence level) is known.

We can now define a threshold value $\rho_{min}$ to determine for which values of $\rho(X)$ we consider a parameter "x" to be private information. Based on $\rho(X)$ and the privacy threshold $\rho_{min}$ we can develop a formal definition of a stochastically secure collaborative planning mechanism. In doing so, we have to evaluate the data privacy before and after collaborative planning. Let $X^{prior}$ and $X^{post}$ denote the random variable representing a parameter "x" before and after collaborative planning. Based on $\rho(X)$, privacy of "x" before (i.e. $\rho(X^{prior})$) and after ($\rho(X^{post})$) can be evaluated. We denote by $D_A^{prior} = \{i \in D_A \mid \rho(X_A^{i,prior}) \ge \rho_{min}\}$ and $D_B^{prior} = \{j \in D_B \mid \rho(X_B^{j,prior}) \ge \rho_{min}\}$ the sets of private data of A and B with respect to a defined privacy level $\rho_{min}$ prior to the computation of $\phi_{AB}(x_A, x_B)$, and by $D_A^{post} = \{i \in D_A \mid \rho(X_A^{i,post}) \ge \rho_{min}\}$ and $D_B^{post} = \{j \in D_B \mid \rho(X_B^{j,post}) \ge \rho_{min}\}$ the sets of private data after joint computation and inverse optimization. To avoid trivial issues we assume that $D_A^{prior}, D_B^{prior} \neq \emptyset$.

Definition 3 (Stochastically secure collaborative planning mechanism). A collaborative planning mechanism is called stochastically secure (at the $\rho_{min}$ level) if $\phi_{AB}(x_A, x_B)$ is computed by means of a secure protocol (Definition 1), and there exists no algorithm $G_A$ for any $j \in D_B^{prior}$, $x_B^j \in \hat{X}_B^j$ and any $x_A \in \hat{X}_A^1 \times \cdots \times \hat{X}_A^n$ that computes $G_A(X_B^{prior}, x_A, \phi_{AB}(x_A, x_B)) = X_B^{j,post}$ with $\rho(X_B^{j,post}) \le \rho_{min}$, or $G_B$ for any $i \in D_A^{prior}$, $x_A^i \in \hat{X}_A^i$ and any $x_B \in \hat{X}_B^1 \times \cdots \times \hat{X}_B^m$ that computes $G_B(X_A^{prior}, x_B, \phi_{AB}(x_A, x_B)) = X_A^{i,post}$ with $\rho(X_A^{i,post}) \le \rho_{min}$ (stochastic inverse optimization).

⁷ For simplification, we assume all the parameters are positive. Since $u_X \ge l_X > 0$, it follows $0 \le \rho(X) < 1$.

Fig. 3. Confidence interval of X after joint computation.

In general terms, Definition 3 states that a collaborative planning mechanism should be considered stochastically secure if any data that is considered private before computation (based on the threshold level $\rho_{min}$) remains private after joint computation and any inverse optimization. Note that this definition also captures deterministic inverse optimization and deterministic security as defined in the previous section. For the reasons described previously, we are also interested whether only one party can infer private data of another party, i.e. whether the collaborative planning mechanism can be considered one-sided secure. Our objective is to propose an approach to collaborative planning based on the JELS model that is both deterministically and stochastically secure. From our analysis in the previous section we saw that collaboration based on the JELS model would at best be one-sided deterministically secure if a cost-based benefit sharing rule is employed. Consider the results established in Proposition 1a and 1b: under a fixed ratio benefit sharing rule, the buyer does not get to know the exact values $h_A$ and c but he knows their ratio $h_A/c$. Similarly, under cost-based benefit sharing, the buyer does not know the exact values $h_A$, $f_A$ and c, but knows their ratio from equation $f_A = \tfrac{1}{2} \cdot q_J^{*2} \cdot h_A/c + \tfrac{1}{2} \cdot q_J^{*2} \cdot h_B/d - f_B$. In the context of stochastic security, the question arises whether the buyer would be able to obtain an accurate estimate of the remaining parameters if he had an accurate estimate of one or more of the other parameters. Consider, for example, the ratio $h_A/c$ under fixed ratio benefit sharing. If the buyer is able to accurately estimate $h_A$ (which, from a practical perspective, is reasonable to assume), he will clearly also be able to infer an accurate estimate of c. To be able to assess stochastic security, we need to analyze whether known functional relationships between different private parameters can be utilized for stochastic inverse optimization. For this purpose, we establish the following two general theorems that will aid us in evaluating stochastic security of a collaborative planning mechanism.

Theorem 1. Let the random variables $X^{prior}$ and $Y^{prior}$ represent two relevant parameters "x" and "y" of party A (B), for which party B (A) has imperfect a priori information. If, after the planning process, the realizations of these random variables are known to stand in a linear relationship of the form $x = a \cdot y + b$ (where a and b are known constants and $a \in \mathbb{R}^+$, $b \in \mathbb{R}$), then:

$$\text{"x"} \in D^{post} \quad \text{if} \quad \frac{\min\!\big(u_X^{prior},\; a \cdot u_Y^{prior} + b\big)}{\max\!\big(l_X^{prior},\; a \cdot l_Y^{prior} + b\big)} \ge \frac{1 + \rho_{min}}{1 - \rho_{min}};$$

$$\text{"y"} \in D^{post} \quad \text{if} \quad \frac{\min\!\big(a \cdot u_Y^{prior},\; u_X^{prior} - b\big)}{\max\!\big(a \cdot l_Y^{prior},\; l_X^{prior} - b\big)} \ge \frac{1 + \rho_{min}}{1 - \rho_{min}}.$$

The idea underlying the preceding theorem is illustrated in Fig. 3 and can be described as follows: assume that before the planning process the confidence interval for X was $[l_X^{prior}, u_X^{prior}]$ with probability $\gamma$ and its privacy measure was $\rho(X^{prior}) \ge \rho_{min}$. After the planning process, additional knowledge about "x" may be inferred from the known functional relationship between x and y, leading to an additional new (confidence) interval $[l_X^{new}, u_X^{new}]$ for X, whereby $l_X^{new} = a \cdot l_Y^{prior} + b$ and $u_X^{new} = a \cdot u_Y^{prior} + b$. Since we know that $x \in [l_X^{prior}, u_X^{prior}]$ and $x \in [l_X^{new}, u_X^{new}]$, we also know that $x \in [\max(l_X^{prior}, l_X^{new}),\; \min(u_X^{prior}, u_X^{new})] = [l_X^{post}, u_X^{post}]$, i.e., the realization x must lie within the overlap of the two intervals (see Fig. 3). Based on this logic, it is easy to interpret the results established in Theorem 1.

In a similar fashion, we can develop conditions for stochastic security for the case of three parameters with a known functional relationship (as in equation $f_A = \tfrac{1}{2} \cdot q_J^{*2} \cdot h_A/c + \tfrac{1}{2} \cdot q_J^{*2} \cdot h_B/d - f_B$ in the proof of Proposition 1, where the buyer can infer a relationship between $f_A$, $h_A$ and c after the collaborative planning with cost-based benefit sharing). These are presented in Theorem 2.

Theorem 2. Let the random variables $X^{prior}$, $Y^{prior}$ and $Z^{prior}$ represent three relevant parameters "x", "y" and "z" of party A (B) for which party B (A) has imperfect a priori information. If, after the planning process, the realizations of these random variables are known to stand in a relationship of the form $x = a \cdot y/z + b$ (where a and b are known constants and $a \in \mathbb{R}^+$, $b \in \mathbb{R}$), then:

(a) "x" $\in D^{post}$ if
$$\frac{\min\!\big(u_X^{prior},\; a \cdot u_Y^{prior}/l_Z^{prior} + b\big)}{\max\!\big(l_X^{prior},\; a \cdot l_Y^{prior}/u_Z^{prior} + b\big)} \ge \frac{1 + \rho_{min}}{1 - \rho_{min}}$$

(b) "y" $\in D^{post}$ if
$$\frac{\min\!\big(a \cdot u_Y^{prior},\; (u_X^{prior} - b) \cdot u_Z^{prior}\big)}{\max\!\big(a \cdot l_Y^{prior},\; (l_X^{prior} - b) \cdot l_Z^{prior}\big)} \ge \frac{1 + \rho_{min}}{1 - \rho_{min}}$$

(c) "z" $\in D^{post}$ if

(1)
$$\frac{\min\!\big(u_Z^{prior},\; a \cdot u_Y^{prior}/(l_X^{prior} - b)\big)}{\max\!\big(l_Z^{prior},\; a \cdot l_Y^{prior}/(u_X^{prior} - b)\big)} \ge \frac{1 + \rho_{min}}{1 - \rho_{min}} \quad (\text{for } l_X^{prior} > b)$$
or

(2)
$$\frac{u_Z^{prior}}{\max\!\big(l_Z^{prior},\; a \cdot l_Y^{prior}/(u_X^{prior} - b)\big)} \ge \frac{1 + \rho_{min}}{1 - \rho_{min}} \quad (\text{for } l_X^{prior} \le b)$$

Structurally, the conditions stated in Theorem 2 are very similar to those established in Theorem 1 and can be interpreted in the same way. Theorems 1 and 2 address all relevant functional relationships the parameters in a collaborative planning mechanism based on the JELS model may have. In the next section, we will utilize the results established in the two theorems to analyze stochastic security of the JELS model with the two alternative benefit sharing rules.
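As an added illustration (not part of the paper), the interval-overlap reasoning of Theorems 1 and 2 can be carried out numerically: the block below computes the privacy measure of Eq. (3), intersects a prior confidence interval with the interval implied by a known relation $x = a \cdot y + b$ or $x = a \cdot y/z + b$, and compares the closed-form condition of Theorem 2(c) with a direct check of $\rho(X^{post}) \ge \rho_{min}$ on the overlap. All interval bounds and constants in it are constructed sample values, not data from the paper.

```python
"""Added example (not from the paper): stochastic inverse optimization as
interval arithmetic, following the privacy measure of Eq. (3) and the
interval-overlap argument behind Theorems 1 and 2 (Fig. 3).  Every interval
bound and constant below is a constructed sample value."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    """Confidence interval [l, u] of a positive parameter, 0 < l <= u."""
    l: float
    u: float

    def __post_init__(self) -> None:
        if not 0 < self.l <= self.u:
            raise ValueError(f"need 0 < l <= u, got [{self.l}, {self.u}]")


def rho(x: Interval) -> float:
    """Privacy measure of Eq. (3): half-width relative to the midpoint."""
    return (x.u - x.l) / (x.u + x.l)


def is_private(x: Interval, rho_min: float) -> bool:
    """'x' counts as private at level rho_min iff rho(X) >= rho_min."""
    return rho(x) >= rho_min


def ratio_threshold(rho_min: float) -> float:
    """rho(X) >= rho_min  <=>  u_X / l_X >= (1 + rho_min) / (1 - rho_min);
    this is the right-hand side that Theorems 1 and 2 compare against."""
    return (1.0 + rho_min) / (1.0 - rho_min)


def posterior_linear(x: Interval, y: Interval, a: float, b: float):
    """Theorem 1: once x = a*y + b (a > 0) is known, each realization lies in
    the overlap of its prior interval and the interval implied by the other
    parameter's prior (Fig. 3)."""
    x_post = Interval(max(x.l, a * y.l + b), min(x.u, a * y.u + b))
    y_post = Interval(max(y.l, (x.l - b) / a), min(y.u, (x.u - b) / a))
    return x_post, y_post


def posterior_ratio(x: Interval, y: Interval, z: Interval, a: float, b: float):
    """Theorem 2: the same overlap argument for x = a*y/z + b (a > 0).
    If l_X <= b, then x - b can be arbitrarily small, so nothing new is
    learned about z from above and u_Z keeps its prior value (case (c)(2))."""
    x_post = Interval(max(x.l, a * y.l / z.u + b), min(x.u, a * y.u / z.l + b))
    y_post = Interval(max(y.l, (x.l - b) * z.l / a), min(y.u, (x.u - b) * z.u / a))
    z_low = max(z.l, a * y.l / (x.u - b))            # x > b, hence u_X - b > 0
    z_up = min(z.u, a * y.u / (x.l - b)) if x.l > b else z.u
    return x_post, y_post, Interval(z_low, z_up)


def theorem2_condition_z(x: Interval, y: Interval, z: Interval,
                         a: float, b: float, rho_min: float) -> bool:
    """Closed-form condition (c) of Theorem 2 for 'z' staying private; it must
    agree with is_private() applied to the overlap interval from posterior_ratio."""
    low = max(z.l, a * y.l / (x.u - b))
    up = min(z.u, a * y.u / (x.l - b)) if x.l > b else z.u
    return up / low >= ratio_threshold(rho_min)


def privacy_report(intervals: dict, rho_min: float) -> dict:
    """Parameter name -> whether it is (still) private at level rho_min."""
    return {name: is_private(iv, rho_min) for name, iv in intervals.items()}


if __name__ == "__main__":
    RHO_MIN = 0.2                      # u/l must stay >= 1.5 to remain private

    # Fixed ratio benefit sharing (Proposition 1a): the buyer learns h_A / c.
    # Constructed priors: h_A is estimated well, c poorly.
    h_a, c = Interval(11.5, 12.5), Interval(80.0, 160.0)
    h_a_post, c_post = posterior_linear(h_a, c, a=0.125, b=0.0)   # h_A = 0.125 * c
    print("fixed ratio, before:", privacy_report({"h_A": h_a, "c": c}, RHO_MIN))
    print("fixed ratio, after: ", privacy_report({"h_A": h_a_post, "c": c_post}, RHO_MIN))

    # Cost-based benefit sharing (Proposition 1b): the buyer learns
    # f_A = a*h_A/c + b with a = q_J^2/2 and b = q_J^2*h_B/(2d) - f_B
    # (constructed: q_J = 200, h_B = 2, d = 1000, f_B = 100 -> a = 20000, b = -60).
    f_a, c = Interval(20.0, 80.0), Interval(1000.0, 4000.0)
    f_a_post, h_a_post, c_post = posterior_ratio(f_a, Interval(9.0, 11.0), c, 20000.0, -60.0)
    print("cost-based, after:  ", privacy_report({"f_A": f_a_post, "h_A": h_a_post, "c": c_post}, RHO_MIN))
```

In the first case the accurate estimate of $h_A$ collapses the interval for c to [92, 100], so c is no longer private; in the second the uncertainty about $f_A$ keeps c private even though $h_A$ is known well.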

3.2. Stochastic security of the JELS model

In Section 2.3 we demonstrated that the JELS model is not deterministically secure. Most naturally we should assume that this also implies that stochastic security (according to Definition 3) is not given. This, however, only holds true if all relevant parameters are private according to our privacy measure $\rho(\cdot)$ and the privacy threshold $\rho_{min}$ prior to collaborative planning, i.e. $D_A^{prior} = \{$"c", "$f_A$", "$h_A$"$\}$ and $D_B^{prior} = \{$"$f_B$", "$h_B$"$\}$. When analyzing deterministic security and inverse optimization we assumed that $\{c, f_A, h_A\}$ are unknown to B and $\{f_B, h_B\}$ unknown to A. As mentioned previously, we could now, however, also encounter situations in which one party has an accurate prior estimate of another party's data, e.g. $\rho(H_A^{prior}) \le \rho_{min}$. In Propositions 2 and 3, we establish relevant properties of the JELS model and our two benefit sharing rules with respect to stochastic security. These are based directly on the properties stated in Theorems 1 and 2.


Proposition 2.

(a) The JELS model with fixed ratio benefit sharing is not a stochastically secure collaborative planning mechanism according to Definition 3.

(b) The JELS model with fixed ratio benefit sharing is one-sided stochastically secure for the supplier if "$f_A$" $\notin D_A^{prior}$, "$h_A$", "c" $\in D_A^{prior}$ and
$$\min\!\left(\frac{u_{H_A}^{prior}}{a \cdot l_C^{prior}},\; \frac{a \cdot u_C^{prior}}{l_{H_A}^{prior}}\right) \ge \frac{1 + \rho_{min}}{1 - \rho_{min}},$$
where $a = 2 \cdot (n+1) \cdot p \cdot q_B^* \big/ \big(d \cdot (q_B^* - q_J^*)^2\big) - 2 \cdot (n+1) \cdot \tfrac{1}{2} \cdot h_B \cdot (q_B^*/d - f_B/q_J^*)/(q_J^* - q_B^*) - h_B/d$.

Corresponding to the results obtained for deterministic security, we observe that the JELS model with fixed ratio benefit sharing is also not stochastically secure. If, however, the buyer has good prior knowledge about the supplier's fixed set-up costs (i.e. "$f_A$" $\notin D_A^{prior}$), he may, under certain conditions (stated in part b of Proposition 2) not be able to obtain an accurate estimate of $h_A$ and c. In this case, we would consider the JELS model with fixed ratio benefit sharing a one-sided secure collaborative planning mechanism. In Proposition 3, we provide the corresponding results for the case in which a cost-based benefit sharing rule is employed.

Proposition 3.

(a) The JELS model with cost-based benefit sharing is not a stochastically secure collaborative planning mechanism according to Definition 3.

(b) The JELS model with cost-based benefit sharing is a one-sided stochastically secure collaborative planning mechanism for the supplier if the following conditions are satisfied:

(1) If "$f_A$" $\in D_A^{prior}$, then
$$\frac{\min\!\big(u_{F_A}^{prior},\; a \cdot u_{H_A}^{prior}/l_C^{prior} + b\big)}{\max\!\big(l_{F_A}^{prior},\; a \cdot l_{H_A}^{prior}/u_C^{prior} + b\big)} \ge \frac{1 + \rho_{min}}{1 - \rho_{min}}$$

(2) If "$h_A$" $\in D_A^{prior}$, then
$$\frac{\min\!\big(a \cdot u_{H_A}^{prior},\; (u_{F_A}^{prior} - b) \cdot u_C^{prior}\big)}{\max\!\big(a \cdot l_{H_A}^{prior},\; (l_{F_A}^{prior} - b) \cdot l_C^{prior}\big)} \ge \frac{1 + \rho_{min}}{1 - \rho_{min}}$$

(3) If "c" $\in D_A^{prior}$, then

(i)
$$\frac{\min\!\big(u_C^{prior},\; a \cdot u_{H_A}^{prior}/(l_{F_A}^{prior} - b)\big)}{\max\!\big(l_C^{prior},\; a \cdot l_{H_A}^{prior}/(u_{F_A}^{prior} - b)\big)} \ge \frac{1 + \rho_{min}}{1 - \rho_{min}} \quad (\text{for } l_{F_A}^{prior} > b)$$
or

(ii)
$$\frac{u_C^{prior}}{\max\!\big(l_C^{prior},\; a \cdot l_{H_A}^{prior}/(u_{F_A}^{prior} - b)\big)} \ge \frac{1 + \rho_{min}}{1 - \rho_{min}} \quad (\text{for } l_{F_A}^{prior} \le b),$$

where $a = \tfrac{1}{2} \cdot q_J^{*2}$ and $b = \tfrac{1}{2} \cdot q_J^{*2} \cdot h_B/d - f_B$. The results of Proposition 3 follow directly from Theorem 2.

From Proposition 3 we observe – similar to the analysis of deterministic security – that the JELS model with cost-based benefit sharing is not stochastically secure. Given certain conditions (stated in Proposition 2b) regarding the prior knowledge about the supplier's data, the JELS model with cost-based benefit sharing can be one-sided stochastically secure from the supplier's point of view.

4. Stochastic benefit sharing

Given the results of our previous analysis the question arises whether and under which conditions the JELS model can be made (more) secure both from the supplier's and buyer's point of view. The results presented in Section 2.3 demonstrate that if the supplier and buyer both only knew the joint economic lot size $q_J^*$, they would not be able to infer much information about each other's private data. However, if the side payment p is revealed, both parties can employ (deterministic or stochastic) inverse optimization to infer details about each other's private data. As one way to remedy this problem, we propose a stochastic benefit sharing rule. This implies that instead of sharing benefits according to some deterministic rule (fixed ratio or cost-based), the side payment will be a random variable drawn from a distribution defined upon certain feasibility and incentive rationality constraints and agreed upon by both parties. The rationale behind stochastic benefit sharing is rather intuitive: if the side payment is a random variable, both the supplier and the buyer will be able to infer "less" information about each other's private parameters by means of inverse optimization. The implications of stochastic benefit sharing on deterministic security of the JELS model (analyzed in Section 2.3) are straightforward: if the side payment is a random variable, neither the buyer nor the supplier can obtain perfect knowledge about the other party's private data. However, as we have highlighted previously, this will not solve the practical issues that motivated our notion of stochastic security. Clearly, if the side payment were drawn from a distribution with very low dispersion, both parties would not be able to obtain perfect knowledge, but very accurate estimates of each other's private data. Under such conditions, those parties that are sensitive to revealing private data would most likely not participate in collaborative planning.

We face two practical problems in defining a distribution for the stochastic side payment: on the one hand, we want to choose a distribution with high dispersion from which little additional information can be inferred; on the other hand, we have to ensure that benefit sharing is attractive (i.e. incentive rational) for the buyer and the supplier. To develop a stochastic benefit sharing rule and to analyze whether it leads to a stochastically secure collaborative planning mechanism, we first define (weak) incentive rationality constraints. Let P denote the random side payment. In a single period setting, benefit sharing will only be incentive rational for both the supplier and the buyer if $P \in [TRC_B(q_J^*) - TRC_B(q_B^*),\; TRC_A(q_B^*) - TRC_A(q_J^*)]$. For simplicity and notational brevity, we will denote by $\underline{p} = TRC_B(q_J^*) - TRC_B(q_B^*)$ the lower bound of the distribution of P and by $\bar{p} = TRC_A(q_B^*) - TRC_A(q_J^*)$ its upper bound. Obviously, both parties will learn least about each other's private data if $P \sim U(\underline{p}, \bar{p})$.

In the following section, we first show how this stochastic benefit sharing rule can be translated into a secure protocol. Thereupon we derive relevant conditions that need to be satisfied for the JELS model with stochastic benefit sharing to be stochastically secure according to Definition 3.

4.1. A secure protocol for stochastic benefit sharing

For secure computation of the JELS model with stochastic benefit sharing, we utilize the same approach as described in Section 2.2. Since the (deterministic or stochastic) benefit is computed separately from $q_J^*$, it only requires a protocol for secure computation of the realization of P. The corresponding circuit with the required building blocks for our protocol is displayed in Fig. 4.

We reformulate the stochastic side payment to $P = R \cdot (\bar{p} - \underline{p})/(2^l - 1) + \underline{p}$, where $R \sim U(0, 2^l - 1)$ is a uniformly chosen l-bit random number. To reduce the size of the circuit, we compute a multiple $(2^l - 1)P$ of the side payment which saves one division in the circuit compared to computing P. This multiple $(2^l - 1)P$ can be used to locally and non-securely compute P without any loss of privacy. A chooses $r_A$ and B chooses $r_B$, such that the jointly chosen $R = r_A \oplus r_B$ is fair and no one can manipulate its outcome (see Franklin, 1993, for a detailed discussion about the "fairness" problem). The inner box in Fig. 4 computes $\bar{p}$ which we use to construct the remainder of the circuit according to our reformulation of the side payment above. We use the same building blocks in the entire construction as the ones used in Section 2.2 – multiplication and addition. Exclusive-Or (xor) is a bitwise operation implemented using l exclusive-or (xor) gates. As before, the gray values on the left side of Fig. 4 denote private information of the buyer and the gray values on the top denote private information of the supplier. An implementation of this circuit using Yao's protocol will be secure according to Definition 1. We implemented this circuit in the same framework as the protocols for $q_J^*$ and p described in Section 2.2.

Fig. 4. Stochastic benefit sharing circuit.

4.2. Stochastic security of the JELS model with stochastic benefit sharing

Given the protocol for secure computation of $q_J^*$ (Section 2.2) and the protocol for P developed in the previous section, we now have to assess the potential of inverse optimization to determine whether the JELS model with stochastic benefit sharing is secure. The supplier and the buyer will both know the value $q_J^*$ and the realization of P. Since they have both agreed upon the stochastic benefit sharing rule, they also know $P \sim U(\underline{p}, \bar{p})$ and the following functional relationships:

$$\bar{p} = d \cdot (f_A + f_B) \cdot (q_J^* - q_B^*)^2 \big/ \big(q_J^{*2} \cdot q_B^*\big), \quad (4)$$

$$\underline{p} = d \cdot f_B \cdot (1/q_J^* - 1/q_B^*) + \tfrac{1}{2} \cdot h_B \cdot (q_J^* - q_B^*). \quad (5)$$

To assess whether the JELS model with stochastic benefit sharing is a secure collaborative planning mechanism we now have to determine which additional information the two parties can infer from the output values $q_J^*$ and p in conjunction with $P \sim U(\underline{p}, \bar{p})$ and the known functional relationships in Eqs. (4) and (5). We use our results from Theorems 1 and 2 to derive necessary conditions for stochastic security of the JELS model with stochastic benefit sharing. These conditions are summarized in Proposition 4.

Proposition 4.

(a) The JELS model with stochastic benefit sharing is stochastically secure if the following conditions are satisfied:

(1) For the supplier:

(i) If "$f_A$" $\in D_A^{prior}$, then
$$u_{F_A}^{prior} \Big/ \left(\frac{p}{d} \cdot \frac{q_J^{*2} \cdot q_B^*}{(q_J^* - q_B^*)^2} - f_B\right) \ge \frac{1 + \rho_{min}}{1 - \rho_{min}} \quad \left(\text{for } \frac{p}{d} \cdot \frac{q_J^{*2} \cdot q_B^*}{(q_J^* - q_B^*)^2} - f_B > 0\right),$$

(ii) If "$h_A$" $\in D_A^{prior}$ or "c" $\in D_A^{prior}$, then
$$\frac{u_{H_A}^{prior}}{l_C^{prior}} \Big/ \left(\frac{2p}{d} \cdot \frac{q_B^*}{(q_J^* - q_B^*)^2} - \frac{h_B}{d}\right) \ge \frac{1 + \rho_{min}}{1 - \rho_{min}} \quad \left(\text{for } \frac{2p}{d} \cdot \frac{q_B^*}{(q_J^* - q_B^*)^2} - \frac{h_B}{d} > 0\right).$$

(2) For the buyer:

(i) If "$f_B$" $\in D_B^{prior}$, then
$$\frac{\min\!\big(u_{F_B}^{prior},\; u_{F_B}^{new}\big)}{\max\!\big(l_{F_B}^{prior},\; l_{F_B}^{new}\big)} \ge \frac{1 + \rho_{min}}{1 - \rho_{min}},$$

(ii) If "$h_B$" $\in D_B^{prior}$, then
$$\frac{\min\!\big(u_{H_B}^{prior},\; u_{H_B}^{new}\big)}{\max\!\big(l_{H_B}^{prior},\; l_{H_B}^{new}\big)} \ge \frac{1 + \rho_{min}}{1 - \rho_{min}},$$

where $l_{F_B}^{new}$, $u_{F_B}^{new}$, $l_{H_B}^{new}$ and $u_{H_B}^{new}$ can be derived numerically from Eqs. (4) and (5) (see proof in Appendix).

(b) The JELS model with stochastic benefit sharing is one-sided stochastically secure for the supplier (buyer) if only the conditions stated in a1 (a2) are satisfied.

From Proposition 4 we observe that under certain conditions the JELS model with stochastic benefit sharing is stochastically secure. Structurally, these conditions are similar to those derived in Propositions 2 and 3 and can be interpreted in the same way. However, the security of the JELS model with stochastic benefit sharing is now dependent on the realization p of the stochastic side payment. In the deterministic case, e.g., with fixed ratio benefit sharing, both parties were able to infer the overall benefit as well as the values of other parameters based on their knowledge of p (and $q_J^*$). Now, under stochastic benefit sharing, they also gain additional, although less, information from their knowledge of p: from Eqs. (4) and (5) they know

$$d \cdot f_B \cdot (1/q_J^* - 1/q_B^*) + \tfrac{1}{2} \cdot h_B \cdot (q_J^* - q_B^*) \;\le\; p \;\le\; d \cdot (f_A + f_B) \cdot (q_J^* - q_B^*)^2 \big/ \big(q_J^{*2} \cdot q_B^*\big).$$

From this inequality, bounds for the unknown parameters can be inferred. Consider, for example, condition 1, (i) in Proposition 4a. Rearranging terms lets us determine a security threshold $\hat{p}$ for the realization of P:

$$\hat{p} = \left(u_{F_A}^{prior} \cdot \frac{1 - \rho_{min}}{1 + \rho_{min}} + f_B\right) \cdot \frac{d \cdot (q_J^* - q_B^*)^2}{q_J^{*2} \cdot q_B^*}.$$

All other parameters given, "$f_A$" will only remain secure if $p \le \hat{p}$. Based on this security threshold it is straightforward to interpret condition 1, (i): stochastic benefit sharing will only guarantee that "$f_A$" remains secure if $\hat{p} \ge \bar{p}$, i.e. the security threshold is not lower than the upper bound of the side payment. In case that $\underline{p} \le \hat{p} < \bar{p}$, "$h_A$" will remain secure for realizations of P in the interval $[\underline{p}, \hat{p}]$, and will not remain secure for realizations in the interval $]\hat{p}, \bar{p}]$. Furthermore, it is easy to see that "$f_A$" will never remain secure if $\hat{p} < \underline{p}$. For $\hat{p} < \bar{p}$ stochastic benefit sharing cannot simultaneously guarantee stochastic security and incentive rationality defined in Eq. (1). In such a situation, security can only be ensured if the incentive rationality requirements can be relaxed such that $\hat{p} \ge \bar{p}$. The same considerations also apply to the remaining conditions stated in Proposition 4. It is interesting to observe that the ability to construct a secure collaborative planning mechanism by means of a stochastic benefit sharing rule depends on the benefit of collaboration. The higher $JTRC(q_B^*) - JTRC(q_J^*)$, the larger will be the interval $[\underline{p}, \bar{p}]$ of the incentive rational P. If the benefit is very high, there is even some flexibility in setting the upper and lower bounds of P to guarantee a minimum surplus to both or either one of the parties. For a low overall benefit, we may encounter situations in which $[\underline{p}, \bar{p}]$ will either not ensure stochastic security or upper and lower bounds have to be relaxed and will not guarantee incentive rationality. Apart from letting the joint quantity "$q_J$" be a random variable and sacrificing optimality of the collaborative planning approach, we have no other means of ensuring stochastic security. In a game with multiple repetitions, this issue may be resolved by defining lower and upper bounds of P, which induce long run incentive rationality but may allow for losses incurred by one of the parties in individual periods.
A multi-period setting, however, raises additional security issues that are not addressed in our paper: from multiple observations of $q_J^*$ and p, both parties may infer additional information about each other's private data. The final results of our analysis are summarized in Table 2.

Table 2. Deterministic and stochastic security of the JELS model with deterministic and stochastic benefit sharing.

                              For the supplier                                              For the buyer
                              Determ. secure?   Stochast. secure?                           Determ. secure?   Stochast. secure?
Fixed ratio benefit sharing   NO (Prop. 1a)     YES, but under certain conditions (Prop. 2b)   NO (Prop. 1a)     NO (Prop. 2a)
Cost-based benefit sharing    YES (Prop. 1b)    YES, but under certain conditions (Prop. 3b)   NO (Prop. 1b)     NO (Prop. 3a)
Stochastic benefit sharing    YES               YES, but under certain conditions (Prop. 4)    YES               YES, but under certain conditions (Prop. 4)
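The stochastic benefit sharing rule of Section 4.1 and the security threshold $\hat{p}$ discussed above, evaluated in the clear on constructed data (an added example, not the authors' implementation): it computes $\underline{p}$ and $\bar{p}$ from Eqs. (5) and (4), forms P from two l-bit shares $r_A \oplus r_B$ exactly as the circuit does via the multiple $(2^l - 1)P$, and checks condition a(1)(i) of Proposition 4 against $\hat{p}$. The formulas for $q_B^*$ (the buyer's EOQ) and $q_J^*$ (the relation $f_A = \tfrac{1}{2} q_J^{*2} h_A/c + \tfrac{1}{2} q_J^{*2} h_B/d - f_B$ from Section 3 solved for $q_J^*$) are assumptions, since this part of the page does not restate them.

```python
"""Added example (not the authors' implementation): the stochastic benefit
sharing rule of Section 4 evaluated in the clear on constructed data, showing
the incentive-rational interval [p_low, p_up] of Eqs. (5) and (4), the
realization P = R*(p_up - p_low)/(2^l - 1) + p_low with R = r_A xor r_B, and the
security threshold p_hat for "f_A" from condition a(1)(i) of Proposition 4.
Assumptions: q_B* = sqrt(2 d f_B / h_B) (buyer's EOQ) and
q_J* = sqrt(2 (f_A + f_B) / (h_A/c + h_B/d)), i.e. the Section 3 relation
f_A = 1/2 q_J*^2 h_A/c + 1/2 q_J*^2 h_B/d - f_B solved for q_J*."""
import math
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Buyer:
    d: float    # demand rate
    f_B: float  # ordering cost
    h_B: float  # holding cost


@dataclass(frozen=True)
class Supplier:
    f_A: float  # set-up cost
    h_A: float  # holding cost
    c: float    # capacity


def q_buyer(b: Buyer) -> float:
    """Buyer's individually optimal lot size q_B* (assumed EOQ formula)."""
    return math.sqrt(2.0 * b.d * b.f_B / b.h_B)


def q_joint(b: Buyer, s: Supplier) -> float:
    """Joint economic lot size q_J* (assumed, from the relation quoted in Section 3)."""
    return math.sqrt(2.0 * (s.f_A + b.f_B) / (s.h_A / s.c + b.h_B / b.d))


def payment_bounds(b: Buyer, s: Supplier):
    """Lower bound p_low (Eq. 5) and upper bound p_up (Eq. 4) of the side payment."""
    q_b, q_j = q_buyer(b), q_joint(b, s)
    p_low = b.d * b.f_B * (1.0 / q_j - 1.0 / q_b) + 0.5 * b.h_B * (q_j - q_b)
    p_up = b.d * (s.f_A + b.f_B) * (q_j - q_b) ** 2 / (q_j ** 2 * q_b)
    return p_low, p_up


def side_payment(p_low: float, p_up: float, r_a: int, r_b: int, l: int) -> float:
    """Realization of P for l-bit shares r_A, r_B.  As in the circuit of Fig. 4,
    the multiple (2^l - 1)*P is formed first and P is recovered by one local
    division afterwards."""
    r = r_a ^ r_b                                          # R = r_A xor r_B, uniform on 0..2^l-1
    multiple = r * (p_up - p_low) + (2 ** l - 1) * p_low   # = (2^l - 1) * P
    return multiple / (2 ** l - 1)


def f_a_threshold(b: Buyer, s: Supplier, u_fa_prior: float, rho_min: float) -> float:
    """Security threshold p_hat: "f_A" remains private only for realizations p <= p_hat."""
    q_b, q_j = q_buyer(b), q_joint(b, s)
    t = (1.0 - rho_min) / (1.0 + rho_min)
    return (u_fa_prior * t + b.f_B) * b.d * (q_j - q_b) ** 2 / (q_j ** 2 * q_b)


def f_a_private_after(b: Buyer, s: Supplier, p: float, u_fa_prior: float, rho_min: float) -> bool:
    """Condition a(1)(i) of Proposition 4 checked directly: from p <= p_up and
    Eq. (4) the buyer infers f_A >= p/d * q_J^2 q_B / (q_J - q_B)^2 - f_B."""
    q_b, q_j = q_buyer(b), q_joint(b, s)
    inferred_low = p / b.d * q_j ** 2 * q_b / (q_j - q_b) ** 2 - b.f_B
    if inferred_low <= 0:
        return True          # bound is vacuous (the condition is only stated for > 0)
    return u_fa_prior / inferred_low >= (1.0 + rho_min) / (1.0 - rho_min)


if __name__ == "__main__":
    buyer = Buyer(d=1000.0, f_B=100.0, h_B=2.0)            # constructed
    supplier = Supplier(f_A=400.0, h_A=4.0, c=4000.0)      # constructed
    L, RHO_MIN, U_FA_PRIOR = 32, 0.2, 450.0                # buyer's prior upper bound on f_A
    p_low, p_up = payment_bounds(buyer, supplier)
    r_a, r_b = secrets.randbits(L), secrets.randbits(L)    # each party draws its own share
    p = side_payment(p_low, p_up, r_a, r_b, L)
    p_hat = f_a_threshold(buyer, supplier, U_FA_PRIOR, RHO_MIN)
    print(f"incentive-rational P in [{p_low:.2f}, {p_up:.2f}]; realization p = {p:.2f}")
    print(f"f_A stays private for p <= {p_hat:.2f}: "
          f"{f_a_private_after(buyer, supplier, p, U_FA_PRIOR, RHO_MIN)}")
```

With these constructed values $\underline{p} < \hat{p} < \bar{p}$, so the sample is the case discussed above in which "$f_A$" stays private only for realizations up to $\hat{p}$.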

5. Conclusions and directions for future research

Although collaborative planning has been identified as a powerful measure to enhance supply chain performance, companies are often not willing to engage in such approaches – the major reason being their reluctance towards sharing sensitive data. Motivated by this – perhaps most important – obstacle to collaborative planning, the research in this paper focuses on the use of privacy preserving techniques for collaborative planning in supply chains. Focusing on the well-known JELS model, we first demonstrated how SMC can be employed to securely compute the joint economic lot size and the monetary benefits that are shared among the parties. Although the proposed protocols ensure that during computation sensitive data is not disclosed, secure multi-party computation does not ensure that partners cannot infer private data of other partners based on the outcome of collaborative planning (i.e. the joint optimal lot size and the individual benefits). We termed this as inverse optimization (according to Atallah et al., 2006) and analyzed to which extent it can be exploited by individual partners to infer private data of the other partner based on the output of the JELS model. In its original sense (as proposed by Atallah et al., 2006), inverse optimization referred to obtaining perfect knowledge about another party's private data; however, it did not capture that one party could obtain a very precise (although imperfect) estimate of the other party's private data based on the results of collaborative planning. In our research, we introduced a novel approach, termed as stochastic security, which is based on the notion that each party has some prior (imperfect) knowledge about the other party's private data and may improve this knowledge based on the joint planning results. Clearly, in such a setting, security depends on how much additional knowledge a party can obtain. We provided a formal definition of stochastic security and developed two (generally applicable) theorems to define under which conditions parameters with a known functional relationship will remain secure in a collaborative planning approach. These theorems enabled an in-depth analysis of stochastic security of the JELS model. To improve security we also proposed a (feasible and incentive rational) stochastic benefit sharing rule and developed a corresponding protocol for secure computation of the benefit. Based on the general theorems for stochastic security we defined conditions under which this benefit sharing approach will guarantee (stochastic) security of the parties' private data. One interesting finding in this context is that the size of the monetary benefit of the JELS model implicitly drives the likelihood that collaborative planning can be conducted in a secure fashion. Our findings imply that in a situation with high potential benefits through collaboration it is easier to ensure data privacy.

Our analysis also demonstrated that, even with stochastic benefit sharing, we might encounter situations in which stochastic security cannot be guaranteed. In such situations, security can only be achieved if, in addition to the benefit, the joint optimal order quantity is also defined as a random variable (with corresponding feasibility constraints) or if we relax incentive rationality constraints. The latter may especially be feasible in a multi-period setting. These conjectures lead directly to interesting avenues for future research: it would be interesting to study how much additional information individual parties can infer from multiple repetitions of a collaborative planning model (e.g. the secure JELS model with stochastic benefit sharing). This is not only interesting in our particular context, but also with respect to alternative collaboration schemes such as the one proposed by Atallah et al. (2006).
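To make the inverse optimization and stochastic security arguments concrete, the following is an added example in Python; it is not code from the paper and not the authors' protocol. It assumes the classic lot-for-lot JELS cost function of Banerjee (1986), q_J* = sqrt(2D(A_b + A_s)/(h_b + h_s D/P)), uses constructed cost and capacity numbers, and stands in for the paper's prior-knowledge model with a uniform grid over the supplier's unknown parameters; the paper's own notation, theorems and stochastic benefit sharing rule are not reproduced. It shows three things discussed above: a buyer who already knows all but one supplier parameter recovers the last one exactly from q_J*; a buyer who knows only its own data still learns the exact functional relationship between the supplier's setup and holding terms; and how much of the prior survives when the published lot size is exact versus when it is only known to lie in an interval, i.e. the effect of defining the joint order quantity as a random variable.

```python
"""Inverse optimization against a Banerjee-style JELS model (added example).

Assumed cost model (Banerjee, 1986, lot-for-lot case), not the paper's notation:
    TC(q) = D * (A_b + A_s) / q + (q / 2) * (h_b + h_s * D / P)
    q_J*  = sqrt(2 * D * (A_b + A_s) / (h_b + h_s * D / P))
D: buyer demand rate, P: supplier production rate (capacity),
A_b/A_s: buyer/supplier setup cost, h_b/h_s: buyer/supplier holding cost.
All numbers below are constructed for illustration.
"""
from itertools import product
from math import sqrt


def jels_lot_size(D, A_b, h_b, A_s, h_s, P):
    """Joint economic lot size that minimizes TC(q)."""
    return sqrt(2 * D * (A_b + A_s) / (h_b + h_s * D / P))


def buyer_inverts_setup_cost(q_J, D, A_b, h_b, h_s, P):
    """Deterministic inverse optimization: a buyer that already knows h_s and P
    solves the lot size formula for the supplier's setup cost A_s exactly."""
    return q_J ** 2 * (h_b + h_s * D / P) / (2 * D) - A_b


def supplier_holding_term(q_J, D, A_b, h_b, A_s):
    """With only its own data and q_J, the buyer cannot separate A_s from
    h_s*D/P, but it learns their exact functional relationship: for every
    candidate A_s there is exactly one consistent value of h_s*D/P."""
    return 2 * D * (A_b + A_s) / q_J ** 2 - h_b


def posterior_support(q_obs, tol, D, A_b, h_b, A_s_grid, hterm_grid):
    """Stochastic view: a uniform prior over candidate supplier pairs
    (A_s, h_s*D/P) is conditioned on the published lot size.  A pair survives
    if its implied q_J lies within tol of q_obs; tol = 0 models an exactly
    published optimum, tol > 0 a quantity only known up to an interval.
    Returns the surviving pairs and the fraction of the prior that survives."""
    survivors = [
        (A_s, hterm)
        for A_s, hterm in product(A_s_grid, hterm_grid)
        if abs(sqrt(2 * D * (A_b + A_s) / (h_b + hterm)) - q_obs) <= tol
    ]
    return survivors, len(survivors) / (len(A_s_grid) * len(hterm_grid))


# Constructed scenario: the supplier's true private data is A_s = 300, h_s = 1, P = 4000.
D, A_b, h_b = 1000, 105, 2
TRUE_A_s, TRUE_h_s, TRUE_P = 300, 1, 4000
# Buyer's prior (constructed, standing in for the paper's prior model): supplier
# setup cost between 100 and 600, holding term h_s*D/P between 0.05 and 1.0.
A_S_GRID = list(range(100, 601, 10))
HTERM_GRID = [k / 20 for k in range(1, 21)]


def demo():
    """Run the three inference steps and return the numbers a reader can check."""
    q_J = jels_lot_size(D, A_b, h_b, TRUE_A_s, TRUE_h_s, TRUE_P)
    exact_A_s = buyer_inverts_setup_cost(q_J, D, A_b, h_b, TRUE_h_s, TRUE_P)
    _, frac_exact = posterior_support(q_J, 0.0, D, A_b, h_b, A_S_GRID, HTERM_GRID)
    _, frac_band = posterior_support(q_J, 5.0, D, A_b, h_b, A_S_GRID, HTERM_GRID)
    _, frac_wide = posterior_support(q_J, 50.0, D, A_b, h_b, A_S_GRID, HTERM_GRID)
    return {
        "q_J": q_J,
        "A_s_recovered": exact_A_s,
        "hterm_on_curve": supplier_holding_term(q_J, D, A_b, h_b, TRUE_A_s),
        "prior_surviving_exact": frac_exact,
        "prior_surviving_tol5": frac_band,
        "prior_surviving_tol50": frac_wide,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>24}: {value}")
```

Run as a script, the output shows that with the exact optimum published only a handful of the 1020 prior pairs remain consistent, while widening the interval in which the buyer knows the lot size to lie (tol = 50) leaves a much larger share of the prior intact; the posterior never collapses to a single point from q_J alone, because the buyer observes one equation in two unknowns, which is the "known functional relationship" case the theorems above address.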

Clearly, a large part of our research results was based on the specific setting of the JELS model. Therefore, not all of our results are universally applicable to other collaboration schemes. The problem of inverse optimization, however, is prevalent in any collaborative planning approach in which data privacy has to be ensured, not only when SMC is applied, but also when a trusted third party (e.g. a 3PL) performs the computation. With our research we developed important insights into potential issues that also need to be resolved in collaborative approaches other than the JELS model. In recent years, for example, coordination between parties on two subsequent stages in the supply chain has received considerable attention (see, for example, Tsay et al., 1999). A number of different contracts (e.g. buy-back and revenue-sharing contracts) that (may) lead to channel coordination have been identified and analyzed for settings in which the downstream party (e.g. a retailer) behaves like a fixed price or price setting newsvendor (e.g., Cachon and Lariviere, 2005). In such situations, coordination (i.e. first best) can also be achieved through collaboration between the upstream and downstream party. However, each party has to disclose relevant sensitive information, and an appropriate benefit sharing scheme is required to incentivize both parties. The analogy to the problem in this paper is obvious, and it is easy to observe that data security and inverse optimization are at least as important and relevant as in the context of the JELS model. We believe that our results regarding secure collaboration, inverse optimization and stochastic benefit sharing can be transferred to such settings. Similarly, secure collaboration can be utilized in Vendor Managed Inventory (VMI) systems, where a vendor/manufacturer uses sensitive information of its customers (i.e. demand and inventory data) to better manage channel inventories. Yu et al. (2009a,b) model a VMI system as a non-cooperative Stackelberg game where the manufacturer as the leader maximizes his profits by considering the best responses of his retailers. In such a scenario, we can already observe relevant issues related to data security: VMI can only be implemented if the retailers share their sensitive demand and inventory data. However, Yu et al. show that a cooperative game between the manufacturer and the retailers would benefit the overall system and may potentially lead to a win-win situation for all parties involved. Such a cooperative game exhibits strong structural similarities with collaborative planning in the context of the JELS model: sensitive data of multiple (even competing) parties is required to determine a cooperative policy, and the manufacturer must be incentivized to deviate from the Stackelberg equilibrium through some incentive rational benefit sharing scheme. We believe that the results of the research presented in this paper, especially the findings related to secure protocols, benefit sharing and stochastic security, can be used to improve the overall outcome of such a supply chain game. Our results may be even more relevant in a situation with multiple competing and heterogeneous retailers, where both the manufacturer and retailers decide upon product prices and can exert marketing efforts (Yu and Huang, 2010). In this type of scenario, issues related to revelation of sensitive data, coordination of decisions and benefit sharing are even more prevalent. The notion and formal definition of stochastic security as well as the general theorems that were developed in our paper may provide a fruitful basis to devise collaborative planning schemes that preserve data privacy and improve the overall system performance.

Acknowledgement

The authors would like to thank Roland Füss for his insightful comments.

Appendix A. Supplementary material

Supplementary data associated with this article can be found, in the online version, at doi:10.1016/j.ejor.2010.08.018.

References

Atallah, M.J., Elmongui, H.G., Deshpande, V., Schwarz, L.B., 2003. Secure supply-chain protocols. In: IEEE International Conference on Electronic Commerce, pp. 293–302.

Atallah, M.J., Blanton, M., Deshpande, V., Frikken, K., Li, J., Schwarz, L.B., 2006. Secure collaborative planning, forecasting, and replenishment (SCPFR). In: Multi-Echelon/Public Applications of Supply Chain Management Conference.

Bagchi, P.K., Skjoett-Larsen, T., 2005. Supply chain integration: A European survey. International Journal of Logistics Management 16 (2), 275–294.

Banerjee, A., 1986. A joint economic-lot-size model for buyer and supplier. Decision Sciences 17, 292–311.

Beame, P.W., Cook, S.A., Hoover, H.J., 1986. Log depth circuits for division and related problems. Society for Industrial and Applied Mathematics Journal on Computing 15 (4), 994–1003.

Cachon, G.P., Lariviere, M.A., 2005. Supply chain coordination with revenue-sharing contracts: Strengths and limitations. Management Science 51 (1), 30–44.

Clifton, C., Iyer, A., Cho, R., Jiang, W., Kantarcioglu, M., Vaidya, J., 2008. An approach to securely identifying beneficial collaboration in decentralized logistics systems. Manufacturing & Service Operations Management 10 (1), 108–125.

Even, S., Goldreich, O., Lempel, A., 1985. A randomized protocol for signing contracts. Communications of the ACM 28 (6), 637–647.

Fawcett, S.E., Magnan, G.M., Williams, A.J., 2004. Supply chain trust is within your grasp. Supply Chain Management Review 8 (2), 20–26.

Franklin, M., 1993. Complexity and security of distributed protocols. Ph.D. dissertation, Columbia University.

Goldreich, O., 2002. Secure multi-party computation. <http://www.wisdom.weizmann.ac.il/~oded/pp.html>.

Goyal, S.K., 1976. An integrated inventory model for a single supplier – single customer problem. International Journal of Production Research 15 (1), 107–111.

Jap, S.D., 1999. Pie-expansion efforts: Collaboration processes in buyer–supplier relationships. Journal of Marketing Research (JMR) 36 (4), 461–475.

Karatsuba, A.A., 1995. The complexity of computations. Proceedings of the Steklov Institute of Mathematics 211, 169–183.

Karatsuba, A.A., Ofman, Y., 1962. Multiplication of many-digital numbers by automatic computers. Proceedings of the USSR Academy of Sciences 145, 293–294.

Lee, H.L., Whang, S., 2000. Information sharing in a supply chain. International Journal of Technology Management 20 (3/4), 373–387.

Lindell, Y., Pinkas, B., 2004. A proof of security of Yao's protocol for two-party computation. In: Electronic Colloquium on Computational Complexity, 11.

Lindell, Y., Pinkas, B., 2007. An efficient protocol for secure two-party computation in the presence of malicious adversaries. In: Proceedings of Eurocrypt 2007.

Malkhi, D., Nisan, N., Pinkas, B., Sella, Y., 2004. Fairplay – A secure two-party computation system. In: Proceedings of the 13th USENIX Security Symposium.

Oberman, S.F., Flynn, M.J., 1997. Division algorithms and implementations. IEEE Transactions on Computers 46 (8), 833–854.

Rabin, M., 1981. How to Exchange Secrets by Oblivious Transfer. Technical Memo TR-81, Aiken Computation Laboratory.

Redkin, N.P., 1981. On the minimal realization of a binary adder. Problemy Kibernet 38, 181–216.

Schneier, B., 1996. Applied Cryptography. Protocols, Algorithms, and Source Code in C, second ed. Wiley, New York.

Stadtler, H., 2009. A framework for collaborative planning and state-of-the-art. OR Spectrum 31 (1), 5–30.

Sucky, E., 2006. A bargaining model with asymmetric information for a single supplier–single buyer problem. European Journal of Operational Research 171 (2), 516–535.

Tsay, A.A., Nahmias, S., Agrawal, N., 1999. Modeling supply chain contracts: A review. In: Quantitative Models for Supply Chain Management. Kluwer, Boston et al., pp. 299–336.

Vereecke, A., Muylle, S., 2006. Performance improvement through supply chain collaboration in Europe. International Journal of Operations and Production Management 26 (11), 1176–1198.

Viswanathan, S., Widiarta, H., Piplani, R., 2007. Value of information exchange and synchronization in a multi-tier supply chain. International Journal of Production Research 45 (21), 5057–5074.

Wegener, I., 1996. Effiziente Algorithmen für grundlegende Funktionen. Mit zahlreichen Aufgaben und Beispielen. Teubner, Stuttgart.

Yao, A.C., 1982. Protocols for secure computations. In: Annual IEEE Symposium on Foundations of Computer Science.

Yao, A.C., 1986. How to generate and exchange secrets. In: Proceedings of the 27th IEEE Symposium on Foundations of Computer Science, pp. 162–167.

Yu, Y., Huang, G.Q., 2010. Nash game model for optimizing market strategies, configuration of platform products in a Vendor Managed Inventory (VMI) supply chain for a product family. European Journal of Operational Research 206 (2), 361–373.

Yu, Y., Chu, F., Chen, H., 2009a. A Stackelberg game and its improvement in a VMI system with a manufacturing vendor. European Journal of Operational Research 192 (3), 929–948.

Yu, Y., Huang, G.Q., Liang, L., 2009b. Stackelberg game-theoretic model for optimizing advertising, pricing and inventory policies in vendor managed inventory (VMI) production supply chains. Computers and Industrial Engineering 57 (1), 368–382.