Efficient Virtual Network Optimization across Multiple Domains without Revealing Private Information Toru Mano∗ , Takeru Inoue∗ , Dai Ikarashi† , Koki Hamada† , Kimihiro Mizutani∗ , Osamu Akashi∗ , ∗ NTT

Network Innovation Labs., Kanagawa 239–0847, Japan Email: [email protected], [email protected] † NTT Secure Platform Labs., Tokyo 180–0012, Japan Abstract—Building optimal virtual networks across multiple domains is an essential technology to offer flexible network services. However, existing research is founded on an unrealistic assumption; providers will share their private information including resource costs. Providers, as is well known, never actually do that to remain competitive. Technically, secure multiparty computation, which is a computational technique based on the cryptography, can be used to secure optimization, but it is too time-consuming. This paper presents a novel method to optimize virtual networks built over multiple domains, with great efficiency but without revealing any private information. Our method employs secure multi-party computation but only for masking sensitive values; it can optimize virtual networks under limited information without any time-consuming technique. It is solidly based on the theory of optimality, and is assured of finding reasonably optimal solutions. Experiments show that our method is fast and optimal in practice even concealing private information; it finds nearly optimal solutions in just a few minutes for large virtual networks with tens of nodes. This is the first work that can be implemented in practice for building optimal virtual networks across multiple domains. Index Terms—network virtualization, network optimization, secure multi-party computation

I. I NTRODUCTION Network virtualization [1]–[3] allows logically separated virtual networks (VNs) to coexist on a common physical infrastructure, and it provides network operators with flexibility, diversity, security, and manageability. Originally studied to resolve the so-called Internet ossification problem [4], it has become essential for offering QoS service and infrastructure as a service [5]. In network virtualization, the role of traditional ISPs is divided into those of service providers (SPs) and infrastructure providers (InPs); a SP makes a request to an InP for building a VN, while the InP embeds the VN onto its physical network. VN embedding is an optimization problem, in which the InP attempts to find a minimum cost mapping between the desired VN and its physical network with respect to constraints of physical resources (nodes and links) [3]. Although this problem is known to be N P-hard [6], many heuristics have been developed to locate better mappings [6]– [9] since InPs compete with mapping cost to win the contract. A VN can be built across multiple InPs, and doing so will be imperative in the future of network virtualization; VNs across multiple InPs, or inter-InP VNs, give SPs a lot of benefits,

such as end-to-end service delivery for several regions [10], business continuity under severe accidents, and diversity of resource functionality and performance. SPs want to get these optimal VNs at the lowest price, but this optimization is hard for SPs and InPs since no entity knows the entirety of the physical networks unlike the single InP case. Past research work on this problem [5], [10]–[13] assumed that InPs would share their private information like resource costs or prices with SPs and other InPs, but InPs have traditionally been reluctant to disclose them [14]; e.g., the disclosure allows their competitors to estimate their future bidding prices (InPs do not want to share their private information with SPs as well as other InPs though SPs are not their competitors, because SPs can often be InPs in another bid)1 . Despite much research effort on optimizing inter-InP VNs [5], [10]– [13], their optimization methods can never be implemented in practice as long as they rely on the assumption of private information revelation. Secure multi-party computation (MPC) [15], which enables participants to jointly compute a function while keeping the inputs private, can be used to solve this problem. However, it could take months to embed a VN to several InPs [16], since every primitive operation in MPC is executed in a distributed manner with attendant communication delays. Since candidate physical resources must be reserved during the computation, InPs have to pay very high opportunity costs [10]. In the past, MPC has been applied to various problems, including polynomial optimization problems [17], [18] and simple decision problems [19]–[21], but it has never been successfully applied to tough optimization problems like VN embedding. In this paper, we propose a novel optimization method that minimizes inter-InP VN price without sharing InPs’ private information, while using minimal MPC operations. We show our basic idea in Fig. 1; each InP identifies the pieces of the requested VN that can be embedded to its physical network, and the SP uses just the price order calculated by an MPC sort algorithm to select the optimal set of pieces that covers the whole VN. The SP cannot estimate the price of any piece from the order (e.g., given that the SP might be an InP in a future bid, it cannot know the price used to win the bid). 1 We

confirmed this view by private interviews with network operators.

(1) InPs enumerate embeddable VN pieces v1

v1

v2

v4

v3 v1

v2

v3

v3

Requested VN

v4

v1 v3

v2

InPgreen

InPred

InPblue

(2) SP and InPs sort the pieces by the prices with MPC v1

v4

v1

v2

v3

Price rank = 1,

v3

v3

2,

3,

4,

v1 v2

5 (expensive)

(3) SP selects optimal set of pieces to cover VN v4

v1 v2

v3

v3

Duplicated node v3 is removed from expensive blue piece

(4) InPs connect the optimal pieces v1 v2

InPgreen

v4 v3

InPred

InPblue

Fig. 1. Basic idea of optimizing a VN built across multiple InPs. (1) A SP makes a VN request to InPs, which enumerate embeddable pieces of the VN. (2) The SP and InPs cooperatively sort the pieces by their prices employing MPC, and the SP gets only the price order without seeing price values. (3) The SP searches for the optimal set of pieces that cover the whole VN, relying on just the price order, not price values. (4) The selected VN pieces are allocated to the InPs’ physical networks.

InPs are not informed of the price order, and so they cannot estimate the prices of the other InPs’ pieces at all. Since MPC is used just for sorting the pieces, our method can finish in a short time. In order to resolve this optimization problem given only the price order of VN pieces, we develop a new theory that defines the optimality of SPs and InPs; this theory gives a solid guideline for designing algorithms to find optimal solutions for SPs and InPs. •

•

For SPs, we introduce a theorem to minimize the worstcase VN price based on just the price order. We then utilize a sophisticated search algorithm with a cost function derived from the theory, which efficiently finds the optimal set of pieces. (Section III-A) For InPs, we present another theorem that states that it is sufficient for InPs to enumerate just the Pareto set of pieces, since other pieces play no role in the SP’s optimization. Since the resulting algorithm enumerates many fewer pieces, the SP’s search space is greatly

reduced without losing the opportunity of any InP for winning the bid. (Section III-B) We also design protocols to securely execute this distributed optimization process using MPC; e.g., InPs’ private information is kept confidential, and InPs’ cheating acts to illegally win a bid are deterred. (Section IV) Thorough numerical experiments show that our method finds VNs that are twice as optimal than those without price order; surprisingly, the VNs found by our method are only 20 % worse than those found with full price value disclosure. Our method requires just a couple of minutes to find optimal VNs even those with 40 nodes, due to the limited use of MPC. (Section V) Our method is designed to be practical enough to follow the complex policies of SPs and InPs; no existing work concerns itself with both SP and InP policies, as discussed in related work in Section VI. Our method allows InPs to filter out embeddable VN pieces, if these pieces violate their policies. SPs can examine VN pieces while considering InP reputation. This is the first work acceptable for InPs, since our method does not force them to share their private information. SPs are encouraged to use our method, since it can find near optimal VNs in reasonable computation time. We believe that our method will play a key role in building VNs across multiple InPs in the future Internet. II. V IRTUAL N ETWORK O PTIMIZATION WITH M ULTIPLE P ROVIDERS This section defines the VN optimization problem. A physical network is represented as an undirected graph consisting of physical nodes and links. Each physical node is associated with available capacity (CPU and/or memory) and type (functionalities and/or locations), and belongs to a single InP. Each link has available capacity (bandwidth), and belongs to an InP, or to two InPs if it is an inter-InP link. Nodes and links are both referred to as resources. A virtual network is also an undirected graph, G = (V, E). Each virtual node and virtual link, v ∈ V and e ∈ E, specifies the corresponding capacity requirement as, r(v) and r(e), respectively. A virtual node can be embedded in a physical node that has enough capacity with matched type. A virtual link is mapped to a physical path; all physical links on the path must have enough capacity, while a part of the path can be shared with other paths (Fig. 1(4) includes examples of a virtual link mapped to a physical path). Virtual links across InPs are configured with inter-InP links based on mutual agreement between the InPs [10]. Cost of virtual resources is determined based on required capacity and the physical resources to which the virtual resources are embedded. VN price, f (G), is determined by InPs based on the resource cost; we assume the price function is monotonic, i.e., f (G0 ) ≤ f (G) if G0 ⊆ G. Embedding a VN in a single InP is an optimization problem in which the InP finds the minimum cost embedding satisfying the constraints of resource capacity and node type. SPs are not involved in the optimization process.

VN optimization across multiple InPs involves a SP and InPs. The SP attempts to find the optimal VN partition that minimizes the price of the whole VN, while each InP embeds a given piece of the VN in its physical network. This is quite a tough problem, since SP’s optimization methods cannot rely on InPs’ private information, such as resource costs and prices, available resource capacities, and node types. The price of each piece is determined by the corresponding InP, and InPs try to lease larger (more profitable) VN pieces to the SP. We assume that the SP doesn’t have both roll of SP and InP simultaneously. We also assume that each VN request is processed independently and separately, and so we consider a single request at a time in this paper. III. T HEOREMS AND A LGORITHMS This section proposes two algorithms with related theorems. Section III-A discusses an algorithm in which a SP finds an optimal set of VN pieces as shown in Fig. 1(3), while Section III-B describes another algorithm for InPs to enumerate minimum necessary pieces as in Fig. 1(1). A. Selecting Optimal Virtual Network by Service Provider 1) Definitions: We define a VN piece as a subgraph of VN, P ⊆ G, which is embedded in a single InP. These pieces are enumerated by InPs, and they are used to cover the VN specified by the SP. Links that connect to another InP have an open-end with omitted nodes (Fig. 1(1–3)). These omitted nodes are not mapped to any physical node at enumeration. Virtual links with open-end will be connected with bonds after optimal pieces are selected. A bond, bi,j , is associated with a physical link between InPs i and j. Figure 1(4) requires two bonds; bgreen,red connects two virtual links between InPgreen and InPred , while bred,blue connects the virtual link between InPred and InPblue . Bonds are enumerated along with pieces by InPs (we omit them in the figure). Bonds are not concerned with resource requirements at enumeration, since they are not associated with any virtual link. Multiple virtual links can be allocated to a single bond if it has enough capacity. The set of pieces and bonds enumerated by all InPs is denoted by X . A subset of them enumerated by the i-th InP is represented as X i ⊆ X , while a subset of them selected by the SP is denoted by X s ⊆ X . If some virtual resources are commonly found in X s , they are associated with the best rank piece; e.g., in Fig. 1(3), virtual node v3 is found in the red and blue pieces, and is removed from the blue piece since its rank is worse. We refer to both a piece and a bond as X ∈ X , and refer to a piece or bond of i-th InP’s as X i . Coverage of piece c(P ) ∈ [0, 1] is defined as, P P e∈E(P )∩E r(e) v∈P ∩V r(v) + we P , c(P ) = wv P v∈V r(v) e∈E r(e)

where the coverages of nodes and links are weighted (wv + we = 1), and open-ended links are ignored (since they do not contribute to the coverage), that is, E(P ) = {{u, v} ∈ P : u ∈ P ∧ v ∈ P }. Bonds have no coverage, and so we have c(bi,j ) = 0 (∀i, j ∈ {1, · · · , n}).

We define the extended price of a piece, f¯(P ), as, f (P ) f¯(P ) = , c(P ) which represents an estimated VN price assuming that the piece is extended to cover the whole VN keeping the unit price. Open-ended links are tentatively priced assuming they will be connected to one of neighboring InPs. Similarly, the extended price of bond, f¯(b), is defined as, P f (b) 0 e∈E r(e) , f¯(b) = we

where f0 (b) is the unit price of the corresponding inter-InP link. The extended price will be used to sort pieces and bonds, and it will also be used to bound VN prices. 2) Optimization Problems: We discuss the optimization problems faced by the SP in covering its desired VN with the pieces and bonds enumerated by the InPs. Since SPs do not know about the InPs’ physical networks, they just try to cover the whole VN without considering available capacities of physical resources. Capacity requirement of inter-InP virtual links will be examined after the optimization, while pieces (virtual resources within an InP) are mapped to physical resources at enumeration. We begin with constraints. A SP selects zero or one piece from each InP, |{P ∈ X s ∩ X i : P is a piece}| ≤ 1 (∀i = 1, . . . , n),

(1)

where n is the number of InPs. This is because InPs do not guarantee to embed multiple pieces. Any number of bonds can be selected if necessary. We refer to this constraint as g1 (X s ). In order to connect a pair of open-ended virtual links, there must exist a sequence of bonds between the InPs; e.g., an open-ended virtual link, {u, v} = e, must be connected with a sequence of bonds between the InP of virtual node u and that of v, ∀{u, v} = e ∈ P ∈ X s : e is open-ended, ∃bInP(u),i0 , · · · , bik ,InP(v) ∈ X s ,

(2)

where virtual node v is mapped to InP(v). This constraint is referred as g2 (X s ). Given subset X s , we can determine the VN price as follows, f (X s ) =

n X i=1

f (X i ) +

X

X

f0 (b)r(e),

e∈E b (X s ) b∈B(e)

where E b (X s ) is a set of inter-InP virtual links, and B(e) is a set of bonds on inter-InP virtual link e. The first term means the price of pieces, and the second term is that of bonds. We define the SP’s optimization problem as follows, min

X s ⊆X

s.t.

f (X s ) g1 (X s ), and g2 (X s ), ∀v ∈ V, ∃P ∈ X s : v ∈ P,

∀e ∈ E, ∃P ∈ X s : e ∈ P,

(3) (4)

Algorithm 1: Select optimal VN by SP

1 2 3 4

5 6 7 8 9 10

Input: [X1 , · · · , Xm ] // sorted pieces/bonds list Output: X ? ⊆ X // optimal subset T ← {∅} for k ← 1 to m do if Xk is a piece then T ← T ∪ {X s ∪ {Xk } : X s ∈ T , g1 (X s ∪ {Xk })} // constraint of (1) else T ← {X s ∪ {Xk } : X s ∈ T } foreach X s ∈ T do if X s covers G then return X s

// (2), (3), and (4)

(T is reduced as a heuristic)

where constraints (3) and (4) ensure that the whole VN is covered. The SP has to solve this problem without price values f (X)’s, i.e. using just the given X sorted in ascending order by extended price, f¯(X). We denote the sorted list of X by [X1 , · · · , XS m ], where m is the size of X (m = 5 in Fig. 1), m and X = i=1 {Xi }. Although it is quite hard to find an optimal solution without price values, we have the following theorem on the optimality yielded by the price order. Theorem 1. Given a subset of pieces and bonds, X s ⊆ X , the price of a VN built with them is bounded by, f (X s ) ≤ (1 + we )nf¯max (X s ) = O(f¯max (X s )),

(5)

where f¯max (X s ) is the maximum extended price of elements contained in X s , i.e., f¯max (X s ) = max{f¯(Xk ) : Xk ∈ X s }.

Proof: The VN price of subset X s is bounded as follows,

f (X s ) ≤ ≤

nf¯max (X s ) +

X

X we f¯max (X s ) P r(e) 0 e0 ∈E r(e )

e∈E b (X s ) b∈B(e)

(1 + we )nf¯max (X s ),

wherePwe use the price monotonicity and f¯(b) f0 (b) e∈E r(e)/we ≤ f¯max (X s ).

=

Lemma 1. Given just the price order, the most rational strategy for minimizing the worst case price is to simply minimize the maximum price rank of the selected subset; i.e., min max{k : Xk ∈ X s },

X s ⊆X

under the same constraints, (1), (2), (3), and (4), where max{k : Xk ∈ X s } is the maximum price rank of subset X s. This is because bound (5) is determined just by the maximum extended price, which is associated with the maximum rank.

3) Algorithms: We design an algorithm to find the optimal subset of pieces and bonds, X ? ⊆ X , based on Lemma 1. Algorithm 1 shows an exhaustive version of it (ignore line 10 for a while). The SP examines all possible subsets stored in T , while adding a piece or bond of maximum rank k to each subset in T . The constraint of single piece per InP, (1), is checked at line 4. If a subset satisfies the constraints of (2), (3), and (4) at line 8, an optimal subset is successfully found. This algorithm obviously finds the optimal subset minimizing the maximum rank, since it is exhaustive. However, the number of subsets examined, |T |, grows exponentially with the number of pieces and bonds, m, and so becomes computationally intractable. Our solution is a heuristic search algorithm of polynomial computational complexity that introduces a cost function based on Lemma 1. At the end of each iteration (line 10 of Algorithm 1), some “better” subsets are chosen and others are removed from T , which allows us to easily control the computation complexity. The subsets are prioritized based on the closing rank, which is the maximum rank of a given subset when the subset grows to cover the whole VN. It is formally defined as follows, for subset X s ∈ T , min {max{k : Xk ∈ X 0 } : X 0 ⊇ X s , X 0 covers G}. 0 X

We choose subsets of smaller closing rank, since we are minimizing the maximum rank of the subset when it covers the VN. Here we employ the coupon collector’s problem [22] to estimate the closing rank. This is because this well-known problem gives us a tool to count coupons (subsets) with overlaps among them. The closing rank of subset X s is roughly estimated as follows, for iteration i, k(X s , i) = i

H|V |+|E| H|V |+|E| − H|{v or

, e∈P ∈X s }|

where Hn is the n-th harmonic number. Restricting the maximum size of T up to T , i.e., |T | ≤ T , the time complexity of heuristic search is O(mT (n|V |+|E|+ log T ), while the space complexity is O(T ). In this algorithm, SPs can take account of InP reputation; e.g., the piece size of ill-reputed InPs can be limited, or some penalty is added to their closing rank. B. Enumerating Virtual Network Pieces by Infrastructure Providers InPs enumerate their pieces and bonds in the beginning of our method, as shown in Fig. 1(1). The number of bonds cannot be so large, since it is bounded by the number of interInP links. On the other hand, since any subgraph of VN can be a piece, the number of pieces increases exponentially with VN size. For SPs, relatively few pieces should be enumerated, since the time complexity of the optimization algorithm increases with the number of pieces. InPs, however, want to enumerate as many pieces as possible in order to enhance the chance of winning a bid. We propose an algorithm to select the minimal necessary pieces without losing any InP’s chance based on Pareto optimality.

Algorithm 2: Enumerate pieces and bonds by i-th InP

1 2 3 4 5 6 7

Input: G, r // requested VN Output: X i // embeddable pieces and bonds P ← embeddable pieces of i-th InP, found with G and r B ← bonds of i-th InP foreach P ∈ P do foreach P ? ∈ P \ {P } do if P ?  P then // if P is not Pareto P ← P \ {P } return P ∪ B

We first define the partial order over pieces. Piece P ? precedes another piece P , if P ? is a supergraph of P and P ? ’s extended price is smaller than P ’s; i.e., P ?  P ⇐⇒ P ? ⊇ P ∧ f¯(P ? ) ≤ f¯(P ). A Pareto set of pieces is defined as follows. Given a set of pieces, the set is a Pareto set if no piece in the set precedes any other piece in the set; i.e., a set of pieces, P, is a Pareto set, P ? , if, P ? 6 P (∀P ∈ P, P ? ∈ P \ {P }). In a Pareto set, no piece dominates others in terms of coverage and extended price. Based on this Pareto optimality, we have the following theorem and lemma (proofs are omitted due to space limits). Theorem 2. The assumption is that SPs follow Lemma 1 as their most rational strategy. Given a set of pieces and bonds, X , which contains pieces of the non-Pareto set, these pieces are never included in the optimal subset, X ? ; i.e., X ? ∩ P¯ ? = ∅,

where P¯ ? is the complement set of Pareto set P ? .

Lemma 2. InPs can reduce the number of pieces to enumerate without losing a chance to win a bid, if the Pareto set of pieces is selected. We design an algorithm for InPs to enumerate a set of pieces and bonds following Lemma 2, as presented in Algorithm 2. Each InP first finds embeddable pieces and bonds, lines 1–2. After selecting a Pareto set of pieces at lines 3–6, the union of the selected pieces and bonds is obtained at line 7. As mentioned at the beginning of this section, there can be a huge number of embeddable pieces, and so it is intractable to find all of them at line 1. InPs, however, do not want to miss a chance to cover a VN by overlooking some embeddable pieces. In addition, it seems difficult to find many embeddable pieces, since embedding just a single VN is N P-hard as is well known. We introduce here a greedy algorithm to find embeddable pieces such that all virtual nodes are covered by at least one piece (if possible). The algorithm starts with a virtual node,

and tries to embed it in a physical node with maximum available capacity. The requested VN is expanded until no more virtual resource is embedded to the physical network. This expanding process is repeated with each virtual node v ∈ V . Although pieces are not necessarily optimally embedded in this greedy manner, InPs can re-embed pieces of the SP’s optimal selection in the final stage of our method. The time complexity of Algorithm 2 with greedy embedding is O(dn|V |2 (|E p | + |V p | log |V p |) + |P|2 ), where d is the maximum degree of the VN, and V p and E p are sets of physical nodes and links in the InP. The space complexity is O(|X i |). Each InP independently enumerates a set of pieces and bonds, X i , and then the union of these sets, X , is sorted with MPC and passed to the SP. Although the union set is not necessarily a Pareto set, the SP must not make it Pareto removing some pieces from it. This is because at most one piece is allowed to select for each InP due to constraint (1), and non-Pareto pieces could be Pareto if some pieces of other InPs were excluded by the constraint. In Algorithm 2, InPs can embed their pieces following their policies, with some modification of our algorithm. InPs are also allowed to eliminate pieces and bonds that do not follow the policies. IV. P ROTOCOLS This section describes protocols between an SP and InPs; these protocols securely control the whole optimization process. Section IV-A describes a protocol to sort the VN pieces with MPC as shown in Fig. 1(2), and Section IV-B discusses another protocol to conclude the optimization process (Fig. 1(4)). We assume that the SP and InPs do not collude with each other, but each InP might cheat to win a bid illegally by itself if possible. In an MPC process, SPs and InPs follow the predefined protocols and do not try to corrupt the computation, since it has been theoretically proved that no participant change the results to what it wants [23]. A. Sorting Protocol In this protocol, pieces and bonds enumerated by InPs are sorted with MPC by their extended prices, without revealing the price values. In MPC, secret value x is distributed among MPC participants, each of which is allocated a share of the value. The value can be reconstructed only when a sufficient number of shares are combined together; individual shares are of no use on their own. A share of x allocated to the i-th participant is denoted by [[x]]i . In our method, MPC participants are chosen from InPs by the SP, while shares of secret values (extended prices) are provided by all InPs that join our method. Figure 2 describes our sorting protocol. The i-th InP enumerates its pieces and bonds, X i , with Algorithm 2. These pieces and bonds are associated with IDs, {(idX , X) : X ∈ X i }, where idX is the ID of piece or bond X, and are sent to the SP. Upon receiving these sets from all InPs, the SP randomly chooses MPC participants from

another protocol finish thea optimization process (Fig. 1(4)). providers. cess. Section IV-Atodescribes protocol to sort VN pieces A.Belbekkouche, Yumerefendi, M. “Embedding virtual topologies “Resource in networked c lemma (proofs are omitted for space limits). In this price. complex constraints located inare multiple [16] A. M. Hasan, and A. Karmouch, discov protocol, pieces and bonds enumerated by the InPs pp. 1745–1747. cannot change the since results it wishes. is much harder, it asinvolves multiple commodities with A. Yumerefendi, “Embedding virtual topologies in networked clouds,” duce pieces optimality, to enumerate losing in proc. of ACM CFI, 2011, pp. 26–29.IEEE Communications Sur VII. C ONCLUSIONS We MPC assume shown that a in SPFig. and1(2), InPsand doSection not collude discusses with each with his Pareto wewithout have the following and allocation in network virtualization,” J. 2011, Chase, proc.Heermann, of ACM CFI, pp. and 26–29. sorted MPC as bylocated their extended prices, without IV-B revealing [15] Y. Xin, I. Baldine, A. Mandal,in C. constraints in multiple providers. that Pareto SPs follow 1 A. ofcomplex their with [16] Tutorials, A. Belbekkouche, M. 4, M.pp. Hasan, and A. Karmouch, “Resource dis Sorting Protocol ifAssuming selecting setforofLemma pieces. vol. 14, no. 1114–1128, 2012. virtualA.topologies in networked clouds,” other, but eachtoInP might cheat to winprocess a bid (Fig. illegally another protocol finish the optimization 1(4)).byA. Yumerefendi, “Embedding [16] Belbekkouche, M. M. Hasan, and A. Karmouch, “Resource discovery nt set (proofs of P ? .the emma are omitted space limits). VII. C ONCLUSIONS theXprice values. In MPC, secret value x is distributed among l strategy. Given a set of pieces and bonds, , itself VII.InPs C ONCLUSIONS allocation in network virtualization,” IEEE Communications CFI, 2011, pp. 26–29. and allocation in network virtualization,” IEEE Communications Surveys Zaheer, J. Xiao, and R. Boutaba, “Multi-provider service negotiaS if possible. MPC process, SPsbycollude and follow thein proc. of ACM assume that and a InSPabonds and enumerated InPs do not with each In this We protocol, pieces InPs are In this paper, we proposed an optimization method to build [17] F.and vol. 14, no. 4, pp. 1114–1128, 2012. ce pieces pieces tothat enumerate without losing A. Karmouch, “Resource discovery hm for InPs to enumerate a these set of pieces Tutorials, vol. 14, no. 4, pp.virtualization,” 1114–1128, 2012. ns of non-Pareto set, pieces aretheir never participants, MPC each of which isnotallocated a share of the [16] A. Belbekkouche, M. M. Hasan, and Tutorials, Assuming SPs follow Lemma 1 of and contracting in network in proc. of IEEE NO predefined protocols and doprices, trytowithout towin corrupt the illegally computation, sorted with MPC their extended other, butbyeach InP might cheat a revealing bid by and allocation VII. C ONCLUSIONS [17] F. Zaheer, J. Xiao, and R. Boutaba, “Multi-provider service negotiation a VN across multiple InPs without revealing their private in network virtualization,” IEEE Communications Surveys ? F. Zaheer, J. Xiao, and R. Boutaba, “Multi-provider service nego pp. 471–478. selecting Pareto ofAlgorithm pieces. In this only paper,when we proposed an optimization method to paper, build we proposed an optimization method to build [17] 2010, he optimal subset, X set ; in i.e., emma 2, Given asthe presented 2. thevalue. strategy. a set of pieces and bonds, X , The value can been beIn reconstructed sufficient In this and contracting in network virtualization,” in proc. of IEEE NOMS, since has thataInPs any follow participant price values. In MPC, secret valueprocess, x is proved distributed among vol. 14, no. 4, pp. 1114–1128, 2012. effort itself if it possible. atheoretically MPC SPs and the Tutorials,information. contracting in network virtualization,”Volume in proc. of IEEE Although much has been devoted to this [18] O.andGoldreich, Foundations of Cryptography, 2, Basic ApplN a VN across multiple InPs without revealing J.their private of to non-Pareto these areMPC never pieces and set, bonds, at pieces lines 1– 2010, pp. 471–478. number of shares areofthe combined together; individual shares ?pieces [17] F. Zaheer, Xiao,across and R. Boutaba, “Multi-provider service negotiation a VN multiple InPs without revealing their private mbeddable for InPs enumerate a set of pieces each which is allocated amethod sharetheof the cannot change results as ittry wishes. predefined protocols and do not to Although corrupt = ;, Inparticipants, this paper, we proposed aninformation. optimization tocomputation, build 2010, pp. 471–478. tions. Cambridge University Press, 2004. each other, but each InP might cheat to win a bid illegally by ? deto bonds by InP i much effort has been devoted to this [18] O. Goldreich, Foundations of Cryptography, Volume 2, Basic Applicaproblem, existing efforts require the private information to and contracting in network virtualization,” in proc. of IEEE NOMS, e optimal subset, X ; i.e., at lines 3–6, the union areVN of novalue useitmultiple on their own. A share of when x allocated toparticipant i-th mmaset 2, of aspieces presented in?Algorithm 2. value. The can be reconstructed only a sufficient since has been theoretically proved that any [19] T. Mano, K. Mizutani, and O. Akashi, “Secure resource provision information. Although much effort has been devoted to this [18] O. Goldreich, Foundations of Cryptography, Volume 2, Basic Ap a across InPs without revealing their private tions. Cambridge University Press, 2004. 2010, pp.be 471–478. itself if possible. In MPC processes, SPs andproblem, InPs follow the efforts require the private A. Sorting Protocol existing information Algorithm 1:domains,” Select optimal VN by SP shared intothe[19] optimization, whichand makes them impracticalprovisioning a complement set ofbonds, P at . at // requested VN and are obtained line 7. 1– number participant isAlthough denoted by [[x]]effort across in proc. of IFIP/IEEE IM, 2013, pp. 11 T. Mano,require K. Mizutani, O. Akashi,information “Secure resourceto eddable pieces and lines tions. multiple Cambridge University Press, 2004. of shares are combined shares i . together; cannot change the results asshared ithas wishes. information. much been devoted to thiswhich [18]makes O. Goldreich, Foundations of Cryptography, Volume 2, the Basic private Applica= ;,bonds problem, existing efforts be inindividual theenumerated optimization, impractical predefined protocols and do not try to corrupt the computation, Indescribes thistheir protocol, pieces and bonds by InPs aretions. them across multiple domains,” in proc. of IFIP/IEEE IM, 2013, pp. [19] 1129–1134. to implement. We introduced a theory that can find the e pieces and bonds T. Mano, K. Mizutani, and O. Akashi, “Secure resource provis beginning of this section, there can be Cambridge University Press, 2004. SP i-th InP Figure 2 our sorting protocol. The i-th InP enuo set of pieces at lines 3–6, the union are of no use on own. A share of x allocated to i-th SP which makes them j-thimpractical Participant Input: [Xand · · Shmatikov, · ,InP Xm ] “Privacy-preserving // sorted algorithm piece nPs can reduce pieces ?to enumerate without losingtheoretically problem, efforts require theparticipant private We information to a theory that 1 ,i-th toany implement. can find inthe 1134.“Secure be shared the since it has been proved that A. existing Sorting Protocol Brickell V.domains,” with MPC by their prices,introduced without revealing complement setand of P . itline [19] T. Mano, K. Mizutani, O.optimization, Akashi, resource provisioning multiple in proc. of IFIP/IEEEgraph IM, 2013, pp. found with r soat optimal VNand given just the price order computed with MPC, [20] J.across dwin bonds areif G obtained 7. set of pieces. eddable pieces, and is intractable participant isindenoted by [[x]] merates sorted its pieces and bonds, X i ,extended with Algorithm 2. These i . which a bid, selecting the Pareto [20] of J. Brickell andIM, V. Shmatikov, “Privacy-preserving graph algorithms inthe semi-honest the optimization, makes themjust impractical optimal VN given theby price order computed with MPC,in We cannot changebetheshared results as wishes. across multiple domains,” proc. IFIP/IEEE pp. 1129– to implement. introduced a2013, theory that canin Cryptology, find theser. Lecture1134. listmodel,” in Proc. of Advances in Cryptology, ser. Lec price values. Inpieces MPC, secret value x, Xis InP In thisit protocol, and bonds enumerated InPs are Algorithm i among the semi-honest model,” in Proc. of Advances eginning of this section, there be to losing developed search algorithm based on the Figure 2the describes our sorting protocol. The i-th enuline InPs, however, do notcan want pieces and bonds are associated with IDs, {id :distributed X 2 Xthe }, Enumerate pieces and bonds, , with 2 on the an efficient to implement. We introduced a theory that can find Ps can1.reduce pieces to enumerate without Xan 1134. and ? and developed efficient search algorithm based Notes in Computer Science. Springer, 2005, vol. 3788, pp. 236–2 [20]Output: J. Brickell V. Shmatikov, “Privacy-preserving algorith Notesthe in Computer Science. computed Springer, 2005, vol. 3788, 236–252. i of an algorithm for InPs to a set of pieces its X // graph optimal Embedding request forpp.optimal VN, XandK.✓ MPC participants, which isprices, allocated a share of[20] theJ. Brickell sorted with MPC byeach their extended without optimal VN given just price order MPC, ddable pieces, and sothe it enumerate is intractable merates pieces bonds, Xtheory. with Algorithm 2.sent These andVN V. We Shmatikov, “Privacy-preserving graph algorithms in theory. also discussed the Pareto optimality of with VN pieces anVN by overlooking some embeddable where is theand ID piece or, order bond X,also anddiscussed arewith to revealing the A. Sorting Protocol optimal VN justof the price computed MPC, Sugiyama, T. Hasegawa, T. Hasegawa, and A. NaL a bid, if selecting Pareto set of pieces. We the Pareto optimality of pieces X isgiven [21] M. Fukushima, K. Sugiyama, T. Hasegawa, T. Hasegawa, and A. [21] Nakao,M. theFukushima, semi-honest model,” in Proc. of Advances in Cryptology, ser. i a sufficient ollowing Lemma 2, asdo presented in to Algorithm 2. value. The value can be reconstructed only when the price values. In MPC, secret value x is distributed among the semi-honest model,” in Proc. of Advances in Cryptology, ser. Lecture and developed an efficient search algorithm based on the ne 1. InPs, however, not want 1 T {;} pieces and bonds are associated with IDs, {id , X : X 2 X }, “Minimum disclosure routing for network virtualization and its236 ex X Pieces and with IDs, “Minimum disclosure routing for the network virtualization and its exper-Notes in Computer Science. Springer, 2005, vol. 3788, pp. by InPs, in order to pp. reduce search space. eems uneasy to find many embeddable and developed an bonds efficient search algorithm based onorder the to reduce SP. Upon receiving these sets from all InPs, the SP in randomly enumerated by by InPs, theenumerated search space. (Fig. 1(2)), pieces andeach bonds enumerated Computer Science. Springer, 2005, vol. 3788,IEEE/ACM 236–252. finds embeddable pieces and In bonds, at lines nft algorithm for InPs to enumerate athis set protocol of where pieces1– number of ofshares are combined individual MPC participants, of which istogether; allocated atoshare ofshares the Notes in imental evaluation,” Transactions on Networking, vol. 21,imental evaluation,” IEEE/ACM Transactions on Networking, vol. Xbyis not Pareto VN overlooking some embeddable is is the ID piece or bond X, and are sent the theory. We also discussed the Pareto optimality of VN pieces X [21] M. Sugiyama, T. Hasegawa, T. Hasegawa, and A. N 2 for kFukushima, 1 toK.m do Numerical experiments method isK.fast and We also discussed the Pareto of VNshowed pieces that embedding w/o private info ng justa Pareto a single VN is N P-hard as sorted isthetheory. Numerical experiments showed that our method is fast and Run chooses participants from InPs. Theoptimality j-th participant recieves [21]our M. Fukushima, Sugiyama, T. Hasegawa, T. Hasegawa, and A. Nakao, InPs are with MPC by their normalized prices, without no. 6, pp. 1839–1851, 2013. cting set of pieces at lines 3–6, union no. 6, pp. 1839–1851, 2013. owing Lemma 2, as presented in Algorithm 2. are of no use on their own. A share of x allocated to i-th The these value sets can from beoptimal reconstructed only randomly when a sufficienthow ms uneasy to find many embeddable SP.enumerated Uponvalue. receiving allreduce InPs, the routing for network virtualization and its disclosure routing for virtualization its experMPC practice. We toenumerated solve this in quite by InPs, in have orderand toR. and reduce thesolve search space. byMPC, InPs, in participation order toxX the SP space. [22]network S.We Machiraju H. how Katz, “Verifying global multi-S.“Minimum shares ofparticipant extended prices, {[[id ]]jdistributed , in [[¯ qoffer (X)]] : individual X have 2 Xshown },shares “Minimum optimal practice. shown to this invariants quite in[22] 3 if Xk disclosure isanda R. piece then jsearch In value is Machiraju H. Katz, “Verifying global in mv ed pieces and bonds obtained 7.price finds andrevealing bonds, atthe lines 1– values. issecret denoted by [[x]] number of shares are combined together; imental evaluation,”for IEEE/ACM Transactions on Networking, vol. Proc. 21, of ACM HotNets, 2004, pp. i . participant just aembeddable single VNpieces isare N P-hard asat isline chooses participants from InPs. The Transactions oninvariants Networking, provider distributed systems,” 149–imental evaluation,” IEEE/ACM hard optimization problem limited information the Numerical experiments showed thatj-th our method isrecieves fastbyunder and s Proc. of ACM s Numerical experiments showed ourinmethod is fast greedy tooffind embeddable provider distributed systems,” OK from InPs. sort them the hard optimization problem underthat limited information for and the among participants, each of which iscollabolatively allocated a protocol. share no. 6, pp. 1839–1851, 2013. ned thealgorithm beginning this section, there can beof Figure 2prices, describes our sorting The i-th InP enu4 T T [ {X [ {Xk } : X HotNets, 2 T ,2004, g1 (Xpp.s 1[ ng ainPareto set of pieces at lines 3–6,MPC theshares union 154. no. 6, pp. 1839–1851, 2013.in are ofThe no participants use on their own. A share of x allocated to i-th extended {[[id ]] , [[¯ q (X)]] : X 2 X }, X j j first time ever. 154. optimal inprice, practice. We have sort shown how to solve this quite [22] S. Machiraju and R. H. Katz, “Verifying global invariants in multii tual nodes are covered by at least one optimal in practice. We have shown how to solve this quite extended with a MPC algorithm. Since the sorted [23] M. Burkhart, M. Strasser, D. Many, and X. Dimitropoulos, “SEPIA: of the value. The value can be reconstructed only when a first time ever. [22] S. Machiraju and R. H. Katz, “Verifying global invariants in ber of embeddable and soatitline is intractable merates its and ,sort withthem Algorithm 2. These pieces and bondstopieces, are obtained 7.from InPs. participant is pieces denoted by bonds, [[x]] reedy algorithm find embeddable The participants the j-thcollabolatively Participant information i . Xwork // M.constraint ofand(1) [23]andM. Burkhart, Strasser, D. Many, X. Dimitropoulos, “SEP provider distributed of ACM HotNets,aggregation 2004, pp. 149– Future includesby development of faster search systems,” algo- in Proc. hard problem under limited for the Privacy-preserving of multi-domain network events efalthem algorithm starts with aatsection, virtual node, provider distributed systems,” in Proc. of ACM HotNets, 2004, pp listbeto isoptimization distributed as secret shares among participants, sufficient number of shares are together; individual Price optimizationincludes problem under information the line 1. InPs, however, not want pieces and bonds aresort associated with IDs, {id ,i-th X :e.g., Xof2enuX i }, ed in theatbeginning of by this there can Figure 2combined describes our sorting protocol. The InP nodes are covered least do one Future development ofrequest faster 2010, search algoextended price, with a MPC algorithm. Since the sorted X 154. hard Privacy-preserving aggregation of multi-domain network events statistics,” in Proc. oflimited USENIX Security, pp.for 15–15. rithms, game theoretic analysis the relationship betweenwork SP time ever. 154. i bond oof physical with theshares maximam oflistfirst no on own. A ofpiece xamong allocated toX, [[id · ·where · their , idXis ]]pieces j-th partitipant, the SP gathers these 5 else [23] M. Burkhart, M. Strasser, D. Many, and X. Dimitropoulos, “SEPIA: toa cover astarts VNnode by overlooking some embeddable [24] M. Zhao, W. Zhou, A. J. Gurney, A. Haeberlen, M. Sherr, and B. T. isfor theshare ID of or and are sent to the realgorithm embeddable pieces, and so it isare intractable statistics,” in Proc. of USENIX Security, 2010, 15–15. Xdistributed jsecret its and bonds, X , with Algorithm 2. These first time ever. with a virtual node, isuse as shares participants, e.g., 1 , merates m X Share of prices rithms, game theoretic analysis of the relationship between SP [23] M. Burkhart, M. Strasser, D. Many, and X.pp. and InPs,ofand large-scale experiments with actual providers. Dimitropoulos, work development faster search algo“Private and verifiable interdomain routing decisions,” SIGCOMM Privacy-preserving aggregation of Loo, multi-domain network events and i pieces, union ofexpanded the s J. Gurney, A. Haeberlen, [24] Zhao,TW. Zhou, Sherr, and “S B i-thmany participant isFuture denoted by [[x]] ethem VN iswith until nowant and reconstructs the sorted and dition, seems to find embeddable SP. Upon receiving these sets list. from all InPs, the SP randomly atitthe line 1. uneasy InPs, however, do not i . are pieces andincludes bonds associated with IDs, {id , Xthese : XX 2 arequested physical node the maximam Share prices [[idshares the Finally, SP i X }, ? Xpieces 6 M. {XA. [ {Xk }of: multi-domain X s 2 T }M.network Xto ¯ gathers 1 , · · · , idXm ]]j for j-th partitipant, and InPs, and large-scale experiments with actual providers. Future includes development ofof algoComput. Commun. Rev., vol. 42,faster no. 4, pp.search 383–394, 2012. {[[id } {[[f¯(X)]] :X 2 Proc. X } ofwork Privacy-preserving aggregation even statistics,” in USENIX Security, 2010, pp. 15–15. X ]]j , [[f (X)]] j : X 2 SP rithms, game theoretic analysis of the relationship between Loo, “Private and verifiable interdomain routing decisions,” SIGCO ed. Figure ?? shares describes the sorting Each InP i bond enumerjust aexpanded single VNuntil is Nno P-hard as isand isoembedding embedded toisoverlooking the physical network. chooses from InPs. The becomes j-th participant recieves cover a VN by some embeddable requested VN bonds are associated with order, theand input where isXparticipants isprotocol. the IDtheir of piece orwhich X, pieces and are sent to [24] the M. Zhao, W. Zhou, A. J. Gurney, reconstructs the sorted list. Finally, i ? A. Haeberlen, M. Sherr, and B. T. statistics,” in Proc. of USENIX Security, 2010, pp. 15–15. ¯ ¯ rithms, game theoretic analysis of the relationship between SP 7 Comput. sRev., vol. 42, no. 4, pp. 383–394, 2012. Commun. {[[id ]] , [[ f (X)]] : X 2 X } {[[ f (X)]] : X 2 X } and InPs, and large-scale experiments with actual providers. i X j j his section, there can be foreach X 2 T do ates pieces and bonds S with Algorithm 2. These pieces and embedded theeach physical shares extended prices, {[[id ]]j ,InPs, [[¯ q (X)]] X 2 X },Loo, “Private and verifiable interdomain routing decisions,” SIGCOMM tion, it seemsto uneasy tovirtual find network. many areSP. associated with their order, the Upon these setswhich fromXbecomes all SP: randomly is repeated with nodeembeddable v 2 bonds of Algorithm 1.ofreceiving jinput [24] M. Zhao, W. Zhou, A. J. Gurney, A. Haeberlen, M. Sherr, and ? InPs,Rev., andvol.large-scale experiments i f¯(X)]] s verifiable interdomain routing decisions,” SIGC Commun. 42, no. 4, pp. 383–394, 2012. with actual providers. {[[id ]]j ,1. [[IDs, f¯InPs. (X)]] X2i }SInPs. {[[ :is XSas2participant Xsort } shares, s, andnecessarily so aitwith is intractable jS:,,X Sort IDs, prices, MPC bonds are with {id Sby :2S },exchanged where greedy algorithm to N find sntroduce repeated virtual node vP-hard 2embeddable from The participants collabolatively them by theComput.and ofasAlgorithm mbedding just aeach single VN is is X Loo, “Private chooses participants from The, with j-th recieves not optimally embedded inassociated Since extended prices are always secret 8 if X and covers G then // (2), (3), orithm 2. InPs,optimally however, Comput. Commun. Rev., vol. {[[idX ]]j , [[Reconstruct f¯(X)]]j : X 2prices, X i } {[[f¯(X)]] : X 2 X ? } is the ID ofleast piece or extended bond and they are sent to thesort SP. Upon ot necessarily embedded inat Since prices always exchanged hatcan allre-embed virtual nodes areof covered by one extended price, with a MPC Since the shares of extended prices, {[[id [[¯ qsecret (X)]] : Xway, 2 sorted X }, Ps pieces SP’s optimal as shown inS,Fig. 2, noare one can reconstruct them. Injshares, this X ]]algorithm. j ,as 9 return X s 42, no. 4, pp. 383–394, 2012. Share of sorted list id overlooking some canifof re-embed pieces of SP’s optimal as InPs’ shown inlistFig. 2, no can reconstruct them. In this way, receiving these sets private from all InPs, the SP randomly sible). The algorithm starts with virtual node, isinformation distributed secretcollabolatively shares participants, e.g., roduce a greedy algorithm to finda embeddable from InPs. Theone participants sort them by the age our method. isasprotected inchooses thisamong protocol. uce a greedy algorithm ge of InPs’ information is protected inpartitipant, this protocol. embed it method. to anodes physical nodeparticipants with maximam from InPs. Each j recieves shares of theSince [[id · · , idXwith j-thsort SP gathers these at all our virtual are covered by the at least oneprivate extended price, MPC algorithm. the sorted X1 , ·participant m ]]j afor 10 (T is reduced for heuristic) i at allThe virtual nodesstarts are pacity. Thealgorithm requested VN with isnormalized expanded until , p¯(S)]] :S 2 }, from eachamong InP shares andj reconstructs theshares sorted list. Finally, piecese.g., and ble). a virtualprices, node,no{[[id list distributed as Ssecret participants, Sis Fig. 3. Closing protocol. The SP requests InPs to ensure the optimal VN ble). An starts withnode a resource isa embedded to the physical network. i, and eventually collects those of all InPs’, {[[id , p ¯ (S)]] : bonds are associated with their order, which becomes the input mbed it toInP physical with the maximam [[id , · · · , id ]] for j-th partitipant, the SP gathers these S j X X j 1 Reconstruct sorted list, m Sn a physical node withVN the for list. asort while). SP examines all possible subsets stored in T , Algorithm Select VN byparticipants SPand reconstructs ng process is repeated withis1: each node vi }. 2 The S 2 virtual S = optimal of Algorithm 1.then collabolatively city. The requested expanded until no can be embedded in their physical networks. If all checks pass, the SP unveils shares the sorted Finally,A pieces and i=1 S P expands the necessarily requested while adding piece or bond of maximumthe rank k to each pieces are optimally in Since are exchanged asasecret esource is not embedded the physical network. them byembedded the normalized price, following a sorting algorithm bonds are extended associated with theiralways order, which becomes the shares, input optimal VN price. Input:to[X //to sorted pieces/bonds 1 , · · · , Xm ] is input Algorithm 1 prices embedded the re-embed physical manner, can pieces of SP’s optimal asAlgorithm shown Fig. 2, no one can reconstruct them. In this way, of single piece per InP, (1), is subsetasin T . The constraint g processInPs istorepeated with each node v 2the of of virtual MPC. Since sorted list inis1. distributedly obtained price values, we have the following theorem on the list ing process he final of our with method. InPs’ private information is protected in this protocol. ieces are stage not starting necessarily optimally in Since extended prices are always exchanged as secret shares, among participants, i.e., [[id , · · · , id ]] for j-th checked at line 4. If a subset satisfies constraints of (2), (3), ?sharesembedded S1 subset Sm j Output: X ✓ X // optimal given the price order. ieces are not TABLE I nner, InPs cannecessarily re-embed pieces of SP’s optimal as shown in Fig. 2, no one can reconstruct them. In an thisoptimal way, subset is successfully found. This partitipant, the SP gathers these shares and reconstructs the and (4) at line 8, 1 T {;} anner, re-embed e final InPs stagecan of our method. InPs’ and private information is protected in protocol. Fig. 2. protocol. Extended prices of pieces bonds are securely sortedSorting list. Finally, pieces bonds are associated with thethis and algorithm obviously finds the optimal subset minimizing the P ARAMETERS IN EXPERIMENTS Theorem 1. Given a subset of pieces and bonds, 2 for k 1 to m do a single-InP embedding sorted list, which the input of Algorithm 1. maximum it is prices exhaustive. However, the number of MPCbecomes participants. After sorting them byrank, thesince secret with 3 ifshared X is a among piece then the price of VN built with them is tightly bounded in the final stage of ourk Since normalized prices are always secret examined, |T |, grows exponentially with the number s s s exchanged assubsets MPC, the sorted list is reconstructed by the SP without seeing the prices. The 4 T T [ {X [ {X } : X 2 T , g (X [ {X })} 1 k e limits. shares, as shownkin Fig ??, no participant can see the of price pieces and bonds, m, and it is computationally intractable. // constraint of (1) # of InPs; n q(X s ) [6,10] (1 + we )n¯ qmax (X s ) = O(¯ qmax (X s )) include SP as iswell as some InPs chosen by the SP. m 2 with the greedy participants em- values. InPs’ privatethe information not revealed at all inWe this then describe a heuristic search algorithm of polynomial 3s # of MPC participants g |V p |) + |P|25), where elsed protocol. computational complexity, introducing a cost function based where q¯max (X is the maximum extended price o p p V p and E p 6are sets of T {X s [ {Xk } : X s 2 T } of physical 80,s)240 on Lemma 1. At the end of each iteration# (line 10 of nodes and links per InP; |V |, |E | The space complexity is B. sFinalizing Protocol contained in [0, X 2] , i.e., q¯max (X s ) = max{¯ q (Xk ) : X Algorithm 1), some “better” subsets are chosen andphysical others links between InPs 7 foreach X 2 T do # of arelinks removed from T , which allows us to easily control the 8 if X s This coversprotocol G then(Fig. //1(4)) (2),embeds (3), inter-InP and (4)virtual s Available capacity of nodes and links [1, 20], [20, 40] Proof: The VN price of subset X is bounded tes a set of pieces and to physicals networks, and unveils the price of the optimal computational complexity. The subsets are prioitized based on 9 return X 2 2] ets are passed to the SP VN to the SP. Since the VN has been mapped to InPs by [15, Mean and variance of unit price n 60], [3 , 12X X j j the closing rank, which is the maximum rank of a given subset X X i The set of each InP, S , Algorithm we are now allowed to embed inter-InP virtual s 10 (T is reduced for 1, heuristic) [10, 40], [20, 80] virtual nodes and links; |V |, |E| when the subset grows to cover the whole VN.#It of is formally q(X )  q(Xi ) + q0 (b)r(e) ion is not necessarily a links (open-ended edges and their bonds), which could not s Required capacity of nodes and links; r(v), r(e) [1, 15], [1, 15] defined as follows, for subset X 2 T , b s i=1 e2E (X ) b2B(e) ne the Pareto efficiency been embedded in the enumeration stage. In order to embed # of node types 5 0 0 s 0 X X we q¯max alized price. This ineffi- them, we utilize PolyViNE [12], which is an existing protocol min max{k : Xk 2 X , X ◆ X , X covers G}. P  0.5, n¯ qmax most of non-Pareto 0.5(X s ) + weights; wv , we to have embedthea following VN over theorem multi-InPs. original PlyViNE, price pieces values, we on In thethe optimality X1 choose subsets Xmof jsmaller closing rank, Coverage We since we are e0 2E jointly partition the requested VN relying on their private e2E b (X s ) b2B(e) given the priceInPs order. Max search width; T 2000 minimizing the maximum rank of subset when it covers the eir pieces following their information, but since the VN has been partitioned by the SP in s s  (1 + w )n¯ q (X ), e max VN. We here employ the coupon collector’s problem [24] to a subset pieces X ✓ the X , PolyViNE minate piecesTheorem and bonds1. Given our method, InPsofcan embedand the bonds, VN following estimate the closing rank. This is because this well-known the price of VN built with themrevealing is tightlyprivate bounded by, protocol without information. If common b s where E (X ) is a set of inter-InP virtual link problem gives a tool to count coupons (subsets) with overlaps virtual resources ares found among pieces of the optimal VN, q(X s )  (1 + we )n¯ q (X ) = O(¯ q (X s )), (5) s LS a set P of bonds on inter-InP virtual link e, an the SP mapsmax the resources to max a piece of lower rank. among them. The closing rank of subset X is estimated as follows, between a SPwhere and InPs; theextended price of the optimal VN is unveiled for when iteration i, q0 (b) e2E r(e)/we  q¯max (X s ). q¯max (X s )Inisthis theprotocol, maximum price of elements s SP to pay for.s The SP gathers the secret shares optimizationcontained process ofin Xthe H|V |+|E| , i.e., q¯max (X ) = max{¯ q (Xk ) : Xk 2 X s }. of optimal s k(X , i) = i , Lemma 1. Given just the price order, it is the mo ection IV-A describes a pieces and bonds from the MPC participants, and reconstructs H|V |+|E| H|{v or e2P 2X s }| s Proof: VNnormalized price of subset is bounded follows, he normalized price, and The their prices.X These prices as cannot be necessarily strategy for SPs to simply minimize the maximum where Hn is the n-th harmonic number. n ocol to finish embedding X identical with those that will be charged by InPs, since they X X of selected subset; i.e., Restricting the maximum size of T upto T , i.e., |T |  T , nPs do not collude been determined without embedding inter-InP virtual q(X s ) with  haveq(X ) + q (b)r(e) i 0 the time complexity of heuristic search is O(mT (n|V |+|E|+ i=1 e2E b (X s ) b2B(e) min max{k : Xk 2 X s }, log T ), while the space complexity is O(T ). X X we q¯max (X s ) X s ✓X P  n¯ qmax (X s ) + r(e) In this algorithm, SPs can take account of InP reputation; 0 e0 2E r(e ) under the same constraints, (1), (2), (3), and e.g., for ill-reputed InPs, their piece size can be limited, or e2E b (X s ) b2B(e) some penalty is added to their closing rank. max{k : Xk 2 X s } is the maximum price rank  (1 + we )n¯ qmax (X s ),

InPs. The j-th participant receives shares of extended prices, {([[id ]] , [[f¯(X)]] ) : X ∈ X }, from InPs. The participants use an MPC sort algorithm to collaboratively sort them by extended price. Since the sorted list is distributed as secret shares among participants, e.g., [[id , · · · , id ]] for j-th participant, the SP gathers these shares and reconstructs the sorted list. Finally, pieces and bonds are associated with their order, which becomes the input of Algorithm 1. Since extended prices are always exchanged as secret shares, as shown in Fig. 2, no one can reconstruct them. In this way, InPs’ private information is protected in this protocol.

without the entire VN mapping, so as not to reveal selected pieces of other InPs. InPs then try to embed them with PolyViNE modified so as not to rely on private information. If embedding fails, the SP resumes Algorithm 1 and finds B. Closing Protocol the next optimal VN. If successful, the SP collects the secret This protocol embeds inter-InP virtual links to physical shares and reconstructs their extended prices, f¯(X)’s. paths, and unveils the price of the optimal VN to the SP. We The price of the optimal VN is unveiled to just the SP, not X s . cannot be unveiled to begin with inter-InP virtual links. Since optimal pieces has InPs. Infrastructure Prices of other pieces and bonds where E b (X s ) is a set of inter-InP virtual links, B(e) is B. Enumerating Virtual Network Pieces by Providers a set P of bonds on inter-InP virtual link e, and q ¯ (b) = been selected by Algorithm 1, we are now allowed to embed anyone, since collecting the shares This is because bound (5) is determined just by the is not permitted. InPs enumerate their pieces and bonds in the beginning of q0 (b) e2E r(e)/we  q¯max (X s ). extended price, which is associated with the maxim inter-InP virtual links to physical paths. In asorder to Fig. embed our method, shown in 1(1). The number of bonds Lemma 1. Given just the price order, it is the most rational V. E XPERIMENTS cannot so large, since it protocol is bounded by the number of interwesimply utilize PolyViNE which isbean existing strategythem, for SPs to minimize the maximum [10], price rank 3) Algorithms: We design an algorithm to find InP links. On the other hand, since any subgraph of VN can be of selected subset; i.e., subset of pieces and bonds, X ?in✓ X , based on a piece, number of PolyViNE, pieces increases exponentially the evaluate our optimization to embed a VN over multiple InPs. In thetheoriginal We with first algorithm described VN size. For SPs, too many pieces should not be enumerated, Algorithm 1 shows an exhaustive version of it (ign min max{k : Xk 2 X s }, jointly partition the requested since VNthewhile sharing their algorithm Section III-A, and then examine the output of our enumeration X InPs ✓X time complexity of optimization depends on the number of pieces. InPs, however, want to enumerate under the same constraints, (1), (2), (3), and (4), where private information, but since the VN has been partitioned by algorithm in Section III-B. Finally, the computation time of our max{k : Xk 2 X s } is the maximum price rank of subset as many pieces as possible in order to enhance the chance the SP in our method, InPs can embed the VN method is measured. We did not compare our method of winning a bid.without We proposeraising an algorithm whole to select minimal X s. necessary pieces without losing the InP’s chance based on the issues. with any existing work, since, to the best of our knowledge, This is privacy because bound (5) is determined just by the maximum Pareto optimality. extended price, which is associated with the maximum rank. first define the partial to order Piece P ? method exists that protects private information. At the end, the price of the optimalWeVN is unveiled theover pieces. no practical precedes another piece P , if P ? is a supergraph of P and 3) Algorithms: design an algorithm to find an optimal ? SP. TheWeSP gathers secret shares of optimal pieces and bonds Parameters used in the experiments are chosen followP ’s extended price is smaller than P ’s; i.e., subset of pieces and bonds, X ? ✓ X , based on Lemma 1. ? ? ? from the MPC participants, and reconstructs their extended ing [5], [10] (Table I). Physical and virtual networks are generAlgorithm 1 shows an exhaustive version of it (ignore line 10 P P () P ◆ P ^ q¯(P )  q¯(P ). prices. These prices cannot be necessarily identical with those ated by GT-ITM [24]. The unit price of physical resources are that will be charged by InPs, since they have been determined randomly determined based on mean and variance, which are without embedding inter-InP virtual links. However, this price defined for each InP. The piece price is the sum of embedded check is indispensable, because without it InPs could give physical resources. unfairly low prices for sorting and charge much higher prices The experiments were conducted on a machine with Xeon for payment. E3 3.50GHz ×4, emulating long round-trip time of 300 Figure 3 shows the closing protocol. After finding the msec (assuming SPs and InPs are distributed on different optimal VN, the SP asks InPs whether inter-InP virtual links continents). Our method is implemented in C++ and Haskell can be embedded; the SP tells InPs only their assignment with a fast MPC sort algorithm [25]. s

n=8 Our algorithm Coverage search

3

|V|=30 Our Algorithm Coverage search

3

2

2

1

1

0

0 10

2500

4

20 30 40 # of virtual nodes, |V|

0.6 0.4 Our algorithm Coverage search 2 3 4 5 Normalized VN price

2000 1500

1000

1000

500

500 20 30 # of virtual nodes

Fig. 5. Cumulative distribution function of normalized VN prices. Our method finds better VNs with high probability.

A. Results We evaluate two variants of our optimization algorithm of Section III-A: “price search” and “coverage search”. The price search uses price values to exhaustively search for the optimal subset; this gives a lower bound of VN price, though it takes quite a long time. The coverage search relies on just piece coverage, i.e., no price-related information; this is similar to Algorithm 1, but it sorts pieces and bonds by the coverage (assuming bonds precede pieces) and reduces T by the coverage of X s . Figure 4 shows optimal VN prices normalized by those of price search. Our algorithm is, surprisingly, only 2–19 % worse than the price search on average. It outperforms the coverage search by 35–173 %. As shown in Fig. 5, our algorithm finds the same VNs as the price search once in five times, and it never outputs VNs that are more than twice as expensive as the price search results, unlike coverage search. We believe that these promising results, which are due to our search strategy based on Lemma 1 and the heuristic, are good enough for SPs to choose our method. Figure 6 shows the number of pieces and bonds enumerated by the algorithm of Section III-B, that is, m. They are reduced to 34.9 % for 40-node VNs based on the Pareto optimality, without losing InPs’ opportunity. This reduction significantly reduces the search space of the optimization problem. Figure 7 shows the computation time of our method. Our method completes all four stages in just 200 seconds for a 40-node VN. The most time consuming process, the opti-

6

40

|V|=30

8 10 # of InPs, n

Fig. 6. Number of pieces and bonds enumerated by our method; reduced by about 2/3. We solved 30 instances for each bar. The means are represented by the marks, and standard deviations are indicated by error bars. 250 200 150

n=8 Closing protocol Optimization algorithm Sorting protocol Enumeration algorithm

250

|V|=30

200 150

100

100

50

50 0

0 6

All Pareto set

0 10

Computation time [sec]

Cumulative distribution func.

0.8

1

2500 n=8

1500

8 10 # of InPs, n

1

0

2000

All Pareto set

0

6

Fig. 4. Optimal VN prices normalized by those optimized using prices. Our method is only about 10 % worse than the optimization result gained with prices, and it outperforms the method without price order. We solved 30 instances for each bar. The means are represented by the marks, and the 10th and 90th percentiles are indicated by error bars.

0.2

# of pieces and bonds

Normalized VN price

4

10 20 30 40 # of virtual nodes, |V|

6

8 10 # of InPs, n

Fig. 7. Computation time of our method for the four stages of Fig. 1. Our method finishes in a couple of minutes for large VNs.

mization, scales quadratically against VN size; as suggested in Section III-A, the time complexity depends on VN size, |V | and |E|, and the number of pieces and bonds, m, which increases linearly for the VN size as shown in Fig. 6. The search heuristic greatly accelerates, by a factor of ten, this process, while the restricted enumeration of pieces provides a boost of three times (figures showing these effects are omitted due to space limits). The computation time is comparable, up to 1.6×, with that of coverage search, which should be fast since it maximizes the coverage. The piece enumeration is quadratic to VN size as shown in Section III-B, and it requires less than five seconds including Pareto set selection, thanks to the simple greedy approach. The protocols between the SP and InPs take less than 20 seconds in total even with the long communication delay of 300 msec, due to the limited use of MPC. Our method is fast enough to support just-in-time setup based on service demand. VI. R ELATED W ORK Several papers have discussed the inter-InP VN optimization problem. Most of them [5], [11]–[14] assume that InPs would share their private information with the SP, which partitions the requesting VNs based on the private information including resource costs. These methods are unacceptable for InPs, which have traditionally been reluctant to disclose the private information. In addition, VNs are partitioned by the SP without consideration of the InPs’ policies; this is why we allow the

InPs to enumerate embeddable pieces at first. PolyViNE [10] forces InPs to share the private information with each other. InPs use shared information including resource costs to jointly build the requested VN. Although PolyViNE is well designed to find feasible embedding between InPs, this method ignores the privacy issue. SPs’ policies are ignored since they are not involved in the embedding. To the best of our knowledge, our past work [16] is the only study that does not reveal InPs’ private information, but its computation time can be excessive, sometimes several months, due to the heavy use of MPC. Many algorithms have been proposed for the VN optimization problem with a single InP [6]–[9]. They complement our work by finding better embedding in the closing protocol. We are unaware of earlier techniques that apply MPC to complex optimization problems. The closest related works we know of are linear programming [26] and shortest path search between two parties [17], [18]. They are simple polynomial optimization problems, and so we had to develop a new approach for VN optimization which is N P-hard. Other MPC applications include anomaly detection [19], [20] and policy checking [21], which are also much simpler than our problem since they do check some invariants with MPC. Reference [27] applied MPC to sugar beet auction, which is a pricing mechanism with a single commodity; our problem is much harder, since it involves multiple commodities with complex constraints located in multiple providers. VII. C ONCLUSIONS In this paper, we proposed an optimization method to build a VN across multiple InPs without revealing their private information. Although much effort has been devoted to this problem, existing efforts require the private information to be shared in the optimization, which makes them impractical to implement. We introduced a theory that can find the optimal VN given just the price order computed with MPC, and developed an efficient search algorithm based on the theory. We also discussed the Pareto optimality of VN pieces enumerated by InPs, in order to reduce the search space. Numerical experiments showed that our method is fast and optimal in practice. We have shown how to solve this quite hard optimization problem under limited information for the first time ever. Future work includes development of faster search algorithms, game theoretic analysis of the relationship between SP and InPs, and large-scale experiments with actual providers. R EFERENCES [1] N. Chowdhury and R. Boutaba, “Network virtualization: state of the art and research challenges,” IEEE Communications Magazine, vol. 47, no. 7, pp. 20–26, 2009. [2] A. Belbekkouche, M. M. Hasan, and A. Karmouch, “Resource discovery and allocation in network virtualization,” IEEE Communications Surveys Tutorials, vol. 14, no. 4, pp. 1114–1128, 2012. [3] A. Fischer, J. Botero, M. Till Beck, H. de Meer, and X. Hesselbach, “Virtual network embedding: A survey,” IEEE Communications Surveys Tutorials, vol. 15, no. 4, pp. 1888–1906, 2013. [4] J. Turner and D. Taylor, “Diversifying the Internet,” in proc. of IEEE GLOBECOM, vol. 2, 2005, pp. 755–760.

[5] I. Houidi, W. Louati, W. B. Ameur, and D. Zeghlache, “Virtual network provisioning across multiple substrate networks,” Computer Networks, vol. 55, no. 4, pp. 1011 – 1023, 2011. [6] Y. Zhu and M. Ammar, “Algorithms for assigning substrate network resources to virtual network components,” in proc. of IEEE INFOCOM, 2006, pp. 1–12. [7] M. Yu, Y. Yi, J. Rexford, and M. Chiang, “Rethinking virtual network embedding: Substrate support for path splitting and migration,” SIGCOMM Comput. Commun. Rev., vol. 38, no. 2, pp. 17–29, 2008. [8] M. Chowdhury, M. Rahman, and R. Boutaba, “Vineyard: Virtual network embedding algorithms with coordinated node and link mapping,” IEEE/ACM Transactions on Networking, vol. 20, no. 1, pp. 206–219, 2012. [9] R. Gomes, L. Bittencourt, and E. Madeira, “A virtual network allocation algorithm for reliability negotiation,” in proc. of IEEE ICCCN, July 2013, pp. 1–7. [10] F. Samuel, M. Chowdhury, and R. Boutaba, “PolyViNE: policy-based virtual network embedding across multiple domains,” Journal of Internet Services and Applications, vol. 4, no. 1, pp. 1–23, 2013. [11] C. Wang, C. Wang, and Y. Yuan, “Game based dynamical bandwidth allocation model for virtual networks,” in proc. of IEEE ICISE, 2009, pp. 1745–1747. [12] Y. Xin, I. Baldine, A. Mandal, C. Heermann, J. Chase, and A. Yumerefendi, “Embedding virtual topologies in networked clouds,” in proc. of ACM CFI, 2011, pp. 26–29. [13] A. Belbekkouche, M. M. Hasan, and A. Karmouch, “Resource discovery and allocation in network virtualization,” IEEE Communications Surveys Tutorials, vol. 14, no. 4, pp. 1114–1128, 2012. [14] F. Zaheer, J. Xiao, and R. Boutaba, “Multi-provider service negotiation and contracting in network virtualization,” in proc. of IEEE NOMS, 2010, pp. 471–478. [15] O. Goldreich, Foundations of Cryptography, Volume 2, Basic Applications. Cambridge University Press, 2004. [16] T. Mano, K. Mizutani, and O. Akashi, “Secure resource provisioning across multiple domains,” in proc. of IFIP/IEEE IM, 2013, pp. 1129– 1134. [17] J. Brickell and V. Shmatikov, “Privacy-preserving graph algorithms in the semi-honest model,” in Proc. of Advances in Cryptology, ser. Lecture Notes in Computer Science. Springer, 2005, vol. 3788, pp. 236–252. [18] M. Fukushima, K. Sugiyama, T. Hasegawa, T. Hasegawa, and A. Nakao, “Minimum disclosure routing for network virtualization and its experimental evaluation,” IEEE/ACM Transactions on Networking, vol. 21, no. 6, pp. 1839–1851, 2013. [19] S. Machiraju and R. H. Katz, “Verifying global invariants in multiprovider distributed systems,” in Proc. of ACM HotNets, 2004, pp. 149– 154. [20] M. Burkhart, M. Strasser, D. Many, and X. Dimitropoulos, “SEPIA: Privacy-preserving aggregation of multi-domain network events and statistics,” in Proc. of USENIX Security, 2010, pp. 15–15. [21] M. Zhao, W. Zhou, A. J. Gurney, A. Haeberlen, M. Sherr, and B. T. Loo, “Private and verifiable interdomain routing decisions,” SIGCOMM Comput. Commun. Rev., vol. 42, no. 4, pp. 383–394, 2012. [22] D. J. Newman, “The double dixie cup problem,” American Mathematical Monthly, pp. 58–61, 1960. [23] Z. Beerliov´a-Trub´ıniov´a and M. Hirt, “Efficient multi-party computation with dispute control,” in Theory of Cryptography, ser. Lecture Notes in Computer Science. Springer, 2006, vol. 3876, pp. 305–328. [24] E. Zegura, K. Calvert, and M. Donahoo, “A quantitative comparison of graph-based models for Internet topology,” IEEE/ACM Transactions on Networking, vol. 5, no. 6, pp. 770–783, Dec 1997. [25] K. Hamada, R. Kikuchi, D. Ikarashi, K. Chida, and K. Takahashi, “Practically efficient multi-party sorting protocols from comparison sort algorithms,” in Information Security and Cryptology, ser. Lecture Notes in Computer Science. Springer, 2013, vol. 7839, pp. 202–216. [26] T. Toft, “Primitives and applications for multi-party computation,” Ph.D. dissertation, Aarhus UniversitetAarhus University, Science and TechnologyScience and Technology, Institut for DatalogiDepartment of Computer Science, 2007. [27] P. Bogetoft, I. Damgłrd, T. Jakobsen, K. Nielsen, J. Pagter, and T. Toft, “A practical implementation of secure auctions based on multiparty integer computation,” in Financial Cryptography and Data Security, ser. Lecture Notes in Computer Science. Springer, 2006, vol. 4107, pp. 142–147.