A cryptographic cloud-based approach for the mitigation of the airline cargo cancellation problem

In order to maintain good long-term relationships with their main customers, Airline Cargo companies do not impose any fee for last-minute cancellations of shipments. As a result, customers can book the same shipment on several cargo companies. Cargo companies try to balance cancellations by a corresponding volume of overbooking. However, the considerable uncertainty in the number of cancellations does not allow them to fine-tune the optimal overbooking level, causing losses. In this work, we show how the deployment of cryptographic techniques, enabling computation on the private information of customers and on companies' data, can improve the overall service chain, allowing for striking and enforcing better agreements. We propose a query system based on proxy re-encryption and show how the relevant information can be extracted while still preserving the privacy of customers' data. Furthermore, we provide a Game Theoretic model of the use case scenario and show that it allows a more accurate estimate of the cancellation rates. This supports the reduction of the uncertainty and allows the overbooking level to be better tuned.

1 Introduction

as rightfulness, and make the share of the risk among the parties less unfair. Typically, if an indicator of the non-justifiability/rightfulness/legitimacy of a given behavior could be made available (without violating confidentiality), most dysfunctional behaviors could be assigned a penalty by an enforceable contract, thus discouraging that behavior.

With respect to excess reservation, the hidden information concerns the actual capacity demand by the suppliers: this information can be forecast, based on private information known to FFs and not to ACCs; making this information available in aggregated form to the ACCs could help the latter to tune the overbooking. We return to this point in the Discussion and Conclusions section: our focus here is on the multiple reservation problem.

With respect to multiple reservation, at shipment time, the hidden information, known by the FF but not by the ACC, consists in whether the FF has actually sent the load through another ACC. This information, though, is present in the airline cargo companies' records. An ACC could require, by contract, that a FF not book the same cargo across several ACCs (in exchange, the ACC could offer incentives in the form of moderate discounts in case the spot price falls below some threshold). This is a condition that a FF could agree to accept, even if it restricts its operational freedom: indeed, it is unlikely that a FF defends the right to no-shows motivated by the use of

In this paper we propose a privacy preserving query system that protects users' data, still allowing the detection of misbehavior from one of the participants. Synergies between ACCs and their customer FFs and synergies among ACCs motivate the adoption of the above described solutions: the cost of such an audit system could be shared among the participants.

Hereafter we develop the design of the system to counter the problem of multiple reservations: we plan to discuss in a future work the problem of excess reservation and the corresponding solution. Thus, the main contribution of the present work is the description of an audit system for multiple reservation detection based on cryptographic techniques.

Obviously, such an audit system has a cost, not only for its construction and deployment, but also for its operation. It is well known that some SMC queries can be rather expensive and time consuming. Some important elements to take into account are the following: in the business scenario described, the burden of the proof is upon the ACC, i.e. the ACC has to pay for the audit, so as to prove that the cancellation is illegitimate, in order to apply a fine; furthermore, cancellations happen rather frequently and most of the time they do not correspond to multiple booking. Consequently it is impractical and can be economically disadvantageous for the ACC to run an audit at each cancellation: the ACCs can afford, instead, the adoption of a random sampling schema (randomness is used to grant non-predictability). Thus, not all the violations will be detected. This fact is known to the FFs, which can count on some level of impunity, depending on the audit rate of the ACC. In turn, the ACC is aware of this possibility for the FFs and might try to tune the audit rate accordingly.

Such an interdependent decision landscape - where the system consists of

overbooking rate to be used as a countermeasure. Notice, in passing, that in this case, the players' rationality is a sound assumption: whereas individuals, forced to take decisions under condition of uncertainty, often act irrationally, profit oriented organizations tend in general to act rationally.

The paper is organized as follows: in Section 2 the scenario, the system solution and the corresponding protocol are formally defined; in Section 3 the Game Theoretic Model of the use case is developed and the equilibrium solution is given; there, we also point out how the system can reduce the relative error of the cancellation rate estimate; a brief discussion of the future work, in Section 4, concludes the paper.

In the next section, we will propose a fast equality test for multi-owner

Setup. On input a security parameter $\lambda$, a randomized algorithm is run by the Trusted Authority $TA$ to output system public parameters and master key.

- Setup($1^\lambda$): $TA$ takes as input a security parameter $\lambda$ and picks two prime numbers $p, q$ with $p - 1 = 2q$. It generates a cyclic group $G$ with generator $g$ such that $G$ is the unique order-$q$ subgroup of $\mathbb{Z}_p^* = \{1, 2, \ldots, p - 1\}$, and then picks a random key $K_M$ uniformly from $\mathbb{Z}_q^*$ to output the system master key $MK$ and the corresponding system public parameters $\mathit{Param} = G, g, q$.

and divides it into two shares $k_{j1}$ and $k_{j2}$ such that $k_j \leftarrow k_{j1} + k_{j2}$.

The $TA$ computes the user's cloud side key $k_j \leftarrow MK - k_j$ and securely returns keys $(j, k_{j1})$, $k_{j2}$ and $(j, k_j)$ to the proxy, the user and the cloud service provider, respectively.

ElGamal encryption to obtain

$$C_0^* = \left(g^{rt}, (g^{rt})^{k_i} \cdot g^{rt k_i} g^{t.A}\right) = \left(g^{rt}, g^{rt MK} g^{t.A}\right)$$

$$C_1^* = \left(g^{rt}, (g^{rt})^{k_i} \cdot g^{rt k_i} g^{rt}\right) = \left(g^{rt}, g^{rt MK} g^{rt}\right)$$

$$C_2^* = \left(g^{rc}, (g^{rc})^{k_i} \cdot g^{rc k_i} g^{rt}\right) = \left(g^{rc}, g^{rc MK} g^{rt}\right)$$

3. Re-encrypts $I_i$ with proxy side key as

- Q-Search($j, k_j, C^*(T_i), q_v$): On input the user query $q_v$, the cloud server does the following:

1. Sends user query to the proxy server who re-encrypts the query with user's proxy side key $k_{j1}$ to get
2. Re-encrypts $q_v$ with the user's cloud side key to output
3. Upon receiving each $C^*(T_i)$ from the proxy server, the cloud ser-

As anticipated in the introduction, the operation of the query system described in the previous section is far from being costless: the system implies a series of economic costs, not only for construction, deployment, maintenance and ordinary information update, but also per query computation. We focus on the cost per query, and assume that the cost of a query is incurred by the querying agent, in our case an ACC.
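The key splitting and layered ElGamal-style re-encryption from the Setup, key-generation and encryption steps above, as an added example (not the paper's own code). The toy group, the function names (`keygen`, `pipeline`, `k_cloud` and so on) and the user, proxy, cloud order of the steps are assumptions; the point is that every record ends up masked by $g^{r \cdot MK}$ whichever split the TA chose.

```python
# Added example, not from the paper. Toy parameters: far too small for real use.
import secrets

P, Q, G = 2039, 1019, 4   # constructed safe-prime pair: P - 1 = 2*Q; G = 2^2 has order Q

def rand_zq():
    """Uniform element of Z_q^* = {1, ..., Q - 1}."""
    return secrets.randbelow(Q - 1) + 1

def keygen(mk):
    """TA side: split a fresh user key k_j into proxy and user shares and
    derive the cloud-side key MK - k_j (all arithmetic mod Q)."""
    k_j = rand_zq()
    k_j1 = rand_zq()              # proxy-side share
    k_j2 = (k_j - k_j1) % Q       # user-side share: k_j1 + k_j2 = k_j
    k_cloud = (mk - k_j) % Q      # cloud-side key
    return k_j1, k_j2, k_cloud

def user_encrypt(k_j2, value):
    """User side: (g^r, (g^r)^{k_j2} * g^value) with fresh randomness r."""
    r = rand_zq()
    c1 = pow(G, r, P)
    return c1, pow(c1, k_j2, P) * pow(G, value, P) % P

def re_encrypt(share, ct):
    """Proxy or cloud side: fold another key share into the mask."""
    c1, c2 = ct
    return c1, c2 * pow(c1, share, P) % P

def unmask(mk, ct):
    """Strip g^{r*MK}; succeeds only if the shares applied sum to MK."""
    c1, c2 = ct
    return c2 * pow(c1, (-mk) % Q, P) % P

def pipeline(mk, value):
    """One record through user -> proxy -> cloud (assumed order)."""
    k_j1, k_j2, k_cloud = keygen(mk)
    ct = user_encrypt(k_j2, value)
    ct = re_encrypt(k_j1, ct)          # now masked by g^{r*k_j}
    return re_encrypt(k_cloud, ct)     # now masked by g^{r*MK}

if __name__ == "__main__":
    mk = rand_zq()
    a, b = pipeline(mk, 42), pipeline(mk, 42)   # two owners, same constructed value
    print(unmask(mk, a) == unmask(mk, b) == pow(G, 42, P))
```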

There is a wide literature on the cost of queries in cryptographic distributed systems (indeed one of the main assessment metrics for cryptographic protocols is efficiency); however, the analysis of such costs is out of the scope of the present work: here it is important to know that they consist both in communication and computation costs and that in some cases the cost of a query is considerable. We assume that the expected cost of a query can be estimated with reasonable accuracy and refer to such a cost by $c$. For the sake of simplicity, we also assume that such cost is essentially the same for every query.

The point is the following: if $c > 0$, then, depending on the rate at which a cancellation corresponds to a multiple reservation, it may or may not be economically advantageous for the ACC to adopt an exhaustive audit strategy. We develop this point further below.

represents the difference between that forward price and the "spot market" price for that capacity: $b$ is the saving that the FF obtains through cheating. We assume that, if the violation by the FF is discovered, the FF has to pay to the ACC a compensation at least equal to the forward price of the capacity.

This represents a penalty to the FF. This amount is specified in the contract. We indicate this amount by $a$ (for amends, in the sense of penalty/fine).

Let us note, in passing, that $b < d \le a$; this fact, however (as well as the amount by which $a$ is greater than $d$), is inessential for the following discussion: as we

In practical cases, however, the cost $c$ of a query is high enough and the order of magnitude of the violation rate $p$ is low enough for $dp$ to be less than $c$.

This is mainly due to the fact that cancellations can happen for many reasons, most of them legitimate, many of them related to the intrinsic inefficiency of a complex system such as the air cargo service supply chain. Since $c > dp$, auditing all the cancellations would not represent a paying strategy for the ACC. Thus, the deterministic strategy does not apply.

The ACC has to resort to some form of random-sampling based auditing: it should audit with probability $0 < q < 1$: its problem becomes choosing the op-

The total cancellation rate is defined as

where $R$ is a known constant representing the total number of reservations to an ACC from a FF, $X$ is the total number of cancellations due to multiple reservations, while $Y$ is the total number of cancellations due to other causes, whereas $x = X/R$ and $y = Y/R$. In practice $x$ and $y$ are not known.

The revenue manager normally tries to find an estimate $\hat{x}$ of $x$ and an estimate $\hat{y}$ of $y$: the two estimates will be affected by uncertainties, expressed by the variances $\sigma^2(\hat{x})$ and $\sigma^2(\hat{y})$, so that the variance of the overall estimate $\hat{z}$ of the cancellation rate, $\sigma^2(\hat{z}) = \sigma^2(\hat{x}) + \sigma^2(\hat{y}) - \operatorname{cov}(x, y)$, under the hypothesis of independence, will be $\sigma^2(\hat{z}) = \sigma^2(\hat{x}) + \sigma^2(\hat{y})$. The relative error is defined as

$$\frac{\sigma(\hat{z})}{z} = \frac{\sqrt{\sigma^2(\hat{x}) + \sigma^2(\hat{y})}}{x + y}$$

If, as we did using GT, we find that the quantity $X$ is tied to the quantity $Y$ by a fixed ratio $p^*$, with $r = p^*/(1 - p^*)$, then the overall estimate reduces to the estimate of $y$:

$$z = y(1 + r)$$

and the relative error on the estimate reduces to the relative error on $y$ alone

This represents a considerable improvement in the estimate, which allows the

multiple reservation by proposing the use of a query system based on a privacy preserving cryptographic technique.

The audit method can be used within a randomized inspection schema which, modeled by Game Theory, allows the optimal rates of inspection and of cancellation, respectively, to be predicted. We show that the prediction of the rate of cancellation due to multiple reservations reduces the uncertainty on the overall cancellation rate and allows the revenue management of Cargo companies to better tune the overbooking level.

In the future, we plan to develop this work further by a more detailed specification of the system based on realistic data from the application domain; furthermore, we plan to refine the Game Theoretic model - for the prediction of the cancellation rate originated by multiple reservation - by lifting several simplifying assumptions adopted in the present paper.

Finally, we plan to extend the approach also to leverage the private infor-