Secure Collaborative Planning, Forecasting, and Replenishment (SCPFR)

Mikhail Atallah* · Marina Blanton* · Vinayak Deshpande** · Keith Frikken* · Jiangtao Li* · Leroy B. Schwarz**

* Department of Computer Sciences ** Krannert School of Purdue University West Lafayette, IN 47907

May 30, 2005

Extended Abstract

1. Introduction

It is well known that information-sharing about inventory levels, order-status, demand forecasts, production/delivery schedules, etc. can dramatically improve supply-chain performance. Lee and Whang (2000) describe several real-world examples. The reason for this improvement, of course, isn’t information-sharing per se, but rather that shared information improves decision-making. However, despite its well-known benefits, many companies are averse to sharing their so-called “private” information, fearful that their partner(s) or competitor(s) will take advantage of it.

Secure Multi-Party Computation (SMC) provides a framework for supply-chain partners to make collaborative forecasts and/or collaborative decisions without disclosing private information to one another; and, most important, without the aid of a “trusted third party”. SMC accomplishes this through the use of so-called protocols. An SMC protocol involves theoretically-secure hiding of private information (e.g., encryption), transmission, and processing of hidden private . Since private information is never available in its original form (e.g., if encryption is used to hide the data, it is never decrypted), any attempt to hack or misuse private information is literally impossible.

In our research, we apply SMC protocols to facilitate collaborative forecasting and inventory-replenishment decisions between a single supplier and a single retailer. The model is an extension of Clark and Scarf (1960). The business process is CPFR: Collaborative Planning, Forecasting, and Replenishment. Hence, the acronym “SCPFR” for Secure CPFR.

1.1 Overview/Summary

This research describes privacy-preserving protocols for collaborative forecasting and inventory planning. The business scenario is a 2-stage, serial (supplier-retailer) supply chain facing periodic stochastic retailer demand. Our model is based on that of Clark and Scarf (1960) except customer demand is nonstationary. More specifically, during each time period, the retailer experiences customer demand generated by a state-dependent linear process. The only inventory available to satisfy this demand is the retailer’s on-hand inventory at the beginning of that time period (after receiving any orders due for delivery that period). Excess customer demand is backordered, and all retailer end-of-period backorders incur a penalty cost of \$$p_R$/unit. Retailer end-of-period inventory is charged a holding cost of \$$h_R$/unit. At the beginning of each time period, after receiving any units delivered that time period, but before demand occurs, the retailer has the opportunity to place an order on the supplier. In our analytical model, negative orders (i.e., instantaneous returns) are permitted without penalty, as they are in other models of nonstationary demand. There is no fixed order cost. If the supplier’s inventory is inadequate to fill the retailer’s order entirely, the supplier will ship only a partial order, backordering the remainder until its own inventory is adequate to fill it. The supplier-to-retailer delivery leadtime is a fixed $L_R$ periods. The supplier incurs an inventory-holding cost of \$$h_S$/unit on its end-of-period inventory each period ($h_S$ In addition, the supplier incurs a backorder-penalty cost of \$$p_S$/unit on customer backorders at the retailer. Like the retailer, the supplier can place an order (or make an instant, costless return) at the beginning of each period. The supplier’s source of supply is infinite. The leadtime on supplier orders is a fixed $L_S$ periods.

The privacy concerns of each company are as follows: Each company has private information (e.g. signals) with respect to retail-customer demand. Each company’s private information would improve the collaborative forecast, but neither company desires to disclose that information to its partner. Each company also has private information (e.g., retailer’s inventory-holding cost, manufacturer’s production cost), which, if centralized, could lead to a “coordinated” (i.e., first-best) decision, but both companies desire to maintain its privacy, too.

Under the collaborative policy our incentive-compatible SCPFR protocols determine a collaborative forecast of future customer demand, and, based on these, the target base-stocks of both partners that will minimize supply-chain expected cost. Based on these, and their private inventory status, the retailer and supplier are then instructed how much to order.

The contributions of this research are as follows:

1) First to address privacy and incentive-compatibility issues in CPFR.

2) First to demonstrate that information-sharing isn’t necessary to achieve in a supply-chain. In particular, we: (a) demonstrate that forecasting and inventory-replenishment can be done collaboratively without disclosing the private information of either the supplier or retailer; and (b) construct incentive-compatible mechanisms for collaborative forecasting.

3) Demonstrate that it is difficult/impossible for either party to determine the private information of its partner using its own private information and the orders it is instructed to make by the SCPFR protocols. This is an important practical consideration; i.e., why use SMC techniques if participants can compute their partners’ private inputs?

4) Demonstrate the benefits of SCPFR using .

5) Provide practical SMC protocols. That is, given their privacy-preserving nature, certain simple mathematical processes become very complex. Each table look-up, for example, if done in a secure manner, has complexity proportional to the size of the table. We reformulate such processes to make them more computationally efficient.

2. A Model of Collaborative Forecasting and Planning

We examine a supply-chain with two players, a supplier selling to a retailer. Our assumptions are the same as those of Clark and Scarf except that, in our model, customer demand in period $t$, $d_t$, is realized from a state-dependent linear process, as described below. The retailer observes demand over time and uses these observations to forecast future customer demand. These forecasts are then used by the retailer to place replenishment orders to the supplier. The retailer and the supplier also receive independent “signals” about market demand in the future. For example, a retailer has private information about “promotions” that he may be planning to run in the future which can affect his forecast of demand. Similarly, the supplier can receive signals about overall “market trends” which can influence future demand for the product.

In the collaborative scenario, a joint forecast is created by incorporating past observations of demand as well as the retailer’s and supplier’s signals about future demand. As a result, the forecast accuracy of the demand process improves. The primary goal of our research is to provide protocols such that this forecasting and inventory planning can be conducted in a “secure” fashion, i.e., the protocols would preserve the privacy of each participant’s private information. Thus the collaborative forecast should be computed without actually revealing the retailer’s past observations of demand and his signals about future demand to the supplier, and without revealing the supplier’s signals to the retailer. In the next sub-sections we present a mathematical framework for the secure collaborative forecasting.

2.1 Demand Model and Forecasting Process

We assume that the demand follows a linear process given by the following equation:

$$d_t = \mu + \theta_r \sum_{i=1}^{T} \delta^r_{t,i} + \theta_s \sum_{i=1}^{T} \delta^s_{t,i} + \epsilon_t$$

Here $d_t$ denotes the demand realization in period $t$, while $\delta^j_{t,i}$ indicates the signal observed by player $j$ about period $t$ demand in period $t - i$. For example, $\delta^r_{t,i}$ may represent the impact of a promotion that the retailer plans to run in period $t$ as measured in period $t - i$. Similarly, $\delta^s_{t,i}$ may represent the impact of new product introductions by the supplier in period $t$ as estimated in period $t - i$. Our demand model is similar to the one proposed by Aviv (2002), except that we do not capture intertemporal correlation between demands in consecutive periods. As in Aviv (2002), we further assume that the signals and the error term are normally distributed, i.e., $\delta^r_{t,i} \sim N(0, \sigma_{r,i})$, $\delta^s_{t,i} \sim N(0, \sigma_{s,i})$, $\epsilon_t \sim N(0, \sigma_0)$.

The key difference between our model and Aviv’s is that information is split between the retailer and the supplier. Thus, in each period $t$ the retailer observes the demand, $d_t$, and demand signals up to $T$ periods in future, $\delta^r_{j,j-t}$, $j = t+1, \ldots, t+T$, but these observations are not known to the supplier. Similarly, in each period $t$, the supplier observes signals about demand up to $T$ periods in future, $\delta^s_{j,j-t}$, $j = t+1, \ldots, t+T$, but these observations are not known to the retailer. As a result, the parameters of the demand process, i.e., $\mu$, $\theta_r$, and $\theta_s$ are not known either to the supplier or the retailer.

In the collaborative forecasting scenario, the forecast is based on both the retailer’s and supplier’s observations. Hence the forecast is now determined as follows:

1. In each period $t$, estimate $\hat{\mu}$, $\hat{\theta}_r$, and $\hat{\theta}_s$ by regressing the observations $d_t$ versus the observed signals $\delta^r_{t,i}$ and $\delta^s_{t,i}$.

2. For the forecast horizon (T periods) construct the forecast using the following equation:

$$\hat{d}_j = \hat{\mu} + \hat{\theta}_r \sum_{i=j-t}^{T} \delta^r_{j,i} + \hat{\theta}_s \sum_{i=j-t}^{T} \delta^s_{j,i}, \qquad j = t+1, \ldots, t+T \qquad (1)$$

where $\hat{d}_j$ is the forecast of the mean demand in period $j$.

2.2 The Collaborative Inventory Planning Policy

By definition, the retailer’s echelon inventory is the same as its local inventory; while the supplier’s echelon inventory equals the total supply-chain inventory; i.e., inventory at the retailer, plus inventory at the supplier, plus any inventory in transit between the supplier and the retailer. Define $y_S$ and $y_R$ to be the echelon base stocks of the supplier and retailer, respectively. The goal of the collaborative inventory planning process is to determine the optimal echelon base-stock levels in each period, to minimize the total supply chain costs.

Clark and Scarf prove that the optimal $(y_S, y_R)$ which minimizes the total supply-chain costs can be determined sequentially, first, by finding the $y_R^*$ and then $y_S^*$. Hence, assuming the existence of a so-called “trusted third party,” the determination of $(y_S^*, y_R^*)$ is straightforward. We describe the corresponding secure sequential determination of $(y_S^*, y_R^*)$ in Atallah et al. (2005), which does not need a “trusted third party”.

2.3 Secure Process for Forecasting and Inventory Planning

We now describe the steps needed for secure collaboration between the retailer and the supplier, i.e., a process which does not reveal private information to either party. This is described by the following 5-step process:

1) Retailer and supplier input their (private) cost parameters, $h_R$, $p_R$, $h_S$, $p_S$, to the protocol. This information is kept private by the protocol.

2) In period $t$, retailer inputs his (private) information $d_{t'}$ where $t' = 1, \ldots, T$, $\delta^r_{j,i}$ where $j = 0, \ldots, t+T$ and $i = j-t, \ldots, T$, and inventory status $OH^R_t$, $BO^R_t$, and $OO^R_t$. Supplier inputs his (private) information $\delta^s_{j,i}$ where $j = 0, \ldots, t+T$ and $i = j-t, \ldots, T$, and inventory status $OH^S_t$, $BO^S_t$, $OO^S_t$. This information is kept private and not revealed to anyone.

3) The secure forecasting protocol (described in Section 3) is run to compute the demand forecasts $\mu[t, t+L_R+1]$, $\mu[t, t+L_S]$, and $\mu[t, t+L_1+L_2+1]$. These forecasts are computed in a split fashion and hence kept private. They serve as an input to the inventory planning process in the next step.

4) The secure inventory planning protocol (can be found in Atallah et al. (2005)) is run to compute the retailer’s and supplier’s optimal base-stock levels $y_R^*$ and $y_S^*$. This information is also computed in split fashion and kept private. This serves as an input to the next step.

5) The secure replenishment protocol (can be found in Atallah et al. (2005)) is run to compute the retailer’s and supplier’s ordering decisions. The protocol computes the order quantities $q_R = y_R^* - IP_R$ and $q_S = y_S^* - IP_S$. Each player learns their order quantity and nothing else from the protocol.

3. Secure Protocols for Forecasting

In this extended abstract we give only a secure demand forecasting protocol; secure inventory planning and secure replenishment protocols can be found in Atallah et al. (2005). These protocols rely on usage of cryptographic primitives and secure protocols for basic sub-tasks, which we briefly review here. One of the key notions is the notion of additively split data. An item $x$ is said to be additively split between the supplier and retailer if the supplier has $x_s$ and the retailer has $x_r$ such that $x = x_s + x_r$, but the value of $x$ is not known to either party. Using this notion, we show how to securely perform split addition and subtraction. In addition, usage of homomorphic encryption (encryption that allows one to perform arithmetic operations directly on encrypted data) permits us to construct protocols for secure split multiplication and division. Other building blocks that are used in the forecasting and planning protocols are: secure scalar product, secure polynomial evaluation, secure matrix multiplication, secure matrix inversion, and secure comparison. We refer the reader to Atallah et al. (2005) for a detailed description of these concepts and protocols.

Next, we present our secure forecasting protocol. Figure 1 gives a protocol that securely computes $\hat{d}_j$, where $t+1 \le j \le t+T$, from equation (1) given additively split estimates ($\hat{\mu}$, $\hat{\theta}_r$, and $\hat{\theta}_s$).

Correctness of the answer produced by this protocol follows from Equation (1), which it faithfully implements. As long as the split multiplication protocol and the split addition protocol are secure, by the composition theorem of Canetti (2000), the secure demand forecasting protocol is secure.
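The protocol of Figure 1 for a single period $j$, written out as an added example (it is not code from the paper). It assumes semi-honest parties, integer fixed-point inputs, and shares taken modulo a toy Paillier modulus; the `cross_term` step is a textbook Paillier-based construction standing in for the split multiplication protocol of Atallah et al. (2005), which this abstract does not spell out, and all function names are hypothetical.

```python
import secrets

# Toy Paillier key built from two Mersenne primes (constructed; far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
N2 = N * N

def enc(m):
    """Encrypt m under Supplier's public key N."""
    r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def dec(c):
    """Decrypt with PHI, which only Supplier holds."""
    return (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N

def split(x):
    """Additively split x into (x_s, x_r) with x_s + x_r = x (mod N)."""
    x_s = secrets.randbelow(N)
    return x_s, (x - x_s) % N

def signed(x):
    """Map a residue mod N back to a signed integer."""
    x %= N
    return x - N if x > N // 2 else x

def cross_term(x_supplier, y_retailer):
    """Split product x*y: Supplier holds x, Retailer holds y."""
    c = enc(x_supplier)                              # Supplier -> Retailer
    rho = secrets.randbelow(N)                       # Retailer's blinding value
    c = pow(c, y_retailer % N, N2) * enc(-rho) % N2  # Enc(x*y - rho), sent back
    return dec(c), rho                               # (Supplier share, Retailer share)

def secure_forecast(mu, th_r, th_s, delta_s, delta_r):
    """Figure 1 for one period j; mu, th_r, th_s are (Supplier, Retailer) share pairs."""
    v_s, v_r = sum(delta_s), sum(delta_r)            # step 1: local sums
    a_s, a_r = cross_term(th_r[0], v_r)              # step 2: w_r = th_r * v_r
    w_r = (a_s, a_r + th_r[1] * v_r)
    b_s, b_r = cross_term(v_s, th_s[1])              #         w_s = th_s * v_s
    w_s = (b_s + th_s[0] * v_s, b_r)
    d_s = (mu[0] + w_r[0] + w_s[0]) % N              # step 3: split addition is local
    d_r = (mu[1] + w_r[1] + w_s[1]) % N
    return d_s, d_r

if __name__ == "__main__":
    # Constructed fixed-point inputs: signals and thetas x100, mu x10^4.
    mu, th_r, th_s = split(5_000_000), split(120), split(80)
    d_s, d_r = secure_forecast(mu, th_r, th_s, [-300, 75], [150, -25, 40])
    print(signed(d_s + d_r) / 10**4)
```

Each party's output share is uniformly distributed on its own; only the sum of the two shares equals the forecast of equation (1).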

Input: Supplier knows the $\delta^s_{j,i}$’s and Retailer knows the $\delta^r_{j,i}$’s, for all $j, i$ such that $j = t+1, \ldots, t+T$ and $i = j-t, \ldots, T$. The parameters $\hat{\mu}$, $\hat{\theta}_r$, and $\hat{\theta}_s$ are available in additively split form, i.e., for each $x \in \{\hat{\mu}, \hat{\theta}_r, \hat{\theta}_s\}$ Supplier (Retailer) has a random $x_s$ (resp., $x_r$) such that $x = x_s + x_r$.

Output: Supplier and Retailer obtain $\hat{d}^s_j$ and $\hat{d}^r_j$, respectively, for all $j = t+1, \ldots, t+T$ where $\hat{d}_j = \hat{d}^s_j + \hat{d}^r_j$.

Protocol Steps:

1. For each $j \in \{t+1, \ldots, t+T\}$, Supplier computes $v^s_j = \sum_{i=j-t}^{T} \delta^s_{j,i}$. This is a “local” computation, as Supplier has all the $\delta^s_{j,i}$ values. Retailer similarly computes $v^r_j = \sum_{i=j-t}^{T} \delta^r_{j,i}$ for all $j \in \{t+1, \ldots, t+T\}$.

2. For each $j \in \{t+1, \ldots, t+T\}$, Supplier and Retailer run a split multiplication protocol twice, once to compute $w^r_j = \hat{\theta}_r v^r_j$ and once to compute $w^s_j = \hat{\theta}_s v^s_j$ (both in split fashion).

3. For each $j \in \{t+1, \ldots, t+T\}$, Supplier and Retailer run a split addition protocol to compute $\hat{\mu} + w^r_j + w^s_j$, which is equal to $\hat{d}_j$.

Figure 1: Secure demand forecasting protocol.

References

[1] Atallah, M.J., M. Blanton, V. Deshpande, K. Frikken, J. Li, and L. Schwarz. 2005. Secure Collaborative Planning, Forecasting, and Replenishment (SCPFR). Working Paper, Purdue University.

[2] Aviv, Y. 2002. Gaining Benefits from Joint Forecasting and Replenishment Processes: The Case of Auto-Correlated Demand. Manufacturing & Service Operations Mgmt. 4(1), Winter 2002, pp. 55-74.

[3] Canetti, R. 2000. Security and Composition of Multiparty Cryptographic Protocols. Journal of Cryptology 13(1), 143–202. Springer.

[4] Clark, A., H. Scarf. 1960. Optimal Policies for a multi-echelon inventory problem. Management Science, 40, p1426-1443.

[5] Lee, H. L., S. Whang. 2000. Information Sharing in a Supply Chain. International Journal of , 20(3/4), p373-387.
