Survey on e-Auction
Presenter: Nguyen Hoang Anh
NordSecMob
Jan 05, 2016
Outline
- Introduction to e-Auction
  - What is an auction?
  - Desired properties for an e-Auction scheme
  - Basic e-Auction protocol
- e-Auction scheme
  - English auction
  - First-price sealed bid auction
  - Second-price sealed bid auction (Vickrey auction)
- Conclusion

Introduction to e-Auction
- An auction is a method of trading goods that do not have a fixed price
- An auction is based on competition and reflects the essence of the market
  - The sellers wish to sell their goods for as high a price as possible, the buyers want to pay as little as necessary
- Roles: Bidder (buyer) – Seller – Auctioneer (trusted third party)

Introduction to e-Auction
- Types of auctions:
  - English auction
  - Dutch auction
  - Sealed-bid auction: First-price, Second-price, (M+1)st-price

Desired properties
- Non-repudiation
- No framing
- Traceability
- Public verifiability
- Unlinkability
- Robustness
- Efficiency of bidding

Desired properties
- Fairness
  - All bids should be dealt with in a fair way, e.g., no information about bidding will be disclosed to give any bidder an unfair advantage
- Bidder privacy
  - No bidder's identity or trading history will be revealed, even after the auction session. The secrecy of losing bids should be kept.
- Correctness of system
  - The winning bid is the highest among the bids that were placed. The winner is the person who made that bid

Basic auction protocol
- Initialization
  - Auctioneer sets the system parameters and publishes them
- Bidder registration
  - A bidder sends the Auctioneer her/his public key to register
- Auction preparation
  - The Auctioneer computes the preparation data for each auction. A bidder may download her/his information for bidding
- Bidding
  - A bidder computes her/his bid information and places her/his bid
- Opening a winning bid
  - The Auctioneer computes only a winning bid while keeping the other bids secret (not needed in public auction)
- Winner decision
  - The Auctioneer identifies only a winner while keeping the losers' anonymity

English auction scheme
- Proof of knowledge
  - PK(y = P()) is the proof of knowledge between two parties: given the publicly known value y, the Prover knows the value of such that the predicate P() is true.
- Signature based on a Proof of Knowledge (SPK)
  - SPK[(): y = g] (m)

English auction scheme
- 2 Bulletin Board System (BBS)
  - Bulletin board is a place where people can leave public messages, e.g., to advertise things, announce events, or provide information
  - Can be read by anybody, but can be written only by an authority => Helps reduce communication complexity
- 2 separate roles
  - AM: Auction Manager
    - Prepare for auctions
    - Carry out several auctions
    - Manage the current bid value
  - RM: Registration Manager
    - Manage the participants of auctions
    - Prepare for auctions
    - Identifies a certain bidder at the request of AM

English auction scheme
[Protocol diagram, from Kazumasa OMOTE. A study on Electronic Auctions, 2002]
- Alice holds (y1, x1, m1), with y1 = g^x1
- Public keys: Alice: y1, Bob: y2, Carol: y3, ...
- 1. Registration: (y1, V11), with V11 = SPK[(): y1 = g] (mR)
- 2. Preparation: g^r and y3^r, y1^r, y2^r, ...; then g^{rs} and the list T2 = y2^{rs}, T3 = y3^{rs}, T1 = y1^{rs}, ...
- 3. g^{rs}
- 4. T1 = (g^{rs})^x1
- 5. Bidding: (3, m1, V21), with V21 = SPK[(): T1 = (g^{rs})] (mR); current bid value
- 6. Winner decision: V31, with V31 = SPK[(): T1 = (y1^r)] (mR)

English auction scheme
- Properties
  - Linkability in an auction (same Ti in one auction)
  - Unlinkability among different auctions (different Ti-s for different auctions)
  - No single authority can break anonymity and secrecy of bids

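The pseudonym mechanics behind these properties, as an added Python example that is not part of the original slides or of the cited scheme's code. It assumes RM holds the blinding exponent r and AM holds s, both fresh per auction, uses a toy modulus, and leaves out the SPK proofs; all class and function names are hypothetical.

```python
import secrets

P = 2**127 - 1  # toy prime modulus, constructed for this demo (not a secure group)
G = 3

def rand_exp():
    return secrets.randbelow(P - 3) + 2

def keygen():
    """Bidder key pair: secret x, public y = g^x."""
    x = rand_exp()
    return x, pow(G, x, P)

class RegistrationManager:
    def __init__(self, registered):
        self.registered = registered              # name -> y, known only to RM

    def prepare(self):
        self.r = rand_exp()                       # fresh per auction (assumption)
        self.table = {pow(y, self.r, P): name
                      for name, y in self.registered.items()}
        blinded = list(self.table)
        secrets.SystemRandom().shuffle(blinded)   # hide the registration order
        return pow(G, self.r, P), blinded         # g^r and the shuffled y_i^r

    def identify(self, y_r):
        return self.table[y_r]                    # only RM maps y_i^r to a bidder

class AuctionManager:
    def prepare(self, g_r, blinded):
        self.s = rand_exp()                       # fresh per auction (assumption)
        self.board = {pow(y_r, self.s, P): y_r for y_r in blinded}  # T_i -> y_i^r
        return pow(g_r, self.s, P), set(self.board)   # published: g^{rs}, all T_i

    def unblind_winner(self, t):
        return self.board[t]                      # AM gives RM y_i^r, never a name

def pseudonym(x, g_rs):
    """Bidder's own computation: T_i = (g^{rs})^{x_i}."""
    return pow(g_rs, x, P)

def run_preparation(rm, am):
    """Steps 2 and 3 of the diagram: RM blinds with r, AM blinds with s."""
    return am.prepare(*rm.prepare())
```

AM sees only y_i^r and T_i, RM never sees which T_i placed which bid, so naming the winner takes both unblind_winner and identify.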
First-price sealed-bid auction
- Desired properties
  - Secrecy of bidding price => open bids from highest possible price to the winning price, all the lower prices are kept secret
  - Verifiability => Use public key encryption systems or hash chain technique
  - Undeniability => The bidder needs to sign for his bid
  - Anonymity => Bidders register to a registration center and get their keys for signature scheme

First-price sealed-bid auction
- Undeniable signature scheme
  - Signing algorithm
  - Verification protocol: a signature can only be verified with the help of the signer => Avoid replay attack
  - Disavowal protocol: allows the signer to prove whether a given signature is a forgery => The signer cannot deny his valid signature

First-price sealed-bid auction
[Protocol diagram, from Sakurai and Miyazaki. A bulletin-board based digital auction scheme with bidding down strategy. In Proc. International Workshop on Cryptographic Techniques and E-Commerce, 1999]
- Participants: Bidder 1 (b1), Bidder 2 (b2), Bidder 3 (b3), Auctioneer
- Price list {1, 2, …, n}
- Undeniable signature of bidding price: Sig1(b1), Sig2(b2), Sig3(b3)
- Opening runs over j = n, j = n - 1, ..., j
- Disavowal: "My sig was not a valid signature of j"
- "My sig was the valid signature of j" => Winning bid j, winning bidder: Bidder 2

First-price sealed-bid auction
- Drawbacks of the protocol
  - All bidders have to communicate with the auctioneer in opening phase => Protocol 2

First-price sealed-bid auction
[Protocol diagram, from Sako. Universally verifiable auction protocol which hides losing bids. In Proc. of SCIS'99, pages 35-39]
- Participants: Bidder 1 (b1), Bidder 2 (b2), Bidder 3 (b3), Auctioneer
- Price list {1, 2, …, n} with {(K_1; M_1), (K_2; M_2), …, (K_n; M_n)}
- Bids: EK_b1(M_b1), EK_b2(M_b2), EK_b3(M_b3)
- Opening starts at j = n: check the equality EK_j(C_bi) = M_j ?
  - If such C_bi exists: winning bid is j, winning bidder is i
  - If there is no such C_bi: j = j – 1, repeat above step

First-price sealed-bid auction
- Advantage
  - Bidders need not communicate with the auctioneer in opening phase
- Disadvantage
  - Malicious auctioneer can reveal all bidding prices => Use plural auctioneers and distributed decryption technique

First-price sealed-bid auction
- Problems with sealed-bid auction methods using public key cryptosystems
  - Computationally expensive
  - Require a lot of communication
  - Limit the number of bidders and the range of bidding prices

First-price sealed-bid auction
[Protocol diagram, from K. Suzuki, K. Kobayashi, and H. Morita. Efficient sealed-bid auction using hash chain. Proceedings of the Third International Conference on Information Security and Cryptology, Vol. 2015 of Lecture Notes in Computer Science, pages 183–191, 2000. Springer-Verlag. ISBN 3-540-41782-6]
- Bidder 1: P1, secret seeds (S11, S21, ..., Sa1)
- Bidder 2: P2, secret seeds (S12, S22, …, Sa2)
- Bidder 3: P3, secret seeds (S13, S23, …, Sa3)
- Auctioneer 1 (S11, S12, S13), ..., Auctioneer a (Sa1, Sa2, Sa3)
- Bidi = {bi, c1i, c2i, …, cai}
  - bi = h(h^Pi(S1i) | h^Pi(S2i) | … | h^Pi(Sai))
  - cji = h^{n+1}(Sji)
- Bids submitted: (Bid1, Sig1(Bid1)), (Bid2, Sig2(Bid2)), (Bid3, Sig3(Bid3))
- Publishes (Bid_i, Sigi(Bid_i))
- Opening starts at k = n:
  - Publishes h^k(Sij)
  - Check hash chain for all bidders
  - bi = h(h^k(S1i) | h^k(S2i) | … | h^k(Sai)) ???
  - k = k - 1

First-price sealed-bid auction
- Secrecy of bidding price
  - Bids are opened from the highest price to the winning price
  - Hash chain is distributed to plural auctioneers => losing bid prices are kept secret (besides the case all auctioneers collude)
- Verifiability
  - Anyone can verify the correctness of the hash chains which are already published
- Undeniability
  - The signer has to sign for his bid
- Anonymity
  - Each bidder can use his public key of signature to bid anonymously
- Efficiency

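The hash-chain opening described on the two slides above, as an added Python example that is not part of the original slides or of the cited paper's code. It assumes SHA-256 for h, plain byte concatenation for "|", and omits the signatures on Bid_i; function names and the dictionary layout are hypothetical.

```python
import hashlib
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def h_iter(value: bytes, k: int) -> bytes:
    """h^k(value): apply h k times."""
    for _ in range(k):
        value = h(value)
    return value

def make_bid(price: int, n: int, a: int):
    """Bidder side: one secret seed per auctioneer, plus the public Bid_i."""
    seeds = [secrets.token_bytes(16) for _ in range(a)]
    b = h(b"".join(h_iter(s, price) for s in seeds))   # b_i binds the price P_i
    c = [h_iter(s, n + 1) for s in seeds]              # c_ji = h^{n+1}(S_ji)
    return seeds, {"b": b, "c": c}

def open_bids(bids: dict, seeds: dict, n: int):
    """Open from k = n downwards and stop at the first price matching a bid.

    seeds[i][j] is the seed bidder i gave to auctioneer j; each auctioneer
    only ever publishes h^k of it. Returns (winning price, winners, rounds).
    """
    last = {i: list(bid["c"]) for i, bid in bids.items()}  # last published links
    for rounds, k in enumerate(range(n, 0, -1), start=1):
        winners = []
        for i, bid in bids.items():
            published = [h_iter(s, k) for s in seeds[i]]   # auctioneers' step k
            # Public verifiability: each value must hash to the previous link.
            if [h(v) for v in published] != last[i]:
                raise ValueError(f"hash chain broken for {i} at k={k}")
            last[i] = published
            if h(b"".join(published)) == bid["b"]:
                winners.append(i)
        if winners:
            return k, winners, rounds
    return None, [], n
```

Opening stops at the winning price, so the chain values below it, which are what would match the losing b_i, are never published.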
Vickrey auction
- Vickrey auction scheme
  - The bidder who offers the highest bid price gets the good at the second-highest price
- Attractive theoretical properties
  - The dominant strategy for each bidder is to place a bid honestly according to her/his own true value
- Rarely used in practice
  - Auctioneer may change the outcome of auctions
  - Auctioneer may reveal bidders' private information

Vickrey auction scheme
- Homomorphic encryption scheme: EK(m1; r1) . EK(m2; r2) = EK(m1+m2; r1+r2)
- Range proof: integer commitment scheme, plus range checking: PK(c=EK(,) [L,H])

Vickrey auction scheme
- Notations
  - S: seller
  - A: auction authority
  - B: maximum number of bidders
  - V: maximum number of different bids
  - (X1, …, XB): vector of bids in a nonincreasing order
  - In public-key cryptosystem (G,E,D), c = EK(m; r) denotes the encryption of m by using a random coin r under the key K.
  - H: hash function

Vickrey auction
[Protocol diagram, from Helger Lipmaa, N. Asokan, Valtteri Niemi. Secure Vickrey Auctions without threshold trust. Technical Report 2001/095, International Association for Cryptologic Research, November 2001]
- Participants: Bidder 1 (b1), Bidder 2 (b2), Bidder 3 (b3), Seller, Auctioneer (secret key: sk)
- Auctioneer's public key: pk
- Bids: Sig1(Epk(B^b1)), Sig2(Epk(B^b2)), Sig3(Epk(B^b3))
- E = ∏i Epk(B^bi)
- Decrypt E, learn bid statistic
- X2
- "My bid was higher than X2"

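How the product E = ∏i Epk(B^bi) turns into a bid statistic and X2, as an added Python example that is not part of the original slides or of the cited report's code. Paillier stands in for the unspecified homomorphic scheme (its random coins multiply rather than add), the key is a toy one, and signatures and range proofs are omitted; function names are hypothetical.

```python
import math
import secrets

# Toy Paillier key from two Mersenne primes (constructed, far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # secret key sk
MU = pow(LAM, -1, N)

def encrypt(m: int) -> int:
    r = secrets.randbelow(N - 1) + 1                 # random coin
    return pow(1 + N, m, N2) * pow(r, N, N2) % N2

def decrypt(c: int) -> int:
    return (pow(c, LAM, N2) - 1) // N * MU % N

def encode_bid(price: int, B: int) -> int:
    """Bidder i submits E_pk(B^{b_i})."""
    return encrypt(B ** price)

def aggregate(ciphertexts) -> int:
    """E = prod_i E_pk(B^{b_i}), which decrypts to sum_i B^{b_i}."""
    e = 1
    for c in ciphertexts:
        e = e * c % N2
    return e

def bid_statistics(total: int, B: int, V: int) -> list:
    """Base-B digits of the decrypted sum: counts[j] = number of bids at price j.
    Assumes fewer than B bids at any single price, so no digit carries."""
    counts = []
    for _ in range(V + 1):
        total, digit = divmod(total, B)
        counts.append(digit)
    return counts

def second_highest(counts: list):
    """X2: walk down from the top price until two bids have been seen."""
    seen = 0
    for price in range(len(counts) - 1, -1, -1):
        seen += counts[price]
        if seen >= 2:
            return price
    return None
```

The party holding sk sees only the aggregated histogram of prices, not which bidder placed which bid.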
Practical e-Auction systems
- eBay and Amazon Auction use Vickrey model with a proxy bidder facility
  - The bidder tells the proxy a maximum price that s/he is willing to pay
  - The proxy keeps this information secret and bids on the bidder's behalf in the ascending auction.
  - The highest bidder wins and pays an amount equal to the second highest bid (plus one increment).
  - eBay: fixed ending time. Amazon: auctions end when there have been no new bids for ten minutes.

Conclusion
- Three kinds of auction schemes are surveyed
  - English auction scheme
  - First-price sealed-bid auction scheme
  - Second-price sealed-bid auction scheme
- Desired properties
  - Bidder privacy
  - Correctness of system
  - Efficiency