Survey on e-Auction

Survey on e-Auction

Presenter Nguyen Hoang Anh

NordSecMob

2

Outline

Introduction to e-Auction What is auction? Desired properties for an e-Auction scheme Basic e-Auction protocol

e-Auction scheme English auction First-price sealed bid auction Second-price sealed bid auction (Vickrey auction)

Conclusion

3

Introduction to e-Auction

An auction is a method of trading goods that do not have a fixed price

Auction is based on competition and reflects the essential of market The sellers wish to sell their goods as high as

possible, the buyers want to pay as little as necessary

Roles: Bidder (buyer) – Seller – Auctioneer (trusted third party)

4

Introduction to e-Auction

Types of auctions: English auction Dutch auction Sealed-bid auction: First-price, Second-price, (M+1)st-

price

5

Desired properties

Non-repudiation No framing Traceability Public verifiability Unlinkability Robustness Efficiency of bidding

6

Desired properties

Fairness All bids should be dealt with in a fair way, e.g., no

information about bidding will be disclosed to give any bidder unfair advantage

Bidder privacy No bidder’s identity or trading history will be revealed even

after the auction session. The secrecy of losing bids should be kept.

Correctness of system The winning bid is the highest among bids were placed.

The winner is the person who made that bid

7

Basic auction protocol Initialization

Auctioneer sets the system parameters and publishes them Bidder registration

A bidder sends the Auctioneer her/his public key to register Auction preparation

The Auctioneer computes the preparation data for each auction. A bidder may download her/his information for bidding

Bidding A bidder computes her/his bid information and places her/his bid

Opening a winning bid The Auctioneer computes only a winning bid while keeping the other

bids secret (not needed in public auction) Winner decision

The Auctioneer identifies only a winner while keeping loser’s anonymity

8

English auction scheme

Proof of knowledge PK(y = P()) is the proof of knowledge between

two parties given the publicly known value y, the Prover knows the

value of such that the predicate P() is true.

Signature based on a Proof of Knowledge (SPK) SPK[(): y = g] (m)

9

English auction scheme 2 Bulletin Board System (BBS)

Bulletin board is a place where people can leave public messages, e.g., to advertise things, announce events, or provide information

Can be read by anybody, but can be written only by an authority=> Help reduce communication complexity

2 separate roles AM: Auction Manager

Prepare for auctions Carry out several auctions Manage the current bid value

RM: Registration Manager Manager the participants of auctions Prepare for auctions Identifies a certain bidder at the request of AM

10


Alice(y1, x1, m1)

y1 = gx1

1. Registration (y1, V11)

V11 = SPK[(): y1 = g] (mR)

Alice : y1Bob : y2Carol : y3

:

Public keys gr

y3r

y1r

y2r

:

2. Preparationgrs

1. T2 = y2rs

2. T3 = y3rs

3. T1 = y1rs

:

3. grs

4. T1 = (grs)x1

5. Bidding (3, m1, V21)V21 = SPK[(): T1 = (grs)] (mR)

Current bid value

6. Winner decision

V31

V31=SPK[():T1 = (y1r)] (mR)

Kazumasa OMOTE. A study on Electronic Auctions, 2002

6. Winner decision

V31

V31=SPK[():T1 = (y1r)] (mR)

11


Properties Linkability in an auction (same Ti in one auction) Unlinkability among different auctions (different

Ti-s for different auctions) No single authority can break anonymity and

secrecy of bids

12

First-price sealed-bid auction

Desired properties Secrecy of bidding price

=> open bids from highest possible price to the winning price, all the lower prices are kept secret

Verifiability=> Use public key encryption systems or hash chain technique

Undeniability=> The bidder needs to sign for his bid

Anonymity=> Bidders register to a registration center and get their keys for

signature scheme

13


Undeniable signature scheme Signing algorithm Verification protocol

a signature can only be verified with the help of the signer => Avoid replay attack

Disavowal protocol allows the signer to prove whether a given signature is a

forgery

=> The signer cannot deny his valid signature

14


Bidder 1: b1

Bidder 2: b2

Bidder 3: b3

Auctioneer

Price list {1, 2,…, n}

Sig1(b1)

Sig2(b2)

Sig3(b3)j = n

j = n - 1

j

Disavowal

My sig was not a valid signature of

j


j


j

My sig was the valid signature of j

Winning bid j Winning bidder Bidder 2

Sakurai and Miyazaki. A bulletin-board based digital auction scheme with bidding down strategy. In Proc. International Workshop on Cryptographic Techniques and E-Commerce, 1999

Undeniable signature of bidding priceSig1(b1)

Sig2(b2)

Sig3(b3)

15


Sakurai and Miyazaki. A bulletin-board based digital auction scheme with bidding down strategy. In Proc. International Workshop on Cryptographic Techniques and E-Commerce, 1999

16


Drawbacks of the protocol All bidders have to communicate with the

auctioneer in opening phase=> Protocol 2

17


Bidder 1: b1

Bidder 2: b2

Bidder 3: b3

Auctioneer

Price list {1, 2,…, n}

{(K_1; M_1), (K_2; M_2)…, (K_n; M_n)}

Sako. Universally verifiable auction protocol which hides losing bids. In Proc Of SCIS’99, pages 35-39

EK_b1(M_b1)

EK_b2(M_b2)

EK_b3(M_b3)

j = n

Check the equality EK_j(C_bi) = M_j ?

- If such C_bi exists: winning bid is j, winning bidder is i

- If there is no such C_bi: j = j – 1, repeat above step

18


Sako. Universally verifiable auction protocol which hides losing bids. In Proc Of SCIS’99, pages 35-39

19


Advantage Bidders need not to communicate with the

auctioneer in opening phase Disadvantage

Malicious auctioneer can reveal all bidding prices

=> Use plural auctioneers and distributed decryption technique

20


Problems with sealed-bid auction methods using public key cryptosystems Computationally expensive Require a lot of communication Limit the number of bidders and the range of

bidding prices

21


Bidder 1: P1Secret seeds:(S11, S21,...,Sa1)

Bidder 2: P2Secret seeds:(S21, S22,…,Sa2)

Bidder 3: P3Secret seeds:(S13, S23,…,Sa3)

Auctioneer 1

Auctioneer a

Bidi = {bi, c1i, c2i, …, cai}bi = h(hPi(S1i)|hPi(S2i) | … | hPi(Sai))cji = hn+1(Sji)

(Bid1, Sig1(Bid1))

(Bid2, Sig2(Bid2))

(Bid

3, S

ig3(

Bid3)

)

Publishes (Bid_i,Sigi(Bid_i)

S11

S12

S13

Sa2

Sa1

Sa3

hk (S

ai)

k = n

Check hash chain for all bidders

k = k - 1

Publishes hk(Sij)

K. Suzuki, K. Kobayashi, and H. Morita. Efficient sealed-bid auction using hash chain. Proceedings of the Third International Conference on Information Security and Cryptology, Vol. 2015 of Lecture Notes In

Computer Science, pages 183 – 191, 2000. Springer-Verlag. ISBN 3-540-41782-6

bi = h(hk(S1i)|hk(S2i)|…|hk(Sai)) ???

22

First-price sealed-bid auction Secrecy of bidding price

Bids are opened from the highest price to the winning price Hash chain is distributed to plural auctioneers => losing bid

prices are kept secret (besides the case all auctioneers collude)

Verifiability Anyone can verify the correctness of the hash chains which

are already published Undeniability

The signer has to sign for his bid Anonymity

Each bidder can use his public key of signature to bid anonymously

Efficiency

23

Vickrey auction

Vickrey auction scheme The bidder who offers the highest bid price gets

the good at the second-highest price Attractive theoretical properties

The dominant strategy for each bidder is to place a bid honestly according to her/his own true value

Rarely used in practice Auctioneer may change the outcome of auctions Auctioneer may reveal bidders’ private information

24

Vickrey auction scheme

Homomorphic encryption scheme EK(m1; r1) . EK(m2; r2) = EK (m1+m2; r1+r2)

Range proof: integer commitment scheme, plus range checking PK(c=EK(,) [L,H])

25

Vickrey auction scheme

Notations S: seller A: auction authority B: maximum number of bidders V: maximum number of different bids (X1, …, XB): vector of bids in a nonincreasing

order In public-key cryptosystem (G,E,D), c = EK(m; r)

denote the encryption of m by using a random coin r under they key K.

H: hash function

26

Vickrey auction

Bidder 1: b1

Bidder 2: b2

Bidder 3: b3

Auctioneer

Secret key: sk

Seller

Auctioneer’s public key: pk

Sig2(Epk(Bb2))

Sig1(Epk(Bb1))

Sig3(Epk(Bb3))

E=∏i Epk(Bbi)

Decrypt E

Learn bid statistic

X2

X2

X2

X2

My bid was higher than X2

Helger Lipmaa, N. Asokan, Valtteri Niemi. Secure Vickrey Auctions without threshold trust. Technical Report 2001/095, International Association for Cryptologic Research, November 2001

27

Practical e-Auction systems

eBay and Amazon Auction use Vickrey model with a proxy bidder facility The bidder tells the proxy a maximum price that

s/he is willing to pay The proxy keeps this information secret and bids

on the bidder’s behalf in the ascending auction. The highest bidder wins, pays at amount equal to

the second highest bidder (plus one increment). Ebay: fixed ending time. Amazon: auctions end

when there have been no new bids for ten minutes.

28

Conclusion

Three kinds of auction schemes are surveyed English auction scheme First-price sealed-bid auction scheme Second-price sealed-bid auction scheme

Desired properties Bidder privacy Correctness of system Efficiency

Survey on e-Auction

Documents

auction managerprepare

auction session

eauctionan auction

winning price

highest possible price

certain bidder

auctioneer herhis public

herhis information