
The scheme by Lee et al

2. Related Work

2.2 The scheme by Lee et al

Lee et al. [5] addressed a security problem in Omote and Miyaji's scheme [6], namely that the identity of the winner cannot be published, and proposed the essential requirements of a public auction. The scheme of Lee et al. is as follows:

【Entity】

Registration Manager (RM): in charge of the registration process; keeps a secret database holding each bidder's identity information and the corresponding secret parameter. After the winner decision procedure, RM and AM together post the winning bidder's information on the winner announcement bulletin board.

Auction Manager (AM): responsible for managing and hosting the auction. After the winner decision procedure, RM and AM together post the winning bidder's information on the winner announcement bulletin board.

Bidder (B): a participant in an auction that AM holds.

【Notation】

$p$, $q$ : two large primes, satisfying $q \mid p-1$;

$g$ : an element $g \in Z_p$ with order $q$;

$B_i$ : bidder $i$;

$x_i$ : the secret key of $B_i$ ($x_i \in Z_q$);

$y_i$ : the public key of $B_i$ ($y_i = g^{x_i} \pmod{p}$);

$t_i$ : a random number of $B_i$ ($t_i \in \{0,1\}^*$);

$RK_{i,k}$ : a round key for $B_i$ in the $k$-th round of auction;

$T_i$ : a ticket identifier for $B_i$;

$k$ : the index of auctions ($k \geq 1$);

$X_{AM}$ : AM's secret key ($X_{AM} \in Z_q$);

$Y_{AM}$ : AM's public key ($Y_{AM} = g^{X_{AM}} \bmod p$, $p \in Z_q$);

$h(x)$ : a one-way hash function, satisfying $h^k(x) = h(x, h^{k-1}(x))$.

The operation of the scheme includes six stages: (1) Initialization, (2) Bidder Registration, (3) Round key Setup, (4) Auction Ticket Preparation, (5) Bidding, and (6) Winner Announcement. The different stages are as described below:

【Initialization】

RM and AM cooperatively set up the system parameters in this stage.

RM executes the following procedure:

Step 1: Set up two read-only bulletin boards, and post the identities and public keys of all bidders on the registration bulletin board and the round keys of all bidders on the round key bulletin board. RM is the only one who can write and update these bulletin boards.

Step 2: Publish $p$, $q$, $g$ and $h(x)$ on his bulletin boards.

Step 3: Together with AM, set up a read-only winning bidder bulletin board and post the winning bidder's information, which is used to verify one's identity. Only RM and AM have the authority to write and update this bulletin board.

AM executes the following procedure:

Step 1: Set up a read-only auction ticket bulletin board, which provides the auction verification information of all bidders. AM is the only one who can write and update this bulletin board.

Step 2: Randomly select an integer $X_{AM} \in Z_q$ as the private key and use it to calculate the corresponding public key $Y_{AM}$ as follows:

$Y_{AM} = g^{X_{AM}} \bmod p$, where $p \in Z_q$

Step 3: Publish $Y_{AM}$.

Step 4: Together with RM, set up a read-only winning bidder bulletin board and post the winning bidder's information, which is used to verify one's identity. Only RM and AM have the authority to write and update this bulletin board.

【Bidder Registration】

When a new bidder $B_i$ joins the auction, he/she must complete the following steps to request registration from RM:

Step 1: Select a private key $x_i \in Z_q$ and calculate its corresponding registration key $y_i$ as follows:

$y_i = g^{x_i} \bmod p$

Step 2: Select a random number $t_i \in \{0,1\}^*$ and keep it secret.

Step 3: Send $\{B_i, y_i, t_i\}$ to RM secretly and prove his/her knowledge of the private key $x_i$ in zero-knowledge.

Step 4: If RM accepts $B_i$'s registration, RM publishes $\{B_i, y_i\}$ on his registration bulletin board and keeps $\{B_i, t_i\}$ secretly in his secure database.

【Round key Setup】

RM calculates the $n$ round keys $RK_{i,k}$ for all $n$ bidders using $y_i$ and $t_i$ in the $k$-th round of auction as follows:

$RK_{i,k} = y_i^{h^k(t_i)} \bmod p$

Then RM shuffles them and publishes them on his round key bulletin board. Nobody except RM and $B_i$ knows the correspondence between $y_i$ and $RK_{i,k}$.

【Auction Ticket Preparation】

AM gets the list of all the round keys $RK_{i,k}$ of the valid bidders $B_i$ ($i = 1, 2, \ldots, I$) from RM's round key bulletin board. Then AM executes the following steps to complete the setup of the auction:

Step 1: Select the random numbers $r_i \in Z_q$ ($\{r_1, r_2, \ldots, r_I\}$) for each bidder $B_i$ ($i = 1, 2, \ldots, I$).

Step 2: Calculate the auction keys $\{(RK_{i,k})^{r_i}, g^{r_i}\}$ for each bidder $B_i$ ($i = 1, 2, \ldots, I$).

Step 3: Calculate the ticket identifier $T_i$ for each bidder $B_i$ ($i = 1, 2, \ldots, I$) as follows:

$T_i = h\left((RK_{i,k})^{X_{AM}} \bmod p\right)$

$\{T_i, (RK_{i,k})^{r_i}, g^{r_i}\}$ is the auction ticket with which AM grants $B_i$ authorization to participate in the $k$-th round of auction.

Step 4: Shuffle and publish the auction tickets $\{T_i, (RK_{i,k})^{r_i}, g^{r_i}\}$ on the auction ticket bulletin board.

Step 5: Keep $\{T_i, r_i\}$ secretly in his database.

【Bidding】

To participate in the k-th round of auction, Bi must complete the following steps:

Step 1: Calculate the round key of the $k$-th round $RK_{i,k}$ as follows:

$RK_{i,k} = y_i^{h^k(t_i)} \bmod p$

Then verify that the round key matches the one posted on RM's round key bulletin board. If the round key is not listed, he/she can complain to RM.

Step 2: Calculate the ticket identifier $T_i$ as follows:

$T_i = h\left(Y_{AM}^{x_i h^k(t_i)}\right)$

$T_i$ must be verified to match the information posted on AM's auction ticket bulletin board. If $B_i$'s ticket identifier is listed on the auction ticket bulletin board, he/she can get the auction ticket $\{T_i, (RK_{i,k})^{r_i}, g^{r_i}\}$ granted by AM. Otherwise, $B_i$ can

(auction ID bid value mi

【Winner Announcement】

Assume that the bid $m_i$ of bidder $B_i$ is the highest bid at the end of the bidding stage. AM and RM jointly publish the winner's related information on the winner announcement bulletin board so that others can verify the winner's identity. The steps are as follows:

Step 1: AM announces the winner's bid information $\{T_i, m_i, V_i\}$ on the winner announcement bulletin board.

Step 2: AM posts $\{T_i, r_i, RK_{i,k}\}$ on the winner announcement bulletin board, which allows anyone to confirm the correlation between $RK_{i,k}$ and $(RK_{i,k})^{r_i}$.

Step 3: RM posts $\{RK_{i,k}, h^k(t_i), y_i\}$ on the winner announcement bulletin board, which allows anyone to confirm the correspondence between $RK_{i,k} = y_i^{h^k(t_i)} \bmod p$ and $y_i$. It shows that $B_i$ is the winner.

Step 4: Anyone can verify that $B_i$ is the winner using the published values $r_i$ and $h^k(t_i)$.

Lee et al.'s scheme solves the security concern of Omote and Miyaji's scheme that the winner's identity cannot be published. However, if n bidders participate in the auction, AM must not only publish 3n items of information on the auction ticket bulletin board, but also select a random secret number for each bidder and perform modular exponentiations with it, which increases the amount of computation.
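The round key, auction ticket and winner verification relations above, run end to end for one bidder as an added example (not code from Lee et al. or from the original text). Assumptions: the toy group p = 2039, q = 1019, g = 4 is constructed and far too small for real use, h is SHA-256 mapped into [1, q-1], and h^1(t) = h(t) is taken as the base case of the hash chain; all function names are hypothetical.

```python
import hashlib, secrets

# Toy group (constructed, insecure size): q | p-1 and g has order q.
p, q, g = 2039, 1019, 4

def H(*parts):
    """One-way hash h(.), mapped into [1, q-1] (this mapping is an assumption)."""
    d = hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest()
    return 1 + int.from_bytes(d, "big") % (q - 1)

def h_k(t, k):
    """h^k(t) = h(t, h^{k-1}(t)); h^1(t) = h(t) is the assumed base case."""
    v = H(t)
    for _ in range(k - 1):
        v = H(t, v)
    return v

def keygen():
    x = secrets.randbelow(q - 1) + 1          # secret key in [1, q-1]
    return x, pow(g, x, p)                    # public key g^x mod p

def round_key(y_i, t_i, k):
    """RM (and the bidder): RK_{i,k} = y_i^{h^k(t_i)} mod p."""
    return pow(y_i, h_k(t_i, k), p)

def am_ticket(rk, x_am):
    """AM: publishes {T_i, RK^{r_i}, g^{r_i}} and keeps r_i secret."""
    r = secrets.randbelow(q - 1) + 1
    return (H(pow(rk, x_am, p)), pow(rk, r, p), pow(g, r, p)), r

def bidder_ticket_id(y_am, x_i, t_i, k):
    """Bidder: T_i = h(Y_AM^{x_i h^k(t_i)}), computed without knowing X_AM."""
    return H(pow(y_am, x_i * h_k(t_i, k) % q, p))

def verify_winner(ticket, r_i, rk, hk_ti, y_i):
    """Anyone: check the values AM and RM post for the winner."""
    _, rk_r, g_r = ticket
    return (pow(rk, r_i, p) == rk_r and pow(g, r_i, p) == g_r
            and pow(y_i, hk_ti, p) == rk)

def demo(k=2):
    x_am, y_am = keygen()
    x_i, y_i = keygen()
    t_i = "constructed-secret-t"              # constructed sample value
    rk = round_key(y_i, t_i, k)
    ticket, r_i = am_ticket(rk, x_am)
    same_T = bidder_ticket_id(y_am, x_i, t_i, k) == ticket[0]
    ok = verify_winner(ticket, r_i, rk, h_k(t_i, k), y_i)
    bad = verify_winner(ticket, r_i % (q - 1) + 1, rk, h_k(t_i, k), y_i)
    return same_T, ok, bad                    # bad uses a wrong r_i
```

Each call to am_ticket produces the three published values and costs AM three modular exponentiations, which is the per-bidder overhead the closing paragraph refers to.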
