
Chapter 1 Introduction

1.3 Thesis organization

The remainder of this thesis is organized as follows. In Chapter 2, we briefly introduce the related theories and schemes. In Chapter 3, we propose a sealed-bid auction with publicly verifiable bid validity and analyze its properties. Finally, in Chapter 4, we conclude the thesis and indicate some directions for future work.

Chapter 2 Preliminaries

In this chapter, we introduce the theories and schemes on which our scheme is built. Section 2.1 introduces interactive zero-knowledge proof systems of knowledge. Section 2.2 gives the basic idea of a signature of knowledge. Section 2.3 introduces the definition of verifiable encryption of a signature of knowledge. Section 2.4 states what a 1-out-of-P re-encryption proof of encryption keys is and how it differs from the ordinary 1-out-of-P re-encryption proof. Section 2.5 surveys other auction schemes.

2.1 Interactive Zero-Knowledge Proof System of Knowledge

An interactive proof system $\langle P, V\rangle$ consists of two Turing machines P and V, called the "Prover" and the "Verifier", respectively.

A typical interactive proof system has three rounds (commit-challenge-response).

P first commits to a value. V then challenges one of two things: either that the commitment has the right form or that P knows the witness. P then responds to the challenge while revealing no information about the witness; the real witness is masked by the random value committed to in the first step.

Consider the problem in which the prover wants to prove that he knows the discrete logarithm $x = \log_g y \bmod p$ of $(p, q, g, y)$, where $p = 2q + 1$, p and q are primes, $g \in G_q \setminus \{1\}$, and $y \in G_q$. We want to show that P really knows the value x. We call this type of proof a "proof of knowledge".

In the setting of a proof of knowledge, we require that the prover P be a polynomial-time probabilistic Turing machine (PTM) with a private input (the witness).

We consider a binary predicate Q such that for an input instance x of the right form there is a corresponding secret ρ with Q(x, ρ) = 1. A proof system of knowledge for Q shows that the prover P knows a witness ρ for the input instance x. We write $\langle P(\rho), V\rangle(x)$ for the interactive proof system of P and V in which x is the public common input and ρ is P's private input. If $\langle P(\rho), V\rangle(x) = 1$, the verifier V accepts that the prover P really knows the witness; otherwise, the verifier rejects.

Moreover, if we want to show that the interactive proof system of knowledge is zero-knowledge, we require that the interaction of the prover and the verifier can be simulated.

Definition 2.1 (Interactive Zero-Knowledge Proof System of Knowledge)

Let P and V both be polynomial-time PTMs. An interactive zero-knowledge proof system of knowledge $\langle P, V\rangle$ for the binary predicate Q satisfies the following three conditions:

1. Completeness

For all x and all ρ with Q(x, ρ) = 1, $\Pr[\langle P(\rho), V\rangle(x) = 1] = 1$.

2. Soundness

There is a probabilistic (expected) polynomial-time knowledge extractor E such that for all x ∈ Dom(Q) and all P*,

$\Pr[\langle P^*(\rho^*), V\rangle(x) = 1] \ge \frac{1}{p(|x|)} \;\Rightarrow\; \Pr[E(P^*, V, x) = \rho,\ Q(x, \rho) = 1] \ge 1 - \varepsilon(|x|),$

where Dom(Q) denotes the domain of Q, p(⋅) is a polynomial, and ε(⋅) is negligible.

3. Zero-knowledge

For each verifier V*, there is a simulator $M_{V^*}$ such that the following two distributions are polynomially indistinguishable:

$\{\langle P(\rho), V^*\rangle(x)\}_{x \in \mathrm{Dom}(Q),\ Q(x,\rho)=1}$ and $\{M_{V^*}(x)\}_{x \in \mathrm{Dom}(Q)}$.

Notice that Definition 2.1 says "for each verifier V*, there is a simulator", while in practice one usually uses the stronger statement "there is a universal simulator M* for every verifier".

More concretely, the (universal) simulator simulates the "view" of the verifier V* interacting with P on common public input x, where P's private input is ρ. Here "view" means the transcript (the messages) exchanged by P and V*.

Combining the universal simulator and the view concept, we obtain an alternative definition of zero-knowledge.

Definition 2.2 (Zero-Knowledge based on view and universal simulator)

An interactive proof system of knowledge $\langle P(\rho), V\rangle(x)$ is (computational) zero-knowledge if there is a universal simulator M* such that for every possible verifier V*, the following two distributions are polynomially indistinguishable, where M* runs in expected polynomial time depending on the running time of V*:

$\{\mathrm{View}(P(\rho), V^*, x)\}_{x \in \mathrm{Dom}(Q),\ Q(x,\rho)=1}$ and $\{M^*(V^*, x)\}_{x \in \mathrm{Dom}(Q)}$.

Furthermore, if the real transcript $\mathrm{View}(P(\rho), V^*, x)$ and the simulated one $M^*(V^*, x)$ are identically distributed, the system is called a perfect zero-knowledge interactive proof system of knowledge.

From the above, to show that an interactive proof system of knowledge is zero-knowledge, we have to ensure that the distribution of the simulated transcript and that of the real transcript are polynomially indistinguishable.

For simplicity, we allow the simulator M* to output ⊥, denoting a failed simulation run. This gives another alternative definition of zero-knowledge.

Definition 2.3 (Zero-Knowledge with failure)

An interactive proof system of knowledge $\langle P(\rho), V\rangle(x)$ is (computational) zero-knowledge if for every possible verifier V*, the following two distributions are polynomially indistinguishable:

$\{\mathrm{View}(P(\rho), V^*, x)\}_{x \in \mathrm{Dom}(Q),\ Q(x,\rho)=1}$ and $\{m^*(V^*, x)\}_{x \in \mathrm{Dom}(Q)}$,

where $m^*(V^*, x)$ is the random variable $M^*(V^*, x)$ conditioned on $M^*(V^*, x) \ne \bot$, that is, for all z,

$\Pr[m^*(V^*, x) = z] = \Pr[M^*(V^*, x) = z \mid M^*(V^*, x) \ne \bot],$

and $\Pr[M^*(V^*, x) \ne \bot]$ is non-negligible.

In the following, we give the basic idea of a non-interactive proof system.

In a non-interactive proof system, the prover P produces a single string that exhibits all the properties of an interactive proof system without interacting with the verifier. Hence, we need a random source to replace the verifier's role in the interactive system. The practical choice is to use a secure (collision-resistant) hash function H in place of the verifier: the challenge is computed as the hash of the commitment (and the public inputs), so the prover cannot choose the commitment after seeing the challenge.

2.2 Signature of Knowledge

A signature of knowledge is a non-interactive zero-knowledge proof of knowledge that additionally depends on a message m.

For example, let the system's public parameters be a large prime p with p = 2q + 1, where q is also a large prime, a generator g of $G_q$, and a secure (collision-resistant) hash function $H(\cdot): \{0,1\}^* \to \mathbb{Z}_q$. A user, say Bob, has secret key x and public key $y = g^x \bmod p$. If Bob wants to sign a message m, the pair (c, w) satisfying

$c = H(m, p, g, y, g^r \bmod p)$ and $w = r - cx \bmod q$, where $r \in_R \mathbb{Z}_q$,

is a signature of knowledge of $x = \log_g y \bmod p$ on message m. (Reducing w modulo q is essential: since g has order q the verification below is unaffected, and an unreduced r − cx would leak information about x.) The verifier computes

$c' = H(m, p, g, y, g^w y^c \bmod p)$

and accepts the signature on m if c = c'. This works because

$g^w y^c \bmod p = g^{r - cx} g^{xc} \bmod p = g^r \bmod p.$

Alternatively, the pair (a, w) with $a = g^r \bmod p$ can also serve as Bob's signature of knowledge of $x = \log_g y \bmod p$ on message m. The verifier first computes $c = H(m, p, g, y, a)$ and then checks whether $a = g^w y^c \bmod p$. This holds because

$g^w y^c \bmod p = g^{r - cx} g^{xc} \bmod p = g^r \bmod p = a.$

Closer to our scheme, let the system's public parameters be a large prime p with p = 2q + 1, where q is a large prime, two generators g and h of $G_q$, and a collision-resistant hash function $H(\cdot): \{0,1\}^* \to \mathbb{Z}_q$. A user, say Bob, has a secret key consisting of the password π memorized in his mind and the corresponding partial secret α stored in his mobile device, and the public key $y = g^\alpha h^\pi \bmod p$. If Bob wants to sign a message m, he first computes

$a = g^{r_1} h^{r_2} \bmod p$, $c = H(m, p, g, h, y, a)$, $w_1 = r_1 - c\alpha \bmod q$, and $w_2 = r_2 - c\pi \bmod q$, where $r_1, r_2 \in_R \mathbb{Z}_q$,

and then publishes $(a, w_1, w_2)$ as his signature of knowledge of α and π such that $y = g^\alpha h^\pi \bmod p$ on message m.

The verifier checks the signature by first computing $c = H(m, p, g, h, y, a)$ and then verifying whether $a = g^{w_1} h^{w_2} y^c \bmod p$. This holds because

$g^{w_1} h^{w_2} y^c \bmod p = g^{r_1 - c\alpha} h^{r_2 - c\pi} (g^\alpha h^\pi)^c \bmod p = g^{r_1} h^{r_2} \bmod p = a.$
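The following Python program is an added worked example (written for this edit, not code from the thesis). It implements the three-round commit-challenge-response proof of Section 2.1 together with its zero-knowledge simulator, and the two-generator signature of knowledge just derived, where the hash replaces the verifier's challenge. Assumptions not fixed by the text: H is SHA-256 over a "|"-joined decimal encoding of its arguments reduced modulo q; the group is a freshly generated 60-bit safe prime (a toy size, a deployment would use 2048 bits or more); g and h are independently sampled squares; the message "auction-42 bid" is constructed.

```python
import hashlib
import random

def is_prime(n):
    """Deterministic Miller-Rabin; exact for n < 3.1e23 with these bases."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(bits=60, seed=2024):
    """Return (p, q, g, h): p = 2q+1 a safe prime, g and h generators of G_q.
    A 60-bit q is a toy size (assumption) chosen so the search runs quickly."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            break
    p = 2 * q + 1
    gens = []
    while len(gens) < 2:
        cand = pow(rng.randrange(2, p - 1), 2, p)  # squares lie in G_q, and any
        if cand != 1 and cand not in gens:        # non-identity element generates it
            gens.append(cand)
    return p, q, gens[0], gens[1]

def H(q, *parts):
    """H : {0,1}* -> Z_q.  Assumed encoding: SHA-256 of '|'-joined decimal strings."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def keygen(p, q, g, h, rng):
    """Bob's secret is (alpha, pi); his public key is y = g^alpha h^pi mod p."""
    alpha, pi = rng.randrange(1, q), rng.randrange(1, q)
    return (alpha, pi), pow(g, alpha, p) * pow(h, pi, p) % p

def commit(p, q, g, h, rng):
    """Round 1: P picks r1, r2 and sends a = g^r1 h^r2 mod p."""
    r1, r2 = rng.randrange(1, q), rng.randrange(1, q)
    return (r1, r2), pow(g, r1, p) * pow(h, r2, p) % p

def respond(q, secret, nonce, c):
    """Round 3: w1 = r1 - c*alpha and w2 = r2 - c*pi, both reduced mod q."""
    (alpha, pi), (r1, r2) = secret, nonce
    return (r1 - c * alpha) % q, (r2 - c * pi) % q

def check(p, q, g, h, y, a, c, w1, w2):
    """Verifier: a must lie in G_q and satisfy a == g^w1 h^w2 y^c mod p."""
    if not (0 < a < p and pow(a, q, p) == 1):
        return False
    return a == pow(g, w1, p) * pow(h, w2, p) * pow(y, c, p) % p

def interactive_proof(p, q, g, h, y, secret, rng):
    """One commit-challenge-response run with an honest verifier; returns its view."""
    nonce, a = commit(p, q, g, h, rng)
    c = rng.randrange(q)                    # round 2: the verifier's random challenge
    w1, w2 = respond(q, secret, nonce, c)
    return a, c, w1, w2

def simulate(p, q, g, h, y, rng):
    """Simulator M*: choose c, w1, w2 first and solve for a.  The view passes
    check() although no witness was used, which is what zero-knowledge means."""
    c, w1, w2 = rng.randrange(q), rng.randrange(q), rng.randrange(q)
    return pow(g, w1, p) * pow(h, w2, p) * pow(y, c, p) % p, c, w1, w2

def sign(p, q, g, h, y, secret, m, rng):
    """Signature of knowledge: the hash replaces the verifier, c = H(m,p,g,h,y,a)."""
    nonce, a = commit(p, q, g, h, rng)
    c = H(q, m, p, g, h, y, a)
    w1, w2 = respond(q, secret, nonce, c)
    return a, w1, w2

def verify(p, q, g, h, y, m, sig):
    a, w1, w2 = sig
    return check(p, q, g, h, y, a, H(q, m, p, g, h, y, a), w1, w2)

def demo(seed=7):
    """Returns (interactive view accepted, simulated view accepted,
    signature valid, signature rejected on a tampered message)."""
    p, q, g, h = setup()
    rng = random.Random(seed)
    secret, y = keygen(p, q, g, h, rng)
    m = "auction-42 bid"                    # constructed message
    sig = sign(p, q, g, h, y, secret, m, rng)
    return (check(p, q, g, h, y, *interactive_proof(p, q, g, h, y, secret, rng)),
            check(p, q, g, h, y, *simulate(p, q, g, h, y, rng)),
            verify(p, q, g, h, y, m, sig),
            not verify(p, q, g, h, y, m + " tampered", sig))
```

Calling `demo()` returns `(True, True, True, True)`. The point to take from `simulate` is that an accepting transcript is producible without (α, π), so the transcript alone proves nothing to a third party; the signature of knowledge binds the proof to m only through the hash, which is why `verify` recomputes c from the message.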

2.3 Verifiable Encryption of Signature of Knowledge

Verifiable encryption is an encryption scheme in which one can prove some property of data S that is given only in encrypted form. When the encryption scheme is secure, the encrypted data reveals no information about S.

A verifiable encryption scheme is a two-party protocol between a prover P and a verifier V. Their common inputs are a public key Y, a public value m, and a binary predicate Q. As a result of the protocol, V either rejects or is convinced that the encryption of some value S under Y satisfies (m, S) ∈ Q. For example, Q may be defined such that (m, S) ∈ Q if and only if S is a signature on message m with respect to some fixed public key. In other words, P convinces V that the encrypted data is a valid signature on m.

The protocol should ensure that V accepts an encryption of an invalid S with only negligible probability. Moreover, V should learn nothing except the fact that S is a valid signature on m.

The encryption key may belong to P, but typically belongs to a third party, and even then the third party need not take part in the protocol. In other words, P does not need to know the secret (decryption) key X corresponding to the public (encryption) key Y.

We adopt the definition of a secure verifiable encryption scheme for a relation from [5].

Definition 2.4 (Secure Verifiable Encryption)

Let Q be a binary predicate and let $L_Q = \{\, m \mid \exists S : (m, S) \in Q \,\}$. A secure verifiable encryption scheme for the binary predicate Q consists of a two-party protocol (P, V) and a recovery algorithm ℜ. Let G be the key generation algorithm, and let $V_P(Y, m, k)$ denote the output of V when interacting with P on input Y, m and k, where k is a security parameter. We require that the following three properties hold:

1. Completeness

For all $(Y, X) \in G(1^k)$ and all $m \in L_Q$, if P and V are honest then $V_P(Y, m, k) \ne \bot$.

2. Validity

For all provers P*, all $(Y, X) \in G(1^k)$, every polynomial p(⋅) and all sufficiently large k, we have

$\Pr[\, b := V_{P^*}(Y, m, k) : b \ne \bot \text{ and } (m, \Re(b, X)) \notin Q \,] < \frac{1}{p(k)}.$

3. Computational Zero-Knowledge

For every V* there exists an expected polynomial-time simulator $M_{V^*}$ with black-box access to V* such that for all distinguishers A, all polynomials p, all $m \in L_Q$, and all sufficiently large k, we have

$\Pr[\, (Y, X) := G(1^k);\ i \in_R \{0, 1\};\ b_0 := M_{V^*}(Y, m, k);\ b_1 := V^*_P(Y, m, k) : A(Y, m, b_i) = i \,] < \frac{1}{2} + \frac{1}{p(k)}.$

In our scheme, P wants to convince the verifier V that he really knows the signature of knowledge, while V cannot learn any information about P's secret.

Hence, we give a modified definition of secure verifiable encryption of a signature of knowledge, phrased as the interactive zero-knowledge proof system of knowledge introduced in Section 2.1.

Definition 2.5 (Secure Verifiable Encryption of Signature of Knowledge)

Let Q be the binary predicate such that for each instance $x = (Y, m, E_Y(S))$ of the right form there is a corresponding secret ρ with Q(x, ρ) = 1, where S is a valid signature on m and $E_Y(S)$ is the encryption of that signature on message m under some fixed public key Y. We require that the following three properties hold:

1. Completeness

For all x and all ρ with Q(x, ρ) = 1, $\Pr[\langle P(\rho), V\rangle(x) = 1] = 1$.

2. Validity

There is a probabilistic (expected) polynomial-time knowledge extractor E such that for all x ∈ Dom(Q) and all P*,

$\Pr[\langle P^*(\rho^*), V\rangle(x) = 1] \ge \frac{1}{p(|x|)} \;\Rightarrow\; \Pr[E(P^*, V, x) = \rho,\ Q(x, \rho) = 1] \ge 1 - \varepsilon(|x|),$

where Dom(Q) denotes the domain of Q, p(⋅) is a polynomial, and ε(⋅) is negligible.

3. Computational Zero-Knowledge

There is a universal simulator M* such that for every possible verifier V*, the following two distributions are polynomially indistinguishable:

$\{\mathrm{View}(P(\rho), V^*, x)\}_{x \in \mathrm{Dom}(Q),\ Q(x,\rho)=1}$ and $\{m^*(V^*, x)\}_{x \in \mathrm{Dom}(Q)}$,

where $m^*(V^*, x)$ is the random variable $M^*(V^*, x)$ conditioned on $M^*(V^*, x) \ne \bot$, that is, for all z,

$\Pr[m^*(V^*, x) = z] = \Pr[M^*(V^*, x) = z \mid M^*(V^*, x) \ne \bot],$

and $\Pr[M^*(V^*, x) \ne \bot]$ is non-negligible.

2.4 1-out-of-P Re-encryption Proof of Encryption Keys

In order to obtain a witness-indistinguishable protocol, we require an algorithm for random re-encryption of a bid, such as the one provided by the ElGamal encryption algorithm.

Generally speaking, the 1-out-of-P re-encryption proof defined in [11] is an efficient witness-indistinguishable protocol by which a prover holding an encrypted bid t, an encrypted list $t_1, \ldots, t_P$, and a witness that $t_j$ is a re-encryption of t for some j ∈ {1, …, P} proves that $t_j$ is indeed a re-encryption of t without revealing the index j.

In most electronic voting systems, the 1-out-of-P re-encryption proof is used over different messages. In this thesis, we use it over different encryption keys.

We show the general 1-out-of-P re-encryption proof and the 1-out-of-P re-encryption proof of encryption keys in non-interactive form in the following.

General 1-out-of-P re-encryption proof

3. The prover computes

( )

4. The verifier verifies the proof as follows

(1) compute d d q d dP q

1-out-of-P re-encryption proof of encryption keys

3. The prover computes

( ) ( )

4. The verifier verifies the proof as follows

(1) compute d d d dP q

2The basic idea is

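The following Python program is an added worked example (written for this edit, not code from the thesis). It implements the general 1-out-of-P re-encryption proof in non-interactive form, using the standard disjunctive Chaum-Pedersen construction with the Fiat-Shamir hash, over the ElGamal encryption $E_Y(W) = (g^r, W \cdot Y^r)$ that Chapter 3's notation uses. It does not implement the thesis's "of encryption keys" variant, whose steps are not given on this page. Assumptions: a toy safe prime p = 10007 (q = 5003, so challenges are only 12 bits; a deployment needs a 2048-bit group), generator g = 4, H as SHA-256 modulo q over a "|"-joined string encoding; the bid value, the unrelated ciphertexts and the list position are all constructed.

```python
import hashlib
import random

# Toy-size group (assumption, for illustration only): p = 2q + 1 with q prime.
# g = 4 is a square in Z_p^*, so it lies in G_q and generates it.
p, q, g = 10007, 5003, 4

def H(*parts):
    """H : {0,1}* -> Z_q; assumed encoding: SHA-256 over '|'-joined str() values."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def keygen(rng):
    """Return (decryption key X, encryption key Y = g^X mod p)."""
    X = rng.randrange(1, q)
    return X, pow(g, X, p)

def encrypt(Y, W, rng):
    """E_Y(W) = (G = g^r mod p, M = W * Y^r mod p); W must be an element of G_q."""
    r = rng.randrange(1, q)
    return pow(g, r, p), W * pow(Y, r, p) % p

def decrypt(X, ct):
    """D_X(G, M) = M / G^X mod p."""
    G, M = ct
    return M * pow(pow(G, X, p), -1, p) % p

def reencrypt(Y, ct, rng):
    """Multiply by a fresh encryption of 1; returns the new ciphertext and its randomness s."""
    G, M = ct
    s = rng.randrange(1, q)
    return (G * pow(g, s, p) % p, M * pow(Y, s, p) % p), s

def quotients(t, ts):
    """(G_i/G, M_i/M) for each list entry; a genuine re-encryption gives (g^s, Y^s)."""
    G, M = t
    Ginv, Minv = pow(G, -1, p), pow(M, -1, p)
    return [(Gi * Ginv % p, Mi * Minv % p) for Gi, Mi in ts]

def prove(Y, t, ts, j, s, rng):
    """Prove that some ts[i] re-encrypts t, knowing it is ts[j] with randomness s.
    Branches i != j are simulated with random (d_i, e_i); branch j is answered
    honestly after the hash forces d_j = c - sum of the other d_i, which hides j."""
    quots, n = quotients(t, ts), len(ts)
    d, e, A, B = [0] * n, [0] * n, [0] * n, [0] * n
    r = rng.randrange(1, q)
    for i, (U, V) in enumerate(quots):
        if i == j:
            A[i], B[i] = pow(g, r, p), pow(Y, r, p)
        else:
            d[i], e[i] = rng.randrange(q), rng.randrange(q)
            A[i] = pow(g, e[i], p) * pow(U, d[i], p) % p
            B[i] = pow(Y, e[i], p) * pow(V, d[i], p) % p
    c = H(Y, t, ts, A, B)
    d[j] = (c - sum(d)) % q
    e[j] = (r - d[j] * s) % q
    return list(zip(d, e))

def verify(Y, t, ts, proof):
    """Recompute every (A_i, B_i) from (d_i, e_i) and check c = d_1 + ... + d_P mod q."""
    if len(proof) != len(ts):
        return False
    A, B = [], []
    for (U, V), (di, ei) in zip(quotients(t, ts), proof):
        A.append(pow(g, ei, p) * pow(U, di, p) % p)
        B.append(pow(Y, ei, p) * pow(V, di, p) % p)
    return H(Y, t, ts, A, B) == sum(di for di, _ in proof) % q

def demo(seed=1, P=5, j=2):
    """Constructed run: one bid t and a list of P ciphertexts of which only ts[j] re-encrypts t."""
    rng = random.Random(seed)
    X, Y = keygen(rng)
    W = pow(g, 77, p)                            # constructed bid value, encoded in G_q
    t = encrypt(Y, W, rng)
    ts, s = [], None
    for i in range(P):
        if i == j:
            tj, s = reencrypt(Y, t, rng)
            ts.append(tj)
        else:
            ts.append(encrypt(Y, pow(g, 100 + i, p), rng))   # unrelated ciphertexts
    proof = prove(Y, t, ts, j, s, rng)
    bad = prove(Y, t, ts, (j + 1) % P, s, rng)   # lying about which entry matches
    return (verify(Y, t, ts, proof), decrypt(X, ts[j]) == W, verify(Y, t, ts, bad))
```

Calling `demo()` returns `(True, True, False)`: the honest proof verifies, the matching entry decrypts to the original bid, and a proof that claims the wrong position is rejected. The verifier's only bookkeeping across branches is the check that the hash challenge equals $d_1 + \cdots + d_P \bmod q$; since each branch is verified by the same equation, nothing in the proof singles out j.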

2.5 Previous Electronic Auction Schemes

In most existing schemes, the validity of the bids is either not verified at all or verified only by the auctioneer.

• The validity of the bids is not verified.

Cachin [1] proposed a private bidding and auction scheme based on the millionaire's protocol, which lets two parties determine who is richer without disclosing anything else about their wealth. The protocol employs two semi-trusted parties, T and V, as auction servers. All bidders and T are connected to V over secure channels. The server V chooses the random values for n instances of the private bidding protocol. The bidders encrypt their bids, send them to the server V, and are not involved further. The server V determines the highest bid through n successive queries to the server T, which obliviously compares two bids but learns nothing about them. At the end, V learns a partial order of the bids, but nothing more.

Naor et al. [13] introduced a simple architecture for preserving the privacy of the losing bidders' bids while maintaining communication and computational efficiency. They employ an additional third party, the auction issuer, which generates the programs for computing the auction but does not take an active part in the protocol. Their protocol ensures that unless the auctioneer and the auction issuer collude, neither party gains any information about the bids, even after the auction has terminated. Moreover, bidders can verify the correctness of the auction.

In [2], Kikuchi presented a new protocol for (M + 1)st-price auctions, a style of auction in which the highest M bidders win and pay a uniform price determined by the (M + 1)st price. The scheme uses a verifiable secret sharing technique in which the bidding point is represented by the degree of a polynomial shared among the auctioneers. This scheme has some drawbacks. For example, the number of auctioneers must be larger than the number of bidding points, so it is difficult to set bidding points. Moreover, anyone can anonymously disrupt an auction by submitting an invalid bid.

• The validity of the bids is verified by the auctioneer before the opening phase.

In this kind of auction, the auctioneer usually verifies only the bidding value (bidding format).

Harkavy, Tygar and Kikuchi [10] described an auction service for secure sealed-bid auctions in which only the winning bid is disclosed. Both first-price and second-price auctions are supported. It is based on general techniques for secure multiparty computation and, with s servers, can tolerate up to $t \le \lfloor (s-1)/3 \rfloor$ corrupted servers. However, the protocol is practical only for small values of s.

In [9], Abe and Suzuki proposed an (M + 1)st-price auction using homomorphic encryption and the mix-and-match technique. Their scheme achieves public verifiability of the winner and the winning bid. However, each bidder must compute K + 1 zero-knowledge proofs when bidding, where K is the number of bidding points. Besides, in this protocol the bidding price (bidding format) can be verified by everyone.

In [6], Omote and Miyaji proposed a second-price sealed-bid auction with public verifiability. Their scheme uses the verifiable discriminant function of the p0-root to achieve public verifiability.

• The validity of the bids is verified by the auctioneer in the opening phase.

In this kind of auction, the auctioneer is usually concerned only with the validity of the winner.

In [12], Franklin and Reiter use a set of distributed auctioneers and an innovative primitive called verifiable secret sharing. Their protocol also prevents a single auctioneer from altering a bid or throwing the auction to a single bidder. However, the confidentiality of the bidders' bids is not achieved, even though confidentiality is as essential as fairness. Moreover, all auctioneers know all bids after the auction is decided.

The problem of the losers' privacy was first pointed out by Kikuchi, Harkavy and Tygar [3]. The basic idea of their scheme is "secure addition". However, the scheme has the problem that the process of determining the winner does not work when several winners bid the same price; in other words, the protocol cannot handle two or more bidders bidding the same highest price.

In [14], Liu, Wang and Wang proposed a new multi-round sealed-bid auction scheme based on Shamir's (t, n)-threshold secret sharing scheme. The protocol guarantees that no information about the losing bidders is leaked and that the seller can collect the digital money from the winning bidder. In addition, the protocol supports both first-price and second-price sealed-bid auctions.

In [4], Kikuchi, Hotta, Abe and Nakanishi modified [3] by adding a "mask" step so that all bids stay private and only the winning bid and the winner are determined by the collaboration of the distributed servers. They improve the security of the protocol in [3] so that even the winner does not learn the second highest bid.

Watanabe and Imai [16] introduced a different kind of trusted third party, an off-line trusted third party (TTP), to achieve a universally verifiable auction scheme. They use the TTP in the optimistic sense, i.e. the TTP takes part in the protocol only if a bidder cheats or simply crashes. However, this protocol has the disadvantage that all bidders have to participate from the beginning of the opening phase.

In [8], Suzuki, Kobayashi and Morita presented the first sealed-bid auction scheme that uses only multiple hash functions. This method drastically reduces the time taken for bidding and for opening bids. However, it is not practical to open all the bids if one of the auctioneers is dishonest or cannot release his secret seed.

In [7], Peng, Boyd, Dawson and Viswanathan classified the published sealed-bid auctions into four models according to how they deal with bid privacy, proposed a new model, and compared the five models. In their model, they give another solution for bid privacy recovery: the registration authority and all the losing bidders cooperate to identify the dishonest winners by publishing their secrets, instead of relying on a trusted third party alone. However, the drawback is that recovering bid privacy becomes quite inefficient when the number of bidders involved is large.

Hence, we propose a sealed-bid auction protocol with publicly verifiable bid validity. Everyone in our protocol can verify the validity of a bid, which covers both the validity of the bidder and the validity of the bidding price. If anyone finds invalid bids from malicious bidders, he can ask the auction manager AM to revoke them before the opening phase.

Chapter 3

A Sealed-Bid Auction with Publicly Verifiable Bid Validity

In this chapter, we propose a sealed-bid auction with publicly verifiable bid validity and analyze its security and properties. Here, bid validity covers not only the validity of the bidder but also the validity of the bidder's bidding price. In our scheme, we combine the signature and the bidding price to form the bid. The bidder generates his signature on the message m using the signature of knowledge technique.

The idea of our scheme is based on verifiable encryption of signatures of knowledge and the 1-out-of-P re-encryption proof of encryption keys.

Our scheme uses two managers, the registration manager RM and the auction manager AM. RM guarantees the relationship between a bidder and his corresponding public key. AM holds auctions and manages the operations in an auction.

In our scheme, everyone can verify a bidder's bid to check its validity, but cannot learn any information about the identities or the bidding prices of the bidders. If there are invalid bids, anyone can point them out and ask the auction manager AM to revoke them. The scheme thus prevents malicious bidders from disturbing the auction by sending invalid bids.

3.1 Notations

The main notations used in our scheme are as follows:

RM : the registration manager, who

• handles the bidders' registration;

• manages RM's bulletin board system (BBS), which publishes the list of public keys;

• declares the winner.

AM : the auction manager, who

• manages the bidding phase;

• manages AM's bulletin board system (BBS), which publishes the computing process of the bids;

• declares the winning price.

m : the unique message of the good (e.g. the auction identity of the good);

I : the number of bidders;

i : the index of a bidder;

$B_i$ : the bidder whose index is i (i = 1, …, I);

p, q : large primes such that p = 2q + 1;

g, h : generators of $G_q$;

$\pi_i, \alpha_i$ : $B_i$'s private key, where $\pi_i$ is the password memorized in the bidder's mind and $\alpha_i$ is the corresponding partial secret stored in the bidder's mobile device;

$y_i$ : $B_i$'s public key, where $y_i = g^{\alpha_i} h^{\pi_i} \bmod p$;

P : the number of prices;

j : the index of a price;

$\delta_j$ : the j-th price (j = 1, …, P);

$X_j$ : the decryption key corresponding to the j-th price;

$Y_j$ : the encryption key corresponding to the j-th price, where $Y_j = g^{X_j} \bmod p$ for 1 ≤ j ≤ P;

$\mathrm{Sign}_k()$ : a signature of knowledge signed with key k;

$E_Y()$ : ElGamal encryption with public key Y such that $E_Y(W) = (G = g^r \bmod p,\ M = W Y^r \bmod p)$;

$D_X()$ : ElGamal decryption with private key X such that $D_X(G, M) = M / G^X \bmod p$;

H() : a secure (collision-resistant) hash function $\{0,1\}^* \to \mathbb{Z}_q$;

$(a^{(i)}, w_1^{(i)}, w_2^{(i)})$ : the signature of the bidder $B_i$ on message m;

$(T_1^{(i)}, T_2^{(i)})$ : the bid of the bidder $B_i$;

$\{(T_{11}^{(i)}, T_{21}^{(i)}), \ldots, (T_{1P}^{(i)}, T_{2P}^{(i)})\}$ : the bid list of the bidder $B_i$ used for 1-out-of-P

相關文件