Our Basic Scheme

(

^ai ,^w1ⁱ ,^w2ⁱ

)

: the signature of the bidder Bi on message m;

( ) ( )

(

^T1ⁱ ,^T2ⁱ

)

: the bid of the bidder Bi;

( ) ( )

( ) (

^{( ) ( )}

)

{

i Pⁱ

}

P i

i T T T

T₁₁ , ₂₁ ,..., ₁ , ₂ : the bid list of the bidder Bi used for 1-out-of-P re-encryption proof of encryption keys;

3.2 Our Basic Scheme

Our scheme has six main phases and their procedure is as follows:

1. Initialization.

2. Bidder registration.

3. Auction preparation.

4. Bidding.

5. Bid verification.

6. Opening.

We describe them in detail in the following:

z Initialization

The registration manager RM selects large primes p and q such that p = 2q + 1 and picks up g and h which are two generators of Gq. Besides, the registration manager RM chooses a collision-resistant hash function H(⋅):{0,1}*→Z_q. Then the registration manager RM publishes p, g, h, and H on the RM’s BBS as system public parameters.

z Bidder registration

When a bidder whose identity is Bob participates in an auction, he sends his identity and public key y with the signature Sign_{α ,π}

( )

y signed by signature of knowledge, using his password π memorized in his mind and the partial secret α stored in his mobile device, to the registration manager RM as a bidder registration. After all bidders finished their registrations, the registration manager RM publishes those public keys and their corresponding indexes on the RM’s bulletin boards system (BBS) but keeps the relation of the bidders’ identities and their public keys in secret.

After the registration manager RM publishes the list of pairs of public keys and indexes, each bidder searches his corresponding index from the RM’s BBS using his public key.

z Auction preparation

The auction manager AM publishes the price list {δ1,.. , δP} and the unique

message m of the good on the AM’s BBS. Then the auction manager AM generates a pair of decryption key Xj and encryption key Yj corresponding to the price δj where and for 1≤ j ≤P. Here, we have to note that in order to stand for distinct price, so the decryption keys selected by the auction manager AM should be distinct. The auction manager AM holds the decryption keys and publishes the encryption keys on the AM’s BBS.

q R

j Z

X ∈ Y_j =g^xj mod p

After all those public keys are published, each bidder Bi (1≤ i ≤I) sends his index i and a list

{ (

^{( ) ( )}

) (

^{( ) ( )}Pⁱ

) }

i P i

i T T T

T₁₁ , ₂₁ ,..., ₁ , ₂ where

(

^{T( ) T( )}

)

^EY_j

(

^Sign _{i i}

( )

^m

)

i j i

j 2 α,π

1 , =

for 1≤ j ≤P to the AM’s BBS.

In order to get the list

{ (

^{( ) ( )}

) (

^{( ) ( )}Pⁱ

) }

i P i

i T T T

T₁₁ , ₂₁ ,..., ₁ , ₂ , each bidder B_i has to follow the two steps described in Figure 3.1. First, each bidder has to make a signature on the unique message m of the good using signature of knowledge with his secrets which are the password πi memorized in his mind and the partial secret αi

stored in his mobile device. After the generation of the signature, we can get

( ) ( ) ( )

(

^{a i} ,^w1ⁱ ,^w2ⁱ

)

to be the signature of knowledge of password πi and the partial

secret αi such that y_i = g^αih^πi mod p on message m for the bidder Bi. Second, he encrypts his signature using all the encryption keys published.

Besides, it is worthy of remark that the generation of the signature of each bidder Bi only need to be done once. In other words, the signature of the bidder Bi used in an auction would be the same.

Moreover, our encryption function only deals with the elements

(

^w1^{( )i} ,^w2^{( )i}

)

of the signature of the bidder Bi. We encrypt

(

^w1^{( )i} ,^w2^{( )i}

)

but let be public.

The bidder B

( )ⁱ

a

i will publish the element a^{( )i} of his signature in the bidding phase.

Step 1: Each bidder Bi signs for the unique message m of the good to get a signature

Step 2: Each bidder Bi encrypts his signature P times using different encryption keys

( ( ) )

Figure 3.1: Generation of the list of 1-out-of-P re-encryption proof of encryption keys z Bidding

Each bidder Bi selects his encryption key corresponding to his bidding price δ

Yj

j. Bi then encrypts part of the signature

(

^w1^{( )i} ,^{w( )}2ⁱ

)

generated in the auction preparation phase using the encryption key Y_j described in Figure 3.2.

( ) ( )

After the encryption done, each bidder Bi sends his index i and

(

^{a( )i} ,^T1^{( )i} ,^T2^{( )i}

)

to the AM’s BBS. Besides, Bi also has to provide two kinds of proofs (P+1 proofs) as showed in Figure 3.3. There are P proofs for the first kind proof and 1 proof for the second proof. The two kinds of proofs are described as follows:

1. P proofs for verifiable encryption of signature of knowledge of (i)r₁^{( )i} ,r₂^{( )i} , αi, and πi such that

( ) r( ) c( )

(

q

)

w^{( )} r^{( )} c^{( )}

(

q

)

w₁ⁱ = ₁ⁱ − ⁱα_i mod , ₂ⁱ = ₂ⁱ − ⁱπ_i mod

to show that

(

^{a( )i} ,^w1^{( )i} ,^w2^{( )i}

)

is valid signature.

(ii)e^{( )}_jⁱ such that

(

^{( ) ( )i}j

)

i

j T

T₁ , ₂ is the correct ciphertext of w₁^{( )i} and w₂^{( )i} .

The bidder Bi has to send

(

^{( ) ( ) ( ) ( ) ( ) ( )i}j

)

i j i

j i

j i j i

j s s s s s

c₁ , ₁ , ₂ , ₃ , ₄ , ₅ ,∀ 1j, ≤ j≤P, to AM’s BBS.

2. 1-out-of-P re-encryption proof of encryption keys such that no one except Bi

can distinguish which encryption key is used. The bidder Bi has to show that for the encrypted bid

(

^T1^{( )i} ,^T2^{( )i}

)

, there is a re-encryption in the

( ) ( )

( ) (

^{( ) ( )}

)

{

Pⁱ

}

i P i

i T T T

T₁₁ , ₂₁ ,..., ₁ , ₂ . i.e.

( ) ( )

(

^{T T} i

) (

^{T( )}i^Yj ^{p T( )i g p}

)

j i

j , _{2 1} mod , ₂ mod

1

ε

= ε ,

(

^{( )}i ^{( )i}j

)

j T

T₁ , ₂ is the re-encryption of

( ) ( )

(

^T1ⁱ ,^T2ⁱ

)

.

The bidder B_i has to send

(

^{( ) ( )}

) (

^{( ) ( )}Pⁱ

)

i i

P

i c z z

c₂₁,..., ₂ , ₁ ,..., to AM’s BBS.

1. verifiable encryption of signature of knowledge of r₁^{( )i} ,r₂^{( )i} , αi, πi, and e^{( )}_jⁱ 2. 1-out-of-P re-encryption proof of encryption keys

( ) ( )

Figure 3.3: Two kinds of proofs for the bid of the bidder Bi

z Bid verification

This can be done by every one. If anyone finds invalid bids, then he can ask the auction manager AM to revoke them. If we want to verify the bid validity of the bidder Bi, we can do as follows: check w

p check r

p

check e

i

Figure 3.4: The idea of verifying the first proof in the bidding phase

3. (1) Compute c₂^{( )i} =c^{( )}₂₁ⁱ +...+c^{( )}₂ⁱ_P modq and

Starting from the highest price, the auction manager AM decrypts those ciphertexts starting on the downward prices as the follows:

For X = XP, XP-1,…

If the bid of the bidder Bi satisfies the equation, the auction manager AM publish the winning price is δ corresponding to the decryption key X and send the winner index i to the registration manager RM and then RM publishes the identity of the winner.

2. The AM publishes the decryption key X on AM’s BBS. If the winner’s identity is published, then the auction is terminated.

在文檔中 可公開驗證出價合法性的彌封式拍賣系統 (頁 31-39)