Omote and Miyaju’s scheme

In 2001, Omete and Miyaji [6] proposed the use of bulletin board approach for verifying

information of bidders to improve the efficient of Group Signature for English Auction protocol proposed by Nguyen and Traore [7, 8]. In the scheme of Omete and Miyaji, there are mainly three entities, Bidder, Registration Manager (RM), and Auction Manager (AM).

During the auction, RM manages the correspondence of bidder identity to public key. AM manages a bulletin board, and maintains the operations and hosts the auctions. When a certain bidder is identified after a winner decision procedure or later disputes, AM has only to request RM to identify the bidder to complete the entire auction. Omete and Miyaji claimed that their scheme can satisfy the safety features for English Auction, including: (1) Anonymity, (2) Traceability, (3) No framing, (4) Unforgeability, (5) Fairness, (6) Verifiability, (7) Unlikability among different auctions, (8) Linkability in an auction, (9) Efficiency of bidding, (10) One-time registration, and (11) Easy revocation. The participants and the parameters in the scheme proposed by Omote and Miyaji are explained as below:

【Entity】

Registration Manager (RM) : being responsible to manage and store the correspondence of bidder identity to public key, and send the identity of the bidder to the vendor when a bidder wins out.

Auction Manager (AM) : being responsible to maintain the operations and host the auctions.

Bidder (B) : being participant in an auction that AM holds.

【Notation】

p , : two large primes, satisfying q q|p1; g : an element gZ_p with order q ;

I : the number of bidders;

i : the index of bidders (i1  , ,I);

B i : bidder i；

x i : the secret key of B (_i x_iZ_q);

y i : the public key of B (_i y_i =g^xi (modp));

r i : AM’s random number for B (_i r_iZ_q);

t i : a random number of B (_i t_i ); Z_q

T i : an auction key for B ; _i k : the index of auctions (k 1);

XAM : AM’s secret key (X_AMZ_q);

YAM : AM’s public key (Y_AM =g^XAM mod p ,pZ_q);

Enc : Enc(key ,data) is a secret key encryption function by using a secret key, key;

Enc : )j Enc^j(key,data is j-times encryption by using the same key, i.e.

)) , ( ,

( )

,

(key data Enc key Enc ¹ key 

Enc^j  ^j .

The operation of the scheme includes: (1) Initialization, (2) Bidder Registration, (3) AM’s Setup, (4) Bidding, (5) Verifiability, and (6) Winner Announcement. The different stages are described as follows:

【Initialization】

The system parameter settings of the RM and AM are as below:

RM  publishes p, q and g on his bulletin board.

AM  selects a private key X_AMZ_q , and calculates the corresponding public key

q X

M g p p Z

Y_A = ^AM mod ,  and publishes Y_AM.

【Bidder Registration】

When a new bidder Bi joins in the auction, he/she must follow the following steps in requesting registration from RM:

Step 1: Select a private key x_iZ_q and calculates its corresponding registration key y_i:

p g

y_i  ^xi mod

Step 2: Select a random number t_i , named ticket. Z_q

Step 3: Send {y , } to RM as the registration key, registers his/her identity and proves that _i t_i he/she knows the discrete logarithm x of _i y to the base g by showing _i V₁:

) ](

: )

1 SK[(α yi g mR

V   ^

Step 4: After RM authenticates the validity of V₁, RM publishes bidder’s registration key {y , } on his bulletin board and keeps bidder’s name and the corresponding _i t_i registration in its own database.

【Auction Setup by AM】

Assume that the set of registered bidders is Bi (i=1,2,… ,I). When an auction is requested, AM follows the following steps to set up the auction. The auction below is assumed to be at the k-th auction:

Step 1: AM calculates a shared secret key y_i^xAM modp with each bidder Bi (i ) =1,2,… ,I by using Diffie-Hellman key-distribution.

Step 2: AM generates the random numbers r_i Z_q({r₁ ,r₂ ,… ,r_I}) for each bidder published on RM’s bulletin board and keeps the numbers {r₁ ,r₂ ,… ,r_I} secret.

Step 3: AM encrypts t to _i Enc^k(y_i^XAM,t_i)Enc(y_i^XAM,Enc^k1(y_i^XAM,t_i)) in the k-time Enc encryption function by using a shared key y_i^XAM.

Step 4: AM calculates the following auction key T for B_i i using Bi’s public key y _i published on RM’s bulletin board.

Step 5: AM publishes the shuffled auction key T of all bidders on his bulletin board. _i

【Bidding】

To participate in the k-th auction, Bi must complete the following steps:

Step 1: Using AM’s public key Y_AM to calculate y_i^XAM as follows:

p Y

y_i^{X xi} mod

AM

AM 

Step 2: Calculating auction certificate T as follows: _i

) , ), , (

( ^k _AM^xi _{i i}^{ri ri}

i Enc Y t y g

T 

T must be verified that they are matched with the information posted on AM’s i

bulletin board.

Step 3: Generates the signature of knowledge V₂for bid m as follows: _i

) ](

) ( :

2 [ i

r r

i g m

y SK

V   ⁱ  ^{i }

Step 4: Finally, send the following bid information {m_i ,y_i^ri ,g^ri ,V₂} to AM, thus completing

【Verifiability】

After Bi publishes the bid information {m_i ,y_i^ri ,g^ri ,V₂}, anyone can verify them as shown below:

Step 1: Anybody can confirm that a bidder knows surely the discrete logarithm x of _i y by _i checking the validity of the signature of knowledge V₂. Otherwise, AM would remove the illegal bid information from his bulletin board.

Step 2: Anybody can accept that the signer is one of the bidders if the values y and _i^ri g in ^ri

V2 are published on AM’s bulletin board. If they are, the bidder which owns the bid information is a legitimate bidder.

【Winner Announcement】

At the end of the bidding, AM on obtaining the information on the highest bid, forwards the r_i^1 of Bi to RM. Then RM uses y and _i^ri r_i^1 to calculate y , and saves the _i comparison result in the database, for confirming the bidder’s identity and then informing the vendor of the winner’s identity.

Although the scheme of Omote and Miyaji satisfies the security requirements of English Auction, the real identity of the winner cannot be published for verification. In the winner announcement stage, RM secretly informs the vendor of winner’s identity. Therefore, other bidders and AM cannot verify the legality of winner. If RM announces the winner’s identity, AM can get his/her real identity from the public key that could violate the purpose of anonymity, fairness, and unlinkability among auction rounds [5].