
Chapter 3 A Sealed-Bid Auction with Publicly Verifiable Bid Validity

3.3 Analysis

which is polynomially bounded. Therefore, the protocol is secure with perfect zero-knowledge.

3.3.2 Properties

Our scheme has the properties of correctness, confidentiality, fairness, privacy, public verifiability, and robustness. Most important of all, it has the property of publicly verifiable bid validity. We describe each property in more detail below.

• Correctness

If all parties act honestly, the winning price and the winner(s) are determined correctly according to our auction rule.

• Confidentiality

We use the registration manager RM to hold the relationship between the bidder’s identity and his public key, and the auction manager AM to hold the decryption keys for all bidding prices. Hence, even though everyone can verify the validity of the bids, no one can get any information about the bidder’s identity and his bidding price.

• Fairness

All bidders can look at a proper polling on the Internet, and after a bidder submits his bid, he cannot modify it. Besides, each bid contains the bidder’s signature, so no bidder can deny his bid.

• Privacy

In our scheme, even after the opening phase, the bidding prices of the losing bidders can be kept secret, since the remaining decryption keys are not published by the auction manager AM.

• Public Verifiability

In the opening phase, the auction manager AM publishes the decryption keys corresponding to the bidding prices, from the highest price downwards, until the winner is published. Everyone can verify the result of the auction with the published decryption keys. Hence, the validity of the result in our auction can be publicly verified by everyone.

• Robustness

In our scheme, everyone can verify the validity of a bid. If there are invalid bids, anyone can ask the auction manager AM to revoke them. Hence, our scheme can prevent malicious bidders from sending invalid bids to disturb the auction. In other words, even if there are invalid bids from malicious bidders, the result of our scheme is correct.

• Publicly Verifiable Bid Validity

In our scheme, everyone can verify the validity of the bidder and the validity of the bidder’s bidding price with the proofs for verifiable encryption of signature of knowledge.
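The opening phase described under Privacy and Public Verifiability can be sketched as follows. This is an added example, not the thesis's construction: a toy ElGamal with one key pair per price stands in for the verifiable encryption of signature of knowledge, the bid-validity proofs are omitted, and the group parameters, `MARKER` and all function names are assumptions.

```python
import secrets

# Toy group: safe prime p = 2q + 1; G generates the order-q subgroup.
# Tiny on purpose so the example stays readable; NOT secure parameters.
P_MOD, Q, G = 2039, 1019, 4
MARKER = 9  # assumption: public constant that every sealed bid encrypts

def keygen(prices):
    """AM: one distinct ElGamal key pair per price on the price list."""
    xs = set()
    while len(xs) < len(prices):
        xs.add(1 + secrets.randbelow(Q - 1))
    sk = dict(zip(prices, xs))
    return sk, {price: pow(G, x, P_MOD) for price, x in sk.items()}

def seal(pk, price):
    """Bidder: encrypt MARKER under the public key of the chosen price."""
    r = 1 + secrets.randbelow(Q - 1)
    return pow(G, r, P_MOD), MARKER * pow(pk[price], r, P_MOD) % P_MOD

def opens(bid, x):
    """True if decryption key x recovers MARKER from this sealed bid."""
    c1, c2 = bid
    return c2 * pow(c1, -x, P_MOD) % P_MOD == MARKER

def am_open(sk, bids):
    """AM: publish keys from the top price down until some bid opens."""
    published = {}
    for price in sorted(sk, reverse=True):
        published[price] = sk[price]
        if any(opens(b, sk[price]) for b in bids.values()):
            break
    return published

def verify_result(pk, published, bids):
    """Anyone: check the published keys, then recompute price and winners."""
    order = sorted(published, reverse=True)
    if order != sorted(pk, reverse=True)[:len(order)]:
        raise ValueError("published keys skip a higher price")
    for price in order:
        x = published[price]
        if pow(G, x, P_MOD) != pk[price]:
            raise ValueError(f"key for price {price} does not match")
        winners = sorted(n for n, b in bids.items() if opens(b, x))
        if winners:
            return price, winners
    return None, []
```

Bids here are indexed by a pseudonym such as the bidder's public key, so a verifier learns the winning price and pseudonym only; keys for lower prices are never published, so losing bids stay sealed.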

Chapter 4 Conclusion

In this thesis, we have proposed a sealed-bid auction with publicly verifiable bid validity. Our scheme is a first-price sealed-bid auction. It has the properties of correctness, confidentiality, fairness, privacy, public verifiability, and robustness.

Most important of all, in our scheme, everyone can publicly verify the validity of a bid, so malicious bidders cannot send invalid bids to disturb the auction.

In our scheme, we combine the bidder’s signature and his bidding price into the bid using verifiable encryption of signature of knowledge, and then use a 1-out-of-P re-encryption proof of encryption keys. The signature we use requires both the password memorized by the bidder and the corresponding partial secret stored in his mobile device, which increases the security.

Bid validity in our scheme covers not only the validity of the bidding price but also the validity of the bidder. Everyone can verify the bid validity, but no one can get any information about the bidder’s identity and his bidding price. If there are invalid bids, anyone can ask the auction manager AM to revoke them. Hence, our protocol can prevent malicious bidders from sending invalid bids to disturb the auction.

In our scheme, if the registration manager RM is attacked, only the information about the relation between the bidder’s identity and his public key is leaked; no one can learn the price that the bidder bids. If the auction manager AM is attacked, only the information about the bidding price of the bidder is leaked; no one can learn the relation between the bidder’s identity and his public key.

In other words, if one manager is attacked, our scheme can achieve weak confidentiality. But if the two managers collaborate, they can learn the relation between a bidding price and the corresponding bidder’s identity. Besides, in the bidding phase of our scheme, each bidder has to send his bid with (P+1) proofs, so the number of proofs depends on the size of the price list. Hence, in future work, we hope to avoid the collaboration attack of the managers and reduce the number of proofs.

