Cryptographic Protocols for Sealed-Bid Auctions Without Trusted Servers

Academic year: 2021

Wen-Guey Tzeng* · Nai-Chia Yeh** · Rong-Jaye Chen**
* Department of Computer and Information Science, National Chiao Tung University, Hsinchu, Taiwan
** Department of Computer Science and Information Engineering, National Chiao Tung University, Hsinchu, Taiwan
e-mail: [email protected]

Abstract

Sealed-bid auctions are auctions in which bidders send their sealed bidding prices to the auctioneer, and the auctioneer opens all bids to determine the winner and the winning bid. In this paper, we propose a novel construction for the secure computation of the greater-than function. This idea is applied to two-party private bidding and to sealed-bid auction protocols. Our protocols require no trusted servers. The private bidding protocol needs two rounds of communication between the bidders. The auction protocols use a public bulletin board and take two or three rounds of communication between the bidders and the board. After the execution of our protocols, no bid information is revealed to any party.

Key words: sealed-bid auction, secure multiparty computation, Diffie-Hellman key exchange, privacy.

1. Introduction

As the Internet prevails, electronic commerce becomes an important issue. Traditional face-to-face communication and trading activities are translated into electronic processes, such as electronic mail, digital money, electronic voting, and so forth. The Internet indeed facilitates human life, but how to keep personal information secret in the network is an important issue. Traditional laws and contracts are not sufficient to protect our privacy. That is why we study cryptography. With cryptographic techniques, trading activities can be implemented in the computer network in a way that meets various security requirements.

Generally speaking, a trading process consists of three phases: price negotiation, payment, and goods delivery. Auctions are a form of price negotiation that allows buyers to settle the price of goods. They can roughly be classified into two types, open-cry auctions and sealed-bid auctions. In an open-cry auction, each buyer bids his price publicly, and at the close of the auction the bidder who bid the highest price wins and gets the goods. The disadvantages of this type of auction are that it is time-consuming and that it reveals the bid information of the buyers. It is almost impossible to hold a fair open-cry auction over an unreliable network. Sealed-bid auctions are usually used for government procurement contracts, public construction, government-owned land, etc. Each bidder seals his bidding price and submits it to the auctioneer. At the close of the auction, the auctioneer opens all bids to determine the winner and the selling price. This type of auction is more efficient in network communication. For reasons of security and practicability, we study the topic of sealed-bid auctions. Many researchers have been devoted to the study of secure and efficient sealed-bid auctions [FR96][Sak00][HTK98][Cac99][BS][Fis]. Several approaches are based on multiparty computation and secret sharing to ensure the privacy of bid information.

In this paper, we give a new way to compare two secrets securely. One protocol is presented for two-party private bidding and two protocols for first-price sealed-bid auctions. In the private bidding protocol, no trusted servers are required for a fair bidding between two players. It needs only two rounds of interaction, and the computation cost of one party is $4\ell$ modular exponentiations. In the auction protocols, we use a public bulletin board. One of our auction protocols requires two rounds of communication, and the other requires three rounds. During each round of our protocols, each bidder posts some messages on the board. At the end of the auction, each bidder's bid information is unknown to the others. Only the winning bid is revealed to all participants, by the winner.

2. Our Auction Protocols

This section focuses on our auction protocols. First, we introduce the protocol private bidding, which is also a protocol for the millionaires' problem. On the basis of private bidding, we develop the auction protocol auction1. It allows more than two players to compare their bids and finds the highest one. In this protocol, no player learns the value of the other players' bids, but he can learn whose bids are higher than his and whose are lower. We develop another auction protocol, auction2, to improve the security: in auction2, each player knows only his own order among all bids. Finally, we give a security analysis of all our protocols.

2.1. Two-party Private Bidding (Millionaires' Problem)

We introduce the protocol for computing the greater-than function
$GT(x_1, x_2) = (x_1 > x_2)$,
where $(x_1 > x_2) = 1$ if and only if $x_1 > x_2$. Yao's millionaires' problem [Yao82][Yao86] and Cachin's private bidding problem [Cac99] are both based on the secure computation of the greater-than function. In the millionaires' problem, two millionaires want to compare their fortunes but do not want to reveal their assets. In the private bidding problem, Alice wants to buy some goods from Bob; the deal takes place if and only if the price Alice offers is greater than Bob's selling price. We unify these problems into the problem of comparing two $\ell$-bit strings $x_1, x_2$, where $x_1 = x_{1,\ell} x_{1,\ell-1} \ldots x_{1,1}$ and $x_2 = x_{2,\ell} x_{2,\ell-1} \ldots x_{2,1}$, possessed by two players $P_1$ and $P_2$. Let $X_i^1, X_i^0$ be two sets of prefix strings such that
$X_i^1 = \{x_{i,\ell} x_{i,\ell-1} \ldots x_{i,j+1} \mid x_{i,j} = 1,\ 1 \le j \le \ell\}$,
$X_i^0 = \{x_{i,\ell} x_{i,\ell-1} \ldots x_{i,j+1} \mid x_{i,j} = 0,\ 1 \le j \le \ell\}$,
where we define the prefix string of $x_{i,\ell}$ as $x_{i,\ell+1} = \lambda$ (the empty string). For example, let $x_1 = 234$. Converting $x_1$ to a binary string gives $x_1 = 11101010$. Then we get $X_1^1 = \{\lambda, 1, 11, 1110, 111010\}$ and $X_1^0 = \{111, 11101, 1110101\}$. With the two sets of prefix strings, we can compute the greater-than function by observing whether $X_1^1$ and $X_2^0$ intersect, that is,
$GT(x_1, x_2) = \begin{cases} 1 & \text{if } X_1^1 \cap X_2^0 \ne \emptyset \\ 0 & \text{if } X_1^1 \cap X_2^0 = \emptyset \end{cases}$
For example, let $x_1 = 234$ and $x_2 = 228$. Then
$x_1 = 11101010$, $x_2 = 11100100$,
$X_1^1 = \{\lambda, 1, 11, 1110, 111010\}$,
$X_2^0 = \{111, 1110, 111001, 1110010\}$.
We can easily see that $X_1^1 \cap X_2^0 = \{1110\}$, so $x_1$ is greater than $x_2$.

Up to now, we have introduced an idea for comparing $x_1$ and $x_2$. To achieve secure computation, a player cannot directly give his prefix strings to the other party, since that would disclose his secret. We use the technique of Diffie-Hellman key exchange [DH76] to commit each element of the prefix-string sets.
As in the key exchange scheme, there is a public input, a prime $p = 2q + 1$ where $q$ is also a prime. All our computation is over the order-$q$ subgroup $G_q$. At first, each player $P_i$ prepares two prefix-string sets, $X_i^1$ and $X_i^0$, from his secret $x_i$ and maps each binary prefix string into a value in $G_q$ with a pre-specified hash function $H$. This process forms two $\ell$-element sets, $A_i = \{a_{i,1}, a_{i,2}, \ldots, a_{i,\ell}\}$ and $B_i = \{b_{i,1}, b_{i,2}, \ldots, b_{i,\ell}\}$, where each element of $A_i$ (resp. $B_i$) is the hash value of an element of $X_i^1$ (resp. $X_i^0$). If there are not enough elements, values are chosen at random from $G_q$. The elements of $A_i$ and $B_i$ can be seen as the generators in the Diffie-Hellman key exchange protocol. $P_i$ securely checks whether $A_i$ and $B_j$ intersect by checking whether the key generated from $a_{i,s}$ and the key generated from $b_{j,t}$ are the same. The process is as follows. Each player $P_i$ randomly chooses $u_i \in Z_q^*$ to commit each element $a_{i,s}$ of $A_i$ as $m_{i,s} = a_{i,s}^{u_i}$, and randomly chooses $v_i \in Z_q^*$ to commit each element $b_{i,s}$ of $B_i$ as $\mu_{i,s} = b_{i,s}^{v_i}$. He submits all values $m_{i,s}, \mu_{i,s}$ to the other party. Next, each party $P_i$ computes $\alpha_{i,s} = m_{j,s}^{v_i}$, where $m_{j,s}$ is obtained from the other party, and transmits all values $\alpha_{i,s}$ to $P_j$. Finally, $P_i$ computes $\beta_{i,s} = \mu_{j,s}^{u_i}$. Since $\alpha_{j,s} = a_{i,s}^{u_i v_j}$ and $\beta_{i,t} = b_{j,t}^{v_j u_i}$, $P_i$ determines himself to be the winner if there exist elements such that $\alpha_{j,s} = \beta_{i,t}$. In other words, $P_i$ is the winner if and only if $A_i$ and $B_j$ intersect. The protocol is shown in Figure 1 (private bidding). We omit the modular reduction in the description of the protocol. For security, we use a permutation to mix the data sent to the other side.

Public Input:
• $(p, q)$: $p, q$ are random primes, $p = 2q + 1$, and $q$ is $k$-bit, where $k$ is a security parameter.
• $H$: a hash function mapping binary strings to values in $G_q$, the order-$q$ subgroup of $Z_p^*$.
Secret Input of $P_i$, $i = 1, 2$:
• $x_i$: $P_i$'s secret.
• $\pi_i$: a permutation over $\{1, 2, \ldots, \ell\}$ used for mixing.
Protocol:
• Preparation: Each player $P_i$ converts his secret $x_i$ into two sets of prefix strings, $X_i^1, X_i^0$, and then computes two $\ell$-element sets $A_i = \{a_{i,s} \mid a_{i,s} = H(x^1_{i,s}),\ x^1_{i,s} \in X_i^1,\ 1 \le s \le \ell\}$ and $B_i = \{b_{i,s} \mid b_{i,s} = H(x^0_{i,s}),\ x^0_{i,s} \in X_i^0,\ 1 \le s \le \ell\}$, with $a_{i,s}, b_{i,s} \in G_q$. If there are not enough elements, values are chosen at random from $G_q$.
• First Round:
  – $P_1$: Choose a random $u_1 \in Z_q^*$ and compute $m_{1,s} = a_{1,\pi_1(s)}^{u_1}$ for $s = 1, 2, \ldots, \ell$.
  – $P_2$: Choose a random $u_2 \in Z_q^*$ and compute $m_{2,s} = a_{2,\pi_2(s)}^{u_2}$ for $s = 1, 2, \ldots, \ell$.
  – $P_1 \longrightarrow P_2$: $m_{1,\ell}, m_{1,\ell-1}, \ldots, m_{1,1}$
  – $P_1 \longleftarrow P_2$: $m_{2,\ell}, m_{2,\ell-1}, \ldots, m_{2,1}$
• Second Round:
  – $P_1$: 1. Choose a random $v_1 \in Z_q^*$ and compute $\mu_{1,s} = b_{1,\pi_1(s)}^{v_1}$ for $s = 1, 2, \ldots, \ell$. 2. Compute $\alpha_{1,s} = m_{2,\pi_1(s)}^{v_1}$ for $s = 1, 2, \ldots, \ell$.
  – $P_2$: 1. Choose a random $v_2 \in Z_q^*$ and compute $\mu_{2,s} = b_{2,\pi_2(s)}^{v_2}$ for $s = 1, 2, \ldots, \ell$. 2. Compute $\alpha_{2,s} = m_{1,\pi_2(s)}^{v_2}$ for $s = 1, 2, \ldots, \ell$.
  – $P_1 \longrightarrow P_2$: $(\mu_{1,\ell}, \mu_{1,\ell-1}, \ldots, \mu_{1,1}),\ (\alpha_{1,\ell}, \alpha_{1,\ell-1}, \ldots, \alpha_{1,1})$
  – $P_1 \longleftarrow P_2$: $(\mu_{2,\ell}, \mu_{2,\ell-1}, \ldots, \mu_{2,1}),\ (\alpha_{2,\ell}, \alpha_{2,\ell-1}, \ldots, \alpha_{2,1})$
• Final:
  – $P_1$: Compute $\beta_{1,s} = \mu_{2,s}^{u_1}$ for $s = 1, 2, \ldots, \ell$. Check whether there exist elements such that $\alpha_{2,s} = \beta_{1,t}$, $1 \le s, t \le \ell$. If so, he knows $x_1$ is greater than $x_2$.
  – $P_2$: Compute $\beta_{2,s} = \mu_{1,s}^{u_2}$ for $s = 1, 2, \ldots, \ell$. Check whether there exist elements such that $\alpha_{1,s} = \beta_{2,t}$, $1 \le s, t \le \ell$. If so, he knows $x_2$ is greater than $x_1$.
Figure 1: private bidding

2.2. Auction

We introduce the protocol for the first-price auction. The auction protocol is an extension of the two-party private bidding protocol. There are $n$ bidders, $P_1, P_2, \ldots, P_n$, each with an $\ell$-bit bidding price $x_i$. After the execution of the protocol, we want to find the highest bidding price and the player who bid it. No trusted servers are needed in our protocol. Instead, a public bulletin board is used for communication between the bidders. As in the two-party private bidding protocol, there are two rounds of communication. During each round, each bidder reads some information from the bulletin board and posts some messages on it. After the communication, everyone checks whether he is the winner. If a player finds his price to be the highest, he opens his winning bid and posts some secrets to prove it.

The scheme is similar to the protocol private bidding in Figure 1. There is a public input, a prime $p = 2q + 1$, and all computation is in $G_q$. Each player $P_i$ prepares two sets, $A_i = \{a_{i,1}, a_{i,2}, \ldots, a_{i,\ell}\}$ and $B_i = \{b_{i,1}, b_{i,2}, \ldots, b_{i,\ell}\}$, whose elements are computed from the elements of the prefix-string sets $X_i^1$ and $X_i^0$ with a hash function $H$. $P_i$ chooses random $u_i$ and $v_i$ to commit the elements of $A_i$ and $B_i$ as $m_{i,s} = a_{i,s}^{u_i}$ and $\mu_{i,s} = b_{i,s}^{v_i}$. Each player posts the values $m_{i,s}$ and $\mu_{i,s}$ on the bulletin board. As in private bidding, each one computes $\alpha_{i,j,s} = m_{j,s}^{v_i}$ for every other player $P_j$ and posts the values $\alpha_{i,j,s}$ on the board. To compare with $P_j$'s bidding price, the player $P_i$ reads $\mu_{j,s}$ and $\alpha_{j,i,s}$ from the board and computes $\beta_{i,j,s} = \mu_{j,s}^{u_i}$. $P_i$ then checks whether there exist values $\alpha_{j,i,s} = a_{i,s}^{u_i v_j}$ and $\beta_{i,j,t} = b_{j,t}^{v_j u_i}$ such that $\alpha_{j,i,s} = \beta_{i,j,t}$. If so, he announces himself as the winner. The protocol is shown in Figure 2 (auction1). Permutations are also used to mix the data posted on the board.

We must point out that auction1 has weaker security. Although no bidding price is revealed exactly, after the communication each bidder knows whose bids are higher than his and whose are lower. We modify the scheme to enhance the security by presenting another auction protocol, auction2, in which each bidder learns only his own order among all. The basic idea is that $x_i > x_j$ if and only if $X_i^1$ and $X_j^0$ intersect, and in that case exactly one element appears in the intersection. Let $\Theta = \bigcup_{j \ne i} X_j^0$, where $\Theta$ may be a multiset that allows duplicate items. If $x_i$ is greater than every other $x_j$, $j \ne i$, then $X_i^1$ and $\Theta$ must intersect, and there are $(n - 1)$ elements in the intersection. The difference in this protocol is that each player $P_i$ performs the union for $P_{i-1}$ (if $i = 1$, $i - 1$ means $n$). The public inputs, the secret inputs of each player, and the preparation, first round and second round of this protocol are similar to those of auction1. In order to conceal the comparison information $\alpha_{i,j,s}$, each player $P_i$ chooses a key pair $(E_i, D_i)$ of his encryption scheme, publishes the encryption function $E_i$, and keeps the decryption function $D_i$ secret. A prime $p$ is the public input, where $p = 2q + 1$ and $q$ is also prime, and all computation is in the order-$q$ subgroup $G_q$. Each player prepares two sets $A_i = \{a_{i,1}, a_{i,2}, \ldots, a_{i,\ell}\}$ and $B_i = \{b_{i,1}, b_{i,2}, \ldots, b_{i,\ell}\}$ from the prefix-string sets $X_i^1$ and $X_i^0$ with a hash function $H$. Random $u_i$ and $v_i$ are chosen by $P_i$ to commit each element of $A_i$ and $B_i$. $P_i$ calculates $m_{i,s} = a_{i,s}^{u_i}$ and $\mu_{i,s} = b_{i,s}^{v_i}$, and posts all values $m_{i,s}, \mu_{i,s}$ on the board. In the next round, $P_i$ reads the data $m_{j,s}$ and computes $\alpha_{i,j,s} = m_{j,s}^{v_i}$. To keep $P_j$ from learning $\alpha_{i,j,s}$, $P_i$ encrypts it with the encryption function $E_{j+1}$, giving $e_{i,j,s} = E_{j+1}(\alpha_{i,j,s})$, and submits $e_{i,j,s}$ to the board. In the third round, each player $P_i$ reads all values $e_{j,i-1,s}$ and decrypts them with his decryption function $D_i$, giving $\alpha_{j,i-1,s} = D_i(e_{j,i-1,s})$. $P_i$ randomly chooses $w_i \in Z_q^*$ and computes two sets $\Gamma_{i-1} = \{\gamma_{i-1,1}, \gamma_{i-1,2}, \ldots, \gamma_{i-1,(n-1)\ell}\}$ and $\Delta_{i-1} = \{\delta_{i-1,1}, \delta_{i-1,2}, \ldots, \delta_{i-1,(n-1)\ell}\}$ for the player $P_{i-1}$, where each element of $\Gamma_{i-1}$ (resp. $\Delta_{i-1}$) is a value $\alpha_{j,i-1,s}$ (resp. $\mu_{j,s}$), $j \ne i - 1$, raised to the power $w_i$. $\Gamma_{i-1}$ and $\Delta_{i-1}$ are posted on the board by $P_i$. Finally, $P_i$ computes the set $\Delta'_i = \{\delta'_{i,1}, \delta'_{i,2}, \ldots, \delta'_{i,(n-1)\ell}\}$, where $\delta'_{i,s} = \delta_{i,s}^{u_i}$, and checks whether there are $(n - 1)$ elements in the intersection of $\Gamma_i$ and $\Delta'_i$. If so, $P_i$ announces himself as the winner. The protocol auction2 is shown in Figure 3. All posted values are also disordered by permutations.

Public Input:
• $(p, q)$: $p, q$ are random primes, $p = 2q + 1$, and $q$ is $k$-bit, where $k$ is a security parameter.
• $H$: a hash function mapping binary strings to values in $G_q$, the order-$q$ subgroup of $Z_p^*$.
Secret Input of $P_i$ for $i = 1, 2, \ldots, n$:
• $x_i$: $x_i$ is the bidding price.
• $\pi_i$: a permutation over $\{1, 2, \ldots, \ell\}$ used for mixing.
Protocol:
• Preparation: Each player $P_i$ converts his bid $x_i$ into two sets of prefix strings, $X_i^1, X_i^0$, and then computes two $\ell$-element sets $A_i = \{a_{i,s} \mid a_{i,s} = H(x^1_{i,s}),\ x^1_{i,s} \in X_i^1,\ 1 \le s \le \ell\}$ and $B_i = \{b_{i,s} \mid b_{i,s} = H(x^0_{i,s}),\ x^0_{i,s} \in X_i^0,\ 1 \le s \le \ell\}$, with $a_{i,s}, b_{i,s} \in G_q$. If there are not enough elements, values are chosen at random from $G_q$.
• First Round: Each player $P_i$ does the following:
  1. Choose a random $u_i \in Z_q^*$ and compute $m_{i,s} = a_{i,\pi_i(s)}^{u_i}$ for $s = 1, 2, \ldots, \ell$.
  2. Post the values $m_{i,s}$ on the bulletin board for $s = 1, 2, \ldots, \ell$.
• Second Round: Each player $P_i$ does the following:
  1. Choose a random $v_i \in Z_q^*$ and compute $\mu_{i,s} = b_{i,\pi_i(s)}^{v_i}$ for $s = 1, 2, \ldots, \ell$.
  2. From the values $m_{j,s}$ posted by $P_j$, $1 \le j \ne i \le n$, compute $\alpha_{i,j,s} = m_{j,\pi_i(s)}^{v_i}$ for $s = 1, 2, \ldots, \ell$.
  3. Post the values $\mu_{i,s}$ and $\alpha_{i,j,s}$ on the board, where $1 \le s \le \ell$, $1 \le j \ne i \le n$.
• Final: Each player $P_i$ does the following:
  – To compare with $P_j$, $1 \le j \ne i \le n$, compute $\beta_{i,j,s} = \mu_{j,s}^{u_i}$ for $s = 1, 2, \ldots, \ell$. Check whether there exist elements such that $\alpha_{j,i,s} = \beta_{i,j,t}$, $1 \le s, t \le \ell$. If so, he knows $x_i$ is greater than $x_j$.
  – After all checks, if $x_i$ is greater than every other $x_j$, $1 \le j \ne i \le n$, post the variables $u_i, v_i$ and the winning bid $x_i$. The other bidders can verify it in the same way.
Figure 2: auction1
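As an added worked example (not the paper's code), the following Python implements the prefix-string greater-than test of Section 2.1 and the commitment exchange of Figure 1, generalized to $n$ bidders on a simulated bulletin board as in Figure 2; with two bidders it is exactly the private bidding protocol. Two instantiations are assumptions of this example, not of the paper: the modulus is a freshly generated 64-bit safe prime $p = 2q + 1$ (small enough to run instantly), and $H$ is SHA-256 squared modulo $p$, which lands in $G_q$ because the squares of $Z_p^*$ form the order-$q$ subgroup.

```python
from __future__ import annotations
import hashlib
import secrets

RNG = secrets.SystemRandom()

def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; this base set is exact for every n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits: int = 64) -> tuple[int, int]:
    """Public input (p, q): p = 2q + 1, both prime. Toy size here; the paper suggests k = 1024."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = safe_prime()

def hash_to_gq(s: str) -> int:
    """H: prefix string -> G_q (assumed instantiation: SHA-256 of counter|s, squared mod p)."""
    ctr = 0
    while True:
        h = int.from_bytes(hashlib.sha256(f"{ctr}|{s}".encode()).digest(), "big")
        g = pow(h % P, 2, P)
        if g > 1:                     # reject 0 and the identity and rehash
            return g
        ctr += 1

def random_gq() -> int:
    """A random element of G_q, used to pad A_i / B_i up to ell elements."""
    return pow(2 + secrets.randbelow(P - 3), 2, P)

def prefix_sets(x: int, ell: int) -> tuple[list[str], list[str]]:
    """X^1 and X^0 of Section 2.1: the prefix x_ell..x_{j+1} for every bit x_j = 1 (resp. 0)."""
    assert 0 <= x < 2 ** ell
    bits = format(x, f"0{ell}b")      # bits[0] is the most significant bit x_ell
    ones, zeros = [], []
    for k in range(ell):              # bits[:0] == "" is the empty prefix lambda
        (ones if bits[k] == "1" else zeros).append(bits[:k])
    return ones, zeros

def greater_than(x1: int, x2: int, ell: int) -> bool:
    """GT(x1, x2) in the clear: x1 > x2 iff X_1^1 and X_2^0 intersect."""
    return bool(set(prefix_sets(x1, ell)[0]) & set(prefix_sets(x2, ell)[1]))

def auction1(bids: dict[str, int], ell: int) -> dict[str, set[str]]:
    """Figure 2 over a simulated bulletin board: returns whom each bidder learns it outbid.
    With exactly two bidders the same exchange is the private bidding protocol of Figure 1."""
    names = list(bids)
    u = {i: 1 + secrets.randbelow(Q - 1) for i in names}   # u_i in Z_q^*
    v = {i: 1 + secrets.randbelow(Q - 1) for i in names}   # v_i in Z_q^*
    A, B = {}, {}
    for i in names:   # Preparation: A_i from X_i^1 and B_i from X_i^0, each padded to ell
        ones, zeros = prefix_sets(bids[i], ell)
        A[i] = [hash_to_gq(s) for s in ones] + [random_gq() for _ in range(ell - len(ones))]
        B[i] = [hash_to_gq(s) for s in zeros] + [random_gq() for _ in range(ell - len(zeros))]
    # First round: P_i posts m_{i,s} = a_{i,pi_i(s)}^{u_i}; RNG.sample applies the secret permutation
    m = {i: RNG.sample([pow(a, u[i], P) for a in A[i]], ell) for i in names}
    # Second round: P_i posts mu_{i,s} = b_{i,pi_i(s)}^{v_i} and alpha_{i,j,s} = m_{j,s}^{v_i}
    mu = {i: RNG.sample([pow(b, v[i], P) for b in B[i]], ell) for i in names}
    alpha = {(i, j): RNG.sample([pow(t, v[i], P) for t in m[j]], ell) for i in names for j in names if j != i}
    # Final: beta_{i,j,s} = mu_{j,s}^{u_i} = b_{j,.}^{v_j u_i} is compared with alpha_{j,i,s} = a_{i,.}^{u_i v_j};
    # a match means a_{i,.} = b_{j,.}, i.e. X_i^1 meets X_j^0, so x_i > x_j
    beats = {i: set() for i in names}
    for i in names:
        for j in names:
            if j != i:
                beta = {pow(t, u[i], P) for t in mu[j]}
                if any(a in beta for a in alpha[(j, i)]):
                    beats[i].add(j)
    return beats

def winner(beats: dict[str, set[str]]):
    """The bidder who outbid every other one, if any (a tie for the top leaves none)."""
    return next((i for i, l in beats.items() if len(l) == len(beats) - 1), None)
```

Because the exponents are bijections on $G_q$, a false match can only come from a hash or padding collision, which is the $O(2^{-k})$ error the correctness analysis discusses.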

Public Input:
• $(p, q)$: $p, q$ are random primes, $p = 2q + 1$, and $q$ is $k$-bit, where $k$ is a security parameter.
• $H$: a hash function mapping binary strings to values in $G_q$, the order-$q$ subgroup of $Z_p^*$.
• $E_i$, $1 \le i \le n$: $E_i$ is the encryption function of the bidder $P_i$.
Secret Input of $P_i$:
• $x_i$: $x_i$ is the bidding price.
• $\pi_i$: a permutation over $\{1, 2, \ldots, \ell\}$ used for mixing.
• $D_i$: $D_i$ is the decryption function for $E_i$.
Protocol:
• Preparation: Each player $P_i$ converts his bid $x_i$ into two sets of prefix strings, $X_i^1, X_i^0$, and then computes two $\ell$-element sets $A_i = \{a_{i,s} \mid a_{i,s} = H(x^1_{i,s}),\ x^1_{i,s} \in X_i^1,\ 1 \le s \le \ell\}$ and $B_i = \{b_{i,s} \mid b_{i,s} = H(x^0_{i,s}),\ x^0_{i,s} \in X_i^0,\ 1 \le s \le \ell\}$, with $a_{i,s}, b_{i,s} \in G_q$. If there are not enough elements, values are chosen at random from $G_q$.
• First Round: Each player $P_i$ does the following:
  1. Choose a random $u_i \in Z_q^*$ and compute $m_{i,s} = a_{i,\pi_i(s)}^{u_i}$ for $s = 1, 2, \ldots, \ell$.
  2. Post the values $m_{i,s}$ on the bulletin board for $s = 1, 2, \ldots, \ell$.
• Second Round: Each player $P_i$ does the following:
  1. Choose a random $v_i \in Z_q^*$ and compute $\mu_{i,s} = b_{i,\pi_i(s)}^{v_i}$ for $s = 1, 2, \ldots, \ell$.
  2. From the values $m_{j,s}$ posted by $P_j$, $1 \le j \ne i \le n$, compute $\alpha_{i,j,s} = m_{j,\pi_i(s)}^{v_i}$, and use the encryption function $E_{j+1}$ to encrypt $\alpha_{i,j,s}$ as $e_{i,j,s} = E_{j+1}(\alpha_{i,j,s})$ for $s = 1, 2, \ldots, \ell$.
  3. Post the values $\mu_{i,s}$ and $e_{i,j,s}$ on the board, where $1 \le s \le \ell$, $1 \le j \ne i \le n$.
• Third Round: Each player $P_i$ does the following:
  1. Use the decryption function $D_i$ to decrypt all values $e_{j,i-1,s}$, giving $\alpha_{j,i-1,s} = D_i(e_{j,i-1,s})$, where $1 \le j \ne (i - 1) \le n$, $1 \le s \le \ell$.
  2. Choose a random $w_i \in Z_q^*$ and compute the two sets $\Gamma_{i-1} = \{\alpha_{j,i-1,s}^{w_i} \mid 1 \le j \ne (i - 1) \le n,\ 1 \le s \le \ell\}$ and $\Delta_{i-1} = \{\mu_{j,s}^{w_i} \mid 1 \le j \ne (i - 1) \le n,\ 1 \le s \le \ell\}$. Use the mix technique to disorder the elements of each set.
  3. Post the sets $\Gamma_{i-1} = \{\gamma_{i-1,1}, \ldots, \gamma_{i-1,(n-1)\ell}\}$ and $\Delta_{i-1} = \{\delta_{i-1,1}, \ldots, \delta_{i-1,(n-1)\ell}\}$ on the bulletin board.
• Final: Each player $P_i$ does the following:
  – Read the two sets $\Gamma_i$ and $\Delta_i$ from the board, then compute $\Delta'_i = \{\delta'_{i,s} \mid \delta'_{i,s} = \delta_{i,s}^{u_i},\ 1 \le s \le (n - 1)\ell\}$.
  – Count the pairs $(\gamma_{i,s}, \delta'_{i,t})$ with $\gamma_{i,s} = \delta'_{i,t}$, $1 \le s, t \le (n - 1)\ell$. If there are $(n - 1)$ or more equal pairs, he is the winner. He then posts the variables $u_i, v_i$ and the winning price $x_i$; the other bidders can verify it in the same way.
Figure 3: auction2

2.3. Security Analysis

We discuss the security requirements of our protocols. A secure private bidding or auction protocol must satisfy two requirements: correctness and privacy. For correctness, we show that a player announces himself as the winner if and only if he has the highest bidding price. For privacy, we require that nobody learns the others' bidding prices except the winning price. As mentioned above, after the execution of the protocol auction1, each player knows the greater-than or less-than relationship between his bid and those of the other bidders. However, he learns nothing about the relationship between any pair of the others. After the execution of the protocol auction2, each bidder knows his order among all, but nothing about the others' orders.

2.3.1. Correctness

The correctness of our three protocols is based on the correctness of the greater-than function we present. Given two $\ell$-bit secrets $x_1$ and $x_2$, $x_1$ is greater than $x_2$ if and only if the intersection of $X_1^1$ and $X_2^0$ is not empty, and in that case there is exactly one element in the intersection. An error occurs when the players randomly choose values in $G_q$ to fill the two sets $A_i$ and $B_j$ such that $X_i^1$ and $X_j^0$ have no intersection but $A_i$ and $B_j$ do. The probability of randomly selecting the same element of $G_q$ is $O(2^{-k})$. If $k$ is large enough (e.g. $k = 1024$), the error probability is negligible and we can disregard it. Besides, in the protocol auction2 an error also occurs when $\gamma_{i,s}$ $(= a_{i,s}^{u_i v_j w_{i+1}})$ equals $\delta'_{i,t}$ $(= b_{h,t}^{u_i v_h w_{i+1}})$ but $a_{i,s} \ne b_{h,t}$, $j \ne h$. This probability is also $O(2^{-k})$ and can be ignored. Therefore, after the protocols private bidding, auction1 and auction2, the winner is the player who bid the highest price with overwhelming probability.

2.3.2. Privacy

An important goal of private bidding and sealed-bid auctions is to keep each player's bidding price secret during the protocol. We say that a player $P_i$ gets no information about another's bidding price $x_j$ if the view of $P_i$ in an execution of the protocol where $P_j$ bids $x_j$ is indistinguishable from the view in an execution where $P_j$ bids $x^*_j$. Under the DDH assumption, the following pairs of ensembles can be shown to be polynomially indistinguishable:
• $R^* = \{R^*_n\}$ and $D^* = \{D^*_n\}$:
  – $R^*_n = (p, q, g_1, g_2, g_1^a, g_2^b)$
  – $D^*_n = (p, q, g_1, g_2, g_1^a, g_2^a)$
• $S = \{S_n\}$ and $T = \{T_n\}$:
  – $S_n = (p, q, g_1, g_2, h_1, h_2, g_1^a, g_2^a)$
  – $T_n = (p, q, g_1, g_2, h_1, h_2, h_1^a, h_2^a)$
• $S' = \{S'_n\}$ and $T' = \{T'_n\}$:
  – $S'_n = (p, q, g_1, g_2, \ldots, g_\ell, h_1, h_2, \ldots, h_\ell, g_1^a, g_2^a, \ldots, g_\ell^a)$
  – $T'_n = (p, q, g_1, g_2, \ldots, g_\ell, h_1, h_2, \ldots, h_\ell, h_1^a, h_2^a, \ldots, h_\ell^a)$
where $p$ is an $n$-bit prime, $p = 2q + 1$, $q$ is also a prime, $g_i, h_i$ are generators of the order-$q$ subgroup $G_q$ of $Z_p^*$, and $a, b$ are chosen uniformly from $Z_q^*$.

In the protocols private bidding and auction1, we say $P_i$ gets no information about $P_j$'s bidding price if the following two views are polynomially indistinguishable:
• $\langle (m_{j,\ell}, \ldots, m_{j,1}),\ (\mu_{j,\ell}, \ldots, \mu_{j,1}),\ (\alpha_{j,i,\ell}, \ldots, \alpha_{j,i,1}) \rangle$ with $P_j$'s bid $x_j$
• $\langle (m^*_{j,\ell}, \ldots, m^*_{j,1}),\ (\mu^*_{j,\ell}, \ldots, \mu^*_{j,1}),\ (\alpha^*_{j,i,\ell}, \ldots, \alpha^*_{j,i,1}) \rangle$ with $P_j$'s bid $x^*_j$
where $x_j$ and $x^*_j$ satisfy the same result, e.g. $x_j < x_i$ and $x^*_j < x_i$. Based on the polynomial indistinguishability of the two ensembles $S'$ and $T'$, the following pairs of views are polynomially indistinguishable:
1. • $\langle p, q, a_{j,\ell}, \ldots, a_{j,1}, a^*_{j,\ell}, \ldots, a^*_{j,1}, m_{j,\ell} = (a_{j,\ell})^{u_j}, \ldots, m_{j,1} = (a_{j,1})^{u_j} \rangle$
   • $\langle p, q, a_{j,\ell}, \ldots, a_{j,1}, a^*_{j,\ell}, \ldots, a^*_{j,1}, m^*_{j,\ell} = (a^*_{j,\ell})^{u_j}, \ldots, m^*_{j,1} = (a^*_{j,1})^{u_j} \rangle$
2. • $\langle p, q, b_{j,\ell}, \ldots, b_{j,1}, b^*_{j,\ell}, \ldots, b^*_{j,1}, \mu_{j,\ell} = (b_{j,\ell})^{v_j}, \ldots, \mu_{j,1} = (b_{j,1})^{v_j} \rangle$
   • $\langle p, q, b_{j,\ell}, \ldots, b_{j,1}, b^*_{j,\ell}, \ldots, b^*_{j,1}, \mu^*_{j,\ell} = (b^*_{j,\ell})^{v_j}, \ldots, \mu^*_{j,1} = (b^*_{j,1})^{v_j} \rangle$
The two views $(\alpha_{j,\ell}, \ldots, \alpha_{j,1})$ and $(\alpha^*_{j,\ell}, \ldots, \alpha^*_{j,1})$ are identically distributed, since $\alpha_{j,s} = a_{i,s}^{u_i v_j} = \alpha^*_{j,s}$. Therefore the two views of $P_i$ are polynomially indistinguishable, and no player gets any information about another's bidding price. We must point out that when $x_i$ is greater than $x_j$, $P_i$ knows that there exists a bit $b$ such that $b = 1$ in $x_i$ and $b = 0$ in $x_j$, and the prefix strings of $b$ in $x_i$ and in $x_j$ are equal. However, if there is more than one 1-bit in $x_i$, $P_i$ still gets no information about which 1-bit makes $x_i$ greater than $x_j$, since each player uses a permutation to randomize the order of the values he sends to the other party.

The protocol auction2 is a modification of the protocol auction1, but its security is stronger: no bidder gets any information about the others' bidding prices except the order of his bid among all. We say that the player $P_i$ has no information about the others' bids $x_j$ except his order $\omega$ if, given two $(n - 1)$-bid vectors $\langle x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_n \rangle$ and $\langle x^*_1, \ldots, x^*_{i-1}, x^*_{i+1}, \ldots, x^*_n \rangle$ such that $(\omega - 1)$ bids $x_j$ (resp. $x^*_j$) are greater than $x_i$ and the others are less, $P_i$ cannot distinguish the following two views:
• $\langle \{m_{j,s}, \mu_{j,s}, e_{j,i,s}, \gamma_{i,t}, \delta_{i,t} \mid 1 \le j \ne i \le n,\ 1 \le s \le \ell,\ 1 \le t \le (n - 1)\ell\} \rangle$ with input $\langle x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_n \rangle$
• $\langle \{m^*_{j,s}, \mu^*_{j,s}, e^*_{j,i,s}, \gamma^*_{i,t}, \delta^*_{i,t} \mid 1 \le j \ne i \le n,\ 1 \le s \le \ell,\ 1 \le t \le (n - 1)\ell\} \rangle$ with input $\langle x^*_1, \ldots, x^*_{i-1}, x^*_{i+1}, \ldots, x^*_n \rangle$
The proof is similar to that of the protocol auction1; it can be shown that the following pairs of views are polynomially indistinguishable:
1. • $\langle p, q, \{a_{j,s}, a^*_{j,s}, m_{j,s} = (a_{j,s})^{u_j} \mid 1 \le j \ne i \le n,\ 1 \le s \le \ell\} \rangle$
   • $\langle p, q, \{a_{j,s}, a^*_{j,s}, m^*_{j,s} = (a^*_{j,s})^{u_j} \mid 1 \le j \ne i \le n,\ 1 \le s \le \ell\} \rangle$
2. • $\langle p, q, \{b_{j,s}, b^*_{j,s}, \mu_{j,s} = (b_{j,s})^{v_j} \mid 1 \le j \ne i \le n,\ 1 \le s \le \ell\} \rangle$
   • $\langle p, q, \{b_{j,s}, b^*_{j,s}, \mu^*_{j,s} = (b^*_{j,s})^{v_j} \mid 1 \le j \ne i \le n,\ 1 \le s \le \ell\} \rangle$
3. • $\langle p, q, \{b_{j,s}, b^*_{j,s}, \delta_{i,t} = (b_{j,s})^{v_j w_{i+1}} \mid 1 \le j \ne i \le n,\ 1 \le s \le \ell,\ 1 \le t \le (n - 1)\ell\} \rangle$
   • $\langle p, q, \{b_{j,s}, b^*_{j,s}, \delta^*_{i,t} = (b^*_{j,s})^{v_j w_{i+1}} \mid 1 \le j \ne i \le n,\ 1 \le s \le \ell,\ 1 \le t \le (n - 1)\ell\} \rangle$
Since $e_{j,i,s} = E_{i+1}(\alpha_{j,i,s}) = E_{i+1}((a_{i,s})^{u_i v_j})$, $e^*_{j,i,s} = E_{i+1}(\alpha^*_{j,i,s}) = E_{i+1}((a_{i,s})^{u_i v_j})$, and $\gamma_{i,s} = (a_{i,s})^{u_i v_j w_{i+1}} = \gamma^*_{i,s}$, the following pairs of views are identically distributed:
1. • $\langle \{e_{j,i,s} \mid 1 \le j \ne i \le n,\ 1 \le s \le \ell\} \rangle$
   • $\langle \{e^*_{j,i,s} \mid 1 \le j \ne i \le n,\ 1 \le s \le \ell\} \rangle$
2. • $\langle \{\gamma_{i,t} \mid 1 \le t \le (n - 1)\ell\} \rangle$
   • $\langle \{\gamma^*_{i,t} \mid 1 \le t \le (n - 1)\ell\} \rangle$
Thus the two views of $P_i$ are polynomially indistinguishable. Since $x_j$ (resp. $x^*_j$) is chosen to satisfy the result of the protocol, $P_i$ finds the order $\omega$ of his bid in the final phase. Therefore, no player gets any information about the others' bids except the order of his bid among all.

2.4. Performance

We discuss the computation and communication cost of our protocols.
Let $n$ be the number of bidders, $\ell$ the bit length of the bidding prices, and $p$ the modulus of the discrete logarithm problem. The protocol private bidding in Figure 1 requires two rounds of communication; the amount of data in each round is $O(\ell)$. Each bidder spends about $4\ell$ modular exponentiations in $Z_p$. The protocol auction1 in Figure 2 requires two rounds of communication. In the first round, the amount of data on the bulletin board is $n\ell$; in the second round it is $n^2\ell$. Each bidder spends about $2n\ell$ modular exponentiations in $Z_p$. The protocol auction2 in Figure 3 requires three rounds of communication. In the first round, the amount of data on the board is $n\ell$; in the second round it is $n^2\ell$; in the third round it is $2n^2\ell - 2n\ell$. Each bidder spends about $4n\ell - 2\ell$ modular exponentiations in $Z_p$.

We compare our protocols with the existing private bidding and sealed-bid auction protocols. Table 1 shows the types of trusted third parties used in all the protocols compared. Table 2 shows the computation complexity. Table 3 shows the communication complexity. Table 4 shows the privacy of the auction protocols.

Table 1: comparison of trusted third parties
protocol                | trusted third party
[Cac99] private bidding | 1 oblivious server
[Cac99] auction         | 2 non-colluding servers
[Fis] private bidding   | 1 oblivious server
[BS] auction            | 1 semi-trusted server
our private bidding     | none
our auction1            | 1 public bulletin board
our auction2            | 1 public bulletin board

Table 2: comparison of computation complexity
protocol                | bidder                                        | server
[Cac99] private bidding | $\ell$ encryptions                            | $2\ell$ modular exponentiations
[Cac99] auction         | $2n\ell$ encryptions                          | $2n\ell$ modular exponentiations
[Fis] private bidding   | $6\ell\lambda + \ell$ modular multiplications | $2\ell\lambda$ decryptions
[BS] auction            | $n\ell$ encryptions                           | $n(n-2)\ell^{(n-1)}$ modular multiplications
our private bidding     | $4\ell$ modular exponentiations               | –
our auction1            | $2n\ell$ modular exponentiations              | –
our auction2            | $4n\ell - 2\ell$ modular exponentiations      | –

Table 3: comparison of communication complexity
Round(s):
protocol            | bidder ⇔ bidder | bidder ⇔ server (board) | server ⇔ server
[Cac99] bidding     | 1               | 1                       | –
[Cac99] auction     | –               | 1                       | $O(n)$
[Fis] bidding       | 1               | 1                       | –
[BS] auction        | –               | 1                       | –
our private bidding | 2               | –                       | –
our auction1        | –               | 2                       | –
our auction2        | –               | 3                       | –

Message complexity (in blocks):
protocol            | bidder ⇔ bidder | bidder ⇔ server (bidder ⇔ board) | server ⇔ server | total amount on the board
[Cac99] bidding     | $\ell$          | $\ell$                           | –               | –
[Cac99] auction     | –               | $2n\ell$                         | $n\ell$         | –
[Fis] bidding       | $\ell$          | $\ell\lambda$                    | –               | –
[BS] auction        | –               | $n\ell^{n-1}$                    | –               | –
our private bidding | $2\ell$         | –                                | –               | –
our auction1        | –               | $n\ell$                          | –               | $n^2\ell$
our auction2        | –               | $2n\ell - 2\ell$                 | –               | $2n^2\ell - 2n\ell$

Table 4: comparison of privacy
protocol        | privacy
[Cac99] auction | reveals the greater-than and less-than relationships of the bids to one auctioneer
[BS] auction    | reveals nothing
our auction1    | reveals the greater-than and less-than relationships of the bids to the bidders
our auction2    | reveals the order of the bids among all to the bidders

3. Conclusion

In this paper, we proposed a novel construction for the secure computation of the greater-than function and applied it to two-party private bidding and first-price sealed-bid auctions. Compared with existing schemes, our protocols require no trusted third parties; instead, a public bulletin board is used. The private bidding protocol needs two rounds of communication between the two bidders. The auction protocol auction1 takes two rounds of communication between the bidders and the bulletin board, and auction2 takes three rounds. All computation is linear in the bit length $\ell$ of the bidding price, the number of bidders $n$, and the security parameter $k$. Finally, we point out some possible improvements and directions for further work.
• Enhanced security: the auction protocols we developed reveal the partial order of the bids to the bidders.
• Robustness: an actively cheating player might collapse the process. For example, there is no good way to prevent a bidder from preparing incorrect prefix-string sets for his bidding price. Although an adversary gains nothing by cheating, his improper play might cause the auction to fail.
• Vickrey auction: the Vickrey auction has better revenue, since the optimal strategy for each bidder in this type of auction is to bid his true value. Some researchers have studied Vickrey or (M+1)-st price auctions; however, their methods need the support of trusted third parties.

References

[AS02] Masayuki Abe and Koutarou Suzuki. M+1-st price auction using homomorphic encryption. Public Key Cryptography 2002, 2002.
[Boy00] Colin Boyd. Security issues for electronic auctions. Technical report, HP Labs, 2000.
[BS] Olivier Baudron and Jacques Stern. Non-interactive private auctions. Financial Cryptography 2001.
[Cac99] Christian Cachin. Efficient private bidding and auctions with an oblivious third party. The 6th ACM Conference on Computer and Communications Security, 1999.
[DH76] W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.
[Fis] Marc Fischlin. A cost-effective pay-per-multiplication comparison method for millionaires. RSA 2001.
[FR96] Matthew K. Franklin and Michael K. Reiter. The design and implementation of a secure auction service. IEEE Transactions on Software Engineering, 22(5):302–312, May 1996.
[HTK98] Michael Harkavy, J. D. Tygar, and Hiroaki Kikuchi. Electronic auctions with private bids. The Third USENIX Workshop on Electronic Commerce, pages 61–83, 1998.
[KF98] Manoj Kumar and Stuart I. Feldman. Internet auctions. The Third USENIX Workshop on Electronic Commerce, pages 49–60, 1998.
[Kik01] Hiroaki Kikuchi. (m+1)st-price auction. The Fifth International Conference on Financial Cryptography '01, pages 291–298, February 2001.
[MvOV96] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, October 1996.
[NPS99] Moni Naor, Benny Pinkas, and Reuben Sumner. Privacy preserving auctions and mechanism design. The First ACM Conference on Electronic Commerce, November 1999.
[Sak00] Kazue Sako. An auction protocol which hides bids of losers. Public Key Cryptography 2000, pages 422–432, 2000.
[SS99] Stuart G. Stubblebine and Paul F. Syverson. Fair on-line auctions without special trusted parties. Financial Cryptography '99, pages 230–240, 1999.
[Yao82] A. Yao. Protocols for secure computation. The 23rd IEEE Symposium on Foundations of Computer Science, pages 160–164, 1982.
[Yao86] A. Yao. How to generate and exchange secrets. The 27th IEEE Symposium on Foundations of Computer Science, pages 162–167, 1986.
