National Chiao Tung University
Institute of Computer Science and Engineering
Master's Thesis

A Study of Agent-based English Auction Protocols for Mobile Commerce

Student: Yu-Ting Chen (陳鈺婷)
Advisor: Prof. Shih-Kun Huang (黃世昆)

A Thesis Submitted to the Institute of Computer Science and Engineering, College of Computer Science, National Chiao Tung University, in partial Fulfillment of the Requirements for the Degree of Master in Computer and Information Science
July 2011
Hsinchu, Taiwan, Republic of China
Student: Yu-Ting Chen    Advisor: Shih-Kun Huang
Institute of Computer Science and Engineering, National Chiao Tung University
Abstract
With the rapid growth of network technology and the spread of personal mobile phones, online auctions conducted from mobile devices have considerable commercial potential. Within the requirements and constraints of mobile devices, this thesis integrates mobile agent technology with the English auction protocol, so that bidders take part in auctions and bidding through agents, and builds an online auction environment on the English auction protocol that offers users a secure, fair and efficient auction environment. The protocol has four participants: the registration manager, the agent manager, the auction house manager and the bidder. The registration manager registers and authenticates bidders' identities; the agent manager manages or controls all related agents and issues transaction public keys to bidders; the auction house manager provides the auction venue and maintains and hosts the whole auction; the bidder is the buyer who takes part in the auction and places bids. The protocol satisfies the security requirements of electronic auction protocols: anonymity, traceability, non-framing, unforgeability, non-repudiation, fairness, public verifiability, unlinkability among different auctions, linkability within the same auction, efficient bidding, one-time registration and easy revocation. To suit the network environment, the time cost of transmitting bidding information must also be considered; this thesis therefore has each manager publish bidding information on a bulletin board, and applies the elliptic curve cryptosystem, whose short keys and low computation cost improve the speed of key generation and bidding and the efficiency of verification while reducing the computation on mobile devices and the load on servers, thereby making the online auction system more convenient.
Keywords: mobile agent, English auction, elliptic curve cryptosystem, anonymity, public verifiability

A Study of Agent-based English Auction Protocols for Mobile Commerce
Student:Yu-Ting Chen Advisor:Dr. Shih-Kun Huang
Institute of Computer Science and Engineering
National Chiao Tung University
ABSTRACT
Rapid development of the Internet and the extensive use of mobile phones have increased the potential for applying mobile devices to online auctions. Keeping the needs and constraints of mobile devices in mind, this thesis proposes a secure, fair and effective online auction environment based on the English auction protocol, integrating its operation with mobile agent technology so that bidders participate in online auctions through mobile agents. The protocol consists of four participants: Registration Manager, Agent House, Auction House and Bidder. The Registration Manager is responsible for bidders' identity registration and verification. The Agent House manages and controls all related agents and assigns the public transaction keys to bidders. The Auction House provides a place for the auction and maintains and hosts all operations necessary for an online auction to take place. The Bidder is the buyer interested in purchasing items from the auction. The proposed scheme satisfies the following security requirements of an online auction protocol: anonymity, traceability, non-framing, unforgeability, non-repudiation, fairness, public verifiability, unlinkability among various auction rounds, linkability within a single auction round, bidding efficiency, one-time registration and easy revocation. Given the complex nature of the Internet environment, the time cost of bidders' data transmission is also considered; this thesis therefore uses the bulletin board approach for managers to publish bidding information. The Elliptic Curve Cryptosystem, with its small key size and low computation cost, is applied to improve the speed of key generation and bidding and the efficiency of verification. By reducing the computation cost for mobile devices and the load on servers, the convenience of conducting online auctions is enhanced as well.
Keywords: Mobile Agent, English Auction, Elliptic Curve Cryptosystem, Anonymity, Public Verification
1. Introduction
1.1 Background and Motivation
1.2 Objective
1.3 Thesis Outline
2. Related Work
2.1 Omote and Miyaji's scheme
2.2 The scheme by Lee et al.
2.3 The scheme by Chang et al.
3. Preliminaries
3.1 Mathematical theories
3.1.1 One-way Hash Function
3.1.2 Discrete Logarithm Problem
3.1.3 Integer Factorization Problem
3.2 Principles of cryptography
3.2.1 Public-Key Cryptosystem
3.2.2 RSA Cryptosystem
3.2.3 ElGamal Digital Signature
3.2.4 Diffie-Hellman key exchange
3.2.5 Elliptic Curve Cryptosystem
3.3 Mobile agent
3.3.1 Basic concept of mobile agent
3.3.2 Mobile Auction Agent Model (MoAAM)
4. Proposed scheme
4.2.1 Initialization
4.2.2 Registration
4.2.3 Generation of Transaction Public Key
4.2.4 Signature
4.2.5 Auction Bidding
4.2.6 Winner Announcement
4.3 Using Elliptic Curve Cryptosystem
4.3.1 Initialization
4.3.2 Registration
4.3.3 Generation of Transaction Public Key
4.3.4 Signature
4.3.5 Auction Bidding
4.3.6 Winner Announcement
5. Security and efficiency analysis
6. Conclusion
List of Tables
Table 1: Points over the elliptic curve $E_{23}(1,4)$
Table 2: System Parameters for modular exponentiation scheme
Table 3: System Parameters for Elliptic Curve Cryptosystem scheme
Table 4: Time complexity comparison
List of Figures
Figure 1: Tree-based structure of key management and access control
Figure 2: Hierarchical structure of key management and access control
Figure 3: Communication in MoAAM
Figure 4: Architecture of MoAAM
1. Introduction
Over the past few years, as Internet technology has matured and the World Wide Web has become widespread, the Internet has crossed geographical boundaries, its applications have diversified, and it has become the largest information communication network and marketing medium. At the same time, it has changed the way business is done, and many kinds of online transactions and auctions have appeared. Because the Internet is instantaneous and interactive, online transactions and auctions offer advantages over traditional business, such as providing the latest business information at lower cost or 24-hour service. As a result, the proportion of people using online auctions has gradually overtaken that of traditional auctions, and the functions and effectiveness of online auctions exceed those of traditional auctions. However, the security problems that accompany the growth of online auctions have become one of the important issues for e-business. With improved network capability and the growing number of smart phones, more and more people perform Internet activities, online auctions among them, through mobile devices. To satisfy the demand for mobile commerce, it is necessary to develop techniques that meet the requirements and limitations of mobile devices.
1.1 Background and Motivation
With the popularization of the World Wide Web and its prompt adaptation to trends, traditional auction systems and business transactions have gradually moved to network platforms. Online auctions not only remove general problems such as the location constraints faced by traditional auctions, but also allow transactions to be conducted in conditions that are much freer and more public, making information more transparent and thus trading fairer and more equal for interested parties [1]. Online English auctions have therefore come to replace offline traditional auctions and are more powerful and capable than them.
With the rapid development of mobile phones, the demand for mobile commerce has increased as a consequence, and mobile service providers have begun launching mobile commerce services in response to market demand. To meet auction security demands in an environment of heterogeneous networks, it is necessary to develop an auction mechanism that satisfies both the mobility and the constraints of mobile devices. This thesis therefore presents research and analysis on current auction mechanisms and, by employing the mobility and autonomy of mobile agents, presents a safe, fair and efficient online auction environment.
Today the auction protocols applied over the Internet include open auctions and sealed-bid auctions. Open auctions can be subdivided into two types: the English auction and the Dutch auction [1]. In an English auction, all participating bidders place their bids on the basis of a reserve price set beforehand by the host. Once everything is in place, the host starts the bidding; as the bid price increases, the bidder with the highest price wins when the auction time ends. In a Dutch auction, bidders bid at lower prices, and the auction closes when a bidder is willing to pay the final price [2]. Bidders in an English auction can observe their competitors' bidding behaviour during the entire auction and immediately adjust how they place their own bids. The protocol is therefore highly competitive, since it forces the bid price upward when the goods are desirable. The English auction protocol is thus efficient, because a good protocol sells the auctioned goods to someone willing to pay a higher price [3]. As a result, the expected return on goods sold under the English auction protocol is usually higher than under other protocols, and most auction websites, such as eBay and Yahoo! Auctions, use the English auction. This thesis therefore focuses on how to apply the English auction protocol to mobile commerce.
1.2 Objective
For the auction model in a mobile environment, Kuo-Hsuan Huang proposed the Mobile Auction Agent Model (MoAAM) [4], which allows bidders to participate in online auctions through mobile agents. Huang's scheme relies on modular exponentiation, which increases the processing time for key generation, bidding and verification. This thesis therefore adds the Elliptic Curve Cryptosystem (ECC) to MoAAM, because ECC offers low computation cost and a small key size, which speeds up key generation, bidding and verification. By reducing the computation on the mobile device and the workload of the connected server, the proposed scheme makes the online auction system more convenient for users. To maintain a fair and secure auction, the following security features are required [5]:
(1) Anonymity: During the course of an auction, no one is able to recognize the other bidders' identities.
(2) Traceability: The winner's real identity can be recognized at the end of the auction.
(3) No framing: The identities of all bidders remain independent. No one can falsely claim to be any other bidder who participated in the auction.
… winning bidder has been announced.
(6) Fairness: All bidding must be conducted in an open and fair manner.
(7) Public verifiability: Anyone can verify the identity and bid prices of the participating bidders.
(8) Unlinkability among various auction rounds: Nobody can link the same bidder's identity across different rounds of auction.
(9) Linkability within a single auction round: A bidder can repeatedly place new bid prices within a single auction round and be recognized by the other bidders.
(10) Efficient bidding: To make bidding efficient, computation time must be minimized.
(11) One-time registration: The bidder only needs to register once and can then participate in all auctions that are opened.
(12) Easy revocation: The registration manager can easily revoke someone's right to bid.
1.3 Thesis Outline
The rest of this thesis is organized as follows. Section 2 reviews related work on English auction protocols. Section 3 introduces the background of the proposed scheme, including mathematical theories, principles of cryptography and mobile agents. Section 4 presents our proposed scheme, which applies ECC to MoAAM. Section 5 gives a security analysis of the proposed scheme. Section 6 concludes and gives recommendations for further study.
2. Related Work
In English auction protocol research, Omote and Miyaji [6] were the first, in 2001, to propose adding a bulletin board for verification, constructing an English auction protocol that satisfies the various security concerns of an auction while reducing computation and server load during the auction. Their method was based on the concept proposed by Nguyen and Traore [7, 8], who used group signature technology in an English auction protocol to raise the security level for bidders. For security reasons, however, Omote and Miyaji's scheme does not publish any bidder information, so as to avoid breaching bidders' privacy; yet this could violate the anonymity, fairness and unlinkability among auction rounds that the English auction protocol requires.
Later, Lee et al. [5] improved Omote and Miyaji's method. Their scheme allows bidders' identities and information to be published while keeping unlinkability among auction rounds, i.e. bidders' identities cannot be identified from information released in previous auction rounds.
In 2003, Chang et al. [9] proposed a much simpler and more effective method for anonymity in English auctions. However, Jiang et al. [10] pointed out that Chang et al.'s method was not secure enough to protect bidders' privacy and rights, because bidders have no way to verify whether the shared keys they hold belong to the same auctioneer during the auction. Chang et al. subsequently used an alias to resolve the situation [11].
2.1 Omote and Miyaji's scheme
… information of bidders to improve the efficiency of the group-signature English auction protocol proposed by Nguyen and Traore [7, 8]. Omote and Miyaji's scheme has three main entities: the Bidder, the Registration Manager (RM) and the Auction Manager (AM). During the auction, RM manages the correspondence between bidder identities and public keys. AM manages a bulletin board, maintains the operations and hosts the auctions. When a bidder must be identified after the winner decision procedure or in a later dispute, AM only has to ask RM to identify the bidder to complete the auction. Omote and Miyaji claimed that their scheme satisfies the security features of the English auction: (1) Anonymity, (2) Traceability, (3) No framing, (4) Unforgeability, (5) Fairness, (6) Verifiability, (7) Unlinkability among different auctions, (8) Linkability in an auction, (9) Efficiency of bidding, (10) One-time registration, and (11) Easy revocation. The participants and parameters of the scheme proposed by Omote and Miyaji are explained below:
【Entity】
Registration Manager (RM): responsible for managing and storing the correspondence between bidder identity and public key, and for sending the bidder's identity to the vendor when that bidder wins.
Auction Manager (AM): responsible for maintaining the operations and hosting the auctions.
Bidder (B): a participant in an auction that AM holds.
【Notation】
$p, q$: two large primes, satisfying $q \mid p-1$;
$g$: an element $g \in Z_p$ with order $q$;
$i$: the index of bidders ($i = 1, \ldots, I$);
$B_i$: bidder $i$;
$x_i$: the secret key of $B_i$ ($x_i \in Z_q$);
$y_i$: the public key of $B_i$ ($y_i = g^{x_i} \bmod p$);
$r_i$: AM's random number for $B_i$ ($r_i \in Z_q$);
$t_i$: a random number of $B_i$ ($t_i \in Z_q$);
$T_i$: an auction key for $B_i$;
$k$: the index of auctions ($k \ge 1$);
$X_{AM}$: AM's secret key ($X_{AM} \in Z_q$);
$Y_{AM}$: AM's public key ($Y_{AM} = g^{X_{AM}} \bmod p$);
$Enc$: $Enc(key, data)$ is a secret-key encryption function using the secret key $key$;
$Enc^j$: $Enc^j(key, data)$ is $j$-times encryption using the same key, i.e. $Enc^j(key, data) = Enc(key, Enc^{j-1}(key, data))$.
The operation of the scheme includes: (1) Initialization, (2) Bidder Registration, (3) AM’s Setup, (4) Bidding, (5) Verifiability, and (6) Winner Announcement. The different stages are described as follows:
【Initialization】
The system parameters of RM and AM are set as follows: RM publishes $p$, $q$ and $g$ on his bulletin board. AM calculates $Y_{AM} = g^{X_{AM}} \bmod p$ with $X_{AM} \in Z_q$ and publishes $Y_{AM}$.
【Bidder Registration】
When a new bidder $B_i$ joins the auction, he/she must follow these steps to request registration from RM:
Step 1: Select a private key $x_i \in Z_q$ and calculate its corresponding registration key $y_i = g^{x_i} \bmod p$.
Step 2: Select a random number $t_i \in Z_q$, named the ticket.
Step 3: Send $\{y_i, t_i\}$ to RM as the registration key, register his/her identity, and prove knowledge of the discrete logarithm $x_i$ of $y_i$ to the base $g$ by showing $V_1$:
$V_1 = SK[\alpha : y_i = g^{\alpha}](m_R)$
Step 4: After RM authenticates the validity of $V_1$, RM publishes the bidder's registration key $\{y_i, t_i\}$ on his bulletin board and keeps the bidder's name and the corresponding registration in its own database.
【Auction Setup by AM】
Assume that the set of registered bidders is $B_i$ ($i = 1, 2, \ldots, I$). When an auction is requested, AM follows these steps to set up the auction, which is assumed to be the $k$-th auction:
Step 1: AM calculates a shared secret key $y_i^{X_{AM}} \bmod p$ with each bidder $B_i$ ($i = 1, 2, \ldots, I$).
Step 2: AM generates the random numbers $r_i \in Z_q$ ($\{r_1, r_2, \ldots, r_I\}$) for each bidder published on RM's bulletin board and keeps $\{r_1, r_2, \ldots, r_I\}$ secret.
Step 3: AM encrypts $t_i$ as $Enc^k(y_i^{X_{AM}}, t_i) = Enc(y_i^{X_{AM}}, Enc^{k-1}(y_i^{X_{AM}}, t_i))$, the $k$-times encryption function using the shared key $y_i^{X_{AM}}$.
Step 4: AM calculates the following auction key $T_i$ for $B_i$ using $B_i$'s public key $y_i$ published on RM's bulletin board.
Step 5: AM publishes the shuffled auction keys $T_i$ of all bidders on his bulletin board.
【Bidding】
To participate in the $k$-th auction, $B_i$ must complete the following steps:
Step 1: Use AM's public key $Y_{AM}$ to calculate $y_i^{X_{AM}}$ as follows: $y_i^{X_{AM}} = Y_{AM}^{x_i} \bmod p$.
Step 2: Calculate the auction certificate $T_i$ as follows: $T_i = (g^{r_i}, y_i^{r_i}, Enc^k(Y_{AM}^{x_i}, t_i))$. $T_i$ must be verified to match the information posted on AM's bulletin board.
Step 3: Generate the signature of knowledge $V_2$ for the bid $m_i$ as follows: $V_2 = SK[\alpha : y_i^{r_i} = (g^{r_i})^{\alpha}](m_i)$
Step 4: Finally, send the bid information $\{m_i, y_i^{r_i}, g^{r_i}, V_2\}$.
【Verifiability】
After $B_i$ publishes the bid information $\{m_i, y_i^{r_i}, g^{r_i}, V_2\}$, anyone can verify it as follows:
Step 1: Anybody can confirm that the bidder surely knows the discrete logarithm $x_i$ of $y_i$ by checking the validity of the signature of knowledge $V_2$. Otherwise, AM removes the illegal bid information from his bulletin board.
Step 2: Anybody can accept that the signer is one of the bidders if the values $y_i^{r_i}$ and $g^{r_i}$ in $V_2$ are published on AM's bulletin board. If they are, the bidder who owns the bid information is a legitimate bidder.
【Winner Announcement】
At the end of the bidding, AM, on obtaining the information of the highest bid, forwards the $r_i^{-1}$ of $B_i$ to RM. RM then uses $y_i^{r_i}$ and $r_i^{-1}$ to calculate $y_i$, and saves the comparison result in the database to confirm the bidder's identity and then inform the vendor of the winner's identity.
Although the scheme of Omote and Miyaji satisfies the security requirements of English Auction, the real identity of the winner cannot be published for verification. In the winner announcement stage, RM secretly informs the vendor of winner’s identity. Therefore, other bidders and AM cannot verify the legality of winner. If RM announces the winner’s identity, AM can get his/her real identity from the public key that could violate the purpose of anonymity, fairness, and unlinkability among auction rounds [5].
2.2 The scheme by Lee et al.
Lee et al. [5] fixed the security problem of Omote and Miyaji's scheme [6] that the winner's identity cannot be published, and proposed the essential requirements of a public auction. The scheme of Lee et al. is as follows:
【Entity】
Registration Manager (RM): in charge of the registration process; keeps a secret database of bidders' identity information and the corresponding secret parameters. After the winner decision procedure, RM and AM together post the winning bidder's information on the winner announcement bulletin board.
Auction Manager (AM): responsible for managing and hosting the auction. After the winner decision procedure, RM and AM together post the winning bidder's information on the winner announcement bulletin board.
Bidder (B): a participant in an auction that AM holds.
【Notation】
$p, q$: two large primes, satisfying $q \mid p-1$;
$g$: an element $g \in Z_p$ with order $q$;
$B_i$: bidder $i$;
$x_i$: the secret key of $B_i$ ($x_i \in Z_q$);
$y_i$: the public key of $B_i$ ($y_i = g^{x_i} \bmod p$);
$t_i$: a random number of $B_i$ ($t_i \in \{0,1\}^*$);
$T_i$: a ticket identifier for $B_i$;
$k$: the index of auctions ($k \ge 1$);
$X_{AM}$: AM's secret key ($X_{AM} \in Z_q$);
$Y_{AM}$: AM's public key ($Y_{AM} = g^{X_{AM}} \bmod p$);
$h(x)$: a one-way hash function, satisfying $h^k(x) = h(x, h^{k-1}(x))$.
The operation of the scheme includes six stages: (1) Initialization, (2) Bidder Registration, (3) Round key Setup, (4) Auction Ticket Preparation, (5) Bidding, and (6) Winner Announcement. The different stages are as described below:
【Initialization】
RM and AM cooperatively set up the system parameters in this stage.
RM executes the following procedure:
Step 1: Set up two read-only bulletin boards, and post the identities and public keys of all bidders on the registration bulletin board and the round keys of all bidders on the round key bulletin board. RM is the only one who can write and update these bulletin boards.
Step 2: Publish $p$, $q$, $g$ and $h(x)$ on his bulletin boards.
Step 3: Together with AM, set up a read-only winning bidder bulletin board and post the winning bidder's information, which is used to verify the winner's identity. Only RM and AM have the authority to write and update this bulletin board.
AM executes the following procedure:
Step 1: … verification information of all bidders. AM is the only one who can write and update this bulletin board.
Step 2: Randomly select an integer $X_{AM} \in Z_q$ as the private key and use it to calculate the corresponding public key $Y_{AM} = g^{X_{AM}} \bmod p$.
Step 3: Publish $Y_{AM}$.
Step 4: Together with RM, set up a read-only winning bidder bulletin board and post the winning bidder's information, which is used to verify the winner's identity. Only RM and AM have the authority to write and update this bulletin board.
【Bidder Registration】
When a new bidder $B_i$ joins the auction, he/she must follow these steps to request registration from RM:
Step 1: Select a private key $x_i \in Z_q$ and calculate its corresponding registration key $y_i = g^{x_i} \bmod p$.
Step 2: Select a random number $t_i \in \{0,1\}^*$ and keep it secret.
Step 3: Send $\{B_i, y_i, t_i\}$ to RM secretly and prove his/her knowledge of the private key $x_i$ in zero-knowledge.
Step 4: If RM accepts $B_i$'s registration, RM publishes $\{B_i, y_i\}$ on his registration bulletin board.
【Round key Setup】
RM calculates $n$ round keys $RK_{i,k}$ for all $n$ bidders using $y_i$ and $t_i$ in the $k$-th round of auction as follows: $RK_{i,k} = y_i^{h^k(t_i)} \bmod p$
Then RM shuffles and publishes them on his round key bulletin board. Nobody except RM and $B_i$ knows the correspondence between $y_i$ and $RK_{i,k}$.
【Auction Ticket Preparation】
AM gets the list of all round keys $RK_{i,k}$ of the $n$ valid bidders $B_i$ ($i = 1, 2, \ldots, I$) from RM's round key bulletin board. AM then executes the following steps to complete the setup of the auction:
Step 1: Select the random numbers $r_i \in Z_q$ ($\{r_1, r_2, \ldots, r_I\}$) for each bidder $B_i$ ($i = 1, 2, \ldots, I$).
Step 2: Calculate the auction keys $\{(RK_{i,k})^{r_i}, g^{r_i}\}$ for each bidder $B_i$ ($i = 1, 2, \ldots, I$).
Step 3: Calculate the ticket identifier $T_i$ for each bidder $B_i$ ($i = 1, 2, \ldots, I$) as follows: $T_i = h((RK_{i,k})^{X_{AM}} \bmod p)$. $\{T_i, (RK_{i,k})^{r_i}, g^{r_i}\}$ is the auction ticket by which AM grants $B_i$ the authorization to participate in the $k$-th round of auction.
Step 4: Shuffle and publish the auction tickets $\{T_i, (RK_{i,k})^{r_i}, g^{r_i}\}$ on the auction ticket bulletin board.
【Bidding】
To participate in the $k$-th round of auction, $B_i$ must complete the following steps:
Step 1: Calculate the round key of the $k$-th round, $RK_{i,k} = y_i^{h^k(t_i)} \bmod p$, and verify that it matches the one posted on RM's round key bulletin board. If the round key is not listed, he/she can complain to RM.
Step 2: Calculate the ticket identifier $T_i = h(Y_{AM}^{x_i h^k(t_i)})$. $T_i$ must be verified to match the information posted on AM's auction ticket bulletin board. If $B_i$'s ticket identifier is listed on the auction ticket bulletin board, he/she can get the auction ticket $\{T_i, (RK_{i,k})^{r_i}, g^{r_i}\}$ granted by AM. Otherwise, $B_i$ can complain to AM.
Step 3: $B_i$ checks the validity of the auction ticket $\{T_i, (RK_{i,k})^{r_i}, g^{r_i}\}$ as below: $(g^{r_i})^{x_i h^k(t_i)} \bmod p \stackrel{?}{=} (RK_{i,k})^{r_i} \bmod p$. If it does not hold, $B_i$ can complain to AM.
Step 4: Prepare the bid information $\{T_i, m_i, V_i\}$ as follows and post it on the bidding bulletin board: $m_i = (auction\_ID \,\|\, bid\_value)$, $V_i = SK[\alpha : (RK_{i,k})^{r_i} = (g^{r_i})^{\alpha}](m_i)$, where $\alpha = x_i h^k(t_i)$.
【Winner Announcement】
Assume that the bid $m_i$ of bidder $B_i$ is the highest bid at the end of the bidding stage. AM and RM jointly publish the winner's related information on the winner announcement bulletin board for others to verify the winner's identity. The steps are as follows:
Step 1: AM announces the winner's bid information $\{T_i, m_i, V_i\}$ on the winner announcement bulletin board.
Step 2: AM posts $\{T_i, r_i, RK_{i,k}\}$ on the winner announcement bulletin board, which allows anyone to confirm the correlation between $RK_{i,k}$ and $(RK_{i,k})^{r_i}$.
Step 3: RM posts $\{RK_{i,k}, h^k(t_i), y_i\}$ on the winner announcement bulletin board, which allows anyone to confirm the correspondence $RK_{i,k} = y_i^{h^k(t_i)} \bmod p$ between $RK_{i,k}$ and $y_i$. This shows that $B_i$ is the winner.
Step 4: Anyone can verify that $B_i$ is the winner using the published values $r_i$ and $h^k(t_i)$.
Lee et al.'s scheme solves the security concern of Omote and Miyaji's scheme that the winner's identity cannot be published. However, if $n$ bidders participate in the auction, AM not only publishes $3n$ pieces of information on the auction ticket bulletin board but also selects a random secret number for each bidder and performs modular exponentiation with it, which increases the computation amount.
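The following is an added example, not code from the thesis or from Lee et al.: a toy run of the round-key, auction-ticket and bid flow of Section 2.2, with the signature of knowledge $SK[\alpha : pub = base^{\alpha}](m)$ (used as $V_2$ in Section 2.1 and as $V_i$ here) realised as a Schnorr-style proof made non-interactive with a hash. The primes, hash choice and bidder values are constructed for illustration only.

```python
# Added example (not the thesis's code): a toy run of Lee et al.'s round-key,
# auction-ticket and bid flow.  The signature of knowledge SK[a : pub = base^a](m)
# that Omote-Miyaji's V_2 and Lee et al.'s V_i both use is done Schnorr-style.
import hashlib
import secrets

# Constructed toy parameters (far too small for real use): q | p-1, g of order q.
P = 1019                      # prime, P - 1 = 2 * 509
Q = 509                       # prime divisor of P - 1
G = pow(2, (P - 1) // Q, P)   # 2^2 = 4, which has order Q in Z_P^*

def H(*parts):
    """The scheme's one-way hash h(.), modelled with SHA-256 and read as an integer."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def h_k(t, k):
    """Iterated hash h^k(t) = h(t, h^{k-1}(t)), with h^1(t) = h(t)."""
    v = H(t)
    for _ in range(k - 1):
        v = H(t, v)
    return v

def sk_sign(base, pub, alpha, msg):
    """Signature of knowledge SK[alpha : pub = base^alpha](msg), Fiat-Shamir style."""
    v = secrets.randbelow(Q - 1) + 1
    u = pow(base, v, P)                      # commitment
    c = H(base, pub, u, msg)                 # challenge bound to the message
    s = (v - c * alpha) % Q                  # response; exponents live in Z_Q
    return c, s

def sk_verify(base, pub, msg, sig):
    c, s = sig
    u = (pow(base, s, P) * pow(pub, c, P)) % P   # base^s * pub^c must rebuild base^v
    return c == H(base, pub, u, msg)

def rm_round_key(y_i, t_i, k):
    """RM: RK_{i,k} = y_i^{h^k(t_i)} mod p, posted shuffled on the round-key board."""
    return pow(y_i, h_k(t_i, k), P)

def am_ticket(rk, X_AM):
    """AM: ticket {T_i, (RK_{i,k})^{r_i}, g^{r_i}} with T_i = h((RK_{i,k})^{X_AM} mod p)."""
    r_i = secrets.randbelow(Q - 1) + 1
    return r_i, {"T": H(pow(rk, X_AM, P)), "RK_r": pow(rk, r_i, P), "g_r": pow(G, r_i, P)}

def bidder_alpha(x_i, t_i, k):
    """alpha = x_i * h^k(t_i), the exponent only B_i can form (reduced mod Q)."""
    return (x_i * h_k(t_i, k)) % Q

def bidder_finds_ticket(board, x_i, t_i, k, Y_AM):
    """Bidding steps 2-3: locate own T_i = h(Y_AM^{x_i h^k(t_i)}) and check the ticket."""
    alpha = bidder_alpha(x_i, t_i, k)
    my_T = H(pow(Y_AM, alpha, P))
    for ticket in board:
        if ticket["T"] == my_T:
            # (g^{r_i})^{x_i h^k(t_i)} must equal (RK_{i,k})^{r_i}
            return ticket if pow(ticket["g_r"], alpha, P) == ticket["RK_r"] else None
    return None

def make_bid(ticket, alpha, auction_id, value):
    m_i = f"{auction_id}||{value}"
    return {"T": ticket["T"], "m": m_i, "V": sk_sign(ticket["g_r"], ticket["RK_r"], alpha, m_i)}

def verify_bid(bid, board):
    """Anyone: V_i must verify against the ticket on the board carrying the same T_i."""
    ticket = next((tk for tk in board if tk["T"] == bid["T"]), None)
    return ticket is not None and sk_verify(ticket["g_r"], ticket["RK_r"], bid["m"], bid["V"])

def verify_winner(ticket, y_i, hk_t, rk, r_i):
    """Winner announcement: RM's {RK, h^k(t_i), y_i} and AM's {T_i, r_i, RK} must chain up."""
    return (pow(y_i, hk_t, P) == rk and pow(rk, r_i, P) == ticket["RK_r"]
            and pow(G, r_i, P) == ticket["g_r"])

def run_round(k, x_i, t_i, X_AM, auction_id, value):
    """One bidder through one round; returns the outcome of every public check."""
    y_i, Y_AM = pow(G, x_i, P), pow(G, X_AM, P)
    rk = rm_round_key(y_i, t_i, k)
    r_i, ticket = am_ticket(rk, X_AM)
    board = [ticket]                                    # AM's auction ticket board
    found = bidder_finds_ticket(board, x_i, t_i, k, Y_AM)
    if found is None:
        return {"ticket_ok": False}
    bid = make_bid(found, bidder_alpha(x_i, t_i, k), auction_id, value)
    forged = dict(bid, m=f"{auction_id}||{value + 1}")  # bid body altered on the board
    return {"ticket_ok": True,
            "bid_ok": verify_bid(bid, board),
            "forged_rejected": not verify_bid(forged, board),
            "winner_ok": verify_winner(found, y_i, h_k(t_i, k), rk, r_i)}

if __name__ == "__main__":
    print(run_round(k=3, x_i=123, t_i=4567, X_AM=77, auction_id="A1", value=100))
```

Because the round key depends on $h^k(t_i)$, running the same bidder through a different $k$ yields an unrelated $RK_{i,k}$ and ticket, which is the unlinkability across rounds the text claims.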
2.3 The scheme by Chang et al.
… arbitrarily and anonymously in auction. Later, Jiang et al. [10] claimed that the initiation of their scheme would result in a security drawback because the bidder does not authenticate the auctioneer in the initiation. Subsequently, Chang et al. utilized an alias to resolve the situation [11]. The scheme of Chang et al. is as follows:
【Entity】
Certification Authority (CA): responsible for issuing each bidder and P a certificate containing the public key and CA's signature on the certificate.
Auctioneer (P): responsible for managing and hosting the auction.
Bidder (U): a participant in an auction that P holds.
【Notation】
$E2_{PK}(m)$: an asymmetric encryption function with the public key $PK$ to encrypt the message $m$;
$S2_{SK}(m)$: an asymmetric decryption function with the private key $SK$ to decrypt the message $m$;
$E1_K(m)$: a symmetric encryption function with the secret key $K$ to encrypt the message $m$;
$P$: the just auctioneer;
$U_i$: the bidder $i$;
$ID_U$: the bidder $U$'s unique identity;
$PK_P, SK_P$: the auctioneer $P$'s public key and private key;
$PK_U, SK_U$: the bidder $U$'s public key and private key;
$g, n$: the public system parameters, where $g$ and $n$ are two public primes as
$H(\cdot)$: the collision-free one-way hash function;
$\|$: the concatenation symbol.
The operation of the scheme is as described below:
【Initialization】
CA issues each bidder and the just auctioneer P a certificate containing the corresponding public key and CA's signature on the certificate. The following steps are performed so that P and $U_i$ share a secret $k$:
Step 1: $U_i$ randomly chooses a large number $a$ and computes $X$ and $\bar{X}$ as below: $X = g^a \bmod n$, $\bar{X} = S2_{SK_U}(X)$. Then $U_i$ sends $ID_U$, $X$ and $\bar{X}$ to P.
Step 2: P first verifies $X$ by checking whether $X \stackrel{?}{=} E2_{PK_U}(\bar{X})$. If $X$ is indeed sent from $U_i$, P chooses a random large number $b$ and computes $Y$, $\bar{Y}$, $k$ and $W$ as below: $Y = g^b \bmod n$, $\bar{Y} = S2_{SK_P}(Y)$, $k = X^b \bmod n = g^{ab} \bmod n$, $W = E1_k(AID_U \,\|\, H(ID_U \,\|\, X \,\|\, Y))$. Then P sends $Y$, $\bar{Y}$ and $W$ to $U_i$, where $AID_U$ is $U_i$'s alias for his/her real identity.
Step 3: Upon getting $Y$, $\bar{Y}$ and $W$, $U_i$ checks whether $Y$ is valid by $Y \stackrel{?}{=} E2_{PK_P}(\bar{Y})$. If it does not hold, $U_i$ may inform P; otherwise, $U_i$ computes $k = Y^a \bmod n = g^{ab} \bmod n$, which is used to decrypt $W$ to get $AID_U$. $U_i$ verifies $AID_U$ by checking whether $H(ID_U \,\|\, X \,\|\, Y)$ is contained in the decryption result. If it does not hold, $U_i$ may ask P to retransmit the essential information; otherwise, $U_i$ is sure that P is legal and $k$ is indeed the shared secret. Then $U_i$ computes $Z = E1_k(AID_U \,\|\, H(Y \,\|\, \bar{Y} \,\|\, W))$ and sends $ID_U$ and $Z$ to P.
Step 4: After getting $ID_U$ and $Z$, P uses $k$ to decrypt $Z$ and checks whether $AID_U$ and $H(Y \,\|\, \bar{Y} \,\|\, W)$ are in the decryption result. If both are contained, P is sure that $U_i$ is legal and has already obtained the shared secret; otherwise, P may resend the essential information so that they share the secret $k$.
【Traditional English Auction】
After the Initialization stage, the bidder $U_i$ and the auctioneer P share a secret $k$ and have authenticated each other. If the bidder $U_i$ wants to bid, he/she performs the following steps:
Step 1: $U_i$ computes $S = S2_{SK_U}(B \,\|\, T)$, where $B$ is $U_i$'s bid and $T$ is the current timestamp.
Step 2: $U_i$ computes $D = E1_k(S)$.
… computing $C' = H(B \,\|\, T \,\|\, k)$ for $AID_U$. If $C'$ is not equal to $C$, P announces that $(B, T, D, C)$ is invalid; otherwise, P uses $k$ to decrypt $D$ to get $S = S2_{SK_U}(B \,\|\, T)$ and checks whether $(B \,\|\, T) \stackrel{?}{=} E2_{PK_U}(S)$. If it holds, the bid $B$ is valid; otherwise, P announces that $(B, T, D, C)$ is invalid. To prevent a malicious user from linking the bidder and the corresponding bids, $AID_U$ can be changed to $AID_U'$ whenever $U_i$ bids with $AID_U$. This approach depends on the policies.
If the countdown of the timer reaches zero and no bidder casts a bid, P closes the auction and resolves the winner anonymously from the comparison results obtained while verifying the bids.
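The four-step initialization above, as an added example that is not code from the thesis or from Chang et al.: both sides derive $k = g^{ab} \bmod n$, each verifies the other's signed Diffie-Hellman value, and the alias $AID_U$ travels under $E1_k$ bound to $H(ID_U \| X \| Y)$. Textbook RSA stands in for $S2/E2$, an XOR keystream from SHA-256 stands in for $E1$, and all primes, identities and the alias value are constructed placeholders.

```python
# Added example (not the thesis's code): the four-step initialization of Chang et al.
# Bidder U_i and auctioneer P agree on k = g^{ab} mod n, each checks the other's signed
# Diffie-Hellman value, and P delivers the alias AID_U under E1_k.  Assumed stand-ins:
# textbook RSA for S2/E2, a SHA-256 keystream XOR for E1, SHA-256 for H.
import hashlib
import secrets

N, G = 1019, 2   # constructed public parameters: n prime, g a generator mod n

def rsa_keypair(p, q, e=17):
    """Toy RSA key pair (constructed primes; sizes like this are for illustration only)."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, p * q), (d, p * q)            # (public, private)

def S2(priv, m):
    """S2_SK(m): the private-key operation (sign/decrypt)."""
    d, mod = priv
    return pow(m, d, mod)

def E2(pub, s):
    """E2_PK(s): the public-key operation (verify/encrypt)."""
    e, mod = pub
    return pow(s, e, mod)

def H(*parts):
    """H(.): collision-free hash, here SHA-256 returned as 64 hex bytes."""
    return hashlib.sha256(b"|".join(str(p).encode() for p in parts)).hexdigest().encode()

def E1(k, m):
    """E1_k(m): symmetric cipher modelled as XOR with a SHA-256 keystream (self-inverse)."""
    stream = b"".join(hashlib.sha256(f"{k}|{i}".encode()).digest()
                      for i in range(len(m) // 32 + 1))
    return bytes(x ^ y for x, y in zip(m, stream))

def step1_bidder(id_u, u_priv):
    a = secrets.randbelow(N - 2) + 1
    X = pow(G, a, N)
    return a, (id_u, X, S2(u_priv, X))       # U_i -> P: ID_U, X, X-bar

def step2_auctioneer(p_priv, u_pub, msg, alias):
    id_u, X, Xbar = msg
    if E2(u_pub, Xbar) != X:                 # X must really come from U_i
        return None
    b = secrets.randbelow(N - 2) + 1
    Y, k = pow(G, b, N), pow(X, b, N)        # k = g^{ab} mod n
    W = E1(k, H(id_u, X, Y) + alias)         # AID_U bound to this very exchange
    return k, (Y, S2(p_priv, Y), W)          # P -> U_i: Y, Y-bar, W

def step3_bidder(id_u, p_pub, a, X, msg):
    Y, Ybar, W = msg
    if E2(p_pub, Ybar) != Y:                 # U_i authenticates P (the check Jiang et al. stress)
        return None
    k = pow(Y, a, N)
    plain = E1(k, W)
    if plain[:64] != H(id_u, X, Y):          # wrong k or tampered W
        return None
    alias = plain[64:]
    return k, alias, (id_u, E1(k, H(Y, Ybar, W) + alias))   # U_i -> P: ID_U, Z

def step4_auctioneer(k, alias, Y, Ybar, W, msg):
    id_u, Z = msg
    plain = E1(k, Z)
    return plain[:64] == H(Y, Ybar, W) and plain[64:] == alias

def run_initialization(tamper_Y=False):
    """Full handshake; with tamper_Y an intermediary replaces Y without P's signature."""
    u_pub, u_priv = rsa_keypair(61, 53)
    p_pub, p_priv = rsa_keypair(101, 113)
    alias = b"AID-constructed-0042"
    a, m1 = step1_bidder("bidder-17", u_priv)
    k_p, m2 = step2_auctioneer(p_priv, u_pub, m1, alias)
    if tamper_Y:
        Y, Ybar, W = m2
        m2 = ((Y * G) % N, Ybar, W)          # Y changed, Y-bar no longer matches
    out3 = step3_bidder("bidder-17", p_pub, a, m1[1], m2)
    if out3 is None:
        return {"bidder_accepts": False}
    k_u, alias_u, m3 = out3
    return {"bidder_accepts": True, "same_k": k_u == k_p, "alias_received": alias_u == alias,
            "auctioneer_accepts": step4_auctioneer(k_p, alias, *m2, m3)}

if __name__ == "__main__":
    print(run_initialization(), run_initialization(tamper_Y=True))
```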
3. Preliminaries
This section presents relevant mathematical concepts and principles of cryptography which this paper utilizes.
3.1 Mathematical theories
A lot of mathematical theories are utilized in cryptography, such as Number Theory, Complexity Theory, and so on. They are the indispensable tools used to design cryptography systems and protocols. The required mathematics for cryptography is shown as below [12].
3.1.1 One-way Hash Function
The most basic concept for cryptographic applications is the one-way function. A one-way function is easy to compute on every input but hard to invert given the image of a random input; a function's merely not being one-to-one is not sufficient for it to be called one-way. A one-way hash function transforms an input of arbitrary length into a shorter, fixed-length output. Assume $M$ is a plaintext of arbitrary length and $h(\cdot)$ is a one-way hash function; $h(\cdot)$ should have the following properties:
(1) Easy to compute: Given an arbitrary-length input $M$, it is easy to compute the fixed-length output $h(M)$.
(2) Preimage resistance: If we only know the output $h(M)$, it should be infeasible to compute the input $M$.
… another input $M'$ such that $h(M) = h(M')$.
3.1.2 Discrete Logarithm Problem
Let $p$ and $q$ be two large primes satisfying $q \mid p-1$, and let the integer $g$ be a generator of order $q$ in $Z_p$ (i.e. $1 < g < p-1$). Given an integer $x$, the maximum number of multiplication operations required to calculate $y = g^x \bmod p$ is $\log_2 x + w(x) - 1$, where $w(x)$ is the number of 1s when $x$ is written in binary. However, to calculate $x$ from the known numbers $p$, $g$ and $y$, the fastest solution presently known requires $L(p) = \exp\{(\ln p \cdot \ln(\ln p))^{1/2}\}$ operations. Problems of this kind are called the Discrete Logarithm Problem. For example, when $p \approx 2^{512}$, the required operation time is $L(p) \approx 2^{256} \approx 10^{77}$, so that it is practically impossible to calculate $x$ from $y$.
3.1.3 Integer Factorization Problem
Given two known large prime numbers p and q, calculating the product $N = pq$ requires only one multiplication. However, it is far from easy to recover the actual factors p and q from knowledge of the product N alone. This is called the Integer Factorization Problem (IFP), for which no polynomial-time algorithm is known.
3.2 Principles of cryptography
Due to the rapid growth of digital communication and electronic data exchange, information security has become a crucial issue in business, administration and so on. Cryptography provides essential techniques for securing information and protecting data to
ensure confidentiality, integrity, authenticity, and non-repudiation of information. So it has become one of the main tools for privacy, trust, access control, electronic payments, corporate security, and countless other fields. Aiming at the required cryptography for cryptosystems [12], it is further explained as follows.
3.2.1 Public-Key Cryptosystem
The Public-Key Cryptosystem is also known as Asymmetric Cryptography. It is based on the use of two different keys, where the key used to encrypt a message is not the same as the key used to decrypt it. One is the secret key, which is used to decrypt or sign documents and is known only to its owner. The other is the public key, which is used to encrypt and to verify a signature and is known to everyone. The Public-Key Cryptosystem proposed by Diffie and Hellman in 1976 is one such cryptosystem [12, 13]. It offers a simpler security analysis and solves the key distribution and management problems of Symmetric Cryptography, but its encryption and decryption operations are slower.
3.2.2 RSA Cryptosystem
RSA was developed by Rivest, Shamir and Adleman. It makes use of modular exponentiation. It was the first algorithm known to be suitable for signing as well as encryption, and is one of the first great advances in Public-Key Cryptography. RSA is one specific Public-Key Cryptosystem that derives the keys for encryption and decryption from two prime numbers. The operations of RSA are listed below:
(1) Randomly select two large prime numbers p and q, and calculate N as follows: $N = pq$.
(2) Compute $\phi(N) = (p-1)(q-1)$.
(3) Compute the public key e, where e satisfies $\gcd(e, \phi(N)) = 1$.
(4) Compute the secret key d, where d satisfies $ed \equiv 1 \pmod{\phi(N)}$.
(5) Publish (N, e), but keep the secret key d secret. Since the security of RSA rests on the infeasibility of calculating the prime factors p and q after N is published, the large primes p and q should be carefully selected so that factoring N is practically impossible.
(6) Encryption and decryption are as follows, where M is the plaintext and C is the ciphertext:
【Encryption】 $C = M^e \bmod N$
【Decryption】 $M = C^d \bmod N$
The difficulty of factoring the product of two large primes determines the reliability of the RSA algorithm. In other words, the harder integer factorization is, the more reliable RSA is.
3.2.3 ElGamal Digital Signature
Putting a digital signature on a document aims to provide integrity and non-repudiation. Integrity refers to preventing the document from being tampered with during transmission, and the receiver can use the digital signature to verify whether the document has been tampered with. Since the digital signature is computed by the signer using his/her secret key, it prevents the signer from later denying the signature he/she produced. This protects the receiver and is called non-repudiation. In numerous research works, many digital signature schemes have been proposed, such as DSA, RSA, Schnorr, ElGamal [12, 14], and ECDSS. The signature scheme utilized in this paper is similar to ElGamal, which is introduced as follows:
(1) Choose a large prime number p, where p−1 has a large prime factor, and a primitive root g, where $g \in Z_p^*$.
(2) The signer chooses an integer x as his/her secret key satisfying $1 < x < p-1$.
(3) The signer computes his/her public key y with the following equation and publishes y:
$$y = g^x \bmod p$$
(4) The signer randomly chooses an integer k satisfying $\gcd(k, p-1) = 1$.
(5) Compute the signature (r, s) of plaintext m:
$$r = g^k \bmod p, \qquad m = xr + ks \bmod (p-1) \quad \text{or equivalently} \quad s = k^{-1}(m - xr) \bmod (p-1)$$
(6) After receiving the signature (r, s), the receiver verifies its legality as follows:
$$g^m = y^r r^s \bmod p$$
If the equation holds, (r, s) is a legal signature of plaintext m; otherwise it is rejected.
The security of ElGamal is based on the difficulty of the Discrete Logarithm Problem, so it depends on the choice of p and g. Inappropriate selections of p and g could therefore allow signatures to be forged.
3.2.4 Diffie-Hellman key exchange
The Diffie-Hellman key exchange scheme allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel [15]. The security of this type of scheme is based on the difficulty of the Discrete Logarithm Problem. The operations of Diffie-Hellman key exchange are shown below, where p is a prime number and g is a public generator:
(1) A selects an integer x as his/her secret key, satisfying $1 < x < p-1$. Then A computes his/her public key X with the following equation and publishes X:
$$X = g^x \bmod p$$
(2) B selects an integer y as his/her secret key, satisfying $1 < y < p-1$. Then B computes his/her public key Y with the following equation and publishes Y:
$$Y = g^y \bmod p$$
(3) A and B each use the published public key of the other party and their own secret key to calculate the shared secret key K as follows:
$$K_{ab} = Y^x \bmod p \quad \text{or} \quad K_{ba} = X^y \bmod p$$
(4) The last step is the verification that both values agree:
$$K_{ab} = Y^x = (g^y)^x = (g^x)^y = X^y = K_{ba} \pmod p$$
There are two disadvantages to the Diffie-Hellman scheme. First, the session key can only be used between the two parties. When there are n users in a system and one of them wants to communicate with any of the other users, that user will need n−1 session keys, and the system will have to maintain $n(n-1)/2$ session keys. Second, the identities of the communicating parties are not authenticated; i.e., A and B cannot be sure of each other's actual identity.
3.2.5 Elliptic Curve Cryptosystem
In 1985, Elliptic Curve Cryptography (ECC) was proposed by Neal Koblitz [16] and Victor Miller [17]. ECC improves on existing cryptosystems in terms of smaller system parameters, smaller public-key certificates, lower bandwidth usage, faster implementations, lower power requirements, and smaller hardware processor requirements [18]. Therefore, building a cryptosystem on Elliptic Curve Cryptography is commendable for reasons of high security and efficiency [19]. The mathematical setting of the Elliptic Curve Cryptosystem is described below [19, 20].
First, elliptic curves can be divided into two families: prime curves and binary curves. Prime curves (over $Z_p$) are well suited to software implementations, because they do not require the extended bit-fiddling operations needed by binary curves. Binary curves (over $GF(2^n)$) are best for hardware implementations, as only a few logic gates are required to build a strong cryptosystem. Second, the variables and coefficients of the elliptic curve are limited to the elements of the finite field, and this limitation increases the efficiency of ECC computation.
In the finite field $Z_p$, defined modulo a prime p, an elliptic curve is represented as
$$E_p(a, b): \; y^2 = x^3 + ax + b \pmod p,$$
where $a, b \in Z_p$ and $4a^3 + 27b^2 \bmod p \neq 0$. The condition $4a^3 + 27b^2 \bmod p \neq 0$ is necessary to ensure that $x^3 + ax + b$ has no repeated roots, which means that a finite abelian group can be defined on the set $E_p(a, b)$ [21]. The definition of an elliptic curve also includes a point at infinity, denoted O, which is also called the zero point. The point at infinity O is the third point of intersection of a vertical line with the curve, so that such a line contains the points (x, y), (x, −y), and O.
For points on an elliptic curve, we define an addition operation, denoted "+". The addition rules are given below.
(1) O + P = P and P + O = P, where O serves as the additive identity.
(2) −O = O.
(3) P + (−P) = (−P) + P = O, where −P is the negative of the point P.
(4) (P + Q) + R = P + (Q + R).
(5) P + Q = Q + P.
For any two points $P = (x_p, y_p)$ and $Q = (x_q, y_q)$ over $E_p(a, b)$, the elliptic curve addition operation, denoted $P + Q = R = (x_r, y_r)$, satisfies the following rules:
$$x_r = \lambda^2 - x_p - x_q \bmod p, \qquad y_r = \lambda(x_p - x_r) - y_p \bmod p,$$
where
$$\lambda = \begin{cases} \dfrac{y_q - y_p}{x_q - x_p} \bmod p & \text{if } P \neq Q, \\[2ex] \dfrac{3x_p^2 + a}{2y_p} \bmod p & \text{if } P = Q. \end{cases}$$
【Example】
Consider the curve $E_{23}(1, 4): y^2 = x^3 + x + 4 \pmod{23}$, i.e. $a = 1$ and $b = 4$ with $a, b \in Z_{23}$. Since $4a^3 + 27b^2 = 436 \equiv 22 \pmod{23} \neq 0$, the curve is non-singular. Points over the elliptic curve $E_{23}(1, 4)$ are shown in Table 1 [22].
Table 1: Points over the elliptic curve E23(1,4)
(0,2) (0,21) (1,11) (1,12) (4,7) (4,16) (7,3)
(7,20) (8,8) (8,15) (9,11) (9,12) (10,5) (10,18)
(11,9) (11,14) (13,11) (13,12) (14,5) (14,18) (15,6)
Let P = (7, 3) and Q = (8, 15) in $E_{23}(1, 4)$. When P ≠ Q, we must first derive λ before calculating P + Q, as follows:
$$\lambda = \frac{15 - 3}{8 - 7} \bmod 23 = 12 \bmod 23 = 12.$$
So, with λ = 12, $x_r$ and $y_r$ are derived as follows:
$$x_r = 12^2 - 7 - 8 \bmod 23 = 129 \bmod 23 = 14,$$
$$y_r = 12(7 - 14) - 3 \bmod 23 = -87 \bmod 23 = 5.$$
Thus P + Q = R = (14, 5).
To calculate 2P with P = (7, 3), we must first derive λ as follows:
$$\lambda = \frac{3 \cdot 7^2 + 1}{2 \cdot 3} \bmod 23 = \frac{148}{6} \bmod 23 = 17.$$
So, with λ = 17, $x_r$ and $y_r$ are derived as follows:
$$x_r = 17^2 - 7 - 7 \bmod 23 = 275 \bmod 23 = 22,$$
$$y_r = 17(7 - 22) - 3 \bmod 23 = -258 \bmod 23 = 18.$$
Thus P + P = 2P = (22, 18).
This leads to point multiplication on the elliptic curve. Point multiplication does not mean that one point is multiplied by another; instead, we use the equation $Q = kP$ to obtain a point on the curve. Assuming k is a natural number and Q and P are points on E, Q is defined as $P + P + \cdots + P$ (k times), which is computed efficiently with the double-and-add algorithm. The security of ECC over the finite field rests on the reverse direction: even when the points Q and P are given, it is difficult to compute k. This conundrum of Elliptic Curve Cryptography is known as the Elliptic Curve Discrete Logarithm Problem (ECDLP) [23].
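The addition rules, the worked $E_{23}(1,4)$ computations and the double-and-add / ECDLP discussion above, as an added Python example that is not part of the thesis: the `Curve` class and its method names are my own, and `dlog_bruteforce` is an exhaustive search included only to show that the ECDLP is trivial on this toy curve and why the same search is infeasible on a real-size one.

```python
# Added example, not the thesis's code: affine arithmetic on the curve
# E_p(a, b): y^2 = x^3 + a*x + b (mod p) from Section 3.2.5.
from dataclasses import dataclass
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity O


@dataclass(frozen=True)
class Curve:
    p: int
    a: int
    b: int

    def __post_init__(self) -> None:
        # 4a^3 + 27b^2 != 0 (mod p) rules out a singular curve.
        if (4 * self.a ** 3 + 27 * self.b ** 2) % self.p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 = 0 (mod p)")

    def contains(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P: Point) -> Point:
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P: Point, Q: Point) -> Point:
        # Rules (1)-(3) of the text: O is the identity and P + (-P) = O.
        if P is None:
            return Q
        if Q is None:
            return P
        xp, yp = P
        xq, yq = Q
        if xp == xq and (yp + yq) % self.p == 0:
            return None
        if P == Q:  # doubling: lambda = (3 xp^2 + a) / (2 yp) mod p
            lam = (3 * xp * xp + self.a) * pow(2 * yp, -1, self.p) % self.p
        else:       # chord:    lambda = (yq - yp) / (xq - xp) mod p
            lam = (yq - yp) * pow(xq - xp, -1, self.p) % self.p
        xr = (lam * lam - xp - xq) % self.p
        yr = (lam * (xp - xr) - yp) % self.p
        return (xr, yr)

    def mul(self, k: int, P: Point) -> Point:
        # Double-and-add: log2(k) doublings plus one addition per set bit of k,
        # so Q = kP is cheap to compute even for a 256-bit k.
        R: Point = None
        addend = P
        while k > 0:
            if k & 1:
                R = self.add(R, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return R

    def affine_points(self) -> List[Tuple[int, int]]:
        # All (x, y) in Z_p x Z_p on the curve; together with O they form
        # the finite abelian group the text refers to.
        return [(x, y) for x in range(self.p) for y in range(self.p)
                if self.contains((x, y))]

    def dlog_bruteforce(self, P: Point, Q: Point) -> Optional[int]:
        # ECDLP by exhaustive search for k with kP = Q. Only feasible because
        # this toy group has a few dozen elements; the cost grows with the
        # group order, which is what makes real-size curves secure.
        R: Point = None
        for k in range(self.p * self.p + 1):  # more than the Hasse bound
            if R == Q:
                return k
            R = self.add(R, P)
        return None
```

`Curve(23, 1, 4).add((7, 3), (8, 15))` returns `(14, 5)` and `add((7, 3), (7, 3))` returns `(22, 18)`, matching the hand computation above.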
3.3 Mobile agent
We will introduce the basic concept of mobile agent and the architecture of the auction model for mobile agent.
3.3.1 Basic concept of mobile agent
Recently, the application of mobile technology in network data transfer has received considerable attention. In information technology, the mobile agent is a highly autonomous and mobile software that users can capitalize to perform tasks in heterogeneous network environments. Since the mobile agent does not require constant online network connections, it also demonstrates significant improvement in network performance.
Figure 1: Tree-based structure of key management and access control
The advantages of mobile agents include (1) low network load, (2) high tolerance of network latency, (3) encapsulation of protocols, (4) asynchrony and autonomy, (5) dynamic adaptation, and (6) natural heterogeneity. The advantages of assigning tasks to mobile agents cannot be overemphasized. However, because an agent is entrusted with the user's private key and agent code at the time of task assignment, the management and control of agents' access to data during transfer becomes particularly important.
In related studies, Akl and Taylor proposed a tree-structured key management scheme [24]. Subsequently, Volker and Mehrdad [25] integrated the mobile agent concept into the tree-structured key management mechanism and proposed a system architecture as shown in Figure 1.
Although this scheme effectively solves the insecurity of data transmission, its efficiency can still be improved. In Figure 2, the repeated storage of keys in different agent codes not only consumes memory space, but also imposes a large execution cost for key computation.
Figure 2: Hierarchical structure of key management and access control
Therefore, Huang et al. [21] proposed two new schemes in mobile agent application. The first method applied the tree-structure of Akl and Taylor into agent management, integrating the keys of lower successive tiers as one. The server can thus use its own key and through mathematical computation obtain successive private keys that can restore confidential
Logarithm Problem. The second scheme, in an attempt to improve the mobile agent's computational efficiency, applies a cryptosystem based on the difficulty of the Discrete Logarithm Problem to reduce the public parameter size without compromising security. Their approach uses a hierarchical structure to manage the mobile agent's access control over users' keys, while at the same time protecting data transmission when access permissions differ from user to user, as shown in Figure 2.
During task execution, the mobile agent roams between various hosts in a network. While carrying out message exchanges, it may also be required to connect with other mobile agents, which raises security concerns arising from insecure connections [26], malicious modifications by unauthorized external users, or even deliberate attacks by internal users. Therefore, mobile agent security is an important issue that must be overcome for its successful application.
The mobile agent might face the following threats during task execution:
(1) Unauthorized users access the related information of servers
A. Causing deliberate system paralysis and breakdown without authorization
B. Gaining unauthorized access to data or resources on the server by posing as an authorized agent
(2) Attacks on the mobile agent by other agents
A. Forging the identity codes of other agents to obtain authorization to access services and resources, thereby avoiding responsibility and breaching other users' trust in the legitimate mobile agent.
(3) Attacks on the mobile agent by malicious servers
A. Deceiving and threatening the mobile agent by abusing the identification codes of trusted third-party servers.
B. Deliberately ignoring the mobile agent's requests.
C. Deceiving negotiating mobile agents by tampering with their data fields.
(4) Attacks on a server by other malicious servers or mobile agents
A. Deliberately delaying the response to the mobile agent's request: such common attacks aim to cut off the requests or lower the mobile agent's efficiency by making it wait for a response, resulting in repeated requests and hence lower system efficiency. Abnormal or abrupt termination of a mobile agent's task also results in a deadlock state in which other mobile agents continue to wait for a response.
B. Deliberately preventing mobile agents from completing their tasks, resulting in a livelock.
3.3.2 Mobile Auction Agent Model (MoAAM)
MoAAM [4] is designed to enable users to use their mobile devices to participate in online auctions. MoAAM consists of four agents: (1) Personal Agent, (2) Customer Agent, (3) Auctioneer Agent and (4) Broker Agent. How these agents communicate with each other in MoAAM through a web server is shown in Figure 3.
Inside the mobile device, there is an interactive interface, called Personal Agent, which would connect with an Agent House Server via the wireless network. In a few words, a
to allow users to communicate with the Agent House Server. The Customer Agent, Auctioneer Agent, and Broker Agent all operate in the fixed network. The Personal Agent connects to the Customer Agent when a mobile network user wants to buy a specific product. The Personal Agent then sends the description of the desired products and price information to the Customer Agent. On the other hand, an auctioneer registers product information with the Broker Agent. After the Broker Agent receives the user's request, an auction list that meets the user's needs is generated and sent back to the user. If the user decides to purchase auction items from the received list, a Bid Agent is created by the Customer Agent and dispatched to an Auction House Server to join the bidding.
Figure 3: Communication in MoAAM
The architecture of MoAAM [4] is shown in Figure 4, and how it works is described as follows.
(1) Primary participants in MoAAM
(i) Broker Agent: It is responsible for pairing up bidders and auctioneers. Moreover, it generates auction item lists and provides bid price information for the users.
(ii) Bid Agent: An individual user uses it to participate in auctions and place bids.
(iii) Auctioneer Agent: Auctioneers use it as their representative to manage the items they are selling.
(iv) Auction House Server: A platform where online auctions take place.
(2) How Customer Agent operates
The Customer Agent provides an interface with three different functions for the user:
(i) Query the Broker Agent: Find out what kinds of auction items the Broker Agent has registered so far and the bid prices for these items.
(ii) Specify the Bid Agent: A user sends his/her request and bidding information to the Bid Agent generator. The generator creates a Bid Agent from a template.
(iii) Control the Bid Agent: This function allows the user to communicate with the Bid Agent and control its behavior.
(3) How Broker Agent operates
First, the auctioneer needs to register his/her agent with the Broker Agent, and the Broker Agent then stores the auctioneer's information in its database. When the Customer Agent sends a request for item information, the Broker Agent replies with a list of recommended items.
(4) How Auction House operates
The Auction House Server offers a web interface to allow the auctioneers to execute the following functions:
(i) Specify the Auctioneer Agent: An auctioneer sends his/her request and auction information to the Auctioneer Agent generator. The generator will create an Auctioneer Agent from a template. The newly created agent and auction information would be registered with the Broker Agent.
(ii) Control the Auctioneer Agent: This interface allows the auctioneer to communicate with the Auctioneer Agent and control the Auctioneer Agent’s behavior.
(5) Mobile agent platform
The mobile agent platform is where Bid Agent and Auctioneer Agent would be sent to as the auction starts.
4. Proposed scheme
The proposed scheme includes six stages: (1) Initialization, (2) Registration, (3) Generation of Transaction Public Key, (4) Signature, (5) Auction Bidding, and (6) Winner Announcement. The whole process flow is shown in Figure 5. The process involves four main participants: Registration Manager (RM), Agent House (AH), Auction House (AUH), and Bidder (B).
4.1 The participants
(1) Registration Manager (RM)
(i) It is the unit where bidders apply for registration. Bidders need to register only once; after that, they can participate in multiple auctions without registering again.
(ii) It is also responsible for storing bidders' identity information and the corresponding secret parameters.
(iii) It manages and maintains the bulletin board called $BB_{RM}$. Two types of information are published on this board: the registration key and identity information of a bidder, and the pseudonym that a bidder uses in a single auction round. The published information is available to anyone for identity verification, and only the RM has the authority to write to and update the bulletin board.
(2) Agent House (AH)
(i) It is responsible for communicating with the Broker Agent and creating Bid Agents.
(ii) It manages and maintains a bulletin board called $BB_{AH}$, which provides the bidders' transaction public keys for verification purposes. Only the AH has the authority to write to and update the bulletin board.
(3) Auction House (AUH)
(i) Provides the auction place, maintains the operations, and hosts the auctions.
board, the published information would be the bidding information of bidders and the winning bidder’s information. All the published information can be used to verify one’s identity. And only the AUH has the authority to write and update the bulletin board.
(4) Bidder (B)
(i) It is the one who participates and places bids in the auction.
4.2 Using modular exponentiation
In order to compare the computational cost of modular exponentiation with that of the Elliptic Curve Cryptosystem in the English Auction protocol, this paper runs the same auction processes under both methods.
First, the scheme using modular exponentiation in English Auction protocol is presented as follows. The given system parameters are shown in Table 2.
Table 2: System parameters for the modular exponentiation scheme
$p, q$: Two big prime numbers, satisfying $q \mid p-1$;
$g$: A generator with order q in $Z_p$;
$E_K(m)$: A symmetric encryption of message m with the key K (K is the shared key between $B_i$ and AM);
$H(x)$: A one-way hash function, satisfying $H^j(x) = H(x, H^{j-1}(x))$ and $H^0(x) = x$;
$PK_{AH}$: AH's public key;
$B_i$: The ith bidder;
$bid_{i,j}$: A bid price placed by $B_i$ in the jth round of the auction;
$SK_i$: $B_i$'s private key;
$RK_i$: $B_i$'s registration key;
$k_i, t_{1,i}, t_{2,i}$: Three secret parameters chosen by $B_i$;
$N_{i,j}$: A pseudonym that RM creates only for $B_i$ in the jth round of the auction;
$r_j$: A random number chosen by AH in the jth round of the auction;
$G_j$: The public information published by AH in the jth round of the auction;
$TPK_{i,j}$: A transaction public key that AH generates only for $B_i$ in the jth round of the auction.
The auction processes are described as follows.
4.2.1 Initialization
RM and AH establish the system parameters; the steps are as follows:
(1) Registration Manager