An Agent-Based Auction Protocol on Mobile Devices

(1)

Research Article

An Agent-Based Auction Protocol on Mobile Devices

Yu-Fang Chung,

1

Tzer-Long Chen,

2

Tzer-Shyong Chen,

3

Dai-Lun Chiang,

3

and Yu-Ting Chen

4

1_{Department of Electrical Engineering, Tunghai University, No. 1727, Section 4, Taiwan Boulevard, Xitun District,}

Taichung 40704, Taiwan

2_{Department of Technological Product Design, Lingtung University, Taiwan} 3_{Department of Information Management, Tunghai University, Taichung, Taiwan}

4_{Department of Computer Science and Engineering, National Chiao Tung University, Taiwan}

Correspondence should be addressed to Yu-Fang Chung; [email protected]

Received 14 October 2013; Revised 10 April 2014; Accepted 17 April 2014; Published 13 May 2014 Academic Editor: Li Weili

Copyright © 2014 Yu-Fang Chung et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. This paper proposes an English auction protocol to preserve a secure, fair, and effective online auction environment, where the operations are integrated with mobile agent technology for bidders participating in online auctions. The protocol consists of four participants, namely, registration manager, agent house, auction house, and bidder.

1. Introduction

With the popularization of the World Wide Web and its prompt adaptability to trends, traditional auction systems and business transactions have gradually transferred them-selves to network platform transactions. Not only does online auction solve general problems like market price discrepancy due to asymmetric information, it also makes up for the time, space, and location constraints faced by traditional auctions and provides for transactions being conducted in conditions much freer and more public, allowing information much more transparency, and thus much fairer, and equal

trading opportunities for the interested [1]. Therefore, online

English auctions have successfully come to replace the offline traditional auctions, appearing more powerful and capable than the offline ones.

With the rapid development of mobile phones, the demand for mobile commerce has increased as a conse-quence. Based on market demand considerations, mobile service providers have begun launching mobile commerce services. To meet auction security demands in an environ-ment of heterogeneous networks, an auction mechanism must satisfy both mobile and constraint needs. Under the analysis of various auction mechanisms in the study, a safe,

fair, and efficient online auction environment was established by mobility and autonomy features of employing mobile agent.

Today, online auction protocols are applied over the Internet, including open auction and sealed-bid auction. Open auction can be subdivided into English auction and

Dutch auction [1]. English auction is to have all participant

bidders place their bidding prices on the basis of the reserve price that is preliminarily set by a host. After everything is in place, the host starts the bidding process. The bidding price soars gradually, the item going to the participant at the highest price. In Dutch auctions, bidders place their bids for lower prices. The auction will be closed when a bidder is

willing to pay the final price [2]. Bidders in English auction

can observe the bidding behaviors of their competitors during the entire auction process, so as to immediately adjust the bidding hereafter. Such a protocol is highly competitive because its game rule forces the bidding price to rise up. Thus,

an item fetches highest price [3] at auction. As a result, the

expected return on the goods in English auction protocol is usually higher than that in other protocols. Most auction-based websites, such as eBay and Yahoo! auctions, run the auction following English auction protocol, which are applied to the application of mobile commerce in the paper.

Volume 2014, Article ID 314180, 11 pages http://dx.doi.org/10.1155/2014/314180

(2)

For the auction model on a mobile-based environment,

[4] proposed a mobile auction agent model (MoAAM);

bidders participate in online auctions through mobile agents. The protocol employed modular exponentiation operations which require a large computation amount, bringing a grad-ual degradation of performance in key generation, bidding, and verification phases. In contrast, the study runs the proposed protocol under the difficulty of solving discrete logarithm problem, leading to the positive improvement of performance in key generation, bidding, and verification phases. In terms of computation reduction on mobile devices and the workload of the connected server, the proposed system makes online auction systems much more convenient. A system should be endowed with the following features to

maintain a fair and secure auction [5].

(1) Anonymity: during the course of an auction, no one is able to recognize the other bidders’ identities. (2) Traceability: the winner’s real identity can be

recog-nized at the end of the auction.

(3) No framing: the identities of all bidders remain independent. No one can falsely claim to be any other bidder who participates in the auction.

(4) Unforgeability: nobody is able to forge another one’s valid bidding price.

(5) Nonrepudiation: the winning bidder is unable to deny the proposed bidding price after being announced. (6) Fairness: all bidding must be conducted in an open

and fair manner.

(7) Public verifiability: anyone can verify the identities and bidding prices of the participating bidders. (8) Unlinkability among various auction rounds: nobody

will know the same bidder’s identity among different rounds of auction.

(9) Linkability within a single auction round: the bidders can repeatedly place new bidding prices within a single auction round and can be recognized by other bidders.

(10) Efficient bidding: in order to make the bidding effi-cient, computation complexity must be minimized. (11) One-time registration: the bidder only needs to

regis-ter once and then he/she can participate in all auctions that are opened.

(12) Easy revocation: the registration manager can easily revoke someone’s right to bid.

The rest of this paper is organized as follows.Section 2

contains a review of related work on English auction protocol, the related cryptosystem concepts, and how the mobile auction agent model actually works in practice. The proposed

protocol is shown inSection 3. InSection 4, the analyses of

security and efficiency would be performed to examine the proposed protocol. The final conclusion and

recommenda-tions for further studies are given inSection 5.

2. Related Work

2.1. English Auction Protocol. Regarding English auction

protocol research, the concept of bulletin board for verifi-cation was firstly applied to an English auction protocol in

[6], satisfying various security concerns in the auction and

successfully reducing computation and server load during the

auction. The method was based on the concept in [7,8], where

group signature technology was utilized in English auction protocol to offer bidders higher security. Under the

consid-eration of security, the protocol in [6] would not publish any

bidders’ information against the bidder privacy’s risk, leading to loss of anonymity, fairness, and unlinkability among auction rounds, etc., as required by the English auction

protocol. Later, [5] made improvements on the method in [6],

allowing bidders’ identities and information to be published, yet risking the unlinkability among auction rounds, for example, bidders’ identities could not be identified through

released information of previous auction rounds. In 2003, [9]

proposed a much simpler and more effective method for the anonymity in English auction. However, it was shown to be

insecure enough for bidders’ privacy and rights by [10], as

bidders were not allowed to verify whether the shared keys they possessed belonged to the same auctioneer during the

auction. Subsequently, [11] utilized an alias for resolving the

situation.

2.2. RSA Cryptosystem. RSA, developed by Rivest, Shamir,

and Adleman, makes use of an expression with exponentials. It is the first algorithm known to be suitable for signing as well as encryption and is one of the first great advances in public-key cryptography. The RSA is one specific method of public-key cryptosystem utilizing two prime numbers as the key for encryption and decryption. The operations of RSA are listed below.

(1) Randomly select two large prime numbers𝑝 and 𝑞

and calculate𝑁 = 𝑝𝑞.

(2) Compute the least common multiple of two large

prime numbers𝜙(𝑁) = (𝑝 − 1)(𝑞 − 1).

(3) Compute the public key 𝑒, where 𝑒 satisfies

GCD(𝑒, 𝜙(𝑁)) = 1.

(4) Compute the secret key 𝑑, where 𝑑 satisfies 𝑒𝑑 =

1 mod 𝜙(𝑁).

(5) Publish(𝑒, 𝑁) but keep the secret key 𝑑 secretly. Since

the security of RSA is based on calculating the prime

factors 𝑝 and 𝑞 after publishing 𝑁 the large prime

numbers𝑝 and 𝑞 should be carefully selected so that

their factorization becomes impossible.

(6) The encryption and the decryption are presented

as follows, where 𝑀 is the plaintext and 𝐶 is the

ciphertext after the encryption.

(Encryption)𝐶 = 𝑀𝑒 mod𝑁.

(Decryption)𝑀 = 𝐶𝑑mod𝑁.

The difficulty in factorizing large prime numbers deter-mines the reliability of RSA algorithm. In other words,

(3)

the more difficulty the integer factorization presents, the more reliable the RSA algorithm is.

2.3. ElGamal Digital Signature. Putting digital signatures on

a document aims to show the integrity and the nonrepu-diation. Integrity refers to preventing the document from being tampered with in the transmission process, and the receiver can use the digital signature for verifying whether the document is tampered with or not. Since digital signature is calculated by the signer using his/her secret key, it could prevent the signer from denying the signature that he/she signed afterwards. This is considered to protect the receiver, as nonrepudiation. In numerous studies, many protocols were proposed for digital signatures, such as DSA, RSA,

Schnorr, ElGamal [12], and ECDSS. The study applied the

ElGamal algorithm to signature scheme, which is further introduced as follows.

(1) Choose a large prime number𝑝, where 𝑝 − 1 has a

large prime factor, and a primitive root𝑔, where 𝑔 ∈

𝑍_𝑝.

(2) The signer chooses one integer𝑥 as his/her secret key

satisfying1 < 𝑥 < 𝑝 − 1.

(3) After computing his/her public key 𝑦 using the

following equation, the signer publishes it. Consider

𝑦 = 𝑔𝑥mod𝑝. (1)

(4) The signer randomly chooses an integer𝑘 satisfying

(𝑘, 𝑝 − 1) = 1.

(5) Compute the signature(𝑟, 𝑠) of plaintext 𝑚. Consider

𝑟 = 𝑔𝑘mod𝑝

𝑚 = 𝑥𝑟 + 𝑘𝑠 mod 𝑝 − 1 or 𝑠 = 𝑘−1(𝑚 − 𝑥𝑟) mod 𝑝 − 1.

(2) (6) The receiver verifies the legality after receiving the

signature(𝑟, 𝑠) as follows:

𝑔𝑚= 𝑦𝑟𝑟𝑠mod𝑝. (3)

If the equation holds,(𝑟, 𝑠) is the legal signature of the

plaintext𝑚 and vice versa.

The security of ElGamal depends on solving the difficulty

of discrete logarithm problems𝑝 and 𝑔. An inappropriate

selection of𝑝 and 𝑔 would therefore result in the signature

being forged.

2.4. Diffie-Hellman Key Exchange. Diffie-Hellman key

exchange scheme allows two parties that have no prior knowledge of each other to jointly establish a shared secret

key over an insecure communication channel [13]. The

security is based on the difficulty of discrete logarithm problem (DLP). The operation of Diffie-Hellman key exchange is shown as follows.

(1)𝐴 selects one integer 𝑥 as his/her secret key, which

satisfies1 < 𝑥 < 𝑝 − 1, where 𝑝 is a prime number.

Then,𝐴 uses the following equation for computing

his/her public key𝑋 and publishes 𝑋:

𝑋 ≡ 𝑔𝑥mod𝑝. (4)

(2)𝐵 selects one integer 𝑦 as his/her secret key, which

satisfies1 < 𝑦 < 𝑝 − 1, where 𝑝 is a prime number.

Then,𝐵 uses the following equation for computing

his/her public key𝑌 and publishes 𝑌:

𝑌 ≡ 𝑔𝑦mod𝑝. (5)

(3) Both𝐴 and 𝐵 have the published public key and their

own secret keys to calculate the shared secret key𝐾_𝑎𝑏

as follows:

𝐾_𝑎𝑏 ≡ 𝑌𝑥mod𝑝 or 𝐾_𝑏𝑎≡ 𝑋𝑦mod𝑝. (6)

(4) The last step is the verification, as follows:

𝐾_𝑎𝑏≡ 𝑌𝑥_{≡ (𝑔}𝑦₎𝑥_{≡ (𝑔}𝑥₎𝑦_{≡ 𝑋}𝑦_{≡ 𝐾}

𝑏𝑎 mod𝑝. (7)

There are two disadvantages to Diffie-Hellman scheme. First, the session key could merely be used between the two

parties. When there are𝑛 users in a system, and one of them

wants to communicate with any of the other users, the user

will need to have𝑛 − 1 session keys and the system will have

to maintain𝑥(𝑥 − 1)/2 session keys. Second, the identities of

the presently communicated objects are unknown; i.e.,𝐴 and

𝐵 would not recognize each other’s actual identities.

2.5. Mobile Agent

2.5.1. Basic Concept of Mobile Agent. Recently, the application

of mobile technology to network data transfer has received considerable attention. In information technology, the mobile agent is highly autonomous and is a mobile software that the users can capitalize to perform tasks in heterogeneous net-work environments. Since the mobile agent does not require constant online network connections, it also demonstrates significant improvement in the network performance.

The advantages of mobile agents include(1) low network

loads,(2) high network latency resistance, (3) encapsulation

of protocols,(4) asynchrony and autonomy, (5) dynamical

adaptation, and(6) natural heterogeneity. The advantages of

assigning tasks to mobile agents cannot be overemphasized. However, because it is entrusted with the user’s private key and agent code at the time of task assignment, the data transfer management regarding agents’ access management and control becomes particularly important.

Although this protocol can effectively solve data trans-mission insecurity, the efficiency can still be improved on. In

Figure 1, the repetitious key storage in different agent codes not only results in the memory space consumption, it but also causes performance exhausted while computing keys.

Therefore, [14] proposed two schemes in the application

(4)

Encrypted with K₁ Encrypted with K₂ Encrypted with K₃ Static Classes acl Agent.zip Support.zip Control.zip Retrieval.zip

Encrypted for server:

S₁ S₂ S₃ DK₁ DK₂ DK₃ DK₂ DK₃ DK₁ S₁: cyut.edu.tw S₂: ccu.edu.tw S₃: ieee-security.org sctx

Figure 1: Tree-based structure of key management and access control. DK: decryption key S₁ S₂ S₄ S₅ S₃ S₆ N₁ N₂ N₄ N₅ N₃ N₆ DK₁ DK₂ DK₃ DK₄

Figure 2: Hierarchical structure of key management and access control.

of Akl and Taylor into the agent management, integrating the keys of lower successive tiers as one. The server could thus use its own key and through mathematical computation obtain successive private keys that could restore confiden-tial documents. This security is based on the difficulty of solving elliptic curve discrete logarithm problem. The second scheme, in its attempt to improve mobile agent’s computation efficiency, applied the cryptosystem based on the difficulty of discrete logarithm problem to reduce the public parameter size without compromising security. Their approach used the hierarchical structure for managing mobile agent’s access control to users’ keys, at the same time protecting data transmission when the access permission differed from user

to user as shown inFigure 2.

During the task execution, the mobile agent roams between various hosts in a network. In the process to carry out message exchanges, it may also be required to connect with other mobile agents, which, thus, imposes

security concerns arising out of insecure connections [15],

malicious modifications by unauthorized external users, or

even deliberate attacks by internal users. Therefore, mobile agent security is an important issue that needs to be overcome to effect into its successful application.

The mobile agent might face the following threats during the task execution.

(1) Unauthorized users access to the related information of servers:

(1.1) causing deliberate system paralysis and break-down in a nonauthorization situation,

(1.2) unauthorized access to data or resource from server by forging as authorized agents.

(2) Attacks on mobile agent by other agents:

(2.1) forging identity codes of other agents for autho-rization access to services and resources, thereby avoiding the responsibility and breaching other users’ trust on the legal mobile agent,

(2.2) paralyzing the legal agent by sending repetitious messages.

(3) Attacks on mobile agent by other malicious servers: (3.1) deceiving and threatening the mobile agent

through the abuse of trusted third party servers’ identification codes,

(3.2) ignoring the mobile agent’s requests deliber-ately,

(3.3) deceiving negotiating mobile agents by tamper-ing with their data field.

(4) Attacks on server by other malicious servers or mobile agents:

(4.1) deliberate delayed response to mobile agent’s request: such common attacks intend to cut off the requests or lower the mobile agent’s efficiency by making the mobile agent wait for responses, resulting in repeated requests and hence lowering the system efficiency. Abnormal or abrupt task termination of mobile agents results from deadlock state where other mobile agent continue to wait for responses,

(4.2) deterring the mobile agents from task comple-tion deliberately, resulting in a live-locked.

2.5.2. Mobile Auction Agent Model. Mobile auction agent

model [4], called MoAAM, is designed to enable users to

use their mobile devices to participate in online auctions.

MoAAM consists of four agents, namely,(1) personal agent,

(2) customer agent, (3) auctioneer agent, and (4) broker agent. How these agents communicate with each other in

MoAAM through a web server is shown inFigure 3.

Inside the mobile device, there is an interactive interface, called personal agent, which would connect with an agent

(5)

Personal agent Mobile device Mobile client (customer) Wireless network Customer agent Wireless gateway Broker agent Auctioneer agent Fixed network with web service Wireless

connection

SMS/email

notification Agent house server

SOAP SOAP SOAP Broker agent Auction house server server

Figure 3: Communication in MoAAM.

Agent matcher Agent register Query broker agent Control agents Specifying agents Bid agent Interface for specifying agents Interface for control agents Auctioneer agent generator Bid agent

Mobile agent platform Auctioneer agent Agent database User interface Customer agent Web system

Auction house server Request for

generated bid agent

Create bid agent from template Messages Create agent from template Messages Register auctioneer

agent Request for_generated

auctioneer agent Dispatch Request for recommending the auctioneer Bid agent generator Broker agent agent auctioneer

Figure 4: Architecture of MoAAM.

house server via the wireless network. In a few words, a per-sonal agent is a preset agent that operates on the mobile device and provides an interface to allow users to communicate with the agent house server. The customer agent, the auctioneer agent, and the broker agent all operate in the fixed network. The personal agent connects to the customer agent when a mobile network user wants to buy a specific product. Then, the person agent sends the description of desired products and price information to the customer agent. On the other hand, an auctioneer registers the information of products to the broker agent. After the broker agent receives the user’s request, an auction list, which meets the user’s needs, will be generated and sent back to the user. If the user decides to purchase the auction items from the received list, a bid agent will be created by the customer agent and be dispatched to an auction house server to participate in the bidding.

The architecture of MoAAM [4] is shown inFigure 4and

how it works is described as follows.

(1) Primary participants in the MoAAM:

(1.1) broker agent: it is responsible for pairing up bidders and auctioneers. Moreover, it generates auction item lists and provides bidding price information for the users,

(1.2) bid agent: an individual user would use it for participating in auctions and placing the bids, (1.3) auctioneer agent: auctioneers use it as their

representative for managing the items they are selling,

(1.4) auction house server: a platform where online auctions take place.

(6)

(2) The running of customer agent.

The customer agent provides an interface with three different functions for the user:

(2.1) query the broker agent: know what kind of auc-tion items the broker agent so far has registered and the bidding prices for these items,

(2.2) specify the bid agent: a user sends his/her request and bidding information to the bid agent generator. The generator will create a bid agent from a template,

(2.3) control the bid agent: this function allows the user to communicate with the bid agent and control the behavior of a bid agent.

(3) The running of broker agent.

First, the auctioneer needs to register his/her agent with the broker agent, and then the broker agent will store the auctioneer’s information in the database. When the customer agent sends a request for item information, the broker agent would reply with a list of recommended items to the customer agent. (4) The running of auction house.

The auction house server offers a web interface to allow the auctioneers to execute the following functions:

(4.1) specify the auctioneer agent: an auctioneer sends his/her request and auction information to the auctioneer agent generator. The generator will create an auctioneer agent from a template. The newly created agent and auction informa-tion would be registered with the broker agent, (4.2) the management of the auctioneer agent: this

interface allows the auctioneer to communicate with the auctioneer agent and control the auc-tioneer agent’s behavior.

(5) Mobile agent platform.

The mobile agent platform is where the bid agent and the auctioneer agent would be sent to as the auction starts.

3. Proposed Protocol

The proposed system includes six phases of(1) initialization,

(2) registration, (3) generation of transaction public key, (4)

signature, (5) auction bidding, and (6) winner

announce-ment. The whole process flow is shown in Figure 5. In

the process, there are four main participants, which are registration manager (RM), agent house (AH), auction house (AUH), and bidder (B). What the participants do is described as follows.

(1) Registration Manager (RM):

(1.1) it is a unit for bidders applying for the reg-istration. All bidders only require registering once. After that, they can participate in multiple auctions and no more registration is needed,

(1.2) to be in charge of storing bidders’ identity infor-mation and corresponding secret parameters, (1.3) to manage and maintain the bulletin board,

which is called BBRM. On the bulletin board, two types of information would be published. One is the registration key and identity infor-mation of a bidder and another is a pseudonym that a bidder uses in a single auction round. The published information would be supplied to anyone for the identification verification, and only the RM has the authority to write and update the bulletin board.

(2) Agent House (AH):

(i) to be in charge of communicating with the broker agent and create bid agents,

(ii) to manage and maintain a bulletin board, which

is called BBAH. The bulletin board would

pro-vide the bidder’s transaction public key for the verification purpose, and only the AH has the authority to write and update the bulletin board. (3) Auction House (AUH):

(3.1) to provide the auction place, to maintain the operations, and to host the auctions,

(3.2) to manage and maintain a bulletin board, which

is called BBAUH. On this bulletin board, the

published information would be the bidding information of bidders and the winning bidder’s information. All the published information can be used for verifying one’s identity, and only the AUH has the authority to write and update the bulletin board.

(4) Bidder (𝐵):

(i) it is the one who participates and places bids in the auction.

The system using modular exponentiation in the English auction protocol is presented as follows. The given system

parameters are shown inTable 1.

In the following are the auction processes.

3.1. Initialization. The RM and AH establish system

parame-ters and the steps are as follows.

(1) Registration Manager

Step 1. Set up a read-only bulletin board (BBRM) and post two

kinds of information. One is the registration key and identity information of all bidders. Another is pseudonyms used by

(7)

Agent house (AH) Registration manager (RM) Bidder Broker agent Auction house (AUH) #1 #2 #3 (1) Register (2) Request (3) Respond a list (4) Apply for TPK (5) Make a price and generate a signature (6) Apply for a bid agent

(7) Generate (8) Bidding (9) (10) Return #2 (11) (12) Return #3 Steps: iBid agent DB Note: PS:

Post #1 during the auction Post #2, #3 after the auction BB_RM {ID_i, RKi} Ni,j {ID_i_{, }} {RK_i, , 𝛾_i, 𝜀i, IDi} (Bi) PK_AH BB_AH Gj Transmit {TPK_i,j} {Si,j, TPKi,j} Transmit {Ni,j} BB_AUH

#1: {TPKi,j, bidi,j, 𝛼i,j, 𝛽i,j} #2:{TPKi,j, (rj· xs),Ni,j} #3:{Ni,j, Hj(ki),RKi} 1: registration : generation of transaction 5: signature : auction bidding : winner announcement public key ki ki 2∼4 6∼8 9∼12

{TPKi,j, EKi(bidi,j, 𝛼ij, 𝛽i,j)}

Figure 5: Flow chart of proposed system.

the bidders in the𝑗th round of auction. The RM is the only

one who can write and update the bulletin board.

Step 2. Declare𝑝, 𝑞, 𝑔, 𝐻(𝑥) publicly. (2) Auction House

Step 1. Set up a read-only bulletin board (BBAH) and publish

the transaction public key and related information of all bidders on the bulletin board. AH is the only one authorized to write and update the bulletin board.

Step 2. Randomly select an integer SKAH ∈ [1, 𝑞 − 1] as the

private key to calculate the corresponding public key PKAH.

The equation is as follows:

PKAH= 𝑔

SKAH_mod𝑝. ₍₈₎

Step 3. Post PKAHon BBAH.

3.2. Registration. As a new bidder (𝐵_𝑖) joins in an auction;

𝐵𝑖 must apply for the registration with the RM at the very

beginning. After the registration is completed, the RM would

generate pseudonyms, which can only be used one time for

𝐵_𝑖in the𝑗th round of auction.

𝐵_𝑖 should first calculate all relevant parameters before

registering with the RM. The registration process is shown as follows.

Step 1.𝐵_𝑖randomly selects an integer SK_𝑖 ∈ [1, 𝑞 − 1] as the private key and computes a corresponding registration key

RK_𝑖. The equation is given as follows:

RK_𝑖= 𝑔SK𝑖_mod_𝑝. ₍₉₎

Step 2.𝐵_𝑖randomly selects an integer𝑘_𝑖∈ [1, 𝑞−1] as a secret parameter.

Step 3.𝐵_𝑖randomly selects an integer𝑡_1,𝑖 ∈ [1, 𝑞 − 1] and

computes the verification information(𝛾_𝑖, 𝜀_𝑖). The

computa-tion steps are given as follows:

𝛾_𝑖= 𝐻 (𝑔𝑡1,𝑖_mod_𝑝)

𝜀_𝑖= (𝑡_1,𝑖+ 𝛾_𝑖⋅ SK_𝑖) mod 𝑞. (10)

Step 4.𝐵_𝑖 sends the information {RK_𝑖, 𝑘_𝑖, 𝛾_𝑖, 𝜀_𝑖} and the

(8)

Table 1: Parameters for modular exponentiation system.

p, q Two big prime numbers, satisfying𝑞|𝑝 − 1

g A generator with order q in𝑍_𝑝

𝐸_𝐾(𝑚) A symmetric encryption method of message m with thekey K

(K is the shared key between Bi and AM)

H(x) _𝐻A one-way hash function, satisfying_𝑗_{(𝑥) = 𝐻(𝑥, 𝐻}_𝑗−1_{(𝑥)) and 𝐻}₀_{(𝑥) = 𝑥}

SK_AH AH’s private key

PKAH AH’s public key

𝐵𝑖 The ith bidder

𝑏𝑖𝑑𝑖,𝑗 A bidding price that is placed by Bi in the_auction 𝑗th round of

SK_𝑖 Bi’s private key

RK_𝑖 Bi’s registration key

𝑘𝑖,𝑡1,𝑖,𝑡2,𝑖 Three secret parameters chosen by Bi

𝑁𝑖,𝑗 A pseudonym, RM creates only for Bi in the jth round_{of auction}

𝑟_𝑗 A random number chosen by AH in the jth round of

auction

𝐺𝑗 The public information published by AH in the jth_{round of auction}

TPK_𝑖,𝑗 A transaction public key, AH generates only for Bi in

the jth round of auction

RM. After the RM receives the information transmitted by

𝐵_𝑖, the registration would proceed.

Step 5. The RM authenticates the validity of{RK_𝑖, 𝑘_𝑖, 𝛾_𝑖, 𝜀_𝑖} by

the following equations:

𝛾_𝑖󸀠= 𝐻 (𝑔𝜀𝑖_{⋅ RK}

𝑖−𝛾𝑖 mod𝑝) (11)

𝛾_𝑖󸀠?𝛾_𝑖. (12)

If (12) holds,{RK_𝑖, 𝑘_𝑖, 𝛾_𝑖, 𝜀_𝑖} is valid. This proves SK_𝑖and RK_𝑖

corresponding to each other. In contrast, RM would refuse

to take the registration application from𝐵_𝑖 if the received

information is forged.

Step 6. The RM keeps𝐵_𝑖’s identity information ID_𝑖and the

corresponding secret parameter𝑘_𝑖in its own database.

Step 7. The RM posts 𝐵_𝑖’s identity information ID_𝑖 and

registration key RK_𝑖on BBRM.

Step 8. Before the𝑗th round of auction starts, the RM would

generate a pseudonym(𝑁_𝑖,𝑗) for every bidder 𝐵_𝑖. The order of

all pseudonyms would be randomly arranged and posted on

BBRM. The equation is shown as follows:

𝑁_𝑖,𝑗= RK_𝑖𝐻𝑗(𝑘𝑖)_mod𝑝. ₍₁₃₎

Step 9.𝐵_𝑖can use (13) for computing his/her own pseudonym and verify that his/her pseudonym matches with the one

posted on BBRM. If𝐵𝑖 dose not find his/her pseudonym on

BBRM, he/she can appeal to the RM.

3.3. Generation of Transaction Public Key. In the𝑗th round

of auction,𝐵_𝑖 can obtain the auction information through

the AH who could ask the broker agent to supply the information about currently open auctions. The broker agent would prepare an auction house list that matches the needs

of𝐵_𝑖and send the list back to the AH for𝐵_𝑖to review. When

𝐵𝑖decides which auction he/she wants to participate in,𝐵𝑖

would have to apply for a transaction public key (TPK_𝑖,𝑗),

which is managed by the AH. The AH would generate TPK_𝑖,𝑗

with𝐵_𝑖’s pseudonym on BBRMfor the bidder. The steps are

given as follows.

Step 1. The AH randomly selects an integer𝑟_𝑗 ∈ [1, 𝑞 − 1]

and computes the public information𝐺_𝑗. Then, the AH would

post𝐺_𝑗on BBAH. The equation is shown as follows:

𝐺_𝑗 = 𝑔𝑟𝑗 _mod_𝑝. ₍₁₄₎

Step 2. The AH would use𝑁_𝑖,𝑗and its own private key SKAH

for generating a parameter𝑆_𝑖,𝑗and TPK_𝑖,𝑗for each𝐵_𝑖and post

the generated information on BB_AH. The equation is shown as

follows:

𝑆_𝑖,𝑗= 𝑁_𝑖,𝑗SKAH _mod𝑝 ₍₁₅₎

TPK_𝑖,𝑗= 𝑁_𝑖,𝑗𝑟𝑗⋅𝑆𝑖,𝑗 _mod_𝑝. ₍₁₆₎

3.4. Signature. Before𝐵_𝑖starts to participate in the auction,

𝐵_𝑖must verify TPK_𝑖,𝑗 given by the AH on BB_AH. If the key

is valid,𝐵_𝑖would calculate the corresponding signature with

the bidding price and related information. Subsequently,𝐵_𝑖

can start participating in the bidding. The steps are stated as follows.

Step 1.𝐵_𝑖 uses the AH’s public key PKAH for computing a

parameter𝑆_𝑖,𝑗󸀠 , as follows:

𝑆󸀠_𝑖,𝑗= PKAH𝐻

𝑗_(𝑘

𝑖)⋅SK𝑖 _mod_𝑝. ₍₁₇₎

Step 2.𝐵_𝑖combines his/her private key SK_𝑖and parameter𝑆󸀠_𝑖,𝑗

to generate TPK󸀠_𝑖,𝑗, as follows:

TPK󸀠_𝑖,𝑗= 𝐺_𝑗𝐻𝑗(𝑘𝑖)⋅𝑆󸀠𝑖,𝑗⋅SK𝑖 _mod_𝑝. ₍₁₈₎

𝑆󸀠_𝑖,𝑗 and TPK󸀠_𝑖,𝑗 must verify that they are matched with the

information posted on BB_AH; if not,𝐵_𝑖can appeal to AH.

Step 3.𝐵_𝑖randomly selects an integer𝑡_2,𝑖 ∈ [1, 𝑞 − 1] and

decides a bidding price bid_𝑖,𝑗. Afterwards, a corresponding

signature{𝛼_𝑖,𝑗, 𝛽_𝑖,𝑗} is created, shown as follows:

𝛼_𝑖,𝑗= 𝐺_𝑗𝑡2,𝑖_mod𝑝

𝛽_𝑖,𝑗= (𝑡_2,𝑖+ 𝐻𝑗(𝑘_𝑖) ⋅ 𝑆_𝑖,𝑗⋅ SK_𝑖⋅ 𝐻 (bid_𝑖,𝑗|| 𝛼_𝑖,𝑗)) mod 𝑞.

(19)

Step 4.𝐵_𝑖uses the AH’s public key PKAHfor computing the

shared key𝐾_𝑖, shown as follows:

𝐾_𝑖= PKAH𝐻

𝑗_(𝑘

(9)

Table 2: Definition of the notation.

𝑇MUL The time cost for modulus multiplication operation

𝑇EXP The time cost for modulus exponentiation operation

𝑇_𝐻 The time cost for one-way hash function operation

Step 5.𝐵_𝑖used𝐾_𝑖for encrypting the bid bid_𝑖,𝑗and the

signa-ture{𝛼_𝑖,𝑗, 𝛽_𝑖,𝑗} to obtain the ciphertext 𝐸_𝐾_𝑖(bid_𝑖,𝑗, 𝛼_𝑖,𝑗, 𝛽_𝑖,𝑗).

3.5. Auction Bidding. Before the auction starts,𝐵_𝑖 needs to obtain a bid agent from the AH. After a bid agent is acquired,

𝐵_𝑖, then, is allowed to bid. The auction bidding process is

stated as follows.

Step 1.𝐵_𝑖 should first send out the data tuple

{TPK𝑖,𝑗, 𝐸𝐾𝑖(bid𝑖,𝑗, 𝛼𝑖,𝑗, 𝛽𝑖,𝑗)} to the AH and apply for a

bid agent.

Step 2. After the AH receives the data from 𝐵_𝑖, the AH

must compute the shared key 𝐾_𝑖 to decrypt the

cipher-text 𝐸_𝐾_𝑖(bid_𝑖,𝑗, 𝛼_𝑖,𝑗, 𝛽_𝑖,𝑗) and authenticate the validity of

{TPK_𝑖,𝑗, 𝐸_𝐾_𝑖(bid_𝑖,𝑗, 𝛼_𝑖,𝑗, 𝛽_𝑖,𝑗)}. The equations for verification

are shown as follows:

𝐾_𝑖= TPK_𝑖,𝑗SKAH⋅𝑟𝑗−1 _mod𝑝 ₍₂₁₎

𝐺_𝑗𝛽𝑖,𝑗_?TPK

𝑖,𝑗𝐻(bid𝑖,𝑗||𝛼𝑖,𝑗)⋅ 𝛼𝑖,𝑗mod𝑝. (22)

If (22) holds, this proves that{TPK_𝑖,𝑗, 𝐸_𝐾_𝑖(bid_𝑖,𝑗, 𝛼_𝑖,𝑗, 𝛽_𝑖,𝑗)} is

valid, and vice versa. The AH can reject the bidding request

from𝐵_𝑖if the received information is false.

Step 3. The AH uses the bidding information {TPK_𝑖,𝑗,

bid_𝑖,𝑗, 𝛼_𝑖,𝑗, 𝛽_𝑖,𝑗} for creating a new bid agent for 𝐵_𝑖, and then the

AH would send this agent to the selected AUH to represent

𝐵_𝑖participating in the auction.

Steps 1, 2, and 3 can be skipped if the bid is placed more than once. Only the bidding information would be verified.

Step 4. When the bid agent arrives at the AUH, it has to be

verified that TPK_𝑖,𝑗is the same as on BB_AH. If not, the AUH

can reject𝐵_𝑖’s application.

Step 5. The AUH verifies the bidding information{TPK_𝑖,𝑗,

bid_𝑖,𝑗, 𝛼_𝑖,𝑗, 𝛽_𝑖,𝑗} using (22). If (22) holds, it means that

{TPK_𝑖,𝑗, bid_𝑖,𝑗, 𝛼_𝑖,𝑗, 𝛽_𝑖,𝑗} is valid.

Step 6. The AUH posts the bidding information

{TPK_𝑖,𝑗, bid_𝑖,𝑗, 𝛼_𝑖,𝑗, 𝛽_𝑖,𝑗} on BBAUH. Anyone can use (22)

for verifying the bidding information of𝐵_𝑖.

3.6. Winner Announcement. When the𝑗th round of auction

ends, the one who places the highest bidding price would be announced as the winner. Then, the AUH would take the

winner’s TPK_𝑖,𝑗 to reconfirm the winner’s information𝑁_𝑖,𝑗

and RK_𝑖with the AH and RM. Afterwards, the result would be

published on BBAUHand can be obtained by anyone to verify.

The steps are stated as follows.

Step 1. The AUH takes the winner’s TPK_𝑖,𝑗to the AH and asks

for the pseudonym𝑁_𝑖,𝑗used by the winner.

Step 2. The AH returns the information{TPK_𝑖,𝑗, (𝑟_𝑗⋅𝑆_𝑖,𝑗), 𝑁_𝑖,𝑗}

back to the AUH.

Step 3. The AUH can use (16) for confirming the relationship

between TPK_𝑖,𝑗and𝑁_𝑖,𝑗.

Step 4. The AUH takes the winner’s𝑁_𝑖,𝑗to the RM and asks

for the winner’s RK_𝑖.

Step 5. The RM returns the information{𝑁_𝑖,𝑗, 𝐻𝑗(𝑘_𝑖), RK_𝑖}

back to the AUH.

Step 6. The AUH can use (13) for confirming the relationship

between𝑁_𝑖,𝑗and RK_𝑖.

Step 7. The AUH will post the winner’s information,

{TPK_𝑖,𝑗, (𝑟_𝑗⋅ 𝑆_𝑖,𝑗), 𝑁_𝑖,𝑗} and {𝑁_𝑖,𝑗, 𝐻𝑗_(𝑘

𝑖), RK𝑖}, on BBAUH. The

winner’s information on BBAUHcan be obtained by anyone to

verify again according to (13) and (16).

4. Security and Efficiency Analysis

The proposed cryptosystem applied the ElGamal algorithm,

it having two advantages:(1) not keeping secret parameters,

as all system parameters can be public, and (2) different

ciphertexts formed from the same plaintext at distinct time by one same user. The ElGamal parameters are generally used in each phase of this system. The security is established on the difficulty of solving discrete logarithm problem, for

example, giving𝑔, 𝑝, and 𝑆KAH; the attempt of guessing or

deciphering 𝑃KAH is computationally infeasible. Regarding

the above-mentioned security features, the proposed protocol is discussed as follows.

(1) Anonymity. Except RM and AH working together to reveal

the identity during the auction, nobody can find out who the bidder is. The anonymity of bidders can be analyzed from the perspectives of RM, AH, and AUH.

(1.1) For the AUH, it is only authorized to obtain

the bidding information,{TPK_𝑖,𝑗, bid_𝑖,𝑗, 𝛼_𝑖,𝑗, 𝛽_𝑖,𝑗} and

{𝛼_𝑖,𝑗, 𝛽_𝑖,𝑗}, is the signature for bid_𝑖,𝑗, where TPK_𝑖,𝑗

is a key for the verification. Thus, the AUH is just

allowed to use TPK_𝑖,𝑗for verifying the signature and

comparing TPK_𝑖,𝑗 to the one posted on BBAH. Still,

who the bidder is will never be known.

(1.2) For the AH, it merely knows the relationship between

𝑁_𝑖,𝑗and TPK_𝑖,𝑗; thus, it does not have enough

infor-mation to recognize who the bidder is.

(1.3) For the RM, it cannot derive from TPK_𝑖,𝑗to obtain the

corresponding𝑁_𝑖,𝑗, even if the RM has the bidder’s

(10)

Table 3: Analysis of computation complexity

Phase [4] The proposed system

Registration 5𝑛𝑇EXP+ 1𝑛𝑇MUL+ 2𝑛𝑇𝐻 5𝑛𝑇EXP+ 2𝑛𝑇MUL+ 3𝑛𝑇𝐻

Generation of transaction public key 7𝑛𝑇_EXP+ 5𝑛𝑇_MUL+ 1𝑛𝑇_𝐻 (2𝑛 + 1)𝑇_EXP+ 1𝑛𝑇_MUL

Signature 3𝑇EXP+ 5𝑇MUL+ 1𝑇𝐻 4𝑇EXP+ 8𝑇MUL+ 2𝑇𝐻

Auction bidding 3𝑇EXP+ 3𝑇MUL+ 2𝑇𝐻 3𝑇EXP+ 2𝑇MUL+ 1𝑇𝐻

Winner announcement 2𝑇_EXP+ 1𝑇_MUL+ 1𝑇_𝐻 2𝑇_EXP+ 1𝑇_MUL+ 1𝑇_𝐻

As seen in the comparison table, the computation amount of this system is much lower than [4], especially in the generation phase of transaction public key.

(2) Traceability. Anyone can get{TPK_𝑖,𝑗, (𝑟_𝑗⋅ 𝑥_𝑆_𝑖,𝑗), 𝑁_𝑖,𝑗} and

{𝑁_𝑖,𝑗, 𝐻𝑗_(𝑘

𝑖), RK𝑖} from BBAUH and use (13) and (16) for

verifying the winning bidder’s identity.

(3) No Framing. Unless attackers get𝐵_𝑖’s SK_𝑖,𝐵_𝑖’s signature

cannot be forged. Even if attackers get RK_𝑖 and intend to

derive SK_𝑖from RK_𝑖, it will be difficult for him/her to obtain

SK_𝑖, because of the security based on the DLP.

(4) Unforgeability. Attackers will be unable to calculate

the transaction public key by using the equation

TPK_𝑖,𝑗 = 𝐺_𝑗𝐻𝑗(𝑘𝑖)⋅𝑆𝑖,𝑗⋅SK𝑖 _{(in modular exponentiation system)}

or TPK_𝑖,𝑗 = (𝐻𝑗(𝑘_𝑖) ⋅ 𝑥_𝑆󸀠

𝑖,𝑗 ⋅ SK𝑖)𝐺𝑗 or to forge any valid

bidding information{TPK_𝑖,𝑗, bid_𝑖,𝑗, 𝛼_𝑖,𝑗, 𝛽_𝑖,𝑗}. The reason can

be explained in three aspects.

(4.1) Attackers cannot obtain𝐵_𝑖’s SK_𝑖,𝑘_𝑖, and𝑆_𝑖,𝑗.

(4.2) Attackers have to spend a great deal of time on

resolving the DLP, even if𝐻𝑗(𝑘_𝑖) ⋅ 𝑆_𝑖,𝑗⋅ SK_𝑖or(𝐻𝑗(𝑘_𝑖) ⋅

𝑥_𝑆󸀠

𝑖,𝑗⋅ SK𝑖) is captured.

(4.3) Because𝐻𝑗(𝑘_𝑖) is different in each round of auction,

the bidder’s pseudonym𝑁_𝑖,𝑗 and transaction public

key TPK_𝑖,𝑗 would be different in each round of

auction.

(5) Nonrepudiation. A signature is hidden inside the bidding

information and it has the characteristic of no framing. Therefore, the winning bidder of the auction round cannot deny his/her signature.

(6) Fairness. All bidders use pseudonyms to join in the

auction. The AUH will post the valid bidding information

BBAUH. If 𝐵𝑖 does not find his/her bidding information,

he/she could appeal to the AUH. Like this, the AUH can fairly handle all bidders’ information.

(7) Public Verifiability. Anyone can confirm the validity of the

bidder, the validity of a bid, and the winning bidder’s real identities.

(8) Unlinkability among Various Auction Rounds. In each

auction, the pseudonym generated by the RM and the transaction public key generated by the AH are different. Except the RM and AH sharing these keys with each other,

no one will know the relationship about𝐵_𝑖 among various

auction rounds.

(9) Linkability within a Single Auction Round. Within a single

round of the auction,𝐵_𝑖holds the same TPK_𝑖,𝑗to place a bid

in the auction. It is traceable to know how many times the bidder places the bid and who places the bid.

(10) Efficiency of Bidding. The efficiency of bidding shall be

explained later.

(11) One-Time Registration. A bidder uses a pseudonym𝑁_𝑖,𝑗

for participating in the auction. Hence, 𝐵_𝑖 only needs to

register once with the RM.

(12) Easy Revocation. It is easy for the RM to revoke a bidder’s

identification and secret parameters from the database. Once the information is removed from the database, the bidder loses the right to participate in the auction.

The following is the performance comparison between [4]

and the proposed protocol. The notation used is defined as

shown as Tables2and3.

Due to modulus addition and subtraction operation amount being low, they can be omitted.

The analysis of computation complexity related to these two systems is described below following the above informa-tion.

As seen in the comparison table, the computation amount

of this system is much lower than [4], especially in the

generation phase of transaction public key.

5. Conclusion

This paper puts forward an agent-based English auction pro-tocol to allow bidders to obtain information and participate in auctions through an agent. Based upon the proposal, it clearly satisfies all of the security requirements for online auction protocols, such as anonymity, traceability, fairness, and so on. Because the mobile devices are identified with inherently weaker computation capability, this protocol is employed on the mobile agent to achieve lower computation amount and to reduce the time cost consumed by verification and computation. This is a means to make the online auction on mobile devices become more efficient and convenient. As wireless networks continue to become extensively used, the proposed system for wireless data exchange has just met the minimum for the security purpose. In the future, the key

(11)

point would be focused on enhancing the auction-related data protection.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgment

This work was supported partially by National Science Coun-cil, Taiwan, under Grant NSC 102-2221-E-029-008.

References

[1] Z. X. Huang, Applying data mining to analyze online

auc-tion market [M.S. thesis], Chaoyang University of Technology,

Taichung, China, 2003.

[2] F. M. Lee, J. P. Chen, and J. W. Hung, “Applying software agent on internet auction and bargaining system,” Institute of Information

& Computing Machinery, vol. 3, no. 2, pp. 67–80, 2000.

[3] F. C. Peng, C. O. Chang, and M. C. Chen, “A study of influence of different auction mechanism to no-performing assets,” Sun

Yat-Sen Management Review, vol. 16, no. 3, pp. 401–428, 2008.

[4] K. H. Huang, A study on mobile computing applications to secure

transaction models [Doctoral Dissertation], National Taiwan

University, Taipei, China, 2008.

[5] K. K. Lee and J. Ma, “Efficient public auction with one-time registration and public Verifiability,” in Proceedings of the 2nd

International Conference on Cryptology in India (INDOCRYPT ’01), pp. 162–174, Chennai, India, December 16-20, 2001.

[6] K. Omote and A. Miyaji, “A practical English auction with one-time registration,” in Proceedings of the 6th Australasian

Conference on Information Security and Privacy, pp. 221–234,

Sydney, Australia, July 2001.

[7] K. Q. Nguyen and J. Traore, “An online public auction protocol protecting bidder privacy,” in Proceedings of the 5th Australasian

Conference on Information Security and Privacy, pp. 427–442,

Brisbane, Australia, July 2000.

[8] T. C. Wu, K. Y. Chen, and Z. Y. Lin, “An English auction mechanism for internet environment,” in Proceedings of the

Information Security Conference (ISC ’02), pp. 331–337.

[9] C.-C. Chang and Y.-F. Chang, “Efficient anonymous auction protocols with freewheeling bids,” Computers and Security, vol. 22, no. 8, pp. 728–734, 2003.

[10] R. Jiang, L. Pan, and J.-H. Li, “An improvement on efficient anonymous auction protocols,” Computers and Security, vol. 24, no. 2, pp. 169–174, 2005.

[11] Y.-F. Chang and C.-C. Chang, “Enhanced anonymous auction protocols with freewheeling bids,” in Proceedings of the 20th

International Conference on Advanced Information Networking and Applications, pp. 353–358, Vienna, Austria, April 2006.

[12] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on

Informa-tion Theory, vol. 31, no. 4, pp. 469–472, 1985.

[13] W. Diffie and M. E. Hellman, “New directions in cryptography,”

IEEE Transactions on Information Theory, vol. 22, no. 6, pp.

644–654, 1976.

[14] K.-H. Huang, Y.-F. Chung, C.-H. Liu, F. Lai, and T.-S. Chen, “Efficient migration for mobile computing in distributed net-works,” Computer Standards and Interfaces, vol. 31, no. 1, pp. 40– 47, 2009.

[15] I.-C. Lin, H.-H. Ou, and M.-S. Hwang, “Efficient access control and key management schemes for mobile agents,” Computer

(12)

Submit your manuscripts at

http://www.hindawi.com

Hindawi Publishing Corporation

http://www.hindawi.com Volume 2014

Mathematics

Journal of

http://www.hindawi.com Volume 2014 Mathematical Problems in Engineering

Hindawi Publishing Corporation http://www.hindawi.com

Differential Equations

International Journal of

Volume 2014

http://www.hindawi.com Volume 2014 Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014

Mathematical PhysicsAdvances in

Complex Analysis

Journal of

Optimization

Journal of

Combinatorics

Journal of

Function Spaces

Abstract and Applied Analysis

http://www.hindawi.com Volume 2014 International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporation http://www.hindawi.com Volume 2014

The Scientific

World Journal

Discrete Dynamics in Nature and Society

Discrete Mathematics

Journal of

http://www.hindawi.com Volume 2014 Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014

An Agent-Based Auction Protocol on Mobile Devices

Research Article