Keywords:

  • homomorphic auction;
  • bid validity check;
  • high efficiency

ABSTRACT

  1. Top of page
  2. ABSTRACT
  3. INTRODUCTION
  4. EXISTING HOMOMORPHIC E-AUCTION SCHEMES AND THEIR DRAWBACKS IN EFFICIENCY
  5. HOMOMORPHIC E-AUCTION BASED ON ENCRYPTION ALGORITHM WITH A SMALL MESSAGE SPACE
  6. HOMOMORPHIC E-AUCTION WITH THRESHOLD ROBUSTNESS AND FREE OF REPEATING MECHANISM
  7. HIGHER COMPUTATIONAL EFFICIENCY IN HOMOMORPHIC E-AUCTION WITH MORE ROUNDS OF COMMUNICATION
  8. COMPARISON AND CONCLUSION
  9. REFERENCES

Traditionally, there are two very costly operations in homomorphic e-auction schemes. First, bid validity check is an efficiency bottleneck for both the bidders and auctioneers, but it is needed to guarantee validity of the bids and correctness of homomorphic bid opening. Second, although the auctioneers can employ binary search to reduce the instances of homomorphic bid opening, every bid opening needs a costly equality test. The two costly operations prevent homomorphic e-auction from being applied to efficiency-sensitive applications. In this paper, three new homomorphic e-auction protocols are proposed to get rid of them in homomorphic e-auction. As a result, efficiency of e-auction is greatly improved. Copyright © 2012 John Wiley & Sons, Ltd.

INTRODUCTION

In a sealed-bid auction scheme, each bidder chooses his evaluation from a number of biddable prices and submits it to some auctioneers, who then open the bids and determine the winning price and winner according to a predefined auction rule. Usually, the bidder with the highest bid wins. The following properties are often desired in sealed-bid auction.

  1. Correctness: The auction result is determined strictly according to the auction rule.
  2. Public verifiability: Correctness of the auction including validity of the bids, correctness of bid opening, and correctness of winner identification must be publicly verifiable.
  3. Fairness: No bidder can take advantage of other bidders (e.g., recover other bids and choose or change his own bids according to other bids).
  4. Confidentiality: Each bid remains confidential before the bid opening phase starts.
  5. Bid privacy: Confidentiality of the losing bids must still be retained after the auction finishes. Strictly speaking, no information about any losing bid should be revealed except what can be deduced from the auction result.
  6. Robustness: The auction can still run properly in abnormal situations such as existence of invalid bid or failure of some auctioneers.

When bid privacy must be kept, a popular solution to sealed-bid secure e-auction is homomorphic auction [1, 3, 5, 13-15, 18, 20]. Its advantage over other sealed-bid e-auction schemes [4, 7, 11, 12, 16, 17, 19, 25-28] is simplicity in bid opening. Its bid opening function opens the bids collectively instead of separately and is called homomorphic bid opening. To adopt this bid opening function, one-selection-per-price principle and homomorphic bid sealing must be employed. Each bidder has to submit a bidding choice at every biddable price to indicate whether he is willing to pay that price (e.g., 1 for “YES” or 0 for “NO”). Every choice is sealed with a homomorphic secret sharing or encryption algorithm (as will be explained in detail in Section 2) so that the auctioneers can test at a price whether the sum of the bidding choices (and thus the number of bidders willing to pay the price) is positive without revealing any bidding choice. With this homomorphic bid opening mechanism, the winning bid can be determined without opening the separate bidding choices.

In homomorphic e-auction, each bidding choice must be in some special set (containing the certain values standing for “YES” or “NO”) to guarantee correctness and fairness of the auction. So validity of the bids must be proven by the bidders and then publicly verified. However, proof and verification of bid validity are highly inefficient in the existing homomorphic e-auction schemes. Moreover, although binary search for the winning price only tests the sum of bidding choices at some chosen prices, each test is an equality test (as will be explained in detail in Section 2), which cannot be efficiently implemented in the existing homomorphic e-auction schemes when no bid privacy is compromised. Some methods [21-23] are proposed to improve efficiency of homomorphic e-auction. The techniques in Refs [21, 22] employ short exponents to improve efficiency, but their method has two drawbacks. First, it weakens soundness of e-auction. Second, its advantage in efficiency is not very fair because other homomorphic e-auction schemes can improve their efficiency by employing shorter exponents and weakening soundness as well. The homomorphic e-auction scheme in Ref. [23] is only efficient when there is only one verifier to check validity of the bids. So it is not suitable for publicly verifiable e-auction applications, where there are many verifiers including the auctioneers and other observers. In this paper, we are interested in e-auction with robust soundness, general applicability, and balanced efficiency. So these improvements [21-23] are incomparable with our new techniques. The most recent e-auction scheme [24] has limited application in a special wireless network, although it proposes some inspiring ideas. Its ideas and designs are generalized and developed in this paper.

Three new homomorphic e-auction protocols are proposed in this paper to get rid of bid validity check and equality test in homomorphic e-auction. They randomize the bids before summing them up so that correctness of auction is achieved without bid validity check, and bid privacy is maintained without any equality test. The three new e-auction protocols are much more efficient than the existing secure e-auction schemes, including homomorphic auction and other solutions. They employ different sealing mechanisms to suit different applications. The first protocol employs efficient Goldwasser–Micali (G-M) encryption algorithm but needs a repeating mechanism and cannot employ a flexible sharing threshold in distributed bid opening. The second protocol employs more costly Paillier encryption algorithm but is free of any repeating mechanism and supports threshold distributed bid opening. The third protocol employs extremely efficient symmetric cipher and threshold distributed bid opening but needs more rounds of communication.

EXISTING HOMOMORPHIC E-AUCTION SCHEMES AND THEIR DRAWBACKS IN EFFICIENCY

Homomorphic e-auction employs a homomorphic encryption algorithm to seal the bids. An encryption algorithm with decryption function D() is homomorphic if D(c1c2) = D(c1) + D(c2) or D(c1c2) = D(c1)D(c2) for any ciphertexts c1 and c2. With a homomorphic encryption algorithm with encryption function E() and homomorphic property D(c1c2) = D(c1) + D(c2) (and sometimes homomorphic secret sharing, which has a similar homomorphic property), the existing homomorphic e-auction schemes [1, 3, 5, 13-15, 18, 20] work as follows, where for simplicity of description, homomorphic secret sharing-based bid sealing is not discussed:

  1. m auctioneers A1, A2, …, Am share the private key of the employed homomorphic encryption algorithm, whose decryption function outputs a message in Zq.
  2. Suppose there are n bidders B1, B2, …, Bn and L biddable prices p1, p2, …, pL. It is required that L < n and n < q, which is easily satisfied in any practical auction application.
  3. Each bidder Bi chooses his bid pρ and generates his bidding vector (si, 1, si, 2, …, si, L), where si, l = 1 for l = ρ and si, l = 0 otherwise.
  4. Each bidding vector (si, 1, si, 2, …, si, L) is encrypted into (ci, 1, ci, 2, …, ci, L), where ci, l = E(si, l).
  5. Each Bi illustrates validity of his bid through proof of
    • display math(1)
    • display math(2)
  6. The sealed bids are adjusted: inline image for i = 1, 2, …, n and l = 1, 2, …, L. The final sealing result inline image contains 1 iff Bi is willing to pay pl.
  7. The auctioneers cooperate to search for the winning bids. Usually, there are two searching strategies: downward search and binary search. The former starts from the highest biddable price and goes downward, testing whether there are any bidding choices of “1” at each price on its route until it is found at a price, which becomes the winning price. The latter organizes the biddable prices in a binary tree and follows the binary searching route toward the winning price, doing the same test at each price on its route until “1” is met at the winning price. No matter which search strategy is employed, at each price on the searching route, pl, the auctioneers cooperate to test whether inline image. If bid privacy needs to be completely protected and the number of YES choices at pl cannot be revealed, inline image cannot be revealed, and this test is reduced to an equality test to see whether

    • display math
    • In a downward search, if inline image is met, pl is the winning price; otherwise, the search goes to the next lower price.
    • In a binary search, if inline image, the search goes to the sub-binary tree containing the lower prices; otherwise, the search goes to the sub-binary tree containing the higher prices.

    Most homomorphic e-auction schemes employ binary search to shorten the searching route. The search goes on until it stops at the winning price.

  8. The bidding choices at the winning price are decrypted to identify the winner.

Both the proof and verification of bid validity and the equality test are inefficient. The former usually needs L instances of zero-knowledge proof of partial knowledge [6] for each bid, whereas the latter usually employs complex and costly multiparty computation and zero-knowledge proof operations. Unfortunately, both bid validity check and equality test are necessary for correctness and privacy of the existing homomorphic auction schemes. In particular, invalid bids may cause homomorphic e-auction to fail. For example, if a bidder submits −1 as a bidding choice at a price, it may make the sum of bidding choices at that price 0 when there is another 1 choice at the price. In another example, two malicious bidders can collude to break fairness of auction as follows:

  1. Two colluding bidders Bμ and Bν submit 1 and −1, respectively, at the highest price they are willing to pay. At other biddable prices, they bid normally (e.g., only submitting 1 at the prices no higher than their expectation of winning bid).
  2. After bid opening, if either Bμ or Bν wins, they accept the auction result and do nothing. If another bidder wins at a price lower than the highest price they are willing to pay, Bμ claims winning and publishes his 1 choice at the highest price they are willing to pay to prove his claim.

HOMOMORPHIC E-AUCTION BASED ON ENCRYPTION ALGORITHM WITH A SMALL MESSAGE SPACE

A simple idea to get rid of bid validity check in homomorphic e-auction is that if the message space of the encryption algorithm employed to seal the bids only contains two integers, respectively representing YES and NO, any ciphertext in its ciphertext space is an encryption of a valid bidding choice. An example of such special encryption algorithms is G-M encryption algorithm [9], which can be modified as follows to support homomorphic bid opening:

  1. Key generation

    Two large primes p and q with roughly the same size are chosen to be the private key. The public key is composed of N = pq and y, a quadratic nonresidue modulo N with Jacobi symbol 1.

  2. Message space and ciphertext space: {1, −1} → Q, where Q contains all the integers with Jacobi symbol 1 in inline image.
  3. Encryption

    • If the message is 1, the ciphertext is x² mod N, where x is randomly chosen from inline image.
    • If the message is −1, the ciphertext is yx² mod N, where x is randomly chosen from inline image.
  4. Decryption: If an integer with Jacobi symbol −1 is given as the ciphertext, the decryption fails and the integer is declared as an invalid ciphertext. If a valid ciphertext is given, output the Legendre symbol of the ciphertext.

The only modification from the original G-M encryption is that the message space is changed from {0, 1} to {1, −1}. So after the modification, the G-M encryption scheme is still semantically secure. Moreover, it becomes homomorphic. Namely, D(c1)D(c2) = D(c1c2) holds for decryption function D() and any ciphertexts c1 and c2. The property of low computational cost when the message space is not too large is also inherited from the original G-M encryption. An encryption costs 1.5 multiplications on average. The cost of a decryption (calculating Legendre symbol when the factorization of N is known) is comparable with multiplication.

In the application to auction (which must be publicly verifiable) in this paper, it is required to publicly prove and verify correctness of each decryption. If the decryption authority outputs 1 given a ciphertext c, he must publish a Zero Knowledge (ZK) proof of knowledge of a square root of c to guarantee correctness of his decryption. If the decryption authority outputs −1 given a ciphertext c, he must publish a ZK proof of knowledge of a square root of cy to guarantee correctness of his decryption. Because the decryption authority knows the factorization of N, he can efficiently calculate a square root of any quadratic residue and use the ZK proof in Ref. [10] to prove the knowledge of the square root.

When the modified G-M encryption is employed to seal the bidding choices, homomorphic bid opening can work with −1 and 1 used to represent YES and NO, respectively, in a bidding choice. If all the choices at a price are “NO” (represented by 1), the product of any subset of them is 1. If there is at least one “YES” choice (represented by −1) at a price, the probability that the product of a random subset of the choices at that price is −1 is 0.5. So if a number (denoted as T1, e.g., 20 or 30) of random subsets are chosen from all the choices at a price and the product of the choices in each subset is calculated, all the T1 products are always 1 if all the choices at that price are “NO”; at least one product is −1 with a probability inline image if at least one of the choices at that price is “YES”. So if at a price, homomorphism of G-M encryption is exploited to repeatedly (T1 times) decrypt the products of the encrypted choices in different random subsets without decrypting any single encrypted choice, bid opening at that price can be implemented without breaching bid privacy. Each product must be verified to be valid (it is the product of some encrypted choices) for the sake of public verifiability, whereas each subset must be kept secret for the sake of complete bid privacy. Besides bid validity check, this bid opening mechanism gets rid of equality test as well.
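The modified G-M scheme and the random-subset opening described above, as an added Python example that is not code from the paper. It assumes a single key holder instead of m auctioneers, omits the ZK proofs, and uses toy primes; all function names are hypothetical.

```python
import secrets

# Toy private key, constructed for this example: two Mersenne primes.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
YES, NO = -1, 1  # encoding of the bidding choices used in the text


def legendre(a, p):
    """Legendre symbol of a modulo an odd prime p (Euler's criterion)."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n; computable without factoring n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def random_unit():
    """Random integer in [2, N) coprime to N."""
    while True:
        x = secrets.randbelow(N - 2) + 2
        if x % P and x % Q:
            return x


def find_y():
    """Public y: Jacobi symbol 1, but a non-residue modulo both primes."""
    while True:
        y = random_unit()
        if legendre(y, P) == -1 and legendre(y, Q) == -1:
            return y


Y = find_y()


def encrypt(choice):
    """NO (1) -> x^2 mod N, YES (-1) -> y * x^2 mod N."""
    square = pow(random_unit(), 2, N)
    return square if choice == NO else Y * square % N


def is_valid_ciphertext(c):
    """Public check that replaces the bid validity proof: Jacobi symbol 1."""
    return 0 < c < N and jacobi(c, N) == 1


def decrypt(c):
    """Key holder's decryption: Legendre symbol modulo the secret prime P."""
    if not is_valid_ciphertext(c):
        raise ValueError("invalid ciphertext (Jacobi symbol is not 1)")
    return legendre(c, P)


def open_price(sealed_choices, rounds=30):
    """True iff the product of some random subset decrypts to YES.

    `rounds` plays the role of T1. No single choice is ever decrypted.
    """
    for _ in range(rounds):
        product = encrypt(NO)  # fresh encryption of 1 re-randomises the product
        for c in sealed_choices:
            if secrets.randbelow(2):  # secret coin: include this choice or not
                product = product * c % N
        if decrypt(product) == YES:
            return True
    return False


def seal_bid(max_index, num_prices):
    """YES at every price index up to max_index, NO above it."""
    return [encrypt(YES if j <= max_index else NO) for j in range(num_prices)]


def winning_price_index(sealed_bids, num_prices):
    """Binary search for the highest price index holding a YES choice."""
    lo, hi, best = 0, num_prices - 1, None
    while lo <= hi:
        mid = (lo + hi) // 2
        if open_price([bid[mid] for bid in sealed_bids]):
            best, lo = mid, mid + 1   # positive result: search upward
        else:
            hi = mid - 1              # negative result: search downward
    return best
```

Because every integer with Jacobi symbol 1 decrypts to either 1 or −1, a bidder has no way to submit an out-of-range choice; a false negative at a price needs all `rounds` random subsets to miss, which happens with probability 2^(−rounds).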

The auction protocol is described in the following. Note that two indices k and k′ are used for the auctioneers in the description. Ak refers to the kth auctioneer holding his bidding shares and decrypting the product of his bidding shares, whereas inline image refers to the k′th auctioneer randomizing bidding shares held by other auctioneers.

  1. Preparation phase

    A bulletin board, acting as a broadcast communication channel, is set up, where the auction rule is published. There are n bidders B1, B2, …, Bn. m auctioneers A1, A2, …, Am are employed. Each Ak sets up a modified G-M encryption scheme with modulus Nk, public key yk, encryption function Ek() and decryption function Dk() for k = 1, 2, …, m.

  2. Bidding phase

    Each bidder Bi chooses bi,j, his bidding choice at the jth biddable price for j = 1, 2, …, L. If he is willing to pay pj, Bi chooses bi, j = − 1. If he is not willing to pay pj, Bi chooses bi, j = 1. Then Bi randomly chooses bi, j, k from {1, −1} for k = 1, 2, …, m such that inline image. Finally, Bi calculates ci, j, k = Ek(bi, j, k) for j = 1, 2, …, L and k = 1, 2, …, m, then publishes them on the bulletin board.

  3. Bid opening phase

    The auctioneers perform a binary search for the winning price in the biddable prices. The operation at any price pj on the searching route is as follows.

    1. ci, j, k for i = 1, 2, …, n and k = 1, 2, …, m are verified to be valid ciphertexts (with Jacobi symbol 1).
    2. Each auctioneer inline image randomly chooses secret integer inline image for i = 1, 2, …, n and t = 1, 2, …, T1.
    3. Each auctioneer inline image randomly chooses secret integer inline image from inline image for k = 1, 2, …, m and t = 1, 2, …, T1.
    4. Each auctioneer inline image calculates and publishes on the bulletin board
      • display math
    5. For t = 1, 2, …, T1, each inline image publishes on the bulletin board a proof of knowledge of inline image for i = 1, 2, …, n and inline image for k = 1, 2, …, m to satisfy
      • display math(3)
      For t = 1, …, T1, where details of the proof are described in Figure 1.
    6. For t = 1, 2, …, each auctioneer Ak publishes inline image and proof of correctness of his decryption on the bulletin board until inline image or t = T1. If one decryption returns −1, the search at pj returns a positive result (at least one bid at this price). Otherwise, the search at pj returns a negative result (no bid at this price).

Figure 1. Batch proof and verification of Equation (3).


If the search at pj returns a positive result, the binary search continues upward. If the search at pj returns a negative result, the binary search continues downward. The tth round of bid opening operation at price pj is demonstrated in Table 1, where there are three auctioneers: A1, A2, and A3. Finally, the binary search ends at the winning price.

Table 1. The tth round of bid opening operation at pj.
| Ak | A1 holds ci, j, 1 for i = 1, 2, …, n | A2 holds ci, j, 2 for i = 1, 2, …, n | A3 holds ci, j, 3 for i = 1, 2, …, n |
| --- | --- | --- | --- |
| inline image | | | |
| A1 selects ri, j, t, 1 for 1 ≤ i ≤ n, Rj, 1, t, 1, Rj, 2, t, 1, Rj, 3, t, 1 | inline image inline image | inline image inline image | inline image inline image |
| A2 selects ri, j, t, 2 for 1 ≤ i ≤ n, Rj, 1, t, 2, Rj, 2, t, 2, Rj, 3, t, 2 | inline image inline image | inline image inline image | inline image inline image |
| A3 selects ri, j, t, 3 for 1 ≤ i ≤ n, Rj, 1, t, 3, Rj, 2, t, 3, Rj, 3, t, 3 | inline image inline image | inline image inline image | inline image inline image |
| | dj, 1, t = D1(Cj, 1, t, 1 Cj, 1, t, 2 Cj, 1, t, 3) | dj, 2, t = D2(Cj, 2, t, 1 Cj, 2, t, 2 Cj, 2, t, 3) | dj, 3, t = D3(Cj, 3, t, 1 Cj, 3, t, 2 Cj, 3, t, 3) |

The key technique in the e-auction design is the efficient proof protocol in Figure 1, whose security is illustrated in Theorem 1, Theorem 2, and Theorem 3.

Theorem 1. The proof protocol in Figure 1 is correct. More precisely, if inline image does not deviate from the proof protocol, he can pass the verification.

Proof. If inline image does not deviate from the proof protocol, for k = 1, 2, …, m

  • display math

Theorem 2. The proof protocol in Figure 1 is especially sound. More precisely, if inline image's proof passes the verification with a probability larger than 0.5 and at least one auctioneer chooses his challenges randomly, he can efficiently calculate inline image for i = 1, 2, …, n, t = 1, 2, …, T1, and inline image for k = 1, 2, … m, t = 1, 2, …, T1, such that inline image mod Nk for k = 1, 2, …, m, t = 1, 2, …, T1.

Proof. That at least one auctioneer chooses his challenges randomly implies challenges inline image are randomly chosen in inline image's proof in Figure 1.

Given the commitments a1, a2, …, am and any integer T in inline image, there must exist challenges inline image and inline image in inline image such that inline image and responses zi, inline image for i = 1, 2, …, n and sk, inline image for k = 1, 2, …, m can be found to satisfy the following two equations.

  • display math(4)
  • display math(5)

Otherwise, given a1, a2, …, am and any inline image, responses zi for i = 1, 2, …, n and sk for k = 1, 2, …, m can be found for at most one wT to satisfy inline image. This deduction implies among the inline image possible combinations of inline image, at most, inline image of them can be the challenges such that correct responses zi for i = 1, 2, …, n and sk for k = 1, 2, …, m can be found for the commitments a1, a2, …, am to satisfy inline image. This conclusion leads to a contradiction: correct responses zi for i = 1, 2, …, n and sk for k = 1, 2, …, m can be found for a random set of challenges inline image to pass the verification in the protocol in Figure 1 with a probability no larger than 0.5.

Without losing generality, suppose wT = 1 and inline image. Equation (4) divided by Equation (5) yields

  • display math(6)

Note that Equation (6) is true for any integer T in inline image.

Theorem 3. The proof protocol in Figure 1 is honest verifier zero knowledge.

Proof. For simplicity of the proof, suppose ci, j, k has Jacobi symbol 1 for i = 1, 2, …, n. In the proof transcript, ak distributes uniformly in all the integers with Jacobi symbol 1 in inline image for k = 1, 2, …, m; each of inline image distributes uniformly in {0, 1} if at least one co-auctioneer chooses his challenges to inline image randomly; zi distributes uniformly in {0, 1} for i = 1, 2, …, n; sk distributes uniformly in all the integers with Jacobi symbol 1 in inline image for k = 1, 2, …, m. So anyone can randomly choose wt from {0, 1} for t = 1, 2, …, T1, zi from {0, 1} for i = 1, 2, …, n, and sk from all the integers with Jacobi symbol 1 in inline image for k = 1, 2, …, m, then calculate inline image to produce a proof transcript with the same distribution. Because the two transcripts are indistinguishable when the challenges are randomly chosen, the proof is zero knowledge if at least one co-auctioneer chooses his challenges to inline image randomly.

Without the assumption that ci, j, k has Jacobi symbol 1 for i = 1, 2, …, n, the proof can be given similarly. The only difference is that the distribution space becomes inline image.

This optimized e-auction protocol is called Protocol 1. Satisfaction of the desired security properties in the new sealed-bid auction design in this section is illustrated as follows:

Theorem 4. If each inline image passes all the T2 instances of verification in Section 1 with a probability larger than inline image and at least one auctioneer chooses the challenges randomly in the verification in Section 1, whether there is any YES choice at pl is detected with an overwhelmingly large probability.

Proof. Because each inline image passes all the T2 instances of verification in Figure 1 with a probability larger than inline image, each inline image passes at least one of the T2 instances of verification in Figure 1 with a probability larger than 0.5. Because at least one auctioneer chooses the challenges randomly in the verification in Section 1, according to Theorem 2

  • display math

So

  • display math

According to multiplicative homomorphism of the modified G-M encryption, correctness of the modified G-M decryption guaranteed by the public correctness proof of decryption and the decryption rule that the decryption of any quadratic residue is 1, for t = 1, 2, …, T1:

  • display math

Note that for any inline image at price pj,

  • if bi, j = 1 for i = 1, 2, …, n, then inline image;
  • else then inline image with a probability 0.5 as inline image for i = 1, 2, …, n are random (at least one auctioneer inline image randomly chooses and conceals inline image for i = 1, 2, …, n).

Because inline image is tested for T1 times at price pj unless inline image is met,

  • if bi, j = 1 for i = 1, 2, …, n, then inline image for t = 1, 2, …, T1;
  • else then inline image for t = 1, 2, …, T1 with a probability inline image.

So, bid opening at pj is correct with an overwhelmingly large probability inline image.

Protocol 1 is computationally private. More precisely, no information about the losing bids is revealed other than what can be deduced from the auction result if at least one auctioneer is honest and factorization of the product of two large primes is computationally intractable. This conclusion is based on the following important facts about bid privacy.

  • The modified G-M encryption is semantically secure if factorization of the product of two large primes is computationally intractable, so no information about any bid is revealed from any encrypted choice if factorization of the product of two large primes is computationally intractable.
  • To get any information about the bids, the encrypted choices must be decrypted. However, ciphertext of each choice is randomly shared among the auctioneers, and every share is randomly chosen and independent of the corresponding choice. So although every auctioneer can decrypt any choice share encrypted with his public key, decryption of any choice requires cooperation of all the auctioneers (called complete corporate decryption in this paper), which is impossible when at least one auctioneer is honest.
  • The decryption operations in the bid opening phase reveal no information about the losing bids if at least one auctioneer is honest because of the following reasons:
    • If inline image for t = 1, 2, …, T1 at a price pj, these T1 complete corporate decryptions only reveal that there is no “YES” choice at pj, which is deducible from the auction result. So no information about bi, j for i = 1, 2, …, n, which cannot be deduced from the auction result, is revealed.
    • If inline image for a certain t in inline image, it is only revealed that there is at least one “YES” choice in a subset of the choices at pj. If the subset is kept secret, the revealed information is deducible from the auction result. Note that inline image is (at least computationally) hidden in inline image, whereas Theorem 3 indicates that the proof in Figure 1 is zero knowledge when at least one auctioneer is honest. So inline image for i = 1, 2, …, n are retained secret, and thus, all the T1 chosen subsets are kept secret when at least one auctioneer is honest. So no information about bi, j for i = 1, 2, …, n, which cannot be deduced from the auction result, is revealed when at least one auctioneer is honest.

Each operation in Protocol 1 is publicly verifiable. Confidentiality must have been achieved because bid privacy (a stronger requirement) is achieved. Correctness and confidentiality together guarantee fairness.

Because the message space of the modified G-M encryption is {−1, 1}, containing only “YES” choice and “NO” choice, any ciphertext in the ciphertext space of the employed G-M encryption algorithm is a valid sealed bidding choice. So no additional bid validity check is needed in the new auction protocol, whereas verification of membership in the ciphertext space of the employed G-M encryption algorithm is simple and efficient. Therefore, the new homomorphic e-auction protocol in this section guarantees correct bid opening at any price and greatly improves efficiency of homomorphic bid opening. However, it cannot detect an inconsistent bid, which contains YES choices at higher prices and NO choices at lower prices. Existence of inconsistent bids may lead the binary search to stop at a price, although there are YES bidding choices at higher prices. Fortunately, bidders will usually not submit an inconsistent bid because they cannot benefit from it. For any bidder, if his highest YES choice is lower than some other bidder's offer, the chance for him to win is still negligible even if his bid is inconsistent and contains a NO choice at a price lower than his highest YES choice. For any bidder, if his highest YES choice is the highest offer and he can win, submitting an inconsistent bid containing one or more NO choices at lower prices only reduces his chance to win. Moreover, we can even ask the winner to open all his bidding choices and deny his winning if his bid turns out to be inconsistent. In this way, the chance for an inconsistent bid to win is completely eliminated.

HOMOMORPHIC E-AUCTION WITH THRESHOLD ROBUSTNESS AND FREE OF REPEATING MECHANISM

The G-M-based homomorphic e-auction protocol in this paper gets rid of bid validity check and improves efficiency of homomorphic e-auction. Although it can be employed in many e-auction applications, it is not suitable for e-auction requiring strong robustness. Bid opening in it needs cooperation of all the auctioneers, so its robustness fails if one of them does not work. Stronger robustness can be based on a threshold bid opening structure such that bid opening can always work if the number of cooperating auctioneers is over a threshold and failure of a small number of auctioneers is tolerable. The simplest way to implement threshold bid opening is to share the private key of the bid-sealing encryption algorithm among the auctioneers using threshold secret sharing. However, there is no known method to share the private key of G-M encryption algorithm in that way. Another homomorphic encryption algorithm, Paillier encryption, has a well-known threshold key sharing mechanism [8], so it can be employed to implement threshold robustness in e-auction. However, because the message space of Paillier encryption is very large, a new method is needed to get rid of bid validity check and equality test from Paillier-based homomorphic e-auction. Moreover, with a large message space, there is hope of avoiding the repeating mechanism in homomorphic bid opening to further improve efficiency. First, Paillier encryption with threshold decryption [8] is recalled as follows:

  1. Key generation

    N′ = pq′, p′ = 2p′ + 1 and q′ = 2q′ + 1, where p′ and q′ are primes and gcd(N′, φ(N′)) = 1. Integers a, b are randomly chosen from inline image and inline image mod N′ 2. The private key is βpq′, where β is randomly chosen from inline image. The public key consists of N′, g and θ = aβpq′. A1, A2, … Am are the private key holders. Let inline image, where f0 = βpq′ and f1, f2, …, ft − 1 are random integers in inline image. The share dj = F(j)mod pqN′ is distributed to Aj for j = 1, 2, …, m. G is the cyclic subgroup containing all the quadratic residues in inline image, where an integer y in inline image is an N′th residue if there exists an integer x such that inline image. Random integer v is a generator of G and inline image for j = 1, 2, …, m, where Δ = m !. Integers v and vj for j = 1, 2, …, m are published.

  2. Encryption

    A message inline image is encrypted into inline image, where r is randomly chosen from inline image.

  3. Partial decryptions of ciphertext c

    For j = 1, 2, …, m, Aj provides his part of decryption inline image and proves inline image.

  4. Combination of partial decryptions

    The final decryption result can be recovered as inline image, where set S contains the indices of t correct partial decryptions and inline image

    With this encryption algorithm to seal the bids and a new method to get rid of bid validity check, homomorphic e-auction can be implemented as follows to not only achieve threshold robustness but also avoid any repeating mechanism:

    1. Each bidder Bi generates his bidding vector (si, 1, si, 2, …, si, L), where si, l is a random positive integer if he is willing to pay pl and si, l = 0 otherwise.
    2. Paillier encryption with distributed decryption is employed to encrypt the bids where the private key is shared among the auctioneers A1, A2, …, Am. Each bidding vector (si, 1, si, 2, …, si, L) is encrypted into (ci, 1, ci, 2, …, ci, L), where inline image and ri, l is randomly chosen from inline image for l = 1, 2, …, L.
    3. The auctioneers cooperate to search for the winning bids using binary search. At each price on the searching route, pl, homomorphic bid opening is as follows.
      1. Each auctioneer Aj publishes a commitment (e.g. one-way hash function) of random integer Rj, i, l from inline image for i = 1, 2, …, n. After all the commitments have been published, the auctioneers publish Rj, i, l for j = 1, 2, …, m and i = 1, 2, …, n on the bulletin board.
      2. inline image is calculated.
      3. The auctioneers cooperate to decrypt inline image.
      If inline image, the search goes to the lower price; otherwise, the search goes to the higher price. The search goes on until it stops at the winning price.
    4. The bidding choices at the winning price are decrypted to identify the winners.

This optimized e-auction protocol is called Protocol 2. As illustrated in Theorem 5, Protocol 2 is correct as long as at least one auctioneer is honest.

Theorem 5. Iff the binary search at a price pl ends negatively, si, l = 0 mod N′ for i = 1, 2, …, n with an overwhelmingly large probability if at least one auctioneer is honest.

To prove this theorem, the following lemma must be proven first.

Lemma 1. If inline image with a probability larger than 1/N′ for random s1, s2, …, sn from inline image, then yi = 0 mod N′ for i = 1, 2, …, n.

Proof. Given any integer k in inline image, there must exist integers s1, s2, …, sk − 1, sk + 1, …, sn in inline image and two different integers sk and inline image in inline image such that the following two equations are correct.

  • display math(7)
  • display math(8)

Otherwise, for any s1, s2, …, sk − 1, sk + 1, …, sn, there is at most one sk to satisfy equation inline image. This deduction implies that, among the N′^n possible combinations of s1, s2, …, sn, equation inline image is correct for at most N′^(n − 1) combinations. This conclusion leads to a contradiction: given random integers si from ZN for i = 1, 2, …, n, equation inline image is correct with a probability no larger than 1/N′.

Subtracting Equations (8) from (7) yields

  • display math

Note that inline image as inline image. So, yk = 0 mod N′. Note that k can be any integer in inline image. Therefore, yi = 0 mod N′ for i = 1, 2, …, n.

Proof of Theorem 5. When si, l = 0 mod N′ for i = 1, 2, …, n,

  • display math

and thus, the binary search at a price pl ends negatively. That the binary search at a price pl ends negatively implies

  • display math

So

  • display math

Therefore, according to Lemma 1, si, l = 0 mod N′ for i = 1, 2, …, n with an overwhelmingly large probability.

Protocol 2 guarantees correctness of bid opening at any price without the need to verify validity of the bidding choices. Like in Protocol 1, submitting inconsistent bid brings no benefit to any bidder in this new e-auction protocol, and the winner's bid can be completely opened to prevent any inconsistent bid from winning.
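The randomized opening of Protocol 2, as an added example that is not code from the paper: a toy single-key Paillier instance stands in for the threshold variant, and the combination rule (raise each ciphertext to the sum of the auctioneers' revealed random integers, then multiply) is an assumption, because the page's formulas did not survive extraction. All function names and the small Mersenne-prime key are constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy Paillier with g = N + 1 and one key holder (assumption: stands in for
# the threshold variant; these Mersenne primes are far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
MU = pow(LAM, -1, N)

def encrypt(m):
    r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def decrypt(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

def seal_bid(top_idx, num_prices):
    """Bidding vector: random positive s_l if willing to pay p_l, else 0."""
    return [encrypt(secrets.randbelow(N - 1) + 1 if l <= top_idx else 0)
            for l in range(num_prices)]

def commit(values):
    return hashlib.sha256(repr(values).encode()).hexdigest()

def open_price(column, num_auctioneers=3):
    """Randomized zero test at one price; True if some s_{i,l} != 0 mod N."""
    n = len(column)
    picks = [[secrets.randbelow(N) for _ in range(n)]
             for _ in range(num_auctioneers)]
    published = [commit(p) for p in picks]            # commit phase
    # Reveal phase: every revealed list must match its earlier commitment.
    if any(commit(p) != h for p, h in zip(picks, published)):
        raise ValueError("revealed random integers do not match commitment")
    combined = 1
    for i, c in enumerate(column):
        r_i = sum(p[i] for p in picks) % N            # assumed combination rule
        combined = combined * pow(c, r_i, N2) % N2    # adds r_i * s_i homomorphically
    return decrypt(combined) != 0

def winning_price(sealed_bids, num_prices):
    """Binary search; returns (winning index or None, number of openings)."""
    lo, hi, best, opened = 0, num_prices - 1, None, 0
    while lo <= hi:
        mid = (lo + hi) // 2
        opened += 1
        if open_price([bid[mid] for bid in sealed_bids]):
            best, lo = mid, mid + 1                   # someone pays: go higher
        else:
            hi = mid - 1                              # all zero: go lower
    return best, opened

def winners(sealed_bids, price_idx):
    """Open every bidding choice at the winning price."""
    return [i for i, bid in enumerate(sealed_bids)
            if decrypt(bid[price_idx]) != 0]
```

No step inspects whether a bidding choice lies in a permitted set; the zero test treats any nonzero value the same way, which is why the bid validity check can be dropped.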

HIGHER COMPUTATIONAL EFFICIENCY IN HOMOMORPHIC E-AUCTION WITH MORE ROUNDS OF COMMUNICATION

A new homomorphic e-auction free of bid validity check and equality test is proposed in this section to achieve stronger security and higher efficiency. It employs a symmetric cipher to encrypt the bids to improve efficiency but needs more rounds of communication. It is the first secure e-auction protocol employing a symmetric cipher to encrypt the bids. It is described as follows.

  1. Initial phase

The parameters and symbols to be used are as follows:

  • There are m auctioneers A1, A2, …, Am and n bidders B1, B2, …, Bn.
  • Integer t smaller than m is the trust threshold such that cooperation of at least t auctioneers is necessary to open any bid.
  • The biddable prices are denoted as P1, P2, …, PL.
  • Ek() and Dk() denote the encryption algorithm and decryption algorithm using key k of a symmetric cipher like advanced encryption standard (AES), where the key space, message space, and cipher space of them are Zδ.
  • ρ is the largest prime no larger than δ.
  • H() is a one-way and collision-resistant hash function to map a long message to Zρ.
  • H′() is a one-way and collision-resistant hash function to map a long message to Zδ.
  • pj and qj are secret large primes chosen by Aj who publishes Nj = pjqj. As an asymmetric cipher parameter, each Nj should be larger than any key of the symmetric cipher, which is a useful property.

The auctioneers and bidders set up symmetric session keys between them.

  1. Each Bi chooses ki, j for every Aj, the session key to communicate with Aj. He sends it to Aj in the form inline image, where ri, j is randomly chosen from inline image
  2. Each Aj calculates his session keys inline image for i = 1, 2, …, n using his knowledge of pj and qj.

  2. Bidding and bid opening

The auctioneers cooperate to run a binary search for the winning price among the biddable prices. The binary search starts at PL/2, and the auctioneers test whether there is any bidder willing to pay that price. If there is, the search goes on to the higher prices; otherwise, it goes on to the lower prices. The next search step is just like the previous one, starting in the middle and going on to one side. As the binary search goes on, the searched range of prices becomes smaller and smaller, and finally, the search ends at the highest price any bidder is willing to pay. The search at a price Pl on the binary searching route is as follows:

  1. Each Bi chooses his bid at that price: bi, l. If he is willing to pay Pl, then bi, l is a random positive integer in Zρ; otherwise, it is zero.
  2. Each Bi builds a polynomial inline image, where αi, l, 0 = bi, l and αi, l, κ for κ = 1, 2, …, t − 1 are random integers chosen from Zρ.
  3. Each Bi builds a polynomial inline image, where γi, l, κ for κ = 0, 1, …, t − 1 are random integers chosen from Zρ.
  4. Each Bi publishes encrypted bid shares inline image for j = 1, 2, …, m.
  5. Each Bi publishes another set of encrypted shares inline image for j = 1, 2, …, m.
  6. inline image for i = 1, 2, …, n are challenges to validity of bidding and bid opening.
  7. Each Bi publishes ϕi, l, κ = wi, lαi, l, κ + γi, l, κmod ρ for κ = 0, 1, …, t − 1.
  8. Each Aj verifies that his share from Bi is valid as follows:
      1. He calculates inline image
      2. He calculates inline image
      3. He verifies
  • display math(9)

If the verification fails, Aj claims that Bi has sent him an invalid bid share. He publishes ki, j, si, l, j, and inline image such that anyone can verify failure of Equation (9) and that si, l, j and inline image are invalid shares sent to Aj by Bi. This public verification can detect dishonest bidders, who are removed, and their bids are deleted.

  9. After the shares are verified and only valid shares are kept, any t auctioneers can cooperate to calculate the sum of all the bids at Pl as follows, where the set of the indices of the participating auctioneers is denoted as S:
      i. Each auctioneer Aj in S calculates inline image
      ii. Each auctioneer Aj in S calculates inline image
      iii. Each auctioneer Aj in S publishes inline image
      iv. After Sj, l for j = 1, 2, …, m is published, each auctioneer Aj in S publishes sj, l and inline image
      v. It is publicly verified inline image for j = 1, 2, … m. Any auctioneer failing to pass the verification is required to publish sj, l and inline image again. Any auctioneer who cannot provide correct sj, l and inline image is replaced by one of the n-t stand-by auctioneers.
      vi. inline image and inline image are calculated where inline image
      vii. It can be publicly verified
  • display math(10)

The auction continues only if the verification is passed. If the verification fails, another set of t auctioneers are selected to carry out bid opening. If at least t auctioneers are honest, correct bid opening can always be obtained.

  10. If sl > 0, the search goes to the higher prices; otherwise, it goes to the lower prices. Finally, the binary search stops at a price PK, which is the winning price.

  3. Winner identification

The auctioneers open all the bids at PK

  • display math

A bidder Bi is a winner if bi > 0.

This new e-auction protocol is called Protocol 3. It can detect dishonest behaviors of malicious bidders and auctioneers and achieve robustness. Theorem 6, Theorem 7, and Theorem 8 illustrate that invalid operations in bidding and bid opening in Protocol 3 can be detected. More precisely, Theorem 6 shows that invalid bid sharing by any malicious bidder can be detected by the auctioneers with an overwhelmingly large probability; Theorem 7 shows that no matter how the bidders choose the integers in their bids, the auction result is correct with an overwhelmingly large probability if the auctioneers carry out bid opening honestly; Theorem 8 shows that dishonest bid opening operations can be detected with an overwhelmingly large probability. Theorem 6 and Theorem 7 are proven in detail, whereas the proof of Theorem 8 is not repeated because it is very similar to the proofs of the other two theorems.
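The bid-share validity check of Protocol 3, as an added example that is not code from the paper. It assumes Equation (9) has the form w·s + s′ = Σ ϕκ·j^κ mod ρ, which follows from ϕi, l, κ = wi, lαi, l, κ + γi, l, κ but is not legible on the page; shares are handled in the clear instead of under the session keys, the challenge is assumed to be a hash of the published shares, and ρ = 2^127 − 1 and all function names are constructed.

```python
import hashlib
import secrets

RHO = 2**127 - 1   # constructed stand-in for the prime rho (a Mersenne prime)

def poly_eval(coeffs, x):
    """Horner evaluation of sum(coeffs[k] * x**k) over Z_rho."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % RHO
    return acc

def share_bid(bid, t, m):
    """Bid polynomial (constant term = bid) and masking polynomial, degree t-1."""
    alpha = [bid % RHO] + [secrets.randbelow(RHO) for _ in range(t - 1)]
    gamma = [secrets.randbelow(RHO) for _ in range(t)]
    s = {j: poly_eval(alpha, j) for j in range(1, m + 1)}
    s_mask = {j: poly_eval(gamma, j) for j in range(1, m + 1)}
    return alpha, gamma, s, s_mask

def challenge(s, s_mask):
    # Assumption: the challenge is a hash of what the bidder already published.
    data = repr((sorted(s.items()), sorted(s_mask.items()))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % RHO

def respond(alpha, gamma, w):
    """phi_k = w * alpha_k + gamma_k mod rho, as published by the bidder."""
    return [(w * a + g) % RHO for a, g in zip(alpha, gamma)]

def share_is_valid(j, s_j, s_mask_j, w, phi):
    """Auctioneer A_j's check (assumed form of Equation (9))."""
    return (w * s_j + s_mask_j) % RHO == poly_eval(phi, j)

def reconstruct(shares):
    """Lagrange interpolation at 0 over Z_rho from {index: share}."""
    total = 0
    for j, y in shares.items():
        num = den = 1
        for k in shares:
            if k != j:
                num = num * (-k) % RHO
                den = den * (j - k) % RHO
        total = (total + y * num * pow(den, -1, RHO)) % RHO
    return total

def demo(t=3, m=5):
    bid = secrets.randbelow(RHO - 1) + 1
    alpha, gamma, s, s_mask = share_bid(bid, t, m)
    w = challenge(s, s_mask)
    phi = respond(alpha, gamma, w)
    honest = all(share_is_valid(j, s[j], s_mask[j], w, phi) for j in s)
    # A dishonest bidder hands A_2 a share that is off the polynomial.
    bad = dict(s)
    bad[2] = (bad[2] + 1) % RHO
    w_bad = challenge(bad, s_mask)
    phi_bad = respond(alpha, gamma, w_bad)
    cheat_passes = share_is_valid(2, bad[2], s_mask[2], w_bad, phi_bad)
    return honest, cheat_passes, reconstruct({j: s[j] for j in (1, 3, 5)}) == bid
```

Because the challenge is fixed only after the shares are published, a bidder who deviates from a single degree t − 1 polynomial passes the check with probability about 1/ρ, which is the bound Theorem 6 works with.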

Theorem 6. If Equation (9) is satisfied for a bidder Bi with a probability larger than 1/ρ at a price Pl, any share si, l, j from that Bi at the price Pl is guaranteed to be the jth share generated by a unique polynomial.

Proof. Because Equation (9) is satisfied for Bi with a probability larger than 1/ρ at Pl, for the Bi at the Pl, there must exist two different integers in Zρ, wi, l, and inline image, such that Bi can provide ϕ0, i1, …, ϕt − 1 and inline image, respectively, to satisfy

  • display math(11)
  • display math(12)

Otherwise, for the Bi at the Pl, there is at most one wi, l in Zρ for Bi to produce κ0, κ1, …, κt − 1 to satisfy Equation (9), and the probability that Equation (9) is satisfied is no larger than 1/ρ, which is a contradiction.

Equations (11) and (12) yield

  • display math

Note that wi, l and inline image are different integers in Zρ and ρ is a prime, so inline image can be calculated, and thus

  • display math

Theorem 7. When the auctioneers follow Protocol 3 to recover sl, with an overwhelmingly large probability, sl = 0 iff b1, l, b2, l, …, bn, l are all zeros.

Before proof of Theorem 3, a lemma is proven first.

Lemma 2. If the auctioneers follow Protocol 3 to recover sl and sl = 0 with a probability larger than 1/ρ in Protocol 3, it is guaranteed that b1, l, b2, l, …, bn, l are all zeros.

Proof. Because the auctioneers follow Protocol 3 to recover sl and sl = 0 with a probability larger than 1/ρ and wi, l for i = 1, 2, …, n are (pseudo)random integers in Protocol 3,

  • display math

and so with random w1, l, w2, l, …, wn, l and a probability larger than 1/ρ,

  • display math(13)

So, for a T in inline image, there must exist an instance of integers w1, l, w2, l, …, wT − 1, l, wT + 1, l, wT + 2, l, …, wn, l in Zρ and two different integers wT, l and inline image in Zρ, such that

  • display math(14)
  • display math(15)

Otherwise, for any combination of w1, l, w2, l, …, wT − 1, l, wT + 1, l, wT + 2, l, …, wn, l, there is at most one wT, l in Zρ to satisfy Equation (13), and thus, the probability that Equation (13) is satisfied is no larger than 1/ρ, which is a contradiction.

Equations (14) and (15) yield

  • display math

Note that wi, l and inline image are different integers in Zρ and ρ is a prime, so inline image, and thus, bT, l = 0 mod ρ. Because T can be any integer in inline image,

  • display math

Proof of Theorem 3. Because the auctioneers follow Protocol 3 to recover sl,

  • display math

and so sl = 0 if bi, l = 0 for i = 1, 2, …, n. Moreover, according to Lemma 2, if sl = 0 with a non-negligible probability, then bi, l = 0 for i = 1, 2, …, n. Therefore, sl = 0 iff b1, l, b2, l, …, bn, l are all zeros with an overwhelmingly large probability.

Theorem 8. Unless all the t auctioneers in S are dishonest, satisfaction of Equation (10) with a non-negligible probability guarantees that the auctioneers strictly follow Protocol 3 to recover sl.

All the additional verification operations in Protocol 3 are symmetric cipher operations, which are efficient in both computation (using simple calculation) and communication (transferring short integers). So they do not increase cost of the e-auction scheme significantly. Therefore, Protocol 3 is an efficient e-auction protocol suitable for users with limited computation capability.

COMPARISON AND CONCLUSION

A comparison between our new homomorphic e-auction protocols and the existing homomorphic e-auction schemes [1, 3, 5, 13-15, 18, 20] is given in Table 2 to show the improvement achieved in our work. The number of exponentiations in large cyclic groups is counted to measure their computational cost. For fairness, other secure sealed-bid e-auction schemes like those employing multiparty secure computation [17, 12, 11, 16] and downward search [4, 7, 19, 25-28] are also included, and we assume that each of them in the comparison has to take necessary measures to achieve the security properties of e-auction like correctness and privacy. An example is given in the table to more clearly and convincingly show the advantage of the new protocols in efficiency, where n = 1000 and L = 1024 and T2 = 30.

Table 2. Efficiency comparison of secure e-auction schemes

| Scheme | Bidder cost (exponentiation) | Bidder example | Auctioneer cost (exponentiation) | Auctioneer example | Robustness |
|---|---|---|---|---|---|
| Secure computation | ≥ 2 log2 L + 1 | 21 | ≥ 220n log2 L | 2 200 000 | Threshold is acceptable |
| Downward search | Averagely ≥ (1.5L + 1)2 | 3074 | Averagely ≥ 0.5L(n + 3) + 1.5n | 515 036 | Depends |
| Homomorphic with binary search | ≥ 6L | 6144 | ≥ 4nL + 7 log2 L + 3n | 4 051 420 | Threshold |
| Protocol 1 | 0 | 0 | nT2 | 30 000 | Weaker |
| Protocol 2 | 2L | 2048 | (n + 3) log2 L + 3n | 13 030 | Threshold |
| Protocol 3 | 0 | 0 | 0 | 0 | Threshold |

The comparison clearly demonstrates that our new homomorphic e-auction protocols are much more efficient than the existing homomorphic e-auction schemes. If interaction between the bidders and auctioneers is not a concern, Protocol 3 is the best choice because it has the highest computational efficiency. If non-interaction is required, either Protocol 1 or Protocol 2 can be employed, depending on whether threshold robustness is required and whether the bidders or the auctioneers have the priority in efficiency.

  • * In Ref. [23], the verifiers need to sign some messages using a special digital signature algorithm [2], which does not support multiparty distributed signing.

  • Computation for Jacobi symbol is efficient and comparable with a multiplication, so invalid ciphertext can be discovered easily.

REFERENCES

  1. Abe M, Suzuki K. Receipt-free sealed-bid auction. In ISC 2002, volume 2433 of Lecture Notes in Computer Science. Springer-Verlag: Berlin, 2002; 191–199.
  2. Boneh D, Boyen X. Short signatures without random oracles. In Eurocrypt '04, LNCS 3027; 56–73.
  3. B Felix. Cryptographic protocols for secure second-price auctions. 2001. Available from http://www.cs.miami.edu/~burt/learning/Csc498.043/cia2001.pdf.
  4. Christian C. Efficient private bidding and auctions with an oblivious third party. In the 6th ACM Conference on Computer and Communications Security. 1999.
  5. Chida K, Kobayashi K, Morita H. Efficient sealed-bid auctions for massive numbers of bidders with lump comparison. In Information Security, 4th International Conference, ISC 200, volume 2200 of Lecture Notes in Computer Science. Springer-Verlag: Berlin, 2001; 408–419.
  6. Cramer R, Damgård I, Schoenmakers B. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO '94, volume 839 of Lecture Notes in Computer Science. Springer-Verlag: Berlin, 1994; 174–187.
  7. Cramer R, Damgård I, Nielsen JB. Multiparty computation from threshold homomorphic encryption. In EUROCRYPT '01, volume 2045 of Lecture Notes in Computer Science. Springer: Berlin, 2001; 280–299.
  8. Fouque P-A, Poupard G, Stern J. Sharing decryption in the context of voting or lotteries. In Financial Cryptography 2000, volume 1962 of Lecture Notes in Computer Science. Springer-Verlag: Berlin, 2000; 90–104.
  9. Goldwasser S, Micali S. Probabilistic encryption. Journal of Computer Security 1984; 28(2):270–299.
  10. Guillou LC, Quisquater JJ. A “paradoxical” identity-based signature scheme resulting from zero-knowledge. In CRYPTO '88, volume 403 of Lecture Notes in Computer Science, Goldwasser S (ed). Springer-Verlag: Berlin, 1989; 216–231.
  11. Jakobsson M, Juels A. Mix and match: secure function evaluation via ciphertexts. In ASIACRYPT '00, volume 1976 of Lecture Notes in Computer Science. Springer-Verlag: Berlin, 2000; 143–161.
  12. Juels A, Szydlo M. A two-server, sealed-bid auction protocol. In The Sixth International Conference on Financial Cryptography 2002, volume 2357 of Lecture Notes in Computer Science. Springer-Verlag: Berlin, 2002; 72–86.
  13. Kikuchi H, Harkavy M, Tygar JD. Multi-round anonymous auction. In Proceedings of the First IEEE Workshop on Dependable and Real-Time E-Commerce Systems. 1998; 62–69.
  14. Kikuchi H, Hotta S, Abe K, Nakanishi S. Distributed auction servers resolving winner and winning bid without revealing privacy of bids. In Proceedings of the International Workshop on Next Generation Internet (NGITA2000), IEEE. 2000; 307–312.
  15. Kikuchi H. (m + 1)st-price auction. In The Fifth International Conference on Financial Cryptography 2001, volume 2339 of Lecture Notes in Computer Science. Springer-Verlag: Berlin, 2001; 291–298.
  16. Kurosawa K, Ogata W. Bit-slice auction circuit. In 7th European Symposium on Research in Computer Security, ESORICS2002, volume 2502 of Lecture Notes in Computer Science. Springer-Verlag: Berlin, 2002; 24–38.
  17. Naor M, Pinkas B, Sumner R. Privacy preserving auctions and mechanism design. In ACM Conference on Electronic Commerce 1999. 1999; 129–139.
  18. Omote K, Miyaji A. A second-price sealed-bid auction with the discriminant of the p-th root. In Financial Cryptography 2002, volume 2357 of Lecture Notes in Computer Science. Springer: Berlin, 2002; 57–71.
  19. Peng K, Boyd C, Dawson E, Viswanathan K. Non-interactive auction scheme with strong privacy. In 5th International Conference of Information Security and Cryptology - ICISC 2002, volume 2587 of Lecture Notes in Computer Science. Springer: Berlin, 2002; 407–420.
  20. Peng K, Boyd C, Dawson E, Viswanathan K. Robust, privacy protecting and publicly verifiable sealed-bid auction. In 4th International Conference of Information and Communications Security, ICICS 2002, volume 2513 of Lecture Notes in Computer Science. Springer: Berlin, 2002; 147–159.
  21. Peng K, Boyd C, Dawson E. Batch verification of validity of bids in homomorphic e-auction. Computer Communications 2006; 29(2006):2798–2805.
  22. Peng K, Dawson E. Efficient bid validity check in elgamal-based sealed-bid e-auction. In ISPEC 2007, volume 4464 of Lecture Notes in Computer Science. Springer-Verlag: Berlin, 2007; 209–224.
  23. Peng K, Bao F. Efficiency improvement of homomorphic e-auction. In TRUSTBUS 2010, volume 6264 of Lecture Notes in Computer Science. Springer-Verlag: Berlin, 2010; 238–249.
  24. Peng K. Secure e-auction for mobile users with low-capability devices in wireless networks. In WISTP 2011, volume 6633 of Lecture Notes in Computer Science. Springer-Verlag: Berlin, 2011; 351–360.
  25. Sako K. An auction scheme which hides the bids of losers. In Public Key Cryptology 2000, volume 1880 of Lecture Notes in Computer Science. Springer-Verlag: Berlin, 2000; 422–432.
  26. Sakurai K, Miyazaki S. A bulletin-board based digital auction scheme with bidding down strategy - towards anonymous electronic bidding without anonymous channels nor trusted centers. In Proceedings of the International Workshop on Cryptographic Techniques and E-Commerce. City University of Hong Kong Press: Hong Kong, 1999; 180–187.
  27. Suzuki K, Kobayashi K, Morita H. Efficient sealed-bid auction using hash chain. In International Conference on Information Security and Cryptology 2000, volume 2015 of Lecture Notes in Computer Science. Springer-Verlag: Berlin, 2000; 183–191.
  28. Watanabe Y, Imai H. Reducing the round complexity of a sealed-bid auction protocol with an off-line TTP. In STOC 2000, ACM: Portland, Oregon, USA, 2000; 80–86.