This new e-auction protocol is called Protocol 3. It can detect dishonest behaviors of malicious bidders and auctioneers and achieve robustness. Theorem 6, Theorem 7, and Theorem 8 illustrate that invalid operations in bidding and bid opening in Protocol 3 can be detected. More precisely, Theorem 6 shows that invalid bid sharing by any malicious bidder can be detected by the auctioneers with an overwhelmingly large probability; Theorem 7 shows that no matter how the bidders choose the integers in their bids, the auction result is correct with an overwhelmingly large probability if the auctioneers carries out bid opening honestly; Theorem 8 shows that dishonest bid opening operations can be detected with an overwhelmingly large probability. Theorem 6 and Theorem 7 are proven in details, whereas proof of Theorem 8 is not repeated because it is very similar to proof of the other two theorems.

Theorem 6. If Equation (9) is satisfied for a bidder *B*_{i} with a probability larger than 1/*ρ* at a price *P*_{l}, any share *s*_{i, l, j} from that *B*_{i} at the price *P*_{l} is guaranteed to be the *j*th share generated by a unique polynomial.

Proof. Because Equation (9) is satisfied for *B*_{i} with a probability larger than 1/*ρ* at *P*_{l}, for the *B*_{i} at the *P*_{l}, there must exist two different integers in *Z*_{ρ}, *w*_{i, l}, and , such that *B*_{i} can provide *ϕ*_{0}, *i*_{1}, …, *ϕ*_{t − 1} and , respectively, to satisfy

- (11)

- (12)

Otherwise, for the *B*_{i} at the *P*_{l}, there is at most one *w*_{i, l} in *Z*_{ρ} for *B*_{i} to produce *κ*_{0}, *κ*_{1}, …, *κ*_{t − 1} to satisfy Equation (9), and the probability that Equation (9) is satisfied is no larger than 1/*ρ*, which is a contradiction.

Equations (11) and (12) yield

Note that *w*_{i, l} and are different integers in *Z*_{ρ} and *ρ* is a prime, so can be calculated, and thus

Theorem 7. When the auctioneers follow Protocol 3 to recover *s*_{l}, with an overwhelmingly large probability, *s*_{l} = 0 iff *b*_{1, l}, *b*_{2, l}, …, *b*_{n, l} are all zeros.

Before proof of Theorem 3, a lemma is proven first.

Lemma 2. If the auctioneers follow Protocol 3 to recover *s*_{l} and *s*_{l} = 0 with a probability larger than 1/*ρ* in Protocol 3, it is guaranteed that *b*_{1, l}, *b*_{2, l}, …, *b*_{n, l} are all zeros.

Proof. Because the auctioneers follow Protocol 3 to recover *s*_{l} and *s*_{l} = 0 with a probability larger than 1/*ρ* and *w*_{i, l} for *i* = 1, 2, …, *n* are (pseudo)random integers in Protocol 3,

and so with random *w*_{1, l}, *w*_{2, l}, …, *w*_{n, l} and a probability larger than 1/*ρ*,

- (13)

So, for a *T* in , there must exist an instance of integers *w*_{1, l}, *w*_{2, l}, …, *w*_{T − 1, l}, *w*_{T + 1, l}, *w*_{T + 2, l}, …, *w*_{n, l} in *Z*_{ρ} and two different integers *w*_{T, l} and in *Z*_{ρ}, such that

- (14)

- (15)

Otherwise, for any combination of *w*_{1, l}, *w*_{2, l}, …, *w*_{T − 1, l}, *w*_{T + 1, l}, *w*_{T + 2, l}, …, *w*_{n, l}, there is at most one *w*_{T, l} in *Z*_{ρ} to satisfy Equation (13), and thus, the probability that Equation (13) is satisfied is no larger than 1/*ρ*, which is a contradiction.Equations (14) and (15) yield

Note that *w*_{i, l} and are different integers in *Z*_{ρ} and *ρ* is a prime, so , and thus, *b*_{T, l} = 0*modρ*.. Because *T* can be any integer in ,

Proof of Theorem 3. Because the auctioneers follow Protocol 3 to recover *s*_{l},

and so *s*_{l} = 0 if *b*_{i, l} = 0 for *i* = 1, 2, …, *n*. Moreover, according to Lemma 2, if *s*_{l} = 0 with a non-negligible probability, then *b*_{i, l} = 0 for *i* = 1, 2, …, *n*. Therefore, *s*_{l} = 0 iff *b*_{1, l}, *b*_{2, l}, …, *b*_{n, l} are all zeros with an overwhelmingly large probability.

Theorem 8. Unless all the *t* auctioneers in *S* are dishonest, satisfaction of Equation (10) with a non-negligible probability guarantees that the auctioneers strictly follow Protocol 3 to recover *s*_{l}.