
Analysis and design of secure sealed bid auction


Analysis and Design of Secure Sealed-Bid Auction

by

Kun Peng

Bachelor of Engineering in Computer Software (Huazhong University of Science and Technology, Wuhan, China) – 1997

Master of Engineering in Computer Software and Theory (Huazhong University of Science and Technology, Wuhan, China) – 2000

Thesis submitted in accordance with the regulations for

Degree of Doctor of Philosophy

Information Security Research Centre

Faculty of Information Technology

Queensland University of Technology


QUEENSLAND UNIVERSITY OF TECHNOLOGY

DOCTOR OF PHILOSOPHY THESIS EXAMINATION

CENTRE/RESEARCH CONCENTRATION: Information Security Research Centre

PRINCIPAL SUPERVISOR: Associate Professor Colin Boyd

Under the requirements of PhD regulation 9.2, the above candidate was examined orally by the Faculty. The members of the panel set up for this examination recommend that the thesis be accepted by the University and forwarded to the appointed Committee for examination.

Name: Associate Professor Colin Boyd Signature

Panel Chairperson (Principal Supervisor)

Name: Professor xxxx Signature

Panel Member

Name: Dr xxxxxxx Signature

Panel Member

Under the requirements of PhD regulation 9.15, it is hereby certified that the thesis of the above-named candidate has been examined. I recommend on behalf of the Thesis Examination Committee that the thesis be accepted in fulfilment of the conditions for the award of the degree of Doctor of Philosophy.

Name Professor xxxxxxxx Signature Date

Chair of Examiners (Thesis Examination Committee)


Electronic Sealed-Bid Auction, Bid Privacy, Relative Bid Privacy, Batch Verification, Mix Network, Secure Evaluation, High Efficiency


Auctions have a long history and are an effective method to distribute resources. In the era of the Internet and e-commerce, electronic sealed-bid auctions play an important role in business. However, it is a risk to run a sealed-bid auction through the Internet, which is an open and unreliable environment. There are many security concerns about correctness and fairness of the auction and privacy of the bidders in electronic sealed-bid auctions. Cryptology seems to be the only security solution for electronic sealed-bid auction. On the other hand, a practical electronic sealed-bid auction scheme must be efficient. So efficient application of cryptographic tools to electronic sealed-bid auction is the focus of this thesis.

Firstly, security requirements of sealed-bid auctions are surveyed. The auction result must be determined correctly according to the submitted bids and the pre-defined auction rule. The bidders must compete with each other in a fair play and none of them can take advantage of others. The auction must be publicly verifiable, so that the auction result is acceptable by everyone. Usually, a losing bidder hopes to keep his bid secret, so the losing bids should be kept secret. In different applications, different auction rules may be applied. So, to avoid a tie, a large number of biddable prices must be accepted in some applications.

Secondly, the currently known sealed-bid auction schemes are classified. In recent years, many sealed-bid auction schemes based on various cryptographic primitives have been proposed. Nearly all of them can be classified into five models. In Model 1, each bid is known to the auctioneers, who can find the winning bid and winner very efficiently. Bid privacy is not implemented in Model 1. In Model 2 homomorphic bid opening is employed, so that the winning bid and winner can be found while the losing bids are kept secret. In Model 3 very strong bid privacy is achieved through a Dutch-style bid opening, which is highly inefficient. In Model 4, the link between the bids and bidders instead of confidentiality of the bids is kept secret. This kind of confidentiality


bid privacy.) Implementation of relative bid privacy can be very efficient if an efficient anonymous channel can be constructed. Model 5 uses secure evaluation to open the bids and find the auction result and makes it possible to achieve absolute bid privacy efficiently.

Three main cryptographic primitives are explored and employed to design new auction schemes in four auction models. The first tool is batch verification, which can improve computational efficiency in auction schemes. The second is mix network, which can be used to implement anonymous channels in Model 4 and Model 5. Two new efficient mix networks are designed and used in Model 2, Model 4 and Model 5. The third is secure evaluation, which is employed in two new auction schemes in Model 5 to achieve strong bid privacy efficiently. Other cryptographic primitives employed in the auction schemes include efficient 1-out-of-w oblivious transfer in Model 2 and key chain in Model 3.

Five new auction schemes are proposed. The first scheme in Model 2 batch verifies bid validity to improve efficiency. The second scheme optimises the key chain used in Model 3 to obtain a more advanced auction scheme. The third scheme implements a concrete anonymous channel in Model 4 for the first time and achieves relative bid privacy and high efficiency convincingly. The last two employ new secure evaluation techniques to achieve absolute bid privacy and high efficiency. With these five new auction schemes, better solutions are achieved in various auction applications.


  1.1 Aims and Objectives
  1.2 Contributions and Achievements
  1.3 Outline of the Thesis

2 Sealed-Bid Auction
  2.1 What Is A Sealed-Bid E-Auction?
  2.2 Requirements of a Sealed-Bid Auction
    2.2.1 Basic Requirements
    2.2.2 Advanced Requirements
    2.2.3 Receipt-Freeness, A Misused Concept in Auction
  2.3 Classification of Bid Privacy
  2.4 Classification of Sealed-bid Auctions
    2.4.1 Model 1: Auction with Simple Encryption
    2.4.2 Model 2: Auction with Homomorphic Bid-Opening
    2.4.3 Model 3: Auction with Downward Search
    2.4.4 Model 4: Auction with Relative Bid Privacy

3 Cryptographic Tools
  3.1 Encryption Algorithms
    3.1.1 ElGamal Encryption
    3.1.2 RSA Encryption
    3.1.3 Paillier’s Public Key Encryption Scheme
  3.2 Secret Sharing
    3.2.1 Shamir’s Threshold Scheme
    3.2.2 Verifiable Secret Sharing
    3.2.3 Verifiable Secret Sharing for Auction Schemes
  3.3 Distributed Decryption
    3.3.1 Distributed ElGamal Decryption
    3.3.2 Distributed RSA Decryption
    3.3.3 Distributed Paillier Decryption
  3.4 Knowledge Proof Techniques
    3.4.1 Three-Move Σ Proof
    3.4.2 Proof of Knowledge of Logarithm
    3.4.3 Proof of Equality of Logarithms
    3.4.4 Proof of Knowledge of 1-out-of-k Logarithm
    3.4.5 Proof of 1-out-of-k Equality of Logarithms
    3.4.6 Proof of Knowledge of Root
    3.4.7 Summary
  3.5 Conclusion

4 Batch Verification Techniques
  4.1 Development of Batch Verification Technology
  4.2 New Batch Verification Techniques
    4.2.1 Batch Verification of Knowledge of Logarithm
    4.2.2 Batch Verification of Equality of Logarithms of Common Base
    4.2.3 Batch Verification of Equality of Logarithms of Common Exponent
      Batch Verification with Strict Assumption
      Batch Verification with Loose Assumption
    4.2.4 Batch Verification of Knowledge of Root
  4.3 Conclusion

5 Mix Networks
  5.1 Definition of Mix Network
  5.2 Classification of Mix Networks
    5.2.1 Decryption Chain or Re-encryption
    5.2.2 General or Separate Verification
    5.2.3 Tag Attached to Input
    5.2.4 Summary
  5.3 A New Mix Network with General Validity Verification
    5.3.1 The Current Mix Networks with General Validity Verification
    5.3.2 The New Mix Network
    5.3.3 Analysis and Summary
  5.4 A New Mix Network with Separate Verification
    5.4.1 The Current Mix Networks with Separate Verification
    5.4.2 Improvement on the Naive Verification Technique
    5.4.3 A New Mix Network with Separate Verification
      Group Shuffling
      Batched Group-shuffling Mix Network
    5.4.4 Analysis
      Correctness Analysis
      Other Properties
      Summary
  5.5 Batch Verification of Decryption Validity in Mix Networks
    5.5.1 Batch Verification of ElGamal Decryption
    5.5.2 Batch Verification of Distributed RSA Decryption
    5.5.3 Batch Verification of Distributed Paillier Decryption
    5.5.4 Summary
  5.6 Conclusion

6 Secure Evaluation
  6.1 Related Work
  6.2 Preliminary Work
    6.2.1 Verification of Paillier Encryption
      Proof of Knowledge of Nth Root mod $Z^*_{N^2}$
  6.3 A New General Purpose Secure Evaluation: SE-1
    6.3.1 A Building Block — Zero Test
      Simple Zero Test
      Complex Zero Test
    6.3.2 New Secure Evaluation Technique
      Two Special Formats
      Secure Evaluation in F-1
      Secure Evaluation in F-2
      Application of SEF-1 and SEF-2
    6.3.3 Analysis
    6.3.4 An Application Example
  6.4 A New Special Purpose Secure Evaluation Technique — SE-2
    6.4.1 Proof Primitive
    6.4.2 Ciphertext Comparison
      Bit Encryption and its Validity Verification
      The Comparison Function
    6.4.3 Analysis
  6.5 Comparison
  6.6 Conclusion

7 Auction with Homomorphic Bid-Openings
  7.1 Homomorphic Bid Opening
  7.2 Verification of Bid Validity — Inefficient but Necessary
  7.3 Implementation of Verification of Bid Validity
    7.3.1 A Special Bid Format Suitable for Verification
    7.3.2 Validity verification with homomorphic secret sharing
    7.3.3 Validity verification with ElGamal encryption
    7.3.4 Validity verification with Paillier encryption
  7.4 Batch Verification of Bid Validity
    7.4.1 1-out-of-w Oblivious Transfer
    7.4.2 Batch Verification of Bid Validity in Homomorphic Secret Sharing Auction
    7.4.3 Batch Validity Verification with ElGamal Encryption
    7.4.4 Batch Validity Verification with Paillier Encryption
    7.4.5 Security Analysis
    7.4.6 Efficiency Analysis
    7.4.7 Summary
  7.5 Conclusion

8 Auction with Downward Search
  8.1 Bid Privacy in Dutch-style Sealed-bid Auction
  8.2 Key Chain and its Application to Protect Bid Privacy
    8.2.1 Key chain
    8.2.2 The Scheme by Watanabe and Imai
    8.2.3 Problems in the Scheme by Watanabe and Imai
  8.3 A Modified Key Chain and its Application to Auction
  8.4 Analysis of the New Auction Scheme
    8.4.1 Security of the New Auction Scheme
    8.4.2 Efficiency Comparison
  8.5 Conclusion

9 Auctions with Relative Bid Privacy
  9.1 A Trade-off between Bid Privacy and Other Properties in Auction
  9.2 Implementation of the auction scheme
  9.3 Analysis
    9.3.1 Security Analysis
    9.3.2 Efficiency Analysis
    9.3.3 Comparison
  9.4 Conclusion

10 Auctions by Secure Evaluation
  10.1 A New Auction Scheme in Model 5 — Auction 4
    10.1.1 The Auction Protocol
    10.1.2 Analysis
  10.2 Another New Auction Scheme in Model 5 — Auction 5
    10.2.1 The auction Protocol
    10.2.2 Security Analysis
  10.3 Efficiency Optimisation
    10.3.1 Binary Mix
    10.3.2 The Bid Validity Verification Function

11 Conclusion and Future Directions
  11.1 Summary of Contributions
    11.1.1 Results of the Survey of Sealed-bid Auction
    11.1.2 Original Cryptographic Primitives
    11.1.3 New Auction Schemes
  11.2 Future Directions

List of Figures

2.1 Auction with Simple Encryption
2.2 Auction Homomorphic Bid-Opening
2.3 Auction with Downward Search
2.4 Auction with Relative Bid Privacy
2.5 Auction by Secure Evaluation
4.1 Bellare’s Batch Verification of Exponentiations with a Common Base
5.1 Mix Network
5.2 Decryption-chain Mix Network
5.3 Re-encryption Mix Network
5.4 General Verification Mix Network
5.5 Separate Verification Mix Network
5.6 Grouping
6.1 Proof of Knowledge of Nth Root
6.2 Proof of Knowledge of 1-out-of-2 Nth Root
6.3 Combined Proof of Equality of Exponent and Knowledge of Nth Root
7.1 Simple Batch Verification with Secret Sharing
7.2 Batch Verification with Secret Sharing
7.3 Batch Verification with ElGamal Encryption
7.4 Batch Verification of Validity with Paillier Encryption
8.1 Modified key chain
8.2 Optimistic auction procedure

List of Tables

1 Symbols
2 Notations
2.1 Trust and bid privacy
2.2 Properties and efficiency of current auction schemes
4.1 Efficiency improvement by batch verification
5.1 Classification of mix networks
5.2 comparison of mix networks
5.3 Comparison of the new mix network against other mix networks
5.4 Comparison of computation cost of shuffling verification in mix networks in full-length exponentiations
5.5 Example of cost of shuffling verification in mix networks
5.6 Cost of Validity Verification
6.1 Drawbacks of the currently existing secure evaluation schemes
6.2 The truth table for the example function
6.3 Partial information revelation from $m_1 - m_2$
6.4 Efficiency of secure evaluation
7.1 Comparison of Computation Efficiency
7.2 Comparison of Computation Efficiency
7.3 Comparison
8.1 Key generation in the scheme by Watanabe and Imai
8.2 Bids in the scheme by Watanabe and Imai
8.3 Key generation in our scheme
8.4 Bids in our scheme
8.5 Efficiency comparison
9.3 Comparison of Efficiency with Example Values
10.1 Example
10.2 Comparison of properties
10.3 Comparison
11.1 Five Auction Models
11.2 Properties of the new auction schemes
11.3 Efficiency Comparison

The work contained in this thesis has not been previously submitted for a degree or diploma at any higher education institution. To the best of my knowledge and belief, the thesis contains no material previously published or written by another person except where due reference is made.

Signed: Date:


Previously Published Material

The following papers, which have been published or presented, contain material based on the content of this thesis.

[1] Kun Peng, Colin Boyd, Ed Dawson, and Kapali Viswanathan. Robust, privacy protecting and publicly verifiable sealed-bid auction. In Robert H. Deng, Sihan Qing, Feng Bao, and Jianying Zhou, editors, Information and Communications Security, 4th International Conference, ICICS 2002, Singapore, December 9-12, 2002, Proceedings, ICICS, volume 2513 of Lecture Notes in Computer Science, pages 147 – 159. Springer, 2002.

[2] Kun Peng, Colin Boyd, Ed Dawson, and Kapali Viswanathan. Non-interactive auction scheme with strong privacy. In Pil Joong Lee and Chae Hoon Lim, editors, Information Security and Cryptology - ICISC 2002, 5th International Conference Seoul, Korea, November 28-29, 2002, Revised Papers, ICISC, volume 2587 of Lecture Notes in Computer Science, pages 407 – 420. Springer, 2003.

[3] Kun Peng, Colin Boyd, Edward Dawson, and Kapali Viswanathan. Five sealed-bid auction models. In Australia Workshop of Information Security 2003, pages 77 – 86, 2003.

[4] Kun Peng, Colin Boyd, Edward Dawson, and Kapali Viswanathan. Efficient implementation of relative bid privacy in sealed-bid auction. In The 4th International Workshop on Information Security Applications, WISA2003, volume 2908 of Lecture Notes in Computer Science, pages 244 – 256, Berlin, 2003. Springer-Verlag.

[5] Kun Peng, Colin Boyd, Edward Dawson, and Kapali Viswanathan. A correct, private and efficient mix network. In 7th International Workshop on Theory


2004 Springer-Verlag.

[6] Riza Aditya, Kun Peng, Colin Boyd, and Ed Dawson. Batch verification for equality of discrete logarithms and threshold decryptions. In Second conference of Applied Cryptography and Network Security, ACNS 04, volume 3089 of Lecture Notes in Computer Science, pages 494–508, Berlin, 2004. Springer-Verlag.

After studying IT for ten years and learning more than sixty units in it, I suddenly found most of the units I learnt during my bachelor and master courses have nothing to do with my Ph.D thesis. On the contrary, the basic knowledge about number theory and probability theory I learnt in middle school and high school are very helpful. Especially, the special training for the national mathematics contest during my high school study affects my research work in the past three years greatly. So I would firstly like to thank the excellent mathematics education in middle school and high school in China. Especially, I have to thank my high school mathematics teacher Li Hegui.

During my seven-year-study of computer science at HUST, several professors taught me knowledge useful in this thesis. Professor Hong Fan taught discrete mathematics (including set theory, group theory, ring theory, graphics theory and logics) and an introduction unit to cryptology (which is not so systematic and comprehensive as Introduction to Cryptology at QUT). Professor Cui Guohua taught two units about algorithm design and analysis, which are useful in protocol design and efficiency analysis in this thesis. Associate Professor Hu Lunjun advised me to choose information security as my research field during my master course. Unfortunately I forget the names of the professors teaching linear algebra and probability theory.

During my study at ISRC, QUT, I learnt a lot of useful knowledge in cryptology in two units — Introduction to Cryptology and Advanced cryptology — taught by Professor Ed Dawson, Dr Lauren May and Associate Professor Colin Boyd. Another unit, Security Topics by Associate Professor Colin Boyd is also helpful to my research.

Most importantly, I would like to thank my four supervisors. They have always supported me and helped me even when I made mistakes. My principal supervisor, Associate Professor Colin Boyd is an expert in secure protocols. His


optimise them. He also taught me the basic skills for research and professional English writing. My associate supervisor, Professor Ed Dawson is an excellent director. He can always find promising research direction and the best way to organise an academic paper. Dr Kapali Viswanathan gave me a lot of concrete help in study, research and life. He did a very successful Ph.D study at ISRC not a long time ago. His experience in Ph.D study is so helpful to me, that I always regard him as a good example to follow. After Dr Viswanathan returned to India, Dr B Lee took his place. Dr Byoungcheon Lee is an experienced researcher and gave me much constructive advice in my research.

In the last three months of thesis writing, my parents came from China and stayed with me. With their support and help, I can focus on my thesis. Many other members of ISRC and IT Faculty at QUT gave me a lot of help. Dr Greg Maitland helped me to master the usage of LaTeX for academic writing. Ms Elizabeth Hansford, Ms Christine Orme and Ms Elizabeth Lipowitz gave me great support in my work. Mr Riza Aditya and Ms Minna Yao are good partners in work and life.


The following parameters in Table 1 are used in this thesis. The notations used in this thesis are listed in Table 2.


t the trust threshold of the auctioneers


| Notation | Meaning |
|---|---|
| BGCV | batched grouped correctness verification of the new mix network with separate verification |
| BVDV | batch verification of decryption validity |
| SEF-1 | computation of combinational logic of ciphertexts in Format 1 |
| SEF-2 | computation of combinational logic of ciphertexts in Format 2 |
| EVCC | encryption and verification by cut-and-choose |
|  | new mix network with separate verification |
| NGMN | new mix network with general verification |
| OT1 | communication from the chooser to the sender in the new 1-out-of-w oblivious transfer |
| OT2 | communication from the sender to the chooser in the new 1-out-of-w oblivious transfer |
| S-Mix-1 | the first prototype of the new mix network with separate verification |
| S-Mix-2 | the second prototype of the new mix network with separate verification |
| S-Mix-3 | the final proposal of the new mix network with separate verification |

Table 2: Notations


Chapter 1

Introduction

Electronic commerce, like traditional commerce, is composed of three phases: price negotiation, payment and goods delivery. In an open and unreliable environment like the Internet, there are many threats to security in the first two phases. Much research work has been done on electronic payment. Especially, sophisticated e-cash schemes have been designed to provide anonymity and prevent double spending. However, in the area of price negotiation such as electronic auctions, there has been much less research. As a result, very few current electronic auction schemes can provide appropriate security and privacy with practical cost.

Auctions are an effective and convenient method to negotiate price and distribute resources. Traditionally, auctions are widely applied in trading of antiques, fine arts, and mineral rights. Recently they are also used to distribute national radio spectrum and TV advertisements.

In the last several years, a lot of Internet auction websites like eBay have appeared. At the same time, more and more cryptographic applications to electronic auctions have been proposed. Cryptology has proved to be a key technique to implement security and privacy in electronic auctions. However, due to unreliable connection of the Internet, interactive sealed-bid auction may fail because of failure of network connection. Moreover, it is difficult to determine whether a bidder deliberately refuses to cooperate or is prevented from appropriate cooperation by technical problems. Additionally, in a sealed-bid auction with friendly interface, it is not a good idea to require the bidders to remain on line to take part in bid opening. So only non-interactive sealed-bid e-auctions are practical. As public key cryptology is costly, it must be applied appropriately to guarantee computational efficiency. So this thesis concentrates on efficient application of cryptology to non-interactive sealed-bid auctions.

The currently existing electronic sealed-bid auction schemes will be surveyed, studied and classified. Appropriate auction models will be set up. Achievements and drawbacks of the current auction schemes in different models will be analysed. New auction schemes will be designed in the models. It will be shown that compared to the currently existing auction schemes, the new auction schemes have better performance and higher efficiency.

The aim of this thesis is to design secure, private and efficient electronic sealed-bid auction schemes. Especially privacy of the bidders (e.g. bids of the losing bidders in an auction) must be protected. Although electronic auction has been widely applied in many websites like eBay, bid privacy or privacy of the bidders is ignored in many practical solutions for e-auction including eBay. It may be acceptable to ignore bid privacy in auctions of items of small value, but in auction involving valuable items, bids are sensitive information. When bid privacy is not protected, sealed-bid auction becomes an unfair procedure as a seller or auctioneer can take advantage over the bidders and know their personal evaluations. Moreover, a seller can use the bidding information of the past auction to optimise his auction strategy in later auctions of similar items to get more profit from the bidders. So, a lot of work in this thesis is focused on implementation of bid privacy, which is necessary for sealed-bid auction to be employed to more important applications of resource distribution.

It is not intended to design a single sealed-bid auction scheme suitable for every application. Instead, different auction models will be set up, each suitable for a special application. In each model, one or two new auction schemes will be designed to satisfy the corresponding application better than the currently existing auction schemes.

Firstly, requirements of sealed-bid auctions and how the current sealed-bid e-auction schemes satisfy them will be analysed, so that the auction models can be set up. Then drawbacks and shortcomings are identified in currently existing auction schemes in each model.


To propose better auction schemes, various cryptographic tools must be employed. Some of them will be modified from previous work. Others will be originally designed. Then new auction schemes can be based on these cryptographic primitives.

Although different solutions may be provided for different applications, the following common security properties must be achieved. Firstly, confidentiality of the bids and fairness for the bidders must be guaranteed. Secondly, privacy of the losing bidders must be protected. Thirdly, the trust on either the bidders or the auctioneers cannot be too strong. Finally, robustness and flexibility must be provided. Efficiency is also very important for a practical auction scheme. In this thesis, both computation and communication of the auction schemes must be efficient enough to suit the proposed applications. Moreover, the bidders do not need to keep on-line after they submit their bids.

Three main outcomes in this thesis are classification of sealed-bid auctions, proposal of original cryptographic primitives and design of new auction schemes. First of all, electronic sealed-bid auctions have been classified into five models: Models 1, 2, 3, 4 and 5. This classification covers almost all the currently known sealed-bid auction schemes. As each model employs different bid opening function, has different computational and communicational cost and achieves different requirements, they are suitable for different applications. With the classification, different models can be chosen for different applications. The classification also provides a guideline for studies and improvements of sealed-bid auctions.

Secondly, original cryptographic primitives including batch verification, mix network and secure evaluation have been designed. Batch verification can improve computational efficiency in various auction schemes. Four batch verification techniques are proposed in this thesis and applied in bid validity verification and bid shuffling. Mix networks can be applied to mix the bids, so that they cannot be linked to the bidders. Therefore, the bids can be submitted anonymously and bid privacy is easier to achieve. Two new mix networks are proposed in this thesis and applied in two different auction models respectively. Secure evaluation techniques can be applied in sealed-bid auctions as bid opening is a function with encrypted inputs. Two efficient and publicly verifiable secure evaluation techniques are proposed and applied in sealed-bid auctions to achieve strong bid privacy efficiently. Other original cryptographic primitives proposed in this thesis include oblivious transfer, zero test, binary mix and key chain. These primitives can not only be applied to sealed-bid auction schemes proposed in this thesis, but also have independent value and can be used in many other applications.

Finally, five new sealed-bid auction schemes in the last four models (the first one is too simple to be secure) — Auctions 1, 2, 3, 4 and 5 — are designed to achieve improvements on the previous schemes. Auction 1 employs batch verification techniques to batch verify the validity of bid and overcomes an efficiency bottleneck in Model 2. Auction 2 in Model 3 employs an optimised key chain to achieve very strong bid privacy non-interactively. Auction 3 in Model 4 employs an efficient new mix network to realize strong fairness and a new concept, relative bid privacy, very efficiently. The last two auction schemes are in Model 5. Auction 4 employs a new general purpose secure evaluation technique to realize secure bid opening in any sealed-bid auction. Auction 5 employs a new special secure evaluation technique to compare the encrypted bids in pairs to find the winning bid.

In this thesis cryptographic technology is explored and applied to electronic sealed-bid auction. Electronic sealed-bid auction is identified as a useful mechanism to distribute resources through computer networks. The current solutions for sealed-bid electronic auction are surveyed and classified. Auction schemes in different models can suit different applications. However, drawbacks and shortcomings exist in each model. Moreover, it is shown that no current auction scheme can practically handle precise auction while bid privacy and high efficiency are required. Therefore, improvements are made in four of the five models. At first, cryptographic primitives including batch verification, mix network and secure evaluation are designed. Then these primitives are applied to new auction schemes with better properties and performance.

The thesis is composed of eleven chapters. Except the first chapter, Introduction, and the last chapter, Conclusion, the other nine chapters can be divided into three parts: background, primitives and auction schemes.

The first part comprises Chapter 2 and Chapter 3. In Chapter 2, requirements for sealed-bid auction are listed and the current electronic sealed-bid auction schemes are classified into five models — Model 1: auction with simple encryption, Model 2: auction homomorphic bid-opening, Model 3: auction with downward search, Model 4: auction with relative bid privacy and Model 5: Auction through secure evaluation — each suitable for certain applications. In Chapter 3, existing cryptographic tools to be applied in this thesis are introduced. In the following three chapters original cryptographic primitives are proposed.

The second part comprises Chapters 4, 5 and 6. In Chapter 4 new techniques in batch verification are proposed. In Chapter 5, two new mix networks are designed. In Chapter 6, two secure evaluation techniques are described. These three cryptographic tools will be employed to design and improve auction schemes in the following chapters. In Chapters 7, 8, 9 and 10, better solutions are proposed in four auction models respectively.

The third part comprises Chapters 7, 8, 9 and 10. In Chapter 7, efficient bid validity verification mechanism is designed to improve efficiency in Model 2. In Chapter 8, a more secure and efficient key chain is designed to achieve very strong bid privacy non-interactively in Model 3. In Chapter 9, a new concept, relative bid privacy, is defined and implemented very efficiently in a new auction scheme in Model 4. In Chapter 10, the two new secure evaluation techniques in Chapter 6 are employed to design two new auction schemes in Model 5 to achieve absolute bid privacy efficiently. Batch verification technology presented in Chapter 4 is employed in Chapters 5, 6 and 7 while mix network protocols presented in Chapter 5 are employed in Chapters 6, 9 and 10. A conclusion is drawn in Chapter 11.

The author’s published papers related to this thesis include [PBDV02b, PBDV02a, PBDV03b, PBDV03a, PBDV04, APBD04]. Classification of auction schemes was proposed in [PBDV03b], which is the base of the classification and modelling in Section 2.4. An improved homomorphic auction scheme in Model 2 is proposed in [PBDV02b], which will be covered in Section 7.3.2. An improved non-interactive auction scheme in Model 3 was proposed in [PBDV02a], which will be described in Section 9.2. Model 4 and relative bid privacy were formally defined in [PBDV03a], which includes a new mix network and an efficient auction scheme with relative bid privacy. The mix network and the auction scheme will be described in Section 5.3 and Section 10.1 respectively. A new mix network was presented in [PBDV04], which is described in Section 5.4 and applied to the two secure evaluation techniques in Chapter 6 and the two new auction schemes in Chapter 10. Batch verification of validity of decryption proposed in [APBD04] is described in Section 5.5.


Chapter 2

Sealed-Bid Auction

In this chapter, the history and basic requirements of sealed-bid auction are introduced. Security and efficiency requirements of a practical and secure sealed-bid e-auction are systematically presented. A security requirement, bid privacy, is a focus of this thesis and is explained in detail in this chapter. The current sealed-bid auction schemes are classified into five models. Advantages and shortcomings of each model are analysed. In particular, existing drawbacks in the last four models are listed and methods to overcome them are discussed briefly. Finally, research directions are presented to improve auction schemes in the last four models.

The sealed-bid auction has been a useful tool to distribute resources for many years. It usually contains four phases. Various sealing functions may be used to seal the bids and keep them secret before they are opened. Different auction rules may be used.

Auctions have a long history, dating back to 500 B.C., when Herodotus reported the use of an auction [Jr67]. Auctions were frequently used to liquidate property and estate goods during the Roman Empire [Jr67]. They are an effective method to distribute goods fairly. In traditional auction systems, both the open cry auction, such as the English auction and the Dutch auction, and the sealed-bid auction have been widely used. In open cry auctions, the bids are cried out openly and the bidder with the highest bid wins. If each time a bidder cries out a new bid higher than the last one, it is called an English auction. If the auctioneer cries out the bids from the highest possible price one by one until a bidder accepts the current bid, it is called a Dutch auction. In a sealed-bid auction, a bidder has to submit a sealed bid before a closing time. After the closing time one or more auctioneers open the bids to decide the winners according to a pre-defined rule.

In the Internet era electronic commerce is an important and popular industry. Electronic auction is a key function in e-commerce and can be used to distribute electronic as well as non-electronic goods effectively and fairly. Although still at its early stage, e-auction is developing fast. It is estimated that trade through internet auction systems in 1999 totalled $4.5 billion [Auc01]. The most famous e-auction website, eBay, has more than two million visitors a day. In a network environment, sealed-bid auction is preferred not only because of its convenience and quickness but also because of its potential ability to protect bid confidentiality and bidders’ privacy.

The players in an auction include:

• seller, who has one or more items (also called goods) to sell;

• bidder, who submits a bid (the highest price he is willing to pay);

• auctioneer, who acts on behalf of the seller to determine a winning price (clearing price) and a bidder as the winner;

• winner, the bidder chosen by the auctioneer(s) to pay the seller the clearing price and get the goods.

A sealed-bid auction is usually composed of four phases: preparation phase, bid submission phase, bid opening phase and winner determination phase.

1. In the preparation phase, the auction system is set up and initialized. The auctioneers are chosen; the system parameters are generated; the item to sell is described; the auction rule is declared; the bidders winning price and the winner’s identity as its output: $(W, ID) = F(I_1, b_1, I_2, b_2, \ldots, I_n, b_n)$, where $n$ is the number of bidders, $I_i$ is the identity of the $i$th bidder, $b_i$ is $I_i$’s bid, $W$ is the winning price and $ID$ is the winner’s identity.

2. In the bid submission phase, every bidder submits a sealed bid through a communication network. The bids may be encrypted or signed by the bidder if needed. The employed communication network can be based on any computer network, like the Internet or a LAN. When bid sealing is applied to protect confidentiality of the bids, the communication network becomes a confidential channel. Usually, a digital signature technique is employed to upgrade the network to an authentic channel. In some cases, special techniques are used to upgrade the network to an anonymous channel.

3. In the bid opening phase, the bids are opened to determine the winning price. This is a very critical operation, and opening does not mean publishing all the bids in plaintext with bidders’ identities attached to them, as bid privacy and anonymity may be required. As a result of bid opening, a winning bid (price) is determined.

4. In the winner determination phase, the winner(s) are identified so that the result (including the winning price and the winner’s identity) of the auction can be published. If any bidder has a dispute, he can lodge it and the auctioneers must prove validity of the result publicly.

Sealing is a function used to achieve confidentiality and privacy. Usually, there are two kinds of sealing.

1. Sealing by hash function: Initially, a commitment for each bid is generated by a one-way and collision-resistant hash function. Each bidder first publishes his commitment of bid. After all the bidders have published their commitments, each bidder submits his bid (in plaintext or encrypted). This method aims to realize bid confidentiality and thus fairness—it is impossible for any bidder to know the bids of other bidders when his bid is committed even if he conspires with the auctioneer(s). Note that a hash function is much more efficient than public-key encryption.

2. Sealing by encryption: The bids are encrypted when submitted. As usually the bidders have not contacted the auctioneers before the auction¹, it is supposed that public-key encryption algorithms are employed. This method is usually employed to implement bid privacy. In the opening phase, only necessary decryptions are performed and all the bids except the winning bid may remain encrypted at the end of auction.

¹ If there is a session between the bidders and the auctioneers to distribute a symmetric key, it is possible to use more efficient secret-key encryption to encrypt the bids, but the key distribution still depends on public-key encryption.

The role of hash function is not recognised in many auction schemes and encryption sealing is thought to be enough. However, bid confidentiality or bid privacy achieved by encryption is often conditional—trust on some auctioneer(s) or third party is assumed, while bid confidentiality and fairness achieved by hash function sealing is only based on the strength of the hash function. So hash function sealing is necessary to achieve strong bid confidentiality and fairness in some applications.
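Sealing by hash function as described above, sketched as an added example that is not taken from the thesis: every bidder publishes a commitment, and after submission closes each opening is checked against it. The `BulletinBoard` class, the function names, the sample bids and the random nonce mixed into the hash are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

def digest(bid: int, nonce: bytes) -> str:
    # Fixed-width fields, so a (nonce, bid) pair has exactly one encoding.
    return hashlib.sha256(nonce + bid.to_bytes(8, "big")).hexdigest()

def seal(bid: int):
    """Commit to a bid. The 32-byte nonce is an assumption added here: bids
    come from a small price range, so a bare hash could be matched by trial."""
    nonce = secrets.token_bytes(32)
    return digest(bid, nonce), nonce

class BulletinBoard:
    """Hypothetical public board: commitments first, openings after closing."""
    def __init__(self):
        self.commitments = {}
        self.closed = False

    def publish(self, bidder: str, commitment: str) -> None:
        if self.closed or bidder in self.commitments:
            raise ValueError("commitment rejected: late or duplicate")
        self.commitments[bidder] = commitment

    def open_bids(self, openings: dict):
        """Check each opening (bid, nonce) against the published commitment."""
        self.closed = True
        accepted, rejected = {}, []
        for bidder, commitment in self.commitments.items():
            opening = openings.get(bidder)
            if opening and hmac.compare_digest(commitment, digest(*opening)):
                accepted[bidder] = opening[0]
            else:
                rejected.append(bidder)  # wrong or missing opening
        return accepted, rejected

def demo():
    # Constructed sample bidders and bids.
    board, held = BulletinBoard(), {}
    for bidder, bid in [("alice", 120), ("bob", 95), ("carol", 110)]:
        commitment, nonce = seal(bid)
        board.publish(bidder, commitment)
        held[bidder] = (bid, nonce)
    # After submission closes, carol tries to open to 130 instead of 110.
    held["carol"] = (130, held["carol"][1])
    return board.open_bids(held)
```

The changed opening no longer matches the published commitment, so the bid is rejected and the bidder who submitted it is identifiable.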

According to different auction rules, sealed-bid auctions can be further classified as follows.

1. Only one item to sell

• First bid auction

Only one item is to be sold and the bidder with the highest bid gets the item. One drawback of this rule is that the bidders may decide their bids according to their expectation of other bids instead of according to their real evaluation of the item. So the clearing price may be different from the reasonable market price, which is a disadvantage compared to open cry auction.

• To overcome the problem in first bid auction, Vickrey [Vic61] proposed a different rule: the bidder with the highest bid wins but he only pays the second highest bid. Under this rule, the bidders tend to submit their real evaluation of the item as their bids.

2. More than one identical item to sell

In a kth bid auction, k − 1 identical items are on sale, the kth bidding price is the clearing price and the bidders with the k − 1 higher bids are winners. This is actually an extension of the Vickrey auction and also encourages the bidders to submit their real evaluation as their bids.

3. Combination of different items to sell

In a combinatorial auction [SY02, YS02, DV00, Sil02, HKDMT01], more than one type of item is sold and there may be more than one item in each type. A bidder can offer a price for a chosen combination of the items. The seller chooses a distribution of the items so that the total price is the highest. Combinatorial auction is more flexible and comprehensive.

In this thesis, it is assumed that there is only one type of item to sell and combinatorial auction is not included.
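The incentive difference between the first bid, Vickrey and kth bid rules above can be checked by brute force. This is an added example, not code from the thesis; the function names are hypothetical, and it assumes integer prices and that a bid tying with the threshold bid loses.

```python
from itertools import product

def utility(valuation, bid, others, k):
    """Payoff of one bidder against the other bids.
    k = 1: first bid auction, the winner pays his own bid.
    k >= 2: kth bid auction with k - 1 identical items (k = 2 is Vickrey).
    Assumption: a bid equal to the threshold bid does not win."""
    ranked = sorted(others, reverse=True)
    threshold = ranked[max(k - 2, 0)]  # the bid that must be beaten to win
    if bid <= threshold:
        return 0
    # Once this bid wins, the kth highest bid overall is the threshold.
    price = bid if k == 1 else threshold
    return valuation - price

def best_bids(valuation, others, k, candidates):
    """All candidate bids that maximise the bidder's payoff."""
    scores = {b: utility(valuation, b, others, k) for b in candidates}
    top = max(scores.values())
    return [b for b in candidates if scores[b] == top]

def truthful_is_always_optimal(valuation, k, prices, n_others):
    """True if bidding the real evaluation is a best bid for every
    combination of the other bidders' bids drawn from `prices`."""
    return all(
        valuation in best_bids(valuation, list(others), k, prices)
        for others in product(prices, repeat=n_others)
    )
```

With a valuation of 100 against constructed bids of 80 and 50, the best first bid is 81, while under the Vickrey rule bidding 100 is already optimal.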

Like other fields of e-commerce, e-auction is facing serious security concerns. For example, fraud in e-auction is a big problem. It was reported by the US Internet Fraud Watch that online auction fraud accounted for 87% of Internet fraud in the US in 1999 (increasing from 68% in 1998) [fra01]. A fraud can be committed by bidders or auctioneers. Most contemporary e-auction websites use very simple auction mechanisms and require complete trust by the bidders in the auctioneers. Thus the bidders’ interest is at risk due to the malicious activities of the auctioneers. The auctioneer may manipulate the price or the auction process to obtain a biased result. When a bidder uses e-coin, malicious auctioneers may misuse the e-coin. Moreover, the auctioneers can obtain personal information (identity and bid value) about the bidders, as normally neither privacy nor anonymity service is provided in open cry e-auctions. Additionally, some of the current auction techniques are interactive and require many rounds of communication before completion. So more time is required to determine the final winning price. As well, intensive communication over the insecure Internet is a problem from the perspective of availability of service and network security.

To defend against the increasing fraud and attacks, an auction scheme must satisfy some desired requirements. The security requirements can be divided into two types.

2. Confidentiality

Confidentiality is the direct result of sealing. The sealing must be so strong that each bid remains confidential to other bidders and the auctioneer(s) before the bid opening phase starts.

3. Fairness

No bidder can get more information than other bidders and take advantage of them. Two necessary conditions for fairness are that no bidder has any knowledge of other bidders’ bids when he submits his bid and no bid can be changed after it is submitted. Otherwise he can choose his bid according to other bids. So the following two conditions must be satisfied.

• No bidder has any knowledge of any other bids before the bid submission phase ends, which is in fact confidentiality.

• After the bid submission phase ends, no bidder can change his bid.

4. Non-repudiation

No bidder can deny his bid. A strict requirement for non-repudiation is that even though some bidders try to deny their bids, a correct auction result can still be determined. A looser standard only requires that any bidder trying to deny his bid can be identified and expelled from future auctions or is liable to other sanctions.

5. Robustness

Robustness is a stronger requirement than correctness. It requires that a correct auction result must be obtained not only in normal cases, but also in abnormal situations. The possible abnormal incidents include the following.

• A dishonest bidder submits an invalid bid.

• One or more malicious auctioneers perform an incorrect bid opening.

• One or more auctioneers fail to undertake their jobs.

As many unexpected accidents may happen in a real auction, robustness is essential for an auction system to be practical.

6. Public Verifiability

The validity of the auction must be publicly verifiable. In many cases, neither the bidders nor the auctioneers can be trusted. So validity of their behaviors must be publicly verifiable. In other cases, a bidder or other people may challenge the validity of the auction result and the dispute can

Date posted: 07/08/2017, 15:33
