Electronic Auctions Literature Review Jarrod Trevathan June 6, 2005


Contents

1 Introduction
  1.1 Types of Auctions
  1.2 Auction Notation and Terminology
  1.3 Security Issues
    1.3.1 General Security Goals
    1.3.2 Security Goals for Sealed Bid Auctions
    1.3.3 Security Goals for Open Bid Auctions
  1.4 Auctioneer Corruption

2 Literature Review
  2.1 Franklin and Reiter
    2.1.1 Initialisation
    2.1.2 Registration
    2.1.3 Bidding
    2.1.4 Winner Determination
    2.1.5 Security Analysis
    2.1.6 Efficiency Analysis
  2.2 Kikuchi, Harkavy and Tygar
    2.2.1 Initialisation
    2.2.2 Registration
    2.2.3 Bidding
    2.2.4 Winner Determination
    2.2.5 Security Analysis
    2.2.6 Efficiency Analysis
  2.3 Sako
    2.3.1 Initialisation
    2.3.2 Registration
    2.3.3 Bidding
    2.3.4 Winner Determination
    2.3.5 Security Analysis
    2.3.6 Efficiency Analysis
  2.4 Naor, Pinkas and Sumner
    2.4.1 Initialisation
    2.4.2 Registration
    2.4.3 Bidding
    2.4.4 Winner Determination
    2.4.5 Security Analysis
    2.4.6 Efficiency Analysis
  2.5 Stubblebine and Syverson
    2.5.1 Initialisation
    2.5.2 Registration
    2.5.3 Bidding
    2.5.4 Winner Determination
    2.5.5 Security Analysis
    2.5.6 Efficiency
  2.6 Viswanathan, Boyd and Dawson
    2.6.1 Digital Cash Protocol
    2.6.2 Sealing Protocol
    2.6.3 Registration
    2.6.4 Bidding
    2.6.5 Winner Determination
    2.6.6 Tracing
    2.6.7 Security Analysis
    2.6.8 Efficiency Analysis
  2.7 Omote and Miyaji
    2.7.1 Registration
    2.7.2 Bidding
    2.7.3 Winner Determination
    2.7.4 Tracing
    2.7.5 Security Analysis
    2.7.6 Efficiency Analysis
  2.8 Wang and Leung
    2.8.1 Initialisation
    2.8.2 Registration
    2.8.3 Bidding
    2.8.4 Winner Determination
    2.8.5 Tracing
    2.8.6 Security Analysis
    2.8.7 Efficiency Analysis

3 Conclusion

4 Appendix
  4.1 Symmetric Encryption
  4.2 Public Key Encryption
  4.3 RSA Problem
  4.4 DLP Problem
  4.5 Digital Signatures
  4.6 Cut and Choose Protocol
  4.7 Secret Sharing
  4.8 Blind Signatures
  4.9 Group Signatures
  4.10 Verifiable Signature Sharing
  4.11 Oblivious Transfer
  4.12 Digital Cash


List of Figures

1.1 Taxonomy of Electronic Auction Schemes
2.1 Structure of the Franklin and Reiter Auction Scheme
2.2 Structure of the Kikuchi et al Auction Scheme
2.3 Structure of the Sako Auction Scheme
2.4 Structure of the Naor et al Auction Scheme
2.5 Structure of the Stubblebine and Syverson Auction Scheme
2.6 Structure of the Viswanathan et al Auction Scheme
2.7 Structure of the Omote and Miyaji Auction Scheme
2.8 Structure of the Wang and Leung Auction Scheme


List of Tables

2.1 The Sealing Protocol
2.2 The Registration Protocol between $b_i$ and RM
2.3 The Registration Protocol between $b_i$ and MM


Chapter 1

Introduction

An auction is an exchange mechanism where many potential buyers submit bids for a commodity that is usually awarded to the highest bidder. The Auctioneer accepts bids on behalf of the seller(s) of the commodity and determines who the winner is according to the auction rules. In recent years, several companies have emerged that offer auctioning services over a network, such as eBay¹ and OnSale². These types of auctions have geographical advantages over traditional auctions as sellers and buyers need not be physically present at a central location during the auction proceedings. This allows for larger and more elaborate auctions reaching many more bidders than was possible with traditional auctions. However, this also provides opportunities for the auction participants to cheat.

As participants are not physically present, buyers or sellers might repudiate bids, refuse to pay for or deliver goods, collude to affect the settlement price or just disavow the auction outcome altogether. Furthermore, the Auctioneer might be biased or corrupt and can selectively block bids, abuse bidder information or award the auction to someone other than the legitimate winner. In addition, an outsider not privy to the auction might attempt to disrupt the auction protocol in some manner.

An electronic auction is a cryptographic scheme that attempts to securely implement an auction where all of the auction participants are assumed to be untrustworthy. Various schemes have been proposed in the literature that attempt to solve these problems. In this paper we describe the security problems inherent in conducting electronic auctions and provide a review of several schemes. Each scheme is analysed according to its ability to solve these security problems.

This paper is organised as follows: Section 1.1 provides some background on different types of auctions. Section 1.3 discusses security issues for conducting electronic auctions. Section 2 gives an overview of several schemes that have been proposed in the literature.

¹ http://www.ebay.com
² http://www.onsale.com

1.1 Types of Auctions

The first known auctions occurred in Babylon circa 500 BC with the dubious application of auctioning women for marriage [C67]. Ancient Rome then seized upon the idea and expanded auctions to encompass all types of goods and services. There now exist many different forms of auctions that have evolved to suit differing needs and applications. Figure 1.1 gives a taxonomy of the types of electronic auctions that we will discuss in this paper.

[Figure 1.1 is a tree diagram that did not survive extraction. Its node labels are: single, double; sealed, open; ascending, descending; Vickrey, (M+1)st, English, Dutch, CDA.]

Figure 1.1: Taxonomy of Electronic Auction Schemes

Auctions can be classified according to the number of sellers and the manner by which bidders submit bids. An auction that has only one seller and many buyers is referred to as a single auction. An auction with many sellers and many buyers (i.e., a securities market) is referred to as a double auction. Bidding in an auction can typically be of two types: sealed or open. In a sealed bid auction, secret bids (not known to the other bidders) are submitted to the Auctioneer. Once the bidding period closes, the bids are opened and the winner is determined according to some publicly known rule (e.g., the highest bidder wins). In an open bid auction, bids are known to all participants throughout the bidding period.

A Vickrey auction [V61] is a second price, sealed bid auction. The bidder with the highest bid wins and they must pay an amount corresponding to the second highest bid. Vickrey auctions are popular in cryptography due to their simple computational requirements. (M+1)st price auctions generalise Vickrey auctions where there are M units for sale. The M highest bidders win and pay the (M+1)st price, i.e., the highest losing bid.

An English auction is a first price, open bid auction. The bid amounts are known to all parties, and bidders attempt to outbid each other. The highest bidder (for a given time-out period) wins and must pay an amount equal to the winning bid. An English auction is the most well known type of auction and is widely used for real estate. However, it is less adaptable to online situations compared to sealed bid auctions due to its reliance on real-time price updates. English and Vickrey auctions are considered as ascending due to the bidders bidding up the settlement price.

Alternatively, an auction can be descending if the settlement price is bid down rather than up. In a Dutch or Reverse auction, the seller gradually lowers his/her offer until a buyer accepts. Auctions of this type are widely used in markets with perishable commodities such as seafood. Dutch auctions have the natural property of concealing the losing bids. All auctions discussed so far have been single in the sense that there is only one seller.

In a Continuous Double Auction (CDA) there are many buyers and sellers who continuously trade a single commodity. Bids are matched and cleared over time according to the auction rules. CDAs are typically open bid. The best known example of a CDA is a securities market such as the New York Stock Exchange (NYSE). There now exist numerous online broker sites such as Commsec³ that offer services for trading in securities markets.

1.2 Auction Notation and Terminology

The following notation is used throughout this paper. In an auction there are $n$ bidders $B = \{b_1, b_2, ..., b_n\}$. Typically most auctions only have one seller. However, in the case of double auctions there may be $m$ sellers. In this paper, buyers and sellers can both be considered as bidders with the only difference being the type of bid they submit (i.e., type = {BUY, SELL}). The Auctioneer $A$ is responsible for organising the auction. It is generally the Auctioneer’s job to advertise the auction, register bidders, accept bids and to determine the auction outcome.

In some forms of auctions the seller might set a reserve price, which is the minimum price that they will accept as a winning bid. Other auctions also place restrictions on the domain of bid amounts or bid increment they will accept from bidders. For example, some schemes impose a bidding range $v_1, v_2, ..., v_k$ of $k$ discrete prices which can only be bid.

The bid close time is the time up until which the Auctioneer will receive bids. Bids received after the bid close time are discarded. The bid close time depends on the auction’s termination rules. For example, English Auctions may close after a timeout where no bid higher than the current highest bid has been made. A CDA does not terminate at all.

There are several main activities (or phases) fundamental to any electronic auction protocol:

• Initialisation: The Auctioneer sets up the auction and advertises it (i.e., type of good, starting time, etc).

• Registration: In order to participate in the auction, bidders must first register with the Auctioneer (or a registration manager). This ensures that only valid bids are made and that bidders can be identified for payment purposes. It is desirable for registration to be a one-off procedure. Once a bidder has registered they should be able to participate in any number of auctions rather than re-registering for each new auction.

• Bidding: A registered bidder computes his/her bid and submits it to the Auctioneer. The Auctioneer checks the bid received to ensure that it conforms with the auction rules.

• Winner Determination: The Auctioneer determines the winner according to the auction rules. It is desirable for this process to be publicly verifiable.

³ http://www.commsec.com.au

There are additional activities specific to particular auction types that also must be performed. For example, it is common practice in English auctions and CDAs to supply bidders with intermediate information during bidding such as a price quote. Additionally, sealed-bid auctions might arrive at a tie situation where more than one bidder has bid the winning price, which usually requires an additional round of bidding to be conducted. Furthermore, CDAs allow bidders to cancel and/or modify their bids under certain conditions prior to the winner determination phase. In addition, bids in a CDA might also expire, after which they cannot be considered during the winner determination phase.

1.3 Security Issues

The security requirements for an electronic auction are numerous. In general, core requirements include that the Auctioneer must arrive at the correct winner according to the auction rules; the winner must receive the item from the seller; the seller must receive payment in full from the winning bidder; and no bidder should have more information than any other to determine his/her bid. The final requirement is especially true in CDAs where insider trading is considered an offence. Discussions regarding auction security can be found in [FR96, NPS99, BM00]. Many auctions proposed in the literature have differing security goals which are largely dependent on whether the auction is sealed bid or open bid. In the following subsections we outline what we have identified as the main security goals for sealed bid and open bid auctions respectively. However, first we will discuss some common problems inherent in all types of (traditional and electronic) auctions and some of the (non-cryptographic) solutions that are in use:

Shielding - A bidder places an artificially high bid which is withdrawn just prior to the bid close time. This can have the effect of deterring other bidders with lower valuations from bidding. When the bid is withdrawn the bidder may have another lower bid designed to win with the deflated price.

Shilling - A bidder or group of bidders (called shills) collude to artificially inflate the clearing price for the seller. If one of the shills accidentally wins, the item is resold in another auction.

Sniping - A bidder refrains from making a bid until just prior to the bid close time. When the bid is made it is usually done so in a manner that does not allow any other bidder to respond in time.

Siphoning - A non-participant observing an auction makes a lower offer directly to a bidder. The non-participant avoids the costs and risks associated with conducting an auction.

Misrepresented or non-existent items - A seller might make false claims about the item for sale or sell an item they don’t have.

In an attempt to reduce these problems, existing commercial on-line auction sites offer remedies such as legislation and incentives. Firstly, laws can be made with regard to breaking the rules. For example, defaulting on payment could result in a fine and/or jail sentence. Another solution is to provide an incentive scheme to reward people that follow the rules. For example, eBay offers a feedback system that allows buyers and sellers to create profiles about each other based on previous dealings. Anyone can view these profiles before engaging in business with the individual. A buyer or seller with a shady reputation can also be blacklisted from future auction proceedings.

Other solutions involve credit card registration, escrow services and insurance. Credit card registration can be used as both proof of identity and security for payment. In a similar manner, escrow services require all bidders to keep payment in escrow (security), which is either refunded or deposited depending on the auction outcome. Alternately, insurance can be offered to participants in situations where they suffer loss as a result of unfair behaviour. However, none of these solutions is perfect.

1.3.1 General Security Goals

The following outlines the general security goals for electronic auctions:

Unforgeability - Bids must be unforgeable, otherwise a bidder can be impersonated.

Non-Repudiation - Once a bidder has submitted a bid they must not be able to repudiate having made it. For example, if a bidder wins and does not want to pay they might deny that they submitted the bid.

Public Verifiability - There must be publicly available information by which all parties can be verified as having correctly followed the auction protocol. This should include evidence of registration, bidding and proof of winner/loser.

Robustness - The auction process must not be affected by invalid bids nor by participants not following the auction protocol correctly.

Anonymity - The bidder-bid relationship must be concealed so that no bidder can be associated with the bid they submit. This is often done by issuing bidders with a pseudonym that they can use to submit bids. Other aspects of anonymity relate to whether the identity of the winner is revealed and to whom. For example, should the Auctioneer learn the winner’s identity and/or the winning price, or should only the seller know this?

1.3.2 Security Goals for Sealed Bid Auctions

Sealed bid auctions possess unique security goals due to the fact that bids must be sealed during the bid submission. The following outlines the additional security goals for sealed bid auctions:

Confidentiality - Once a bid has been sealed, it must remain secret until the winner determination phase of the auction.

Privacy of Losing Bids - After the winner determination phase, the values of the losing bids must be kept secret (although most schemes leak bid statistics). Further questions also arise over how much information is disclosed regarding the winner and winning bid. For example, should only the seller and winner know the amount of the winning bid? What information should the Auctioneer learn about winning/losing bids?

Unlinkability - The Auctioneer should not be able to learn information about individual bidders based on previous auctions conducted. This information could be used in future auctions in a manner that disadvantages the bidder. Consider the following scenario in a Vickrey auction: a bidder (denoted by b1) submits a bid for $100. The second highest bid is $50, so b1 wins and has to pay only $50. In a future auction, b1 again bids $100 and again the second highest bid is $50. Since the Auctioneer knows b1’s valuation, the Auctioneer enters a bid for $99. b1 wins and must pay $99. In doing so, the Auctioneer has increased the auction’s revenue by $49.

1.3.3 Security Goals for Open Bid Auctions

The security goals for open bid auctions differ from those of sealed bid auctions. For example, as all bids are open there is no need to keep a bidder’s valuation secret during bid submission. Furthermore, it is not required that losing bids should be kept secret. Most open bid auctions such as English auctions and CDAs also have a dependency on time during the bidding process. The following discusses some security goals specific to open bid auctions:

Non-profilability - It is desirable for every bid to be unlinkable to prevent the Auctioneer (or other parties) from creating a profile about any particular bidder. Note that anonymity in itself does not guarantee non-profilability. For example, if a bidder submits several bids using the same pseudonym an Auctioneer still learns information regarding that particular bidder, even though the Auctioneer does not learn the bidder’s identity.

Unskewability - The Auctioneer must not be able to alter the auction timing, for example by speeding up its clock in an attempt to close the auction early, or slowing the auction down to keep the bidding process active beyond the official timeout.

Unblockability - The Auctioneer cannot selectively block bids based on bid amount or the identity of the bidder.

1.4 Auctioneer Corruption

A major problem in electronic auction protocols is how to protect bidders from a corrupt Auctioneer. A malicious Auctioneer might influence the auction proceedings in a manner inconsistent with the auction rules. For example, the Auctioneer might choose to block bids, insert fake bids, steal payments, profile bidders, open sealed bids prior to the winner determination phase, artificially inflate/deflate prices or award the item to someone other than the legitimate winner. Furthermore, there may exist collusion between the Auctioneer and some of the bidders (similar to shilling).

In general, all schemes can be classified according to how they deal with this problem. We have identified the following trust models:

Auctioneer Trust - This is the easiest (and the most unacceptable) solution to the problem. In fact, the whole problem is based on doubt about whether the Auctioneer honestly follows the protocol. However, assuming that the Auctioneer is trustworthy solves many relevant problems (e.g., security, anonymity, etc.). This is why all existing Internet auction sites fully trust the Auctioneer.

Trusted Third Party - Since the Auctioneer is a beneficiary, the assumption that it follows the auction protocols may not be very realistic. An alternative could be that the bidders and Auctioneer provide a trusted third party (TTP) with information so that when there is a dispute the TTP can be called upon to resolve the dispute.

Threshold Trust - Threshold trust schemes protect against a corrupt Auctioneer by distributing the role of the Auctioneer across $\ell$ servers. The auction can be considered secure/fair unless a threshold $t$, $1 \le t \le \ell$, of the Auctioneers collude. Threshold trust, however, requires much communication between bidders and the auction servers, as well as between the auction servers themselves.

Two-Server Trust - It can be argued that threshold trust is not effective, since collusion among Auctioneers is beneficial to all members of the group. An alternative approach is to split trust up among two servers owned by separate entities. Here the auction security goals can be trusted as long as the two entities do not collude. Two-server trust schemes effectively reduce the communication overhead involved in threshold trust schemes and thus far have also proved to be very computationally efficient.

Distributed Bidder Trust - Bidders distributively determine the auction outcome without the help of an Auctioneer. The merit of such an approach is that collusion amongst bidders is prevented unless all bidders are corrupt, which negates the reason for colluding in the first place. These schemes require all bidders to participate during the winner determination phase.

Page 19: Electronic Auctions Literature Review

Chapter 2

Literature Review

In this section we provide a review of the main types of electronic auction schemes that have been proposed in the literature. The schemes are presented in chronological order to show how the security requirements have evolved.

The following schemes are covered:

Franklin and Reiter (Vickrey)

Kikuchi, Harkavy and Tygar (Vickrey, tie-breaking)

Sako (Dutch)

Naor, Pinkas and Sumner (Generic)

Stubblebine and Syverson (English)

Viswanathan, Boyd and Dawson (Sealed bid)

Omote and Miyaji (English)

Wang and Leung (Continuous double)

Each scheme is analysed based on its ability to satisfy the basic security criteria of unforgeability, non-repudiation, public verifiability, robustness and anonymity. Known and new security flaws in each scheme are presented by showing that the scheme fails in one or more of the scheme’s proposed security objectives. In addition, we provide an efficiency analysis for each scheme.

2.1 Franklin and Reiter

Franklin and Reiter [FR96] present what can be considered the first formal attempt at constructing a secure auctioning system. They propose a second price, sealed bid auction scheme which distributes the role of the Auctioneer across several servers (see Figure 2.1). The auction process is considered safe as long as a threshold $t$ of the Auctioneers are not corrupt. Bids are submitted using a digital cash protocol (see 4.12). Bidders split their bid using a secret sharing scheme (see 4.7) and then send their shares to the appropriate servers. At the close of bidding the servers multicast their shares to each other and jointly compute the result. Each server owns a share of the winner’s digital coin signed with a verifiable signature sharing scheme (see 4.10). The signature prevents a single Auctioneer from altering a bid or throwing an auction to a single bidder. Their system further enables the bids to be backed by escrowing financial commitments of the bidders.

Figure 2.1: Structure of the Franklin and Reiter Auction Scheme

Notation

• $B = \{b_1, ..., b_n\}$: bidders
• $A = \{a_1, ..., a_\ell\}$: auction servers
• $t$: threshold of trusted auction servers
• $aid$: auction id

2.1.1 Initialisation

The Auctioneer advertises the auction and publishes $aid$. Associated with each auction server $a_i$ is a public key $k_i$ for use in a deterministic public key cryptosystem (such as RSA, see 4.3). All $a_i$ publish their public keys $k_i$ and keep their private keys $k_i^{-1}$ secret.

2.1.2 Registration

A bidder registers with the Auctioneer and obtains $aid$, and $k_i$ for all $a_i$.

2.1.3 Bidding

A bidder submits his/her bid as a digital coin $\langle v, \sigma_{bank}(v), w_v \rangle$. Here $v$ is the value of the bid and $w_v$ is $aid$.

The bid is divided using a $(t, n)$-threshold secret sharing scheme. The bank’s signature on the coin is shared using a VΣS scheme. $b_i$ multicasts the $j$th share of his/her bid to $a_i$, for all $j$, $1 \le j \le \ell$, as follows:

M1 - $aid,\ \{(sh_j(b_i \| v \| w_v) \| aid)_{k_j}\}_{a_j \in A},\ V\Sigma S_j(aid, \sigma_{bank})$

Bidding closes when an auction server $a_i$ multicasts the following message:

M2 - $aid,\ close$

When $a_i$ has received close messages for auction $aid$ from $t$ different servers, it considers bidding closed.

2.1.4 Winner Determination

There are three stages to winner determination in this scheme: opening the bids, bid verification, and declaration of the winner.

During the opening stage, the auction servers collaborate to reconstruct a bid by combining the shares of the secret sharing scheme for each bidder. Auctioneer $a_i$ multicasts $sh_j(s)$ to the other Auctioneers, where $sh_j(s)$ is the $j$th share of the bid received from $b_i$.

M3 - $sh_j(s),\ b_i$

Each Auctioneer then performs a validity check on the bid and the bank’s signature on the coin using the VΣS protocol. Each server multicasts the share of who they think is the winner to all the other servers.

M4 - $aid,\ V\Sigma S$

When server $a_i$ has $t$ shares of VΣS for a bid, they are able to reconstruct the bank’s signature $\sigma_{bank}(v)$ on the winning bidder’s digital coin. $a_i$ sends the following message to the bidders:

M5 - $aid,\ b_i,\ \sigma_{a_i}(aid \| b_i)$

The message states that $a_i$ thinks that $b_i$ has won the auction. $\sigma_{a_i}(aid \| b_i)$ is $a_i$’s signature on the auction and $b_i$’s bid. When $b_i$ receives $t$ of these messages, he/she can use them to claim the item bid upon.

2.1.5 Security Analysis

Unforgeability - No one can forge the bank’s signature on a bidder’s coin, nor can they alter its amount. None of the auction servers can reconstruct the bank’s signature with fewer than $t$ shares from the VΣS.

Non-repudiation - In the event of a bidder repudiating a bid, the Auctioneers can still obtain payment from the bidder by reconstructing his/her signature on the digital coin.

Public Verifiability - This scheme is not publicly verifiable. The auction servers have no way of knowing if they hold correct shares, or whether the information they receive from other servers is correct.

Robustness - An auction server $a_i$ has no way to verify if they are holding a legitimate share of a bid. A bidder could launch a denial of service attack by flooding the auction servers with fake bids.

Anonymity - The Auctioneer knows the identity of every bidder. However, the authors describe how a pseudonym can be used when bidding. Bid amounts remain secret/sealed until the end of the bidding period unless $t$ auction servers collude. However, after opening the bids all auction servers learn the bid values.

2.1.6 Efficiency Analysis

Registration - $b_i$ must contact each auction server $a_i$. This is a total of $\ell$ communications. $b_i$ must store $\ell$ public keys $k_i$.

Bidding - Use of multicast protocols results in steep communication overheads. $b_i$ is required to contact every auction server, requiring $\ell$ messages. The total number of messages sent by all bidders during this stage is $\ell n$. An auction server $a_i$ is required to send $\ell - 1$ close messages. This is a total of $(\ell^2 - \ell)/2$ close messages for the set of auction servers.

Verification -

Winner Determination - ai must send ℓ − 1 messages to the other auction servers regarding a bid. ai must do this for all n bids giving a total of nℓ − 1 messages. Collectively the servers broadcast n(ℓ^2 − ℓ)/2 messages.

Verification of the VΣS is slow. Each server must also send a message to the winner. To determine the winner requires an individual server to send up to 3ℓn − 2n messages.


2.2 Kikuchi, Harkavy and Tygar

Kikuchi et al [KHT98a] present a second price, sealed bid auction, which is able to resolve ties. This scheme is based on secure addition (see section ...). Each bidder chooses his/her bid value from a price list V of k bidding prices. If his/her valuation is higher than a price, s/he bids his/her secret ID value; otherwise s/he bids 0. The scheme employs ℓ servers where t are trusted to be correct (see Figure 2.2). A bidder seals his/her bid by splitting it up among all ℓ auctioneers using a (t, ℓ)-secret sharing scheme. This is done for all k points in the price list. To unseal a bid, each auction server broadcasts its share to the other auctioneers. The bid values for each price in the list are summed. When only a single bidder bids at a particular price, the result equals the bidder’s ID.

Figure 2.2: Structure of the Kikuchi et al Auction Scheme

Notation

B = b1, ..., bn: bidders
A = a1, ..., aℓ: auction servers
S: the seller
p: a large prime number
t: threshold of trusted auction servers
V = v1, ..., vk: price list
σS(i): bi’s secret ID value signed by the seller
r: random padding
ES(...): encryption under the seller’s public key

2.2.1 Initialisation

Each auction server ai is associated with a distinct point α_{ai} ∈ Zp. The seller S, publishes a price list V, of permissible bidding values.


2.2.2 Registration

A bidder, bi, registers with S. S provides bi with k secret IDs. These are of the form:

ID_{bi,vj} = ES(σS(i) || r)

Each ID_{bi,vj} corresponds to a point vj in the price list (1 ≤ j ≤ k). σS(i) denotes S’s signature on bi’s secret ID value i. ES is the encryption of the signed values using S’s public key. r is a random number and || denotes concatenation.

2.2.3 Bidding

bi picks k random polynomials of the form:

f_{bi,vj}(x) = s + α_1 x + ... + α_{at} x^{at} (mod p)

Where the coefficients are uniformly randomly chosen for each polynomial. If bi is willing to bid at price vj, then s is set to be ID_{bi,vj} (i.e., bi’s ID for price vj). Otherwise s is set to zero. bi sends f_{bi,vj}(αi) to ai for all j, 1 ≤ j ≤ k, and all i, 1 ≤ i ≤ ℓ.

2.2.4 Winner Determination

Each auction server broadcasts its share of bi’s bid to the other ℓ − 1 servers. Given more than t points of the aggregate polynomial each server uses Lagrange interpolation to solve the simultaneous equations and obtain the free variable. This variable contains the bidder’s bid for the given price vj. For each vj ∈ V an auction server computes the sum of all bidders’ bids:

F_{vk} = f_{b1,vj}(α1) + ... + f_{bn,vj}(αn) (mod p)

When there is only one remaining ID_{bi,vj} the winner will recognise F_{vj} as his/her secret ID and j − 1 as the price s/he must pay. At this stage, S decrypts the winner’s bid ID_{bi,vj} with his private key and retrieves the winner’s identity. This is subject to verification of S’s signature on the winner’s ID.

A tie occurs when two or more bidders bid at the highest price. This is detected when no bidders are able to identify F_{vk} as their own ID. In this situation, the auction enters a second round of bidding with a revised price list.
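The secure-addition step of sections 2.2.3 and 2.2.4, as an added Python sketch (not code from the review or from [KHT98a]). Random integers stand in for the encrypted, signed IDs ES(σS(i)||r); the modulus, the server points 1..ℓ and all function names are assumptions.

```python
import secrets

P = 2**127 - 1  # a prime; stands in for the scheme's large prime p (assumption)

def share(secret, points, t):
    """Evaluate a random degree-t polynomial with free term `secret` at each server point."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t)]
    return [sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P for x in points]

def free_term(points, values):
    """Lagrange interpolation at x = 0 from t + 1 (point, value) pairs."""
    total = 0
    for i, (xi, yi) in enumerate(zip(points, values)):
        num = den = 1
        for j, xj in enumerate(points):
            if j != i:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def run_auction(max_prices, prices, n_servers=5, t=2):
    """max_prices[b] is the highest price bidder b is willing to bid at.
    Returns (winner, j, F): the bidder who recognises F[j] as its own ID at the
    lowest such price index j (the text charges price j - 1), or (None, None, F) on a tie."""
    points = list(range(1, n_servers + 1))          # distinct server points
    n, k = len(max_prices), len(prices)
    # Stand-in secret IDs, one per (bidder, price); never zero.
    ids = [[secrets.randbelow(P - 1) + 1 for _ in range(k)] for _ in range(n)]
    # sums[a][j]: what server a holds for price j after adding every bidder's share.
    sums = [[0] * k for _ in points]
    for b in range(n):
        for j, v in enumerate(prices):
            s = ids[b][j] if v <= max_prices[b] else 0   # ID if willing, else 0
            for a, sh in enumerate(share(s, points, t)):
                sums[a][j] = (sums[a][j] + sh) % P
    # Any t + 1 servers can open the aggregate polynomial for each price.
    opener = points[: t + 1]
    F = [free_term(opener, [sums[a][j] for a in range(t + 1)]) for j in range(k)]
    for j in range(k):
        for b in range(n):
            if F[j] == ids[b][j]:       # exactly one bidder bid at price j
                return b, j, F
    return None, None, F                # nobody recognises a sum: tie at the top price

if __name__ == "__main__":
    prices = [100, 200, 300, 400]       # constructed sample price list
    winner, j, _ = run_auction([250, 420, 330], prices)
    print("winner:", winner, "pays:", prices[j - 1])
    print("tie:", run_auction([450, 420], prices)[0])
```

Individual shares and per-server sums are uniformly random on their own; only the opened free term F[j] carries information, which is why a single bidder at a price shows up as that bidder's ID while two or more produce an unrecognisable sum.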

2.2.5 Security Analysis

Unforgeability - It is assumed that no one knows what a bidder’s secret ID is (with high probability). However, as S knows all bidders’ IDs, s/he can frame any bidder.

Non-repudiation - All IDs are signed by S. When there is a dispute S checks the signature and determines which bidder submitted the bid. However, this setup requires everyone to trust S.

Public Verifiability - The scheme is only trusted if t of the auction servers are honest. There is no bid authentication at the time of bidding, therefore anyone can insert a fake bid. Furthermore ai has no way of knowing whether it holds a valid share of a bid. S’s signature is only checked when the winner is declared.

Robustness - Invalid bids are able to disrupt the auction proceedings. If a bidder submits a random value for each price in the list, then no one will be able to determine the auction outcome. Furthermore, if a bidder doesn’t correctly follow the auction protocol, for example, by not bidding his/her ID at every price up to the level they are willing to pay, this will cause errors for this scheme.

Anonymity - The seller learns the identity of the winner. Neither the Auctioneer nor the bidders knows the identity of the winner. Bids remain sealed during the bidding stage unless t auction servers collude. The values of losing bids remain secret. However, the Auctioneer learns basic bid statistics.

2.2.6 Efficiency Analysis

Registration - S must do O(n) work. Signing and encrypting each secret ID requires 2 modular exponentiations. There are 2k modular exponentiations required for each bidder registered.

Bidding - The size of a bid is O(kℓ), proportional to the size of the price list k, and the number of auction servers ℓ. A bidder is required to perform O(ℓ) communications in order to submit a bid.

Verification - Verifying the winning bid requires 2 modular exponentiations.

Winner Determination - Unsealing a bid requires an auction server to transmit O(ℓ − 1) messages. Determining the winner requires each auction server to perform O(nk) modular additions.

2.3 Sako

Sako [S99] proposes a first price, sealed bid auction which takes a Dutch-style approach to opening bids. Bidders choose their bids from a price list and send this information (encrypted) to a set of Auctioneers (see Figure 2.3). The Auctioneers open (decrypt) the bids from highest to lowest in the price list until a winner is found. As soon as a winner is found, the Auctioneers refrain from opening any further bids (i.e., they do not decrypt any bids of a lesser value in the price list). This has the effect of concealing the values of losing bids (as in a Dutch auction). The auction outcome and the privacy of losing bids is ensured unless a threshold t, of the Auctioneers collude.

Figure 2.3: Structure of the Sako Auction Scheme

Notation

B = b1, ..., bn: bidders
A = a1, ..., aℓ: auction servers
t: threshold of trusted auction servers
V = v1, ..., vk: price list
Ev, Dv: probabilistic encryption and decryption functions
Mv: message for price vi
σi: bidder bi’s signature
z: counter variable

2.3.1 Initialisation

The Auctioneers determine and publish a set of encryption functions Ev, decryption functions Dv, and messages Mv for each price level v ∈ V. These are posted in a way that anyone can confirm their validity.

2.3.2 Registration

A bidder, bi, registers with all ℓ Auctioneers.

2.3.3 Bidding

Each bidding price is represented by the message Mv. Messages are encrypted using Ev. bi chooses a bidding price vi ∈ V. Then bi creates his/her encrypted message Cbi = Evi(Mvi), which corresponds to price vi, and publishes this as his/her bid. This is signed using bi’s signature σi.

2.3.4 Winner Determination

The Auctioneers set z = k (i.e., the highest bidding point) and decrypt Cbi using Dvi. While Dvi(Cbi) ≠ Mvi for all bi, the Auctioneers repeat the previous calculations for z = z − 1 (i.e., the next lowest bidding point in the price list). When Dvi(Cbi) = Mvi for one bidder, then the Auctioneers publish z = vi as the winning bid.

2.3.5 Security Analysis

Unforgeability - bi signs a bid using a digital signature σi.

Non-repudiation - In the event that bi repudiates a bid, the Auctioneers can check the signature σi on the winning bid.

Public Verifiability - Since all the values are published this system can be publicly verified. Note that everyone can verify that:

• Dvi(Cbi) is the correct decryption regarding each Dvi, for i ≥ z.

• For all vj ≠ vi, Dvj(Cbi) ≠ Mvj.

• For each of the winners wi, Dvz(Cwz) = Mvz holds.

Robustness - It is not clear what happens in the event of a tie-situation, i.e., more than one bidder bids at the winning price.

Anonymity - This scheme does not address anonymity concerns. Bids remain sealed as long as t of the Auctioneers do not collude. Since this auction takes a Dutch-style approach, the privacy of losing bids is ensured (unless t auction servers collude). The Auctioneer learns the identity of the winner and the value of the winning bid.

2.3.6 Efficiency Analysis

Registration - bi must undertake O(ℓ) communications. ai must do O(n) work.

Bidding - The size of a bid is O(kℓ). bi must perform k + 1 modular exponentiations and undertake O(ℓ) communications.

Verification - Verification requires ai to perform 1 modular exponentiation per bid.

Winner Determination - ai is required to perform O(kn) modular exponentiations and O(kℓ) communications.

2.4 Naor, Pinkas and Sumner

Naor et al [NPS99] propose a second-price, sealed bid auction. This scheme uses two Auctioneer servers each owned by a separate entity (see Figure 2.4). These Auctioneers are referred to as the Auction Issuer (AI) and the Auction Manager (AM) respectively. AM is responsible for conducting the auction. AI aids AM in determining the winner. The Auctioneers communicate using an oblivious transfer protocol (see 4.11) which effectively prevents each party from learning too much information about the bidders and the bids they submit. This scheme (and its variants) have thus far proved to be more efficient than threshold trust schemes.

Figure 2.4: Structure of the Naor et al Auction Scheme

Notation

B = b1, ..., bn: bidders
AI: Auction Issuer
AM: Auction Manager
p: a prime number
r: a random secret number
g: a basepoint on which the DLP is hard (see 4.4)
λ: number of bits in the binary representation of the bid value
m^0_{i,j}, m^1_{i,j}: 0 or 1 for bit j, 1 ≤ j ≤ λ, of the bid value

2.4.1 Initialisation

AI generates a program for computing the winning bid, publishes his/her public key E1 and c = g^r mod p and keeps bi’s values m^0_{i,j}, m^1_{i,j} (j = 1, ..., λ) secret.

AM sets K = 2^λ bidding points.

2.4.2 Registration

A bidder, bi, registers with the AM.

2.4.3 Bidding

A bid value is expressed as a binary number of size 2λ. bi follows a 1-out-of-2 proxy oblivious transfer protocol for each bit j of his/her bid. bi selects his/her secret keys xi,1, ..., xi,λ. bi sends the following message to AM:

M1 - xi,1, ..., xi,λ

Where αi,j is either xi,j or r − xi,j. If αi,j = xi,j holds, the j-th bit of bi’s bid is 0. If αi,j = r − xi,j holds, the j-th bit of bi’s bid is 1.

2.4.4 Winner Determination

AM forwards to AI:

M2 - E1(g^{αi,j})

AI decrypts them to g^{αi,j} for i = 1, ..., n and j = 1, ..., λ. This is sent back to AM:

M3 - g^{αi,j}

AM inputs the decrypted values m^0_{i,j} or m^1_{i,j} (i = 1, ..., n and j = 1, ..., λ) into the program. The program outputs both a winner and a winning bid.

2.4.5 Security Analysis

Unforgeability - The AM and AI do not learn any more information than is necessary to compute the auction outcome.

Non-repudiation -

Public Verifiability - It is difficult to verify the outputs of the program because the AM does not know which value of m^0_{i,j} or m^1_{i,j} (i = 1, ..., n and j = 1, ..., λ) is used in the program. Nobody can verify whether the AI has made a faulty program or not. In fact, the following injustice could be done by the AI. The program can output a winning bid higher than the second highest bid value because the program knows the highest bid value. It can output a false winning bid. Nobody can tell whether the winning bid is false or not.

A further problem can occur when the AI colludes with a bidder bi. The AI could create a faulty program which always declares bi as the winner. Nobody can tell whether the winner is false or not.

Robustness - [JS02] identify a flaw where the AI can cheat by modifying bits arbitrarily and without detection. This is because there is no way to verify that the AI is forwarding the correct bits to the AM once the oblivious transfer process has been completed. They propose a means of repairing this flaw which requires a slightly greater amount of computation and communication on the part of the two auction servers, but actually involves much less computation on the part of the bidders. The proposal of [NPS99] involves several dozen exponentiations for a typical auction, the [JS02] scheme by contrast involves only several dozen modular modifications. The key idea in their proposal is a form of oblivious transfer that they refer to as verifiable proxy oblivious transfer.

Anonymity - AI cannot discover the value of αi,j. AI sends (g^{sj}, g^{αi,j sj} m^0_{i,j}, (c/g^{αi,j})^{sj} m^1_{i,j}) to AM (sj is a random number), for i = 1, ..., n and j = 1, ..., λ. Although the AM attempts to restore both m^0_{i,j} and m^1_{i,j} using xi,j (j = 1, ..., λ) for bi, either m^0_{i,j} or m^1_{i,j} is valid. Note that AM cannot know which value is rightfully decrypted.

No single entity knows the second highest bid value, the identity of the second highest bidder, nor the losing bid values.

2.4.6 Efficiency Analysis

Registration - Consider a circuit with n inputs and m gates. The protocol requires AI to prepare m tables and send them to AM. This is the major communication overhead of the protocol and can be performed offline, prior to disclosure of the input to AM. In the case of binary gates, the communication overhead is 4m times the length of the output of the pseudo-random function (typically 8 to 16 bytes long).

Bidding - The main computational overhead of the protocol is the computation of the n oblivious transfers. They require each of the two parties to perform a total of O(n) exponentiations.

Verification -

Winner Determination - Party A computes the output of the circuit, and this stage involves m applications of a pseudo-random function.

Baudron and Stern [BS01] describe a new auction protocol based on Naor et al. Robustness against active cheating players is achieved through an extra mechanism for fair encryption of a bit. The scheme is based on homomorphic encryption but differs from general techniques of secure circuit evaluation by taking into account the level of each gate and allowing efficient computation of unbounded logical gates.

Lipmaa, Asokan, and Niemi [LAN02] further develop the model of Naor et al. They propose two new cryptographic Vickrey auction schemes incorporating (M+1)st auction properties. The communication complexity between the seller and Auctioneer in medium-sized auctions is one order of magnitude less than Naor et al.

2.5 Stubblebine and Syverson

Stubblebine and Syverson [SS99] present a first price English auction. The scheme attempts to stop the Auctioneer from skewing its clock or selectively blocking bids. Bids are committed using secret bid commitment (SBC). This allows the Auctioneer to commit to a bid before he knows who it is from or what the bid amount is. After the Auctioneer has committed to the bid submission, the bidder can reveal the key.

The Auctioneer must commit to the bids received at regular intervals. Anyone can verify the Auctioneer’s actions by obtaining a notarised (timestamped) version of the bid history from an on-line Notary. The Notary’s sole action is to issue a certificate that binds its time stamp to any file sent to it. ≺ M, tN ≻N indicates the notarisation of M by the Notary N at time tN. Reasons for the Notary include:

1. To provide a non-repudiable record of the Auctioneer’s claimed auction history at the time of notarisation.

2. To provide a trusted time source on which the Auctioneer and bidders must synchronise. This prevents the Auctioneer from terminating the auction early or speeding up its clock.

The Auctioneer must maintain the notarised bid history in a manner that all bidders can access it. The bid history must be kept after the auction terminates in case there is a dispute. If the Auctioneer fails to maintain the bid history, they will be fined. If a bidder suspects the Auctioneer is acting maliciously, the bidder can send a bid via a certified mail delivery system (see Figure 2.5).

〈M〉S: SBC to a message M using secret S.

Figure 2.5: Structure of the Stubblebine and Syverson Auction Scheme

2.5.1 Initialisation

There is a publicly posted database associated with each auction.

1. Description of the item

2. Various parameters associated with the auction

(a) Time bids will begin being taken

(b) Conditions for the auction to close

3. Optional minimum bid amount


4. High sales price (penalty the Auctioneer pays the Seller)

5. History of the bids that have been made so far

(a) Signature of the Notary

(b) Signature of the Auctioneer

2.5.2 Registration

1. Register with the Auction Service - id, credit card details, etc.

2. Receives a public signature key certificate

2.5.3 Bidding

1. The bidder downloads the most recent notarised history.

2. The bidder submits a bid. The first bid submitted is different from later bids.

The first bid has the form:

Bid = AuctionID, 〈BidderID,≺ historyA, tN ≻N , bid amount〉S

The bid amount is indicated by the number of elements that are sent from a reverse hash chain. A reverse hash chain is formed by repeatedly hashing a random value some large number of times n. The first element of the chain c0 is the nth hash of the random value. As each link of the chain is revealed, it is easy to confirm that its hash is the most recent previously revealed link. So for the first bid that a bidder submits in an auction:

bid amount = c0, (i, ci)

The number of chain links revealed reflects the intended amount of the bid. Chain elements have a previously agreed value as part of the auction parameters. We use ⌊M⌋Kkbid to indicate the signature of message M using the signing key Kkbid. The bid key Kbid binds the bid back to the bidder, so that the Auctioneer can collect on the winning bid. tN is the time given by the Notary in the most recent notarised history submitted by the Auctioneer historyA, tN. The Auctioneer must commit to a bid by the end of the notarisation interval following the one in which it was received.

In subsequently sent bids, there is no need for the bidder to sign the bid. Subsequent bids have the form:

Bid = AuctionID, 〈BidderID, ≺ historyA, tN ≻N, bid amount〉S

In these bids,

bid amount = (i, cj)

The amount of this bid is indicated by j: the bidder has bid j times the value of a chain link. There is no need to sign since the Auctioneer can always authenticate the bid by binding back to kbid via the hash chain. The Auctioneer can thus show that the bidder has sent whatever total number of chain elements he has sent in that auction.
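The reverse hash chain bidding described above, as an added Python sketch that is not part of the original review or of [SS99]. SHA-256, the helper class BidderChainState and the link value of 10 are assumptions chosen for illustration; the signature and SBC wrapping of the first bid are left out.

```python
import hashlib
import secrets

LINK_VALUE = 10  # assumed agreed value of one chain link (an auction parameter)

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def make_chain(n: int, seed: bytes = b"") -> list:
    """Return [c0, c1, ..., cn] where c0 is the n-th hash of the seed and h(c_i) == c_(i-1)."""
    link = seed or secrets.token_bytes(32)
    links = [link]
    for _ in range(n):
        link = h(link)
        links.append(link)
    links.reverse()               # links[0] = c0, links[n] = the secret seed
    return links

class BidderChainState:
    """Auctioneer-side record of one bidder's chain (hypothetical helper)."""

    def __init__(self, c0: bytes):
        # c0 arrives in the first bid, which is the only one the bidder signs.
        self.index, self.link = 0, c0

    def accept(self, j: int, cj: bytes) -> bool:
        """Accept bid (j, c_j) only if it is higher than the last accepted bid
        and hashing c_j (j - index) times gives the last accepted link."""
        if j <= self.index:
            return False
        x = cj
        for _ in range(j - self.index):
            x = h(x)
        if x != self.link:
            return False
        self.index, self.link = j, cj
        return True

    def amount(self) -> int:
        return self.index * LINK_VALUE

def demo():
    chain = make_chain(50, seed=b"constructed sample seed")
    state = BidderChainState(chain[0])
    results = [
        state.accept(3, chain[3]),      # first bid: c0, (3, c3)
        state.accept(2, chain[2]),      # not higher than the standing bid
        state.accept(7, h(chain[3])),   # hashing a known link goes the wrong way
        state.accept(7, chain[7]),      # genuine later bid needs no signature
    ]
    return results, state.amount()

if __name__ == "__main__":
    print(demo())
```

Anyone holding c3 can compute c2, c1 and c0 but not c4, which is why a revealed link authenticates every lower amount and nobody but the bidder can claim a higher one.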

2.5.4 Winner Determination

The commitment that the Auctioneer makes to a bid is contingent on the bidder sending his SBC secret (thus revealing his BidderID and the bid amount). For a bid to be valid, this must be done by the end of the notarisation interval following the one in which the Auctioneer commits to accepting the bid; although it can be done as soon as the bidder has evidence of the Auctioneer’s commitment to his bid. To provide this evidence between notarisations, the Auctioneer can commit herself by signing (and posting) histories since the last notarisation. Once a bidder has downloaded the Auctioneer’s signed commitment history, he can reveal his secret, even within the same notarisation interval.

Bidders cannot withdraw a complete committed bid, nonetheless, a bidder can decide not to reveal his SBC secret, even after the bid is committed by the Auctioneer. This amounts to a limited bid cancellation capability with an added advantage; if the bidder chooses to cancel a bid in this way, then the BidderID and bid amount are never revealed.

The auction closes using a combination of expiration and timeout. The timeout interval must be at least as long as the notarisation interval. The winner is the bidder with the highest bid after the timeout period.

2.5.5 Security Analysis

Unforgeability - The Auctioneer cannot frame a bidder for a higher bid since s/he cannot produce the next unexposed chain element. Nor can the Auctioneer unpack the bid and claim it was for a lower amount since s/he will have committed to the bid before s/he knows the amount it contains.

Nonrepudiation - Once a bid has been unsealed the Auctioneer learns the identity of the bidder.

Public Verifiability - The actions of the Auctioneer are verifiable via the Notary and the public database.

Robustness -

Anonymity - There is no anonymity for bidders.

Unblockability - Test bids ensure that the Auctioneer continues to accept bids until the auction is over.


2.5.6 Efficiency

Registration - moderate

Bidding - Must commit to bid (hashing) and send 1 message to the Auctioneer.

Verification - A bidder only needs to sign his/her hash chain once.

Winner Determination - A bidder must send 1 message to the Auctioneer to reveal his/her bid.

2.6 Viswanathan, Boyd and Dawson

Viswanathan et al [VBD00] propose a sealed-bid auction system that requires the help of a bidder to unseal a bid. The auction uses a digital cash scheme where the bank is trusted not to reveal the identity of a bidder, unless there is a dispute. Information pertaining to registration and the auction is posted in two publicly readable databases (see Figure 2.6).

Figure 2.6: Structure of the Viswanathan et al Auction Scheme

Notation

B = b1, ..., bn: bidders
p: sufficiently large prime
G: prime order subgroup of Z*_p
b ∈ Z*_p: bid value
I: bidder’s identity
g1, g2: two generators of order q such that log_{g1} g2 are not known to anyone
y1 = g1^{x1}, y2 = g2^{x2}: bi’s public key
x1, x2: bi’s private key
d1, d2 ∈R Z*_q
H : {0, 1}* → Zq: collision intractable hash function


2.6.1 Digital Cash Protocol

System Settings: The bank, B, chooses and publishes primes p and q such that p = 2q + 1 and the generators g and g1 of order q. The bank publishes its public keys yB = g^{XB} and the public key of the trustee, T, (for tracing purposes). This is of the form fT = g^{XT}, where XT is the private key. Every user registers with the bank to obtain an identity, I = g^{u1}, where g is the base and u1 is the user’s private key.

Protocol Withdraw: The user identifies himself/herself to the bank and obtains a restrictive blind signature on a pseudonym, A = (I g1)^s, where g1 is a base and s a secret, random value. The restrictive blind signature restricts the structure of A to be of this form. The value of A is never revealed to the bank. This is expressed as 〈A, CertA〉I := Withdraw(I, B, sI, XBB), which reads, “I engages in the withdraw protocol with B using a (random) value s (known only to I) to obtain a certificate CertA for A, which are known only to I, signed by the bank using its private key XB.”

Protocol Spend: The user derives two pseudonyms A1 = g^{u1 s} and A2 = g1^s from A, such that A = A1A2. The user then proves to the merchant its knowledge of the pre-images of A1 and A2 with respect to the reference bases g and g1 respectively, proving the knowledge of representation of A and his/her identity, I. This is expressed as, 〈ProofA〉 := Spend(A, CertA, M, yb, fT, s, u1A), which reads, “A engages in the spend protocol with M using the certificate, CertA, B’s public key yb and the private data (S, u1) to generate the transcripts for a proof system 〈ProofA〉, which contains an encryption of the identity of the user under the public key fT.” 〈ProofA〉 contains the following tuples, (A1, A2, Encryption_{fT}(I)) along with the corresponding proof transcripts. Here Encryption_{fT}(I) is the encryption of the user identity I under the public key fT.

Protocol Deposit: The merchant submits the proofs of knowledge, which it received in the Protocol Spend, to the bank and avails credit. The bank can check if it has already received the tuple (A1, A2) to detect double spent transcripts. This phase is expressed as, Deposit(M, B, A, CertA, 〈ProofA〉), which reads, “M engages in the deposit protocol with B to submit the values 〈A, CertA〉 and 〈ProofA〉”

Protocol Trace: When the bank needs to trace the identity of the user who spent a particular transcript 〈ProofA〉, it can retrieve the ciphertext Encryption_{fT}(I) and decrypt it using its private key to obtain the identity. This can be expressed as 〈I, ProofT〉 := Trace(X, T, 〈A, CertA〉, 〈ProofA〉, XTT), which reads “X engages in the tracing protocol with T using the values 〈A, CertA〉 and 〈ProofA〉, to obtain the identity I and an optional proof 〈ProofT〉, for proof of correct decryption of the ciphertext. The trustee uses its private key XT for this purpose.”


Bidder                                                  Auctioneer

a, d1, d2 ∈R Z*_q
S = g1^b g2^a, B = g1^{d1} g2^{d2}
                              S, B
                        ------------------>
                                c
                        <------------------             c ∈R Zq
s1 = d1 − c x1, s2 = d2 − c x2
t1 = s1 − bc, t2 = s2 − ac
                             t1, t2
                        ------------------>
                                                        B ?= (S y1 y2)^c g1^{t1} g2^{t2}

Table 2.1: The Sealing Protocol

2.6.2 Sealing Protocol

Figure 2.1 illustrates the interactive sealing protocol between the bidder and the Auctioneer. At the end of this protocol, the Auctioneer will be convinced that the bidder submitted a correct bid that can be opened at the bid-opening phase. Bidder bi, with public keys y1 and y2 wishes to commit to the bid value b.

The non-interactive version of the protocol uses the Fiat-Shamir heuristic. Making use of a collision intractable hash function H : {0, 1}* → Zq, the sealer performs the following process with the bid b, his/her private key (x1, x2) and the commitment value b as the inputs to obtain the output as (S, t1, t2, c).

Begin Process Sealer

    Input: x1, x2, b, a, g, g1, p, q
    d1, d2 ∈R Z*_q

    Compute:
        S = g^b g1^a mod p, B = g^{d1} g1^{d2} mod p
        c := H(y1, y2, S, B)
        s1 = d1 − c x1 mod q, s2 = d2 − c x2 mod q
        t1 = s1 − bc mod q, t2 = s2 − ac mod q

    Output: S, t1, t2, c

End Process

The outputs of the sealing process can be verified by employing the followingprocess:

Begin Process VerifySeal

    Inputs: S, t1, t2, c, y1, y2, g, g1, p

    If c ?= H(y1, y2, S, (S y1 y2)^c g^{t1} g1^{t2} mod p), then
        Result ← Pass
    Else
        Result ← Fail

    Output: Result

End Process


In this process the verifier checks the sealing transcripts against the public key of the sealer.

To open the seal the sealer can release the tuples (b, a). The values can be checked against the seal as follows:

Begin Process VerifyOpenedSeal

    Inputs: a, b, S, t1, t2, c, y1, y2, g, g1, p, q

    If S ?= g^b g1^a, then
        s1 = t1 + bc mod q, s2 = t2 + ac mod q
    Else
        Result ← Fail
        GoTo Output

    If c ?= H(y1, y2, S, (y1 y2)^c g^{s1} g1^{s2} mod p), then
        Result ← Pass
    Else
        Result ← Fail

    Output: Result

End Process

In this process the verifier checks the tuples (b, a) against the commitment value S. If they are correctly verified the actual signature value (s1, s2) is computed from t1 and t2. The value of (s1, s2) is then checked for a proper signature. Note that this is optional, because if the sealed tuples pass the VerifySeal process and the tuples (b, a) are correctly verified against S, then (s1, s2) will be a legal signature tuple on S.
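Sealer, VerifySeal and VerifyOpenedSeal from this section, as an added Python sketch that is not code from the review or from [VBD00]. The toy 49-bit group found by demo_group, the fixed generators 4 and 9, SHA-256 as H and all function names are assumptions; s1 and s2 are recovered as the inverse of the Sealer step t1 = s1 − bc, t2 = s2 − ac.

```python
import hashlib
import secrets

def is_prime(n):
    """Miller-Rabin with the first 12 primes as bases (deterministic below 3.3e24)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for sp in bases:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_group(start=2**48):
    """Toy parameters (p, q, g, g1) with p = 2q + 1; far too small for real use."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4, 9   # 4 and 9 are squares mod p, so both have order q

def H(q, *values):
    data = "|".join(str(v) for v in values).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def sealer(x1, x2, b, a, grp):
    p, q, g, g1 = grp
    y1, y2 = pow(g, x1, p), pow(g1, x2, p)
    d1, d2 = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    S = pow(g, b, p) * pow(g1, a, p) % p          # commitment to the bid b
    B = pow(g, d1, p) * pow(g1, d2, p) % p
    c = H(q, y1, y2, S, B)                        # Fiat-Shamir challenge
    s1, s2 = (d1 - c * x1) % q, (d2 - c * x2) % q
    return S, (s1 - b * c) % q, (s2 - a * c) % q, c

def verify_seal(S, t1, t2, c, y1, y2, grp):
    p, q, g, g1 = grp
    B = pow(S * y1 * y2 % p, c, p) * pow(g, t1, p) * pow(g1, t2, p) % p
    return c == H(q, y1, y2, S, B)

def verify_opened_seal(a, b, S, t1, t2, c, y1, y2, grp):
    p, q, g, g1 = grp
    if S != pow(g, b, p) * pow(g1, a, p) % p:
        return False                              # (b, a) does not open S
    s1, s2 = (t1 + b * c) % q, (t2 + a * c) % q   # undo t1 = s1 - bc, t2 = s2 - ac
    B = pow(y1 * y2 % p, c, p) * pow(g, s1, p) * pow(g1, s2, p) % p
    return c == H(q, y1, y2, S, B)

def demo():
    grp = demo_group()
    p, q, g, g1 = grp
    x1, x2 = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    y1, y2 = pow(g, x1, p), pow(g1, x2, p)
    b, a = 750, secrets.randbelow(q - 1) + 1      # constructed sample bid and blinding value
    S, t1, t2, c = sealer(x1, x2, b, a, grp)
    return {
        "seal_ok": verify_seal(S, t1, t2, c, y1, y2, grp),
        "open_ok": verify_opened_seal(a, b, S, t1, t2, c, y1, y2, grp),
        "wrong_bid": verify_opened_seal(a, b + 1, S, t1, t2, c, y1, y2, grp),
        "tampered": verify_seal(S, (t1 + 1) % q, t2, c, y1, y2, grp),
    }

if __name__ == "__main__":
    print(demo())
```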

2.6.3 Registration

The bidder, bi, performs the following tasks:

1. Presents the tuple (Ai, CertAi) to R.

2. Engages in the spending protocol to convince R of its ownership of the tuple without revealing its identity. The spending protocol will be of the form:

(ProofAi) := Spend(Ai, CertAi, R, yb, fT, s, uiAi)

If the spending phase was successful, then (ProofAi) will contain A1i = g^{u1 s} and A2i = g1^s, such that Ai = A1i A2i.

3. Chooses its bid value, b ∈ Z*_q.

4. Seals the bid using the sealing process described above. bi chooses a ∈R Z*_q and computes the following:

S, s1, s2, c := Sealer(u1s, s, b, a, g, g1, p, q)

If R verifies the sealing process correctly as:

Pass ?= VerifySeal(S, s1, s2, c, A1i, A2i, g, g1, p)

The results of the sub-protocol are signed by R and published in a publicly verifiable directory DBR.

2.6.4 Bidding

bi authenticates using his/her pseudonym A1i and opens his/her commitment by sending (b, a) to the Auctioneer. The Auctioneer:

1. Obtains the registration transcripts from DBR using A1i as the index to the database.

2. Verifies R’s signature on the transcript.

3. Obtains the seal values from the transcript (i.e., (S, s1, s2, c)).

4. Verifies the opened commitments as:

Pass ?= VerifyOpenedSeal(a, b, S, s1, s2, c, A1i, A2i, g1, g2, p, q)

and aborts the submission process when the result is not Pass.

5. Signs the bid tuple (b, a) and the sealed values (S, s1, s2, c) as:

σAi := Sign(xa, S, s1, s2, c, A1i, A2i)

6. Sends σAi to bi as a receipt of the bid.

7. Stores (b, a), σAi, (A1i, A2i) in DBA.

2.6.5 Winner Determination

When the auction closes, the highest bid, “b”, is chosen from DBA and the bi that submitted b is considered the winner. bi can use the pseudonym, Ai, (available from DBA) as proof of winning.

2.6.6 Tracing

If the winner repudiates the bid or a bidder refuses to unseal a bid, the Auctioneer can use A1i to trace the identity of the person that submitted the bid.

2.6.7 Security Analysis

Unforgeability - Bids are signed using a digital signature.

Non-repudiation - If a bidder repudiates a bid, the Auctioneer consults the trusted third party to reveal the bidder’s identity.


Public Verifiability - This scheme is publicly verifiable, as both the registrar and the Auctioneer publish the results in DBR and DBA.

Robustness - The verification procedure removes any invalid bids.

Anonymity - The digital cash scheme provides anonymity. However, we show in [TGR05a] that a malicious bidder can create bids that make it appear as if bi has not participated in the bid opening protocol. In this case the Auctioneer erroneously runs the tracing protocol and reveals bi’s identity.

2.6.8 Efficiency Analysis

Registration - bi is required to undertake 2 communications to the Auctioneer/Registrar. Sealing a bid requires bi to compute 8 modular exponentiations.

Bidding - bi and the Auctioneer communicate twice during bidding. The Auctioneer must read from DBR and write to DBA.

Verification - For each bid, the Auctioneer is required to perform 1 modular exponentiation for verification, 3 modular exponentiations for the VerifyOpenSeal process and 1 modular exponentiation to sign the receipt. Signing and verification require two computations of a hash function. For each bid the Auctioneer must do 5 modular computations and 2 hash function operations.

Winner Determination - Once the bids have been unsealed, they are posted on DBA in plaintext. This allows the winner to be efficiently computed.

2.7 Omote and Miyaji

Omote and Miyaji [OM01] present an English auction scheme using a group signature (see 4.9). In this scheme there are two managers responsible for conducting a series of $k$ auctions (see Figure 2.7). The Registration Manager (RM) secretly knows the correspondence of the bidder’s identity and registration key. The RM works as an identity escrow agency. The Auction Manager (AM) hosts the auction and prepares bidders’ keys in each round. Bidders must acquire a new key prior to each auction in order to submit bids.

Assume we are using a discrete logarithm based cryptosystem. Let $p$ and $q$ be two large primes satisfying $q \mid p - 1$ and $g$ be a generator of the multiplicative group $Z_p^*$ with order $q$. AM has the private key $x_A$ and the public key $y_A = g^{x_A}$. Bidder, $b_i$, has private key $x_i$ and public key $y_i = g^{x_i}$. $Y_{AM}$ is AM’s public key, and $T_i$ is an auction key for $b_i$. $k$ is the index of an auction ($k \ge 1$), $Enc(key, data)$ is an encryption function using a secret key, $key$. $Enc^j(key, data)$ is the $j$-th encryption using the same key, $Enc(key, Enc(key, ...))$.


Figure 2.7: Structure of the Omote and Miyaji Auction Scheme

Notation

$B = \{b_1, ..., b_n\}$: bidders

RM: Registration Manager

AM: Auction Manager

$p, q$: two large primes ($q \mid p - 1$)

$g$: an element $g \in Z_p$ with order $q$

$x_i$: a secret key of $b_i$

$y_i$: a public key of $b_i$

$r_i$: AM’s random number for $b_i$

$t_i$: a random number of $b_i$

$T_i$: an auction key for $b_i$

$k$: the index of auctions ($k \ge 1$)

$Y_{AM}$: AM’s public key

$Enc$: $Enc(key, data)$ is a secret key encryption function using a secret key, $key$

$Enc^j$: $Enc^j(key, data)$ is $j$-times encryption using the same key, $Enc(key, Enc(key, ...))$

2.7.1 Registration

A bidder, $b_i$, registers his/her public key $y_i$ with RM as follows: He/she chooses a random number, $t_i$, and sends $(y_i, t_i)$ with a proof that he/she knows the private key $x_i$ (the discrete logarithm of $y_i$ to the base $g$). When RM accepts the proof, it publishes $(y_i, t_i)$ on its bulletin board and keeps the bidder’s identity secret.

AM’s Setup (before each auction): Assume that AM holds the $k$-th round of auctioning. It gets $(y_i, t_i)$ for every participating bidder from RM’s bulletin board. AM computes shared secret keys $y_i^{x_A}$ for every $b_i$ using Diffie-Hellman key distribution. AM generates a random number, $r_i$, and computes the following auction key $T_i$ for every $b_i$:

$$T_i = (Enc^k(y_i^{x_A}, t_i),\ y_i^{r_i},\ g^{r_i})$$

where $Enc^k(y_i^{x_A}, t_i) = Enc(y_i^{x_A}, Enc^{k-1}(y_i^{x_A}, t_i))$ is the $k$-th encryption of $t_i$ using the shared key $y_i^{x_A}$. AM publishes the auction keys $T_i$ for all bidders on the bulletin board in a shuffled manner.

2.7.2 Bidding

A bidder, $b_i$, that wants to participate in the $k$-th auction round can find his/her auction key $T_i$ from AM’s bulletin board by computing $Enc^k(y_i^{x_A}, t_i)$ in advance using $y_A^{x_i} = y_i^{x_A}$. When $b_i$ places a bid, he/she sends the following bid information $(m_i, y_i^{r_i}, g^{r_i}, V_2)$ to AM.

• a bid $m_i$ ($m_i$ = auction id ‖ bid value)

• $y_i^{r_i}$ and $g^{r_i}$ published by AM

• $V_2 = SK[\alpha : y_i^{r_i} = (g^{r_i})^{\alpha}](m_i)$

Here $V_2$ is a signature of knowledge (SK) on message $m_i$ and implies that $b_i$ knows the value $\alpha = x_i$ (see Camenisch and Stadler [CS97]).

2.7.3 Winner Determination

Assume that $m_j$ is the winning bid. AM proves to RM that the public information $y_j^{r_j}$ added to the winning bid $m_j$ corresponds to the public key $y_j$ by sending $r_j^{-1}$. RM then informs a vendor of the winner’s identity after the winner decision procedure.
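The following Python sketch walks one auction round of this scheme, from AM's setup through bidding to winner determination. It is an added example, not code from Omote and Miyaji or from this review; the toy group (p = 2039, q = 1019, g = 4), the bidder names and keys, the use of HMAC-SHA256 as a stand-in for Enc, and the Schnorr-style (c, s) encoding of the signature of knowledge V2 are all assumptions.

```python
import hashlib, hmac, secrets

# Constructed toy group: p = 2q + 1, and g = 4 has prime order q. Demo size only.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """Hash length-prefixed ints/bytes to an integer challenge."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big")

def enc_k(shared, t, k):
    """Enc^k(shared, t). HMAC-SHA256 is an assumed stand-in for Enc: both
    sides only ever recompute this value, nobody decrypts it."""
    key, data = str(shared).encode(), str(t).encode()
    for _ in range(k):
        data = hmac.new(key, data, hashlib.sha256).digest()
    return data

def am_setup(x_am, rm_board, k):
    """AM: publish shuffled T_i = (Enc^k(y_i^xA, t_i), y_i^r_i, g^r_i)."""
    rng = secrets.SystemRandom()
    rs = rng.sample(range(1, Q), len(rm_board))   # distinct non-zero r_i
    board, secret_r = [], {}
    for (y_i, t_i), r_i in zip(rm_board, rs):
        g_r = pow(G, r_i, P)
        board.append((enc_k(pow(y_i, x_am, P), t_i, k), pow(y_i, r_i, P), g_r))
        secret_r[g_r] = r_i                       # stays with AM
    rng.shuffle(board)
    return board, secret_r

def find_auction_key(x_i, t_i, y_am, k, board):
    """Bidder: recompute Enc^k under y_AM^x_i (= y_i^xA) to spot own T_i."""
    tag = enc_k(pow(y_am, x_i, P), t_i, k)
    return next(entry for entry in board if entry[0] == tag)

def sk_sign(x_i, m, y_r, g_r):
    """V2 = SK[alpha : y_r = g_r^alpha](m) as a Schnorr-style pair (c, s)."""
    w = 1 + secrets.randbelow(Q - 1)
    c = H(m, y_r, g_r, pow(g_r, w, P))
    return c, (w - c * x_i) % Q

def sk_verify(m, y_r, g_r, v2):
    """AM: rebuild the commitment from (c, s); it must hash back to c."""
    c, s = v2
    if not (1 < y_r < P and 1 < g_r < P):
        return False
    commit = pow(g_r, s, P) * pow(y_r, c, P) % P
    return H(m, y_r, g_r, commit) == c

def rm_open(y_r, r_inv, registry):
    """RM: (y_j^r_j)^(r_j^-1) = y_j, then look up the escrowed identity."""
    return registry.get(pow(y_r, r_inv, P))

def demo(k=3):
    x_am = 777
    y_am = pow(G, x_am, P)
    # Constructed bidders: identity -> (private key x_i, random number t_i)
    bidders = {"alice": (11, 4242), "bob": (22, 1717), "carol": (33, 9090)}
    registry = {pow(G, x, P): name for name, (x, _) in bidders.items()}  # RM only
    rm_board = [(pow(G, x, P), t) for x, t in bidders.values()]          # public
    board, secret_r = am_setup(x_am, rm_board, k)

    x_b, t_b = bidders["bob"]
    _, y_r, g_r = find_auction_key(x_b, t_b, y_am, k, board)
    m = b"auction-%d||150" % k                    # m_i = auction id || bid value
    v2 = sk_sign(x_b, m, y_r, g_r)
    assert sk_verify(m, y_r, g_r, v2)
    r_inv = pow(secret_r[g_r], -1, Q)             # AM sends r_j^-1 to RM
    return rm_open(y_r, r_inv, registry), (m, y_r, g_r, v2)

if __name__ == "__main__":
    print("RM resolves the winning bid to:", demo()[0])
```

AM never handles an identity here: it sees only the shuffled auction keys and the bid, while RM needs $r_j^{-1}$ from AM before it can map the winning bid back to a registered key.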

2.7.4 Tracing

In this scheme RM acts as a trusted third party. When there is a dispute RM is able to reveal the identity of the signer of a bid. AM revokes a guilty bidder by not updating his/her $T_i$ on the bulletin board for all subsequent auctions.

2.7.5 Security Analysis

Unforgeability - It is impossible to generate a valid signature using the registration key in AM’s bulletin board. Therefore nobody can forge a bid.

Non-repudiation - In the event of a dispute, the RM can reveal the identity of a signer of a bid.

Public Verifiability - The auction proceedings are published on the bulletin board. However, bids are only verifiable by the AM. Furthermore, there is no way to verify that the AM has in fact contacted the winner regarding the auction outcome, nor if the AM has added the public information correctly to the winning bid.

Robustness - AM can discard any bids that are not correctly formed.

Anonymity - Only the RM knows the winner’s identity after the winner determination phase. This means that all participants including the AM cannot identify a winner but can confirm the validity of a winner. If the RM informs a vendor of a winner’s identity after the winner determination phase, nobody except for the RM can identify a winner.

2.7.6 Efficiency Analysis

Registration - This requires 480 modular multiplications (using 1024 bits) for each bidder and the Auctioneer. The communication required is 1.3 Kb. Significant computation must take place between auction rounds. Each bidder must also contact the Auctioneer, and engage in a process that is essentially equivalent to re-registering.

Bidding - This requires 240 modular multiplications (using 1024 bits) for each bidder. The communication required is 2.4 Kb for each bidder.

Verification - This requires the Auctioneer to perform 320 modular multiplications (using 1024 bits).

Winner Determination - Bids are posted on the bulletin board in plaintext. This allows efficient calculation of the winner according to English auction rules.

2.8 Wang and Leung

Wang and Leung [WL04] discuss security and anonymity issues for CDAs used in Internet retail markets. They propose a scheme that involves three servers to conduct the auction, but only requires trust between two of the servers (see Figure 2.8). In order to participate in the auction, a bidder must first create a pseudonym that is blindly signed by one of the servers. This pseudonym is authenticated and signed by the second server and the bidder is issued a certificate to participate in the auction. To place a bid, a bidder forms his/her bid and presents this with his/her certificate to the third server, which conducts the auction. Bids are posted on a public bulletin board and are cleared according to the auction’s matching strategy. When there is a dispute, the two servers used during registration can reveal the identity of a bidder.

Figure 2.8: Structure of the Wang and Leung Auction Scheme

Notation

$B = \{b_1, ..., b_n\}$: bidders

RM: Registration Manager

MM: Market Manager

$H(.)$: hash function

$m$: a message

$\sigma_x(H(m))$: signature of party $x$ on $H(m)$

$\Omega_x(m)$: the tuple $m, \sigma_x(H(m))$

$\sigma_{b_i}(offer)$: $b_i$’s signature on an offer

$Cert_{b_i}$: $b_i$’s auction certificate

$sn, r$: random numbers

$ps_{b_i} = H(H(ID_{b_i}||sn||r)$: $b_i$’s pseudonym

$s_{b_i}, p_{b_i}$: $b_i$’s private/public keys

2.8.1 Initialisation

Let RM use the RSA system with public parameters $n$, $e$ as the RSA modulus and the encryption key, respectively. Let $d$ be the corresponding private key in the RSA system and $H(.)$ be an appropriate hash function. Denote by $\Omega_x(m)$ the tuple $m, \sigma_x(H(m))$, that is, a message $m$ and the signature of party $x$ on $H(m)$. Also let a bidder, $b_i$, possess a certified encryption/decryption key pair.

2.8.2 Registration

When registering, a bidder submits his/her ID, a request to join the auction and a random number $sn$. The registration protocol between $b_i$ and RM is shown in Table 2.2.

The RM signs the bidder’s ID concatenated with $sn$ and returns this to the bidder. The bidder calculates his/her pseudonym $ps_{b_i}$ and temporary private/public keys $s_{b_i}, p_{b_i}$. The bidder then engages in a cut-and-choose protocol (see 4.6) so the RM can gain a zero knowledge proof that $b_i$’s pseudonym and keys are valid. When satisfied, the RM blindly signs (see 4.8) $b_i$’s pseudonym and keys.


Bidder: Generates a random $sn$, and M1 = $\Omega_{b_i}(ID_{b_i}, request, sn)$.

Bidder → RM: M1

RM: Verifies $b_i$’s signature. Generates M2, such that: M2 = $\Omega_{RM}(ID_{b_i}||sn)$.

RM → Bidder: M2

Bidder: Verifies RM’s signature. Generates random numbers $r$. Computes pseudonym $ps_{b_i} = H(H(ID_{b_i}||sn||r)$. Generates a pair of temporary private/public keys $s_{b_i}, p_{b_i}$.

Bidder ↔ RM: Cut-and-Choose Protocol

Bidder: Obtains $\sigma_{RM}(ps_{b_i}, p_{b_i})$.

Table 2.2: The Registration Protocol between $b_i$ and RM

2.8.3 Bidding

After obtaining the certificate from MM, $b_i$ submits its bid in the form offer, $\sigma_{b_i}(offer)$, $Cert_{b_i}$, where offer = $p_{b_i}$, BUY/SELL, Commodity, Value, Timestamp. The Auctioneer checks the validity of $Cert_{b_i}$ and then posts the bid on the bulletin board.

2.8.4 Winner Determination

The Auctioneer is responsible for matching bid/asks according to the market clearing strategy. Winners are announced via the bulletin board.

2.8.5 Tracing

If $b_i$ repudiates a bid, RM and MM can combine their information collected during the registration stage to establish the identity corresponding to $Cert_{b_i}$.

2.8.6 Security Analysis

Unforgeability - Bids are signed using a digital signature.

Non-repudiation - If $b_i$ repudiates a bid, RM and MM can combine information to reveal the identity of who submitted the bid in question.

Public Verifiability - A major problem with this scheme is that there is also no verification that a bidder’s bid has been included in the auction. This implies trust in the Auctioneer. This is a serious flaw as the Auctioneer can selectively block bids and is therefore able to manipulate the clearing price.

Bidder: Generates M4 as: M2, $r$, $(ps_{b_i}, p_{b_i})$, $\sigma_{RM}(ps_{b_i}, p_{b_i})$.

Bidder → MM: M4

MM: Makes sure that $b_i$ has not been registered before. If M4 is verified, then generates $Cert_{b_i}$ as: $\Omega_{RM}(ps_{b_i}, p_{b_i})$, $\sigma_{MM}(ps_{b_i}, p_{b_i})$.

MM → Bidder: $Cert_{b_i}$

Bidder: Obtains the auction certificate.

Table 2.3: The Registration Protocol between $b_i$ and MM

Robustness - A bid that is not of the correct form is discarded by the Auctioneer.

Anonymity - As long as the RM and MM do not collude a bidder remains anonymous. However, we outline a flaw with this scheme in [TGR05b] that allows a bidder’s identity to be revealed. Additionally, there is a degree of linkability of a bidder’s trading pattern. Although the Auctioneer does not know which pseudonym belongs to which trader, over time the Auctioneer can learn information about particular traders based on the bids they received.

2.8.7 Efficiency Analysis

Registration - Registration is very inefficient due to the use of a cut and choose protocol. The number of messages that must be exchanged is proportional to the probability required to convince the Auctioneer that the certificate is correct.

Bidding - Bidders are only required to submit one message to the Auctioneer. This requires one modular exponentiation to sign a bid.

Verification - The Auctioneer must perform 3 modular exponentiations to verify a bid.

Winner Determination - Bids are posted on the bulletin board in plaintext. This allows efficient calculation of the winner according to the CDA matching strategy.


Chapter 3

Conclusion

This paper reviewed several major types of electronic auction schemes. Each scheme was uniformly presented by dissecting it into its major components. The security of each scheme was analysed according to how it dealt with the security requirements of unforgeability, non-repudiation, public verifiability, robustness and anonymity. Furthermore the efficiency of each scheme was given.


Chapter 4

Appendix

This section provides a basic overview of some of the cryptographic primitives used in electronic auctions.

4.1 Symmetric Encryption

The goal of encryption is to securely send information between two parties via an un-trusted channel. The sender and receiver must share a secret key $x$, prior to sending any messages (over a trusted channel). There are two stages, encryption and decryption. An encryption algorithm $f_e()$ takes as input a message $m$ and a secret key $x$ to compute ciphertext $c$, where $c = f_e(m, x)$. The decryption algorithm $f_d()$ takes as input ciphertext $c$ and a secret key $x$ to compute the original message $m$, where $m = f_d(c, x)$. Examples of symmetric encryption algorithms are DES and AES.

4.2 Public Key Encryption

Public key encryption uses two separate keys. The first key, $k$, is made public. When two parties want to communicate the sender must encrypt the message with the receiver’s public key, $c = f_e(m, k)$. The second key, $k^{-1}$, is kept private. Upon receiving a message the receiver decrypts the message with the private key, $m = f_d(c, k^{-1})$. It is assumed that the public key should give no information about the private key. Examples of public key encryption algorithms are RSA and ElGamal.

4.3 RSA Problem

The RSA problem was introduced by Rivest, Shamir and Adleman. Let $n$ be a product such that $n = pq$. Given $n$, $e$ and $y \pmod n$, it is infeasible to compute $x \in Z$ such that

$$x^e = y \bmod n$$

4.4 DLP Problem

Solving the discrete logarithm problem is considered hard (but not proven). Consider the equation (where $p$ is prime, $g$ a generator of $p$ and $x$ is random):

$$y = g^x \bmod p$$

Given $g$, $x$ and $p$, it is a straightforward matter to calculate $y$. At worst, one must perform $x$ repeated multiplications. However, given $y$, $g$ and $p$, it is in general very difficult to calculate $x$. The difficulty seems to be on the same order of magnitude as that of factoring primes required for RSA.

4.5 Digital Signatures

A digital signature allows the receiver of a message to verify that it came from the legitimate sender (i.e., it is not a forgery nor was it modified during transmission). Public key cryptography can be used to sign messages. The sender of a message $m$ signs it by encrypting it with his/her private key $k^{-1}$. The signature $\sigma$ is a function of $m$ and $k^{-1}$, $\sigma = f_e(m, k^{-1})$. The sender sends $\sigma$ to the receiver. The receiver can verify the signature by decrypting it with the sender’s public key $k$, $f_d(\sigma, k)$ = <valid, invalid>. An example of a digital signature algorithm is DSS.

4.6 Cut and Choose Protocol

Cut and Choose is a basic building block of several protocols.

When Alice has to cut a cake that she is going to share with Bob, she can try to cut a larger piece for herself. But if she doesn’t get to pick which piece is hers, she is motivated to try to cut the pieces fairly. For example, a parent telling his/her kids to share stuff according to the protocol, “one of you divides it, but the others get to choose their pieces first.”

In cryptographic protocols, cut-and-choose is used to prevent cheating. It works according to the same principle. In a cryptographic cut-and-choose, Bob has to do some operation on a blob of data, but can’t be allowed to know what is inside it, and Alice could cause a violation of trust if she were allowed to get Bob to operate on an arbitrary blob.

In order to do a cut-and-choose, Alice prepares many blobs, any one of which would do the job at hand, and Bob has his choice. So Bob picks one, then Alice reveals the keys that unlock all the rest and Bob can verify that they are all legitimate. At this point, Bob has a good reason to believe that the last one is legitimate too, because it would be stupid for Alice to try and cheat knowing that the odds of getting away with it were minimal, and besides, if she had tried to cheat, then Bob would most likely have discovered it when he unlocked all the other blobs. So Bob can proceed with whatever he needs to do with the last blob, assuming that the last blob is legitimate because all the others were.

4.7 Secret Sharing

A $(t, n)$-threshold secret sharing scheme is a method of breaking a secret $s$ into $n$ shares $sh_1(s), ..., sh_n(s)$, such that $t$ shares are sufficient to reconstruct $s$ but $t - 1$ or fewer shares give no information about $s$.

4.8 Blind Signatures

Blind signature schemes, first introduced by Chaum [Cha83] [Cha85], allow a person to get a message signed by another party without revealing any information about the message to the other party.

Using RSA signatures, Chaum demonstrated the implementation of this concept as follows: Suppose Alice has a message $m$ that she wishes to have signed by Bob, and she does not want Bob to learn anything about $m$. Let $(n, e)$ be Bob’s public key and $(n, d)$ be his private key. Alice generates a random value $r$ such that $\gcd(r, n) = 1$ and sends $x = (r^e m) \bmod n$ to Bob. The value $x$ is “blinded” by the random value $r$; hence Bob can derive no useful information from it. Bob returns the signed value $t = x^d \bmod n$ to Alice. Since

$$x^d \equiv (r^e m)^d \equiv r\, m^d \pmod n$$

Alice can obtain the true signature $s$ of $m$ by computing $s = r^{-1} t \bmod n$.

Now Alice’s message has a signature she could not have obtained on her own. This signature scheme is secure provided that factoring and root extraction remains difficult. However, regardless of the status of these problems the signature scheme is unconditionally “blind” since $r$ is random. The random $r$ does not allow the signer to learn about the message even if the signer can solve the underlying hard problems.

There are potential problems if Alice can give an arbitrary message to be signed, since this effectively enables her to mount a chosen message attack. One way of thwarting this kind of attack is described in [CFN88].

Blind signatures have numerous uses including timestamping, anonymous access control, and digital cash.
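The registration in 2.8.2 combines the cut-and-choose of 4.6 with the RSA blind signature described above, and the Python sketch below runs the two together. It is an added example, not code from Wang and Leung, Chaum or this review; it assumes a toy RSA key, reads the pseudonym formula as H(H(ID || sn || r)), takes "valid" to mean that an opened blob re-derives from the ID and sn that RM signed, and exposes RM's choice of the unopened blob as the parameter keep.

```python
import hashlib, math, secrets

# Constructed toy RSA key for RM built from two Mersenne primes. Demo size only.
P1, P2 = 2**31 - 1, 2**61 - 1
N, E = P1 * P2, 65537
D = pow(E, -1, (P1 - 1) * (P2 - 1))             # RM's private exponent d

def h(*parts):
    """SHA-256 over length-prefixed byte strings."""
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return d.digest()

def pseudonym(ident, sn, r):
    """Assumed reading of the pseudonym formula: ps = H(H(ID || sn || r))."""
    return h(h(ident, sn, r))

def to_sign(ps, pk):
    """The integer in Z_n that RM's signature on (ps, pk) covers."""
    return int.from_bytes(h(ps, pk), "big") % N

def make_blob(ident, sn, pk):
    """Bidder: blinded candidate x = b^e * H(ps, pk) mod n, plus its opening."""
    r = secrets.token_bytes(16)
    b = 0
    while math.gcd(b, N) != 1:                  # blinding factor must be a unit
        b = secrets.randbelow(N - 2) + 2
    x = pow(b, E, N) * to_sign(pseudonym(ident, sn, r), pk) % N
    return x, {"r": r, "b": b, "pk": pk}

def rm_cut_and_choose(registered_id, sn, blinded, keep, revealed):
    """RM: re-derive every opened blob from the ID and sn it signed in M2;
    blind-sign the single unopened blob only if all the others check out."""
    for j, x in enumerate(blinded):
        if j == keep:
            continue
        o = revealed[j]
        ps = pseudonym(registered_id, sn, o["r"])
        if pow(o["b"], E, N) * to_sign(ps, o["pk"]) % N != x:
            return None                         # malformed blob: refuse to sign
    return pow(blinded[keep], D, N)             # t = x^d mod n

def unblind(t, opening):
    """Bidder: s = b^-1 * t mod n is RM's signature on H(ps, pk)."""
    return pow(opening["b"], -1, N) * t % N

def verify(sig, ps, pk):
    """Anyone (here MM): check sig^e = H(ps, pk) mod n with RM's public key."""
    return pow(sig, E, N) == to_sign(ps, pk)

def demo(cheat_at=None, keep=0, count=8):
    """Run registration; blob `cheat_at` (if any) embeds somebody else's ID."""
    ident, other = b"bidder-17", b"someone-else"      # constructed identities
    sn, pk = secrets.token_bytes(8), b"temp-public-key"
    blobs = [make_blob(other if j == cheat_at else ident, sn, pk)
             for j in range(count)]
    blinded = [x for x, _ in blobs]
    revealed = {j: o for j, (_, o) in enumerate(blobs) if j != keep}
    t = rm_cut_and_choose(ident, sn, blinded, keep, revealed)
    if t is None:
        return None
    embedded = other if keep == cheat_at else ident
    ps = pseudonym(embedded, sn, blobs[keep][1]["r"])
    return verify(unblind(t, blobs[keep][1]), ps, pk), embedded

if __name__ == "__main__":
    print("honest bidder:        ", demo())
    print("cheat, blob opened:   ", demo(cheat_at=3, keep=0))
    print("cheat, blob unopened: ", demo(cheat_at=3, keep=3))
```

With count blobs, a bidder who malforms one blob goes undetected only when RM happens to leave exactly that blob unopened, so RM should pick keep uniformly at random and size count to the assurance it needs.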

4.9 Group Signatures

The concept of group signatures was introduced by Chaum and van Heyst [CH91]. A group signature scheme allows members of a group to sign messages on the group’s behalf such that the resulting signature does not reveal their identity. Signatures can be verified with respect to a single group public key, but do not reveal the identity of the signer. Only a designated group manager is able to open signatures (reveal the signer’s identity), in the case of a later dispute. Furthermore, it is not possible to decide whether two signatures have been issued by the same group member (unlinkability).

[CS97] present the first efficient group signature schemes in that the size of the group’s public key and of signatures are independent of the number of group members. Furthermore, the group’s public key remains unchanged if a new member is added to a group. Group signatures have been used in electronic voting protocols.

4.10 Verifiable Signature Sharing

Verifiable signature sharing enables the holder of a digitally signed message, who need not be the original signer, to share the signature among a group of processes so that the correct group members can later reconstruct it. At the end of the sharing phase, each member can verify whether a valid signature for the message can be reconstructed, even if the original signature holder and/or some of the members are malicious. In addition, malicious members gain no information prior to reconstruction about the signature held by a shareholder.

4.11 Oblivious Transfer

Oblivious transfer allows two (or more) parties to exchange secrets in such a manner that the sender of the secret does not know which secret the receiver has learned. In a 1-out-of-2 oblivious transfer scheme, a sender knows two secret values $(m_0, m_1)$ and a chooser determines an input $\sigma \in \{0, 1\}$. At the end of the protocol the chooser learns $m_\sigma$, while learning nothing about $m_{1-\sigma}$, and the sender learns nothing about $\sigma$.

4.12 Digital Cash

Digital cash protocols attempt to emulate the properties of physical cash. There are typically three parties involved: a spender, a merchant and a bank. A digital cash scheme allows a spender to withdraw money from the bank. The spender can then purchase something from the merchant with the cash. The merchant accepts the payment and deposits the money back at the bank.

Privacy and anonymity are significant issues for users of digital cash. A digital cash scheme must prevent a merchant or bank from being able to trace a spender’s transactions. Furthermore, it must be impossible for the spender to re-use or “double spend” the cash without revealing his/her identity.

A digital coin consists of the following tuple, $< v, \sigma_{bank}(v), w_v >$. Here $v$ is the value of the coin and $\sigma_{bank}$ is the bank’s signature on the coin. $w_v$ is freshness information, such as a timestamp that can be used to prevent the coin from being double spent.

Digital cash protocols can be classified as offline or online. In an offline scheme, no interaction is required between the merchant and the bank when the spender uses the digital cash. In an online scheme, the merchant must verify the transaction with the bank at the time of the sale.


Bibliography

[BM00] C. Boyd and W. Mao. Security Issues for Electronic Auctions. Hewlett Packard, HP Technical Report, HPL-2000-90, 2000.

[BS01] O. Baudron and J. Stern. Non-interactive Private Auctions. In Sixth Annual Proceedings of Financial Cryptography, pages 300-313, 2001.

[C67] R. Cassady. Auctions and Auctioneering. Berkeley: University of California Press, 1967.

[C99] C. Cachin. Efficient Private Bidding and Auctions with an Oblivious Third Party. In Proceedings of 6th ACM Conference on Computer and Communications Security, pages 120-127, 1999.

[CS97] J. Camenisch and M. Stadler. Efficient Group Signatures for Large Groups. In Advances in Cryptology - CRYPTO’97, pages 410-424, 1997.

[CH91] D. Chaum and E. van Heyst. Group Signatures. In Eurocrypt’91, pages 257-265, Springer-Verlag, 1991.

[FR92] D. Friedman and J. Rust. The Double Auction Market: Institutions, Theories and Evidence. Addison-Wesley, 1992.

[FR96] M. Franklin and M. Reiter. The Design and Implementation of a Secure Auction Service. In IEEE Transactions on Software Engineering, pages 22(5):302-312, 1996.

[KHT98a] H. Kikuchi, M. Harkavy and J.D. Tygar. Electronic Auctions with Private Bids. In 3rd USENIX Workshop on Electronic Commerce, pages 61-73, September 1998.

[KHT98b] H. Kikuchi, M. Harkavy and J.D. Tygar. Multi-round Anonymous Auction Protocols. In The Proceedings of the First IEEE Workshop on Dependable and Real-Time E-Commerce Systems, pages 62-69, Springer-Verlag, 1998.

[JJ02] M. Jakobsson and A. Juels. Mix and Match: Secure Function Evaluation via Ciphertexts. In Asiacrypt, 2002.


[JS02] A. Juels and M. Szydlo. A Two-Server, Sealed-Bid Auction Protocol. In Sixth Annual Proceedings of Financial Cryptography, 2002.

[K01] H. Kikuchi. (M+1)st-price auction protocol. In Fifth Annual Proceedings of Financial Cryptography, 2001.

[LAN02] H. Lipmaa, N. Asokan and V. Niemi. Secure Vickrey Auctions without Threshold Trust. In Sixth Annual Proceedings of Financial Cryptography, 2002.

[NT00] K. Nguyen and J. Traore. An Online Public Auction Protocol Protecting Bidder Privacy. Fifth Australasian Conference on Information Security and Privacy, ACISP’00, pages 108-120, July 2000.

[OM01] K. Omote and A. Miyaji. A Practical English Auction with One-time Registration. In Sixth Australasian Conference on Information Security and Privacy, pages 221-234, July 2001.

[PSST02] A. Perrig, S. Smith, D. Song and J.D. Tygar. SAM: A Flexible and Secure Auction Architecture using Trusted Hardware. In The Electronic Journal for E-Commerce Tools and Applications, 2002.

[MBC00] E. Magkos, M. Burmester and V. Chrissikopoulos. An Equitably Fair On-line Auction Scheme. Proceedings of the First International Conference on Electronic Commerce and Web Technologies, September 2000.

[LKM01] B. Lee, K. Kim and J. Ma. Efficient Public Auction with One-time Registration and Public Verifiability. Second International Conference on Cryptology in India, Indocrypt’01, pages 162-174, Springer-Verlag, LNCS 2247, December 2001.

[NPS99] M. Naor, B. Pinkas and R. Sumner. Privacy Preserving Auctions and Mechanism Design. In The 1st ACM Conference on Electronic Commerce, November 1999.

[S99] K. Sako. Universal Verifiable Auction Protocol which Hides Losing Bids. In Proc. of SCIS’99, pages 35-39, 1999.

[SM00a] D. Song and J. Millen. Secure Auctions in a Publish/Subscribe System. Available at http://www.csl.sri.com/users/millen/, 2000.

[SM99] K. Sakurai and S. Miyazaki. A Bulletin-Board Based Digital Auction Scheme with Bidding Down Strategy. In International Workshop on Cryptographic Techniques and E-Commerce, pages 180-187, 1999.

[SM00b] K. Sakurai and S. Miyazaki. An Auction Protocol which Hides the Bids of Losers. In Public Key Cryptography, pages 422-432, 2000.

[SS99] S. Stubblebine and P. Syverson. Fair On-Line Auctions Without Special Trusted Parties. In Third Annual Proceedings of Financial Cryptography, pages 230-240, Springer-Verlag LNCS 1648, 1999.


[T05] J. Trevathan. Security, Anonymity and Trust in Electronic Auctions. Association for Computing Machinery, Crossroads Magazine, Spring Edition, vol. 11.3, 2005.

[TGR05a] J. Trevathan, H. Ghodosi and W. Read. Design Issues for Electronic Auctions. JCU Technical Report, 2005.

[TGR05b] J. Trevathan, H. Ghodosi and W. Read. A Secure and Anonymous Continuous Double Auction Scheme. JCU Technical Report, 2005.

[TGR05c] J. Trevathan, H. Ghodosi and W. Read. Secure Online English Auctions. JCU Technical Report, 2005.

[V61] W. Vickrey. Counterspeculation, auctions and sealed tenders. Journal of Finance, 16:8-37, 1961.

[VBD00] K. Viswanathan, C. Boyd and E. Dawson. A Three Phased Schema for Sealed Bid Auction System Design. In ACISP, 2000.

[WI00] Y. Watanabe and H. Imai. Reducing the Round Complexity of a Sealed-Bid Auction Protocol with an Off-Line TTP. In 7th ACM Conference on Computer and Communications Security, pages 80-86, 2000.

[WL04] C. Wang and H. Leung. Anonymity and Security in Continuous Double Auctions for Internet Retails Market. In 37th Hawaii International Conference on System Sciences, 2004.

[YS04] M. Yokoo and K. Suzuki. Secure Generalized Vickrey Auction without Trusted Third-Party Servers. In Eighth Annual Proceedings of Financial Cryptography, 2004.