A Two-Server Auction Scheme
Ari Juels and Mike Szydlo
Financial Cryptography ‘02
12 March 2002

Auctions increasingly popular
2.6 million new auctions per day on eBay in 2000
– About three auctions per year for every inhabitant of U.S.
Attempted auctions (and hoaxes) in ‘99:
– A healthy kidney (high bid: $5.7 million)
– A military rocket launcher
– 200 pounds of cocaine
– A team of software engineers
– A baby (high bid: $109,100)
– A teenage boy selling his virginity (high bid: $10 million)
popular with all sorts...

Former Sotheby's chairman guilty
BBC News, 6 December 2001
The former chairman of auction house Sotheby's has been found guilty in New York of conspiring to fix art prices after two days of jury deliberations.

Diebenkorn Shilling Case Draws FBI Probe
The fallout from Kenneth A. Walton's failed eBay auction of a "great big wild abstract painting" continues today…

eBay vs. Sealed-bid
I bid $500
Pseudonymous (eBay)
I bid $500
Sealed-bid
• Great sporting event
• One-round
• Transparent participation
• Psychologically neutral
• Time-bounded
• Masks identities
• Facilitates, e.g., shilling
• Fungible goods
• “Serious” auctions

Sealed-Bid Auctions
[Figure: Alice, Bob, Duke, and Cate with inputs $x_1, x_2, x_3, x_4$ to $f$]
$f(x_1, x_2, x_3, x_4)$ = winner
General Secure Multiparty Computation (GSMC)

The Literature on Sealed-Bid Auctions
Most sealed-bid systems get away from inefficiencies of GSMC
– Weakened trust models
– Specifying function f as “maximum”
Some tailor GSMC to auctions
– JJ00
– NPS99 (Naor, Pinkas, and Sumner)

NPS at a glance
[Figure: Alice, Bob, Duke, Cate; $f$; “Winner: Cate!”]

Features of NPS
Use of exactly two servers gives many benefits (Yao construction)
One round of interaction for bidders -- and no latency
Any function f with efficient boolean circuit yields practical computation
– Vickrey auctions
– Private surveys
Few rounds of communication
But there’s a flaw...

Trust model
[Figure: Alice, Bob, Duke, Cate]
Auction guaranteed correct (or fails)
Bids remain private

Oblivious Transfer
[Figure: bit $b$; $t_0, t_1$; $t_b$ is transferred. Thought bubbles: “What was $t_{1-b}$?” and “What was $b$?”]

Proxy Oblivious Transfer (POT)
[Figure: Chooser with bit $b$; $t_0, t_1$; $t_b$ is delivered. Thought bubbles: “What was $b$?” and “What were $b$ and $t_{1-b}$?”]

POT in Auction
[Figure: Chooser with bit $b$ of bid; $t_b$ is passed on to $f$. Thought bubbles: “What was $b$?” (twice)]

The Problem With POT
[Figure: Chooser with bit ‘0’ in bid; $t_0$ is passed on to $f$]
Observed in JJ00
[Figure: Chooser with bit ‘0’ in bid; $t_1$ is passed on to $f$]
Alice’s bid has been changed!

We need Verifiable POT
$C^* = (C(t_0), C(t_1))$
[Figure: Chooser with bit $b$; messages labelled “$t_b$” and “$t_b, C^*,$”. Thought bubbles: “What was $b$?” (twice)]

Our Contributions
We introduce very efficient VPOT primitive -- fixing security flaw in NPS
With our VPOT, roughly ten times faster for bidder than NPS!
– NPS: Tens of exponentiations
– Ours: Tens of modular multiplications (great for cell phones)
– Ours: Twice as slow for servers

Idea 1: Efficiency (RSA-based OT)
bit $b$; $(t_0, t_1)$
RSA modulus $N$
Random $C$ in $\mathbb{Z}_N$
$R \in \mathbb{Z}_N$
$X_b = R^3 \bmod N$
$X_1 = C X_0$
$(X_0, X_1)$
$Y_0 = t_0 / (X_0)^{1/3}$
$Y_1 = t_1 / (X_1)^{1/3}$
$(Y_0, Y_1)$
$t_b = Y_b R$
• For technical reasons, real protocol slightly different
• Previous schemes typically based on, e.g., El Gamal
• El-Gamal-based --> Several modular exponentiations
• RSA-based --> Several modular multiplications
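
The simplified exchange on the RSA-based OT slide, as an added Python sketch; it is not the authors' code, and per the slide the real protocol differs slightly. The toy primes, the role name "sender" for the party holding (t0, t1), and the sender's check that X1 = C·X0 are assumptions of this example.

```python
import secrets
from math import gcd

# Toy key, constructed for illustration only; a real modulus is 2048 bits or more.
P, Q = 1_000_000_007, 998_244_353   # both are 2 mod 3, so 3 is invertible mod phi
N, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(3, -1, PHI)                 # private exponent: pow(x, D, N) is x^(1/3) mod N

def rand_unit():
    """Random invertible element of Z_N other than 1."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r

def chooser_request(b, C):
    """Chooser: X_b = R^3 mod N; the other value is forced by X_1 = C * X_0."""
    R = rand_unit()
    Xb = pow(R, 3, N)
    X0 = Xb if b == 0 else Xb * pow(C, -1, N) % N
    return (X0, C * X0 % N), R

def sender_respond(X, C, t0, t1):
    """Sender (assumed role name): Y_i = t_i / X_i^(1/3) mod N."""
    X0, X1 = X
    if X1 != C * X0 % N:                # assumed check: without it the chooser could
        raise ValueError("X1 != C*X0")  # submit two known cubes and unblind both tags
    root_inv = lambda x: pow(pow(x, D, N), -1, N)   # 1 / x^(1/3) mod N
    return t0 * root_inv(X0) % N, t1 * root_inv(X1) % N

def chooser_recover(Yb, R):
    """Chooser: t_b = Y_b * R mod N, because X_b^(1/3) = R."""
    return Yb * R % N

def run_ot(b, t0, t1):
    """One full exchange; returns the tag the chooser ends up with."""
    C = rand_unit()                     # sender publishes random C alongside N
    X, R = chooser_request(b, C)
    Y = sender_respond(X, C, t0, t1)
    return chooser_recover(Y[b], R)

if __name__ == "__main__":
    t0, t1 = 123456789, 987654321       # constructed sample tags
    print(run_ot(0, t0, t1), run_ot(1, t0, t1))
```

Unblinding the other value would need the cube root of $X_{1-b}$, which is $R$ times a cube root of $C$ or of its inverse, so it requires an RSA cube root the chooser cannot compute. The bidder-side work is a few modular multiplications, a cubing, and one inversion of the public $C$ (only when $b = 1$); the private-key exponentiations fall on the sender.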

Idea 2: Verifiability
[Figure: two vaults holding $t_0$ and $t_1$]
Bit $w = 0$ if $t_0$ on left
$w = 1$ if $t_0$ on right
Prove ordering of vaults = Prove fact about single bit $w$
Key tool: Goldwasser-Micali ‘84

Conclusion
NPS clever, practical approach to sealed-bid auctions
With VPOT, we can bring NPS ideas to fruition
High efficiency for weak bidding devices, e.g., cell phones