Download presentation

Presentation is loading. Please wait.

Published byAmber Sutherland Modified over 2 years ago

1
A Two-Server Auction Scheme Ari Juels and Mike Szydlo Financial Cryptography March 2002

2
Auctions increasingly popular u 2.6 million new auctions per day on eBay in 2000 –About three auctions per year for every inhabitant of U.S. u Attempted auctions (and hoaxes) in 99: –A healthy kidney ( high bid: $5.7 million ) –A military rocket launcher –200 pounds of cocaine –A team of software engineers –A baby ( high bid: $109,100 ) –A teenage boy selling his virginity ( high bid: $10 million )

3
popular with all sorts... Former Sotheby's chairman guilty BBC News, 6 December 2001 The former chairman of auction house Sotheby's has been found guilty in New York of conspiring to fix art prices after two days of jury deliberations. Diebenkorn Shilling Case Draws FBI Probe The fallout from Kenneth A. Walton's failed eBay auction of a "great big wild abstract painting" continues today…

4
eBay vs. Sealed-bid I bid $500 Pseudonymous (eBay) I bid $500 Sealed-bid Great sporting event One-round Transparent participation Psychologically neutral Time-bounded Masks identities Facilitates, e.g., shilling Fungible goods Serious auctions

5
Alice Bob Duke Cate Sealed-Bid Auctions

6
f(x 1,x 2, x 3,x 4 ) = winner f Alice Bob Duke Cate x1x1 x2x2 x3x3 x4x4 Sealed-Bid Auctions

7
f(x 1,x 2, x 3,x 4 ) = winner f Alice Bob Duke Cate x1x1 x2x2 x3x3 x4x4 General Secure Multiparty Computation (GSMC )

8
The Literature on Sealed-Bid Auctions u Most sealed-bid systems get away from inefficiencies of GSMC –Weakened trust models –Specifying function f as maximum u Some tailor GSMC to auctions –JJ00 –NPS99 (Naor, Pinkas, and Sumner)

9
Winner: Cate! AliceBobDukeCate NPS at a glance f

10
Features of NPS u Use of exactly two servers gives many benefits (Yao construction) u One round of interaction for bidders -- and no latency u Any function f with efficient boolean circuit yield practical computation –Vickrey auctions –Private surveys u Few rounds of communication But there s a flaw...

11
Trust model AliceBobDukeCate Auction guaranteed correct (or fails) Bids remain private

12
Oblivious Transfer bit b t 0, t 1 tbtb What was t 1-b ? What was b ? b

13
Proxy Oblivious Transfer (POT ) tbtb What was b ? Chooser bit b What were b and t 1-b ? t 0, t 1 tbtb

14
POT in Auction Bit b of bid f What was b ? What was b ? tbtb tbtb Chooser

15
The Problem With POT Bit 0 in bid f t0t0 t0t0 Chooser Observed in JJ00

16
The Problem With POT Bit 0 in bid f t1t1 t1t1 Alices bid has been changed! Chooser

17
We need Verifiable POT Bit b Chooser tbtb C * = (C(t 0 ),C(t 1 )) t b,C *, What was b ? What was b ?

18
Our Contributions u We introduce very efficient VPOT primitive -- fixing security flaw in NPS u With our VPOT, roughly ten times faster for bidder than NPS! –NPS: Tens of exponentiations –Ours: Tens of modular multiplications (great for cell phones) –Ours: Twice as slow for servers

19
Idea 1: Efficiency (RSA-based OT) bit b (t 0, t 1 ) (Y 0, Y 1 ) (X 0, X 1 ) R Z N X b = R 3 mod N X 1 = CX 0 RSA modulus N Random C in Z N Y 0 = t 0 / (X 0 ) 1/3 Y 1 = t 1 / (X 1 ) 1/3 t b = Y b R

20
bit b (t 0, t 1 ) (Y 0, Y 1 ) (X 0, X 1 ) RSA modulus N Random C in Z N For technical reason, real protocol slightly different Previous schemes typically based on, e.g., El Gamal El-Gamal-based --> Several modular exponentiations RSA-based --> Several modular multiplications Idea 1: Efficiency (RSA-based OT)

21
Idea 2: Verifiability t0t0 t1t1 Bit w = 0 if t 0 on left w = 1 if t 0 on right

22
Idea 2: Verifiability u Prove ordering of vaults = Prove fact about single bit w u Key tool: Goldwasser-Micali 84

23
Conclusion u NPS clever, practical approach to sealed- bid auctions u With VPOT, we can bring NPS ideas to fruition u High efficiency for weak bidding devices, e.g., cell phones

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google