Presentation on theme: "A Two-Server Auction Scheme Ari Juels and Mike Szydlo Financial Cryptography 02 12 March 2002."— Presentation transcript:
A Two-Server Auction Scheme Ari Juels and Mike Szydlo Financial Cryptography 02 12 March 2002
Auctions increasingly popular u 2.6 million new auctions per day on eBay in 2000 –About three auctions per year for every inhabitant of U.S. u Attempted auctions (and hoaxes) in 99: –A healthy kidney ( high bid: $5.7 million ) –A military rocket launcher –200 pounds of cocaine –A team of software engineers –A baby ( high bid: $109,100 ) –A teenage boy selling his virginity ( high bid: $10 million )
popular with all sorts... Former Sotheby's chairman guilty BBC News, 6 December 2001 The former chairman of auction house Sotheby's has been found guilty in New York of conspiring to fix art prices after two days of jury deliberations. Diebenkorn Shilling Case Draws FBI Probe The fallout from Kenneth A. Walton's failed eBay auction of a "great big wild abstract painting" continues today…
eBay vs. Sealed-bid I bid $500 Pseudonymous (eBay) I bid $500 Sealed-bid Great sporting event One-round Transparent participation Psychologically neutral Time-bounded Masks identities Facilitates, e.g., shilling Fungible goods Serious auctions
f(x 1,x 2, x 3,x 4 ) = winner f Alice Bob Duke Cate x1x1 x2x2 x3x3 x4x4 Sealed-Bid Auctions
f(x 1,x 2, x 3,x 4 ) = winner f Alice Bob Duke Cate x1x1 x2x2 x3x3 x4x4 General Secure Multiparty Computation (GSMC )
The Literature on Sealed-Bid Auctions u Most sealed-bid systems get away from inefficiencies of GSMC –Weakened trust models –Specifying function f as maximum u Some tailor GSMC to auctions –JJ00 –NPS99 (Naor, Pinkas, and Sumner)
Winner: Cate! AliceBobDukeCate NPS at a glance f
Features of NPS u Use of exactly two servers gives many benefits (Yao construction) u One round of interaction for bidders -- and no latency u Any function f with efficient boolean circuit yield practical computation –Vickrey auctions –Private surveys u Few rounds of communication But there s a flaw...
Oblivious Transfer bit b t 0, t 1 tbtb What was t 1-b ? What was b ? b
Proxy Oblivious Transfer (POT ) tbtb What was b ? Chooser bit b What were b and t 1-b ? t 0, t 1 tbtb
POT in Auction Bit b of bid f What was b ? What was b ? tbtb tbtb Chooser
The Problem With POT Bit 0 in bid f t0t0 t0t0 Chooser Observed in JJ00
The Problem With POT Bit 0 in bid f t1t1 t1t1 Alices bid has been changed! Chooser
We need Verifiable POT Bit b Chooser tbtb C * = (C(t 0 ),C(t 1 )) t b,C *, What was b ? What was b ?
Our Contributions u We introduce very efficient VPOT primitive -- fixing security flaw in NPS u With our VPOT, roughly ten times faster for bidder than NPS! –NPS: Tens of exponentiations –Ours: Tens of modular multiplications (great for cell phones) –Ours: Twice as slow for servers
Idea 1: Efficiency (RSA-based OT) bit b (t 0, t 1 ) (Y 0, Y 1 ) (X 0, X 1 ) R Z N X b = R 3 mod N X 1 = CX 0 RSA modulus N Random C in Z N Y 0 = t 0 / (X 0 ) 1/3 Y 1 = t 1 / (X 1 ) 1/3 t b = Y b R
bit b (t 0, t 1 ) (Y 0, Y 1 ) (X 0, X 1 ) RSA modulus N Random C in Z N For technical reason, real protocol slightly different Previous schemes typically based on, e.g., El Gamal El-Gamal-based --> Several modular exponentiations RSA-based --> Several modular multiplications Idea 1: Efficiency (RSA-based OT)
Idea 2: Verifiability t0t0 t1t1 Bit w = 0 if t 0 on left w = 1 if t 0 on right
Idea 2: Verifiability u Prove ordering of vaults = Prove fact about single bit w u Key tool: Goldwasser-Micali 84
Conclusion u NPS clever, practical approach to sealed- bid auctions u With VPOT, we can bring NPS ideas to fruition u High efficiency for weak bidding devices, e.g., cell phones
Your consent to our cookies if you continue to use this website.