Published by Nicole Darley. Modified over 2 years ago.

1
Survey on e-Auction
Presenter: Nguyen Hoang Anh
NordSecMob

2
Outline
- Introduction to e-Auction
  - What is an auction?
  - Desired properties for an e-Auction scheme
  - Basic e-Auction protocol
- e-Auction scheme
  - English auction
  - First-price sealed bid auction
  - Second-price sealed bid auction (Vickrey auction)
- Conclusion

3
Introduction to e-Auction
- An auction is a method of trading goods that do not have a fixed price
- An auction is based on competition and reflects the essence of the market
- Sellers wish to sell their goods for as high a price as possible; buyers want to pay as little as necessary
- Roles: Bidder (buyer), Seller, Auctioneer (trusted third party)

4
Introduction to e-Auction
Types of auctions:
- English auction
- Dutch auction
- Sealed-bid auction: First-price, Second-price, (M+1)st-price

5
Desired properties
- Non-repudiation
- No framing
- Traceability
- Public verifiability
- Unlinkability
- Robustness
- Efficiency of bidding

6
Desired properties
- Fairness: all bids should be dealt with in a fair way, e.g., no information about bidding will be disclosed to give any bidder an unfair advantage
- Bidder privacy: no bidder's identity or trading history will be revealed, even after the auction session. The secrecy of losing bids should be kept.
- Correctness of system: the winning bid is the highest among the bids that were placed. The winner is the person who made that bid.

7
Basic auction protocol
- Initialization: the Auctioneer sets the system parameters and publishes them
- Bidder registration: a bidder sends the Auctioneer her/his public key to register
- Auction preparation: the Auctioneer computes the preparation data for each auction. A bidder may download her/his information for bidding
- Bidding: a bidder computes her/his bid information and places her/his bid
- Opening a winning bid: the Auctioneer computes only a winning bid while keeping the other bids secret (not needed in a public auction)
- Winner decision: the Auctioneer identifies only a winner while keeping the losers' anonymity

8
English auction scheme
- Proof of knowledge: PK(y = P( )) is the proof of knowledge between two parties: given the publicly known value y, the Prover knows the value of such that the predicate P( ) is true.
- Signature based on a Proof of Knowledge (SPK): SPK[( ): y = g ](m)

9
English auction scheme
- Bulletin Board System (BBS)
  - A bulletin board is a place where people can leave public messages, e.g., to advertise things, announce events, or provide information
  - Can be read by anybody, but can be written only by an authority => helps reduce communication complexity
- 2 separate roles
  - AM: Auction Manager
    - Prepare for auctions
    - Carry out several auctions
    - Manage the current bid value
  - RM: Registration Manager
    - Manage the participants of auctions
    - Prepare for auctions
    - Identify a certain bidder at the request of AM

10
English auction scheme (protocol diagram)
Alice: (y_1, x_1, m_1), y_1 = g^{x_1}
1. Registration: (y_1, V_11), V_11 = SPK[( ): y_1 = g ](m_R)
   Public keys: Alice: y_1, Bob: y_2, Carol: y_3, ...
   g^r, y_3^r, y_1^r, y_2^r, ...
2. Preparation: g^{rs}; T_2 = y_2^{rs}, T_3 = y_3^{rs}, T_1 = y_1^{rs}, ...
3. g^{rs}
4. T_1 = (g^{rs})^{x_1}
5. Bidding: (3, m_1, V_21), V_21 = SPK[( ): T_1 = (g^{rs}) ](m_R); current bid value
6. Winner decision: V_31, V_31 = SPK[( ): T_1 = (y_1^r) ](m_R)
Source: Kazumasa OMOTE. A study on Electronic Auctions, 2002

11
English auction scheme
Properties
- Linkability in an auction (same T_i in one auction)
- Unlinkability among different auctions (different T_i-s for different auctions)
- No single authority can break anonymity and secrecy of bids
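The registration, preparation, bidding and winner-decision steps from the diagram, as an added example that is not from the slides or the cited thesis. It reads each SPK as a Schnorr-style proof of knowledge of the exponent, uses a constructed toy group, and lets one function draw both secrets r and s; these, the message strings and all function names are assumptions.

```python
import hashlib, secrets

P, Q, G = 10007, 5003, 4   # constructed toy group: G has prime order Q mod P

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def challenge(base, y, t, msg):
    data = f"{base}|{y}|{t}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def spk_sign(base, x, msg):
    """SPK[(alpha): y = base^alpha](msg), Schnorr style; returns (c, s)."""
    k = rand_exp()
    c = challenge(base, pow(base, x, P), pow(base, k, P), msg)
    return c, (k - c * x) % Q

def spk_verify(base, y, msg, sig):
    c, s = sig
    t = pow(base, s, P) * pow(y, c, P) % P   # equals base^k for a valid proof
    return c == challenge(base, y, t, msg)

def prepare_auction(public_keys):
    """Return (g^rs, {T_i}, r, s) for one auction; r and s are fresh each time."""
    r, s = rand_exp(), rand_exp()
    g_rs = pow(G, r * s % Q, P)
    return g_rs, {pow(y, r * s % Q, P) for y in public_keys}, r, s

def demo():
    x1 = rand_exp(); y1 = pow(G, x1, P)                  # Alice's key pair
    keys = [y1, pow(G, rand_exp(), P), pow(G, rand_exp(), P)]
    reg_ok = spk_verify(G, y1, b"m_R", spk_sign(G, x1, b"m_R"))   # V_11
    g_rs, tags, r, s = prepare_auction(keys)
    t1 = pow(g_rs, x1, P)                                # Alice finds her own T_1
    v21 = spk_sign(g_rs, x1, b"bid=3")                   # V_21 under pseudonym T_1
    bid_ok = t1 in tags and spk_verify(g_rs, t1, b"bid=3", v21)
    y1_r = pow(y1, r, P)
    v31 = spk_sign(y1_r, s, b"winner")                   # V_31 links T_1 to y_1^r
    link_ok = spk_verify(y1_r, t1, b"winner", v31)
    g_rs2, tags2, _, _ = prepare_auction(keys)           # a second auction
    return reg_ok, bid_ok, link_ok, pow(g_rs2, x1, P) in tags2
```

Because r and s are redrawn per auction, Alice's T_1 changes between auctions while every bid inside one auction carries the same T_1, which is the linkability property listed above.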

12
First-price sealed-bid auction
Desired properties
- Secrecy of bidding price => open bids from the highest possible price to the winning price; all the lower prices are kept secret
- Verifiability => use public key encryption systems or hash chain technique
- Undeniability => the bidder needs to sign for his bid
- Anonymity => bidders register to a registration center and get their keys for the signature scheme

13
First-price sealed-bid auction
Undeniable signature scheme
- Signing algorithm
- Verification protocol: a signature can only be verified with the help of the signer => avoid replay attack
- Disavowal protocol: allows the signer to prove whether a given signature is a forgery => the signer cannot deny his valid signature

14
First-price sealed-bid auction (protocol diagram)
- Participants: Bidder 1: b1, Bidder 2: b2, Bidder 3: b3, Auctioneer
- Price list: {1, 2, …, n}
- Undeniable signature of bidding price: Sig_1(b1), Sig_2(b2), Sig_3(b3)
- Opening: j = n, j = n - 1, ..., j
- Disavowal: "My sig was not a valid signature of j" / "My sig was the valid signature of j"
- Result: winning bid j, winning bidder Bidder 2
Source: Sakurai and Miyazaki. A bulletin-board based digital auction scheme with bidding down strategy. In Proc. International Workshop on Cryptographic Techniques and E-Commerce, 1999

15
First-price sealed-bid auction
Sakurai and Miyazaki. A bulletin-board based digital auction scheme with bidding down strategy. In Proc. International Workshop on Cryptographic Techniques and E-Commerce, 1999

16
First-price sealed-bid auction
Drawbacks of the protocol
- All bidders have to communicate with the auctioneer in the opening phase => Protocol 2

17
First-price sealed-bid auction (protocol diagram)
- Participants: Bidder 1: b1, Bidder 2: b2, Bidder 3: b3, Auctioneer
- Price list: {1, 2, …, n} with {(K_1; M_1), (K_2; M_2), …, (K_n; M_n)}
- Bids: E_{K_b1}(M_b1), E_{K_b2}(M_b2), E_{K_b3}(M_b3)
- Opening: j = n. Check the equality E_{K_j}(C_bi) = M_j ?
  - If such C_bi exists: winning bid is j, winning bidder is i
  - If there is no such C_bi: j = j - 1, repeat the above step
Source: Sako. Universally verifiable auction protocol which hides losing bids. In Proc. of SCIS'99, pages 35-39

18
First-price sealed-bid auction
Sako. Universally verifiable auction protocol which hides losing bids. In Proc. of SCIS'99, pages 35-39

19
First-price sealed-bid auction
- Advantage: bidders need not communicate with the auctioneer in the opening phase
- Disadvantage: a malicious auctioneer can reveal all bidding prices => use plural auctioneers and a distributed decryption technique

20
First-price sealed-bid auction
Problems with sealed-bid auction methods using public key cryptosystems
- Computationally expensive
- Require a lot of communication
- Limit the number of bidders and the range of bidding prices

21
First-price sealed-bid auction (protocol diagram)
- Bidder 1: P1, secret seeds (S_11, S_21, ..., S_a1)
- Bidder 2: P2, secret seeds (S_12, S_22, ..., S_a2)
- Bidder 3: P3, secret seeds (S_13, S_23, ..., S_a3)
- Auctioneer 1, ..., Auctioneer a
- Bid_i = {b_i, c_1i, c_2i, …, c_ai}
  - b_i = h(h^{P_i}(S_1i) | h^{P_i}(S_2i) | … | h^{P_i}(S_ai))
  - c_ji = h^{n+1}(S_ji)
- Bidders submit (Bid_1, Sig_1(Bid_1)), (Bid_2, Sig_2(Bid_2)), (Bid_3, Sig_3(Bid_3)); (Bid_i, Sig_i(Bid_i)) is published
- Seeds: Auctioneer 1 receives S_11, S_12, S_13; Auctioneer a receives S_a1, S_a2, S_a3
- Opening: k = n; publish h^k(S_ji); check the hash chain for all bidders; check b_i = h(h^k(S_1i) | h^k(S_2i) | … | h^k(S_ai)) ?; k = k - 1
Source: K. Suzuki, K. Kobayashi, and H. Morita. Efficient sealed-bid auction using hash chain. Proceedings of the Third International Conference on Information Security and Cryptology, Vol. 2015 of Lecture Notes in Computer Science, pages 183-191, 2000. Springer-Verlag. ISBN 3-540-41782-6

22
First-price sealed-bid auction
- Secrecy of bidding price: bids are opened from the highest price to the winning price. The hash chain is distributed to plural auctioneers => losing bid prices are kept secret (except in the case that all auctioneers collude)
- Verifiability: anyone can verify the correctness of the hash chains which are already published
- Undeniability: the signer has to sign for his bid
- Anonymity: each bidder can use his public key of signature to bid anonymously
- Efficiency
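The hash-chain bidding and opening from the two slides above, as an added simulation that is not from the slides or the cited paper. It follows the slide formulas for b_i and c_ji; SHA-256 as h, the constructed seed values, and one function standing in for all auctioneers are assumptions.

```python
import hashlib

def h(data, times=1):
    """Iterate SHA-256 `times` times: h^times(data)."""
    for _ in range(times):
        data = hashlib.sha256(data).digest()
    return data

def make_bid(price, seeds, n):
    """Bid_i = {b_i, c_1i..c_ai}: b_i commits to the price, c_ji anchors chain j."""
    b = h(b"|".join(h(s, price) for s in seeds))
    return {"b": b, "c": [h(s, n + 1) for s in seeds]}

def open_bids(bids, seeds, n):
    """Open from k = n downward; return (winning price, winners, published)."""
    published = {}  # (bidder, k) -> [h^k(S_1i), ..., h^k(S_ai)]
    for k in range(n, 0, -1):
        winners = []
        for name, bid in bids.items():
            # each auctioneer j publishes h^k(S_ji) from the seed it holds
            links = [h(s, k) for s in seeds[name]]
            published[(name, k)] = links
            # public check: each link must hash to the value published before it
            prev = published.get((name, k + 1), bid["c"])
            if any(h(link) != p for link, p in zip(links, prev)):
                raise ValueError(f"broken hash chain for {name} at k={k}")
            if h(b"|".join(links)) == bid["b"]:
                winners.append(name)
        if winners:
            return k, winners, published   # stop: lower prices stay unopened
    return None, [], published

# Constructed sample data; real seeds must be random secrets.
N = 10
PRICES = {"bidder1": 4, "bidder2": 7, "bidder3": 5}
SEEDS = {name: [f"{name}-seed-{j}".encode() for j in (1, 2)] for name in PRICES}
BIDS = {name: make_bid(PRICES[name], SEEDS[name], N) for name in PRICES}
```

Opening stops at the first price with a match, so no chain value below h^7 is ever published for the losing bidders; recovering their prices would need all a seeds of a bidder, which is the collusion case named on the slide.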

23
Vickrey auction
- Vickrey auction scheme: the bidder who offers the highest bid price gets the good at the second-highest price
- Attractive theoretical properties: the dominant strategy for each bidder is to place a bid honestly according to her/his own true value
- Rarely used in practice
  - Auctioneer may change the outcome of auctions
  - Auctioneer may reveal bidders' private information

24
Vickrey auction scheme
- Homomorphic encryption scheme: E_K(m_1; r_1) · E_K(m_2; r_2) = E_K(m_1 + m_2; r_1 + r_2)
- Range proof: integer commitment scheme, plus range checking: PK(c = E_K( , ) [L,H])

25
Vickrey auction scheme
Notations
- S: seller
- A: auction authority
- B: maximum number of bidders
- V: maximum number of different bids
- (X_1, …, X_B): vector of bids in nonincreasing order
- In a public-key cryptosystem (G, E, D), c = E_K(m; r) denotes the encryption of m by using a random coin r under the key K
- H: hash function

26
Vickrey auction (protocol diagram)
- Participants: Bidder 1: b1, Bidder 2: b2, Bidder 3: b3; Auctioneer (secret key: sk); Seller
- Auctioneer's public key: pk
- Bids: Sig_1(E_pk(B^{b1})), Sig_2(E_pk(B^{b2})), Sig_3(E_pk(B^{b3}))
- E = ∏_i E_pk(B^{bi})
- Decrypt E, learn the bid statistic
- X_2 is sent out
- Winner: "My bid was higher than X_2"
Source: Helger Lipmaa, N. Asokan, Valtteri Niemi. Secure Vickrey Auctions without threshold trust. Technical Report 2001/095, International Association for Cryptologic Research, November 2001
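The homomorphic tally in the diagram above, as an added example that is not from the slides or the cited report. Lifted ElGamal is used because it satisfies the stated identity E(m_1; r_1) · E(m_2; r_2) = E(m_1 + m_2; r_1 + r_2); the cryptosystem choice, the constructed toy group, a base B set above the number of bidders, and the omission of signatures and range proofs are assumptions.

```python
import secrets

# Constructed toy parameters (far too small for real use): safe prime P = 2Q + 1
P, Q, G = 10007, 5003, 4      # G = 2^2 generates the subgroup of prime order Q
B = 4                         # encoding base: must exceed the number of bidders

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, m, r=None):
    """Lifted ElGamal E(m; r) = (g^r, g^m * pk^r); r is the random coin."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P

def multiply(c1, c2):
    """E(m1; r1) * E(m2; r2) = E(m1 + m2; r1 + r2), component-wise product."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def decrypt(sk, c, max_m):
    """Recover g^m, then search the small message range for m."""
    gm = c[1] * pow(c[0], Q - sk, P) % P   # c[0]^(-sk), since c[0] has order Q
    acc = 1
    for m in range(max_m + 1):
        if acc == gm:
            return m
        acc = acc * G % P
    raise ValueError("plaintext outside expected range")

def bid_statistic(total, prices):
    """Base-B digits of sum(B^b_i): digit j = number of bids at price j."""
    return [(total // B**j) % B for j in range(prices)]

def second_highest(counts):
    """X_2: second entry of the bid vector sorted in nonincreasing order."""
    ordered = [j for j in range(len(counts) - 1, -1, -1) for _ in range(counts[j])]
    return ordered[1]

def run_auction(bids, prices=6):
    sk, pk = keygen()
    product = encrypt(pk, 0, 0)                 # E(0; 0) = (1, 1), neutral element
    for b in bids:
        product = multiply(product, encrypt(pk, B**b))
    counts = bid_statistic(decrypt(sk, product, B**prices), prices)
    return counts, second_highest(counts)
```

The key holder sees only the per-price counts, never which bidder placed which bid, but it does learn the full distribution of bids, which is the bid statistic named in the diagram.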

27
Practical e-Auction systems
- eBay and Amazon Auction use the Vickrey model with a proxy bidder facility
- The bidder tells the proxy a maximum price that s/he is willing to pay
- The proxy keeps this information secret and bids on the bidder's behalf in the ascending auction
- The highest bidder wins and pays an amount equal to the second-highest bid (plus one increment)
- eBay: fixed ending time. Amazon: auctions end when there have been no new bids for ten minutes.

28
Conclusion
- Three kinds of auction schemes are surveyed
  - English auction scheme
  - First-price sealed-bid auction scheme
  - Second-price sealed-bid auction scheme
- Desired properties
  - Bidder privacy
  - Correctness of system
  - Efficiency
