1 / 23

A Two-Server Auction Scheme

A Two-Server Auction Scheme. Ari Juels and Mike Szydlo Financial Cryptography ‘02 12 March 2002. Auctions increasingly popular. 2.6 million new auctions per day on eBay in 2000 About three auctions per year for every inhabitant of U.S. Attempted auctions (and hoaxes) in ‘99:

aqua
Download Presentation

A Two-Server Auction Scheme

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Two-Server Auction Scheme Ari Juels and Mike Szydlo Financial Cryptography ‘02 12 March 2002

  2. Auctions increasingly popular • 2.6 million new auctions per day on eBay in 2000 • About three auctions per year for every inhabitant of U.S. • Attempted auctions (and hoaxes) in ‘99: • A healthy kidney (high bid: $5.7 million) • A military rocket launcher • 200 pounds of cocaine • A team of software engineers • A baby (high bid: $109,100) • A teenage boy selling his virginity (high bid: $10 million)

  3. Diebenkorn Shilling Case Draws FBI Probe The fallout from Kenneth A. Walton's failed eBay auction of a "great big wild abstract painting" continues today… Former Sotheby's chairman guiltyBBC News, 6 December 2001 The former chairman of auction house Sotheby's has been found guilty in New York of conspiring to fix art prices after two days of jury deliberations. popular with all sorts...

  4. I bid $500 I bid $500 Pseudonymous (eBay) Sealed-bid eBay vs. Sealed-bid • One-round • Transparent participation • Psychologically neutral • Time-bounded • Masks identities • Facilitates, e.g., shilling • Fungible goods • “Serious” auctions • Great sporting event

  5. Special Edition Alice Furby Cate Bob Duke Sealed-Bid Auctions

  6. Special Edition f(x1,x2,x3,x4) = winner Furby Special Edition x1 x3 Alice Furby x2 x4 Cate Bob Duke Sealed-Bid Auctions f

  7. General Secure Multiparty Computation (GSMC ) f(x1,x2,x3,x4) = winner Special Edition x1 x3 Alice Furby x2 x4 Cate Bob Duke f

  8. The Literature on Sealed-Bid Auctions • Most sealed-bid systems get away from inefficiencies of GSMC • Weakened trust models • Specifying function f as “maximum” • Some tailor GSMC to auctions • JJ00 • NPS99 (Naor, Pinkas, and Sumner)

  9. Winner: Cate! Special Edition Furby Alice Bob Duke Cate NPS at a glance f

  10. Features of NPS • Use of exactly two servers gives many benefits (Yao construction) • One round of interaction for bidders -- and no latency • Any function f with efficient boolean circuit yield practical computation • Vickrey auctions • Private surveys • Few rounds of communication • But there’s a flaw...

  11. Alice Bob Duke Cate Trust model Auction guaranteed correct (or fails) Bids remain private

  12. tb b Oblivious Transfer t0, t1 bit b What was t1-b ? What was b ?

  13. tb Proxy Oblivious Transfer (POT ) t0, t1 tb What was b ? What were b and t1-b ? bit b Chooser

  14. tb tb What was b ? What was b ? POT in Auction f Bit b of bid Chooser

  15. t0 t0 The Problem With POT f Observed in JJ00 Bit ‘0’ in bid Chooser

  16. t1 t1 The Problem With POT f Alice’s bid has been changed! Bit ‘0’ in bid Chooser

  17. C* = (C(t0),C(t1)) tb ,C*, What was b ? tb What was b ? We need VerifiablePOT Bit b Chooser

  18. Our Contributions • We introduce very efficient VPOT primitive -- fixing security flaw in NPS • With our VPOT, roughly ten times faster for bidder than NPS! • NPS: Tens of exponentiations • Ours: Tens of modular multiplications (great for cell phones) • Ours: Twice as slow for servers

  19. (X0, X1) (Y0, Y1) Idea 1: Efficiency (RSA-based OT) RSA modulus N Random C in ZN (t0, t1) bit b R ZN Xb = R3mod N X1= CX0 Y0 = t0 / (X0)1/3 Y1 = t1 / (X1)1/3 tb = YbR

  20. (X0, X1) (Y0, Y1) Idea 1: Efficiency (RSA-based OT) RSA modulus N Random C in ZN (t0, t1) bit b • For technical reason, real protocol slightly different • Previous schemes typically based on, e.g., El Gamal • El-Gamal-based --> Several modular exponentiations • RSA-based --> Several modular multiplications

  21. t0 t1 Idea 2: Verifiability Bit w = 0 if t0 on left w = 1 if t0 on right

  22. Idea 2: Verifiability • Prove ordering of vaults = Prove fact about single bit w • Key tool: Goldwasser-Micali ‘84

  23. Conclusion • NPS clever, practical approach to sealed-bid auctions • With VPOT, we can bring NPS ideas to fruition • High efficiency for weak bidding devices, e.g., cell phones

More Related