1 / 14

Unconditionally S ecure First-Price Auction Protocols Using a Multicomponent Commitment Scheme

Unconditionally S ecure First-Price Auction Protocols Using a Multicomponent Commitment Scheme. Contents. Introduction and Preliminaries Multicomponent Commitment Scheme Secure First-Price Auction Protocols Verifiable Protocol with Non-Repudiation (VNR)

elma
Download Presentation

Unconditionally S ecure First-Price Auction Protocols Using a Multicomponent Commitment Scheme

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Unconditionally Secure First-Price AuctionProtocols Using a Multicomponent Commitment Scheme

  2. Contents • Introduction and Preliminaries • Multicomponent Commitment Scheme • Secure First-Price Auction Protocols • Verifiable Protocol with Non-Repudiation (VNR) • Efficient Verifiable Protocol with Non-Repudiation (EVNR) • Cost Analysis and Discussions

  3. Security Model Definition • Passive versus Active Adversary Model • In the former, players follow protocols correctly but are curious to learn the secret. In the latter, players may also deviate from protocols. • Static versus Mobile Adversary Model • In the former, the adversary corrupts players ahead of time. In the latter, the adversary corrupts different players while the protocol is executing. • Computational versus Unconditional Security • In the former, security of protocols rely on computational assumptions. In the latter, the adversary has unlimited computation power. E.g., computational assumptions: discrete log or hardness of factoring.

  4. Head/Tail Introduction Alice Bob Head can not change it, just reveal it • Commitment Scheme:like coin-flipping problem • Commit: • Reveal: • Secure Auctions Protocols: to preserve the privacy of losing bids • First-price: the bidder who proposed the highest bid βwins & pays $β. • Second-price:the winner pays the amount of the second-highest bid. • (M+1)st-price:this is a general form of the second-price auction.

  5. Secure Auction Properties 3 2 1 2 1 • Dutch-Style: starts from the highest price and continues by a decreasing mechanism. This is secure without using any crypto techniques but we are looking for other properties. Example: b1 = 2 b2 = 1 b3 = 1 (2 bits for each bid: 4 options) • Let j = 22 – 1 = 3 possible prices (excluding zero) • Each Bi broadcasts 1 or 0 depending on whether he wants to pay price j or not • If all agent broadcast 0, set j = j – 1 and go to step-2 otherwise j is the selling price and the bidder who submitted 1 wins • Correctness: Determining the winner and selling price correctly. • Privacy: Preventing the propagation of private bids, i.e., losing bids. • Non-Repudiation: Preventing all bidders to deny their bids.

  6. Secure First-Price Auctions • Motivation: bidders decide on their bids ahead of time and independent of whatever info they may gain during the auction. Consequently, bidders cannot change their minds later and we can better deal with rush conditions. • Contribution: constructions of unconditionally secure first-price auction protocols with a decreasing price mechanism, i.e., Dutch-style auction, and a multicomponent commitment scheme with multiple committers & verifiers. • Previous Research: all these constructions are computationally secure • [SM99]: the authors here use undeniable signature schemes. • [Sak00]: this construction applies public-key encryption schemes. • [SKM00]: collision intractable random hash functions are used.

  7. Previous Research B1 proves Sig1(b1) is not a valid sig of n b1 Sig1(b1) Sig2(b2) Sig3(b3) Sig1(b1) price = n Auctioneer B2 price = n-1 proves Sig2(b2) is not a valid sig of n b2 proves Sig2(b2) is a valid sig of n-α … Sig2(b2) price = n-α B2 wins SP = n-α B3 Sig3(b3) b3 proves Sig3(b3) is not a valid sig of n • Undeniable Signature Scheme: Bi communicate with A at each round * Sakurai and Miyazaki, A Bulletin-Board Based Digital Auction Scheme with Bidding Down Strategy. International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC), pp. 180–187, 1999.

  8. Previous Research B1 n: Kn & Mn … 1: K1 & M1 b1 C1 = Ek_b1(Mb1) price = n Auctioneer B2 price = n-1 b2 C2 = Ek_b2(Mb2) … price = n-α Bi wins SP = n-α B3 C3 = Ek_b3(Mb3) b3 A stops when he finds a Dk_j(Ci) = Mj • Public-Key Encryption Scheme: dishonest A can reveal all bids bi * Sako, An Auction Protocol Which Hides Bids of Losers, the 3rd International Workshop on Practice and Theory in Public Key Cryptography (PKC), Springer LNCS, vol. 1751, pp. 422–432, 2000.

  9. Construction of MCS … g1 … g2 n-1 points … … gn • Multicomponent Commitment Scheme: we assume that majority of players are honest. Our proposed scheme consists of a trusted initializerT and n players P1… Pn (T leaves the scheme after the initialization). • Initialize:T selects n polynomials of degree n-1 and sends gi to Pi and also n-1 distinct points on each gi to other players: • Commit:each player Picomputes yi = gi(xi) as a committed value and broadcasts yi to other players, where xi is the secret of Pi. That is, y1…yn are committed values and x1…xn are secrets of players accordingly. • Reveal: each Pidiscloses gi(x) and his secret xi to other parties through the public broadcast channel. Other players first investigate the validity of yi = gi(xi). They then check to see if all n-1 points are on gi(x), voting.

  10. Security Proof of MCS dishonest minority guessing one point of honest players honest majority Hiding: each receiver is computationally unbounded and cannot learn secrets before the reveal phase except with a negligible probability Binding:each sender is computationally unbounded and cannot cheat by revealing a fake secret except with a negligible probability Validating: with the honest majority assumption, players can validate all secrets correctly during the reveal phase in the presence of colluders.

  11. Construction of VNR x=1→[7,13) x=0→[0,7) • Verifiable Protocol with Non-Repudiation:βi∊[η,κ] and θ = κ-η+1 • Initialize: trusted initializer T randomly selects θpolys for each bidder, where B1…Bn. He sends n-1 distinct points on each poly to other parties. • Commit: suppose βi∊[0,7], θ = 8, βi = 7 - 5 = 2, and Z13. Bi first converts βi to a specific binary vector and then converts it to a non-binary vector as shown below. Finally, he commits to the resulting field elements. • Reveal: auction starts with κand continues by a decreasing price mechanism. The winner proves his claim by revealing commitments. Losers also prove that their bids have been less than the winning price. E.g., if βwin= 4, Bi reveals (7- 4 +1)= 4 values in [7,13), i.e., βi has been at most 3

  12. Construction of EVNR x=1→[7,13) x=0→[0,7) • Efficient Verifiable Protocol with Non-Repudiation:λ ≈ log2θ • Initialize:T randomly selects λpolynomials for each bidder. He then sends n-1 distinct points on each polynomial to other parties. • Commit: suppose βi∊[0,7], λ = log28 = 3, βi = 7- (101)2 = 2, and Z13. Bi first converts κ-βi to a binary vector and then converts it to a non-binary vector as shown here. Finally, he commits to the resulting field elements. • Reveal: auction starts with κand continues by a decreasing price mechanism. The winner proves his claim by revealing commitments. Losers also prove that their bids have been less than the winning price. E.g., if βwin= 5, Bi reveals the 3rd value: 7-(1??)2 = 3, i.e., βi has been at most 3 if βwin= 3, Bi reveals 1st and 3rd values: 7-(1?1)2 = 2, i.e., βi has been at most 2

  13. Cost Analysis • Computation & Communication: interpolating a polynomial of degree at most n-1 at n points takes O(C(n) log n), that is, O(n log2 n) using FFT: • MCS:n polynomials(n-1) are evaluated at n points. • VNR:nθpolynomials(n-1) are evaluated at n points. • EVNR:nλ=n*log2θpolynomials(n-1) are evaluated at n points. we have full secrecy, i.e., (n-1) players cannot learn the committed value, and the honest majority assumption is for the correctness.

  14. Thank You Very Much Questions?

More Related