Transcript Slide 1

Unconditionally Secure First-Price Auction Protocols Using a Multicomponent Commitment Scheme
Mehrdad Nojoumian and Douglas R. Stinson
David R. Cheriton School of Computer Science
University of Waterloo, Canada
12th International Conference on Information and Communications Security (ICICS)
December 15-17, 2010
Contents
• Introduction and Preliminaries
• Multicomponent Commitment Scheme
• Secure First-Price Auction Protocols
  - Verifiable Protocol with Non-Repudiation (VNR)
  - Efficient Verifiable Protocol with Non-Repudiation (EVNR)
• Cost Analysis and Discussions
Security Model Definition
• Passive versus Active Adversary Model
  - In the former, players follow protocols correctly but are curious to learn the secret. In the latter, players may also deviate from protocols.
• Static versus Mobile Adversary Model
  - In the former, the adversary corrupts players ahead of time. In the latter, the adversary corrupts different players while the protocol is executing.
• Computational versus Unconditional Security
  - In the former, the security of protocols relies on computational assumptions. In the latter, the adversary has unlimited computational power.
    E.g., computational assumptions: discrete log or hardness of factoring.
Introduction
• Commitment Scheme: like the coin-flipping problem
  [Figure: Alice and Bob, Head/Tail. 1. Commit. 2. Reveal: Head; cannot change it, just reveal it.]
• Secure Auction Protocols: to preserve the privacy of losing bids
  - First-price: the bidder who proposed the highest bid β wins & pays $β.
  - Second-price: the winner pays the amount of the second-highest bid.
  - (M+1)st-price: this is a general form of the second-price auction.
Secure Auction Properties
• Dutch-Style: starts from the highest price and continues by a decreasing mechanism. This is secure without using any crypto techniques, but we are looking for other properties.
  Example: b1 = 2, b2 = 1, b3 = 1 (2 bits for each bid: 4 options)
  1. Let j = 2^2 - 1 = 3 possible prices (excluding zero): 3, 2, 1
  2. Each Bi broadcasts 1 or 0 depending on whether he wants to pay price j or not
  3. If all agents broadcast 0, set j = j - 1 and go to step 2; otherwise j is the selling price and the bidder who submitted 1 wins
• Correctness: determining the winner and the selling price correctly.
• Privacy: preventing the propagation of private bids, i.e., losing bids.
• Non-Repudiation: preventing all bidders from denying their bids.
Secure First-Price Auctions
• Motivation: bidders decide on their bids ahead of time and independently of whatever info they may gain during the auction. Consequently, bidders cannot change their minds later and we can better deal with rush conditions.
• Contribution: constructions of unconditionally secure first-price auction protocols with a decreasing price mechanism, i.e., Dutch-style auction, and a multicomponent commitment scheme with multiple committers & verifiers.
• Previous Research: all these constructions are computationally secure
  - [SM99]: the authors here use undeniable signature schemes.
  - [Sak00]: this construction applies public-key encryption schemes.
  - [SKM00]: collision intractable random hash functions are used.
Previous Research
• Undeniable Signature Scheme: each Bi communicates with A at each round
  [Figure: bidders B1, B2, B3 with bids b1, b2, b3 post Sig1(b1), Sig2(b2), Sig3(b3) to the Auctioneer. The price decreases from n through n-1 to n-α. At price n, each Bi proves Sigi(bi) is not a valid sig of n. At price n-α, B2 proves Sig2(b2) is a valid sig of n-α. B2 wins; SP = n-α.]
* Sakurai and Miyazaki, A Bulletin-Board Based Digital Auction Scheme with Bidding Down Strategy. International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC), pp. 180–187, 1999.
Previous Research
• Public-Key Encryption Scheme: a dishonest A can reveal all bids bi
  [Figure: a key and message pair is listed for every price, from n: Kn & Mn down to 1: K1 & M1. Bidders B1, B2, B3 with bids b1, b2, b3 submit C1 = Ek_b1(Mb1), C2 = Ek_b2(Mb2), C3 = Ek_b3(Mb3) to the Auctioneer. The price decreases from n through n-1 to n-α. A stops when he finds a Dk_j(Ci) = Mj. Bi wins; SP = n-α.]
* Sako, An Auction Protocol Which Hides Bids of Losers, the 3rd International Workshop on Practice and Theory in Public Key Cryptography (PKC), Springer LNCS, vol. 1751, pp. 422–432, 2000.
Construction of MCS
• Multicomponent Commitment Scheme: we assume that the majority of players are honest. Our proposed scheme consists of a trusted initializer T and n players P1...Pn (T leaves the scheme after the initialization).
  1. Initialize: T selects n polynomials of degree n-1 and sends gi to Pi and also n-1 distinct points on each gi to the other players.
     [Figure: polynomials g1, g2, ..., gn, each with n-1 points]
  2. Commit: each player Pi computes yi = gi(xi) as a committed value and broadcasts yi to the other players, where xi is the secret of Pi. That is, y1...yn are the committed values and x1...xn are the secrets of the players accordingly.
  3. Reveal: each Pi discloses gi(x) and his secret xi to the other parties through the public broadcast channel. The other players first check the validity of yi = gi(xi). They then check whether all n-1 points are on gi(x) (voting).
Security Proof of MCS
1. Hiding: each receiver is computationally unbounded and cannot learn secrets before the reveal phase, except with negligible probability.
2. Binding: each sender is computationally unbounded and cannot cheat by revealing a fake secret, except with negligible probability.
   [Figure labels: dishonest minority; guessing one point of honest players; honest majority]
3. Validating: with the honest majority assumption, players can validate all secrets correctly during the reveal phase in the presence of colluders.
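The initialize, commit and reveal phases of MCS and the binding and validating properties above, as an added Python sketch that is not from the original slides. The field modulus, the strict-majority acceptance rule, the vote-inverting `liars` and the constant-shift forgery are assumptions chosen for illustration.

```python
import secrets

P = 2**61 - 1  # prime field modulus (assumed; the slides fix none for MCS)

def poly_eval(coeffs, x, p=P):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x over Z_p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def initialize(n, p=P):
    """Trusted initializer T: draw g_1..g_n of degree <= n-1 and hand every
    other player one private point on each g_i (n-1 distinct points per g_i)."""
    polys = [[secrets.randbelow(p) for _ in range(n)] for _ in range(n)]
    points = [{} for _ in range(n)]          # points[j][i] = P_j's point on g_i
    for i, g in enumerate(polys):
        xs = set()
        while len(xs) < n - 1:               # n-1 distinct x-coordinates
            xs.add(secrets.randbelow(p))
        for j, a in zip([j for j in range(n) if j != i], xs):
            points[j][i] = (a, poly_eval(g, a, p))
    return polys, points

def commit(g, x, p=P):
    """Commit phase: P_i broadcasts y_i = g_i(x_i)."""
    return poly_eval(g, x, p)

def verify_reveal(i, y, g, x, points, liars=(), p=P):
    """Reveal phase: every other P_j checks y = g(x) and that its own point
    lies on g, then votes; players in `liars` invert their vote. Accept iff
    a strict majority of the n-1 verifiers vote yes (assumed voting rule)."""
    n = len(points)
    votes = 0
    for j in range(n):
        if j == i:
            continue
        a, b = points[j][i]
        ok = len(g) <= n and poly_eval(g, x, p) == y and poly_eval(g, a, p) == b
        votes += ok != (j in liars)
    return 2 * votes > n - 1

def forge_reveal(g, y, x_fake, p=P):
    """Cheating committer: shift g by a constant so that g'(x_fake) = y."""
    shift = (y - poly_eval(g, x_fake, p)) % p
    return [(g[0] + shift) % p] + list(g[1:])
```

The forged polynomial still satisfies y = g'(x_fake), but it misses the check points the committer never saw, so the honest verifiers vote it down.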
Construction of VNR
• Verifiable Protocol with Non-Repudiation: βi ∊ [η,κ] and θ = κ-η+1
  1. Initialize: the trusted initializer T randomly selects θ polynomials for each of the bidders B1...Bn. He sends n-1 distinct points on each polynomial to the other parties.
  2. Commit: suppose βi ∊ [0,7], θ = 8, βi = 7 - 5 = 2, and Z_13. Bi first converts βi to a specific binary vector and then converts it to a non-binary vector as shown below. Finally, he commits to the resulting field elements.
     x=0→[0,7)
     x=1→[7,13)
  3. Reveal: the auction starts with κ and continues by a decreasing price mechanism. The winner proves his claim by revealing commitments. Losers also prove that their bids have been less than the winning price.
     E.g., if βwin = 4, Bi reveals (7-4+1) = 4 values in [7,13), i.e., βi has been at most 3
Construction of EVNR
• Efficient Verifiable Protocol with Non-Repudiation: λ ≈ log_2 θ
  1. Initialize: T randomly selects λ polynomials for each bidder. He then sends n-1 distinct points on each polynomial to the other parties.
  2. Commit: suppose βi ∊ [0,7], λ = log_2 8 = 3, βi = 7 - (101)_2 = 2, and Z_13. Bi first converts κ-βi to a binary vector and then converts it to a non-binary vector as shown here. Finally, he commits to the resulting field elements.
     x=0→[0,7)
     x=1→[7,13)
  3. Reveal: the auction starts with κ and continues by a decreasing price mechanism. The winner proves his claim by revealing commitments. Losers also prove that their bids have been less than the winning price.
     E.g., if βwin = 5, Bi reveals the 3rd value: 7 - (1??)_2 = 3, i.e., βi has been at most 3
     if βwin = 3, Bi reveals the 1st and 3rd values: 7 - (1?1)_2 = 2, i.e., βi has been at most 2
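The EVNR encoding and the loser's partial opening, as an added Python example that is not from the original slides; the commitment layer is left out so that only the encoding is shown. The bit order (1st value = least significant bit) and the rule for choosing which components to open are assumptions, picked so that both examples on the slide are reproduced.

```python
import secrets

Q = 13               # field Z_13 from the slide
SPLIT = 7            # [0,7) encodes bit 0, [7,13) encodes bit 1
KAPPA, LAM = 7, 3    # bids in [0,7], lambda = log_2 8 = 3 components

def encode_bid(beta):
    """Commit-side encoding: bits of kappa - beta (index 0 = 1st, least
    significant value), each mapped to a random element of its range."""
    d = KAPPA - beta
    bits = [(d >> k) & 1 for k in range(LAM)]
    return [SPLIT + secrets.randbelow(Q - SPLIT) if b else secrets.randbelow(SPLIT)
            for b in bits]

def decode_bit(v):
    """Map a field element back to the bit its range encodes."""
    return 1 if v >= SPLIT else 0

def loser_reveal(values, beta_win):
    """Choose the components a loser opens: 1-bits from the most significant
    down, until they alone prove kappa - beta > kappa - beta_win (assumed rule)."""
    target, proven, opened = KAPPA - beta_win, 0, []
    for k in reversed(range(LAM)):
        if proven > target:
            break
        if decode_bit(values[k]):
            proven += 1 << k
            opened.append(k + 1)             # 1-based position, as on the slide
    if proven <= target:
        raise ValueError("bid is not below the winning price")
    return sorted(opened)

def bound_from_opening(opened, values):
    """Verifier side: opened 1-bits give a lower bound on kappa - beta and so
    an upper bound on beta; unopened components stay hidden."""
    if any(decode_bit(values[k - 1]) != 1 for k in opened):
        raise ValueError("opened component does not encode 1")
    return KAPPA - sum(1 << (k - 1) for k in opened)
```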
Cost Analysis
• Computation & Communication: interpolating a polynomial of degree at most n-1 at n points takes O(C(n) log n), that is, O(n log^2 n) using FFT:
  1. MCS: n polynomials of degree n-1 are evaluated at n points.
  2. VNR: nθ polynomials of degree n-1 are evaluated at n points.
  3. EVNR: nλ = n·log_2 θ polynomials of degree n-1 are evaluated at n points.
  We have full secrecy, i.e., (n-1) players cannot learn the committed value, and the honest majority assumption is for the correctness.
Thank You Very Much
Questions?