Practical Receipt-Free Sealed-Bid Auction in the Coercive Environment

Abstract

Sealed-Bid auction is an efficient and rational method to establish the price in open market. However sealed-bid auctions are subject to bid-rigging attack. Receipt-free mechanisms were proposed to prevent bid-rigging. The prior receipt-free mechanisms are based on two assumptions; firstly, existence of untappable channel between bidders and auction authorities. Secondly, mechanisms assume the authorities to be honest (not colluding). Moreover the bandwidth required to communicate the receipt-free bids is huge. This paper presents a sealed-bid auction mechanism to resist bid-rigging. The proposed method does not assume untappable channel nor consider the authorities to be necessarily honest. The proposed mechanism also manages the bandwidth efficiently, and improves the performance of the system.

Appendices

Appendix

1.1 Proof of Sealing

Sealer \(S_l\) receives the partially sealed bid-vector \(\langle \mathcal {X}_{S_{l-1}i}, \mathcal {Y}_{S_{l-1}i} \rangle \) from the preceding sealer \(S_{l-1}\), selects \(\hat{r}_{S_li,(k,j)}, r_{S_li,(k,j)} \in _R \mathbb {Z}_p\) randomly, performs the sealing operation and forwards the partially sealed bid-vector to the next sealer \(S_{l+1}\). Figure 2 describes the process. The sealing operation of the \(S_l\) is as follows:

Fig. 2.

Sequence of sealing operation

$$\begin{aligned}\begin{aligned} X_{S_li,(k,j)}&= g^{r_{S_li,(k,j)}} . X_{S_{l-1}i,(k.j)} \\&= g^{r_{S_li,(k,j)}} . g^{(r_{i,(k,j)}+\sum \limits _{t = 1}^{l-1} {r_{S_{t}i,(k,j)}})} \\&= g^{(r_{i,(k,j)}+ \sum \limits _{t = 1}^{l}{r_{S_{t}i,(k,j)}})} \\ Y_{S_li,(k,j)}&= \hat{r}_{S_li,(k,j)}.h_{A}^{r_{S_li,(k,j)}} . (h_{S/S_1,\dots S_l})^{r_{S_li,(k,j)}}.\left( X_{S_{l-1}i,(k,j)} \right) ^{-x_{S_l}} . Y_{S_{l-1}i,(k,j)} \\&= \hat{r}_{S_li,(k,j)}.h_{A}^{r_{S_li,(k,j)}} . (h_{S/S_1,\dots S_l})^{r_{S_li,(k,j)}}. \\&\quad \prod \limits _{t=1}^{l-1} \hat{r}_{S_{t}i,(k,j)}. h_{A}^{(r_{i,(k,j)}+ \sum \limits _{t = 1}^{l-1}{r_{S_{t}i,(k,j)}})}. (h_{S/S_1\dots S_l})^{(r_{i,(k,j)}+ \sum \limits _{t = 1}^{l-1}{r_{S_{t}i,(k,j)}})}. G_{\Box }\\&= \prod \limits _{t=1}^{l} \hat{r}_{S_{t}i,(k,j)}. h_{A}^{(r_{i,(k,j)}+ \sum \limits _{t = 1}^{l}{r_{S_{t}i,(k,j)}})}. (h_{S/S_1\dots S_l})^{(r_{i,(k,j)}+ \sum \limits _{t = 1}^{l}{r_{S_{t}i,(k,j)}})}. G_{\Box } \end{aligned}\end{aligned}$$

After \(t\) sealing operation the bid-vector is reduced to

$$\begin{aligned}\begin{aligned} X_{S_ti,(k,j)}&= g^{(r_{i,(k,j)}+ \sum \limits _{l=1}^{t}{r_{S_{l}i,(k,j)}})} \\ Y_{S_ti,(k,j)}&= \prod \limits _{l=1}^{t} \hat{r}_{S_{l}i,(k,j)}. h_{A}^{(r_{i,(k,j)}+ \sum \limits _{l = 1}^{t}{r_{S_{l}i,(k,j)}})}. (h_{S/S_1\dots S_t})^{(r_{i,(k,j)}+ \sum \limits _{l = 1}^{t}{r_{S_{l}i,(k,j)}})}. G_{\Box }\\&= \prod \limits _{l=1}^{t} \hat{r}_{S_{l}i,(k,j)}. h_{A}^{(r_{i,(k,j)}+ \sum \limits _{l = 1}^{t}{r_{S_{l}i,(k,j)}})}. G_{\Box } \end{aligned}\end{aligned}$$

1.2 ZK Protocol

Zero-Knowledge (ZK) protocol [7] is a tool by which the prover can prove to another party (the verifier) that a function has been correctly computed, without revealing the secret parameters of the computation. The auction mechanism uses the ZK protocol to determine the winning bidder. Let \(w=w_{d-1}\dots w_0\) be the winning price and \(B_i\) responds as the winner. The bidder \(B_i\) have to prove the following:

• \(B_i\) publishes \(G_i = g_{y}^{x_{B_i}}\) and proves that \(G_i\) and \(h_{B_i}\) having common exponent (\(x_{B_i}\)) over \(g_y\) and \(g\) respectively, without disclosing the secret \(x_{B_i}\). Algorithm 7 describes the proof.

• For \(k=0,1,\ldots d-1\), \(B_i\) publishes the product of all \(\hat{r}_{i,(k,w_k)}\) and proves that he knows the common exponents over \(X_{i,(k,w_k)}\)s and \(G_{i,(k,w_k)}\)s. The proof would not be carried on individual items but exercised on the product of all \(X_{i,(k,w_k)}\) (for \(k=0,1,\ldots d-1\)). The Algorithm 6 describes the proof.

Fig. 3.

Process of \(EBY()\)

Does ProcSwap() vulnerable

The subprocess \(EBY()\) is a recursive process that partitions the list \(L\) into two halves and invokes the P rocSwap(). Figure 3 shows the process of partitioning ans swapping operation. \(EBY()\) divides the list into some stacks of sealed bids. Every stack contains only two sealed bids where at least one of them must contains the Yes Mark on the \(P_{k,w_k}\) index. However, P rocSwap() procedure takes a stack (size \(2\)) and demands additional information to determine the bid containing the Yes Mark. We claim that the additional information that is published in order to execute P rocSwap() does not compromise the receipt-freeness property.

Lemma 1

Let \( a,b,c~ \& ~d \in \mathbb {Z}_{p}\) such that;

$$\begin{aligned}\begin{aligned} a.b = k_1 \quad \quad&\quad c.d = k_2\\ a.c = k_3 \quad \quad&\quad b.d = k_4 \end{aligned}\end{aligned}$$

Though the values of \( k_1,k_2,k_3~ \& ~k_4\) are known, it is computationally infeasible to find the unique solution of \( a,b,c~ \& ~d\).

Proof

In the above set of equation, any one of the equation is derivable from the other three equations. Let \(a.b = k_1\), \(c.d = k_2\) and \(a.c = k_3\) are given, the fourth equation can be derivable from the given three equations, that is, \(b.d = (a.b).(c.d).(a.c)^{-1} = k_1.k_2.k_{3}^{-1}\). Therefore the above system is effectively consists of three equations with four unknown variables. Henceforth infeasible to determine the unique solution of the \( a,b,c~ \& ~b\). If \(p\) is sufficiently big any random search is inefficient to get the solution of \( a,b,c,~ \& ~d\)    \(\Box \).

Let \(T1\) be a stack containing two bids \(B_1\) and \(B_2\). Also let \(T2\) be another stack containing two void bids \(V_1\) and \(V_2\). Therefore the \(\mathcal {BB}\) already contains the values

$$\begin{aligned} k_1 = \hat{r}_{S_1B_1,(k,j)}.\hat{r}_{S_1B_2,(k,j)} \end{aligned}$$

$$\begin{aligned} k_2 = \hat{r}_{S_1V_1,(k,j)}.\hat{r}_{S_1V_2,(k,j)} \end{aligned}$$

(The procedure P rocS( \(T1,S_1,P_{k,j}\) ) and P rocS( \(T2,S_1,P_{k,j}\) ) publish the values).

The call to the procedure P rocSwap(T1,T2) demands

$$\begin{aligned} k_3 = \hat{r}_{S_1B_1,(k,j)}.\hat{r}_{S_1V_2,(k,j)} \end{aligned}$$

$$\begin{aligned} k_4 = \hat{r}_{S_2V_1,(k,j)}.\hat{r}_{S_1V_2,(k,j)} \end{aligned}$$

Knowing the values \( k_1,k_2,k_3~ \& ~k_4\) adversary would not able to resolve the secrets \(\hat{r}_{S_1B_1,(k,j)}\) and \(\hat{r}_{S_1B_2,(k,j)}\) without better than any random guess.