Analysis and Design of Secure Sealed-Bid Auction

by Kun Peng

Bachelor of Engineering in Computer Software (Huazhong University of Science and Technology, Wuhan, China), 1997
Master of Engineering in Computer Software and Theory (Huazhong University of Science and Technology, Wuhan, China), 2000

Thesis submitted in accordance with the regulations for the Degree of Doctor of Philosophy
Information Security Research Centre, Faculty of Information Technology, Queensland University of Technology

QUEENSLAND UNIVERSITY OF TECHNOLOGY, DOCTOR OF PHILOSOPHY THESIS EXAMINATION
Candidate name: Kun Peng
Centre/research concentration: Information Security Research Centre
Principal supervisor: Associate Professor Colin Boyd
Associate supervisor: Professor Ed Dawson
Thesis title: Analysis and Design of Secure Sealed-Bid Auction
Under the requirements of PhD regulation 9.2, the above candidate was examined orally by the Faculty. The members of the panel set up for this examination recommend that the thesis be accepted by the University and forwarded to the appointed Committee for examination.
Panel Chairperson (Principal Supervisor): Associate Professor Colin Boyd
Panel Members: Professor xxxx; Dr xxxxxxx
Under the requirements of PhD regulation 9.15, it is hereby certified that the thesis of the above-named candidate has been examined. I recommend on behalf of the Thesis Examination Committee that the thesis be accepted in fulfilment of the conditions for the award of the degree of Doctor of Philosophy.
Chair of Examiners (Thesis Examination Committee): Professor xxxxxxxx

Keywords: Electronic Sealed-Bid Auction, Bid Privacy, Relative Bid Privacy, Batch Verification, Mix Network, Secure Evaluation, High Efficiency

Abstract

Auctions have a long history and are an effective method of distributing resources. In the era of the Internet and e-commerce, electronic sealed-bid auctions play an important role in business.
However, it is risky to run a sealed-bid auction over the Internet, which is an open and unreliable environment. There are many security concerns about the correctness and fairness of the auction and the privacy of the bidders in electronic sealed-bid auctions. Cryptology seems to be the only security solution for electronic sealed-bid auctions. On the other hand, a practical electronic sealed-bid auction scheme must be efficient. So the efficient application of cryptographic tools to electronic sealed-bid auctions is the focus of this thesis.

Firstly, the security requirements of sealed-bid auctions are surveyed. The auction result must be determined correctly according to the submitted bids and the predefined auction rule. The bidders must compete with each other fairly, and none of them may take advantage of the others. The auction must be publicly verifiable, so that the auction result is acceptable to everyone. Usually a losing bidder wishes to keep his bid secret, so the losing bids should be kept secret. Different auction rules may apply in different applications, and to avoid ties a large number of biddable prices must be accepted in some applications.

Secondly, the currently known sealed-bid auction schemes are classified. In recent years many sealed-bid auction schemes based on various cryptographic primitives have been proposed, and nearly all of them can be classified into five models. In Model 1, each bid is known to the auctioneers, who can find the winning bid and the winner very efficiently; bid privacy is not implemented in Model 1. In Model 2, homomorphic bid opening is employed, so that the winning bid and the winner can be found while the losing bids are kept secret. In Model 3, very strong bid privacy is achieved through a Dutch-style bid opening, which is highly inefficient. In Model 4, the link between the bids and the bidders, rather than the confidentiality of the bids, is kept secret. This kind of confidentiality is weaker than normal bid privacy and is called relative bid privacy in this thesis. (Complete confidentiality of the bids at the end of the auction is called absolute bid privacy.) Implementation of relative bid privacy can be very efficient if an efficient anonymous channel can be constructed. Model 5 uses secure evaluation to open the bids and find the auction result, and makes it possible to achieve absolute bid privacy efficiently.

Three main cryptographic primitives are explored and employed to design new auction schemes in four auction models. The first tool is batch verification, which can improve computational efficiency in auction schemes. The second is the mix network, which can be used to implement anonymous channels in two of the models. Two new efficient mix networks are designed and used in Model 2 and in two further models. The third is secure evaluation, which is employed in two new auction schemes in Model 5 to achieve strong bid privacy efficiently. Other cryptographic primitives employed in the auction schemes include efficient 1-out-of-w oblivious transfer in one model and a key chain in Model 3.

Five new auction schemes are proposed. The first scheme, in Model 2, batch verifies bid validity to improve efficiency. The second scheme optimises the key chain used in Model 3 to obtain a more advanced auction scheme. The third scheme implements a concrete anonymous channel in Model 4 for the first time and achieves relative bid privacy and high efficiency convincingly. The last two employ new secure evaluation techniques to achieve absolute bid privacy and high efficiency. With these five new auction schemes, better solutions are achieved for various auction applications.

Contents

Keywords
Abstract
Declaration
Previously Published Material
Acknowledgements
Notation
1 Introduction
1.1 Aims and Objectives
1.2 Contributions and Achievements
1.3 Outline of the Thesis
2 Sealed-Bid Auction
2.1 What Is a Sealed-Bid E-Auction?
2.2 Requirements of a Sealed-Bid Auction
2.2.1 Basic Requirements
2.2.2 Advanced Requirements
2.2.3 Receipt-Freeness, a Misused Concept in Auction
2.3 Classification of Bid Privacy
2.4 Classification of Sealed-Bid Auctions
2.4.1 Model 1: Auction with Simple Encryption
2.4.2 Model 2: Auction with Homomorphic Bid-Opening
2.4.3 Model 3: Auction with Downward Search
2.4.4 Model 4: Auction with Relative Bid Privacy
2.4.5 Model 5: Auction by Secure Evaluation
2.5 Conclusion
3 Cryptographic Tools
3.1 Encryption Algorithms
3.1.1 ElGamal Encryption
3.1.2 RSA Encryption
3.1.3 Paillier's Public Key Encryption Scheme
3.2 Secret Sharing
3.2.1 Shamir's Threshold Scheme
3.2.2 Verifiable Secret Sharing
3.2.3 Verifiable Secret Sharing for Auction Schemes
3.3 Distributed Decryption
3.3.1 Distributed ElGamal Decryption
3.3.2 Distributed RSA Decryption
3.3.3 Distributed Paillier Decryption
3.4 Knowledge Proof Techniques
3.4.1 Three-Move Σ Proof
3.4.2 Proof of Knowledge of Logarithm
3.4.3 Proof of Equality of Logarithms
3.4.4 Proof of Knowledge of 1-out-of-k Logarithm
3.4.5 Proof of 1-out-of-k Equality of Logarithms
3.4.6 Proof of Knowledge of Root
3.4.7 Summary
3.5 Conclusion
4 Batch Verification Techniques
4.1 Development of Batch Verification Technology
4.2 New Batch Verification Techniques
4.2.1 Batch Verification of Knowledge of Logarithm
4.2.2 Batch Verification of Equality of Logarithms of Common Base
4.2.3 Batch Verification of Equality of Logarithms of Common Exponent
    Batch Verification with Strict Assumption
    Batch Verification with Loose Assumption
[Contents truncated in this extract.]

Chapter 11 Conclusion and Future Directions

Table 11.3: Efficiency Comparison. [The table body did not survive extraction. Its columns are: scheme; computation cost of a bidder (formula and example figure); computation cost of an auctioneer (formula and example figure); communication cost (formula and example figure); and whether the scheme is interactive. Its rows are [SM99], [SKM00], [Sak00], [WI00], [KHT98, CKM01, KHAN00], [Kik01, OM02, AS02, Bra01], [NPS99, JS02] (note a), [JJ00] (note b), [KO02], and Auction 1 to Auction 5 of this thesis. The cost formulas are written in terms of w, n and m; the surviving example figures (for instance a cost of (4w + 1)n = 32769000) are consistent with w = 8192 and n = 1000.]
a. The cost for an auctioneer is in fact the cost for either the auctioneer or the auction issuer.
b. Although winner identification was not implemented in [JJ00], it can be realized with an average of n/2 distributed decryptions, and its cost is included here.

11.2 Future Directions

...tion. So when very strong bid privacy (without any trust) is needed in a Vickrey auction or other types of auction, there is no existing solution. Although Auction 2 strengthens bid privacy in the non-interactive auction of Model 3, its key chain is downward linked and cannot be applied to auction rules other than the first-bid auction. If the key chain could be constructed like a binary tree, a binary search could be performed along the key chain and the ρth-bid auction could be supported. The private key in the chain must then be threshold-shared among the bidders, with threshold ρ. If each bidder proves in zero knowledge
that he holds a share in only one of any two child nodes, the key chain cannot extend any further once the winning bid is found. However, there is a fatal drawback in this solution: the bids along the binary search route are revealed, so bid privacy is not intact. Is it possible to design a binary key chain with acceptable bid privacy?

The ciphertext comparison technique provides an efficient and publicly verifiable solution to the millionaire problem and leads to Auction 5, which is secure and efficient. However, the ciphertext comparison is based on Paillier encryption, which means its high efficiency is limited to the encryption phase and the comparison phase. As the Paillier private key is a secret factorization, distributed generation of the private key among the authorities is inefficient, so the initialization phase of the ciphertext comparison is inefficient. Although the initialization can be performed beforehand (before bidding starts in an auction), it is still a high cost. Is it possible to base the ciphertext comparison on an encryption scheme with efficient distributed key generation (like the efficient distributed generation of a secret logarithm in ElGamal), so that its initialization phase is also efficient?
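The following is an added example, not a protocol from the thesis. It serves two passages at once: the Model 2 (homomorphic bid opening) description in the abstract, and the point just made about ElGamal, whose private key can be generated distributively because it is a discrete logarithm rather than a factorization. It uses exponential ElGamal (so ciphertexts add), an n-out-of-n additive sharing of the private key in which each authority simply publishes G^x_i, and a Chaum-Pedersen proof of equality of logarithms [CP92] on every partial decryption. The unary bid encoding, the names Authority, partial_decrypt, homomorphic_open and identify_winners, and the toy group P = 1019, Q = 509, G = 4 are this example's own assumptions; the parameters are far too small for real use.

```python
# Added example (not the thesis's own protocol): Model 2 bid opening on top of
# distributed ElGamal. Toy parameters, n-out-of-n key shares, no bid-validity
# proofs (see the note after the code).
import hashlib
import secrets

P = 1019   # safe prime, P = 2*Q + 1 (toy size, assumption of this example)
Q = 509
G = 4      # generator of the order-Q subgroup of Z_P^*


def _challenge(*values):
    """Fiat-Shamir challenge in Z_Q computed over the proof transcript."""
    data = ",".join(str(v) for v in values).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


class Authority:
    """One decryption authority holding an additive share x_i of the private key."""

    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1   # private share, never published
        self.y = pow(G, self.x, P)              # public share y_i = G^x_i

    def partial_decrypt(self, c1):
        """Return d_i = c1^x_i with a Chaum-Pedersen proof that log_G(y_i) = log_c1(d_i)."""
        d = pow(c1, self.x, P)
        w = secrets.randbelow(Q)
        a, b = pow(G, w, P), pow(c1, w, P)
        e = _challenge(G, c1, self.y, d, a, b)
        z = (w + e * self.x) % Q
        return d, (a, b, z)


def verify_partial(y, c1, d, proof):
    """Anyone can check a partial decryption: G^z = a*y^e and c1^z = b*d^e."""
    a, b, z = proof
    e = _challenge(G, c1, y, d, a, b)
    return (pow(G, z, P) == a * pow(y, e, P) % P
            and pow(c1, z, P) == b * pow(d, e, P) % P)


def joint_public_key(authorities):
    """y = prod y_i = G^(sum x_i): one round, no dealer, no secret factorization."""
    y = 1
    for auth in authorities:
        y = y * auth.y % P
    return y


def encrypt(y, m):
    """Exponential ElGamal: (G^r, G^m * y^r). Plaintexts must stay small."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, m, P) * pow(y, r, P) % P


def add(c, d):
    """Component-wise product encrypts the sum of the two plaintexts."""
    return c[0] * d[0] % P, c[1] * d[1] % P


def distributed_decrypt(authorities, c, max_m=1000):
    """Combine verified partial decryptions; a bad proof aborts the decryption."""
    c1, c2 = c
    shared = 1
    for auth in authorities:
        d, proof = auth.partial_decrypt(c1)
        if not verify_partial(auth.y, c1, d, proof):
            raise ValueError("partial decryption failed verification")
        shared = shared * d % P
    gm = c2 * pow(shared, -1, P) % P
    for m in range(max_m + 1):                 # small-range discrete log
        if pow(G, m, P) == gm:
            return m
    raise ValueError("plaintext outside the searchable range")


def encode_bid(y, bid_index, num_prices):
    """Unary bid vector: E(1) at the chosen price, E(0) at every other price."""
    return [encrypt(y, 1 if i == bid_index else 0) for i in range(num_prices)]


def homomorphic_open(authorities, bid_vectors):
    """Highest price with a bid, decrypting only per-price totals from the top down.
    Returns (winning_index, number_of_bids_at_that_price); a count above 1 is a tie."""
    y = joint_public_key(authorities)
    for i in range(len(bid_vectors[0]) - 1, -1, -1):
        total = encrypt(y, 0)
        for vec in bid_vectors:
            total = add(total, vec[i])
        count = distributed_decrypt(authorities, total)
        if count:
            return i, count
    return None, 0


def identify_winners(authorities, bid_vectors, winning_index):
    """Open each bidder's ciphertext at the winning price only; other bids stay sealed."""
    return [j for j, vec in enumerate(bid_vectors)
            if distributed_decrypt(authorities, vec[winning_index]) == 1]


if __name__ == "__main__":
    # Constructed sample: three authorities, five prices, four bidders, a tie at index 3.
    auths = [Authority() for _ in range(3)]
    y = joint_public_key(auths)
    prices = [10, 20, 30, 40, 50]
    bids = [encode_bid(y, 1, 5), encode_bid(y, 3, 5), encode_bid(y, 3, 5), encode_bid(y, 0, 5)]
    idx, count = homomorphic_open(auths, bids)
    print("winning price", prices[idx], "bids at that price", count,
          "winners", identify_winners(auths, bids, idx))
```

Two caveats a practitioner should keep in mind. First, nothing here checks that a bid vector really encrypts a single 1 and otherwise 0s; a bidder who submits E(2) or E(-1) distorts the totals, which is exactly why the thesis's Model 2 scheme batch verifies bid validity. Second, the additive n-out-of-n sharing lets any single authority block decryption by withholding its share; the thesis's threshold sharing (Section 3.2) and the DKG of [GJKR99] address that while keeping the discrete-logarithm key that makes distributed generation cheap.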
Some techniques and protocols in this thesis, such as Auction 1, have not been formally proved secure. However, provable security is very important in cryptology. As the research work goes on, some of the missing formal proofs of the cryptographic protocols in this thesis will be provided. With more formal and comprehensive security proofs, the auction schemes in this thesis will be more convincing and more widely accepted.

It is desirable to apply other auction rules, such as combinatorial auction, in electronic sealed-bid auction applications. As stated in Section 2.1, combinatorial auction is more flexible and comprehensive, so it has become more and more popular recently. However, combinatorial auction is more complex and involves more techniques, so the research in this thesis is limited to the case where only one type of item is on sale. As combinatorial auction is an ideal method to distribute resources in some applications, extending the current research to combinatorial auction makes good sense.

In this thesis, all the research work is at the protocol level. The auction protocols are designed, but their implementation in real-world applications is not considered. The value of a protocol can be fully recognised only after it is developed into a practical application. As the research is pushed forward to practical auction systems, practical questions such as denial-of-service attacks need to be considered.

Bibliography

[Abe99] M. Abe. Mix-networks on permutation networks. In ASIACRYPT '99, LNCS 1716, pages 258–273. Springer-Verlag, Berlin, 1999.
[AH01] Masayuki Abe and Fumitaka Hoshino. Remarks on mix-network based on permutation networks. In Public Key Cryptography 2001, LNCS 1992, pages 317–324. Springer-Verlag, Berlin, 2001.
[AI03] Masayuki Abe and Hideki Imai. Flaws in some robust optimistic mix-nets. In ACISP 2003, LNCS 2727, pages 39–50. Springer, 2003.
[APBD04] Riza Aditya, Kun Peng, Colin Boyd, and Ed Dawson. Batch verification for equality of discrete logarithms and threshold decryptions. In Second Conference on Applied Cryptography and Network Security, ACNS 04, LNCS 3089, pages 494–508. Springer-Verlag, Berlin, 2004.
[AS02] Masayuki Abe and Koutarou Suzuki. M+1-st price auction using homomorphic encryption. In Public Key Cryptography 2002, LNCS 2274, pages 115–124. Springer-Verlag, Berlin, 2002.
[Auc01] Auctionwatch. April 2001. URL http://www.auctionwatch.com/awdaily/feature/yearin
[Bao98] Feng Bao. An efficient verifiable encryption scheme for encryption of discrete logarithms. In Smart Card Research and Applications, CARDIS '98, LNCS 1820, pages 213–220. Springer-Verlag, Berlin, 1998.
[Bea00] D. Beaver. Minimal-latency secure function evaluation. In EUROCRYPT 2000, Bruges, Belgium, May 14–18, 2000, LNCS 1807, pages 335–350. Springer, 2000.
[BG02] Dan Boneh and Philippe Golle. Almost entirely correct mixing with applications to voting. In Proceedings of the 9th ACM Conference on Computer and Communications Security, pages 68–77, 2002.
[BGR98] M. Bellare, J. A. Garay, and T. Rabin. Fast batch verification for modular exponentiation and digital signatures. In EUROCRYPT '98, LNCS 1403, pages 236–250. Springer-Verlag, Berlin, 1998.
[BOGK+88] Michael Ben-Or, Shafi Goldwasser, Joe Kilian, and Avi Wigderson. Multi-prover interactive proofs: How to remove intractability assumptions. In Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC 1988, pages 113–131, 1988.
[BP00] Colin Boyd and Chris Pavlovski. Attacking and repairing batch verification schemes. In ASIACRYPT 2000, LNCS 1976, pages 58–71. Springer-Verlag, Berlin, 2000.
[Bra01] Felix Brandt. Cryptographic protocols for secure second-price auctions. 2001. Available at http://wwwbrauer.in.tum.de/∼brandtf/papers/cia2001.pdf
[BT94] Josh Benaloh and Dwight Tuinstra. Receipt-free secret-ballot elections. In Proceedings of the Twenty-Sixth Annual ACM Symposium on the Theory of Computing, pages 544–553, 1994.
[Cac99] Christian Cachin. Efficient private bidding and auctions with an oblivious third party. In 6th ACM Conference on Computer and Communications Security, 1999. Available at http://www.tml.hut.fi/∼helger/crypto/link/protocols/auctions.html
[CB86] J. Cohen Benaloh. Secret sharing homomorphisms: keeping shares of a secret secret. In CRYPTO '86, LNCS 263, pages 251–260. Springer-Verlag, Berlin, 1986.
[CC00] Christian Cachin and Jan Camenisch. Optimistic fair secure computation (extended abstract). In CRYPTO 2000, LNCS 1880, pages 94–112. Springer-Verlag, Berlin, 2000.
[CCD88] David Chaum, Claude Crépeau, and Ivan Damgård. Multiparty unconditionally secure protocols (extended abstract). In Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC 1988, pages 11–19, 1988.
[CDD+99] Ronald Cramer, Ivan Damgård, Stefan Dziembowski, Martin Hirt, and Tal Rabin. Efficient multiparty computations secure against an adaptive adversary. In EUROCRYPT '99, LNCS 1592, pages 311–326. Springer, 1999.
[CDN01] Ronald Cramer, Ivan Damgård, and Jesper Buus Nielsen. Multiparty computation from threshold homomorphic encryption. In EUROCRYPT 2001, Innsbruck, Austria, May 6–10, 2001, LNCS 2045, pages 280–299. Springer, 2001.
[CDS94] R. Cramer, I. B. Damgård, and B. Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO '94, LNCS 839, pages 174–187. Springer-Verlag, Berlin, 1994.
[CDvdG87] D. Chaum, I. B. Damgård, and J. van de Graaf. Multiparty computations ensuring privacy of each party's input and correctness of the result. In CRYPTO '87, LNCS 293, pages 87–119. Springer-Verlag, Berlin, 1987.
[Cha81] D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–88, 1981.
[CKL03] Xiaofeng Chen, Kwangjo Kim, and Byoungcheon Lee. Receipt-free electronic auction schemes using homomorphic encryption. In Information Security and Cryptology, ICISC 2002, 5th International Conference. Springer-Verlag, Berlin, 2003.
[CKM01] Koji Chida, Kunio Kobayashi, and Hikaru Morita. Efficient sealed-bid auctions for massive numbers of bidders with lump comparison. In Information Security, 4th International Conference, ISC 2001, LNCS 2200, pages 408–419. Springer-Verlag, Berlin, 2001.
[CP92] D. Chaum and T. P. Pedersen. Wallet databases with observers. In CRYPTO '92, LNCS 740, pages 89–105. Springer-Verlag, Berlin, 1992.
[Cra96] R. Cramer. Modular Design of Secure yet Practical Cryptographic Protocols. PhD thesis, CWI and University of Amsterdam, 1996.
[DC02] Ivan Damgård and Ronald Cramer. On Σ-protocols. Cryptologic Protocol Theory, 2002. http://www.daimi.au.dk/∼ivan/Sigma.ps
[DV00] S. de Vries and R. Vohra. Combinatorial auctions: A survey. 2000. Available at http://www.citeseer.nj.nec.com/devries01combinatorial.html
[Fel87] P. Feldman. A practical scheme for non-interactive verifiable secret sharing. In 28th Annual Symposium on Foundations of Computer Science, pages 427–437, 1987.
[FH96] Matthew K. Franklin and Stuart Haber. Joint encryption and message-efficient secure computation. Journal of Cryptology, 9(4):217–232, 1996.
[Fia89] Amos Fiat. Batch RSA. In CRYPTO '89, LNCS 435, pages 175–185. Springer-Verlag, Berlin, 1989.
[Fis01] Marc Fischlin. A cost-effective pay-per-multiplication comparison method for millionaires. In Topics in Cryptology, CT-RSA 2001, San Francisco, CA, USA, April 8–12, 2001, LNCS 2020, pages 457–472. Springer, 2001.
[FPS00] Pierre-Alain Fouque, Guillaume Poupard, and Jacques Stern. Sharing decryption in the context of voting or lotteries. In Financial Cryptography 2000, LNCS 1962, pages 90–104. Springer-Verlag, Berlin, 2000.
[FR96] Matthew K. Franklin and Michael K. Reiter. The design and implementation of a secure auction service. IEEE Transactions on Software Engineering, 22(5):302–312, May 1996.
[fra01] Fraud. August 2001. URL http://www.fraud.org/internet/99final.htm
[FS01] Jun Furukawa and Kazue Sako. An efficient scheme for proving a shuffle. In CRYPTO 2001, LNCS 2139, pages 368–387. Springer, 2001.
[GJKR99] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Secure distributed key generation for discrete-log based cryptosystems. In EUROCRYPT '99, LNCS 1592, pages 123–139. Springer-Verlag, Berlin, 1999.
[GMW87] Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game or a completeness theorem for protocols with honest majority. In Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, STOC 1987, pages 218–229, 1987.
[GQ89] L. C. Guillou and J. J. Quisquater. A "paradoxical" identity-based signature scheme resulting from zero-knowledge. In Shafi Goldwasser, editor, CRYPTO '88, LNCS 403, pages 216–231. Springer-Verlag, Berlin, 1989.
[Gro03] Jens Groth. A verifiable secret shuffle of homomorphic encryptions. In Public Key Cryptography 2003, LNCS 2567, pages 145–160. Springer-Verlag, Berlin, 2003.
[GRR87] Rosario Gennaro, Michael O. Rabin, and Tal Rabin. Simplified VSS and fast-track multiparty computations with applications to threshold cryptography. In Proceedings of the Seventeenth Annual ACM Symposium on Principles of Distributed Computing, PODC '98, pages 101–111, 1998.
[GZB+02] Philippe Golle, Sheng Zhong, Dan Boneh, Markus Jakobsson, and Ari Juels. Optimistic mixing for exit-polls. In ASIACRYPT 2002, LNCS 2501, pages 451–465. Springer-Verlag, Berlin, 2002.
[HAK01] Fumitaka Hoshino, Masayuki Abe, and Tetsutaro Kobayashi. Lenient/strict batch verification in several groups. In Information Security, 4th International Conference, ISC 2001, LNCS 2200, pages 81–94. Springer-Verlag, Berlin, 2001.
[Har98] L. Harn. Batch verifying multiple DSA-type digital signatures. Electronics Letters, 34(9):870–871, 1998.
[HKDMT01] R. Holzman, N. Kfir-Dahav, D. Monderer, and M. Tennenholtz. Bundling equilibrium in combinatorial auctions. 2001. URL http://www.citeseer.nj.nec.com/holzman01bundling.html
[HS00] Martin Hirt and Kazue Sako. Efficient receipt-free voting based on homomorphic encryption. In EUROCRYPT 2000, pages 539–556, 2000.
[JJ00] M. Jakobsson and A. Juels. Mix and match: Secure function evaluation via ciphertexts. In ASIACRYPT 2000, LNCS 1976, pages 143–161. Springer-Verlag, Berlin, 2000.
[JJ01] Ari Juels and Markus Jakobsson. An optimally robust hybrid mix network. In Proceedings of the 20th Annual ACM Symposium on Principles of Distributed Computing, pages 284–292. ACM, 2001.
[JJR02] Markus Jakobsson, Ari Juels, and Ronald L. Rivest. Making mix nets robust for electronic voting by randomized partial checking. In Proceedings of the 11th USENIX Security Symposium, San Francisco, CA, USA, August 5–9, 2002, pages 339–353. USENIX, 2002.
[Jr67] Ralph Cassady Jr. Auctions and Auctioneering. 1967. A brief history of auctions extracted from the work is available at http://www.econport.org:8080/econport/request?page=man auctions briefhistory
[JS02] A. Juels and M. Szydlo. A two-server auction protocol. In Proceedings of Financial Cryptography 2002, pages 329–340, 2002.
[JSI96] Markus Jakobsson, Kazue Sako, and Russell Impagliazzo. Designated verifier proofs and their applications. In EUROCRYPT '96, pages 143–154, 1996.
[KHAN00] Hiroaki Kikuchi, Shinji Hotta, Kensuke Abe, and Shohachiro Nakanishi. Distributed auction servers resolving winner and winning bid without revealing privacy of bids. In Proceedings of the International Workshop on Next Generation Internet (NGITA 2000), IEEE, pages 307–312, July 2000.
[KHT98] H. Kikuchi, Michael Harkavy, and J. D. Tygar. Multi-round anonymous auction. In Proceedings of the First IEEE Workshop on Dependable and Real-Time E-Commerce Systems, pages 62–69, June 1998.
[Kik01] Hiroaki Kikuchi. (m+1)st-price auction. In Financial Cryptography 2001, LNCS 2339, pages 291–298. Springer-Verlag, Berlin, February 2001.
[KO02] Kaoru Kurosawa and Wakaha Ogata. Bit-slice auction circuit. In 7th European Symposium on Research in Computer Security, ESORICS 2002, LNCS 2502, pages 24–38. Springer-Verlag, Berlin, 2002.
[LAN02] H. Lipmaa, N. Asokan, and V. Niemi. Secure Vickrey auctions without threshold trust. In Proceedings of the 6th Annual Conference on Financial Cryptography, 2002. Springer-Verlag, Berlin, 2002.
[LBD+03] Byoungcheon Lee, Colin Boyd, Ed Dawson, Kwangjo Kim, Jeongmo Yang, and Seungjae Yoo. Providing receipt-freeness in mixnet-based voting protocols. To appear in Information Security and Cryptology, ICISC 2003, 2003.
[LK00] Byoungcheon Lee and Kwangjo Kim. Receipt-free electronic voting through collaboration of voter and honest verifier. In JW-ISC 2000, pages 101–108, 2000.
[LK02] Byoungcheon Lee and Kwangjo Kim. Receipt-free electronic voting scheme with a tamper-resistant randomizer. In Information Security and Cryptology, ICISC 2002, pages 389–406, 2002.
[MBC01] Emmanouil Magkos, Mike Burmester, and Vassilios Chrissikopoulos. Receipt-freeness in large-scale elections without untappable channels. In The First IFIP Conference on E-Commerce, E-Business, E-Government, I3E 01, pages 683–694, 2001.
[MBC03] E. Magkos, M. Burmester, and V. Chrissikopoulos. An internet anonymous auction scheme. JECR journal, 2003.
[MV00] Yi Mu and Vijay Varadharajan. An internet anonymous auction scheme. In International Conference on Information Security and Cryptology 2000, LNCS 2015, pages 171–182. Springer-Verlag, Berlin, 2000.
[MvOV96] A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.
[MZV02] Yi Mu, Junqi Zhang, and Vijay Varadharajan. m out of n oblivious transfer. In Information Security and Privacy, 7th Australasian Conference, ACISP 2002, Melbourne, Australia, July 3–5, 2002, LNCS 2384. Springer, 2002.
[Nef01] C. Andrew Neff. A verifiable secret shuffle and its application to e-voting. In ACM Conference on Computer and Communications Security 2001, pages 116–125, 2001.
[NP01] Moni Naor and Benny Pinkas. Efficient oblivious transfer protocols. In Twelfth Annual Symposium on Discrete Algorithms, January 7–9, 2001, Washington, DC, USA, pages 448–457. ACM/SIAM, 2001.
[NPS99] Moni Naor, Benny Pinkas, and Reuben Sumner. Privacy preserving auctions and mechanism design. In ACM Conference on Electronic Commerce 1999, pages 129–139, 1999.
[NR94] Valtteri Niemi and Ari Renvall. How to prevent buying of votes in computer elections. In ASIACRYPT '94, pages 164–170, 1994.
[NS98] David Naccache and Jacques Stern. A new public key cryptosystem based on higher residues. In ACM Conference on Computer and Communications Security 1998, pages 160–174, 1998.
[OA00] Miyako Ohkubo and Masayuki Abe. A length-invariant hybrid mix. In ASIACRYPT 2000, LNCS 1976, pages 178–191. Springer-Verlag, Berlin, 2000.
[Oka97] Tatsuaki Okamoto. Receipt-free electronic voting schemes for large scale elections. In Security Protocols, 5th International Workshop 1997, pages 25–35, 1997.
[OKST00] W. Ogata, K. Kurosawa, K. Sako, and K. Takatani. Fault tolerant anonymous channel. In Proceedings of the International Conference on Information and Communication Security 1997, LNCS 1334, pages 440–444. Springer-Verlag, Berlin, 1997.
[OM02] Kazumasa Omote and Atsuko Miyaji. A second-price sealed-bid auction with the discriminant of the p-th root. In Financial Cryptography 2002. Springer-Verlag, Berlin, 2002.
[OU98] T. Okamoto and S. Uchiyama. A new public-key cryptosystem as secure as factoring. In EUROCRYPT '98, LNCS 1403, pages 308–318. Springer-Verlag, Berlin, 1998.
[Pai99] P. Paillier. Public key cryptosystems based on composite degree residuosity classes. In EUROCRYPT '99, LNCS 1592, pages 223–238. Springer-Verlag, Berlin, 1999.
[PBDV02a] Kun Peng, Colin Boyd, Ed Dawson, and Kapali Viswanathan. Non-interactive auction scheme with strong privacy. In ICISC 2002, LNCS 2587, pages 407–420. Springer, 2002.
[PBDV02b] Kun Peng, Colin Boyd, Ed Dawson, and Kapali Viswanathan. Robust, privacy protecting and publicly verifiable sealed-bid auction. In ICICS 2002, LNCS 2513, pages 147–159. Springer, 2002.
[PBDV03a] Kun Peng, Colin Boyd, Edward Dawson, and Kapali Viswanathan. Efficient implementation of relative bid privacy in sealed-bid auction. In The 4th International Workshop on Information Security Applications, WISA 2003. Springer-Verlag, Berlin, 2003.
[PBDV03b] Kun Peng, Colin Boyd, Edward Dawson, and Kapali Viswanathan. Five sealed-bid auction models. In Australasian Information Security Workshop 2003, 2003.
[PBDV04] Kun Peng, Colin Boyd, Edward Dawson, and Kapali Viswanathan. A correct, private and efficient mix network. In 2004 International Workshop on Practice and Theory in Public Key Cryptography, pages 439–454. Springer-Verlag, Berlin, 2004.
[Ped91a] Torben P. Pedersen. Distributed provers with applications to undeniable signatures. In EUROCRYPT '91, LNCS 547, pages 221–242. Springer-Verlag, Berlin, 1991.
[Ped91b] Torben P. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In CRYPTO '91, LNCS 576, pages 129–140. Springer-Verlag, Berlin, 1991.
[Ped91c] Torben P. Pedersen. A threshold cryptosystem without a trusted party. In EUROCRYPT '91, LNCS 547, pages 522–526. Springer-Verlag, Berlin, 1991.
[Ped92] Torben P. Pedersen. Distributed Provers and Verifiable Secret Sharing Based on the Discrete Logarithm Problem. PhD thesis, Computer Science Department, Aarhus University, Aarhus, Denmark, 1992.
[PIK93] C. Park, K. Itoh, and K. Kurosawa. Efficient anonymous channel and all/nothing election scheme. In EUROCRYPT '93, LNCS 765, pages 248–259. Springer-Verlag, Berlin, 1993.
[Sak00] K. Sako. An auction scheme which hides the bids of losers. In Public Key Cryptography 2000, LNCS 1751, pages 422–432. Springer-Verlag, Berlin, 2000.
[Sch91] C. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4:161–174, 1991.
[Sho99] V. Shoup. Practical threshold signatures. IBM Research Report RZ 3121, IBM, 1999.
[Sil02] Marius-Calin Silaghi. An algorithm applicable to clearing combinatorial exchanges. Technical Report CS-2002, 2002. Available at http://www.citeseer.nj.nec.com/silaghi02algorithm.html
[SK95] K. Sako and J. Kilian. Receipt-free mix-type voting scheme: a practical solution to the implementation of a voting booth. In EUROCRYPT '95, LNCS 921, pages 393–403. Springer-Verlag, Berlin, 1995.
[SKM00] Koutarou Suzuki, Kunio Kobayashi, and Hikaru Morita. Efficient sealed-bid auction using hash chain. In International Conference on Information Security and Cryptology 2000, LNCS 2015, pages 183–191. Springer-Verlag, Berlin, 2000.
[SM99] Kouichi Sakurai and S. Miyazaki. A bulletin-board based digital auction scheme with bidding down strategy: towards anonymous electronic bidding without anonymous channels nor trusted centers. In Proceedings of the International Workshop on Cryptographic Techniques and E-Commerce, pages 180–187, Hong Kong, 1999. City University of Hong Kong Press.
[SY02] K. Suzuki and M. Yokoo. Secure combinatorial auctions by dynamic programming with polynomial secret sharing. In Sixth International Financial Cryptography Conference (FC 2002), pages 44–56, 2002.
[SYY99] Tomas Sander, Adam Young, and Moti Yung. Non-interactive cryptocomputing for NC1. In 40th Annual Symposium on Foundations of Computer Science, FOCS '99, New York, NY, USA, pages 554–567, 1999.
[Tze02] Wen-Guey Tzeng. Efficient 1-out-of-n oblivious transfer schemes. In Public Key Cryptography, 5th International Workshop on Practice and Theory in Public Key Cryptosystems, PKC 2002, Paris, France, February 12–14, 2002, LNCS 2274, pages 159–171. Springer, 2002.
[VBD00] Kapali Viswanathan, Colin Boyd, and Ed Dawson. A three phased schema for sealed bid auction system design. In Information Security and Privacy, 5th Australasian Conference, ACISP 2000, LNCS 1841, pages 412–426. Springer-Verlag, Berlin, 2000.
[Vic61] W. Vickrey. Counterspeculation, auctions, and competitive sealed tenders. Journal of Finance, 16(1):8–37, March 1961.
[WI00] Yuji Watanabe and Hideki Imai. Reducing the round complexity of a sealed-bid auction protocol with an off-line TTP. In ACM Conference on Computer and Communications Security 2000, pages 80–86. ACM, 2000.
[Yao92] Andrew Chi-Chih Yao. Protocols for secure computations (extended abstract). In 23rd IEEE Symposium on Foundations of Computer Science, FOCS 1982, pages 160–164, 1982.
[YS02] Makoto Yokoo and Koutarou Suzuki. Secure multi-agent dynamic programming based on homomorphic encryption and its application to combinatorial auctions. In First International Joint Conference on Autonomous Agents and Multiagent Systems (AAMAS 2002), pages 112–119, 2002. Available at http://www.kecl.ntt.co.jp/csl/ccrg/members/yokoo/PDF/aamas2002secure-wd.pdf