Abstract

Electronic auction is a popular platform for selling goods, assigning tasks, and allocating resources, because it reduces transaction costs and attracts a huge number of potential buyers. However, it is challenging to address disputes between the buyer and the auctioneer. The main reason is that, on the one hand, solving such a problem draws on a broad range of research areas, such as economic theory, engineering, and cryptography, and, on the other hand, it is difficult to arbitrate in a decentralized and anonymous setting. In this work, we consider a more general framework to resolve potential disputes by enforcing bidirectional confirmation and public verification. Hence, the bidding procedure is open to inspection and potential disputes can be eliminated. To achieve this goal, we propose a policy-driven chameleon hash and a revised linkable-and-redactable ring signature as building blocks. We use these two tools to build a bidirectional and anonymous auction protocol called P. In our P protocol, bidders can competitively and anonymously place their bids to outbid others. At the end of the auction protocol, everyone can verify the validity of the bidding proof and decide the winner. Thus, the dispute-freeness feature is achieved. The analysis suggests that our proposal is provably secure and practically efficient, trading some efficiency for the dispute-freeness feature.

1. Introduction

An auction is a process to buy or sell commodities and services [1]. Specifically, an auction is a market institution in which traders or parties submit bids that can be an offer to buy or sell at a given price. Typically, an auction includes the following entities: bidder, seller, auctioneer, commodity, valuation, and price. Electronic auction (e-auction) is a fundamental part of electronic commerce technology [2]. The Internet-based e-auction is one of the most successful stories of web-based services. It removes physical limitations by enabling convenient and fast remote auction services for audiences at any time and in any place [2]. Due to the reduction in transaction costs, the huge pool of potential buyers, and independence of time and space, e-auctions are popular mechanisms for selling goods, assigning tasks, allocating resources, etc. [1]. English auctions and sealed-bid auctions are the two most commonly known auction types. In an English auction, buyers call out increasing prices. In a sealed-bid auction, prices are privately submitted to the auctioneer. In addition, auctions can be categorized into seller-side and buyer-side auctions. Depending on the type of auction, there could be buyers to 1 seller, 1 buyer to sellers, or even buyers to sellers [1].

Ensuring that the e-auction protocol works properly is essential, especially considering the increasingly valuable assets traded in e-auctions and people’s increasing preference for purchasing items online. Due to the heterogeneity, free accessibility, and full anonymity of the Internet, e-auction protocols suffer from frequent and unprecedented threats from insiders (malicious buyers or auctioneers) and outsiders (e.g., hackers). For example, Abe and Suzuki [3] identified the bid-rigging problem in sealed auctions, where a buyer seeks to manipulate the auction by ordering other bidders to bid very low prices. This problem can be considered an insider attack. One of the most challenging problems is dispute settlement and arbitration. During the execution of an e-auction protocol, doubts about the fairness of the auction procedure and potential disputes between the buyer and the auctioneer may arise. However, solutions span a broad research domain: economics [4], engineering, and cryptography [5, 6], for instance, how to reach the Nash equilibrium in game theory [1] or how to achieve fair arbitration from the legal aspect. This is challenging in a totally decentralized and anonymous setting where the buyer’s identity and the bids are concealed. Ring signatures are generally adopted to achieve buyer anonymity in e-auction protocols [7–9]. Unlike a group signature, which requires a group manager for setup, a ring signature greatly simplifies the design by removing the need for a centralized entity. However, this also makes it difficult to arbitrate disputes, since every buyer is hidden behind a pseudonym and no justifiable evidence or mechanism is provided to support dispute settlement.

In this work, by using a chameleon hash and a ring signature, we give a solution to the aforementioned problems. Simply put, a chameleon hash, or trapdoor commitment (TC) (also known as a trapdoor one-way hash function) [10], can be viewed as a box with a secret lock. It allows the holder of the key to change the secret (i.e., a committed value) in the box even after the box is locked. This property allows both the buyer and the auction manager to confirm the bids securely while evidence can be revealed to the public for verification. As long as the buyer or the auction manager finds a bid suspicious or wrong, he will not confirm it. As a result, dispute-freeness is achieved since all successfully placed bids are guaranteed by dual confirmation and cryptographic proof.

In this work, we propose a bidirectional and anonymous auction protocol with dispute-freeness, called P. The framework of our proposal is shown in Figure 1. Similar to the English auction, but with slight adaptations, our proposal allows the buyer to place his bid competitively. The bid is placed anonymously based on a ring signature, with an anonymous cryptocurrency and pseudonyms used for privacy. An auction manager is delegated to confirm and verify the bids. All bids are bidirectionally verified and confirmed and then revealed to the public during the Open Phase to achieve dispute-freeness. We propose the Policy-driven Chameleon Hash (PCH) and the Revised Linkable-and-Redactable Ring Signature (R-LRRS) as building blocks to construct our P scheme. Our contributions can be highlighted as below:
(1) We propose the PCH and R-LRRS as building blocks. PCH is a trapdoor one-way hash function with both deterministic and probabilistic hashing algorithms. R-LRRS is a revised version of our previously proposed ring signature [11].
(2) Our proposed P is divided into five phases: initiation, prebidding, bidding, confirmation, and open. Our P leverages PCH and R-LRRS to achieve bidirectional and anonymous bidding with dispute-freeness. Cryptocurrency and pseudonyms are used to achieve transaction and identity privacy for buyers. The buyer can competitively place his bids in order to win the auction. An auction manager is delegated to verify and confirm the bidder’s proof. As each proof is dually confirmed and publicly verifiable, the dispute-freeness feature is provided.
(3) We give the system model and several security requirements of our proposed P. Following the detailed construction and the predefined model, we give a security and complexity analysis of our scheme. The evidence suggests that our proposal is provably secure based on intractable assumptions. Meanwhile, our proposal is practically efficient.

Zhang et al. [1] conducted a comprehensive survey of recent auction approaches. They systematically reviewed the auction-based applications and mechanisms in wireless and mobile systems. Their work is helpful for the reader to study this topic. We summarize the related works on auction protocols as follows.

Cryptography offers a broad range of tools for the diverse designs of early auction systems and protocols. From 1999 to 2010, a number of works were proposed that applied cryptographic algorithms to achieve various desired properties for auctions. Naor et al. [12] proposed an efficient sealed-bid, two-server auction system. This was an early design of a private auction. Later, Viswanathan and Dawson [13] proposed a simple, efficient, and secure design to achieve sealed bidding with anonymity. They utilized a modular approach in their analysis and design methodology. Later, Nguyen and Traore [7] proposed a public auction protocol that utilized blind group signatures to achieve bidder privacy. Differently from the above, they considered public auctions, whose design generally differs from that of private auctions. Omote and Miyaji [14] proposed to achieve an English auction with efficient bidding and verification by using a bulletin board. Their scheme enables easy revocation and one-time registration and is desirable for users with limited computing capabilities. Abe and Suzuki [3] identified the bid-rigging problem in sealed auctions, where a buyer seeks to manipulate the auction by ordering other bidders to bid very low prices. Peng et al. [15] proposed a new concept, called relative bid privacy.

They proposed a new mix network to implement an auction with relative bid privacy. Specifically, they employed ElGamal encryption and re-encryption to hide bidding information. Juels and Szydlo [23] introduced verifiable proxy oblivious transfer to address a security vulnerability in Naor et al.’s work [12]. Xiong et al. [8] proposed an efficient sealed-bidding protocol based on a ring signature and a variable encryption key chain technique, where the auctioneer is allowed to determine the winning bid while the losing bids are not revealed. Later, Xiong et al. [9] proposed an efficient and spontaneous privacy-preserving English auction protocol based on a revocable ring signature. In comparison with their previous work [8], the new scheme in [9] offers conditional privacy-preservation and one-time registration. Most importantly, it is more efficient than the previous work in both communication and computation complexity. Following this, Nojoumian and Stinson [24] built a first-price auction protocol based on a new commitment. A multicomponent commitment is proposed as a building block, for which three schemes with different properties are given. In another work, Dong and Pang [25] formally studied the notions of receipt-freeness and bidding-price secrecy through the formalization and analysis of observational equivalences.

From 2010 to 2021, the design of auction protocols was mainly shaped by the development of cryptography as well as by diverse applications. Galal and Youssef [26] proposed several cryptographic primitives as building blocks to achieve a smart contract protocol for a succinctly verifiable sealed-bid auction on the Ethereum blockchain. Here, Ethereum is a decentralized platform based on blockchain technology, and a smart contract is a Turing-complete program that implements arbitrary computation on Ethereum. Galal and Youssef [22] proposed another smart contract-based verifiable sealed-bid auction on the Ethereum blockchain. Similarly, multiple cryptographic primitives are used as building blocks in the design. However, these constructions are generally complex and inefficient. Galal and Youssef [27] proposed Trustee, a trusted and efficient Vickrey auction on top of Ethereum with full privacy-preservation and much lower fees for the online auction. A prototype of Trustee, a security analysis, and gas costs are provided. Jiao et al. [28] proposed an auction-based market model for computing resource allocation on a proof-of-work blockchain network. Nguyen and Thai [29] exploited smart contract and state channel technologies to achieve a decentralized and trustless framework for iterative double auctions. An et al. [30] exploited smart contracts and a greedy strategy to achieve trustless crowdsensed data trading in a reverse auction. As observed, Ethereum is a promising and popular platform for developing auction protocols since it supports fast payment and provides smart contracts that enable application-rich services.

We compare our scheme with relevant works in Table 1, with a focus on privacy-preservation. Similarly, we employ a standard cryptographic algorithm called chameleon hash to achieve bidder anonymity and hidden bids. Notably, we do not rely on a trusted auctioneer, since we can run an arbitration protocol to settle disputes and it is publicly verifiable. To generalize, the early works mainly focused on utilizing a specific methodology or tool as the solution, while current works have adopted multiple technologies. Current designs rely heavily on multiple cryptographic building blocks [22, 26], which impose high complexity on both design and performance. However, a work focusing on dispute settlement or arbitration does not exist in the literature. Therefore, once users have doubts over the process and outcomes, there is no easy way or clear evidence to settle them.

3. Preliminary

We give some preliminary knowledge used in our work.

3.1. Complexity Assumptions

Let be a cyclic multiplicative group generated by with prime order . We informally state the following assumptions:
Discrete logarithm problem (DLP): given , where , computing is hard.
Decisional Diffie–Hellman problem (DDHP): given , where , deciding whether is hard.
Computational Diffie–Hellman problem (CDHP): given , where , computing is hard.
q-Strong Diffie–Hellman problem (q-SDHP) [31]: choose . Given a -tuple and a generator of a -order cyclic group , computing for some is hard.

3.2. Bilinear Pairing

Given two multiplicative groups and with the same group order and generator , denote by a symmetric bilinear map, where for all and . Additionally, computing is efficient.

3.3. Unpredictable File Source

We give the notion of “unpredictable file source” [32] as follows. This notion is used to capture the lower bound of our security given in Section 7.

Specifically, denote a file source as a polynomial algorithm which, on input , outputs . Denote as random vectors and as auxiliary information. Fix by . The guessing probability of is defined by . We say that is an unpredictable file source if is negligible.

4. Building Blocks

We introduce the building blocks of our work in this section.

4.1. Policy-Driven Chameleon Hash

We propose the Policy-driven Chameleon Hash (PCH) as follows. PCH is a variant of chameleon hash (Trapdoor Commitment (TC) [10]) featuring two different hashing algorithms: Probabilistic Hashing and Deterministic Hashing . To explain, generates each hash with freshly chosen randomness, while computes each hash deterministically from the message itself (similar to the hash-as-a-key method [32]). A PCH scheme consists of the following five algorithms .
: on inputting a security parameter , choose two groups and with prime order and generator . Set the bilinear map as . Set the hash functions as . Denote . Select a random number as the trapdoor key, and compute as the hash key. Output .
: pick a customized identity . Given the hash key , compute coefficients and . Choose a random and compute the probabilistic chameleon randomness . Then, compute the chameleon hash . Output .
: pick a customized identity . Given a hash key , compute coefficients , , and . Compute the deterministic chameleon randomness . Then, compute a deterministic chameleon hash . Output .
: on inputting a customized identity , a public key , and a tuple , where , compute coefficients and . Then, check whether equation (1) holds: and check whether holds. If not, output 0; else, compute and check whether . If yes, output deter, which signifies that is an output of ; else, output 1 to indicate that is an output of .
: on inputting a tuple , a customized identity , a trapdoor key , and a new message , compute coefficients and . Then, compute the new chameleon randomness .

4.2. Revised Linkable-and-Redactable Ring Signature

Liu et al. [33] proposed the 1-out-of- Linkable Spontaneous Anonymous Group (LSAG) signature as an extension of the Spontaneous Anonymous Group (SAG) signature [34]. In our previous work [11], we extended Liu et al.’s LSAG [33] to a Linkable-and-Redactable Ring Signature (LRRS) [11]. In this work, we revise our previous LRRS scheme slightly to derive a Revised LRRS (R-LRRS). To note, if we use a different for each signing, linkability will not be achieved in our R-LRRS. An R-LRRS signature scheme consists of the following four algorithms .
: on inputting a security parameter , choose a group generated by of order . Then, set the cryptographic hash functions and . Derive . Finally, pick a random number as the private key, and compute as the public key. Output .
: on inputting a private key , a message , a list of public keys , and a set of tuples , user generates coefficients as follows:
(1) Set as a customized identity, compute and for . Then, pick two random numbers and compute .
(2) For each , run . If all outputs are 1 or deter, proceed; otherwise, return and terminate.
(3) For each , user picks a random number and computes .
(4) Then, compute and .
(5) Output .
: on inputting a list of public keys, a message , the signature , and a set of tuples , the signature verification algorithm proceeds as follows:
(1) Set as a customized identity. Compute coefficients , , and .
(2) For , run . If all outputs are 1 or deter, proceed; otherwise, abort and terminate.
(3) For each , compute and . Then, compute for .
(4) Check whether . If it holds, output 1; else, output 0.
: on inputting a private signing key , a list of public keys, a new message , and an old signature , perform redaction as follows:
(1) Set as a customized identity. Compute coefficients and .
(2) For each , run to derive . If no is returned, proceed; else, return and terminate.
(3) For each , run . If no 0 is returned, proceed; else, return and terminate.
(4) Output .
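To make the two building blocks concrete, the following is an added example (not the paper's code) that implements a discrete-log chameleon hash with the PCH's two hashing modes (probabilistic and deterministic, with a verifier that tells them apart) and Liu et al.'s LSAG ring signature [33] with its key image, over a toy 64-bit safe-prime group rather than the paper's pairing groups. The function names, the SHA-256 hashing into Z_q, and the identity-plus-message binding are assumptions of this illustration; the PCH policy coefficients and the R-LRRS redaction step are not modelled.

```python
# Added illustration (not the paper's code): a discrete-log chameleon hash with the PCH's
# probabilistic and deterministic modes, and Liu et al.'s LSAG ring signature with its key
# image, over a toy 64-bit safe-prime group instead of the paper's pairing groups.
import hashlib
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic Miller-Rabin below 3.3e24

def is_prime(n):
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    s = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = d * 2^s with d odd
    d = (n - 1) >> s
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits=64):  # deterministic search for p = 2q + 1 with p, q prime (toy size)
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime()
G = 4  # a quadratic residue mod p, hence a generator of the order-q subgroup

def H(*parts):  # hash ints and byte strings into Z_q (stands in for the paper's hash functions)
    h = hashlib.sha256()
    for x in parts:
        h.update(x if isinstance(x, bytes) else str(x).encode())
        h.update(b"|")
    return int.from_bytes(h.digest(), "big") % Q

def keygen():  # private key x, public key y = g^x; for the chameleon hash x is the trapdoor
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

# ---- chameleon hash CH(id, m, r) = g^H(id, m) * y^r ----------------------------------
def ch_hash(y, ident, msg, r):
    return pow(G, H(ident, msg), P) * pow(y, r, P) % P

def ch_phash(y, ident, msg):  # probabilistic mode: fresh randomness for every hash
    r = secrets.randbelow(Q)
    return ch_hash(y, ident, msg, r), r

def ch_dhash(y, ident, msg):  # deterministic mode: randomness derived from the message itself
    r = H(b"det", ident, msg)
    return ch_hash(y, ident, msg, r), r

def ch_verify(y, ident, msg, h, r):
    """0 = invalid; 'deter' = produced by ch_dhash; 1 = produced by ch_phash."""
    if not 0 <= r < Q or ch_hash(y, ident, msg, r) != h:
        return 0
    return "deter" if r == H(b"det", ident, msg) else 1

def ch_adapt(x, ident, msg, r, new_msg):
    """Trapdoor collision: H(m) + x*r = H(m') + x*r' (mod q), so r' = r + (H(m) - H(m'))/x."""
    return (r + (H(ident, msg) - H(ident, new_msg)) * pow(x, -1, Q)) % Q

# ---- LSAG ring signature; the key image hL^x is fixed per (signer, ring) --------------
def ring_base(ring):
    return pow(G, H(b"ring", *ring), P)  # H2(L): the public-key list hashed into the group

def rs_sign(x, pi, ring, msg):
    n, hL = len(ring), ring_base(ring)
    img = pow(hL, x, P)
    c, s = [0] * n, [0] * n
    u = secrets.randbelow(Q)
    c[(pi + 1) % n] = H(*ring, img, msg, pow(G, u, P), pow(hL, u, P))
    for k in range(1, n):  # walk the ring from pi + 1 round to pi
        i = (pi + k) % n
        s[i] = secrets.randbelow(Q)
        z1 = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        z2 = pow(hL, s[i], P) * pow(img, c[i], P) % P
        c[(i + 1) % n] = H(*ring, img, msg, z1, z2)
    s[pi] = (u - x * c[pi]) % Q  # only the holder of x can close the ring
    return c[0], s, img

def rs_verify(ring, msg, sig):
    c0, s, img = sig
    hL, c = ring_base(ring), c0
    for i in range(len(ring)):
        z1 = pow(G, s[i], P) * pow(ring[i], c, P) % P
        z2 = pow(hL, s[i], P) * pow(img, c, P) % P
        c = H(*ring, img, msg, z1, z2)
    return c == c0

def rs_linked(sig_a, sig_b):
    return sig_a[2] == sig_b[2]  # same key image means same signer under the same ring
```

Two signatures by the same key under the same ring share a key image and are linkable, whereas signing under a different ring (as the prebidding phase in Section 6.2 prescribes) yields an unrelated key image; the trapdoor holder can move a chameleon hash to a new message without changing its value, which is what lets a confirmed commitment be re-bound later.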

5. Definitions

In this section, we present our system model and security requirements.

5.1. System Model

The framework of our P is shown in Figure 1. It consists of four parties: auction manager (AM), seller, buyer, and certificate authority (CA). We briefly introduce each entity as follows:
Auction Manager (AM). The auction manager is the one who initiates the system and holds the auction on behalf of the seller. The AM also holds the buyer’s deposit and punishes misbehavior by deducting from the deposit. After he verifies and confirms a winner’s bid, he relays the winner’s money from the buyer to the seller via anonymous cryptocurrency.
Seller. The seller is the one who wishes to sell his merchandise online. He delegates the AM to hold an auction and transacts with the AM in anonymous cryptocurrency. He communicates with the AM via the anonymous channel.
Buyer. The buyer is the one who participates in an auction protocol anonymously to make an offer. He places his bid competitively in order to outbid others. If he wins, he sends money to the AM via cryptocurrency, as previously negotiated and confirmed. He communicates with the AM via the anonymous channel.
Certificate Authority (CA). The certificate authority is a trusted third party which is responsible for assigning private and public key pairs to each buyer, seller, and the AM.

5.2. Security Requirements

A secure P scheme satisfies the following properties:

Ours is secure if the underlying R-LRRS scheme satisfies existential unforgeability against adaptive chosen-plaintext under chosen-public-key attack (EU-ACP-CPK) [33]. The EU-ACP-CPK security is an extension of the notion of existential unforgeability under adaptive chosen-message-attacks (EUF-CMA) [35]. Unlike EUF-CMA, EU-ACP-CPK additionally allows the adversary to select an arbitrary subset of initially generated public keys during each round of signing oracle access. Given the public keys of all group members in the aforementioned way, the adversary still cannot forge a valid signature for any message . A formal definition for EU-ACP-CPK security is given in [33, 36].

Definition 1. Let be the signing oracle which takes inputs of any public key list and any message as queried and outputs a signature as a response such that . An R-LRRS scheme satisfies EU-ACP-CPK if, for any Probabilistic Polynomial Time (PPT) adversary with signing oracle such that , ’s probability in successfully forging a valid signature such that is negligible. Here, is not queried to the signing oracle previously.
Like all ring signature-based auction protocols proposed in [7–9], our is secure if the underlying R-LRRS scheme satisfies anonymity. This means no adversary can efficiently determine the private key used to produce a given R-LRRS signature.

Definition 2. An R-LRRS scheme satisfies anonymity if, for any PPT algorithm , on inputs of any message , any list of public keys, any set of private keys , and any valid R-LRRS signature generated by the signer , ’s probability in successfully linking the signature to the signer is negligible.
Our is secure if the underlying chameleon hash scheme satisfies collision-resistance (COL-RES) and indistinguishability (IND). Following Camenisch et al.’s security model [37], we formalize the security requirements of COL-RES and IND as follows. To note, since one of our PCH’s subalgorithms cannot satisfy any semantic security, we prove by assuming the existence of an unpredictable file source (as given in Section 3.3) to set up a lower bound [32].

Definition 3. A PCH scheme satisfies COL-RES security if, for any PPT algorithm , it is hard to derive a fresh hash collision under unpredictable file source [32], i.e., collision-resistance under unpredictable file source [32], COL-UNP.

Definition 4. A PCH scheme satisfies IND security if, for any PPT , following the model sketched in Figure 1 of [37], it is hard to distinguish between outputs of the deterministic hash (generated by ) and the probabilistic hash (generated by ). Denote this security as IND-D&P.

6. The Construction of P

The detailed construction of our is given in this section. A workflow of our is given in Figure 2.

6.1. Initiation

To join , each user (buyer, seller, and AM) needs to acquire a set of private and public key pairs from the CA. For simplicity, we assume each user is assigned one key pair. The AM selects a security parameter and runs and to initiate the system.

6.2. Prebidding Phase

During this stage, each buyer is required to place his first bid. When this stage is finished, the first bid proof is generated. In addition, a deposit is sent to the AM. The AM can fix the first bid by setting a base price. The first bid is paid as a ticket to the auction and as a deposit to ensure that future misbehavior can be penalized. The deposit will be refunded if it is not a winner’s bid. When this phase is over, each buyer is supposed to output the first bid proof.
(1) Suppose the buyer places his first bid at time point , where is known only to the buyer . He sends money to the AM via an anonymous cryptocurrency. Denote as the time at which the buyer generates the payment, as the private key of the buyer and as the corresponding public key, and as the private key of and as the corresponding public key.
(2) Buyer randomly collects public keys to form a ring sequence , where is the head and is the tail of the ring. Here, is hidden in the ring and unknown to the public.
(3) For each , the buyer runs and . Denote as the first set of commitments and as the second set of commitments; both are committed to .
(4) Buyer runs and . Output as the first bid proof. Buyer sends the first bid proof to the AM.

To note, we use a different set of public keys for each signing to generate the R-LRRS signature. Thus, linkability does not hold in our . In other words, it is hard to detect two signatures generated by the same signer. This is vital since linkability would break the anonymity of our scheme (although it is useful to detect double-spending in cryptocurrencies [33]).

6.3. Bidding Phase

During this stage, each buyer competitively places new bids in order to outbid others. A bulletin board system (BBS) can be utilized to record the bidding history. At the end of this phase, the buyer is supposed to output the last bid proof.
(1) Set and . Set as the last bid proof.
(2) For a new bid placed at time , suppose is the time of the last bid (for simplicity, assume ), and the buyer runs to generate a new signature . Then, set .
(3) Repeat step 2 if the buyer places another bid. When this phase is over, output . Buyer sends the last bid proof to the AM.

To note, is not necessarily required to be calculated immediately when the buyer places a new bid. Ideally, it is computed just for the last bid. However, because the bidding process is unpredictable, it is unknown which bid is the last one until this phase ends.

6.4. Confirmation Phase

In this stage, the AM is supposed to check the BBS and all last bid proofs (suppose there are buyers who have placed their bids). At the end of this phase, the AM generates a confirmation proof for user as follows:
(1) Parse the buyer ’s last bid proof as , where is the time of buyer ’s first bid. Denote as the time of buyer ’s last bid in the bidding phase. Initially set buyer ’s confirmation proof as .
(2) For each buyer , the AM runs to generate . Set .
(3) The AM relays the confirmation proof to each buyer .

6.5. Open Phase

At this stage, each buyer is supposed to open his commitments to the first bid proof (i.e., the inputs used to compute the first commitment). Meanwhile, the AM will open his commitments to the confirmation proof (i.e., the inputs used to compute the second commitment). Failure to comply leads to an invalid bid. Based on the above, the public can verify the validity of the auction procedure and determine a winner. For ease of analysis, we assume each buyer has placed bids more than once and that buyer is the winner. We show how to verify as follows.
(1) Buyer reveals the first bid proof , the last bid proof , and the corresponding commitments , to the public. Accordingly, the AM reveals the confirmation proof and the corresponding commitments to the public. The public can run and to verify the validity of these proofs and commitments.
(2) Based on the information recorded in the BBS, the public can determine a winner. Since each bid is confirmed bidirectionally by the buyer and the AM, neither the buyer nor the AM can deny the validity of the bid. This idea is borrowed from undeniable signatures [38].

Once the winner is determined and confirmed, the winner transmits the money to the AM via anonymous cryptocurrency. In return, the AM relays the money to the seller (possibly charging a transaction fee). In addition, it arranges the shipment of the purchased physical assets to the buyer or grants him access to the purchased digital assets. Accordingly, the shipment and the access are all conducted over the anonymous channel.

7. The Security Analysis of P

Here, we give the security analysis of our proposed scheme based on security requirements defined in Section 5.2.

Theorem 1. If there exists a PPT adversary who can break the EU-ACP-CPK property of our R-LRRS scheme, we can construct a PPT simulator to solve the DLP with nonnegligible probability.

Proof. Suppose can forge an R-LRRS signature with nonnegligible probability, i.e., for some polynomial . Let be the maximum number of queries to and in total. Let be the maximum number of queries to . Then, we can construct a PPT simulator which invokes to solve the DLP with nonnegligible probability. Given a DLP instance , sets , where , and aims to output . simulates inputs for and processes outputs from adaptively. We give a proof sketch as follows:
Let be the system parameter generated in the initiation phase. Let and be random oracles controlled by , which return the same response to the same query by maintaining query histories. Let be a list of public keys where each key is generated properly according to the prebidding phase. invokes adaptively based on the constructed inputs and ’s responses. A simulation transcript tape is used to record the invocation of . can simulate by back patching [33]. Some outputs of are valid forgeries of R-LRRS signatures and are used to solve the DLP with nonnegligible probability. A proof of unforgeability based on rewind simulation is given in [33]. Specifically, the signature returned by is the same as the one signed by the signer in the adversary ’s view. To derive this conclusion, we can discuss the conditional probability of successfully forging a valid signature in each of ’s transcripts and the queries made to the signing oracle . Furthermore, can do a rewind simulation accordingly. By considering the equations based on two -forgery signatures from the tape and a rewind-simulation tape , we can derive the answer to the DLP instance and bound ’s probability of solving the DLP. Due to the intractability of the DLP, our R-LRRS satisfies EU-ACP-CPK security. Refer to [33] for more details.

Theorem 2. If there exists a PPT adversary who can break the anonymity of our R-LRRS scheme, we can construct a PPT simulator to solve the DDHP with a nonnegligible advantage.

Proof. On a given , the simulator is supposed to call and determine . Suppose there exists a PPT adversary such that, on inputs of any message , a list of public keys, a set of private keys , and a valid R-LRRS signature generated by the buyer , ’s probability of successfully linking the signature to the buyer (signer) is, for some polynomial ,

Then, we can construct a PPT simulator to solve the DDHP with probability:

Refer to [33] for details.

Theorem 3. If there exists a PPT adversary who can break the COL-UNP of our PCH scheme, we can construct an algorithm to solve the q-SDHP with nonnegligible probability.

Proof. We give a proof sketch as follows. Given a q-SDHP instance () (parse it as (), where ), where is unknown, we can construct an algorithm which interacts with to derive an answer (), for some , as follows:
(i) Setup: the algorithm runs to initiate the system and derives , where , and is privately kept by . sends to .
(ii) Query: the adversary issues distinct queries to (assume ).
(iii) Response: for each , where , generates responses as follows. Set the polynomial , where are the random coefficients of the polynomial and . Define the coefficients and as follows:

Next, define polynomial and . Compute for each as follows:

Then, can compute each , for each :

Since the equation holds for , where and is the correct response for each collision, replies with as the response.

(iv) Output: the adversary wins the game by outputting such that where , , and .

Next, we can parse by where

Next, we can parse by , for some and . Then, we can deduce by

Since and has never been queried before (i.e., ), cannot divide . So, the algorithm derives a q-SDHP answer as follows:

Theorem 4. If there exists a PPT adversary who can break the IND-D&P of our PCH scheme, we can construct an algorithm to solve the DDHP with a nonnegligible advantage.

Proof. Our IND-D&P is reducible to the DDHP. Suppose is a PPT adversary against our IND-D&P; we prove by game hopping as follows:
(i) Game 0: this is the original game.
(1) Setup: the algorithm runs to initiate the system and derives , where , and is privately kept by . Then, sends to .
(2) Challenge: flips a coin and proceeds differently. For , compute the coefficient and the chameleon hash as follows: For , compute the coefficient and the chameleon hash as follows: relays to the adversary . Suppose issues at most distinct queries to the oracle (controlled by ) on and ; then, returns an answer to each distinct query accordingly.
(3) Output: the adversary outputs and wins if .
(ii) Game 1: it is the same as Game 0, except that we randomly sample and use it to compute . Thus, is computed as follows: where is computed as follows:
(iii) Game 2: it is the same as Game 1, except that we randomly sample and use it to compute . Hence, is computed as follows: where is computed as follows:

If , this implies Game 0; otherwise, , which implies Game 1. Thus, we can bound ’s advantage in solving the DDHP by via distinguishing between Game 0 and Game 1. Here, we denote as the event of winning Game i. Analogously, we have via distinguishing between Game 1 and Game 2. Due to the unpredictability of the file source , Game 2 generates as a one-time pad, and therefore, we have .

Based on the above, we can bound ’s advantage in solving the DDHP by . Details are omitted due to space limitations. Since each hop makes only a negligible change, the modification is outside the adversary ’s view; otherwise, we could construct an algorithm to solve the DDHP, assuming the adversary can distinguish between Game 0 and Game 1, or between Game 1 and Game 2, respectively. Refer to [39] for more details.

8. Performance Evaluation

In this section, we evaluate the computational complexity and experimental performance of our scheme. The complexity of each stage is given in Table 2. As shown in Table 2, during the prebidding and bidding phases, the buyer’s computational complexity is linear in and . However, since can be fixed to 1, if we let the buyer compute only the last bidding proof (instead of one for each bid), our auction protocol turns into a sealed-bid case. In addition, suppose there are buyers who participated in the bidding. To verify the validity of all the last bidding proofs and determine the highest bidder among them, AM needs to perform times verification for each set of commitments and the last bid proof, i.e., in total. The complexity of the open phase at the public side is bounded by and . However, the public can choose to verify themselves or delegate a third party to do it.

Denote as the number of public keys in , as the number of buyers, as the number of bids placed per bidder during the bidding stage, as a group multiplication, as a group exponentiation, as a group inversion, and as a bilinear pairing operation.

Parameters are defined as in Table 2.

We also compare the complexity of our scheme with other works in Table 3. As observed in Table 3, Xiong et al.’s [9] scheme is the most efficient one. The reason is that Xiong et al.’s [9] scheme does not involve a trapdoor commitment to achieve bidirectional confirmation between the buyer and the AM. So, undeniability (dispute-freeness) is not achieved, and when a dispute occurs, it is hard to perform fair arbitration. In contrast, our scheme provides bidirectional confirmation to achieve dispute-freeness, since both the buyer and the AM confirm every bid. These proofs are released together with the commitments during the open stage and are publicly verifiable. Basically, our scheme trades efficiency for the dispute-freeness property.

Next, we conduct experiments to evaluate the running costs of our protocol at the buyer side. We implemented our scheme in the C language on a laptop with a 3.5 GHz 4-core CPU, 8 GB RAM, and a 256 SSD for storage. The operating system is 32-bit Windows 7 SP1. All cryptographic operations are implemented using PBC (version 0.5.13). We choose a supersingular curve with embedding degree 2. Denote and as the binary sizes of groups and , respectively. We range the number of public keys in (i.e., ) from 0 to 5 and compare the running costs at the buyer side for different coefficients and . The experimental results are given in Figure 3. As shown in Figure 3, the costs at the buyer side are determined by several coefficients: , , and . When these coefficients are not unusually large, the running costs are generally acceptable.

9. Conclusion

We proposed a bidirectional and anonymous auction protocol with the dispute-freeness property. Our proposal is based on two cryptographic schemes as building blocks: policy-driven chameleon hash and revised linkable-and-redactable ring signature. In our proposal, bidders can competitively place their bids in order to outbid others.

An auction manager is employed to verify and confirm the bidding proof generated by the buyer. Due to the bidirectional confirmation and public verifiability, our auction protocol is dispute-free. The evidence suggests that our proposal is provably secure based on intractable assumptions. Meanwhile, our proposal is practically efficient, and it trades efficiency for the dispute-freeness feature.

There are a number of additional functionalities that could enrich our current design, for example, employing more standard and sophisticated cryptographic algorithms (e.g., zero-knowledge proofs) to achieve practical and stronger privacy preservation. In addition, a more formal security model that captures practical security threats is needed. Though some current works focus on utilizing several sophisticated cryptographic algorithms in one scheme, they suffer from inefficiency. Therefore, to design a practical bidding protocol for mass deployment, the complexity of the underlying cryptographic algorithms should not be the bottleneck of the whole scheme. We consider the solutions to the above problems as challenging and interesting future work.

Data Availability

No data were used to support the findings of the study.

Conflicts of Interest

The authors declare that they have no conflicts of interest or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

This work was supported in part by the National Key R&D Program of China, under Grant nos. 2017YFB0802300 and 2018YFB08040505, National Natural Science Foundation of China, under Grants 62002048, 61872087, U19A2066, and 62072078, University Startup, under Grant no. Y030202059018061, and Blockchain Research Lab of UESTC, Chengdu Jiaozi Financial Holding Group Company Ltd; China Mobile Information Communication Technology Co., Ltd (Chengdu); 2020 UAV Operation Management Platform Phase II (Package 2: Safety Subsystem) (no. CMCMII-202001245).