Secure Auctions without an Auctioneer via Verifiable Secret Sharing

Maya Larson, Chunqiang Hu, Ruinian Li, Wei Li, Xiuzhen Cheng
Department of Computer Science, The George Washington University, Washington DC, 20052 USA

{maya_, chu, ruinian, weili, cheng}@gwu.edu

ABSTRACT

Combinatorial auctions are a research hot spot. They impact people's daily lives in many applications such as spectrum auctions held by the FCC. In such auctions, bidders may want to submit bids for combinations of goods. The challenge is how to protect the privacy of bidding prices and ensure data security in these auctions. To tackle this challenge, we present an approach based on verifiable secret sharing. The approach is to represent the price in the degree of a polynomial; thus the maximum/sum of the degree of two polynomials can be obtained by the degree of the sum/product of the two polynomials based on secret sharing. This protocol hides the information of bidders (bidding price) from the auction servers. The auctioneers can obtain their secret shares from bidders without a secure channel. Since it doesn't need a secure channel, this scheme is more practical and applicable to more scenarios. This scheme provides resistance to collusion attacks, conspiracy attacks, passive attacks and so on. Compared to [11, 21], our proposed scheme provides authentication without increasing the communication cost.

Categories and Subject Descriptors C.2 [COMPUTER-COMMUNICATION NETWORKS]: General—Security and protection; D.4.6 [Security and Protection]: [Cryptographic controls; Authentication]; K.4.4 [Electronic Commerce]: [Security]

General Terms Algorithms, Design, Security, Verification

1. INTRODUCTION

Combinatorial auctions have gained tremendous attention among researchers and in e-commerce in recent years. An extensive survey is presented in [3]. In combinatorial auctions, multiple goods are auctioned simultaneously and each bid may claim any combination of goods. Examples are auctions for airport time slots, railroad segments, FCC spectrum auctions, delivery routes, network routing and so on.

In traditional auctions, bid privacy is mainly protected via cryptographic functions (public key cryptography, hash chains, etc.) [2, 12, 18, 20]. These schemes are not applicable to the secondary spectrum market as they do not consider spatial reuse and completely ignore the unique challenges caused by the frequency heterogeneity. In the secondary spectrum market, a truthful and bid-privacy preserving spectrum auction mechanism termed SPRING was proposed in [10]. SPRING introduces a trustworthy agent who can interact with both the auctioneer and the bidders such that the information can be separated to ensure that no party in the auction has enough knowledge to infer any sensitive information with certain probability. An obvious weakness of SPRING is its dependence on a trusted third party (the agent). In [15, 16], the authors leverage homomorphic encryption [14] to mask the bidding values of each bidder with a vector of ciphertexts, and enable the auctioneer to find the maximum value, randomize the bids, and charge the bidders securely.

To execute a combinatorial auction, we have to solve the winner determination problem. This can be cooperatively solved by multiple auction servers, which can compute the maximum sum of the combinations of bidding prices. From the viewpoint of security, how to hide bidding prices is an important problem. If we trust the auctioneer, we can simply obtain the private information from the auctioneer. The auctioneer can solve the winner determination problem. However, a trusted auctioneer is not practical because the auctioneer may collude with a participant and reveal the information of bids during the auction. If a strategy-proof mechanism is adopted in which the other participants' bids are useless, this scheme resists collusion attacks. However, if the auctioneer knows the highest bid, he can increase revenue by creating a fake bid whose price is close to the highest bid.

To tackle the above challenges, we have to solve the following two problems: First, multiple auction servers compute the maximum sum of the combinations of bidding prices, while the information of bids that are not part of the optimal solution should be kept secret. Second, collusion among auction servers must be discouraged. We utilize verifiable secret sharing [6] to develop a method to protect privacy and data security. This scheme allows multiple servers to select secret shadows and verify the legitimacy of their identities to each other.

The rest of the paper is organized as follows. In Section 2, we introduce related work; in Section 3 we present preliminaries; in Section 4 we develop the main idea of the proposed scheme; in Section 5 we analyze the security and efficiency of the scheme. Section 6 presents how to apply the secure computing to the applications, followed by a conclusion in Section 7.

PAMCO'15, June 22, 2015, Hangzhou, China. Copyright 2015 ACM 978-1-4503-3523-2/15/06 ...$15.00. DOI: http://dx.doi.org/10.1145/2757302.2757305.

Figure 1: Example of a one-dimensional directed graph

2. RELATED WORKS

In recent years, cryptographic tools such as AES, homomorphic encryption, and secret sharing have been applied to ensure data security and privacy in auctions. SPRING [10] introduces a trustworthy agent to ensure that no party in the auction has the knowledge to obtain any sensitive information with certain probability. An obvious weakness of SPRING is its dependence on a trusted third party (the agent). In [15, 16], the authors mask the bidding prices with a vector of ciphertext, and ensure that the auctioneer can find the maximum value, randomize the bids, and charge the bidders securely based on homomorphic encryption. However, this design [15, 16] involves very high computational overhead as homomorphic encryption is notoriously computationally intensive, which renders it inapplicable to many applications.

In [11, 21], the authors employ secret sharing to hide bidding prices. However, there are two shortcomings in [11]. First, the scheme cannot handle relationships among multiple winners; second, it is not computationally efficient. In [21], the authors hide the bids as the degree of polynomials. However, this scheme is limited to the passive adversary model, and the evaluators have to obtain their shares from a third party via a secure channel, so this scheme cannot resist collusion attacks. Therefore, this scheme is not practical. In [13], the authors apply verifiable secret sharing to construct sealed-bid auctions. The scheme provides verification to resist collusion attacks among the evaluators. Because the evaluators obtain their secret shares from a third party via a private secure channel, the scheme is vulnerable to collusion attacks between evaluators and the third party.

In this paper, we present a private and secure auction based on verifiable secret sharing [6]. Compared to [11, 21], our proposed scheme provides authentication without increasing the communication cost. Meanwhile, the communication between bidder and server does not need a secure channel. The scheme has strong resistance to collusion attacks, conspiracy attacks, passive attacks and so on.

3. PRELIMINARIES

an optimal sequence of decisions is obtained by implementing the principle of optimality. The principle of optimality states that an optimal sequence of decisions has the property that any subset of decisions is also optimal. In the following section, we first introduce the concept of dynamic programming using the algorithm of finding the longest path in a one-dimensional directed graph described in Figure 1. This graph consists of nodes S, 1, 2, ..., n with directed links among them. (j, k) represents a link, where j < k. For each link (j, k), its weight is denoted by w(j, k). Our goal is to find the longest path from initial node S to terminal node n, i.e., to find a path from S to n such that the sum of the weights of the links is maximized. For the sake of simplicity, we assume that there exists at least one link that starts from j for each node j (where 1 ≤ j < n), i.e., there is no dead-end node except n.

The notable characteristic of the longest path problem is as follows. Assume L denotes the longest path from S to n. It follows that the last half of L for any node j on L, i.e., the part of L from j to n, is also a longest path from j to n. This characteristic is called the principle of optimality. This feature helps us to figure out the optimal solution of the original problem from the optimal solutions of sub-problems. Specifically, we can obtain the length of the longest path from S to n by solving the following recurrence formula from node n−1 to S. In this formula, f(j) denotes the length of the longest path from j to n. We call f(j) the evaluation value of node j. For terminal node n, f(n) is defined as S. For initial node S, f(S) represents the optimal solution, i.e., the length of the longest path from S to n.

$$f(j) = \max_{(j,k)} \{ w(j,k) + f(k) \} \tag{1}$$

When calculating this formula, we record the value f(j) of the link (j, k) for each node j, i.e., the value of the link is $\max_{(j,k)} \{ w(j,k) + f(k) \}$. The longest path is constructed by following these recorded links from S to n.

We present a generalization that is used in the following sections. There are n + 1 stages j = 1, ..., n and states (j, s) at each stage j. There can be directed links ((j, s), (k, t)) between these states only if j < k. For each link, weight w(((j, s), (k, t))) is given. Dynamic programming evaluates function f defined by the following recurrence formula:

$$f((j,s)) = \max \{ w(((j,s),(k,t))) + f((k,t)) \} \tag{2}$$

j n. Before secret sharing, each respondent (participant) $u_i$ should obtain its secret key $x_i \in Z_p$, which is only known by $u_i$ and the dealer. The dealer follows a two-step process. First, it constructs a polynomial function f(x) of degree t − 1, i.e.,

$$f(x) = s + \sum_{j=1}^{t-1} a_j x^j, \tag{3}$$

by randomly choosing each $a_j$ i.i.d. with a uniform distribution from $Z_p$. Note that all (additive and multiplication) operations used in (3) and throughout the rest of the paper are modular arithmetic (defined over $Z_p$) as opposed to real arithmetic. Also note that s forms the constant component of f(x), i.e., s = f(0). Then, in the second step, the dealer transmits to each $u_i$ a shared secret $s_i$, where

$$s_i = f(x_i). \tag{4}$$

We now show how t or more users can cooperate to recover the secret s by sharing the secret shares received from the dealer. Without loss of generality, let $u_1, \ldots, u_t$ be the t cooperating users. These t users can reconstruct the secret s = f(0) from $s_1 = f(x_1), \ldots, s_t = f(x_t)$ by computing

$$s = f(0) = \sum_{j=1}^{t} s_j \prod_{i \in [1,n],\, i \neq j} \frac{0 - x_i}{x_j - x_i}. \tag{5}$$

4. THE PROPOSED SCHEME – SECURE COMPUTING

We present the proposed secure dynamic programming protocol, and we also discuss the security and efficiency of the scheme.

4.1 Requirements

The requirements for the secure dynamic programming protocol are as follows:

1. Evaluators (servers) choose their secret key by themselves, and the weight publishers (buyers and sellers) compute and publish their weights for each share.
2. Evaluators verify the legitimacy of their identities to each other, and then cooperatively execute dynamic programming and find the optimal solution, while each weight is kept secret.

To achieve this goal, we have to answer the following questions: How to resist collusion attacks by evaluators? How to determine the maximum and sum of weights without revealing the weights themselves? Our approach is to denote a weight as the degree of a polynomial; thus the maximum/sum of the degree of two polynomials can be obtained by the degree of the sum/product of the two polynomials, and we employ the proposed verifiable secret sharing scheme [6, 7] to resist collusion attacks. Our proposed scheme is based on Shamir's polynomial secret sharing [4, 6, 19], which is a useful cryptographic tool. Secret sharing plays a significant role in protecting secret information from becoming lost, being destroyed, or falling into the wrong hands [5, 8, 9]. However, we represent a secret by the degree of a polynomial while Shamir uses the constant term of a polynomial. This kind of polynomial secret sharing is also used for (M + 1)-th price auctions by Kikuchi [11]. But Kikuchi's scheme does not adopt verifiable secret sharing to resist collusion attacks as we do.

4.2 Basic Idea

A weight publisher WP that has a secret $s \in Z_N$ performs secret sharing as follows. It randomly chooses n (n > s) points $x_1, x_2, \ldots, x_n \in Z_N$ and a constant $c \in Z_N$ and publishes them, and randomly chooses a polynomial $A \in Z_N[x]$ s.t. deg(A) = s and A(0) = c and holds it secret. Weight publisher WP publishes the shares $\{A(x_1), A(x_2), \ldots, A(x_n)\}$. There are l evaluators; each evaluator $E_l$ takes its share $A(x_l)$.

Each weight publisher randomly chooses a masking polynomial $M \in Z_N[x]$ s.t. deg(M) = d and M(0) = 0 and keeps it secret. WP then computes l shares $M(x_l)$, and each evaluator picks up the l-th share. Then, d + 1 evaluators $\{E_1, E_2, \ldots, E_{d+1}\}$ publish masked shares $A(x_l) + M(x_l)$, where l = 1, 2, ..., d + 1. Evaluators perform polynomial interpolation using these d + 1 masked shares, i.e., determine polynomial A + M, recover A(0) = A(0) + M(0), and check whether A(0) = c or not.

If deg(A) ≤ d, we have deg(A + M) = d and can recover the constant term A(0) = c from d + 1 shares. If deg(A + M) > d, we cannot recover the constant term A(0) = c from d + 1 shares. Thus, if A(0) = c holds, we are convinced that deg(A) ≤ d.

Furthermore, the maximum/sum of the degree of two polynomials can be obtained by the degree of the sum/product of the two polynomials by the following formulas:

$$\max\{\deg(A), \deg(B)\} = \deg(A + B) \tag{6}$$

$$\deg(A) + \deg(B) = \deg(A \cdot B) \tag{7}$$

Each evaluator $E_l$ can compute its share of the sum A + B / product A · B of two polynomials A and B by taking the sum $A(x_l) + B(x_l)$ / product $A(x_l) \cdot B(x_l)$ of two shares $A(x_l)$ and $B(x_l)$. This allows the maximum/sum of two secrets to be locally determined.
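The degree encoding of Section 4.2, the Lagrange formula (5) and the recurrence (1) can be exercised together. The following is an added example, not code from the paper: it assumes a prime modulus in place of Z_N, omits the verification layer, and goes beyond the two-polynomial case by running the recurrence on shares for a small constructed graph; all function names and sample values are illustrative.

```python
import random

# Assumption: a prime modulus stands in for the paper's Z_N (N = pq) so that
# every Lagrange denominator is invertible. All names here are illustrative.
P = 2**61 - 1

def rand_poly(degree, const, rng):
    """Coefficients (low to high) of a random polynomial of exactly this degree."""
    coeffs = [const] + [rng.randrange(P) for _ in range(degree)]
    if degree > 0:
        coeffs[-1] = rng.randrange(1, P)      # non-zero leading term fixes the degree
    return coeffs

def evaluate(coeffs, x):
    """Horner evaluation modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def interpolate_at_zero(points):
    """Lagrange interpolation at x = 0, i.e. reconstruction formula (5)."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for i, (xi, _) in enumerate(points):
            if i != j:
                num = num * (0 - xi) % P
                den = den * (xj - xi) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

def degree_at_most(shares, d, const, rng):
    """Degree test of Section 4.2: mask d+1 shares with M (deg d, M(0) = 0) and
    interpolate. The known constant is recovered when deg <= d; for a larger
    degree the result matches only with probability about 1/P."""
    mask = rand_poly(d, 0, rng)
    masked = [(x, (y + evaluate(mask, x)) % P) for x, y in shares[:d + 1]]
    return interpolate_at_zero(masked) == const

def recover_degree(shares, const, rng):
    """Binary search for the smallest d passing the test (needs len(shares) > degree)."""
    lo, hi = 0, len(shares) - 1
    while lo < hi:
        mid = (lo + hi) // 2
        if degree_at_most(shares, mid, const, rng):
            hi = mid
        else:
            lo = mid + 1
    return lo

def max_and_sum_of_bids(bid_a, bid_b, n_evaluators=12, c=7, seed=1):
    """Evaluators add / multiply their own shares, eqs. (6) and (7)."""
    rng = random.Random(seed)
    xs = rng.sample(range(1, 10**6), n_evaluators)        # public points x_l
    A, B = rand_poly(bid_a, c, rng), rand_poly(bid_b, c, rng)
    sums = [(x, (evaluate(A, x) + evaluate(B, x)) % P) for x in xs]
    prods = [(x, evaluate(A, x) * evaluate(B, x) % P) for x in xs]
    return (recover_degree(sums, 2 * c % P, rng),
            recover_degree(prods, c * c % P, rng))

def longest_path_via_degrees(n, weights, c=1, seed=2):
    """Recurrence (1) on shares: F_j = sum over links (j, k) of H_(j,k) * F_k,
    F_n = 1, so deg(F_j) = f(j). Nodes are 0 (start) .. n (terminal)."""
    rng = random.Random(seed)
    xs = rng.sample(range(1, 10**6), sum(weights.values()) + 1)
    H = {link: rand_poly(w, c, rng) for link, w in weights.items()}
    F = {n: [1] * len(xs)}          # F[j][l] is evaluator l's share of F_j
    const = {n: 1}                  # F_j(0), computable from the public c
    for j in range(n - 1, -1, -1):
        links = [(k, H[(a, k)]) for (a, k) in weights if a == j]
        F[j] = [sum(evaluate(h, x) * F[k][l] for k, h in links) % P
                for l, x in enumerate(xs)]
        const[j] = sum(c * const[k] for k, _ in links) % P
    return recover_degree(list(zip(xs, F[0])), const[0], rng)

# Constructed sample graph: longest path 0 -> 1 -> 3 has length 2 + 4 = 6.
SAMPLE_WEIGHTS = {(0, 1): 2, (0, 2): 1, (1, 2): 1, (1, 3): 4, (2, 3): 2}
```

The number of evaluation points must exceed the largest degree being tested, which is why the sample graph uses one more point than the sum of all weights.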

4.3 Secure Computing

4.3.1 Initialization phase

There is a weight publisher $WP_{(i,j)}$ for each link (i, j). There are l evaluators $\{E_1, E_2, \ldots, E_l\}$ where l is greater than the length of the longest path, and d + 1 mask publishers $T_0, \ldots, T_d$ where d is a threshold parameter of mask publishers. For simplicity, a mask publisher corresponds to each weight publisher. To solve the verification problem, weight publisher WP and the evaluators need some intercommunication. It can be done with a public channel. First, the weight publisher chooses two strong primes p and q, and computes N = pq. Then the weight publisher chooses an integer g, which is a generator of [0, N], and publishes {g, N}.

Weight publisher $WP_{(i,j)}$ extends its weight $\tilde{w}(i,j)$: $w(i,j) = \tilde{w}(i,j) + t_w \times (j - i)$, where $t_w$ is a threshold parameter of the weight publisher. The optimal solution (the longest path from S to n) will not change by this extension. We denote the original weight value $\tilde{w}(i,j)$ and the extended weight $w(i,j)$ of node i by $\tilde{f}(i)$ and $f(i)$, respectively. Then $f(i) = \tilde{f}(i) + t_w \times (n - i)$ for each node i. So we can obtain the maximum and perform secure computing as in Section 4.2.

Weight publisher $WP_{(i,j)}$ randomly chooses polynomial $H_{(i,j)}$ for node i s.t. $\deg(H_{(i,j)}) = w(i,j)$ and $H_{(i,j)}(0) = c$, and holds it secret. Each evaluator $E_i$ in E chooses an integer $s_i$ from the interval [2, N] as its secret share and calculates $R_i = g^{s_i} \bmod N$; then evaluator $E_i$ provides $R_i$ and its identity number $id_i$ to weight publisher WP. For any pair of evaluators $E_i$ and $E_j$, WP must ensure that $R_i \neq R_j$. WP publishes $\{id_i, R_i\}$.

4.3.2 Construction phase

The weight publisher WP selects an integer $s_0$ from the interval [2, N] and computes p such that $s_0 p = 1 \bmod \phi(N)$, where $\phi(N)$ is the Euler phi-function. Then it performs the following steps:

1) Compute $R_0 = g^{s_0} \bmod N$ and $R'_i = R_i^{s_0} \bmod N$ for each evaluator $E_i$.
2) Publish $\{R_0, p\}$;
3) Choose a mask polynomial $M_{(i,j)}$;
4) Compute $M_i = M_{(i,j)}(R'_i) \bmod N$;
5) Compute $Y_i = H_{(i,j)}(R'_i) \bmod N$;
6) Publish $\{(M_1, Y_1), (M_2, Y_2), \ldots, (M_n, Y_n)\}$;

4.3.3 Recovery and Verification Phase

Without loss of generality, each evaluator $E_l$ computes its share as follows:

$$F_j(R_l) = \sum_{(i,k)} \left( H_{(i,k)}(R_l) + M(R_l) \right) \times F_k(R_l) \tag{8}$$

for j = n − 1, n − 2, ..., 0, where $F_j(x)$ is the optimized polynomial, which represents the longest path from the start node S to node j, and $F_1(0) = 1$. Equation (8) is related to the recurrence relation of dynamic programming, as described in equation (1). Let $E = \{E_1, E_2, \ldots, E_{d+1}\}$. The evaluators of E will recover the polynomial H(x) + M(x) based on the following procedure.

1) Each evaluator computes $R''_i = R_0^{s_i} \bmod N$ to get the share, where $s_i$ is the share of H(x) + M(x).
2) The evaluator in E verifies $R''_i$ provided by $E_i$. If $(R''_i)^p = R_i \bmod N$, then $R''_i$ is true; otherwise $R''_i$ is false, which means that $E_i$ might be a cheater.
3) Recover the polynomial: The polynomial H(x) + M(x) can be uniquely determined as follows:

$$F_j = \sum_{i=1}^{d+1} (Y_i + M_i) \prod_{j=1,\, j \neq i}^{d+1} \frac{x - R'_j}{R'_i - R'_j} \bmod N = S_1 + S_2 x + \cdots + S_d x^d \bmod N \tag{9}$$

As described in Section 4.2, evaluators check whether $\deg(F_0) \le d$ or not. Evaluators can compute whether $F_0$ equals the appropriate constant determined by constant c or not. For instance, if c = 0, $F_0$ should equal 0. Through the check, we can find the optimal value $f(0) = \deg(F_0)$ via performing binary search, and publish it.

4.3.4 Tracing the optimal path

Evaluators compute the optimal path as follows: Assume that they know $f(j) = \deg(F_j)$, and want to trace to node k s.t. $\deg(F_j) = \deg((H_{(i,k)}(R_l) + M(R_l)) \times F_k)$. For all nodes k linked to node j, we test whether $\deg((H_{(i,k)}(R_l) + M(R_l)) \times F_k) \le \deg(F_j) - 1$ or not. Because the inequality holds for node k that does not attain f(j), evaluators know that the node k attains f(j) when the inequality does not hold for node k. After finding the node k that attains f(j), they can decide $f(k) = \deg(F_k)$ as in Section 4.3.3, and publish it. Iterating this process recursively yields the optimal path.

5. SECURITY ANALYSIS

In this section, we discuss the security strength of the proposed scheme by examining how it can counter prevalent attacks. We also show that our protocol thwarts passive adversaries that use public information and information from collusive participants; passive adversaries cannot manipulate the collusive participants.

5.1 Resistance against active attacks

5.1.1 Evaluator Cheating

Assume that an evaluator, $E_i$, intends to provide a false private key $R_j$ to gain a secret(s). $E_i$ computes $R''_i = R_0^{s_j} \bmod N$ and broadcasts it. However, when receiving $R''_i$ provided by $E_i$, other participants could verify the validity of $R''_i$ by computing $(R''_i)^d = R_j \neq R_i$ because the $Id_i$ and the $R_i$ of $E_i$ are published. Therefore it is easy to detect whether or not $E_i$ provides an incorrect $R''_i$.

5.1.2 Conspiracy attacks

Assume that two evaluators $E_i$ and $E_j$ collude in order to recover the secrets. For example, they could exchange their $s_i$ and $s_j$ values. Thus $E_i$ holds $s_j$ and $E_j$ holds $s_i$. Then $E_i$ can compute $(R''_j)^d = R_j$ and $M_j$ can compute $(R''_i)^d = R_i$. Therefore $M_i$ and $M_j$ might try to pass the verification. However, this is not true because all evaluators have published their Id and (Id, R) pairs, which means that the Id could not be tampered with. Thus other participants can easily recognize the conspiracy of the participants $E_i$ and $E_j$.
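The identity check of Section 4.3.3 and the detection argued in Sections 5.1.1 and 5.1.2 can be run end to end. This is an added example, not code from the paper: the primes, g = 2, the secrets and the identifiers are constructed toy values, and the published exponent (p in Section 4.3.2, d in Section 5.1) is named p_inv here to avoid clashing with the prime p.

```python
from math import gcd

# Constructed toy parameters; the paper asks for two strong primes of
# cryptographic size. P_PRIME, Q_PRIME and G are assumptions of this example.
P_PRIME, Q_PRIME, G = 1019, 1187, 2
N = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)          # Euler phi(N), kept by WP

class WeightPublisher:
    """Holds s0 and the public bulletin board {id_i: R_i} of Section 4.3.1."""

    def __init__(self, s0):
        if gcd(s0, PHI) != 1:
            raise ValueError("s0 must be invertible modulo phi(N)")
        self._s0 = s0
        self.R0 = pow(G, s0, N)               # published
        self.p_inv = pow(s0, -1, PHI)         # published; s0 * p_inv = 1 mod phi(N)
        self.board = {}

    def register(self, ident, R):
        """Accept (id_i, R_i); reject a repeated id or a repeated R_i."""
        if ident in self.board or R in self.board.values():
            raise ValueError("duplicate identity or R value")
        self.board[ident] = R
        return pow(R, self._s0, N)            # R'_i, the evaluation point for E_i

class Evaluator:
    def __init__(self, ident, secret):
        self.ident, self._secret = ident, secret
        self.R = pow(G, secret, N)            # R_i = g^{s_i} mod N

    def respond(self, R0, secret=None):
        """R''_i = R0^{s_i} mod N; `secret` lets the demo model a wrong key."""
        return pow(R0, self._secret if secret is None else secret, N)

def verify(board, p_inv, ident, R2):
    """Step 2 of Section 4.3.3: accept iff (R''_i)^p = R_i mod N."""
    return pow(R2, p_inv, N) == board[ident]

def owner_of(board, p_inv, R2):
    """Map a response back to the registered identity it really belongs to."""
    recovered = pow(R2, p_inv, N)
    return next((i for i, R in board.items() if R == recovered), None)

def run_checks():
    wp = WeightPublisher(s0=65537)
    e1, e2 = Evaluator("E1", 12345), Evaluator("E2", 54321)   # constructed secrets
    points = {e.ident: wp.register(e.ident, e.R) for e in (e1, e2)}
    honest = e1.respond(wp.R0)
    swapped = e1.respond(wp.R0, secret=54321)   # E1 answers with E2's key
    return {
        "honest_accepted": verify(wp.board, wp.p_inv, "E1", honest),
        "response_is_eval_point": honest == points["E1"],
        "swapped_accepted": verify(wp.board, wp.p_inv, "E1", swapped),
        "swapped_traced_to": owner_of(wp.board, wp.p_inv, swapped),
    }
```

Because the board binds each identity to one R value, a response built from another evaluator's secret both fails under the claimed identity and points back to the identity it was derived from.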

5.1.3 Reconstruct the polynomial

If an adversary E tries to use fewer than t shares, where t < d, to reconstruct the polynomial H(x) + M(x), the hardness is equivalent to the case that E successfully breaks Shamir's scheme. Recall that this scheme is based on the security of Shamir's scheme.

5.1.4 Reveal the secret key of the evaluator

Assume an adversary intends to get the secret shadow $s_i$ of the participant $E_i$ from the public information $R_i$. If he wants to obtain $s_i$ from $R_i = g^{s_i}$, he has to solve the discrete logarithm problem (DLP), which is an NP-hard problem. So the attacker cannot obtain the secret key from the evaluator.

5.2 Resistance against passive attacks

In the protocol, d + 1 weight publishers masked all published shares with random polynomials. Hence, masked shares are uniformly random to the adversary and leak no information if the number of weight publishers is less than or equal to the threshold d.

By the extension of weight, the extended weight $w(i,j) = \deg(H_{(i,j)})$ is larger than or equal to d. Hence, the adversary cannot recover polynomial $H_{(i,j)}$ and cannot obtain any information about the weight if the number of evaluators is less than or equal to threshold d. Thus, our protocol is unconditionally secure against passive adversaries.

5.3 Performance Analysis

In this subsection, we discuss the properties of our scheme and compare our scheme with others.

5.3.1 Advantage of the proposed scheme

Table 1 illustrates a comparison of the properties of our scheme and the schemes proposed in [13, 21]. The detailed explanations are presented as follows:

• Most schemes, like [13, 21], assume the third party may be dishonest. Hence, evaluators may not be able to reconstruct the original secrets. So the third party should also be verifiable. Each evaluator is allowed to check whether the third party is honest when distributing the shadows. However, in our scheme, the evaluators choose their own shadows, making it impossible for the third party to cheat them. Therefore we do not need to verify the validity of the third party.
• Each qualified subset of the evaluators is able to compute the shared secrets while the unqualified ones cannot obtain any information about the secrets.
• Each evaluator can check the validity of the shares of other evaluators and itself; our scheme is verifiable. This improves upon [21], in which the evaluator cannot verify the source of the other share. If one evaluator provides a wrong share, other evaluators cannot figure out the identity of the dishonest evaluator.
• The shadow of each evaluator will never be disclosed in the recovery and verification phases and its reuse is secure; our scheme allows multi-use schemes. This improves upon [13, 21], in which the evaluators have to obtain their shadows from the third party via a secure channel when the polynomials are reconstructed.
• Because the evaluators select their secret shadows, the weight publishers do not need to send the shadows to the evaluators via a secure channel in our scheme. This improves upon [13, 21], in which weight publishers have to send the secret shadows to the evaluators via a private secure channel.

Table 1: A comparison of the properties of our scheme and the schemes proposed in [13, 21]

| Properties | The Proposed Scheme | Scheme in [13] | Scheme in [21] |
|---|---|---|---|
| It is impossible for the evaluators to cheat | Yes | No | No |
| Secure Channel | No | Yes | Yes |
| Verification | Yes | Yes | No |
| Efficient recovery, construction, and trace | Yes | Yes | Yes |
| The secret shadow is reusable | Yes | No | No |
| Uses a third party | No | Yes | Yes |
| Each evaluator selects its secret shadow | Yes | No | No |

Table 2 shows round complexity during each phase. The proposed scheme doesn't consider communications without secure channels, i.e., the weight publisher or the evaluators publish shares in our scheme, which can be implemented by a bulletin board. Here, q is the number of links, n is the number of nodes, l is the number of evaluators (which is equal to or greater than possible maximal value), d + 1 is the number of masks, and N is the order of the finite field $Z_N$.

Table 2: Communication complexity
Phases: Initialization phase; Construction phase; Recovery and Verification (Recovery); Tracing to the optimal path
The Proposed Scheme / Add and Multiple protocol in [13]: 0, 3q × l, 0, q × l, 0, d × l × log l, d × l × (q + log l), d × l × (q + log l) + 1
Scheme in [21]: q × l, 0, d × l × log l, d × l × (q + log l)

6. APPLICATION

In this section, we discuss the application of our secure dynamic programming protocol to general combinatorial auctions. For a general combinatorial auction, G = {1, 2, ..., m} denotes multiple different goods. Each bidder $B_k$ (1 ≤ k ≤ n) bids his/her price $b_k(I)$ for each subset I ⊂ G. Our goal is to figure out the max total price of the allocation of goods. As described in [21], we apply the proposed scheme above to solve the problem as follows. For each set I ⊆ G, we create a node I. Between these nodes, we place n multiple links

$$\{ (I, \emptyset) \mid I \subseteq G,\ 1 \le k \le n \} \tag{10}$$

and

$$\{ (I, C) \mid C \subset I \subseteq G,\ |C| \ge \tfrac{|I|}{2},\ 1 \le k \le n \} \tag{11}$$

where ∅ represents the empty set, and |C| and |I| are the number of elements of set C and I, respectively. The weights are as follows:

$$w((I, \emptyset)_k) = b_k(I), \qquad w((I, C)_k) = b_k(I - C) \tag{12}$$

We define that the initial node and terminal node are S and 0, respectively. It is clear that the problem is to figure out the longest path from S to 0, which can be solved using the proposed scheme. Note that our approach does have one disadvantage: if the number of nodes is very large, our scheme may be invalid sometimes because the combinatorial auction’s winner determination problem is NP-complete [17].

7. CONCLUSION AND FUTURE WORK

In this paper, we presented a secure, verifiable dynamic programming method using a verifiable secret sharing scheme. In this method, multiple servers cooperatively compute a general combinatorial auction. Our approach is to represent the price as the degree of a polynomial; thus the maximum/sum of the degree of two polynomials is obtained by the degree of the sum/product of the two polynomials, which hides the information of bidders (bidding price) from the auction servers. Privacy is preserved because the servers do not know the information of bids if the bids are not a part of the optimal solution. This scheme resists collusion attacks because servers verify the legitimacy of each other. Analysis indicates that our scheme is computationally secure and efficient. Moreover, it is easy to implement and applicable in practical settings.

One limitation of the scheme is that a large number of evaluators must be present to maintain the required ratio to the length of the longest path. Designing a method with a smaller number of evaluators is an important and challenging problem. Our future research lies in the following direction: design more efficient approaches. This would make the scheme better suited for practical applications.

Acknowledgments

The authors would like to thank all the reviewers for their helpful comments. This project was supported by US National Science Foundation grants: CNS-1407986, CNS-1318872, CNS-1442642, and CNS-1443858.

8. REFERENCES

[1] R. Bellman. Dynamic programming and lagrange multipliers. Proceedings of the National Academy of Sciences of the United States of America, 42(10):767, 1956.
[2] C. Cachin. Efficient private bidding and auctions with an oblivious third party. In Proceedings of the 6th ACM conference on Computer and communications security, pages 120–127. ACM, 1999.
[3] S. De Vries and R. V. Vohra. Combinatorial auctions: A survey. INFORMS Journal on computing, 15(3):284–309, 2003.
[4] M. Dehkordi and S. Mashhadi. An efficient threshold verifiable multi-secret sharing. Computer Standards & Interfaces, 30(3):187–190, 2008.
[5] C. Hu, X. Cheng, F. Zhang, D. Wu, X. Liao, and D. Chen. Opfka: Secure and efficient ordered-physiological-feature-based key agreement for wireless body area networks. In INFOCOM, 2013 Proceedings IEEE, pages 2274–2282. IEEE, 2013.
[6] C. Hu, X. Liao, and X. Cheng. Verifiable multi-secret sharing based on lrsr sequences. Theoretical Computer Science, 445:52–62, August 2012.
[7] C. Hu, X. Liao, and D. Xiao. Secret image sharing based on chaotic map and chinese remainder theorem. International Journal of Wavelets, Multiresolution and Information Processing, 10(03):1250023(1–18), May 2012.
[8] C. Hu, F. Zhang, T. Xiang, H. Li, X. Xiao, and G. Huang. A practically optimized implementation of attribute based cryptosystems. In 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pages 197–204. IEEE, 2014.
[9] C. Hu, N. Zhang, H. Li, X. Cheng, and X. Liao. Body area network security: A fuzzy attribute-based signcryption scheme. Selected Areas in Communications, IEEE Journal on, 31(9):37–46, 2013.
[10] Q. Huang, Y. Tao, and F. Wu. Spring: A strategy-proof and privacy preserving spectrum auction mechanism. In INFOCOM, 2013 Proceedings IEEE, pages 827–835. IEEE, 2013.
[11] H. Kikuchi. (m+1) st-price auction protocol. IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences, 85(3):676–683, 2002.
[12] K. Kobayashi, H. Morita, K. Suzuki, and M. Hakuta. Efficient sealed-bid auction by using one-way functions. IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences, 84(1):289–294, 2001.
[13] M. Nojoumian and D. R. Stinson. Efficient sealed-bid auction protocols using verifiable secret sharing. In Information Security Practice and Experience, pages 302–317. Springer, 2014.
[14] P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Advances in Cryptology - EUROCRYPT '99, pages 223–238. Springer, 1999.
[15] M. Pan, J. Sun, and Y. Fang. Purging the back-room dealing: Secure spectrum auction leveraging paillier cryptosystem. Selected Areas in Communications, IEEE Journal on, 29(4):866–876, 2011.
[16] M. Pan, X. Zhu, and Y. Fang. Using homomorphic encryption to secure the combinatorial spectrum auction without the trustworthy auctioneer. Wireless Networks, 18(2):113–128, 2012.
[17] M. H. Rothkopf, A. Pekeč, and R. M. Harstad. Computationally manageable combinational auctions. Management science, 44(8):1131–1147, 1998.
[18] K. Sako. Universally verifiable auction protocol which hides losing bids. Proceedings of Public Key Cryptography 2000, pages 35–39, 2000.
[19] A. Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979.
[20] K. Suzuki, K. Kobayashi, and H. Morita. Efficient sealed-bid auction using hash chain. In Information Security and Cryptology - ICISC 2000, pages 183–191. Springer, 2001.
[21] K. Suzuki and M. Yokoo. Secure combinatorial auctions by dynamic programming with polynomial secret sharing. In Financial Cryptography, pages 44–56. Springer, 2003.