Secure Receipt-Free Sealed-Bid Electronic Auction

Jaydeep Howlader¹, Anushma Ghosh², and Tandra DebRoy Pal¹

¹ National Institute of Technology, Durgapur, India
² Microsoft India (R&D) Pvt. Ltd. Hyderabad, India

Abstract. An auction scheme that provides receipt-freeness prevents coercers from rigging the bids. Bid-rigging is a dangerous attack in electronic auctions. It happens when the auction protocol gives the bidder a receipt that proves his bidding price. The coercers force the bidders to disclose their receipts, and hence the bidders lose the secrecy of their bidding prices. This paper presents a protocol for a receipt-free, sealed-bid auction. The scheme ensures receipt-freeness, secrecy of the bid, secrecy of the bidder and public verifiability.

S. Ranka et al. (Eds.): IC3 2009, CCIS 40, pp. 228–239, 2009. © Springer-Verlag Berlin Heidelberg 2009

1 Introduction

Auction has become a major phenomenon of electronic commerce in recent years. An auction is a game for trading items. The buyers compete to have their bids become the winning bid, while the auctioneer and the bidders tussle to trade the items at a reasonable price. The most common auctions are the English auction, the Dutch auction and the Sealed-Bid auction. The Sealed-Bid auction is a mechanism for establishing the price of goods/items and is widely used in the real world. However, the Sealed-Bid auction suffers from a serious attack, namely bid-rigging by coercers. Bid-rigging is a phenomenon where a coercer cheats by ordering other buyers to bid very low prices so that he can win the auction by bidding an unreasonably low price. If bid-rigging occurs, the auction fails to establish the appropriate price. The game of auction goes in favor of the coercers, so it is important to prevent bid-rigging.

The traditional paper-based Sealed-Bid auction does not encounter bid-rigging. No receipt is issued by the auctioneer on submission of bids. The sealed bids are kept secret and are not opened before the scheduled time of the auction. Most of the existing electronic Sealed-Bid auction schemes are subject to bid-rigging, as they issue receipts to the bidders on submission of their bidding prices, which the coercers exploit to verify whether the bidders obeyed their order. The coercers are also able to identify the bidders who have broken the collusion. To enforce the bid-rigging, the coercers reward the colluding bidders and punish the bidders who have broken the collusion.

There are different varieties of Sealed-Bid auction. Vickrey [1] presented a second-price Sealed-Bid auction where the bidder with the highest price won, but he only paid the second highest price. Another Sealed-Bid auction is the M + 1st price auction. The M + 1st Sealed-Bid auction is used to sell M units of a single kind of item, where M bidders win and they pay the M + 1st price. Vickrey's auction can be formulated as an M + 1st auction for M = 1.

Receipt-freeness was first introduced by Benaloh and Tuinstra [2] in a voting protocol to overcome the problem of vote-buying. Their protocol was based on two assumptions: a voting booth that physically separated the voters from the others during the vote casting, and a secure communication channel between the trusted authorities (single or multiple) and the voting booth. Later on, Sakurai and Miyazaki [3] pointed out the problem of bid-rigging in their electronic auction scheme. The scheme was developed to hide the identity of the winning bidder by using a convertible group signature. However, the scheme was not receipt-free, hence it could not prevent bid-rigging in the presence of coercers. Hiding the losing bidders' identity was also discussed in [4,5], but these schemes were again not receipt-free. So, hiding the identity of the bidders is not sufficient to solve the problem of bid-rigging. In addition, the auction scheme should be receipt-free so that the coercers are not able to verify whether the bidders obeyed their order or not.

Some other electronic auction schemes were proposed in the literature. Suzuki et al. [6] used a chain of hash functions to speed up the computation of the auction procedure. In [7] Franklin et al. described a secure auction service that guaranteed secrecy of the bids, verifiability of the winning price and anonymity of the bidders. The problem with those schemes is that they do not prevent bid-rigging in the presence of coercers. The Sealed-Bid auction is the basic mechanism for establishing the price of goods and materials for procurement and is widely used by governmental/nongovernmental organizations.
The auction schemes [3,5,6,7] were designed for sealed-bid auctioning. Kikuchi et al. presented an anonymous sealed-bid auction in [8] using an encrypted bid vector. A sealed-bid auction procedure based on a time-dependent cryptographic key was presented in [9] by Michiharu. Abe and Suzuki [10] proposed an M + 1st sealed-bid auction using homomorphic encryption. The above schemes did not provide receipt-freeness. The first receipt-free sealed-bid auction scheme was proposed by Abe and Suzuki [11] to prevent bid-rigging. The scheme was based on a multiple-auctioneer threshold trust model, i.e., a majority of the auctioneers were assumed to be honest. In their scheme the bidders chose their secret seeds for bidding. A t-out-of-n secret share is shared among the auctioneers. During the opening, all auctioneers published their secret shares and recovered the secret seed to compute the winning price. However, a dishonest auctioneer might disclose the secret seeds of the bidders to the coercers after opening, so that the coercers could know all the secret information of the victim bidders beforehand. If the winning price was not in favor of the coercer, he could identify the victim bidders who had not followed the order. So Abe and Suzuki's scheme could not prevent bid-rigging completely.

Recently, Chen et al. [12] presented a receipt-free auction scheme using homomorphic encryption. Chen et al. introduced another entity called the seller. The scheme was based on a single-auctioneer, single-seller model. The bidders chose their secret seeds and constructed their encrypted bid-vectors. The encrypted bid-vectors were sealed by the seller and sent back to the bidders. The bidders checked the validity of their seals, but they could not prove their bidding prices from the sealed bid-vectors. After verifying the seal, the sealed bids were placed on a bulletin board. At the time of opening the auctioneer opened the bids and declared the winning price. The scheme suffers from two major problems. Firstly, the auctioneer may open the bids before the scheduled time and evaluate the winning price. Then he can provide the information to his agents to bid accordingly. Secondly, if the seller is dishonest, he may provide the encrypted bid-vectors to the coercers. The encrypted bid-vectors are all committed messages. The coercers would exploit the committed messages to verify whether the bidders obeyed their order.

In this paper we present a receipt-free auction scheme with multiple sealers and a single auctioneer. Our scheme is based on a multiple-sealer trust model, assuming that some of the sealers are honest. We ensure that the auctioneer cannot open the bids before the scheduled time. We also ensure that any blinded message provided by the dishonest sealers to coercers, in any intermediate stage of the auction, does not reveal any information. We assume an anonymous channel between the bidders and the sealers. The anonymous channel hides the correspondence between the sender and the receiver.

The rest of the paper is organized as follows: section 2 presents the basic properties and requirements of a receipt-free sealed-bid auction. Section 3 describes the auction scheme. The auction scheme is divided into two phases: bidding phase and opening phase. In section 4 we present the security and verifiability analysis. Section 5 presents the efficiency and complexity of the proposed auction scheme. The conclusion of the work is in section 6.

2 Receipt-Free Sealed-Bid Auction: Properties and Security Requirements

The sealed-bid auction is an auction mechanism where the bidders submit their bids in sealed envelopes. The bids are kept secret during the bidding period. There is a predetermined schedule for bid opening. No bids are accepted after the scheduled time. The bids are opened by the auctioneer at the time of opening and the winning price is determined according to the auction rule. The sealed-bid auction procedure can be formulated in two phases: bidding phase and opening phase. To achieve a fair auction, the sealed-bid auction protocol must satisfy the following properties:

2.1 Properties of Receipt-Free Sealed-Bid Auction

Secrecy of Bids: All the bids must be kept secret during the bidding phase. No one, not even the auctioneer, can open the bids before the time of opening. All the bids except the winning bid must be kept secret even after the auction is over. Hiding the losers' prices [4,5] is also important.

Verifiability: Anyone must be able to verify the correctness of the auction. As mentioned above, all the prices except the winning price are kept secret after the opening of the auction. So anyone should be able to verify whether the winning price declared by the auctioneer is indeed the correct price or not.

Anonymity: The bidder must bid anonymously. The encrypted bids should not contain the identity of the bidders, nor should the bidders be able to prove their bidding prices from the sealed bids. It is important to keep the bidders' identities secret even after the opening of the bids, to prevent bid-rigging.

Efficiency: The computation and communication overhead of the auction should be reasonable. The bidders should not bear a heavy computational load relative to the auction authorities. Moreover, the bidders should not need to be present during the opening.

Non-repudiation: The auctioneer only declares the winning price. The bidder who has bid the winning price may not respond or may repudiate. The auction protocol should be able to identify the winning bidder, if necessary.

Receipt-freeness: The auction scheme should be receipt-free to avoid bid-rigging. No one, not even the bidder himself, should be able to prove his bidding price from the sealed bid.

2.2 Physical Requirements for Receipt-Free Sealed-Bid Auction

The physical requirements, to ensure security and prevent bid-rigging, are as follows:

Public Board: The public board is a public channel with memory, where the entities can write but no one can delete any information. The public board is available to every entity.

Anonymous Channel: An anonymous channel hides the correspondence between the sender and the receivers. Chaum [17] described a computationally secure anonymous channel called MIX-net using a public board. The anonymous channel hides who sends to whom. We assume an anonymous channel between the bidders and the sealers. Bidders compute their encrypted bids and send the encrypted bids to the sealers through the anonymous channel. The sealers do not know the source of the encrypted bids. They perform the sealing operation and write the sealed bids on the public board.

2.3 Entities of Receipt-Free Sealed-Bid Auction

The entities of the auction protocol are as follows:

Auctioneer: who wants to sell some items or conducts the auction. There is a single auctioneer. The auctioneer publishes a price list $P = \{p_1, p_2, \ldots, p_n\}$, in ascending order.

Bidder: who wants to buy the items and bids for the items. There are $m$ bidders $B = \{B_1, B_2, \ldots, B_m\}$. The number of bidders is not fixed. The bidder $B_i$ selects his bidding price $p_j \in P$ and constructs an encrypted bid-vector with his random seed.

Sealer: who plays a role between the bidders and the auctioneer. The sealer performs the sealing operation on the encrypted bid-vectors generated by the bidders. There are $t$ sealers $S = \{S_1, S_2, \ldots, S_t\}$. Generally, $t < m$. To avoid collusion we have introduced multiple sealers. The bid-vectors are sealed by all the $t$ sealers.

The auction scheme is based on the following assumptions:
1. $B = \{B_1, B_2, \ldots, B_m\}$ is the set of $m$ bidders; some of them may be coercers.
2. $S = \{S_1, S_2, \ldots, S_t\}$ is the set of sealers; some of the sealers may collude with the coercive bidders. We assume that not all the sealers collude; there are some honest sealers.
3. There is a single auctioneer, $A$. The auctioneer along with the $t$ sealers opens the bids at the scheduled time. Then the auctioneer computes and declares the winning price. The scheme ensures that the auctioneer cannot open the bids without the cooperation of all the sealers.
4. Coercers are powerful enough to get hold of all the stored keys of the bidders. Coercers can force the bidders to disclose the plaintext for any committed ciphers that the coercers get. But coercers are not able to influence the bidding process and they are not able to observe the bidders while they bid.

3 Receipt-Free Sealed-Bid Auction Procedure

Consider a subgroup $G_q$ of order $q$ of $\mathbb{Z}_p^*$, where $p$ and $q$ are large primes and $q \mid p - 1$. Let $g \in G_q$ be a generator of the group $G_q$. $G_y$ and $G_n$ are two independent generators of the group $G_q$, which indicate 'I bid' and 'I do not bid' respectively. The keys used in the auction protocol are:
– Bidder $B_i$'s private key is $x_{B_i}$ and public key is $h_{B_i} = g^{x_{B_i}}$.
– Auctioneer $A$ chooses his secret key $x_A$ and publishes his public key $h_A = g^{x_A}$.
– Sealer $S_i$ has a private key $x_{S_i}$ and publishes his public key $h_{S_i} = g^{x_{S_i}}$.
– $h_S = \prod_{i=1}^{t} h_{S_i}$ is the shared public key of the $t$ sealers.
– $h_{S/S_i,S_j,\ldots,S_k} = h_S / (h_{S_i} h_{S_j} \cdots h_{S_k})$ is the shared public key of the sealers excluding $S_i, S_j, \ldots, S_k$.

3.1 Bidding Phase

The bidder $B_i$ selects his bidding price from the list $P$ and generates an encrypted bid-vector. The bidder sends the encrypted bid-vector to the sealers through an anonymous channel. The sealers $S_1, S_2, \ldots, S_t$ perform the sealing operation and write the receipt-free sealed bid-vector on a public board. The sealing operation is performed by all the $t$ sealers. The bidder verifies his sealed bid-vector. The bidding process is described in detail below.

1. Bidder $B_i$ decides his bidding price $p_j \in P$ from the price list published by the auctioneer and encrypts the price as follows:

\[
{}_i\Gamma_j = ({}_iX_j, {}_iY_j) =
\begin{cases}
\bigl(g^{{}_ir_j},\; h_A^{{}_ir_j} h_S^{{}_ir_j} G_y\bigr) & \text{if } p_j \text{ is the } j\text{th price in the list } P \\
\bigl(g^{{}_ir_j},\; h_A^{{}_ir_j} h_S^{{}_ir_j} G_n\bigr) & \text{otherwise}
\end{cases}
\]

for $1 \le j \le n$, where ${}_ir_j \in_R \mathbb{Z}_q$ is randomly selected by bidder $B_i$. The notation ${}_i\Gamma_j$ denotes the $j$th encrypted price of the bidder $B_i$. $B_i$ also computes a blinded commitment vector as:

\[
{}_iC_j = \bigl(h_A^{{}_ir_j\, H({}_i\Gamma_j)}\bigr)^{x_{B_i}}
\]

for $1 \le j \le n$, where $H$ is a one-way hash function. The bidder $B_i$ constructs the encrypted bid-vector as a two-tuple $\langle {}_i\Gamma_j, {}_iC_j \rangle$ and sends the encrypted bid-vector to any of the $t$ sealers through the anonymous channel. Let $B_i$ send the encrypted bid-vector to $S_k$.

2. Sealer $S_k$ receives the encrypted bid-vector, engraves his random seed ${}_ir_{j,s_k}$ and computes the partially sealed bid-vector as $\langle {}_i\Gamma_{j,k}, {}_iC_j, {}_iR_j \rangle$ where ${}_i\Gamma_{j,k} = \{{}_iX_{j,k}, {}_iY_{j,k}\}$:

\[
{}_iX_{j,k} = {}_iX_j \cdot g^{{}_ir_{j,s_k}} = g^{{}_ir_j} \cdot g^{{}_ir_{j,s_k}} = g^{{}_ir_j + {}_ir_{j,s_k}}
\]

\[
\begin{aligned}
{}_iY_{j,k} &= {}_ir_{j,s_k} \cdot {}_iY_j \cdot h_A^{{}_ir_{j,s_k}} \cdot h_{S/S_k}^{{}_ir_{j,s_k}} \cdot ({}_iX_j)^{-x_{S_k}} \\
&= {}_ir_{j,s_k} \cdot h_A^{{}_ir_j} h_S^{{}_ir_j} \cdot h_A^{{}_ir_{j,s_k}} \cdot h_{S/S_k}^{{}_ir_{j,s_k}} \cdot h_{S_k}^{-{}_ir_j} \cdot G \\
&= {}_ir_{j,s_k} \cdot h_A^{{}_ir_j + {}_ir_{j,s_k}} \cdot h_{S/S_k}^{{}_ir_j} \cdot h_{S/S_k}^{{}_ir_{j,s_k}} \cdot G \\
&= {}_ir_{j,s_k} \cdot h_A^{{}_ir_j + {}_ir_{j,s_k}} \cdot h_{S/S_k}^{{}_ir_j + {}_ir_{j,s_k}} \cdot G
\end{aligned}
\]

for $1 \le j \le n$, where ${}_ir_{j,s_k} \in_R \mathbb{Z}_q$ is randomly selected by sealer $S_k$ and $G$ is either $G_n$ or $G_y$. Sealer $S_k$ computes a response ${}_iR_j = \langle {}_iR_j, {}_i\alpha_j, {}_i\beta_j \rangle$. The response is used by the bidders to verify the seal. Sealer $S_k$ selects random numbers ${}_iw_{j,k}$ for $1 \le j \le n$ and computes the following:

\[
\begin{aligned}
{}_iR_j &= {}_iw_{j,k} + {}_iC_j \cdot {}_ir_{j,s_k} \\
{}_i\alpha_j &= g^{{}_iw_{j,k}} \\
{}_i\beta_j &= ({}_ir_{j,s_k})^{-{}_iC_j} \cdot h_A^{{}_iw_{j,k}}
\end{aligned}
\]

The sealer $S_k$ sends $\langle {}_i\Gamma_{j,k}, {}_iC_j, {}_iR_j \rangle$ to some sealer $S_l$ randomly selected from $S - \{S_k\}$.

3. $S_l$ receives the partially sealed bid-vector $\langle {}_i\Gamma_{j,k}, {}_iC_j, {}_iR_j \rangle$ from $S_k$ and performs the sealing operation to produce the partially sealed bid-vector $\langle {}_i\Gamma_{j,l}, {}_iC_j, {}_iR_j \rangle$,

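where ${}_i\Gamma_{j,l} = \{{}_iX_{j,l}, {}_iY_{j,l}\}$:

\[
{}_iX_{j,l} = {}_iX_{j,k} \cdot g^{{}_ir_{j,s_l}} = g^{{}_ir_j + {}_ir_{j,s_k}} \cdot g^{{}_ir_{j,s_l}} = g^{{}_ir_j + {}_ir_{j,s_k} + {}_ir_{j,s_l}} = g^{{}_ir_j + \sum_{a=k,l} {}_ir_{j,s_a}}
\]

\[
\begin{aligned}
{}_iY_{j,l} &= {}_ir_{j,s_l} \cdot {}_iY_{j,k} \cdot h_A^{{}_ir_{j,s_l}} \cdot h_{S/S_k,S_l}^{{}_ir_{j,s_l}} \cdot ({}_iX_{j,k})^{-x_{S_l}} \\
&= {}_ir_{j,s_l} \cdot {}_ir_{j,s_k} \cdot h_A^{{}_ir_j + {}_ir_{j,s_k}} \cdot h_{S/S_k}^{{}_ir_j + {}_ir_{j,s_k}} \cdot G \cdot h_A^{{}_ir_{j,s_l}} \cdot h_{S/S_k,S_l}^{{}_ir_{j,s_l}} \cdot h_{S_l}^{-({}_ir_j + {}_ir_{j,s_k})} \\
&= {}_ir_{j,s_l} \cdot {}_ir_{j,s_k} \cdot h_A^{{}_ir_j + {}_ir_{j,s_k} + {}_ir_{j,s_l}} \cdot h_{S/S_k,S_l}^{{}_ir_j + {}_ir_{j,s_k} + {}_ir_{j,s_l}} \cdot G \\
&= \Bigl(\prod_{a=k,l} {}_ir_{j,s_a}\Bigr) \cdot h_A^{{}_ir_j + \sum_{a=k,l} {}_ir_{j,s_a}} \cdot h_{S/S_k,S_l}^{{}_ir_j + \sum_{a=k,l} {}_ir_{j,s_a}} \cdot G
\end{aligned}
\]

for $1 \le j \le n$, where ${}_ir_{j,s_l} \in_R \mathbb{Z}_q$ is randomly selected by sealer $S_l$. Sealer $S_l$ updates the response ${}_iR_j$ with his random numbers ${}_iw_{j,l}$ for $1 \le j \le n$ as follows:

\[
\begin{aligned}
{}_iR_j &= {}_iR_j + ({}_iw_{j,l} + {}_iC_j \cdot {}_ir_{j,s_l}) = \sum_{a=k,l} {}_iw_{j,a} + {}_iC_j \sum_{a=k,l} {}_ir_{j,s_a} \\
{}_i\alpha_j &= {}_i\alpha_j \cdot g^{{}_iw_{j,l}} = g^{\sum_{a=k,l} {}_iw_{j,a}} \\
{}_i\beta_j &= {}_i\beta_j \cdot ({}_ir_{j,s_l})^{-{}_iC_j} \cdot h_A^{{}_iw_{j,l}} = \Bigl(\prod_{a=k,l} {}_ir_{j,s_a}\Bigr)^{-{}_iC_j} \cdot h_A^{\sum_{a=k,l} {}_iw_{j,a}}
\end{aligned}
\]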

The sealer $S_l$ sends the partially sealed bid-vector $\langle {}_i\Gamma_{j,l}, {}_iC_j, {}_iR_j \rangle$ to some sealer $S_m$, randomly selected from $S - \{S_k, S_l\}$. Sealer $S_m$ receives the partially sealed bid-vector, engraves his random seed, updates the response vector and sends the bid-vector to some other sealer.

4. In this way, the last sealer, say $S_t$, receives the bid-vector and computes the final sealed bid-vector as $\langle {}_i\Gamma_{j,t}, {}_iC_j, {}_iR_j \rangle$ where ${}_i\Gamma_{j,t} = \{{}_iX_{j,t}, {}_iY_{j,t}\}$:

\[
{}_iX_{j,t} = g^{{}_ir_j + \sum_{a=1}^{t} {}_ir_{j,s_a}}
\]

\[
\begin{aligned}
{}_iY_{j,t} &= \Bigl(\prod_{a=1}^{t} {}_ir_{j,s_a}\Bigr) \cdot h_A^{{}_ir_j + \sum_{a=1}^{t} {}_ir_{j,s_a}} \cdot h_{S/S_1,S_2,\ldots,S_t}^{{}_ir_j + \sum_{a=1}^{t} {}_ir_{j,s_a}} \cdot G \\
&= \Bigl(\prod_{a=1}^{t} {}_ir_{j,s_a}\Bigr) \cdot h_A^{{}_ir_j + \sum_{a=1}^{t} {}_ir_{j,s_a}} \cdot G
\end{aligned}
\]

Sealer $S_t$ updates the response vector ${}_iR_j$ as:

\[
\begin{aligned}
{}_iR_j &= \sum_{a=1}^{t} {}_iw_{j,a} + {}_iC_j \sum_{a=1}^{t} {}_ir_{j,s_a} \\
{}_i\alpha_j &= g^{\sum_{a=1}^{t} {}_iw_{j,a}} \\
{}_i\beta_j &= \Bigl(\prod_{a=1}^{t} {}_ir_{j,s_a}\Bigr)^{-{}_iC_j} \cdot h_A^{\sum_{a=1}^{t} {}_iw_{j,a}}
\end{aligned}
\]

Sealer $S_t$ puts the sealed bid-vector $\langle {}_i\Gamma_{j,t}, {}_iC_j, {}_iR_j \rangle$ on the public board.

5. The bidder $B_i$ checks the validity of the sealed bid-vector, that is, $B_i$ checks whether ${}_i\Gamma_{j,t}$ is indeed the sealed bid-vector of ${}_i\Gamma_j$. The verification is done as follows:
– $B_i$ identifies his sealed bid from the challenge vector ${}_iC_j$ and verifies the following relations:

\[
\begin{aligned}
g^{{}_iC_j\, {}_ir_j + {}_iR_j} &\stackrel{?}{=} {}_i\alpha_j\, ({}_iX_{j,t})^{{}_iC_j} \\
h_A^{{}_iC_j\, {}_ir_j + {}_iR_j}\, G^{{}_iC_j} &\stackrel{?}{=} {}_i\beta_j\, ({}_iY_{j,t})^{{}_iC_j}
\end{aligned}
\]

for $1 \le j \le n$. $G$ is either $G_y$ or $G_n$ depending on $B_i$'s bidding price. If the bidder $B_i$ fails to verify his bidding price, he raises a complaint.

3.2 Opening Phase

After the bidding phase has been executed successfully, the bids are opened at the scheduled time. All sealers $S_k$, for $1 \le k \le t$, compute $V_{j,s_k} = \prod_{i=1}^{m} ({}_ir_{j,s_k})$, the product of all random seeds ${}_ir_{j,s_k}$ used for sealing the $j$th price value, and send it privately to the auctioneer $A$. After receiving all $V_{j,s_k}$ ($1 \le k \le t$) from the $t$ sealers, the auctioneer $A$ opens the bid-vectors and declares the winning price. The opening of bids is as follows:

1. The auctioneer opens the bids in descending order, that is, the auctioneer first opens the bids for $p_n$, then $p_{n-1}$ and so on until the winning price is found. The opening of the $j$th price value is done as follows:
– $A$ computes

\[
Y_j = \frac{\prod_{i=1}^{m} {}_iY_{j,t}}{\prod_{i=1}^{m} ({}_iX_{j,t})^{x_A}} = \prod_{i,k=1}^{m,t} \bigl({}_ir_{j,s_k}\bigr) \cdot G, \qquad G \text{ is either } G_n \text{ or } G_y
\]

\[
G_j = \frac{Y_j}{\prod_{k=1}^{t} V_{j,s_k}} = G_n^{m-l}\, G_y^{l}
\]

$G_j = G_n^{m-l} G_y^{l}$ for $l \ge 0$. The auctioneer declares the winning price as $p_j$, for the $j$ where $l \ge 1$ appears first.

2. After the winning price is declared, the bidder $B_i$ claims his victory with the encrypted bid-vector $\langle {}_i\Gamma_j, {}_iC_j \rangle$. The auctioneer verifies the claim and decides the winner as follows:
– The auctioneer computes

\[
{}_iC_j^{\,(H({}_i\Gamma_j)\, x_A)^{-1}} = {}_iX_j^{\,x_{B_i}}
\]

– The bidder $B_i$ and the auctioneer $A$ execute an interactive zero-knowledge proof protocol to verify that ${}_iC_j$ and $h_{B_i}$ have the common exponent $x_{B_i}$.
  • $B_i$ selects $\delta_j$ for $1 \le j \le n$ randomly, computes $a_j = g^{\delta_j}$, $b_j = {}_iX_j^{\delta_j}$ and sends $(a_j, b_j)$ to the auctioneer.
  • Auctioneer $A$ selects random challenges $c_j$ for $1 \le j \le n$ and sends them to the bidder $B_i$.
  • $B_i$ computes $\gamma_j = \delta_j + c_j x_{B_i}$ and replies to $A$.
  • The auctioneer verifies the following relations:

\[
g^{\gamma_j} \stackrel{?}{=} a_j \cdot h_{B_i}^{c_j}, \qquad {}_iX_j^{\gamma_j} \stackrel{?}{=} b_j \cdot {}_iC_j^{\,c_j} \qquad \text{for } 1 \le j \le n
\]
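The bidding phase (steps 1 to 5) and step 1 of the opening phase, run end to end as an added Python example; this is not the authors' code. The toy group (p = 2039, q = 1019, g = 4), the marks 9 and 25, SHA-256 as H, the fixed sealing order and all function names are assumptions of the example, and the winner's zero-knowledge proof is not included.

```python
import hashlib, math, secrets

# Toy group constructed for this example: P = 2Q + 1, far too small for real use.
P, Q, G = 2039, 1019, 4        # G generates the order-Q subgroup G_q
G_Y, G_N = 9, 25               # marks 'I bid' / 'I do not bid' (independence assumed)

def rand_exp():
    return secrets.randbelow(Q - 1) + 1            # uniform in [1, Q-1]

def keygen():
    x = rand_exp()
    return x, pow(G, x, P)

def encrypt_bid(choice, n, h_A, h_S, x_B):
    """Step 1: bid-vector entries <X, Y, C>; the seeds r_j stay with the bidder."""
    vec, seeds = [], []
    for j in range(n):
        r = rand_exp()
        X = pow(G, r, P)
        Y = pow(h_A * h_S % P, r, P) * (G_Y if j == choice else G_N) % P
        h = int.from_bytes(hashlib.sha256(f"{X},{Y}".encode()).digest(), "big") % Q or 1
        C = pow(h_A, r * h * x_B % Q, P)           # blinded commitment
        vec.append({"X": X, "Y": Y, "C": C, "R": 0, "alpha": 1, "beta": 1})
        seeds.append(r)
    return vec, seeds

def seal(vec, x_S, h_rest, h_A):
    """Steps 2-4, one sealer's pass. h_rest is the product of the public keys of
    the sealers that have not sealed yet. Returns the seeds this sealer used."""
    used = []
    for e in vec:
        r, w = rand_exp(), rand_exp()
        strip = pow(e["X"], -x_S, P)               # (incoming X)^(-x_S)
        e["Y"] = r * e["Y"] * pow(h_A * h_rest % P, r, P) * strip % P
        e["X"] = e["X"] * pow(G, r, P) % P
        e["R"] = (e["R"] + w + e["C"] * r) % Q
        e["alpha"] = e["alpha"] * pow(G, w, P) % P
        e["beta"] = e["beta"] * pow(r, -e["C"], P) * pow(h_A, w, P) % P
        used.append(r)
    return used

def bidder_verifies(vec, seeds, choice, h_A):
    """Step 5: both relations must hold for every price entry."""
    for j, (e, r) in enumerate(zip(vec, seeds)):
        mark, k = (G_Y if j == choice else G_N), e["C"] * r + e["R"]
        if pow(G, k, P) != e["alpha"] * pow(e["X"], e["C"], P) % P:
            return False
        if pow(h_A, k, P) * pow(mark, e["C"], P) % P != e["beta"] * pow(e["Y"], e["C"], P) % P:
            return False
    return True

def count_bids(board, j, x_A, V):
    """Opening of price j: returns l such that G_j = G_n^(m-l) * G_y^l."""
    num = den = 1
    for vec in board:
        num, den = num * vec[j]["Y"] % P, den * vec[j]["X"] % P
    Gj = num * pow(den, -x_A, P) % P
    for v in V:                                    # V[k] = V_{j,s_k} from sealer k
        Gj = Gj * pow(v, -1, P) % P
    m = len(board)
    for l in range(m + 1):
        if Gj == pow(G_N, m - l, P) * pow(G_Y, l, P) % P:
            return l
    raise ValueError("opened value is not a product of marks")

def run_auction(choices, n, t):
    """choices[i] is bidder i's price index. Returns (winning index, all seals verified)."""
    x_A, h_A = keygen()
    sealers = [keygen() for _ in range(t)]
    h_S = math.prod(h for _, h in sealers) % P
    board, seeds_of, all_ok = [], [[] for _ in range(t)], True
    for choice in choices:
        x_B, _ = keygen()
        vec, seeds = encrypt_bid(choice, n, h_A, h_S, x_B)
        h_rest = h_S
        for k, (x_S, h_Sk) in enumerate(sealers):  # fixed order here; the paper picks it at random
            h_rest = h_rest * pow(h_Sk, -1, P) % P
            seeds_of[k].append(seal(vec, x_S, h_rest, h_A))
        all_ok = all_ok and bidder_verifies(vec, seeds, choice, h_A)
        board.append(vec)
    for j in reversed(range(n)):                   # highest price first
        V = [math.prod(pb[j] for pb in seeds_of[k]) % P for k in range(t)]
        if count_bids(board, j, x_A, V) >= 1:
            return j, all_ok
    return None, all_ok
```

Because every sealer multiplies its own seed into Y, the opened value is a product of marks only when all t values V_{j,s_k} are supplied, which is why `count_bids` needs the full list `V`.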

4 Security Analysis

The proposed scheme satisfies the following security properties:

Security: The bidders generate their encrypted bid-vectors and send them through an anonymous channel to some sealer. The anonymous channel hides the correspondence between the sender and the receiver. So, if the coercers eavesdrop on the communication, they would not get any information about whose bid is what. Even if the coercers capture some encrypted bid-vectors from some colluding sealers, they would not be able to establish any correspondence between the bidders and the encrypted bid-vectors. However, the encrypted bid-vector contains the identity of the bidder engraved in the blind commitment ${}_iC_j$. In that case, the auctioneer can verify the identity of the bidder $B_i$ only after the auctioneer and the bidder honestly execute an interactive zero-knowledge proof. The encrypted bid-vectors are sealed by $t$ sealers so that the auctioneer cannot open the bids without the help of all the sealers. We assume that there are some honest sealers who will not provide $V_{j,s_k} = \prod_{i=1}^{m} ({}_ir_{j,s_k})$ before the scheduled time of opening. So it is ensured that the auctioneer is unable to open the bids before the scheduled time.

Receipt-freeness: ${}_i\Gamma_j = ({}_iX_j, {}_iY_j)$ contains the encrypted price value of the bidder $B_i$. ${}_i\Gamma_j$ is sealed by $t$ sealers as ${}_i\Gamma_{j,t}$ and written on the public board. The sealed bid-vector contains the random seeds of the $t$ sealers. The bidder $B_i$ can verify the seal on his bid, but he cannot prove to any third party that ${}_i\Gamma_{j,t}$ is the sealed bid of ${}_i\Gamma_j$, as the bidder does not know the random seeds used by the $t$ sealers. Even a subset of colluding sealers is not able to establish the correspondence between ${}_i\Gamma_{j,t}$ and ${}_i\Gamma_j$. Moreover, the initial encrypted price value $({}_iX_j, {}_iY_j)$ generated by the bidder $B_i$ is not required during the validity checking.

Validity: The result of the auction can be verified by anyone. If anyone wants to check the correctness of the result, the auctioneer publishes all the $Y_j$ and the $V_{j,s_k}$ ($w \le j \le n$ where $p_w$ is the winning price), and the correctness can be verified.

Anonymity: The anonymous channel between the bidders and the sealers allows the bidders to bid anonymously. Moreover, the result of the auction does not reveal the bidder's identity, only the winning price. The winner claims his victory and the winner's claim is verified by the auctioneer. The identity of the bidder present in the blind commitment ${}_iC_j$ is verified only by the auctioneer, by executing an interactive zero-knowledge proof with the bidder. The coercers cannot establish any relation between the bids and the bidders. So, the anonymity of the bidder is maintained in this auction scheme.

Non-repudiation: The auction scheme does not declare the winner, it declares the winning price. In that case, the winning bidder may repudiate or he may keep silent. The auction scheme should be able to identify the winning bidder after the auction, if he repudiates. This is done as follows: Let $p_w$, the $w$th entry of the price list, be the winning price. Also let sealer $S_k$ receive the encrypted bid-vector $\langle {}_i\Gamma_j, {}_iC_j \rangle$. The auctioneer asks the sealers to write the initial encrypted price values (not signed by any sealer) $\langle {}_i\Gamma_w, {}_iC_w \rangle$ ($1 \le i \le m$) on the public board. Then every sealer computes $h_{S_k}^{{}_ir_w} = {}_iX_w^{\,x_{S_k}}$ for $1 \le i \le m$, $1 \le k \le t$ and writes it on the public board.
So every entry on the public board looks like $\langle {}_i\Gamma_w, {}_iC_w, h_{S_1}^{{}_ir_w}, h_{S_2}^{{}_ir_w}, \ldots, h_{S_t}^{{}_ir_w} \rangle$. The auctioneer computes

\[
G_i = \frac{{}_iY_w}{{}_iX_w^{\,x_A} \prod_{k=1}^{t} h_{S_k}^{{}_ir_w}} \qquad \text{for } 1 \le i \le m
\]

and gets the bidders' marks on the price value $p_w$. The mark is either $G_y$, that is 'I bid', or $G_n$, meaning 'I do not bid'. The entry on the public board for which the auctioneer computes $G_i = G_y$ is the winner. The identity of the winner is engraved in the blind commitment ${}_iC_w$ made by the bidder. The auctioneer asks all the bidders to sign ${}_iX_w$ as ${}_i\hat{C}_w = {}_iX_w^{\,x_{B_i}}$ and asks all the bidders to prove that ${}_i\hat{C}_w$ and $h_{B_i}$ have the same exponent $x_{B_i}$. If the bidders provide the signature along with the proof, the auctioneer can identify the repudiated bidder $B_i$ for which ${}_i\hat{C}_w = {}_iC_w$.

5 Efficiency

The entities of the auction scheme are: multiple bidders, multiple sealers and a single auctioneer. In this section we present the computation and communication complexity of the scheme. Let n, m and t represent the number of bidding prices, number of bidders and number of sealers respectively. Table 1 presents the communication patterns, number of rounds and the volume of data in every round.

Table 1. Communication complexity of the auction scheme

operation             communication                          rounds   volume
Bidding               B_i → S_j                              1        O(n)
Sealing               S_j → S_k … S_t                        t        O(n)
Verification          PublicBoard → B_i                      1        O(n)
Opening               PublicBoard → A                        1        O(mn)
                      {S_1, S_2, ..., S_t} → A               t        O(m)
Winner Verification   B_i ↔ A                                3        O(n)
Repudiation           {S_1, S_2, ..., S_t} → PublicBoard     t        O(1)
                      {S_1, S_2, ..., S_t} → PublicBoard     mt       O(1)
                      PublicBoard → A                        m        O(t)

6 Conclusion

In this paper we have presented a receipt-free sealed-bid auction scheme to prevent bid-rigging with a single auctioneer and multiple bidders. The auction scheme is designed for the 1st price auction. However, the scheme can be modified for the M + 1st price auction. The scheme ensures receipt-freeness and prevents bid-rigging. The auction scheme allows the bidders to bid and go; the bidders need not be present during the opening phase. The scheme provides receipt-freeness, anonymous bidding, bid secrecy and non-repudiation.

References

1. Vickrey, W.: Counterspeculation, Auctions, and Competitive Sealed Tenders. Journal of Finance 16(1), 8–37 (1961)
2. Benaloh, J., Tuinstra, D.: Receipt-free secret-ballot election (extended abstract). In: Proc. 26th ACM Symposium on the Theory of Computing (STOC), pp. 544–553. ACM Press, New York (1994)
3. Sakurai, K., Miyazaki, S.: An Anonymous Election Bidding Protocol Based on a New Convertible Group Signature Scheme. In: Clark, A., Boyd, C., Dawson, E.P. (eds.) ACISP 2000. LNCS, vol. 1841, pp. 385–399. Springer, Heidelberg (2000)
4. Sakurai, K., Miyazaki, S.: A Bulletin-Board Based Digital Auction Scheme with Bidding Down Strategy-Towards Anonymous Electronic Bidding without Anonymous Channels nor Trusted Centers. In: Proc. International Workshop on Cryptographic Techniques and E-Commerce (CryTEC 1999), pp. 180–187 (1999)
5. Sako, K.: An Auction Protocol which Hides Bids of Losers. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 422–432. Springer, Heidelberg (2000)
6. Suzuki, K., Kobayashi, K., Morita, H.: Efficient Sealed-bid Auction using Hash Chain. In: Won, D. (ed.) ICISC 2000. LNCS, vol. 2015, pp. 183–191. Springer, Heidelberg (2001)
7. Franklin, M.K., Reiter, M.K.: The Design and Implementation of a Secure Auction Service. IEEE Trans. Softw. Eng. 22(5), 302–312 (1996)
8. Kikuchi, H., Harkavy, M., Tygar, J.D.: Multi-round Anonymous Auction Protocol. In: Proc. 1st IEEE Workshop on Dependable and Real-Time E-Commerce Systems, pp. 62–69 (1998)
9. Kudo, M.: Secure Electronic Sealed-Bid Auction Protocol with Public Key Cryptography. IEICE Trans. on Fundamentals of Electronics, Communications and Computer Sciences E81-A(1), 20–27 (1998)
10. Abe, M., Suzuki, K.: M + 1st Price Auction using Homomorphic Encryption. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 115–124. Springer, Heidelberg (2002)
11. Abe, M., Suzuki, K.: Receipt-Free Sealed-Bid Auction. In: Chan, A.H., Gligor, V.D. (eds.) ISC 2002. LNCS, vol. 2433, pp. 191–199. Springer, Heidelberg (2002)
12. Chen, X., Lee, B., Kim, K.: Receipt-Free Electronic Auction Scheme using Homomorphic Encryption. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 259–273. Springer, Heidelberg (2004)
13. Harkavy, M., Tygar, J.D., Kikuchi, H.: Electronic Auction with Private Bids. In: Proc. 3rd USENIX Workshop on Electronic Commerce (1998)
14. Canetti, R., Dwork, C., Naor, M., Ostrovsky, R.: Deniable Encryption. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 90–104. Springer, Heidelberg (1997)
15. Chaum, D., Pedersen, T.P.: Wallet Database with Observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993)
16. Shamir, A.: How to Share a Secret. Communications of the ACM 22(11), 612–613 (1979)
17. Chaum, D.L.: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM 24(2), 84–88 (1981)