Abstract
Auctions have become an important part of electronic commerce. Considering the gradually increasing importance of confidentiality and privacy in auction modeling, various designs have been proposed to ensure secure transmission especially in sealed-bid auctions. However, to the best of our knowledge there is no secure and privacy preserving Treasury Auction system. Looking at systems currently in use, many countries perform those auctions manually. Since all the bids are transferred to the system in clear form, confidentiality and privacy are not guaranteed. Therefore, the system is more vulnerable to potential threats especially due to the ongoing advances and developments in technology. In a secure electronic auction system, it is possible to determine the winner or the winners without revealing any private information. In this work, we propose a new, secure and efficient electronic auction protocol for Treasury Auctions based on secure multi-party computation, secret sharing and threshold homomorphic cryptosystem.
Notes
1. E.g., Treasury Automated Auction Processing System (in the US); Bloomberg Auction System (in the UK); Deutsche Bundesbank Bund Bidding System (in Germany).
References
Bektaş, A.: On secure electronic auction process of government domestic debt securities in Turkey. Ph.D. thesis, Middle East Technical University, Ankara, Turkey, August 2013
Ben-David, A., Nisan, N., Pinkas, B.: FairplayMP: a system for secure multi-party computation. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008, pp. 257–266. ACM, New York (2008)
Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC 1988, pp. 1–10. ACM, New York (1988)
Bogdanov, D., Laur, S., Willemson, J.: Sharemind: a framework for fast privacy-preserving computations. IACR Cryptology ePrint Archive 2008, 289 (2008). http://dblp.uni-trier.de/db/journals/iacr/iacr2008.html#BogdanovLW08
Bogdanov, D., Talviste, R., Willemson, J.: Deploying secure multi-party computation for financial data analysis. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 57–64. Springer, Heidelberg (2012)
Bogetoft, P., Christensen, D.L., Damgård, I., Geisler, M., Jakobsen, T., Krøigaard, M., Nielsen, J.D., Nielsen, J.B., Nielsen, K., Pagter, J., Schwartzbach, M., Toft, T.: Secure multiparty computation goes live. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 325–343. Springer, Heidelberg (2009)
Brandt, F., Sandholm, T.W.: Efficient privacy-preserving protocols for multi-unit auctions. In: Patrick, A.S., Yung, M. (eds.) FC 2005. LNCS, vol. 3570, pp. 298–312. Springer, Heidelberg (2005)
Brandt, F., Sandholm, T.: On the existence of unconditionally privacy-preserving auction protocols. ACM Trans. Inf. Syst. Secur. 11(2), 1–21 (2008)
Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols. In: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC 1988, pp. 11–19. ACM, New York (1988)
Cramer, R., Damgård, I.: Multiparty computation, an introduction. In: Contemporary Cryptology. Advanced Courses in Mathematics CRM Barcelona. Birkhauser Verlag AG (2005)
Damgård, I., Geisler, M., Krøigaard, M.: Homomorphic encryption and secure comparison. Int. J. Appl. Crypt. 1(1), 22–31 (2008). doi:10.1504/IJACT.2008.017048
Garay, J.A., Schoenmakers, B., Villegas, J.: Practical and secure solutions for integer comparison. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 330–342. Springer, Heidelberg (2007)
Garay, J.A., Jakobsson, M.: Timed release of standard digital signatures. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357. Springer, Heidelberg (2003)
Goldreich, O., Micali, S., Wigderson, A.: How to play ANY mental game or a completeness theorem for protocols with honest majority. In: Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, STOC 1987, pp. 218–229. ACM, New York (1987)
Hazay, C., Mikkelsen, G.L., Rabin, T., Toft, T.: Efficient RSA key generation and threshold Paillier in the two-party setting. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 313–331. Springer, Heidelberg (2012)
Henecka, W., Kögl, S., Sadeghi, A.R., Schneider, T., Wehrenberg, I.: TASTY: tool for automating secure two-party computations. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, pp. 451–462. ACM, New York (2010)
Jónsson, K.V., Kreitz, G., Uddin, M.: Secure multi-party sorting and applications (2011)
Katti, R.S., Ababei, C.: Secure comparison without explicit XOR. CoRR abs/1204.2854 (2012)
Lipmaa, H., Asokan, N., Niemi, V.: Secure vickrey auctions without threshold trust. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357, pp. 87–101. Springer, Heidelberg (2003)
Lipmaa, H., Toft, T.: Secure equality and greater-than tests with sublinear online complexity. In: Fomin, F.V., Freivalds, R., Kwiatkowska, M., Peleg, D. (eds.) ICALP 2013, Part II. LNCS, vol. 7966, pp. 645–656. Springer, Heidelberg (2013)
Naor, M., Pinkas, B., Sumner, R.: Privacy preserving auctions and mechanism design. In: Proceedings of the 1st ACM Conference on Electronic Commerce, EC 1999, pp. 129–139. ACM, New York (1999)
Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 223. Springer, Heidelberg (1999)
Schoenmakers, B., Tuyls, P.: Practical two-party computation based on the conditional gate. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 119–136. Springer, Heidelberg (2004)
Sedgewick, R., Wayne, K.: Algorithms, 4th edn. Addison-Wesley, Redwood City (2011)
Toft, T.: Sub-linear, secure comparison with two non-colluding parties. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 174–191. Springer, Heidelberg (2011)
Toft, T.: Sub-linear, secure comparison with two non-colluding parties. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 174–191. Springer, Heidelberg (2011)
Undersecretariat of Treasury: Annual Edns 200813. Technical report, Republic of Turkey Prime Ministry (2012)
Veugen, T.: Improving the DGK comparison protocol. In: 2012 IEEE International Workshop on Information Forensics and Security (WIFS), pp. 49–54. WIFS 2012, Tenerife, Spain, Dec 2012
Appendices
A Comparison Function
Assume that party A has two encrypted values \({\mathsf{Enc}}_{pk_B}(a)\) and \({\mathsf{Enc}}_{pk_B}(b)\) of \(\ell \) bits each, and that party B has the private key. They want to compare the numbers a and b, whose actual values are known to neither A nor B. By the following function, party A outputs
If the result is decrypted by party B then the output becomes
This protocol is proposed in Veugen’s paper [28]. Note that other methods for secure comparison can be used as well, e.g., [12, 17, 18, 23, 26]. In our proposed system, the encrypted unit prices are compared pair by pair, and the parties are the Central Bank (party A) and the Treasury (party B). According to Veugen [28], the following protocol shows how to adjust the DGK comparison protocol to encrypted inputs such that perfect security towards B is achieved, requiring only a small increase in computational and communication complexity. The difference from the DGK comparison protocol [11] is the modified subprotocol with private inputs. See [28] for the details.
Let \(0 \le a, b < 2^\ell < n\) and n be the Paillier public key component used in the main protocol. The notation \((a \le b)\) is used to denote the bit such that
and \(\oplus \) denotes the exclusive or of two bits.
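The comparison function of this appendix, as an added example that is not the paper's own code and not Veugen's [28] protocol verbatim: party A holds \({\mathsf{Enc}}_{pk_B}(a)\) and \({\mathsf{Enc}}_{pk_B}(b)\), blinds \(z = 2^\ell + b - a\) with a random r so that B decrypts only \(z + r\), and a DGK-style check on the low \(\ell\) bits (with Paillier bit encryptions standing in for the DGK cryptosystem) lets A finish with \({\mathsf{Enc}}_{pk_B}((a \le b))\). The toy Paillier key, \(\ell = 8\), the blinding parameter \(\kappa = 24\), the equality term `c_eq` and all function names are assumptions of this example.

```python
import secrets
from math import gcd
# Constructed toy Paillier key pair for party B (fixed primes, demonstration only).
P, Q = 999983, 1000003
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
MU = pow((pow(N + 1, LAM, N2) - 1) // N, -1, N)
L, KAPPA = 8, 24            # bit length ell of the inputs; statistical blinding parameter

def enc(m):                 # Paillier encryption under pk_B with g = N + 1
    r = secrets.randbelow(N - 1) + 1
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return pow(N + 1, m % N, N2) * pow(r, N, N2) % N2
def dec(c):                 # only party B holds LAM and MU
    return (pow(c, LAM, N2) - 1) // N * MU % N
def add(c1, c2):            # [x] * [y] = [x + y]
    return c1 * c2 % N2
def mul(c, k):              # [x]^k = [k * x]; k may be negative
    return pow(c, k % N, N2)

def b_open_blinded(c_d):    # B decrypts d = z + r; returns [d >> L] and the encrypted bits of d mod 2^L
    d = dec(c_d)
    return enc(d >> L), [enc((d >> i) & 1) for i in range(L)]

def a_dgk_values(enc_dbits, r_hat, delta_a):   # A: DGK check values, blinded and shuffled
    s = 1 - 2 * delta_a
    w = [enc_dbits[i] if not (r_hat >> i) & 1 else add(enc(1), mul(enc_dbits[i], -1))
         for i in range(L)]                     # [d_i XOR r_i]; r_i is known to A in clear
    cs, acc, c_eq = [], enc(0), enc(1 - delta_a)  # acc = [3 * sum_{j>i} w_j]; c_eq is zero iff delta_a = 1 and d_hat == r_hat
    for i in reversed(range(L)):                # c_i = s + d_i - r_i + 3 * sum_{j>i} w_j
        cs.append(add(add(enc(s - ((r_hat >> i) & 1)), enc_dbits[i]), acc))
        acc, c_eq = add(acc, mul(w[i], 3)), add(c_eq, w[i])
    cs.append(c_eq)
    out = [mul(c, secrets.randbelow(N - 1) + 1) for c in cs]   # random non-zero multipliers
    secrets.SystemRandom().shuffle(out)
    return out

def b_zero_check(cs):       # B learns only whether some blinded value is zero and returns [delta_b]
    return enc(int(any(dec(c) == 0 for c in cs)))

def secure_leq(c_a, c_b):   # A holds [a], [b] under pk_B and ends with [(a <= b)]
    r = secrets.randbelow(1 << (L + KAPPA))
    c_d = add(add(enc(1 << L), add(c_b, mul(c_a, -1))), enc(r))  # [z + r], z = 2^L + b - a
    c_dhigh, enc_dbits = b_open_blinded(c_d)
    delta_a = secrets.randbelow(2)
    c_delta_b = b_zero_check(a_dgk_values(enc_dbits, r % (1 << L), delta_a))
    c_t = c_delta_b if delta_a == 0 else add(enc(1), mul(c_delta_b, -1))  # [t] = [d_hat < r_hat]
    return add(add(c_dhigh, enc(-(r >> L))), mul(c_t, -1))       # [z_L] = [d>>L - r>>L - t]
```

The random bit `delta_a` splits the outcome of the bit comparison between the two parties, so B's view consists of the blinded value, the shuffled non-zero check values and a single share, none of which depends on a or b.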
B Submission and Evaluation Phase
C Award Phase
D Complexity Analysis
In this section, we present the computational, communication and round complexity of our proposed system. For the computational complexity, we count only the expensive asymmetric operations; symmetric encryptions and hash functions are comparatively very cheap and can be ignored in the analysis of the overall complexity. Note that a submitted encrypted bid is a 4-tuple. The Primary Dealers compute 4k encryptions, where k denotes the number of bids. The Central Bank receives k four-tuple encrypted bids. After the bid submission deadline, the subprotocol step is run for the k bids. There are \((k-1)k/2\) comparisons of k values in the Sorting function and at most k comparisons of k values in the FindCutoffPoint function. One Comparison function requires \((3\ell +10)\) public key encryptions, so in total \((3\ell +10)(k^2 + k)/2\) public key encryptions are performed in the subprotocol step. Hence, the Submission and Evaluation phase requires in total \((8k + 2 + (3\ell +10)(k^2 + k))/2\) public key encryptions and 3 additional signatures. The Award phase requires only one public key operation and one signature. Hence, there are in total \((16k + 24 + (3\ell +10)(k^2+k))/2\) public key operations in our proposed model.
As for the communication complexity, there are in total \((4k + 2\ell + 4m + 13)\) public key encryptions and 2 signatures transferred in the Submission and Evaluation phase, and one hashed value and 2 public key messages transferred in the Award phase. Hence, there are in total \((4k + 2\ell + 4m + 15)\) public key operations, 2 signatures and one hashed value transferred.
Finally, we note that our proposed system has only a constant number of rounds.
E Proof of Theorem 1
For a primary dealer as an investor, the main privacy concern is the secrecy of its name and the anonymity of its bid values until the end of the auction process. First of all, a malicious primary dealer cannot obtain any information during the Submission and Evaluation process, because it only sends an encrypted and signed bid tuple \(({\mathsf{Enc}}_{pk_{{PD}_i}}(S_{B_i}), {\mathsf{Enc}}_{pk_T}(p_i), {\mathsf{Enc}}_{pk_T}(a_i), {\mathsf{Enc}}_{pk_T}(y_i))\). Therefore, it cannot change the other parties’ inputs, since all the bid components are encrypted and signed. Moreover, nobody except the Treasury is able to decrypt the values. Secondly, the name value \({PD}_i\) is hashed and then encrypted using a (2,2)-threshold encryption scheme, and the names of the winners are revealed only after the auction, while the Treasury waits for the bidders to learn their own results. Finally, the response \(res =\) “Accept/Reject” of the Treasury for the \(i^{th}\) primary dealer can only be seen by that primary dealer, because the threshold decryption (\({\mathsf{Dec}}_{sk^{(2)}_{{PD}_i}}({\mathsf{Enc}}_{pk_{{PD}_i}}({\mathsf{Sign}}_T[res]))\)) is performed by the Treasury using the key share \(sk^{(2)}_{{PD}_i}\), and the result needs decrypting with the other key share \(sk^{(1)}_{{PD}_i}\), which is known only to the \(i^{th}\) primary dealer.
At the beginning of the Award phase of the protocol, a bidder may refuse to send the related hash value \({{\mathsf{Hash}}}(X_i)\) to the Treasury. In this case, neither the bidder nor the Treasury can learn whether that bidder is accepted or rejected (because of the anonymity of the bidders), so the bidder must send the hash value \({{\mathsf{Hash}}}(X_i)\) in order to finalize the overall outcome. This type of problem can be prevented, for example, by penalties (e.g., banning participation in future auctions). In order to identify the malicious bidder who did not send its hash value, the Treasury and all the primary dealers meet and decrypt the related results. We underline that such a withholding bidder does not compromise privacy. Also, no malicious party can submit a bid on behalf of an honest bidder in future auctions, for example by mounting a replay attack; this is prevented by means of time-stamped signature schemes. \(\Box \)
F Proof of Theorem 2
A malicious Treasury gets no information during the Submission and Evaluation phase, since the Central Bank sends encrypted values \({{\mathsf{Sign}}_{CB}[\left\langle \text {output}_i, X_j \right\rangle ]}\) which are the outputs of the subprotocols. The Treasury obtains the encrypted ordered list \(\left\langle X_j \right\rangle \) of the accepted bidders and cannot obtain any extra information about the bidders, since the list is anonymised. Similarly, during the Award phase, the Treasury obtains hashed values \({{\mathsf{Hash}}}(X_i)\), which give it no useful information. Hence, a malicious Treasury cannot learn any additional information except the winners’ bids. \(\Box \)
G Proof of Theorem 3
Firstly, the only privacy concern for the Treasury is the secrecy of \(\delta \). Since \(\delta \) is encrypted with \(pk_T\), nobody but the Treasury itself can open (decrypt) this encrypted value; therefore, a malicious Central Bank, which computes homomorphic evaluations with \({\mathsf{Enc}}_{pk_T}(\delta )\), cannot learn any useful information about it. Secondly, the Central Bank cannot see the sum values \(\sum _{i=1}^{k} a_i\), \(\sum _{i=1}^{k} y_i\), \(\sum _{i=1}^{m} a_i\) and \(\sum _{i=1}^{m} y_i\) in clear form. Although the Central Bank performs some evaluations and calculations with those values under encryption, it cannot extract the sums, since it has no knowledge of the decryption key \(sk_T\) belonging to the Treasury. Note that our proposed model does not consider active collusion between dishonest parties in which secret keys are revealed. Hence, the privacy of the sums is also preserved.
The Central Bank alone runs the subprotocols, and uses its secret key \(sk_{CB}\) for signing the subprotocol outputs \(\{\left\langle \text {output}_i, X_j \right\rangle : i=1,\ldots ,6,\;j=1,\dots ,m\}\). Since the underlying subprotocols (sorting and comparing) are secure, a malicious Central Bank obtains no useful information. Therefore, privacy is not compromised in the presence of a malicious Central Bank. \(\Box \)
© 2015 Springer International Publishing Switzerland
Bektaş, A., Kiraz, M.S., Uzunkol, O. (2015). A Secure and Efficient Protocol for Electronic Treasury Auctions. In: Ors, B., Preneel, B. (eds) Cryptography and Information Security in the Balkans. BalkanCryptSec 2014. Lecture Notes in Computer Science, vol 9024. Springer, Cham. https://doi.org/10.1007/978-3-319-21356-9_9
DOI: https://doi.org/10.1007/978-3-319-21356-9_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-21355-2
Online ISBN: 978-3-319-21356-9