A Blockchain-Based Sealed-Bid e-Auction Scheme with Smart Contract and Zero-Knowledge Proof

e-Auction improves the efficiency of bid transaction. However, the protection of bidders’ privacy, transaction fairness and verifiability, transaction data security, high cost of third-party auction center, and other issues have attracted more attention. According to the transaction process and basic principles of the sealed auction, we explored the problems existing in the current sealed-bid e-auction schemes. Based on the blockchain technology, we proposed a sealed-bid e-auction scheme with smart contract technology, Bulletproofs zero-knowledge proof protocols, and Pedersen commitment algorithm. )e proposed scheme constructed an auction mechanism without the third-party auctioneer so as to restrict the behaviors of auction parties for the sake of auction security, reliability, fairness, and privacy protection. Compared with the related sealed e-auction schemes based on blockchain technologies in six metrics, we conducted the experiment to show that the proposed scheme protected the bid information from leakage well and successfully verified the winning bid price and the related bidder by all transaction participants without the third-party auctioneer.


Introduction
Auction is a common and traditional way to sell goods that are not easy to value. In the transaction, there is a serious information asymmetry between the seller and the buyers. Buyers usually have a strong incentive to hold down prices. Because the seller does not know the important information of the buyer's valuation, the one-turn pricing transaction cannot guarantee the effective allocation of scarce resources.
at is, it cannot guarantee the buyer who is considered to be the most valuable owner of the goods. Auction with the reasonable market trading rules makes the full use of the competition between buyers to achieve the effective allocation of resources and other objectives. Since auction plays an important role in resource allocation, many researchers have conducted studies on the improvement of the mechanism of auction. For example, William Vickrey was awarded the Nobel Economics Prize (1996) for his auction theory. Paul Milgrom and Robert Wilson won the Nobel Economics Prize (2020) for their improvements to auction theory and inventions of new auction formats.
In different markets, traditional auctions are divided into sealed-bid auctions and open-bid auctions according to whether the auction price is open or not. In the sealed-bid auctions, the bidders cast their bids secretly before the bid deadline; then the auctioneer opens the bids and selects the winner according to the auction rules. e open-bid auctions are divided into English auctions and Dutch auctions, which are often used in commodity transactions among individuals. Compared with the open-bid auctions, the sealed-bid auctions only reveal the winning bid price, while the bid price of other bidders is kept secret. Sealed-bid auctions can effectively protect the anonymity of the bidders' identity and the privacy of the bid price. e efficiency of the sealed-bid auctions is also higher than that of the open-bid auctions. erefore, sealed-bid auctions are mainly used for transactions between enterprises.
With the popularity of the Internet and the rapid development of e-commerce, e-auctions, as a new and efficient form of auctions, provide a fair trading environment for buyers and sellers and are time-and cost-efficient. For the transactions of enterprise assets, sealed-bid e-auctions attract more bidders to participate, and the benefits of the owner of the goods (the seller) are better guaranteed. However, in the complex Internet environment, the defects of traditional e-auctions, such as privacy disclosure and centralized private verification, limit the application of e-auctions. Although most of the current researches on sealed-bid e-auctions are trying to use encryption technology and multiparty multiround computation to solve the untrustworthy problem of thirdparty auctioneers, it is still a great challenge to establish an all-in-one scheme to prevent information leakage and identify fraud and repudiation in the increasingly complex Internet environment.
In recent years, the blockchain technology was successfully applied in e-cash, intellectual property protection, evidence fixation, reputation systems, Internet of things (IoT), financial services, and energy trading [1][2][3]. Researchers have been trying to migrate e-auctions to blockchains. eoretically speaking, the decentralization feature of blockchains can effectively remove the negative effects caused by the third-party auctioneer, and meanwhile, it can save the auction intermediary costs. e consensus mechanism, information encryption, smart contracts, and other technologies related to blockchains can automate the auction process without any deliberate intervention. Even if blockchain technology is faced with security issues such as majority attack and double spending, some studies have tried technologies such as machine learning to make blockchain-based applications more resilient against attacks [4,5]. erefore, the confidentiality of the auction data, the fairness of the auction activities, the auction commitment, and the nontampering of the auction results are well guaranteed.
In this paper, we proposed a sealed-bid e-auction scheme based on blockchains with commitment algorithm, smart contracts, and zero-knowledge proof to protect the bid information from leakage and verify the auction result with all bidders anonymously, which successfully implemented the secure and fair auction without the third-party auctioneer. e paper was organized in the following sections. In Section 2, the related studies were discussed and the gaps in related studies were analyzed. In Section 3, the main methods used in the sealed-bid e-auction scheme including the auction smart contract, bid price hiding algorithm, and bid result verification algorithm were introduced in detail. In Section 4, the process of the auction scheme was designed and all phases in the process were illustrated. In Section 5, we conducted an experiment to validate the proposed scheme. e experimental results were discussed in this section. In the last section of the paper, conclusive remarks and future study plan were provided.
For the sake of better readability, some important terms and variables used in the following sections are illustrated in advance in Table 1.

Related Studies
At present, there have existed a lot of related studies on sealed-bid e-auctions.
Frankin and Reiter (1995) presented a distributed service for performing sealed-bid auctions. is service can issue secret bids to the service for an advertised auction. Once the bid period ends, the auction service opens the bids, which determines the winning bid. Using novel cryptographic techniques, the service is constructed to provide strong protection for both the auctioneer and trusted bidders [6]. Brandt et al. proposed an approach that does not rely on trusted third parties, for example, auctioneers. e proposed technique is based on EIGamal encryption to protect the bidders' privacy. However, all computation in the auction was only performed by the auctioneer and time-consuming [7,8]. Bogetoft et al. combined knowledge from economics with Shamir secret sharing scheme to implement secure auctions without trusted auctioneers [9]. e linear secret sharing-based secure multiparty computation was used to implement the secure auction protocol instead of the trusted third party. However, the computation requires more interactions. Lee et al. proposed a securely sealed-bid auction scheme that uses the group signature scheme with the function of authenticated encryption. It was claimed to achieve the following goals: secrecy of bidding price, anonymity, verifiability, nonrepudiation, and better performance [10]. Cao tried bit commitment and blind signature technology to design an e-auction scheme based on untrusted third parties. Cao claimed that the e-auction scheme meets the demand of secure e-auction and it can withstand the conspiracy attack [11]. However, in this auction scheme, bidders may cast bid prices many times, which was not fully inconsistent with the auction rules. In addition, the auction result was announced by the winning bidder himself, which was absolutely unreliable. Sun et al. found that if the group manager has a valid group signature  [12]. Wang et al. used identity-based group signature and provable secure sharing protocol to design the sealed e-auction scheme. e scheme aims at anonymity, robustness, unforgeability, verification, and privacy protection [13]. However, the scheme depended on the verification center, which acted as a kind of third-party auctioneer. It was argued that the fairness and reliability were not well guaranteed in this kind of centralized mode. Cheng et al. proposed a sealed-bid auction scheme based on an untrusted third party, which uses a digital signature to verify the bidders and encrypts the bid price to keep the secrecy and accuracy of auction [14]. is scheme implements anonymity, secrecy, and unforgeability. However, the winning bid price was verified and determined by the thirdparty auctioneer.
ere have existed some blockchain-based sealed e-auction schemes. For example, Galal and Youssef proposed the sealed-bid auction on the Ethereum blockchain with smart contracts and zero-knowledge proofs. e proposed scheme implements the validity, fairness, secrecy of the auction transaction. However, the proposed scheme depended on the third-party auctioneer [15,16]. Peng et al. designed a blockchain-based sealed-bid auction with concurrent signature. In their scheme, the fuzziness of concurrent signature is used to protect the privacy of bidders and hide the bid price [17]. However, the scheme was argued that the winning bid price was not reliably verified. Xiong proposed an anonymous e-auction protocol based on blockchains. In her protocol, the blind signature scheme was used to realize the anonymity of bid behavior [18]. However, this protocol was still based on the third-party auctioneer. Yu improved a two-party comparison protocol by zero-knowledge proof and proposed a sealed-bid blockchain auction scheme with semihonest judge parties. By using the blockchain as the infrastructure, the auction process and records cannot be tampered with and traceable to reduce the dependence on the third party and improve the fairness of the auction through bid security [19]. However, the semihonest judge party (the auctioneer) was still required to verify part of the zero-knowledge proof, and the partial security still depends on the honesty of the judge party.
According to the above literature review, the related studies still have some defects in sealed-bid auction schemes. (1) e risks from centralized transaction mode: as was discussed above, in traditional auctions, the whole transactions are in the control of auctioneers. It has been proved that the untrusted auctioneers may cause the bid price leakage and tamper with the auction results. In related studies, most e-auction schemes, even those based on blockchains, still took auctioneers as the transaction controllers. erefore, the fairness and reliability of auctions were not perfectly guaranteed. (2) Incomplete price hiding: price hiding is the core of sealed-bid auctions. In most related studies, the bid price is protected by encryption. However, in the open phase, the bid price is decrypted and directly revealed for verification, which may cause price leakage and the benefits damage of the winning bidder.

Blockchains.
Nakamoto proposed blockchains in his paper "Bitcoin: a peer-to-peer electronic cash system" [20]. As is stated, blockchain is a kind of distributed file system maintained by multiparty. With P2P communication, blockchains protect the data with encryption technology and consensus mechanism. Different from the traditional file systems, blockchains use chained file storages, put data records into blocks, and organize blocks into chained blocks by recording the hash value of the previous block in the header of each block (see Figure 1). Users (also called miners) can create multiple addresses on the blockchains, which are independent of the users' identity. e blocks are added by miners in the chain that solves complex puzzles whose transactional cost is lower than a specified target hash value. e copy of the added block is then broadcasted to every peer node in the chain. e block addition process is agreed upon and validated by the majority of the nodes in the chain. e agreement process is termed as consensus in the chain. If the majority of nodes agree to a common consensus, the block is added to the existing chain; otherwise, it is discarded [21]. erefore, the creation process does not need the intervention of a third party. It is difficult to associate user identity through address information, which realizes better anonymity than traditional file systems. In practice, blockchains are divided into public blockchains, private blockchains, and consortium blockchains. Public blockchains and consortium blockchains have more blocks and stronger data tampering resistance, but they are puzzled by the lower operation efficiency. e private blockchains support highly efficient data operation, while the degree of decentralization is not as high as public blockchains and consortium blockchains. For e-auction, these three kinds of blockchains are all applicable.
In our proposed sealed-bid e-auction scheme, all auction data were encrypted and stored in the blockchain-based file systems.

e Smart Contract.
Szabo invented smart contracts as a set of promises, specified in a digital form, including protocols within which the parties perform on these promises. From common law, economic theory, and contractual conditions often found in practice, four basic objectives of smart contracts are designed. e first of these is observability, the ability of the principals to observe the performance of the contract of each other or to prove their performance to other principals. A second objective, verifiability, is the ability of a principal to prove to an arbitrator that a contract has been performed or breached, or the ability of the arbitrator to find this out by other means. e third objective of contract design is privity, the principle that knowledge and control over the contents and performance of a contract should be distributed among parties only as much as necessary for the performance of that contract. e fourth objective is enforceability and at the same time minimizing the need for enforcement [22].
Due to the lack of trusted execution environments, smart contracts have not been practiced widely until Ethereum integrated blockchains with smart contracts [23]. From then on, smart contracts become the core of new-generation blockchain-based applications which are not limited in the e-cash area. For example, Kumari et al. proposed a P2P secure energy trading scheme, ET-DeaL based on smart contract [24].
Smart contracts are usually implemented in programming languages such as Solidity [25] and Lua [26]. e developers define a set of rules as functions in smart contracts and then publish smart contracts on blockchains. at is, smart contracts are immutable and available for all users of blockchain applications. All users interact with smart contracts and call functions to fulfill the transactions. Since smart contracts are the consensus of all participants and are automatically running without any outer control, there is no opportunity for fraud behaviors to be executed. e main actions in the proposed sealed-bid auction scheme are demonstrated in the following smart contract (see Algorithm 1).

Bid Price Hiding.
We used cryptography commitment schemes to hide the bid price of bidders. Cryptography commitment schemes are a means of temporally hiding secret information so that it is verifiable in spite of the possible bias from either the prover (the party who commits to a value) or the verifier. e commitment scheme consists of three phases: setup, commitment, and verification. In the setup phase, the environment is set up, and keys are generated and published. During commitment, the prover commits to a message according to the proper algorithm and sends the commitment to the verifier. In the verification phase, the prover sends the information necessary for opening the commitment, and the verifier checks whether the commitment really is to the message that the prover claims it to be [27]. A well-designed cryptography commitment scheme should be characterized by the following features.
Hiding. Before the reveal of the commitment, the verifiers know nothing about data. ere are three kinds of binding: (1) perfect binding means that even with infinite computing power, the prover cannot change his mind after committing to a message, (2) statistical binding means that if the prover has infinite computing power, he can cheat with negligible probability, and (3) computational binding means that unless the prover has very large computing resources, then the probability of being able to change the value of the message being committed to is negligible.
Binding. After the reveal of the commitment, the prover cannot explain data to other data. ere are also three kinds of hiding: (1) perfect hiding means that a commitment to a message reveals no information about the message, even to an infinitely powerful verifier, (2) statistical hiding means that if the verifier has infinite computing power, he gets information about the message being committed to with negligible probability, and (3) computational hiding means that, for a polynomially bounded verifier, it is very difficult to guess what is inside the commitment.
It has been proved theoretically that the perfect commitment scheme with both perfect binding and perfect hiding is impossible. However, in the aspect of zero-knowledge proof for privacy protection, the first kind of commitment, which is supported by perfect hiding and computational binding, is usually used.
In cryptography commitment schemes, Hash commitment is the basic one, which uses a one-way hash function H (v) to map the data v to a commitment. Based on the unidirectionality of H (v), it is difficult to deduce the data v through H (v), which implements a certain degree of data hiding. Based on the anticollision of one-way hash function, it is difficult to find different data v′ to produce the same hash value, which implements a certain degree of data binding.
Hash commitment is simple in structure and easy to use, which meets the basic characteristics of cryptography commitment, ;and is suitable for applications with low requirements for data confidentiality. However, due to the lack of randomness, for the value v, the commitment c � H (v) is fixed. erefore, with powerful computation, the value v may be figured out through exhaustion computation. is kind of decryption is easy to implement in the current Internet environment. For applications that require higher data confidentiality, Hash commitment is not practical. In this paper, we proposed Pedersen's commitment [28] to hide the bid price. e Pedersen commitment is based on elliptic curves cryptography (ECC) advised by Neal Koblitz and Victor S. Miller in 1985. ECC is a public key encryption technique in cryptography which depends on the elliptic curve theory which helps us to create faster, smaller, and most efficient or valuable cryptographic keys [29]. Compared with RSA and DSA algorithms, only 256-bit ECC is just equal to or comparable to the 3072-bit RSA key, the main reason behind keeping a short key is the use of great computational power and secure and fast connection. It is harder to break for hackers compared to RSA and DSA, which means that the ECC algorithm ensures or secures the website and infrastructure safety than traditional methods in a more secure manner in the future. e Pedersen commitment cryptography function is defined in equation (1). By introducing the random blinding factor r, even if the private data v remains unchanged, the final commitment c will change according to the change of r, which implements the hiding of data. G and H generated by smart contracts are two generating points on specific elliptic curves, which are consensus information to all auction parties.
In our sealed-bid e-auction scheme, the Pedersen commitment scheme worked in the following steps: (1) e bidder b i got a random blinding factor r i and called the above Pedersen commitment function C (p i , r i ) to produce the commitment price C i . i ∈ I, where I was the set of the IDs of all bidders. (2) e bidder b i published C i to the blockchain and sent E (p i , r i , pk s ) to the smart contract account. E was the encryption function to encrypt p i and r i with pk s , where pk s was the public key of the smart contract. (3) When the bid deadline arrived, the smart contract opened the commitment. e commitment C * bound to the winning price p * was revealed and the differential commitment C i was sent to all bidders. C i was defined in equation (2), which was sent to bidder b i .
If p * i ≥ 0, then p * > p i .

Verification of Bid Result.
In practice, the additive homomorphism of Pedersen's commitment is integrated with Bulletproofs, an outstanding zero-knowledge proof protocol, to prove the binding relations of different values. Bulletproofs were proposed by Benedikt et al.
(2018) as a new noninteractive zero-knowledge proof protocol with very short proofs and without a trusted setup [30]. It is proved that Bulletproofs have better performance than ZK-SNARKs [31] and ZK-STARKs [32] and are very useful for encrypted currency. Bulletproofs can prove that the transaction amount is in a given positive range, which is essential to verify the transaction. erefore, we can use the Pedersen commitment algorithm to hide the real bid price and verify the higher biding price with the differential commitment price C i in equation (2) by Bulletproofs, because it is very easy to prove p * i ∈[0, 2 n ) (i.e., p * i ≥ 0) with Bulletproofs and C i . erefore, each bidder can verify that p * is higher than his bid price p i . e verification operation is shown as follows: (1) Bidder b i recomputed the differential commitment price C i ′ with the published C * and his own com- ′ with C i that was produced and distributed by the smart contract.
(3) If C i ′ � C i , C * was accepted. en bidder b i used Bulletproofs and C i to prove p * to be higher than his own bid price p i and returned the proof result to the smart contract. (4) When all bidders returned the proof results, the smart contract announced that the auction was successfully completed.

Security and Communication Networks
In the above steps, since all bidders published the commitment price on the blockchain, if one bidder changed (p, r) to make a new commitment price against the winning commitment C * , the smart contract and other bidders would be aware of his fraud behavior. e dishonest bidder would be regarded as an untrusted party and punished according to the auction rules. For example, the untrusted bidder's bid security would be confiscated and his permission to auction would be frozen for a period of time. For the owner of goods, since the smart contract was the consensus of all users of the auction system and automatically executed without outer control, the auction result was also accepted by the owner of goods. So far, the decentralized and completely privacy-protected sealedbid e-auction was successfully implemented.

The Auction Process
e process of the decentralized sealed-bid e-auction was divided into six phases: register, publish, bid, open, verify, and finish. In the auction scheme, there were four kinds of parties: owner of goods, bidders, the smart contract, and the blockchain.
e owner of goods published the goods information to the blockchain, and then the bidders cast their bid price before the bid deadline. e smart contract provided functions to support the actions in the above phases. e flowchart of the auction process is shown in the sequence diagram in Figure 2.

e Register Phase.
e users including the owner of goods and all bidders should register in the sealed auction system. e register function in the smart contract returned the user IDs and public and private keys to registered users. When users got these registration data, they encrypted the IDs with the public key of the smart contract and saved the encrypted IDs in the blockchain.

4.2.
e Publish Phase. After registration, the owner of goods called the publish() function in the smart contract to publish the goods information. In publish() function, the following activities were conducted: (1) e smart contract verified the user ID and returned the publish permission to the owner of goods. (2) e owner of goods sent the goods introduction, auction starting time t 1 , auction ending time t 2 , bid security requirement m, the smallest number of bidders n, and encrypted reserve price p r (encrypted by the public key of the smart contract) to the smart contract and saved them in the blockchain. at is, all information was the consensus except the reserve price.

e Bid Phase.
From time t 1 , the registered bidders who were interested in the goods were permitted to bid. e bid() function in the smart contract was responsible for the following bidding tasks.
(1) e bidders' identity was also verified by the smart contract like the goods' owner. (2) e bidders saved the caution deposit m to the account appointed and supervised by the smart contract. (3) Each bidder b i provided the bid price p i and a random number r i that were encrypted by the public key of the smart contract and saved them in the blockchain. e bid price p i will never be revealed by the smart contract. (4) Each bidder b i called the Pedersen commitment function to get the commitment price C i and saved it in the blockchain. Commitment price C i was encrypted by the private key of b i . at is, all bidders and the owner of goods can get the information of C i by decrypting it with the public key of b i .

e Open Phase.
When time t 2 arrived, the smart contract conducted the following activities: (1) e smart contract counted the bidders attending the auction and checked all bid prices in the auction. If the number of bidders was smaller than n, or all bid price was smaller than the reserve price p r , the auction was announced failed. Otherwise, the subsequent activities were taken. (2) All bid price was sorted and the highest bid price p * was selected as the winning bid price. (3) e commitment price C * bound to p * was published to the blockchain by the smart contract. (4) Each differential commitment price C i was calculated and encrypted with the public key of each bidder by smart contract and sent back to each bidder.

e Verify Phase.
When each bidder b i got C * and C i , he recalculated the differential commitment price C i ′ � C * − C i and compared C i with C i ′ . If C i ′ � C i , C i was successfully verified by bidder b i. en all bidders used Bulletproofs protocol to prove p * with C i without leaking any information about the winning bid price p * .

e Finish Phase.
After all bidders were verified and accepted p * , the smart contract asked the winning bidder to pay the rest of the payment for goods (p * − m) to the appointed account and then transferred the full payment p * to the owner of goods. e bid security of the other bidders was also returned to the bidders' own accounts.

Experiments and Discussion
In order to verify the feasibility of the proposed scheme, we built an Ethereum-like simulation experiment to test the main algorithms of the proposed sealed-bid auction scheme. e simulation environment was composed of 30 computers (blocks). e configuration of each node computer is shown in Table 2. e application was coded in Java development kits (JDK1.8) and Java pairing-based cryptography library (JPBC 2.0.0). e smart contract was coded in Solidity and Web3J and tested in Truffle.
We conducted 6 auction transactions with a different number of bidders. In each auction transaction, the goods' owner published the encrypted goods' information privately and secretly. Each bidder submitted his bid price separately.

Performance Analysis of the Scheme.
In each auction transaction in the experiment, the execution time of each transaction phase was recorded (see Table 3).
We calculated the correlation coefficients between the number of bidders and the execution time in different phase (see Table 4).
With the correlation coefficients, we found that the execution time of open and finish operations grew significantly with the increase of the number of bidders. It hinted that if more bidders attended the auction, the open and finish operation would spend more time. However, for publish, bid, and verify operations, the execution time remained relatively stable with different number of bidders. We conducted Chisquare test on the contingency table of execution time in publish, bid, and verify phases with a different number of bidders. e p value was 0.99, which hinted that there were no significant differences between the execution time in these phases. It meant that since these 3 operations were independently executed by each bidder, the execution time of these operations was not influenced by the number of bidders.
We also estimated the mean gas value of each phase operation (see Table 5). e largest gas value was about 6 million, which was far smaller than the current gas limit (12 million) of Ethereum. It hinted that the proposed scheme could be deployed on Ethereum.  Goods, reserve price, and t1 and t2 Auction information Acceptance Receipt Figure 2: e process of the decentralized sealed-bid e-auction.

Comparison Analysis with Related Blockchain-Based
Works. In each transaction of auctions in the experiment, all bid prices and bidders' identities were revealed to the observers for the validation of the proposed scheme. rough the experiment records, we confirmed the following: (1) e encrypted goods information was successfully published to all block nodes. (2) Each bid price was successfully encrypted as the commitment price and published to all block nodes. We compared four recent representative related works in six metrics including decentralization, anonymity, authentication, unforgeability, nonrepudiation, and winning price validation. e result is shown in Table 6.
Galal and Youssef [15], Xiong [18], and Yu [19] provided well-designed schemes based on blockchain technologies. ese 3 schemes show good performance in most metrics. However, they are based on their party auctioneers, which means that the schemes are subject to information leakage risks. Peng et al. [17] proposed an innovative scheme without auctioneer, which makes a breakthrough in the sealed-bid auction mechanism design. But in his scheme, the winning price is revealed to all bidders for the auction result validation. Even all participants of the auction confirm the result without any knowledge of the winning bidder's identity, it is not reasonable to reveal the winning price to the public.
In summary, through the experiment, the proposed scheme successfully performed the fair, secure, and reliable sealed-bid auction without the third-party auctioneer. It implemented a kind of decentralized auction with the help of blockchain technologies.

Conclusion and Future Work
Compared with the related sealed-bid auction schemes, the proposed scheme in this paper used the features of blockchain technologies to realize decentralized auctions. e risks from the third-party auctioneers were well eliminated. In summary, the proposed sealed-bid e-auction scheme showed the following features: (1) Sealability. All information in the auction transaction was encrypted by the public keys of the smart contract, owner, and bidders, which prevented the information from leakage. e bid price was only passed to the smart contract other than published on the blockchain. In addition, the bid price was mapped to a commitment price by the Pedersen commitment function. For all users getting the commitment price, they can never get the real bid price of bidders. (2) Fairness. All bidders were equally treated by the smart contract. ey got all commitment prices and the winning commitment price C * . en, they verified the auction result autonomously. If bidders tried to tamper with the auction result, their auction security would be confiscated and their permissions to the auction transaction were also frozen or canceled. e punishment was conducted automatically by the smart contract.
(3) Validity. e smart contract selected the winning bid price and the related bidder as the auction result, which obeyed the basic rule of the first-price sealed auction. (4) Nonrepudiation. All information in the auction transaction was saved in the blockchain and can never be denied under the consensus mechanism of blockchains. (5) Decentralized Verification. All bidders can verify and prove the auction result with zero-knowledge proof protocol (Bulletproofs). None of them can deny the bid price. (6) Cost-Effective. e scheme was free of the cost of the third-party auctioneer, which made the biggest benefits of all auction parties.
It should be noted that the proposed scheme has limitations in running performance. As was discussed in Section 5.1, the execution time of the open phase and finish phase was determined by the number of bidders. It means that the auction would become a time-consuming work if conducted in the open platforms such as Internet. In future studies, we will focus on the improvement of algorithms of the two auction phases and test the scheme in real blockchain environments. In addition, we will also investigate blockchain technologies other than Ethereum, which can help us protect the privacy of bids from all parties with lower computation resource requirements.

Data Availability
No data were used to support this study.