SECURE ONLINE ENGLISH AUCTIONS

Jarrod Trevathan

School of Mathematical and Physical Sciences

James Cook University

Wayne Read

School of Mathematical and Physical Sciences

James Cook University

Keywords:

Online auctions, event timing, anonymity, group signature.

Abstract:

Security and privacy in online auctions are a major concern as auction participants have many opportunities to cheat (e.g., repudiate bids, not deliver items, etc.). Online auctions such as those used by eBay are based on a type of auction referred to as an English auction. Despite the English auction being the most popular type of auction, it has received less security coverage than other types of auctions (e.g., sealed-bid auctions). An existing proposal for a “secure” English auction prevents the Auctioneer from closing the auction early and from blocking bids, but does not protect a bidder’s anonymity. Another proposal provides anonymity, but does not stop an Auctioneer from skewing its clock or blocking bids. This paper proposes a new scheme for conducting secure and anonymous online English auctions using a modified type of group signature. Trust is divided among three servers owned by separate companies to ensure anonymity and fairness. Our scheme solves the problems of the existing English auction schemes and has the following characteristics: unforgeability, anonymity, unlinkability, exculpability, coalition-resistance, verifiability, robustness, traceability, revocation, one-off registration, unskewability and unblockability. Our scheme has comparable efficiency to the existing schemes for the enhanced security and privacy it provides.

1 INTRODUCTION

Online auctioning is now widely accepted as one of the premier means to do business on the web. English auctions are the most common type of online auction employed by Internet auctioneers (e.g., eBay (http://www.ebay.com) and uBid (http://www.ubid.com)). Such auctions are used to sell various items from real estate to football tickets. An English auction allows one seller to offer an item for sale. Many potential buyers then submit bids for the item attempting to outbid each other. The winner is the bidder with the highest bid after a given time-out period where no bid higher than the current highest bid has been made. The winner must pay the seller an amount equal to the winning bid.

Since the participants are not physically present in an online auction, there exist many security concerns and opportunities for people to cheat. For example, a bidder might repudiate having made a bid, or the seller might not deliver the item. Furthermore, the Auctioneer could influence the auction in a manner inconsistent with its rules (e.g., block bids). Security and privacy in electronic auctions have been covered in (Boyd and Mao, 2000; Franklin and Reiter, 1996; Naor et al., 1991; Trevathan, 2005; Viswanathan et al., 2000), and numerous “secure” auction schemes have been proposed. However, most of the schemes presented so far have been for sealed bid auctions (i.e., bids remain secret until the close of bidding). An English auction on the other hand is an open bid auction (i.e., everyone knows the values of the bids). This, combined with the nature of the auctioning process, makes English auctions more complicated than regular cryptographic auction schemes.

The timing of events in English auctions is much more critical than in sealed bid auctions. As a result, this presents some unique security risks. An English auction requires a real-time link between the bidders and the Auctioneer. Frequent price quotes are issued to update bidders regarding the current highest bid. As bidders base their decisions on this information, its timeliness directly influences the auction. A corrupt Auctioneer could disadvantage certain bidders by delaying this information or by speeding up (skewing) the clock in order to close the auction early. Furthermore, the speed and ease of the bid submission process is significant, especially when an auction is nearing its end. A malicious Auctioneer could selectively block bids based on bidder identity and/or bid value.

Trevathan J. and Read W. (2006). SECURE ONLINE ENGLISH AUCTIONS. In Proceedings of the International Conference on Security and Cryptography, pages 387-396. DOI: 10.5220/0002096603870396. Copyright © SciTePress

(Stubblebine and Syverson, 1999) presented an English auction scheme that prevents the Auctioneer from closing the auction early and from blocking bids. However, it does not protect a bidder’s anonymity. Alternatively, a scheme by (Omote and Miyaji, 2001) provides anonymity, but does not stop an Auctioneer from skewing its clock or blocking bids. We believe the shortcomings of the existing schemes can be solved by basing the auction protocol on a modified group signature scheme.

The concept of group signatures was introduced by (Chaum and van Heyst, 1991). A group signature scheme allows members of a group to sign messages on behalf of the group, such that the resulting signature does not reveal the identity of the signer. Signatures can be verified with respect to a single group public key. Only a designated group manager is able to open signatures, and thus reveal the signer’s identity. Due to these unique security characteristics, group signature schemes have recently been used as the basis for auction protocols (see (Trevathan et al., 2005; Trevathan et al., 2006)).

This paper presents a scheme for conducting online English auctions in a secure and anonymous manner. The new scheme solves the problems of the existing proposals while maintaining all of their features. The role of the Auctioneer is divided among two auction servers (owned by separate companies) to ensure that the correct timing of events is maintained and to prevent bid blocking (see (Naor et al., 1991)). Our scheme uses a group signature that is altered so that the role of the group manager is also divided among two independent auction servers. This allows for bid verification and protects a bidder’s identity unless the two servers collude. In the case of a dispute (e.g., a bidder repudiates a bid), a court order can be used to reveal the bidder’s identity and he/she can be permanently revoked from the auction proceedings. The scheme is flexible and allows the group signature to be updated as better techniques for group signatures become available. Our scheme offers comparable efficiency trade-offs for its enhanced security and privacy characteristics.

This paper is organised as follows: the remainder of this section discusses security issues inherent in English auctions and our contribution. Existing English auction schemes and their shortcomings are discussed in Section 2. The components of our new scheme are introduced in Section 3 and the auction protocol is described in Section 4. An informal security analysis of the new scheme is given in Section 5. Section 6 presents an efficiency comparison of the new scheme and Section 7 provides some concluding remarks.

1.1 Fundamentals of Online English Auctions

There are four main activities in an online English auction:

Initialisation – The Auctioneer sets up the auction and advertises it (i.e., type of good being auctioned, starting time, etc.).

Registration – In order to participate in the auction, bidders must first register with the Auctioneer.

Bidding – A registered bidder computes his/her bid and submits it to the Auctioneer. The Auctioneer checks the bid received to ensure that it conforms with the auction rules.

Winner Determination – The Auctioneer determines the winner according to the auction rules. Online English auctions can terminate according to the following rules (see (Kumar and Feldman, 1998; Stubblebine and Syverson, 1999)):

1. Expiration Time - The auction closes at a predetermined expiration time.

2. Timeout - The auction closes when no bids higher than the current highest bid are made within a predetermined timeout interval.

3. Combination of Expiration and Timeout - The auction closes when there is a timeout after the expiration time.

1.2 Security Issues in Online English Auctions

The core security requirements for an English auction include:

Unforgeability - Bids must be unforgeable, otherwise a bidder can be impersonated.

Verifiability - There must be publicly available information by which all parties can be verified as having correctly followed the auction protocol. This should include evidence of registration, bidding and proof of the winner of the auction.

Exculpability - Neither the Auctioneer nor a legitimate bidder can forge a valid signature of a bidder.

Coalition-resistance - No coalition of bidders can frame an innocent bidder by fabricating a bid.

Robustness - The auction process must not be affected by invalid bids or by participants not following the correct auction protocol.

SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY


Anonymity - The bidder-bid relationship must be concealed so that no bidder can be associated or identified with the bid they submit.

One-time registration - Registration is a one-off procedure, which means that once a bidder has registered, they can participate in future auctions held by the Auctioneer.

Unlinkability - Bids are unlinkable within an auction, and also between plural auctions.

Traceability - Once a bidder has submitted a bid, they must not be able to repudiate having made it. Otherwise, if a bidder wins and does not want to pay, they might deny that they submitted the winning bid. In this event the identity of the bidder who submitted the bid in question can be revealed.

Revocation - Malicious bidders can be easily revoked from all future auctions.

English auctions are open bid, and the timely nature of the auction process raises several further concerns. The flexibility of closing rules for English auctions introduces the following unique requirements:

Unskewability - The Auctioneer must not be able to alter the auction timing, for example by speeding up its clock in an attempt to close the auction early, or by slowing the auction down to keep the bidding process active beyond the official timeout.

Unblockability - The Auctioneer cannot selectively block bids based on bid amount or the identity of the bidder.

Conditional bid cancellation - In online auctions using an expiration time, it is common for the auction to continue for days or weeks. In this situation a bidder might be reluctant to make such an open-ended bid. Therefore, depending on the closing rule and the stage of the auction, it is desirable to allow bidders to conditionally cancel bids. Note that bidders should not be able to cancel bids when an auction is in a timeout stage, and cancellation must only be done in strict accordance with the Auctioneer’s bid cancellation policy.

2 EXISTING ENGLISH AUCTION SCHEMES

Discussions regarding security for English auctions can be found in (Kumar and Feldman, 1998; Trevathan et al., 2005). Several “secure” English auction schemes have been proposed by (Lee et al., 2001; Nguyen and Traore, 2000; Omote and Miyaji, 2001; Stubblebine and Syverson, 1999). The first scheme is due to (Stubblebine and Syverson, 1999). This scheme requires bidders to register with the Auctioneer. The Auctioneer must periodically timestamp the auction proceedings with a Notary to prove to bidders that it is not skewing its clock. Bidders submit bids using a reverse hash chain and secret bid commitments. This is done to ensure that the Auctioneer cannot block bids, and that bidders are not able to repudiate bids. The auction proceedings are recorded on a public bulletin board that is readable by everyone, but can only be written to by the Auctioneer.

We have identified the following problems with this scheme:

1. There is no anonymity for the bidders.

2. Bids are linkable, meaning that the Auctioneer can create profiles about individual bidders and their bidding strategies.

3. All parties must trust the Notary (i.e., to ensure the correct timing is maintained).

(Omote and Miyaji, 2001) refine a scheme by (Nguyen and Traore, 2000) that uses a form of modified group signature (Ateniese et al., 2000; Camenisch and Stadler, 1997; Chaum and van Heyst, 1991). This scheme allows a bidder to register once and participate in any number of auctions held by the Auctioneer. Bids are claimed to be unlinkable between different auctions, but linkable within a particular auction. This is achieved by requiring the bidder to calculate a new signature generation key prior to each auction.

In this scheme there are two managers responsible for conducting the auction. The Registration Manager (RM) secretly knows the correspondence of the bidder’s identity and registration key. RM works as an identity escrow agency. The Auction Manager (AM) hosts the auction and prepares bidders’ auction keys in each round.

We have identified the following problems with this scheme:

1. All bidders must update their keys between each round of auctioning, which is essentially equivalent to re-registering. Therefore, this negates the authors’ claims that registration is a one-off procedure.

2. AM can skew its clock and/or selectively block bids.

3. Revoking a bidder is inefficient as it requires AM to reissue new keys to all of the existing bidders.

4. (Lee et al., 2001) describe a flaw in this scheme during the winner announcement stage. Here AM is able to erroneously inform any bidder that they have won without being publicly verifiable. Lee et al. propose a solution. However, this introduces several more bulletin boards and requires computations that are an order of magnitude slower.

5. Bids are linkable within a current auction, but unlinkable between plural auctions. The motivation for this is stated as the auction participants gain utility in terms of entertainment from viewing the auction. For example, when there is a rally between two particular bidders, observers enjoy knowing how many bids a bidder has submitted.

With regard to the last point, it is our opinion that in an anonymous auction scheme all bids (whether in the same auction or not) must be totally unlinkable. Observers can still see a rally; however, there is no need to know exactly whom the bids are coming from. Our scheme, described in the next section, does not allow bids to be linked within the same auction or between plural auctions.

3 COMPONENTS OF OUR SCHEME

The auction has four parties:

A Bidder, who is interested in buying an item from a seller in an English auction.

An Auction Manager (AM), who organises the auction proceedings, accepts bids and determines the winner according to whoever has submitted the highest bid. To participate in an auction, a bidder presents his/her real identity to AM. AM issues the bidder with a token that allows him/her to register.

A Registration Manager (RM), who takes part in the protocol in order to complete the registration of a bidder, once a token has been obtained from AM. At the end of the protocol, the bidder obtains a secret key that enables him/her to generate signed bids in a proper format.

An Auction Helper (AH), who aids AM in accepting bids and determining the winner. AH is owned by a separate company and is tasked with ensuring that AM does not alter its clock or block bids.

The scheme uses a two-server trust approach that can be broken down into two subsystems: the anonymity subsystem and the auction subsystem (see Figure 1). The anonymity subsystem protects the anonymity of the bidders provided the AM and RM do not collude. The auction subsystem ensures the correct outcome of the auction as long as AM and AH do not collude. There is no trust assumed between RM and AH.

Each bidder, AM and AH are connected to a common broadcast medium with the property that messages sent to the channel instantly reach every party connected to it. The broadcast channel is public so that everybody can listen to all information communicated via the channel, but cannot modify it. It is also assumed that there are private channels between RM and any potential bidders (who wish to join the auction proceedings).

3.1 Group Signatures

To join an auction, a bidder must first register with RM (who plays the role of a group manager in a group signature scheme). Once registered, a bidder can participate in the auction by signing bids using the group signature. Bids are submitted to an independent AM who runs the auction (with the help of AH, which is explained later). AM (and AH) post the auction results on a publicly verifiable bulletin board.

One of the most efficient and popular proposals for group signature schemes is due to (Ateniese et al., 2000). This is the group signature scheme that is used for the basis of our auction protocol. The (Ateniese et al., 2000) group signature scheme informally works as follows:

Let $n = pq$ be an RSA modulus, where $p$ and $q$ are two safe primes (i.e., $p = 2p' + 1$, $q = 2q' + 1$, and $p'$, $q'$ are also prime numbers). Denote by $QR(n)$ the set of quadratic residues, a cyclic group generated by an element of order $p'q'$. The group public key is $Y = (n, a, a_0, y = g^x, g, h)$, where $a, a_0, g, h$ are randomly selected elements from $QR(n)$. The secret key of the group manager is $x$.

To join the group, a user (bidder $i$) must engage in a protocol with the group manager (i.e., RM and AM) and receive a group certificate $[B_i, e_i]$ where $B_i = (a^{x_i} a_0)^{1/e_i} \bmod n$ with $e_i$ and $x_i$ chosen from two integral ranges as defined in (Ateniese et al., 2000). ($x_i$ is only known to the user/bidder.)

In order to sign a message/bid, $m$, the user/bidder has to prove possession of his member certificate $[B_i, e_i]$ without revealing the certificate itself. More precisely, the user/bidder computes:

$$T_1 = B_i y^w \bmod n, \quad T_2 = g^w \bmod n, \quad T_3 = g^{e_i} h^w \bmod n, \quad SK(m)$$

where the value $SK(m)$, computed over a message $m$, indicates a signature of knowledge of the secret key $x_i$ and the $e_i$th root of the first part of the representation of $T_3$ (in the implementation of our scheme, the exact signature generation and verification procedures will be presented).

In the case of a dispute, the group manager can open a signature that reveals the identity of the signer. This is due to the fact that the pair $(T_1, T_2)$ is an ElGamal encryption of the user’s certificate (using the public key of the group manager). That is, the group manager can compute $B_i$, using $B_i = T_1/(T_2)^x$.


Figure 1: The Auction Model.

In certain circumstances users must be revoked from the group. For example, a membership expires or a user misbehaves. Reissuing keys to all existing group members is unwieldy and inefficient for a large group. Using a certificate revocation list to blacklist malicious bidders requires the verifier of the signature to check a list that is linear in the number of revoked users.

(Camenisch and Lysyanskaya, 2002) propose a scheme based on a dynamic accumulator that requires a member to prove that they have not been revoked. Informally, an accumulator is a method to combine a set of values into one short accumulator such that there is a short witness that a given value was incorporated into the accumulator. It is infeasible to find a witness for a value that is not in the accumulator. A dynamic accumulator allows values to be added and deleted from the accumulator at unit cost. By incorporating dynamic accumulators into a group signature scheme, revocation can easily be performed by deleting a member’s value from the accumulator.

A user must check the accumulator prior to signing. This requires an online link between the group manager and the users. In terms of an auction, a bidder must check the accumulator each time they submit a bid. This is reasonable for English auctions, as there is a real-time communication link between the Auctioneer and bidders anyway.

The (Camenisch and Lysyanskaya, 2002) dynamic accumulator scheme can be defined as follows: A dynamic accumulator for a family of inputs $\{X_1\}$ is a family of families of functions $\{F_1\}$ with the following properties:

Efficient generation: There is an efficient probabilistic algorithm $G$ that on input $1^k$ produces a random element $f$ of $F_k$. Moreover, along with $f$, $G$ also outputs some auxiliary information about $f$, denoted $aux_f$.

Efficient evaluation: $f \in F_k$ is a polynomial-size circuit that, on input $(u, x) \in U_f \times X_k$, outputs a value $v \in U_f$, where $U_f$ is an efficiently-samplable input domain for the function $f$; and $X_k$ is the intended input domain whose elements are to be accumulated.

Quasi-commutative: For all $k$, for all $f \in F_k$, for all $u \in U_f$, for all $x_1, x_2 \in X_k$, $f(f(u, x_1), x_2) = f(f(u, x_2), x_1)$. If $X = \{x_1, \ldots, x_m\} \subset X_k$, then by $f(u, X)$ we denote $f(f(\ldots(u, x_1), \ldots), x_m)$.

Witness: Let $v \in U_f$ and $x \in X_k$. A value $w \in U_f$ is called a witness for $x$ in $v$ under $f$ if $v = f(w, x)$.

Addition: Let $f \in F_1$, and $v = f(u, X)$ be the accumulator so far. There is an efficient algorithm $A$ to accumulate a given value $x' \in X_1$. The algorithm outputs:

1. $X' = X \cup \{x'\}$ and $v' = f(v, x') = f(u, X')$;

2. $w'$ which is the witness for $x \in X$ in $v'$.

Deletion: Let $f \in F_1$, and $v = f(u, X)$ be the accumulator so far. There exist efficient algorithms $D$, $W$ to delete an accumulated value $x' \in X$. The functionality of the algorithms includes:

1. $D(aux_f, v, x') = v'$ such that $v' = f(u, X \setminus \{x'\})$, and

2. $W(w, x, x', v, v') = w'$ such that $f(w', x) = v'$, where $x \in X$ and $f(w, x) = v$.

The (Camenisch and Lysyanskaya, 2002) dynamic accumulator scheme is based on the strong RSA assumption and accumulates prime numbers (i.e., the primes used for the membership certificates in the (Ateniese et al., 2000) group signature scheme). The scheme also provides a proof that a committed value was accumulated (we will omit these details). The construction of a dynamic accumulator where the domain of accumulated values consists of prime numbers is as follows:


- $F_k$ is the family of functions that correspond to exponentiating modulo safe-prime products drawn from the integers of length $k$. Choosing $f \in F_k$ amounts to choosing a random modulus $n = pq$ of length $k$, where $p = 2p' + 1$, $q = 2q' + 1$, and $p, p', q, q'$ are all prime. We will denote $f$ corresponding to modulus $n$ and domain $X_{A,B}$ by $f_{n,A,B}$.

- $X_{A,B}$ is the set $\{e \in \text{primes} : e \neq p', q' \wedge A \leq e \leq B\}$, where $A$ and $B$ can be chosen with arbitrary polynomial dependence on the security parameter $k$, as long as $2 < A$ and $B < A^2$. $X'_{A,B}$ is (any subset of) the set of integers from $[2, A^2 - 1]$ such that $X_{A,B} \subseteq X'_{A,B}$.

- For $f = f_n$, the auxiliary information $aux_f$ is the factorisation of $n$.

- For $f = f_n$, $U_f = \{u \in QR_n : u \neq 1\}$ and $U'_f = Z^*_n$.

- For $f = f_n$, $f(u, x) = u^x \bmod n$. Note that $f(f(u, x_1), x_2) = f(u, \{x_1, x_2\}) = u^{x_1 x_2} \bmod n$.

- Update of the accumulator value. Adding a value $\tilde{x}$ to the accumulator value $v$ can be done as $v' = f(v, \tilde{x}) = v^{\tilde{x}} \bmod n$. Deleting a value $\tilde{x}$ from the accumulator is as follows: $D((p, q), v, \tilde{x}) = v^{\tilde{x}^{-1} \bmod (p-1)(q-1)} \bmod n$.

- Update of a witness. Updating a witness $u$ after $\tilde{x}$ has been added can be done by $u' = f(u, \tilde{x}) = u^{\tilde{x}}$. In case $\tilde{x} \neq x \in X_k$ has been deleted from the accumulator, the witness $u$ can be updated as follows. By the extended GCD algorithm, one can compute the integers $a, b$ such that $ax + b\tilde{x} = 1 \bmod n$ and then $u' = W(u, x, \tilde{x}, v, v') = u^b v'^a$.

4 THE AUCTION PROTOCOL

This section describes the auction protocol. A high-level view of the protocol is given in Figure 2. Lines depict communication between parties while the dashed circles indicate stages in the protocol. Lines that pass through the dashed circles are communications that are performed during the particular stage.

4.1 Setup

Most activities of this stage need to be performed only once (in order to establish the auction proceedings). Let $\lambda_1$, $\lambda_2$, $\gamma_1$, and $\gamma_2$ be some lengths, $\Lambda$, $\Gamma$ be some integral ranges, and $H(\cdot)$ be a collision-resistant hash function. RM sets up the group public key and his secret key by performing the following steps:

1. Chooses two safe primes $p$ and $q$ (i.e., $p = 2p' + 1$ and $q = 2q' + 1$, where $p'$ and $q'$ are prime numbers) and sets the RSA modulus $n = pq$

2. Chooses random elements $a, a_0, g, h \in QR(n)$

3. Chooses a secret element $x \in_R Z^*_{p'q'}$ and sets $y = g^x \bmod n$

4. Publishes the group public key as $Y = (n, a, a_0, y, g, h)$

5. Creates the public modulus $n$ for the accumulator, chooses a random $u \in QR_n$ and publishes $(n, u)$

6. Sets up (empty for now) public archives $E_{add}$ for storing values that correspond to added users and $E_{delete}$ for storing values that correspond to deleted users

4.2 Registration

A user submits a request to AM to participate in the auction proceedings. AM verifies the identity of the requestor, and issues a token that is verifiable by RM. The user then takes part in a protocol with RM, in order to obtain his/her secret key and a certificate of membership in the auction proceedings. Note that the token does not carry the real identity of the bidder. All communication between RM and the owner of a token is authenticated and recorded. The protocol between a new bidder $i$ and RM is as follows (checks that values are chosen from proper intervals, that the user knows discrete logarithms of values, etc. are omitted):

1. Bidder $i$ selects random exponents $x'_i$, $r$ and sends $C_1 = g^{x'_i} h^r \bmod n$ to the RM

2. RM checks that $C_1 \in QR(n)$. If this is the case, RM selects random values $\alpha_i$, $\beta_i$ and sends them to bidder $i$

3. Bidder $i$ computes $x_i = 2^{\lambda_1} + (\alpha_i x'_i + \beta_i \bmod 2^{\lambda_2})$ and sends to RM the value $C_2 = a^{x_i} \bmod n$

4. RM checks that $C_2 \in QR(n)$. If this is the case, RM selects a random $e_i \in \Gamma$ and computes $B_i = (C_2 a_0)^{1/e_i} \bmod n$, then sends the membership certificate $[B_i, e_i]$ to bidder $i$ (note that $B_i = (a^{x_i} a_0)^{1/e_i} \bmod n$)

5. Bidder $i$ verifies that $a^{x_i} a_0 = B_i^{e_i} \bmod n$

6. Add the current $u$ to the bidder’s membership certificate. Update $u$: $u = f_n(u, e_i)$. Update $E_{add}$: store $e_i$ there

7. Verify that $f_n(u_i, e_i) = u_i^{e_i} = u$

RM creates a new entry in the membership table and stores bidder $i$’s membership certificate $[B_i, e_i]$ and a transcript of the registration process in this location.

4.3 Setup - Before Each Auction

AM organises the auction (i.e., advertising and calls for auction). AM posts information to the bulletin board regarding the auction including the auction id (which uniquely identifies the auction), the reserve price (minimum winning price that will be accepted), the auction starting time and the auction closing rules.

Figure 2: The Auction Protocol.

4.4 Bidding

Using a membership certificate $[B_i, e_i]$, a bidder can generate anonymous and unlinkable group signatures on a bid $m$. $m$ contains the auction id and the amount of the bid (i.e., $m = \text{id} \parallel \text{bid value}$). Bidder $i$ submits a bid $m$ to both AM and AH signed using his/her secret key.

Update Membership - Prior to submitting a bid, a bidder must check if there have been any changes to the group (i.e., new bidders have been added, or other bidders have been revoked). If this is the case, a bidder must perform a membership update. This is done as follows:

An entry in the archive is called “new” if it was entered after the last time bidder $i$ performed an update.

1. Let $y$ denote the old value of $u$

2. For all new $e_j \in E_{add}$, $u_i = f(u_i, \prod e_j) = u_i^{\prod e_j}$ and $y = y^{\prod e_j}$

3. For all new $e_j \in E_{delete}$, $u_i = W(u_i, e_i, \prod e_j, y, u)$ (Note that as a result $u = f(u_i, e_i)$)

Sign Bid - In order to generate a signature on a message/bid, $m$, bidder $i$ performs the following:

1. Chooses a random value $w$ and computes:

$$T_1 = B_i y^w \bmod n, \quad T_2 = g^w \bmod n, \quad T_3 = g^{e_i} h^w \bmod n$$

2. Chooses $r_1, r_2, r_3, r_4$ (randomly) from predetermined intervals and computes:

(a) $d_1 = T_1^{r_1}/(a^{r_2} y^{r_3})$, $d_2 = T_2^{r_1}/(g^{r_3})$, $d_3 = g^{r_4}$, and $d_4 = g^{r_1} h^{r_4}$ (all in mod $n$),

(b) $c = H(g \parallel h \parallel y \parallel a_0 \parallel a \parallel T_1 \parallel T_2 \parallel T_3 \parallel d_1 \parallel d_2 \parallel d_3 \parallel d_4 \parallel m)$,

(c) $s_1 = r_1 - c(e_i - 2^{\xi_1})$, $s_2 = r_2 - c(x_i - 2^{\lambda_1})$, $s_3 = r_3 - c e_i w$, and $s_4 = r_4 - cw$ (all in $Z$).

3. In addition to $T_1$, $T_2$, and $T_3$ the bidder computes the values $C_e = g^e h^{r_1}$, $C_u = u h^{r_2}$, and $C_r = g^{r_2} h^{r_3}$ and sends them to AM, with random choices $r_1, r_2, r_3 \in_R Z_{[n/4]}$

4. The output is $(c, s_1, s_2, s_3, s_4, r_1, r_2, r_3, r_4, T_1, T_2, T_3, C_e, C_u, C_r)$

Prove Membership/Verify Bid - AM and AH check the validity of the bidder’s signature using the group’s public key $Y$. A bid of the correct form is considered to be valid and is included in the auction (i.e., posted on the bulletin board). An invalid bid is discarded. There are two copies of the bid on the bulletin, one posted by AM and the other posted by AH. AM and AH verify the signature on the bid as follows:

1. Compute (all in mod $n$):

$$c' = H\big(g \parallel h \parallel y \parallel a_0 \parallel a \parallel T_1 \parallel T_2 \parallel T_3 \parallel (a_0^{c} T_1^{s_1 - c2^{\xi_1}})/(a^{s_2 - c2^{\lambda_1}} y^{s_3}) \parallel (T_2^{s_1 - c2^{\xi_1}})/(g^{s_3}) \parallel T_2^{c} g^{s_4} \parallel T_3^{c} g^{s_1 - c2^{\xi_1}} h^{s_4} \parallel m\big)$$

2. AM, AH and the bidder engage in a protocol to prove membership (see (Camenisch and Lysyanskaya, 2002) for details)

3. Accept the signature if and only if $c = c'$, and the parameters $s_1, s_2, s_3, s_4$ lie in the proper intervals

Bid Cancellation - If a bidder desires to cancel a bid, they must send a copy of the bid they wish to cancel and a CANCEL message signed using his/her group key to both AM and AH. Upon receiving the CANCEL message, AM and AH check the bidder’s signature on the message using the group’s public key $Y$. If the signature is valid, AM and AH then check what stage the auction is in. If the auction close rule is currently in an expiration time stage, AM and AH each post a message to the bulletin stating that the particular bid has been cancelled. If the auction is currently in a timeout stage, the CANCEL message is discarded and the bid remains in effect.

4.5 Winner Determination

Once the auction has closed, AM and AH then determine the auction outcome according to which bidder has made the highest bid. The winning bidder can produce a copy of the signed bid as evidence that they have won.

4.6 Traceability

In the event of a dispute, RM (with the help of AM)

can open the signature on a bid to reveal which bidder

is the original signer. This process is as follows:

1. Check the signature’s validity via the verification procedure.

2. Recover $B_i$ (and thus the identity of bidder $i$) as $B_i = T_1 / T_2^{x} \bmod n$.

RM then checks the registration transcripts, and determines the token associated with this certificate. AM, who knows the relation between tokens and real identities, can determine the identity of the bidder. Note that in our scheme, revealing the identity of a bidder does not reveal any information about his/her past bids.
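The opening step and the split of knowledge between RM and AM can be traced in a few lines. This is an added example, not code from the paper: it assumes the encoding $T_1 = B_i y^w$, $T_2 = g^w$ with $y = g^x$ from (Ateniese et al., 2000), and the toy modulus, opening key, certificates, tokens and bidder names are all constructed.

```python
import secrets

# Constructed toy parameters: n = 23 * 47 (two safe primes), far too small for real use.
N = 23 * 47
G = 4                       # quadratic residue mod n, order 253
X = 57                      # opening key x (assumed here to be held by RM only)
Y = pow(G, X, N)            # public y = g^x mod n

# Constructed registration state, split between the two parties.
RM_TRANSCRIPTS = {9: "token-7f3a", 16: "token-c21e"}              # certificate B_i -> token
AM_TOKENS = {"token-7f3a": "bidder-A", "token-c21e": "bidder-B"}  # token -> real identity

def blind_certificate(b_i, w=None):
    """Bidder: hide certificate B_i as (T1, T2) = (B_i * y^w, g^w) mod n."""
    if w is None:
        w = secrets.randbelow(252) + 1
    return b_i * pow(Y, w, N) % N, pow(G, w, N)

def rm_open(t1, t2):
    """RM: recover B_i = T1 / T2^x mod n and look up the registration token."""
    b_i = t1 * pow(pow(t2, X, N), -1, N) % N
    return b_i, RM_TRANSCRIPTS.get(b_i)

def am_identify(token):
    """AM: map a registration token to a real identity (RM has no such table)."""
    return AM_TOKENS.get(token)

def trace(t1, t2):
    """Dispute resolution: RM opens the signature, AM resolves the token."""
    b_i, token = rm_open(t1, t2)
    return b_i, token, am_identify(token)

if __name__ == "__main__":
    for _ in range(2):      # same certificate, fresh w: normally a different (T1, T2)
        t1, t2 = blind_certificate(16)
        print((t1, t2), "->", trace(t1, t2))
```

RM's output stops at the token; only the lookup held by AM turns it into an identity, which is the division of trust the scheme relies on.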

4.7 Revocation

When a bidder has been caught breaking the auction rules, they can be permanently revoked from the auction proceedings by cancelling the bidder’s ability to sign future bids. To achieve this, the bidder’s prime number used in his/her membership certificate is not included when the dynamic accumulator is updated. This can be done as follows: Retrieve $e_i$, which is the prime number corresponding to the bidder’s membership certificate. Update $u$: $u = D(\psi(n), u, e_i)$. Update $E_{delete}$: store $e_i$ there.
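A toy run of this revocation step follows, added here as an illustration and not taken from the paper. It assumes that ψ(n) is Euler's totient of n and that D and the witness update follow (Camenisch and Lysyanskaya, 2002); the modulus, accumulator seed, primes and bidder labels are constructed.

```python
P, Q = 23, 47                          # toy safe primes (constructed; not secure sizes)
N, PHI = P * Q, (P - 1) * (Q - 1)      # the totient is the accumulator manager's trapdoor

def delete(u, e_i):
    """D(psi(n), u, e_i): return u^(1/e_i mod psi(n)) mod n."""
    return pow(u, pow(e_i, -1, PHI), N)

def egcd(a, b):
    """Return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def update_witness(w_j, e_j, u_new, e_deleted):
    """Remaining bidder j refreshes its witness after e_deleted is removed.
    With a*e_j + b*e_deleted == 1, the new witness is w_j^b * u_new^a mod n."""
    g, a, b = egcd(e_j, e_deleted)
    if g != 1:
        raise ValueError("the deleted prime has no valid witness update")
    return pow(w_j, b, N) * pow(u_new, a, N) % N

def is_member(w, e, u):
    """Check made before a bid is accepted: w^e == u (mod n)."""
    return pow(w, e, N) == u

def revoke_demo():
    primes = {"bidder1": 3, "bidder2": 5, "bidder3": 7}   # constructed e_i values
    base = 4                                              # constructed accumulator seed
    u = pow(base, 3 * 5 * 7, N)                           # all three primes accumulated
    wit = {b: pow(base, 105 // e, N) for b, e in primes.items()}
    e_delete = []                                         # the paper's E_delete list
    revoked = primes["bidder2"]
    u_new = delete(u, revoked)                            # u = D(psi(n), u, e_i)
    e_delete.append(revoked)
    for b in ("bidder1", "bidder3"):                      # only non-revoked bidders can update
        wit[b] = update_witness(wit[b], primes[b], u_new, revoked)
    status = {b: is_member(wit[b], primes[b], u_new) for b in primes}
    return u_new, e_delete, status

if __name__ == "__main__":
    print(revoke_demo())
```

The manager performs one exponentiation regardless of group size, and each remaining bidder needs only the published $e_i$ and the new $u$ to stay valid, while the revoked bidder's witness stops verifying.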

5 SECURITY

This section provides an informal security analysis

of the online English auction scheme presented in

this paper based on the characteristics described in

Section 1.2.

Unforgeability - Only bidders that are members of the group are able to sign messages on behalf of the group. This is due to the unforgeability of the underlying group signature.

Anonymity - Given a valid signature $(c, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$, identifying the actual signer is computationally difficult. Determining which bidder with certificate $[B_i, e_i]$ has signed a bid requires deciding whether the three discrete logarithms $\log_y T_1/B_i$, $\log_g T_2$, and $\log_g T_3/g^{e_i}$ are equal. This is assumed to be infeasible under the decisional Diffie-Hellman assumption, and thus anonymity is guaranteed. Note that in our auction, RM can figure out the certificate associated with each signature, but cannot determine the identity of the bidder associated with this certificate.

Unlinkability - Deciding if two signatures $(c, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$ and $(\tilde{c}, \tilde{s}_1, \tilde{s}_2, \tilde{s}_3, \tilde{s}_4, \widetilde{T}_1, \widetilde{T}_2, \widetilde{T}_3)$ were computed by the same bidder is computationally hard (with the same argument as for anonymity).

Exculpability - Neither a bidder nor AM, AH and/or RM can sign on behalf of another bidder. This is because the secret key $x_i$ associated to user $i$ is computationally hidden from RM. RM, at most, can learn $a^{x_i} \bmod n$, which cannot help him to learn the exponent $x_i$ (since the discrete logarithm over the safe composite modulo $n$ is difficult).

Coalition-resistance - This is due to the following theorem: (Ateniese et al., 2000) Under the strong RSA assumption, a group certificate $[B_i = (a^{x_i} a_0)^{1/e_i} \bmod n,\ e_i]$ with $x_i \in \Lambda$ and $e_i \in \Gamma$ can be generated only by the group manager provided that the number $K$ of certificates the group manager issues is polynomially bounded.

Verifiability - All bids (including signatures) are posted to the public bulletin, therefore all parties can verify the auction outcome.

Robustness - Invalid bids will not be posted to the bulletin board. Moreover, malicious bidders will be revoked from the system, and thus cannot affect the auction outcome.

Traceability - RM is always able to open a valid signature and, with the help of AM, identify the signer of the bid.

Table 1: Comparison of CDA schemes.

               SS99      OM01        Our Scheme   TX03
Registration   1 exp.    480 mul.    30 exp.      2 exp.
Signing        1 exp.    240 mul.    25 exp.      17 exp.
Verification   1 exp.    320 mul.    21 exp.      16 exp.
Revocation     N/A       O(ℓ)        O(1)         O(1)

Revocation - Bidders can be easily revoked from future auctions if they have broken the auction rules. See Theorem 2 in (Camenisch and Lysyanskaya, 2002).

One-time registration - Once a bidder has received a signature generation key, they are free to participate in future auctions.

Unskewability - AH observes AM’s clock (and vice versa), therefore any clock skews will not go unnoticed. AM’s clock can be trusted as long as both AM and AH do not collude.

Unblockability - A bidder must submit his/her bids to both AM and AH, who post the bid on the bulletin board. If either tries to block a bid, then only one confirmation of the bid will be posted to the bulletin board, which will indicate that one of the parties has blocked a bid. Bids cannot be blocked unless AM and AH collude.

Conditional bid cancellation - Bidders can conditionally cancel bids by sending a CANCEL message to AM and AH as long as the auction is not in a timeout stage.

6 EFFICIENCY

This section discusses the efficiency considerations of the new scheme. We contrast our approach with the existing English auction schemes. Table 1 shows the amount of work performed during each major stage of the auction in terms of the number of modular exponentiations (exp) or multiplications (mul) required. The schemes compared include: (Stubblebine and Syverson, 1999) (SS99), (Omote and Miyaji, 2001) (OM01), our scheme, and (Tsudik and Xu, 2003) (TX03). ((Tsudik and Xu, 2003) is an alternate implementation of our approach.)

The registration, signing and verification procedures for SS99 are relatively efficient. However, SS99 do not protect a bidder’s identity, nor do they discuss revocation issues. To incorporate revocation into this scheme, it is likely that the registration procedure would have to be repeated between auctions. Furthermore, SS99 do not address the issue of one-time registration. Once again, bidders would have to repeat the registration process for each auction they want to participate in.

OM01 is significantly less efficient than SS99. OM01 does not address bid cancellation whereas SS99 does. Furthermore, OM01 does not prevent the Auctioneer from skewing its clock. However, OM01 protects a bidder’s identity and addresses one-time registration. The cost of one-time registration in OM01 is issuing new keys to bidders between auctions, which is essentially equivalent to re-registering. The revocation method in OM01 is tied in with the one-time registration mechanism and therefore must also be repeated between each auction. To revoke a bidder requires the Auctioneer to perform work proportional to O(ℓ) where ℓ is the number of bidders.

In contrast, our scheme has the most practical one-time registration procedure. That is, once a bidder has registered, there is no work required to retain membership other than regularly checking the accumulator. We address bid cancellation, clock-skewing and privacy concerns. To revoke a bidder, the Auctioneer only has to update the accumulator. Bidders must check the accumulator value prior to each bid, which is a constant operation. Our auction scheme can also be implemented using TX03, which has significant efficiency gains.

The efficiency of our scheme is comparable to the existing proposals. First of all, our scheme has an enhanced set of security requirements that are much more comprehensive. Furthermore, our scheme clearly has the most efficient revocation method. In addition, we have the most practical one-time registration procedure.

7 CONCLUSIONS

This paper presented a scheme for conducting secure and anonymous online English auctions. Such a scheme is vital for protecting the security and anonymity of participants who engage in online auctioning. The timeliness of information and verifiability of the Auctioneer’s actions are critical in an online English auction. We have shown that the existing “secure” English auction schemes are inadequate for the task. The scheme by (Stubblebine and Syverson, 1999) does not provide anonymity for the bidders and requires all parties to trust a public Notary. The scheme by (Omote and Miyaji, 2001) does not prevent an Auctioneer from skewing his/her clock or from blocking bids.

In direct contrast, our scheme solves all of the problems of the existing schemes and has a more comprehensive set of security requirements. We use a group signature to provide verification of bids and to protect the identities of bidders. The group signature is modified so that the identity of a bidder is divided among two separate parties (i.e., the anonymity subsystem). The role of the Auctioneer is also divided among two parties to prevent clock-skewing and bid-blocking (i.e., the auction subsystem). The scheme has comparable efficiency to the existing proposal for its enhanced security and privacy characteristics. The efficiency and security of the scheme rests with the underlying group signature scheme used. Our approach offers the client flexibility in choosing from any group signature scheme. The scheme offers efficient one-time registration and revocation procedures that are clearly better suited to handling multiple auctions than existing proposals.

REFERENCES

Ateniese, G., Camenisch, J., Joye, M. and Tsudik, G. (2000). A Practical and Provably Secure Coalition-Resistant Group Signature Scheme, in Advances in Cryptology - Proceedings of CRYPTO 2000, vol. 1880 of Lecture Notes in Computer Science, Springer-Verlag, 255-270.

Ateniese, G., Song, D. and Tsudik, G. (2002). Quasi-Efficient Revocation of Group Signatures, in Proceedings of Financial Cryptography, vol. 2357 of Lecture Notes in Computer Science, Springer-Verlag, 183-197.

Boyd, C. and Mao, W. (2000). Security Issues for Electronic Auctions, Technical Report, Hewlett Packard, TR-HPL-2000-90.

Camenisch, J. and Lysyanskaya, A. (2002). Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials, in Advances in Cryptology - Proceedings of CRYPTO 2002, vol. 2442 of Lecture Notes in Computer Science, Springer-Verlag, 61-76.

Camenisch, J. and Stadler, M. (1997). Efficient Group Signature Scheme for Large Groups, in Advances in Cryptology - Proceedings of CRYPTO ’97, vol. 1294 of Lecture Notes in Computer Science, Springer-Verlag, 410-424.

Chaum, D. and van Heyst, E. (1991). Group Signatures, in Advances in Cryptology - Proceedings of EUROCRYPT ’91, vol. 547 of Lecture Notes in Computer Science, Springer-Verlag, 257-265.

Franklin, M. and Reiter, M. (1996). The Design and Implementation of a Secure Auction Service, IEEE Transactions on Software Engineering, vol. 22, 302-312.

Kumar, M. and Feldman, S. (1998). Internet Auctions, in Proceedings of the Third USENIX Workshop on Electronic Commerce, 49-60.

Lee, B., Kim, K. and Ma, J. (2001). Efficient Public Auction with One-time Registration and Public Verifiability, in International Conference on Cryptology in India - Proceedings of INDOCRYPT 2001, vol. 2247 of Lecture Notes in Computer Science, Springer-Verlag, 162-174.

Naor, M., Pinkas, B. and Sumner, R. (1999). Privacy Preserving Auctions and Mechanism Design, in The 1st ACM Conference on Electronic Commerce, 129-139.

Nguyen, K. and Traore, J. (2000). An On-line Public Auction Protocol Protecting Bidder Privacy, in Proceedings of ACISP 2000 - Australasian Conference on Information Security and Privacy, vol. 1841 of Lecture Notes in Computer Science, Springer-Verlag, 427-442.

Omote, K. and Miyaji, A. (2001). A Practical English Auction with One-Time Registration, in Proceedings of ACISP 2001 - Australasian Conference on Information Security and Privacy, vol. 2119 of Lecture Notes in Computer Science, Springer-Verlag, 221-234.

Stubblebine, S. and Syverson, P. (1999). Fair On-line Auctions Without Special Trusted Parties, in Proceedings of Financial Cryptography 1999, vol. 1648 of Lecture Notes in Computer Science, Springer-Verlag, 230-240.

Tsudik, G. and Xu, S. (2003). Accumulating Composites and Improved Group Signing, in Advances in Cryptology - Proceedings of ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, Springer-Verlag, 269-286.

Trevathan, J. (2005). Security, Anonymity and Trust in Electronic Auctions, Association for Computing Machinery Crossroads, Spring Edition, 3-9, vol. 11.3.

Trevathan, J., Ghodosi, H. and Read, W. (2005). Design Issues for Electronic Auctions, in 2nd International Conference on E-Business and Telecommunication Networks, 340-347.

Trevathan, J., Ghodosi, H. and Read, W. (2006). An Anonymous and Secure Continuous Double Auction Scheme, in 39th International Hawaii Conference on System Sciences, 125(1-12).

Viswanathan, K., Boyd, C. and Dawson, E. (2000). A Three Phased Schema for Sealed Bid Auction System Design, Proceedings of ACISP 2000 - Australasian Conference on Information Security and Privacy, vol. 1841 of Lecture Notes in Computer Science, Springer-Verlag, 412-426.

SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY
