A Two-Server Auction Scheme

Ari Juels and Mike SzydloFinancial Cryptography ‘02

12 March 2002

Auctions increasingly popular 2.6 million new auctions per day on eBay in 2000

– About three auctions per year for every inhabitant of U.S.

Attempted auctions (and hoaxes) in ‘99:– A healthy kidney (high bid: $5.7 million)– A military rocket launcher

– 200 pounds of cocaine

– A team of software engineers

– A baby (high bid: $109,100)

– A teenage boy selling his virginity (high bid: $10 million)

popular with all sorts...

Former Sotheby's chairman guiltyBBC News, 6 December 2001

The former chairman of auction house Sotheby's has been found

guilty in New York of conspiring to fix art prices after two days

of jury deliberations.

Diebenkorn Shilling Case Draws FBI ProbeThe fallout from Kenneth A. Walton's failed eBay auction of a

"great big wild abstract painting" continues today…

eBay vs. Sealed-bid

I bid$500

Pseudonymous (eBay)

I bid$500

Sealed-bid

•Great sporting event

•One-round•Transparent participation•Psychologically neutral

•Time-bounded•Masks identities•Facilitates, e.g., shilling

•Fungible goods•“Serious” auctions

Alice

Bob

Duke

Cate

Sealed-Bid Auctions

f(x1,x2,x3,x4)

= winner

f

Alice

Bob

Duke

Catex1

x2

x3

x4

Sealed-Bid Auctions

f(x1,x2,x3,x4)

= winner

f

Alice

Bob

Duke

Catex1

x2

x3

x4

General Secure MultipartyComputation (GSMC )

The Literature on Sealed-Bid Auctions

Most sealed-bid systems get away from inefficiencies of GSMC– Weakened trust models– Specifying function f as “maximum”

Some tailor GSMC to auctions– JJ00– NPS99 (Naor, Pinkas, and Sumner)

Winner:

Cate!

Alice Bob Duke Cate

NPS at a glance

f

Features of NPS Use of exactly two servers gives many

benefits (Yao construction) One round of interaction for bidders -- and no

latency Any function f with efficient boolean circuit

yield practical computation– Vickrey auctions– Private surveys

Few rounds of communication But there’s a flaw...

Trust model

Alice Bob Duke Cate

Auction

guaranteed

correct

(or fails)

Bids

remain

private

Oblivious Transfer

bit b t0, t1

tb

What was

t1-b ?What was

b ?

b

Proxy Oblivious Transfer (POT )

tb

What was

b ?

Chooserbit b

What were

b and t1-b ?

t0, t1tb

POT in Auction

Bit b of bid

fWhat was

b ?

What was

b ?

tb

tb

Chooser

The Problem With POT

Bit ‘0’ in bid

f

t0

t0

Chooser

Observed in JJ00

The Problem With POT

Bit ‘0’ in bid

f

t1

t1

Alice’s bid has

been changed!

Chooser

We need Verifiable POT

Bit bChooser

tb

C* = (C(t0),C(t1))tb ,C*,

What was

b ?

What was

b ?

Our Contributions

We introduce very efficient VPOT primitive -- fixing security flaw in NPS

With our VPOT, roughly ten times faster for bidder than NPS!– NPS: Tens of exponentiations– Ours: Tens of modular multiplications

(great for cell phones)– Ours: Twice as slow for servers

Idea 1: Efficiency(RSA-based OT)

bit b (t0, t1)

(Y0, Y1)

(X0, X1)

R ZN

Xb = R3 mod N

X1 = CX0

RSA modulus N

Random C in ZN

Y0 = t0 / (X0)1/3

Y1 = t1 / (X1)1/3

tb = Yb R

bit b (t0, t1)

(Y0, Y1)

(X0, X1)

RSA modulus N

Random C in ZN

•For technical reason, real protocol slightly different•Previous schemes typically based on, e.g., El Gamal•El-Gamal-based --> Several modular exponentiations•RSA-based --> Several modular multiplications

Idea 1: Efficiency(RSA-based OT)

Idea 2: Verifiability

t0 t1

Bit w = 0 if t0 on left

w = 1 if t0 on right

Idea 2: Verifiability

Prove ordering of vaults = Prove fact about single bit w

Key tool: Goldwasser-Micali ‘84

Conclusion NPS clever, practical approach to sealed-

bid auctions With VPOT, we can bring NPS ideas to

fruition High efficiency for weak bidding devices,

e.g., cell phones