A Two-Server
Auction Scheme
Ari Juels and Mike Szydlo
Financial Cryptography ‘02
12 March 2002
Auctions increasingly popular
 2.6
million new auctions per day on
eBay in 2000
– About three auctions per year for every
inhabitant of U.S.
 Attempted
auctions (and hoaxes) in ‘99:
– A healthy kidney (high bid: $5.7 million)
– A military rocket launcher
– 200 pounds of cocaine
– A team of software engineers
– A baby (high bid: $109,100)
– A teenage boy selling his virginity (high bid: $10 million)
popular with all sorts...
Diebenkorn Shilling Case Draws FBI Probe
The fallout from Kenneth A. Walton's failed eBay auction of a
"great big wild abstract painting" continues today…
Former Sotheby's chairman guilty
BBC News, 6 December 2001
The former chairman of auction house Sotheby's has been found
guilty in New York of conspiring to fix art prices after two days
of jury deliberations.
eBay vs. Sealed-bid
Pseudonymous (eBay)
•Time-bounded
•Masks identities
•Facilitates, e.g., shilling
•Great sporting event
Sealed-bid
•One-round
•Transparent participation
•Psychologically neutral
•Fungible goods
•“Serious” auctions
Sealed-Bid Auctions
Alice
Cate
Bob
Duke
Sealed-Bid Auctions
f(x1,x2,x3,x4)
= winner
Alice
Cate
x1
x3
f
Bob
x2
x4
Duke
General Secure Multiparty
Computation (GSMC )
f(x1,x2,x3,x4)
= winner
Alice
Cate
x1
x3
f
Bob
x2
x4
Duke
The Literature on
Sealed-Bid Auctions
 Most
sealed-bid systems get away from
inefficiencies of GSMC
– Weakened trust models
– Specifying function f as “maximum”
 Some
tailor GSMC to auctions
– JJ00
– NPS99 (Naor, Pinkas, and Sumner)
NPS at a glance
Winner:
Cate!
f
Alice
Bob
Duke
Cate
Features of NPS
 Use
of exactly two servers gives many
benefits (Yao construction)
 One round of interaction for bidders -and no latency
 Any function f with efficient boolean
circuit yield practical computation
– Vickrey auctions
– Private surveys
 Few
rounds of communication
 But there’s a flaw...
Trust model
Auction
guaranteed
correct
(or fails)
Bids
remain
private
Alice
Bob
Duke
Cate
Oblivious Transfer
b
bit b
t0, t1
tb
What was
What was
t1-b ?
b?
Proxy Oblivious Transfer (POT )
tb
t0, t1
tb
What were
What was
b and t1-b ?
b?
bit b
Chooser
POT in Auction
tb
tb
f
What was
What was
b?
b?
Bit b of bid
Chooser
The Problem With POT
t0
t0
f
Observed in JJ00
Bit ‘0’ in bid
Chooser
The Problem With POT
t1
t1
f
Alice’s bid has
been changed!
Bit ‘0’ in bid
Chooser
We need Verifiable POT
C* = (C(t0),C(t1))
tb ,C*,
tb
What was
What was
b?
b?
Bit b
Chooser
Our Contributions
 We
introduce very efficient VPOT primitive
-- fixing security flaw in NPS
 With our VPOT, roughly ten times faster for
bidder than NPS!
– NPS: Tens of exponentiations
– Ours: Tens of modular multiplications
(great for cell phones)
– Ours: Twice as slow for servers
Idea 1: Efficiency
(RSA-based OT)
RSA modulus N
Random C in ZN
(t0, t1)
(X0, X1)
bit b
(Y0, Y1)
R  ZN
Xb = R3 mod N
X1 = CX0
tb = Yb R
Y0 = t0 / (X0)1/3
Y1 = t1 / (X1)1/3
Idea 1: Efficiency
(RSA-based OT)
RSA modulus N
Random C in ZN
bit b
(X0, X1)
(t0, t1)
(Y0, Y1)
•For technical reason, real protocol slightly different
•Previous schemes typically based on, e.g., El Gamal
•El-Gamal-based --> Several modular exponentiations
•RSA-based --> Several modular multiplications
Idea 2: Verifiability
t0
t1
Bit w = 0 if t0 on left
w = 1 if t0 on right
Idea 2: Verifiability
Prove
ordering of vaults =
Prove fact about single bit w
Key tool:
Goldwasser-Micali ‘84
Conclusion
 NPS
clever, practical approach to sealedbid auctions
 With VPOT, we can bring NPS ideas to
fruition
 High efficiency for weak bidding devices,
e.g., cell phones