Survey on e-Auction
Presenter
Nguyen Hoang Anh
NordSecMob
Outline
Introduction to e-Auction
e-Auction scheme
What is auction?
Desired properties for an e-Auction scheme
Basic e-Auction protocol
English auction
First-price sealed bid auction
Second-price sealed bid auction (Vickrey auction)
Conclusion
2
Introduction to e-Auction
An auction is a method of trading goods that
do not have a fixed price
Auction is based on competition and reflects
the essential of market
The sellers wish to sell their goods as high as
possible, the buyers want to pay as little as
necessary
Roles: Bidder (buyer) – Seller – Auctioneer
(trusted third party)
3
Introduction to e-Auction
Types of auctions:
English auction
Dutch auction
Sealed-bid auction: First-price, Second-price, (M+1)stprice
4
Desired properties
Non-repudiation
No framing
Traceability
Public verifiability
Unlinkability
Robustness
Efficiency of bidding
5
Desired properties
Fairness
Bidder privacy
All bids should be dealt with in a fair way, e.g., no
information about bidding will be disclosed to give any
bidder unfair advantage
No bidder’s identity or trading history will be revealed even
after the auction session.
The secrecy of losing bids should be kept.
Correctness of system
The winning bid is the highest among bids were placed.
The winner is the person who made that bid
6
Basic auction protocol
Initialization
Bidder registration
A bidder computes her/his bid information and places her/his bid
Opening a winning bid
The Auctioneer computes the preparation data for each auction. A
bidder may download her/his information for bidding
Bidding
A bidder sends the Auctioneer her/his public key to register
Auction preparation
Auctioneer sets the system parameters and publishes them
The Auctioneer computes only a winning bid while keeping the other
bids secret (not needed in public auction)
Winner decision
The Auctioneer identifies only a winner while keeping loser’s
anonymity
7
English auction scheme
Proof of knowledge
PK(y = P()) is the proof of knowledge between
two parties
given the publicly known value y, the Prover knows the
value of such that the predicate P() is true.
Signature based on a Proof of Knowledge (SPK)
SPK[(): y = g] (m)
8
English auction scheme
2 Bulletin Board System (BBS)
Bulletin board is a place where people can leave public
messages, e.g., to advertise things, announce events, or
provide information
Can be read by anybody, but can be written only by an
authority
=> Help reduce communication complexity
2 separate roles
AM: Auction Manager
Prepare for auctions
Carry out several auctions
Manage the current bid value
RM: Registration Manager
Manager the participants of auctions
Prepare for auctions
Identifies a certain bidder at the request of AM
9
English auction scheme
2. Preparation
Public keys
Alice : y1
Bob : y2
Carol : y3
:
grs
gr
y3r
y1r
y2r
:
6. Winner decision
V31
V31=SPK[():T1 = (y1r)] (mR)
1. T2 = y2rs
2. T3 = y3rs
3. T1 = y1rs
:
Current bid value
3. grs
1. Registration
(y1, V11)
V11 = SPK[(): y1 =
g]
5. Bidding (3, m1, V21)
(mR)
Alice
(y1, x1, m1)
y1 = gx1
V21 = SPK[(): T1 = (grs)] (mR)
4. T1 = (grs)x1
Kazumasa OMOTE. A study on Electronic Auctions, 2002
10
English auction scheme
Properties
Linkability in an auction (same Ti in one auction)
Unlinkability among different auctions (different
Ti-s for different auctions)
No single authority can break anonymity and
secrecy of bids
11
First-price sealed-bid auction
Desired properties
Secrecy of bidding price
=> open bids from highest possible price to the winning
price, all the lower prices are kept secret
Verifiability
=> Use public key encryption systems or hash chain technique
Undeniability
=> The bidder needs to sign for his bid
Anonymity
=> Bidders register to a registration center and get their keys for
signature scheme
12
First-price sealed-bid auction
Undeniable signature scheme
Signing algorithm
Verification protocol
a signature can only be verified with the help of the signer
=> Avoid replay attack
Disavowal protocol
allows the signer to prove whether a given signature is a
forgery
=> The signer cannot deny his valid signature
13
First-price sealed-bid auction
Undeniable signature of bidding price
Sig1(b1)
Disavowal
Bidder 1: b1
Sig2(b2)
Sig3(b3)
Sig1(b1)
My sig was not a
valid
signature
of jvalid
My sig
was the
signature of j
Bidder 2: b2
Sig2(b2)
My sig was not a
valid signature of j
Auctioneer
Price list {1, 2,…, n}
Sig3(b3)
Bidder 3: b3
My sig was not a
valid signature of j
Winning bid
j
Winning bidder Bidder 2
j=n
j=n-1
j
Sakurai and Miyazaki. A bulletin-board based digital auction scheme with bidding down strategy. In Proc.
14
International Workshop on Cryptographic Techniques and E-Commerce, 1999
First-price sealed-bid auction
Sakurai and Miyazaki. A bulletin-board based digital auction scheme with bidding down strategy. In
Proc. International Workshop on Cryptographic Techniques and E-Commerce, 1999
15
First-price sealed-bid auction
Drawbacks of the protocol
All bidders have to communicate with the
auctioneer in opening phase
=> Protocol 2
16
First-price sealed-bid auction
Bidder 1: b1
EK_b1(M_b1)
Auctioneer
EK_b2(M_b2)
Bidder 2: b2
Price list {1, 2,…, n}
{(K_1; M_1), (K_2; M_2)…, (K_n; M_n)}
EK_b3(M_b3)
Bidder 3: b3
j=n
Check the equality EK_j(C_bi) = M_j ?
- If such C_bi exists: winning bid is j, winning bidder is i
- If there is no such C_bi: j = j – 1, repeat above step
Sako. Universally verifiable auction protocol which hides losing bids. In Proc Of SCIS’99, pages 35-39 17
First-price sealed-bid auction
Sako. Universally verifiable auction protocol which hides losing bids. In Proc Of SCIS’99, pages 35-3918
First-price sealed-bid auction
Advantage
Bidders need not to communicate with the
auctioneer in opening phase
Disadvantage
Malicious auctioneer can reveal all bidding prices
=> Use plural auctioneers and distributed
decryption technique
19
First-price sealed-bid auction
Problems with sealed-bid auction methods
using public key cryptosystems
Computationally expensive
Require a lot of communication
Limit the number of bidders and the range of
bidding prices
20
First-price sealed-bid auction
Publishes
(Bid_i,Sigi(Bid_i)
(Bid1, Sig1(Bid1))
Bidder 1: P1
Secret seeds:
(S11, S21,...,Sa1)
S11
Check hash chain
for all bidders
Auctioneer 1
bi = h(hk(S1i)|hk(S2i)|…|hk(Sai)) ???
S12
Bidder 3: P3
Secret seeds:
(S13, S23,…,Sa3)
k=n
hk(Sai)
Bidder 2: P2
Secret seeds:
(S21, S22,…,Sa2)
S13
Publishes hk(Sij)
k=k-1
Sa1
Sa2
Auctioneer a
Sa3
Bidi = {bi, c1i, c2i, …, cai}
bi = h(hPi(S1i)|hPi(S2i) | … | hPi(Sai))
cji = hn+1(Sji)
K. Suzuki, K. Kobayashi, and H. Morita. Efficient sealed-bid auction using hash chain. Proceedings of the
Third International Conference on Information Security and Cryptology, Vol. 2015 of Lecture Notes In 21
Computer Science, pages 183 – 191, 2000. Springer-Verlag. ISBN 3-540-41782-6
First-price sealed-bid auction
Secrecy of bidding price
Verifiability
The signer has to sign for his bid
Anonymity
Anyone can verify the correctness of the hash chains which
are already published
Undeniability
Bids are opened from the highest price to the winning price
Hash chain is distributed to plural auctioneers => losing bid
prices are kept secret (besides the case all auctioneers
collude)
Each bidder can use his public key of signature to bid
anonymously
Efficiency
22
Vickrey auction
Vickrey auction scheme
Attractive theoretical properties
The bidder who offers the highest bid price gets
the good at the second-highest price
The dominant strategy for each bidder is to place
a bid honestly according to her/his own true value
Rarely used in practice
Auctioneer may change the outcome of auctions
Auctioneer may reveal bidders’ private information
23
Vickrey auction scheme
Homomorphic encryption scheme
EK(m1; r1) . EK(m2; r2) = EK (m1+m2; r1+r2)
Range proof: integer commitment scheme,
plus range checking
PK(c=EK(,) [L,H])
24
Vickrey auction scheme
Notations
S: seller
A: auction authority
B: maximum number of bidders
V: maximum number of different bids
(X1, …, XB): vector of bids in a nonincreasing
order
In public-key cryptosystem (G,E,D), c = EK(m; r)
denote the encryption of m by using a random
coin r under they key K.
H: hash function
25
Vickrey auction
Auctioneer’s public key: pk
Bidder 1: b1
Sig1(Epk(Bb1))
E=∏i Epk(Bbi)
X2
Bidder 2: b2
X2
Sig2(Epk(Bb2))
Seller
X2
Secret key: sk
Decrypt E
Learn bid statistic
X2
Bidder 3: b3
Auctioneer
Sig3(Epk(Bb3))
My bid was higher
than X2
Helger Lipmaa, N. Asokan, Valtteri Niemi. Secure Vickrey Auctions without threshold trust. Technical Report
26
2001/095, International Association for Cryptologic Research, November 2001
Practical e-Auction systems
eBay and Amazon Auction use Vickrey model
with a proxy bidder facility
The bidder tells the proxy a maximum price that
s/he is willing to pay
The proxy keeps this information secret and bids
on the bidder’s behalf in the ascending auction.
The highest bidder wins, pays at amount equal to
the second highest bidder (plus one increment).
Ebay: fixed ending time. Amazon: auctions end
when there have been no new bids for ten
minutes.
27
Conclusion
Three kinds of auction schemes are surveyed
English auction scheme
First-price sealed-bid auction scheme
Second-price sealed-bid auction scheme
Desired properties
Bidder privacy
Correctness of system
Efficiency
28
© Copyright 2026 Paperzz