Brandt's fully private auction protocol revisited

Auctions have a long history, having been recorded as early as 500 B.C. Nowadays, electronic auctions are a great success and are increasingly used. Many cryptographic protocols have been proposed to address the various security requirements of these electronic transactions, in particular to ensure privacy. Brandt developed a protocol that computes the winner using homomorphic operations on a distributed ElGamal encryption of the bids. He claimed that it ensures full privacy of the bidders, i.e., no information apart from the winner and the winning price is leaked. We first show that this protocol, when using malleable interactive zero-knowledge proofs, is vulnerable to attacks by dishonest bidders. Such bidders can manipulate the publicly available data in a way that allows the seller to deduce all participants' bids. Additionally, we discuss some issues with verifiability, as well as attacks on non-repudiation, fairness and the privacy of individual bidders that exploit authentication problems.
