Provably correct, secrecy preserving computation and its applications in auctions and securities exchanges

Recent advances in cryptography provide powerful new tools for enhancing trust in electronic commerce at low cost. We construct a general model of provably correct, secrecy preserving computation without relying on any particular cryptographic framework or assumptions. This model employs an "Evaluator-Prover" that accepts encrypted inputs from many (possibly unaffiliated) parties, computes one or more functions on those inputs, outputs the functions' results and proves the correctness of those results to one or more verifiers. We position our work, relative to other secure computation approaches, as a balance between absolute security and a completely trusted third party, achieving a model that enjoys computational tractability and suitability for business applications. Our evaluator-prover is not trusted in the traditional sense: it is bound to output only correct results at all times and is prevented from disclosing private data by tools from other areas of computer science research, such as trusted computing and network security, rather than by the provably secure cryptographic tools employed in many past solutions. We show how to construct an implementation of our model using Paillier's homomorphic encryption scheme. We propose a "time-lapse cryptography service" that produces public encryption keys and guarantees decryption at a particular time by constructing and releasing the corresponding decryption key after a specific interval. This service functions as a new cryptographic commitment primitive with binding, hiding, and nonrepudiation.
Provided with these tools, we construct four new mechanisms for electronic commerce: a cryptographic sealed-bid auction protocol for one or more identical items, a cryptographic combinatorial auction protocol based on the "clock-proxy" auction, a cryptographic securities exchange that conducts a continuous double auction for a particular security, and a cryptographic combinatorial securities exchange that provides for efficient atomic exchange of baskets of many securities. Along the way, we develop useful building blocks of independent interest, most notably a novel cryptographic mechanism to efficiently prove a solution to a linear or integer program is optimal based on its encrypted inputs and encrypted constraints; this provides unprecedented efficiency in proving the correctness of winner and price determination in our combinatorial clock-proxy auction.
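As an added illustration (not code from the paper) of the evaluator-prover pattern built on Paillier: bidders submit only ciphertexts, the evaluator totals them homomorphically, decrypts only the total, and publishes an opening (plaintext plus randomness) that any verifier can recheck without the private key. The bid values and the 7-digit primes are constructed toy inputs; the function names are this example's own.

```python
"""Toy Paillier evaluator-prover. Constructed example: the primes are
toy-sized (real deployments use ~1024-bit primes) and not secure."""
import math
import secrets

P, Q = 1000003, 1000033                       # toy primes
N, N2 = P * Q, (P * Q) ** 2
G = N + 1                                     # standard choice g = n + 1
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lambda = lcm(p-1, q-1)
MU = pow(LAM, -1, N)                          # lambda^-1 mod n (decryption)


def encrypt(m, r=None):
    """Enc(m; r) = g^m * r^n mod n^2. Returns (ciphertext, randomness)."""
    if r is None:
        while True:
            r = secrets.randbelow(N - 1) + 1
            if math.gcd(r, N) == 1:
                break
    return (pow(G, m, N2) * pow(r, N, N2)) % N2, r


def decrypt(c):
    """Dec(c) = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    return ((pow(c, LAM, N2) - 1) // N * MU) % N


def add_encrypted(cts):
    """Multiplying ciphertexts adds plaintexts: the only operation the
    evaluator needs to total bids without seeing them."""
    acc = 1
    for c in cts:
        acc = (acc * c) % N2
    return acc


def open_ciphertext(c):
    """Key holder recovers (m, r) with encrypt(m, r)[0] == c. Publishing this
    pair is the evaluator-prover's proof that c encrypts m."""
    m = decrypt(c)
    rn = (c * pow(G, -m, N2)) % N2 % N        # r^n mod n
    r = pow(rn, pow(N, -1, LAM), N)           # n-th root: gcd(n, lambda) = 1
    return m, r


def verify_opening(c, m, r):
    """Verifier without the key rechecks the claimed result against the
    publicly known ciphertext; a wrong total cannot be opened this way."""
    return encrypt(m, r)[0] == c


def tally_bids(bids):
    """Bidders encrypt; the evaluator totals, decrypts the total, proves it."""
    cts = [encrypt(b)[0] for b in bids]       # only ciphertexts leave bidders
    total_ct = add_encrypted(cts)
    m, r = open_ciphertext(total_ct)
    return total_ct, m, r
```

The same opening mechanism turns a Paillier ciphertext into a binding, hiding commitment: the ciphertext is published up front, and the opening is released only when the evaluator reports its result.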
