A Two-Server Auction Scheme Ari Juels and Mike

A Two-Server Auction Scheme Ari Juels and Mike Szydlo Financial Cryptography ‘ 02 12 March 2002

Auctions increasingly popular u 2. 6 million new auctions per day on e. Bay in 2000 – About three auctions per year for every inhabitant of U. S. u Attempted auctions (and hoaxes) in ‘ 99: – A healthy kidney (high bid: $5. 7 million) – A military rocket launcher – 200 pounds of cocaine – A team of software engineers – A baby (high bid: $109, 100) – A teenage boy selling his virginity (high bid: $10 million)

popular with all sorts. . . Diebenkorn Shilling Case Draws FBI Probe The fallout from Kenneth A. Walton's failed e. Bay auction of a "great big wild abstract painting" continues today… Former Sotheby's chairman guilty BBC News, 6 December 2001 The former chairman of auction house Sotheby's has been found guilty in New York of conspiring to fix art prices after two days of jury deliberations.

e. Bay vs. Sealed-bid I bid $500 Pseudonymous (e. Bay) • Time-bounded • Masks identities • Facilitates, e. g. , shilling • Great sporting event I bid $500 Sealed-bid • One-round • Transparent participation • Psychologically neutral • Fungible goods • “Serious” auctions

Sealed-Bid Auctions Alice Cate Bob Duke

Sealed-Bid Auctions f(x 1, x 2, x 3, x 4) = winner Alice Cate x 1 x 3 f Bob x 2 x 4 Duke

General Secure Multiparty Computation (GSMC ) f(x 1, x 2, x 3, x 4) = winner Alice Cate x 1 x 3 f Bob x 2 x 4 Duke

The Literature on -Bid Auctions u Sealed Most sealed-bid systems get away from inefficiencies of GSMC – Weakened trust models – Specifying function f as “maximum” u Some tailor GSMC to auctions – JJ 00 – NPS 99 (Naor, Pinkas, and Sumner)

NPS at a glance Winner: Cate! f Alice Bob Duke Cate

Features of NPS u u u Use of exactly two servers gives many benefits (Yao construction) One round of interaction for bidders -and no latency Any function f with efficient boolean circuit yield practical computation – Vickrey auctions – Private surveys u u Few rounds of communication But there’s a flaw. . .

Trust model Auction guaranteed correct (or fails) Bids remain private Alice Bob Duke Cate

Oblivious Transfer b bit b t 0, t 1 tb What was t 1 -b ? b?

Proxy Oblivious Transfer (POT ) tb t 0, t 1 tb What were What was b and t 1 -b ? bit b Chooser

POT in Auction tb tb What was f What was b? Bit b of bid Chooser

The Problem With POT t 0 f Observed in JJ 00 Bit ‘ 0’ in bid Chooser

The Problem With POT t 1 f Alice’s bid has been changed! Bit ‘ 0’ in bid Chooser

We need Verifiable POT C* = (C(t 0), C(t 1)) tb , C*, tb What was b? Bit b Chooser

Our Contributions u u We introduce very efficient VPOT primitive -- fixing security flaw in NPS With our VPOT, roughly ten times faster for bidder than NPS! – NPS: Tens of exponentiations – Ours: Tens of modular multiplications (great for cell phones) – Ours: Twice as slow for servers

Idea 1: Efficiency (RSA-based OT) RSA modulus N Random C in ZN (t 0, t 1) (X 0, X 1) bit b (Y 0, Y 1) R ZN Xb = R 3 mod N X 1 = CX 0 tb = Y b R Y 0 = t 0 / (X 0)1/3 Y 1 = t 1 / (X 1)1/3

Idea 1: Efficiency (RSA-based OT) bit b (X 0, X 1) RSA modulus N Random C in ZN (t 0, t 1) (Y 0, Y 1) • For technical reason, real protocol slightly different • Previous schemes typically based on, e. g. , El Gamal • El-Gamal-based --> Several modular exponentiations • RSA-based --> Several modular multiplications

Idea 2: Verifiability t 0 t 1 Bit w = 0 if t 0 on left w = 1 if t 0 on right

Idea 2: Verifiability u. Prove ordering of vaults = Prove fact about single bit w u. Key tool: Goldwasser-Micali ‘ 84

Conclusion u u u NPS clever, practical approach to sealedbid auctions With VPOT, we can bring NPS ideas to fruition High efficiency for weak bidding devices, e. g. , cell phones