Completely Anonymous, Secure, Verifiable, and Secrecy Preserving Auctions. Michael O. Rabin, Harvard University and Google Research. Joint work with Yishay Mansour.

Presentation transcript:

Completely Anonymous, Secure, Verifiable, and Secrecy Preserving Auctions
Michael O. Rabin, Harvard University and Google Research
Joint work with Yishay Mansour
Valiant Symposium, Washington DC, May 2009

GOALS
Auction Mechanism, Auctioneer/Prover, Auction, Bidders
Bidding: Secret, Non-Coercible, Deniable
Verifiable Proof of Correctness of Outcome
Bids, Winners, Prices: Permanently Secret
Winners Deniably Know Prices, Quantities

High level structure
Bidders
  – Send their bid-shares to Trusted Parties
Trusted parties
  – Prepare random vector representations of each share, and securely send to Auctioneer
  – Can have t faulty out of 3t+1 parties
Auctioneer
  – Calculates auction outcome
  – Prepares public zero-knowledge proofs of correctness, for future verifiers.

Main Ideas and Methods
Representing numbers: Let $p$ be a 128-bit prime
  – $F_p = \{0, \ldots, p-1\}$
  – operations: addition and multiplication mod $p$.
$X = (u, v)$
  – $\mathrm{val}(X) = u + v \bmod p$
For $x$ in $F_p$, $X = (u, v)$ represents $x$ if $\mathrm{val}(X) = x$.
  – Example: $p = 17$, $x = 5$, $X = (13, 9)$
Creating Random Representations $X$ of $x$
  – Choose $u$ randomly, set $v = (x - u) \bmod p$

Illustration of the Method
Auctioneer/Prover (AU) has $x, y, z$, where $x = y + z$, and wants to prove this sum.
$X = (u_1, v_1)$; $Y = (u_2, v_2)$; $Z = (u_3, v_3)$ are random representations of $x, y, z$.
Coordinates posted as $\mathrm{COM}(u_1), \ldots, \mathrm{COM}(v_3)$.
$x = y + z$ iff $\mathrm{val}(X) = \mathrm{val}(Y) + \mathrm{val}(Z)$ iff there exists $r$ such that
$u_1 = u_2 + u_3 + r$ (2)
$v_1 = v_2 + v_3 - r$ (3)

Proof and verification
Verifier (VR) sees: $\mathrm{COM}(u_1), \mathrm{COM}(v_1), \ldots, \mathrm{COM}(u_3), \mathrm{COM}(v_3)$.
AU reveals $r$.
VR randomly picks $c$ from $\{1, 2\}$.
If $c = 1$,
  – AU reveals $u_1, u_2, u_3$; VR checks the commitments and (2).
Similarly, for $c = 2$.
Probability of cheating ≤ ½.

Amplification
Simultaneously verifying: $x = y + z$, $y + w = t + x + q$, etc., same representations and same coin $c$ used. Probability of cheating ≤ ½.
Using 20 random representations $X_i, Y_i, Z_i$ of $x, y, z$ and independent choices $c_1, \ldots, c_{20}$ from $\{1, 2\}$. Probability of cheating $\le 1/2^{20}$ < 1/
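
The sum proof and its amplification from the two slides above, as an added Python example that is not from the talk. COM is assumed here to be a salted SHA-256 hash, 2^127 - 1 stands in for the 128-bit prime, and all function and class names are illustrative.

```python
import hashlib
import secrets

P = 2**127 - 1  # Mersenne prime; assumed stand-in for the slides' 128-bit prime p

def rep(x):
    """Random representation X = (u, v) with val(X) = u + v = x (mod P)."""
    u = secrets.randbelow(P)
    return (u, (x - u) % P)

def com(value):
    """Assumed COM: salted SHA-256. Returns (commitment, opening nonce)."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + value.to_bytes(16, "big")).digest(), nonce

def opens(commitment, value, nonce):
    digest = hashlib.sha256(nonce + value.to_bytes(16, "big")).digest()
    return secrets.compare_digest(digest, commitment)

class Prover:
    """AU: commits to X, Y, Z, fixes r, then opens one coordinate of each."""
    def __init__(self, x, y, z):
        self.reps = [rep(x), rep(y), rep(z)]
        self.coms = [[com(coord) for coord in X] for X in self.reps]
        self.posted = [[c for c, _ in pair] for pair in self.coms]
        (u1, _), (u2, _), (u3, _) = self.reps
        self.r = (u1 - u2 - u3) % P  # chosen so that equation (2) holds

    def reveal(self, c):  # c=1 opens the u's, c=2 opens the v's
        return [(X[c - 1], self.coms[k][c - 1][1]) for k, X in enumerate(self.reps)]

def verify_round(posted, r, c, opened):
    """VR: check openings against posted commitments, then (2) or (3)."""
    if not all(opens(posted[k][c - 1], val, n) for k, (val, n) in enumerate(opened)):
        return False
    a1, a2, a3 = (val for val, _ in opened)
    return a1 == (a2 + a3 + (r if c == 1 else -r)) % P

def passing_challenges(x, y, z):
    """Challenges c that one set of commitments and one r can answer."""
    pr = Prover(x, y, z)
    return [c for c in (1, 2) if verify_round(pr.posted, pr.r, c, pr.reveal(c))]

def run_proof(x, y, z, rounds=20):
    """Amplification: fresh representations and an independent coin per round."""
    for _ in range(rounds):
        pr, c = Prover(x, y, z), secrets.choice([1, 2])
        if not verify_round(pr.posted, pr.r, c, pr.reveal(c)):
            return False
    return True
```

For a true statement both challenges pass; for a false one such as 5 = 2 + 4, the committed values and r can satisfy only one of (2) and (3), which is the ½ bound per round.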

Extensions
Proving multiplications
Proving inequalities
Using addition, multiplication and inequalities captures any reasonable code
In all proofs, both coordinates of a vector representation are never revealed

Submitting Values to AU
Since proofs/verifications require multiple representations of values, to submit $x$
  – create, say, 40 random representations $X_1 = (u_1, v_1), \ldots, X_{40} = (u_{40}, v_{40})$
  – submit $\mathrm{COM}(u_1), \ldots, \mathrm{COM}(v_{40})$
  – Securely de-commit (reveal)

Extending Sequence of Representations of a Value
Given representations $Y_1 = (u_1, v_1), \ldots, Y_{40} = (u_{40}, v_{40})$ of a value $y$, Auctioneer can create representations $Y_{41}, \ldots, Y_{40+N}$ and ZK proves:
(1) of original 40, more than 35 represent the same value $y$
(2) of the next $N$ representations $N/2$ remain untouched and $(7/8)N/2$ represent the value $y$

Bidders bidding
Bidders $B_1, \ldots, B_m$.
Trusted Parties (TP) $P_1, \ldots, P_{16}$
No more than 5 TPs may become faulty
Bidder $B_j$ bids $x_j$.
  – He (16, 5) Secret Shares $x_j$ into $s_j^1, \ldots, s_j^{16}$
  – Bidder secretly transmits $s_j^k$ to $P_k$, $1 \le k \le 16$

Parties submit bid-shares to Auctioneer
Party $P_k$ prepares, for every bidder $B_j$, 40 random vector representations $S_j^{k,1}, \ldots, S_j^{k,40}$ of the share $s_j^k$ of bid $x_j$.
Submits to AU (signed) commitments to the coordinates of these vector representations
$P_k$ securely submits to AU de-commitments of above.

Auctioneer
AU discovers 11 TPs, say $P_1, \ldots, P_{11}$, whose submitted $S_j^{k,1}, \ldots, S_j^{k,40}$ are value consistent, and for every $1 \le j \le m$, all 11 shares of $x_j$ are on the graph of a 5-th degree polynomial
Computes outcome of the auction.
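
The (16, 5) sharing by the bidder and the Auctioneer's search for 11 parties whose shares lie on one 5-th degree polynomial, as an added Python example that is not from the talk. It assumes the sharing is Shamir's scheme with party P_k holding f(k), uses 2^127 - 1 as a stand-in prime, leaves out the vector representations and commitments, and all function names are illustrative.

```python
import secrets
from itertools import combinations

P = 2**127 - 1            # Mersenne prime; assumed stand-in for the 128-bit p
N_PARTIES, T = 16, 5      # 16 trusted parties, at most 5 faulty

def share(x):
    """Bidder: s^k = f(k), k = 1..16, for a random f of degree <= 5, f(0) = x."""
    coeffs = [x % P] + [secrets.randbelow(P) for _ in range(T)]
    return {k: sum(c * pow(k, e, P) for e, c in enumerate(coeffs)) % P
            for k in range(1, N_PARTIES + 1)}

def interpolate(points, at):
    """Lagrange interpolation over F_P through {k: s^k}, evaluated at `at`."""
    total = 0
    for k, s in points.items():
        num = den = 1
        for j in points:
            if j != k:
                num = num * (at - j) % P
                den = den * (k - j) % P
        total = (total + s * num * pow(den, -1, P)) % P
    return total

def consistent(shares):
    """True if every share lies on one polynomial of degree <= 5."""
    ks = sorted(shares)
    base = {k: shares[k] for k in ks[:T + 1]}   # 6 points fix the polynomial
    return all(interpolate(base, k) == shares[k] for k in ks[T + 1:])

def find_consistent_parties(shares, size=11):
    """AU: first `size` parties with consistent shares, and the bid f(0)."""
    for ks in combinations(sorted(shares), size):
        subset = {k: shares[k] for k in ks}
        if consistent(subset):
            return ks, interpolate(subset, 0)
    return None
```

With at most 5 faulty parties, any 11 consistent shares include at least 6 honest ones, and those 6 already determine f, so the recovered f(0) is the submitted bid.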

Preparation of anonymizing ZKP
AU extends, for each $B_j$, the submitted
$S_j^{1,1}, \ldots, S_j^{1,40}$ (reps of share $s_j^1$ of $x_j$)
$S_j^{2,1}, \ldots, S_j^{2,40}$
$\vdots$
$S_j^{11,1}, \ldots, S_j^{11,40}$
in each row $i$, $1 \le i \le 11$, by $N$ additional representations of the same value.

Outline of Auctioneer’s proof and of verification
Given sufficiently many representations $X_j^1, \ldots, X_j^M$ of each bid $x_j$, AU can construct verifiable proof of correctness of auction computation.
This proof reveals identity of winners, possibly information about ordering of bid values.

Permuting identities of bid representations
[Diagram: rows $X_1^1, \ldots, X_1^M$; $X_2^1, \ldots, X_2^M$; …; $X_m^1, \ldots, X_m^M$; permutation; rows $Y_1^1, \ldots, Y_1^K$; $Y_2^1, \ldots, Y_2^K$; …; $Y_m^1, \ldots, Y_m^K$; Perm 1, Perm 2, Perm H]
Test half randomly chosen (for being permutation)
Prove correctness of auction outcome using the other half.

Future Work
Study implications of anonymization, secrecy preservation, deniability, for combating collusions in auction mechanisms
Further improve efficiency
Implement, measure performance