Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Auctions using Cryptography Richard Barnes Cryptography Applications Bistro University of Virginia, March 16, 2004 Richard Barnes Cryptography.

Published byMelissa Courtenay Modified over 10 years ago

Similar presentations

Presentation on theme: "Securing Auctions using Cryptography Richard Barnes Cryptography Applications Bistro University of Virginia, March 16, 2004 Richard Barnes Cryptography."— Presentation transcript:

1 Securing Auctions using Cryptography Richard Barnes Cryptography Applications Bistro University of Virginia, March 16, 2004 Richard Barnes Cryptography Applications Bistro University of Virginia, March 16, 2004

2 Outline Context: Definitions and roles Types of auctions Vulnerabilities and Approaches Cryptographic solutions Adding security to a Vickrey Auction Adding security to a Combinatorial Auction Building in security into a novel mechanism Context: Definitions and roles Types of auctions Vulnerabilities and Approaches Cryptographic solutions Adding security to a Vickrey Auction Adding security to a Combinatorial Auction Building in security into a novel mechanism

3 Context Once upon a time: Bartering Unfamiliar or unknown buyers and sellers Multi-party price negotiation Auction: An organized way for many buyers and a seller to agree on a price goods. Once upon a time: Bartering Unfamiliar or unknown buyers and sellers Multi-party price negotiation Auction: An organized way for many buyers and a seller to agree on a price goods.

4 Types of Auctions English: Start low, bid up, highest bid wins. E.g: eBay, Sotheby’s Dutch: Starts high, auctioneer drops price, first to bid wins. (Can go multiple rounds or sealed) E.g: Salon IPO Double Auction: Both buyers and sellers submit prices, matched by auctioneer. E.g: NYSE, NASDAQ, CBOT First-price sealed-bid: Bidders submit closed bids; highest wins. E.g: eBay proxy bidding English: Start low, bid up, highest bid wins. E.g: eBay, Sotheby’s Dutch: Starts high, auctioneer drops price, first to bid wins. (Can go multiple rounds or sealed) E.g: Salon IPO Double Auction: Both buyers and sellers submit prices, matched by auctioneer. E.g: NYSE, NASDAQ, CBOT First-price sealed-bid: Bidders submit closed bids; highest wins. E.g: eBay proxy bidding

5 Types of Auctions Second-price sealed-bid or Vickrey: All bidders submit sealed bids, second-highest bid wins. Maximizes seller revenue by encouraging upward bidding. Optimal strategy is to bid private valuation. Open to dishonest auctioneers. Generalizations: M-th price Second-price sealed-bid or Vickrey: All bidders submit sealed bids, second-highest bid wins. Maximizes seller revenue by encouraging upward bidding. Optimal strategy is to bid private valuation. Open to dishonest auctioneers. Generalizations: M-th price

6 Types of Auctions Combinatorial Auction: Given a pool of available goods, buyers bid on all possible allocations of these goods. Maximizes seller revenue and social surplus Winning allocation maximizes total price Each bidder pays difference between the total price that would have been paid without him and the other bidders total payment. FCC uses a modified combinatorial auction to sell rights to EM spectrum. Combinatorial Auction: Given a pool of available goods, buyers bid on all possible allocations of these goods. Maximizes seller revenue and social surplus Winning allocation maximizes total price Each bidder pays difference between the total price that would have been paid without him and the other bidders total payment. FCC uses a modified combinatorial auction to sell rights to EM spectrum.

7 Vulnerabilities Auction fraud: 46.1% of reported Internet frauds, Median loss $320 Bidders can collude to bid below their valuations (Insider trading) or place unreasonably high bids (Jump bidding) Auctioneers and sellers can insert bids to raise prices (Shill bidding) or tamper with Vickrey prices Many exploits are out-of-bandwidth, esp. on eBay: Non-delivery, fake escrow, etc. Auction fraud: 46.1% of reported Internet frauds, Median loss $320 Bidders can collude to bid below their valuations (Insider trading) or place unreasonably high bids (Jump bidding) Auctioneers and sellers can insert bids to raise prices (Shill bidding) or tamper with Vickrey prices Many exploits are out-of-bandwidth, esp. on eBay: Non-delivery, fake escrow, etc.

8 Security Goals Prevent buyers, sellers, and auctioneers from tampering with the proper course of the auction. Provide privacy for buyers and sellers Separate bid information from buyer identification. Maintain secrecy of bids in sealed auction. Prevent buyers, sellers, and auctioneers from tampering with the proper course of the auction. Provide privacy for buyers and sellers Separate bid information from buyer identification. Maintain secrecy of bids in sealed auction.

9 Approaches to Security Legislative: Make laws against breaking the rules of the auction, as for insider trading. Economic/Social: Provide economic incentives for following the rules, as with the eBay recommendation system. Cryptographic: Incorporate a cryptographic protocol to ensure that rules are followed. Legislative: Make laws against breaking the rules of the auction, as for insider trading. Economic/Social: Provide economic incentives for following the rules, as with the eBay recommendation system. Cryptographic: Incorporate a cryptographic protocol to ensure that rules are followed.

10 Cryptographic Solutions Public auction + Cryptograpic privacy Combinatorial auction + Cryptographic enforcement Elkind & Lipmaa’s novel protocol Many others exist, especially studying Vickrey auctions. Financial Cryptography has several recent examples. Public auction + Cryptograpic privacy Combinatorial auction + Cryptographic enforcement Elkind & Lipmaa’s novel protocol Many others exist, especially studying Vickrey auctions. Financial Cryptography has several recent examples.

11 Secure Public Auction Provide bidders privacy and anonymity while keeping bid prices public. Introduce two agents: Registration Manager: Tracks identities of bidders by tying their Diffie-Hellman public key to a secret string (unique for each bidder) and generates round keys. Auction Manager: Prepares tickets and decides winner without knowing true identities. Provide bidders privacy and anonymity while keeping bid prices public. Introduce two agents: Registration Manager: Tracks identities of bidders by tying their Diffie-Hellman public key to a secret string (unique for each bidder) and generates round keys. Auction Manager: Prepares tickets and decides winner without knowing true identities. Lee, Kim, & Ma, Indocrypt 2001

12 I. Bidders register with RM by providing public key, secret string. RM keeps secret string. II. RM creates, shuffles, and publishes a list of round keys, one for each bidder, based on public key and a hash of the secret string. III. AM creates “bidding tickets” consisting of a hash of a round key and an auction key. IV. Bidders find their tickets and place bids by posting their ticket ID and their price. V. The winning ticket is chosen, and the RM reveals a hash of the winner’s secret string. I. Bidders register with RM by providing public key, secret string. RM keeps secret string. II. RM creates, shuffles, and publishes a list of round keys, one for each bidder, based on public key and a hash of the secret string. III. AM creates “bidding tickets” consisting of a hash of a round key and an auction key. IV. Bidders find their tickets and place bids by posting their ticket ID and their price. V. The winning ticket is chosen, and the RM reveals a hash of the winner’s secret string. Secure Public Auction Lee, Kim, & Ma, Indocrypt 2001

13 At each step, the bidder can recognize information for himself, but AM, RM, and other bidders cannot: Round keys are shuffled, but tied to secret information. Tickets are based on round keys and common information. Bids are tied only to ticket ID numbers. At each step, the bidder can recognize information for himself, but AM, RM, and other bidders cannot: Round keys are shuffled, but tied to secret information. Tickets are based on round keys and common information. Bids are tied only to ticket ID numbers. Secure Public Auction Lee, Kim, & Ma, Indocrypt 2001

14 Secure Combinatorial Auction Homomorphic crypto: E(ab) = E(a) E(b) Represent prices as “base-1” numbers: Can find max. bid, add a constant without decrypting. Want to bid on allocations, i.e. maps Bid has the form: Homomorphic crypto: E(ab) = E(a) E(b) Represent prices as “base-1” numbers: Can find max. bid, add a constant without decrypting. Want to bid on allocations, i.e. maps Bid has the form: Suzuki & Yokoo, FC2003

15 Each bidder has valuation function Auctioneer creates “blank bids” Each bidder adds his bid to every blank except the one with his number, so at the end, tells which bid maximizes total price tells what would be paid without bidder Each bidder has valuation function Auctioneer creates “blank bids” Each bidder adds his bid to every blank except the one with his number, so at the end, tells which bid maximizes total price tells what would be paid without bidder Secure Combinatorial Auction Suzuki & Yokoo, FC2003

16 All calculations are performed on encrypted values. Neither buyers nor the auctioneer know the values of the individual bids. Tampering is obviated by lack of information. Hard part is complexity: All calculations are performed on encrypted values. Neither buyers nor the auctioneer know the values of the individual bids. Tampering is obviated by lack of information. Hard part is complexity: Secure Combinatorial Auction Suzuki & Yokoo, FC2003

17 Elkind & Lipmaa’s Auction Goals: Protect privacy of bidders Prevent seller/auctioneer tampering Minimize cognitive costs to bidders Perform a series of secure 2nd-price auctions until there is a stable selling price. Goals: Protect privacy of bidders Prevent seller/auctioneer tampering Minimize cognitive costs to bidders Perform a series of secure 2nd-price auctions until there is a stable selling price. Elkind & Lipmaa, FC2004

18 Before auction, agree on a shared masking function. For each round: Bidders submit masked, encrypted bids to auctioneer, with a zero-knowledge proof that this bid is within a small range below the last bid. All bids are published without names. Auction proceeds until second price stabilizes Identity of winner is determined by a distributed protocol matching the (unknown) max bid to its bidder. Before auction, agree on a shared masking function. For each round: Bidders submit masked, encrypted bids to auctioneer, with a zero-knowledge proof that this bid is within a small range below the last bid. All bids are published without names. Auction proceeds until second price stabilizes Identity of winner is determined by a distributed protocol matching the (unknown) max bid to its bidder. Elkind & Lipmaa’s Auction Elkind & Lipmaa, FC2004

19 Secure against shill bids, collusive bids, and jump bidding because bids are constrained to be decreasing. Secure against auctioneer tampering because all bids are encrypted. Maintains anonymity of all bidders except winner. Secure against shill bids, collusive bids, and jump bidding because bids are constrained to be decreasing. Secure against auctioneer tampering because all bids are encrypted. Maintains anonymity of all bidders except winner. Elkind & Lipmaa’s Auction Elkind & Lipmaa, FC2004

20 Summary Auctions play a central role, as a way of organizing price negotiations. Many security vulnerabilities introduced by auction mechanisms can be addressed with cryptographic auction protocols. Cryptographic protocols can also add privacy features lacking in normal mechanisms. However, protocol solutions don’t address other attacks, e.g. bait-and-switch. Auctions play a central role, as a way of organizing price negotiations. Many security vulnerabilities introduced by auction mechanisms can be addressed with cryptographic auction protocols. Cryptographic protocols can also add privacy features lacking in normal mechanisms. However, protocol solutions don’t address other attacks, e.g. bait-and-switch.

21 References Elkind & Lipmaa (2004) Interleaving Cryptography and Mechanism Design. Financial Cryptography 2004. Gottlieb (1999) What is a Dutch auction IPO? Slate Magazine. Internet Fraud Complaint Center (2002) IFCC 2002 Internet Fraud Report. Lee, Kim, & Ma (2001) Efficient Public Auction with One-time Registration and Public Verifiability. Indocrypt 2001. Suzuki & Yokoo (2003) Secure Generalized Vickrey Auction using Homomorphic Encryption. Financial Cryptography 2004. Elkind & Lipmaa (2004) Interleaving Cryptography and Mechanism Design. Financial Cryptography 2004. Gottlieb (1999) What is a Dutch auction IPO? Slate Magazine. Internet Fraud Complaint Center (2002) IFCC 2002 Internet Fraud Report. Lee, Kim, & Ma (2001) Efficient Public Auction with One-time Registration and Public Verifiability. Indocrypt 2001. Suzuki & Yokoo (2003) Secure Generalized Vickrey Auction using Homomorphic Encryption. Financial Cryptography 2004.

Download ppt "Securing Auctions using Cryptography Richard Barnes Cryptography Applications Bistro University of Virginia, March 16, 2004 Richard Barnes Cryptography."

Similar presentations

Yossi Sheffi Mass Inst of Tech Cambridge, MA ESD.260J/1.260J/15.

Yossi Sheffi Mass Inst of Tech Cambridge, MA ESD.260J/1.260J/15.
E-Auctions. Electronic CommercePrentice Hall © 2006 2 Learning Objectives 1.Define the various types of e-auctions and list their characteristics. 2.Describe.

E-Auctions. Electronic CommercePrentice Hall © Learning Objectives 1.Define the various types of e-auctions and list their characteristics. 2.Describe.
(Single-item) auctions Vincent Conitzer v() = $5 v() = $3.

(Single-item) auctions Vincent Conitzer v() = $5 v() = $3.
Network Economics -- Lecture 4: Auctions and applications Patrick Loiseau EURECOM Fall 2012.

Network Economics -- Lecture 4: Auctions and applications Patrick Loiseau EURECOM Fall 2012.
CPS 296.1 Bayesian games and their use in auctions Vincent Conitzer

CPS Bayesian games and their use in auctions Vincent Conitzer
Chapter 25: Auctions and Auction Markets 1 Auctions and Auction Markets.

Chapter 25: Auctions and Auction Markets 1 Auctions and Auction Markets.
Auctions CS 886 Sept 29, 2004. Auctions Methods for allocating goods, tasks, resources... Participants: auctioneer, bidders Enforced agreement between.

Auctions CS 886 Sept 29, Auctions Methods for allocating goods, tasks, resources... Participants: auctioneer, bidders Enforced agreement between.
Intermediate Microeconomics Midterm (50%) (4/27) Final (50%) (6/22) Term grades based on relative ranking. Mon 1:30-2:00 ( 社科 757)

Intermediate Microeconomics Midterm (50%) (4/27) Final (50%) (6/22) Term grades based on relative ranking. Mon 1:30-2:00 ( 社科 757)
An Approximate Truthful Mechanism for Combinatorial Auctions An Internet Mathematics paper by Aaron Archer, Christos Papadimitriou, Kunal Talwar and Éva.

An Approximate Truthful Mechanism for Combinatorial Auctions An Internet Mathematics paper by Aaron Archer, Christos Papadimitriou, Kunal Talwar and Éva.
Bidding Strategy and Auction Design Josh Ruffin, Dennis Langer, Kevin Hyland and Emmet Ferriter.

Bidding Strategy and Auction Design Josh Ruffin, Dennis Langer, Kevin Hyland and Emmet Ferriter.
Auctions Auction types: –First price, sealed bid auction –Second price, sealed bid auction –English auction (ascending bid auction) –Dutch auction (descending.

Auctions Auction types: –First price, sealed bid auction –Second price, sealed bid auction –English auction (ascending bid auction) –Dutch auction (descending.
Econ 805 Advanced Micro Theory 1 Dan Quint Fall 2007 Lecture 2 – Sept 6 2007.

Econ 805 Advanced Micro Theory 1 Dan Quint Fall 2007 Lecture 2 – Sept
Michael R. Baye, Managerial Economics and Business Strategy, 3e. ©The McGraw-Hill Companies, Inc., 1999 Managerial Economics & Business Strategy Chapter.

Michael R. Baye, Managerial Economics and Business Strategy, 3e. ©The McGraw-Hill Companies, Inc., 1999 Managerial Economics & Business Strategy Chapter.
Internet Auction Presented by Ying Wang. §Introduction of Internet Auction §Different Internet Auction Methods §Internet Auction Software Design §Some.

Internet Auction Presented by Ying Wang. §Introduction of Internet Auction §Different Internet Auction Methods §Internet Auction Software Design §Some.
Multi-item auctions with identical items limited supply: M items (M smaller than number of bidders, n). Three possible bidder types: –Unit-demand bidders.

Multi-item auctions with identical items limited supply: M items (M smaller than number of bidders, n). Three possible bidder types: –Unit-demand bidders.
Game Theory in Wireless and Communication Networks: Theory, Models, and Applications Lecture 6 Auction Theory Zhu Han, Dusit Niyato, Walid Saad, Tamer.

Game Theory in Wireless and Communication Networks: Theory, Models, and Applications Lecture 6 Auction Theory Zhu Han, Dusit Niyato, Walid Saad, Tamer.
On Cheating in Sealed-Bid Auctions Ryan Porter Yoav Shoham Computer Science Department Stanford University.

On Cheating in Sealed-Bid Auctions Ryan Porter Yoav Shoham Computer Science Department Stanford University.
Chapter 10 E-Auctions.

Chapter 10 E-Auctions.
Welcome Auctions Jonathan D. Wareham wareham@acm.org.

Welcome Auctions Jonathan D. Wareham
Survey on e-Auction PresenterNguyen Hoang Anh NordSecMob.

Survey on e-Auction PresenterNguyen Hoang Anh NordSecMob.

Similar presentations

Ads by Google