Presentation is loading. Please wait.

Presentation is loading. Please wait.

Completely Anonymous, Secure, Verifiable, and Secrecy Preserving Auctions Michael O. Rabin, Harvard University and Google Research Joint work with Yishay.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Completely Anonymous, Secure, Verifiable, and Secrecy Preserving Auctions Michael O. Rabin, Harvard University and Google Research Joint work with Yishay."— Presentation transcript:

1 Completely Anonymous, Secure, Verifiable, and Secrecy Preserving Auctions Michael O. Rabin, Harvard University and Google Research Joint work with Yishay Mansour Valiant Symposium, Washington DC. May 2009

2 GOALS Auction Mechanism, Auctioneer/Prover, Auction, Bidders Bidding: Secret, Non-Coercible, Deniable Verifiable Proof of Correctness of Outcome Bids, Winners, Prices: Permanently Secret Winners Deniably Know Prices, Quantities

3 High level structure Bidders –Send their bid-shares to Trusted Parties Trusted parties –Prepare random vector representations of each share, and securely send to Auctioneer –Can have t faulty out of 3t+1 parties Auctioneer –Calculates auction outcome –Prepares public zero-knowledge proofs of correctness, for future verifiers.

4 Main Ideas and Methods Representing numbers: Let p be a 128-bit prime –F p = {0, …, p-1} –operations: addition and multiplication mod p. X = (u,v) –val(X) = u+v mod p For x in F p, X = (u,v) represents x if val(X) = x. – Example: p = 17, x = 5, X = ( 13, 9 ) Creating Random Representations X of x –Choose u randomly, set v= (x-u) mod p

5 Illustration of the Method Auctioneer/Prover (AU) has x, y, z, where x = y+z, wants to prove this sum. X=(u 1,v 1 ); Y=(u 2,v 2 ); Z=(u 3,v 3 ) rand. Reps. of x, y, z. Coordinates posted as COM(u 1 ) … COM(v 3 ) x = y+z iff val(X) = val(Y)+val(Z) iff exists r u 1 = u 2 +u 3 +r ………………(2) v 1 = v 2 +v 3 -r ……………….(3)

6 Proof and verification Verifier (VR) sees: COM(u 1 ), COM(v 1 ), …, COM(u 3 ),COM(v 3 ). AU reveals r VR randomly picks c from {1,2} If c=1, –AU reveals u 1, u 2, u 3 ; VR checks com. and (2). Similarly, for c=2. Probability of cheating ≤ ½.

7 Amplification Simultaneously verifying: x=y+z, y+w=t+x+q, etc., same representations and same coin c used. Probability of cheating ≤ ½. Using 20 random representations X i,Y i,Z i of x,y,z and independent choices c 1, …, c 20 from {1,2}. Probability of cheating ≤ 1/2 20 < 1/1000000

8 Extensions Proving multiplications Proving inequalities Using addition, multiplication and inequalities captures any reasonable code In all proofs never are both coordinates of vector representations revealed

9 Submitting Values to AU Since proofs/verifications require multiple representations of values, to submit x –create, say, 40 random representations X 1 = (u 1,v 1 ), …, X 40 = (u 40,v 40 ) –submit COM(u 1 ), …, COM(v 40 ) –Securely de-commit (reveal)

10 Extending Sequence of Representations of a Value Given representations Y 1 = (u 1, v 1 ), …, Y 40 = (u 40, v 40 ) of a value y, Auctioneer can create representations Y 41, …, Y 40+N and ZK proves: (1)of original 40, more than 35 represent the same value y (2) of the next N representations N/2 remain untouched and (7/8)N/2 represent the value y

11 Bidders bidding Bidders B 1, …, B m. Trusted Parties (TP) P 1, …, P 16 No more than 5 TPs may become faulty Bidder B j bids x j. –He (16, 5) Secret Shares x j into s j 1, …, s j 16 –Bidder secretly transmits s j k to P k, 1 ≤ k ≤ 16

12 Parties submit bid-shares to Auctioneer Party P k prepares, for every bidder B j, 40 random vector representations S j k,1, …, S j k,40 of the share s j k of bid x j. Submits to AU (signed) commitments to the coordinates of these vector representations P k securely submits to AU de- commitments of above.

13 Auctioneer AU discovers 11 TPs, say P 1, …, P 11, whose submitted S j k,1, …, S j k,40 are value consistent, and for every 1 ≤ j ≤ m, all 11 shares of x j are on the graph of a 5-th degree polynomial Computes outcome of the auction.

14 Preparation of anonymazing ZKP AU extends, for each B j, the submitted S j 1,1, …, S j 1,40 reps of share s j 1 of x j S j 2,1, …, S j 2,40 : S j 11,1, …, S j 11,40 in each row i, 1 ≤i≤11, by N additional representations of the same value.

15 Outline of Auctioneer’s proof and of verification Given sufficiently many representations X j 1, …, X j M of each bid x j, AU can construct verifiable proof of correctness of auction computation. This proof reveals identity of winners, possibly information about ordering of bid values.

16 Permuting identities of bid representations X 1 1, …, X 1 M X 2 1, …, X 2 M : X m 1, …, X m M Y 1 1, …, Y 1 K Y 2 1, …, Y 2 K : Y m 1, …, Y m K permutation Perm 1 Perm 2 Perm H Test half randomly chosen (for being permutation) Prove correctness of auction outcome using the other half.

17 Future Work Study implications of anonymization, secrecy preservation, deniability,for combating collusions in auction mechanisms Further improve efficiency Implement, measure performance

Download ppt "Completely Anonymous, Secure, Verifiable, and Secrecy Preserving Auctions Michael O. Rabin, Harvard University and Google Research Joint work with Yishay."

Similar presentations

Sublinear Algorithms 1 3 2 … Lecture 23: April 20.

Sublinear Algorithms … Lecture 23: April 20.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Transformations We want to be able to make changes to the image larger/smaller rotate move This can be efficiently achieved through mathematical operations.

Transformations We want to be able to make changes to the image larger/smaller rotate move This can be efficiently achieved through mathematical operations.
Dana Moshkovitz. Back to NP L  NP iff members have short, efficiently checkable, certificates of membership. Is  satisfiable?  x 1 = truex 11 = true.

Dana Moshkovitz. Back to NP L  NP iff members have short, efficiently checkable, certificates of membership. Is  satisfiable?  x 1 = truex 11 = true.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
On the size of dissociated bases Raphael Yuster University of Haifa Joint work with Vsevolod Lev University of Haifa.

On the size of dissociated bases Raphael Yuster University of Haifa Joint work with Vsevolod Lev University of Haifa.
1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.

1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
May, 2011 Algorithmic Game Theory Workshop May, 2011 Algorithmic Game Theory Workshop Michael O. Rabin Harvard University Hebrew University Algorithmic.

May, 2011 Algorithmic Game Theory Workshop May, 2011 Algorithmic Game Theory Workshop Michael O. Rabin Harvard University Hebrew University Algorithmic.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
1 Adapted from Oded Goldreich’s course lecture notes.

1 Adapted from Oded Goldreich’s course lecture notes.
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.

Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.

A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.
01101100101001001010011001011110010110101000101010010010110010100010100101010101010001101001010101001000101001011110011110100110 100100101010100010101010100101010101010010100101010101010010100111001001001000101000001010110000100101000100111101001010100101

Lecturer: Moni Naor Foundations of Cryptography Lecture 12: Commitment and Zero-Knowledge.

Lecturer: Moni Naor Foundations of Cryptography Lecture 12: Commitment and Zero-Knowledge.
1 Zaps and Apps Cynthia Dwork Microsoft Research Moni Naor Weizmann Institute of Science.

1 Zaps and Apps Cynthia Dwork Microsoft Research Moni Naor Weizmann Institute of Science.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.

Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.

Similar presentations

Ads by Google