
10 Project 10: Sealed bid auction with decentralized Proof of Work timing

In document Applied Cryptography Projects (Pages 36-40)

10.1 Motivation

Sealed-bid auctions require that no participant can inspect the competing bids before bidding ends, and that all participants can see the bids shortly afterwards. Usually a trusted third party is used to keep the time and the secrecy, and a reward proportional to the winning bid is used to keep its incentives somewhat aligned with those of the participants.

Even in this setting, the trusted party can be corrupted, or can simply be unable to fulfill its role due to technical difficulties. Decentralizing such a third party results in a simpler and more scalable design than a protocol that requires the cooperation of every participant.

10.2 Background

The essential tasks of the auction house, keeping the time and keeping the secrets, can be converted into a cryptographic algorithm as follows: a public key to which participants encrypt their bids is generated in a deterministic, pseudorandom way, after which the corresponding private key is found by the joint effort of many participants.

Taking a page from Bitcoin, timekeeping is guaranteed by the carefully calibrated difficulty of the cryptographic puzzle at hand: finding the private key given the public key.

The time to find the private key needs to have a predictable expected value and a small variance. Cryptographic puzzles that rely on inverting a one-way function typically yield an exponentially distributed time to solution, because, if the underlying cryptographic primitive is efficient, they are best solved by memoryless trial and error. Knowing the difficulty of such a puzzle and the available computing power, the expected value of this exponential distribution can be estimated. Solving a given, sufficiently large number of such puzzles one after another results in a total time to solution that follows a Gamma distribution with parameters and (or ), respectively, whose variance relative to its expected value can be made arbitrarily small by increasing the number of puzzles.
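The timing argument above, carried through as an added worked derivation (not part of the original text; the rate $\lambda$, the trial rate $R$, the index-space size $N$ and the puzzle count $n$ are notation introduced here, since the page's own symbols did not survive):

If one puzzle is attacked by independent trials at a rate of $R$ trials per second over an index space of size $N$, each trial succeeds with probability $1/N$, so the time to solution $T_i$ is geometric in the number of trials and, for large $N$, exponential in time with rate $\lambda = R/N$:

$$T_i \sim \mathrm{Exp}(\lambda), \qquad \mathbb{E}[T_i] = \frac{1}{\lambda} = \frac{N}{R}, \qquad \mathrm{Var}[T_i] = \frac{1}{\lambda^2}.$$

Solving $n$ such puzzles one after another gives a total time equal to a sum of independent exponentials,

$$S_n = \sum_{i=1}^{n} T_i \sim \mathrm{Gamma}(n, \lambda) \quad (\text{shape } n,\ \text{rate } \lambda,\ \text{i.e. scale } 1/\lambda), \qquad \mathbb{E}[S_n] = \frac{n}{\lambda}, \qquad \mathrm{Var}[S_n] = \frac{n}{\lambda^2},$$

so the standard deviation relative to the mean is

$$\frac{\sqrt{\mathrm{Var}[S_n]}}{\mathbb{E}[S_n]} = \frac{1}{\sqrt{n}},$$

e.g. $10\%$ for $n = 100$ puzzles and $5\%$ for $n = 400$, whatever the value of $\lambda$. Two caveats matter for the auction. First, $\lambda$ scales with whatever computing power is actually thrown at the puzzle, so the bidding deadline must carry a margin against a better-equipped attacker. Second, the $1/\sqrt{n}$ figure is for puzzles solved in sequence: if the $n$ points are attacked in parallel by separate solvers, the elapsed time is the maximum of the $n$ times rather than their sum, whereas if all computing power is pooled and moved on to the next unsolved point, it is the total work that adds up and the same argument applies to it.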

A suitable cryptographic challenge would be finding the indices (discrete logarithms with respect to a fixed base point) of random points on an appropriately chosen elliptic curve over a suitable Galois field. In this case, the public key would be the tuple of points on the elliptic curve, while the private key would be the corresponding indices.

10.2.1 Elliptic curve cryptography

An elliptic curve over a field is a plane curve determined by the solutions of the equation

together with an "infinity" point (the point at infinity of the vertical lines in the projective plane; over the real numbers it is where all vertical lines meet). The coefficients, like the solutions of the equation, are taken from the field. For prime fields, i.e. for a prime , we need the extra assumption that

The equation can be written in this simple form only if the characteristic of the field is not 2 or 3. Binary fields (i.e. ) are very important from the applications point of view; in that case the curve equation takes the following form, with coefficients :

Of the rich and deep theory of elliptic curves, cryptographers mostly use the fact that the points of an elliptic curve form an Abelian group. This group has the remarkable advantage that the discrete logarithm problem is hard in it (for an appropriate choice of parameters). The identity element of the group is the point at infinity, denoted by , and the sum of two points can be described in an expressive geometric way.

Since the elliptic curve is an algebraic curve of degree 3, the line through two points of the curve intersects the curve in exactly one more point. The reflection of this third point in the x-axis is defined as the sum of the two points, see Figure 53. Note that intersections are counted with multiplicities, so if the two points coincide, the tangent line to the curve at that point is drawn instead of the chord, and so on.

This geometric interpretation can be expressed by algebraic formulas over any field as well. For simplicity, suppose that we want to determine the sum of two given points in terms of their coordinates. As an easy exercise, it can be shown that

where

and

Note that in the case the formulas are simpler, hence computing a multiple of a given point is relatively fast. See the worked example in Figure 55.
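As an added example (not code from the project text or from any reference implementation), the following Python script builds a toy instance of the puzzle described in the Background section: chord-and-tangent addition over a small prime field using the addition and doubling formulas just discussed, a tuple of random points as the public key, and recovery of their indices by memoryless random guessing. The prime, the curve coefficients and the random seed are illustrative assumptions and the field is far too small for real use; the names ec_add, ec_mul, find_base_point, make_puzzle, solve_puzzle and run_demo are chosen here.

```python
# Added toy example of the index-finding puzzle (not part of the project text).
# A tuple of points on a small curve is the "public key"; the indices
# (discrete logs to a fixed base point G) are the "private key", recovered
# here by memoryless random guessing.  All parameters are illustrative
# assumptions and far too small for real use.
import random

P = 1019        # assumed toy prime; P % 4 == 3 so a square root is a single pow()
A, B = 2, 3     # assumed curve y^2 = x^3 + A*x + B over F_P (4A^3 + 27B^2 != 0 mod P)
INF = None      # the point at infinity, the group identity

def ec_add(p1, p2):
    """Chord-and-tangent addition in affine coordinates over F_P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                    # p2 = -p1: vertical line
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)         # chord slope
    lam %= P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P                   # reflect the third point in the x-axis
    return (x3, y3)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def point_order(g):
    """Order of g by repeated addition (fine for a toy curve)."""
    n, q = 1, g
    while q is not INF:
        q = ec_add(q, g)
        n += 1
    return n

def find_base_point(candidates=8):
    """Scan x, take a square root where x^3 + A*x + B is a square, and keep
    the candidate of largest order so the index space is as big as possible."""
    best = None
    for x in range(P):
        rhs = (x ** 3 + A * x + B) % P
        if pow(rhs, (P - 1) // 2, P) != 1:            # Euler criterion: not a nonzero square
            continue
        pt = (x, pow(rhs, (P + 1) // 4, P))           # valid square root because P % 4 == 3
        if best is None or point_order(pt) > point_order(best):
            best = pt
        candidates -= 1
        if candidates == 0:
            break
    return best

G = find_base_point()
N = point_order(G)                                    # index space is 1 .. N-1

def make_puzzle(k, rng):
    """Private key: k random indices.  Public key: the points index * G."""
    indices = [rng.randrange(1, N) for _ in range(k)]
    return indices, [ec_mul(i, G) for i in indices]

def solve_puzzle(points, rng):
    """Recover each index by memoryless guessing (each trial is one scalar
    multiplication); returns (indices, number of trials per point)."""
    found, trials = [], []
    for pt in points:
        t = 0
        while True:
            t += 1
            guess = rng.randrange(1, N)
            if ec_mul(guess, G) == pt:
                found.append(guess)
                trials.append(t)
                break
    return found, trials

def run_demo(k=4, seed=7):
    """Build and solve a k-point puzzle; returns (secret, recovered, trials)."""
    rng = random.Random(seed)                         # seeded for reproducibility
    secret, public = make_puzzle(k, rng)
    recovered, trials = solve_puzzle(public, rng)
    return secret, recovered, trials

if __name__ == "__main__":
    s, r, w = run_demo()
    print("base point order", N, "secret", s, "recovered", r, "trials", w)
```

Running the script prints the secret indices, the recovered indices and the number of guesses each point cost. The guess counts are geometric, i.e. approximately exponential for a large index space, with mean close to the order of the base point, which is exactly the per-puzzle distribution the Background section assumes; the sum over the tuple is the Gamma-distributed total. On a real instance the field would be chosen so that the expected total work matches the intended bidding window on the expected computing power, and the search would be shared among the participants rather than run in one process.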

The main attractions of elliptic curve cryptography are the easier implementation and the fact that the discrete logarithm problem is harder in an elliptic-curve group than in an ordinary cyclic group (such as the multiplicative group of a finite field, where index-calculus methods apply). As a consequence, an elliptic-curve system can guarantee the same level of security using less space and computation, because keys and ciphertexts are smaller. An Abelian group based on an elliptic curve is either cyclic or a direct product of two cyclic groups (in practical applications a curve is chosen randomly from a predefined family in which one of these factors is small). For example, an elliptic-curve encryption system over the field can guarantee the same level of security as an RSA system with a 1024-bit modulus. Hence there is an order-of-magnitude gain in communication and space complexity, and an even larger gain in computational complexity, because the arithmetic of the smaller field can be implemented much more simply than arithmetic modulo a 1024-bit modulus. On the other hand, there are methods specific to solving the discrete logarithm problem on elliptic curves, so the parameters must be chosen carefully. One example is the case of curves over where is non-prime (a composite extension degree), where the so-called Weil descent attack applies.

Another weakness arises when the elliptic curve and the field have the same number of elements (so-called anomalous curves).

10.2.2 Security requirements

It is very important to defend against "sneak peeks" into the bids by an attacker before the end of bidding. Thus bidding should close long before the time at which most of the indices are expected to be recovered, with a margin that also covers an attacker with more computing power than the honest participants assume.

A provable consensus should exist about which bids were entered on time.

Possible outcomes of the project are the following:

1. Collect, compare and analyze the existing methods for decentralizing the auctioneer in a sealed-bid auction.

2. Make a reference implementation of a method that computes the indices of a tuple of points on an elliptic curve, and present test results for several sets of parameters.

10.3 Literature

1. Li, J., Dabek, F. 2006. F2F: Reliable Storage in Open Networks. 5th International Workshop on Peer-to-Peer Systems (IPTPS '06). http://iptps06.cs.ucsb.edu/papers/Li-F2F06.pdf

2. Rogers, M., Bhatti, S. 2007. How to Disappear Completely: A Survey of Private Peer-to-Peer Networks. 1st International Workshop on Sustaining Privacy in Collaborative Environments (SPACE 2007). http://archive.cs.st-andrews.ac.uk/papers/download/RB07b.pdf

3. Milgrom, P., Weber, R. 1982. A theory of auctions and competitive bidding. Econometrica 50 (5). pp. 1089–1122. http://www.cs.princeton.edu/courses/archive/spr10/cos444/papers/milgrom_weber82.pdf

4. Koblitz, N. 1987. Elliptic Curve Cryptosystems. Mathematics of Computation 48 (177). pp. 203–209. http://www.ams.org/journals/mcom/1987-48-177/S0025-5718-1987-0866109-5/S0025-5718-1987-0866109-5.pdf

5. Hankerson, D., Vanstone, S., Menezes, A. J. 2003. Guide to Elliptic Curve Cryptography. Springer-Verlag New York, Inc.
