Abstract

Combinatorial auctions can be employed in fields such as spectrum auction, network routing, railroad segment, and energy auction. They allow multiple goods to be sold simultaneously, any combination of goods to be bid on, and the maximum sum of combinations of bidding prices to be calculated. However, in traditional combinatorial auction mechanisms, data concerning bidders’ price and bundle might reveal sensitive information, such as personal preference and competitive relation, since the winner determination problem needs to be resolved in terms of this sensitive data. In order to solve this issue, this paper proposes a privacy-preserving and verifiable combinatorial auction protocol (PP-VCA) to protect bidders’ privacy and ensure the correct auction price in a secure manner, in which we design a one-way and monotonically increasing function to protect a bidder’s bid to enable the auctioneer to pick out the largest bid without revealing any information about bids. Moreover, we design and employ three subprotocols, namely, privacy-preserving winner determination protocol, privacy-preserving scalar protocol, and privacy-preserving verifiable payment determination protocol, to implement the combinatorial auction with bidder privacy and payment verifiability. The results of comprehensive experimental evaluations indicate that our proposed scheme provides a better efficiency and flexibility to meet different types of data volume in terms of the number of goods and bidders.

1. Introduction

1.1. Backgrounds

Combinatorial auctions allow multiple goods to be sold simultaneously and any combination of goods to be bid, which provides a vivid and wide auction application on the Internet with the online e-commerce enabling consumers to complete a variety of complex activities, such as bank account deposit withdrawal, commodity trading service, and transaction information inquiry [1]. The auction is gradually changing from traditional auction to electronic auction and becoming an important part of e-commerce. For example, spectrum [2, 3] and energy [4] can be auctioned through the networks. The electronic auction system generally consists of an auctioneer, several sellers, and bidders. The seller entrusts the auctioneer to arrange the auction, accept the bids, and declare the winner [6]. Combinatorial auction is an important part of electronic auction, which is more scalable and can adapt to more complex demands. In a single auctioneer combinatorial auction, the auctioneer sells multiple heterogeneous goods simultaneously and bidders bid on any combination of the goods (called bundle or set) instead of just one [7]. Such auctions have been researched extensively because of the generality and scalability of growing applications [8].

Privacy-preserving combinatorial auction protocols usually employ the cryptographic technique to protect bidders’ private information. When the auction terminates, only the auction outcomes, i.e., who are winners and the corresponding payments, are revealed. In the auction process, the losers’ bids and bundles are kept private since the auctioneers might use losers’ bids to maximize their revenues in future auctions [6]. For example, the average value of losers’ bids can motivate auctioneers to increase the starting price in future auction of similar goods. In addition, private information of bidders, such as bundle and bids, can be used to disclose personal preference and competitive relationship. In an auction system, there is serious competition between bidders, and this information is vital and needs to be protected.

1.2. Scenario and Application

Assume that an auctioneer publishes the information of some goods simultaneously on the Internet. Product numbers are labelled from #1 to #10. Every bidder chooses the sequence of the good number that he wants to own (i.e., bundle) and then provides the price that he is willing to pay (i.e., bid). The chosen list is described in Table 1.

Every bidder computes , where is the number of products in the bundle. The auctioneer picks out the largest average value 7750 and finds that #4 and #7 are still available, which means is the winner of the first round. In the second round, the auctioneer finds that average value is the largest. However, bundle contains one good that is already auctioned (#4), which means cannot be a winner. The auctioneer will choose all the winners in this way.

In privacy-preserving combinatorial auction, a crucial issue to be solved is how to pick out a set of disjoint goods whose total price value is maximized. Actually, this problem can be classified as an optimization problem. In [9], Zhang et al. propose a privacy-preserving optimization for distributed fractional knapsack, which uses the greedy algorithm to find an optimal solution. Suzuki and Yokoo [10, 11] introduce dynamic programming to solve the winner determination problem on finding the shortest path of the directed graph [12]. However, the schemes in [10–12] may lead to a superpolynomial run time when the combinatorial auction parameters, i.e., the number of bidders and the number of goods, increase rapidly [13].

Threshold secret sharing schemes can also be used to solve the privacy-preserving problem in combinatorial auctions. For example, Kikuchi and Thorpe [14] proposed a privacy-preserving combinatorial auction protocol which employed a Shamir secret sharing scheme to share bids between multiple auctioneers, which allows any entity to detect misbehavior of bidders and auctioneers. Considering the high communication cost in [14], Hu et al. [15] provided an authentication property without increasing the communication cost in combinatorial auctions. Homomorphic encryption provides an available approach to protect each bidding value with a vector of ciphertext and then guarantees the auctioneer to figure out the maximum value securely [16–20]. In order to improve the performance, Xu et al. [21] give the comparison of different sorting algorithms and show that different sorting algorithms may have great effect on the performance of the protocol.

1.3. Organization

The remainder of this paper is organized as follows: We provide an overview of related work and background in Section 2. In Section 3, we introduce some terms used in the paper and provide the system framework, adversary model, and security requirement. In Section 4, we introduce the technology used in the paper. We provide our concrete scheme in Section 5 and give the security analysis in Section 6. The feature comparison and performance analysis are presented in Section 7. Finally, we draw our conclusion in Section 8.

2.1. Backgrounds of Combinatorial Auction

The traditional combinatorial auction includes one auctioneer and bidders, as shown in Figure 1. The auctioneer is responsible for arranging the auction, accepting the bids, and declaring the winner. This process consists of two steps. Firstly, the auctioneer will send the information of goods to be auctioned to bidders. Bidders give the sequence of goods that they want to obtain (called bundle) and quotation for bundle (called bid). The auctioneer selects the winner and announces the results according to some mechanism. Then, the auctioneer determines the price that the winner should pay. Notice that the winner’s bid and payment are not necessarily equal.

When the auctioneer picks out the winners, the main goal is to maximize social welfare, which is the sum of the winners’ bids. In this process, we should ensure that no information about the others’ bundles and bids are released. Also, the winner’s payment determination should be verifiable [22].

In order to reduce the losses caused by collusion and cheating among bidders, the famous Generalized Vickrey Auction (GVA) strikes a balance between risk and profit, in which the GVA is a sealed bid auction where auction goods are sold to bidders at the second highest price, which guarantees the authenticity of the auction while maximizing the interests of the auctioneer and bidders. However, the implementation of GVA is NP-hard even under the assumption of single-minded bidders. Zhang et al. [23] investigated the impact on such mechanisms of replacing exact solutions by approximate ones and proposed a particular greedy optimization method, which could guarantee the truthfulness of the auction.

2.2. Related Work

Currently, there exist several approaches to achieve privacy-preserving secure combinatorial auction, such as dynamic programming, Shamir’s threshold secret sharing scheme, homomorphic encryption, and secure multiparty computation.

Sakurai et al. [24] and Sandholm [25] employed dynamic programming to combinatorial auction. However, with the increase of the number of bidders and goods, dynamic programming will lead to nonpolynomial computation cost. Kikuchi and Thorpe [14] proposed a privacy-preserving combinatorial auction using Shamir’s threshold secret sharing scheme, and through further improvements, Hu et al. [15] presented a method to reduce the communication cost and that could resist the collusion attack and passive attack.

Some combinatorial auction protocols are based on homomorphic encryption technique in ciphertext fields [16–20]. However, these protocols need a high computational cost. Palmer et al. [26] employed the technique of secure multiparty computation to implement privacy-preserving combinatorial auction, where the protocol is not scalable since the inputs of combinatorial auction cannot be predetermined. In [9], Zhang et al. employed the inner product of matrix and cancellation with invertible matrix to achieve asymmetric scalar product preserving encryption. Instead of homomorphic encryption, Li et al. [27] used random noise to mask the bid values. By using a masking approach, the server only knows the noise, and the auctioneer only knows the auction results, which will decrease computational complexity in the combinatorial auction.

As an emerging decentralized security data management system, blockchain has gained much popularity recently and has been applied in electronic auction. As the participants in the conventional auction-based trading may collude or take selfish actions, [28] employed the Ethereum framework for trustless, secure, and distributed auctioning. [29] proposed a decentralized electricity transaction mode for microgrids based on blockchain and continuous double auction (CDA) mechanism, which could solve problems in traditional management, such as high operation cost and low transparency.

3. Model of Privacy-Preserving Combinatorial Auction

3.1. System Model

We first present our system model for privacy-preserving combinatorial auction, in which there are three kinds of participants, i.e., an auctioneer who wants to sell several products simultaneously, bidders who want to succeed in the auction, and a crypto service provider who is responsible for key distribution and collaborative computation. In the privacy-preserving combinatorial auction model, we suppose that there is a classical channel between any two participants. The symbols in this paper are shown in Table 2.

As shown in Figure 2, during the auction, every bidder has his own bundle that he expects to obtain and his bid , i.e., the price he is willing to pay on his bundle . During the auction, one product can only be auctioned to one bidder, and the auctioneer’s goal is to maximize social welfare. So, the winners are chosen by the auctioneer as follows:i.e., a set of conflict-free bidders whose total bid is maximized, and is winners’ bundle. After that, the auctioneer will determine the price that the winner should pay according to some mechanism. Besides, CSP will generate a blind signature for bidders’ bid and bundle, which will be used to verify the correctness of the result later.

3.2. Attack Models and Security Requirements

Different from a previous work that assumes CSP is trustworthy, in this paper, we assume that the crypto service provider is semihonest. That is, CSP will follow the protocol steps honestly but tries to learn the bidders’ bundles and bids, i.e., “curious.” But CSP cannot collude with the auctioneer, i.e., noncooperative. Because CSP and the auctioneer are usually service providers with industry certification standards, if either party has any collusion or deception, it will greatly damage its reputation and interests.

In the semihonest adversary model, the main idea is to limit the information exposed to the auctioneer and CSP. When the allocation terminates, the auctioneer is supposed to only know the winners, their bundles, and payments. Each bidder only knows whether he is a winner. The bidder will also be informed of the price he should pay, if he is the winner. Each bidder does not know anything about others’ bundle or bid. CSP will help the auctioneer to decrypt but learns nothing about the auction results.

Also, the auctioneer is assumed to be curious, malicious, and ignorant. He is interested in bidders’ bundles and bids because this information will enable the auctioneer to have more advantage in future auction of similar goods, i.e., “curious.” Besides, bidders’ preferences and competitive relationship will be disclosed according to the bundles and bids. The auctioneer may also try to obtain secret key to decrypt bids or report a fake payment to the winners (i.e., “malicious”), but he is not aware of bidders’ bid for a specific product or preference on these goods (i.e., “ignorant”). In our system, bidders are assumed to be noncooperative and curious. They will follow the scheme honestly but want to know others’ bundles and bids to help them make decision, i.e., “curious.” However, they will not collude with each other, i.e., “noncooperative.”

In our scheme, the following security goals should be achieved:
(i) Privacy preservation: no one can obtain the others’ bundle and bid. Winner determination and payment determination should not arrive at the expense of revealing the losing bids and bundles
(ii) Verifiability and integrity: the winner should be able to verify whether the auctioneer gives a wrong payment to maximize social welfare

Our scheme focuses on the confidentiality of losers’ bundle and bid since winners’ bundles and payments might be learned from the valid output of the auction.

3.3. Design Goal

Our design goal is to develop an efficient, verifiable, and privacy-preserving combinatorial auction scheme. In particular, the following four desirable objectives need to be considered:
(i) Fairness: all bidders should have the same advantage to win the auction
(ii) Security: the proposed scheme should meet the security requirements as above
(iii) Anonymity: the protocol should not reveal any indications about bidder-bid relation. In other words, the auctioneer cannot get bidder’s identity information from bid
(iv) Scalability: when the combinatorial auction parameters, such as the number of bidders and goods, increase rapidly, the protocol is still efficient in terms of both computation and communication cost

4. Preliminaries

We first introduce the primitives and terms that will be used in our scheme.

4.1. ElGamal Cryptosystem

The ElGamal encryption scheme provides a multiplicative homomorphic encryption that comprises the algorithms as key generation, encryption algorithm, and decryption algorithm that are described as follows.
(i) ElGamal.KeyGen: randomly select a large prime number and at random select a generator . At random, select a number . Calculate . The public key is , and the private key is
(ii) ElGamal.Encrypt: to encrypt a message , at first, select a random number , which is relatively prime with , and then calculate , . The ciphertext is set as
(iii) ElGamal.Decrypt: on input a ciphertext and a private key , output the plaintext by computing

Homomorphic multiplication: let be the ciphertext of plaintext . We have

4.2. The Monotonically Increasing and One-Way Function

In this section, we give the notation of monotonically increasing and one-way function [30], which will serve as the building block of combinatorial auction with privacy preservation in our scheme.

Suppose that , where and for , where is an -dimensional dataset and is the upper bound of all data values in . Meanwhile, we denote a set of Euclidean distance by , where

Then, we construct a function , which maps each element to . In particular, for each , , where , each coefficient is an integer, and for . In addition, is a noise and randomly chosen from .

Obviously, the function is a monotonically increasing function, that is,

Moreover, the function is also a one-way function. That is, it is infeasible to recover from for any .

Both security and computation overhead need to be considered to determine the degree of function . With the increasing of , the computation overhead of function will be increasing. Thus, an optimal value should be chosen according to the balance of security and efficiency. In our protocol, we set the degree of to be , which is equal to the number of bidders.

4.3. Blind Signature

In the PP-VCA scheme, we employ a blind signature to guarantee that a signer can create a signature for bidder’s bid and bundle without knowing the real bid price. Concretely, in the blind signature scheme, the signer can generate the signature of bidding price without knowing . In our scheme, we utilize a blind signature to ensure the authenticity and reliability of the combinatorial auction and verify whether the payment price is correctly calculated. By analyzing the inherent disadvantages of the blinded Nyberg-Rueppel scheme, Qi et al. [31] gave an improved scheme by adding hash function in the signature, which enables the signature scheme to be against changing agreed information attack. We give the concrete blinded Nyberg-Rueppel scheme in Scheme 1.

Scheme 1. Blinded Nyberg-Rueppel scheme (BNR).

BNR.SysPara: at random, select a multiplicative group of prime order and its generator , where is a prime factor of prime number . Select a hashing function .

BNR.KeyGen: let be information agreed by the signer and the signee in advance. Compute , where is a one-way function. The signer picks a random number and keeps secret and publishes the public parameters as and .

BNR.Signing: signer blindly signs signee’s message .

  1: The signer randomly selects and sends to the signee

  2: The signee randomly selects , , computes and until . Then, he sends to the signer

  3: The signer computes and sends to the signee

  4: The signee computes

  5: Set the signature as

BNR.Verify: the verifier checks whether and accepts the signature if the equation holds.

5. Our Proposed Scheme

Before submitting the combinatorial auction, all bidders blind sign their bundle and average value through the crypto service provider. As we deploy the blind signature scheme, CSP will not attain any relevant information about the real message and . Also, we can combine the auction scheme with anonymization techniques to protect bidders’ identity information [32]. In our protocol, bidders’ personally identifiable information will be protected by anonymous techniques, which keeps the bidder-bid relation private. Our framework of proposed PP-VCA is described in Figure 3, in which we employ three subprotocols, namely, privacy-preserving winner determination protocol (PPWD), privacy-preserving scalar protocol (PPSP), and privacy-preserving verifiable payment determination protocol (PPVPD), to implement the combinatorial auction with bidder privacy and payment verifiability.

5.1. Privacy-Preserving Winner Determination

At first, we give a greedy winner determination protocol in Algorithm 1. Note that in order to protect the privacy information and of the bidder, AUCT cannot directly sort on the plaintext and select the winner (see Step 2), because the comparison and sorting will reveal the private information and of the bidders. So, we use a monotonically increasing and one-way function to protect the bidder’s , which enables the auctioneer to pick out the largest one without knowing any information about .

Input: each has bundle and bid .
Output: AUCT obtains the winner set and bundle set .
 1: :
  (a) Compute average value
  (b) Send to AUCT
 2: AUCT:
  (a) Initialize ,
  (b) Sort in a nonincreasing order according to the value of . That is, the bigger the , the former the . The sorted sequence is called
  (c) Check in and test whether . If true, update with , with
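
The greedy rule of Algorithm 1, in plaintext, as an added example that is not code from the paper. It assumes the average value is the bid divided by the number of goods in the bundle (the formula itself did not survive on this page), and it runs the Step 2(c) conflict test as the scalar product of two binary vectors, the representation the text introduces next. The bids are constructed to match the Section 1.2 narrative (top average 7750 for goods #4 and #7, runner-up blocked by #4), and all function names are illustrative.

```python
from fractions import Fraction

N_GOODS = 10

# Constructed sample bids: bidder -> (bundle of good numbers, bid).
SAMPLE_BIDS = {
    "b1": ({4, 7}, 15500),      # average 7750
    "b2": ({4, 5, 6}, 21000),   # average 7000, overlaps b1 on good #4
    "b3": ({1, 2}, 12000),      # average 6000
    "b4": ({2, 3}, 11000),      # average 5500, overlaps b3 on good #2
    "b5": ({8, 9, 10}, 15000),  # average 5000
}


def to_vector(bundle, n_goods):
    """Binary vector whose k-th bit is 1 iff good #k is in the bundle."""
    return [1 if k in bundle else 0 for k in range(1, n_goods + 1)]


def scalar_product(a, s):
    return sum(x * y for x, y in zip(a, s))


def greedy_winner_determination(bids, n_goods):
    """Return (winners, rejected, status vector, average values)."""
    for bidder, (bundle, _) in bids.items():
        if not bundle or not all(1 <= k <= n_goods for k in bundle):
            raise ValueError(f"invalid bundle for {bidder}")
    # Assumed reading of "average value": bid / number of goods in the bundle.
    avg = {b: Fraction(price, len(bundle)) for b, (bundle, price) in bids.items()}
    # Nonincreasing order of average value; ties broken by bidder name.
    ranked = sorted(bids, key=lambda b: (-avg[b], b))
    status = [0] * n_goods            # bit k is 1 once good #k+1 is auctioned
    winners, rejected = [], []
    for b in ranked:
        s = to_vector(bids[b][0], n_goods)
        if scalar_product(status, s) == 0:   # bundle is still fully available
            winners.append(b)
            status = [a | x for a, x in zip(status, s)]
        else:                                # at least one good already sold
            rejected.append(b)
    return winners, rejected, status, avg


if __name__ == "__main__":
    w, r, st, av = greedy_winner_determination(SAMPLE_BIDS, N_GOODS)
    print("winners:", w, "rejected:", r, "status:", st)
```

Run in the clear like this, the auctioneer sees every bundle and every average value, which is exactly the leakage the remaining subprotocols are designed to remove.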

The above GWD algorithm needs to check whether s bundle contains the goods that has already been auctioned, which can be solved by privacy-preserving scalar product. We utilize -dimensional binary vector to represent the auction status of goods, where the th bit if the th goods have already been auctioned and otherwise. Similarly, we utilize another -dimensional binary vector to represent s bundle , where th bit if the th goods and if the th goods .

If s bundle does not contain the goods that has already been auctioned, then

If the scalar product is , that means s bundle includes already-auctioned goods. During this process, both and are private information and have to be protected. Besides, the auctioneer will obtain side information about from , because can guess which goods wants to get according to . Similarly, is able to gain some side information about from . During this process, it is easy to see that and are s privacy information, which should be kept from the auctioneer AUCT. Besides, and are AUCT’s privacy information, which should be kept private from . We design Algorithm 2 to solve the product calculation of two vectors while protecting the privacy and check whether the result is equal to 0.

Input: CSP has a pair of ElGamal key: , .
The auctioneer AUCT has ; has .
Output: AUCT obtains .
 1: AUCT: send to CSP
 2: CSP:
  (a) Compute
  (b) Send to AUCT
 3: For each :
  (a) Pick a random number and encrypt to compute
  (b) Send to the auctioneer AUCT
 4: AUCT: compute

If , AUCT will explicitly know that s bundle does not contain the goods that have already been auctioned, and otherwise, the final output is indistinguishable from a random number in from the auctioneer’s perspective. Combining Algorithms 1 and 2, we give a privacy-preserving winner determination model (Algorithm 3), which can be regarded as a black-box algorithm and only outputs the winner and the corresponding bundle.

Input: CSP has a pair of ElGamal key: , ; the auctioneer AUCT has ; has and .
Output: AUCT obtains the winner set and corresponding bundle set .
 1: CSP:
  (a) Select a large number , calculate , and select s.t.
  (b) Randomly choose noise from
  (c) Send , and to
 2: :
  (a) Compute the average value
  (b) Compute
  (c) Send to AUCT
 3: AUCT and jointly perform:
  (a) AUCT picks the largest and records the corresponding bidder as . is the bundle of
  (b) On input (, , , ), perform privacy-preserving scalar product protocol (PPSP) to obtain
  (c) AUCT receives
 4: AUCT:
  (a) If , is the winner. Inform to send , bundle and and put into the winner set and mark s bundle as auctioned in
  (b) Otherwise, remove from bidders
Repeat Steps 3–4 until no set can be updated

In Algorithm 3, computes the average value and calculates using the parameters provided by CSP. Because is a one-way increasing function, the auctioneer AUCT is able to pick out the largest by comparing the value of , which is equivalent to picking the largest . Furthermore, AUCT asks the corresponding to execute Algorithm 2 together, in which will not reveal any information about . AUCT verifies whether s bundle contains the goods that have already been auctioned through judging whether is equal to 1. If , that means compared with other bidders, the average value of is the largest one, and the corresponding bundle is also available, which means is the winner of this round. The auctioneer will inform to submit , bundle and , and then update and to continue the search for the next winner. can prove the identity of , and the signature can guarantee the integrity of . If , that means the bundle of contains at least one good that has been auctioned, so AUCT will remove from bidders and enter the next round of selection.
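
One way to realise the conflict check that Algorithm 2 outputs and Algorithm 3 consumes, built on the multiplicative homomorphism of Section 4.1, as an added example that is not the paper's own code. The exact messages of Algorithm 2 are not recoverable from this page, so the flow below is an assumed instantiation: the auctioned-goods vector is encrypted bit by bit as a power of the generator, the bidder multiplies the ciphertexts its bundle selects and blinds the result with a random exponent, and the decrypted value is 1 exactly when the scalar product is 0. The toy group, the key custody and every name are assumptions.

```python
import secrets

# Toy safe-prime group p = 2q + 1 (both prime), constructed for this example.
# Far too small for real use; a deployment needs a group of 2048 bits or more.
P, Q, G = 2879, 1439, 4   # 4 is a quadratic residue, so it has prime order Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private key in [1, Q-1]
    return x, pow(G, x, P)                    # (private, public)


def encrypt(y, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(y, r, P) % P


def decrypt(x, c):
    c1, c2 = c
    return c2 * pow(c1, P - 1 - x, P) % P     # c2 / c1^x


def ct_mul(a, b):
    """Enc(m1) * Enc(m2) = Enc(m1 * m2), component-wise."""
    return a[0] * b[0] % P, a[1] * b[1] % P


def ct_pow(c, e):
    """Enc(m)^e = Enc(m^e), component-wise."""
    return pow(c[0], e, P), pow(c[1], e, P)


def encode_status(y, status):
    """Auctioneer side: encrypt G^bit for every good in the status vector."""
    if len(status) >= Q:
        raise ValueError("number of goods must stay below the group order")
    return [encrypt(y, pow(G, bit, P)) for bit in status]


def blinded_overlap(y, enc_status, bundle):
    """Bidder side: Enc(G^(r * <status, bundle>)) for a fresh random r."""
    acc = encrypt(y, 1)                       # fresh Enc(1) re-randomises reply
    for c, bit in zip(enc_status, bundle):
        if bit:
            acc = ct_mul(acc, c)
    r = secrets.randbelow(Q - 1) + 1          # nonzero blinding exponent
    return ct_pow(acc, r)


def check_bundle(x, y, status, bundle):
    """Run the exchange once; returns (conflict_free, v).

    Decryption is collapsed into one call here. Whoever holds x learns v, so
    a real design must decide which party that is (the page gives CSP the key).
    """
    v = decrypt(x, blinded_overlap(y, encode_status(y, status), bundle))
    return v == 1, v


if __name__ == "__main__":
    x, y = keygen()
    status = [0, 0, 0, 1, 0, 0, 1, 0, 0, 0]   # constructed: #4 and #7 are sold
    print(check_bundle(x, y, status, [1, 1, 0, 0, 0, 0, 0, 0, 0, 0]))
    print(check_bundle(x, y, status, [0, 0, 0, 1, 1, 1, 0, 0, 0, 0]))
```

Because Q is prime and larger than the number of goods, a nonzero overlap can never be blinded to 1, so the test has no false "available" results; on a conflict the value is a uniformly random non-identity element of the subgroup and does not reveal how many goods overlap.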

5.2. Privacy-Preserving Verifiable Payment Determination

We propose a privacy-preserving verifiable payment determination protocol that is shown in Algorithm 4. AUCT determines the payment that the winner should pay by the following algorithm: Among the bidders whose bundle would have been allocated if were not the winner, AUCT finds out whose average value is maximum, i.e., the candidate of . Then, s payment is , where is the average value of .

In our scheme, the winner s payment is determined by his candidate s average value . In Algorithm 2, AUCT cannot know any information about the bundle of . As a result, AUCT also cannot know any information about from . Similarly, the winner cannot obtain any information about s bundle and , and even does not know who is .

Input: the auctioneer AUCT has and the winner’s and .
Output: obtains the payment .
 1: AUCT removes the winner from bidders and modifies to , where is the set of auctioned goods and is the bundle of . Then, through Algorithm 3, AUCT chooses a fresh winner , who is the candidate of . AUCT notifies to send average value and to AUCT
 2: If the candidate of can be successfully found, AUCT computes and sends and to . If no candidate is found, AUCT sets as the agreed default value and notifies that is the default value
 3: If is not the default value, can recover from and verify whether is correct through . If they are not equal to each other, knows that the payment is not correct

6. Security Analysis

6.1. Bidder’s Privacy Preservation

In the PP-VCA protocol, neither the crypto service provider CSP nor the auctioneer AUCT can learn the full information of bidders. CSP is only responsible for key distribution and blind signature, so it cannot obtain any information about bidders’ private data. The auctioneer only knows the winners and their bundles and payments. As to auction losers, we give Theorems 1-4 to prove that the auctioneer and other bidders cannot obtain any information about losers’ bundles and bids, even their real identity.

Theorem 1. An adversarial auctioneer s advantage is negligible.

Proof. If the auctioneer wants to construct skillfully to obtain , for example, let , and will obtain . Due to the discrete logarithms, an adversarial cannot obtain or . Similarly, an adversarial cannot obtain any information about . Therefore, we have

Theorem 2. An adversarial auctioneer AUCT’s advantage is negligible for all losers.

Proof. Every winner’s bundle is given to AUCT; therefore, we have if is a winner of the auction. Further, we assume that the ElGamal encryption algorithm is semantically secure, during the privacy-preserving scalar product protocol (see Algorithm 2), an adversarial AUCT learns whether there exists a feasible bundle which is negligible, and this reveals nothing about losers’ ; therefore the adversary’s view on losers’ bundle in our PP-VCA is the same as the one in an ideal black-box algorithm. Therefore, is negligible in security parameter , where is a loser and is a negligible function.

Theorem 3. An adversarial auctioneer AUCT’s advantage is negligible for all losers.

Proof. In the payment determination model of the winner , the candidate s average value is disclosed to AUCT. Because of the privacy-preserving scalar product PPSP, AUCT knows nothing about , so he does not learn from . We have

Theorem 4. An adversarial bidder s advantage and are negligible for all .

Proof. For all adversarial bidders, no matter he is a winner or not, all he learns from the PP-VCA protocol is a valid auction output . We have demonstrated in Section 5.2, and then, the winner cannot obtain any information about the candidate’s and .

As a result, in a collusion-free case, our proposed combinatorial auction scheme can protect the information of bidders.

6.2. Payment Verification

In Algorithm 4, the winner’s payment is determined by his candidate’s average value. Since AUCT and use a blind signature generated by CSP, AUCT to convince that provides the correct , and can easily verify whether AUCT the data are modified to maximize social welfare, while protecting the plaintext itself in the signature.

7. Performance and Evaluation

We give the performance analysis and evaluation of our combinatorial auction scheme PP-VCA in terms of communication overhead and computation overhead.

7.1. Communication Cost

In our PP-VCA combinatorial auction scheme, each bidder needs to transfer ciphertext, so bidders need to transfer a total of ciphertext, and the auctioneer needs to return the result. The security parameter used in our scheme is , and the length of the ciphertext of ElGamal is . Because the length of the result is relatively small compared to , it can be ignored. Therefore, in our combinatorial auction scheme, the communication overhead is .

7.2. Benchmark and Computational Overhead

To evaluate the computation overhead, we conducted an experiment, which was in Windows 8 with a 64-bit operating system, RAM 4 G, Intel® Core™ i5-4210U CPU @ 1.70 GHz. In order to exclude the communication I/O during the simulation, we generated all strings in the communication and conducted the computation in the local instance. Security parameter is 128-bit, and every operation is run 1000 times to evaluate the average running time.

In the winner determination protocol, is the time which the bidder spends on encrypt using CSPs , and is the time which the bidders take to calculate using the parameters provided by CSP. is the total time that the auctioneer spends on the decryption of the ciphertext, selection of the winner, and update of and . In terms of different goods and bidders, we give the performance and analysis of computational cost in the winner determination protocol that is shown in Figures 4–6, respectively.

By Figures 4 and 5, it is easy to see that the auctioneer’s computation overhead will increase logarithmically with the increasing of the value of max bid and will increase linearly with the increasing of the amount of total bidders and total goods. Firstly, the larger the value of max bid, the larger the average value . So, obtained by one-way and monotonically increasing function is larger, which will increase the auctioneer’s computation overhead to select the largest . Secondly, the increase of the amount of total bidders and total goods will inevitably increase the auctioneer’s computation overhead. Figures 5 and 6 demonstrate that, in our protocol, the auctioneer’s computation overhead grows with small constant factors linearly.

Meanwhile, Figures 4 and 5 indicate that the value of max bid and the amount of total bidders do not have a big impact on bidder’s computation overhead, since each bidder calculates the average values , and encrypts the bundle locally. The increase of the number of total goods will increase the bidder’s encryption time , but Figure 6 illustrates that the bidder’s computation overhead grows with small constant factors linearly as well.

7.3. Comparison with Peer Works

We compare scalability of our PP-VCA protocol with peer works in Table 3. Considering the actual running time of our protocol with peer works, we notice that our protocol’s run time increases logarithmically with the increasing of the max bid and increases linearly with the increasing of total bidders and total goods. We improve the performance to a linear growth and logarithmic growth, which illustrates that our PP-VCA protocol provides a better scalability in the practice.

8. Conclusion

In this work, we proposed an effective, scalable, and flexible privacy-preserving combinatorial auction scheme to protect bidder’s privacy and ensure the correctness and verifiability of the bidding price. We employed a monotonically increasing one-way function to ensure the auctioneer to pick out the largest bid without disclosing the bidding price. In addition, we put forward a privacy-preserving verifiable payment determination protocol to confirm the payment that the winner should pay. Furthermore, we used a blind signature scheme to succeed in allowing all bidders to verify the payment without knowing the real sensitive bidding price. Performance analysis and experimental results indicate that our scheme provides a better performance and scalability in combinatorial auction systems.

Data Availability

Data is available on request.

Additional Points

This is the extended and full version of [5].

Conflicts of Interest

The authors declare no conflict of interest regarding this publication.

Acknowledgments

This work is supported by the National Natural Science Foundation of China under grant 62072134 and 61672010, the Open Research Project of State Key Laboratory of Cryptology of China, the Key projects of Guangxi Natural Science Foundation under grant 2019JJD170020, and the Open Fund Program for State Key Laboratory of Information Security of China under Grant 2020-MS-05.