\documentclass { article}
\usepackage [a4paper, margin=2cm] { geometry}
\usepackage { amsmath}
\usepackage { amsfonts}
\begin { document}
\section { first price auction with tie breaking and private outcome (EC-Version)}
\subsection { Zero Knowledge Proofs}
\subsubsection { Proof 1: Knowledge of an ECDL}
Alice and Bob know $v$, $g$ and $q = |g|$, but only Alice knows $x$ such that
$v = xg$.
\begin { enumerate}
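\item Alice chooses $z \in \mathbb{Z}_q$ at random and calculates $a = zg$. A fresh $z$ is required for every proof, since two proofs that share the same $z$ but use different challenges $c$ reveal $x$.
\item Alice computes $c = \mathrm{HASH}(g, v, a) \bmod q$.
\item Alice sends $r = (z + cx) \bmod q$ and $a$ to Bob.
\item Bob recomputes $c$ from $g$, $v$ and the received $a$ as in step 2 and checks that $rg = a + cv$.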
\end { enumerate}
\begin { tabular} { r l}
Prover only knowledge: & $ x $ \\
Common knowledge: & $ v, g $ \\
Proof: & $ r, a $
\end { tabular}
\subsubsection { Proof 2: Equality of two ECDL}
Alice and Bob know $v$, $w$, $g_1$ and $g_2$, but only Alice knows $x$ such that
$v = xg_1$ and $w = xg_2$.
\begin { enumerate}
\item Alice chooses $z \in \mathbb{Z}_q$ at random and calculates $a = zg_1$ and $b = zg_2$.
\item Alice computes $c = \mathrm{HASH}(g_1, g_2, v, w, a, b) \bmod q$.
\item Alice sends $r = (z + cx) \bmod q$, $a$ and $b$ to Bob.
\item Bob recomputes $c$ from $g_1$, $g_2$, $v$, $w$ and the received $a$ and $b$ as in step 2 and checks that $rg_1 = a + cv$ and $rg_2 = b + cw$.
\end { enumerate}
\begin { tabular} { r l}
Prover only knowledge: & $ x $ \\
Common knowledge: & $ v, w, g _ 1 , g _ 2 $ \\
Proof: & $ r, a, b $
\end { tabular}
\subsubsection { Proof 3: An encrypted value is one out of two values}
Alice proves that an ElGamal-encrypted value $(\alpha, \beta) = (m + ry, rg)$
either decrypts to $0$ or to the fixed value $g$ without revealing which is the
case; in other words, it is shown that $m \in \{0, g\}$. \\
\noindent If $ m = 0 $ :
\begin { enumerate}
\item Alice chooses $r_1, d_1, w \in \mathbb{Z}_q$ at random and calculates $a_1 = r_1 g + d_1 \beta$, $b_1 = r_1 y + d_1 (\alpha - g)$, $a_2 = wg$ and $b_2 = wy$. Here $(a_1, b_1)$ is a simulated transcript for the case $m = g$, while $(a_2, b_2)$ is an honest commitment for the case $m = 0$.
\item Alice computes $c = \mathrm{HASH}(g, \alpha, \beta, a_1, b_1, a_2, b_2) \bmod q$.
\item Alice sets $d_2 = c - d_1 \bmod q$ and $r_2 = w - rd_2 \bmod q$.
\end { enumerate}
\noindent If $ m = g $ :
\begin { enumerate}
\item Alice chooses $r_2, d_2, w \in \mathbb{Z}_q$ at random and calculates $a_1 = wg$, $b_1 = wy$, $a_2 = r_2 g + d_2 \beta$ and $b_2 = r_2 y + d_2 \alpha$. Here $(a_2, b_2)$ is a simulated transcript for the case $m = 0$, while $(a_1, b_1)$ is an honest commitment for the case $m = g$.
\item Alice computes $c = \mathrm{HASH}(g, \alpha, \beta, a_1, b_1, a_2, b_2) \bmod q$.
\item Alice sets $d_1 = c - d_2 \bmod q$ and $r_1 = w - rd_1 \bmod q$.
\end { enumerate}
\noindent Then regardless of the value of $ m $ :
\begin { enumerate}
\item Alice sends $(\alpha, \beta), a_1, b_1, a_2, b_2, d_1, d_2, r_1, r_2$ to Bob.
\item Bob recomputes $c = \mathrm{HASH}(g, \alpha, \beta, a_1, b_1, a_2, b_2) \bmod q$ and checks that $c = d_1 + d_2 \bmod q$, $a_1 = r_1 g + d_1 \beta$, $b_1 = r_1 y + d_1 (\alpha - g)$, $a_2 = r_2 g + d_2 \beta$ and $b_2 = r_2 y + d_2 \alpha$.
\end { enumerate}
\begin { tabular} { r l}
Prover only knowledge: & $ r, x $ \\
Common knowledge: & $ \alpha , \beta $ \\
Proof: & $ a _ 1 , a _ 2 , b _ 1 , b _ 2 , d _ 1 , d _ 2 , r _ 1 , r _ 2 $
\end { tabular}
\subsection { Protocol}
Let $n$ be the number of participating bidders/agents in the protocol and $k$ be
the number of possible valuations/prices for the sold good. Let $g$ be the
base point of Ed25519 and $q = \operatorname{ord}(g)$ its order. $0$ is the neutral point
for addition on Ed25519. $a \in \left\{1, 2, \dots, n\right\}$ is the index of the
agent executing the protocol, while $i, h \in \left\{1, 2, \dots, n\right\}$ are
other agent indices. Furthermore, $j, b_a \in \left\{1, 2, \dots, k\right\}$, with $b_a$ denoting
the price $p_{b_a}$ that bidder $a$ is willing to pay. The prices are strictly increasing: $\forall j: p_j < p_{j+1}$.
\subsubsection { Generate public key}
\begin { enumerate}
\item Choose $ x _ { + a } \in \mathbb { Z } _ q $ and $ \forall i,j: m _ { ij } ^ { \times a } , r _ { aj } \in \mathbb { Z } _ q $ at random.
\item Publish $ y _ { \times a } = { x _ { + a } } g $ along with Proof 1 of $ y _ { \times a } $ 's ECDL.
\item Compute $ y = \sum _ { i = 1 } ^ ny _ { \times i } $ .
\end { enumerate}
\subsubsection { Round 1: Encrypt bid}
The message has $k$ parts, each consisting of $10$ points, plus an additional $3$
points for the last proof. With $32$ bytes per point, the message is therefore
$10k \cdot 32 + 3 \cdot 32 = 320k + 96$ bytes in size.
\begin { enumerate}
\item $ \forall j: $ Set $ b _ { aj } = \begin { cases } g & \mathrm { if } \quad j = b _ a \\ 0 & \mathrm { else } \end { cases } $ and publish $ \alpha _ { aj } = b _ { aj } + r _ { aj } y $ and $ \beta _ { aj } = r _ { aj } g $ .
\item $ \forall j: $ Use Proof 3 to show that $ ( \alpha _ { aj } , \beta _ { aj } ) $ decrypts to either $ 0 $ or $ g $ .
\item Use Proof 2 to show that $ ECDL _ y \left ( \left ( \sum _ { j = 1 } ^ k \alpha _ { aj } \right ) - g \right ) = ECDL _ g \left ( \sum _ { j = 1 } ^ k \beta _ { aj } \right ) $ .
\end { enumerate}
\subsubsection { Round 2: Compute outcome}
The message has $nk$ parts, each consisting of $5$ points. With $32$ bytes per point, the message
is therefore $5nk \cdot 32 = 160nk$ bytes in size.
$ \forall i,j: $ Compute and publish \\ [2.0ex]
$ \gamma _ { ij } ^ { \times a } = m _ { ij } ^ { + a } \displaystyle \left ( \left ( \sum _ { h = 1 } ^ n \sum _ { d = j + 1 } ^ k \alpha _ { hd } \right ) + \left ( \sum _ { d = 1 } ^ { j - 1 } \alpha _ { id } \right ) + \left ( \sum _ { h = 1 } ^ { i - 1 } \alpha _ { hj } \right ) \right ) $ and \\ [2.0ex]
$ \delta _ { ij } ^ { \times a } = m _ { ij } ^ { + a } \displaystyle \left ( \left ( \sum _ { h = 1 } ^ n \sum _ { d = j + 1 } ^ k \beta _ { hd } \right ) + \left ( \sum _ { d = 1 } ^ { j - 1 } \beta _ { id } \right ) + \left ( \sum _ { h = 1 } ^ { i - 1 } \beta _ { hj } \right ) \right ) $ \\ [2.0ex]
with a corresponding Proof 2 for $ ECDL ( \gamma _ { ij } ^ { \times a } ) = ECDL ( \delta _ { ij } ^ { \times a } ) $ .
\subsubsection { Round 3: Decrypt outcome}
$ \forall i,j: $ Send $ \varphi _ { ij } ^ { \times a } =
x_ { +a} \left (\sum _ { h=1} ^ n\delta _ { ij} ^ { \times h} \right )$ with a Proof 2
$ ECDL ( \varphi _ { ij } ^ { \times a } ) = ECDL ( y _ { \times a } ) $ to the seller who publishes
all $ \varphi _ { ij } ^ { \times h } $ and the corresponding proofs of correctness for
each $ i, j $ and $ h \neq i $ after having received all of them.
\subsubsection { Epilogue: Outcome determination}
\begin { enumerate}
\item $ \forall j: $ Compute $ v _ { aj } = \sum _ { i = 1 } ^ n \gamma _ { aj } ^ { \times i } - \sum _ { i = 1 } ^ n \varphi _ { aj } ^ { \times i } $ .
\item If $ \exists w: v _ { aw } = 1 $ , then bidder $ a $ is the winner of the auction. $ p _ w $ is the selling price.
\end { enumerate}
\section { first price auction with tie breaking and private outcome}
\begin { align}
v_ { aj} & = \frac { \prod _ { i=1} ^ n \gamma _ { aj} ^ { \times i} } { \prod _ { i=1} ^ n \varphi _ { aj} ^ { \times i} } \\ [2.0ex]
& = \frac { \prod _ { i=1} ^ n \gamma _ { aj} ^ { \times i} } { \prod _ { i=1} ^ n \left (\prod _ { h=1} ^ n \delta _ { aj} ^ { \times h} \right )^ { x_ { +i} } } \\ [2.0ex]
& = \frac { \prod _ { i=1} ^ n \left (\left (\prod _ { h=1} ^ n \prod _ { d=j+1} ^ k \alpha _ { hd} \right )\cdot \left (\prod _ { d=1} ^ { j-1} \alpha _ { ad} \right )\cdot \left (\prod _ { h=1} ^ { a-1} \alpha _ { hj} \right )\right )^ { m_ { aj} ^ { +i} } } { \prod _ { i=1} ^ n \left (\prod _ { h=1} ^ n \left (\left (\prod _ { s=1} ^ n \prod _ { d=j+1} ^ k \beta _ { sd} \right )\cdot \left (\prod _ { d=1} ^ { j-1} \beta _ { ad} \right )\cdot \left (\prod _ { s=1} ^ { a-1} \beta _ { sj} \right )\right )^ { m_ { aj} ^ { +h} } \right )^ { x_ { +i} } } \\ [2.0ex]
& = \frac { \prod _ { i=1} ^ n \left (\left (\prod _ { h=1} ^ n \prod _ { d=j+1} ^ k b_ { hd} y^ { r_ { hd} } \right )\cdot \left (\prod _ { d=1} ^ { j-1} b_ { ad} y^ { r_ { ad} } \right )\cdot \left (\prod _ { h=1} ^ { a-1} b_ { hj} y^ { r_ { hj} } \right )\right )^ { m_ { aj} ^ { +i} } } { \prod _ { i=1} ^ n \left (\prod _ { h=1} ^ n \left (\left (\prod _ { s=1} ^ n \prod _ { d=j+1} ^ k g^ { r_ { sd} } \right )\cdot \left (\prod _ { d=1} ^ { j-1} g^ { r_ { ad} } \right )\cdot \left (\prod _ { s=1} ^ { a-1} g^ { r_ { sj} } \right )\right )^ { m_ { aj} ^ { +h} } \right )^ { x_ { +i} } } \\ [2.0ex]
& = \frac { \prod _ { i=1} ^ n \left (\left (\prod _ { h=1} ^ n \prod _ { d=j+1} ^ k b_ { hd} \left (\prod _ { t=1} ^ n g^ { x_ { +t} } \right )^ { r_ { hd} } \right )\cdot \left (\prod _ { d=1} ^ { j-1} b_ { ad} \left (\prod _ { t=1} ^ n g^ { x_ { +t} } \right )^ { r_ { ad} } \right )\cdot \left (\prod _ { h=1} ^ { a-1} b_ { hj} \left (\prod _ { t=1} ^ n g^ { x_ { +t} } \right )^ { r_ { hj} } \right )\right )^ { m_ { aj} ^ { +i} } } { \prod _ { i=1} ^ n \left (\prod _ { h=1} ^ n \left (\left (\prod _ { s=1} ^ n \prod _ { d=j+1} ^ k g^ { r_ { sd} } \right )\cdot \left (\prod _ { d=1} ^ { j-1} g^ { r_ { ad} } \right )\cdot \left (\prod _ { s=1} ^ { a-1} g^ { r_ { sj} } \right )\right )^ { m_ { aj} ^ { +h} } \right )^ { x_ { +i} } }
\end { align}
\subsection { outcome function}
\begin { align}
v_ a & = \left ((2U-I)\sum _ { i=1} ^ n b_ i-(2M+1)\mathbf { e} +(2M+2)Lb_ a\right )R_ a^ * \\ [2.0ex]
v_ { aj} & = \left (\sum _ { i=1} ^ n \left (\sum _ { d=j} ^ k b_ { id} + \sum _ { d=j+1} ^ k b_ { id} \right )-(2M+1)+(2M+2)\sum _ { d=1} ^ j b_ { ad} \right )R_ a^ * \\ [2.0ex]
& \text { switch from additive finite group to multiplicative finite group} \\ [2.0ex]
v_ { aj} & = \left (\frac { \displaystyle \prod _ { i=1} ^ n \left (\prod _ { d=j} ^ k b_ { id} \cdot \prod _ { d=j+1} ^ k b_ { id} \right ) \cdot \left (\prod _ { d=1} ^ j b_ { ad} \right )^ { 2M+2} } { (2M+1)g} \right )R_ a^ * \\ [2.0ex]
\end { align}
\subsection{fixes to step 5 in (M+1)st Price auction from the 2003 paper pages 9 and 10}
\begin { align}
\gamma _ { ij} = & \frac { \prod _ { h=1} ^ n \prod _ { d=j} ^ k (\alpha _ { hd} \alpha _ { h,d+1} )\left (\prod _ { d=1} ^ j \alpha _ { id} \right )^ { 2M+2} } { (2M+1)Y} \\
\text { changed to} & \frac { \prod _ { h=1} ^ n \left (\prod _ { d=j} ^ k \alpha _ { hd} \cdot \prod _ { d=j+1} ^ k \alpha _ { hd} \right )\left (\prod _ { d=1} ^ j \alpha _ { id} \right )^ { 2M+2} } { Y^ { 2M+1} } \\ [2.0ex]
\delta _ { ij} = & \prod _ { h=1} ^ n \prod _ { d=j} ^ k (\beta _ { hd} \beta _ { h,d+1} )\left (\prod _ { d=1} ^ j \beta _ { id} \right )^ { 2M+2} \\
\text { changed to} & \prod _ { h=1} ^ n \left (\prod _ { d=j} ^ k \beta _ { hd} \prod _ { d=j+1} ^ k \beta _ { hd} \right )\left (\prod _ { d=1} ^ j \beta _ { id} \right )^ { 2M+2}
\end { align}
\end { document}