\documentclass{article} \usepackage[a4paper, margin=2cm]{geometry} \usepackage{amsmath} \usepackage{amsfonts} \begin{document} \section{first price auction with tie breaking and private outcome (EC-Version)} \subsection{Zero Knowledge Proofs} \subsubsection{Proof 1: Knowledge of an ECDL} Alice and Bob know $V$, $G$ and $q = |G|$, but only Alice knows $x$, so that $V = xG$. \begin{enumerate} \item Alice chooses $z \bmod q$ at random and calculates $A = zG$. \item Alice computes $c = HASH(G,V,A) \bmod q$. \item Alice sends $G, V, A$ and $r = (z + cx) \bmod q$ to Bob. \item Bob computes $c$ as above and checks that $rG = A + cV$. \end{enumerate} \begin{tabular}{r l} Prover only knowledge: & $x$ \\ Common knowledge: & $V, G$ \\ Proof: & $r, A$ \end{tabular} \subsubsection{Proof 2: Equality of two ECDL} Alice and Bob know $V$, $W$, $G_1$ and $G_2$, but only Alice knows $x$, so that $V = xG_1$ and $W = xG_2$. \begin{enumerate} \item Alice chooses $z \bmod q$ at random and calculates $A = zG_1$ and $B = zG_2$. \item Alice computes $c = HASH(G_1,G_2,V,W,A,B) \bmod q$. \item Alice sends $V, W, G_1, G_2, A, B$ and $r = (z + cx) \bmod q$ to Bob. \item Bob computes $c$ as above and checks that $rG_1 = A + cV$ and $rG_2 = B + cW$. \end{enumerate} \begin{tabular}{r l} Prover only knowledge: & $x$ \\ Common knowledge: & $V, W, G_1, G_2$ \\ Proof: & $r, A, B$ \end{tabular} \subsubsection{Proof 3: An encrypted value is one out of two values} Alice proves that an El Gamal encrypted value $(\alpha, \beta) = (M + rY, rG)$ either decrypts to $0$ or to the fixed value $G$ without revealing which is the case, in other words, it is shown that $M \in \{0, G\}$. \\ \noindent If $M = 0$: \begin{enumerate} \item Alice chooses $r_1, d_1, w \bmod q$ at random and calculates $A_1 = r_1G + d_1\beta$, $B_1 = r_1Y + d_1(\alpha - G)$, $A_2=wG$ and $B_2=wY$. \item Alice computes $c = HASH(G,\alpha,\beta,A_1,B_1,A_2,B_2) \bmod q$. \item Alice chooses $d_2=c-d_1 \bmod q$ and $r_2=w-rd_2 \bmod q$. \end{enumerate} \noindent If $M = G$: \begin{enumerate} \item Alice chooses $r_2, d_2, w \bmod q$ at random and calculates $A_1=wG$, $B_1=wY$, $A_2=r_2G + d_2\beta$ and $B_2=r_2Y + d_2\alpha$. \item Alice computes $c = HASH(G,\alpha,\beta,A_1,B_1,A_2,B_2) \bmod q$. \item Alice chooses $d_1=c-d_2 \bmod q$ and $r_1=w-rd_1 \bmod q$. \end{enumerate} \noindent Then regardless of the value of $M$: \begin{enumerate} \item Alice sends $G, (\alpha, \beta), A_1, B_1, A_2, B_2, d_1, d_2, r_1, r_2$ to Bob. \item Bob computes $c$ as above and checks that $c=d_1+d_2 \bmod q$, $A_1=r_1G+d_1\beta$, $B_1=r_1Y+d_1(\alpha-G)$, $A_2=r_2G+d_2\beta$ and $B_2=r_2Y+d_2\alpha$. \end{enumerate} \begin{tabular}{r l} Prover only knowledge: & $r, x$ \\ Common knowledge: & $\alpha, \beta$ \\ Proof: & $A_1, A_2, B_1, B_2, d_1, d_2, r_1, r_2$ \end{tabular} \subsection{Protocol} Let $n$ be the number of participating bidders/agents in the protocol and $k$ be the amount of possible valuations/prices for the sold good. Let $G$ be the base point of Ed25519 and $q = ord(G)$ the order of it. $0$ is the neutral point for addition on Ed25519. $a \in \left\{1,2,\dots,n\right\}$ is the index of the agent executing the protocol, while $i, h \in \left\{1, 2, \dots, n\right\}$ are other agent indizes. $j, b_a \in \left\{1,2,\dots,k\right\}$ with $b_a$ denoting the price $p_{b_a}$ bidder $a$ is willing to pay. $\forall j: p_j < p_{j+1}$. \subsubsection{Generate public key} \begin{enumerate} \item Choose $x_{+a} \in \mathbb{Z}_q$ and $\forall i,j: m_{ij}^{\times a}, r_{aj} \bmod q$ at random. \item Publish $Y_{\times a}={x_{+a}}G$ along with Proof 1 of $Y_{\times a}$'s ECDL. \item Compute $Y=\sum_{i=1}^nY_{\times i}$. \end{enumerate} \subsubsection{Round 1: Encrypt bid} The message has $k$ parts, each consisting of $10$ Points plus an additional $3$ Points for the last proof. Therefore the message is $10k*32 + 3*32 = 320k + 96$ bytes large. \begin{enumerate} \item $\forall j:$ Set $B_{aj}=\begin{cases}G & \mathrm{if}\quad j=b_a\\0 & \mathrm{else}\end{cases}$ and publish $\alpha_{aj}=B_{aj}+r_{aj}Y$ and $\beta_{aj}=r_{aj}G$. \item $\forall j:$ Use Proof 3 to show that $(\alpha_{aj}, \beta_{aj})$ decrypts to either $0$ or $G$. \item Use Proof 2 to show that $ ECDL_Y\left(\left(\sum_{j=1}^k\alpha_{aj}\right) - G\right) = ECDL_G\left(\sum_{j=1}^k\beta_{aj}\right)$. \end{enumerate} \subsubsection{Round 2: Compute outcome} The message has $nk$ parts, each consisting of $5$ Points. Therefore the message is $5nk*32 = 160nk$ bytes large. $\forall i,j:$ Compute and publish \\[2.0ex] $\gamma_{ij}^{\times a} = m_{ij}^{+a}\displaystyle\left(\left(\sum_{h=1}^n\sum_{d=j+1}^k\alpha_{hd}\right)+\left(\sum_{d=1}^{j-1}\alpha_{id}\right)+\left(\sum_{h=1}^{i-1}\alpha_{hj}\right)\right)$ and \\[2.0ex] $\delta_{ij}^{\times a} = m_{ij}^{+a}\displaystyle\left(\left(\sum_{h=1}^n\sum_{d=j+1}^k\beta_{hd}\right)+\left(\sum_{d=1}^{j-1}\beta_{id}\right)+\left(\sum_{h=1}^{i-1}\beta_{hj}\right)\right)$ \\[2.0ex] with a corresponding Proof 2 for $ECDL(\gamma_{ij}^{\times a}) = ECDL(\delta_{ij}^{\times a})$. \subsubsection{Round 3: Decrypt outcome} $\forall i,j:$ Send $\varphi_{ij}^{\times a} = x_{+a}\left(\sum_{h=1}^n\delta_{ij}^{\times h}\right)$ with a Proof 2 $ECDL(\varphi_{ij}^{\times a}) = ECDL(Y_{\times a})$ to the seller who publishes all $\varphi_{ij}^{\times h}$ and the corresponding proofs of correctness for each $i, j$ and $h \neq i$ after having received all of them. \subsubsection{Epilogue: Outcome determination} \begin{enumerate} \item $\forall j:$ Compute $V_{aj}=\sum_{i=1}^n\gamma_{aj}^{\times i} - \sum_{i=1}^n\varphi_{aj}^{\times i}$. \item If $\exists w: V_{aw} = 1$, then bidder $a$ is the winner of the auction. $p_w$ is the selling price. \end{enumerate} \section{first price auction with tie breaking and private outcome} \begin{align} v_{aj} & = \frac{\prod_{i=1}^n \gamma_{aj}^{\times i}}{\prod_{i=1}^n \varphi_{aj}^{\times i}} \\[2.0ex] & = \frac{\prod_{i=1}^n \gamma_{aj}^{\times i}}{\prod_{i=1}^n \left(\prod_{h=1}^n \delta_{aj}^{\times h}\right)^{x_{+i}}} \\[2.0ex] & = \frac{\prod_{i=1}^n \left(\left(\prod_{h=1}^n \prod_{d=j+1}^k \alpha_{hd}\right)\cdot\left(\prod_{d=1}^{j-1} \alpha_{ad}\right)\cdot\left(\prod_{h=1}^{a-1} \alpha_{hj}\right)\right)^{m_{aj}^{+i}}}{\prod_{i=1}^n \left(\prod_{h=1}^n \left(\left(\prod_{s=1}^n \prod_{d=j+1}^k \beta_{sd}\right)\cdot\left(\prod_{d=1}^{j-1} \beta_{ad}\right)\cdot\left(\prod_{s=1}^{a-1} \beta_{sj}\right)\right)^{m_{aj}^{+h}}\right)^{x_{+i}}} \\[2.0ex] & = \frac{\prod_{i=1}^n \left(\left(\prod_{h=1}^n \prod_{d=j+1}^k b_{hd} y^{r_{hd}}\right)\cdot\left(\prod_{d=1}^{j-1} b_{ad} y^{r_{ad}}\right)\cdot\left(\prod_{h=1}^{a-1} b_{hj} y^{r_{hj}}\right)\right)^{m_{aj}^{+i}}}{\prod_{i=1}^n \left(\prod_{h=1}^n \left(\left(\prod_{s=1}^n \prod_{d=j+1}^k g^{r_{sd}}\right)\cdot\left(\prod_{d=1}^{j-1} g^{r_{ad}}\right)\cdot\left(\prod_{s=1}^{a-1} g^{r_{sj}}\right)\right)^{m_{aj}^{+h}}\right)^{x_{+i}}} \\[2.0ex] & = \frac{\prod_{i=1}^n \left(\left(\prod_{h=1}^n \prod_{d=j+1}^k b_{hd} \left(\prod_{t=1}^n g^{x_{+t}}\right)^{r_{hd}}\right)\cdot\left(\prod_{d=1}^{j-1} b_{ad} \left(\prod_{t=1}^n g^{x_{+t}}\right)^{r_{ad}}\right)\cdot\left(\prod_{h=1}^{a-1} b_{hj} \left(\prod_{t=1}^n g^{x_{+t}}\right)^{r_{hj}}\right)\right)^{m_{aj}^{+i}}}{\prod_{i=1}^n \left(\prod_{h=1}^n \left(\left(\prod_{s=1}^n \prod_{d=j+1}^k g^{r_{sd}}\right)\cdot\left(\prod_{d=1}^{j-1} g^{r_{ad}}\right)\cdot\left(\prod_{s=1}^{a-1} g^{r_{sj}}\right)\right)^{m_{aj}^{+h}}\right)^{x_{+i}}} \end{align} \subsection{outcome function} \begin{align} v_a & = \left((2U-I)\sum_{i=1}^n b_i-(2M+1)\mathbf{e}+(2M+2)Lb_a\right)R_a^* \\[2.0ex] v_{aj} & = \left(\sum_{i=1}^n \left(\sum_{d=j}^k b_{id} + \sum_{d=j+1}^k b_{id}\right)-(2M+1)+(2M+2)\sum_{d=1}^j b_{ad}\right)R_a^* \\[2.0ex] & \text{switch from additive finite group to multiplicative finite group} \\[2.0ex] v_{aj} & = \left(\frac{\displaystyle\prod_{i=1}^n \left(\prod_{d=j}^k b_{id} \cdot \prod_{d=j+1}^k b_{id}\right) \cdot \left(\prod_{d=1}^j b_{ad}\right)^{2M+2}}{(2M+1)g}\right)R_a^* \\[2.0ex] \end{align} \subsection{fixes to step 5 in (M+1)st Price auction from the 2003 paper pages 9 an 10} \begin{align} \gamma_{ij} = & \frac{\prod_{h=1}^n \prod_{d=j}^k (\alpha_{hd}\alpha_{h,d+1})\left(\prod_{d=1}^j \alpha_{id}\right)^{2M+2}}{(2M+1)Y} \\ \text{changed to} & \frac{\prod_{h=1}^n \left(\prod_{d=j}^k \alpha_{hd} \cdot \prod_{d=j+1}^k \alpha_{hd}\right)\left(\prod_{d=1}^j \alpha_{id}\right)^{2M+2}}{Y^{2M+1}} \\[2.0ex] \delta_{ij} = & \prod_{h=1}^n \prod_{d=j}^k (\beta_{hd}\beta_{h,d+1})\left(\prod_{d=1}^j \beta_{id}\right)^{2M+2} \\ \text{changed to} & \prod_{h=1}^n \left(\prod_{d=j}^k \beta_{hd} \prod_{d=j+1}^k \beta_{hd}\right)\left(\prod_{d=1}^j \beta_{id}\right)^{2M+2} \end{align} \end{document}