libbrandt/tex-stuff/math.tex
2016-06-16 00:08:49 +02:00

142 lines
6.0 KiB
TeX

\documentclass{article}
\usepackage[a4paper, margin=2cm]{geometry}
\usepackage{amsmath}
\begin{document}
\section{first price auction with tie breaking and private outcome (EC-Version)}
\subsection{Zero Knowledge Proofs}
\subsubsection{Proof of Knowledge of a EC DL}
Alice and Bob know $v$ and $g$ with $|g| = n$, but only Alice knows $x$, so that $v = xg$.
\begin{enumerate}
\item Alice chooses $z$ at random and calculates $a = zg$.
\item Alice computes $c = HASH(g,v,a)$ mod n.
\item Alice sends $r = (z + cx)$ mod n and $a$ to Bob.
\item Bob checks that $rg = a + cv$.
\end{enumerate}
\subsubsection{Proof of equality of two EC DL}
Alice and Bob know $v$, $w$, $g_1$ and $g_2$, but only Alice knows $x$, so that
$v = xg_1$ and $w = xg_2$.
\begin{enumerate}
\item Alice chooses $z$ at random and calculates $a = zg_1$ and $b = zg_2$.
\item Alice computes $c = HASH(g_1,g_2,v,w,a,b)$ mod n.
\item Alice sends $r = (z + cx)$ mod n, $a$ and $b$ to Bob.
\item Bob checks that $rg_1 = a + cv$ and $rg_2 = b + cw$.
\end{enumerate}
\subsubsection{Proof that an encrypted value is one out of two values}
Alice proves that an El Gamal encrypted value $(\alpha, \beta) = (m + ry, rg)$
either decrypts to $0$ or to the fixed value $g$ without revealing which is the
case, in other words, it is shown that $m \in \{0, g\}$.
If $m = 0$:
\begin{enumerate}
\item Alice chooses $r_1$, $d_1$, $w$ at random and calculates $a_1 = r_1g + d_1\beta$, $b_1 = r_1y + d_1(\alpha - g)$, $a_2=wg$ and $b_2=wy$.
\item Alice computes $c = HASH(g,\alpha,\beta,a_1,b_1,a_2,b_2)$ mod n.
\item Alice chooses $d_2=c-d_1$ mod n and $r_2=w-rd_2$ mod n.
\end{enumerate}
If $m = g$:
\begin{enumerate}
\item Alice chooses $r_2$, $d_2$, $w$ at random and calculates $a_1=wg$, $b_1=wy$, $a_2=r_2g + d_2\beta$ and $b_2=r_2y + d_2\alpha$.
\item Alice computes $c = HASH(g,\alpha,\beta,a_1,b_1,a_2,b_2)$ mod n.
\item Alice chooses $d_1=c-d_2$ mod n and $r_1=w-rd_1$ mod n.
\end{enumerate}
Then regardless of the value of $m$:
\begin{enumerate}
\item Alice sends $(\alpha, \beta), a_1, b_1, a_2, b_2, c, d_1, d_2, r_1, r_2$ to Bob.
\item Bob checks that $c=d_1+d_2$ mod n, $a_1=r_1g+d_1\beta$, $b_1=r_1y+d_1(\alpha-g)$, $a_2=r_2g+d_2\beta$ and $b_2=r_2y+d_2\alpha$.
\end{enumerate}
\subsection{Protocol}
\subsubsection{Generate public key}
\begin{enumerate}
\item Choose $x_a$ and $m_{ij}, r_{aj}$ for each $i$ and $j$ at random.
\item Publish $y_a=g^{x_a}$ along with a zero-knowledge proof of knowledge of $y_a$'s EC DL.
\item Compute $y=\sum_{i=1}^ny_i$.
\end{enumerate}
\subsubsection{Round 1: Encrypt bid}
\begin{enumerate}
\item Set $b_{aj}=\begin{cases}g & \mathrm{if}\quad j=b_a\\0 & \mathrm{else}\end{cases}$ and publish $\alpha_{aj}=b_{aj}+r_{aj}y$ and $\beta_{aj}=r_{aj}g$ for each j.
\end{enumerate}
\subsubsection{Round 2: Compute outcome}
\begin{enumerate}
\item
\end{enumerate}
\subsubsection{Round 3: Decrypt outcome}
\begin{enumerate}
\item
\end{enumerate}
\subsubsection{Epilogue: Outcome determination}
\begin{enumerate}
\item
\end{enumerate}
\section{first price auction with tie breaking and private outcome}
\begin{align}
v_{aj} & = \frac{\prod_{i=1}^n \gamma_{aj}^{\times i}}{\prod_{i=1}^n \varphi_{aj}^{\times i}} \\[2.0ex]
& = \frac{\prod_{i=1}^n \gamma_{aj}^{\times i}}{\prod_{i=1}^n \left(\prod_{h=1}^n \delta_{aj}^{\times h}\right)^{x_{+i}}} \\[2.0ex]
& = \frac{\prod_{i=1}^n \left(\left(\prod_{h=1}^n \prod_{d=j+1}^k \alpha_{hd}\right)\cdot\left(\prod_{d=1}^{j-1} \alpha_{ad}\right)\cdot\left(\prod_{h=1}^{a-1} \alpha_{hj}\right)\right)^{m_{aj}^{+i}}}{\prod_{i=1}^n \left(\prod_{h=1}^n \left(\left(\prod_{s=1}^n \prod_{d=j+1}^k \beta_{sd}\right)\cdot\left(\prod_{d=1}^{j-1} \beta_{ad}\right)\cdot\left(\prod_{s=1}^{a-1} \beta_{sj}\right)\right)^{m_{aj}^{+h}}\right)^{x_{+i}}} \\[2.0ex]
& = \frac{\prod_{i=1}^n \left(\left(\prod_{h=1}^n \prod_{d=j+1}^k b_{hd} y^{r_{hd}}\right)\cdot\left(\prod_{d=1}^{j-1} b_{ad} y^{r_{ad}}\right)\cdot\left(\prod_{h=1}^{a-1} b_{hj} y^{r_{hj}}\right)\right)^{m_{aj}^{+i}}}{\prod_{i=1}^n \left(\prod_{h=1}^n \left(\left(\prod_{s=1}^n \prod_{d=j+1}^k g^{r_{sd}}\right)\cdot\left(\prod_{d=1}^{j-1} g^{r_{ad}}\right)\cdot\left(\prod_{s=1}^{a-1} g^{r_{sj}}\right)\right)^{m_{aj}^{+h}}\right)^{x_{+i}}} \\[2.0ex]
& = \frac{\prod_{i=1}^n \left(\left(\prod_{h=1}^n \prod_{d=j+1}^k b_{hd} \left(\prod_{t=1}^n g^{x_{+t}}\right)^{r_{hd}}\right)\cdot\left(\prod_{d=1}^{j-1} b_{ad} \left(\prod_{t=1}^n g^{x_{+t}}\right)^{r_{ad}}\right)\cdot\left(\prod_{h=1}^{a-1} b_{hj} \left(\prod_{t=1}^n g^{x_{+t}}\right)^{r_{hj}}\right)\right)^{m_{aj}^{+i}}}{\prod_{i=1}^n \left(\prod_{h=1}^n \left(\left(\prod_{s=1}^n \prod_{d=j+1}^k g^{r_{sd}}\right)\cdot\left(\prod_{d=1}^{j-1} g^{r_{ad}}\right)\cdot\left(\prod_{s=1}^{a-1} g^{r_{sj}}\right)\right)^{m_{aj}^{+h}}\right)^{x_{+i}}}
\end{align}
\subsection{outcome function}
\begin{align}
v_a & = \left((2U-I)\sum_{i=1}^n b_i-(2M+1)\mathbf{e}+(2M+2)Lb_a\right)R_a^* \\[2.0ex]
v_{aj} & = \left(\sum_{i=1}^n \left(\sum_{d=j}^k b_{id} + \sum_{d=j+1}^k b_{id}\right)-(2M+1)+(2M+2)\sum_{d=1}^j b_{ad}\right)R_a^* \\[2.0ex]
& \text{switch from additive finite group to multiplicative finite group} \\[2.0ex]
v_{aj} & = \left(\frac{\displaystyle\prod_{i=1}^n \left(\prod_{d=j}^k b_{id} \cdot \prod_{d=j+1}^k b_{id}\right) \cdot \left(\prod_{d=1}^j b_{ad}\right)^{2M+2}}{(2M+1)g}\right)R_a^* \\[2.0ex]
\end{align}
\subsection{fixes to step 5 in (M+1)st Price auction from the 2003 paper pages 9 an 10}
\begin{align}
\gamma_{ij} = & \frac{\prod_{h=1}^n \prod_{d=j}^k (\alpha_{hd}\alpha_{h,d+1})\left(\prod_{d=1}^j \alpha_{id}\right)^{2M+2}}{(2M+1)Y} \\
\text{changed to} & \frac{\prod_{h=1}^n \left(\prod_{d=j}^k \alpha_{hd} \cdot \prod_{d=j+1}^k \alpha_{hd}\right)\left(\prod_{d=1}^j \alpha_{id}\right)^{2M+2}}{Y^{2M+1}} \\[2.0ex]
\delta_{ij} = & \prod_{h=1}^n \prod_{d=j}^k (\beta_{hd}\beta_{h,d+1})\left(\prod_{d=1}^j \beta_{id}\right)^{2M+2} \\
\text{changed to} & \prod_{h=1}^n \left(\prod_{d=j}^k \beta_{hd} \prod_{d=j+1}^k \beta_{hd}\right)\left(\prod_{d=1}^j \beta_{id}\right)^{2M+2}
\end{align}
\end{document}