\documentclass{article}
|
|
\usepackage[a4paper, margin=2cm]{geometry}
|
|
\usepackage{amsmath}
|
|
\usepackage{amsfonts}
|
|
\begin{document}
|
|
|
|
\section{Ed25519 Elliptic Curve Based Algorithms And Protocols}
|
|
\subsection{Zero Knowledge Proofs}

All three proofs below are Schnorr/Chaum--Pedersen style proofs made non-interactive with the Fiat--Shamir transform.
Two requirements that the verification equations alone do not enforce apply to every use of them in this document:
\begin{itemize}
\item The verifier must check that every received point is a canonical encoding of a point on the curve lying in the order-$q$ subgroup generated by $G$ (Ed25519 has cofactor~$8$), and that every received scalar lies in $\{0,\dots,q-1\}$. Outside that subgroup the algebra below is not the intended one, and accepting a non-reduced response $r$ makes a proof malleable ($r + q$ passes the same check).
\item The hash that yields $c$ must cover the complete statement being proven and the context it is used in (protocol and version string, auction identifier, round, and the index $a$ of the prover). As written, the hashes contain only the group elements of the proof, so a proof -- and with it the key share or encrypted bid it accompanies -- can be copied verbatim by another bidder or replayed in another auction. In Proof~3 the public key $Y$ is part of the statement and should be hashed as well.
\end{itemize}
The randomness $z$ (respectively $w$ and the simulated $r_i, d_i$) must be fresh and uniform for every proof; reusing it across proofs, or deriving it from a weak source, reveals the secret.
|
|
\subsubsection{Proof 1: Knowledge of an ECDL}
|
|
|
|
Alice and Bob know $V$, $G$ and $q = |G|$, but only Alice knows $x$, so that
|
|
$V = xG$.
|
|
|
|
\begin{enumerate}
|
|
\item Alice chooses $z \bmod q$ at random and calculates $A = zG$.
|
|
\item Alice computes $c = HASH(G,V,A) \bmod q$.
|
|
\item Alice sends $G, V, A$ and $r = (z + cx) \bmod q$ to Bob.
|
|
\item Bob computes $c$ as above and checks that $rG = A + cV$.
|
|
\end{enumerate}
|
|
|
|
\begin{tabular}{r l}
|
|
Prover only knowledge: & $x$ \\
|
|
Common knowledge: & $V, G$ \\
|
|
Proof: & $r, A$
|
|
\end{tabular}
|
|
|
|
\subsubsection{Proof 2: Equality of two ECDL}
|
|
|
|
Alice and Bob know $V$, $W$, $G_1$ and $G_2$, but only Alice knows $x$, so that
|
|
$V = xG_1$ and $W = xG_2$.
|
|
|
|
\begin{enumerate}
|
|
\item Alice chooses $z \bmod q$ at random and calculates $A = zG_1$ and $B = zG_2$.
|
|
\item Alice computes $c = HASH(G_1,G_2,V,W,A,B) \bmod q$.
|
|
\item Alice sends $V, W, G_1, G_2, A, B$ and $r = (z + cx) \bmod q$ to Bob.
|
|
\item Bob computes $c$ as above and checks that $rG_1 = A + cV$ and $rG_2 = B + cW$.
|
|
\end{enumerate}
|
|
|
|
\begin{tabular}{r l}
|
|
Prover only knowledge: & $x$ \\
|
|
Common knowledge: & $V, W, G_1, G_2$ \\
|
|
Proof: & $r, A, B$
|
|
\end{tabular}
|
|
|
|
\subsubsection{Proof 3: An encrypted value is one out of two values}
|
|
|
|
Alice proves that an El Gamal encrypted value $(\alpha, \beta) = (M + rY, rG)$
under the public key $Y$ either decrypts to $0$ or to the fixed value $G$ without
revealing which is the case, in other words, it is shown that $M \in \{0, G\}$.
This is a disjunctive (``one out of two'') Chaum--Pedersen proof: the branch for
the case that actually holds is computed honestly, the other branch is simulated
by choosing its challenge share $d_i$ and response $r_i$ first.
|
|
|
|
\noindent If $M = 0$:
|
|
|
|
\begin{enumerate}
|
|
\item Alice chooses $r_1, d_1, w \bmod q$ at random and calculates $A_1 = r_1G + d_1\beta$, $B_1 = r_1Y + d_1(\alpha - G)$, $A_2=wG$ and $B_2=wY$.
|
|
\item Alice computes $c = HASH(G,\alpha,\beta,A_1,B_1,A_2,B_2) \bmod q$.
|
|
\item Alice chooses $d_2=c-d_1 \bmod q$ and $r_2=w-rd_2 \bmod q$.
|
|
\end{enumerate}
|
|
|
|
\noindent If $M = G$:
|
|
|
|
\begin{enumerate}
|
|
\item Alice chooses $r_2, d_2, w \bmod q$ at random and calculates $A_1=wG$, $B_1=wY$, $A_2=r_2G + d_2\beta$ and $B_2=r_2Y + d_2\alpha$.
|
|
\item Alice computes $c = HASH(G,\alpha,\beta,A_1,B_1,A_2,B_2) \bmod q$.
|
|
\item Alice chooses $d_1=c-d_2 \bmod q$ and $r_1=w-rd_1 \bmod q$.
|
|
\end{enumerate}
|
|
|
|
\noindent Then regardless of the value of $M$:
|
|
|
|
\begin{enumerate}
|
|
\item Alice sends $G, (\alpha, \beta), A_1, B_1, A_2, B_2, d_1, d_2, r_1, r_2$ to Bob.
|
|
\item Bob computes $c$ as above and checks that $c=d_1+d_2 \bmod q$, $A_1=r_1G+d_1\beta$, $B_1=r_1Y+d_1(\alpha-G)$, $A_2=r_2G+d_2\beta$ and $B_2=r_2Y+d_2\alpha$.
|
|
\end{enumerate}
|
|
|
|
\begin{tabular}{r l}
|
|
Prover only knowledge: & $r$ (and whether $M = 0$ or $M = G$) \\
Common knowledge: & $G, Y, \alpha, \beta$ \\
|
|
Proof: & $A_1, A_2, B_1, B_2, d_1, d_2, r_1, r_2$
|
|
\end{tabular}
|
|
|
|
\subsection{public outcome auctions}
|
|
|
|
TODO: no need to unicast Round 3 to seller, implications
|
|
|
|
\subsection{M+1st price auctions}
|
|
|
|
TODO: explain blowing up $k$ to $nk$ to prevent ties and the additional check
|
|
needed in Round 1.
|
|
|
|
\subsection{Prologue}
|
|
|
|
These steps are the same for all following protocols in this section.
|
|
|
|
Let $n$ be the number of participating bidders/agents in the protocol and $k$ be
the number of possible valuations/prices for the sold good. Let $G$ be the
base point of Ed25519 and $q = \operatorname{ord}(G)$ its (prime) order; all scalars
are elements of $\mathbb{Z}_q$. $0$ is the neutral point
for addition on Ed25519. $a \in \left\{1,2,\dots,n\right\}$ is the index of the
agent executing the protocol, while $i, h \in \left\{1, 2, \dots, n\right\}$ are
the indices of other agents. $j, b_a \in \left\{1,2,\dots,k\right\}$ with $b_a$ denoting
the price $p_{b_a}$ bidder $a$ is willing to pay. $\forall j: p_j < p_{j+1}$.
Every point received from another party is checked to be a canonical encoding of a
point in the order-$q$ subgroup before it enters any of the sums below: Ed25519 has
cofactor $8$, and both the correctness of the outcome computation and the soundness
of the proofs are only defined within that subgroup.
|
|
|
|
\subsubsection{Generate public key}
|
|
|
|
\begin{enumerate}
|
|
\item Choose the private key share $x_{+a} \in \mathbb{Z}_q$ and \\
|
|
$\forall i,j:$ Blinding factors $m_{ij}^{+a} \bmod q$ and \\
|
|
$\forall j:$ El Gamal encryption parameters $r_{aj} \bmod q$ at random.
|
|
\item Publish $Y_{\times a}={x_{+a}}G$ along with Proof 1 of $Y_{\times a}$'s ECDL.

\item Verify Proof 1 of every other bidder; a share without a valid proof is rejected and the protocol is aborted. The proof of knowledge is what prevents a bidder from choosing $Y_{\times a}$ as a function of the other shares (so that the joint key $Y$ would be one it controls). Then compute $Y=\sum_{i=1}^nY_{\times i}$.
|
|
\end{enumerate}
|
|
|
|
\subsubsection{Round 1: Encrypt bid}
|
|
|
|
The message has $k$ parts, each consisting of $10$ elements (points and scalars,
$32$ bytes each), plus an additional $3$ elements for the last proof. Therefore
the message is $10k \cdot 32 + 3 \cdot 32 = 320k + 96$ bytes large.
|
|
|
|
\begin{enumerate}
|
|
\item $\forall j:$ Set $B_{aj}=\begin{cases}G & \text{if}\quad j=b_a\\0 & \text{else}\end{cases}$ and publish $\alpha_{aj}=B_{aj}+r_{aj}Y$ and $\beta_{aj}=r_{aj}G$.

\item $\forall j:$ Use Proof 3 to show that $(\alpha_{aj}, \beta_{aj})$ decrypts to either $0$ or $G$.

\item Use Proof 2 to show that $ ECDL_Y\left(\left(\sum_{j=1}^k\alpha_{aj}\right) - G\right) = ECDL_G\left(\sum_{j=1}^k\beta_{aj}\right)$, i.e.\ that $\sum_{j=1}^k B_{aj} = G$. Together with the previous step this shows that exactly one entry of the bid vector equals $G$, so bidder $a$ has committed to exactly one price.

\item Verify the Proof 3 instances and the Proof 2 of every other bidder before using their $(\alpha_{ij}, \beta_{ij})$ in Round 2; a bid vector with a failing proof is rejected.
|
|
\end{enumerate}
|
|
|
|
\subsection{First Price Auction Protocol With Private Outcome}
|
|
|
|
\subsubsection{Round 2: Compute outcome}
|
|
|
|
The message has $nk$ parts, each consisting of $5$ Points. Therefore the message
|
|
is $5nk*32 = 160nk$ bytes large.
|
|
|
|
$\forall i,j:$ Compute and publish \\[2.0ex]
|
|
$\gamma_{ij}^{\times a} = m_{ij}^{+a}\displaystyle\left(\left(\sum_{h=1}^n\sum_{d=j+1}^k\alpha_{hd}\right)+\left(\sum_{d=1}^{j-1}\alpha_{id}\right)+\left(\sum_{h=1}^{i-1}\alpha_{hj}\right)\right)$ and \\[2.0ex]
|
|
$\delta_{ij}^{\times a} = m_{ij}^{+a}\displaystyle\left(\left(\sum_{h=1}^n\sum_{d=j+1}^k \beta_{hd}\right)+\left(\sum_{d=1}^{j-1} \beta_{id}\right)+\left(\sum_{h=1}^{i-1} \beta_{hj}\right)\right)$ \\[2.0ex]
|
|
with a corresponding Proof 2 for $ECDL(\gamma_{ij}^{\times a}) = ECDL(\delta_{ij}^{\times a})$.
|
|
|
|
\subsubsection{Round 3: Decrypt outcome}
|
|
|
|
$\forall i,j:$ Send $\varphi_{ij}^{\times a} =
x_{+a}\left(\sum_{h=1}^n\delta_{ij}^{\times h}\right)$ with a Proof 2 showing
$ECDL(\varphi_{ij}^{\times a}) = ECDL(Y_{\times a})$ to the seller. After having
received all of them, the seller publishes, for each $i, j$, the shares
$\varphi_{ij}^{\times h}$ with $h \neq i$ together with their proofs of correctness;
the share $\varphi_{ij}^{\times i}$ of bidder $i$ for its own row is withheld, so that
only bidder $i$ (who computes that share locally) can complete the decryption of
$V_{ij}$. Note that the seller receives all $n$ shares of every row and can therefore
decrypt every $V_{ij}$ itself: the outcome is private with respect to the other
bidders, not with respect to the seller, who must be trusted not to forward the
withheld shares. Bidders verify the Proof 2 of every published share before using it.
|
|
|
|
\subsubsection{Epilogue: Outcome determination}
|
|
|
|
\begin{enumerate}
|
|
\item $\forall j:$ Compute $V_{aj}=\sum_{i=1}^n\gamma_{aj}^{\times i} - \sum_{i=1}^n\varphi_{aj}^{\times i}$, where $\varphi_{aj}^{\times a}$ is the share bidder $a$ computed itself in Round 3 and the remaining shares are those published by the seller.

\item If $\exists w: V_{aw} = 0$, then bidder $a$ is the winner of the auction and $p_w$ is the selling price. Otherwise bidder $a$ has lost; each $V_{aj}$ is then the (non-zero) plaintext scaled by the sum of the blinding factors $m_{aj}^{+i}$ and reveals nothing about the other bids.
|
|
\end{enumerate}
|
|
|
|
\subsection{First Price Auction Protocol With Public Outcome}
|
|
|
|
\subsubsection{Round 2: Compute outcome}
|
|
|
|
$\forall j:$ Compute and publish \\[2.0ex]
|
|
$\gamma_j^{\times a} = m_j^{+a}\displaystyle\left(\sum_{h=1}^n\sum_{d=j+1}^k\alpha_{hd}\right)+\sum_{h=1}^n2^{h-1}\alpha_{hj}$ and \\[2.0ex]
|
|
$\delta_j^{\times a} = m_j^{+a}\displaystyle\left(\sum_{h=1}^n\sum_{d=j+1}^k \beta_{hd}\right)+\sum_{h=1}^n2^{h-1} \beta_{hj}$ \\[2.0ex]
|
|
with a corresponding Proof 2 for $\displaystyle ECDL\left(m_j^{+a}\left(\sum_{h=1}^n\sum_{d=j+1}^k\alpha_{hd}\right)\right) = ECDL\left(m_j^{+a}\left(\sum_{h=1}^n\sum_{d=j+1}^k \beta_{hd}\right)\right)$. \\[2.0ex]
|
|
|
|
The message has $k$ parts, each consisting of $5$ Points. Therefore the message
|
|
is $5k*32 = 160k$ bytes large. Note that compared to auctions with private
|
|
outcome the message size is reduced by a factor of $n$ because we don't need to
|
|
compute different outcome functions for each bidder when the outcome should be
|
|
public. Therefore we don't need $nk$ blinding factors $m_{ij}^{+a}$ in this
|
|
scheme, but only $k$ different ones $m_j^{+a}$.
|
|
|
|
\subsubsection{Round 3: Decrypt outcome}
|
|
|
|
$\forall j:$ Compute and publish $\displaystyle\varphi_j^{\times a} =
|
|
x_{+a}\left(\sum_{h=1}^n\delta_j^{\times h}\right)$ with a Proof 2 showing
|
|
$ECDL(\varphi_j^{\times a}) = ECDL(Y_{\times a})$ \\[2.0ex]
|
|
|
|
This message has $k$ parts, each consisting of $4$ Points. Therefore the message
|
|
is $4k*32 = 128k$ bytes large.
|
|
|
|
\subsubsection{Epilogue: Outcome determination}
|
|
|
|
\begin{enumerate}
|
|
\item $\forall j:$ Compute $\displaystyle V_j=\sum_{h=1}^n\gamma_j^{\times h} - \sum_{h=1}^n\varphi_j^{\times h}$.
|
|
\item The selling price is $p_w$ for the largest index $w$ with $V_w \neq 0$: for indices above the highest bid both terms of $\gamma_j$ decrypt to $0$, at the highest bid only the unblinded term $n\sum_{h=1}^n 2^{h-1} B_{hw}$ remains, and below it the blinded term masks the value.

\item Compute $d = ECDL(V_w)/n$. This discrete logarithm is feasible because the exponent is bounded by $n\,(2^n-1)$, not because of any structure of $q$; it is found by exhaustive search or a baby-step/giant-step table, which restricts the scheme to small $n$.

\item The lowest set bit of $d$ identifies the winner: bit $h-1$ is set iff bidder $h$ bid $p_w$, and in a tie the lowest index wins. Note that $d$ reveals the complete set of bidders who bid $p_w$, i.e.\ in a tie the losing bidders at the selling price are identified as well.
|
|
\end{enumerate}
|
|
|
|
\subsection{M+1st Price Auction Protocol With Private Outcome}
|
|
|
|
The tie breaking for M+1st Price Auctions is not only computationally intensive,
|
|
but also introduces a lot of protocol complexity if done in an optimized
|
|
way\footnote{TODO: quote diploma thesis}. Since this would lead to a huge amount
|
|
of additional code which will likely introduce more bugs\footnote{TODO: quote},
|
|
we decided to keep it simple and take another approach for tie breaking in the
|
|
M+1st Price Auction schemes. We took the simplest one, interlacing the bids, so
|
|
that no two bidders are allowed to bid the same price. On the application level
|
|
we will still handle $k_{\text{app}}$ different prices, but within libbrandt we
|
|
will multiply that by a factor of $n$ to get $k_{\text{lib}}=nk_{\text{app}}$.
|
|
|
|
The bids are scaled up as well by the mapping $\forall
|
|
i\in{[1,n]}:b_{i,\text{lib}}=b_{i,\text{app}}n-i+1$. Therefore the set of
|
|
allowed bids for bidder $i$ is defined as $\{j|k_{\text{lib}}-j+1\equiv
|
|
i\pmod{n}\}$.
|
|
|
|
This restriction will be checked by an additional proof in the first round of
|
|
the protocol and ensures that the bidders with a lower index win in case of
|
|
ties. The expansion will be done right at the beginning of an auction by
|
|
libbrandt and the reverse mapping is applied before reporting the auction
|
|
outcome to the application, so this expansion is transparent to the application.
|
|
In the remaining part about the M+1st Price Auction Protocols we will use $k$
|
|
instead of $k_{\text{lib}}$, so $k$ will be divisible by $n$ without remainder.
|
|
|
|
Unfortunately this tie breaking simplification has the downside of revealing the
|
|
identity and bid of the bidder who had the highest bid amongst the losing
|
|
bidders. If there are multiple ones fulfilling this criteria (having a tie on
|
|
the M+1st bid), then only the one with the lowest index will be revealed. This
|
|
problem can be prevented by using anonymized bidder identities, so the winners
only learn the selling price (the M+1st highest bid), but not who placed this
M+1st highest bid. This requires that the mapping from the protocol index $i$ to
the real identity of a bidder is not available to the other bidders, since it is
the index $i$ that the interlaced price index reveals.
|
|
|
|
\subsubsection{Addition to Round 1: Encrypt bid}
|
|
|
|
The bidders also have to use Proof 2 to show that $\displaystyle ECDL_Y\left(\left(\sum_{j=1}^{k/n}\alpha_{a,\,jn-a+1}\right) - G\right) = ECDL_G\left(\sum_{j=1}^{k/n}\beta_{a,\,jn-a+1}\right)$,
i.e.\ that the single $G$ marker of the bid vector lies at one of the indices $jn-a+1$ that the interlacing above assigns to bidder $a$.

This is to ensure bidders have only chosen valid bids for their bid index, since
in M+1st price auctions the amount of possible prices is multiplied by $n$ to
prevent ties. As with the other proofs of Round 1, every bidder verifies this
proof for every other bidder before Round 2. It increases the message size by $96$ bytes.
|
|
|
|
\subsubsection{Round 2: Compute outcome}
|
|
|
|
The message has $nk$ parts, each consisting of $5$ Points. Therefore the message
|
|
is $5nk*32 = 160nk$ bytes large.
|
|
|
|
$\forall i,j:$ Compute and publish \\[2.0ex]
|
|
$\gamma_{ij}^{\times a} = m_{ij}^{+a}\displaystyle\left(\sum_{h=1}^n\left(\sum_{d=j}^k\alpha_{hd}+\sum_{d=j+1}^k\alpha_{hd}\right)+\left(2M+2\right)\sum_{d=1}^{j}\alpha_{id} - \left(2M+1\right)G \right)$ and \\[2.0ex]

$\delta_{ij}^{\times a} = m_{ij}^{+a}\displaystyle\left(\sum_{h=1}^n\left(\sum_{d=j}^k \beta_{hd}+\sum_{d=j+1}^k \beta_{hd}\right)+\left(2M+2\right)\sum_{d=1}^{j} \beta_{id}\right)$ \\[2.0ex]

with a corresponding Proof 2 for $ECDL(\gamma_{ij}^{\times a}) = ECDL(\delta_{ij}^{\times a})$, with $G_1$ the publicly computable point in parentheses of $\gamma_{ij}^{\times a}$ and $G_2$ the one of $\delta_{ij}^{\times a}$.
The constant $(2M+1)G$ is a plaintext constant: $2M+1$ copies of the bid marker $G$ of Round 1, encrypted with randomness $0$ and hence without a counterpart in $\delta_{ij}^{\times a}$. It is expressed in terms of the marker $G$, not the public key $Y$ of this document; the $Y^{2M+1}$ in the 2003 paper's formula (see the notes at the end of this section) is written in that paper's notation. With $Y = xG$ in place of $G$ the decrypted value would be $(\sum_h m_{ij}^{+h})\,(c - (2M+1)x)\,G$ for the bid count $c$ and would not vanish for the winner.
|
|
|
|
\subsubsection{Round 3: Decrypt outcome}
|
|
|
|
$\forall i,j:$ Send $\varphi_{ij}^{\times a} =
|
|
x_{+a}\left(\sum_{h=1}^n\delta_{ij}^{\times h}\right)$ with a Proof 2 showing
|
|
$ECDL(\varphi_{ij}^{\times a}) = ECDL(Y_{\times a})$ to the seller who publishes
|
|
all $\varphi_{ij}^{\times h}$ and the corresponding proofs of correctness for
|
|
each $i, j$ and $h \neq i$ after having received all of them.
|
|
|
|
\subsubsection{Epilogue: Outcome determination}
|
|
|
|
\begin{enumerate}
|
|
\item $\forall j:$ Compute $V_{aj}=\sum_{i=1}^n\gamma_{aj}^{\times i} - \sum_{i=1}^n\varphi_{aj}^{\times i}$.
|
|
\item If $\exists w: V_{aw} = 0$, then bidder $a$ is the winner of the auction. $p_w$ is the selling price.
|
|
\end{enumerate}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
\subsection{Fixes to step 5 of the (M+1)st price auction in the 2003 paper, pages 9 and 10}
|
|
\begin{align}
|
|
\gamma_{ij} = & \frac{\prod_{h=1}^n \prod_{d=j}^k (\alpha_{hd}\alpha_{h,d+1})\left(\prod_{d=1}^j \alpha_{id}\right)^{2M+2}}{(2M+1)Y} \\
|
|
\text{changed to} & \frac{\prod_{h=1}^n \left(\prod_{d=j}^k \alpha_{hd} \cdot \prod_{d=j+1}^k \alpha_{hd}\right)\left(\prod_{d=1}^j \alpha_{id}\right)^{2M+2}}{Y^{2M+1}} \\[2.0ex]
|
|
\delta_{ij} = & \prod_{h=1}^n \prod_{d=j}^k (\beta_{hd}\beta_{h,d+1})\left(\prod_{d=1}^j \beta_{id}\right)^{2M+2} \\
|
|
\text{changed to} & \prod_{h=1}^n \left(\prod_{d=j}^k \beta_{hd} \prod_{d=j+1}^k \beta_{hd}\right)\left(\prod_{d=1}^j \beta_{id}\right)^{2M+2}
|
|
\end{align}
|
|
\end{document}
|