diff options
author | Markus Teich <markus.teich@stusta.mhn.de> | 2016-10-12 14:21:16 +0200 |
---|---|---|
committer | Markus Teich <markus.teich@stusta.mhn.de> | 2016-10-12 14:21:16 +0200 |
commit | eddab7698236e5fcc0f258e191409c64062753b4 (patch) | |
tree | 23de21f90e50ac87af51901c90b3e0cbe3715e02 | |
parent | 7e4d82b58bc136283c4e3b927abfb81a951ad59b (diff) | |
download | libbrandt-eddab7698236e5fcc0f258e191409c64062753b4.tar.gz libbrandt-eddab7698236e5fcc0f258e191409c64062753b4.zip |
math.tex: add first price public outcome protocol and description for M+1st price private outcome protocol
-rw-r--r-- | tex-stuff/math.tex | 63 |
1 files changed, 60 insertions, 3 deletions
diff --git a/tex-stuff/math.tex b/tex-stuff/math.tex index 04cc1dc..b5cd37e 100644 --- a/tex-stuff/math.tex +++ b/tex-stuff/math.tex | |||
@@ -101,7 +101,9 @@ the price $p_{b_a}$ bidder $a$ is willing to pay. $\forall j: p_j < p_{j+1}$. | |||
101 | \subsubsection{Generate public key} | 101 | \subsubsection{Generate public key} |
102 | 102 | ||
103 | \begin{enumerate} | 103 | \begin{enumerate} |
104 | \item Choose $x_{+a} \in \mathbb{Z}_q$ and $\forall i,j: m_{ij}^{+a}, r_{aj} \bmod q$ at random. | 104 | \item Choose the private key share $x_{+a} \in \mathbb{Z}_q$ and \\ |
105 | $\forall i,j:$ Blinding factors $m_{ij}^{+a} \bmod q$ and \\ | ||
106 | $\forall j:$ El Gamal encryption parameters $r_{aj} \bmod q$ at random. | ||
105 | \item Publish $Y_{\times a}={x_{+a}}G$ along with Proof 1 of $Y_{\times a}$'s ECDL. | 107 | \item Publish $Y_{\times a}={x_{+a}}G$ along with Proof 1 of $Y_{\times a}$'s ECDL. |
106 | \item Compute $Y=\sum_{i=1}^nY_{\times i}$. | 108 | \item Compute $Y=\sum_{i=1}^nY_{\times i}$. |
107 | \end{enumerate} | 109 | \end{enumerate} |
@@ -147,13 +149,68 @@ each $i, j$ and $h \neq i$ after having received all of them. | |||
147 | 149 | ||
148 | \subsection{First Price Auction Protocol With Public Outcome} | 150 | \subsection{First Price Auction Protocol With Public Outcome} |
149 | 151 | ||
150 | TODO | 152 | \subsubsection{Round 2: Compute outcome} |
153 | |||
154 | $\forall j:$ Compute and publish \\[2.0ex] | ||
155 | $\gamma_j^{\times a} = m_j^{+a}\displaystyle\left(\sum_{h=1}^n\sum_{d=j+1}^k\alpha_{hd}\right)+\sum_{h=1}^n2^{h-1}\alpha_{hj}$ and \\[2.0ex] | ||
156 | $\delta_j^{\times a} = m_j^{+a}\displaystyle\left(\sum_{h=1}^n\sum_{d=j+1}^k \beta_{hd}\right)+\sum_{h=1}^n2^{h-1} \beta_{hj}$ \\[2.0ex] | ||
157 | with a corresponding Proof 2 for $\displaystyle ECDL\left(m_j^{+a}\left(\sum_{h=1}^n\sum_{d=j+1}^k\alpha_{hd}\right)\right) = ECDL\left(m_j^{+a}\left(\sum_{h=1}^n\sum_{d=j+1}^k \beta_{hd}\right)\right)$. \\[2.0ex] | ||
158 | |||
159 | The message has $k$ parts, each consisting of $5$ Points. Therefore the message | ||
160 | is $5k*32 = 160k$ bytes large. Note that compared to auctions with private | ||
161 | outcome the message size is reduced by a factor of $n$ because we don't need to | ||
162 | compute different outcome functions for each bidder when the outcome should be | ||
163 | public. Therefore we don't need $nk$ blinding factors $m_{ij}^{+a}$ in this | ||
164 | scheme, but only $k$ different ones $m_j^{+a}$. | ||
165 | |||
166 | \subsubsection{Round 3: Decrypt outcome} | ||
167 | |||
168 | $\forall j:$ Compute and publish $\displaystyle\varphi_j^{\times a} = | ||
169 | x_{+a}\left(\sum_{h=1}^n\delta_j^{\times h}\right)$ with a Proof 2 showing | ||
170 | $ECDL(\varphi_j^{\times a}) = ECDL(Y_{\times a})$ \\[2.0ex] | ||
171 | |||
172 | This message has $k$ parts, each consisting of $4$ Points. Therefore the message | ||
173 | is $4k*32 = 128k$ bytes large. | ||
174 | |||
175 | \subsubsection{Epilogue: Outcome determination} | ||
176 | |||
177 | \begin{enumerate} | ||
178 | \item $\forall j:$ Compute $\displaystyle V_j=\sum_{h=1}^n\gamma_j^{\times h} - \sum_{h=1}^n\varphi_j^{\times h}$. | ||
179 | \item The $V_j$ with the biggest index $p$ where $V_p \neq 0$ denotes that $p$ is the selling price. | ||
180 | \item We then compute $d=ECDL(V_p)/n$ which is doable since it only has small factors. | ||
181 | \item The lowest $w$ where the bit $w$ is set in $d$ denotes the winner. | ||
182 | \end{enumerate} | ||
151 | 183 | ||
152 | \subsection{M+1st Price Auction Protocol With Private Outcome} | 184 | \subsection{M+1st Price Auction Protocol With Private Outcome} |
153 | 185 | ||
186 | The tie breaking for M+1st Price Auctions is not only computationally intensive, | ||
187 | but also introduces a lot of protocol complexity if done in an optimized | ||
188 | way\footnote{TODO: quote diploma thesis}. Since this would lead to a huge amount | ||
189 | of additional code which will likely introduce more bugs\footnote{TODO: quote}, | ||
190 | we decided to keep it simple and take another approach for tie breaking in the | ||
191 | M+1st Price Auction schemes. We took the simplest one, interlacing the bids, so | ||
192 | that no two bidders are allowed to bid the same price. On the application level | ||
193 | we will still handle $k_{\text{app}}$ different prices, but within libbrandt we | ||
194 | will multiply that by a factor of $n$ to get $k_{\text{lib}}=nk_{\text{app}}$. | ||
195 | Then each bidder $i$ is only allowed to place his bid $b$ on prices $p$ with | ||
196 | $\exists a\in{[1,k_{\text{app}}]}:b=an-i+1$. This condition will be checked by | ||
197 | an additional proof in the first round of the protocol and ensures that the | ||
198 | bidders with a lower index win in case of ties. This expansion will be done | ||
199 | right at the beginning of an auction by libbrandt. In the remaining part about | ||
200 | the M+1st Price Auction Protocols we will use $k$ instead of $k_{\text{lib}}$, | ||
201 | so $k$ will be divisible by $n$ without remainder. | ||
202 | |||
203 | Unfortunately this tie breaking simplification has the downside of revealing the | ||
204 | identity and bid of the bidder who had the highest bid amongst the losing | ||
205 | bidders. If there are multiple ones fulfilling this criteria (having a tie on | ||
206 | the M+1st bid), then only the one with the lowest index will be revealed. This | ||
207 | problem can be prevented by using anonymized bidder identities, so the winners | ||
208 | only learn the selling prize (the M+1st highest bid), but not who placed this | ||
209 | M+1st highest bid. | ||
210 | |||
154 | \subsubsection{Addition to Round 1: Encrypt bid} | 211 | \subsubsection{Addition to Round 1: Encrypt bid} |
155 | 212 | ||
156 | The Bidders also have to use Proof 2 to show that $ ECDL_Y\left(\left(\sum_{j=1}^{k/n}\alpha_{a,jn+a}\right) - G\right) = ECDL_G\left(\sum_{j=1}^{k/n}\beta_{a,jn+a}\right)$. | 213 | The Bidders also have to use Proof 2 to show that $\displaystyle ECDL_Y\left(\left(\sum_{j=1}^{k/n}\alpha_{a,jn+a}\right) - G\right) = ECDL_G\left(\sum_{j=1}^{k/n}\beta_{a,jn+a}\right)$. \\[2.0ex] |
157 | This is to ensure bidders have only chosen valid bids for their bid index, since | 214 | This is to ensure bidders have only chosen valid bids for their bid index, since |
158 | in M+1st price auctions the amount of possible prices is multiplied by $n$ to | 215 | in M+1st price auctions the amount of possible prices is multiplied by $n$ to |
159 | prevent ties. This increases the message size by $96$ bytes. | 216 | prevent ties. This increases the message size by $96$ bytes. |