 Research
 Open Access
 Published:
Privacypreserving combinatorial auction without an auctioneer
EURASIP Journal on Wireless Communications and Networking volume 2018, Article number: 38 (2018)
Abstract
Combinatorial auctions are employed into many applications such as spectrum auctions held by the Federal Communications Commission (FCC). A crucial problem in such auctions is the lack of secure and efficiency mechanism to protect the privacy of the bidding prices and to ensure data security. To solve the problem, we propose an approach to represent the price as a polynomial’s degree based on verifiable secret sharing. So, we can obtain the two polynomials’s degree maximum/sum by the degree of the two polynomial’s degree sum/product. In the protocol, the bidders’ information is hidden. The auctioneers can receive the shares without a secure channel, so our protocol is more applicable to more scenarios. The scheme can resist the collusion attack, passive attack and so on. Moreover, Compared to Kikuchi (IEICE Trans Fundam Electron Commun Comput Sci 85(3):676–683, 2002); Suzuki and Yokoo (Secure combinatorial auctions by dynamic programming with polynomial secret sharing, 2003), the proposed scheme has the authentication property without increasing the communications cost.
Introduction
Recently, combinatorial auctions have become an interesting domain, which allow that multiple goods are sold simultaneously and any combination of goods can be bid. For example, FCC spectrum, network routing, and railroad segment can be auctioned.
To carry out a combinatorial auction, the winner determination problem has to be solved first. The problem can be cooperatively solved by multiauction servers, which can calculate the maximum sum of combinations of bidding prices. It is a challenge problem to protect bidding prices. If the auctioneer is trust, it can solve the winner determination problem. However, it is not practical as the auctioneer may collude with a participant to reveal the bids’ information during the auction. If a strategyproof mechanism is utilized to resist collusion attacks. However, the auctioneer can create a fake bid to increase revenue.
In traditional auctions, cryptographic functions (public key cryptography, hash chains, etc.) [1–4] are utilized to protect the bid’s privacy. However, these schemes do not consider spatial reuse, so they are not applicable to the secondary spectrum market. In the secondary spectrum market, SPRING was proposed in [5], which introduces a trustworthy agent to interact with both the auctioneer and the bidders. The sensitive information can be protected. However, SPRING depends on a trusted third party (the agent). In [6–10], homomorphic encryption [11–13] is employed to hid each bidder’s bidding values with a vector of cipher texts, and ensures the auctioneer to figure out the maximum value, and charge the bidders securely. However, the homomorphic encryption has a higher computational cost, which is not practical now.
To tackle the above challenges, two problems have to be solved. First, multiauction servers compute the maximum sum of combinations of bidding prices, while the information of bids and the part of the optimal solution should be kept secret. Second, the collusion activity of multiauction servers must be resisted. We employ verifiable secret sharing [14] to protect privacy and data security in combinatorial auctions. The scheme allows multiservers to randomly choose secret shares and verify the legitimacy of them to each other.
The rest of the paper is organized as follows. Section 2 introduces related work. Section 3 presents preliminaries. In Section 4, we describe the main idea of the proposed scheme. In Section 5, we analyze the security and performance of the scheme, followed by a conclusion in Section 6.
Related works
To protect data security and privacy in auctions, cryptographic tools, such as AES, homomorphic encryption, and secret sharing, have been applied.
SPRING [5] presents a trustworthy agent to protect the sensitive information of the auctions. However, SPRING depends on a trusted third party (the agent). In [6, 7], the authors utilize a vector of cipher text to mask the bidding prices, and guarantee that the maximum value, randomizing the bids, and charging the bidders can be figured out. However, the schemes [6, 7] are not practical as homomorphic encryption has a very high computational overhead, which is not applicable to the applications now. In [8], a secure auction without auctioneer scheme for VCG auction is designed based on homomorphic, in which the bidders work together to decide who the winner is without auctioneer; however, the computational overhead is high for each bidder, which has low efficiency. In [9], the authors design a sealedbid firstprice auction scheme based on homomorphic encryption, in which the server processes the bidder’s encrypted bids using homomorphic encryption and the aggregation result is known by auctioneer; however, the scheme cannot resist the collusion activity between the server and auctioneer.
In [15, 16], the bidding prices are hidden via secret sharing. However, there are two weaknesses in [15] as follows. First, the relationships of multiwinner can not be solved. Second, the scheme is not efficient as the computational cost is very much higher. The bids are hidden by the degree of polynomials [16]. However, the scheme is based on the passive adversary model and cannot resist collusion attacks. Therefore, it is not practical.
In [17, 18], the sealedbid auctions are constructed via verifiable secret sharing. The scheme can resist collusion attacks among the evaluators. However, the secret shares are obtained from a third party via a private secure channel, so the scheme cannot resist collusion attacks amongst evaluators and the third party.
In this paper, we present a privacypreserving combinatorial auction without an auctioneer based on verifiable secret sharing [14]. Compared to [15, 16], it does not need a secure channel among the bidders and the server. Meanwhile, the proposed scheme provides the authentication without increasing the communication cost.
Preliminaries
We now introduce some preliminary concepts for the cryptographic primitives used in this paper.
Dynamic programming
Dynamic programming [19] can be utilized to solve the problem, which is viewed as the result of a sequence of stepwise decisions.
We first describe the dynamic programming’s concept via an algorithm of finding the longest path in a onedimensionaldirected graph in Fig. 1. The graph includes the nodes S,1,2,…,n with directed links among them. The link is denoted (j,k), where j<k. w(j,k) denoted the weight for each link (j,k). Figuring out the longest path from initial node S to terminal node n is our goal, i.e., to find a maximized path from S to n. For the sake of simplicity, we assume that it exists at least one link from j for each node j (where 1=j<n) except node n.
We assume the longest path from S to n is denoted by L. The last half of L for any node j on L is also a longest path from j to n, which is called the principle of optimality. We can utilize the feature to search out the original problem’s optimal solution via the subproblems’ optimal solutions.
Specifically, the longest path from S to n can be obtained by figuring out the following recurrence formula from node n−1 to S. In the formula, the longest path from j to n is denoted as f(j). f(j) is called the node j’s evaluation value. f(n) is defined as S for terminal node n. f(S) represents the optimal solution for initial node S.
When we calculate the formula, the value f(j) of the link (j,k) is recorded for each node j, i.e., max_{(j,k)}{w(j,k)+f(k)} is the value of the link, which recorded links from S to n constructs the longest path.
Assume that there are n+1 stages j=1,…,n and each stage j’s state is (j,s). When j<k, there can be directed links ((j,s),(k,t)) between these states. The weight w(((j,s),(k,t))) is given for each link. The following recurrence formula is defined dynamic programming evaluates function f:
The evaluation value f((S,s)) can be calculated, which is the original problem’s optimal value, by iteratively applying the relation for j=n,n−1,…,1 with initial values f((n,s))=iv(s).
We introduce the proposed privacypreserving combinatorial auction without an auctioneer based on the longest path of a onedimensional directed graph. An example is introduced in Section 4.6.
Secret sharing schemes
Secret sharing is an important cryptographic primitive, which is utilized to our scheme. Since secret sharing is developed by Shamir [20] and Blakley [21] in 1979, many secret sharing schemes have been extensively studied [14, 22–24]. Generally speaking, secret sharing is briefly introduced as follows. A dealer shares a secret with a number of users U_{1},…,U_{ n }, a user gets the secret if and only if it can cowork with at least t−1 other users, where t≤n is a predetermined parameter. The dealer shares the secret and the users is s∈GF(p_{1}), where p_{1}>N. Each user U_{ i } holds a secret key k_{ i }∈GF(p_{1}), which is only known by U_{ i } and the dealer.
The dealer follows two step procedure. First, it constructs a polynomial function F(x) of degree t−1 shown in (3):
by randomly choosing each μ_{ j }. Note that all (additive and multiplication) operations used in (3) is modular arithmetic (defined over GF(p_{1})) as opposed to real arithmetic. Also s forms the constant component of F(x)  i.e., s=F(0). Then, in the second step, the dealer sends a shared secret s_{ i }=F(x_{ i }) to each U_{ i }, where x_{ i } is a random number selected by U_{ i } and is sent to the dealer via the secure channel protected by k_{ i }.
We now show how to recover s by t or more users. Without loss of generality, let U_{1},…,U_{ t } be the cooperating users. The secret s=F(0) can be reconstructed from s_{1}=F(x_{1}),…,s_{ t }=F(x_{ t }) by these t users.
Note that the cumulative product in (4) is essentially the Lagrange coefficient. The correctness of (4) can be easily verified based on the definition of F(x).
The proposed scheme—secure computing
We present the proposed privacypreserving combinatorial auction without an auctioneer, and we also discuss the security and efficiency of the scheme.
Requirements
The requirements for the secure protocol are as follows:

1.
Evaluators (servers) select their secret keys by themselves, and the weight publishers (WP) (buyers and sellers) calculate and publish the weights for each share.

2.
The legitimacy of evaluators is verified to each other, and then the evaluators cooperatively implement dynamic programming protocol to find the optimal solution, while each weight is kept secret.
To achieve this goal, the following two questions should be solved: How to resist collusion attacks? How to figure out the maximum sum of weights without revealing each weight? We denote a weight as a polynomial’s degree; So, the degree of the sum/product of the two polynomials construct the maximum/sum of the degree of two polynomials, and verifiable secret sharing scheme [14, 25] is employed to resist collusion attack.
Basic idea
Weight publisher WP has a secret s∈Z_{ N }. WP chooses random n (n>s) points x_{1},x_{2},…,x_{ n }∈Z_{ N }, the constant c∈Z_{ N }, and publish them. Then, it randomly chooses a polynomial A∈Z_{ N }[ x] s.t. deg(A)=s and A(0)=c and holds its secret. WP publishes its shares {A(x_{1}),A(x_{2}),…,A(x_{ n })}. Each evaluator E_{ l } holds its share for A(x_{ l }), where l is the number of the evaluators,
A masking polynomial M∈Z_{ N }[x] s.t. deg(M)=d and M(0)=0 is chosen by each WP, who keeps it secret. Then, WP calculates its l shares M(x_{ l }), and l−th share is selected by each evaluator. Then, masked shares A(x_{ l })+M(x_{ l }) where (l=1,2,…,d+1) are published by d+1 evaluators {E_{1},E_{2},…,E_{d+1}}. The evaluators utilize these d+1 masked shares to perform polynomial interpolation, i.e., determine polynomial is A+M, recover A(0)=A(0)+M(0), and verify whether A(0)=c or not. We can recover the constant term A(0)=c from d+1 shares if deg(A)=d, where deg(A+M)=d. We cannot recover the constant term A(0)=c from d+1 shares if deg(A+M)>d. Thus, we are convinced that deg(A)=d if A(0)=c holds. Furthermore, the degree of the sum/product of the two polynomials can construct using the maximum/sum of the degree of two polynomials by the following formulas:
The maximum/sum of two secrets to be locally determined as each evaluator E_{ l } can calculate its share of sum A+B / product A·B of two polynomials A and B by calculating the sum A(x_{ l })+B(x_{ l }) / product A(x_{ l })·B(x_{ l }) of two shares A(x_{ l }) and B(x_{ l }).
System model
As shown in Fig. 2, our system model consists of three major entities: mask publisher (MP), evaluators (E), weight publishers (WP). In the following, we briefly summarize the major functions of each entity.

Mask publisher (MP):MP is used to generate and distribute keys for all evaluators. MP also generates the mask polynomial, and distributes the mask value for each evaluator.

Evaluators (E): Each evaluator computes cooperatively executes dynamic programming and finds the optimal solution and verifies the identities of evaluators each other.

Weight publishers (WP): Each WP distributes its shares to each evaluators.
Security model
In our security model, we consider that the following security goals need to be achieved:

Privacypreservation of bidders’ bids. The evaluators should be able to verify the identities of other evaluators; i.e, when the evaluators work together to figure out the optimal solution, they should verify the identities of each participant fist; meanwhile, the privacy should be protected.

Nonrepudiation: any bidder (weight publisher) cannot repudiate his bid.

Accountability: any bidder can be verified that they follow the protocol to get the optimal solution by the evaluators.
Secure computing
Initialization phase
There is a mask publisher, MP, which chooses a randomly masked polynomial M∈Z_{ N }[ x] s.t. deg(M)=d and M(0)=0 and keeps it secret. The weight publishers WP_{(i,j)} for each link (i,j). There are l evaluators {E_{1},E_{2},…,E_{ l }} where l is greater than the length of the longest path.
To solve the verification problem, the intercommunication is needed by the mask publisher MP and the evaluators. The communication between MP and the evaluators can use the public channel. First, the mask publisher randomly selects two strong primes p and q, and calculates N=pq. Then, the mask publisher figures out the generator g, and publishes {g,N}.
Each evaluator E_{ i } randomly chooses an integer s_{ i } as its secret share where s_{ i }∈ [ 2,N], and calculates R_{ i }=g^{s}_{ i } mod N. Then, E_{ i } sends R_{ i } and its identity number id_{ i } to mask publisher MP. For any two pair of evaluators E_{ i } and E_{ j }, MP must guarantee that R_{ i }≠R_{ j }. MP publishes {id_{ i },R_{ i }}. The mask publisher MP first selects an integer s_{0} from the interval [ 2,N] and computes λ such that s_{0}λ=1 mod ϕ(N), where ϕ(N) is the Euler phifunction; and then MP computes R_{0}=g^{s}_{0} mod N. Finally, the MP calculates \(R_{i}^{\prime }=R_{i}^{s_{0}}\mod N\) and the mask value \(M_{i}=M(R_{i}^{\prime })\) for each evaluator E_{ i }. MP publishes {R_{0},λ}.
Weight Publisher WP_{(i,j)} enlarges its weight \(\widetilde {w}(i,j)\): \(w(i,j) = \widetilde {w}(i,j)+ t_{w} \times (ji)\) where t_{ w } is a threshold parameter of WP_{(i,j)}. The extension will not change the optimal solution of the longest path from S to n. \(\widetilde {f}(i)\) and f(i) are denoted the original weight value \(\widetilde {w}(i,j)\) and the extended weight w(i,j) of node i, respectively. Then, for each node j, \(f(i)=\widetilde {f}(i) + t_{w} \times (ni)\). So, the maximum can be computed and the secure computing is performed in Section 4.2. The polynomial H_{(i,j)} for node i is randomly chosen by weight publisher WP_{(i,j)} s.t. deg(H_{(i,j)})=w(i,j), and H_{(i,j)}(0)=c. The WP_{(i,j)} holds it secret.
Construction phase
The weighter publisher WP_{(i,j)} performs the following steps:

1)
Compute \(Y_{i}=H_{(i,j)} (R_{i}^{\prime }) \mod N\);

2)
Send Y_{ i } to the evaluator E_{ i }.
Each evaluator E_{ i } computes performs the following steps to obtain the ith share of the optimal value:

1)
Computes
$$ F_{j}(R_{i})=\sum\limits_{(i,k)}(H_{(i,k)}(R_{i})) \times F_{k}(R_{i}) \label {equ:each_evaluator_share} $$(7)for j=n−1,n−2,…,0, where F_{ j }(x) is the optimized polynomial, which represents the longest path from the start node S to node j, and F_{ n }(x)=1.

2)
Publishes HM_{ i }=H_{(0,i)}×F_{ i }+M_{ i }. The Eq. (7) is related to the recurrence relation of dynamic programming, as described in Eq. (1).
Recovery and verification phase
Without loss of generality, let E={E_{1},E_{2},…,E_{d+1}}. The evaluators of E will recover the polynomial HM_{ i }=H_{(0,i)}×F_{ i }+M_{ i } based on following procedure.

1)
Each evaluator calculates \(R_{i}^{\prime \prime }=R_{0}^{s_{i}} \mod N\) to obtain the share, where s_{ i } is the share of HM_{ i }.

2)
The evaluator in E verifies \(R_{i}^{\prime \prime }\), which is provided by E_{ i }. If \({R_{i}^{\prime \prime }}^{\lambda }=R_{i} \mod N\), then \(R_{i}^{\prime \prime }\) is legitimacy; Otherwise, \(R_{i}^{\prime \prime }\) is false, which means that E_{ i } might be a cheater. The share will be discarded.

3)
Recover the polynomial: the polynomial HM_{ i } can be uniquely determined as follows:
$$\begin{array}{@{}rcl@{}} & F_{j}&= \sum\limits_{i=1}^{d+1} (H_{(0,i)} \times F_{i} +M_{i})\prod\limits_{j=1, j\neq i}^{d+1} \frac{xR_{j}^{\prime}}{R_{i}^{\prime} R_{j}^{\prime}}\\ &&=S_{1}+S_{2}x+\cdots+S_{d} x^{d} \end{array} $$(8)
As described in Section 4.2, evaluators check whether deg(F_{0})≤d. Evaluators can verify whether F_{0}=c or not. For instance, if c=0, F_{0} should be equal to 0. We can perform binary search to figure out the optimal value f(0)=deg(F_{0}), and publish it.
Tracing the optimal path
Evaluators calculate the optimal path as follows:
Assume that the evaluators know f(j)=deg(F_{ j }), and they want to trace to node k s.t. deg(F_{ j })=deg(H_{(j,k)}×F_{ k }+ M_{ j }). We test whether deg(H_{(j,k)}×F_{ k }+M_{ j })=deg(F_{ j })−1 or not for all nodes k linked to node j. The evaluators know that the node k attains f(j) when the inequality does not hold for node k. They can determine f(k)=deg(F_{ k }) as in Section 4.5.3 after finding the node k that attains f(j), and publish it. Iterating this procedure recursively yields to the optimal path.
An example
Here, we give an example of onedimensional graph shown in Fig. 3 to explain how to apply our scheme.
There are three links, (S, 1) (1, 2), (S, 2), wherein weighers are {2, 1, 2}, respectively. The weight publishers WP_{(S,1)},WP_{(1,2)},WP_{(S,2)} generate the following polynomials for these links:
There are four evaluator {E_{1},E_{2},E_{3},E_{4}}, which randomly choose x_{1}=1,x_{2}=2,x_{3}=3,x_{4}=4, respectively. For simplicity, we assume that t_{ w }=0 and c=0.
First, the mask publisher MP first chooses mask polynomial M(x)=x^{2}, and chooses two primes p=5 and q=7, and calculates N=5×7=35. Then, the mask publisher MP chooses the generator g=2 and a randomly number s_{0}=5, and computes λ=5 from s_{0}λ=1 mod (ϕ(N)=24). MP computes R_{0}=g^{s}_{0} mod N=2^{5} mod 35=32. MP publishes {g,N,R_{0},λ}.
Second, the evaluator E_{ i } computes R_{ i }=g^{x}_{ i } mod N, so four evaluators {E_{1},E_{2},E_{3},E_{4}} generate R_{1}=2^{1} mod N=2,R_{2}=2^{2} mod N=4,R_{3}=2^{3} mod N=8,R_{4}=2^{4} mod N=16, respectively. The evaluators {E_{1},E_{2},E_{3},E_{4}} send {R_{1},R_{2},R_{3},R_{4}} to MP separately.
Third, MP computes \(R_{1}^{\prime }=R_{1}^{5} \mod N=32, R_{2}^{\prime }=R_{2}^{5} \mod N=9, R_{3}^{\prime }=R_{3}^{5} \mod N=8, R_{4}^{\prime }=R_{4}^{5} \mod N=11\), and computes the mask value \(M_{1}= {R_{1}^{\prime }}^{2}=1024, M_{2}={R_{2}^{\prime }}^{2}=81, M_{3}={R_{3}^{\prime }}^{2}=64, M_{4}={R_{4}^{\prime }}^{2}=121\), and then sends \(\{\{R_{1}^{\prime }, M_{1}\}, \{R_{2}^{\prime }, M_{2}\}, \{R_{3}^{\prime }, M_{3}\}, \{R_{4}^{\prime }, M_{4}\}\}\) to evaluators {E_{1},E_{2},E_{3},E_{4}}, respectively.
Each evaluator computes its shares following Section 4.5.2. The evaluators’ corresponding computation are shown in Table 1.
When the evaluators work together to figure out the optimal result, the evaluators verify identities of participants each other using the method in Section 4.5.3 first. If all the evaluators pass the verification, from Table 1, the evaluators can recover F_{0}(x)=x^{3}+x^{2}+2x from the shares F_{0}(32)=33,856,F_{0}(9)=828,F_{0}(8)=592, and F_{0}(11)=1476, where F_{0}(0)=0. According to the Eq. (1) and (7), we figure out that f(0)=3. The evaluators also can recover the mask polynomial M(x)=x^{2} according to the mask shares. Because the polynomial of degree 2, which is reconstructed from the shares of H_{(S,1)}×F_{1}+M, does not equal to 0, the link (S,1) attains f(0)=3, which means that the link (S,1) is included in the optimal result.
Result and discussion
In this section, we discuss the security properties of the proposed scheme and analyze the performance of the proposed scheme.
Security analysis
In this subsection, we discuss the security properties of the proposed scheme in terms of resistance against active attacks, resistance against passive attacks, nonrepudiation, and accountability.
Resistance against active attacks

Conspiracy attacks:In order to recover the secrets, we assume that two evaluators have a collusion activity. For example, two evaluators E_{ i } and E_{ j } can exchange their value s_{ i } and s_{ j }. So, E_{ i } holds s_{ j } while E_{ j } holds s_{ i }. Then, E_{ i } calculates \({R_{j}^{\prime \prime }}^{\lambda }=R_{j}\) while E_{ j } computes \({R_{i}^{\prime \prime }}^{\lambda }=R_{i}\). Therefore, E_{ i } and E_{ j } might try to pass the verification. However,it is not impossible as the Id and (Id,R) pairs have been published by all evaluators. Thus, the conspiracy of the participants E_{ i } and E_{ j } can be easily recognized by other participants.

Evaluator cheating: Assume that an evaluator E_{ i } wants to gain a secret (s) via providing a false private key R_{ j }. E_{ i } calculates \(R_{i}^{\prime \prime }=R_{0}^{s_{j}} \mod N\) and broadcasts it. However, other participants can check the validity of \(R_{i}^{\prime \prime }\) by calculating \({R_{i}^{\prime \prime }}^{\lambda }=R_{j}\neq R_{i}\) when receiving \(R_{i}^{\prime \prime }\) provided by E_{ i }. Because that the Id_{ i } and the R_{ i } of E_{ i } are published, it is easy to detect that E_{ i } provides an incorrect \(R_{i}^{\prime \prime }\).

Reconstruct the polynomial: Assume that an adversary adv wants to use fewer than t shares (t<d) to reconstruct the polynomial HM_{ i }, it is not impossible because that it equals to break Shamir’s scheme, which has been proved that it holds the security property.

Reveal the secret key of the evaluator: Assume an adversary wants to obtain the participant E_{ i }’s secret shadow s_{ i } from the public information R_{ i }. He obtains s_{ i } from R_{ i }=g^{s}_{ i }; however, he has to solve the discrete logarithm problem (DLP), which is an NPhard problem. So, it is not impossible to obtain the secret key from the evaluator.
Resistance against passive attacks
Because that all published shares with random polynomials are masked by the mask publisher, meanwhile the extended weight w(i,j)=deg(H(i,j)) is equal to or larger than d, the adversary can not obtain any information from masked shares when the number of weight publishers is less than the threshold d. Thus, the proposed scheme is secure against passive adversaries.

Nonrepudiation:
Theorem 1 If a bidder (Weight Publisher) makes a bid, it cannot deny making the bid in a later time.
Proof If a bidder (Weight Publisher) make a bid, because that the evaluators work together to figure out the optimal result, and each participant is verified by other participants. If some Weight Publisher deny making the bid, the other evaluators can work together to trace all the internment mask result to verify whether the Weight publisher is lie or not according to the optimal result. □

Accountability:Accountability is required to secure a system from the aspects of integrity, confidentiality, and privacy [26–30]. An accountability mechanism is typically utilized to figure out who is responsible for what. In essence, accountability means that the system is recordable and traceable, which implies that making any entity in the system accountable for all its actions. Under such a consideration, our scheme is accountable as the evaluators can verified each other and work together to obtain the optimal result, which can be used as an evidence for dispute resolution; therefore, no one can deny its actions. Thus, we claim that the scheme has the property of accountability.
Performance analysis
In this section, we discuss the performance properties of our scheme and compare our schemes with others. The comparison of the properties of our scheme and the schemes proposed in [16, 17] is shown in Table 2. The details are presented as follows:

In [16, 17], the third party is needed, which may be dishonest. Hence, the original secrets may not be reconstructed by the evaluators. In our scheme, it is impossible for the third party to cheat the evaluators as the evaluators choose their own shadows.

The validity of the shares of each evaluator can be checked by other evaluators; the proposed scheme is verifiable. This improves upon [16] in which the source of the other share cannot be verified by the evaluator. If a wrong share is provide by one evaluator, which can not be figured out by other other evaluators.

In [16, 17], the shadows of the evaluators are received from the third party via secure channel; however, our scheme never discloses the shadow of each evaluator in the recovery and verification phases, and the shadow can be reused.

In [16, 17], the secret shadows is transmitted via a private secure channel by weight publishers; however, in our scheme, the shadows is not transmitted by the weight publishers via secure channel because that the secret shadow is chosen by the evaluators themselves.
Table 3 shows round complexity during each phase. The proposed scheme does not consider communications without secure channels, i.e., the weight publisher or the evaluators publish shares in our scheme, which can be implemented by a bulletin board. Here, q is the number of links, n is the number of nodes, l is the number of evaluators (which is equal to or greater than possible maximal value), d+1 is the number of masks, and N is the order of the finite field Z_{ N }.
Note that our approach does have one disadvantage: if the number of nodes is very large, our scheme may be invalid sometimes because the combinatorial auction’s winner determination problem is NPcomplete.
Conclusions
In this paper, we presented a privacypreserving combinatorial auction without an auctioneer scheme. In our scheme, the price is represented as the degree of a polynomial; thus, the degree of the sum/product of the two polynomials construct the maximum/sum of the degree of two polynomials. The bidders information is hidden, and the legitimacy of the evaluator is also verified based on secret sharing, which can resists collusion attacks.
Our future research will focus on the following direction: design more efficient approaches based on greedy algorithm to protect the privacy of combinatorial auction, which would be much more suitable for practical applications.
References
 1
K Sako, in Proceedings of Public Key Cryptography 2000. Universally verifiable auction protocol which hides losing bids (SpringerMelbourne, 2000), pp. 35–39.
 2
C Cachin, in Proceedings of the 6th ACM Conference on Computer and Communications Security. Efficient private bidding and auctions with an oblivious third party (ACMSingapore, 1999), pp. 120–127.
 3
K Kobayashi, H Morita, K Suzuki, M Hakuta, Efficient sealedbid auction by using oneway functions. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 84(1), 289–294 (2001).
 4
K Suzuki, K Kobayashi, H Morita, in Information Security and CryptologyCISC 2000. Efficient sealedbid auction using hash chain (SpringerSeoul, 2001), pp. 183–191.
 5
Q Huang, Y Tao, F Wu, in INFOCOM, 2013 Proceedings IEEE. Spring: A strategyproof and privacy preserving spectrum auction mechanism (IEEETurin, 2013), pp. 827–835.
 6
M Pan, X Zhu, Y Fang, Using homomorphic encryption to secure the combinatorial spectrum auction without the trustworthy auctioneer. Wirel. Netw. 18(2), 113–128 (2012).
 7
M Pan, J Sun, Y Fang, Purging the backroom dealing: Secure spectrum auction leveraging paillier cryptosystem. IEEE J. Sel. Areas Commun. 29(4), 866–876 (2011).
 8
M Larson, R Li, C Hu, W Li, X Cheng, R Bie, in Wireless Algorithms, Systems, and Applications. A bidderoriented privacypreserving vcg auction scheme (SpringerQufu, 2015), pp. 284–294.
 9
M Larson, W Li, C Hu, R Li, X Cheng, R Bie, in Wireless Algorithms, Systems, and Applications. A secure multiunit sealed firstprice auction mechanism (SpringerQufu, 2015), pp. 295–304.
 10
W Li, M Larson, C Hu, R Li, X Cheng, R Bie, Secure multiunit sealed firstprice auction mechanisms. Secur. Commun. Netw. 9(16), 3833–3843 (2016).
 11
A Alrawais, A Alhothaily, J Yu, C Hu, X Cheng, Secureguard: a certificate validation system in public key infrastructure. IEEE Trans. Veh. Technol. (2018). Preprint.
 12
P Paillier, in Advances in cryptologyEUROCRYPT’99. Publickey cryptosystems based on composite degree residuosity classes (SpringerPrague, 1999), pp. 223–238.
 13
K Xing, C Hu, J Yu, X Cheng, F Zhang, Mutual privacy preserving kmeans clustering in social participatory sensing. IEEE Trans. Ind. Inform. 13(4), 2066–2076 (2017).
 14
C Hu, X Liao, X Cheng, Verifiable multisecret sharing based on LFSR sequences. Theor. Comput. Sci. 445:, 52–62 (2012).
 15
H Kikuchi, (m+1) stprice auction protocol. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 85(3), 676–683 (2002).
 16
K Suzuki, M Yokoo, in Financial Cryptography. Secure combinatorial auctions by dynamic programming with polynomial secret sharing (SpringerGuadeloupe, 2003), pp. 44–56.
 17
M Nojoumian, DR Stinson, in Information Security Practice and Experience. Efficient sealedbid auction protocols using verifiable secret sharing (SpringerFuzhou, 2014), pp. 302–317.
 18
M Larson, C Hu, R Li, W Li, X Cheng, in Proceedings of the 2015 Workshop on PrivacyAware Mobile Computing. Secure auctions without an auctioneer via verifiable secret sharing (ACMHangzhou, 2015), pp. 1–6.
 19
R Bellman, Dynamic programming and lagrange multipliers. Proc. Natl. Acad. Sci. U. S. A. 42(10), 767 (1956).
 20
A Shamir, How to share a secret. Commun. ACM. 22(11), 612–613 (1979).
 21
G Blakley, Safeguarding cryptographic keys. Proc. Natl. Comput. Conference1979. 48:, 313–317 (1979).
 22
C Hu, W Li, X Cheng, J Yu, S Wang, R Bie, A secure and verifiable access control scheme for big data storage in clouds. IEEE Transactions on Big Data (2018). Preprint.
 23
MH Dehkordi, S Mashhadi, An efficient threshold verifiable multisecret sharing. Comput Stand. Interfaces. 30(3), 187–190 (2008).
 24
C Hu, N Zhang, H Li, X Cheng, X Liao, Body area network security: a fuzzy attributebased signcryption scheme. IEEE J. Sel. Areas Commun. 31(9), 37–46 (2013).
 25
C Hu, X Liao, D Xiao, Secret image sharing based on chaotic map and chinese remainder theorem. Int. J. Wavelets Multiresolution Inf. Process. 10(03), 1250023–118 (2012).
 26
J Liu, Y Xiao, J Gao, Achieving accountability in smart grid. IEEE Syst. J. 8(2), 493–508 (2014).
 27
R Jagadeesan, A Jeffrey, C Pitcher, J Riely, in Computer Security–ESORICS 2009. Towards a theory of accountability and audit (SpringerSaintMalo, 2009), pp. 152–167.
 28
T Truderung, A Vogt, et al, in Proceedings of the 17th ACM Conference on Computer and Communications Security. Accountability: definition and relationship to verifiability (ACMChicago, 2010), pp. 526–535.
 29
J Feigenbaum, AD Jaggard, RN Wright, in Proceedings of the 2011 Workshop on New Security Paradigms Workshop. Towards a formal model of accountability (ACMMarin County, 2011), pp. 45–56.
 30
C Ko, DA Frincke, T Goan Jr, T Heberlein, K Levitt, B Mukherjee, C Wee, in Proceedings of the 1st ACM Conference on Computer and Communications Security. Analysis of an algorithm for distributed recognition and accountability (ACMFairfax, 1993), pp. 154–164.
Acknowledgements
We are very grateful to Dr. Xiuzhen Cheng and Dr. Maya Larson who have helped improve the quality of this paper.
Funding
This project was partial supported by the National Natural Science Foundation of China under grants 61702062, 61672119, 61472418 and 61571049, and the National Science Foundation of the USA under grants: CNS1407986, CNS1443858, CNS1704397 and IIS1741279, and the Natural Science Foundation of Chongqing (cstc2015jcyjA40037).
Author information
Affiliations
Contributions
All the authors developed the solution of the problem. CH proposed the main idea of the paper and finished the draft of the paper. RL, BM, and WL discussed and improved the scheme. AA and RB focused on smoothing out the language of the paper. All authors read and approved the final manuscript.
Corresponding author
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License(http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
About this article
Cite this article
Hu, C., Li, R., Mei, B. et al. Privacypreserving combinatorial auction without an auctioneer. J Wireless Com Network 2018, 38 (2018). https://doi.org/10.1186/s136380181047z
Received:
Accepted:
Published:
Keywords
 Security
 Verification
 Combinatorial auctions
 Dynamical programming
 Secret sharing