Open Access

Privacy-preserving combinatorial auction without an auctioneer

EURASIP Journal on Wireless Communications and Networking20182018:38

Received: 19 November 2017

Accepted: 30 January 2018

Published: 12 February 2018


Combinatorial auctions are employed into many applications such as spectrum auctions held by the Federal Communications Commission (FCC). A crucial problem in such auctions is the lack of secure and efficiency mechanism to protect the privacy of the bidding prices and to ensure data security. To solve the problem, we propose an approach to represent the price as a polynomial’s degree based on verifiable secret sharing. So, we can obtain the two polynomials’s degree maximum/sum by the degree of the two polynomial’s degree sum/product. In the protocol, the bidders’ information is hidden. The auctioneers can receive the shares without a secure channel, so our protocol is more applicable to more scenarios. The scheme can resist the collusion attack, passive attack and so on. Moreover, Compared to Kikuchi (IEICE Trans Fundam Electron Commun Comput Sci 85(3):676–683, 2002); Suzuki and Yokoo (Secure combinatorial auctions by dynamic programming with polynomial secret sharing, 2003), the proposed scheme has the authentication property without increasing the communications cost.


SecurityVerificationCombinatorial auctionsDynamical programmingSecret sharing

1 Introduction

Recently, combinatorial auctions have become an interesting domain, which allow that multiple goods are sold simultaneously and any combination of goods can be bid. For example, FCC spectrum, network routing, and railroad segment can be auctioned.

To carry out a combinatorial auction, the winner determination problem has to be solved first. The problem can be cooperatively solved by multi-auction servers, which can calculate the maximum sum of combinations of bidding prices. It is a challenge problem to protect bidding prices. If the auctioneer is trust, it can solve the winner determination problem. However, it is not practical as the auctioneer may collude with a participant to reveal the bids’ information during the auction. If a strategy-proof mechanism is utilized to resist collusion attacks. However, the auctioneer can create a fake bid to increase revenue.

In traditional auctions, cryptographic functions (public key cryptography, hash chains, etc.) [14] are utilized to protect the bid’s privacy. However, these schemes do not consider spatial reuse, so they are not applicable to the secondary spectrum market. In the secondary spectrum market, SPRING was proposed in [5], which introduces a trustworthy agent to interact with both the auctioneer and the bidders. The sensitive information can be protected. However, SPRING depends on a trusted third party (the agent). In [610], homomorphic encryption [1113] is employed to hid each bidder’s bidding values with a vector of cipher texts, and ensures the auctioneer to figure out the maximum value, and charge the bidders securely. However, the homomorphic encryption has a higher computational cost, which is not practical now.

To tackle the above challenges, two problems have to be solved. First, multi-auction servers compute the maximum sum of combinations of bidding prices, while the information of bids and the part of the optimal solution should be kept secret. Second, the collusion activity of multi-auction servers must be resisted. We employ verifiable secret sharing [14] to protect privacy and data security in combinatorial auctions. The scheme allows multi-servers to randomly choose secret shares and verify the legitimacy of them to each other.

The rest of the paper is organized as follows. Section 2 introduces related work. Section 3 presents preliminaries. In Section 4, we describe the main idea of the proposed scheme. In Section 5, we analyze the security and performance of the scheme, followed by a conclusion in Section 6.

2 Related works

To protect data security and privacy in auctions, cryptographic tools, such as AES, homomorphic encryption, and secret sharing, have been applied.

SPRING [5] presents a trustworthy agent to protect the sensitive information of the auctions. However, SPRING depends on a trusted third party (the agent). In [6, 7], the authors utilize a vector of cipher text to mask the bidding prices, and guarantee that the maximum value, randomizing the bids, and charging the bidders can be figured out. However, the schemes [6, 7] are not practical as homomorphic encryption has a very high computational overhead, which is not applicable to the applications now. In [8], a secure auction without auctioneer scheme for VCG auction is designed based on homomorphic, in which the bidders work together to decide who the winner is without auctioneer; however, the computational overhead is high for each bidder, which has low efficiency. In [9], the authors design a sealed-bid first-price auction scheme based on homomorphic encryption, in which the server processes the bidder’s encrypted bids using homomorphic encryption and the aggregation result is known by auctioneer; however, the scheme cannot resist the collusion activity between the server and auctioneer.

In [15, 16], the bidding prices are hidden via secret sharing. However, there are two weaknesses in [15] as follows. First, the relationships of multi-winner can not be solved. Second, the scheme is not efficient as the computational cost is very much higher. The bids are hidden by the degree of polynomials [16]. However, the scheme is based on the passive adversary model and cannot resist collusion attacks. Therefore, it is not practical.

In [17, 18], the sealed-bid auctions are constructed via verifiable secret sharing. The scheme can resist collusion attacks among the evaluators. However, the secret shares are obtained from a third party via a private secure channel, so the scheme cannot resist collusion attacks amongst evaluators and the third party.

In this paper, we present a privacy-preserving combinatorial auction without an auctioneer based on verifiable secret sharing [14]. Compared to [15, 16], it does not need a secure channel among the bidders and the server. Meanwhile, the proposed scheme provides the authentication without increasing the communication cost.

3 Preliminaries

We now introduce some preliminary concepts for the cryptographic primitives used in this paper.

3.1 Dynamic programming

Dynamic programming [19] can be utilized to solve the problem, which is viewed as the result of a sequence of stepwise decisions.

We first describe the dynamic programming’s concept via an algorithm of finding the longest path in a one-dimensional-directed graph in Fig. 1. The graph includes the nodes S,1,2,…,n with directed links among them. The link is denoted (j,k), where j<k. w(j,k) denoted the weight for each link (j,k). Figuring out the longest path from initial node S to terminal node n is our goal, i.e., to find a maximized path from S to n. For the sake of simplicity, we assume that it exists at least one link from j for each node j (where 1=j<n) except node n.
Fig. 1

An example of one dimension directed graph

We assume the longest path from S to n is denoted by L. The last half of L for any node j on L is also a longest path from j to n, which is called the principle of optimality. We can utilize the feature to search out the original problem’s optimal solution via the sub-problems’ optimal solutions.

Specifically, the longest path from S to n can be obtained by figuring out the following recurrence formula from node n−1 to S. In the formula, the longest path from j to n is denoted as f(j). f(j) is called the node j’s evaluation value. f(n) is defined as S for terminal node n. f(S) represents the optimal solution for initial node S.
$$ f(j)=\max_{(j,k)}\{w(j, k)+f(k)\} $$

When we calculate the formula, the value f(j) of the link (j,k) is recorded for each node j, i.e., max(j,k){w(j,k)+f(k)} is the value of the link, which recorded links from S to n constructs the longest path.

Assume that there are n+1 stages j=1,…,n and each stage j’s state is (j,s). When j<k, there can be directed links ((j,s),(k,t)) between these states. The weight w(((j,s),(k,t))) is given for each link. The following recurrence formula is defined dynamic programming evaluates function f:
$$ f((j,s))=\max_{j<k, ((j,s),(k,t))}\{w(((j,s),(k,t)))+f((k,t))\} $$

The evaluation value f((S,s)) can be calculated, which is the original problem’s optimal value, by iteratively applying the relation for j=n,n−1,…,1 with initial values f((n,s))=iv(s).

We introduce the proposed privacy-preserving combinatorial auction without an auctioneer based on the longest path of a one-dimensional directed graph. An example is introduced in Section 4.6.

3.2 Secret sharing schemes

Secret sharing is an important cryptographic primitive, which is utilized to our scheme. Since secret sharing is developed by Shamir [20] and Blakley [21] in 1979, many secret sharing schemes have been extensively studied [14, 2224]. Generally speaking, secret sharing is briefly introduced as follows. A dealer shares a secret with a number of users U1,…,U n , a user gets the secret if and only if it can co-work with at least t−1 other users, where tn is a pre-determined parameter. The dealer shares the secret and the users is sGF(p1), where p1>N. Each user U i holds a secret key k i GF(p1), which is only known by U i and the dealer.

The dealer follows two step procedure. First, it constructs a polynomial function F(x) of degree t−1 shown in (3):
$$ F(x)=s+\sum\limits_{j=1}^{t-1}\mu_{j}x^{j}, $$

by randomly choosing each μ j . Note that all (additive and multiplication) operations used in (3) is modular arithmetic (defined over GF(p1)) as opposed to real arithmetic. Also s forms the constant component of F(x) - i.e., s=F(0). Then, in the second step, the dealer sends a shared secret s i =F(x i ) to each U i , where x i is a random number selected by U i and is sent to the dealer via the secure channel protected by k i .

We now show how to recover s by t or more users. Without loss of generality, let U1,…,U t be the cooperating users. The secret s=F(0) can be reconstructed from s1=F(x1),…,s t =F(x t ) by these t users.
$$ s = F(0)=\sum\limits_{j=1}^{t} \left(s_{j} \prod\limits_{i \in [1, n],i\neq j}\frac{0-x_{i}}{x_{j}-x_{i}} \right). $$

Note that the cumulative product in (4) is essentially the Lagrange coefficient. The correctness of (4) can be easily verified based on the definition of F(x).

4 The proposed scheme—secure computing

We present the proposed privacy-preserving combinatorial auction without an auctioneer, and we also discuss the security and efficiency of the scheme.

4.1 Requirements

The requirements for the secure protocol are as follows:
  1. 1.

    Evaluators (servers) select their secret keys by themselves, and the weight publishers (WP) (buyers and sellers) calculate and publish the weights for each share.

  2. 2.

    The legitimacy of evaluators is verified to each other, and then the evaluators cooperatively implement dynamic programming protocol to find the optimal solution, while each weight is kept secret.


To achieve this goal, the following two questions should be solved: How to resist collusion attacks? How to figure out the maximum sum of weights without revealing each weight? We denote a weight as a polynomial’s degree; So, the degree of the sum/product of the two polynomials construct the maximum/sum of the degree of two polynomials, and verifiable secret sharing scheme [14, 25] is employed to resist collusion attack.

4.2 Basic idea

Weight publisher WP has a secret sZ N . WP chooses random n (n>s) points x1,x2,…,x n Z N , the constant cZ N , and publish them. Then, it randomly chooses a polynomial AZ N [ x] s.t. deg(A)=s and A(0)=c and holds its secret. WP publishes its shares {A(x1),A(x2),…,A(x n )}. Each evaluator E l holds its share for A(x l ), where l is the number of the evaluators,

A masking polynomial MZ N [x] s.t. deg(M)=d and M(0)=0 is chosen by each WP, who keeps it secret. Then, WP calculates its l shares M(x l ), and lth share is selected by each evaluator. Then, masked shares A(x l )+M(x l ) where (l=1,2,…,d+1) are published by d+1 evaluators {E1,E2,…,Ed+1}. The evaluators utilize these d+1 masked shares to perform polynomial interpolation, i.e., determine polynomial is A+M, recover A(0)=A(0)+M(0), and verify whether A(0)=c or not. We can recover the constant term A(0)=c from d+1 shares if deg(A)=d, where deg(A+M)=d. We cannot recover the constant term A(0)=c from d+1 shares if deg(A+M)>d. Thus, we are convinced that deg(A)=d if A(0)=c holds. Furthermore, the degree of the sum/product of the two polynomials can construct using the maximum/sum of the degree of two polynomials by the following formulas:
$$ \max\{deg(A), deg(B)\} = deg(A + B) $$
$$ deg(A) + deg(B) = deg(A\cdot B) $$

The maximum/sum of two secrets to be locally determined as each evaluator E l can calculate its share of sum A+B / product A·B of two polynomials A and B by calculating the sum A(x l )+B(x l ) / product A(x l B(x l ) of two shares A(x l ) and B(x l ).

4.3 System model

As shown in Fig. 2, our system model consists of three major entities: mask publisher (MP), evaluators (E), weight publishers (WP). In the following, we briefly summarize the major functions of each entity.
  • Mask publisher (MP):MP is used to generate and distribute keys for all evaluators. MP also generates the mask polynomial, and distributes the mask value for each evaluator.
    Fig. 2

    System Model

  • Evaluators (E): Each evaluator computes cooperatively executes dynamic programming and finds the optimal solution and verifies the identities of evaluators each other.

  • Weight publishers (WP): Each WP distributes its shares to each evaluators.

4.4 Security model

In our security model, we consider that the following security goals need to be achieved:
  • Privacy-preservation of bidders’ bids. The evaluators should be able to verify the identities of other evaluators; i.e, when the evaluators work together to figure out the optimal solution, they should verify the identities of each participant fist; meanwhile, the privacy should be protected.

  • Non-repudiation: any bidder (weight publisher) cannot repudiate his bid.

  • Accountability: any bidder can be verified that they follow the protocol to get the optimal solution by the evaluators.

4.5 Secure computing

4.5.1 Initialization phase

There is a mask publisher, MP, which chooses a randomly masked polynomial MZ N [ x] s.t. deg(M)=d and M(0)=0 and keeps it secret. The weight publishers WP(i,j) for each link (i,j). There are l evaluators {E1,E2,…,E l } where l is greater than the length of the longest path.

To solve the verification problem, the intercommunication is needed by the mask publisher MP and the evaluators. The communication between MP and the evaluators can use the public channel. First, the mask publisher randomly selects two strong primes p and q, and calculates N=pq. Then, the mask publisher figures out the generator g, and publishes {g,N}.

Each evaluator E i randomly chooses an integer s i as its secret share where s i [ 2,N], and calculates R i =g s i mod N. Then, E i sends R i and its identity number id i to mask publisher MP. For any two pair of evaluators E i and E j , MP must guarantee that R i R j . MP publishes {id i ,R i }. The mask publisher MP first selects an integer s0 from the interval [ 2,N] and computes λ such that s0λ=1 mod ϕ(N), where ϕ(N) is the Euler phi-function; and then MP computes R0=g s 0 mod N. Finally, the MP calculates \(R_{i}^{\prime }=R_{i}^{s_{0}}\mod N\) and the mask value \(M_{i}=M(R_{i}^{\prime })\) for each evaluator E i . MP publishes {R0,λ}.

Weight Publisher WP(i,j) enlarges its weight \(\widetilde {w}(i,j)\): \(w(i,j) = \widetilde {w}(i,j)+ t_{w} \times (j-i)\) where t w is a threshold parameter of WP(i,j). The extension will not change the optimal solution of the longest path from S to n. \(\widetilde {f}(i)\) and f(i) are denoted the original weight value \(\widetilde {w}(i,j)\) and the extended weight w(i,j) of node i, respectively. Then, for each node j, \(f(i)=\widetilde {f}(i) + t_{w} \times (n-i)\). So, the maximum can be computed and the secure computing is performed in Section 4.2. The polynomial H(i,j) for node i is randomly chosen by weight publisher WP(i,j) s.t. deg(H(i,j))=w(i,j), and H(i,j)(0)=c. The WP(i,j) holds it secret.

4.5.2 Construction phase

The weighter publisher WP(i,j) performs the following steps:
  1. 1)

    Compute \(Y_{i}=H_{(i,j)} (R_{i}^{\prime }) \mod N\);

  2. 2)

    Send Y i to the evaluator E i .

Each evaluator E i computes performs the following steps to obtain the ith share of the optimal value:
  1. 1)
    $$ F_{j}(R_{i})=\sum\limits_{(i,k)}(H_{(i,k)}(R_{i})) \times F_{k}(R_{i}) \label {equ:each_evaluator_share} $$

    for j=n−1,n−2,…,0, where F j (x) is the optimized polynomial, which represents the longest path from the start node S to node j, and F n (x)=1.

  2. 2)

    Publishes HM i =H(0,i)×F i +M i . The Eq. (7) is related to the recurrence relation of dynamic programming, as described in Eq. (1).


4.5.3 Recovery and verification phase

Without loss of generality, let E={E1,E2,…,Ed+1}. The evaluators of E will recover the polynomial HM i =H(0,i)×F i +M i based on following procedure.
  1. 1)

    Each evaluator calculates \(R_{i}^{\prime \prime }=R_{0}^{s_{i}} \mod N\) to obtain the share, where s i is the share of HM i .

  2. 2)

    The evaluator in E verifies \(R_{i}^{\prime \prime }\), which is provided by E i . If \({R_{i}^{\prime \prime }}^{\lambda }=R_{i} \mod N\), then \(R_{i}^{\prime \prime }\) is legitimacy; Otherwise, \(R_{i}^{\prime \prime }\) is false, which means that E i might be a cheater. The share will be discarded.

  3. 3)

    Recover the polynomial: the polynomial HM i can be uniquely determined as follows:

    $$\begin{array}{@{}rcl@{}} & F_{j}&= \sum\limits_{i=1}^{d+1} (H_{(0,i)} \times F_{i} +M_{i})\prod\limits_{j=1, j\neq i}^{d+1} \frac{x-R_{j}^{\prime}}{R_{i}^{\prime} -R_{j}^{\prime}}\\ &&=S_{1}+S_{2}x+\cdots+S_{d} x^{d} \end{array} $$

As described in Section 4.2, evaluators check whether deg(F0)≤d. Evaluators can verify whether F0=c or not. For instance, if c=0, F0 should be equal to 0. We can perform binary search to figure out the optimal value f(0)=deg(F0), and publish it.

4.5.4 Tracing the optimal path

Evaluators calculate the optimal path as follows:

Assume that the evaluators know f(j)=deg(F j ), and they want to trace to node k s.t. deg(F j )=deg(H(j,k)×F k + M j ). We test whether deg(H(j,k)×F k +M j )=deg(F j )−1 or not for all nodes k linked to node j. The evaluators know that the node k attains f(j) when the inequality does not hold for node k. They can determine f(k)=deg(F k ) as in Section 4.5.3 after finding the node k that attains f(j), and publish it. Iterating this procedure recursively yields to the optimal path.

4.6 An example

Here, we give an example of one-dimensional graph shown in Fig. 3 to explain how to apply our scheme.
Fig. 3

An example: one directed graph

There are three links, (S, 1) (1, 2), (S, 2), wherein weighers are {2, 1, 2}, respectively. The weight publishers WP(S,1),WP(1,2),WP(S,2) generate the following polynomials for these links:
$$\label {equ:as} \left\{\begin{array}{ll} H_{(S,1)}=x^{2}-x&\\ H_{(1,2)}=x&\\ H_{(S,2)}=2x^{2}+2x&\\ \end{array}\right. $$

There are four evaluator {E1,E2,E3,E4}, which randomly choose x1=1,x2=2,x3=3,x4=4, respectively. For simplicity, we assume that t w =0 and c=0.

First, the mask publisher MP first chooses mask polynomial M(x)=x2, and chooses two primes p=5 and q=7, and calculates N=5×7=35. Then, the mask publisher MP chooses the generator g=2 and a randomly number s0=5, and computes λ=5 from s0λ=1 mod (ϕ(N)=24). MP computes R0=g s 0 mod N=25 mod 35=32. MP publishes {g,N,R0,λ}.

Second, the evaluator E i computes R i =g x i mod N, so four evaluators {E1,E2,E3,E4} generate R1=21 mod N=2,R2=22 mod N=4,R3=23 mod N=8,R4=24 mod N=16, respectively. The evaluators {E1,E2,E3,E4} send {R1,R2,R3,R4} to MP separately.

Third, MP computes \(R_{1}^{\prime }=R_{1}^{5} \mod N=32, R_{2}^{\prime }=R_{2}^{5} \mod N=9, R_{3}^{\prime }=R_{3}^{5} \mod N=8, R_{4}^{\prime }=R_{4}^{5} \mod N=11\), and computes the mask value \(M_{1}= {R_{1}^{\prime }}^{2}=1024, M_{2}={R_{2}^{\prime }}^{2}=81, M_{3}={R_{3}^{\prime }}^{2}=64, M_{4}={R_{4}^{\prime }}^{2}=121\), and then sends \(\{\{R_{1}^{\prime }, M_{1}\}, \{R_{2}^{\prime }, M_{2}\}, \{R_{3}^{\prime }, M_{3}\}, \{R_{4}^{\prime }, M_{4}\}\}\) to evaluators {E1,E2,E3,E4}, respectively.

Each evaluator computes its shares following Section 4.5.2. The evaluators’ corresponding computation are shown in Table 1.
Table 1

Each evaluator’s shares


H (S,1)

H (1,2)

H (S,2)

F 1

F 0




E 1









E 1









E 1









E 1









When the evaluators work together to figure out the optimal result, the evaluators verify identities of participants each other using the method in Section 4.5.3 first. If all the evaluators pass the verification, from Table 1, the evaluators can recover F0(x)=x3+x2+2x from the shares F0(32)=33,856,F0(9)=828,F0(8)=592, and F0(11)=1476, where F0(0)=0. According to the Eq. (1) and (7), we figure out that f(0)=3. The evaluators also can recover the mask polynomial M(x)=x2 according to the mask shares. Because the polynomial of degree 2, which is reconstructed from the shares of H(S,1)×F1+M, does not equal to 0, the link (S,1) attains f(0)=3, which means that the link (S,1) is included in the optimal result.

5 Result and discussion

In this section, we discuss the security properties of the proposed scheme and analyze the performance of the proposed scheme.

5.1 Security analysis

In this subsection, we discuss the security properties of the proposed scheme in terms of resistance against active attacks, resistance against passive attacks, non-repudiation, and accountability.

5.1.1 Resistance against active attacks

  • Conspiracy attacks:In order to recover the secrets, we assume that two evaluators have a collusion activity. For example, two evaluators E i and E j can exchange their value s i and s j . So, E i holds s j while E j holds s i . Then, E i calculates \({R_{j}^{\prime \prime }}^{\lambda }=R_{j}\) while E j computes \({R_{i}^{\prime \prime }}^{\lambda }=R_{i}\). Therefore, E i and E j might try to pass the verification. However,it is not impossible as the Id and (Id,R) pairs have been published by all evaluators. Thus, the conspiracy of the participants E i and E j can be easily recognized by other participants.

  • Evaluator cheating: Assume that an evaluator E i wants to gain a secret (s) via providing a false private key R j . E i calculates \(R_{i}^{\prime \prime }=R_{0}^{s_{j}} \mod N\) and broadcasts it. However, other participants can check the validity of \(R_{i}^{\prime \prime }\) by calculating \({R_{i}^{\prime \prime }}^{\lambda }=R_{j}\neq R_{i}\) when receiving \(R_{i}^{\prime \prime }\) provided by E i . Because that the Id i and the R i of E i are published, it is easy to detect that E i provides an incorrect \(R_{i}^{\prime \prime }\).

  • Reconstruct the polynomial: Assume that an adversary adv wants to use fewer than t shares (t<d) to reconstruct the polynomial HM i , it is not impossible because that it equals to break Shamir’s scheme, which has been proved that it holds the security property.

  • Reveal the secret key of the evaluator: Assume an adversary wants to obtain the participant E i ’s secret shadow s i from the public information R i . He obtains s i from R i =g s i ; however, he has to solve the discrete logarithm problem (DLP), which is an NP-hard problem. So, it is not impossible to obtain the secret key from the evaluator.

5.1.2 Resistance against passive attacks

Because that all published shares with random polynomials are masked by the mask publisher, meanwhile the extended weight w(i,j)=deg(H(i,j)) is equal to or larger than d, the adversary can not obtain any information from masked shares when the number of weight publishers is less than the threshold d. Thus, the proposed scheme is secure against passive adversaries.
  • Non-repudiation:

    Theorem 1 If a bidder (Weight Publisher) makes a bid, it cannot deny making the bid in a later time.

    Proof If a bidder (Weight Publisher) make a bid, because that the evaluators work together to figure out the optimal result, and each participant is verified by other participants. If some Weight Publisher deny making the bid, the other evaluators can work together to trace all the internment mask result to verify whether the Weight publisher is lie or not according to the optimal result. □

  • Accountability:Accountability is required to secure a system from the aspects of integrity, confidentiality, and privacy [2630]. An accountability mechanism is typically utilized to figure out who is responsible for what. In essence, accountability means that the system is recordable and traceable, which implies that making any entity in the system accountable for all its actions. Under such a consideration, our scheme is accountable as the evaluators can verified each other and work together to obtain the optimal result, which can be used as an evidence for dispute resolution; therefore, no one can deny its actions. Thus, we claim that the scheme has the property of accountability.

5.2 Performance analysis

In this section, we discuss the performance properties of our scheme and compare our schemes with others. The comparison of the properties of our scheme and the schemes proposed in [16, 17] is shown in Table 2. The details are presented as follows:
  • In [16, 17], the third party is needed, which may be dishonest. Hence, the original secrets may not be reconstructed by the evaluators. In our scheme, it is impossible for the third party to cheat the evaluators as the evaluators choose their own shadows.
    Table 2

    The properties of our scheme and the schemes proposed in [16, 17]


    Our scheme

    Scheme in [17]

    Scheme in [16]

    Resist the evaluators




    cheating activity


    Secure channel








    Efficient reconstruction




    and trace


    The reusability of the




    secret shadow


    Third party




    Select the secret shadow




    by the evaluators

  • The validity of the shares of each evaluator can be checked by other evaluators; the proposed scheme is verifiable. This improves upon [16] in which the source of the other share cannot be verified by the evaluator. If a wrong share is provide by one evaluator, which can not be figured out by other other evaluators.

  • In [16, 17], the shadows of the evaluators are received from the third party via secure channel; however, our scheme never discloses the shadow of each evaluator in the recovery and verification phases, and the shadow can be reused.

  • In [16, 17], the secret shadows is transmitted via a private secure channel by weight publishers; however, in our scheme, the shadows is not transmitted by the weight publishers via secure channel because that the secret shadow is chosen by the evaluators themselves.

Table 3 shows round complexity during each phase. The proposed scheme does not consider communications without secure channels, i.e., the weight publisher or the evaluators publish shares in our scheme, which can be implemented by a bulletin board. Here, q is the number of links, n is the number of nodes, l is the number of evaluators (which is equal to or greater than possible maximal value), d+1 is the number of masks, and N is the order of the finite field Z N .
Table 3

Communication complexity


The proposed scheme

Add and multiple protocol in [17]

Scheme in [16]

Initialization phase




Construction phase




Recovery and verification (recovery)




Tracing to the optimal path




Note that our approach does have one disadvantage: if the number of nodes is very large, our scheme may be invalid sometimes because the combinatorial auction’s winner determination problem is NP-complete.

6 Conclusions

In this paper, we presented a privacy-preserving combinatorial auction without an auctioneer scheme. In our scheme, the price is represented as the degree of a polynomial; thus, the degree of the sum/product of the two polynomials construct the maximum/sum of the degree of two polynomials. The bidders information is hidden, and the legitimacy of the evaluator is also verified based on secret sharing, which can resists collusion attacks.

Our future research will focus on the following direction: design more efficient approaches based on greedy algorithm to protect the privacy of combinatorial auction, which would be much more suitable for practical applications.



We are very grateful to Dr. Xiuzhen Cheng and Dr. Maya Larson who have helped improve the quality of this paper.


This project was partial supported by the National Natural Science Foundation of China under grants 61702062, 61672119, 61472418 and 61571049, and the National Science Foundation of the USA under grants: CNS-1407986, CNS-1443858, CNS-1704397 and IIS-1741279, and the Natural Science Foundation of Chongqing (cstc2015jcyjA40037).

Authors’ contributions

All the authors developed the solution of the problem. CH proposed the main idea of the paper and finished the draft of the paper. RL, BM, and WL discussed and improved the scheme. AA and RB focused on smoothing out the language of the paper. All authors read and approved the final manuscript.

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License(, which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Authors’ Affiliations

Key Laboratory of Dependable Service Computing in Cyber Physical Society (Chongqing University), Ministry of Education, Chongqing, China
School of Software Engineering, Chongqing University, Chongqing, China
Department of Computer Science, George Washington University, Washington, USA
Department of Computer Science, Georgia State University, Atlanta, USA
College of Information Science and Technology, Beijing Normal University, Beijing, China


  1. K Sako, in Proceedings of Public Key Cryptography 2000. Universally verifiable auction protocol which hides losing bids (SpringerMelbourne, 2000), pp. 35–39.Google Scholar
  2. C Cachin, in Proceedings of the 6th ACM Conference on Computer and Communications Security. Efficient private bidding and auctions with an oblivious third party (ACMSingapore, 1999), pp. 120–127.Google Scholar
  3. K Kobayashi, H Morita, K Suzuki, M Hakuta, Efficient sealed-bid auction by using one-way functions. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 84(1), 289–294 (2001).Google Scholar
  4. K Suzuki, K Kobayashi, H Morita, in Information Security and Cryptology-CISC 2000. Efficient sealed-bid auction using hash chain (SpringerSeoul, 2001), pp. 183–191.View ArticleGoogle Scholar
  5. Q Huang, Y Tao, F Wu, in INFOCOM, 2013 Proceedings IEEE. Spring: A strategy-proof and privacy preserving spectrum auction mechanism (IEEETurin, 2013), pp. 827–835.View ArticleGoogle Scholar
  6. M Pan, X Zhu, Y Fang, Using homomorphic encryption to secure the combinatorial spectrum auction without the trustworthy auctioneer. Wirel. Netw. 18(2), 113–128 (2012).View ArticleGoogle Scholar
  7. M Pan, J Sun, Y Fang, Purging the back-room dealing: Secure spectrum auction leveraging paillier cryptosystem. IEEE J. Sel. Areas Commun. 29(4), 866–876 (2011).View ArticleGoogle Scholar
  8. M Larson, R Li, C Hu, W Li, X Cheng, R Bie, in Wireless Algorithms, Systems, and Applications. A bidder-oriented privacy-preserving vcg auction scheme (SpringerQufu, 2015), pp. 284–294.View ArticleGoogle Scholar
  9. M Larson, W Li, C Hu, R Li, X Cheng, R Bie, in Wireless Algorithms, Systems, and Applications. A secure multi-unit sealed first-price auction mechanism (SpringerQufu, 2015), pp. 295–304.View ArticleGoogle Scholar
  10. W Li, M Larson, C Hu, R Li, X Cheng, R Bie, Secure multi-unit sealed first-price auction mechanisms. Secur. Commun. Netw. 9(16), 3833–3843 (2016).View ArticleGoogle Scholar
  11. A Alrawais, A Alhothaily, J Yu, C Hu, X Cheng, Secureguard: a certificate validation system in public key infrastructure. IEEE Trans. Veh. Technol. (2018). Preprint.Google Scholar
  12. P Paillier, in Advances in cryptology-EUROCRYPT’99. Public-key cryptosystems based on composite degree residuosity classes (SpringerPrague, 1999), pp. 223–238.Google Scholar
  13. K Xing, C Hu, J Yu, X Cheng, F Zhang, Mutual privacy preserving k-means clustering in social participatory sensing. IEEE Trans. Ind. Inform. 13(4), 2066–2076 (2017).View ArticleGoogle Scholar
  14. C Hu, X Liao, X Cheng, Verifiable multi-secret sharing based on LFSR sequences. Theor. Comput. Sci. 445:, 52–62 (2012).MathSciNetView ArticleMATHGoogle Scholar
  15. H Kikuchi, (m+1) st-price auction protocol. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 85(3), 676–683 (2002).MATHGoogle Scholar
  16. K Suzuki, M Yokoo, in Financial Cryptography. Secure combinatorial auctions by dynamic programming with polynomial secret sharing (SpringerGuadeloupe, 2003), pp. 44–56.View ArticleGoogle Scholar
  17. M Nojoumian, DR Stinson, in Information Security Practice and Experience. Efficient sealed-bid auction protocols using verifiable secret sharing (SpringerFuzhou, 2014), pp. 302–317.View ArticleGoogle Scholar
  18. M Larson, C Hu, R Li, W Li, X Cheng, in Proceedings of the 2015 Workshop on Privacy-Aware Mobile Computing. Secure auctions without an auctioneer via verifiable secret sharing (ACMHangzhou, 2015), pp. 1–6.Google Scholar
  19. R Bellman, Dynamic programming and lagrange multipliers. Proc. Natl. Acad. Sci. U. S. A. 42(10), 767 (1956).MathSciNetView ArticleMATHGoogle Scholar
  20. A Shamir, How to share a secret. Commun. ACM. 22(11), 612–613 (1979).MathSciNetView ArticleMATHGoogle Scholar
  21. G Blakley, Safeguarding cryptographic keys. Proc. Natl. Comput. Conference1979. 48:, 313–317 (1979).Google Scholar
  22. C Hu, W Li, X Cheng, J Yu, S Wang, R Bie, A secure and verifiable access control scheme for big data storage in clouds. IEEE Transactions on Big Data (2018). Preprint.Google Scholar
  23. MH Dehkordi, S Mashhadi, An efficient threshold verifiable multi-secret sharing. Comput Stand. Interfaces. 30(3), 187–190 (2008).View ArticleMATHGoogle Scholar
  24. C Hu, N Zhang, H Li, X Cheng, X Liao, Body area network security: a fuzzy attribute-based signcryption scheme. IEEE J. Sel. Areas Commun. 31(9), 37–46 (2013).View ArticleGoogle Scholar
  25. C Hu, X Liao, D Xiao, Secret image sharing based on chaotic map and chinese remainder theorem. Int. J. Wavelets Multiresolution Inf. Process. 10(03), 1250023–118 (2012).MathSciNetView ArticleMATHGoogle Scholar
  26. J Liu, Y Xiao, J Gao, Achieving accountability in smart grid. IEEE Syst. J. 8(2), 493–508 (2014).View ArticleGoogle Scholar
  27. R Jagadeesan, A Jeffrey, C Pitcher, J Riely, in Computer Security–ESORICS 2009. Towards a theory of accountability and audit (SpringerSaint-Malo, 2009), pp. 152–167.View ArticleGoogle Scholar
  28. T Truderung, A Vogt, et al, in Proceedings of the 17th ACM Conference on Computer and Communications Security. Accountability: definition and relationship to verifiability (ACMChicago, 2010), pp. 526–535.Google Scholar
  29. J Feigenbaum, AD Jaggard, RN Wright, in Proceedings of the 2011 Workshop on New Security Paradigms Workshop. Towards a formal model of accountability (ACMMarin County, 2011), pp. 45–56.View ArticleGoogle Scholar
  30. C Ko, DA Frincke, T Goan Jr, T Heberlein, K Levitt, B Mukherjee, C Wee, in Proceedings of the 1st ACM Conference on Computer and Communications Security. Analysis of an algorithm for distributed recognition and accountability (ACMFairfax, 1993), pp. 154–164.Google Scholar


© The Author(s) 2018