Combinatorial auctions are employed into many applications such as spectrum auctions held by the Federal Communications Commission (FCC). A crucial problem in such auctions is the lack of secure and efficiency mechanism to protect the privacy of the bidding prices and to ensure data security. To solve the problem, we propose an approach to represent the price as a polynomial’s degree based on verifiable secret sharing. So, we can obtain the two polynomials’s degree maximum/sum by the degree of the two polynomial’s degree sum/product. In the protocol, the bidders’ information is hidden. The auctioneers can receive the shares without a secure channel, so our protocol is more applicable to more scenarios. The scheme can resist the collusion attack, passive attack and so on. Moreover, Compared to Kikuchi (IEICE Trans Fundam Electron Commun Comput Sci 85(3):676–683, 2002); Suzuki and Yokoo (Secure combinatorial auctions by dynamic programming with polynomial secret sharing, 2003), the proposed scheme has the authentication property without increasing the communications cost.

Introduction

Recently, combinatorial auctions have become an interesting domain, which allow that multiple goods are sold simultaneously and any combination of goods can be bid. For example, FCC spectrum, network routing, and railroad segment can be auctioned.

To carry out a combinatorial auction, the winner determination problem has to be solved first. The problem can be cooperatively solved by multi-auction servers, which can calculate the maximum sum of combinations of bidding prices. It is a challenge problem to protect bidding prices. If the auctioneer is trust, it can solve the winner determination problem. However, it is not practical as the auctioneer may collude with a participant to reveal the bids’ information during the auction. If a strategy-proof mechanism is utilized to resist collusion attacks. However, the auctioneer can create a fake bid to increase revenue.

In traditional auctions, cryptographic functions (public key cryptography, hash chains, etc.) [1–4] are utilized to protect the bid’s privacy. However, these schemes do not consider spatial reuse, so they are not applicable to the secondary spectrum market. In the secondary spectrum market, SPRING was proposed in [5], which introduces a trustworthy agent to interact with both the auctioneer and the bidders. The sensitive information can be protected. However, SPRING depends on a trusted third party (the agent). In [6–10], homomorphic encryption [11–13] is employed to hid each bidder’s bidding values with a vector of cipher texts, and ensures the auctioneer to figure out the maximum value, and charge the bidders securely. However, the homomorphic encryption has a higher computational cost, which is not practical now.

To tackle the above challenges, two problems have to be solved. First, multi-auction servers compute the maximum sum of combinations of bidding prices, while the information of bids and the part of the optimal solution should be kept secret. Second, the collusion activity of multi-auction servers must be resisted. We employ verifiable secret sharing [14] to protect privacy and data security in combinatorial auctions. The scheme allows multi-servers to randomly choose secret shares and verify the legitimacy of them to each other.

The rest of the paper is organized as follows. Section 2 introduces related work. Section 3 presents preliminaries. In Section 4, we describe the main idea of the proposed scheme. In Section 5, we analyze the security and performance of the scheme, followed by a conclusion in Section 6.

Related works

To protect data security and privacy in auctions, cryptographic tools, such as AES, homomorphic encryption, and secret sharing, have been applied.

SPRING [5] presents a trustworthy agent to protect the sensitive information of the auctions. However, SPRING depends on a trusted third party (the agent). In [6, 7], the authors utilize a vector of cipher text to mask the bidding prices, and guarantee that the maximum value, randomizing the bids, and charging the bidders can be figured out. However, the schemes [6, 7] are not practical as homomorphic encryption has a very high computational overhead, which is not applicable to the applications now. In [8], a secure auction without auctioneer scheme for VCG auction is designed based on homomorphic, in which the bidders work together to decide who the winner is without auctioneer; however, the computational overhead is high for each bidder, which has low efficiency. In [9], the authors design a sealed-bid first-price auction scheme based on homomorphic encryption, in which the server processes the bidder’s encrypted bids using homomorphic encryption and the aggregation result is known by auctioneer; however, the scheme cannot resist the collusion activity between the server and auctioneer.

In [15, 16], the bidding prices are hidden via secret sharing. However, there are two weaknesses in [15] as follows. First, the relationships of multi-winner can not be solved. Second, the scheme is not efficient as the computational cost is very much higher. The bids are hidden by the degree of polynomials [16]. However, the scheme is based on the passive adversary model and cannot resist collusion attacks. Therefore, it is not practical.

In [17, 18], the sealed-bid auctions are constructed via verifiable secret sharing. The scheme can resist collusion attacks among the evaluators. However, the secret shares are obtained from a third party via a private secure channel, so the scheme cannot resist collusion attacks amongst evaluators and the third party.

In this paper, we present a privacy-preserving combinatorial auction without an auctioneer based on verifiable secret sharing [14]. Compared to [15, 16], it does not need a secure channel among the bidders and the server. Meanwhile, the proposed scheme provides the authentication without increasing the communication cost.

Preliminaries

We now introduce some preliminary concepts for the cryptographic primitives used in this paper.

Dynamic programming

Dynamic programming [19] can be utilized to solve the problem, which is viewed as the result of a sequence of stepwise decisions.

We first describe the dynamic programming’s concept via an algorithm of finding the longest path in a one-dimensional-directed graph in Fig. 1. The graph includes the nodes S,1,2,…,n with directed links among them. The link is denoted (j,k), where j<k. w(j,k) denoted the weight for each link (j,k). Figuring out the longest path from initial node S to terminal node n is our goal, i.e., to find a maximized path from S to n. For the sake of simplicity, we assume that it exists at least one link from j for each node j (where 1=j<n) except node n.

We assume the longest path from S to n is denoted by L. The last half of L for any node j on L is also a longest path from j to n, which is called the principle of optimality. We can utilize the feature to search out the original problem’s optimal solution via the sub-problems’ optimal solutions.

Specifically, the longest path from S to n can be obtained by figuring out the following recurrence formula from node n−1 to S. In the formula, the longest path from j to n is denoted as f(j). f(j) is called the node j’s evaluation value. f(n) is defined as S for terminal node n. f(S) represents the optimal solution for initial node S.

$$ f(j)=\max_{(j,k)}\{w(j, k)+f(k)\} $$

(1)

When we calculate the formula, the value f(j) of the link (j,k) is recorded for each node j, i.e., max_{(j,k)}{w(j,k)+f(k)} is the value of the link, which recorded links from S to n constructs the longest path.

Assume that there are n+1 stages j=1,…,n and each stage j’s state is (j,s). When j<k, there can be directed links ((j,s),(k,t)) between these states. The weight w(((j,s),(k,t))) is given for each link. The following recurrence formula is defined dynamic programming evaluates function f:

The evaluation value f((S,s)) can be calculated, which is the original problem’s optimal value, by iteratively applying the relation for j=n,n−1,…,1 with initial values f((n,s))=iv(s).

We introduce the proposed privacy-preserving combinatorial auction without an auctioneer based on the longest path of a one-dimensional directed graph. An example is introduced in Section 4.6.

Secret sharing schemes

Secret sharing is an important cryptographic primitive, which is utilized to our scheme. Since secret sharing is developed by Shamir [20] and Blakley [21] in 1979, many secret sharing schemes have been extensively studied [14, 22–24]. Generally speaking, secret sharing is briefly introduced as follows. A dealer shares a secret with a number of usersU_{1},…,U_{
n
}, a user gets the secret if and only if it can co-work with at least t−1 other users, where t≤n is a pre-determined parameter. The dealer shares the secret and the users is s∈GF(p_{1}), where p_{1}>N. Each user U_{
i
} holds a secret key k_{
i
}∈GF(p_{1}), which is only known by U_{
i
} and the dealer.

The dealer follows two step procedure. First, it constructs a polynomial function F(x) of degree t−1 shown in (3):

$$ F(x)=s+\sum\limits_{j=1}^{t-1}\mu_{j}x^{j}, $$

(3)

by randomly choosing each μ_{
j
}. Note that all (additive and multiplication) operations used in (3) is modular arithmetic (defined over GF(p_{1})) as opposed to real arithmetic. Also s forms the constant component of F(x) - i.e., s=F(0). Then, in the second step, the dealer sends a shared secret s_{
i
}=F(x_{
i
}) to each U_{
i
}, where x_{
i
} is a random number selected by U_{
i
} and is sent to the dealer via the secure channel protected by k_{
i
}.

We now show how to recover s by t or more users. Without loss of generality, let U_{1},…,U_{
t
} be the cooperating users. The secret s=F(0) can be reconstructed from s_{1}=F(x_{1}),…,s_{
t
}=F(x_{
t
}) by these t users.

Note that the cumulative product in (4) is essentially the Lagrange coefficient. The correctness of (4) can be easily verified based on the definition of F(x).

The proposed scheme—secure computing

We present the proposed privacy-preserving combinatorial auction without an auctioneer, and we also discuss the security and efficiency of the scheme.

Requirements

The requirements for the secure protocol are as follows:

1.

Evaluators (servers) select their secret keys by themselves, and the weight publishers (WP) (buyers and sellers) calculate and publish the weights for each share.

2.

The legitimacy of evaluators is verified to each other, and then the evaluators cooperatively implement dynamic programming protocol to find the optimal solution, while each weight is kept secret.

To achieve this goal, the following two questions should be solved: How to resist collusion attacks? How to figure out the maximum sum of weights without revealing each weight? We denote a weight as a polynomial’s degree; So, the degree of the sum/product of the two polynomials construct the maximum/sum of the degree of two polynomials, and verifiable secret sharing scheme [14, 25] is employed to resist collusion attack.

Basic idea

Weight publisher WP has a secret s∈Z_{
N
}. WP chooses random n (n>s) points x_{1},x_{2},…,x_{
n
}∈Z_{
N
}, the constant c∈Z_{
N
}, and publish them. Then, it randomly chooses a polynomial A∈Z_{
N
}[ x] s.t. deg(A)=s and A(0)=c and holds its secret. WP publishes its shares {A(x_{1}),A(x_{2}),…,A(x_{
n
})}. Each evaluator E_{
l
} holds its share for A(x_{
l
}), where l is the number of the evaluators,

A masking polynomial M∈Z_{
N
}[x] s.t. deg(M)=d and M(0)=0 is chosen by each WP, who keeps it secret. Then, WP calculates its l shares M(x_{
l
}), and l−th share is selected by each evaluator. Then, masked shares A(x_{
l
})+M(x_{
l
}) where (l=1,2,…,d+1) are published by d+1 evaluators {E_{1},E_{2},…,E_{d+1}}. The evaluators utilize these d+1 masked shares to perform polynomial interpolation, i.e., determine polynomial is A+M, recover A(0)=A(0)+M(0), and verify whether A(0)=c or not. We can recover the constant term A(0)=c from d+1 shares if deg(A)=d, where deg(A+M)=d. We cannot recover the constant term A(0)=c from d+1 shares if deg(A+M)>d. Thus, we are convinced that deg(A)=d if A(0)=c holds. Furthermore, the degree of the sum/product of the two polynomials can construct using the maximum/sum of the degree of two polynomials by the following formulas:

$$ \max\{deg(A), deg(B)\} = deg(A + B) $$

(5)

$$ deg(A) + deg(B) = deg(A\cdot B) $$

(6)

The maximum/sum of two secrets to be locally determined as each evaluator E_{
l
} can calculate its share of sum A+B / product A·B of two polynomials A and B by calculating the sum A(x_{
l
})+B(x_{
l
}) / product A(x_{
l
})·B(x_{
l
}) of two shares A(x_{
l
}) and B(x_{
l
}).

System model

As shown in Fig. 2, our system model consists of three major entities: mask publisher (MP), evaluators (E), weight publishers (WP). In the following, we briefly summarize the major functions of each entity.

Mask publisher (MP):MP is used to generate and distribute keys for all evaluators. MP also generates the mask polynomial, and distributes the mask value for each evaluator.

Evaluators (E): Each evaluator computes cooperatively executes dynamic programming and finds the optimal solution and verifies the identities of evaluators each other.

Weight publishers (WP): Each WP distributes its shares to each evaluators.

Security model

In our security model, we consider that the following security goals need to be achieved:

Privacy-preservation of bidders’ bids. The evaluators should be able to verify the identities of other evaluators; i.e, when the evaluators work together to figure out the optimal solution, they should verify the identities of each participant fist; meanwhile, the privacy should be protected.

Non-repudiation: any bidder (weight publisher) cannot repudiate his bid.

Accountability: any bidder can be verified that they follow the protocol to get the optimal solution by the evaluators.

Secure computing

Initialization phase

There is a mask publisher, MP, which chooses a randomly masked polynomial M∈Z_{
N
}[ x] s.t. deg(M)=d and M(0)=0 and keeps it secret. The weight publishers WP_{(i,j)} for each link (i,j). There are l evaluators {E_{1},E_{2},…,E_{
l
}} where l is greater than the length of the longest path.

To solve the verification problem, the intercommunication is needed by the mask publisher MP and the evaluators. The communication between MP and the evaluators can use the public channel. First, the mask publisher randomly selects two strong primes p and q, and calculates N=pq. Then, the mask publisher figures out the generator g, and publishes {g,N}.

Each evaluator E_{
i
} randomly chooses an integer s_{
i
} as its secret share where s_{
i
}∈ [ 2,N], and calculates R_{
i
}=g^{s}_{
i
} mod N. Then, E_{
i
} sends R_{
i
} and its identity number id_{
i
} to mask publisher MP. For any two pair of evaluators E_{
i
} and E_{
j
}, MP must guarantee that R_{
i
}≠R_{
j
}. MP publishes {id_{
i
},R_{
i
}}. The mask publisher MP first selects an integer s_{0} from the interval [ 2,N] and computes λ such that s_{0}λ=1 mod ϕ(N), where ϕ(N) is the Euler phi-function; and then MP computes R_{0}=g^{s}_{0} mod N. Finally, the MP calculates \(R_{i}^{\prime }=R_{i}^{s_{0}}\mod N\) and the mask value \(M_{i}=M(R_{i}^{\prime })\) for each evaluator E_{
i
}. MP publishes {R_{0},λ}.

Weight Publisher WP_{(i,j)} enlarges its weight \(\widetilde {w}(i,j)\): \(w(i,j) = \widetilde {w}(i,j)+ t_{w} \times (j-i)\) where t_{
w
} is a threshold parameter of WP_{(i,j)}. The extension will not change the optimal solution of the longest path from S to n. \(\widetilde {f}(i)\) and f(i) are denoted the original weight value \(\widetilde {w}(i,j)\) and the extended weight w(i,j) of node i, respectively. Then, for each node j, \(f(i)=\widetilde {f}(i) + t_{w} \times (n-i)\). So, the maximum can be computed and the secure computing is performed in Section 4.2. The polynomial H_{(i,j)} for node i is randomly chosen by weight publisher WP_{(i,j)} s.t. deg(H_{(i,j)})=w(i,j), and H_{(i,j)}(0)=c. The WP_{(i,j)} holds it secret.

Construction phase

The weighter publisher WP_{(i,j)} performs the following steps:

for j=n−1,n−2,…,0, where F_{
j
}(x) is the optimized polynomial, which represents the longest path from the start node S to node j, and F_{
n
}(x)=1.

2)

Publishes HM_{
i
}=H_{(0,i)}×F_{
i
}+M_{
i
}. The Eq. (7) is related to the recurrence relation of dynamic programming, as described in Eq. (1).

Recovery and verification phase

Without loss of generality, let E={E_{1},E_{2},…,E_{d+1}}. The evaluators of E will recover the polynomial HM_{
i
}=H_{(0,i)}×F_{
i
}+M_{
i
} based on following procedure.

1)

Each evaluator calculates \(R_{i}^{\prime \prime }=R_{0}^{s_{i}} \mod N\) to obtain the share, where s_{
i
} is the share of HM_{
i
}.

2)

The evaluator in E verifies \(R_{i}^{\prime \prime }\), which is provided by E_{
i
}. If \({R_{i}^{\prime \prime }}^{\lambda }=R_{i} \mod N\), then \(R_{i}^{\prime \prime }\) is legitimacy; Otherwise, \(R_{i}^{\prime \prime }\) is false, which means that E_{
i
} might be a cheater. The share will be discarded.

3)

Recover the polynomial: the polynomial HM_{
i
} can be uniquely determined as follows:

As described in Section 4.2, evaluators check whether deg(F_{0})≤d. Evaluators can verify whether F_{0}=c or not. For instance, if c=0, F_{0} should be equal to 0. We can perform binary search to figure out the optimal value f(0)=deg(F_{0}), and publish it.

Tracing the optimal path

Evaluators calculate the optimal path as follows:

Assume that the evaluators know f(j)=deg(F_{
j
}), and they want to trace to node k s.t. deg(F_{
j
})=deg(H_{(j,k)}×F_{
k
}+ M_{
j
}). We test whether deg(H_{(j,k)}×F_{
k
}+M_{
j
})=deg(F_{
j
})−1 or not for all nodes k linked to node j. The evaluators know that the node k attains f(j) when the inequality does not hold for node k. They can determine f(k)=deg(F_{
k
}) as in Section 4.5.3 after finding the node k that attains f(j), and publish it. Iterating this procedure recursively yields to the optimal path.

An example

Here, we give an example of one-dimensional graph shown in Fig. 3 to explain how to apply our scheme.

There are three links, (S, 1) (1, 2), (S, 2), wherein weighers are {2, 1, 2}, respectively. The weight publishers WP_{(S,1)},WP_{(1,2)},WP_{(S,2)} generate the following polynomials for these links:

There are four evaluator {E_{1},E_{2},E_{3},E_{4}}, which randomly choose x_{1}=1,x_{2}=2,x_{3}=3,x_{4}=4, respectively. For simplicity, we assume that t_{
w
}=0 and c=0.

First, the mask publisher MP first chooses mask polynomial M(x)=x^{2}, and chooses two primes p=5 and q=7, and calculates N=5×7=35. Then, the mask publisher MP chooses the generator g=2 and a randomly number s_{0}=5, and computes λ=5 from s_{0}λ=1 mod (ϕ(N)=24). MP computes R_{0}=g^{s}_{0} mod N=2^{5} mod 35=32. MP publishes {g,N,R_{0},λ}.

Second, the evaluator E_{
i
} computes R_{
i
}=g^{x}_{
i
} mod N, so four evaluators {E_{1},E_{2},E_{3},E_{4}} generate R_{1}=2^{1} mod N=2,R_{2}=2^{2} mod N=4,R_{3}=2^{3} mod N=8,R_{4}=2^{4} mod N=16, respectively. The evaluators {E_{1},E_{2},E_{3},E_{4}} send {R_{1},R_{2},R_{3},R_{4}} to MP separately.

Third, MP computes \(R_{1}^{\prime }=R_{1}^{5} \mod N=32, R_{2}^{\prime }=R_{2}^{5} \mod N=9, R_{3}^{\prime }=R_{3}^{5} \mod N=8, R_{4}^{\prime }=R_{4}^{5} \mod N=11\), and computes the mask value \(M_{1}= {R_{1}^{\prime }}^{2}=1024, M_{2}={R_{2}^{\prime }}^{2}=81, M_{3}={R_{3}^{\prime }}^{2}=64, M_{4}={R_{4}^{\prime }}^{2}=121\), and then sends \(\{\{R_{1}^{\prime }, M_{1}\}, \{R_{2}^{\prime }, M_{2}\}, \{R_{3}^{\prime }, M_{3}\}, \{R_{4}^{\prime }, M_{4}\}\}\) to evaluators {E_{1},E_{2},E_{3},E_{4}}, respectively.

Each evaluator computes its shares following Section 4.5.2. The evaluators’ corresponding computation are shown in Table 1.

When the evaluators work together to figure out the optimal result, the evaluators verify identities of participants each other using the method in Section 4.5.3 first. If all the evaluators pass the verification, from Table 1, the evaluators can recover F_{0}(x)=x^{3}+x^{2}+2x from the shares F_{0}(32)=33,856,F_{0}(9)=828,F_{0}(8)=592, and F_{0}(11)=1476, where F_{0}(0)=0. According to the Eq. (1) and (7), we figure out that f(0)=3. The evaluators also can recover the mask polynomial M(x)=x^{2} according to the mask shares. Because the polynomial of degree 2, which is reconstructed from the shares of H_{(S,1)}×F_{1}+M, does not equal to 0, the link (S,1) attains f(0)=3, which means that the link (S,1) is included in the optimal result.

Result and discussion

In this section, we discuss the security properties of the proposed scheme and analyze the performance of the proposed scheme.

Security analysis

In this subsection, we discuss the security properties of the proposed scheme in terms of resistance against active attacks, resistance against passive attacks, non-repudiation, and accountability.

Resistance against active attacks

Conspiracy attacks:In order to recover the secrets, we assume that two evaluators have a collusion activity. For example, two evaluators E_{
i
} and E_{
j
} can exchange their value s_{
i
} and s_{
j
}. So, E_{
i
} holds s_{
j
} while E_{
j
} holds s_{
i
}. Then, E_{
i
} calculates \({R_{j}^{\prime \prime }}^{\lambda }=R_{j}\) while E_{
j
} computes \({R_{i}^{\prime \prime }}^{\lambda }=R_{i}\). Therefore, E_{
i
} and E_{
j
} might try to pass the verification. However,it is not impossible as the Id and (Id,R) pairs have been published by all evaluators. Thus, the conspiracy of the participants E_{
i
} and E_{
j
} can be easily recognized by other participants.

Evaluator cheating: Assume that an evaluator E_{
i
} wants to gain a secret (s) via providing a false private key R_{
j
}. E_{
i
} calculates \(R_{i}^{\prime \prime }=R_{0}^{s_{j}} \mod N\) and broadcasts it. However, other participants can check the validity of \(R_{i}^{\prime \prime }\) by calculating \({R_{i}^{\prime \prime }}^{\lambda }=R_{j}\neq R_{i}\) when receiving \(R_{i}^{\prime \prime }\) provided by E_{
i
}. Because that the Id_{
i
} and the R_{
i
} of E_{
i
} are published, it is easy to detect that E_{
i
} provides an incorrect \(R_{i}^{\prime \prime }\).

Reconstruct the polynomial: Assume that an adversary adv wants to use fewer than t shares (t<d) to reconstruct the polynomial HM_{
i
}, it is not impossible because that it equals to break Shamir’s scheme, which has been proved that it holds the security property.

Reveal the secret key of the evaluator: Assume an adversary wants to obtain the participant E_{
i
}’s secret shadow s_{
i
} from the public information R_{
i
}. He obtains s_{
i
} from R_{
i
}=g^{s}_{
i
}; however, he has to solve the discrete logarithm problem (DLP), which is an NP-hard problem. So, it is not impossible to obtain the secret key from the evaluator.

Resistance against passive attacks

Because that all published shares with random polynomials are masked by the mask publisher, meanwhile the extended weight w(i,j)=deg(H(i,j)) is equal to or larger than d, the adversary can not obtain any information from masked shares when the number of weight publishers is less than the threshold d. Thus, the proposed scheme is secure against passive adversaries.

Non-repudiation:

Theorem 1If a bidder (Weight Publisher) makes a bid, it cannot deny making the bid in a later time.

Proof If a bidder (Weight Publisher) make a bid, because that the evaluators work together to figure out the optimal result, and each participant is verified by other participants. If some Weight Publisher deny making the bid, the other evaluators can work together to trace all the internment mask result to verify whether the Weight publisher is lie or not according to the optimal result. □

Accountability:Accountability is required to secure a system from the aspects of integrity, confidentiality, and privacy [26–30]. An accountability mechanism is typically utilized to figure out who is responsible for what. In essence, accountability means that the system is recordable and traceable, which implies that making any entity in the system accountable for all its actions. Under such a consideration, our scheme is accountable as the evaluators can verified each other and work together to obtain the optimal result, which can be used as an evidence for dispute resolution; therefore, no one can deny its actions. Thus, we claim that the scheme has the property of accountability.

Performance analysis

In this section, we discuss the performance properties of our scheme and compare our schemes with others. The comparison of the properties of our scheme and the schemes proposed in [16, 17] is shown in Table 2. The details are presented as follows:

In [16, 17], the third party is needed, which may be dishonest. Hence, the original secrets may not be reconstructed by the evaluators. In our scheme, it is impossible for the third party to cheat the evaluators as the evaluators choose their own shadows.

The validity of the shares of each evaluator can be checked by other evaluators; the proposed scheme is verifiable. This improves upon [16] in which the source of the other share cannot be verified by the evaluator. If a wrong share is provide by one evaluator, which can not be figured out by other other evaluators.

In [16, 17], the shadows of the evaluators are received from the third party via secure channel; however, our scheme never discloses the shadow of each evaluator in the recovery and verification phases, and the shadow can be reused.

In [16, 17], the secret shadows is transmitted via a private secure channel by weight publishers; however, in our scheme, the shadows is not transmitted by the weight publishers via secure channel because that the secret shadow is chosen by the evaluators themselves.

Table 3 shows round complexity during each phase. The proposed scheme does not consider communications without secure channels, i.e., the weight publisher or the evaluators publish shares in our scheme, which can be implemented by a bulletin board. Here, q is the number of links, n is the number of nodes, l is the number of evaluators (which is equal to or greater than possible maximal value), d+1 is the number of masks, and N is the order of the finite field Z_{
N
}.

Note that our approach does have one disadvantage: if the number of nodes is very large, our scheme may be invalid sometimes because the combinatorial auction’s winner determination problem is NP-complete.

Conclusions

In this paper, we presented a privacy-preserving combinatorial auction without an auctioneer scheme. In our scheme, the price is represented as the degree of a polynomial; thus, the degree of the sum/product of the two polynomials construct the maximum/sum of the degree of two polynomials. The bidders information is hidden, and the legitimacy of the evaluator is also verified based on secret sharing, which can resists collusion attacks.

Our future research will focus on the following direction: design more efficient approaches based on greedy algorithm to protect the privacy of combinatorial auction, which would be much more suitable for practical applications.

References

K Sako, in Proceedings of Public Key Cryptography 2000. Universally verifiable auction protocol which hides losing bids (SpringerMelbourne, 2000), pp. 35–39.

C Cachin, in Proceedings of the 6th ACM Conference on Computer and Communications Security. Efficient private bidding and auctions with an oblivious third party (ACMSingapore, 1999), pp. 120–127.

K Kobayashi, H Morita, K Suzuki, M Hakuta, Efficient sealed-bid auction by using one-way functions. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 84(1), 289–294 (2001).

K Suzuki, K Kobayashi, H Morita, in Information Security and Cryptology-CISC 2000. Efficient sealed-bid auction using hash chain (SpringerSeoul, 2001), pp. 183–191.

Q Huang, Y Tao, F Wu, in INFOCOM, 2013 Proceedings IEEE. Spring: A strategy-proof and privacy preserving spectrum auction mechanism (IEEETurin, 2013), pp. 827–835.

M Pan, X Zhu, Y Fang, Using homomorphic encryption to secure the combinatorial spectrum auction without the trustworthy auctioneer. Wirel. Netw. 18(2), 113–128 (2012).

M Pan, J Sun, Y Fang, Purging the back-room dealing: Secure spectrum auction leveraging paillier cryptosystem. IEEE J. Sel. Areas Commun. 29(4), 866–876 (2011).

M Larson, R Li, C Hu, W Li, X Cheng, R Bie, in Wireless Algorithms, Systems, and Applications. A bidder-oriented privacy-preserving vcg auction scheme (SpringerQufu, 2015), pp. 284–294.

M Larson, W Li, C Hu, R Li, X Cheng, R Bie, in Wireless Algorithms, Systems, and Applications. A secure multi-unit sealed first-price auction mechanism (SpringerQufu, 2015), pp. 295–304.

A Alrawais, A Alhothaily, J Yu, C Hu, X Cheng, Secureguard: a certificate validation system in public key infrastructure. IEEE Trans. Veh. Technol. (2018). Preprint.

P Paillier, in Advances in cryptology-EUROCRYPT’99. Public-key cryptosystems based on composite degree residuosity classes (SpringerPrague, 1999), pp. 223–238.

K Xing, C Hu, J Yu, X Cheng, F Zhang, Mutual privacy preserving k-means clustering in social participatory sensing. IEEE Trans. Ind. Inform. 13(4), 2066–2076 (2017).

K Suzuki, M Yokoo, in Financial Cryptography. Secure combinatorial auctions by dynamic programming with polynomial secret sharing (SpringerGuadeloupe, 2003), pp. 44–56.

M Nojoumian, DR Stinson, in Information Security Practice and Experience. Efficient sealed-bid auction protocols using verifiable secret sharing (SpringerFuzhou, 2014), pp. 302–317.

M Larson, C Hu, R Li, W Li, X Cheng, in Proceedings of the 2015 Workshop on Privacy-Aware Mobile Computing. Secure auctions without an auctioneer via verifiable secret sharing (ACMHangzhou, 2015), pp. 1–6.

C Hu, W Li, X Cheng, J Yu, S Wang, R Bie, A secure and verifiable access control scheme for big data storage in clouds. IEEE Transactions on Big Data (2018). Preprint.

MH Dehkordi, S Mashhadi, An efficient threshold verifiable multi-secret sharing. Comput Stand. Interfaces. 30(3), 187–190 (2008).

C Hu, N Zhang, H Li, X Cheng, X Liao, Body area network security: a fuzzy attribute-based signcryption scheme. IEEE J. Sel. Areas Commun. 31(9), 37–46 (2013).

C Hu, X Liao, D Xiao, Secret image sharing based on chaotic map and chinese remainder theorem. Int. J. Wavelets Multiresolution Inf. Process. 10(03), 1250023–118 (2012).

R Jagadeesan, A Jeffrey, C Pitcher, J Riely, in Computer Security–ESORICS 2009. Towards a theory of accountability and audit (SpringerSaint-Malo, 2009), pp. 152–167.

T Truderung, A Vogt, et al, in Proceedings of the 17th ACM Conference on Computer and Communications Security. Accountability: definition and relationship to verifiability (ACMChicago, 2010), pp. 526–535.

J Feigenbaum, AD Jaggard, RN Wright, in Proceedings of the 2011 Workshop on New Security Paradigms Workshop. Towards a formal model of accountability (ACMMarin County, 2011), pp. 45–56.

C Ko, DA Frincke, T Goan Jr, T Heberlein, K Levitt, B Mukherjee, C Wee, in Proceedings of the 1st ACM Conference on Computer and Communications Security. Analysis of an algorithm for distributed recognition and accountability (ACMFairfax, 1993), pp. 154–164.

We are very grateful to Dr. Xiuzhen Cheng and Dr. Maya Larson who have helped improve the quality of this paper.

Funding

This project was partial supported by the National Natural Science Foundation of China under grants 61702062, 61672119, 61472418 and 61571049, and the National Science Foundation of the USA under grants: CNS-1407986, CNS-1443858, CNS-1704397 and IIS-1741279, and the Natural Science Foundation of Chongqing (cstc2015jcyjA40037).

Author information

Authors and Affiliations

Key Laboratory of Dependable Service Computing in Cyber Physical Society (Chongqing University), Ministry of Education, Chongqing, China

Chunqiang Hu

School of Software Engineering, Chongqing University, Chongqing, China

Chunqiang Hu

Department of Computer Science, George Washington University, Washington, USA

Ruinian Li, Bo Mei & Arwa Alrawais

Department of Computer Science, Georgia State University, Atlanta, USA

Wei Li

College of Information Science and Technology, Beijing Normal University, Beijing, China

All the authors developed the solution of the problem. CH proposed the main idea of the paper and finished the draft of the paper. RL, BM, and WL discussed and improved the scheme. AA and RB focused on smoothing out the language of the paper. All authors read and approved the final manuscript.

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License(http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Hu, C., Li, R., Mei, B. et al. Privacy-preserving combinatorial auction without an auctioneer.
J Wireless Com Network2018, 38 (2018). https://doi.org/10.1186/s13638-018-1047-z