Client Puzzles - PowerPoint PPT Presentation

Title: Client Puzzles Author: Ari Juels Last modified by: Ari Juels Created Date: 2/1/1999 4:07:40 PM Document presentation format: On-screen Show (4:3) – PowerPoint PPT presentation

Slides: 24

Transcript and Presenter's Notes



1
A Two-Server Auction Scheme
Ari Juels and Mike Szydlo
Financial Cryptography '02, 12 March 2002
2
Auctions increasingly popular
  • 2.6 million new auctions per day on eBay in 2000
  • About three auctions per year for every
    inhabitant of U.S.
  • Attempted auctions (and hoaxes) in '99
  • A healthy kidney (high bid 5.7 million)
  • A military rocket launcher
  • 200 pounds of cocaine
  • A team of software engineers
  • A baby (high bid 109,100)
  • A teenage boy selling his virginity (high bid
    10 million)

3
popular with all sorts...
4
eBay vs. Sealed-bid
  • One-round
  • Transparent participation
  • Psychologically neutral
  • Time-bounded
  • Masks identities
  • Facilitates, e.g., shilling
  • Fungible goods
  • Serious auctions
  • Great sporting event

5
Sealed-Bid Auctions
6
Sealed-Bid Auctions
f
7
General Secure Multiparty Computation (GSMC)
f
8
The Literature on Sealed-Bid Auctions
  • Most sealed-bid systems get away from
    inefficiencies of GSMC
  • Weakened trust models
  • Specifying function f as maximum
  • Some tailor GSMC to auctions
  • JJ00
  • NPS99 (Naor, Pinkas, and Sumner)

9
NPS at a glance
f
10
Features of NPS
  • Use of exactly two servers gives many benefits
    (Yao construction)
  • One round of interaction for bidders -- and no
    latency
  • Any function f with efficient boolean circuit
    yields practical computation
  • Vickrey auctions
  • Private surveys
  • Few rounds of communication
  • But there's a flaw...

11
Trust model
Auction guaranteed correct (or fails)
Bids remain private
12
Oblivious Transfer
$t_0, t_1$
bit $b$
What was $t_{1-b}$?
What was $b$?
13
Proxy Oblivious Transfer (POT)
$t_0, t_1$
$t_b$
What was $b$?
What were $b$ and $t_{1-b}$?
bit $b$
Chooser
14
POT in Auction
f
Bit b of bid
Chooser
15
The Problem With POT
f
Observed in JJ00
Bit 0 in bid
Chooser
16
The Problem With POT
f
Alice's bid has been changed!
Bit 0 in bid
Chooser
17
We need Verifiable POT
Bit b
Chooser
18
Our Contributions
  • We introduce very efficient VPOT primitive --
    fixing security flaw in NPS
  • With our VPOT, roughly ten times faster for
    bidder than NPS!
  • NPS: Tens of exponentiations
  • Ours: Tens of modular multiplications
    (great for cell phones)
  • Ours: Twice as slow for servers

19
Idea 1: Efficiency (RSA-based OT)
RSA modulus $N$; random $C$ in $Z_N$
$(t_0, t_1)$
bit $b$
$R \in Z_N$; $X_b = R^3 \bmod N$; $X_1 = C X_0$
$Y_0 = t_0 / (X_0)^{1/3}$; $Y_1 = t_1 / (X_1)^{1/3}$
$t_b = Y_b R$
20

Idea 1: Efficiency (RSA-based OT)

RSA modulus $N$; random $C$ in $Z_N$
$(t_0, t_1)$
bit $b$
  • For technical reasons, real protocol slightly
    different
  • Previous schemes typically based on, e.g., El
    Gamal
  • El-Gamal-based --> Several modular
    exponentiations
  • RSA-based --> Several modular multiplications
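
The slide-19 exchange as an added worked example in Python (not from the presentation; it follows the simplified slide form, which slide 20 notes differs slightly from the real protocol). Assumed here: the toy primes, public exponent 3 with the sender holding the cube-root exponent, the relation X_1 = C·X_0 as read from the slide, and all function names.

```python
import math
import secrets

# Constructed toy parameters (assumption, not from the slides): two well-known
# primes, each congruent to 2 mod 3, so cubing is invertible mod N. Far too
# small for real use.
P, Q = 1_000_000_007, 998_244_353
N = P * Q
D = pow(3, -1, (P - 1) * (Q - 1))   # sender's secret cube-root exponent


def random_unit():
    """Random invertible element of Z_N, never 0 or 1."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r


def chooser_query(C, b):
    """Chooser: pick R, set X_b = R^3 mod N, and derive X_0 so X_1 = C*X_0."""
    R = random_unit()
    Xb = pow(R, 3, N)                # one cheap cubing, no exponentiation by D
    X0 = Xb if b == 0 else Xb * pow(C, -1, N) % N
    return R, X0                     # only X0 goes to the sender; R stays secret


def sender_respond(C, X0, t0, t1):
    """Sender: Y_i = t_i / (X_i)^(1/3) mod N, using the secret exponent D."""
    X1 = C * X0 % N
    Y0 = t0 * pow(pow(X0, D, N), -1, N) % N
    Y1 = t1 * pow(pow(X1, D, N), -1, N) % N
    return Y0, Y1


def run_ot(t0, t1, b):
    """One transfer; returns (recovered t_b, the other Y unblinded with R)."""
    C = random_unit()                # public C; chooser must not know its cube root
    R, X0 = chooser_query(C, b)
    Y = sender_respond(C, X0, t0, t1)
    return Y[b] * R % N, Y[1 - b] * R % N   # second value is not t_(1-b)


if __name__ == "__main__":
    print(run_ot(1234567, 7654321, b=1))
```

The chooser's work is a cubing and a few multiplications mod N; the expensive cube roots fall on the sender, which matches the bidder/server cost split claimed on slide 18.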

21

Idea 2: Verifiability
Bit $w$: $w = 0$ if $t_0$ on left; $w = 1$ if $t_0$ on right
22

Idea 2: Verifiability
  • Prove ordering of vaults Prove fact
    about single bit w
  • Key tool:
    Goldwasser-Micali '84

23
Conclusion
  • NPS: clever, practical approach to sealed-bid
    auctions
  • With VPOT, we can bring NPS ideas to fruition
  • High efficiency for weak bidding devices, e.g.,
    cell phones