CN103248478A - Multi-party security agreement based sealed electric auction scheme and verification method - Google Patents

Abstract

The invention relates to the fields of multi-party security calculation, communication security and eBusiness, and provides a publicly verifiable sealed electric auction scheme which meets characters of transaction requirement and safety and fairness requirements of the transaction, reduces transaction complexity and ensures communication security. Therefore, the technical scheme adopted is that the multi-party security agreement based sealed electric auction scheme and a corresponding verification method comprise the following steps: 1), building a secret key system for an auction company; 2), list price encryption and decryption, wherein the step comprises the steps: a), encrypting a list price through a public key pki-Bi by a bidder Bi, and b), decrypting by an auction center; 3), carrying out digital signature by the bidder and verifying that the digital signature scheme used by the bidder is an elliptic curve signature system; and 4), carrying out list price verification by the bidder. The invention is mainly applied to the field of auction communication.

Description

Sealed electronic auction scheme and verification method based on security protocol in many ways

Technical field

The present invention relates to safe calculating, communication security, e-commerce field in many ways, specifically, relate to sealed electronic auction scheme and verification method based on security protocol in many ways.

Technical background

Electronic auction is an important application of ecommerce, be one by the special spot exchange mode of auction colony's price determination and assigning process.Perfect along with development of internet technology and secrecy system, auction trade turns to based on network electronic pattern from traditional mode gradually.Electronic auction system mainly contains the advantage of two aspects: the one, and well-designed electronic auction agreement can realize the optimum allocation of resource, reach the reasonable resources utilization, the economics characteristics of this characteristics source auction, also it is subjected to the main cause that a large amount of scholars pay close attention to just; The 2nd, electronic auction system can need not the auction scene just can participate in competitive bidding, thereby saves lot of manpower and material resources, minimizes transaction cost, and these characteristics derive from the power that its network system provides.Electronic auction relates to multiple network and information security technology, and these technology not only can be used for electronic auction, also can be used for other e-commerce and e-government, so the security study of electronic auction is also significant to the research of network and information security.

The electronic auction agreement generally is made up of auction participant (bidder, the seller and auction room), arbitration organ and auction protocol.Auction protocol refers to the protocol rule that everybody must observe in auction process, the generation rule of for example employing of auction technique, victor and triumph price, and simultaneously, the electronic auction agreement also is the special case that a kind of pragmatize of security protocol in many ways needs.Arbitration organ be responsible for to solve between the bidder, between bidder and the seller and between they and the auction room because the dispute that a variety of causes produces.The general right and wrong electronization of arbitration organ in electronic auction, it is dependable third party, only after dispute took place, arbitration organ just got involved.In general, the auction main body is made of bidder, auction server, registration center and the seller, as shown in Figure 1.

Traditional single article auction technique mainly contains four kinds: (1) English auction (auction of price increases formula), auction room provides the lowest price of all auction goods earlier, marked price during each the bid is all than the marked price height of last time, and instructing at last, the someone has gone out till the highest price; (2) Dutch Auction (auction of price degression type), auction room provides a marked price earlier, and price is along with time fluctuation is floated downward, up to there being the bidder to be ready to bid; (3) sealed type auction marks after the auction beginning Packed mode is sent, and declares the closing of up to the seller, opens bidding documents, and marked price the soprano win; (4) auction of sealed type divalence is also named in Vikrey auction, and different with the sealed type auction is that concluded price is the second high bidder's price.On the basis in Vikrey auction, during the same article of M unit of auction, if M the person's of outbiding acceptance of the bid, each winning bidder buys a unit, and is unified according to highest price position (M+1) the price payment that goes out among the unsuccessful tenderer, then is that M+1 auctions.Economist Vikrey has proved second price principle support commodity allocation optimization, and has reduced the possibility that the bidder gangs up, and therefore obtains Nobel economics prize in 1996.People such as Wumam have proved that (M+1) valency auction equally satisfies the excitation competition mechanism with the Vikrey auction, and namely bidder's optimal policy is ready the true valency that for it.The present invention is opened bid by auction center, goes for multiple article auction technique.

So-called agreement is exactly that two or more participant finishes the series of steps that a certain specific task is taked.Security protocol is the message exchange protocol based on cryptography, and its objective is provides various security services in network environment.In many ways security protocol is the foundation for security of many distributed systems, and the safe operation of guaranteeing these agreements is very important.In many ways adopted multiple different cryptographic system in the security protocol, its hierarchical structure as shown in Figure 2.Therefrom as can be seen, these agreements are built on the multiple security means, often relate to the agreement on many bases such as secret is shared, encryption, signature, promise, zero-knowledge proof.

The electronic auction agreement of a safety must have the mechanism of fair competition, and in order to prevent manipulations such as bidder and auction room or the seller conspire, the privacy that makes the bidder is in auction process and can access secretly after the auction, must carry out anonymity bid.A sealed electronic auction protocol should satisfy following requirement: (1) fairness, refer to that all bidder status are the same, and there is not a side than its other party more advantageous conditions to be arranged; (2) non-repudiation, the bidder can not deny its bid after submitting a tender; (3) unforgeable, bidder's bid can not be forged; (4) verifiability can openly prove the legitimacy that the winning bidder marks the price: (5) marked price confidentiality, and bidder's marked price must be maintained secrecy; (6) bidder's anonymity, bid participant's identity (comprising winning bidder's identity and unsuccessful tenderer's identity) must be maintained secrecy.Existing electronic auction agreement all needs the participation of auction room basically, exist auction room and bidder scheme like this and close the threat of obtaining interests, the fail safe of the auction system that has reduced, and some auction protocol that do not rely on auction room calculation of complex often, practicality is not strong.

Summary of the invention

For overcoming the deficiencies in the prior art, the present invention aims to provide the sealed electronic auction scheme that can openly verify, scheme satisfies the character of transaction-based requirements, satisfy fail safe and the fairness requirement of transaction, reduce the complexity of transaction, ensure communication safety, for this reason, the technical solution used in the present invention is, based on sealed electronic auction scheme and the verification method of security protocol in many ways, comprises the following steps:

1) auction room sets up cipher key system

Auction room according to elliptic curve cryptosystem choose elliptic curve E (a, b) and E (a, b) the some p (x who has Prime Orders n on _p, y _p) as the essential information of encryption system, wherein, x _pAnd y _pThe coordinate anyhow of difference representative point p; And between interval [1, n-1], select a random integers d _iAs bidder B _iPrivate key, i ∈ [1, n], the sequence number that takes part in auction of expression bidder, B _iPKI be pk _i-B _i=d _iP announces bidder's PKI;

2) marked price is encrypted and deciphering

A) bidder B _iUse PKI pk _i-B _iMarked price is encrypted

Bidder B _iAt first with oneself original marked price M _iBe expressed as a field element m _i∈ GF (p) selects a random integers k then between [1, n-1] _i, calculation level (x ₁, y ₁)=k _iP and point (x ₂, y ₂)=k _iQ, Q=pk _i-B _iIf, x ₂Reselect random integers k for=0, calculate c=m _ix ₂, at last with data (x ₁, y ₁, c) send to auction center, as the marked price data encrypted;

B) auction center is decrypted process and receives bidder B when auction center _iMarked price ciphertext (x ₁, y ₂, c) after, auction center should at first use bidder B _iPrivate key d _iCalculation level (x ₂, y ₂)=d _i(x ₁, y ₁), then by calculating m _i=cx ₂ ^-1Recover bidder B _iOriginal marked price m _i

3) bidder's digital signature and checking

The digital signature scheme that the bidder uses is the ellipse curve signature system;

4) bidder's checking of marking the price

The open checking of marking the price to the bidder based on " millionaire " protocol scheme of Parisa Kaghazgaran and Babak Sadeghyan proposition in the auction center, the concrete marked price proof procedure that auction room carries out is as follows:

A) the bidder B of auction center _iPKI be pk-B _iRespectively to marked price m ₁And m ₂Be encrypted, Be expressed as and use PKI pk-B _iThe encryption function of encrypting obtains encrypted result and is

B) auction center chooses a random integers R and uses bidder B _iPKI for this integer is encrypted, the encrypted result that obtains is $E_{\mathrm{pk}-B_i}\left(R\right);$

C) train value down calculates in auction center, and computation purpose is in order to prevent bidder B _iLearn marked price m ₁And m ₂Actual value.

D) auction center is to bidder B _iSend $E_{\mathrm{pk}-B_i}(m_1+R)$ With $E_{\mathrm{pk}-B_i}(m_2+R);$

E)

Expression private key d _iThe decryption function that is decrypted, bidder B _iUse private key d _iThe data deciphering that auction center is sent obtains

$D_{d_i}\left(E_{\mathrm{pk}-B_i}(m_1+R)\right)=m_1+R,D_{d_i}\left(E_{\mathrm{pk}-B_i}(m_2+R)\right)=m_2+R;$

Because R is identical random number, just can simply obtain the size of x and y.

5) detailed process of electronic auction scheme:

A) preparatory stage

Auction room's public address system parameter, the elliptic curve of selecting for use is E, basic point is p, the seller registers to auction room, after being verified as validated user, the access authentication identity, the auctioner announces the auction items information that takes part in auction and has issued marked price at BBS2 and is m then, the bidder who participates in registers to auction room, and the legal bidder of auction behavior provides an interim competitive bidding identity B _i

Auction room is to bidder B _iSend B _iParticipate in the PKI pk-B of auction _iWith private key d _i, undocumented private key d wherein _iBe the random integers between [1, n-1], PKI pk _i=d _i* p, and at BBS1 announcement bidder B _iPKI pk _i, be used for the mutual certifying signature of bidder and marked price encryption;

B) bidding period

Bidding period is mainly used ECDSA signature system and elliptic curve cryptography system, based on millionaire's agreement, verifies the size of encrypting marked price at the marked price Qualify Phase to the bidder;

If the bidder is B _iArticle M there is auction interest, then sends the encryption marked price information signature (r of oneself _i, s _i) to auction center and announcement, after authentication is passed through, be encrypted the announcement of marked price by auction center, owing to announce among the announcement board BBS1 that bidder B is arranged _iPKI, then all participants can be to B _iCarry out authentication;

C) the opening of bid stage

When reaching End of Auction during the moment, auction center is decrypted the marked price after encrypting among the announcement board BBS1, obtain all bidders' original marked price, choosing preceding M higher bidder of auction valency is the winning bidder, the marked price of choosing M+1 bidder's transmission is the acceptance of the bid marked price, in announcement board BBS2, announce winning bidder's information and marked price, winning bidder B _xWith the private key d of oneself _xSend to the x ∈ of auction center [1, n], the sequence number that the expression winning bidder takes part in auction, checking winning bidder identity;

D) open checking marked price

If the suitor is B _jDoubt j ∈ [1, n] to oneself not getting the bid, the sequence number that the expression bidder takes part in auction can propose marked price checking application to auction center, utilizes target fairness in " millionaire " protocol verification.B _jSelect two to encrypt competitive bidding valency (B at random _jExcept), the B of auction center _jPKI pk-B _jOriginal competitive bidding valency is encrypted, and auction center carries out the encryption with random number chosen of random number according to agreement then, at last the information that obtains is sent to B _j, B _jJust can compare the size of marked price.

The digital signature scheme that the bidder uses is the ellipse curve signature system, is specially:

A) bidder generates eap-message digest

The Auction ID of supposing the bidder is B _i, i ∈ [1, n], the sequence number that the expression bidder takes part in auction, the marked price ciphertext is E _i(x ₁, y ₁, c), encrypted by auction second stage marked price, calculate its hashed value e=H(E with the SHA-1 hash function _i(x ₁, y ₁, c) || B _i), H is the Hash hash function, then e is bidder's eap-message digest;

B) bidder carries out digital signature

The bidder uses private key d _iCalculate the point (x of elliptic curve _i, y _i)=d _iP, elliptic curve are E, and basic point is p, changes x then _iBe decimal integer

If If r=0, then private key d is redistributed in prompting _i, then the bidder calculates s=k _i ^-1(e+d _iR) modn is if s=0 then forwards calculating (x to _i, y _i)=d _iP; Last bidder B _iThe signature that obtains be integer (r, s);

C) checking of bidder's digital signature

Suppose bidder B _iThe digital signature of announcing be (r ', s '), the marked price data after the encryption that auction center receives are E _i'.SHA-1 hashed value e'=H (E at first calculates according to bidder ID in auction center _i' || B _i), if the digital signature parameter r ' that announces, s ' is not in interval [1, n-1], then refusal is signed; Otherwise calculating c=(s'] ^-1Modn, u ₁=e'cmodn and u ₂=r'cmodn, (x _i, y _i)=u ₁P+u ₂If Q is (x _i, y _i) be infinite point, then the refusal signature is changed x at last _iBe decimal integer

If r '=v then bidder B _iSignature be real, if r ' ≠ v then bidder B _iMessage may be distorted or used incorrect signature, perhaps sign from assailant's forgery, the signature be considered to invalid.

The present invention possesses following technique effect:

The present invention is purpose with the various character that satisfy electronic auction, has proposed the sealed type auction scheme that can openly verify.In the hope of the environment of a comparatively fair safety can be provided for the electronic auction industry, strengthen bidder and auctioneer to the trust of electronic auction, convenient user's auction behavior.The beneficial effect of expection comprises:

1) satisfies the requirement of sealed electronic auction protocol.The electronic auction agreement of safety need satisfy fairness, non-repudiation, requirements such as unforgeable, verifiability, marked price confidentiality.The present invention requires the bidder to provide digital signature to carry out authentication when participating in auction and confirming the winning bidder by using the ECDSA Digital Signature Algorithm, has satisfied non-repudiation and unforgeable.Agreement is carried out elliptic curve cryptography in the bidding period to marked price, and use the solution of millionaire's problem in the sort algorithm in many ways, the encryption marked price that can send all bidders under the situation of not revealing marked price is sorted, preceding M+1 position is auction triumph side, has satisfied fairness and marked price confidentiality.

2) satisfy the lower requirement of computation complexity and communication complexity.Suppose that all auctioneers are honest, need carry out 2n subelliptic curve in the auction stage asks multiplication more doubly to finish the vectorial encryption of marking the price, need also need to carry out 2n subelliptic curve in the opening of bid stage asks multiplication more doubly to finish to encrypting the deciphering of marked price vector, so the computation complexity of agreement optimum is Ο (n).Agreement signature verification, auction stage and opening of bid stage all only need one to take turns and communicate by letter, so the communication complexity of agreement is Ο (3).

3) realized preventing the requirement that bidder and auction room or the seller conspire.The invention scheme has the character of open checking, and namely the bidder can openly verify the size that the bidder marks the price mutually behind opening of bid, has avoided auction room and bidder to conspire.

4) satisfy the user can be not online requirement simultaneously.This invention is after the bidder sends to auction room with oneself encryption marked price, draws winning bidder's price and winning bidder's signing messages by auction room's unified calculation, announces acceptance of the bid information at announcement board then.Can carry out open checking if the bidder has a question, whole process does not need the bidder simultaneously online.

Description of drawings

Accompanying drawing 1: auction illustraton of model.

Accompanying drawing 2: security protocol hierarchical chart in many ways.

Accompanying drawing 3: electronic auction scheme illustraton of model.

Accompanying drawing 4: auction scheme activity diagram.

Embodiment

The present invention is directed to the deficiencies in the prior art, by studying security protocol in many ways, utilize relatively agreement of ellipse curve signature physique (ECDSA), elliptic curve cryptosystem and enciphered data, designed a kind of sealed electronic auction protocol scheme safe, that can openly verify.Auction center has served as the function of registration center simultaneously in this scheme, but because agreement has the openly property verified, has limited the right of auction center, has prevented manipulations such as auction center and bidder or the seller conspire.This scheme had both satisfied the actual needs of electronic auction, also well ensured the desired security feature of electronic auction, and can under the situation of not revealing winning bidder and middle marked price, be relatively easy to the bid result is verified, compare with other schemes, less calculating and communication cost are arranged.

As can be known described by preamble, existing electronic auction agreement is difficult to satisfy the requirement of many real trades.Trace it to its cause is that this requires the participation of trusted third party on the one hand, has also increased the agreement complexity of calculation on the other hand because fail safe and the fairness of transaction can not well satisfy.The present invention by utilizing basic agreement, proposes a kind of sealed electronic auction scheme that can openly verify to be calculated as the basis safely in many ways, and scheme satisfies the character of asking of concluding the business and wanting, and reduces the complexity of concluding the business.Main contents comprise:

1) because some auctions need marked price to maintain secrecy, can not announce the actual value of marked price.When auctioning; auction center provides a key that participates in auction right for the bidder; the present invention utilizes bidder's PKI that elliptic curve cryptosystem is carried out in marked price and encrypts; elliptic curve cryptosystem is one of three class public key cryptography physique safely and effectively; can protect bidder's marked price efficiently, realize the confidentiality of marked price.

2) utilize ellipse curve signature physique (ECDSA) that the bidder is carried out authentication.The bidder utilizes the marked price information of private key digital signature oneself, and the signing messages with oneself before carrying out auction is published among the announcement board BBS1, carries out the checking of identity.Prevent that the bidder from denying or forging auction information after opening of bid.

3) existing auction protocol often has characteristics such as computational complexity.Digital signature of the present invention and marked price are all used based on elliptic curve cryptosystem in the encryption stage, and this system is celebrated with efficient, can exchange fail safe with the RSA equality strength for the bit of much less, have reduced the complexity of calculation of agreement.Invention utilizes the isomorphism of elliptic curve cryptosystem when openly verifying, obtain the result who needs with smaller calculation.

4) the existing auction protocol that has an auction room mostly exists the threat that auction room and bidder's scheme are closed.The present invention utilizes the isomorphism of elliptic curve cryptosystem to use relatively agreement of enciphered data, makes the bidder can carry out the open price checking after auction, reduces the danger that auction room and bidder scheme is closed.

The present invention passes through analysis of classical key technology and the system model of security protocol in many ways, binding site with reality is proposed, then with the security requirement of satisfying electronic auction system for setting out substantially, be cutting point with high efficiency and practicality, propose the sealed electronic auction scheme that openly to verify.When the user participated in electronic auction, this programme had been protected bidder's information security on the one hand, and the secret fairness that reaches between the bidder of marked price has also reduced the complexity in the computational process on the other hand.Scheme at first requires the bidder that marked price is encrypted, and uses the ECDSA Digital Signature Algorithm to carry out authentication then, has satisfied requirements such as fail safe, non-repudiation, marked price confidentiality.Announce winning bidder's signature by auction room's deciphering at last, the winning bidder need send to auction room's identity verification to the encrypted random number of oneself, has satisfied fairness, unforgeable.Specifically be described below:

1) auction room sets up cipher key system

Auction room according to elliptic curve cryptosystem choose elliptic curve E (a, b) and E (a, b) the some p (x who has Prime Orders n on _p, y _p) as the essential information of encryption system, x _pAnd y _pThe coordinate anyhow of difference representative point P.And between interval [1, n-1], select a random integers d _iAs bidder B _iPrivate key (i ∈ [1, n], the sequence number that takes part in auction of expression bidder), B then _iPKI be pk-B _i=d _iP announces bidder's PKI.

2) marked price is encrypted and deciphering

A) bidder B _iUse PKI pk-B _iMarked price is encrypted

Bidder B _iAt first with original marked price M _iBe expressed as a field element m _i∈ GF (P) selects a random integers k then between [1, n-1] _i, calculation level (x _q, y ₁)=k _iP and point (x ₂, y ₂)=k _iQ(Q=pk-B _i), if x ₂Reselect random integers k for=0, calculate c=mx ₂, at last with data (x ₁, y ₁, c) send to auction center, as the marked price data encrypted.

B) auction center is decrypted process

When bidder B receives in auction center _iMarked price ciphertext (x ₁, y ₁, c) after, auction center should at first use bidder B _iPrivate key d _iCalculation level (x ₂, y ₂)=d _i(x ₁, y ₁), then by calculating m=cx ₂ ^-1Recover bidder B _iOriginal marked price m _i

3) bidder's digital signature and checking

The digital signature scheme that the bidder uses is the ellipse curve signature system, and the benefit of doing like this is can use same key right in digital signature and marked price encryption stage.

A) bidder generates eap-message digest

The Auction ID of supposing the bidder is B _i, the marked price ciphertext is E _i(x ₁, y ₁, c), calculate its hashed value e=H(E with the SHA-1 hash function _i(x ₁, y ₁, c) || B _i), then e is bidder's eap-message digest.

B) bidder carries out digital signature

The bidder uses private key d _iCalculate the point (x of elliptic curve _i, y _i)=d _iP changes x then _iBe decimal integer

If

If r=0, then private key d is redistributed in prompting _iThen the bidder calculates s=k _i ^-1(e+d _iR) modn is if s=0 then forwards calculating (x to _i, y _i)=d _iP.Last bidder B _iThe signature that obtains be integer (r, s).

C) checking of bidder's digital signature

Suppose bidder B _iThe digital signature of announcing be (r ', s '), the marked price data after the encryption that auction center receives are E _i'.

SHA-1 hashed value e'=H (E at first calculates according to bidder ID in auction center _i' || B _i), if the digital signature parameter r ' that announces, s ' is not in interval [1, n-1], then refusal is signed; Otherwise calculate c=(s') ^-1Modn, u ₁=e'cmodn and u ₂=r'cmodn, (x _i, y _i)=u ₁P+u ₂If Q is (x _i, y _i) be infinite point, then refusal is signed.Change x at last _iBe decimal integer

If r '=v then bidder B _iSignature be real, if r ' ≠ v then bidder B _iMessage may be distorted or used incorrect signature, perhaps sign from assailant's forgery, the signature be considered to invalid.

4) bidder's checking of marking the price

The open checking of marking the price to the bidder based on " millionaire " protocol scheme of Parisa Kaghazgaran and Babak Sadeghyan proposition in the auction center, because what use was encrypted in marked price in this auction model is elliptic curve cryptosystem, and elliptic curve cryptosystem is the homomorphism cryptographic system, can be encrypted the comparison of data easily.Amount of calculation and the traffic of agreement have been significantly reduced like this.Suppose bidder B _iTo marked price m ₁And m ₂Propose the checking application, then the concrete marked price proof procedure of auction room's execution is as follows:

A) the bidder B of auction center _iPKI be pk-B _iTo the m that marks the price respectively ₁And m ₂Be encrypted,

Be expressed as and use PKI pk-B _iThe encryption function of encrypting obtains encrypted result and is

B) auction center chooses a random integers R and uses bidder B _iPKI for this integer is encrypted, the encrypted result that obtains is $E_{\mathrm{pk}-B_i}\left(R\right).$

C) train value down calculates in auction center, and computation purpose is in order to prevent bidder B _iLearn marked price m ₁And m ₂Actual value.

D) auction center is to bidder B _iSend $E_{\mathrm{pk}-B_i}(m_1+R)$ With $E_{\mathrm{pk}-B_i}(m_2+R).$

E) bidder B _iUse private key d _iThe data deciphering that auction center is sent obtains, Be expressed as and use PKI d _iThe decryption function of deciphering

$D_{d_i}\left(E_{\mathrm{pk}-B_i}(m_1+R)\right)=m_1+R,D_{d_i}\left(E_{\mathrm{pk}-B_i}(m_2+R)\right)=m_2+R.$

Because R is identical random number, just can simply obtain the size of x and y.

5) detailed process of electronic auction scheme

Fig. 3 has provided the roughly framework of electronic auction scheme, and the detailed step of protocol model is as follows:

A) preparatory stage

Auction room's public address system parameter, the elliptic curve of selecting for use is E, basic point is p, the seller registers to auction room, after being verified as validated user, the access authentication identity, the auctioner announces the auction items information that takes part in auction and has issued marked price at BBS2 and is m then, the bidder who participates in registers to auction room, and the legal bidder of auction behavior provides an interim competitive bidding identity B _i

Auction room is to bidder B _iSend B _iParticipate in the PKI Q of auction _iWith private key d _i, undocumented private key d wherein _iBe the random integers between [1, n-1], PKI pk _i=d _i* p, and at BBS1 announcement bidder B _iPKI pk _i, be used for the mutual certifying signature of bidder and marked price encryption.

B) bidding period

Bidding period is mainly used ECDSA signature system and elliptic curve cryptography system, the marked price Qualify Phase based on

Millionaire's agreement is verified the size of encrypting marked price to the bidder.

If the bidder is B _iArticle M there is auction interest, then sends the encryption marked price information signature (r of oneself _i, s _i) to auction center and announcement, after authentication is passed through, be encrypted the announcement of marked price by auction center, owing to announce among the announcement board BBS1 that bidder B is arranged _iPKI, then all participants can be to B _iCarry out authentication.

C) the opening of bid stage

When reaching End of Auction during the moment, auction center is decrypted the marked price after encrypting among the announcement board BBS1, obtains all bidders' original marked price.Choosing preceding M higher bidder of auction valency is the winning bidder, chooses marked price that M+1 bidder send for acceptance of the bid marked price (be example with the M+1 auction), announces winning bidder's information and marked price in announcement board BBS2.Winning bidder B _x(x ∈ [1, n], the sequence number that the expression winning bidder takes part in auction) is with the private key d of oneself _xSend to auction center, checking winning bidder identity.

D) open checking marked price

If the suitor is B _jOneself is not got the bid doubt, can propose marked price checking application to auction center, utilize target fairness in " millionaire " protocol verification.B _jSelect two to encrypt competitive bidding valency (B at random _jExcept), the B of auction center _jPKI pk-B _jOriginal competitive bidding valency is encrypted, and auction center carries out the encryption with random number chosen of random number according to agreement then, at last the information that obtains is sent to B _j, B _jJust can compare the size of marked price.Owing to can verify mutually between the bidder, strengthen the fairness of auction.

Auction scheme below by the sealed electronic that a M+1 auction model instance is showed openly to verify.Wherein Fig. 4 is auction scheme activity diagram.

1) system's preparatory stage

With 5 bidder (B ₁, B ₂, B ₃, B ₄, B ₅) 2 M of auction article are as example, wherein the marked price that rises of commodity is m, considers elliptic curve E _p(a, b), basic point is G.If auction center distributes to 5 private keys that participate in the bidder and is respectively (d ₁, d ₂, d ₃, d ₄, d ₅), then PKI is (pk-B ₁=d ₁G, pk-B ₂=d ₂G, pk-B ₃=d ₃G, pk-B ₄=d ₄G, pk-B ₅=d ₅G).

Publish data such as table 1 and the table 2 of preparatory stage announcement board BBS1 and BBS2:

Bidder ID	Bidder's PKI
		B 1	pk-B 1
B 2	pk-B 2
		B 3	pk-B 3
B 4	pk-B 4
		B 5	pk-B 5

Table 1: preparatory stage BBS1 data

Trade name	M
		The commodity trigger price	m

Table 2: preparatory stage BBS2 data

2) bidding period

Suppose bidder (B ₁, B ₂, B ₃, B ₄, B ₅) bid price be followed successively by: m ₁, m ₂, m ₃, m ₄, m ₅, the result after then marked price being encrypted is

E(m ₁)＝(x ₁₁,y ₁₁,c ₁),E(m ₂)＝(x ₁₂,y ₁₂,c ₂),E(m ₃)＝(x ₁₃,y ₁₃,c ₃),

E(m ₄)＝(x ₁₄,y ₁₄,c ₄),E(m ₅)＝(x ₁₅,y ₁₅,c ₅)。

Join the result that the bidder carries out digital signature to the marked price encrypted result then and be S _B1=(r ₁, s ₁), S _B2=(r ₂, s ₂), S _B3=(r ₃, s ₃), S _B4=(r ₄, s ₄), S _B5=(r ₅, s ₅) to auction center, by auction center announce and, the checking of signature, checking is announced marked price after the bidder encrypts by back auction center at announcement board BBS1.

Publish data such as the table 3 of bidding period announcement board BBS1, the publish data of BBS2 is constant.

Bidder ID	Bidder's PKI	Bidder's signature	The bidder encrypts marked price
				B 1	pk-B 1	S B1＝(r 1,s 1)	E(m 1)＝(x 11,y 11,c 1)
B 2	pk-B 2	S B2＝(r 2,s 2)	E(m 2)＝(x 12,y 12,c 2)
				B 3	pk-B 3	S B3＝(r 3,s 3)	E(m 3)＝(x 13,y 13,c 3)
B 4	pk-B 4	S B4＝(r 4,s 4)	E(m 4)＝(x 14,y 14,c 4)
				B 5	pk-B 5	S B5＝(r 5,s 5)	E(m 5)＝(x 15,y 15,c 5)

Table 3: bidding period BBS1 data

3) the opening of bid stage

Auction center obtains the enciphered data E (m that the bidder sends ₁), E (m ₂), E (m ₃), E (m ₄), E (m ₅) after, use its private key d respectively ₁, d ₂, d ₃, d ₄, d ₅Enciphered data is decrypted, recovers suitor's original marked price m ₁, m ₂, m ₃, m ₄, m ₅Auction center selects preceding 2 bidder of marked price (to be assumed to be B then ₁And B ₄) be the winning bidder, the 3rd marked price (is assumed to be m ₃) be tender price.

Publish data such as the table 4 of opening of bid stage announcement board BBS2, the publish data of BBS1 is constant.

Trade name	M
		The commodity trigger price	m
Mark the price in the commodity	m 3
		Winning bidder ID	B 1And B 4

Table 4: opening of bid stage B BS2 data

4) open checking marked price

Suppose bidder B ₂The result doubts to opening of bid, and carries out bidder B to auction center's application ₁And B ₅Marked price checking.

A) auction center chooses B ₂PKI pk-B ₂

B) auction center is to bat person B ₁And B ₅Marked price m ₁And m ₅Use PKI pk-B ₂Carry out elliptic curve cryptography, obtain encrypted result E ' (m ₁) and E ' (m ₅).

C) auction center chooses random integers R, and to R PKI pk-B ₂Carry out elliptic curve cryptography, obtain encrypted result E ' (R).

D) calculate

With

And result of calculation sent to B ₂

E) B ₂Utilize the private key d of oneself ₂The result that auction center is sended over is decrypted, and obtains m ₁+ R and m ₅+ R draws marked price m ₁＞m ₅, obtain correct checking result.

5) electronic auction plan-validation

A) fairness: the auction scheme only allows each bidder to send once the encryption marked price of oneself, after the auction time ends, announces acceptance of the bid information by auction room's deciphering.Not existing to send the auctioneer of marked price earlier for winning bidder's situation, all is fair to all this models of participation bidder.

B) non-repudiation, verifiability: the auction scheme requires each bidder private key with oneself when participating in auction that message is carried out digital signature, because bidder's private key is different, have only bidder itself can the ID of oneself be signed, others can not forge, thus send have a non-repudiation.If same bidder denies the marked price of oneself, can confirm with digital signature, so the auction scheme has non-repudiation.

C) marked price confidentiality: the auction scheme uses elliptic curve encryption algorithm that marked price is encrypted, elliptic curve encryption algorithm is based on known elliptic curve E and put p, generate an integer d at random, calculate Q=d * p easily, but given Q calculates the just discrete logarithm problem of relative difficulty of d with p.Elliptic curve encryption algorithm is considered to one of three big secure cryptographic algorithm so far, can not break through in the limited time, so the auction scheme has the marked price confidentiality.

D) bidder's anonymity: in whole auction scheme, unique identity ID that the bidder uses auction center to distribute always submits a tender and takes part in auction.And identity ID has only the bidder to know, the assailant is difficult to obtain, so the auction scheme also has good bidder's anonymity.

Claims (3)

1. sealed electronic auction scheme and verification method based on a security protocol in many ways is characterized in that, comprise the following steps:

1) auction room sets up cipher key system

Auction room according to elliptic curve cryptosystem choose elliptic curve E (a, b) and E (a, b) the some p who has Prime Orders n on) x _p, y _p) as the essential information of encryption system, wherein, x _pAnd y _pThe coordinate anyhow of difference representative point p; And between interval [1, n-1], select a random integers d _iAs bidder B _iPrivate key, i ∈ [1, n], the sequence number that takes part in auction of expression bidder, B _iPKI be pk _i-B _i=d _iP announces bidder's PKI;

2) marked price is encrypted and deciphering

A) bidder B _iUse PKI pk _i-B _iMarked price is encrypted

Bidder B _iAt first with oneself original marked price M _iBe expressed as a field element m _i∈ GF (p) selects a random integers k then between [1, n-1] _i, calculation level (x _i, y _i)=k _iP and point (x ₂, y ₂)=k _iQ, Q=pk _i-B _iIf, x ₂Reselect random integers k for=0, calculate c=m _ix ₂, at last with data (x ₁, y ₁, c) send to auction center, as the marked price data encrypted;

B) auction center is decrypted process

When bidder B receives in auction center _iMarked price ciphertext (x ₁, y ₁, c) after, auction center should at first use bidder B _iPrivate key d _iCalculation level (x ₂, y ₂)=d _i(x ₁, y ₁), then by calculating m _i=cx ₂ ^-1Recover bidder B _iOriginal marked price m _i

3) bidder's digital signature and checking

The digital signature scheme that the bidder uses is the ellipse curve signature system;

4) bidder's checking of marking the price

The open checking of marking the price to the bidder based on " millionaire " protocol scheme of Parisa Kaghazgaran and Babak Sadeghyan proposition in the auction center, the concrete marked price proof procedure that auction room carries out is as follows:

A) the bidder B of auction center _iPKI be pk-B _iRespectively to marked price m ₁And m ₂Be encrypted,

Be expressed as and use PKI pk-B _iThe encryption function of encrypting obtains encrypted result and is

B) auction center chooses a random integers R and uses bidder B _iPKI for this integer is encrypted, the encrypted result that obtains is $E_{\mathrm{pk}-B_i}\left(R\right);$

C) train value down calculates in auction center, and computation purpose is in order to prevent bidder B _iLearn marked price m ₁And m ₂Actual value.

D) auction center is to bidder B _iSend $E_{\mathrm{pk}-B_i}(m_1+R)$ With $E_{\mathrm{pk}-B_i}(m_2+R);$

E)

Expression private key d _iThe decryption function that is decrypted, bidder B _iUse private key d _iThe data deciphering that auction center is sent obtains

$D_{d_i}\left(E_{\mathrm{pk}-B_i}(m_1+R)\right)=m_1+R,D_{d_i}\left(E_{\mathrm{pk}-B_i}(m_2+R)\right)=m_2+R;$

Because R is identical random number, just can simply obtain the size of x and y.

2. sealed electronic auction scheme and verification method based on security protocol in many ways according to claim 1 is characterized in that the detailed process of electronic auction scheme is:

A) preparatory stage

Auction room's public address system parameter, the elliptic curve of selecting for use is E, basic point is p, the seller registers to auction room, after being verified as validated user, the access authentication identity, the auctioner announces the auction items information that takes part in auction and has issued marked price at BBS2 and is m then, the bidder who participates in registers to auction room, and the legal bidder of auction behavior provides an interim competitive bidding identity B _i

Auction room is to bidder B _iSend B _iParticipate in the PKI pk-B of auction _iWith private key d _i, undocumented private key d wherein _iBe the random integers between [1, n-1], PKI pk _i=d _i* p, and at BBS1 announcement bidder B _iPKI pk _i, be used for the mutual certifying signature of bidder and marked price encryption;

B) bidding period

Bidding period is mainly used ECDSA signature system and elliptic curve cryptography system, based on millionaire's agreement, verifies the size of encrypting marked price at the marked price Qualify Phase to the bidder;

If the bidder is B _iArticle M there is auction interest, then sends the encryption marked price information signature (r of oneself _i, s _i) to auction center and announcement, after authentication is passed through, be encrypted the announcement of marked price by auction center, owing to announce among the announcement board BBS1 that bidder B is arranged _iPKI, then all participants can be to B _iCarry out authentication;

C) the opening of bid stage

When reaching End of Auction during the moment, auction center is decrypted the marked price after encrypting among the announcement board BBS1, obtain all bidders' original marked price, choosing preceding M higher bidder of auction valency is the winning bidder, the marked price of choosing M+1 bidder's transmission is the acceptance of the bid marked price, in announcement board BBS2, announce winning bidder's information and marked price, winning bidder B _xWith the private key d of oneself _xSend to the x ∈ of auction center [1, n], the sequence number that the expression winning bidder takes part in auction, checking winning bidder identity;

D) open checking marked price

If the suitor is B _jDoubt j ∈ [1, n] to oneself not getting the bid, the sequence number that the expression bidder takes part in auction can propose marked price checking application to auction center, utilizes target fairness in " millionaire " protocol verification.B _jSelect two to encrypt competitive bidding valency, B at random _jExcept, the B of auction center _jPKI pk-B _jOriginal competitive bidding valency is encrypted, and auction center carries out the encryption with random number chosen of random number according to agreement then, at last the information that obtains is sent to B _j, B _jJust can compare the size of marked price.

3. sealed electronic auction scheme and verification method based on security protocol in many ways according to claim 1 is characterized in that the digital signature scheme that the bidder uses is the ellipse curve signature system, is specially:

A) bidder generates eap-message digest

The Auction ID of supposing the bidder is B _i, i ∈ [1, n], the sequence number that the expression bidder takes part in auction, the marked price ciphertext is E _i(x ₁, y ₁, c), encrypted by auction second stage marked price, calculate its hashed value e=H(E with the SHA-1 hash function _i(x ₁, y ₁, c) || B _i), H is the Hash hash function, then e is bidder's eap-message digest;

B) bidder carries out digital signature

The bidder uses private key d _iCalculate the point (x of elliptic curve _i, y _i)=d _iP, elliptic curve are E, and basic point is p, changes x then _iBe decimal integer

If

If r=0, then private key d is redistributed in prompting _i, then the bidder calculates s=k _i ^-1(e+d _iR) modn is if s=0 then forwards calculating (x to _i, y _i)=d _iP; Last bidder B _IThe signature that obtains be integer (r, s);

C) checking of bidder's digital signature

Suppose bidder B _iThe digital signature of announcing be (r ', s '), the marked price data after the encryption that auction center receives are B _i'.SHA-1 hashed value e'=H(E at first calculates according to bidder ID in auction center _i' || B _i), if the digital signature parameter r ' that announces, s ' is not in interval [1, n-1], then refusal is signed; Otherwise calculate c=(s') ^-1Modn, u ₁=e ＇ cmodn and u ₂=r ＇ cmodn, (x _i, y _i)=u ₁P+u ₂If Q is (x _i, y _i) be infinite point, then the refusal signature is changed x at last _iBe decimal integer

If r '=v then bidder B _iSignature be real, if r ' ≠ v then bidder B _iMessage may be distorted or used incorrect signature, perhaps sign from assailant's forgery, the signature be considered to invalid.

Images