CN105072092A - Improved first-price sealed auction method with comparable encryption - Google Patents

Publication number
CN105072092A
Authority
CN
China
Prior art keywords
auction
bidder
hash
valency
higher value
Legal status
Pending
Application number
CN201510418478.0A
Other languages
Chinese (zh)
Inventor
陈晓峰
朱怡潇
刘亮
Current Assignee
Xidian University
Original Assignee
Xidian University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/46 Secure multiparty computation, e.g. millionaire problem
    • H04L2209/466 Electronic auction


Abstract

The invention discloses an improved first-price sealed auction method with comparable encryption. Based on comparable encryption and multilinear maps, an efficient first-price sealed auction scheme is proposed that optimizes the number of communication rounds between the auctioneer and the bidders and greatly reduces the workload that those rounds impose on bidders: only one round of communication is needed between the auctioneer and the bidders, and all the security requirements of a first-price sealed auction are satisfied.

Description

An improved first-price sealed auction method with comparable encryption
Technical field
The present invention relates to the technical field of data communication, and specifically to an improved first-price sealed auction method with comparable encryption.
Background art
Compared with their traditional counterparts, network-driven services and applications have irreplaceable advantages. For example, electronic voting makes the tallying of voting results more reliable and greatly facilitates voters, who can cast their votes without leaving home; electronic cash has greatly promoted the development of paperless currency. Electronic auctions, an e-commerce activity carried out between an auctioneer and bidders, have gradually become a common part of life as e-commerce has developed. At the same time, the security problems of electronic auctions, and of sealed auctions in particular, have become increasingly severe. For example, because a bid depends strictly on the bidder's valuation of the auctioned item and to some extent reflects the wishes of the auctioneer, how to protect the privacy of bids is a security problem that deserves careful consideration. Suppose that in a sealed auction a bid price is leaked to other bidders: that price will then play a role in later auctions or negotiations, which means that the basic fairness of the sealed auction has been destroyed.
To address these security problems, many schemes based on multi-party computation and secret sharing have been proposed. Document [1] points out two kinds of collusion attack that exist in sealed auctions, namely collusion between the auctioneer and bidders and collusion among bidders, but that scheme cannot fully resist these attacks. Documents [2] and [3] propose schemes based on homomorphic secret sharing; these schemes need either a polynomial number of communication rounds or a heavy amount of computation.
In a secure auction scheme, protecting the confidentiality and privacy of bids is very important. Usually the privacy of bids rests on some trusted entities: for example, existing secure auction schemes typically use multiple auctioneers to set up a threshold mechanism, or protect the privacy of bids through multi-party computation. These schemes usually need a large number of communication rounds, which in some scenarios is unacceptable to bidders. Bidders taking part in an electronic auction are under no obligation to stay online in order to keep communicating with the auctioneer or other bidders, so the number of communication rounds is a performance measure that deserves close attention.
Some existing schemes, such as those in documents [4] and [1], achieve a constant number of communication rounds, but they either cannot satisfy verifiability and fairness or can only be carried out in the random oracle model. So far there is no efficient scheme that needs only one round of communication while meeting the existing security requirements.
After Franklin et al. first designed and implemented a distributed service scheme for sealed auctions in document [5], a variety of schemes were proposed.
Document [4] proposes a scheme based on homomorphic encryption. Unlike general secure circuit evaluation, this scheme takes the number of layers at each gate into account, and the gates in the scheme can accept an unbounded number of inputs. Although the scheme needs only a constant number of communication rounds, it cannot satisfy verifiability and fairness.
To solve the problems of the above scheme, document [3] describes a new first-price sealed auction scheme based on secret sharing. However, the correctness of the result and the fairness of the process rest on heavy computation. Moreover, the scheme protects the privacy of bids with a gate-based method, which means a large number of communication rounds.
The author of document [1] constructs a scheme with a constant number of communication rounds, built on the partially homomorphic ElGamal encryption scheme. However, a zero-knowledge proof is indispensable in every communication round of the scheme. In addition, the scheme must be carried out in the random oracle model.
To meet the needs of practical applications, the authors of document [6] propose a scheme that solves the anonymity problem between two auctioneers; it still uses zero-knowledge proofs. The scheme can be applied widely in any sensitive auction setting, but the inefficiency of zero-knowledge proofs leads to a large number of communication rounds.
Besides the first-price sealed auction schemes mentioned above, document [7] proposes a method for secure function evaluation based on ciphertexts and also proposes a "MixandMax" auction scheme. Document [8] focuses on the Dutch auction; the main difference between this auction and a sealed auction scheme is that in the latter bidders must fix their bids in advance. There are also schemes like that of document [9], whose authors focus on the anonymity problem in English auctions. Documents [10] and [11] present an overview of their research field and a sealed multi-attribute online reverse auction scheme.
In document [12], Yao describes a novel scheme called best guess, which uses an additional estimate to reduce an auction with "k items, n bidders" to an auction with "k items, 1 bidder". The author shows that this technique can be used to address central questions in optimal auction theory, such as the power of randomization and the comparison between Bayesian and dominant-strategy implementations.
In document [13], the authors regard the size of the list of items offered in an auction as a measure of auction complexity. In addition, document [11] shows, from the perspective of demand uncertainty, the advantage of the first-price auction over other auction methods for a risk-neutral retailer.
Some documents, such as [14] and [15], study how to protect the privacy of bids in sealed auctions. In these two articles the authors prove that a first-price sealed auction scheme with perfect secrecy exists. However, the complexity of that scheme is exponential, and no efficient solution exists.
[1] Brandt F, "How to obtain full privacy in auctions", International Journal of Information Security, 5(4): 201-216 (2006).
[2] Nojoumian M, Stinson D R, "Efficient Sealed-Bid Auction Protocols Using Verifiable Secret Sharing", Information Security Practice and Experience. Springer International Publishing: 302-317 (2014).
[3] Peng K, Boyd C, Dawson E, "Optimization of electronic first-bid sealed-bid auction based on homomorphic secret sharing", Progress in Cryptology - Mycrypt: 84-98 (2005).
[4] Baudron O, Stern J, "Non-interactive private auctions", Financial Cryptography: 364-377 (2002).
[5] Franklin M K, Reiter M K, "The design and implementation of a secure auction service", Software Engineering, IEEE Transactions on, 22(5): 302-312 (1996).
[6] Li M J, Juan J S T, Tsai J H C, "Practical electronic auction scheme with strong anonymity and bidding privacy", Information Sciences, 181(12): 2576-2586 (2011).
[7] Jakobsson M, Juels A, "Mix and match: Secure function evaluation via ciphertexts", Advances in Cryptology - ASIACRYPT 2000. 162-177 (2000).
[8] Nojoumian M, Stinson D R, "Unconditionally secure first-price auction protocols using a multicomponent commitment scheme", Information and Communications Security. 266-280 (2010).
[9] Chen N, Gravin N, Lu P, "Optimal competitive auctions", Proceedings of the 46th Annual ACM Symposium on Theory of Computing. ACM: 253-262 (2014).
[10] Pham L, Teich J, Wallenius H, et al, "Multi-attribute online reverse auctions: Recent research trends", European Journal of Operational Research, 242(1): 1-9 (2015).
[11] Budde M, Minner S, "First- and second-price sealed-bid auctions applied to push and pull supply contract", European Journal of Operational Research, 237(1): 370-382 (2014).
[12] Yao A C C, "An n-to-1 Bidder Reduction for Multi-item Auctions and its Applications", arXiv preprint arXiv:1406.3278 (2014).
[13] Hart S, Nisan N, "The menu-size complexity of auctions", arXiv preprint arXiv:1304.6116 (2013).
[14] Brandt F, Sandholm T, "(Im)possibility of unconditionally privacy-preserving auctions", Proceedings of the Third International Joint Conference on Autonomous Agents and Multiagent Systems - Volume 2. IEEE Computer Society, 810-817 (2004).
[15] Brandt F, Sandholm T, "On the existence of unconditionally privacy-preserving auction protocols", ACM Transactions on Information and System Security (TISSEC), 11(2): 6 (2008).
Summary of the invention
In view of the deficiencies of the prior art, the present invention aims to provide an improved first-price sealed auction scheme with comparable encryption: a sealed auction scheme that satisfies the important security properties while needing only one round of communication.
To achieve this goal, the present invention adopts the following technical solution:
An improved first-price sealed auction method with comparable encryption, involving at least two bidders and at least one auctioneer, the method comprising the following steps:
S1: Set up a bulletin board on which each bidder has its own region for writing content; once content has been written to the bulletin board, it can no longer be modified;
S2: Use a multilinear map to generate a unified master key mkey among all bidders;
S3: Each bidder $B_i$ generates its own token and ciphertext, where i is the auction sequence number that each bidder obtains when the auction starts;
S4: Each bidder sends the ciphertext and token obtained in step S3 to the auctioneer, who compares them in order of the bidders' auction sequence numbers: the ciphertext of the first bidder is first compared with the ciphertext of the next bidder to obtain the larger value, this larger value is then compared with the ciphertext of the next bidder, and so on, until the ciphertexts of all bidders have taken part in the comparison and the maximum of all bidders' ciphertexts is obtained;
S5: The auctioneer publishes on the bulletin board the token corresponding to the maximum obtained in step S4. The bidder who recognizes itself as the winner sends its bid and the corresponding ciphertext to the auctioneer, where the bid serves as the winning price and the corresponding ciphertext serves as proof of identity. The auctioneer uses the random value contained in the ciphertext to check whether the bidder who submitted the bid is the final winner; once verification passes, the auctioneer publishes the bid on the bulletin board.
It should be noted that one implementation of step S2 is as follows:
2.1) Suppose there are n bidders and 1 auctioneer; n-1 groups G are therefore selected when using the multilinear map;
2.2) Each bidder $B_i$ ($i=1,2,3,\ldots,n$) randomly selects a secret random value $s_i \leftarrow \{0,1\}^\kappa$, where $\{0,1\}^\kappa$ denotes the $\{0,1\}$ bit strings of length $\kappa$; each bidder $B_i$ then writes its corresponding value on the bulletin board so that all entities taking part in the auction can see it, where $g$ is the generator of the first group $G_1$;
2.3) The i-th bidder $B_i$ evaluates the multilinear map as follows:
$$\hat{e}(g^{s_1},\ldots,g^{s_{i-1}},g^{s_{i+1}},\ldots,g^{s_n}) = \hat{e}(g,\ldots,g,g,\ldots,g)^{s_1\cdots s_{i-1}s_{i+1}\cdots s_n} = g_{n-1}^{s_1\cdots s_{i-1}s_{i+1}\cdots s_n};$$
where $g_{n-1}$ is the generator of the (n-1)-th group $G_{n-1}$;
2.4) From the result of step 2.3), the master key mkey is computed:
$$mkey = \left(g_{n-1}^{s_1\cdots s_{i-1}s_{i+1}\cdots s_n}\right)^{s_i} = g_{n-1}^{\prod_{i=1}^{n}s_i}.$$
On the basis of the above implementation of step S2, step S3 is implemented as follows:
3.1) Define a hash function $Hash: \{0,1\}^\kappa \times \{0,1\}^{4+\kappa+1} \to \{0,1\}^\kappa$, where $\{0,1\}^\kappa$ and $\{0,1\}^{4+\kappa+1}$ denote the $\{0,1\}$ bit strings of length $\kappa$ and $4+\kappa+1$ respectively;
3.2) Let the parameter param = (m, Hash), where m is the length of a bid. For the bid of the i-th bidder $B_i$, $b_{i,j}$ denotes the j-th bit of that bid, $j=0,1,\ldots,m-1$. The token $token_i$ of bidder $B_i$ is generated with the following formula:
$token_i=(d_{i,0},d_{i,1},\ldots,d_{i,m})$;
where $d_{i,0},d_{i,1},\ldots,d_{i,m}$ denote bits 0 to m-1 of the token $token_i$ of the i-th bidder $B_i$, with:
$d_{i,m}=Hash(mkey,(0,0^\kappa,0))$;
$d_{i,j}=Hash(mkey,(1,d_{i,j+1},b_{i,j})),\ j=m-1,\ldots,0$;
where $0^\kappa$ denotes the all-zero string of length $\kappa$;
3.3) $B_i$ randomly selects $r_i \leftarrow \{0,1\}^\kappa$ and generates:
$c_{i,j}=Hash(d_{i,j},(2,r_i,0))$;
$e_{i,j}=Hash(mkey,(4,d_{i,j+1},0))+b_{i,j} \bmod 3$;
$f_{i,j}=Hash(d_{i,j+1},(5,r_i,0))+e_{i,j} \bmod 3$;
where $j=m-1,\ldots,0$;
Finally, bidder $B_i$ obtains its ciphertext:
$ciph_i=(r_i,(c_{i,0},\ldots,c_{i,m-1}),(f_{i,0},\ldots,f_{i,m-1}))$;
where $r_i$ is the random value that the auctioneer uses in step S5 to authenticate the winner.
Based on the above implementations of steps S2 and S3, each round of comparing two bidders' ciphertexts in step S4 proceeds as follows:
When the bidder corresponding to the larger value obtained in the previous round and the other bidder taking part in the current round are adjacent:
1) The auctioneer first checks whether there exists a j such that:
where the notation indicates that it holds for any k, and i is the sequence number of the bidder corresponding to the larger value obtained in the previous round;
2) If then the auctioneer can choose either of $ciph_i$ and $ciph_{i+1}$ to compare with the ciphertext of the next bidder, where $ciph_i$ and $ciph_{i+1}$ are the ciphertexts of bidders $B_i$ and $B_{i+1}$ respectively; otherwise the auctioneer computes:
$e_{i,j}=f_{i,j}-Hash(d_{i,j+1},(5,r_i,0)) \bmod 3$;
$e_{i+1,j}=f_{i+1,j}-Hash(d_{i,j+1},(5,r_{i+1},0)) \bmod 3$;
and selects the larger value by the following rule:
If $e_{i,j}-e_{i+1,j}=1 \bmod 3$, then $ciph_i$, as the larger of the two, is compared with the ciphertext of the next bidder; if $e_{i,j}-e_{i+1,j}=2 \bmod 3$, the auctioneer selects $ciph_{i+1}$ to compare with the ciphertext of the next bidder;
When the bidder corresponding to the larger value obtained in the previous round and the other bidder taking part in the current round are separated by one position:
1) The auctioneer first checks whether there exists a j such that:
where the notation indicates that it holds for any k, and i is the sequence number of the bidder corresponding to the larger value obtained in the previous round;
2) If then the auctioneer can choose either of $ciph_i$ and $ciph_{i+2}$ to compare with the ciphertext of the next bidder, where $ciph_i$ and $ciph_{i+2}$ are the ciphertexts of bidders $B_i$ and $B_{i+2}$ respectively; otherwise the auctioneer computes:
$e_{i,j}=f_{i,j}-Hash(d_{i,j+1},(5,r_i,0)) \bmod 3$;
$e_{i+2,j}=f_{i+2,j}-Hash(d_{i,j+1},(5,r_{i+2},0)) \bmod 3$;
and selects the larger value by the following rule:
If $e_{i,j}-e_{i+2,j}=1 \bmod 3$, then $ciph_i$, as the larger of the two, is compared with the ciphertext of the next bidder; if $e_{i,j}-e_{i+2,j}=2 \bmod 3$, the auctioneer selects $ciph_{i+2}$ to compare with the ciphertext of the next bidder.
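The token derivation and encryption of step S3 and the round-by-round comparison of step S4, written out as an added Python example (it is not code from the patent). It assumes HMAC-SHA256 as Hash and a random byte string standing in for the multilinear-map master key mkey; because the condition on j is not reproduced in this text, it also assumes that j is the most significant position at which the other ciphertext's c value no longer matches the token.

```python
import hashlib
import hmac
import secrets

KAPPA = 32  # length of kappa-bit strings in bytes (assumption: kappa = 256)


def H(key: bytes, tag: int, x: bytes, b: int) -> bytes:
    """Hash(key, (tag, x, b)); HMAC-SHA256 is an assumed instantiation."""
    return hmac.new(key, bytes([tag]) + x + bytes([b]), hashlib.sha256).digest()


def H3(key: bytes, tag: int, x: bytes, b: int) -> int:
    """The same hash reduced mod 3, as used for e and f."""
    return int.from_bytes(H(key, tag, x, b), "big") % 3


def bid_bits(bid: int, m: int) -> list:
    """b_0 .. b_{m-1}, with b_{m-1} the most significant bit."""
    if not 0 <= bid < (1 << m):
        raise ValueError("bid does not fit in m bits")
    return [(bid >> j) & 1 for j in range(m)]


def derive_token(mkey: bytes, bid: int, m: int) -> list:
    """Step 3.2: d_m = Hash(mkey,(0,0^k,0)); d_j = Hash(mkey,(1,d_{j+1},b_j))."""
    bits = bid_bits(bid, m)
    d = [b""] * (m + 1)
    d[m] = H(mkey, 0, bytes(KAPPA), 0)
    for j in range(m - 1, -1, -1):
        d[j] = H(mkey, 1, d[j + 1], bits[j])
    return d


def encrypt(mkey: bytes, bid: int, m: int) -> tuple:
    """Step 3.3: ciph = (r, (c_0..c_{m-1}), (f_0..f_{m-1}))."""
    bits = bid_bits(bid, m)
    d = derive_token(mkey, bid, m)
    r = secrets.token_bytes(KAPPA)
    c = [H(d[j], 2, r, 0) for j in range(m)]
    f = []
    for j in range(m):
        e = (H3(mkey, 4, d[j + 1], 0) + bits[j]) % 3
        f.append((H3(d[j + 1], 5, r, 0) + e) % 3)
    return (r, c, f)


def submit(mkey: bytes, bid: int, m: int) -> tuple:
    """What one bidder sends to the auctioneer in step S4: (token, ciphertext)."""
    return (derive_token(mkey, bid, m), encrypt(mkey, bid, m))


def compare(token: list, ciph: tuple, other: tuple) -> int:
    """One round of step S4, run by the auctioneer without mkey.

    token and ciph belong to the current leader, other is the next ciphertext.
    Returns 0 if the bids are equal, 1 if ciph is larger, 2 if other is larger.
    """
    r, c, f = ciph
    r2, c2, f2 = other
    for j in range(len(c) - 1, -1, -1):
        # Assumed search: first position from the top where other stops matching.
        if not hmac.compare_digest(c2[j], H(token[j], 2, r2, 0)):
            e1 = (f[j] - H3(token[j + 1], 5, r, 0)) % 3
            e2 = (f2[j] - H3(token[j + 1], 5, r2, 0)) % 3
            return (e1 - e2) % 3
    return 0


def find_winner(submissions: list) -> int:
    """Sequential comparison in auction-sequence order; returns the winner's index."""
    best = 0
    for i in range(1, len(submissions)):
        token, ciph = submissions[best]
        if compare(token, ciph, submissions[i][1]) == 2:
            best = i
    return best


if __name__ == "__main__":
    mkey = secrets.token_bytes(KAPPA)   # stand-in for the key agreed in step S2
    bids = [37, 120, 95, 120, 8]        # constructed sample bids, m = 8 bits
    subs = [submit(mkey, bid, 8) for bid in bids]
    print("winning sequence index:", find_winner(subs))
```

Because every token is derived from the same mkey and the bid bits alone, two bidders with equal bids send identical tokens, which the auctioneer can see directly.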
Another implementation of step S2 may be:
2.1) Suppose there are n bidders, 1 auctioneer A and an auction publisher AI; n-1 groups G are therefore selected when using the multilinear map;
2.2) Each bidder $B_i$ ($i=1,2,3,\ldots,n$) randomly selects a secret random value $s_i \leftarrow \{0,1\}^\kappa$, where $\{0,1\}^\kappa$ denotes the $\{0,1\}$ bit strings of length $\kappa$; each bidder $B_i$ then writes its corresponding value on the bulletin board so that all entities taking part in the auction can see it, where $g$ is the generator of the first group $G_1$;
2.3) The i-th bidder $B_i$ evaluates the multilinear map as follows:
$$\hat{e}(g^{s_1},\ldots,g^{s_{i-1}},g^{s_{i+1}},\ldots,g^{s_n}) = \hat{e}(g,\ldots,g,g,\ldots,g)^{s_1\cdots s_{i-1}s_{i+1}\cdots s_n} = g_{n-1}^{s_1\cdots s_{i-1}s_{i+1}\cdots s_n};$$
where $g_{n-1}$ is the generator of the (n-1)-th group $G_{n-1}$;
2.4) From the result of step 2.3), the master key mkey is computed:
$$mkey = \left(g_{n-1}^{s_1\cdots s_{i-1}s_{i+1}\cdots s_n}\right)^{s_i} = g_{n-1}^{\prod_{i=1}^{n}s_i}.$$
Based on the above implementation of step S2, another implementation of step S3 is as follows:
3.1) Define a hash function $Hash: \{0,1\}^\kappa \times \{0,1\}^{4+\kappa+1} \to \{0,1\}^\kappa$, where $\{0,1\}^\kappa$ and $\{0,1\}^{4+\kappa+1}$ denote the $\{0,1\}$ bit strings of length $\kappa$ and $4+\kappa+1$ respectively;
3.2) Let the parameter param = (m, Hash), where m is the length of a bid. For the bid of the i-th bidder $B_i$, $b_{i,j}$ denotes the j-th bit of that bid, $j=0,1,\ldots,m-1$. The token $token_i$ is generated with the following formula:
$token_i=(d_{i,0},d_{i,1},\ldots,d_{i,m})$;
where $d_{i,0},d_{i,1},\ldots,d_{i,m}$ denote bits 0 to m-1 of the token $token_i$ of the i-th bidder $B_i$, with:
$d_{i,m}=Hash(mkey,(0,0^\kappa,0))$;
$d_{i,j}=Hash(mkey,(1,d_{i,j+1},b_{i,j})),\ j=m-1,\ldots,0$;
where $0^\kappa$ denotes the all-zero string of length $\kappa$;
3.3) $B_i$ randomly selects $r_i \leftarrow \{0,1\}^\kappa$ and generates:
$c_{i,j}=Hash(d_{i,j},(2,r_i,0))$;
$e_{i,j}=Hash(mkey,(4,d_{i,j+1},0))+b_{i,j} \bmod 3$;
$f_{i,j}=Hash(d_{i,j+1},(5,r_i,0))+e_{i,j} \bmod 3$;
where $j=m-1,\ldots,0$;
Finally, bidder $B_i$ obtains its ciphertext:
$ciph_i=(r_i,(c_{i,0},\ldots,c_{i,m-1}),(f_{i,0},\ldots,f_{i,m-1}))$;
where $r_i$ is the random value that the auctioneer uses in step S5 to authenticate the winner;
3.4) Each bidder $B_i$ uses its own bid bid and its token $token_i$ to compute $Hash(bid, token_i)$ and publishes the computed value on the bulletin board as a commitment.
On the basis of the above implementations of steps S2 and S3, another embodiment of step S4 is:
Bidder $B_i$ sends its values, including its token $token_i$ and random value $r_i$, to the auctioneer A, and at the same time sends a value to the auction publisher AI; each round of comparison to obtain the larger value then proceeds as follows:
When the bidder corresponding to the larger value obtained in the previous round and the other bidder taking part in the current round are adjacent:
1) The auctioneer first checks whether there exists a j such that:
where the notation indicates that it holds for any k, and i is the sequence number of the bidder corresponding to the larger value obtained in the previous round;
2) If no such j exists, the ciphertexts of the two bidders compared in this round are equal, and either of the two bidders can be chosen for comparison with the next bidder. If the auctioneer A finds that such a j does exist, it computes the two hash values $Hash(d_{i,j+1},(5,r_i,0))$ and $Hash(d_{i,j+1},(5,r_{i+1},0))$ and sends these two values to the auction publisher AI, which computes according to the following formulas:
$e_{i,j}=f_{i,j}-Hash(d_{i,j+1},(5,r_i,0)) \bmod 3$;
$e_{i+1,j}=f_{i+1,j}-Hash(d_{i,j+1},(5,r_{i+1},0)) \bmod 3$;
If $e_{i,j}-e_{i+1,j}=1 \bmod 3$, the auction publisher AI determines one party to be the larger; if $e_{i,j}-e_{i+1,j}=2 \bmod 3$, the auction publisher AI determines the other party to be the larger;
When the bidder corresponding to the larger value obtained in the previous round and the other bidder taking part in the current round are separated by one position:
1) The auctioneer first checks whether there exists a j such that:
where the notation indicates that it holds for any k, and i is the sequence number of the bidder corresponding to the larger value obtained in the previous round;
2) If no such j exists, the ciphertexts of the two bidders compared in this round are equal, and either of the two bidders can be chosen for comparison with the next bidder. If the auctioneer A finds that such a j does exist, it computes the two hash values $Hash(d_{i,j+1},(5,r_i,0))$ and $Hash(d_{i,j+1},(5,r_{i+2},0))$ and sends these two values to the auction publisher AI, which computes according to the following formulas:
$e_{i,j}=f_{i,j}-Hash(d_{i,j+1},(5,r_i,0)) \bmod 3$;
$e_{i+2,j}=f_{i+2,j}-Hash(d_{i,j+1},(5,r_{i+2},0)) \bmod 3$;
If $e_{i,j}-e_{i+2,j}=1 \bmod 3$, the auction publisher AI determines one party to be the larger; if $e_{i,j}-e_{i+2,j}=2 \bmod 3$, the auction publisher AI determines the other party to be the larger.
As yet another implementation of step S2:
2.1) Bidder $B_i$ selects two groups of random values for the bits of its bid, where $r_{i,j} \leftarrow \{0,1\}^\kappa$, $r'_{i,j} \leftarrow \{0,1\}^\kappa$, $0 \le j \le m-1$; these are the random values that the auctioneer uses in step S5 to authenticate the winner;
2.2) Suppose there are n bidders, 1 auctioneer A and an auction publisher AI; n-1 groups G are therefore selected when using the multilinear map;
2.3) Each bidder $B_i$ ($i=1,2,3,\ldots,n$) randomly selects a secret random value $s_i \leftarrow \{0,1\}^\kappa$, where $\{0,1\}^\kappa$ denotes the $\{0,1\}$ bit strings of length $\kappa$; each bidder $B_i$ then writes its corresponding value on the bulletin board so that all entities taking part in the auction can see it, where $g$ is the generator of the first group $G_1$. The i-th bidder $B_i$ evaluates the multilinear map as follows:
$$\hat{e}(g^{s_1},\ldots,g^{s_{i-1}},g^{s_{i+1}},\ldots,g^{s_n}) = \hat{e}(g,\ldots,g,g,\ldots,g)^{s_1\cdots s_{i-1}s_{i+1}\cdots s_n} = g_{n-1}^{s_1\cdots s_{i-1}s_{i+1}\cdots s_n};$$
where $g_{n-1}$ is the generator of the (n-1)-th group $G_{n-1}$;
2.4) From the result of step 2.3), the master key mkey is computed:
$$mkey = \left(g_{n-1}^{s_1\cdots s_{i-1}s_{i+1}\cdots s_n}\right)^{s_i} = g_{n-1}^{\prod_{i=1}^{n}s_i}.$$
Based on the above implementation of step S2, another implementation of step S3 is as follows:
3.1) Define a hash function $Hash: \{0,1\}^\kappa \times \{0,1\}^{4+\kappa+1} \to \{0,1\}^\kappa$, where $\{0,1\}^\kappa$ and $\{0,1\}^{4+\kappa+1}$ denote the $\{0,1\}$ bit strings of length $\kappa$ and $4+\kappa+1$ respectively;
3.2) Let the parameter param = (m, Hash), where m is the length of a bid. For the bid of the i-th bidder $B_i$, $b_{i,j}$ denotes the j-th bit of that bid, $j=0,1,\ldots,m-1$. The token $token_i$ is generated with the following formula:
$token_i=(d_{i,0},d_{i,1},\ldots,d_{i,m})$;
where $d_{i,0},d_{i,1},\ldots,d_{i,m}$ denote bits 0 to m-1 of the token $token_i$ of the i-th bidder $B_i$, with:
$d_{i,m}=Hash(mkey,(0,0^\kappa,0))$;
$d_{i,j}=Hash(mkey,(1,d_{i,j+1},b_{i,j})),\ j=m-1,\ldots,0$;
where $0^\kappa$ denotes the all-zero string of length $\kappa$;
3.3) Compute $\vec{c}_i=(c_{i,0},\ldots,c_{i,m-1})$ and $\vec{f}_i=(f_{i,0},\ldots,f_{i,m-1})$ with the following formulas:
$c_{i,j}=d_{i,j}\oplus r_{i,j}$;
$f_{i,j}=d_{i,j+1}+r'_{i,j}+b_{i,j} \bmod 3 \quad (1\le i\le n,\ 0\le j\le m-1)$.
Based on the above implementations of steps S2 and S3, another implementation of step S4 is as follows:
If the sequence number i of bidder $B_i$ is odd, it sends two of its values to the auctioneer A and at the same time sends one to the auction publisher AI; if the sequence number i of bidder $B_i$ is even, it sends two of its values to the auction publisher AI and at the same time sends one to the auctioneer A. Each round of comparison to obtain the larger value then proceeds as follows:
When the bidder corresponding to the larger value obtained in the previous round and the other bidder taking part in the current round are adjacent:
1) The auctioneer A uses the values of the bidder corresponding to the larger value obtained in the previous round and of the other bidder taking part in the current round to compute as follows, where i is the sequence number of the bidder corresponding to the larger value obtained in the previous round:
$c_{i,j}\oplus r_{i+1,j}=d_{i,j}\oplus r_{i,j}\oplus r_{i+1,j}$;
2) The auction publisher AI uses the values of the other bidder taking part in the current round and of the bidder corresponding to the larger value obtained in the previous round to compute as follows:
$c_{i+1,j}\oplus r_{i,j}=d_{i+1,j}\oplus r_{i+1,j}\oplus r_{i,j}$;
3) The auctioneer A and the auction publisher AI send their results to each other bit by bit until they find a differing bit. The auctioneer A then uses the values of the bidder corresponding to the larger value obtained in the previous round and of the other bidder taking part in the current round to compute as follows:
$f_{i,j}+r'_{i+1,j}=d_{i,j+1}+r'_{i,j}+b_{i,j}+r'_{i+1,j} \bmod 3$;
The auction publisher AI uses the values of the other bidder taking part in the current round and of the bidder corresponding to the larger value obtained in the previous round to compute as follows:
$f_{i+1,j}+r'_{i,j}=d_{i+1,j+1}+r'_{i+1,j}+b_{i+1,j}+r'_{i,j} \bmod 3$;
4) The auctioneer A and the auction publisher AI send their results to each other, and both obtain the larger party by subtraction;
When the bidder corresponding to the larger value obtained in the previous round and the other bidder taking part in the current round are separated by one position:
1) The auctioneer A uses the values of the bidder corresponding to the larger value obtained in the previous round and of the other bidder taking part in the current round to compute as follows, where i is the sequence number of the bidder corresponding to the larger value obtained in the previous round:
$c_{i,j}\oplus r_{i+2,j}=d_{i,j}\oplus r_{i,j}\oplus r_{i+2,j}$;
2) The auction publisher AI uses the values of the other bidder taking part in the current round and of the bidder corresponding to the larger value obtained in the previous round to compute as follows:
$c_{i+2,j}\oplus r_{i,j}=d_{i+2,j}\oplus r_{i+2,j}\oplus r_{i,j}$;
3) The auctioneer A and the auction publisher AI send their results to each other bit by bit until they find a differing bit. The auctioneer A then uses the values of the bidder corresponding to the larger value obtained in the previous round and of the next bidder taking part in the current round to compute as follows:
$f_{i,j}+r'_{i+2,j}=d_{i,j+1}+r'_{i,j}+b_{i,j}+r'_{i+2,j} \bmod 3$;
The auction publisher AI uses the values of the other bidder taking part in the current round and of the bidder corresponding to the larger value obtained in the previous round to compute as follows:
$f_{i+2,j}+r'_{i,j}=d_{i+2,j+1}+r'_{i+2,j}+b_{i+2,j}+r'_{i,j} \bmod 3$;
After the computation, the auctioneer A and the auction publisher AI send their results to each other, and both obtain the larger party by subtraction.
It should be further noted that, in step S5, as long as one of the bidders is honest, the winner cannot cheat by submitting a bid lower than the one it submitted earlier. If any bidder other than the winner wants to cheat by impersonating the winner, it must be able to generate the ciphertext corresponding to the highest bid; since it cannot know the correct random value, it can succeed only with negligible probability.
The beneficial effects of the present invention are:
1. A first-price sealed auction based on improved comparable encryption is constructed. It not only protects the privacy and confidentiality of bids but also needs only one round of communication between the auctioneer and the bidders; because the workload brought by communication is saved, the invention is very practical in real auctions;
2. As a typical auction scheme with n bidders, and compared with other schemes that need multiple auctioneers to take part in the protocol, the invention needs only one auctioneer, which greatly simplifies the auction process and saves system resources (such as bandwidth, storage space and computation); and because the auctioneer is a single party, deploying and running the auction is relatively simple and convenient.
Brief description of the drawings
Fig. 1 is a schematic diagram of the model of embodiment one of the present invention;
Fig. 2 is a schematic flow chart of embodiment one of the present invention;
Fig. 3 is a schematic diagram of the model of embodiment two of the present invention;
Fig. 4 is a schematic flow chart of embodiment two of the present invention;
Fig. 5 is a schematic diagram of the model of embodiment three of the present invention;
Fig. 6 is a schematic flow chart of embodiment three of the present invention.
Embodiment
Below with reference to accompanying drawing, the invention will be further described, it should be noted that, the present embodiment, premised on the technical program, give detailed execution mode and concrete operating process, but the protection range of the claims in the present invention is not limited to the present embodiment.
Below first technical term involved in the present invention is described.
1. Sealed auction
Sealed auctions come in two formats: the first-price sealed auction and the Vickrey auction. In a first-price sealed auction, all bidders submit their sealed bids at the same time, and nobody except the bidder itself can know its bid. The bidder with the highest price wins and pays its own bid. A Vickrey auction does not differ from a first-price sealed auction except that the winning bidder only pays the second-highest bid. Several auction models exist for sealed auctions: the threshold model, the trusted-third-party model, the model without a trusted auctioneer, and so on. Under these models, a sealed auction has the following necessary security requirements:
Correctness: the auction result, that is, the winner and the winning price, is obtained correctly. The auction result must also be decided according to the auction rules. For example, in a second-price sealed auction, that is, a Vickrey auction, the bidder with the highest bid must win and pay the second-highest price;
Confidentiality: before the result-announcement phase, each bid must be kept secret from everyone except the bidder itself;
Verifiability: the participants of the auction, such as the bidders, must be able to verify the result of the auction;
Fairness: no bidder, including the final winning bidder, may adjust or deny its price after submitting its bid;
Privacy: the privacy of the losing bids is protected even after the auction ends; strictly speaking, apart from the partial information that can be inferred from the final winning price, no information about the losing bids may be revealed;
Robustness: the auction can still proceed normally in an abnormal environment, for example when malicious attacks take place;
Anonymity: the identity of the losing bidders must also be kept secret. In some special cases, the identity of the winning bidder must be kept secret as well.
2. Multilinear pairing
Garg, Gentry et al. first proposed the cryptographic primitive of multilinear pairing in 2013. They assume a group-system generation algorithm G that takes a security parameter κ and a positive integer k as input, where k is the number of pairing operations allowed. $G(1^\lambda, k)$ outputs a sequence of groups, and each group $G_i$ ($i = 1, 2, 3, \ldots, k$) has large prime order $p > 2^\lambda$. In addition, let $g_i$ be a generator of each $G_i$, and let $g = g_1$.
Here it is reasonably assumed that there exists a family of bilinear maps $\{\hat{e}_{i,j} : G_i \times G_j \to G_{i+j} \mid i, j \ge 1;\ i + j \le k\}$, and that the maps satisfy the following equation:
$\hat{e}_{i,j}(g_i^a, g_j^b) = g_{i+j}^{ab} : \forall a, b \in \mathbb{Z}_p$
When the context is clear, the subscripts i, j of the map are sometimes omitted. For example, the equation can be written simply as:
$\hat{e}(g_i^a, g_j^b) = g_{i+j}^{ab}$;
3. Comparable encryption
Furukawa proposed the cryptographic primitive of comparable encryption in 2013. Comparable encryption consists of four algorithms: Gen, Enc, Der and Cmp.
Gen: a probabilistic algorithm that, given a security parameter κ ∈ N and a range parameter n ∈ N, outputs a parameter param and a master key mkey; n is included in param:
(param, mkey) = Gen(κ, n);
Enc: a probabilistic algorithm that, given the parameter param, the master key mkey and a number $0 \le num \le 2^n$, outputs a ciphertext ciph:
ciph = Enc(param, mkey, num);
Der: a probabilistic algorithm that, given the parameter param, the master key mkey and a number $0 \le num \le 2^n$, outputs a token:
token = Der(param, mkey, num);
Cmp: a deterministic algorithm that, given the parameter param, two ciphertexts ciph and ciph′, and a token, outputs -1, 1 or 0:
Cmp(param, ciph, ciph′, token) ∈ {-1, 1, 0}.
Embodiment 1
The technical solution of this embodiment is based on the semi-honest model: all participants in the auction strictly follow the protocol, but may keep some intermediate results locally and try to derive extra information from them. It is also assumed that the bidders do not collude with the auctioneer.
As shown in Fig. 1 and Fig. 2, an improved first-price sealed auction scheme with comparable encryption comprises the following steps:
S1: set up a bulletin board on which each bidder has its own area for writing content. Note that once content has been written on the bulletin board it can no longer be modified.
S2: use a multilinear pairing to generate a unified master key mkey among all bidders:
2.1) suppose there are n bidders and 1 auctioneer, so n-1 groups G are selected when the multilinear pairing is used;
2.2) each bidder $B_i$ ($i = 1, 2, 3, \ldots, n$) randomly selects a secret random value $s_i \leftarrow \{0,1\}^\kappa$, where $\{0,1\}^\kappa$ denotes the {0,1} bit strings of length κ; each bidder $B_i$ then writes its own corresponding value on the bulletin board so that all entities taking part in the auction can see it, where g is the generator of the first group $G_1$;
2.3) the i-th bidder $B_i$ computes the multilinear pairing as follows:
$\hat{e}(g^{s_1}, \ldots, g^{s_{i-1}}, g^{s_{i+1}}, \ldots, g^{s_n}) = \hat{e}(g, \ldots, g, g, \ldots, g)^{s_1 \cdots s_{i-1} s_{i+1} \cdots s_n} = g_{n-1}^{s_1 \cdots s_{i-1} s_{i+1} \cdots s_n}$;
where $g_{n-1}$ is the generator of the (n-1)-th group $G_{n-1}$;
2.4) the master key mkey is computed from the result of step 2.3):
$mkey = \left(g_{n-1}^{s_1 \cdots s_{i-1} s_{i+1} \cdots s_n}\right)^{s_i} = g_{n-1}^{\prod_{i=1}^{n} s_i}$
S3: each bidder $B_i$ generates its own token and ciphertext, where i is the auction sequence number that each bidder obtains when the auction starts;
3.1) define a hash function $Hash: \{0,1\}^\kappa \times \{0,1\}^{4+\kappa+1} \to \{0,1\}^\kappa$, where $\{0,1\}^\kappa$ and $\{0,1\}^{4+\kappa+1}$ denote the {0,1} bit strings of length κ and 4+κ+1 respectively;
3.2) let the parameter param = (m, Hash), where m is the length of the bid; for the bid of the i-th bidder $B_i$, $b_{i,j}$ denotes the j-th bit of the bid of the i-th bidder, j = 0, 1, ..., m-1. The token $token_i$ of bidder $B_i$ is generated with the following formula:
$token_i = (d_{i,0}, d_{i,1}, \ldots, d_{i,m})$;
where $d_{i,0}, d_{i,1}, \ldots, d_{i,m}$ denote bits 0 to m-1 of the token $token_i$ of the i-th bidder $B_i$, with:
$d_{i,m} = Hash(mkey, (0, 0^\kappa, 0))$;
$d_{i,j} = Hash(mkey, (1, d_{i,j+1}, b_{i,j})),\ j = m-1, \ldots, 0$;
where $0^\kappa$ denotes the all-zero string of length κ;
3.3) $B_i$ randomly selects $r_i \leftarrow \{0,1\}^\kappa$ and generates:
$c_{i,j} = Hash(d_{i,j}, (2, r_i, 0))$;
$e_{i,j} = Hash(mkey, (4, d_{i,j+1}, 0)) + b_{i,j} \bmod 3$;
$f_{i,j} = Hash(d_{i,j+1}, (5, r_i, 0)) + e_{i,j} \bmod 3$;
where j = m-1, ..., 0;
Finally, bidder $B_i$ obtains its ciphertext:
$ciph_i = (r_i, (c_{i,0}, \ldots, c_{i,m-1}), (f_{i,0}, \ldots, f_{i,m-1}))$;
where $r_i$ is the random value that the auctioneer uses in step S5 to authenticate the winning bidder.
S4: each bidder sends the ciphertext and token obtained in step S3 to the auctioneer, and the auctioneer compares them one after another in the order of the bidders' auction sequence numbers. It first compares the ciphertext of the first bidder with the ciphertext of the next bidder to obtain the larger value, then compares this larger value with the ciphertext of the next bidder to obtain a new larger value, and so on, until the ciphertexts of all bidders have taken part in the comparison and the maximum over all bidders' ciphertexts has been obtained. The comparison is carried out as follows:
When the bidder corresponding to the larger value obtained in the previous round and the other bidder taking part in the current round of comparison are adjacent:
1) the auctioneer first checks whether there exists a j such that:
where the notation means "for any k such that", and i is the sequence number of the bidder corresponding to the larger value obtained in the previous round;
2) if the equality holds for every k, the auctioneer may select either of $ciph_i$ and $ciph_{i+1}$ to compare with the ciphertext of the next bidder, where $ciph_i$ and $ciph_{i+1}$ are the ciphertexts of bidders $B_i$ and $B_{i+1}$ respectively; otherwise the auctioneer computes:
$e_{i,j} = f_{i,j} - Hash(d_{i,j+1}, (5, r_i, 0)) \bmod 3$;
$e_{i+1,j} = f_{i+1,j} - Hash(d_{i,j+1}, (5, r_{i+1}, 0)) \bmod 3$
and selects the larger value by the following rule:
If $e_{i,j} - e_{i+1,j} = 1 \bmod 3$, then $ciph_i$ is the larger of the two and is compared with the ciphertext of the next bidder; if $e_{i,j} - e_{i+1,j} = 2 \bmod 3$, the auctioneer selects $ciph_{i+1}$ to compare with the ciphertext of the next bidder;
When the bidder corresponding to the larger value obtained in the previous round and the other bidder taking part in the current round of comparison are separated by an interval:
1) the auctioneer first checks whether there exists a j such that:
where the notation means "for any k such that", and i is the sequence number of the bidder corresponding to the larger value obtained in the previous round;
2) if the equality holds for every k, the auctioneer may select either of $ciph_i$ and $ciph_{i+2}$ to compare with the ciphertext of the next bidder, where $ciph_i$ and $ciph_{i+2}$ are the ciphertexts of bidders $B_i$ and $B_{i+2}$ respectively; otherwise the auctioneer computes:
$e_{i,j} = f_{i,j} - Hash(d_{i,j+1}, (5, r_i, 0)) \bmod 3$;
$e_{i+2,j} = f_{i+2,j} - Hash(d_{i,j+1}, (5, r_{i+2}, 0)) \bmod 3$;
and selects the larger value by the following rule:
If $e_{i,j} - e_{i+2,j} = 1 \bmod 3$, then $ciph_i$ is the larger of the two and is compared with the ciphertext of the next bidder; if $e_{i,j} - e_{i+2,j} = 2 \bmod 3$, the auctioneer selects $ciph_{i+2}$ to compare with the ciphertext of the next bidder.
S5: the auctioneer announces the token $token_i$ of the highest price on the bulletin board; the bidder that recognizes itself as the winning bidder sends its bid and the corresponding ciphertext to the auctioneer, where the bid serves as the winning price and the corresponding ciphertext serves as proof of identity. The auctioneer uses the random value $r_i$ in the ciphertext $ciph_i$ to check whether the bidder that submitted the bid is the final winning bidder; once the check passes, the auctioneer publishes the bid on the bulletin board.
It should be further noted that steps S1-S3 belong to the preparation phase, step S4 belongs to the comparison phase, and step S5 belongs to the announcement phase.
It should be further noted that, in step S5, as long as at least one of the bidders is honest, the winning bidder cannot cheat by submitting a bid smaller than the bid it submitted earlier. If any bidder other than the winning bidder wants to cheat by impersonating the winning bidder, it must be able to generate the ciphertext corresponding to the highest price; but because it cannot know the correct random value $r_i$, it can succeed in the impersonation only with negligible probability.
Throughout the scheme above, only encrypted bids are compared and the original bids are never revealed, which protects the privacy and confidentiality of the bids.
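The token and ciphertext generation of step S3 and the running-maximum comparison of step S4, as an added example that is not part of the patent text. It assumes truncated SHA-256 for Hash, a byte encoding of the tuples (tag, value, bit), and a random byte string standing in for the mkey that step S2 derives with the multilinear pairing; all function names are hypothetical.

```python
import hashlib
import secrets

KAPPA = 16  # byte length of hash outputs and random values (assumed size)

def hash_k(key: bytes, tag: int, mid: bytes, bit: int) -> bytes:
    """Hash(key, (tag, mid, bit)), instantiated here with truncated SHA-256 (assumption)."""
    return hashlib.sha256(key + bytes([tag]) + mid + bytes([bit])).digest()[:KAPPA]

def hash_mod3(key: bytes, tag: int, mid: bytes, bit: int) -> int:
    """The same hash read as an integer and reduced mod 3, as used for e and f."""
    return int.from_bytes(hash_k(key, tag, mid, bit), "big") % 3

def derive_token(mkey: bytes, bid: int, m: int) -> list:
    """token = (d_0, ..., d_m): d_m is fixed, each d_j chains in bit b_j from the top down."""
    d = [b""] * (m + 1)
    d[m] = hash_k(mkey, 0, bytes(KAPPA), 0)
    for j in range(m - 1, -1, -1):
        d[j] = hash_k(mkey, 1, d[j + 1], (bid >> j) & 1)
    return d

def encrypt(mkey: bytes, bid: int, m: int):
    """Return (token, ciph) with ciph = (r, (c_0..c_{m-1}), (f_0..f_{m-1}))."""
    d = derive_token(mkey, bid, m)
    r = secrets.token_bytes(KAPPA)
    c, f = [], []
    for j in range(m):
        b = (bid >> j) & 1
        c.append(hash_k(d[j], 2, r, 0))
        e = (hash_mod3(mkey, 4, d[j + 1], 0) + b) % 3
        f.append((hash_mod3(d[j + 1], 5, r, 0) + e) % 3)
    return d, (r, c, f)

def compare(token_i: list, ciph_i: tuple, ciph_x: tuple) -> int:
    """Auctioneer side, without mkey: 1 if bid i is larger, -1 if bid x is larger, 0 if equal."""
    r_i, _, f_i = ciph_i
    r_x, c_x, f_x = ciph_x
    for j in range(len(c_x) - 1, -1, -1):
        # c_x[j] matches only while bits j..m-1 of the two bids agree.
        if c_x[j] != hash_k(token_i[j], 2, r_x, 0):
            # d_{j+1} is common to both bids here, so the masks cancel
            # and e_i - e_x equals b_i - b_x mod 3.
            e_i = (f_i[j] - hash_mod3(token_i[j + 1], 5, r_i, 0)) % 3
            e_x = (f_x[j] - hash_mod3(token_i[j + 1], 5, r_x, 0)) % 3
            return 1 if (e_i - e_x) % 3 == 1 else -1
    return 0

def run_auction(mkey: bytes, bids: list, m: int) -> int:
    """Running-maximum scan of step S4; returns the index of the winning bidder."""
    subs = [encrypt(mkey, bid, m) for bid in bids]
    best = 0
    for x in range(1, len(subs)):
        token, ciph = subs[best]
        if compare(token, ciph, subs[x][1]) < 0:
            best = x
    return best

if __name__ == "__main__":
    shared_key = secrets.token_bytes(KAPPA)  # stand-in for the pairing-derived mkey
    sample_bids = [37, 90, 12, 73]           # constructed sample bids, 8 bits each
    print("winner index:", run_auction(shared_key, sample_bids, 8))
```

The auctioneer's `compare` never touches mkey or a plaintext bid: it only needs the current leader's token and the two ciphertexts, which is why only the ordering of the bids is exposed to it.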
Embodiment 2
The scheme of Embodiment 1 assumes that the auctioneer does not collude with the bidders, which in a sense is a rather strong assumption. To address this, an auction model comprising an auctioneer A and an auction publisher AI can be adopted to weaken the assumption, while also assuming that these two parties do not collude with each other. The embodiment under this assumption is as follows:
As shown in Fig. 3 and Fig. 4, in Embodiment 2 steps S1, S2 and S3 are essentially the same as in Embodiment 1. The main differences are that an auction publisher AI is added in step S2, and that in step S3 each bidder $B_i$, after obtaining its own ciphertext, uses its own bid bid and token $token_i$ to compute $Hash(bid, token_i)$ and publishes the computed value on the bulletin board as a commitment value. This prevents a bidder from changing or denying its own bid.
S4: each bidder $B_i$ sends the ciphertext $ciph_i$ and token $token_i$ obtained in step S3 to the auctioneer; the auctioneer compares the ciphertext of the first bidder with the ciphertext of the next bidder to obtain the larger value, compares it with the ciphertext of the next bidder to obtain a new larger value, and so on, until the ciphertexts of all bidders have taken part in the comparison and the maximum over all bidders' ciphertexts has been obtained. The comparison is carried out as follows:
Bidder $B_i$ sends its own token $token_i$, its random value $r_i$ and a further value to the auctioneer A, and at the same time sends another value to the auction publisher AI;
When the bidder corresponding to the larger value obtained in the previous round and the other bidder taking part in the current round of comparison are adjacent:
1) the auctioneer first checks whether there exists a j such that:
where the notation means "for any k such that", and i is the sequence number of the bidder corresponding to the larger value obtained in the previous round;
2) if no such j exists, the ciphertexts of the two bidders compared in this round are equal, and either of the two bidders may be selected for comparison with the next bidder; once the auctioneer A finds that such a j does exist, it computes the two hash values $Hash(d_{i,j+1}, (5, r_i, 0))$ and $Hash(d_{i,j+1}, (5, r_{i+1}, 0))$ and sends these two values to the auction publisher AI, which computes according to the following formulas:
$e_{i,j} = f_{i,j} - Hash(d_{i,j+1}, (5, r_i, 0)) \bmod 3$;
$e_{i+1,j} = f_{i+1,j} - Hash(d_{i,j+1}, (5, r_{i+1}, 0)) \bmod 3$;
If $e_{i,j} - e_{i+1,j} = 1 \bmod 3$, the auction publisher AI determines one party to be the larger; if $e_{i,j} - e_{i+1,j} = 2 \bmod 3$, the auction publisher AI determines the other party to be the larger;
When the bidder corresponding to the larger value obtained in the previous round and the other bidder taking part in the current round of comparison are separated by an interval:
1) the auctioneer first checks whether there exists a j such that:
where the notation means "for any k such that", and i is the sequence number of the bidder corresponding to the larger value obtained in the previous round;
2) if no such j exists, the ciphertexts of the two bidders compared in this round are equal, and either of the two bidders may be selected for comparison with the next bidder; once the auctioneer A finds that such a j does exist, it computes the two hash values $Hash(d_{i,j+1}, (5, r_i, 0))$ and $Hash(d_{i,j+1}, (5, r_{i+2}, 0))$ and sends these two values to the auction publisher AI, which computes according to the following formulas:
$e_{i,j} = f_{i,j} - Hash(d_{i,j+1}, (5, r_i, 0)) \bmod 3$;
$e_{i+2,j} = f_{i+2,j} - Hash(d_{i,j+1}, (5, r_{i+2}, 0)) \bmod 3$;
If $e_{i,j} - e_{i+2,j} = 1 \bmod 3$, the auction publisher AI determines one party to be the larger; if $e_{i,j} - e_{i+2,j} = 2 \bmod 3$, the auction publisher AI determines the other party to be the larger.
S5: the auctioneer announces the token $token_i$ of the highest price on the bulletin board; the bidder that recognizes itself as the winning bidder sends its bid and the corresponding ciphertext to the auctioneer, where the bid serves as the winning price and the corresponding ciphertext serves as proof of identity. The auctioneer uses the random value $r_i$ in the ciphertext $ciph_i$ to check whether the bidder that submitted the bid is the final winning bidder.
In the above scheme, consider the case where the auctioneer (A) and the auction publisher (AI) each collude with a different bidder, that is, $B_1$ colludes with A and $B_2$ colludes with AI (because the scheme of this embodiment assumes that the auctioneer and the auction publisher do not collude, the case where these two parties collude with the same bidder is not considered).
Because of the way the protocol is set up, if the auctioneer A obtains mkey, then although it has $token_i$, the random value $r_i$ and one further value, it lacks the remaining value and so cannot compute $e_{i,j}$, and therefore cannot obtain the bid; and if the auction publisher obtains mkey, then although it holds that remaining value, it has neither the random value $r_i$ nor $token_i$, and likewise cannot compute the bid. Neither of them can therefore violate the privacy of any bidder's bid. Consequently, even if a malicious bidder leaks mkey to the auctioneer or the auction publisher, neither of them can violate the privacy of any bidder's bid.
Embodiment 3
In theory, the auctioneer is generally forbidden from running a brute-force search for a bidder's bid based on the token. However, even if brute-force search is allowed, more random values can be introduced by the following scheme to counter this kind of attack.
As shown in Fig. 5 and Fig. 6, step S1 of this embodiment is the same as in Embodiment 1. Step S2 is implemented as follows:
2.1) bidder $B_i$ selects two groups of random values for the bits of its bid, where $r_{i,j} \leftarrow \{0,1\}^\kappa$, $r'_{i,j} \leftarrow \{0,1\}^\kappa$, $0 \le j \le m-1$; the two groups are the random values that the auctioneer uses in step S5 to authenticate the winning bidder;
2.2) suppose there are n bidders, 1 auctioneer A and an auction publisher AI, so n-1 groups G are selected when the multilinear pairing is used;
Steps 2.3)-2.5) are implemented in the same way as steps 2.2)-2.4) of Embodiment 1.
Step S3 is implemented as follows:
Steps 3.1)-3.2) are implemented in the same way as steps 3.1)-3.2) of Embodiment 1.
3.3) $\vec{c}_i = (c_{i,0}, \ldots, c_{i,m-1})$ and $\vec{f}_i = (f_{i,0}, \ldots, f_{i,m-1})$ are computed with the following formulas:
$c_{i,j} = d_{i,j} \oplus r_{i,j}$;
$f_{i,j} = d_{i,j+1} + r'_{i,j} + b_{i,j} \bmod 3 \quad (1 \le i \le n,\ 0 \le j \le m-1)$.
If the sequence number i of bidder $B_i$ is odd, the bidder sends two of its own values to the auctioneer A and at the same time sends the others to the auction publisher AI; if the sequence number i of bidder $B_i$ is even, the bidder sends two of its own values to the auction publisher AI and at the same time sends the others to the auctioneer A. Each round of comparison then obtains the larger value as follows:
When the bidder corresponding to the larger value obtained in the previous round and the other bidder taking part in the current round of comparison are adjacent:
1) the auctioneer A combines the value it holds for the bidder corresponding to the larger value obtained in the previous round with the value it holds for the other bidder taking part in the current round, computing as follows, where i is the sequence number of the bidder corresponding to the larger value obtained in the previous round:
$c_{i,j} \oplus r_{i+1,j} = d_{i,j} \oplus r_{i,j} \oplus r_{i+1,j}$;
2) the auction publisher AI combines the value it holds for the other bidder taking part in the current round with the value it holds for the bidder corresponding to the larger value obtained in the previous round, computing as follows:
$c_{i+1,j} \oplus r_{i,j} = d_{i+1,j} \oplus r_{i+1,j} \oplus r_{i,j}$
3) the auctioneer A and the auction publisher AI send their respective values to each other bit by bit until they find a differing bit; the auctioneer A then combines the value of the bidder corresponding to the larger value obtained in the previous round with the value of the other bidder taking part in the current round, computing as follows:
$f_{i,j} + r'_{i+1,j} = d_{i,j+1} + r'_{i,j} + b_{i,j} + r'_{i+1,j} \bmod 3$;
The auction publisher AI combines the value of the other bidder taking part in the current round with the value of the bidder corresponding to the larger value obtained in the previous round, computing as follows:
$f_{i+1,j} + r'_{i,j} = d_{i+1,j+1} + r'_{i+1,j} + b_{i+1,j} + r'_{i,j} \bmod 3$;
4) the auctioneer A and the auction publisher AI send their results to each other, and both obtain the party with the larger result by subtraction;
When the bidder corresponding to the larger value obtained in the previous round and the other bidder taking part in the current round of comparison are separated by an interval:
1) the auctioneer A combines the value it holds for the bidder corresponding to the larger value obtained in the previous round with the value it holds for the other bidder taking part in the current round, computing as follows, where i is the sequence number of the bidder corresponding to the larger value obtained in the previous round:
$c_{i,j} \oplus r_{i+2,j} = d_{i,j} \oplus r_{i,j} \oplus r_{i+2,j}$;
2) the auction publisher AI combines the value it holds for the other bidder taking part in the current round with the value it holds for the bidder corresponding to the larger value obtained in the previous round, computing as follows:
$c_{i+2,j} \oplus r_{i,j} = d_{i+2,j} \oplus r_{i+2,j} \oplus r_{i,j}$
3) the auctioneer A and the auction publisher AI send their respective values to each other bit by bit until they find a differing bit; the auctioneer A then combines the value of the bidder corresponding to the larger value obtained in the previous round with the value of the next bidder taking part in the current round, computing as follows:
$f_{i,j} + r'_{i+2,j} = d_{i,j+1} + r'_{i,j} + b_{i,j} + r'_{i+2,j} \bmod 3$;
The auction publisher AI combines the value of the other bidder taking part in the current round with the value of the bidder corresponding to the larger value obtained in the previous round, computing as follows:
$f_{i+2,j} + r'_{i,j} = d_{i+2,j+1} + r'_{i+2,j} + b_{i+2,j} + r'_{i,j} \bmod 3$;
After the computation, the auctioneer A and the auction publisher AI send their results to each other, and both obtain the party with the larger result by subtraction.
In the scheme of this embodiment, any bit $b_{i,j}$ of the bid of any bidder $B_i$ can only be computed by means of two formulas, one of them being $f_{i,j} = d_{i,j+1} + r'_{i,j} + b_{i,j} \bmod 3$ ($1 \le i \le n$, $0 \le j \le m-1$), and the two parts of these two formulas have been sent to the auctioneer and the auction publisher respectively. Under the assumption that these two parties do not collude, no attacker can compute the bid, which guarantees the privacy and confidentiality of the bids.
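The split comparison of this embodiment between the auctioneer A and the auction publisher AI, as an added example that is not part of the patent text. It assumes truncated SHA-256 for Hash, a fixed byte string for mkey, a scan from the most significant bit downward, and that A holds (c, f) of the previous winner P plus (r, r') of the challenger Q while AI holds the converse, which is how the formulas in steps 1) to 3) read; all names are hypothetical.

```python
import hashlib
import secrets

KAPPA = 16  # byte length of d values and random masks (assumed size)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def d_chain(mkey: bytes, bid: int, m: int) -> list:
    """d_0 .. d_m as in step 3.2), with truncated SHA-256 standing in for Hash (assumption)."""
    h = lambda data: hashlib.sha256(mkey + data).digest()[:KAPPA]
    d = [h(b"\x00" + bytes(KAPPA) + b"\x00")]            # d_m
    for j in range(m - 1, -1, -1):
        d.insert(0, h(b"\x01" + d[0] + bytes([(bid >> j) & 1])))
    return d

def bidder_prepare(mkey: bytes, bid: int, m: int):
    """Bidder side: masked values (c, f) and the masks (r, r') that hide them."""
    d = d_chain(mkey, bid, m)
    r = [secrets.token_bytes(KAPPA) for _ in range(m)]
    rp = [secrets.token_bytes(KAPPA) for _ in range(m)]
    c = [xor(d[j], r[j]) for j in range(m)]              # c_j = d_j XOR r_j
    f = [(int.from_bytes(d[j + 1], "big") + int.from_bytes(rp[j], "big")
          + ((bid >> j) & 1)) % 3 for j in range(m)]     # f_j = d_{j+1} + r'_j + b_j mod 3
    return (c, f), (r, rp)

def party_view(masked_one, masks_other):
    """Local work of one party: c XOR r and f + r' mod 3, using the other bidder's masks."""
    (c, f), (r, rp) = masked_one, masks_other
    x = [xor(c[j], r[j]) for j in range(len(c))]
    s = [(f[j] + int.from_bytes(rp[j], "big")) % 3 for j in range(len(f))]
    return x, s

def joint_compare(view_a, view_ai) -> int:
    """Exchange position by position: 1 if P is larger, -1 if Q is larger, 0 if equal."""
    (xa, sa), (xb, sb) = view_a, view_ai
    for j in range(len(xa) - 1, -1, -1):
        if xa[j] != xb[j]:                 # d_{P,j} != d_{Q,j}: first differing bit
            # d_{j+1} and both r' masks cancel, leaving b_P - b_Q mod 3.
            return 1 if (sa[j] - sb[j]) % 3 == 1 else -1
    return 0

def compare_bids(mkey: bytes, bid_p: int, bid_q: int, m: int) -> int:
    masked_p, masks_p = bidder_prepare(mkey, bid_p, m)
    masked_q, masks_q = bidder_prepare(mkey, bid_q, m)
    view_a = party_view(masked_p, masks_q)    # A:  c_P, f_P with r_Q, r'_Q
    view_ai = party_view(masked_q, masks_p)   # AI: c_Q, f_Q with r_P, r'_P
    return joint_compare(view_a, view_ai)

if __name__ == "__main__":
    key = bytes(range(KAPPA))                 # constructed stand-in for mkey
    print(compare_bids(key, 90, 73, 8))       # constructed 8-bit sample bids
```

Neither party ever holds both c and r (or f and r') of the same bidder, so unmasking $d_{i,j}$ or $b_{i,j}$ would take the two views together.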
A person skilled in the art can make various corresponding changes and modifications according to the above technical solution and concept, and all such changes and modifications shall fall within the scope of protection of the claims of the present invention.

Claims (10)

1. An improved first-price sealed auction method with comparable encryption, involving at least two bidders and at least one auctioneer, characterized in that the method comprises the following steps:
S1: set up a bulletin board on which each bidder has its own area for writing content; once content has been written on the bulletin board it can no longer be modified;
S2: use a multilinear pairing to generate a unified master key mkey among all bidders;
S3: each bidder $B_i$ generates its own token and ciphertext, where i is the auction sequence number that each bidder obtains when the auction starts;
S4: each bidder sends the ciphertext and token obtained in step S3 to the auctioneer, and the auctioneer compares them one after another in the order of the bidders' auction sequence numbers: it first compares the ciphertext of the first bidder with the ciphertext of the next bidder to obtain the larger value, then compares this larger value with the ciphertext of the next bidder to obtain a new larger value, and so on, until the ciphertexts of all bidders have taken part in the comparison and the maximum over all bidders' ciphertexts has been obtained;
S5: the auctioneer announces on the bulletin board the token corresponding to the maximum obtained in step S4; the bidder that recognizes itself as the winning bidder sends its bid and the corresponding ciphertext to the auctioneer, where the bid serves as the winning price and the corresponding ciphertext serves as proof of identity; the auctioneer checks, according to the random value contained in the ciphertext, whether the bidder that submitted the bid is the final winning bidder, and once the check passes, the auctioneer publishes the bid on the bulletin board.
2. The improved first-price sealed auction method with comparable encryption according to claim 1, characterized in that step S2 is implemented as follows:
2.1) suppose there are n bidders and 1 auctioneer, so n-1 groups G are selected when the multilinear pairing is used;
2.2) each bidder $B_i$ ($i = 1, 2, 3, \ldots, n$) randomly selects a secret random value $s_i \leftarrow \{0,1\}^\kappa$, where $\{0,1\}^\kappa$ denotes the {0,1} bit strings of length κ; each bidder $B_i$ then writes its own corresponding value on the bulletin board so that all entities taking part in the auction can see it, where g is the generator of the first group $G_1$;
2.3) the i-th bidder $B_i$ computes the multilinear pairing as follows:
$\hat{e}(g^{s_1}, \ldots, g^{s_{i-1}}, g^{s_{i+1}}, \ldots, g^{s_n}) = \hat{e}(g, \ldots, g, g, \ldots, g)^{s_1 \cdots s_{i-1} s_{i+1} \cdots s_n} = g_{n-1}^{s_1 \cdots s_{i-1} s_{i+1} \cdots s_n}$;
where $g_{n-1}$ is the generator of the (n-1)-th group $G_{n-1}$;
2.4) the master key mkey is computed from the result of step 2.3):
$mkey = \left(g_{n-1}^{s_1 \cdots s_{i-1} s_{i+1} \cdots s_n}\right)^{s_i} = g_{n-1}^{\prod_{i=1}^{n} s_i}$.
3. The improved first-price sealed auction method with comparable encryption according to claim 2, characterized in that step S3 is implemented as follows:
3.1) define a hash function $Hash: \{0,1\}^\kappa \times \{0,1\}^{4+\kappa+1} \to \{0,1\}^\kappa$, where $\{0,1\}^\kappa$ and $\{0,1\}^{4+\kappa+1}$ denote the {0,1} bit strings of length κ and 4+κ+1 respectively;
3.2) let the parameter param = (m, Hash), where m is the length of the bid; for the bid of the i-th bidder $B_i$, $b_{i,j}$ denotes the j-th bit of the bid of the i-th bidder, j = 0, 1, ..., m-1. The token $token_i$ of bidder $B_i$ is generated with the following formula:
$token_i = (d_{i,0}, d_{i,1}, \ldots, d_{i,m})$;
where $d_{i,0}, d_{i,1}, \ldots, d_{i,m}$ denote bits 0 to m-1 of the token $token_i$ of the i-th bidder $B_i$, with:
$d_{i,m} = Hash(mkey, (0, 0^\kappa, 0))$;
$d_{i,j} = Hash(mkey, (1, d_{i,j+1}, b_{i,j})),\ j = m-1, \ldots, 0$;
where $0^\kappa$ denotes the all-zero string of length κ;
3.3) $B_i$ randomly selects $r_i \leftarrow \{0,1\}^\kappa$ and generates:
$c_{i,j} = Hash(d_{i,j}, (2, r_i, 0))$;
$e_{i,j} = Hash(mkey, (4, d_{i,j+1}, 0)) + b_{i,j} \bmod 3$;
$f_{i,j} = Hash(d_{i,j+1}, (5, r_i, 0)) + e_{i,j} \bmod 3$;
where j = m-1, ..., 0;
Finally, bidder $B_i$ obtains its ciphertext:
$ciph_i = (r_i, (c_{i,0}, \ldots, c_{i,m-1}), (f_{i,0}, \ldots, f_{i,m-1}))$;
where $r_i$ is the random value that the auctioneer uses in step S5 to authenticate the winning bidder.
4. The improved first-price sealed auction method with comparable encryption according to claim 2 or 3, characterized in that, in step S4, each round of comparing the ciphertexts of two bidders proceeds as follows:
When the bidder corresponding to the larger value obtained in the previous round and the other bidder taking part in the current round of comparison are adjacent:
1) the auctioneer first checks whether there exists a j such that:
where the notation means "for any k such that", and i is the sequence number of the bidder corresponding to the larger value obtained in the previous round;
2) if the equality holds for every k, the auctioneer may select either of $ciph_i$ and $ciph_{i+1}$ to compare with the ciphertext of the next bidder, where $ciph_i$ and $ciph_{i+1}$ are the ciphertexts of bidders $B_i$ and $B_{i+1}$ respectively; otherwise the auctioneer computes:
$e_{i,j} = f_{i,j} - Hash(d_{i,j+1}, (5, r_i, 0)) \bmod 3$;
$e_{i+1,j} = f_{i+1,j} - Hash(d_{i,j+1}, (5, r_{i+1}, 0)) \bmod 3$
and selects the larger value by the following rule:
If $e_{i,j} - e_{i+1,j} = 1 \bmod 3$, then $ciph_i$ is the larger of the two and is compared with the ciphertext of the next bidder; if $e_{i,j} - e_{i+1,j} = 2 \bmod 3$, the auctioneer selects $ciph_{i+1}$ to compare with the ciphertext of the next bidder;
When the bidder corresponding to the larger value obtained in the previous round and the other bidder taking part in the current round of comparison are separated by an interval:
1) the auctioneer first checks whether there exists a j such that:
where the notation means "for any k such that", and i is the sequence number of the bidder corresponding to the larger value obtained in the previous round;
2) if $\forall k\ \text{s.t.}\ 0 < k < m,\ c_{i+2,k} = Hash(d_{i,k}, (2, r_{i+2}, 0))$, the auctioneer may select either of $ciph_i$ and $ciph_{i+2}$ to compare with the ciphertext of the next bidder, where $ciph_i$ and $ciph_{i+2}$ are the ciphertexts of bidders $B_i$ and $B_{i+2}$ respectively; otherwise the auctioneer computes:
$e_{i,j} = f_{i,j} - Hash(d_{i,j+1}, (5, r_i, 0)) \bmod 3$;
$e_{i+2,j} = f_{i+2,j} - Hash(d_{i,j+1}, (5, r_{i+2}, 0)) \bmod 3$;
and selects the larger value by the following rule:
If $e_{i,j} - e_{i+2,j} = 1 \bmod 3$, then $ciph_i$ is the larger of the two and is compared with the ciphertext of the next bidder; if $e_{i,j} - e_{i+2,j} = 2 \bmod 3$, the auctioneer selects $ciph_{i+2}$ to compare with the ciphertext of the next bidder.
5. The improved first-price sealed auction method with comparable encryption according to claim 1, characterized in that step S2 is implemented as follows:
2.1) suppose there are n bidders, 1 auctioneer A and an auction publisher AI, so n-1 groups G are selected when the multilinear pairing is used;
2.2) each bidder $B_i$ ($i = 1, 2, 3, \ldots, n$) randomly selects a secret random value $s_i \leftarrow \{0,1\}^\kappa$, where $\{0,1\}^\kappa$ denotes the {0,1} bit strings of length κ; each bidder $B_i$ then writes its own corresponding value on the bulletin board so that all entities taking part in the auction can see it, where g is the generator of the first group $G_1$;
2.3) the i-th bidder $B_i$ computes the multilinear pairing as follows:
$\hat{e}(g^{s_1}, \ldots, g^{s_{i-1}}, g^{s_{i+1}}, \ldots, g^{s_n}) = \hat{e}(g, \ldots, g, g, \ldots, g)^{s_1 \cdots s_{i-1} s_{i+1} \cdots s_n} = g_{n-1}^{s_1 \cdots s_{i-1} s_{i+1} \cdots s_n}$;
where $g_{n-1}$ is the generator of the (n-1)-th group $G_{n-1}$;
2.4) the master key mkey is computed from the result of step 2.3):
$mkey = \left(g_{n-1}^{s_1 \cdots s_{i-1} s_{i+1} \cdots s_n}\right)^{s_i} = g_{n-1}^{\prod_{i=1}^{n} s_i}$.
6. The improved first-price sealed auction method with comparable encryption according to claim 5, characterized in that step S3 is implemented as follows:
3.1) define a hash function $Hash: \{0,1\}^\kappa \times \{0,1\}^{4+\kappa+1} \to \{0,1\}^\kappa$, where $\{0,1\}^\kappa$ and $\{0,1\}^{4+\kappa+1}$ denote the {0,1} bit strings of length κ and 4+κ+1 respectively;
3.2) let the parameter param = (m, Hash), where m is the length of the bid; for the bid of the i-th bidder $B_i$, $b_{i,j}$ denotes the j-th bit of the bid of the i-th bidder, j = 0, 1, ..., m-1. The token $token_i$ is generated with the following formula:
$token_i = (d_{i,0}, d_{i,1}, \ldots, d_{i,m})$;
where $d_{i,0}, d_{i,1}, \ldots, d_{i,m}$ denote bits 0 to m-1 of the token $token_i$ of the i-th bidder $B_i$, with:
$d_{i,m} = Hash(mkey, (0, 0^\kappa, 0))$;
$d_{i,j} = Hash(mkey, (1, d_{i,j+1}, b_{i,j})),\ j = m-1, \ldots, 0$;
where $0^\kappa$ denotes the all-zero string of length κ;
3.3) $B_i$ randomly selects $r_i \leftarrow \{0,1\}^\kappa$ and generates:
$c_{i,j} = Hash(d_{i,j}, (2, r_i, 0))$;
$e_{i,j} = Hash(mkey, (4, d_{i,j+1}, 0)) + b_{i,j} \bmod 3$;
$f_{i,j} = Hash(d_{i,j+1}, (5, r_i, 0)) + e_{i,j} \bmod 3$;
where j = m-1, ..., 0;
Finally, bidder $B_i$ obtains its ciphertext:
$ciph_i = (r_i, (c_{i,0}, \ldots, c_{i,m-1}), (f_{i,0}, \ldots, f_{i,m-1}))$;
where $f_i$ is the random value that the auctioneer uses in step S5 to authenticate the winning bidder;
3.4) each bidder $B_i$ uses its own bid bid and token $token_i$ to compute $Hash(bid, token_i)$, and publishes the computed value on the bulletin board as a commitment value.
7. The improved first-price sealed auction method with comparable encryption according to claim 5 or 6, characterized in that, in step S4, bidder $B_i$ sends its own token $token_i$, its random value $r_i$ and a further value to the auctioneer A, and at the same time sends another value to the auction publisher AI; each round of comparison then obtains the larger value as follows:
When the bidder corresponding to the larger value obtained in the previous round and the other bidder taking part in the current round of comparison are adjacent:
1) the auctioneer first checks whether there exists a j such that:
where the notation means "for any k such that", and i is the sequence number of the bidder corresponding to the larger value obtained in the previous round;
2) if no such j exists, the ciphertexts of the two bidders compared in this round are equal, and either of the two bidders may be selected for comparison with the next bidder; once the auctioneer A finds that such a j does exist, it computes the two hash values $Hash(d_{i,j+1}, (5, r_i, 0))$ and $Hash(d_{i,j+1}, (5, r_{i+1}, 0))$ and sends these two values to the auction publisher AI, which computes according to the following formulas:
$e_{i,j} = f_{i,j} - Hash(d_{i,j+1}, (5, r_i, 0)) \bmod 3$;
$e_{i+1,j} = f_{i+1,j} - Hash(d_{i,j+1}, (5, r_{i+1}, 0)) \bmod 3$;
If $e_{i,j} - e_{i+1,j} = 1 \bmod 3$, the auction publisher AI determines one party to be the larger; if $e_{i,j} - e_{i+1,j} = 2 \bmod 3$, the auction publisher AI determines the other party to be the larger;
When the bidder corresponding to the larger value obtained in the previous round and the other bidder taking part in the current round of comparison are separated by an interval:
1) the auctioneer first checks whether there exists a j such that:
where the notation means "for any k such that", and i is the sequence number of the bidder corresponding to the larger value obtained in the previous round;
2) if no such j exists, the ciphertexts of the two bidders compared in this round are equal, and either of the two bidders may be selected for comparison with the next bidder; once the auctioneer A finds that such a j does exist, it computes the two hash values $Hash(d_{i,j+1}, (5, r_i, 0))$ and $Hash(d_{i,j+1}, (5, r_{i+2}, 0))$ and sends these two values to the auction publisher AI, which computes according to the following formulas:
$e_{i,j} = f_{i,j} - Hash(d_{i,j+1}, (5, r_i, 0)) \bmod 3$;
$e_{i+2,j} = f_{i+2,j} - Hash(d_{i,j+1}, (5, r_{i+2}, 0)) \bmod 3$;
If $e_{i,j} - e_{i+2,j} = 1 \bmod 3$, the auction publisher AI determines one party to be the larger; if $e_{i,j} - e_{i+2,j} = 2 \bmod 3$, the auction publisher AI determines the other party to be the larger.
8. The improved first-price sealed auction method with comparable encryption according to claim 1, characterized in that step S2 is implemented as follows:
2.1) Bidder $B_i$ selects two groups of random values for each bit of its auction valency: with wherein $r_{i,j} \leftarrow \{0,1\}^{\kappa}$, $r'_{i,j} \leftarrow \{0,1\}^{\kappa}$, $0 \le j \le m-1$, with for auction side in step S5 carries out to winning bidder the random value that authentication utilizes;
2.2) Suppose there are n bidders, one auction side A and an auction publisher AI; n-1 groups G are therefore selected when using the multilinear pairing;
2.3) Each bidder $B_i$ ($i = 1, 2, 3, \ldots, n$) randomly selects a secret random value $s_i \leftarrow \{0,1\}^{\kappa}$, where $\{0,1\}^{\kappa}$ denotes a $\{0,1\}$ bit string of length $\kappa$; each bidder $B_i$ then writes its own corresponding on the bulletin board so that all entities taking part in the auction can see it, where $g$ is the generator of the first group $G_1$;
2.4) The i-th bidder $B_i$ computes the multilinear pairing as follows:
$$\hat{e}(g^{s_1}, \ldots, g^{s_{i-1}}, g^{s_{i+1}}, \ldots, g^{s_n}) = \hat{e}(g, \ldots, g, g, \ldots, g)^{s_1 \cdots s_{i-1} s_{i+1} \cdots s_n} = g_{n-1}^{s_1 \cdots s_{i-1} s_{i+1} \cdots s_n};$$
where $g_{n-1}$ is the generator of the (n-1)-th group $G_{n-1}$;
2.5) The master key $mkey$ is computed from the result of step 2.4):
$$mkey = \left(g_{n-1}^{s_1 \cdots s_{i-1} s_{i+1} \cdots s_n}\right)^{s_i} = g_{n-1}^{\prod_{i=1}^{n} s_i}.$$
9. The improved first-price sealed auction method with comparable encryption according to claim 8, characterized in that step S3 is implemented as follows:
3.1) Define a hash function $\mathrm{Hash}: \{0,1\}^{\kappa} \times \{0,1\}^{4+\kappa+1} \to \{0,1\}^{\kappa}$, where $\{0,1\}^{\kappa}$ and $\{0,1\}^{4+\kappa+1}$ denote $\{0,1\}$ bit strings of length $\kappa$ and $4+\kappa+1$ respectively;
3.2) Let the parameter $param = (m, \mathrm{Hash})$, where m is the length of the auction valency; for the auction valency of the i-th bidder $B_i$, $b_{i,j}$ denotes its j-th bit, $j = 0, 1, \ldots, m-1$; the token $token_i$ is generated using the following formulas:
$$token_i = (d_{i,0}, d_{i,1}, \ldots, d_{i,m});$$
where $d_{i,0}, d_{i,1}, \ldots, d_{i,m}$ denote bits 0 to m-1 of the token $token_i$ of the i-th bidder $B_i$, with:
$$d_{i,m} = \mathrm{Hash}(mkey, (0, 0^{\kappa}, 0));$$
$$d_{i,j} = \mathrm{Hash}(mkey, (1, d_{i,j+1}, b_{i,j})), \quad j = m-1, \ldots, 0;$$
where $0^{\kappa}$ denotes the all-zero string of length $\kappa$;
3.3) The following formulas are used to compute $\vec{c_i} = (c_{i,0}, \ldots, c_{i,m-1})$ and $\vec{f_i} = (f_{i,0}, \ldots, f_{i,m-1})$:
$$c_{i,j} = d_{i,j} \oplus r_{i,j};$$
$$f_{i,j} = d_{i,j+1} + r'_{i,j} + b_{i,j} \bmod 3 \quad (1 \le i \le n,\ 0 \le j \le m-1).$$
10. The improved first-price sealed auction method with comparable encryption according to claim 8 or claim 9, characterized in that, in step S4, if the sequence number i of bidder $B_i$ is odd, the bidder sends its own with to auction side A and, at the same time, sends to auction publisher AI; if the sequence number i of bidder $B_i$ is even, the bidder sends its own with to auction publisher AI and, at the same time, sends to auction side A; each round of comparison to obtain the higher value then proceeds as follows:
When the bidder corresponding to the higher value obtained in the previous round and the other bidder taking part in the current round of comparison are adjacent:
1) Auction side A uses the of the bidder corresponding to the higher value obtained in the previous round, with the of the other bidder taking part in the current round of comparison, to compute as follows, where i is the sequence number of the bidder corresponding to the higher value obtained in the previous round:
$$c_{i,j} \oplus r_{i+1,j} = d_{i,j} \oplus r_{i,j} \oplus r_{i+1,j};$$
2) Auction publisher AI uses the of the other bidder taking part in the current round of comparison, with the of the bidder corresponding to the higher value obtained in the previous round, to compute as follows:
$$c_{i+1,j} \oplus r_{i,j} = d_{i+1,j} \oplus r_{i+1,j} \oplus r_{i,j};$$
3) Auction side A and auction publisher AI send with to each other bit by bit until they find a bit that differs; auction side A then uses the of the bidder corresponding to the higher value obtained in the previous round, with the of the other bidder taking part in the current round of comparison, to compute as follows:
$$f_{i,j} + r'_{i+1,j} = d_{i,j+1} + r'_{i,j} + b_{i,j} + r'_{i+1,j} \bmod 3;$$
Auction publisher AI uses the of the other bidder taking part in the current round of comparison, with the of the bidder corresponding to the higher value obtained in the previous round, to compute as follows:
$$f_{i+1,j} + r'_{i,j} = d_{i+1,j+1} + r'_{i+1,j} + b_{i+1,j} + r'_{i,j} \bmod 3;$$
4) Auction side A and auction publisher AI send their results to each other, and both obtain the larger side by subtracting the results;
When the bidder corresponding to the higher value obtained in the previous round and the other bidder taking part in the current round of comparison are spaced apart:
1) Auction side A uses the of the bidder corresponding to the higher value obtained in the previous round, with the of the other bidder taking part in the current round of comparison, to compute as follows, where i is the sequence number of the bidder corresponding to the higher value obtained in the previous round:
$$c_{i,j} \oplus r_{i+2,j} = d_{i,j} \oplus r_{i,j} \oplus r_{i+2,j};$$
2) Auction publisher AI uses the of the other bidder taking part in the current round of comparison, with the of the bidder corresponding to the higher value obtained in the previous round, to compute as follows:
$$c_{i+2,j} \oplus r_{i,j} = d_{i+2,j} \oplus r_{i+2,j} \oplus r_{i,j};$$
3) Auction side A and auction publisher AI send with to each other bit by bit until they find a bit that differs; auction side A then uses the of the bidder corresponding to the higher value obtained in the previous round, with the of the next bidder taking part in the current round of comparison, to compute as follows:
$$f_{i,j} + r'_{i+2,j} = d_{i,j+1} + r'_{i,j} + b_{i,j} + r'_{i+2,j} \bmod 3;$$
Auction publisher AI uses the of the other bidder taking part in the current round of comparison, with the of the bidder corresponding to the higher value obtained in the previous round, to compute as follows:
$$f_{i+2,j} + r'_{i,j} = d_{i+2,j+1} + r'_{i+2,j} + b_{i+2,j} + r'_{i,j} \bmod 3;$$
After the computation, auction side A and auction publisher AI send their results to each other, and both obtain the larger side by subtracting the results.
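The token, ciphertext and comparison formulas of claims 9 and 10, carried through in Python as an added example (not code from the patent). Assumptions: truncated SHA-256 stands in for Hash, a random byte string stands in for the pairing-derived mkey, bit m-1 is the most significant bit and the scan starts there, and both parties' computations are collapsed into one function; the names `encrypt`, `compare` and `winner` are hypothetical.

```python
import hashlib
import secrets

KAPPA = 16  # kappa in bytes (assumed size)

def H(key, tag, d, bit):
    # Stand-in for Hash(key, (tag, d, bit)); truncated SHA-256 is an assumption.
    return hashlib.sha256(key + bytes([tag]) + d + bytes([bit])).digest()[:KAPPA]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mod3(s):
    return int.from_bytes(s, "big") % 3

def encrypt(mkey, price, m):
    bits = [(price >> j) & 1 for j in range(m)]          # b_{i,j}; j = m-1 is the top bit
    d = [b""] * (m + 1)
    d[m] = H(mkey, 0, bytes(KAPPA), 0)                   # d_{i,m}
    for j in range(m - 1, -1, -1):
        d[j] = H(mkey, 1, d[j + 1], bits[j])             # d_{i,j} chains the bit prefix
    r = [secrets.token_bytes(KAPPA) for _ in range(m)]   # r_{i,j}
    rp = [secrets.token_bytes(KAPPA) for _ in range(m)]  # r'_{i,j}
    c = [xor(d[j], r[j]) for j in range(m)]              # c_{i,j} = d_{i,j} XOR r_{i,j}
    f = [(mod3(d[j + 1]) + mod3(rp[j]) + bits[j]) % 3 for j in range(m)]
    return {"c": c, "f": f, "r": r, "rp": rp}

def compare(x, y, m):
    """Return 1 if x holds the larger price, 2 if y does, 0 if equal."""
    for j in range(m - 1, -1, -1):
        a_view = xor(x["c"][j], y["r"][j])    # side A
        ai_view = xor(y["c"][j], x["r"][j])   # side AI
        if a_view != ai_view:
            a_val = (x["f"][j] + mod3(y["rp"][j])) % 3
            ai_val = (y["f"][j] + mod3(x["rp"][j])) % 3
            return (a_val - ai_val) % 3       # d terms and masks cancel: b_x - b_y mod 3
    return 0

def winner(ciphertexts, m):
    best = 0
    for k in range(1, len(ciphertexts)):
        if compare(ciphertexts[best], ciphertexts[k], m) == 2:
            best = k
    return best

if __name__ == "__main__":
    mkey = secrets.token_bytes(KAPPA)  # placeholder for the pairing-derived mkey
    prices = [9, 13, 5, 12]            # constructed sample bids, m = 4 bits
    print(winner([encrypt(mkey, p, 4) for p in prices], 4))
```

The subtraction works because all higher bits are equal at the first differing position, so $d_{i,j+1}$ is identical for both bidders and only $b_{i,j} - b_{i+1,j}$ survives modulo 3.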

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510418478.0A CN105072092A (en) 2015-07-16 2015-07-16 Improved first-price sealed auction method with comparable encryption

Publications (1)

Publication Number Publication Date
CN105072092A true CN105072092A (en) 2015-11-18

Family

ID=54501375

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
AD01 Patent right deemed abandoned

Effective date of abandoning: 20180928
