JP2002032621A - Electronic bidding/bid-opening method and device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a bidding and bid-opening method which reduces the calculation volume and performs the bid-opening only with person in charge of the bid-opening. SOLUTION: Plural bid-opening devices and plural bidding devices are connected by a communication line, and the person in charge of the bid-opening publishes a bid price table and a hash function, and each bidding device generates bid information including a price index and a signature in accordance with a bid price, secret random numbers, and the hash function and transmits them to the bid-opening devices, and the bid-opening devices publish this information and verify the signature and generate a chain of the hash function to perform verification by the calculated price index and determine a successful bidder and a price for the successful bid in the case of successful verification.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an application technology of information security technology, and a plurality of bidders distributed on a communication network such as the Internet,
The present invention relates to an electronic bidding method and apparatus for bidding using electronic communication.

[0002]

2. Description of the Related Art As a typical example of a conventional bidding method, K.
Sako, Universally verifiable auction protocol which
hides losing bids, Proc. of Public Key Cryptograph
y 2000, pp. 35-39, 2000. According to this bidding method, (1) the bidder publishes a bidding price list showing a plurality of prices.
(2) Each bidder determines a bidding price from a bidding price list and performs encryption Enc kp (Mp) using a public key kp different for each price p and a bidding message Mp for the price p. (3) The bid opener receives the bid information Enck (Mp) and decrypts the bid message Mp using the decryption key.

In this bidding method, each bidder performs encryption using a public key, and the bidder responds to the encryption (ie, the number of prices shown in the bid price table × the number of bidders × the number of bidders). ) It is necessary to perform decryption using a decryption key.

[0004]

In the conventional method, bid information is generated by public key encryption. However, since a lot of calculations are required for encryption using a public key and decryption using a decryption key. However, there is a problem that the efficiency is low.

[0005]

Since the electronic bidding method and the electronic bidding apparatus proposed in the present invention are configured using a chain of hash functions, the hash function is SH.
By using a practical hash function such as A-1,
A bid opening method and a bid opening device that are tens of thousands of times more efficient than the conventional method using public key cryptography are realized. Further, since the bid opening can be performed only by the bid opener, the bidder does not need to communicate with the bid opener at the time of opening the bid and only needs to communicate at the time of bidding, thereby realizing an efficient bidding method in terms of communication volume.

[0006] Furthermore, [price confidentiality], [verifiability], and [non-repudiation] required as an electronic bidding method are satisfied.

[0007]

(Embodiment 1) Hereinafter, Embodiment 1 of the present invention will be described. The overall configuration of the present invention includes a bid opening device (bid opener) {A _i } (1 ≦ i ≦ a) (a: the number of bid openers) and a bidding device (bid bidder) {B _j } (1 ≦ j ≦ b) ( b: number of bidders) are connected via a communication channel. In the bidding bid opening device, there bid opening device A _i performs tender opening, the other bid opening device cooperate to bid opening of tender opening device A _i. Thus, only some tender opening system A _i can prevent unauthorized because of the inability to perform the tender opening.

First, a bid opening device (bid opener) {A _i } (1 ≦ i ≦ a)
Performs the preprocessing], then each bid apparatus (each bidder) B _j performs a bid by Bid procedure, finally bid opening device (tender opening's)
{A _i } (1 ≦ i ≦ a) cooperates with [Bid Opening Procedure] to open bids. [Preprocessing] Among the bid opening devices {A _i } (1 ≦ i ≦ a), a certain bid opening device A _i has a bid price table {1,..., K,.

[0009]

[Equation 33]

[0010] is decided and made public on a public bulletin board or the like. In practice, a practical hash function such as SHA-1 is used as h. Bid Procedure each bid apparatus B _j bidding procedure (step 110-150)
Bid by. (Step 110) Each bidding apparatus B _j determines a bidding price k _j (1 ≦ k _j ≦ p). (Step 120) Each bidding device B _j uses a random number generator to generate a secret random number.
{S _{i, j} } (1 ≦ i ≦ a) is generated. (Step 130) bid information Bid _j for each bid apparatus B _j is bid k _j

[0011]

[Equation 34]

(Step 140) Each bidding device transmits bid information Bid.
_j and its signature σ _j = Sig _Bj (Bid _j ) are calculated by the signature Sig _Bj calculation unit, transmitted to each bid opening device, and made public on a public bulletin board or the like. (Step 150) each bid apparatus transmits a secure communication path secret random number S _{i, j} to each tender opening's A _i. (For example, each bidder
A: Encrypt with the public key of _i and send. [Bid Opening Procedure] The bid opening device {A _i } (1 ≦ i ≦ a) cooperates in the bid opening procedure (steps 210-250) to determine the successful bidder B _j and the successful bid price k. (Step 210) Each bid opening device A _i bids on all bidders B _j {(Bid
_j , σ _j )} (1 ≦ j ≦ b), the signature verification unit verifies the validity of the bidder's signature σ _j . (Step 220) Each bid opening device A _i converts the chain of hash functions {h ^k (S _{i, j} )} (1 ≦ k ≦ p + 1) for 1 ≦ j ≦ b to the hash function h
The calculation is performed by the calculation unit, and it is confirmed that the calculated value is equal to h ^{p + 1} (S _{i, j} ) published in advance. (At this time, if h ^p (S _{i, j} ) is made public, it will be known that the bid has been made with p, so a hash function for the price higher than the highest price in the bidding price list will be made public.) = P is repeated. (Step 230) Each bid opening device A _i is 1 ≦ j ≦ b (all bidders)
Publish h ^k (S _{i, j} ) for Some bidding devices have a set of values
{{h ^k (S _{i, j} )} (1 ≦ j ≦ b)} (1 ≦ i ≦ a)

[0013]

(Equation 35)

Is calculated and verified by comparison with b _j (step 130) which has already been published. (Step 240) If verification is not successful for all j, k
= K-1 (decrease bid price) and return to (step 230). (Step 250) If the verification is successful for certain js, the bidders B _j are made public as a successful bidder and k as a successful bid price on a public bulletin board or the like. (Embodiment 2) Hereinafter, Embodiment 2 of the present invention will be described.

The second embodiment is a t out of a threshold version of the first embodiment. If t bid collectors among the bidders {A _i } (1 ≦ i ≦ a) cooperate, the bid opening can be performed. . The overall configuration of the present invention is:
As in the first embodiment, a bid opening device (bid opener) {A _i } (1 ≦ i ≦ a) and a bidding device (bidder) {B _j } (1 ≦ j ≦ b) are connected via a communication path. I have. First, the bid opening device (bid opener) {A _i } (1 ≦ i ≦ a)
Performs the preprocessing], then each bid apparatus (bidder) B _j performs a bid by Bid procedure, finally bid opening device (tender opening's)
{A _i } (1 ≦ i ≦ a) cooperates with [Bid Opening Procedure] to open bids. [Preprocessing] Of the bid opening devices (bid openers) {A _i } (1 ≦ i ≦ a), a certain bid opening device has a bid price table {1,..., K,.

[0016]

[Equation 36]

Then, the threshold value t is determined and made public on a public bulletin board or the like. In practice, a practical hash function such as SHA-1 is used as h. Bid Procedure each bid apparatus B _j bidding procedure (step 110-15
Bid by 0). (Step 110) Each bidding apparatus B _j determines a bidding price k _j (1 ≦ k _j ≦ p). (Step 120) Each bidding device B _{j generates} a secret random number {S _{i, j} } (1 ≦ i
≦ a) is generated by a random number generator, and a random finite field Fq
Generate the above t-1 order polynomial F _j (x) ∈Fq [x]. (Step 130) bid information Bid _j for each bid apparatus B _j is bid k _j

[0018]

(37)

Is calculated. (However, s _{a, j} indicates the variance information of the price index.) (Step 140) Each bidding device transmits the bidding information Bid _j and its signature σ _j = Sig _Bj (Bid _j ) to each bid opening device and publishes them. Publish on bulletin boards. (Step 150) each bid apparatus B _j are transmitted by secure communication path secret random number S _{i, j} to each tender opening's A _i. (E.g., encrypted and transmitted with the public key of each bid opening's A _i.) [Bid opening procedure] tender opening system _{{A i} (1 ≦ i} ≦ a) is bid opening procedure [210-25
0] to open a bid in cooperation with the highest bidder B _j , the winning bid k
(Maximum bid price). (Step 210) Each bid opening device A _i bids on all bidders B _j {(Bid
_j , σ _j )} (1 ≦ j ≦ b), the signature verification unit verifies the validity of the signature σ _j . (Step 220) Each bid opening device A _i converts the chain of hash functions {h ^k (S _{i, j} )} (1 ≦ k ≦ p + 1) for 1 ≦ j ≦ b to the hash function h
The calculation is performed by the calculation unit, and it is confirmed that the calculated value is equal to h ^{p + 1} (S _{i, j} ) published in advance. (At this time, if h ^p (S _{i, j} ) is released, p
Since it is known that a bid has been made, a hash function for a price higher than the highest price in the bid price list is disclosed. (Step 225) A certain bid opening apparatus repeats the following with k = p. (Step 230) each bid opening device A _i for ^{1 ≦ j ≦ b h k (} S
_{i, j} ) on a public bulletin board. When a certain bid opening device has at least t sets out of a set of values {{h ^k (S _{i, j} )} (1 ≦ j ≦ b)} (1 ≦ i ≦ a),

[0020]

(38)

(Step 240) A certain bid opening apparatus has all j
If the verification does not hold for, set k = k-1 (step 2
Return to 30). (Step 250) If the verification is successful for a certain j, a certain bid opening device discloses the bidders B _j as the successful bidder and k as the successful bid price.

[0022]

The electronic bid opening method and apparatus proposed by the present invention are configured using a chain of hash functions, and are disclosed by using a practical hash function such as SHA-1 as the hash function. A bid opening method and apparatus that are tens of thousands of times more computationally efficient than the conventional method using key encryption is realized. Further, since the bid opening can be performed only by the bid opener, the bidder does not need to communicate with the bid opener at the time of opening the bid and only needs to communicate at the time of bidding, thereby realizing an efficient bidding method in terms of communication volume.

Further, the following properties required as an electronic bidding method are satisfied. [Price confidentiality] The bid opening ends when the winning bidder comes out, and since the value h ^k (S _{i, j} ) of the chain of hash functions after the winning bidder comes out is secret, the bid prices other than the winning bid price are kept secret. Have been. [Verifiability] Since the bid information {Bid _j } 1 ≦ j ≦ b is open to the public, anyone can verify the correctness of the chain of hash functions, and thus the validity of the successful bidder and the successful bid price. [Non-repudiation] Each bid information Bid _j has a signature σ _j = S of the bidder B _j
Since ig _Bj (B _i d _j ) is attached, bidding cannot be denied.

Further, since the bid information Bid _j is made public, it is necessary to find a collision of the hash function h in order to deny or falsify the bid that has been made.
This is not possible due to the difficulty of collision.

[Brief description of the drawings]

FIG. 1 is a schematic configuration diagram of the present invention.

Diagram illustrating a bid of bidder B _j that is Embodiment 1 of the present invention; FIG.

FIG. 3 is a block diagram of a bidding device _Bj .

[4] tender opening block diagram of a device A _i.

Claims (18)

[Claims] 1. A plurality of bid opening devices {A_i} (1 ≦ i ≦ a) (a: Bid opener
Number) and multiple bidding devices {B _j} (1 ≦ j ≦ b) (b: number of bidders)
Connected via a communication path,_i} (1 ≦ i ≦ a)
Price table {1, ..., k, ..., p} and hash function hStep 1 to decide and publish, each bidding device B_jIs the bid price k_j(1 ≦ k_j≤p)
Dense random number {S_{i, j}｝ (1 ≦ i ≦ a) is generated and the bid price k_jTo
Bid Information Bid_j (Equation 2)Calculate the bid information Bid_jAnd its signature σ_j = Sig_Bj (Bid_j)
Step 2 of transmitting to each bid opening device and publishing, and each bidding device B_jIs the secret random number S_{i, j}The opening device A_iEncryption
Step 3 to send and send,_i} (1 ≦ i ≦ a) is the total bid device B_jBid {(Bid_j,
σ_j)｝ (1 ≦ j ≦ b), then signature σ_jVerify the legitimacy of
And each bid opening device A_iIs a series of hash functions for 1 ≦ j ≦ b
Chain {h^k(S_{i, j})} (1 ≦ k ≦ p + 1), and published h
^{p + 1}(S_{i, j}Step 4 to confirm that it is equal to) and a step to repeat the following calculation assuming k = p
5 and {h^k(S_{i, j})} (1 ≦ j ≦ b) and publish a set of values {{h^k(S_{i, j})} (1
≦ j ≦ b)} (1 ≦ i ≦ a)And calculate b_j= B_j’, And for all j
If not satisfied, set k = k-1 and return to step 5
6 and if the verification is successful for some j, then bidder B_jDrop us
A step 7 for disclosing the bidder, k as a contract price
In addition, bid prices other than the winning bidder are kept secret,
All bidders can verify that the case is
It is impossible to deny or tamper with the bid,
By using commitment by chain of function
Electronic bidding characterized by efficient and efficient bidding
How to open a bill. 2. A plurality of bid opening devices {A_i} (1 ≦ i ≦ a) (a: Bid opener
Number) and multiple bidding devices {B _j} (1 ≦ j ≦ b) (b: number of bidders)
Connected via a communication path,_i} (1 ≦ i ≦ a)
Price table {1, ..., k, ..., p} and hash function hStep 1 to decide and publish, each bidding device B_j Is the bid price k_j(1 ≦ k_j≤p)
Dense random number {S_{i, j}Generate｝ (1 ≦ i ≦ a) and generate a random finite
T−1 degree polynomial F over field Fq_jGenerate (x) ∈Fq [x] and bid
k_jBid information for_j (Equation 5)Calculate the bid information Bid_jAnd its signature σ_j= Sig_Bj(Bid_j)
Step 2 of transmitting to each bid opening device and publishing it, and a secret random number S_{i, j}The opening device A_i And send it encrypted
Step 3 and the bid opening device {A_i} (1 ≦ i ≦ a) is the total bid device B_iBid {(Bid_j,
σ_j)｝ (1 ≦ j ≦ b), then signature σ_jVerify the legitimacy of
And each bid opening device A_iIs a series of hash functions for 1 ≦ j ≦ b
Chain {h^k(S_{i, j})} (1 ≦ k ≦ p + 1), and published h
^{p + 1}(S_{i, j}Step 4 to confirm that it is equal to), and a certain bidding apparatus repeats the following calculation with k = p.
5 and {h^k(S_{i, j})} (1 ≦ j ≦ b) and publish a set of values {{h^k(S_{i, j})} (1
≦ j ≦ b)} (1 ≦ i ≦ a), at least t sets are obtained,b_j= B_j’And all j are not verified
And step 6 returning to step 5 with k = k−1, and if verification is successful for some j, bidder B_jDrop us
A step 7 for disclosing the bidder, k as a contract price
Bid prices other than the winning bidder are kept secret,
All bidders can verify that the price is legitimate and
It is not possible to deny or alter such bids,
By using the commitment by the chain of functions
E-commerce, which can efficiently implement bidding
How to open bills. 3. A plurality of bidding devices {B _j } (1) connected to a plurality of bid opening devices {A _i } (1 ≦ i ≦ a) (a: the number of bidders) via a communication path.
≦ j ≦ b) (b: number of bidders), published bid price table {1,..., K,..., P} and hash function h Accordingly, each bid unit B _j is bid k _j determines _{(1 ≦ k j ≦ p)} , to generate secret random number {S _{i, j}} a (1 ≦ i ≦ a), for the bid k _j Bid information Bid _j [Equation 8] Is calculated, and the bid information Bid _j and its signature σ _j = Sig _Bj (Bid _j )
Electronic bidding, comprising: a step 1 for transmitting to each bid opening device to publish it; and a step 2 for each bidding device B _j to encrypt and transmit a secret random number S _{i, j} to each bid opening device A _i. Method. 4. A plurality of bid opening devices {A _i } (1) connected to a plurality of bidding devices {B _j } (1 ≦ j ≦ b) (b: number of bidders) via a communication path.
≦ i ≦ a) (a: the number of bidders), among the bid opening devices {A _i } (1 ≦ i ≦ a), a certain bid opening device has a bid price table {1,..., K,. p} and the hash function h Step 1 to decide and publish, and bidding information for bid price k _j created by each bidding device
Bid _j (Equation 10) And the signature σ _j = Sig _Bj (Bid _j ) and the encrypted secret random number S _{i, j} , and the bidding of all bidding devices B _j {(Bid _j , σ _j )｝ (1 ≦ j ≦ b), the validity of the signature σ _j is verified, and each of the bid opening devices A _i satisfies 1 ≦ j ≦
calculating a chain of hash functions {h ^k (S _{i, j} )} (1 ≦ k ≦ p + 1) for b and checking that it is equal to the published h ^{p + 1} (S _{i, j} ) 3, a certain bid opening apparatus repeats the following calculation assuming k = p, and step 4, and publishes {h ^k (S _{i, j} )} (1 ≦ j ≦ b) and sets a value {{h ^k ( S _{i, j} )} (1
.Ltoreq.j.ltoreq.b)} (1.ltoreq.i.ltoreq.a). Is calculated, b _j = b _j ′ is verified, and if the verification is not satisfied for all j, step 5 is returned to step 4 with k = k−1, and if the verification is satisfied for certain j, the bidder B _j A step of deciding and disclosing a successful bidder and a successful bid price of k. 5. A plurality of bidding devices {B _j } (1) connected to a plurality of bid opening devices {A _i } (1 ≦ i ≦ a) (a: the number of bidders) via a communication path.
≦ j ≦ b) (b: number of bidders), published bid price table {1,..., K,..., P} and hash function h , Each bidding device B _j determines a bidding price k _j (1 ≦ k _j ≦ p), generates a secret random number {S _{i, j} ｝ (1 ≦ i ≦ a), and generates a random finite field Fq Generate the above t−1 degree polynomial F _j (x) ∈Fq [x],
Bid information Bid _j [number 13] for the bid price k _j Is transmitted, and the bidding information Bid _j and its signature σ _j = Sig _Bj (Bid _j ) are transmitted to each bid opening device and made public, and a secret random number S _{i, j} is encrypted in each bid opening device A _i E-bidding method, comprising the step of: 6. A plurality of bid opening devices {A _i } (1) connected to a plurality of bidding devices {B _j } (1 ≦ j ≦ b) (b: the number of bidders) via a communication path.
≦ i ≦ a) (a: the number of bidders), among the bid opening devices {A _i } (1 ≦ i ≦ a), a certain bid opening device has a bid price table {1,..., K,. p}, and the hash function h Step 1 to decide and publish, and t−1 on a random finite field Fq created by each bidder
Generate a degree polynomial F _j (x) ∈Fq [x], and generate bid information Bid _j for the bid price k _j And receiving the signature σ _j = Sig _Bj (Bid _j ) and the encrypted secret random number S _{i, j ;} and bidding {(Bid _j , σ _j )｝ (1 ≦ j ≦ b), the validity of the signature σ _j is verified, and each bid opening device A _i satisfies 1 ≦ j ≦
calculating a chain of hash functions {h ^k (S _{i, j} )} (1 ≦ k ≦ p + 1) for b and checking that it is equal to the published h ^{p + 1} (S _{i, j} ) 3, a certain bid opening device repeats the following calculation with k = p, and step 4, and publishes {h ^k (S _{i, j} )} (1 ≦ j ≦ b) and sets a value {{h ^k (S _{i, j} )} (1
≦ j ≦ b)} (1 ≦ i ≦ a), if at least t sets are provided, b _j = b _j ′ is verified, and if the verification is not successful for all j, step 5 returns to step 4 with k = k−1. If the verification is successful for some _j , the bidders B _j are passed to the successful bidder. , K as a successful bid price. 7. The method according to any one of claims 1 to 6, wherein a bidder includes a bid conversion table {1, 2,..., P} and a price conversion table {v_1, v}.
_2,..., V_p}, and when a bid is made at the bid price k, it is assumed that the bid was made at the price v_k, thereby enabling bidding at various bid prices. Tender opening, bidding, or bidding method. 8. The method according to claim 1, wherein a bidder publishes a unit price u together with a bid price table {1, 2,. The bidder divides his bid price v_k = k_j × u + q_j (1 ≦ q_j ≦ u) into a multiple k_j and a fraction q_j of the unit price, and bids the bid information and the fraction q_j for k_j. An electronic bidding, bidding, or bidding method characterized in that bidding using a table of a smaller number of prices than an actual price is enabled by opening bids in the order of larger (or smaller) q_j. 9. The method according to claim 1, wherein each bidder registers his / her public key with a registration center and registers the registered public key as a temporary name. An electronic bid opening, bidding, or bid opening method in which a bid can be anonymously participated by attaching a signature with a public key. 10. A plurality of bid opening devices {A_i} (1 ≦ i ≦ a) (a: Open bill
Bidders and multiple bidding devices {B_j} (1 ≦ j ≦ b) (b: number of bidders)
Connected via a communication path,_i} (1 ≦ i ≦ a), one bid opening device is a bidding price list {1,..., K,.
Number h (Equation 17)Bid price and hash function disclosure means to determine and release
E, each bidding device B_jIs the secret random number {S_{i, j}乱 数 (1 ≦ i ≦ a) random number generating means
And the bid price k_j(1 ≦ k_j≤ p) and the bid price k_jAgainst
Bid information Bid_j (Equation 18)Information calculating means for calculating the signature σ_j = Sig_Bj (Bid_j) And the bid information Bid_jAnd its signature σ_jTo each bid opening device
Communication means and secret random number S_{i, j}The opening device A_iTo encrypt and send to
Number-encrypting transmission means, each bid opening device {A_i} (1 ≦ i ≦ a) is the bid information Bid_jAnd its signature σ_jAnd encrypted secret random number S
_{i, j}Receives the bid information Bid_jAnd its signature σ_jPublic
Opening means and all bidding equipment B_jBid {(Bid_j, σ_j)｝ (1 ≦ j ≦ b)
The signature σ_jSignature verification means for verifying the validity of the secret, and an encrypted secret random number S_{i, j}And for 1 ≦ j ≦ b
Chain of hash functions {h ^k(S_{i, j})} (1 ≦ k ≦ p + 1),
Published h^{p + 1}(S_{i, j})
A chain function calculating means, and a bid opening apparatus, wherein k = p, and a calculating means for repeating the following calculation, {h^k(S_{i, j})} (1 ≦ j ≦ b), and a set of values {{h^k(S_{i, j})} (1 ≦ j ≦ b)} (1 ≦ i ≦ a)
(19)And calculate b_j= B_j′, And if verification of the verification means fails for all j, then k = k−1
Instruction means for performing the calculation of the calculation means again, and if verification of the verification means is successful for some j, bidder B
_jA means of disclosing us as the winning bidder and k as the winning bid
The bid prices other than those with the
And all bidders can verify that the winning bid is legitimate.
Yes, it is not possible to deny or alter
Use commitment by chain of hash functions
The feature is that bids are efficiently realized by
Electronic bid opening device. 11. A plurality of bid opening devices {A _i } (1 ≦ i ≦ a) (a: the number of bidders) and a plurality of bidding devices {B _j } (1 ≦ j ≦ b) (b: ) Are connected via a communication path, and among the bid opening devices {A _i } (1 ≦ i ≦ a), one of the bid opening devices has a bid price table {1,..., K,. p}, and the hash function h A bidding price table / hash function publishing means for determining and publishing the bidding price, and each bidding apparatus B _j comprises: a random number generating means for generating a secret random number {S _{i, j} ｝ (1 ≦ i ≦ a); _j (1 ≦ k _j ≦ p) and determine a random finite field Fq
The above-mentioned t−1 order polynomial F _j (x) ∈Fq [x] is generated, and the bid information Bid _j for the bid price k _{j is given by} Information calculating means for calculating the signature σ _j = Sig _Bj (Bid _j ), transmitting means for transmitting the bid information Bid _j and its signature σ _j to each bid opening device, and a secret random number The random number encryption transmitting means for encrypting S _{i, j} and transmitting it to each bid opening device A _i , and the bid opening device {A _i } (1 ≦ i ≦ a) provide bidding information Bid _j and its signature σ _j and encryption Secret random number S
_{i, j} , receiving the bidding information Bid _j and its signature σ _j, and a publishing means, and when the bidding of all the bidding devices B _i {(Bid _j , σ _j )｝ (1 ≦ j ≦ b) is completed, A signature verification unit for verifying the validity of the signature σ _j , a decryption of the encrypted secret random number S _{i, j} , and a chain of hash functions {h ^k (S _{i, j} )} (1 ≦ j ≦ b) 1 ≦ k ≦ p + 1), and a hash function chain calculation means for confirming that it is equal to the published h ^{p + 1} (S _{i, j} ). A computing means for repeating the computation, and a publishing means for publishing {h ^k (S _{i, j} )} (1 ≦ j ≦ b), wherein a set of values {{h ^k (S _{i, j} )} (1 ≦ j ≦ b)} (1 ≦ i ≦ a), at least t sets are obtained, If the verification means for verifying b _j = b _j ′ and the verification means for all j are not satisfied, then k = k
Instruction means for performing the operation of the operation means again as −1, and if verification of the verification means is successful for a certain j, bidder B
A bidder / successful bid price determining means for deciding _j as a successful bidder and k as a winning bid price, and a publicizing means for disclosing the winning bidder and the winning bid price. In addition, all bidders can verify that the bid price is legitimate, and it is impossible to deny or falsify the bid that has been made, and it is possible to efficiently bid by using a commitment by a chain of hash functions. An electronic bidding device that can be realized. 12. A plurality of bidding devices {B _j } connected to a plurality of bid opening devices {A _i } (1 ≦ i ≦ a) (a: the number of bidders) via a communication path.
In (1 ≦ j ≦ b) (b: number of bidders), the published bid price table {1,..., K,..., P} and the hash function h Accordingly, each bidding device B _j determines a random number generating means for generating a secret random number {S _{i, j} ｝ (1 ≦ i ≦ a), and a bid price k _j (1 ≦ k _j ≦ p), and makes a bid. bid for the price k _j information bid _j [number 24] Information calculating means for calculating the signature σ _j = Sig _Bj (Bid _j ), transmitting means for transmitting the bid information Bid _j and its signature σ _j to each bid opening device, and bidding information Bid _j and a public means for publishing the signature σ _j thereof, and each bidding apparatus B _j is provided with an encryption transmitting means for encrypting and transmitting a secret random number S _{i, j} to each bid opening apparatus A _i. Electronic bidding device. 13. A plurality of bid opening devices {A _i } connected to a plurality of bidding devices {B _j } (1 ≦ j ≦ b) (b: number of bidders) via a communication path.
In (1 ≦ i ≦ a) (a: the number of bidders), among the bid opening devices {A _i } (1 ≦ i ≦ a), one of the bid opening devices has a bid price table {1,..., K,. , P} and the hash function h Publishing means to determine and publish, and bidding information for bid price k _j created by each bidding device
Bid _j (Equation 26) And its signature σ _j = Sig _Bj (Bid _j ), receiving means for receiving the encrypted secret random number S _{i, j} , and the bidding of all bidding devices B _j {(Bid _j , σ _j )｝ (1 ≦ j ≦ b), signature verification means for verifying the validity of the signature σ _j , and each bid opening device A _i performs a hash function chain {h
^k (S _{i, j} )} (1 ≦ k ≦ p + 1) and publishes h ^{p + 1} (S
_{i, j} ), a hash function chain calculation means for confirming that the value is equal to, a certain bid opening device repeats the following operation with k = p, and {h ^k (S _{i, j} )} (1 ≦ j ≦ b ) Is provided, and when all of the set of values {{h ^k (S _{i, j} )} (1 ≦ j ≦ b)} (1 ≦ i ≦ a) are prepared, And if the verification means verifying b _j = b _j ′ and verification of the verification means fail for all j, then k = k−1
Instruction means for performing the calculation of the calculation means again, and if verification of the verification means is successful for some j, bidder B
An electronic ticket opening device, comprising: means for disclosing _j as a successful bidder and k as a contract price. 14. A plurality of bidding devices {B _j } connected to a plurality of bid opening devices {A _i } (1 ≦ i ≦ a) (a: the number of bidders) via a communication path.
In (1 ≦ j ≦ b) (b: number of bidders), the published bid price table {1,..., K,..., P} and the hash function h Thus, each bidding device _Bj can _generate a secret random number {S _{i, j} ｝ (1 ≦ i ≦
a) a random number generating means for generating a bidding price k _j (1 ≦ k _j ≦ p) and a random finite field Fq
The above-mentioned t−1 order polynomial F _j (x) ∈Fq [x] is generated, and bid information Bid _j for the bid price k _{j is given by} Information calculating means for calculating the signature σ _j = Sig _Bj (Bid _j ), transmitting means for transmitting the bid information Bid _j and its signature σ _j to each bid opening device, and a secret random number An electronic bidding device comprising random number encryption transmission means for encrypting and transmitting S _{i, j} to each of the bid opening devices A _i . 15. A plurality of bid opening devices {A _i } connected to a plurality of bidding devices {B _j } (1 ≦ j ≦ b) (b: number of bidders) via a communication path.
In (1 ≦ i ≦ a) (a: the number of bidders), among the bid opening devices {A _i } (1 ≦ i ≦ a), one of the bid opening devices has a bid price table {1,..., K,. , P} and the hash function h A bid price / hash function publishing means for determining and publishing, and t−1 on a random finite field Fq created by each bidding device.
Generates a degree polynomial F _j (x) ∈Fq [x] and generates bid information Bid _j for the bid price k _j . And the signature _{σ j = Sig Bj (Bid j} ) and the encrypted secret random number S _i, a receiving means for receiving a _j, bid for all bid apparatus _{B i {(Bid j, σ} j)} (1 ≦ j ≦ b), a signature verification unit for verifying the validity of the signature σ _j , and a chain of hash functions {h ^k (S _{i, j} )} (1 ≦ k ≦
hash function chain calculation means for calculating ( ^{p + 1} ) and confirming that it is equal to the published h ^{p + 1} (S _{i, j} ); And publishing means for publishing {h ^k (S _{i, j} )} (1 ≦ j ≦ b), and a set of values {{h ^k (S _{i, j} )} (1 ≦ j ≦ b)} When at least t pairs of (1 ≦ i ≦ a) are obtained, verification means for verifying b _j = b _j ′, instruction means for performing the calculation of the calculation means again with k = k−1 if verification of the verification means is not satisfied for all j, If verification is successful, bidder B
An electronic bid opening device, comprising: a successful bidder / successful bid price determining means for determining _j as a successful bidder and k as a successful bid price; and a disclosure means for disclosing the successful bidder and the successful bid price. 16. The method according to claim 10, wherein:
In the device of the item, a bidder has a bid conversion table {v_1, v} together with a bid price table {1,2, ..., p}.
_2,..., V_p}, and when a bid is made at the bid price k, it is assumed that the bid was made at the price v_k, thereby enabling bidding at various bid prices. Bid opening, bidding, or bid opening device. 17. The method according to claim 10, wherein:
In the device of the section, a bidder publishes the unit price u together with the bid price table {1,2, ..., p}, and uses his / her bid price v_k = k_j × u + q_j (1 ≦ q_j ≦ u) as a unit. Divided into price multiples k_j and fractions q_j, bid on k_j and bid the fractions q_j, and the bidder opens bids in the order of larger (or smaller) fractions q_j, so that the price is smaller than the actual price. Electronic bidding, bidding, or bidding apparatus, which enables bidding using the table. 18. The method according to claim 10, wherein:
In the device of paragraph 1, each bidder shall be able to participate in bidding anonymously by registering his / her public key with the registration center and signing with the registered public key using the registered public key as a temporary name. Features electronic bidding, bidding, or bidding.