Brandts Fully Private Auction Protocol Revisited Jannik Dreier 1 , - PowerPoint PPT Presentation

Brandt’s Fully Private Auction Protocol Revisited Jannik Dreier 1 , Jean-Guillaume Dumas 2 , Pascal Lafourcade 1 1 Verimag and 2 Laboratoire Jean Kuntzmann (LJK), Université Grenoble 1, CNRS, FRANCE Africacrypt, Cairo, Egypt June 23, 2013

Challenges in e-Auctions • Competing parties: • Bidders/Buyers • Auctioneer • Seller • Many possible mechanisms: English, Dutch, Sealed Bid, . . .

e-Auctions: Security Requirements Fairness Verifiability Non-Repudiation Non-Cancellation Security Requirements Privacy Receipt-Freeness Coercion-Resistance Anonymity

Plan 1 Introduction 2 Brandt’s Fully Private Auction Protocol 3 Analysis & Results 4 Conclusion

Plan 1 Introduction 2 Brandt’s Fully Private Auction Protocol 3 Analysis & Results 4 Conclusion

Protocol by Brandt [Bra06] • Completely distributed protocol, no authorities • Distributed homomorphic n-out-of-n threshold ElGamal encryption • Bidders compute function f where f ij = 1 if bidder i won at price j , f ij � = 1 otherwise. • Each bidder i only learns “his” f ij , i.e. only if he won or lost • Zero-Knowledge Proofs (ZKP) to protect against misbehaving parties

Protocol execution

Protocol execution 1. Distributed key setup

Protocol execution 1. Distributed key setup 2. Encrypted bids

Protocol execution 1. Distributed key setup 2. Encrypted bids 3. Hom. Computation of f ij

Protocol execution 4. Partial decryption 1. Distributed key setup 2. Encrypted bids 3. Hom. Computation of f ij

Protocol execution 4. Partial decryption 5. Shares 1. Distributed key setup 2. Encrypted bids 3. Hom. Computation of f ij

Protocol execution 4. Partial decryption 5. Shares 1. Distributed key setup 2. Encrypted bids 3. Hom. Computation of f ij 6. Missing shares for f ij

Bid encoding, example For a public constant Y � = 1: � if j = bid a Y b aj = 1 otherwise Example: bid 1 = 3, bid 2 = 1 and bid 3 = 2. Then         b 1 , 4 1 1 1 1 1 b 1 , 3 Y         b 1 =  =  , b 2 =  , b 3 =         b 1 , 2 1 1 Y      b 1 , 1 1 Y 1

f ij , example Definition:       lower prices, same bidder bigger prices, all bidders ties using index � �� � � �� � � �� �    j − 1   i − 1  n k � � r i , j � � � �       ˜ ˜ f ij ( X ) = X hd · X id · X hj , f ij = f ij ( b )              h = 1 d = j + 1   d = 1   h = 1  Hence:   1     Y ∗ 1 ∗ 1 Y Y   b 1 = 1 ∗ 1 ∗ 1 ∗ 1 ∗ 1 1       ˜ 1 f 1 ( b ) =  =       Y ∗ 1 ∗ 1 ∗ 1 ∗ 1 ∗ 1 ∗ 1 Y    1 Y 2 1 ∗ Y ∗ 1 ∗ 1 ∗ 1 ∗ 1 ∗ Y ∗ 1 ∗ 1   1     1 ∗ 1 ∗ Y ∗ 1 Y 1   Y 2 b 2 = 1 ∗ 1 ∗ Y ∗ Y       ˜ 1 f 2 ( b ) =  =       Y 2 Y ∗ Y ∗ 1    Y Y 2 ∗ Y 2 1   1     1 ∗ Y ∗ 1 ∗ 1 ∗ 1 Y 1   Y 2 b 3 = 1 ∗ Y ∗ 1 ∗ Y ∗ 1       ˜ Y f 3 ( b ) =  =       Y ∗ 1 ∗ 1 ∗ 1 Y    1 Y 2 ∗ Y 3 1 ∗ Y b = ( b 1 , b 2 , b 3 )

Plan 1 Introduction 2 Brandt’s Fully Private Auction Protocol 3 Analysis & Results 4 Conclusion

Attacking Privacy • Observation: If r ij = 1 for all i and j , then f is injective and efficiently invertible (proof in the paper). • r ij is jointly chosen by the bidders • If malleable proofs of knowledge are used, a malicious bidder can set r ij = 1 • Allows the seller to invert f and obtain all bidders’ private bids

How to set r ij = 1 When computing � � m a � � m a ij and δ a ˜ ˜ ij , γ a ij = f ij ( α ) ij = f ij ( β ) wait until all other bidders published their γ a ij and δ a ij . Submit   − 1   − 1 � � � � � � ˜ ˜ γ k δ k γ ω ij = f ij ( α ) · and δ ω ij = f ij ( β ) · .   ij ij k � = ω k � = ω � � � m a m a m a Then r ij = ij = 1 − ij + ij = 1. a a � = ω a � = ω

� � � How to fake the proofs Proof of Knowledge of x : Peggy Victor Secret : x g , v = g x Public : g 1 : z z = g r 2 : c c 3 : s s = r + c · x ? g s == z · v c Check :

� � � How to fake the proofs Proof of Knowledge of x : Peggy Victor Secret : x g , v = g x Public : g 1 : z z = g r 2 : c c 3 : s s = r + c · x ? g s == z · v c Check : g s = g r + c · x = g r · g x · c = z · v c

� � � � How to fake the proofs Proof of Knowledge of ( 1 − x ) using Proof of Knowledge of x : Peggy Mallory Victor Secret : x g , w = gv − 1 = g 1 − x g , v = g x Public : g 1 ′ : y 1 : z � y = z − 1 z = g r 2 ′ : c 2 : c c c 3 ′ : u 3 : s � u = c − s s = r + c · x ? ? g s == z · v c g u == y · w c Check :

� � � � How to fake the proofs Proof of Knowledge of ( 1 − x ) using Proof of Knowledge of x : Peggy Mallory Victor Secret : x g , w = gv − 1 = g 1 − x g , v = g x Public : g 1 ′ : y 1 : z � y = z − 1 z = g r 2 ′ : c 2 : c c c 3 ′ : u 3 : s � u = c − s s = r + c · x ? ? g s == z · v c g u == y · w c Check : g u = g c − s = g c − r − c · x = g − r +( 1 − x ) · c = g − r · g ( 1 − x ) · c = y · w c

How to invert f • Bug in the O ( nk 2 ) algorithm in the paper, corrected version in O ( n 2 k 2 ) in technical report [DDL12] • With optimizations in O ( nk ) • Prototype implementation: Parallel Brandt with OMP on an Intel Xeon E5-4620, 32x2.2GHz 10000 1000 100 10 Time (s) 1 0.1 0.01 32 cores Brandt-32 bidders 0.001 Sequential Winner-32 bidders Sequential Attack-32 bidders 0.0001 Counter Attack-32 bidders 1e-05 0 1000 2000 3000 4000 5000 6000 7000 8000 9000 bids

Privacy, second attack Exploit the lack of authentication: • Target one bidder • Impersonate all other bidders • Resubmit the targeted bidder’s bid as their bids • Impersonate the seller • Obtain winning price=targeted bidder’s bid

Verifiability Verifiability: • No authentication of the bids, hence no verification who actually submitted the bids • r ij = 0 implies f ij = 1, hence several “winners” possible • Partial decryption phase: Need to prove the use of the correct key, otherwise “nobody wins”

Other attacks • Non-repudiation: Lack of authentication • Fairness: An attacker can impersonate all bidders, hence controlling winner and winning price.

How to fix the protocol Countermeasures against the identified issues: • Use of non-interactive or non-malleable zero-knowledge proofs • Authentication of all messages • Bidders need to prove that the value x a they use to decrypt is the same they used to generate their public key • When computing the γ a ij and δ a ij the bidders can check if the product is equal to one – if yes, they restart the protocol using different keys and random values

Plan 1 Introduction 2 Brandt’s Fully Private Auction Protocol 3 Analysis & Results 4 Conclusion

Conclusion • Analyzed Brandt’s Fully Private Auction Protocol • Completely distributed protocol designed for high privacy • However: No authentication of the messages • Attacks on Verifiability, Privacy, Fairness and Non-Repudiation • Malleable ZKPs allow for an efficient attack on privacy • Corner cases can lead to unexpected results, but are detectable • Proposed four simple fixes

Thank you for your attention! Questions? jannik.dreier@imag.fr

Felix Brandt. How to obtain full privacy in auctions. International Journal of Information Security , 5:201–216, 2006. Jannik Dreier, Jean-Guillaume Dumas, and Pascal Lafourcade. Attacking privacy in a fully private auction protocol. CoRR , abs/1210.6780, 2012.

Protocol description I Let G q be a multiplicative subgroup of order q , prime, and g a generator of the group. We consider that i , h ∈ { 1 , . . . , n } , j , bid a ∈ { 1 , . . . , k } (where bid a is the bid chosen by the bidder with index a ), Y ∈ G q \ { 1 } . More precisely, the n bidders execute the following five steps of the protocol: 1 Key Generation Each bidder a , whose bidding price is bid a among { 1 , . . . , k } does the following: • chooses a secret x a ∈ Z / q Z • chooses randomly m a ij and r aj ∈ Z / q Z for each i and j . • publishes y a = g x a and proves the knowledge of y a ’s discrete logarithm. • using the published y i then computes y = � n i = 1 y i .