1 Introduction

With the rapid development of the Internet in recent years, e-commerce, online trading, and electronic auctions are becoming more and more popular. Auctions have a long history: since the early days of ancient Babylon, the auction has gradually become an efficient form of resource allocation, and traditional auction theory is now quite mature.

With the prosperity of electronic commerce, traditional auctions have also moved to network platforms. Electronic auction is the online form of traditional auction, with more and more customers and a wide variety of auctioned items. Related economic theories have proved that auction can maximize the interests of the participants (both seller and bidder) under certain conditions.

The seller can use an online auction platform to show products using multimedia technology, with the help of traditional auction intermediaries and platform service providers.

Electronic auctions mainly take the following three forms.

  • English auction. This is the most common form of trade and is characterized by non-decreasing prices. Users compete with the highest price they are willing to pay. Bidding stops when the transaction deadline is reached, and the goods are sold to the highest bidder.

  • First-price sealed-bid auction. The bidders seal their bids. After the auction, the auctioneer opens the tenders and publishes the highest bid. The goods are sold to the highest bidder.

  • Second-price sealed-bid auction. The first-price bidder is the winning bidder, who buys the goods at the second price.

Electronic auction should satisfy the following properties.

  • Bidder anonymity; even after the publication of the auction results, no one can learn the identity of the losing bidders or their bids.

  • Non-repudiation; the winning bidder cannot deny that he/she has submitted the highest bid, and the winner's identity can be accurately obtained.

  • Verifiability; anyone can publicly verify the validity of the winner and can verify that the winning bidder is the first-price bidder among all bidders.

  • Non-deception; no one can impersonate a registered bidder to join the auction.

  • Correctness; the auctioneer should give the correct auction results.

Computer and network technology is applied to electronic auctions to make information transfer faster and communication more comprehensive, and to reduce the economic welfare loss caused by information asymmetry and poor communication. In the current network environment, however, information asymmetry has not disappeared but has increased to some extent, and deceptive behavior occurs frequently in e-auctions. In the 2010 report of the IFCC (Internet Fraud Complaint Center), e-auction fraud accounted for 10.3% of Internet fraud, and this situation has hampered the development of electronic auctions.

On the other hand, buyers' price information is a commercial secret or personal privacy. Especially in large auctions, such as spectrum auctions, exploitation of mineral rights, and real estate property rights, the tender's information may be abused, which hampers the effectiveness of the transaction and reduces the social and economic benefits. According to the survey results of the SCET (Secure Computing, Economy and Trust) project, 78% of buyers want their information to be kept confidential. We therefore need to pay attention to the security and privacy of electronic auction systems, in order to promote the development of network auction systems and increase social welfare.

The network is a virtual environment, and the bidders are anonymous on the Internet. Although anonymity can protect the privacy of individuals, it brings many security issues to online auctions. How to design a fair, privacy-preserving auction scheme is an important research problem for modern auction systems.

1.1 Our contributions

In this paper, we focus on the confidentiality protection of the bids in auction system. We construct a novel first-price sealed-bid auction scheme; the main contributions are as follows.

  • The bids are kept secret during the auction. The auctioneer cannot get the value of each bid.

  • No one can fake the winning identity, which ensures the fairness of auction.

  • The winning bid cannot be faked, and the winner cannot change it.

  • The communication cost of our scheme is low; only two rounds of communication are needed.

1.2 Related work

Private comparison is often discussed in daily life. A common ciphertext comparison problem is the millionaires' problem. Yao [15] solved it in 1986. In order to keep the data private during the comparison process, order preserving encryption (OPE) [8, 9] was proposed. However, there are many interactions between the client and the server in OPE schemes. In 2013, Furukawa [5] proposed a request-based comparable encryption scheme which needs only one round of communication. In 2015, Chen et al. [3] improved the comparison efficiency with a sliding window method.

There is much research on auctions, such as [6, 10, 13, 14]; however, most of it does not study the confidentiality of the bids. The general way to keep the auction private is to use homomorphic encryption, as in [1, 12]. Peng et al. [11] proposed a new first-bid e-auction scheme based on secret sharing, which achieved bid privacy. Franklin and Reiter [4] proposed the design and implementation of a distributed service for performing sealed-bid auctions. Li et al. [7] proposed an anonymous auction scheme with zero-knowledge proof. Brandt and Sandholm [2] studied the bid privacy problem in sealed-bid auctions and proved that the first-price sealed-bid auction can be emulated by an unconditionally fully private protocol. However, there are many interactions between the bidders and the auctioneer.

1.3 Organization of this paper

The organization of this paper is as follows. Some preliminaries are given in Section 2. The privacy preserving auction system is given in Section 3. In Section 4, we give our protocol for secure auction. The security analysis is given in Section 5. The comparisons and efficiency analysis are given in Section 6. Finally, conclusions are drawn in Section 7.

2 Preliminaries

2.1 Hash function

A hash function takes arbitrary data as input and returns a fixed-size bit string as output.

A secure hash function has four main properties:

  • Given x, the computation of h(x) is efficient.

  • Given y, finding x that satisfies h(x) = y is computationally infeasible.

  • Given x_1, finding x_2 that satisfies h(x_1) = h(x_2) is computationally infeasible.

  • Finding x_1 and x_2 that satisfy h(x_1) = h(x_2) is computationally infeasible.

2.2 Comparable encryption

We follow the definition in [5]. The comparable encryption has four algorithms, Gen, Enc, Der, and Cmp.

  • Gen: Inputs a security parameter λ ∈ N and a range parameter n ∈ N, outputs a master key mkey. (pa is the parameter)

$$ \left( pa, mkey\right)\leftarrow Gen\left(\lambda, n\right) $$

  • Der: Inputs the master key mkey and a number 0 ≤ num < 2^n, outputs a token t.

$$ t\leftarrow Der\left( mkey, num\right) $$

  • Enc: Inputs the master key mkey and a number 0 ≤ num < 2^n, outputs a ciphertext c.

$$ ciph\leftarrow Enc\left( mkey, num\right) $$

  • Cmp: Inputs two ciphertexts c and c′, and a token t, outputs a value in {−1, 1, 0}.

$$ Cmp\left( ciph,{ciph}^{\prime },t\right)\in \left\{-1,1,0\right\} $$

We assume the ciphertext c and the token t input to Cmp are generated as

$$ t= Der\left( mkey, num\right) $$

and

$$ c= Enc\left( mkey, num\right). $$

The output of Cmp is −1, 0, or 1, respectively, when

$$ num<{num}^{\prime }, $$
$$ num={num}^{\prime }, $$

or

$$ num>{num}^{\prime }. $$

3 Privacy preserving auction system

3.1 Design goals

The design goals of our system are as follows.

  • Confidentiality. To protect the private information of each entity. Each bid should be known only to the bidder himself/herself before the bid opening phase starts.

  • Correctness. To make sure that the authority returns the correct results. The auction results should be determined according to the auction rule.

  • Privacy. To make sure the losing bids are kept secret. The losing bids should not be revealed in the process of the auction.

  • Secure Comparison. The bids will not be revealed in the comparison process.

  • Fairness. The bidders must not be able to modify and/or deny the submitted bids.

  • Verification. Participants could verify the winning bid.

3.2 Auction model

The auction system contains two parties, auctioneer (AU) and the bidders.

In order to keep the bids private, the bids should be encrypted before being sent to AU.

AU constructs the auction system and then generates the system parameters and the master key.

Bidders encrypt the data with the master key and generate the tokens with their random values.

The system model is shown in Fig. 1.

Fig. 1 Auction model

The auction system can be described as follows.

  • Setup. The bidders share the master key, which will be used to generate the ciphertexts and the tokens.

  • Token generation. Each bidder generates the tokens of his/her encrypted data and sends the ciphertexts and tokens to AU.

  • Bidding comparison. AU performs some computations on the tokens and finds the first differing value of the ciphertexts. It then gives the bidding result.

  • Verification. AU publishes the token of the highest bid. The bidder who wins the auction should send the ciphertext to the auctioneer as a proof. The auctioneer checks whether the bidder is the winner or not with the random number provided by the bidder.

4 Our construction of auction system with privacy protection

In this section, we give our privacy preserving scheme for first-price sealed-bid auction. We assume bidders do not collude with the auctioneer.

Setup. One of the bidders, such as B_1, generates the master key mkey, and then B_1 sends mkey to the other bidders through a secure channel.

Token generation. Bidder B_j transforms the bid into binary form.

$$ \mathrm{bid}={\sum}_{i=0}^m{2}^{i}{b}_{i}=\left({b}_m,{b}_{m-1},\dots, {b}_1,{b}_0\right). $$

The token is generated as follows.

$$ {\displaystyle \begin{array}{l}{d}_m=H\left( mkey,\left(0,0,0\right)\right)\\ {}{d}_i=H\left( mkey,\left(1,{d}_{i+1},{b}_i\right)\right)\end{array}} $$

for i = m − 1,...,0.

B_i outputs the token

$$ t=\left({d}_0,{d}_1,\dots, {d}_m\right). $$

Ciphertext generation. The bidder B_t randomly chooses R ∈ Z_p (p is a large prime number), and generates

$$ {\displaystyle \begin{array}{l}{c}_i=H\left({d}_i,\left(2,0,H(R)\right)\right)\\ {}{e}_i=H\left( mkey,\left(4,{d}_{i+1},0\right)\right)+{b}_i\operatorname{mod}\ 3\\ {}{f}_i=H\left({d}_{i+1},\left(5,0,H(R)\right)\right)+{e}_i\operatorname{mod}\ 3\end{array}} $$

for i = m − 1,...,0.

The output ciphertext is

$$ ciph=\left(H(R),\left({c}_0,\dots, {c}_{m-1}\right),\left({f}_0,\dots, {f}_{m-1}\right)\right). $$

Then, B_t sends the ciphertext ciph to the auctioneer and publishes H(R||f_0||f_1||···||f_{m−1}) as the winning proof.

Bidding comparison. The comparison of two bids is as follows.

  1. The auctioneer selects two ciphertexts ciph and ciph′ and gets H(R) and H(R′). The auctioneer then compares the sequences in the two ciphertexts until the first different pair appears. Let 0 ≤ j ≤ m − 1. If ∀k, j < k ≤ m − 1,

$$ {c}_k^{\prime }=H\left({d}_k,\left(2,0,H\left({R}^{\prime}\right)\right)\right)\wedge {c}_j^{\prime}\ne H\left({d}_j,\left(2,0,H\left({R}^{\prime}\right)\right)\right) $$

is true, then b_j and b′_j are the first different bits.

If ∀k, 0 ≤ k ≤ m − 1,

$$ {c}_k^{\prime }=H\left({d}_k,\left(2,0,H\left({R}^{\prime}\right)\right)\right) $$

holds, that means bid = bid′.

  2. The auctioneer computes

$$ \begin{array}{ll}\mathrm{diff}& ={f}_j-H\left({d}_{j+1},\left(5,0,H(R)\right)\right)\\ {}& \quad -\left({f}_j^{\prime }-H\left({d}_{j+1},\left(5,0,H\left({R}^{\prime}\right)\right)\right)\right)\ \operatorname{mod}\ 3\\ {}& ={b}_j-{b}_j^{\prime}\ \operatorname{mod}\ 3.\end{array} $$

If bid > bid′, then diff = 1 mod 3; else if bid < bid′, then diff = −1 = 2 mod 3.

The comparisons continue until all the ciphertexts have been compared; the auctioneer then outputs the winning result.

Verification. After the above comparison steps, the auctioneer publishes the token and the ciphertext of the highest bid. The bidder who claims that he/she is the winner should send to the auctioneer his/her bid as the winning bid and the value R as the proof. The auctioneer checks whether the bidder is the winner or not through the equation

$$ H\left({R}^{\ast}\right)\overset{?}{=}H(R). $$

If the verification is passed, the auctioneer publishes the winner’s bid. And every bidder can verify the winning result.
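The protocol of this section, carried through end to end as an added example (it is not the authors' C/PBC implementation). HMAC-SHA256 for the keyed hash H(key, ·), SHA-256 for H(R), a random 32-byte R in place of R ∈ Z_p, the 16-bit bid width M and all function names are assumptions of this sketch.

```python
import hashlib, hmac, secrets
M = 16  # assumed bid width in bits: 0 <= bid < 2**M

def H(key, *parts):
    # H(key, (a, b, c)) via HMAC-SHA256 (assumed); ints are one byte, digests 32 bytes.
    msg = b"".join(p if isinstance(p, bytes) else bytes([p]) for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def h3(x): return int.from_bytes(x, "big") % 3   # hash output reduced mod 3
def sha(x): return hashlib.sha256(x).digest()    # unkeyed H(.), used for H(R)

def der(mkey, bid):
    """Token t = (d_0, ..., d_M), chained over the bits from the most significant down."""
    d = [b""] * M + [H(mkey, 0, 0, 0)]
    for i in range(M - 1, -1, -1):
        d[i] = H(mkey, 1, d[i + 1], (bid >> i) & 1)
    return d

def enc(mkey, bid, R):
    """Return (ciph, proof): ciph = (H(R), c, f), proof = H(R || f_0 || ... || f_{M-1})."""
    d, hR = der(mkey, bid), sha(R)
    c = [H(d[i], 2, 0, hR) for i in range(M)]
    e = [(h3(H(mkey, 4, d[i + 1], 0)) + ((bid >> i) & 1)) % 3 for i in range(M)]
    f = [(h3(H(d[i + 1], 5, 0, hR)) + e[i]) % 3 for i in range(M)]
    return (hR, c, f), sha(R + bytes(f))

def cmp(token, ciph, ciph2):
    """1 if bid > bid', -1 if bid < bid', 0 if equal; token and ciph belong to bid."""
    (hR, _, f), (hR2, c2, f2) = ciph, ciph2
    for j in range(M - 1, -1, -1):               # scan from the most significant bit
        if c2[j] != H(token[j], 2, 0, hR2):      # first position where d_j != d'_j
            e = (f[j] - h3(H(token[j + 1], 5, 0, hR))) % 3
            e2 = (f2[j] - h3(H(token[j + 1], 5, 0, hR2))) % 3
            return 1 if (e - e2) % 3 == 1 else -1
    return 0

def winner(subs):  # auctioneer side: subs = [(token, ciph), ...] -> index of top bid
    best = 0
    for k in range(1, len(subs)):
        if cmp(subs[k][0], subs[k][1], subs[best][1]) == 1:
            best = k
    return best

def verify_claim(ciph, proof, R_star):
    """Check a claimed R* against H(R) in ciph and against the published winning proof."""
    ok_r = hmac.compare_digest(sha(R_star), ciph[0])
    return ok_r and hmac.compare_digest(sha(R_star + bytes(ciph[2])), proof)

def demo(bids=(4200, 5100, 5099)):               # constructed sample bids
    mkey = secrets.token_bytes(32)               # shared by bidders only, never sent to AU
    Rs = [secrets.token_bytes(32) for _ in bids] # stands in for R in Z_p (assumption)
    sealed = [enc(mkey, b, R) for b, R in zip(bids, Rs)]
    w = winner([(der(mkey, b), s[0]) for b, s in zip(bids, sealed)])
    return w, verify_claim(*sealed[w], Rs[w]), verify_claim(*sealed[w], Rs[0])
```

`demo()` returns the winner's index, the result of the winner's own claim, and the result of a losing bidder's claim with a different R.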

5 Security analysis

5.1 Security of parameters

Theorem 1 The bids will not be revealed in the comparison process.

Proof The bid is

$$ bid=\left({b}_m,{b}_{m-1},\cdots, {b}_1,{b}_0\right). $$

The token is t = (d_0, d_1, ..., d_m), where

$$ {\displaystyle \begin{array}{l}{d}_m=H\left( mkey,\left(0,0,0\right)\right)\\ {}{d}_i=H\left( mkey,\left(1,{d}_{i+1},{b}_i\right)\right)\end{array}} $$

for i = m − 1,...,0.

And the ciphertext is ciph = (H(R), (c_0, ..., c_{m−1}), (f_0, ..., f_{m−1})),

where

$$ {\displaystyle \begin{array}{l}{c}_i=H\left({d}_i,\left(2,0,H(R)\right)\right)\\ {}{e}_i=H\left( mkey,\left(4,{d}_{i+1},0\right)\right)+{b}_i\operatorname{mod}\ 3\\ {}{f}_i=H\left({d}_{i+1},\left(5,0,H(R)\right)\right)+{e}_i\operatorname{mod}\kern0.5em 3\end{array}} $$

for i = m − 1,...,0.

The ciphertext is generated by the token, and the master key mkey is unknown to the auctioneer; thus, the auctioneer cannot generate a valid token, i.e., he/she cannot test the bids with other values.

On the other hand, the auctioneer only learns the range of the difference between the bids. The auctioneer knows the first differing bit of two bids, which means the difference of the two bids is less than 2^j. If the auctioneer keeps on comparing, he/she cannot get any information about the bids.

In the comparison phase, the auctioneer computes as follows: set j from m − 1 to 0; if ∀k, j < k ≤ m − 1,

$$ {c}_k^{\prime }=H\left({d}_k,\left(2,0,H\left({R}^{\prime}\right)\right)\right)\wedge {c}_j^{\prime}\ne H\left({d}_j,\left(2,0,H\left({R}^{\prime}\right)\right)\right) $$

is true, then j is the location of the first different bit.

If the auctioneer continues comparing with the rest of the information, then in this case d_{j+1} = d′_{j+1} and d_j ≠ d′_j. This means

$$ \begin{array}{l}{f}_{j-1}-H\left({d}_j,\left(5,0,H(R)\right)\right)-\left({f}_{j-1}^{\prime }-H\left({d}_j,\left(5,0,H\left({R}^{\prime}\right)\right)\right)\right)\\ {}=H\left({d}_j,\left(5,0,H(R)\right)\right)+{e}_{j-1}-H\left({d}_j,\left(5,0,H(R)\right)\right)-H\left({d}_j^{\prime },\left(5,0,H\left({R}^{\prime}\right)\right)\right)-{e}_{j-1}^{\prime }+H\left({d}_j,\left(5,0,H\left({R}^{\prime}\right)\right)\right)\\ {}=H\left( mkey,\left(4,{d}_j,0\right)\right)+{b}_{j-1}-H\left( mkey,\left(4,{d}_j^{\prime },0\right)\right)-{b}_{j-1}^{\prime}\\ {}\ne {b}_{j-1}-{b}_{j-1}^{\prime }.\end{array} $$

Hence, the auctioneer cannot do any further comparison.

Theorem 2 No one can forge the winning identity, and the winner cannot change the winning bid.

Proof If any bidder other than the winner claims that he/she is the winner, then he/she must generate the same ciphertext corresponding to the winning bid. Since he/she has no knowledge of the random value R and H(·) is a collision-resistant hash function, the probability that H(R′) = H(R) is negligible.

On the other hand, if the winner wants to change the winning bid, he/she must generate a valid ciphertext for a bid that is less than the winning bid and more than the other bids. However, since H(·) is a collision-resistant hash function, it is impossible to generate a ciphertext and a random value that match the winning proof H(R||f_0||f_1||···||f_{m−1}).

6 Comparisons and efficiency

6.1 Comparisons

Some comparisons with related work are shown in Table 1.

Table 1 Comparisons

6.2 Efficiency analysis

We implement our mechanism using the C language and the pairing-based cryptography (PBC) library. The tests were carried out on a Linux machine with Intel Core i5-3239M processors running at 2.60 GHz and 4G memory. The time cost in the token generation and comparison phases is shown in Figs. 2 and 3.

Fig. 2 Time cost of token generation

Fig. 3 Time cost in comparison phase

7 Conclusions

Fairness is one of the most important properties in all kinds of auctions. The basis of fairness is the confidentiality of the bids. No one except the bidder should know the real value of his/her bid during the auction process. In this paper, an efficient scheme for the construction of a first-price sealed-bid auction based on comparable encryption is proposed. In our scheme, the confidentiality of each bid is protected, and the winning bid cannot be faked. In addition, we reduce the communication rounds between the bidders and the auctioneer; only two rounds are needed. Our scheme is practical and can protect the bids of each bidder in the auction process.