Privacy-preserving combinatorial auction without an auctioneer

Abstract

Combinatorial auctions are employed into many applications such as spectrum auctions held by the Federal Communications Commission (FCC). A crucial problem in such auctions is the lack of secure and efficiency mechanism to protect the privacy of the bidding prices and to ensure data security. To solve the problem, we propose an approach to represent the price as a polynomial’s degree based on verifiable secret sharing. So, we can obtain the two polynomials’s degree maximum/sum by the degree of the two polynomial’s degree sum/product. In the protocol, the bidders’ information is hidden. The auctioneers can receive the shares without a secure channel, so our protocol is more applicable to more scenarios. The scheme can resist the collusion attack, passive attack and so on. Moreover, Compared to Kikuchi (IEICE Trans Fundam Electron Commun Comput Sci 85(3):676–683, 2002); Suzuki and Yokoo (Secure combinatorial auctions by dynamic programming with polynomial secret sharing, 2003), the proposed scheme has the authentication property without increasing the communications cost.

1 Introduction

Recently, combinatorial auctions have become an interesting domain, which allow that multiple goods are sold simultaneously and any combination of goods can be bid. For example, FCC spectrum, network routing, and railroad segment can be auctioned.

To carry out a combinatorial auction, the winner determination problem has to be solved first. The problem can be cooperatively solved by multi-auction servers, which can calculate the maximum sum of combinations of bidding prices. It is a challenge problem to protect bidding prices. If the auctioneer is trust, it can solve the winner determination problem. However, it is not practical as the auctioneer may collude with a participant to reveal the bids’ information during the auction. If a strategy-proof mechanism is utilized to resist collusion attacks. However, the auctioneer can create a fake bid to increase revenue.

In traditional auctions, cryptographic functions (public key cryptography, hash chains, etc.) [1–4] are utilized to protect the bid’s privacy. However, these schemes do not consider spatial reuse, so they are not applicable to the secondary spectrum market. In the secondary spectrum market, SPRING was proposed in [5], which introduces a trustworthy agent to interact with both the auctioneer and the bidders. The sensitive information can be protected. However, SPRING depends on a trusted third party (the agent). In [6–10], homomorphic encryption [11–13] is employed to hid each bidder’s bidding values with a vector of cipher texts, and ensures the auctioneer to figure out the maximum value, and charge the bidders securely. However, the homomorphic encryption has a higher computational cost, which is not practical now.

To tackle the above challenges, two problems have to be solved. First, multi-auction servers compute the maximum sum of combinations of bidding prices, while the information of bids and the part of the optimal solution should be kept secret. Second, the collusion activity of multi-auction servers must be resisted. We employ verifiable secret sharing [14] to protect privacy and data security in combinatorial auctions. The scheme allows multi-servers to randomly choose secret shares and verify the legitimacy of them to each other.

The rest of the paper is organized as follows. Section 2 introduces related work. Section 3 presents preliminaries. In Section 4, we describe the main idea of the proposed scheme. In Section 5, we analyze the security and performance of the scheme, followed by a conclusion in Section 6.

2 Related works

To protect data security and privacy in auctions, cryptographic tools, such as AES, homomorphic encryption, and secret sharing, have been applied.

SPRING [5] presents a trustworthy agent to protect the sensitive information of the auctions. However, SPRING depends on a trusted third party (the agent). In [6, 7], the authors utilize a vector of cipher text to mask the bidding prices, and guarantee that the maximum value, randomizing the bids, and charging the bidders can be figured out. However, the schemes [6, 7] are not practical as homomorphic encryption has a very high computational overhead, which is not applicable to the applications now. In [8], a secure auction without auctioneer scheme for VCG auction is designed based on homomorphic, in which the bidders work together to decide who the winner is without auctioneer; however, the computational overhead is high for each bidder, which has low efficiency. In [9], the authors design a sealed-bid first-price auction scheme based on homomorphic encryption, in which the server processes the bidder’s encrypted bids using homomorphic encryption and the aggregation result is known by auctioneer; however, the scheme cannot resist the collusion activity between the server and auctioneer.

In [15, 16], the bidding prices are hidden via secret sharing. However, there are two weaknesses in [15] as follows. First, the relationships of multi-winner can not be solved. Second, the scheme is not efficient as the computational cost is very much higher. The bids are hidden by the degree of polynomials [16]. However, the scheme is based on the passive adversary model and cannot resist collusion attacks. Therefore, it is not practical.

In [17, 18], the sealed-bid auctions are constructed via verifiable secret sharing. The scheme can resist collusion attacks among the evaluators. However, the secret shares are obtained from a third party via a private secure channel, so the scheme cannot resist collusion attacks amongst evaluators and the third party.

In this paper, we present a privacy-preserving combinatorial auction without an auctioneer based on verifiable secret sharing [14]. Compared to [15, 16], it does not need a secure channel among the bidders and the server. Meanwhile, the proposed scheme provides the authentication without increasing the communication cost.

3 Preliminaries

We now introduce some preliminary concepts for the cryptographic primitives used in this paper.

3.1 Dynamic programming

Dynamic programming [19] can be utilized to solve the problem, which is viewed as the result of a sequence of stepwise decisions.

We first describe the dynamic programming’s concept via an algorithm of finding the longest path in a one-dimensional-directed graph in Fig. 1. The graph includes the nodes S,1,2,…,n with directed links among them. The link is denoted (j,k), where j<k. w(j,k) denoted the weight for each link (j,k). Figuring out the longest path from initial node S to terminal node n is our goal, i.e., to find a maximized path from S to n. For the sake of simplicity, we assume that it exists at least one link from j for each node j (where 1=j<n) except node n.

Fig. 1

An example of one dimension directed graph

We assume the longest path from S to n is denoted by L. The last half of L for any node j on L is also a longest path from j to n, which is called the principle of optimality. We can utilize the feature to search out the original problem’s optimal solution via the sub-problems’ optimal solutions.

Specifically, the longest path from S to n can be obtained by figuring out the following recurrence formula from node n−1 to S. In the formula, the longest path from j to n is denoted as f(j). f(j) is called the node j’s evaluation value. f(n) is defined as S for terminal node n. f(S) represents the optimal solution for initial node S.

$$ f(j)=\max_{(j,k)}\{w(j, k)+f(k)\} $$

(1)

When we calculate the formula, the value f(j) of the link (j,k) is recorded for each node j, i.e., max_(j,k){w(j,k)+f(k)} is the value of the link, which recorded links from S to n constructs the longest path.

Assume that there are n+1 stages j=1,…,n and each stage j’s state is (j,s). When j<k, there can be directed links ((j,s),(k,t)) between these states. The weight w(((j,s),(k,t))) is given for each link. The following recurrence formula is defined dynamic programming evaluates function f:

$$ f((j,s))=\max_{j<k, ((j,s),(k,t))}\{w(((j,s),(k,t)))+f((k,t))\} $$

(2)

The evaluation value f((S,s)) can be calculated, which is the original problem’s optimal value, by iteratively applying the relation for j=n,n−1,…,1 with initial values f((n,s))=iv(s).

We introduce the proposed privacy-preserving combinatorial auction without an auctioneer based on the longest path of a one-dimensional directed graph. An example is introduced in Section 4.6.

3.2 Secret sharing schemes

Secret sharing is an important cryptographic primitive, which is utilized to our scheme. Since secret sharing is developed by Shamir [20] and Blakley [21] in 1979, many secret sharing schemes have been extensively studied [14, 22–24]. Generally speaking, secret sharing is briefly introduced as follows. A dealer shares a secret with a number of users U₁,…,U _n , a user gets the secret if and only if it can co-work with at least t−1 other users, where t≤n is a pre-determined parameter. The dealer shares the secret and the users is s∈GF(p₁), where p₁>N. Each user U _i holds a secret key k _i ∈GF(p₁), which is only known by U _i and the dealer.

The dealer follows two step procedure. First, it constructs a polynomial function F(x) of degree t−1 shown in (3):

$$ F(x)=s+\sum\limits_{j=1}^{t-1}\mu_{j}x^{j}, $$

(3)

by randomly choosing each μ _j . Note that all (additive and multiplication) operations used in (3) is modular arithmetic (defined over GF(p₁)) as opposed to real arithmetic. Also s forms the constant component of F(x) - i.e., s=F(0). Then, in the second step, the dealer sends a shared secret s _i =F(x _i ) to each U _i , where x _i is a random number selected by U _i and is sent to the dealer via the secure channel protected by k _i .

We now show how to recover s by t or more users. Without loss of generality, let U₁,…,U _t be the cooperating users. The secret s=F(0) can be reconstructed from s₁=F(x₁),…,s _t =F(x _t ) by these t users.

$$ s = F(0)=\sum\limits_{j=1}^{t} \left(s_{j} \prod\limits_{i \in [1, n],i\neq j}\frac{0-x_{i}}{x_{j}-x_{i}} \right). $$

(4)

Note that the cumulative product in (4) is essentially the Lagrange coefficient. The correctness of (4) can be easily verified based on the definition of F(x).

4 The proposed scheme—secure computing

We present the proposed privacy-preserving combinatorial auction without an auctioneer, and we also discuss the security and efficiency of the scheme.

4.1 Requirements

The requirements for the secure protocol are as follows:

1. 1.

   Evaluators (servers) select their secret keys by themselves, and the weight publishers (WP) (buyers and sellers) calculate and publish the weights for each share.

2. 2.

   The legitimacy of evaluators is verified to each other, and then the evaluators cooperatively implement dynamic programming protocol to find the optimal solution, while each weight is kept secret.

To achieve this goal, the following two questions should be solved: How to resist collusion attacks? How to figure out the maximum sum of weights without revealing each weight? We denote a weight as a polynomial’s degree; So, the degree of the sum/product of the two polynomials construct the maximum/sum of the degree of two polynomials, and verifiable secret sharing scheme [14, 25] is employed to resist collusion attack.

4.2 Basic idea

Weight publisher WP has a secret s∈Z _N . WP chooses random n (n>s) points x₁,x₂,…,x _n ∈Z _N , the constant c∈Z _N , and publish them. Then, it randomly chooses a polynomial A∈Z _N [ x] s.t. deg(A)=s and A(0)=c and holds its secret. WP publishes its shares {A(x₁),A(x₂),…,A(x _n )}. Each evaluator E _l holds its share for A(x _l ), where l is the number of the evaluators,

A masking polynomial M∈Z _N [x] s.t. deg(M)=d and M(0)=0 is chosen by each WP, who keeps it secret. Then, WP calculates its l shares M(x _l ), and l−th share is selected by each evaluator. Then, masked shares A(x _l )+M(x _l ) where (l=1,2,…,d+1) are published by d+1 evaluators {E₁,E₂,…,E_d+1}. The evaluators utilize these d+1 masked shares to perform polynomial interpolation, i.e., determine polynomial is A+M, recover A(0)=A(0)+M(0), and verify whether A(0)=c or not. We can recover the constant term A(0)=c from d+1 shares if deg(A)=d, where deg(A+M)=d. We cannot recover the constant term A(0)=c from d+1 shares if deg(A+M)>d. Thus, we are convinced that deg(A)=d if A(0)=c holds. Furthermore, the degree of the sum/product of the two polynomials can construct using the maximum/sum of the degree of two polynomials by the following formulas:

$$ \max\{deg(A), deg(B)\} = deg(A + B) $$

(5)

$$ deg(A) + deg(B) = deg(A\cdot B) $$

(6)

The maximum/sum of two secrets to be locally determined as each evaluator E _l can calculate its share of sum A+B / product A·B of two polynomials A and B by calculating the sum A(x _l )+B(x _l ) / product A(x _l )·B(x _l ) of two shares A(x _l ) and B(x _l ).

4.3 System model

As shown in Fig. 2, our system model consists of three major entities: mask publisher (MP), evaluators (E), weight publishers (WP). In the following, we briefly summarize the major functions of each entity.

• Mask publisher (MP):MP is used to generate and distribute keys for all evaluators. MP also generates the mask polynomial, and distributes the mask value for each evaluator.

  Fig. 2

  

  System Model

• Evaluators (E): Each evaluator computes cooperatively executes dynamic programming and finds the optimal solution and verifies the identities of evaluators each other.

• Weight publishers (WP): Each WP distributes its shares to each evaluators.

4.4 Security model

In our security model, we consider that the following security goals need to be achieved:

• Privacy-preservation of bidders’ bids. The evaluators should be able to verify the identities of other evaluators; i.e, when the evaluators work together to figure out the optimal solution, they should verify the identities of each participant fist; meanwhile, the privacy should be protected.

• Non-repudiation: any bidder (weight publisher) cannot repudiate his bid.

• Accountability: any bidder can be verified that they follow the protocol to get the optimal solution by the evaluators.

4.5 Secure computing

4.5.1 Initialization phase

There is a mask publisher, MP, which chooses a randomly masked polynomial M∈Z _N [ x] s.t. deg(M)=d and M(0)=0 and keeps it secret. The weight publishers WP_(i,j) for each link (i,j). There are l evaluators {E₁,E₂,…,E _l } where l is greater than the length of the longest path.

To solve the verification problem, the intercommunication is needed by the mask publisher MP and the evaluators. The communication between MP and the evaluators can use the public channel. First, the mask publisher randomly selects two strong primes p and q, and calculates N=pq. Then, the mask publisher figures out the generator g, and publishes {g,N}.

Each evaluator E _i randomly chooses an integer s _i as its secret share where s _i ∈ [ 2,N], and calculates R _i =g^s _i mod N. Then, E _i sends R _i and its identity number id _i to mask publisher MP. For any two pair of evaluators E _i and E _j , MP must guarantee that R _i ≠R _j . MP publishes {id _i ,R _i }. The mask publisher MP first selects an integer s₀ from the interval [ 2,N] and computes λ such that s₀λ=1 mod ϕ(N), where ϕ(N) is the Euler phi-function; and then MP computes R₀=g^s₀ mod N. Finally, the MP calculates \(R_{i}^{\prime }=R_{i}^{s_{0}}\mod N\) and the mask value \(M_{i}=M(R_{i}^{\prime })\) for each evaluator E _i . MP publishes {R₀,λ}.

Weight Publisher WP_(i,j) enlarges its weight \(\widetilde {w}(i,j)\): \(w(i,j) = \widetilde {w}(i,j)+ t_{w} \times (j-i)\) where t _w is a threshold parameter of WP_(i,j). The extension will not change the optimal solution of the longest path from S to n. \(\widetilde {f}(i)\) and f(i) are denoted the original weight value \(\widetilde {w}(i,j)\) and the extended weight w(i,j) of node i, respectively. Then, for each node j, \(f(i)=\widetilde {f}(i) + t_{w} \times (n-i)\). So, the maximum can be computed and the secure computing is performed in Section 4.2. The polynomial H_(i,j) for node i is randomly chosen by weight publisher WP_(i,j) s.t. deg(H_(i,j))=w(i,j), and H_(i,j)(0)=c. The WP_(i,j) holds it secret.

4.5.2 Construction phase

The weighter publisher WP_(i,j) performs the following steps:

1. 1)

   Compute \(Y_{i}=H_{(i,j)} (R_{i}^{\prime }) \mod N\);

2. 2)

   Send Y _i to the evaluator E _i .

Each evaluator E _i computes performs the following steps to obtain the ith share of the optimal value:

1. 1)

   Computes

   $$ F_{j}(R_{i})=\sum\limits_{(i,k)}(H_{(i,k)}(R_{i})) \times F_{k}(R_{i}) \label {equ:each_evaluator_share} $$

   (7)

   for j=n−1,n−2,…,0, where F _j (x) is the optimized polynomial, which represents the longest path from the start node S to node j, and F _n (x)=1.

2. 2)

   Publishes HM _i =H_(0,i)×F _i +M _i . The Eq. (7) is related to the recurrence relation of dynamic programming, as described in Eq. (1).

4.5.3 Recovery and verification phase

Without loss of generality, let E={E₁,E₂,…,E_d+1}. The evaluators of E will recover the polynomial HM _i =H_(0,i)×F _i +M _i based on following procedure.

1. 1)

   Each evaluator calculates \(R_{i}^{\prime \prime }=R_{0}^{s_{i}} \mod N\) to obtain the share, where s _i is the share of HM _i .

2. 2)

   The evaluator in E verifies \(R_{i}^{\prime \prime }\), which is provided by E _i . If \({R_{i}^{\prime \prime }}^{\lambda }=R_{i} \mod N\), then \(R_{i}^{\prime \prime }\) is legitimacy; Otherwise, \(R_{i}^{\prime \prime }\) is false, which means that E _i might be a cheater. The share will be discarded.

3. 3)

   Recover the polynomial: the polynomial HM _i can be uniquely determined as follows:

   $$\begin{array}{@{}rcl@{}} & F_{j}&= \sum\limits_{i=1}^{d+1} (H_{(0,i)} \times F_{i} +M_{i})\prod\limits_{j=1, j\neq i}^{d+1} \frac{x-R_{j}^{\prime}}{R_{i}^{\prime} -R_{j}^{\prime}}\\ &&=S_{1}+S_{2}x+\cdots+S_{d} x^{d} \end{array} $$

   (8)

As described in Section 4.2, evaluators check whether deg(F₀)≤d. Evaluators can verify whether F₀=c or not. For instance, if c=0, F₀ should be equal to 0. We can perform binary search to figure out the optimal value f(0)=deg(F₀), and publish it.

4.5.4 Tracing the optimal path

Evaluators calculate the optimal path as follows:

Assume that the evaluators know f(j)=deg(F _j ), and they want to trace to node k s.t. deg(F _j )=deg(H_(j,k)×F _k + M _j ). We test whether deg(H_(j,k)×F _k +M _j )=deg(F _j )−1 or not for all nodes k linked to node j. The evaluators know that the node k attains f(j) when the inequality does not hold for node k. They can determine f(k)=deg(F _k ) as in Section 4.5.3 after finding the node k that attains f(j), and publish it. Iterating this procedure recursively yields to the optimal path.

4.6 An example

Here, we give an example of one-dimensional graph shown in Fig. 3 to explain how to apply our scheme.

Fig. 3

An example: one directed graph

There are three links, (S, 1) (1, 2), (S, 2), wherein weighers are {2, 1, 2}, respectively. The weight publishers WP_(S,1),WP_(1,2),WP_(S,2) generate the following polynomials for these links:

$$\label {equ:as} \left\{\begin{array}{ll} H_{(S,1)}=x^{2}-x&\\ H_{(1,2)}=x&\\ H_{(S,2)}=2x^{2}+2x&\\ \end{array}\right. $$

(9)

There are four evaluator {E₁,E₂,E₃,E₄}, which randomly choose x₁=1,x₂=2,x₃=3,x₄=4, respectively. For simplicity, we assume that t _w =0 and c=0.

First, the mask publisher MP first chooses mask polynomial M(x)=x², and chooses two primes p=5 and q=7, and calculates N=5×7=35. Then, the mask publisher MP chooses the generator g=2 and a randomly number s₀=5, and computes λ=5 from s₀λ=1 mod (ϕ(N)=24). MP computes R₀=g^s₀ mod N=2⁵ mod 35=32. MP publishes {g,N,R₀,λ}.

Second, the evaluator E _i computes R _i =g^x _i mod N, so four evaluators {E₁,E₂,E₃,E₄} generate R₁=2¹ mod N=2,R₂=2² mod N=4,R₃=2³ mod N=8,R₄=2⁴ mod N=16, respectively. The evaluators {E₁,E₂,E₃,E₄} send {R₁,R₂,R₃,R₄} to MP separately.

Third, MP computes \(R_{1}^{\prime }=R_{1}^{5} \mod N=32, R_{2}^{\prime }=R_{2}^{5} \mod N=9, R_{3}^{\prime }=R_{3}^{5} \mod N=8, R_{4}^{\prime }=R_{4}^{5} \mod N=11\), and computes the mask value \(M_{1}= {R_{1}^{\prime }}^{2}=1024, M_{2}={R_{2}^{\prime }}^{2}=81, M_{3}={R_{3}^{\prime }}^{2}=64, M_{4}={R_{4}^{\prime }}^{2}=121\), and then sends \(\{\{R_{1}^{\prime }, M_{1}\}, \{R_{2}^{\prime }, M_{2}\}, \{R_{3}^{\prime }, M_{3}\}, \{R_{4}^{\prime }, M_{4}\}\}\) to evaluators {E₁,E₂,E₃,E₄}, respectively.

Each evaluator computes its shares following Section 4.5.2. The evaluators’ corresponding computation are shown in Table 1.

Table 1 Each evaluator’s shares

When the evaluators work together to figure out the optimal result, the evaluators verify identities of participants each other using the method in Section 4.5.3 first. If all the evaluators pass the verification, from Table 1, the evaluators can recover F₀(x)=x³+x²+2x from the shares F₀(32)=33,856,F₀(9)=828,F₀(8)=592, and F₀(11)=1476, where F₀(0)=0. According to the Eq. (1) and (7), we figure out that f(0)=3. The evaluators also can recover the mask polynomial M(x)=x² according to the mask shares. Because the polynomial of degree 2, which is reconstructed from the shares of H_(S,1)×F₁+M, does not equal to 0, the link (S,1) attains f(0)=3, which means that the link (S,1) is included in the optimal result.

5 Result and discussion

In this section, we discuss the security properties of the proposed scheme and analyze the performance of the proposed scheme.

5.1 Security analysis

In this subsection, we discuss the security properties of the proposed scheme in terms of resistance against active attacks, resistance against passive attacks, non-repudiation, and accountability.

5.1.1 Resistance against active attacks

• Conspiracy attacks:In order to recover the secrets, we assume that two evaluators have a collusion activity. For example, two evaluators E _i and E _j can exchange their value s _i and s _j . So, E _i holds s _j while E _j holds s _i . Then, E _i calculates \({R_{j}^{\prime \prime }}^{\lambda }=R_{j}\) while E _j computes \({R_{i}^{\prime \prime }}^{\lambda }=R_{i}\). Therefore, E _i and E _j might try to pass the verification. However,it is not impossible as the Id and (Id,R) pairs have been published by all evaluators. Thus, the conspiracy of the participants E _i and E _j can be easily recognized by other participants.

• Evaluator cheating: Assume that an evaluator E _i wants to gain a secret (s) via providing a false private key R _j . E _i calculates \(R_{i}^{\prime \prime }=R_{0}^{s_{j}} \mod N\) and broadcasts it. However, other participants can check the validity of \(R_{i}^{\prime \prime }\) by calculating \({R_{i}^{\prime \prime }}^{\lambda }=R_{j}\neq R_{i}\) when receiving \(R_{i}^{\prime \prime }\) provided by E _i . Because that the Id _i and the R _i of E _i are published, it is easy to detect that E _i provides an incorrect \(R_{i}^{\prime \prime }\).

• Reconstruct the polynomial: Assume that an adversary adv wants to use fewer than t shares (t<d) to reconstruct the polynomial HM _i , it is not impossible because that it equals to break Shamir’s scheme, which has been proved that it holds the security property.

• Reveal the secret key of the evaluator: Assume an adversary wants to obtain the participant E _i ’s secret shadow s _i from the public information R _i . He obtains s _i from R _i =g^s _i ; however, he has to solve the discrete logarithm problem (DLP), which is an NP-hard problem. So, it is not impossible to obtain the secret key from the evaluator.

5.1.2 Resistance against passive attacks

Because that all published shares with random polynomials are masked by the mask publisher, meanwhile the extended weight w(i,j)=deg(H(i,j)) is equal to or larger than d, the adversary can not obtain any information from masked shares when the number of weight publishers is less than the threshold d. Thus, the proposed scheme is secure against passive adversaries.

• Non-repudiation:

  Theorem 1 If a bidder (Weight Publisher) makes a bid, it cannot deny making the bid in a later time.

  Proof If a bidder (Weight Publisher) make a bid, because that the evaluators work together to figure out the optimal result, and each participant is verified by other participants. If some Weight Publisher deny making the bid, the other evaluators can work together to trace all the internment mask result to verify whether the Weight publisher is lie or not according to the optimal result. □

• Accountability:Accountability is required to secure a system from the aspects of integrity, confidentiality, and privacy [26–30]. An accountability mechanism is typically utilized to figure out who is responsible for what. In essence, accountability means that the system is recordable and traceable, which implies that making any entity in the system accountable for all its actions. Under such a consideration, our scheme is accountable as the evaluators can verified each other and work together to obtain the optimal result, which can be used as an evidence for dispute resolution; therefore, no one can deny its actions. Thus, we claim that the scheme has the property of accountability.

5.2 Performance analysis

In this section, we discuss the performance properties of our scheme and compare our schemes with others. The comparison of the properties of our scheme and the schemes proposed in [16, 17] is shown in Table 2. The details are presented as follows:

• In [16, 17], the third party is needed, which may be dishonest. Hence, the original secrets may not be reconstructed by the evaluators. In our scheme, it is impossible for the third party to cheat the evaluators as the evaluators choose their own shadows.

  Table 2 The properties of our scheme and the schemes proposed in [16, 17]

• The validity of the shares of each evaluator can be checked by other evaluators; the proposed scheme is verifiable. This improves upon [16] in which the source of the other share cannot be verified by the evaluator. If a wrong share is provide by one evaluator, which can not be figured out by other other evaluators.

• In [16, 17], the shadows of the evaluators are received from the third party via secure channel; however, our scheme never discloses the shadow of each evaluator in the recovery and verification phases, and the shadow can be reused.

• In [16, 17], the secret shadows is transmitted via a private secure channel by weight publishers; however, in our scheme, the shadows is not transmitted by the weight publishers via secure channel because that the secret shadow is chosen by the evaluators themselves.

Table 3 shows round complexity during each phase. The proposed scheme does not consider communications without secure channels, i.e., the weight publisher or the evaluators publish shares in our scheme, which can be implemented by a bulletin board. Here, q is the number of links, n is the number of nodes, l is the number of evaluators (which is equal to or greater than possible maximal value), d+1 is the number of masks, and N is the order of the finite field Z _N .

Table 3 Communication complexity

Note that our approach does have one disadvantage: if the number of nodes is very large, our scheme may be invalid sometimes because the combinatorial auction’s winner determination problem is NP-complete.

6 Conclusions

In this paper, we presented a privacy-preserving combinatorial auction without an auctioneer scheme. In our scheme, the price is represented as the degree of a polynomial; thus, the degree of the sum/product of the two polynomials construct the maximum/sum of the degree of two polynomials. The bidders information is hidden, and the legitimacy of the evaluator is also verified based on secret sharing, which can resists collusion attacks.

Our future research will focus on the following direction: design more efficient approaches based on greedy algorithm to protect the privacy of combinatorial auction, which would be much more suitable for practical applications.