Privacy-preserving combinatorial auction without an auctioneer
Abstract
Combinatorial auctions are employed in many applications, such as the spectrum auctions held by the Federal Communications Commission (FCC). A crucial problem in such auctions is the lack of a secure and efficient mechanism to protect the privacy of the bidding prices and to ensure data security. To solve the problem, we propose an approach that represents the price as the degree of a polynomial, based on verifiable secret sharing. The maximum/sum of the degrees of two polynomials can then be obtained as the degree of the sum/product of the two polynomials. In the protocol, the bidders’ information is hidden. The auctioneers can receive the shares without a secure channel, so our protocol is applicable to more scenarios. The scheme can resist collusion attacks, passive attacks, and so on. Moreover, compared to Kikuchi (IEICE Trans Fundam Electron Commun Comput Sci 85(3):676–683, 2002) and Suzuki and Yokoo (Secure combinatorial auctions by dynamic programming with polynomial secret sharing, 2003), the proposed scheme has the authentication property without increasing the communication cost.
Keywords
Security, Verification, Combinatorial auctions, Dynamical programming, Secret sharing
1 Introduction
Recently, combinatorial auctions have become an active research area. They allow multiple goods to be sold simultaneously, and bids can be placed on any combination of goods. For example, FCC spectrum, network routing, and railroad segments can be auctioned.
To carry out a combinatorial auction, the winner determination problem has to be solved first. The problem can be solved cooperatively by multiple auction servers, which calculate the maximum sum of combinations of bidding prices. Protecting the bidding prices is a challenging problem. If the auctioneer is trusted, it can solve the winner determination problem itself. However, this is not practical, as the auctioneer may collude with a participant to reveal the bids’ information during the auction. A strategyproof mechanism can be utilized to resist collusion attacks; however, the auctioneer can still create a fake bid to increase revenue.
In traditional auctions, cryptographic functions (public key cryptography, hash chains, etc.) [1, 2, 3, 4] are utilized to protect the bid’s privacy. However, these schemes do not consider spatial reuse, so they are not applicable to the secondary spectrum market. In the secondary spectrum market, SPRING was proposed in [5]; it introduces a trustworthy agent that interacts with both the auctioneer and the bidders, so that the sensitive information can be protected. However, SPRING depends on a trusted third party (the agent). In [6, 7, 8, 9, 10], homomorphic encryption [11, 12, 13] is employed to hide each bidder’s bidding values in a vector of ciphertexts, while enabling the auctioneer to figure out the maximum value and charge the bidders securely. However, homomorphic encryption has a high computational cost, which is not practical now.
To tackle the above challenges, two problems have to be solved. First, multiple auction servers compute the maximum sum of combinations of bidding prices, while the information of the bids and the part of the optimal solution should be kept secret. Second, collusion among the auction servers must be resisted. We employ verifiable secret sharing [14] to protect privacy and data security in combinatorial auctions. The scheme allows the servers to randomly choose secret shares and to verify their legitimacy to each other.
The rest of the paper is organized as follows. Section 2 introduces related work. Section 3 presents preliminaries. In Section 4, we describe the main idea of the proposed scheme. In Section 5, we analyze the security and performance of the scheme, followed by a conclusion in Section 6.
2 Related works
To protect data security and privacy in auctions, cryptographic tools, such as AES, homomorphic encryption, and secret sharing, have been applied.
SPRING [5] presents a trustworthy agent to protect the sensitive information of the auctions. However, SPRING depends on a trusted third party (the agent). In [6, 7], the authors utilize a vector of ciphertexts to mask the bidding prices, and guarantee that finding the maximum value, randomizing the bids, and charging the bidders can still be carried out. However, the schemes in [6, 7] are not practical, as homomorphic encryption has a very high computational overhead, which is not applicable to current applications. In [8], a secure auction scheme without an auctioneer is designed for the VCG auction based on homomorphic encryption, in which the bidders work together to decide who the winner is without an auctioneer; however, the computational overhead is high for each bidder, so the efficiency is low. In [9], the authors design a sealed-bid first-price auction scheme based on homomorphic encryption, in which the server processes the bidders’ encrypted bids using homomorphic encryption and the aggregation result is known by the auctioneer; however, the scheme cannot resist collusion between the server and the auctioneer.
In [15, 16], the bidding prices are hidden via secret sharing. However, there are two weaknesses in [15]. First, the relationships among multiple winners cannot be resolved. Second, the scheme is not efficient, as the computational cost is very high. In [16], the bids are hidden by the degree of polynomials. However, the scheme is based on the passive adversary model and cannot resist collusion attacks. Therefore, it is not practical.
In [17, 18], sealed-bid auctions are constructed via verifiable secret sharing. The scheme can resist collusion attacks among the evaluators. However, the secret shares are obtained from a third party via a private secure channel, so the scheme cannot resist collusion attacks amongst the evaluators and the third party.
In this paper, we present a privacy-preserving combinatorial auction without an auctioneer based on verifiable secret sharing [14]. Compared to [15, 16], it does not need a secure channel between the bidders and the server. Meanwhile, the proposed scheme provides authentication without increasing the communication cost.
3 Preliminaries
We now introduce some preliminary concepts for the cryptographic primitives used in this paper.
3.1 Dynamic programming
Dynamic programming [19] can be utilized to solve a problem whose solution is viewed as the result of a sequence of stepwise decisions.
We assume the longest path from S to n is denoted by L. The last half of L for any node j on L is also a longest path from j to n, which is called the principle of optimality. We can utilize the feature to search out the original problem’s optimal solution via the subproblems’ optimal solutions.
When we calculate the formula, the link (j,k) that attains the value f(j), i.e., max_{(j,k)}{w(j,k)+f(k)}, is recorded for each node j; the recorded links from S to n construct the longest path.
The evaluation value f((S,s)), which is the original problem’s optimal value, can be calculated by iteratively applying the relation for j=n,n−1,…,1 with initial values f((n,s))=iv(s).
We introduce the proposed privacy-preserving combinatorial auction without an auctioneer based on the longest path of a one-dimensional directed graph. An example is introduced in Section 4.6.
3.2 Secret sharing schemes
Secret sharing is an important cryptographic primitive, which is utilized in our scheme. Since secret sharing was introduced by Shamir [20] and Blakley [21] in 1979, many secret sharing schemes have been extensively studied [14, 22, 23, 24]. Secret sharing can be briefly introduced as follows. A dealer shares a secret with a number of users U_{1},…,U_{ n }; a user gets the secret if and only if it can cooperate with at least t−1 other users, where t≤n is a predetermined parameter. The secret shared between the dealer and the users is s∈GF(p_{1}), where p_{1}>N. Each user U_{ i } holds a secret key k_{ i }∈GF(p_{1}), which is only known by U_{ i } and the dealer.
by randomly choosing each μ_{ j }. Note that all (additive and multiplicative) operations used in (3) are modular arithmetic (defined over GF(p_{1})) as opposed to real arithmetic. Also, s forms the constant component of F(x), i.e., s=F(0). Then, in the second step, the dealer sends a shared secret s_{ i }=F(x_{ i }) to each U_{ i }, where x_{ i } is a random number selected by U_{ i } and sent to the dealer via the secure channel protected by k_{ i }.
Note that the cumulative product in (4) is essentially the Lagrange coefficient. The correctness of (4) can be easily verified based on the definition of F(x).
4 The proposed scheme—secure computing
We present the proposed privacy-preserving combinatorial auction without an auctioneer, and we also discuss the security and efficiency of the scheme.
4.1 Requirements
 1. Evaluators (servers) select their secret keys by themselves, and the weight publishers (WP) (buyers and sellers) calculate and publish the weights for each share.
 2. The evaluators verify their legitimacy to each other, and then cooperatively execute the dynamic programming protocol to find the optimal solution, while each weight is kept secret.
To achieve this goal, the following two questions should be solved: How to resist collusion attacks? How to figure out the maximum sum of weights without revealing each weight? We denote a weight as a polynomial’s degree, so the degree of the sum/product of two polynomials gives the maximum/sum of the degrees of the two polynomials, and a verifiable secret sharing scheme [14, 25] is employed to resist collusion attacks.
4.2 Basic idea
Weight publisher WP has a secret s∈Z_{ N }. WP chooses n (n>s) random points x_{1},x_{2},…,x_{ n }∈Z_{ N } and the constant c∈Z_{ N }, and publishes them. Then, it randomly chooses a polynomial A∈Z_{ N }[ x] s.t. deg(A)=s and A(0)=c, and keeps it secret. WP publishes its shares {A(x_{1}),A(x_{2}),…,A(x_{ n })}. Each evaluator E_{ l } holds its share A(x_{ l }), where l is the number of the evaluators,
The maximum/sum of two secrets can be determined locally, as each evaluator E_{ l } can calculate its share of the sum A+B / product A·B of two polynomials A and B by calculating the sum A(x_{ l })+B(x_{ l }) / product A(x_{ l })·B(x_{ l }) of the two shares A(x_{ l }) and B(x_{ l }).
4.3 System model
Mask publisher (MP): MP is used to generate and distribute keys for all evaluators. MP also generates the mask polynomial, and distributes the mask value for each evaluator.

Evaluators (E): The evaluators cooperatively execute dynamic programming to find the optimal solution, and verify each other’s identities.

Weight publishers (WP): Each WP distributes its shares to each evaluator.
4.4 Security model

Privacy preservation of bidders’ bids: The evaluators should be able to verify the identities of other evaluators; i.e., when the evaluators work together to figure out the optimal solution, they should verify the identity of each participant first; meanwhile, the privacy should be protected.

Non-repudiation: any bidder (weight publisher) cannot repudiate his bid.

Accountability: the evaluators can verify that any bidder follows the protocol to get the optimal solution.
4.5 Secure computing
4.5.1 Initialization phase
There is a mask publisher, MP, which randomly chooses a mask polynomial M∈Z_{ N }[ x] s.t. deg(M)=d and M(0)=0 and keeps it secret. There is a weight publisher WP_{(i,j)} for each link (i,j). There are l evaluators {E_{1},E_{2},…,E_{ l }}, where l is greater than the length of the longest path.
To solve the verification problem, communication is needed between the mask publisher MP and the evaluators. The communication between MP and the evaluators can use the public channel. First, the mask publisher randomly selects two strong primes p and q, and calculates N=pq. Then, the mask publisher figures out the generator g, and publishes {g,N}.
Each evaluator E_{ i } randomly chooses an integer s_{ i } as its secret share, where s_{ i }∈ [ 2,N], and calculates R_{ i }=g^{s_{ i }} mod N. Then, E_{ i } sends R_{ i } and its identity number id_{ i } to the mask publisher MP. For any pair of evaluators E_{ i } and E_{ j }, MP must guarantee that R_{ i }≠R_{ j }. MP publishes {id_{ i },R_{ i }}. The mask publisher MP first selects an integer s_{0} from the interval [ 2,N] and computes λ such that s_{0}λ=1 mod ϕ(N), where ϕ(N) is the Euler phi-function; then MP computes R_{0}=g^{s_{0}} mod N. Finally, MP calculates \(R_{i}^{\prime }=R_{i}^{s_{0}}\mod N\) and the mask value \(M_{i}=M(R_{i}^{\prime })\) for each evaluator E_{ i }. MP publishes {R_{0},λ}.
Weight publisher WP_{(i,j)} enlarges its weight \(\widetilde {w}(i,j)\): \(w(i,j) = \widetilde {w}(i,j)+ t_{w} \times (j-i)\), where t_{ w } is a threshold parameter of WP_{(i,j)}. The extension does not change the optimal solution of the longest path from S to n. \(\widetilde {f}(i)\) and f(i) denote the values of node i under the original weights \(\widetilde {w}(i,j)\) and the extended weights w(i,j), respectively. Then, for each node i, \(f(i)=\widetilde {f}(i) + t_{w} \times (n-i)\). So, the maximum can be computed and the secure computing is performed as in Section 4.2. The polynomial H_{(i,j)} for node i is randomly chosen by weight publisher WP_{(i,j)} s.t. deg(H_{(i,j)})=w(i,j) and H_{(i,j)}(0)=c. WP_{(i,j)} keeps it secret.
4.5.2 Construction phase
 1) Compute \(Y_{i}=H_{(i,j)} (R_{i}^{\prime }) \mod N\);
 2) Send Y_{ i } to the evaluator E_{ i }.

 1) Computes
$$ F_{j}(R_{i})=\sum\limits_{(i,k)}(H_{(i,k)}(R_{i})) \times F_{k}(R_{i}) $$(7)
for j=n−1,n−2,…,0, where F_{ j }(x) is the optimized polynomial, which represents the longest path from the start node S to node j, and F_{ n }(x)=1.
 2) Publishes HM_{ i }=H_{(0,i)}×F_{ i }+M_{ i }.
Eq. (7) is related to the recurrence relation of dynamic programming, as described in Eq. (1).
4.5.3 Recovery and verification phase
 1) Each evaluator calculates \(R_{i}^{\prime \prime }=R_{0}^{s_{i}} \mod N\) to obtain the share, where s_{ i } is the share of HM_{ i }.
 2) The evaluators in E verify \(R_{i}^{\prime \prime }\), which is provided by E_{ i }. If \({R_{i}^{\prime \prime }}^{\lambda }=R_{i} \mod N\), then \(R_{i}^{\prime \prime }\) is legitimate; otherwise, \(R_{i}^{\prime \prime }\) is false, which means that E_{ i } might be a cheater, and the share is discarded.
 3) Recover the polynomial: the polynomial HM_{ i } can be uniquely determined as follows:
$$\begin{array}{@{}rcl@{}} F_{j} &=& \sum\limits_{i=1}^{d+1} (H_{(0,i)} \times F_{i} +M_{i})\prod\limits_{j=1, j\neq i}^{d+1} \frac{x-R_{j}^{\prime}}{R_{i}^{\prime}-R_{j}^{\prime}}\\ &=& S_{1}+S_{2}x+\cdots+S_{d} x^{d} \end{array} $$(8)
As described in Section 4.2, evaluators check whether deg(F_{0})≤d. Evaluators can verify whether F_{0}=c or not. For instance, if c=0, F_{0} should be equal to 0. We can perform binary search to figure out the optimal value f(0)=deg(F_{0}), and publish it.
4.5.4 Tracing the optimal path
Evaluators calculate the optimal path as follows:
Assume that the evaluators know f(j)=deg(F_{ j }), and they want to trace to node k s.t. deg(F_{ j })=deg(H_{(j,k)}×F_{ k }+ M_{ j }). We test whether deg(H_{(j,k)}×F_{ k }+M_{ j })=deg(F_{ j })−1 or not for all nodes k linked to node j. The evaluators know that the node k attains f(j) when the inequality does not hold for node k. After finding the node k that attains f(j), they can determine f(k)=deg(F_{ k }) as in Section 4.5.3, and publish it. Iterating this procedure recursively yields the optimal path.
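The degree encoding of Section 4.2, the recurrence of Eq. (7), the masked degree check of Section 4.5.3 and the tracing step above can be followed end to end in a small simulation. The following Python sketch is an added example, not the authors' code; it leaves out the identity verification of Section 4.5.3. It assumes a prime modulus P in place of Z_N, a fresh mask polynomial for every degree test, c=0, t_w=0 and a constructed four-node graph, and all function names are hypothetical.

```python
import random

P = 2_147_483_647            # prime modulus: an assumption made here, the page works in Z_N
rng = random.Random(2018)    # fixed seed so the run is reproducible
XS = list(range(1, 9))       # public points of 8 evaluators (more than the longest path)
# Constructed one-dimensional directed graph: link (i, j) -> secret weight w(i, j).
LINKS = {(0, 1): 2, (0, 2): 3, (1, 2): 2, (1, 3): 4, (2, 3): 1}
LAST = 3                     # node n, with F_n(x) = 1


def rand_poly(deg):
    """Coefficients (low to high) of a random polynomial of exact degree deg with value c = 0 at x = 0."""
    if deg == 0:
        return [0]
    return [0] + [rng.randrange(P) for _ in range(deg - 1)] + [rng.randrange(1, P)]


def evaluate(poly, x):
    acc = 0
    for coeff in reversed(poly):          # Horner's rule mod P
        acc = (acc * x + coeff) % P
    return acc


def value_at_zero(points):
    """Lagrange interpolation at x = 0 from (x, y) pairs."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def degree_at_most(shares, d):
    """Masked test 'deg(F) <= d': only d + 1 values F(x) + M(x) are published."""
    mask = rand_poly(d)                   # deg(M) = d, M(0) = 0, fresh per test (assumption)
    published = [(x, (s + evaluate(mask, x)) % P) for x, s in zip(XS[:d + 1], shares)]
    return value_at_zero(published) == 0  # F(0) + M(0) must equal c = 0


def shared_degree(shares):
    """Binary search for deg(F) that uses only the masked test."""
    lo, hi = 0, len(XS) - 1
    while lo < hi:
        mid = (lo + hi) // 2
        if degree_at_most(shares, mid):
            hi = mid
        else:
            lo = mid + 1
    return lo


def run_auction():
    # Weight publishers: evaluator e receives H_(i,j)(x_e) for every link.
    polys = {link: rand_poly(w) for link, w in LINKS.items()}
    h = {link: [evaluate(p, x) for x in XS] for link, p in polys.items()}
    # Evaluators: Eq. (7) applied point-wise to local shares, j = n-1, ..., 0.
    f = {LAST: [1] * len(XS)}
    for j in range(LAST - 1, -1, -1):
        f[j] = [sum(h[(a, k)][e] * f[k][e] for (a, k) in LINKS if a == j) % P
                for e in range(len(XS))]
    best = shared_degree(f[0])            # f(0) = deg(F_0)
    # Tracing: link (j, k) attains f(j) when 'deg(H_(j,k) * F_k) <= f(j) - 1' fails.
    path, j, fj = [0], 0, best
    while j != LAST:
        for (a, k) in LINKS:
            if a != j:
                continue
            term = [h[(j, k)][e] * f[k][e] % P for e in range(len(XS))]
            if not degree_at_most(term, fj - 1):
                break
        else:
            raise RuntimeError("no link attains f(j)")
        path.append(k)
        j, fj = k, (0 if k == LAST else shared_degree(f[k]))
    return best, path


if __name__ == "__main__":
    print(run_auction())
```

No evaluator ever handles a weight directly: each works only on its own column of shares, and the degree tests publish d+1 masked values per query.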
4.6 An example
There are four evaluators {E_{1},E_{2},E_{3},E_{4}}, which randomly choose x_{1}=1,x_{2}=2,x_{3}=3,x_{4}=4, respectively. For simplicity, we assume that t_{ w }=0 and c=0.
First, the mask publisher MP chooses the mask polynomial M(x)=x^{2}, chooses two primes p=5 and q=7, and calculates N=5×7=35. Then, the mask publisher MP chooses the generator g=2 and a random number s_{0}=5, and computes λ=5 from s_{0}λ=1 mod (ϕ(N)=24). MP computes R_{0}=g^{s_{0}} mod N=2^{5} mod 35=32. MP publishes {g,N,R_{0},λ}.
Second, the evaluator E_{ i } computes R_{ i }=g^{x_{ i }} mod N, so the four evaluators {E_{1},E_{2},E_{3},E_{4}} generate R_{1}=2^{1} mod N=2, R_{2}=2^{2} mod N=4, R_{3}=2^{3} mod N=8, R_{4}=2^{4} mod N=16, respectively. The evaluators {E_{1},E_{2},E_{3},E_{4}} send {R_{1},R_{2},R_{3},R_{4}} to MP separately.
Third, MP computes \(R_{1}^{\prime }=R_{1}^{5} \mod N=32, R_{2}^{\prime }=R_{2}^{5} \mod N=9, R_{3}^{\prime }=R_{3}^{5} \mod N=8, R_{4}^{\prime }=R_{4}^{5} \mod N=11\), and computes the mask value \(M_{1}= {R_{1}^{\prime }}^{2}=1024, M_{2}={R_{2}^{\prime }}^{2}=81, M_{3}={R_{3}^{\prime }}^{2}=64, M_{4}={R_{4}^{\prime }}^{2}=121\), and then sends \(\{\{R_{1}^{\prime }, M_{1}\}, \{R_{2}^{\prime }, M_{2}\}, \{R_{3}^{\prime }, M_{3}\}, \{R_{4}^{\prime }, M_{4}\}\}\) to evaluators {E_{1},E_{2},E_{3},E_{4}}, respectively.
Table 1 Each evaluator’s shares

| Evaluator | H_{(S,1)} | H_{(1,2)} | H_{(S,2)} | F_{1} | F_{0} | M | H_{(S,1)}×F_{1}+M | H_{(S,2)}×F_{2}+M |
|---|---|---|---|---|---|---|---|---|
| E_{1} | 992 | 32 | 2112 | 32 | 33,856 | 1024 | 32,768 | 3136 |
| E_{2} | 72 | 9 | 180 | 9 | 828 | 81 | 729 | 261 |
| E_{3} | 56 | 8 | 144 | 8 | 592 | 64 | 512 | 208 |
| E_{4} | 110 | 11 | 266 | 11 | 1476 | 121 | 1331 | 387 |

When the evaluators work together to figure out the optimal result, they first verify each other’s identities using the method in Section 4.5.3. If all the evaluators pass the verification, then, from Table 1, the evaluators can recover F_{0}(x)=x^{3}+x^{2}+2x from the shares F_{0}(32)=33,856, F_{0}(9)=828, F_{0}(8)=592, and F_{0}(11)=1476, where F_{0}(0)=0. According to Eqs. (1) and (7), we figure out that f(0)=3. The evaluators can also recover the mask polynomial M(x)=x^{2} from the mask shares. Because the polynomial of degree 2 that is reconstructed from the shares of H_{(S,1)}×F_{1}+M does not equal 0, the link (S,1) attains f(0)=3, which means that the link (S,1) is included in the optimal result.
5 Result and discussion
In this section, we discuss the security properties of the proposed scheme and analyze the performance of the proposed scheme.
5.1 Security analysis
In this subsection, we discuss the security properties of the proposed scheme in terms of resistance against active attacks, resistance against passive attacks, nonrepudiation, and accountability.
5.1.1 Resistance against active attacks

Conspiracy attacks: In order to recover the secrets, we assume that two evaluators collude. For example, two evaluators E_{ i } and E_{ j } can exchange their values s_{ i } and s_{ j }, so E_{ i } holds s_{ j } while E_{ j } holds s_{ i }. Then, E_{ i } calculates \({R_{j}^{\prime \prime }}^{\lambda }=R_{j}\) while E_{ j } computes \({R_{i}^{\prime \prime }}^{\lambda }=R_{i}\). Therefore, E_{ i } and E_{ j } might try to pass the verification. However, this is not possible, as the Id and (Id,R) pairs have been published by all evaluators. Thus, the conspiracy of the participants E_{ i } and E_{ j } can be easily recognized by other participants.

Evaluator cheating: Assume that an evaluator E_{ i } wants to gain a secret (s) by providing a false private key R_{ j }. E_{ i } calculates \(R_{i}^{\prime \prime }=R_{0}^{s_{j}} \mod N\) and broadcasts it. However, other participants can check the validity of \(R_{i}^{\prime \prime }\) by calculating \({R_{i}^{\prime \prime }}^{\lambda }=R_{j}\neq R_{i}\) when receiving the \(R_{i}^{\prime \prime }\) provided by E_{ i }. Because the Id_{ i } and the R_{ i } of E_{ i } are published, it is easy to detect that E_{ i } provides an incorrect \(R_{i}^{\prime \prime }\).

Reconstruct the polynomial: Assume that an adversary adv wants to use fewer than t shares (t<d) to reconstruct the polynomial HM_{ i }. This is not possible, because it is equivalent to breaking Shamir’s scheme, which has been proved to hold the security property.

Reveal the secret key of the evaluator: Assume an adversary wants to obtain the participant E_{ i }’s secret shadow s_{ i } from the public information R_{ i }. To obtain s_{ i } from R_{ i }=g^{s_{ i }}, he has to solve the discrete logarithm problem (DLP), which is an NP-hard problem. So, it is not possible to obtain the secret key of the evaluator.
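The check \({R_{i}^{\prime \prime }}^{\lambda }=R_{i} \mod N\) used in the conspiracy and cheating cases above can be replayed with the toy parameters of Section 4.6 (p=5, q=7, g=2, s_{0}=5). The following Python sketch is an added example, not the authors' code; the function names and the dictionary layout are hypothetical, and the evaluator secrets are the x_{1},…,x_{4} of the page's example.

```python
def mask_publisher_setup(p, q, g, s0):
    """MP side: publish {g, N, R_0, lambda} with s_0 * lambda = 1 mod phi(N)."""
    n, phi = p * q, (p - 1) * (q - 1)
    lam = pow(s0, -1, phi)               # raises ValueError if s_0 is not invertible
    return {"g": g, "N": n, "R0": pow(g, s0, n), "lam": lam}


def register(pub, registry, ident, secret):
    """Evaluator sends (id_i, R_i = g^{s_i} mod N); MP rejects a repeated R_i."""
    r = pow(pub["g"], secret, pub["N"])
    if r in registry.values():
        raise ValueError(f"R = {r} is already registered")
    registry[ident] = r
    return r


def pseudo_share(pub, secret):
    """Evaluator side: R_i'' = R_0^{s_i} mod N."""
    return pow(pub["R0"], secret, pub["N"])


def audit(pub, registry, claimed_id, value):
    """Any evaluator: accept iff value^lambda = R_claimed mod N.
    On rejection, also report whose published R the value maps to, if any."""
    recovered = pow(value, pub["lam"], pub["N"])
    if recovered == registry[claimed_id]:
        return ("accepted", claimed_id)
    owner = next((i for i, r in registry.items() if r == recovered), None)
    return ("rejected", owner)


def demo():
    pub = mask_publisher_setup(5, 7, 2, 5)
    keys = {1: 1, 2: 2, 3: 3, 4: 4}      # x_1..x_4 from the page's example
    registry = {}
    for ident, s in keys.items():
        register(pub, registry, ident, s)
    honest = {i: audit(pub, registry, i, pseudo_share(pub, s)) for i, s in keys.items()}
    # E_1 submits a value built from E_2's secret (the cheating case above).
    swapped = audit(pub, registry, 1, pseudo_share(pub, keys[2]))
    # A constructed value that is not derived from any registered secret.
    forged = audit(pub, registry, 3, 3)
    # With N = 35 the element g = 2 has order 12, so s = 13 would repeat R_1.
    try:
        register(pub, registry, 5, 13)
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    return pub, registry, honest, swapped, forged, duplicate_rejected


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The swapped value is rejected for id 1 and maps back to the published R_{2}, which is how the other participants recognize whose secret was used.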
5.1.2 Resistance against passive attacks

Non-repudiation:
Theorem 1 If a bidder (weight publisher) makes a bid, it cannot deny making the bid at a later time.
Proof If a bidder (weight publisher) makes a bid, the evaluators work together to figure out the optimal result, and each participant is verified by the other participants. If some weight publisher denies making the bid, the other evaluators can work together to trace all the intermediate mask results to verify whether the weight publisher is lying or not according to the optimal result. □

Accountability: Accountability is required to secure a system from the aspects of integrity, confidentiality, and privacy [26, 27, 28, 29, 30]. An accountability mechanism is typically utilized to figure out who is responsible for what. In essence, accountability means that the system is recordable and traceable, which implies making any entity in the system accountable for all its actions. Under such a consideration, our scheme is accountable, as the evaluators can verify each other and work together to obtain the optimal result, which can be used as evidence for dispute resolution; therefore, no one can deny its actions. Thus, we claim that the scheme has the property of accountability.
5.2 Performance analysis
 In [16, 17], the third party is needed, which may be dishonest. Hence, the original secrets may not be reconstructed by the evaluators. In our scheme, it is impossible for the third party to cheat the evaluators as the evaluators choose their own shadows.
| Properties | Our scheme | Scheme in [17] | Scheme in [16] |
|---|---|---|---|
| Resist the evaluators cheating activity | Yes | No | No |
| Secure channel | No | Yes | Yes |
| Verifiable | Yes | Yes | No |
| Efficient reconstruction and trace | Yes | Yes | Yes |
| The reusability of the secret shadow | Yes | No | No |
| Third party | No | Yes | Yes |
| Select the secret shadow by the evaluators | Yes | No | No |

The validity of the shares of each evaluator can be checked by other evaluators; the proposed scheme is verifiable. This improves upon [16], in which the source of the other share cannot be verified by the evaluator. In that scheme, if a wrong share is provided by one evaluator, it cannot be detected by the other evaluators.

In [16, 17], the shadows of the evaluators are received from the third party via secure channel; however, our scheme never discloses the shadow of each evaluator in the recovery and verification phases, and the shadow can be reused.

In [16, 17], the secret shadows are transmitted via a private secure channel by the weight publishers; however, in our scheme, the shadows are not transmitted by the weight publishers via a secure channel, because the secret shadow is chosen by the evaluators themselves.
Note that our approach does have one disadvantage: if the number of nodes is very large, our scheme may be invalid sometimes because the combinatorial auction’s winner determination problem is NP-complete.
6 Conclusions
In this paper, we presented a privacy-preserving combinatorial auction scheme without an auctioneer. In our scheme, the price is represented as the degree of a polynomial; thus, the degree of the sum/product of two polynomials gives the maximum/sum of the degrees of the two polynomials. The bidders’ information is hidden, and the legitimacy of the evaluators is also verified based on secret sharing, which can resist collusion attacks.
Our future research will focus on the following direction: design more efficient approaches based on greedy algorithm to protect the privacy of combinatorial auction, which would be much more suitable for practical applications.
Notes
Acknowledgements
We are very grateful to Dr. Xiuzhen Cheng and Dr. Maya Larson who have helped improve the quality of this paper.
Funding
This project was partially supported by the National Natural Science Foundation of China under grants 61702062, 61672119, 61472418 and 61571049, and the National Science Foundation of the USA under grants: CNS1407986, CNS1443858, CNS1704397 and IIS1741279, and the Natural Science Foundation of Chongqing (cstc2015jcyjA40037).
Authors’ contributions
All the authors developed the solution of the problem. CH proposed the main idea of the paper and finished the draft of the paper. RL, BM, and WL discussed and improved the scheme. AA and RB focused on smoothing out the language of the paper. All authors read and approved the final manuscript.
Competing interests
The authors declare that they have no competing interests.
References
 1. K Sako, in Proceedings of Public Key Cryptography 2000. Universally verifiable auction protocol which hides losing bids (Springer, Melbourne, 2000), pp. 35–39.
 2. C Cachin, in Proceedings of the 6th ACM Conference on Computer and Communications Security. Efficient private bidding and auctions with an oblivious third party (ACM, Singapore, 1999), pp. 120–127.
 3. K Kobayashi, H Morita, K Suzuki, M Hakuta, Efficient sealed-bid auction by using one-way functions. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 84(1), 289–294 (2001).
 4. K Suzuki, K Kobayashi, H Morita, in Information Security and CryptologyCISC 2000. Efficient sealed-bid auction using hash chain (Springer, Seoul, 2001), pp. 183–191.
 5. Q Huang, Y Tao, F Wu, in INFOCOM, 2013 Proceedings IEEE. Spring: A strategyproof and privacy preserving spectrum auction mechanism (IEEE, Turin, 2013), pp. 827–835.
 6. M Pan, X Zhu, Y Fang, Using homomorphic encryption to secure the combinatorial spectrum auction without the trustworthy auctioneer. Wirel. Netw. 18(2), 113–128 (2012).
 7. M Pan, J Sun, Y Fang, Purging the back-room dealing: Secure spectrum auction leveraging paillier cryptosystem. IEEE J. Sel. Areas Commun. 29(4), 866–876 (2011).
 8. M Larson, R Li, C Hu, W Li, X Cheng, R Bie, in Wireless Algorithms, Systems, and Applications. A bidder-oriented privacy-preserving vcg auction scheme (Springer, Qufu, 2015), pp. 284–294.
 9. M Larson, W Li, C Hu, R Li, X Cheng, R Bie, in Wireless Algorithms, Systems, and Applications. A secure multi-unit sealed first-price auction mechanism (Springer, Qufu, 2015), pp. 295–304.
 10. W Li, M Larson, C Hu, R Li, X Cheng, R Bie, Secure multi-unit sealed first-price auction mechanisms. Secur. Commun. Netw. 9(16), 3833–3843 (2016).
 11. A Alrawais, A Alhothaily, J Yu, C Hu, X Cheng, Secureguard: a certificate validation system in public key infrastructure. IEEE Trans. Veh. Technol. (2018). Preprint.
 12. P Paillier, in Advances in cryptology-EUROCRYPT’99. Public-key cryptosystems based on composite degree residuosity classes (Springer, Prague, 1999), pp. 223–238.
 13. K Xing, C Hu, J Yu, X Cheng, F Zhang, Mutual privacy preserving k-means clustering in social participatory sensing. IEEE Trans. Ind. Inform. 13(4), 2066–2076 (2017).
 14. C Hu, X Liao, X Cheng, Verifiable multi-secret sharing based on LFSR sequences. Theor. Comput. Sci. 445, 52–62 (2012).
 15. H Kikuchi, (m+1)st-price auction protocol. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 85(3), 676–683 (2002).
 16. K Suzuki, M Yokoo, in Financial Cryptography. Secure combinatorial auctions by dynamic programming with polynomial secret sharing (Springer, Guadeloupe, 2003), pp. 44–56.
 17. M Nojoumian, DR Stinson, in Information Security Practice and Experience. Efficient sealed-bid auction protocols using verifiable secret sharing (Springer, Fuzhou, 2014), pp. 302–317.
 18. M Larson, C Hu, R Li, W Li, X Cheng, in Proceedings of the 2015 Workshop on Privacy-Aware Mobile Computing. Secure auctions without an auctioneer via verifiable secret sharing (ACM, Hangzhou, 2015), pp. 1–6.
 19. R Bellman, Dynamic programming and lagrange multipliers. Proc. Natl. Acad. Sci. U. S. A. 42(10), 767 (1956).
 20. A Shamir, How to share a secret. Commun. ACM. 22(11), 612–613 (1979).
 21. G Blakley, Safeguarding cryptographic keys. Proc. Natl. Comput. Conference 1979. 48, 313–317 (1979).
 22. C Hu, W Li, X Cheng, J Yu, S Wang, R Bie, A secure and verifiable access control scheme for big data storage in clouds. IEEE Transactions on Big Data (2018). Preprint.
 23. MH Dehkordi, S Mashhadi, An efficient threshold verifiable multi-secret sharing. Comput Stand. Interfaces. 30(3), 187–190 (2008).
 24. C Hu, N Zhang, H Li, X Cheng, X Liao, Body area network security: a fuzzy attribute-based signcryption scheme. IEEE J. Sel. Areas Commun. 31(9), 37–46 (2013).
 25. C Hu, X Liao, D Xiao, Secret image sharing based on chaotic map and chinese remainder theorem. Int. J. Wavelets Multiresolution Inf. Process. 10(03), 1250023–118 (2012).
 26. J Liu, Y Xiao, J Gao, Achieving accountability in smart grid. IEEE Syst. J. 8(2), 493–508 (2014).
 27. R Jagadeesan, A Jeffrey, C Pitcher, J Riely, in Computer Security–ESORICS 2009. Towards a theory of accountability and audit (Springer, Saint-Malo, 2009), pp. 152–167.
 28. T Truderung, A Vogt, et al, in Proceedings of the 17th ACM Conference on Computer and Communications Security. Accountability: definition and relationship to verifiability (ACM, Chicago, 2010), pp. 526–535.
 29. J Feigenbaum, AD Jaggard, RN Wright, in Proceedings of the 2011 Workshop on New Security Paradigms Workshop. Towards a formal model of accountability (ACM, Marin County, 2011), pp. 45–56.
 30. C Ko, DA Frincke, T Goan Jr, T Heberlein, K Levitt, B Mukherjee, C Wee, in Proceedings of the 1st ACM Conference on Computer and Communications Security. Analysis of an algorithm for distributed recognition and accountability (ACM, Fairfax, 1993), pp. 154–164.
Copyright information
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.