# Provable secure brand-new multi-auction mechanism with dynamic identity.

AbstractDifferent from traditional auctions, electronic auctions provide a platform to allow bidders and auctioneers merchandise to each other over network anytime and anywhere. Auctioneers can publish information of goods, and bidders can choose the interested targets through this bidding platform. To ensure the fairness and security of electronic auctions, Li et al. have proposed a practical electronic auction scheme which can confirm the requirement of strong anonymity, bidding privacy, and secret bidding price. However, we have found out that Li et al.'s scheme may lurk the risk of the denial-of-service attack during the bidding phase in a sealed-bid auction. Thus, we propose a brand-new sealed-bid auction mechanism, in which the essentials of e-auction can be firmly preserved. In particular, each bidder only needs to register at the center once and then can join to multiple plays launched by different auctioneers. Moreover, the correctness of mutual authentication is confirmed according to the BAN logic model.

Keywords: Electronic auction, sealed-bid auction, dynamic identity, BAN logic, anonymity

1. Introduction

With the rapid development of the Internet technology and electronic commerce, commonly known as E-commerce, electronic auction which is one of E-commerce business model becomes more and more popular in recent years. Originally, traditional auctions occur at the market when someone wants to sell the goods or services and invite lots of buyers to bid. Different from traditional auctions, electronic auctions allow bidders and sellers communicate each other over the network anytime and anywhere. For example, eBay, Yahoo! and Taobao are quite famous electronic auction websites.

Generally, electronic auctions can be divided into three types [1-18]: English auction, Dutch auction, and sealed-bid auction. As to the English auction, each bidder arbitrarily chooses a bidding price and then submits a public bid which must be higher than the previous round. The bid will be finished whenever no one bids the higher price. Dutch auction is similar to English auction, however, it starts at the top price, and the price will progressively go down until someone is willing to buy the goods with the first price. Both English auction and Dutch action are collectively known as an open auction. On the other hand, a sealed-bid auction allows each bidder submit a bid to the auctioneer with a concealed price. After receiving tender information from bidders, an auctioneer will reveal the contents of all the bids and further compare these bids to pick out the highest one. Later, the auctioneer publishes the highest bidding price as well as announces the winner at the end of the auction.

Nowadays, many protocols for electronic auction have been proposed. In 2003, Chang and Chang [2] presented an efficient anonymous auction protocol based on deniable authentication which can achieve the bidder anonymity. Later on, Jiang et al. [3] proposed an improvement on efficient anonymous auction which claimed that Chang et al.'s protocol would suffer from the replay attack in the initial phase. However, the computational cost was not taken into consideration in their scheme. Thus, Chang and Chang [4] presented an enhanced anonymous auction protocol with the alias. Afterwards, Liaw et al. [5] proposed an electronic online bidding auction protocol to meet certain security and make auction system more efficient. In 2008, Wu et al. [11] found that Liaw et al.'s protocol could not withstand the forge attacks. Hence, they provided a new electronic auction scheme to overcome these weaknesses. Lately, to reduce the heavy computational load of the entire auction in previous schemes [2, 3, 5], Chung et al. [6] proposed an English auction scheme with the bulletin board method which can raise the efficiency and verify bidding information. Owing to the increasing demand for mobile devices in electronic auctions recently, Chung et al. [7] proposed a mobile auction agent model (MoAAM) using elliptic curve cryptosystem in 2011. According to their scheme, it can permit bidders take part in electronic auctions via a mobile agent. Moreover, this scheme can make the auctions more efficient than others in terms of mitigation of computational cost on mobile devices. Later on, Li et al. [12] proposed a practical electronic auction scheme to achieve strong anonymity, bidding privacy, and secret bidding prices for sealed-bid auction which [2, 3, 4] could not confirm. Nevertheless, we find out that Li et al.'s scheme may suffer from the denial-of-service attack during the bidding phase in a sealed-bid auction.

Thus, we propose a brand-new sealed-bid auction mechanism based on the concept of multi-server verification [22], in which the essentials of e-auction can be firmly preserved. In particular, each bidder only needs to register at the center once and then can join to multiple plays launched by different auctioneers. The followings are the requirements the proposed new method can firmly confirmed [19-21].

(1) Anonymity

Bidders and auctioneers can authenticate each other and then establish a common session key to protect their subsequent communications.

(2) Bidding Privacy

In order to protect the privacy of losers, all tender information of bidders should not be revealed except for the winner.

(3) Bidding Price

All bids should not be public even if auctioneer announces a winner in the opening phase. Only the highest bidding price will be announced by the auctioneer.

(4) Unforgeability

Nobody can counterfeit a valid bid

(5) Public Verifiability

Anyone can verify whether the winner is valid or not and confirm the authenticity of the bid at the end of the auction.

(6) Non-repudiation

A bidder cannot deny the bid even after the auction is over.

(7) No Framing

Nobody can impersonate as any bidder's identity to join the bidding.

(8) One Time Registration

Any bidder only needs to register at registration center once and then can participate in different auctions.

(9) Unlinkability

Nobody can find out the relationship of bidder's identity among various auctions.

The rest of this paper is organized as follows. In Section 2, we review Li et al.'s practical electronic auction scheme and analyze the security vulnerabilities of their scheme. Then, the proposed multi-auction mechanism with dynamic identity is presented in Section 3. Later on, the security analysis and performance discussion are shown in Section 4 and 5, respectively. Finally, we make conclusions in Section6.

2. Review of Li et al.'s Scheme

In this section, we review Li et al.'s scheme [12], called a practical electronic auction scheme with strong anonymity and bidding privacy. There are four participants in their scheme, i.e., registration manager (RM), auction manager (AM), auctioneer, and bidder (Bidderi). In their scheme, registration manager is a role as government department which can revoke the anonymity of a given bidder while the auction manager requests, whereas auction manager is like a bidding platform such as eBay, Yahoo! or Taobao. In order to preserve strong anonymity for bidders, the authors combine registration manager with auction manager to disperse auction manager's power [2, 3, 4]. The cooperation of registration manager and auction manager is the only way to identify the bidder who wins the auction and becomes the winner. Their scheme contains three phases: registration phase, bidding phase, and decision-of-winner and announcement phase in an English auction and the sealed-bid auction, respectively. Nevertheless, we focus on the sealed-bid auction. The notations used throughout Li et al.'s scheme are summarized in Table 1.

Then, we briefly described zero knowledge proof [23] that will be used in Li et al.'s scheme. Zero knowledge proof (ZKP) is a protocol to prove that someone knows the secret value of discrete logarithms. Here, we assume that a prover knows the discrete logarithm x = [log.sub.g] y for the message m , where g is a generator, and he intends to show that he knows the secret value x to the verifier. V = ZKP (x; g, y, m ) is the confirmation which implies that the prover can compute a Schnorr signature (r, s) on the message m by calculating t = [g.sup.a] mod N, r = h(g || y|| t|| m),and s = a-rx, where a [member of] {1,[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] q } [4] and h denotes an one-way hash function. Hence, the verifier can verify the validity of the ture (r, s) by confirming r = (g ||y||[g.sup.s]||[y.sup.r]||m).

2.1 Review of Li et al.'s Scheme for Sealed-bid Auction

In this section, we review Li et al.'s scheme for sealed-bid auction. There are three main phases: registration phase, bidding phase, and decision-of-winner and announcement phase. The details of these phases are introduced as follows.

2.1.1 Registration Phase

Firstly, each bidder [Bidder.sup.i] generates his registration key and identity I[D.sub.i] through the following steps:

Step 1: [Bidder.sub.i] chooses a random number [a.sub.i] [member of] [Z.sub.N-1], and calculates the registration key [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] mod N.

Step 2: [Bidder.sub.i] registers his identity I[D.sub.i] at the registration center and generates a digital signature [[delta].sub.i] = S[K.sub.i] {I[D.sub.i], [y.sub.i}.

Step 3: [Bidder.sub.i] sends the registration information (I[D.sub.i], [y.sub.i] [[delta].sub.i]) with RM. After RM receives the message, it confirms the digital signature [[delta].sub.i] by P[K.sub.i]. If [[delta].sub.i] is valid, RM accepts the registration request and chooses a random number b. Otherwise, RM rejects the session. Later, RM calculates [y.sub.RM] and a Diffie-Hellman session key [Y.sub.i] which is also the auction key as follows:

[y.sub.RM] = [g.sup.b] mod N,

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

Step 4: RM stores I[D.sub.i] [[delta].sub.i] and [Y.sub.i] into the database D[B.sub.RM] (see Table 2) and then publishes N, g, [y.sub.RM], [T.sub.RM] and [Y.sub.i] on the bulletin board system BB[S.sub.RM] (see Table 3), where the timestamp [T.sub.RM] is generated by RM. Moreover, BB[S.sub.RM] is write-only for RM.

Step 5: RM confirms S[K.sub.RM]{[y.sub.RM]||[T.sub.RM]} by P[K.sub.RM]. If it holds, AM reads a Diffie-Hellman session key [Y.sub.i] from BB[S.sub.RM] and chooses a random number c. Later on, AM calculates [y.sub.AM], a Diffie-Hellman session key [Y.sub.RA] , and the auction key [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] for each bidder as follows:

[y.sub.AM] = [g.sup.c] mod N,

[Y.sub.RA] = (y.sub.RM[).sup.c] = (y.sub.AM[).sup.b] = [g.sup.bc] mod N,

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

Step 6: AM stores [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] and [Y.sub.i] into the database D[B.sub.AM] (see Table 4) and publishes N, g, [y.sub.AM] [T.sub.AM] [Y.sub.AM] and [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] on the bulletin board system BB[S.sub.AM] (See Table 5), where the timestamp [T.sub.AM] is generated by AM. Moreover, BB[S.sub.AM] is write-only for AM.

Step 7: [Bidder.sub.i] checks S[K.sub.RM] {[y.sub.RM] ||[T.sub.RM]} and S[K.sub.AM] {[Y.sub.RA] ||[T.sub.AM]} by P[K.sub.RM] and P[K.sub.AM]. If it holds, [Bidder.sub.i] can obtain [y.sub.RM] and [Y.sub.RA] to confirm a Diffie-Hellman session key [Y.sub.i] from BB[S.sub.RM] and a Diffie-Hellman session key [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] from BB[S.sub.AM] as follows:

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] mod N,

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] mod N.

If they hold, it implies that the auction key [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] is believed to be valid. Otherwise, [Bidder.sub.i] blames to

RM or AM

2.1.2 Bidding Phase

In this phase, each bidder attends the auction to bid with his own bid [bid.sub.i] via the following steps:

Step 1: [Bidder.sub.i] selects a random number [e.sub.i] and computes [F.sub.i] = [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] where [P'.sub.i] is the bidding price and h ([e.sub.i], [P'.sub.i]) is a two-variable one-way hash function with [e.sub.i] and [P'.sub.i].

Step 2: Then, [Bidder.sub.i] sends [bid'.sub.i] = ([MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]) to AM, where GID is the identification of the good, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] is the signature, and the message [m'.sub.i]([F.sub.i]||GID). If the signature [V1'.sub.i] is valid for the message [m'.sub.i] [Bidder.sub.i] will certainly know the secure value [a.sub.i].

Step 3: Let [T'.sub.i] be the time at which AM receives the bid from [Bidder.sub.i] and [T'.sub.0] be the deadline of the auction. Subsequently, AM confirms the validity of the timestamp [T'.sub.i], and if [T'.sub.i] < [T'.sub.0]' , AM accepts the bid request. Otherwise, AM rejects it.

Step 4: AM or anyone can confirm whether the signature [V1'.sub.i]' is valid. If it holds, that implies the bid is believed to be valid by the verifier. Otherwise, AM rejects the request.

Step 5: AM confirms the information (GID [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]) from D[B.sub.AM]. If this information can be found in the database, the request is rejected. On the contrary, AM stores the information (GID [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]) in D[B.sub.AM] to avoid double bidding.

Finally, AM publishes all values of [bid'.sub.i] = (F.sub.i], GID [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] on BB[S.sub.AM].

2.1.3 Decision-of-winner and Announcement Phase

While the sealed bidding is finished, each bidder posts the information ([e.sub.i], [p.sub.i]', [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]) on , [BBS.sub.i] where [BBS.sub.i] is write-only for each bidder. Thus, anyone can verify whether the published value [F.sub.i] on [BBS.sub.i] is the same as the computed one. Afterwards, AM announces the winner and RM revokes the anonymity of the bidder and identifies the winner at the same time.

Step 1: Each bidder posts the information ([e.sub.i], [p.sub.i]', [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]) on [BBS.sub.i].

Step 2: We assume that [p.sub.j]' is the highest price at the end of bidding phase. In such a case, AM checks whether [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] by ([e.sub.i], [p.sub.i]', [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]) and a two-variable one-way hash function. If it holds, AM announces the winner with his winning bid [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. Otherwise, AM decides the second highest bidding price. Subsequently, anyone can confirm whether the bidding price is valid. If it holds, that means the bidding price is believed to be valid by the verifier.

Step 3: According to the relationship of [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] and [Y.sub.j], AM can find [Y.sub.j] through [DB.sub.AM].

Step 4: AM posts the information ([Y.sub.j], [V2'.sub.j]) on [BBS.sub.AM] so that anyone can confirm the relationship [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] and [Y.sub.j] by the signature [V2'.sub.j] where [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

Step 5: RM confirms the signature [V2'.sub.j] and identifies [Bidder.sub.j] as the winner by consulting [DB.sub.RM] with the help of [Y.sub.j].

Step 6: Next, RM generates the signature [V3'.sub.j] = ZKP(b;[y.sub.j],[Y.sub.j],[bid'.sub.j]) and informs Auctioneer of W'=[PK.sub.Auctioneer]{[[delta].sub.j], [PK.sub.j], [V3'.sub.j]}, where [PK.sub.Auctioneer] is the public key of Auctioneer and [p.sub.j]' is the bidding price of the winner [Bidder.sub.j].

Finally, Auctioneer decrypts W' to obtain [[delta].sub.j], [PK.sub.j], and the signature [V3'.sub.j]. Later on, Auctioneer confirms the relationship between [y.sub.j] and [Y.sub.j] by [V3'.sub.j] and verifies the winner utilizing [[delta].sub.j] and [PK.sub.j]. Here, the winner [Bidder.sub.j] cannot deny his own bid since [[delta].sub.j] is the digital signature of [Bidder.sub.j].

2.2 Cryptanalysis of Li et al.'s Scheme

Li at al. have claimed that their scheme can withstand various attacks, however, we find out that this scheme may suffer from the denial-of-service attack during the bidding phase in a sealed-bid auction. Hence, we demonstrate the security flaw of their scheme outlined below.

If a malicious attacker Eve intends to launch the attack, she needs to intercept the bid request [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] sent from the bidder [Bidder.sub.i] in the bidding phase. Later on, she changes [F.sub.i] to another one [F.sub.Eve] and transmits this bid request [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] to AM in the valid time. Afterwards, AM will verify the validity of the signature [V1.sub.i]. If the signature is not valid, AM will deny the request. Even though the bid request will be accepted by AM, a legitimate bidder [Bidder.sub.i] must be fail to AM. Since [F.sub.Eve] is not a legal one, [F.sub.Eve] will not pass the verification to AM. Thus, [Bidder.sub.i] cannot successfully tender a bid to AM. If Eve repeatedly intercepts the bid request, replaces [F.sub.i] to a new one [F.sub.Eve], and then sends the forged bid requests to AM, this will make AM overload by computing the Schnorr signatures. Consequently, their scheme is unable to withstand the denial-of-service attack.

3. Proposed Scheme

In this section, we propose an efficient and secure multi-auction mechanism with dynamic identity using smart card. It includes three participants in our mechanism: bidder ([Bidder.sub.i]), auctioneer ([Auctioneer.sub.j]), and registration center (RC). In the beginning, RC chooses x as the master secret key and y as the secret number. These two parameters are only known to the registration center which is considered to be trustworthy. Later, the registration center calculates and shares the hash value h(x), h(x||y), and h([AID.sub.j]||h(y)) for each auctioneer via a secure channel while [Auctioneer.sub.j] registers himself to the registration center with his identity [AID.sub.j]. Most important of all, we have assumed that the information stored in the smart card cannot be extracted to be utilized in our proposed mechanism. The proposed mechanism contains five phases: registration phase, login phase, mutual authentication and key agreement phase, sealed bidding phase, and winner announcement phase. The notations used throughout the proposed mechanism are shown in Table 6.

The flowchart of multi-auction mechanism is described in Fig. 1. If someone wants to participate in an auction, he must register at the registration center first. Later on, the registration center will issue the smart card so that each bidder can join in any auction using smart card. Afterwards, each bidder negotiates a common session key to ensure that the following communications are secure. After receiving the bids from bidders, the auctioneer will compare all bidding prices and pick out the highest one as the winner.

3.1 Registration Phase

The bidder [Bidder.sub.i] must register at the registration center before participating in an auction. The flowchart of registration phase is illustrated in Fig. 2.

Step 1: [Bidder.sub.i] arbitrarily chooses his identity [UID.sub.i], password [PW.sub.i] and calculates [P.sub.i]=h([PW.sub.i]). After that, [Bidder.sub.i] submits [UID.sub.i] and [P.sub.i] to RC via a secure channel.

Step 2: After receiving the message [UID.sub.i] and and [P.sub.i] from [Bidder.sub.i], RC calculates parameters [A.sub.i], [B.sub.i], [C.sub.i], [D.sub.i], [E.sub.i], as follows:

[A.sub.i]=h([UID.sub.i]||x)

[B.sub.i]=h([UID.sub.i]||[P.sub.i])

[C.sub.i]=h([A.sub.i]||[B.sub.i])[direct sum]h(h(x))||[r.sub.i])

[D.sub.i]=[r.sub.i][direct sum]h(x||y)

[E.sub.i]=[P.sub.i][direct sum][A.sub.i].

Finally, RC stores these security parameters {[B.sub.i], [C.sub.i], [D.sub.i], [E.sub.i], h([??]), h(y)} into the smart card and sends back to [Bidder.sub.i] through a secure channel.

3.2 Login Phase

When [Bidder.sub.i] wants to join in the auction, he needs to perform the following steps to generate the request.

Step 1: He has to insert his smart card into the card reader and enters his identity [UID.sub.i] and password [PW.sub.i].

Step 2: The smart card calculates [B.sub.i]*=h([UID.sub.i]||h[PW.sub.i]))=h([UID.sub.i]||[P.sub.i]) and confirms whether [B.sub.i]* is equal to [B.sub.i], where the value [B.sub.i] is stored in the smart card. If they are equal, it implies that [Bidder.sub.i] is a legitimate user. [Bidder.sub.i] carries on the following steps. Otherwise, the smart card rejects the request.

Step 3: After confirming [Bidder.sub.i] is a legitimate user, the smart card generates a random nonce [N.sub.i] and calculates the following steps:

[A.sub.i]=[P.sub.i][direct sum][E.sub.i]

h(h(x)||[r.sub.i])=h([A.sub.i]||[B.sub.i])[direct sum][C.sub.i]

[CID.sub.i]=[C.sub.i][direct sum]h(h(h(x)||[r.sub.i])||[N.sub.i]||[AID.sub.j])

[P.sub.ij]=[D.sub.i][direct sum][AID.sub.j][direct sum][N.sub.i]

[[alpha].sub.i]=h([AID.sub.j]||h(y))[direct sum][N.sub.i]

[[beta].sub.i]=h(h([A.sub.i]||[B.sub.i])||[N.sub.i]||[P.sub.ij]||[CID.sub.i]).

Finally, [Bidder.sub.i] submits [m.sub.1]={[CID.sub.i], [P.sub.ij], [[alpha].sub.i], [[beta].sub.i]} as the login request message to [Auctioneer.sub.j] over a public channel.

3.3 Mutual Authentication and Key Agreement Phase

In this phase, [Auctioneer.sub.j] will authenticate each bidder after receiving the login message. Later on, both of them accomplish the common key while the authentication is over. Shortly afterwards, [Bidder.sub.i] can utilize the session key to communicate with [Auctioneer.sub.j]. The flowchart of mutual authentication and key agreement phase is illustrated in Fig. 3, and the detailed steps are described as follows.

Step 1: Upon receiving the login request message [m.sub.1]={[CID.sub.i], [P.sub.ij], [[alpha].sub.i], [[beta].sub.i]} from [Bidder.sub.i], [Auctioneer.sub.j] utilizes the pre-shared hash value h(x), h(x||y) and h([AID.sub.j]||h(y)) to calculate the following:

[N.sub.i]=h([AID.sub.j]||h(y))[direct sum][[alpha].sub.i]

[D.sub.i]=[P.sub.ij][direct sum][AID.sub.j][direct sum][N.sub.i]

[r.sub.i]=[D.sub.i][direct sum]h(x||y)

[C.sub.i]=[CID.sub.i][direct sum]h(h(h(x)||[r.sub.i])||[N.sub.i]||[AID.sub.j])

h([A.sub.i]||[B.sub.i])=[C.sub.i][direct sum]h(h(x)||[r.sub.i])

[[beta].sub.i]*=h(h([A.sub.i]||[B.sub.i])||[N.sub.i]||[P.sub.ij]||[CID.sub.i]).

Step 2: Later on, [Auctioneer.sub.j] confirms whether the computed value [[beta].sub.i]* is equal to the received [[beta].sub.i]. If they hold, [Auctioneer.sub.j] uthenticates [Bidder.sub.i] successfully. Thus, it implies that [Bidder.sub.i] is an authorized user, and then [Auctioneer.sub.j] further chooses a random nonce [N.sub.j]. Otherwise, [Auctioneer.sub.j] rejects the login request in this session.

Step 3: [Auctioneer.sub.j] calculates and sends [[gamma].sub.i]=h([A.sub.i]||[B.sub.i])[direct sum][N.sub.i][direct sum][N.sub.j], [[delta].sub.i]=h(h([A.sub.i]||[B.sub.i])||[N.sub.j]||[AID.sub.j]) to [Bidder.sub.i].

Step 4: Upon receiving the message [m.sub.2]={[[gamma].sub.i], [[delta].sub.i]} from [Auctioneer.sub.j], [Bidders.sub.i] calculates [N.sub.j]=h([A.sub.i]||[B.sub.i])[direct sum][N.sub.i][direct sum][[gamma].sub.i] and [[delta].sub.i]*=h(h([A.sub.i]||[B.sub.i])||[N.sub.j]||[AID.sub.j]). Later, [Bidder.sub.i] confirms whether the computed value [[delta].sub.i]* is equal to [[delta].sub.i]. If If they are equal, it means that [Bidder.sub.i] successfully authenticates [Auctioneer.sub.j] which is an authorized service provider. Shortly afterwards, [Bidder.sub.i] calculates the mutual authentication message [[theta].sub.i]=h(h([A.sub.i]||[B.sub.i])||[N.sub.j]||[AID.sub.j]) and submits the message [m.sub.3]={[[theta].sub.i]} to [Auctioneer.sub.j]. Otherwise, [Bidder.sub.i] rejects the message and terminates the session.

Step 5: Upon receiving the message [m.sub.3]={[[theta].sub.i]} from [Bidder.sub.i] , [Auctioneer.sub.j] calculates [[theta].sub.i]*=h(h([A.sub.i]||[B.sub.i])||[N.sub.j]||[AID.sub.j]) and confirms whether the computed value [[theta].sub.i]* is equal to [[theta].sub.i]. If they are the same, it implies that [Auctioneer.sub.j] successfully authenticates [Bidder.sub.i]. The mutual authentication is completed. After the mutual authentication phase, [Bidder.sub.i] can negotiate the session key [K.sub.i]=h(h([A.sub.i]||[B.sub.i])||[N.sub.i]||[N.sub.j]||[AID.sub.j]) with [Auctioneer.sub.j].

3.4 Sealed Bidding Phase

After the key agreement phase, [Bidder.sub.i] can utilize the session key [K.sub.i] to to participate in bidding. The flowchart of sealed bidding phase is illustrated in Fig. 4.

Step 1: [Bidder.sub.i] arbitrarily chooses the bidding price [bid.sub.i]. Then, he calculates [w.sub.i]=h([CID.sub.i]||[bid.sub.i]||[K.sub.i]||[AID.sub.j]) with his dynamic identity [CID.sub.i] and [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] by the session key [K.sub.i]. Here, it not only protects the tender information of the bidder, but also confirms integrity and confidentiality of the tender information.

Step 2: [Bidder.sub.i] submits his tender information [m.sub.4]={[CID.sub.i], [msg.sub.i]} to [Auctioneer.sub.j].

Step 3: Upon receiving the tender information [m.sub.4]={[CID.sub.i], [msg.sub.i]} from [Bidder.sub.i]. [Auctioneer.sub.j] decrypts [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] to obtain [CID.sub.i], [bid.sub.i] and [w.sub.i] by the common session key [K.sub.i]. Later on, it confirms whether [CID.sub.i] and [W.sub.i] is valid or not. If it does not hold, the bidding price [bid.sub.i] can be treated as nullity. Otherwise, [Bidder.sub.i] price [bid.sub.i] will be considered as legal. Finally, [Bidder.sub.i] successfully bids in this sealed-bid auction.

3.5 Winner Announcement Phase

Once [Auctioneer.sub.j] receives all bids from bidders, it compares all bidding prices and chooses the highest bidding one among bidders as the winner. Finally, the auctioneer announces the winner with his tender information [CID.sub.i], [msg.sub.i], session key [K.sub.i], and the bidding price [bid.sub.i].

4. Analysis

Here, we analyze the security of our proposed mechanism which is based on symmetric encryption function, one-way hash function, and exclusive-or operation in Subsection 4.1. Furthermore, the assumptions of symmetric encryption function, one-way hash function, and exclusive-or operation are depicted as below. Later on, the requirements of the sealed-bid auction can be achieved in our proposed mechanism are shown in Subsection 4.2.

Symmetric encryption function[[[??]].sub.K]

According to [25], it is computationally infeasible to obtain the plaintext M from the encrypted message [[M].sub.k] in the case of unknown encryption key K.

One-way hash function([??])

Variable size message is input and fixed size result returned. One-way hash function h([??]) is defined as follows [26].

Pre-image resistance: Given the message digest y=h(M), it is computationally infeasible to derive the message M from y.

Second pre-image resistance: Given the message M and the message digest y=h(M), it is computationally infeasible to find another message M' to satisfy that M' [not equal to] M and h(M')=y.

Collision resistance: It is computationally infeasible to pick out two arbitrary plaintexts M, M' such that M' [not equal to] M and h(M') = h(M).

Exclusive-or operation [direct sum]

The exclusive-or operation shall not be compromised in polynomial time. Given the message [M.sub.1], [M.sub.2], it is computationally infeasible to derive the message [M.sub.1] from the ciphertext C without knowing the message [M.sub.2] in polynomial time. However, it is easily to calculate C = [M.sub.1] [direct sum] [M.sub.2].

4.1 Security Analysis

4.1.1 Perfect Forward Secrecy

In our proposed mechanism, both the bidder [Bidder.sub.i] and the auctioneer [Auctioneer.sub.j] can utilize the shared information h([A.sub.1]||[B.sub.1] to calculate the common session key [K.sub.i] = h(h([A.sub.1]||[B.sub.1])||[N.sub.1]||[N.sub.j]||[AID.sub.j] with the random nonce [N.sub.i] and [N.sub.j]. Even if a malicious attacker Eve can comprimise [K.sub.i] = h(h([A.sub.1]||[B.sub.1])||[N.sub.1]||[N.sub.j]||[AID.sub.j], she still cannot recover the previous session keys or speculate the session keys for the future. Since each session key contains an individual random nonce, this makes all session keys be distinct. However, she cannot learn of the random nonce under the assumption of pre-image resistance. Even though Eve can obtain a valid random nonce, she still cannot construct the common session key without the knowledge of h([A.sub.i]||[B.sub.i] under the assumption of pre-image resistance. As a result, the proposed mechanism can provide perfect forward secrecy.

4.1.2 Replay Attack

We assume that a malicious attacker Eve intends to intercept the login request message [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] from the bidder [Bidder.sub.i] to launch the replay attack. Then, Eve will replay the request message to [Auctioneer.sub.j] However, this login request message must fail since [Auctioneer.sub.j] can confirm whether the random nonce is fresh or not. As a result, the proposed mechanism is secure against the replay attack.

4.1.3 Impersonation Attack

Impersonation attack means that a malicious attacker Eve intends to masquerade as the legal bidder [Bidder.sub.i] to login to the auctioneer [Auctioneer.sub.j]. First, she needs to forge the login request message [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] sequentially and send them to [Auctioneer.sub.j]. However, it is computationally infeasible for Eve to generate the first parameter [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] without knowing [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] and [N.sub.i] under the assumption of the exclusive-or function. Owing to unknown nonce [N.sub.i], she cannot separately generate other parameters [P.sub.ij], [CID.sub.i], [[beta].sub.i] or function and the pre-image resistance. Despite she is able to obtain a valid nonce, it is useless. The reason is that Eve cannot construct the first parameter [[alpha].sub.i] without [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] under the assumption of the exclusive-or function. For the above-mentioned reasons, Eve has no way to launch this attack so that the proposed mechanism can prevent the impersonation attack.

4.1.4 Server Spoofing Attack

Server spoofing attack means that if a legal bidder [Bidder.sub.i], (Eve) intends to fabricate as the auctioneer [Auctioneer.sub.j] to fool and response [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] to the bidder [Bidder.sub.i], she must fail. The reason is that it is impossible for [Bidder.sub.k] to calculate [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] without the knowledge of h([A.sub.1]||[B.sub.1]) and [N.sub.i] under the assumption of the exclusive-or function as well as [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] without the knowledge of h([A.sub.i]||[B.sub.i]) and [N.sub.i] under the assumption of the pre-image resistance. Furthermore, [N.sub.i] is protected by a [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] Without the hash value [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], it is infeasible for [Bidder.sub.i] to retrieve [N.sub.i] from [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] under the assumption of the exclusive-or function. Hence, [Bidder.sub.i] cannot transfer a valid response [m.sub.2] = {[[beta].sub.i], [[sigma].sub.i]} to [Bidder.sub.i].

Similarly, a legal auctioneer [Auctioneer.sub.k] (Eve) may try to imitate as the auctioneer [Auctioneer.sub.j] to cheat the play. However, it is computationally infeasible to construct h([AID.sub.k]||[h.sub.(y)]) without secret hash value h(y) under the assumption of pre-image resistance. Here, no one but RC can know secret Y and h(y). Moreover, the pre-shared hash value h([AID.sub.k]||[h.sub.(y)]) from [Auctioneer.sub.k] will not be equal to h([AID.sub.j]||[h.sub.(y)]) from [Auctioneer.sub.j] Therefore, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], will not be valid under the assumption of of exclusive-or function. For the above-mentioned reasons, no one can impersonate a legal auctioneer to spoof bidders in the proposed mechanism.

4.1.5 Man-in-the-middle Attack

In this type of attack, we assumed that a malicious attacker Eve can intercept the login request messages sent from [Bidder.sub.i]. to the auctioneer [Auctioneer.sub.j] and then transfer the modified messages to [Bidder.sub.i] In the beginning, Eve intercepts the login request message [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] from [Bidder.sub.i] and the response message [m.sub.2] = {[[beta].sub.i], [[sigma].sub.i]} from [Auctioneer.sub.j]. Later on, Eve starts a new session with [Bidder.sub.i] by transmitting the modified response [m.sub.2]' = {[[beta].sub.i]', [[sigma].sub.i]'}. However, Eve cannot alter any message such as [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] without knowing h([A.sub.i]||[B.sub.i]) and [N.sub.i] under the assumption of exclusive-or function and [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] without the knowledge of h([A.sub.i]||[B.sub.i]) under the assumption of pre-image resistance. Despite she can obtain [CID.sub.i] and [P.sub.ij] from intercepting the login request message [m.sub.1], she still cannot retrieve h([A.sub.i]||[B.sub.i]) from [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] under the assumption of pre-image resistance.

Therefore, Eve is unable to launch the attack and the proposed mechanism is secure against man-in-the-middle attack.

4.1.6 Denial-of-service Attack

The resistance to denial-of-service attack means that it can prevent legitimate bidders from failing to auctioneers, namely auctioneers cannot provide bidding service to bidders properly. Here, we demonstrate that denial-of-service attack cannot be launched by Eve in our proposed mechanism. If Eve intends to launch this attack, she needs to modify the login request message [m.sub.1] to pass the verification with her nonce [N.sub.i]*. However, it must be fail since it is computationally infeasible for Eve to generate a valid nonce without hash value h([AID.sub.j]||[h.sub.(y)]) under the assumption of exclusive-or function, where [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. Eve cannot successfully generate these parameters [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] to pass the verification, which are associated with the random nonce [N.sub.i] Thus, it is difficult for malicious attackers to launch an effective denial-of-service attack in our proposed mechanism.

4.1.7 Proper Mutual Authentication and Key Agreement

Upon receiving the login request message [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] from [Bidder.sub.i], [Auctioneer.sub.j] will calculate the parameters [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] sequentially and confirm whether the computed [[sigma].sub.i]* is equal to [[sigma].sub.i]. If so, [Bidder.sub.i] is successfully authenticated by [Auctioneer.sub.j] Here, only the proper [Auctioneer.sub.j] can filter out [N.sub.i] using h([AID.sub.j]||[h.sub.(y)])[direct sum][[alpha].sub.i] under the assumption of exclusive-or function since h([AID.sub.j]||[h.sub.(y)]) is also known [Auctioneer.sub.j]. Hence, it can continually calculate [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] with [P.sub.ij], [AID.sub.ij], and the valid nonce [N.sub.i]. After obtaining [D.sub.i] it uses the pre-shared hash value h(x||y) to compute [r.sub.i], where [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. In the case of owning these parameters [CID.sub.i], h(x), n, [N.sub.i] and [AID.sub.j], [Auctioneer.sub.j] can easily calculate [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], where h(x) is pre-shared by RC in the registration phase. Thanks to these two values [C.sub.i] and h(h(x)||[r.sub.i]), [Auctioneer.sub.j] can further compute [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. Thus, [Auctioneer.sub.j] can authenticate [Bidder.sub.i] at this moment by verifying whether the computed [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] is equal to [[beta].sub.i] Obviously, if it holds, it implies that [Bidder.sub.i] is a legitimate user, and the login request message is accepted by [Auctioneer.sub.j]

[Bidder.sub.i] checks that [Auctioneer.sub.j] is a legitimate service provider by confirming whether the computed [[sigma].sub.i]* is equal to the received one [sigma.sub.1] under the assumption of second pre-image resistance. If they are the same, [Auctioneer.sub.j] is successfully authenticated by [Bidder.sub.i]. Here, [Bidder.sub.i] can obtain [N.sub.j] from [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] under the assumption of exclusive-or function using the hash value h([A.sub.i]||[B.sub.i]) which is only known to himself and [N.sub.i] which is generated by the smart card. Thus, no one but [Bidder.sub.i] can acquire the valid nonce [N.sub.j] sent from [Auctioneer.sub.j]. Afterwards, [Bidder.sub.i] calculates the mutual message [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] and submits it to [Auctioneer.sub.j]. Later on, it will verify whether the computed [theta.sub.i]* is equal to the received one [theta.sub.i] under the assumption of second pre-image resistance. It is clear that [m.sub.3] = {[theta.sub.i]} will pass the verification. Hence, [Bidder.sub.i] and [Auctioneer.sub.j] can mutually authenticate and accomplish the key [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] in our proposed mechanism.

4.1.8 Formal Mutual Authentication according to BAN Logic Model

In order to confirm the identity for communicating participants, we demonstrate the achievement of mutual authentication between bidders and auctioneers based on BAN logic [27, 28]. The notations of BAN logic are described in Table 7.

Here, we describe the logical assumptions of BAN logic that we use in the proof as below.

(1) Messagemeaning: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

(2) Nonce - verification: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

(3) Jurisdiction: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

(4) Receiving: P [??] [<X>.sub.Y]/P [??] X

(5) Freshness Propagation: P|[equivalent to]#(X)/P|[equivalent to]#(X, Y)

(6) [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

The rule of Session Key is an extension rule for the combination key [29] in BAN logic. Note that X is a critical element of the combination key K.

For simplicity, we transfer our proposed mechanism into the generic form M1, M2, M3 as follows.

M1. [Bidder.sub.i] [right arrow] [Auctioneer.subj]: h(AI[D.sub.j] || h(y)), [r.sub.i] [direct sum] h(x || y) [direct sum] AI[D.sub.j] [direct sum] [N.sub.i], [C.sub.i] [direct sum] h(h(x) || [r.sub.i]) || [N.sub.i] || AD[.sub.j]), h(h([A.sub.i] || [B.sub.i] || [N.sub.i] || [P.sub.ij] || CI[D.sub.i])

M2. [Auctioneer.sub.j] [right arrow] [Bidder.sub.i]: h([A.sub.i] || [B.sub.i]) [direct sum] [N.sub.i] [direct sum] [N.sub.j], h(h([A.sub.i] || [B.sub.i]) || [N.sub.j] || AI[D.sub.i])

M3. [Bidder.sub.i] [right arrow] [Auctioneer.sub.j]: h(h[A.sub.i] || [B.sub.i] || [N.sub.j] || AI[D.sub.j])

Later on, we further convert the generic form M1, M2, M3 into the idealized from,, I1 I2 I3 and list the corresponding goals as below.

I1. [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

I2. [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

I3. [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

G1. [Auctioneer.sub.j]|[equivalent to][N.sub.j]

G2. [Bidder.sub.i]|[equivalent to][N.sub.j]

G3. [Auctioneer.sub.j]|[equivalent to][Bidder.sub.i][N.sub.j]

G4. [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

G5. [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

Here, we use [[??]X[??].sub.Y] to denote the result of exclusive-oring X with the secret Y for exclusive-or operation representation. Moreover, the hash function can be processed similarly as the above-mentioned in our proposed mechanism. To complete the proof, we define essential assumptions to prove that the communications can be established in our proposed mechanism.

A1. [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

A2. [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

A3. [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

A4. [Auctioneer.sub.j] |[equivalent to]#([N.sub.i])

A5. [Auctioneer.sub.j]|[equivalent to][Bidder.sub.i] |[equivalent to]|[??][N.sub.i]

A6. [Bidder.sub.i]|[equivalent to]|[N.sub.i]

A7. [Bidder.sub.i]|[equivalent to]|#([N.sub.i])

A8. [Bidder.sub.i]|[equivalent to] [Auctioneer.sub.j]|[??] [N.sub.i]

Theorem 4.1 Bidders and auctioneers can authenticate each other in our proposed mechanism.

Proof: We infer the goals G1, G2, G3 to show that both bidders and auctioneers can mutually authenticate.

For the first goal G1, we can derive following formulas.

R1. [Auctioneer.sub.j][??] [N.sub.i] (using I1 and A1 based on Receiving rule)

R2. [Auctioneer.sub.j][??] [r.sub.i]

R3. [Auctioneer.sub.j][??] h([A.sub.i] || [B.sub.i])

R4. [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

R5. [Auctioneer.sub.j] |[equivalent to] [Bidder.sub.i] |~[N.sub.i] (using R3 and R4 based on Message-meaning rule)

The formula R1 implies that [Auctioneer.sub.j] can use I1 and A1 to retrieve the random nonce [N.sub.i]. Hence, we assume that [Auctioneer.sub.j] will temporarily believe [N.sub.i] once he retrieves it. Afterward, we derive that [Auctioneer.sub.j] can further retrieve [r.sub.i] from [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] hxy N r using A2 and R1 (i.e., the formula R2).

Similarly, we can derive the formula R3 according to the derivation of the formula R2 which is derived from the formula R1. Note that only the correct [Auctioneer.sub.j] can successfully retrieve [N.sub.i] from Bidderi using A1 and further retrieve the secret value h([A.sub.i] || [B.sub.i]) of [Bidder.sub.i] using R2, A2, and A3. Obviously, we can deduce that no one but [Bidder.sub.i] and the correct auctioneer [Auctioneer.sub.j] can know the hash value h([A.sub.i] || [B.sub.i]). That is, once the Auctioneerj retrieves h([A.sub.i] || [B.sub.i]) (i.e., the formula R3), he will believe that it is only shared with the [Bidder.sub.i] (i.e., the formula R4).

Subsequently, we can proceed to the proof of G1 as follows.

R6. [Auctioneer.sub.j] |[equivalent to] [Bidder.sub.i] |[equivalent to][N.sub.i] (using R5 and A4 based on Nonce-verification rule)

R7. [Auctioneer.sub.j] |[equivalent to] [N.sub.i] (using R6 and A5 based on Jurisdiction rule)

Later on, the second goal G2 is inferred in the same manner as below.

R8. [Bidder.sub.i] [??] ([N.sub.i], [N.sub.j], [Auctioneer.sub.j] |[equivalent to]h([A.sub.i] || [B.sub.i])) (using I2 based on Receiving rule)

R9. [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

The formula R8 implies that [Bidder.sub.i] can retrieve the random nonce [N.sub.j] using I2. Hence, we assume that [Bidder.sub.i] will temporarily believe [N.sub.j] once he retrieves it. Note that only the correct [Bidder.sub.i] can retrieve [N.sub.j] from [Auctioneer.sub.j] using I2. Obviously, we can deduce that no one but the correct [Bidder.sub.i] and the correct auctioneer [Auctioneer.sub.j] can know the hash value h([A.sub.i] || [B.sub.i]) Thus, [Bidder.sub.i] will believe that the hash value h([A.sub.i] || [B.sub.i]) is only shared with [Auctioneer.sub.j] (i.e., the formula R9).

R10. [Bidder.sub.i] |[equivalent to] [Auctioneer.sub.j] |~[N.sub.i] (using R8 and R9 based on Message-meaning rule)

R11. [Bidder.sub.i] |[equivalent to] [Auctioneer.sub.j] |[equivalent to] [N.sub.i] (using R10 and A7 based on Nonce-verification rule)

R12. [Bidder.sub.i] |[equivalent to] [N.sub.i] (using R11 and A8 based on Jurisdiction rule)

Finally, we can obtain the third goal G3, inferred as below.

R13. [Auctioneer.sub.j] |[equivalent to] [Bidder.sub.i] |~[N.sub.i] (using I2 and R9 based on Message-meaning rule)

R14. [Auctioneer.sub.j] |[equivalent to] [Bidder.sub.i] |[equivalent to] [N.sub.i] (using R13 based on Nonce-verification rule)

As the above-mentioned rules and assumptions, we can infer that the goals G1, G2, G3 are achieved.

Theorem 4.2 Bidders and auctioneers can generate a common session key in our proposed mechanism. Namely, both of them have authenticated each other.

Proof: We infer the goals G4, G5 to show that both bidders and auctioneers can negotiate a common session key. Besides, we expand the session key before beginning the proof as below:

[K.sub.i] = h(h([A.sub.i] || [B.sub.i]) || [N.sub.i] || [N.sub.j] || [AID.sub.j]

Clearly, we can find out that if both [Bidder.sub.i] and [Auctioneer.sub.j] intend to negotiate this session key [K.sub.i] , they must have a common secret value h([A.sub.i] || [B.sub.i]).

As demonstrated in Theorem 4.1, we can deduce the formula R4 and R9. Later on, we can further derive following formulas for the goal G4.

R15. [Auctioneer.sub.j] [equivalent to]#([K.sub.i]) (using A4 and R4 based on Freshness Propagation rule)

R16.[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] (using R15 based on Session Key rule)

Afterwards, the goal G5 can be deduced similarly.

With the formula R16, we can deduce that [Auctioneer.sub.j] believes that it has the common session key [K.sub.i] shared with [Bidder.sub.i].

R17. [Bidder.sub.i]|[equivalent to] #([K.sub.i]) (using A7 and R9 based on Freshness Propagation rule)

R18. [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] (using R17 based on Session Key rule)

According to the formula R18, we can summarize that [Bidder.sub.i] believes that it has the common session key [K.sub.i] shared with [Auctioneer.sub.j]

Corollary 4.1 Bidders and auctioneers that run in the proposed mechanism can not only authenticate each other, but also share a common session key.

Proof: From Theorem 4.1, bidders and auctioneers can provide mutual authentication to each other. On the basis of Theorem 4.2, bidders and auctioneers can negotiate a common session key in our proposed mechanism. In other words, both of them can be authenticated each other and communicate with a common session key in our proposed mechanism. Hence, we can provide the formal proof of the correctness of mutual authentication.

4.2 Essential Requirements

4.2.1 Anonymity

Each bidder will generate the dynamic identity [CID.sub.i] which is similar to the pseudonym before the sealed bidding phase and then submit the tender information [msg.sub.i] with his dynamic identity [CID.sub.i] to the auctioneer. Even though the bidding is over, nobody can reveal the real identity of the winner either auctioneers or other bidders. Owing to the random nonce [N.sub.i] , the dynamic identity [CID.sub.i] will be different in each auction, where [CID.sub.i] = [C.sub.i] [direct sum] h(h(h(x)||[r.sub.i]) ||[N.sub.i]||[AID.sub.i]). Furthermore, no one can learn of the real identity of [Bidder.sub.i] even [CID.sub.i] is public.

4.2.2 Bidding Privacy

To protect the privacy of losers, all tender information of bidders has been encrypted by the session key in our proposed mechanism. Here, we assume that [Bidder.sub.j] is the winner. The auctioneer will only publish the information of winner about the tender information [msg.sub.j], the session key [K.sub.j], the highest bidding price [bid.sub.j], and the dynamic identity [CID.sub.j] in the winner announcement phase. If someone intends to get more information of [Bidder.sub.i], he must have the common session key of [Bidder.sub.i]. However, the session key [K.sub.i] = h(h([A.sub.i] || [B.sub.i]) || [N.sub.i] || [N.sub.j] || [AID.sub.j]) = will be distinct in each auction with two random nonces. Thus, it is computationally infeasible to construct [K.sub.i] without , [N.sub.i], [N.sub.j] and h([A.sub.i] || [B.sub.i]) under the assumption of pre-image resistance. Hence, nobody can learn more secret information about losers.

4.2.3 Secret Bidding Price

The bidding price [bid.sub.i] is protected by the tender information [msg.sub.i] [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] which is encrypted by the common session key [K.sub.i] under the assumption of the symmetric encryption in our proposed mechanism. Only the correct auctioneer [Auctioneer.sub.j] can decrypt and learn the bidding price and publish. Here, it is computationally infeasible to obtain the plaintext [CID.sub.i], [bid.sub.i] and [w.sub.i] from the encrypted message msgi without session key [K.sub.i].

4.2.4 Unforgeability

The bidding price [bid.sub.i] is encrypted by the common session key [K.sub.i] in the tender information [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. If someone intends to fabricate a valid bid, he must construct the session key [K.sub.i] to decrypt the tender information in the first place. However, the session key is only known to [Bidder.sub.i] and. [Auctioneer.sub.j] Hence, nobody can create a valid biding price of others in our proposed mechanism.

4.2.5 Non-repudiation

If bidders intend to deny their bids at the end of an auction in our proposed mechanism, the auctioneer can prove that the tender information [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] is the bid of [Bidder.sub.i] with the session key [K.sub.i]. Here, only the correct auctioneer can obtain [CID.sub.i], [bid.sub.i],i and [w.sub.i] from. [Bidder.sub.i] After that, it carries on computing [w*.sub.i] = h([CID.sub.i] || [bid.sub.i] || [K.sub.i] || [AID.sub.j] whether wi is equal to the computed one [w*.sub.i]. If they are the same, it implies that the bidding price is bid by [Bidder.sub.i].

4.2.6 No Framing

If a legal but malicious bidder [Bidder.sub.k] wants to impersonate a valid bidder [Bidder.sub.i] to participate in the auction, he needs to know the session key of [Bidder.sub.i]. However, it is computationally infeasible for [Bidder.sub.k] to impersonate and submit valid tender information to the auctioneer without knowing the session key under the assumption of the symmetric encryption. Thus, our proposed mechanism can withstand [Bidder.sub.k] to impersonate a valid bidder.

4.2.7 One Time Registration

In our proposed mechanism, each bidder just registers once with the registration center and then can join multiple auctions. For each play, he randomly generates the nonce [N.sub.i] to negotiate a common session key with the auctioneer. Later, each bidder can use this common session key to participant in the auction which he is interested in.

In our proposed mechanism, each bidder just registers once with the registration center and then can join multiple auctions. For each play, he randomly generates the nonce Ni to negotiate a common session key

with the auctioneer. Later, each bidder can use this common session key to participant in the auction which he is interested in.

In our proposed mechanism, each bidder just registers once with the registration center and then can join multiple auctions. For each play, he randomly generates the nonce Ni to negotiate a common session key with the auctioneer. Later, each bidder can use this common session key to participant in the auction which he is interested in.

4.2.8 Unlinkability

The bidder attends different auctions by the distinct nonce. Due to the random nonce, the bidder can arbitrarily change his dynamic identity and the session key to a new one among plural auctions. Thus, no one can link another auction to know the relationship of bidders.

4.3 Comparisons

Here, we compare the confirmed requirement of our mechanism with other related works in Table 8. Most of related works can achieve parts of the requirement. However, [2] and [4] have been pointed out that they cannot achieve bidding privacy and secret bidding price for sealed-bid auctions by Li et al. [12]. Furthermore, [2, 5, 12] have been demonstrated that there exist some security problems, respectively. Also, it has been shown that Chang et al.'s protocol [2] may suffer from the replay attack in the initial phase [3]. Later on, Wu et al. [11] found that Liaw et al.'s protocol [5] could not resist the forge attacks. Recently, Li et al. [12] proposed a practical electronic auction to meet strong anonymity, bidding privacy, and secret bidding prices. Unfortunately, we have found that the denial-of-service attack may be launched in Li et al.'s scheme during the bidding phase in a sealed-bid auction. Consequently, we propose mechanism to satisfy the requirements of the previously mentioned auction.

In Table 9, we list security comparisons of our proposed mechanism with other related works. Here, our proposed mechanism can provide proper mutual authentication, secure session key agreement, and robustness to resist various attacks. The detail of security analysis is shown in Subsection 4.1. In addition, we present a formal proof based on BAN logic model which can provide mutual authentication between bidders and auctioneers to assure the legitimacy of two participants. In 2003, Chang and Chang presented an efficient anonymous auction protocol which can achieve the bidder anonymity. However, Jiang et al. claimed that their protocol would suffer from the replay attack. Later on, Chang and Chang presented an enhanced anonymous auction protocol to decrease the computation cost which Jiang et al. was not taken into consideration. Afterwards, Liaw et al. proposed an electronic auction protocol which was found that their protocol could not resist the impersonation attack by Wu et al. Lately, in order to reduce the computation load of the total auction in [2, 3, 5], Chung et al. presented an English auction protocol with the bulletin board method which can raise the efficiency. Later, Li et al. proposed a practical electronic auction protocol to achieve strong anonymity, bidding privacy, and secret bidding prices which cannot be preserved in [2, 3, 4].

As a result, we propose a multi-auction mechanism which can satisfy all the security and fundamental requirements.

5. Performance Discussions

In this section, we discuss the computational cost of the proposed mechanism and make comparisons with related schemes. In our proposed mechanism, we demonstrate the computational overhead of each participant in verification phase, sealed bidding phase, and winner announcement phase. The detail is shown as Table 10. In order to reduce the burden of computational overhead, we have applied the one-way hash function, exclusive-or function, and symmetric key function, instead if public cryptosystem. Exclusive-or operations should be ignored because the computational load of exclusive-or operation is very low. All of these functions can help our proposed mechanism reduce the computational cost and be more efficient than other related schemes.

In order to analyze the computational complexity with related schemes, we define the notation and present the details in Table 10. Since almost all related schemes include the bidding phase, thus, we consider the computational overhead of this phase as the principal part in a sealed-bid auction. Based on [30, 31], we can learn that [1T.sub.Asym] [approximately equal to]100[T.sub.Sym] [1T.sub.Sym] [approximately equal to]5/3[T.sub.Exp] [1T.sub.Exp][approximately equal to]600[T.sub.h] for software consideration. For brevity, we just discuss software consideration in our paper and find that one-way function is more efficient than symmetric key encryption. From Table 11, the computational load of our proposed mechanism is [T1.sub.Sym] + [1T.sub.h] + [9T.sub.Xor] in sealed bidding phase. In this phase, we only use one symmetric key encryption, one hash function, and nine exclusive-or operations. Here, the pervious schemes use one public key encryption, or one signature, or three exponentiation operations at least. Obviously, the new scheme requires less computational overhead than the previous auction schemes. Thus, our proposed mechanism is more efficient and applicable for the mobile device.

6. Conclusions

In this paper, we have pointed out that Li et al.'s practical electronic auction scheme is vulnerable to the denial-of-service attack. Aside from essential of electronic auction, we have developed a brand-new version with dynamic identity property to prevent from malicious tracing. The correctness of mutual authentication between bidder and auctioneer has been proved according to the BAN logic model. Moreover, the efficiency of the proposed mechanism has been demonstrated to be superior to related works. Specifically, a bidder only needs to register at the center once then he can join multiple plays of different auctioneers, which is defined as multi-auction.

References

[1] D. Hirakiuchi and K. Sakurait, "English vs. Sealed Bid in Anonymous Electronic Auction Protocols," in Proc. of IEEE International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises, pp. 171-176, 2001. Article (CrossRef Link)

[2] C.C. Chang and Y.F. Chang, "Efficient Anonymous Auction Protocols with Freewheeling Bids," Computers & Security, Vol. 22, No. 8, pp. 728-734, 2003. Article (CrossRef Link)

[3] R. Jiang, L. Pan and J. H. Li, "An Improvement on Efficient Anonymous Auction Protocols," Computers & Security, Vol. 24, No. 2, pp. 169-174, 2005. Article (CrossRef Link)

[4] Y.F. Chang and C.C. Chang, "Enhanced Anonymous Auction Protocols with Freewheeling Bids," in Proc. of 20th International Conference on Advanced Information Networking and Application, Vol. 1, pp. 353-358, 2006. Article (CrossRef Link)

[5] H.T. Liaw, W.S. Juang and C.K. Lin, "An Electronic Online Bidding Auction Protocol with both Security and Efficiency," Applied Mathematics and Computation, Vol. 174, No. 2, pp. 1487-1497, 2006. Article (CrossRef Link)

[6] Y.F. Chung, K.H. Huang, H.H. Lee, F.P. Lai and T.S. Chen, "Bidder-anonymous English Auction Scheme with Privacy and Public Verifiability," Journal of Systems and Software, Vol. 81, No. 1, pp. 113-119, 2008. Article (CrossRef Link)

[7] Y.F. Chung, Y.T. Chen, T.L. Chen and T.S. Chen, "An Agent-based English Auction Protocol using Elliptic Curve Cryptosystem for Mobile Commerce," Expert Systems with Applications, Vol. 38, No. 8, pp. 9900-9907, 2011. Article (CrossRef Link)

[8] H. Xiong, Z. Chen and F. Li, "Bidder-anonymous English Auction Protocol based on Revocable Ring Signature," Expert Systems with Applications, Vol. 39, No. 8, pp. 7062-7066, 2012. Article (CrossRef Link)

[9] J.Heezen and W. Beats, "The Impact of Electronic Markets: The Case of the Dutch Flower Auction," Journal of Strategic Information System, Vol. 5, No. 4, pp. 317-333, 1996. Article (CrossRef Link)

[10] W. Standaert, S. Muylle and I. Amelinckx, "An Empirical Study of Electronic Reverse Auction Project Outcomes," Electronic Commerce Research and Applications, Vol.14, No. 2, pp. 81-94, 2015. Article (CrossRef Link)

[11] C.C. Wu, C.C. Chang and I.C. Lin, "New Sealed-bid Electronic Auction with Fairness, Security and Efficiency," Journal of Computer Science and Technology, Vol. 23, No. 2, pp. 253-264, 2008. Article (CrossRef Link)

[12] M.J. Li, J. S.T. Juan and J. H.C. Tsai, "Practical Electronic Auction Scheme with Strong Anonymity and Bidding Privacy," Information Sciences, Vol. 181, No. 12, pp. 2576-2586, 2011. Article (CrossRef Link)

[13] W. Shi, "An Efficient Sealed-bid Auction Protocol with Bid Privacy and Bidder Privacy," International Journal of Innovative Computing, Information and Control, Vol. 8, No. 11, pp. 7943-7953, 2012. Article (CrossRef Link)

[14] W.S. Juang, H.T. Liaw, P.C. Lin and C.K. Lin, "The Design of a Secure and Fair Sealed-bid Auction Service," Mathematical and Computer Modelling, Vol. 41, No. 8-9, pp. 973-985, 2005. Article (CrossRef Link)

[15] K. Miyashita, "Online Double Auction Mechanism for Perishable Goods," Electronic Commerce Research and Applications, Vol.13, No. 5, pp. 355-367, 2015. Article (CrossRef Link)

[16] L. I. de Castro and D. H. Karney, "Equilibria Existence and Characterization in Auctions: Achievements and Open Questions," Journal of Economic Surveys, Vol. 26, No. 5, pp. 911-932, 2012. Article (CrossRef Link)

[17] C.C. Lina, S.C. Chenb and Y.M. Chu, "Automatic Price Negotiation on The Web: An Agent-based Web Application using Fuzzy Expert System," Expert Systems with Applications, Vol. 38, No. 5, pp. 5090-5100, 2011. Article (CrossRef Link)

[18] A. H. Ozer and C. Ozturan, "Multi-unit Differential Auction-barter Model for Electronic Marketplaces," Electronic Commerce Research and Applications, Vol. 10, pp. 132-143, 2011. Article (CrossRef Link)

[19] J.S. Chang and W.H. Chang, "Analysis of Fraudulent Behavior Strategies in Online Auctions for Detecting Latent Fraudsters," Electronic Commerce Research and Applications, Vol.13, No. 2, pp. 79-97, 2015. Article (CrossRef Link)

[20] F.S. Hsieh and C.S. Liao, "Schemes to Reward Winners in Combinational Double Auctions based on Optimization of Surplus," Electronic Commerce Research and Applications, Vol.14, No. 6, pp. 405-417, 2015. Article (CrossRef Link)

[21] C. Dang, Q. Hu and J. Liu, "Bidding Strategies in Online Auctions with Different Ending Rules and Value," Electronic Commerce Research and Applications, Vol.14, No. 2, pp. 104-111, 2015. Article (CrossRef Link)

[22] X. Li, J. Mab, W. Wang, Y. Xiong and J. Zhang, "A Novel Smart Card and Dynamic ID based Remote User Authentication Scheme for Multi-server Environments," Mathematical and Computer Modelling, Vol. 58, No. 1-2, pp. 85-95, 2012. Article (CrossRef Link)

[23] D. Chaum and H. Antwerpen, "Undeniable Signatures," Advances in Cryptology. CRYPTO'89, Vol. 435, pp. 212-216, 1990. Article (CrossRef Link)

[24] C.P. Schnorr, "Efficient Signature Generation for Smart Cards," Journal of Cryptology, Vol. 4, No. 3, pp. 239-252, 1991. Article (CrossRef Link)

[25] J. Daemen and V. Rijmen, "The Design of Rijndael: AES - The Advanced Encryption Standard," Springer, 2002. Article (CrossRef Link)

[26] A. Menezes, P. V. Oorschot and S. Vanstone, "Handbook of Applied Cryptography," CRC Press, USA, pp. 321-376, 1996. Article (CrossRef Link)

[27] M. Burrows, M. Abadi and R. Needham, "Authentication: A Practical Study in Belief and Action," in Proc. of 2nd Conference on Theoretical Aspects of Reasoning about Knowledge, CA, USA, pp. 325-342, 1988. Article (CrossRef Link)

[28] M. Burrows, M. Abadi and R. Needham, "A Logic of Authentication," ACM Transactions on Computer Systems, Vol. 8, No. 1, pp. 18-36, 1990. Article (CrossRef Link)

[29] S.P. Yang and X. Li, "Defect in Protocol Analysis with BAN Logic on Man-in-the-middle Attacks," Application Research of Computers, Vol. 24, pp. 149-151, 2007. Article (CrossRef Link)

[30] B. Schneier, "Applied Cryptography, Protocols Algorithms, and Source Code in C," John Wiley and Sons Inc., New York, U.S.A., 1994. Article (CrossRef Link)

Jung-San Lee received the BS degree in computer science and information engineering in 2002 and his Ph.D in computer science and information engineering in 2008, both from National Chung Cheng University, Chiayi, Taiwan. Since 2012, he has worked as an associate professor in the Department of Information Engineering and Computer Science at Feng Chia University, Taichung, Taiwan. His current research interests include information security, image processing, and watermarking.

Kuo-Jui Wei received the MS degree in information engineering and computer science in 2011. He is currently pursuing his Ph.D. degree in Information Engineering and Computer Science in Feng Chia University, Taichung, Taiwan. His current research interests include information security and mobile communications.

Ying-Chin Chen is currently pursuing her MS degree in information engineering and computer science in Feng Chia University, Taichung, Taiwan. Her current research interests include information security and e-commerce.

Yun-Hsiang Sun is currently pursuing his MS degree in information engineering and computer science in Feng Chia University, Taichung, Taiwan. His current research interests include information security and e-commerce.

Jung-San Lee (*), Kuo-Jui Wei, Ying-Chin Chen, and Yun-Hsiang Sun

Department of Information Engineering and Computer Science, Feng Chia University, Taichung 407, Taiwan, ROC leejs@fcu.edu.tw

Received July 2, 2016; revised September 25, 2016; accepted October 12, 2016; published December 31, 2016

Table 1. Notations used in Li et al.'s scheme. Notation Definition N Public system parameters g Generator of multiplication group [Z.sup.*.sub.N] [Bidder.sub.i] The ith bidder I[D.sub.i] Identity of [Bidder.sub.i] RM Registration manager AM Auction manager Auctioneer Auctioneer BB[S.sub.RM] Bulletin board system of RM BB[S.sub.AM] Bulletin board system of AM BB[S.sub.i] Bulletin board system of [Bidder.sub.i] D[B.sub.RM] Database of RM D[B.sub.AM] Database of AM S[K.sub.i] Asymmetric private key of [Bidder.sub.i] P[K.sub.i] Asymmetric public key of [Bidder.sub.i] Notation Notation N [a.sub.i] g b [Bidder.sub.i] c I[D.sub.i] [T.sub.RM] RM [T.sub.AM] AM [P.sub.i] Aictioneer [bid.sub.i] BB[S.sub.RM] GID BB[S.sub.AM] [y.sub.i] BB[S.sub.i] [Y.sub.i] D[B.sub.RM] [Y.sub.RA] D[B.sub.AM] [??] S[K.sub.i] S[K.sub.i]{[??]} P[K.sub.i] P[K.sub.i]{[??]} Notation Definition N Random number generated by [Bidder.sub.i] g Random number generated by RM [Bidder.sub.i] Random number generated by AM I[D.sub.i] Timestamp generated by RM RM Timestamp generated by AM AM Bidding price of Bidder Aictioneer Tender information of [Bidder.sub.i] BB[S.sub.RM] Identification of goods BB[S.sub.AM] Registration key of [Bidder.sub.i] BB[S.sub.i] Diffie-Hellman key tween [Bidder.sub.i] and RM D[B.sub.RM] Diffie-Hellman key tween RM and AM D[B.sub.AM] Diffie-Hellman key tween AM and [Bidder.sub.i] S[K.sub.i] Signing algorithm with asymmetric private key S[K.sub.i] P[K.sub.i] Encryption algorithm with asymmetric public key P[K.sub.i] Table 2. Bulletin board system of RM BB[S.sub.RM] N, g, [y.sub.RM], [T.sub.RM], S[K.sub.RM] {[y.sub.RM] || [T.sub.RM]} [y.sub.1], [y.sub.2], [??] [y.sub.n] [Y.sub.1], [Y.sub.2], [??] [Y.sub.n] Table 3. Database of RM D[B.sub.RM] Identity Signature Session Key I[D.sub.1] [[alpha].sub.1] [Y.sub.1] I[D.sub.2] [[alpha].sub.2] [Y.sub.2] . . . . . . . . . I[D.sub.n] [[alpha].sub.n] [Y.sub.n] Table 4. Bulletin board system of AM BB[S.sub.RM] N, g, [y.sub.AM], [T.sub.RM], [y.sub.RA], S[K.sub.AM] {[Y.sub.RA] || [T.sub.AM]} [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] Table 5. Database of AM D[B.sub.AM] Auction Key Session key [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] [Y.sub.1] [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] [Y.sub.2] . . . . . . [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] [Y.sub.n] Table 6. Notations used in multi-auction mechanism. Notation Definition [Bidder.sub.i] The ith bidder [UID.sub.i] Identity of [Bidder.sub.i] [PW.sub.i] Password of [Bidder.sub.i] [CID.sub.i] Dynamic identity of [Bidder.sub.i] [bid.sub.i] Bidding price of [Bidder.sub.i] [Auctioneer.sub.j] The jth Auctioneer [AID.sub.j] Unique identity of [Auctioneer.sub.j] RC Registration center x Master secret key maintained by RC y Secret number generated by RC [r.sub.i] Random number chosen by RC for each bidder [N.sub.i] Random nonce generated by [Bidder.sub.i]'s smart card [N.sub.j] Random nonce generated by [Auctioneer.sub.j] [K.sub.i] Session key shared between [Bidder.sub.i] and [Auctioneer.sub.j] [MATHEMATICAL Symmetric encryption using the common session EXPRESSION NOT key [K.sub.i] REPRODUCIBLE IN ASCII] h([.]) A one-way hash function [direct sum] Exclusive-or operation || Message concatenation operation [??] A secure channel [right arrow] A common channel Table 7. Notations used in BAN logic. Notation Definition Notation X Statement [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] P, Q Parties #(X) P |[equivalent to] X P believes X [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] P [??] X P receives X [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] P |~ X P once said X [<X>.sub.Y] Notation Definition X P has jurisdiction over X. P, Q The formula X is fresh. P |[equivalent to] X P communicates to Q by utilizing the shared key K. P [??] X The formula X is a secret only known between P and Q. P |~ X X combined with the formula Y; it is implied that Y be a secret. Table 8. Achieved requirements Requirements [2] [4] [5] [5] [11] [12] [13] Ours Anonymity O O O O O O O O Bidding Privacy X X - - - O - O Secret Bidding Price X X - - - O - O Security Problem X - X O O X O O Public Verifiability O O - O O O O O Non-repudiation O O O O O O O O No Framing - - - O - - O O Fairness O O - O O - O O One Time Registration - - O O - O - O Unlinkability - - O O - - O O O:It indicates that the essential can achieve. X:It indicates that the essential cannot achieve. -:It means that the essential is not mentioned. Table 9. Security comparisons Requirements [2] [4] [5] [6] [11] [12] Session key agreement - - - - - - Proper mutual authentication X X X X O X Replay attack X O - - - - Impersonation attack O O X - - - Server spoofing attack - - - - - - Resist man-in-the-middle attack O O - - - - Resist denial-of-service attack - - - - - X Requirements [13] Ours Session key agreement - O Proper mutual authentication X O Replay attack - O Impersonation attack - O Server spoofing attack - O Resist man-in-the-middle attack - O Resist denial-of-service attack - O Table 10. Computational cost of proposed mechanism Phase Bidder Verification Phase 5[T.sub.h] + 2[T.sub.Xor] Sealed Bidding Phase 1[T.sub.Sym] + 1[T.sub.h] Winner Announcement Phase 0 Phase Auctioneer Verification Phase 6[T.sub.h] + 7[T.sub.Xor] Sealed Bidding Phase 0 Winner Announcement Phase 1[T.sub.Sym] + 1[T.sub.h] [T.sub.h]: Hash cost, [T.sub.Xor]: Exclusive-or cost, [T.sub.Sym]: Symmetric key encryption cost Table 11. Comparisons of computational cost Sealed Bidding Phase [2] 3[T.sub.PKE] + 3[T.sub.h] [4] 1[T.sub.PKE] + 2[T.sub.Sym] [5] 5[T.sub.Exp] [6] 3[T.sub.Exp] + 6[T.sub.Mul] + 1[T.sub.h] [11] 4[T.sub.Exp] + 1[T.sub.Mul] [12] 1[T.sub.Sig] + 1[T.sub.Sym] + 1[T.sub.h] [13] 1[T.sub.PKE] + 1[T.sub.Sym] + 4[T.sub.h] Ours 1[T.sub.Sym] + 1[T.sub.h] + 9[T.sub.Xor] [T.sub.PKE]: Public key encryption cost [T.sub.Exp]: Modular exponentiation cost [T.sub.Sig]: Signature cost [T.sub.Xor]: Exclusive-or cost [T.sub.Sym]: Symmetric key encryption cost [T.sub.Mul]: Modular multiplication cost [T.sub.h]H: ash cost

Printer friendly Cite/link Email Feedback | |

Author: | Lee, Jung-San; Wei, Kuo-Jui; Chen, Ying-Chin; Sun, Yun-Hsiang |
---|---|

Publication: | KSII Transactions on Internet and Information Systems |

Article Type: | Report |

Date: | Dec 1, 2016 |

Words: | 12126 |

Previous Article: | Dynamic session key based Pairwise Key management scheme for Wireless Sensor Networks. |

Next Article: | New blind steganalysis framework combining image retrieval and outlier detection. |

Topics: |