Question 4. A sealed-bid auction is a process where a number of parties
called bidders submit sealed bids for buying some item. Once all sealed bids
have been submitted, the bids are revealed and the highest bidder is the one
that buys the item.
Suppose that the following cryptographic primitives are available:
• A fully secure public-key encryption scheme (e.g., RSA-OAEP) that
consists of the key-generation algorithm PKE.Gen, the encryption algorithm Enc, and the decryption algorithm Dec.

• An existentially unforgeable digital signature scheme (e.g., RSA-FDH)
that consists of the key-generation algorithm DS.Gen, the signing algorithm Sign, and the verification algorithm Vrfy.

• A trusted certificate authority (CA) that can be used to issue publickey certificates for any party.
Using the cryptographic primitives above, design and analyse an electronic sealed-bid auction protocol according to the following guidelines:

• The parties involved in the auction are: (i) an auction administrator
(AA) and a number of m bidders B1, . . . , Bm. The bidders trust the
AA during the execution of an auction protocol. However, a malicious
bidder may observe the communication of another bidder with the AA,
or even attempt to send a message on behalf of another party.

• An auction protocol execution for a publicly known item I consists of
three phases outlined as follows:
1. Setup: the involved parties generate any necessary cryptographic
keys and obtain certificates for their public keys. In addition, the
AA provides each bidder with any necessary public keys (and
certificates) it has generated and the bidders send any necessary
public keys (and certificates) they have generated to the AA.
2. Bidding: Each bidder securely provides the AA with their bid
(i.e., an integer amount of money) for item I.
3. Result: The AA “opens” all the sealed bids and sets Bˆ ∈
{B1, . . . , Bm} as the identity of the highest bidder. It announces
the result to all bidders, which consists of the identity Bˆ and the
bid of bidder Bˆ. For simplicity, assume that any two bidders will
never provide the same bid, i.e., there are no ties.
• The auction protocol should be designed so that it achieves the following security properties:
1. The bidders cannot learn each others’ bids during the Binding
phase.
2. Only one bid per bidder will be accepted.
3. No bidder can provide the AA with a bid on behalf of another
bidder.

4. When a bidder receives the result, they are assured that it was
indeed provided by the AA.
In particular, given the above guidelines, you are asked to:
Transcribed Image Text:(a). Provide a detailed description of all the steps of your design that capture the Setup, Binding, and Result phases. Your descrip- tion should not only be based on narrative, but it should also take into account the syntax of the underlying cryptographic primitives. For instance, if C is a ciphertext on some message M under public key pk, use the notation C← Encpk (M) at the ciphertext generation step.

Question

Question 4. A sealed-bid auction is a process where a number of parties
called bidders submit sealed bids for buying some item. Once all sealed bids
have been submitted, the bids are revealed and the highest bidder is the one
that buys the item.
Suppose that the following cryptographic primitives are available:
• A fully secure public-key encryption scheme (e.g., RSA-OAEP) that
consists of the key-generation algorithm PKE.Gen, the encryption algorithm Enc, and the decryption algorithm Dec.

• An existentially unforgeable digital signature scheme (e.g., RSA-FDH)
that consists of the key-generation algorithm DS.Gen, the signing algorithm Sign, and the verification algorithm Vrfy.

• A trusted certificate authority (CA) that can be used to issue publickey certificates for any party.
Using the cryptographic primitives above, design and analyse an electronic sealed-bid auction protocol according to the following guidelines:

• The parties involved in the auction are: (i) an auction administrator
(AA) and a number of m bidders B1, . . . , Bm. The bidders trust the
AA during the execution of an auction protocol. However, a malicious
bidder may observe the communication of another bidder with the AA,
or even attempt to send a message on behalf of another party.

• An auction protocol execution for a publicly known item I consists of
three phases outlined as follows:
1. Setup: the involved parties generate any necessary cryptographic
keys and obtain certificates for their public keys. In addition, the
AA provides each bidder with any necessary public keys (and
certificates) it has generated and the bidders send any necessary
public keys (and certificates) they have generated to the AA.
2. Bidding: Each bidder securely provides the AA with their bid
(i.e., an integer amount of money) for item I.
3. Result: The AA “opens” all the sealed bids and sets Bˆ ∈
{B1, . . . , Bm} as the identity of the highest bidder. It announces
the result to all bidders, which consists of the identity Bˆ and the
bid of bidder Bˆ. For simplicity, assume that any two bidders will
never provide the same bid, i.e., there are no ties.
• The auction protocol should be designed so that it achieves the following security properties:
1. The bidders cannot learn each others’ bids during the Binding
phase.
2. Only one bid per bidder will be accepted.
3. No bidder can provide the AA with a bid on behalf of another
bidder.

4. When a bidder receives the result, they are assured that it was
indeed provided by the AA.
In particular, given the above guidelines, you are asked to:

(a).
Provide a detailed description of all the steps of your design
that capture the Setup, Binding, and Result phases. Your descrip-
tion should not only be based on narrative, but it should also take
into account the syntax of the underlying cryptographic primitives.
For instance, if C is a ciphertext on some message M under public key
pk, use the notation C← Encpk (M) at the ciphertext generation step.

Accepted Answer

To achieve the specified security properties in the auction protocol, we can design a three-phase…