Bsea: a Blind Sealed-bid E-auction Scheme for E-commerce Applications

Due to an increase in the number of internet users, electronic commerce has grown significantly during the last decade. Electronic auction (e-auction) is one of the famous e-commerce applications. Even so, security and robustness of e-auction schemes still remain a challenge. Requirements like anonymity and privacy of the bid value are under threat from the attackers. Any auction protocol must not leak the anonymity and the privacy of the bid value of an honest Bidder. Keeping these requirements in mind, we have firstly proposed a controlled traceable blind signature scheme (CTBSS) because e-auction schemes should be able to trace the Bidders. Using CTBSS, a blind sealed-bid electronic auction scheme is proposed (BSEA). We have incorporated the notion of blind signature to e-auction schemes. Moreover, both the schemes are based upon elliptic curve cryptography (ECC), which provides a similar level of security with a comparatively smaller key size than the discrete logarithm problem (DLP) based e-auction protocols. The analysis shows that BSEA fulfills all the requirements of e-auction protocol, and the total computation overhead is lower than the existing schemes.


Introduction
Recent advancement in modern technologies has converted many activities of human life into the digital/electronic format, for example, paper-based ballot to electronic voting system, paper-based cash to electronic cash, paper-based prescription to electronic health record, etc. Similarly, electronic auction (e-auction) is the electronic version of selling something to a bidder with highest bid value. More formally, it is a financial transaction procedure that helps in listing the price of commodities over a distributed environment. Initially, the auctioneer offers his goods, commodities or services on an auction website over the internet. Interested parties can submit their bid value for the product to be auctioned before the stipulated deadline. Generally, the auction procedure is transparent. All of the interested parties are allowed to participate in the auction process. Prior to e-auction, people were following a centralized approach to do the bidding process. Major limitations that motivated research community to switch from the centralized approach to the distributed approach are geographic area and time. Some challenges of e-auction like bidder's anonymity and bidder's privacy have to be resolved before adapting e-auction [1][2][3][4]. Generally, e-auction schemes can be categorized into four types including English auction, Dutch auction, sealed bid auction, and Vickrey auction [5]. Due to the simple requirements of the sealed bid auction, it is always easy to implement it in an e-auction. Essential requirements of e-auction schemes are anonymity, non-repudiation, un-forgeability, traceability, public verifiability, integrity and confidentiality, fairness, authentication, privacy, and robustness [6,7]. In real life, there are some situations where we do not want to reveal the content of the message to the signing authority. In such cases, a blind signature serves the purpose. Blind signature is a variation of the digital signature, where the signer is unaware of the content of the message to be signed by him/her [8][9][10][11][12]. A list of requirements that needs to be satisfied by any blind signature scheme are: Blindness, Correctness, Authentication, Integrity, Non-Repudiation, Un-forgeability, Non-Reusability, and Un-traceability [13][14][15]. Blind signature schemes are designed as untraceable in applications like e-voting and e-cash [16][17][18][19]. However, blind signature application in the e-auction scheme requires controlled traceability. The advantages of elliptic curve cryptography (ECC)-based crypto-system over others like discrete logarithm problem (DLP) and the integer factorization problem (IFP) are: smaller key size, reduction in storage space, reduction in transmission requirement, and reduction in processing power [20][21][22][23][24][25][26]. Due to the smaller size key, ECC-based schemes can be applied in smart cards and wireless communication systems, where the devices have less memory, bandwidth, and computational power [27].
In this paper, we proposed a blind sealed-bid e-auction scheme using ECC (BSEA). Before proposing BSEA, we proposed a controlled traceable blind signature scheme (CTBSS), which is the basic building block of the proposed BSEA. In e-auction protocols, the Bidder corresponding to the max_bid should be traceable by the auction authorities. BSEA is shown to be resistant against various kinds of adversarial attacks like key only attack, forgery attack, known and chosen message attack, replay and eavesdropping attack, identity theft attack, and impersonate attack [28][29][30][31]. We have shown that BSEA satisfies all the requirements of the e-auction protocols. Based on the requirements and total computational overhead, we have performed a comparative analysis of our scheme with the existing schemes, and showed the results.
The rest of the article is organized as follows. Some related works are provided in Section 2. The proposed CTBSS using ECC is presented in Section 3. The security analysis of CTBSS is discussed in Section 4. The proposed e-auction protocol using CTBSS (BSEA) and its security analysis are given in Section 5 and Section 6, respectively. The performance analysis of the proposed BSEA is presented in Section 7. The concluding remarks are given in Section 8.

Related Work
Several e-auction protocols have been designed so far; however, the security of e-auction schemes remains a challenge.
In [32], the authors proposed a sealed-bid auction protocol where a malicious bidder cannot deny his bid value. They used a verifiable signature scheme to justify their protocol. In [33], a sealed bid auction method with a time server has been proposed, where after a certain time period, the sealed bids are opened and evaluated. An e-auction scheme to improve the privacy of bids such that the winner will be determined and known only by the auctioneer is proposed in [34]. Chang et al. [35] proposed three anonymous auction protocols to ensure bidder's privacy. They used a deniable authentication scheme to check the validity of the bids, where every bidder can bid arbitrarily and anonymously. However, in [36], Jiang et al. pointed out some security weakness of [35] where the bidder cannot detect the tampered response message from the auctioneer. Hence, Jiang et al. proposed an improved scheme that prevents tampering attacks. Subsequently, an improved method is proposed for further enhancement in [4]. In [37], the authors proposed an e-auction protocol consisting of four parties, namely, bidder, third party, auctioneer and bank. This scheme aims to solve the problem of the bidder's deposit payment with a deposit deducting certificate. However, in [38], the authors mentioned a security drawback, where the bidding receipt can be forged by the bidder to claim that she is the valid auction winner. Hence, the scheme proposed in [37] was unable to preserve the privacy of the bidders. Hence, it does not preserve the anonymity property. Even malicious bidders can forge the bid receipt sent by the third party and can claim that she is a valid winner. In [38], the authors proposed an e-auction protocol that removes the flaws of [37] and was comparatively more secure and efficient. They have used symmetric key encryption instead of asymmetric key encryption to enhance the efficiency. However, the security of their scheme totally relies on the trust of the third party as it has all the information about the bidders who may affect in the subsequent auctions. Much more emphasis has been given to the third party instead of sharing the load. In [39], Cao et al. proposed an e-auction that is based on an untrusted third party. System preparing, bidder registration and blind signature, bidding, and bid opening are the phases of this scheme. This scheme satisfies bidder anonymity, unforgeability, non-repudiation, public verifiability, secret bidding prices, and fairness. In [40], the authors propose a secure and efficient electronic auction scheme with strong anonymity. However, the schemes presented in [39,40] fail to prove that they fulfill the traceability requirements of e-auction, which is very necessary in the current context of e-auction protocols. In [41], the authors have proposed a cryptographic e-auction protocol using the threshold cryptosystem. This protocol offers facilities like incontrovertibility of participants, integrity of data, incontrovertibility of offers, confidence of bids, anonymity of the winning bidder, and public verification. It provides traceability as the bidders themselves sign the message, and hence they cannot deny and are traceable. However, the identity of the bidder is not preserved here. In addition to the above facts, their security relies on the difficulty of solving the DLP for the sealed bid electronic auction. Therefore, an electronic online auction using the elliptic curve discrete logarithm problem will enhance the security level, which is the basic building block for the proposed BSEA. Hence, in BSEA, complete anonymity without any repudiation has been achieved.

Proposed Controlled Traceable Blind Signature Scheme
In this section, we discuss the proposed CTBSS. Three entities, namely, Signer, Requester (Sender), and Verifier participate in CTBSS. The objective of CTBSS is that the Requester has to get a blind signature of the Signer on the message and the Verifier can verify the authenticity of the signature present in the message, and this is shown in Figure 1. Before CTBSS starts, all the entities have to agree on the security parameters, i.e., an elliptic curve $E_p(a, b)$ of order $p$. The scheme uses some symbols and the meanings of these symbols are listed in Table 1. The CTBSS consists of four phases, namely key generation, blinding, signing, and unblinding with verification, which are described below via several algorithms. These phases are shown in Algorithms 1-4, respectively. The overall flow of the proposed CTBSS is given in Figure 2.
5: Sender publishes his/her public parameters as $M$, $N$ and keeps $r1_r$ and $r2_r$ as secret.
6: Requester sends the blind message ($u_2$) to the Signer.

Algorithm 3 Signing Phase
1: After receiving $u_2$ from the Requester, the Signer signs the message by computing the following equation:
$s$ is the Signer's signature on the blind message.
2: Signer sends $s$ to the Sender.

Algorithm 4 Unblinding with Verification Phase
1: After receiving $s$, the Sender unblinds the message by computing the following equation:
$S = (s \cdot r1_r + r2_r)P$. (2)
2: The signed message of $m$ by the Signer is $S$.
3: This can be verified by the Verifier using the following equation:

[Figure 2. Overall flow of the proposed CTBSS between Signer, Requester and Verifier.]

Security Analysis of CTBSS
In this section, the security analysis of the proposed CTBSS is performed by considering various properties like correctness, blindness, traceability, and universally verifiable. CTBSS satisfies these properties on the assumption that elliptic curve discrete logarithm problem (ECDLP) is hard to break and the hash function $H(.)$ is secure and collision resistant.

Correctness Proof
The correctness of the proposed CTBSS is proved as follows. Here, we have shown that $S + M - N$ and $u_1 Z$ are same. Hence, the Verifier is able to check the authenticity of the signature using Equation (3). Substituting the value of $S$ from Equation (2) in left hand side (LHS) of Equation (3), we will obtain Now, solving using the value of $N$, Substituting the value of $s$ using Equation (1), The above equation can be further simplified using $X$ and $Y$ and results in Using the value of $Z$, Now, using the value of $M$, Hence, the correctness of the proposed CTBSS is proved.

Blindness
Given two signature pairs ($S$ and $S^*$) out of which one is valid and one is previously stored, it is very difficult for the adversary to find the blinding factor $r1_r$ from $S$ and $S^*$. From $Z$ and $M$, it is very difficult for the adversary to find the value of $r2_r$. This happens due to the difficulty in solving the ECDLP problem.

Traceability
In blinding phase, the Requester sends the blind message to the Signer. Thus, the Signer can keep a list that contains values of type ($u_2$, $s$). Afterwards, the Requester sends the pair ($S$, $u_1$) to the Verifier for the message $m$, and the Signer can collect this value. By collecting these values, she will not be able to find the value of $r1_r$ and $r2_r$. However, using Equation (2) in the expression $S - N$, $S - N = (s \cdot r1_r + r2_r)P - r2_r P = s \cdot r1_r P$. This happens because the value of $N$ is the public parameter of the Requester. Let $r1_r P = P'$, and then $S - N = sP'$. Now, the Signer will have the value of $S - N$. She can find the value of $s^{-1}$. $P'$ can be found as $P' = s^{-1}(S - N)$. Then, she compares, for every $P'$, if $S - N = sP'$. Hence, the Signer can trace the signature $s$ for $m$, which depends on the number of blind signatures signed by the Signer.

Universally Verifiable
The blind signature can be verified by using the signature-message pair ($S$, $u_1$) and publicly available parameters ($M$, $N$, $Z$) for message $m$. Anyone can check its authenticity using Equation (3), once the Sender reveals the signature-message pair ($S$, $u_1$). Hence, CTBSS is universally verifiable.

Proposed Blind Sealed-Bid Electronic-Auction Scheme
In this section, we discussed the proposed blind sealed-bid e-auction scheme using elliptic curve cryptography (BSEA). CTBSS scheme is used in BSEA. The system model for the proposed BSEA is shown in Figure 3. BSEA consists of the advertisement phase, the registration setup phase, the registration confirmation phase, the bidding phase and the winner determination phase. These phases are described below.
In the advertisement phase, the Auctioneer will publish an advertisement and announce the start of the auction process. She will choose the system parameters such as $E_p(a, b)$ as the elliptic curve of order $p$ and $P$ as the base point. She will choose $s_a$ as his/her private key. Then, she will find his/her public key $P_a$ as $P_a = s_a P$. After this, the auction message $M_a$ will be signed by the Auctioneer using his/her private key as $Sign_{s_a}(M_a)$. $Sign_{s_a}(M_a)$ is sent to the Third Party to publish on the web, so that the auction message will be available to the public. This signed message can be verified by anyone using the Auctioneer's public key.
The registration setup phase facilitates interested Bidders to register to the system before submission of their bid. Registration Manager (RM) is an entity with which every individual Bidder has to register. RM provides anonymity to each and every individual Bidder. In order to register, several steps are carried out by both the RM and the Bidder as mentioned in Algorithm 5. The overall flow of this phase is given in Figure 4.
5: She computes the following equation: and publishes $Z_b$ as his/her public parameter.
6: RM computes $K_{rmb}$ as (5)
7: The Bidder also finds the same key $K_{rmb}$ as
8: She computes $R_b = y_b(A_{rm} + P)$, $e_b = H(TS||R_b)$, and $e1_b = y_b^{-1} e_b$.
9: Bidder encrypts the tuple $ID||TS||e1_b$ using the secret key $K_{rmb}$ and sends it to the RM.
10: RM decrypts the corresponding message using the same shared secret key $K_{rmb}$ and computes $s_{rm}$ as follows:
11: RM signs the $s_{rm}$ with $b_{rm}$ as $Sign_{b_{rm}}(s_{rm})$ and sends it to the Bidder.
The steps of the registration confirmation phase are mentioned in Algorithm 6, and a pictorial representation of the same is shown in Figure 5. The Bidding phase consists of several steps as mentioned in Algorithm 7, and a pictorial representation of the same is shown in Figure 6. The steps of the winner determination phase are mentioned in Algorithm 8.

Algorithm 6 Registration Confirmation Phase
2: She computes $X = r1_s P$, $Y = r2_s P$, and $Z = (Y + X)$.
3: She publishes $X$, $Y$, $Z$ as public parameters and keeps $r1_s$ and $r2_s$ secret.
4: The Bidder decrypts $s_{rm}$ using $K_{rmb}$ after receiving $s_{rm}$ from the RM.
5: After decryption, the Bidder finds $s_{rm}$ as per the following equation:
6: Now, the Bidder sends the tuple ($s_{rm}$, $e_b$, $TS$) along with $Z_b$ to the TP.
7: TP verifies the signature $s_{rm}$ using the following equation:
8: If Equation (9) holds up well, then the TP finds a secret key $K_{TP}$ according to the following equation:
9: TP generates a random number $r_{TP}$ and encrypts $r_{TP}$ using $K_{TP}$ as $Enc_{K_{TP}}(r_{TP})$.
10: TP puts his/her signature on the tuple ($s_{rm}$, $e_b$, $TS$) as $Sign_{r1_s}(s_{rm}, e_b, TS)$.
11: TP sends the tuple ($X$, $Enc_{K_{TP}}(r_{TP})$, $Sign_{r1_s}(s_{rm}, e_b, TS)$) to the Bidder.
12: When the Bidder receives the tuple ($X$, $Enc_{K_{TP}}(r_{TP})$, $Sign_{r1_s}(s_{rm}, e_b, TS)$), she can find the value of $K_{TP}$ using $X$.
13: Using $K_{TP}$, she finds the value of $r_{TP}$.

Algorithm 7 Bidding Phase
1: The Bidder generates two random numbers $r1_r$ and $r2_r$ such that $r1_r, r2_r \in Z_p^*$ where $r1_r$ is the blinding factor.
2: The Bidder computes his/her public key $M = r2_r Z$.
3: She computes $N = r2_r P$.
4: Using the blinding factor, she blinds his/her bid value.
5: She computes $u_1 = H(bid)$ and $u_2 = (u_1 - r2_r) \cdot r1_r^{-1}$.
6: The Bidder sends $u_2$ to the TP to get his/her signature.
7: The TP finds the signature on the blind message corresponding to bid of the Bidder using the following equation: Here, the TP can not find anything about the bid value.
8: The TP sends the blind signature on the bid value $s$ to the Bidder.
9: After receiving $s$ from the TP, the Bidder unblinds the message $s$ to get the signature on the original bid value. The Bidder can find this using the following equation: The signed bid value by the TP is $S$.
10: The signature can be verified using the following equation: Here, without revealing the bid value, it can be verified.
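Added example (not code from the paper): the CTBSS exchange of Algorithms 1-4, which the bidding phase above reuses with the TP as Signer and the Bidder as Requester, run end to end to check Equation (2) and the verification relation $S + M - N = u_1 Z$. The signing equation is not legible on this page, so the code assumes $s = u_2(r1_s + r2_s) \bmod n$, the form under which that relation holds; the secp256k1 curve, SHA-256 as $H$, and all function names are likewise assumptions of this example.

```python
"""CTBSS round trip on secp256k1 (the curve choice is an assumption)."""
import hashlib
import secrets

# secp256k1: y^2 = x^3 + 7 over F_p. G is the base point (P in the paper) and
# ORDER is its prime order; scalars are reduced modulo ORDER.
FIELD = 2**256 - 2**32 - 977
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def neg(pt):
    return None if pt is None else (pt[0], -pt[1] % FIELD)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    k %= ORDER
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def h(msg):
    """u1 = H(m) as a scalar; SHA-256 is this example's choice of H."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % ORDER

def rand_scalar():
    return secrets.randbelow(ORDER - 1) + 1

def signer_keygen():
    """Key generation: secrets (r1_s, r2_s), public X, Y, Z = Y + X."""
    r1s, r2s = rand_scalar(), rand_scalar()
    X, Y = mul(r1s, G), mul(r2s, G)
    return (r1s, r2s), (X, Y, add(Y, X))

def blind(msg, Z):
    """Blinding: M = r2_r Z, N = r2_r P, u2 = (u1 - r2_r) * r1_r^-1."""
    r1r, r2r = rand_scalar(), rand_scalar()
    u1 = h(msg)
    u2 = (u1 - r2r) * pow(r1r, -1, ORDER) % ORDER
    return (r1r, r2r), (mul(r2r, Z), mul(r2r, G)), u1, u2

def sign_blinded(u2, sk):
    """Signing. ASSUMED form of Equation (1): s = u2 * (r1_s + r2_s)."""
    return u2 * (sk[0] + sk[1]) % ORDER

def unblind(s, secret):
    """Equation (2): S = (s * r1_r + r2_r) P."""
    return mul(s * secret[0] + secret[1], G)

def verify(S, u1, M, N, Z):
    """Verification relation: S + M - N == u1 * Z."""
    return add(add(S, M), neg(N)) == mul(u1, Z)

def run_ctbss(msg):
    """Full exchange; returns the values each party ends up holding."""
    sk, (_, _, Z) = signer_keygen()
    secret, (M, N), u1, u2 = blind(msg, Z)
    s = sign_blinded(u2, sk)          # the Signer only ever sees u2
    S = unblind(s, secret)
    return {"S": S, "u1": u1, "u2": u2, "s": s, "M": M, "N": N, "Z": Z}

if __name__ == "__main__":
    t = run_ctbss(b"bid: 4200")       # constructed sample bid
    print("signature verifies:", verify(t["S"], t["u1"], t["M"], t["N"], t["Z"]))
```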

Algorithm 8 Winner Determination Phase
1: Every Bidder sends their encrypted bid message to the TP along with the signed message $S$ and the random number $r_{TP}$ issued to him/her by the TP, encrypting with $K_{TP}$, which can be represented as $Enc_{K_{TP}}(r_{TP}, bid, S)$.
2: After receiving the corresponding encrypted tuple from the Bidders, the TP decrypts the message using $K_{TP}$ and checks the validity of the random number $r_{TP}$ and retrieves bid and $S$. She accepts the bid and finds max_bid among all of the Bidders.
6: The TP sends $Enc_{K_{TP}}$(max_bid, $Sign_{r1_s}(r_{TP})$) to the corresponding Bidder and publishes the tuple (max_bid, $S$), so that it can be verified by anyone.
7: end if
8: The corresponding Bidder can claim himself/herself as the winner of the auction process.

Security and Requirement Analysis of BSEA
In this section, the security analysis of the proposed BSEA is performed by considering various attacks.

Correctness Proof
For correctness of BSEA, we have to check for the correctness of the blind signature and the registration done by the Bidder. Now, using Equation (7) in Equation (8), we will get, Using the above value of $s_{rm}$ in right hand side (RHS) of Equation (9), we will get Using the values of $b_{rm}$ and $Z_b$, we will get Using this value in the simplified version of RHS of Equation (9), we will get H(TS||(a rm + 1) e b is in the LHS of Equation (9). Hence, the correctness of the registration of the Bidder is proved.

Security Analysis
The security of the proposed BSEA depends on the strength of the secure hash function $H(.)$ and the cryptographically hard computational problem ECDLP. Here, some of the attacks that can be withstood by BSEA have been discussed.

1. Key only attack: In order to successfully launch a key only attack, the attacker needs to get a valid signature. Even if she gets a valid signature, then she is also unable to unblind the signature, as she does not know the blinding factor and the private key of the Bidder (i.e., $r1_r$ and $r2_r$). The difficulty of finding $r2_r$ depends on the difficulty of ECDLP and finding the value of $r1_r$ depends on the difficulty of solving IFP.
2. Known message attack: In the known message attack, the attacker generates a valid signature for his own message $bid$. Here, she has access to two or more message-signature pairs like ($S'$, $u_1'$) and ($S''$, $u_1''$). Here, the attacker can generate another signature $S = S' + S''$ for message $bid$, if she can find $H(bid) = H(bid') + H(bid'')$. This is very difficult if the hash function is preimage resistant. Moreover, she also needs to find the value of $u_2$ for which she has to find $r1_r$ and $r2_r$.
3. Chosen message attack: In case of chosen message attack, the attacker can make the TP to sign for two bid messages, $bid'$ and $bid''$. Then, she can calculate a new signature $S = S' + S''$. If the attacker can find $H(bid) = H(bid') + H(bid'')$ and the blind message $u_2$ for his/her message $bid$, then she can do a chosen message attack on BSEA. However, it is very difficult to find the hash value of a message $bid$ that is the same as the hash value of the given messages $bid'$ and $bid''$.
4. Forgery attack: Given $X$ and $P$, finding $r1_s$ is difficult due to the difficulty in solving the ECDLP problem. Hence, the private key of the TP can never be guessed correctly. It will be difficult for the attacker to unblind the message because $r1_r$ and $r2_r$ are the private components of the Bidder.
5. Replay attack: An attacker cannot retrieve the id of the Bidder as the message sent to the RM is encrypted with the session key $K_{rmb}$. She would not be able to find either $e1_b$ or $s_{rm}$. Similarly, due to the session key $K_{TP}$ that is only with the Bidder and the TP, the attacker would not be able to find the random number $r_{TP}$.
6. Eavesdropping attack: Even if the attacker wants to eavesdrop on the communication between any Bidder and the RM or the TP, she will not get enough advantage. The reason for this is that the data that flows are encrypted with the session keys $K_{rmb}$ and $K_{TP}$ and are also being signed by the respective entities.
7. Identity theft attack: In the proposed BSEA, the Bidder's id is not used for authentication. Instead, timestamp (TS) is being used for authentication, which prevents the Bidder from the risk of identity theft. In addition to this, the random number $r_{TP}$ provided by the TP is only known to them. However, in case the TP is corrupted, she may reveal the random number $r_{TP}$, but the real identity of the Bidder is still concealed.
8. Impersonate attack: It is impossible to impersonate either the Bidder or the RM or the TP because all have used either their session key to encrypt the messages or the private keys to sign the messages.
As BSEA is resistant to the above mentioned attacks, BSEA is secure.

Requirement Analysis
Here, we have analyzed all the requirements that need to be fulfilled by e-auction protocols. By this, we want to show that BSEA also satisfies the requirements of e-auction protocols.
1. Anonymity: The information about every Bidder must be hidden from other Bidders. The TP will authenticate the Bidders and will assign a random number to each of them. Every Bidder blinds their bid value and sends to the TP to get his/her signature. Thus, all the information about the Bidder, including his/her bid value, is hidden from everyone until the auction process is closed. In the winner determination phase, the Bidder sends his/her bid value only to the TP to determine the max_bid. Thus, anonymity is preserved for all the Bidders even if the TP is corrupted.
2. Un-forgeability: Any attempt by the attacker to forge bid value will fail as she can not find $u_2$. For this, she has to find $r1_r$ and $r2_r$, and, for this, she has to solve ECDLP. Moreover, all the necessary information is encrypted with the session key and/or signed by the Sender. Hence, forgery attack is not possible.
3. Non-Repudiation: The Bidder as well as the TP must not be able to deny the act that they have done during the execution of the phases of BSEA. The Bidder cannot deny casting the bid because the signed bid value $S$ can be verified using Equation (13), where $M$ is the public key of the Bidder. Similarly, the TP can not deny receiving the bid, as the same signature is also verified by using his public key $Z$.
4. Public Verifiability: The signature $S$ can be verified by everyone after publishing the signature parameter ($S$, $u_1$). Moreover, the final winner's bid can also be verified by everyone once the

To verify the efficiency of BSEA in terms of time, we implemented Liaw et al. [37], Wu et al. [38], Cao et al. [39] and BSEA using the pairing based cryptography (PBC) library [42] with type A pairing from the PBC archive. We used SHA-1 as the hash function. Figure 7 shows the average computation time consumed by the schemes. Results show that our proposed scheme BSEA outperforms the existing schemes like Liaw et al. [37], Wu et al. [38] and Cao et al. [39]. Moreover, it saves a considerable amount of space in terms of key size, as it is implemented using ECC. Hence, the proposed scheme is efficient.

Conclusions
In this paper, we have proposed an electronic auction scheme using a blind signature protocol. We first proposed a blind signature protocol according to the requirements of the e-auction (CTBSS) and then employ it to design a sealed-bid electronic auction scheme (BSEA). Both protocols are based on elliptic curve cryptography. Moreover, an ECC based protocol is more efficient in terms of space in comparison to its counterparts, which are based on DLP. The proposed BSEA fulfills all the requirements of the e-auction protocol, and the computation overhead is low as compared to the existing schemes. The efficiency of BSEA can be further improved using very-large-scale integration (VLSI) implementation.

Figure 4. Schematic diagram of the registration phase of BSEA.

Figure 5. Schematic diagram of the Registration Confirmation Phase of BSEA.

$e_b = H(TS, s_{rm}P + e_b H(TS)(Z_b + B_{rm}))$.

3: The third party finds $H(bid) = u_1$ and verifies whether $S + M - N \stackrel{?}{=} u_1 Z$ or not.
4: if the condition in step 3 is satisfied, then

$s_{rm} = ((a_{rm} - e1_b H(TS) b_{rm}) + 1) y_b - e_b H(TS) z_b$.
Now, using the value of $e1_b$ in the above equation, it can be written as
$s_{rm} = (a_{rm} + 1) y_b - y_b^{-1} e_b y_b H(TS) b_{rm} - e_b H(TS) z_b$,
$\Rightarrow s_{rm} = (a_{rm} + 1) y_b - e_b H(TS) b_{rm} - e_b H(TS) z_b$,
$\Rightarrow s_{rm} = (a_{rm} + 1) y_b - e_b H(TS)(b_{rm} + z_b)$.

$H(TS||(a_{rm} + 1) y_b P - e_b H(TS)(b_{rm} + z_b)P + e_b H(TS)(b_{rm} + z_b)P) = H(TS||(a_{rm} + 1) y_b P)$.
Using the value of $R_b$,
$R_b = y_b(A_{rm} + P)$,
$\Rightarrow R_b = y_b(a_{rm}P + P)$,
$\Rightarrow R_b = y_b(a_{rm} + 1)P$.

Table 1. Symbols used in CTBSS.

Algorithm 1 Key Generation Phase
1: The Signer generates two random numbers $r1_s$ and $r2_s$ | $r1_s, r2_s \in Z_p^*$.
2: She computes $X = r1_s P$, $Y = r2_s P$, and $Z = (Y + X)$.
3: Signer publishes his/her public parameters as $X$, $Y$, $Z$ and keeps $r1_s$ and $r2_s$ as secret.

Algorithm 2 Blinding Phase
1: Requester generates two random numbers $r1_r$ and $r2_r$ | $r1_r, r2_r \in Z_p^*$. $r1_r$ is the blinding factor used by the Requester.
2: She computes M

Algorithm 5 Registration Setup Phase
1: RM chooses his/her private keys as $a_{rm}, b_{rm} \in Z_p^*$.
2: She computes $A_{rm} = a_{rm}P$ and $B_{rm} = b_{rm}P$.
3: RM publishes his/her public key as $A_{rm}$, $B_{rm}$.
4: Like step 1, here the Bidder chooses his/her private parameters as $y_b, z_b \in Z_p^*$.
of the Bidding Phase of BSEA.
1: The third party (TP) generates two random numbers $r1_s$ and $r2_s$, which act as his/her private keys such that $r1_s, r2_s \in Z_p^*$.

Table 3. Comparison for total computational overhead.
Wu et al. [38] | $nT_e + nT_h$ | $2nT_e + 2nT_s + 3nT_h$ | $nT_e + 4nT_e$ | $nT_e + nT_e + 2nT_s$
Cao et al. [39] | $2T_m + T_e$ | $3nT_e + nT_m + 2nT_s + 5nT_h$ | $2nT_e$ | $nT_e$
BSEA | $T_e + T_h$ | $2nT_m + 2nT_e + 2nT_s + 5nT_h$ | $4nT_m + nT_h$ | $nT_m + 4nT_s + nT_h$
$n$: Number of bids in the auction process, $T_e$: Time to compute exponential operation, $T_s$: Time to compute symmetric key encryption, $T_h$: Time to compute one-way hash operation, $T_m$: Time to compute scalar multiplication operation.