Secure Combinatorial Auctions

Combinatorial auction protocols can have additional security issues, such as bid signaling and pseudonymous bidder strategies:

One potential concern in combinatorial auctions and possibly multi-unit auctions is bidder signaling. Signaling is not an issue in single item auctions as there is little purpose and limited strategies. Bidders may en-code messages in their bids by adding small values to bids to communicate a message, or retaliating to particular bids. Retaliation can for example be used by a large bidder who bids on a package of goods it is uninterested in because a smaller bidder bid in a package it is interested in (clearly sending the smaller bidder the message that is unhappy about something the smaller bidder did) [18]. The possibility of bidder signaling can be mitigated by rounding [18], concealing bidder identities, proxy auctions [18] or possibly by setting high reserve prices and offering preferences for small businesses have been suggested [17].

Bidders in combinatorial auctions may have a pseudonymous bidder strategy where it is advantageous to bid under multiple identities [67].

Bidders may attempt this to alter VCG payments [67] or to purchase com-plementary items separately (presumably at a lower price) [41]. Yokoo in-troduces the concept of a pseudonymous-bid-strategy-proof protocol where the dominant strategy for a bidder is to not use pseudonymous. He proves that there is no pseudonymous-bid-strategy-proof combinatorial auction protocol which has pareto efficiency. Yokoo develops a pseudonymous-bid-proof protocol called the Leveled Division Set (LDS) protocol.

Privacy Preserving WDP Algorithms

A subset of secure auctions is privacy preserving combinatorial auctions, in which the WDP algorithm performs operations on encrypted bids. Bid-ders submit encrypted bids of which malicious auctioneers can only deter-mine the optimal allocation and its corresponding bids. Some component of a bid may need to be decrypted to find prices for goods and the general approach to this problem is to use threshold encryption to restrict decryp-tion to a minimum. None of the following algorithms provide a method for implementing business rules, though some could be implemented in monetary terms.

Yokoo et al. [68] provides a combinatorial threshold bid-encryption WDP algorithm using dynamic programming and homomorphic thresh-old encryption. Values encrypted with homomorphic encryption can be multiplied, retaining the product of the encrypted values when decrypted.

Vectors of encrypted values, called weights, can be created representing bids, e.g. if e(z) represents z encrypted and z is a number not equal to one, then the vector e(z), e(z), e(z), e(1), e(1) will represent the number three. Notice that the number of values not equal to one represent the total weight. If two vectors are multiplied together, the resulting vector is the greater of the two vectors. An example is shown below.

{e(z), e(z), e(1), e(1), e(1)}

× {e(z), e(z), e(z), e(1), e(1)}

{e(z²), e(z²), e(z), e(1), e(1)}

2.1. AUCTIONS 21 An acyclic directed graph is created containing all the combinations of goods as nodes, while edges represent the highest bid for a bundle of goods (which as shown can be found without revealing any bids). The technique for threshold encryption is not specified, however any mecha-nism should be possible. The winning allocation is the longest path through the graph. Without threshold encryption and with a trustworthy auc-tioneer this algorithm provides confidentiality, privacy and increases ro-bustness, however with a corrupt auctioneer all properties fail. These can be restored with threshold encryption, using multiple auctioneers. If the number of corrupt auctioneers is below the threshold then it is not possible to break the confidentiality.

This algorithm by itself does nothing for verifiability, and removes the obvious form of bidders solving the WDP themselves. The scheme has been implemented for combinatorial auctions using a single auctioneer [14]. A modification for verification is provided by Palmer [40].

Polynomial secret sharing for combinatorial auctions [62] is another threshold bid-encryption WDP algorithm. Instead of using homomorphic encryption, bids are represented by polynomials. Threshold properties are provided using polynomial secret sharing [56] which simplifies the design as it matches the bid. Dynamic programming is used and the secure prop-erties hold. This has been implemented for this thesis as explained in [13].

The Secure Generalised Vickrey Auction (SGVA) [63] is another se-cure combinatorial auction WDP algorithm using homomorphic encryp-tion and threshold encrypencryp-tion. SGVA does not use dynamic program-ming. Instead the bidders each submit their bids to the auctioneer by adding their bids to a table. The columns of the table represent the dif-ferent ways that goods can be allocated amongst bidders. The first row represents the total bids for each allocation and the subsequent rows rep-resent the totals without a corresponding bidder. Finding the winners and computing the VCG prices is easy but can be expensive. The number of columns is given by b^gwhere b is the number of bidders and g is the

num-ber of goods, the numnum-ber of rows is b + 1 and so the table would usually be large, and searching lengthy. The same properties of the two secure dynamic programming schemes hold.

A modified version of SVGA [69] does not distribute encryption amongst multiple auctioneers but amongst the bidders instead. Prices for bundles are calculated first and bidders do not operate on their own submitted bids. With threshold encryption, bidders are no more able to influence the outcome of an auction than auctioneers are in the other schemes. The al-gorithm still uses homomorphic encryption and dynamic programming.

The secure properties still hold but there is no requirement for additional third-parties. A problem not discussed is what to do in the case of not enough bidders. One solution would be to add auctioneers to make up the difference. However systems running many auctions may have to hold a spare number of auctioneers in reserve.

Garbled circuits [38] is a method of securely computing the result of an auction and ensuring no information, other than what is requested is leaked. Programs (circuits) are created by a trusted third party called an Auction Issuer (AI) and used by the auctioneer and bidders. To run an auction, an auctioneer requests a program from the third party (an auction issuer), in the form of a garbled circuit [66]. The auctioneer acts as a proxy for an oblivious protocol for bidders and the AI to encrypt bids suitable for input into the circuit. The auctioneer then passes the encrypted bids through the circuit which returns the winners and prices paid (as specified by the circuit).

Naor claims that circuits can be created to any auction specification required, without exposing private information other than the result. It is a concern that for large-scale systems, using garbled circuits would be too difficult [68] or too large to use (Naor suggests sending the circuit on a CD or DVD). Garbled circuits allow public verifiability while retaining privacy. Naor claimed that it is possible to run combinatorial auctions with garbled circuits and this has been proven to be possible [40].

2.1. AUCTIONS 23