1. Field of the Invention
This invention relates generally to cryptography and to secure distributed computation, and more particularly it relates to computerized auctions conducted using PCs and/or servers over a network, such as, the Internet.
2. Description of the Prior Art
An exciting topic of cryptographic research is secure function evaluation [see e.g. REFERENCES 3, 7, the citations for which are given in detail at the end of the specification]. For any function F(x.sub.1, x.sub.2, . . . , x.sub.n), it is possible, in principle, to construct a protocol that allows a group of n parties, where party i has as its private input x.sub.i, to jointly evaluate F(x.sub.1, x.sub.2, . . . , x.sub.n). Following the protocol the parties learn F(x.sub.1, x.sub.2, . . . , x.sub.n), but no party i learns more about the other inputs than can be computed from x.sub.i and F(x.sub.1, x.sub.2, . . . , x.sub.n). The drawback of these protocols is that they are rather complex and require a lot of interaction among the parties. In the case of auctions this would require extensive interaction between the bidders, who have no motivation to interact with each other. The present invention, as will be described in greater detail in the following, provides a much simpler method in which all the parties communicate with just a single center. In the inventive method described hereinafter, the input of each of the parties becomes known to this center but otherwise is not known to any other party. The inventive method enables the center to prove that it performed the computation correctly.
In the case of auctions, it is normally the case that the auctioneer is trusted by all parties to compute the result of the auction correctly. This trust might not be justified, since the auctioneer might benefit from an illegal modification of the result of the auction. (This is true even if the auctioneer is just a mediator selling items offered by third parties, since such auctioneers usually charge a commission which depends on the price at which the items are sold.) It is sometimes the case that a trusted party (say an accountant) observes the operation of the auctioneer and testifies that it is trustworthy. However, this party might be corrupted and cooperate with a corrupted auctioneer; it might also be the case that the trusted party cannot watch the auctioneer closely enough, so that the auctioneer can cheat without being detected. These problems are amplified in a computerized Internet setting.
The center that computes F can of course prove that it computed it correctly by publishing all the inputs. However, this solution destroys the privacy of the other parties, since their inputs become public. The inventive method overcomes this problem since it enables the center to prove that it computed F correctly without leaking any information about the inputs.
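The "prove correctness by publishing all the inputs" baseline described above, written out as an added example (not code from the patent, and not the inventive method). It assumes a sealed-bid second-price auction, SHA-256 hash commitments with a 32-byte random nonce as the binding mechanism, and a constructed set of three bids; the names `commit`, `bidders_commit`, `center_compute` and `verify_by_publication` are this example's own. It shows both sides of the trade-off: a verifier can catch a center that alters the outcome or the bids, but only because every bid is revealed.

```python
import hashlib
import secrets

# Constructed sample input (example data, not from the specification).
SAMPLE_BIDS = {"alice": 120, "bob": 95, "carol": 150}


def commit(bid: int, nonce: bytes) -> str:
    """Hash commitment to a bid. Binding as long as SHA-256 is collision
    resistant; hiding because the 32-byte nonce is unpredictable."""
    return hashlib.sha256(nonce + bid.to_bytes(8, "big")).hexdigest()


def bidders_commit(bids: dict) -> tuple:
    """Each bidder publishes a commitment on a public board and sends the
    opening (bid, nonce) only to the center, so other bidders learn nothing."""
    board, openings = {}, {}
    for name, bid in bids.items():
        nonce = secrets.token_bytes(32)
        openings[name] = (bid, nonce)
        board[name] = commit(bid, nonce)
    return board, openings


def center_compute(openings: dict) -> tuple:
    """The center sees every input and computes the second-price result:
    the highest bidder wins and pays the second-highest bid."""
    ranked = sorted(openings.items(), key=lambda kv: kv[1][0], reverse=True)
    winner = ranked[0][0]
    price = ranked[1][1][0] if len(ranked) > 1 else ranked[0][1][0]
    return winner, price


def verify_by_publication(board: dict, published: dict, winner: str, price: int) -> bool:
    """Naive proof of correctness: the center publishes all openings.
    Anyone can (1) check each opening against its public commitment, which
    stops the center from substituting bids, and (2) recompute the result,
    which stops the center from announcing a wrong winner or price.
    The cost is that every bid is now public."""
    if set(published) != set(board):
        return False
    for name, (bid, nonce) in published.items():
        if commit(bid, nonce) != board[name]:
            return False
    return center_compute(published) == (winner, price)


def run_example() -> dict:
    """Honest run, a center that lies about the outcome, and a center that
    alters a bid; returns the verification verdict for each case."""
    board, openings = bidders_commit(SAMPLE_BIDS)
    winner, price = center_compute(openings)
    honest = verify_by_publication(board, openings, winner, price)
    # Center announces a different winner without changing the bids.
    wrong_outcome = verify_by_publication(board, openings, "alice", 95)
    # Center rewrites bob's bid to 200 and announces him as the winner.
    altered = dict(openings)
    altered["bob"] = (200, openings["bob"][1])
    altered_bid = verify_by_publication(board, altered, "bob", 150)
    return {
        "winner": winner,
        "price": price,
        "honest_verifies": honest,
        "wrong_outcome_verifies": wrong_outcome,
        "altered_bid_verifies": altered_bid,
        "bids_revealed_to_verifier": sorted(b for b, _ in openings.values()),
    }


if __name__ == "__main__":
    print(run_example())
```

The last field of the result is the point of the paragraph: the verifier learns `[95, 120, 150]`, every losing bid included, which is exactly the leakage the inventive method is meant to avoid.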
There are suggestions in the art for distributing the operation of an auctioneer among many servers in a way which is secure as long as not too many of these servers operate maliciously. Franklin and Reiter [see REFERENCE 2] developed a distributed system for sealed-bid auctions with many auctioneer servers, which ensures the privacy of the bids until the time they are opened. This system further enables the bids to be backed by escrowed financial commitments of the bidders. Harakavy, Tygar, and Kikuchi [see REFERENCE 4] present systems for secure first price and second price sealed bid auctions, which preserve the privacy of the bids even after the winning bid is chosen (this variant was also briefly mentioned in REFERENCE 2). Both systems distribute the operation of the auctioneer among several servers, and privacy is guaranteed as long as not too many of the servers collude (most of the protocols require that fewer than a third of the servers collude, and therefore need a minimum of four servers). However, if enough auctioneer servers collude they are able to maliciously change the outcome of the auction without being detected. The requirement that auctioneer servers not collude seems very hard to enforce, since all these servers operate for the auctioneer, which might have a motivation to cheat and increase its profits. Compared to these prior art solutions, the inventive method does not require distributing the operation of the auctioneer among several non-colluding servers, and provides security even if the auctioneer is attempting to cheat.
Naor and Pinkas [see REFERENCE 6] present a different method that prevents even the center from learning information about the parties' inputs. That method requires the operation of an additional party, the Issuer. The Issuer generates a program that computes the function (or the auction) and sends it to the center. The center receives messages from the parties, which contain some information that is intended for the Issuer. After the center receives messages from all the parties it sends a message to the Issuer and receives a response which enables it to use the program to compute the output of F for the parties' inputs. The method ensures that neither the center nor the Issuer learns information about the inputs of the parties. In this sense it provides better privacy than the inventive method described herein. However, the inventive method presented here does not require the cooperation of any additional party (like the Issuer) for the computation of F. It enables the center to compute the function by itself and prove that it computed it correctly, which is an advantage in this respect.