BSEA: A Blind Sealed-Bid E-Auction Scheme for E-Commerce Applications

Abstract

Due to an increase in the number of internet users, electronic commerce has grown significantly during the last decade. Electronic auction (e-auction) is one of the famous e-commerce applications. Even so, security and robustness of e-auction schemes still remain a challenge. Requirements like anonymity and privacy of the $bid$ value are under threat from the attackers. Any auction protocol must not leak the anonymity and the privacy of the $bid$ value of an honest Bidder. Keeping these requirements in mind, we have firstly proposed a controlled traceable blind signature scheme (CTBSS) because e-auction schemes should be able to trace the Bidders. Using CTBSS, a blind sealed-bid electronic auction scheme is proposed (BSEA). We have incorporated the notion of blind signature to e-auction schemes. Moreover, both the schemes are based upon elliptic curve cryptography (ECC), which provides a similar level of security with a comparatively smaller key size than the discrete logarithm problem (DLP) based e-auction protocols. The analysis shows that BSEA fulfills all the requirements of e-auction protocol, and the total computation overhead is lower than the existing schemes.

1. Introduction

Recent advancement in modern technologies has converted many activities of human life into the digital/electronic format—for example, paper-based ballot to electronic voting system, paper-based cash to electronic cash, paper-based prescription to electronic health record, etc. Similarly, electronic auction (e-auction) is the electronic version of selling something to a bidder with highest bid value. More formally, it is a financial transaction procedure that helps in listing the price of commodities over a distributed environment. Initially, the auctioneer offers his goods, commodities or services on an auction website over the internet. Interested parties can submit their bid value for the product to be auctioned before the stipulated deadline. Generally, the auction procedure is transparent. All of the interested parties are allowed to participate in the auction process. Prior to e-auction, people were following a centralized approach to do the bidding process. Major limitations that motivated research community to switch from the centralized approach to the distributed approach are geographic area and time. Some challenges of e-auction like bidder’s anonymity and bidder’s privacy have to be resolved before adapting e-auction [1,2,3,4]. Generally, e-auction schemes can be categorized into four types including English auction, Dutch auction, sealed bid auction, and Vickrey auction [5]. Due to the simple requirements of the sealed bid auction, it is always easy to implement it in an e-auction. Essential requirements of e-auction schemes are anonymity, non-repudiation, un-forgeability, traceability, public verifiability, integrity and confidentiality, fairness, authentication, privacy, and robustness [6,7]. In real life, there are some situations where we do not want to reveal the content of the message to the signing authority. In such cases, a blind signature serves the purpose. Blind signature is a variation of the digital signature, where the signer is unaware of the content of the message to be signed by him/her [8,9,10,11,12]. A list of requirements that needs to be satisfied by any blind signature scheme are: Blindness, Correctness, Authentication, Integrity, Non-Repudiation, Un-forgeability, Non-Reusability, and Un-traceability [13,14,15]. Blind signature schemes are designed as untraceable in applications like e-voting and e-cash [16,17,18,19]. However, blind signature application in the e-auction scheme requires controlled traceability. The advantages of elliptic curve cryptography (ECC)-based crypto-system over others like discrete logarithm problem (DLP) and the integer factorization problem (IFP) are: smaller key size, reduction in storage space, reduction in transmission requirement, and reduction in processing power [20,21,22,23,24,25,26]. Due to the smaller size key, ECC-based schemes can be applied in smart cards and wireless communication systems, where the devices have less memory, bandwidth, and computational power [27].

In this paper, we proposed a blind sealed-bid e-auction scheme using ECC (BSEA). Before proposing BSEA, we proposed a controlled traceable blind signature scheme (CTBSS), which is the basic building block of the proposed BSEA. In e-auction protocols, the Bidder corresponding to the $max\_bid$ should be traceable by the auction authorities. BSEA is shown to be resistant against various kinds of adversarial attacks like key only attack, forgery attack, known and chosen message attack, replay and eavesdropping attack, identity theft attack, and impersonate attack [28,29,30,31]. We have shown that BSEA satisfies all the requirements of the e-auction protocols. Based on the requirements and total computational overhead, we have performed a comparative analysis of our scheme with the existing schemes, and showed the results.

The rest of the article is organized as follows. Some related works are provided in Section 2. The proposed CTBSS using ECC is presented in Section 3. The security analysis of CTBSS is discussed in Section 4. The proposed e-auction protocol using CTBSS (BSEA) and its security analysis are given in Section 5 and Section 6, respectively. The performance analysis of the proposed BSEA is presented in Section 7. The concluding remarks are given in Section 8.

2. Related Work

Several e-auction protocols have been designed so far; however, the security of e-auction schemes remains a challenge.

In [32], the authors proposed a sealed-bid auction protocol where a malicious bidder cannot deny his bid value. They used a verifiable signature scheme to justify their protocol. In [33], a sealed bid auction method with a time server has been proposed, where after a certain time period, the sealed bids are opened and evaluated. An e-auction scheme to improve the privacy of bids such that the winner will be determined and known only by the auctioneer is proposed in [34]. Chang et al. [35] proposed three anonymous auction protocols to ensure bidder’s privacy. They used a deniable authentication scheme to check the validity of the bids, where every bidder can bid arbitrarily and anonymously. However, in [36], Jiang et al. pointed out some security weakness of [35] where the bidder cannot detect the tampered response message from the auctioneer. Hence, Jiang et al. proposed an improved scheme that prevents tampering attacks. Subsequently, an improved method is proposed for further enhancement in [4]. In [37], the authors proposed an e-auction protocol consisting of four parties, namely, bidder, third party, auctioneer and bank. This scheme aims to solve the problem of the bidder’s deposit payment with a deposit deducting certificate. However, in [38], the authors mentioned a security drawback, where the bidding receipt can be forged by the bidder to claim that she is the valid auction winner. Hence, the scheme proposed in [37] was unable to preserve the privacy of the bidders. Hence, it does not preserve the anonymity property. Even malicious bidders can forge the bid receipt sent by the third party and can claim that she is a valid winner. In [38], the authors proposed an e-auction protocol that removes the flaws of [37] and was comparatively more secure and efficient. They have used symmetric key encryption instead of asymmetric key encryption to enhance the efficiency. However, the security of their scheme totally relies on the trust of the third party as it has all the information about the bidders who may affect in the subsequent auctions. Much more emphasis has been given to the third party instead of sharing the load. In [39], Cao et al. proposed an e-auction that is based on an untrusted third party. System preparing, bidder registration and blind signature, bidding, and bid opening are the phases of this scheme. This scheme satisfies bidder anonymity, unforgeability, non-repudiation, public verifiability, secret bidding prices, and fairness. In [40], the authors propose a secure and efficient electronic auction scheme with strong anonymity. However, the schemes presented in [39,40] fails to prove that their scheme fulfills traceability requirements of e-auction, which is very necessary in the current context of e-auction protocols. In [41], the authors have proposed a cryptographic e-auction protocol using the threshold cryptosystem. This protocol offers facilities like incontrovertibility of participants, integrity of data, incontrovertibility of offers, confidence of bids, anonymity of the winning bidder, and public verification. It provides traceability as the bidders themselves sign the message, and hence they cannot deny and are traceable. However, the identity of the bidder is not preserved here. In addition to the above facts, their security relies on the difficulty of solving the DLP for the sealed bid electronic auction. Therefore, an electronic online auction using the elliptic curve discrete logarithm problem will enhance the security level, which is the basic building block for the proposed BSEA. Hence, in BSEA, complete anonymity without any repudiation has been achieved.

3. Proposed Controlled Traceable Blind Signature Scheme

In this section, we discussed the proposed CTBSS. Three entities, namely, Signer, Requester (Sender), and Verifier participate in CTBSS. The objective of CTBSS is that the Requester has to get a blind signature of the Signer on the message and the Verifier can verify the authenticity of the signature present in the message, and this is shown in Figure 1. Before CTBSS starts, all the entities have to agree on the security parameters, i.e., an elliptic curve $E_p(a,b)$ of order p. The scheme uses some symbols and the meanings of these symbols are listed in

Table 1. Symbols used in CTBSS.

Symbols	Meaning
P	base point of large order, such that $nP=O$
n	number of points on $E_p(a,b)$
O	point at infinity
$r{1}_s,r{2}_s$	random numbers chosen by the Signer
$r{1}_r,r{2}_r$	random numbers chosen by the Requester
m	message
$H(.)$	secure hash function

. The CTBSS consists of four phases, such as key generation, blinding, signing, and unblinding with verification, which are described below via several algorithms. These phases are shown in Algorithms 1–4, respectively. The overall flow of the proposed CTBSS is given in Figure 2.

Algorithm 1 Key Generation Phase

1: The Signer generates two random numbers $r{1}_s$ and $r{2}_s$|$r{1}_s,r{2}_s\in {Z_p}^{*}$. 2: She computes $X=r{1}_{s}P$, $Y=r{2}_{s}P$, and $Z=(Y+X)$. 3: Signer publishes his/her public parameters as $\langle X,Y,Z\rangle$ and keeps $r{1}_s$ and $r{2}_s$ as secret.

Algorithm 2 Blinding Phase

1: Requester generates two random numbers $r{1}_r$ and $r{2}_r$|$r{1}_r,r{2}_r\in {Z_p}^{*}$ ▹ $r{1}_r$ is the blinding factor used by the Requester. 2: She computes $M=r{2}_{r}Z$. 3: She computes $N=r{2}_{r}P$. 4: She calculates $u_1=H\left(m\right)$ and $u_2=(u_1-r{2}_r){r{1}_r}^{-1}$. 5: Sender publishes his/her public parameters as $\langle M,N\rangle$ and keeps $r{1}_r$ and $r{2}_r$ as secret. 6: Requester sends the blind message ($u_2$) to the Signer.

Algorithm 3 Signing Phase

1: After receiving $u_2$ from the Requester, the Signer signs the message by computing the following equation: $$s=(r{2}_s+r{1}_s)u_2,$$ (1)

▹ s is the Signer’s signature on the blind message.

2: Signer sends s to the Sender.

Algorithm 4 Unblinding with Verification Phase

1: After receiving s, the Sender unblinds the message by computing the following equation: $$S=(sr{1}_r+r{2}_r)P.$$ (2) 2: The signed message of m by the Signer is S. 3: This can be verified by the Verifier using the following equation: $$S+M-N\stackrel{?}{=}{u}_{1}Z.$$ (3)

4. Security Analysis of CTBSS

In this section, the security analysis of the proposed CTBSS is performed by considering various properties like correctness, blindness, traceability, and universally verifiable. CTBSS satisfies these properties on the assumption that elliptic curve discrete logarithm problem (ECDLP) is hard to break and the hash function $H(.)$ is secure and collision resistant.

4.1. Correctness Proof

The correctness of the proposed CTBSS is proved as follows. Here, we have shown that $S+M-N$ and $u_{1}Z$ are same. Hence, the Verifier can be able to check the authenticity of the signature using Equation (3). Substituting the value of S from Equation (2) in left hand side (LHS) of Equation (3), we will obtain

$$S+M-N=(sr{1}_r+r{2}_r)P+M-N=sr{1}_{r}P+r{2}_{r}P+M-N.$$

Now, solving using the value of N,

$$\Rightarrow S+M-N=sr{1}_{r}P+N+M-N=sr{1}_{r}P+M.$$

Substituting the value of s using Equation (1),

$$\Rightarrow S+M-N=(r{2}_s+r{1}_s)u_{2}r{1}_{r}P+M=(r{2}_{s}P+r{1}_{s}P)\left(u_2\right)r{1}_r+M.$$

Now, using the value of $u_2$,

$$\begin{array}{c}\Rightarrow S+M-N=(r{2}_{s}P+r{1}_{s}P)(u_1-r{2}_r){r{1}_r}^{-1}r{1}_r+M\hfill \\ =(r{2}_{s}P+r{1}_{s}P)(u_1-r{2}_r)+M\hfill \end{array}.$$

The above equation can be further simplified using X and Y and results in

$$\Rightarrow S+M-N=(Y+X)(u_1-r{2}_r)+M.$$

Using the value of Z,

$$\Rightarrow S+M-N=Z(u_1-r{2}_r)+M=u_{1}Z-r{2}_{r}Z+M.$$

Now, using the value of M,

$$\Rightarrow S+M-N=u_{1}Z-M+M=u_{1}Z.$$

Hence, the correctness of the proposed CTBSS is proved.

4.2. Blindness

Given two signature pairs (S and $S^{*}$) out of which one is valid and one is previously stored, it is very difficult for the adversary to find the blinding factor $r{1}_r$ from S and $S^{*}$. From Z and M, it is very difficult for the adversary to find the value of $r{2}_r$. This happens due to the difficulty in solving the ECDLP problem.

4.3. Traceability

In blinding phase, the Requester sends the blind message to the Signer. Thus, the Signer can keep a list that contains values of type ($u_2,s$). Afterwards, the Requester sends the pair $(S,u_1)$ to the Verifier for the message m, and the Signer can collect this value. By collecting these values, she will not be able to find the value of $r{1}_r$ and $r{2}_r$. However, using Equation (2) in the expression $S-N$, $S-N=(sr{1}_r+r{2}_r)P-r{2}_{r}P=sr{1}_{r}P$. This happens because the value of N is the public parameter of the Requester. Let $r{1}_{r}P=P^{\prime }$, and then $S-N=s{P}^{\prime }$. Now, the Signer will have the value of $S-N$. She can find the value of $s^{-1}$. $P^{\prime }$ can be found as $P^{\prime }=s^{-1}(S-N)$. Then, she compares, for every $P^{\prime }$, if $S-N=s{P}^{\prime }$. Hence, the Signer can trace the signature s for m, which depends on the number of blind signatures signed by the Signer.

4.4. Universally Verifiable

The blind signature can be verified by using the signature-message pair $(S,u_1)$ and publicly available parameters $(M,N,Z)$ for message m. Anyone can check its authenticity using Equation (3), once the Sender reveals the signature-message pair $(S,u_1)$. Hence, CTBSS is universally verifiable.

5. Proposed Blind Sealed-Bid Electronic-Auction Scheme

In this section, we discussed the proposed blind sealed-bid e-auction scheme using elliptic curve cryptography (BSEA). CTBSS scheme is used in BSEA. The system model for the proposed BSEA is shown in Figure 3. BSEA consists of the advertisement phase, the registration setup phase, the registration confirmation phase, the bidding phase and the winner determination phase. These phases are described below.

In the advertisement phase, the Auctioneer will publish an advertisement and announce the start of the auction process. She will choose the system parameters such as $E_p(a,b)$ as the elliptic curve of order p and P as the base point. She will choose $s_a$ as his/her private key. Then, she will find his/her public key $P_a$ as $P_a=s_{a}P$. After this, the auction message $M_a$ will be signed by the Auctioneer using his/her private key as Sign${}_{sa}\left(M_a\right)$. Sign${}_{sa}\left(M_a\right)$ is sent to the Third Party to publish on the web, so that the auction message will be available to the public. This signed message can be verified by anyone using the Auctioneer’s public key.

The registration setup phase facilitates interested Bidders to register to the system before submission of their $bid$. Registration Manager (RM) is an entity with which every individual Bidder has to register. RM provides anonymity to each and every individual Bidder. In order to register, several steps are carried out by both the RM and the Bidder as mentioned in Algorithm 5. The overall flow of this phase is given in Figure 4.

Algorithm 5 Registration Setup Phase

1: RM chooses his/her private keys as $a_{rm},b_{rm}\in {Z_p}^{*}$.   2: She computes $A_{rm}=a_{rm}P$ and $B_{rm}=b_{rm}P$.   3: RM publishes his/her public key as $\langle A_{rm},B_{rm}\rangle$.   4: Like step 1, here the Bidder chooses his/her private parameters as $y_b,z_b\in {Z_p}^{*}$.   5: She computes the following equation: $$Z_b=z_{b}P,$$ (4) and publishes $\langle Z_b\rangle$ as his/her public parameter.   6: RM computes $K_{rmb}$ as $$K_{rmb}=b_{rm}{Z}_b.$$ (5)   7: The Bidder also finds the same key $K_{rmb}$ as $$K_{rmb}=z_b{B}_{rm}.$$ (6)   8: She computes $R_b=y_b(A_{rm}+P)$, $e_b=H\left(TS\right||R_b)$, and $e{1}_b=y_b^{-1}{e}_b$.   9: Bidder encrypts the tuple $\langle ID\left|\right|TS\left|\right|e{1}_b\rangle$ using the secret key $K_{rmb}$ and sends it to the RM. 10: RM decrypts the corresponding message using the same shared secret key $K_{rmb}$ and computes $s_{rm}$ as follows: $$s_{rm}=a_{rm}-e{1}_{b}H\left(TS\right)b_{rm}.$$ (7) 11: RM signs the $s_{rm}$ with $b_{rm}$ as Sign${}_{b_{rm}}\left(s_{rm}\right)$ and sends it to the Bidder.

The steps of the registration confirmation phase are mentioned in Algorithm 6, and a pictorial representation of the same is shown in Figure 5. The Bidding phase consists of several steps as mentioned in Algorithm 7, and a pictorial representation of the same is shown in Figure 6. The steps of the winner determination phase are mentioned in Algorithm 8.

Algorithm 6 Registration Confirmation Phase

1: The third party (TP) generates two random numbers $r{1}_s$ and $r{2}_s$. ▹ which act as his/her private keys such that $r{1}_s,r{2}_s\in {Z_p}^{*}$.   2: She computes $X=r{1}_{s}P$, $Y=r{2}_{s}P$, and $Z=(Y+X)$.   3: She publishes $\langle X,Y,Z\rangle$ as public parameters and keeps $r{1}_s$ and $r{2}_s$ secret.   4: The Bidder decrypts $s_{rm}$ using $K_{rmb}$ after receiving $s_{rm}$ from the RM.   5: After decryption, the Bidder finds ${s_{rm}}^{\prime }$ as per the following equation: $${s_{rm}}^{\prime }=(s_{rm}+1)y_b-e_{b}H\left(TS\right)z_b.$$ (8)   6: Now, the Bidder sends the tuple (${s_{rm}}^{\prime },e_b,TS$) along with $Z_b$ to the TP.   7: TP verifies the signature ${s_{rm}}^{\prime }$ using the following equation: $$e_b=H(TS,{s_{rm}}^{\prime }P+e_{b}H\left(TS\right)(Z_b+B_{rm})).$$ (9)   8: If Equation (9) holds up well, then the TP finds a secret key $K_{TP}$ according to the following equation: $$K_{TP}=r{1}_s{Z}_b.$$ (10)   9: TP generates a random number $r_{TP}$ and encrypts $r_{TP}$ using $K_{TP}$ as Enc${}_{K_{TP}}\left(r_{TP}\right)$. 10: TP puts his/her signature on the tuple (${s_{rm}}^{\prime },e_b,TS$) as Sign${}_{r{1}_s}({s_{rm}}^{\prime },e_b,TS)$. 11: TP sends the tuple ($X,En{c}_{K_{TP}}\left(r_{TP}\right),Sig{n}_{r{1}_s}({s_{rm}}^{\prime },e_b,TS)$) to the Bidder. 12: When the Bidder receives the tuple ($X,En{c}_{K_{TP}}\left(r_{TP}\right),Sig{n}_{r{1}_s}({s_{rm}}^{\prime },e_b,TS)$), she can find the value of $K_{TP}$ using X. 13: Using $K_{TP}$, she finds the value of $r_{TP}$.

Algorithm 7 Bidding Phase

1: The Bidder generates two random numbers $r{1}_r$ and $r{2}_r$ such that $r{1}_r,r{2}_r\in {Z_p}^{*}$▹ where $r{1}_r$ is the blinding factor.   2: The Bidder computes his/her public key $M=r{2}_{r}Z$.   3: She computes $N=r{2}_{r}P$.   4: Using the blinding factor, she blinds his/her $bid$ value.   5: She computes $u_1=H\left(bid\right)$ and $u_2=(u_1-r{2}_r){r{1}_r}^{-1}$.   6: The Bidder sends $u_2$ to the TP to get his/her signature.   7: The TP finds the signature on the blind message corresponding to $bid$ of the Bidder using the following equation: $$s=(r{2}_s+r{1}_s)u_2.$$ (11)

▹ Here, the TP can not find anything about the $bid$ value.

8: The TP sends the blind signature on the $bid$ value s to the Bidder.   9: After receiving s from the TP, the Bidder unblinds the message s to get the signature on the original $bid$ value. The Bidder can find this using the following equation: $$S=(sr{1}_r+r{2}_r)P.$$ (12)

▹ The signed $bid$ value by the TP is S.

10: The signature can be verified using the following equation: $$S+M-N\stackrel{?}{=}{u}_{1}Z.$$ (13)

▹ Here, without revealing the $bid$ value, it can be verified.

Algorithm 8 Winner Determination Phase

1: Every Bidder sends their encrypted $bid$ message to the TP along with the signed message S and the random number $r_{TP}$ issued to him/her by the TP, encrypting with $K_{TP}$, which can be represented as Enc${}_{K_{TP}}(r_{TP},bid,S)$. 2: After receiving the corresponding encrypted tuple from the Bidders, the TP decrypts the message using $K_{TP}$ and checks the validity of the random number $r_{TP}$ and retrieves $bid$ and S. 3: The third party finds $H\left(bid\right)=u_1^{\prime }$ and verifies whether $S+M-N\stackrel{?}{=}{u}_1^{\prime }Z$ or not. 4: if the condition in step 3 is satisfied, then 5:     She accepts the $bid$ and finds $max\_bid$ among all of the Bidders. 6:     The TP sends Enc${}_{K_{TP}}(max\_bid,Sig{n}_{r{1}_s}\left(r_{TP}\right))$ to the corresponding Bidder and publishes the tuple $(max\_bid,S)$, so that it can be verified by anyone. 7: end if 8: The corresponding Bidder can claim himself/herself as the winner of the auction process.

6. Security and Requirement Analysis of BSEA

In this section, the security analysis of the proposed BSEA is performed by considering various attacks.

6.1. Correctness Proof

For correctness of BSEA, we have to check for the correctness of the blind signature and the registration done by the Bidder. Now, using Equation (7) in Equation (8), we will get,

$${s_{rm}}^{\prime }=((a_{rm}-e{1}_{b}H\left(TS\right)b_{rm})+1)y_b-e_{b}H\left(TS\right)z_b.$$

Now, using the value of $e{1}_b$ in the above equation, it can be written as

$$\begin{array}{c}{s_{rm}}^{\prime }=(a_{rm}+1)y_b-y_b^{-1}{e}_b{y}_{b}H\left(TS\right)b_{rm}-e_{b}H\left(TS\right)z_b,\hfill \\ \Rightarrow {s_{rm}}^{\prime }=(a_{rm}+1)y_b-e_{b}H\left(TS\right)b_{rm}-e_{b}H\left(TS\right)z_b,\hfill \\ \Rightarrow {s_{rm}}^{\prime }=(a_{rm}+1)y_b-e_{b}H\left(TS\right)(b_{rm}+z_b).\hfill \end{array}$$

Using the above value of ${s_{rm}}^{\prime }$ in right hand side (RHS) of Equation (9), we will get

$$\begin{array}{c}H\left(TS\right||{s_{rm}}^{\prime }P+e_{b}H\left(TS\right)(Z_b+B_{rm}))\hfill \\ =H\left(TS\right||((a_{rm}+1)y_b-e_{b}H\left(TS\right)(b_{rm}+z_b))P+e_{b}H\left(TS\right)(Z_b+B_{rm})).\hfill \end{array}$$

Using the values of $b_{rm}$ and $Z_b$, we will get

$$\begin{array}{c}H\left(TS\right||(a_{rm}+1)y_b-e_{b}H\left(TS\right)(b_{rm}+z_b)P+e_{b}H\left(TS\right)(Z_b+B_{rm}))\hfill \\ =H\left(TS\right||(a_{rm}+1)y_b-e_{b}H\left(TS\right)(b_{rm}+z_b)P+e_{b}H\left(TS\right)(z_b+b_{rm})P)\hfill \\ =H\left(TS\right||(a_{rm}+1)y_{b}P-e_{b}H\left(TS\right)(b_{rm}+z_b)P+e_{b}H\left(TS\right)(b_{rm}+z_b)P)\hfill \\ =H\left(TS\right|\left|(a_{rm}+1)y_{b}P\right).\hfill \end{array}$$

Using the value of $R_b$,

$$\begin{array}{c}{R}_b=y_b(A_{rm}+P),\hfill \\ \Rightarrow R_b=y_b(a_{rm}P+P),\hfill \\ \Rightarrow R_b=y_b(a_{rm}+1)P.\hfill \end{array}$$

Using this value in the simplified version of RHS of Equation (9), we will get

$$\begin{array}{c}H\left(TS\right|\left|(a_{rm}+1)y_{b}P\right)\hfill \\ =H\left(TS\right|\left|R_b\right)\hfill \\ =e_b.\hfill \end{array}$$

$e_b$ is in the LHS of Equation (9). Hence, the correctness of the registration of the Bidder is proved.

6.2. Security Analysis

The security of the proposed BSEA depends on the strength of the secure hash function $H(.)$ and the crypto-graphically computational hard problem ECDLP. Here, some of the attacks that can be withstood by BSEA have been discussed.

• Key only attack: In order to successfully launch a key only attack, the attacker needs to get a valid signature. Even if she gets a valid signature, then she is also unable to unblind the signature, as she does not know the blinding factor and the private key of the Bidder (i.e., $r{1}_r$ and $r{2}_r$). The difficulty of finding $r{2}_r$ depends on the difficulty of ECDLP and finding the value of $r{1}_r$ depends on the difficulty of solving IFP.
• Known message attack: In the known message attack, the attacker generates a valid signature for his own message $bi{d}^{\prime }$. Here, she has access to two or more message-signature pairs like $(S^{\prime },u_1^{\prime })$ and $(S^{″},u_1^{″})$. Here, the attacker can generate another signature $S^{‴}=S^{\prime }+S^{″}$ for message $bid$, if she can find $H\left(bid\right)=H\left(bi{d}^{\prime }\right)+H\left(bi{d}^{″}\right)$. This is very difficult if the hash function is preimage resistant. Moreover, she also needs to find the value of $u_2$ for which she has to find $r{1}_r$ and $r{2}_r$.
• Chosen message attack: In case of chosen message attack, the attacker can make the TP to sign for two $bid$ messages, $bi{d}^{\prime }$ and $bi{d}^{″}$. Then, she can calculate a new signature $S^{‴}=S^{\prime }+S^{″}$. If the attacker can find $H\left(bid\right)=H\left(bi{d}^{\prime }\right)+H\left(bi{d}^{″}\right)$ and the blind message $u_2$ for his/her message $bid$, then she can do a chosen message attack on BSEA. However, it is very difficult to find the hash value of a message $bid$ that is the same as the hash value of the given messages $bi{d}^{\prime }$ and $bi{d}^{″}$.
• Forgery attack: Given X and P, finding $r{1}_s$ is difficult due to the difficulty in solving the ECDLP problem. Hence, the private key of the TP can never be guessed correctly. It will be difficult for the attacker to unblind the message because $r{1}_r$ and $r{2}_r$ are the private components of the Bidder.
• Replay attack: An attacker cannot retrieve the $id$ of the Bidder as the message sent to the RM is encrypted with the session key $K_{rmb}$. She would not be able to find either $e{1}_b$ or $s_{rm}$. Similarly, due to the session key $K_{TP}$ that is only with the Bidder and the TP, the attacker would not be able to find the random number $r_{TP}$.
• Eavesdropping attack: Even if the attacker wants to eavesdrop on the communication between any Bidder and the RM or the TP, she will not get enough advantage. The reason for this is that the data that flows are encrypted with the session keys $K_{rmb}$ and $K_{TP}$ and are also being signed by the respective entities.
• Identity theft attack: In the proposed BSEA, the Bidder’s $id$ is not used for authentication. Instead, timestamp ($TS$) is being used for authentication, which prevents the Bidder from the risk of identity theft. In addition to this, the random number $r_{TP}$ provided by the TP is only known to them. However, in case the TP is corrupted, she may reveal the random number $r_{TP}$, but the real identity of the Bidder is still concealed.
• Impersonate attack: It is impossible to impersonate either the Bidder or the RM or the TP because all have used either their session key to encrypt the messages or the private keys to sign the messages.

As BSEA is resistant to the above mentioned attacks, BSEA is secure.

6.3. Requirement Analysis

Here, we have analyzed all the requirements those need to be fulfilled by e-auction protocols. By this, we want to show that BSEA also satisfies the requirements of e-auction protocols.

• Anonymity: The information about every Bidder must be hidden from other Bidders. The TP will authenticate the Bidders and will assign a random number to each of them. Every Bidder blinds their $bid$ value and sends to the TP to get his/her signature. Thus, all the information about the Bidder, including his/her $bid$ value, is hidden from everyone until the auction process is closed. In the winner determination phase, the Bidder sends his/her $bid$ value only to the TP to determine the $max\_bid$. Thus, anonymity is preserved for all the Bidders even if the TP is corrupted.
• Un-forgeability: Any attempt by the attacker to forge bid value will fail as she can not find $u_2$. For this, she has to find $r{1}_r$ and $r{2}_r$, and, for this, she has to solve ECDLP. Moreover, all the necessary information is encrypted with the session key and/or signed by the Sender. Hence, forgery attack is not possible.
• Non-Repudiation: The Bidder as well as the TP must not be able to deny the act that they have done during the execution of the phases of BSEA. The Bidder cannot deny casting the $bid$ because the signed $bid$ value S can be verified using Equation (13), where M is the public key of the Bidder. Similarly, the TP can not deny receiving the $bid$, as the same signature is also verified by using his public key Z.
• Public Verifiability: The signature S can be verified by everyone after publishing the signature parameter $(S,u_1)$. Moreover, the final winner’s $bid$ can also be verified by everyone once the TP publishes the tuple $(S,max\_bid)$. As anyone can now find $u_1=H(max\_bid)$ and verify the signature S. The authenticity of every Bidder can also be verified by everyone.
• Traceability: The winning Bidder or any other Bidder who does not follow the auction rule can be identifiable because the proposed BSEA is traceable (the explanation is given in Section 4.3).
• Fairness and Robustness: BSEA satisfies the fairness property because even if the malicious Bidder or Auctioneer colludes with the TP, they will not gain any information about the honest Bidder, which can harm him/her in the running auction process or any future auction process.
• Privacy: BSEA maintains the privacy of every Bidder during the auction process. It also preserves the privacy of the losing Bidder even after the winner determination phase is over.
• Integrity and Confidentiality: The integrity and confidentiality of BSEA are achieved through blind signature and the session key. No one can find the $bid$ value before the winner determination phase is over due to the blindness property of the proposed BSEA. No one can change the $bid$ value once signed by the TP because, even if it is modified, it cannot be verified by Equation (13).

In

Table 2. Comparison for analysis of requirements.

	${\mathit{R}}_1$	${\mathit{R}}_2$	${\mathit{R}}_3$	${\mathit{R}}_4$	${\mathit{R}}_5$	${\mathit{R}}_6$	${\mathit{R}}_7$	${\mathit{R}}_8$
Liaw et al. [37]	√	√	×	√	√	×	×	√
Wu et al. [38]	√	√	√	√	√	√	×	√
Cao et al. [39]	√	√	√	√	×	√	×	√
Ksiezopolski et al. [41]	√	√	√	√	√	×	×	√
Cao [40]	√	√	√	√	×	√	√	√
BSEA	√	√	√	√	√	√	√	√

, we have compared the requirement evaluation results of BSEA with some of the previously proposed e-auction schemes. Here, R${}_i$ represents the requirement number mentioned above. Our scheme satisfies all the requirements, which are needed for an electronic auction.

7. Performance Analysis of BSEA

As per Table 2, the proposed BSEA protocol fulfills all the requirements needed to be satisfied by an e-auction protocol. Moreover, it saves a considerable amount of space in terms of key size as it is implemented using ECC. The performance of BSEA is discussed in terms of computational overhead by comparing it with the some of the popular existing schemes. The performance comparison results of BSEA are shown in

Table 3. Comparison for total computational overhead.

Schemes/Phases	Advertisement	Registration	Bidding	Winner Determination
Liaw et al. [37]	$n{T}_e$	$2n{T}_e+5n{T}_h$	$5n{T}_e$	$T_e+T_h$
Wu et al. [38]	$n{T}_e+n{T}_h$	$2n{T}_e+2n{T}_s+3n{T}_h$	$n{T}_e+4n{T}_e$	$n{T}_e+n{T}_e+2n{T}_s$
Cao et al. [39]	$2T_m+T_e$	$3n{T}_e+n{T}_m+2n{T}_s+5n{T}_h$	$2n{T}_e$	$n{T}_e$
BSEA	$T_e+T_h$	$2n{T}_m+2n{T}_e+2n{T}_s+5n{T}_h$	$4n{T}_m+n{T}_h$	$n{T}_m+4n{T}_s+n{T}_h$

n : Number of $bid$s in the auction process, $T_e$ : Time to compute exponential operation, $T_s$ : Time to compute symmetric key encryption, $T_h$ : Time to compute one-way hash operation, $T_m$ : Time to compute scalar multiplication operation.

in comparison to Liaw et al. [37], Wu et al. [38] and Cao et al. [39].

To verify the efficiency of BSEA in terms of time, we implemented Liaw et al. [37], Wu et al. [38], Cao et al. [39] and BSEA using the pairing based cryptography (PBC) library [42] with type A pairing from the PBC archive. We used SHA-1 as the hash function. Figure 7 shows the average computation time consumed by the schemes. Results show that our proposed scheme BSEA outperforms the existing schemes like Liaw et al. [37], Wu et al. [38] and Cao et al. [39]. Moreover, it saves a considerable amount of space in terms of key size, as it is implemented using ECC. Hence, the proposed scheme is efficient.

8. Conclusions

In this paper, we have proposed an electronic auction scheme using a blind signature protocol. We first proposed a blind signature protocol according to the requirements of the e-auction (CTBSS) and then employ it to design a sealed-bid electronic auction scheme (BSEA). Both protocols are based on elliptic curve cryptography. Moreover, an ECC based protocol is more efficient in terms of space in comparison to its counterparts, which are based on DLP. The proposed BSEA fulfills all the requirements of the e-auction protocol, and the computation overhead is low as compared to the existing schemes. The efficiency of BSEA can be further improved using very-large-scale integration (VLSI) implementation.