A two-server, sealed-bid auction protocol

Abstract

Naor, Pinkas, and Sumner introduced and implemented a sealed-bid, two-server auction system that is perhaps the most efficient and practical to date. Based on a cryptographic primitive known as oblivious treinsfer, their system aims to ensure priveicy and correctness provided that at least one auction server behaves honestly. As observed in [19], however, the NFS system suffers from a security flaw in which one of the two servers can cheat so as to modify bids almost arbitrarily and without detection. We propose a means of repairing this flaw while preserving the attractive practical elements of the NFS protocol, including minimal round complexity for servers and minimal computation by players providing private inputs. Our proposal requires a slightly greater amount of computation and communication on the part of the two auction servers, but actually involves much less computation on the part of bidders. This latter feature makes our proposal particularly attractive for use with low-power devices. While the original proposal of NFS involved several dozen exponentiations for a typical auction, ours by contrast involves only several dozen modular multiplications. The key idea in our proposal is a form of oblivious transfer that we refer to as verifiable proxy oblimous transfer (VPOT).