This article has been accepted for publication in a future issue of this journal, but has not been

fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TNSE.2018.2846736, IEEE
Transactions on Network Science and Engineering

Privacy-Preserving Auction for Big Data Trading Using Homomorphic Encryption
Weichao Gao∗, Wei Yu∗, Fan Liang∗, William G. Hatcher∗, and Chao Lu∗
∗Department of Computer and Information Sciences, Towson University, MD, USA 21252
Emails: {wgao3,fliang1,whatch2}@students.towson.edu, {wyu,clu}@towson.edu

Abstract—Cyber-Physical Systems (smart grid, smart transportation, smart cities, etc.), driven by advances in Internet of Things (IoT)
technologies, will provide the infrastructure and integration of smart applications to accelerate the generation and collection of big data
to an unprecedented scale. As now a fundamental commodity in our current information age, such big data is a crucial key to
competitiveness in modern commerce. In this paper, we address the issue of privacy preservation for data auction in CPS by
leveraging the concept of homomorphic cryptography and secured network protocol design. Specifically, we propose a generic
Privacy-Preserving Auction Scheme (PPAS), in which the two independent entities of Auctioneer and Intermediate Platform comprise
an untrusted third-party trading platform. Via the implementation of homomorphic encryption and one-time pad, a winner in the auction
process can be determined and all bidding information is disguised. Yet, to further improve the security of the privacy-preserving
auction, we additionally propose an Enhanced Privacy-Preserving Auction Scheme (EPPAS) that leverages an additional signature
verification mechanism. The feasibilities of both schemes are validated through detailed theoretical analyses and extensive
performance evaluations, including assessment of the resilience to attacks. In addition, we discuss some open issues and extensions
relevant to our scheme.

Index Terms—High-Confidence CPS, Internet of Things, Big Data, Auction, Privacy-Preserving, Homomorphic Cryptography, Security
and Resilience, Network Protocol Design

1 INTRODUCTION

With the advancement of Internet of Things (IoT) technologies, immense quantities of sensors and actuators will be developed and deployed to support the monitoring and control of a number of smart-world Cyber-Physical Systems (CPS), including the smart grid, smart transportation, smart cities, smart manufacturing, and others [1], [2], [3], [4], [5]. In such smart-world systems, massive amounts of data will be generated, giving rise to truly unprecedented CPS/IoT-based big data [6], [7], [8]. Ubiquitous distributed network-connected devices will engender diverse applications for the generation, maximization, and optimization of a variety of resources that span a multitude of domains. Furthermore, it is readily evident that emerging networking and computing technologies shall enable easier, faster, and cheaper data collection from such CPS systems.

Research on the accumulation, analysis, and application of big data has proceeded rapidly. With the help of data mining, deep learning, and other techniques to facilitate data processing, massive amounts of data are already being collected and processed, generating valuable information to users and affecting our daily lives. As a result, greater attention is being paid to the market value of big data, which has come to be considered as a new type of natural resource. Naturally, this resource itself can be considered as a domain of CPS, similar to electrical energy or spectrum allocation, as it implicates distributed infrastructures and networked technologies for the management and effective optimization of welfare for data users and owners.

To realize the potential value of data commodities generated in CPS/IoT systems, critical challenges must be overcome, such as properly evaluating the price of datasets, enabling fair and secure data trading with the support of network protocols, and ensuring data copyright protection. Although data, in the form of digital information/commodity, can be duplicated and assigned with an infinite number of copies, competition among data users would prefer to compete for it. Thus, an economically-driven approach, such as auctioning, becomes a viable way for the data trading in the networking environment so that the value of collected data can be maximized via a trading-based data sharing paradigm. Notice that there have already been auctions designed for similarly intangible items, such as electricity and spectrum resources, and a number of research efforts have been conducted [9], [10], [11], [12], [13], [14]. Nonetheless, a majority of these auctions take place on an auction platform run by sellers, meaning that the sellers play the role of the auctioneer, and information from the bidders is open to the sellers during the auction. In addition, with the increasing number of data owners, it is inefficient and inconvenient for each data seller to maintain their own auction platform. Thus, a third-party data trading platform in the network environment would be a more realistic approach.

2327-4697 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

When a third-party auction platform is used, privacy protection becomes a critical issue and this calls for designing effective network protocols to achieve privacy-preserving auction. For both sellers and bidders in an active auction, the reserve or bidding price should not be revealed until the end of the bidding window. In addition, the auction data (i.e., the data to sell) should be accessed only by the winner of the bid. Thus, a fully trusted platform is
desired. Nonetheless, the fully trustworthy third-party platform is difficult to realize for a variety of reasons, including emergent cyber-threats, insider adversaries, and platform insecurity. In order to protect the privacy of both sellers and buyers, additional protection and detection schemes should be provisioned on the platform.

To address the issue of privacy protection in the third-party auction platform, we consider the introduction of homomorphic cryptography [15] to enable the auctions to be processed using only encrypted bids and design a corresponding network protocol. In this paper, we first propose a baseline Privacy-Preserving Auction Scheme (PPAS) to meet the basic requirements of the privacy-preserving auction. To be specific, the scheme is designed with two independent entities that comprise the third-party auction platform: (i) the Auctioneer and (ii) the Intermediate Platform. We leverage the Paillier cryptosystem [16] to implement homomorphic encryption and with the assistance of a one-time pad. Under our designed architecture, the Intermediate Platform will only see the Paillier encrypted bids, while the Auctioneer only sees the bids disguised with a one-time pad. This design ensures that the auction data will only be accessible by the winner of the auction. A prototype of PPAS is implemented and evaluated, with the goal of conducting auctions on encrypted bids being achieved.

We then further investigate the security limitation of PPAS and attempt to improve the scheme with additional security features. Thus, the Enhanced Privacy-Preserving Auction Scheme (EPPAS) is proposed, based on PPAS. To be specific, we use the digital signature feature of the Paillier cryptosystem to ensure that the data has not been manipulated in transmission or by a compromised entity (the Auctioneer or the Intermediate Platform) in the network. In addition, the function of comparing encrypted data is revised to eliminate possible loopholes. We conduct a theoretical analysis to validate the efficiency and security features of EPPAS. This is carried out by evaluating time and space complexities to measure efficiency, while various attack scenarios are applied to validate the security resiliency. Finally, we implement the system and conduct extensive experiments on assorted scenarios. Our experimental results demonstrate that our designed system is capable of meeting the needs of privacy preservation during the third-party platform-based data auction, and is secure against attacks from compromised messages, and compromised components of the third-party platform.

Our contributions in this paper are as follows:

• Basic Scheme: We propose a basic scheme denoted as the Privacy-Preserving Auction Scheme (PPAS) to enable auctions with encrypted bids. We provide a detailed description of the designed architecture and algorithms, an analysis of the auction scheme, and evaluate its performance via emulation.
• Enhanced Scheme: Based on insights from our analysis of the PPAS scheme, we propose an Enhanced Privacy Preserved Auction Scheme (EPPAS), to improve the security and privacy of the auction. We provide the detailed architecture and algorithms of the improved EPPAS, analysis of the improved auction, and an additional performance evaluation and comparison. The evaluation results demonstrate the effectiveness, efficiency, and security of our proposed EPPAS.
• Extension: As the proposed scheme is generic, and a variety of auction rules can be provisioned and more efficient cryptosystems can be applied, we address potential avenues of future research to meet the requirements of different data auctions.

The remainder of this paper is organized as follows: In Section 2, we provide preliminary background to briefly review homomorphic cryptography. In Section 3, we introduce the design rationale to achieve the privacy-preserving data auctions. In Section 4, we propose our baseline scheme, the Privacy-Preserving Auction Scheme (PPAS) for big data auctions, along with an analysis, performance evaluation, and considerations about its limitations. In Section 5, we improve upon the baseline scheme with the addition of further security features, proposing the Enhanced Privacy-Preserving Auction Scheme (EPPAS). We also analyze the properties of our scheme with respect to both efficiency and security. In Section 6, we discuss some open issues and extensions relevant to our schemes. In Section 7, we conduct a literature review. Finally, we conclude the paper in Section 8.

2 PRELIMINARY

In this section, we briefly introduce the concept of homomorphic cryptography. Traditionally, data is encrypted by one party, sent, and must be decrypted for processing of the plaintext result. Nonetheless, it is clear that this is not ideal, as not all destinations can be trusted. Instead, the ability for processing to be performed on the encrypted ciphertext data should ensure that the destination never sees the content of the original plaintext. This is the concept of homomorphic cryptography. Here, all the data is encrypted by some encryption scheme before being transmitted to some untrusted parties for computation. All the computation on the untrusted side is performed on the encrypted data, and the computed result is received and decrypted by the user to obtain the final result. Ideally, privacy is protected because the plaintext data is never observed in any untrusted area. To realize this process, the operations that are performed on the ciphertext, once decrypted, must match the corresponding operations performed on the original plaintext.

The concept of homomorphic encryption can be presented as

$$\forall m_1, m_2 \in M,\quad E_K(m_1) \odot_C E_K(m_2) \rightarrow E_K(m_1 \odot_M m_2), \tag{1}$$

where $M$ is the set of plaintext, $m$ is any plaintext in $M$, $E$ is the encryption function, $K$ is the encryption key, and $\odot_M$ and $\odot_C$ stand for some operators in $M$ and the corresponding set of ciphertext $C$. Under the ideal homomorphic encryption scheme, the untrusted servers only see, operate, and return encrypted data, enabling protection of the user's privacy.

Regarding the development of homomorphic encryption, the first homomorphic encryption schemes achieved only Partial Homomorphic Encryption (PHE), meaning that the possible homomorphic operations were limited to a finite set (e.g., only addition and multiplication). Typical
PHE schemes include ElGamal [17] and Paillier [16], among others. In contrast, a Fully Homomorphic Encryption (FHE) scheme is one that allows arbitrary computations on ciphertext. The first viable fully homomorphic scheme was proposed by Gentry [15] in 2009, using lattice-based cryptography and the mechanism of bootstrapping. Expansions upon that work include LTV [18] and GSW [19], among others. Despite these advances, in most cases, current implementations of FHE are not suited to meet efficiency requirements with respect to speed and space. As a compromise, the recent trend is to use Somewhat Homomorphic Encryption (SWHE), which has a limited number of operations and depth of FHE, but can still achieve good performance.

In our privacy-preserving auction scheme, we implement one representative homomorphic encryption scheme, called the Paillier cryptosystem [16], as an example to demonstrate our idea. This is an asymmetric encryption system based on the problem of computing nth residue, and is believed to be computationally difficult. Paillier belongs to a partial homomorphic scheme that supports addition on the ciphertext. That is, $E(m_1 + m_2) = E(m_1) \cdot E(m_2)$, where $E$ is the encryption function, and $m_1$ and $m_2$ are the plaintext. We note that Paillier can achieve semantic security, where it is not possible to determine, in polynomial time, the original plaintext, whose ciphertext encrypts with a probability significantly larger than 0.5.

3 DESIGN RATIONALE

In the following, we introduce our design rationale to achieve a privacy-preserving data auction. To fulfill the requirements, we consider cryptosystems and design algorithms to realize the individual key functions needed in the trading process.

3.1 Leveraging Homomorphic Encryption

Recall that in our proposed scenario described in Section 1, the data auctions are controlled by a third-party auctioneer. In this scenario, privacy protection is required by both sellers and bidders. Specifically, sensitive bidding information (bidding price, reserve price, quantity, etc.) must remain undisclosed until at least the end of the bidding window of each auction.

To meet this requirement, one simple solution is to encrypt the sensitive data before the bids are sent out. Meanwhile, the auctioneer needs the data to determine the bidding result. This means that either it must reveal the disguised data right after the bidding window, or it can generate the bidding result using the disguised data without knowing the actual value. In the former, all bids can only be processed after the bidding window, which is inefficient when the number of bids is high. Thus, the second option, where the bids can be processed as received without revealing the contents, becomes the viable approach, implicating homomorphic encryption.

3.2 Independent Intermediate Platform

To enable operation upon multiple encrypted bids in an asymmetric homomorphic encryption scheme, all bids should be encrypted using the same public key. To prevent the ciphertext from being decrypted by any seller or bidder, the public key should not belong to any one of them. In the meantime, however, using the auctioneer's public key would enable it to know the actual value before the end of the bidding window.

To address this issue, our solution is to introduce an independent party, denoted the Intermediate Platform, located between the auction participants and the Auctioneer. Specifically, all bids from the participants are sent to the Intermediate Platform, in which they are padded with a randomly generated pad, using the following:

$$PK_a(\text{Padded Bid}) = PK_a(\text{Bid}) \odot_{(c,\text{padding})} PK_a(\text{Pad}). \tag{2}$$

In addition, the feature of homomorphic encryption enables the padded bids to satisfy the following condition:

$$\text{Padded Bid} = SK_a(PK_a(\text{Padded Bid})) = \text{Bid} \odot_{(m,\text{padding})} \text{Pad}. \tag{3}$$

In Equations (2) and (3), $PK_a(x)$ stands for the encryption function using the Auctioneer's public key, $SK_a(x)$ stands for the decryption function using the Auctioneer's secret key, $\odot_{(c,\text{padding})}$ is the operation of padding using ciphertext, and $\odot_{(m,\text{padding})}$ is the operation of padding using plaintext. In this design, the Intermediate Platform sees only the encrypted bids and the Auctioneer sees only the padded bids. Furthermore, neither of them would be able to uncover the original bids before the end of the bidding window. In the meantime, when using the same pad for every bid, it is possible for the Auctioneer to use the padded bids to compare and sort when a proper homomorphic encryption system is selected.

3.3 Auction Data Delivery

Another important requirement from the seller is that the auction data needs to be disguised and would only be able to be revealed to the winner of the auction. In designing the platform for big data trading, the size of the auction data must be taken into consideration. Notice that symmetric encryption schemes are much faster than asymmetric schemes. We thus leverage this property, using a symmetric scheme, such as AES, to encrypt the large volume of auction data, and applying the asymmetric homomorphic scheme to encrypt the AES encryption key for the system to deliver.

We have also developed the algorithms for key delivery using a homomorphic scheme and one-time pad (OTP). To be specific, the seller randomly generates the key $K$ for AES encryption to encrypt the auction data $D$ and obtain the AES encrypted data $AES_K(D)$. $K$ is then encrypted by the Auctioneer's public key $PK_a$ to obtain $PK_a(K)$. Upon receipt of $AES_K(D)$ and $PK_a(K)$, the Intermediate Platform generates the OTP, applies the homomorphic padding using Equation (4), and sends $PK_a(K_{OTP})$ to the Auctioneer. From Equations (5) and (6), the Auctioneer decrypts $PK_a(K_{OTP})$ using its own secret key $SK_a$, and re-encrypts the result using the auction winner's public key $PK_w$, sending it back to the Intermediate Platform. Finally, the platform applies homomorphic depadding, defined in Equation (7), leaving the $PK_w$-encrypted AES key $PK_w(K)$, which allows the winner to decrypt and reveal $AES_K(D)$. These equations are listed as follows:

$$PK_a(K_{OTP}) = PK_a(K) \odot_{(c,\text{padding})} PK_a(\text{OTP}), \tag{4}$$
$$K_{OTP} = SK_a(PK_a(K_{OTP})), \tag{5}$$

$$PK_w(K_{OTP}) = PK_w(K_{OTP}), \tag{6}$$

$$PK_w(K) = PK_w(K_{OTP}) \odot_{(c,\text{depadding})} PK_w(\text{OTP}). \tag{7}$$

Via this mechanism, we can prevent both Auctioneer and Intermediate Platform from seeing the original value of the AES key. Thus, by using a proper homomorphic encryption mechanism, the auction data can be delivered to the target without being revealed.
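
The padded comparison of Equations (2) and (3) and the key delivery of Equations (4) through (7), run end to end as an added example (it is not the authors' prototype). It uses textbook Paillier with g = n + 1; the fixed Mersenne primes, the 8-byte price bound, the bidder names and the linear scan used in place of a sorted structure are assumptions made for the illustration.

```python
import math
import secrets

# Constructed parameters. Mersenne primes are used only to have fixed, known
# primes offline; real Paillier keys need random primes of equal length.
AUCTIONEER_PRIMES = (2**521 - 1, 2**607 - 1)
WINNER_PRIMES = (2**127 - 1, 2**1279 - 1)
MAX_BID = 2**64    # assumption: prices fit in 8 bytes
KEY_BITS = 256     # AES key length


def keygen(p, q):
    """Return (n, (lam, mu)) for textbook Paillier with generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))


def encrypt(n, m):
    """PK(m) = (1 + m*n) * r^n mod n^2 for a fresh random r coprime to n."""
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + (m % n) * n) * pow(r, n, n2) % n2


def decrypt(n, sk, c):
    """SK(c) = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) // n."""
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def hadd(n, c1, c2):
    """Ciphertext product: decrypts to the sum of the plaintexts mod n."""
    return c1 * c2 % (n * n)


def hsub(n, c1, c2):
    """Ciphertext quotient: decrypts to the difference of the plaintexts mod n."""
    return c1 * pow(c2, -1, n * n) % (n * n)


def platform_pad_pair(n_a, c_new, c_old):
    """Intermediate Platform, Eq. (2): pad two encrypted prices with one fresh pad."""
    # Bounding the pad keeps price + pad below n_a; a wrap-around modulo n_a
    # would reverse the order the Auctioneer sees.
    c_pad = encrypt(n_a, secrets.randbelow(n_a - MAX_BID))
    return hadd(n_a, c_new, c_pad), hadd(n_a, c_old, c_pad)


def auctioneer_is_larger(n_a, sk_a, c_new, c_old):
    """Auctioneer, Eq. (3): decrypt both padded prices and compare them."""
    return decrypt(n_a, sk_a, c_new) > decrypt(n_a, sk_a, c_old)


def deliver_key(n_a, sk_a, n_w, c_key):
    """Eqs. (4)-(7): turn PK_a(K) into PK_w(K); also return what the Auctioneer saw."""
    # The OTP bound keeps K + OTP below both moduli so that nothing wraps.
    otp = secrets.randbelow(min(n_a, n_w) - 2**KEY_BITS)
    c_padded_a = hadd(n_a, c_key, encrypt(n_a, otp))      # platform, Eq. (4)
    k_otp = decrypt(n_a, sk_a, c_padded_a)                # Auctioneer, Eq. (5)
    c_padded_w = encrypt(n_w, k_otp)                      # Auctioneer, Eq. (6)
    c_key_w = hsub(n_w, c_padded_w, encrypt(n_w, otp))    # platform, Eq. (7)
    return c_key_w, k_otp


def run_auction(bids):
    """Return (winner id, winner recovered K, Auctioneer saw K unpadded)."""
    n_a, sk_a = keygen(*AUCTIONEER_PRIMES)
    n_w, sk_w = keygen(*WINNER_PRIMES)
    encrypted = {uid: encrypt(n_a, price) for uid, price in bids.items()}
    winner = None
    for uid, c_bid in encrypted.items():
        if winner is None:
            winner = uid
            continue
        pair = platform_pad_pair(n_a, c_bid, encrypted[winner])
        if auctioneer_is_larger(n_a, sk_a, *pair):
            winner = uid
    aes_key = secrets.randbits(KEY_BITS)                  # seller's K
    c_key_w, seen = deliver_key(n_a, sk_a, n_w, encrypt(n_a, aes_key))
    return winner, decrypt(n_w, sk_w, c_key_w) == aes_key, seen == aes_key


if __name__ == "__main__":
    # Constructed bids for three hypothetical bidders.
    print(run_auction({"bidder1": 4200, "bidder2": 9100, "bidder3": 7350}))
```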

3.4 Selection of Cryptosystem

In order to realize the auction procedure efficiently, one of the most important functions is sorting, because it determines the winning prices of the auction. Note that the algorithm for sorting on disguised data depends significantly on the cryptosystem selected. Considering the analysis outlined above, we choose the Paillier cryptosystem to realize our design. Recall that in Section 2, Paillier enables the addition operation by decrypting the product of the ciphertext, according to,

$$P_i + Pad = SK(PK(P_i) \cdot PK(Pad)). \tag{8}$$

Here, $P_i$ is the $i$-th price, and $Pad$ is the pad to disguise $P_i$. Thus, the sorting result on $Price_i$ (where $i \in n$) is equivalent to the sorting result on $Price_i + Pad$, where $i \in n$, when using the same pad. Meanwhile, in the detailed algorithm, the revealing of the pad after the bidding window will help the Auctioneer find the actual value of the winning price.

The operation of homomorphic addition also satisfies our design for auction data delivery, applying the key exchanging algorithm that we mentioned in Equations (4) through (7). The homomorphic de-padding can be realized using

$$PK_w(K) = PK_w(K_{OTP}) \cdot (PK_w(\text{OTP}))^{-1}, \tag{9}$$

where $PK_w$ is the winner's public key, $K_{OTP}$ is the padded key, and OTP is the one-time pad.

4 PRIVACY-PRESERVING AUCTION SCHEME

Based on the design rationale in Section 3, we consider the selected cryptosystem with the outlined algorithms, and propose our Privacy-Preserving Auction Scheme (PPAS). We first present our architecture and workflow, and then analyze the system with respect to time and space efficiency. Finally, we implement and evaluate a prototype of our system, and consider several unresolved issues.

4.1 System Architecture

Figure 1 illustrates the system architecture of the Privacy-Preserving Auction Scheme, which consists of four entities: Auctioneer, Intermediate Platform, Seller, and Bidder. Each entity is detailed below.

[Fig. 1. System Architecture]

Auctioneer. The Auctioneer is the party who organizes the data auctions. It initializes new auctions upon the request from a registered seller and generates asymmetric key pairs using a homomorphic cryptosystem (we use the Paillier cryptosystem in this prototype) and publishes its public key (PK). The secret key (SK) is kept only by itself so that neither the Intermediate Platform, nor the auction participants would be able to decrypt the ciphertext. By design, the Auctioneer keeps receiving pairs of the ciphertext of the one-time-padded bidding prices from the Intermediate Platform during the bidding window, comparing the padded value, and replying with the results. This function enables the Intermediate Platform to carry out the sorting operation on the encrypted bidding prices. After the bidding window, the Auctioneer receives and reveals the encrypted winning price, and re-encrypts the key to the auction data with the winner's public key.

Intermediate Platform. The Intermediate Platform is independent from the Auctioneer. During the auction, it receives and stores the encrypted bids from Sellers and Bidders. The Intermediate Platform is implemented with the Paillier cryptosystem as well, and performs the function of padding on the incoming bids. Through communication with the Auctioneer, the Intermediate Platform is able to sort all incoming encrypted bids without revealing them. After the winner is determined, the auction data will be posted with the key encrypted by the winner's public key.

Seller and Bidders. A seller is the provider of the auction data and determines the reserve price. Bidders are the parties who submit bids to the auction platform for seeking the auction data. In our proposed auction scheme, we assume that all participants (sellers and bidders) in the auctions are registered users. To be specific, the Auctioneer and the Intermediate Platform are able to access the public key of the auction participants from the database, and the payment to the seller is guaranteed as long as the winning price (higher than the reserve price) is determined. It is worth noting that the prototype of the auction scheme supports auctions with one seller, multiple bidders, and one winner. Our designed system is generic and a variety of auction rules can be provisioned in our system.

In addition, we list the notations used in the algorithms discussed in the following sections in Table 1.

4.2 Detailed Workflow

The detailed workflow of the Privacy-Preserving Auction Scheme is illustrated in Figure 1. We have divided the process into five primary phases, which correspond to the numbers in the figure. In addition, Algorithms 1 through 4 are presented, describing each algorithm implemented
for each of the four entities (Seller, Bidder, Intermediate Platform, and Auctioneer) in detail.

TABLE 1. Notations

| Notation | Description |
|---|---|
| AuID | Identifier of an auction |
| $UID_s$, $UID_{b_i}$ | Unique Identifier of the Seller and Bidders |
| $SK_a$, $PK_a$ | Secret-Public Key Pair generated by the Auctioneer |
| $SK_s$, $PK_s$ | Secret-Public Key Pair generated by the Seller |
| $SK_{b_i}$, $PK_{b_i}$ | Secret-Public Key Pair generated by the i-th Bidder |
| $PK()$ | Encryption using Public Key |
| $SK()$ | Decryption using Secret Key |
| $S_s()$, $S_{b_i}()$ | Signed by Seller/Bidder using secret key |
| $V_s()$, $V_{b_i}()$ | Verify Signature using Seller/Bidder's public key |
| $K$ | AES key to encrypt the Auction Data |
| $D$ | The Auction Data for sale |
| $AES_K(D)$ | AES encrypted auction data |
| $PAD_p()$ | One-Time-Pad for price pad |
| $PAD_K()$ | One-Time-Pad for AES key pad |
| $P_r$ | Reserve Price |
| $P_{b_i}$ | Bidding Price |
| $P_w$ | Winning Price |
| SN | Series Number generated by Intermediate Platform, assigned to received bids |

Phase 1: Open New Auction. The Seller sends the request to the Auctioneer to open a new auction.

Phase 2: Initialize the Auction. Following Algorithm 4 in Line 1 through 6, the Auctioneer initializes the auction upon the receipt of the new auction request. It generates Paillier key pairs $\{PK_a, SK_a\}$ and the Auction ID (AuID) for this newly initialized auction. $PK_a$ and AuID are published and the Intermediate Platform is informed by the Auctioneer to start waiting for bids.

Phase 3: Place Bids. During the bidding window, the Seller follows Algorithm 1. It randomly generates a 256-bit key ($K$) for AES encryption on the data to sell (Line 5). As the Paillier cryptosystem works modulo $n$, $K$ should be positive. $K$ and the reserve price ($P_r$) are encrypted using the Auctioneer's public key ($PK_a$) (Line 8). The Seller then sends the auction ID (AuID), the user ID ($UID_s$), the encrypted reserve price ($PK_a(P_r)$), and the encrypted key for the AES encrypted auction data ($PK_a(K)$) as the auction information to the Intermediate Platform (Line 9). After that, the Auction Data $D$ is encrypted using AES with key $K$, and the result $AES_K(D)$ is sent to the Intermediate Platform as well (Line 10 and 11).

Algorithm 1: PPAS: Seller's Algorithm
1  Fetch the public key of the Auctioneer (PK_a) and Auction ID (AuID);
2  if Key pair not exists then
3      Generate key pair ({PK_s, SK_s});
4      Update PK_s to Auctioneer's database;
5  Randomly generate AES key K;
6  Determine reserve price P_r;
7  Fetch User ID: UID_s;
8  Encrypt using PK_a: get PK_a(K), PK_a(P_r);
9  Send {AuID, UID_s, PK_a(P_r), PK_a(K)} to Intermediate Platform as Auction Information;
10 Encrypt Auction Data D using K, get AES_K(D);
11 Send AES_K(D) to Intermediate Platform as Auction Data;

The Bidder follows Algorithm 2. It determines the bidding price ($P_{b_i}$) and encrypts it using the Auctioneer's public key ($PK_a$) (Line 5 through 7). The Seller then sends $\{AuID, UID_{b_i}, PK_a(P_{b_i})\}$ to the Intermediate Platform as Bidding Information (Line 8).

Algorithm 2: PPAS: Bidder's Algorithm
1  Fetch the public key of the Auctioneer (PK_a) and Auction ID (AuID);
2  if Key pair not exists then
3      Generate key pair ({PK_bi, SK_bi});
4      Update PK_bi to Auctioneer's database;
5  Determine bidding price P_bi;
6  Fetch User ID: UID_bi;
7  Encrypt using PK_a: get PK_a(P_bi);
8  Send {AuID, UID_bi, PK_a(P_bi)} to Intermediate Platform as Bidding Information;

Phase 4: Price Sorting. While the bidding window remains open, the Intermediate Platform follows Algorithm 3 to receive and store the seller's auction information (Line 5), and continues receiving bids from the bidders (Line 7 through 14). The accepted bids are inserted and stored to a heap (with the maximum price on top). To determine the position of the incoming bids in the heap, the encrypted new price is compared with the price stored in the parent. Both encrypted prices are padded with a new randomly generated pad before the pair is sent to the Auctioneer. After decryption with its secret key ($SK_a$), the Auctioneer (following Algorithm 4, Line 7 through 15) has the one-time-padded prices, replying true if the newer price is larger for the Intermediate Platform to finish the sorting.

Algorithm 3: PPAS: Intermediate Platform Algorithm
1  Receive public key of the Auctioneer (PK_a), Auction ID (AuID) and bidding window;
2  while during bidding window do
3      Receive bids;
4      if from seller then
5          Store PK_a(P_r) and PK_a(K);
6      else
7          Store PK_a(P_bi) in last position of heap;
8          do
9              Randomly generate pad PAD_p for price padding;
10             PK_a(P_bi + PAD_p) = PK_a(P_bi) · PK_a(PAD_p);
11             Fetch Price P_s in current position of the heap to swap;
12             PK_a(P_s + PAD_p) = PK_a(P_s) · PK_a(PAD_p);
13             Send PK_a(P_bi + PAD_p) and PK_a(P_s + PAD_p) to the Auctioneer to compare;
14             Flag = Receive boolean value from Auctioneer, larger for true;
15         while Flag;
16 heap.pull(), get winner: PK_a(P_w);
17 Randomly generate pad PAD_p for price padding;
18 Send PK_a(P_w + PAD_p) and PK_a(P_r + PAD_p) to the Auctioneer to compare;
19 Receive boolean value from Auctioneer, larger for true;
20 if true then
21     Randomly generate pad PAD_K for key padding;
22     Send UID_w, PK_a(K + PAD_K) to Auctioneer;
23     Receive PK_w(K + PAD_K);
24     Depadding: PK_w(K) = PK_w(K + PAD_K) * [PK_w(PAD_K)]^(-1);
25     Publish AES_K(D) and PK_w(K);
26 else
27     Terminate current auction;

Phase 5: Conclude the Auction. When the bidding window closes, the Intermediate Platform checks whether the reserve price is exceeded by the top price in the heap using the same mechanism for comparison as in Phase 3
(Algorithm 3, Line 16 through 19; Algorithm 4, Line 16 through 20). The winner's UID and the one-time-padded and encrypted AES key are sent to the Auctioneer (Algorithm 3, Line 21 and 22). The Auctioneer returns with the OTP-padded AES key encrypted by the winner's public key (Algorithm 4, Line 22 through 27). The Platform removes the OTP, and publishes AESK(D) and PKw(K), which can only be decrypted by the winner of the auction (Algorithm 3, Line 23 and 24).

Algorithm 4: PPAS: Auctioneer Algorithm
1 Receive auction request from seller;
2 Generate key pair ({PKa, SKa});
3 Generate Auction ID (AuID);
4 Determine bidding window;
5 Publish PKa, AuID;
6 Send bidding window to Intermediate Platform;
7 while during bidding window do
8     Receive pairs of padded prices;
9     Padded P1 = SKa(PKa(P1 + PADp));
10     Padded P2 = SKa(PKa(P2 + PADp));
11     Compare Padded P1 to Padded P2
12     if larger then
13         Send true to Intermediate Platform
14     else
15         Send false to Intermediate Platform
16 Bidding window close;
17 Receive pairs of padded prices;
18 Padded P1 = SKa(PKa(P1 + PADp));
19 Padded P2 = SKa(PKa(P2 + PADp));
20 Compare Padded P1 to Padded P2;
21 if larger then
22     Send true to Intermediate Platform;
23     Receive UIDw, PKa(K + PADK);
24     Fetch PKw using UIDw;
25     Decrypt PKa(K + PADK);
26     PKw(K + PADK) = PKw(SKa(PKa(K + PADK)));
27     Send PKw(K + PADK) to Intermediate Platform;
28 else
29     Send false to Intermediate Platform;
30 Auction close;

4.3 Analysis of PPAS

Time Efficiency: By decomposing the key operations involved in the auction process, we generalize the time efficiency in Table 2. The individual operations are listed in the first column, while the second column represents the upper bound of the time complexity in big-O notation for each individual operation. In the third through sixth columns, we list the total number of times each operation occurs for each entity (Seller, Bidder, Auctioneer, and Intermediate Platform) during one full auction process with n bidders. In the table, IP stands for the "Intermediate Platform". The processing time to perform a single key generation is fixed when the length of the target key is determined, resulting in O(1). In the same way, performing a single encryption, decryption, or padding will take a fixed time as well, once the key is determined. During the auction, the Intermediate Platform will perform heap sorting (complexity O(n log n)) on the received bids each time it performs encryption on a one-time-pad, as well as when it performs padding. Additionally, it does the same operation for the reserve price and AES key from the seller, which is 2. The resulting complexity is a total n log n + 2 for each operation. Applying the same analysis, the auctioneer will perform decryption for n log n + 2 times. As we can observe in Table 2, the overall upper bound of the time complexity in an entire auction process is O(n log n), which is determined by the heap sorting of the received bids in the Intermediate Platform, again n being the number of bids during the auction. Under this time complexity, we consider our proposed Privacy-Preserving Auction Scheme to be efficient.

TABLE 2. Time Efficiency in PPAS (n is the number of total bids)

Operation        O()    Seller   Bidder   Auctioneer    IP
Key Generation   O(1)   1        1        1             0
Encryption       O(1)   2        1        1             n lg n + 2
Decryption       O(1)   0        0        n lg n + 2    0
Padding          O(1)   0        0        0             n lg n + 2

Space Efficiency: In Table 3, we generalize the per-item space cost in the Privacy-Preserving Auction Scheme when choosing different key lengths. Theoretically, a large length asymmetric key can provide a higher degree of security, at the cost of storage overhead. For example, when using a 2048-bit key, which is considered sufficient security for the near future, the resulting key size is 768 bytes and each ciphertext would require 512 bytes. In addition, while each payload, such as bidding price, remains 8 bytes, the bidding message in this case would be 520 bytes.

TABLE 3. Per Item Space Cost over Key Length in PPAS

                  512 bits    1024 bits   2048 bits
Key Size          192 bytes   384 bytes   768 bytes
Ciphertext        128 bytes   256 bytes   512 bytes
Bidding message   136 bytes   264 bytes   520 bytes
Payload           8 bytes     8 bytes     8 bytes

4.4 Performance Evaluation of PPAS

A prototype of the proposed Privacy-Preserving Auction has been implemented. We now present the results of our performance evaluation to demonstrate its effectiveness.

The prototype, including Paillier cryptosystem [16], and the workflow and algorithms described in Section 4.2, have been implemented in Java. More specifically, each of the four entities (Auctioneer, Intermediate Platform, Seller, and Bidder) has been individually implemented for execution in the Common Open Research Emulator (CORE) [20], which is a Python framework with a GUI for users to emulate network topology. All communication and data transmissions in our evaluation have been carried out using the Constrained Application Protocol (CoAP).

In our deployed prototype, the bandwidth has been set to a high value so that we consider only the processing time in this evaluation. The emulation environment was set up on an OSX system on a MacMini computer with an Intel Core i5 CPU at 2.6 GHz, and 8 GB memory. The experiments were carried out in the following two stages.

In the first stage, we evaluated the performance of the individual operations, including Encryption, Decryption, Padding, and Key Generation. We tested each Operation using key lengths of 512 bits, 1024 bits, and 2048 bits, each executed 10,000 times and taking the average processing time as the performance metric of the individual Operations.

In the second stage, we evaluated the performance of the system (i.e., the Auctioneer and the Intermediate Platform). We used the worst-case scenario that assumes all bids come

at the end of the bidding window. The key length used was 2048 bits, which is capable of providing adequate security against brute force attacks. The numbers of bids were set to 100, 1,000, and 10,000. We recorded the processing time from the first incoming bid until the winner-access-only key was published. We also recorded the accuracy of the system successfully finding a winner.

Table 4 shows the performance of individual operations under different key lengths. As can be observed, the average processing time for each individual operation increases with the length of key. This result can be used as a baseline to predict the performance when applied to other uses.

TABLE 4. Time for Individual Operations in PPAS

             512 bits     1024 bits     2048 bits
KeyGen       8.4013 ms    46.5453 ms    377.8954 ms
Encryption   1.3833 ms    9.1497 ms     68.3971 ms
Decryption   1.2893 ms    8.8755 ms     68.0633 ms
Padding      0.0047 ms    0.0148 ms     0.0441 ms

Table 5 shows the system performance of the Auctioneer with the Intermediate Platform. We can observe from the result that the system achieves a 100 % success rate in finding the correct winner, proving the effectiveness of our system. Nonetheless, the average processing time for each bid in a 10,000-bid auction is on the order of 1200 ms when using a 2048-bit key, which is a significantly long time. Furthermore, the total processing time to complete an auction with 10,000 bids is approximately 3.5 hours. We can attribute this to the fact that every comparison of price must apply a new one-time-pad to the encrypted bid. Nonetheless, our scheme shows great promise, as the performance can be dramatically increased in several ways. Considering that we use the worst-case scenario where all bids come at the last minute, the bids in real-world auctions would come in throughout the entire bidding window. Thus, the processing after the bidding window would be significantly reduced. Meanwhile, the experiment has been conducted on a standard commodity computer. To meet the needs of large scale service, the system could be deployed to more powerful servers or cloud hardware. Recall that in Table 2, the upper bound of the overall time complexity is O(n log n), indicating that the system is well designed and performance can be increased by the application of better hardware.

TABLE 5. System Performance (2048-bit key)

Number of bids      100         1000         10000
Processing time     59951 ms    913797 ms    12615756 ms
Avg. time per bid   599.51 ms   913.80 ms    1261.58 ms
Success Rate        100 %       100 %        100 %

4.5 Remaining Security Issues

As observed in Section 4.4, our proposed Privacy-Preserving Auction Scheme is proven to be able to complete the basic auction procedure. Recall the design of the PPAS in Section 4.2, all bids received and seen by the Intermediate Platform are encrypted with the Secret Key generated by the Auctioneer, while all bids received and seen by the Auctioneer are encrypted with the one-time pad by the Intermediate Platform. As the Auctioneer and the Intermediate Platform are independent of each other, privacy during normal auction procedures is preserved. Nonetheless, security issues remain that need consideration, especially those that exceed the normal auction procedure. We outline several in the following scenarios.

Issue 1. Manipulated Message: In the PPAS, all bids communicated between involved entities are encrypted to prevent the leakage of privacy. With the public key of the Auctioneer being accessible to everyone, however, any party is able to generate a valid message, including bids. It is possible, then, that an adversary may try to either replace messages during the communication, or even pretend to be a legal bidder to intervene in the auction process. Lacking a verification mechanism, potential issues of authentication need to be addressed.

Issue 2. Loopholes in Comparing Encrypted Data: Recall from Algorithms 3 and 4 in Section 4.2 that, to compare two encrypted bids in the Intermediate Platform, the encrypted prices are padded and sent to the Auctioneer, which returns the result after comparing the padded prices. This mechanism keeps the prices disguised in both the Auctioneer and the Intermediate Platform under normal operation. Nonetheless, the function of comparison implemented in the Auctioneer could be potentially abused. In this case, to disclose a target encrypted data (either a price or the AES key of the auction data), the only thing that an adversary must do is to apply the mechanism of binary search and keep generating closer values. This, then, requires the Independent Platform to be trustable and not compromised, which is inconsistent with the requirements of the third-party auction platform.

Issue 3. Compromised Entities: In this scenario, we consider one or more of the auction entities to be compromised, and assume that the adversary has full access to the compromised entities. When either bidders or the seller are compromised, illegal bids could be received and accepted by the Intermediate Platform and the Auctioneer, and the auction result would be affected. When the Intermediate Platform is compromised, the adversary could claim itself the winner to the Auctioneer, and obtain the key of the auction data. When the Auctioneer is compromised, although the key of the auction data with one-time pad is secured, the comparing function could be abused to circumvent proper operation of the auction. As a result, the mechanism of detecting compromised entities is needed to reject malicious bids or at least alert the system.

5 ENHANCED PRIVACY-PRESERVING AUCTION SCHEME

To address the remaining security issues in our Privacy-Preserving Auction Scheme (PPAS) proposed in Section 4, we now propose an Enhanced Privacy-Preserving Auction Scheme (EPPAS). In the following, we first introduce the enhanced security features of EPPAS. We then present the system architecture and detailed workflow. Finally, we conduct an analysis of EPPAS with respect to both efficiency and security.

5.1 Enhanced Security Features

In our enhanced scheme, we seek to improve upon the design of the system to address the three security issues (Issues 1, 2, and 3) discussed in Section 4.5.


5.1.1 Manipulated Message Prevention

Since the third-party auction platform cannot be fully trusted, there should be mechanisms to detect and prevent potential security issues. In the Privacy-Preserving Auction Scheme (PPAS) presented in Section 4, we have separated the Auctioneer and the Intermediate Platform, making them independent of each other. This means that the privacy of the auction participants is ensured by the encryption scheme, unless both the Auctioneer and the Intermediate Platform are compromised at the same time. The encrypted data, however, is easily manipulated, since everyone can apply the public key. For example, as outlined in Issue 1 in Section 4.5, above, if the bidding price is manipulated, the bidder could lose the bid or pay more.

Thus, to ensure the correct auction results, there should be mechanisms to protect the integrity of the data. We leverage the digital signature to enable the detection of manipulation. In some asymmetric encryption schemes, users are able to use their own secret key to sign the data. The signature can only be created by using the secret key, and could be verified by using the public key. By examining the data with its signature, the recipient is able to detect any anomaly or attempted falsification. Notice that, for digital signature, Paillier supports signing on the data using the secret key and verifying the signature using the public key. Using signature verification, manipulated bids will be filtered and rejected by the normally functioning Intermediate Platform.

5.1.2 Loophole Improvement

To determine the winner of an auction with privacy disguised, the function of comparison between the asymmetric encrypted prices is needed. Recall that in our proposed Privacy-Preserving Auction Scheme (PPAS), we implement the comparison function on the Auctioneer side, in which the secret key can be accessed. By sending the pair of padded encrypted prices to the Auctioneer, the Intermediate Platform receives the result. This mechanism has a critical loophole, however, as denoted in Issue 2 in Section 4.5, and can be abused by the adversary.

To address this issue, we have re-designed the comparison mechanism. In our enhanced scheme, the sorting heap is implemented on the Auctioneer's side. The Intermediate Platform no longer maintains the heap, but only sends the padded prices along with a serial number to the auctioneer. After the bidding window, the winning price is determined by the Auctioneer, and the corresponding serial number is used to fetch the remaining information of the winning bid from the Intermediate Platform. With the new signature verification mechanism, the Auctioneer further verifies the bid, and replies with the re-encrypted key for the auction data to the Intermediate Platform. Since the Auctioneer no longer simply responds to the request of comparing encrypted data, the enhanced scheme can eliminate the aforementioned loophole.

5.1.3 Compromised Entity Detection and Prevention

Recall from Section 4.5 that we discussed the issue of compromised entities. With the implementation of the digital signature and verification, the Intermediate Platform of the enhanced scheme is able to filter and reject manipulated bids from compromised bidders. In the meantime, it also prevents the compromised Intermediate Platform from manipulating the received bids. In our enhanced scheme, the Auctioneer would sample the incoming prices at a given rate, and verify them after the bidding window to see whether the Intermediate Platform used a different pad to manipulate the sorting results. While the Intermediate Platform still uses one-time pad to secure the key of the auction data, a compromised Auctioneer cannot cheat the key as well. We will describe the entire algorithm in detail in the rest of this section.

5.2 System Architecture

The overall architecture of EPPAS remains the same as that of PPAS, as in Figure 1, consisting of the four entities: Auctioneer, Intermediate Platform, Seller, and Bidder. The changes to each are detailed in the descriptions below. Notice that, while the architecture of the system does not change, we have replaced several implementations following Section 5.1.

Auctioneer. The function remains largely the same as in PPAS. The Auctioneer in EPPAS is the party who organizes the data auctions. It still initializes new auctions upon a request from a registered seller, generates asymmetric key pairs using a homomorphic cryptosystem (we keep the use of Paillier cryptosystem as an example to demonstrate our idea), and publishes its public key (PK). The secret key (SK) is kept only by itself so that neither the Intermediate Platform, nor the auction participants would be able to decrypt the ciphertext. Maintaining the same design, the Auctioneer receives the ciphertext of padded bidding prices from the Intermediate Platform during the bidding window. Unlike PPAS, in EPPAS, the sorting takes place in the Auctioneer. Comparing the padded prices enables the Auctioneer to find the highest price without knowing the actual value. In our enhanced scheme, the Auctioneer also samples the incoming bids at a consistent sample rate for further detection of malfunctions. After the bidding window closes, it receives the pad of the price and the OTP padded key for the auction data from the Intermediate Platform to reveal the winning price, and verifies the sampled prices to detect anomalies from the Intermediate Platform, which is not fully trusted.

Intermediate Platform. The Intermediate Platform remains independent from the Auctioneer in our enhanced scheme. During the auction, it receives and stores the encrypted bids from Sellers and Bidders. The Intermediate Platform is implemented with the Paillier cryptosystem, and performs the function of padding on the incoming bids. In the enhanced scheme, the Intermediate Platform examines each bid by verifying the signatures to avoid suspicious bids. Meanwhile, the communication from the Auctioneer is examined as well. After the winner is determined, the auction data will be posted with the key encrypted by winner's public key.

Seller and Bidders. The roles of the seller and the bidders do not change. The Seller remains the provider of the auction data and determines the reserve price. Bidders submit bids to the auction platform for acquiring the auction data. In the enhanced scheme, the bidding information is


additionally signed with a digital signature to avoid data being manipulated by adversaries.

We would like to clarify that the authentication and payment are required in both our proposed auction schemes, PPAS and EPPAS, and only legal participants (registered users) are allowed to participate in the auction. In Algorithms 1 and 2 for PPAS and Algorithms 5 and 6 for EPPAS, sellers and bidders will include their unique identifiers (UID) in the bids. The issue/risk of fake information does exist in the PPAS scheme (as we mentioned in Section 4.5). This issue is addressed in our proposed enhanced scheme, EPPAS, by implementing signatures in the biddings (as mentioned in Section 5.4.3).

To be specific, the Auctioneer and the Intermediate Platform are able to access the public key of the auction participants from the database, and the payment to the seller is guaranteed as long as the winning price (higher than the reserve price) is determined. It is worth noting that the prototype of the auction scheme supports auctions with one seller, multiple bidders, and one winner. Our designed system remains generic and a variety of auction rules can be provisioned in our system. In terms of security, we consider attacks that would manipulate the bidding information or procedures after compromising the Auctioneer or the Intermediate Platform. Notice that attacks against availability, such as denial-of-service, which aim at disabling the operation of the auction system, are outside the scope of this paper. In the meantime, the scenarios where individual participants (Sellers, Bidders, or both) are compromised by the adversary, or where bidding information is manipulated by the adversary, are outside the scope as well.

5.3 Detailed Workflow

Figure 1 illustrates the workflow for each auction process in the EPPAS, which includes the following key phases.

Phase 1: Open New Auction. The Seller sends the request to the Auctioneer to open a new auction.

Phase 2: Initialize Auction. According to Algorithm 8 (Line 1 through 6), upon the receipt of the new auction request, the Auctioneer initializes the auction. It generates Paillier key pairs {PKa, SKa} and the Auction ID (AuID) for this newly initialized auction. PKa and AuID are published and the Intermediate Platform is informed by the Auctioneer to start waiting for bids.

Phase 3: Place Bids. The Seller follows Algorithm 5. It randomly generates a 256-bit key (K) for AES encryption on the data to sell (Line 5). As we use the Paillier cryptosystem-based module n, the K should be positive. K and the reserve price (Pr) are encrypted using the Auctioneer's public key (PKa) (Line 8). The Seller then uses its own secret key SKs to sign the reserve price (Pr) to obtain Ss(Pr), and sign the sum of AuID+UIDs+PKa(Pr)+Ss(Pr)+PKa(K), obtaining Ss(ALL) (Line 9 and 10). Then, {AuID, UIDbi, PKa(Pbi), Sbi(Pbi), Sbi(ALL)} is sent as the auction information to the Intermediate Platform (Line 11). After that, the Auction Data D is encrypted using AES with key K, and the result AESK(D) is sent to the Intermediate Platform as well (Line 12 and 13).

The Bidder follows Algorithm 6. It determines the bidding price (Pbi), which is encrypted using the Auctioneer's public key (PKa) (Line 5 through 7). The Seller then uses its own secret key SKbi to sign the bidding price (Pbi) to obtain Sbi(Pbi), and sign the sum of AuID+UIDbi+PKa(Pbi)+Sbi(Pbi), and obtain Sbi(ALL) (Line 8 and 9). Then, {AuID, UIDbi, PKa(Pbi), Sbi(Pbi), Sbi(ALL)} is sent to the Intermediate Platform as the Bidding Information (Line 10).

Algorithm 5: EPPAS: Seller's Algorithm
1 Fetch the public key of the Auctioneer (PKa) and Auction ID (AuID);
2 if Key pair not exists then
3     Generate key pair ({PKs, SKs});
4     Update PKs to Auctioneer's database;
5 Randomly generate AES key K;
6 Determine reserve price Pr;
7 Fetch User ID: UIDs;
8 Encrypt using PKa: get PKa(K), PKa(Pr);
9 Sign using SKs, get Ss(Pr);
10 Sign using SKs, get Ss(ALL) = Ss[AuID + UIDs + PKa(Pr) + Ss(Pr) + PKa(K)];
11 Send {AuID, UIDs, PKa(Pr), Ss(Pr), PKa(K), Ss(ALL)} to Intermediate Platform as Auction Information;
12 Encrypt Auction Data D using K, get AESK(D);
13 Send AESK(D) to Intermediate Platform as Auction Data;

Algorithm 6: EPPAS: Bidder's Algorithm
1 Fetch the public key of the Auctioneer (PKa) and Auction ID (AuID);
2 if Key pair not exists then
3     Generate key pair ({PKbi, SKbi});
4     Update PKbi to Auctioneer's database;
5 Determine bidding price Pbi;
6 Fetch User ID: UIDbi;
7 Encrypt using PKa: get PKa(Pbi);
8 Sign using SKbi, get Sbi(Pbi);
9 Sign using SKbi, get Sbi(ALL) = Sbi[AuID + UIDbi + PKa(Pbi) + Sbi(Pbi)];
10 Send {AuID, UIDbi, PKa(Pbi), Sbi(Pbi), Sbi(ALL)} to Intermediate Platform as Bidding Information;

Phase 4: Price Sorting: In this step, the Intermediate Platform receives the seller's auction information and continues receiving bids from the bidders following Algorithm 7 (Line 6 through 24). It examines each bid by verifying the signature Sbi(ALL), and rejects unmatched bids (Line 9 through 11 and 18 through 20). Accepted bids are assigned with a serial number (SN), and stored (Line 13 and 22). Each encrypted price is then padded and sent with its SN to the Auctioneer (Line 13 through 16 and 22 through 24). Following Algorithm 8 (Line 7 through 15), after decryption, the Auctioneer has the padded price, and inserts it into a max heap so all incoming prices are sorted. The auctioneer also samples the prices at a given rate for future detection of anomalies from the Intermediate Platform, which may be compromised or abused by the insider adversary.

Phase 5: Conclude Auction: When the bidding window closes, the Auctioneer checks whether the reserve price is exceeded, and sends the SN of the winner and the bids in the sample list to the Intermediate Platform (Algorithm 8, Line 17 through 18). The Platform returns with the encrypted pads for the price, the encrypted OTP padded AES key, and the signatures of the reserve price, winning price, and sampled price (Algorithm 7, Line 25 through 27). When all signatures are verified, the Auctioneer re-encrypts the


OTP padded AES with the winner's public key, and sends it to the Platform (Algorithm 8, Line 21 through 23). The Platform removes the OTP, and publishes AESK(D) and PKw(K), which can only be decrypted by the winner of the auction (Algorithm 7, Line 28 through 30).

Algorithm 7: EPPAS: Intermediate Platform Algorithm
1 Receive public key of the Auctioneer (PKa), Auction ID (AuID) and bidding window;
2 if Key pair not exists then
3     Generate key pair ({PKp, SKp});
4     Update PKp to Auctioneer's database;
5 Randomly generate pad PADp for price padding and pad PADK for AES key padding;
6 while during bidding window do
7     Receive bids;
8     if from seller then
9         Verify using Vs{Ss(ALL)};
10         if not match then
11             Reject;
12         else
13             Assign series number SN and store;
14             Padding: PKa(Pr + PADp) = PKa(Pr) * PKa(PADp);
15             Padding: PKa(K + PADK) = PKa(K) * PKa(PADK);
16             Send PKa(Pr + PADp) and SN to the Auctioneer;
17     else
18         Verify using Vbi{Sbi(ALL)};
19         if not match then
20             Reject;
21         else
22             Assign series number SN and store;
23             Padding: PKa(Pbi + PADp) = PKa(Pbi) * PKa(PADp);
24             Send PKa(Pbi) * PKa(PADp) and SN to the Auctioneer;
25 Receive list of SN LSN and SNw from Auctioneer;
26 Use SNw find PK(w);
27 Send PKa(PADp), Sbi(Pbi) where SNbi ∈ LSN, PKa(K + PADK) to Auctioneer;
28 if receive PKw(K + PADK) then
29     Depadding: PKw(K) = PKw(K + PADK) * [PKw(PADK)]^−1;
30     Publish AESK(D) and PKw(K);
31 else
32     Terminate current auction;

Algorithm 8: EPPAS: Auctioneer Algorithm
1 Receive auction request from seller;
2 Generate key pair ({PKa, SKa});
3 Generate Auction ID (AuID);
4 Determine bidding window;
5 Publish PKa, AuID;
6 Send bidding window to Intermediate Platform;
7 while during bidding window do
8     Receive padded price and SN from Intermediate Platform;
9     if Reserve price then
10         Padded Pr = SKa(PKa(Pr + PADp));
11     if bidding price then
12         Padded Pbi = SKa(PKa(Pbi + PADp));
13         Insert Padded Pbi to HeapMAX
14         if random by sample rate then
15             Add SN to Sample List (LSN)
16 Bidding window close;
17 if HeapMAX.pull >= Padded Pr then
18     Send List of SN LSN include all sampled SN and winner's SNw, to Intermediate Platform;
19     Receive PKa(PADp), Sw(Pw), Sbi(Pbi) where SNbi ∈ LSN, PKa(K + PADK);
20     Decrypt PKa(PADp), PKa(K + PADK); Pi = Padded Pi - PADp, for reserve price, winning price, and sampled price;
21     if reserve, winning and sample prices verified then
22         PKw(K + PADK) = PKw(SKa(PKa(K + PADK))) send PKw(K + PADK) to Intermediate Platform;
23         Auction close;
24     else
25         Prices are manipulated, auction terminate;
26 else
27     Reserve price not hit;
28     Send terminate to Intermediate Platform;

5.4 Analysis of EPPAS

We now analyze the effectiveness of the improved EPPAS scheme with respect to time and space efficiency, and additionally analyze the enhanced security features.

5.4.1 Time Efficiency

In Table 6, we list the fundamental operations used in our proposed prototype in the first column. The time complexity of each individual operation is provided in the second column. In the Paillier cryptosystem, the length of the key determines its strength. Once the length is determined, the time of a single operation remains constant. This can be seen in the table, in which the time complexity for every cryptography-related operation is O(1). In addition, sorting can achieve O(log n) for each insertion, where n is the number of items that are already in the sorted list. For each auction, we count the number of individual operations used by each entity in the remaining columns of Table 6. As the time complexities will not exceed O(n log n), we consider our proposed scheme to be efficient.

TABLE 6. Composition of operations in each Entity (n is the number of total bids)

Operation      O()        Seller   Bidder   Auctioneer             IP
Key Gen.       O(1)       1        1        1                      1
Encryption     O(1)       2        1        1                      2
Decryption     O(1)       0        0        n + 2                  0
Padding        O(1)       0        0        0                      n + 2
Sorting        O(log n)   0        0        n                      1
Signature      O(1)       2        2        2                      n
Verification   O(1)       0        0        n + 2 + rsample · n    n + 2

5.4.2 Space Efficiency

In Table 7, we generalize the per item space cost when choosing different key lengths. Theoretically, a large length asymmetric key can provide a higher degree of security, at the cost of storage overhead. Using a 2048-bit key, which is considered sufficient for the near future, each ciphertext and signature requires 512 bytes. Recall Algorithm 6, in our prototype, which uses 2048-bit keys, each bid needs 2 signatures and 1 ciphertext to secure the 8-byte bidding price, resulting in 1536 bytes of overhead.

TABLE 7. Per Item Space Cost over Key Length

                  512 bits    1024 bits   2048 bits
Key Size          192 bytes   384 bytes   768 bytes
Ciphertext        128 bytes   256 bytes   512 bytes
Signature         128 bytes   256 bytes   512 bytes
Bidding message   392 bytes   776 bytes   1542 bytes
Payload           8 bytes     8 bytes     8 bytes


[Figure: three panels, (a) Manipulation Not Missing Higher Bidder, (b) Manipulation Not Being Detected, (c) Cheat Successful. x-axis: Number of Bids (0 to 60); y-axis: Success Rate (0 to 1); curves labelled 10%, 20%, 30%, 40%, 50%.]
Fig. 2. Success Rate of Manipulation by Compromised Platform
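The padding, max-heap sorting and sampled verification of Algorithms 7 and 8, as an added example in Python (not the paper's Java prototype). It assumes a toy Paillier key built from small Mersenne primes, a toy RSA signature standing in for Ss(.) and Sbi(.), and a hypothetical `tamper_sn` switch that models a compromised Intermediate Platform using a different pad for one bid; all names, keys and bid values are constructed.

```python
import hashlib
import heapq
import math
import secrets

# Toy Paillier key for the Auctioneer, built from two Mersenne primes.
# Constructed for illustration only: far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # secret key SKa
MU = pow(LAM, -1, N)                                # valid for generator g = N + 1

def enc(m):
    """PKa(m): anyone holding the public key can encrypt."""
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return (1 + m * N) * pow(r, N, N2) % N2

def dec(c):
    """SKa(c): only the Auctioneer can decrypt."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def h_add(c1, c2):
    """Padding: PKa(a) * PKa(b) = PKa(a + b)."""
    return c1 * c2 % N2

def h_sub(c1, c2):
    """Depadding: PKa(a) * [PKa(b)]^-1 = PKa(a - b)."""
    return c1 * pow(c2, -1, N2) % N2

# Toy RSA signature standing in for Ss(.) and Sbi(.). Assumption: all
# constructed participants share this one key to keep the example short.
SIG_N = (2**89 - 1) * (2**107 - 1)
SIG_E = 65537
SIG_D = pow(SIG_E, -1, (2**89 - 2) * (2**107 - 2))

def digest(price):
    return int.from_bytes(hashlib.sha256(str(price).encode()).digest(), "big") % SIG_N

def sign(price):
    return pow(digest(price), SIG_D, SIG_N)

def verify(price, sig):
    return pow(sig, SIG_E, SIG_N) == digest(price)

def run_auction(bids, reserve, sample_sns, tamper_sn=None):
    """bids maps serial number SN -> price. Returns (winner SN, price, verified)."""
    # Seller and Bidders: encrypt the price under PKa and sign the plaintext.
    sealed = {sn: (enc(p), sign(p)) for sn, p in bids.items()}
    reserve_ct, reserve_sig = enc(reserve), sign(reserve)

    # Intermediate Platform: one pad PADp per auction, added under encryption.
    pad_ct = enc(secrets.randbelow(2**32) + 1)
    padded_ct = {}
    for sn, (ct, _) in sealed.items():
        padded_ct[sn] = h_add(ct, pad_ct)
        if sn == tamper_sn:   # compromised platform: a different pad for one bid
            padded_ct[sn] = h_add(padded_ct[sn], enc(1000))
    padded_reserve_ct = h_add(reserve_ct, pad_ct)

    # Auctioneer, during the window: sees only price + pad, keeps a max-heap.
    padded = {sn: dec(ct) for sn, ct in padded_ct.items()}
    padded_reserve = dec(padded_reserve_ct)
    heap = [(-value, sn) for sn, value in padded.items()]
    heapq.heapify(heap)
    winner = heap[0][1]
    if padded[winner] < padded_reserve:
        return None, None, True            # reserve price not hit

    # Window closed: the platform reveals PKa(PADp) and the stored signatures;
    # the Auctioneer unpads the reserve, winning and sampled prices and checks them.
    pad = dec(pad_ct)
    verified = verify(padded_reserve - pad, reserve_sig)
    for sn in {winner, *sample_sns}:
        verified = verified and verify(padded[sn] - pad, sealed[sn][1])
    return winner, padded[winner] - pad, verified

if __name__ == "__main__":
    honest = run_auction({1: 5000, 2: 3000, 3: 2500}, 100, {3})
    caught = run_auction({1: 5000, 2: 3000, 3: 2500}, 100, {3}, tamper_sn=3)
    missed = run_auction({1: 5000, 2: 3000, 3: 2500}, 100, {2}, tamper_sn=3)
    print(honest, caught, missed)
```

With these constructed bids, the altered pad on bid 3 is caught when SN 3 is in the sample list and passes unnoticed when only SN 2 is sampled, so detection of a non-winning manipulated bid depends on the sample rate.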

5.4.3 Enhanced Security Features

We now analyze the security features of EPPAS with respect to three primary cases: (i) messages are manipulated, (ii) the Intermediate Platform is compromised, and (iii) the Auctioneer is compromised.

Manipulated Message: In this case, none of the entities are compromised. Instead, an adversary tries to send manipulated messages (e.g., bids) to intervene in the auction process. Nonetheless, as we implement signatures in each message sent between entities, the manipulated message is not able to pass the verification due to not being signed, and the manipulated messages will be rejected without affecting the auctions.

Intermediate Platform Compromised: In this case, the Intermediate Platform is compromised and we assume that the adversary has full and complete access. First, the Intermediate Platform is independent from the Auctioneer. This means that it is still not able to obtain the Auctioneer’s secret key SK_a, and thus the encrypted prices and key for the auction data will not be revealed. Next, we consider that the adversary may want to reveal the key K for the auction data by cheating the Auctioneer. By design, however, it can only obtain the re-encrypted key PK_w(K) from the Auctioneer. Thus, the only mechanism available is to make itself the winner of the auction. To win the auction, the adversary would need to create a price with a legal signature, which means using a registered account. In addition, it needs to manipulate all other higher bids. Since the Paillier encrypted prices are semantically secure, the adversary can only randomly select the target at a certain rate, hoping to have found all higher bids.

Figure 2a illustrates the success rate of the adversary not missing any higher bids over the number of incoming bids, assuming a 10 % chance for the bid to be higher. Nonetheless, the manipulation would be detected by the Auctioneer as well. Figure 2b represents the success rate of not being detected over the number of incoming bids, assuming a 10 % sampling rate in the Auctioneer. Combined, the successful cheating rate is shown in Figure 2c, which is less than 0.1 % after the total number of bids exceeds 50. Notice that, even if the manipulation is successful and not detected, the adversary still needs to pay at least the reserve price, since manipulation to the reserve price would be detected under our guarantee.

Auctioneer Compromised: In this case, the Auctioneer is compromised and we assume the adversary has full and complete access. The adversary has the Auctioneer’s secret key SK_a. Nonetheless, by our designed procedure, it is not possible for the adversary to obtain the unpadded prices before the end of the bidding window. The adversary could send a bid to the Intermediate Platform and obtain the padded price to find the value of the pad. Nonetheless, with only the padded price and serial number returned, it is hard to match the original price.

If the adversary wants to cheat to obtain the key of the auction data, it could try to claim itself as the winner of the auction. Nonetheless, according to our design, the Winner’s serial number is sent to the Intermediate Platform before getting the pad to reveal actual prices. The adversary would not be able to find the serial number for its own bidding price. Therefore, this type of cheating cannot be achieved.

To summarize, our proposed EPPAS is proven to be secure against the above attacks.

5.5 Performance Evaluation of EPPAS

Just as in the PPAS evaluation, we have implemented our proposed Enhanced Privacy-Preserving Auction Scheme and conducted a performance evaluation to demonstrate its effectiveness. In the following, we first present the evaluation methodology and then describe the evaluation results.

Methodology. We have implemented our EPPAS prototype, including the Paillier cryptosystem [16], and the workflow and algorithms described in Section 5.3, in Java. The four entities (Auctioneer, Intermediate Platform, Seller, and Bidder) have been individually implemented for emulation in CORE, and we used the Constrained Application Protocol (CoAP) to realize the communication and data transmissions.

The bandwidth has again been fixed at a high value such that we consider only the processing time of the scheme. The emulation environment was set up on the same system from Section 4.4 (an OSX system on a MacMini computer with Intel Core i5 CPU at 2.6 GHz, and 8 GB memory).

The experiments were conducted in the following three stages: In the first stage, we evaluated the performance of the individual operations, including Encryption, Decryption, Padding, Signing, Verification, and Key Generation, testing each using key lengths of 512 bits, 1024 bits, and 2048 bits. Each operation was executed 10,000 times, and the average processing time was recorded as the performance of


the individual operations. In the second stage, we evaluate the performance of the system (i.e., the Auctioneer and the Intermediate Platform). We considered the worst-case scenario that assumes all bids come at the end of the bidding window. The key length that we used is 2048 bits, which is able to provide adequate security. The numbers of bids were set to 100, 1,000, and 10,000. We recorded the processing time from the first incoming bid until the winner-access-only key is published. We also record the accuracy of the system successfully finding a winner.

In the third stage, we evaluate the security aspects of EPPAS. Particularly, we generated manipulated messages, and simulated the attacks mentioned in Section 5.4 to validate the security of EPPAS. For instance, to test security against manipulated messages, we ran 100 experiments, where the total number of bids was set to 10,000. We manipulated 10 % of the messages and recorded the rejection rate, as well as the times that the auction was terminated. To test the security against the Platform being compromised, we set 10 % target bids and set the manipulation rate at 10 %, and the sample rate in the Auctioneer is set to 10 %. The number of bids is set to 200, and we recorded the rate of successful cheating over 10,000 runs.

[Fig. 3: plot of Event Rate (0 to 1) against Number of Bids (0 to 1000), with curves for NOT missing Higher Bidder, Manipulation Not Detected, and Cheat Success.]
Fig. 3. Security against Compromised Platform

TABLE 8. Time for Individual Operations

| Operation | 512 bits | 1024 bits | 2048 bits |
|---|---|---|---|
| KeyGen | 8.4013 ms | 46.5453 ms | 377.8954 ms |
| Encryption | 1.3833 ms | 9.1497 ms | 68.3971 ms |
| Decryption | 1.2893 ms | 8.8755 ms | 68.0633 ms |
| Padding | 0.0047 ms | 0.0148 ms | 0.0441 ms |
| Signature | 3.1532 ms | 20.8929 ms | 152.4763 ms |
| Verification | 2.5946 ms | 17.6915 ms | 135.0198 ms |

TABLE 9. System Performance (2048-bit key)

| Number of bids | 100 | 1000 | 10000 |
|---|---|---|---|
| Processing time | 51687 ms | 505880 ms | 5047507 ms |
| Avg. time | 516.87 ms | 505.88 ms | 504.75 ms |
| Success Rate | 100 % | 100 % | 100 % |

TABLE 10. Resilience to Manipulated Messages (MSG)

| | Total Number | Accepted | Rejected |
|---|---|---|---|
| Normal MSG | 900,000 | 900,000 | 0 |
| Manipulated MSG | 100,000 | 0 | 100,000 |

| | Total Number | Completed | Terminated |
|---|---|---|---|
| Auctions | 100 | 100 | 0 |

Results. Table 8 shows the performance of individual operations under different key lengths. As can be observed, the average processing time for each individual operation increases with the length of the key. This result can be used as a baseline to predict the performance when applied to other uses. Compared to the results for PPAS (Table 5), additional processing times are included for digital signature and verification. As observed, it would take about twice the processing time for these two operations compared to encryption and decryption.

Table 9 shows the system performance of the Auctioneer with the Platform. It can be observed from the result that the system achieves a 100 % success rate in finding the correct winner, again proving the effectiveness of our system. The average processing time for each bid is on the order of 500 ms when using a 2048-bit key, taking almost 1.5 hours to complete an auction with 10,000 bids. Compared to the result in PPAS (Table 5), however, the processing time in EPPAS is significantly reduced. This is due to the new comparison mechanism, where all padded prices are compared and sorted on the Auctioneer’s side. Thus, encryption is no longer needed for every swap, saving processing time. It is notable that our enhanced scheme has both improved the security of the system and reduced the processing time.

Nonetheless, this performance can be further increased in multiple ways. First, considering that we use the worst-case scenario where all bids come at the last minute, the bids in real-world auctions would come in throughout the entire bidding window, and the processing after the bidding window would be significantly reduced. Second, by analyzing the individual operations, we know that Signing and Verifying take much longer than Encryption and Decryption. While these operations ensure the security of the auction, nonetheless, the Verification/Signing may not need to use the same key pairs as Encryption and Decryption. Considering the security needs of different levels, we could use a separate shorter bit-length key pair for digital signature and verification. Finally, the experiment has been conducted on a standard commodity computer. To meet the needs of large-scale service, the system could be deployed to more powerful servers or clouds. As demonstrated in Table 6, the highest time complexity of the operations is O(n log n), meaning that the system is well designed and performance can be increased by implementation in more powerful hardware.

Table 10 illustrates the results of security against manipulated messages. As can be observed, all manipulated messages were rejected, and normal messages are accepted. Likewise, all 100 auctions are correctly completed without termination. The results demonstrate that the system is resilient to this type of attack, and normal operation is unaffected.

Figure 3 shows the result of security against a compromised Intermediate Platform. As can be observed, the compromised Platform is either detected or fails to manipulate all targets at the very beginning of the bidding procedure. Notice that, as shown in Section 5.4, the compromised Auctioneer will not affect the system.

6 EXTENSION

Through our extensive experiments in Section 4.4, we have validated the effectiveness of our proposed Privacy-


Preserving Auction Scheme (PPAS). Furthermore, with the improvement in design, Section 5.5 presents better performance in processing time for our Enhanced Privacy-Preserving Auction Scheme (EPPAS). As we have clarified in the performance evaluation, we used the worst-case scenario, where all bids arrive at the end of the bidding window. In real-world practice, bids could arrive randomly during the bidding window, and would result in a shorter processing time for the platform to return the bidding results. Meanwhile, our proposed EPPAS is highly security-resilient and can successfully deal with different privacy threats. In the following, we discuss some extensions.

Extended Algorithms and Rules. Despite the effectiveness of our designed auction, there remain several avenues for us to improve upon this auction scheme. In this paper, the auction schemes we have proposed (both PPAS and EPPAS) can be considered as one generic framework. This means that it is modularized and can be further integrated with additional algorithms and auction rules. As we have mentioned, for example, EPPAS is able to support one seller, multiple bidders, and one winner in each auction process. It would be very interesting and useful to extend the capabilities of our auction platform to support more auction rules, including multiple winners, multiple sellers on data equivalents, and others. Moreover, since the platform is designed as a modular system, we can enable the replacement of the current cryptosystem, or the introduction of additional operations and mechanisms without changing the framework. As in the real world, the trading data could be from varying applications (CPS, IoT System, etc.), and this modularization provides the capability for the auction platform to access data that varies in type, size, and other features.

Based on the previous work and proposed auction platform, there are several extensions that we intend to implement to further improve the performance and security of our proposed auction platform. The designed data trading process is highly relevant to big data, IoT, and copyright protection. Thus, in order to promote further research, extension tasks should address system robustness, system adaptability, data pricing model, data trading scheme, and data copyright protection.

System Robustness. Homomorphic cryptography-based schemes cost more in terms of time and space to ensure privacy during the auction in comparison with traditional plaintext-based auction schemes. Different mechanisms in the realm of homomorphic cryptosystems may yield better performance in time and space costs, as well as support additional operations. In addition, a variety of differential privacy mechanisms can be considered in the privacy-preserving design of the auction process [21], [22], [23].

Other Privacy Preserving Strategies. Differential Privacy is another strategy for privacy preservation [24]. In Differential Privacy, randomized noise is added to the valued data as a response on each query to provide a differential privacy guarantee. Generally speaking, the noise is adjusted based on the sensitivity of the randomization function, which measures the maximum difference in the values of the two responses from the adjacent datasets. As applied to auctions, Differential Privacy can provide an alternative mechanism to protect identities and other sensitive information, such as pricing. Nonetheless, since the winner of the auction should be determined by the bidding prices, adding randomized noise will affect the accuracy of the auction process, reducing the utility of the auction process as a whole.

System Adaptability. Big data is the key to the next waves of growth in productivity. Meanwhile, IoT accelerates the growth in volume and variety for big data. Thus, data as a kind of digital commodity has many different types and diverse sources, such as software, multimedia, unstructured data, etc. In this paper, we only consider the content encryption method and auction algorithms; however, due to the diversity of data types, the proposed auction platform needs to be extended to support different data types. For instance, trading software in the proposed auction platform may not require encryption. Furthermore, only using homomorphic encryption to encrypt the licenses or the keys of the software may be a viable and efficient alternative.

Data Pricing Model. Similar to traditional commodity trading, the very first step of data trading is data pricing. In this paper, we only consider a generic auction mechanism that is used to determine the price. There are a number of research efforts related to auction mechanisms, including one-side auction [25], [26], double auction [27], [28], sealed-bid auction [29], and combinatorial auction, to name a few. As ongoing work, we plan to integrate additional auction models into our data trading platform. In addition to auction schemes, different data pricing strategies (free-data strategy, usage-based pricing strategy, package pricing strategy, flat-pricing strategy, two-part tariff strategy, etc.) should be considered [6]. Finally, incorporating game theory mechanisms into our data pricing model (e.g., non-cooperative game, Stackelberg game, and bargaining game) has the potential to improve the adaptability of our model, and provides another interesting research direction.

Data Copyright Protection. The big data life-cycle consists of data collection, data analysis, data pricing, data trading, and data protection [6]. When the trading process is completed, the data copyright protection will be the most important issue for data owners. There are a number of research efforts toward protecting different types of data. For example, software-based copyright protection typically uses both on-line and off-line digital rights management (DRM) [30], [31]. In contrast, multimedia-based copyright protection usually includes watermarking technologies [32], [33], [34]. In the proposed auction platform, we use homomorphic encryption to encrypt the source data. It is our intention to investigate embedding a watermark into the data during the encryption process. This feature has the potential to merge data trading and protection together, and improve the performance and adaptability of the platform.

7 RELATED WORK

The advances of CPS and IoT technologies have led to a number of smart-world systems (smart grid, smart cities, smart manufacturing, etc.) [1], [2], [3], [4], [5] and data trading has become an active research topic in recent years [6], [35], [12], [36], [37], [38], [39], [40], [27]. For example, Liang et al. in [6] reviewed existing research in big data, identified the lifecycle of big data trading, discussed existing


research focused on data pricing, data trading, and data protection, and considered future research needs. Pantelis and Aija in [35] designed a taxonomy to study the value of big data. An et al. in [38] investigated a one-side data auction market and proposed a scheme to deal with false data bidding attacks. Koronios et al. in [41] discussed internal data markets and the opportunities in data trading. Jiao et al. in [40] proposed a Bayesian profit maximization auction, which can be solved to obtain optimal service price and data size, leading to profit maximization.

In trading digital commodities, determining the pricing and value of the commodities is critical. For example, Muschalle et al. in [42] presented data pricing strategies, including the sample data free strategy, the usage-based data pricing strategy, and others. Meanwhile, Roncoroni [43] proposed a cost-based data pricing model, which first calculates the cost and then determines the price. Nonetheless, this model does not consider competition and demand, which is the disadvantage of this kind of pricing model [44]. Niyato et al. in [36] proposed the market model and price scheme. Shen et al. in [37] addressed the issue of how to price big personal data and proposed a pricing model for big personal data based on tuple granularity. In addition, Kang et al. in [45] proposed a Stackelberg Game-based pricing model and Mao et al. in [46] proposed a Bargaining Game-based pricing model.

In addition, trading using auction schemes has been applied to manage resources in various systems, such as CPS [12], [11], wireless networks [13], [14], and others. For example, An et al. in [12] addressed the electricity trading issue in the smart grid and designed a new online double auction scheme. Nadendla et al. in [13] designed a sealed-bid auction scheme to enable dynamic spectrum allocation in wireless networks. In addition, Cao et al. in [47] focused on the coordination of data trading and trading efficiency in the market, and proposed an iterative auction mechanism to coordinate trading. Their study focused on avoiding the selfish data owner, who only seeks to maximize their own data value, which also affects the efficiency of overall systems.

Regarding data auction mechanisms, Lorenzo and Gonzalez-Castano in [48] proposed a matching game mechanism using game theory to increase the speed of an auction process. Yu et al. in [49] proposed an economics model that deals with the trading scenario, in which the single user’s trading decision is subject to future demand uncertainty. Via the designed scheme, a single user could make a decision to meet the best price by using this model. In addition, several recent studies have begun to investigate the privacy issues in data markets [50], [51]. Nonetheless, research on privacy in data auctions is still in its infancy.

A critical issue of auction markets is the potential for privacy exposure for both bidders and owners in the big data arena. Privacy protection concepts and methods can be found in [52], [6], [53], [54], [55], [56], [57], [24], [58], [21], [38]. For example, research efforts have been conducted toward privacy preserving techniques for CPS [58]. Nonetheless, the traditional methods usually only focus on owner and commodity privacy protections, and ignore the bidders. One explanation is that the encrypted information of bidders needs to be decrypted during the auction process.

Homomorphic cryptography and differential privacy are representative types of privacy-preserving schemes in auction markets that have been applied in recent years. There have been some research efforts related to using homomorphic cryptography to protect auction processes, such as [59], [60], [61], [62], [63], [64]. For example, Huang et al. in [62], [64] applied homomorphic encryption to protect privacy in spectrum auction. The authors in [61] also designed auction schemes based on homomorphic encryption in spectrum allocation. In addition, relevant techniques have been used for secure data aggregation in wireless sensor networks [65]. Nonetheless, there is only limited literature on designing privacy-preserving schemes in data market auctions [66], [67].

To summarize, in this paper, we proposed a comprehensive third-party data auction platform using homomorphic encryption to protect the privacy of both owners/sellers and bidders. To our knowledge, there is no other research which involves homomorphic encryption to protect the data auction process and designs both a privacy-preserving and secure third-party auction platform, which is the focus of our study. Compared with the existing auction schemes, we are not only focused on the efficiency and security of the platform, but also the integration of the third-party auction platform as a new concept to satisfy the demands of big data and CPS. Through our experiments, the proposed platform has demonstrated good performance, and through the application of homomorphic encryption, all the private information is encrypted during the auction process, demonstrably protecting both owner and bidder privacy.

8 FINAL REMARKS

In this paper, we have addressed the issue of protecting information privacy during the data auction in the third-party auction platform. We have leveraged the concept of homomorphic encryption to design a Privacy-Preserving Auction Scheme (PPAS). In order to carry out a privacy-preserving auction, we selected a set of crypto-primitives and designed algorithms in our system to enable the efficiency of the auction process. To further improve the security and resistance to attacks of PPAS, we proposed the Enhanced Privacy-Preserving Auction Scheme (EPPAS). The prototypical system of the auction scheme has been implemented to conduct thorough experimental evaluation. The experimental results demonstrate that our proposed scheme is capable of ensuring the determination of an auction winner with a 100 % correct rate under normal operations and without leakage of private information. In addition, multiple attack scenarios against the auction were investigated and applied in our evaluation, and have been correctly detected and prevented. We also discussed some extensions of our designed system. Our generic framework can be further integrated with other cryptosystems and auction rules to improve the performance and the scope of the data auction.

REFERENCES

[1] R. van der Meulen, “8.4 billion connected ’things’ will be in use in 2017, up 31 percent from 2016,” 2017. [Online]. Available: https://www.gartner.com/newsroom/id/3598917
[2] J. A. Stankovic, “Research directions for the Internet of Things,” IEEE Internet of Things Journal, vol. 1, no. 1, pp. 3–9, Feb 2014.


[3] Q. Yang, D. An, R. Min, W. Yu, X. Yang, and W. Zhao, “Optimal PMU placement based defense against data integrity attacks in smart grid,” IEEE Transactions on Forensics and Information Security (T-IFS), vol. 12, no. 7, pp. 1735–1750, 2017.
[4] J. Lin, W. Yu, X. Yang, Q. Yang, X. Fu, and W. Zhao, “A real-time en-route route guidance decision scheme for transportation-based cyberphysical systems,” IEEE Transactions on Vehicular Technology, vol. 66, no. 3, pp. 2551–2566, March 2017.
[5] J. Lin, W. Yu, N. Zhang, X. Yang, H. Zhang, and W. Zhao, “A survey on Internet of Things: Architecture, enabling technologies, security and privacy, and applications,” IEEE Internet of Things Journal, vol. 4, no. 5, pp. 1125–1142, Oct 2017.
[6] F. Liang, W. Yu, D. An, Q. Yang, X. Fu, and W. Zhao, “A survey on big data market: Pricing, trading and protection,” IEEE Access, vol. 6, pp. 15 132–15 154, 2018.
[7] S. Yu, M. Liu, W. Dou, X. Liu, and S. Zhou, “Networking for big data: A survey,” IEEE Communications Surveys Tutorials, vol. 19, no. 1, pp. 531–549, Firstquarter 2017.
[8] M. Mohammadi, A. I. Al-Fuqaha, S. Sorour, and M. Guizani, “Deep learning for iot big data and streaming analytics: A survey,” CoRR, vol. abs/1712.04301, 2017. [Online]. Available: http://arxiv.org/abs/1712.04301
[9] C. Yi and J. Cai, “Two-stage spectrum sharing with combinatorial auction and stackelberg game in recall-based cognitive radio networks,” IEEE Transactions on Communications, vol. 62, no. 11, pp. 3740–3752, 2014.
[10] F. Wu, Q. Huang, Y. Tao, and G. Chen, “Towards privacy preservation in strategy-proof spectrum auction mechanisms for noncooperative wireless networks,” IEEE/ACM Transactions on Networking (TON), vol. 23, no. 4, pp. 1271–1285, 2015.
[11] Q. Yang, D. An, W. Yu, X. Yang, and X. Fu, “On stochastic optimal bidding strategy for microgrids,” in 2015 IEEE 34th International Performance Computing and Communications Conference (IPCCC), Dec 2015, pp. 1–8.
[12] D. An, Q. Yang, W. Yu, X. Yang, X. Fu, and W. Zhao, “SODA: Strategy-proof online double auction scheme for multimicrogrids bidding,” IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. PP, no. 99, pp. 1–14, 2017.
[13] V. S. S. Nadendla, S. K. Brahma, and P. K. Varshney, “Optimal spectrum auction design with 2-d truthful revelations under uncertain spectrum availability,” IEEE/ACM Transactions on Networking, vol. 25, no. 1, pp. 420–433, Feb 2017.
[14] Z. Feng, Y. Zhu, Q. Zhang, L. M. Ni, and A. V. Vasilakos, “TRAC: Truthful auction for location-aware collaborative sensing in mobile crowdsourcing,” in IEEE Conference on Computer Communications (INFOCOM), April 2014, pp. 1231–1239.
[15] C. Gentry, “Fully homomorphic encryption using ideal lattices,” in Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing, ser. STOC ’09. New York, NY, USA: ACM, 2009, pp. 169–178.
[16] P. Paillier et al., “Public-key cryptosystems based on composite degree residuosity classes,” in Eurocrypt, vol. 99. Springer, 1999, pp. 223–238.
[17] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on Information Theory, vol. 31, no. 4, pp. 469–472, 1985.
[18] A. López-Alt, E. Tromer, and V. Vaikuntanathan, “On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption,” in Proceedings of the forty-fourth annual ACM symposium on Theory of computing. ACM, 2012, pp. 1219–1234.
[19] C. Gentry, A. Sahai, and B. Waters, “Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based,” in Advances in Cryptology–CRYPTO 2013. Springer, 2013, pp. 75–92.
[20] Common Open Research Emulator, http://www.nrl.navy.mil/itd/ncs/products/core.
[21] X. Yang, T. Wang, X. Ren, and W. Yu, “Survey on improving data utility in differentially private sequential data publishing,” IEEE Transactions on Big Data, vol. PP, no. 99, pp. 1–1, 2017.
[22] Q. Wang, Y. Zhang, X. Lu, Z. Wang, Z. Qin, and K. Ren, “Real-time and spatio-temporal crowd-sourced social network data publishing with differential privacy,” IEEE Transactions on Dependable and Secure Computing, vol. PP, no. 99, pp. 1–1, 2016.
[23] F. McSherry and K. Talwar, “Mechanism design via differential privacy,” in Foundations of Computer Science, 2007. FOCS ’07. 48th
[24] X. Yang, T. Wang, X. Ren, and W. Yu, “Survey on improving data utility in differentially private sequential data publishing,” IEEE Transactions on Big Data, 2017.
[25] Q. Wu, M. C. Zhou, Q. Zhu, and Y. Xia, “Vcg auction-based dynamic pricing for multigranularity service composition,” IEEE Transactions on Automation Science & Engineering, vol. PP, no. 99, pp. 1–10, 2017.
[26] L. Li, X. Liu, and Z. Hu, A Bid Evaluation Method for Multi-attribute Online Reverse Auction. Springer Singapore, 2017.
[27] X. Zhou and H. Li, “Buying on margin and short selling in an artificial double auction market,” Computational Economics, no. 8, pp. 1–17, 2017.
[28] T. Zhou, B. Chen, C. Zhu, and X. Zhai, “TPAHS: A truthful and profit maximizing double auction for heterogeneous spectrums,” in Trustcom/bigdatase/ispa, 2017, pp. 27–33.
[29] O. Kirchkamp, E. Poen, and J. P. Reiß, “Outside options: Another reason to choose the first-price auction,” European Economic Review, vol. 53, no. 2, pp. 153–169, 2009.
[30] C. Skipper, E. D. Lewis, D. Konetski, C. Burchett, R. W. Schuckle, J. M. Burke, W. W. Robbins, and C. E. Gates, “Systems and methods for providing secure data,” Aug. 5 2015, US Patent App. 14/819,322.
[31] C. D’Orazio and K.-K. R. Choo, “An adversary model to evaluate DRM protection of video contents on iOS devices,” Computers & Security, vol. 56, pp. 94–110, 2016.
[32] F. Arab, S. M. Abdullah, S. Z. M. Hashim, A. A. Manaf, and M. Zamani, “A robust video watermarking technique for the tamper detection of surveillance systems,” Multimedia Tools and Applications, vol. 75, no. 18, pp. 10 855–10 885, 2016.
[33] J. Hao, X. Yao, J. Huang, Y. Qian, and J. Jagannathan, “Video content protection,” Feb. 9 2016, US Patent 9,258,584.
[34] K. Jain and U. Raju, “A digital video watermarking algorithm based on LSB and DCT,” Journal of Information Security Research, vol. 6, no. 3, pp. 92–97, 2015.
[35] K. Pantelis and L. Aija, “Understanding the value of (big) data,” in Big Data, 2013 IEEE International Conference on, 2013, pp. 38–42.
[36] D. Niyato, M. A. Alsheikh, P. Wang, D. I. Kim, and Z. Han, “Market model and optimal pricing scheme of big data and internet of things (iot),” in Communications (ICC), 2016 IEEE International Conference on, 2016, pp. 1–6.
[37] Y. Shen, B. Guo, Y. Shen, X. Duan, X. Dong, and H. Zhang, “A pricing model for big personal data,” Tsinghua Science and Technology, vol. 21, no. 5, pp. 482–490, 2016.
[38] D. An, Q. Yang, W. Yu, D. Li, Y. Zhang, and W. Zhao, “Towards truthful auction for big data trading,” in 2017 IEEE 36th International Performance Computing and Communications Conference (IPCCC), Dec 2017.
[39] C. Niu, Z. Zheng, F. Wu, X. Gao, and G. Chen, “Trading data in good faith: Integrating truthfulness and privacy preservation in data markets,” in Data Engineering (ICDE), 2017 IEEE 33rd International Conference on. IEEE, 2017, pp. 223–226.
[40] Y. Jiao, P. Wang, D. Niyato, M. A. Alsheikh, and S. Feng, “Profit maximization auction and data management in big data markets,” in Wireless Communications and Networking Conference (WCNC), 2017 IEEE. IEEE, 2017, pp. 1–6.
[41] A. Koronios, T. Redman, and J. Gao, “Internal data markets: the opportunity and first steps,” in Cooperation and Promotion of Information Resources in Science and Technology, Fourth International Conference on, 2009, pp. 127–130.
[42] A. Muschalle, F. Stahl, A. Löser, and G. Vossen, “Pricing approaches for data markets,” in International Workshop on Business Intelligence for the Real-Time Enterprise. Springer, 2012, pp. 129–144.
[43] A. Roncoroni, “Commodity price models,” Encyclopedia of Quantitative Finance, 2010.
[44] E. F. Fama and K. R. French, “Commodity futures prices: Some evidence on forecast power, premiums, and the theory of storage,” in The World Scientific Handbook of Futures Markets. World Scientific, 2016, pp. 79–102.
[45] X. Kang, R. Zhang, and M. Motani, “Price-based resource allocation for spectrum-sharing femtocell networks: A stackelberg game approach,” IEEE Journal on Selected areas in Communications, vol. 30, no. 3, pp. 538–549, 2012.
[46] Y. Mao, T. Cheng, H. Zhao, and N. Shen, “A strategic bargaining game for a spectrum sharing scheme in cognitive radio-based heterogeneous wireless sensor networks,” Sensors, vol. 17, no. 12, p. 2737, 2017.
[47] X. Cao, Y. Chen, and K. R. Liu, “Data trading with multiple
Annual IEEE Symposium on, Oct 2007, pp. 94–103. owners, collectors, and users: An iterative auction mechanism,”


Weichao Gao received the B.S. degree from Fudan University (Shanghai, China) in 2005, the MBA from University of Michigan (MI, USA) in 2011, and the M.S. degree in Computer Science and technology from Towson University (MD, USA) in 2017. He is currently a doctoral student at Towson University. His research interests include Internet-of-Things, cyberspace security, and computer networks.

Wei Yu
Dr. Wei Yu is an Associate Professor with the Department of Computer and Information Sciences, Towson University. Before joining Towson, he was with Cisco Systems Inc. for nine years. He received the B.S. degree in electrical engineering from Nanjing University of Technology, Nanjing, China, in 1992, the M.S. degree in electrical engineering from Tongji University, Shanghai, China in 1995, and the Ph.D. degree in computer engineering from Texas A&M University in 2008. His research interests include cyberspace security and privacy, computer networks, and cyber-physical systems. He is a recipient of a 2014 NSF CAREER Award, 2015 University System of Maryland (USM) Regents’ Faculty Award for Excellence in Scholarship, Research, or Creative Activity, and the USM Wilson H. Elkins Professorship Award, and Best Paper Awards from WASA 2017, IEEE IPCCC 2016, IEEE ICC 2013 and 2008.

Fan Liang received a Bachelor degree in Computer Science from Northwestern Polytechnical University China in 2005, and a Master’s degree in Computer Engineering from University of Massachusetts Dartmouth in 2015. Currently, he is pursuing his doctoral degree in Computer Science at Towson University since 2017. His research interests include wireless networks, big data, smart grid and network security.

William Grant Hatcher received a Bachelor of Science degree from the University of Maryland in Materials Science and Engineering. He is currently pursuing a Master of Computer Science degree at Towson University. His research interests include mobile computing and security, big data, and machine learning.

Chao Lu has been with Towson University as a professor of Computer Science since 1990. He received his BS in Engineering from Shandong University China in 1982, and MS in 1985 and Ph.D. in Engineering (E.E.) in 1988 from City University of New York. His research interests include error-free computing, human motion classification, computer vision, parallel/distributed computing, and cyber security. He received the U.S. Federal “Excellence in Technology Transfer” award and the “Alan Berman Research Publications” award in 2001, and has published more than 80 research papers.
