Data Privacy Management

Cryptocurrencies and Blockchain

Technology ESORICS 2018
International Workshops DPM 2018 and
CBT 2018 Barcelona Spain September 6
7 2018 Proceedings Joaquin
Garcia-Alfaro
Visit to download the full and correct content document:
https://textbookfull.com/product/data-privacy-management-cryptocurrencies-and-bloc
kchain-technology-esorics-2018-international-workshops-dpm-2018-and-cbt-2018-bar
celona-spain-september-6-7-2018-proceedings-joaquin-garcia-alfaro/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Data Privacy Management Cryptocurrencies and Blockchain

Technology ESORICS 2019 International Workshops DPM
2019 and CBT 2019 Luxembourg September 26 27 2019
Proceedings Cristina Pérez-Solà
https://textbookfull.com/product/data-privacy-management-
cryptocurrencies-and-blockchain-technology-
esorics-2019-international-workshops-dpm-2019-and-
cbt-2019-luxembourg-september-26-27-2019-proceedings-cristina-
perez-sola/
Security and Trust Management 14th International
Workshop STM 2018 Barcelona Spain September 6 7 2018
Proceedings Sokratis K. Katsikas

https://textbookfull.com/product/security-and-trust-
management-14th-international-workshop-stm-2018-barcelona-spain-
september-6-7-2018-proceedings-sokratis-k-katsikas/

Emerging Technologies for Authorization and

Authentication First International Workshop ETAA 2018
Barcelona Spain September 7 2018 Proceedings Andrea
Saracino
https://textbookfull.com/product/emerging-technologies-for-
authorization-and-authentication-first-international-workshop-
etaa-2018-barcelona-spain-september-7-2018-proceedings-andrea-
saracino/

Computer Security 23rd European Symposium on Research

in Computer Security ESORICS 2018 Barcelona Spain
September 3 7 2018 Proceedings Part I Javier Lopez

https://textbookfull.com/product/computer-security-23rd-european-
symposium-on-research-in-computer-security-
esorics-2018-barcelona-spain-september-3-7-2018-proceedings-part-
Graph Drawing and Network Visualization 26th
International Symposium GD 2018 Barcelona Spain
September 26 28 2018 Proceedings Therese Biedl

https://textbookfull.com/product/graph-drawing-and-network-
visualization-26th-international-symposium-gd-2018-barcelona-
spain-september-26-28-2018-proceedings-therese-biedl/

Privacy in Statistical Databases UNESCO Chair in Data

Privacy International Conference PSD 2018 Valencia
Spain September 26 28 2018 Proceedings Josep Domingo-
Ferrer
https://textbookfull.com/product/privacy-in-statistical-
databases-unesco-chair-in-data-privacy-international-conference-
psd-2018-valencia-spain-september-26-28-2018-proceedings-josep-
domingo-ferrer/

Understanding and Interpreting Machine Learning in

Medical Image Computing Applications First
International Workshops MLCN 2018 DLF 2018 and iMIMIC
2018 Held in Conjunction with MICCAI 2018 Granada Spain
September 16 20 2018 Proceedings Danail Stoyanov
https://textbookfull.com/product/understanding-and-interpreting-
machine-learning-in-medical-image-computing-applications-first-
international-workshops-mlcn-2018-dlf-2018-and-imimic-2018-held-
in-conjunction-with-miccai-2018-granada-sp/

Big Data Analytics and Knowledge Discovery 20th

International Conference DaWaK 2018 Regensburg Germany
September 3 6 2018 Proceedings Carlos Ordonez

https://textbookfull.com/product/big-data-analytics-and-
knowledge-discovery-20th-international-conference-
dawak-2018-regensburg-germany-september-3-6-2018-proceedings-
carlos-ordonez/

Business Process Management Workshops: BPM 2018

International Workshops, Sydney, NSW, Australia,
September 9-14, 2018, Revised Papers Florian Daniel

https://textbookfull.com/product/business-process-management-
workshops-bpm-2018-international-workshops-sydney-nsw-australia-
september-9-14-2018-revised-papers-florian-daniel/
 Joaquin Garcia-Alfaro
Jordi Herrera-Joancomartí
Giovanni Livraga · Ruben Rios (Eds.)
LNCS 11025

Data Privacy Management,

Cryptocurrencies and
Blockchain Technology
ESORICS 2018 International Workshops, DPM 2018
and CBT 2018, Barcelona, Spain, September 6–7, 2018
Proceedings

123
Lecture Notes in Computer Science 11025
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zurich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology Madras, Chennai, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7410
Joaquin Garcia-Alfaro Jordi Herrera-Joancomartí
•

Giovanni Livraga Ruben Rios (Eds.)

•

Data Privacy Management,

Cryptocurrencies and
Blockchain Technology
ESORICS 2018 International Workshops, DPM 2018
and CBT 2018, Barcelona, Spain, September 6–7, 2018
Proceedings

123
Editors
Joaquin Garcia-Alfaro Giovanni Livraga
Télécom SudParis Università degli Studi di Milano
Evry Crema
France Italy
Jordi Herrera-Joancomartí Ruben Rios
Enginyeria de la Informacio I de les Com Universidad de Málaga
Universitat Autonoma de Barcelona Málaga
Bellaterra Spain
Spain

ISSN 0302-9743 ISSN 1611-3349 (electronic)

Lecture Notes in Computer Science
ISBN 978-3-030-00304-3 ISBN 978-3-030-00305-0 (eBook)
https://doi.org/10.1007/978-3-030-00305-0

Library of Congress Control Number: 2018953831

LNCS Sublibrary: SL4 – Security and Cryptology

© Springer Nature Switzerland AG 2018

Chapters 28 and 30 are licensed under the terms of the Creative Commons Attribution 4.0 International
License (http://creativecommons.org/licenses/by/4.0/). For further details see license information in the
chapters.
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
 Foreword from the CBT 2018 Program Chairs

This volume contains the proceedings of the Second International Workshop on

Cryptocurrencies and Blockchain Technology (CBT 2018) held in Barcelona during
September 6–7, 2018, in conjunction with the 23rd European Symposium on Research
in Computer Security (ESORICS) 2018.
In less than ten years, cryptocurrencies and blockchain technology have taken a
central position in the IT world. The capitalization marked for cryptocurrencies is
bigger than 300 billion dollars and other promising applications of blockchain tech-
nology range from personal identification and good tracking to distributed autonomous
organizations. Since security is probably the main objective behind all such proposals,
a careful analysis should be performed on those proposals before they reach the mass
market. To that end, the CBT workshop aims to provide a forum for researchers in this
area to carefully analyze current systems and propose new ones in order to create a
scientific background for the solid development of this new area.
In response to the call for papers, we received 39 submissions that were carefully
reviewed by the Program Committee (PC), comprising 19 members, and by additional
reviewers. Each submission received at least three reviews. The PC selected seven full
papers and eight short papers for presentation at the workshop. The selected papers
cover aspects about smart contracts, second layer and off-chain transactions, trans-
parency, performance, attacks, and privacy.
Furthermore, the workshop will be enhanced with a keynote talk sponsored by the
Research Institute (cf. https://researchinstitute.io/), complemented by sponsoring from
BART (Blockchain Advanced Research & Technologies), Inria Saclay, Institut
Mines-Télécom, Universitat Autónoma de Barcelona, and SAMOVAR (URM 5157 of
CNRS).
A special thank you goes to all the authors, who submitted papers to CBT 2018, as
well as the PC and additional reviewers, who worked hard to review the submissions
and discussed the final program. Last but not least, we would like to thank the ESO-
RICS organizers, especially Sokratis Katsikas (ESORICS Symposium Steering Com-
mittee Chair), Miquel Soriano (ESORICS 2018 General Chair), Javier Lopez
(ESORICS 2018 Program Chair), Josep Pegueroles-Valles (ESORICS 2018 Organi-
zation Chair), Marcel Fernandez and Jose Luis Muñoz Tapia (ESORICS 2018 Web-
masters), for all their help and support during the organization of CBT 2018.

July 2018 Joaquin Garcia-Alfaro

Jordi Herrera-Joancomartí
 Organization

2nd International Workshop on Cryptocurrencies and Blockchain

Technology — CBT 2018

Program Committee Chairs

Joaquin Garcia-Alfaro Institut Mines-Télécom, Télécom SudParis, France
Jordi Herrera-Joancomartí Universitat Autònoma de Barcelona, Spain

Program Committee
Daniel Augot Inria Saclay, France
Rainer Böhme Universität Innsbruck, Austria
Joseph Bonneau New York University, USA
Jeremy Clark Concordia University, Canada
Ittay Eyal Technion, Israel
Hannes Hartenstein Karlsruher Institut für Technologie, Germany
Akira Kanaoka Toho University, Japan
Ghassan Karame NEC Research Institute, Germany
Shin’ichiro Matsuo BSafe.network and Keio University, Japan
Patrick McCorry University College London, UK
Sarah Meiklejohn University College London, UK
Andrew Miller University of Illinois, Urbana-Champaign, USA
Pedro Moreno Sanchez Purdue University, USA
Jose Luis Muñoz Tapia Universitat Politècnica de Catalunya, Spain
Guillermo Navarro Universitat Autònoma de Barcelona, Spain
Cristina Pérez-Solà Universitat Autònoma de Barcelona, Spain
Tim Ruffing Saarland University, Germany
Roger Wattenhofer ETH Zürich, Switzerland
Aviv Zohar The Hebrew University, Israel

Steering Committee
Rainer Böhme Universität Innsbruck, Austria
Joaquin Garcia-Alfaro Institut Mines, France
Hannes Hartenstein Karlsruher Institut für Technologie, Germany
Jordi Herrera-Joancomartí Universitat Autònoma de Barcelona, Spain
VIII Organization

Additional Reviewers

Sergi Delgado-Segura Patrik Keller

Joan Bel Michael Fröwis
Carlos Dolader Felix Klaedtke
Till Neudecker Juan Hernandez-Serrano
 Foreword from DPM 2018 Program Chairs

This volume contains the proceedings of the 13th International Workshop on Data
Privacy Management (DPM 2018), which was held in Barcelona, Spain, during
September 6–7, 2018, in conjunction with the 23rd European Symposium on Research
in Computer Security (ESORICS 2018).
The aim of DPM is to promote and stimulate international collaboration and research
exchange in areas related to the management of privacy-sensitive information. This is a
very critical and important issue for organizations and end users. It poses several
challenging problems such as translation of high-level business goals into system-level
privacy policies, administration of sensitive identifiers, data integration, and privacy
engineering, among others.
In response to the call for papers, 36 submissions were received and each of them
was evaluated on the basis of significance, novelty, and technical quality. The Program
Committee, comprising 35 members, performed an excellent task and with the help of
additional reviewers all submissions went through a careful anonymous review process
(3 reviews per submission). The Program Committee’s work was carried out
electronically, yielding intensive discussions. Among the submitted papers, the
Program Committee accepted 11 full papers (resulting in an acceptance rate of 30.5%)
and 5 short papers for presentation at the workshop.
The success of DPM 2018 depends on the volunteering effort of many individuals,
and there is a long list of people who deserve special thanks. We would like to thank all
the members of the Program Committee and all the external reviewers for all their hard
work in evaluating the papers in a short time window and for their active participation
in the discussion and selection process. We are very grateful to all people who gave
their assistance and ensured a smooth organization process: the DPM Steering
Committee for the guidance and support in the organization of the workshop; Enrico
Bacis for taking care of publicity; the ESORICS Symposium Steering Committee and
its chair, Sokratis Katsikas, for all the arrangements that made the satellite events
possible; Joaquin Garcia-Alfaro (ESORICS 2018 Workshop Chair), Miguel Soriano
(ESORICS 2018 General Chair), and Josep Pegueroles (ESORICS 2018 Organization
Chair) for their support in the workshop organization and logistics. We would also like
to thank the keynote speakers for accepting our invitation and for their enlightening
talks. We also express our gratitude for the support received from the UNESCO Chair
in Data Privacy, sponsor of the workshop.
Last but certainly not least, our thanks goes to all the authors who submitted papers
and to all the attendees of the workshop. We hope you find the program of DPM 2018
interesting, stimulating, and inspiring for your future research.

July 2018 Giovanni Livraga

Ruben Rios
 Organization

13th International Workshop on Data Privacy

Management — DPM 2018

Program Committee Chairs

Giovanni Livraga Università degli Studi di Milano, Italy
Ruben Rios Universidad de Málaga, Spain

Publicity Chair
Enrico Bacis Università degli Studi di Bergamo, Italy

Program Committee
Ken Barker University of Calgary, Canada
Jordi Castellà-Roca Universitat Rovira i Virgili, Spain
Mauro Conti University of Padua, Italy
Jorge Cuéllar Siemens AG, Germany
Frederic Cuppens Telecom Bretagne, France
Nora Cuppens Telecom Bretagne, France
Sabrina De Capitani Università degli Studi di Milano, Italy
di Vimercati
José M. De Fuentes Universidad Carlos III de Madrid, Spain
Roberto Di Pietro Hamad Bin Khalifa University, Qatar
Josep Domingo-Ferrer Universitat Rovira i Virgili, Spain
Carmen Fernandez-Gago University of Málaga, Spain
Sara Foresti Università degli Studi di Milano, Italy
Sebastien Gambs Université du Québec à Montréal, Canada
Joaquin Garcia-Alfaro Télécom SudParis, France
Marc Juarez Katholieke Universiteit Leuven, Belgium
Christos Kalloniatis University of the Aegean, Greece
Sokratis Katsikas Giøvik University College in Norway, Norway
Hiroaki Kikuchi Meiji University, Japan
Costas Lambrinoudakis University of Piraeus, Greece
Maryline Laurent Télécom SudParis, France
Wouter Lueks École Polytechnique Fédérale de Lausanne,
Switzerland
 Organization XI

Fabio Martinelli IIT-CNR, Italy

Chris Mitchell Royal Holloway, University of London, UK
Guillermo Navarro-Arribas Universitat Autònoma de Barcelona, Spain
David Nuñez NuCypher, USA
Martín Ochoa Universidad del Rosario, Colombia
Javier Parra-Arnau Universitat Rovira i Virgili, Spain
Gerardo Pelosi Politecnico di Milano, Italy
Silvio Ranise FBK, Security and Trust Unit, Italy
Pierangela Samarati Università degli Studi di Milano, Italy
Matthias Templ Vienna University of Technology, Austria
Vicenç Torra University of Skövde, Sweden
Yasuyuki Tsukada Kanto Gakuin University, Japan
Lena Wiese University of Göttingen, Germany
Melek Önen EURECOM, France

Steering Committee
Josep Domingo-Ferrer Universitat Rovira i Virgili, Spain
Joaquin Garcia-Alfaro Télécom SudParis, France
Guillermo Navarro-Arribas Autonomous University of Barcelona, Spain
Vicenç Torra University of Skövde, Sweden

Additional Reviewers

Michael Bamiloshin Zahra Pooranian

Alberto Blanco-Justicia Sara Ricci
Lorena Cazorla Andrea Saracino
Salimeh Dashti Mina Sheikhalishahi
Lorena González Manzano Mohammad Shojafar
Nicholas Mainardi Aggeliki Tsohou
Katerina Mavroeidi Katerina Vgena
David Pàmies Estrems
 Contents

CBT Workshop: Smart Contracts

Succinctly Verifiable Sealed-Bid Auction Smart Contract . . . . . . . . . . . . . . . 3

Hisham S. Galal and Amr M. Youssef

Blockchain-Based Fair Certified Notifications . . . . . . . . . . . . . . . . . . . . . . . 20

Macià Mut-Puigserver, M. Magdalena Payeras-Capellà,
and Miquel A. Cabot-Nadal

On Symbolic Verification of Bitcoin’s SCRIPT Language . . . . . . . . . . . . . . . . 38

Rick Klomp and Andrea Bracciali

Self-reproducing Coins as Universal Turing Machine. . . . . . . . . . . . . . . . . . 57

Alexander Chepurnoy, Vasily Kharin, and Dmitry Meshkov

CBT Workshop: Second Layer, Off-chain Transactions

and Transparency

Split Payments in Payment Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Dmytro Piatkivskyi and Mariusz Nowostawski

Payment Network Design with Fees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Georgia Avarikioti, Gerrit Janssen, Yuyi Wang, and Roger Wattenhofer

Atomic Information Disclosure of Off-Chained Computations

Using Threshold Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Oliver Stengele and Hannes Hartenstein

Contour: A Practical System for Binary Transparency . . . . . . . . . . . . . . . . . 94

Mustafa Al-Bassam and Sarah Meiklejohn

CBT Workshop: Consensus, Mining Pools and Performance

What Blockchain Alternative Do You Need? . . . . . . . . . . . . . . . . . . . . . . . 113

Tommy Koens and Erik Poll

Valuable Puzzles for Proofs-of-Work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Colin Boyd and Christopher Carr

A Poisoning Attack Against Cryptocurrency Mining Pools . . . . . . . . . . . . . . 140

Mohiuddin Ahmed, Jinpeng Wei, Yongge Wang, and Ehab Al-Shaer
XIV Contents

Using Economic Risk to Model Miner Hash Rate Allocation

in Cryptocurrencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
George Bissias, Brian N. Levine, and David Thibodeau

CBT Workshop: Deadlocks, Attacks and Privacy

Avoiding Deadlocks in Payment Channel Networks . . . . . . . . . . . . . . . . . . 175

Shira Werman and Aviv Zohar

Coloured Ring Confidential Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Felix Engelmann, Frank Kargl, and Christoph Bösch

Pitchforks in Cryptocurrencies: Enforcing Rule Changes Through

Offensive Forking- and Consensus Techniques (Short Paper) . . . . . . . . . . . . 197
Aljosha Judmayer, Nicholas Stifter, Philipp Schindler,
and Edgar Weippl

DPM Workshop: Privacy Assessment and Trust

Towards an Effective Privacy Impact and Risk Assessment

Methodology: Risk Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Majed Alshammari and Andrew Simpson

Privacy Risk Assessment: From Art to Science, by Metrics . . . . . . . . . . . . . 225

Isabel Wagner and Eerke Boiten

Bootstrapping Online Trust: Timeline Activity Proofs . . . . . . . . . . . . . . . . . 242

Constantin Cătălin Drăgan and Mark Manulis

DPM Workshop: Private Data and Searches

Post-processing Methods for High Quality Privacy-Preserving

Record Linkage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Martin Franke, Ziad Sehili, Marcel Gladbach, and Erhard Rahm

d-DOCA: Achieving Privacy in Data Streams. . . . . . . . . . . . . . . . . . . . . . . 279

Bruno C. Leal, Israel C. Vidal, Felipe T. Brito, Juvêncio S. Nobre,
and Javam C. Machado

Data Oblivious Genome Variants Search on Intel SGX . . . . . . . . . . . . . . . . 296

Avradip Mandal, John C. Mitchell, Hart Montgomery, and Arnab Roy

DPM Workshop: Internet of Things

Developing GDPR Compliant Apps for the Edge . . . . . . . . . . . . . . . . . . . . 313

Tom Lodge, Andy Crabtree, and Anthony Brown
 Contents XV

YaPPL - A Lightweight Privacy Preference Language for Legally

Sufficient and Automated Consent Provision in IoT Scenarios . . . . . . . . . . . 329
Max-R. Ulbricht and Frank Pallas

PrivacyGuard: Enforcing Private Data Usage with Blockchain

and Attested Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Ning Zhang, Jin Li, Wenjing Lou, and Y. Thomas Hou

DPM Workshop: Privacy and Cryptography

A Performance and Resource Consumption Assessment of Secret

Sharing Based Secure Multiparty Computation . . . . . . . . . . . . . . . . . . . . . . 357
Marcel von Maltitz and Georg Carle

Privacy-Preserving Trade Chain Detection . . . . . . . . . . . . . . . . . . . . . . . . . 373

Stefan Wüller, Malte Breuer, Ulrike Meyer, and Susanne Wetzel

FHE-Compatible Batch Normalization for Privacy Preserving

Deep Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Alberto Ibarrondo and Melek Önen

DPM Workshop: Future Internet

A General Algorithm for k-anonymity on Dynamic Databases . . . . . . . . . . . 407

Julián Salas and Vicenç Torra

On Security of Anonymous Invitation-Based System . . . . . . . . . . . . . . . . . . 415

Naoto Yanai and Jason Paul Cruz

Probabilistic Metric Spaces for Privacy by Design Machine Learning

Algorithms: Modeling Database Changes . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Vicenç Torra and Guillermo Navarro-Arribas

Lifelogging Protection Scheme for Internet-Based Personal Assistants . . . . . . 431

David Pàmies-Estrems, Nesrine Kaaniche, Maryline Laurent,
Jordi Castellà-Roca, and Joaquin Garcia-Alfaro

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441

CBT Workshop: Smart Contracts
 Succinctly Verifiable Sealed-Bid Auction
Smart Contract

Hisham S. Galal(B) and Amr M. Youssef

Concordia Institute for Information Systems Engineering,

Concordia University, Montréal, QC, Canada
h galal@encs.concordia.ca

Abstract. The recently growing tokenization process of digital and

physical assets over the Ethereum blockchain requires a convenient trade
and exchange mechanism. Sealed-bid auctions are powerful trading tools
due to the advantages they offer compared to their open-cry counter-
parts. However, the inherent transparency and lack of privacy on the
Ethereum blockchain conflict with the main objective behind the sealed-
bid auctions. In this paper, we tackle this challenge and present a smart
contract protocol for a succinctly verifiable sealed-bid auction on the
Ethereum blockchain. In particular, we utilize various cryptographic
primitives including zero-knowledge Succinct Non-interactive Argument
of Knowledge (zk-SNARK), Multi-Party Computation (MPC), Public-
Key Encryption (PKE) scheme, and commitment scheme for our app-
roach. First, the proving and verification keys for zk-SNARK are gen-
erated via an MPC protocol between the auctioneer and bidders. Then,
when the auction process starts, the bidders submit commitments of
their bids to the smart contract. Subsequently, each bidder individually
reveals her commitment to the auctioneer using the PKE scheme. Then,
according to the auction rules, the auctioneer claims a winner and gen-
erates a proof off-chain based on the proving key, commitments which
serve as public inputs, and their underlying openings which are consid-
ered the auctioneer’s witness. Finally, the auctioneer submits the proof
to the smart contract which in turn verifies its validity based on the
public inputs, and the verification key. The proposed protocol scales effi-
ciently as it has a constant-size proof and verification cost regardless of
the number of bidders. Furthermore, we provide an analysis of the smart
contract design, in addition to the estimated gas costs associated with
the different transactions.

Keywords: Ethereum · Smart contract · Sealed-bid auction

zk-SNARK

1 Introduction
The unprecedented growing deployment of assets on Ethereum has created a
remarkable market for assets exchange [1] which imposes a high demand for var-
ious trading tools such as verifiable and secure auctions. Auctions are platforms
c Springer Nature Switzerland AG 2018
J. Garcia-Alfaro et al. (Eds.): DPM 2018/CBT 2018, LNCS 11025, pp. 3–19, 2018.
https://doi.org/10.1007/978-3-030-00305-0_1
4 H. S. Galal and A. M. Youssef

for vendors to advertise their assets where interested buyers deposit competitive
bids based on their own monetary valuation. Commonly, the auction winner is
the bidder who submitted the highest price, however, there are a variety of other
rules to determine the winner. Additionally, auctions have also been known to
promote many economic advantages for the efficient trade of goods and services.
According to [18], there exist two types of sealed-bid auctions: (i) First-price
sealed-bid auctions (FPSBA) where the bidders submit bids in sealed envelops
to the auctioneer. Subsequently, the auctioneer solely opens them to determine
the winner who submitted the highest bid, and (ii) Vickrey auctions, which are
similar to FPSBA with the exception that the winner pays the second highest
bid instead.
Arguably, the main objective behind concealing the losing bids in sealed-
bid auctions is to prevent the use of bidders’ valuations against them in future
auctions. Therefore, bidders are motivated to cast their bids without worrying
about the misuse of their valuations. Nonetheless, when auctioneers collude with
malicious bidders, the aforementioned advantage is easily broken. Consequently,
the auctioneer has to be trusted to preserve bids’ privacy and to correctly claim
the auction winner. Therefore, various constructions of sealed-bid auctions utilize
cryptographic protocols to ensure the proper and secure implementation without
harming the privacy of bids.
Ethereum is the second most popular blockchain based on its market capital-
ization that exceeds $53 billion USD as of May 2018 [4]. Ethereum allows running
decentralized applications in a global virtual machine environment known as
Ethereum Virtual Machine (EVM) [28] without depending on any third-party.
From a practical viewpoint, the EVM is a large decentralized computer with
millions of objects (known as smart contracts) that can maintain an internal
database, execute code, and interact with each other. As a result, the EVM
substantially simplifies the creation of blockchain applications on its platform
rather than building new application-specific blockchain from scratch.
The code executed in the EVM is commonly known as a smart contract
which lies dormant and passive until its execution is triggered by transactions.
It inherits strong integrity assurance from the blockchain, even its creator cannot
modify it once it has been deployed. In Ethereum, computation is expensive as
transactions are executed and verified by the full-nodes on Ethereum network.
Therefore, Ethereum defines a gas metric to measure the computation efforts
and storage cost associated with transactions. In other words, each transaction
has a fee (i.e., consumed gas) that is paid by the transaction’s sender in Ether
(Ethereum currency). With the help of the consensus protocol, the smart con-
tract is also guaranteed to execute precisely as its code dictates. Although many
other blockchains such as Bitcoin [24] offer the capability to run smart con-
tracts, they are often very limited to a specific set of instructions. Conversely,
the instructions on EVM theoretically allow running any Turing-complete pro-
gram. However, there is a block gas limit that defines the maximum amount of
gas that can be consumed by all transactions combined in a single block. The
current block gas limit is around is 8-million gas as of May 2018 [2]. Therefore,
 Succinctly Verifiable Sealed-Bid Auction Smart Contract 5

smart contracts cannot include very expensive computations that exceed the
block gas limit.
In addition, despite the flexible programming capability in Ethereum smart
contracts, they still lack transactional privacy. In fact, the details of every trans-
action executed in the smart contract are visible to the entire network. Moreover,
these details are eventually stored in the Ethereum blockchain which also gives
the ability to review past transactions as well. Consequently, the lack of transac-
tional privacy is a major challenge towards the deployment of sensitive financial
applications. Usually, individuals and organizations prefer to preserve the pri-
vacy of their transactions. For example, an organization may not want to post
how much it spent on the purchase of some arbitrary assets.
Our contribution, we present a protocol for a sealed-bid auction smart
contract that utilizes a set of cryptographic primitives to provide the following
properties:
1. Bids’ Privacy. The submitted bids are not visible to competitors during the
bidding phase of the auction in the presence of malicious adversaries.
2. Posterior privacy. The losing bids are not revealed to the public assuming
a semi-honest auctioneer.
3. Bids’ Binding. Bidders cannot deny or change their bids once they are
committed.
4. Public Verifiability. Any individual can verify the correctness of the auction
winner proof.
5. Fairness. Rational parties are obligated to follow the proposed protocol to
avoid being financially penalized.
6. Non-Interactivity. The smart contract, on behalf of the bidders, verifies
the auction winner proof submitted by the auctioneer.
7. Scalability. The verification cost of the auction winner is nearly constant
regardless of the number of bidders.
We have also created an open-source prototype for a Vickrey auction smart
contract and made it available on Github 1 for researchers and community to
review it. The rest of this paper is organized as follows. Section 2 provides a
review of privacy-preserving protocols and sealed-bid auctions on the blockchain.
In Sect. 3, we present the cryptographic primitives and tools utilized in designing
the proposed Vickrey auction smart contract. Then, In Sect. 4, we provide the
design of the auction contract together with an analysis of the estimated gas cost
of relevant transactions. Finally, we present our conclusions and suggestions for
future work in Sect. 5.

2 Related Work
Our proposal depends on utilizing zk-SNARK and distributed ledger
(blockchain) technology to build an efficient (i.e., succinct proof with a rela-
tively small verification cost) sealed-bid auction on Ethereum. Therefore, we
1
https://github.com/hsg88/vickreyauction.
6 H. S. Galal and A. M. Youssef

provide a review of state-of-the-art research papers that utilize zk-SNARK in

building different cryptographic protocols on the blockchain, besides to papers
that provide solutions to building sealed-bid auctions on top of blockchains.
A variety of privacy-preserving protocols are built on top of blockchain
technology [5,10,11,15–17,19,20,22]. They combine cryptocurrency with crypto-
graphic primitives such as MPC protocols, commitment schemes, and ZK proofs
to achieve fairness in different adversary models. In a nutshell, initially, the proto-
col participants locks an arbitrary amount of cryptocurrency in an escrow smart
contract. Subsequently, they proceed to engage in the various steps of the proto-
col. Finally, once the protocol reaches its final state, the escrow smart contract
refunds the deposits back to the honest participants. Consequently, financially
rational participants are obligated to adhere to the protocol rules in order to
avoid the financial penalty.
One prominent example of the privacy-preserving protocol that has been
deployed on Bitcoin is Zero-Knowledge Contingent Payment [22]. It allows a
buyer and a seller to fairly trade an arbitrary digital good in exchange for bitcoins
payment. Fairness is achieved without the need for a trusted party. In essence,
by the end of the protocol, either the exchange completes with every participant
receiving what they are expecting, or none of the participants gains an advantage
over another one. Despite the limited flexibility of Bitcoin scripting language, the
authors managed to provide a solution by depending on hash-lock transactions
that allow someone to pay an arbitrary amount of bitcoins to anyone who can
provide a preimage x such that y = SHA-256(x), for a publicly known value
y. We describe a simple version of ZKCP for the sake of illustration purposes.
Suppose that a seller Bob wants to trade a digital item p in exchange for v
bitcoins. First, Bob encrypts the item p using a symmetric encryption algorithm
to obtain c = Encx (p) using a key x. Then, Bob computes the hash value of
the key y = SHA-256(x). Subsequently, he sends (c, y) along with a ZK proof
that claims c = ENCk (p) and y = SHA-256(x). After that, if Alice is interested
in that item, she creates a hash-lock transaction to pay v bitcoins to anyone
who reveals the preimage x such that y = SHA256(x). Finally, Bob receives the
payment v bitcoins by revealing x which also means that Alice can decrypt c to
get the digital good p.
Campanelli et al. [15] took a step further to propose Zero-Knowledge Contin-
gent Service Payments (ZKCSP) on top of Bitcoin. The main goal is to permit a
fair exchange of services and payments over the Bitcoin blockchain. The authors
argue that previous constructions of ZKCP [22] are not suitable for the exchange
of digital service and payments. They utilized zk-SNARK proof systems [7] to
build practical proofs for complex arguments. As an example, they built a proto-
type for Proofs of Retrievability (PoR) where a client Bob has stored some data
on a cloud server and he wants to verify whether the server still keeps and stores
his data correctly. In this case, the server offers a digital service rather than a
digital good where the server’s owner Alice wants to be certain that there is a
payment at the end of successful verification of PoR. Moreover, Bob does not
want to pay in advance. Therefore, ZKCSP tackles this situation. Also, ZKCSP
 Succinctly Verifiable Sealed-Bid Auction Smart Contract 7

can be viewed to be more general than ZKCP as it allows for the trade of goods
as well as services.
On the area of smart contract frameworks, Kosba et al. [17], presented Hawk,
a framework for writing smart contracts that preserves the privacy of financial
transactions on the blockchain. The main advantage is to allow programmers
without knowledge of cryptographic protocols to build a secure and privacy-
preserving smart contract. To this end, the framework includes a compiler that
utilizes various cryptographic primitives in generating the smart contracts. A
Hawk program source code is composed of public and private parts. The public
part is responsible for the logic that does not deal with the sensitive data or the
money flow. On the other hand, the private part is responsible for hiding the
information about data and input currency units. The compiler translates the
Hawk program into three pieces that define the cryptographic protocol between
users, manager, and the blockchain nodes. Up to our knowledge, the framework
has not been released yet and we could not find a deployed smart contract on
Ethereum blockchain built by Hawk.
On the subject of sealed-bid auctions, Blass and Kerschbaum [11] proposed
Strain, a protocol to build sealed-bid auctions, on top of blockchain technology,
that preserve bids privacy against malicious participants. Strain uses a two-party
comparison protocol to compare bids between pairs of bidders. Then, the com-
parison’s outcome is submitted to the blockchain which serves as a secure bulletin
board. Additionally, since bidders initially submit commitments to their bids,
Strain utilizes ZK proof to verify that the submitted comparison’s result corre-
sponds to the committed bids. Furthermore, Strain uses reversible commitment
scheme such that a group of bidders can jointly open the bid commitment. The
objective of this scheme is to achieve fairness against malicious participants who
prematurely abort or deviate from the protocol. As the authors reported in their
work, Strain has an obvious flaw that reveals the order of bids, similar to Ordered
Preserving Encryption (OPE). Furthermore, running protocols involving MPC
on blockchain is not efficient due to extensive computations and the number of
rounds involved. Meanwhile, our protocol does not suffer from Strains flaws, and
it utilizes zk-SNARK to generate a proof that can be efficiently verified with a
feasible cost on Ethereum.
Furthermore, Galal and Youssef [16] presented a protocol for running sealed-
bid auctions on Ethereum. The protocol ensures the public verifiability, privacy
of bids, and fairness. Initially, bidders submit Pedersen commitments of their
bids to a smart contract. Subsequently, they reveal their commitments individu-
ally to the auctioneer using RSA encryption. Finally, the auctioneer determines
the winning bid and claims the winner of the auction. There are two major issues
in this protocol. First, for each losing bid, the auctioneer has to engage into a
set of interactive commit-challenge-verify protocol to prove that the winning bid
is greater than the losing bid. In other words, the number of interactions is pro-
portional to the number of bidders. Second, current techniques for generating a
secure random number on blockchains are not proven to be secure due to min-
ers’ influence; therefore, the random numbers used in a commit-challenge-verify
8 H. S. Galal and A. M. Youssef

proof can be compromised. The approach proposed in our paper overcomes these
challenges by utilizing zk-SNARK which requires a single proof-verification for
the whole auction process. Moreover, it is a non-interactive protocol that does
not require random numbers to be generated on the blockchain.

3 Preliminaries
In this section, we briefly introduce the cryptographic primitives that are utilized
in the design of our proposed protocol for the sealed-bid auction smart contract.

3.1 Commitment Scheme

Recall that in sealed-bid auctions, the bidders initially submit their bids in sealed
envelops for a fixed period of time. Then, the auctioneer opens these envelopes
to determine the winner. In other words, we need a tool to hide the bids tem-
porarily, yet with the ability to reveal them later. This task can be easily fulfilled
by a cryptographic primitive known as commitments schemes. Typically, a com-
mitment scheme involves two parties: a sender (Alice) and a receiver (Bob).
Additionally, it provides two security properties, namely, hiding and binding.
Simply, let us denote for an abstract commitment scheme by the public algorithm
c = Com(x, r) which takes a value x, a random r, and produces a commitment
c. In the reveal phase, Alice simply reveals the values x and r , then Bob checks
whether these two values produces the same original commitment c. The hiding
property implies that it is infeasible for Bob to learn the value x given the com-
mitment c. Likewise, the binding property implies that it is infeasible for Alice
to reveal with different values x and r that produces the same commitment c.
such that when Alice commits to an arbitrary value x and sends the commit-
ment c to Bob. Although there are commitment schemes with strong security
properties (e.g., information-theoretic hiding) such as Pedersen commitment, we
instead use a relaxed one based on collision-resistant hash function due to its
flexible integration with zk-SNARK.
To be precise, we choose SHA-256 to be the public algorithm for our com-
mitment scheme. In order for Alice to commit to a bid x, she sends to Bob the
commitment c = SHA-256(s) where s = (x||r), r is a k-bit randomness, and ||
denotes the concatenation operation. Later on, to decommit c, she sends the
value s to him. Subsequently, Bob verifies that c = SHA-256(s ). Then, on suc-
cessful verification, he strips off the least significant k-bits from s to recover the
bid x.

3.2 zk-SNARK
ZK-SNARK is essentially a non-interactive zero-knowledge (NIZK) proof system.
There are several constructions of zk-SNARK especially in the field of verifiable
computations. In this paper, we follow the construction proposed by Sasson
et al. [9] to verify computations compatible with Von Neumann architecture.
 Succinctly Verifiable Sealed-Bid Auction Smart Contract 9

More precisely, to verify the correctness of the auctioneer’s computations in

determining the auction’s winner.
Typically, any NIZK proof system about NP-language L consists of the fol-
lowing three main algorithms:
1. Key generation: crs ← K(1λ , L) which takes a security parameter λ, a
description of the language L, and outputs the common reference string crs.
2. Proof generation: π ← P (crs, s, w) which takes a crs, a statement s, a
witness w such that (s, w) ∈ L, and outputs a proof π.
3. Proof verification: {0, 1} ← V (crs, π, s) which takes a proof π, the previ-
ously generated crs, a statement s, and outputs 0 or 1 to denote accept or
reject.
In general, any NIZK proof is simply a bulk of data that can be verified
at any time without prior interactions between the prover and the verifier. A
key requirement though is the proper generation of common reference string
(CRS). If there is any trapdoor in the generation of CRS, then the prover is
able to generate a fraudulent proof. Likewise, a malicious verifier can exploit the
trapdoor to extract information about the witness. Therefore, the generation of
CRS is of utmost importance to the security of NIZK proof. The zk-SNARK
construction [9] provides the following security properties:
1. Perfect Completeness. An honest prover with a valid witness can always
convince an honest verifier. More formally, given (s, w) ∈ L, crs ←
K(1λ , L), π ← P (crs, s, w), then V (crs, π) = 1.
2. Computational Soundness. A polynomial-time adversary can convince a
verifier that an invalid statement is true with a negligible probability. More
formally, given crs ← K(1λ , L), π ← A(crs, s), s ∈/ L, then P r[V (crs, π, s) =
1] ≈ 0.
3. Computational Zero-Knowledge. It is computationally infeasible for any
polynomial-time adversary to reveal any information about the witness from
the proof. More formally, there exists a simulator S = (K, P ) that outputs
a transcript that is computationally indistinguishable from the one produced
by (K, P ) in a proof π without knowing a witness.
4. Succinctness. A NIZK is said to be succinct if an honestly generated proof
has P oly(λ)- bits and the verification algorithm V (crs, π, s) runs asymptoti-
cally in O(|s| · P oly(λ)).
Recall that the key generation algorithm in zk-SNARK takes as an input a
representation of the language L. Therefore, we want to find a suitable repre-
sentation for the auction winner problem. Sasson et al. [9] proposed a general-
purpose circuit generator that takes a C-code and translates it into an arith-
metic circuit. Simply, arithmetic circuits are acyclic graphs with wires and
mathematical operation gates as edges and node, respectively [23]. More pre-
cisely, an arithmetic circuit is a function C : Fm × Fn →Fl which essentially
takes (m + n)-inputs and generates l-outputs. The arithmetic circuit C is said
to have a valid assignment tuple (a1 , ..., aN ) where N = m + n + l when
C(a1 , ..., ax+y ) = (ax+y+1 , ..., aN ).
10 H. S. Galal and A. M. Youssef

4 Auction Contract Design

In this section, we present the protocol for running a Vickrey auction as a smart
contract on top of Ethereum. Our protocol is composed of six phases, where
the first two phases are responsible for initializing the zk-SNARK proof system,
while, the remaining four phases deal with the auctioning process itself.

4.1 Arithmetic Circuit Generation

Recall that before we can use the first algorithm in zk-SNARK, namely key
generation, we need an arithmetic circuit that represents the function we want
to provide a proof about its correct execution. Practically, creating an arith-
metic circuit for complex arguments is a tedious and error-prone task, especially
when the arguments involve operations that are intrinsically depending on log-
ical operators such as the comparison operation and SHA-256 transformation.
For this reason, we utilize the general-purpose circuit generator [3,9] to translate
a program code into an arithmetic circuit.
Arguably, using a general-purpose arithmetic circuit generator often yields
an inefficient circuit with a large number of gates. However, the computation
problem of Vickrey auction, as shown in Algorithm 1, is not complex to the
degree we worry about the performance of the generated circuit. Moreover, it is
reported in [9] that the size of the generated arithmetic circuits scales additively
rather than multiplicatively with respect to the size of the translated code.

Algorithm 1. Find highest and second-highest bids and verify commitments

1: function Auction(C, U, V )
2: highest ← 0, secondHighest ← 0, status ← 0, i ← 0
3: success ← true
4: while i < N do  N is the constant number of bidders
5: if C[i] = SHA-256(U [i], V [i]) then  check if commitment is valid
6: success ← f alse
7: return [success, highest, secondHighest]
8: end if
9: if highest < bid then
10: secondHighest ← highest
11: highest ← bid
12: end if
13: i←i+1
14: end while
15: success ← true
16: return [success, highest, secondHighest]
17: end function

While the auctioneer might be tempted to omit commitments to let a col-

luding bidder win the auction, doing so will result in a failed verification by
 Succinctly Verifiable Sealed-Bid Auction Smart Contract 11

the smart contract. In other words, the algorithm does not check whether the
auctioneer supplies all commitments as part of the public inputs. On the other
hand, the verification which is carried out by the smart contract does supply all
commitments. As a consequence, there will be a difference between the public
parameters used by the auctioneer to generate the proof, and the public param-
eters used by the smart contract to verify the proof. Therefore, the verification
will fail, and the auctioneer will be penalized if he cannot supply a valid proof
that uses the same public parameters as the smart contract.

4.2 Generation of CRS

The outputs of the CRS generation algorithm are the proving and verification
keys which are used by the prover and verifier, respectively. It is a mandatory
requirement in any NIZK proof system including zk-SNARK to ensure the proper
generation of CRS in order to preserve the zero-knowledge and soundness prop-
erties. Commonly, the CRS is usually generated by a trusted party. However,
this is against the whole premise of the blockchain as a decentralized platform
that does not require a trusted party. Moreover, it is sufficient to generate the
CRS only one-time as long as the problem statement does not change. In other
words, we can initially generate the CRS for the Vickrey auction. Then, we can
utilize the resultant CRS in multiple Vickrey auctions.
To avoid the need for a trusted party, various MPC protocols have been
proposed to generate the CRS. Bowe et al. [13] presented an MPC protocol to
generate CRS for the Zcash cryptocurrency. For the sake of simplicity, let us
consider that the CRS is composed of a single element s · g where s ∈ F∗p and g
is the generator for a group G written in the additive notation. Consider that,
a prover Alice and a verifier Bob want to generate the CRS such that none of
them has knowledge of its discrete log. The protocol runs as follows:

1. Alice chooses a uniform number s1 ∈ F∗p and sends the element s1 · g to Bob.
2. Bob chooses a number s2 ∈ F∗p and sends the element s2 s1 · g to Alice.
3. Finally, Alice and Bob use the element s2 s1 · g as the CRS.

The problem with this simple protocol is that Bob can maliciously choose s2 in a
way that affects the final output of s. Therefore, the authors in [8,13] proposed a
pre-commitment step where each participant first picks a secret number si then
sends a commitment to it. Later on, they follow the same steps as above but
with providing a ZK proof that they used the same secret number corresponding
to their commitments. A major problem with this protocol is that the pre-
commitment step requires a pre-selection of participants. Moreover, there is an
overhead with generating the commitments and verifying the associated ZK
proofs.
We follow the MPC protocol for CRS generation in [14] for a number of
reasons. First, it does not require a pre-selection of parties to participate in the
MPC protocol. Therefore, instead of trusting a specific group of people with the
generation of the CRS, any individual can actively join to be assured that a
12 H. S. Galal and A. M. Youssef

valid CRS is generated even when the rest of participants are malicious. Second,
It is more scalable and efficient than the previous construction as it is only
a two-round protocol. The basic idea is to use random beacons to eliminate
the step of pre-commitment in [13]. Fortunately, Ethereum is the second most
popular blockchain, which implies that a large number (i.e., more than 51%) of
the miners in the network are reasonably assumed to act honestly. Therefore,
we can leverage the blockchain itself as a source of random beacons [12] without
worrying about the influence of malicious miners. Hence, the MPC protocol for
CRS generation proceeds as follows:

1. Alice chooses a uniform number s1 ∈ F∗p and sends the element s1 · g to Bob.
2. Similarly, Bob chooses a uniform number s2 ∈ F∗p and sends the element
s2 s1 · g to the smart contract.
3. A beacon s3 is read from the blockchain, and the element s3 s2 s1 · g is used
as CRS.

Assuming that no malicious miner can affect the beacon s3 in a way that
makes finding the discrete log of s3 s2 s1 .g an easy problem, then we can safely
say that the generated CRS has no trapdoor that compromises the security of
a zk-SNARK proof. We also note that it is an optional task for the bidders to
participate in the CRS generation. In other words, the integration of the random
beacon in the MPC protocol is sufficient to ensure that the auctioneer cannot
control the trapdoor of the generated CRS. Obviously, the achieved security is
much stronger when at least one honest bidder participates in the MPC protocol.

1. T1 , T2 , T3 define the periods using block numbers for the following phases:
commitments of bids, opening the commitments, and proof generation and
verification, respectively. Note that, T refers to the current block number.
2. N is the maximum number of bidders.
3. F defines the financial deposit of ethers to guarantee fairness against financial
rational malicious participants.
4. Apk is the auctioneer’s public key of an asymmetric encryption scheme.
5. V key is the verification key part of the generated CRS.

Create: {T1 , T2 , T3 , N, F, Apk , V key} : from auctioneer A

Set state := IN IT, bidders := {}
Set highestBid := 0, secondHighestBid := 0
Store N, F, Apk , V key
Store T1 , T2 , T3
Assert T < T1 < T2 < T3 < T4
Assert ledger[A] >= F
Set ledger[A] := ledger[A] − F
Set deposit := deposit + F

Fig. 1. Pseudocode for Vickrey auction smart contract constructor

 Succinctly Verifiable Sealed-Bid Auction Smart Contract 13

4.3 Smart Contract Deployment

The auctioneer deploys the smart contract that runs the Vickrey auction on top
of Ethereum. The deployment is basically a transaction that carries the com-
piled EVM bytecode as a payload and triggers the execution of the constructor.
The constructor is responsible for initializing the state of variables in the smart
contract. In Fig. 1, we show a pseudocode to illustrate the initialization of the
state variables based on the parameters received from the auctioneer.

4.4 Submission of Bids

In this phase, the bidders create transactions to pay F -ethers and submit com-
mitments of their bids as described in Sect. 3 to the function Bid which stores
the commitments on the smart contract as shown in Fig. 2.

Bid: {commitB } from a bidder B:

Assert T < T1
Assert ledger[B] > F
Set ledger[B] := ledger[B] − F
Set deposit := deposit + F
Set bidders[B].Commit := commitB

Fig. 2. Pseudocode for the submission of bid commitment

We also note that at the end of this phase, if the number of the submitted
commitments is less than the maximum number of bidders N , then the auction-
eer has to submit the remaining number of commitments with an underlying bid
value equals to zero. The reason behind this step is due to technical limitation
in the general-purpose arithmetic circuit generator [9]. More precisely, the trans-
lated code is not allowed to have loops with variable number of iterations, so we
have to fix the loop counter to the maximum number of bidders N . Basically, the
circuit generator flattens and unrolls the loop iterations, therefore, the number
of iterations has to be known in advance.

4.5 Opening the Commitments

In this phase, each bidder Bi encrypts the pair (xi , ri ) by the public key Apk ,
where xi is the bid value, and ri is a random number. Then, the ciphertext is
sent to the function Open on the smart contract as shown in Fig. 3.
Arguably, paying for a transaction that stores the ciphertext on the smart
contract seems to be an unnecessary task at the first glance. However, we chose
to store the ciphertext rather than sending them off-chain to the auctioneer so we
can avoid the following attack scenario. Suppose a malicious auctioneer pretends
that an arbitrary bidder Bob has not submitted a ciphertext of the correct
14 H. S. Galal and A. M. Youssef

Open: {ciphertextB } from a bidder B:

Assert T1 < T < T2
Assert B ∈ bidders
Set bidders[B].Ciphertext := ciphertextB

Fig. 3. Pseudocode for the Open function

opening values of his associated commitment. In this case, Bob has no chance
of denying this false claim. However, if Bob’s ciphertext is stored on the smart
contract, then the transaction that carried Bob’s ciphertext of his commitment’s
opening values sufficiently defeats this false claim. Furthermore, as it is shown
in the pseudocode Fig. 3, the ciphertext is stored in a mapping bidders[Bob] as
part of a structure that also contains the sealed-bid (commitment) with senders
address as a key. When the auctioneer tries to claim that Bob’s ciphertext does
not contain the valid openings of his commitment, then Bob is alerted to submit
the opening values as plaintext to the smart contract. Subsequently, based on
these values, the smart contract recomputes the commitment and the ciphertext,
then it compares them against the commitment and ciphertext which are stored
in the mapping bidders[Bob]. In the case, they are found to be equal, then the
protocol terminates by penalizing the auctioneer and refunding the initial deposit
to all bidders. Otherwise, Bob is penalized and his commitments and ciphertext
are discarded from further processing steps.

4.6 Proof Generation and Verification

In this phase, the auctioneer reads the ciphertext stored on the smart contract
and decrypts them off-chain. As a result, the auctioneer has a knowledge of
the necessary witness (i.e., openings of commitments), highest-bid, and second-
highest bid to generate a proof. Hence, the auctioneer creates a transaction to
pass the highest and second-highest bids as part of the public inputs, and the
generated proof as shown in Fig. 4.

Prove: {bid1 , bid2 , proof } from auctioneer A:

Assert T2 < T < T3
Assert state = init
Set highestBid := bid1
Set secondHighestBid := bid2
Set params := {bid1 , bid2 , bidders.commits, true}
Assert V erif y(V key, proof, params)
Set state := valid

Fig. 4. Pseudocode for the Reveal function

 Succinctly Verifiable Sealed-Bid Auction Smart Contract 15

The function Verify checks the validity of the submitted proof based on
the verification key V key and the public inputs params. It utilizes the pre-
compiled contracts EIP-196 [27] and EIP-197 [26] to perform the necessary
elliptic-curve pairing operations required for zk-SNARK proof verification [9].
Finally, it returns a boolean output to indicate whether to accept the proof or
reject it.
Once the verification of zk-SNARK proof has passed successfully, the auc-
tioneer creates a transaction to finalize the auctioning process. Basically, the
auctioneer reveals to the smart contract the openings associated with the auc-
tion winner commitment as shown in Fig. 5. Then, the smart contract checks
whether the winner’s bid value equals to the highest bid, and it also checks that
the commitment of the opening values is equivalent to one of the previously sub-
mitted commitments by the bidders. Finally, the smart contract determines the
address associated with the auction winner, and it begins to refund the deposit
F to the losing bidders and the auctioneer. However, the winner deposit is not
refunded until she fulfills the payment of the second-highest bid.

Finalize: {bidw , randomw } from auctioneer A:

Assert T2 < T < T3
Assert state = valid
Assert highestBid = bidw
Set commitw := SHA256(bidw , randomw )
Assert commitw ∈ bidders.commits
Set winner := F ind(bidders, commitw )
Set ledger[A] := ledger[A] + F
Set deposit := deposit − F
For b ∈ bidders − {winner}
Set ledger[b] := ledger[b] + F
Set deposit := deposit − F
Set state := f inalized

Fig. 5. Pseudocode for the Finalize function

As shown in Fig. 6, there is one more function in the smart contract called
Dispute. The objective of this function is to counter a possible malicious behavior
by the auctioneer. Let us assume the auctioneer refuses to carry out the proof
generation and verification task. This will certainly result in a permanent lock
of the deposits paid by the bidders. Therefore, any bidder can call this function
that checks if the state variable on the smart contract is still equal to init after
the block number T3 has been mined, then it refunds the deposits back to the
bidders. Consequently, only the auctioneer ends up being financially penalized
since there is no way to refund his deposit.
16 H. S. Galal and A. M. Youssef

Dispute: Assert T > T3

Assert state = init
For b ∈ bidders
Set ledger[b] := ledger[b] + F
Set deposit := deposit F

Fig. 6. Pseudocode for the Dispute function

4.7 Gas Cost Analysis

We have implemented a prototype for the proposed protocol and smart contract,
We have also made it open-source and published it on Github repository 2 . To
experiment with our prototype, we have created a local Ethereum blockchain
using the Geth client version 1.8.10. The genesis file that is responsible for the ini-
tialization of the local blockchain contains the following attribute in order to sup-
port the pre-compiled contracts EIP-196 and EIP-197: {“byzantiumBlock  : 0 }.
In our experiment, we created test-case with the number of bidders N = 100,
respectively. Table 1 shows the gas cost and the corresponding price in USD for
the deployment and functions calls on the smart contract. At the time of car-
rying out our experiment, May 30th, 2018, the ether exchange rate is 1 ether
= 583$ and the median gas price is approximately 20 Gwei = 20 × 10−9 ether.

Table 1. Gas cost associated with the various functions in the smart contract

Function Transaction cost Price

Deployment 1346611 15.70
Bid 115583 1.35
Open 44176 0.52
Prove 3395077 39.58
Finalize 92362 1.07
Dispute 47112 0.55

The smart contract deployment cost is a little bit expensive as it involves the
deployment of helper contracts and libraries that are responsible for verifying
zk-SNARK proof. However, this cost can be significantly reduced if the helper
contracts and libraries are already deployed beforehand. Also, the cost of the
Prove function is constant due to the fixed cost of the elliptic-curve operations
performed during the verification of the zk-SNARK proof. Arguably, this cost
might be not convenient for relatively cheap auctioned assets. However, our work
scales much better and more efficiently than previous auctions constructions on
blockchain [11,16,25].
2
https://github.com/hsg88/VickreyAuction.
Another random document with
no related content on Scribd:
not distant, and in a few moments they struck against the shore, and
were held fast by running between some small trees. The dog again
set up a howl, and the people before mentioned, now thinking
something was the matter, entered a boat and went to the island,
where they found you fast asleep in the basket, and dry as a biscuit!”
When Amy had reached this point of her story, Anna put her arms
around the dog’s neck, and with her eyes swimming in tears, kissed
him over and over again. She said nothing, however, for her heart
was too full. Her sister then went on to tell the rest of the story—but
as the reader will easily guess it all, I need not repeat it here. If any
of my young readers are curious to know all about it, I shall be at
their service, whenever they will give me a call.

Attachment to our Country.—When Gulliver was in Lilliput, he

lay down to sleep. In the morning he found himself fastened down to
the earth by a thousand little cords which the Lilliputians had thrown
over him. Every man is thus attached to some spot on earth by the
thousand small threads which habit and association are continually
throwing around him. Of these, perhaps, one of the strongest is that
which makes us love the place where our fathers are entombed.
When the Canadian Indians were once solicited to emigrate, “What!”
they replied, “shall we say to the bones of our fathers, ‘Arise, and go
with us into a foreign land?’”
 The Fox and the Tortoise;
a fable, to show the advantages of honesty.

A fox that had been robbing some hen-roosts, and had therefore
excited the indignation of the people, was one day pursued by a
party of hunters, and sorely pressed by their hounds. At last he came
to a secluded spot, and having for the time eluded his enemies, he
sat down to take breath. Near by there chanced to be a tortoise, and
as birds and beasts always talk in fables, it was a matter of course
that the two animals on the present occasion should fall into
conversation.
“You seem,” said the tortoise, “to be very much out of breath: pray
let me ask you what is the matter?”
“Matter enough!” replied the fox. “I occasionally slip into the
farmers’ hen-roosts, and take away a few of their fowls, or now and
then I carry off a fat goose or a stray lamb; and behold, I am hunted
by all people with all their hounds, as if I was the greatest rascal on
the face of the earth! Whew! how hot I am. These villanous hounds
put me in a terrible tremor. One of them came so close as to snap at
my throat with his long ugly teeth, and I really thought my last hour
was come. What a terrible life it is I lead: I cannot stir abroad but
some hound is on my track, or some bullet whistles near my heart.
Even in my den of rocks I have no peace, for I am ever dreaming of
the sound of muskets or the baying of hounds.”
As the fox said this, the cry of the hunters and their hounds came
near, and to save his life, he was again obliged to take to flight. The
humble tortoise, observing all this, remarked very wisely, as follows:
“How much better it is to be honest and content with what we can
call our own, than to be forever running after forbidden pleasures,
thus drawing down upon ourselves the enmity of mankind, and all
the disquietude of a guilty conscience.”

The Insincerity of Flattery.—“What little, ugly-looking, red-

headed monster is that, playing among those children?” “That,
madam, is my eldest son!” “Indeed! you don’t say so; what a
beautiful little cherub it is!”
 The Travels, Adventures and Experiences of
Thomas Trotter.

CHAPTER I.
My Birth and Parentage.—​The reasons why I became a Traveller.—​
My first Travels.—​Advantage of having good legs.—​My first
Voyage to the Mediterranean.—​The Orange and Lemon
Trade.—​The Gulf Stream.—​Whales.—​Portuguese Man-of-
War.

Ever since my earliest remembrance I have had a great passion

for travelling, seeing foreign countries, and studying foreign
manners. I believe this disposition runs in our family, for all the
Trotters, I am assured, have been great travellers. My great
grandfather, Absalom Trotter, was famous for having the longest legs
in the state of Massachusetts, and for making the best use of them.
He could beat a horse at a stretch of a month or so; but he died just
as the Providence railroad was completed. My great aunt, Peggy
Trotter, was also celebrated among her neighbors for an
unconquerable propensity to move about. There was not a story
circulating in the town, but she was the first to find it out, and the
most industrious in communicating it to all her acquaintance. If she
had lived till this day, I verily believe the newspaper editors would
have hired her to carry expresses; for when she once got hold of a
piece of intelligence, it is inconceivable how rapidly she made it fly
through all quarters of the town. When she died, people were afraid
that news would be scarce forever afterwards; but steamboats came
into fashion about that time, so that we have not been without a
supply of intelligence from various parts.
 I was born in Fleet street, down at the north end, in Boston. My
father was a West-India captain, who used to sail in a little schooner
from Boston to Guadaloupe. He commonly carried out a load of
lumber, that is, pine boards, plank, timber, and shingles; and brought
back a cargo of molasses. Every time he returned from a voyage, he
brought us oranges, lemons, and pine-apples, fruits which do not
grow hereabouts. These rarities always excited my admiration; and I
was delighted to sit in the chimney-corner during the long winter
evenings, and listen to his description of the West-India islands,
where the summer and the fruits and the green fields last the whole
year round; and where no snow or ice chills the air, but fresh verdure
and bright flowers enliven the landscape from the beginning of the
year to the end of it.
The more of these stories I heard, the more I wanted to hear, for it
is notorious that there is no passion so insatiable as curiosity. And
when our curiosity is directed towards a useful object, the indulgence
of it becomes both proper and beneficial. The world is filled with
variety, and this variety is evidently designed by Providence to
stimulate our curiosity, so that we may be incited to action and the
pursuit of knowledge. In this way I became seized with an irresistible
inclination to travel and see the world. My neighbor Timothy Doolittle,
who had nobody to tell him stories when he was a boy, on the
contrary, never cared to move about, or know how the rest of the
world lived, or what was doing out of his own chimney-corner. I
believe he never in his life walked further than Roxbury Neck; and if
anybody should ask him how big the world was, he would say it
extended from Bunker Hill to Brookline! Such magnificent notions of
the universe will a man have who never stirs abroad.
I could give a long account of my early travels—how they began
in very infancy when I first ventured out the front door—how I next
rambled down the street, and was amazed to see how large the town
was—how I then grew more courageous, and journeyed as far as
Faneuil Hall Market; what surprising discoveries I made there; what
perilous adventures I met with on the way thither and back—how I
next made a still bolder excursion as far as Fort Hill, got overtaken
by night, and was brought back by the town crier—how, finally, after
a great many hair-breadth escapes and daring exploits, I became so
experienced in travelling that I ventured into the country to see what
sort of people lived there; and how in a single day I penetrated as far
as the Blue Hills, and found the inhabitants of Milton and Dorchester
an exceedingly civil, pleasant and good sort of people. I might give
the particulars of all these peregrinations at full length, if I had room
in these pages. But as it is very probable that most of my readers
have travelled the same route and seen pretty much the same
things, I have concluded to omit them for the present, and pass on to
the narrative of my travels and adventures in foreign countries, which
will probably offer more novelty and instruction.
My father died when I was ten years old; and as my mother had
been dead several years before, I was left to the care of my aunt
Katy Walker. I had little chance of gratifying my roving inclination
under her care, for she could not afford me any money, and
travelling is expensive. The most I could do was to take long walks
now and then, with a staff in my hand, and a pack over my back. In
this way I have travelled over nearly all the state of Massachusetts;
and can assure my readers, that they will learn more by travelling on
foot in a single day than they will in a week by being whirled along in
a railroad car. The main thing is to have good vigorous limbs; and a
man’s legs will always grow strong if he walks enough. After trudging
up and down for some years, a second cousin of mine, Captain
Scudder, who used to visit at our house, came one day to tell me
that he was about to make a voyage to the Mediterranean, to bring
home a cargo of oranges and lemons for the Boston market. He
offered to take me with him, and I gladly accepted the proposal. To
visit Europe was the great object of my wishes; and the
Mediterranean countries had the greatest of all possible attractions
for me. I was never tired of thinking of the interesting territories which
were situated upon that famous sea—their romantic shores—their
beautiful islands—their bright sky—their charming climate—their
magnificent cities—their picturesque inhabitants, and the multitude of
glorious and ever-memorable historical events connected with them.
All these thoughts threw me into a rapture, and my impatience to set
out upon the voyage was such, that I deemed every moment lost, till
I was on board, and the vessel was fairly under weigh.
 We sailed in the brig Swift, bound to Malta. We carried a cargo of
logwood, coffee, sugar, beeswax, raw hides, tobacco, cotton, and
staves. These articles generally compose the cargo of vessels
bound to the Italian ports. The logwood, coffee, sugar, tobacco, and
cotton, are productions not raised in those countries. Hides and
staves are much cheaper, and more abundant, in our country than in
theirs. They have no great pastures and tracts of wild country filled
with droves of cattle, as you will find in many parts of America.
Forests of large trees are so scarce with them, that wood of every
kind bears a high price. Beeswax is an article which they use to a
great extent, as their custom is to burn enormously long wax candles
in their churches and religious processions.
It was about the middle of December when we set sail. This is
considered the best season for a voyage such as we were bound
upon. The oranges are ripe in January and February, so that when
the vessel arrives out, the fruit is all freshly gathered and ready for
shipping. A great deal of care is necessary in the importation of this
sort of fruit; for if the weather be too warm, or the oranges have been
too long taken from the trees, they will be spoiled on the passage. It
very often happens that a vessel arrives at Boston from Sicily in the
summer with a load of oranges and lemons, and having had a long
passage, the whole cargo is found to be spoiled, and must be thrown
away. This most commonly happens in the Italian vessels, which do
not sail so fast as the Americans’, and have not crews so expert in
navigation.
Well, I was now fairly on board. We hoisted sail; the wind blew
fresh from the northwest; we scudded by the castle, we were soon
outside of Boston lighthouse. The pilot jumped into his boat and
bade us good-by. I looked after him as his little wherry kept bobbing
up and down between the waves, till he was too far off to be seen
any longer. The steeples of Boston and the neighboring hills
gradually sunk in the horizon; night came on, and I could see no
more of my native land. We carried all sail through the night, in order
to get well off the coast while the wind was fair, as the weather is
very variable near the land, and it is highly dangerous to be near the
coast in winter. By-and-by we had furious squalls of wind, which tore
our sails, and put us in great danger. In a day or two more we
crossed the Gulf Stream, which is a long and wide current of water
running through the Atlantic, from the Gulf of Mexico nearly across
the ocean. I was astonished to find the water in this current blood-
warm, although it was the middle of winter; but Captain Scudder
informed me that this is always the case, as the water comes from a
warm climate. Dreadful thunder-storms also happen here, and a
great many ships have been struck and burnt up by lightning in the
Gulf Stream.
We were all very glad when we had crossed this remarkable
current, for we had nothing but squalls of wind and showers of rain
while we were in it. At length we got fairly out into blue water, the sky
grew clear, we had a bright sun and a fair wind, and although the sea
continued to roll and dash pretty turbulently, yet it was a pleasure to
stand on the deck and look at the glorious broad ocean, with its blue
waves, crested with white foam, sparkling in the sun. Two or three
ships had kept us company off the coast, and for some days we
could discern their white sails on the verge of the horizon; but they
presently sunk out of sight, and we found ourselves with nothing but
sea around and sky above us.
One day, as I was walking on the deck and looking out for a sail, I
was surprised to see a stream of water rise up out of the sea at
some distance. I pointed it out to the man who was steering at the
helm, and was told by him that it was a whale, spouting. I had never
seen a whale before, and was anxious to get a nearer view of so
wonderful a creature. My wish was soon gratified. Presently he
directed his course towards our vessel, and passed by us, spouting
up streams of water from his nose in a manner that excited my
astonishment. When I contemplated the monstrous bulk of this
creature, and the amazing swiftness with which he dashed through
the water, I could not repress a feeling of terror. Yet it is well known
that men are courageous enough to go out to sea in little boats for
the purpose of catching such enormous monsters. The description of
the whale fishery is one of the most interesting items in the history of
human courage and skill, and shows how the ingenuity of man can
triumph over the strength of the mightiest of all the brute creation.
The whale is attacked, pursued for miles across his own element,
and finally killed and taken by six or eight men in a boat, so small
that, if he had but the sense to open his mouth, he might swallow the
boat and its crew.
I had another amusement at sea in witnessing the gambols of the
shoals of porpoises which now and then came tumbling around us.
These fish generally move in single file through the water, and when
they meet a ship at sea, they shoot right before her bows, so as
almost to strike the vessel; but as they dart with great velocity, they
always manage to steer clear. At such times it is highly interesting to
watch their movements, as they glance through the water just below
the surface. When the sun shines, they glisten in the waves with all
the hues of the rainbow, and one would almost imagine they were
proud of showing their gaudy colors, for they dart along the ship’s
side, as if on purpose to be seen. This diversion is often fatal to
them, for the sailors contrive to catch them with harpoons. They are
very fat, and yield a large quantity of oil. Their flesh is black, and
tastes a good deal like pork; it is much relished by crews that have
been long deprived of fresh provisions.
In the course of our voyage, as I was looking over the vessel’s
side one bright, sunshiny day, I saw something sailing along on the
top of the waves that looked exactly like one of the chip boats which
the boys sail in the Frog Pond. The sailors told me it was a fish
called the Portuguese man-of-war. I looked upon it with admiration. It
was a most curious sort of shell-fish, with a thin white membrane or
wing spread in the air for a sail. By the help of this it steered before
the wind just like a ship, and kept company with us for two or three
miles. When I was looking at it with a spy-glass, it suddenly struck its
sail, dove under water, and was out of sight in an instant.
(To be continued.)
 Story of Philip Brusque.
(Continued from page 21.)

CHAPTER II.
Brusque discovers that man wants something beside Liberty; he
wants Company—Society.

Such were the thoughts of Brusque, as he stood on a little hill in

the centre of the island, and looked round upon what now seemed
entirely his own. Nor did anything happen to disturb his peace for a
long time. There was fruit enough for his support upon the trees, and
he found a cave in a rock, which served him for a house and a
home. The weather was almost constantly fine, and so mild was the
temperature, that he hardly needed a shelter, even at night.
So the time slid on very pleasantly with Philip for about a year. By
this time, he began to be a little tired of his own company; nor could
the chattering of the macaws and parrots, of which there were many
in the trees, entirely satisfy him. He caught some of the young birds,
and reared them, and taught them to speak, but still he felt lonely. At
last it came to be his custom every day to go upon the top of the
highest hill, and look far off upon the ocean, hoping to see a ship, for
he yearned in his heart to have some human being for a companion.
Then the tears would fill his eyes, and flow down his rough cheeks;
and then he would speak or think to himself as follows:
“Liberty is indeed a dear and beautiful thing, but still I want
something beside liberty. I want to hear a human voice. I want to
look into a human face. I want some one to speak to. I feel as if my
very heart would wither for the want of a friend. I feel a thirst within,
and I have no means of satisfying it. I feel within a voice speaking,
and there is no answer. This beautiful island is becoming a desert to
me, without even an echo. O! dear France! O! dear, dear home! How
gladly would I give up this hollow and useless liberty for the
pleasures of friendship and society. I would be willing to be
restrained by the thousand meshes of the law, if I might once more
enjoy the pleasure of living in the midst of my fellow-men.”
With these thoughts dwelling in his mind, Philip went to rest one
night, and though it was very stormy, he slept soundly. In the
morning the feelings of yesterday came back, and with a sad heart
he went again to the top of the hill; for the hope of seeing a ship, and
of once more being restored to human society, haunted him
perpetually. Long he stood upon the hill and looked out upon the
sea, now tossing from the tempest of the night, and throwing up a
thousand white-caps in every direction. Having gazed upon this
scene for more than an hour, he chanced to turn his eyes towards
the extremity of the island, where, at the distance of about a mile, he
distinctly saw a human being on the shore. He paused but a moment
to assure himself that he was not mistaken, and then set off like a
deer toward the stranger.
Brusque did not stop in his way, but ran with all his might. When
he came near the object of his attention, he saw that it was a man,
and without waiting to examine farther, ran toward him with open
arms. The man was alarmed, and stooping down, he picked up a
stone, and threatened to hurl it at Brusque. The latter now paused,
and the parties soon came to an understanding.
The stranger said that he was a fisherman from Mauritius, an
island in the Indian Ocean, belonging to the French nation. It is
inhabited chiefly by French people, and negroes, who are their
slaves. The whole population is about 20,000.
It seems that the fisherman had been driven out to sea by a
storm, and, the weather being cloudy and he having no compass, did
not know which way to steer for home. Thus he wandered about
several days, till, on the preceding night, in an attempt to land upon
the island where he now found himself, his little smack was dashed
in pieces, and he only saved himself by swimming.
No sooner had he told his story, than Philip put his arms around
him and kissed him over and over again. He was indeed delighted,
for now he had a companion, for which he had sighed so long. Now,
he had a human face to look upon; now, he could listen to a human
voice; now, he had some one into whose mind he could pour his own
thoughts and feelings. Now, in social intercourse, he could quench
that thirst which had parched his soul in solitude.
Full of these thoughts, Philip took the stranger, and led him to his
cave. He gathered for him some fresh pine-apples, and some
oranges, and placed them before him. When the fisherman began to
eat with a hearty appetite, Philip clapped his hands in joy. He then
ran to a little spring that was near, and brought some cool water in a
gourd shell, and gave it to the fisherman.
Now Philip Brusque was rather a proud man, and it was very
strange to see him waiting upon the rough fisherman, as if he were a
servant. But Philip was acting according to the dictates of his heart,
and so, though a seeming slave, he did not feel that his liberty was
violated. He was, in fact, acting according to his own pleasure, and
he was seeking happiness in his own way. If Philip had been
compelled to serve the fisherman, he would have hated and resisted
the task; but now, doing it freely, he found pleasure in it. So true it is
that we do things when we are free, with delight, which slavery would
turn into bitterness and sources of discontent.
Things went on very well for a few days. The fisherman took up
his abode in Philip’s cave, and there he lay a great part of the time.
Brusque brought him fruit and water, and all he wanted, and he did it
cheerfully for a time. But, by-and-by, the fisherman began to
command Brusque to wait upon him, to do this and that, and to bring
him this thing and that thing. This immediately changed the face of
affairs between the parties. Brusque became angry, and told the
fisherman to wait upon himself.
The fisherman made a rude reply, and high words followed.
Brusque ordered the fisherman to quit his cave. The fisherman told
Brusque to leave it himself. Their faces were full of red wrath. Anger
begets anger. The fisherman struck Brusque a blow. Brusque
retaliated, and being a powerful man, he instantly stretched the
fisherman on the ground. He was completely stunned, and lay
without motion, seeming actually to be dead.
Brusque’s anger was too high for the immediate return of reason.
He looked on the pale form with a feeling of delight, and spoke some
words of triumph between his firm-set teeth. But this feeling soon
passed away, and a better one returned. Believing that the fisherman
was dead, he now began to feel regret and remorse. Already was
that monitor within, called conscience, telling him that he had
violated a universal law, a law enacted by the Maker of man, and
whispered into every man’s bosom. Already Brusque felt that while a
fellow-being was on the island, he was not absolutely free; that this
fellow-being had rights as well as himself; that he had a right to his
life, and that in taking it away he had done a great wrong to justice,
to liberty, and himself.
While these thoughts were passing in his mind, the fisherman
moved, and showed signs of returning life. Brusque was again full of
joy, and fetching some water, sprinkled it over the man’s face. In a
short time he so far recovered as to sit upright, and soon after he
was able to walk about. Brusque led him to the cave, where, lying
down, the fisherman fell asleep.
Brusque now left him, and walked forth by himself. He was of a
reflecting turn, and from his training in the revolution, his reflections
often took a political cast. On this occasion, his thoughts ran thus:—
“What a strange creature I am! A few weeks since, I was mad with
joy at the arrival of this fisherman; soon he became the tyrant of my
life; I then wished him dead; and when I thought I had killed him, my
heart smote me, and I was more miserable than if death had stared
me in the face. He is now alive again, and I am relieved of a load;
and yet, in the midst of this happiness, which seems born of misery, I
still feel a strange sadness at my heart.
“When I was alone, I was perfectly free, but I soon found that
freedom, without society, was like the waters of the river, near which
Tantalus was so chained that he could not drink, thus dying of thirst
with a flood before his eyes.
“I therefore yearned for society, and then I had it by the arrival of
this fisherman. But he became a torment to me. What then is the
difficulty? I believe it is the want of some rules, by which we may
regulate our conduct. Though there are but two of us, still we find it
necessary to enter into a compact. We must form a government, we
must submit to laws, rules, and regulations. We must each submit to
the abridgment of some portion of our liberty, some portion of our
privileges, in order to secure the rest.”
Full of these thoughts, Brusque returned to the cave, and when
the fisherman awoke, he spoke to him on the subject of their quarrel,
and then set forth the necessity of laying down certain rules by which
the essential rights of each should be preserved, and a state of
harmony ensured. To this the fisherman agreed, and the following
code of laws being drawn up by Brusque, they were passed
unanimously:—
Be it ordained by Philip Brusque, late of France, and Jaques
Piquet, of Mauritius, to ensure harmony, establish justice, and
promote the good of all parties:
1. This island shall be called Fredonia.
2. Liberty, being a great good in itself, and the right of every
human being, it shall only be abridged so far as the good of society
may require. But as all laws restrain liberty, we, the people of
Fredonia, submit to the following:
3. The cave called the Castaway’s Home, lately occupied by
Philip Brusque, shall be alternately occupied for a day and night by
said Philip Brusque and Jaques Piquet; the former beginning this
day, and the latter taking it the next day, and so forth.
4. Each person shall have a right to build himself a house, and
shall have exclusive possession of the same.
5. If two persons wish the same fruit at the same time, they shall
draw lots for the first choice, if they cannot agree otherwise as to the
division.
 6. If any difference arises between the two parties, Philip Brusque
and Jaques Piquet, they shall decide such questions by lot.
7. This code of laws shall be changed, or modified, or added to,
only by the consent of the parties, Philip Brusque and Jaques Piquet.
All which is done this 27th day of June, A. D. 18—.
This was neatly cut with a penknife on a board which had come
ashore from the wreck of Philip’s vessel, and it became the statute
law of the island of Fredonia.
(To be continued.)

Contentment.—A gentleman, it is said, had a board put on a

part of his land, on which was written, “I will give this field to any one
who is really contented;” and when an applicant came, he always
said, “Are you contented?” The general reply was, “I am.” “Then,”
rejoined the gentleman, “why do you want my field?”
 Napoleon’s Last Obsequies.

In the first number of our Magazine we stated that the remains of

the late Emperor Napoleon had been conveyed from St. Helena to
France, for interment in the Hospital of the Invalides at Paris. This
event having caused the display of much splendid pageantry, and
public feeling among the French, we have thought it would be
interesting to our readers to see a minute and correct account of the
events and ceremonies that took place on this remarkable occasion.
The body of the Emperor was found in the earth at St. Helena,
where it had been deposited in a tomb of very strong and compact
masonry, so that although the workmen began at noon, it was ten
o’clock at night before they were able to reach the body. It was
enclosed in three coffins, two of mahogany and one of lead, all of
which were found in a perfect state, though nearly twenty years had
elapsed since they had been laid in the earth.
It is difficult to describe with what anxiety, with what emotions,
those who were present waited for the moment which was to expose
to them all that death had left of Napoleon. Notwithstanding the
singular state of preservation of the tomb and coffins, they could
scarcely hope to find anything but some misshapen remains of the
least perishable parts of the costume to evidence the identity. But
when, by the hand of Dr. Guillard, the satin sheet over the body was
raised, an indescribable feeling of surprise and affection was
expressed by the spectators, most of whom burst into tears. The
Emperor himself was before their eyes! The features of his face,
though changed, were perfectly recognised—the hands perfectly
beautiful—his well-known costume had suffered but little, and the
colors were easily distinguished—the epaulets, the decorations, and
the hat, seemed to be entirely preserved from decay—the attitude
itself was full of ease; and but for the fragments of the satin lining,
which covered as with a fine gauze several parts of the uniform, they
might have believed that they saw before them Napoleon still
extended on a bed of state. General Bertrand and M. Marchand, who
were present at the interment, quickly pointed out the different
articles which each had deposited in the coffin, and in the precise
position which they had previously described. It was even remarked
that the left hand which General Bertrand had taken to kiss for the
last time before the coffin was closed up, still remained slightly
raised.
The body was now placed in a new leaden coffin or sarcophagus,
sent out from France for the purpose, and conveyed with appropriate
ceremonies on board a French man-of-war, which immediately sailed
for Cherbourg. Great preparations were made in France for its
reception. On the arrival of the ship at Cherbourg, a steamboat was
ready to convey it up the Seine to Paris. A great number of
steamboats and vessels of all sorts were collected together, forming
a numerous fleet, under convoy of which the corpse was transported
up the river, stopping occasionally at the cities and towns on the way,
to allow the inhabitants the opportunity of gratifying their curiosity
and displaying their enthusiasm, by paying homage to the remains of
the great soldier and chieftain of the French empire. The crowds that
assembled all along the banks of the river were immense. The
military turned out by hundreds and thousands. All sorts of
pageantry, exhibition, and pompous show—consisting of triumphal
arches, pyramids, bridges, columns, and other fanciful and imposing
devices—contributed to give effect to the solemnities.
On the fourteenth of December, 1840, the procession reached St.
Germain, a place within a few miles of Paris. The crowd of
spectators which had thronged to the spot from Paris was so
immense, that it was impossible to proceed and land the body till the
middle of the next day. Two battalions of troops were stationed on
the banks of the river; and the stream was covered with vessels
decked with laurels and wreaths of immortelles, a bright, unfading,
yellow flower, very much in use among the French on funeral
occasions.
At the great bridge of Neuilly, three or four miles from Paris, an
immense rostral column had been prepared, surmounted by a ball or
globe, representing the world, and six feet in diameter. This was
crowned by a huge eagle; but owing to the intense cold of the