a secure and efficient protocol for electronic treasury
play

A Secure and Efficient Protocol for Electronic Treasury Auctions s 1 - PowerPoint PPT Presentation

A Secure and Efficient Protocol for Electronic Treasury Auctions s 1 , Mehmet Sabr Kiraz 2 , Osmanbey Uzunkol 2 Atilla Bekta 1 IAM, Middle East Technical University, Ankara, Turkey 2 MCS Labs, TB ITAK B ILGEM, Kocaeli, Turkey


  1. A Secure and Efficient Protocol for Electronic Treasury Auctions s 1 , Mehmet Sabır Kiraz 2 , Osmanbey Uzunkol 2 Atilla Bekta¸ 1 IAM, Middle East Technical University, Ankara, Turkey 2 MCS Labs, TÜB˙ ITAK B˙ ILGEM, Kocaeli, Turkey BalkanCryptSec 2014, ˙ ITÜ, ˙ Istanbul, Turkey October 17, 2014 A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 1 / 27

  2. Outline Motivation 1 Auctions Current Privacy Issues Our Contribution Our Protocol 2 Security Analysis 3 A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 2 / 27

  3. Auctions Auction: A mechanism with predefined rules for buying and selling. According to the number of participants A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 3 / 27

  4. Auctions According to items Single-Unit Auction: Only one item is available for sale. Multi-Unit Auction: More than one homogeneous/identical item is being auctioned. Multi-Object Auction: Heterogeneous/differentiated items are being auctioned. A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 4 / 27

  5. This Work: Treasury Auctions Method of borrowing money from the market Treasury holds regular auctions for government securities (bonds and bills) Buyers submit bids (quantity and price) Bids are ranked in order The quantity for sale is awarded to the best bids USA (world’s largest and most active market), UK, Germany and Turkey use similar methods A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 5 / 27

  6. An Example of a Treasury Auction (Turkey) Performed only by the Treasury (Republic of Turkey Prime Ministry Undersecretariat of Treasury.) Central Bank = Financial agent of the auction process Primary Dealers = Authorized banks in Turkey Government Domestic Debt Securities (GDDSs) Government bonds: Maturity ≥ 1 year (364 days) Treasury bills: Maturity < 1 year (364 days) A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 6 / 27

  7. An Example of a Treasury Auction (Turkey) Phase 0: Public Call Treasury issues invitations for auction (is announced on the web) Phase 1: Submission Primary Dealers participate in the auction by submitting their unencrypted bids (offers) to the Central Bank Phase 2: Sorting Central Bank sorts the list of bids by unit price and sends the ordered list to the Treasury A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 7 / 27

  8. An Example of a Treasury Auction (Turkey) Phase 3: Cut-Off Point Treasury determines a cut-off point manually, determines the list of accepted / rejected primary dealers and sends the list of accepted bidders to the Central Bank Phase 4: Announcement of the Winners Central Bank informs the bidders about the results A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 8 / 27

  9. An Example of a Treasury Auction (Turkey) Submitted Bids Order Name of the Unit Price Nominal Bank (TRY 100) Amount p i a i 1. Bank 1 94.80 30,000 2. Bank 2 94.00 50,000 3. Bank 3 94.50 50,000 4. Bank 2 94.80 60,000 5. Bank 4 95.00 30,000 6. Bank 5 94.70 60,000 A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 9 / 27

  10. An Example of a Treasury Auction (Turkey) Sorted Bids New Name of the Unit Price Nominal Amount p i · a i Order Bank (TRY 100) Amount 100 p i a i 5. → 1. Bank 4 95.00 30,000 28,500 1. → 2. Bank 1 94.80 30,000 28,440 4. → 3. Bank 2 94.80 60,000 56,880 6. → 4. Bank 5 94.70 60,000 56,820 3. → 5. Bank 3 94.50 50,000 47,250 2. → 6. Bank 2 94.00 50,000 47,000 5 4 p i · a i p i · a i δ = TRY 175 , 000 → � 100 ≥ 175 , 000 and � 100 < 175 , 000 i = 1 i = 1 A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 10 / 27

  11. An Example of a Treasury Auction (Turkey) Cut-off Point New Name of the Unit Price Nominal Amount p i · a i Order Bank (TRY 100) Amount 100 p i a i 1. Bank 4 95.00 30,000 28,500 2. Bank 1 94.80 30,000 28,440 3. Bank 2 94.80 60,000 56,880 4. Bank 5 94.70 60,000 56,820 5. Bank 3 94.50 50,000 47,250 6. Bank 2 94.00 50,000 47,000 = ⇒ Cut-off point = 4 A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 11 / 27

  12. Current Privacy Issues - Bids are submitted in clear text - The names of the investors are not hidden in the list - A malicious Treasury can change the order on the lists the cut-off point A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 12 / 27

  13. Our Contribution - Avoid manual listing and manual determination of the cut-off point - Achieve correctness and privacy in the malicious model - Submit bids in a secure way (i.e. confidentiality & privacy) - Propose a model by - Collecting signed encrypted bids - Putting the list in an order and determining the cut-off point under encryption - Publishing only the winners - Ensuring losers that they indeed loose By using SMPC, Secret Sharing and Threshold Homomorphic Cryptosystem (Paillier). A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 13 / 27

  14. Paillier Cryptosystem n = pq where p � = q large primes n 2 with n | ord( g ) g ∈ R Z ∗ λ := lcm ( p − 1 , q − 1 ) µ := ( L ( g λ mod n 2 )) − 1 mod n where L ( x ) = x − 1 n : Public key (pk) ( n , g ) : Secret key (sk) ( λ, µ ) : plaintext m < n Encryption random value r < n ciphertext c = g m . r n mod n 2 ciphertext c < n 2 : Decryption plaintext m = L ( c λ mod n 2 ) .µ mod n A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 14 / 27

  15. Paillier Encryption is Additively Homomorphic 1 mod n 2 ) . ( g m 2 . r n 2 mod n 2 ) Enc pk ( m 1 , r 1 ) · Enc pk ( m 2 , r 2 ) = ( g m 1 . r n 2 ) mod n 2 = ( g m 1 . r n 1 ) . ( g m 2 . r n = g m 1 + m 2 . ( r 1 . r 2 ) n mod n 2 = Enc pk ( m 1 + m 2 , r 1 . r 2 ) A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 15 / 27

  16. Our Protocol: Submission and Evaluation Phase Private Input B i := ( PD i , p i , a i ) , sk ( 1 ) Primary Dealer ( PD i ) : PD i Central Bank ( CB ) : sk CB δ , sk T , sk ( 2 ) Treasury ( T ) : PD i Public Input Primary Dealer ( PD i ) : pk PD i , pk CB , pk T Central Bank ( CB ) : pk PD i , pk CB , pk T Treasury ( T ) : pk PD i , pk CB , pk T A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 16 / 27

  17. Our Protocol: Submission and Evaluation Phase Primary Dealer ( PD i ) computes (1) y i := ( p i · a i ) / 100 that is amount of payment (2) S B i := Sign PD i [ Hash ( B i )] (3) X i := ( Enc pk PDi ( S B i ) , Enc pk T ( p i ) , Enc pk T ( a i ) , Enc pk T ( y i )) and sends X i to the Central Bank ( CB ). A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 17 / 27

  18. Our Protocol: Submission and Evaluation Phase Treasury ( T ) computes Enc pk T ( δ ) where δ is the amount of required debt of the Treasury and sends Sign T [ Enc pk T ( δ )] to the Central Bank ( CB ). A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 18 / 27

  19. Our Protocol: Submission and Evaluation Phase Central Bank ( CB ) (1) Verifies Sign T [ Enc pk T ( δ )] k k � � (2) Computes output 1 := Enc pk T ( y i ) = Enc pk T ( y i ) i = 1 i = 1 k k � � Enc pk T ( a i ) = Enc pk T ( output 2 := a i ) i = 1 i = 1 A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 19 / 27

  20. Our Protocol: Submission and Evaluation Phase (3) Runs subprotocols using Enc pk T ( δ ) and X i ’s m � (4) Computes output 3 := Enc pk T ( p k ) , output 4 := Enc pk T ( y j ) j = 1 m � Enc pk T ( a j ) , output 6 := Enc pk T ( p m ) output 5 := j = 1 where k is the number of bids, m is the cut-off point and j is the position of the bid in the sorted list. and sends Sign CB [ output i , X j : i = 1 , . . . , 6 , j = 1 , . . . , m ] to the � � Treasury ( T ). A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 20 / 27

  21. Our Protocol: Submission and Evaluation Phase Treasury ( T ) (1) Verifies Sign CB [ output i , X j : i = 1 , . . . , 6 , j = 1 , . . . , m ] � � (2) Computes Dec sk T ([ � output i � : i = 1 , . . . , 6 ]) (3) Computes H j := Hash ( X j ) for j = 1 , . . . , m (4) Forms a lookup table with rows � � X j , H j A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 21 / 27

  22. Our Protocol: Award Phase Primary Dealer ( PD i ) computes Hash ( X i ) and sends it with his certificate cert i to the Treasury ( T ). Treasury ( T ) ? (1) Verifies Hash ( X i ) ∈ { H j : j = 1 , . . . , m } and determines res = “Accept/Reject” (2) Computes Dec sk ( 2 ) ( Enc pk PDi ( Sign T [ res ])) and sends it to PDi Primary Dealer ( PD i ) A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 22 / 27

  23. Our Protocol: Award Phase Primary Dealer ( PD i ) (1) Computes Dec sk ( 1 ) ( Dec sk ( 2 ) ( Enc pk PDi ( Sign T [ res ]))) to get PDi PDi Sign T [ res ] (2) Verifies Sign T [ res ] (3) Computes Dec sk ( 1 ) ( Enc pk PDi ( S B i )) and sends it to the Treasury PDi ( T ). A. Bekta¸ s, M. S. Kiraz, O. Uzunkol BalkanCryptSec 2014 Oct 17, 2014 23 / 27

Recommend


More recommend