Provably correct, secrecy preserving computation and its applications in auctions and securities exchanges.

摘要

Recent advances in cryptography provide powerful new tools for enhancing trust in electronic commerce at low cost. We construct a general model of provably correct, secrecy preserving computation without relying on any particular cryptographic framework or assumptions. This model employs an "Evaluator-Prover" that accepts encrypted inputs from many (possibly unaffiliated) parties, computes one or more functions on those inputs, outputs the functions' results and verifies the correctness of the results to one or more verifiers. We distinguish our work from other secure computation approaches as a balance between absolute security and a completely trusted third party, achieving a model enjoying computational tractability and suitability for business applications.;Our evaluator-prover is not trusted in the traditional sense; it is bound to output only the correct results at all times and prevented from disclosing private data by tools from other areas of computer science research such as trusted computing and network security, rather than the provably secure cryptographic tools employed in many past solutions. We show how to construct an implementation of our model using Paillier's homomorphic encryption scheme. We propose a "time-lapse cryptography service" that produces public encryption keys and guarantees decryption at a particular time by constructing and releasing the corresponding decryption key after a specific interval. This service functions as a new cryptographic commitment primitive with binding, hiding, and nonrepudiation.;Provided with these tools, we construct four new mechanisms for electronic commerce: a cryptographic sealed-bid auction protocol for one or more identical items, a cryptographic combinatorial auction protocol based on the "clock-proxy" auction, a cryptographic securities exchange that conducts a continuous double auction for a particular security, and a cryptographic combinatorial securities exchange that provides for efficient atomic exchange of baskets of many securities.;Along the way, we develop useful building blocks of independent interest, most notably a novel cryptographic mechanism to efficiently prove a solution to a linear or integer program is optimal based on its encrypted inputs and encrypted constraints; this provides unprecedented efficiency in proving the correctness of winner and price determination in our combinatorial clock-proxy auction.