Practical secrecy-preserving, verifiably correct and trustworthy auctions

We present a practical system for conducting sealed-bid auctions that preserves the secrecy of the bids while providing for verifiable correctness and trustworthiness of the auction. The auctioneer must accept all bids submitted and follow the published rules of the auction. No party receives any useful information about bids before the auction closes and no bidder is able to change or repudiate her bid. Our solution uses Paillier's homomorphic encryption scheme [25] for zero knowledge proofs of correctness. Only minimal cryptographic technology is required of bidders; instead of employing complex interactive protocols or multi-party computation, the single auctioneer computes optimal auction results and publishes proofs of the results' correctness. Any party can check these proofs of correctness via publicly verifiable computations on encrypted bids. The system is illustrated through application to first-price, uniform-price and second-price auctions, including multi-item auctions. Our empirical results demonstrate the practicality of our method: auctions with hundreds of bidders are within reach of a single PC, while a modest distributed computing network can accommodate auctions with thousands of bids.


INTRODUCTION
In recent years, auctions and electronic marketplaces have been used to facilitate trillions of dollars in trade in the world economy [10]. Individual events, for instance, the procurement of truckload services by Procter and Gamble, approach $1 billion in transaction value [32]. The eBay marketplace reported a record $44.3 billion volume in the 2005 calendar year, representing a 30% increase over 2004. Governments world-wide use auctions to allocate property rights, including high profile auctions for wireless spectrum [20] and licenses for new cars [2]. Previously used for rare goods, or for time-sensitive goods (e.g., flowers, fish), auctions can now be harnessed for all kinds of commercial transactions [21]. In a typical week in February, 2006, the U.S. treasury sells more than
Despite this success, there is increasing evidence that fraud is an issue that can plague electronic auctions. Indeed, a number of authors have argued that the reason that theoretically appealing auctions such as Vickrey auctions are rare in practice is because of the problem of fraud and untrustworthy auctioneers [31,19]. Two kinds of manipulations come to mind. The first is an auctioneer that deviates from the rules of an auction. This problem can be alleviated at a cost in privacy by the public revelation and verification of all bids. Another more subtle and harder to prevent problem can occur when an auctioneer is in collusion with some bidders, perhaps conveying useful information about bids received during the bidding process.
We have developed a practical protocol for sealed bid auctions that prevents such manipulations. An important factor in its practicality is having a clearly understandable and convincing solution accessible to knowledgeable people who are nevertheless not experts on the intricacies of cryptography and general zero knowledge proofs. To that end, we have carefully examined the role of all parties in a sealed-bid auction and formalized their role in a cryptographically sound protocol. We consider who among them needs to know what, and when; based on that, we have constructed a protocol whose primary aim is not complete security, but rather practicality. We touch on the real-world issues that arise in the actual implementation of such a system. Our protocol provides clear proofs of correctness that reveal minimal knowledge to the parties involved, yet is easily implemented and requires no special technology on the part of the bidders.
We assume only commodity computing resources and a public key infrastructure under which the auctioneer, seller, bidders, and notaries all possess public/private key pairs for digital signatures. The auctioneer holds a private key for bid encryptions and publishes an appropriately certified public key. Bids are encrypted by bidders using this public key, although encrypted bids are kept secret from the auctioneer until an auction closes. The cryptographic methods of homomorphic encryption [25] are used in providing verifiable correctness and trustworthiness.
We thus present a framework for auctions that is both practical and secrecy preserving, while providing for verifiably correct and trustworthy auctions. We focus on two aspects of practicality. First, the auction must clear in reasonable time and with reasonable communication requirements, even for a large number of bidders. Second, the computational architecture must be consistent with practical business models. To achieve this we focus on proofs of correctness rather than secure computation. Unlike previous solutions, e.g., Naor et al. [22], we require neither the existence of multiple auctioneers nor that the auctioneers or bidders collaborate to conduct the auction. We believe that a model involving a single auctioneer that is solely responsible for conducting the auction and independent verification of the auction by third parties is more realistic from a business perspective.
We preserve secrecy by keeping bid information secret from everyone except the auctioneer, and keeping bid information secret even from the auctioneer until the auction closes. The only information revealed to the public is that implied by the outcome of the auction, that is, that implied by the identity of the winner or the payment made by the winner. A secrecy-preserving verification protocol allows anyone, including bidders and third parties, to verify that the auction was correct: the auctioneer correctly determined the winner(s) and associated payment(s) according to published rules. Most importantly, trustworthiness is supported by carefully ensuring that all bidders must follow through with information about bids of pre-committed value and quantity after an auction closes, and the auctioneer must accept and respect all bids in determining the outcome.
In addition to a seller, multiple bidders, and an auctioneer, our model assumes the following commercial entities: Notaries ensure the security of an auction by acting as witnesses. Notaries witness bid submission in order to protect a bidder against an auctioneer who tries to ignore her bids. They may also be used to enforce nonrepudiation of bids after the auction is closed. Delayed private key revelation services are used to prevent a bidder from refusing to respect commitments she has made during the auction protocol.
Our auction process ensures verifiable correctness and trustworthiness. Although an auctioneer learns the values of bids submitted after an auction closes, an auctioneer is not able to use this information to change the outcome in the auction or provide an advantage to any bidder. Thus, we prevent a "bad apple" within the auctioneer's organization from being able to profitably leak information during the course of an auction. On the other hand, and at a considerable gain in simplicity, we have deliberately chosen not to protect against an auctioneer revealing bid values and quantities after an auction has closed and the outcome has been announced. Our design does not provide any algorithmic enforcement for this additional privacy protection. Algorithmic and software methods are available for solving this problem. But in our view they are too cumbersome and hard to understand to find wide business applicability. In solving what we view as the first-order problem of trustworthiness during the execution of an auction, we choose to push these secondary considerations into the realm of contractual obligations and the auctioneer's business reputation. An additional benefit is that this architecture will also allow for extensions to combinatorial auctions for which fully-private computational techniques cannot scale.
Parenthetically, we observe that complete secrecy by the auctioneer can be provided, in cases where it is deemed absolutely essential, by appeal to hardware solutions. Trusted servers, with specially designed hardware and software audited by third parties for correctness, and installed in physically secure locations with ongoing monitoring and auditing, can prevent the leaking of information with high assurance [33]. In fact, with such deliberately opaque servers it is of the utmost import that an auction participant can independently verify the correctness of the outcome of an auction and be assured that there is no fraud. Thus, such technological methods to eliminate secrecy leaks are very well complemented by our methods for verifiable correctness.
To demonstrate the scalability of our technology, we have conducted preliminary timing tests (Section 5). We show that for acceptable strength of the cryptographic security key, single or multi-item auctions with 100 bidders can be prepared in around two hours of computation and verified in less than half an hour, all on a standard (2.8 GHz Pentium 4) PC. We also show that the computations scale linearly with the number of bidders. Because our method is easily parallelizable, it is possible to accommodate even tens of thousands of bidders in at most a day of computation on a 64-node network.

Related Work
Much of the previous work on the use of cryptography for conducting verifiably correct and trustworthy auctions has focused on the goal of complete privacy [16,22,13]; see Brandt [5] for a recent discussion. This is typically achieved through assuming two or more trusted third parties, either with numerous auctioneers [13] or with asymmetric models in which the commercial entity of an auction issuer is assumed in addition to the auctioneer [22,18]. Some protocols achieve this property through bidder-resolved multi-party computation [5]. In comparison, we settle for verifiable correctness and trustworthiness in combination with complete privacy to all parties except the auctioneer; see also [11]. As discussed above, the auctioneer cannot learn any information about bids until the auction has closed. In return we achieve a non-interactive protocol that is especially simple from a bidder's perspective. For trusted third parties we require only notaries, who provide a lightweight "witness" service and are independent business entities that already exist in practice [34]. In the same spirit, whereas previous architectures use cryptography for anonymity, we adopt business entities (e.g., notaries as proxy bidders) for this purpose. Note that achieving information-theoretic guarantees on privacy is impossible in most Vickrey auctions [6]. A single-item Vickrey auction, for example, necessarily reveals the exact second place bid to the winner.
In addition to providing business realism (also see Lipmaa et al. [18] for a critique of previously published methods), we choose to adopt standard methods from homomorphic encryption combined with test sets and eschew more complex cryptographic ideas such as secure multi-party computation, obfuscation of circuits, and oblivious transfer. As Bradford et al. [4] argue, many such complex protocols requiring the participation of bidders suffer from "protocol completion incentive problems", in which bidders who know they have lost or change their minds can disrupt the protocol and prevent the completion of an auction. We intentionally avoid such problems by having a single trusted party compute the outcome.
We share with Lipmaa et al. [18] (see also [1,3,5,35,36]) the use of homomorphic encryption, but seek a simpler solution through the use of a single auctioneer in place of the two server model adopted in their work. In their protocol, the seller and an auction authority, who are trusted not to collude, work interactively to generate zero-knowledge proofs of correctness. This results in stronger privacy properties at the cost of this additional process complexity.
Our approach can be extended to secrecy-preserving multi-item auctions (presented here) and combinatorial auctions (reserved for future work). Specifically, our trusted auctioneer can apply fast algorithms to the combinatorial optimization problem in determining winners. The auctioneer must simply construct a proof that the outcome is correct and need not involve multiple parties in computing the outcome. Earlier work on multi-item auctions either assumes distributed trust [14,36,1], or adopts multi-party computation techniques [5], and the current state of the art for secure combinatorial auctions is still not very scalable [37,35]. One practical issue, addressed in previous work but not here, is that of noncoercibility [7,34] of an auction. Noncoercibility prevents a bidder from being able to credibly claim to a third party that it bid in a particular way after the close of an auction. Auctions with this property are resistant to bidding rings, which depend on bidders proving that their bid was submitted according to the rules of the bidding ring.

PRELIMINARIES

Desired Auction Properties
Based on the analysis in the introduction, we list desiderata for our auction process.
• Non-repudiation by bidders: Once a bidder submits a bid, her bid is provably unalterable. Moreover, a bidder is committed to finally revealing her bid.
• Non-repudiation by auctioneer: The auctioneer's exclusion of a properly submitted bid can be conclusively proven and thus becomes legally actionable.
• Trustworthiness: The auctioneer cannot know the bids until after the close of the bid submission phase. Thus the auctioneer cannot collude with bidders by sharing others' bids during the auction.
• Verifiable correctness: The public and bidders receive a proof of which bids won, and (if applicable) a proof of the correctness of their own payments. The auction protocol enforces correctness; an auctioneer will not be able to present valid proofs for invalid winners or incorrect payments.
• Privacy: The bids are hidden to everyone until all bids are committed. At the close of the auction, only the auctioneer knows any private information. He may keep the outcome private, notifying only winners, or make it public by revealing some or all of the bids, items won by whom, and payments. Revelation of these values does not reveal other private information not implied by the values themselves.
In achieving these properties we make standard cryptographic assumptions. For our homomorphic encryption, we make Paillier's "Composite Residuosity Assumption" (CRA) [25]. CRA implies that if the public key n is difficult to factor, then it is also difficult to compute the n-th root of a number x = r^n (mod n^2). This assumption is related to the widely accepted RSA assumption underlying the security of RSA encryption and is believed to be of similar strength. We further assume that the cryptographic hash function used for commitments preserves the security of the encrypted bids. See Section 2.4.2 for a detailed description of such hash functions. Because the security of our encryption is related to the computational complexity of solving these cryptographic problems, longer cryptographic keys and more complex hash algorithms can be adopted over time as computational hardware gets more powerful. This will maintain the same level of realized security at comparable computational running time.

Real-World Components
As usual, our auction system comprises an auctioneer AU, bidders B = {B_1, . . . , B_k}, and a seller. Bidders can also be proxies to provide anonymity. In addition, we assume a universally accessible, tamper resistant clock (such as provided by the United States NIST time servers) and the following two components:

Certified Bulletin Board
The auctioneer maintains a certified bulletin board. This can be a publicly known website maintained and updated by the auctioneer. The auctioneer uses the bulletin board to post all public information about the auction, including the initial auction announcement as well as (encrypted) information about bids that have been submitted and proofs that can be used to verify all publicly available information about the outcome. All posts to the bulletin board will carry appropriate digital signatures.

Notaries
Notaries N = {N_1, . . . , N_m} are reputable agents, such as law firms, accountants, or firms specializing in providing a witness for bidders. When preparing to participate in an auction, a bidder may select a set of notaries of her choosing from some set of notaries possibly authorized by the auctioneer. In using a notary, whenever a bidder sends bid information to the auctioneer she also sends the information to any notaries she has selected. These notaries also submit this information to the auctioneer, and act as witnesses in the case that a bidder notices that an auctioneer does not post correct information to the bulletin board. We require that a majority of the notaries is uncorruptible. Note that our process is structured so that no information about the actual bids is revealed to the notaries, and their only role is to serve as witnesses in case of a dispute between a bidder and the auctioneer.

Overall Flow and Main Steps of Auction
Schematically, the auction process will proceed in three main stages. In the first stage, the auctioneer posts the auction announcement on the bulletin board. The announcement, to be detailed later on, includes a deadline time T for submitting bids. In the second stage, the bidders commit to bids but post bid information in a form that is hidden even to the auctioneer. Notaries are engaged in this stage. In the final stage, the bidders must follow through and reveal the encryptions of their bids to the auctioneer and the public. The auctioneer and other bidders verify that these encrypted bids are consistent with the posted commitments. The auctioneer then decrypts the bids in secret, and performs computation to determine the optimal outcome of the auction. The auctioneer then posts public proofs that the selection of the winner(s) and their payments was done according to the auction rules. After the last posting, any party can verify the correctness of the outcome.

Cryptographic Tools
Our system relies on mathematically sound and widely accepted cryptographic tools. We describe the tools we employ in our result, referring to other publications for established results and providing proofs for new uses of existing tools. We will sometimes refer to a "prover" P and a "verifier" V when discussing secrecy-preserving proofs of mathematical facts relating to our auctions.

Public Key Infrastructure
We assume cryptographically sound methods of establishing and exchanging public keys used for all the cryptographic tools we employ. Specifically, the auctioneer requires a public/private key pair for Paillier encryption [25]. Public keys are used for encryption and private keys for decryption. In addition, the auctioneer, notaries, and all bidders require public/private key pairs for digital signatures. The public keys of all parties must be mutually known and certified correct. We notate digital signatures as follows:

Commitments
Cryptographic commitments enable a party to commit to a particular value (such as a bid or number of items desired) without revealing that value until later, and prevent the party from claiming their value was anything other than the original value committed to. Auction participants will, when so required, commit to data D by applying a hash function H to data D then digitally signing that hash value H(D). The hash function is required to be perfectly concealing of all information about D, as well as collision resistant in the sense that it is computationally intractable to find two different data values x and y such that H(x) = H(y). In practice, we can employ a widely used hash function such as Whirlpool [28] or a member of the SHA-2 [23] family, which are assumed to have the required properties.

Sources of Randomness
Cryptographic key generation and probabilistic encryption require a good source of random data. We postulate bidders' and notaries' ability to create enough highly random data to create strong key pairs and encrypt or sign a small number of values. We further postulate that the auctioneer has a source of random data sufficient to encrypt large numbers of integers used in the secrecy-preserving proofs described below. Such a source might be hardware that extracts randomness from radio static or quantum noise in diodes. Such "hardware randomness generators" are already in widespread use in applied cryptography.

Delayed private key revelation
Let Bid_i denote the bid value of bidder B_i. We need to guard against a bidder B_i, possibly in collusion with the auctioneer, refusing to open her commitment and reveal her encrypted bid E(Bid_i). One approach to provide non-repudiation employs a delayed private key revelation service, DPrKR. Such a service will at regular intervals (say every minute) post a new cryptographic public key followed by posting the associated private decryption key after a fixed period of time (say an hour later). Before time T of the close of the auction, each bidder B_i encrypts Z = E_DR(E(Bid_i)) (where the bid is first encrypted with the public key of the auctioneer), and posts Sign_i(Z) on the bulletin board using a DPrKR public encryption key DR whose decryption key will be released after time T + 1. After time T + 1, the decryption key DDR associated with DR will be posted by DPrKR. This method will be used to allow the auctioneer (and everybody else) to decrypt Z = E_DR(E(Bid_i)) using DDR after time T + 1 if the bidder herself refuses, guaranteeing the auctioneer alone access to Bid_i. If so desired, several independent DPrKR services can be used for combining encryptions.

Verifiable and Confidential Comparisons
Paillier's encryption scheme [25] enables integer values to be encrypted in such a way that it is possible to perform arithmetic operations on those values using only the encrypted data. We present a technical exposition in Appendix A for the interested reader.
Paillier's is a homomorphic encryption system, in which the result of an operation applied to two ciphertexts is a valid encryption of an operation (possibly the same one) applied to their plaintexts. In cryptography, a plaintext is the original form of a message, in our case the integer representing a bid or quantity; a ciphertext is the encryption of a plaintext. Homomorphic encryption schemes enable computation over the hidden values without revealing either the values themselves or the results of the computation without proper decryption. Paillier's system employs a public/private key pair, n and φ respectively. The public key n is the product of two large prime numbers p and q, and its size is determined by the security requirements of the application. A 1024-bit public encryption key is widely considered sufficient for security until 2010 [12]. Paillier encryption is also a "probabilistic encryption" scheme. Encryptions are performed with a random "help value" r that is used to achieve semantic security: given two plaintexts and two encryptions of them, one cannot tell which ciphertext corresponds to which plaintext without being able to decrypt them. Semantic security is critical for our test set mechanism to preserve the secrecy of the bids.
The encryption of a message x will typically be denoted E(x, r), where the public key n is implicit and the help value r is made explicit. In discussion below, the help value r will sometimes be omitted to simplify notation where it is implicit or irrelevant, for example, C = E(x).
We present here a summary of the properties of, and extensions to, Paillier's scheme we use in this paper. First, given only the encryption E(x_1) and either another encryption E(x_2) or a constant k, anyone can compute the encryptions E(x_1 + x_2), E(x_1 + k), and E(x_1 · k) without learning anything about x_1, x_2, or n. Second, based on these properties and the following Range-of-Values tests, we can also prove a full set of inequality operations for two encrypted values E(x_1) and E(x_2), e.g., x_1 = x_2, x_1 > x_2, etc., again, without revealing anything about x_1 or x_2. It is also possible to compare encrypted bids to constants in a similar way. We employ the notation E(x) ¢ E(y) to mean "x ≤ y can be proven using encrypted values E(x) and E(y)" and the similar notation ¤ (≥), ¡ (<), and £ (>). The verification of these comparisons is detailed in Appendix A.4.

Verifiable, Confidential Range-of-Values Tests
Given ciphertext C = E(x, r) we need to prove that x < 2^t for some t such that 2^t < n/2. That is, we want to be able to verify that a bid Bid_i is smaller than some agreed upon bound 2^t, without revealing any information about Bid_i. The value of t determines the number of bits of resolution available to bidders in selecting their bids. For our purposes it suffices to take t = 34, so that if bids are in units of one thousand dollars, for example, then bids are limited to at most $16 trillion.
This primitive is essential for proving inequalities. Because some of our mathematical operations are over the integers modulo n (Z_n), a small negative number is the same as a large positive number, and vice versa. For example, 13 ≡ −2 (mod 15). To prove for two values a and b that a ≥ b, we first show that a, b < n/2 and then that a − b < n/2. This works because if a and b are less than n/2 and a is greater than b, then clearly a − b < n/2, and if a is less than b, then a − b will "wrap around" modulo n and must be a large number, that is, a < b → (a − b) (mod n) > n/2. The formal details of this are found in Appendix A.4.
We perform the test as follows: A valid test set TS for the assertion "C = E(x, r) is an encryption of a number x < 2^t < n/2" is a set of 2t encryptions: where each of the powers of 2: 1, 2, . . . , 2^{t−1} appears among the u_i exactly once and the remaining t values u_j are all 0.
By use of a test set TS, the prover P can prove that x < 2^t < n as follows: Range Protocol. Let x = 2 t 1 + . . . + 2 t be the representation of m, a sum of distinct powers of 2. AU selects from TS the encryptions G j 1 , . . . , G j of 2 t 1 , . . . , 2 t , and further t − encryptions G j +1 , . . . , G j t of 0. Note that: is an encryption of 0 with help value s = r^{−1} · s_{j_1} · . . . · s_{j_t} (mod n) if and only if indeed x = 2 t 1 + . . . + 2 t and the G_{j_h} were chosen as stated. Now since AU has the decryption key φ and thus knows the help value r, he can hand over to V the set {G_{j_1}, . . . , G_{j_t}} and the above help value s. V can now verify on her own that (2) holds and deduce that x < 2^t < n/2.
The above protocol reveals nothing to V beyond x < 2^t < n/2, because TS is a set, in actual implementation a randomly permuted array of the elements in question. Consequently V has no information about which encryptions of powers of 2 are included in {G_{j_1}, . . . , G_{j_t}}. Furthermore, the inclusion of t − encryptions of 0 hides even the number of non-zero bits in the binary representation of m. Finally, the inclusion of random factors s_{j_1}, . . . , s_{j_t} in the computation of the help value s completely masks any information about the help value r in the encryption E(x, r). Consequently no information about x is revealed.
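The following is an added, runnable illustration of the Range Protocol above together with the homomorphic operations and the a ≥ b argument of the preceding paragraphs; it is not the paper's code. It assumes a deliberately toy-sized Paillier key (two primes near 10^6, so everything runs instantly), t = 8 bits of resolution instead of 34, and one fresh test set per range test, with the auctioneer AU acting as prover and holding the decryption key.

```python
import math
import random
from dataclasses import dataclass

# Toy key: two small primes so the example runs instantly (constructed for this
# example). A real deployment uses a ~1024-bit n; nothing below changes with key size.
P, Q = 999983, 1000003
N = P * Q
N2 = N * N
LAM = math.lcm(P - 1, Q - 1)   # private key (the paper's phi)
MU = pow(LAM, -1, N)
T = 8                          # bits of bid resolution; the paper uses t = 34, 2^t < n/2

def encrypt(x, r):
    """Paillier E(x, r) = (1 + n)^x * r^n mod n^2 with explicit help value r."""
    return (1 + x * N) * pow(r, N, N2) % N2

def decrypt(c):
    u = pow(c, LAM, N2)
    return ((u - 1) // N) * MU % N

def recover_help_value(c, x):
    """Key holder recovers r from C = E(x, r): C * (1+n)^(-x) = r^n mod n^2."""
    rn = c * pow(1 + x * N, -1, N2) % N2 % N
    return pow(rn, pow(N, -1, LAM), N)

def add(c1, c2):        return c1 * c2 % N2               # E(x1 + x2)
def add_const(c, k):    return c * (1 + k * N) % N2       # E(x1 + k)
def mul_const(c, k):    return pow(c, k, N2)              # E(x1 * k)
def sub(c1, c2):        return c1 * pow(c2, -1, N2) % N2  # E(x1 - x2 mod n)

@dataclass
class TestSet:
    cts: list      # the 2t posted ciphertexts G_i, randomly permuted
    secret: list   # prover-side (u_i, s_i) pairs, same order; revealed only if opened

def make_test_set(rng):
    """Valid TS: each of 1, 2, ..., 2^(t-1) encrypted once, plus t encryptions of 0."""
    plain = [1 << i for i in range(T)] + [0] * T
    rng.shuffle(plain)
    secret = [(u, rng.randrange(2, N)) for u in plain]
    return TestSet([encrypt(u, s) for u, s in secret], secret)

def prove_range(c, ts):
    """Prover side: choose the G_j encrypting the set bits of x plus enough
    encryptions of 0 to make exactly t entries, and hand over
    s = r^-1 * s_j1 * ... * s_jt mod n. Returns None when x >= 2^t."""
    x = decrypt(c)
    if x >= 1 << T:
        return None
    r = recover_help_value(c, x)
    need = {1 << i for i in range(T) if x >> i & 1}
    zeros = T - len(need)
    idx = []
    for j, (u, _) in enumerate(ts.secret):
        if u in need:
            need.remove(u)
            idx.append(j)
        elif u == 0 and zeros:
            zeros -= 1
            idx.append(j)
    s = pow(r, -1, N)
    for j in idx:
        s = s * ts.secret[j][1] % N
    return idx, s

def verify_range(c, ts, proof):
    """Verifier: t distinct entries and prod(G_j) * C^-1 == s^n mod n^2, i.e. E(0, s)."""
    if proof is None:
        return False
    idx, s = proof
    if len(set(idx)) != T or not all(0 <= j < 2 * T for j in idx):
        return False
    prod = 1
    for j in idx:
        prod = prod * ts.cts[j] % N2
    return prod * pow(c, -1, N2) % N2 == pow(s, N, N2)

def check_opened_test_set(cts, opened):
    """Cut-and-choose: an opened TS reveals all (u_i, s_i); V re-encrypts each
    and checks the multiset is exactly t zeros and the t powers of 2."""
    return (all(encrypt(u, s) == g for g, (u, s) in zip(cts, opened))
            and sorted(u for u, _ in opened) == [0] * T + [1 << i for i in range(T)])

def prove_geq(ca, cb, sets):
    """a >= b via three range proofs: a < 2^t, b < 2^t and (a - b mod n) < 2^t.
    If a < b the difference wraps to a value above n/2 and the third proof fails."""
    ta, tb, td = sets
    return prove_range(ca, ta), prove_range(cb, tb), prove_range(sub(ca, cb), td)

def verify_geq(ca, cb, sets, proofs):
    ta, tb, td = sets
    pa, pb, pd = proofs
    return (verify_range(ca, ta, pa) and verify_range(cb, tb, pb)
            and verify_range(sub(ca, cb), td, pd))
```

Note that verify_range only establishes the bound if the test set itself is valid, which is exactly what the cut-and-choose opening of other test sets (check_opened_test_set) is for.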
There is, however, a problem with the above protocol in that V does not know that AU has presented her with a true test set. This is overcome as follows. For ease of understanding we first describe an interactive verification protocol, then modify it for non-interactive use. The idea is to use a "cut and choose" procedure in which the prover commits to a number of test sets and allows the verifier to choose and inspect multiple test sets and make sure that they are each valid. Finally, the remaining test sets are all used to complete the proof. An early, possibly the first, use of this idea was presented by Rabin [26]. In our example of v = 20, that probability is, by Stirling's Theorem, about √(20π) · 2^{−40} < 8 · 10^{−12}. Thus, we have a zero-knowledge protocol for V to verify interactively with AU that x < 2^t < n/2, when given a ciphertext E(x, r) such that the inequality actually holds.
Tamper Proof Non-Interactive Verification of x < 2^t < n/2. We prefer to adopt the following non-interactive method to establish the validity of test sets in our scheme. In what follows, we adopt the auctioneer AU as the prover. Suppose that there are (as in Section 3.2) 2k range-of-values tests to perform. On closing the auction but before receiving information about bids, AU posts 4kv test sets on the bulletin board. (For expository convenience, we proceed below with our assumption of v = 20.) Prior to closing, each bidder, the seller (if desired), and the auctioneer are also asked to commit to a random string of length M bits, which will be revealed after the auction closes and after the auctioneer commits to test sets. Given strings S_i from each bidder, S_S from the seller, and S_AU from the auctioneer, the strings are XORed together to generate X = S_1 ⊕ S_2 ⊕ · · · ⊕ S_k ⊕ S_S ⊕ S_AU. Note that even if only one of the participants chooses his string randomly and independently, then X is a truly random string.
The 80k test sets posted on the Bulletin Board are then segmented into 2k groups of 40 test sets each, i.e., the first 40 test sets, the next 40 test sets, etc. The random bit-string X is then used, in combination with a fixed rule available to all participants and posted at the start of the auction to the bulletin board, to select 20 test sets from each group. This random selection replaces the random selection by the verifier V employed in the interactive proof and allows the proof to work without interaction. In Appendix B we offer an accelerated version of this non-interactive verification, that we refer to as bulk verification. Bulk verification verifies all the test sets used in the auction en masse and economizes on the number of random sets that must be checked.
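An added example (not the paper's code) of the non-interactive selection just described: the committed random strings are XORed into X, a fixed public rule picks v = 20 of each group of 40 posted test sets to open, and the rest are kept for the proofs. The concrete rule (a Fisher-Yates shuffle driven by SHA-256 of X and the group number) and the string length M = 256 bits are assumptions; the paper only requires that the rule be fixed and posted before the auction starts.

```python
import hashlib
import math

M = 256            # bits in each committed random string S_i (assumed; the paper leaves M open)
V = 20             # test sets opened per group; each group holds 2v = 40
GROUP = 2 * V

def commit(s: bytes) -> bytes:
    """Com = H(S): the hash-based commitment posted before the auction closes."""
    return hashlib.sha256(s).digest()

def combine_strings(strings):
    """X = S_1 xor ... xor S_k xor S_S xor S_AU; uniformly random if any one input is."""
    x = bytes(M // 8)
    for s in strings:
        if len(s) != M // 8:
            raise ValueError("every committed string must be exactly M bits")
        x = bytes(a ^ b for a, b in zip(x, s))
    return x

def select_indices(x: bytes, group: int):
    """Assumed fixed public rule: Fisher-Yates shuffle of the 2v positions in a group,
    driven by a SHA-256 counter stream seeded with X and the group number; the
    first v positions after the shuffle are the test sets the verifier opens."""
    positions = list(range(GROUP))
    seed = hashlib.sha256(x + group.to_bytes(4, "big")).digest()
    for step, i in enumerate(range(GROUP - 1, 0, -1)):
        word = hashlib.sha256(seed + step.to_bytes(4, "big")).digest()[:4]
        j = int.from_bytes(word, "big") % (i + 1)
        positions[i], positions[j] = positions[j], positions[i]
    return sorted(positions[:V])

def split_test_sets(num_tests, x):
    """For each of the 2k range tests: (indices to open, indices kept for the proof)
    into the 4kv test sets posted on the bulletin board, group g = sets [40g, 40g+40)."""
    plan = []
    for g in range(num_tests):
        base = g * GROUP
        opened = {base + i for i in select_indices(x, g)}
        kept = [base + i for i in range(GROUP) if base + i not in opened]
        plan.append((sorted(opened), kept))
    return plan

def verify_revealed_strings(commitments, revealed):
    """After the close: each party's revealed S must match the commitment posted before T."""
    return (len(commitments) == len(revealed)
            and all(commit(s) == c for c, s in zip(commitments, revealed)))

def undetected_cheating_probability(v=V):
    """A prover who poisons v of the 2v sets in a group escapes only if all v opened
    sets happen to be honest: 1 / C(2v, v), roughly sqrt(v*pi) * 2^(-2v)."""
    return 1 / math.comb(2 * v, v)
```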
Damgård et al. [8] and Lipmaa et al. [18] present other solutions for proving an encrypted value is within a particular range.

SINGLE-ITEM AUCTIONS
Given the above cryptographic tools, we can formulate a single-item auction succinctly. We assume that the bidders B_1, . . . , B_k are known entities with publicly known digital signatures Sign_i. We further assume that the winner and her payment depend only on the ordering of the bids and that the payment is one of the bids. This class of auctions includes first-price and second-price auctions, and also allows for auctions with reservation prices by a simple extension in which the seller also submits a bid [15].

Protocol
Step 1. AU posts the following information on the bulletin board: the terms of the auction specifying the item, the mechanism for selection of the winner, the deadline T, an identifier ID of the auction, and a Paillier encryption key n. AU knows the corresponding decryption key φ. The auctioneer also posts information about the notaries that are to be used for the auction. He posts the cryptographic hash function H to be used by all participants in constructing their commitments. Finally, the auctioneer defines the method that will be used for extracting a random permutation of test set indices from a random string to be used when proving the correctness of the auction. We emphasize that all of the above data D_AU is posted on the bulletin board, accompanied by AU's signature Sign_AU(D_AU).
Step 2. Every B_i chooses a bid Bid_i. She encrypts it as C_i = E(Bid_i, r_i) using the public key n and a randomly chosen help value r_i. In order to create efficient test sets to prove bid sizes, we restrict the size of the bid so that Bid_i < 2^t < n/2 for small t, say, t = 34. Every B_i also generates a random bit string S_i of length M which is used in the proof. Bidder B_i then commits to C_i and S_i by using the hash function, to form a single commitment string Com_i, which also includes the identifier ID of the auction. Finally, the bidder signs this commitment, and sends Sign_i(Com_i) to AU and her notaries, if used, before time T. AU returns a signed receipt R_i = Sign_AU([Com_i, ID, T]).
Note that hiding of the encrypted bids and of the random strings by use of the hash function H prevents anyone from gaining any knowledge of the data prior to time T . In particular, neither the notaries nor the auctioneer have any meaningful information.
Step 3. At time T, AU posts all the received commitments Com_1, . . . , Com_k on the bulletin board, as well as a random bit string S_AU of length M. AU also creates a number of test sets TS_1, TS_2, . . . , TS_K, where K is a multiple of k, e.g., K = 80k. He signs and posts the test sets on the bulletin board.
Step 4. Between time T and T + 1 any bidder B_i who has a receipt R_i for a bid which is not posted can appeal her non-inclusion, resorting to her notaries if she has used them.
Step 5. After time T + 1, every B_i sends to AU her encrypted bid C_i = E(Bid_i, r_i) as well as her random string S_i. After time T + 1, AU posts the encrypted bids, C_1, . . . , C_k, and the random strings, S_1, . . . , S_k, on the bulletin board. Every bidder B_i can verify, for any bidder B_j, that the posted value Com_j corresponds to the ciphertext C_j and the random data string S_j. In case of discrepancies she protests. This check can be performed simply by computing H(C_j), H(S_j), and checking the digital signature Sign_j(H(C_j), H(S_j), ID).
To discourage AU from decrypting and observing some bids after time T and sending instructions to a favored bidder (for instance, instructing the bidder not to unlock her bid), we summarize two solutions. First, bidders who get such a warning and consequently refuse to unlock their bids before time T + 1 could be obligated to pay a large fine to a disinterested third party, such as one of the notaries in the auction. Thus, with this view the notaries not only act on behalf of a bidder in providing a witness to ensure that their own bids are respected by the auctioneer, but notaries also act on behalf of a bidder in ensuring that other bidders must follow through and reveal bids to which they had earlier committed. Our preferred method (due to its simplicity) is to use delayed decryption key revelation services, DPrKR. For this, bidders must submit encryptions of their encrypted bids E_DR(C_i) before time T + 1 to be decrypted at time T + 1. AU posts these on the bulletin board before time T + 1, and at time T + 1 both AU and verifiers can open them simultaneously to recover the encrypted bids C_i. Incidentally, a completely trustworthy DPrKR service could even be used from the beginning of the auction, obviating the need for cryptographic commitments.
Step 6. Using the decryption key φ, AU recovers the bids Bid_1, . . . , Bid_k. The auctioneer then computes the winner of the auction and the payment according to the auction rules. The auctioneer posts to the bulletin board the winner's identity B_i and information defining the payment to be made by the winner. This information about the payment can be posted in encrypted form if the payment is to be kept private from non-winning bidders. Finally, and most importantly, the auctioneer also posts information that enables any party to verify that the correct result was implemented. This includes proofs of the correctness of the winner and payment, and proofs of the validity of each bid.

Verification
We now show how any verifier V (including any of the bidders) can verify on her own that the winner and payment of the auction were determined according to the rules of the auction. This will be done in a "zero knowledge" fashion, that is, without revealing anything about the value of any bid except that implied by the outcome of the auction. In addition, the auctioneer can choose how much of the outcome is revealed. For example, the proof can validate that an encrypted payment was correctly determined but without revealing any information about the value of the payment.
The class of single-item auctions under consideration (including first-price and second-price auctions) has the property that the winner and payment depend only on the ordering of the bids. In the case of a second price (or Vickrey) auction, the item is sold to the highest bidder but for the second highest price. This auction has useful theoretical properties: it is a dominant strategy for bidders to report their true willingness to pay, the auction is efficient, and Vickrey auctions with reservation prices (see Footnote 14) are revenue maximizing in symmetric environments when the auctioneer has the same prior information about the value of each bidder before the auction [15]. In the case of a first-price auction, the item is sold to the highest bidder for the highest price.
Take as an example the Vickrey auction and assume, without loss of generality, that AU announces that B_1 is the winning bidder, which is tantamount to the following set of claims: Note that the encrypted values were posted in Step 5 of the protocol. To prove the claims, it suffices to show that each C_i is an encryption of a valid bid 0 ≤ Bid_i < 2^t < n/2 for all i, and that Verifier V verifies these 2k − 1 claims in a zero knowledge fashion using the tools described above, which enables verification of the winner, item allocation, and payment as described in the next paragraphs.
Recall that the auctioneer had posted 2k groups of 40 test sets in Step 3. He creates proofs for each of the first k claims using k of these groups of 40 test sets, one for each claim. He reveals all encryptions for the subgroup of 20 test sets determined by the random string X and the random method posted in Step 1 of the auction. With each of the 20 other test sets AU performs the computation described in Section 2.4.6 (Range Protocol) and posts it on the bulletin board. V can verify that all the revealed test sets are valid, that their indices were chosen correctly, and that the k posted computations are of the form (2). This verifies the first k claims. In addition, AU posts proofs for the k − 1 claims that Bid_1 > Bid_2 and Bid_2 ≥ Bid_i, 2 < i ≤ k, by using k − 1 groups of 40 additional test sets for each inequality using the methods described in Section A.4.
This ordering of bids is used to verify the winner as the bidder with identity corresponding to submitted bid E(Bid_1), and the item is allocated to this bidder. In a Vickrey auction, the payment to be made by the winner is Bid_2 and this can be proved by sending a verifier V the random help value r_2 from B_2's encrypted bid C_2 = E(Bid_2, r_2). V can then verify the correctness of its payment by re-encrypting Bid_2 with r_2 and checking the result is C_2.

Footnote 14. In a Vickrey auction with a reservation price, in addition to bids Bid_1, . . . , Bid_k there is a price rp_s from the seller. This is handled just as a bid within the auction. The item is sold to the highest bidder if the maximal bid is at least rp_s but goes unsold otherwise. (Think of this as "selling back to the seller".) When sold, the payment is the maximal value of the second highest bid and the reservation price. Note that because the seller must commit to her reservation price just like any other bidder there is no danger of shill bidding.

MULTI-ITEM AUCTIONS
Consider now auctions for multiple identical items. In these auctions, the auctioneer has some number l of available identical items for sale. Real-life examples include large lots of refurbished items on eBay, or U.S. Treasury bills. As before, we will be able to implement a general class of auctions that includes the first-price, uniform-price, and second-price (generalized Vickrey) auctions. We choose to illustrate the framework for divisible bids, in which bidders are willing to accept any number of items up to a maximal limit and bid a price per item. We also assume that no winning bids are equal. However, there is nothing about the framework that is limited in this way, and a treatment of tied bids and extensions to "all-or-nothing" bids and "bid curves" will be described in future work.

Protocol
Step 1. AU posts the auction information on the bulletin board as in Section 3.1. In addition, AU posts the total number of items available, l, and the maximum allocation to any one bidder (if any), l_max.
Step 2. Each participating bidder B_i prepares two integer values (Bid_i, Qty_i) for each bid she wishes to submit to the auction, where Bid_i is the amount that she will pay per item and Qty_i is the maximum number of items desired by B_i. As above, B_i also generates a random bit string S_i and sends it to AU. B_i then encrypts Bid_i and Qty_i, using AU's public Paillier key n, as E(Bid_i) and E(Qty_i) and commits by sending AU and her notaries, if used, commitments and digital signature Sign_i(Com_i). AU issues a receipt for these commitments and publishes them on the bulletin board in accordance with our standard protocol.
Step 3. As above, at time T AU posts received commitments, his random string S_AU, and test sets on the bulletin board. The number of test sets will depend on the type of the auction and the payment calculation; these numbers are detailed in Section 5.
Step 4. As above, bidders have between time T and T + 1 to appeal non-inclusion, which may involve resorting to the commitments sent to any notaries.
Step 5. As above, bidders reveal their encrypted bids and quantities E(Bid_i) and E(Qty_i), as well as their strings S_i, between time T and T + 1, which AU publishes on the bulletin board. All bidders can check that the revealed values correspond with earlier commitments.
Step 6. AU privately recovers bids Bid_i and quantities Qty_i using private key φ, and uses the information to compute the correct outcome of the auction. An important notion in a multi-item auction is that of the threshold bid index, α. This is defined such that bidders B_α, . . . , B_k do not receive any items. The sum of the quantities associated with winning bids Bid_1, . . . , Bid_{α−1} is greater than or equal to the number of available items l, and this is not true for a smaller threshold index. Thus all bidders B_i, such that i < α, are winners. The threshold winner α − 1 may receive some subset of her total demand. Formally, threshold index α is defined so that: Note that we have assumed here that there are enough bidders to cover all of the supply. This can be handled without loss of generality, by also introducing a single dummy bid at zero price for all supply, l. In addition to determining α, and thus the winners in the auction, AU also posts proofs of the identity of the winner(s) and their allocations on the bulletin board, as well as proofs of the validity of each bidder's bid and quantity. He also computes proofs of correctness of each winner B_i's payment. If public verification of payments is required, AU posts these correctness proofs on the bulletin board, along with the random help values needed to decrypt the payments. If the payments are to remain secret, he publishes the proofs on the bulletin board but sends the random help values privately to each winner.

Verification
The verification step in a multi-item auction is more complex than for the single-item auction, but relies largely on the same cryptographic primitives used in the simpler single-item case. Each verification can be done in a zero knowledge fashion, revealing no information beyond that implied by the outcome of the auction (see Footnote 15). As before, AU first publicly proves the minimum bid-ordering information, that all winning bids are strictly greater than the threshold bid Bid_α, i.e., Bid_i > Bid_{α−1} for all i < α − 1 and Bid_{α−1} > Bid_j for all j ≥ α. This reveals only minimum public information about the value of the bids; the same information that is implied by the outcome. AU will also prove that the bid values are valid and without wraparound. (See Section 2.4.6 for an explanation of wraparound.) In addition, AU must also prove that the quantities of the items were encrypted correctly, i.e., without wraparound. We assume that l < 2^t < n/2 for number of available items l and test set size parameter t. AU first proves that no bidder has submitted a quantity greater than a specified maximum allowed allocation l_max ≤ l. To do this, AU first encrypts E(l, 1) and E(l_max, 1); a random help value of 1 is used so that anyone can verify those encryptions. AU then proves Qty_i ≤ l_max over the encryptions E(Qty_i) and E(l_max, 1) for all 1 ≤ i ≤ k. Next, AU can use encryptions of various sums of quantities to prove the correctness of the threshold bid index α. Paillier's homomorphic encryption system allows for a zero-knowledge proof that a ciphertext represents the encrypted value of the sum of two encrypted values; in particular, the product of the ciphertexts E(Qty_i) is an encryption of the sum of the quantities Qty_i. Given this, AU can establish Eq. 7 over the encrypted quantities:

Payment
In a first-price auction, the auctioneer can prove a payment to a third party by revealing the random help value used to encrypt winner B_1's bid, and optionally the value Bid_1 itself. A verifier can simply check that the bid value corresponds with the encrypted value submitted by the bidder. Similarly, in a uniform-price auction, whereby every bidder pays the bid price of the losing threshold bidder B_{α−1}, AU can provide a public proof by revealing Bid_{α−1} via the help value used by B_{α−1}. The uniform price auction is an approximation to a Vickrey auction in this setting. We turn our attention to proving the correctness of prices in a generalized Vickrey auction, or Vickrey-Clarke-Groves (VCG) mechanism, for this multi-item setting [15]. In a VCG mechanism the items are allocated according to the price bid, but the actual payment for each winner depends on others' bids. The Vickrey payment for bidder B_i is defined as: where V(B) is the total revenue in the auction with all bidders, V(B_{−i}) is the total revenue in the marginal economy with bidder B_i removed, and Qty*_i denotes the quantity allocated to bidder i in the auction. This has a simple interpretation: a bidder's payment is determined as the greatest amount other (displaced) bidders would have paid for the same items had B_i not been participating in the auction.

Footnote 15. In the method presented, the verifier V learns the number of bids required to compute a Vickrey payment in the marginal economy E(B_{−i}). We can get around this through using multiple "thresholds" and zero allocations; we reserve a full discussion of this detail for future work.
We require a proof to establish the correctness of this payment. Let Qty^{−i}_j denote the quantity awarded to bidder B_j in the marginal auction without bidder B_i. For a non-marginal winner, i.e., i < α − 1, her VCG payment is: For the marginal winner, i = α − 1, her VCG payment is: Thus, the VCG payment by bidder B_i is a linear combination of the product of the bid price and allocated quantity to bidders displaced by bidder B_i from the winning allocation. In the case of a non-marginal bidder, this computation also accounts for the effect on the allocation to bidder α − 1.
Consider the following verifiable proof structure for the term ∑_{α−1 < j ≤ β_i − 1} Qty^{−i}_j · Bid_j that is common to both kinds of winners:
Step 1. In generating the proof, AU must first establish a bid ordering for the marginal auction without B_i, i.e., prove that β_i is the correct threshold bid index by showing Bid_j > Bid_{β_i − 1} for j ≠ i, j < β_i − 1 and Bid_{β_i − 1} > Bid_j for j ≥ β_i; this can be done as in the main auction. Second, AU must prove that bidder β_i − 1 is the threshold winner in this auction, by proving the analogue to Eq. 7. Third, AU must publish encrypted values Pay_j = Qty_j · Bid_j for all α − 1 < j < β_i − 1 (and similarly for the new marginal bidder, Pay_{β_i − 1} = Qty^{−i}_{β_i − 1} · Bid_{β_i − 1}), and prove the correctness of all of these ciphertexts. This requires proofs of correct multiplication, as described in Appendix A. The proof of Pay_{β_i − 1} in turn requires a proof of the quantity allocated Qty^{−i}_{β_i − 1} to this bidder, via a proof that a published ciphertext is the encrypted value of l − ∑_{j ≠ i, j < β_i − 1} Qty_j. Fourth, AU must publish the encrypted value of the sum of these payments and a proof of its correctness.
Step 2. A verifier V can independently compute the encrypted Vickrey payment as above and check the correctness of the proof.
Step 3. AU reveals the random help value in the resulting encrypted Vickrey payment to V, who decrypts using that value and verifies it is correct by re-encryption.
The verifier V now knows that B_i's Vickrey payment is correct, knowing nothing more about any bidder's bid value than can be derived from the definition of Vickrey payments (see Footnote 15). The additional term, [Qty^{−i}_{α−1} · Bid_{α−1} − Qty*_{α−1} · Bid_{α−1}], can be determined in the case that bidder i is the threshold winner and i = α − 1 in an analogous fashion. Encrypted values of the allocation quantities received by bidder i in the main auction and in the marginal auction, i.e., Qty*_{α−1} and Qty^{−i}_{α−1}, can be established via subtraction from the total items l of the total allocation to other bidders. Then, a ciphertext for the difference, Qty^{−i}_{α−1} − Qty*_{α−1}, and then the product (Qty^{−i}_{α−1} − Qty*_{α−1}) · Bid_{α−1}, can be published and proved.
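The allocation rule of Step 6 and the VCG payments discussed above, carried through on constructed numbers as an added example (not code from the paper). Since the closed-form payment equations are missing from this copy, the payment is computed from the V(B) and V(B_{−i}) definition given in words and cross-checked against the displaced-bidder decomposition that the proof structure assembles term by term; the bids, quantities and supply are made up for illustration.

```python
# Constructed multi-item example (not from the paper): l identical items and
# divisible bids (Bid_i per item, at most Qty_i items). Lists are sorted by
# descending bid with no ties among winners, as Section 4 assumes; the last
# entry is the zero-price dummy bid for the whole supply that Step 6 suggests.
SUPPLY = 10
BIDS = [9, 8, 7, 6, 5, 0]
QTYS = [4, 3, 5, 6, 2, SUPPLY]


def allocate(bids, qtys, supply):
    """Section 4, Step 6: serve bidders in price order until the l items are
    gone. Returns (alloc, thr): alloc[i] is Qty*_i and thr is the 0-based
    index of the threshold winner (the paper's alpha - 1), so bidders after
    thr receive nothing and thr itself may get only part of its demand."""
    alloc, left = [0] * len(bids), supply
    for i, q in enumerate(qtys):
        alloc[i] = min(q, left)
        left -= alloc[i]
        if left == 0:
            return alloc, i
    raise ValueError("demand does not cover supply; append the dummy bid")


def revenue(bids, alloc):
    """V(B): total revenue of an economy under a given allocation."""
    return sum(b * a for b, a in zip(bids, alloc))


def marginal_economy(bids, qtys, supply, i):
    """Allocation in E(B_-i), the economy with bidder i removed, re-indexed
    to the original bidder positions (so Qty^-i_i = 0). Also returns the
    paper's beta_i - 1, the threshold winner of the marginal economy."""
    alloc_m, thr_m = allocate(bids[:i] + bids[i + 1:],
                              qtys[:i] + qtys[i + 1:], supply)
    alloc_mi = alloc_m[:i] + [0] + alloc_m[i:]
    beta_minus_1 = thr_m if thr_m < i else thr_m + 1
    return alloc_mi, beta_minus_1


def vcg_payment(bids, qtys, supply, i):
    """Vickrey payment by definition (Section 4.2.1, stated in words):
    V(B_-i) - (V(B) - Qty*_i * Bid_i)."""
    alloc, _ = allocate(bids, qtys, supply)
    alloc_mi, _ = marginal_economy(bids, qtys, supply, i)
    return revenue(bids, alloc_mi) - (revenue(bids, alloc) - alloc[i] * bids[i])


def vcg_payment_displaced(bids, qtys, supply, i):
    """The same payment assembled the way the proof structure does, term by
    term: the sum over alpha-1 < j <= beta_i-1 of Qty^-i_j * Bid_j, plus, for
    a non-marginal winner, the change in the threshold winner's allocation
    [Qty^-i_{alpha-1} - Qty*_{alpha-1}] * Bid_{alpha-1}. Every term is one
    bid-times-quantity product, which is what AU proves on ciphertexts."""
    alloc, thr = allocate(bids, qtys, supply)
    alloc_mi, beta_minus_1 = marginal_economy(bids, qtys, supply, i)
    pay = sum(alloc_mi[j] * bids[j] for j in range(thr + 1, beta_minus_1 + 1))
    if i < thr:  # non-marginal winner: bidder alpha-1's allocation changes
        pay += (alloc_mi[thr] - alloc[thr]) * bids[thr]
    return pay


if __name__ == "__main__":
    alloc, thr = allocate(BIDS, QTYS, SUPPLY)
    print("allocation", alloc, "threshold winner index", thr)
    for i in range(len(BIDS)):
        print(i, vcg_payment(BIDS, QTYS, SUPPLY, i),
              vcg_payment_displaced(BIDS, QTYS, SUPPLY, i))
```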

EMPIRICAL RESULTS
We implemented Paillier encryption and test set verification in C++ using the LiDIA number theory package [17] on a commodity Linux workstation with a Pentium 4 2.8 GHz processor.
The greatest computational cost in our protocol is the construction and verification of test sets, and in particular the exponentiation of random help values (r^n) required to encrypt or (verifiably) decrypt a value. This preparation cost dominates all other computation; for example, to sort one million random 64-bit bids takes less than one second on our system. In a single-item auction, the auctioneer can prepare for an auction of 100 bidders in about two hours, and each verifier can independently verify the auctioneer's proofs of correctness in less than half an hour. Both preparation and verification scale linearly and are easily parallelized. Thus, with modest distributed computation, even a multi-item auction with ten thousand bidders can be prepared in a few hours and verified in reasonable time.
We present data for both 1024- and 2048-bit symmetric public encryption keys, which are considered safe until 2010 and 2030, respectively [12]. Because the lifetime of a security key is based on the difficulty of breaking it on available computing power, we claim that, for the most part, an auction with "5-year" security at any point in time will take about the same amount of time as it does today, as improvements in computing power for breaking keys are likely to be comparable to those in encryption. Table 1 shows the time it takes to compute various cryptographic operations on our test machine. We observe that the time required to prepare or verify a test set is essentially that required by the encryption and decryption. All test sets represent 2^34 discrete values. For a single-item auction of k bidders, the auctioneer must produce k proofs of valid bids (i.e., Bid_i < 2^t for small t; we use t = 34), and k − 1 proofs of comparisons to prove the ordering of the outcome. Using the bulk verification method suggested in Appendix B, such an auction requires 10 · (2k − 1) test sets, plus 25% for the test sets that will be revealed to prove the test sets are valid. This gives us an upper bound of 25k test sets required to conduct a trustworthy single-item auction.
For a multi-item auction with payments based on one bid (e.g., first-price or second-price), we need only add to the above k proofs Qty_i < 2^t, k comparisons Qty_i < l_max, and 2 comparisons to prove Equation 7. This means we need about double the number of test sets, 4k + 1, to conduct such a multi-item auction; about 50k test sets are needed for trustworthiness. We list the time taken to prepare these test sets and correctness proofs in Table 2. For verified VCG payments in multi-item auctions (Section 4.2.1), we also require proofs of multiplications for at most 2k + 1 products, namely, ≤ k proofs of the products Qty_i · Bid_i and k + 1 proofs of the products of the partial allocation to the threshold bidder for the main economy E(B) and up to k marginal economies (that is, excluding bidder B_i) E(B_{−i}). Each proof of a product requires 4 exponentiations for creating the MTS ("multiplication test set") and 6 exponentiations to verify it. To achieve a reasonably small probability of error, we need to repeat the multiplication proof 80 times ((3/4)^80 ≈ 10^−10). Thus each proof requires 320 exponentiations to create and 480 to verify. Table 3 shows the time required, again on a P4 2.8 GHz processor, to verify Vickrey payments in the worst case for various sizes of multi-item auctions. These computations are required in addition to the above computations for verifying prices and quantities.

CONCLUSIONS AND FUTURE WORK
We have presented a new protocol for sealed-bid auctions that guarantees trust and preserves a high level of secrecy, yet is practical enough to run efficiently on commodity hardware and be accepted in the business community. Because we focus on proofs of correctness and secrecy during the auction, an auctioneer can still compute optimal results efficiently and publish efficiently verifiable proofs of those results. Our protocol rests on sound cryptographic foundations, and lends itself to straightforward extensions to further types of auctions, including support for all-or-nothing bids, bid curves, and full combinatorial auctions; we intend to pursue these extensions in later work, in addition to completing a full description of tie-breaking and bulk verification of test sets. We believe that our practical test-set model will extend to other areas of privacy, including electronic transactions, trading systems, privacy-preserving open outcry markets, and zero-knowledge public verification of private data.

ACKNOWLEDGMENTS
This work was supported in part by an Alfred P. Sloan Foundation Award to Parkes and NSF grant CCR-0205423 to Rabin. The authors thank Michael Hamburg, Alex Healy, and Adam Juda for helpful comments and information.

APPENDIX A. PAILLIER ENCRYPTION
A.1 Public/Private Keys
Paillier encryption uses an encryption key n = p · q, where p and q are large primes. The decryption key is based on the factorization of n, φ = ϕ(n) = (p − 1) · (q − 1). ϕ(n) is Euler's totient function, the number of integers relatively prime to n.

A.3.1 Decryption with random help value r
It is also possible for some P who knows the r used to encrypt C = E(x, r) to show V that x is the unique decryption of C by revealing r. P may know r either by having encrypted all the values used to compute C or by computing it via the decryption key φ . To recover x, V computes A.

Uniqueness of Encryptions
Paillier encryption constitutes a bijection from (Z_n × Z*_n) → Z*_{n^2} [25]. Thus any integer in Z*_{n^2} represents a single valid encryption of an integer x ∈ Z_n with random help value r ∈ Z*_n. Consequently, if C = E(x, r), then C ≠ E(x', r') for any x' ∈ Z_n and r' ≠ r.
P can attempt to cheat by providing a different random help value r'. Using r' instead of r in (14) will yield a different but invalid "decryption" x'. V must therefore verify that the provided value r' is consistent with the known encryption C. This is done by re-encrypting the derived value x' as C' = E(x', r') and rejecting r' unless C' = C.

A.4 Mathematical Operations on Encrypted Values
The following definitions apply to any values encrypted as above, such as bids, deposit amounts, or desired quantities. These properties are due to the homomorphic properties of Paillier's encryption scheme [25]. In these definitions we refer to a prover P who has the decryption key or all random help values for encrypted data, (generally the auctioneer), and a verifier V who does not.
Addition. Addition of two encrypted values: Adding a constant k to an encrypted value x is easily done by encrypting k with the random help value 1 and multiplying the two encryptions.
Multiplication or division by a constant. Division is only possible when k is invertible mod n^2. Negation. Implied by multiplication by a constant.
Comparison to a constant k. P can prove any encryption C = E(k, r) is an encryption of k by revealing the help value r used to encrypt C. V then verifies that (1 + nk) · r^n = C (mod n^2), because E(k, r) = (1 + n)^k · r^n (mod n^2). This is of particular interest when k = 0. We remark that no encryption of a value other than zero is an n-th residue mod n^2. Equality comparison. Given two ciphertexts C_1 = E(x_1, r_1) and C_2 = E(x_2, r_2), P can prove x_1 = x_2 without revealing any additional information, most importantly the value of x_1 or x_2. Both P and V compute C = C_1 · C_2^{−1} (mod n^2) = E(x_1 − x_2, r_1/r_2) = E(0, r_1/r_2). P then proves C is an encryption of zero as above by revealing r_1/r_2.
Inequality comparison. Given two ciphertexts C_x = E(x) and C_y = E(y), P can show x > y and x ≥ y. Because our values x and y are integers mod n^2, we can prove x > y by showing x ≥ y + 1, provided y ≠ n − 1. Due to the homomorphic properties of Paillier encryption, E(x + 1) = E(x) · (n + 1) (mod n^2), and so adding 1 to a value in its encrypted form is trivial. Thus, all ordering comparisons can be reduced to the ability to prove x ≥ y. We first specify that x and y must be in the range [0, 2^t) for 2^t < n/2. This can be proven as in Section 2.4.6. Then, to prove x ≥ y, both P and V calculate E(x − y) = E(x) · E(y)^{−1} (mod n^2), and P proves 0 ≤ (x − y) < 2^t < n/2 from E(x − y). If in fact x < y, then (x − y) will wrap around mod n^2 so that (x − y) ≥ n/2 and no such proof is possible. This principle is also described in Section 2.4.6.
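The single-item protocol of Section 3 (commitments, Vickrey outcome, and the help-value re-encryption check of the payment) together with the Appendix A operations above, as one added Python example; it is not the paper's C++/LiDIA implementation. It assumes a toy Paillier key built from two known Mersenne primes, SHA-256 as the hash H, and leaves out the signatures Sign_i and the test-set range proofs of Section 2.4.6.

```python
import hashlib
import secrets

# Toy Paillier key for this added example, built from two known Mersenne primes
# so the block runs offline. It is far too small to be secure.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                    # public encryption key n
N2 = N * N
PHI = (P - 1) * (Q - 1)      # decryption key phi = (p-1)(q-1), known to AU only
T = 34                       # Step 2: every bid satisfies Bid < 2^t < n/2
assert 2**T < N // 2

def encrypt(x, r):
    """E(x, r) = (1+n)^x * r^n mod n^2 (Appendix A), with r in Z*_n."""
    return pow(1 + N, x, N2) * pow(r, N, N2) % N2

def decrypt(c):
    """AU's decryption with phi: x = L(c^phi mod n^2) * phi^-1 mod n."""
    u = pow(c, PHI, N2)
    return (u - 1) // N * pow(PHI, -1, N) % N

def decrypt_with_help(c, r):
    """A.3.1: whoever knows r recovers x from C = E(x, r) without phi,
    because C * r^-n = (1+n)^x = 1 + x*n (mod n^2)."""
    u = c * pow(r, -N, N2) % N2
    return (u - 1) // N

def verify_help(c, r, x):
    """Uniqueness check of A.3: accept r only if x re-encrypts to C."""
    return encrypt(x, r) == c

def commit(c, s, auction_id):
    """Step 2 commitment Com_i = (H(C_i), H(S_i), ID); H = SHA-256 is an
    assumption of this example, and the signatures Sign_i are omitted."""
    h = lambda data: hashlib.sha256(data).hexdigest()
    return (h(str(c).encode()), h(s), auction_id)

def run_vickrey(bids, auction_id="ID-EXAMPLE"):
    """Steps 2-6 of Section 3.1 for a second-price auction. Returns what AU
    posts: commitments, ciphertexts, the winner's index, and the help value
    r_2 that lets any verifier open the payment (Section 3.2)."""
    assert len(bids) >= 2 and all(0 <= b < 2**T for b in bids)
    rs = [secrets.randbelow(N - 2) + 2 for _ in bids]      # help values r_i
    cs = [encrypt(b, r) for b, r in zip(bids, rs)]         # C_i = E(Bid_i, r_i)
    ss = [secrets.token_bytes(32) for _ in bids]           # random strings S_i
    coms = [commit(c, s, auction_id) for c, s in zip(cs, ss)]
    # Step 5: once C_i and S_i are revealed, anyone re-derives and checks Com_i.
    assert all(commit(c, s, auction_id) == com
               for c, s, com in zip(cs, ss, coms))
    # Step 6: AU decrypts with phi and applies the Vickrey rule (no ties assumed).
    plain = [decrypt(c) for c in cs]
    order = sorted(range(len(bids)), key=lambda i: plain[i], reverse=True)
    winner, second = order[0], order[1]
    return {"commitments": coms, "ciphertexts": cs, "winner": winner,
            "payment_ct": cs[second], "payment_help": rs[second]}

def verify_payment(posted, claimed):
    """Section 3.2: V opens C_2 with r_2 and confirms it re-encrypts to C_2.
    The zero-knowledge range and ordering proofs built from test sets
    (Section 2.4.6) are not reproduced here."""
    c, r = posted["payment_ct"], posted["payment_help"]
    x = decrypt_with_help(c, r)
    return x == claimed and verify_help(c, r, x)

def enc_diff(c1, c2):
    """A.4: C1 * C2^-1 mod n^2 encrypts x1 - x2 under help value r1/r2."""
    return c1 * pow(c2, -1, N2) % N2

def equality_witness(r1, r2):
    """P's proof that E(x1, r1) and E(x2, r2) hide the same value: reveal r1/r2."""
    return r1 * pow(r2, -1, N) % N

def is_encryption_of_zero(c, r):
    """Comparison to the constant 0: V checks C = E(0, r) = r^n mod n^2."""
    return pow(r, N, N2) == c

def difference_wraps(c_x, c_y):
    """Wraparound behind the x >= y proof of A.4: the plaintext of E(x - y)
    is below 2^t when x >= y but equals n - (y - x) >= n/2 when x < y.
    Decrypting needs phi, so only the prover sees this; the verifier instead
    checks the range proof on E(x - y)."""
    return decrypt(enc_diff(c_x, c_y)) >= N // 2
```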
Proof of multiplication of two values. Because Paillier encryption does not enable the secrecy-preserving multiplication of two encrypted values as it does addition, we require a method that allows a prover P with three plaintexts u, v, and w such that uv = w (mod n) to prove this fact to a verifier V who has Paillier encryptions E(u), E(v), and E(w), respectively. Damgård et al. [8] propose another solution to this; the solution we present is in the spirit of our other cryptographic primitives. DEFINITION 2. A Multiplication Test Set (MTS) for E(u, r), E(v, s), and E(w, t) is a set of 8 elements: {E(u_1, r_1), E(u_2, r_2), E(v_1, s_1), E(v_2, s_2), where u = u_1 + u_2 (mod n) and v = v_1 + v_2 (mod n).
In each MTS, u_1 and v_1 are chosen uniformly at random from Z_n; u_2 and v_2 are correspondingly defined, as above, so that u = u_1 + u_2 (mod n) and likewise for v.
A moment's thought reveals that if the MTS was not proper then the probability of V uncovering this by the random choice of (i, j) is at least 1/4. Thus the probability of P meeting the challenge when uv ≠ w (mod n) is at most 3/4. This implies that if m MTSs are used and P meets all m random challenges then the probability of P cheating is smaller than (3/4)^m. In practice, the auctioneer will act as P and verify the multiplications required to prove the validity of multi-item auction allocations by repeating these zero-knowledge proofs until the desired likelihood of error is achieved.

B. BULK VERIFICATION OF TEST SETS
We have already shown how AU can use a test set to prove both that for any encrypted bids E(Bid_1) and E(Bid_2), {Bid_1, Bid_2} ≤ 2^t and Bid_1 > Bid_2, provided 2^t < n/2. We also provided a non-interactive proof to allow the validity of test sets to be established. Here, we improve the computational speed of this "cut and choose" approach for multiple range-of-value proofs by allowing anyone to verify en masse a whole collection of test sets, to then be used in proofs of range and ordering of values. Recall that in single-item auctions with k bidders, AU will verify that k bids are in range, and then perform k − 1 comparisons to prove the correctness of the auction. These auctions require 2k − 1 range-of-value proofs.
Adopting numbers that are appropriate for an auction with 100 bidders and moderate security requirements, we assume for illustration that the auctioneer employs 10 test sets per proof and first creates and posts 2500 (claimed) test sets. For bulk verification we select and reveal 500 test sets uniformly at random in a collection of 2500. The probability that all 500 will be correct and 200 (or more) of the remaining 2000 are incorrect is < 7 × 10^−19. We can then prove correctness of each bid or comparison with probability of error < 10^−10 by drawing 10 of the remaining 2000 test sets uniformly at random and proving correctness on each of them. We can achieve a truly random ordering of the 2500 test sets using the random data string X as in the main description of our method.
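An added example (not from the paper) covering both the non-interactive selection of test sets from the random string X and the Appendix B numbers: a hypothetical instance of the "fixed rule" of Step 1, built on SHA-256, and the exact cut-and-choose probabilities for 2500 posted sets, 500 revealed, 200 invalid and 10 sets per proof.

```python
import hashlib
from fractions import Fraction
from math import comb


def select_indices(x, total, count):
    """One concrete instance of the public 'fixed rule' of Step 1 (an
    assumption of this example, not the paper's rule): rank the test-set
    indices by SHA-256(X || index) and reveal the first `count`. Anyone who
    holds X recomputes the same selection, so no verifier interaction is needed."""
    ranked = sorted(range(total),
                    key=lambda i: hashlib.sha256(x + i.to_bytes(4, "big")).digest())
    return sorted(ranked[:count])


def select_per_group(x, groups, group_size, per_group):
    """Section 3 layout: 2k groups of 40 sets with 20 revealed from each.
    The group number is mixed into X so every group gets its own ranking."""
    return [[g * group_size + i
             for i in select_indices(x + g.to_bytes(4, "big"), group_size, per_group)]
            for g in range(groups)]


def cheating_odds(total, bad, revealed, per_proof):
    """Appendix B: AU posts `total` claimed test sets of which `bad` are
    invalid; `revealed` are opened at random, then each range or ordering
    proof draws `per_proof` of the remaining sets. Returns the exact
    hypergeometric pair (p_survive, p_fool): the chance that no bad set is
    among those opened, and, given that, the chance that one proof draws only
    bad sets, which is what a false claim needs in order to pass."""
    p_survive = Fraction(comb(total - bad, revealed), comb(total, revealed))
    p_fool = Fraction(comb(bad, per_proof), comb(total - revealed, per_proof))
    return p_survive, p_fool
```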