This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2018.2883275, IEEE Transactions on Information Forensics and Security

CReam: A Smart Contract Enabled Collusion-Resistant e-Auction

Shuangke Wu, Yanjiao Chen, Member, IEEE, Qian Wang, Senior Member, IEEE, Minghui Li, Cong Wang, Senior Member, IEEE, and Xiangyang Luo

Abstract—Auction is an effective way to allocate goods or services to bidders who value them the most. The rapid growth of e- facilitates online transactions but poses new and distinctive challenges. It is difficult to establish trusts among sellers, buyers and auctioneers without the centralized auction websites or platforms (the auctioneer) that collect bids and derive the auction results. However, these third parties may be untrustworthy, and malicious sellers or buyers may refuse to deliver the goods or payment according to the protocol. Moreover, the open and anonymous online environment may stimulate auction participants to form collusion coalitions to rig the auction and reap unfair profit. Many auction designs have been proposed to address these concerns, but they fall short of simultaneously achieving decentralization (i.e., held without a trusted third utility), strong consensus (i.e., the establishment of trust), collusion-resistance and practical implementation. We present CReam, the first decentralized collusion-resistant e-auction system that is implemented with smart contract on the blockchain. With the carefully-designed smart auction contract, mutually distrustful and rational sellers and buyers are stimulated to operate properly hence transact safely without trusted third parties. The auction mechanism in the smart contract can effectively prevent bidder collusion and realize economic robustness, i.e., truthfulness. We implement a fully functional CReam on the Ethereum network. Extensive experimental results confirm that CReam can greatly reduce the probability of collusion and achieve an approximate optimal revenue at a low cost of contract execution.

Index Terms—Blockchain, smart contract, .

Yanjiao’s research is supported in part by the National Natural Science Foundation of China under Grant 61702380, in part by the Hubei Provincial Natural Science Foundation of China under Grant 2017CFB134, and in part by the Hubei Provincial Technological Innovation Special Funding Major Projects under Grant 2017AAA125. Qian’s research is supported in part by the National Natural Science Foundation of China under Grants 61822207 and U1636219, in part by Equipment Pre-Research Joint Fund of Ministry of Education of China (Youth Talent), and in part by the Outstanding Youth Foundation of Hubei Province under Grant 2017CFA047. Cong’s research is supported by the Research Grants Council of Hong Kong under Grants CityU 11276816, CityU 11212717, CityU C1008-16G and the National Natural Science Foundation of China under Grant 61572412. Xiangyang’s research is supported by the Plan for Scientific Innovation Talent of Henan Province under Grant 2018JR0018. (Corresponding author: Xiangyang Luo.)

S. Wu, Y. Chen, and Q. Wang are with the School of Computer Science, Wuhan University, China, (E-mail: {wsk9551, chenyanjiao, qianwang}@whu.edu.cn).
M. Li is with the School of Cyber Science and Engineering, Wuhan University, China, (E-mail: [email protected]).
C. Wang is with the Computer Science Department, City University of Hong Kong, Hong Kong (E-mail: [email protected]).
X. Luo is with the State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou, China (E-mail: [email protected]).

I. INTRODUCTION

Thanks to the dramatic development of Internet and rising popularity of electronic commerce, the scope and reach of electronic auctions (e-auction) have far exceeded what the initial purveyors had anticipated. E-auctions break down and remove physical limitations of traditional auctions such as geography, presence, time, space, and a small target audience [1]. It is projected that the rapid expansion of online e-auctions will account for 30% of all e-commerce [2], ranging from individuals conducting online “garage sales” to companies liquidating unwanted inventory.

One of the major challenges faced by e-auction is a lack of trust among sellers, buyers and auctioneers. The openness and anonymity of the online environment may give rise to transactional misbehavior, e.g., sellers may fail to deliver the goods after the auction, or buyers may abort during auction or refuse to pay the required price. The websites and platforms that serve as auctioneers may not be trustful. The establishment of trust among auction participants and a safe transact environment have been recognized as the key stimuli for online transactions and a major concern in e-auctions [3], [4]. Existing works on building trust are mainly based on economic incentives and reputation analysis [4], [5], most of which require trusted third parties to handle the transaction process.

Similar to traditional auctions, e-auctions are also vulnerable to collusions. In an e-auction, buyers bid to compete for the goods or services provided by sellers. Selfish and rational buyers and sellers have incentives to collude with each other to rig the auction for unfair profits [6], [7]. The auctioneer may also collude with buyers or sellers for economic return. By allowing geographically-distant participation, e-auctions make it easier for anonymous online auction participants to form collusion coalitions without being detected [8]. Case studies have confirmed the universal existence of collusions in real-world auctions (e.g., Treasury auctions [9] and FCC spectrum auctions [10]). The internet crime complaint center (IC3) reports showed that the auction related frauds (e.g. auction fraud and no-delivery fraud) are among the top popular frauds in the U.S. [11], [12]. The IC3 report of 2015 shows that there are 116,296 online auction-related complaints submitted, which led to a loss of $18,906,416.

Apart from collusion-resistance, an ideal auction mechanism should also achieve economic-robustness, i.e., truthfulness [13]. Truthfulness is essential for an auction scheme to resist market manipulation and ensure auction fairness as well as efficiency. In untruthful

1556-6013 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

auctions, there are chances for selfish bidders to gain an edge at the expense of other participants by manipulating their bids to game the system. In truthful auctions, the dominant strategy for bidders is to bid truthfully, which ensures that each bidder will be motivated to put in a bid at the full value of the item to himself, thereby eliminating the fear of market manipulation and the overhead of strategizing over others. Moreover, with the true valuations, the auctioneer can allocate items efficiently to buyers who value it the most, hence assuring an optimum allocation of resources.

We propose CReam, the first decentralized collusion-resistant e-auction system that is implemented with smart contract on the blockchain. We aim to create a distributed, trustworthy, transparent and secure transact environment for auction participants to reach consensus over the auction results. We replace the centralized auctioneer (online auction platforms) with smart contract based on the blockchain. The blockchain keeps a public, decentralized, and verifiable ledger and the contract specifies the transaction agreements, which will be automatically and faithfully executed. We leverage the discrete timer on the blockchain and the deposit-and-refund mechanism to prevent contractual breaches and aborts from malicious participants. We carefully design the auction algorithm to be executed by the smart contract, combining the techniques of random rounding and profit estimation to achieve both collusion resistance and feasibility.

We implement a fully functional prototype of CReam on the Ethereum network. Since the contract execution consumes cryptocurrencies, the cost of which is highly dependent on the computational complexity of the auction algorithm, our auction design does not involve complicated mathematical operations, but still achieves truthfulness, approximate revenue maximization and collusion resistance. The experimental results show that the total transaction cost of the seller for executing the smart contract is about $15 when there are 40 bidders, and the cost per bidder is about $1. To the best of our knowledge, we are the first to combine the incentive mechanisms with smart contract to realize decentralized collusion-resistant e-auctions without trusted third parties.

Our main contributions are summarized as follows:

• We propose a new and novel smart auction contract on the Ethereum blockchain to enforce consensus among auction participants in a safe manner without trusted third parties.
• We design an efficient auction algorithm which is truthful, collusion-resistant, and achieves approximate revenue optimization.
• We verify the feasibility of the proposed smart auction contract by implementing it on the Ethereum network, and provide a comprehensive evaluation of the performance on the Ethereum network.

II. PRELIMINARIES

A. e-auctions

The e-auction is a type of e-commerce, which can broaden the set of potential consumers and increase the competition among vendors. The Internet has fuelled the widespread adoption of auctions in business-to-consumer (B2C), consumer-to-consumer (C2C), and business-to-business (B2B) transactions. Many famous international companies use e-auctions in their deals such as British Airways, FedEx, Exxon Mobil, and Nestle. Despite the rising popularity of e-auctions, there are several challenges, among which we are especially interested in untrustworthy centralized auctioneers and collusions among bidders.

Internet auctioneers, e.g., online auction websites, serve as the intermediary that provides a transaction platform for buyers and sellers. Their major role is to ensure that the transactions can be conducted in a safe and secure manner. The centralized platform which addresses the trust problem between buyers and sellers, however, faces scalability issues and the internet auctioneer itself may be untrustworthy.

The vast profits of auctions as well as the anonymity and flexibility of Internet incentivize malicious manipulation in e-auctions. Many online auction websites realize that fraud corrodes not only their trustworthiness but also the prosperity of the entire market. A buyer may create multiple online identities to rig auctions. Sellers and buyers have incentives to collude with each other to manipulate the auction results to gain unfair profits. Most existing auction mechanisms focus on economic-robustness, e.g., truthfulness. In a truthful auction, a bidder achieves the highest utility if she bids her true valuation. However, these works assume that bidders do not collude with each other [13], [14], and the truthfulness of auctions will fall apart if collusion exists.

[Figure 1: external input (transaction, event, data, etc.) feeds a smart contract made of predefined trigger conditions (time, event, etc.) and predefined response actions (action, event, etc.), which produce Response 1, Response 2, Response 3, ..., Response N; the contract also holds State and Value.]
Fig. 1: The structure of a typical smart contract on Ethereum.

B. Blockchain and Smart Contracts

Cryptocurrencies have gained wide popularity in recent years. The basis of cryptocurrencies is a public ledger, which stores all of the current and historical transaction records, and is maintained by a decentralized network of peers (the miners) [15]. The ledger is stored in the form of blockchain, on the state of which all peers reach an agreement through a consensus protocol. Thanks to its special data structure, blockchain achieves decentralization, transaction non-tampering, traceability, and transparency. Smart contract, built on top of cryptocurrencies, allows users to define and execute contracts on the blockchain [16]. Specifically, a smart contract is a piece of computer program that resides at a specific address on the Ethereum blockchain, consisting of functions (the executable units of code within a contract) and data (the state of the smart contract). As shown in Fig. 1, the program code captures the logic contractual clauses


between multiple parties and predefines the trigger conditions and response actions. The execution of the functions in a smart contract is triggered by times or events, e.g., transactions added to the blockchain. Furthermore, the smart contract can receive, store and send value of its own. The functions are stored and executed by consensus miners and the correctness of execution is guaranteed by the consensus protocol of the blockchain. Ideally, smart contracts can be viewed as being executed by a distributed trusted global machine that will faithfully perform every instruction. With the help of smart contracts, the rules of financial transactions can be enforced without trusted third-parties.

Ethereum is one of the most popular decentralized platforms that supports smart contracts, where the cryptocurrency asset is called Ether [16]. Ether is one of the most popular assets by its capitalization. Ethereum smart contracts can be written in various expressive scripting languages, among which Solidity is the most prevalent and stable one [17]. Therefore, we choose Solidity to implement our auction mechanism as smart contracts. Ethers are held in and can be transferred between accounts. There are two types of accounts: externally owned accounts and contract accounts. An externally owned account is associated with a unique public-private key pair, owned by a certain individual who has an ether balance and the private key that can sign transactions from the account. Contract accounts do not have key pairs. A contract account maintains an Ether balance and stores the code of a contract that decides the flow of the ethers in the account. A contract account must be activated by an externally owned account.

To execute a smart contract, a user-controlled account has to purchase a certain amount of gas using ether, which is the common currency in the Ethereum network. The gas cost is actually the transaction fee to encourage miners to include the code execution of the smart contract in the blockchain. Gas can be viewed as the metric to standardize the cost of smart contracts, and each assembly operation (opcode) has a fixed gas cost based on its expected execution time. The maximum amount of gas allowed in a block is called the block gas limit, which determines how many transactions can be put into a block. A transaction whose gas cost is beyond the current block gas limit will be rejected by the network.

A transaction in Ethereum is an instruction that is built and cryptographically signed by an external account owner. Each transaction has two address fields that specify the sender and the receiver. One can initiate a contract by creating a transaction in which the receiver is a new contract account address and the data field contains the contract code. A transaction can also be used as a message to invoke a function in a contract. In this case, the receiver’s address is the contract account storing the contract code and the function to be invoked along with the arguments is specified in the data field. The behavior of a contract is purely decided by the execution of its code. The execution of a function invoked by a transaction will also consume gas and the amount of gas consumed is converted into the amount of Ether, which will be charged to the sender’s account as the transaction fee.

We illustrate the structure of a transaction and how smart contract is stored in the blockchain in Fig. 2. Each field of the transaction is described as follows:

- From: a signature from an externally owned account to authorize the transaction.
- To: the receiver of the transaction that can be either a user-controlled or contract address.
- Data: contains the contract code to create a new contract or execution instructions for the contract.
- Gas Price: the conversion rate of purchasing gas using the Ether currency.
- Total Gas: the maximum amount of gas that can be consumed by the transaction.
- Nonce: a counter that is incremented for each new transaction from an account.

[Figure 2: a chain of blocks (Block 1 to Block 5) containing two example transactions. First transaction: From A, To S, Value 20 eth, Gas price 2*10^-8, Total Gas 120,000, Nonce 91, Data: Contract Code. Second transaction: From A, To S, Value 6 eth, Gas price 2*10^-8, Total Gas 98,000, Nonce 18, Data: Fun1(param1, param2).]
Fig. 2: The structure of Ethereum transactions. Alice creates a smart contract on the blockchain and the contract code is sent and stored in the data field of a transaction. The contract is given an address S. After that, Bob calls a function of the contract using another transaction by sending gas to the address S.

III. RELATED WORK

Auction mechanism design. Previous works mainly focus on the design of truthful and collusion-resistant auction mechanisms. In [18], Zhou et al. utilized the greedy allocation and the critical value based pricing [19] to design a truthful and computationally efficient mechanism under the interference constraints. In [20], a collusion-resistant spectrum auction mechanism is proposed using APM [21]. By first dividing bidders into multiple non-overlapping segments based on the interference constraints, the spectrum auction problem is transformed to a single-unit auction problem with an unlimited frequency/channel supply and the partition independence of bids enables cheating resistance. In [6], Wang et al. addressed bidder collusion under channel supply dynamics using AEM [21] and to characterize the system performance in terms of social welfare.

Different from existing works, our smart auction design not only focuses on truthfulness and collusion resistance, but also utilizes smart contracts to replace the centralized third-party auction platform, which solves the problem of bidder-auctioneer and seller-auctioneer collusion. Furthermore, we


enable the seller and buyers to reach consensus and establish trust of the transaction without a trusted third party.

Smart contract. Previous works exploited the blockchain and smart contract to implement and enforce rules on financial transactions without a centralized entity. In [22], Hahn et al. implemented a smart contract-based Vickrey second price auction on Ethereum blockchain for distributed energy transaction. However, there is only one winning bidder, and the probable existence of bidder collusion is ignored. In comparison, we generalize the auction to multiple winners, which is more common in online e-auctions, and further achieve collusion prevention. Our work is among the first to integrate the “honest-by-mechanism” algorithm with smart contract.

Apart from auctions, the blockchain can also be used for e-voting. In [23], McCorry et al. presented a decentralized internet voting protocol using smart contract, which does not rely on any trusted authority to compute the tally or to protect the voter’s privacy. In [24], Dong et al. leveraged smart contract and game theory to enforce honest computation and undermine the probability of collusion between two cloud services, thus lowering the cost for verifiable computing and data outsourcing. In [25], Velner et al. proposed an attack against mining pools using smart contract to reward miners who withhold their blocks. In [26], Juels et al. introduced several criminal smart contracts, e.g. for leaking confidential information and various real-world crimes.

IV. PROBLEM FORMULATION

A general e-auction usually consists of seller(s), buyer(s) and an online auction platform as the auctioneer, as shown in Fig. 3. In this paper, we focus on forward auctions where there are one seller and multiple buyers.

[Figure 3: the seller and the buyers exchange data and currencies through an Internet auction platform (bulletin board).]
Fig. 3: A general e-auction framework.

A. Auction Framework

Our smart auction framework features a decentralized e-auction system. As shown in Fig. 4, we leverage the blockchain, which is backed up by miners, to replace the centralized online auction platform. We assume that the online vendor sells identical units of a single item to buyers, and each buyer demands one unit of the item, which is a common scenario in online shopping. Buyers bid to compete for the item. In the following contexts, we use buyers and bidders interchangeably without confusion. Let $n$ denote the number of all bidders. For bidder $i$, we have:

- Bid $b_i$: the bid submitted by bidder $i$. We use $B = \{b_1, b_2, ..., b_n\}$ to denote the set of bids submitted by all bidders.
- Bidder valuation $v_i$: the true valuation of a unit of the item estimated by bidder $i$.
- Bidder allocation $x_i$: bidder $i$’s allocation determined by the auction results. $x_i$ is a binary value; $x_i = 1$ denotes that bidder $i$ wins one unit of the item; otherwise $x_i = 0$. We use $X = \{x_1, x_2, ..., x_n\}$ to denote the allocation of the auction.
- Bidder payment $p_i$: bidder $i$’s payment determined by the auction results. We use $P = \{p_1, p_2, ..., p_n\}$ to denote the set of required payments of bidders.
- Bidder utility ($u_i$): bidder $i$’s true valuation for the item minus the payment, i.e., $u_i = (v_i - p_i) \cdot x_i$. Each bidder aims to maximize their utility.

[Figure 4: the seller and the buyers exchange data and currencies through transactions with a smart contract on the blockchain.]
Fig. 4: Smart auction framework.

For structured optimization problems, the mechanism may incur a cost to produce a given outcome. To be specific, in an auction, there is a cost function $c(\cdot)$ associated with the allocation $X = \{x_1, x_2, ..., x_n\}$. For example, by taking $c(X) = 0$ for all $X$, we have a special case of unlimited supply auction, where an unlimited number of identical units of a single item is auctioned to bidders (e.g., digital good) [27]. In our settings, we assume a more practical cost function as

$$c(X) = \sum_i (x_i \cdot C), \tag{1}$$

where $C$ is the marginal cost of each unit of the item, i.e., the increment in cost for allocating one additional unit of the item in the auction.

Our smart auction framework is a single-round, sealed-bid auction. Buyers submit their bids to the smart contract (the auctioneer). The smart contract takes as input the bids $B = \{b_1, b_2, ..., b_n\}$ and the cost function $c(\cdot)$, then computes the allocation $X = \{x_1, x_2, ..., x_n\}$ and payment $P = \{p_1, p_2, ..., p_n\}$.

B. Design Goal

The design objective of our smart auction framework is:


An e-auction system based on the blockchain and smart contract, which can automatically make the allocation and payment decisions, and achieve truthfulness, revenue maximization and collusion-resistance.

Truthfulness is one of the most desirable economic properties of auctions. A truthful auction mechanism is deemed as economic-robust because the bidders obtain the highest utility when they submit their true valuation as the bid, which makes it easier for the seller to identify the buyers who value the item most. Truthfulness is also the foundation of other properties, e.g., revenue maximization, as the revenue will be twisted if bidders overbid or underbid. We formally define truthfulness as follows:

Definition 1 (Truthfulness). An auction is truthful if bidding truthfully is the (weakly) dominant strategy for every bidder, i.e., bidder $i$ achieves the highest utility $u_i$ if she bids her true valuation $b_i = v_i$.

Auction participants may collude with each other to manipulate the auction outcome. Possible collusion patterns include auctioneer-seller collusion, auctioneer-buyer collusion, seller-buyer collusion, and buyer-buyer collusion. Thanks to the decentralized property of the blockchain as the auctioneer, the auctioneer-seller collusion and the auctioneer-buyer collusion are effectively prevented. The seller-buyer collusion will not be formed since there exists a conflict of interest between the seller and buyers. The seller wants to sell the item at the highest possible price, yet buyers wish to purchase the item at the lowest possible price, so there is no incentive for the seller-buyer collusion since it is impossible to benefit both the seller and buyers. Therefore, we focus on buyer-buyer collusions, where buyers strategically form coalitions to manipulate the auction results to gain unfair profits.

We now extend the definition of truthfulness to account for the possibility of collusion.

Definition 2 ($t$-truthfulness). An auction is $t$-truthful if for any coalition of size $t$ and any bid values of bidders outside the coalition, the sum of the expected utilities of the bidders in the coalition is maximized when all bidders in the coalition bid their true valuations.

Definition 3 ($(t, P)$-truthful auction). A $(t, P)$-truthful auction is $t$-truthful with a high probability $P$, i.e., given any coalition of size equal or smaller than $t$, with a high probability $P$, there is no non-truthful strategy for bidders in the coalition that increases the total utility of the coalition.

The auction revenue is the difference between bidders’ payments to the smart contract and the cost of allocation:

$$R = \sum_i p_i - c(X). \tag{2}$$

The auction results should satisfy no positive transfers and voluntary participation, i.e., the required payment of a bidder who is allocated the item should not exceed her bid, and the required payment of a bidder who is allocated nothing should be zero. Therefore, we have $p_i \le b_i$ if $x_i = 1$, and $p_i = 0$ if $x_i = 0$. To achieve price fairness, we assume that the required payment for all winning bidders is the same, i.e., $p_i = p$ if $x_i = 1$. $p$ is an important value to be determined by the smart contract. The auction revenue function becomes:

$$R = (p - C) \cdot N(B, p), \tag{3}$$

where $N(B, p)$ is the number of bids higher than or equal to $p$ in $B$.

V. COLLUSION-RESISTANT SMART AUCTION DESIGN

In this section, we present the detailed design of our smart contract enabled collusion-resistant auction.

A. Auction Mechanism

Let $p$ denote the clearing price, which is the price assigned to a unit of item after the auction. Let $N(B, p)$ denote the number of bids higher than or equal to $p$ in the list of bids $B$. To maximize the auction revenue, a naive approach is to select the clearing price $p$ that maximizes $p \cdot N(B, p)$. Unfortunately, this intuitive greedy algorithm, also known as the optimal single price omniscient (OPT) [28], is not a truthful auction. Another solution will be the k-Vickrey auction [29], which is a truthful auction scheme. However, it is vulnerable to bidder collusion, where a group of bidders coordinate their bids to manipulate auction results to improve the total utility of the coalition¹.

¹ We consider the total utility of the collusion coalition, but ignore how bidders in the coalition split the profit.

TABLE I: The auction result of the optimal k-Vickrey auction when 5 bidders bid truthfully. UA means the corresponding bidder is unallocated and doesn’t have a clearing price.

|            | b1 | b2 | b3 | b4 | b5 |
|------------|----|----|----|----|----|
| Bids       | 2  | 5  | 6  | 8  | 10 |
| Allocation | ✗  | ✗  | ✓  | ✓  | ✓  |
| Price      | UA | UA | 5  | 5  | 5  |

TABLE II: The auction result of the optimal k-Vickrey auction when the 3rd bidder bids untruthfully.

|            | b1 | b2 | b3 | b4 | b5 |
|------------|----|----|----|----|----|
| Bids       | 2  | 5  | 5  | 8  | 10 |
| Allocation | ✗  | ✗  | ✗  | ✓  | ✓  |
| Price      | UA | UA | UA | 5  | 5  |

We give a toy example to illustrate how collusion benefits colluders, which in turn demonstrates the necessity of collusion resistance in auction design. According to the optimal k-Vickrey auction mechanism, the $k$ highest bidders are allocated the item, $p$ is the $(k + 1)$th highest bid, and the number of winners $k$ is an optimal-in-hindsight choice that maximizes the auction revenue $R$. Consider an auction with one seller and five bidders whose true valuations are $\{v_1 = 2, v_2 = 5, v_3 = 6, v_4 = 8, v_5 = 10\}$, and the cost


of each item is 0. Each bidder requests one unit of the item. In the truthful case, if all five bidders bid truthfully, as shown in Table I, the clearing price is 5 and the auction revenue is 15. If the third bidder bids untruthfully, e.g., by bidding lower than her true valuation of the item, as shown in Table II, the clearing price is still 5 and the auction revenue decreases to 10. Nevertheless, this will not happen since the third bidder is better off by being truthful. However, in a colluding case if the second and the third bidders form a collusion and both bid untruthfully, it is shown in Table III that the clearing price becomes 4, and the utility of the collusion coalition increases but the auction revenue decreases.

TABLE III: The auction result of the optimal k-Vickrey auction when the 2nd and the 3rd bidders collude and bid untruthfully.

|            | b1 | b2 | b3 | b4 | b5 |
|------------|----|----|----|----|----|
| Bids       | 2  | 4  | 5  | 8  | 10 |
| Allocation | ✗  | ✗  | ✓  | ✓  | ✓  |
| Price      | UA | UA | 4  | 4  | 4  |

Bidders are incentivized to form collusion coalitions as long as they can improve their total utility, even though the collusive strategy may not be optimal. This malicious behavior greatly disrupts the auction, not only whittling the auction revenue, but also damaging the profits of non-colluding bidders who are discouraged to participate in auctions.

To tackle this problem, we propose a collusion-resistant smart auction mechanism (CReam) that can achieve approximate revenue maximization. Let $g_\gamma(N(B, p))$ represent the consensus estimation function on $B$ [28]. In $g_\gamma(N(B, p))$, $p$ is a positive real number, $N(B, p)$ is the number of bids higher than or equal to $p$ in $B$, and $\gamma$ is a constant parameter. After sampling a random variable $y$ uniformly from $[0, 1]$, the output of $g_\gamma(N(B, p))$ is the largest member in $\{\gamma^{y+j} : j \in \mathbb{Z}\}$ that is upper-bounded by $N(B, p)$, i.e., $N(B, p)$ is rounded down to the nearest element in $\{\gamma^{j+y} : j \in \mathbb{Z}\}$.

The detailed design of our collusion-resistant smart auction mechanism is shown in Algorithm 1.

Algorithm 1: Collusion-resistant smart auction mechanism (CReam)

    Input: Set of bids B, marginal cost per unit C, price sampling parameter α and revenue estimation parameter γ.
    Output: price p and winning bids B_w.
    Sort B in a non-ascending order and obtain b_1 ≥ b_2 ≥ ... ≥ b_n;
    Sample y uniformly from [0, 1];
    R_e = 0;
    foreach ϕ ∈ {α, α^2, ..., α^l, b_1} do
        if ϕ > C then
            n_ϕ = g_γ(N(B, ϕ));
            if (ϕ − C) n_ϕ > R_e then
                R_e = (ϕ − C) n_ϕ;
                p = ϕ;
            end
        end
    end
    B_w = {b_i | b_i ≥ p};

To achieve collusion resistance, we design the winner selection and price determination process as follows.

1) Select candidate price $\phi$. After sorting $B$ in a non-ascending order to obtain $b_1 \ge b_2 \ge ... \ge b_n$, we select candidate price $\phi$ from $\{\alpha, \alpha^2, \alpha^3, ..., \alpha^l, b_1\}$, in which $\alpha \in (1, +\infty)$ is the price sampling parameter, and $\alpha^l < b_1$. Note that $b_1$ is the highest bid.
2) Estimate the revenue yielded by $\phi$. We use the estimation function $g_\gamma(N(B, \phi))$ to estimate the number of bidders whose bids are higher than or equal to $\phi$, denoted as $n_\phi$. The estimated revenue $R_e$ is the multiplication of the candidate price and the estimated number of winners.
3) Optimal price. The optimal clearing price $p$ is chosen as the $\phi$ that maximizes the estimated revenue $R_e$.

The following lemma can be derived directly from the algorithm of CReam [21].

Lemma 1. CReam has a worst case auction revenue (over the input and a random selection of $y$) of at least a factor of $\gamma\alpha$ of the optimal revenue.

Now we analyze the truthfulness of CReam in case of collusion.

Definition 4 ($t$-consensus). Given the input bids $B$ and the random variable $y$, CReam reaches a $t$-consensus at price $\phi$ if $g_\gamma(N(B, \phi) - t) = g_\gamma(N(B, \phi) + t)$.

If CReam reaches a $t$-consensus at price $\phi$, it is infeasible for any coalition of $t$ bidders to change their bids and manipulate the auction results at $\phi$, i.e., there does not exist $B'$ that yields $g_\gamma(N(B', \phi)) \ne g_\gamma(N(B, \phi))$. Before proving that CReam reaches a $t$-consensus at price $\phi$, we first introduce the following lemma. For simplicity, we denote $N(B, \phi)$ as $N(\phi)$ without confusion. We define $G$ as a distribution of functions of the form $g_\gamma$ with $y$ chosen uniformly on $[0, 1]$.

Lemma 2. $g_\gamma(N(\phi))$ has an identical distribution to $\gamma^{y'} N(\phi)/\gamma$ for $y'$ uniformly chosen in $[0, 1]$.

Proof. Consider a random variable $d = \log_\gamma g(N(\phi))$ and let $m = \log_\gamma N(\phi) - 1$. We have $\Pr[d \le m + x] = \Pr[y' \le x]$, and $d$ is uniformly distributed between $m$ and $m + 1$. Therefore, the distribution of $g(N(\phi))$ is identical to that of $\gamma^{y'} N(\phi)/\gamma$.

Now we bound the probability that CReam reaches a $t$-consensus at price $\phi$.

Lemma 3. The probability that CReam reaches a $t$-consensus at price $\phi$ is $1 - \log_\gamma\left(\frac{N(\phi)+t}{N(\phi)-t}\right)$.

Proof. For $y$ uniformly chosen from $[0, 1]$, the random variable $\gamma^y$ satisfies $\Pr[\gamma^y \le z] = \Pr[y \le \log_\gamma z] = \log_\gamma z = \frac{\ln z}{\ln \gamma}$. The probability density function for $\gamma^y$ is $\pi(x) = 1/(x \ln \gamma)$ for $1 \le x < \gamma$. Note that $\Pr[\gamma^y \le z]$ is $\int_1^z \frac{1}{x \ln \gamma}\,dx = \frac{\ln z}{\ln \gamma}$.

1556-6013 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2018.2883275, IEEE Transactions on Information Forensics and Security 7

According to Definition 4, CReam reaches a t-consensus at price $\phi$ if $g_\gamma(N(\phi) - t) = g_\gamma(N(\phi) + t)$, which means that

$$\frac{N(\phi)+t}{\gamma} < g_\gamma(N(\phi)) \le N(\phi) - t.$$

Using Lemma 2, we have

$$
\begin{aligned}
&\Pr\left[\frac{N(\phi)+t}{\gamma} < g_\gamma(N(\phi)) \le N(\phi)-t\right] \\
&\quad= \Pr\left[\frac{N(\phi)+t}{\gamma} < \frac{\gamma^{y} N(\phi)}{\gamma} \le N(\phi)-t\right] \\
&\quad= \Pr\left[\gamma^{y} \le \gamma\,\frac{N(\phi)-t}{N(\phi)}\right] - \Pr\left[\gamma^{y} \le \frac{N(\phi)+t}{N(\phi)}\right] \\
&\quad= 1 - \log_\gamma\left(\frac{N(\phi)}{N(\phi)-t}\right) - \log_\gamma\left(\frac{N(\phi)+t}{N(\phi)}\right) \\
&\quad= 1 - \log_\gamma\left(\frac{N(\phi)+t}{N(\phi)-t}\right).
\end{aligned}
\tag{4}
$$

Definition 5 (Relevant Price). A price $\phi$ is relevant if for some coalition of $t$ bidders, given $B$ and $y$, CReam can output price $\phi$, which is no higher than the price if these $t$ colluders bid truthfully.

Next, we will show that CReam reaches t-consensus on all relevant prices with a high probability. Note that when CReam reaches a t-consensus, it is impossible for any coalition of $t$ or fewer bidders to manipulate their bid values to lower the clearing price $p$.

Fact 1. For $0 < a_i < 1$, and $1 \le i \le N$, $\prod_{i=1}^{N} (1 - a_i) \ge 1 - \sum_{i=1}^{N} a_i$.

Lemma 4. Let $\alpha^r$ be the highest relevant price and $m = N(B, \alpha^r) - t$, then the probability that CReam reaches a t-consensus is $1 - \Theta(t/m)$.

Proof. For any coalition of $t$ bidders manipulating $B$ to be $B'$ and any choice of $y$, we have

$$\alpha^r g_\gamma(N(B, \alpha^r)) \ge \alpha^r m/\gamma$$

and

$$\alpha^i g_\gamma(N(B', \alpha^i)) \le \alpha^i (N(B', \alpha^i) + t).$$

Due to the fact that $\alpha^i$ is relevant, we have

$$\alpha^r m/\gamma \le \alpha^i (N(B', \alpha^i) + t).$$

Thus, we have

$$\alpha^{r-i} m/\gamma - t \le N(B', \alpha^i).$$

Then, considering the probability that CReam reaches a t-consensus at $\alpha^i$, we have

$$
\begin{aligned}
\Pr[\text{t-consensus at } \alpha^i] &= 1 - \log_\gamma\left(\frac{N(\phi)+t}{N(\phi)-t}\right) \\
&\ge 1 - \log_\gamma\left(\frac{\alpha^{r-i} m/\gamma}{\alpha^{r-i} m/\gamma - 2t}\right) \\
&= 1 + \log_\gamma\left(1 - \frac{2ct}{\alpha^{r-i} m}\right).
\end{aligned}
\tag{5}
$$

Let $I = \{i : \alpha^i \text{ is relevant}\}$. Our goal is to bound the probability that CReam reaches a t-consensus at $\alpha^i$ for all $i \in I$. We compute the probability that CReam does not reach a t-consensus at each relevant $\alpha^i$ and use the union bound

$$
\begin{aligned}
\Pr[\text{t-consensus}] &\ge 1 - \sum_{i \in I} \Pr[\text{not t-consensus at } \alpha^i] \\
&\ge 1 + \sum_{i \in I} \log_\gamma\left(1 - \frac{2ct}{\alpha^{r-i} m}\right) \\
&\ge 1 + \sum_{j=0}^{\infty} \log_\gamma\left(1 - \frac{2ct}{m}\alpha^{-j}\right) \\
&= 1 + \log_\gamma\left(\prod_{j=0}^{\infty}\left(1 - \frac{2ct}{m}\alpha^{-j}\right)\right).
\end{aligned}
\tag{6}
$$

Applying Fact 1, we have

$$
\begin{aligned}
\Pr[\text{t-consensus}] &\ge 1 + \log_\gamma\left(1 - \sum_{j=0}^{\infty} \frac{2ct}{m}\alpha^{-j}\right) \\
&= 1 + \log_\gamma\left(1 - \frac{2ct}{m}\left(\frac{\alpha}{\alpha-1}\right)\right) \\
&= 1 - \Theta(t/m).
\end{aligned}
\tag{7}
$$

Lemma 5. If CReam reaches a t-consensus, then for any coalition of $t$ bidders, truthful bidding maximizes the group utility of the coalition.

Proof. Notice that CReam outputs a single clearing price for all bidders. Bidders whose bids are at least this clearing price are winners and bidders whose bids are below the clearing price lose. When CReam reaches a t-consensus, according to the definition of t-consensus and relevant prices, no group of $t$ colluders or fewer can manipulate their bids to lower the clearing price.

Theorem 1. For a set of input bids $B$ such that there are $m + t$ agents above the highest relevant price, the probability that CReam is t-truthful is $1 - \Theta(t/m)$.

Let's look back at the toy example presented at the beginning of this section. To show the collusion resistance of CReam, we will illustrate intuitively how this algorithm prevents the colluders from successfully increasing the group utility by fuzzing and randomization. Estimation parameters $\alpha$ and $\gamma$ are set to be 1.1 and 1.2, respectively. As for the random parameter $y$, we assume it is sampled as 0.5 and 0 in the truthful and colluding cases respectively for simplicity. Then the candidate price $\phi$ should be selected from $\{1.1, 1.21, \dots, 1.95, \dots, 3.8, \dots, 4.59, \dots, 7.4, \dots, 9.85\}$. The possible $\phi$ that might be the clearing price, the corresponding $n_\phi$ and the estimated revenue $R_e$ in the truthful and colluding cases are presented in Table IV and V, respectively. It can be seen that the clearing price should be chosen as 4.59 in both cases, and in the colluding case, the 2nd bidder is not allocated, which means the group utility reduces to 1.41. Hence CReam successfully prevents the 2nd and 3rd bidder from profiting via colluding.

TABLE IV: The estimated revenues under different candidate prices in truthful case.

| $\phi$ | 1.95 | 4.59 | 5.56 | 7.40 | 9.85 |
|---|---|---|---|---|---|
| $N(B, \phi)$ | 5 | 4 | 3 | 2 | 1 |
| $n_\phi$ | 4.73 | 3.92 | 2.73 | 1.89 | 0.91 |
| $R_e$ | 9.22 | 17.99 | 15.18 | 13.99 | 8.96 |

TABLE V: The estimated revenues under different candidate prices in colluding case.

| $\phi$ | 1.95 | 3.80 | 4.59 | 7.40 | 9.85 |
|---|---|---|---|---|---|
| $N(B, \phi)$ | 5 | 4 | 3 | 2 | 1 |
| $n_\phi$ | 4.30 | 3.58 | 2.99 | 1.73 | 1 |
| $R_e$ | 9.22 | 13.60 | 13.72 | 12.787 | 9.85 |

Fig. 5: The events on the blockchain. (Diagram boxes: the seller advertises goods and creates an auction; the seller deploys the smart contract on the blockchain; bidders observe the auction and submit bids; the smart contract executes CReam; return the deposits of unallocated bidders and finalize the exchange of resulting currency.)

The estimation parameters $\alpha$ and $\gamma$ have a significant impact on the performance of the collusion-resistant auction mechanism. Smaller $\alpha$ and $\gamma$ yield a closer approximation to the optimal revenue, but will increase the probability of a successful collusion (see the experimental results in Section VI). Therefore, the tradeoff between auction revenue and collusion resistance should be carefully considered and we will further discuss it in Section VII.
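The following Python sketch is an added example, not the authors' code: it implements Algorithm 1 together with the consensus estimate $g_\gamma$, replays the toy example above with α = 1.1, γ = 1.2, y = 0.5 (truthful) and y = 0 (colluding), and checks Lemma 3 numerically for N = 20, t = 1, γ = 1.5. The truthful valuations 2, 5, 6, 8, 10 are an assumption inferred from the counts in Table IV and the stated group utility of 1.41; all function names and the clamp at 0 in `lemma3_bound` are illustrative choices.

```python
import math

ALPHA, GAMMA, COST = 1.1, 1.2, 0       # toy-example parameters from the text
TRUTHFUL_BIDS = [2, 5, 6, 8, 10]       # assumed true valuations (inferred)
COLLUDING_BIDS = [2, 4, 5, 8, 10]      # Table III: bidders 2 and 3 bid lower
COALITION_VALUES = (5, 6)              # assumed valuations of bidders 2 and 3


def consensus_estimate(n, gamma, y):
    """g_gamma(n): round n down to the nearest gamma**(y + j), j an integer."""
    if n <= 0:
        return 0.0
    # The 1e-12 slack keeps exact powers of gamma (e.g. n = 1, y = 0) from
    # being pushed one step down by floating-point error in the logarithm.
    j = math.floor(math.log(n) / math.log(gamma) - y + 1e-12)
    return gamma ** (y + j)


def candidate_prices(bids, alpha):
    """Algorithm 1 candidates: alpha, alpha^2, ..., alpha^l (< b1), then b1."""
    top, prices, i = max(bids), [], 1
    while alpha ** i < top:
        prices.append(alpha ** i)
        i += 1
    return prices + [top]


def cream(bids, cost, alpha, gamma, y):
    """Return (clearing price, winning bids, estimated revenue R_e)."""
    best_revenue, price = 0.0, None
    for phi in candidate_prices(bids, alpha):
        if phi <= cost:
            continue
        n_at_or_above = sum(1 for b in bids if b >= phi)      # N(B, phi)
        n_phi = consensus_estimate(n_at_or_above, gamma, y)   # fuzzed count
        if (phi - cost) * n_phi > best_revenue:
            best_revenue, price = (phi - cost) * n_phi, phi
    winners = sorted((b for b in bids if price is not None and b >= price),
                     reverse=True)
    return price, winners, best_revenue


def coalition_utility(members, price):
    """members: (true valuation, submitted bid) pairs; winners pay the price."""
    return sum(value - price for value, bid in members if bid >= price)


def consensus_probability(n, t, gamma, steps=20000):
    """Fraction of y in [0, 1) with g(n - t) == g(n + t) (Definition 4)."""
    hits = 0
    for k in range(steps):
        y = (k + 0.5) / steps
        if consensus_estimate(n - t, gamma, y) == consensus_estimate(n + t, gamma, y):
            hits += 1
    return hits / steps


def lemma3_bound(n, t, gamma):
    """Lemma 3: 1 - log_gamma((n + t) / (n - t)); the clamp at 0 is added here."""
    return max(0.0, 1.0 - math.log((n + t) / (n - t)) / math.log(gamma))


def toy_example():
    """Replay the truthful (y = 0.5) and colluding (y = 0) runs from the text."""
    p_true, w_true, r_true = cream(TRUTHFUL_BIDS, COST, ALPHA, GAMMA, y=0.5)
    p_coll, w_coll, r_coll = cream(COLLUDING_BIDS, COST, ALPHA, GAMMA, y=0.0)
    honest = [(v, v) for v in COALITION_VALUES]
    shaded = list(zip(COALITION_VALUES, (4, 5)))   # (valuation, shaded bid)
    return {
        "truthful": (p_true, w_true, r_true, coalition_utility(honest, p_true)),
        "colluding": (p_coll, w_coll, r_coll, coalition_utility(shaded, p_coll)),
    }


if __name__ == "__main__":
    for case, (price, winners, revenue, utility) in toy_example().items():
        print(f"{case}: price={price:.2f} winners={winners} "
              f"R_e={revenue:.2f} coalition utility={utility:.2f}")
    print("Lemma 3, N=20, t=1, gamma=1.5:",
          round(lemma3_bound(20, 1, 1.5), 4),
          "measured:", round(consensus_probability(20, 1, 1.5), 4))
```

The truthful run reports an estimated revenue of 18.04 rather than the 17.99 in Table IV because the table multiplies the rounded entries 4.59 and 3.92.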

B. Smart Auction Contract

In this section, we utilize the smart contract to implement the collusion-resistant auction mechanism (CReam) without a trusted third party, e.g., an online auctioneer or Internet shopping platform. The smart contract leverages cryptocurrencies (e.g., Bitcoin, Ether) as money exchange between the seller and buyers. The smart contract can also impose penalties on misbehaving seller and buyers.

After the CReam smart contract is created, bidders can participate in the auction. The contract will accept and store action data from the seller and bidders, and will automatically execute the auction algorithm. Fig. 5 shows the key events on the blockchain:

- A new smart contract is deployed on the blockchain.
- The seller advertises the item.
- Potential bidders monitor the blockchain for new auctions and submit their bids.
- The smart contract executes CReam to determine winners and the clearing price.
- The smart contract returns the deposits of losing bidders.
- The winning bidders confirm the transaction of the item.
- The smart contract finalizes the market clearing.

Fig. 6: The process of the smart auction. (Sequence diagram between the seller, the buyer and the smart contracts along the timers tbeginAuction, tfinishCommit, tfinishReveal and ttransaction, with the steps Init, Create, Commit Bid, Reveal Bid, Determine, Return, Confirm and Finalize.)

Fig. 6 illustrates the process of a smart auction contract, involving various parties and their sequences of events and messages. Fig. 7 provides a detailed overview of the functions of the smart auction contract. Note that when we write “on receiving message from some bID”, this accepts a message from any participant who wants to bid for the items. Similarly, when we write “on receiving message from s”, this accepts a message from the seller. Whenever we write “upon receiving () from some bID or s”, this accepts a transaction from any bidder or the seller without parameters to trigger function.

Init & Create. The Init function defines all the values associated with a new smart auction. Each contract should maintain a set of variables representing the list of bidders blist, the number of confirmation conf, the list of bids B, the list of winners W, the clearing price p and a list of timers. tbeginAuction is the time after which bidders can start to commit their bids. tfinishCommit and tfinishReveal are two deadlines for bidders to commit sealed bids and revealed bids, respectively. ttransaction is the time when the item transaction ends.

The Create function deploys a new smart contract on the blockchain, which returns the contract address on the blockchain. After the contract is deployed, it can be accessed


by all the auction participants. Note that after creation, the contract runs independently from the entity that creates the contract (usually the seller).

```
Init:      W = [], ob, p = 0, blist = [], conf = 0, B = [],
           tbeginAuction, tfinishSubmit, tfinishReveal, ttransaction = 0

Create:    On (s.deposit, tbeginAuction, tfinishCommit,
               tfinishReveal, ttransaction, ob) from s
             Verify s.deposit ≥ deposit

CommitBid: On (hb, deposit, nonce) from some bID
             Verify t [...]
             [...]
             Verify bID.deposit ≥ bID.b

Determine: Upon receiving () from s
             Verify t > tfinishReveal
             CReam(blist, B) → (W, p)
             Return()

Return:    Upon receiving () from s
             send(i, i.deposit) ∀i ∈ blist & i ∉ W

Confirm:   Upon receiving () from some (bID)
             Verify t > ttransaction
             Verify bID ∈ W
             send(bID, bID.deposit − p)
             conf = conf + 1

Finalize:  Upon receiving () from s
             Verify t > ttransaction
             send(s, s.deposit + p ∗ conf)
```

Fig. 7: Smart auction contract

The seller first calls the Init function to initialize a new auction, then calls function Create if he wants to start an auction. During Create, the seller is allowed to set a predefined opening bid ob, which serves as the lower bound of the qualified bid accepted by the contract. Moreover, to prevent a malicious seller from initializing fraudulent auctions and then withdrawing from transactions, the seller is required to pay at least s.deposit to the contract. The deposit of the seller will be equally distributed among winning bidders if the seller aborts from the auction process. After Create, the contract is ready to accept bids.

commitBid & revealBid. By monitoring the blockchain, bidders can submit their bids once the item is available for auction. Since transactions on the blockchain are transparent and public, bidders who commit later can observe earlier bids and potentially exploit the information to gain an advantage, so CReam requires sealed bids to protect them from being observed by other bidders before the bidding stage ends. Therefore, the bidding process is divided into two phases, commitBid and revealBid, to be executed before the predefined tfinishCommit and tfinishReveal respectively. The commitBid function accepts the tuple <bID, hb, deposit, nonce>, where hb = H(nonce, b), H is a trapdoor function, e.g., cryptographic hash function, and nonce is a random value selected for the transaction. In this way, bidders commit a bid to the contract without revealing their bids. hb will be stored on the blockchain as the [...] with the same bid and nonce used in commitBid. The bids can be verified by checking whether hb = H(b, nonce) to ensure that the revealed bid matches the value in commitBid. The revealBid function also verifies whether the deposit sent to the contract during commitBid is sufficient to cover the revealed bid. A bidder with an insufficient deposit will be rejected.

Determine & Return. After all bids are revealed, the contract will execute the Determine function, which first ensures that the bid submission has completed (t > tfinishReveal) and then performs the CReam algorithm to determine the auction winners and the clearing price. After the auction results are derived, the function Return will be called to return the deposits in full to losing bidders. The deposit of winning bidders will remain in the contract.

Confirm & Finalize. After the auction winners and the clearing price are determined, the seller transfers the item to winning bidders (t > ttransaction), who will trigger the Confirm function to confirm the receipt and retrieve the remaining deposit, i.e., bID.deposit − p. The Finalize function sends to the seller her deposit and the payments from buyers who have confirmed the receipt.

With the “self-enforcing” and unalterable characteristics of smart contract, the correct executions of these functions are guaranteed by the rules of the underlying cryptocurrency network. Since each participant is required to submit a certain amount of deposit beforehand, the smart contract will forfeit the deposit of misbehaving participants and distribute it among well-behaved bidders to impose penalties on improper operations such as abort. This incentivizes rational participants to faithfully follow the auction protocol.

VI. EXPERIMENTAL RESULTS

In this section, we conduct extensive experiments to evaluate the performance of CReam for an online e-auction with multiple winners.

A. Setup

In our evaluations, we use the real bids of 9 e-auctions from eBay online auctions dataset [30] to model the e-auction settings, and the detailed statistics are shown in Tab. VI. The number of bidders varies from 10 to 50, and the marginal cost


per unit of the item C is set to be 1. The input parameters of the CReam algorithm are set as: price parameter α = 1.1 and revenue estimation parameter γ = 1.3. All experiments are averaged over 300 rounds.

Fig. 8: The auction revenue (a) under different auctions; (b) under different price sampling parameter α when γ = 1.5; (c) under different revenue estimation parameter γ when α = 1.3. (Panel (a) plots the ratio of revenue to OPT against the number of bidders for CReam, k-Vickrey and Median; panels (b) and (c) plot the ratio to the OPT revenue against the price parameter α and the revenue estimation parameter γ for n = 10, 20, 30 and 40.)

Fig. 9: The social welfare under different auctions. (Plot of the ratio of welfare to total bids against the number of bidders for OPT, CReam and k-Vickrey.)

The design goals of our proposed smart auction include truthful bidding, collusion resistance and approximate optimal revenue. To evaluate these properties, we adopt the following two customized performance metrics.

- Revenue. Recall that the auction revenue is

  $$R = (p - C) \cdot N(B, p),$$

  where $p$ is the clearing price, and $N(B, p)$ is the number of bids higher than or equal to $p$ in $B$. We would prefer an auction that approximates the optimal revenue [21]. Hence, we use the ratio of the actual revenue to the optimal revenue (denoted by OPT), which we have introduced in Section V-A, as an evaluation metric.
- Social Welfare. Social welfare is another economic concern in auctions, which is the difference between the sum of winning bids and the cost:

  $$\text{welfare} = \sum_i (x_i b_i) - C \cdot N(B, p).$$

  We use the ratio of the social welfare to the sum of all bids as another evaluation metric.

We compare the performance of CReam with the optimal k-Vickrey auction, and a posted price sale. The posted price sale posts a fixed post price, and bidders whose bids are higher than the post price win the item. We select the posted price as the median number of the bids in the auction.

We implement the smart auction contract in Solidity 0.4.21 [17] and test it on the Ethereum network. The contract is loosely coupled with several addresses delegating the seller and bidders. We run the experiments on a Dell XPS with a 2.5 GHz Intel i7 CPU and 8 GB RAM.

B. Auction Performance

Comparison of different auction schemes. In Fig. 8(a), we compare the ratio of revenue to OPT against the number of bidders under CReam, optimal k-Vickrey and a posted price sale. We can observe that CReam achieves very high approximation ratios to the OPT, all approaching or higher than 0.95. Not surprisingly, the optimal k-Vickrey obtains a higher ratio than CReam in some cases. The reason is that when determining the clearing price, CReam adopts the revenue estimation strategy to defend against bidder collusion. Consequently, in certain cases CReam may not output the real optimal price.

Fig. 9 illustrates the ratio of social welfare to the sum of all bids under CReam, optimal k-Vickrey and the OPT. Apparently, a lower clearing price yields a higher social welfare. However, to achieve collusion resistance, we sacrifice the performance of social welfare to some extent, and select a higher clearing price. Despite this, the social welfare of CReam is still at an acceptable level.

Impacts of system parameters. We study how price sampling parameter α and revenue estimation parameter γ affect the revenue obtained by CReam in 4 e-auctions with 10, 20, 30 and 40 bidders, respectively. In Fig. 8(b), we evaluate the ratio of the actual revenue to the optimal revenue by varying α from 1.1 to 2.7 while fixing the revenue estimation parameter γ as 1.5. It can be observed that the ratio reduces as α increases. This is because α determines the sampling interval of candidate prices. A bigger α means a larger interval, which leads to a higher probability of missing the optimal price.

Fig. 8(c) illustrates the ratio of the actual revenue to the optimal revenue when the revenue estimation parameter γ varies from 1.3 to 3.1 while fixing α as 1.3. It is demonstrated that the revenue decreases as γ increases. This happens due to the fact that γ influences the degree of estimation to the


maximum revenue. A smaller γ leads to a more accurate estimation, whereas a larger γ, which makes the estimation fuzzier, yields a stronger prevention against collusion.

TABLE VI: The detailed statistics of 9 e-auctions on eBay.

| Auction ID | Bid number | Median bid | Clearing price |
|---|---|---|---|
| 1643136423 | 10 | 148 | 400 |
| 1640653873 | 15 | 90 | 202.5 |
| 1640809330 | 20 | 150 | 560 |
| 1639341131 | 25 | 115.5 | 256.51 |
| 1650483277 | 30 | 77 | 124.25 |
| 3014012355 | 35 | 105 | 240 |
| 1640809333 | 40 | 869.44 | 1725 |
| 3018788243 | 45 | 115 | 245 |
| 8212602164 | 50 | 88.5 | 212.5 |

Fig. 10: The probability that a coalition can successfully improve its total utility versus the size of collusion coalitions when α = 1.3 and γ = 1.5. (Plot of probability against the size of collusion groups for n = 50, 100 and 150.)

Probability of successful collusion. In Fig. 10, we evaluate the probability that a set of bidders can successfully improve their total utility under a setting of γ = 1.5 and α = 1.3. Empirical studies on commercial non-collusion-resistant auctions reveal that most collusion coalitions are small (< 6 bidders per coalition) [10], [31]. This is mainly because as the coalition becomes larger, there are more frictions between bidders, and the cost of maintaining the collusion coalition rises. By varying the collusion coalition size from 2 to 6, it can be observed that a larger collusion coalition yields a higher successful probability. This is because a larger collusion coalition can counteract the impact of revenue estimation parameter γ more effectively, and have a better chance of manipulating their bids to lower the clearing price and obtain a utility gain. As shown in Fig. 10, our collusion-resistant auction mechanism can significantly diminish the incentives of bidders to collude with each other.

C. Smart Contract Implementation

In Tab. VII, we show the cost of setting up and executing the contract on the official Ethereum network when there are 20 buyers. The cost is in the amount of gas consumed by each function, and the converted monetary value in US dollar. The gas price was $2 \times 10^{-9}$ Ether (2 Gwei) and the exchange rate was 1 Ether = $195 in September 2018. As we can see, the financial cost of using the smart contract on the Ethereum network is low. The cost is roughly related to the computational and storage complexity of the function. For example, the Init function (to store a contract on the blockchain) and the RevealBid (require verification of hash values) cost more than other functions. For the smart auction contract, the total cost is about 2.6 million gas ($10.04) for the seller, and about 294 thousand gas ($1.15) for each bidder.

Fig. 11: The average cost for the seller and bidders based on the number of bidders participating in the auction. (Plot of seller cost ($) and bidder cost ($) against the number of bidders.)

Fig. 12: The fluctuation of average costs for the seller and bidders from October 2017 to September 2018 based on the historical prices of Ether. (Plot of seller cost ($) and bidder cost ($) against date.)

Fig. 11 highlights the distribution of cost for the seller and bidders when the number of bidders participating in the auction varies. It is shown that the seller’s cost increases linearly with the number of bidders, while the individual bidder’s cost remains constant. To be more specific, we further


investigate the auction fees on traditional e-auction platforms. The fee for a typical auction on eBay is composed of an insertion fee of $0.35, and a fee that is about 10% of the final value of sale for most categories (has a maximum of $750) [32]. By analyzing the statistics of 628 e-auctions from eBay online auctions dataset, we find that the number of bidders is smaller than 40 in 609 of e-auctions. 82.8% and 74.2% of these 609 auctions have a final value of more than $155 and $200, respectively. Therefore, the cost of the seller of most of the e-auctions on eBay is higher than $15.8. According to Fig. 11, the cost of the seller using CReam is about $15.48 when there are 40 bidders in September 2018, which shows that CReam is a more economical choice.

TABLE VII: A breakdown of the costs for the seller and bidders using the smart auction contract when there are 20 bidders. We approximate the cost in USD ($) using the conversion rate of 1 Ether = $195 and the gas price of 0.00000002 Ether as listed in September 2018.

| Functions | Transaction Cost in Gas | Execution Cost in Gas | Total Cost in Gas | Total Cost in $ |
|---|---|---|---|---|
| Init | 1358579 | 998787 | 2357366 | 9.1937274 |
| Create | 62926 | 41142 | 104068 | 0.4058652 |
| CommitBid | 52704 | 31176 | 83880 | 0.327132 |
| RevealBid | 103757 | 82101 | 185858 | 0.7248462 |
| Determine | 22104 | 832 | 22936 | 0.0894504 |
| Return | 30749 | 9477 | 40226 | 0.1568814 |
| Confirm | 21385 | 3573 | 24958 | 0.0973362 |
| Finalize | 23765 | 2493 | 26258 | 0.1024062 |
| Seller Total | 1498123 | 1056304 | 2575812 | 10.0456668 |
| Bidder Total | 177846 | 116850 | 294696 | 1.1493144 |
| Auction Total | 1675969 | 1169581 | 2845550 | 11.097645 |

To further investigate the historical fluctuation of the exchange rate of Ether to US dollar, we show in Fig. 12 the cost of seller and each bidder when there are 40 bidders according to the historical price of Ether from September 2017 to September 2018. It can be observed that in January 2018, the price of Ether reaches the highest point, which makes the cost of both seller and bidders extremely expensive. However, the price dropped sharply since then and reaches the lowest point recently, which makes CReam even more cost-effective than the auctions on eBay.

Fig. 13: The gas cost for the seller based on the number of bidders participating in the auction. (Plot of gas, in units of 10^6, against the number of bidders for Init, Create, Determine, Return and Finalize, with the gas limit marked.)

Fig. 13 demonstrates the breakdown of the seller’s gas consumption. Except for Init, Create and Finalize, the gas cost for each function increases linearly with the number of bidders. The gas limit for a block was set to be 4.7 million by the miners. This means that the smart contract reaches the computation and storage limit when there are 160 bidders. This limit exists as the auction results are computed in a single transaction and the gas used must be less than the block’s gas limit. To avoid reaching this block limit, we currently recommend a safe upper limit of around 150 bidders.

VII. DISCUSSIONS

In this section, we discuss the design choices and security issues of the proposed smart auction contract.

The choice of parameters α and γ. The price sampling parameter α and the revenue estimation parameter γ are two essential factors that directly affect the performance of CReam. According to the experimental results shown in Section VI, a larger α leads to a higher probability of missing the optimal price, and a larger γ yields a more fuzzy approximation of the optimal revenue, thus resulting in a lower ratio of the actual revenue to the optimal revenue. Smaller α and γ may make the auction more profitable, but will weaken the collusion-resilience of CReam. Therefore, we should carefully choose the values for these two parameters. When there are 50 buyers, the influence of a collusion coalition is relatively high, so we recommend to set α and γ as 1.3 and 1.5, respectively. Under this setting, according to Fig. 10, a collusion coalition of 6 bidders can manipulate the auction result with a probability of less than 20%. Furthermore, it is shown in Fig. 8(b) that the revenue obtained by CReam is around 94% of the optimal revenue, which is satisfactory. When there are 150 bidders, since the impact of a collusion coalition is diluted, the two parameters can be set smaller to increase the auction revenue.

The setting of timers. When creating the smart auction contract, a list of timers is set to enforce the auction in a timely manner. A minimum time interval τ (unit in seconds)


TABLE VIII: An example of the setting of timers in an auction

Timer Setting/hour Meaning

tcurrent 0 Time point when the seller creates the auction

tbeginAuction 6 Earliest starting time of the auction

tfinishCommit 66 Deadline of bid commitment

tfinishReveal 71 Deadline of bid reveal

ttransaction 72 Earliest starting time of financial transactions

is set in Create to ensure that each function remains active for at least a time interval of $\tau$. In particular, we should have $t_{\mathrm{finishCommit}} - t_{\mathrm{beginAuction}} > \tau$ and $t_{\mathrm{finishReveal}} - t_{\mathrm{finishCommit}} > \tau$ to provide sufficient time for bidders to commit and reveal their sealed bids. It also provides a time window for the bidders’ transaction to be accepted by the blockchain. This is necessary to prevent a cartel of miners (< 51%) from attempting to censor the transaction. To be more specific, we show an example of the settings of timers in a smart contract for a 3-day auction in Tab. VIII. Right before calling Create, the seller obtains the current time, which is denoted by $t_{\mathrm{current}}$ and assumed to be 0 in the example.

The concern of dishonest buyers. According to our smart auction contract, every winning bidder should trigger the Confirm function after receiving the item. In response, the smart contract refunds the deposit minus the clearing price. The seller receives the payment of a buyer only if the receipt is confirmed. Therefore, winning bidders are incentivized to trigger the Confirm function after receiving the item to get their refunds, and the seller is incentivized to send the item to the winners to get the payment. However, an irrational participant may deviate from the expected behaviors, e.g., a seller who decides not to send the item to winners. The concern of irrational sellers or bidders can be mitigated in two ways. First, a reputation network for decentralized marketplaces can enable auction participants to evaluate the trust of each other based on their reputations [33]. Second, several companies, e.g., Maersk, IBM and Walmart, have already succeeded in tracking cargo and streamlining supply chains using blockchains, hence the contract can obtain the transfer information from logistical records, and only confirm after successful delivery of the item [34].

The extension to multi-unit demand. We analyze the truthfulness and collusion resistance under the assumption that each bidder demands one unit of the item. When considering the scenario where each bidder demands multiple units of the item, the traditional non-collusion-resistant k-Vickrey auction will even be non-truthful, since a bidder can manipulate the bid for one unit to influence the allocation and payment of another unit, thus obtaining a higher utility for being untruthful. In comparison, CReam will maintain truthfulness and collusion resistance in case of multi-unit demand. However, since the probability of a successful collusion increases with the size of the collusion coalition, according to the experimental results in Section VI, the maximum number of bids that each bidder is allowed to submit should be restricted.

The concern of volatility of cryptocurrencies. The wild swings in the value of the cryptocurrency and regulatory uncertainty make digital cryptocurrency risky for online merchants. Despite the risks, a growing number of large-scale retailers are already accepting cryptocurrencies, such as Software, Zynga and Subway, since their sheer size and profitability shield them from the abrupt appreciation and devaluation of cryptocurrencies. Small and mid-sized businesses will carefully evaluate the risk of investment in cryptocurrency before entering the blockchain-based market, based on the demands of targeted clients and internal business objectives. Another possible way to address the volatility of cryptocurrencies is stable coins, which have entered the crypto market. A stable coin is a cryptocurrency pegged to the value of an underlying asset, such as fiat currencies like the U.S. dollar, or financial assets like real estate, which ensures that the value of a stable coin remains consistent. For example, the Silicon Valley-based startup, TrustToken, has created TrueUSD as a U.S. dollar-backed stable coin built on the Ethereum blockchain. Stable coins can be used for e-commerce payments to resolve the concern of volatility on the blockchain-based market.

VIII. CONCLUSION AND FUTURE WORK

The first decentralized collusion-resistant smart auction contract system, CReam, presented in this paper, provides a safe and trusted transaction environment for auction participants. A seller can easily create a CReam contract which will be automatically and faithfully executed to determine the allocation and the payment among bidders, who are discouraged from forming collusion coalitions due to the auction mechanism. Moreover, by leveraging the inherent characteristics of smart contracts, all the participants are incentivized to follow the protocols. Our implementation and evaluation of CReam on the Ethereum network confirm the economic efficiency and collusion resistance of the auction, and show that the execution cost is as low as $1 for each bidder and $15 for the seller in September 2018.

There are a number of additional functionalities that could enrich our current design. First, the auction mechanism in the smart contract can be rewritten to support more complex forms of auctions, e.g., double auctions and combinatorial auctions. Privacy preservation is another concern that can be addressed using cryptographic tools [35]–[37]. We consider all of these as future work.

REFERENCES

[1] R. Bapna, “Insights and analyses of online auctions,” Communications of the ACM, vol. 44, no. 11, pp. 42–50, 2015.


[2] Y. Vakrat and A. Seidmann, “Implications of the bidders’ arrival process on the design of online auctions,” in Hawaii International Conference on System Sciences, 2000, p. 6015.
[3] C. Mclaughlin, G. Prentice, L. Bradley, S. Loane, and E. J. Verner, “C2c online auction intentions: An application the theory of planned behaviour,” in Northern Ireland Branch Conference - Psychology for A Changing World, 2014.
[4] E. S. M. T. Elkenawy, A. I. Eldesoky, and A. M. Sarhan, “A bidder strategy system for online auctions trust measurement,” International Journal of Strategic Information Technology & Applications, vol. 5, 2014.
[5] J. C. Wang and C. C. Chiu, “Recommending trusted online auction sellers using social network analysis,” Expert Systems with Applications, vol. 34, no. 3, pp. 1666–1679, 2008.
[6] Q. Wang, Q. Sun, K. Ren, and X. Jia, “Themis: Collusion-resistant and fair pricing spectrum auction under dynamic supply,” IEEE Transactions on Mobile Computing, vol. PP, no. 99, pp. 1–1, 2017.
[7] Z. Xu and W. Liang, “Collusion-resistant repeated double auctions for relay assignment in cooperative networks,” IEEE Transactions on Wireless Communications, vol. 13, no. 3, pp. 1196–1207, 2014.
[8] M. R. Albert, “E-buyer beware: Why online auction fraud should be regulated,” American Business Law Journal, vol. 39, no. 4, pp. 575–644, 2002.
[9] G. Goswami, T. H. Noe, and M. J. Rebello, “Collusion in uniform-price auction: Experimental evidence and implications for treasury auctions,” Review of Financial Studies, vol. 9, no. 3, pp. 757–785, 1996.
[10] P. Bajari and J. Yeo, “Auction design and in fcc spectrum auctions,” Information Economics & Policy, vol. 21, no. 2, pp. 90–100, 2009.
[11] I. C. C. Center, “2014 internet crime report,” https://pdf.ic3.gov/2014 IC3Report.pdf, 2015.
[12] ——, “2015 internet crime report,” https://pdf.ic3.gov/2014 IC3Report.pdf, 2016.
[13] M. Anisetti, C. A. Ardagna, P. A. Bonatti, E. Damiani, M. Faella, C. Galdi, and L. Sauro, “E-auctions for multi-cloud service provisioning,” in IEEE International Conference on Services Computing, 2014, pp. 35–42.
[14] Z. Bar-Yossef, K. Hildrum, and F. Wu, “Incentive-compatible online auctions for digital goods,” in Thirteenth ACM-SIAM Symposium on Discrete Algorithms, 2002, pp. 964–970.
[15] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” Consulted, 2008.
[16] V. Buterin et al., “A next-generation smart contract and decentralized application platform,” white paper, 2014.
[17] Solidity, “Solidity 0.4.24 documentation,” https://solidity.readthedocs.io/en/develop/, 2018.
[18] X. Zhou, S. Gandhi, S. Suri, and H. Zheng, “ebay in the sky: strategy-proof wireless spectrum auctions,” in International Conference on Mobile Computing & Networking, 2008, pp. 2–13.
[19] Lehmann, Daniel, allaghan, L. Ita, Shoham, and Yoav, “Truth revelation in approximately efficient combinatorial auctions,” Journal of the ACM, vol. 49, no. 5, pp. 577–602, 2002.
[20] X. Zhou and H. Zheng, “Breaking bidder collusion in large-scale spectrum auctions,” in ACM International Symposium on Mobile Ad Hoc Networking and Computing, 2010, pp. 121–130.
[21] A. V. Goldberg and J. D. Hartline, “Collusion-resistant mechanisms for single-parameter agents,” in Sixteenth ACM-SIAM Symposium on Discrete Algorithms, 2005, pp. 620–629.
[22] A. Hahn, R. Singh, C. C. Liu, and S. Chen, “Smart contract-based campus demonstration of decentralized transactive energy auctions,” in IEEE Power & Energy Society Innovative Smart Grid Technologies Conference, 2017, pp. 1–5.
[23] P. Mccorry, S. F. Shahandashti, and H. Feng, A Smart Contract for Boardroom Voting with Maximum Voter Privacy, 2017.
[24] C. Dong, Y. Wang, A. Aldweesh, P. Mccorry, and A. V. Moorsel, “Betrayal, distrust, and rationality: Smart counter-collusion contracts for verifiable cloud computing,” 2017.
[25] Y. Velner, J. Teutsch, and L. Luu, “Smart contracts make bitcoin mining pools vulnerable,” in International Conference on Financial Cryptography and Data Security, 2017, pp. 298–316.
[26] A. Juels, A. Kosba, and E. Shi, “The ring of gyges: Investigating the future of criminal smart contracts,” in ACM SIGSAC Conference, 2016, pp. 283–295.
[27] A. V. Goldberg, J. D. Hartline, and A. Wright, “Competitive auctions and digital goods,” in Twelfth ACM-SIAM Symposium on Discrete Algorithms, 1999, pp. 735–744.
[28] A. V. Goldberg and J. D. Hartline, “Competitiveness via consensus,” in Fourteenth ACM-SIAM Symposium on Discrete Algorithms, 2003, pp. 215–222.
[29] W. Vickrey, “Counterspeculation, auctions, and competitive sealed tenders,” Journal of Finance, vol. 16, no. 1, pp. 8–37, 1961.
[30] Kaggle, “Online auctions dataset from ebay,” https://www.kaggle.com/onlineauctions/online-auctions-dataset, 2016.
[31] P. Cramton and J. A. Schwartz, “Collusive bidding in the fcc spectrum auctions,” Contributions in Economic Analysis & Policy, vol. 1, no. 1, pp. 1078–1078, 2002.
[32] eBay, “Selling fees on ebay,” https://www.ebay.com/help/selling/fees-credits-invoices/selling-fees?id=4364, 2018.
[33] O. S. T. Litos and D. Zindros, “Trust is risk: A decentralized financial trust platform,” in International Conference on Financial Cryptography and Data Security, 2017, pp. 340–356.
[34] A. Badzar, “Blockchain for securing sustainable transport contracts and supply chain transparency,” http://lup.lub.lu.se/luur/download?func=downloadFile&recordOId=8880383&fileOId=8880390, 2016.
[35] Q. Wang, M. He, M. Du, S. S. M. Chow, R. W. F. Lai, and Q. Zou, “Searchable encryption over feature-rich data,” IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 3, pp. 496–510, 2018.
[36] Q. Wang, M. Du, X. Chen, Y. Chen, P. Zhou, X. Chen, and X. Huang, “Privacy-preserving collaborative model learning: The case of word vector training,” IEEE Transactions on Knowledge and Data Engineering, vol. PP, pp. 1–1, DOI: 10.1109/TKDE.2018.2819673, 2018.
[37] M. Du, Q. Wang, M. He, and J. Weng, “Privacy-preserving indexing and query processing for secure dynamic cloud storage,” IEEE Transactions on Information Forensics and Security, vol. 13, no. 9, pp. 2320–2332, 2018.

Shuangke Wu received the B.E. degree from Wuhan University, Wuhan, China, in 2017. She is working towards the Master degree in the School of Cyber Science and Engineering in Wuhan University. Her research interests include spectrum auction security and applied cryptography.

Yanjiao Chen received her B.E. degree in Electronic Engineering from Tsinghua University in 2010 and Ph.D. degree in Computer Science and Engineering from Hong Kong University of Science and Technology in 2015. She is currently a Professor in Wuhan University, China. Her research interests include spectrum management for Femtocell networks, network economics, network security, and Quality of Experience (QoE) of multimedia delivery/distribution.


Qian Wang is a Professor with the School of Cyber Science and Engineering, Wuhan University. He received the Ph.D. degree from Illinois Institute of Technology, USA. His research interests include AI security, data storage, search and computation outsourcing security and privacy, wireless systems security, big data security and privacy, and applied cryptography, etc. Qian received the National Science Fund for Excellent Young Scholars of China in 2018. He is also an expert under the National “1000 Young Talents Program” of China. He is a recipient of the 2016 IEEE Asia-Pacific Outstanding Young Researcher Award. He is also a co-recipient of several Best Paper and Best Student Paper Awards from IEEE ICDCS’17, IEEE TrustCom’16, WAIM’14, and IEEE ICNP’11, etc. He serves as an Associate Editor for IEEE Transactions on Dependable and Secure Computing (TDSC) and IEEE Transactions on Information Forensics and Security (TIFS). He is a Member of the IEEE and a Member of the ACM.

Minghui Li received the B.S. degree in Information Security in 2016 and the M.S. degree in Computer Technology in 2018, both from Wuhan University, China. She is currently pursuing the Ph.D. degree in the School of Cyber Science and Engineering, Wuhan University, China. Her research interest focuses on information security, cloud computing, and artificial intelligence security.

Cong Wang has been an Assistant Professor at the Department of Computer Science, City University of Hong Kong, since the Summer of 2012. He received his PhD in Electrical and Computer Engineering from Illinois Institute of Technology, USA, and M.Eng and B.Eng from Wuhan University, China. His current research interests include data and computation outsourcing security in the context of cloud computing, network security in emerging Internet architecture, multimedia security and its applications, and privacy-enhancing technologies in the context of big data and IoT. He received The President’s Awards 2016 at City University of Hong Kong. He was the co-recipient of the Best Student Paper Award of IEEE ICDCS 2017, and the Best Paper Award of IEEE MSN 2015 and CHINACOM 2009. His research has been supported by multiple government research fund agencies, including National Natural Science Foundation of China, Hong Kong Research Grants Council, and Hong Kong Innovation and Technology Commission. He has been serving as TPC co-chair for a number of IEEE conferences/workshops. He is a member of IEEE and ACM.

Xiangyang Luo received his B.S., M.S., and Ph.D degrees from the State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou, China, in 2001, 2004, and 2010, respectively. He is the author or co-author of more than 100 refereed international journal and conference papers. He is currently a professor of the State Key Laboratory of Mathematical Engineering and Advanced Computing. His research interests are Network and Information Security. This work was supported by the National Natural Science Foundation of China, the National Key R&D Program of China, the Science and Technology Innovation Talent Project of Henan Province.
