Brandt's Fully Private Auction Protocol Revisited
Auctions have a long history, having been recorded as early as 500 B.C. Nowadays, electronic auctions have been a great success and are increasingly used. Many cryptographic protocols have been proposed to address the various security requirements of these electronic transactions, in particular to ensure privacy. Brandt developed a protocol that computes the winner using homomorphic operations on a distributed ElGamal encryption of the bids. He claimed that it ensures full privacy of the bidders, i.e., no information apart from the winner and the winning price is leaked. We first show that this protocol – when using malleable interactive zero-knowledge proofs – is vulnerable to attacks by dishonest bidders. Such bidders can manipulate the publicly available data in a way that allows the seller to deduce all participants' bids. Additionally, we discuss some issues with verifiability as well as attacks on non-repudiation, fairness and the privacy of individual bidders exploiting authentication problems.
💡 Research Summary
The paper revisits Brandt's "Fully Private Auction" protocol, a celebrated construction that claims to reveal only the winner and the winning price while keeping all other bids completely confidential. The authors begin by outlining the protocol's architecture: each bidder encrypts his bid using a distributed ElGamal scheme, the encrypted bids are combined homomorphically, and a series of interactive zero-knowledge proofs (ZKPs) are used to convince the seller that every step has been performed correctly. In theory, this design should guarantee "full privacy" – no information about any individual bid should ever be exposed.
The core contribution of the work is a concrete attack that exploits the malleability of the interactive ZKPs employed in Brandt's original design. A dishonest bidder can multiply his ciphertext by an arbitrary scalar and simultaneously produce a forged proof that still passes verification. Because the verification routine does not detect the manipulation, the altered ciphertexts enter the homomorphic aggregation unchanged. When the seller later decrypts the aggregated ciphertext, the scalar factors cancel out in a way that reveals the original plaintexts of all participants. Consequently, the seller can reconstruct every bid, completely violating the protocol's privacy guarantee.
Beyond privacy, the authors examine how the same weakness undermines other security properties. Since the forged proofs are accepted, a malicious bidder can make it appear that he submitted a lower bid than he actually did, thereby influencing the auction outcome. This breaks fairness and opens the door to strategic manipulation. Moreover, the ability to tamper with proofs compromises non-repudiation: a bidder can later deny having submitted a particular bid, or be forced to accept responsibility for a bid he never made. The paper also points out deficiencies in the authentication framework of the original protocol; without strong identity verification, man-in-the-middle attacks and key substitution become feasible, further eroding trust in the system.
To mitigate these issues, the authors propose several remedial measures. First, replace the malleable interactive ZKPs with non-malleable or non-interactive proofs (e.g., Fiat-Shamir transformed proofs) that are resistant to manipulation. Second, introduce integrity checks on ciphertexts before aggregation, such as hash-based commitments or MACs, to detect any unauthorized scaling. Third, enforce a robust public-key infrastructure with certificates and revocation mechanisms to prevent identity spoofing. Finally, they advocate formal security proofs that model the adversary's capabilities more comprehensively, ensuring that privacy, verifiability, fairness, and non-repudiation are all provably upheld.
In conclusion, while Brandt's protocol was a pioneering effort in privacy-preserving electronic auctions, the paper demonstrates that its reliance on malleable ZKPs and weak authentication leaves it vulnerable to a range of attacks that can expose all bids and compromise core security guarantees. By adopting the suggested cryptographic hardening techniques, future auction protocols can achieve the intended level of privacy and trustworthiness.
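As an added illustration (not code from the paper and not Brandt's protocol), the following Python sketch models the two mechanisms the summary refers to: exponential ElGamal with its homomorphic combination of bids, and a Fiat-Shamir proof of knowledge of plaintext and randomness whose challenge commits to the public key, the whole ciphertext and a context string. It is a single-key simplification: Brandt's protocol uses a key shared among the bidders, encodes bids as vectors of encrypted bits and proves different statements, none of which is reproduced here. The bid values, the auction and bidder labels and all function names are constructed for the example; the only real parameter is the 1024-bit MODP group of RFC 2409 (group 2).

```python
import hashlib
import secrets

# Group parameters: the 1024-bit MODP group of RFC 2409 (group 2). p is a safe
# prime and g = 2 generates the subgroup of prime order q = (p - 1) / 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
Q = (P - 1) // 2
G = 2
assert pow(G, Q, P) == 1  # g has order q, so exponents may be reduced mod q

def _rand_exp():
    return secrets.randbelow(Q - 1) + 1

def keygen():
    """Single-key simplification (constructed): private x, public h = g^x."""
    x = _rand_exp()
    return x, pow(G, x, P)

def encrypt(h, m, r=None):
    """Exponential ElGamal: (c1, c2) = (g^r, g^m * h^r). Returns ((c1, c2), r)."""
    r = _rand_exp() if r is None else r
    return (pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P), r

def homomorphic_add(ct_a, ct_b):
    """Component-wise product: Enc(m_a) * Enc(m_b) = Enc(m_a + m_b)."""
    return (ct_a[0] * ct_b[0] % P, ct_a[1] * ct_b[1] % P)

def decrypt(x, ct, bound=1 << 16):
    """Strip h^r = c1^x, then recover the small exponent m by brute force."""
    c1, c2 = ct
    gm = c2 * pow(c1, Q - x, P) % P  # c1^(q - x) == c1^(-x) since c1 has order q
    acc = 1
    for m in range(bound):
        if acc == gm:
            return m
        acc = acc * G % P
    raise ValueError("plaintext outside search bound")

def _challenge(context, *elements):
    """Fiat-Shamir challenge: hash of the context and every element of the statement."""
    hasher = hashlib.sha256(context)
    for el in elements:
        hasher.update(el.to_bytes(128, "big"))  # every element is < p < 2^1024
    return int.from_bytes(hasher.digest(), "big") % Q

def prove_knowledge(h, ct, m, r, context):
    """Prove knowledge of (m, r) with ct = (g^r, g^m * h^r). The challenge commits
    to h, the whole ciphertext, the commitments and a context string (auction id
    and bidder id), so the transcript is tied to this ciphertext and this bidder."""
    c1, c2 = ct
    k1, k2 = _rand_exp(), _rand_exp()
    a1 = pow(G, k1, P)
    a2 = pow(G, k2, P) * pow(h, k1, P) % P
    e = _challenge(context, h, c1, c2, a1, a2)
    return (a1, a2, (k1 + e * r) % Q, (k2 + e * m) % Q)

def verify_knowledge(h, ct, proof, context):
    """Recompute the challenge from the statement and check both relations."""
    c1, c2 = ct
    a1, a2, s1, s2 = proof
    e = _challenge(context, h, c1, c2, a1, a2)
    ok_r = pow(G, s1, P) == a1 * pow(c1, e, P) % P
    ok_m = pow(G, s2, P) * pow(h, s1, P) % P == a2 * pow(c2, e, P) % P
    return ok_r and ok_m

def demo():
    """Two constructed bids; returns (sum, carried-over proof accepted?, replayed proof accepted?)."""
    x, h = keygen()
    ctx_a = b"auction-42|bidder-A"  # constructed context labels
    ctx_b = b"auction-42|bidder-B"
    ctx_c = b"auction-42|bidder-C"
    ct_a, r_a = encrypt(h, 5)
    ct_b, r_b = encrypt(h, 7)
    proof_a = prove_knowledge(h, ct_a, 5, r_a, ctx_a)
    proof_b = prove_knowledge(h, ct_b, 7, r_b, ctx_b)
    assert verify_knowledge(h, ct_a, proof_a, ctx_a)
    assert verify_knowledge(h, ct_b, proof_b, ctx_b)
    total = decrypt(x, homomorphic_add(ct_a, ct_b))  # 5 + 7 = 12
    # ElGamal is malleable: multiplying c2 by g^d turns Enc(m) into Enc(m + d)
    # without knowledge of m. Because the challenge covers c2, bidder A's proof
    # does not verify for the modified ciphertext ...
    modified = (ct_a[0], ct_a[1] * pow(G, 3, P) % P)
    carried = verify_knowledge(h, modified, proof_a, ctx_a)
    # ... and because it covers the bidder id, it is not accepted under C either.
    replayed = verify_knowledge(h, ct_a, proof_a, ctx_c)
    return total, carried, replayed

if __name__ == "__main__":
    print(demo())  # (12, False, False)
```

The last two checks are what binding the proof to its statement buys: a transcript cannot be carried over to a modified ciphertext or reused under another bidder's identity, which is the property a non-malleable, non-interactive proof is meant to give a verifier that only sees the public transcript. With an interactive proof whose challenge is not tied to the ciphertext and the bidder, the verifier has no such handle, which is the gap the summary's first and third mitigations address.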