An anonymous and fair auction system based on blockchain

Consumer approval of the online auction paradigm is demonstrated by rapidly expanding online auction transaction volumes. Bidders can access a wider variety of products, and sellers can reach a larger audience through online auction platforms. However, privacy concerns have reduced users’ trust in auction platforms, and complicated disputes have led consumers to lose faith in online auctions, negatively impacting market growth. The emergence of blockchain technology has brought a new approach to solving these problems. Blockchain is a new generation of information technology that is decentralized, transparent, traceable, anti-tampering, and unforgeable, following big data, cloud computing, and artificial intelligence. In this paper, we present a blockchain-based online auction solution as well as an auction protocol that uses ring signatures to guarantee anonymity. Three features summarize this essay: (1) Using blockchain technology to ensure that the auction transaction process is transparent, traceable, tamper-proof, and unforgeable. (2) The ring signature-based anonymous auction protocol allows for concealing bidders’ public keys in a group of public keys. Because malicious individuals are prevented from evaluating data by tracking numerous transactions of a single public key, this significantly protects bidders’ privacy. (3) The proposed scheme effectively resolves disputes that may arise during the auction.


Background
With the prevalence of e-commerce, shopping online has become the main shopping method for consumers due to the convenience of online transactions. English auctions, one of the most popular auction methods, would help the seller receive greater returns than other auction models. Online auction transactions have grown dramatically in recent years. According to research by ArtTactic [1], online auction sales for Christie's, Sotheby's, and Phillips reached $1.35 billion in 2021, up 28.2% from 2020 and accounting for 10.7% of total auction sales. Internet sales in 2019 totaled $168.2 million for these three businesses, with an exponential growth rate. Estimates suggest that between 2021 and 2026, the value of the online auction industry will expand by an extra $1.9 billion, which is a very optimistic expectation.
But because of all the attention, there are many problems with the online auction market, such as fraud, user privacy, and fair trade. For example, merchants may exploit rule loopholes by utilizing fake bidder identities to win higher bids on their auctioned items. A further situation has two bidders participating in an auction concurrently, one submitting a low offer and the other a very high one. The top bidder gives up the bid as the auction ends, which causes the low bid to be accepted as the winning bid. It is abundantly clear from PR Newswire's study [2] that concerns about fraud may limit the market growth. Sincere participants are more concerned about protecting their privacy and getting treated fairly. Participants in the bidding process prioritize that disputes are resolved reasonably and that unbiased activities enable bidders to obtain lots at a reasonable cost. Indeed, utilizing a third party or applying appropriate regulations can deal with. Therefore, sincere bidders are more worried about suffering unnecessarily as a result of the revealing of personal information. This worry is necessary considering that industry giant Google recently had its usage of Google Analytics, a tool for data analytics that can track millions of users and gather data on a variety of users, banned [3,3]. In the well-established Internet economy, user data have a very high value. To gain more from it, malicious people may use analytics tools for hunting personal information about users' hobbies and financial situations by analyzing their transaction data.
Dispute resolution and anonymity have always been the two most important elements in an auction. For an auction, both the rules and the information given to bidders must be fair, consistent, and transparent. Participants provide as little personal information as possible throughout the auction to preserve anonymity and avoid exploitation.
The following are some important claim priorities in the auction process, as determined by studies [5][6][7].

3
An anonymous and fair auction system based on blockchain (1) Information about bid transactions should not be managed centrally but transparently and securely. (2) Both the winning bidder's legitimacy and the winning bid's legitimacy can be independently verified. (3) The owner of lots is not permitted to pretend to be a bidder and place bids on its own provided things. (4) When sellers and bidders disagree with a transaction, acceptable and transparent methods to handle the situation. (5) There is an appropriate way to deal with malicious bidders.
Naturally, a well-designed auction system should be extremely effective and practical. Therefore, a public English online auction system should satisfy the following requirements to preserve blockchain properties and security issues.
(1) Data Integrity [5]: The integrity of the data should be verified, ensuring the auction's accuracy.
Systems that comply with the requirements listed are regarded as workable and generally fair. It is crucial to meet these needs and deal with the difficulties to promote the healthy development of the whole auction industry. The majority of the problems with the auction process have been fixed [8,9,11,12], and some progress has been made toward user anonymity. As Lee et al. [6] pointed out, it still falls short of what is needed for online auctions since centralized auctions have several drawbacks, and the centralized method still faces numerous objections. In response to the issues highlighted above, a new architectural design paradigm for online auctions has risen with the emergence of blockchain technology.
People began to pay attention to the distributed ledger technology that underpins Bitcoin after its meteoric rise in popularity in 2008. This distributed ledger system, eventually given the moniker blockchain technology, is decentralized and tamperproof [13]. The blockchain platform conducts transactions using their private and public keys without disclosing their actual identities. In traditional PKC, the public key is used to encrypt the data, and the private key is used to decrypt the data. However, in blockchain, the public key generates a digital signature to verify the transaction, while the private key creates a digital signature that cannot be forged. In the blockchain, the keys are shorter but have the same level of security as before [14,15], with ECC using 160-bit keys while RSA requires 1024-bit keys [16]. A digital signature is an essential concept in blockchain technology, which can guarantee the authenticity and integrity of transaction data [17]. The transmitted data are tamperproof with cryptography, hashing algorithms, and digital signatures. When transaction information is posted to the blockchain, the record can no longer be altered and remains traceable and auditable, even if multiple parties are involved [18]. Adopting blockchain technology can address issues with user privacy, fraud, and fair transactions in online auctions. Numerous academics have researched the use of blockchain in online auctions [5-7, 10, 19-21]. Using blockchain in auctions increases people's trust and enthusiasm for online auctions. However, even if users only use their public and private keys for transactions, it has been demonstrated that privacy breaches may happen in blockchain [22]. Despite the address in the blockchain being pseudonymous, connecting it to the user's true identity is still feasible because numerous users frequently use the same address for transactions. Therefore, the study's focus on online auctions has shifted to how to enhance user anonymity in blockchainbased online auction systems. The blockchain auction system in this work meets the requirements [5,[8][9][10] in addition to having the following features.
(1) The Schnorr digital signature approach makes the auction mechanism more effective. (2) The anonymity of participants is entirely safeguarded by the proposed anonymous auction protocol technique, which is based on ring signatures. (3) Transparency in the transaction process is increased by decentralized blockchain technology. (4) Previous research has often given the settlement of disputes during the auction process little attention, which lessens the activity of the bidders. In this study, we enumerate the disputed situations and propose reasonable solutions to resolve them.

Related works
British, Dutch, and sealed auctions are three popular styles of online bidding. A sealed auction is one in which all bidders bid simultaneously through sealed bids, no one knows what anyone else is bidding, and the bidder with the highest bid wins the lot. A Dutch auction is one in which the auctioneer sets a maximum price and then bidders shout from the high to the low price, with the first bidder to answer winning and paying the price shouted at the time. The most well-known type of auction is the British one. The bids are placed in descending order from low to high, with the final price placed by the highest bidder winning the auction. Researchers have concentrated increasingly on developing sealed online auctions [23][24][25] with blockchain technology in recent years. English auction systems based on blockchain have not received enough research. English auction systems based on blockchain have not received much research. English auctions are the major topic of this essay.
Online auction research has mainly focused on privacy and how to deal with disputes. Before 2008, [8,9,11,12] used various methods to preserve user privacy. Lee et al. [8] assumed that the registered manager and auction manager won't conspire to compromise bidder anonymity. They performed a randomization operation to protect the winner's anonymity during the bidding process. Information transparency and public verifiability are achieved by posting all pertinent information on a bulletin board. Using an elliptic curve cryptosystem, Chen minimized the time bidders must spend waiting for auction certificates to be issued, improved bidder efficiency, and made the auction efficient and simple to execute [9]. Chang et al. [11] protected the bidders' anonymity by employing the deniable authentication technique [26]. However, Jiang et al. [12] pointed out that the anonymous protocol had security flaws, and a malevolent individual might disable the auction phase by forcing bidders and auctioneers to use separate keys. The secure mutual authentication in the protocol between bidders and auctioneers is improved. These studies are all based on the centralized server system. People are still concerned about whether the transaction data will be tampered with and whether the transaction procedure is fair.
After 2008, the emergence of blockchain technology opened up new study paths for online auctions. Scholars have investigated the integration of blockchain into online auctions [5-7, 10, 19-21], with some success. Xiong et al. [10] presented a revocable ring signature-based conditional privacy-preserving auction protocol in which only RM(Registration manager) and AM(Auction manager) work together to expose the actual bidder. Chang et al. [5] presented an auction protocol based on the elliptic curve cryptosystem (ECC) and identified design faults and vulnerability to denial-of-service attacks [10]. This auction protocol does not have a transparent transaction process and depends on a reliable Agent Center. Braghin et al. [19] demonstrated how to construct several auction types based on the Ethereum blockchain while ensuring data integrity, openness, and non-repudiation. The approach, however, lacks transaction privacy and is pseudo-anonymous, as the authors lament. Enkhtaivan et al. [20] presented an anonymous English auction mechanism based on group signatures with trusted hardware and blockchain, where group signatures secure user identities. The trusted hardware environment assures that group administrators do not have additional breaches. Nevertheless, the scheme does not describe how disagreement situations are handled. Lee et al. [6] used smart contracts and reputation algorithms to develop new auction protocols on blockchain networks, but a critical flaw in the plan is that it does not prioritize user privacy. By limiting participant coalitions, Qusa et al. [21] sought to improve the e-auction system of UAE(United Arab Emirates). However, the protocol fell short of anonymity and unlinkability. Huang et al. [7] offered an anonymous bidding protocol that uses R-LRRS ring signatures to ensure anonymity, lowers disagreements through two-way confirmation, and prevents the development of dishonest bids by asking players to pay a deposit. We agree with the author's assertion that the method achieves undeniability, but dispute-freeness is not the same thing as undeniability. How disagreements are resolved is not stated in the proposed scheme, particularly if the vendor is at fault. Therefore, we think that the agreement still has an opportunity for development.
The related studies [5,6,10,[19][20][21]26] have been crucial in advancing the online auction market and guiding it in the expected direction. Table 1 shows the comparison between the existing online English auction schemes.
The summary analysis led to the following three conclusions.
(1) The methods [5,10] are vulnerable to DoS attacks and lack auction transaction transparency since they do not use blockchain technology. (2) Methods [6,18,21] either do not care about user privacy or do not protect transactional privacy when pseudo-anonymous users are involved. (3) The schemes' [7,20] unclear dispute resolution procedures weaken the activity of the auction process.
The remainder sections are described as follows: Sect. 2 focuses on the methods applied in our suggested approach. Our precise plan and the whole procedure are presented in Sect. 3. The pertinent characteristics of this design are examined and discussed in Sect. 4. The computation cost and communication cost are covered in Sect. 5 along with comparisons to other schemes. Finally, we provide a summary in Sect. 6.

Blockchain technology
Decentralization, persistency, anonymity, and auditability are fundamental characteristics of blockchain technology and have the potential to revolutionize established sectors [27,28]. Blockchain technology is predicted to tackle the trust problem in network communication successfully. Mutually misinformed parties perform secure transactions in blockchain applications without a central trust intermediary.
Blockchain is the underlying technology that underpins Bitcoin. It was suggested by Satoshi [29] in 2008 and implemented on Bitcoin in 2009 as a new technique for storing, transmitting, and controlling information. A blockchain [30] is a collection of interconnected blocks that functions as a typical public ledger by maintaining an exhaustive list of transaction data. Due to its distributed nature, blockchain can prevent single points of failure. Because the blockchain is immutable, the records An anonymous and fair auction system based on blockchain This protocol ignored user privacy and did not analyze how disputes were handled Qusa et al. [21] The e-auction system is to be improved by a blockchain-based system forbidding participant partnerships Blockchain, Smart Contracts Confidentiality was ensured via blockchain Neither anonymity nor unlinkability was attained Huang et al. [7] A two-way anonymous bidding protocol using R-LRRS ring signatures R-LRRS ring signature, policy-driven chameleon hash The R-LRRS ring signatures enabled users' anonymity. Reducing the presence of rogue bidders via deposits The program is not entirely free of controversy cannot be changed after the update. Users interact with blockchain apps through the created addresses, and the anonymity based on hash cryptography safeguards user privacy effectively and demonstrates uniqueness. People not trusting each other can be resolved because blockchain records are more authentic and trustworthy than information on traditional networks.

InterPlanetary File System (IPFS)
While online auction systems typically require displaying the photos or videos of lots, storing huge images in the blockchain is challenging. Using IPFS to store information about lots helps enhance the operating efficiency of online auctions.
A peer-to-peer (P2P) storage network, IPFS, is a new storage technology [31]. The IPFS [32,33] is a distributed file system that was created to address the issue of excessive file redundancy. IPFS is a decentralized and shared storage technology that divides files into several pieces stored on each network node, assigning a different hash value to each file. A lot of storage space is saved since there will only be one duplicate of a file with identical information in the system. The fundamental advantage of IPFS is that access may be made possible using content-based rather than location-based addressing. Additionally, multi-node storage significantly lowers the chance of data loss.

The signature scheme proposed by Schnorr
In 1989, Schnorr [34] introduced a discrete logarithm-based signature method, which garnered much attention because of its shorter signature length and quick signature generation. These two features make the signature algorithm highly attractive to application developers. Academics have developed several Schnorr-based signature methods [35,36] to improve Bitcoin's efficiency and user privacy, and the Bitcoin community is contemplating implementing the Schnorr signature algorithm [37]. We should eagerly anticipate the practical implementation of the Schnorr signature algorithm.
The procedure for generating a Schnorr signature includes three steps. Define p and q are large prime numbers, p|q − 1 . Make q ≥ 2 140 and p ≥ 2 512 . g is the element in Z p and g q = 1 mod p ( q is the order of Z p ,g ≠ 1).
(1) Key generation (a) Select a random number x(1 < x < q) as a private key. (b) Calculate the public key y = g x modp.
(2) Generate signature for message m.

AOS (Abe-Ohkubo-Suzuki) ring signature
Blockchain has many potentials, but it also has several difficulties. Studies [22,38] demonstrated that following users' bitcoin transactions can expose personal information about them, and the blockchain cannot wholly ensure transaction privacy [39]. Ring signatures can be a valuable solution to this problem.
Rivest et al. [40] initially introduced a signature technique known as a ring signature algorithm that may conceal the actual signer's identity while granting absolute signer anonymity. Ring signatures do not need an administrator, unlike group signatures, so the situation where the administrator sells the personal information of the actual signer does not arise. Additionally, ring signatures are self-organizing structures that allow the genuine signer to autonomously pick other public keys to create the ring signature. As a result, ring members do not need to join or leave a group in advance. Since ring signatures are more anonymous than group signatures, they are the best option for scenarios where users need to hide their true identities.
The real signer signs the file using its private key and the public keys of the other members in the ring signature generation process after selecting a random set of members (including itself) as potential signers. There are three primary algorithms used in this procedure.
Gen(k) : Enter the security parameters k and Gen(k) generates a public-private key pair y i , x i for each user.
Sign(m) : Select a set of public keys to build the public key set L , L = y 1 , y 2 , … , y s , y s+1 , … , y n . Sign(m) outputs a signature R for the message R with the signer's private key x s .
Verify(m, R) : By confirming that the equations are equal, the Verify(m, R) returns "True" or "False." The signature R is valid if the output is "True," and invalid if it is "False." One-way trapdoor-based public key mechanisms (e.g., RSA) or discrete logarithm puzzle-based public key structures can both make use of the AOS ring signature [41]. The AOS ring signature offers strong operational performance in addition to exceptional anonymity.
Assume that the user U k has a private key x k and public key y k (y k = g x k mod p ).L is the set of n − 1 public keys (including y k ). h( ) is a publicly available hash function.
The user generates an AOS ring signature by following these steps.

3
(2) For ming a positive sequence, choose s i ∈ Z q and calculate The user verifies the ring signature by following these steps. (1) OAP: It serves as an "intermediary" between sellers and bidders by providing a platform for sellers to exhibit auction items and for buyers to bid. The following are the OAP's responsibilities: validating the sellers' and bidders' participation rights before the auction, announcing the winner's public key when the auction end, and punishing malicious bidders after the auction. An anonymous and fair auction system based on blockchain (2) DA: The DA is in charge of resolving complaints throughout the auction process and making fair judgments, making the auction system more fair and controlled. (3) SL: SL is a trustworthy user who is looking to sell precious stuff. Bids cannot be initiated by SL who are not registered. (4) BR: BR is users who have been allowed entry to the auction. Participants who have not registered are unable to bid in the auction.

Online auction procedure
This paper is divided into five phases, which are Initialization Phase, Pre-auction Phase, Auction Phase, Announce winner Phase, and Dispute Resolution Phase. Following SL and BR's submission of the required data to KGC to end the Initialization Phase, Fig. 2 depicts the bidding procedure. Additionally, as online bidding is frequently the topic of contentious circumstances, we will go into more detail on this in Sect. 3.6. Initialization Phase: The user supplies the information required to finish the registration process and receives the public and private keys.
Pre-auction Phase: To continue bidding in the auction, SL and BR must each complete a formal pre-bidding check.
Auction Phase: BR increases the price to enhance his chances of winning the desired products.
Announce Winner Phase: At this point, OAP declares the auction winner. Dispute Resolution Phase: At this phase, SL or BR can express concerns about bid anomalies, and DA will handle the case and announce the results.

System architecture diagram
This plan utilizes blockchain and ring signatures to develop a tamper-proof, supervisable, and traceable online auction system. The application layer, extension layer, protocol layer, and storage layer are the layers that make up the online auction system's layered architecture, as shown in Fig. 3.
(1) Application Layer: Displaying multiple auction situations at the application layer. Through the application interface, users may access information and statistics about auction products and manage appeals for disputes. (2) Extension Layer: In the extension layer, we can enrich the auction system's functions and drive the business to run efficiently through smart contracts. Through smart contracts, which are in charge of defining the specifics of how transactions are made and the process, some predefined rules, and terms can have their implementation automated. Before the auction is executed, the deposit must be paid according to the rules of the Deposit Contract. Once the auction is completed, the deposit can be refunded according to the terms of the Deposit Refund Contract. (3) Protocol Layer: P2P network networking, a digital signature mechanism, and a hash algorithm are integrated at the protocol layer to create a peer-to-peer, secure, and reliable network and communication foundation for the upper layer. (4) Storage Layer: Keep the programs' data files generated and required on the upper layer. The distributed ledger holds information about auction transactions, while the IPFS file system keeps information on how auction products are displayed, including images, audio, and video.

Initialization phase
Any user who wishes to utilize the system must provide the required identification data M 1 to OAP to complete the initialization. OAP then distributes the public and private keys to users. The data flow diagram for the Initialization phase is shown in Fig. 4.
Step 1. SL/BR submits identity information ID SL∕BR and role information Role SL∕BR to OAP. Step 2. OAP generates system parameters (g, p, q) . The relationship between these three parameters is as follows, Then OAP chooses a random parameter x(1 < x < q) as the private key of the applicant. And call the function createAccount ID SL∕BR , y, Role SL∕BR to create user information after calculating the public key y via Eq. (3).
The protocol for creating a new account is given in Algorithm 1. (1)

Pre-auction phase
During this phase, two aspects of work need to be completed. One is that SL requests OAP to initiate an auction, and OAP checks the lot's details SL provided. Figure 5 presents the data flow diagram for the application by SL to start a new auction. Second, BR requests OAP to participate in the auction, and OAP examines the information BR provided on the deposit transaction and credit score. Details are shown in Fig. 6.
The signature function Sig( ) is described in Algorithm 2, and the algorithm verSig( ) for verifying signatures is described in Algorithm 3. The algorithm for SL to create new auctions is described in Algorithm 4. The algorithm for BR to obtain bidding privileges is described in Algorithm 5.
Here are the steps for starting a new auction.
Step 1. After successfully storing lots of information in IPFS, SL receives a hash value HV i . Then, the required credibility values f cre and the deposit requirements f dep for qualified bidders as well as product information HV i are encrypted.
(4) C lot = Enc pre HV i , f cre , f dep , T 1 The encrypted data C lot are then signed using parameters t 1 chosen at random. SL delivers C lot and signature SL 1 , SL 1 to OAP.
Step 2. OAP initially decrypts C lot when it gets SL 1 , SL 1 , C lot from SL.
Then, make sure the timestamp is valid Choose a number t 2 at random, Step 3. After receiving OAP 1 , OAP 1 , C res 1 , SL decrypts C res 1 .
Then confirm the timestamp's validity.
Verify the signature OAP 1 , OAP 1 if the timestamp is valid.

An anonymous and fair auction system based on blockchain
The signature is accepted if Eq. (17) holds. With this AID i , SL could enhance the lots' details by adding more photos or videos to make it more attractive.
The steps for BR to apply for participation in the auction are as follows.
Step 1. When BR transfers a deposit to OAP, a DID i is generated. Then, BR encrypts.
BR chooses the parameters t 3 at random to sign the encrypted data C BR and transmits BR 1 , BR 1 , C BR to OAP.
Step 2. OAP gets BR 1 , BR 1 , C BR and decrypts C BR before validating the timestamp.
After confirming the timestamp is accurate, OAP checks the signature . BR 1 Step 3. BR decrypts the C res 2 and then verifies the validity of the timestamp.
After the verification of Eq. (29), make sure the signature is valid also.
When the patterns in Eq. (31) match, BR saves K ′ i as a participation ticket which will be used in the Auction Phase.
An anonymous and fair auction system based on blockchain

Auction phase
As shown in Fig. 7, BR who have K i for the auction could now bid at higher pricing. The participation qualification of BR is confirmed by OAP. SL is in charge of determining the current highest price by comparing legal offers to the current highest price and making a formal announcement. The public key set can be chosen at will. The bidder has the option of using the same public key set from the previous bid or selecting a new one for signing.
Step 1. BR chooses a price P r and the set L , which L is a randomly chosen collection of public keys. Assuming that the kth in L is the public key of BR, BR creates a ring signature as shown below.
First, choose a random number a and calculate, Then pick a random number S i and calculate, Calculate S k using the private key x k , as a result, the ring forms a closed loop. R = (c 0 , S 0 , S 1 , … , S l−1 ) is used as the ring signature. Encrypt P r , R, L to obtain C 1 , and C 1 , K ′ i to obtain C 2 .
Afterward, select a random integer t 5 to generate the signature BR 2 , BR 2 . Send BR 2 , BR 2 , C 2 to OAP.
Step 2. OAP first decrypts C 2 before confirming the timestamp's validity. (32) c k+1 = h L, P r , g a mod p Finally, choose a random number t 6 to sign M 2 and send OAP 3 , OAP 3 , M 2 to SL.
Step 3. SL verifies the validity of the timestamp and decrypts C 1 .
Then verify the signature OAP 3 , OAP 3 , OAP has approved the transaction, as shown by the validation of Eq. (50) as passed. SL then verifies the ring signature R ′ . If Eq. (53) holds, R is legal. Then call the function calMaxPrice P ′ r , R ′ , and compare P ′ r with CurWinInfo.price to get the current winner information. Algorithm 6 shows the generation of the transaction ring signature, and Algorithm 7 shows the verification process of the transaction ring signature. Algorithm 8 allows for calculating the current winner.

3
An anonymous and fair auction system based on blockchain

Announce winner phase
Following the Auction Phase, OAP publishes the winner's public key based on auction data, as shown in Fig. 8.
Step 1. OAP first verifies the auction deadline to ensure T now > T start and T now > T stop . Then compute C ′ and B win .
Next, run a query to the ledger and contrast B win with the record B ij there. Identify the final winning public key Y by getting the B ij one that fulfills Eq. (56).
Then, OAP chooses a random number t 7 to sign the information M 3 before sending it to SL and BR.
(54) C � = Enc pro 1 P r win , R win , L win Step 2. SL and BR receive M 3 and verify the validity of the timestamp first.
If the timestamp is valid, then verify the signature OAP 4 , OAP 4 .
The eventual winner is assured to be Y if Eq. (62) holds. Based on the details of the winning auction, Algorithm 9 demonstrates how OAP discovers the winner's public key.

Dispute resolution phase
There are many different forms of disagreements, but they may typically be split into two groups. The first is a disagreement application made by the buyer, while the (59) second is a dispute application initiated by the seller. We go into great depth about this through Dispute Scenario 1 and Dispute Scenario 2. Dispute Scenario 1. When an auction cannot be finished because of a malicious winner who fails to make the final payment within the time given. Now that the seller knows about the buyer's deposit payment DID i and the winning bid's signature R , they may utilize AID i , DID i , R to ask the DA for arbitration. The dispute resolution protocol for SL as an applicant is shown in Fig. 9. Details of the process are as follows.
Step 1. SL transfers AID i , DID i , R to the DA for arbitration.
Step 2. After receiving the application, the DA will first confirm the applicant as the seller of AID i .
If not, the application is invalid. Then, the DA confirms the winner's ring signature R via AID i and DID i . Next, check to see if the R provided by SL is consistent R win . If R = R win , it means that the ring signature R is valid and SL's application is legitimate. Finally, DA informs the actual signer y win that the balance payment is necessary.
Step 3. If there are no objections, the final payment is made to SL, and the final payment record BID i is sent to OAP after y win getting the notice. Alternatively, if the winner has already made the final payment, he should give OAP the final payment record BID i immediately. Step 4. Based on the payment record BID i that BR provided, DA examines whether the final payment has been made. If it does, the dispute is settled and the request for arbitration is approved. If not, DA informs OAP that BR of y win has broken the regulations.
OAP can penalize BR based on the results of the DA review and the behavior of y win . By using Eqs. (63) and (64), respectively, the OAP has the effect of reducing the user's credit and preventing BR from using the system going forward.
Dispute Scenario 2. When the winning bidder requests a refund from SL after not receiving the promised auction. Alternatively, BR may request a refund if they get an auction item and discover that it does not match the merchant's description. The buyer can apply to the DA for arbitration by submitting to the DA the auction ID ( AID i ), the record of the final payment ( BID i ), the ring signature(R ) of the bidding transaction, the description of the lots ( HV i ), and the results of the third-party appraisal ( FID i ). Figure 10 illustrates the dispute-handling process of BR as the claimant. The detailed process is as follows.
Step 1. Applicant submits AID i , BID i , R, HV i , FID i to DA.
Step 2. DA first confirms the winner's public key y win and the winner's ring signature R win for auction AID i . Then determine if the applicant is the winner, if not then the BR application is invalid. If yes, confirm whether the final payment BID i is part of the auction AID i and is paid by the applicant. If the applicant is the winner, DA compares the results of the third-party appraisal ( FID i ) with the description of the product ( HV i ) to determine whether SL is required to return the money. If SL needs to refund money to the applicant, notify SL, otherwise, the dispute is over.
Step 3. If SL agrees to the refund request, it provides the refund, the dispute processing is completed, and the application for arbitration is successful. If SL disagrees, SL needs to provide supporting documents FID i (such as logistics records, and a certificate from a third party) to DA.
Step 4. The DA takes additional review based on the supporting papers it has received. There are three chances for SL to present its arguments. If SL refuses to consent to a refund after being asked more than three times, the DA will alert the OAP that SL is breaking the rules. OAP punishes SL for following the results of DA's review and SL's behavior, as illustrated in Eqs. (63) and (64).

Analysis
An auction system that balances many factors is regarded as appropriate and efficient. Our solution's security performance is based on ring signatures and blockchain technology.

Data integrity
A distributed ledger records the trade data created throughout the bidding process. Every user could notice the changes to the data since the data on the chain are open and transparent. The correctness and dependability of the data are guaranteed by the cryptographic operation and signature, respectively. The recipient can quickly spot it during the verification phase if a hostile party alters the data during transmission. Let us take the Auction Phase as an example. When BR engages in the auction, he first encrypts the data to be sent in constructing an encrypted message C 2 . The signature BR 2 , BR 2 is then created using its own private key x . Equations (65), and (66) are used by OAP to check the validity

Unforgeability
Firstly, there is very little chance that attacker A will successfully fake a signature. Assume that the probability of attacker A successfully forging a signature is P a . When attacker A generates a signature by pretending to be an actual signer, this signature must pass verification to be accepted. Equation (68) demonstrates that attacker A may successfully forge a signature that can be validated if he predicts the value t.
Due to t ∈ (1, 2, … , q) , we may draw that P a = 1∕q . And because of q ≥ 2 140 , the chance that attacker A successfully forges a signature by speculating the value t is P a ≤ 1∕2 140 . For a message to be acknowledged during the auction, it must be signed with a private key x by the sender and validated by a third party. We take the Auction Phase as an example.
Attacker A, who pretends to be BR to participate in the auction, is only able to produce the signature A , A using his private key x A as the probability is ≤ 1∕2 140 that he gets the real signer's private key. Furthermore, OAP validates the signature with Eqs. (69), and (70) when the message is received.
A faked signature cannot be confirmed since it cannot be matched using Eq. (70), which shows that the signature is invalid.
Therefore, attacker A cannot participate in the auction by forging a signature.
An anonymous and fair auction system based on blockchain

Non-repudiation
Using the Schnorr digital signature, this approach ensures non-repudiation of the sender's identity. There is a negligible possibility ( ≤ 1∕2 140 ) that the real signer's private key is being revealed, according to the proof of Sect. 4.2. Table 2 shows the signature and verification signature for each stage based on this. Every step of the data transmission process has to be signed with the sender's private key and verified by the recipient using the sender's public key. As a result, when the verification equations are true, the signature is genuine and the signer cannot deny it.

Traceability
By storing all transaction data on the blockchain, this system ensures that the data are secure and that the transaction data can be tracked. During the Auction Phase, each incremental bid needs to be approved by the OAP. For the legitimate bid information C ′ 1 (containing bid price P r , ring signature R , and public key set L ) and the bidder's public key y k , OAP computes a hash value and stores it in the ledger.
At the end of the bidding, OAP calculates the B win by Eqs. (72) and (73). The winner y m is then determined by comparing the records B ij that are equal B win , as illustrated in (74).  Thus, we can track the winning bidder once the auction is closed.

Verifiability
Each bid transaction P r , R, L will be recorded in the blockchain ledger, and when the ledger is updated, everyone will be aware of the update. In the bidding process, after the data P r , R, L are uploaded, other people can easily verify the validity of R and know the specifics P r by using Eqs. (51), (52), and (53). When the auction ends, the OAP will announce the final winner's public key, and the other participants can verify whether L is contained y win by comparing it with the public key y i in L .
In addition, others can calculate the winner's information B win and compare it with previous records in the ledger to see if the winner is legitimate. If B win is not questioned, then y win is not the declared winner, meaning that the winner is invalid.
Thus, it is said that in our program, anyone can verify the auction results.

Easy revocation
Unlike the method [5], their approach is vulnerable to attacks and cannot appropriately cancel the user's rights in their system. Our scheme makes it easy to manage the rights of the user in the system. Depending on the seriousness of the malicious person's violation, OAP may apply sanctions such as a decrease in credit level or a ban on the malicious person's ongoing use of the system. Also, the bidding transactions initiated by violators will be deemed invalid. Scenario: The user U c is the winner of an auction, but is late in paying the final payment to SL.
Following the SL appeal, the DA decides that the consumer must make the final payment on time. However, after receiving the judgment, the U c still refused to pay the final payment without legitimate reason, and the OAP confirmed that U c seriously damaged the interests of the SL.
An anonymous and fair auction system based on blockchain Analysis: Because of the severity of the violation, the OAP will penalize the user by reducing their credit level and disabling to use of the system. First, the OAP reduces the user's credit score.
Second, OAP revokes the bid and restricts U c from continuing to use the system.
Even if U c reapplies for a new account after being deactivated, he or she cannot register for a new account to utilize the auction system since his or her ID already exists in the registration list.

Anonymity
First, users use the system using a pseudonym (public key Y ), which protects their privacy to a certain extent. Second, the use of ring signatures in this scheme improves the privacy of the bidders. The public key of the real bidder is hidden in a set of public keys L. Except for OAP, the odds that a participant guesses the probability of the real bidder's public key Y BR is 1∕l ( l is the number of public keys in the public key set L). The malicious person can only determine that the bidder's public key is in the set L, but cannot determine which one is the actual sender. By preventing a hostile party from tracing the transaction details of a fixed public key address, they are unable to determine which auction products the public key holder has bid on and what his preferences are. This maximizes the bidder's online privacy. Last but not least, the identity of the public key holder cannot be revealed by anybody other than the OAP, and it will not be.
Therefore, the user is anonymous and the user's privacy is guaranteed.

Dispute-freeness
Our solution is uncontested, which is crucial for online auctions. First, in our approach, information regarding the most recent auction status is distributed synchronously and consistently to all participants. Second, because of the features of blockchain, the bidding process is transparent and traceable, enabling the general public to monitor the transaction process. Finally, to protect legitimate user rights and interests, we address the conflicts arising from the bidding process through a reasonable dispute management procedure. Based on the available data, the conflict resolution outcomes are just and uncontroversial. DoS attacks would prevent regular users from accessing services by using system resources and network bandwidth or by exploiting flaws in the system to paralyze regular services in regular systems. The decentralized nature of the blockchain allows the blockchain to continue to operate and verify transactions even if one node fails and the other nodes are unaffected. The whole system can continue to operate normally. When the failed nodes resume work, they resynchronize and catch up with the latest data provided by the unaffected nodes. We use a distributed ledger to store data rather than a central server. This decentralized nature makes the cost of an attack enormous, making it difficult for a potential attacker to execute an attack operation.

(B) Sybil Attacks[42]
A Sybil attack is an effort to acquire network control, refuse replies, and interfere with requests by disguising a node as numerous nodes and broadcasting these multiple disguised nodes (Sybil nodes) to the whole P2P network. Implementing the witch attack is to spoof the network ID. Malicious bidders may tamper with the bidding process to increase their profit by creating various identities to participate in the auction. A user identity access mechanism is used in our scheme, and each joining node needs to register an account with OAP by providing an identity ID to use the system. When OAP distributes a public-private key for a new user, it first checks whether the identity ID submitted by the user already exists in the system and does not distribute a new public-private key for it if it does. In other words, an ID can only apply for a seller's public key y seller as "seller" or a buyer's public key y bidder as "bidder." Consequently, a malicious individual cannot create various identities to pose as different users to engage in the auction. Furthermore, in the blockchain context, nodes must execute a large number of calculations to confirm their authenticity, making Sybil attacks prohibitively expensive and useless. As a result, our case is immune to Sybil's assaults.

(C) Replay Attacks
When a replay attack is launched, a legal data transfer will be continually and maliciously repeated to the receiver. We prevent replay attacks by adding timestamps T i at each stage in combination with signatures. (The purpose of signatures is to prevent session hijacking and timestamps from being modified.) The receiver confirms the validity of the timestamp and verifies the signature upon receipt of the message. Taking the Auction Phase as an example, when BR needs to transmit data to OAP, it adds a timestamp T 9 to the encrypted message.
When the OAP receives the message, it verifies that the timestamp is valid by Eq. (80).
If Eq. (80) does not hold, it means that the timestamp is invalid and a replay attack will be identified as occurring. Suppose a replay attack is launched by a malicious person A. The A hijacks C 2 and modifies the timestamp T 9 to T 9−1 . When A sends the same message C 1 , K i to OAP, OAP will first check the validity of the timestamp T 9−1 . The timestamp is deemed incorrect and a replay attack takes place if the difference between the current time and T 9−1 does not meet the requirement.

Computation cost
At each stage, participants are required to sign the transmitted data and encrypt and decrypt them by using symmetric encryption and decryption algorithms. These computational costs are shown in Table 3, in which we compare the effective computational overhead at each stage.
(79) Table 3 Calculate the computation cost at each phase

Role
Role A Role B Role C

Phase
Pre-auction phase Sellers Online auction system 2T asc + 2T h + T add +

Announce winner phase
Sellers/bidders Online auction system T h + T sub + T mul + 2T exp T asc + (l + 1)T h + T add + T mul + T exp Table 4 provides an analysis of the system's communication effectiveness. We will analyze the communication costs under 3G, 4G, and 5G individually due to the various communication settings. The top 3G, 4G, and 5G transmission speeds are 6 Mbps, 100 Mbps, and 20 Gbps, respectively. In our scheme, the Auction Phase is where users interact with the system most frequently, and the communication cost is something we should consider, for instance. When BR submits a price, the data C 1 to be transferred (including bid price P r , ring signature R , and public key set L ) are [128 + (160 + 160 * l) + 512 * l] = 288 + 672 * l bits. The data C 2 to be transferred (including data C 1 , participation credentials K i , and timestamps T 9 ) are [(288 + 672 * l) + 128 + 80] = 672 * l + 496 bits. In the process of transferring data from BR to OAP, the transferred data consist of data C 2 and a signature ( , ) , and the data size is [(672 * l + 496) + 212] = (672 * l + 708) bits. When OAP transferred data to SL, the transferred data consist of data C 1 , a timestamp T 11 , and a signature ( , ) . The data size is [(288 + 672 * l) + 80 + 212] = (672 * l + 580) bits.

Communication cost
Thus, the total transferred data size is (1344 * l + 1288) bits. It can be seen that in a 3G environment, the process takes time (224 * l + 214.67) us. It needs (13.44 * l + 12.88) us in a 4G environment and (0.068 * l + 0.065) us in a 5G environment. Assuming that the bidder selects 20 public keys (including its public key) to form a ring signature, the total size of the data transferred in this process is 28296 bits. In a 3G environment, the time consumption is 4716 us, in a 4G environment the time consumption is 282.96 us, while in a 5G environment, it only takes 1.431 us.

Performance analysis
In this section, we perform an experimental evaluation of the proposed scheme. Caliper [43] is a blockchain performance testing framework that supports multiple blockchain platforms such as Hyperledger Fabric, Ethereum, and FISCO BCOS. We deployed the test scenario on a server with an 11th Gen Intel(R) Core (TM) i5-11400F @ 2.60 GHz 2.59 GHz CPU and 2 GB RAM. We are using Fabric Docker Image version 2.2.0 and Go version 1.13.12. The physical machine OS (Operating System) is Ubuntu 18.04.6 LTS. We take two smart contracts from the Auction Phase for analysis and use throughput and transaction latency as the main performance metrics for benchmarking. The performance of blockchain applications is affected by many complex or unstable factors and is usually evaluated in terms of both throughput and latency. Fig. 11 The throughput at different transaction volumes Fig. 12 The avg latency at different transaction volumes Throughput, expressed in TPS (Transaction Per Second), is the rate at which transactions are added to the ledger. It is a crucial indicator of the system's processing power. Latency is the amount of time between when an application sends a transaction proposal and when the transaction is committed to the ledger. This is the first thing that users care about when using blockchain applications. We examine the data in our test scenario with the max latency. Figure 11 shows how throughput changes as the number of transactions increases when the block size and sending rate are fixed. As you can see from the histogram, the TPS has been between 20 and 30 during the test, and it is steadily and slowly increasing. For the contract "SubmitBidPrice," the TPS has a minimum value of 21.41 when the transaction volume is set to 50 and reaches a maximum of 26.83 when the transaction volume is set to 500. For the contract "UpdateWinnerInfo," the TPS has a minimum value of 21.27 when the volume is set to 50 and reaches a maximum of 28.74 when the volume is set to 500. In addition, Fig. 12 shows how the avg latency varies as the number of transactions increases. As a whole, the latency varies between 0.06 and 0.17 s as the number of transactions increases, with an overall upward trend. When the transaction volume is set to 500, the max latency of "SubmitBidPrice" and "UpdateWinnerInfo" peaks at 0.13 s and 0.17 s, respectively.
Combining the data in Figs. 11 and 12 and the current usage of blockchain applications, the system performance is passable. However, we should also realize that we can start from several aspects to improve the system's performance. Among them, the mode of multi-chain parallel computing can significantly improve the TPS of the blockchain system, and this is also the direction of our future research.

Compare with other schemes
Popular systems (such as [6,19,21]) lack transactional privacy and pay insufficient attention to user privacy, as discussed in Sect. 1.2. In our solution, we protect the  [7,20]) lack a clear dispute management scheme. To address this shortcoming and strengthen the auction agreement, we propose a workable dispute-handling technique. Furthermore, our scheme uses decentralized blockchain technology to make the auction process transparent, as a lack of transparency in the transaction process (e.g., [5,10]) might undermine the trust of bidders. In Table 5, we contrast our subject with various previous auction cases.

Conclusions
Online auctions have a promising future and are important to the global economy. A fair online auction environment can enhance people's trust in online auctions and increase their participation. In this paper, we propose an anonymous English bidding protocol based on blockchain and ring signatures, detailing how to improve the privacy of online auctions. We demonstrate different stages of data integrity, unforgeability, and non-reputation and illustrate why our protocol resists DoS attacks, replay attacks, and Sybil attacks. Through scenario analysis, the protocol's traceability and ease of revocation are shown, along with how it promotes anonymity and dispute freeness. We also discuss the computation cost at different stages and the communication cost in different network environments, which are reasonable and acceptable. The contribution of our scheme is as follows.
(1) A decentralized online auction system is built using blockchain technology, which provides a secure and transparent online bidding environment, ensuring the transparency of the auction transaction process and that the transaction process is supervisable. (2) In terms of users' privacy, the proposed ring signature-based anonymous auction protocol enhances user anonymity and ensures user privacy during the transaction, so that users do not have to worry about behavioral data being used by those with an interest. (3) In terms of disputes, unlike most of the previous research proposals that did not clarify how these disputes would be handled, we propose a clear disputehandling scheme. When interests are compromised, both the grantor and the bidder can obtain a fair result through arbitration.

3
Enc phase ()/Dec phase () Symmetric encryption and decryption functions in each phase.

Data availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflict of interest
The authors declare no conflict of interest.
Ethical approval This study is only based on theoretical basic research. It is not involving humans.

Informed consent
This study is only based on theoretical basic research. It is not involving humans.