Credible, Truthful, and Bounded-Round Mechanisms via Cryptographic Commitments

04/03/2020 ∙ by Matheus V. X. Ferreira, et al. ∙ Princeton University 0

We consider the sale of a single item to multiple buyers by a revenue-maximizing seller. Recent work of Akbarpour and Li formalizes credibility as an auction desideratum, and prove that the only optimal, credible, strategyproof auction is the ascending price auction (Akbarpour and Li, 2019). In contrast, when buyers' valuations are MHR, we show that the mild additional assumption of a cryptographically secure commitment scheme suffices for a simple two-round auction which is optimal, credible, and strategyproof. We extend our analysis to the case when buyer valuations are α-strongly regular for any α > 0, up to arbitrary ε in credibility. Interestingly, we also prove that this construction cannot be extended to regular distributions, nor can the ε be removed with multiple bidders.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

We consider a revenue-maximizing auctioneer with a single item to sell to multiple bidders. Starting from Myerson’s seminal work, it is traditionally assumed that the seller can commit to an auction format but that buyers must be incentivized to report their true values. Several recent works have moved beyond this assumption in repeated auctions, for example, where sellers can commit to a particular auction today, but not to their behavior tomorrow (e.g.,  (devanur2014perfect; immorlica2017repeated; liu2019auctions)). Even more recent work of Akbarpour and Li proposes a framework also for one-shot auctions (akbarpour2019credible). Our paper fits within this later framework.

Specifically, each buyer has value for the item, which is drawn independently from a distribution , and the seller knows these distributions but not the precise values. As in (myerson1981optimal), we seek auctions which are incentive compatible, and optimal among all incentive compatible auctions. (akbarpour2019credible) introduces a new desideratum, credibility. Informally, an auction is credible if the auctioneer themselves is incentivized to execute the auction in earnest, even when permitted to cheat in ways that are undetectable to the bidders (see Section 2 for a formal definition in single-item auctions).

Akbarpour and Li prove a comprehensive trilemma for single-item auctions: Myerson’s auction is the unique truthful, one-round, revenue-maximizing auction, but it is not credible. Moreover, the ascending-price auction is the unique truthful, revenue-maximizing, credible auction, but it requires an unbounded number of rounds. Finally, the first-price auction is the unique revenue-maximizing, credible, one-round auction, but it is not truthful.

Classical auction theory might take truthfulness as a first-order concern, and view the tradeoff between bounded-round and credibility as a second-order concern. But as more and more auctions are run online, credibility is not just a “bonus feature”, but a serious consideration. Specifically, reserve price-setting in ad auctions is often opaque, and a desire for transparency in execution has led major ad exchanges to switch from truthful second-price auctions to non-truthful (but credible) first-price auctions (klemperer2002really; sluis2019). At the same time, these auctions are executed in milliseconds and must conclude before a search browser loads, so bounding the number of rounds is now a first-order concern as well.

In this context, the trilemma of (akbarpour2019credible) may feel like a negative result: it is impossible to achieve all three first-order desiderata at once. Our main result circumvents their trilemma and provides a truthful, revenue-maximizing, credible, two-round auction, under the assumption of basic cryptographic primitives. That is, viewed through the framework of (akbarpour2019credible) verbatim, our auctions are not credible (see Section 4 for an example). But, provably, no auctioneer can find a profitable deviation without breaking standard cryptographic assumptions.

Interestingly, our construction is not a magic bullet with a trivial proof — we must still carefully reason about the incentives of the auctioneer within our framework. Informally, our main results are (all under the assumption of a cryptographically secure commitment scheme, see Section 2 for formal assumption, and also for formal definitions of distribution classes):

  • When all are MHR, there is a truthful, revenue-maximizing, credible, two-round auction (Theorem 4.3).

  • When all are -strongly regular for any , there is a truthful, revenue-maximizing, -credible, two-round auction (Theorem 4.4).

  • When there is a single bidder whose distribution is -strongly regular for any , there is a truthful, revenue-maximizing, credible, two-round auction (Proposition 4.5).

  • This auction is not necessarily credible when there is a single buyer from a regular distribution, so extensions to regular distributions are not possible (Theorem 4.6).

  • For any , this auction is not necessarily credible when all are -strongly regular, so the is necessary in bullet two (Theorem 4.7).

1.1. Brief Technical Overview

Our auctions are still fairly simple and require only the basic cryptographic primitive of commitment schemes. Informally, a commitment scheme allows a sender to send a commitment to a bid , such that any user who sees only learns absolutely nothing about . Moreover, the sender can later reveal , in a way that proves they committed to in the first place (assuming the sender is computationally bounded). So our skeleton is simply to (a) ask each bidder to commit to their bid, (b) forward these commitments to all other bidders, (c) ask each bidder to reveal, (d) forward these revealed bids to all other bidders. We formalize this strawman auction in Section 3.

The outlook for this strawman auction initially looks promising: it is truthful, revenue-optimal, and two-round. Like in the auctions considered in (akbarpour2019credible), the primary way in which the auctioneer can deviate is by submitting fake bids. It is not too hard to argue that if the auctioneer must reveal all committed bids, then there is no way the auctioneer can deviate from being honest in a way that is both undetectable and profitable. However, the auction must have a well-defined execution even if some bids are concealed (that is, the committed bid is never revealed). Should the auction simply stall? If so, it is undoubtedly in the auctioneer’s interest to reveal all bids. Still, this auction is extremely not robust to latency, or an adversarial attack (simply commit a bid and disappear). Perhaps the auction should reboot? This also seems undesirable, as now the auctioneer has learned some private information.

A natural suggestion (implemented in the strawman auction) is instead to replace all missing bids with . This change, however, now gives the auctioneer a new class of potential deviations: they can commit to many different fake bids and reveal them selectively based on the true bids. It is not hard to see that this auction is not credible.

We propose a straightforward modification, which is to fine any bidder who commits but does not reveal, and pay this fine to the winning bidder. Now, the auctioneer faces a tradeoff: they can still commit to as many fake bids as they like, and they can still selectively reveal them. But for every bid they choose to conceal, they pay a fine. The entire technical portion of this paper is understanding when a sufficiently large fine exists to disincentivize the auctioneer from cheating in this particular way, and how large this fine must be. The bullet points above summarize our findings: such fines exist when all distributions are MHR, and (almost) exist when all distributions are -strongly regular, but do not necessarily exist even with one buyer from a regular distribution.

1.2. Related Work

We have already overviewed the most related work above: we work in the model proposed by (akbarpour2019credible), additionally with cryptographic primitives. There is a substantial literature generally on secure multi-party computation since Yao’s millionaire problem (yao1982protocols) (see chapter 7 of (goldreich2009foundations) for a survey on the topic), most of which is unrelated to our paper.

The easiest distinction between (most of) these works and ours is that they are not Sybil-proof. Specifically, there is some trusted setup where every participant has an identity. Results such as (nurmi1993cryptographic) replace commitments with strong public-key infrastructure in our strawman proposal. Specifically, such protocols assume that a majority of participants are honestly following the protocol. In online auctions, there is no hope of preventing the auctioneer from creating thousands of fake bidders if it will (undetectably) increase their revenue (so while a majority of “real participants” may be honest, the “digital participants” are nearly-unanimously not following the protocol). A second distinction is that these protocols are often extremely complex, and certainly do not terminate in two rounds. Indeed, a central challenge for modern research in multi-party computation is developing practically reasonable protocols.

Our work is not the first to propose the use of fines to disincentivize participants from aborting a protocol (bradford2008protocol; bentov2014use), as there are known impossibility results (without monetary incentives) when participants can abort (cleve1986limits).

1.3. Roadmap

Section 2 formalizes our problem of study, including cryptographic primitives. Section 3 analyzes the strawman auction as a warmup. Section 4 proposes our auction, proves some basic facts, and states our main results. Sections 5 through 7 prove our main results. All technical sections present intuition, along with proofs (although some technical lemmas are deferred to the appendix).

2. Preliminaries

We first overview formalities with regards to auctions. Our model and definitions are identical to (akbarpour2019credible), but repeated for clarity and completeness.

2.1. Auctions

There is a single seller with a single indivisible item and bidders. Each bidder has a private value for the item, which is drawn from a distribution . We let , and use to denote the expected revenue of the optimal auction when buyers are drawn from .

Communication and rounds. The seller communicates with each bidder using a private channel (and this is the only communication — the bidders do not communicate with each other). In every round, the following occurs: (a) each bidder chooses a message to send to the auctioneer, (b) the auctioneer processes all received messages, (c) the auctioneer chooses a (personalized) message to send to each bidder. At any point, the auctioneer may terminate and select a winner of the item (potentially no one), and charge prices. Importantly, each bidder communicates only with the auctioneer, and learns only whether or not they win the item and how much they pay upon termination (if they lose, they do not learn who wins, nor how much the winner pays). We also assume there is a default message , which is sent if the bidder stays silent during a round.

Game. Observe that the communication model induces an extended form game among the bidders and the auctioneer. Like (akbarpour2019credible)

, we are interested in the case where the auctioneer commits publicly to a strategy which terminates in finite rounds with probability

. This induces an extended form game among the bidders. We’ll refer to this game as the auction, and repeat the following definitions:

Definition 2.0 (Strategyproof/Ex-Post Nash/Individually Rational).

An auction is strategyproof if for all there exists a mapping from values to strategies, and additionally for all and all , is a best response of bidder to . That is, for all , if buyers’ valuations are , then forms an ex-post Nash.111In other words, an auction need not be direct-revelation in order to be strategyproof, but there must exist a strategy () which bidder can use which is akin to “reporting .”

In this paper, we will only consider auctions for which there is a unique that always form an ex-post Nash, and refer to these strategies as “telling the truth.”

An auction is individually rational if telling the truth guarantees non-negative expected utility.

Definition 2.0 (Safe Deviation).

A safe deviation for the auctioneer in the communication game is a strategy which does not necessarily implement the promised auction, but for every bidder , their personal communication with the auctioneer and resulting allocation/price is consistent with some .

Definition 2.0 (Credible).

An auction is credible if, in expectation over , and conditioned on buyers being truthful, executing the auction in earnest maximizes expected revenue over all safe deviations.

Example 2.0 (Second-Price Auction).

(akbarpour2019credible) establishes that the second-price auction is not credible. Consider when and . An earnest execution of the second-price auction would give the item to bidder and charge . However, the auctioneer could instead give bidder the item and charge — this is a safe deviation because it is consistent with buyer bidding .

2.2. Computational Assumptions and Basic Cryptography

The only difference between our model and that of (akbarpour2019credible) is that we consider computationally-bounded participants and the existence of basic cryptographic primitives.

Commitment Scheme. A commitment scheme is a function which takes as input a message

, a one-time pad

, and outputs a commitment . Informally, a scheme is computationally binding if a computationally-bounded seller cannot find an and such that . A scheme is perfectly hiding if the distribution of commitments produced on message when is uniformly random is independent of (and therefore, even a computationally unbounded receiver learns nothing about ).

Assumption 2.1 ().

There exists a cryptographic commitment scheme satisfying:

  • (Efficiency) The function can be implemented in time .

  • (Computationally Binding) For any algorithm which takes as input a length , terminates in expected time , and outputs with , breaks commitment w.p. . Formally: .

  • (Perfectly Hiding) The distributions of and , when and are uniformly random, are identical distributions for all and .

  • (Non-malleable) Formal definitions of non-malleability are quite involved and require multiple pages to formally state (dolev2003nonmalleable; fischlin2000efficient). Informally, non-malleability guarantees that any commitment to a message of size that a computationally-bounded adversary could produce, upon receiving commitments , could also be produced without

There are indeed commitment schemes which are believed to satisfy Assumption 2.1, such as the Pedersen scheme with digital signatures.222Briefly, the Pedersen scheme requires a group of prime order under which the discrete logarithm is (believed to be) hard, with generator . Every potential receiver of a message raises to a random power to get another generator , and publicly announces . Then . Observe that for all and all , there exists a unique such that (so the scheme is perfectly hiding). But if a sender were able to break their commitment, this would explicitly learn , so it is also computationally binding. As stated, the scheme is malleable: an adversary could see and multiply it by to now get . The scheme can be made non-malleable by first using any non-malleable digital signature scheme. Note that to use exactly the Pedersen commitment scheme (with digital signatures), every bidder would need to share their own in order to receive binding commitments (and a public key), which can be done in one additional preprocessing round, and this preprocessing round could be done once and reused across indefinitely-many auctions. Note that the particular choice of a perfectly hiding (versus computationally hiding) scheme is not crucial for the spirit of our results. However, it does allow significantly cleaner theorem statements. Similarly, our main positive result (Theorem 4.3) doesn’t require non-malleability, although it does make proofs cleaner (our main extension, Theorem 4.4 necessarily requires non-malleability). Informally, Assumption 2.1 implies that unless the auctioneer is relying on events which occur with probability at most , or is computationally unbounded, the auctioneer cannot perform an unreasonable deviation, defined below.

Definition 2.0 (Reasonable Deviation).

Say that a commitment is explicitly tied to if the participant (bidder or auctioneer) who sent explicitly computed . A reasonable deviation for the auctioneer in the communication game is a strategy such that whenever the auctioneer reveals a commitment to , with , was explicitly tied to .

Observe that one kind of unreasonable deviation would violate computational binding: the auctioneer might compute , but later reveal that (unreasonable because is explicitly tied to , not ). Another kind would violate non-malleability: the auctioneer might receive commitments and send without knowing (unreasonable because is not explicitly tied to anything).

Definition 2.0 (Computationally Credible).

An auction is computationally credible if, in expectation over , and buyers being truthful, the auctioneer maximizes their expected revenue, over all deviations which are both safe and reasonable, by executing the auction in earnest.

An auction is computationally -credible if executing the auction in earnest yields a -fraction of the expected revenue of any safe, reasonable deviation.

Our main results will design auctions that are computationally credible (Theorem 4.3). One of our extensions will design an auction which is computationally -credible (Theorem 4.4), and some of our lower bounds rule out -credible mechanisms for arbitrarily close to one (Theorem 4.6).

Intuitively, what is convenient about perfect (versus computational) hiding, is that we get for free that the auctioneer learns nothing about bidders’ commitments until they are revealed (with imperfect hiding, we only know that they learn very little, and perhaps this little bit of information could help them achieve a little bit more revenue). What is convenient about computational binding is that there is a discrete undesirable event (that anyone finds an such that ), which occurs or doesn’t occur. We can therefore cleanly separate executions where this event occurs (and separately observe that this event occurs with extremely low probability, due to computational binding and non-malleability), and those where they don’t (and confirm that the auctioneer is exactly best-responding subject to this event not occurring).

2.3. Virtual Values

For a continuous single-dimensional distribution with CDF and PDF , the virtual value of is . We also use the hazard rate of . We drop the superscript if it is clear from context, and will use subscripts of instead of superscripts of (e.g. ). Note that virtual values and hazard rates are well-defined for discrete distributions as well, and satisfy all the same properties as virtual values for continuous distributions (see, e.g., (cai2019duality)).333For a discrete distribution, the hazard rate is , and the virtual value is still . For ease of exposition, we provide our examples and analysis on continuous distributions, which carries over verbatim to discrete distributions due to explicit limiting arguments provided in (cai2019duality, Section 4). Seminal work of Myerson asserts that the expected revenue of any strategyproof mechanism is its expected virtual welfare.

Theorem 2.7 ((myerson1981optimal)).

Let a strategy proof mechanism award bidder the item with probability on bids , and charge them . Then:

Finally, we conclude with a definition of classes of distributions which are relevant for our results.

Definition 2.0 (Regular, MHR, -Strongly Regular).

A distribution is -strongly regular if for all , . A distribution is regular if it is -strongly regular, and monotone hazard rate (MHR) if it is -strongly regular.

3. Strawman Computationally Credible Auctions

We propose a simple modification to any direct revelation mechanism, which turns these one-round mechanisms into two-round mechanisms. In round one, the buyer’s communication is simply a commitment to a bid. The auctioneer’s communication is to forward these commitments to all bidders. In round two, the buyer’s communication is to decommit (reveal their bid to the auctioneer). The auctioneer’s communication is to forward all (decommitted) bids to the buyers. We use the terminology reveal when a message such that is sent, and conceal when some other pair is sent instead.

Definition 3.0 (Strawman Auction).

Let be a commitment scheme satisfying Assumption 2.1. For a given direct revelation mechanism, with allocation rule and payment rule , is the following auction:


  • Each bidder picks a bid, , draws uniformly at random, and sends .

  • The auctioneer sends each commitment to all buyers.


  • Each bidder sends to the auctioneer.

  • The auctioneer forwards each to all buyers.


  • Let denote the set of bidders for which , and let . Allocate and charge payments according to .

In particular, observe that the auction’s behavior must be well-defined even when not all commitments are revealed. We quickly observe that the Strawman Auction preserves incentive compatibility:

Observation 3.1 ().

Let be a strategyproof, individually rational, direct revelation mechanism. Then is also strategyproof and individually rational. In particular, it is an ex-post Nash for each bidder to set , and to reveal in round two.


Because is individually rational, no bidder can benefit by replacing their bid with by concealing in round two. Given that bidder will reveal, and that all other bidders will also reveal,444Note that this is necessary: it is not a dominant strategy to be honest. Bidder could use a weird strategy “Commit to . If I am sent a commitment of , then conceal. Otherwise, reveal.” If bidder uses this strategy (and you are the only other bidder), it is a better response to just send and reveal, rather than being honest. it is best for bidder to commit to (because is strategyproof). ∎

Observation 3.1 establishes that this modification preserves strategyproofness. One might hope that it also encourages the auctioneer to behave honestly (if is the revenue-optimal auction) because they do not know any of the buyers’ bids before round two. So while the auctioneer can create fake bidders and submit fake bids, it seems like these bids may simply act as a reserve. And indeed, if the auctioneer must reveal all fake bids, the only reasonable deviations are to reveal the precise fake bids selected in round one (which was chosen with no information about buyers’ values). Therefore, the Strawman optimal auction would be computationally credible by the same reasoning used in (akbarpour2019credible) for the ascending price auction.

Unfortunately, the auction’s behavior must be well-defined even when some bids are concealed, and the auction cannot merely stall. For example, bidders may naturally drop out between rounds due to latency issues, or attackers may adversarially bid and conceal to stall the system. Restarting the auction is perhaps even worse, as now the auctioneer has learned some private information from those bidders who did participate honestly. This means that while it is not a safe, reasonable deviation for the auctioneer to change their commitment, it is indeed a safe, reasonable deviation for the auctioneer to simply conceal some fake bids. The following example establishes that such deviations violate computational credibility of the Strawman auction.

Example 3.0 ( is not computationally credible).

Consider that there is a single (real) buyer, whose value is drawn uniformly from , and consider the Strawman second-price auction with reserve , which tie-breaks lexicographically. The auctioneer will get expected revenue by being honest (which is optimal among all strategyproof auctions). Instead, they could create a fake bidder, and always commit to . After bidder reveals in round , the auctioneer can either (a) reveal , if , causing and yielding revenue or (b) conceal, if , causing and yielding revenue . This gets the auctioneer expected revenue .

The main takeaway from this section is that the  auction serves as a good base for a computationally credible, strategyproof auction; however, we cannot force the auctioneer (or any bidder, for that matter) to reveal their bids. Our solution in Section 4 is to instead fine all bidders (including fake bidders) who conceal, to disincentivize this particular safe, reasonable deviation.

4. Deferred Revelation Auction

In this section, we describe the Deferred Revelation Auction (DRA) and prove basic facts that will be useful throughout all of our analyses. Rather than state the auction as a reduction, we directly apply it to Myerson’s revenue-optimal auction. Below, recall that is Myerson’s ironed virtual value function, which is the upper concave envelope of (for further details, see (myerson1981optimal; hartline2013mechanism)).

Definition 4.0 (Deferred Revelation Auction).

Let be a commitment scheme satisfying Assumption 2.1. For a given fine function , is the following auction:


  • Each buyer picks a bid, , draws a one-time pad uniformly at random, and sends . The distribution from which is drawn is known to the auctioneer.

  • The auctioneer sends () to all buyers. Let denote the number of tuples sent to buyer (including their own).


  • Each buyer sends to the auctioneer.

  • The auctioneer forwards each to all buyers.


  • Let denote the set of buyers for which , and let . Let .

  • If , award buyer the item. Charge them .555Here, we define the inverse of a monotone function to be .

  • Additionally, all pay buyer a fine equal to .


  • All ties are broken lexicographically, with the auctioneer treated as “buyer zero”. With this, we will write all inequalities as or , taking this tie-breaking already into account.

Above, we are essentially running the optimal  auction, but fining any buyers who conceal and paying these fines to the winning buyer. Intuitively, this helps in the following way: during round one, the auctioneer can certainly gamble and commit to several fake bids. However, they run the risk of accidentally overshooting the winning bid. In the  auction, they could simply conceal these bids. In , they must instead pay some fine . Intuitively, it seems that if the fine is large enough, the auctioneer would rather just be honest than commit to any fake bids and run the risk of paying a huge fine. This turns out to be true when each is MHR, but not in general. Before stating our main results, we recap the safe, reasonable deviations.

  1. The seller might create fake buyers during round one.

  2. The seller may selectively choose which commitments to send to buyer .

    • The seller might not send at all.

    • The seller might send , but with some instead of the true .

    • If were malleable, the seller could apply some function to and forward instead . We assumed in Assumption 2.1 that is non-malleable to avoid this, although Theorem 4.3 holds even without this assumption.

    • All of these might depend on , but not .666For example, the seller might solicit a commitment from all buyers. Then, in increasing order of , they could forward some commitments to buyer , and ask to reveal. Then, after terminating this for all buyers, they could go back and reveal commitments. As far as any individual buyer can tell, the timeline appears correct based on their interaction with the seller.

  3. The seller might conceal a commitment. This decision can depend on the entire .

Before reasoning about computational credibility, we quickly observe that is indeed strategyproof and optimal.

Observation 4.1 ().

For all , is strategyproof and revenue-optimal.


is clearly optimal, as it simply runs Myerson’s auction. It is also strategyproof: because Myerson’s auction is individually rational, buyers have no incentive to conceal their commitment in round two. Given that all buyers will reveal their commitments, it is in buyer ’s interest to commit to , because Myerson’s auction is truthful. ∎

It is more challenging to reason when

is computationally credible. While there are many ways the seller might deviate, our approach to upper bounding the seller’s revenue, fortunately, boils down to one vector of parameters determined by the seller’s decisions during round one.

Definition 4.0 ().

For a triple sent to bidder , denote the effective bid by . We call the effective commitment to buyer as . We call the effective reveal to buyer as .

Recall that is a function only of , and is a function of and .

Observation 4.2 ().

For all , under any safe, reasonable deviation to , bidder receives the item if and only if . Therefore, for at most one bidder.

We now quickly show that Observation 4.2 is enough to show that is computationally credible whenever each is bounded.

Observation 4.3 ().

Let each be bounded, and let . Then is optimal, strategyproof, and computationally credible for the instance .


Optimality and strategyproofness follow directly from Observation 4.1. To see that is computationally credible, observe that the auctioneer will certainly get negative revenue if they ever conceal a fake bid sent to buyer and sell them the item (because buyer will pay at most , while the auctioneer must pay a strictly larger fine). Therefore, any optimal safe, reasonable deviation has . Indeed, the implication is trivial, as . The implication follows because the auctioneer would get negative revenue selling the item to buyer , and could strictly improve their revenue by just revealing all commitments and not selling the item.

Once we have this implication, observe that buyer now wins the item if and only if , and is a function of . Moreover, when buyer wins, they will pay . This is a truthful mechanism, and therefore it achieves revenue no better than Myerson’s optimal auction. To recap: we have shown that every safe, reasonable deviation is strictly outperformed by another deviation, which implements a truthful mechanism, which is outperformed by executing the auction in earnest. ∎

Observation 4.3 illustrates one idea to reason about computational credibility of , but does not really shed much insight, as it is essentially just forcing the auctioneer to reveal all commitments. Our main results, therefore, concern unbounded distributions (or significantly shrinking the fines necessary for bounded distributions), where there do not exist sufficiently large fines to trivially force the auctioneer to always reveal. We begin with our positive results. Below, denotes the Myerson reserve for a one-dimensional distribution .

Theorem 4.3 ().

Let .777Note that when is MHR,  (cai2011extreme). Then when all are MHR (bounded or unbounded), is optimal, strategyproof, and computationally credible.

Theorem 4.4 ().

For all , there exists an such that for all ,888By the notation , we mean that for all fixed , the fine is . such that when all are unbounded and -strongly regular, is optimal, strategyproof, and computationally -credible.

Theorem 4.4 can be improved to remove the when there is just a single bidder, but not otherwise (see Theorem 4.7 shortly after).

Proposition 4.0 ().

Moreover, for all , there exists an with for all , such that when is -strongly regular, is optimal, strategyproof, and computationally credible when there is a single (real) buyer from .

Theorem 4.3 is our main positive result: it asserts that there is a reasonably-sized fine, which depends only on and not even on , such that these fines are sufficient to deter the auctioneer from submitting fake bids. Proposition 4.5 extends Theorem 4.3 to -strongly regular distributions when there is just a single (real) bidder. Theorem 4.4 is an extension to multiple bidders, but is a relaxation in two ways: the mechanism is only -credible, and the fine now depends on . Our main negative results establish that these are necessary, and Theorem 4.4 is essentially the limit of what achieves within the framework of -strongly regular distributions. Our negative results are as follows:

Theorem 4.6 ().

There exists an unbounded regular distribution , such that for all , is not computationally -credible for the instance and any .

Theorem 4.7 ().

For all , all , and all , there exists an unbounded that is -strongly regular such that is not computationally credible for the instance .

Before continuing, let us parse the results, which clearly distinguish between MHR, -strongly MHR, and regular distributions. On one extreme,  works as well as could be hoped for when all distributions are MHR: there is a fine which is independent of the number of buyers which suffices to ensure that  is computationally credible. On the other extreme,  does not work well at all for arbitrary regular distributions: even when , there may not exist a sufficiently large fine to discourage the auctioneer from cheating, and cheating may yield unboundedly more revenue than honesty. In the middle, we see that Theorem 4.4 does not distinguish between different values of . In this range, positive results are possible, but not quite so strong as for MHR distributions. Moreover, the positive results we prove are tight.

We conclude this section by revisiting our simple example under  instead of . Section 5 follows immediately afterwards, and proves Theorem 4.6 (perhaps unsurprisingly, the witness is the equal-revenue curve). This will give an intuition for the technical challenges, and why stronger assumptions are necessary to have the positive results in Theorems 4.3 and 4.4, whose proofs follow in Sections 6 and 7.

Example 4.0 ().

Consider that there is a single (real) buyer, whose value is drawn from

, which is the uniform distribution on

. Let also for all . Consider now the auction . The auctioneer will get expected revenue by being honest and not submitting any fake bids (which is optimal among all strategyproof auctions). Instead, the auctioneer could submit any number of fake bids. It is clear that it only makes sense to submit fake bids of , and also that it is unnecessary to submit multiple fake bids of the same value.

In order to be a reasonable deviation, if the auctioneer submits a fake bid of , then after buyer reveals in round , the auctioneer can either reveal , or conceal. In order to be a safe deviation, the auctioneer must set a price of to buyer if they reveal, and set a price of otherwise. In particular, observe that while the auctioneer can guarantee revenue when (by revealing), the best revenue they can guarantee when is . If they reveal, then they pay no fines but also receive no payment. If they conceal, then they get payment of , but also pay a fine of , for a net payment of . Therefore, no matter what strategy the auctioneer uses, they get revenue at most in expectation, the same as being honest.

Observe that if we only consider safe (but unreasonable) deviations, then the auctioneer could commit to , but reveal instead a commitment to when . Of course, doing so would require breaking the cryptographic commitment scheme, an event that can be made less likely than the inverse number of atoms in the universe. So this mechanism is not credible, but only computationally credible, and this example highlights the distinction.

5. Example: DRA on Regular Distributions

In this section, we prove Theorem 4.6. The main intuition is that the equal-revenue curve is so heavy-tailed that no matter how big the fines are, there are always some sufficiently-high fake bids that the auctioneer can set to extract additional revenue while barely ever paying the fine.

Proof of Theorem 4.6.

Let denote the equal-revenue distribution, which has CDF on . The optimal revenue that the seller can achieve by earnestly running a truthful auction for one bidder drawn from is . Consider now any fine function , and simply refer to as the fine the seller must pay per hidden fake bid, if they submit fake bids. We show in fact that for all , there not only exists a safe, reasonable deviation which achieves revenue , but also one that achieves revenue for any .

For a given , let . Consider now the following construction of fake bids: Set for all . For simplicity of notation, define . The seller’s strategy is then:

  • Commit to a bid for all .

  • When the bidder’s bid is revealed:

    • If , reveal all bids.

    • Otherwise, if , reveal bids , and conceal .

We now want to compute the seller’s expected revenue for this strategy. We do this by first upper bounding the total expected fines that the seller will pay.

Claim 5.1 ().

The total expected fines paid by the seller in expectation is at most .


Observe that the seller only ever pays a fine when . Because is drawn from the equal-revenue curve, this occurs with probability at most . Moreover, the seller submits only fake bids, and therefore the total fine they pay, conditioned on paying a fine at all, is at most . Therefore, the total expected fines paid by the seller in expectation is at most . ∎

Next, we show that the seller’s expected payment received by the buyer is still large.

Claim 5.2 ().

The expected revenue that the seller receives is at least .


We compute the probability that the buyer pays exactly , for all . Observe that the buyer pays exactly whenever which occurs with probability exactly , because is drawn from the equal-revenue curve. As , this probability is exactly (or this is a lower bound, when ). Therefore, the expected revenue can be written as:

Claims 5.1 and 5.2 together establish that the seller achieves expected revenue at least , as desired. ∎

The key feature of the equal-revenue curve which drives the proof of Theorem 4.6 is that for all probabilities , there exists an optimal reserve which is exceeded with probability at most . This allowed us to set extremely high “reserves”, to get revenue as if we are setting each of these reserves independently, while also paying fines so extremely rarely that it barely matters. In Appendix D, we show that it is really a condition like this which drives Theorem 4.6, and not just that the equal-revenue curve has infinite expectation (by providing an example of a distribution with infinite expectation and a choice of for which is computationally -credible for that distribution). We will also try to use this as intuition when explaining our (more technical) proofs for the MHR and -strongly regular cases.

6. DRA is Credible for MHR Distributions

In this section, we consider the performance of on MHR distributions. Drawing intuition from what drove the proof of Theorem 4.6, the key feature which enables a strong positive result for (even unbounded) MHR distributions is that the revenue generated by reserves significantly above the optimal reserve shrinks exponentially fast.

Recall from Section 4 that denotes the effective commitment to buyer , and that it is a function of . Our analysis breaks down the expected revenue achieved by the seller using any round one strategy into two terms: revenue from cases where there exists an such that , and revenue when all satisfy . The first case, which we proceed with now, has similarities to the analysis in Section 4, but is more precise so that it can be combined with the second case.

Lemma 6.0 ().

For any , , consider any strategy of the seller, which is a safe, reasonable deviation to . Let denote the revenue achieved by the seller on bids using this strategy. Then:


Observe first that by Observation 4.2, whenever there exists an such that , there is a unique such (otherwise, each such certainly satisfies as , which contradicts Observation 4.2). So consider the allocation rule which awards the item to bidder if and only if , and charges them . Observe first that the expected revenue of this allocation rule is at least . Indeed, if the seller chooses to reveal all commitments sent to bidder , then this will be exactly the expected revenue. If the seller (sub-optimally) chooses instead to conceal some commitments, they simply pay additional fines and get less revenue.

Importantly, observe also that this allocation rule is monotone, as doesn’t depend on . Moreover, observe that this allocation/payment rule is truthful. Therefore, Myerson’s Lemma implies that its expected revenue is exactly its expected virtual surplus, and its expected virtual surplus is exactly . This gives the following chain of inequalities:

The first line follows from the reasoning in the first paragraph: will charge bidder at most when they win. The second line is just Myerson’s lemma. The final line is just upper bounding a particular virtual value with the maximum virtual value and uses Observation 4.2 to conclude that no more than one indicator variable in the sum can be non-zero. ∎

The second step is now to bound the optimal revenue the seller can get from cases where for all . The following technical lemma will be a crucial step in this part of the analysis. Intuitively, Lemma 6.2 states that the expected value of a draw from an MHR distribution, conditioned on being large, is not much more than its expected virtual value under the same conditioning. Below, recall that we defined to be the Myerson reserve of .

Lemma 6.0 ().

Let be MHR. Let be any event such that . Then:

Equivalently, .


Recall that because is MHR, and , we have that whenever event occurs. Recalling that by definition, this rearranges to . We then immediately conclude:

Corollary 6.0 ().

Let each be MHR, and consider where for all . Consider any strategy of the seller, which is a safe, reasonable deviation, and let denote the revenue achieved by the seller on bids using this strategy. Then:


For ease of notation let , and let

denote the indicator random variable for the event that

, for all , and the item is awarded to bidder . Then clearly when this occurs, the payment made by bidder is at most . But additionally, selling the item to buyer when requires concealing at least one commitment and paying a fine (otherwise, bidder expects not to win the item). As the fine charged per concealed commitment is , this means that the seller’s total revenue is at most . In particular, this also concludes that the seller’s total revenue when awarding the item to buyer when is non-positive. Therefore, we can write:

But now let’s consider separately for each . The event satisfies the hypotheses of Lemma 6.2, as implies that . Therefore, Lemma 6.2 allows us to conclude that:

The first line is just linearity of expectation, and the second line follows by Lemma 6.2. Now, we can put everything together to conclude:

The first line is simply restating the work above. The second line is just upper bounding each with the maximum virtual value. The final line simply observes that at most one of the indicators can be one (because at most one bidder can receive the item), and that a prerequisite for any of them to be one is that all . ∎

Lemma 6.1 and Corollary 6.3 together suffice to prove Theorem 4.3.

Proof of Theorem 4.3.

Lemma 6.1 upper bounds the expected revenue of any safe, reasonable deviation when some . Corollary 6.3 upper bounds the expected revenue of any safe, reasonable deviation when all . Together, this implies that for any safe, reasonable deviation:

The RHS is now precisely the expected revenue that the seller achieves by executing the protocol in earnest, so this series of inequalities explicitly witnesses that every safe, reasonable deviation yields expected revenue at most that of being honest. ∎

To repeat the key steps in the proof: Lemma 6.1 doesn’t use at all the particular form of , nor that each is MHR. It merely says that the revenue achieved from cases where the seller may as well reveal all commitments is the same as a truthful auction (because these commitments to are a function only of ). Corollary 6.3 uses the particular form of and that each is MHR to conclude that even when the seller might strategically conceal some commitments, it does no better than a truthful auction. Interestingly, observe that the entire proof only used the property that can be written as a function of , which is true even when the commitment scheme is malleable. So Theorem 4.3 holds even for malleable commitment schemes (but still requires the commitment scheme to be binding).

7. Extensions and Limitations of -Strongly Regular Distributions

We now provide an extension of Theorem 4.3 to -strongly regular distributions, but also prove the limits of such an extension. The proof of our extension follows a similar outline to Section 6. In particular, recall that Lemma 6.1 held for all distributions, not just MHR. So we will use Lemma 6.1 verbatim to handle the case where some . Lemma 6.2, however, requires the MHR assumption. Our first step is to extend (and relax) Lemma 6.2. The proof of Lemma 7.1 and Corollary 7.2 are similar to Section 6, and deferred to Appendix B.

Lemma 7.0 ().

Let be -strongly regular. Let be such that . Then:

Equivalently, .

In Corollary 7.2 below, we will consider again safe, reasonable deviations from a particular . Below, we’ll let denote the revenue achieved by the seller (using this particular deviation) on bids , and .

Corollary 7.0 ().

Let each be -strongly regular, and consider where for all . Consider any strategy of the seller which is a safe, reasonable deviation. Finally, let denote the indicator random variable for the event that the item is awarded to bidder , , and for all . Then:

From here, making use of Corollary 7.2 is not as straight-forward as in the MHR case. We first need another technical lemma, bounding the achievable revenue by posting a very high price for a single -strongly regular distribution. The proof of Lemma 7.3 appears in Appendix B.

Lemma 7.0 ().

Let be -strongly regular. Then for all ,

And finally, we need one more technical lemma before we can wrap up the proof of Theorem 4.4. This technical lemma is the only reason why Theorem 4.4 applies to unbounded distributions, and also the only reason why we need non-malleability of the commitment scheme. We show in Appendix E that both non-malleability and unbounded distributions are indeed necessary (via a counterexample to Theorem 4.4 otherwise). The proof of Lemma 7.4 is included, as it has no counterpart in Section 6.

Lemma 7.0 ().

Let each be unbounded. Then for all , all , and any safe, reasonable deviation in it must be that for at least distinct bidders, . In particular, .


For simplicity of notation, relabel the bidders by the order in which the seller requests their decommitment (if some are requested simultaneously, break those ties arbitrarily). Importantly, observe that the seller cannot request decommitment from a bidder until they have forwarded all commitments. Therefore, the decision of which commitments to forward to bidder can depend only on .

So now assume for contradiction that the lemma fails for some . Then there is some bidder with (recall that includes their own commitment too). In particular, this means that there is some bidder whose commitment was not forwarded to bidder , and that was completely unknown when this decision was made. In particular, the following situation now has non-zero probability:

  • First, draw to determine which commitments to forward to bidder . Observe that this also suffices to define , as it is independent of both and .

  • Now, it is entirely possible that , as is unbounded. Observe that determining this only requires additionally drawing .

  • Now, this sets . As we have yet to draw , it is entirely possible that , as is unbounded.

The above derives a contradiction to the deviation being safe and reasonable, as now two distinct buyers are both expecting to win the item. The “In particular,…” part of the statement follows simply as the sum is maximized when there is exactly one bidder with , for all . ∎

We can now wrap up the proof of Theorem 4.4.

Proof of Theorem 4.4.

Consider first combining Lemma 6.1 and Corollary 7.2. If we set , we get: