
A Fair and Secure Reverse Auction for Government Procurement

1 Department of Computer Science and Information Engineering, National Chin-Yi University of Technology, Taichung 41170, Taiwan
2 Department of Computer Science and Information Engineering, National Taichung University of Science and Technology, Taichung 40401, Taiwan
3 Department of Information Engineering and Computer Science, Feng Chia University, Taichung 40724, Taiwan
4 Department of Computer Science, National Tsing Hua University, Hsinchu 30013, Taiwan
* Author to whom correspondence should be addressed.
Sustainability 2020, 12(20), 8567; https://doi.org/10.3390/su12208567
Submission received: 21 August 2020 / Revised: 11 October 2020 / Accepted: 12 October 2020 / Published: 16 October 2020
(This article belongs to the Special Issue Green ICT, Artificial Intelligence and Smart Cities)

Abstract

With the development of e-commerce, the electronic auction is attracting the attention of many people. Many Internet companies, such as eBay and Yahoo!, have launched online auction systems. Many researchers have studied the security problems of electronic auction systems, but few of these studies address multi-attribute auctions. In 2014, Shi proposed a provably secure, sealed-bid, multi-attribute auction protocol based on the semi-honest model. We evaluated this protocol and found that it has some design weaknesses and is vulnerable to illegal operations by buyers, which results in unfairness. In this paper, we improved this protocol by replacing Paillier's cryptosystem with the elliptic curve cryptosystem (ECC), and we designed a novel, online, multi-attribute reverse-auction system using the semi-honest model. In our system, sellers' identities are not revealed to the buyers, and the buyers cannot conduct illegal operations that may compromise the fairness of the auction.

1. Introduction

In recent years, electronic commerce, also known as e-commerce, has developed quickly. More and more consumers prefer to shop on the Internet for convenience and other benefits. As a kind of e-commerce, e-auctions have also attracted much attention. Many Internet companies, such as eBay and Yahoo!, have launched online auction platforms. Many governments have also participated in online procurement auctions. However, most of them may only partially digitize the procedure of proposal collection. As for the determination of the final winner, either it is mainly carried out by operators rather than by a digitized and automated operation, or the bids are not properly protected, so that bribing problems can occur in online government procurements.
Based on whether they have opening bid prices, auctions can be classified into two types including sealed-bid auctions and open auctions [1]. Furthermore, open auctions can be classified into English auctions and Dutch auctions. In an English auction, the auctioneer publishes a basic price, and bidders openly submit their bids. The bid price should be higher than the basic price, and the auction will be terminated if no bidders submit a higher price. The bidder who submits the highest price wins the auction. In a Dutch auction, the auctioneer publishes a basic price at the beginning of the auction. If no one wishes to pay this price, the auctioneer decreases the price until some bidder accepts it, and this bidder becomes the winner.
Based on the numbers of buyers and sellers, auctions can be classified into one-side auctions and double auctions [2]. In one-side auctions, there are several buyers in the auction for one seller or vice versa. The former situation is called a forward auction that is used commonly in antique auctions. In a reverse auction, there are multiple sellers for a single buyer, as shown in Figure 1b, which gives buyers a chance to find the lowest-price seller. This type of auction includes governments that invite, for example, tenders for the construction of infrastructure. As for the double auction, it is a combination of forward and reverse auctions. In other words, in double auctions, there are many buyers and sellers in the process. A good example of a double auction is the stock market.
Based on how they determine the winner, auctions can be classified into single-attribute auctions and multi-attribute auctions [3,4]. In a single-attribute auction, the price is often the only determinant of the auction. In multi-attribute auctions, more determinants influence the results of the auction, such as price, the quality of the product, the delivery date, and so on.
Many researchers have studied security issues in online auctions using various cryptographic methods, such as symmetrical encryptions and asymmetrical encryptions, different types of digital signatures, such as ring signature [5], message authentication codes, secret sharing, and secure multiparty computation. These methods are intended to solve security and other issues in online auctions, such as the privacy of bids, the privacy of the bidders' identities, and the efficient operation of the auction. However, most of these methods are used to solve the above issues of single-attribute auctions. Only a few of the related research results are applicable to problems in multi-attribute auctions [6,7,8,9]. In 2006, Suzuki et al. [10] proposed a protocol for multi-attribute auctions that required a trusted authority. In 2007, Shih et al. [11] proposed a method with a shared hash chain to deal with multiple items in an online auction, but it was not applicable for multi-attribute auctions. In 2008, Parkes et al. [12] used homomorphic encryption in a multiple-item auction to protect the privacy of the bids. However, it still was not suitable for multi-attribute auctions. In 2009, Xiong et al. [1] proposed a ring signature-based auction to protect bidders' identities in the forward auction, but the implementation of their proposal would require a large computational cost. In 2011, Srinath et al. [13] proposed the involvement of a trusted third party to protect the privacy of bids. However, since sealed bids must be opened at the end of the auction to compute a scoring function, their privacy cannot be fully protected. Also in 2011, Srinath et al. [14] extended Parkes et al.'s [12] homomorphic encryption-based protocol to a multi-attribute protocol, but the auctioneer still had to open the bids at the end of the auction. In other words, the privacy of the bid with their method is still compromised. In 2012, Xiong et al. [15] proposed a revocable ring signature to protect bidders' privacy, but it was proven to be vulnerable to DoS attack. In 2013, Chang et al. [5] proposed a secure English auction system with an on-shelf phase in order to improve Xiong et al.'s [15] proposal, but the new system had a linkability defect that meant the attacker could link different messages together to trace the user's identity. In 2014, Nojoumian et al. [16] proposed a sealed-bid auction with verifiable secret sharing. However, it was a single-attribute-based auction. Also in 2014, Shi [4] utilized the private set intersection proposed by Freedman et al. [17] and Paillier's [18] encryption system to protect the privacy of bids in multi-attribute auctions.
In 2008, Parkes et al. [12] addressed the bribing problem in government procurements. A government procurement auction is a kind of reverse auction. A bribed government member could reveal the bids of other bidders to a bribed bidder, who could then enter a bid that was just slightly higher than the highest bid of the other bidders. Of course, the bribed bidder would benefit significantly from such an arrangement. Parkes et al. indicated that, in 1996, Siemens was barred from bidding in public procurement auctions in Singapore for five years. This was because the company bribed the chief executive of Singapore’s public utility corporation in order to grasp information about rival bids in advance. As for mafia families in New York, they tend to pay bribes to know other bids before making their own bids for waste-disposal contracts. These illegal actions undermine the fairness of auctions and can result in the loss of the government’s financial resources. More seriously, it may cause security problems in the infrastructure and in large projects intended to benefit society in general. Thus, it is apparent that it is essential to develop and propose a secure and fair online auction system for use with government procurements.
In 2014, Shi [4] proposed a provably secure, sealed-bid, multi-attribute auction protocol based on the semi-honest model. However, we found that it is vulnerable to the buyer's illegal operations, which can result in unfairness. In this paper, we improved this protocol with the elliptic curve cryptosystem (ECC) instead of the Paillier cryptosystem, and we designed a novel, online, multi-attribute, reverse auction system based on the semi-honest model. In our proposed reverse auction, sellers' identities are not revealed to the buyers. Thus, a buyer cannot conduct illegal operations that would compromise the fairness of the auction. Moreover, our proposal can effectively solve the bribing problem in government procurements.
In 2016, Baranwal et al. [19] proposed a truthful and fair multi-attribute combinatorial reverse auction for resource procurement in cloud computing. In their scheme, the auction mechanism allows providers to reveal true information so that providers’ benefit can be maximized. To prevent providers from cheating, a penalty mechanism is involved once providers do not provide services that were agreed in advance. In 2018, Kumar et al. [20] extended the application of the reverse auction to resource procurement in the cloud market. To reduce the probability of bidder drop and insufficient competition in the cloud market and then increase the revenues of providers, they proposed a combinational reverse-auction-based mechanism with the fairness features. It is noted that Baranwal et al.’s and Kumar et al.’s schemes involved extensive simulations to prove their performance. Both of them focused on how to apply the reverse auction to assist resource procurement in the cloud market from the efficiency, instead of security, point of view. Following Baranwal et al.’s and Kumar et al.’s ideas, more and more scholars have applied the reverse auction to various domains, such as WiFi offloading [21], spatial crowdsourcing [22], etc. It is confirmed that the reverse auction has been getting attention over the last five years. In other words, how to apply either the cryptographic approach or other security approaches to secure the bids is becoming important.
Our paper is organized as follows. The preliminaries of our proposal are introduced in Section 2, and the security defects of Shi’s proposal are analyzed in Section 3. Section 4 describes our system’s adversary model, and an improved multi-attribute procurement auction is proposed in Section 5. In Section 6, we prove that our protocol is correct and analyze its security problems. Finally, conclusions are presented in Section 7.

2. Preliminaries

In this section, we introduce some basic tools which we need to use in our paper.

2.1. Configurable Offer

In a multi-attribute auction, the auctioneer or host of the auction first publishes a set of attributes, which is designated as "A". Thus, $A = (a_1, a_2, \ldots, a_n)$ represents the structure of a legal bid, where the term $a_k$ ($k \in [1, n]$) is a price or non-price determinant, and $n$ is the cardinality of set $A$, i.e., the number of attributes in a legal bid structure of this auction. Every attribute $a_k$ has a value domain $(a_{k1}, a_{k2}, \ldots, a_{ki})$, where $i$ denotes the cardinality of the value domain, and $a_k$ can be set to any value in its value domain. If a bidder wants to participate in an auction and submit a bid, he/she should organize a bid offer $O = (o_1, o_2, \ldots, o_n)$ following the published structure $A$, where $o_k$ is the attribute value chosen from $a_k$'s value domain $(a_{k1}, a_{k2}, \ldots, a_{ki})$. The sequence of attributes is ranked by the buyer's preferences from most preferred to least preferred. We denote $P(o_k)$ as $a_k$'s preference; then $P(o_1) < P(o_2) < \ldots < P(o_n)$. Buyers can choose the final winning bid according to this preference sequence.

2.2. Elliptic Curve Cryptosystem

The elliptic curve cryptosystem (ECC) is an asymmetric cryptosystem like RSA [23]. It was proposed independently by both Miller [24] and Koblitz [25] in 1985 and 1987, respectively. The key length of the ECC is 160 bits, which is relatively short compared with an RSA key length such as 1024 bits, yet it achieves the same security requirement. Therefore, the ECC has been widely used in many cryptographic schemes in the last decade.
An elliptic curve [10,13] is defined over a finite field $F_p$ by the equation $E_p(a, b)$: $y^2 = x^3 + ax + b$, where $p$ is a large prime, $p \geq 3$, and $4a^3 + 27b^2 \neq 0 \bmod p$. All points on this elliptic curve form a cyclic group. Two operations can be defined. Firstly, the addition operation of this group is defined as follows: if points $P, Q, R \in E_p(a, b)$ are on one line, then $P + Q + R = O$. Secondly, for the multiplication operation, given an integer $s \in F_p^*$ and a point $P \in E_p(a, b)$, $s \cdot P$ over $E_p(a, b)$ denotes $P + P + \ldots + P$ ($s$ times). If $P$ is symmetrical with $P'$ about the X axis, then $P + P' = O$. Furthermore, point $P$ is a base point with an order $n$ if and only if $n \cdot P = O$.

2.3. Elliptic Curve Discrete Logarithm Problem

Given two points $P$ and $Q$ over $E_p(a, b)$, it is very difficult to find an integer $s \in F_p^*$ such that $Q = s \cdot P$ [26].

2.4. Private Set Intersection

In 2004, Freedman et al. [17] addressed problems related to a two-party set intersection in a semi-honest and malicious environment. Assume $P_1$ is a participant with dataset $X = \{x_1, x_2, \ldots, x_k\}$ and $P_2$ is a participant with dataset $Y = \{y_1, y_2, \ldots, y_k\}$ when participating in the set intersection protocol. Both datasets $X$ and $Y$ are drawn from a certain common domain. First, $P_1$ sets up a semantically secure homomorphic encryption system and publishes the public parameters. Next, $P_1$ constructs a polynomial $p(y) = (y - x_1)(y - x_2) \cdots (y - x_k) = \sum_{i=1}^{k} a_i \cdot y^i$ of degree $k$ with roots $x_1, x_2, \ldots, x_k$ and sends $P_2$ the encrypted coefficients $Enc(a_1), Enc(a_2), \ldots, Enc(a_k)$. Because of the homomorphic properties of the encryption system, $P_2$ evaluates $P_1$'s polynomial at each point $y$ in his or her dataset by computing $Enc(r \cdot p(y_i) + y_i)$ with a random constant $r$ for each $y_i$. After decrypting the cipher text, $P_1$ finally obtains the value of the corresponding element for each of the elements in $X \cap Y$, whereas the result is random for all other values.

2.5. Homomorphic Property of the ECC

Given a secret key $SK = s \in Z_p^*$ and the corresponding public key $PK = s \cdot P$, two plaintexts $m_1$, $m_2$ encrypted with the same public key $PK$ and the same random number $r$ are chosen:

$$C_1 = m_1 + (PK \cdot r)_x \bmod q,$$
$$C_2 = m_2 + (PK \cdot r)_x \bmod q.$$

Let $R = r \cdot P$. The corresponding cipher texts of $m_1$, $m_2$ are $(C_1, R)$, $(C_2, R)$, respectively. We can get the following property:

$$\begin{aligned}
C_1 + C_2 &= m_1 + (PK \cdot r)_x + m_2 + (PK \cdot r)_x \bmod q \\
&= (m_1 + m_2) + 2 (PK \cdot r)_x \bmod q \\
&= (m_1 + m_2) + 2 (SK \cdot R)_x \bmod q
\end{aligned}$$

Therefore with $SK$, decrypt the message as $m_1 + m_2 = C_1 + C_2 - 2 (SK \cdot R)_x \bmod q$. It is noted that we do not use this approach to encrypt the message in our proposed protocol. By contrast, we encrypt the message as follows:

$$C_1 = m_1 \cdot P + PK \cdot r \bmod q,$$
$$C_2 = m_2 \cdot P + PK \cdot r \bmod q.$$

Then:

$$\begin{aligned}
C_1 + C_2 &= m_1 \cdot P + PK \cdot r + m_2 \cdot P + PK \cdot r \bmod q \\
&= (m_1 + m_2) \cdot P + 2 PK \cdot r \bmod q.
\end{aligned}$$

Therefore with $SK$, decrypt the message as: $(m_1 + m_2) \cdot P = C_1 + C_2 - 2 SK \cdot R \bmod q$.
Furthermore, given an integer $k$,

$$\begin{aligned}
k \cdot C_1 &= k m_1 \cdot P + k \cdot PK \cdot r \\
&= (k m_1) \cdot P + SK \cdot (kR).
\end{aligned}$$

Therefore with $SK$, decrypt the message as: $(k m_1) \cdot P = k C_1 - SK \cdot (kR) \bmod q$.

2.6. Paillier Encryption System

(1) Key generation phase: Select two large prime numbers $p$, $q$ randomly, and make sure they are independent of each other such that $\gcd(pq, (p - 1)(q - 1)) = 1$. Compute $n = p \cdot q$ and $\lambda = \mathrm{lcm}(p - 1, q - 1)$. Select a random number $g \in Z_{n^2}^*$. Ensure $n$ divides the order of $g$ by checking the existence of the following modular multiplicative inverse: $\mu = (L(g^{\lambda} \bmod n^2))^{-1} \bmod n$, where $L(u) = \frac{u - 1}{n}$. Note that the public key is $(n, g)$, and the private key is $(\lambda, \mu)$.
(2) Encryption phase: Let $m$ denote the message to be encrypted, and then select a random number $r \in Z_n^*$ to derive the cipher text as $c = g^m \cdot r^n \bmod n^2$.
(3) Decryption phase: $m = L(c^{\lambda} \bmod n^2) \cdot \mu \bmod n$.
Some homomorphic properties in Paillier's cryptosystem are listed below:
Homomorphic addition:
$D(E(m_1, r_1) \cdot E(m_2, r_2) \bmod n^2) = m_1 + m_2 \bmod n$,
$D(E(m_1, r_1) \cdot g^{m_2} \bmod n^2) = m_1 + m_2 \bmod n$.
Homomorphic multiplication:
$D(E(m_1, r_1)^{m_2} \bmod n^2) = m_1 \cdot m_2 \bmod n$.
More generally, $D(E(m_1, r_1)^{k} \bmod n^2) = k \cdot m_1 \bmod n$.

2.7. Semi-Honest Model

Here, computational indistinguishability is defined as follows: let $S \subseteq \{0, 1\}^*$. Two ensembles (indexed by $S$), $X \stackrel{def}{=} \{X_\omega\}_{\omega \in S}$ and $Y \stackrel{def}{=} \{Y_\omega\}_{\omega \in S}$, are computationally indistinguishable if for every family of polynomial-size circuits $\{D_n\}_{n \in N}$, there exists a negligible function $\mu: N \to [0, 1]$ so that $|\Pr[D_n(\omega, X_\omega) = 1] - \Pr[D_n(\omega, Y_\omega) = 1]| < \mu(|\omega|)$. In such a case, $X \stackrel{c}{=} Y$ is concluded.
According to computational indistinguishability defined above, protocol $\pi$ is concluded to securely compute deterministic functionality $f$ in the presence of static semi-honest adversaries if probabilistic polynomial-time simulators $S_1$ and $S_2$ exist, such that:

$$\{S_1(x, f(x, y))\}_{x, y \in \{0,1\}^*} \stackrel{c}{=} \{view_1^{\pi}(x, y)\}_{x, y \in \{0,1\}^*},$$
$$\{S_2(x, f(x, y))\}_{x, y \in \{0,1\}^*} \stackrel{c}{=} \{view_2^{\pi}(x, y)\}_{x, y \in \{0,1\}^*} \quad (|x| = |y|).$$

3. Related Work

In 2014, Shi [4] utilized the private set intersection proposed by Freedman et al. [17] and Paillier's [18] encryption system to protect the privacy of bids. Unfortunately, we should point out that buyers can perform illegal operations that are contrary to fairness in Shi's proposal. In the original proposal, bids were submitted by sellers as cipher text of Paillier's cryptosystem. Buyers compared the bid price with the expected attribute set in the cipher text to determine the best matching result without revealing information concerning the sellers' bids. However, buyers' homomorphic operations must use an identity-connected public key, which results in revealing the identity of the bidder. Later, the buyer can determine which bids do not belong to bribed bidders and prevent the unbribed bidders from winning. For example, a bribed buyer will use an unreasonable set of attributes, such as an extremely high price or extremely early delivery date, as input into the matching process. This will result in the unfairness of the bidding because even if an optimum bid was submitted, it will not be determined as the winner.
Shi’s protocol has three phases, i.e., the planning phase, the bidding phase, and the winner determination and verification phase. In the planning phase, the buyer organizes some information of the auction such as its set of attributes and deadline, then the buyer publishes them on a bulletin board. Sellers can get this information from the bulletin board. In the bidding phase, buyers and sellers can compare their bids using the above-mentioned technique of private set intersection. In the winner determination and verification phase, a buyer can decide the winner by comparing the result in the bidding phase and the preference of attributes. This process is described in detail below.

3.1. Planning Phase

The buyer announces the auction deadline T, the auction identifier IDauc, and the auction attribute set A and the cardinality of bid t.

3.2. Bidding Phase

(1) Buyer $B_i$ organizes offer $Bid_{B_i} = \{o_1, o_2, \ldots, o_t\}$, and seller $S_j$ organizes offer $Bid_{S_j}$, where $Bid_{S_j} = \{a_1, a_2, \ldots, a_t\}$.
(2) Seller $S_j$ computes a polynomial $f_{S_j}(x) = (x - a_1) \cdot (x - a_2) \cdots (x - a_t) = \sum_{i=0}^{t} \alpha_i x^i$, and $S_j$ encrypts $\alpha_i$ and publishes $ID$, $E_{SK_{S_j}}(\alpha_0), E_{SK_{S_j}}(\alpha_1), \ldots, E_{SK_{S_j}}(\alpha_t)$, where $SK_{S_j}$ is $S_j$'s private key, and $E()$ is the Paillier encryption.
(3) For each $o_i \in Bid_{B_i}$ ($1 \leq i \leq t$), the buyer $B_i$ chooses a random $r_i$, where $1 \leq i \leq t$, and computes $C_1, C_2, \ldots, C_t$ and $H(r_i)$, where $C_i = E_{PK_{S_j}}(r_i \cdot f_{S_j}(o_i) + r_i)$, and publishes $C_1, C_2, \ldots, C_t$ and $H(r_i)$ on a bulletin board, where the function $H: \{0,1\}^* \to \{0,1\}^*$ is a random oracle and $*$ denotes Kleene closure.
(4) $S_j$ decrypts $C_i = E_{PK_{S_j}}(r_i \cdot f_{S_j}(o_i) + r_i)$ and publishes $N_i = D_{SK_{S_j}}(E_{PK_{S_j}}(r_i \cdot f_{S_j}(o_i) + r_i))$ on the bulletin board according to Section 2.4.

3.3. Winner Determination and Verification Phase

Seller Sj checks if equation H(ri) = H(Ni) holds or not. If several sellers satisfy this property, then buyer Bi will choose one winner according to the buyer’s preferences, i.e., Prefer(o1) < Prefer(o2) < … < Prefer(ot).

3.4. Security Defects

In the original protocol, Shi used Paillier's encryption. We can see that in Paillier's encryption system, the public key is $(n, g)$, and the private key is $(\lambda, \mu)$. Furthermore, the buyer does not need to encrypt or decrypt messages, but the seller still needs the public key $(n, g)$ to conduct the homomorphic operations for the property of Paillier's encryption system. In the original proposal, the seller should use this additional homomorphic property, i.e., $D(E(m_1, r_1) \cdot g^{m_2} \bmod n^2) = m_1 + m_2 \bmod n$. We can see that public key $(n, g)$ is needed in this operation. As we analyzed before, with the public key, the seller can determine the buyer's identity since each public key is unique and can be linked to the corresponding buyer, then he/she can do some illegal operations. For example, after receiving an encrypted bid from the seller, the buyer can use an unreasonable set of attributes $\{S_1, S_2, \ldots, S_n\}$ (the price set as extremely big and delivery date set as extremely early) as input into $f(x)$. Obviously, no one can get correct $k_i$ except for a bribed seller. Moreover, no one except the buyer himself/herself can discover this unfair bid matching operation.

4. Adversary Model

A TTP (trusted third party) is used extensively in many online auction systems no matter if it is a trusted third party or semi-trusted third party [17,25]. However, in reality, no fully trusted party exists. For example, if we consider the government as a fully trusted party, then the bribery problem mentioned above comes out. Thus, some secure online auction protocols without a TTP have been proposed to solve the problem of security having to depend on a TTP. In fact, every entity in the network has the potential to do some illegal things to gain profit.
The security of our protocol does not rely on a TTP. In our protocol, n sellers and a buyer exist. Furthermore, a bulletin board is needed so that some information about the auction can be published to assist in running the auction. Our protocol focuses on the reverse auction, and it was designed based on one buyer and n sellers. In addition, if desired, it can be extended easily to the double auction like Shi’s auction protocol [4].
In essence, government procurement can be treated as a reverse auction. It means that a reverse auction designed for government procurement should prevent all potential attacks that exist in the conventional reverse auction. However, there are some unique problems that only occur in government procurement and deserve further investigation. Here, we define two kinds of potential attacks that may occur in the context of government procurement as follows.
(1) The auctioneer may allow a bribed bidder to modify his/her bid and win the auction by revealing information about other bids before the auction is closed or by inserting a bid for the bribed bidder after reviewing other bidders' bids. This allows the bribed bidder to win at the best possible price. This is denoted as attack 1 in government procurement.
(2) A bribed bidder may be allowed to change his/her bid even if the auction has closed in order to obtain a better price or win the auction, respectively. Bribes can be received before bids are made in exchange for a promise to modify the bidder's bid to maximize the bribing bidder's benefit. This is denoted as attack 2 in government procurement.
A secure reverse auction should defy these two attacks when used in government procurement, and these are what our proposed auction protocol is designed to withstand.

5. Proposed Protocol

In this section, our protocol is shown in detail. Our protocol is composed of three phases: system setup, bidding phase, and winner determination and verification phase. In the system setup phase, the buyer generates some system parameters for encryption and structures the bids on the bulletin board for the system to operate. All sellers can get the corresponding information from the bulletin board. In the bidding phase, bidders can submit their organized bids to the buyer, and the buyer executes the matching operation with the homomorphic property of ECC encryption. The computational results are published on the bulletin board. In the winner determination and verification phase, the buyer determines who the winner of this auction is. If more than one seller meets the conditions, the buyer will choose one winner as the preference sequence of each attribute. The proposed protocol is depicted in Figure 2, and the details are as follows.

5.1. System Setup Phase

Before the system operates, the buyer inputs a security parameter κ ∈ Z+ and generates a set of system parameters Ω = {Fq, E/Fq, Gq, P, h()}, where q is a κ-bit prime number, Fq is a finite field, E/Fq is an elliptic curve over Fq of order q, Gq is an elliptical cyclic group on E/Fq, P is the generator of Gq, and h() is a collision-resistant one-way hash function.
Then, the buyer publishes Ω on the bulletin board. The buyer generates a bid-attribute set A = {A1, A2, …, An} as the determinant of the auction and publishes A on the bulletin board. The attributes in A are ordered by the preference sequence. The buyer organizes a set {B1, B2,…, Bn} that denotes his/her expected attribute’s values, where Bk is a value in Ak ’s value domain for k = 1, 2,…, n.

5.2. Bidding Phase

If a bidder wants to participate in this auction and sell products or services to the buyer, he/she gets the system parameter $\Omega$ from the bulletin board and chooses a random number $s \in Z_q^*$ as his/her private key. Then, the seller organizes his/her offer's bid-attribute set $\{S_1, S_2, \ldots, S_n\}$.
The seller computes the polynomial $f(x) = (x - S_1) \cdot (x - S_2) \cdots (x - S_n) \bmod q = \sum_{i=0}^{n} \alpha_i x^i \bmod q$. The seller chooses a random number $r \in Z_q^*$ and computes $R = r \cdot P$. For $i = 0, 1, 2, \ldots, n$, the seller computes $C_i = \alpha_i \cdot P + s \cdot r \cdot P \bmod q$. Then, the seller sends $C_0, C_1, C_2, \ldots, C_n$ and $R$ to the buyer.
When the buyer gets $C_0, C_1, C_2, \ldots, C_n$ and $R$, he/she chooses a random number $k_i \in Z_q^*$ and computes $\Delta_i = (k_i \cdot \sum_{j=0}^{n} B_i^j \cdot C_j)_x + k_i \bmod q$ and $\Phi_i = (k_i \cdot \sum_{j=0}^{n} B_i^j) \cdot R$ for $i = 1, 2, \ldots, n$. For $i = 1, 2, \ldots, n$, the buyer computes $h(k_i)$ and keeps $h(k_i)$. The buyer sends the $(\Delta_i, \Phi_i)$'s to the seller.
For $i = 1, 2, \ldots, n$, the seller uses his/her private key $s$ to compute $k_i' = \Delta_i - (s \cdot \Phi_i)_x \bmod q$ and publishes $k_i'$ on the bulletin board. Each seller follows the same procedure presented above.

5.3. Winner Determination and Verification Phase

For $i = 1, 2, \ldots, n$, the buyer checks whether $h(k_i) = h(k_i')$. According to the buyer's preference, the buyer determines the winner with the matched indices $i$. If $Prefer(A_1) < Prefer(A_2) < \ldots < Prefer(A_n)$, the buyer obtains the largest index $i$ of each seller such that $h(k_i) = h(k_i')$, and the seller with the largest index is the winner.
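The three phases of Section 5 for one seller and one buyer, as an added Python example that is not code from the paper. It assumes the secp256k1 curve (with the field prime and the group order q kept as separate values), SHA-256 as h(), and constructed integer attribute values; all function names are hypothetical.

```python
import hashlib
import secrets

# secp256k1 parameters: field prime, curve y^2 = x^3 + 7, group order q, generator P.
# Using this curve is an assumption; the paper only asks for a prime-order group.
P_FIELD = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Add two affine points; None stands for the point at infinity O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None                                    # P + P' = O
    if p1 == p2:                                       # tangent slope (a = 0)
        lam = 3 * x1 * x1 * pow(2 * y1 % P_FIELD, -1, P_FIELD) % P_FIELD
    else:                                              # chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    k %= Q
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def x_coord(point):
    """The (.)_x operation: x-coordinate of a point, reduced mod q."""
    if point is None:
        raise ValueError("point at infinity has no x-coordinate")
    return point[0] % Q


def h(k):
    return hashlib.sha256(k.to_bytes(32, "big")).hexdigest()


def poly_coeffs(offer):
    """alpha_0..alpha_n of f(x) = prod (x - S_j) mod q, lowest degree first."""
    coeffs = [1]
    for s_j in offer:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - s_j * c) % Q
            nxt[i + 1] = (nxt[i + 1] + c) % Q
        coeffs = nxt
    return coeffs


def seller_commit(offer):
    """Seller: C_i = alpha_i*P + s*r*P and R = r*P."""
    s = secrets.randbelow(Q - 1) + 1                   # private key s
    r = secrets.randbelow(Q - 1) + 1                   # per-bid random r
    R = ec_mul(r, G)
    mask = ec_mul(s, R)                                # s*r*P
    return s, [ec_add(ec_mul(a, G), mask) for a in poly_coeffs(offer)], R


def buyer_challenge(expected, C, R):
    """Buyer: (Delta_i, Phi_i) for every expected value B_i, plus the kept h(k_i)."""
    pairs, digests = [], []
    for b in expected:
        k = secrets.randbelow(Q - 1) + 1
        acc, power, power_sum = None, 1, 0
        for c_j in C:                                  # sum_j B_i^j * C_j
            acc = ec_add(acc, ec_mul(power, c_j))
            power_sum = (power_sum + power) % Q
            power = power * b % Q
        delta = (x_coord(ec_mul(k, acc)) + k) % Q
        pairs.append((delta, ec_mul(k * power_sum, R)))
        digests.append(h(k))
    return pairs, digests


def seller_respond(s, pairs):
    """Seller: k_i' = Delta_i - (s*Phi_i)_x mod q."""
    return [(delta - x_coord(ec_mul(s, phi))) % Q for delta, phi in pairs]


def run_auction_round(offer, expected):
    """Return the 1-based indices i with h(k_i) == h(k_i')."""
    s, C, R = seller_commit(offer)
    pairs, digests = buyer_challenge(expected, C, R)
    responses = seller_respond(s, pairs)
    return [i + 1 for i, (d, k) in enumerate(zip(digests, responses)) if d == h(k)]


if __name__ == "__main__":
    # Constructed values: (price, delivery days, warranty years).
    print(run_auction_round([1200, 30, 5], [1200, 45, 5]))   # matched indices
```

Because f(x) has every S_j as a root, an expected value B_i matches whenever it equals any attribute value in the offer, so the numeric encodings of different attributes should not overlap.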

6. Correctness Proof and Security Analysis

In this section, the correctness of the proposed protocol will be proven, and the corresponding security analysis will be made.

6.1. Correctness Proof

In the proposed protocol, only when a seller’s set of offer attributes has some intersection with the buyer’s set of expected attributes, the seller can get ki for the matched Ai to ensure the correctness of the proposed protocol. In the following, why the correctness of the proposed protocol is ensured is shown in detail.
The buyer computes Δi by the following equation:
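$$\begin{aligned}
\Delta_i &= \Big(k_i \cdot \sum_{j=0}^{n} B_i^j \cdot C_j\Big)_x + k_i \bmod q \\
&= \Big(k_i \cdot \sum_{j=0}^{n} B_i^j \cdot (\alpha_j \cdot P + s \cdot r \cdot P)\Big)_x + k_i \bmod q \\
&= \Big(k_i \cdot \sum_{j=0}^{n} B_i^j \cdot \alpha_j \cdot P + k_i \cdot \sum_{j=0}^{n} B_i^j \cdot s \cdot r \cdot P\Big)_x + k_i \bmod q \\
&= \Big(k_i \cdot \sum_{j=0}^{n} B_i^j \cdot \alpha_j \cdot P + s \cdot k_i \cdot \sum_{j=0}^{n} B_i^j \cdot r \cdot P\Big)_x + k_i \bmod q \\
&= (k_i \cdot f(B_i) \cdot P + s \cdot \Phi_i)_x + k_i \bmod q
\end{aligned}$$

As shown above, $f(x) = (x - S_1) \cdot (x - S_2) \cdots (x - S_n) \bmod q = \sum_{i=0}^{n} \alpha_i x^i \bmod q$, and the order of $E/F_q$ is $q$. If some $S_i$ equals $B_i$, $f(B_i) = 0$ and $\Delta_i = (s \cdot \Phi_i)_x + k_i \bmod q$. Thereupon, the seller can use his/her private key $s$ to get $k_i' = \Delta_i - (s \cdot \Phi_i)_x \bmod q = k_i$ with the received $(\Delta_i, \Phi_i)$'s when $S_i = B_i$. On the other hand, if no $S_i$ is equal to $B_i$, $f(B_i) \neq 0$ and $\Delta_i = (k_i \cdot f(B_i) \cdot P + s \cdot \Phi_i)_x + k_i \bmod q$. Then, when the seller uses his/her private key $s$, he/she gets $k_i' = \Delta_i - (s \cdot \Phi_i)_x \bmod q = (k_i \cdot f(B_i) \cdot P + s \cdot \Phi_i)_x + k_i - (s \cdot \Phi_i)_x \bmod q \neq k_i$.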
According to the correctness proof shown above, only the sellers can get the correct ki’s when their sets of offer attributes have some intersection with the buyer’s set of expected attributes. On the other hand, when a seller’s set of offer attributes has no intersection with the buyer’s set of expected attributes, he/she can get no ki to have himself/herself determined to be a winner. Thus, it can be concluded that our designed protocol ensures correctness such that a seller can be regarded as a candidate of the winner only when his/her set of offer attributes has some intersection with the buyer’s set of expected attributes.

6.2. Security Analysis

In this section, the security analysis of the proposed protocol is made to demonstrate that the proposed protocol can ensure bid privacy, protect a bidder’s identity to prevent illegal activities from compromising fairness, support multi-attribute auction, and resist attack 1 and attack 2 in the “Adversary Model”. Then, comparisons of security properties between our protocol and other multi-attribute auction protocols are given. The details are as follows.
Theory 1. 
Our protocol protects bid privacy.
Proof. 
In the bidding phase, the seller computes $f(x) = \sum_{i=0}^{n} \alpha_i x^i \bmod q$, $R = r \cdot P$ and $C_i = \alpha_i \cdot P + s \cdot r \cdot P \bmod q$ for $i = 0, 1, 2, \ldots, n$, where $s$ is his/her private key. According to the elliptic curve discrete logarithm problem (ECDLP), it is very difficult to find an integer $\beta$ such that $Q = \beta \cdot P$. That is, from $C_0, C_1, C_2, \ldots, C_n$ and $R$, the buyer can get no information about $r$, $\alpha_i$ and $s$ because of the ECDLP. Because $f(x) = (x - S_1) \cdot (x - S_2) \cdots (x - S_n) \bmod q = \sum_{i=0}^{n} \alpha_i x^i \bmod q$, it denotes that $S_1, S_2, \ldots, S_n$ can be retrieved only when all of $\alpha_0, \alpha_1, \alpha_2, \ldots, \alpha_n$ are known. Although $\alpha_n$ must be 1, $S_1, S_2, \ldots, S_n$ are still kept concealed because $\alpha_0, \alpha_1, \alpha_2, \ldots, \alpha_{n-1}$ are unknown. Consequently, the buyer cannot know anything about $S_1, S_2, \ldots, S_n$. On the other hand, $\Delta_i = (k_i \cdot \sum_{j=0}^{n} B_i^j \cdot C_j)_x + k_i \bmod q$ and $\Phi_i = (k_i \cdot \sum_{j=0}^{n} B_i^j) \cdot R$. As shown in the correctness proof, $f(B_i) = 0$, $\Delta_i = (s \cdot \Phi_i)_x + k_i \bmod q$ and $k_i' = \Delta_i - (s \cdot \Phi_i)_x \bmod q = k_i$ when $S_i = B_i$, and $f(B_i) \neq 0$, $\Delta_i = (k_i \cdot f(B_i) \cdot P + s \cdot \Phi_i)_x + k_i \bmod q$ and $k_i' = \Delta_i - (s \cdot \Phi_i)_x \bmod q = (k_i \cdot f(B_i) \cdot P + s \cdot \Phi_i)_x + k_i - (s \cdot \Phi_i)_x \bmod q \neq k_i$ when $S_i \neq B_i$. Because of the ECDLP, the seller can get no information about $B_1, B_2, \ldots, B_n$ unless he/she is determined to be the final winner.
From the above, the proposed protocol ensures bid privacy because the buyer gets no information about S1, S2,…, Sn, and the seller can get no information about B1, B2,…, Bn. □
Theory 2. 
Our protocol protects the bidder’s identity such that a bribed buyer cannot conduct illegal activities that would compromise fairness.
Proof. 
In our protocol, the ECC is adopted instead of Paillier’s encryption. Thus, a seller does not need to prepare a pair of keys. Instead, a seller can utilize the shared system parameters $\Omega = \{F_q, E/F_q, G_q, P, h()\}$ to encrypt messages. The only distinguishing information related to a seller’s identity is his/her private key $s$. In the bidding phase, the seller computes $f(x) = \sum_{i=0}^{n} \alpha_i x^i \bmod q$, $R = r\cdot P$ and $C_i = \alpha_i\cdot P + s\cdot r\cdot P \bmod q$ for $i = 0, 1, 2, \ldots, n$, and then he/she sends $C_0, C_1, C_2, \ldots, C_n$ and $R$ to the buyer. Because of the ECDLP, it is impossible for a buyer to retrieve $s$ from $C_0, C_1, C_2, \ldots, C_n$ and $R$. That is, no useful information about $s$ can be obtained. Moreover, in the proposed protocol, the buyer only needs $C_0, C_1, C_2, \ldots, C_n$, $R$ and the shared system parameters to execute homomorphic operations, while no information related to the seller’s identity is needed. As a result, the buyer cannot be aware of who the seller of the corresponding bid is. Furthermore, a buyer cannot conduct similar illegal operations that compromise the fairness of the auction. □
Theory 3. 
Our protocol supports a multi-attribute auction.
Proof. 
In our protocol, Bichler et al.’s proposed configurable offer is adopted. In the system setup phase, the buyer publishes the bid-attribute set $\{A_1, A_2, \ldots, A_n\}$, denoting that the submitted bid should have $n$ attributes. In the bidding phase, the seller organizes his/her bid $\{S_1, S_2, \ldots, S_n\}$ with respect to the published $\{A_1, A_2, \ldots, A_n\}$, and the buyer uses $\{B_1, B_2, \ldots, B_n\}$ to execute the homomorphic operation by computing $\Delta_i = (k_i\cdot\sum_{j=0}^{n} B_i^j\cdot C_j)_x + k_i \bmod q$ and $\Phi_i = (k_i\cdot\sum_{j=0}^{n} B_i^j)\cdot R$ for $i = 1, 2, \ldots, n$. In the winner determination phase, the buyer can decide the final winner with the preference of $\{A_1, A_2, \ldots, A_n\}$. □
From the above, our protocol supports multiple attributes instead of multiple items. Moreover, the proposed protocol can be easily extended to support multi-item auctions if multiple buyers participate in the auction and each of them performs the steps shown above.
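The exchange used in the proofs of Theory 1 to Theory 3, written out as an added Python example that is not the authors' code: the seller's bidding step, the buyer's homomorphic evaluation, and the seller's recovery of $k_i$. It assumes secp256k1 as the shared curve (field prime written p, order of P written q); the function names and the integer attribute encodings are constructed for illustration.

```python
# Added illustration, not the authors' code. Assumption: secp256k1 stands in for the
# shared parameters; p is the field prime and q the order of the base point P.
import secrets

p = 2**256 - 2**32 - 977
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, A):  # double-and-add, scalar reduced mod q
    k, out = k % q, None
    while k:
        if k & 1:
            out = add(out, A)
        A, k = add(A, A), k >> 1
    return out

def bid(S, s):  # seller: f(x) = prod(x - S_i) mod q, R = r*P, C_i = alpha_i*P + s*r*P
    alpha = [1]
    for root in S:  # multiply the running polynomial by (x - root), lowest degree first
        alpha = [(lo - root * cur) % q for lo, cur in zip([0] + alpha, alpha + [0])]
    R = mul(secrets.randbelow(q - 1) + 1, P)
    sR = mul(s, R)
    return [add(mul(a, P), sR) for a in alpha], R

def evaluate(C, R, B_i):  # buyer: k_i, Delta_i and Phi_i from C_0..C_n, R and B_i only
    k, acc, powsum = secrets.randbelow(q - 1) + 1, None, 0
    for j, Cj in enumerate(C):
        acc, powsum = add(acc, mul(pow(B_i, j, q), Cj)), powsum + pow(B_i, j, q)
    return k, (mul(k, acc)[0] + k) % q, mul(k * powsum, R)

def recover(s, delta, Phi):  # seller: Delta_i - (s*Phi_i)_x mod q
    return (delta - mul(s, Phi)[0]) % q

def seller_recovers_k(S, B_i):  # True iff the seller ends up with the buyer's k_i
    s = secrets.randbelow(q - 1) + 1  # seller's private key
    C, R = bid(S, s)
    k, delta, Phi = evaluate(C, R, B_i)
    return recover(s, delta, Phi) == k
```

With the constructed bid `[1200, 30, 5]`, `seller_recovers_k` returns `True` for a buyer value of 1200 or 5 and `False` for 45, because only the first two are roots of the seller's polynomial.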
Theory 4. 
Our protocol can resist attack 1 and attack 2 mentioned in the “Adversary Model”.
Proof. 
By Theory 1, our protocol protects bid privacy for each bidder. Thus, with $C_0, C_1, C_2, \ldots, C_n$ and $R$, the buyer cannot get any bid information about $S_1, S_2, \ldots, S_n$. Furthermore, the buyer cannot mount attack 1 and attack 2 because the basis of these two attacks is the disclosure of bid contents. Thus, our protocol can resist attack 1 and attack 2 mentioned in the “Adversary Model”. □
We compare the security properties of our protocol with those of five other multi-attribute auction protocols in Table 1. In Table 1, “○” denotes that a property is supported, and “△” denotes that it is not supported. These five protocols were chosen for comparison because they support multi-attribute auctions. Table 1 shows that our protocol is superior to the other five protocols because it achieves more security properties than they do. Because the basis of attack 1 and attack 2 is the disclosure of bid contents, only Shi’s protocol [4] and our protocol can resist them. In addition, our protocol protects the bidder’s identity while Shi’s protocol [4] cannot.

7. Conclusions

In this paper, we proposed a protocol with the ECC to improve the security properties of Shi’s secure multi-attribute auction mechanism. First, we discussed the bribery problem in a reverse-auction situation. Second, we pointed out the security defect of the original proposal, i.e., sellers’ identities can be revealed to buyers due to the property of Paillier’s cryptosystem. Furthermore, a bribed buyer can input an unreasonable attribute set, such as an extremely high price or extremely early delivery date, into the comparing function; as a result, sellers who have not bribed the buyer cannot win the auction, and no one can detect these actions. We designed a novel reverse auction for government procurement which does not reveal any information about the identities of the sellers, precluding buyers from taking any illegal actions that could compromise the fairness of the auction. The correctness proof and the security proof showed that our protocol was correct and that it has better security properties than some similar protocols proposed previously. With our proposed protocol, bids could be sealed properly so that not only the determination of the final winner could be digitized and conducted efficiently but also the bribing problem could be solved. In the future, we will further explore the blockchain technique and try to extend the applicability of the reverse auction for government procurement.

Author Contributions

Conceptualization, C.-C.L. and C.-C.C.; formal analysis, Y.-F.C.; writing—original draft preparation, Y.-Z.Z.; project administration, C.-C.C.; funding acquisition, C.-C.L. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the Ministry of Science and Technology (MOST), Taiwan, grant number 108-2410-H-126-021.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Xiong, H.; Qin, Z.; Li, F. An anonymous sealed-bid electronic auction based on ring signature. Int. J. Netw. Secur. 2009, 8, 236–243.
  2. Rivest, R.L.; Shamir, A.; Tauman, Y. How to leak a secret. In Advances in Cryptology—ASIACRYPT 2001; Springer: Berlin/Heidelberg, Germany, 2001; pp. 552–565.
  3. Li, W.; Larson, M.; Hu, C.; Li, R.; Cheng, X.; Bie, R. Secure Multi-unit sealed first-price auction mechanisms. Secur. Commun. Netw. 2016, 9, 3833–3843.
  4. Shi, W. A provable secure sealed-bid multi-attribute auction scheme under semi-honest model. Int. J. Commun. Syst. 2014, 27, 3738–3747.
  5. Chang, C.C.; Cheng, T.F.; Chen, W.Y. A novel electronic English auction system with a secure on-shelf mechanism. IEEE Trans. Inf. Forens. Secur. 2013, 8, 657–668.
  6. Bos, J.W.; Halderman, J.A.; Heninger, N.; Moore, J.; Naehrig, M.; Wustrow, E. Elliptic curve cryptography in practice. In Financial Cryptography and Data Security; Springer: Berlin/Heidelberg, Germany, 2014; pp. 157–175.
  7. Chang, C.C.; Cheng, T.F. An efficient proxy raffle protocol with anonymity-preserving. Comput. Stand. Interfaces 2009, 31, 772–778.
  8. Karakaya, G.; Köksalan, M. An interactive approach for multi-attribute auctions. Decis. Support Syst. 2011, 51, 299–306.
  9. Lee, J.S.; Lin, K.S. An innovative electronic group-buying system for mobile commerce. Electron. Commer. Res. Appl. 2013, 12, 1–13.
  10. Suzuki, K.; Yokoo, M. Secure Multi-attribute Procurement Auction. Inf. Secur. Appl. 2006, 3570, 306–317.
  11. Shih, D.H.; Cheng, C.H.; Shen, J.C. A secure protocol of reverse discriminatory auction with bid privacy. In Proceedings of the International Conference on the Management of Mobile Business, ICMB 2007, Toronto, ON, Canada, 9–11 July 2007.
  12. Parkes, D.C.; Rabin, M.O.; Shieber, S.M.; Thorpe, C. Practical secrecy-preserving, verifiably correct and trustworthy auctions. Electron. Commer. Res. Appl. 2008, 7, 294–312.
  13. Srinath, T.R.; Kella, S.; Jenamani, M. A new secure protocol for multi-attribute multi-round e-reverse auction using online trusted third party. In Proceedings of the 2011 Second International Conference on Emerging Applications of Information Technology (EAIT), Kolkata, India, 19–20 February 2011; IEEE: Piscataway, NJ, USA, 2011; pp. 149–152.
  14. Srinath, T.R.; Singh, M.P.; Pais, A.R. Anonymity and verifiability in multi-attribute reverse auction. Int. J. Inf. Technol. Converg. Serv. 2011, 1.
  15. Xiong, H.; Chen, Z.; Li, F. Bidder-anonymous English auction protocol based on revocable ring signature. Expert Syst. Appl. 2012, 3, 7062–7066.
  16. Nojoumian, M.; Stinson, D.R. Efficient sealed-bid auction protocols using verifiable secret sharing. In Information Security Practice and Experience; Springer International Publishing: Berlin/Heidelberg, Germany, 2014; pp. 302–317.
  17. Freedman, M.J.; Nissim, K.; Pinkas, B. Efficient private matching and set intersection. In Advances in Cryptology-EUROCRYPT; Springer: Berlin/Heidelberg, Germany, 2004; pp. 1–19.
  18. Paillier, P. Public-key cryptosystems based on composite degree residuosity classes. In LNCS, Proceedings of the EUROCRYPT’99, Prague, Czech Republic, 2–6 May 1999; Springer Science & Business Media: Berlin/Heidelberg, Germany, 1999; Volume 1592, pp. 223–238.
  19. Baranwal, G.; Vidyarthi, D.P. A truthful and fair multi-attribute combinatorial reverse auction for resource procurement in cloud computing. IEEE Trans. Serv. Comput. 2019, 12, 851–864.
  20. Kumar, D.; Baranwal, G.; Raza, Z.; Vidyarthi, D.P. Fair Mechanisms for combinatorial reverse auction-based cloud market. In Information Communication Technology for Intelligent Systems; Springer: Singapore, 2019; Volume 107.
  21. Zhou, H.; Chen, X.; He, S.; Chen, J. DRAIM: A novel delay-constraint and reverse auction-based incentive mechanism for WiFi offloading. IEEE J. Sel. Areas Commun. 2020, 38, 711–722.
  22. Xiao, M.; Ma, K.; Liu, A.; Zhao, H.; Li, Z. Sra: Secure reverse auction for task assignment in spatial crowdsourcing. IEEE Trans. Knowl. Data Eng. 2020, 32, 782–796.
  23. Rivest, R.L.; Shamir, A.; Adleman, L. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 1983, 26, 96–99.
  24. Miller, V.S. Use of elliptic curves in cryptography, advances in cryptology. In LNCS, Proceedings of the CRYPT’85, Santa Barbara, CA, USA, 18–22 August 1985; Springer Science & Business Media: Berlin/Heidelberg, Germany, 1985; Volume 218, pp. 417–426.
  25. Koblitz, N. Elliptic curve cryptosystems. Math Comput. 1987, 48, 203–209.
  26. Tan, Z.; Liu, Z.; Tang, C. Digital proxy blind signature schemes based on DLP and ECDLP. MM Res. Prepr. 2002, 21, 212–217.
Figure 1. Different kinds of auctions: (a) Forward auction, (b) Reverse auction and (c) Double auction.
Figure 2. Process of our protocol.
Table 1. Security comparison of our proposal with the others. TTP: trusted third party.
Methods (columns): Srinath et al. [13]; Srinath et al. [14]; Shi [4]; Baranwal et al. [19]; Kumar et al. [20]; Ours
Properties (rows): Multi-attribute; Without TTP; Bid privacy; Identity Privacy; Attack 1; Attack 2
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Lin, C.-C.; Chang, Y.-F.; Chang, C.-C.; Zheng, Y.-Z. A Fair and Secure Reverse Auction for Government Procurement. Sustainability 2020, 12, 8567. https://doi.org/10.3390/su12208567

Chicago/Turabian Style

Lin, Chia-Chen, Ya-Fen Chang, Chin-Chen Chang, and Yao-Zhu Zheng. 2020. "A Fair and Secure Reverse Auction for Government Procurement" Sustainability 12, no. 20: 8567. https://doi.org/10.3390/su12208567
