A Fair and Secure Reverse Auction for Government Procurement

: With the development of e-commerce, the electronic auction is attracting the attention of many people. Many Internet companies, such as eBay and Yahoo!, have launched online auction systems. Many researchers have studied the security problems of electronic auction systems, but few of them are multi-attribute-based. In 2014, Shi proposed a provable secure, sealed-bid, and multi-attribute auction protocol based on the semi-honest model. We evaluated this protocol and found that it has some design weaknesses and is vulnerable to the illegal operations of buyers, which results in unfairness. In this paper, we improved this protocol by replacing the Paillier’s cryptosystem with the elliptic curve discrete (ECC), and we designed a novel, online, and multi-attribute reverse-auction system using the semi-honest model. In our system, sellers’ identities are not revealed to the buyers, and the buyers cannot conduct illegal operations that may compromise the fairness of the auction.


Introduction
In recent years, electronic commerce, also known as e-commerce, has developed quickly. More and more consumers prefer to shop on the Internet for convenience and other benefits. As a kind of e-commerce, e-auctions also have attracted much attention. Many Internet companies, such as eBay and Yahoo!, have launched online auction platforms. Many governments have also participated in online procurement auctions. However, most of them may partially digitalize the procedure of proposal collection. As for the determination of the final winner, either it is mainly proceeded by operators rather than the digitized and automated operation or the bids have not been properly protected so that bribing problems would occur in online government procurements.
Based on whether they have opening bid prices, auctions can be classified into two types including sealed-bid auctions and open auctions [1]. Furthermore, open auctions can be classified into English auctions and Dutch auctions. In an English auction, the auctioneer publishes a basic price, and bidders openly submit their bids. The bid price should be higher than the basic price, and the auction will be terminated if no bidders submit a higher price. The bidder who submits the highest price wins the auction. In a Dutch auction, the auctioneer publishes a basic price at the beginning of the auction. If no one wishes to pay this price, the auctioneer decreases the price until some bidder accepts it, and this bidder becomes the winner.
Based on the numbers of buyers and sellers, auctions can be classified into one-side auctions and double auctions [2]. In one-side auctions, there are several buyers in the auction for one seller or vice versa. The former situation is called a forward auction that is used commonly in antique auctions. In a reverse auction, there are multiple sellers for a single buyer, as shown in Figure 1b, which gives buyers a chance to find the lowest-price seller. This type of auction includes governments that invite, for example, tenders for the construction of infrastructure. As for the double auction, it is a combination of forward and reverse auctions. In other words, in double auctions, there are many buyers and sellers in the process. A good example of a double auction is the stock market.
Based on how they determine the winner, auctions can be classified into single-attribute auctions and multi-attribute auctions [3,4]. In a single-attribute auction, the price is often the only determinant of the auction. In multi-attribute auctions, more determinants influence the results of the auction, such as price, the quality of the product, the delivery date, and so on. Many researchers have studied security issues in online auctions using various cryptographic methods, such as symmetrical encryptions and asymmetrical encryptions, different types of digital signatures, such as ring signature [5], message authentication codes, secret sharing, and secure multiparty computation. These methods are intended to solve security and other issues in online auctions, such as the privacy of bids, the privacy of the bidders' identities, and the efficient operation of the auction. However, most of these methods are used to solve the above issues of single-attribute auctions. Only a few of the related research results are applicable to problems in multi-attribute auctions [6][7][8][9]. In 2006, Suzuki et al. [10] proposed a protocol for multi-attribute auctions that required a trusted authority. In 2007, Shih et al. [11] proposed a method with a shared hash chain to deal with multiple items in an online auction, but it was not applicable for multi-attribute auctions. In 2008, Parkes et al. [12] used homomorphic encryption in a multiple-item auction to protect the privacy of the bids. However, it still was not suitable for multi-attribute auctions. In 2009, Xiong et al. [1] proposed a ring signature-based auction to protect bidders' identities in the forward auction, but the implementation of their proposal would require a large computational cost. In 2011, Srinath et al. [13] proposed the involvement of a trusted third party to protect the privacy of bids. However, since sealed bids must be opened at the end of the auction to compute a scoring function, their privacy cannot be fully protected. Also in 2011, Srinath et al. [14] extended Parkes et al.'s [12] homomorphic encryption-based protocol to a multi-attribute protocol, but the auctioneer still had to open the bids at the end of the auction. In other words, the privacy of the bid with their method is still compromised. In 2012, Xiong et al. [15] proposed a revocable ring signature to protect bidders' privacy, but it was proven to be vulnerable to DoS attack. In 2013, Chang et al. [5] proposed a secure English auction system with an on-shelf phase in order to improve Xiong et al.'s [15] proposal, but the new system had a linkability defect that meant the attacker could link different messages together to trace the user's identity. In 2014, Nojoumian et al. [16] proposed a sealed-bid auction with verifiable secret sharing. However, it was a single-attribute-based auction. Also in 2014, Shi [4] utilized the private set intersection proposed by Freedman et al. [17] and Paillier's [18] encryption system to protect the privacy of bids in multi-attribute auctions.
In 2008, Parkes et al. [12] addressed the bribing problem in government procurements. A government procurement auction is a kind of reverse auction. A bribed government member could reveal the bids of other bidders to a bribed bidder, who could then enter a bid that was just slightly higher than the highest bid of the other bidders. Of course, the bribed bidder would benefit significantly from such an arrangement. Parkes et al. indicated that, in 1996, Siemens was barred from bidding in public procurement auctions in Singapore for five years. This was because the company bribed the chief executive of Singapore's public utility corporation in order to grasp information about rival bids in advance. As for mafia families in New York, they tend to pay bribes to know other bids before making their own bids for waste-disposal contracts. These illegal actions undermine the fairness of auctions and can result in the loss of the government's financial resources. More seriously, it may cause security problems in the infrastructure and in large projects intended to benefit society in general. Thus, it is apparent that it is essential to develop and propose a secure and fair online auction system for use with government procurements.
In 2014, Shi [4] proposed a provable secure, sealed-bid, multi-attribute auction protocol based on the semi-honest model. However, we found that it is vulnerable to the buyer's illegal operations, which can result in unfairness. In this paper, we improved this protocol with the elliptic curve cryptosystem (ECC) instead of the Paillier cryptosystem, and we designed a novel, online, multiattribute, reverse auction system based on the semi-honest model. In our proposed reverse auction, sellers' identities are not revealed to the buyers. Thus, a buyer cannot conduct illegal operations that would compromise the fairness of the auction. Moreover, our proposal can effectively solve the bribing problem in government procurements.
In 2016, Baranwal et al. [19] proposed a truthful and fair multi-attribute combinatorial reverse auction for resource procurement in cloud computing. In their scheme, the auction mechanism allows providers to reveal true information so that providers' benefit can be maximized. To prevent providers from cheating, a penalty mechanism is involved once providers do not provide services that were agreed in advance. In 2018, Kumar et al. [20] extended the application of the reverse auction to resource procurement in the cloud market. To reduce the probability of bidder drop and insufficient competition in the cloud market and then increase the revenues of providers, they proposed a combinational reverse-auction-based mechanism with the fairness features. It is noted that Baranwal [21], spatial crowdsourcing [22], etc. It is confirmed that the reverse auction has been getting attention over the last five years. In other words, how to apply either the cryptographic approach or other security approaches to secure the bids is becoming important.
Our paper is organized as follows. The preliminaries of our proposal are introduced in Section 2, and the security defects of Shi's proposal are analyzed in Section 3. Section 4 describes our system's adversary model, and an improved multi-attribute procurement auction is proposed in Section 5. In Section 6, we prove that our protocol is correct and analyze its security problems. Finally, conclusions are presented in Section 7.

Preliminaries
In this section, we introduce some basic tools which we need to use in our paper.

Configurable Offer
In a multi-attribute auction, first, the auctioneer or host of the auction should publish a set of attributes, which is designated as "A". Thus, A = (a, a2,…, an) represents the structure of a legal bid, where the term ak (k∈ [1,n]) is the price or non-price determinant, and n is the cardinality of set A which indicates the attribute number in a legal bid structure of this auction such as that A's cardinality is n above. Every attribute ak has a value domain (ak1, ak2,…, aki) where i denotes the cardinality of the value domain, and ak can be set to any value in its value domain. If a bidder wants to participate in an auction and submits a bid, he/she should organize a bid offer O = (o1, o2,…, on) as the published structure A where ok is the attribute value chosen from ak 's value domain (ak1, ak2,…, aki). The sequence of attributes is ranked by the buyer's preferences from most preferred to least preferred. We denote P(ok) as ak's preference, then P(o1) < P(o2) < … P(on). Buyers can choose the final winning bid according to this preference sequence.

Elliptic Curve Cryptosystem
The elliptic curve cryptosystem (ECC) is an asymmetric cryptosystem like RSA [23]. It was proposed independently by both Miller [24] and Koblitz [25] in 1985 and 1987, respectively. The key length of the ECC is 160 bits, compared with that of RSA such as 1024 bits, which is relatively short but achieves the same security requirement. Therefore, the ECC has been widely used in many cryptographic schemes in the last decade.
An elliptic curve [10,13] is defined over a finite field Fp by equation Ep(a,b): All points on this elliptic curve form a cyclic group. Two operations can be defined. Firstly, the addition operation of this group is defined as if points P, Q, R∈Ep(a, b) are in one line, then P + Q + R = O. Secondly, for the multiplication operation, given an integer s ∈F* p and a point P∈Ep(a,b), s•P over Ep(a, b) denotes P + P + P … + P in s times. If P is symmetrical with P′ about the X axis, then P + P = O. Furthermore, point P is a base point with an order n if and only if n•P = O.

Elliptic Curve Discrete Logarithm Problem
Given two points P and Q over Ep(a,b), it is very difficult to find an integer s ∈F* p such that Q = sP [26].

Private Set Intersection
In 2004, Freedman et al. [17] addressed problems related to a two-party set intersection in a semihonest and malicious environment. Assume P1 is a participant with dataset X = {x1, x2, …,xk} and P2 is a participant with dataset Y = {y1,y2,…,yk} when participating in the set intersection protocol. Both datasets X and Y are drawn from a certain common domain. First, P1 sets up a semantically secure homomorphic encryption system and publishes the public parameters. Next, P1 constructs a polynomial py = (y − x1)(y − x2)…(y − xk) = ∑k i = 1ai•y i of degree k with roots x1, x2,…,xk and sends P2 encrypted coefficients Enc(a1), Enc(a2), …, Enc(ak). Because of the homomorphic properties of the encryption system, P2 evaluates P1′s polynomial at each point y in his or her dataset by computing Enc(r•p(yi) + yi) with a random constant r for each yi. After decrypting the cipher text, P1 finally obtains the value of the corresponding element for each of the elements in X∩Y, whereas the result is random for all other values.

Homomorphic Property of the ECC
Given a secret key SK = s∈Z* p, the corresponding public key PK = s•P, two plaintexts m1, m2 encrypted with the same public key PK and the same random number r are chosen: C1 = m1 + (PK•r)x mod q, C2 = m2 + (PK•r)x mod q. Let R = r•P. The corresponding cipher texts of m1, m2 are (C1, R), (C2, R), respectively. We can get the following property: It is noted that we do not use this approach to encrypt the message in our proposed protocol. By contrast, we encrypt the message as the following: Therefore with SK, decrypt the message as: Furthermore, given an integer k, Therefore with SK, decrypt the message as: (km1)•P = kC1 − SK•(kR) mod q.

Paillier Encryption System
(1) Keformatted as listy generation phase: Select two large prime numbers p, q randomly, and make sure they are independent of each other such that gcd(pq,(p − 1)(q − 1)) = 1. Compute n = p•q and Ensure n divides the order of g (by checking the existence of the following modular multiplicative inverse: μ = (L(g λ mod n 2 )) −1 mod n (L(u) = u − 1/n). Note that the public key is (n, g), and the private key is (λ, μ).
(2) Encryption phase: Let m denote the message to be encrypted, and then select a random number r∈Z* n to derive the cipher text as c = g m •r n mod n 2 . Some homomorphic properties in Paillier's cryptosystem are listed below: Homomorphic addition: Homomorphic multiplication: More generally, D(E(m1, r1) k mod n 2 ) = k•m1 mod n.

Semi-Honest Model
Here, computational indistinguishability is defined as: let

Related Work
In 2014, Shi [4] utilized the private set intersection proposed by Freedman et al. [17] and Paillier's [18] encryption system to protect the privacy of bids. Unfortunately, we should point out that buyers can do illegal things that are contrary to fairness in Shi's proposal. In the original proposal, bids were submitted by sellers in Paillier's cryptosystem cipher text. Buyers compared the bid price with the expected attributes set in the cipher text to determine the best matching result without revealing information concerning the sellers' bids. However, buyers' homomorphic operations must use an identity-connected public key which results in revealing the identity of the bidder. Later, the buyer can determine which bids do not belong to bribed bids and stem the winning of the unbribed bidders. For example, a bribed buyer will use an unreasonable set of attributes such as an extremely high price or extremely early delivery date as input into the matching process. This will result in the unfairness of the bidding because even if an optimum bid was submitted it will not be determined as the winner.
Shi's protocol has three phases, i.e., the planning phase, the bidding phase, and the winner determination and verification phase. In the planning phase, the buyer organizes some information of the auction such as its set of attributes and deadline, then the buyer publishes them on a bulletin board. Sellers can get this information from the bulletin board. In the bidding phase, buyers and sellers can compare their bids using the above-mentioned technique of private set intersection. In the winner determination and verification phase, a buyer can decide the winner by comparing the result in the bidding phase and the preference of attributes. This process is described in detail below.

Planning Phase
The buyer announces the auction deadline T, the auction identifier IDauc, and the auction attribute set A and the cardinality of bid t.

Winner Determination and Verification Phase
Seller Sj checks if equation H(ri) = H(Ni) holds or not. If several sellers satisfy this property, then buyer Bi will choose one winner according to the buyer's preferences, i.e., Prefer(o1) < Prefer(o2) < … < Prefer(ot).

Security Defects
In the original protocol, Shi used Paillier's encryption. We can see that in Paillier's encryption system, the public key is (n, g), and the private key is (λ, μ). Furthermore, the buyer does not need to encrypt or decrypt messages, but the seller still needs the public key (n, g) to conduct the homomorphic operations for the property of Paillier's encryption system. In the original proposal, the seller should use this additional homomorphic property, i.e., D(E(m1, r1)⋅g m2 mod n2) = m1 + m2 mod n. We can see that public key (n, g) is needed in this operation. As we analyzed before, with the public key, the seller can determine the buyer's identity since each public key is unique and can be linked to the corresponding buyer, then he/she can do some illegal operations. For example, after receiving an encrypted bid from the seller, the buyer can use an unreasonable set of attributes {S1, S2,…, Sn} (the price set as extremely big and delivery date set as extremely early) as input into f(x). Obviously, no one can get correct ki except for a bribed seller. Moreover, no one except the buyer himself/herself can discover this unfair bid matching operation.

Adversary Model
A TTP (trusted third party) is used extensively in many online auction systems no matter if it is a trusted third party or semi-trusted third party [17,25]. However, in reality, no fully trusted party exists. For example, if we consider the government as a fully trusted party, then the bribery problem mentioned above comes out. Thus, some secure online auction protocols without a TTP have been proposed to solve the problem of security having to depend on a TTP. In fact, every entity in the network has the potential to do some illegal things to gain profit.
The security of our protocol does not rely on a TTP. In our protocol, n sellers and a buyer exist. Furthermore, a bulletin board is needed so that some information about the auction can be published to assist in running the auction. Our protocol focuses on the reverse auction, and it was designed based on one buyer and n sellers. In addition, if desired, it can be extended easily to the double auction like Shi's auction protocol [4].
In essence, government procurement can be treated as a reverse auction. It means that a reverse auction designed for government procurement should prevent all potential attacks that exist in the conventional reverse auction. However, there are some unique problems that only occur in government procurement and deserve further investigation. Here, we define two kinds of potential attacks that may occur in the context of government procurement as follows.
(1) The auctioneer may allow a bribed bidder to modify his/her bid and win the auction by revealing information about other bids before the auction is closed or by inserting a bid for the bribed bidder after reviewing other bidders' bids. This allows the bribed bidder to win at the best possible price. This is denoted as attack 1 in government procurement. (2) A bribed bidder may be allowed to change his/her bid even if the auction has closed in order to obtain a better price or win the auction, respectively. Bribes can be received before bids are made in exchange for a promise to modify the bidder's bid to maximize the bribing bidder's benefit. This is denoted as attack 2 in government procurement.
A secure reverse auction should defy these two attacks when used in government procurement, and these are what our proposed auction protocol is designed to withstand.

Proposed Protocol
In this section, our protocol is shown in detail. Our protocol is composed of three phases: system setup, bidding phase, and winner determination and verification phase. In the system setup phase, the buyer generates some system parameters for encryption and structures the bids on the bulletin board for the system to operate. All sellers can get the corresponding information from the bulletin board. In the bidding phase, bidders can submit their organized bids to the buyer, and the buyer executes the matching operation with the homomorphic property of ECC encryption. The computational results are published on the bulletin board. In the winner determination and verification phase, the buyer determines who the winner of this auction is. If more than one seller meets the conditions, the buyer will choose one winner as the preference sequence of each attribute. The proposed protocol is depicted in Figure 2, and the details are as follows.

System Setup Phase
Before the system operates, the buyer inputs a security parameter κ∈Z + and generates a set of system parameters Ω = {Fq, E/Fq, Gq, P, h()}, where q is a κ-bit prime number, Fq is a finite field, E/Fq is an elliptic curve over Fq of order q, Gq is an elliptical cyclic group on E/Fq, P is the generator of Gq, and h() is a collision-resistant one-way hash function.
Then, the buyer publishes Ω on the bulletin board. The buyer generates a bid-attribute set A = {A1, A2, …, An} as the determinant of the auction and publishes A on the bulletin board. The attributes in A are ordered by the preference sequence. The buyer organizes a set {B1, B2,…, Bn} that denotes his/her expected attribute's values, where Bk is a value in Ak 's value domain for k = 1, 2,…, n.

Bidding Phase
If a bidder wants to anticipate this auction and sell products or services to the buyer, he/she gets the system parameter Ω from the bulletin board and chooses a random number s∈Zq* as his/her private key. Then, the seller organizes his/her offer's bid-attribute set {S1, S2, …, Sn}.
When the buyer gets C0, C1, C2,…, Cn and R, he/she chooses a random number ki∈Zq* and computes Δi = (ki⋅∑ For i = 1, 2,…, n, the seller uses his/her private key s to compute ki′ = Δi − (s⋅Φi)x mod q and publishes ki ' on the bulletin board. Each seller follows the same procedure presented above.

Winner Determination and Verification Phase
For i = 1, 2,…, n, the buyer checks whether h(ki) = h(ki ' ). According to the buyer's preference, the buyer determines the winner with the matched indices i's. If Prefer(A1) < Prefer(A2) … < Prefer(An), the buyer obtains the largest index i of each seller such that h(ki) = h(ki′), and the seller with the largest index is the winner.

Correctness Proof and Security Analysis
In this section, the correctness of the proposed protocol will be proven, and the corresponding security analysis will be made.

Correctness Proof
In the proposed protocol, only when a seller's set of offer attributes has some intersection with the buyer's set of expected attributes, the seller can get ki for the matched Ai to ensure the correctness of the proposed protocol. In the following, why the correctness of the proposed protocol is ensured is shown in detail.
The buyer computes Δi by the following equation: As shown above, According to the correctness proof shown above, only the sellers can get the correct ki's when their sets of offer attributes have some intersection with the buyer's set of expected attributes. On the other hand, when a seller's set of offer attributes has no intersection with the buyer's set of expected attributes, he/she can get no ki to have himself/herself determined to be a winner. Thus, it can be concluded that our designed protocol ensures correctness such that a seller can be regarded as a candidate of the winner only when his/her set of offer attributes has some intersection with the buyer's set of expected attributes.

Security Analysis
In this section, the security analysis of the proposed protocol is made to demonstrate that the proposed protocol can ensure bid privacy, protect a bidder's identity to prevent illegal activities from compromising fairness, support multi-attribute auction, and resist attack 1 and attack 2 in the "Adversary Model". Then, comparisons of security properties between our protocol and other multiattribute auction protocols are given. The details are as follows.

Theory 1. Our protocol protects bid privacy.
Proof. In the bidding phase, the seller computes f(x) = ∑ n i=0 αix i mod q, R = r⋅P and Ci = αi ⋅P + s⋅r⋅P mod q for i = 0, 1, 2,…, n, where s is his/her private key. According to the elliptic curve discrete logarithm problem (ECDLP), it is very difficult to find an integer β such that Q = β⋅P. That is, from C0, C1, C2, …, Cn and R, the buyer can get no information about r, αi and s because of the ECDLP. Because it denotes that S1, S2, …, Sn can be retrieved only when all of α0, α1, α2, …, αn are known. Although αn must be 1, S1, S2, …, Sn are still kept concealed becauseα0, α1, α2, …, αn-1 are unknown. Consequently, the buyer cannot know anything about S1, S2,…, Sn. On the other hand, Δi = (ki⋅∑ From the above, the proposed protocol ensures bid privacy because the buyer gets no information about S1, S2,…, Sn, and the seller can get no information about B1, B2,…, Bn. □ Theory 2. Our protocol protects the bidder's identity such that a bribed buyer cannot conduct illegal activities that would compromise fairness. Proof. In our protocol, the ECC is adopted instead of Paillier's encryption. Thus, a seller does not need to prepare a pair of keys. Instead, a seller can utilize shared system parameters Ω = {Fq, E/Fq, Gq, P, h()} to encrypt messages. The distinguished information related to a seller's identity is his/her private key s only. In the bidding phase, the seller computes f(x) = ∑ n i=0 αix i mod q, R = r⋅P and Ci = αi ⋅P + s⋅r⋅P mod q for i = 0, 1, 2,…, n, and then he/she sends C0, C1, C2,…, Cn and R to the buyer. Because of the ECDLP, it is impossible for a buyer to retrieve s from C0, C1, C2,…, Cn and R. That is, no useful information about s can be obtained. Moreover, in the proposed protocol, the buyer only needs C0, C1, C2,…, Cn, R and the shared system parameters to execute homomorphic operations while no information related to the seller's identity is needed. As a result, the buyer cannot be aware of who the seller of the corresponding bid is. Furthermore, a buyer cannot conduct similar illegal operations that compromise the fairness of the auction. □  Proof. By Theory 1, our protocol protects bid privacy for each bidder. Thus, with C0, C1, C2,…, Cn and R, the buyer cannot get any bid information about S1, S2, …, Sn. Furthermore, the buyer cannot mount attack 1 and attack 2 because the basis of these two attacks is revealing of bid contents. Thus, our protocol can resist attack 1 and attack 2 mentioned in the "Adversary Model". □ We make comparisons of security properties between our protocol and other five multi-attribute auction protocols in Table 1. In Table 1, "○" denotes this property is supported, and "△" denotes this property is not supported. Why these five protocols are shown to make comparisons with ours is because they support multi-attribute action. Table 1 shows that our protocol is superior to the other five protocols because it achieves more security properties than them. Because the basis of attack 1 and attack 2 is revealing of bid contents, only Shi's protocol [4] and our protocol can resist them. In addition, our protocol protects the bidder's identity while Shi's protocol [4] cannot. Table 1. Security comparison of our proposal with the others. TTP: trusted third party.

Conclusions
In this paper, we proposed a protocol with the ECC to improve the security property of Shi's secure multi-attribute auction mechanism. First, we discussed the bribery problem in a reverseauction situation. Second, we pointed out the security defect of the original proposal, i.e., sellers' identities can be revealed to buyers due to the property of Paillier's cryptosystem. Furthermore, a bribed buyer can use an unreasonable-attribute set, such as an extremely high price or extremely early delivery date, inputting it into the comparing function, and as a result, sellers who have not bribed cannot win the auction, and no one can find these actions. We designed a novel reverse auction for government procurement which does not reveal any information about the identities of the sellers, precluding buyers from taking any illegal actions that could compromise the fairness of the auction. The correctness proof and the security proof showed that our protocol was correct and that it has better security properties than some similar protocols proposed previously. With our proposed protocol, bids could be sealed properly so that not only the determination of the final winner could be digitized and conducted efficiently but also the bribing problem could be solved. In the future, we will further explore the blockchain technique and try to extend the applicability of the reverse auction for government procurement.

Conflicts of Interest:
The authors declare no conflict of interest.