sustainability

Article A Fair and Secure Reverse for Government

Chia-Chen Lin 1,*, Ya-Fen Chang 2, Chin-Chen Chang 3 and Yao-Zhu Zheng 4

1 Department of Computer Science and Information Engineering, National Chin-Yi University of Technology, Taichung 41170, Taiwan 2 Department of Computer Science and Information Engineering, National Taichung University of Science and Technology, Taichung 40401, Taiwan; [email protected] 3 Department of Information Engineering and Computer Science, Feng Chia University, Taichung 40724, Taiwan; [email protected] 4 Department of Computer Science, National Tsing Hua University, Hsinchu 30013, Taiwan; [email protected] * Correspondence: [email protected]

Received: 21 August 2020; Accepted: 12 October 2020; Published: 16 October 2020

Abstract: With the development of e-commerce, the electronic auction is attracting the attention of many people. Many Internet companies, such as eBay and Yahoo!, have launched systems. Many researchers have studied the security problems of electronic auction systems, but few of them are multi-attribute-based. In 2014, Shi proposed a provable secure, sealed-bid, and multi-attribute auction protocol based on the semi-honest model. We evaluated this protocol and found that it has some design weaknesses and is vulnerable to the illegal operations of buyers, which results in unfairness. In this paper, we improved this protocol by replacing the Paillier’s cryptosystem with the elliptic curve discrete (ECC), and we designed a novel, online, and multi-attribute reverse-auction system using the semi-honest model. In our system, sellers’ identities are not revealed to the buyers, and the buyers cannot conduct illegal operations that may compromise the fairness of the auction.

Keywords: auction; government procurement; e-commerce; information security

1. Introduction

In recent years, electronic commerce, also known as e-commerce, has developed quickly. More and more consumers prefer to shop on the Internet for convenience and other benefits. As a kind of e-commerce, e- also have attracted much attention. Many Internet companies, such as eBay and Yahoo!, have launched online auction platforms. Many governments have also participated in online procurement auctions. However, most of them only partially digitalize the procedure of proposal collection. As for the determination of the final winner, either it is mainly carried out by operators rather than by a digitized and automated operation, or the bids have not been properly protected, so that bribing problems would occur in online government .

Based on whether they have opening bid prices, auctions can be classified into two types: sealed-bid auctions and open auctions [1]. Furthermore, open auctions can be classified into English auctions and Dutch auctions. In an English auction, the auctioneer publishes a basic price, and bidders openly submit their bids. The bid price should be higher than the basic price, and the auction will be terminated if no bidders submit a higher price. The bidder who submits the highest price wins the auction. In a Dutch auction, the auctioneer publishes a basic price at the beginning of the auction. If no one wishes to pay this price, the auctioneer decreases the price until some bidder accepts it, and this bidder becomes the winner.

Sustainability 2020, 12, 8567; doi:10.3390/su12208567 www.mdpi.com/journal/sustainability

Based on the numbers of buyers and sellers, auctions can be classified into one-side auctions and double auctions [2]. In one-side auctions, there are several buyers in the auction for one seller or vice versa. The former situation is called a forward auction that is used commonly in antique auctions. In a reverse auction, there are multiple sellers for a single buyer, as shown in Figure 1b, which gives buyers a chance to find the lowest-price seller. This type of auction includes governments that invite, for example, tenders for the construction of infrastructure. As for the double auction, it is a combination of forward and reverse auctions. In other words, in double auctions, there are many buyers and sellers in the process. A good example of a double auction is the stock market.

Figure 1. Different kinds of auctions: (a) Forward auction, (b) Reverse auction and (c) Double auction.

Based on how they determine the winner, auctions can be classified into single-attribute auctions and multi-attribute auctions [3,4]. In a single-attribute auction, the price is often the only determinant of the auction. In multi-attribute auctions, more determinants influence the results of the auction, such as price, the quality of the product, the delivery date, and so on.

Many researchers have studied security issues in online auctions using various cryptographic methods, such as symmetrical encryptions and asymmetrical encryptions, different types of digital signatures, such as ring signature [5], message authentication codes, secret sharing, and secure multiparty computation. These methods are intended to solve security and other issues in online auctions, such as the privacy of bids, the privacy of the bidders’ identities, and the efficient operation of the auction. However, most of these methods are used to solve the above issues of single-attribute auctions. Only a few of the related research results are applicable to problems in multi-attribute auctions [6–9]. In 2006, Suzuki et al. [10] proposed a protocol for multi-attribute auctions that required a trusted authority. In 2007, Shih et al. [11] proposed a method with a shared hash chain to deal with multiple items in an online auction, but it was not applicable for multi-attribute auctions. In 2008, Parkes et al. [12] used homomorphic encryption in a multiple-item auction to protect the privacy of the bids. However, it still was not suitable for multi-attribute auctions. In 2009, Xiong et al. [1] proposed a ring signature-based auction to protect bidders’ identities in the forward auction, but the implementation of their proposal would require a large computational cost. In 2011, Srinath et al. [13] proposed the involvement of a trusted third party to protect the privacy of bids. However, since sealed bids must be opened at the end of the auction to compute a scoring function, their privacy cannot be fully protected. Also in 2011, Srinath et al. [14] extended Parkes et al.’s [12] homomorphic encryption-based protocol to a multi-attribute protocol, but the auctioneer still had to open the bids at the end of the auction. In other words, the privacy of the bid with their method is still compromised. In 2012, Xiong et al. [15] proposed a revocable ring signature to protect bidders’ privacy, but it was proven to be vulnerable to DoS attack. In 2013, Chang et al. [5] proposed a secure English auction system with an on-shelf phase in order to improve Xiong et al.’s [15] proposal, but the new system had a linkability defect that meant the attacker could link different messages together to trace the user’s identity.

In 2014, Nojoumian et al. [16] proposed a sealed-bid auction with verifiable secret sharing. However, it was a single-attribute-based auction. Also in 2014, Shi [4] utilized the private set intersection proposed by Freedman et al. [17] and Paillier’s [18] encryption system to protect the privacy of bids in multi-attribute auctions. In 2008, Parkes et al. [12] addressed the bribing problem in government procurements. A government procurement auction is a kind of reverse auction. A bribed government member could reveal the bids of other bidders to a bribed bidder, who could then enter a bid that was just slightly higher than the highest bid of the other bidders. Of course, the bribed bidder would benefit significantly from such an arrangement. Parkes et al. indicated that, in 1996, Siemens was barred from in public procurement auctions in Singapore for five years. This was because the company bribed the chief executive of Singapore’s public utility corporation in order to grasp information about rival bids in advance. As for mafia families in New York, they tend to pay bribes to know other bids before making their own bids for waste-disposal contracts. These illegal actions undermine the fairness of auctions and can result in the loss of the government’s financial resources. More seriously, it may cause security problems in the infrastructure and in large projects intended to benefit society in general. Thus, it is apparent that it is essential to develop and propose a secure and fair online auction system for use with government procurements. In 2014, Shi [4] proposed a provable secure, sealed-bid, multi-attribute auction protocol based on the semi-honest model. However, we found that it is vulnerable to the buyer’s illegal operations, which can result in unfairness. 
In this paper, we improved this protocol with the elliptic curve cryptosystem (ECC) instead of the Paillier cryptosystem, and we designed a novel, online, multi-attribute, reverse auction system based on the semi-honest model. In our proposed reverse auction, sellers’ identities are not revealed to the buyers. Thus, a buyer cannot conduct illegal operations that would compromise the fairness of the auction. Moreover, our proposal can effectively solve the bribing problem in government procurements. In 2016, Baranwal et al. [19] proposed a truthful and fair multi-attribute combinatorial reverse auction for resource procurement in cloud computing. In their scheme, the auction mechanism allows providers to reveal true information so that providers’ benefit can be maximized. To prevent providers from cheating, a penalty mechanism is involved once providers do not provide services that were agreed in advance. In 2018, Kumar et al. [20] extended the application of the reverse auction to resource procurement in the cloud market. To reduce the probability of bidder drop and insufficient competition in the cloud market and then increase the revenues of providers, they proposed a combinational reverse-auction-based mechanism with the fairness features. It is noted that Baranwal et al.’s and Kumar et al.’s schemes involved extensive simulations to prove their performance. Both of them focused on how to apply the reverse auction to assist resource procurement in the cloud market from the efficiency, instead of security, point of view. Following Baranwal et al.’s and Kumar et al.’s ideas, more and more scholars have applied the reverse auction to various domains, such as WiFi offloading [21], spatial crowdsourcing [22], etc. It is confirmed that the reverse auction has been getting attention over the last five years. In other words, how to apply either the cryptographic approach or other security approaches to secure the bids is becoming important. 
Our paper is organized as follows. The preliminaries of our proposal are introduced in Section 2, and the security defects of Shi’s proposal are analyzed in Section 3. Section 4 describes our system’s adversary model, and an improved multi-attribute procurement auction is proposed in Section 5. In Section 6, we prove that our protocol is correct and analyze its security problems. Finally, conclusions are presented in Section 7.

2. Preliminaries

In this section, we introduce some basic tools which we need to use in our paper.

2.1. Configurable Offer

In a multi-attribute auction, first, the auctioneer or host of the auction should publish a set of attributes, which is designated as “A”. Thus, $A = (a_1, a_2, \ldots, a_n)$ represents the structure of a legal bid, where the term $a_k$ ($k \in [1, n]$) is the price or non-price determinant, and $n$ is the cardinality of set $A$, which indicates the number of attributes in a legal bid structure of this auction. Every attribute $a_k$ has a value domain $(a_{k1}, a_{k2}, \ldots, a_{ki})$, where $i$ denotes the cardinality of the value domain, and $a_k$ can be set to any value in its value domain. If a bidder wants to participate in an auction and submits a bid, he/she should organize a bid offer $O = (o_1, o_2, \ldots, o_n)$ as the published structure $A$, where $o_k$ is the attribute value chosen from $a_k$’s value domain $(a_{k1}, a_{k2}, \ldots, a_{ki})$. The sequence of attributes is ranked by the buyer’s preferences from most preferred to least preferred. We denote $P(o_k)$ as $a_k$’s preference, then $P(o_1) < P(o_2) < \ldots < P(o_n)$. Buyers can choose the final winning bid according to this preference sequence.

2.2. Elliptic Curve Cryptosystem

The elliptic curve cryptosystem (ECC) is an asymmetric cryptosystem like RSA [23]. It was proposed independently by both Miller [24] and Koblitz [25] in 1985 and 1987, respectively. The key length of the ECC is 160 bits, which is relatively short compared with that of RSA, such as 1024 bits, but achieves the same security requirement. Therefore, the ECC has been widely used in many cryptographic schemes in the last decade.

An elliptic curve [10,13] is defined over a finite field $F_p$ by the equation $E_p(a, b): y^2 = x^3 + ax + b$, where $p$ is a large prime, $p > 3$, and $4a^3 + 27b^2 \neq 0 \bmod p$. All points on this elliptic curve form a cyclic group. Two operations can be defined. Firstly, the addition operation of this group is defined as follows: if points $P, Q, R \in E_p(a, b)$ are in one line, then $P + Q + R = O$. Secondly, for the multiplication operation, given an integer $s \in F_p^*$ and a point $P \in E_p(a, b)$, $s \cdot P$ over $E_p(a, b)$ denotes $P + P + P + \ldots + P$ in $s$ times. If $P$ is symmetrical with $P'$ about the X axis, then $P + P' = O$. Furthermore, point $P$ is a base point with an order $n$ if and only if $n \cdot P = O$.

2.3. Elliptic Curve Discrete Logarithm Problem

Given two points $P$ and $Q$ over $E_p(a, b)$, it is very difficult to find an integer $s \in F_p^*$ such that $Q = sP$ [26].

2.4. Private Set Intersection

In 2004, Freedman et al. [17] addressed problems related to a two-party set intersection in a semi-honest and malicious environment. Assume $P_1$ is a participant with dataset $X = \{x_1, x_2, \ldots, x_k\}$ and $P_2$ is a participant with dataset $Y = \{y_1, y_2, \ldots, y_k\}$ when participating in the set intersection protocol. Both datasets $X$ and $Y$ are drawn from a certain common domain. First, $P_1$ sets up a semantically secure homomorphic encryption system and publishes the public parameters. Next, $P_1$ constructs a polynomial $p(y) = (y - x_1)(y - x_2) \cdots (y - x_k) = \sum_{i=1}^{k} a_i \cdot y^i$ of degree $k$ with roots $x_1, x_2, \ldots, x_k$ and sends $P_2$ the encrypted coefficients $Enc(a_1), Enc(a_2), \ldots, Enc(a_k)$. Because of the homomorphic properties of the encryption system, $P_2$ evaluates $P_1$’s polynomial at each point $y_i$ in his or her dataset by computing $Enc(r \cdot p(y_i) + y_i)$ with a random constant $r$ for each $y_i$. After decrypting the cipher text, $P_1$ finally obtains the value of the corresponding element for each of the elements in $X \cap Y$, whereas the result is random for all other values.

2.5. Homomorphic Property of the ECC

Given a secret key $SK = s \in \mathbb{Z}_p^*$ and the corresponding public key $PK = s \cdot P$, two plaintexts $m_1$, $m_2$ encrypted with the same public key $PK$ and the same random number $r$ are chosen:

$$C_1 = m_1 + (PK \cdot r)_x \bmod q,$$
$$C_2 = m_2 + (PK \cdot r)_x \bmod q.$$

Let $R = r \cdot P$. The corresponding cipher texts of $m_1$, $m_2$ are $(C_1, R)$, $(C_2, R)$, respectively. We can get the following property:

$$C_1 + C_2 = m_1 + (PK \cdot r)_x + m_2 + (PK \cdot r)_x \bmod q$$
$$= (m_1 + m_2) + 2 (PK \cdot r)_x \bmod q$$
$$= (m_1 + m_2) + 2 (SK \cdot R)_x \bmod q.$$

Therefore with $SK$, decrypt the message as $m_1 + m_2 = C_1 + C_2 - 2 (SK \cdot R)_x \bmod q$. It is noted that we do not use this approach to encrypt the message in our proposed protocol. By contrast, we encrypt the message as the following:

$$C_1 = m_1 \cdot P + PK \cdot r \bmod q,$$
$$C_2 = m_2 \cdot P + PK \cdot r \bmod q.$$

Then:

$$C_1 + C_2 = m_1 \cdot P + PK \cdot r + m_2 \cdot P + PK \cdot r \bmod q$$
$$= (m_1 + m_2) P + 2 PK \cdot r \bmod q.$$

Therefore with $SK$, decrypt the message as:

$$(m_1 + m_2) \cdot P = C_1 + C_2 - 2 SK \cdot R \bmod q.$$

Furthermore, given an integer $k$,

$$k \cdot C_1 = k m_1 \cdot P + k \cdot PK \cdot r$$
$$= (k m_1) \cdot P + SK \cdot (kR).$$

Therefore with $SK$, decrypt the message as:

$$(k m_1) \cdot P = k C_1 - SK \cdot (kR) \bmod q.$$

2.6. Paillier Encryption System

(1) Key generation phase: Select two large prime numbers $p$, $q$ randomly, and make sure they are independent of each other such that $\gcd(pq, (p - 1)(q - 1)) = 1$. Compute $n = p \cdot q$ and $\lambda = \mathrm{lcm}(p - 1, q - 1)$. Select a random number $g \in \mathbb{Z}_{n^2}^*$. Ensure $n$ divides the order of $g$ by checking the existence of the following modular multiplicative inverse: $\mu = (L(g^{\lambda} \bmod n^2))^{-1} \bmod n$, where $L(u) = (u - 1)/n$. Note that the public key is $(n, g)$, and the private key is $(\lambda, \mu)$.

(2) Encryption phase: Let $m$ denote the message to be encrypted, and then select a random number $r \in \mathbb{Z}_n^*$ to derive the cipher text as $c = g^m \cdot r^n \bmod n^2$.

(3) Decryption phase: $m = L(c^{\lambda} \bmod n^2) \cdot \mu \bmod n$.

Some homomorphic properties in Paillier’s cryptosystem are listed below.

Homomorphic addition:

$$D(E(m_1, r_1) \cdot E(m_2, r_2) \bmod n^2) = m_1 + m_2 \bmod n,$$
$$D(E(m_1, r_1) \cdot g^{m_2} \bmod n^2) = m_1 + m_2 \bmod n.$$

Homomorphic multiplication:

$$D(E(m_1, r_1)^{m_2} \bmod n^2) = m_1 \cdot m_2 \bmod n.$$

More generally, $D(E(m_1, r_1)^{k} \bmod n^2) = k \cdot m_1 \bmod n$.
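The private set intersection of Section 2.4 run over the Paillier system of Section 2.6, as an added example that is not code from the paper; it shows that the evaluating party needs nothing but the public key (n, g) and the encrypted coefficients. Assumptions: toy Mersenne primes, g = n + 1, and all k + 1 coefficients a_0 to a_k are sent.

```python
# Added illustration of Sections 2.4 and 2.6 combined; not code from the paper.
import math
import secrets


def keygen(p=2**61 - 1, q=2**89 - 1):
    """Toy Paillier key from two Mersenne primes (far too small for real use)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                            # assumption: a standard valid g
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)       # (L(g^lam mod n^2))^-1 mod n
    return (n, g), (lam, mu)


def encrypt(pk, m):
    """c = g^m * r^n mod n^2 with fresh random r."""
    n, g = pk
    r = secrets.randbelow(n - 1) + 1
    return pow(g, m % n, n * n) * pow(r, n, n * n) % (n * n)


def decrypt(pk, sk, c):
    """m = L(c^lam mod n^2) * mu mod n."""
    (n, _), (lam, mu) = pk, sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def p1_publish(pk, xs):
    """P1: coefficients of p(y) = prod (y - x_i) mod n, encrypted one by one."""
    n, coeffs = pk[0], [1]
    for x in xs:  # multiply the running polynomial by (y - x)
        coeffs = [(lo - x * hi) % n for lo, hi in zip([0] + coeffs, coeffs + [0])]
    return [encrypt(pk, a) for a in coeffs]


def p2_evaluate(pk, enc_coeffs, ys):
    """P2: Enc(r*p(y) + y) for each y, using only the public key (n, g)."""
    n, g = pk
    n2, out = n * n, []
    for y in ys:
        enc_p = 1
        for i, c in enumerate(enc_coeffs):
            enc_p = enc_p * pow(c, pow(y, i, n), n2) % n2   # E(a_i)^(y^i) adds a_i*y^i
        r = secrets.randbelow(n - 1) + 1
        out.append(pow(enc_p, r, n2) * pow(g, y, n2) % n2)  # scale by r, then add y
    return out


def intersection(xs, ys):
    """P1 decrypts P2's replies; values that land in X are the common elements."""
    pk, sk = keygen()
    replies = p2_evaluate(pk, p1_publish(pk, xs), ys)
    return sorted(v for v in (decrypt(pk, sk, c) for c in replies) if v in set(xs))


if __name__ == "__main__":
    # Constructed sample datasets.
    print(intersection([3, 17, 42, 99], [5, 17, 99, 1000]))
```
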

2.7. Semi-Honest Model

Here, computational indistinguishability is defined as: let $S \subseteq \{0, 1\}^*$. Two ensembles (indexed by $S$), $X \stackrel{\mathrm{def}}{=} \{X_\omega\}_{\omega \in S}$ and $Y \stackrel{\mathrm{def}}{=} \{Y_\omega\}_{\omega \in S}$, are computationally indistinguishable if for every family of polynomial-size circuits $\{D_n\}_{n \in \mathbb{N}}$, there exists a negligible function $\mu: \mathbb{N} \to [0, 1]$ so that

$$\left| \Pr[D_n(\omega, X_\omega) = 1] - \Pr[D_n(\omega, Y_\omega) = 1] \right| < \mu(|\omega|).$$

In such a case, $X \stackrel{c}{=} Y$ is concluded.

According to computational indistinguishability defined above, protocol $\pi$ is concluded to securely compute deterministic functionality $f$ in the presence of static semi-honest adversaries if probabilistic polynomial-time simulators $S_1$ and $S_2$ exist, such that:

$$\{S_1(x, f(x, y))\}_{x, y \in \{0,1\}^*} \stackrel{c}{=} \{\mathrm{view}_1^{\pi}(x, y)\}_{x, y \in \{0,1\}^*},$$
$$\{S_2(x, f(x, y))\}_{x, y \in \{0,1\}^*} \stackrel{c}{=} \{\mathrm{view}_2^{\pi}(x, y)\}_{x, y \in \{0,1\}^*} \quad (|x| = |y|).$$

3. Related Work

In 2014, Shi [4] utilized the private set intersection proposed by Freedman et al. [17] and Paillier’s [18] encryption system to protect the privacy of bids. Unfortunately, we should point out that buyers can do illegal things that are contrary to fairness in Shi’s proposal. In the original proposal, bids were submitted by sellers in Paillier’s cryptosystem cipher text. Buyers compared the bid price with the expected attributes set in the cipher text to determine the best matching result without revealing information concerning the sellers’ bids. However, buyers’ homomorphic operations must use an identity-connected public key which results in revealing the identity of the bidder. Later, the buyer can determine which bids do not belong to bribed bids and stem the winning of the unbribed bidders. For example, a bribed buyer will use an unreasonable set of attributes such as an extremely high price or extremely early delivery date as input into the matching process. This will result in the unfairness of the bidding because even if an optimum bid was submitted it will not be determined as the winner.
Shi’s protocol has three phases, i.e., the planning phase, the bidding phase, and the winner determination and verification phase. In the planning phase, the buyer organizes some information of the auction such as its set of attributes and deadline, then the buyer publishes them on a bulletin board. Sellers can get this information from the bulletin board. In the bidding phase, buyers and sellers can compare their bids using the above-mentioned technique of private set intersection. In the winner determination and verification phase, a buyer can decide the winner by comparing the result in the bidding phase and the preference of attributes. This process is described in detail below.

3.1. Planning Phase

The buyer announces the auction deadline T, the auction identifier IDauc, and the auction attribute set A and the cardinality of bid t.

3.2. Bidding Phase

(1) Buyer $B_i$ organizes offer $Bid_{B_i} = \{o_1, o_2, \ldots, o_t\}$, and seller $S_j$ organizes offers $Bid_{S_j}$ where $Bid_{S_j} = \{a_1, a_2, \ldots, a_t\}$.

(2) Seller $S_j$ computes a polynomial $f_{s_j}(x) = (x - a_1) \cdot (x - a_2) \cdots (x - a_t) = \sum_{i=0}^{t} \alpha_i x^i$, and $S_j$ encrypts $\alpha_i$ and publishes $ID$, $E_{SK_{S_j}}(\alpha_0), E_{SK_{S_j}}(\alpha_1), \ldots, E_{SK_{S_j}}(\alpha_t)$, where $SK_{S_j}$ is $S_j$’s private key, and $E()$ is the Paillier encryption.

(3) For each $o_i \in Bid_{B_i}$ ($1 \le i \le t$), the buyer $B_i$ chooses a random $r_i$, where $1 \le i \le t$, and computes $C_1, C_2, \ldots, C_t$ and $H(r_i)$, where $C_i = E_{PK_{S_j}}(r_i \cdot f_{s_j}(o_i) + r_i)$, and publishes $C_1, C_2, \ldots, C_t$ and $H(r_i)$ on a bulletin board, where the function $H: \{0,1\}^* \to \{0,1\}^*$ is a random oracle and $*$ denotes Kleene closure.

(4) $S_j$ decrypts $C_i = E_{PK_{S_j}}(r_i \cdot f_{s_j}(o_i) + r_i)$ and publishes $N_i = D_{SK_{S_j}}(E_{PK_{S_j}}(r_i \cdot f_{s_j}(o_i) + r_i))$ on the bulletin board according to Section 2.4.

3.3. Winner Determination and Verification Phase

Seller Sj checks if equation H(ri) = H(Ni) holds or not. If several sellers satisfy this property, then buyer Bi will choose one winner according to the buyer’s preferences, i.e., Prefer(o1) < Prefer(o2) < ... < Prefer(ot).

3.4. Security Defects

In the original protocol, Shi used Paillier’s encryption. We can see that in Paillier’s encryption system, the public key is $(n, g)$, and the private key is $(\lambda, \mu)$. Furthermore, the buyer does not need to encrypt or decrypt messages, but the seller still needs the public key $(n, g)$ to conduct the homomorphic operations for the property of Paillier’s encryption system. In the original proposal, the seller should use this additional homomorphic property, i.e., $D(E(m_1, r_1) \cdot g^{m_2} \bmod n^2) = m_1 + m_2 \bmod n$. We can see that public key $(n, g)$ is needed in this operation. As we analyzed before, with the public key, the seller can determine the buyer’s identity since each public key is unique and can be linked to the corresponding buyer, then he/she can do some illegal operations. For example, after receiving an encrypted bid from the seller, the buyer can use an unreasonable set of attributes $\{S_1, S_2, \ldots, S_n\}$ (the price set as extremely big and delivery date set as extremely early) as input into $f(x)$. Obviously, no one can get correct $k_i$ except for a bribed seller. Moreover, no one except the buyer himself/herself can discover this unfair bid matching operation.

4. Adversary Model

A TTP (trusted third party) is used extensively in many online auction systems no matter if it is a trusted third party or semi-trusted third party [17,25]. However, in reality, no fully trusted party exists. For example, if we consider the government as a fully trusted party, then the bribery problem mentioned above comes out. Thus, some secure online auction protocols without a TTP have been proposed to solve the problem of security having to depend on a TTP. In fact, every entity in the network has the potential to do some illegal things to gain profit. The security of our protocol does not rely on a TTP. In our protocol, n sellers and a buyer exist. Furthermore, a bulletin board is needed so that some information about the auction can be published to assist in running the auction.

Our protocol focuses on the reverse auction, and it was designed based on one buyer and n sellers. In addition, if desired, it can be extended easily to the double auction like Shi’s auction protocol [4]. In essence, government procurement can be treated as a reverse auction. It means that a reverse auction designed for government procurement should prevent all potential attacks that exist in the conventional reverse auction. However, there are some unique problems that only occur in government procurement and deserve further investigation. Here, we define two kinds of potential attacks that may occur in the context of government procurement as follows.

(1) The auctioneer may allow a bribed bidder to modify his/her bid and win the auction by revealing information about other bids before the auction is closed or by inserting a bid for the bribed bidder after reviewing other bidders’ bids. This allows the bribed bidder to win at the best possible price. This is denoted as attack 1 in government procurement.

(2) A bribed bidder may be allowed to change his/her bid even if the auction has closed in order to obtain a better price or win the auction, respectively. Bribes can be received before bids are made in exchange for a promise to modify the bidder’s bid to maximize the bribing bidder’s benefit. This is denoted as attack 2 in government procurement.

A secure reverse auction should defy these two attacks when used in government procurement, and these are what our proposed auction protocol is designed to withstand.

5. Proposed Protocol

In this section, our protocol is shown in detail. Our protocol is composed of three phases: system setup, bidding phase, and winner determination and verification phase. In the system setup phase, the buyer generates some system parameters for encryption and structures the bids on the bulletin board for the system to operate. All sellers can get the corresponding information from the bulletin board. In the bidding phase, bidders can submit their organized bids to the buyer, and the buyer executes the matching operation with the homomorphic property of ECC encryption. The computational results are published on the bulletin board. In the winner determination and verification phase, the buyer determines who the winner of this auction is. If more than one seller meets the conditions, the buyer will choose one winner according to the preference sequence of the attributes. The proposed protocol is depicted in Figure 2, and the details are as follows.

Figure 2. Process of our protocol. (Diagram columns: Buyer, Bulletin Board, Seller; stages: System Setup Phase, Bidding Phase, Winner Determination and Verification Phase.)

5.1. System Setup Phase

Before the system operates, the buyer inputs a security parameter $\kappa \in \mathbb{Z}^+$ and generates a set of system parameters $\Omega = \{F_q, E/F_q, G_q, P, h()\}$, where $q$ is a $\kappa$-bit prime number, $F_q$ is a finite field, $E/F_q$ is an elliptic curve over $F_q$ of order $q$, $G_q$ is an elliptical cyclic group on $E/F_q$, $P$ is the generator of $G_q$, and $h()$ is a collision-resistant one-way hash function.

Then, the buyer publishes $\Omega$ on the bulletin board. The buyer generates a bid-attribute set $A = \{A_1, A_2, \ldots, A_n\}$ as the determinant of the auction and publishes $A$ on the bulletin board. The attributes in $A$ are ordered by the preference sequence. The buyer organizes a set $\{B_1, B_2, \ldots, B_n\}$ that denotes his/her expected attribute’s values, where $B_k$ is a value in $A_k$’s value domain for $k = 1, 2, \ldots, n$.

5.2. Bidding Phase

If a bidder wants to participate in this auction and sell products or services to the buyer, he/she gets the system parameter $\Omega$ from the bulletin board and chooses a random number $s \in \mathbb{Z}_q^*$ as his/her private key. Then, the seller organizes his/her offer’s bid-attribute set $\{S_1, S_2, \ldots, S_n\}$.

The seller computes the polynomial $f(x) = (x - S_1) \cdot (x - S_2) \cdots (x - S_n) \bmod q = \sum_{i=0}^{n} \alpha_i x^i \bmod q$. The seller chooses a random number $r \in \mathbb{Z}_q^*$ and computes $R = r \cdot P$. For $i = 0, 1, 2, \ldots, n$, the seller computes $C_i = \alpha_i \cdot P + s \cdot r \cdot P \bmod q$. Then, the seller sends $C_0, C_1, C_2, \ldots, C_n$ and $R$ to the buyer.

When the buyer gets $C_0, C_1, C_2, \ldots, C_n$ and $R$, he/she chooses a random number $k_i \in \mathbb{Z}_q^*$ and computes $\Delta_i = (k_i \cdot \sum_{j=0}^{n} B_i^j \cdot C_j)_x + k_i \bmod q$ and $\Phi_i = (k_i \cdot \sum_{j=0}^{n} B_i^j) \cdot R$ for $i = 1, 2, \ldots, n$. For $i = 1, 2, \ldots, n$, the buyer computes $h(k_i)$ and keeps $h(k_i)$. The buyer sends $(\Delta_i, \Phi_i)$’s to the seller.

For $i = 1, 2, \ldots, n$, the seller uses his/her private key $s$ to compute $k_i' = \Delta_i - (s \cdot \Phi_i)_x \bmod q$ and publishes $k_i'$ on the bulletin board. Each seller follows the same procedure presented above.

5.3. Winner Determination and Verification Phase

For $i = 1, 2, \ldots, n$, the buyer checks whether $h(k_i) = h(k_i')$. According to the buyer's preference, the buyer determines the winner with the matched indices $i$'s. If $\mathrm{Prefer}(A_1) < \mathrm{Prefer}(A_2) < \cdots < \mathrm{Prefer}(A_n)$, the buyer obtains the largest index $i$ of each seller such that $h(k_i) = h(k_i')$, and the seller with the largest index is the winner.

6. Correctness Proof and Security Analysis

In this section, the correctness of the proposed protocol will be proven, and the corresponding security analysis will be made.

Sustainability 2020, 12, 8567 9 of 12


6.1. Correctness Proof

In the proposed protocol, only when a seller's set of offer attributes has some intersection with the buyer's set of expected attributes, the seller can get $k_i$ for the matched $A_i$ to ensure the correctness of the proposed protocol. In the following, why the correctness of the proposed protocol is ensured is shown in detail. The buyer computes $\Delta_i$ by the following equation:

$$
\begin{aligned}
\Delta_i &= \Big(k_i \cdot \sum_{j=0}^{n} B_i^{j} \cdot C_j\Big)_x + k_i \bmod q \\
&= \Big(k_i \cdot \sum_{j=0}^{n} B_i^{j} \cdot (\alpha_j \cdot P + s \cdot r \cdot P)\Big)_x + k_i \bmod q \\
&= \Big(k_i \cdot \sum_{j=0}^{n} B_i^{j} \cdot \alpha_j \cdot P + k_i \cdot \sum_{j=0}^{n} B_i^{j} \cdot s \cdot r \cdot P\Big)_x + k_i \bmod q \\
&= \Big(k_i \cdot \sum_{j=0}^{n} B_i^{j} \cdot \alpha_j \cdot P + s \cdot k_i \cdot \sum_{j=0}^{n} B_i^{j} \cdot r \cdot P\Big)_x + k_i \bmod q \\
&= \big(k_i \cdot f(B_i) \cdot P + s \cdot \Phi_i\big)_x + k_i \bmod q
\end{aligned}
$$

As shown above, $f(x) = (x - S_1) \cdot (x - S_2) \cdots (x - S_n) \bmod q = \sum_{i=0}^{n} \alpha_i x^i \bmod q$, and the order of $E/F_q$ is $q$. If some $S_i$ equals $B_i$, $f(B_i) = 0$ and $\Delta_i = (s \cdot \Phi_i)_x + k_i \bmod q$. Thereupon, the seller can use his/her private key $s$ to get $k_i' = \Delta_i - (s \cdot \Phi_i)_x \bmod q = k_i$ with the received $(\Delta_i, \Phi_i)$'s when $S_i = B_i$. On the other hand, if no $S_i$ is equal to $B_i$, $f(B_i) \neq 0$ and $\Delta_i = (k_i \cdot f(B_i) \cdot P + s \cdot \Phi_i)_x + k_i \bmod q$. Then, when the seller uses his/her private key $s$, he/she gets $k_i' = \Delta_i - (s \cdot \Phi_i)_x \bmod q = (k_i \cdot f(B_i) \cdot P + s \cdot \Phi_i)_x + k_i - (s \cdot \Phi_i)_x \bmod q \neq k_i$.

According to the correctness proof shown above, sellers can get the correct $k_i$'s only when their sets of offer attributes have some intersection with the buyer's set of expected attributes. On the other hand, when a seller's set of offer attributes has no intersection with the buyer's set of expected attributes, he/she can get no $k_i$ to have himself/herself determined to be a winner. Thus, it can be concluded that our designed protocol ensures correctness such that a seller can be regarded as a candidate of the winner only when his/her set of offer attributes has some intersection with the buyer's set of expected attributes.
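The three phases of Section 5 and the cancellation argument of Section 6.1, run end to end in Python. This is an added example, not the authors' code: it assumes secp256k1 as the curve, SHA-256 as h(), $(\cdot)_x$ read as the x-coordinate of a point, and all scalar and $\Delta_i$ arithmetic reduced modulo the group order `N`; the function names are illustrative.

```python
import hashlib
import secrets

# Assumption: secp256k1 stands in for E/Fq; the paper does not name a curve.
FP = 2**256 - 2**32 - 977  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of P
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP

def mul(k, pt):  # double-and-add scalar multiplication (demo only, not constant time)
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def x_of(pt):
    return 0 if pt is None else pt[0]  # x-coordinate; 0 for the point at infinity

def h(k):
    return hashlib.sha256(k.to_bytes(32, "big")).hexdigest()

def seller_bid(S, s):
    """Return (C_0..C_n, R) with C_i = alpha_i*P + s*r*P."""
    alpha = [1]
    for root in S:  # multiply the running polynomial by (x - root) mod N
        alpha = [(lo - root * hi) % N for lo, hi in zip([0] + alpha, alpha + [0])]
    R = mul(secrets.randbelow(N - 1) + 1, G)  # R = r*P
    mask = mul(s, R)
    return [add(mul(a, G), mask) for a in alpha], R

def buyer_challenge(B, C, R):
    """For each expected value B_i return (Delta_i, Phi_i, h(k_i))."""
    out = []
    for b in B:
        k = secrets.randbelow(N - 1) + 1
        powers = [pow(b, j, N) for j in range(len(C))]
        acc = None
        for bj, Cj in zip(powers, C):
            acc = add(acc, mul(bj, Cj))  # sum_j B_i^j * C_j
        out.append(((x_of(mul(k, acc)) + k) % N, mul(k * sum(powers), R), h(k)))
    return out

def matched(S, B):
    """One run; entry i is True iff h(k_i') == h(k_i), k_i' = Delta_i - (s*Phi_i)_x."""
    s = secrets.randbelow(N - 1) + 1  # seller's private key
    challenge = buyer_challenge(B, *seller_bid(S, s))
    return [h((d - x_of(mul(s, phi))) % N) == hk for d, phi, hk in challenge]
```

Because $f(B_i)$ vanishes whenever $B_i$ equals any of the seller's values, `matched([100, 30, 5], [30, 7, 100])` returns `[True, False, True]`: the check tests membership in the seller's set, which is the "intersection" the proof refers to.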

6.2. Security Analysis

In this section, the security analysis of the proposed protocol is made to demonstrate that the proposed protocol can ensure bid privacy, protect a bidder's identity to prevent illegal activities from compromising fairness, support multi-attribute auction, and resist attack 1 and attack 2 in the "Adversary Model". Then, comparisons of security properties between our protocol and other multi-attribute auction protocols are given. The details are as follows.

Theory 1. Our protocol protects bid privacy.

Proof. In the bidding phase, the seller computes $f(x) = \sum_{i=0}^{n} \alpha_i x^i \bmod q$, $R = r \cdot P$ and $C_i = \alpha_i \cdot P + s \cdot r \cdot P \bmod q$ for $i = 0, 1, 2, \ldots, n$, where $s$ is his/her private key. According to the elliptic curve discrete logarithm problem (ECDLP), it is very difficult to find an integer $\beta$ such that $Q = \beta \cdot P$. That is, from $C_0, C_1, C_2, \ldots, C_n$ and $R$, the buyer can get no information about $r$, $\alpha_i$ and $s$ because of the ECDLP. Because $f(x) = (x - S_1) \cdot (x - S_2) \cdots (x - S_n) \bmod q = \sum_{i=0}^{n} \alpha_i x^i \bmod q$, it denotes that $S_1, S_2, \ldots, S_n$ can be retrieved only when all of $\alpha_0, \alpha_1, \alpha_2, \ldots, \alpha_n$ are known. Although $\alpha_n$ must be 1, $S_1, S_2, \ldots, S_n$ are still kept concealed because $\alpha_0, \alpha_1, \alpha_2, \ldots, \alpha_{n-1}$ are unknown. Consequently, the buyer cannot know anything about $S_1, S_2, \ldots, S_n$.

On the other hand, $\Delta_i = (k_i \cdot \sum_{j=0}^{n} B_i^{j} \cdot C_j)_x + k_i \bmod q$ and $\Phi_i = (k_i \cdot \sum_{j=0}^{n} B_i^{j}) \cdot R$. As shown in the correctness proof, $f(B_i) = 0$, $\Delta_i = (s \cdot \Phi_i)_x + k_i \bmod q$ and $k_i' = \Delta_i - (s \cdot \Phi_i)_x \bmod q = k_i$ when $S_i = B_i$, and $f(B_i) \neq 0$, $\Delta_i = (k_i \cdot f(B_i) \cdot P + s \cdot \Phi_i)_x + k_i \bmod q$ and $k_i' = \Delta_i - (s \cdot \Phi_i)_x \bmod q = (k_i \cdot f(B_i) \cdot P + s \cdot \Phi_i)_x + k_i - (s \cdot \Phi_i)_x \bmod q \neq k_i$ when $S_i \neq B_i$. Because of the ECDLP, the seller can get no information about $B_1, B_2, \ldots, B_n$ unless he/she is determined to be the final winner. From the above, the proposed protocol ensures bid privacy because the buyer gets no information about $S_1, S_2, \ldots, S_n$, and the seller can get no information about $B_1, B_2, \ldots, B_n$. □

Theory 2. Our protocol protects the bidder's identity such that a bribed buyer cannot conduct illegal activities that would compromise fairness.

Proof. In our protocol, the ECC is adopted instead of Paillier's encryption. Thus, a seller does not need to prepare a pair of keys. Instead, a seller can utilize shared system parameters $\Omega = \{F_q, E/F_q, G_q, P, h()\}$ to encrypt messages. The distinguished information related to a seller's identity is his/her private key $s$ only. In the bidding phase, the seller computes $f(x) = \sum_{i=0}^{n} \alpha_i x^i \bmod q$, $R = r \cdot P$ and $C_i = \alpha_i \cdot P + s \cdot r \cdot P \bmod q$ for $i = 0, 1, 2, \ldots, n$, and then he/she sends $C_0, C_1, C_2, \ldots, C_n$ and $R$ to the buyer. Because of the ECDLP, it is impossible for a buyer to retrieve $s$ from $C_0, C_1, C_2, \ldots, C_n$ and $R$. That is, no useful information about $s$ can be obtained. Moreover, in the proposed protocol, the buyer only needs $C_0, C_1, C_2, \ldots, C_n$, $R$ and the shared system parameters to execute homomorphic operations while no information related to the seller's identity is needed. As a result, the buyer cannot be aware of who the seller of the corresponding bid is. Furthermore, a buyer cannot conduct similar illegal operations that compromise the fairness of the auction. □

Theory 3. Our protocol supports a multi-attribute auction.

Proof. In our protocol, Bichler et al.'s proposed configurable offer is adopted. In the system setup phase, the buyer publishes the bid-attribute set $\{A_1, A_2, \ldots, A_n\}$ denoting that the submitted bid should have $n$ attributes. In the bidding phase, the seller organizes his/her bid $\{S_1, S_2, \ldots, S_n\}$ with respect to the published $\{A_1, A_2, \ldots, A_n\}$, and the buyer uses $\{B_1, B_2, \ldots, B_n\}$ to execute the homomorphic operation by computing $\Delta_i = (k_i \cdot \sum_{j=0}^{n} B_i^{j} \cdot C_j)_x + k_i \bmod q$ and $\Phi_i = (k_i \cdot \sum_{j=0}^{n} B_i^{j}) \cdot R$ for $i = 1, 2, \ldots, n$. In the winner determination phase, the buyer can decide the final winner with the preference of $\{A_1, A_2, \ldots, A_n\}$. □

From the above, our protocol supports multiple attributes instead of multiple items. Moreover, the proposed protocol can be easily extended to support multi-item auction if multiple buyers participate in the auction and multiple buyers do the same thing shown above.

Theory 4. Our protocol can resist attack 1 and attack 2 mentioned in the "Adversary Model".

Proof. By Theory 1, our protocol protects bid privacy for each bidder. Thus, with $C_0, C_1, C_2, \ldots, C_n$ and $R$, the buyer cannot get any bid information about $S_1, S_2, \ldots, S_n$. Furthermore, the buyer cannot mount attack 1 and attack 2 because the basis of these two attacks is revealing of bid contents. Thus, our protocol can resist attack 1 and attack 2 mentioned in the "Adversary Model". □

We make comparisons of security properties between our protocol and other five multi-attribute auction protocols in Table 1. In Table 1, “ ” denotes this property is supported, and “ ” denotes this property is not supported. These five protocols are chosen for comparison with ours because they support multi-attribute auction. Table 1 shows that our protocol is superior to the other five protocols because it achieves more security properties than them. Because the basis of attack 1 and attack 2 is revealing of bid contents, only Shi's protocol [4] and our protocol can resist them. In addition, our protocol protects the bidder's identity while Shi's protocol [4] cannot.

Table 1. Security comparison of our proposal with the others. TTP: trusted third party.

Methods Srinath et al. [13] Srinath et al. [14] Shi [4] Baranwal et al. [19] Kumar et al. [20] Ours Properties Multi-attribute Without TTP ###### 4 4 4 Bid privacy ## # 4 4 4 4 Identity Privacy # # 4 4 4 Attack 1 ## # 4 4 4 4 Attack 2 # # 4 4 4 4 # #

7. Conclusions

In this paper, we proposed a protocol with the ECC to improve the security property of Shi's secure multi-attribute auction mechanism. First, we discussed the bribery problem in a reverse-auction situation. Second, we pointed out the security defect of the original proposal, i.e., sellers' identities can be revealed to buyers due to the property of Paillier's cryptosystem. Furthermore, a bribed buyer can use an unreasonable-attribute set, such as an extremely high price or extremely early delivery date, inputting it into the comparing function, and as a result, sellers who have not bribed cannot win the auction, and no one can find these actions. We designed a novel reverse auction for government procurement which does not reveal any information about the identities of the sellers, precluding buyers from taking any illegal actions that could compromise the fairness of the auction. The correctness proof and the security proof showed that our protocol was correct and that it has better security properties than some similar protocols proposed previously. With our proposed protocol, bids could be sealed properly so that not only the determination of the final winner could be digitized and conducted efficiently but also the bribing problem could be solved. In the future, we will further explore the blockchain technique and try to extend the applicability of the reverse auction for government procurement.

Author Contributions: Conceptualization, C.-C.L. and C.-C.C.; formal analysis, Y.-F.C.; writing—original draft preparation, Y.-Z.Z.; project administration, C.-C.C.; funding acquisition, C.-C.L. All authors have read and agreed to the published version of the manuscript.

Funding: This research was funded by Ministry of Science and Technology (MOST), Taiwan, grant number 108-2410-H-126-021.

Conflicts of Interest: The authors declare no conflict of interest.

References

1. Xiong, H.; Qin, Z.; Li, F. An anonymous sealed-bid electronic auction based on ring signature. Int. J. Netw. Secur. 2009, 8, 236–243.
2. Rivest, R.L.; Shamir, A.; Tauman, Y. How to leak a secret. In Advances in Cryptology—ASIACRYPT 2001; Springer: Berlin/Heidelberg, Germany, 2001; pp. 552–565.
3. Li, W.; Larson, M.; Hu, C.; Li, R.; Cheng, X.; Bie, R. Secure Multi-unit sealed first-price auction mechanisms. Secur. Commun. Netw. 2016, 9, 3833–3843.
4. Shi, W. A provable secure sealed-bid multi-attribute auction scheme under semi-honest model. Int. J. Commun. Syst. 2014, 27, 3738–3747.
5. Chang, C.C.; Cheng, T.F.; Chen, W.Y. A novel electronic English auction system with a secure on-shelf mechanism. IEEE Trans. Inf. Forens. Secur. 2013, 8, 657–668.
6. Bos, J.W.; Halderman, J.A.; Heninger, N.; Moore, J.; Naehrig, M.; Wustrow, E. Elliptic curve cryptography in practice. In Financial Cryptography and Data Security; Springer: Berlin/Heidelberg, Germany, 2014; pp. 157–175.
7. Chang, C.C.; Cheng, T.F. An efficient proxy raffle protocol with anonymity-preserving. Comput. Stand. Interfaces 2009, 31, 772–778.
8. Karakaya, G.; Köksalan, M. An interactive approach for multi-attribute auctions. Decis. Support Syst. 2011, 51, 299–306.
9. Lee, J.S.; Lin, K.S. An innovative electronic group-buying system for mobile commerce. Electron. Commer. Res. Appl. 2013, 12, 1–13.
10. Suzuki, K.; Yokoo, M. Secure Multi-attribute Procurement Auction. Inf. Secur. Appl. 2006, 3570, 306–317.
11. Shih, D.H.; Cheng, C.H.; Shen, J.C. A secure protocol of reverse discriminatory auction with bid privacy. In Proceedings of the International Conference on the Management of Mobile Business, ICMB 2007, Toronto, ON, Canada, 9–11 July 2007.
12. Parkes, D.C.; Rabin, M.O.; Shieber, S.M.; Thorpe, C. Practical secrecy-preserving, verifiably correct and trustworthy auctions. Electron. Commer. Res. Appl. 2008, 7, 294–312.
13. Srinath, T.R.; Kella, S.; Jenamani, M. A new secure protocol for multi-attribute multi-round e-reverse auction using online trusted third party. In Proceedings of the 2011 Second International Conference on Emerging Applications of Information Technology (EAIT), Kolkata, India, 19–20 February 2011; IEEE: Piscataway, NJ, USA, 2011; pp. 149–152.
14. Srinath, T.R.; Singh, M.P.; Pais, A.R. Anonymity and verifiability in multi-attribute reverse auction. Int. J. Inf. Technol. Converg. Serv. 2011, 1.
15. Xiong, H.; Chen, Z.; Li, F. Bidder-anonymous English auction protocol based on revocable ring signature. Expert Syst. Appl. 2012, 3, 7062–7066.
16. Nojoumian, M.; Stinson, D.R. Efficient sealed-bid auction protocols using verifiable secret sharing. In Information Security Practice and Experience; Springer International Publishing: Berlin/Heidelberg, Germany, 2014; pp. 302–317.
17. Freedman, M.J.; Nissim, K.; Pinkas, B. Efficient private matching and set intersection. In Advances in Cryptology-EUROCRYPT; Springer: Berlin/Heidelberg, Germany, 2004; pp. 1–19.
18. Paillier, P. Public-key cryptosystems based on composite degree residuosity classes. In LNCS, Proceedings of the EUROCRYPT'99, Prague, Czech Republic, 2–6 May 1999; Springer Science & Business Media: Berlin/Heidelberg, Germany, 1999; Volume 1592, pp. 223–238.
19. Baranwal, G.; Vidyarthi, D.P. A truthful and fair multi-attribute combinatorial reverse auction for resource procurement in cloud computing. IEEE Trans. Serv. Comput. 2019, 12, 851–864.
20. Kumar, D.; Baranwal, G.; Raza, Z.; Vidyarthi, D.P. Fair Mechanisms for combinatorial reverse auction-based cloud market. In Information Communication Technology for Intelligent Systems; Springer: Singapore, 2019; Volume 107.
21. Zhou, H.; Chen, X.; He, S.; Chen, J. DRAIM: A novel delay-constraint and reverse auction-based incentive mechanism for WiFi offloading. IEEE J. Sel. Areas Commun. 2020, 38, 711–722.
22. Xiao, M.; Ma, K.; Liu, A.; Zhao, H.; Li, Z. Sra: Secure reverse auction for task assignment in spatial crowdsourcing. IEEE Trans. Knowl. Data Eng. 2020, 32, 782–796.
23. Rivest, R.L.; Shamir, A.; Adleman, L. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 1983, 26, 96–99.
24. Miller, V.S. Use of elliptic curves in cryptography, advances in cryptology. In LNCS, Proceedings of the CRYPT'85, Santa Barbara, CA, USA, 18–22 August 1985; Springer Science & Business Media: Berlin/Heidelberg, Germany, 1985; Volume 218, pp. 417–426.
25. Koblitz, N. Elliptic curve cryptosystems. Math Comput. 1987, 48, 203–209.
26. Tan, Z.; Liu, Z.; Tang, C. Digital proxy blind signature schemes based on DLP and ECDLP. MM Res. Prepr. 2002, 21, 212–217.

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).