PSPAB: Privacy-preserving average procurement bidding system with double-spending checking

Several organizations use auctions in a procurement bidding system to maintain a low procurement cost. Although several privacy-preserving auction solutions for different application scenarios have been proposed over the past few decades, none of them can perform efficient average procurement bidding while ensuring strong privacy protection for the bids of suppliers. To address this problem, we propose PSPAB, a lightweight, secure average procurement bidding system based on cryptographic tools, to provide full privacy for bids. In addition, this system allows the procurement manager to identify the users in the case of double spending. We formally prove the security of PSPAB under a semi-honest adversary model. Experimental results validate the theoretical analysis and practical application of PSPAB in real-world scenarios.


Introduction
Nowadays, government organizations and private businesses use various auction mechanisms for procuring goods and services. One of the most popular mechanisms is the standard lowest-price auction: the supplier who bids the lowest price is declared the winner. However, the lowest-price auction mechanism has drawbacks. It can be expensive for the procurement manager if the winning supplier underestimates the cost of a project in order to submit the lowest price and eventually suffers from the well-known winner's curse. For example, a supplier bidding for a new construction project seeks to increase its winning probability as much as possible; hence, the supplier tends to submit as low a bid as possible and underestimates the eventual cost. Because the project is underestimated, the winning supplier risks defaulting on the project midway through completion to avoid a loss. The average-bid auction was presented to overcome this problem [1]: the supplier whose bid is closest to the average of all submitted bids is declared the winner. Our paper focuses on the average-bid auction procurement mechanism.
Over the past few decades, studies have been extensively conducted on the design of average-bid auction mechanisms [2][3][4][5], in which the procurement manager is assumed to be
The rest of the paper is organized as follows. Section 2 reviews the related works. Section 3 presents the problem statement. Section 4 introduces the building blocks for PSPAB. The technical details of PSPAB are described in Section 5. The performance analysis and experimental results are given in Section 6 and Section 7, respectively. Section 8 concludes the paper.

Sealed price auction
Sealed-price auctions have been extensively investigated over the past few decades. A general secure auction system was presented [17] for secondary spectrum markets, in which the BGN cryptosystem was applied to achieve sealed-price comparison. However, the use of expensive bilinear pairing computation made the solution inefficient. More recently, Blass et al. designed a secure auction for blockchains based on the Fischlin tool [18]. However, this scheme had a high interactive communication overhead between the auctioneer and the suppliers. To achieve a higher efficiency, a fully private auction FPAHB for the highest bid was presented [19] to address the problem of sealed-bid comparison. However, FPAHB lacked feasibility for practical application, as a base value was required to be set in advance. In [20], the Paillier cryptosystem was employed to design a secure truthful double spectrum auction called PS-Trust. However, PS-Trust cannot protect the geo-location information privacy. Furthermore, by using the Paillier cryptosystem and garbled circuits, two privacy-preserving and truthful double auctions for spectrum allocation were proposed in different application scenarios [9,21]. However, they both lack the ability to handle the double-spending problem.

Double spending check
In [11], Rosenfeld et al. presented a hash-based proof of work to prevent double-spending of currency. However, that study focused on blockchain currencies and was infeasible for deployment in procurement bidding systems. In [10], a lightweight countermeasure that enabled the detection of double-spending attacks in fast transactions was proposed. For effective double-spending detection, a third-party "observer" or the deployment of "a listening period" was required, which resulted in additional computation overhead. Everaere et al. proposed a risk management approach for double-spending protection by introducing the service of a trusted third-party trader [12]. However, the trusted third-party trader faced the unfairness problem with high probability. Two generic frameworks for collecting and accumulating incentives were proposed [14,15] using different cryptographic tools. However, in these studies, the double-spending solutions could only deter users; such users could not be identified. Dimitriou et al. proposed REWARDS, a privacy-preserving rewards and incentive scheme for a smart electricity grid based on a partially blind signature, in which double-spending users could be identified. However, REWARDS cannot be applied to our scheme directly because it does not present an explicit algorithm to identify the double-spending suppliers.
For ease of explanation, Table 1 lists the comparisons with previous works.

System model
Our procurement bidding system is modeled as in Fig 1. It comprises three entities: suppliers, a procurement manager (PM), and a procurement agent (PA). The PM and the PA are semi-honest and do not collude with each other. The PA exists to cooperate with the PM in determining the winning supplier. The bids of suppliers remain hidden from the PA, which provides the critical security functionality in our system. Notably, models involving such agents are a popular trend in auction-based applications (e.g., [8,9,17]), and we adopt this widely used model. We consider an average procurement bidding system, where the PM finds the supplier with the bid closest to the average of all the bids. In addition, our scheme supports the double-spending checking functionality. First, each supplier submits an identity commitment and a proof to the PA, who verifies this proof. Subsequently, the suppliers submit their encrypted bids to the PM. Then, the PA cooperates with the PM to determine the winning supplier. Throughout the procurement process, the secret bid of each supplier is protected. The mathematical notations used throughout our paper are summarized in Table 2.

Threat model and design goals
According to the most popular security studies [8,22,23], the security threats derive from the PM and the PA. Therefore, we consider the PM and the PA to be the adversaries. The PM and the PA are assumed to be semi-honest and non-colluding. That is, the PM and the PA faithfully obey the procurement rules, but they would like to learn the secret bids beyond the procurement result.
Our objective in this study is to design a secure average procurement bidding mechanism with the double-spending checking functionality. In our scheme, neither the PM nor the PA learns the bid values. In other words, the scheme is provably secure under a standard security model and achieves information-theoretic security [24]. Additionally, we avoid computation-intensive operations and adopt lightweight cryptographic operations to design a secure and efficient average procurement bidding system with affordable computation time and communication cost. Furthermore, our scheme supports double-spending detection: each supplier submits a commitment that includes identification information, and the PA verifies the identification proof. Before presenting the formal security definition, we first introduce two basic terms that will be used in the following sections.
• Computational indistinguishability. As defined in [25], a probability ensemble Y is written Y = {Y(x, λ)}_{x ∈ {0,1}*, λ ∈ ℕ}, where x is the input and λ is the security parameter. Two probability ensembles Y and Z are computationally indistinguishable, denoted Y ≈_c Z, if for every non-uniform polynomial-time algorithm D the following inequality holds: |Pr[D(Y(x, λ)) = 1] − Pr[D(Z(x, λ)) = 1]| ≤ μ(λ), where μ(·) denotes a negligible function.
• Composition theorem for the semi-honest model. As described in [26], suppose that a functionality f_2 is privately reducible to another functionality f_1. If there exists an algorithm for privately computing f_1, then there exists an algorithm for privately computing f_2.

Building blocks
In this section, we introduce the building blocks for PSPAB: Paillier encryption, zero-knowledge proof, garbled circuits, and partially blind signature.

Paillier encryption
Based on the hardness of the composite residuosity class problem, the Paillier cryptosystem with its homomorphic property was proposed in [27]. First, two large primes p and q are selected. Let n = p·q, where Z_{n^2} is the set of integers modulo n^2 and Z*_{n^2} is the subset of Z_{n^2} relatively prime to n^2. We select a random value g ←$ Z*_{n^2}, let λ be the least common multiple of p − 1 and q − 1, and compute k = (g^λ mod n^2 − 1)/n and x = k^{-1} mod n. Then the public key is pk = (g, n) and the private key is sk = λ. Let m ∈ Z_n denote the plaintext. We select r ←$ Z*_n and compute the ciphertext c ∈ Z_{n^2} as c = E(m, r) = g^m · r^n mod n^2. Finally, decryption is implemented as D(E(m, r)) = m = ((c^λ mod n^2 − 1)/n) · x mod n. The Paillier cryptosystem has the following homomorphic properties.
In the following context, we leave out the mod operation without confusion for easy exposition.

Zero-knowledge proof
Zero-knowledge proof (ZKP) is one of the most popular tools in modern cryptography. The fundamental notion of zero knowledge was introduced by Goldwasser, Micali, and Rackoff in [28]. The most intriguing property of a ZKP is that the prover convinces the verifier of the validity of a statement without revealing anything beyond that validity. For example, for the commitment Com = g^x · h^r, the predicate (x = 1 ∨ x = 0) can be proven in zero knowledge by the proof of knowledge POK{(r) : Com/g = h^r ∨ Com = h^r}.

Garbled circuits
The seminal work on garbled circuits is Yao's [29]. The secure subtraction circuit (SecSub), the secure comparison circuit (SecCmp), and the secure minimum circuit (SecMin) were proposed in [26,30]. The target value is obtained by recursively invoking a basic circuit (e.g., SUB, CMP, and MIN). Functionally, the secure subtraction circuit SecSub subtracts two l-bit integers a and b securely. The secure comparison circuit SecCmp compares two l-bit integers a and b efficiently. The secure minimum circuit SecMin finds the minimum value in a list of values. For more details, we refer the reader to [26,30].

Partially blinded signature
The partially blind signature was proposed in [31] and extended in [32]. A blind signature allows a user to have a message signed without the signer learning anything about the message. Original blind signatures cannot embed information (e.g., an expiry date) in the signature. Hence, whenever previously issued signatures expire, the signer has to issue new public keys. Partially blind signatures overcome this shortcoming: the signer can embed the expiry date in the signed message, so signed information can be safely deleted once it is outdated. In [16], for liability attribution, the partially blind signature was modified so that the user's public identity is revealed if the user tries to use the same token more than once.

Our scheme
Our procurement bidding system consists of three phases: identity verification of suppliers (IdVfy), double-spending check (DSChk), and bid comparison (BidCmp). IdVfy is used by the PA to verify the identities of suppliers. DSChk is used by the PA to check whether double-spending behavior exists, i.e., whether a supplier submits the same bid more than once. Finally, BidCmp is employed by the PM to securely select the winning supplier with the bid closest to the average of all the bids. Before describing these phases in detail, we first introduce the setup process of our scheme.

Setup
Let κ denote the system security parameter. Two large primes p and q are selected. Let n = p·q, g, h, h_1 ←$ Z*_{n^2}, s = (p − 1)·(q − 1), and w = g^s. We encode the system parameters as params = (g, h, h_1, w) and the expiration time as z = H(params, expiration), where H denotes a secure hash function. The private key is sk = s and the public key is pk = (g, h, h_1, w, z).

IdVfy
First, the supplier computes a commitment C = h^r · h_1^{y_i} to its secret ID y_i. Then the supplier needs to convince the PA that both I and C correspond to the same secret ID y_i. To this end, along with I and C, the supplier sends the PA the proof of knowledge POK{(r, y_i)} of r and y_i. The identity verification process is described in Algorithm 1.
Algorithm 1: IdVfy
Require: a random value r ←$ Z*_{n^2}, the secret identity ID y_i
Ensure: True or False
At Supplier:
The correctness of P_1 and P_2 in Algorithm 1 can be validated through Eq 2.
That completes the proof.
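The proof of knowledge behind IdVfy, as an added example that is not code from the paper: a supplier commits to its secret ID y_i as C = h^r · h_1^{y_i} in Z*_{n^2} and proves, with a Fiat–Shamir transformed sigma protocol, that it knows (r, y_i) and that the public identity I is formed from the same y_i. The page does not give the formula for I; the example assumes I = g^{y_i}. The primes, the bases g, h, h_1 and the hash are constructed demo values, not the scheme's parameters.

```python
import hashlib
import secrets

# Constructed demo parameters (not the paper's): two Mersenne primes stand in for the
# large primes p, q of Setup, so the group is Z*_{n^2} as in the scheme. Real deployments
# generate fresh primes of 1024 bits or more.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
N2 = N * N


def rand_unit():
    """Random element of Z*_{n^2} (the gcd check is omitted: failure is negligibly likely here)."""
    return secrets.randbelow(N2 - 2) + 2


# Public bases g, h, h_1 drawn once at setup (constructed values, fixed for this process).
G, H, H1 = rand_unit(), rand_unit(), rand_unit()


def fs_challenge(*elements):
    """Fiat-Shamir challenge: hash of the statement and the prover's first message."""
    data = b"|".join(str(e).encode() for e in elements)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def commit_identity(y, r):
    """Supplier: commitment C = h^r * h_1^y and public identity I = g^y (the form of I is assumed)."""
    return pow(H, r, N2) * pow(H1, y, N2) % N2, pow(G, y, N2)


def prove_same_identity(y, r, C, I):
    """Supplier: proof of knowledge of (r, y) with C = h^r h_1^y and I = g^y for the same y."""
    # The group order is unknown to the supplier, so responses are plain integers (not reduced);
    # masks much larger than c*r and c*y keep them statistically independent of r and y.
    bound = 1 << (N.bit_length() + 256 + 80)
    t1, t2 = secrets.randbelow(bound), secrets.randbelow(bound)
    A1 = pow(H, t1, N2) * pow(H1, t2, N2) % N2   # first message for C
    A2 = pow(G, t2, N2)                           # first message for I, same mask t2 as for h_1
    c = fs_challenge(C, I, A1, A2)
    return A1, A2, c, t1 + c * r, t2 + c * y


def verify_same_identity(C, I, proof):
    """PA: recompute the challenge and check both verification equations."""
    A1, A2, c, s1, s2 = proof
    if c != fs_challenge(C, I, A1, A2):
        return False
    eq_c = pow(H, s1, N2) * pow(H1, s2, N2) % N2 == A1 * pow(C, c, N2) % N2
    eq_i = pow(G, s2, N2) == A2 * pow(I, c, N2) % N2
    return eq_c and eq_i


if __name__ == "__main__":
    y_id, r_blind = secrets.randbelow(N), secrets.randbelow(N)   # constructed supplier secrets
    C, I = commit_identity(y_id, r_blind)
    print(verify_same_identity(C, I, prove_same_identity(y_id, r_blind, C, I)))
```

The shared exponent t2 in A1 and A2, answered by a single response s2, is what ties C and I to the same y_i: a prover who used different IDs in C and I cannot satisfy both verification equations for the same challenge. Because the verifier recomputes the challenge from (C, I, A1, A2), a proof made for one identity cannot be replayed for another.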

DSChk
Following the work of [16], we customize a partially blind signature to check the suppliers' double-spending behavior. First, the PM picks r_1 ←$ Z*_{n^2} and creates the one-time tags z_1 = C·g^{r_1} and z_2 = z^{z_1}. Then the supplier blinds z, z_1, z_2 into ζ = z^γ, ζ_1 = z_1^γ, ζ_2 = ζ^{ζ_1}. Later on, the supplier selects τ ←$ Z*_{n^2} and computes η = z^τ, which serves as a commitment. Then the PA proves in zero knowledge that it knows the secret values corresponding to w and z, and the ZK proof is converted into a signature σ. Then the supplier computes ε_1, μ_1 and performs the signature validity test. If a supplier double-spends, there will be two different pairs (ε_1, μ_1) and (ε_1', μ_1') associated with the same identity I. Hence, the PA can compute r = (μ_1' − μ_1)/(ε_1 − ε_1') and retrieve the public identity of the supplier as I = I'^{1/r}. The double-spending checking details are described in Algorithm 2, where a function DleSpend invokes Algorithm 3.
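The identification step of DSChk, as an added example that is not the paper's code: it implements only the algebra described above, in which a supplier who submits twice produces two tokens (ε_1, μ_1) and (ε_1', μ_1') tied to the same blinded identity I' = I^r, from which the PA computes r = (μ_1' − μ_1)/(ε_1 − ε_1') and then I = I'^{1/r}. The partially blind signature σ itself is not reproduced (a placeholder string stands in for it), the primes and the base g are constructed demo values, and the assumption that the PA can invert r modulo the group order n·s follows from the PA holding sk = s in Setup.

```python
import hashlib
import secrets
from math import gcd

# Constructed demo parameters (not the paper's): Z*_{n^2} with n = p*q for two Mersenne
# primes; the PA holds s = (p-1)(q-1) from Setup, hence knows the group order n*s.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
N2 = N * N
S = (P - 1) * (Q - 1)
G = 7  # base for public identities I = g^y (constructed choice)


def H(*parts):
    """Hash used for varpi = H(I) and eps_1 = H(sigma, I^r, R), interpreted as an integer."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def pick_r():
    """Supplier's fixed exponent r, coprime to n*s so that (I')^(1/r) is well defined."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and gcd(r, N * S) == 1:
            return r


def supplier_token(I, r, sigma):
    """Supplier, step 8 of Algorithm 2: (eps_1, varpi, mu_1, I').
    sigma stands for the partially blind signature, whose construction is not reproduced here."""
    R = secrets.randbelow(N2)            # fresh per submission, so eps_1 differs each time
    I_blind = pow(I, r, N2)              # I' = I^r
    eps1 = H(sigma, I_blind, R)
    varpi = H(I)
    mu1 = varpi - eps1 * r               # plain integer arithmetic, no modular reduction
    return eps1, varpi, mu1, I_blind


class DoubleSpendChecker:
    """PA: keeps one token per blinded identity I' and identifies a supplier who submits twice."""

    def __init__(self):
        self.seen = {}

    def check(self, token):
        """Return None for a first submission, or the recovered public identity I on a double spend."""
        eps1, varpi, mu1, I_blind = token
        prev = self.seen.get(I_blind)
        if prev is None:
            self.seen[I_blind] = token
            return None
        eps1_prev, _, mu1_prev, _ = prev
        if eps1 == eps1_prev:
            raise ValueError("identical token resubmitted")  # replay: no second equation to combine
        # mu1_prev - mu1 = (varpi - eps1_prev*r) - (varpi - eps1*r) = r * (eps1 - eps1_prev)
        r, rem = divmod(mu1_prev - mu1, eps1 - eps1_prev)
        if rem != 0:
            return None                                      # inconsistent pair, not a valid double spend
        # I = (I')^(1/r): the PA inverts r modulo the group order n*s it knows from sk = s
        I = pow(I_blind, pow(r, -1, N * S), N2)
        return I if H(I) == varpi else None                  # consistency check against varpi = H(I)


if __name__ == "__main__":
    r_sup = pick_r()
    I_sup = pow(G, 424242, N2)           # constructed secret ID y = 424242
    checker = DoubleSpendChecker()
    print(checker.check(supplier_token(I_sup, r_sup, "sigma-1")))          # None: first submission
    print(checker.check(supplier_token(I_sup, r_sup, "sigma-2")) == I_sup)  # True: identity recovered
```

A single token reveals nothing about r because μ_1 is one linear equation in the unknowns ϖ and r; the second token with a fresh ε_1' supplies the second equation, which is exactly why the honest single-submission case stays private while a double spend becomes identifiable.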

Algorithm 2: DSChk
Require: the encrypted bid ⟨b_i⟩, the commitment C, the value r corresponding to y_i, the public key pk = (g, h, h_1, w, z), the private key sk = s, the list L;
Ensure: the double-spending public identity I or NULL;
At the PA:
1: Choose a random value r_1 ←$ Z*_{n^2}, compute z_1 = C·g^{r_1}, z_2 = z^{z_1} and send r_1 to the supplier;
At the supplier:
2: Choose γ, τ ←$ Z*_{n^2} and compute z_1 = C·g^{r_1}
At the PA:
3: Choose μ, r_2, r_3, r_4 ←$ Z*_{n^2} and compute a = g^μ, a_1 = g^{r_2}·z_1^{r_4}, a_2 = h^{r_3}·z_2^{r_4};
4: Send a, a_1, a_2 to the supplier;
At the supplier:
5: Choose t_1, t_2, t_3, t_4, t_5 ←$ Z*_{n^2} and compute α = a·g^{t_1}·w^{t_2}, α_1 = a_1^γ·g^{t_3}·ζ_1^{t_4}, α_2 = a_2^γ·h^{t_5}·ζ_2^{t_4}, ε = H(ζ, ζ_1, α, α_1, α_2, Z, ⟨b_i⟩), ν = ε − t_2 − t_4;
6: Send ν to the PA;
At the PA:
7: Compute c = ν − r_4, r_5 = μ − c·s and send c, r_2, r_3, r_4, r_5 to the supplier;
At the supplier:
8: Choose R ←$ Z*_{n^2}, compute ρ = r_5 + t_1, ω = c + t_2, ρ_1 = γ·r_2 + t_3, ρ_2 = γ·r_3 + t_5, ω_1 = r_4 + t_4, θ = τ − ω_1·γ, σ = (ζ, ζ_1, ρ, ω, ρ_1, ρ_2, ω_1, θ), ε_1 = H(σ, I^r, R), ϖ = H(I), μ_1 = ϖ − ε_1·r, I' = I^r, and send (ε_1, ϖ, μ_1, I') to the PA;
At the PA: Decrypt

BidCmp
We assume that the number of suppliers m equals 6; the high-level structure of the average procurement bidding system is then depicted in Fig 2. To securely find the supplier with the bid closest to the average of all the bids, we first measure, for each supplier, the distance between the bid b_i and the average bid b̄, and then find the minimum absolute value among these distances. That is, we need to find the minimum of |b_1 − b̄|, |b_2 − b̄|, …, |b_m − b̄|. Moreover, to preserve privacy, this minimum should be selected on the ciphertexts. However, it is hard to compute the minimum of |b_1 − b̄|, |b_2 − b̄|, …, |b_m − b̄| on the ciphertexts directly.
Therefore, we need another approach. Since b̄ =
The PM chooses the winning supplier i_w with the bid closest to the average value of all the bids.
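The Paillier building block and the masked bid comparison, as one added example that is not the paper's code; it serves both the Paillier encryption section and the BidCmp description above. The Paillier part implements keygen, E, D and the two homomorphic operations with the common choice g = n + 1. The BidCmp part is a reconstruction with stated assumptions: suppliers are ranked by d_i = m·b_i − Σ_j b_j, which orders them exactly like |b_i − b̄| without any division; the PM masks each E(d_i) with a uniform r_i; the PA decrypts the masked value, squares it and re-encrypts, matching the ⟨B_i·B_i⟩ messages of Theorem 1; and the PM removes the mask homomorphically to obtain E(d_i^2). The paper's SecMin garbled circuit is not reproduced: in its place the PA decrypts the squared distances so the result can be checked. Primes and bids are constructed demo values.

```python
import secrets
from math import gcd

# Constructed demo parameters (not the paper's): Mersenne primes 2^89-1 and 2^107-1 stand in
# for the large primes p, q; a real deployment generates fresh primes of 1024 bits or more.
P = 2**89 - 1
Q = 2**107 - 1

# ---- Paillier cryptosystem (the building block of the Paillier encryption section) ----

def keygen():
    """Key pair with the common choice g = n + 1: pk = (n, g), sk = (n, lambda, x)."""
    n = P * Q
    lam = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lambda = lcm(p - 1, q - 1)
    x = pow(lam, -1, n)                            # x = k^{-1} mod n; with g = n + 1, k = lambda
    return (n, n + 1), (n, lam, x)

def encrypt(pk, m, r=None):
    """E(m, r) = g^m * r^n mod n^2; a negative m is taken modulo n."""
    n, g = pk
    if r is None:
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m % n, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(sk, c):
    """D(c) = ((c^lambda mod n^2 - 1) / n) * x mod n."""
    n, lam, x = sk
    return (pow(c, lam, n * n) - 1) // n * x % n

def h_add(pk, c1, c2):
    """Homomorphic addition: E(a) * E(b) = E(a + b)."""
    return c1 * c2 % (pk[0] ** 2)

def h_mul(pk, c, k):
    """Homomorphic scalar multiplication: E(a)^k = E(k * a); k may be negative."""
    return pow(c, k % pk[0], pk[0] ** 2)

def signed(pk, m):
    """Map a plaintext in Z_n back to a signed integer."""
    return m if m <= pk[0] // 2 else m - pk[0]

# ---- BidCmp, reconstructed under the assumptions stated in the lead-in ----

def pm_encrypted_distances(pk, enc_bids):
    """PM: E(d_i) = E(b_i)^m * E(sum_j b_j)^(-1), computed without seeing any bid."""
    m = len(enc_bids)
    enc_sum = enc_bids[0]
    for c in enc_bids[1:]:
        enc_sum = h_add(pk, enc_sum, c)
    return [h_add(pk, h_mul(pk, c, m), h_mul(pk, enc_sum, -1)) for c in enc_bids]

def pm_mask(pk, enc_d):
    """PM: add a fresh uniform mask r_i in Z_n to each E(d_i); d_i + r_i mod n is uniform."""
    masks = [secrets.randbelow(pk[0]) for _ in enc_d]
    return [h_add(pk, c, encrypt(pk, r)) for c, r in zip(enc_d, masks)], masks

def pa_square(pk, sk, masked):
    """PA: decrypt x_i = d_i + r_i (uniform, reveals nothing about d_i), square it, re-encrypt."""
    return [encrypt(pk, pow(decrypt(sk, c), 2, pk[0])) for c in masked]

def pm_unmask_squares(pk, enc_sq, enc_d, masks):
    """PM: E(d_i^2) = E((d_i + r_i)^2) * E(d_i)^(-2 r_i) * E(-r_i^2)."""
    out = []
    for c_sq, c_d, r in zip(enc_sq, enc_d, masks):
        t = h_add(pk, c_sq, h_mul(pk, c_d, -2 * r))
        out.append(h_add(pk, t, encrypt(pk, -(r * r))))
    return out

def bidcmp(pk, sk, bids):
    """Whole exchange; returns (index of the winning supplier, squared distances m^2 (b_i - avg)^2).
    The last step stands in for the paper's SecMin garbled circuit: here the PA decrypts the
    E(d_i^2) so the result can be checked; the real scheme picks the minimum without revealing them."""
    enc_bids = [encrypt(pk, b) for b in bids]              # suppliers encrypt under the PA's pk
    enc_d = pm_encrypted_distances(pk, enc_bids)
    masked, masks = pm_mask(pk, enc_d)
    enc_sq = pm_unmask_squares(pk, pa_square(pk, sk, masked), enc_d, masks)
    sq = [decrypt(sk, c) for c in enc_sq]
    return min(range(len(bids)), key=sq.__getitem__), sq

BIDS = [100, 120, 95, 130, 110, 160]   # constructed sample bids, m = 6 as in Fig 2

if __name__ == "__main__":
    pk, sk = keygen()
    print(bidcmp(pk, sk, BIDS))        # (1, [13225, 25, 21025, 4225, 3025, 60025])
```

The masking step is the point of Lemma 1: what the PA decrypts is d_i + r_i mod n with r_i uniform in Z_n, so it is independent of d_i, while everything the PA returns is a fresh Paillier ciphertext. Because squaring is done by the PA on the masked plaintext and undone by the PM with only additions and scalar multiplications, no party ever sees a bid or a distance in the clear before the final minimum selection.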

Security analysis
The phases IdVfy and DSChk are designed to support the double-spending checking functionality in our scheme. The main cryptographic tools in these phases are zero-knowledge proof and the partially blind signature scheme. Their security in these two phases has been proven in [32,33], respectively. Hence, our study focuses on the demonstration of the security of BidCmp under the semi-honest model.
We describe the algorithm at a high level before giving the formal definition. Bob generates a key pair (sk, pk) and sends the public key pk to Alice. Alice encrypts her data and masks them with random values by leveraging the homomorphic properties of a specific cryptosystem. Then, Alice sends the masked encrypted data to Bob. Bob decrypts the data and performs some operations on the decrypted data. Subsequently, Bob re-encrypts the result and sends it to Alice. The privacy of Bob is guaranteed by the semantic security of the adopted cryptosystem. Moreover, Bob gains no knowledge of Alice's private data during the process. Similar to the works in [20,21,34], the formal security of an algorithm under the semi-honest model is defined as follows.
Definition 1 (Security): An algorithm P has two parties, Alice and Bob, and computes f_A(x, y) for Alice and f_B(x, y) for Bob, where x and y are the inputs of Alice and Bob, respectively. Let V_A^P(x, y) (resp. V_B^P(x, y)) denote Alice's (resp. Bob's) view during the execution of P on input (x, y); it consists of (x, r_A, {m_i}_{i=1}^t) (resp. (y, r_B, {m_i}_{i=1}^t)), i.e., the party's input, its randomly selected values, and the messages passed between the parties. Then the algorithm P is secure against semi-honest adversaries if there are probabilistic polynomial-time (PPT) simulators S_1 and S_2 that make Eq 3 hold. Recall that the symbol ≈_c means computational indistinguishability.
Based on Definition 1, we obtain the following Lemma 1.
Lemma 1: Assume Bob generates the key pair (pk, sk) of the homomorphic cryptosystem and issues the public key pk to Alice. Then Alice and Bob run the algorithm P. If all the ciphertexts transmitted from Alice to Bob are uniformly distributed and independent of Alice's inputs, and all the messages transmitted from Bob to Alice are encrypted under the cryptosystem, then the algorithm P is secure against semi-honest adversaries.
Proof. To prove Lemma 1, we consider simulators in two different cases depending on which party is corrupted by the adversary. In the first case, Alice is corrupted; in the second case, Bob is corrupted. In each case, we can infer that Eq 3 holds. Hence, we conclude that the algorithm P is secure against semi-honest adversaries. More details can be found in [9].
Theorem 1: BidCmp (Algorithm 4) is secure against semi-honest adversaries.
Proof. In Algorithm 4, messages are exchanged between the PM and the PA. The messages sent from the PM to the PA, including B_1', B_2', …, B_m', are masked by random values and are uniformly distributed in the ciphertext space Z_{n^2}. In addition, the messages ⟨B_1·B_1⟩, ⟨B_2·B_2⟩, …, ⟨B_m·B_m⟩ sent from the PA to the PM are encrypted by the semantically secure Paillier cryptosystem. Moreover, SecMin is a direct application of Yao's garbled circuit and its security has been demonstrated in [35]. Therefore, based on Lemma 1 and the sequential composition theorem [36], BidCmp is secure against semi-honest adversaries.
Theorem 2: Since the above algorithms are secure, our scheme PSPAB is secure against semi-honest adversaries.
Proof. The private information (e.g., bids) is protected by the cryptosystem. Besides, BidCmp is secure against semi-honest adversaries. Hence, no information about the secret bids is disclosed to any other party. That is, our scheme PSPAB is secure against semi-honest adversaries.

Efficiency analysis
We
In sum, with the combination of the three phases, the computation complexity and the communication complexity are both O(m).

Experimental results
The core cryptographic operations are prototypically implemented using Java to demonstrate the feasibility of PSPAB. We are mainly concerned with two metrics in the performance evaluations.
1. Computation time. The overall processing time is derived from the following phases of PSPAB. It consists of the total computation time at the PA's side and the suppliers' side in IdVfy and DSChk, and the total computation time at the PM's side and the PA's side in BidCmp.
2. Communication cost. The overall communication cost in the different phases consists of the communication cost between the PA and the suppliers in IdVfy and DSChk, and the communication cost between the PM and the PA in BidCmp.
We use the Java system function System.nanoTime to obtain the computation time. For example, we present pseudo code for measuring the computation time of BidCmp in Algorithm 5. Note that the computation time of BidCmp is measured 10 times and then averaged for better precision.
is because the multiple homomorphic operations used in BidCmp are more computationally intensive than the commitment operation in IdVfy and the partially blind signature operation in DSChk. We compare our scheme with two state-of-the-art works, SDSA [8] and PS-TAHES [9], in Fig 5 for a well-rounded performance evaluation. The computation time and communication cost increase with the number of suppliers, m, but the growth rate for PSPAB is more moderate than those of SDSA and PS-TAHES. For m = 1000, the computation time and communication cost of PSPAB are 44 s and 940 KB, respectively. The computation time is shorter than that of PS-TAHES (149 s, 3.4× faster) and SDSA (57 s, 1.3× faster). The communication cost is also lower than that of PS-TAHES (74 MB, 82× smaller) and SDSA (88 MB, 97× smaller). More details are given in Tables 3 and 4. The reason for this performance improvement is that our framework is general and efficient: it avoids computation-intensive operations and applies lightweight cryptographic tools to protect bid privacy. In Fig 6, we fix m to 200 and vary the bit length l of the bids from 30 to 70. Accordingly, the bit length k of the random masking values changes from 60 to 100, which provides statistical security of 2^{l−k}.
We observe that the computation time increases with l, as it affects the execution time of the bid operations of PSPAB, e.g., secure bid comparison in BidCmp. However, as analyzed in the previous section, the number of exchanged values between the supplier and the PA in different phases remains constant for each supplier. Therefore, the communication cost almost remains constant with the increase in l.

Conclusion and future work
In this paper, we proposed a lightweight average procurement bidding system (PSPAB) with the double-spending checking functionality. We designed a series of secure basic operations by leveraging lightweight cryptographic primitives such as the Paillier cryptosystem, garbled circuits, and the partially blind signature. Then, security analysis and performance analysis were performed. Finally, we compared PSPAB with two state-of-the-art works, SDSA and PS-TAHES, to demonstrate its superiority. Under the same system parameters, the computation time of PSPAB is 3.4× and 1.3× faster than PS-TAHES and SDSA, respectively, and the communication cost is 82× and 97× smaller than PS-TAHES and SDSA, respectively. Our design can be further enhanced in the future. First, rather than the partially blind signature, a more efficient cryptographic tool could be used to enable double-spending checking. Second, the latest multi-party comparison studies could be employed to make our scheme more efficient. Finally, our scheme could be made applicable to other procurement bidding systems, such as the closest pretender bidding system.