SPCTR: Sealed Auction-Based Procurement for Closest Pre-Tender with Range Validation

Over the past decades, there have existed extensive research works on the designs of the closest pre-tender procurement bidding. However, most solutions for the closest pre-tender only target at economic benefits while omitting the problem of bid privacy leakage. Moreover, existing works fail to provide approaches with adequate security and high efficiency. In this paper, for the first time, we propose SPCTR, a sealed-price auction-based procurement bidding system for the closest pre-tender with range validation. SPCTR allows a range validation for a supplier’s bid without leaking the secret bid. Besides, SPCTR achieves a sealedprice comparison with the pre-tender to find the closest pre-tender bid. Compared with previous works, SPCTR provides strong privacy protection for the bids of suppliers without sacrificing high efficiency. SPCTR is constructed based on carefully designed cryptographic tools with generality and simplicity which enable various operations on the encrypted values, and these tools can be easily applied to other contexts. We not only formally prove that SPCTR is secure against semihonest adversaries but also comprehensively analyze the efficiency. Experimental results validate that SPCTR achieves procurement bidding with light computation time and communication cost in practice.


Introduction
1.1. Motivation. Nowadays, Internet communication has made a huge impact on supply chain management and facilitates the ample participation of motivated suppliers. As one aspect of supply chain management, procurement is a necessary process for a company to obtain the manufacturing materials. For leveraging the competitive nature of suppliers to keep the procurement cost reasonable, the auction mechanism is introduced in the procurement. Pre-tender bidding, a popular type of auction-based procurement bidding, is widely used as a standard business requirement for many organizations in recent years [1,2]. In what follows, the process of pre-tender bidding is briefly described. First, as per the specific project, the procurement manager will generate some critical factors including the lowest bid, the highest bid, and the pre-tender. en, the procurement manager will issue the lowest bid and the highest bid while keeping the pre-tender private to himself.
Later on, suppliers submit their bids required to be validated in the range between the lowest bid and the highest bid. Finally, the supplier with the closest pre-tender bid will be claimed as the winner of the bidding system.
Unfortunately, for the concerns of privacy, the procurement bidding system is vulnerable. For example, the third-party procurement manager is not always trustworthy and suppliers are competitive to obtain the bidding. us, they probably interfere with a normal bidding system by soliciting some commercial secret values of suppliers like bids. en, the procurement manager can adjust the pre-tender for maximum profit rather than the true valuation of a project next time by monitoring the previous bids of suppliers. Moreover, by learning the historical bids of other suppliers, a supplier can submit a bid that may be closest to the pre-tender with high probability. Hence, providing strong privacy protection for suppliers' bids is of great importance in the realistic procurement bidding system.

Challenges and Solutions.
To design such a privacypreserving closest pre-tender procurement bidding system, we have to face the following two challenges. e first challenge is how to design a privacy-preserving closest pretender procurement bidding system which provides privacy protection for the secret bids while the fundamental functions of the system are maintained. Huang et al. presented a secure auction mechanism for secondary spectrum markets based on BGN cryptosystem [3]. However, the involved bilinear pairing operations make the scheme computationally expensive. Blass and Kerschbaum proposed a secure auction for blockchain by leveraging GM encryption [4]. Later on, a solution of fully private auction seeking for the highest bid was presented in [5]. ese works provide good protection for bid privacy but also face the challenge of computation efficiency. More recently, Wang et al. presented privacy-preserving truthful double online auction for heterogeneous spectrum [6]. In this work, garbled circuits are used for bid grouping rather than bid comparison [7]. To this end, we employ lightweight cryptographic primitives, such as the Paillier cryptosystem and garbled circuits to the original system. On the one hand, these cryptographic tools allow our scheme to output the correct result. For example, in the original auction, the supplier with the bid b 0 is closest to the pre-tender so that the winner is b 0 . In our privacypreserving system, despite the fact that bids are encrypted, the winner is still b 0 and will not change. On the other hand, they can ensure that the private bid of a supplier is well protected and will not be leaked to other suppliers and the procurement manager. e second challenge is how to demonstrate whether a secret bid is in a specified range or not, without revealing the secret bid. To cope with the second challenge, the technology of range proof is adopted in this paper. Roughly speaking, the range proof technology is categorized into two types: decomposition-commitment range proof [8] and signaturebased range proof [9]. However, the decomposition-commitment range proof is typically computationally expensive due to bit decomposition and commitment generation. In contrast, the signature-based proof only requires a constant number of group elements to be exchanged irrespective of the number of bits of the secret value. Chaabouni et al. presented a more efficient variant of signature-based range proof in [10]. In this work, first, the verifier sends the prover all the signatures of elements in the range, and then the prover proves that its secret value matches one of these signatures. However, the communication complexity depends on the size of the range. Improvement was made in [9], and only a constant number of elements are exchanged in the proof. Hence, for the consideration of a large number of bids, signature-based range proof is taken as our range proof technology.
All in all, our main contributions are listed as follows: (i) To our knowledge, we firstly propose a privacypreserving closest pre-tender procurement bidding system. at means a fully secure procurement bidding system is carried out without revealing suppliers' private bids. Based on the delicately designed cryptographic tools, we achieve the phase of bid comparison in a privacy-preserving manner to ensure the privacy of bids. (ii) We propose a signature-based range proof to achieve the range validation. e commit-challenge-verify process allows the bids submitted by the suppliers to be validated in a specified range (lying between the lowest bid and the highest bid). Also, the validation process will not leak the secret bids of suppliers. (iii) We present a thorough theoretical analysis of SPCTR for the concerns of both security and efficiency. At last, we construct a prototype to conduct extensive experiments to further validate the practicality in the computation time and communication cost. e remainder of this paper is organized as follows. e system model, the threat model, and design goals are presented in Section 2. Section 3 introduces the preliminaries and the necessary mathematical notations. Section 4 presents building blocks of SPCTR, including ciphertext multiplication and secure minimum value selection. In Section 5, we elaborately depict the two phases of SPCTR: BidRPrf and CloPCmp. In Section 6, we present the security and efficiency analysis for SPCTR, followed by the performance evaluation in Section 7. At last, Section 9 concludes this paper.

System Model.
We consider the construction bidding project as our application scenario. e system model of SPCTR under this application scenario is depicted in Figure 1. e model is in terms of three entities, a procurement manager, a procurement agent, and m suppliers. e functionalities of three entities are described, respectively, in the following: Procurement manager (PM): PM sets the lowest bid (b), the highest bid (b), and the pre-tender (t) for SPCTR. erein, the lowest bid b and the highest bid b are public to each entity. SPCTR requires each bid submitted by each supplier to lie in the range of [b, tb], whereas the pre-tender (t) is a secret value that only PM knows it. Furthermore, the bid which is nearest to the pre-tender t will be the winner of SPCTR. After a secure interaction between PM and the procurement agent, PM declaims the final winner of the bidding and returns this result to suppliers. Suppliers: in the bidding project, m suppliers wish to compete for undertaking the project. First, these suppliers formulate the budgets as their bids. Afterward, the suppliers should prove to PM that their bids lie in the range of [b, tb] without disclosing their bids to PM. After accomplishing the range validation, suppliers encrypt their bids by a cryptosystem and send the encrypted bids to PM. Procurement agent (PA): in [3,6], PA is presented to assist PM to promote the secure bidding. To be specific, PA will cooperate with PM to find the bid which is closest to the pre-tender. PA generates a key pair including a private key and a public key. PA holds the private key by itself and publishes the public key to other parties. Assumptions: suppliers are assumed to submit their true bids faithfully.
is means any supplier cannot falsify a bid which is in the range [b, tb] to replace the original bid which is not in the range [b, tb]. Also, suppliers are assumed to submit the same bids in the different phases of SPCTR. Finally, we assume PM and PA do not collude with each other to manipulate the bidding process and determine the final winner.

Attack
Model. In our attack model, we consider PM, PA, and suppliers to be semihonest. is implies that they follow the stipulated rules strictly but they are curious about other entities' sensitive information (e.g., their bids) and will attempt to obtain the information from the view of executing the bidding process. We consider a passive adversary A under semihonest setting.
Similar to the general security definition in [11,12], we use the simulation-based proof technique to define security [13]. Let P be a set of involved parties who execute an algorithm Π to compute a function F. In P is denoted as the input and O I is denoted as the output. Let I be a corrupted subset and Φ be auxiliary information during executing Π, e.g., the random numbers selected by P i , and the view of I be V Π I (In I , In I , Φ I ). S I is a simulator to generate a transcript of the scheme that takes In I as the input and O I as the output. In combination with the concretization of our scheme, we present a formal security definition against semihonest adversaries based on Definition 1.

Definition 2.
(security). An algorithm Π is assumed to have Alice (resp. Bob) and compute F A (x, y) (resp. F B (x, y)), where (x, y) are inputs of Alice and Bob, respectively. Let ) are Alice's (resp. Bob's) input and auxiliary information, respectively, during executing Π, and is the output of Alice (resp. Bob). en, the algorithm Π is secure against semihonest adversaries if there are probabilistic polynomial time (PPT) simulators S 1 and S 2 that make equation (1) hold.

Design Goals.
In what follows, the design goals of our scheme are depicted.
Correctness: in short, after the procurement bidding, the winning supplier returned by PM in our scheme should be the same as the one obtained in the original plaintext domain. Security: PM, PA, and other suppliers cannot obtain the secret bids of suppliers except for the bidding result. Lightweight: the cryptographic tools used in our scheme should be lightweight. at is, the computation time and communication cost should be acceptable in practice without sacrificing bid privacy.

Preliminaries
In this section, we introduce the necessary preliminaries of our scheme, including Paillier cryptosystem, zero-knowledge proofs of knowledge (ZKPK), and improved garbled circuit. Paillier cryptosystem is used to generate the key pair, encrypt, and decrypt messages. ZKPK is used to achieve range validation, and the improved garbled circuit is used to enable secure closest pre-tender comparison.

Paillier Cryptosystem.
To provide the sealed-bid property, the Paillier homomorphic encryption algorithm is Security and Communication Networks adopted in our scheme [14]. A Paillier key pair consists of the private key sk and the public key pk. Having said this, the Paillier cryptosystem mainly consists of three parts including key generation, encryption, and decryption. e three parts are listed as follows: Key generation: first, two large prime integers p and q are selected. Let n � p · q, g← $ Z * n 2 ; then, the public key is pk � (n, g).
Let e � (p − 1) · (q − 1) and d � (emodn 2 ) − 1 mod n; then, the private key is sk � (e, d). Encryption: for a plaintext message b ∈ Z n , we denote b ∈ Z n 2 as its encrypted value. We select r← $ Z * n ; then, the encrypted value b is computed by the following equation: (2) Decryption: given the private key sk and b, decryption is computed by equation (3) to obtain the plaintext e Paillier cryptosystem possesses the following interesting properties including homomorphic addition and indistinguishability. Homomorphic addition: this operation allows a specific computation to be executed on ciphertexts and finally obtains a new ciphertext that can be decrypted to match the result of the computation executed directly on the plaintext. As per the homomorphic addition property of the Paillier cryptosystem, equations (4)-(6) hold, where a and b are plaintexts and u is an integer. In the following context, for easy exposition, we leave out the mod operation without confusion.
Indistinguishability: for a plaintext a, if a is encrypted twice to obtain a 1 and a 2 , respectively, then the probability that an adversary distinguishes a 1 and a 2 will only be negligible better than a random guess.

Zero-Knowledge Proofs of Knowledge.
Zero knowledge (ZK) is termed as an interactive protocol in which a prover (Alice) tries to convince a verifier (Bob) about the validity of a statement without disclosing anything else beyond the fact itself [7]. In the following, the formal description of such a proof is given. For example, there exists a proof that π � PK (w, u, v): is expression explicitly denotes that the prover tries to convince the verifier with the statement of knowing (w, u, v) by C � m r h u and I � m v . e variables (w, u, v) remain private to the verifier, whereas the variables (C, I) remain public to the verifier.

Oblivious Transfer.
Oblivious transfer (OT) is one type of two-party computing protocols where a sender (Alice) has an input, and then a receiver (Bob) learns something about the input but Alice does not know what Bob has learned [15].
In the 1-out-of-N OT protocol, the sender has N strings S 1 , S 2 , . . . , S N and the receiver can select one of N strings S i without learning anything about the other N − 1 strings. Also, the sender learns nothing about which input has been chosen by the receiver [16].

Garbled Circuit.
In [17], Yao's garbled circuits were firstly proposed for secure two-party computation, and the circuits' practice and security are demonstrated. e basic process for Yao's garbled circuits is briefly described as follows. e circuit constructor (Alice) possesses the value s 1 and the evaluator (Bob) possesses the value s 2 , respectively, and they can jointly compute a specified function f(s 1 , s 2 ) without disclosing any secret information beyond the result. Firstly, Alice converts a circuit that computes f into an encrypted form by an algorithm GreateGC. en, Alice sends the generated circuit and the garbled value to Bob. Bob explicitly computes the output of the circuit without disclosing any other information by an algorithm EvalGC. In the garbled circuit, the oblivious transfer protocol will be executed to transmit the values from Alice to Bob.
In the following, the circuits including subtraction circuit, comparison circuit, multiplexer circuit, and minimum value circuit used in our design will be introduced.
Subtraction circuit: a subtraction circuit is used to subtract two l-bit integers a and b efficiently. e circuit consisting of a chain of 1 bit subtractors (−) is shown in Figure 2. Each 1 bit subtractor has carry-in bits from the output of the last 1 bit subtractor c i and the bits a i , b i . Furthermore, the 1 bit subtractor is composed of a 2input AND gate and four XOR gates. Comparison circuit: an integer comparison circuit is constructed for comparing two l-bit integers a and b to get the comparison result z. We use equation (7) to express the integer comparison process.
A comparison circuit can be decomposed to l number of 1 bit comparators ( > ) in sequence. More specifically, the 1 bit comparator can be constructed by a 2-input AND gate and three XOR gates. Multiplexer circuit (MUX): a l-bit multiplexer circuit is constructed to choose one of the l-bit integers a and b as output as per the selection bit z. If z � 0, then the integer a will be selected. Otherwise, the integer b will be chosen. Usually, this circuit is a composed part to construct a minimum value circuit. e selection bit z can derive from the boolean output of other garbled circuits, e.g., the comparison circuit. Minimum circuit: a minimum circuit can be used to select the minimum value a and its index i from a list of l-bit values a 0 , a 1 , . . . , a m−1 . For the selected minimum value a, it makes equation (8) hold. For example, the minimum value a and its index i of the list (4, 1, 1, 3) are a � 1 and i � 1, respectively, since the leftmost minimum value 1 lies at the position of 1. Without loss of generality, we assume that the number of elements in the list m is a power of two, and the maximum index can be represented with the value of log 2 m.
e MIN circuit is constructed by a series of minimum blocks (min). e minimum value and its index will be determined by a tournament-like way of using a tree of minimum blocks. It is straightforward to obtain that the depth of the tree is log 2 m. In Figure 3, each minimum block consists of one comparison circuit and two multiplexer circuits. For each minimum block at the depth d, the left part input of the block is a d,L and its index is i d,L . Also, the right part input of the block is a d,R and its index is i d,R . rough the minimum block, the output of a d+1 and i d+1 is computed.
We illustrate the function of the minimum block specifically. First, the comparison of a d,L and a d,R is achieved by a comparison circuit. ere exists two cases. On the one hand, if a d,L is not bigger than a d,L , then the output of the comparison circuit is 0. e minimum value a d,L and its index i d,L are chosen as the output of a d+1 and i d+1 according to their corresponding multiplexer circuits. On the other hand, if a d,L is bigger than a d,L , then the output of the comparison circuit is 1. Hence, the minimum value a d,R and its index i d,R are selected as a d+1 and i d+1 .

Building Blocks
Before presenting our design, we first introduce the composed building blocks for our scheme. ese building blocks are constructed based on the secure interaction between two parties, Alice and Bob, in which we assume only Bob owns the private key for decryption in the Paillier cryptosystem.

Ciphertext Multiplication.
Given two l-bit values a and b, their encrypted forms are ⟦a⟧ and ⟦b⟧, respectively. By using the homomorphic property of Paillier encryption, the encrypted form of ⟦a · b⟧ can be obtained. We use the technology of random mask to provide a statistical security [18]. First Alice blinds a and b with two k-bit values r a and r b , respectively, and sends ⟦a + r a ⟧ and ⟦b + r b ⟧ to Bob. Bob decrypts ⟦a + r a ⟧ and ⟦b + r b ⟧ to obtain a + r a and b + r b . en, Bob computes (a + r a ) · (b + r b ) and re-encrypts (a + r a ) · (b + r b ). Afterward, Bob sends (a + r a ) · (b + r b ) to Alice. Finally, Alice computes ⟦a · b⟧ according to the following equation: Figure 4, to securely select the minimum value and its index from a list of encrypted values ⟦a 0 ⟧, ⟦a 1 ⟧, . . . , ⟦a m−1 ⟧, Alice first generates a minimum circuit consisting of m subtraction circuits and a minimum circuit using GreateGC and gets the garbled values of m random numbers r 0 , r 1 , . . . , r m−1 . en, Alice sends the garbled values r 0 , r 1 , . . . , r m−1 and the blinded ciphertexts ⟦a 0 + r 0 ⟧, ⟦a 1 + r 1 ⟧, . . . , ⟦a m−1 + r m−1 ⟧ to Bob. Afterward, Bob invokes the oblivious transfer protocol and executes decryption. en, Bob gets the garbled values a 0 + r 0 , a 1 + r 1 , . . . , a m−1 + r m−1 . Finally, EvalGC is leveraged to evaluate the garbled circuit created by GreateGC.

Secure Minimum Value Selection. As shown in
A SUB circuit is used to get the difference between two garbled values, e.g., a 0 + r 0 and r 0 . en, the l-bit value of the results will be taken as the inputs of the minimum circuit. And the index i min of the minimum value is obtained as the output. Finally, the result i min is sent to Alice. e process of secure minimum value selection is described in Algorithm 1.
In the following context, we specify i min � MinValSel (⟦a 0 ⟧, ⟦a 1 ⟧, . . . , ⟦a m−1 ⟧ for Alice to get the index of the minimum value from a list of encrypted values directly.

Our Scheme
Our procurement bidding system consists of two phases: bids' range proof validation (BidRPrf ) and secure closest Security and Communication Networks pre-tender comparison (CloPCmp). BidRPrf is used for PM to validate whether the suppliers' bids are in the specified range or not. Moreover, CloPCmp is used for PM to choose the index of the supplier whose bid is closest to the pretender securely. We use the signature-based proof technology to achieve the range proof. For each bid, it is required to be validated in the range between the lowest bid b and the highest bid b. First, PM generates a signature for each element in [b, tb].
en, PM picks x← $ Z * n 2 and computes λ b � g 1/(x+b) . Note that g is the public key of the Paillier cryptosystem. ese values λ b , λ b+1 , . . . , λ b are precomputed for the suppliers publicly to download and use in the range proof below. We call the precomputing process as PreCmp. en, C, U, V, W are sent to PM. After receiving these values, PM sends a challenge e← $ Z * n 2 to the supplier. Afterward, the supplier generates the proof composed of φ r , φ b , φ v and sends the proof to PM. Finally, PM verifies the proof and decides whether to accept or reject the proof. Note that the supplier does not need to compute the predetermined value λ b . e value λ b has been precomputed for public downloading.

Secure Closest Pre-Tender Comparison.
e high-level structure of closest pre-tender comparison is described in Figure 5. In order to find the closet pre-tender supplier securely, first, we should measure the distance between the bid b i and the pre-tender t for each supplier, and then we have to find the minimum absolute value of these distances.
is means we devote to find the minimum value of  erefore, we transform the problem to compute the minimum value from the ciphertexts of Using the homomorphic property of the Paillier cryptosystem, Algorithm 3 is designed to achieve closest pre-tender comparison securely. e details of CloPCmp are depicted in Algorithm 3. PM has a list of encrypted bids ⟦b 0 ⟧, . . . , ⟦b m−1 ⟧ and the encrypted pre-tender ⟦t⟧ while PA keeps the key pair (pk, sk). PM selects m − 1 masking random integers r 0 , r 1 , . . . , r m−1 to get B 0 , B 1 , . . . , B m−1 and sends  B 0 , B 1 , . . . , B i , PM can remove the masking numbers to get D i through the homomorphic property of the Paillier cryptosystem by Finally, the index of the minimum value can be selected through invoking MinValSel which is presented in Algorithm 1.

Security Analysis.
In this section, the security proof is formally proved. In what follows, Lemma 1 is introduced to prove that SPCTR is secure against semihonest adversaries based on the security definition of Definition 2 that is defined in Section 2.2.

Lemma 1.
Assume Bob generates the key pair (pk, sk) for the homomorphic cryptographic system and issues the public key pk for Alice. en, Alice and Bob run the algorithm Π. All the ciphertexts transmitted from Alice to Bob are uniformly distributed and independent of Alice's inputs. And all the messages transmitted from Bob to Alice are encrypted by the cryptographic system. erefore, the algorithm Π is secure against semihonest adversaries.
Proof. To prove Lemma 1, we should consider two cases, in which the party that is corrupted by the adversary is different. In the first case, Alice is corrupted, and in the second case, Bob is corrupted. In each case, we can finally infer that equation (1) holds. erefore, we conclude that the algorithm Π is secure against semihonest adversaries. In [6], we can see more details about this proof. (1) At supplier: (2) Choose v, h, h 1 , r, β, ρ, ] ← $ and compute a commitment C � h r h b 1 ; Send the commitment C and V, U, W to PM (5) At PM: (6) Send a challenge e to the supplier; (7) At supplier: Proof. It is straightforward to demonstrate the security of BidRPrf against semihonest adversaries since it is constructed based on ZKPK. In the context of ZKPK, the corrupted party (the verifier) has no private input nor output. us, the only task for the simulator is to generate a view that is indistinguishable from the real execution. Having said this, it is easy for us to pick some random values and compute new values V * , U * , W * , e * , φ * r , φ * b , φ * v which are indistinguishable from V, U, W, e, φ r , φ b , φ v . In addition, due to the property of the semihonest model which follows the protocol rules exactly, the values V * , U * , W * , e * , φ * r , φ * b , φ * v can be validated successfully. erefore, BidRPrf is secure against semihonest adversaries.

Theorem 2. MinValSel (Algorithm 1) is secure against semihonest adversaries.
Proof. Messages which are transmitted between Alice and Bob are encrypted by the semantically secure Paillier cryptosystem and are uniformly distributed in the ciphertext space Z n 2 . e result of MinValSel is revealed to determine the index of the minimum value on the ciphertexts. Note that the random masked technique we leverage will not thwart the security guarantees. In addition, the garbled circuits (e.g., the minimum circuit and the comparison circuit) which are adopted in this paper have been proved to be secure against semihonest adversaries in [19]. us, based on the foundation of Lemma 1 and sequential composition theory [20], MinValSel is secure against semihonest adversaries.

Theorem 3. CloPCmp (Algorithm 3) is secure against semihonest adversaries.
Proof. In Algorithm 3, messages are exchanged between PM and PA. By masking with some random values, messages that are sent from PM to PA include B 0 , B 1 , . . . , B n−1 , which are uniformly distributed in the ciphertext space Z n 2 . Messages that are sent from PA to PM include B * 0 B * 0 , B * 1 B * 1 , . . . , B * n−1 B * n−1 , which are encrypted by the semantically secure Paillier cryptosystem. Moreover, Min-ValSel has been proved to be secure against semihonest adversaries. erefore, on the basis of Lemma 1 and sequential composition theory [20], CloPCmp is secure against semihonest adversaries.

Efficiency Analysis.
We individually measure each phase of SPCTR to derive the computation and communication complexities and then we measure the overall computation and communication complexities.
Bids' range proof: the computation and communication complexities of this phase are mainly derived from Algorithm 2. is phase is executed by the suppliers and PM to validate whether the bids are in the required range. In terms of the computation overhead from each supplier, besides the regular modular operations, it requires 8 exponentiation operations, 3 multiplication operations, and 3 subtraction operations. Additionally, for PM, it requires 6 exponentiation operations. For the concerns of communication overhead, each supplier and PM need to exchange 7 values. Hence, the computation and communication complexities in this phase are both O(m).

Parameter Settings.
To demonstrate the practicality in the real world, the core cryptographic operations of SPCTR are prototypically implemented by Java. All the experiments were executed in a laptop with Intel i7-6560U CPU, 2.20 GHz clock. e parameters of SPCTR are sized as follows.
e Paillier cryptosystem is implemented with a 1024-bit modulus, and 80-bit wire labels are used for garbled circuits.
We are mainly concerned with two metrics: the computation time and communication cost in the performance evaluation. We set the system parameters as follows. e number of suppliers m varies from 200 to 2000. e lowest bid b spans from 50 to 500 and the highest bid b spans from 1000 to 10000. Moreover, the bit length l of a bid b i is set from 32 to 82. e bit length k of a masked random value r i is 30 bit longer than l so that k varies from 62 to 112. We set the default values of suppliers m, the lowest bid b, the highest bid b, and the bit length l as 200, 100, 10000, and 32, respectively. All experimental results are based on the average values of 10 runs. Moreover, we compare the experimental results of our scheme with other SOTA (state-of-the-art) works including SDSA [21] and PS-TAHES [6]. It is shown in Figure 7 that fixing the following factors, including the number of suppliers m � 200, the pre-tender t � 1000, and the bid range [b, tb] � [100, 10000], we select (l, k) in pairs. To keep the same statistical security level, the bit length of k is 30 bit longer than l. erefore, for a l-bit b and a k-bit r, the masked value b + r provides a statistical security of 2 l− k for b. In the experiments, the bit lengths (l, k) are varied from (32, 62) to (82, 112). We observe that the computation time increases almost linearly with the bit lengths (l, k) since the bit length increment affects the running time of operating on the bids, e.g., bid range validation in BidRPrf and ciphertext multiplication in CloPCmp. However, the communication cost almost remains the same with the bit lengths (l, k).

Computation Time and Communication
is result is consistent with the aforementioned analysis that each supplier and PM need to exchange 7 values in BidRPrf. Moreover, in CloPCmp, the size of 2m data is transmitted between PM and PA. In the experiments which are implemented using Java, we use a constant number of BigInteger to store these values. erefore, the communication cost is a constant irrespective of the bit lengths (l, k).
In Figure 8, we observe two main results. First, fixing the factor of the bid range, the computation time and communication cost increase linearly with the number of suppliers m. However, fixing the value of m, the computation time and communication cost are slightly affected by the bid range. erefore, we validate that it is the number of suppliers m rather than the bid range that determines the cost of validating a bid whether it is in a specified range or not.

Range Proof.
In the decomposition-commitment-based range proof, the secret is decomposed into individual bits. en, we demonstrate the commitments of these bits implying the number in the range [22,23]. Instead of binary decomposition, the works of multibase decomposition are presented. e secret is decomposed in base-u (u is a chosen integer). en, commitments of these u-ary digits are constructed to prove that each committed digit is indeed a digit in base-u [24,25]. Although progress has been made so far, decomposition-commitment-based range proof is computationally expensive. Alternately, the idea of signature-based range proof is using the signatures of all the integers in a public interval [26,27].

Sealed-Price Auction.
Sealed-price auction is one common form of secure computations [28][29][30]. Since the seminal Yao's work in 1982 [17], there is a surge of extensive research endeavors in the sealed-price auction design [3][4][5]. In [6], garbled circuits are proposed to resolve the problem of secure sealed-bid comparison. In [7], Kolesnikov et al. constructed a secure comparison garbled circuit. To extend more secure implementations of garbled circuits, a minimum value selection circuit is proposed in [11].

Conclusion
In this paper, we have presented SPCTR, the first sealed-bid auction-based procurement bidding system with range validation. Different from previous works, SPCTR provides full privacy protection for the bid comparison while enabling the bid range validation without leaking the secret bids. SPCTR is constructed by leveraging carefully designed secure cryptographic tools. en, security analysis and performance analysis are presented. Later on, extensive experiments are conducted to verify the practicality of SPCTR. In comparison with the previous works, SPCTR can achieve sealed-bid comparison and range validation with much less computation time and communication cost.

Data Availability
e data used to support the findings of this study are included within the article.

Conflicts of Interest
e authors declare that they have no conflicts of interest.