A FAIR E-TENDERING PROTOCOL
Vijayakrishnan Pasupathinathan, Josef Pieprzyk
ACAC, Department of Computing, Macquarie University, Sydney, Australia
Huaxiong Wang
Division of Mathematical Sciences, Nanyang Technological University, Singapore
Keywords:
e-tendering, e-procurement, fairness, anonymous token system.
Abstract:
Fairness in electronic tendering is of utmost importance. Current proposals and implementations do not pro-
vide fairness and are vulnerable to collusion and favouritism. Dishonest participants, either the principal or
tenderer can collude to alter or view competing tenders which would give the favoured tenderer a greater
chance of winning the contract. This paper proposes an e-tendering system that is secure and fair to all par-
ticipants. We employ the techniques of anonymous token system along with signed commitment approach
to achieve a publicly verifiable fair e-tendering protocol. We also provide a analysis that confirms that our
e-tendering protocol achieves the claimed security goals.
1 INTRODUCTION
Procurement is acquisition of works, supplies or
services by public bodies, and tendering is con-
sidered one of the fairest means of awarding con-
tracts to obtain such services. Electronic procure-
ment has received considerable attention from gov-
ernments (Public Works Canada, 2008; Inst. Info. In-
dustry, 1998; NSW Government, 2008), because of
obvious cost savings that are obtained by automat-
ing tendering and payment processes with electronic
tools. Although this interest from government have
led to development of various commercial and non-
commercial e-tendering systems around the world,
only parts of e-tendering process have been success-
fully deployed. In (Head, 2003), John Barnard refers
to discrepancy in usage of e-tendering scheme. He
observed that, although more than 75% of tenders are
electronically advertised, less than 40% provide elec-
tronic documentation required by the tender process
and less than 20% make electronic tender submis-
sions.
This may in part be explained, by concerns regard-
ing security, and availability of resources to help with
e-tender submission and review. Many e-tendering
security concerns are similar to other electronic com-
merce systems and they normally relate to inadequate
guaranteesfor confidentiality, authentication and non-
repudiation. But, the prime security issue, that has
been the main obstacle in a wide adoption of e-
tendering, is the lack of fairness of the e-tendering
process. A secure e-tendering solution should support
both fairness and transparency in order to guarantee
tenderers to see progress of their submission process-
ing. It is also important that when disputes arise, an e-
tendering system should be able to provide a full his-
tory of the events leading up to contract award which
can be publicly verified without compromising confi-
dentiality or privacy.
RELATED WORK. Most studies related to e-
procurement have mainly been in the field of elec-
tronic contracting and did not address security issues
that are unique to e-tendering. The evident gap in
the literature prompted Du et al. (Du et al., 2004b;
Du et al., 2005) and Betts et al. (Betts et al., 2006)
to define some of the security requirements for an e-
tendering system and later to propose a submission
protocol (Du et al., 2004a). Though, these studies
addresses some important security requirements that
new and existing e-tendering systems should satisfy,
they do not address the issues concerning the fairness
and transparency of the e-tendering process. An es-
sential ingredient to provide fairness is anonymity of
an e-tender submission, as anonymity guarantees that
all submitted tenders will be treated in the same unbi-
ased way. Also, because of the legal status of awarded
294
Pasupathinathan V., Pieprzyk J. and Wang H. (2008).
A FAIR E-TENDERING PROTOCOL.
In Proceedings of the International Conference on Security and Cryptography, pages 294-299
DOI: 10.5220/0001918602940299
Copyright
c
SciTePress
tenders, it is also essential for an e-tendering system
to provide good auditing and public verification of
tender award process that also meets evidentiary re-
quirements in courts of law.
This paper addresses the issue of providing
anonymity to an e-tender submission. We define fair-
ness and provide the necessary constructs to achieve
fairness in an e-tendering system. We also provide a
complete set of security requirements and present an
e-tendering system that satisfies those requirements.
ORGANISATION. Section 2 provides a overview
of main components in an e-tendering system and de-
fines its security requirements. In Section 3 we de-
scribe our proposal for a secure e-tendering system.
We make a security analysis of our proposed system
in Section 4, and finally conclude in Section 5.
2 BACKGROUND AND
SECURITY REQUIREMENTS
Current e-tendering systems attempt to mirror the tra-
ditional tendering system. The main parties in an e-
tendering system are the principal and the tenderers.
The principal advertises tender requests and accepts
submissions from tenderers. On receiving the submis-
sions the principal performs tender evaluations and
selects the winning tender. Many of the current e-
tendering systems have been implemented on the as-
sumption that tendering systems are similar to auc-
tion systems. In the next section we first highlight
the main differences between an auction and tender-
ing systems, we then provide an overview of a generic
e-tendering system and the remaining of the section
we summarise the main security goals that should be
satisfied when designing an e-tendering system.
2.1 e-Tendering vs. Auction Systems
Though tendering systems do share some of the prop-
erties of auction systems, there are some security con-
siderations that are different. We also evaluate se-
lected seal-bid auction protocols proposed in the lit-
erature as they enforce privacy of competitor bids.
There are a variety of auction systems such as
English, Vickery, Sealed-Bid, Dutch, Sealed-Double
etc. , and each system has distinctive goals and em-
ploy decision strategies depending on its own rules.
In a traditional auction system the auctioneer sells the
product to a bidder who has placed the highest bid
value. Except for sealed-bid auction systems, the bid-
ing value generally are not confidential, on the con-
trary it is made public so as to receive the highest
possible bid. This is fundamentally different to an e-
tendering scheme where, the tender value should re-
main secret from other tenderer. In a traditional auc-
tion system the bid values are opened by the auction-
eer before the auction closing time, whereas in a ten-
dering system, it is important that the principal does
not know any tender values before tender submission
deadline. If this security consideration is not taken
into account, the tendering system is vulnerable to
collusion between the principal and its favourite ten-
derer.
A seal-bid auction system also shares some se-
curity properties that are applicable even to an e-
tendering system. Particularly, in both an e-tendering
system and a seal-bid auction system, there is a need
to prevent other system participants accessing a tender
(bid) submission. The authors in (Franklin and Reiter,
1996) presented a sealed-bid auction system based on
threshold secret sharing of bidding price using verifi-
able signatures to provide non-repudiation. But their
proposal does not protect the privacy of losers and
losing bids. To preserve fairness in an e-tendering
system it is essential that privacy of even losing ten-
derers are preserved. In (Cachin, 1999), Cachin pro-
posed an auction system using homomorphic encryp-
tion with an hiding assumption and an oblivious third
party. But this scheme cannot reveal the winning price
but only identifies the winner, and thus is their sys-
tem is vulnerable to bidder repudiation. In (Juels and
Szydlo, 2003) Juels et al. proposed an auction system
with proxy oblivious transfer. However, the scheme is
not publicly verifiable, therefore such auction system
when applied to e-tendering compromise the guaran-
tees provided to tenderers. It is essential that tran-
scripts generated in an e-tendering system are pub-
licly verifiable without compromising the privacy of
tender submissions or tenderers, as this provides con-
fidence to all parties involved that an e-tendering pro-
cess is being carried out in a fair and secure manner.
2.2 Security Requirements
Similar to other electronic commerce systems like
e-payments, e-auctions etc. An e-tendering is re-
quired to address generic security requirements like
confidentiality, integrity, authentication and non-
repudiation. As tendering is carried over insecure net-
works, the e-tendering system should provide com-
munication security which protects information that
is sent, between all participants. This is gener-
ally achieved by using a strong encryption. It is
also essential that an e-tendering system provides
strong storage security, as submissions are stored in
a database. Below we provide a definition for fair-
A FAIR E-TENDERING PROTOCOL
295
ness that an e-tendering system should satisfy, but we
refer the reader to the full version of paper (Pasupathi-
nathan et-al., 2008) for a more detailed analysis on the
security requirements in an e-tendering system.
Definition 2.1. An e-tendering system is fair, if and
only if:
1. It is impossible for a principal to obtain any infor-
mation about a submitted tender before the tender
submission deadline, or obtain the true identity of
a tenderer without participation from either the
tenderer or the registrar.
2. It is impossible for a corrupt participant to obtain
(or issue) a valid tender, or prohibit a honest par-
ticipant from obtaining a valid contract.
3 PROTOCOL DESCRIPTION
Our e-tendering system consists of three phases: ten-
derer registration, tender submission and, wining ten-
derer trace. The aim of the system is, when a principal
announces the winning tender, every participants (in-
cluding the principal) is convinced that the tendering
process was carried out in fair and transparent man-
ner. In this section we first describe our protocol. For
this purpose, we combine the techniques of offline e-
cash (Frankel et al., 1996) by Frankel et al. and add
signed commitment to tenders, using ideas from Ped-
erson (Pedersen, 1991).
3.1 System Setting
The system consists of a principal P , tenderer T
i
(where the index i runs from 1,...,n) and a trusted
third party called registrar R . A suitable prime or-
der subgroup, G of Z
p
, of order q is chosen, such
that p = 2q + 1 is a large prime and where the dis-
crete logarithm problem is intractable. Suitable gen-
erators g, g
1
and g
2
are chosen such that log
g
g
1
is not
known to any entity. A cryptographically strong hash
function IHI : {0, 1}
Z
q
is chosen and the tuple
(p,q,g,g
1
,IHI) is published.
The public key of the principal P is, PK
P
= g
SK
P
,
where, SK
P
is the corresponding private key. The
public keys of the registrar R is, PK
R
= g
SK
R
,
PK
1
R
= g
SK
R
1
, and PK
2
R
= g
SK
R
2
and public key of
a tenderer T
i
is, PK
T
i
= g
SK
T
i
. The tenderer also
computes z = (PK
1
R
)
SK
T
i
· PK
2
R
3.1.1 Notations
R
, represents the action of choosing uniformly
at random.
A B, represents a message being send from en-
tity A to entity B.
A : represents operations performed by entity A.
?
= and
?
6= are the testing operations for equality and
non-equality, respectively.
SIGN
k
hMi is the signature operation on message
M using key k.
3.2 Registration
During the registration phase a tenderer T
i
iden-
tifies himself/herself and presents the tuple
(PK
T
i
,
CERT
hPK
T
i
i) to the registrar and obtains a
restrictive blind signature (Brands, 1993) on a
pseudonym. The restrictive blind signature restrict
the pseudonym to be of the form I = (PK
T
i
g
1
)
s
.
The value of I is formed by the tenderer and never
revealed to the registrar. We can express this phase
as, “a tenderer T
i
engages in the registration protocol
with the registrar R using a random value s (known
only to T
i
) to obtain a restrictive blind signature on
the pseudonym I, signed using the registrar secret key
SK
R
, but where the value of I is known only to T
i
.
The following step are involved in the registration
protocol:
1. R : w
R
Z
q
; a
= g
w
; b
= (PK
T
i
g
2
)
w
2. R T
i
: a
,b
3. T
i
: s
R
Z
q
; I = (PK
T
i
g
2
)
s
; z = z
s
;
x
1
,x
2
,u,v
R
Z
q
; B
1
= g
x
1
1
,B
2
= g
x
2
2
; B = [B
1
,B
2
];
a = (a
)
u
,g
v
; b = (b
)
su
I
v
; c = IHI(I,B, z,a,b);
c
= c/u;
4. T
i
R : c
5. R : r
= c
SK
R
+ w
6. R T
i
: r
7. T
i
: r = r
u+ v mod q ; g
r
?
= PK
c
R
a
;
(PK
T
i
g
2
)
r
?
= z
c
b
The signature on value (I,B) = (z,a,b, r) satisfies the
relations g
r
= PK
IHI(I,B,z,a,b)
R
a and I
r
= z
IHI(I,B,z,a,b)
b.
3.3 Submission
The submission consists of two sub phases. Phase
one involves the tenderer making a commitment to
SECRYPT 2008 - International Conference on Security and Cryptography
296
participate in the tendering process. After the submis-
sion deadline has elapsed, phase two begins, during
which the tenderer reveals his/her commitment, thus
revealing his/her tender details.
Phase One: During this phase the tender iden-
tifies himself/herself to the principal and commits
on the tender details. T
i
engages in the protocol to
convince the principal about the correctness of the
pseudonym I. If this phase is successful, then the
protocol transcript will contain I
1
= g
u
1
s
1
and I
2
= g
s
2
,
such that I = I
1
I
2
. T
i
also creates a hash value m
of its tender documents (M), and commits this value
(m). We shall express this phase as, a tenderer T
i
engages in phase one of the submission protocol with
the principal P , using R certified (I), secret val-
ues (s,SK
T
i
), and the tender details M, to generate
proof transcripts, which contains the encryption of
T
i
s identity under public key of the registrar PK
2
R
, and
a signed commitment on M using the secret keys of
the tenderer”. The following are the steps involved in
phase one of submission protocol:
1. T
i
: I
1
= g
u
1
s
1
; I
2
= g
s
2
; m
R
Z
q
;
D
1
= PK
T
i
g
PK
2
R
m
; D
2
= g
m
2
;
2. T
i
P : I
1
,I
2
,I,B,(z,a,b,r),D
1
,D
2
3. P : I
?
= I
1
I
2
; I
?
6= 1 ;
SIGN
PK
R
h(I, B)i
?
= (z, a,b,r);
d = H(I
1
,B
1
,I
2
,B
2
,PK
P
,date/time) ;
s
0
,s
1
,s
2
R
Z
q
D = D
s
0
1
g
s
1
2
D
s
2
2
; f = (PK
2
R
)
s
0
g
s
2
2
4. P T
i
: d, f,D
5. T
i
: V = H(D
s
/ f
ms
); r
1
= d(u
1
s) + x
1
; r
2
= ds+
x
2
;
m = IHI(M),α,γ
1
,γ
2
R
Z
q
;
S = g
m
g
α
1
mod p; T = g
γ
1
g
γ
2
1
mod p
c = H(I
1
,I
2
,S, T);
s
1
= γ
1
cu
1
s mod q ; s
2
= γ
2
cs mod q ;
t
1
= s mc mod q ; t
2
= s αc mod q
6. T
i
P : r
1
,r
2
,S,t
1
,t
2
,c,V
7. P : V
?
= H(I
s
0
1
I
s
1
2
); g
r
1
1
?
= I
d
1
B
1
; g
r
2
2
?
= I
d
2
B
2
;
c
?
= H(I
1
,I
2
,S, (SI
1
I
2
)
c
g
t
1
g
t
2
mod p)
8. P T
i
:
SIGN
SK
P
hS,t
1
,t
2
,c,I
1
,I
2
,g,g
1
i
Phase Two: This phase begins after the submis-
sion deadline has passed. The principal contacts the
tenderer and request them to provide their tenders cor-
responding to their commitment in phase one. We
shall express this phase as, the tenderer T
i
engages
in phase two of the submission protocol with the prin-
cipal P , by revealing the tender details and α, to ob-
tain a proof of tender submission acceptance, signed
using the secret key of the principal (SK
P
)”.
1. T
i
P : M,α
2. P : m = IHI(M)
S = g
m
g
α
1
; s
1
= t
1
+ αc mod q ; s
2
= t
2
+ mc
mod q;
c
?
= H(I
1
,I
2
,S, (I
1
I
2
)
c
g
s
1
g
s
2
1
mod p)
3. P T
i
:
SIGN
SK
P
hS,s
1
,s
2
,c,I
1
,I
2
i
When all tenders have been received, the principal be-
gins tender evaluation procedure and announces the
winning tender. Note that the anonymity of the win-
ning tenderer need not be revoked, but generally in
government procurement the identity is made public.
To do so, the principal contacts the registrar and per-
form the trace protocol.
3.4 Trace
The trace protocol is invoked when the principal has
announced the winning tender and would like to trace
the real identity of the winning tenderer (PK
T
i
) that
corresponds to the pseudonym I. The trace protocol
may also be invoked in case of disputes (such as, no
communication from the winning tenderer after an-
nouncement of results). We shall express this phase
as, a principal P or any judicial authority engages in
a trace protocol with R to obtain the identity PK
T
i
us-
ing R certified(I), and proofs obtained during the
submission protocol”.
1. P R : I,B,(z,a,b, r),I
1
,I
2
,r
1
,r
2
,
S,t
1
,t
2
,D
1
,D
2
2. R : I
?
= I
1
I
2
; I
?
6= 1 ;
SIGN
PK
R
h(I, B)i
?
= (z, a,b,r);
d
= H(I
1
,B
1
,I
2
,B
2
,PK
P
,date/time) ;
g
r
1
1
?
= I
d
1
B
1
; g
r
2
2
?
= I
d
2
B
2
;
PK
T
i
= D
1
/D
SK
R
2
3. R P :
SIGN
R
hPK
T
i
i
REMARK: Two cases of disputes can occur in the
e-tendering system, (A) the winning tenderer does not
respond to a principal’s announcement, (B) the win-
ning tender is denied the contract. In the former case,
the principal contacts the registrar and runs the trace
protocol to obtain the true identity of the winning ten-
derer and, in the later case, the tenderer needs to con-
tact R or a judicial authority by producing the signed
proof obtained at the end of phase two of the submis-
sion protocol and identifies himself/herself using the
A FAIR E-TENDERING PROTOCOL
297
pseudonym I
1
, and proves that the winning tender be-
longs to him/her.
4 SECURITY ANALYSIS
Theorem 4.1. (Fairness) The e-tendering system de-
scribe in Section 3 is fair.
In order to prove our proposed system is fair, we
have to prove mainly two things (cf. Definition 2.1),
(A) a principal is unable to obtain any information
regarding the tender before tender opening time (ten-
der hiding) or tenderers details until the principal has
made a decision on the tender (anonymity), and (B) a
corrupt participant does not gain any advantage. We
make use of the following theorems.
Theorem 4.2. (Hiding) Given the tuple (S, T,t
1
,t
2
) it
is infeasible to determine the value of m. Thereby, the
e-tendering system hides the value of m.
Proof. (Sketch) The commitment scheme belongs to
a class of three-pass, honest verifier zero knowledge
protocol. The protocol transcripts can be simulated by
calculating T = (SI
1
I
2
)
c
g
t
1
g
t
2
after choosing S,c,t
1
,t
2
.
As the protocol is zero-knowledge the value of m is
hidden from the principal (verifier) until the tender
submission time has elapsed.
Theorem 4.3. (Binding) If the value of the tuples
(S, T,c,t
1
,t
2
) cannot be altered, then the e-tendering
system possesses the properties required for binding
to the value of m.
This theorem follows trivially from the theorem
presented by Pedersen (Pedersen, 1991) (Theorem
3.1), which proves that the commitment scheme re-
veals no information about the value of m and such a
commitment scheme can later be opened by revealing
the value of m and α.
Theorem 4.4. If the discrete logarithm problem is
hard, a corrupt tenderer who does not know the pri-
vate keys of a honest tenderer can convince about the
commitment to the principal with a probability of 1/
2
|q|
, where |q| is bit size of q.
Proof. (Sketch) The proof follows from
(Viswanathan et al., 2000), a corrupt tenderer
can cheat the principal by guessing the challenge
correctly in advance and can form the correct
commitment transcript (From Theorem 4.2). If
|q| = log
2
q, then the number of legal challenges
will be of the form 2
|q|
. When the principal chooses
the challenges at random, the probability that a
corrupt tenderer will correctly guess the challenge is
1/2
|q|
.
Theorem 4.5. If El-Gamal encryption is secure, and
the discrete logarithm problem is intractable then, the
e-tendering system preserves tenderer anonymity.
Proof. The proof is by contradiction. Let us assume
that the principal can trace the user, i.e. given the view
of submission protocol, with non-negligible probabil-
ity η it can compute the true identity of the tenderer.
Let us also assume that the principal has access to a
polynomial time algorithm A , which on input (g,y),
produces an output x such that, x = log
g
y. For the
principal (who is the attacker on the protocol) to ob-
tain PK
T
i
, has two options. (A) The principal obtains
the secret key SK
R
of the registrar, using the algorithm
A with inputs (g
2
,PK
2
R
) and therefore can calculate
the value of D
1
and D
2
, thus can obtain the public
key PK
T
i
as in step 2 of the tracing protocol. (B)
The principal uses the algorithm A to solve for the
values (g,I
1
),(g,I
2
) and obtains the value of u
1
and
therefore can calculate PK
T
i
. Both of these options
depend on the existence of a polynomial time algo-
rithm A that can solve the discrete logarithm prob-
lem, which from our assumption, is hard. Therefore,
there exists no such algorithm A which a principal
has access to, that can solve the discrete logarithm
problem, and thus our e-tendering system preserves
tenderer anonymity.
REMARK 1: The confidentiality of the tender doc-
uments is provided by the hiding property, until the
tender submission closing time. Since, with an over-
whelming probability, only the tenderer can open the
commitment values correctly, the scheme provides
tenderer-controlled confidentiality. Our current pro-
posal does not address database security as it is out-
side the scope of this paper, but standard security
techniques should be employed to protect the contents
of databases used.
REMARK 2: Non-repudiation is provided by the
hiding property and tender binding is provided by
the non-transferability property of the e-cash scheme
which is dependent on the tenderer. To transfer cre-
dentials of a corresponding tender to another entity,
the tenderer would need to reveal his/her secret key
and the value of s. Thus a sealed tender is bound to
the real identity of the tenderer.
5 CONCLUSIONS
Electronic procurement has seen tremendous growth
in recent years and thus, there is a need for a secure
and fair system to award contracts. E-tendering has
the potential to deliver such as system in a convenient
SECRYPT 2008 - International Conference on Security and Cryptography
298
and transparent manner, and also provide confidence
to participants and creates a high degree of trust in the
process.
The goal of any electronic system trying to
achieve what has been traditionally carried out in the
brick-and-motor world should be, not only to repli-
cate the requirements of the traditional system but, to
improve the system to provide better services. We
have proposed an e-tendering system that achieves
such a goal. E-tendering systems previously pro-
posed do not adequately address the need for fair-
ness. Our proposal provides a publicly verifiable fair
e-tendering system that not only meets all the secu-
rity requirement of the traditional tendering system,
but offers new services such as anonymity and, ten-
dering hiding and binding.
REFERENCES
Angelov, S. and Grefen, P. (2001). B2b eContract handling
- a survey of projects, papers and standards. Technical
report, University of Twente, The Netherlands.
Betts, M., Black, P., Christensen, S., Dawson, E., Du, R.,
Duncan, W., Foo, E., and Gonz´alez Nieto, J. (2006).
Towards secure and legal e-tendering. In Special Issue
e-Commerce in Construction, volume 11, pages 89–
102. ITcon.
Boulmakoul, A. and Sall, M. (2002). Integrated contract
management. In 9th Workshop of HP OpenView Uni-
versity Association Online Conference.
Brands, S. A. (1993). Untraceable off-line cash in
walltes with observers. In Advances in Cryptology
- Crypto’93, volume 773, pages 302–318. Springer-
Verlag.
Cachin, C. (1999). Efficient private bidding and autions
with an oblivious third party. ACM Conference on
Computer and Communications Security’99, pages
120–127.
Du, R., Foo, E., , Gonz´alez Nieto, J., and Boyd, C.
(2005). Designing secure e-tendering systems. In
TrustBus’2005, Lecture Notes in Computer Science,
pages 70–79.
Du, R., Foo, E., Boyd, C., and Firzgerald, B. (2004a).
Secure communication protocol for preserving e-
tendering integrity. In Fifth Aisa-Pacific Industrial
Engineering and Management Systems Conference
(APIEMS’2004), volume 14, pages 16.1–16.15. Asia-
Pacific Industrial Engineering and Management Soci-
ety.
Du, R., Foo, E., Boyd, C., and Fitzgerald, B. (2004b).
Defining security services for electronic tendering.
In The Australasian Information Security Workshop
(ASIW2004), volume 32 of Conferences in Research
and Practice in Information Technology, pages 43–52.
Australian Computer Society.
Frankel, Y., Tsiounis, Y., and Yung, M. (1996). Indirect dis-
course proofs: Achieving efcient fair off-line e-cash.
In Kim, K., editor, Advances in Cryptology - ASI-
ACRYPT’96, number 1163, Berlin. Springer-Verlag.
Franklin, M. and Reiter, M. (1996). The design and imple-
mentation of a secure auction service. IEEE Transac-
tions on Software Engineering, 22(5):302–312.
Head, B. (2003). Love me e-tender.
http://www.theage.com.au/articles/
2003/08/18/1061059763517.html.
Insititute for Information Industry (1998). Report for The
Planning of Electric System of Government Procure-
ment. Public Contruction Commission (Taiwan R. O.
C.).
Juels, A. and Szdlo, M. (2003). A two-server, sealed-
bid auction protocol. Financial Cryptography’03,
page 72.
Liao, T. S., Wang, M. T., and Tserng, H. P. (2002). A
framework of electronic tendering for government
procuremnet: a lesson learned in taiwan. Automation
in Construction, (11):731–742.
Pasupathinathan, V.,Pieprzyk, J., and Wang, H. (2008). A
Fair E-tendering System. http://www.cprotocol.com.
New South Wales Government Australia (2008). NSW
government electroic procurement implemen-
tation strategy. http://www.cpsc.nsw.gov.au/e-
procurement/framework.htm.
Pedersen, T. (1991). Non-interactive and information theo-
retic secure verifiable secret sharing. In Feigenbaum,
J., editor, Advances in Cryptology - CRYPTO’91, Lec-
ture Notes in Computer Science. Springer-Verlag.
Public Works and Government Services Canada (2008).
MERX: Canada’s electronic tendering service.
http://www.merx.com/.
Viswanathan, K., Boyd, C., and Dawson, E. (2000). A
three phased scheme for seal bid auction system de-
sign. In Dawson, E., Clark, A., and Boyd, C., editors,
ACISP’2000, volume 1841 of Lecture Notes in Com-
puter Science, pages 412–426. Springer-Verlag.
A FAIR E-TENDERING PROTOCOL
299