Professional Documents
Culture Documents
2327-4662
c 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: Raytheon Technologies. Downloaded on May 19,2021 at 16:03:23 UTC from IEEE Xplore. Restrictions apply.
ZHANG et al.: ENABLING PROXY-FREE PRIVACY-PRESERVING AND FEDERATED CROWDSOURCING BY USING BLOCKCHAIN 6625
1) There does not exist a central trusted authority that we mainly review some state-of-the-art works in three primary
can perform faithful key management and authorization areas: 1) task matching in crowdsourcing; 2) blockchain; and
among brokers. Existing privacy-preserving solu- 3) SE schemes.
tions [7]–[9] rely on a trusted proxy-server to perform
key management and secure task matching. However, in A. Task Matching in Crowdsourcing
a federated blockchain-based platform, it is difficult for
Research on task matching in crowdsourcing has become
a centralized third party to be trusted by various systems.
an emerging trend since the introduction of crowdsourcing.
2) There is no protection of the confidentiality of task
Crowdsourcing platforms often assign tasks to workers based
indices and matching results recorded on the blockchain,
on their interests or search history [13] but ignore the privacy
because of the transparency of the data recorded on the
issues that arise during this process. As the data submitted
blockchain.
by participants usually contain sensitive information such as
3) It is difficult to prevent a broker from accessing the on-
geographic locations and health metrics [14], it is undesired
chain data even after its query authorization is revoked.
to be exposed to public or untrusted brokers. To address this
In this article, we propose the first proxy-free privacy-
problem, some efforts [15], [16] have been made to design
preserving and federated crowdsourcing platform. It utilizes
privacy-preserving crowdsourcing systems. To et al. [17]
the blockchain as the underlying platform to interconnect
proposed a privacy-aware crowdsourcing system based on dif-
multiple brokers to form a loosely coupled federation. To
ferential privacy and geocasting to protect the location privacy
enable secure task matching across different brokers with-
of workers. In the follow-up design [16], Shen et al. designed
out involving a third-party authority, we propose to use
a secure and efficient task recommendation protocol that uti-
the rewritable deterministic hashing (RDH) [10] technique
lizes additive homomorphic encryption with the assistance of a
to design an on-chain authorization protocol among feder-
semihonest third party. However, the above-mentioned works
ated brokers. We combine RDH with searchable encryption
only consider the privacy of workers but ignoring the task
(SE) [11] to construct encrypted task indices so that privacy-
privacy. To enhance security, Shu and Jia [8] proposed to uti-
preserving task matching can be performed efficiently on the
lize the proxy reencryption technique to ensure the privacy
blockchain platform. For practical consideration, we further
of both workers and tasks when performing encrypted task
propose a secure revocation mechanism based on the punc-
recommendations. In [18], they further extended their scheme
turable encryption scheme [12]. Our proposed scheme ensures
to support proxy-free task matching with efficient revocation.
that once a broker is revoked, it cannot use its previously
Despite extensive research on privacy-preserving crowdsourc-
assigned secret keys to decrypt the newly generated task
ing, these prior works require a centralized trusted authority
ciphertexts. In summary, the main contributions of this article
to perform key management, which is not suitable for our
are as follows.
federated setting.
1) We propose a proxy-free privacy-preserving and fed-
In our federated crowdsourcing system, the access control
erated crowdsourcing framework by using blockchain.
of tasks is an important issue to be considered in the task-
It allows task matching across multiple brokers while
matching process. It is important to ensure that the tasks posted
preserving the privacy of tasks and workers. It ensures
by one broker can only be accessed by its authorized brokers.
that each search query submitted by a broker shall
Recently, some studies proposed to utilize the attribute-based
include all the correct results from other authorized
encryption (ABE) [19] technique to prevent unauthorized users
brokers.
from accessing data. However, this method incurs high com-
2) We devise a secure authorization search scheme that
putation cost when the data owner revokes authorization to
allows authorized brokers to search on-chain task indices
certain users [20]. In the follow-up design [12], Green and
without involving a central trusted authority.
Miers introduced the notion of puncturable encryption, which
3) We design an efficient authorization revocation scheme
can be viewed as a brilliant point in this design space. In this
that prevents a revoked broker from accessing any new
design, users can conveniently revoke the decryption capabil-
task-matching results.
ity for selected information by puncturing their secret keys.
The remainder of this article is organized as follows.
Along this research direction, several studies [21], [22] have
Section II reviews the related work. Section III presents the
been conducted to utilize this cryptographic primitive in dif-
system model, threat model, and preliminaries and formal-
ferent scenarios. However, no existing study has focused on
izes the target problem. Section IV introduces the design
utilizing this technique to implement the authorization-based
of our proposed proxy-free privacy-preserving and federated
task-matching service, which is the focus of this article.
crowdsourcing system. In Section V, we present the details
of our proposed system. The security analysis is conducted
in Section VI and the performance evaluation is shown in B. Blockchain and Smart Contract
Section VII. Finally, we conclude this article in Section VIII. The boom of cryptocurrencies, such as Bitcoin [28] and
Ethereum [29] vigorously promotes the development of
blockchain. To make the blockchain more powerful, some
II. R ELATED W ORK blockchain platforms, such as Ethereum and Hyperledger [30]
Our work involves a wide range of designs and techniques introduced the smart contract. Recently, some blockchain-
from applied cryptography and the blockchain. In this section, based crowdsourcing systems have been proposed. To
Authorized licensed use limited to: Raytheon Technologies. Downloaded on May 19,2021 at 16:03:23 UTC from IEEE Xplore. Restrictions apply.
6626 IEEE INTERNET OF THINGS JOURNAL, VOL. 8, NO. 8, APRIL 15, 2021
TABLE I TABLE II
C HARACTERISTICS OF R EPRESENTATIVE B LOCKCHAIN -BASED G LOSSARY
C ROWDSOURCING S CHEMES
Fig. 1. System architecture. single-user settings. In this case, data owners holding their
respective secret keys can only search or update their own
data. To broaden the application scope, some recent studies
make a clear comparison, we summarize the representative have focused on the research of encrypted search in multiuser
blockchain-based crowdsourcing schemes and compare their scenarios [37]–[40]. Blaze et al. [37] first introduced the con-
features in Table I. Li et al. [23] proposed a blockchain- cept of proxy reencryption, which was later improved by
assisted framework for crowdsourcing without relying on any Bao et al. [38] to implement encrypted search in a multiuser
third authority. Wu et al. [26] designed a blockchain-based scenario. However, due to the deterministic of the proxy reen-
task recommendation scheme for crowdsourcing, where the cryption algorithm, it suffers from statistical attacks [39].
task-matching process is reliable and transparent. However, Later, Popa and Zeldovich [41] introduced a multikey SE
these works only focus on using the blockchain to replace scheme that allows users to search for data encrypted by dif-
the existing centralized crowdsourcing platform but still lock ferent keys. However, the design cannot support the revocation
requesters and workers in an individual crowdsourcing system. of sharing, and its security notion has deficiencies in real
Guo et al. [7] proposed a federated and privacy-preserving settings [42]. Very recently, Patel et al. [10] devised RDH,
crowdsourcing platform, which utilizes the blockchain as which supports dynamic sharing and unsharing of documents
the underlying platform to perform secure task matching. amongst users. It can be regarded as an important starting
However, this work relies on a trusted third party to perform point in this design field. Nevertheless, directly applying this
key management, which may not exist in the federated set- scheme in our federated crowdsourcing scenario can leak the
ting. In this article, we utilize the blockchain to interconnect relation between on-chain task indices and task specifications
different brokers to form a federated crowdsourcing platform before searching, because of the deterministic of the RDH
without involving any trusted third party. algorithm. Therefore, there is a great need to devise a secure
search scheme for our federated crowdsourcing scenario.
C. Searchable Encryption
SE schemes [11], [31] enable untrusted servers to search
III. P ROBLEM D EFINITION AND P RELIMINARIES
directly over encrypted data without server-side decryption. It
can be considered as the cornerstone for implementing secure A. System Model and Problem Definition
task-matching services in crowdsourcing. Song et al. [32] As shown in Fig. 1, our system consists of four enti-
first proposed the notion of symmetric SE (SSE), and then ties: 1) task requesters; 2) workers; 3) brokers; and 4) the
many works have been carried out in this direction [33]–[36]. blockchain platform. Table II shows the notations used in this
Curtmola et al. [35] introduced the formal security definition article.
of SSE. In the follow-up design, Cash et al. [34] presented the 1) Task requesters are the users who post their crowdsourc-
first SSE scheme that supports conjunctive search and gen- ing tasks to the platform.
eral boolean queries. However, early studies of SSE mainly 2) Workers are the users who would like to take the
focus on the directions of query and update operations in crowdsourcing tasks matching their interests.
Authorized licensed use limited to: Raytheon Technologies. Downloaded on May 19,2021 at 16:03:23 UTC from IEEE Xplore. Restrictions apply.
ZHANG et al.: ENABLING PROXY-FREE PRIVACY-PRESERVING AND FEDERATED CROWDSOURCING BY USING BLOCKCHAIN 6627
3) Brokers are the servers that perform match between tasks 3) Task requesters and workers are honest in the sense that
and workers and recommend workers with matched they will submit valid task information and interests,
tasks. respectively.
4) Blockchain (and smart contract) is the platform that
interconnects all brokers to form a federated crowd- C. Preliminaries
sourcing system. The SC is a piece of predefined Puncturable Encryption: Puncturable encryption is an asym-
program deployed on the blockchain that automatically metric encryption scheme that prevents the decryption of some
executes the terms. ciphertexts by puncturing the secret key. It consists of four
In this privacy-preserving crowdsourcing system, a task functions: 1) PPKE.KeyGen; 2) PPKE.Enc; 3) PPKE.Pun;
requester posts a task, with a task identifier (denoted by Tid ) and 4) PPKE.Dec, defined as follows.
and the task specification. The task specification is represented 1) {PK, SK0 } ← PPKE.KeyGen(1λ , d) takes input as a
by a set of keywords, denoted by W(Tid ) = {w1 , w2 , . . . , wm }. security parameter λ and a positive integer d, which
Each worker has its interests, also represented by a set of key- denotes the maximum number of tags in each cipher-
words. For the ease of presentation of our scheme, we assume text, and outputs a public key PK and an initial secret
each worker’s interest is represented by one keyword, denoted key SK0 .
by w . Note that our solution can easily handle the case of 2) SKi ← PPKE.Pun(PK, SKi−1 , t) takes input as a public
multiple keywords of worker’s interest by repeatedly search- key PK, a secret key SKi−1 , and a tag t and outputs a
ing the multiple keywords. The task requesters and workers new secret key SKi . SKi is able to decrypt all ciphertexts
encrypt their task specifications and interests by using a deter- so long as tag t is not included in the encryption list.
ministic encryption method. Let W denote the
(Tid ) and w
3) m ← PPKE.Enc(PK, m, t1 , . . . , td ) takes input as a
ciphertext of W(Tid ) and w , respectively. public key PK and a plaintext m, together with a list of
Each task requester (and each worker) is registered with tags t1 , . . . , td , and outputs the ciphertext m. Any secret
a broker (called its home broker). The task requester and the key whose associated tag t is in the list cannot decrypt
worker submit the ciphertexts to their respective home brokers. the ciphertext m.
A broker can authorize other brokers to search its task indices. 4) m ← PPKE.Dec(PK, SKi , m, t1 , . . . , td ) takes input as
Let B denote the set of brokers in our system. Once broker a public key PK, a secret key SKi , and a ciphertext m,
bi ∈ B authorizes broker bj ∈ B, all workers registered with together with its tag list t1 , . . . , td , and outputs plaintext
broker bj are able to search tasks posted to bi . We assume m or ⊥ if the decryption failed.
there does not exist a central trusted authority in the system. In our design, we utilize the puncturable encryption tech-
The problem of our concern is that, given a worker submit- nique to prevent brokers from decrypting task information after
, its home broker is able to search
ted its encrypted interest w their authorization is revoked. Each broker uses the algorithm
all brokers that have authorized to it and return to the worker PPKE.KeyGen to generate its public key and master secret
the complete list of tasks matching its interest w , subject to
key, and utilizes the algorithm PPKE.Pun to generate secret
meeting the following requirements. keys for its authorized brokers. In the algorithm PPKE.Pun,
1) Privacy Preserving: No broker or other party can obtain the assigned secret key of each authorized broker is punctured
information about tasks and workers. by a unique tag. The algorithms PPKE.Enc and PPKE.Dec
2) Verifiability and Correctness: The completeness and are used to encrypt and decrypt search results, respectively. In
correctness of search results shall be guaranteed. the algorithm PPKE.Enc, the search result is associated with
3) Secure Revocation: A revoked broker is not able to a list of tags. If one broker whose assigned secret key is punc-
obtain any search results after its revocation. tured by a tag in the tag list, the broker cannot decrypt the
search result using PPKE.Dec with its assigned secret key.
B. Threat Model To better understand our design, we refer the readers to [12]
for a complete description and proof of the security of the
We make the following threat assumptions regarding the puncturable encryption scheme.
parties involved in our system.
1) Brokers are honest but curious. They will honestly fol-
IV. D ESIGN OF P ROXY-F REE P RIVACY-P RESERVING AND
low the predefined protocols but be curious about the
F EDERATED C ROWDSOURCING S YSTEM
sensitive information of the received tasks. Besides,
they are curious about the tasks posted by the brokers A. Overview of Our Design
who never authorize them or revoke their authorization. In our design, we utilize the blockchain as the underlying
Consistent with the security assumption in the previous platform to form a crowdsourcing federation. For the tasks
work [9], we assume that brokers do not collude with uploaded by the task requesters to their home brokers, brokers
other parties. construct encrypted task indices independently and publish
2) Peer nodes of the blockchain are potential adversaries. them on the blockchain. To enable other brokers to search,
They honestly execute the predefined task-matching pro- each broker authorizes the other brokers and posts the autho-
tocols but intend to learn sensitive on-chain information, rization information on the blockchain. The SC deployed on
including task indices, authorized lists, query transac- the blockchain is agreed by all brokers. It performs the cross-
tions, and task-matching results. broker encrypted search according to the authorization among
Authorized licensed use limited to: Raytheon Technologies. Downloaded on May 19,2021 at 16:03:23 UTC from IEEE Xplore. Restrictions apply.
6628 IEEE INTERNET OF THINGS JOURNAL, VOL. 8, NO. 8, APRIL 15, 2021
form task-worker matching. SC has four functions, namely, search token as input. SC will go through the authorized list
Authorized licensed use limited to: Raytheon Technologies. Downloaded on May 19,2021 at 16:03:23 UTC from IEEE Xplore. Restrictions apply.
ZHANG et al.: ENABLING PROXY-FREE PRIVACY-PRESERVING AND FEDERATED CROWDSOURCING BY USING BLOCKCHAIN 6629
Algorithm 1: Initialization
Input: Secure PRF G1 , the set of brokers B.
Output: Public key PKbi , master secret key SKbi ,
∀bi ∈ B.
1 (g, G) ← GG(1 );
λ
Authorized licensed use limited to: Raytheon Technologies. Downloaded on May 19,2021 at 16:03:23 UTC from IEEE Xplore. Restrictions apply.
6630 IEEE INTERNET OF THINGS JOURNAL, VOL. 8, NO. 8, APRIL 15, 2021
when bj decrypts the task-matching result. After obtaining all for bj by puncturing its master secret key SKbi on tj . With the
task-matching results ({T L, TS} pairs), SC records the result assigned secret key, bj is able to decrypt the ciphertexts gener-
set on the blockchain. ated by bi . Meanwhile, to enable bj to search the task indices
Revocation(bi , bj ): Given bi and bj , SC revokes the autho- generated by it, bi calculates the authorization ticket Abi →bj
rization of bi to bj by deleting Abi →bj in bj ’s authorized and calls the SC function SC.Authorization to add Abi →bj into
list. bj ’s authorized list. In this way, the SC is able to access the
task indices posted by bi in the task-matching process.
Task Publication: Algorithm 3 shows the detailed process
B. Construction of Secure Task-Matching Scheme of task publication. To enable other brokers to search and pro-
We now describe the detailed construction of our proposed tect the sensitive information of tasks, bi needs to encrypt its
secure task-matching scheme. This scheme consists of five constructed index Ibi and then post it on the blockchain. The
algorithms: 1) initialization; 2) authorization; 3) task pub- detailed construction of encrypted task indices to be discussed
lication; 4) task matching; and 5) authorization revocation, in Section V-C. After constructing the encrypted index Ibi , bi
discussed as follows. calls the SC function SC.Index-Update to upload the index I bi
Initialization: In the system initialization phase, brokers to the blockchain.
generate public keys, master secret keys, and corresponding Task Matching: Algorithm 4 shows the secure task-matching
parameters, as shown in Algorithm 1. Specifically, on input process. When broker bj receives a search query about interest
a security parameter λ, brokers first select generator g from submitted by a worker, it generates the search token tk and
w
the group G. Then, each broker bi ∈ B generates its public calls the SC function SC.Task-Matching to perform the on-
key PKbi and master secret key SKbi using PPKE.KeyGen, chain search. For the encrypted search results recorded on the
and selects parameter nbi . t0bi is a distinguished tag maintained blockchain, bj can decrypt them using its previously assigned
by bi . UTbi is used to record the set of tags, which has been secret keys.
used by bi . bi adds t0bi into UTbi to ensure that tag t0bi will not Authorization Revocation: The details of authorization revo-
be assigned to other brokers. Finally, the SC function SC.Setup cation are presented in Algorithm 5. To revoke its authorization
Authorized licensed use limited to: Raytheon Technologies. Downloaded on May 19,2021 at 16:03:23 UTC from IEEE Xplore. Restrictions apply.
ZHANG et al.: ENABLING PROXY-FREE PRIVACY-PRESERVING AND FEDERATED CROWDSOURCING BY USING BLOCKCHAIN 6631
Algorithm 4: Task Matching task identifiers into TL by concatenation and determines the
, broker bj ∈ B.
Input: Secure PRFs {G1 , G2 }, interest w set of tags TS associated with TL. The number of tags in TS
Output: List of task identifiers. is nbi , which is a parameter selected by bi . The tag set TS
1 Calculate tk ← w · F 2 ; includes all tags in RTbi . According to the theory of punc-
bj
turable encryption, to ensure the encryption of TL, bi needs to
2 Call SC.Task-Matching(bj , tk);
add nbi − |RTbi | tags to TS if nbi > |RTbi |. For TL, its cipher-
3 Read T on the blockchain;
text T L generated by using PPKE.Enc(PKbi , TL, TS) is in the
4 for each pair of {TL, TS} in T do
form of
5
b
TL ← PPKE.Dec(PKbi , SKbij , T L, TS);
// decrypt the tasks posted by TL = ct(1) , ct(2) , ct(3,1) , . . . , ct 3,nbi . (5)
broker bi We can observe that the length of T L is related to the
value of nbi . To preserve that adversaries cannot obtain T L
before searching, we further utilize G2 (tp||s) as an over-
Algorithm 5: Authorization Revocation lay to mask ct(1) , where G2 is a different PRF from G1 .
Input: Tag set RTbi , broker bi , bj ∈ B. Let P = G2 (tp||s) ⊕ ct(1) . Then, the task index Ibi can be
Output: Tag set RTbi . constructed as
// bi revokes its authorization to
<G1 (tp s), P, ct(2) , ct(3,1) , . . . , ct 3,nbi , TS >. (6)
bj .(performed by bi )
1 bi adds tj to RTbi ; For the search query of broker bj , if (2) holds, the SC can
2 Call SC.Revocation(bi , bj ); obtain matched ciphertexts
Ibi [G1 (tp s)], and then recover T
L
in the following way:
T L ← ct(1) = P ⊕ G2 (tp||s), ct(2) , ct(3,1) , . . . , ct 3,nbi
to bj , bi just needs to add the tag associated with bj to RTbi
(7)
and call the SC function SC.Revocation to delete Abi →bj in
bj ’s authorized list. Once tj is added in RTbi , bj can no longer With the recovered T L and TS in Ibi [G1 (tp||s)], bj is able to
b
decrypt the indices newly posted by bi using its previously
decrypt TL with its previously assigned secret key SKbij .
b
assigned secret key SKbij . Discussions: nbi is an important parameter selected by bi .
It not only affects the length of ciphertexts but also deter-
C. Construction of On-Chain Task Indices mines the maximum number of brokers that bi can revoke
with its current keys. As we mentioned above, the length of
We now introduce the detailed construction of on-chain task
T L increases with the growing value of nbi . Meanwhile, the
indices. As we mentioned in Section IV-B, to enable other
number of tags in RTbi cannot exceed nbi . Once the number of
brokers that are authorized by bi to search, the column of
w·F 1
w·F 1 brokers whose authorization has been revoked by bi is greater
keyword w in Ibi is transformed into g bi in Ibi , where g bi than nbi (|RTbi | exceeds nbi ), bi needs to call the function
is a deterministic value about w. However, the operation of PPKE.KeyGen to generate new keys and redistribute secret
task publication is an online process, the deterministic prop- keys to its authorized brokers. Note that as the revocation
erty of keyword transformation will lead to task information of authorization among brokers does not happen frequently,
leakage, as adversaries can know the relation between indices the overhead caused by key reassignments is acceptable for
and keywords by observing the on-chain task indices with no brokers. After this point, the set RTbi is emptied and bi can
need to search. To cope with this problem, we introduce the continue to easily revoke its authorization to a broker by
state variable in our design and utilize the SSE technique to adding the broker’s tag into RTbi .
enhance security. Specifically, each broker (say bi ) maintains
a state table Sbi , where each keyword is associated with a
VI. S ECURITY A NALYSIS
unique state variable s which is initialized to 0. For ease of
w·F 1 In this section, we provide a rigorous security analysis to
explanation, we call g bi in (2) the search trapdoor tp for
demonstrate the security guarantees of our proposed scheme.
keyword w, which is calculated by bi . When generating new
Recall that we uniquely bridge the RDH and SSE schemes to
task indices about w, bi concatenates the state variable corre-
design the secure task-matching protocols. The RDH scheme
sponding to w with trapdoor tp, and updates the value of s by
can effectively prevent brokers without authorization from
adding 1 for each index. As shown in lines 3–6 in Algorithm 3,
learning the content of task indices. Meanwhile, the SSE
before constructing task indices about w, bi needs to obtain
scheme enables the SC to securely perform task matching
the current value of s corresponding to w. Finally, the column
while protecting on-chain data privacy. Following the security
of keyword in Ibi is the form of G1 (tp s).
notion of SE schemes [35], we formally analyze the secu-
To reduce the cost of posting task indices and defense statis-
rity guarantees following the adopted cryptographic primitives.
tical inference attacks [39], bi divides TL( w), the set of tasks
First, we define the setup leakage LStp for a given task index
about w, into several blocks with the same length, as shown in
Ibi constructed by broker bi as
Algorithm 3. p is used to record the number of tasks in each
batch, which is chosen by bi . For each block, bi packages all LSetup =
Abi
, |L|, |P|n
Authorized licensed use limited to: Raytheon Technologies. Downloaded on May 19,2021 at 16:03:23 UTC from IEEE Xplore. Restrictions apply.
6632 IEEE INTERNET OF THINGS JOURNAL, VOL. 8, NO. 8, APRIL 15, 2021
where |Abi | is the size of the authorized list of bi , and as L = G1 (gF /T ), where F is a random string from the sim-
|L|, |P|n are ciphertext lengths of n label-task pairs. When ulated list Abi and G1 is a random oracle. The result can be
a broker bj sends a search transaction for the keyword w , the simulated as P = G2 (L ) ⊕ γ , where G2 is a random oracle
view of an adversary is defined in the leakage L Match as and γ is a random string. The simulation can be extended to a
number of adaptive queries. When conducting the authoriza-
L Match
= bj , tk , Abj , L, Pq
tion update, the updated list can be simulated from LUpdate
where {bj , tk} are the search tokens, Abj is the matched autho- just like mentioned in the build procedures. The new entry is
rized list, and L, Pq are q the matched task index entries. simulated by using new random strings and recorded in the
When updating the authorized list of broker bi , the leakage list. Due to the pseudorandomness of PRF and the semantic
function LUpdate captured by an adversary is defined as security of symmetric encryption, C should not be able to dis-
tinguish the outputs of the real experiment Real (k) and the
LUpdate = op, Abi
simulated one Ideal,C ,S (k). This completes the proof.
where op ∈ {add, revoke} denotes update operations for autho-
rization, and Abi is the updated entry of the authorization VII. E XPERIMENTAL E VALUATION
index A. Following the simulation-based security definition
in [43], we give the formal security definition as follows. A. Prototype Implementation
Definition 1: Let = (Init, Aut, TaskPub, TaskMatch, To access the performance of our design, we implement
Revoc) be our scheme for secure task-matching services, the prototype in python and utilize Solidity1 to construct the
and let LSetup , LMatch , and LUpdate be the leakage functions. SC of Ethereum, with about 2500 lines of codes. We deploy
We define the following probabilistic experiments Real (k) the SC on the Ethereum TestRPC and run our experiment on
and Ideal,C ,S (k) with a probabilistic polynomial time (PPT) a laptop with an Intel Core i5-8279U processor (2.4 GHz),
adversary C and a PPT simulator S. 16-GB RAM, 4 Intel cores i5, and a MAC 10.15.1 operat-
Real (k): C selects a task index Ibi and asks the bro- ing system. The average block time for mining is set to one
ker bi to build the real authorized list and indices via second. In this experiment, we utilize the data set of a real
Init, Aut, TaskPub, and Revoc algorithms with the private crowdsourcing platform Upwork to evaluate the performance.
key k. Then, C adaptively conducts a polynomial number of For cryptographic primitives, we utilize the pycrypto library2
queries via TaskMatch algorithm. Finally, C returns a bit as to implement pseudorandom functions and symmetric encryp-
the output. tion via Web3.keccak and AES, respectively. Besides, we use
Ideal,C ,S (k): C selects a task set Ibi , and S simulates the functions in pypbc library3 to implement the puncturable
indices for C based on LSetup . From LUpdate , S can update encryption.
the authorized list. Then, C adaptively performs a polyno-
mial number of queries. From the leakage LMatch in each task B. Performance Evaluation
matching request, S simulates tokens and ciphertexts, which
Local Performance Evaluation: To evaluate the performance
are processed over the simulated indices. Finally, C returns a
of our design, we first assess its off-chain performance from
bit as the output.
the perspective of task index encryption, task index decryption,
is a (LSetup , LMatch , LUpdate )-secure scheme, if for all
task index initialization, adding new task indices, task match-
PPT adversaries C, there exists a simulator S such that:
ing, and authorization. In our design, after receiving the tasks
Pr[Real (k) = 1] − Pr[Ideal,C ,S (k) = 1] ≤ negl(k), where
uploaded by task requesters, brokers generate task indices and
negl(k) is a negligible function in k.
use the puncturable encryption to encrypt the packed task iden-
Theorem 1: is a (LSetup , LMatch , LUpdate )-secure scheme
tifiers. In Table III, we first analyze the change in task index
under the random-oracle model if {G1 , G2 } are secure PRFs.
encryption and decryption latency with the number of indices.
Proof: We prove the existence of a simulator S such
The value of nbi for all brokers bi ∈ B is set to 3. As shown
that for all polynomial-time adversaries C, the outputs of
in Table III, it only takes about 2.9 and 4.7 s to encrypt and
Real (k) and Ideal,C ,S (k) are computationally indistin-
decrypt 300 task indices, which is practical to use for brokers.
guishable. Given LSetup , the simulator S generates the sim-
We further evaluate the task index initialization latency
ulated authorized list and indices, which are indistinguishable
under the varying number of indices. Task index initializa-
from the real one. It initializes a dictionary with n entries,
tion describes the process of generating indices for all existing
where each entry contains |L| and |P| bits random strings
tasks when constructing the system. The results show that the
as the simulated indices. Meanwhile, It simulates an indistin-
time cost of task index initialization increases slightly with the
guishable authorized list, containing |Abi |-bit random strings
growing number of task indices. Specifically, it takes around
with equal length to the real one. From LMatch , S can simu-
0.891 s to complete the initialization of 2000 task indices. In
late the first query and its corresponding results. In particular,
Table III, we also investigate the incremental scalability of our
for each token in the query, it generates a random string as
design by measuring the latency for adding new task indices.
a simulated token for the simulated indices. S operates a
After receiving a certain batch of new tasks, brokers aggregate
random oracle to point at randomly selected entries in the
dictionary and reveals the same simulated results to match 1 Online at: https://solidity.readthedocs.io/en/develop/.
the real ones observed from the leakage LMatch . The token is 2 Online at: https://pypi.org/project/pycrypto/.
selected by a random string T , and the label can be simulated 3 Online at: https://github.com/debatem1/pypbc.
Authorized licensed use limited to: Raytheon Technologies. Downloaded on May 19,2021 at 16:03:23 UTC from IEEE Xplore. Restrictions apply.
ZHANG et al.: ENABLING PROXY-FREE PRIVACY-PRESERVING AND FEDERATED CROWDSOURCING BY USING BLOCKCHAIN 6633
TABLE III
O FF -C HAIN P ERFORMANCE E VALUATION
Fig. 4. On-chain performance evaluation. (a) Task indices initialization. (b) Task publication latency of broker bi versus nbi . (c) Authorization latency. (d) Add
authorization latency. (e) Task-matching latency versus the number of matching tasks. (f) Task-matching latency versus the number of brokers. (g) Throughput
comparison. (h) Gas consumption.
their received tasks with the same task requirement and gen- task matching, and gas cost of the implemented contract on
erate encrypted task indices. The time cost of adding new task Ethereum.
indices consists of generating on-chain task indices and updat- We first measure the transaction confirmation time of task
ing the local state table. We then evaluate the task-matching indices initialization. As shown in Fig. 4(a), even when the
latency with the growing number of matching tasks. We can task index load is heavy, the task index initialization can be
see that the task matching operation is extremely fast. fast. The time cost of posting 500 on-chain task indices is
We also measure the local authorization latency when vary- about 5.5 s, which is quite modest for blockchain-based appli-
ing the number of brokers. We consider that all brokers cations. Recall that we utilize the packing method to package
have authorized each other. As shown in Table III, with the multiple task identifiers corresponding to the same keyword
increase in the number of brokers, there is a rapid growth into one so that the actual number of posted tasks is much
in the authorization latency. Meanwhile, we can observe that more than the number of indices.
the relationship between authorization latency and the num- We also investigate the impact of the value of nbi on the time
ber of brokers is nonlinear. This is because the authorization cost of task publication for broker bi . As we discussed before,
operation among brokers is pair to pair. nbi is related to the length of ciphertext and the maximum
On-Chain Performance Evaluation: In our design, bro- number of brokers that bi can revoke. To revoke more brokers
kers require to post encrypted task indices, authorization without the need to redistribute secret keys, bi can choose a
information, and query requests on the blockchain for relatively large nbi , while accepting the increase in latency
authorization-based task-matching service. To assess the utility caused by it. Fig. 4(b) shows that when publishing the same
and overhead of our design, we further evaluate its on- number of indices, the confirmation time of posting on-chain
chain performance in terms of task publication, authorization, task indices grows with the increase of the value of nbi . As
Authorized licensed use limited to: Raytheon Technologies. Downloaded on May 19,2021 at 16:03:23 UTC from IEEE Xplore. Restrictions apply.
6634 IEEE INTERNET OF THINGS JOURNAL, VOL. 8, NO. 8, APRIL 15, 2021
nbi increases, the length of ciphertext and the number of tags it takes an upward trend as the number of matching results
maintained in the task index also grow. Thus, it takes more increases. This is because the number of returned results does
time to record these on-chain task indices on the blockchain. not reach the processing threshold of task-matching operation
Meanwhile, we can see that when the value of nbi raises from at this time. As the number of matching indices continues to
1 to 9, the confirmation time for publishing 500 task indices increase, the throughput of searching multiple interests will
only increases by less than 2 s, which is acceptable for brokers. witness a gradual growth and then become stable when its
We further evaluate the authorization process on the threshold is reached.
blockchain. As shown in Fig. 4(c), the transaction confirmation To further assess the practicality of our design, Fig. 4(h)
time of on-chain authorization follows a similar upward trend plots the gas cost of our implemented SC on Ethereum. In this
as the number of brokers increases. Specifically, the latency experiment, the gas price is set to 1 Gwei and the exchange
for generating authorized lists for 14 brokers is less than 4 s, rate is 1 ether = $223.99 at the time of writing. Following this
which is quite fast for our federated crowdsourcing scenario. setting, the capital cost of SC deployment, authorization, post-
In Fig. 4(d), we also measure the dynamic change of the on- ing task indices, authorization revocation, and task matching
chain authorized lists. Observing the results, we can see that as are about $0.816, $0.071, $0.191, $1.563, and $0.241, respec-
the number of brokers joining the system increases, the latency tively. According to the evaluation results, we can confirm that
of authorizing these brokers grows gradually. Meanwhile, the the capital cost is not a burden for brokers.
results also show that when new brokers join the system, it
takes more time for all brokers to authorize these newly added
VIII. C ONCLUSION
brokers than only one broker to authorize them.
To gain a deeper understanding of the performance, we In this article, we proposed a proxy-free privacy-preserving
accordingly measure the task-matching latency when varying and federated crowdsourcing platform, which supports cross-
the number of brokers, search queries, and matching results. broker encrypted task-matching and secure authorization revo-
Fig. 4(e) depicts the change in task-matching latency under cation with the assistance of the blockchain. Specifically, we
the varying number of search requests and matching indices. first utilized the enhanced RDH technique to devise a proxy-
It can be seen from the results that when the number of free authorization scheme. Then, we combined the RDH and
search queries remains the same, the confirmation time of task SE schemes to design the privacy-preserving task-matching
recommendation increases as the number of matching tasks protocols over federated brokers. Besides, we further adopted
grows. We note that the confirmation time of task matching the puncturable encryption technique to implement secure
includes the time to search and record the search results on authorization revocation. A thorough security analysis was
the blockchain. Meanwhile, the results also present that when provided to show the security strengths of our design. The
the number of matching indices remains the same, the task- practicality and efficiency of our design were also demon-
matching latency takes an upward trend with the increasing strated by extensive evaluations and experiments. In future
number of search queries. The reason is that for each search work, we plan to explore advanced SE schemes to support
query, the SC needs to traverse the authorized list of the broker other rich query functions, such as range queries.
that submits the query and then calculate trapdoors to ensure
that each broker can only obtain the tasks that they are autho- R EFERENCES
rized to access. Thus, the search latency increases slightly as
[1] J. Howe, “The rise of crowdsourcing,” IEEE Wired Mag., vol. 53, no. 10,
the number of search queries raises. Fig. 4(f) presents the pp. 1–14, Jan. 2006.
query latency under the various number of brokers and match- [2] (2005). Amazon Mechanical Turk. [Online]. Available:
ing results. From the figure, we can find that the latency for https://www.mturk.com
[3] (2015). Pavemint. [Online]. Available: https://www.pavemint.com/
task matching rises marginally with the number of brokers in [4] (2015). CrowdFlower. [Online]. Available: https://www.
the system. This is because as the number of brokers increases, crowdflower.com
the number of elements in the authorized list also grows. It [5] D. Yuan, Q. Li, G. Li, Q. Wang, and K. Ren, “PriRadar: A privacy-
preserving framework for spatial crowdsourcing,” IEEE Trans. Inf.
tasks more time to generate search trapdoors when the length Forensics Security, vol. 15, pp. 299–314, 2020.
of the authorized list increases. Besides, we can also observe [6] X. Xu, Q. Liu, X. Zhang, J. Zhang, L. Qi, and W. Dou, “A
that the number of matching indices has a greater impact on blockchain-powered crowdsourcing method with privacy preservation in
mobile environment,” IEEE Trans. Comput. Soc. Syst., vol. 6, no. 6,
query latency than the number of brokers. It demonstrates pp. 1407–1419, Dec. 2019.
that most of the search latency are generated by calculat- [7] Y. Guo, H. Xie, Y. Miao, C. Wang, and X. Jia, “FedCrowd:
ing matching task labels and recording search results on the A federated and privacy-preserving crowdsourcing platform on
blockchain,” IEEE Trans. Services Comput., early access, Oct. 14, 2020,
blockchain. doi: 10.1109/TSC.2020.3031061.
To evaluate the efficiency of our design, we further com- [8] J. Shu and X. Jia, “Secure task recommendation in crowdsourcing,” in
pare the throughput of on-chain task matching when varying Proc. IEEE GLOBECOM, 2016, pp. 1–6.
the number of search queries and matching indices, which is [9] J. Shu, X. Jia, K. Yang, and H. Wang, “Privacy-preserving task recom-
mendation services for crowdsourcing,” IEEE Trans. Services Comput.,
shown in Fig. 4(g). The results show that when searching for early access, Jan. 10, 2018, doi: 10.1109/TSC.2018.2791601.
one interest, our task-matching scheme can process over 90 [10] S. Patel, G. Persiano, and K. Yeo, “Symmetric searchable encryption
entries per second when the number of matching results more with sharing and unsharing,” in Proc. ESORICS, 2018, pp. 207–227.
[11] R. Curtmola, J. A. Garay, S. Kamara, and R. Ostrovsky, “Searchable
than 600. Moreover, the figure also shows that the through- symmetric encryption: Improved definitions and efficient constructions,”
put for searching multiple interests is much less than 90 and in Proc. CCS, 2006, pp. 79–88.
Authorized licensed use limited to: Raytheon Technologies. Downloaded on May 19,2021 at 16:03:23 UTC from IEEE Xplore. Restrictions apply.
ZHANG et al.: ENABLING PROXY-FREE PRIVACY-PRESERVING AND FEDERATED CROWDSOURCING BY USING BLOCKCHAIN 6635
[12] M. D. Green and I. Miers, “Forward secure asynchronous messaging [42] P. Grubbs, R. McPherson, M. Naveed, T. Ristenpart, and V. Shmatikov,
from puncturable encryption,” in Proc. IEEE S&P, 2015, pp. 305–320. “Breaking Web applications built on top of encrypted data,” in Proc.
[13] V. Ambati, S. Vogel, and J. G. Carbonell, “Towards task recommendation ACM CCS, 2016, pp. 1353–1364.
in micro-task markets,” in Proc. AAAI, 2011, pp. 1–4. [43] D. Cash et al., “Dynamic searchable encryption in very-large databases:
[14] P. Créquit, G. Mansouri, M. Benchoufi, A. Vivot, and P. Ravaud, Data structures and implementation,” in Proc. NDSS, 2014, p. 853.
“Mapping of crowdsourcing in health: Systematic review,” J. Med. [44] C. Zhang, Y. Guo, H. Du, and X. Jia, “PFcrowd: Privacy-preserving
Internet Res., vol. 20, no. 5, p. e187, 2018. and federated crowdsourcing framework by using blockchain,” in Proc.
[15] H. To, G. Ghinita, L. Fan, and C. Shahabi, “Differentially private loca- IWQOS, 2020, pp. 1–10.
tion protection for worker datasets in spatial crowdsourcing,” IEEE
Trans. Mobile Comput., vol. 16, no. 4, pp. 934–949, Apr. 2017.
[16] Y. Shen, L. Huang, L. Li, X. Lu, S. Wang, and W. Yang, “Towards
preserving worker location privacy in spatial crowdsourcing,” in Proc.
IEEE GLOBECOM, 2015, pp. 1–6.
[17] H. To, G. Ghinita, and C. Shahabi, “A framework for protecting worker
location privacy in spatial crowdsourcing,” Proc. VLDB Endow., vol. 7,
no. 10, pp. 919–930, 2014.
[18] J. Shu, K. Yang, X. Jia, X. Liu, C. Wang, and R. Deng, “Proxy-free Chen Zhang (Graduate Student Member, IEEE)
privacy-preserving task matching with efficient revocation in crowd- received the B.E. degree in network engineer-
sourcing,” IEEE Trans. Depend. Secure Comput., vol. 18, no. 1, pp. ing from the Harbin University of Science and
117–130, Jan./Feb. 2021. Technology, Harbin, China, in 2017, and the M.E.
[19] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in Proc. degree in computer technology from Harbin Institute
EUROCRYPT, 2005, pp. 457–473. of Technology (Shenzhen), Shenzhen, China, in
[20] J. Hur and D. K. Noh, “Attribute-based access control with efficient 2019. She is currently pursuing the Ph.D. degree
revocation in data outsourcing systems,” IEEE Trans. Parallel Distrib. with the Department of Computer Science, the City
Syst., vol. 22, no. 7, pp. 1214–1221, Jul. 2011. University of Hong Kong, Hong Kong.
[21] J. Wei, X. Chen, J. Wang, X. Hu, and J. Ma, “Forward-secure punc- Her research interests include mobile-edge com-
turable identity-based encryption for securing cloud emails,” in Proc. puting and blockchain.
ESORICS, 2019, pp. 134–150.
[22] T. V. X. Phuong, W. Susilo, J. Kim, G. Yang, and D. Liu, “Puncturable
proxy re-encryption supporting to group messaging service,” in Proc.
ESORICS, 2019, pp. 215–233.
[23] M. Li et al., “CrowdBC: A blockchain-based decentralized framework
for crowdsourcing,” IEEE Trans. Parallel Distrib. Syst., vol. 30, no. 6,
pp. 1251–1266, Jun. 2019.
[24] Y. Lu, Q. Tang, and G. Wang, “ZebraLancer: Private and anonymous
crowdsourcing system atop open blockchain,” in Proc. IEEE ICDCS, Yu Guo (Member, IEEE) received the B.E. degree in
2018, pp. 853–865. software engineering from Northeastern University,
[25] S. Han, Z. Xu, Y. Zeng, and L. Chen, “FLUID: A blockchain Shenyang, China, in 2013, and the M.Sc. degree in
based framework for crowdsourcing,” in Proc. ACM SIGMOD, 2019, electronic commerce and the Ph.D. degree in com-
pp. 1921–1924. puter science from City University of Hong Kong,
[26] Y. Wu, S. Tang, B. Zhao, and Z. Peng, “BPTM: Blockchain-based Hong Kong, in 2014 and 2019, respectively.
privacy-preserving task matching in crowdsourcing,” IEEE Access, He is currently a Lecturer with the School of
vol. 7, pp. 45605–45617, 2019. Artificial Intelligence, Beijing Normal University,
[27] W. Feng and Z. Yan, “MCS-chain: Decentralized and trustworthy mobile Beijing, China. He has also been a Postdoctoral
crowdsourcing based on blockchain,” Future Gener. Comput. Syst., and Research Fellow with the City University of
vol. 95, pp. 649–666, Jun. 2019. Hong Kong. His research interests include cloud
[28] (2009). The Bitcoin Project. [Online]. Available: https://bitcoin.org/en computing security, network security, privacy-preserving data processing, and
[29] (2014). The Ethereum Project. [Online]. Available: https://ethereum.org blockchain technology.
[30] (2015). The Hyperledger Project. [Online]. Available: Dr. Guo is a co-recipient of the Best Paper Award of MMM 2016 and IEEE
https://hyperledger.org ICDCS 2020.
[31] Z. Zhang, J. Wang, Y. Wang, Y. Su, and X. Chen, “Towards efficient
verifiable forward secure searchable symmetric encryption,” in Proc.
ESORICS, 2019, pp. 304–321.
[32] D. X. Song, D. A. Wagner, and A. Perrig, “Practical techniques for
searches on encrypted data,” in Proc. IEEE S&P, 2000, pp. 13–18.
[33] R. Bost, B. Minaud, and O. Ohrimenko, “Forward and backward pri-
vate searchable encryption from constrained cryptographic primitives,”
in Proc. ACM SIGSAC, 2017, pp. 1465–1482.
[34] D. Cash, S. Jarecki, C. S. Jutla, H. Krawczyk, M. Rosu, and M. Steiner, Xiaohua Jia (Fellow, IEEE) received the B.Sc.
“Highly-scalable searchable symmetric encryption with support for and M.Eng. degrees from the University of
Boolean queries,” in Proc. CRYPTO, 2013, pp. 353–373. Science and Technology of China, Hefei, China, in
[35] R. Curtmola, J. A. Garay, S. Kamara, and R. Ostrovsky, “Searchable 1984 and 1987, respectively, and the D.Sc. degree in
symmetric encryption: Improved definitions and efficient constructions,” information science from the University of Tokyo,
J. Comput. Security, vol. 19, no. 5, pp. 895–934, 2011. Tokyo, Japan, in 1991.
[36] S. Kamara, C. Papamanthou, and T. Roeder, “Dynamic searchable He is currently the Chair Professor with the
symmetric encryption,” in Proc. ACM CCS, 2012, pp. 965–976. Department of Computer Science, City University
[37] M. Blaze, G. Bleumer, and M. Strauss, “Divertible protocols and atomic of Hong Kong, Hong Kong. His research interests
proxy cryptography,” in Proc. EUROCRYPT, 1998, pp. 127–144. include cloud computing and distributed systems,
[38] F. Bao, R. H. Deng, X. Ding, and Y. Yang, “Private query on encrypted computer networks, wireless sensor networks, and
data in multi-user settings,” in Proc. ISPEC, 2008, pp. 71–85. mobile wireless networks.
[39] M. Naveed, S. Kamara, and C. V. Wright, “Inference attacks on property- Dr. Jia is an Editor of the IEEE T RANSACTIONS ON PARALLEL AND
preserving encrypted databases,” in Proc. ACM CCS, 2015, pp. 644–655. D ISTRIBUTED S YSTEMS from 2006 to 2009, Wireless Networks, Journal
[40] Q. Wang, Y. Guo, H. Huang, and X. Jia., “Multi-user forward of World Wide Web, and Journal of Combinatorial Optimization. He is the
secure dynamic searchable symmetric encryption,” in Proc. NSS, 2018, General Chair of ACM MobiHoc 2008, a TPC Co-Chair of IEEE MASS 2009,
pp. 125–140. IEEE GlobeCom 2010-Ad Hoc, and Sensor Networking Symposium, an Area-
[41] R. A. Popa and N. Zeldovich, “Multi-key searchable encryption,” in Chair of IEEE INFOCOM 2010, and a Panel Co-Chair of IEEE INFOCOM
Proc. IACR Cryptol. ePrint Archive, vol. 2013, 2013, p. 508. 2011. He is a Fellow of the IEEE Computer Society.
Authorized licensed use limited to: Raytheon Technologies. Downloaded on May 19,2021 at 16:03:23 UTC from IEEE Xplore. Restrictions apply.
6636 IEEE INTERNET OF THINGS JOURNAL, VOL. 8, NO. 8, APRIL 15, 2021
Cong Wang (Fellow, IEEE) received the B.E. Hongwei Du (Senior Member, IEEE) received
degree in electronic information engineering and the B.S. degree in computer science and technol-
M.E. degree in communication and information ogy from Huazhong Normal University, Huazhong,
System from Wuhan University, Hubei, China, and China, in 2003, and the Ph.D. degree in computer
Ph.D. degree in electrical and computer engineer- science from the City University of Hong Kong,
ing from the Illinois Institute of Technology, Illinois, Hong Kong, in 2008.
USA. He is currently an Associate Professor with the
He is currently an Associate Professor with the Department of Computer Science, Harbin Institute
Department of Computer Science, City University of Technology (Shenzhen), Shenzhen, China. He has
of Hong Kong, Hong Kong. His research has been authored or coauthored over 100 articles in refereed
supported by multiple government research fund international journals and conferences. His current
agencies, including National Natural Science Foundation of China, Hong research interests include the wireless networks, social network analysis,
Kong Research Grants Council, and Hong Kong Innovation and Technology mobile-edge computing, and algorithm analysis and design.
Commission. His current research interests include data and network security,
blockchain and decentralized applications, and privacy-enhancing technolo-
gies.
Dr. Wang received the Outstanding Researcher Award (junior faculty)
in 2019, the Outstanding Supervisor Award in 2017, and the President’s
Awards in 2019 and 2016, all from City University of Hong Kong. He is
a co-recipient of the IEEE INFOCOM Test of Time Paper Award 2020,
the Best Student Paper Award of IEEE ICDCS 2017, and the Best Paper
Award of IEEE ICPADS 2018 and MSN 2015. He is one of the Founding
Members of the Young Academy of Sciences of Hong Kong. He serves/has
served as an Associate Editor for IEEE T RANSACTIONS ON D EPENDABLE
AND S ECURE C OMPUTING , IEEE I NTERNET OF T HINGS J OURNAL , and
IEEE N ETWORKING L ETTERS, and a TPC co-chair for a number of IEEE
conferences/workshops. He is a member of ACM.
Authorized licensed use limited to: Raytheon Technologies. Downloaded on May 19,2021 at 16:03:23 UTC from IEEE Xplore. Restrictions apply.