
6624 IEEE INTERNET OF THINGS JOURNAL, VOL. 8, NO. 8, APRIL 15, 2021

Enabling Proxy-Free Privacy-Preserving and Federated Crowdsourcing by Using Blockchain

Chen Zhang, Graduate Student Member, IEEE, Yu Guo, Member, IEEE, Xiaohua Jia, Fellow, IEEE, Cong Wang, Fellow, IEEE, and Hongwei Du, Senior Member, IEEE

Abstract—With the rapid development and widespread application of crowdsourcing, the limitations of traditional systems are gradually exposed. First, traditional systems fail to protect the privacy of task requesters and workers. They typically rely on a centralized server to aggregate the task content and workers’ interests, while these data contain sensitive information. Second, crowdsourcing resources in each system are isolated. The tasks in one system cannot reach potential workers in other systems. Thus, there is a great need to build a new privacy-preserving and federated crowdsourcing system. However, the existing privacy-preserving solutions rely on a trusted third party to perform key management, which is not applicable in a federated setting. To this end, we propose the first proxy-free privacy-preserving and federated crowdsourcing system. It interconnects the existing crowdsourcing systems and can perform encrypted task matching across various systems without relying on a trusted third-party authority. Our main idea is to achieve federated crowdsourcing by moving secure task matching to the trusted smart contract. To get rid of the dependence on the trusted authority, we combine the rewritable deterministic hashing technique with searchable encryption schemes to achieve secure on-chain task-matching authorization. Moreover, we utilize the puncturable encryption technique to implement secure authorization revocation. We formally analyze the security of our design and implement a prototype on Ethereum. Evaluation results demonstrate that our design is secure and efficient for blockchain-based crowdsourcing.

Index Terms—Blockchain, federated crowdsourcing, puncturable encryption, rewritable deterministic hashing (RDH), searchable encryption (SE).

Manuscript received October 19, 2020; revised December 14, 2020; accepted January 6, 2021. Date of publication January 13, 2021; date of current version April 7, 2021. This work was supported in part by the Fundamental Research Funds for the Central Universities; in part by the Shenzhen Basic Research Program under Grant JCYJ20190806143011274; in part by the National Natural Science Foundation of China under Grant 61772154 and Grant 61572412; in part by the Research Grants Council of Hong Kong under Grant CityU 11208917, Grant CityU 11212717, Grant CityU 11217819, Grant CityU 11217620, and Grant CityU C1008-16G; and in part by the Innovation and Technology Commission of Hong Kong through ITF Project under Grant ITS/145/19. This article was presented in part at the IEEE/ACM International Symposium on Quality of Service (IWQoS’20). (Corresponding author: Yu Guo.)

Chen Zhang, Xiaohua Jia, and Cong Wang are with the Department of Computer Science, City University of Hong Kong, Hong Kong (e-mail: c.zhang@my.cityu.edu.hk; csjia@cityu.edu.hk; congwang@cityu.edu.hk).

Yu Guo is with the School of Artificial Intelligence, Beijing Normal University, Beijing 100875, China (e-mail: yuguo@bnu.edu.cn).

Hongwei Du is with the Department of Computer Science and Technology, Harbin Institute of Technology (Shenzhen), Shenzhen 518055, China.

Digital Object Identifier 10.1109/JIOT.2021.3051295

2327-4662 © 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.

Authorized licensed use limited to: Raytheon Technologies. Downloaded on May 19,2021 at 16:03:23 UTC from IEEE Xplore. Restrictions apply.

I. INTRODUCTION

In the past decade, crowdsourcing [1] has developed into a compelling computing paradigm in the sharing economy, which leverages the power of collective intelligence to handle complex tasks. An increasing number of individuals and organizations choose crowdsourcing as their problem-solving method. Along with this trend, many well-known crowdsourcing applications, such as Amazon Mechanical Turk [2], Pavemint [3], and CrowdFlower [4], have been deployed.

The key component of a crowdsourcing system is the task-worker matching service. With increasing concern about privacy, privacy-preserving crowdsourcing systems have been studied and developed [5], [6], [44]. In the privacy-preserving crowdsourcing model, task requesters encrypt task specifications before submitting them to the crowdsourcing platform (called the broker), and workers also encrypt their interests and submit the ciphertexts to the broker. The broker needs to perform task matching over the ciphertexts of the task specifications and interests.

Despite the prosperity of crowdsourcing, existing systems can only work independently and cannot collaborate with each other. Workers cannot access the tasks published in other systems and requesters cannot reach the potential workers outside the boundary of their systems. This greatly limits the power of the open market of crowdsourcing systems. To overcome this limitation, we are motivated to develop a new federated crowdsourcing platform with privacy preservation, which can interconnect the existing independent brokers to form a loosely coupled federation. In such a new platform, a broker can utilize resources of other brokers (i.e., tasks and workers), while keeping its own autonomy. One important concern in this new platform is how to guarantee that these federated brokers return the complete and correct task-matching results without any trust. Blockchain is a promising solution to interconnect the federated brokers because of its transparency and verifiability. Blockchain can be regarded as a distributed ledger that records all transactions. All transactions recorded on it can be seen by everyone and cannot be altered. By using the blockchain, brokers can construct their own task indices and post them on the blockchain, and then utilize the smart contract (SC) to honestly perform task matching for all authorized brokers.

While blockchain seems to be an ideal platform to build this federated crowdsourcing system, there are still several critical issues yet to be solved.
1) There does not exist a central trusted authority that can perform faithful key management and authorization among brokers. Existing privacy-preserving solutions [7]–[9] rely on a trusted proxy-server to perform key management and secure task matching. However, in a federated blockchain-based platform, it is difficult for a centralized third party to be trusted by various systems.
2) There is no protection of the confidentiality of task indices and matching results recorded on the blockchain, because of the transparency of the data recorded on the blockchain.
3) It is difficult to prevent a broker from accessing the on-chain data even after its query authorization is revoked.

In this article, we propose the first proxy-free privacy-preserving and federated crowdsourcing platform. It utilizes the blockchain as the underlying platform to interconnect multiple brokers to form a loosely coupled federation. To enable secure task matching across different brokers without involving a third-party authority, we propose to use the rewritable deterministic hashing (RDH) [10] technique to design an on-chain authorization protocol among federated brokers. We combine RDH with searchable encryption (SE) [11] to construct encrypted task indices so that privacy-preserving task matching can be performed efficiently on the blockchain platform. For practical consideration, we further propose a secure revocation mechanism based on the puncturable encryption scheme [12]. Our proposed scheme ensures that once a broker is revoked, it cannot use its previously assigned secret keys to decrypt the newly generated task ciphertexts. In summary, the main contributions of this article are as follows.

1) We propose a proxy-free privacy-preserving and federated crowdsourcing framework by using blockchain. It allows task matching across multiple brokers while preserving the privacy of tasks and workers. It ensures that each search query submitted by a broker shall include all the correct results from other authorized brokers.
2) We devise a secure authorization search scheme that allows authorized brokers to search on-chain task indices without involving a central trusted authority.
3) We design an efficient authorization revocation scheme that prevents a revoked broker from accessing any new task-matching results.

The remainder of this article is organized as follows. Section II reviews the related work. Section III presents the system model, threat model, and preliminaries and formalizes the target problem. Section IV introduces the design of our proposed proxy-free privacy-preserving and federated crowdsourcing system. In Section V, we present the details of our proposed system. The security analysis is conducted in Section VI and the performance evaluation is shown in Section VII. Finally, we conclude this article in Section VIII.

II. RELATED WORK

Our work involves a wide range of designs and techniques from applied cryptography and the blockchain. In this section, we mainly review some state-of-the-art works in three primary areas: 1) task matching in crowdsourcing; 2) blockchain; and 3) SE schemes.

A. Task Matching in Crowdsourcing

Research on task matching in crowdsourcing has become an emerging trend since the introduction of crowdsourcing. Crowdsourcing platforms often assign tasks to workers based on their interests or search history [13] but ignore the privacy issues that arise during this process. As the data submitted by participants usually contain sensitive information such as geographic locations and health metrics [14], it is undesirable for them to be exposed to the public or to untrusted brokers. To address this problem, some efforts [15], [16] have been made to design privacy-preserving crowdsourcing systems. To et al. [17] proposed a privacy-aware crowdsourcing system based on differential privacy and geocasting to protect the location privacy of workers. In the follow-up design [16], Shen et al. designed a secure and efficient task recommendation protocol that utilizes additive homomorphic encryption with the assistance of a semihonest third party. However, the above-mentioned works only consider the privacy of workers but ignore task privacy. To enhance security, Shu and Jia [8] proposed to utilize the proxy reencryption technique to ensure the privacy of both workers and tasks when performing encrypted task recommendations. In [18], they further extended their scheme to support proxy-free task matching with efficient revocation. Despite extensive research on privacy-preserving crowdsourcing, these prior works require a centralized trusted authority to perform key management, which is not suitable for our federated setting.

In our federated crowdsourcing system, the access control of tasks is an important issue to be considered in the task-matching process. It is important to ensure that the tasks posted by one broker can only be accessed by its authorized brokers. Recently, some studies proposed to utilize the attribute-based encryption (ABE) [19] technique to prevent unauthorized users from accessing data. However, this method incurs high computation cost when the data owner revokes authorization to certain users [20]. In the follow-up design [12], Green and Miers introduced the notion of puncturable encryption, which can be viewed as a brilliant point in this design space. In this design, users can conveniently revoke the decryption capability for selected information by puncturing their secret keys. Along this research direction, several studies [21], [22] have been conducted to utilize this cryptographic primitive in different scenarios. However, no existing study has focused on utilizing this technique to implement the authorization-based task-matching service, which is the focus of this article.

B. Blockchain and Smart Contract

The boom of cryptocurrencies, such as Bitcoin [28] and Ethereum [29], vigorously promotes the development of blockchain. To make the blockchain more powerful, some blockchain platforms, such as Ethereum and Hyperledger [30], introduced the smart contract. Recently, some blockchain-based crowdsourcing systems have been proposed. To
make a clear comparison, we summarize the representative blockchain-based crowdsourcing schemes and compare their features in Table I. Li et al. [23] proposed a blockchain-assisted framework for crowdsourcing without relying on any third authority. Wu et al. [26] designed a blockchain-based task recommendation scheme for crowdsourcing, where the task-matching process is reliable and transparent. However, these works only focus on using the blockchain to replace the existing centralized crowdsourcing platform but still lock requesters and workers in an individual crowdsourcing system. Guo et al. [7] proposed a federated and privacy-preserving crowdsourcing platform, which utilizes the blockchain as the underlying platform to perform secure task matching. However, this work relies on a trusted third party to perform key management, which may not exist in the federated setting. In this article, we utilize the blockchain to interconnect different brokers to form a federated crowdsourcing platform without involving any trusted third party.

TABLE I: Characteristics of Representative Blockchain-Based Crowdsourcing Schemes

C. Searchable Encryption

SE schemes [11], [31] enable untrusted servers to search directly over encrypted data without server-side decryption. It can be considered as the cornerstone for implementing secure task-matching services in crowdsourcing. Song et al. [32] first proposed the notion of symmetric SE (SSE), and then many works have been carried out in this direction [33]–[36]. Curtmola et al. [35] introduced the formal security definition of SSE. In the follow-up design, Cash et al. [34] presented the first SSE scheme that supports conjunctive search and general boolean queries. However, early studies of SSE mainly focus on the directions of query and update operations in single-user settings. In this case, data owners holding their respective secret keys can only search or update their own data. To broaden the application scope, some recent studies have focused on the research of encrypted search in multiuser scenarios [37]–[40]. Blaze et al. [37] first introduced the concept of proxy reencryption, which was later improved by Bao et al. [38] to implement encrypted search in a multiuser scenario. However, due to the deterministic nature of the proxy reencryption algorithm, it suffers from statistical attacks [39]. Later, Popa and Zeldovich [41] introduced a multikey SE scheme that allows users to search for data encrypted by different keys. However, the design cannot support the revocation of sharing, and its security notion has deficiencies in real settings [42]. Very recently, Patel et al. [10] devised RDH, which supports dynamic sharing and unsharing of documents amongst users. It can be regarded as an important starting point in this design field. Nevertheless, directly applying this scheme in our federated crowdsourcing scenario can leak the relation between on-chain task indices and task specifications before searching, because of the deterministic nature of the RDH algorithm. Therefore, there is a great need to devise a secure search scheme for our federated crowdsourcing scenario.

III. PROBLEM DEFINITION AND PRELIMINARIES

A. System Model and Problem Definition

Fig. 1. System architecture.

TABLE II: Glossary

As shown in Fig. 1, our system consists of four entities: 1) task requesters; 2) workers; 3) brokers; and 4) the blockchain platform. Table II shows the notations used in this article.

1) Task requesters are the users who post their crowdsourcing tasks to the platform.
2) Workers are the users who would like to take the crowdsourcing tasks matching their interests.
3) Brokers are the servers that perform matching between tasks and workers and recommend matched tasks to workers.
4) Blockchain (and smart contract) is the platform that interconnects all brokers to form a federated crowdsourcing system. The SC is a piece of predefined program deployed on the blockchain that automatically executes the terms.

In this privacy-preserving crowdsourcing system, a task requester posts a task, with a task identifier (denoted by $T_{id}$) and the task specification. The task specification is represented by a set of keywords, denoted by $W(T_{id}) = \{w_1, w_2, \ldots, w_m\}$. Each worker has its interests, also represented by a set of keywords. For ease of presentation of our scheme, we assume each worker’s interest is represented by one keyword, denoted by $w'$. Note that our solution can easily handle the case of multiple keywords of a worker’s interest by repeatedly searching the multiple keywords. The task requesters and workers encrypt their task specifications and interests by using a deterministic encryption method. Let $\widetilde{W}(T_{id})$ and $\tilde{w}'$ denote the ciphertext of $W(T_{id})$ and $w'$, respectively.

Each task requester (and each worker) is registered with a broker (called its home broker). The task requester and the worker submit the ciphertexts to their respective home brokers. A broker can authorize other brokers to search its task indices. Let $B$ denote the set of brokers in our system. Once broker $b_i \in B$ authorizes broker $b_j \in B$, all workers registered with broker $b_j$ are able to search tasks posted to $b_i$. We assume there does not exist a central trusted authority in the system.

The problem of our concern is that, given a worker that has submitted its encrypted interest $\tilde{w}'$, its home broker is able to search all brokers that have authorized it and return to the worker the complete list of tasks matching its interest $\tilde{w}'$, subject to meeting the following requirements.

1) Privacy Preserving: No broker or other party can obtain information about tasks and workers.
2) Verifiability and Correctness: The completeness and correctness of search results shall be guaranteed.
3) Secure Revocation: A revoked broker is not able to obtain any search results after its revocation.

B. Threat Model

We make the following threat assumptions regarding the parties involved in our system.

1) Brokers are honest but curious. They will honestly follow the predefined protocols but be curious about the sensitive information of the received tasks. Besides, they are curious about the tasks posted by the brokers who never authorize them or revoke their authorization. Consistent with the security assumption in the previous work [9], we assume that brokers do not collude with other parties.
2) Peer nodes of the blockchain are potential adversaries. They honestly execute the predefined task-matching protocols but intend to learn sensitive on-chain information, including task indices, authorized lists, query transactions, and task-matching results.
3) Task requesters and workers are honest in the sense that they will submit valid task information and interests, respectively.

C. Preliminaries

Puncturable Encryption: Puncturable encryption is an asymmetric encryption scheme that prevents the decryption of some ciphertexts by puncturing the secret key. It consists of four functions: 1) PPKE.KeyGen; 2) PPKE.Enc; 3) PPKE.Pun; and 4) PPKE.Dec, defined as follows.

1) $\{PK, SK_0\} \leftarrow \text{PPKE.KeyGen}(1^{\lambda}, d)$ takes as input a security parameter $\lambda$ and a positive integer $d$, which denotes the maximum number of tags in each ciphertext, and outputs a public key $PK$ and an initial secret key $SK_0$.
2) $SK_i \leftarrow \text{PPKE.Pun}(PK, SK_{i-1}, t)$ takes as input a public key $PK$, a secret key $SK_{i-1}$, and a tag $t$ and outputs a new secret key $SK_i$. $SK_i$ is able to decrypt all ciphertexts so long as tag $t$ is not included in the encryption list.
3) $\tilde{m} \leftarrow \text{PPKE.Enc}(PK, m, t_1, \ldots, t_d)$ takes as input a public key $PK$ and a plaintext $m$, together with a list of tags $t_1, \ldots, t_d$, and outputs the ciphertext $\tilde{m}$. Any secret key whose associated tag $t$ is in the list cannot decrypt the ciphertext $\tilde{m}$.
4) $m \leftarrow \text{PPKE.Dec}(PK, SK_i, \tilde{m}, t_1, \ldots, t_d)$ takes as input a public key $PK$, a secret key $SK_i$, and a ciphertext $\tilde{m}$, together with its tag list $t_1, \ldots, t_d$, and outputs plaintext $m$ or $\perp$ if the decryption failed.

In our design, we utilize the puncturable encryption technique to prevent brokers from decrypting task information after their authorization is revoked. Each broker uses the algorithm PPKE.KeyGen to generate its public key and master secret key, and utilizes the algorithm PPKE.Pun to generate secret keys for its authorized brokers. In the algorithm PPKE.Pun, the assigned secret key of each authorized broker is punctured by a unique tag. The algorithms PPKE.Enc and PPKE.Dec are used to encrypt and decrypt search results, respectively. In the algorithm PPKE.Enc, the search result is associated with a list of tags. If a broker’s assigned secret key is punctured by a tag in the tag list, the broker cannot decrypt the search result using PPKE.Dec with its assigned secret key. To better understand our design, we refer the readers to [12] for a complete description and proof of the security of the puncturable encryption scheme.

IV. DESIGN OF PROXY-FREE PRIVACY-PRESERVING AND FEDERATED CROWDSOURCING SYSTEM

A. Overview of Our Design

In our design, we utilize the blockchain as the underlying platform to form a crowdsourcing federation. For the tasks uploaded by the task requesters to their home brokers, brokers construct encrypted task indices independently and publish them on the blockchain. To enable other brokers to search, each broker authorizes the other brokers and posts the authorization information on the blockchain. The SC deployed on the blockchain is agreed upon by all brokers. It performs the cross-broker encrypted search according to the authorization among
brokers. Under our design, each broker can only search the indices posted by the brokers that give it the authorization. After searching, the task-matching result (encrypted task identifiers) is recorded on the blockchain and then the broker who submitted the search query can decrypt it using its previously assigned secret keys.

To enable federated and privacy-preserving crowdsourcing among brokers, there are two challenging issues yet to be solved. The first one is to design a task-matching scheme that supports authorized cross-broker encrypted search without involving a trusted third party. As the on-chain task indices are generated by multiple brokers under different keys, it is difficult for a broker to submit one query to search all indices generated by different brokers. Existing solutions [7], [9], [18] rely on a trusted authority for key management, which is not suitable for our federated scenario, because there is no such authority that can be trusted by all parties. The second challenge is to prevent a broker from accessing newly posted tasks after its authorization is revoked. As the task-matching results recorded on the blockchain are visible to everyone, the broker whose authorization has been revoked can still read the blockchain and decrypt other brokers’ query results using its previously assigned secret keys, which violates the requirement of authorization-based task matching. To solve the aforementioned two issues, we propose the RDH-based authorization protocol and puncturable encryption-based secret key management protocol. The details of the two protocols are discussed in the following sections.

B. Cross-Broker Encrypted Task Matching

In the federated crowdsourcing system, the structure of broker authorization and task-worker matching is illustrated in Fig. 2. An SC is deployed on the blockchain to perform task-worker matching. SC has four functions, namely, authorization, index-update, task matching, and revocation, as shown in Fig. 2.

Fig. 2. Structure of broker authorization and task-worker matching.

Task requesters post tasks to their respective home brokers, which construct encrypted indices and upload them to the blockchain. When a worker submits a search query to its home broker (say $b_j$), $b_j$ will generate a search token and call SC’s task-matching function to search all matched tasks for the worker. Our federated system requires that once a broker (say $b_i$) authorizes its data to another broker (say $b_j$), $b_j$ shall be able to search all tasks in the indices constructed by $b_i$. The indices constructed by a broker and stored with the SC are encrypted by this broker itself, and are confidential to other nodes (SC is on the blockchain and its data are visible to all participants). We need to design a protocol in which an authorized broker is able to search indices encrypted by all other brokers that have authorized it.

Broker Authorization: Assume that $b_i$ authorizes $b_j$, as shown in Fig. 2. $b_i$ chooses two random numbers $r^1_{b_i}$ and $r^2_{b_i}$, and then generates parameters $F^1_{b_i} = G_1(r^1_{b_i}, b_i)$ and $F^2_{b_i} = G_1(r^2_{b_i}, b_i)$, respectively. $G_1$ is a secure pseudorandom function. $b_i$ keeps $F^1_{b_i}$ for itself and uses it to construct task indices (to be discussed shortly). In the meantime, $b_j$ also generates the two parameters $F^1_{b_j}$ and $F^2_{b_j}$ in the same way as $b_i$. To be authorized by $b_i$, $b_j$ gives its $F^2_{b_j}$ to $b_i$ through a private channel. According to the theory of RDH [10], $b_i$ then generates an authorization ticket

$$A_{b_i \to b_j} = g^{F^1_{b_i}/F^2_{b_j}}. \quad (1)$$

Finally, $b_i$ sends the tuple $(b_i, b_j, A_{b_i \to b_j})$ to the blockchain by calling the SC’s authorization function.

SC maintains an authorized list for each broker. Let $A_{b_j}$ denote the authorized list of $b_j$. Each element in $A_{b_j}$ is an authorization ticket of a broker (say $b_i$) that authorizes $b_j$. For example, $A_{b_j}[b_i]$ is the authorization ticket $g^{F^1_{b_i}/F^2_{b_j}}$ as shown in (1).

Task Posting and Encrypted Task Matching: A task requester posts a task $T_{id}$ with a set of encrypted keywords $\widetilde{W}(T_{id}) = \{\tilde{w}_1, \tilde{w}_2, \ldots, \tilde{w}_m\}$ to its home broker, say $b_i$. After receiving a batch of tasks, $b_i$ constructs a task index, denoted by $I_{b_i}$. $I_{b_i}$ is in the form of an encrypted keyword $\tilde{w}_k$ and a list of task identifiers associated with $w_k$ [denoted by $TL(w_k)$]. To enable other brokers that are authorized by $b_i$ to search $b_i$’s index, $b_i$ transforms each keyword in the index, say $\tilde{w}$, into $g^{\tilde{w} \cdot F^1_{b_i}}$. Since this task index is to be uploaded to the blockchain, to protect the privacy of the tasks, $b_i$ encrypts task identifiers $TL(w)$ in the index by using puncturable encryption (to be discussed in Section IV-C). The ciphertext of task identifiers $TL(w)$ is denoted by $\widetilde{TL}(w)$. Thus, the task index $I_{b_i}$ is transformed into ciphertext $\tilde{I}_{b_i}$. The column of keywords in $\tilde{I}_{b_i}$ is in the form of $g^{\tilde{w} \cdot F^1_{b_i}}$, and the column of task lists is in the form of $\widetilde{TL}(w)$. Broker $b_i$ uploads the encrypted index $\tilde{I}_{b_i}$ to the blockchain by calling SC’s function index update.

When a worker submits a search query with the encrypted interest $\tilde{w}'$ to its home broker $b_j$, $b_j$ generates the search token $\tilde{w}' \cdot F^2_{b_j}$, and calls the SC’s task-matching function with the search token as input. SC will go through the authorized list
Algorithm 1: Initialization
Input: Secure PRF G1 , the set of brokers B.
Output: Public key PKbi , master secret key SKbi ,
∀bi ∈ B.
1 (g, G) ← GG(1 );
λ

2 for each broker bi ∈ B do


3 Generate parameters Fb1i and Fb2i , select nbi ;
4 PKbi , SKbi ← PPKE.KeyGen(λ, nbi ), where
SKbi = {skb(1)
i
, skb(2)
i
, skb(3)
i
, skb(4)
i
= t0bi };
5 Initialize set RTbi , and UTbi to empty;
(4)
6 Add skbi into UTbi ;
7 Call SC.setup(B);

secret key for bj :


b  
SKbij ← PPKE.Pun PKbi , SKbi , tj (3)
where PKbi is the public key of bi . bi needs to pass the gen-
b b
erated secret key SKbij to bj in a private channel. With SKbij ,
after bj submits a search query, it can decrypt the ciphertexts
(in the search result) generated by bi .
bi maintains two lists of tags, one for the brokers who are
Fig. 3. SC functions. currently authorized by bi , and the other for the brokers whose
authorization is revoked. Let RTbi denote the set of tags of the
brokers whose authorization is revoked by bi . When bi revokes
Abj , which is a list of brokers that give authorization to bj , the authorization of bj , it adds tj to RTbi . After this point, when
and search all task indices uploaded by these brokers. For each bi encrypts new task list TL (w) in the task index, it uses the
F 1 /F 2 following function to encrypt TL (w):
element, g bi bj ∈ Abj , which denotes the authorization of bi
 
to bj , SC searches bi ’s encrypted index, i.e., 
Ibi by computing  (w) ← PPKE.Enc PKbi , TL (w), RTbi .
TL (4)
the following equation with the search token w  · F 2 :
bj
$$\left(g^{F^1_{b_i}/F^2_{b_j}}\right)^{w\cdot F^2_{b_j}} = g^{w\cdot F^1_{b_i}}. \tag{2}$$

When the above equation holds, the list of tasks $TL(w)$ of the matched entry of $I_{b_i}$ is the set of tasks that are registered in $b_i$ and match the worker's interest. In this way, SC can obtain all tasks offered by the brokers that have authorized $b_j$.

C. Encryption of Task-List and Authorization Revocation

As we discussed above, when SC finds the list of tasks that matches the worker's interest, SC records the search result (i.e., list of task identifiers) on the blockchain. To protect the privacy of the search result, all task identifiers are in ciphertexts. The task identifiers are encrypted in the indices by the respective brokers. Now, we have two issues: 1) how to facilitate the broker (say $b_j$) that makes the search query to decrypt the query result and 2) after the authorization of broker $b_j$ is revoked, how to ensure $b_j$ will not be able to decrypt newly posted tasks.

We utilize the puncturable encryption technique to tackle the two issues. Again, consider broker $b_i$ authorizes $b_j$. $b_i$ has a master secret key, denoted by $SK_{b_i}$. When $b_i$ authorizes $b_j$, it generates a unique tag for $b_j$, denoted by $t_j$. Then, it uses the puncturable encryption function as follows to generate a

According to the theory of puncturable encryption [12], once $b_j$'s tag $t_j$ is added in $RT_{b_i}$, $b_j$ will not be able to decrypt the task identifiers encrypted with the new $RT_{b_i}$ where $t_j$ is included. By doing so, we can achieve revocation.

By using the puncturable encryption, all on-chain task indices and the search results recorded on the blockchain are well protected, and a broker whose authorization is revoked will not be able to decrypt the newly posted tasks after the time point of the revocation.

V. IMPLEMENTATION OF OUR DESIGN BY USING BLOCKCHAIN

In our design, brokers submit authorization information, constructed task indices, and search queries to the blockchain. The SC is called by brokers to construct the authorized list for each broker and perform task matching according to the posted task indices and authorized lists. In this section, we first introduce the SC we defined in our system. Then, we present the construction of our proposed secure task-matching scheme. Finally, the construction of encrypted task indices is described in detail.

A. Smart Contract Functions

As shown in Fig. 3, the SC includes a setup function together with the other four functions: 1) authorization;


2) index update; 3) task matching; and 4) revocation. These functions are called by brokers to implement our privacy-preserving task-matching scheme, which will be introduced in Section V-B.

Setup($B$): Given the set of brokers $B$, SC initializes the on-chain task index and each broker's authorized list to empty.

Authorization($b_i$, $b_j$, $A_{b_i \to b_j}$): Given $b_i$ and $b_j$, and the authorization ticket $A_{b_i \to b_j}$ generated by $b_i$ for $b_j$, SC adds the ticket into $b_j$'s authorized list.

Index-Update($\tilde{I}_{b_i}$): Given the task index $\tilde{I}_{b_i}$ newly posted by broker $b_i$, SC adds $\tilde{I}_{b_i}$ into the on-chain task index $\tilde{I}$.

Task Matching($b_j$, $tk$): Given $b_j$, the broker that submits the search query, and its generated search token $tk$, SC traverses $b_j$'s authorized list $A_{b_j}$ to calculate all on-chain search trapdoors $tp$ (to be discussed in Section V-C). For the trapdoor generated by $b_i$, SC searches $b_i$'s encrypted indices to obtain the set of matched tasks that are registered in $b_i$. The task-matching result is in the form of $\{\widetilde{TL}, TS\}$, where $\widetilde{TL}$ is the ciphertext of the list of matched task identifiers and $TS$ is the associated tag set of $\widetilde{TL}$. Note that both $\widetilde{TL}$ and $TS$ are needed when $b_j$ decrypts the task-matching result. After obtaining all task-matching results ($\{\widetilde{TL}, TS\}$ pairs), SC records the result set on the blockchain.

Revocation($b_i$, $b_j$): Given $b_i$ and $b_j$, SC revokes the authorization of $b_i$ to $b_j$ by deleting $A_{b_i \to b_j}$ in $b_j$'s authorized list.

B. Construction of Secure Task-Matching Scheme

We now describe the detailed construction of our proposed secure task-matching scheme. This scheme consists of five algorithms: 1) initialization; 2) authorization; 3) task publication; 4) task matching; and 5) authorization revocation, discussed as follows.

Initialization: In the system initialization phase, brokers generate public keys, master secret keys, and corresponding parameters, as shown in Algorithm 1. Specifically, on input a security parameter $\lambda$, brokers first select generator $g$ from the group $G$. Then, each broker $b_i \in B$ generates its public key $PK_{b_i}$ and master secret key $SK_{b_i}$ using PPKE.KeyGen, and selects parameter $n_{b_i}$. $t_0^{b_i}$ is a distinguished tag maintained by $b_i$. $UT_{b_i}$ is used to record the set of tags that have been used by $b_i$. $b_i$ adds $t_0^{b_i}$ into $UT_{b_i}$ to ensure that tag $t_0^{b_i}$ will not be assigned to other brokers. Finally, the SC function SC.Setup is called to initialize the on-chain task index $\tilde{I}$ and brokers' authorized lists.

Authorization: Before a broker can search the task indices uploaded by another broker, it must obtain that broker's authorization. Algorithm 2 shows the process of $b_i$ authorizing $b_j$. To authorize $b_j$, $b_i$ assigns a secret key to $b_j$. Specifically, $b_i$ selects a unique tag $t_j$ and generates the secret key $SK_{b_i}^{b_j}$ for $b_j$ by puncturing its master secret key $SK_{b_i}$ on $t_j$. With the assigned secret key, $b_j$ is able to decrypt the ciphertexts generated by $b_i$. Meanwhile, to enable $b_j$ to search the task indices that $b_i$ generates, $b_i$ calculates the authorization ticket $A_{b_i \to b_j}$ and calls the SC function SC.Authorization to add $A_{b_i \to b_j}$ into $b_j$'s authorized list. In this way, the SC is able to access the task indices posted by $b_i$ in the task-matching process.

Algorithm 2: Authorization
Input: Secure PRF $G_1$, $\forall b_i, b_j \in B$.
Output: Secret key $SK_{b_i}^{b_j}$, authorization ticket $A_{b_i \to b_j}$.
// $b_i$ authorizes $b_j$. (performed by $b_i$)
1 Select a unique tag $t_j$ and add $t_j$ into $UT_{b_i}$;
2 Generate $SK_{b_i}^{b_j} \leftarrow$ PPKE.Pun($PK_{b_i}$, $SK_{b_i}$, $t_j$);
3 Send $SK_{b_i}^{b_j}$ to $b_j$ in private, and get $F^2_{b_j}$ from $b_j$ via a private channel;
4 Generate $A_{b_i \to b_j}$ according to Eq. 1;
5 Call SC.Authorization($b_i$, $b_j$, $A_{b_i \to b_j}$);

Task Publication: Algorithm 3 shows the detailed process of task publication. To enable other brokers to search and protect the sensitive information of tasks, $b_i$ needs to encrypt its constructed index $I_{b_i}$ and then post it on the blockchain. The detailed construction of encrypted task indices will be discussed in Section V-C. After constructing the encrypted index $\tilde{I}_{b_i}$, $b_i$ calls the SC function SC.Index-Update to upload the index $\tilde{I}_{b_i}$ to the blockchain.

Algorithm 3: Task Publication
Input: Secure PRFs $\{G_1, G_2\}$, state table $S_{b_i}$, task index $I_{b_i}$, broker $b_i \in B$.
Output: Encrypted task index $\tilde{I}_{b_i}$.
1 for each keyword $w$ in $I_{b_i}$ do
2     Set $tp \leftarrow g^{w \cdot F^1_{b_i}}$, $\tilde{I} \leftarrow \emptyset$;
3     if $w$ not in $S_{b_i}$ then
4         $s \leftarrow 0$, Put $[w : s]$ to table $S_{b_i}$;
5     else
6         $s \leftarrow S_{b_i}[w]$;
7     Divide $TL(w)$ into $\alpha$ blocks, each with $p$ tasks. Pad the last block to $p$ entries if needed;
8     $TS = RT_{b_i}$;
9     if $n_{b_i} > |RT_{b_i}|$ then
10        Add $n_{b_i} - |RT_{b_i}|$ tags $t \notin UT_{b_i}$ to $TS$;
11    for each block in $TL(w)$ do
12        $TL \leftarrow Tid_1 \| Tid_2 \| \cdots \| Tid_p$;
13        Encrypt $TL$ into $\widetilde{TL}$ according to Eq. 5.
14        Generate index $<L : W>$ according to Eq. 6;
15        Add $<L : W>$ into index $\tilde{I}_{b_i}$, $s$++;
16    Set $S_{b_i}[w] \leftarrow s$;
17 Call SC.Index-update($\tilde{I}_{b_i}$);

Task Matching: Algorithm 4 shows the secure task-matching process. When broker $b_j$ receives a search query about interest $w$ submitted by a worker, it generates the search token $tk$ and calls the SC function SC.Task-Matching to perform the on-chain search. For the encrypted search results recorded on the blockchain, $b_j$ can decrypt them using its previously assigned secret keys.

Authorization Revocation: The details of authorization revocation are presented in Algorithm 5. To revoke its authorization


to $b_j$, $b_i$ just needs to add the tag associated with $b_j$ to $RT_{b_i}$ and call the SC function SC.Revocation to delete $A_{b_i \to b_j}$ in $b_j$'s authorized list. Once $t_j$ is added in $RT_{b_i}$, $b_j$ can no longer decrypt the indices newly posted by $b_i$ using its previously assigned secret key $SK_{b_i}^{b_j}$.

Algorithm 4: Task Matching
Input: Secure PRFs $\{G_1, G_2\}$, interest $w$, broker $b_j \in B$.
Output: List of task identifiers.
1 Calculate $tk \leftarrow w \cdot F^2_{b_j}$;
2 Call SC.Task-Matching($b_j$, $tk$);
3 Read $T$ on the blockchain;
4 for each pair of $\{\widetilde{TL}, TS\}$ in $T$ do
5     $TL \leftarrow$ PPKE.Dec($PK_{b_i}$, $SK_{b_i}^{b_j}$, $\widetilde{TL}$, $TS$); // decrypt the tasks posted by broker $b_i$

Algorithm 5: Authorization Revocation
Input: Tag set $RT_{b_i}$, broker $b_i, b_j \in B$.
Output: Tag set $RT_{b_i}$.
// $b_i$ revokes its authorization to $b_j$. (performed by $b_i$)
1 $b_i$ adds $t_j$ to $RT_{b_i}$;
2 Call SC.Revocation($b_i$, $b_j$);

C. Construction of On-Chain Task Indices

We now introduce the detailed construction of on-chain task indices. As we mentioned in Section IV-B, to enable other brokers that are authorized by $b_i$ to search, the column of keyword $w$ in $I_{b_i}$ is transformed into $g^{w \cdot F^1_{b_i}}$ in $\tilde{I}_{b_i}$, where $g^{w \cdot F^1_{b_i}}$ is a deterministic value about $w$. However, task publication is an online process, and the deterministic property of keyword transformation will lead to task information leakage, as adversaries can know the relation between indices and keywords by observing the on-chain task indices with no need to search. To cope with this problem, we introduce the state variable in our design and utilize the SSE technique to enhance security. Specifically, each broker (say $b_i$) maintains a state table $S_{b_i}$, where each keyword is associated with a unique state variable $s$ which is initialized to 0. For ease of explanation, we call $g^{w \cdot F^1_{b_i}}$ in (2) the search trapdoor $tp$ for keyword $w$, which is calculated by $b_i$. When generating new task indices about $w$, $b_i$ concatenates the state variable corresponding to $w$ with trapdoor $tp$, and updates the value of $s$ by adding 1 for each index. As shown in lines 3–6 in Algorithm 3, before constructing task indices about $w$, $b_i$ needs to obtain the current value of $s$ corresponding to $w$. Finally, the column of keyword in $\tilde{I}_{b_i}$ is of the form $G_1(tp \| s)$.

To reduce the cost of posting task indices and defend against statistical inference attacks [39], $b_i$ divides $TL(w)$, the set of tasks about $w$, into several blocks with the same length, as shown in Algorithm 3. $p$ is used to record the number of tasks in each batch, which is chosen by $b_i$. For each block, $b_i$ packages all task identifiers into $TL$ by concatenation and determines the set of tags $TS$ associated with $TL$. The number of tags in $TS$ is $n_{b_i}$, which is a parameter selected by $b_i$. The tag set $TS$ includes all tags in $RT_{b_i}$. According to the theory of puncturable encryption, to ensure the encryption of $TL$, $b_i$ needs to add $n_{b_i} - |RT_{b_i}|$ tags to $TS$ if $n_{b_i} > |RT_{b_i}|$. For $TL$, its ciphertext $\widetilde{TL}$ generated by using PPKE.Enc($PK_{b_i}$, $TL$, $TS$) is in the form of

$$\widetilde{TL} = \left(ct^{(1)}, ct^{(2)}, ct^{(3,1)}, \ldots, ct^{(3,n_{b_i})}\right). \tag{5}$$

We can observe that the length of $\widetilde{TL}$ is related to the value of $n_{b_i}$. To ensure that adversaries cannot obtain $\widetilde{TL}$ before searching, we further utilize $G_2(tp \| s)$ as an overlay to mask $ct^{(1)}$, where $G_2$ is a different PRF from $G_1$. Let $P = G_2(tp \| s) \oplus ct^{(1)}$. Then, the task index $\tilde{I}_{b_i}$ can be constructed as

$$\left\langle G_1(tp \| s),\ P,\ ct^{(2)}, ct^{(3,1)}, \ldots, ct^{(3,n_{b_i})},\ TS \right\rangle. \tag{6}$$

For the search query of broker $b_j$, if (2) holds, the SC can obtain matched ciphertexts $\tilde{I}_{b_i}[G_1(tp \| s)]$, and then recover $\widetilde{TL}$ in the following way:

$$\widetilde{TL} \leftarrow \left(ct^{(1)} = P \oplus G_2(tp \| s),\ ct^{(2)}, ct^{(3,1)}, \ldots, ct^{(3,n_{b_i})}\right). \tag{7}$$

With the recovered $\widetilde{TL}$ and $TS$ in $\tilde{I}_{b_i}[G_1(tp \| s)]$, $b_j$ is able to decrypt $\widetilde{TL}$ with its previously assigned secret key $SK_{b_i}^{b_j}$.

Discussions: $n_{b_i}$ is an important parameter selected by $b_i$. It not only affects the length of ciphertexts but also determines the maximum number of brokers that $b_i$ can revoke with its current keys. As we mentioned above, the length of $\widetilde{TL}$ increases with the growing value of $n_{b_i}$. Meanwhile, the number of tags in $RT_{b_i}$ cannot exceed $n_{b_i}$. Once the number of brokers whose authorization has been revoked by $b_i$ is greater than $n_{b_i}$ ($|RT_{b_i}|$ exceeds $n_{b_i}$), $b_i$ needs to call the function PPKE.KeyGen to generate new keys and redistribute secret keys to its authorized brokers. Note that as the revocation of authorization among brokers does not happen frequently, the overhead caused by key reassignments is acceptable for brokers. After this point, the set $RT_{b_i}$ is emptied and $b_i$ can continue to easily revoke its authorization to a broker by adding the broker's tag into $RT_{b_i}$.

VI. SECURITY ANALYSIS

In this section, we provide a rigorous security analysis to demonstrate the security guarantees of our proposed scheme. Recall that we uniquely bridge the RDH and SSE schemes to design the secure task-matching protocols. The RDH scheme can effectively prevent brokers without authorization from learning the content of task indices. Meanwhile, the SSE scheme enables the SC to securely perform task matching while protecting on-chain data privacy. Following the security notion of SE schemes [35], we formally analyze the security guarantees following the adopted cryptographic primitives. First, we define the setup leakage $\mathcal{L}^{Setup}$ for a given task index $\tilde{I}_{b_i}$ constructed by broker $b_i$ as

$$\mathcal{L}^{Setup} = \left(|A_{b_i}|, \langle |L|, |P| \rangle_n\right)$$


 
where $|A_{b_i}|$ is the size of the authorized list of $b_i$, and $\langle |L|, |P| \rangle_n$ are ciphertext lengths of $n$ label-task pairs. When a broker $b_j$ sends a search transaction for the keyword $w$, the view of an adversary is defined in the leakage $\mathcal{L}^{Match}$ as

$$\mathcal{L}^{Match} = \left(\{b_j, tk\}, A_{b_j}, \langle L, P \rangle_q\right)$$

where $\{b_j, tk\}$ are the search tokens, $A_{b_j}$ is the matched authorized list, and $\langle L, P \rangle_q$ are the $q$ matched task index entries. When updating the authorized list of broker $b_i$, the leakage function $\mathcal{L}^{Update}$ captured by an adversary is defined as

$$\mathcal{L}^{Update} = \left(op, A_{b_i}\right)$$

where $op \in \{add, revoke\}$ denotes update operations for authorization, and $A_{b_i}$ is the updated entry of the authorization index $A$. Following the simulation-based security definition in [43], we give the formal security definition as follows.

Definition 1: Let  = (Init, Aut, TaskPub, TaskMatch, Revoc) be our scheme for secure task-matching services, and let $\mathcal{L}^{Setup}$, $\mathcal{L}^{Match}$, and $\mathcal{L}^{Update}$ be the leakage functions. We define the following probabilistic experiments Real (k) and Ideal,C,S (k) with a probabilistic polynomial time (PPT) adversary C and a PPT simulator S.

Real (k): C selects a task index $I_{b_i}$ and asks the broker $b_i$ to build the real authorized list and indices via Init, Aut, TaskPub, and Revoc algorithms with the private key k. Then, C adaptively conducts a polynomial number of queries via TaskMatch algorithm. Finally, C returns a bit as the output.

Ideal,C,S (k): C selects a task set $I_{b_i}$, and S simulates indices for C based on $\mathcal{L}^{Setup}$. From $\mathcal{L}^{Update}$, S can update the authorized list. Then, C adaptively performs a polynomial number of queries. From the leakage $\mathcal{L}^{Match}$ in each task matching request, S simulates tokens and ciphertexts, which are processed over the simulated indices. Finally, C returns a bit as the output.

 is a ($\mathcal{L}^{Setup}$, $\mathcal{L}^{Match}$, $\mathcal{L}^{Update}$)-secure scheme, if for all PPT adversaries C, there exists a simulator S such that: Pr[Real (k) = 1] − Pr[Ideal,C,S (k) = 1] ≤ negl(k), where negl(k) is a negligible function in k.

Theorem 1:  is a ($\mathcal{L}^{Setup}$, $\mathcal{L}^{Match}$, $\mathcal{L}^{Update}$)-secure scheme under the random-oracle model if $\{G_1, G_2\}$ are secure PRFs.

Proof: We prove the existence of a simulator S such that for all polynomial-time adversaries C, the outputs of Real (k) and Ideal,C,S (k) are computationally indistinguishable. Given $\mathcal{L}^{Setup}$, the simulator S generates the simulated authorized list and indices, which are indistinguishable from the real one. It initializes a dictionary with $n$ entries, where each entry contains $|L|$- and $|P|$-bit random strings as the simulated indices. Meanwhile, it simulates an indistinguishable authorized list, containing $|A_{b_i}|$-bit random strings with equal length to the real one. From $\mathcal{L}^{Match}$, S can simulate the first query and its corresponding results. In particular, for each token in the query, it generates a random string as a simulated token for the simulated indices. S operates a random oracle to point at randomly selected entries in the dictionary and reveals the same simulated results to match the real ones observed from the leakage $\mathcal{L}^{Match}$. The token is selected by a random string $T$, and the label can be simulated as $L = G_1(g^{F/T})$, where $F$ is a random string from the simulated list $A_{b_i}$ and $G_1$ is a random oracle. The result can be simulated as $P = G_2(L) \oplus \gamma$, where $G_2$ is a random oracle and $\gamma$ is a random string. The simulation can be extended to a number of adaptive queries. When conducting the authorization update, the updated list can be simulated from $\mathcal{L}^{Update}$ just as mentioned in the build procedures. The new entry is simulated by using new random strings and recorded in the list. Due to the pseudorandomness of PRF and the semantic security of symmetric encryption, C should not be able to distinguish the outputs of the real experiment Real (k) and the simulated one Ideal,C,S (k). This completes the proof.

VII. EXPERIMENTAL EVALUATION

A. Prototype Implementation

To assess the performance of our design, we implement the prototype in Python and utilize Solidity¹ to construct the SC of Ethereum, with about 2500 lines of code. We deploy the SC on the Ethereum TestRPC and run our experiment on a laptop with an Intel Core i5-8279U processor (2.4 GHz), 16-GB RAM, 4 Intel i5 cores, and a macOS 10.15.1 operating system. The average block time for mining is set to one second. In this experiment, we utilize the data set of a real crowdsourcing platform Upwork to evaluate the performance. For cryptographic primitives, we utilize the pycrypto library² to implement pseudorandom functions and symmetric encryption via Web3.keccak and AES, respectively. Besides, we use the functions in pypbc library³ to implement the puncturable encryption.

¹ Online at: https://solidity.readthedocs.io/en/develop/.
² Online at: https://pypi.org/project/pycrypto/.
³ Online at: https://github.com/debatem1/pypbc.

B. Performance Evaluation

Local Performance Evaluation: To evaluate the performance of our design, we first assess its off-chain performance from the perspective of task index encryption, task index decryption, task index initialization, adding new task indices, task matching, and authorization. In our design, after receiving the tasks uploaded by task requesters, brokers generate task indices and use the puncturable encryption to encrypt the packed task identifiers. In Table III, we first analyze the change in task index encryption and decryption latency with the number of indices. The value of $n_{b_i}$ for all brokers $b_i \in B$ is set to 3. As shown in Table III, it only takes about 2.9 and 4.7 s to encrypt and decrypt 300 task indices, which is practical to use for brokers.

We further evaluate the task index initialization latency under the varying number of indices. Task index initialization describes the process of generating indices for all existing tasks when constructing the system. The results show that the time cost of task index initialization increases slightly with the growing number of task indices. Specifically, it takes around 0.891 s to complete the initialization of 2000 task indices. In Table III, we also investigate the incremental scalability of our design by measuring the latency for adding new task indices. After receiving a certain batch of new tasks, brokers aggregate


TABLE III
OFF-CHAIN PERFORMANCE EVALUATION

Fig. 4. On-chain performance evaluation. (a) Task indices initialization. (b) Task publication latency of broker bi versus nbi . (c) Authorization latency. (d) Add
authorization latency. (e) Task-matching latency versus the number of matching tasks. (f) Task-matching latency versus the number of brokers. (g) Throughput
comparison. (h) Gas consumption.
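The task publication and task-matching steps measured in this section (Algorithms 3 and 4, the check of Eq. (2), and the masked index entry of Eq. (6)) can be traced end to end with the following Python example, which is added here for illustration and is not the authors' prototype. Its assumptions: a constructed toy group instead of the pairing group, SHA-256 and SHAKE-256 standing in for $G_1$ and $G_2$, keywords hashed to exponents, opaque byte strings standing in for the PPKE component $ct^{(1)}$ (the other ciphertext components and $TS$ are omitted), and a contract that walks the state counter $s$ upward until a label is missing.

```python
import hashlib
import math
import secrets

# Constructed toy group: Z_p^* with the Mersenne prime p = 2^127 - 1 and base 3.
# The paper's prototype uses a pairing group from pypbc; this stand-in only
# has to make the exponent arithmetic of Eq. (2) work.
P = 2**127 - 1
ORDER = P - 1
G = 3


def rand_exp():
    """Random secret exponent that is invertible modulo the group order."""
    while True:
        x = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(x, ORDER) == 1:
            return x


def kw(word):
    """Hash a keyword to a non-zero exponent (encoding chosen for this example)."""
    return int.from_bytes(hashlib.sha256(word.encode()).digest(), "big") % ORDER or 1


def _tp_s(tp, s):
    return tp.to_bytes(16, "big") + s.to_bytes(4, "big")  # tp || s


def G1(tp, s):
    """Label PRF; SHA-256 stands in for the prototype's keccak."""
    return hashlib.sha256(b"G1" + _tp_s(tp, s)).digest()


def G2(tp, s, n):
    """Mask PRF, domain-separated from G1, stretched to n bytes."""
    return hashlib.shake_256(b"G2" + _tp_s(tp, s)).digest(n)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Broker:
    def __init__(self):
        self.F1, self.F2 = rand_exp(), rand_exp()
        self.state = {}  # state table S: keyword -> next s

    def ticket_for(self, other_F2):
        """A_{bi->bj} = g^(F1_bi / F2_bj), built by bi from bj's F2."""
        return pow(G, self.F1 * pow(other_F2, -1, ORDER) % ORDER, P)

    def publish(self, word, ct1_blocks):
        """Index entries G1(tp||s) -> G2(tp||s) XOR ct1, one s per block."""
        tp = pow(G, kw(word) * self.F1 % ORDER, P)
        s = self.state.get(word, 0)
        entries = {}
        for ct1 in ct1_blocks:
            entries[G1(tp, s)] = xor(G2(tp, s, len(ct1)), ct1)
            s += 1
        self.state[word] = s
        return entries

    def token(self, word):
        """Search token tk = w * F2_bj."""
        return kw(word) * self.F2 % ORDER


class Contract:
    def __init__(self):
        self.index = {}       # on-chain task index: label -> masked ct1
        self.authorized = {}  # bj -> {bi: ticket}

    def authorization(self, bi, bj, ticket):
        self.authorized.setdefault(bj, {})[bi] = ticket

    def index_update(self, entries):
        self.index.update(entries)

    def revocation(self, bi, bj):
        self.authorized.get(bj, {}).pop(bi, None)

    def task_matching(self, bj, tk):
        """Derive one trapdoor per ticket, then walk s = 0, 1, ... until a miss."""
        results = []
        for bi, ticket in self.authorized.get(bj, {}).items():
            tp = pow(ticket, tk, P)  # Eq. (2): ticket^tk == g^(w * F1_bi)
            s = 0
            while G1(tp, s) in self.index:
                masked = self.index[G1(tp, s)]
                results.append((bi, xor(masked, G2(tp, s, len(masked)))))
                s += 1
        return results
```

The contract never sees the keyword or $F^1_{b_i}$: it only raises the stored ticket to the submitted token, so deleting the ticket is enough to stop label derivation for that broker pair, while protecting newly posted ciphertexts still relies on the puncturable encryption that this example leaves out.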

their received tasks with the same task requirement and generate encrypted task indices. The time cost of adding new task indices consists of generating on-chain task indices and updating the local state table. We then evaluate the task-matching latency with the growing number of matching tasks. We can see that the task matching operation is extremely fast.

We also measure the local authorization latency when varying the number of brokers. We consider that all brokers have authorized each other. As shown in Table III, with the increase in the number of brokers, there is a rapid growth in the authorization latency. Meanwhile, we can observe that the relationship between authorization latency and the number of brokers is nonlinear. This is because the authorization operation among brokers is pair to pair.

On-Chain Performance Evaluation: In our design, brokers are required to post encrypted task indices, authorization information, and query requests on the blockchain for authorization-based task-matching service. To assess the utility and overhead of our design, we further evaluate its on-chain performance in terms of task publication, authorization, task matching, and gas cost of the implemented contract on Ethereum.

We first measure the transaction confirmation time of task indices initialization. As shown in Fig. 4(a), even when the task index load is heavy, the task index initialization can be fast. The time cost of posting 500 on-chain task indices is about 5.5 s, which is quite modest for blockchain-based applications. Recall that we utilize the packing method to package multiple task identifiers corresponding to the same keyword into one so that the actual number of posted tasks is much more than the number of indices.

We also investigate the impact of the value of $n_{b_i}$ on the time cost of task publication for broker $b_i$. As we discussed before, $n_{b_i}$ is related to the length of ciphertext and the maximum number of brokers that $b_i$ can revoke. To revoke more brokers without the need to redistribute secret keys, $b_i$ can choose a relatively large $n_{b_i}$, while accepting the increase in latency caused by it. Fig. 4(b) shows that when publishing the same number of indices, the confirmation time of posting on-chain task indices grows with the increase of the value of $n_{b_i}$. As


$n_{b_i}$ increases, the length of ciphertext and the number of tags maintained in the task index also grow. Thus, it takes more time to record these on-chain task indices on the blockchain. Meanwhile, we can see that when the value of $n_{b_i}$ rises from 1 to 9, the confirmation time for publishing 500 task indices only increases by less than 2 s, which is acceptable for brokers.

We further evaluate the authorization process on the blockchain. As shown in Fig. 4(c), the transaction confirmation time of on-chain authorization follows a similar upward trend as the number of brokers increases. Specifically, the latency for generating authorized lists for 14 brokers is less than 4 s, which is quite fast for our federated crowdsourcing scenario. In Fig. 4(d), we also measure the dynamic change of the on-chain authorized lists. Observing the results, we can see that as the number of brokers joining the system increases, the latency of authorizing these brokers grows gradually. Meanwhile, the results also show that when new brokers join the system, it takes more time for all brokers to authorize these newly added brokers than for only one broker to authorize them.

To gain a deeper understanding of the performance, we accordingly measure the task-matching latency when varying the number of brokers, search queries, and matching results. Fig. 4(e) depicts the change in task-matching latency under the varying number of search requests and matching indices. It can be seen from the results that when the number of search queries remains the same, the confirmation time of task recommendation increases as the number of matching tasks grows. We note that the confirmation time of task matching includes the time to search and record the search results on the blockchain. Meanwhile, the results also show that when the number of matching indices remains the same, the task-matching latency takes an upward trend with the increasing number of search queries. The reason is that for each search query, the SC needs to traverse the authorized list of the broker that submits the query and then calculate trapdoors to ensure that each broker can only obtain the tasks that they are authorized to access. Thus, the search latency increases slightly as the number of search queries rises. Fig. 4(f) presents the query latency under the various number of brokers and matching results. From the figure, we can find that the latency for task matching rises marginally with the number of brokers in the system. This is because as the number of brokers increases, the number of elements in the authorized list also grows. It takes more time to generate search trapdoors when the length of the authorized list increases. Besides, we can also observe that the number of matching indices has a greater impact on query latency than the number of brokers. It demonstrates that most of the search latency is generated by calculating matching task labels and recording search results on the blockchain.

To evaluate the efficiency of our design, we further compare the throughput of on-chain task matching when varying the number of search queries and matching indices, which is shown in Fig. 4(g). The results show that when searching for one interest, our task-matching scheme can process over 90 entries per second when the number of matching results is more than 600. Moreover, the figure also shows that the throughput for searching multiple interests is much less than 90 and it takes an upward trend as the number of matching results increases. This is because the number of returned results does not reach the processing threshold of task-matching operation at this time. As the number of matching indices continues to increase, the throughput of searching multiple interests will witness a gradual growth and then become stable when its threshold is reached.

To further assess the practicality of our design, Fig. 4(h) plots the gas cost of our implemented SC on Ethereum. In this experiment, the gas price is set to 1 Gwei and the exchange rate is 1 ether = $223.99 at the time of writing. Following this setting, the capital cost of SC deployment, authorization, posting task indices, authorization revocation, and task matching are about $0.816, $0.071, $0.191, $1.563, and $0.241, respectively. According to the evaluation results, we can confirm that the capital cost is not a burden for brokers.

VIII. CONCLUSION

In this article, we proposed a proxy-free privacy-preserving and federated crowdsourcing platform, which supports cross-broker encrypted task-matching and secure authorization revocation with the assistance of the blockchain. Specifically, we first utilized the enhanced RDH technique to devise a proxy-free authorization scheme. Then, we combined the RDH and SE schemes to design the privacy-preserving task-matching protocols over federated brokers. Besides, we further adopted the puncturable encryption technique to implement secure authorization revocation. A thorough security analysis was provided to show the security strengths of our design. The practicality and efficiency of our design were also demonstrated by extensive evaluations and experiments. In future work, we plan to explore advanced SE schemes to support other rich query functions, such as range queries.

REFERENCES

[1] J. Howe, “The rise of crowdsourcing,” IEEE Wired Mag., vol. 53, no. 10, pp. 1–14, Jan. 2006.
[2] (2005). Amazon Mechanical Turk. [Online]. Available: https://www.mturk.com
[3] (2015). Pavemint. [Online]. Available: https://www.pavemint.com/
[4] (2015). CrowdFlower. [Online]. Available: https://www.crowdflower.com
[5] D. Yuan, Q. Li, G. Li, Q. Wang, and K. Ren, “PriRadar: A privacy-preserving framework for spatial crowdsourcing,” IEEE Trans. Inf. Forensics Security, vol. 15, pp. 299–314, 2020.
[6] X. Xu, Q. Liu, X. Zhang, J. Zhang, L. Qi, and W. Dou, “A blockchain-powered crowdsourcing method with privacy preservation in mobile environment,” IEEE Trans. Comput. Soc. Syst., vol. 6, no. 6, pp. 1407–1419, Dec. 2019.
[7] Y. Guo, H. Xie, Y. Miao, C. Wang, and X. Jia, “FedCrowd: A federated and privacy-preserving crowdsourcing platform on blockchain,” IEEE Trans. Services Comput., early access, Oct. 14, 2020, doi: 10.1109/TSC.2020.3031061.
[8] J. Shu and X. Jia, “Secure task recommendation in crowdsourcing,” in Proc. IEEE GLOBECOM, 2016, pp. 1–6.
[9] J. Shu, X. Jia, K. Yang, and H. Wang, “Privacy-preserving task recommendation services for crowdsourcing,” IEEE Trans. Services Comput., early access, Jan. 10, 2018, doi: 10.1109/TSC.2018.2791601.
[10] S. Patel, G. Persiano, and K. Yeo, “Symmetric searchable encryption with sharing and unsharing,” in Proc. ESORICS, 2018, pp. 207–227.
[11] R. Curtmola, J. A. Garay, S. Kamara, and R. Ostrovsky, “Searchable symmetric encryption: Improved definitions and efficient constructions,” in Proc. CCS, 2006, pp. 79–88.


[12] M. D. Green and I. Miers, “Forward secure asynchronous messaging from puncturable encryption,” in Proc. IEEE S&P, 2015, pp. 305–320.
[13] V. Ambati, S. Vogel, and J. G. Carbonell, “Towards task recommendation in micro-task markets,” in Proc. AAAI, 2011, pp. 1–4.
[14] P. Créquit, G. Mansouri, M. Benchoufi, A. Vivot, and P. Ravaud, “Mapping of crowdsourcing in health: Systematic review,” J. Med. Internet Res., vol. 20, no. 5, p. e187, 2018.
[15] H. To, G. Ghinita, L. Fan, and C. Shahabi, “Differentially private location protection for worker datasets in spatial crowdsourcing,” IEEE Trans. Mobile Comput., vol. 16, no. 4, pp. 934–949, Apr. 2017.
[16] Y. Shen, L. Huang, L. Li, X. Lu, S. Wang, and W. Yang, “Towards preserving worker location privacy in spatial crowdsourcing,” in Proc. IEEE GLOBECOM, 2015, pp. 1–6.
[17] H. To, G. Ghinita, and C. Shahabi, “A framework for protecting worker location privacy in spatial crowdsourcing,” Proc. VLDB Endow., vol. 7, no. 10, pp. 919–930, 2014.
[18] J. Shu, K. Yang, X. Jia, X. Liu, C. Wang, and R. Deng, “Proxy-free privacy-preserving task matching with efficient revocation in crowdsourcing,” IEEE Trans. Depend. Secure Comput., vol. 18, no. 1, pp. 117–130, Jan./Feb. 2021.
[19] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in Proc. EUROCRYPT, 2005, pp. 457–473.
[20] J. Hur and D. K. Noh, “Attribute-based access control with efficient revocation in data outsourcing systems,” IEEE Trans. Parallel Distrib. Syst., vol. 22, no. 7, pp. 1214–1221, Jul. 2011.
[21] J. Wei, X. Chen, J. Wang, X. Hu, and J. Ma, “Forward-secure puncturable identity-based encryption for securing cloud emails,” in Proc. ESORICS, 2019, pp. 134–150.
[22] T. V. X. Phuong, W. Susilo, J. Kim, G. Yang, and D. Liu, “Puncturable proxy re-encryption supporting to group messaging service,” in Proc. ESORICS, 2019, pp. 215–233.
[23] M. Li et al., “CrowdBC: A blockchain-based decentralized framework for crowdsourcing,” IEEE Trans. Parallel Distrib. Syst., vol. 30, no. 6, pp. 1251–1266, Jun. 2019.
[24] Y. Lu, Q. Tang, and G. Wang, “ZebraLancer: Private and anonymous crowdsourcing system atop open blockchain,” in Proc. IEEE ICDCS, 2018, pp. 853–865.
[25] S. Han, Z. Xu, Y. Zeng, and L. Chen, “FLUID: A blockchain based framework for crowdsourcing,” in Proc. ACM SIGMOD, 2019, pp. 1921–1924.
[26] Y. Wu, S. Tang, B. Zhao, and Z. Peng, “BPTM: Blockchain-based privacy-preserving task matching in crowdsourcing,” IEEE Access, vol. 7, pp. 45605–45617, 2019.
[27] W. Feng and Z. Yan, “MCS-chain: Decentralized and trustworthy mobile crowdsourcing based on blockchain,” Future Gener. Comput. Syst., vol. 95, pp. 649–666, Jun. 2019.
[28] (2009). The Bitcoin Project. [Online]. Available: https://bitcoin.org/en
[29] (2014). The Ethereum Project. [Online]. Available: https://ethereum.org
[30] (2015). The Hyperledger Project. [Online]. Available: https://hyperledger.org
[31] Z. Zhang, J. Wang, Y. Wang, Y. Su, and X. Chen, “Towards efficient verifiable forward secure searchable symmetric encryption,” in Proc. ESORICS, 2019, pp. 304–321.
[32] D. X. Song, D. A. Wagner, and A. Perrig, “Practical techniques for searches on encrypted data,” in Proc. IEEE S&P, 2000, pp. 13–18.
[33] R. Bost, B. Minaud, and O. Ohrimenko, “Forward and backward private searchable encryption from constrained cryptographic primitives,” in Proc. ACM SIGSAC, 2017, pp. 1465–1482.
[34] D. Cash, S. Jarecki, C. S. Jutla, H. Krawczyk, M. Rosu, and M. Steiner, “Highly-scalable searchable symmetric encryption with support for Boolean queries,” in Proc. CRYPTO, 2013, pp. 353–373.
[35] R. Curtmola, J. A. Garay, S. Kamara, and R. Ostrovsky, “Searchable symmetric encryption: Improved definitions and efficient constructions,”

[42] P. Grubbs, R. McPherson, M. Naveed, T. Ristenpart, and V. Shmatikov, “Breaking Web applications built on top of encrypted data,” in Proc. ACM CCS, 2016, pp. 1353–1364.
[43] D. Cash et al., “Dynamic searchable encryption in very-large databases: Data structures and implementation,” in Proc. NDSS, 2014, p. 853.
[44] C. Zhang, Y. Guo, H. Du, and X. Jia, “PFcrowd: Privacy-preserving and federated crowdsourcing framework by using blockchain,” in Proc. IWQOS, 2020, pp. 1–10.

Chen Zhang (Graduate Student Member, IEEE) received the B.E. degree in network engineering from the Harbin University of Science and Technology, Harbin, China, in 2017, and the M.E. degree in computer technology from Harbin Institute of Technology (Shenzhen), Shenzhen, China, in 2019. She is currently pursuing the Ph.D. degree with the Department of Computer Science, the City University of Hong Kong, Hong Kong.
Her research interests include mobile-edge computing and blockchain.

Yu Guo (Member, IEEE) received the B.E. degree in software engineering from Northeastern University, Shenyang, China, in 2013, and the M.Sc. degree in electronic commerce and the Ph.D. degree in computer science from City University of Hong Kong, Hong Kong, in 2014 and 2019, respectively.
He is currently a Lecturer with the School of Artificial Intelligence, Beijing Normal University, Beijing, China. He has also been a Postdoctoral and Research Fellow with the City University of Hong Kong. His research interests include cloud computing security, network security, privacy-preserving data processing, and blockchain technology.
Dr. Guo is a co-recipient of the Best Paper Award of MMM 2016 and IEEE ICDCS 2020.

Xiaohua Jia (Fellow, IEEE) received the B.Sc. and M.Eng. degrees from the University of Science and Technology of China, Hefei, China, in 1984 and 1987, respectively, and the D.Sc. degree in information science from the University of Tokyo,
J. Comput. Security, vol. 19, no. 5, pp. 895–934, 2011. Tokyo, Japan, in 1991.
[36] S. Kamara, C. Papamanthou, and T. Roeder, “Dynamic searchable He is currently the Chair Professor with the
symmetric encryption,” in Proc. ACM CCS, 2012, pp. 965–976. Department of Computer Science, City University
[37] M. Blaze, G. Bleumer, and M. Strauss, “Divertible protocols and atomic of Hong Kong, Hong Kong. His research interests
proxy cryptography,” in Proc. EUROCRYPT, 1998, pp. 127–144. include cloud computing and distributed systems,
[38] F. Bao, R. H. Deng, X. Ding, and Y. Yang, “Private query on encrypted computer networks, wireless sensor networks, and
data in multi-user settings,” in Proc. ISPEC, 2008, pp. 71–85. mobile wireless networks.
[39] M. Naveed, S. Kamara, and C. V. Wright, “Inference attacks on property- Dr. Jia is an Editor of the IEEE T RANSACTIONS ON PARALLEL AND
preserving encrypted databases,” in Proc. ACM CCS, 2015, pp. 644–655. D ISTRIBUTED S YSTEMS from 2006 to 2009, Wireless Networks, Journal
[40] Q. Wang, Y. Guo, H. Huang, and X. Jia., “Multi-user forward of World Wide Web, and Journal of Combinatorial Optimization. He is the
secure dynamic searchable symmetric encryption,” in Proc. NSS, 2018, General Chair of ACM MobiHoc 2008, a TPC Co-Chair of IEEE MASS 2009,
pp. 125–140. IEEE GlobeCom 2010-Ad Hoc, and Sensor Networking Symposium, an Area-
[41] R. A. Popa and N. Zeldovich, “Multi-key searchable encryption,” in Chair of IEEE INFOCOM 2010, and a Panel Co-Chair of IEEE INFOCOM
Proc. IACR Cryptol. ePrint Archive, vol. 2013, 2013, p. 508. 2011. He is a Fellow of the IEEE Computer Society.


Cong Wang (Fellow, IEEE) received the B.E. degree in electronic information engineering and M.E. degree in communication and information system from Wuhan University, Hubei, China, and Ph.D. degree in electrical and computer engineering from the Illinois Institute of Technology, Illinois, USA.
He is currently an Associate Professor with the Department of Computer Science, City University of Hong Kong, Hong Kong. His research has been supported by multiple government research fund agencies, including National Natural Science Foundation of China, Hong Kong Research Grants Council, and Hong Kong Innovation and Technology Commission. His current research interests include data and network security, blockchain and decentralized applications, and privacy-enhancing technologies.
Dr. Wang received the Outstanding Researcher Award (junior faculty) in 2019, the Outstanding Supervisor Award in 2017, and the President’s Awards in 2019 and 2016, all from City University of Hong Kong. He is a co-recipient of the IEEE INFOCOM Test of Time Paper Award 2020, the Best Student Paper Award of IEEE ICDCS 2017, and the Best Paper Award of IEEE ICPADS 2018 and MSN 2015. He is one of the Founding Members of the Young Academy of Sciences of Hong Kong. He serves/has served as an Associate Editor for IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, IEEE INTERNET OF THINGS JOURNAL, and IEEE NETWORKING LETTERS, and a TPC co-chair for a number of IEEE conferences/workshops. He is a member of ACM.

Hongwei Du (Senior Member, IEEE) received the B.S. degree in computer science and technology from Huazhong Normal University, Huazhong, China, in 2003, and the Ph.D. degree in computer science from the City University of Hong Kong, Hong Kong, in 2008.
He is currently an Associate Professor with the Department of Computer Science, Harbin Institute of Technology (Shenzhen), Shenzhen, China. He has authored or coauthored over 100 articles in refereed international journals and conferences. His current research interests include the wireless networks, social network analysis, mobile-edge computing, and algorithm analysis and design.
