ABSTRACT Task matching in crowdsourcing is designed to provide convenient task information retrieval
and has been extensively explored. In general, the task matching process is required to be reliable and to meet
privacy requirements. However, most existing privacy-preserving task matching solutions for crowdsourcing
focus on privacy issues but ignore the reliability of the process. In this paper, we propose a blockchain-
based task matching scheme for crowdsourcing with a secure and reliable matching. Instead of utilizing a
centralized cloud server, we employ smart contracts, an emerging blockchain technology, to provide reliable
and transparent matching. In this way, data confidentiality and identity anonymity are achieved effectively
and efficiently. The extensive privacy analysis and performance evaluation show that our solution is secure
and feasible.
with multiple workers or multiple requesters. In the proxy-based scheme, the relationship between workers and re-encryption keys is inevitably determined. Since a query from workers is required to be re-encrypted on the platform, a malicious platform may learn the identity information of workers and requesters by analyzing the association between re-encryption keys and search history. After the identity information is obtained by the malicious platform, the information may be sold to a third party, resulting in a wider disclosure. Therefore, it is necessary to achieve the identity anonymity in crowdsourcing.
When using searchable encryption to construct a matching scheme, the designer needs to make some assumptions about the crowdsourcing platform. Most SE solutions consider the platform to be honest-but-curious or even trusted. However, there may be some dishonest behavior on the platform in the task matching service in crowdsourcing. In particular, when a worker submits a query, malicious platforms may not perform operations or may provide incorrect results in order to save computation cost. The incorrect results reduce the availability of platforms and affect the enthusiasm of workers. Scheme [11] has the ability to validate the matching results but requires additional computations at the worker side, which greatly reduces the service efficiency. Consequently, how to ensure the reliable matching of crowdsourcing platforms is a very challenging issue. It is desirable to have a task matching scheme that provides privacy-preserving and reliable matching.
In this paper, we design a blockchain-based privacy-preserving task matching scheme for crowdsourcing, called BPTM, which focuses on three issues: (1) privacy-preserving task matching, where workers' preferences and task requirements are well protected; (2) identity anonymity, where the identity information of workers and requesters will not be revealed during task matching; (3) reliable matching, where the returned tasks correspond to the worker's preferences.
Considering that the centralized crowdsourcing platform is vulnerable to internal or external attacks and may maliciously modify the matching results, using traditional centralized platforms for task matching cannot address these potential issues. In BPTM, we apply the Ethereum blockchain to build an autonomous, accurate decentralized platform, which can be used to replace the potentially dishonest and vulnerable platform. To achieve the privacy-preserving task matching, we construct a searchable encryption scheme to protect task requirements and workers' preferences. Then we use the blockchain-based platform to store the encrypted index in order to provide matching services. By combining smart contracts with searchable encryption, identity anonymity and reliable matching can be effectively achieved. Moreover, we demonstrate that BPTM is secure and feasible through privacy analysis and performance evaluation. The main contributions of this paper can be summarized as follows:
• This paper systematically analyzes the privacy and utility of task matching in crowdsourcing and also defines a set of privacy and utility requirements.
• Compared with the proxy-based or blockchain-based solutions, the BPTM provides identity anonymity to further protect privacy in crowdsourcing.
• Compared with the solutions that rely on the centralized platform, the BPTM achieves reliable task matching and prevents malicious behavior from the adversary.
The rest of the paper is organized as follows. Section II presents the related work and Section III provides the preliminaries. In Section IV, we formulate the problem of task matching in crowdsourcing with the system model, threat model and design goals. In Section V, we describe the detailed construction of BPTM and also analyze its security. In Section VI, we implement the BPTM and make a detailed performance analysis in comparison with the related work theoretically and experimentally. Finally, we conclude the paper in Section VII.
II. RELATED WORK
There are two topics related to our research: task matching in crowdsourcing and searchable encryption. They are discussed separately below.
A. TASK MATCHING IN CROWDSOURCING
With the growing development and popularity of crowdsourcing, many studies on task matching have emerged. Task matching in crowdsourcing usually establishes the association between workers and tasks through interest [2], location [13], or reputation [14]. Considering the security and privacy issues for crowdsourcing, some studies have focused on protecting the privacy of workers, such as [5] based on k-anonymity, [6] based on differential privacy, [7] based on homomorphic encryption. Furthermore, schemes [15], [16] based on searchable encryption can simultaneously protect the characteristics of workers and the requirements of tasks, which meet the privacy requirements of task matching. However, all these schemes rely on an honest-but-curious crowdsourcing platform, ignoring the malicious behavior from the platform. In fact, crowdsourcing platforms may not be honest, where malicious platforms can modify matching results for additional benefits [18]. Specifically, although the privacy of workers and tasks is protected, the malicious crowdsourcing platform can modify the matching results through the identity information of workers and requesters. The incorrect results hinder further development of crowdsourcing. Therefore, the existing solutions cannot guarantee the correctness of the matching results due to the potential threat of centralized platforms.
B. SEARCHABLE ENCRYPTION
Searchable encryption supports us to implement a secure matching scheme, enabling workers to retrieve the corresponding encrypted tasks. Song et al. [21] first proposed a symmetric searchable encryption mechanism. Boneh et al. [22] proposed the first searchable encryption scheme for the public setting. Since the popularity of cloud storage systems, a lot of schemes have been put
forward according to actual needs, including fuzzy keyword search [23], ranked search [24] and multi-keyword search [25]. However, all these schemes only support queries from data owners, which is not suitable for encrypted data matching in the multiple participant setting. In order to construct a multi-owner and multi-user model, [26] and [19] utilize broadcast encryption to generate distinct keys to each worker based on the public master key, enabling workers to query encrypted data. However, the broadcast encryption scheme cannot provide convenient worker registration and revocation. Once the worker needs to be added or revoked, the broadcast encryption scheme is required to be re-initialized. Alternatively, Dong et al. [11], Bao et al. [10] and Shu et al. [15] achieve the multi-user setting by using proxy re-encryption. In proxy-based schemes, the proxy server needs to re-encrypt the information of requesters or workers with the corresponding re-key, which means that the proxy server may infer the identity by analyzing the retrieval behavior.
With the emergence of blockchain technology, some scholars have tried to combine blockchain technology with the searchable encryption. Different from the previous searchable encryption scheme based on a centralized cloud storage platform, blockchain-based searchable encryption ensures data owners control their data against the honest-but-curious platforms. Li et al. [20] proposed the first searchable encryption scheme based on Bitcoin system. In their setting, the encrypted data and encrypted indexes are split and stored at a set of bitcoin transactions. However, as the amount of data grows, the blockchain needs to maintain a large number of transactions, which has a high overhead but low efficiency. Cai et al. [18] combine an efficient dynamic searchable encryption scheme with blockchain, and establish a trustworthy keyword search scheme in decentralized storage. Although this scheme improves the efficiency of the system, it only supports a single data owner to manage the data. Do and Ng [28] and Peng et al. [29] focus on the implementation of distributed data storage, trying to use smart contract to manipulate and authorize data. In these distributed storage schemes, search permissions depend on the search authorization from data owners, which is not applicable to public task matching in crowdsourcing. By leveraging the smart contract in Ethereum, Hu et al. [30] propose a decentralized privacy-preserving search scheme to build up a fair data purchase service, but their construction only supports upload by a single data owner. In addition, the purchase record of workers will be recorded on the blockchain, which may result in the disclosure of identity information. Besides the above conventional blockchain-based SE schemes, other schemes of combining blockchains have been studied, such as attribute-based matching [31] and authentication-based matching [32], [33]. However, these schemes cannot meet the needs of task matching in terms of scalability and efficiency in crowdsourcing.
This paper intends to achieve utility and security goals as shown in Table 1. The above existing schemes cannot fully possess these features, so they cannot be directly applied to the task matching in crowdsourcing.
III. PRELIMINARIES
In this section, we review some background knowledge before going to the details of our construction. All the notations in the following description can be referred in Table 2.
TABLE 2. Notations used in this paper.
A. BLOCKCHAIN TECHNOLOGY AND ETHEREUM
1) BLOCKCHAIN TECHNOLOGY
Blockchain is the core supporting technology of Bitcoin [34], Ethereum [35] and other cryptocurrency systems. The essence of the blockchain is a public distributed ledger that allows anyone to participate in. In this way, the failure of a
blockchain node does not affect other nodes. The consensus mechanism between blockchain nodes maintains the entire blockchain network, which allows each blockchain node to obtain a complete copy of the database. Therefore, blockchain system can only be modified in accordance with strict rules and consensus.
Blocks and transactions are the main components of the blockchain network. Each block stores transaction information in a certain organization. Each transaction records a specific set of operations. The cryptographic hash algorithm and the merkle tree [36] structure ensure that the data cannot be tampered.
2) ETHEREUM
Smart Contract, first proposed by Nick [37] in 1995, is a computer program that can be executed automatically according to its contents. Ethereum is a programming platform that enables developers to build distributed applications based on smart contracts. Specifically, Ethereum can be used for protocol programming, behavioral assurance and trading, such as voting, financial transactions, company management, and signing agreements. Compared to the Bitcoin system, Ethereum has an innovative feature that enables programs to be executed on the blockchain. Once the smart contract is deployed, it can execute the contract without relying on any central authority. Ideally, the smart contract runs exactly as programmed, so the results are accurate and verifiable.
FIGURE 1. The structure of smart contract.
We briefly describe the basic principles of smart contracts, as shown in Fig. 1. The complete smart contract is stored in a block. When deploying the smart contract, it is necessary to preset the trigger condition and the corresponding response rule. The relevant status and values are recorded in the deployed smart contract. Each action from the calling node will be executed. Only the actions that modify the states or values of the contract will eventually be recorded in the blockchain and other actions will not be disclosed.
B. SEARCHABLE ENCRYPTION
Searchable encryption is an effective way to achieve matching of encrypted data. An SE scheme mainly contains three entities: data owner, data user and the matching server. The entire definition of SE model can be defined as a tuple SE = (Setup, Encrypt, Match, Decrypt), shown as follows:
• $K \leftarrow \mathrm{Setup}(1^\lambda)$. It is a probabilistic algorithm that is run by the data owner to set up the service. It takes a security parameter $\lambda$ as input and outputs a secret key $K$.
• $(CT, I_w) \leftarrow \mathrm{Encrypt}(K, D, w)$. It is a probabilistic algorithm that is run by the data owner to encrypt tasks. It takes a task description $D$, a keyword $w$ and the secret key $K$ as input, and outputs a keyword ciphertext $I_w$ and the encrypted tasks $CT$.
• $CT' \leftarrow \mathrm{Match}(K, I_w, w')$. It is a deterministic algorithm that is run by the server or the data user $U$. It takes the secret key $K$, query keyword $w'$ as input, and computes the trapdoor $T_{w'}$. Then, it takes the trapdoor $T_{w'}$ as input, matches $I_w$ with calculations, and outputs $CT'$.
• $D' \leftarrow \mathrm{Decrypt}(K, CT')$. It is a deterministic algorithm that is run by the user $U$. It takes secret key $K$ and the encrypted tasks $CT'$ as input, and outputs the original task description $D'$.
An SE scheme is effective if for all $K \leftarrow \mathrm{Setup}(1^\lambda)$, for all $w \in \{0,1\}^*$, $(CT, I_w) \leftarrow \mathrm{Encrypt}(K, D, w)$, $CT' \leftarrow \mathrm{Match}(K, I_w, w')$, $D' \leftarrow \mathrm{Decrypt}(K, CT')$, we do have $D' = D$ if $w' = w$.
C. BILINEAR PAIRINGS
$\mathbb{G}_1$, $\mathbb{G}_2$ and $\mathbb{G}_T$ are all multiplicative cyclic groups of prime order $p$. Let $g_i$ denote a generator of $\mathbb{G}_i$. A bilinear map $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ has the following properties:
• Bilinearity: for all $u \in \mathbb{G}_1$, $v \in \mathbb{G}_2$, and $a, b \in \mathbb{Z}_p^*$, $e(u^a, v^b) = e(u, v)^{ab}$.
• Non-degeneracy: $e(g_1, g_2) \neq 1$.
• Computability: it is efficient to compute $e$ for any input.
This article will use the following assumption for bilinear pairing:
Bilinear Decisional Diffie-Hellman Variant (BDHV) assumption. The BDHV problem is stated as follows: given two tuples $(g_1^a, g_2^b, g_2^{1/a}, g_1^c, e(g_1, g_2)^{abc})$ and $(g_1^a, g_2^b, g_2^{1/a}, g_1^c, R)$ where $g_i$ is a generator of $\mathbb{G}_i$, $R \xleftarrow{R} \mathbb{G}_T$, $a, b, c \in \mathbb{Z}_p^*$ are chosen randomly. We say that the BDHV assumption holds if all probabilistic polynomial time machines have a negligible advantage to distinguish.
IV. PROBLEM FORMULATION
A. SYSTEM MODEL
In our work, we consider a blockchain-based crowdsourcing system that uses smart contracts instead of untrusted servers for task matching calculations. Task requesters upload encrypted tasks by interacting with smart contracts so that
only authorized workers can match tasks through their interests. For a matching request, the smart contract will return the corresponding matching results based on the established logic and the input from workers. Based on the consensus, the Ethereum network guarantees that the status of the contract and the returned results are not tampered with, thus achieving the reliability of task matching.
FIGURE 2. System model of our scheme.
As shown in Fig. 2, there are four entities in the crowdsourcing system: a key manager (KM), an Ethereum platform, multiple task requesters and multiple workers. The KM performs system initialization and provides registration for requesters and workers. Initially, KM generates the system parameters and deploys smart contracts on the Ethereum platform. After obtaining the secret key, the task requester interacts with the smart contract to upload the encrypted index. In order to retrieve the related tasks, the workers register on KM to obtain trapdoors that meet their characteristics. When receiving the retrieval request, the Ethereum platform authenticates the worker address and returns the relevant tasks through matching calculations. Note that this paper is not concerned with the storage problem. Encrypted task content can be stored in the cloud or any distributed storage as long as the pointer to the task content is recorded in the smart contract.
B. THREAT MODEL
In this work, KM performs registration and key delivery but does not store any task information. Thus, the KM is considered completely trusted and the interaction with KM requires a secure channel. Both the requesters and the workers are considered honest in this scenario. It means that the requesters and the workers would not reveal their secret information, including their secret keys, trapdoors, identities.
Ethereum is an open platform, so the encrypted task index stored on the platform is open to all. A blockchain node is curious to obtain the additional information from the encrypted index and trapdoors. Besides, the identity information and query records are also very sensitive. The adversary can launch linking attacks to establish a link between query records and the identities. If the linking attacks are successful, the adversary can easily determine the identity of workers by analyzing query records and some external knowledge. Moreover, a malicious node could be compromised by the other entity and then return incorrect results to the workers [38]. Similar to the existing blockchain-based crowdsourcing applications, such as [39], our structure relies on Proof-of-Work (PoW) security, where no entity in the system can gather more than 50% of the processing power [40].
C. DESIGN GOALS
According to the above model, the design goals of our system are as follows:
• Privacy-preservation. This property requires that the BPTM should protect the privacy of workers and tasks, which means that it is impossible for a malicious node to obtain secret key and task information through the encrypted data during matching.
• Anonymity. Anonymity protects the identity information of workers and requesters, and is required by most crowdsourcing platforms. Specifically, for a query from a worker, the identity information cannot be determined; for a task submission from a requester, no one node can establish the relationship between the task and the requester.
• Soundness. This property is to ensure that the service provider cannot deviate from the protocol. In general, the existing work achieves this goal through a series of validations. In this paper, we extend this notion to claim that the corresponding search result is reliable, and the service provider cannot forge or return partial results. Also, the correct result can be verified by most nodes in the blockchain.
In addition, considering the use of SE to crowdsourcing, the following properties should be achieved.
• Efficiency. The computational overhead should be low enough to ensure that the smart contract is able to provide matching services. Specifically, the computational cost of the matching function cannot exceed the gas limit, and the time overhead should be acceptable.
• No Proxy. A proxy-based SE scheme may reveal identity privacy. Moreover, the vulnerability of the proxy and interaction costs result in proxy-based solutions that are not suitable for task matching.
V. OUR PROPOSED BPTM SCHEME
In this section, we introduce the overview of BPTM, describe the construction in detail and discuss the security properties.
A. OVERVIEW
In BPTM, we applied the Ethereum blockchain to build an autonomous, accurate decentralized platform. Specifically, the blockchain platform is responsible for the release of crowdsourcing tasks and supports matching calculations for legitimate workers. However, there are some security risks associated with using the open Ethereum platform to implement user management [41]. To solve this dilemma,
BPTM uses a trusted key manager (KM) to distribute keys and grant permissions. In this way, the blockchain platform is focused on providing non-tamperable storage and verifiable task matching. To achieve the privacy-preserving task matching, we construct a searchable encryption scheme to protect task requirements and workers' preferences. Since there are multiple task requesters, we exploit session keys for each task to achieve confidentiality. Furthermore, our keyword search in the smart contract is based on the structure of the inverted index to achieve less computational overhead. To protect the identity information, the worker retrieves the task by calling the read-only function of the blockchain, which indicates that the query and results will not be revealed. Therefore, the adversary cannot link to the specific worker by analyzing the query requests. On the other hand, the task requester can upload the task through a one-task-only blockchain address to prevent the adversary from linking the identity information. By combining smart contracts with searchable encryption, identity anonymity and accurate matching can be effectively achieved.
B. CONCRETE CONSTRUCTION
The BPTM consists of four phases: Service-Setup, Encrypt, Match and Decrypt. The detailed BPTM is described below.
1) Service-Setup: This phase is run by the KM to bootstrap task matching services. Given the security parameter $\lambda$, the KM considers two bilinear groups $\mathbb{G}$, $\mathbb{G}_T$ of prime order $p$ with a mapping $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$. Let $g$ be a random generator of group $\mathbb{G}$ together with two hash functions
$$H : \{0,1\}^* \to \mathbb{G}, \quad G : \{0,1\}^* \to \{0,1\}^\lambda.$$
Then KM defines a pseudorandom function
$$F : \{0,1\}^* \times \{0,1\}^\lambda \to \{0,1\}^\lambda.$$
(Enc, Dec) are the encryption and decryption algorithms of a deterministic symmetric encryption scheme (e.g. AES scheme). The KM randomly selects $s \in \mathbb{Z}_p$ as its secret key. For each task requester, KM randomly selects $rk \xleftarrow{R} \{0,1\}^\lambda$ and computes $tk = g^{s/rk}$, then returns $rsk = (rk, tk)$ to the task requester.
In order to ensure the security of the system, the KM does not provide secret key to registered workers directly. The trapdoor is generated by KM according to the interests of worker in registration. In worker registration, the worker provides a keyword set $W = \{w_1, w_2, \ldots, w_n\}$ to represent his/her interests and provides his/her own Ethereum account address for searching. For each keyword $w$, the KM computes $wk = H(w)^s$ and returns to worker. Finally, KM adds the worker account address to the authorized set on the smart contract.
2) Encrypt: When a task requester R is willing to submit a task for some purpose, such as software development, copywriting or engineering design, R generates a specific crowdsourcing $T = \{D, tr\}$, indicating the description and the requirement, respectively. R first chooses a random session key $K_s \xleftarrow{R} \{0,1\}^\lambda$ to compute
$$CT = \mathrm{Enc}(K_s, D),$$
where $\mathrm{Enc}(K_s, D)$ denotes using AES algorithm to encrypt $D$, the encryption key is $K_s$. Then, R uploads the ciphertext $CT$ to cloud or other distributed storage (e.g. IPFS, https://ipfs.io/) and records the task location $l$. After that, R calculates a temporary key
$$K_{rt} = G(e(H(tr), tk)^{rk}).$$
R encrypts $tr$ by randomly picking an $r \in \mathbb{Z}_p$ and a session key $K_s \xleftarrow{R} \{0,1\}^\lambda$ to compute
$$C_1 = F(tr, K_{rt}),$$
$$C_2 = G(e(H(tr)^r, tk)^{rk}) \oplus l \,\|\, K_s,$$
$$C_3 = g^r.$$
Finally, R stores the encrypted index $(C_1, C_2, C_3)$ to smart contract.
3) Match: Upon receiving $WK = \{wk_1, wk_2, \ldots, wk_n\}$ from KM, the worker U first chooses an encrypted keyword $wk \in WK$ to match. Then, U calculates a temporary key
$$K_{ut} = G(e(wk, g)).$$
Then, the worker U computes the search trapdoor
$$t = F(w, K_{ut})$$
and invokes smart contract with $t$ as arguments. After U generates and submits the trapdoor, the smart contract first judges whether U is an authorized worker. For a search request from the authorized worker, the smart contract will return the search result according to the trapdoor $t$
$$res = (C_2, C_3).$$
For other illegal search requests, the smart contract will reject the search.
4) Decrypt: Upon receiving $res = (C_2, C_3)$ from the smart contract, the worker U first computes
$$d = G(e(wk, C_3)), \quad l \,\|\, K_s = C_2 \oplus d.$$
Then, the worker U downloads the encrypted task $CT$ from $l$ and computes
$$D = \mathrm{Dec}(K_s, CT),$$
where $\mathrm{Dec}(K_s, CT)$ denotes using AES algorithm to decrypt $CT$, the decryption key is $K_s$. Finally U can recover the original task description $td$.
We assume that a keyword is $w$, $t$ is the worker search key corresponding to $w$ generated by KM, an encrypted index $C$ containing the keyword $q$ and the results $results$ returned by the smart contract. We give the proof of the matching correctness and decryption correctness as follows:
Theorem 1 (Matching Correctness): The task matching service is correct. That is, $c \in results$ if $w = q$.
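The Service-Setup, Encrypt, Match and Decrypt algebra of the construction above, traced end to end as an added example (not the authors' implementation): the pairing is replaced by a toy model that stores every group element as its exponent, which is insecure and serves only to check that a matching keyword finds the index entry and recovers l || Ks. The SHA-256 and HMAC instantiations of H, G and F, the 16-byte l and Ks, the class and function names and the address string are assumptions of this example; the AES encryption of D is left out.

```python
import hashlib
import hmac
import secrets

# Toy stand-in for the bilinear groups (assumption of this example): an element
# g^a of G, or e(g,g)^a of G_T, is stored as its exponent a mod P. Discrete logs
# are visible, so this is insecure by design; it reproduces only the algebra
# e(g^a, g^b) = e(g,g)^(ab) that the construction relies on.
P = 2**127 - 1                      # prime group order p (constructed value)
g = 1                               # the generator g = g^1

def pair(a, b):                     # e(g^a, g^b)
    return a * b % P

def power(a, k):                    # (g^a)^k
    return a * k % P

def H(word):                        # H: {0,1}* -> G (nonzero exponent)
    return int.from_bytes(hashlib.sha256(b"H|" + word.encode()).digest(), "big") % P or 1

def G(gt):                          # G: maps a G_T element to 256 bits
    return hashlib.sha256(b"G|" + gt.to_bytes(16, "big")).digest()

def F(word, key):                   # PRF F, here HMAC-SHA256 (assumption)
    return hmac.new(key, word.encode(), hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class KeyManager:
    """Service-Setup and registration, run by the trusted KM."""
    def __init__(self):
        self.s = 1 + secrets.randbelow(P - 1)           # secret key s

    def register_requester(self):
        rk = 1 + secrets.randbelow(P - 1)               # invertible mod p
        tk = power(g, self.s * pow(rk, -1, P) % P)      # tk = g^(s/rk)
        return rk, tk

    def register_worker(self, keywords):
        return {w: power(H(w), self.s) for w in keywords}   # wk = H(w)^s

class MatchingContract:
    """In-memory model of the contract state: an inverted index keyed by C1."""
    def __init__(self):
        self.authorized = set()
        self.search_index = {}

    def add_index(self, c1, c2, c3):
        self.search_index.setdefault(c1, []).append((c2, c3))

    def task_matching(self, sender, t):
        if sender not in self.authorized:               # reject illegal requests
            raise PermissionError("address is not an authorized worker")
        return list(self.search_index.get(t, []))       # res = [(C2, C3), ...]

def encrypt_index(rk, tk, tr, location, ks):
    """Requester side: build (C1, C2, C3) for requirement keyword tr."""
    if len(location) + len(ks) != 32:
        raise ValueError("l || Ks must be as long as the output of G")
    r = 1 + secrets.randbelow(P - 1)
    krt = G(power(pair(H(tr), tk), rk))                 # Krt = G(e(H(tr), tk)^rk)
    c1 = F(tr, krt)
    mask = G(power(pair(power(H(tr), r), tk), rk))      # G(e(H(tr)^r, tk)^rk)
    return c1, xor(mask, location + ks), power(g, r)    # C2 = mask xor l||Ks, C3 = g^r

def trapdoor(w, wk):
    """Worker side: t = F(w, Kut) with Kut = G(e(wk, g))."""
    return F(w, G(pair(wk, g)))

def open_result(wk, c2, c3, loc_len=16):
    """Worker side: d = G(e(wk, C3)), then l || Ks = C2 xor d."""
    plain = xor(c2, G(pair(wk, c3)))
    return plain[:loc_len], plain[loc_len:]

def demo():
    km, contract = KeyManager(), MatchingContract()
    rk, tk = km.register_requester()
    keys = km.register_worker(["logo-design", "translation"])
    contract.authorized.add("0xWORKER")                 # constructed address
    location, ks = b"task-location-01", secrets.token_bytes(16)
    contract.add_index(*encrypt_index(rk, tk, "logo-design", location, ks))

    hit = contract.task_matching("0xWORKER", trapdoor("logo-design", keys["logo-design"]))
    miss = contract.task_matching("0xWORKER", trapdoor("translation", keys["translation"]))
    recovered = open_result(keys["logo-design"], *hit[0])
    return {"matched": len(hit), "unmatched": len(miss),
            "decrypt_ok": recovered == (location, ks)}

if __name__ == "__main__":
    print(demo())
```

Both sides derive the same exponent because e(H(tr), g^(s/rk))^rk and e(H(w)^s, g) both equal e(H(w), g)^s when w = tr, which is why the trapdoor t equals C1 only for the matching keyword.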
Algorithm 4 removeIndex
Input: keywordIndex, tmpParameter
Output: bool
    set Index[] res = searchIndex[keywordIndex];
    get res length len
    for i ∈ [1, len] do
        if msg.sender = res[i].requersterAddr then
            if tmpParameter = res[i].tmp then
                delete searchIndex[keywordIndex][i];
            end if
        end if
    end for
    return True;
• addIndex(keywordIndex, encryptedTask, tmpParameter). The task requester can upload the encrypted task through this interface. For a specific task, only its owner can modify and delete it. According to the construction described above, when a requester wants to publish a task, he selects the keywords from the task and builds the corresponding encrypted index (C1, C2, C3), which represents the input keywordIndex, encryptedTask and tmpParameter, respectively. Taking as input the requester address and encrypted index, the matching contract performs as Algorithm 3 to store the task information.
• removeIndex(keywordIndex, tmpParameter). This interface is open to the task owner. When the task has been completed or canceled, the task requester can delete the encrypted index by uploading keywordIndex and tmpParameter to the smart contract. The smart contract performs Algorithm 4 to delete the task.
• taskMatching(trapdoor). This interface can be called by any authorized worker. According to the construction described above, when a worker wants to retrieve the related tasks, he computes the search trapdoor set represents the input trapdoors. Then, the worker uploads the trapdoors to this interface for task retrieval. Taking as input the worker address and the search trapdoors, the matching contract performs as Algorithm 5 to return the matching results.
The four interfaces (addWorker, removeWorker, addIndex, removeIndex) mentioned above will change the state of the smart contract, which means that the process consumes the property of the caller's account. Since the requester uploads the task based on a one-task-only blockchain address, the addIndex interface does not verify the address. The taskMatching interface is identified by the keyword view, indicating that this process does not change the state. Interfaces that do not change state will not incur any cost and will not be recorded on the blockchain.
D. SECURITY ANALYSIS
As defined by the privacy requirements in Section IV, the proposed scheme achieves Privacy-preservation, Anonymity and Soundness as follows:
Privacy-Preservation: Based on the security definitions proposed in [30], if F is a pseudorandom function and G is a collision resistant hash function, then our matching construction has the same security as [30]. Furthermore, our decrypt construction can be proven secure in the random oracle model under variants of the BDHV assumptions. Thus, the adversary cannot distinguish the difference between two arbitrary encrypted indexes. This means that the secret key and task information will not be revealed even though the index is public. In addition, the matching process is performed by the static interface that does not change the blockchain state. In this way, the search process and the results are not stored publicly on the blockchain, which avoids the passive attacks. Therefore, the proposed scheme provides the security of encrypted indexes and protects the privacy during the task matching.
TABLE 4. Smart contract cost test (gasprice = 2 Gwei, 1 ether = 250 USD).
TABLE 5. Smart contract cost test under different number of task (gasprice = 2 Gwei, 1 ether = 250 USD).
removeWorker of the smart contract are listed, and the cost of performing these interfaces is almost unchanged. The matching contract creates interface is only executed once by KM to complete the initialization and the costs are $0.478. The addWorker interface is executed by KM when the worker completes the registration; the removeWorker interface is required when KM needs to remove a worker from the authorization set. The cost of these two interfaces being called is $0.029 and $0.007. Then, we built the encrypted indexes for five different numbers of tasks 1, 5, 10, 15, and 20, respectively. Table 5 shows the gas overhead required for addIndex and delIndex under different number of tasks. As the number of tasks increases, the cost of these three interfaces being called increases accordingly. Specifically, the gas overhead of addIndex increases linearly with the number of tasks, and the cost of adding five encrypted indexes is approximately $0.536. When performing the delIndex cost evaluation, we delete the encrypted index in the corresponding keyword. According to calculations, the cost of deleting 5 encrypted indexes is approximately $0.041. Although calling the matching interface does not incur a fee, we also evaluate the gas cost for different number of matching operations to assess the speed of task matching. Since the data structure used by the taskMatching interface is a hash table and the calculation of the index is adjusted by G or F, the cost of the correct search is similar. As shown in the table, it takes 300,000 gas to search 5 times correctly. In our experimental environment, the execution time of a 300000 gas operation is no more than 1 second, so the matching process time is acceptable.
TABLE 6. The taskMatching cost test (gasprice = 2 Gwei).
2) KM
In the system initialization, the KM sets up the system through the Service-Setup. As analyzed in Table 3, the overall time cost of system initialization in BPTM is linear with the number of participants and the computation complexity of secret key generation is W · (H + E) for each worker, E for each requester. First, we vary the different number of workers (n) from 1,000 to 10,000 to measure the computation cost of secret key generation for both schemes, as shown in Fig. 3(a). Our BPTM slightly outperforms pMatch and far outperforms SEMEKS. For example, when n = 10,000, it takes about 85s for BPTM while SEMEKS requires 450s. Then, we additionally calculate the computational cost of BPTM under different task requesters 100, 500, 1000 respectively. In the crowdsourcing platform, the number of task requesters is generally smaller than the number of workers, so setting the 1000 task requesters can meet the needs of most crowdsourcing platforms. We observe that in the BPTM under different requesters, as the number of task requesters becomes higher, the corresponding time consumption is also slightly higher, as shown in Fig. 3(b). For the most expensive BPTM-r1000, it takes about 90 seconds to set up a system of 10,000 workers, which is a one-time cost and acceptable for KM.
FIGURE 3. The time cost of the KM. (a) Time cost of worker registration. (b) Time cost of worker and requester registration.
FIGURE 4. The time and transmission cost of the requester. (a) Time cost of task encryption. (b) Transmission cost of ciphertexts.
3) REQUESTER
The overhead on each requester mainly includes the computation and transmission costs in the phase of Encrypt. The computation complexity of keyword encryption in BPTM is (H + F + P + 2G + 2E + Enc), which is slightly less than (5E + H) for pMatch and less than 9E for SEMEKS, as shown in Table 3. In Fig. 4(a), we vary the number of keywords (k) in the task requirement to compare the efficiency and find that BPTM is more efficient. We additionally measure the transmission overhead of interacting with the smart contract. We vary the number of encrypted indexes from 1 to 20 to calculate the overhead and find that the transmission overhead is proportional to the gas consumption of the smart contract. As illustrated in Fig. 4(b), the overhead of uploading 20 ciphertexts to smart contracts is about 5.5kb, and the corresponding cost of smart contracts is $1.7755.

4) WORKER
The overhead on each worker mainly includes the computation cost in the phase of Matching and Decrypt. Since the trapdoor generation is based on the worker interest and is only executed once, the trapdoor generation time is negligible. In this process, pMatch and SEMEKS have a cloud server entity to assist the calculation, but we don’t have this entity, so our comparison combines the process of matching and decryption. Table 3 shows that the computational cost of BPTM is (P + G + Dec), that of pMatch is (4E + H + 4P), and that of SEMEKS is (12E + 5P). Fig. 5 shows that the total time for different numbers of ciphertexts in BPTM is more efficient than that in pMatch and SEMEKS. For example, it only takes about 1.2s to match and decrypt 10 ciphertexts in BPTM while it takes almost 0.3s in pMatch, almost 0.5s in SEMEKS.

FIGURE 5. The time cost of the worker.

VII. CONCLUSION
In this paper, we studied the privacy and utility issues in task matching for crowdsourcing and proposed the BPTM scheme that supports multiple requesters and multiple workers by combining Ethereum blockchain and searchable encryption technology. In BPTM, we exploited the smart contract on the Ethereum to achieve task matching, ensuring that the service provider cannot deviate from the protocol. We also designed a privacy-preserving matching protocol to establish the association between workers and tasks, where the interests of workers and the requirements of tasks are well protected. Compared with the existing privacy-preserving solutions, the BPTM further protects privacy by achieving identity anonymity. Finally, we analyzed the performance of the proposed scheme from both theoretical and experimental aspects. The detailed performance evaluation demonstrates the rationality and feasibility of our proposed scheme for the practical use.

VIII. ACKNOWLEDGMENT
Z. Peng was with the South China University of Technology, and this work was done during his Ph.D. degree at SCUT.
REFERENCES [26] C. Wang, N. Cao, J. Li, K. Ren, and W. Lou, ‘‘Secure ranked keyword
[1] J. Howe, ‘‘The rise of crowdsourcing,’’ Wired Mag., vol. 14, no. 6, search over encrypted cloud data,’’ in Proc. IEEE 30th Int. Conf. Distrib.
pp. 1–4, Jun. 2006. Comput. Syst., Jun. 2010, pp. 253–262.
[2] X. Yin, Y. Chen, and B. Li, ‘‘Task assignment with guaranteed quality for [27] Y. Yu, Y. Li, J. Tian, and J. Liu, ‘‘Blockchain-based solutions to security
crowdsourcing platforms,’’ in Proc. IEEE 25th Int. Symp. Qual. Service, and privacy issues in the Internet of Things,’’ IEEE Wireless Commun.,
Jun. 2017, pp. 1–10. vol. 25, no. 6, pp. 12–18, Dec. 2018.
[3] M. C. Yuen, I. King, and K. S. Leung, ‘‘Task matching in crowdsourcing,’’ [28] H. G. Do and W. K. Ng, ‘‘Blockchain-based system for secure data storage
in Proc. 4th Int. Conf. Internet Things Cyber, Phys. Social Comput., with private keyword search,’’ in Proc. IEEE World Congr. Services,
Oct. 2011, pp. 409–412. Jun. 2017, pp. 90–93.
[4] J. Zhang, F. Tang, L. Barolli, Y. Yang, and W. Xu, ‘‘Information gain based [29] J. Peng, F. Guo, K. Liang, J. Lai, and Q. Wen, ‘‘Searchain: Blockchain-
maximum task matching in spatial crowdsourcing,’’ in Proc. IEEE 31st Int. based private keyword search in decentralized storage,’’ J. Future Gener.
Conf. Adv. Inf. Netw. Appl., Mar. 2017, pp. 886–893. Comput. Syst., vol. 12, Sep. 2017. doi: 10.1016/j.future.2017.08.036.
[5] S. Wu, X. Wang, S. Wang, Z. Zhang, and A. K. Tung, ‘‘K-anonymity for [30] S. Hu, C. Cai, Q. Wang, C. Wang, X. Luo, and K. Ren, ‘‘Search-
crowdsourcing database,’’ IEEE Trans. Knowl. Data Eng., vol. 26, no. 9, ing an encrypted cloud meets blockchain: A decentralized, reliable and
pp. 2207–2221, Sep. 2014. fair realization,’’ in Proc. IEEE Conf. Comput. Commun., Apr. 2018,
[6] H. To, G. Ghinita, L. Fan, and C. Shahabi, ‘‘Differentially private location pp. 792–800.
protection for worker datasets in spatial crowdsourcing,’’ IEEE Trans. [31] S. Wang, Y. Zhang, and Y. Zhang, ‘‘A blockchain-based framework for data
Mobile Comput., vol. 16, no. 4, pp. 934–949, Apr. 2017. sharing with fine-grained access control in decentralized storage systems,’’
[7] Y. Shen, L. Huang, L. Li, X. Lu, S. Wang, and W. Yang, ‘‘Towards IEEE Access, vol. 6, pp. 38437–38450, Jun. 2018.
preserving worker location privacy in spatial crowdsourcing,’’ in Proc. [32] Y. Zhang, R. H. Deng, J. Shu, K. Yang, and D. Zheng, ‘‘TKSE: Trust-
IEEE Global Commun. Conf., Dec. 2015, pp. 1–6. worthy keyword search over encrypted data with two-side verifiability via
[8] D. Cash et al., ‘‘Dynamic searchable encryption in very-large databases: blockchain,’’ IEEE Access, vol. 6, pp. 31077–31087, Jun. 2018.
Data structures and implementation,’’ in Proc. NDSS, vol. 14, Feb. 2014, [33] Y. Zhao, Y. Li, Q. Mu, B. Yang, and Y. Yu, ‘‘Secure pub-sub: Blockchain-
pp. 23–26. based fair payment with reputation for reliable cyber physical systems,’’
[9] Z. Fu, K. Ren, J. Shu, X. Sun, and F. Huang, ‘‘Enabling personalized IEEE Access, vol. 6, pp. 12295–12303, Jan. 2018.
search over encrypted outsourced data with efficiency improvement,’’ [34] S. Nakamoto. (2008). Bitcoin: A Peer-to-Peer Electronic Cash System.
IEEE Trans. Parallel Distrib. Syst., vol. 27, no. 9, pp. 2546–2559, [Online]. Available: https://bitcoin.org/
Sep. 2016. [35] G. Wood, ‘‘Ethereum: A secure decentralised generalised transaction
[10] F. Bao, R. H. Deng, X. Ding, and Y. Yang, ‘‘Private query on encrypted ledger,’’ Ethereum Project, Zug, Switzerland, Yellow Paper, 2014,
data in multi-user settings,’’ in Proc. Int. Conf. Inf. Secur. Pract. Exper., pp. 1–32, vol. 151. [Online]. Available: https://ethereum.org.
Apr. 2008, pp. 71–85. [36] R. C. Merkle, ‘‘A digital signature based on a conventional encryption
[11] C. Dong, G. Russello, and N. Dulay, ‘‘Shared and searchable encrypted function,’’ in Proc. Conf. Theory Appl. Cryptograph. Techn., Aug. 1987,
data for untrusted servers,’’ J. Comput. Secur., vol. 19, no. 3, pp. 369–378.
pp. 367–397, 2011. [37] S. Nick, ‘‘Formalizing and securing relationships on public networks,’’
[12] W. Zhang, Y. Lin, S. Xiao, J. Wu, and S. Zhou, ‘‘Privacy preserving ranked First Monday, vol. 2, no. 9, pp. 1–2, Sep. 1997.
multi-keyword search for multiple data owners in cloud computing,’’ IEEE [38] X. Liu, G. Yang, Y. Mu, and R. Deng, ‘‘Multi-user verifiable searchable
Trans. Comput., vol. 65, no. 5, pp. 1566–1577, May 2016. symmetric encryption for cloud storage,’’ IEEE Trans. Depend. Sec. Com-
[13] L. Kong, L. He, X. Y. Liu, Y. Gu, M. Y. Wu, and X. Liu, ‘‘Privacy- put., to be published. doi: 10.1109/TDSC.2018.2876831.
preserving compressive sensing for crowdsensing based trajectory recov- [39] M. Li et al., ‘‘CrowdBC: A blockchain-based decentralized framework for
ery,’’ in Proc. IEEE 35th Int. Conf. Distrib. Comput. Syst., Jul. 2015, crowdsourcing,’’ IEEE Trans. Parallel Distrib. Syst., to be published. doi:
pp. 31–40. 10.1109/tpds.2018.2881735.
[14] L. Ma, X. Liu, Q. Pei, and Y. Xiang, ‘‘Privacy-preserving reputation [40] A. Gervais, G. O. Karame, K. Wüst, V. Glykantzis, H. Ritzdorf, and
management for edge computing enhanced mobile crowdsensing,’’ IEEE S. Capkun, ‘‘On the security and performance of proof of work
Trans. Serv. Comput., to be published. doi: 10.1109/TSC.2018.2825986. blockchains,’’ in Proc. Conf. Comput. Commun. Secur., Oct. 2016,
[15] J. Shu, X. Jia, K. Yang, and H. Wang, ‘‘Privacy-preserving task recom- pp. 3–16.
mendation services for crowdsourcing,’’ IEEE Trans. Serv. Comput., to be [41] J. Wang, M. Li, Y. He, H. Li, K. Xiao, and C. Wang, ‘‘A blockchain based
published. doi: 10.1109/TSC.2018.2791601. privacy-preserving incentive mechanism in crowdsensing applications,’’
[16] J. Shu, K. Yang, X. Jia, X. Liu, C. Wang, and R. Deng, ‘‘Proxy-free IEEE Access, vol. 6, p. 17545–17556, Mar. 2018.
privacy-preserving task matching with efficient revocation in crowd- [42] K. Yang, K. Zhang, J. Ren, and X. Shen, ‘‘Security and privacy in mobile
sourcing,’’ IEEE Trans. Depend. Sec. Comput., to be published. doi: crowdsourcing networks: Challenges and opportunities,’’ IEEE Commun.
10.1109/TDSC.2018.2875682. Mag., vol. 53, no. 8, pp. 75–81, Aug. 2015.
[17] J. Shu, X. Liu, Y. Zhang, X. Jia, and R. H. Deng, ‘‘Dual-side privacy- [43] D. Wang, X. Jia, C. Wang, K. Yang, S. Fu, and M. Xu, ‘‘Generalized pattern
preserving task matching for spatial crowdsourcing,’’ J. Netw. Comput. matching string search on encrypted data in cloud systems,’’ in Proc. IEEE
Appl., vol. 123, pp. 101–111, Dec. 2018. Conf. Comput. Commun., May 2015, pp. 2101–2109.
45616 VOLUME 7, 2019
Y. Wu et al.: BPTM: Blockchain-Based Privacy-Preserving Task Matching in Crowdsourcing
YIMING WU received the B.S. degree in software engineering in the direction of information security from the Wuhan University of Technology, Wuhan, China, in 2017. He is currently pursuing the M.S. degree with the South China University of Technology. His research interests include information security and blockchain technology.

BOWEN ZHAO received the B.S. degree in information security from the Hunan University of Science and Technology, China, in 2014, and the M.S. degree in information security from Guangxi University, China, in 2017. He is currently pursuing the Ph.D. degree with the South China University of Technology. His research interests include information security and privacy preserving in cloud computing and big data.