Effective Consensus-Based Distributed Auction Scheme for Secure Data Sharing in Internet of Things

In a traditional electronic auction, the centralized auctioneer and decentralized bidders are in an asymmetric structure, where the auctioneer has more ability to decide the auction result. This asymmetric auction structure is not fair to the participants and not suitable for data auctions in the Internet of Things (IoT). The blockchain-based auction system, with participant equality and fairness, is typically symmetrical and particularly suitable for IoT data sharing. However, when applied to IoT data sharing in reality, it faces privacy and efficiency problems. In this context, how to guarantee privacy and break the inherent performance bottleneck of blockchain is still a major challenge. In this paper, a consensus-based distributed auction scheme is proposed for data sharing, which enforces privacy preservation and collusion resistance. A reverse auction-based decentralized data trading model is introduced to solve the trust problem without a centralized auctioneer, where bidders reach consensus on the auction result. Specifically, we devise a differentially private auction mechanism to incentivize data owners to participate in data sharing. An effective hybrid consensus algorithm is constructed among bidders to reach consensus on the auction result with improved security and efficiency. Theoretical analysis shows that the proposed scheme ensures the properties of privacy preservation, incentive compatibility and collusion resistance. Experimental results reveal that the proposed mechanism guarantees the data sharing efficiency and has certain scalability.


Introduction
Data is central to the Internet of Things (IoT). With more and more devices connected to the IoT, the amount of data generated has exploded. IoT data are collected to serve many types of applications, including smart homes, smart grids and smart transportation [1]. How to efficiently utilize the data becomes a critical issue [2]. This calls for the development of an efficient data trading market. Auctions are one of the most popular mechanisms to motivate the IoT nodes to share their data and further earn money from the data [3][4][5][6]. Building on the characteristic of decentralization, it requires a symmetric peer-to-peer (P2P) auction paradigm for IoT data sharing.
The traditional electronic auction system, consisting of a centralized auctioneer and bidders, is an asymmetric structure [3,4,6]. The centralized asymmetric system faces trust issues, as a fully trustworthy auctioneer is difficult to realize [5]. Taking the centralized cloud-based IoT solution as an example, data owners rely on the third-party cloud for storage, access control and business services [7]. In this case, data owners and consumers have to trust the service provider and pay some fee for their services. In addition, the price and amount of data shared between the data owners and consumers can be decided even without the consent of the data owners. As a result of the centralization, these auction mechanisms lack transparency, and data owners have no way to ensure the legitimacy of the sharing [8].
Blockchain, as a trusted P2P symmetric network, is able to facilitate trust and guarantee transparency in a decentralized pattern among various entities [9]. Existing works exploit blockchain technology in data sharing [10,11], task offloading [12] and charging scheduling [13] in IoT. However, the transparency property of blockchain brings about concerns regarding the privacy protection of auction participants [14]. On one hand, an efficient auction tends to stimulate bidders to bid their true valuations to ensure fairness and achieve social welfare maximization. However, this results in the risk of leakage of private information, including the bidder's types of data, geographic location, active time and economic situation. The disclosure of this information would not only bring unfair profit to the informed entities but also cause economic damage to those whose information is disclosed [1]. On the other hand, the widely adopted proof-of-work (PoW) blockchain consensus algorithm is power-consuming and has a long confirmation delay [15,16]. Therefore, it is still an open and critical issue to develop a lightweight consensus mechanism for privacy-preserving auction while making a trade-off between the privacy and social efficiency of the auction mechanism.
In this paper, to cope with the aforementioned issues and realize a distributed reverse auction for IoT data sharing, we develop an effective consensus-based distributed auction scheme for secure data sharing. The main contributions of this work are threefold, as follows.
• A consensus-based distributed reverse auction framework for data sharing is proposed, where symmetric participants are grouped into clusters for privacy, and they reach consensus on the auction result without relying on any fully trusted or semi-trusted auctioneers;
• An incentive compatible privacy-preserving reverse auction mechanism is proposed to prompt data owners to share their data without worrying about privacy leakages. Differential privacy, symmetric encryption and zero-knowledge proofs are incorporated to design the auction mechanism, and a trade-off between privacy preservation and social efficiency of the auction is made;
• An effective hybrid consensus algorithm is constructed, where different kinds of witnesses are selected using anonymous verifiable random functions without peer interactions, and different operations can be conducted in parallel by varying witnesses. In this way, bidders reach consensus on the auction result with low computation costs without performing the auction processes repeatedly.

Related Works
To maximize the utility of massive IoT data, various solutions have been designed for data owners and consumers to carry out data trading effectively and securely. In this section, we will first review the research on auctions for data sharing and then summarize the research on blockchain for data sharing.

Auction for Data Sharing in IoT
Some related works designed different auction mechanisms in data trading markets. Cao et al. [17] proposed an iterative auction mechanism to prevent selfish action and preserve private information. It also encourages consumers to bid reasonably during the auction process. Susanto et al. [18] proposed a double auction mechanism for mobile data trading, which achieves Nash equilibrium and truthfulness in a heterogeneous and dynamic environment. Besides iterative auctions and double auctions, sealed-bid auctions have been investigated in the data market. Jiao et al. [19] proposed a sealed-bid auction model based on the Bayesian optimal mechanism to achieve profit maximization. Nonetheless, they only considered one round of auctions. An et al. [3] proposed a multi-round auction mechanism, which achieves incentive compatibility and false-name bidding proofness. The data are traded in bundles to prevent false-name bidding attacks.
Brakerski et al. [26] designed a privacy-preserving data auction scheme using Paillier encryption and a one-time pad. It enables only the winner access to the data without trusted auctioneers. They also adopt a signature to verify whether the data has been manipulated. Gao et al. [5] designed a privacy-preserving auction protocol using homomorphic encryption for data auctions in cyber-physical systems. In addition, they also enhanced the auction scheme by adding a signature to further improve security.

Blockchain for Data Sharing in IoT
Blockchain-based IoT systems are considered an effective technique for establishing secure data sharing. Li et al. [27] implemented a blockchain-based decentralized crowdsourcing system, which allows requesters to directly send tasks to workers without the involvement of traditional centralized trusted platforms. Kang et al. [10] realized secure and efficient data sharing in vehicular edge networks by exploiting permissioned blockchain and smart contracts. To resist collusion in traffic message exchanges, Feng et al. [28] proposed a consortium blockchain and region partition-based scheme to support trusted data management and deal with inside-and-outside collusive attacks. Xiong et al. [29] proposed an anti-collusion data auction mechanism based on smart contracts. Li et al. [30] presented an anonymous ad dissemination framework for advertising in internet of vehicles. The scheme achieves free-rider forbiddance and privacy preservation. The RSUs construct a consortium blockchain and manage the consensus phase. Chen et al. [11] proposed a secure and efficient data trading approach for the internet of vehicles using a consortium blockchain. An iterative double auction is adopted to determine the amount of traded data and the corresponding price. It ensures truthful data trading among vehicles. The edge servers construct the consortium blockchain and manage the auction phase instead of RSUs. Dai et al. [31] introduced a blockchain-based secure data trading ecosystem, where both data brokers and buyers are dishonest and none of them can access the raw data. Data processing algorithms encoded in smart contracts are deployed on and executed by the trusted hardware. Li et al. [32] proposed a blockchain-based data caching scheme and a decentralized data trading model to prevent the tampering of cache data and establish trust among participants. A double auction is used for data trading with maximum social welfare.
Different from the recent work, we take into consideration the performance bottleneck of the blockchain itself in this research. In addition, we achieve privacy preservation to incentivize data owners to share their data without worrying about privacy leakage. In our work, an effective consensus-based distributed reverse auction scheme is constructed, where all participants are in a symmetric structure.

Preliminaries
This section will sort out the preliminary knowledge, including the traceable ring signature, distributed Laplacian perturbation, Pedersen commitment, zero-knowledge range proof and anonymous verifiable random function.

Traceable Ring Signature
A traceable ring signature scheme is a tuple of algorithms (Gen, Sig, Ver, Trace) [33].

Distributed Laplacian Perturbation
The Laplacian distribution is divisible, and it can be constructed as the sum of gamma distributions [34]. The distributed sanitization algorithm is simple: user i calculates value (N, λ), where $G_1(N, \lambda)$ and $G_2(N, \lambda)$ denote two random values independently drawn from the same gamma distribution. If all values received from the N users of a cluster are summed up, then

Pedersen Commitment
The Pedersen commitment [35] consists of the following algorithms:
• Com(x, r): this commits to a message $x \in \mathbb{Z}_p$ using blinding factor $r \in \mathbb{Z}_p$ and outputs $X = g^x h^r$.
• Vfy(X, x, r): this verifies whether X commits to x with blinding factor r and outputs on success; otherwise, it outputs ⊥.

Zero-Knowledge Range Proof
A zero-knowledge range proof allows a prover to convince a verifier that a committed value falls within a given range. In particular, given a commitment $X = g^x h^r \in G$ for a witness $x \in \mathbb{Z}_p$, bulletproofs [36] allows a prover to generate a non-interactive zero-knowledge (NIZK) argument. We refer to the protocol generating range arguments as RP = (Setup, P, V), which consists of the following probabilistic polynomial-time algorithms:
• RP.Setup($1^\lambda$, n, m): this takes λ as the security parameter, n as the range bit-width, and m as the vector cardinality and outputs σ as the common reference string (CRS).
• RP.P(σ, X, x, r): this takes a commitment X along with the opening vectors x and r and generates an argument π to prove {(g, h ∈ G, X; x, r) :
• RP.V(σ, X, π): this returns if it accepts π; otherwise, it returns ⊥.

Anonymous Verifiable Random Function
An anonymous verifiable random function (AVRF) [37] is the tuple of the algorithms Gen, AVRFprove, AVRFverify, and Update defined as follows, where $H_1$ has range $\{0, 1\}^\alpha$, $H_2$ has range $G$ and α is the output length of AVRF.

System Model and Design Goals
In this section, we introduce the system model, threat model and design goals.

System Model
In this paper, we introduce a consensus-based distributed reverse auction model, where the sellers compete to sell data to a buyer. Generally speaking, in data sharing markets, the reverse auction mechanism is suitable for the situation where multiple data owners tend to sell data to one data consumer or data collector [1]. In a reverse auction, the buyer submits his data requirements and the maximum price he is willing to pay for each unit of data. Sellers who have the required data can submit their bidding information including valuation per unit of data and supply volume. Those who bid lower than the buyer's price and the clearing price are the auction winners, and the payment equals the largest bid value lower than the buyer's maximum price. The decentralized system model is illustrated in Figure 1.
In the distributed system, there is no centralized auctioneer. The reverse auction is realized through off-chain allocation and on-chain verification. Three categories of participants are involved in the proposed auction scheme: sellers $U_i$, buyer B and consensus nodes, where sellers and buyer are data providers and data consumers, respectively, and consensus nodes are selected from bidders. There are two types of consensus nodes, proposer P and validator, which are in charge of the auction solution and verification, respectively. The validator nodes are further divided into two groups, result verifier RV and proof verifier PV, which are responsible for verifying the auction result and the winners' proofs. After the verification, the validator submits votes to the contract for on-chain verification of the auction result. Finally, all results and proofs are recorded on the blockchain without manipulation.
The auction model in this paper is a reverse sealed-bid auction. The buyer is responsible for deploying the auction contract and publishing his data requirement. He commits the maximum price he would pay and reveals it after the bidding phase. Data owners can bid their valuation and supply volume during the bidding phase. For privacy preservation, sellers are grouped into clusters of size N, and Laplace noise is added to each cluster. $U_i$ randomly selects some nodes from the cluster using a secure pseudo-random function (PRF) [34] such that if $U_i$ selects $U_j$, $U_j$ also selects $U_i$. In particular, Afterwards, both users generate a common dummy key $dk_{i,j}$ from their pairwise key $K_{i,j}$: $dk_{i,j} = \frac{i-j}{|i-j|} \times \mathrm{PRF}(K_{i,j}, r_2)$, where $r_2 = r_1$ is a public value. The noised bidding information is then encrypted with the dummy key. In this way, sellers' bid value and supply volume are preserved from other participants and attackers.
After the bidding phase, consensus nodes are selected to determine the winners and their payments. After verification and consensus about the auction result, it is eventually published on the blockchain. Finally, the transactions will be completed. If the winners refuse to conduct the transactions within a limited time, they will lose their deposit as a punishment.

Threat Model and Design Goals
Before we present the formal development of our solution, we establish the threat model as well as design goals for our system. This paper considers both malicious participants and outside attackers. All sellers and the buyer are selfish and rational, i.e., they aim at maximizing their own profit. For example, sellers may collude together to manipulate the auction result. In addition, bidders are encouraged to submit their truthful bidding, including valuation and the supply volume. Nonetheless, if bidding profiles are obtained by a malicious user or adversary, the bidder privacy is subverted, and the auction fairness is undermined. On obtaining others' private information, attackers can gain unfair benefits and advantages. Blockchain nodes are honest but curious. To protect privacy, on-chain operations should not reveal any private information. The outside attackers may eavesdrop on the communication and try to infer the private information.
With respect to the threat model, we define the security and privacy notions of interest. To support the auditability and traceability of blockchain-based applications, we assume that each user is configured with a private key and obtains the corresponding certificate from the trusted Certification Authority. On this basis, we carry out a distributed data auction with privacy preservation and collusion resistance. The scheme in this paper needs to achieve the following goals.
All participants are in a symmetric structure. Auction allocation and pricing do not depend on trusted third parties. Bidders reach consensus on the auction result in a P2P manner with the assistance of smart contracts.
(2) Privacy Preservation. First, the real identities of the data providers and data consumers participating in the auction are hidden and cannot be inferred from the user account address, public key, signature and other information. Second, bidders submit their own bids without knowing others' valuation, and all bids remain private throughout the auction process.
The bidders can obtain highest utility if and only if they submit their bids truthfully.
(4) Collusion Resistance. Bidders cannot collude together to manipulate the auction results for illicit profit. Peer nodes are prevented from colluding to announce false auction results for unfair profits.
(5) Efficiency. The overhead realizing the above goals should be acceptable from the perspective of system users. The consensus process should minimize communication and computation overhead instead of repeating the costly auction assignment and verification calculation by all miners.

Effective Consensus-Based Distributed Reverse Auction
The proposed scheme consists of three stages: the preparation stage, auction stage and consensus stage. In the first stage, a new auction smart contract is deployed by the buyer, and bidders register themselves to join in the auction. Bidders cluster together to establish dummy keys for bidding. During the auction stage, bidders submit their bid value and supply volume in private using differential privacy and modulo addition-based encryption [34]. The private bidding information is gathered and handled to generate the auction result. Then, the winning bidders prove themselves privately using a zero-knowledge range proof without revealing their bid value. In the last stage, consensus nodes are selected, and they reach consensus on the auction result. The first witnesses are selected including proposer and verifier. Then, they respectively perform the auction allocation and verification off-chain in an efficient form. Finally, the contract confirms the auction result by collecting verifiers' votes.

Preparation Stage
A buyer deploys a new smart contract on the blockchain in which the data demand is announced. Potential bidders monitor the blockchain for new auctions and register themselves to join the auction. To participate in the auction, each bidder $U_i$ needs to commit his bid $BidComm_i = g^{bid_i} h^{r_i}$ and supply volume $VolComm_i = g^{vol_i} h^{ran_i}$ and make a deposit which has a prescribed minimum $dpt_\Delta$.
When sellers join the auction, they are grouped into clusters of size N to realize differentially private bidding in the next stage. The detailed process of bidder grouping and key establishment is shown in Algorithm 1. First, bidders are grouped into clusters of N users according to their joining time. Then pairwise keys $K_{i,j}$ between each pair of users inside a cluster are established, which is done by using the traditional Diffie-Hellman key exchange protocol. Finally, each user, $U_i$, selects l other users of the cluster randomly to generate dummy keys.
It should be noted that if $U_i$ selects $U_j$, $U_j$ also selects $U_i$ because of the secure pseudo-random function (PRF) [34]. Afterwards, both users generate a common dummy key $dk_{i,j}$ from We denote by l the number of selected participating users, and $ind_i[j]$ (for $j = 1, \dots, l$) the index of the l users selected by node $U_i$. Note that $dk_{i,j} = -dk_{j,i}$.

Algorithm 1 Bidder Grouping and Key Establishment
Input: Seller registration information, pseudo-random function (PRF), ω, n = 0, N, $r_1$, $r_2$;
Add user to the same group;
3: n++;
4: end for
5: for 1 < i, j < N do
6: Generate $K_{i,j} = K_{j,i}$;
7: end for
8: for 1 < i < N do
9: Randomly choose l other members:
10:
11: if PRF($K_{i,j}$, $r_1$) ω N−1 then
12: j is added to $ind_i$;
13: end if
14: end for
15: for 1 < j < l do
16: Generate
end for
18: end for
19:

The grouped bidders can join the current auction. The dummy key is used to encrypt the bidding information in the auction stage to preserve bidding information privacy, including bid privacy and supply volume privacy. As a result, the consensus nodes cannot decrypt the individual ciphertexts because they do not know dk. However, by adding up the ciphertexts of a given cluster, they can cancel out all dks and retrieve the cluster bidding, which is described in detail in the next subsection.

Auction Stage
In the auction stage, data suppliers report their bid value and supply volume. The proposer selected from the bidders computes the auction solution according to Algorithm 2. Then winning bidders prove themselves in time. The auction result is verified and chained to the block after consensus.

Algorithm 2 Bidding Information Processing and Valid Price Determination
Input: Bidding information Enc($bid_i$), Enc($vol_i$), the number of clusters ClusterNum, the acceptable price of buyer $value_B$
Output: Group average bid $bid_G$, group supply volume $vol_G$, valid price vp
1: function BIDPROCESSING(Enc($bid_i$), Enc($vol_i$))
2: while j ClusterNum do
3: while i N and i ∈ $Cluster_j$ do
4:

Grouped bidders have committed their bid value and made a deposit in the previous stage. They will bid in private in this stage through obfuscating the true bid value and encrypting the bid and volume information. Each user bids as follows:
Step 1 (Bid obfuscation): Calculate the obfuscated bid value where $G_1(N, \lambda)$ and $G_2(N, \lambda)$ are random values, independently drawn from the same gamma distribution. N is the cluster size.
Step 2 (Bidding information encryption): Each noisy bid value $bid_i$ is then encrypted using the modulo addition-based encryption: where m is a large integer. The supply volume is also encrypted: The dummy keys are needed to prevent the peer node from retrieving $bid_i$ and the volume $vol_i$ information.
Step 3 (Broadcasting the bidding information): Sign the bidding information with the ring signature scheme and broadcast (Enc($bid_i$), Enc($vol_i$), sig).

Auction Allocation
After the bidding phase, any peer node can compute the valid price using all the bidding information. First, the bidding information is gathered and decrypted to get the group bidding information; then, the valid price is determined. Finally, winning bidders prove themselves in private.
Step 1 (Bidding information processing): The bidding information from N cluster members is collected and decrypted to obtain the group bid $Gbid = \sum_{i=1}^{N} Enc(bid_i)$ and the group supply volume $vol_G = \sum_{i=1}^{N} Enc(vol_i)$, respectively (Lines 1-12). As Thus, the Laplacian noise is generated in a fully distributed way, as is illustrated in the bidding phase.
In this way, no peer node can decrypt and obtain the individual bid without the dummy keys. By adding all the encrypted contributions of a cluster, the dummy keys dk cancel one another and the noised bid sum is revealed. The added noise ensures the differential privacy of each bid [34].
The group average bid is computed as $bid_G = \frac{Gbid}{N}$. The group volume is the addition of all members' volume vol
Step 2 (Valid Price Determination): The valid price is computed using the group average bids and group volumes. To ensure truthfulness, a good pricing mechanism should ensure that the payment of winners is not determined by their bid value. In doing so, the winners cannot manipulate their bid by misreporting their valuations. The valid price determination procedure is as shown in Algorithm 2 from Line 13 to Line 22.
(i) The valuation and supply of a seller group is recorded as $bid_{G_j}$, $vol_{G_j}$, respectively. Then, the seller groups' valuations $bid_G[]$ are arranged in ascending order.
(ii) Plot the supply $vol_G$ of seller groups versus the valuation $bid_G$ of seller groups in ascending order. Similarly, plot the revealed acceptable price of buyer $value_B$ in the same figure. The intersection shows the valid price vp. It is defined as the key price of winning sellers. Finally, a bidder $U_i$ wins if, and only if, his bid value is smaller than the key price: $bid_i < vp$.
Step 3 (Privacy-preserving Washing Out): The valid price is determined in Step 2. Those bidders whose valuations are lower than the valid price, $bid_i < vp$, are the winners. In this subsection, bidders prove that they are the winners without revealing their bid value, to wash out those with higher bids. The winners are saved to the winners set WS. The procedure of the washing-out protocol is illustrated in Figure 2.
(i) Winning sellers prove that their committed bid values are indeed smaller than the valid price, i.e., $bid_i < vp$.
(ii) The proofs are verified according to the on-chain commitment. Bidders who can provide valid proofs are the final winners. The winners are saved to the set WS.
The buyer pays each winning seller P per unit, which is determined by the valid price in the former step, P = vp. Each winning seller receives payment = vp × $vol_i$ by providing $vol_i$ units of data to the buyer.
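The bidding steps and Step 1 of the allocation above, carried through for one cluster as an added example (not code from the paper). Assumptions, since the page's formulas are missing: each ciphertext is the fixed-point noisy value plus the sum of the user's dummy keys modulo m, a peer is selected when the PRF output falls below a threshold proportional to ω/(N−1), and the gamma noise uses shape 1/N and scale λ; the HMAC-based PRF, the seeded key generator standing in for Diffie-Hellman, and the values of r1 and r2 are constructed for the demo.

```python
import hashlib
import hmac
import random

M = 1 << 64      # modulus m ("a large integer"); value chosen for this example
SCALE = 1000     # fixed-point factor: real-valued noisy bids become integers


def prf(key: bytes, r: bytes) -> int:
    """PRF instantiated with HMAC-SHA256 (an assumption of this example)."""
    return int.from_bytes(hmac.new(key, r, hashlib.sha256).digest(), "big")


def pairwise_keys(n: int, seed: int) -> dict:
    """Stand-in for the Diffie-Hellman exchange: K[i,j] == K[j,i]."""
    rng = random.Random(seed)  # demo only; real keys come from the key exchange
    keys = {}
    for i in range(n):
        for j in range(i + 1, n):
            keys[(i, j)] = keys[(j, i)] = rng.getrandbits(256).to_bytes(32, "big")
    return keys


def select_peers(i: int, n: int, keys: dict, omega: int, r1: bytes) -> list:
    """Assumed rule: pick j when PRF(K_ij, r1) <= 2^256 * omega / (N - 1).

    The rule is symmetric because both users evaluate the same K_ij."""
    limit = (omega << 256) // (n - 1)
    return [j for j in range(n) if j != i and prf(keys[(i, j)], r1) <= limit]


def dummy_key(i: int, j: int, keys: dict, r2: bytes) -> int:
    """dk_ij = (i - j)/|i - j| * PRF(K_ij, r2), hence dk_ij == -dk_ji."""
    sign = 1 if i > j else -1
    return sign * (prf(keys[(i, j)], r2) % M)


def gamma_noise(n: int, lam: float, rng: random.Random) -> float:
    """One user's share G1 - G2; N shares sum to Laplace noise of scale lam."""
    return rng.gammavariate(1.0 / n, lam) - rng.gammavariate(1.0 / n, lam)


def encrypt(value: float, i: int, peers: list, keys: dict, r2: bytes) -> int:
    """Modulo-addition encryption: fixed-point value masked by dummy keys."""
    mask = sum(dummy_key(i, j, keys, r2) for j in peers)
    return (round(value * SCALE) + mask) % M


def decrypt_cluster_sum(ciphertexts: list) -> float:
    """Adding every ciphertext of a cluster cancels the dummy keys."""
    total = sum(ciphertexts) % M
    if total >= M // 2:        # map back to a signed value
        total -= M
    return total / SCALE


def run_cluster(bids, lam, omega, seed, r1=b"r1", r2=b"r2") -> dict:
    n = len(bids)
    rng = random.Random(seed)  # seeded for reproducibility of the demo only
    keys = pairwise_keys(n, seed)
    noisy = [b + gamma_noise(n, lam, rng) for b in bids]
    cts = [encrypt(noisy[i], i, select_peers(i, n, keys, omega, r1), keys, r2)
           for i in range(n)]
    gbid = decrypt_cluster_sum(cts)
    return {"noisy": noisy, "ciphertexts": cts,
            "group_sum": gbid, "group_avg": gbid / n}


if __name__ == "__main__":
    bids = [12.0, 15.5, 9.25, 20.0, 11.0]   # constructed sample bids
    out = run_cluster(bids, lam=1.0, omega=4, seed=7)
    print("true sum      :", sum(bids))
    print("noisy Gbid    :", out["group_sum"])
    print("group average :", out["group_avg"])
    # Dropping one member's ciphertext leaves its peers' dummy keys
    # uncancelled, so the partial sum decodes to garbage.
    print("partial decode:", decrypt_cluster_sum(out["ciphertexts"][:-1]))
```

The partial decode shows the operational caveat of this masking: the cluster sum is only recoverable when every selected member's ciphertext is present.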

Consensus Stage
In this part, we devise an effective hybrid consensus protocol to efficiently reach consensus on the auction result and enhance the security of the distributed data auction. The detailed design of the consensus protocol consists of the following three steps: witness selection, block generation by proposer and verification by validators. Figure 3 elaborates the optimized hybrid consensus procedure, where the efficiency comes from efficient witness selection by applying AVRF and parallel operations conducted by different kinds of witnesses.

Witness Selection
There are two categories of witnesses in our proposed consensus protocol: the proposer P, the block producer responsible for computing the auction allocation and payment, and the validator, responsible for the block verification and commitment. The validators are further divided into two categories: the result verifier RV and proof verifier PV. The witnesses are decided using AVRF without peer interaction, which guarantees fast and efficient auction allocation and verification.
The witness selection works as shown in Algorithm 3. The probability $p_i$ that a bidder $U_i$ is selected as a witness in this auction is independent of others. It depends only on $U_i$'s relative deposit $\alpha_i = dpt_i / DPT$, where DPT is the total stake in the system. $p_i$ is precisely given by , where f is the difficulty parameter.

Algorithm 3 Witness selection.
Input: $dpt_i$, DPT, j = 1, $Num_P$, $Num_{RV}$, $Num_{PV}$;
Output: P, RV, PV;
1: Compute
for j $Num_P$ do
5: x = ($PK_i$, Proposer, j)
6: if $y < 2^\alpha \times p_i$ then
8: $U_i$ is the j-th proposer
9: Generate π ← Proof{($SK_i$) : $\log_{H_2(x)}(u) = \log_g(v)$}
10: end if
11: end for
12: return (P : PK, y, π = (u, π))
13: end procedure
14: procedure RV DETERMINE($dpt_i$, DPT, $Num_{RV}$)
15: for j $Num_{RV}$ do
16: x = ($PK_i$, $Verifier_R$, j)
17: if $y < 2^\alpha \times p_i$ then
19: $U_i$ is the j-th result verifier
20: Generate
end if
22: end for
23: return (RV : PK, y, π = (u, π))
24: end procedure
25: procedure PV DETERMINE($dpt_i$, DPT, $Num_{PV}$)
26: for j $Num_{PV}$ do
27: x = ($PK_i$, $Verifier_P$, j)
28: if $y < 2^\alpha \times p_i$ then
30: $U_i$ is the j-th proof verifier
31: Generate π ← Proof{($SK_i$) : $\log_{H_2(x)}(u) = \log_g(v)$}
32: end if
33: end for
34: return (PV : PK, y, π = (u, π))
35: end procedure

$U_i$ evaluates AVRF using $SK_i = k$ and (y, π) = AVRF($PK_i$, role, j). Here, role ∈ {Proposer, $Verifier_R$, $Verifier_P$}, and the number of each kind of witnesses is $Num_P$, $Num_{RV}$, $Num_{PV}$, respectively. To check if $U_i$ is a witness, the stakeholder computes his threshold $T = 2^\alpha \times p_i$, where α is the output length of the AVRF. $U_i$ is selected as a witness if y < T. The proof π allows others to verify $U_i$'s claim using $U_i$'s verification key. The decision function for witness determination is given by:
The proposer selected, denoted as P, can prove his validity by AVRFprove($PK_P$, x), where $PK_P = (g, v)$, x = ($PK_P$, Proposer, j). P first computes $u = H_2(x)^{SK_P}$, $y = H_1(x, u)$ using his secret key, then secondly generates proof that he is the proposer π ← Proof{($SK_P$) : $\log_{H_2(x)}(u) = \log_g(v)$} and finally outputs ($PK_P$, y, π = (u, π)). Other peer nodes can verify that P is indeed the proposer responsible for auction solution.
The proof verifier PV is selected in the same way with the node type $Verifier_P$ (Lines 25-35).

Auction Allocation by Proposer
Instead of performing costly assignment calculations on-chain, the smart contract allows a dedicated node to perform the allocation off-chain according to the on-chain information. The off-chain calculation of the auction solution does not suffer from the overhead associated with distributed and privacy-preserving solutions such as secure multi-party computation [38]. The auction solution provided by the proposer declares the valid price.
The proposer performs Algorithm 2 to deal with the bidding information and determine the valid price, which is then verified by the result verifier. Bidders who bid lower than the valid price are the winners. Winning bidders prove themselves using zero-knowledge range proof according to the washing-out protocol.
In our scheme, the number of proposers is set to 1 for efficiency. As there is only one proposer, we face a problem if the proposer is offline and fails to submit the auction result in time. To overcome this issue, we have result verifiers. They are responsible for verifying and voting for the proposer's auction resolution. If the proposer fails to submit the auction solution in time, the result verifier can act as the leader and give the solution. This is reasonable because the result verifiers also calculate the auction solution during their verification.

Verification by Validators
The auction solution, once submitted, can be contested within a specified amount of time by any user, while the selected result verifiers start their computation and verification in parallel with the proposer. Once the solution is submitted, verifiers can vote for the solution on the beat. The smart contract can efficiently test the validity of the solution by calculating the votes. Alternatively, if enough validators verify the auction result, it is received as the final solution. Bidders can perform the data trading.
The validators first check the validity of the proposer: AVRFverify(x, y, π). The validators output 1 if $y = H_1(x, u)$ and π verifies, and 0 otherwise. Then the validators conduct two rounds of verifications: first, the result verifiers verify the group bids sorting; second, the proof verifiers verify the winning sellers' proofs. The procedure is given in Algorithm 4. The winners' proofs are verified if RP.V(σ, $BidComm_i$, $\pi_i$) = 1. Bidders who can provide valid proofs are the final winners, who are saved to the winners set WS. The 2/3 voting solution is adopted, and the auction solution generated by the proposer can be immediately confirmed if more than $\frac{2 \times Num_{RV}}{3}$ verification information is received. The verification of the auction solution can be conducted in the meantime with the proposer to save verifying and committing time, thereby greatly reducing the consensus delay. As we can see in Figure 3, the improved hybrid consensus procedure is presented based on an anonymous verifiable random function.
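The witness selection and the 2/3 vote count described above, as an added example that is not the paper's implementation. Assumptions: a demo-sized safe-prime group found at import time (not a secure parameter), SHA-256 for $H_1$ and $H_2$, a Chaum-Pedersen proof with Fiat-Shamir for the discrete-log equality, and a Praos-style selection probability $1 - (1 - f)^{\alpha_i}$ because the page's formula for $p_i$ is missing; `count_votes` and the `deposits` table are hypothetical helpers.

```python
import hashlib
import secrets


def _is_prime(n: int) -> bool:
    if n < 2 or n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def _demo_group(start: int = 1 << 30):
    """Smallest safe prime p = 2q + 1 with q > start (demo size only)."""
    q = start + 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = _demo_group()
G = 4          # a quadratic residue mod P, so it generates the order-Q subgroup
ALPHA = 256    # output length of H1 in bits


def _hash(*parts) -> int:
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def H1(x, u) -> int:                      # range {0,1}^ALPHA
    return _hash("H1", x, u)


def H2(x) -> int:                         # range: the order-Q subgroup
    return pow(_hash("H2", x) % (P - 3) + 2, 2, P)


def keygen():
    k = secrets.randbelow(Q - 1) + 1
    return k, (G, pow(G, k, P))           # SK = k, PK = (g, v = g^k)


def avrf_prove(sk, pk, role, j):
    g, v = pk
    x = (pk, role, j)
    h = H2(x)
    u = pow(h, sk, P)                     # u = H2(x)^SK
    y = H1(x, u)
    w = secrets.randbelow(Q - 1) + 1      # proof of log_h(u) = log_g(v)
    c = _hash("dleq", g, v, h, u, pow(g, w, P), pow(h, w, P)) % Q
    return y, (u, (c, (w + c * sk) % Q))


def avrf_verify(pk, role, j, y, proof) -> bool:
    g, v = pk
    u, (c, s) = proof
    x = (pk, role, j)
    h = H2(x)
    if pow(u, Q, P) != 1 or pow(v, Q, P) != 1:   # reject non-subgroup elements
        return False
    a1 = pow(g, s, P) * pow(v, Q - c, P) % P     # g^s * v^-c
    a2 = pow(h, s, P) * pow(u, Q - c, P) % P     # h^s * u^-c
    return y == H1(x, u) and c == _hash("dleq", g, v, h, u, a1, a2) % Q


def selection_probability(dpt: float, total: float, f: float) -> float:
    """ASSUMED form of p_i: 1 - (1 - f)^(dpt_i / DPT)."""
    return 1.0 - (1.0 - f) ** (dpt / total)


def is_witness(y: int, dpt: float, total: float, f: float) -> bool:
    """U_i is selected when y < T = 2^alpha * p_i."""
    return y < int(selection_probability(dpt, total, f) * (1 << ALPHA))


def count_votes(votes, num_rv, deposits, total, f) -> bool:
    """Confirm only if MORE than 2*Num_RV/3 votes come from proven verifiers.

    votes: iterable of (pk, j, y, proof); deposits: pk -> deposit."""
    valid = set()
    for pk, j, y, proof in votes:
        if (avrf_verify(pk, "Verifier_R", j, y, proof)
                and is_witness(y, deposits[pk], total, f)):
            valid.add((pk, j))            # one vote per proven witness slot
    return 3 * len(valid) > 2 * num_rv


if __name__ == "__main__":
    sk, pk = keygen()
    y, proof = avrf_prove(sk, pk, "Proposer", 1)
    print("proof verifies:", avrf_verify(pk, "Proposer", 1, y, proof))
    print("selected (f=0.5, half of stake):", is_witness(y, 50, 100, 0.5))
```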

Theoretical Analysis
We now provide the detailed theoretical analysis of the proposed scheme, including privacy preservation, incentive compatibility and collusion resistance.

Privacy Preservation
The proposed scheme achieves privacy preservation, including bidder anonymity, bid privacy and supply volume privacy. Bidder anonymity, i.e., the fact that the bidder's real identity cannot be inferred from any information during the entire auction process, is guaranteed through the ring signature and an anonymous verifiable random function. The ring signature adopted allows a bidder to leak messages anonymously, without the risk of identity escrow [33]. The anonymous verifiable random function preserves the witnesses' identities during the consensus process. Additionally, the bidder's public key PK can be updated using Update (PK) to break the linkability [37].
Both bid privacy and supply volume privacy are preserved by differential privacy and symmetric encryption. In our privacy-preserving auction, two random processes, perturbation and clustering, are used to ensure the privacy protection. For bid privacy, each bid is first obfuscated through distributed Laplacian perturbation, then symmetrically encrypted using the dummy keys in the bidder cluster. Because of the divisibility of the Laplacian distribution and the $\frac{1}{\lambda}$-differential privacy property [34,39], all bidders in a cluster maintain a private bid value. Supply volume is also encrypted using the dummy keys. The peer nodes can only decrypt the cluster volume and are prevented from retrieving the volume information $vol_i$ of a bidder. For the washing out in the auction stage, bid privacy is implemented through the zero-knowledge property [36]. The volume privacy during the trading can be preserved by using a secure communication channel between the buyer and bidder, where the precise trading process is out of our scope.

Incentive Compatibility
According to our system model described in Section 4.1, we consider that some bidders would misreport their bidding information to gain a higher utility. The bidding information that the bidders can misreport as false is their valuation. We now explain that the bidders cannot improve their utility by misreporting their values, i.e., our scheme is incentive-compatible. For any bidder $U_i$, the utility obtained by misreporting is not larger than the utility acquired by truthful bidding. The seller's utility is denoted as the difference between the payment by the buyer and the true valuation. For simplicity of explanation, we consider that there is no seller whose valuation is larger than the buyer's reserved price, since the seller whose valuation is larger than the reserved price will not affect the auction results. To prove the incentive compatibility, we consider untruthful bidding.
Theorem 1. The proposed scheme satisfies incentive compatibility, meaning that a seller cannot improve his utility by untruthful bidding in the system.
Proof of Theorem 1. In our privacy-preserving auction scheme, perturbation and clustering are used to ensure the privacy protection. During the bidding phase, the bid value is obfuscated by $bid_i = bid_i + G_1(N, \lambda) - G_2(N, \lambda)$. All the obfuscated bid values are added according to cluster to decrypt and obtain the cluster average bid $bid_G = \sum_{i=1}^{N} Enc(bid_i)/N$. These random processes lower the impact of bid changing on the auction result. According to our allocation mechanism, the winner's payment is fixed lower than the buyer's reserved price. Thus, a larger evaluation of the seller will only reduce the probability of winning, and a smaller evaluation will not improve the payment. The utility will not be increased as a result. In conclusion, a seller cannot improve his utility by untruthful bidding within our auction scheme. Above all, we can conclude that the proposed scheme satisfies incentive compatibility.
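The distributed Laplacian perturbation used in the Privacy Preservation section and in the proof above can be checked numerically. The following is an added example, not the authors' code: it assumes that $G_1$ and $G_2$ are independent Gamma draws with shape $1/N$ and scale $\lambda$ (the usual decomposition behind the divisibility of the Laplace distribution), and it omits the symmetric encryption step; the bids and seed are constructed.

```python
import random
import statistics

def noise_share(n, lam, rng):
    """One bidder's noise: G1(N, lam) - G2(N, lam).

    Assumption: G1, G2 are i.i.d. Gamma(shape=1/N, scale=lam), the standard
    decomposition behind the divisibility of the Laplace distribution.
    """
    return rng.gammavariate(1.0 / n, lam) - rng.gammavariate(1.0 / n, lam)

def obfuscate(bid, n, lam, rng):
    """Bid as it leaves the bidder, before encryption (omitted here)."""
    return bid + noise_share(n, lam, rng)

def cluster_average(bids, lam, rng):
    """Average of the obfuscated bids of one cluster of N = len(bids)."""
    n = len(bids)
    return sum(obfuscate(b, n, lam, rng) for b in bids) / n

def aggregate_noise_stats(n, lam, trials, rng):
    """Empirical mean, variance and E|X| of the summed noise of N bidders.

    For Laplace(0, lam) the exact values are 0, 2*lam**2 and lam.
    """
    sums = [sum(noise_share(n, lam, rng) for _ in range(n))
            for _ in range(trials)]
    mean = statistics.fmean(sums)
    var = statistics.pvariance(sums, mu=mean)
    mean_abs = statistics.fmean([abs(s) for s in sums])
    return mean, var, mean_abs

def single_share_variance(n, lam, trials, rng):
    """Variance of one bidder's own noise; theory gives 2*lam**2 / N."""
    shares = [noise_share(n, lam, rng) for _ in range(trials)]
    return statistics.pvariance(shares)

if __name__ == "__main__":
    rng = random.Random(2024)          # fixed seed, constructed demo input
    bids = [10.0, 12.0, 14.0]          # constructed cluster, N = 3
    lam = 1.0
    print("true average     :", sum(bids) / len(bids))
    print("published average:", round(cluster_average(bids, lam, rng), 3))
    print("aggregate noise (mean, var, E|X|):",
          aggregate_noise_stats(3, lam, 20000, rng))
    print("single-share variance:", single_share_variance(3, lam, 20000, rng))
```

Under this assumption each bidder's own share has variance $2\lambda^2/N$, so only the cluster-level sum carries the full Laplace($\lambda$) noise.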

Collusion Resistance
Our proposed mechanism guarantees that no single bidder has incentive to lie for extra benefit and prevents bidder coalitions from colluding to improve their utilities. This comes from the fortunate property of differential privacy that it degrades smoothly with the number of changes in the data set.

Theorem 2 ([40]). For the proposed auction mechanism M giving −differential privacy and the non-negative utility function µ of its range, for any $D_1$ and $D_2$ differing on, at most, t inputs This applies to the notable case that µ is the sum of the utility functions of t bidders, ensuring that their collective utility does not increase by much. Apparently, exp( t) is larger than exp( ), and the resistance to collusion declines as the size of the coalition increases. For collusion coalitions smaller than 1 = λ, the gain is essentially linear in size. Empirical studies on commercial non-collusion-resistant auctions reveal that most collusion coalitions are small (<6 bidders per coalition) [41].
Note that, to achieve the above security properties, differential privacy and clustering are adopted. This will influence the auction social efficiency, which is further discussed in the next section.

Performance Analysis
In this section, we conduct extensive theoretical and experimental analysis to evaluate the performance of the proposed scheme.

Computation and Communication Cost
First, we discuss the computation overhead of our proposed scheme, which is shown in Table 1. During the preparation stage, each bidder generates commitments to his bid price and supply volume. Each commitment requires two exponentiations and one multiplication. Bidders also need to form clusters for private bidding, during which they are required to establish two shared keys $K_{i,j}$, $dk_{i,j}$ as in Algorithm 1. The buyer commits his preserved accessible price. In the auction stage, a bidder first computes the perturbed bid value, then encrypts the obfuscated bid and supply volume, and finally signs the bidding information. After the valid price is determined, a winning bidder proves his bid is smaller than the valid price. After bidders make a deposit to join the auction, they can perform AVRF locally to verify if they are selected as a witness: $P$, $RV$ or $PV$. As witnesses are divided into different categories responsible for different operations, they can conduct the consensus process in parallel with the auction allocation.
Table 2 shows the communication overhead of the proposed scheme, where the user's address Addr is 20 B in length, the signature $\sigma$ is $|G| + 2|Z_p|$, the symmetric encryption result is in $Z_p$, and the verifier's vote after his verification is 0 or 1. During the preparation stage, each bidder submits his bid commitment and volume commitment. Each commitment is an element in $G$. Bidders' clustering can be conducted off-chain, so the corresponding communication overhead is ignored here. The buyer publishes the auction contract, in which data represents the auction code. In the auction stage, a bidder broadcasts his bidding information $Enc(bid_i)$, $Enc(vol_i)$ with his signature, while the buyer reveals his preserved price value $B$ after the bidding phase. All peers perform AVRF locally to check if they are selected as a $P$, $RV$ or $PV$, so no communication is needed.
After the verification, 2/3 positive votes need to be collected by the smart contract to finish the consensus. The votes from affirmative $RV$ and $PV$ are represented by 1.

Trade-Off between Privacy and Social Efficiency
In our evaluations, we used a dataset containing the real bids of electronic auctions from eBay online auctions [42] to model the auction settings. We adopted the statistics of auction ID 8214355679 to mould the reverse auction with 75 bidders. We also shuffled the bidding information to disturb the bid order, which simulates the bidding randomness and forms different bidder clusters. The shuffle process can give the performance of our scheme in the worst case. The design goal of our scheme is to provide a decentralized reverse auction with privacy preservation and incentive compatibility. On one hand, the differential privacy and clustering incentivize bidders to give their true valuation, while on the other hand, we lose some social efficiency as a result of privacy preservation. To evaluate this property, we adopted the following two customized performance metrics: social welfare and revenue. Social welfare is the difference between the sum of winning bids and the cost: Revenue is the difference between the payment and the cost: where $P$ is the payment per data unit for the winners, and $|W_S|$ is the number of bids higher than or equal to the valid price $vp$. The marginal cost $c$, i.e., the average increment in cost for allocating one additional user, and the supply volume $vol_i$ were set to be 1 for simplicity in the experiment. We used the ratio of the social welfare and revenue to the one without privacy preservation as an evaluation metric. We carried out the experiment on the same dataset hundreds of times to test the average performance.
Figure 4 shows the social welfare ratio and revenue ratio changing with different privacy parameters , i.e., $\frac{1}{\lambda}$ and the number of bidders in a cluster $N$. Figure 4a,c shows the welfare ratio with different numbers of cluster members $N$. It can be observed that a bigger $N$ will reduce the welfare while providing better privacy. Similarly, a bigger provides an improved welfare efficiency and lowers the privacy level.
We can see that with increasing , the social welfare grows with fluctuation (Figure 4a). This is because the welfare is not only influenced by the differential parameter but also the bidder clustering. The randomness from the different bidder clustering results in the variation of the social welfare. Figure 4b,d gives the revenue ratio with different $N$. The revenue ratio keeps the same relationship with the parameters and $N$ as the welfare ratio. The difference is that our scheme achieves a better revenue than social welfare, and the revenue ratio is more than 1 in many cases. The reason is that our noised bid and cluster average bid give a much more appropriate valid price and payment.
Figure 5 illustrates the average welfare and revenue ratio with different . It shows clearly how the welfare ratio and revenue ratio change with . It can be observed that the revenue ratio keeps the same tendency as the welfare ratio with a slight rise. In the majority of instances, the welfare ratio is above 0.95. In some cases, our social welfare with differential privacy is equal to the optimal ones without privacy, i.e., the ratio is 1. Different from the welfare ratio, our scheme enhances the revenue with a ratio of 1.000877474, 1.001214056, 1.002415409, 1.003091384 or 1.003669422 when $N = 3$. This is because the processes of noise addition and bidder clustering give a better valid price and a better payment as a result.
In Figure 6, we compare the proposed scheme to the optimal single price omniscient (OPT) [43] against the privacy parameter . We can observe that our scheme gains high approximate welfare and revenue to OPT. Our revenue even exceeds OPT's when is bigger than 0.5. The reason is that differential privacy and clustering output a better valid price. Not surprisingly, the revenue is larger than the welfare for both OPT and our scheme because the payment is larger than the winner's bid.
Figure 7 clarifies the auction performance with bidder random bidding and clustering. It is obvious that the welfare and revenue ratio grows in a fluctuating manner as increases when $N = 3$ (Figure 7a,b). The shuffle results in a bigger fluctuation range. It can be observed that the lowest welfare and revenue ratio is about 0.6 in the worst case that the bidder cluster average bid results in a bad valid price. It is apparent that our scheme retains a better revenue than welfare in the worst case (Figure 7c). With varying and $N = 3$, the average revenue ratio is greater than 0.6, which reveals that our scheme gives a sensible valid price and payment. For the social welfare, the worst case is about 55% of the optimized one, which is acceptable. The relationship between the social efficiency and the privacy parameter shown in all the above figures provides a visual illustration that our scheme achieves an acceptable trade-off between privacy and social efficiency.

Deployment and Execution Cost
We implemented the logic procedure of the proposed scheme based on Ethereum. Our contract was deployed on a locally simulated network, Ganache. We used a laptop with a 1.6 GHz Dual-Core Intel Core i5 CPU and 8 GB of memory. The smart contract was written in Solidity 0.4.17. The interactions between participants and the involved functions were realized using Truffle based on JavaScript and Web3.js. Since a small number of transactions and blocks were generated during the auction, we did not consider the impact of the world state on the invocation of the smart contracts.
In our framework, the buyer publishes the auction contract, which is responsible for bidder committing and depositing in the preparation stage and vote counting during consensus agreement. Note that the auction allocation, result verification and proof verification are conducted off-chain to save on-chain computation cost.
In Table 3, we show the cost of setting up and executing the contract on the simulated Ethereum network. The cost is the amount of gas consumed by each function, which can be converted to a monetary value in dollars according to the gas price. The gas cost is roughly related to the computational and storage complexity of the function. As we can see, the financial cost of using the smart contract on the Ethereum network is low. For example, the contract initialization (to store the contract on the blockchain) and the bidder registration (to cluster the bidders) cost more than the bidder committing (requiring commitment storage). For the auction smart contract, the total cost for the buyer is about 1.3 million gas and about 4 million gas for each bidder. Compared with the on-chain collusion-resistant scheme [41], our scheme can save on-chain cost and support auctions with many more bidders. Overall, our scheme improves the efficiency of data sharing and has certain scalability in terms of both on-chain and off-chain costs.

Conclusions
To meet the need for symmetric data sharing and address the security and efficiency issues in the decentralized IoT system, an effective consensus-based distributed auction model is proposed. For privacy leakages derived from the transparency of the blockchain, distributed Laplacian perturbation and symmetric encryption are adopted to realize lightweight privacy preservation. To overcome the performance bottleneck of the blockchain, an optimized hybrid consensus algorithm is constructed. Bidders can reach consensus on the auction results with low computation and communication costs. The analyses show that the proposed scheme ensures the properties of privacy preservation, incentive compatibility and collusion resistance with a slight loss of social efficiency. Regarding both on-chain and off-chain costs, it reduces the computation overhead and has a certain amount of scalability to support large-scale auctions.