Dependability Analysis for the Blockchain Oracle System: A Quantitative Modeling Approach

Abstract

Blockchain oracles, as data intermediaries between on-chain and off-chain environments, have opened up a wide range of application scenarios for blockchain technology. The dependability of a blockchain oracle system will affect the dependability of blockchain systems. However, the dynamic and heterogeneous nature of blockchain oracle systems poses challenges to assessing their dependability. Furthermore, how to comprehensively analyze the dependability of blockchain oracle systems from multiple dimensions of transient availability, steady-state availability, and reliability is also a challenge. In order to solve these challenges, this paper proposes three models based on a semi-Markov process (SMP): (1) the SMP model for steady-state availability analysis; (2) the hierarchical model for transient analysis; and (3) the SMP model with absorption states for reliability analysis. Then, we derive the formulas for calculating the dependability metrics, which can be used to evaluate the dependability of blockchain oracle systems composed of any number of oracle nodes. Finally, based on the comparative experiments to verify the approximate accuracy of the proposed model and formulas, we analyze the impact of system parameters and the number of oracle nodes on the dependability metrics. The experimental results reveal that the key factor affecting availability is the failure time and recovery time of the threshold oracle, while the key factor affecting MTTF is the failure time of the threshold oracle.

1. Introduction

Blockchain, as a decentralized and immutable digital ledger, is increasingly being used by researchers as an underlying platform [1]. It stores transaction data across a vast network of nodes, disrupting existing business models and infrastructure in many industries to eliminate the problems associated with centralization [2]. Furthermore, blockchain has wide applications in finance [3], the Internet of Vehicles [4], healthcare [5], and the Industrial Internet of Things [6] through smart contracts. Smart contracts require data from outside the blockchain system [7,8,9]. However, the closed nature of blockchain networks prevents them from directly sensing real-world data, thus limiting their potential and scope in practical applications. To address this limitation, third-party data providers—blockchain oracles—have emerged [10,11,12]. As data intermediaries between on-chain and off-chain environments, oracles are responsible for retrieving and verifying data from the real world and submitting it to the blockchain. This crucial role unlocks broader application scenarios for blockchain technology.

Based on network administration, oracles can be divided into centralized oracles and decentralized oracles. Centralized oracles are managed by a single entity and are responsible for providing the necessary data to smart contracts. Since the validity of the contract depends entirely on the entity controlling the centralized oracle, it is subject to a single point of failure. Decentralized oracles consist of multiple oracle servers, where the oracle nodes generate partial signatures, and these signatures are aggregated into a complete legal signature in the threshold oracle. When oracles introduce external data into the blockchain, a distributed oracle system can obtain data from multiple data sources, effectively solving the problem of data source reliability [13]. However, as off-chain components, the dependability guarantees of the blockchain system do not apply to oracle systems. Moreover, most research focuses on the selection of oracle nodes, while few studies address the dependability issues of blockchain oracle systems. Therefore, it is necessary to quantitatively evaluate the dependability of oracles to provide a reference for improving the dependability of blockchain systems. The evaluation results can also provide a theoretical basis for the selection of oracle nodes.

• Oracle systems are dynamic. Oracle nodes may become unavailable due to being offline, DDoS attacks, and unexpected failures, causing the number of oracle nodes in the oracle system to change dynamically. Furthermore, the available oracle node threshold for ensuring system reliability varies as the total number of nodes changes. Therefore, analyzing the dynamic behavior of oracle systems is a challenge that needs to be addressed.
• Transient availability, steady-state availability, and reliability metrics focus on different aspects of oracle system dependability. Therefore, how to collaboratively analyze these metrics to comprehensively analyze the dependability of the oracle system is a challenge that needs to be addressed.
• Oracle systems consist of threshold oracles and oracle nodes. Different nodes perform different functions, resulting in node heterogeneity. That is, different nodes are in different states at the same time. Therefore, capturing the heterogeneity of nodes in an oracle system is a challenge that needs to be addressed.

In order to address the above challenges, this paper proposes a semi-Markov process (SMP)-based oracle system dependability evaluation approach that can characterize the behaviors of the oracle system from initial operation to failure and perform recovery operations. To the best of our knowledge, our study is the first to comprehensively analyze the dependability of an oracle system consisting of an arbitrary number of oracle nodes from three perspectives: steady-state availability, transient availability, and reliability. The blockchain oracle system’s dependability refers to its ability to provide trustworthy services. Reliability refers to the ability of a blockchain oracle system to operate continuously without failure, while availability refers to its ability to provide effective services. Steady-state analysis is used to assess the blockchain oracle system’s dependability after long-term operation. Transient analysis is used to assess the instantaneous dependability of a blockchain oracle system when encountering sudden situations during operation. The innovations of this paper are as follows:

• We propose three models for analyzing the dependability of oracle systems. Specifically, (1) an SMP model captures the failure and recovery behaviors of each oracle node in the oracle system. (2) An SMP model with absorbing states captures the oracle system’s behaviors from initial operation to failure, and (3) a hierarchical model consisting of multiple SMP models captures the behaviors of the oracle system at different points in time. In particular, these models are multidimensional, which allows them to capture the behavior of different nodes in the system.
• We derive formulas for calculating transient availability, steady-state availability, and reliability, providing a comprehensive assessment of the oracle system’s dependability. The steady-state availability formula reveals the relationship between oracle node failure and recovery parameters, which can be used to evaluate the system’s behaviors as it approaches a steady state. The transient availability formula reveals the relationship between oracle node failure, recovery parameters, and time, which can be used to evaluate the dynamic behavior of the oracle system. The reliability formula reveals the sojourn time of the oracle system in each available state, which can be used to evaluate the executable time of the oracle system. In particular, these formulas are closed-form formulas, which can help service providers identify key factors affecting the dependability of the oracle system.
• We compare simulation and numerical analysis experiments to verify the approximate accuracy of the proposed formulas and models. We also perform sensitivity analysis experiments to analyze the sensitivity of various evaluation metrics with respect to different parameters. In addition, we evaluate the impact of different oracle node numbers on the oracle system’s dependability.

The rest of this paper is organized as follows: Section 2 discusses the differences between our work and existing work. Section 3 describes the system’s behavior, the constructs, and three models and derives the calculation formulas for various metrics. Section 4 presents the results of the simulation and numerical analysis experiments. Section 5 summarizes this paper and proposes future work.

2. Related Work

This section discusses the existing work from two aspects: dependability assessment approaches and blockchain oracle dependability analysis.

2.1. Dependability Assessment Approaches

Recently, a model-driven approach has been widely used in the field of dependability assessment of various complex technical systems and devices.

Tola et al. [14] proposed multiple stochastic activity network (SAN)-based models to analyze the availability of various management and orchestration deployment configurations. Ghosh et al. [15] constructed a stochastic Petri net (SPN)-based resiliency model to evaluate cloud storage service resiliency, which can capture the impact of possible disruptions. Torquato et al. [16] evaluated the availability and security of a system that uses VM migration as rejuvenation and moving target defense-based SPNs and compared these metrics under different migration intervals. They [17] modeled the host-based attack behaviors and VM migration-based defense behaviors based on SPNs and evaluated the attack success probability and system availability. These studies [14,15,16,17] can only investigate the dependability of a system with a fixed number of nodes and are not applicable to analyzing the dependability of systems with a variable number of oracles.

Pereira et al. [18] proposed a hierarchical model for analyzing the availability of the edge–fog–cloud continuum based on fault trees and continuous-time Markov chains (CTMCs) and identified the key elements affecting availability improvement by sensitivity analysis. Araujo et al. [19] combined reliability block diagrams (RBDs) and CTMCs to evaluate the availability of the mobile cloud environment while considering redundancy mechanisms. Simone et al. [20] analyzed the aging and rejuvenation behaviors of softwarized multi-tenant 5G architectures and developed an availability model based on CTMCs and the multidimensional universal generating function (MUGF). They [21] proposed a hierarchical model to assess the availability of Open5GS, which can capture the relationships between nodes based on RBDs and model the failure and repair behaviors of each node based on the stochastic reward network (SRN). These studies [18,19,20,21] employed hierarchical models to address the challenges of analyzing the dependability of large-scale systems. However, the studies [14,15,16,17,18,19,20,21] based on the exponential distribution assumption still have limitations in practical applications; namely, they cannot capture the failure behaviors with increasing failure rates over time.

Ivanchenko et al. [22] compared the CTMC model against the SMP model, which were used to evaluate the availability of cloud server systems, while considering failures of their components. Zheng et al. [23] proposed SPN and non-Markov models to analyze the impact of software aging and human-error-related system failures on the system’s availability and determine the optimal software rejuvenation trigger timing. The authors in [24] conducted a sensitivity analysis for the loss probability of transactions based on the Markov regenerative process. Bhardwaj et al. [25] constructed an SMP-based dependability evaluation model for a virtualized computing system that may be subject to software aging, with two hosts used for operation and backup, respectively. These studies [22,23,24,25] relaxed the assumption of exponential time intervals between event occurrences, but they failed to provide a comprehensive analysis of system dependability in terms of transient availability, steady-state availability, and reliability. In addition, blockchain oracle systems consist of multiple oracle nodes, each with distinct behaviors that may change over time. These models have limitations in capturing the dynamic and heterogeneous behaviors of blockchain oracle systems.

2.2. Blockchain Oracle Dependability Analysis

There are few studies on the dependability evaluation of blockchain oracles, and more researchers should pay attention to the selection of blockchain oracles.

Lo et al. [26] constructed fault tree diagrams to evaluate oracle reliability and identified the key factors affecting the improvement of oracle reliability. Zhu et al. [27] analyzed the dependability of a heterogeneously distributed oracle system based on the CTMC model. They assumed that the time intervals between all events follow the exponential distribution and ignored the transient dependability analysis. In contrast, we propose an SMP model to analyze the dependability of a system composed of an arbitrary number of oracles from three aspects, transient availability, steady-state availability, and reliability, under the condition that the recovery time intervals follow the general distribution.

Liu et al. [28] achieved joint optimization of security and service quality for oracle selection by using a verifiable random function and a reputation mechanism. Taghavi et al. [29] designed a reinforcement learning model for selecting the most reliable and economical oracles. Zhang et al. [30] proposed an oracle selection approach that can optimize the cost and ensure trust based on deep reinforcement learning. Ahmadjee et al. [31] used a multi-criteria decision-making approach to select secure and cost-effective oracles. The dependability assessment of the oracle system proposed in this paper can be complemented with these studies to help select optimal oracles.

3. System Description and Dependability Analysis

This section first describes the oracle system’s behaviors. Then, we construct an SMP model for capturing the failure and recovery behaviors of oracle nodes. Based on the proposed model, we derive the formulas to calculate the transient availability, steady-state availability, and reliability of the oracle system, which can be used for dependability analysis.

3.1. System Dependability

The oracle system consists of a threshold oracle and N oracle nodes. The oracle node obtains data from various data sources and generates a partial signature. M oracle nodes each generate partial signatures for the same aggregation result, and these signatures are aggregated into a complete legal signature in the threshold oracle (M < N). Each node operates independently and does not affect the others.

After a period of operation, both oracle nodes and the threshold oracle can be unavailable due to various reasons such as being offline, DDoS attacks, and unexpected failures. The threshold oracle’s unavailability causes the entire system to fail because partial signatures from various oracle nodes cannot be aggregated, while the oracle node’s unavailability does not cause the entire system to fail. Because each node operates independently, the failure of one node will not affect the other nodes. If the oracle node is unavailable, this node will be rebooted after the fix is complete. If the threshold oracle is unavailable or more than $⌊(n+1)/2⌋-1$ oracle nodes are unavailable, all nodes in the oracle system will be rebooted after the failed node is fixed. We assume that the recovery time intervals follow the general distribution and that the failure time intervals follow the exponential distribution [27].

3.2. System State

We define a $(1+N)$-tuple index $(i,j_1,\dots ,j_k,\dots ,j_N)$ to denote the oracle system’s state. Here, $i$ and $j_k$ denote the states of the threshold oracle and the kth oracle node, respectively. There are two states, Healthy and Failed, as denoted by H and F, respectively. The meaning of each state is as follows:

• State H (Healthy): In this state, the oracle node can function normally. A failed oracle node can return to this state after performing the recovery operation.
• State F (Failed): In this state, the oracle node is unavailable due to various reasons such as being offline, DDoS attacks, and unexpected failures.

Based on the descriptions above, the total number of system states is $(2^{n-1}+C_{n-1}^{(n-1)/2})/2+1$ (n is odd) or $2^{n-2}+C_{n-1}^{n/2}-1$ (n is even), and the meaningful system states are shown in Table 1. We use $(\mathrm{F},\mathrm{H},\mathrm{H},\dots ,\mathrm{H})$ to illustrate the meaningless system state. This state denotes that the threshold oracle is unavailable and that the remaining oracle nodes are available. In fact, when the threshold oracle is unavailable, the function of aggregating partial signatures cannot be completed. Even if other oracle nodes are available, the oracle system cannot be used to retrieve and verify data. Therefore, these meaningless system states can be ignored.

Table 1. The meaningful system state’s definition.

System State	State of Threshold Oracle	State of the 1st Oracle Node	…	State of the Last Oracle Node	Available or Not
$(\mathrm{H},\mathrm{H},\dots ,\mathrm{H})$	Healthy	Healthy	…	Healthy	Yes
$(\mathrm{H},\mathrm{F},\dots ,\mathrm{H})$	Healthy	Failed	…	Healthy	Yes
$(\mathrm{H},\mathrm{H},\dots ,\mathrm{F})$	Healthy	Healthy	…	Failed	Yes
$(\mathrm{F},\mathrm{F},\dots ,\mathrm{F})$	Failed	Failed	…	Failed	No

3.3. Notation and Conventions

This section introduces the notations and conventions that were used in the models and matrixes. Table 2 shows the definition of variables used in the model and matrixes. It is important to note that $s_i$ represents the system state and is used as a subscript for elements in a matrix. The subscript of an element in a matrix consists of two system states and is used to identify the transition from one state to another.

Table 2. The definition of variables used in the model.

Variable	Definition	Distribution	Default Values
$F_{d1}\left(t\right)$	The cumulative distribution function (CDF) for the holding time of the threshold oracle from the H state to the F state.	Exponential	20 days– 40 days [27]
$F_{di}\left(t\right)$	The CDF for the holding time of the ith oracle node from the H state to the F state. ($1<i\le n$)	Exponential	20 days–40 days [27]
$F_{ddi}\left(t\right)$	The CDF for the minimum holding time of other oracles from the H state to the F state after the ith oracle node suffers from failure. ($1<i\le n$)	--	--
$F_{r1}\left(t\right)$	The CDF for the holding time of the threshold oracle from the F state to the H state.	General	10 min–30 min [27]
$F_{ri}\left(t\right)$	The CDF for the holding time of the ith oracle node from the F state to the H state. ($1<i\le n$)	General	10 min–30 min [27]
$s_i$	The ith system state	--	--

3.4. Steady-State Availability Analysis

The SMP model can be used to capture the behaviors of the oracle system considered in this paper. Figure 1 shows the SMP model for the oracle system with one threshold oracle and two oracle nodes, as shown in Figure 1. Table 2 shows the definitions of the variables used in the model. The steady-state availability of the oracle system can be calculated by summing the steady-state probabilities of all available system states, as shown in Equation (1).

$${\pi }_{\mathrm{sa}}={\displaystyle \frac{1-V_{s3}{h}_{s3}}{{\displaystyle {\sum }_{i=0}^3{V}_{si}{h}_{si}}}}$$

(1)

Figure 1. The SMP model for analyzing the steady-state availability of the oracle system consisting of one threshold oracle and two oracle nodes.

In Equation (1), $V_{*}$ is the steady-state probability of the system state in the embedded discrete time Markov chain (EDTMC), which is calculated by $\mathrm{V}=\mathrm{VP}$ and subject to $\mathrm{V}{e}^T=1$. The one-step transition probability matrix P can describe the EDTMC, as shown in Equation (2). $p_{s_i{s}_j}$ denotes the probability that the EDTMC will then transition to state $s_j$ if it is already in system state $s_i$.

$$\left(\begin{array}{cccc}0& p_{s_0{s}_1}& p_{s_0{s}_2}& p_{s_0{s}_3}\\ p_{s_1{s}_0}& & & \\ p_{s_2{s}_0}& p_{s_2{s}_1}& & \\ p_{s_3{s}_0}& p_{s_3{s}_1}& & \end{array}\right)$$

(2)

where the non-null elements are given in Equations (3)–(10).

$$p_{s_0{s}_1}={\displaystyle {\int }_0^{\infty }(1-F_{d2}(t))(1-F_{d3}(t))d{F}_{d1}(t)}$$

(3)

$$p_{s_0{s}_2}={\displaystyle {\int }_0^{\infty }(1-F_{d1}(t))(1-F_{d3}(t))d{F}_{d2}(t)}$$

(4)

$$p_{s_0{s}_3}={\displaystyle {\int }_0^{\infty }(1-F_{d1}(t))(1-F_{d2}(t))d{F}_{d3}(t)}$$

(5)

$$p_{s_1{s}_0}=1$$

(6)

$$p_{s_2{s}_0}={\displaystyle {\int }_0^{\infty }(1-F_{dd2}(t))d{F}_{r2}(t)}$$

(7)

$$p_{s_2{s}_1}={\displaystyle {\int }_0^{\infty }(1-F_{r2}(t))d{F}_{dd2}(t)}$$

(8)

$$p_{s_3{s}_0}={\displaystyle {\int }_0^{\infty }(1-F_{dd3}(t))d{F}_{r3}(t)}$$

(9)

$$p_{s_3{s}_1}={\displaystyle {\int }_0^{\infty }(1-F_{r3}(t))d{F}_{dd3}(t)}$$

(10)

In Equation (1), $h_{*}$ is the mean sojourn time for each state, which is calculated by $h_{*}={\displaystyle {\int }_0^{\infty }(1-G_{*}(t))dt}$. $G_{*}$ is the sojourn time distribution for each state. Equations (11)–(14) provide the detailed process for calculating $h_{*}$.

$$h_{s_0}={\displaystyle {\int }_0^{\infty }(1-F_{d1}(t))(1-F_{d2}(t))(1-F_{d3}(t))(1-F_{d4}(t))dt}$$

(11)

$$h_{s_1}={\displaystyle {\int }_0^{\infty }(1-F_{r1}(t))dt}$$

(12)

$$h_{s_2}={\displaystyle {\int }_0^{\infty }(1-F_{r2}(t))(1-F_{dd2}(t))dt}$$

(13)

$$h_{s_3}={\displaystyle {\int }_0^{\infty }(1-F_{r3}(t))(1-F_{dd3}(t))dt}$$

(14)

Based on a three-dimensional model, we propose the SMP model for the oracle system with one threshold oracle and N oracle nodes, as shown in Figure 2. Table 2 shows the definitions of the variables used in the model. The steady-state availability of the oracle system can be calculated by summing the steady-state probabilities of all available system states, as shown in Equation (15).

$$\left\{\begin{array}{c}{\pi }_{\mathrm{sa}}={\displaystyle \frac{1-V_{s(2^{n-1}+C_{n-1}^{(n-1)/2})/2}{h}_{s(2^{n-1}+C_{n-1}^{(n-1)/2})/2}}{{\displaystyle {\sum }_{i=0}^{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}{V}_{si}{h}_{si}}}},\begin{array}{cc}\begin{array}{cc}& \end{array}& n \mathrm{is} \mathrm{odd}\end{array}\\ {\pi }_{\mathrm{sa}}={\displaystyle \frac{1-V_{s{2}^{n-2}+C_{n-1}^{n/2}-2}{h}_{s{2}^{n-2}+C_{n-1}^{n/2}-2}}{{\displaystyle {\sum }_{i=0}^{2^{n-2}+C_{n-1}^{n/2}-2}{V}_{si}{h}_{si}}}},\begin{array}{cc}\begin{array}{cc} & \end{array}& n \mathrm{is} \mathrm{even}\end{array}\end{array}\right.$$

(15)

Figure 2. The SMP model for analyzing the steady-state availability of the oracle system consisting of any number of oracle nodes.

The one-step transition probability matrixes are shown in Equations (16) and (17), corresponding to the cases where n is odd and even, respectively.

$$\left(\begin{array}{ccccccccccccc}0& p_{s_0{s}_1}& p_{s_0{s}_2}& \dots & \dots & p_{s_0{s}_{n-1}}& 0& 0& \dots & \dots & \dots & 0& p_{s_0{s}_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}}\\ p_{s_1{s}_0}& 0& 0& \dots & \dots & 0& p_{s_1{s}_n}& 0& \dots & \dots & \dots & 0& p_{s_1{s}_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}}\\ p_{s_2{s}_0}& 0& 0& \dots & \dots & 0& p_{s_2{s}_n}& p_{s_2{s}_{n+1}}& \dots & 0& \dots & 0& p_{s_2{s}_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}}\\ \dots & 0& 0& \dots & \dots & 0& 0& \dots & \dots & \dots & \dots & \dots & \dots \\ \dots & 0& 0& \dots & \dots & 0& 0& \dots & \dots & \dots & \dots & \dots & \dots \\ p_{s_{n-1}{s}_0}& 0& 0& \dots & \dots & 0& 0& p_{s_{n-1}{s}_{n(n-3)/2-3}}& \dots & p_{s_{n-1}{s}_{n(n-1)/2}}& \dots & 0& \dots \\ 0& p_{s_n{s}_1}& p_{s_n{s}_2}& 0& \dots & \dots & \dots & \dots & \dots & \dots & \dots & 0& \dots \\ 0& \dots & p_{s_{n+1}{s}_2}& p_{s_{n+1}{s}_3}& 0& \dots & \dots & \dots & \dots & \dots & \dots & 0& \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots \\ 0& \dots & \dots & \dots & p_{s_{2n-3}{s}_{n-2}}& p_{s_{2n-3}{s}_{n-1}}& 0& \dots & \dots & \dots & \dots & 0& \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & p_{s_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2-1}{s}_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}}\\ p_{s_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}}{s}_0& 0& 0& \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & 0& 0\end{array}\right)$$

(16)

$$\left(\begin{array}{ccccccccccccc}0& p_{s_0{s}_1}& p_{s_0{s}_2}& \dots & \dots & p_{s_0{s}_{n-1}}& 0& 0& \dots & \dots & \dots & 0& p_{s_0{s}_{2^{n-2}+C_{n-1}^{n/2}-2}}\\ p_{s_1{s}_0}& 0& 0& \dots & \dots & 0& p_{s_1{s}_n}& 0& \dots & \dots & \dots & 0& p_{s_1{s}_{2^{n-2}+C_{n-1}^{n/2}-2}}\\ p_{s_2{s}_0}& 0& 0& \dots & \dots & 0& p_{s_2{s}_n}& p_{s_2{s}_{n+1}}& \dots & 0& \dots & 0& p_{s_2{s}_{2^{n-2}+C_{n-1}^{n/2}-2}}\\ \dots & 0& 0& \dots & \dots & 0& 0& \dots & \dots & \dots & \dots & \dots & \dots \\ \dots & 0& 0& \dots & \dots & 0& 0& \dots & \dots & \dots & \dots & \dots & \dots \\ p_{s_{n-1}{s}_0}& 0& 0& \dots & \dots & 0& 0& p_{s_{n-1}{s}_{n(n-3)/2-3}}& \dots & p_{s_{n-1}{s}_{n(n-1)/2}}& \dots & 0& \dots \\ 0& p_{s_n{s}_1}& p_{s_n{s}_2}& 0& \dots & \dots & \dots & \dots & \dots & \dots & \dots & 0& \dots \\ 0& \dots & p_{s_{n+1}{s}_2}& p_{s_{n+1}{s}_3}& 0& \dots & \dots & \dots & \dots & \dots & \dots & 0& \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots \\ 0& \dots & \dots & \dots & p_{s_{2n-3}{s}_{n-2}}& p_{s_{2n-3}{s}_{n-1}}& 0& \dots & \dots & \dots & \dots & 0& \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & p_{s_{2^{n-2}+C_{n-1}^{n/2}-3}{s}_{2^{n-2}+C_{n-1}^{n/2}-2}}\\ p_{s_{2^{n-2}+C_{n-1}^{n/2}-2}{s}_0}& 0& 0& \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & 0& 0\end{array}\right)$$

(17)

where the non-null elements are given in Equations (18)–(39). ($1\le i\le n-1,B=\left\{j|j\ne i,1\le j\le n-1\right\},B\prime =\left\{j\prime |1\le j\prime \le n-3\right\},B‴=\left\{j‴|1\le j‴\le n-1\right\},$$G=\left\{w|3\le w\le n\right\},G\prime =\left\{w\prime |4\le w\prime \le n\right\},G″=\left\{w″|5\le w″\le n\right\},G‴=\left\{w‴|6\le w‴n\right\}$).

$$p_{s_0{s}_i}={\displaystyle {\int }_0^{\infty }\underset{j\in B}{\Pi }(1-F_{dj}(t))(1-F_{dn}(t))d{F}_{di}(t)}$$

(18)

$$p_{s_0{s}_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}}={\displaystyle {\int }_0^{\infty }\underset{j‴\in B‴}{\Pi }(1-F_{dj‴}(t))d{F}_{dn}(t)} (n\mathrm{is}\mathrm{odd})$$

(19)

$$p_{s_0{s}_{2^{n-2}+C_{n-1}^{n/2}-2}}={\displaystyle {\int }_0^{\infty }\underset{j‴\in B‴}{\Pi }(1-F_{dj‴}(t))d{F}_{dn}(t)} (n\mathrm{is}\mathrm{even})$$

(20)

$$p_{s_i{s}_0}={\displaystyle {\int }_0^{\infty }\underset{j\in B}{\Pi }(1-F_{dj}(t))(1-F_{dn}(t))d{F}_{ri}(t)}$$

(21)

$$p_{s_i{s}_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}}={\displaystyle {\int }_0^{\infty }\underset{j\in B}{\Pi }(1-F_{dj}(t))(1-F_{ri}(t))d{F}_{dn}(t)} (n \mathrm{is} \mathrm{odd})$$

(22)

$$p_{s_i{s}_{2^{n-2}+C_{n-1}^{n/2}-2}}={\displaystyle {\int }_0^{\infty }\underset{j\in B}{\Pi }(1-F_{dj}(t))(1-F_{ri}(t))d{F}_{dn}(t)} (n \mathrm{is} \mathrm{even} )$$

(23)

$$p_{s_1{s}_n}={\displaystyle {\int }_0^{\infty }(1-F_{r1}(t))\underset{\mathrm{w}\in G}{\Pi }(1-F_{dw}(t))d{F}_{d2}(t)}(n\ge 4)$$

(24)

$$p_{s_1{s}_{2n-2}}={\displaystyle {\int }_0^{\infty }(1-F_{r1}(t))(1-F_{d2}(t))\underset{w\prime \in G\prime }{\Pi }(1-F_{dw\prime }(t))d{F}_{d3}(t)}(n\ge 4)$$

(25)

$$p_{s_1{s}_{2n-1}}={\displaystyle {\int }_0^{\infty }(1-F_{r1}(t))(1-F_{d2}(t))(1-F_{d3}(t))\underset{w″\in G″}{\Pi }(1-F_{dw″}(t))d{F}_{d4}(t)}(n\ge 5)$$

(26)

$$p_{s_1{s}_{2n}}={\displaystyle {\int }_0^{\infty }(1-F_{r1}(t))(1-F_{d2}(t))(1-F_{d3}(t))(1-F_{d4}(t))\underset{w‴\in G‴}{\Pi }(1-F_{dw‴}(t))d{F}_{d5}(t)}(n\ge 6)$$

(27)

$$p_{s_2{s}_n}={\displaystyle {\int }_0^{\infty }(1-F_{r2}(t))\underset{\mathrm{w}\in G}{\Pi }(1-F_{dw}(t))d{F}_{d1}(t)}(n\ge 4)$$

(28)

$$p_{s_2{s}_{n+1}}={\displaystyle {\int }_0^{\infty }(1-F_{r2}(t))(1-F_{d1}(t))\underset{w\prime \in G\prime }{\Pi }(1-F_{dw\prime }(t))d{F}_{d3}(t)}(n\ge 4)$$

(29)

$$p_{s_n{s}_1}={\displaystyle {\int }_0^{\infty }(1-F_{r1}(t))\underset{w\in G}{\Pi }(1-F_{dw}(t))d{F}_{r2}(t)}(n\ge 6)$$

(30)

$$p_{s_n{s}_2}={\displaystyle {\int }_0^{\infty }(1-F_{r2}(t))\underset{w\in G}{\Pi }(1-F_{dw}(t))d{F}_{r1}(t)}(n\ge 6)$$

(31)

$$p_{s_{n+1}{s}_2}={\displaystyle {\int }_0^{\infty }(1-F_{r2}(t))(1-F_{d1}(t))\underset{w\prime \in G\prime }{\Pi }(1-F_{dw\prime }(t))d{F}_{r3}(t)}(n\ge 6)$$

(32)

$$p_{s_{n+1}{s}_3}={\displaystyle {\int }_0^{\infty }(1-F_{r3}(t))(1-F_{d1}(t))\underset{w\prime \in G\prime }{\Pi }(1-F_{dw\prime }(t))d{F}_{r2}(t)}(n\ge 6)$$

(33)

$$p_{s_{2n-3}{s}_{n-2}}={\displaystyle {\int }_0^{\infty }(1-F_{r(n-2)}(t))\underset{j\prime \in B\prime }{\Pi }(1-F_{dj\prime }(t))(1-F_{dn}(t))d{F}_{r(n-1)}(t)}(n\ge 6)$$

(34)

$$p_{s_{2n-3}{s}_{n-1}}={\displaystyle {\int }_0^{\infty }(1-F_{r(n-1)}(t))\underset{j\prime \in B\prime }{\Pi }(1-F_{dj\prime }(t))(1-F_{dn}(t))d{F}_{r(n-2)}(t)}(n\ge 6)$$

(35)

$$p_{s_n{s}_{n(n-1)/2+1}}={\displaystyle {\int }_0^{\infty }(1-F_{r1}(t))(1-F_{r2}(t))\underset{w\prime \in G\prime }{\Pi }(1-F_{dw\prime }(t))d{F}_{d3}(t)}(n\ge 6)$$

(36)

$$p_{s_n{s}_q}={\displaystyle {\int }_0^{\infty }(1-F_{r1}(t))(1-F_{r2}(t))\underset{w\prime \in G\prime }{\Pi }(1-F_{d(w\prime -1)}(t))d{F}_{dn}(t)}$$

(37)

$$p_{s_{n+1}{s}_q}={\displaystyle {\int }_0^{\infty }(1-F_{r2}(t))(1-F_{r3}(t))(1-F_{d1}(t))\underset{w″\in G″}{\Pi }(1-F_{d(\mathrm{w}″-1)}(t))d{F}_{dn}(t)}$$

(38)

$$p_{s_{2n-3}{s}_q}={\displaystyle {\int }_0^{\infty }(1-F_{r(n-2)}(t))(1-F_{r(n-1)}(t))\underset{j\prime \in B\prime }{\Pi }(1-F_{dj\prime }(t))d{F}_{dn}(t)}$$

(39)

Equations (40)–(44) provide the detailed process for calculating $h_{*}$, where $1\le i\le n-1,B=\left\{j|j\ne i,1\le j\le n-1\right\},B″=\left\{j″|1\le j″\le n\right\}$.

$$h_{s_0}={\displaystyle {\int }_0^{\infty }\underset{j\in B″}{\Pi }(1-F_{dj}(t))dt}$$

(40)

$$h_{s_i}={\displaystyle {\int }_0^{\infty }\underset{j\in B}{\Pi }(1-F_{dj}(\mathrm{t}))(1-F_{ri}(\mathrm{t}))(1-F_{dn}(\mathrm{t}))dt}$$

(41)

$$h_{s_n}={\displaystyle {\int }_0^{\infty }(1-F_{r1}(t))(1-F_{r2}(t))\underset{w\in G}{\Pi }(1-F_{dw}(t))dt}$$

(42)

$$h_{s_{n+1}}={\displaystyle {\int }_0^{\infty }(1-F_{r2}(t))(1-F_{r3}(t))(1-F_{d1}(t))\underset{w\prime \in G\prime }{\Pi }(1-F_{dw\prime }(t))dt}$$

(43)

$$h_{s_{2n-3}}={\displaystyle {\int }_0^{\infty }(1-F_{r(n-2)}(t))(1-F_{r(n-1)}(t))\underset{j\prime \in B\prime }{\Pi }(1-F_{dj\prime }(t))(1-F_{dn}(t))dt}$$

(44)

3.5. Transient Availability Analysis

The hierarchical model consisting of multiple SMP models can be used to capture the dynamic behaviors of the oracle system considered in this paper. Figure 3 shows the hierarchical model for the oracle system with three nodes. Furthermore, we extend this model to the multidimensional model to analyze the oracle system with one threshold oracle and N oracle nodes, as shown in Figure 4. The definitions of the variables used in the model are shown in Table 2. The transient availability of the oracle system can be calculated by summing the transient probabilities of all available system states at time t, as shown in Equation (45).

$$\left\{\begin{array}{c}{\pi }_{\mathrm{ta}}(t)=1-{\pi }_{s(2^{n-1}+C_{n-1}^{(n-1)/2})/2}(t),\begin{array}{cc}\begin{array}{cc}& \end{array}& n \mathrm{is} \mathrm{odd}\end{array}\\ {\pi }_{\mathrm{ta}}(t)=1-{\pi }_{s{2}^{n-2}+C_{n-1}^{n/2}-2}(t),\begin{array}{cc}\begin{array}{cc} & \end{array}& n \mathrm{is} \mathrm{even}\end{array}\end{array}\right.$$

(45)

Figure 3. The hierarchical model for analyzing the transient availability of the oracle system consisting of one threshold oracle and two oracle nodes.

Figure 4. The hierarchical model for analyzing the transient availability of the oracle system consisting of any number of oracle nodes.

In order to obtain ${\pi }_{*}\left(t\right)$, we can solve $\pi \left(t\right)=\pi \left(0\right)V\left(t\right)$, where $\pi \left(0\right)$ is the initial probability vector, and $V\left(t\right)$ can be solved by taking the inverse Laplace–Stieltjes transform (LST) $V^{~}\left(s\right)=E^{~}\left(s\right)+K^{~}\left(s\right)V^{~}\left(s\right)$. $K(t)=[k_{ij}(t)]$ can be obtained by Equations (46) and (47), corresponding to the cases where n is odd and even, respectively. $E\left(t\right)=\left[E_{ii}\right(t\left)\right]$ is a diagonal matrix and can be obtained by $E_{ii}(t)=1-{\displaystyle {\sum }_j{k}_{ij}\left(t\right)}$.

$$\left(\begin{array}{ccccccccccccc}0& k_{s_0{s}_1}(t)& k_{s_0{s}_2}(t)& \dots & \dots & k_{s_0{s}_{n-1}}(t)& 0& 0& \dots & \dots & \dots & 0& k_{s_0{s}_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}}(t)\\ k_{s_1{s}_0}(t)& 0& 0& \dots & \dots & 0& k_{s_1{s}_n}(t)& 0& \dots & \dots & \dots & 0& k_{s_1{s}_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}}(t)\\ k_{s_2{s}_0}(t)& 0& 0& \dots & \dots & 0& k_{s_2{s}_n}(t)& k_{s_2{s}_{n+1}}(t)& \dots & 0& \dots & 0& k_{s_2{s}_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}}(t)\\ \dots & 0& 0& \dots & \dots & 0& 0& \dots & \dots & \dots & \dots & \dots & \dots \\ \dots & 0& 0& \dots & \dots & 0& 0& \dots & \dots & \dots & \dots & \dots & \dots \\ k_{s_{n-1}{s}_0}(t)& 0& 0& \dots & \dots & 0& 0& k_{s_{n-1}{s}_{n(n-3)/2-3}}(t)& \dots & k_{s_{n-1}{s}_{n(n-1)/2}}(t)& \dots & 0& \dots \\ 0& k_{s_n{s}_1}(t)& k_{s_n{s}_2}(t)& 0& \dots & \dots & \dots & \dots & \dots & \dots & \dots & 0& \dots \\ 0& \dots & k_{s_{n+1}{s}_2}(t)& k_{s_{n+1}{s}_3}(t)& 0& \dots & \dots & \dots & \dots & \dots & \dots & 0& \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots \\ 0& \dots & \dots & \dots & k_{s_{2n-3}{s}_{n-2}}(t)& k_{s_{2n-3}{s}_{n-1}}(t)& 0& \dots & \dots & \dots & \dots & 0& \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & k_{s_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2-1}}{s}_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}(t)\\ k_{s_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}}{s}_0(t)& 0& 0& \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & 0& 0\end{array}\right)$$

(46)

$$\left(\begin{array}{ccccccccccccc}0& k_{s_0{s}_1}(t)& k_{s_0{s}_2}(t)& \dots & \dots & k_{s_0{s}_{n-1}}(t)& 0& 0& \dots & \dots & \dots & 0& k_{s_0{s}_{2^{n-2}+C_{n-1}^{n/2}-2}}(t)\\ k_{s_1{s}_0}(t)& 0& 0& \dots & \dots & 0& k_{s_1{s}_n}(t)& 0& \dots & \dots & \dots & 0& k_{s_1{s}_{2^{n-2}+C_{n-1}^{n/2}-2}}(t)\\ k_{s_2{s}_0}(t)& 0& 0& \dots & \dots & 0& k_{s_2{s}_n}(t)& k_{s_2{s}_{n+1}}(t)& \dots & 0& \dots & 0& k_{s_2{s}_{2^{n-2}+C_{n-1}^{n/2}-2}}(t)\\ \dots & 0& 0& \dots & \dots & 0& 0& \dots & \dots & \dots & \dots & \dots & \dots \\ \dots & 0& 0& \dots & \dots & 0& 0& \dots & \dots & \dots & \dots & \dots & \dots \\ k_{s_{n-1}{s}_0}(t)& 0& 0& \dots & \dots & 0& 0& k_{s_{n-1}{s}_{n(n-3)/2-3}}(t)& \dots & k_{s_{n-1}{s}_{n(n-1)/2}}(t)& \dots & 0& \dots \\ 0& k_{s_n{s}_1}(t)& k_{s_n{s}_2}(t)& 0& \dots & \dots & \dots & \dots & \dots & \dots & \dots & 0& \dots \\ 0& \dots & k_{s_{n+1}{s}_2}(t)& k_{s_{n+1}{s}_3}(t)& 0& \dots & \dots & \dots & \dots & \dots & \dots & 0& \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots \\ 0& \dots & \dots & \dots & k_{s_{2n-3}{s}_{n-2}}(t)& k_{s_{2n-3}{s}_{n-1}}(t)& 0& \dots & \dots & \dots & \dots & 0& \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & k_{s_{2^{n-2}+C_{n-1}^{n/2}-3}{s}_{2^{n-2}+C_{n-1}^{n/2}-2}}(t)\\ k_{s_{2^{n-2}+C_{n-1}^{n/2}-2}{s}_0}(t)& 0& 0& \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & 0& 0\end{array}\right)$$

(47)

3.6. Reliability Analysis

In this paper, we use the mean time to oracle system failure for evaluating the oracle system’s reliability. In order to calculate the MTTF of the oracle system, we need to consider an oracle system without recovery operations. The SMP model with absorbing states can be used to capture the behaviors of the oracle system without recovery operations. Figure 5 shows the SMP model for the oracle system with three nodes. Furthermore, we extend this model to the multidimensional model to analyze the oracle system with any number of nodes, as shown in Figure 6. The system state’s definition is shown in Table 1. The definitions of the variables used in the model are shown in Table 2. The assumptions involved in the model are consistent with those described in Section 3.1 and Section 3.2. The MTTF of the oracle system can be calculated by Equation (48).

$$\left\{\begin{array}{c}\mathrm{MTTF}={\displaystyle {\sum }_{i=0}^{(2^{n-1}+C_{n-1}^{(n-1)/2})/2-1}{V}_{si}^{\prime }{h}_{si}^{\prime }},\begin{array}{cc}\begin{array}{cc}& \end{array}& n \mathrm{is} \mathrm{odd}\end{array}\\ \mathrm{MTTF}={\displaystyle {\sum }_{i=0}^{2^{n-2}+C_{n-1}^{n/2}-3}{V}_{si}^{\prime }{h}_{si}^{\prime }},\begin{array}{cc}\begin{array}{cc}& \end{array}& n \mathrm{is} \mathrm{even}\end{array}\end{array}\right.$$

(48)

where $V_{*}^{\prime }$ is the expected number of visits to the system state until absorption and can be derived by $V_{si}^{\prime }={\alpha }_{si}^{\prime }+{\displaystyle \sum _{j=0}^{(2^{n-1}+C_{n-1}^{(n-1)/2})/2-1}{V}_{sj}^{\prime }{p}_{sjsi}^{\prime }}$ or $V_{si}^{\prime }={\alpha }_{si}^{\prime }+{\displaystyle \sum _{j=0}^{2^{n-2}+C_{n-1}^{n/2}-3}{V}_{sj}^{\prime }{p}_{sjsi}^{\prime }}$. ${\alpha }_{si}^{\prime }$ is the initial probability of the system state. $P\prime =\left[p_{ij}^{\prime }\right]$ is the one-step transition probability matrix and can be obtained by Equations (49) and (50), corresponding to the cases where n is off and even, respectively. Compared to $P$, $P\prime$ lacks a description of the transition probability from the failure system state $(\mathrm{F},\mathrm{F},\dots ,\mathrm{F})$ to the healthy system state $(\mathrm{H},\mathrm{H},\dots ,\mathrm{H})$.

$$\left(\begin{array}{ccccccccccccc}0& p{\prime }_{s_0{s}_1}& p{\prime }_{s_0{s}_2}& \dots & \dots & p{\prime }_{s_0{s}_{n-1}}& 0& 0& \dots & \dots & \dots & 0& p{\prime }_{s_0{s}_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}}\\ p{\prime }_{s_1{s}_0}& 0& 0& \dots & \dots & 0& p{\prime }_{s_1{s}_n}& 0& \dots & \dots & \dots & 0& p{\prime }_{s_1{s}_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}}\\ p{\prime }_{s_2{s}_0}& 0& 0& \dots & \dots & 0& p{\prime }_{s_2{s}_n}& p{\prime }_{s_2{s}_{n+1}}& \dots & 0& \dots & 0& p{\prime }_{s_2{s}_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}}\\ \dots & 0& 0& \dots & \dots & 0& 0& \dots & \dots & \dots & \dots & \dots & \dots \\ \dots & 0& 0& \dots & \dots & 0& 0& \dots & \dots & \dots & \dots & \dots & \dots \\ p{\prime }_{s_{n-1}{s}_0}& 0& 0& \dots & \dots & 0& 0& p{\prime }_{s_{n-1}{s}_{n(n-3)/2-3}}& \dots & p{\prime }_{s_{n-1}{s}_{n(n-1)/2}}& \dots & 0& \dots \\ 0& p{\prime }_{s_n{s}_1}& p{\prime }_{s_n{s}_2}& 0& \dots & \dots & \dots & \dots & \dots & \dots & \dots & 0& \dots \\ 0& \dots & p{\prime }_{s_{n+1}{s}_2}& p{\prime }_{s_{n+1}{s}_3}& 0& \dots & \dots & \dots & \dots & \dots & \dots & 0& \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots \\ 0& \dots & \dots & \dots & p{\prime }_{s_{2n-3}{s}_{n-2}}& p{\prime }_{s_{2n-3}{s}_{n-1}}& 0& \dots & \dots & \dots & \dots & 0& \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & p{\prime }_{s_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2-1}{s}_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}}\\ p{\prime }_{s_{(2^{n-1}+C_{n-1}^{(n-1)/2})/2}{s}_0}& 0& 0& \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & 0& 0\end{array}\right)$$

(49)

$$\left(\begin{array}{ccccccccccccc}0& p{\prime }_{s_0{s}_1}& p{\prime }_{s_0{s}_2}& \dots & \dots & p{\prime }_{s_0{s}_{n-1}}& 0& 0& \dots & \dots & \dots & 0& p{\prime }_{s_0{s}_{2^{n-2}+C_{n-1}^{n/2}-2}}\\ p{\prime }_{s_1{s}_0}& 0& 0& \dots & \dots & 0& p{\prime }_{s_1{s}_n}& 0& \dots & \dots & \dots & 0& p{\prime }_{s_1{s}_{2^{n-2}+C_{n-1}^{n/2}-2}}\\ p{\prime }_{s_2{s}_0}& 0& 0& \dots & \dots & 0& p{\prime }_{s_2{s}_n}& p{\prime }_{s_2{s}_{n+1}}& \dots & 0& \dots & 0& p{\prime }_{s_2{s}_{2^{n-2}+C_{n-1}^{n/2}-2}}\\ \dots & 0& 0& \dots & \dots & 0& 0& \dots & \dots & \dots & \dots & \dots & \dots \\ \dots & 0& 0& \dots & \dots & 0& 0& \dots & \dots & \dots & \dots & \dots & \dots \\ p{\prime }_{s_{n-1}{s}_0}& 0& 0& \dots & \dots & 0& 0& p{\prime }_{s_{n-1}{s}_{n(n-3)/2-3}}& \dots & p{\prime }_{s_{n-1}{s}_{n(n-1)/2}}& \dots & 0& \dots \\ 0& p{\prime }_{s_n{s}_1}& p{\prime }_{s_n{s}_2}& 0& \dots & \dots & \dots & \dots & \dots & \dots & \dots & 0& \dots \\ 0& \dots & p{\prime }_{s_{n+1}{s}_2}& p{\prime }_{s_{n+1}{s}_3}& 0& \dots & \dots & \dots & \dots & \dots & \dots & 0& \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots \\ 0& \dots & \dots & \dots & p{\prime }_{s_{2n-3}{s}_{n-2}}& p{\prime }_{s_{2n-3}{s}_{n-1}}& 0& \dots & \dots & \dots & \dots & 0& \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots \\ \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & p{\prime }_{s_{2^{n-2}+C_{n-1}^{n/2}-3}{s}_{2^{n-2}+C_{n-1}^{n/2}-2}}\\ p{\prime }_{s_{2^{n-2}+C_{n-1}^{n/2}-2}{s}_0}& 0& 0& \dots & \dots & \dots & \dots & \dots & \dots & \dots & \dots & 0& 0\end{array}\right)$$

(50)

Figure 5. The SMP model for analyzing the reliability of the oracle system consisting of one threshold oracle and two oracle nodes.

Figure 6. The SMP model for analyzing the reliability of the oracle system consisting of any number of oracle nodes.

4. Experiment Results

This section first describes the comparison results between the simulation and numerical analyses. Then, we gives the sensitivity of different metrics with respect to system parameters. Finally, we analyze how oracle dependability varies with the number of oracle nodes.

4.1. Experimental Configuration

To verify the effectiveness of the proposed models and formulas in the experiment, we set $F_{d1}\left(t)=\mathrm{EXP}({\alpha }_1\right)$ and $F_{di}\left(t\right)=\mathrm{EXP}({\alpha }_i)$ as the CDFs of the threshold oracle failure time and the oracle node failure time, respectively. $F_{r1}\left(t\right)=\mathrm{u}(t-{\beta }_1)$ and $F_{ri}\left(t\right)=\mathrm{u}(t-{\beta }_i)$ are set as the CDFs of the threshold oracle recovery time and the oracle node recovery time, respectively. Table 2 gives the default parameter settings. Note that our models are also applicable to other types of CDFs and other parameter settings. We develop a simulator in the Maple language to verify the approximate accuracy of the proposed model and formulas. The simulation experiments were run 10,000 times. The results were averages of 10,000 simulation experiments. Based on the formulas derived in Section 3, we perform the numerical experiments. Simulation and numerical experiments are conducted on MAPLE. When performing the inverse LST in Maple, the first state uses table lookup. If it cannot be solved, it will proceed to the second state, which will perform factorization, transforming the original problem into a known problem. If it still cannot be solved, the third stage proceeds to solve it using algorithms such as Talbot. When calculating the solution, the digits are set to 100 to ensure that the error in the numerical results is very small and can be ignored.

4.2. Comparison of Simulation and Numerical Experiments

To verify the effectiveness of the model and formula, we develop a simulator. Table 3 shows the comparison of simulation and numerical results under different oracle node recovery times. We can observe from Table 3 that the simulation results are approximately close to the numerical results, which demonstrates the effectiveness of the proposed model and formula. The error between simulation results and numerical results is caused by the randomness of the simulation experiments.

Table 3. The comparison of simulation and numerical results.

Recovery Time	Availability		MTTF
	Simulation Result	Numerical Result	Simulation Result	Numerical Result
0.3 h	0.99872	0.998351027433575	606.56851856235	605.445170748170
0.4 h	0.99859	0.998350803952405	603.56602322027	605.357511959828
0.5 h	0.99844	0.998350580608567	601.54251087916	605.269934102579

4.3. Sensitivity Analysis

To analyze the impact of system parameters on dependability metrics, we conduct the sensitivity analysis experiment. The scaled sensitivities of availability and the MTTF can be calculated by $\mathrm{S}(M)={\displaystyle \frac{\partial M}{\partial \rho }}({\displaystyle \frac{\rho }{M}})$. Table 4 shows the sensitivities of dependability metrics with respect to system parameters, where ‘--’ indicates that the MTTF is not affected by the corresponding parameter. Table 5 and Table 6 show the specific changes in dependability metrics under different failure times and recovery times, respectively. Availability can reflect the time that the blockchain oracle system is unavailable within a year, which is known as downtime. A decrease in availability of 0.00001 will increase downtime by approximately 5 min, and a decrease in availability of 0.0000001 will increase downtime by approximately 3 s. We can observe from Table 4 that availability and the MTTF are both negatively correlated with the parameters. That is, as failure time increases, the MTTF and availability increase, while as recovery time increases, the MTTF and availability decrease. We can also observe that the key factor affecting the MTTF is the failure time of the threshold oracle, and the key factor affecting availability is the failure time and recovery time of the threshold oracle.

Table 4. The sensitivities of dependability metrics.

Parameter	Sensitivity of MTTF	Sensitivity of Availability
${\alpha }_1$	−0.998911858956048	−0.00164727844825521
${\alpha }_i$	−0.001087009945220	−0.00000203943860168
${\beta }_1$	--	−0.00164908432418301
${\beta }_i$	−0.000506780754578	−0.00000078347609441

Table 5. The dependability metrics under different failure times.

Failure Time	Transient Availability	Steady-State Availability	MTTF
625 h	0.9998477285854	0.99840075337411	624.29889391773
650 h	0.9998535839869	0.99846210044454	649.24235740467
675 h	0.9998590055456	0.99851890853281	674.18295840783
700 h	0.9998640398774	0.99857166468895	699.12132082761
725 h	0.9998687269389	0.99862078646936	724.05690262890

Table 6. The dependability metrics under different recovery times.

Recovery Time	Transient Availability	Steady-State Availability	MTTF
0.3 h	0.999020602478	0.998351027433	605.44517074817
0.4 h	0.999020501367	0.998350803952	605.35751195982
0.5 h	0.999020415433	0.998350580608	605.26993410257

4.4. Impact of the Number of Oracle Nodes on Dependability Metrics

In this section, we conduct dependability assessment experiments under the oracle node numbers of three, four, and five, respectively. Table 7, Table 8 and Table 9 show the availability of the blockchain oracle system under different node numbers. Table 10 and Figure 7 show the MTTF of the blockchain oracle system under different node numbers. These experimental results are attributed to the different conditions under which the blockchain oracle system becomes available across different node numbers. We can observe that as the number of oracle nodes increases, availability increases slightly. This is because the increase in the number of oracle nodes leads to more available system states.

Table 7. The availability of the blockchain oracle system under different node numbers and failure times.

Failure Time	3 Oracle Nodes	4 Oracle Nodes	5 Oracle Nodes
650 h	0.99846210044454	0.99846390027294	0.998463891108986
700 h	0.99857166468895	0.99857346494968	0.998573455783294
750 h	0.99866664181421	0.99866844244974	0.998668433281247

Table 8. The availability of the blockchain oracle system under different node numbers and threshold node recovery times.

Recovery Time of Threshold Time	3 Oracle Nodes	4 Oracle Nodes	5 Oracle Nodes
0.5 h	0.999174777407087	0.999175678586656	0.999175673998355
1 h	0.998350915675816	0.998352715065557	0.998352705904067
1.5 h	0.997528411442698	0.997531106084212	0.997531092364586

Table 9. The availability of the blockchain oracle system under different node numbers and oracle node recovery times.

Recovery Time of Oracle Node	3 Oracle Nodes	4 Oracle Nodes	5 Oracle Nodes
0.3 h	0.998351027433575	0.998352715424455	0.998352706954
0.4 h	0.998350803952405	0.998352714674241	0.998350801577
0.5 h	0.998350580608567	0.998352714248041	0.998350558394

Table 10. The MTTF of the blockchain oracle system under different node numbers and failure times.

Failure Time	3 Oracle Nodes	4 Oracle Nodes	5 Oracle Nodes
650 h	649.242357404679	649.9993995749	649.995515917555
700 h	699.121320827615	699.9992497412	699.994745413766
750 h	748.992453099839	750.0002100998	749.995039097604

Figure 7. The MTTF of the blockchain oracle system under different node numbers and recovery times of the threshold node.

5. Discussion

This paper takes a first step towards quantitatively assessing the dependability of a blockchain oracle system consisting of an arbitrary number of oracle nodes from the point of view of steady-state availability, transient availability, and reliability. However, our approach still has some limitations. Next, we will discuss how to extend our model to address these limitations.

• Our models employs SMP technology, providing a reference for capturing the behaviors of blockchain oracle systems composed of multiple oracle nodes. However, we assume that failure time follows an exponential distribution, which limits the wide applicability of our models. To address this limitation, our models can be extended to models built using the Markov regenerative process, in which non-regenerative states can capture failure behaviors.
• In our model, the state space is represented by multidimensional tuples, which helps capture the heterogeneous behavior of nodes in blockchain oracle systems. The derived formulas can be used to analyze dependability under different numbers of oracle nodes. However, as the variety of components in the system increases, model construction becomes more difficult. Therefore, our models can be extended to hierarchical models, where our models captures fine-grained node behaviors, while RBD captures the relationships between components, effectively enhancing the model’s scalability.
• Our models describe the failure and recovery behaviors of nodes in the blockchain oracle system. However, oracle node failures can be caused by factors such as attacks. Therefore, our models can be extended to describe fine-grained attack behaviors, such as reconnaissance, intrusion, lateral movement, and execution, and to capture recovery behaviors at different attack stages.
• Our dependability assessment model only considers the impact of node failures and recovery on the dependability of blockchain oracle systems. However, network latency and data source reliability also affect system dependability. In the future, we will deploy a real-world platform to capture the impact of network latency and data source reliability on failure time and recovery time, thereby incorporating more accurate parameters into the model for dependability analysis.
• Our research focuses on the theoretical analysis of the dependability of blockchain oracle systems. The gap between theoretical analysis and practical measurements has not yet been assessed. However, considering the difficulty of deploying a practical platform and the time required to conduct experiments, we leave this for future work. It is important to note that our research can complement practical measurement experiments by analyzing the reasons behind the measurement results.

6. Conclusions

This paper analyzes the dependability of the blockchain oracle system composed of an arbitrary number of oracle nodes by constructing SMP-based models. The proposed approach can be used to comprehensively analyze the dependability of the blockchain oracle system from three perspectives: steady-state availability, transient availability, and reliability. Experimental results demonstrate the effectiveness of the proposed model and formulas. In the future, we will explore the development of more fine-grained models to characterize the behaviors of oracle nodes under attack and their defense behaviors, thereby analyzing the security of blockchain oracle systems.