_{1}

^{*}

Crowdsourcing allows people who are endowed with certain skills to accomplish special tasks with incentive. Despite the state-of-art crowdsourcing schemes have guaranteed low overhead and considerable quality, most of them expose task content and user’s attribute information to a centralized server. These servers are vulnerable to single points of failure, the leakage of user’s privacy information, and lacking of transparency. We therefore explored an alternative design for task assignment based on the emerging decentralized blockchain technology. While enabling the advantages of the public blockchain, changing to open operations requires some additional technology and design to preserve the privacy of user’s information. To mitigate this issue, we proposed a secure task assignment scheme, which enables task content preservation and anonymous attribute requirement checking. Specifically, by adopting the cryptographic techniques, the proposed scheme enables task requester to safely place his task in a transparent blockchain. Furthermore, the proposed scheme divides the attribute verification process into public pre-verification and requester verification, so that the requester can check only the identity of the worker, instead of verifying the attributes one by one, thereby preserving the identity of worker while significantly reducing the requester’s calculation burden. Additionally, security analysis demonstrated unrelated entities cannot learn about the task content and identity information from all data uploaded by requester and worker. Performance evaluation showed the low computational overhead of our scheme.

Crowdsourcing is a powerful method, has emerged in the landscape of problem solving, to outsource the work originally done by the designated party to an unknown group of people in an open manner [

All the participants on the process of crowdsourcing can be divided into three types of roles: requester, worker and platform. To be specific, the one that publishing tasks is considered as the requester, and the one that working on those tasks is named as the worker. The middleman between the requester and the worker is the platform, who is responsible for storing the tasks and maintaining the correct execution of the whole process. Many crowdsourcing applications share a similar structure: the requester submits the task content along with the reward to the platform, and then the workers accept the task and submit the solution of this task within the fixed time. After that, the requester confirms the quality of the solution and pays for the pre-declared reward to the worker.

Although these crowdsourcing applications have achieved considerable success, some of the key challenges still need to be addressed. One critical aspect is the lack of a credible guarantee on the quality of the work. Workers who have accepted the work may not have the corresponding skills to provide valuable answers [

Another aspect is data confidentiality. Traditional centralized platforms typically obtain task content in plaintext. The compromise of the platform will result in the disclosure of information of the user. Therefore, most of existing solutions assume that the platform should be honest during the protocol, which is impractical [

The Blockchain is a decentralized and intelligent infrastructure [

To solve the security issues in task assignment process, this paper uses skill credential to restrict the access of task content, which is achieved through Attribute-based Encryption (ABE) [

Correspondingly, the requester should be responsible for his own task. The requester will be given the ability to reveal and verify the identity of the participants in his task. But the true identity of the worker is not needed for the requester. Therefore, the identity shown to the requester will be replaced by an anonymous account approved by the authority. To fulfill the requirements of verification in above way, we design a novel scheme based on the ABE scheme proposed by Lewko and Waters [

Our contributions: In this paper, our main contributions are as follows.

1) A secure attribute-based task assignment scheme is proposed, which can preserve information security on a transparent blockchain. Moreover, everyone can verify the correctness of the process without revealing the identity of the worker.

2) We preserved the privacy of worker with a random anonymous account, so that workers can change their identity at any time, which prevent requester from discovering associations among participants in different tasks.

3) We designed the attribute verification protocol with two aspects: public pre-verification and requester verification. Most verification works are performed by blockchain while only some steps are performed privately by the requester who knows the extra information, which significantly saves the computation cost in the requester’s side. Therefore, the requester can prove the misbehaving of the worker by exposing additional information he knows.

4) We implemented the proof-of-prototype and the experimental results have shown the validation and feasibility of our proposed scheme.

The rest of this paper is organized as follows. Section 2 reviews the related work on task assignment for crowdsourcing system. We present models and goals in Section 3. Next, our scheme detail is presented in Section 4. The privacy discussions and performance evaluation are presented in Sections 5 and 6 respectively, followed by a conclusion in Sections 7.

ABE was first proposed by Sahai and Waters [

These schemes use a centralized approach with only one key distribution center (KDC), so they inherit all the centralized weaknesses such as single point of failure. The multi-authority ABE protocol is proposed and addressed to this problem. In multi-authority ABE, the entire attribute set is divided into N disjoint sets and managed by N authorities. Under this setting, each authority only knows part of user’s attribute, and user is required to get the private key from all KDCs. Based on this model, many attribute-based encryption schemes with multiple authorities have been proposed, but they still rely on a semi-honest central authority [

Many crowdsourcing systems are built in a centralized manner [

In spatial crowdsourcing (SC), the geographic location of workers and requesters is considered private information and should not be known to the platform and unrelated people. Liu et al. [

Li et al. [

Our system model is shown in

Authority: The authority has the right to endorse certain abilities in specific areas and provide qualified workers with keys that correspond to their anonymous accounts and capabilities. Note that each ability is treated as a single attribute. In addition, the authorities act as proposers of the blockchain block, that is, they are responsible for packing the information sent to the contract into blocks and appending them to the existing chain. Other entities can get the chain and verify it.

Smart Contract: The contract receives and stores the task content ciphertext posted by requester and the attribute proofs submitted by the worker. It validates the legitimacy of proof to detect misconduct, thereby ensuring a fair judgment in the dispute between the requester and the worker.

Requester: The requester encrypts the task content according to the attribute requirements of his task and submits the task ciphertext to the contract. When the worker accepts the task and submits the attribute proof, he needs to verify the legality of the worker’s anonymous identity and require the contract to make a judgment when the verification fails.

Worker: The worker creates an anonymous account in advance and obtains the credential keys from the authorities based on his or her attributes. Using these keys, he can decrypt the task ciphertext which satisfies the required policy and submit the appropriate attribute proof when deciding to accept the task.

The authorities are semi-honest which means they follow our proposed scheme in general. We assume authorities are interested in which worker is using the key they distributed to participate in the work, but they will not collude with users or other authorities. Note that our system inherits the weakness of the blockchain. Although the authorities are semi-honest, the blockchain can resist 51% attacks. However, such attacks against blockchain infrastructure are considered out of scope.

The smart contract runs on the blockchain, which guarantees its availability and integrity, but does not include confidentiality. Other entities can directly read its data through the blockchain, but have no ability to tamper it.

The requester also assumed to besemi-honest. His request can only be assigned to a valid worker when the task assignment process is properly executed, so requester will follow the scheme in general. In particular, we assume that he is interested in the identity information of the workers involved in his task.

Workers are untrusted since they are random users. They may collude with other workers to accept a task which they are not allowed to or attempt to accept a task more than one times.

In our scenario, we define the security of worker and requester information as follows:

Task content security: The task content ciphertext should only be decrypted by workers who fully satisfy the task attribute requirements.

Worker identity security: When the worker decides to accept a task, he will upload a proof to the contract. These can be divided into three main cases:

1) Given a proof. No entity can restore worker’s global identity from the proof.

2) Given two workers who have accepted the attribute key distributed by the authority, and a proof constructed by one of them. The authority cannot distinguish which worker constructed the proof.

3) Given two anonymous account and a proof constructed by one of them, other workers who can decrypt the task cannot distinguish which account construct the proof.

Tasks generally involve time-related restrictions such as deadlines. Therefore, the workers should check the consistency of time with the blockchain when accepting tasks. We introduce the epoch to the process of task acceptance. There is a stamp in each epoch. The worker’s request is legal only when the worker uses the stamp of the current epoch in his message.

In the proposed scenario, the consortium chain does not need to propose the block through the proof-of-work, so the block time is stable. Therefore, the duration of each epoch does not have a large deviation.

In this section, the proposed secure attribute-based task assignment scheme will be described in detail. To give a better understanding, the main notations will be listed in

As shown in

Notation | Definition |
---|---|

W i d | Worker’s global identity |

A P K i | The public key of attribute i |

A S K i | The secret key of attribute i |

U P K z | The public key of anonymous account Z |

U S K z | The secret key of anonymous account Z |

W S K i , i d , z | The credential key of attribute i for W i d ’s anonymous account Z |

P K requester | The public key used by the requester when publishing the task |

E n c ( k e y , c o n t e n t ) | A function to encrypt content with a public key encryption, for instance, RSA |

R s e t account | Revoked anonymous account collection |

C T task | Task content ciphertext |

P r o o f task | Proof of attribute for the task |

stamp | The stamp of current blockchain epoch |

authority creates key pair A P K i , A S K i for each of the attribute i managed by him, and publishes the A P K i on the contract. The worker creates his own anonymous account z and requests the authority to distribute the credential key W S K i , i d , z bound to his account. In step 2, the requester encrypts the task content according to the requirement policy, and publishes the task ciphertext C T task on the contract. In step 3, the worker obtains the task ciphertext that satisfies the requirement policy and decrypts it with his secret key U S K z , W S K i , i d , z to learn the task content. In step 4, when the worker intends to accept the task, he can use his secret key to build a proof P r o o f task corresponding to the task and then send it to the contract. In step 5, the contract first verifies the correctness of the proof and then asks the requester to verify whether the proof comes from a legitimate anonymous account. Otherwise, the requester can initiate the challenge by providing additional information and submit it to the contract for final judgment.

The proposed scheme is based on ABE with multiple authorities proposed by Lewko and Waters [

System Initialization In the global settings, select a prime p , groups G 1 and G T of order p , a map e : G 1 × G 1 → G T , and two hash functions H : { 0 , 1 } ∗ → G 1 , F : { 0 , 1 } ∗ → ℤ p the former maps the user’s identity W i d to G 1 and the latter maps a stamp to integers. Also, two random primitives g , u ∈ G 1 are picked. Finally, the public parameter is set as { p , G 1 , G T , e , H , F , g , u } .

Authority Setup For each attribute i managed by the authority, choose two random values a i , y i ∈ ℤ p . Note that the attribute indices i for each authority are distinct, i.e. each attribute corresponds to only one authority. The authority will keep these two values as the secret key to attribute i:

A S K i = { a i , y i } (1)

The public key of the attribute i will be posted on the contract as public knowledge.

A P K i = { e ( g , g ) a i , g y i , g 1 a i , u a i , u y i } (2)

Worker registration Workers can create new anonymous accounts at any time and request the appropriate credential keys from the authority, Workers are not allowed to have multiple qualified anonymous accounts at the same time, so when a worker applies for a new anonymous account through his global identity W i d , since the authority knows the association between the worker’s global identity and the anonymous account, the authority can announce that the worker’s previous anonymous account has been revoked. Because the authorities are semi-honest, the revoke process for anonymous accounts can be done reliably. Authorities are assumed to jointly maintain and disclose a set of revoked accounts R s e t account .

To create an anonymous account, the worker picks a random number z ∈ ℤ p as his secret key of anonymous account U S K z and then sends the corresponding public key U P K z = g z and his identity W i d to the authority. The authority will distribute a key for each attribute i that the worker has

W S K i , i d , z = g a i z H ( W i d ) y i (3)

Task publication According to the attribute requirements of the task, the requester constructs the linear secret-sharing schemes (LSSS) matrix R with ρ mapping its rows to attributes, and then the requester the task content as follows:

1) Selecting two random values s , k ∈ ℤ p and generate an asymmetric key pair, where P K requester is the public key. The task description is combined with k as the message M.

2) Choose a random vector v ∈ ℤ p h with s as its first entry, and a random vector w ∈ ℤ p h with 0 as its first entry, where h is the number of rows in R.

3) For each row R x of R, calculate λ x = R x ⋅ v and ω x = R x ⋅ w , and choose a random value r x ∈ ℤ p .

4) Calculate the following parameters

C 0 = M ⋅ e ( g , g ) s , C 1 = u k , for all x : C x , 1 = e ( g , g ) λ x + a ρ ( x ) r x , C x , 2 = g y ρ ( x ) r x + ω x , C x , 3 = g r x , C x , 4 = u a ρ ( x ) k (4)

Finally, Requester sends the task ciphertext C T task to the contract.

C T task = 〈 R , ρ , C 0 , C 1 , P K requester , { C x , 1 , C x , 2 , C x , 3 , C x , 4 } ∀ x 〉 (5)

The contract checks the correctness of C x , 4 by Equation (6) because C x , 4 will be used in the subsequent proof verification phase. The task will be retained if the check is passed.

e ( C x , 4 , u ) = e ( u a ρ ( x ) k , u ) = e ( u a ρ ( x ) , u k ) = e ( u a ρ ( x ) , C 1 ) (6)

Task decryption The worker obtains the task ciphertext C T task from the contract and decrypts it as follows:

1) Calculate H ( W i d ) with its identity W i d .

2) Choose a subset of rows R x from R such that the worker has the credential key W S K ρ ( x ) , i d , z and constants c x ∈ ℤ N which satisfies ∑ x c x R x = ( 1 , 0 , ⋯ , 0 ) .

3) For each row in R x , compute

T K x = ( C x , 1 ) z ⋅ e ( C x , 2 , H ( W i d ) ) e ( C x , 3 , W S K ρ ( x ) , i d , z ) = e ( g , g ) λ x z + a ρ ( x ) r x z ⋅ e ( g , H ( W i d ) ) y ρ ( x ) r x + ω x e ( g , g ) a ρ ( x ) r x z ⋅ e ( g , H ( W i d ) ) y ρ ( x ) r x = e ( g , g ) λ x z ⋅ e ( g , H ( W i d ) ) ω x (7)

4) Restore the task content using the anonymous account private key U S K z

M = C 0 ( ∏ x ( T K x ) ) 1 U S K z = M ⋅ e ( g , g ) s ( e ( g , g ) s z ) 1 z (8)

Finally, the worker can determine the correctness of his decryption through k in task content M and C 1 in C T task .

Proof publication After learning the content of the task, if the worker decides to accept the task, he needs to construct a proof to prove that his attributes can meet the requirements and he has not accepted this task before. This proof will be published on the contract for verification by other entities.

Proving that the worker can meet the requirements is equivalent to proving that the worker has a unrevoked anonymous account with credential key corresponding to the R x used in the decryption, so the worker constructs the proof as follows:

1) Select a random value d ∈ ℤ p blind H ( W i d ) , in addition, get the latest epoch stamp of the blockchain stamp.

2) For each row in R x , pick a random number t x ∈ ℤ p .

3) Calculate the following parameters

P 0 = H ( W i d ) k ⋅ g d , P 1 = s t a m p , P account = E n c [ P K requester , U P K z ] , for all x : P x , 2 = u t x , P x , 3 = u y ρ ( x ) t x , P x , 4 = ( W S K ρ ( x ) , i d , z ) k ⋅ g z t x + y ρ ( x ) d = g a ρ ( x ) k z + z t x + y ρ ( x ) d H ( W i d ) k y ρ ( x ) , P x , 5 = g z t x + z a ρ ( x ) k , P x , 6 = u 1 t x + F ( s t a m p ) , P x , 7 = E n c ( P K requester , u a ρ ( x ) t x k ) (9)

At last, The worker sends the proof P r o o f task to the contract as a request to accept the task.

P r o o f task = 〈 R x , P 0 . P 1 , P account , { P x , 2 , P x , 3 , P x , 4 , P x , 5 , P x , 6 , P x , 7 } ∀ x 〉 (10)

Proof verification The verification of the proof is divided into two parts: the contract verifies the correctness of all parameters except P x , 5 , P x , 7 , P account , and the requester verifies the correctness of the above three parameters and the legitimacy of the account.

For the contract, it first checks whether P 1 is the stamp of current epoch, and then tests the following equation:

e ( P x , 6 , P x , 2 ⋅ u F ( P 1 ) ) = e ( u 1 t x + F ( s t a m p ) , u t x ⋅ u F ( s t a m p ) ) = e ( u , u ) (11)

If the Equation (11) is true, it demonstrates the worker has knowledge of t x , so P x , 2 is not obtained by the worker based on any A P K , and it does not contain any information about a ρ ( x ) .

e ( u y ρ ( x ) , P x , 2 ) e ( P x , 3 , u ) = e ( u y ρ ( x ) , u t x ) e ( u y ρ ( x ) t x , u ) = 1 (12)

e ( P x , 4 , P x , 2 ) e ( P 0 , P x , 3 ) = e ( g a ρ ( x ) k z + z t x + y ρ ( x ) d H ( W i d ) k y ρ ( x ) , u t x ) e ( H ( W i d ) k ⋅ g d , u y ρ ( x ) t x ) = e ( g , u ) a ρ ( x ) k z t x + z ⋅ e ( g , u ) y ρ ( x ) d t x ⋅ e ( H ( W i d ) , u ) y ρ ( x ) t x k e ( g , u ) y ρ ( x ) d t x ⋅ e ( H ( W i d ) , u ) y ρ ( x ) t x k = e ( g , u ) a ρ ( x ) k z t x + z = e ( g z t x + z a ρ ( x ) k , u a ρ ( x ) k ) = e ( P x , 5 , C x , 4 ) (13)

when Equation (12) and Equation (13) are true, it indicates that if P x , 5 is correctly constructed, then P x , 4 must contains g a ρ ( x ) , which can only be assigned by the authority. This means that the worker does have the corresponding W S K ρ ( x ) , i d , z .

If the public verification succeeds, the next part will be verified by the requester. Since the requester owns the private key corresponding to the P K requester , he can recover the plaintext of the P x , 7 , P account . First the requester checks whether the anonymous account claimed in the P account is not in the revoked account set R s e t account and does not equal any other account that accepts this task, then he checks the following equation:

e ( P x , 7 , u ) e ( P x , 2 , C x , 4 ) = e ( u a ρ ( x ) t x k , u ) e ( u t x , u a ρ ( x ) k ) = 1 (14)

e ( P x , 5 , C x , 4 ) e ( P account , P x , 7 ) ⋅ e ( P account , u ) = e ( g z t x + z a ρ ( x ) k , u a ρ ( x ) k ) e ( g z , u a ρ ( x ) t x k ) ⋅ e ( g z , u ) = 1 (15)

Equation (14) and Equation (15) can prove the correct construction of P x , 5 and its relevance with P account , which means those attributes in the above public verifications does belong to this anonymous account. If the above check fails, the requester can reveal the plaintext of P x , 7 , P account , then the contract can repeat this process to determine which entity is misbehaving. Otherwise, the requester accepts the worker’s participation and the task assignment process ends.

In this section, we will analyze our protocol can preserve the security of worker and requester information.

First we discussed that the task content can only be decrypted by the workers who fully satisfy the access policy, since our scheme is based on ABE with multiple authorities [

Next we discussed that multiple workers cannot collude to access task content that they cannot access individually. Suppose that there is a group of workers, for any combination of attributes that satisfy the access policy, there do not exist worker who has the credential keys corresponding to all attributes in the combination. But there is at least one combination, the credential keys owned by multiple workers can satisfy all the attributes in the combination. However, as shown in Equation (7), the intermediate result T K x calculated using the credential key contains e ( g , H ( W i d ) ) . Since different workers have different W i d , different workers have different T K x for a x. Therefore, when a worker lacks a credential key, it cannot be replaced by another worker’s. This shows that even through collusion, workers cannot decrypt tasks that they cannot decrypt individually.

In our scheme, the credential key W S K i , i d , z is used in the construction of the proof. We analyze an extreme case where an entity knows all the information of a qualified worker except the secret key of the anonymous account U S K z . This scenario is reasonable, because the key is the only secret that the worker will not share with others. In this case, the entity can perform the first three steps of the task decryption process, but in step four, the entity cannot calculate the task content M according to Equation (8) due to the lack of U S K z . So the entity cannot decrypt the task content.

The identity information of the workers is anonymous account U P K z and global identity W i d . So we discuss whether other entities can get information about these two parameters from the worker’s proof. As to W i d , it exists in the form of H ( W i d ) k ⋅ g d in the proof, where g d is a one-time pad and is only known to the worker himself, so worker’s global identity cannot be obtained by any other entity from the proof.

Next we discuss that the authorities and other workers cannot obtain information about the anonymous account from the worker’s proof. The anonymous account information of the worker only exists in P x , 4 and P x , 5 . In P x , 4 , due to the use of different primitives g , u and the decisional diffie-hellman inversion problem (DDHI), g 1 t x cannot be calculated with u t x . So P x , 4 can only perform pairing operation with P x , 2 to remove the g 1 t x and get the value containing e ( g , u ) a ρ ( x ) k t x z . Note that the authority does not collude with other entities and cannot decrypt the task, so it does not know the value of k. Although authority knows the secret key of attribute a i , based on the decisional bilinear diffie-hellman problem (DBDH), the authority cannot distinguish e ( g , u ) a ρ ( x ) k t x z from a random value with the knowledge of u t x , u k , g z . Similarly, as to other workers, although they can decrypt the task content to know the value of k, but they do not know the secret key of the attribute. So they cannot distinguish e ( g , u ) a ρ ( x ) k t x z from a random value with the knowledge of u t x , u a ρ ( x ) , g z .

In P x , 5 , based on the DDHI problem, g 1 k cannot be calculated by authorities. So authority can only perform pairing operation with C x , 4 to remove the g 1 k and get the value containing e ( g , u ) a ρ ( x ) k t x z , then fall into the same case as P x , 4 above. For other workers, P x , 5 can be viewed as g z ⋅ ( t x + 1 a ρ ( x ) k ) . If they want to distinguish which anonymous account g z is used in P x , 5 with the paring operation, he needs to know the value g t x + 1 a ρ ( x ) k or u t x + 1 a ρ ( x ) k . However, neither of these values can be calculated using u t x , g 1 a ρ ( x ) , k . In addition, P x , 5 only has a meaningful pairing operation with C x , 4 , but the result will become the same case as P x , 4 described above.

In this section, we used computational cost as a metric to analyze the performance of our scheme. We used the JPBC library [

In our scheme, the requester’s calculation was mainly divided into two parts: task publication and proof verification (partial). In

The computational overhead of workers was also divided into two parts: task decryption and proof publication. In

In

blockchain and the requester in the verification work, y-axis is the calculation time and the x-axis is the amount of attribute used in the proof. It can be seen that the overhead of the verification work increases linearly according to the number of attributes, and the proportion of both remains constant at around 5:3. That is to say, although we had shifted more than half of the burden to the blockchain verifier and greatly reduced the computing time on the requester, the ratio is not large enough for the requester to easily deal with its work.

Next, we described the overhead of the authority to distribute the new key to the worker in

In

Finally, we discussed the effect of the size of the task content on calculation overhead in

In this paper, we proposed a secure attribute-based task assignment scheme which can preserve information security on a transparent blockchain. First of all, the proposed scheme preserves the privacy of requesters and workers through anonymous accounts and attribute-based encryption. Second, the proposed scheme is compatible to blockchain, so as to get rid of the weakness from centralization and provide transparency. In addition, we divided the verification process into public pre-verification and requester verification, the computing burden of the requester can be greatly reduced. Finally, we analyzed the privacy and performance of the proposed protocol to show the satisfied features in both security and efficiency. In the future work, we will consider the attribute value as part of the requester’s privacy for better security requirement and make a further improvement on the performance of the task assignment scheme.

The author declares no conflicts of interest regarding the publication of this paper.

Liang, T.Q. (2020) Enabling Privacy Preservation and Decentralization for Attribute-Based Task Assignment in Crowdsourcing. Journal of Computer and Communications, 8, 81-100. https://doi.org/10.4236/jcc.2020.84007