A Privacy-Enabled, Blockchain-Based Smart Marketplace

Abstract

Advancements in sensor-enabled devices led to the emergence of resource trading models for smart communities, such as the smart marketplace (SMP). Most of the proposed SMP architectures are based on blockchain technology, which has a public ledger to achieve transparency. Consequently, safeguarding the participant’s anonymity, untraceability, and transactional data privacy during trading becomes a challenging task. Most of the existing solutions to achieve anonymity are based on multiple account mapping, which is prone to identity-based attacks, and cryptographic techniques are used to achieve transactional data privacy, which often has a high computational overhead. In this work, we propose a lightweight privacy-enabled message exchange mechanism to accomplish our privacy goals in a blockchain-based SMP. Evaluation of the scheme was conducted to measure its resilience toward safeguarding participants’ anonymity, untraceability, and transactional data privacy during trading cycles. Statistical game theory-based security analysis and simulation based performance analysis of the proposed scheme showed that it achieved the desired privacy goals with a low computational overhead compared with existing state-of-the-art schemes.

1. Introduction

Increasing demand for resources in smart communities has prompted researchers to develop resource trading solutions in the form of the SMP [1,2]. The SMP is the result of advancements in network innovation, using sensor-enabled devices in smart homes to facilitate trade and the exchange of resources such as water, internet bandwidth and energy among the participants of a smart community. Most of the recently proposed SMP architectures are based on blockchain technology [3,4]. The blockchain is based on a public ledger and communication transparency between participants, which allow any participant to access information regarding transaction history, events and actions taking place in the SMP. Due to this very feature of the blockchain, ensuring privacy preservation of the participants becomes a challenging task, as participants may suffer from disclosure of confidential information, such as a participant’s identity and details of the executed transactions [5].

Privacy parameters with respect to the participant are classified into two categories: (1) preservation of the participant’s anonymity and untraceability, making the participant’s identity unknown and untraceable, and (2) preservation of transactional data by hiding the transaction details of the participant [3,4,5]. Various techniques have been proposed to achieve these privacy parameters in an SMP that includes the use of multiple accounts and a Merkle tree [6,7] to achieve anonymity and untraceability for the participants. Cryptographic approaches such as the Elliptic Curve Digital Signatures Algorithm (ECDSA) and elliptic curve cryptography (ECC) have been used to provide transactional data privacy [5,6,8]. The Bitmessage [9] method of decentralized peer-to-peer (P2P) message authentication and delivery based on the proof-of-work (PoW) consensus algorithm was adopted by many approaches, such as those in [6,10], to provide anonymity in a trustless network by broadcasting encrypted messages in messaging streams.

With respect to the use of the above approaches to accomplish the desired privacy parameters in a blockchain-based SMP, the following issues and limitations have been identified:

• The use of multiple accounts and Merkle trees, as in [6,7], is not very successful against blockchain analysis and other similar techniques [1,2,11]. Thus, they can be used to link multiple accounts of a participant to infer the participant’s identity. On the other hand, the implementation of a Merkle tree in a blockchain-based network, such as the Ethereum network, may inevitably require a large-scale computing resource [12].
• Cryptographic approaches, such as the ECDSA and ECC [5,6,8], utilizes time-consuming procedures, such as bilinear pairings [13,14]. The process may lead to high computational and storage overheads, thus posing practical problems due to the resource constraint nature of the smart gateway in smart homes [15,16,17].
• Instead of using an encryption method that often makes the content of the encrypted blocks mutually dependent, Bitmessage encrypts each block individually. Through this, the adversary will be able to rearrange the message blocks in such a way that the recipient can interpret it as a legitimate message [18]. With this, the adversary can infer the transactional data stored in the blocks as well as identify the participants involved in the transactions.

The situation is further aggravated when one takes into account the type of trading mechanism used in the SMP. The trading approaches may allow a participant to have only a single (one-to-one) or multiple (one-to-many) simultaneous transactions. The objective of this work is to ensure the anonymity and untraceability of the participant and provide transactional data privacy under a one-to-many trading model. To achieve these goals, a novel lightweight scheme is presented that utilizes a pair of public/private IDs with anonymous messaging streams. Security analysis and experimental evaluation of the proposed solution is performed to evaluate and compare it against existing state-of-the-art schemes.

Contributions: The following are the contributions of this paper:

• A protocol is presented to ensure the participant’s anonymity and untraceability during one-to-many trading in the SMP, using public/private pairs of communicating sessional IDs.
• A protocol is also presented to ensure privacy preservation of the transactional data of the participants during one-to-many trading in the SMP at a reduced computational overhead.
• Our results show that the proposed system is more resilient against identity-based attacks such as blockchain analysis attacks and achieves a lower probability of success of the adversary compared with that in [6,7] with a reduced computational overhead.

Organization of the Paper: The rest of this paper is organized as follows. Section 2 provides an overview of the related work. In Section 3, we present the system model. Section 4 describes the proposed security protocol. Section 5 discusses the security analysis. Section 6 explains the experimental analysis and results, and Section 7 presents the conclusions.

2. Related Work

Recently the use of the blockchain for the development of P2P resource trading models in SMPs has attracted huge attention [1]. Several approaches, such as those in [19,20,21,22,23,24,25,26,27,28,29], were proposed to realize participants’ anonymity and transactional data privacy in SMPs. An account mapping technique was used in [21] to prevent attackers from directly accessing transactional data. In this method, the characteristics of both active and inactive users’ accounts can be effectively obscured by creating multiple accounts. Similarly, in [22], it was proposed to protect the privacy of participants by dividing them into various groups. Then, a miner is chosen among the group members to collect data from the group and add them into the community’s private blockchain. This process protects the participant’s data from leaking to other participants in the network. However, recent works [1,2,11] have shown that, using a detailed analysis process [11], multiple public addresses and accounts can be connected to infer and expose the identity of the participants in blockchain-based networks. One such method is known as blockchain analysis, where transactions, addresses and entity graphs are used to expose the true identites of blockchain users [1].

Some techniques [6,8,30] use elliptic curve-based security mechanisms, such as ECC and the ECDSA, to preserve the privacy of participants and enable them to anonymously trade with each other. These schemes protect participants against attacks such as address reuse, Sybil, inferential and collusive attacks. However, the techniques presented in [6,8] can be subjected to 51 percent attacks, high latency due to a long block generation time and other mining issues. In another approach [7], a participant, such as a resource buyer, uses digital currencies to generate multiple accounts and preserve the mapping information to avoid tracking. It also involves the use of a Merkle tree [12] to create a large pool of key pairs and achieve high anonymity. However, this approach may be prone to a blockchain analysis attack, and the implementation of Merkle trees in a blockchain-based network, such as the Ethereum network, can be computationally costly, which can slow down the execution of trading transactions. Therefore, there is a need to come up with a more scalable solution that will provide user anonymity, untraceability and transactional data privacy in the resource trading environment of SMPs.

Table 1. A Summary of the blockchain-based approaches.

Technique	Objectives	Attacks Model	Analysis
ECC, ECDSA and multi-address [6,8,30]	To protect identity and privacy of participants	Inferential attack, identity and data transaction disclosure	Provides participants anonymity and data privacy. Prone to Sybil attack, high computational overhead and blockchain analysis.
Merkle tree and multi-account [7]	To preserve participants’ anonymity and untraceability	Inferential attack, identity and data transaction disclosure	Provides participants anonymity and untraceability. Prone to Sybil and blockchain analysis attacks, account or address reuse and high computational overhead.
Multi-account or address [19,20]	To achieve participants’ anonymity and transaction privacy	Inferential attack, identity linking attacks and double spending	Provides trading transaction monitoring and participant privacy. Prone to blockchain analysis and Sybil attacks.
Multi-account mapping technique [21]	To achieve transactional data privacy	Inferential attack and identity and data transaction disclosure	Provides participants anonymity. Prone to account or address reuse and blockchain analysis.
Multi-account grouping [22]	To protect the privacy of participants	Identity linking attacks and address reuse	Provides participants privacy. Prone to Sybil and double spending attack and blockchain analysis.

summarizes some of the most recent and relevant research conducted in this domain.

3. System Model

This section discusses our system models, including the network model and trading model. Moreover, it presents the security requirements and the threat model.

3.1. Network Model

The SMP has a temper-proof smart gateway, referred to here as the Smart Market Gateway (SmGW), that is connected with several participating smart homes within the smart community through their respective temper-proof sensor-enabled smart gateways. Each smart home gateway in the SMP is presumed to be registered and authenticated as a trusted member via the SmGW. A smart home in the SMP can take part in resource trading either as a resource provider (ProGW), resource requester (ReqGW) or both, as depicted in Figure 1. The system is based on private Ethereum blockchain technology accessible by the connected smart gateways, which are presumed to be computationally capable. Thus, it is assumed that all SMP participants have direct access to Ethereum smart contracts through the network, and each participant uses separate Ethereum accounts (EAs) to participate in the SMP. As a result, they can be identified by their Ethereum addresses (public keys) in the network. In addition, all participants have direct access to the public ledger of the blockchain, where all transactions are recorded and can be retrieved.

3.2. Trading Model

In Figure 1, three entities are involved in each transaction: the requester gateway (ReqGW), provider gateway (ProGW) and Smart Market Gateway (SmGW). $ProG{W}_j$, being the resource supplier (seller), first feeds the amount of the resource (e.g., energy) it is willing to sell out to the $SMP$ resource chamber, such as the smart grid (energy grid), via a transmission channel.  $ProG{W}_j$ then broadcasts the offerings anonymously to the blockchain auction board, also including the price, volume (amount), unit and type of the resource to be sold. $ReqG{W}_i$, being the potential resource requester (buyer), receives the copy of $ProG{W}_j$’s broadcasted message. If $ReqG{W}_i$ selects $ProG{W}_j$ as the potential supplier, then it sends a trading negotiation message to the respective $ProG{W}_j$ to initiate the trading negotiation process. After the successful negotiation, $ReqG{W}_i$ releases the agreed price, and the resource is released by $ProG{W}_j$, thereby completing the trading activity.

3.3. Privacy Requirements

In the context of the presented network and trading model, it is desired that the following two requirements regarding a participant’s privacy should be accomplished:

• Participant’s anonymity and untraceability: Protect the identities of participants and make them untraceable in the SMP. Their identities should be protected from identity-related attacks, such as address reuse, Sybil and blockchain analysis attacks during trading in the SMP.
• Transactional data privacy: Ensure protection against transactional data privacy attacks, such as inferential attacks and data leakage.

3.4. Threat Model

In this work, we consider the following features for the adversary $\mathcal{A}$:

• The adversary $\mathcal{A}$ has the ability to influence the means of communication of the SMP and to intercept all messages transmitted between the smart gateways.
• The adversary $\mathcal{A}$ has the ability to capture all of the session IDs in the SMP.
• $\mathcal{A}$ has the ability to launch identity-related attacks and transactional data privacy attacks.
• It was assumed that the smart gateways are temper-proof and therefore cannot be compromised.
• We assumed that the adversary cannot compromise the blockchain.

4. Anonymity, Untraceability and Transactional Data Privacy (AUT) Protocol

A secure protocol to achieve a participant’s anonymity, untraceability and transactional data privacy in the SMP is presented in this section. Note that the anonymity, untraceability and transactional data privacy solutions in this work were provided during trading activities between participants. Thus, the protocol ensured the desired privacy parameters independent of the type of trading model (one-to-one or one-to-many) used in the SMP. In order to establish trusted message streams among the participants, a lightweight Bitmessage (L-Bitmessage) technique was adopted. This technique uses cryptographic proof-of-authority (PoA) and the sped up Rivest–Shamir–Adleman (RSA) cryptosystem along with a Chinese reminder theorem (CRT) for the encryption or decryption processes. The RSA cryptosystem is a commonly used public key cryptosystem for secure data transfers [31,32]. Additionally, it is one of the oldest. The proposed protocol is presented in Algorithm 1, and the workflow is depicted in Figure 2. Similarly,

Table 2. Notations.

Symbols	Definitions
$AC{M}_{track}$	Actual ID correlation matrix
$\mathcal{A}$	Adversary or attacker
${\mathcal{A}}^{\tau }$	Attacker who reacts to all game difficulties with statistical inferences
$\mathcal{C}$	A challenger who knows the correct assignment of addresses (public keys) to blockchain users
$\delta$	An arbitrary bit chosen by $\mathcal{C}$
$E_{track}$	Consists of extra information which can be extracted from the SMP by $\mathcal{A}$
$Succes{s}_{\mathcal{A}}$	Extra success recorded by $\mathcal{A}$ against ${\mathcal{A}}^{\tau }$
$Failur{e}_{\mathcal{A}}$	Extra failure recorded by $\mathcal{A}$ against ${\mathcal{A}}^{\tau }$
$n_p$	Number of participants in SMP
$n_T$	Number of transactions which occurred during time frame $\Delta$,
$\mathcal{P}$	Participant in the SMP
$\Delta$,	Period of time for SMP trading
e/d	Public or private IDs
$\{{\alpha }_0,{\alpha }_1,...{\alpha }_n\}$	Set of IDs in the SMP
$Su{c}_{\mathcal{A}}$	Success of $\mathcal{A}$ in the game
$\rho$	The amount of running time of the attacker $\mathcal{A}$
$\gamma$	The fraction of IDs that cannot be correlated with other IDs
${\omega }_i$	The request message

provides a brief description of the important notations used in this work.

During the first stage in Figure 2, both $ProG{W}_j$ and $ReqG{W}_i$ create new pairs of session IDs $({MSID}_{{ProGW}_{Pub}},MSI{D}_{{ProGW}_{Prv}})$ and $({MSID}_{{ReqGW}_{Pub}},MSI{D}_{{ReqGW}_{Prv}})$, respectively, from their original pairs of public and private keys at the beginning of each trading activity in the system. The IDs are used to represent $ProG{W}_j$ and $ReqG{W}_i$ during trading activities. The IDs are sessional, and therefore, they are discarded after one complete trading transaction session. Both the $ProGW$ and $ReqGW$ public pair session IDs are generally chosen to be of relatively small prime values and of low hamming weights to ensure speeding up of the encryption process with a negligible computing overhead. Thus, $ProG{W}_j$ and $ReqG{W}_i$ remain anonymous under the pseudonyms of ${MSID}_{{ProGw}_{Pub}}$ and ${MSID}_{{ReqGw}_{Pub}}$, respectively, as well as untraceable without revealing their true identities (public keys). As depicted from line 1 to 13 of Algorithm 1, $ProG{W}_j$ sends a transaction ($T_{Broadcast}$) to broadcast its bids anonymously in the auction board as in Equation (1), which also includes $ProG{W}_j$’s public ID $\left({MSID}_{{ProGw}_{Pub}}\right)$, the block timestamp and the nonce:

$$\begin{array}{c}\hfill T_{Broadcast}={MSID}_{{ProGw}_{Pub}}\Vert Type\Vert Volume\Vert \\ \hfill Price\Vert Timestamp\Vert Nonce\Vert Unit\end{array}$$

(1)

In the second stage of Figure 2 and from line 14 to 18 in Algorithm 1, $ReqG{W}_i$ selects $ProG{W}_j$’s ID as the potential supplier and then encrypts a negotiation message using the chosen public ID of the potential $ProG{W}_j$ before broadcasting it anonymously in the blockchain network. This is achieved by encrypting the message with $ProG{W}_j$’s ID (${MSID}_{{ProGw}_{Pub}}$) as follows:

$${MSID}_{{ProGW}_{Pub}}({MSID}_{{ReqGW}_{Pub}},{\omega }_i,T_i)={\varphi }_i$$

(2)

where ${\omega }_i$ is the request message, $T_i$ is the block timestamp and ${MSID}_{{ReqGW}_{Pub}}$ is $ReqG{W}_i$’s public ID. $ReqG{W}_i$’s identity remains anonymous behind a pseudonym ${MSID}_{{ReqGW}_{Pub}}$. However, its important to note that each time a message is broadcasted in the system, a validating authority (node) validates the message and adds it to the blockchain based on the proof-of-authority (PoA) consensus algorithm. With this, the encrypted message is published in the blockchain network, where all participant nodes will receive a copy of the package. In the third stage of Figure 2 and line 20 in Algorithm 1, only $ProG{W}_j$, which has the right private ID, will be able to decrypt the message:

$${MSID}_{{ProGw}_{Prv}}\left({\varphi }_i\right)={\omega }_i,T_i,{MSID}_{{ReqGw}_{Pub}}$$

(3)

Algorithm 1: Proposed anonymity and transactional data privacy protection protocol.

In the fourth through sixth stage of Figure 2 and from line 21 to 37 of Algorithm 1, acknowledgement reply and payment messages are encrypted and decrypted accordingly to ensure speedy transmission of transactional messages in a secure and private manner at both sides of $ProG{W}_j$ and $ReqG{W}_i$ with a relatively low overhead until the trading activities are concluded. A new trading activity begins again with both $ProG{W}_j$ and $ReqG{W}_i$, creating new IDs from their public and private keys as depicted in stage one-B in Figure 2, which marks the beginning of the next trading session.

5. Security Analysis

Motivated by [32], blockchain-based game theory has been developed, comprising an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$ in order to evaluate participant $\mathcal{P}$’s anonymity and untraceability. It is assumed that $\mathcal{C}$ knows the assigned addresses (public keys) of the blockchain users. The adversary $\mathcal{A}$ chooses an ID ${\alpha }_0$ from the set of public pairs of the session IDs that were used in the SMP within a given time frame $\Delta$, for which the adversary has no prior knowledge (conveyed in ${\rho }_{\mathcal{A}}$), and submits it to $\mathcal{C}$. Then, $\mathcal{C}$ chooses an arbitrary bit $\delta$ evenly. If $\delta =1$, then $\mathcal{C}$ selects another ID ${\alpha }_1$ arbitrarily from the SMP, where ${\alpha }_0$ and ${\alpha }_1$ belong to the same participant; otherwise, $\mathcal{C}$ arbitrarily chooses ${\alpha }_1$ so that the two IDs belong to different participants. $\mathcal{C}$ directs $\{{\alpha }_0,{\alpha }_1\}$ to $\mathcal{A}$, which replies with his or her estimate ${\delta }^{{}^{\prime }}$ for whether the two IDs are owned by the same participant. $\mathcal{A}$ wins the game if he or she responds appropriately (i.e., $\delta ={\delta }^{{}^{\prime }}$).

5.1. Anonymity and Untraceability

Proposition 1.

The system achieves (preserves) $\mathcal{P}$’s anonymity and untraceability if for an adversary $\mathcal{A}$ and $\forall \{{\alpha }_0,{\alpha }_1\}$, in a probabilistic polynomial time, $\mathcal{A}$ has only at most an insignificant advantage over ${\mathcal{A}}^{\tau }$ to win; that is, this is true if

$$\begin{array}{c}\hfill Prob[{\delta }^{{}^{\prime }}\leftarrow \mathcal{A}(SMP,{\rho }_{\mathcal{A}},{\alpha }_0,{\alpha }_1):\delta ={\delta }^{{}^{\prime }}]-\\ \hfill Prob[{\delta }^{{}^{\prime }}\leftarrow {\mathcal{A}}^{\tau }({\rho }_{\mathcal{A}},{\alpha }_0,{\alpha }_1):\delta ={\delta }^{{}^{\prime }}]\le \epsilon ,\end{array}$$

(4)

where ${\mathcal{A}}^{\tau }$ is an adversary that reacts to all game difficulties with statistical inferences and ε is the difference in probabilities for the adversary $\mathcal{A}$, which is insignificant with respect to the security parameter ρ.

Proof. 

The proposed approach leverages the E-Bitmessage process during the course of communication in the SMP. Thus, the pair of session IDs is changed every time a session starts, therefore being used once and discarded. Hence, this makes it to almost impossible for $\mathcal{A}$ to reply with a correct estimate ${\delta }^{{}^{\prime }}$. As a result, $\mathcal{A}$ has no or a less significant advantage over ${\mathcal{A}}^{\tau }$ to win the game. Thus, changing the session IDs for each connection improves the security in terms of perfect forward secrecy [10]. This implies that even if the private pair of the session IDs gets stolen by any means, such as correlation of the public pair of the session IDs in the SMP, not only are past communications still secure, but all following communications will also be secure. This feature strengthens and ensures transactional data privacy in the system.

All pairs of IDs only last for one trading session. However, encryption always needs the public key of the recipient, as well as decryption always needing the decryptor’s private key. Unlike the public/private pairs of the session IDs, the original private/public key pairs are never dropped. Thus, even if the adversary is able to obtain one single ID out of the communication, it will neither be able to read messages from the past nor upcoming messages at a probabilistic polynomial time. □

Theorem 1.

If anonymity and untraceability are achieved (preserved) for a given participant $\mathcal{P}$, then it is presumed that the adversary $\mathcal{A}$ cannot be able to launch any identity-related attacks.

Proof. 

$\left(Bycontradiction\right)$ Assuming that $\mathcal{A}$ is able to launch any of the aforementioned attacks even when the participants are anonymous and untraceable, this implies that for all adversaries $\mathcal{A}$ and $\forall \left\{{\alpha }_0\right\}$, $\mathcal{A}$ has a significant advantage over ${\mathcal{A}}^{\tau }$ to win the game at a probabilistic polynomial time, even though the system has satisfied transactional data privacy, anonymity and untraceability for the participant $\mathcal{P}$. This statement contradicts Proposition 1. Hence, Theorem 1 holds. □

Theorem 2.

The participants’ anonymity and untraceability offered by the proposed blockchain-based approach can be realized by measuring the degree to which the public pair of session IDs in the SMP can be linked to a particular address (public key) of a given participant.

Proof. 

This can be achieved by computing the estimate of $\mathcal{A}$ using an $n_{A}X{n}_A$ matrix and $E_{track}$, where $E_{track}[i,j]=\left\{{Prob}_{i,j}\right\},i,j\in [1,n_{\mathcal{A}}]$. Then, the attacker $\mathcal{A}$ calculates the probability ${Prob}_{i,j}$ for which, in every ID ${\alpha }_i$, a given ${\alpha }_i$ belongs to the same participant as every ${\alpha }_i$ in the SMP. However, $E_{track}$ also consists of extra information that can be extracted from the SMP by $\mathcal{A}$. This can be accomplished by means of statistical analysis or any other processes. Furthermore, the success of $\mathcal{A}$ in the game can be computed as follows.

Given the actual ID correlation matrix $AC{M}_{track}$, then $AC{M}_{track}=1$ if ${\alpha }_i$ and ${\alpha }_j$ are of the same participant; otherwise, $AC{M}_{track}=0$, $\forall i,j\in [1,n_{\mathcal{A}}]$. Moreover, for each ${\alpha }_i$, the error in $\mathcal{A}$’s estimate can be calculated by taking the distance of $E_{track}[i,*]$ from the actual ID correlation of ${\alpha }_i$ with other IDs in the SMP:

$$\Vert E_{track}[i,*]-AC{M}_{track}[i,*]\Vert ,$$

(5)

where $\Vert .\Vert$ implies the L1 rule of the corresponding row matrix.

Therefore, the success of $\mathcal{A}$ in the game $Su{c}_{\mathcal{A}}$ can be computed via $\mathcal{A}$’s maximum error:

$$ma{x}_{\forall {\alpha }_i\in {\rho }_{\mathcal{A}}}(\Vert E_{track}[i,*]-AC{M}_{track}[i,*]\Vert ).$$

(6)

Equally, the estimate of ${\mathcal{A}}^{\tau }$ for all possible pairs of IDs can be represented in the game by the $n_{\mathcal{A}}X{n}_{\mathcal{A}}$ matrix $E_{track}^{\tau }$, given as

$$E^{\tau }[i,j]={\vartheta }_{i,j}.$$

(7)

If ${\alpha }_0,{\alpha }_1\in {\rho }_{\mathcal{A}}$, then

$$E_{track}^{\tau }[i,j]=\gamma +(1-\gamma )1/2.$$

(8)

where ${\vartheta }_{i,j}$ denotes the probability that IDs ${\alpha }_0$ and ${\alpha }_1$ imply the same participant given ${\rho }_{\mathcal{A}}$, while $\gamma$ denotes the fraction of IDs that cannot be correlated with other IDs. However, the probability of other IDs not included in ${\rho }_{\mathcal{A}}$ is given as $1/2(1+\gamma )$, which is the probability that one of the following occurs:

1.

${\alpha }_0$ is the only ID of its owner;

2.

${\mathcal{A}}^{\tau }$ was not successful in guessing $\delta$.

Thus, with this, the degree of achievement of $\mathcal{P}$’s anonymity and untraceability features can be measured by evaluating the extra success recorded by $\mathcal{A}$ in the SMP compared with that of ${\mathcal{A}}^{\tau }$. This success is computed as

$$Succes{s}_{\mathcal{A}}=(Su{c}_{\mathcal{A}}-Su{c}_{{\mathcal{A}}^{\tau }}/Su{c}_{{\mathcal{A}}^{\tau }}).$$

(9)

while failure is computed as

$$Failur{e}_{\mathcal{A}}=1-(Su{c}_{\mathcal{A}}-Su{c}_{{\mathcal{A}}^{\tau }}/Su{c}_{{\mathcal{A}}^{\tau }}).$$

(10)

□

5.2. Transactional Data Privacy

To achieve faster encryption and decryption processes for transactional data privacy, RSA cryptosystem speedup techniques [33] were used. The decryption process is achieved using the Chinese remainder theorem (CRT), while the encryption process is achieved by choosing a very small value for the public ID. The objective is to provide a fast, secure and lighter cryptographic approach to the IoT-based resource-constraining devices for their transactional data privacy:

Proposition 2.

A secure encryption process can be accomplished with a relatively low prime value for a public ID e while at the same time achieving absolute speeding up of the entire process for data transactions.

Remark 1.

The use of such public IDs, particularly those with a number of ones in binary representation (low hamming weight) such as $e=3$, $e=17$ and $e=2^{16}+1$, can result in a low number of exponentiation operations, thus speeding up the encryption process [33].

Proof. 

For a given encryption or decryption process, the RSA bit length of the modulus n is given as $t+1$ (i.e., $\left[{log}_{2}n\right]=t+1$), where t is some integers. Therefore, the private ID d does not have its complete bit length of $t+1$ yet, even with small value for e. As a result, the RSA cryptosystem is still secure with these short public keys, as described in Proposition 2. □

Proposition 3.

A secure decryption speeding up process with a factor of four can be achieved using the CRT technique.

Remark 2.

In CRT exponentiation, all associated values (i.e., $d_p,d_q,x_p$ and $x_q$) are bounded by p and q and also have a bit length almost equal to $t/2$ bits, where p and q are prime figures, x is the base element and d is the decryption exponent. If the square-and-multiply method is used to compute two exponentiations, then each requires an average of $1.5t/2$ modular multiplications and squarings. In total, the number of modular multiplications and squarings is given as [33]

$$SQ+MULT=2\times 1.5t/2=1.5t.$$

(11)

Proof. 

The CRT version of decryption requires both primes p and q as well as the decryption exponent d, so this may seem to be an extra source of insecurity. Nevertheless, factoring in the modulus n may be easy if the decryption exponent d is given, and therefore no security is lost while using this technique.

From Equation (11), we can observe that the computational complexity is the same with regular exponentiation without the CRT. Nevertheless, all the values associated with the process have $t/2$ bits, which contrasts with operation without the CRT, where t bit variables are computed for each multiplication. In a nutshell, it can be observed that the complexity of the multiplication increases quadratically with the increase in the bit length. As a result, each $t/2$ bit multiplication is four times faster than a t bit multiplication. □

6. Experimental Analysis and Results

In this section we have selected the benchmark models of Aitzhan et al. [6] and Dorri et al. [7] based on contextual resemblance and the state of the art, while the model from Folha et al. [30] was based on similitude and recency to our proposed model.

The efficiency of our proposed approach was compared with that of the benchmark models in terms of the success of $\mathcal{A}$ in discovering the participant’s anonymity and untraceability in the SMP. All of these studies provided blockchain-based solutions in which interactions were based on transactions. These experiments were executed on the Ethereum blockchain, where all interactions are handled as transactions which can be quantified in terms of Ethereum gas per unit transaction.

Similarly, the efficacy of the chosen speeding up RSA cryptographic process at providing transactional data privacy was examined and compared to that of the standard RSA cryptographic process.

6.1. Experimental Set-Up

The experimental environment was built using the Solidity language. All the participants’ smart gateways were defined during our implementation as mappings from the Ethereum addresses of the participating smart homes. In addition, the Ethereum address of the SmGW was also initialized. Twenty different authorized participants and their trading transactions were considered in the SMP to measure the success of $\mathcal{A}$ in the game against ${\mathcal{A}}^{\tau }$. Furthermore, we evaluated the success of $\mathcal{A}$ in recovering the public IDs of the participants in the proposed approach and the other base approaches in [6,7,30]. We also analyzed the trading transaction messages to investigate the effectiveness of the proposed approach at achieving transactional data privacy. The messages were encrypted and decrypted using both the traditional RSA and the sped up RSA, each of which was enabled in the approach for separate scenarios.

Across our tests, we replicated a simulation scenario to consider both the limited information and no information situations. In the limited information situation, we assumed that $\mathcal{A}$ was aware of the position or delivery of all SMP participants and, as such, could determine if a transaction was rendered in return for traded resources. In this scenario, we had both the IDs of the provider and requester in the prior knowledge of $\mathcal{A}$ while processing $Succes{s}_{\mathcal{A}}$. In the no information situation, we assumed a situation where $\mathcal{A}$ did not know the position or operation of all participants and, as such, did not have any previous information but believed that some trading transactions took place between some participants in the network.

6.2. Evaluating the Success of $\mathcal{A}$ at Discovering Participant’s Anonymity and Untraceability in the SMP

We analyzed the metrics $Succes{s}_{\mathcal{A}}$ for the benchmark approaches [6,7,30] to check for the performance of $\mathcal{A}$ in exposing the participant’s session ID with respect to our E-Bitmessage-based approach. The results in Figure 3 show that the probability of $\mathcal{A}$’s failure in our approach was more pronounced compared with that in [6,7,30]. This shows that the degree of achievement of $\mathcal{P}$’s anonymity and untraceability could be observed with high probability (0.848 on average) in our approach. Hence, the results confirm the claim made in Proposition 1 and Theorem 1.

Furthermore, it can be observed that there was no definite trend in Figure 3 with respect to the increasing number of participants. This was due to the fact that the system at a given time instance $\Delta$ was composed of multiple participants, each carrying a different number of trading transactions with a different number of parties (trading activities). Thus, the computational complexities applied to each participant during the trading activities depends on the number of activities carried out by that participant at the given time instance. For instance, participant 9, which had fewer trading activities (having two trading sessions) at given time instance $\Delta$, would have a lower computational overhead as well as the lowest probability of $\mathcal{A}$’s success compared with participant 16 with the most trading activities (having eight trading sessions) at a given time instance $\Delta$. In a nutshell, the findings show that the fewer trading activities a participant $\mathcal{P}$ has, the lower the computational complexity applied to it, and the lower the probability of $\mathcal{A}$’s success is with it.

To have a better understanding of the trend in the results, they are further summarized in

Table 3. Results for $\mathcal{A}$’s success per group of participants in the system.

Groups of Participants	1–5	6–10	11–15	16–20
AUT-Protocol	0.12 ± 0.01	0.13 ± 0.01	0.19 ± 0.01	0.17 ± 0.02
Aitzhan et al. [6]	0.76 ± 0.01	0.72 ± 0.02	0.81 ± 0.01	0.73 ± 0.02
Dorri et al. [7]	0.67 ± 0.01	0.68 ± 0.02	0.66 ± 0.01	0.71 ± 0.02
Folha et al. [30]	0.52 ± 0.01	0.51 ± 0.02	0.56 ± 0.01	0.53 ± 0.02

, which is based on the sample of 20 participants categorized in an increasing order of five groups. The table shows that $\mathcal{A}$ had a negligible effect on the participants when using our approach, with an average efficiency of around 15% in terms of linking IDs to their correct owners. Similarly, it can be seen that the adversary exceeded ${\mathcal{A}}^{\tau }$ for the groups of Aitzhan et al. [6], Dorri et al. [7] and Folha et al. [30] by an average of about 75%, 68% and 53%, respectively, in the overall system. In addition, it can be realized that the success of $\mathcal{A}$ increased slightly as the fraction of the participants increased in our approach. The above disparities may result from the fact that Bitmessage users may add a little noise to the blockchain log during transactions. Similarly, it can be seen from Table 3 that the values in [6,7,30] were close to one. This implies that $\mathcal{A}$ performed much better than ${\mathcal{A}}^{\tau }$ and that the approximation selected by $\mathcal{A}$ was near a valid address linking to the appropriate participants. Thus, we infer that the anonymity of blockchain users can still be breached even though users manually generate new addresses to keep their addresses from being linked together.

In addition, our findings demonstrate that the benefit of $\mathcal{A}$ over ${\mathcal{A}}^{\tau }$ was not substantially influenced in the proposed approach by the number of SMP participants. This is because of the explanations given in Proposition 1 and Theorem 1. However, the findings demonstrate that the benefit of $\mathcal{A}$ in [6,7,30] increased equally as the number of participants rose. This is mostly attributed to the assumption that as the number of participants rises, the allocation of addresses to the appropriate participants becomes absolute due to a blockchain analysis attack. However, it is important to note that the system allows a participant $\mathcal{P}$ to execute O2M trading transactions at the same time. Therefore, it is probable for a participant to be present concurrently in two or more transactions.

6.3. Achieving Fast Encryption and Decryption for Transactional Data Privacy

Figure 4 and Figure 5 provide the encryption and decryption times for a message observed for each participant in the SMP, respectively. The average encryption time for the proposed approach was 0.0095 s, while it was 0.1322, 0.1376 and 0.028 s for the approaches in [6,7,30], respectively. Similarly, the average decryption time of the proposed approach was 0.010 s, while for the approaches in [6,7,30], it was 0.029, 0.051 and 0.0176 s, respectively. This shows that the speedup factor of the proposed scheme was approximately 14 for encryption and 3.5 for decryption when compared with the results in [6,7,30].

6.4. Security and Privacy Comparison

To summarize,

Table 4. Security and privacy comparison.

Security and Privacy Parameteres	Aitzhan et al. [6]	Dorri et al. [7]	Folha et al. [30]	AUT Protocol
Trasactional data privacy	No	No	Yes	Yes
Untreacibility	No	No	No	Yes
Intergrity	Yes	Yes	Yes	Yes
Anonymity	No	No	No	Yes
Non-repudiation	Yes	Yes	Yes	Yes
Confidentiality	No	No	No	Yes

compares the proposed AUT protocol to two previously existing schemes from Aitzhan et al. [6], Dorri et al. [7] and Folha et al. [30]. We used the words “Yes” and “No” to indicate whether or not a scheme fulfilled the security and privacy requirements that were evaluated. As can be seen in the Table, none of the schemes in [6,7] ensured the privacy of a participant’s data throughout the data transfers.

Similarly, the table illustrates that the schemes in [6,7,30] failed to ensure the confidentiality of participant data in blockchain network applications. Finally, as shown before in this work, the schemes in [6], [7] and [30] could not guarantee participant anonymity or untraceability. Additionally, recent studies have revealed flaws in the approaches used in these schemes [1]. Nonetheless, the proposed AUT protocol passed all of the considered security and privacy criteria in this work.

6.5. Limitations of This Study

This study has two major limitations regarding its scalability. The first is that a smaller sample size was used to assess the proposed model. The second refers to the blockchain’s architectural design. In the context of resource trade, malicious behavior is multifaceted and impacted by a number of circumstances. In the future, there will be a greater focus on participant behavior related to trust throughout the trading cycle in a blockchain network setting. Determining the characteristics that influence user behavior on blockchain-based trading platforms is another topic for future research that has been investigated. In addition, the influence of the proposed model on human behavior in a big trading environment can only be shown if the model’s basic functions and components are technically possible. The major limitation of blockchain technology is its scalability. As generic solutions for improving the scalability of blockchain technology are established, it is fair to expect that these solutions can also be relevant to SMP-based trading environments. Therefore, future research should emphasize tackling the scalability issue.

7. Conclusions

Existing privacy-enabling schemes are not effective against identity-based attacks or ensuring transactional data privacy in blockchain-based network applications, such as resource trading in the SMP. In order to achieve a participant’s anonymity, untraceability and transactional data privacy, we proposed a privacy-enabled message exchange mechanism among the participants of the SMP. Security analysis of the proposed scheme under different threat scenarios has shown that it is much more resilient to identity-based attacks compared with the benchmark protocols. Moreover, the simulation-based analysis showed that the proposed scheme not only minimizes the probability of success for the attacker but is also less computationally expensive.