Proof of Fairness: Dynamic and Secure Consensus Protocol for Blockchain

Abstract

Blockchain technology is a decentralized and secure paradigm for data processing, sharing, and storing. It relies on consensus protocol for all decisions, which focuses on computational and resource capability. For example, proof of work (PoW) and proof of stake (PoS) are the most famous consensus protocols that are currently used. However, these current consensus protocols are required to recruit a node with a high computational or a large amount of cryptocurrency to act as a miner node and to generate a new block. Unfortunately, these PoW and PoS protocols could be impractical for adoption in today’s technological fields, such as the Internet of Things and healthcare. In addition, these protocols are susceptible to flexibility, security, and fairness issues, as they are discussed in detail in this work. Therefore, this paper introduces a proof of fairness (PoF) as a dynamic and secure consensus protocol for enhancing the mining selection process. The selection of the miner node is influenced by numerous factors, including the time required to generate a block based on the transaction’s sensitivity. Firstly, a reverse auction mechanism is designed as an incentive mechanism to encourage all nodes to participate in the miner selection process. In a reverse auction, each node will draw its strategy based on its computational capability and claimed cost. Secondly, an expressive language is developed to categorize transaction types based on their sensitivity to processing time, ensuring compatibility with our miner selection process. Thirdly, a homomorphic concept is designed as a security and privacy scheme to protect the bidder’s data confidentiality. Finally, an extensive evaluation involving numerical analysis was carried out to assess the efficiency of the suggested PoF protocol, which confirms that the proposed PoF is dynamic and more efficient than current PoW and PoS consensus protocols.

1. Introduction

Blockchain technology emerged as a secure and trusted paradigm for the sharing and storage of data. It is built on a decentralized methodology, which securely stores committed transactions in a chain of blocks that will be shared on distributed ledgers. Blockchain technology was first proposed to ensure the secure performance of Bitcoin cryptocurrency [1]. However, it has since been used for many cloud-based applications such as health cloud, mobile cloud, Internet of Things, etc. [2,3,4,5].

The blockchain operates according to a sequence of processes, starting with transaction validation, block creation, and distributed consensus algorithms, and ending with the block verification method [6]. It uses a network of computers, called nodes. In the beginning, transactions are initiated, and then a node (j) that acts as a miner node verifies the transactions (where j is an integer number greater than 0). Next, the miner node (j) will generate a new block (b) for validated transactions. After that, it sends b via the network to other connected nodes for verification. According to the verification, nodes vote on the correctness of the block. If the block’s correctness is not confirmed, it is aborted and ignored. However, if the block’s correctness is confirmed, it is chained to the block list (ledger) using hashing.

Undoubtedly, the process of selecting a node to serve as a proposed miner node is considered an essential process of blockchain methodology [7]. Consequently, many approaches have been introduced for smoothly selecting proposed nodes, such as proof-of-work (PoW), proof-of-stake (PoS), proof-of-space, and the practical Byzantine fault Tolerance (PBFT), which are deemed the most popular approaches for blockchain methodology [2,8].

These approaches are built on a methodology that involves selecting a node with powerful computational abilities and resources. For example, in PoW, the node that succeeds in solving a certain complex puzzle will be referred to as a powerful computational node and will then be selected as a miner node. In contrast, within PoS, a node that has a large amount of cryptocurrency to stake can win. Usually, nodes need to work as miners many times to build credit, indirectly requiring higher powerful computational resources among all connected nodes to be considered as proposed miners. The same thing applies to the proof-of-space and practical Byzantine fault tolerance (PBFT). Although these approaches have functionally succeeded in selecting a miner node, they are not practical for adoption in the most sensitive systems due to the following reasons:

• Reason 1. The PoW and PoS approaches build their selection methodologies on the following factors: powerful computational resources and credit. Thus, these methods result in frequently selecting the same node as a miner in each mining session selection, resulting in the following issues:

  –

  Disappointed nodes: Nodes with limited computational resources will become disappointed and they may stop participating in other selection processes. Thus, this issue will lead to what is termed the ‘lazy’ issue.

  –

  Lazy node: Since only nodes with powerful computational capabilities will always succeed in being selected as miners, other nodes with limited computational capabilities will become disinclined to participate in the mining selection process.

  Therefore, PoW, PoS, and similar approaches seem to fail to guarantee fairness and motivation for all nodes during the miner selection process. From another angle, a hacker can use the selection methodology as a vulnerability point to launch his attack and violate the whole system. In light of this reality, the hacker can launch the following attacks:

  –

  Domination attack. Hackers equipped with supercomputing capabilities can join a blockchain system as legitimate nodes. Here, hackers will be assigned as miner nodes in many selection sessions, due to the powerful computational capabilities. Therefore, this grants them full control of most generated blocks, which can then perform various malicious behaviors.

  –

  Block Injection. Since the hackers have been assigned as miner nodes for many miner selection sessions, due to their supercomputing capabilities, they could successfully guess the puzzle algorithm. Here, a hacker can generate various attacks, such as generating a fake session for selecting a miner node and then selecting themselves to inject a fake block into a blockchain system.

• Reason 2. These approaches also provide fixed monetary rewards as compensation for the participating miner node. However, providing a merely fixed reward is not adequate to ensure the continuity of the growing blockchain system, as the blockchain will be measured by the size of its budget. For example, the total monetary rewards of the recruited miner nodes should not exceed the system budget. When the system budget is less than the allocated reward amount, the system will fail to recruit a miner for any new block. Thus, the blockchain will not be practical for adoption for most cloud-based systems.

Therefore, designing a dynamic mining protocol for ensuring fair and safe miner selection still requires serious effort. This encouraged us to conduct more investigations into the mining process. The dynamic mining protocol considers factors that PoW and PoS do not take into consideration. Having high computational power and resources is required to generate a new block of transactions. Studying the transaction specifications is non-trivial because, to the best of our knowledge, there is typically no consensus protocol model that handles them efficiently. In this work, transaction specifications have been deeply studied to find a firm expressive approach to categorize them in an obvious way. Transactions can be classified into three main categories when considering the processing time: low-sensitivity, soft-sensitivity, and hard-sensitivity levels. Indeed, the various sensitivity levels of transactions will assist us in determining the period for generating their blocks. For example, for a transaction classified as low-sensitive (to time), the period for generating a block could be longer than for a transaction with high-sensitive data (e.g., in real-time systems). Since computational capability plays a major role in affecting timing, the diverse computational capabilities of nodes could be compatible with the transactions’ various sensitivities. Thus, the period for generating a new block of transactions with low sensitivity could be suitable for a node with modest computational capability [9,10].

Therefore, varying the critical times for generating blocks based on their sensitivity opens up a chance for all nodes to be selected as miners. However, there are still some challenges to successfully designing a dynamic mining protocol, which are threefold: (1) Theoretical challenge: the theoretical framework for illustrating the interaction between nodes and selecting miner methodology needs more investigation. (2) Interaction challenge: encouraging nodes to participate in the mining process is ongoing. (3) Dynamic reward challenge: a dynamic reward for various block generation needs more consideration.

To address the above challenges, an auction-based theory can be exploited for modeling a selection mechanism to produce advantageous proprieties such as fairness and profitability [11,12]. Auction-based theories have been proposed for most spectrum network applications. Nevertheless, these models are suitable for the blockchain model, especially for the miner selection node process, which depends on the node capability and transaction sensitivity type as well as the time period for the generated block.

Guided by such a challenge, this paper aims to design a dynamic mining protocol, called proof of fairness (PoF), to solve the problems of the mining process in the blockchain. To the best of our knowledge, this is the first work that builds a secure incentive mechanism based on selecting a miner framework. The PoF protocol is resilient with respect to transaction categorization and the block generation period. It guarantees fairness in node selection, reducing the burden of reward costs on the system. In addition, it preserves the node’s private data during the selection process. The main contributions of this work are as follows:

• A reverse auction (RA) mechanism is proposed as an incentive mechanism to encourage all nodes to participate in the miner selection node process. In RA, each node draws its strategy based on its computational capability and claimed cost. It then bids with its best strategy in each selection process.
• An expressive language (EL) is designed to categorize transaction types based on their sensitivity to processing times to ensure compatibility with our miner selection process.
• A homomorphic signcryption (HSC) scheme is designed as a security and privacy scheme to protect the bidder’s data confidentiality from being disclosed.
• Inclusive validation is conducted in order to illustrate the efficiency of the proposed PoF protocol through performance evaluation and numerical analysis, demonstrating that the proposed mechanism effectively satisfies the fairness in selecting a miner node, in comparison to current PoW and PoS consensus protocols.

The rest of this article is organized as follows: Section 2 discusses the related work. Section 3 explains the preliminary results while Section 4 shows the algorithm of PoF. Section 5 shows the security mechanism for the PoF. The security analysis is presented in Section 6. The performance evaluation results, advantages, and challenges of our proposed protocol are discussed in Section 7. Finally, Section 8 concludes the paper and highlights the future directions.

2. Related Work

Blockchain is a promising technology that needs more research to enhance its application in many fields. Blockchain runs on a peer-to-peer network, where each node in the network has its copy of the ledger. Any proposal or update to the ledger takes place according to consensus protocol. This shape of a distributed system avoids having a single point of failure [13]. The consensus protocol principle controls the transaction validation process, new block proposing, and the block verification process [6,14,15,16]. This work focuses on improving the efficiency of the blockchain model and consensus protocol.

Blockchain applications use different consensus protocols such as [15,17,18], PoS [19,20], DPOS [21], proof of space [22], PBFT [23], and ripple [24]. As mentioned previously, each type of consensus protocol has some disadvantages. On top of that, all existing consensus protocols, except PoQ, do not facilitate the participation of the newly joined nodes or nodes with low computational power, low coins, and low memory space. PoQ offers a fair chance to all nodes at the expense of work efficiency and accuracy. Therefore, this work introduces a dynamic consensus protocol, namely PoF, to balance between the task requirement and node capability.

Researchers have investigated and developed blockchain technology through many comprehensive survey articles, highlighting the development of all blockchain aspects. Some researchers have worked on blockchain applications in other domains such as education, healthcare, the internet, and smart cities [2,25,26,27,28,29]. Such comprehensive studies enable us to understand the differences in the specifications of data and transactions from one system to another. They also show the differences in cost management, security requirements, and sensitivity levels.

On the other hand, there are many research articles focusing on blockchain technical aspects, such as blockchain protocols, algorithms, and architecture. While some works investigate blockchain’s security and privacy aspects [30,31,32,33,34,35,36]. The outcomes of these works guide the process of the PoF design.

3. Preliminaries

3.1. Blockchain Mechanism

Blockchain technology refers to data storage with ledgers of blocks that are linked to each other.

3.2. Consensus Mechanism

In the blockchain mechanism, assets, transactions, miners, and verifiers are the most important elements to be defined.

• Asset: This is the main database that includes data that are prepared for processing using reading and writing operations. It can be financial data, such as bank account information, or any kind of data.
• Transaction: This is a sequence of read-and-write operations that are approved or aborted together. A transaction is the fundamental unit of a blockchain. One example is to transfer a value from one address to another [10,37].
• Miner: This is a node that is responsible for verifying the transaction’s validity and generating a new proposed block in the blockchain. However, a node will only be assigned as a miner according to the consensus protocol, such as PoW or PoS.
• Verifiers: This is a group of nodes that are in charge of verifying the validity of the newly generated block [38].

3.3. Description of Transactions Classification

In a blockchain system, data are processed as transaction payloads. Then a miner node validates transactions and stores them in a newly generated block in the system. The transaction consists of multiple read-and-write operations, where some transactions have more operations than others.

Additionally, some operations within different transactions depend on the results of others. Such dependency forces some concurrent transactions to wait until another one commits or aborts. For example, there are two transactions, $T1$ and $T2$. Transaction $T1$ transfers money, USD 100 from $account1$ to $account2$, where the original balance of $account1$ is USD 150, while $T2$ transfers money, USD 70 from $account1$ to $account3$. Clearly, if $T1$ commits (is approved) and the balance of $account1$ becomes USD 50, then $T2$ should abort, and vice versa. Therefore, the transaction processing period significantly affects the correctness of the execution.

Consequently, one of the most important aspects in generating a valid new block of transactions is to consider the sensitivity to the processing time. Thus, this work aims to design an algorithm for miner node selection that considers the node’s capabilities in response to the transaction’s time sensitivity level, using a dynamic and fair consensus protocol. Indeed, in this work, we classify the transaction payload into three main categories, as follows:

• Low sensitivity: Transactions with low-sensitive payloads could be assigned as low importance to the execution time. For example, the time period for generating a block of transactions with low sensitivity could be measured by days but less than a week.
• Soft sensitivity: Transactions with soft-sensitive payloads are more important, and a new block must be generated within a few hours to a maximum of a day. Thus, the node with the capability of generating a block in a day or less has a chance of being selected as a miner node.
• Hard sensitivity: Transactions with hard-sensitive payloads can be in real-time and are measured from seconds to a maximum of a few hours. The node with the capability of generating a block in a view of seconds to a few hours will have a high chance of being assigned as a miner node.

As discussed above, the transaction classification is considered the main factor in generating a new protocol related to selecting a miner node. The proposed PoF is mainly based on the required computational capabilities, according to the transaction classification.

3.4. Architecture Model

As shown in Figure 1, the architecture of the proposed model consists of the following entities:

• Auction mechanism: In the proposed model, one trusted node acts as the auctioneer (or multiple nodes vote on decisions), starting an auction system by announcing the task along with its time period specifications. This is done to select one winner from the connected participating nodes to act as the miner node. Indeed, for decentralization, the auctioneer role can consist of multiple nodes that vote on a decision.
• Bidding mechanism: Each node selects its best strategy according to its time capacity to generate a block. Each node sends its bidding value to the auctioneer, aiming to offer a lower cost to win the auction session.
• Winner selection mechanism: According to the nodes’ bidding values, the auctioneer determines the winner that suggests the lower cost, and is capable of generating a block within the required period.
• Payment mechanism: The winning node will be rewarded financially after performing the required task.

The system model requires a trusted server that is in charge of the system parameters; then it will be suggested that the server goes offline for security purposes.

3.5. Auction Model

A reverse auction system is a type of auction model, but in a reverse way, in which a bidder offers a lower cost to win the game. Therefore, we designed a single-source reverse auction (ssR auction). It is formally defined as follows:

Definition 1.

(ssR auction). In the ssR auction, a buyer can buy a required good or service at a lower price from a single vendor.

In the consensus system, we recognize that nodes are lazy and disappointed, so in an effort to optimize the reward system and to make nodes more interested, nodes can provide their capability resources in response to the announcement with more chances to be assigned as miners. Using the ssR auction model, we propose an assignment system as an incentive mechanism. It is formally defined as follows:

Definition 2.

(Assignment system). In the assignment system, the auctioneer, $a{n}_i$, can assign the task, ${\tau }_i$, to a trusted node, $n{d}_i$, with the ability to verify and generate a new block, $b_i$, within the required time, offering a lower reward, $r_i\in \mathcal{R}$. Note that i is a positive integer number, which is used as a local index for each group. Indeed, each node, $n{d}_i$, has n sets of bid strategies, such as ${\mathcal{A}}_i=\{{\alpha }_1,\dots ,{\alpha }_n\}$, where each ${\alpha }_i\in {\mathcal{A}}_i$ has a strategy of cost, $c_i$. Therefore, the cost function, $F_C$, for each strategy ${\alpha }_i\in {\mathcal{A}}_i$ guarantees that the cost should not exceed the reward, which is defined as follows:

$$F_C\left(c_i\right)=\left\{\begin{array}{ccc}1,\hfill & \hfill if c_i\le r_i& \\ 0,\hfill & \hfill otherwise\end{array}\right.$$

Definition 3.

(Reverse Monotonic Assignment [RMA]). In the proposed assignment system, the assignment rule, Δ, is designed as a reverse monotone to ensure that a player (i)’s capability is monotonically decreasing when offering a lower cost, $c_i$, such that

$$\Delta [{\alpha }_i\left(c_i\right),\sum _{i\notin j}^n{\alpha }_j\left(c_j\right)]=1$$

where ${\sum }_{i\notin j}^n{\alpha }_j\left(c_j\right)$ denotes the bid strategies of all n players, except for player i. Consequently, the proposed assignment system is designed as a compatible incentive mechanism, which is formally defined as follows:

Definition 4.

(Incentive mechanism). The assignment system is a compatible incentive mechanism if each node, $n{d}_i$, plays with its best lower cost, $c_i$, value as its dominant strategy, ${\alpha }_i$, to win the game.

Definition 5.

(Dominant strategy). The strategy, ${\alpha }_i$, with a cost, $c_i$, is called a dominant strategy if the utility, ${\mathcal{U}}_i$, of node $n{d}_i$ consistently meets the following specifications:

$${\mathcal{U}}_i\left({\tau }_i\right)[{\alpha }_i\left(c_i\right),{\sum }_{i\notin j}^n{\alpha }_j\left(c_j\right)]\ge {\mathcal{U}}_i\left({\tau }_i\right)[{\overline{\alpha }}_i\left({\overline{c}}_i\right),{\sum }_{i\notin j}^n{\alpha }_j\left(c_j\right)].$$

where ${\overline{\alpha }}_i\left({\overline{c}}_i\right)$ is not the player (i)’s dominant strategy.

Definition 6.

(Rationality). Each player, i, is considered individually rational only if its utility, ${\mathcal{U}}_i\left({\tau }_i\right)$, of playing its dominant strategy, ${\alpha }_i\left(c_i\right)$, is non-negative, such that

$${\mathcal{U}}_i\left({\tau }_i\right)[{\alpha }_i\left(c_i\right),\sum _{i\notin j}^n{\alpha }_j\left(c_j\right)]\ge r_i.$$

Thus, in the rationality approach, the cost, $c_i$, of playing the dominant strategy, ${\alpha }_i$, should be covered by the reward, $r_i$. This is the main prerequisite for each player, i, before being involved in the game.

Definition 7.

(Player’s utility). The utility, ${\mathcal{U}}_i$, of each player, i, is formulated as follows:

$${\mathcal{U}}_i\left({\tau }_i\right)\to (r_i-c_i)>0$$

Definition 8.

(Budget). Given the reward, $\mathcal{R}=\{r_1,r_2,\dots ,r_n\}$, and the winning set of each auction session, $\mathcal{W}$, the total budget is

$$\mathcal{B}=\left(\sum _{i\in \mathcal{W}}{r}_i\right)\ge 0.$$

3.6. Design Objective

Each node is considered selfish and always aims to win the session of the game, even if by acting in a malicious behavior, such as eavesdropping on other nodes’ cost values to claim a lower false cost, $c_i^f$, and win the game session. This approach of malicious behavior will lead to misleading the auctioneer in distinguishing the node with a lower true cost, $c_i^t$, value. Subsequently, the objective of this work is to design a secure and fair auction (SFA) model that encourages nodes to participate in a rational and fair manner, within a secure auction process. However, to achieve our work’s objective, the SFA model should solve the following issue:

Problem 1.

Truthfulness cost [TC]: The purpose of proposing TC is to design a payment system, such that each participating node’s utility cannot be guaranteed through reporting a false cost, $c_i^f$.

$${\mathcal{U}}_i(c_i,c_{-i})\le {\mathcal{U}}_i(c_i^f,c_{-i}).$$

By solving the TC problem, we can ensure that the only way for each node to maximize its utility is by reporting its true cost, $c_i^t$, regardless of the other participants’ node cost strategies, $c_{-i}$.

Problem 2.

Secure Selecting Winner [SSW]: Given several nodes, $n=\{n{d}_1,\dots ,n{d}_n\}$, and a required period, $t_i=(t_s,t_e)$, the auctioneer aims to select a winner, $\mathcal{W}\subseteq n$, with a lower trust cost ($c_i^t$) that can generate a required block within the possible time periods, $t^{\ast }$.

Problem 3.

Security and Privacy [SP]: The following information is considered as the node’s private data.

• The time, $t_i^{\ast }$, is considered private data because if the time to generate the block is disclosed, it will lead to violating the node’s capability.
• The cost, $c_i^t$, value is considered private data because if it is disclosed, it will lead to detecting the node’s best strategy, which may help other nodes set up their best cost strategies to win the session.

Therefore, the node’s ($t_i^{\ast }$ and $c_i^t$) values must be protected among the nodes. Solving the SP problem will guarantee the confidentiality of the node’s data.

4. Details of the PoF Protocol

This section describes the proposed model of PoF, as shown in Figure 2.

4.1. Incentive Mechanism

The proposed PoF model is based on a proposed ssR auction to guarantee fairness among all participating nodes when selecting a node as a miner. In particular, for each new transaction, Γ_i, an auctioneer will start announcing it to all connected nodes. Thus, the interested node, $n{d}_i$, will start generating its bid values, ${\mathcal{A}}_i$, based on its dominant strategy in order to win the auction section. Once the auctioneer receives several ${\left({\mathcal{A}}_i\right)}_{i=1}^n$ from n of interested nodes, ${\left(n{d}_i\right)}_{i=1}^n$, it will sort them in ascending order, according to their claimed costs. Therefore, the node with a lower cost will be selected as a miner node. The proposed PoF model is described in detail in the following phases.

4.1.1. Task Announcement

The auctioneer begins with the AS by announcing a block verification task, ${\tau }_i=\{{\mathrm{\Gamma }}_i,t_s,t_e\}$, which includes the transaction, ${\mathrm{\Gamma }}_i$, and time period, $[t_s,t_e]$, for verifying and generating the new block, $b_i$. Therefore, the computational capability requirements for each participating node should fit with the required time period, $[t_s,t_e]$, to verify and generate the new block, $b_i$.

4.1.2. Bidding

Each node, $n{d}_i$, with the capacity to participate in the ${\tau }_i$ is permitted to submit an auction bid as ${\mathcal{A}}_i=\{{\widehat{t}}_i,c_i\}$. $c_i$ represents the cost value for performing the ${\tau }_i$ and ${\widehat{t}}_i=(t_i^s,t_i^e)$ denotes the period where node $n{d}_i$ can perform the task ${\tau }_i$ within.

Each node, $n{d}_i$, has a different computational capability to perform the ${\tau }_i$. Therefore, each node, $n{d}_i$, computes its period ${\widehat{t}}_i$ according to its capability, as follows:

$${\widehat{t}}_i={[(t_s+{\widehat{t}}_s^i)+(t_e-{\widehat{t}}_e^i)]}^{\lambda }$$

where $(0\ge {\widehat{t}}_s^i\le t_s)$ is the expected beginning time of node $n{d}_i$ to start performing the ${\tau }_i$, which is computed as the following:

$${\widehat{t}}_s^i=\frac{t_s^i-t_s}{(t_e-t_s)}$$

In addition, $(0\ge {\widehat{t}}_e^i\le t_e)$ is the expected time of node $n{d}_i$ to finish performing the ${\tau }_i$, which is computed as follows:

$${\widehat{t}}_e^i=\frac{t_e-t_e^i}{(t_e-t_s)}$$

The $\lambda$ is an influence time factor, which is $\lambda >0$. Note that nodes might have overlapping time periods.

4.1.3. Selecting Winner Bidder (SWB)

The objective of the auctioneer is to recruit a suitable node, $n{d}_i$, to be in charge of generating a new block, $b_i$, during the range of period $[{\widehat{t}}_i\subset (t_s,t_e)]$ and with the lowest possible reward, $r_i$.

However, the node times ${\left({\widehat{t}}_i\right)}_{i=1}^n$ might overlap. To easily illustrate time conflicts, the following notations are presented:

• n denotes the number of bidder nodes.
• $g(f,u)$ denotes the conflict graph, where f represents the collection of number (n) bidders $\mathcal{A}=\{{\mathcal{A}}_1,\dots ,{\mathcal{A}}_n\}$ and u denotes a k set of edges $u=\{u_1,\dots ,u_k\}$, where each $u_i$ represents m sets of ${\left(\mathcal{A}\right)}_{i=1}^m$ that have the same period.

However, this makes (Problem 2) an NP-complete problem, which hinders the auctioneer from selecting the node as a winner. Therefore, from each $u_i\in u$, we select only one node, $n{d}_i$, with a lower cost, $c_i$, as the winner of its edge, $u_i$, and then sort all winners from all these edges, ${\left(u_i\right)}_{i=1}^k$, in a group, ∂. Finally, the auctioneer only needs to select one, $n{d}_i\in$, with a lower cost, $c_i$, as the final winner. The suggested greedy process is performed through the following steps:

• Step 1: For each $u_i$, sort nodes based on their neighbors’ costs, ${\left(c_i\right)}_{i=1}^m$, as follows:

  $$u_i{\left(c_1\right)}^{\alpha }<\dots <u_i{\left(c_i\right)}^{\alpha }<\dots <u_i{\left(c_m\right)}^{\alpha }.$$
  A node with a lower cost, $c_i$, will be selected as a winner in its edge, $u_i$.
• Step 2: Sort all winning nodes from each ${\left(u_i\right)}_{i=1}^k$ according to their cost, $c_i$, such that

  $$u_1{\left(c_i\right)}^{\alpha }<u_2{\left(c_i\right)}^{\alpha }<\dots <u_i{\left(c_i\right)}^{\alpha }<\dots <u_k{\left(c_i\right)}^{\alpha }.$$

  where $\alpha$ represents the influence factor of variance importance for generating the new block. A small $\alpha$ causes the generation of the new block to be more important.
• Step 3: The lowest cost in Step 2 will be selected as a final winner, fulfilling the following requirement:

  $$\Delta ·{\widehat{t}}_i\subset (t_e-t_s), \Delta ·c_i\ge r_i$$

Accordingly, Algorithm 1 represents the SWB process.

Algorithm 1 SWB Algorithm

Input: Task $\tau$ and bidder set $\mathcal{A}=\{{\alpha }_1,\dots ,{\alpha }_n\}$. Output: Assignment Δ.   1: $\tau \leftarrow \mathcal{A}$   2: for $i=1:m$ do   3:    $\Delta =0$;   4: end for   5: Sort bidders according to $c_i$,   6: $u_i{\left(c_1\right)}^{\alpha }<\dots <u_i{\left(c_i\right)}^{\alpha }<\dots <u_i{\left(c_m\right)}^{\alpha }$,   7: $\tau \leftarrow \tau \setminus (u_i{\left(c_i\right)}^{\alpha }\bigcup i)$   8: Sort bidders according to $c_i$,   9: $u_1{\left(c_i\right)}^{\alpha }<u_2{\left(c_i\right)}^{\alpha }<\dots <u_i{\left(c_i\right)}^{\alpha }<\dots <u_k{\left(c_i\right)}^{\alpha }$, 10: $i\leftarrow argmin\left(c_i\right)$ 11: return $\Delta =1$

Lemma 1.

The proposed SWB guarantees a fair selection methodology among all participating nodes, ${\left(n{d}_i\right)}_{i=1}^n$.

Proof. 

All nodes are first sorted according to their overlapping time to a set of groups, $u=\{u_1,\dots ,u_k\}$. Thus, we sort all winning nodes from each ${\left(u_i\right)}_{i=1}^k$ according to their cost, $c_i$, demonstrating the proposed reverse monotonic assignment [RMA] of the assignment system.    □

4.1.4. Fair Reward Mechanism

A fair reward method is designed to guarantee individual rationality, to ensure that every node, $n{d}_i$, bids by its truthful cost, $c_i^{\ast }$, as its domain strategy. The fair reward method is formally defined as follows:

Definition 9.

(Fair reward rule). The fair reward scheme, R, can be defined as follows: $r_i=c_{i+1}^{\ast }$ for a winning node, $n{d}_i$, and $r_i=0$ otherwise.

Lemma 2.

If the assignment system satisfies monotonicity, then there is a winning node, $n{d}_i$, in each $u_i$ group, and from all these winners, there must be a winner, $n{d}_i$, with the critical neighbor node, $n{d}_{i+1}$, such that $(c_i^{\ast }<c_{i+1}^{\ast })$.

Proof. 

In each $u_i$ group, we sort nodes ${\left(n{d}_i\right)}_{i=1}^m$ incrementally based on their cost values, ${\left(c_i\right)}_{i=1}^m$. It is easy to locate the node, $n{d}_i$, with a lower cost value, $c_i$. In addition, by sorting all these winning nodes according to their costs ${\left(c_i^{\ast }\right)}_{i=1}^n$, it is also easy to demonstrate the node, $n{d}_i$, with a lower $c_i^{\ast }$ and its critical neighbor node, $n{d}_{i+1}$, with $(c_i^{\ast }<c_{i+1}^{\ast })$.    □

Lemma 3.

The ssR auction mechanism can be designated as fair if a winning node obtains a fair reward, such that $r_i>c_i^{\ast }$.

Proof. 

As the monotonous assignment rule provides a fair selection rule, it is easy to generate a fair reward, as illustrated in Algorithm 2.    □

Algorithm 2  Fair reward algorithm

Input: Group bidders ${\left(u_i\right)}_{i=1}^k$, conflict graph, g, and assignment Δ. Output: Reward R   1: for  $i=1:i\in u_i$  do   2:    if $\Delta =0$ then   3:        $r_i=0$   4:    else   5:      $\Delta \leftarrow i\setminus \left\{i\right\}$   6:      while $\Delta \ne \varnothing$ do   7:         $i\leftarrow lower\left(c_i^{\ast }\right)$   8:         if $i<n{d}_{i+1}^{\ast }$ then   9:             $r_i=c_{(}{i+1)}^{\ast }$ 10:         end if 11:         $\Delta \leftarrow \Delta \setminus (n{d}_i\bigcup u_i)$ 12:      end while 13:    end if 14: end for 15: return  $R=\{r_1,r_2,\dots ,r_k\}$

4.2. Computational Complexity

The computational complexity of the greedy assignment algorithm is investigated in terms of the cost of running time. Let $g=(f,u)$ be a conflict graph with n bidder nodes and their periods, $t^{\ast }$. The computational complexity comes from the following processes:

• Sorting process: In this process, the auctioneer will sort all n bidder nodes according to their similarity times. For example, it first sorts m bidder nodes that have similar time periods in their bids in a group, $u_i$. This process will take $m\left|u\right|$ time to sort each group, $u_i$, according to their similarity time, and it will take $O\left(klogu\right)$ time to sort all n bidder nodes, such that $u=\{u_1,\dots ,u_k\}$.
• Selection process: In this process, the auctioneer selects the bidder node with the lowest cost from each $|u_i|$, which will take $O\left(k\right|u\left|\right)$ time.

Therefore, the overall complexity is $O(klogk+|u\left|\right)$.

Theorem 1.

The proposed PoF successfully achieves a selected miner node with high satisfaction and lower payment. Thus, (Problem 1) and (Problem 2) are solved.

Proof. 

The fairness of selecting the node and the reward rules are determined according to Lemmas 1–3. A winning node will be rewarded with a non-negative reward and the other node will receive no reward.   □

5. Proposed Security Mechanism for PoF

5.1. Security and Privacy Scheme

To protect the node bid values from being disclosed during the auction process, this work designed a homomorphic signcryption (HSC) scheme, which is compatible with the proposed PoF protocol. The proposed HSC scheme enables each bidder to signcrypt its strategy value and submit it to the auctioneer as a ciphertext. Since the HSC scheme satisfies a homomorphic concept, the auctioneer can sort bidders that overlap with similar time expectations without revealing their private costs. The proposed HSC scheme is based on the following:

5.1.1. Bilinear Group

The proposed HSC scheme is executed on a bilinear mapping methodology [39], which is defined as follows:

Definition 10.

(Bilinear mapping). Bilinear mapping is an admissible bilinear pairing, such that $\widehat{e}:{\Im }_1\times {\Im }_1\to {\Im }_2$, which involves mapping over elliptic curves [40]. The properties of $\widehat{e}$ are illustrated as follows:

• Bilinearity property: Let $g_1,g_2,g_3\in {\Im }_1$ and $x,z\in Z_q^{\ast }$, such that:

  –

  $\widehat{e}(g_1,g_2+g_3)=\widehat{e}(g_1,g_2)\widehat{e}(g_1,g_2)\to {\Im }_2.$

  –

  $\widehat{e}(x{g}_1,z{g}_2)=\widehat{e}{(g_1,g_2)}^{xz}=\widehat{e}(z{g}_1,x{g}_2)\to {\Im }_2.$

• Non-degeneracy property: Let $g_1\ne 0,g_2\ne 0\in {\Im }_1$, such that $\widehat{e}(g_1,g_2)\to {\mathbb{G}}_2\ne 1$.
• Computational ability property: $\widehat{e}$ is efficiently computable.

Note that ${\Im }_1$ is an additive group and ${\Im }_2$ is a multiplicative group of order q for some large prime q values.

5.1.2. Complexity Assumptions

We describe the discrete logarithm problem related to the proposed HSC as follows:

Definition 11.

Computational Diffie–Hellman $\left(CDH\right)$ Problem. Given $g,xg,zg\in {\Im }_1$ and $x,z\in Z_q^{\ast }$, where g is a generator of ${\Im }_1$, the $\left(CDH\right)$ problem is used to compute $xzg\in {\Im }_1$ within polynomial time.

Definition 12.

Decisional Bilinear Diffie–Hellman $\left(DBDH\right)$ Problem. Given $g,xg,zg,yg\in {\Im }_1$, and $x,z,y\in Z_q^{\ast }$, where g is a generator of ${\Im }_1$, the $\left(DBDH\right)$ problem is used to decide whether $h=\widehat{e}{(g,g)}^{xzy}$ within polynomial time, where $h\in {\Im }_2$.

5.2. Details of the PoF Security and Privacy Scheme

The PoF security and privacy scheme is described in detail, according to the following phases:

Phase 1:

Initialization system: The trust server generates the system parameters (${\Im }_1$, ${\Im }_2$, $\widehat{e}$, q) based on the security parameter, p, where g is a generator point of ${\Im }_1$. Then the trust server selects the master private key, $\phi \in Z_q^{\ast }$, and computes the corresponding public key, $K_{pub}=\phi g$. In addition, it chooses a secure hash function, $H_1:{\{0,1\}}^{256}\to {\Im }_1$. The trust server finally publishes the public parameters as $PM=({\Im }_1,{\Im }_2,q,g,\widehat{e},K_{pub},H_1)$.

Based on the system’s public parameters, $PM$, each node, i, selects a random number, $x_i{Z}_q^{\ast }$, as its private key and then computes its corresponding public key, $P{K}_i$ = $x_{i}g$. In addition, the node, i, selects a random number, $q_i\in Z_q^{\ast }$, as a salt key to generate its pseudo-identity as $S_i=q_i{H}_1\left(I{D}_i\right)$.

Phase 2:

Transaction generating: When node $n{d}_i$ generates a new transaction, ${\mathrm{\Gamma }}_i$, to be added to the blockchain system, it sends ${\mathrm{\Gamma }}_i$ to the auctioneer, $n{d}_{a_i}$, with its importance rate, $\mu$, to generate a ${\mathrm{\Gamma }}_i$ block. The node, $n{d}_i$, will select $y_i\in Z_q^{\ast }$ and compute both $A_{i1}=y_{i}P{K}_{a_i}$ and $A_{i2}=E_{AES}[y_{i}g,({\mathrm{\Gamma }}_i,\mu )]$. It then sends $(A_{i1},A_{i2})$ to the auctioneer, $n{d}_{a_i}$,.

Phase 3:

Auction: Once receiving $(A_{i1},A_{i2})$, the auctioneer, $n{d}_{a_i}$, uses its private key to obtain $({\mathrm{\Gamma }}_i,\mu )$, as $({\mathrm{\Gamma }}_i,\mu )=D_{AES}[\frac{1}{x_{a_i}}{A}_{i1},A_{i2}]$. Based on $\mu$, the auctioneer, $n{d}_{a_i}$, determines the range of time $(t_s,t_e)$ to generate a new block, ${\mathbb{B}}_i$ for ${\mathrm{\Gamma }}_i$ and ${\pi }_i$, as a task’s identity number. It then generates a task, ${\tau }_i=\{{\mathrm{\Gamma }}_i,t_s,t_e{\pi }_i\}$, and identifies itself to all connected nods by generating a digital signature on ${\tau }_i$ as,

$${\alpha }_i\left({\tau }_i\right)\leftarrow Sign({\tau }_i,x_{a_i}),$$

Finally, it starts an opening reverse auction session by announcing $({\tau }_i,{\alpha }_i\left({\tau }_i\right))$.

Phase 4:

Bidding: Any node, $n{d}_i$, that is interested in participating in the auction system will first need to verify the ${\tau }_i$ validity, as follows:

$${\alpha }_i{\left({\tau }_i\right)}^{\prime }\leftarrow \mathbf{Verify}(P{K}_{n{d}_a},{\alpha }_i\left({\tau }_i\right)).$$

The interested node, $n{d}_i$, then generates its bid ${\mathcal{A}}_i=\{{\widehat{t}}_i,c_i\}$ values based on its computational capability for participating in ${\tau }_i$. Thus, node $n{d}_i$ will signcrypt its ${\mathcal{A}}_i$, as shown below. It randomly selects $r_i\in Z_q^{\ast }$ and computes the following:

• $E_{i1}=r_{i}P{K}_{n{d}_a}$
• $E_{i2}={\widehat{t}}_i{\pi }_{i}g$
• $E_{i3}=\frac{1}{r_i}({\pi }_i{K}_{pub}+E_{i2})$
• $E_{i4}=r_i(P{K}_{n{d}_a}+E_{i3})$
• $E_{i5}=r_i{\pi }_i(c_{i}P{K}_{n{d}_a}+K_{pub})+r_{i}g$
• $E_{i6}=(x_i+r_i)E_{i5}$
• $E_i=(E_{i1},E_{i4},E_{i5},E_{i6})$

Each node, $n{d}_i$, then sends its $(E_i,S_i)$ to the auctioneer, $n{d}_{a_i}$.

Phase 5:

Verification: Once receiving ${\left(E_{i6}\right)}_{i=1}^n$ from n nodes, the auctioneer, $n{d}_{a_i}$, aggregates all ciphertexts $\left({\sum }_{i=1}^n{E}_{i6}\right)$, of the received public keys, ${\left(P{K}_{n{d}_i}\right)}_{i=1}^n$, and verifies them simultaneously, such that the auctioneer, $n{d}_{a_i}$, only accepts $\left({\sum }_{i=1}^n{E}_{i6}\right)$ if the following equation holds:

$$V_i={\displaystyle \frac{{\prod }_{i=1}^n\widehat{e}(E_{i6},g)}{{\prod }_{i=1}^n\widehat{e}(E_{i5},(\frac{1}{x_{n{d}_a}}{E}_{i1}+P{K}_{n{d}_i}))}}=1$$

(1)

If the $V_i$ holds, the auctioneer, $n{d}_{a_i}$, accepts ${\left(E_i\right)}_{i=1}^n$ as a valid ciphertext from n nodes and will perform the next phase.

Lemma 4.

The verification phase is complete.

Proof. 

$V_i=1$, since:

$$\begin{array}{cc}\hfill V_i& ={\displaystyle \frac{{\prod }_{i=1}^n\widehat{e}(E_{i6},g)}{{\prod }_{i=1}^n\widehat{e}(E_{i5},(\frac{1}{x_{n{d}_a}}{E}_{i1}+P{K}_{n{d}_i}))}}\hfill \\ & ={\displaystyle \frac{{\prod }_{i=1}^n\widehat{e}((x_i+r_i)E_{i5},g)}{{\prod }_{i=1}^n\widehat{e}(E_{i5},(\frac{1}{x_{n{d}_a}}{E}_{i1}+P{K}_{n{d}_i}))}}\hfill \\ & ={\displaystyle \frac{{\prod }_{i=1}^n\widehat{e}((x_i{E}_{i5},g)\widehat{e}(r_i{E}_{i5},g)}{{\prod }_{i=1}^n\widehat{e}(E_{i5},(\frac{1}{x_{n{d}_a}}\left(r_{i}P{K}_{n{d}_a}\right)+P{K}_{n{d}_i}))}}\hfill \\ & ={\displaystyle \frac{{\prod }_{i=1}^n\widehat{e}((E_{i5},x_{i}g)\widehat{e}(E_{i5},r_{i}g)}{{\prod }_{i=1}^n\widehat{e}(E_{i5},(\frac{1}{x_{n{d}_a}}\left(r_i{x}_{n{d}_a}g\right)+P{K}_{n{d}_i}))}}\hfill \\ & ={\displaystyle \frac{{\prod }_{i=1}^n\widehat{e}(E_{i5},P{K}_{n{d}_i})\widehat{e}(E_{i5},r_{i}g)}{{\prod }_{i=1}^n\widehat{e}(E_{i5},(r_{i}g+P{K}_{n{d}_i}))}}\hfill \\ & ={\displaystyle \frac{{\prod }_{i=1}^n\widehat{e}(E_{i5},P{K}_{n{d}_i})\widehat{e}(E_{i5},r_{i}g)}{{\prod }_{i=1}^n\widehat{e}(E_{i5},r_{i}g)\widehat{e}(E_{i5},P{K}_{n{d}_i})}}\hfill \\ & ={\displaystyle \frac{{\prod }_{i=1}^n\widehat{e}(E_{i5},P{K}_{n{d}_i}+r_{i}g)}{{\prod }_{i=1}^n\widehat{e}(E_{i5},P{K}_{n{d}_i}+r_{i}g)}}=1\hfill \end{array}$$

□

Phase 6:

Sorting process: The auctioneer, $n{d}_{a_i}$, will first sort the nodes that have submitted the same timestamp, as follows:

• For each node, $n{d}_i$, the auctioneer, $n{d}_{a_i}$, computes

  $${\omega }_i={\displaystyle \frac{\widehat{e}(K_{pub},E_{i4})}{\widehat{e}(K_{pub},E_{i1}+{\pi }_i{K}_{pub})}}$$
• For each node, $n{d}_i$, the auctioneer, $n{d}_{a_i}$, computes the following:

  –

  $T_{i1}=\widehat{e}(K_{pub},{\pi }_i\left(t_s\right)g)$

  –

  $T_{i1}=\widehat{e}(K_{pub},{\pi }_i\left(t_e\right)g)$

  It then accepts ${\omega }_i$ as a valid timestamp if the following equation is held:

  $$T_i\leftarrow T_{i2}\le {\omega }_i\le T_{i2}$$
• Sort m sets of bidder nodes ${\left(n{d}_i\right)}_{i=1}^m$ that have valid ${\left(T_i\right)}_{i=1}^m$. Group the same ${\left({\omega }_i\right)}_{i=1}^m$ in a set, ${\partial }_i$, such that

  $${\partial }_i=\{{\omega }_i,\dots ,{\omega }_m\}.$$

Theorem 2.

The auctioneer, $n{d}_{a_i}$, can sort nodes according to their time availability ${\left({\omega }_i\right)}_{i=1}^n$, but it is not able to disclose the nodes’ time availability. This is because the auctioneer generates a second ciphertext of ${\left({\omega }_i\right)}_{i=1}^n$ from the first ciphertexts ${(E_{i4},E_{i2})}_{i=1}^n$. Therefore, the participating nodes’ private data are protected.

Proof. 

The ${\omega }_i$ ciphertext is completely encrypted, which is generated under $CDH$ and $DBDH$ assumptions. The correctness of ${\omega }_i$ is approved as follows:

$$\begin{array}{cc}\hfill {\omega }_i& ={\displaystyle \frac{\widehat{e}(K_{pub},E_{i4})}{\widehat{e}(K_{pub},E_{i1}+{\pi }_i{K}_{pub})}}\hfill \\ & ={\displaystyle \frac{\widehat{e}(K_{pub},r_i(P{K}_{n{d}_a}+E_{i3})}{\widehat{e}(K_{pub},E_{i1}+{\pi }_i{K}_{pub})}}\hfill \\ & ={\displaystyle \frac{\widehat{e}(K_{pub},(r_{i}P{K}_{n{d}_a}+r_i{E}_{i3})}{\widehat{e}(K_{pub},E_{i1}+{\pi }_i{K}_{pub})}}\hfill \end{array}$$

$$\begin{array}{cc}& ={\displaystyle \frac{\widehat{e}(K_{pub},r_{i}P{K}_{n{d}_a})\widehat{e}(K_{pub},r_i{E}_{i3})}{\widehat{e}(K_{pub},E_{i1}+{\pi }_i{K}_{pub})}}\hfill \\ & ={\displaystyle \frac{\widehat{e}(K_{pub},r_{i}P{K}_{n{d}_a})\widehat{e}(K_{pub},r_i\left[\frac{1}{r_i}({\pi }_i{K}_{pub}+E_{i2})\right])}{\widehat{e}(K_{pub},E_{i1}+{\pi }_i{K}_{pub})}}\hfill \\ & ={\displaystyle \frac{\widehat{e}(K_{pub},r_{i}P{K}_{n{d}_a})\widehat{e}(K_{pub},({\pi }_i{K}_{pub}+E_{i2}))}{\widehat{e}(K_{pub},E_{i1}+{\pi }_i{K}_{pub})}}\hfill \\ & ={\displaystyle \frac{\widehat{e}(K_{pub},E_{i1})\widehat{e}(K_{pub},{\pi }_i{K}_{pub})\widehat{e}(K_{pub},E_{i2})}{\widehat{e}(K_{pub},E_{i1}+{\pi }_i{K}_{pub})}}\hfill \\ & ={\displaystyle \frac{\widehat{e}(K_{pub},E_{i1}+{\pi }_i{K}_{pub})\widehat{e}(K_{pub},{\widehat{t}}_i{\pi }_{i}g)}{\widehat{e}(K_{pub},E_{i1}+{\pi }_i{K}_{pub})}}\hfill \\ & =\widehat{e}(K_{pub},{\widehat{t}}_i{\pi }_{i}g)\hfill \end{array}$$

□

Phase 7:

Selecting the winning node: After sorting bidders to a set, k, of groups ${\left({\partial }_i\right)}_{i=1}^k$, the auctioneer, $n{d}_{a_i}$, then selects the winning node from each group ${\left({\partial }_i\right)}_{i=1}^k$. Accordingly, it will sort all winners incrementally, according to their costs, and then select the lower cost as the winner of winners, and determine the respective payments as follows:

• Monotonic assignment: The auctioneer, $n{d}_{a_i}$, uses its private key $\left(x_{n{d}_a}\right)$ to obtain a cost, $c_i$, value from ciphertexts, $E_{i5}$, for each node, $n{d}_i\in {\partial }_i$, as follows:

  –

  $D_i={\displaystyle \frac{1}{x_{n{a}_a}}}{E}_{i1}$

  –

  $C_i={\displaystyle \frac{E_{i5}}{({\pi }_i+1)D_i}}$

  Thus, $C_i$ is an encrypted value of the real cost, $c_i$; hence, the auctioneer, $n{d}_{a_i}$, knows nothing about the node, $n{d}_i$,’s real cost, $c_i$, value. Thus, the node, $n{d}_i$,’s private cost, $c_i$, is still secure.
  It then starts sorting nodes ${\left(n{d}_i\right)}_{i=1}^m\in {\partial }_i$ according to their ${\left(C_i\right)}_{i=1}^m$ in ascending order, such that

  $$(C_1^{\alpha }<C_2^{\alpha }<\dots <C_m^{\alpha })\in {\partial }_i$$
  The auctioneer, $n{d}_{a_i}$, selects the node with a lower cost $\left(C_i\right)$ and then deletes the other nodes. It replays this step for all groups ${\left({\partial }_i\right)}_{i=1}^k$. Finally, it sorts all winning nodes from each ${\left({\partial }_i\right)}_{i=1}^k$ according to their costs, $C_i$, such that

  $${\partial }_1{\left(C_i\right)}^{\alpha }<{\partial }_2{\left(C_i\right)}^{\alpha }<\dots <{\partial }_i{\left(C_i\right)}^{\alpha }<\dots <{\partial }_k{\left(C_i\right)}^{\alpha }.$$
  Therefore, the auctioneer, $n{d}_{a_i}$, selects the lower cost value $\left({\partial }_i{\left(C_i\right)}^{\alpha }\right)$ as a winner and then assigns the winning node, $n{d}_i$, as a miner node for this session.
• Critical payment: For the winning node, $n{d}_i\in {\partial }_i$, the auctioneer, $n{d}_{a_i}$, determines its critical neighbor $nd{(i+1)}^{\ast }\in {\partial }_{i+1}^{\ast }$ by running Algorithm 2. It then sends the ${\partial }_{i+1}{\left(C_{i+1}\right)}^{\ast }$ to the smart payment contract.

Theorem 3.

The auctioneer, $n{d}_{a_i}$, can sort nodes according to their costs ${\left(c_i\right)}_{i=1}^k$ in each group of nodes without disclosing the real cost information. The sorting process is performed on a second ciphertext of ${\left(C_i\right)}_{i=1}^k$, which is generated from the first ciphertexts ${(E_{i1},E_{i5})}_{i=1}^k$. Thus, the participating nodes’ private data are protected.

Proof. 

The $C_i$ ciphertext is completely encrypted, which is generated under the $CDH$ assumption. The correctness of $C_i$ is approved as follows:

$$\begin{array}{cc}\hfill C_i& ={\displaystyle \frac{E_{i5}}{({\pi }_i+1)D_i}}\hfill \\ & ={\displaystyle \frac{E_{i5}}{({\pi }_i+1){\displaystyle \frac{1}{x_{n{a}_a}}}{E}_{i1}}}\hfill \\ & ={\displaystyle \frac{r_i{\pi }_i(c_{i}P{K}_{n{d}_a}+K_{pub})+r_{i}g}{({\pi }_i+1)r_{i}g}}\hfill \\ & ={\displaystyle \frac{(c_i{x}_{n{d}_a}+\phi )r_i{\pi }_{i}g+r_{i}g}{{\pi }_i{r}_{i}g+r_{i}g}}\hfill \\ & =(c_i{x}_{n{d}_a}+\phi )\hfill \end{array}$$

□

Theorem 4.

The proposed PoF protocol satisfies the fairness and competition among nodes within a secure environment during the process of selecting a miner node.

Proof. 

The bidder, i, is determined according to Lemmas 1–3. In line with the miner node selection rule, every node submits its true strategy within a secure system, and the winning node, $n{d}_i$, is selected according to the lower cost among all nodes and will be paid with $c_i^{t\ast }>c_i^t$, without disclosing the $c_i^t$ value. Notably, the time required for block generation helps all nodes to calculate their best strategy, allowing them to bid in a miner selection session with a high chance of being selected or obtaining non-negative utility if not selected. Therefore, the fairness and individual competitive manner within a secure environment can be proved.   □

6. Security Analysis

This section illustrates the security analysis of the proposed homomorphic signcryption (HSC) scheme, which is designed for security and privacy for the proposed PoF protocol. Thus, in this section, we will prove the ability of the HSC scheme to solve (Problem 3) according to the following security and privacy properties.

• Privacy and integrity: In compliance with Definition 11, the bid value is signcrypted under the $CDH$ assumption, which prevents a malicious node, $n{d}_j$, from disclosing or even modifying the content of any target bid value. Since each participating node, $n{d}_i$, signcrypts its bid value using a receiver’s public key, as well as random secure, $r_i$, to calculate $(E_{i1},E_{i3},E_{i4},E_{i5})$, the malicious node, $n{d}_j$, will not be able to reveal or forge any ciphertext of $(E_{i1},E_{i3},E_{i4},E_{i5})$ within a polynomial time without knowing the receiver’s private key and the random value, $r_i$. In addition, the malicious node, $n{d}_j$, will not be able to generate a fake signature on any targeted bid value without reaching the sender’s private key that is utilized to generate $E_{i6}=(x_i+r_i)E_{i5}$.

Lemma 5.

The proposed PoF protocol achieves privacy-preservation and integrity simultaneously.

Proof. 

As the $\left(E_i\right)$ ciphertext is signcrypted with a secret random key, $r_i$, under two public keys $(P{K}_{n{d}_a},K_{pub})$, it is difficult for an adversary to reveal the real $r_i$ and both secure keys, which are the auctioneer’s private key, $x_{n{d}_a}$, and the $\phi$ of the public key, $K_{pub}$. In addition, $\left(E_i\right)$ is computed under the $CDH$ assumption, which is difficult to be computationally solved in polynomial time. Therefore, the adversary or malicious node will not be able to modify or disclose the bidder’s real cost or time period for generating a block.   □

• Authentication: The authentication property is guaranteed since the proposed security and privacy scheme is based on the signcryption technique. Each participating node, $n{d}_i$, authenticated itself by generating a signature on its encrypted bid, using its private key as $E_{i6}=(x_i+r_i)E_{i5}$. However, the auctioneer, $n{d}_{a_i}$, only accepts the $E_i$ ciphertext if it is valid according to the verification step, as illustrated in the following equation:

  $$V_i={\displaystyle \frac{\widehat{e}(E_{i6},g)}{\widehat{e}(E_{i5},\frac{1}{x_{n{d}_a}}{E}_{i1})\widehat{e}(E_{i5},P{K}_{n{d}_i})}}=1.$$
  In this work, we exploit an aggregation methodology to reduce the computational cost as used in Equation (1).

Lemma 6.

The proposed PoF protocol achieves authentication properties.

Proof. 

Each registered bidder node, $n{d}_i$, generates a signcrypted ciphertext under the $CDH$. At the same time, only a registered auctioneer, $n{d}_{a_i}$, can authenticate the bidder node, $n{d}_i$, legitimacy with a valid $E_i$ ciphertext by verifying the $E_i$ validation, using its private key under the $DBDH$. Therefore, the authentication goal of verifying the nodes’ validation is achieved.   □

• Secure winner selection: The proposed security and privacy scheme is based on a signcryption technique with a concept of a homomorphic technique in order to propose a security mechanism for PoF. According to Definitions 11, and 12, the auctioneer, $n{d}_{a_i}$, first sorts all bidders according to their time period, sorting bidders that provide the same period in a group and selecting a bidder with a lower cost as a winner from each group. Finally, it sorts all winners in descending order, according to their costs, and then selects a lower cost. The auctioneer, $n{d}_{a_i}$, performs all selecting winner processes without disclosing the bidders’ actual time periods and their real costs under the $DBDH$.

Lemma 7.

The proposed PoF protocol ensures secure winner selection.

Proof. 

Each registered bidder node, $n{d}_i$, signcrypts its value with a secret random key, $r_i$, and $(P{K}_{n{d}_a},K_{pub})$. In contrast, according to Definition 12, only the auctioneer, $n{d}_{a_i}$, can sort all bidders based on their periods, as it sorts bidders that provide the same time period in a group by computing ${\left({\omega }_i\right)}_{i=1}^n$. The time value of each bidder is encrypted under $r_i$ and the public key $K_{pub}$ to generate the ciphertext of time value as follows:

$$E_{i4}=r_i[P{K}_{n{d}_a}+\frac{1}{r_i}({\pi }_i{K}_{pub}+{\widehat{t}}_i{\pi }_{i}g)],$$

The auctioneer, $n{d}_{a_i}$, will perform a sorting process among all bidders without revealing their actual time periods as time $({\widehat{t}}_i)$ is preserved under $r_i$ and $K_{pub}$. In addition, the auctioneer, $n{d}_{a_i}$, selects a winner from all winner bidders by decrypting the ciphertext using its private key to compute $D_i=\frac{1}{x_{n{d}_a}}{E}_{i1}$. Even with computing $D_i$, the bidder’s private cost is still encrypted under the public key $\left(P{K}_{n{d}_a}\right)$, where the proposed scheme is designed in a way to enable the auctioneer, $n{d}_{a_i}$, to select a winning node without disclosing its real cost value. Therefore, the goal of a secure winner selection is achieved.   □

Theorem 5.

The proposed HSC scheme successfully achieved all security and privacy properties for the proposed PoF protocol from solving (Problem 3).

Proof. 

According to Lemmas 5 and 6, the proposed HSC scheme is efficiently capable of protecting the $t_i^{\ast }$ and $c_i^t$ of each participating node during the auction session from being disclosed or modified. In contrast, the auctioneer node can select an authenticated node as a winning node without revealing their private data. Therefore, we can claim that (Problem 3) has efficiently been solved with the proposed HSC scheme.   □

7. Performance Evaluation

This section first shows a numerical analysis of the fairness of PoF, which is investigated through the satisfaction of the nodes and the auctioneer. Secondly, this section presents the experimental simulation results and analysis, starting by illustrating the parameters and the platform used in this evaluation. Then, a comparison among the PoF with PoW and PoS protocols will be displayed in terms of the efficient mining processes. Finally, cryptographic cost terms and communication overhead will be evaluated.

7.1. Numerical Analysis

In this part, we briefly illustrate a numerical analysis for the proposed PoF protocol in terms of fairness in selecting a miner node. Thus, measuring satisfaction among participating nodes is a practical methodology for numerically analyzing the proposed PoF’s efficiency.

Therefore, in this analysis, we set N number of nodes as $ND=\{n{d}_1,\dots ,n{d}_N\}$ and a task, $\tau =\{\mathrm{\Gamma },t_s,t_e\}$, (as mentioned earlier, $t_s$ and $t_e$ mean the task’s starting and ending times).

7.1.1. Participating Node’s Satisfaction

Node satisfaction is achieved when most nodes have a higher chance to participate in the auction session. Therefore, the overall node satisfaction ($N{D}^{Stf}$) is measured based on the following equations:

$$N{D}^{Stf}=\left[{\displaystyle \frac{z}{N}}\right]$$

(2)

where z is the total number of nodes that are capable of processing $\tau$ within a specific period of time, $t_s-t_e$. Thus, $N{D}^{Stf}$ shows the ratio of the nodes that participate in the auction of $\tau$ among all nodes, N. Indeed, we find $Tim{e}_c$, which is a set of nodes that are capable of processing $\tau$ within the time limits, where the size of $Tim{e}_c$ is z, and it is computed based on the following equations:

$$Tim{e}_c.z\to \left[\sum _{i=1}^k\left(n{d}_i.{\tau }^{\epsilon }\right)\right]\parallel [t_s-t_e]$$

(3)

where “||” refers to time duration, and $\epsilon$ is a threshold for measuring task $\tau$ sensitivity, as follows:

• $\epsilon =1$ denotes $\tau$ with hard sensitivity, where there is a short period of execution.
• $\epsilon =2$ denotes $\tau$ with soft sensitivity, where there is a medium period of execution.
• $\epsilon =3$ denotes $\tau$ with low sensitivity, where there is a long period of execution.

In addition, k is an integer number that represents the number of nodes that have processing capabilities to process the task, $\tau$ (without considering the time limits). Therefore, we find the set of nodes that have processing capabilities, denoted as $P_c$, and the size of $P_c$ is k. Indeed, for all nodes, N, if the node’s capabilities ($n{d}_i.cp$) are more than the task’s cost (${\tau }^{\epsilon }.c$), it will be a member of $P_c$, as shown in the following equations:

$$P_c.k\to \left[\sum _{i=1}^N\left({\displaystyle \frac{n{d}_i.cp}{{\tau }^{\epsilon }.c}}\right)\right]>0$$

(4)

In short, among N values, we first find the number of nodes that have processing capabilities to process the task, $\tau$; let us say k nodes. Secondly, among k nodes, we find the number of nodes that can process the $\tau$ within time limits; let us say z nodes. Therefore, it is clear that ($z\subseteq k\subseteq N$).

For example, for a highly sensitive task, ${\tau }^1$, only z nodes can participate; those nodes can process this task on time. Therefore, the ratio of node participation will be $(z/N)$. However, for low-sensitivity tasks ${\tau }^3$, almost all nodes can participate, which makes $z\approx N$, and increases node satisfaction to almost 1.

In contrast, other consensus protocols do not reach such node satisfaction. For example, within PoS, if one node stakes a high amount, all nodes that cannot stake a higher amount will drop off. If this scenario keeps happening, those nodes will be disappointed instead of satisfied. The same example somehow applies to the PoW and other consensus protocols.

7.1.2. Auctioneer’s Satisfaction

The auctioneer’s satisfaction, $A{N}^{Stf}$, is achieved when n of the announced tasks $\tau =\{{\tau }_1,\dots ,{\tau }_n\}$ are processed within the required time periods and with a lower payment of rewards $\left({\sum }_{i=1}^n{r}_i\right)$. In fact, the total paid rewards should not exceed the budget, $\mathcal{B}$. In addition, having more participating nodes increases node competition, which enables the auctioneer to select the node with minimum bids and, consequently, minimum rewards. Therefore, the auctioneer’s satisfaction can be measured as the following equations:

$$A{N}^{Stf}\to \left[\left({\displaystyle \frac{z}{{\sum }_{i=1}^n\left({\tau }_i^{\epsilon }\right)}}\right),\left[\left(\sum _{i=1}^n{\tau }_i^{\epsilon }\ast \sum _{i=1}^n{r}_i\right)\right]\le \mathcal{B}\right]$$

(5)

Therefore, $A{N}^{Stf}$ linearly increases when more nodes participate, and it is significantly affected by the n sizes of processed tasks, ${\sum }_{i=1}^n\left({\tau }_i^{\epsilon }\right)$, and rewards $\left({\sum }_{i=1}^n{r}_i\right)$.

On the other hand, some other consensuses protocols assign a fixed reward, regardless of the task cost, which challenges fairness and the auctioneer’s satisfaction. Some consensuses protocols require solving a complex computation (e.g., mathematical puzzle) in addition to task processing, which is another overhead that requires corresponding rewards.

7.2. Parameter Setting and Platform

• Cryptographic system parameter. The proposed security and privacy cryptographic scheme is executed on the type A of the JPBC (http://gas.dia.unisa.it/projects/jpbc (accessed on 18 October 2023)) library based on a security parameter, $\Theta =128$, over the elliptic curve, $y^2=x^3+x$, and field, ${\mathbb{F}}_q$, with the embedding degree, $\kappa =2$. The operation is executed using Java programming language.
• Blockchain system parameter. A simulation of the proposed scheme is used to determine its actual fairness in the mining process. In the simulation setting, we instantiate 100 virtual node servers. We assume that the 100 nodes randomly send their bidding values in each mining session, including their costs and time periods to the auctioneer. For a real simulation, we use a private blockchain network using the Hyperledger Besu (https://www.hyperledger.org (accessed on 21 October 2023)). This is an open-service platform that provides web client management and monitoring tools based on Java and JavaScript. The parameter settings are built on three servers for the test chain. The first server node is installed to manage the HTTP execution based on next.js (https://nextjs.org/ (accessed on 21 October 2023)). The second node is a truffle server installed to manage the Ethereum. The third node is the nginx server installed to act as an auctioneer server.

7.3. Performance of PoF Protocol

In the simulation, we appreciate that all nodes are arbitrarily connected and managed by the auctioneer. In this experiment, the auctioneer server is in charge of selecting a miner node as a winner by considering the level sensitivity of the block, the time of generation, and its social cost. We set up a time interval $[t_s,t_e]$, determined to be 40 ms, 60 ms, and 80 ms as the required times to generate a new block. Thus, the node that has the computational capability of generating a block within the required time interval can participate in the auction process by sending its bidding value.

As shown in Figure 3a, it can be inferred that the number of bidder nodes is influenced by the time periods. For example, if the time period is 60 ms, the number of nodes increases because nodes with various computational capabilities have a higher chance of being selected as winners.

This will positively affect the auctioneer satisfaction as shown in Figure 3b. This is because the cost of a range of 100 nodes initially decreases as more nodes participate in the auction system. Therefore, the auctioneer will easily find a participant node with a lower social cost that has compatible computational power for achieving the required mining process at the required time. The auctioneer’s satisfaction is measured by selecting a node that can perform the task at a lower cost. Moreover, node satisfaction is measured by increasing the chances for all nodes to win the auction session fairly.

A Fairness of Selecting Miner Node

The fairness in selecting a miner node is mainly measured by evaluating the participating nodes’ satisfaction. Since the PoW and PoS require powerful computational features and resources, most nodes that have limited computational powers feel as if they are not capable of winning the session. Thus, this will lead to node satisfaction issues, which results in stopping nodes from participating in any further mining selection process. Even when assigning various time durations (40 ms, 60 ms, and 80 ms) as the time for generating a block to encourage node participation in the miner selection process, they still feel unsatisfied, as shown in Figure 4a,b.

Compared with the proposed PoF protocol, Figure 4c illustrates that nodes are satisfied even when increasing the number of nodes. This is because the proposed PoF protocol selects a miner node based on two factors: lower costs and low time durations to generate blocks. Therefore, the node that is capable of generating a block within the required time duration, and at a lower cost, has a high chance to win the selection session.

Moreover, in PoW and PoS protocols, the puzzle complexity and amount of money linearly increase with the number of participating nodes, which will increase the transmission time and cost. Then the auctioneer could be incapable of handling all received messages within $\epsilon$. Thus, as shown in Figure 5a, most of the received messages of bidder nodes in PoW and PoS could be dropped, which allows excluding several nodes from being selected as a miner. Consequently, the fairness and competition among nodes in PoW and PoS protocols are not guaranteed.

In contrast, the proposed PoF protocol gives all nodes, even those with limited computational capabilities, a sense of having a high chance of being selected as a miner. Our PoF protocol works effectively and dynamically to select a miner process with guaranteed fairness among participating nodes, in comparison with other PoW and PoS protocols. Thus, nodes in the proposed PoF protocol are more eager to participate in each miner selection session, while nodes in PoW and PoS are lazy or disappointed, as shown in Figure 5b.

7.4. Comparisons of Effectiveness

The performance effectiveness of the proposed protocol has been compared with PoW and PoS in terms of the following considerations:

Time Cost of Miner Node Selection

The total time cost in selecting a miner node is majorly affected by two factors: the time of the computational cost and the time of the transmission cost. To produce an accurate evaluation, we set a threshold ($ϵ$ = 1 s) as the maximum time of the session that the auctioneer, $n{d}_{a_i}$, can use to select a winning node, $n{d}_i$, as a miner from the n bidder nodes. Additionally, we set a threshold ($\epsilon$ = 10,240 bits) as a maximum capability of the auctioneer, $n{d}_{a_i}$, to deal with n received messages from n nodes during the $ϵ$ of selecting the miner node.

• Time of computational cost: Comparing PoF to PoW and PoS protocols, we observe that, with increasing the number, n, of bidder nodes, the computational costs linearly increase in PoW and PoS protocols compared to our proposed PoF protocol, as illustrated in Figure 6a. This is because, with increasing n bidder nodes, the complexity of the mathematical puzzle in the PoW protocol will also be increased, which increases the computational cost of solving the puzzle. Additionally, within the PoS protocol, the computational cost for counting and collecting the amount of cryptocurrency will increase by increasing n bidder nodes.
• Time cost of transmission message: As shown in Figure 6b, the proposed PoF protocol has a lower transmission cost compared with PoW and PoS protocols. The transmission cost in the PoW protocol increases linearly with the cost of the mathematical puzzle. As discussed previously, with the increasing number of bidders, the complexity of the puzzle will also increase. Thus, this will also increase the size of the message length, and the transmission time cost will increase. In addition, in the PoS protocol, the transmission cost also increases linearly when increasing the amount of cryptocurrency. When increasing the number of bidders, each node will increase its amount of cryptocurrency to win the session.

Thus, the time cost of selecting miner nodes in PoW and PoS protocols is not practical as the number of connected nodes increases, due to the requirement for high computational power or high credit, along with high bandwidth for transmitting their messages. Therefore, the proposed PoF protocol is more suitable with limited computational and communication overhead, with stable bandwidth and computational costs when selecting a miner node.

7.5. Performance of a Security and Privacy Scheme of PoF Protocol

Since the node’s winning depends on providing its best strategy, the node’s data strategy should be protected from being disclosed or forged. However, the designed cryptography must be compatible with the time period of the miner node selection process. This work mainly focuses on the computational and communication overhead of proposed cryptographic operations and omits the computations performed for selecting miners and generating blocks.

7.5.1. Computational Cost

To evaluate the proposed security and privacy scheme and illustrate its performance efficiency, the time consumption of performing the cryptographic computational operations is considered. The scalar multiplication in ${\Im }_1$ and pairing $\widehat{e}$ are the main operations that are considered to evaluate the time consumption of the proposed scheme. Let $m{G}_1$ and $\widehat{p}$ denote the scalar multiplication in ${\Im }_1$ and bilinear pairing $\widehat{e}$, respectively. The computational cost of the proposed scheme will be evaluated using the following phases:

• Bidding phase $\left(Bid\right)$: In this phase, each node, $n{d}_i$, encrypts its best strategy, which generates nine multiplication operations, $9\left(m{G}_1\right))$, in ${\Im }_1$.
• Verification phase $\left(Ver\right)$: In this phase, the auctioneer will take three bilinear pairing for n nodes $n\left[3\left(\widehat{p}\right)\right]$ to verify their validation.
• Sorting phase $\left(Sort\right)$: In this phase, the auctioneer will also take three bilinear pairing $3\left(\widehat{p}\right)$ to sort nodes based on their time and social costs.
• Selecting the winner phase $\left(WinSel\right)$: In this phase, the auctioneer needs to compute three multiplication operations, $3\left(m{G}_1\right))$ in ${\Im }_1$.

Table 1. Computational overhead.

	$\left(\mathit{Bid}\right)$	$\mathit{Ver}$	$\mathit{Sort}$	$\mathit{WinSel}$
Operations	$\mathbf{9}{\mathit{mG}}_{\mathbf{1}}$	$\mathbf{3}\widehat{\mathit{p}}$	$\mathit{n}\left(\mathbf{3}\widehat{\mathit{p}}\right)$	$\mathbf{3}{\mathit{mG}}_{\mathbf{1}}$
$n=50$
Max Time	16.20 ms	27.85 ms	461.20 ms	5.30 ms
Min Time	13.70 ms	20.80 ms	189.5 ms	3.50 ms
Average Time	14.61 ms	22.70 ms	276.30 ms	4.10 ms
$n=100$
Max Time	16.91 ms	28.10 ms	635.50 ms	5.62 ms
Min Time	13.70 ms	21.66 ms	337 ms	3.50 ms
Average Time	14.75 ms	23.10 ms	454 ms	4.80 ms

illustrates the computational costs of the proposed scheme with 50 connection nodes. It shows that the verification process is the most expensive phase, consuming large computational costs. This is because the auctioneer is required to verify the validity for n bidder nodes. However, as shown in Table 1, by evaluating the scheme with 100 connection nodes, the verification process does not largely consume costs, as the auctioneer performs an aggregation algorithm to aggregate all ciphertexts of the nodes, verifying them simultaneously. In contrast, the computational time costs of the other phases are not affected by n.

7.5.2. Communication Cost

The ciphertext length size is used to measure the cost of the proposed communication propriety. The communication overhead of the proposed protocol is analyzed in terms of considering communication from bidders to the auctioneer. In submitting a bid value, a node, $n{d}_i$, is required to send the ciphertext of its bids $(E_i,S_i)$ to the auctioneer, $n{d}_{a_i}$, which is $\left(5\right|{\Im }_1\left|\right)$. The binary length for every multiplication generated by a scalar point in ${\Im }_1$ is 160 bits. Therefore, 800 bits is the size length of the ciphertext $(E_i,S_i)$ that is generated for communication from the bidders to the auctioneer.

8. Conclusions and Future Work

This paper presents a new dynamic mining protocol that takes into account the time-sensitivity of transactions and selects the appropriate miner accordingly, rather than solely considering computational and resource capabilities. The paper introduces a reverse auction mechanism as an incentive for all nodes to participate in the miner selection process. Additionally, an expressive language is devised to classify transaction types based on their sensitivity to processing times, making them compatible with our miner selection process. Furthermore, a homomorphic concept is developed as a privacy-preserving scheme to safeguard the confidentiality of bidders’ data. Finally, the effectiveness of the PoF is extensively validated through numerical analysis and simulation. The results demonstrate that the proposed mechanism effectively ensures fair miner node selection while reducing the burden of reward costs on the system. In the future, the research will focus on a smooth, decentralized, and low-cost auctioneer selection process, as well as applying and measuring the performance of the PoF on real applications. This will include extensive testing of the performance and efficiency of the proposed security scheme against different kinds of attacks.