A Privacy-Preserving and Quality-Aware User Selection Scheme for IoT

Abstract

In the Internet of Things (IoT), the selection of mobile users with IoT-enabled devices plays a crucial role in ensuring the efficiency and accuracy of data collection. The reputation of these mobile users is a key indicator in selecting high-quality participants, as it directly reflects the reliability of the data they submit and their past performance. However, existing approaches often rely on a trusted centralized server, which can lead to single points of failure and increased vulnerability to attacks. Additionally, they may not adequately address the potential manipulation of reputation scores by malicious entities, leading to unreliable and potentially compromised user selection. To address these challenges, we propose PRUS, a privacy-preserving and quality-aware user selection scheme for IoT. By leveraging the decentralized and immutable nature of the blockchain, PRUS enhances the reliability of the user selection process. The scheme utilizes a public-key cryptosystem with distributed decryption to protect the privacy of users’ data and reputation, while truth discovery techniques are employed to ensure the accuracy of the collected data. Furthermore, a privacy-preserving verification algorithm using reputation commitment is developed to safeguard against the malicious tampering of reputation scores. Finally, the Dirichlet distribution is used to predict future reputation values, further improving the robustness of the selection process. Security analysis demonstrates that PRUS effectively protects user privacy, and experimental results indicate that the scheme offers significant advantages in terms of communication and computational efficiency.

1. Introduction

The Internet of Things (IoT) is an evolving concept that leverages the widespread deployment of connected devices, such as sensors, smart meters, and other IoT-enabled hardware, to collect and exchange data across various applications [1,2]. These applications span a wide range of domains, including environmental monitoring, urban planning, healthcare, and intelligent transportation systems. IoT harnesses the connectivity and ubiquity of these devices to enable the real-time collection and analysis of diverse data types. By aggregating data from a multitude of interconnected devices, IoT provides valuable insights, making it a cost-effective and scalable solution for large-scale sensing and data-driven decision-making [3,4,5,6]. For instance, in the domain of the Industrial Internet of Things (IIoT), particularly within smart grids, IoT devices are utilized to monitor and manage energy consumption, enhance grid stability, and improve the overall efficiency of power distribution networks.

However, the effectiveness of IoT systems heavily relies on the selection of users who carry devices and contribute data [7,8,9]. The quality and reliability of the collected data are directly influenced by the credibility of these users, making the selection process a critical factor in ensuring the overall efficiency and accuracy of IoT applications. For instance, in a smart grid environment, selecting users who are strategically located and have a history of accurate data reporting is crucial to obtaining reliable and actionable insights for energy management. The data collected from these users often include variables such as energy consumption levels, sensor readings (e.g., temperature, humidity, and energy flow), and device operation statuses. These data points are critical for optimizing energy distribution and improving grid efficiency [10]. Similarly, in healthcare IoT, the selection of trustworthy users is vital to ensure the accuracy of health data, which can have significant implications for patient care and public health interventions [11]. Therefore, an effective user selection mechanism is essential for maximizing the potential benefits of IoT systems while minimizing the risks associated with inaccurate or unreliable data.

Given the critical role of user selection in IoT systems, the reputation of users who carry IoT-enabled devices such as smartphones, environmental sensors, smart meters, and wearable devices is a fundamental criterion for identifying participants capable of providing high-quality data [12]. Reputation values are crucial because they directly reflect a user’s reliability, which in turn impacts the quality of the data they contribute. These values are typically derived from factors such as the accuracy of the data provided, the user’s consistency in participation, and their adherence to task requirements [13]. By prioritizing users with higher reputation scores, IoT systems can significantly improve the overall quality and reliability of the data collected, ensuring that only trustworthy users are selected for critical tasks. Consequently, integrating a reputation-based user selection mechanism is essential for optimizing both the effectiveness and credibility of IoT applications.

Some user selection works have been proposed. For instance, Refs. [14,15,16] select users by maximizing the quality of sensor data or minimizing the maintenance cost. However, these solutions are centralized in nature and are prone to single-point failures and other issues. Moreover, certain studies [17,18,19] employ blockchain technology to utilize reputation as a screening metric for assessing user dependability. Specifically, they store the user’s reputation value on the blockchain to uphold credibility. However, the transparency of the blockchain could potentially result in privacy issues as reputations may be leaked. Furthermore, state-of-the-art work [7] ensures the credibility of the employee selection process while protecting the privacy of user reputation by leveraging the decentralization, transparency, and immutability of the blockchain and selects top-ranked employees through a secret minimum heap sorting scheme to provide high-quality perception services. However, this work ignores the fact that reputations may be forged. Therefore, determining reliable users for IoT, safeguarding user privacy, and preventing malicious users from manipulating reputation are crucial challenges that need addressing.

To address the aforementioned challenges, we propose a privacy-preserving and quality-aware user selection scheme for IoT environments. In our scheme, quality-aware user selection involves evaluating participants based on their reputation scores, which are calculated from multiple factors such as data accuracy and consistency in reporting. Only users who meet a certain quality threshold are selected to ensure the reliability and quality of the collected data. Our approach leverages the inherent advantages of blockchain technology, such as decentralization, transparency, and immutability, to ensure a reliable user selection process. To guarantee the provision of high-quality data, we introduce a truth discovery technique that accurately computes the true data from the information provided by users. Additionally, to protect against the risk of malicious tampering with user reputations [20], we design a privacy-preserving verification algorithm based on reputation commitment, ensuring the integrity of reputation scores before user selection. Finally, recognizing that user reputation may evolve over time due to changes in behavior [21], we employ the Dirichlet distribution to forecast future reputation based on historical truth values. Our key contributions are as follows:

• We designed a privacy-preserving and quality-aware user selection (PRUS) scheme, which uses a public-key cryptosystem with distributed decryption to protect perceived data privacy and reputation privacy and uses blockchain technology to achieve reliable user selection.
• To ensure the reliability of data in IoT, we compute the truth value through truth discovery. Recognizing the critical role of user reputation in this process, we designed a reputation verification algorithm using reputation commitment with privacy protection, ensuring that reputation values are tamper-proof. Additionally, we utilize the Dirichlet distribution to predict future reputation values, further enhancing the accuracy and reliability of user selection.
• We evaluate the privacy-preserving user selection scheme based on computational overhead and communication overhead. We experimentally verify the effectiveness and feasibility of the scheme.

The paper is organized as follows: Related works are presented in Section 2, followed by the preliminaries in Section 3. Section 4 covers the models and design goals. Our proposed scheme is detailed in Section 5, followed by the security analysis in Section 6. Section 7 discusses experimental findings, and Section 8 contains the paper’s conclusion.

2. Related Works

In this section, we mainly discuss privacy-preserving truth discovery and user selection schemes related to our work.

Table 1. Comparison with related works. ✓ means the goal is met, × means the goal is not met.

	Ref. [14]	Ref. [15]	Ref. [22]	Ref. [23]	Ref. [24]	Ref. [7]	Our PRUS
Privacy	×	×	✓	✓	✓	✓	✓
Security	×	×	×	×	✓	×	✓
Efficiency	✓	✓	×	✓	×	×	✓

shows the comparison of our PRUS scheme with previous works in terms of design goals (Section 4.4).

2.1. Privacy-Preserving Truth Discovery (PPTD)

To enhance mobile users’ privacy and prevent adversaries from linking or tracking them with sensitive information, various studies [25,26,27,28,29,30] have been conducted. To be specific, Miao et al. introduced two PPTD schemes aimed at protecting mobile users’s privacy in MCS. One scheme [25] utilized a cloud server to protect sensing data privacy, while the other [26] employed an additively homomorphic cryptosystem to ensure privacy and reduce user burdens. To address the efficiency challenges of the PPTD algorithm, Zheng et al. [27] introduced two novel privacy-aware crowdsensing strategies that significantly enhance bandwidth and computation performance. Similarly focusing on privacy preservation, Tang et al. [28] and Xu et al. [31] addressed efficiency issues in their work. Furthermore, due to the lack of practical solutions, Zhang et al. [29] presented two practical application scenarios implementing PPTD. Wu et al. [30] presented two MCS schemes using the dual clouds model: one for basic privacy-aware TD and the other for enhanced privacy TD, effectively balancing privacy and practicality considerations. These initiatives collectively tackle efficiency and overhead challenges associated with privacy preservation, although none specifically address the reliability of sensing data and users.

2.2. User Selection

Existing user selection schemes fall into two categories: traditional trust-based models and blockchain-based crowdsensing.

User selection in the traditional trust-based model. Guo et al. [14] introduced two user selection methods: one aimed at minimizing the overall distance traveled for tasks with time constraints, while the alternative approach focused on reducing the total user count for tasks that can tolerate delays. Wang et al. [15] suggested a prediction-driven approach to recruit users in mobile crowdsensing, aiming to reduce the expenses associated with uploading sensor data. Yang et al. [16] expanded on the strategy in [15] for spatiotemporal sensitive tasks. Despite framing the user selection issue as a target optimization to meet various requester needs, the actual user selection process is outsourced to a third-party platform, neglecting the fairness of outcomes. Several researchers suggested incorporating reputation into user selection. For instance, Wang et al. [32] proposed incorporating reputation levels as a determinant of user choice and compensation in MCS. Pouryazdan et al. [33] explored two approaches for evaluating reputation using statistical analysis and voting, amalgamating them to compute a collaborative reputation score for selecting users. They integrated decentralized and centralized approaches to enhance data reliability in selecting users based on reputation but overlooked reputation privacy. Wang et al. [34] devised a reliable crowdsourcing framework by introducing the social cloud as a service provider and a reputation-based auction system for selecting trustworthy users, with reputation scores stored in a database managed by the social cloud. However, the user selection process is managed by the trusted centralized server, exposing it to the same issues as the conventional trust-based model.

User selection in blockchain-based crowdsensing. To address the shortcomings of the conventional trust-based model, several studies suggested implementing user selection procedures within blockchain-based crowdsensing (BBC) systems. For instance, Wei et al. [17] proposed utilizing blockchains to save assessed reputation scores to ensure trustworthy worker selection. Kadadha et al. [18] introduced a decentralized crowdsensing platform for various requesters and workers using Ethereum (SenseChain). Within SenseChain, the Quality Information (QoI) for assignments is determined through the integration of reputation value, time, and distance metrics, aiming to select a group of workers with the highest QoI according to the requester’s needs. While this approach achieves fair and dependable worker selection, it operates in a plaintext environment, overlooking the confidentiality of reputation scores and sensory information. Zhao et al. [19] created a mobile crowdsensing system using blockchain technology and proposed a strategy for maintaining privacy while managing reputation to address unethical actions by workers. This method ensures data privacy during reputation calculation via additive secret sharing but overlooks the protection of workers’ reputation confidentiality. Duan et al. [22] concentrated solely on preserving data confidentiality. They employed the threshold Paillier cryptosystem and differential privacy to protect data privacy, integrated SGX technology for data aggregation accuracy, and utilized zero-knowledge proof to counter unauthorized data submissions. Ding et al. [23] suggested a reputation system and a dispute resolution system for selecting workers and data evaluators, aiming to enhance sensing service quality and ensure fair task data evaluation. Furthermore, Chatzopoulos et al. [24] incorporated Internet service providers (ISPs) to offer location-based task recommendations and devised cost-effective bidding for worker selection to minimize crowdsensing provider expenses. To safeguard privacy, ISPs assign distinct identifiers to users for each session to safeguard their identities and locations, although this approach may entail additional overhead for maintaining ID-to-identity mappings and facilitating operations like reputation and asset transfers. Regrettably, many of the aforementioned studies overlook the privacy implications of reputation values stemming from the transparency of blockchain technology. To address the above problem, the most recent work [7] proposed a trusted and privacy-preserving worker selection method called Trustworker for BBC systems. By leveraging the decentralization, transparency, and immutability of the blockchain, it ensures the credibility of the worker selection process while safeguarding the confidentiality of reputation and selects the top-ranked workers through a secret minimum heap sorting scheme to provide high-quality sensing services. However, this work ignores the fact that reputations can be forged, making user selection unreliable.

3. Background

In this section, we mainly discuss various background knowledge related to this scheme, such as truth discovery, a PCDD cryptosystem, an equality verification algorithm, and Dirichlet Distribution.

3.1. Truth Discovery

The concept of truth discovery serves as a crucial technology designed to resolve conflicts in noisy data and assess the trustworthiness of users through the data they furnish. Previous research [25,27,35] has highlighted its benefits in different situations. The truth discovery process commences by setting the initial truth for each task, then progresses through iterative updates to refine the weights and truths until convergence is attained.

Weight update. Regarding the original ground truth remaining constant, this phase entails the modification of user weights. User weights are adjusted based on how closely the information provided by the user corresponds to the established true value. The information provided by users typically includes sensor data such as temperature, humidity, energy consumption, or traffic flow, depending on the specific IoT application. In our case, the users involved were primarily from sectors like energy management, environmental monitoring, and smart city infrastructure, where reliable data are critical. The blockchain is employed to ensure the privacy and security of both user-provided data and reputation scores, preventing tampering and unauthorized access. When there is a high degree of alignment, the user’s weight is augmented; conversely, it is diminished in the case of discrepancies. Generally, the user’s weight is determined through the following:

$$w_k=\log \left({\displaystyle \frac{{\sum }_{k=1}^K{\sum }_{m=1}^{M}d(x_m^k,x_m^{\ast })}{{\sum }_{m=1}^{M}d(x_m^k,x_m^{\ast })}}\right),$$

(1)

where $x_m^k$ stands for the sensor data submitted by the user k for the $m\mathrm{t}\mathrm{h}$ task, and $x_m^{\ast }$ indicates the current estimated value of the $m\mathrm{t}\mathrm{h}$ task. The function $d(·)$ is used as a distance measure to evaluate the disparity between user data and the true value. In our study, we adopt the following distance function:

$$d(x_m^k,x_m^{\ast })={\displaystyle \frac{{(x_m^k-x_m^{\ast })}^2}{st{d}_m}},$$

(2)

where $st{d}_m$ denotes the standard deviation for object m across all users.

Truth discovery. By calculating the weight of each user in the above stage, the truth value of task m can be revised as:

$$x_m^{\ast }={\displaystyle \frac{{\sum }_{k=1}^K{w}_k·x_m^k}{{\sum }_{k=1}^K{w}_k}}.$$

(3)

In the given equation, K denotes the total number of users, $x_m^k$ denotes the perception data from $u_k$ for the $m\mathrm{t}\mathrm{h}$ task, $w_k$ stands for the user weight of $u_k$, and $x_m^{\ast }$ indicates the newly estimated truth.

3.2. Public-Key Cryptosystem with Distributed Decryption (PCDD)

Liu et al. [36] introduced a modified public-key cryptosystem that facilitates distributed decryption, referred to as the PCDD cryptosystem, derived from a two-factor Paillier-based cryptosystem [37]. In the PCDD, the private key is fragmented into multiple parts to ensure that no individual entity can decrypt the encrypted data alone. This approach is commonly used in secure multi-party computation due to its operational efficiency and reliability. To elaborate, the PCDD mechanism functions in the following way.

• $\mathit{KeyGen}$: Given a security parameter k and two large prime numbers p and q, where $\left|p\right|=\left|q\right|=k$, we select two strong primes $p^{\prime },q^{\prime }$ as $p^{\prime }={\displaystyle \frac{p-1}{2}}$ and $q^{\prime }={\displaystyle \frac{q-1}{2}}$. Next, we calculate $N=pq$ and $\lambda =\mathrm{lcm}\left({\displaystyle \frac{p-1}{2}},{\displaystyle \frac{q-1}{2}}\right)$. Subsequently, we define a function $L\left(x\right)={\displaystyle \frac{x-1}{N}}$. To proceed, we select a generator g of order ${\displaystyle \frac{(p-1)(q-1)}{2}}$ (obtainable by picking a random number $a\in {\mathbb{Z}}_{N^2}^{\ast }$ and setting $g=-a^{2N}$). Subsequently, we randomly choose $\theta$ from the interval $[1,{\displaystyle \frac{N}{4}}]$ and compute $h=g^{\theta }\mathrm{mod}{N}^2$. The public key is $pk=\{N,g,h\}$, while the strong private key is $SK=\lambda$.
• $\mathit{Enc}$: Given a message $m\in {\mathbb{Z}}_N$, select a random number $r\in [1,N/4]$. The ciphertext can be generated as follows:

  $$C_m=h^r(1+mN)\mathrm{mod}{N}^2.$$

  (4)
• $\mathit{SDec}$: $C_m$ can be decrypted using decryption algorithm $D_{SK}(·)$ with strong private key $SK=\lambda$ by initially performing the following calculation:

  $$C_m^{\lambda }\mathrm{mod}{N}^2=g^{\lambda ·\theta r}(1+mN\lambda )\mathrm{mod}{N}^2=(1+mN\lambda ).$$

  (5)
  Therefore, as $\gcd (\lambda ,N)=1$, the value of m can be retrieved as follows:

  $$m=L\left(C_m^{\lambda }\mathrm{mod}{N}^2\right){\lambda }^{-1}\mathrm{mod}N.$$

  (6)
• $\mathit{SkeyS}$: The strong private key $SK=\lambda$ can be randomly divided into t parts. These partial strong private keys are represented as $S{K}^{\left(i\right)}={\lambda }_i$$(i=1,\dots ,t)$. These parts satisfy the conditions ${\sum }_{i=1}^t{\lambda }_i\equiv 0\mathrm{mod}\lambda$ and ${\sum }_{i=1}^t{\lambda }_i\equiv 1\mathrm{mod}{N}^2$ simultaneously.
• $\mathit{PSDec}$: Upon receiving $C_m$, we can use the partial strong private key $S{K}^{\left(i\right)}={\lambda }_i$ to calculate the partially decrypted ciphertext $C{T}^{\left(i\right)}$ as follows:

  $$C{T}^{\left(i\right)}={\left(C_m\right)}^{{\lambda }_i}=g^{r\theta {\lambda }_i}(1+mN{\lambda }_i)\mathrm{mod}{N}^2.$$

  (7)
• $\mathit{DDSec}$: Upon receiving $C{T}^{\left(1\right)},\dots ,C{T}^{\left(t\right)}$, the DDSec algorithm computes $m=L\left({\prod }_{i=1}^{t}C{T}^{\left(i\right)}\right)$.

3.3. Equality Verification Algorithm

An algorithm for equality verification is presented to validate that two commitments encrypt identical values while preserving the confidentiality of any information beyond the commitments.

• Setup. Consider two large primes, denotes as p and q, where $q\mid (p-1)$. Let g and h be generators of the cyclic group G with order q. The algorithm utilizes p, q, g, and h as public parameters. It is assumed that $t\in {\mathbb{Z}}_p^{\ast }$ denotes the user’s value, while $t^{\prime }\in {\mathbb{Z}}_p^{\ast }$ represents the user’s submitted value, which could be potentially invalid.
• Commitment. The server obtains the value commitment $C{m}_{t^{\prime }}=g^{t^{\prime }}·h^{r^{\prime }}\mathrm{mod}p$ from the user, where $r^{\prime }\stackrel{R}{\leftarrow }{\mathbb{Z}}_p^{\ast }$.
• Challenge. The server sends $C{m}_{t^{\prime }}$ to the trusted third party (TTP).
• Response. Upon receiving $C{m}_{t^{\prime }}$, the TTP chooses $\beta ,\gamma ,{\gamma }^{\prime }\in {\mathbb{Z}}_p^{\ast }$ randomly. Subsequently, it calculates $C{m}_1=g^{\beta }·h^{\gamma }\mathrm{mod}p$, $C{m}_2=g^{\beta }·h^{{\gamma }^{\prime }}\mathrm{mod}p$, and $H=\mathrm{Hash}\left(C{m}_1\right|\left|C{m}_2\right)$, where $\mathrm{Hash}(·)$ represents a hash function. Following this, based on $C{m}_t=g^t·h^r\mathrm{mod}p$ and $r\stackrel{R}{\leftarrow }{\mathbb{Z}}_p^{\ast }$, the TTP computes $D=\beta +H·t^{\prime }$, $D_1=\gamma +H·r^{\prime }$, and $D_2={\gamma }^{\prime }+H·r$. Ultimately, the TTP transmits $\{H,D,D_1,D_2,C{m}_t\}$ to the server.
• Verification. The server checks whether Equation (8) holds.

  $$H=\mathrm{Hash}\left(g^D{h}^{D_1}{\left(C{m}_t\right)}^{-H}\left|\right|g^D{h}^{D_2}{\left(C{m}_{t^{\prime }}\right)}^{-H}\right)\mathrm{mod}p.$$

  (8)

When (8) is satisfied, the server concludes that the two commitments, $C{m}_{t^{\prime }}$ and $C{m}_t$, correspond to identical values.

3.4. Dirichlet Distribution Algorithm

The Dirichlet distribution comprises a set of continuous multivariate probability distributions defined by a prior parameter vector $\overrightarrow{\zeta }$ [38,39]. In situations involving binary state spaces, the distribution is also influenced by the Beta distribution [40]. It is commonly employed to represent the probability distribution among N-dimensional random variables $\overrightarrow{X}=\{X_1,X_2,\dots ,X_N\}$ with N representing the number of potential outcomes and $X_i$ denotes the value of the $i\mathrm{t}\mathrm{h}$ outcome. Firstly, we establish a vector $\overrightarrow{\theta }=\{{\theta }_1,{\theta }_2,\dots ,{\theta }_N\}$, where $\theta \in [0,1]$ and ${\theta }_{i-1}<{\theta }_i$. Following this, the probability distribution vector of $\overrightarrow{X}$ is denoted by $\overrightarrow{p}=\{p_1,p_2,\dots ,p_N\}$, where $p_i=P\{{\theta }_{i-1}<X_i\le {\theta }_i\}$, with $1\le i\le N$. By observing a sequence of k feasible results, the Dirichlet distribution yields prior parameters $\overrightarrow{\zeta }=\{{\zeta }_1,{\zeta }_2,\dots ,{\zeta }_N\}$ to portray the cumulative observation vector, where ${\zeta }_i>0$. As a result, the probability density function (PDF) can be formulated as

$$f\left(\overrightarrow{p}\right|\overrightarrow{\zeta })={\displaystyle \frac{\Gamma \left({\sum }_{i=1}^N{\zeta }_i\right)\times {\prod }_{i=1}^N{p}_i^{{\zeta }_i-1}}{{\sum }_{i=1}^N\Gamma \left({\zeta }_i\right)}},$$

(9)

where $\Gamma (·)$ denotes the Gamma function. Subsequently, we can compute the mean of the Dirichlet distribution as

$$E\left(p_i\right|{\overrightarrow{\zeta }}_i)={\displaystyle \frac{{\zeta }_i}{{\sum }_{i=1}^N{\zeta }_i}}.$$

(10)

4. Problem Statement

This section primarily presents the system and threat models, workflow, and design goals of the scheme.

4.1. System Model

The system model depicted in Figure 1 includes four entities: a data requester, two cloud servers, multiple mobile users, and the blockchain.

• Data requester. The data requester may belong to a management department or a service provider or be an authorized individual. They are responsible for assigning sensing tasks to IoT devices and users to collect data such as environmental conditions, energy usage, traffic flow, and other valuable information.
• Cloud servers. The cloud servers possess robust storage and computing capabilities, enabling them to gather and analyze ciphertexts. Moreover, they assess sensory data and transmit verifiable reputation to the blockchain.
• Mobile users. Mobile users can utilize various sensing devices, such as smartphones, tablets, wearable devices, and IoT sensors, to gather data related to specific tasks assigned by the data requester. These users collect data based on their location and preferences, which may include environmental metrics, energy consumption, or traffic conditions. The collected data are then submitted to the cloud or edge servers for processing and analysis. Users who consistently provide high-quality data are rewarded with a higher reputation or quality score, thereby increasing their likelihood of being selected for future tasks in the user selection process.
• Blockchain. In the PRUS scheme, a consortium blockchain is employed within the IoT environment, enabling users and requesters who are involved in IoT sensing tasks to operate as nodes within the blockchain network. Additionally, the blockchain network includes specialized reputation nodes, which are responsible for assigning reputation or quality score commitments to users based on the data they provide. These reputation nodes also update the scores based on feedback from cloud or edge servers and verify the authenticity of users’ reputation or quality scores, ensuring the integrity and reliability of the user selection process. Note that in our solution, the security access policy of the consortium chain is that users can only access their own data and cannot access other users’ data. The blockchain in this article refers to the consortium chain.

4.2. Threat Model

In this section, we outline potential threats to the blockchain, data requester, cloud servers, and mobile users as per the system model mentioned earlier.

We assume that all nodes in the blockchain are trustworthy. Like prior studies, we operate under the assumption that the information housed in the consortium chain is entirely reliable and that there will be no collaboration with external parties. The data requester and cloud servers ($S_1\mathrm{and}{S}_2$) are considered to be honest-but-curious, which means they are capable of fulfilling their responsibilities with integrity and will refrain from any form of collusion among themselves or with any malicious parties. It is important to note that while upholding their honesty, the data requester and cloud server may gain access to the confidential information of mobile users.

Mobile users, acting as data contributors, are accountable for gathering sensing data. It is assumed that the majority of these users are trustworthy, although there may be some with malicious intentions. In particular, malicious users might manipulate reputation values to meet the task’s reputation criteria and deduce the reputation of other users.

4.3. Workflow

The PRUS scheme consists of the steps illustrated in Figure 1.

• ① Register. The requester, mobile users, and cloud servers must register on the blockchain and receive a key pair. The registration details of all participants will be documented as transactions in the distributed ledger.
• ② Assign tasks. The data requester broadcasts the sensing task through the blockchain, including the task information and reputation requirements.
• ③ Recruit users. Each mobile user that intends to perceive data submits its reputation value commitment to the cloud server, which cooperates with the reputation node of the blockchain to verify whether the reputation value meets the set criteria.
• ④ Select users. The cloud server selects mobile users whose reputation values meet the criteria of the perception task.
• ⑤ Upload data. The selected mobile users upload perception data to the cloud servers.
• ⑥ Perform truth discovery. $S_1$ interacts with $S_2$ to calculate the true value of the perception task, and then $S_1$ sends the true value to the data requester.
• ⑦ Predict reputation values. The cloud server evaluates the accuracy of the data perceived by individual mobile users by comparing it to the ground truth data and then submits the evaluation outcomes to the reputation node. The reputation node then predicts the reputation score for each user using the latest and historical reputation.
• ⑧ Update reputation values. Based on the prediction results, the reputation node adjusts the reputation value of the selected mobile user, calculates the reputation commitment, and sends the reputation commitment to the user.

4.4. Design Goals

Given the threat model, this paper aims to develop a reputation-based user selection framework in IoT. The specific design goals are as follows:

• Privacy. PRUS needs to protect the confidentiality of reputation values and sensing data belonging to mobile users. It is crucial that the reputation values of mobile users remain undisclosed, untraceable, and unconnected by any ill-intentioned mobile users or potential adversaries. Simultaneously, the sensing data of mobile users must be secure throughout the truth discovery procedure.
• Security. PRUS needs to ensure that reputation scores cannot be manipulated by malicious users. Furthermore, it should prevent malicious mobile users and other attackers from deducing the reputation values of other mobile users.
• Efficiency. The communication and computational overhead for mobile users should be minimized to facilitate the practical use of PRUS.

5. The Proposed Scheme

PRUS mainly includes registration, assigning sensing tasks, recruiting users, verifying and selecting mobile users, uploading data, performing truth discovery, predicting user reputation, and updating reputation values. Here are the specifics. To enhance comprehension, we provide the symbols in

Table 2. Notations used in our scheme.

Notation	Description
$Cm$	Reputation commitment
M	The number of tasks
K	The number of mobile users participating in the sensing task
$x_m^k$	User k’s data for task m
$w_k$	User k’s reputation
$st{d}_m$	The standard deviation
${\tilde{z}}_m$	The perturbed truths
$E(·)$	The ciphertext
$\zeta$	The prior parameter
p	Probability distribution vector
$\theta$	Reputation level vector
$q_i$	Weight for each ${\theta }_i$
$R_U$	Reputation value of the mobile user

.

5.1. Register and Assign Tasks

First, the requester, mobile user, and cloud server must be registered on the blockchain. Before describing the specific steps for each stage, it is essential to establish a reliable node within the blockchain system to produce the public and private keys for both the cloud and the requester. In the consortium chain, this can be accomplished by utilizing a secure multi-party computing protocol, and the key pair can only be seen by authorized users. The public key $(n,g,h)$ is disclosed, and the private key $\lambda$ is split into two components $({\lambda }_1,{\lambda }_2)$. Server $S_1$ gets ${\lambda }_1$ and server $S_2$ gets ${\lambda }_2$. When a new mobile user joins this system, he/she uses the corresponding public key to register identity and the reputation node assigns an initial reputation value $t\in [0,b)$ and $ID$, where $t\in {\mathbb{Z}}_p^{\ast }$. Let p and q be two large primes such that q dividing $p-1$, and g and h are two generators of the cyclic group G with order q. Here, p, g, and h are public parameters.

The requester initiates the process by publishing the m tasks to any node within the blockchain network. The task details include a description of the task and a user reputation threshold $t_0$, which specifies the minimum reputation score required for performing each task. Upon receiving the task set, the reputation node first verifies the requester’s $ID$ to ensure that the requester is valid. To be specific, the mobile user uses his private key to sign a message. Then, the reputation node uses the corresponding public key to verify the signature. If the registration information is confirmed to be valid, the reputation node proceeds to broadcast the task across the blockchain.

5.2. Recruit and Select Users

The reputation node serves as the verifier, while the mobile user acts as a prover. The reputation node can validate the reputation value through the equality verification algorithm and then check if the reputation value is within the threshold through the reputation range verification (RRV) algorithm [13].

Specifically, the mobile user first sends an ID to the reputation node. Then the reputation node gets the reputation value t of the mobile user according to $ID$ and computes the reputation commitment $Cm=g^t·h^r\mathrm{mod}p$, where $r\in {\mathbb{Z}}_p^{\ast }$. Next, the reputation node sends the r to the mobile user. The mobile user who wishes to take part in the perception task selects $\beta ,\gamma ,{\gamma }^{\prime }\in {\mathbb{Z}}_p^{\ast }$ and computes $C{m}_1=g^{\beta }·h^{\gamma }\mathrm{mod}p$, $C{m}_2=g^{\beta }·h^{{\gamma }^{\prime }}\mathrm{mod}p$, and hash value $H=Hash\left(C{m}_1\right|\left|C{m}_2\right)$, where $Hash(·)$ is a hash function. Next, the mobile user computes $C{m}^{\prime }=g^{t^{\prime }}·h^{r^{\prime }}\mathrm{mod}p,D=\beta +H·t^{\prime },D_1=\gamma +H·r^{\prime }$, and $D_2={\gamma }^{\prime }+H·r$, where $t^{\prime }\in {\mathbb{Z}}_p^{\ast }$ is a reputation value (may be invalid) uploaded by the mobile user and $r^{\prime }\in {\mathbb{Z}}_p^{\ast }$. After that, the mobile user sends $\{H,D,D_1,D_2,C{m}^{\prime }\}$ to the reputation node. Next, the reputation node verifies reputation commitment by checking if Equation (11) holds.

$$H=Hash\left(g^D{h}^{D_1}{\left(C{m}^{\prime }\right)}^{-H}\mathrm{mod}p\right|\left|g^D{h}^{D_2}{\left(Cm\right)}^{-H}\mathrm{mod}p\right).$$

(11)

If Equation (11) is satisfied, the reputation is valid.

After the above steps, we can know that the reputation value uploaded by the mobile user is $t^{\prime }=t$, and the corresponding commitment is $C{m}_t=g^t·h^{r^{\prime }}\mathrm{mod}p$. Next, the reputation node uses the RRV algorithm to verify whether the mobile user’s reputation value meets the reputation range. To be specific, the mobile user computes $C{m}_1=g^{(t-t_0)}·h^{(r^{\prime }-r_0)}\mathrm{mod}p$ and $C{m}_2=g^{(b-t)}·h^{(r_b-r^{\prime })}$, where $r_0,r_b\stackrel{R}{\leftarrow }{\mathbb{Z}}_p^{\ast }$, $t_0\in {\mathbb{Z}}_p^{\ast }$ is the reputation threshold for the sensing task, and b denotes the upper bound of t. After that, the mobile transmits $\{C{m}_1,C{m}_2,C{m}_t,C_{r_0},C_{r_b},ID\}$ to the reputation node. Here, $\{C_{r_0},C_{r_b}\}$ represents the ciphertexts encrypted by Equation (4). Upon receiving $\{C{m}_1,C{m}_2,C{m}_t,C_{r_0},C_{r_b},ID\}$, the reputation node decrypts $C_{r_0},C_{r_b}$ according to Equation (6), then gets the reputation value t based on $ID$ and checks if $t_0\le t\le b$. If this condition is not satisfied, the reputation node aborts the algorithm and outputs ⊥. Otherwise, the reputation node computes $C{m}_{r_0}=g^{t_0}·h^{r_0}\mathrm{mod}p$, $C{m}_b=g^b·h^{r_b}\mathrm{mod}p$, and checks whether Equation (12) holds.

$$\begin{array}{cc}\hfill C{m}_1& =C{m}_t·C{m}_{r_0}^{-1},\hfill \\ \hfill C{m}_2& =C{m}_b·C{m}_t^{-1}.\hfill \end{array}$$

(12)

If Equation (12) is met, the reputation value falls within the specified range, allowing the mobile user to engage in the sensing task. If not, the mobile user is ineligible to take part in the task. Then, the reputation node sends the verified mobile user $ID$ to the server.

5.3. Upload Data and Perform Privacy-Preserving Truth Discovery (PPTD)

Users who are allowed to participate in the task first encrypt their perception data and then perform PPTD. Here, we refer to Refs. [26,36] to achieve this section. In this section, we introduce privacy-preserving truth discovery, which consists of two main phases: Setup and Compute the truth. An overview of PPTD is shown as Algorithm 1.

Algorithm 1 An overview of PPTD.

1: Setup:  2: A data requester submits ${\left\{{\tilde{z}}_m\right\}}_{m=1}^M$ to $S_1$ and sends ${\{E\left[{\gamma }_m\right],E\left[{\left({\gamma }_m\right)}^2\right]\}}_{m=1}^M$ to $S_2$.  3: Mobile users submit ${\left\{{\tilde{x}}_m^k\right\}}_{k=1,m=1}^{K,M}$ to $S_1$ and transmit ${\left\{{\delta }_m^k\right\}}_{k=1,m=1}^{K,M}$ to $S_2$.  4: $S_2$ calculates ${\left\{E[{\delta }_m^k+{\gamma }_m]\right\}}_{k=1,m=1}^{K,M}$ and ${\left\{E\left[{\sum }_{m=1}^M{({\delta }_m^k+{\gamma }_m)}^2\right]\right\}}_{k=1}^K$ and submits them to $S_1$.  5: Compute the truth:  6: for each iteration do  7:    for each mobile users do  8:      $S_1$ and $S_2$ calculate weights to determine ${\overline{w}}_k$.  9:      for each task do 10:         $S_1$ and $S_2$ update the truth values to get ${\tilde{z}}_m$. 11:      end for 12:    end for 13: end for 14: $S_1$ returns ${\left\{{\tilde{z}}_m\right\}}_{m=1}^M$ to the data requester. 15: The data requester uncovers the truth for the m-th task by calculating $z_m={\tilde{z}}_m-{\gamma }_m$.

5.3.1. Setup

A data requester first generates task truths $(z_1,\dots ,z_M)$ randomly and selects corresponding random values ${\left\{{\gamma }_m\right\}}_{m=1}^M$ to perturb as ${\tilde{z}}_m=z_m+{\gamma }_m$. We use $E(·)$ to denote the ciphertext encrypted by Equation(4) and leverage $D_t(·)$ to represent $C{T}^{\left(t\right)}$ in Equation (7). The requester then encrypts these random values as $E\left({\gamma }_m\right)$ and $E\left({\gamma }_m^2\right)$. Subsequently, the perturbed truths ${\left\{{\tilde{z}}_m\right\}}_{m=1}^M$ are forwarded to $S_1$, while the ciphertexts ${\{E\left({\gamma }_m\right),E\left({\gamma }_m^2\right)\}}_{m=1}^M$ are sent to $S_2$.

Then, user $u_k$ aiming to engage in the tasks creates the sensory data $(x_1^k,\dots ,x_M^k)$ and chooses random values ${\left\{{\delta }_m^k\right\}}_{m=1}^M$ to perturb the original data as ${\tilde{x}}_m^k=x_m^k-{\delta }_m^k$. Then, $u_k$ forwards ${\left\{{\tilde{x}}_m^k\right\}}_{m=1}^M$ to $S_1$ and sends all the random values ${\left\{{\delta }_m^k\right\}}_{m=1}^M$ to $S_2$.

Upon receiving all users’ data, $S_2$ computes $E\left({\delta }_m^k\right)·E\left({\gamma }_m\right)$ to derive the ciphertext $E({\delta }_m^k+{\gamma }_m)$, and evaluates $E\left({\sum }_{m=1}^M{\left({\delta }_m^k\right)}^2\right)·{\prod }_{m=1}^M\left(E{\left({\gamma }_m\right)}^{2{\delta }_m^k}·E\left({\gamma }_m^2\right)\right)$ to obtain the ciphertext $E\left({\sum }_{m=1}^M{({\delta }_m^k+{\gamma }_m)}^2\right)$. Subsequently, $S_2$ transmits the ciphertexts ${\left\{E({\delta }_m^k+{\gamma }_m)\right\}}_{k,m=1}^{K,M}$ and ${\left\{E\left({\sum }_{m=1}^M{({\delta }_m^k+{\gamma }_m)}^2\right)\right\}}_{k=1}^K$ to $S_1$.

5.3.2. Compute the Truth

Utilizing the homomorphic property, $S_1$ first computes the distance between $x_m^k$ and $z_m$ as

$$\begin{array}{cc}\hfill E\left(\sum _{m=1}^M{(x_m^k-z_m)}^2\right)& =E(\sum _{m=1}^M[{(x_m^k-z_m-({\delta }_m^k+{\gamma }_m))}^2+{({\delta }_m^k+{\gamma }_m)}^2+({\delta }_m^k+{\gamma }_m)·\hfill \\ \hfill & \left(2(x_m^k-z_m-({\delta }_m^k+{\gamma }_m))\right)\left]\right)\hfill \\ \hfill & =E\left(\sum _{m=1}^M{({\tilde{x}}_m^k-{\tilde{z}}_m)}^2\right)·E\left(\sum _{m=1}^M{({\delta }_m^k+{\gamma }_m)}^2\right)·\prod _{m=1}^{M}E{({\delta }_m^k+{\gamma }_m)}^{2({\tilde{x}}_m^k-{\tilde{z}}_m)}\hfill \\ & =C_f^k.\hfill \end{array}$$

(13)

Subsequently, $S_1$ aggregates the encrypted distances from all users and transmits the merged outcome, denoted as $C_F={\prod }_{k=1}^K{C}_f^k$, to $S_2$.

$S_2$ partially decrypts the ciphertext using the private key ${\lambda }_2$ by performing $D_2\left(C_F\right)\leftarrow PSDec({\lambda }_2,C_F)$. Next, $S_2$ sends back $D_2\left(C_F\right)$ to $S_1$. Upon receiving the partly decrypted ciphertext, $S_1$ computes

$$\begin{array}{cc}\hfill D_1\left(C_F\right)& \leftarrow PSDec({\lambda }_1,C_F)\hfill \\ \hfill \sum _{k=1}^K\sum _{m=1}^M{(x_m^k-z_m)}^2& \leftarrow DDSec(D_1\left(C_F\right),D_2\left(C_F\right)),\hfill \end{array}$$

(14)

to require the sum of all distances. For every worker, $S_1$ picks a random value $r_1^k\in {\mathbb{Z}}_n$ for the below calculation

$${\tilde{C}}_f^k=E\left({\displaystyle \frac{r_1^k{\sum }_{m=1}^M{(x_m^k-z_m)}^2}{{\sum }_{k=1}^K{\sum }_{m=1}^M{(x_m^k-z_m)}^2}}\right).$$

(15)

Next, $S_1$ decrypts part of the ciphertext $D_1\left({\tilde{C}}_f^k\right)\leftarrow PSDec({\lambda }_1,{\tilde{C}}_f^k)$ and dispatches $\{{\tilde{C}}_f^k,D_1{\left({\tilde{C}}_f^k\right)}_{k=1}^K\}$ to $S_2$. Using the private key, $S_2$ decrypts ${\tilde{C}}_f^k$ by performing the following operations:

$$\begin{array}{cc}\hfill D_2\left({\tilde{C}}_f^k\right)& \leftarrow PSDec({\lambda }_2,{\tilde{C}}_f^k),\hfill \\ \hfill {\displaystyle \frac{r_1^k{\sum }_{m=1}^M{(x_m^k-z_m)}^2}{{\sum }_{k=1}^K{\sum }_{m=1}^M{(x_m^k-z_m)}^2}}& \leftarrow DDSec(D_1\left({\tilde{C}}_f^k\right),D_2\left({\tilde{C}}_f^k\right)).\hfill \end{array}$$

(16)

Subsequently, each user’s weight can be computed as:

$$\begin{array}{cc}\hfill {\overline{w}}_k& =-\log \left({\displaystyle \frac{r_1^k{\sum }_{m=1}^M{(x_m^k-z_m)}^2}{{\sum }_{k=1}^K{\sum }_{m=1}^M{(x_m^k-z_m)}^2}}\right)+r_2^k\hfill \\ \hfill & =w_k-\log \left(r_1^k\right)+r_2^k,\hfill \end{array}$$

(17)

where $r_2^k\in {\mathbb{Z}}_n$ is utilized to perturb the weight information. Following this, $S_2$ computes $C_m={\prod }_{k=1}^{K}E{({\delta }_m^k+{\gamma }_m)}^{-r_2^k}$ and conveys the ciphertexts ${\left\{C_m\right\}}_{m=1}^M$, ${\left\{E\left(r_2^k\right)\right\}}_{k=1}^K$, and the perturbed weights ${\left\{{\overline{w}}_k\right\}}_{k=1}^K$ to $S_1$. Using $r_1^k$, each user’s weight is restored by calculating ${\tilde{w}}_k={\overline{w}}_k+r_2^k$. Following this, $S_1$ computes the summation of perturbations as:

$$\begin{array}{cc}\hfill {\tilde{C}}_m& =E\left(\sum _{k=1}^K{w}_k({\delta }_m^k+{\gamma }_m)-\sum _{k=1}^K{r}_2^k{\tilde{x}}_m^k\right)\hfill \\ \hfill & =\left(\prod _{k=1}^{K}E{({\delta }_m^k+{\gamma }_m)}^{{\overline{w}}_k}\right)·C_m·\prod _{k=1}^{K}E{\left(r_2^k\right)}^{-{\tilde{x}}_m^k}.\hfill \end{array}$$

(18)

Then $S_1$ transmits ${\{{\tilde{C}}_m,D_1\left({\tilde{C}}_m\right)\leftarrow PSDec({\lambda }_1,{\tilde{C}}_m)\}}_{m=1}^M$ back to $S_2$.

Upon receiving the ciphertexts, $S_2$ obtains the plaintext in ${\tilde{C}}_m$ through the operations:

$$\begin{array}{cc}\hfill D_2\left({\tilde{C}}_m\right)& \leftarrow PSDec({\lambda }_2,{\tilde{C}}_m),\hfill \\ \hfill {\tilde{r}}_m& \leftarrow DDSec(D_1\left({\tilde{C}}_m\right),D_2\left({\tilde{C}}_m\right)).\hfill \end{array}$$

(19)

Then $S_2$ returns ${\left(\left\{{\tilde{r}}_m\right)\right\}}_{m=1}^M,{\tilde{r}}_w={\sum }_{k=1}^K{r}_2^k)$ to $S_1$.

Using ${\tilde{r}}_m$ and ${\tilde{r}}_w$, $S_1$ updates the task truth following these steps:

$$\begin{array}{cc}\hfill {\tilde{z}}_m& =z_m+{\gamma }_m\hfill \\ \hfill & ={\displaystyle \frac{{\sum }_{k=1}^K{w}_k·(x_m^k+{\gamma }_m)}{{\sum }_{k=1}^K{w}_k}}\hfill \\ \hfill & ={\displaystyle \frac{{\sum }_{k=1}^K(w_k({\delta }_m^k+{\gamma }_m)-r_2^k({\tilde{x}}_m^k-{\delta }_m^k))}{{\sum }_{k=1}^K{w}_k-{\sum }_{k=1}^K{r}_2^k}}\hfill \\ \hfill & +{\displaystyle \frac{{\sum }_{k=1}^K(w_k+r_2^k)(x_m^k-{\delta }_m^k)}{{\sum }_{k=1}^K(w_1^k+r_2^k)-{\sum }_{k=1}^K{r}_2^k}}\hfill \\ \hfill & ={\displaystyle \frac{{\sum }_{k=1}^K{\tilde{w}}_k·{\tilde{x}}_m^k+{\tilde{r}}_{a}m}{{\sum }_{k=1}^K{\tilde{w}}_k-{\tilde{r}}_w}}.\hfill \end{array}$$

(20)

Continuing with an iterative application of the above procedure, the truths can be required. Eventually, $S_1$ transmits ${\left\{{\tilde{z}}_m\right\}}_{m=1}^M$ to the data requester as the truth can be obtained by calculating $z_m={\tilde{z}}_m-{\gamma }_m$.

5.4. Predict and Update Reputation

To enhance the assessment of a user’s past reputation, we utilize the Dirichlet distribution for reputation prediction. The process involves forecasting the user’s future reputation by leveraging their consistently standardized historical reputation. Initially, reputation normalization adjusts reputation scores to a range between 0 and 1. Subsequently, reputation aggregation combines historical data with the Dirichlet distribution to derive the probability distribution vector $\overrightarrow{p}$. The weighted average of $\overrightarrow{p}$, denoted as X, is then determined, with the expected value $E\left[X\right]$ serving as the predicted reputation. The detailed algorithm is shown as Algorithm 2.

Algorithm 2 Reputation prediction.

Input:  ${\left\{w_i\right\}}_{i=1}^m,\left\{\zeta \right\}$   1: for $i=1$ to m do   2:    $w_i={\displaystyle \frac{w_i-min\left({\left\{w_i\right\}}_{i=1}^m\right)}{max\left({\left\{w_i\right\}}_{i=1}^m\right)-min\left({\left\{w_i\right\}}_{i=1}^m\right)}}$;   3: end for   4: set $\overrightarrow{X}\leftarrow \{X_1,X_2,\dots ,X_C\}$;   5: set $\overrightarrow{\theta }\leftarrow \{{\theta }_1,{\theta }_2,\dots ,{\theta }_N\}$, (${\theta }_i\in (0,1],i\in [1,N],{\theta }_i\le {\theta }_{i+1}$);   6: set $p_i=P\{{\theta }_{i-1}<X_i\le {\theta }_i\}$, ($i=1,2,\dots ,N$);   7: set $\overrightarrow{p}\leftarrow \{p_1,p_2,\dots ,p_N\}$, (${\sum }_{i=1}^N{p}_i=1$);   8: set $\overrightarrow{\zeta }\leftarrow \{{\zeta }_1,{\zeta }_2,\dots ,{\zeta }_N\}$;   9: compute $f\left(\overrightarrow{p}\right|\overrightarrow{\zeta })=\mathrm{D}\left(\overrightarrow{p}\right|\overrightarrow{\zeta })={\displaystyle \frac{\Gamma \left({\sum }_{i=1}^N{\zeta }_i\right)}{{\prod }_{i=1}^N\Gamma \left({\zeta }_i\right)}}{\prod }_{i=1}^N{p}_i^{{\zeta }_i-1}$;  10: set ${\zeta }_0={\sum }_{i=1}^N{\zeta }_i$; set $\overrightarrow{q}\leftarrow \{q_1,q_2,\dots ,q_N\}$;  11: compute $E\left[X\right]={\sum }_{i=1}^N{q}_{i}E\left[p_i\right]={\displaystyle \frac{{\sum }_{i=1}^N{q}_i{\zeta }_i}{{\zeta }_0}}$;  12: return $E\left[X\right]$

We first normalize the reputation using Equation (18):

$$w_i={\displaystyle \frac{w_i-min\left({\left\{w_i\right\}}_{i=1}^m\right)}{max\left({\left\{w_i\right\}}_{i=1}^m\right)-min\left({\left\{w_i\right\}}_{i=1}^m\right)}},$$

(21)

where $w_i$ denotes the reputation of the mobile user.

For a specific user U, a continuous random variable X ($0\le X\le 1$) is utilized to represent the truth associated with U. The levels of truth, denoted as $\{{\theta }_1,{\theta }_2,\dots ,{\theta }_N\}$, where ${\theta }_i\in (0,1],(i=1,2,\dots ,N,{\theta }_i<{\theta }_{i+1})$, are established. The probability distribution vector of X concerning these N levels is symbolized as $\overrightarrow{p}=\{p_1,p_2,\dots ,p_N\}$, with the constraint ${\sum }_{i=1}^N{p}_i=1$, where $P\{{\theta }_{i-1}<X_i<{\theta }_i\}=p_i$ for $(i=1,2,\dots ,N)$. The vector $\zeta =\{{\zeta }_1,{\zeta }_2,\dots ,{\zeta }_N\}$ is utilized to denote the cumulative truth value. By utilizing a posterior Dirichlet distribution, the modeling of $\overrightarrow{p}$ is achieved as:

$$D\left(\overrightarrow{p}\right|\overrightarrow{\zeta })={\displaystyle \frac{\Gamma \left({\sum }_{i=1}^N{\zeta }_i\right)}{{\sum }_{i=1}^N\Gamma \left({\zeta }_i\right)}}\prod _{i=1}^N{p}_i^{{\zeta }_i-1},$$

(22)

where ${\zeta }_i$ is the accumulation value of levels that the user’s truth values belong to, and $\Gamma (·)$ represents the Gamma function.

To determine the reputation score of the user, weight values $q_i$ are assigned to each level ${\theta }_i(i\in [1,N])$. Let $p_i$ denote the probability that the true value of user U falls within level ${\theta }_i$. Consider a random variable X that represents the weighted average of the probabilities of the true value in $\overrightarrow{p}$. The user’s reputation score $R_U$ can be calculated as

$$R_U=E\left[X\right]=\sum _{i=1}^N{q}_{i}E\left[p_i\right]={\displaystyle \frac{1}{{\zeta }_0}}\sum _{i=1}^N{q}_i{\zeta }_i,$$

(23)

where ${\zeta }_0={\sum }_{i=1}^N{\zeta }_i$ and $\overrightarrow{q}\leftarrow \{q_1,q_2,\dots ,q_N\}$ is the weight for each ${\theta }_i$.

Finally, the reputation node obtains the future reputation value of each mobile user and subsequently transmits the new reputation to the user.

6. Security Analysis

In this section, we will perform a security analysis on PRUS to prove its robust security. The goal of PRUS is to protect against unauthorized alteration of reputation values by malicious users and to protect the privacy of mobile users’ data. We give the theorem and the corresponding proof below.

Theorem 1.

PRUS can resist reputation tampering and inference attacks if attacker $\mathcal{A}$ is unable to deduce or tamper with the reputation value of $u_k$ in PRUS by interacting with the cloud server through reputation commitment.

Proof. 

The reputation value $t_k$ of $u_k$ is represented in reputation commitments $C{m}_k=g_1^{t_k}·h_1^{r_k}\mathrm{mod}p$ and $C{m}_k^{\prime }=g_2^{t_k}·h_2^{r_k}\mathrm{mod}p$. An adversary A could intercept the reputation commitments $C_{mk}$ and $C_{mk}^{\prime }$ through wireless channels, but it is unable to deduce the actual reputation value $t_k$ based on the privacy analysis in [13]. This property allows the PRUS to thwart reputation inference attacks effectively.

Furthermore, if A attempts to manipulate the reputation value while computing its reputation commitment $C{m}_k^{\prime }$, the cloud server will reject the submitted sensing data from the mobile user as it would not satisfy the RRV. Consequently, the PRUS proves resilient against reputation tampering attacks.  □

Theorem 2.

PRUS can protect the data privacy of mobile users if the cloud server is unable to obtain private information like sensory data, weights, and true values through the acquired data.

Proof. 

For $S_1$, the known values include the ciphertexts $(E[{\delta }_m^k+{\gamma }_m],E\left[{\sum }_{m=1}^M{({\delta }_m^k+{\gamma }_m)}^2\right]$, ${\tilde{C}}_m,E\left[r_2^k\right])$ and plaintexts $\left({\tilde{y}}_m,{\tilde{x}}_m^k,{\sum }_{k=1}^K{\sum }_{m=1}^M{(x_m^k-z_m)}^2,w_k,{\tilde{r}}_m,{\tilde{r}}_w\right)$. Without the undisclosed values ${\gamma }_m$ and ${\delta }_m^k$, $S_1$ cannot deduce the true task from ${\tilde{y}}_m$ or the sensor data from ${\tilde{x}}_m^k$. Additionally, as $r_2^k$ is randomly generated, $S_1$ remains unable to extract confidential information from ${\tilde{r}}_m$ and ${\tilde{r}}_w$, and it cannot differentiate the individual users’ weights $w_k$ from the perturbed weight data ${\overline{w}}_k$.

For $S_2$, the information it possesses comprises the encrypted values $\left(E\left[{\gamma }_m\right],E\left[{\gamma }_m^2\right],C_m\right)$ and the plaintexts $\left({\delta }_m^k,w_k\right)$. Without knowing the other private key or the perturbed sensory data ${\tilde{x}}_m^k$, $S_2$ cannot recover users’ sensory data or infer their weights, even if it holds some random values or colludes with other users.

In essence, the sensory data, weights, and truths of users are safeguarded confidentially within the PRUS.  □

7. Experiments

In this section, we will examine and assess the performance of PRUS, focusing on the reputation range verification (RRV) algorithm and the privacy-preserving truth discovery (PPTD) algorithm. To enhance the clarity of our analysis, we will begin by evaluating the RRV algorithm with regard to computation and communication workload. Following that, we will explore how the quantity of mobile users and sensing tasks affects the computational and communication burden of the PPTD algorithm. Lastly, we will delve into the computational load associated with reputation prediction.

In order to better demonstrate the effectiveness of the PRUS, we conducted experiments to showcase the runtime and cost of each algorithm. The operations of the mobile users, cloud servers, blockchain, and data requester were conducted on a laptop with an Intel(R) Core(TM) i5-8300H CPU and a memory of 8 GB. The operating system was 64-bit Windows 10. Regarding user size, the selection of users in our experiments was based on a fixed number of participants, depending on the task requirements. The user size varied between 10 and 50 participants. The criteria for selecting participants included their past performance (data accuracy), geographic location (for task relevance), and reputation scores derived from previous task participation.

7.1. Evaluation of RRV Algorithm

In this section, we will examine the computational and communication overheads associated with the RRV.

Computation overhead. The PRUS scheme employs the RRV algorithm to prevent dishonest mobile users from manipulating reputation values within the reputation range of the sensing task. This algorithm verifies the validity of reputation values against the reputation threshold. The RRV algorithm involves four commitment generation operations, one hash generation operation, one hash verification operation, an exponential operation, a multiplication operation, and two comparison operations. Based on this breakdown, the computational complexity of the RRV algorithm was determined to be $\mathcal{O}\left(K\right)$. The running time of PRUS under various combinations of mobile users, sensing tasks, and reputation nodes is illustrated in Figure 2.

Communication overhead. According to the RRV algorithm, when a mobile user participates in a perception task, the cloud server communicates with the mobile user and the reputation node. The mobile user sends the reputation commitment to the cloud server, and then the cloud server and the reputation node first verify whether the commitment is valid. In this process, the communication result is $\{H,D,D_1,D_2,C{m}_t\}$, so the communication cost is $4\left|H\right|+\left|p\right|$, where $\left|p\right|$ is the public parameter size; then, the cloud server verifies whether the commitment is within the reputation threshold of the perception task. The product of this process is $\{C_{t_0},C_{r_0},b\}$ and $\{C{m}_1,C{m}_2\}$, so the communication cost is $4\left|p\right|+\left|b\right|$.

7.2. Evaluation of PPTD Algorithm

Next, we evaluate the performance of the PPTD algorithm in PRUS from the perspective of computation and communication costs. We also evaluate the efficiency by implementing the RPTD scheme [41], as it is also developed using data perturbation and homomorphic Paillier encryption.

Computation overhead. In Figure 3, we describe the computational overhead of each entity. As shown in Figure 3a, on the mobile user side, our PPTD scheme outperforms the RPTD scheme. For instance, with 100 sensing tasks, RPTD takes 125 ms, while our scheme takes less than 1 ms. In Figure 3b,c, the computational overhead for each iteration on the cloud server is displayed for varying numbers of users and tasks. The PPTD scheme is more efficient than the scheme in [41] due to RPTD’s utilization of the traditional homomorphic Paillier cryptosystem for data encryption, while our PPTD employs data perturbation for enhanced data privacy.

Communication overhead. We calculate the communication cost of PPTD in two processes: Setup and Compute the truth. Given the plaintext’s small size relative to the ciphertext, our focus lies on transmitting the size of the ciphertext, denoted by $\left|C\right|$.

Table 3. Communication overhead comparison.

		Our PPTD	RPTD
Setup	Data upload	———-	$M·\left|C\right|$
	Compute the ciphertext	$(KM+K)·\left|C\right|$	——-
Compute the truth values	Weight update	$(2K+2)·\left|C\right|$	$(4KM+2)·\left|C\right|$
	Truth update	$(K+3M)·\left|C\right|$	$(2M+2)·\left|C\right|$

summarizes the communication overhead of our PPTD and RPTD [41] schemes at different stages. As can be seen from the table, the cost of our PPTD in the process of calculating the truth value is lower than that of RPTD [41]. This is because all calculations performed on the mobile user device are performed in the plaintext domain, so our PPTD has less communication overhead.

7.3. Discussion

The PRUS scheme, as demonstrated in our experimental evaluation, performs efficiently within the scope of the current study. The combination of blockchain, privacy-preserving algorithms, and truth discovery provides a robust framework for user selection in IoT environments.

In terms of scalability, while the current experiments focus on small-sized IoT networks, the PRUS scheme has the potential to scale to larger networks. One of the key advantages of PRUS over previous schemes is its efficiency in both communication and computation, as demonstrated in our results. By leveraging blockchain’s decentralized nature and optimizing the truth discovery process, PRUS reduces the reliance on centralized servers, which are often bottlenecks in scalability. Additional optimizations will be required in extremely large IoT networks, where millions of devices are interconnected. We can focus on enhancing the scalability of key components, such as reputation verification and truth discovery, to ensure that PRUS remains efficient even in highly distributed, large-scale environments.

8. Conclusions

In this paper, we proposed PRUS, a privacy-preserving and quality-aware user selection scheme tailored for IoT environments. PRUS leverages the decentralized and immutable nature of the blockchain to enhance the reliability and security of the user selection process. Through a combination of a public-key cryptosystem with distributed decryption, truth discovery, and privacy-preserving algorithms, our scheme ensures that users’ data privacy and reputation are protected while maintaining high-quality data collection. In addition, we design a privacy-preserving verification algorithm, which prevents malicious tampering of reputation scores, and the application of the Dirichlet distribution to predict future reputation values, further improving the robustness of the selection process. Our security analysis demonstrated that PRUS effectively protects user privacy, and our experimental results confirmed that the scheme offers significant advantages in terms of communication and computational efficiency when compared to previous approaches.

Due to the integration of blockchain, truth discovery, and privacy protection algorithms, the implementation of the PRUS scheme is relatively complex. Future research will focus on optimizing PRUS for scalability in extremely large networks with millions of interconnected devices. Moreover, additional optimizations will be explored to further reduce communication overhead and improve computational performance.