An Efficient Privacy Preserving Spectrum Sharing Framework for Internet of Things

Internet of Things (IoT) devices are forecasted to increase to 20 billion by the year 2020. Questions are arising as where the bandwidth and radio channels come from to make it all work. It is a common belief that the spectrum under 6GHz is easy to use for various IoT applications. However, currently it has been almost fully allocated to different kinds of systems, some of which suffer from an extremely low spectrum utilization ratio. To this end, spectrum sharing approach has been proposed recently, which dynamically redistributes the incumbents’ underutilized spectrum to secondary users and exchanges for profit. To incentivize the incumbent to share the spectrum in efficient and profitable ways, auction based mechanisms are extensively discussed. Most of the existing researches propose to share the spectrum by utilizing truthful auction mechanism, in which the secondary users’ dominant strategies are to bid their true valuations. However in reality, exposing true valuation is very risky and thus keeping user’s bidding value confidential is of great importance. In this paper, we propose an efficient privacy preserving spectrum sharing framework for IoT by utilizing ElGamal cyptosystem. The proposed scheme hides the user’s bid from both the auctioneer and other users. By extensive evaluation results, we show that the proposed framework could achieve good spectrum utilization efficiency and user satisfactory ratio, at the cost of acceptable communication and computation overheads.


I. INTRODUCTION
The number of Internet of Things (IoT) devices is projected to amount to 20 billion worldwide by 2020, and 75.44 billion by 2025. Correspondingly, the data traffic skyrockets due to the tremendous increasing of IoT devices and spectrumhungry applications [1]- [4]. Since data is more and more wirelessly transferred, spectrum is expected to become the scarcest resource which hinders the development of IoT. To deal with the spectrum crunch problem, two kinds of solutions are investigated from different aspects. One solution is to exploit the usage of spectrum in higher frequency bands (6 GHz above) to scale up the network capacity. But high The associate editor coordinating the review of this manuscript and approving it for publication was Zhenyu Zhou . frequency band use-case is limited due to its propagation characteristics and therefore extensive real-world tests are required. Another solution is to enable more efficient and flexible usage of spectrum below 6 GHz. Based on the actual spectrum usage measurement results, there is a common belief that the capacity of the radio spectrum under 6 GHz has not been fully approached. For instance, the utilization ratio of TV broadcasting spectrum is less than 6% in most developed countries by considering different time and locations. These results encourage us for developing more dynamic and efficient spectrum management policies for future IoT systems.
The researches on spectrum sharing have emerged recently [5]- [9]. A paradigm shift from static spectrum allocation towards dynamic spectrum sharing has been widely VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see http://creativecommons.org/licenses/by/4.0/ discussed. In the spectrum sharing framework, secondary users could access the spectrum that is underutilized by primary system, i.e., incumbent. In the context of IoT, the secondary users could be various IoT devices, and the incumbent could be the TV broadcasting, satellite, radar systems.
To incentivize the primary system to lease the access right to secondary users, researches on secondary spectrum market have attracted intensive interests. The basic idea is that the primary users sell the temporarily or spatially unused spectrum, i.e., whitespace, to secondary users, in exchanging for profit which could be money, credit or resource. Meanwhile, the secondary users reuse the whitespace by paying the spectrum access right, and thus ease their starvation for transmission opportunities. The collaboration between primary and secondary users will lead to a win-win result finally.
To efficiently and fairly allocate the spectrum resource, market-based auction mechanism [10] is considered to be one of the most promising solutions. In the context of auction-based spectrum sharing, there are two fundamental requirements. The first one is spatial reusability. In traditional auction, there is only one winner for each auctioned goods, since the auctioned goods cannot be shared. However, the spectrum resource could be shared by multiple users who are out of the interference ranges with each other. These non-interference users could form a group and bid for the spectrum resource as one entity. The second one is truthfulness. A truthful auction implies that every bidder's dominant strategy is to bid at his true valuation for the selling goods. Bidding truthfully yields the highest utilities for all the bidders, regardless of the strategies of others. Truthfulness is considered to be the most important property for an auction, since it guarantees that all the bidders would not be interested in strategically manipulating their bids to pursue higher reward.
Bidders reveal their true valuations, however, might be very risky in reality. When the auctioneer or other bidders cannot be completely trusted, they may take malicious actions to maximize their own profits. For instance, by exploiting the bidders' true valuation information, the auctioneer might forge the auction process to maximize her profit in the future auctions [11]. We give a simple example to facilitate better understanding. Consider the case that Alice participates an online second-price auction [12], in which the bidder with the highest bid wins the auction but only needs to pay the secondhighest bid. Assume Alice values the goods at $5000. Since the second-price auction is proven to be a truthful one, Alice will bid her true valuation as her dominant strategy. Assume that Alice wins the auction and pays the second highest price, say $4000. After a period of time, the same goods is put for auction again. And Alice bids her true valuation $5000 again since she is still interested. Assume that Alice wins the auction again, however, this time she is charged with $4999. Certainly, it is reasonable to suspect that the auctioneer forges the second highest price by learning from bidders' previous bids. Therefore, protecting the bidders' private valuation against exposure is of great importance.
For an ideal privacy preserving auction [11], all the parties in the auction, including auctioneer and all bidders, can only be aware of the identities of winners and their respective charges, but the bids of individual users should be kept confidential as a private information.
In this paper, we propose an auction-based efficient privacy preserving spectrum sharing framework for IoT, by taking into consideration both the spatial spectrum reusage and truthfulness. The proposed framework intends to only reveal the winners' identities and the group bids, but keeps the individual user's bid confidential. To this end, the proposed spectrum sharing framework consists of three parties, i.e., an auctioneer, multiple bidders and a Cryptographic Authority (CA). Here, CA is a third party to generate public keys. Regarding the bidding processes, firstly the bidders send their homomorphic encrypted sealed bidding vectors (e.g., using ElGamal encryption) to the auctioneer by using the ElGamal public key generated by the CA. Then, the auctioneer constructs a mixed sealed group matrix and sends it to CA, who will decrypt the group bids by using her ElGamal private key. Finally, the auctioneer derives the winning groups and their charges. In our assumptions, either the auctioneer or CA could be untrusted, but they would not collude. The proposed framework guarantees that no bidder's bidding price would be exposed, as long as the auctioneer and CA do not collude with each other. We have performed extensive evaluations to show that the proposed framework achieves good spectrum utilization efficiency and user satisfactory ratio, at the cost of acceptable communication and computation overheads.
The rest of the paper is organized as follows. Section II introduces the preliminary for homomorphic encryption and related researches. Section III addresses the proposed efficient privacy preserving spectrum sharing framework in details. Section IV provides performance evaluations. And finally Section V draws the conclusions.

II. PRELIMINARIES AND RELATED WORK A. HOMOMORPHIC ENCRYPTION: ELGAMAL ENCRYPTION SCHEME
The proposed auction-based privacy preserving spectrum sharing framework is built based on a widely known public key homomorphic encryption scheme: ElGamal cryptosystem [13]. In this subsection, to facilitate better understanding, we briefly introduce the ElGamal encryption function. Similar to the well known RSA (Rivest-Shamir-Adleman) scheme, ElGamal encryption scheme is a public key cryptosystem, i.e., the encryption key is published, and the decryption key is kept private. The mathematical relationship between the encryption and decryption keys lies upon the discrete log problem.
• Key generation. First, the first party chooses a very large prime number p, and a primitive root modulo p, say α. Then, an integer a is chosen and β = α a (mod p) is computed. The encryption key is the ordered triple (p, α, β), which is made public. However, the integer a is kept secret, which is the decryption key.
• Encryption. To use ElGamal to encrypt a plaintext m, the second party first chooses a secret integer k and computes r = α k (mod p) and t = β k m (mod p). The pair (r, t) is second party's ciphertext, and k is known only by the second party itself.
• Decryption. Once the encrypted message has been transmitted to the first party, he could compute the plaintext m as m = tr −a (mod p) by using a. An eavesdropper knows p, α, β, r, t but is unaware of k, a. Knowledge of either a or k would be enough to decrypt the plaintext m, as m = tr −a = tβ −k (mod p). In the following part, we use El(·) to denote the ElGamal encryption. The ElGamal encryption scheme has the following very important properties, which are the keys to realize our efficient private preserving spectrum sharing framework. We omit the detailed calculations and security analysis of ElGamal encryption/decryption functions in this article, which could be found in [13].

B. RELATED WORK 1) SPECTRUM SHARING IN IOT
In the context of spectrum sharing in IoT, it is of great importance to construct an accurate radio environment map (REM). REM provides the spectrum availability information for the primary systems at any locations, by using which the IoT devices could access the whitespace without causing harmful interference to primary users. In recent years, extensive researches have been done to improve the quality of REM. A basic approach is to deploy dedicated sensors uniformly over the region of interest [14]. To solve the high cost issue, crowdsourced based approaches have been proposed [15]- [17], in which mobile users with spectrum sensors are recruited to provide measurements. Besides REM, exclusion zone determination is also very important for spectrum sharing, inside which the secondary spectrum reuse is prohibited. Ullah et al. [18] have proposed a multitiered exclusion zone framework by exploiting point-to-point mode terrain profile. And Bhattarai et al. [19] have proposed an on-the-fly exclusion zone refinement approach to ensure a probabilistic guarantee of the interference from secondary user to primary user.

2) AUCTION-BASED SPECTRUM SHARING
In the secondary spectrum market, utilizing auction-based schemes to fairly and efficiently redistribute the spectrum resource have been extensively investigated. To our limited knowledge, the first work in this topic is done by Zhou and Zheng [5], who have proposed a double spectrum auction framework which takes any reusability-driven spectrum allocation algorithm as the input, and applies a novel winner determination and pricing mechanism to achieve truthfulness, budget balance and individual rationality. Based on that, Feng et al. [6] have considered heterogeneous spectrum sharing problem and proposed a truthful double auction scheme, which allows buyers to explicitly express their personalized preferences and also addresses the problem of interference graph variation. Yi and Cai [7] have proposed a recallbased combinational spectrum auction mechanism which could deal with multiple heterogeneous secondary users with various quality-of-service requirements. Wang et al. [8], [20] have investigated the secure information transfer issue under spectrum sharing scenario by using both monetary-based and barter-like spectrum auction schemes. Moreover, finegrained auction based incentive mechanisms for crowdsourced REM construction have been proposed in [21]- [23]. However, these researches do not consider the privacy preservation issue for the individual bidder.

3) PRIVACY PRESERVING AUCTION
Extensive researches have been done on the privacy preserving auction mechanisms for conventional goods. Naor et al. [11] have proposed a privacy preserving auction mechanism by utilizing Yao's secure computation [24] and oblivious transfer functions. Abe and Suzuki [25] have proposed an M + 1-st price sealed-bid auction scheme that offers bidding price secrecy and public verifiability. Sako [26] have proposed an auction protocol in which a bid will not be successfully decrypted unless it is the highest bid. To the best of our knowledge, Pan et al.'s research [27], [28] is the first work that addresses the privacy preservation problem for spectrum auctions. They have proposed a secure spectrum auction leveraging the Paillier cryptosystem to prevent the frauds of the auctioneer as well as the bid-rigging between the bidders and the auctioneer. Furthermore, Wu et al. [29] have proposed a truthful spectrum auction mechanism for both single channel request and multichannel request. They have employed order-preserving encryption as the cryptographic tools to guarantee the k-anonymity.

III. PROPOSED EFFICIENT PRIVACY PRESERVING SPECTRUM SHARING FRAMEWORK A. AUCTION BASED SPECTRUM SHARING FRAMEWORK WITHOUT PRIVACY PRESERVATION
In this subsection, we first present an auction-based spectrum sharing framework without privacy protection. Here, the primary system is the auctioneer, e.g., TV broadcast or naval shipborne radar system, who tends to lease M channels in exchange for proper profit. The secondary users are the bidders, e.g., IoT devices, who tend to utilize the primary spectrum to perform their own transmission. Considering the example that illustrated in Fig. 1, where the primary system tends to lease the access right of 2 channels. The secondary spectrum sharing are only allowed in particular geographic regions, i.e., outside the exclusion zones. Generally, the exclusion zones are determined by an interference threshold. The signal strength of the primary system at a given location could be provided by REM, which is either calculated by path-loss model or monitored by dedicated spectrum sensors. All the secondary users locate outside the exclusion zones, e.g., IoT devices No. 1 ∼ 9 in Fig. 1, have the opportunities to access the primary system's spectrum by participating the spectrum auction.
The main difference between spectrum auction and conventional-goods auction is spatial reusability. In spectrum auction, multiple wireless users that locate outside each others' interference ranges can share the same channel simultaneously. Exploiting spatial reusability is extremely important when we design a spectrum auction, without which huge amount of spectrum resources will be wasted. Generally, we could model the interference relationship for wireless devices as a conflict graph. As illustrated in Fig. 1, two devices that connected by an edge denotes that they are interfering with each other. Similar to [30], we calculate the interference range based on Signal to Interference plus Noise Ratio (SINR) and a threshold. Considering a scenario with totally N users 1 as N = {1, · · · , n, · · · , N }. We focus on the users that are outside the exclusion zones, which are denoted by N = {1, · · · , n, · · · , N }, where N ≤ N . By using graph coloring algorithms [31], the N users could be split into multiple nonconflicting groups G = {1, · · · , g, · · · , G}. For instance, the users in Fig. 1 are divided into 3 nonconflicting groups, and users No.1, 5, 9 within the same group, are able to access the same channel simultaneously without interfering 1 We will use terms user and device interchangably in the following articles.
with each other. We use N g to denote the set of users in group g, and have N g ∩ N g = ∅, ∀g, g ∈ G, and g∈G N g = N.
Each user outside the exclusion zones could bid one channel based on its valuation v n per channel 2 . The valuation also is known as type, which is related to its possible reward gained by accomplishing its transmission. The valuation is a private information to the user, and should be kept confidential. The user requests a channel by submitting a bid b n , which is based on its valuation v n . Based on the lowest bid in group g and the number of bidders |N g | in that group, the group bid β g is calculated as Upon receiving all the group bids, the auctioneer sorts them in non-increasing order, i.e., β 1 ≥ β 2 ≥ · · · ≥ β G , and announces the top w = min (M , G) groups as the winning groups, which is denoted by W. Certainly, the corresponding users in those groups are the winning users. All the selected winning groups are equally charged, the charge price is decided by the (w+1)-th highest group bid β w+1 to guarantee the truthfulness. Finally, this group charge is evenly shared by all the users in that winning group, therefore each winner n ∈ g is charged with p n = β w+1 /N g . Then, the utility u n of bidder n can be represented by For auction mechanism design, truthfulness is one of the most important desirable properties. Without truthfulness, the auction is vulnerable to market manipulation and leads to very poor outcomes. An auction is truthful, if for every participating user, revealing its true valuation is its dominant strategy regardless of other users' strategies.
Theorem 1: Grouped w + 1 price spectrum auction is truthful.
Proof: We will show that the bidder cannot improve its utility by bidding a value other than its true valuation. We first consider bidder n is in a winning group. When the bidder bids a higher value than her true valuation, the utility u n = v n − p n will not change since the (w + 1)th highest bid maintains. When the bidder bids a lower value b n than her true valuation, if b n ≥ β w+1 , still the utility will not change; otherwise if b n < β w+1 , bidder n's group will lose the auction and her utility will decrease to 0. Next, we consider the case that n is not in a winning group. Obviously, reporting a lower bid than her true valuation will not change her utility which is 0. When bidder n bids a higher value than her true valuation, but n's bid is not the lowest bid in her group, her group bid will not change and thus her utility will still be 0. When bidder n bids a higher value than her true valuation and n holds the lowest bid in her group g, she can make her group win. In this case, her utility is u n = v n − p n ≤ v n − β w+1 /N g ≤ v n − b n = u n = 0. To summarize, bidder n's utility would not increase when she offers a bid other than her true valuation. Table 1 lists frequently used notations.

B. EFFICIENT PRIVACY PRESERVING SPECTRUM AUCTION
As we mentioned previously, preserving the users' true valuation is critical, since the auctioneer or malicious bidder may use this information to maximize their own profits and thus harm the interest of normal bidders. However, if there is only one authority carries out the auction, it is extremely hard to keep the users' bid confidential. To this end, besides the auctioneer and bidders, we introduce a third party into the spectrum auction, i.e., CA, who is responsible for generating the public keys. By decrypting the sealed information that received from the auctioneer, CA will determine the winners of the auction and decide their charges. In our considered scenario, both auctioneer and CA could be untrusted, but we assume that they would not collude.
Similar to the network model we addressed in the previous subsection, the primary system tries to lease M available channels in exchange for profit. And a secondary user candidate set N = {1, · · · , n, · · · , N }, (which consists of the users locate outside primary system's exclusion zones) is interested in bidding for the channels. We assume that bidders could not bid at arbitrary prices, and they have to pick a bid from a predefined possible price set E = {e 1 , · · · , e j , · · · , e J }, where e 1 < · · · < e j < · · · < e J . We define a binary variable χ n,j ∈ {0, 1} to denote bidder n's choice on price e j . Therefore, the bid b n of bidder n is represented by Since one bidder could not bid at multiple prices, we have J j=1 χ n,j = 1. Inspired by the previous researches [25], [27], [29], we propose an efficient privacy preserving spectrum sharing framework for future IoT system in this paper, which is built upon ElGamal cryptosystem. 3 Fig. 2 illustrates the procedure of the proposed bidding process, and the details are presented in the following parts. 3 Part of this work was published in our previous work [32].

1) GROUPING (AUCTIONEER ⇒ USERS)
The first step is the auctioneer groups the users that locate outside the exclusion zones to G groups. To guarantee the truthfulness, this grouping process is performed independently with the bidding process, therefore there is no connection between the grouping results and bidding values. As introduced previously, we construct conflict graphs by SINR calculations, and divide groups by graph coloring algorithm. The auctioneer will broadcast the grouping results to all the users in the network. The group set is denoted as G = {1, · · · , g, · · · , G}, and the set of bidders in group g is denoted as N g . Regarding the scenario that multiple primary systems with different channels, the exclusion zones could be different, and therefore the group algorithm becomes much more complicated. In this case, since every user's biding channel set is different, directly using graph coloring algorithm is not applicable. To divide the group in this scenario, we could firstly, for every channel, calculate the possible group set by using graph coloring algorithm, and then based on the possible group sets for all the channels, determine the final group result by using greedy algorithm. VOLUME 8, 2020

2) ENCRYPTED SEALED BIDDING VECTOR (USERS ⇒ AUCTIONEER)
Upon receiving the grouping results, each candidate constructs an encrypted sealed bidding vector and submits it to the auctioneer. To construct this vector, two keys are needed, i.e., the key of a public-key cryptography scheme Key pub that is generated by the auctioneer and the public key of ElGamal encryption that is generated by the CA. In order to keep user's bid confidential, every user n firstly constructs a sealed bidding vector a n instead of her bidding plaintext b n as a n = { a n [1], · · · , a n [j], · · · , a n [J ]} where El(v) and El(1) denote the ElGamal encrypted ciphertexts of public values v (v = 1) and 1, respectively. Since the ElGamal encryption key is generated by the CA, the auctioneer is unaware of the real bidding value. The only party in the framework that could decrypt the sealed bidding vector is CA, since he has the ElGamal private key. Notice that even for the same value v (or 1), the generated ciphertext El(v) (or El(1)) in different time is different, thanks to the randomizability of ElGamal cryptosystem. Therefore, all the elements in the constructed sealed bidding vector a n are indistinguishable. In other words, to obtain j, i.e., the number of El(v) elements in a n , it is a must to decrypt the sealed bidding vector by using ElGamal private key.
To prevent that the CA overhears and decrypts the original bid b n , all the bidders further encrypt their sealed bidding vectors by using the public key that broadcasted by the auctioneer and send it to the auctioneer. The message is denoted as Encrypt( a n , Key pub ), namely the encrypted sealed bidding vector.

3) MIXED SEALED GROUP MATRIX (AUCTIONEER ⇒ CA)
As long as the auctioneer receives the encrypted sealed bidding vectors from bidders, it firstly decrypts a n by using its private key, i.e., Decrypt( a n , Key pri ). Then based on the already announced grouping result, she constructs an element-wise product vector c g for each group g as follows.
where φ g (j) indicates that how many a n [j]'s plaintext is v for all n ∈ N g . Next, based on the vector c g , the auctioneer constructs a sealed group matrix M g for group g as follows.
M g = m g,1 , · · · , m g,j , · · · , m g,J where r i,j is a random generated number. Finally, to break the correspondence between M g [i, j] and c g [j]/El(v (i−1) ) r i−1,j , we create a mixed sealed group matrix M g = {m g,1 , · · · , m g,j , · · · , m g,J }. Here, m g,j is constructed by permutating the elements in each m g,j randomly. The mixed sealed group matrix M g , with fake group IDs 4 will be transferred from the auctioneer to the CA.

4) WINNERS & CLEARING PRICE (CA ⇒ AUCTIONEER)
Based on the received mixed sealed group matrix M g , CA could only decrypt the minimum bid in group g, i.e., β min g without gaining any information regarding the other bids in group g. Specifically, CA uses her ElGamal private key to decrypt the elements in m g,j . We have β min > e j−1 . Therefore, we can obtain β min g = e j * −1 by finding a m g,j * with the smallest j * that has the element with plaintext equal to 1. This searching process could be speed up by using binary search tree algorithm.
Notice that during this whole decryption process, CA can only obtain the information of β min g . Other bidding values in the group are kept confidential.
Based on the decrypted group bids {β 1 , β 2 , · · · , β g , · · · , β G }, all the groups could be sorted in non-increasing order with random tie-breaking. The clearing price e * is set with the (w + 1)−th group bid β w+1 on this ordered list. Based on this price, we have the winning group set W as Notice that the auction may fail when the first w+1 groups on the ordered list all have the same group bid. In that rare case, the auctioneer could initiate a new round auction by using a different grouping result. Finally, the information about winning group set W (with fake IDs) and clearing price e * will be transferred from the CA to the auctioneer.

5) PUBLICATIONS AND CHARGES (USERS ⇔ AUCTIONEER)
For the last step, the auctioneer converts the fake group IDs into the true IDs. The winning group, clearing price, and the mapping of winning group to the access channel number, will be published to all the bidders. The bidders in the winning groups evenly share the charge e * , i.e., pays the following amount of money, and start to use the shared channel.
In practice, this auction process would be performed periodically in a relatively long interval, e.g., every several minutes, and we assume that during that period the interference condition will not change.

C. AN ILLUSTRATIVE EXAMPLE
We use the scenario shown in Fig. 1 to illustrate how the proposed framework works. We consider a simple example with 9 users that locate outside the exclusion zone compete for 2 channels. Firstly, we construct a conflict graph by SINR calculation, and the users could be split into 3 groups. One grouping result is shown in Fig. 3, and the users with the same color belong to the same group. Specifically, group orange: users {1, 5, 9}, group green: users {2, 6, 7}, and group red: users {3, 4, 8}. In this example, we assume that there are only 6 possible prices that the users could bid, and the price set P is {10, 12, 14, 16, 18, 20}. In Fig. 3, the values besides the users denote their bids, and all the bids must be selected from the price set P. To keep the users' bid confidential, user n encrypts her bid to a sealed bidding vector a n according to Eqn. (4). For instance, the users {1, 5, 9} (group orange) have the bids 10, 16, 18, respectively, and they are converted to the following sealed bidding vectors.
Recall that thanks to the randomizability of the ElGamal cryptosystem, all the ciphertexts El(v) and El(1) are encrypted independently. Therefore, without ElGamal private key, there is no way to tell how many El(v) (or El (1)) are in a n . To prevent the CA overhears and decrypts the sealed bidding vector, an encrypted version of a n is sent by using another public key generated by the auctioneer, i.e., Encrypt( a n , Key pub ). After the transfering, the auctioneer decrypts a n by using her private key as Decrypt( a n , Key pri ). Next, based on Eqn. (5), the auctioneer calculates the element-wise product vector c g for each group g by using a n . For instance, the element-wise product vector for the group orange would be Then, based on Eqn. (7), the auctioneer further converts it to a sealed group matrix M g for group g. For instance, the sealed group matrix for group orange would be M orange , as shown at the bottom of this page. Finally, the auctioneer sends the mixed sealed group matrix M g to the CA, which is converted from M g by permuating the elements in each column vector.
Finally, CA decrypts M g by using her ElGamal private key. By using the binary search tree algorithm, CA could find the minimum p * that m g,j * has the element with plaintext 1. Based on the obtained p * , the minimum bid in group g as β min g = e j * −1 could be easily calculated. For instance, we could decrypt the minimum bid in group orange as β min orange = e 1 = 10, by using decryption Decrypt El(v 2 ) El(v 2 ) r 3,2 = 1, and finding the minimum j is 2. Based on Eqn. (8), CA calculates the group bids, e.g., β orange = 10 × 3 = 30, β green = 14 × 3 = 42 and β red = 12 × 3 = 36. Since in this example, w = min (M , G) = min (2, 3) = 2, the clearing price is set to e * = 30, and the winning group set W consists of groups green and red. This clearing price will be shared by the users in the winning group. For instance, users {2, 6, 7} in winning group green and the users {3, 4, 8} in winning group red pay for the charges with e * /3 = 10.

IV. PERFORMANCE EVALUATIONS
In this section, we evaluate the proposed efficient privacy preserving spectrum sharing framework by simulations. The evaluation metrics include spectrum utilization efficiency, user satisfactory ratio, computation overhead and communication overhead. The considered scenario is a 1500m × 1500m square area, with multiple users randomly distributed. We assume the primary transmitter locates in the top right corner, and thus the surrounding 350m × 350m area is considered as the exclusion zone. The number of primary system's channels, number of possible prices, number of bidders are set to 20, 1000 and 500, respectively, unless explicitly stated otherwise. Similar to the setting in [33], we set the interference range to 1.7 times of the outdoor transmission range of IEEE 802.11n which is 425m. We average the simulation results by 100 trials with randomly generated user locations and bidding values. Firstly, in Fig. 4, we compare the proposed scheme with the privacy preserving conventional goods auction scheme [25] in terms of channel utilization efficiency. Here, the channel utilization efficiency is defined as the average number of users that share the same channel. In Fig. 4a, the number of channels is set to 20, and the number of bidders are varied from 50 to 500. As expected, for the proposed framework, the channel utilization efficiency increases when the number of bidders raises. Based on our scenario and inference range settings, we can infer that one group could consist of roughly 9 users without interference at most. Therefore, when the number of bidders increases, the channel utilization efficiency will approximate to this value. And regarding the cases that there is only small number of bidders, the channel is oversupplied obviously. In Fig. 4b, the number of bidders are set to 200, and the number of channels are varied from 5 to 40. We could observe that when the number of channel is small, e.g., 5 channels, the competition among the bidders becomes intense, and it would be easier to construct a group with more users. It is clear that the channel utilization efficiency of the proposed framework outperforms the one of the conventional privacy preserving auction scheme [25].
Secondly, we evaluate the proposed scheme on users' satisfactory ratio and show the results in Fig. 5. Here, the satisfactory ratio indicates the ratio of bidders who win the auction and thus could access the primary system's spectrum. Fig. 5a illustrates the satisfactory ratio varies with the number of bidders, when the number of channel is fixed to 20. We can see that when the number of bidders is less than 150, over 90% user satisfactory ratio could be achieved. This result is expected due to competitions among bidders are not very intense in that setting, and the 10% unsatisfied users are mainly locate inside the exclusion zones. When the number of bidders increases, the satisfactory ratio of both the proposed scheme and conventional auction scheme decrease, which means more and more bidders cannot win the auction. In Fig. 5b, we fix the number of bidders to 200, and change the number of channels from 5 to 40. We could observe that 25 channels or more could satisfy almost all 200 bidders. Finally, compared to conventional auction scheme, the proposed scheme could greatly improve the users' satisfactory ratio by taking into consideration the spectrum reusability.
Next, we illustrate the proposed scheme's computation overhead in Fig. 6. The prime number used in ElGamal encryption function is set to 128 bits. We adopt an evaluation environment with Intel Core i7-3770 CPU at 3.4 GHz. We compare the computation overhead for different parties, i.e., auctioneer, CA and bidder. From the results shown in Figs. 6a and 6b, we can observe that the auctioneer and CA's computation overheads increase linearly. It is confirmed that the ElGamal encryption and decryption processes contribute to this overhead mostly. We observe that the computation overhead at auctioneer is the heaviest, e.g., 21.2 seconds in the scenario with 500 bidders and 1000 possible prices. For each group g, the encryption overhead is proportional with |N g | × P times. The computation overhead at CA is much lower than that of auctioneer, e.g., 6.1 seconds in the same scenario. The reason is that the ElGamal decryption times is much smaller than the ElGamal encryption times, since we  use binary search tree algorithm to find the minimum bid in each group instead of decrypting all the elements. At last, we can see that the computation time in individual bidder is comparatively small, e.g., 0.05 seconds in the same scenario. Therefore, we can conclude that the proposed framework is feasible for the low-cost IoT devices. Notice that in our simulation, we do not use any multithreading functions, which could speed up the computation time. Based on our simulation results, the proposed efficient spectrum sharing framework is totally feasible for IoT scenario, since the heavy computation tasks are carried on powerful auctioneer and CA. And because the computation time is at the scale of dozens of seconds, we could expect the proposed framework works well if the spectrum auction is performed in comparatively long-term scale, e.g., every 30 minutes.
Finally, Fig. 7 illustrates the evaluation results in terms of communication overhead by comparing the proposed scheme with no-privacy-preserving spectrum auction scheme [5]. Since the data transfer between auctioneer and CA could be wired, we only focus on the bidder's communication overhead. For the no-privacy-preserving scheme, the payload for the bidding information is extremely low. For instance, when the number of possible prices P = 1000, the noprivacy-preserving scheme only needs to transmit a packet with 10 bits. Notice that here we do not consider the control header overhead for both schemes. From the single user communication overhead result shown in Fig. 7a, the communication overhead of the proposed framework reaches 62.5 KB when P = 2000. The majority of this overhead comes from the ElGamal ciphertext for every possible price. VOLUME 8, 2020 However, it is considered that this amount of communication overhead is acceptable even for low-cost IoT devices, since the bidding process is carried out in a comparatively long period. Furthermore, Fig. 7b illustrates the network total communication overhead. The communication overhead for the whole wireless network of the proposed scheme reaches 15.625 Mb, but that of the no-privacy-preserving scheme is still lower than 1 Kb.

V. CONCLUSION
In this paper, we have proposed an auction-based efficient privacy preserving spectrum sharing framework for IoT systems. The proposed auction framework enables an efficient and profitable allocation of underutilized spectral resources by taking into consideration the spectrum reusability. The truthfulness of the proposed spectrum auction scheme has been proved, therefore revealing the true valuation is every bidder's dominant strategy. The proposed framework utilizes the ElGamal cryptosystem to only reveal the groups' bid but keep the bidders' bids confidential. The evaluation results validate that the proposed framework could achieve high spectrum utilization efficiency and user satisfactory ratio, at acceptable communication and computation costs.