Towards Efficient and Privacy-Preserving Versatile Task Allocation for Internet of Vehicles

Nowadays, task allocation has attracted increasing attention in the Internet of Vehicles. To efficiently allocate tasks to suitable workers, users usually need to publish their task interests to the service provider, which brings a serious threat to users' privacy. Existing task allocation schemes either cannot comprehensively preserve user privacy (i.e., requester privacy and worker privacy) or introduce tremendous resource overhead. In this paper, we propose an efficient and privacy-preserving versatile task allocation scheme (PPVTA) for the Internet of vehicles. Specifically, we utilize the randomizable matrix multiplication technique to preserve requester privacy and worker privacy. Then, the polynomial fitting technique is leveraged to enrich the randomizable matrix multiplication to support versatile task allocation functions, such as threshold-based task allocation (PPVTA-I), conjunctive task allocation (PPVTA-II), and task allocation with bilateral access control (PPVTA-III). We formally analyze the security of our constructions to prove the security under the chosen-plain attack. Based on a prototype, experimental results demonstrate that our constructions have acceptable efficiency in practice.


I. INTRODUCTION
With the spread of computation and communication technologies, the Internet of vehicles attracts increasing attention [1], [2], [3], [4], [5]. Thus far, the Internet of vehicles has brought many new services and applications [6], [7], [8], [9], [10] that reinforce the transformation and enhance the users' experience. To achieve these services and applications, the first step is to build the connection between tasks (e.g., traffic monitoring tasks and travel recommendation tasks) and workers [11], [12]. Task allocation has become a promising paradigm to connect users [13], [14] since it can allocate tasks from requesters to suitable workers based on their task interests.
Despite the appealing benefits, it is challenging to design such a task allocation scheme in the Internet of vehicles when user privacy, resource overhead, and versatile task functions are all considered [15], [16], [17]. The first challenge is how to comprehensively preserve user privacy (i.e., worker privacy and requester privacy) while allocating tasks [18], [19]. In the Internet of vehicles, users' task interests usually imply their sensitive information. For example, a driver participating in traffic monitoring tasks can help other users better understand the current traffic conditions, but his or her location and route can be inferred from the tasks. It is obvious that if their sensitive information is not preserved well, users' enthusiasm for participating in the Internet of vehicles will be significantly reduced. The second challenge is how to efficiently allocate tasks to suitable workers [20]. In practical applications, the number of both tasks and workers is huge [21]. Without an efficient allocation scheme, tremendous resource overhead will be introduced to each entity in the system, especially the service provider. The final challenge is how to satisfy the versatile task allocation functions of users. With the increasing requirements of user experience, users usually have multiple task allocation functions, e.g., conjunctive task allocation [22] and task allocation with bilateral access control [23], [24]. Thus, to further enhance user experience and impel more users to participate in the Internet of vehicles, it is crucial to consider users' versatile task allocation functions.
Thus far, to resolve the above concerns, some task allocation schemes [18], [25], [26], [27], [28], [29], [30], [31], [32] have been proposed. For example, Shu et al. [25] utilized the secure k-nearest neighbor computation technique to design a privacy-preserving task allocation scheme. In their scheme, users utilize vectors to represent their task interests, and the service provider achieves task allocation over the encrypted vectors. However, their scheme can only resist the known-plaintext attack, which makes it vulnerable in practical applications. To improve security, some task allocation schemes have been proposed based on traditional cryptographic primitives, e.g., Yao's garbled circuit [33], bilinear map [34], and Paillier cryptosystem [35]. For example, Yang et al. [26] utilized the bilinear map to design a privacy-preserving task allocation scheme. Based on the Paillier cryptosystem, Zhao et al. [28] proposed a bilateral privacy-preserving task allocation scheme. In these schemes, user privacy is preserved well under the chosen-plain attack. Unfortunately, because these schemes introduce time-consuming traditional cryptographic tools, the entities in the system incur tremendous resource overhead. In addition, these schemes usually cannot satisfy versatile task allocation functions, which significantly hinders their implementation. To address these challenges, several works have been proposed by combining the randomizable matrix multiplication technique [18], [36], [37]. For example, Zhang et al. [36] utilized the randomized matrix multiplication technique to design a privacy-preserving task allocation scheme. In their scheme, tasks can be allocated to suitable workers without compromising user privacy. However, there are two limitations. The first is that workers' ciphertexts usually are required to be re-encrypted, which introduces additional overhead. When the number of workers is huge, it is not acceptable in practice. Additionally, these schemes ignore the versatility of task allocation functions.
Challenge: How to design an efficient and versatile task allocation scheme for the Internet of vehicles with comprehensive privacy preservation (i.e., worker privacy and requester privacy)?

A. RELATED WORKS
Nowadays, to allocate tasks to suitable workers without compromising user privacy, some privacy-preserving task allocation schemes [18], [25], [26], [27], [28], [32], [36], [38], [39], [40], [41] have been proposed. Specifically, Gong et al. [38] proposed the first task allocation framework with privacy preservation for crowdsourcing. In their framework, worker privacy is preserved well, while the privacy of requesters is ignored. To preserve worker privacy and requester privacy simultaneously, some works [25], [39], [40], [41] have been proposed. Specifically, based on the secure k-nearest neighbor computation technique, Shu et al. [25] proposed an efficient task allocation scheme with privacy preservation. However, their scheme assumes that all the participating entities are trusted and can only resist the known-plaintext attack. To improve security, some works based on traditional cryptographic tools have been proposed. Specifically, based on bilinear maps, Tang et al. [27] designed a bilateral task allocation scheme. In their scheme, tasks are allocated to eligible workers based on their interests in a win-win manner. Additionally, their scheme can preserve requester privacy and worker privacy simultaneously. Although these schemes can guarantee security under the chosen-plain attack, applying time-consuming tools also introduces tremendous resource overhead on each entity in the system, especially the service provider. To address the challenges above, inspired by matrix multiplication, some works have been proposed to achieve efficient task allocation with security under the chosen-plain attack [18], [32], [36], [37]. Specifically, Ni et al. [18] utilized proxy re-encryption to design an accurate task allocation scheme with privacy preservation. In their scheme, both users' reputation and geographic data are considered. However, in their scheme, the matrix dimension grows with the number of tasks. Thus, when the number of tasks is huge, tremendous resource overhead is still introduced to the entities in the system. Zhang et al. [37] utilized the randomized matrix multiplication technique and data perturbation technique to design a privacy-preserving task allocation scheme. However, in their scheme, workers' ciphertexts are required to be re-encrypted on the service provider side. With the re-encryption mechanism, when the number of workers is huge, it is obvious that the service provider will incur tremendous computational overhead. In addition, the above schemes ignore the versatility of task allocation.

B. CONTRIBUTIONS
To deal with the challenges, an efficient privacy-preserving versatile task allocation scheme (PPVTA) is proposed for the Internet of vehicles. Specifically, we summarize the contributions as follows:
- We identify the challenges in designing task allocation schemes for the Internet of vehicles. Then, to deal with the above challenges, we propose an efficient and privacy-preserving versatile task allocation scheme, named PPVTA.
- Based on the randomizable matrix multiplication and polynomial fitting techniques, PPVTA can support versatile task allocation functions in a privacy-preserving manner. Particularly, PPVTA-I, PPVTA-II, and PPVTA-III support threshold-based task allocation, conjunctive task allocation, and task allocation with bilateral access control, respectively.
- Formal security analysis proves that PPVTA can simultaneously preserve requester privacy and worker privacy under the chosen-plain attack. Extensive experiments show that our constructions have acceptable efficiency in practice.
Organization: The remainder of our paper is organized as follows. The system model and design goals are introduced in Section II. Subsequently, we provide the detailed construction of PPVTA-I in Section III and the discussion of PPVTA-II and PPVTA-III in Section IV. A formal security analysis is provided in Section V, and a performance evaluation is shown in Section VI. Finally, we give a conclusion of this paper in Section VII.

II. MODELS AND DESIGN GOALS
This section first introduces the system model of PPVTA. Subsequently, the threat model of PPVTA is provided. Then, we formulate the design goals of PPVTA.

A. SYSTEM MODEL
As illustrated in Fig. 1, in PPVTA, there are five entities, i.e., workers, requesters, cloud, edge devices, and a key generation center.
- Requesters: The requesters are usually individuals and organizations. They send tasks to edge devices and find workers to complete their tasks.
- Workers: The workers are usually individuals who publish their task interests to edge devices and find suitable tasks.
- Cloud: As a storage service provider, the cloud is responsible for storing encrypted data.
- Edge devices: The edge devices are usually computing service providers in the Internet of vehicles. They are responsible for allocating tasks to suitable workers.
- Key generation center (KGC): As a trusted authority, the KGC generates system parameters and user keys.
At a high level, PPVTA can be described as follows: (1) The KGC generates system parameters. Subsequently, it sends re-encryption keys to edge devices and encryption keys to workers and requesters in the system; (2) Workers send the encrypted interest matrices to edge devices; (3) Edge devices periodically upload the matrices to the cloud for long-term storage; (5) Requesters upload the encrypted task matrices to edge devices; (6) Edge devices re-encrypt the task matrices and allocate these tasks to suitable workers over the ciphertexts.

B. THREAT MODEL
The KGC is considered fully trusted and the interactions with the KGC are considered secure. The workers, requesters, cloud, and edge devices are all honest-but-curious. Specifically, they honestly execute the steps of task allocation, but they try to infer others' private information. Besides, we assume that neither the edge devices nor the cloud would operate in collusion with other entities. Also, we assume that they do not pretend to be valid workers or requesters. The assumption is consistent with most existing IoV applications. Specifically, the chosen-plain attack (CPA) model is considered in this paper. The adversary can choose some valid plaintexts of interest vectors or task vectors and get the corresponding ciphertexts. Each entity other than the KGC can be an adversary.

C. DESIGN GOALS
The formulated design goals of this paper are below:
- Utility: PPVTA should perform efficient and effective task allocation which includes multiple functions, i.e., threshold-based task allocation, conjunctive task allocation, and bilateral task allocation.
- Efficiency: PPVTA should achieve task allocation with low computational and communication overhead.

III. PROPOSED PPVTA SCHEMES
PPVTA has three different functions of task allocation. In this section, we only provide the detailed construction of PPVTA-I, which supports threshold-based task allocation. PPVTA-I consists of four phases, i.e., setup, worker interest submission, requester task submission, and task allocation. The notations are summarized in Table 1.

A. SETUP
In this phase, the KGC generates secret keys for other entities (e.g., workers, requesters, and edge devices). Assume that $M$ is the maximum number of keywords in the trapdoor of each task. The KGC generates four $(M+2) \times (M+2)$-dimensional invertible random matrices as the master secret keys $\{M_1, M_2\}$ and re-encryption keys $\{B_1, B_2\}$. Next, through secure channels, the KGC sends the re-encryption keys $(B_1, B_2)$ to edge devices.
For worker $u_k$, the KGC takes $(1, 1, \ldots, 1, 0)$ as the main diagonal and extends the diagonal vector to an $(M+2) \times (M+2)$-dimensional random lower triangular matrix $I_k$. (1) Next, $\{A_{k,1}, A_{k,2}\}$ are sent to the worker $u_k$. Similarly, for requester $u_j$, the KGC extends the same diagonal vector $(1, 1, \ldots, 1, 0)$ to an $(M+2) \times (M+2)$-dimensional random lower triangular matrix $I_j$. Note that both matrix $I_k$ for worker $u_k$ and matrix $I_j$ for requester $u_j$ are unique. Then, the KGC computes $u_j$'s encryption keys as Next, $\{B_{j,1}, B_{j,2}\}$ are sent to the requester $u_j$.

B. WORKER INTEREST SUBMISSION
Each worker sends the encrypted interest matrix to the edge devices in this phase. Based on the set of keywords $M_k$ that the worker $u_k$ is interested in, $u_k$ first calculates the hashes of where $\{r_{k,b}\}_{b=1}^{|M_k|}$ are random values. Subsequently, $u_k$ takes interest vector $\vec{S}_{k,b}$ as the diagonal vector and extends it towards the interest matrix $S_{k,b}$, Then, with $\{A_{k,1}, A_{k,2}\}$, $u_k$ encrypts the interest matrices as , the encrypted interest matrices to the edge devices. After a period of storage for the ciphertexts from the worker $u_k$, the edge devices upload the ciphertexts $\{E_k[S_{k,b}]\}_{b=1}^{|M_k|}$ to the cloud.

C. REQUESTER TASK SUBMISSION
Each requester encrypts the task requirement keywords and publishes the ciphertexts to the edge devices in this phase. Subsequently, the edge devices re-encrypt the ciphertexts.
Step 1: The requester $u_j$ specifies the requirement which consists of $|M_j|$ keywords that $u_j$ is interested in. To make the number of keywords consistent, $M - |M_j|$ dummy keywords $\{w_{j,|M_j|+1}, w_{j,|M_j|+2}, \ldots, w_{j,M}\}$ are added to $M_j$. Note that each dummy keyword is different from any real dictionary word and thus it has no impact on the matching result. Based on $M_j$, $u_j$ first calculates the hashes of keywords $\{d_{j,c}\}_{c=1}^{M}$ as $d_{j,c} = h_s(w_{j,c})$.
Considering the tremendous overhead of $m$-degree polynomial root tracking, which requires $2m^2$ complex floating point operations, we construct a polynomial fitting function of degree $M$, called the keyword function, as $= a_{j,0} + a_{j,1}x + \cdots + a_{j,M}x^M$, to hide the keywords. Then, $u_j$ generates the $(M+2)$-dimensional task vector $\vec{T}_j$ as where $r_j$ is a random value. Subsequently, $u_j$ extends the vector to an $(M+2) \times (M+2)$-dimensional lower triangular random matrix $T_j$, where the main diagonal is $\vec{T}_j$. Then, $u_j$ encrypts the matrix with At last, $u_j$ sends $E_j[T_j]$ to the edge devices.
Step 2: After receiving $E_j[T_j]$ from $u_j$, the edge devices re-encrypt the data utilizing $(B_1, B_2)$ as

D. TASK ALLOCATION
Finally, the edge devices execute task allocation in this phase.
After finding the ciphertexts of worker $u_k$'s interest matrices in the temporary storage of the edge devices or obtaining the ciphertexts from the long-term storage of the cloud, for worker $u_k$ and requester $u_j$, the edge devices compute In (11), $\mathrm{tr}(\cdot)$ represents the matrix trace function. Obviously, b=1 is considered as $\mathit{score}_{j,k}$, the matching score between $u_j$ and $u_k$. If $\mathit{score}_{j,k} \ge t_j$, the edge devices will put the worker $u_k$'s identity $id_k$ into $W_j$, the requester $u_j$'s identity set of capable workers. Finally, the edge devices get $W_j = \{id_k\}_{\mathit{score}_{j,k} \ge t_j}$ after computing the matching scores.

IV. DISCUSSION
In addition to threshold-based task allocation, PPVTA can support some other functions, such as conjunctive task allocation and task allocation with bilateral access control. In this section, we focus on the other two task allocation functions of PPVTA.

A. CONJUNCTIVE TASK ALLOCATION
In practical applications, the workers are allowed to find tasks that satisfy all of their interests. To meet the requirement, PPVTA-II supports conjunctive task allocation. Specifically, unlike threshold-based task allocation, edge devices do not calculate the matching score. In the phase of worker interest submission, after the worker $u_k$ generates the interest vectors $\{\vec{S}_{k,b}\}_{b=1}^{|M_k|}$, $u_k$ sums these vectors as the conjunctive interest vector Then, $u_k$ generates the conjunctive interest matrix and encrypted matrix in the same way as PPVTA-I so that $u_k$ hides all his or her keywords of interests in one matrix. Then, $u_k$ sends the matrix to the edge devices. In the phase of task allocation, for worker $u_k$ and requester $u_j$, the edge devices only compute one task allocation result j,k as j,k = 0 only if $M_k \subseteq M_j$, and if j,k = 0, the edge devices will put $id_k$ into $W_j$, $u_j$'s set of suitable worker identities.
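The matching idea behind the trace computation in Section III-D and the summed interest vector above, as an added Python example that is not the paper's code. It assumes the keyword function vanishes at the hashed keywords, works over a prime field, pads both vectors with one extra slot, and collapses the per-user keys and the edge re-encryption into one key pair (A1, A2) whose inverses encrypt the task; the paper's exact key equations are not reproduced on this page.

```python
import hashlib, hmac, secrets

P = 2**61 - 1  # prime modulus; an assumption, the page does not fix a field

def h(key, word):
    """Keyed keyword hash (stand-in for h_s), reduced into the field."""
    digest = hmac.new(key, word.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % P

def matmul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) % P for j in range(n)]
            for i in range(n)]

def inverse(m):
    """Gauss-Jordan inverse mod P; raises ValueError if m is singular."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            raise ValueError("singular matrix")
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, P)
        aug[c] = [x * inv % P for x in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                f = aug[r][c]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def keygen(n):
    """Random invertible n x n key matrix together with its inverse."""
    while True:
        m = [[secrets.randbelow(P) for _ in range(n)] for _ in range(n)]
        try:
            return m, inverse(m)
        except ValueError:
            pass  # singular draw, retry

def lower_triangular(diag):
    """Random lower triangular matrix whose main diagonal is `diag`."""
    n = len(diag)
    return [[diag[i] if i == j else secrets.randbelow(P) if j < i else 0
             for j in range(n)] for i in range(n)]

def trace(m):
    return sum(m[i][i] for i in range(len(m))) % P

def task_vector(key, words, M):
    """(M+2)-vector: blinded coefficients of a degree-M polynomial whose roots
    are the hashed keywords (padded with dummies), plus one random slot."""
    padded = list(words) + ["dummy:" + secrets.token_hex(8) for _ in range(M - len(words))]
    coeffs = [1]  # ascending powers of x
    for d in (h(key, w) for w in padded):  # multiply the polynomial by (x - d)
        coeffs = [(prev - d * cur) % P for prev, cur in zip([0] + coeffs, coeffs + [0])]
    r = 1 + secrets.randbelow(P - 1)  # nonzero blinding factor r_j
    return [r * a % P for a in coeffs] + [secrets.randbelow(P)]

def interest_vector(key, word, M):
    """(M+2)-vector (r, r*d, ..., r*d^M, 0) for one hashed keyword d."""
    d, r = h(key, word), 1 + secrets.randbelow(P - 1)
    return [r * pow(d, i, P) % P for i in range(M + 1)] + [0]

def allocate(task_words, interests, threshold, M=4):
    """Return (score, threshold_match, conjunctive_match) from ciphertexts only."""
    key, n = b"constructed-hash-key", M + 2  # constructed sample key
    (A1, A1_inv), (A2, A2_inv) = keygen(n), keygen(n)
    enc_worker = lambda v: matmul(matmul(A1, lower_triangular(v)), A2)
    enc_task = lambda v: matmul(matmul(A2_inv, lower_triangular(v)), A1_inv)
    E_task = enc_task(task_vector(key, task_words, M))
    vecs = [interest_vector(key, w, M) for w in interests]
    # tr(E_task * E_worker) = tr(T * S) = sum of diagonal products = r_j * r_k * f(d)
    deltas = [trace(matmul(E_task, enc_worker(v))) for v in vecs]
    score = sum(d == 0 for d in deltas)          # threshold-based (PPVTA-I style)
    conj = [sum(col) % P for col in zip(*vecs)]  # summed vector (PPVTA-II style)
    conj_is_zero = trace(matmul(E_task, enc_worker(conj))) == 0
    return score, score >= threshold, conj_is_zero
```

The example checks correctness of matching only; a non-matching keyword yields a zero trace with probability about 1/P, and nothing here tests the CPA claims of Section V.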

B. TASK ALLOCATION WITH BILATERAL ACCESS CONTROL
To improve the accuracy of sensing data, both workers and requesters may have the requirements of access control. PPVTA-III supports task allocation with bilateral access control. Specifically, each user generates two matrices, i.e., policy matrix and attribute matrix, and the principle of task allocation in PPVTA-III is similar to PPVTA-II. In PPVTA-III, the matrices are extended to $M+4$ dimensions, where $M$ is the maximum number of both requester $u_j$ and worker $u_k$'s policies.
In the phase of setup, all the secret keys are extended to $(M+4)$-dimensional matrices and the main diagonals of both $I_k$ and $I_j$ are $(M+4)$-dimensional vectors $(1, 1, \ldots, 1, 0)$. Then, the KGC generates the secret keys and sends them to the edge devices, workers, and requesters.
In the phase of worker interest submission, the worker $u_k$ first adds $M - |P_k|$ dummy keywords to $P_k$ and then calculates the hashes of attributes $\{e_{k,b}\}_{b=1}^{|A_k|}$ and hashes of policies Similarly to the generation of the task vector in PPVTA-I, $u_k$ generates coefficients of the policy function $\{g_{k,b}\}_{b=0}^{M}$. Then, $u_k$ generates an $(M+4)$-dimensional attribute vector $X_k$ as and an $(M+4)$-dimensional policy vector $Y_k$ as $Y_k = (s_{k,3} \cdot g_{k,0}, s_{k,3} \cdot g_{k,1}, \ldots, s_{k,3} \cdot g_{k,M}, -s_{k,1}, s_{k,2}, 0)$, Similarly, in the phase of requester task submission, the requester $u_j$ generates an $(M+4)$-dimensional attribute vector $X_j$ as and an $(M+4)$-dimensional policy vector $Y_j$ as $s_{j,1}$, $s_{j,2}$, and $s_{j,3}$ are random values. Then, $u_j$ also generates and encrypts the two matrices and sends the encrypted attribute and policy matrices to the edge devices. Next, the edge devices re-encrypt the two matrices.
In the phase of task allocation, the edge devices compute the task allocation result j,k as j,k = 0 only if $A_k \subseteq P_j$ and $A_j \subseteq P_k$. Note that because of the random values $s_{k,1}$, $s_{k,2}$, $s_{j,1}$, and $s_{j,2}$, the edge devices cannot get any privacy by only calculating tr . If j,k = 0, the edge devices will add the worker $u_k$'s identity $id_k$ to $u_j$'s worker identity set $W_j$.

V. SECURITY ANALYSIS
We first provide a formal security analysis of the security of our proposed encryption and re-encryption methods. Then, we prove that both requester privacy and worker privacy are preserved well in PPVTA. Since the encryption process of requesters is similar to that of workers, we focus on the security of the workers' encryption process due to space limitations.
Theorem 1: Our encryption method is secure against the chosen-plain attack.
Proof: As shown in Fig. 2, we provide an experiment between challenger C and adversary A. Based on the experiment, we define security under the CPA model as where is negligible.
Assume that $\vec{X}_0 = (x_{0,0}, x_{0,1}, \ldots, x_{0,M+2})$ is the vector to be encrypted. In the Challenge phase, the challenger C sets $\vec{X}_0$ as the main diagonal and then generates a random lower triangular matrix $X_0$. Next, C utilizes the secret keys $(A_1, A_2)$ to generate the ciphertext $A_1 \times X_0 \times A_2$. Assume that the elements in $A_1$, $X_0$, and the product $A_1 \times X_0$ are $a_{1,i,j}$, $x_{0,i,j}$, and $z_{1,i,j}$, respectively. Then, C computes where For simplicity, $*$ denotes the random values in $X_0$. Next, we assume that the elements in $A_2$ and the product $A_1 \times X_0 \times A_2$ are $a_{2,i,j}$ and $z_{2,i,j}$, respectively. Then, C computes $z_{2,i,j} = z_{1,i,1} a_{2,1,j} + z_{1,i,2} a_{2,2,j} + \cdots + z_{1,i,M+2} a_{2,M+2,j}$. It can be seen that ∀M are fixed values. Therefore, it is obvious that $z_{2,i,j}$ is a random value associated with $x_{0,i,j}$. That is, although adversary A can request the corresponding ciphertexts from C continuously, the ciphertexts look random from the view of A. Thus, A has a negligible advantage in distinguishing the corresponding plaintexts. Subsequently, A can only guess $b = 0$ or $b = 1$ at random. It can be seen that where is negligible. Therefore, Theorem 1 is proven.
Theorem 2: Our re-encryption method for requesters is secure against the chosen-plain attack.
Proof: Similar to the security analysis of the encryption method, we can prove that the proposed re-encryption method is secure against the chosen-plain attack. Thus, we omit the detailed proof.
Theorem 3: If both Theorems 1 and 2 are proven, the privacy of interest and task will not be leaked to any adversary.
Proof: In our proposed construction, workers and requesters do not receive data from other entities. Since the encryption and re-encryption methods have been proven to be secure against the chosen-plain attack, workers and requesters cannot infer others' private data based on their secret keys.
, $\mathit{score}_{j,k}$, $\delta_{j,k,b}$, and $t_j$. Similar to the cloud, the edge devices cannot obtain any private data from Since $\mathit{score}_{j,k}$, $\delta_{j,k,b}$, and $t_j$ do not contain private data of interests and tasks, the edge device cannot break privacy.

VI. PERFORMANCE ANALYSIS
In this section, based on a prototype, we analyze the performance of our constructions, i.e., PPVTA-I, PPVTA-II, and PPVTA-III. We make comparisons between our constructions and the two most recent multi-keyword task allocation schemes FRUIT [36] and SETM [26].

A. EXPERIMENTAL CONFIGURATION
The cloud server is deployed on the aliyun platform, 1 which is 64-bit, 4 CPUs with 16 GB of RAM. We utilize four laptops with 16 GB of RAM to act as edge devices. Users communicate with the laptops on their mobile phones. In our constructions and FRUIT, the security parameter λ equals 80, and the programs are coded in Java by using the Jama library. In SETM, programs are coded in Java by using the JPBC library. The Type A curve with 80-bit security is selected. Each experiment is executed ten times, and we record the average running time as the final experimental results. The number of keywords ranges from 10 to 100.

B. EXPERIMENTAL EVALUATION
1) ON THE WORKER SIDE
We evaluate the computational costs on the worker side and illustrate the experimental results in Fig. 3. Particularly, in Fig. 3, we range the number of keywords from 5 to 100. It can be seen that PPVTA-II and PPVTA-III are more efficient than other schemes. The computational costs of PPVTA-I are In SETM, the worker requires $4T_{exp} + |M_k|T_{mul}$ to encrypt his or her interest, where $T_{exp}$ denotes the time for executing an exponentiation operation and $T_{mul}$ denotes the time for executing a multiplication operation in the bilinear maps. In addition, it can be seen that the computational costs of PPVTA-I and FRUIT grow linearly with the number of keywords, and they require $2|M_k|T_{M+2}$ and $2|M_k|T_{M+4}$, respectively.
1 https://www.aliyun.com/?utm_content=se_1012440662

2) ON THE EDGE DEVICES
Next, we evaluate the computational costs of the edge devices. Specifically, the number of keywords is set as 10, 20, 50, and 100. The number of workers ranges from 5 to 130. The experimental results are shown in Fig. 4. Since SETM relies on time-consuming pairing operations to perform the matching operations, the computational costs of SETM are much higher than other schemes, which are designed based on the randomizable matrix multiplication technique. Also, it can be seen that FRUIT has higher computational costs than PPVTA-I, PPVTA-II, and PPVTA-III. This is because, in FRUIT, additional matrix operations are required to re-encrypt the workers' ciphertexts. In addition, PPVTA-I has higher computational costs than PPVTA-II and PPVTA-III. This is because PPVTA-I requires $(|M_k| + 2)T_{M+2}$ to perform the matching operations, while in PPVTA-II and PPVTA-III, only $T_{M+2}$ and $2T_{M+4}$ are required, respectively.

3) ON THE REQUESTER SIDE
Then, we evaluate the computational cost of the requester side and range the number of keywords from 5 to 100. We illustrate the experimental results in Fig. 5. Particularly, to generate task ciphertext, the computational cost in SETM is $(3|M_k| + 3)T_{exp} + 3|M_k|T_{mul}$, which is much higher than other schemes. Additionally, since PPVTA-III needs to generate attribute and policy matrices, while other schemes only need to generate an attribute matrix, PPVTA-III has higher computational costs than other schemes. In summary, our proposed constructions have practically acceptable efficiency.

VII. CONCLUSION
In this paper, based on the techniques of polynomial fitting and randomizable matrix multiplication, an efficient and privacy-preserving versatile task allocation scheme (PPVTA) is proposed for the Internet of vehicles. PPVTA can support versatile task allocation functions with privacy preservation in practical applications. Particularly, PPVTA-I, PPVTA-II, and PPVTA-III support threshold-based task allocation, conjunctive task allocation, and task allocation with bilateral access control, respectively. Security analysis proves that in our constructions, both worker privacy and requester privacy are preserved well under the chosen-plain attack. Experimental results on a prototype demonstrate that our constructions have acceptable efficiency in practice. For future work, to provide more versatile task allocation functions, we will further extend our constructions to support location-based and reputation-based task allocation in the Internet of vehicles.