Towards a Smart Privacy-Preserving Incentive Mechanism for Vehicular Crowd Sensing

the


Introduction
As the population of cities starts to grow, the number of cars begins to increase, which has caused congestion problems on the roadways and the parking lots [1]. It is not only an inconvenience for commuters but can also cause billions of dollars in lost time and wasted fuel. Smart transportation is a solution to make real-time control decisions for traffic efficiency and security, where large amounts of traffic information are needed [2]. Nowadays, vehicles have more powerful sensoring, storing, and computing capabilities, and they are capable of collecting and sharing data. As for data acquisition, the ubiquity of crowd sensing has enabled the emergence of vehicular crowd sensing (VCS), which leverages the power of vehicles to collect massive traffic data [3]. As shown in Figure 1, when there is an emergent traffic event (e.g., rear-end accident or traffic jam) on the roadway, the vehicles around the location of the event can submit the real-time traffic data to the nearby road side units (RSUs), i.e., vehicles perform the crowd sensing task distributed by the transportation administration (TA) via RSUs. However, due to the resource consumption, fairness, and privacy leakage problems, vehicles may be reluctant to participate in crowd sensing tasks without an effective and fair incentive mechanism and privacy protection solutions.
Some privacy-preserving incentive mechanisms (PPIMs) have been proposed for protecting vehicles' privacy in VCS. However, these schemes either rely on a central platform [4] or lack of considering the fairness of the incentive mechanism [5], leading to collusion attack [6], potential privacy disclosure, or inadequate incentive. As the most popular distributed technology, blockchain has enabled incentive mechanism in VCS for secured authentication and collusion attack resistance. To be specific, smart contracts running on the blockchain take the place of the centralized platform to run the incentive mechanisms, which handles all interactions and overcomes the challenges of centralized execution, e.g., collusions between TA and RSUs, RSUs and vehicles. Although a few blockchain-based PPIMs [4,5,7] have been proposed, they either need a trusted third party to assist the privacy protection [4,7] or lack the fairness of the payments [5].
To address the privacy issue, a common method is to take advantage of the anonymous mechanism, i.e., each vehicle has multiple pseudonyms or anonymous credentials which can be anonymously authenticated to protect the vehicle's privacy. However, there exists limitation to perform complex operations on a blockchain, e.g., in Ethereum, and the gas requirements of an operation cannot exceed the block gas limit. Hence, it is challengeable to design "light" operations of anonymous authentication on the blockchain to fulfill the privacy protection of the vehicles in VCS.
To address the fairness issue, most auction-based incentive mechanisms [4,[8][9][10] encourage vehicles to take part in crowd sensing tasks, where they submit bids to the central platform to compete for a task. e platform selects winning users to perform tasks and get paid. Nevertheless, it is unfair to determine the winners and the payment only depending on the bids and without considering the reputation of the vehicles and the submitted data quality. Hence, it cannot motivate people to submit high-quality sensory data.
In this paper, to address these challenges, we propose a smart privacy-preserving incentive mechanism (SPPIM) to stimulate the vehicles to submit high-quality sensory data and get fair payment with privacy protection. We focus on the vehicles' privacy protection without a trusted platform and aim to design a fair incentive mechanism which results in a rational payment according to the past and present performance of the vehicle. Specifically, the main contributions of this paper are as follows: (i) We design a smart privacy-preserving incentive mechanism model and give an effective SPPIM based on budget-limited reverse auction via smart contract, which can ensure fairness of the payments for vehicles and data quality assurance for the task initiator.
(ii) SPPIM preserves the vehicles' privacy by using anonymous credentials without any trusted party. Meanwhile, bids preservation is achieved by using Pedersen commitment [11] from the vehicles to the task initiator. Anyone who obtains a committed bid, except the task initiator, is unable to get information about the bid's value. (iii) We make a theoretical security and privacy analysis of the proposed SPPIM and evaluate the performance of the incentive mechanism by computing the utility of the vehicle and the task initiator. Furthermore, we implement the proposed SPPIM on the Ethereum testnet to verify its feasibility and provide a comprehensive analysis of the performance.

Problem Statement
In this section, we formalize the system model of vehicular crowd sensing, the smart PPIM model, and the threat model and also identify our design goals.

System
Model. e system model mainly consists of the following four entities: block chain network, fog servers, task initiator, and vehicles as shown in Figure 2.
(i) Blockchain network has a decentralized and public ledger, which is shared with the legitimate miners and vehicles, and serves for SPPIM in vehicular crowd sensing. Smart contracts are designed to define and execute contracts, consisting of functions and data. Without a trusted platform, SPPIM is executed in a verifiable manner via smart contracts. New blocks, with all transactions of the incentive mechanism for vehicular crowd sensing task, will be audited and finally added to the block chain. (ii) Fog servers are honest but are curious and connect with vehicles via wireless links. We assume that fog servers, acting as miners, have powerful computing and storage capabilities, and they act as the consensus nodes to maintain the blockchain network. Each fog server stores the whole ledger, which enables the validation of the blocks and transactions. Fog servers are also in charge of verifying the registration of the task initiator and vehicles and take control of the data quality. (iii) Task initiator publishes the sensing task and pays the reward to winning vehicles via smart contracts. e task initiator communicates with the fog servers via the smart contracts, which are deployed on the fog servers. In our scenario, transportation administration (TA) takes the role of the task initiator. (iv) Vehicles assume that there are N vehicles, denoted by V � (V 1 , V 2 , . . . , V N ), competing for a sensing task, and each vehicle V j will submit a bid b j , the current reputation R j , and the sensory data D j . en, vehicles can get some rewards according to their reputation and the submitted data quality.   Figure 3. We leverage the smart contract to replace the centralized platform. Our SPPIM model, based on budget-limited reverse auction [9], consists of a task initiator TA and N vehicles, i.e., V � (V 1 , V 2 , . . . , V N ). e task initiator wants to gather some data, such as emergent traffic conditions, and then publish a crowd sensing task. Vehicles are willing to collect this type of data and bid for the task. In this model, the task initiator acts as a buyer and vehicles act as sellers. All vehicles and the task initiator enter the auction process for reward payments and sensory data acquisition. e workflow of the proposed SPPIM model is as follows.
(i) TA deploys a sensing task via smart contract on the block chain. (ii) Vehicles prove their legitimate identities to fog servers anonymously. (iii) Legitimate vehicles provide their bids to fog servers, which run the deployed smart contracts to determine the winner set B w of the auction. (iv) Winning vehicles submit the required data, and fog servers calculate the reward payment P. Vehicles whose data quality meets the requirements get paid according to the data quality. (v) TA gets the collected information from the fog server. (vi) Fog servers verify all the transactions and build new blocks periodically.
We present the key notations used in this article in Table 1.

reat Model.
We assume that fog servers follow the protocols but are also curious about vehicles' privacy. Task initiators and vehicles are not trusted because they can launch attacks out of self-interests.
(i) Fog servers can launch passive attacks, and they are interested in the identity of task initiators and vehicles from the submitted messages and transactions. And they may be compromised or colluded with some vehicles or task initiator leading to privacy disclosure. (ii) A task initiator may publish a sensing task without a reward guarantee and prematurely abort a task, and it may also try to obtain the private information of vehicles by accessing the block chain. (iii) Vehicles are also curious about other vehicles' identities and bids. A dishonest vehicle may forget its reputation and try to get private information of other vehicles. A misbehaved vehicle may steal sensory data or collude with other vehicles to get extra rewards. (iv) External adversary can eavesdrop the transmitting messages to violate vehicles' privacy. And it may impersonate a legitimate vehicle to perform a crowd sensing task and even trick a task initiator into paying for a reward.

Design Goal.
Our goal is to design a privacy-preserving incentive mechanism with enhanced fairness for vehicular crowd sensing. Specifically, the proposed SPPIM will achieve the following requirements:    Security and Communication Networks server cannot identify vehicles' real identities when a task initiator publishes a task or a vehicle performs a sensing task. (iii) Bid Privacy. All vehicles cannot know the bids submitted by others before committing to their own bids. is can help prevent the vehicles' collusion. (iv) Financial Fairness. Vehicles get paid depending on their bids, the past, and current performance, i.e., reputation and the data quality. Meanwhile, vehicles or TA may attempt to deviate from the contract or prematurely abort, which will affect the SPPIM. e aborting parties will be financially penalized.
(v) Collusion Attack Resistance. If the TA or a fog server is compromised or colluded with some vehicles or task initiator, the SPPIM can still work well.

Preliminaries
We take advantage of the following cryptographic building blocks and technologies to construct our SPPIM. [12]. Let G 1 , G 2 , and G T be three cyclic groups of the same prime order q. A function e: G 1 × G 2 ⟶ G T is a bilinear map if the following properties hold:

Cryptographic Building Blocks. Bilinear Pairing
(i) Bilinearity: e(u a , v b ) � e(u, v) ab , for all u ∈ G 1 , v ∈ G 2 , and a, b ∈ Z q (ii) Nondegeneracy: e(g 1 , g 2 ) ≠ 1, where g 1 and g 2 are generators of G 1 and G 2 , respectively (iii) Computability: there exists an algorithm which can compute e(u, v) efficiently for all u ∈ G 1 and v ∈ G 2 Zero-Knowledge Proof [13]. A zero-knowledge proof is a two-party (i.e., a prover and a verifier) protocol which allows a prover to convince the verifier that something is true without revealing any information. Specifically, a prover convinces a verifier of knowledge of values (a 1 , . . . , a n ) that satisfy the predicate P denoted by ZkPoK a 1 , . . . , a n |P a 1 , . . . , a n , ZkPoK can be used as an effective way to design a secure public-key cryptosystem. In this paper, we use zeroknowledge proofs to generate the anonymous credentials of vehicles and to complete the anonymous authentication.

Reverse
Auction. e auction usually acts as an effective way to allocate goods or services to bidders who give the highest bidder [14]. An auction becomes a reverse auction when swapping the roles of the buyers and the sellers. e reverse auction model was first applied in a participatory perception system in Lee and Hoh [15] and has been widely used as a design model for incentive mechanisms in mobile crowd sensing [16][17][18]. Similarly, the reverse auction is a good solution for monetary incentives in vehicular crowd sensing, which encourages vehicles to sell their data.
In this paper, we use reverse auction with budget constraints [9] to model our incentive scenario. e vehicles act as sellers/bidders and will be selected to collect data. And the TA acts as a buyer, who purchases data provided by the vehicles with a limited budget. [19] is a distributed and public ledger which maintains an evergrowing list of digital transactions, which can be verified and audited by any users. Since blockchain provides a secure method for online transactions among anonymous

Notation
Definition λ e security parameter q A large prime whose length is λ Z q An additive group of order q G, G T Two cyclic groups of the same prime order q g, g 1 Generators of G μ A daily verification key e(., .) A nondegradable bilinear mapping H(.) A collision-resistant hash function Ω A bloom filter for fast authentication factors (s, Y F � g s ) e fog's private key and public key e weight of the accuracy of the data and the submission time q i e data quality of vehicle V i m ′ e amount of vehicles who submit high-quality data p i e reward for vehicle V i in the reward payment P participants, it is inherently consistent with our requirements, i.e., without a trusted third party. Recently, smart contract [20] has been adopted to allow users to define and execute contracts on the block chain. A smart contract is a computer code running on top of a blockchain containing a set of rules under which the parties to that smart contract agree to interact with each other. If and when the predefined rules are met, the instruction of the agreement is automatically enforced. e rules of transactions in our SPPIM can be enforced with smart contracts, which avoid the collusion attack [21] between the TA and the fog server, and then vehicles' equity is guaranteed.

The Proposed Smart Privacy-Preserving Incentive Mechanism
In this section, we first describe the overview of our SPPIM and then specify the detailed mechanism and the corresponding smart contracts.

Overview of the Proposed Incentive Mechanism.
Our proposed SPPIM consists of anonymous authentication mechanism, privacy-preserving winner selection algorithm, and fairness-enhanced reward payment scheme.
(i) Anonymous Authentication Mechanism. e fog servers generate the system parameters and set the private key and public key. Vehicles get their anonymous credentials with the help of fog servers via the zero-knowledge proofs of knowledge. A fast authentication factor corresponding to each legitimate vehicle is stored in a bloom filter [22], which is kept on the blockchain for quick anonymous authentication. After passing the authentication, the vehicle can compete for a sensing task.

(ii) Privacy-Preserving Winner Selection Mechanism.
When a vehicle competes for a sensing task, it first anonymously authenticates itself and bids for it. All legitimate vehicles and TA enter the reverse auction process for the sensing task. Since the location of the same abnormal traffic condition should not be very different, vehicles with excessive location deviation will be filtered. e winner selection mechanism also takes advantage of Pedersen commitment [23] to maintain bid's privacy. Vehicles first submit their commitments to the sealed bids on the smart contracts and then reveal the commitments secretly to the fog server, who runs the winner selection algorithm to determine the winner set of the task depending on the bids, reputations, and their precise locations.
(iii) Fairness-Enhanced Reward Payment Scheme. To enhance the fairness of payment, the payment profile should be generated according to the current and previous performance of vehicles. is can motivate the vehicles to actively take part in crowd sensing tasks and to provide high-quality data. In time-sensitive VCS scenarios, the untimely information is useless, so vehicles are required to submit their reports timely. Hence, the data quality is quantified by two factors: the data accuracy and the submission time. e payment profile is generated by the submitted bids and the quantified data quality of the vehicles. e task initiator TA pays and gets the balance, and the vehicles get rewards according to the payment profile in an anonymous way via smart contracts. Finally, fog servers verify and write the transactions into the block.

Detailed Mechanism
e proposed anonymous authentication mechanism consists of ① system setup; ② anonymous certificate generation; and ③ anonymous authentication described as follows: ① System setup (offline): (i) e fog server runs setup to obtain public pa- is a bilinear map group of a prime order q > 2 λ , where λ is the security parameter. e(., .) is the bilinear map satisfying e: G × G ⟶ G T . g and g 1 are generators of G, and e(g, g) is defined as g T . H: Z q ⟶ Z q is a collision-resistant hash function. e fog server F selects s ∈ Z q randomly as its private key, and the public key is computed as Y F � g s . F also selects x, y, z, μ ∈ Z q to compute X � g x , Y � g y , and Z � g z . μ is a period verification key. F initializes an empty set Ω using bloom filter. Ω is reset periodically by the fog server because anonymous credential is only valid for a certain period. (ii) Note that a vehicle cannot apply for more than one anonymous credential within one hour for the sake of security. We use a Boolean tag T to mark the state of the vehicle, and T � 1 represents that the vehicle has applied for an anonymous certificate at some point. T will be updated to be T � 0 once in a while, e.g., one hour or later.
② Anonymous certificate generation: (i) Assume all vehicles are welcomed to compete for the sensing task. ey need to subscribe for an anonymous credential when they want to perform the task. Once the vehicle requests an anonymous credential, the fog server will set the state tag T � 1. en, the vehicle selects (k, h) ∈ Z 2 q randomly, calculates Δ � Y k Z h , and sends (Δ, H(k)) to the local fog server.
(ii) e fog checks whether H(k) does exist in Ω or not. If it does, the vehicle will be guided back to the above step. Otherwise, the fog server stores H(k) into Ω. Here, we call H(k) as the fast authentication factor. e fog server verifies the Security and Communication Networks 5 identity of the vehicle by the zero-knowledge proof of knowledge: (iii) e fog returns "failure" if the proof is unsuccessful. Otherwise, the fog sends (W, ]) to the vehicle, where ] ∈ Z q and W � (XΔ) ( If a vehicle competes for a sensing task, it first authenticates itself by offering H(k) to the fog servers. e fog runs the fast authentication algorithm to obtain TF. If TF � 0, which means H(k) does not exist in Ω, the vehicle will be rejected as an illegal participant. Otherwise, the vehicle proves itself to the fog server in the zero-knowledge proof of knowledge: If the proof is successful, the vehicle will be maintained as a legitimate candidate vehicle for bidding (Algorithm 1).

Privacy-Preserving Winner Selection Mechanism.
e goal of the proposed winner selection mechanism is to select the winning vehicles with privacy preservation. ree factors, the submitted bid's value, the vehicle's location, and the reputation, have been combined to determine the winning vehicles. Reverse auction with TA's budget constraints is adopted to model our mechanism. All vehicles and the TA enter the auction process for crowd sensing task. Each vehicle acts as a bidder and submits a bid commitment. e winning vehicles are determined by the winner selection algorithm as shown in Algorithm 2.
(i) e vehicle chooses a random c ∈ Z q , computes the commitment of a bid b ∈ Z q as C � g b g c 1 (see function Commit in section 4.3.), and then sends C to the local fog server. Note that the ciphertext of b and c is stored on the SPPIM contract rather than being sent directly to the fog server.
Assume the fog server F receives n bids 〈C i , R i , loc i 〉, i � 1, . . . , n from n legitimate vehicles V � (V 1 , V 2 , . . . , V n ), where C i represents the commitment of the bid b i submitted by V i , R i refers to its current reputation, and loc i � (l i 1 , l i 2 ) is the location using longitude and latitude, respectively. F first computes the central position (l 0 1 , l 0 2 ) of n locations and calculates the Euclidean distance ρ i of (l 0 1 , l 0 2 ) and (l i 1 , l i 2 ) n i�1 . en, F checks whether ρ i < 100 m holds. If ρ i > 100 m, the accuracy of the data is not up to the standard and then the vehicle V i will be rejected. Otherwise, the reward payment of the vehicle V i will be computed depending on the submitted data quality. e winner selection algorithm, depicted in Algorithm 2, is given by taking the bid set B � 〈C i , R i , loc i 〉, i � 1, . . . , n, the ciphertext cipher i , TA's budget B max , and the highest bid price b 0 as inputs. e output of the algorithm is the winner set B w .

Fairness-Enhanced Reward Payment Scheme.
We propose a fairness-enhanced reward payment scheme, where payment profile is generated depending on the data quality and the reputation of the vehicletbl2alg3.
① Data Quality Measurement. To measure the data quality submitted by the vehicle, the data structure of the sensory data is defined as D � (task, cause, proof, time). e sensory data uploaded by the winning vehicles are stored in the form as Table 2.
(i) Task is represented by the task number to distinguish different crowd sensing tasks; (ii) Cause refers to the cause of abnormal traffic conditions. For instance, "000″ means there is an accident at the location (l 1 , l 2 ); "001" means there is a traffic jam at the location (l 3 , l 2 ). (iii) Proof is the evidence the vehicle can upload to prove the cause. How to identify the evidence is out of the scope of this paper. (iv) Time is the current time of submitting the sensory data.
Assume the fog server F receives m sensory data D 1 , D 2 , . . . , D m from m winning vehicles for the same task task, where D i � (task, c i , proof i , t i ). e data quality is quantified by the submission time t i and the data accuracy, which is determined by hamming distance d(., .) of the causes. Given cause c i computes m − 1 hamming distance d(c i , c j ) for all j ≠ i to measure the similarity of the abnormal traffic conditions. A weight ω i (c) is assigned to measure the accuracy of the data as shown in Algorithm 3. A weight ω i (t) is assigned to measure the submission time of vehicle V i . e earlier the upload is, the greater weight the vehicle will gain. Finally, the data quality of V i is quantified by where θ denotes the importance of the data accuracy. ② Payment Profile Generation. e payment profile is generated by the data quality of the vehicle. For m vehicles, the sum of the submitted bids is m i�1 b i , which satisfies m i�1 b i ≤ B max . Finally, the payment for the vehicle V i is given as follows: 6 Security and Communication Networks is mechanism guarantees that as long as the vehicle provides higher quality data, they will get more rewards.

Smart PPIM Contract.
In this section, our SPPIM is implemented via smart contract. After the SPPIM contracts are created, vehicles can take part in the crowd sensing task. e contract accepts the submitted messages from the TA and vehicles and executes the proposed algorithms automatically. Figure 4 illustrates the process of a SPPIM contract, involving all interactions among the TA, the vehicles, and the smart contract.  (6) invoke Decrypt(cipher i ); invoke Reveal(C i ); (14) end for (15) return B w ALGORITHM 2: Privacy-preserving winner selection algorithm.   e Create(.) function is used to deploy a new SPPIM contract on the blockchain. If TA wants to start a task, it calls Create(.) function with the parameters such as t 1 , t 2 , t 3 , t 4 , t 5 , t 6 which define the time intervals for the six phases: the budget of a task TA.budget, the highest bidding price b 0 , the legitimate vehicles set V, the list of bids B, the list of winning vehicles B w , and the reward payment profile P. TA is required to pay at least TA.budget to the contract in order to prevent a malicious task initiator from initializing fake tasks and then withdrawing illegally. e highest bidding price b 0 is used to prevent malicious vehicles to submit an excessive bidding price. After the contract is deployed, it can be accessed by legitimate vehicles. e Authen(.) function authenticates all vehicles, which compete for the task, via the fast authentication algorithm (1) for (i � 1; i + +; i ≤ m) do (2) counter i � 0; (3) for (j � 1; j + +; j ≤ m) do (4) if d(c i , c j ) � 0 then (5) counter i + +; (6) end if (7) end for (8) if counter i ≥ ⌈(m/2)⌉ then (9) ω end if (13) Sort the submission time t in a nondescending order and obtain t 1 ≤ t 2 ≤ . . . ≤ t n ; (14) ω i (t) is assigned to measure t i ;    Security and Communication Networks and the zero-knowledge proof. Once the vehicle passes the authentication, it can submit bid. e Commit(.) function seals the bids to protect them from being observed by other vehicles before the bidding interval ends. Pedersen commitment scheme is used to commit a bid. Each vehicle submits a bid commitment along with the location and the reputation of the vehicle. e Reveal(.) function is triggered by the vehicles to reveal their bids. After that the contract can execute the winner selection algorithm. e inputs of Reveal(.) function are the cipher of the bids encrypted by the public key of the fog server Y F . To avoid repudiation attack, the ciphertext is stored on the SPPIM contract rather than being sent directly to the fog server.
e Decrypt(.) function decrypts the ciphertext of the bids submitted by the vehicles.
e WinnerSel(.) function orders the bids after all bids are revealed to determine the winning vehicles. It takes as inputs the bids, the reputation, the location of the vehicles, the TA.budget, and the highest bidding price b 0 . e result of the function is the winning vehicles set B w .
e Payment(.) function computes the reward payment of each vehicle depending on the data quality, bids, and their reputation so that the potential vehicles can get reward payment.
e Finalize(.) function returns the balance of the TA and pays incentives to vehicles after the payment profile is determined.

Privacy and Security Analysis
is section proves that our proposed SPPIM achieves user authentication, identity privacy, bid privacy, financial fairness, and collusion attack resistance.

User Authentication.
In our SPPIM, all vehicles need to authenticate themselves before performing any task. We use anonymous credentials to authenticate vehicles. e unforgeability of vehicle's identity is enabled by the security of the anonymous credentials generation. An adversary can authenticate himself by forging a verified credential and then showing it to the fog server, since the anonymous credential is generated through the zero-knowledge proof, of which the security is guaranteed by the CL signature scheme [24]. So, the proposed scheme satisfies the property of user authentication as long as the credentials are not forgeable.
Furthermore, a malicious vehicle may create multiple online identities to rig the mechanism. To prevent this attack, each vehicle should and must have only one valid anonymous credential when performing one crowd sensing task. Hence, in our SPPIM, we require that a vehicle can only apply for one anonymous credential within one hour. When the vehicle requests an anonymous credential, the fog server will set the state tag T to be 1. If a vehicle requests another anonymous credential within one hour, the fog can check the recorded state tag of the vehicle to refuse its request.

Identity Privacy.
We make sure the identity privacy of our SPPIM by proving the pseudonymity and unlinkability of vehicles.
First, each vehicle has different anonymous credentials cred � (W, ], k, h) corresponding to different tasks in our SPPIM. e anonymous credential can be verified by the smart contract as the valid anonymous credential. Hence, the vehicle's pseudonymity depends on the security of the zero-knowledge proof [24], of which the security proofs are relatively straightforward.
As for the unlinkability, the fog server cannot link vehicle's identity and the vehicle's anonymous credential during vehicle registration, and the fog cannot link the vehicle's different anonymous credentials. is property also depends on the zero-knowledge proof protocols. When a vehicle is applying for an anonymous credential, the fog server does not know the values of (k, h). Meanwhile, the anonymous credential cred � (W, ], k, h) can still be acknowledged as a valid BBS signature [25].

Bid Privacy.
Our SPPIM protects the bid privacy by using Chaum-Pedersen noninteractive ZKP [23]. Vehicles send commitments rather than the actual bid. When the commitments need to be opened, each vehicle sends the ciphertext of (b, c) using the public key of the fog server to the function Reveal(.). e ciphertext will be stored on the SPPIM contract rather than being sent directly to the fog Security and Communication Networks 9 server. And we also require that the fog server should verify the correctness of the commitments opening once they are submitted. is requirement can prevent the malicious fog server from denying a correct opening of a commitment. Given a semihonest fog server, all committed bids maintain privacy from other vehicles. is ensures bid privacy.

Financial Fairness.
On the one hand, in the phase of committing bids, once the bid interval is closed (after t 3 in Figure 4), vehicles cannot change their commitments. is property can help guarantee the financial fairness from preventing some vehicles' cheating, which violates the fairness.
On the other hand, the payment profile is determined by the data quality, which depends on the data accuracy and the submission time detailed as the expression q i � θω i (c) + (1 − θ)ω i (t) in Algorithm 3. In our reward payment algorithm, the weight of the data accuracy ω i (c) is calculated according to the accuracy of the submitted data measured by the Hamming distances and the vehicles' reputation. e weight of the submission time ω i (t) is given according to the corresponding speed of each vehicle. Vehicles with good performance can get higher reward, and their reputation ranking can also be increased. It is fair, and it can also stimulate honest vehicles to submit high-quality data in time.
In addition, vehicles or TA may try to deviate from the SPPIM and aborts early to affect SPPIM execution. e aborting task initiator will be financially penalized by forfeiting its budget money deposited on the ledger, while aborting vehicles will be punished by lowering the reputation rating.

Collusion Attack Resistance.
In our SPPIM, we consider the collusions among vehicles and between the fog server and the vehicles. In our winner selection algorithm, the highest bid price b 0 is limited to prevent the malicious vehicles' collusion to bid for an over large bid price. Suppose there are some colluded vehicles which submit very high bids with the purpose of getting high reward. Under this circumstance, the sum of their bids must be larger than the budget of the TA, which is not allowed in our budget-limited reverse auction model. So, the fixed highest bid price b 0 can successfully prevent this attack.
If a fog server is compromised or even colludes with some TA or some vehicles, the SPPIM can run fine. Since vehicles generate part of their credentials by themselves, private information (k, h) ∈ Z 2 q is also kept secret by vehicles. Fog server cannot divulge identity information about any other vehicle to some colluded vehicles. Once the smart contract is deployed, it cannot be changed. e rules of the proposed SPPIM are executed faithfully via smart contracts, which can avoid the collusion between the fog server and the vehicles and between the fog server and the TA.

Performance Evaluation
We conduct extensive experiments to evaluate the performance of the proposed SPPIM with multiple vehicles and a task initiator TA, including the computational and storage costs of authentication, the utility of the vehicle and the TA, and the gas cost of each function on the SPPIM contract.

Authentication Performance.
e process of generating an anonymous credential is of the smart contract. We make a simulation related to the acquisition of anonymous credentials. We use JAVA pairing-based cryptography library to implement the cryptographic algorithms in our simulation. e number of total vehicles requesting for anonymous credentials N vehicles is set as 100, 200, 300, 400, 500 { }, and the number of authenticated vehicles N authen is set as 10, 20, 30, 40, 50 { }. In each set of experiments with different number of vehicles, we took an average result of 100 times round.
When the vehicle requests for an anonymous credential, the execution time is around 38 ms and 45 ms at the vehicle side and the fog side. Figure 6(a) shows that, as the number of requesting vehicles increases, the time spent on each vehicle and the fog server almost maintains the same. When a vehicle competes for a task, the execution time of anonymous authentication is 18 ms and 25 ms at the vehicle side and the fog side. Figure 6(b) shows that the total time of the authentication is 213 ms, 451 ms, 659 ms, 1091 ms, and 2162 ms assuming N authen � 10, 20,30,40,50 { } at the fog side. Figure 7(a) indicates that our SPPIM requires at most 112 byte bandwidth per authentication. Only the fast authentication factor H(k) and the credential cred � (W, ], k, h) need to be transmitted to the smart contract deployed on the fog server. As the number of authenticated vehicles increases to 50, the bandwidth requirement is less than 6 kb, which is feasible.
As for the storage cost, the fog server needs to maintain a list of fast authentication factors of legitimate vehicles and its private key at the fog side. Since the number of the legitimate vehicles is large, we use bloom filter Ω to help diminish the storage overheads, which depends on the size of the bloom filter. e vehicle only stores the anonymous credential cred � (W, ], k, h). Figure 7(b) shows that the storage cost is very small at both the vehicle and fog server side.

SPPIM Performance.
From the reward payment algorithm in Algorithm 3, we get that the utility of vehicle V i is p i and the utility of TA is e proposed SPPIM is effective because it brings profits to the task initiator and the honest vehicles. In our experiments, we study several factors that affect the utility of the vehicle and the TA, including the number of rewarded vehicles, the budget of the TA, and the data quality. e number of the rewarded vehicles ranges from 10 to 50, and the submitted data are different in two ways: data accuracy and the submission time. As shown in Figures 8(a) and 8(b), the utility of the vehicle is nearly independent of the number of the rewarded vehicles N reward , and the vehicle can get a higher utility when the budget of TA becomes bigger. Since the highest bidding price b 0 increases as the budget increases, vehicles can bid a higher price if b 0 is bigger. e utility p i increases roughly linearly with the total bidding price of vehicles. Figure 8(c) shows that the utility of the vehicle increases as the reputation of the vehicle increases on the premise that the data accuracy satisfies the requirement, given a fixed budget TA.budget � 200. If the submission time t i of the vehicle is shorter (e.g., t 3 in Figure 8(c)), it can get more reward. e utility of the TA is almost not influenced by the budget of the TA and the number of the rewarded vehicles as shown in Figure 8(d). e approximation number of the rewarded vehicles can be determined by the expression TA.budget/b 0 . Once N reward is fixed, the utility of the TA is determined by the payment P of the vehicles, and the average of each payment p i is around b 0 .

SPPIM Contract Cost.
We implement the SPPIM contract in Solidity 0.4.18 [26] and test it on the Ethereum network. We run the experiments on a HP Pavilion Notebook with a 2.3 GHz Intel i5-6300HQ CPU and 8 GB RAM. To be specific, we create a local private Ethereum blockchain to test our SPPIM using the Geth client version 1.7.3 [27]. To realize the cryptographic algorithms on the SPPIM contract, we use Ethereum Improvement Proposals, EIP-196 [28], to fulfill elliptic curve point addition and scalar multiplication operations efficiently in the algorithm. Barreto-Naehrig E: y 2 � x 3 + 3 over F q [29] is adopted in EIP-196. Table 3 shows the consumed gas cost for different functions in SPPIM tested on the private Ethereum network where there are 20 vehicles competing for a task, and the number of the rewarded vehicles is 10. Table 3 gives the gas cost consumed by each function and the converted monetary value in US dollar. As of October 19, 2020, the ether exchange rate is 1 ether � 375.27$ [30] and the gas price is approximately 20 Gwei � 20 × 10 − 9 ether. We find that the financial cost of running the SPPIM contract on the Ethereum network is within reasonable bounds. e Create(.) function, to deploy SPPIM contract on the blockchain, and the Authen(.), to verify zero-knowledge proof, cost more than other functions. However, the Create(.) function executes only once to create and deploy the SPPIM contract on the Ethereum network, so it is a onetime cost and requires no more cost for its maintenance. e cost of the Authen(.) can be seen as the price of privacy protection, which increases linearly with the number of authenticated vehicles N authen , as shown in Figure 9. Note that the execution of "heavy" functions in Ethereum is impossible due to the block gas limit. In Figure 9, the gas cost is over 8m when the number of authenticated vehicles is larger than 40. When the block gas limit is 8m, the maximum value of N authen should be less than 40. Figure 10 shows the gas cost of the TA and a vehicle when the number of authenticated vehicles N authen and rewarded vehicles N reward varies. TA's cost increases linearly with N reward as shown in Figure 10(a), while the vehicle's cost keeps constant as shown in Figure 10(b). Figure 11 shows that the gas cost of the TA depends on the number of rewarded vehicles N reward . Given a fixed N authen , the gas cost of each function increases linearly with N reward except for Create(.) function.    The number of the rewarded vehicles

Related Work
In this section, some related works are divided into three categories: (1) incentive mechanisms for vehicular crowd sensing; (2) blockchain-based works in vehicular network; and (3) privacy preservation for incentive mechanism in vehicular crowd sensing.

Incentive Mechanisms for Vehicular Crowd
Sensing. e incentive mechanisms in vehicular crowd sensing mainly include monetary incentives and nonmonetary incentives, which stimulate vehicles via some forms of compensation, such as reputation [31], credits [32], and virtual coins [7]. Correspondingly, monetary incentive mechanism motivates vehicles to take part in tasks by financial incentives, which have stronger motivational effects and are easy to accomplish together with other incentives. Recently, Yin et al. [33] considered the scheduling problem of emergent tasks in the Internet of Vehicles and proposed a bidding mechanism to encourage vehicles to perform tasks. e winner vehicles can get some monetary reward after finishing the task. Li et al. [7] proposed an incentive announcement network, where users manage their reputation points which are earned or spent as incentives. Guo et al. [8] presented a dynamic incentive mechanism for mobile crowd    sensing, and they pointed out that the quality of the sensing data is often neglected in the existing monetary-based incentive studies. Zhang et al. [9] presented an auction-based incentive mechanism in crowdsourcing systems, in which two allocation algorithms were given to guarantee the truthfulness and budget feasibility. In general, monetary incentives often increase user participation enthusiasm and enhance high-quality data collection habits [34]. However, most proposed monetary incentive mechanisms are centralized, which will cause privacy leakage and the single point of failure problem.

Some Works Based on Blockchain in Vehicular Network.
Nowadays, there have been several works [5,7,35,36] related to blockchain technology in vehicular networks.
Dorri et al. [35] proposed a blockchain-based privacy-preserving communication scheme for smart vehicles. Sharma et al. [36] gave a blockchain-based transport management system in the smart city. Li et al. [7] proposed an incentive announcement network based on blockchain for smart vehicles. Li et al. [5] constructed an anonymous advertising scheme in vehicular networks. Vehicles can send transactions to the blockchain to get a predefined reward, which does not consider the data quality problem of Ad dissemination.

Privacy Preservation for Incentive Mechanism in VCS.
In order to protect the privacy of vehicles, some privacypreserving incentive mechanisms in VCS have been proposed. Lai et al. [32] took advantages of symmetric  encryption to protect personal profiles and the designated verifier signature to preserve transaction privacy in highway VANETs. Wang et al. [37] gave a node cooperation privacy protection method based on k-anonymity technology. Ten or more nodes form a k-anonymous group and submit signcrypted group data. Miners verify the legality of group data by the group blind signature algorithm that could resist against user's privacy leakage. Similarly, Wang et al. [10] utilized differential privacy technology to obfuscate bids in mobile crowd sensing. Li et al. [7] proposed a privacypreserving incentive mechanism in VANETs. Vehicles protect their privacy by acquiring other vehicles' encrypted signatures to construct a threshold ring signature. However, there is a trusted third party who needs to generate keys and can actually trace vehicles' privacy, which is different from our SPPIM design. Lai et al. [4] utilized a blockchain-based payment system to guarantee the fairness of payments. e partially blind signature was applied to realize pseudonym management, which is designed to protect the privacy of users. However, pseudonyms are assigned by a third-party authority, which is avoided in our design. e scheme proposed by Lai et al. is simulated in MATLAB, not fulfilled on the blockchain, while our SPPIM is accomplished by the smart contract on the blockchain. Different from existing works, we propose a hybrid solution SPPIM to address the privacy preservation and fairness problem in incentive mechanisms of VCS. Our SPPIM not only utilizes smart contracts to replace the centralized platform but also addresses the privacy-preserving problem of the vehicles and the fairness problem of the incentive mechanisms.

Conclusion
In this paper, we propose an effective smart privacypreserving incentive mechanism via smart contract on the blockchain, which can ensure privacy preservation and fairness for vehicles and data quality assurance for the task initiator. Our SPPIM preserves the privacy of vehicles by utilizing zero-knowledge proof-based anonymous credentials without any trusted third party. Meanwhile, fairness-enhanced reward payments are determined by the committed bids, the reputations, and the submitted data quality of the winning vehicles. We verify the performance and the feasibility of the proposed SPPIM by implementing it on the Ethereum testnet. In the future work, we will design the optimized algorithms to enrich our current design, which can reduce the execution cost of the contract.
Data Availability e data and VS code used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
e authors declare that they have no conflicts of interest.