Blockchain-Based Trust Auction for Dynamic Virtual Machine Provisioning and Allocation in Clouds

Cloud computing uses virtualization technology to provide users with different types of resources in the form of services. The third party plays a crucial role in coordinating cloud market between cloud providers and users. As for providing services or trading, the extra broker fees are required for the middleman because the third party facilitates transactions. Moreover, there is no guarantee that the third party is trusted, which can lead to information leakage, data tampering, and unfair trading. Blockchain technology is an emerging technology that can store and communicate data between entities that unnecessarily trust each other. To resolve the problems, this paper presents the blockchain-based trust and fair system and develops the smart contract of auction and transaction. The prototype system is implemented based on the Hyperledger Fabric. The experimental results prove the feasibility of the scheme.


Introduction
Cloud computing is a popular paradigm of offering services over the Internet [1]. With the development of Internet technology and virtualization technology, more and more enterprises and individuals outsource their workloads to cloud providers. Cloud computing services are generally provided in three types: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) [2]. In cloud computing environment, cloud providers cooperate to form a huge abstract, virtualized, and dynamically expandable resource pool to provide cloud service and resources to users. A user acquires and releases resources by requesting and returning virtual machines in the cloud. To sell the VM instances to users, cloud providers can employ auctionbased models. An example of implemented auction method in Cloud computing is the spot market introduced by Amazon [3].
Current cloud resource auction integrates the network technology into the bidding system. The desirable preconditions for managing cloud resource auction are "trust" and "fair." The main entities included in cloud resource auction are cloud providers, users, and the third party (i.e., auctioneer) as shown in Figure 1. The cloud provider is an organization that offers computing resources for use on payment. A user is a person or an organization that purchases cloud service. The third party is a middleman that provides a platform to make the product available in the market. Most of the third-party platforms are centralized middlemen which can lead to a host of trust and fair issues. First, the centralized cloud computing auction system may suffer the single node attack and has a higher risk of data tampering and privacy leakage [4]. Secondly, the third-party platform completely controls over the bidding process. Users have no way to ensure that the middleman never leaks their bidding information. Even if the auction platform has security and trust issues, it still charges a large fee for service as a middleman between cloud providers and users. In addition, many existing researches and models on cloud resource auction cannot consider the transaction process after the auction. There are multiple unfair problems associated with the transaction process. For example, malicious cloud providers may not provide services or unmatched resources after charging service fees, and malicious users may not pay service fees when obtaining resources.
Blockchain, as an emerging distributed ledger technology [5], has attracted more attention from various fields, including supply chain [6], IoT [7], medical [8], and other areas. Since data storage is based on a distribution architecture and data management is based on a peer-to-peer network, data records are immutable, verifiable, and traceable [9]. Not only blockchain provides a reliable system to store data but also it improves bidding information security and immutability. So blockchain can facilitate transactions between entities that unnecessarily trust each other.
Blockchain technology has the great potential to address the challenge of conventional cloud platform. References [10][11][12] mainly aim at trust problem in the cloud platform and design a credible service transaction method combined with blockchain. In [13], a decentralized framework is proposed to address issues such as trust and data security. A blockchain-based cloud resource allocation framework is proposed in [14]. Conspicuous feature, of this model, is the timed commitment scheme, state mechanism, and ladder payment to guarantee auction fairness and trade fairness.
In this paper, we combine blockchain and smart contract technology to propose a blockchain-based cloud resource auction scheme to ensure the security of bidding data and the fairness of cloud services. The scheme designs a data encryption transmission module, which uses symmetric encryption technology to encrypt bid data to protect user privacy and prevent malicious users from leaking data. Since the blockchain is a peer-to-peer access structure, the points in the structure can be trusted with each other. Consequently, the centralized third-party platform can be removed to reduce the transaction cost. Use smart contract technology to design the auction contract and transaction contract. Some rules are written in smart contracts to achieve fair trading of cloud resources. Users must pay transaction fees in advance to obtain VM instances, and cloud providers must provide cloud resources in order to receive transaction fees. Compared with the traditional cloud resource auction system, this scheme can realize the safe auction and fair transaction of cloud resources, protect the bidding privacy of users, and resist internal malicious users.
The structure of this paper is as follows. Section 2 introduces the background, system architecture and detailed implementations. Section 3 gives the results of the proposed architecture. The last section concludes the paper.

Background
2.1. Related Work. One helpful approach for the cloud computing resource supply is the mechanisms for auctions. Several authors have studied such mechanisms in different fields such as economics and computer science. In the context of cloud computing resource allocation, Jain et al. [15] proposed an efficient truthful-in-expectation mechanism for resource allocation in clouds. Zama and Grosu [16] designed truthful approximation mechanisms for the auction-based allocation of VM instances in clouds. Due to the characteristics of resources in cloud computing, more and more researchers introduce the quality of service parameter and nonprice attributes into cloud resource auction system to solve allocation problems and transaction fraud problems. In [17], the authors introduced a multiattribute auction framework and used evaluation functions to publish cloud providers for fraudulent behavior. The current works explore auctions of introducing features for the cloud resource auction system. However, none of the noticed solutions focus on the honest behavior of the auctioneer, nor in providing reliable records about transactions between the cloud provider and users.
In such a direction, to combine blockchain technology with the cloud resource auction system has become a new trend, because its decentralization and data tampering prevention might provide solutions to the shortcomings of current systems. Few works have been using blockchain to solve the cloud resource auction system issues. In one of them, Chen et al. [18] designed a blockchain-based architecture for a bidding system. Franco et al. [19] proposed a blockchain-based reserve auction for infrastructure supply in a virtual network. Also, An et al. [20] proposed a blockchain-based reserve auction for data transactions to solve the problem of third-party brokers. Ch et al. [21] presented a blockchain technology solution, using pentatopebased elliptic curve cryptography and SHA to improve the security and privacy device data. Thirumalai et al. [22] applied the knapsack method to encrypt ENPKESS keys to enrich high security in cloud systems.

2.2.
Blockchain. Blockchain originated from Bitcoin. As the underlying application technology of Bitcoin, it has received widespread attention as Bitcoin became famous. As a decentralized distributed ledger technology, blockchain integrates technologies such as distributed data storage, encryption algorithms, and consensus mechanisms. Blockchain eliminates third-party authoritative centers [23]. It can enhance 2 Wireless Communications and Mobile Computing the trust between participants without relying on the thirdparty trusted authority, because all consensus nodes participate in the process of maintaining blocks on the chain and the transaction record are stored on a peer-to-peer network to ensure that the data cannot be tampered with and any node can audit the data in the block. In addition, due to the irreversibility of the hash function and the security advantages of the consensus mechanism, the transparency, security, and immutability of transaction data are guaranteed. Since the blockchain is public and transparent, when it comes to private data, it needs to be encrypted. This paper mainly uses Diffie-Hellman key exchange algorithm [24] and symmetric encryption algorithm [25]. The characteristic of the DH algorithm is that both parties can exchange keys securely in an insecure channel. In the DH algorithm, the sender and receiver use their own private key and the other party's public key to generate a shared key. In the symmetric encryption algorithm, the sender uses the symmetric encryption key to encrypt the data, and the receiver uses the key to decrypt the data to obtain the data, which is characterized by the same encryption and decryption keys.
In the blockchain 2.0 stage, the concept of smart contract [26] is introduced. Developers can create various applications through smart contracts. In this paper, the smart contracts replace the third-party platform in the existing system and perform resource allocation and transaction management according to predefined rules.

Proposed
Model. This paper focuses on IaaS and is built under the situation that the cloud provider offers different types of resources in the form of VM instances. The blockchain-based cloud computing resource auction model is shown in Figure 2, including user, cloud provider, certifi-cate authority, data encryption transmission module, and smart contract module.
The main function of the user is to obtain the VM instances. Each user has his own public and private key PK user , SK user , and address Addr user . In the process of applying for obtaining the VM instances, the user can obtain the resources only after being authorized by smart contract. The main function of the cloud provider is to supply the VM instances. The cloud provider has his own public and private key PK cf p , SK cf p , and address Addr cf p .
The certification authority is a role in the system, which is mainly responsible for verifying the identity of users who want to join the system and then sending digital certificates to users. Only users who pass identity verification can join the system, which improves the security of the system to a certain extent.
The data encryption transmission module encrypts each user's bid information and uploads it to the smart contract module to ensure that the bid information will not be leaked. The smart contract module realizes the security and fairness of the whole auction process and solves the problems such as auction centralization, bidding information disclosure, and dishonest transaction. The module is mainly composed of two smart contracts: auction contract and transaction contract. The auction contract (AC) executes allocation algorithm and payment function, which is aimed at social welfare maximization to protect the interests of users. Use the transaction contract (TC) to determine the applicant's transaction information before the transaction occurs, freeze the prestored transaction fee when the transaction occurs, and send the transaction fee to the cloud provider after the transaction is completed and the applicant receives the VM instances. Use smart contract to replace trusted third parties   Figure 3.
Step 1. The user needs to send an identity verification application to the certification authority (CA) before logging in to the alliance chain network. After the verification is passed, the applicant will obtain the key pair and a digital certificate.
Step 2. The user sends his registration and digital certificate to the system after obtaining the digital certificate and key pair.
Step 3. The node verifies the digital certificate of the new user and confirms the identity with the CA. After identity is approved, the user will be added to the system.

User
Submission. The process of submitting bid data is shown in Figure 4.
Step 1. The user sends a request to the server to generate the public and private key on the server side. The server side returns the production key to the user.

Wireless Communications and Mobile Computing
Step 2. The user executes DH algorithm to generate public and private key pair and generate symmetric key according to the public key of the server, which is used to encrypt the transaction information.
Step 3. The user sends his public key and encrypted information to the server.
Step 4. The server generates a symmetric key according to the user's public key and decrypts the encrypted information by using the symmetric key.
Step 5. Send the bid information to the auction contract, and return the execution result to the user. Algorithm 1 describes the process of the data encrypted submission. First of all, user A requests and obtains the public key of the server. Lines 1 to 2 indicate that user A generates the symmetric key KEY cli according to the public key of the server and encrypts the bid information Inf o bid with KEY cli to generate cipher text CInf o bid . Line 3 shows that user A sends the public key of the client PK cli and encrypted bid information Inf o bid to the blockchain server. Lines 4 to 5 show that the blockchain server generates the same symmetric key KEY ser (KEY cli =KEY ser ) and decrypts the CInf o bid using KEY ser to obtain the details of the bid. Lines 6 to 11 show that the submission time limits and verifies whether the bid information has been tampered with. Finally, the server sends bid information to the AC.

Auction.
This section presents the function of the auction contract. Mahyar et al. [27] proposed truthful greedy mechanism for VM provisioning and allocation in clouds. The mechanism is mainly divided into two parts: allocation and payment. The function of auction smart is described in Algorithm 2. Lines 1 to 3 show that AC collects the bidding information and address from the users. Lines 4 to 7 show the optimal allocation of solving cloud resource allocation by calling the allocation algorithm G-VMPAC-II-ALLOC [27]. Lines 8 to 10 show that the payment of user i is calculated by calling G-VMPAC-II-PAY [27]. Finally, AC returns three output parameters:Addr * , the address set of winner;x * , the optimal allocation of cloud resources to the users; and P the payment. (1) Resource Supply.
Step 1. Applicant A sends the request information; TC first confirms his payment certificate.
Step 2. If applicant A has payment certificate, the VM instance information will be encrypted with the applicant's public key and signs it with the cloud provider's private key. The cloud provider sends encrypted information and signatures to the network as transaction data.
Step 3. The node verifies the signature and packages the verified transaction data into blocks and waits for the consensus to be on the chain.
Step 4. After the block is on the chain, applicant A can obtain the VM instance information from the block. Applicant A verifies the signature and uses his private key to decrypt the transaction data to obtain the VM instance information.(2) Payment Management.
Step 1. Applicant A sends a request to TC for prestored payment. After TC receives the transaction fee, it will generate a   Step 2. Applicant A sends the payment certificate, public key, and related information to the cloud provider.
Step 3. The cloud provider confirms the transaction and provide VM instances to applicant A.
Step 4. TC pays the service fee to the cloud provider after it receives the confirmation information that applicant A has obtained the virtual machine instance.
Algorithm 3 describes the process of the cloud provider providing resources to the applicant. Lines 2 to 5 show whether applicant A is the winner. If he is the winner, the cloud provider encrypts the resource information with his public key. Lines 6 to 9 show that the cloud provider publishes resource information on the blockchain. Lines 10 to 12 show that the applicant achieves VM instance permission information.
Algorithm 4 describes the payment management. Lines 2 to 10 show whether applicant A has stored enough money within a limited time. Lines 11 to 13 show that TC sends the transaction fee to the cloud provider.

Experiment
The simulation development of the system runs on a PC and uses the Ubuntu operating system. This solution is based on the open-source framework of Hyperledger Fabric v1.1 version. The system is simulated and developed through a cloud server. The development software uses Visual Studio Code and Remote Development plug-ins. The database Couchdb is used, and the system chain code is developed using node.js.
3.1. Performance Testing. The auction phase includes reading users' data sets, executing the auction allocation algorithm, and uploading the auction results to the chain. Endorsement node (endorser) simulates the execution of the allocation algorithm by calling the chain code; ordering service (orderer) sorts transaction requests and creates the block and peer updates ledgers after verification. In order to reflect the variation of auction time with the number of users, this performance test mainly studies the execution time of auction in endorsers and auction transaction time in fabric network. The system test results of the above two items are shown in Figures 7 and 8. Figure 7 shows that the execution time of the allocation algorithm is affected by the increase in the number of users.
As the number of users varies from 10 to 300, the execution time sees an upsurge from about 14 ms to 197 ms. By testing the auction execution time in the endorser, it is found that the increase in the number of users has a positive impact on the execution time. Figure 8 mainly tests the time of auction transactions in the fabric network. After many tests, each auction transaction time of the system is close to 2000 ms, which can meet the basic business needs.
Through the analysis of test results, the system has passed the functional test and performance test, completed the expected design goal, and verified the feasibility and effectiveness of the system.

Comparison.
We compared the performance of our system with mainstream system. The result is presented in Table 1. In the table, the systems are compared on the three criteria: (i) Privacy protection: in cloud auction, bidding prices and cloud resource demands are crucial for privacy. This system tackled privacy leakage through the data encryption module. This approach encrypts private information to ensure that no plain text appears during transmission, which improves data security (ii) Decentralized for auction: it was already well known that decentralized systems, in which the smart contract acts as the third-party platform, were much more secure than centralized systems. Furthermore, to cut down the broker fees between users and cloud providers, the system should be based on the blockchain auction system (iii) Transaction management: in the cloud market, both auction security and fair transactions are required. This proposed system eliminates malicious behavior in cloud resource transactions in which each user prestores transaction fees. This approach improves fairness, especially when the user refuses to pay or the cloud provider provides substandard cloud resources

Conclusions
This paper first introduces the difficulties and challenges of the current cloud computing resource auction system. Then, through the thorough analysis of the major issues of the system, we propose a cloud computing resource auction system based on blockchain for data security and transaction fairness. To ensure the privacy and integrity of bidding data, we design an encrypted transmission module, which uses key exchange protocol and symmetric encryption technology to encrypt and transmit bidding data. In the transaction process, asymmetric encryption technology is used to encrypt the permission information of VM instance permission information to protect the rights and interests of users. Realize transaction fairness without a trusted third party through AC and TC. Transaction fairness realizes that users cannot receive VM instances without paying the corresponding service fees, and the CFP will certainly obtain the corresponding service fee after providing VM instances. This paper is a preliminary exploration of applying blockchain technology to the cloud computing resource auction filed. There are still some shortcomings, including the following: (1) the honest bidding of users and the fair distribution of the system are mainly affected by the auction mechanism. Therefore, we should optimize the auction mechanism to improve the fairness of distribution and pricing; (2) this paper only discusses the situation where one cloud service provider provides only four resources. We can explore multiple cloud auction systems and study more versatile fairness solutions to adapt to multiple market environments.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.