frameworks for privacy-preserving mobile crowdsensing...

1536-1233 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TMC.2017.2780091, IEEETransactions on Mobile Computing

1

Frameworks for Privacy-Preserving MobileCrowdsensing Incentive Mechanisms

Jian Lin, Student Member, IEEE, Dejun Yang, Member, IEEE, Ming Li, Student Member, IEEE, JiaXu, Member, IEEE, and Guoliang Xue, Fellow, IEEE

Abstract—With the rapid growth of smartphones, mobile crowdsensing emerges as a new paradigm which takes advantage of thepervasive sensor-embedded smartphones to collect data efficiently. Many auction-based incentive mechanisms have been proposed tostimulate smartphone users to participate in the mobile crowdsensing applications and systems. However, none of them has taken intoconsideration both the bid privacy of smartphone users and the social cost. In this paper, we design two frameworks forprivacy-preserving auction-based incentive mechanisms that also achieve approximate social cost minimization. In the former, eachuser submits a bid for a set of tasks it is willing to perform; in the latter, each user submits a bid for each task in its task set. Bothframeworks select users based on platform-defined score functions. As examples, we propose two score functions, linear and logfunctions, to realize the two frameworks. We rigorously prove that both proposed frameworks achieve computational efficiency,individual rationality, truthfulness, differential privacy and approximate social cost minimization. In addition, with log score function, thetwo frameworks are asymptotically optimal in terms of the social cost. Extensive simulations evaluate the performance of the twoframeworks and demonstrate that our frameworks achieve bid-privacy preservation although sacrificing social cost.

Index Terms—Mobile crowdsensing, incentive mechanism, differential privacy.

F

1 INTRODUCTION

NOWADAYS, the proliferation of smartphones is chang-ing people’s daily lives. With the advance of high-

speed 3G/4G networks and more powerful embeddedsensors (e.g., camera, accelerometer, compass, etc.), mobilecrowdsensing emerges as a new paradigm which takesadvantage of the pervasive sensor-embedded smartphonesto collect data efficiently.

A typical mobile crowdsensing system consists of acloud-based platform and a large number of smartphoneusers. The platform works as a sensing service buyer whoposts the required sensing information and recruits a setof smartphone users to provide sensing services. Once se-lected by the platform, a smartphone user starts to collectthe required data and sends it back to the platform. Thepotential effectiveness of mobile crowdsensing, especiallywith geographically distributed smartphone users, enablesnumerous mobile crowdsensing applications [34], [47], [53].However, most of them assume that the smartphone userscontribute to the platform voluntarily. In reality, smartphoneusers consume their own resources such as battery and sens-

• J. Lin and M. Li are with Colorado School of Mines, Golden, CO 80401.D. Yang is with Colorado School of Mines, Golden, CO 80401 and JiangsuKey Laboratory of Big Data Security and Intelligent Processing, NanjingUniversity of Posts and Telecommunications, Nanjing, Jiangsu 210023,China. E-mail: {jilin, djyang, mili}@mines.edu.

• J. Xu is with Jiangsu Key Laboratory of Big Data Security and Intelli-gent Processing, Nanjing University of Posts and Telecommunications,Nanjing, Jiangsu 210023, China. E-mail: [email protected].

• G. Xue is with Arizona State University, Tempe, AZ 85287. E-mail:[email protected].

This is an extended and enhanced version of the paper [30] that appeared inIEEE CNS 2016. This research was supported in part by NSF grants 1444059,1461886, 1717315, 1717197, NSFC grant 61472193, NSF of Jiangsu ProvinceBK20141429, and CCF-Tencent RAGR20150107.

ing time while completing the sensing tasks. In addition,they might suffer from the potential privacy disclosure bysharing their sensed data with personal information (e.g.,location tags and bid price). Therefore, smartphone usersmay be reluctant to participate in a mobile crowdsensingsystem and application, unless they are paid some rewardsto compensate their resource consumption or potential pri-vacy leaks. Since the number of participating smartphoneusers has a significant impact on the performance of themobile crowdsensing systems, it is necessary to stimulateusers to join the systems.

Auction is an efficient method to design incentive mech-anisms. Many auction-based incentive mechanisms havebeen proposed for mobile crowdsensing [46], [47], [49], [51].They are essentially reverse auctions in which the platformis the service buyer and the smartphone users are thebidders selling sensing services. In these mechanisms, theservice buyer selects bidders according to their submittedtask-bid pairs (elaborated in Section 3). The objectives ofthese mechanisms focus on either maximizing the totalvalue gained by the platform or minimizing the total pay-ment to the selected users. However, none of them takesusers’ privacy into consideration.

In most of the proposed truthful auction-based incen-tive mechanisms, bidders are stimulated to bid their truecosts, which are private information of smartphone users.For transparency, the platform will publish the outcome ofthe auction mechanism, which consists of winning biddersand their payments. Ensuring transparency in the procure-ment procedure is essential to efficiency, as it enhances thecompetitiveness of public procurement [36]. Meanwhile, ithas been proven by bid sale dealers for years that trans-parency leads to profit [37]. The FCC uses auctions to sellthe licenses to transmit signals over specific bands of the



2

electromagnetic spectrum, and releases the result of eachauction online for transparency [3]. In recent years, manycommercial platforms have put more emphasis on trans-parency as well, e.g., Auction.com [1], which is a trustedleader in the web-based real estate auction industry, andeBay [2], which is a multinational e-commerce corpora-tion. However, once the true cost of a smartphone useris reported to the platform, other bidders might infer thisprivate information based on the published outcome. Thisis known as inference attack [20] (we give two examples inSection 3). Inference attack has been analyzed in many areas,e.g., multilevel secure databases [22], data mining [10], web-based applications [40] and mobile devices [31]. Protectingusers’ bid privacy is important because its disclosure mightalso incur threats to users’ other private information, suchas location [25], [44]. In this paper, we focus on designingtruthful auction-based mechanisms to protect users’ bidprivacy.

To formalize the notion of users’ bid privacy, we em-ploy the concept of differential privacy [12]. Intuitively, amechanism provides differential privacy if the change ofone user’s bid has limited impact on the outcome. Wealso leverage the exponential mechanism [33], a technique todesign differentially private mechanisms, to preserve users’bid privacy.

In this paper, we study the problem of designing truth-ful mechanisms, which achieve computational efficiency,individual rationality, differential privacy, and approximatesocial cost minimization. We consider the scenario wherethere is one buyer and multiple sellers. Smartphone usersact as bidders and submit their bids to compete for thechance of being selected to perform the corresponding tasks.Besides, smartphone users do not want others to know theirown bid information. We first consider the single-bid modelin which each user can only submit a set of tasks. Then weconsider the multi-bid model in which each user can submita bid for each task in its task set. For each of these twomodels, we propose a differentially private truthful auction-based framework, named BidGuard and BidGuard-M, re-spectively. One important component of both frameworksis a platform-defined score function for selecting users. Asexamples, we propose two score functions to realize theframeworks.

The main contributions of this paper are as follows:• In this paper, we propose two frameworks, BidGuard

and BidGuard-M, for privacy-preserving mobile crowd-sensing incentive mechanisms for two different models,which achieve computational efficiency, individual ratio-nality, truthfulness, differential privacy, and approximatesocial cost minimization. Specifically, we design twodifferent score functions, linear score function and logscore function, to realize this two frameworks.

• With linear score function, BidGuard achieves(ε(e− 1)/e, δ)-differential privacy and the socialcost is at most gOPT + O(lnn) with the probabilityof at least 1 − 1/nO(1), where ε > 0 is a constant,δ ∈ (0, 1

2 ] and g is the cardinality of the largest usertask set, e is the base of the natural logarithm, OPTis the optimal social cost, and n is the number of theusers. BidGuard-M achieves 2mε-differential privacyand the social cost is at most OPT + mO(lnn) with

the probability of at least 1 − 1/nO(1), where m is thenumber of sensing tasks.

• With log score function, BidGuard achieves(ε(e− 1)/e, δ)-differential privacy and the socialcost is at most 2tHmOPT with the probability of at least1 − e−t for any constant t > 0, where Hm =

∑mj=1 1/j,

and m is the number of sensing tasks. BidGuard-Machieves 2m log 1

2( 1

1+∆ )ε-differential privacy and thesocial cost is at most 2tOPT with the probability of atleast 1 − 1/nO(1), where ∆ is the maximum differencein the bidding price. In addition, both BidGuard andBidGuard-M are proved to be asymptotically optimal.

• We evaluate the performance of BidGuard andBidGuard-M through simulations based on a real dataset. Extensive numerical results demonstrate that bothframeworks achieve bid-privacy preservation althoughsacrificing social cost.The remainder of this paper is organized as follows. In

Section 2, we briefly review the related work. In Section 3,we introduce two system models and the objectives. InSection 4 and 5, we present frameworks for the two modelsin detail and prove their properties, respectively. We eval-uate the performance of our frameworks in Section 6. Weconclude this paper in Section 7.

2 RELATED WORK

In recent years, incentive mechanisms in mobile crowd-sensing have been widely studied [16], [38]. As one of thepioneering works on designing incentive mechanisms formobile crowdsensing, Yang et al. [48], [49] proposed twoincentive mechanisms for both user-centric and platform-centric models using auction and Stackelberg game, respec-tively. The objectives of most of the state-of-art incentivemechanisms are either maximizing the total utility/value ofthe platform under a certain constraint (e.g., budget) [52]or minimizing the total payment of the platform [32].Feng et al. [15] proposed a mechanism called TRAC, whichtakes into consideration the importance of location informa-tion when assigning sensing tasks.

Many pieces of works have explored the privacy-preserving mechanisms in mobile crowdsourcing. Most ofthem [17], [26] apply the spacial and temporal cloakingtechniques like K-anonymity to blur users’ locations in acloaked area or cloaked time interval to preserve users’ pri-vacy. PEPSI [11] and AnonySense [39] focus on anonymousdata collection, which could protect users’ identities whenthey submit the tasks.

Some efforts have been specially made to protect users’privacy in mobile crowdsensing [8]. Although providinggood performance in privacy preservation, the mechanismsin [14], [18], [27], [28], [29], [35], [43], [50] are based on cryp-tography techniques and do not take into consideration theusers’ strategic behaviors. Besides, all of the cryptography-based works are vulnerable to inference attack, since anattacker can infer users’ private information through thepublished results. Sun et al. [41] proposed an auction-basedincentive mechanism which encrypts users’ bids by obliv-ious transfer. But it does not solve the issue of inferenceattack because one user still can infer others’ bids from thereceived payment. Jin et al. proposed a privacy-preserving



3

approximately truthful incentive mechanism [23], whichminimizes the total payment, and a privacy-preservingframework [24] for data aggregation. However, none of theabove works has a performance guarantee on social cost.In this paper, our objectives are preserve users’ bid privacyfrom inference attack while achieving approximate socialcost minimization.

Differential privacy was firstly introduced byDwork et al. [12]. The first differentially private auctionmechanism was proposed by McSherry et al. [33]. They alsoincorporate exponential mechanism and mechanism designto achieve differential privacy with different objectives.General methods to design truthful mechanisms whilestill preserving differential privacy have been studiedin [7], [21], [45]. However, our objective is different fromabove works. Recently, differential privacy has been usedin other applications, e.g., location-based systems [4] andspatial crowdsoucing [42]. Zhu et al. [54] proposed the firstdifferentially private spectrum auction mechanism, whichachieves strategy-proofness and approximate revenuemaximization. Note that our objective is to minimize thesocial cost, which differs from that in [54].

3 MODELS AND PROBLEM FORMULATION

In this section, we model the mobile crowdsensing system asa reverse auction and present two different models. Similarto most mobile crowdsensing systems [15], [47], [48], [49],[51], we consider a mobile crowdsensing system consistingof a platform and multiple smartphone users who are inter-ested in performing sensing tasks. In the first model, eachuser can submit only one task-bid pair. Our second modelallows each user to submit multiple task-bid pairs and canbe assigned to work on multiple tasks. Then we describe thethreat models, which threaten both of the models. At theend of this section, we present some important propertiesand give our design objective.

3.1 Single-bid ModelThe platform first publicizes a set T = {t1, t2, . . . , tm} ofm sensing tasks. Assume there is a set U = {1, 2, . . . , n} ofn > 2 smartphone users. Each user i has a task set Γi ⊆ T ,which it can perform. Each Γi is associated with a cost ci,which is a private information of user i. The platform selectsa subset of users S ⊆ U to complete all the sensing tasks inT . At last, the platform calculates the payment pi for eachselected user i ∈ S . Let −→p = (p1, p2, . . . , pn) denote thepayment profile. The utility of any user i ∈ U is

ui =

{pi − ci, if i ∈ S ;0, otherwise.

In this paper, we model the interactive process betweenthe platform and the users as a sealed-bid reverse auction,where the platform buys sensing service and the users arebidders who sell sensing service. In order to prevent themonopoly and guarantee the quality of sensing task, weassume each task in T can be completed by more thanone user in U . This assumption is reasonable for mobilecrowdsensing as made in [15]. If a task in T can only becompleted by at most one user in U , we simply remove itfrom T .

At the beginning of this auction, each user i ∈ U submitsa task-bid pair βi = (Γi, bi) to the platform, where bi is useri’s bid, representing the minimum price user i wants to sellits sensing service for. Note that in a truthful auction-basedincentive mechanism, users are stimulated to bid their truecosts, i.e., bi = ci. Without loss of generality, we assumethat each user’s bid is bounded by [bmin, bmax], where bminis normalized to 1 and bmax is a constant. Let ∆ denote thedifference between bmax and bmin. Let

−→β = (β1, β2, . . . , βn)

denote the task-bid profile. Given the task-bid profile−→β ,

the platform determines the outcome of the auction, whichconsists of selected winning users S and the payment profile−→p .

3.2 Multi-bid Model

In the single-bid model, each user submit a bid for a setof tasks. In the multi-bid model, each user is allowed tosubmit a bid for each task in its task set, and each user canbe assigned to work on multiple tasks.

The definitions of T , U , S , Γi,−→p and ∆ are the same as inSection 3.1. In the multi-bid model, for each user i ∈ U , eachtask tki in Γi has an associated cost cki . Each user i submits aset Bi = {β1

i , β2i , . . . , β

kii } of ki = |Γi| task-bid pairs. Each

task-bid pair is denoted by βki = (tki , bki ), where tki is a single

task from Γi, and bki is the minimum price user i wants tosell its sensing service for tki . Note that in a truthful auction-based incentive mechanism, users are stimulated to bid theirtrue costs, i.e., bki = cki . Let

−→B = (B1,B2, . . . ,Bn) denote the

task-bid profile. Given the task-bid profile−→B , the platform

determines the winning task-bid pair set BW ⊆⋃i∈U Bi

such that⋃βki ∈BW

tki = T . For each winning task-bid pairβki ∈ BW , the platform calculates a payment pki . A user i iscalled a winner and be added into S if it has at least onewinning task-bid pair, i.e., Bi ∩ BW 6= ∅. The payment foreach winner i is pi =

∑βki ∈Bi∩BW pki . The utility of any user

i ∈ U is

ui =

{pi −

∑βki ∈Bi∩BW cki , if i ∈ S ;

0, otherwise.

3.3 Threat Models

Threats to Incentive: We assume that users are selfish butrational. Hence user i could report a bid bi differs from itstrue cost ci, i.e., bi 6= ci in the single-bid model or reporta bid bki 6= cki in the multi-bid model to maximize its ownutility. We also assume that user i does not misreport its taskset Γi in the single-bid model as in [15], [47], [48], [49], [51],and does not misreport any tki ∈ Γi in the multi-bid model1.Other threats to incentive (e.g., collusion among bidders) areout of the scope of this paper.

Threats to Privacy: As mentioned earlier, bidders arestimulated to bid their true costs in a truthful auction-basedincentive mechanism, i.e., bi = ci in the single-bid model

1. In the single-bid model, if user i reports Γ′i containing tasks not in

Γi, i.e., Γ′i \ Γi 6= ∅, it cannot finish Γ′

i when selected. If user i reportsΓ′i ⊂ Γi with ci, the probability of user i being selected will not increase

according to our mechanism. The case where user i misreports both Γi

and ci is challenging, because calculating the true cost of Γ′i ⊂ Γi is still

an open question. In the multi-bid model, if user i reports βki containing

tasks not in Γi, i.e., t′ki /∈ Γi, it cannot finish t′ki when selected.



4

TABLE 1Example showing the inference attack in single-bid model

βi

User1 2 3 4 5

Γi t1, t2 t1 t1, t3 t1, t2 t1, t3bi $3 $1 $4 $5 $5

TABLE 2Example showing the inference attack in multi-bid model

βki

User1 2 3 4 5

tki t1 t2 t1 t1 t3 t1 t2 t1 t3bki $1.5 $1.5 $1 $1.6 $2.4 $3 $2 $2.5 $2.5

and bki = cki in the multi-bid model. However, one biddercould infer other bidders’ bid according to the outcome ofthe mechanism. This inference attack can be seen from thefollowing examples.

We first consider the single-bid model, suppose thereare 5 users in the system and their task-bid pairs βi =(Γi, bi), i ∈ [1, 5] are shown in Table 1. The platform pub-licizes a set of 3 sensing tasks T = {t1, t2, t3}. According tothe proposed truthful mechanism in TRAC [15], the winningusers S = {2, 1, 3}. Suppose user 5 is a bidder who want toinfer other bidders’ bid, and it changes its bid b5 from $5 to$3 in the next auction while the other four bidders do notchange their task-bid pairs. The winning users of the newauction is S = {2, 1, 5}. Since the platform publishes theoutcome of the mechanism for transparency, user 5 couldknow the results and infer that user 3’s bid is between $3and $5 by the fact that if it bids $5 it will be replaced by user3 and if it bid $3 it will replace user 3. We can see that, aftermany rounds of auction, user 5 might narrow down user3’s bid range, and even infer the exact value in some cases.

Next we consider the inference attack in multi-bid modelusing the example shown in Table 2. According to theproposed truthful mechanism in TRAC [15], the winningbid-pairs are BW = {β1

2 , β21 , β

23}, and thus S = {2, 1, 3}.

Suppose user 5 is a bidder who want to infer other bidders’bid, and it changes its bid b25 from $2.5 to $2 in the nextauction while the other four bidders do not change theirtask-bid pairs. Then the winning bid-pairs of the new auc-tion are BW = {β1

2 , β21 , β

25}. Based on this outcome, user 5

could infer that user 3’s bid for t3 is between $2 and $2.5by the fact that if it bids $2.5 it will be replaced by user 3and if it bids $2 it will replace user 3. After many rounds ofauction, user 5 might also narrow down user 3’s bid range,and even infer the exact value in some cases.

This inference attack is practical in most mobile crowd-sensing applications, e.g., [34], [53], where tasks are pub-licized periodically for collecting dynamic sensing data.Protecting users’ bid privacy from such inference attack isimportant because its disclosure might also incur threats tousers’ other private information, such as location [25], [44].For example, in [25] each user i’s cost of task ci is modeledas a linear function of its distance di to the task. In a truthfulmechanism, user i’s bid bi = ci. Therefore, an attacker caninfer user i’s location inside a suspicion region, which is thecircle centered at the task with radius di, by inferring itsbid bi. Besides, an attacker can also improve the inferenceaccuracy by narrowing down the victim’s bid through manyrounds of auction.

3.4 Desired PropertiesWe consider the following important properties.• Computational Efficiency: A mechanism is computa-

tionally efficient if it terminates in polynomial time.

• Individual Rationality: A mechanism is individuallyrational if each user will have a non-negative utilitywhen bidding its true cost.

• Truthfulness: A mechanism is truthful if any user’sutility is maximized when bidding its true cost.

• Social Cost Minimization: A mechanism achieves socialcost minimization if the total cost of the users in S isminimized subject to certain constraints on S .

In addition, we consider users’ bid privacy preservation.

Definition 1. (Differential Privacy [12]). A randomized functionM has ε-differential privacy if for any two input sets A and Bwith a single input difference, and for any set of outcomes O ⊆Range(M),

Pr[M(A) ∈ O] ≤ exp(ε)× Pr[M(B) ∈ O].

In this paper, the randomized function M is correspond-ing to our frameworks, andRange(M) is the outcome spaceof the frameworks. One relaxation of differential privacy isas follows.

Definition 2. (Approximate Differential Privacy [13]). A ran-domized function M gives (ε, δ)-differential privacy if for anytwo input sets A and B with a single data difference, and for anyset of outcomes O ⊆ Range(M),

Pr[M(A) ∈ O] ≤ exp(ε)× Pr[M(B) ∈ O] + δ.

The truthfulness of an auction mechanism is guaranteedby the following theorem.

Theorem 1. [5] Let Pri(z) denote the probability that bidderi is selected when its bid is z. A mechanism with bids

−→b and

payments −→p is truthful in expectation if and only if, for anybidder i,

1) Pri(z) is monotonically non-increasing in bi;2)∫∞0 Pri(z)dz <∞;

3) The expected payment satisfies E [pi] = biPri(bi) +∫∞biPri(z)dz.

Next, we introduce the concept of the exponential mech-anism and its properties. In the literature of differentialprivacy, the exponential mechanism is often used to designprivacy-preserving mechanisms. A key component of theexponential mechanism is the score function f(A, o), whichmaps the input set A and an outcome o ∈ O to a real-valuedscore. The score represents how good the outcome o is forthe input set A compared with the optimal outcome.

Exponential mechanism εεf (A): Given an outcome spaceO, an input set A, a score function f and a small constantε, the exponential mechanism εεf (A) chooses an outcomeo ∈ O with probability

Pr[εεf (A) = o

]∝ exp (εf(A, o)) .



5

Let Λ denote an upper-bound of the difference of any twoinput sets, the exponential mechanism has the followingproperties.

Theorem 2. [33] The exponential mechanism gives 2εΛ-differential privacy.

Theorem 3. [19] For any α ≥ 0, the exponential mechanism,when used to select an output o ∈ O, εεf (A) yields 2εΛ-differential privacy, letting O∗ be the subset of O achievingf(A, o) = max

of(A, o), ensures that

Pr[f(A, εεf (A)

)< max

of(A, o)− ln(|O|/|O∗|)/ε− α/ε

]≤ exp(−α)

3.5 Design ObjectiveThe goal of our framework design is to minimize the socialcost while achieving computational efficiency, individualrationality, truthfulness and differential privacy. Specifically,the minimization problem in the single-bid model is referredto as the Social Cost Minimization (SCM) problem and theminimization problem in the multi-bid model is referredto as the SCM-M problem. Next, we give the formal for-mulation of the SCM problem and the SCM-M problem,respectively.

SCM problem: Given a task set T and a user set U ,the goal of the SCM-S problem is to find a subset of usersS ⊆ U , such that C(S) =

∑i∈S ci is minimized subject to⋃

i∈S Γi = T .SCM-M problem: Given a task set T and a user set

U , the goal of the SCM-M problem is to find a subsetof users S ⊆ U and their assigned task-bid pairs BW ,such that C(BW ) =

∑βki ∈BW

cki is minimized subject to⋃βki ∈BW

tki = T .Note that SCM problem is challenging because it is NP-

hard (proved by Theorem 4 in [30]), let alone combiningwith computational efficiency, individual rationality, truth-fulness and differential privacy. Although SCM-M can besolved optimally, it is still challenging when combiningwith the other properties. Therefore, we aim to designdifferentially private truthful frameworks with theoreticallyguaranteed approximate social cost.

4 BIDGUARD: DIFFERENTIALLY PRIVATE AUC-TION FRAMEWORK FOR THE SINGLE-BID MODEL

In this section, we design and analyze BidGuard, a differen-tially private auction framework for the Single-bid Model.

4.1 Design RationaleBidGuard integrates the exponential mechanism with thereverse auction to achieve computational efficiency, individ-ual rationality, truthfulness, differential privacy and approx-imate social cost minimization. In this framework, users areselected iteratively. In each iteration, redundant users areeliminated and each remaining user is assigned a probabilityto be selected. The framework then selects one of them as thewinner based on the probability distribution. Specifically,the probability of a user to be selected is set according to aspecific criterion. The above processes repeats until all thesensing tasks can be completed by the selected users. Finally,the framework computes the payment to each winner.

4.2 Design of BidGuard

In this section, we will describe BidGuard in detail. As il-lustrated in Algorithm 1, BidGuard consists of three phases:user screening, winner selection, and payment determina-tion. It executes these three phases iteratively until all thesensing tasks can be completed by the selected users.

Algorithm 1: BidGuardInput : A set of sensing tasks T , a set of users U ,

submitted task-bid profile−→β , and differential

privacy parameters ε > 0 and δ ∈ (0, 12 ].

Output: A set of winners S and a payment profile −→p .1 S ← ∅, Tc ← ∅, R ← U ;2 foreach i ∈ U do pi ← 0;3 while Tc 6= T do4 foreach i ∈ R do5 if Γi ⊆ Tc then R ← R \ {i};6 end7 foreach i ∈ R do8 Calculate the probability Pri(bi) of each user

being selected according to the score function;9 end

10 Select one user randomly, denoted by i′, accordingto the computed probability distribution;

11 S ← S ∪ {i′}, Tc ← Tc ∪ Γi′ , R ← R \ {i′};12 end

13 foreach i ∈ S do pi ← bi +∫ bmaxbi

Pri(z)dz

Pri(bi);

14 return S and −→p .

1) User Screening PhaseBidGuard will eliminate all the redundant users, whose

task set can be completed by the currently selected users.The set of remaining users is denoted by R.2) Winner Selection Phase

BidGuard will assign each user i ∈ R a probability ofbeing selected as follows. It first computes a criterion r(βi),which is the bid divided by the number of tasks that cannotbe completed by the currently selected users, i.e.,

r(βi) =bi

|Γi − Tc|, (1)

where Tc is the set of tasks that can be completed by thecurrently selected users. BidGuard selects the user with thelowest r(βi) in each iteration. To apply the exponentialmechanism, we need to design a score function, which isa non-increasing function of r(βi). The probability of eachuser to be selected is set according to the value of the scorefunction.3) Payment Determination Phase

Let Pri(z) denote the probability of user i being selectedwith bid z. According to Theorem 1, the payment to winneri is

pi = bi +

∫ bmax

biPri(z)dz

Pri(bi).

4.3 Design of Score Functions

To apply the exponential mechanism, we need to design ascore function. Specifically, we design two score functions,



6

linear score function and log score function. We will show thatthey have different theoretical bounds on the social cost(Section 4.4) and performance in simulations (Section 6).

Linear score function: fLIN (x) = 1− x. For any bidderi ∈ R, the probability to be selected in each iteration is

Pri(bi) ∝{

exp(ε′(1− bi

bmax|Γi−Tc| )), if i ∈ R;

0, otherwise,

where ε′ = ε/(e∆ ln(e/δ)). Note that in order to guaranteethe value of the score function is nonnegative, we normalizer(βi), i.e., bi

bmax|Γi−Tc| . Then the probability is

Pri(bi) =

exp

(ε′(1− bi

bmax|Γi−Tc|))

∑j∈R exp

(ε′(1−

bjbmax|Γj−Tc|

)

) , if i ∈ R;

0, otherwise.(2)

Log score function: fLOG(x) = log1/2 x. For any bidderi ∈ R, the probability to be selected in each iteration is

Pri(bi) ∝{

exp(ε′ log1/2

bibmax|Γi−Tc|

), if i ∈ R;

0, otherwise,

where ε′ = ε/(e ln(e/δ) log1/2 (1/(1 + ∆))). We also nor-malize the r(βi), i.e., bi

bmax|Γi−Tc| to guarantee the value ofthe score function is nonnegative. Then the probability is

Pri(bi) =

exp

(ε′ log1/2

bibmax|Γi−Tc|

)∑

j∈R exp

(ε′ log1/2

bjbmax|Γj−Tc|

) , if i ∈ R;

0, otherwise.(3)

Throughout the rest of this paper, we denote theBidGuard with linear score function fLIN and log scorefunction fLOG by LIN and LOG, respectively.

Illustrating example: We use the example in Table 1 toillustrate how LIN works. Assuming bmin = 1, bmax = 6,then ∆ = 5. Let the differential privacy parameters ε = 0.1and δ = 0.5, then ε′ = 0.1/(e × 5 ln(e/0.5)). At the begin-ning, T = {t1, t2, t3}, S = ∅, Tc = ∅,R = U = {1, 2, 3, 4, 5}.LIN starts to select users iteratively. In the first iteration,LIN calculates |Γi − Tc| for each user i ∈ R. We have|Γ1−Tc| = 2, |Γ2−Tc| = 1, |Γ3−Tc| = 2, |Γ4−Tc| = 2, and|Γ5 − Tc| = 2. Based on (2), LIN calculates the probabilityof every user in R to be selected in this iteration, e.g.,Pr1(3) = exp(0.7ε′)/(exp(0.7ε′) + exp(0.8ε′) + exp(0.6ε′) +exp(0.5ε′) + exp(0.5ε′)). LIN selects a user based on thecalculated probability distribution. Assume LIN selects user1, then S = {1}, Tc = {t1, t2}, R = {3, 5}. At the beginningof the second iteration, LIN calculates |Γi − Tc| for the re-maining users user 3 and user 5. We have |Γ3−Tc| = 1 and|Γ5 − Tc| = 1. Then LIN calculates the probabilities of user3 and user 5 to be selected in this iteration according to (2).We have Pr3(4) = exp(0.2ε′)/(exp(0.2ε′) + exp(ε′)) andPr5(5) = exp(ε′)/(exp(0.2ε′) + exp(ε′)). Assume user 3 isselected in this iteration, then LIN terminates since Tc = T .At last, LIN calculates the payment to all the selected users,i.e., user 1 and user 3. We have p1 = 3 +

∫ 63 Pr1(z)dz

Pr1(3) and

p3 = 4 +∫ 64 Pr3(z)dz

Pr3(4) .

4.4 Analysis of BidGuard

In this section, we first analyze the properties of LIN.

Theorem 4. LIN achieves computational efficiency, individualrationality, truthfulness, and (ε(e− 1)/e, δ)-differential privacy,where ε > 0 and δ ∈ (0, 1

2 ] are constants, e is the base of thenatural logarithm. In addition, it has social cost at most gOPT +O(lnn) with probability at least 1 − 1/nO(1), where g is thecardinality of the largest user task set, OPT is the optimal socialcost of the SCM problem, and n is the number of users.

Proof: We first prove the computational efficiency. Theouter while-loop (Lines 3-12) will run at most m iterationssince there are m tasks. Meanwhile, the two inner for-loops(Lines 4-6) and (Lines 7-9) will run at most n iterationssince there are n users. Therefore, the total computationalcomplexity of LIN is O(mn). The individual rationality isguaranteed by the fact that the payment to each winner i is

pi = bi +∫ bmaxbi

Pri(z)dz

Pri(bi)≥ bi. In order to prove the rest of

this theorem, we prove the following lemmas.

Lemma 1. LIN is truthful.

Proof: According to (2) and (3), the probability Pri(bi)of user i being selected in BidGuard is monotonically non-increasing in its bid bi. In addition, no bid is greaterthan bmax in our model. Thus we have

∫∞0 Pri(z)dz =∫ bmax

0 Pri(z)dz <∞. Furthermore, we have

E[pi]

= (1− Pri(bi))× 0 + Pri(bi)×(bi +

∫ bmax

biPri(z)dz

Pri(bi)

)

= biPri(bi) +

∫ ∞bi

Pri(z)dz.

Then, according to Theorem 1, the lemma holds.

Lemma 2. For any constants ε > 0 and δ ∈ (0, 12 ], LIN achieves

(ε(e − 1)/e, δ)-differential privacy, where e is the base of thenatural logarithm.

Proof: Let−→β and

−→β′ be two input task-bid profiles that

differ in any user d’s bid, respectively. LetM(−→β ) andM(

−→β′)

denote the sequences of users selected by LIN with inputs−→β

and−→β′ , respectively. We show that LIN, even revealing the

order in which the users are chosen, achieves differentialprivacy for an arbitrary sequence of users I = i1, i2, . . . , ilof arbitrary length l. We consider the relative probability ofLIN for given task-bid inputs

−→β and

−→β′ :



7

Pr[M(−→β ) = I

]Pr[M(−→β′) = I

] =l∏

j=1

exp

(ε′(1−

bijbmax|Γij

−Tc|)

)∑

i∈Ujexp

(ε′(1− bi

bmax|Γi−Tc|))

exp

(ε′(1−

b′ij

bmax|Γij−Tc|

)

)∑

i∈Ujexp

(ε′(1− b′

ibmax|Γi−Tc|

)

)

=l∏

j=1

exp

(ε′(1− bij

bmax|Γij−Tc| )

)exp

(ε′(1−

b′ijbmax|Γij

−Tc| )

)

×l∏

j=1

∑i∈Uj exp

(ε′(1− b′i

bmax|Γi−Tc| ))

∑i∈Uj exp

(ε′(1− bi

bmax|Γi−Tc| )) ,

where Uj = U \ {i1, i2, . . . , ij−1} and the first equation isbased on (2). We then prove this lemma by cases. Whenbd < b′d, the second product is at most 1 because the factorfor any j ∈ [1, l] is less than 1 if d ∈ Uj and equal to 1otherwise. Therefore, we have

Pr[M(−→β ) = i1, i2, . . . , il

]Pr[M(−→β′) = i1, i2, . . . , il

] ≤ exp(ε′(1− bd

bmax|Γd−Tc| ))

exp(ε′(1− b′d

bmax|Γd−Tc| ))

= exp

(ε′

b′d − bdbmax|Γd − Tc|

)6 exp (ε′(b′d − bd))6 exp(ε′∆).

When bd ≥ b′d, the first product is at most 1 because thefactor for any j ∈ [1, l] is less than 1 if ij = d and equal to1 otherwise. In the remainder of the proof, we focus on thiscase. Therefore, we have

Pr[M(−→β ) = i1, i2, . . . , il

]Pr[M(−→β′) = i1, i2, . . . , il

]6

l∏j=1

∑i∈Uj exp

(ε′(1− b′i

bmax|Γi−Tc| ))

∑i∈Uj exp

(ε′(1− bi

bmax|Γi−Tc| ))

=l∏

j=1

∑i∈Uj exp

(ε′ θi|Γi−Tc|

)exp

(ε′(1− bi

bmax|Γi−Tc| ))

∑i∈Uj exp

(ε′(1− bi

bmax|Γi−Tc| ))

=l∏

j=1

Ei∈Uj

[exp

(ε′

θi|Γi − Tc|

)]

6l∏

j=1

Ei∈Uj [exp(ε′θi)] ,

where θi = b′i − bi. For all x 6 1, ex 6 1 + (e − 1) · x.Therefore, for all ε′ 6 1, we have

l∏j=1

Ei∈Uj [exp(ε′θi)] 6l∏

j=1

Ei∈Uj [1 + (e− 1)ε′θi]

6 exp

(e− 1)ε′l∑

j=1

Ei∈Uj [θi]

.Lemma B.2 in [19] implies that Pr[

∑lj=1Ei∈Uj [θi] >

∆ ln(e/δ)] 6 δ. LetO denote the outcome space, where each

o ∈ O is a sequence of users i1, i2, · · · , il. We split O intotwo sets O′ and O′′, where O′ = {o ∈ O|

∑lj=1Ei∈Uj [θi] ≤

∆ ln(e/δ)} and O′′ = O \ O′. Thus we have

Pr[M(−→β ) ∈ O

]=

∑o∈O

Pr[M(−→β ) = o

]=

∑o∈O′

Pr[M(−→β ) = o

]+∑o∈O′′

Pr[M(−→β ) = o

]≤

∑o∈O′

exp ((e− 1)ε′∆ ln(e/δ))Pr[M(−→β′) = o

]+ δ

≤ exp((e− 1)ε′∆ ln(e/δ)Pr[M(−→β′) ∈ O

]+ δ

= exp(ε(e− 1)/e)Pr[M(−→β′) ∈ O

]+ δ.

The lemma holds.

Lemma 3. With probability at least 1− 1/nO(1), LIN has socialcost at most gOPT + O(lnn), where g is the cardinality of thelargest user task set, OPT is the optimal social cost of the SCMproblem, and n is the number of users.

Proof: Let S∗ denote the optimal solution to theSCM problem. For LIN, we consider a sequence W ofwinners according to the order they are selected, i.e., W =w1, w2, . . . , wl.

For each wi, 1 ≤ i ≤ l, let Wi denote the set of userssatisfying ∀j ∈ Wi:

1) j ∈ S∗;2) Γj ∩ Γwi 6= ∅;3) Γj ∩ Γwk

= ∅,∀k ∈ [1, i− 1];Wi is the set of users in S∗ but not in W because of wi.For truthful mechanisms, we have bi = ci. According toTheorem 3, by taking α = O(lnn), we have

1− cwi

|Γwi− Tc|

≥ 1− cj|Γj − Tc|

−O(lnn),

with a probability of at least 1− 1/nO(1). This implies that

cj ≥cwi

|Γwi− Tc|

· |Γj − Tc| −O(lnn),

with a probability of at least 1− 1/nO(1). Summing over allj ∈ Wi, we have

∑j∈Wi

cj ≥(

cwi

|Γwi − Tc|−O(lnn)

)·∑j∈Wi

|Γj − Tc|

≥ cwi

|Γwi− Tc|

−O(lnn)

with a probability of at least 1 − 1/nO(1). The first inequal-ity holds because

∑j∈Wi

|Γj − Tc| ≥ |Wi|. The secondinequality holds because

∑j∈Wi

|Γj − Tc| ≥ 1. Note that|Γwi − Tc| can be upper bounded by a constant g, whichis the cardinality of the largest user task set. Therefore, wehave ∑

j∈Wi

cj ≥cwi

g−O(lnn)



8

Summing over all wi ∈ W , we have

OPT =∑j∈S∗

cj =∑wi∈W

∑j∈Wi

cj +∑

j∈S∗∩Wcj

≥∑wi∈W

cwi

g−O(lnn),

where the inequality holds because when n is large, |W| �n.

Then the lemma holds.For LOG we have the following properties. The proofs

are similar to those for LIN, and thus omitted.

Theorem 5. LOG achieves computational efficiency, individualrationality, truthfulness, and (ε(e− 1)/e, δ)-differential privacy,where ε > 0 and δ ∈ (0, 1

2 ] are two constants, e is the baseof the natural logarithm. In addition, it has social cost at most2tHmOPT with probability at least 1 − e−t, for any constantt > 0 and Hm =

∑mj=1 1/j, where m is the number of sensing

tasks, and OPT is the optimal social cost of the SCM problem.

Remarks: According to Theorem 4 in [30], the minimumweighted set cover problem can be reduced to the SCMproblem. It is well known that the best-possible polyno-mial time approximation algorithm is anHm-approximationalgorithm for the weighted set cover problem [9], whereHm is the m-th harmonic number. LOG has social costat most 2tHmOPT , where t is a constant, and thus it isasymptotically optimal. Even though LIN cannot be provedto be asymptotically optimal in terms of the social cost,we will show in Section 6 that it achieves better privacyprotection than LOG.

5 BIDGUARD-M: DIFFERENTIALLY PRIVATE AUC-TION FRAMEWORK FOR THE MULTI-BID MODEL

In this section, we design and analyze BidGuard-M, a differ-entially private auction framework for the multi-bid Model.

5.1 Design RationaleBidGuard-M integrates the exponential mechanism withthe reverse auction to achieve computational efficiency, in-dividual rationality, truthfulness, differential privacy andapproximate social cost minimization. In this framework,task-bid pairs are selected iteratively. In each iteration, onetask is considered. Each of the task-bid pairs with this taskis assigned a probability to be selected. The framework thenselects one of them as the winning task-bid pair according tothe probability distribution. Specifically, the probability of atask-bid pair to be selected is set according to a specific cri-terion. The above process repeats until all the sensing taskscan be completed by the selected task-bid pairs. Finally, theframework computes the payment to each winning task-bidpair.

5.2 Design of BidGuard-MIn this section, we will describe BidGuard-M in detail asillustrated in Algorithm 2.

BidGuard-M selects a winning task-bid pair for each taskin T iteratively until all the tasks can be completed. All thewinning task-bid pairs constitute BW . At the beginning of

Algorithm 2: BidGuard-MInput : A set of sensing tasks T , a set of users U ,

submitted task-bid profile−→B , and differential

privacy parameter ε > 0.Output: A set of winners S and a payment profile −→p .

1 BW ← ∅, S ← ∅, Bt ← ∅;2 foreach i ∈ U do pi ← 0;3 foreach t ∈ T do4 foreach i ∈ U do5 if ∃βki ∈ Bi such that tki = t then

Bt ← Bt ∪ {βki };6 end7 foreach βki ∈ Bt do8 Calculate the probability Pri(bki ) of each

task-bid pair being selected according to thescore function;

9 end10 Select one task-bid pair randomly, denoted by βk

′

i′ ,according to the computed probabilitydistribution;

11 BW ← BW ∪ {βk′

i′ }, Bt ← ∅;12 end13 foreach βki ∈ BW do

14 pki ← bki +

∫ bmax

bki

Pri(z)dz

Pri(bki );

15 end16 foreach i ∈ U do17 if Bi ∩ BW 6= ∅ then18 S ← S ∪ {i};19 pi ←

∑βki ∈Bi∩BW

pki ;20 end21 end22 return S and −→p .

each iteration, BidGuard-M firstly selects for an unassignedtask t ∈ T a set of task-bid pairs Bt in which tki = t for allβki ∈ Bt. BidGuard-M will assign each task-bid pair βki ∈ Bta probability to be selected as follows. It is desired to selectthe task-bid pair with the lowest bki from Bt. To apply theexponential mechanism, we need to design a score function,which is a non-increasing function of bki . The probabilityof each task-bid pair to be selected is set according to thevalue of the score function. At last, BidGuard-M calculatesthe payment pki for each winning task-bid pair βki ∈ BW .Let Pri(z) denote the probability of a task-bid pair beingselected with bid z. According to Theorem 1, the paymentto a winning task-bid pair is

pki = bki +

∫ bmax

bkiPri(z)dz

Pri(bki ).

For each user, if it has at least one winning task-bidpair, it is added into the winner set S and its paymentpi =

∑βki ∈Bi∩BW

pki .

5.3 Design of Score Functions

Same as the single-bid model, we adopt fLIN and fLOGas score functions. We will show that they have different



9

theoretical bounds on the social cost (Section 5.4) and per-formance in simulations (Section 6).

Linear score function: For any task-bid pair βki ∈ Bt, theprobability to be selected is

Pri(bki ) ∝ exp

(ε(1− bki

bmax)

).

Note that in order to guarantee the value of the scorefunction is nonnegative, we normalize bki , i.e., bki

bmax. Then

the probability is

Pri(bki ) =

exp(ε(1− bki

bmax))

∑βkj ∈Bt

exp

(ε(1− bkj

bmax)

) . (4)

Log score function: For any task-bid pair βki ∈ Bt, theprobability to be selected is

Pri(bki ) ∝ exp

(ε log1/2

bkibmax

).

We also normalize the bki , i.e., bkibmax

to guarantee the valueof the score function is nonnegative. Then the probability is

Pri(bki ) =

exp(ε log1/2

bkibmax

)∑βkj ∈Bt

exp

(ε log1/2

bkjbmax

) . (5)

Throughout the rest of this paper, we denote theBidGuard-M with linear score function fLIN and log scorefunction fLOG by LIN-M and LOG-M, respectively.

Illustrating example: We use the example in Table 2to illustrate how LIN-M works. Let bmin = 1, bmax =4, and the differential privacy parameter ε = 0.1. Atthe beginning, T = {t1, t2, t3}, S = ∅, BW = ∅,Bt = ∅, and U = {1, 2, 3, 4, 5}. LIN-M starts to se-lect users for every task in T iteratively. For t1, LIN-Mfirst constructs B1 = {β1

1 , β12 , β

13 , β

14 , β

15}. By (4), LIN-M

calculates the probability of every task-bid pair in B1

to be selected. For example, the probability of β11 to

be selected is Pr1(1.5) = exp(0.0625)/(exp(0.0625) +exp(0.075) + exp(0.06) + exp(0.025) + exp(0.0375)). LIN-Mselects one task-bid pair based on the calculated probabilitydistribution. Assume β1

2 is selected, then BW = {β12}.

LIN-M executes the same process for t2. We have B2 ={β2

1 , β24}. The probabilities of β2

1 and β24 to be selected

are Pr1(1.5) = exp(0.0625)/(exp(0.0625) + exp(0.05)) andPr4(2) = exp(0.05)/(exp(0.0625)+exp(0.05)), respectively.Assume LIN-M selects β2

1 , then BW = {β12 , β

21}. For t3,

LIN-M constructs B3 = {β23 , β

25}. The probabilities of β2

3 andβ2

5 to be selected are Pr3(2.4) = exp(0.06)/(exp(0.06) +exp(0.0375)) and Pr5(2.5) = exp(0.0375)/(exp(0.06) +exp(0.0375)), respectively. Assume LIN-M selects β2

3 , thenBW = {β1

2 , β21 , β

23}. Once all tasks are assigned, LIN-M

calculates the payment for each task-bid pair in BW . Wehave p1

2 = 1 +∫ 41 Pr2(z)dz

Pr2(1) , p21 = 1.5 +

∫ 41.5 Pr1(z)dz

Pr1(1.5) , and

p23 = 2.4+

∫ 42.4 Pr3(z)dz

Pr3(2.4) . At last, LIN-M calculates the winnersset S = {1, 2, 3} and corresponding payments, i.e., p1 = p2

1,p2 = p1

2 and p3 = p23.

5.4 Analysis of BidGuard-M

In this section, we first analyze the properties of LIN-M.

Theorem 6. LIN-M achieves computational efficiency, individualrationality, truthfulness, and 2mε-differential privacy, where ε >0 is a constant and m is the number of sensing tasks. In addition,it has social cost at most OPT + mO(lnn) with probability atleast 1 − 1/nO(1), where OPT is the optimal social cost of theSCM-M problem, and n is the number of users.

Proof: We first prove the computational efficiency. Theouter while-loop (Lines 3-12) will run at most m iterationssince there are m tasks. Meanwhile, the two inner for-loops(Lines 4-6) and (Lines 7-9) will run at most n iterations sincethere are n users. The payment calculation for the winningtask-bid pairs (Lines 13-15) will run at most m iterationssince there are m tasks. The winner selection and paymentcalculation (Lines 16-21) will run at most n iterations sincethere are n users. Therefore, the total computational com-plexity of LIN-M is O(mn). The individual rationality isguaranteed by the fact that the payment to each winning

task-bid pair is pki = bki +

∫ bmax

bki

Pri(z)dz

Pri(bki )≥ bki . In order

to prove the rest of this theorem, we prove the followinglemmas.

Lemma 4. LIN-M is truthful.

Proof: According to (4) and (5), the probabilityPri(b

ki ) of task-bid pair βki ∈ Bt being selected in

BidGuard-M is monotonically non-increasing in its bid bki . Inaddition, no bid is greater than bmax in our model. Thus wehave

∫∞0 Pri(z)dz =

∫ bmax

0 Pri(z)dz < ∞. Furthermore,we have

E[pki ]

=(

1− Pri(bki ))× 0 + Pri(b

ki )×

bki +

∫ bmax

bkiPri(z)dz

Pri(bki )

= bki Pri(b

ki ) +

∫ ∞bki

Pri(z)dz.

Then, according to Theorem 1, the lemma holds.In order to quantify the differential privacy performance

of LIN-M, we use the following lemmas.

Lemma 5. (Composability [33]). The sequential application ofrandomized computation Mi, each giving εi-differential privacy,yields (

∑i εi)-differential privacy.

Lemma 6. For any constant ε > 0, LIN-M achieves 2mε-differential privacy, where m is the number of sensing tasks.

Proof: Since LIN-M follows the exponential mecha-nism, it selects a task-bid pair for each task based on(4). According to Theorem 2, for each task LIN-M is 2ε-differential privacy, since the largest difference in the scorefunction (Λ) is 1. LIN-M selects a task-bid pair for eachtask in T iteratively until all tasks can be finished. Thisis a sequential application of the selection mechanism forone task. Therefore, according to Lemma 5, LIN-M is 2mε-differential privacy, since there are m tasks.

Next, we bound the social cost of LIN-M.



10

Lemma 7. With probability at least 1 − 1/nO(1), LIN-M hassocial cost at mostOPT +mO(lnn), whereOPT is the optimalsocial cost of the SCM-M problem, m is the number of sensingtasks and n is the number of users.

Proof: Let B∗ denote the optimal solution to theSCM-M problem. We denote as BW an arbitrary set ofwinning task-bid pairs returned by LIN-M. Because only onetask-bid pair is selected for each task and all tasks need tobe completed, we have |B∗| = |BW |. Therefore, for any task-bid pair βkj ∈ B∗, there exists a task-bid pair βki ∈ BW suchthat tki = tkj , and vice versa. According to Theorem 3, bytaking α = O(lnn), we have

bki ≤ bkj +O(lnn) (6)

with a probability of at least 1−1/nO(1) for each task t ∈ T .Summing (6) over all tasks,

∑βki ∈BW

bki ≤∑βkj ∈B∗

bkj +

mO(lnn) with a probability at least 1 − 1/nO(1). Fortruthful mechanisms, we have bki = cki and bkj = ckj .Thus

∑βki ∈BW

bki is the social cost of LIN-M, and OPT =∑βkj ∈B∗

bkj .This concludes the proof.For LOG-M we have the following properties. The proofs

are similar to those for LIN-M, and thus omitted.

Theorem 7. LOG-M achieves computational efficiency, indi-vidual rationality, truthfulness, and 2m log 1

2( 1

1+∆ )ε-differentialprivacy, where m is the number of sensing tasks, ∆ is themaximum difference in the bidding price, and ε > 0 is a constant.In addition, it has social cost at most 2tOPT with probability atleast 1 − e−t, for any constant t > 0 and OPT is the optimalsocial cost of the SCM-M problem.

Remarks: LOG-M has social cost at most 2tOPT , where tis a constant, and thus it is asymptotically optimal.

6 PERFORMANCE EVALUATION

In this section, we evaluate the performance of BidGuardand BidGuard-M and compare them respectively withTRAC [15] and DP-hSRC [23]. TRAC is closest to our workin terms of the design objective, but does not protect users’bid privacy. DP-hSRC considers users’ bid privacy, butminimizes total payment instead of social cost.

6.1 Simulation Setup

All the evaluation results are based on a real data set of taxitraces. The dataset consists of the traces of 320 taxi drivers,who work in the center of Rome [6]. Each taxi driver has atablet that periodically (every 7s) retrieves the GPS locations(latitude and longitude) and sends it with the correspondingdriver ID to a central server. The mobility pattern of taxitraces can be used to depict the mobility of smartphoneusers as in [25], [47].

We consider a mobile crowdsensing system where thetask is to measure the cellular signal strength at specificlocations. Each user can sense the cellular signal strengthwithin the area centered at the user’s location with a radiusof 30m. Tasks are represented by GPS locations reported bytaxis. We assume that the driver of each taxi is a user. We

preprocess the tasks such that each task can be sensed by atleast two users according to our system model.

We use three metrics to evaluate the performance: socialcost, total payment and privacy leakage. The social cost, asdefined in Section 3, refers to the total cost of all selectedusers. The total payment measures the payment paid bythe platform to all selected users. We first compare thesocial cost and total payment of BidGuard and BidGuard-Mwith TRAC. Then we compare the social cost of BidGuardwith the optimal social cost. We define privacy leakage toquantitatively measure the differential privacy performanceof BidGuard and BidGuard-M.

Privacy Leakage: Given a mechanism M , let−→β and−→

β ′ be two task-bid profiles, which only differ in one user’sbid. Let M(

−→β ) and M(

−→β ′) denote the outcome of M with

input−→β and

−→β ′, respectively. The privacy leakage, denoted

by PL, is defined as the Kullback-Leibler divergence of thetwo outcome probability distributions based on

−→β and

−→β ′,

PL =∑o∈O

Pr[M(−→β ) = o

]ln

Pr[M(−→β ) = o

]Pr[M(−→β ′) = o

] . (7)

Note that the smaller the PL value is, the harder it is todistinguish the two task-bid profiles, and thus the better theprivacy preserving performance is achieved.

In our evaluation, we randomly select locations as thesensing tasks according to the settings. We assume the bidsof users are randomly distributed over [1, 50] for BidGuardand [1, 10] for BidGuard-M. Because users in BidGuard bidfor a set of tasks, while users in BidGuard-M bid for a singletask. We generate users’ bids according to two differentdistributions, i.e., uniform distribution and normal distribu-tion. To evaluate the impact of the number of sensing taskson the performance metrics, we set the number of users to200 and vary the number of sensing tasks from 20 to 60with a step of 10. To evaluate the impact of the numberof users on the performance metrics, we set the number ofsensing tasks to 150 and vary the number of users from100 to 300 with a step of 50. For the differential privacyparameters, we set ε = 0.1 and δ = 0.25 as default. Allthe results are averaged over 1000 independent runs foreach setting. Note that since the performances under bothuniform and normal distributions follow the same patternaccording to our evaluation, in the following we only showthe performance under the uniform distribution.

6.2 Evaluation of Social CostWe first compare the social cost of BidGuard andBidGuard-M with that of TRAC and DP-hSRC. Note thatTRAC is optimal in the multi-bid model. The impact ofthe number of sensing tasks on the social cost of BidGuardand that of BidGuard-M is shown in Fig. 1(a) and Fig. 1(b),respectively. We observe that the social cost of TRAC, DP-hSRC, BidGuard and BidGuard-M all increase when thenumber of sensing tasks grows. This is because with moresensing tasks, the platform may select more users incur-ring a higher social cost. We also see that the social costof TRAC is lower than those of DP-hSRC, BidGuard andBidGuard-M. This is because, in each iteration, TRAC isdeterminate to select the user with the lowest criterion value



11

Number of sensing tasks20 30 40 50 60

So

cia

l co

st

0100200300400500600700800

TRACLINLOGDP-hSRC

(a)Number of sensing tasks

20 30 40 50 60

So

cia

l co

st

0

100

200

300TRACLIN-MLOG-MDP-hSRC

(b)

Fig. 1. Impact of the number of sensing tasks on the social cost. (a)BidGuard. (b) BidGuard-M.

Number of users

100 150 200 250 300

So

cia

l co

st

400

700

1000

1300 TRAC

LIN

LOG

DP-hSRC

(a)Number of users

100 150 200 250 300

So

cia

l co

st

100

150

200

250

300

350

TRAC

LIN-M

LOG-M

DP-hSRC

(b)

Fig. 2. Impact of the number of users on the social cost. (a) BidGuard.(b) BidGuard-M.

(defined in (1)) in the single-bid model and the user with thelowest bid for each task in the multi-bid model. In contrast,since both BidGuard and BidGuard-M are randomized,they cannot always guarantee to select the user with thelowest criterion value or the lowest bid in each iteration.DP-hSRC selects users based on a threshold price and hasno performance guarantee on the social cost. Besides, thesocial cost of LOG is smaller than that of LIN, and the socialcost of LOG-M is lower than that of LIN-M. This is because,both LOG and LOG-M prefer to select users with low bid,as the log score function will give more probability of beingselected to low-bid users.

Fig. 2(a) and Fig. 2(b) depict the impact of the numberof users on the social cost of BidGuard and BidGuard-M,respectively. We see that the social cost decreases slightlywhen the number of users increases for TRAC, DP-hSRC,BidGuard and BidGuard-M. This is because, with moreusers, the platform can find more low-cost users to completethe sensing tasks. The social cost of TRAC is lower thanthose of DP-hSRC, BidGuard and BidGuard-M. The reasonis same as explained for Fig. 1. Meanwhile, for the samereason as above, the social cost of LOG is lower than thatof LIN, and the social cost of LOG-M is lower than that ofLIN-M.

In Fig. 3, we compare the social cost of incentive mecha-nisms in the single-bid model. Let OPT denote the optimalsolution. Since finding the optimal solution takes exponen-tial time, we set the number of the users to 10 for Fig. 3(a),and set the number of sensing tasks to 4 for Fig. 3(b). Weobserve that Fig. 3(a) and Fig. 3(b) have the same pattern inFig. 1(a) and Fig. 2(a), respectively. The reason is similar tothose explained for Fig. 1(a) and Fig. 2(a). Furthermore, weobserve that BidGuard sacrifices the social cost for the users’bid privacy, compared to TRAC and the optimal solution.Note that in Fig. 3(b), the social cost of TRAC is very close tothat of OPT. This is because TRAC is an HK -approximationalgorithm, where Hk ≈ 2.34 in this figure.


Socia

l cost

507090

110130150170 TRAC

LINLOGDP-hSRCOPT

(a)Number of users

100 150 200 250 300

Socia

l cost

0

10

20

30

40

50

60

TRAC

LIN

LOG

DP-hSRC

OPT

(b)

Fig. 3. Comparison of BidGuard, TRAC, DP-hSRC and OPT. (a) Impactof the number of sensing tasks. (b) Impact of the number of users.


Tota

l paym

ent

0200400600800

100012001400

TRACLINLOGDP-hSRC

(a)Number of sensing tasks

20 30 40 50 60

Tota

l paym

ent

0

200

400

600TRACLIN-MLOG-MDP-hSRC

(b)

Fig. 4. Impact of the number of sensing tasks on the total payment. (a)BidGuard. (b) BidGuard-M.

6.3 Evaluation of Total PaymentIn Fig. 4 and Fig. 5, we plot the impact of the number ofsensing tasks and the impact of the number of users on thetotal payment of BidGuard and BidGuard-M, respectively.The results show that the total payment of TRAC, DP-hSRC,BidGuard and BidGuard-M all follow the same pattern asthe social cost. In addition, both LOG and LOG-M havelower total payment than LIN and LIN-M, respectively. Thisis because the log score function could select users withlower bids as shown in Fig. 1 and Fig. 2. We also observethat the total payment of DP-hSRC is lower than BidGuardand BidGuard-M. This is because DP-hSRC selects and paysusers according to a single-price, and thus it has perfor-mance guarantee on the total payment. However, DP-hSRCcan only achieve approximate truthfulness, which ensuresthat no user is able to make more than a slight gain in itsexpected utility by bidding untruthfully. In addition, in thenext subsection, we will see that the privacy protection ofLIN and LIN-M are better than that of DP-hSRC.

6.4 Evaluation of Privacy LeakageNext, we evaluate BidGuard and BidGuard-M in terms ofprivacy leakage. Fig. 6(a) and Fig. 7(a) plot the impactof the number of sensing tasks on the privacy leakagefor BidGuard and BidGuard-M, respectively. Fig. 6(b) andFig. 7(b) plot the impact of the number of users on the pri-vacy leakage for BidGuard and BidGuard-M, respectively.

We observe that the privacy leakage values of BidGuard,BidGuard-M and DP-hSRC are very small. This is becausethey all achieve differential privacy. However, the privacyleakage value of TRAC is positive infinity, which indicates abad differential privacy performance. This is because TRACdoes not protect users’ bid privacy, and the denominatorcould be 0 for TRAC according to (7).

In both Fig. 6(a) and Fig. 7(a), we see that the privacyleakage of both LIN and LIN-M are always smaller thanthat of LOG and LOG-M, respectively, which indicates thatLIN and LIN-M have better privacy protection performancethan LOG and LOG-M, respectively. This is because the



12


Priva

cy le

aka

ge

0

0.2

0.4

+infLINLOGDP-hSRCTRAC

(a)Number of users

100 150 200 250 300

Priva

cy le

aka

ge

0

0.2

0.4

0.6

0.8

+infLINLOGDP-hSRCTRAC

(b)ǫ

0.1 0.3 0.5 0.7 0.9

Privacy L

eakage

0.1

0.2

0.3

0.4

0.5

0.6

LINLOGDP-hSRC

(c)0.2 0.4 0.6 0.8 1

48

49

50

51

52

Socia

l cost

ε

0.2 0.4 0.6 0.8 10.51

0.52

0.53

0.54

0.55

Privacy leakage

Social costPrivacy leakage

(d)

Fig. 6. Evaluation of privacy leakage for BidGuard. (a) Impact of the number of sensing tasks. (b) Impact of the number of users. (c) Impact of ε. (d)Social cost v.s. privacy leakage.


Priva

cy le

aka

ge

0

1

2

+inf LIN-MLOG-MDP-hSRCTRAC

(a)Number of users

100 150 200 250 300

Priva

cy le

aka

ge

0

0.5

1

1.5

+inf LIN-MLOG-MDP-hSRCTRAC

(b)ǫ

0.1 0.3 0.5 0.7 0.9

Privacy L

eakage

0.2

0.4

0.6

0.8

1

LIN-MLOG-MDP-hSRC

(c)0.2 0.4 0.6 0.8 1

66

66.5

67

67.5

So

cia

l co

st

ε

0.2 0.4 0.6 0.8 10.9

0.92

0.94

0.96

Priva

cy le

aka

ge

Social costPrivacy leakage

(d)

Fig. 7. Evaluation of privacy leakage for BidGuard-M. (a) Impact of the number of sensing tasks. (b) Impact of the number of users. (c) Impact of ε.(d) Social cost v.s. privacy leakage.

Number of users100 150 200 250 300

To

tal p

aym

en

t

0

600

1200

1800

2400

3000TRACLINLOGDP-hSRC

(a)Number of users

100 150 200 250 300

To

tal p

aym

en

t

100

250

400

550

TRACLIN-MLOG-MDP-hSRC

(b)

Fig. 5. Impact of the number of users on the total payment. (a) BidGuard.(b) BidGuard-M.

linear score function treats the probability of every out-come uniformly, however, the log score function gives moreprobability to the outcome with low social cost. We alsoobserve that the privacy leakage of both LIN and LIN-Mare always smaller than that of DP-hSRC. This is becauseDP-hSRC is a single-price mechanism in which one user’sbid change may significantly change the outcome of themechanism, and thus increases PL according to (7). Wedo not observe a pattern of the privacy leakage when thenumber of tasks increases for BidGuard. The reason is,according to the definition of privacy leakage, the differencebetween the probabilities of two outcomes to be selected isindependent of the number of sensing tasks. However, theprivacy leakage value increases when the number of tasksincreases for BidGuard-M. This is because, according to The-orem 6 and Theorem 7, the differential privacy performanceof BidGuard-M is reversely linear to the number of sensingtasks.

In both Fig. 6(b) and Fig. 7(b), we can see the impactof the number of users on the privacy leakage of BidGuardand BidGuard-M, respectively. Note that the privacy leakagevalue decreases when the number of users increases for bothDP-hSRC, BidGuard and BidGuard-M. This is because theprobability of each outcome decreases as the number ofusers increases. Specifically, the more users in the system,the more possible outcomes for DP-hSRC, BidGuard andBidGuard-M, the less difference between the probabilities of

two outcomes to be selected, and thus the better differentialprivacy performance. We also see the privacy protectionperformance of LIN and LIN-M are better than that of LOGand LOG-M, respectively. In addition, the privacy protectionperformance of LIN and LIN-M are also better than that ofDP-hSRC. The reason for this is similar to that discussedbefore.

Fig. 6(c) and Fig. 7(c) show the impact of the differentialprivacy parameter ε on the privacy leakage for BidGuardand BidGuard-M, respectively. The results show that thevalue of ε has more impact on the privacy leakage for LOGand LOG-M than that of LIN and LIN-M, respectively. This isbecause the log score function is more sensitive than thelinear score function. For LOG and LOG-M, the privacyleakage increases slightly when the value of ε grows. Thisis because, theoretically, the larger the ε is, the worse thedifferential privacy is achieved, and thus the higher privacyleakage. Meanwhile, it is easy to observe that the privacyleakage of LIN and LIN-M are smaller than that of DP-hSRC,LOG and LOG-M, respectively. This can also be explainedby the same reason for Fig. 6(a).

Fig. 6(d) and Fig. 7(d) illustrate the tradeoff between thesocial cost and the privacy leakage of LOG and LOG-M,respectively. We observe that the privacy leakage decreasesas the decreasing of ε. The reason is similar to that discussedfor Fig. 6(c). However, this improvement in privacy comes ata cost of the increased social cost for both LOG and LOG-M.

Remarks: Compared with TRAC, which does not protectusers’ bid privacy, both BidGuard and BidGuard-M sacrificethe social cost and payment for the users’ bid privacy.Compared with DP-hSRC, BidGuard and BidGuard-M havebetter bid privacy preservation and lower social cost inmost cases although incurring higher total payment. Inaddition, BidGuard and BidGuard-M achieve truthfulnesswhile DP-hSRC achieves approximate truthfulness. Besides,LIN and LIN-M outperform LOG and LOG-M in terms ofprivacy protection, respectively. However LOG and LOG-Mhave lower social cost and payment.



13

7 CONCLUSION AND FUTURE WORK

In this paper, we have proposed two general frameworks,BidGuard and BidGuard-M, for privacy-preserving mobilecrowdsensing incentive mechanisms, which achieve com-putational efficiency, individual rationality, truthfulness, ap-proximate social cost minimization, and differential privacy.We designed two score functions, linear and log, to realizethe frameworks. Note that, both BidGuard and BidGuard-Mwith log function are asymptotically optimal in terms ofthe social cost. We evaluated the performance of our frame-works through extensive simulations.

In the future, we plan to design different score functionswhich might have better performance in terms of differentialprivacy or proximate social cost minimization. In addition,we plan to evaluate our frameworks by using real-worldexperiments.

REFERENCES

[1] “Auction.com,” https://www.auction.com/.[2] “eBay,” https://www.ebay.com/.[3] “FCC auctions releases,” http://wireless.fcc.gov/auctions/

default.htm?job=archived releases.[4] M. E. Andres, N. E. Bordenabe, K. Chatzikokolakis, and

C. Palamidessi, “Geo-indistinguishability: Differential privacy forlocation-based systems,” in Proc. CCS, 2013, pp. 901–914.

[5] A. Archer and E. Tardos, “Truthful mechanisms for one-parameteragents,” in Proc. FOCS, 2001, pp. 482–491.

[6] L. Bracciale, M. Bonola, P. Loreti, G. Bianchi, R. Amici, andA. Rabuffi, “CRAWDAD data set roma/taxi (v. 2014-07-17),”Downloaded from http://crawdad.org/roma/taxi/, Jul. 2014.

[7] Y. Chen, S. Chong, I. A. Kash, T. Moran, and S. Vadhan, “Truthfulmechanisms for agents that value privacy,” in Proc. EC, 2013, pp.215–232.

[8] D. Christin, “Privacy in mobile participatory sensing: Currenttrends and future challenges,” Journal of Systems and Software, vol.116, pp. 57–68, 2016.

[9] V. Chvatal, “A greedy heuristic for the set-covering problem,”Mathematics of operations research, vol. 4, no. 3, pp. 233–235, 1979.

[10] C. Clifton, “Using sample size to limit exposure to data mining,”Journal of Computer Security, vol. 8, no. 4, pp. 281–307, 2000.

[11] E. De Cristofaro and C. Soriente, “Short paper: Pepsi—privacy-enhanced participatory sensing infrastructure,” in Proc. WiSec,2011, pp. 23–28.

[12] C. Dwork, “Differential privacy,” in Encyclopedia of Cryptographyand Security, 2011, pp. 338–340.

[13] C. Dwork, F. McSherry, K. Nissim, and A. Smith, “Calibratingnoise to sensitivity in private data analysis,” in Theory of cryptog-raphy, 2006, pp. 265–284.

[14] J. Fan, Q. Li, and G. Cao, “Privacy-aware and trustworthy dataaggregation in mobile sensing,” in Proc. CNS, 2015, pp. 31–39.

[15] Z. Feng, Y. Zhu, Q. Zhang, L. M. Ni, and A. V. Vasilakos, “TRAC:Truthful auction for location-aware collaborative sensing in mobilecrowdsourcing,” in Proc. INFOCOM, 2014, pp. 1231–1239.

[16] H. Gao, C. H. Liu, W. Wang, J. Zhao, Z. Song, X. Su, J. Crowcroft,and K. K. Leung, “A survey of incentive mechanisms for partici-patory sensing,” IEEE Communications Surveys & Tutorials, vol. 17,no. 2, pp. 918–943, 2015.

[17] B. Gedik and L. Liu, “Protecting location privacy with person-alized k-anonymity: Architecture and algorithms,” IEEE Trans.Mobile Comput., vol. 7, no. 1, pp. 1–18, 2008.

[18] S. Gisdakis, T. Giannetsos, and P. Papadimitratos, “Security, pri-vacy, and incentive provision for mobile crowd sensing systems,”IEEE Internet of Things Journal, vol. 3, no. 5, pp. 839–853, 2016.

[19] A. Gupta, K. Ligett, F. McSherry, A. Roth, and K. Talwar, “Differ-entially private combinatorial optimization,” in Proc. SODA, 2010,pp. 1106–1125.

[20] T. H. Hinke, H. S. Delugach, and R. P. Wolf, “Protecting databasesfrom inference attacks,” Computers & Security, vol. 16, no. 8, pp.687–708, 1997.

[21] Z. Huang and S. Kannan, “The exponential mechanism for socialwelfare: Private, truthful, and nearly optimal,” in Proc. FOCS,2012, pp. 140–149.

[22] S. Jajodia and C. Meadows, “Inference problems in multilevelsecure database management systems,” Information Security: Anintegrated collection of essays, vol. 1, pp. 570–584, 1995.

[23] H. Jin, L. Su, B. Ding, K. Nahrstedt, and N. Borisov, “Enablingprivacy-preserving incentives for mobile crowd sensing systems,”in Proc. ICDCS, 2016, pp. 344–353.

[24] H. Jin, L. Su, H. Xiao, and K. Nahrstedt, “INCEPTION: incentiviz-ing privacy-preserving data aggregation for mobile crowd sensingsystems,” in Proc. MobiHoc, 2016, pp. 341–350.

[25] X. Jin and Y. Zhang, “Privacy-preserving crowdsourced spectrumsensing,” in Proc. INFOCOM, 2016, pp. 1–9.

[26] P. Kalnis, G. Ghinita, K. Mouratidis, and D. Papadias, “Preventinglocation-based identity inference in anonymous spatial queries,”IEEE Trans. Knowl. Data Eng., vol. 19, no. 12, pp. 1719–1733, 2007.

[27] I. Krontiris and T. Dimitriou, “A platform for privacy protection ofdata requesters and data providers in mobile sensing,” ComputerCommunications, vol. 65, pp. 43–54, 2015.

[28] Q. Li and G. Cao, “Providing privacy-aware incentives for mobilesensing,” in Proc. PerCom, 2013, pp. 76–84.

[29] ——, “Providing efficient privacy-aware incentives for mobilesensing,” in Proc. ICDCS, 2014, pp. 208–217.

[30] J. Lin, D. Yang, M. Li, J. Xu, and G. Xue, “BidGuard: A frameworkfor privacy-preserving crowdsensing incentive mechanisms,” inProc. CNS, 2016, pp. 439–447.

[31] X. Liu, Z. Zhou, W. Diao, Z. Li, and K. Zhang, “When goodbecomes evil: Keystroke inference with smartwatch,” in Proc. CCS,2015, pp. 1273–1285.

[32] T. Luo, H.-P. Tan, and L. Xia, “Profit-maximizing incentive forparticipatory sensing,” in Proc. INFOCOM, 2014, pp. 127–135.

[33] F. McSherry and K. Talwar, “Mechanism design via differentialprivacy,” in Proc. FOCS, 2007, pp. 94–103.

[34] P. Mohan, V. N. Padmanabhan, and R. Ramjee, “Nericell: rich mon-itoring of road and traffic conditions using mobile smartphones,”in Proc. SenSys, 2008, pp. 323–336.

[35] X. Niu, M. Li, Q. Chen, Q. Cao, and H. Wang, “EPPI: An e-cent-based privacy-preserving incentive mechanism for participatorysensing systems,” in Proc. IPCCC, 2014, pp. 1–8.

[36] H. Ohashi, “Effects of transparency in procurement practiceson government expenditure: A case study of municipal publicworks,” Review of Industrial Organization, vol. 34, no. 3, pp. 267–285, 2009.

[37] S. Reporter, “The proof is in the profit. auc-tion transparency works,” http://dealerbidsale.com/the-proof-is-in-the-profit-auction-transparency-works/.

[38] F. Restuccia, S. K. Das, and J. Payton, “Incentive mechanismsfor participatory sensing: Survey and research challenges,” ACMTransactions on Sensor Networks (TOSN), vol. 12, no. 2, p. 13, 2016.

[39] M. Shin, C. Cornelius, D. Peebles, A. Kapadia, D. Kotz, andN. Triandopoulos, “Anonysense: A system for anonymous oppor-tunistic sensing,” Pervasive and Mobile Computing, vol. 7, no. 1, pp.16–30, 2011.

[40] A. Stoica and C. Farkas, “Secure xml views,” Research Directions inData and Applications Security, pp. 133–146, 2003.

[41] J. Sun and H. Ma, “Privacy-preserving verifiable incentive mech-anism for online crowdsourcing markets,” in Proc. ICCCN, 2014,pp. 1–8.

[42] H. To, G. Ghinita, and C. Shahabi, “A framework for protectingworker location privacy in spatial crowdsourcing,” in Proc. VLDB,vol. 7, no. 10, 2014, pp. 919–930.

[43] Y. Wang, Z. Cai, G. Yin, Y. Gao, X. Tong, and G. Wu, “An incen-tive mechanism with privacy protection in mobile crowdsourcingsystems,” Computer Networks, vol. 102, pp. 157–171, 2016.

[44] T. Wen, Y. Zhu, and T. Liu, “P2: A location privacy-preserving auc-tion mechanism for mobile crowd sensing,” in Proc. GLOBECOM,2016, pp. 1–6.

[45] D. Xiao, “Is privacy compatible with truthfulness?” in Proc. ITCS,2013, pp. 67–86.

[46] J. Xu, J. Xiang, and Y. Li, “Incentivize maximum continuoustime interval coverage under budget constraint in mobile crowdsensing,” Wireless Networks, pp. 1–14, 2016.

[47] J. Xu, J. Xiang, and D. Yang, “Incentive mechanisms for time win-dow dependent tasks in mobile crowdsensing,” IEEE Transactionson Wireless Communications, vol. 14, no. 11, pp. 6353–6364, 2015.

[48] D. Yang, G. Xue, G. Fang, and J. Tang, “Incentive mechanismsfor crowdsensing: Crowdsourcing with smartphones,” IEEE/ACMTrans. Netw., vol. PP, no. 99, pp. 1–13, 2015.



14

[49] D. Yang, G. Xue, X. Fang, and J. Tang, “Crowdsourcing to smart-phones: incentive mechanism design for mobile phone sensing,”in Proc. MobiCom, 2012, pp. 173–184.

[50] B. Zhang, C. H. Liu, J. Lu, Z. Song, Z. Ren, J. Ma, and W. Wang,“Privacy-preserving QoI-aware participant coordination for mo-bile crowdsourcing,” Computer Networks, vol. 101, pp. 29–41, 2016.

[51] X. Zhang, G. Xue, R. Yu, D. Yang, and J. Tang, “Truthful incentivemechanisms for crowdsourcing,” in Proc. INFOCOM, 2015, pp.2830–2838.

[52] X. Zhang, Z. Yang, Z. Zhou, H. Cai, L. Chen, and X. Li, “Freemarket of crowdsourcing: Incentive mechanism design for mobilesensing,” IEEE Trans. Parallel Distrib. Syst., vol. 25, no. 12, pp. 3190–3200, 2014.

[53] P. Zhou, Y. Zheng, and M. Li, “How long to wait?: predicting busarrival time with mobile phone based participatory sensing,” inProc. MobiSys, 2012, pp. 379–392.

[54] R. Zhu and K. G. Shin, “Differentially private and strategy-proofspectrum auction with approximate revenue maximization,” inProc. INFOCOM, 2015, pp. 918–926.

Jian Lin (S’15) received the M.S. and B.S. de-gree in computer science from Southwest Jiao-tong University, Chengdu China, in 2014 and2011, respectively.

He has been working toward the Ph.D. de-gree in computer science at Colorado Schoolof Mines, Golden, CO, USA, since 2014. Hisresearch interests include economic and opti-mization approaches to networks, mobile crowd-sensing and mobile computing.

Dejun Yang (M’13) received the B.S. degreefrom Peking University, Beijing, China, in 2007and the Ph.D. degree in computer science fromArizona State University, Tempe, AZ, USA, in2013.

Currently, he is the Ben L. Fryrear Assis-tant Professor of computer science with Col-orado School of Mines, Golden, CO, USA. Hisresearch interests include economic and opti-mization approaches to networks, crowdsourc-ing, smart grid, and security and privacy.

Prof. Yang has served as a Technical Program Committee Memberfor many conferences, including the IEEE International Conference onComputer Communications (INFOCOM), the IEEE International Confer-ence on Communications (ICC), and the IEEE Global CommunicationsConference (GLOBECOM). He has received Best Paper Awards at theIEEE GLOBECOM (2015), the IEEE International Conference on MobileAd hoc and Sensor Systems (2011), and the IEEE ICC (2011 and 2012),as well as a Best Paper Award Runner-up at the IEEE InternationalConference on Network Protocols (2010).

Ming Li (S’15) received the B.S. degree in geo-chemistry from Peking University, Beijing, China,in 2009 and the M.S. degree in computer sciencefrom Colorado School of Mines, Golden, CO,USA, in 2015.

She is currently working toward the Ph.D. de-gree at Colorado School of Mines. Her mainresearch interests include game theory, contracttheory, crowdsourcing, smartphone-based sens-ing systems, visible light communication tech-nologies.

Jia Xu (M’15) received the M.S. degree inSchool of Information and Engineering fromYangzhou University, Jiangsu, China, in 2006and the Ph.D. degree in School of Computer Sci-ence and Engineering from Nanjing Universityof Science and Technology, Jiangsu, China, in2010.

He is currently a professor in Nanjing Univer-sity of Posts and Telecommunications. He was avisiting Scholar in the Department of ElectricalEngineering & Computer Science at Colorado

School of Mines from Nov. 2014 to May. 2015. His main researchinterests include crowdsourcing, opportunistic networks and wirelesssensor networks.

Guoliang Xue (M’96-SM’99-F’11) received theB.S. degree in mathematics and the M.S. degreein operations research from Qufu Normal Univer-sity, Qufu, China, in 1981 and 1984, respectively,and the Ph.D. degree in computer science fromthe University of Minnesota, Minneapolis, MN,USA, in 1991.

Currently, he is a Professor of computer sci-ence with Arizona State University, Tempe, AZ,USA. His research interests include security,survivability, and economics of computer net-

works, social networks, and smart grids.Prof. Xue is the elected Vice President of the IEEE Communications

Society for Conferences (2016-2017). He served as a Technical Pro-gram Committee (TPC) Co-Chair for the IEEE International Conferenceon Computer Communications (INFOCOM) (2010) and as an Editorfor the IEEE/Association for Computing Machinery (ACM) TRANSAC-TIONS ON NETWORKING (2010-2014). He regularly serves on theTechnical Program Committee of security conferences such as the ACMSymposium on Information, Computer, and Communications Security;the ACM Conference on Computer and Communications Security; andthe IEEE Conference on Communications and Network Security, as wellas networking conferences such as the IEEE International Conferenceon Network Protocols, IEEE INFOCOM, and the ACM InternationalSymposium on Mobile Ad Hoc Networking and Computing (MobiHoc).He is the Area Editor of the IEEE TRANSACTIONS ON WIRELESSCOMMUNICATIONS, overseeing the wireless networking area.

frameworks for privacy-preserving mobile crowdsensing...

Documents