1. Introduction
Network Function Virtualization (NFV) offers a flexible and scalable approach for the deployment and management of network functions. In the traditional paradigm, network functions were reliant on dedicated hardware devices. However, NFV decouples these functions from specialized hardware, enabling them to operate as software on general-purpose servers [1]. Consequently, various network functions within an IP network can now be configured and managed with increased flexibility and efficiency.
Through the adoption of NFV, network operators and providers gain the ability to easily adjust, upgrade, and introduce new services without being tied to specific hardware dependencies. This adaptability is pivotal for meeting evolving network demands and accommodating increasing traffic. Consequently, integrating NFV with IP networks represents an innovative approach for constructing a more intelligent, flexible, and scalable network infrastructure.
Virtual Network Functions (VNFs) necessitate execution on virtualized hardware infrastructure, such as virtual machines, containers, or other virtualization platforms, as discussed in a comprehensive review by Kaur et al. [2]. When implementing a Service Function Chain (SFC) within this context, VNFs must go through distinct steps during instantiation.
Requirements Analysis and Planning: This initial phase involves identifying essential VNFs and determining the computing, storage, networking, and other resource requirements for each VNF.
Resource Request: The request for resources, including CPU, memory, and bandwidth, that are necessary for VNFs, must be submitted to the infrastructure or cloud service provider.
Resource Allocation: Resource allocation is carried out based on the submitted resource requests and the availability of resources.
VNF Deployment: After resource allocation, the VNFs are deployed into their designated virtualized instances, such as virtual machines or containers.
Configuration and Optimization: Each VNF undergoes configuration and optimization to ensure the efficient utilization of allocated resources and optimal performance.
Monitoring and Management: Regular and systematic monitoring of VNF performance, resource utilization, and security is a non-negotiable imperative. This enables timely adjustments and optimizations, contributing to the robustness of the entire NFV ecosystem.
In conventional NFV deployments, individual VNFs typically monopolize underlying resources to preempt conflicts. In such instances, service providers deploying service function chains can bypass concerns about interactions among different VNFs, simplifying deployment into a straightforward rental model. However, with the expanding array of network functions, particularly in the context of the burgeoning 5G and evolving 6G networks, the deployment of intricate service function chains has garnered attention. This proliferation has given rise to diverse VNF types, creating a dynamic landscape. Due to fluctuating user demands for various network services at different times, service providers often allocate excess basic resources to ensure a seamless user experience during peak traffic periods. Unfortunately, this practice often leads to the wastage of resources and higher costs. Conversely, infrastructure providers grapple with limitations in managing complex network traffic and providing flexible resource configurations.
Current research in resource sharing [3,4,5,6,7,8,9,10,11,12,13] predominantly concentrates on two key dimensions. The first involves the judicious placement of VNFs, which requires determining the optimal locations and quantities within the network to maintain service quality and improve resource utilization. This encompasses an examination of infrastructure resource sharing among multiple VNFs co-located on the same node, with the overarching goal of achieving efficient infrastructure resource utilization. The second dimension centers on refining service chaining methodologies. This involves carefully scheduling data packets from various business chains on a shared VNF, enabling efficient resource sharing and promoting VNF sharing. Nevertheless, these methodologies often neglect the inherent interests among different VNF entities and infrastructure providers. As the adage goes, “all’s fair in love and war.” Devoid of appropriate incentives, even the most adept resource-sharing strategies pose implementation challenges. Hence, it becomes imperative to incorporate economic incentives into the VNF instantiation phase to maximize the benefits for both infrastructure providers and VNF entities involved in resource sharing.
Access control is a critical component in NFV, functioning as a pivotal mechanism for safeguarding sensitive data and resources. This mechanism involves various operations that include different subjects, such as users, roles, services, etc. Its significance lies in its ability to regulate access to distinct objects, including files, devices, and services, while concurrently ensuring the integrity, confidentiality, and availability of resources [14]. In multi-tenant environments that share common infrastructure and resources, access control policies can be vulnerable to inconsistencies and conflicts. This can amplify concerns regarding resource isolation and protection. Within such contexts, the presence of malicious or unauthorized entities poses a looming threat, with the potential to compromise sensitive data, disrupt normal service operations, and instigate severe consequences. These consequences can range from data breaches to service interruptions and performance degradation.
Prior investigations in the field of NFV resource sharing have notably neglected the examination of robust access control strategies, despite their pivotal significance. Other research on access control [15,16,17,18] primarily focuses on Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC). To ensure precise subject identification and verification within the NFV system, trusted identity management and authentication mechanisms are commonly deployed. These mechanisms utilize various tools, such as digital certificates, tokens, passwords, and similar techniques, as illustrated in Figure 1. Nevertheless, in many conventional approaches, it is common to rely on third-party involvement for key distribution. If the third party lacks trustworthiness, data security is severely compromised.
Blockchain is a decentralized and distributed ledger technology that enables secure and transparent record-keeping of transactions across a network. Each transaction, or “block”, is linked to the previous one through a cryptographic hash, which forms a chain of blocks. This immutability and consensus mechanism makes it extremely resistant to tampering or unauthorized alterations. Blockchain is most commonly associated with cryptocurrencies such as Bitcoin, where it serves as the underlying technology for a secure and decentralized financial system. However, its applications extend beyond finance to various industries, including supply chain management, healthcare, and smart contracts, offering enhanced transparency, traceability, and trust in digital transactions [19,20,21,22,23,24]. Notably, recent studies have explored the utilization of blockchain technology in fields associated with the placement, addressing, and resource allocation of VNFs [25,26,27,28].
Game theory, a mathematical discipline [29], delves into the strategic interactions among decision makers, commonly referred to as players, across diverse scenarios. This branch involves analyzing the choices made by players, known as strategies, and gaining a comprehensive understanding of the resulting outcomes and impacts on each participant. Whether in the realm of economic competition, political decision making, or biological interactions, game theory offers a versatile framework for examining situations wherein individuals or entities navigate decisions within dynamic and interactive environments. Its applications traverse disciplinary boundaries, providing valuable insights into cooperation, competition, and the intricate interplay of decisions within human and natural systems. Notably, in recent years, game theory has been frequently applied to delineate VNF chains and formulate strategies for the allocation of VNF resources [30,31,32,33,34,35].
In light of the previously discussed issues and challenges, this paper proposes a novel mechanism based on blockchain technology. This mechanism is specifically designed for resource sharing and access control during the VNF instantiation stage. The primary contributions of this research are as follows:
First, we present a comprehensive system framework for VNF resource sharing and access control based on blockchain. This framework delineates essential processes and methodologies for resource request and deployment during the VNF instantiation process.
Second, we delve into the intricate dynamics between VNF instances and infrastructure resource providers, which leads to the formulation of a resource-sharing game model. The primary goal is to optimize the benefits for both infrastructure resource providers and VNF instances involved in resource sharing. To operationalize this model, we introduce a greedy matching algorithm.
Third, we design and implement a blockchain-driven VNF attribute-encrypted access control mechanism. This mechanism leverages blockchain technology and attribute-based encryption, incorporating ciphertext policy enforcement. Furthermore, we integrate the use of a Bloom Filter to obscure the access policies of the instantiated VNF.
Ultimately, we conduct comprehensive simulation experiments using the Open Network Automation Platform (ONAP) and Ethereum to rigorously evaluate the proposed mechanism and its associated algorithms. The simulation results unequivocally confirm the effectiveness of the proposed mechanism, surpassing the performance benchmarks set by existing methodologies.
The subsequent sections of this paper are structured as follows: Section 2 provides a review of relevant prior research. Section 3 expounds upon the framework for the blockchain-based resource sharing and access control system. The formulation of the resource sharing game model and the accompanying greedy matching algorithm are presented in Section 4 and Section 5, respectively. Section 6 offers insights into the access control algorithm based on blockchain and attribute encryption. Section 7 is dedicated to the evaluation of performance, while the paper is concluded in Section 8.
2. Related Work
According to the findings of the literature survey, the strategic placement of VNFs encompasses a multifaceted approach. This entails a thorough analysis of the necessary resources, the formulation of strategies for resource allocation, the resolution of conflicts pertaining to resource sharing, the optimization of performance, the balancing of workloads, the dynamic adjustment of resources, and the implementation of secure isolation mechanisms. These efforts are all directed towards achieving the twin objectives of maximizing resource utilization and fulfilling network functionality requirements. Huang et al. [3] introduced AutoVNF, an automated mechanism for optimizing VNF deployment. This mechanism incorporated a resource-sharing mode and an automated resource allocation mechanism, which effectively support multiple VNFs sharing resources on a single node and dynamically allocating available nodes to VNF requests. Cohen et al. [4] proposed two approximate algorithms to address the VNF placement problem: one for cases without capacity constraints and another for cases with capacity constraints. The primary objectives of these algorithms were to minimize the distance between users and service nodes and to reduce the deployment cost of VNFs. Sun et al. [5] presented a method for optimizing the placement of VNFs. The method took into account the resource sharing among VNFs and the stochastic characteristics of Poisson arrival traffic. This approach utilized a queuing model to examine queueing delays within the VNF queue, thereby formulating the VNF placement problem as a 0–1 quadratic fractional programming challenge. This method addressed the complexities of balancing service quality and placement expenses across diverse traffic categories in resource-sharing VNFs. Savi et al. [6] introduced a method that leverages Integer Linear Programming (ILP) and Heuristic Computing Algorithm (HCA) for optimizing VNF placement and SFC embedding. This approach considered the performance loss due to the sharing of processing resources in a multi-core CPU architecture, which includes the associated cost increase and context-switching overhead. The main objective of this approach was to minimize the number of activated NFV nodes, thereby reducing the implementation cost associated with NFV.
With the widespread adoption of machine learning [36], numerous studies have been proposed to achieve intelligent VNF mapping. In their work, Sun et al. [7] advocated for a dynamic resource allocation scheme grounded in VNFs. This scheme leveraged online learning techniques to forecast user mobility patterns and allocate resources according to the heat generated by base stations. The authors introduced a supplementary mechanism that reallocates idle resources from demand-surplus base stations to demand-deficient ones. This mechanism prioritized the requirements of the latter group. Mu et al. [8] presented an approach based on Deep Reinforcement Learning (DRL) to optimize VNF placement. This study adopted a holistic approach to address the issue of data center server energy consumption and performance interference among VNFs. The objective is to minimize the overall server energy consumption while ensuring that the performance of each VNF exceeds a predetermined threshold. Basu et al. [9] proposed a machine learning-based methodology that integrates SDN and NFV to realize dynamic resource sharing in 5G-assisted unmanned aerial vehicle networks. The approach employed two regression models, Support Vector Regression and Kernel Ridge Regression, to predict VNF resource requirements and dynamically allocate VNFs based on the prediction results.
VNF sharing entails the optimal utilization of a singular VNF instance to handle multiple service requests that necessitate the same category of VNF. It is also applicable in cases where a specific VNF type needs to be deployed in multiple instances to meet the requirements of a particular service. Within VNF sharing, resources assigned to a specific VNF instance are concurrently utilized by multiple data packets, thereby diminishing packet waiting times in the queue. Li et al. [10] proposed a method tailored for deploying VNFs in data centers and introduced innovative techniques such as shared redundancy and multi-tenancy. This led to the development of a Joint Deployment and Backup Scheme (JDBS). The JDBS dynamically adjusted VNF deployment and backup strategies iteratively to effectively balance Basic Resource Consumption (BRC) and Shared Redundancy Consumption (DRC), ultimately achieving an optimal equilibrium between the two. Vieira et al. [11] considered the dynamic characteristics of edge environments, incorporating factors such as resource availability, uncertainty in user requests, QoS requirements, and user mobility. They employed a time window strategy to process batches of continuously arriving service requests. The algorithm also presented a two-tier resource-sharing mechanism, which facilitates the sharing of VNF instances or SFC instances among multiple services to reduce resource consumption and associated costs. Ruiz et al. [12] introduced a Genetic Algorithm-based approach to jointly address VNF placement, VNF chaining, and virtual topology design. The authors leveraged collaborative capabilities among Multi-access Edge Computing (MEC) nodes to enable VNF sharing. This approach utilized a novel search strategy during the chaining process, which prioritizes the identification of available VNFs in both local nodes and Central Offices. In the absence of such resources, the search extended to the physically nearest node within the topology until all network nodes have been explored. Yi et al. [13] proposed a dynamic and flexible algorithm to address VNF shared resource allocation and rate coordination between upstream and downstream VNFs. Specifically, the algorithm considered fairness factors during VNF sharing to reduce the probability of resource contention and enhance resource utilization. Additionally, by defining a backpressure indicator for each VNF to assess its pressure status, it dynamically adjusted the processing rate between the VNF and its upstream and downstream VNFs, with the aim of optimizing the utilization of idle resources.
The study by Kumar et al. [15] offered a comprehensive examination of security concerns and resolutions pertaining to VNF within the telecommunication domain. The paper systematically analyzed potential security threats and attacks targeting various components and layers within the NFV architecture. The proposed security measures for VNFs encompass aspects such as security hardening, role-based access control, software integrity, and protection against malicious code. Gui et al. [16] presented a distinct identity and access control scheme tailored for microservices in 5G platforms, which relies on OpenID Connect and JSON Web Tokens. This scheme facilitated the authentication and authorization processes for both users and microservices, thereby enhancing the overall lifecycle management of virtualized services. A notable feature of this study resided in its practical application and comprehensive evaluation carried out within the context of the SONATA service platform. Simultaneously, Smine et al. [17] proposed an innovative approach for the correct and optimal deployment of access control policies in NFV services. The approach considered a robust insider adversary model capable of compromising one or multiple VNFs within the Management and Orchestration (MANO) framework. Furthermore, Murillo et al. [18] introduced a specialized access control framework for virtualized Industrial Control Systems (ICS). The framework incorporated an advanced policy language to clearly define the components, roles, and authorized operations within the ICS. Additionally, the system included a policy engine that facilitated the translation of high-level policies into low-level rules, enabling their execution across various virtualization platforms. The primary objective of this framework was to furnish ICS administrators with a user-friendly tool for flexibly defining and managing access control policies in virtualized ICS.
In light of the preceding analysis, contemporary research initiatives in the field of VNF resource sharing primarily focused on traffic attributes and the succession of service supply chains. Unfortunately, these efforts often neglect the crucial issue of guaranteeing a fair and just allocation of benefits among the diverse entities engaged in resource sharing. Regarding resource access control, the pertinent literature predominantly centered on enhancing extant models based on third-party authentication.
Moreover, there has been some related work on the application of blockchain in the placement and resource allocation of VNFs. Liu et al. [25] presented a blockchain-based approach that incorporates vector commitments and Succinct Non-Interactive Knowledge Proof (SNARK) techniques for VNF management. Their proposed method efficiently managed VNF dictionaries and validated queries. Taskou et al. [26] proposed a blockchain-based strategy for NFV resource allocation. Through the use of smart contracts, their approach achieved decentralized, secure, and reliable resource allocation. The paper defined two optimization problems: the NFV resource allocation problem, which aims to minimize energy consumption and resource costs for data centers, and the mining task offloading problem, which seeks to minimize energy consumption for mining users. Papadakis et al. [27] introduced a blockchain-based network service marketplace and resource orchestration mechanism to enable cross-service communication within the edge cloud. Leveraging the smart contract functionality of the Hyperledger Fabric platform, the paper automated network service interactions and lifecycle management among different tenants. Additionally, it introduced an innovative service orchestrator that utilizes the capabilities of Open Source MANO (OSM), establishing cross-service communication with minimal resource requirements and instantiation costs. Regarding the allocation and competition strategies for VNF resources, Franco et al. [28] utilized blockchain and smart contract technologies to propose a reverse auction-based solution for discovering and selecting infrastructure capable of efficiently hosting VNFs. This solution encouraged competition among Infrastructure Providers, thereby mitigating the deployment costs for VNFs while simultaneously addressing the unique needs of users. Notably, the solution leveraged the tamper-proof and auditable features of blockchain, which ensures reliable records and contract execution. An advantageous aspect of this solution was its consideration of various user and VNF requirements, such as minimum resources, geographical location, and maximum latency, rather than relying solely on pricing for infrastructure selection.
Moreover, existing literature has delved into the utilization of game theory to delineate VNF chains and formulate strategies for the allocation of VNF resources. Leivadeas et al. [30] presented an approach grounded in graph partitioning game theory to address the placement problem of VNF service chains. The method effectively implemented service chains in cloud environments. The achievement was made possible by effectively addressing server affinity, coexistence, and latency constraints. Simultaneously, the method aimed to minimize deployment costs while also achieving resource load balancing. Chen et al. [31] introduced an incentive-driven framework for VNF chains, aiming to optimize resource allocation across different layers, such as bandwidth and IT resources. This framework was specifically designed for Interconnected Data Center Elastic Optical Networks (IDC-EONs) and involved coordination among multiple agents. The framework employed a non-cooperative hierarchical game theory mechanism, where resource agents assume the role of leaders and VNF-SC users act as followers. Within the leader game, agents calculated VNF-SC service solutions for users and calculated them for configuration tasks. In the follower game, users competed for cross-layer resources based on the service solutions provided by agents, aiming to achieve a joint optimization of resource cost and service quality. Gao et al. (2022) [32] introduced a VNF placement method based on potential games. The objective of the method was to enhance resource allocation and improve service quality in the context of satellite edge computing. The approach modeled the VNF placement problem as a non-cooperative potential game and utilized the Nash equilibrium as the solution concept. Le et al. [33] employed a game-theoretic approach, coupled with the semi-tensor product matrix tool, to investigate the SFC routing problem. The consideration encompassed both limitations in server capacity and constraints on the minimum target rate for users. This method effectively ensured NFV server capacity constraints while meeting user rate requirements. Li et al. [34] utilized a game-theoretic approach to address the problem of embedding multiple SFCs. The methodology considered both the impact of resource sharing among different VNFs and the limitations in capacity of various NFV nodes. The objective of this approach was to minimize the end-to-end (E2E) latency for the traffic supported by each SFC while satisfying the capacity constraints of all NFV nodes. Regarding the resource allocation mechanism for VNFs, Lima et al. [35] proposed an approach to address the resource management and orchestration problem in NFV. The mechanism utilized a bilateral sealed-bid auction model, which treats users and infrastructure providers as buyers and sellers, respectively. It employed a centralized agent to match demands and bids, resulting in the optimization of the social welfare for both buyers and sellers.
Inspired by the research work mentioned above, we present utility functions grounded in economic principles to systematically elucidate the intricate dynamics between infrastructure providers and participants in VNF resources. This undertaking requires the development of a cohesive game model for VNF resource sharing. Notably, our approach to access control for shared resources diverges significantly from conventional practices, as we strategically integrate blockchain technology. Although the attribute-based encryption method is utilized, the need for third-party authentication authorities is eliminated. This measure enhances the level of security and ensures privacy protection when accessing VNF resources.
3. System Framework
The proposed system, as illustrated in Figure 2, consists of five fundamental components: (i) Instantiation VNF, (ii) Infrastructure Provider, (iii) Resource Owner, (iv) Blockchain and (v) Controller.
Instantiation VNF (IV):
The instantiation process initiates with a VNF entity requesting essential resources from the Infrastructure Provider to fulfill specific operational needs.
Upon successful acquisition of the necessary resources, the entity is furnished with access policies meticulously tailored to its attribute set.
These access policies play a crucial role in ensuring the enforcement of appropriate access controls within their designated time frames.
Infrastructure Provider (IP):
Traditionally, in the context of NFV, IP has been recognized as a fundamental retailer, serving as the primary resource provider for a range of VNFs.
IP leases resources to different VNFs based on temporal agreements.
IP utilizes a range of strategies to effectively manage access control and bolster security measures.
In this study, the role of IP is recast as that of a resource integrator. This is achieved by collecting resource utilization and preferences data from previously deployed VNFs. In this context, IP provides a hybrid resource provisioning mechanism for newly requested instantiated VNFs. This approach aims to optimize the overall system’s resource utilization and facilitate flexible resource allocation.
Resource Owner (RO):
RO represents a currently operational VNF that is equipped with surplus resources and has a willingness to share these resources within defined temporal constraints.
This sharing initiative is designed with the objective of generating supplementary revenue and mitigating capital expenditures.
Blockchain:
Blockchain plays a pivotal role in the storage of cryptographic keys and the management of access control within the system.
All entities utilize the blockchain to create and deploy smart contracts.
These smart contracts facilitate the key distribution and access control for shared resources.
Controller:
The controller, which is implemented through smart contracts, assumes the responsibility of monitoring and managing resources throughout the entirety of the network infrastructure.
The RO periodically transmits pertinent information to the controller, thereby facilitating the efficient monitoring of the overall status of network resources.
Figure 2 illustrates the process of information exchange among the instantiation VNF, Infrastructure Provider (IP), and Resource Owner (RO) through the utilization of a blockchain-based platform that incorporates three contracts.
Initially, it is required for the RO, IP, and IV to complete the registration of external accounts and implement smart contracts on the blockchain. Following a successful registration process, the blockchain system allocates a unique anonymous identity (ID) and generates associated certificates (Cert), public keys (PK), private keys (SK), and wallet addresses (WA) to each node. These certificates play a fundamental role in user identity verification, and the mapping list (ID, Cert, PK, and WA) is securely stored within the account pool. Moreover, these data are meticulously cataloged in a comprehensive global information repository, which is under vigilant maintenance and monitoring by the control node.
Subsequently, the controller conducts periodic data collection on idle resources and sharing preferences from ROs, and stores these data in a dedicated database. Upon instantiating a new VNF, the IP utilizes real-time data from the database. This involves employing both the utility game model and the greedy matching algorithm. The goal is to efficiently match and select the most advantageous resource-sharing scheme in collaboration with the RO. The chosen scheme is then conveyed to the smart contract.
Finally, the secure allocation of shared resources is achieved through a blockchain-based encrypted access control approach. This process primarily involves key generation, resource address encryption, access policy concealment, and resource address decryption.
In the phase of key generation, the secret key (SK) is generated through the utilization of the key generation algorithm. This algorithm requires the public key, master key, and the attribute set that is linked to the resource demand collection as its input.
Moving to the resource address encryption phase, the RO initially assigns unique IDs to each shared resource. By employing a hash function, the corresponding indices (index) are derived and subsequently stored on the blockchain via a smart contract. The contract address (addr) is then communicated to the IP. Following this process, the RO independently encrypts the resource addresses and access policies, resulting in the creation of two distinct ciphertexts: encrypted address (ADC) and access policy (ACC). The aforementioned ciphertexts are securely stored on the blockchain.
In the access policy concealment phase, a Bloom Filter is employed to obscure the access policies. This process yields the creation of an Adaptive Bloom Filter (ABF), which is then stored on the blockchain, while the previous policy function is eliminated.
During the decryption phase, the IV initiates the calculation of the index and ABF associated with the shared resource by using the addr obtained from the IP. Access legitimacy is verified through a smart contract by facilitating the reconstruction of the policy function. The process of reconstruction facilitates the retrieval of the ADC and ACC ciphertexts, ultimately leading to the execution of the decryption algorithm.
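The index derivation and policy concealment phases above, sketched as an added example (not code from the paper). It uses a plain salted Bloom filter in place of the paper's ABF, whose construction this section does not specify, performs no attribute-based encryption, and the `Ledger` class, attribute strings and filter sizes are assumptions standing in for the smart contract storage.

```python
"""Added example: hash-derived resource index plus Bloom-filter policy concealment.

Assumptions (not from the paper): a plain salted Bloom filter stands in for the
ABF, a dict stands in for smart-contract storage, and no ABE is performed.
"""
import hashlib
import math
import os


def resource_index(resource_id):
    """Index under which a shared resource is recorded: a hash of its ID."""
    return hashlib.sha256(resource_id.encode("utf-8")).hexdigest()


class PolicyBloomFilter:
    """Bit array recording which attributes appear in an access policy."""

    def __init__(self, m_bits, k_hashes, salt, bits=None):
        self.m = m_bits
        self.k = k_hashes
        self.salt = salt  # per-resource salt, so equal policies give unequal filters
        self.bits = bytearray(bits) if bits is not None else bytearray((m_bits + 7) // 8)

    def _positions(self, attribute):
        # k independent positions from salted SHA-256, one per hash counter.
        for i in range(self.k):
            digest = hashlib.sha256(self.salt + bytes([i]) + attribute.encode("utf-8")).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, attribute):
        for p in self._positions(attribute):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, attribute):
        # No false negatives, but false positives are possible: a match is a
        # hint for rebuilding the policy, not an authorisation decision.
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(attribute))

    def expected_false_positive_rate(self, n_items):
        """Standard estimate (1 - e^(-k*n/m))^k for n inserted items."""
        return (1.0 - math.exp(-self.k * n_items / self.m)) ** self.k


class Ledger:
    """Hypothetical dict stand-in for the on-chain contract storage."""

    def __init__(self):
        self._records = {}

    def register(self, resource_id, policy_attributes, m_bits=1024, k_hashes=4, salt=None):
        """RO side: store the concealed policy under the resource's hash index."""
        salt = salt if salt is not None else os.urandom(16)
        bloom = PolicyBloomFilter(m_bits, k_hashes, salt)
        for attribute in policy_attributes:
            bloom.add(attribute)
        index = resource_index(resource_id)
        self._records[index] = {"m": m_bits, "k": k_hashes, "salt": salt,
                                "filter": bytes(bloom.bits)}
        return index

    def lookup(self, index):
        return self._records[index]


def candidate_policy_attributes(record, held_attributes):
    """IV side: which of the attributes it holds may be part of the policy."""
    bloom = PolicyBloomFilter(record["m"], record["k"], record["salt"], record["filter"])
    return sorted(a for a in held_attributes if bloom.might_contain(a))


# Constructed sample data, for illustration only.
SAMPLE_POLICY = ["role:firewall", "tenant:alpha", "zone:edge-1"]
SAMPLE_IV_ATTRIBUTES = ["role:firewall", "tenant:alpha", "zone:core-9", "tier:gold"]


def demo():
    ledger = Ledger()
    index = ledger.register("res-001", SAMPLE_POLICY, salt=b"constructed-salt")
    record = ledger.lookup(resource_index("res-001"))
    return index, record, candidate_policy_attributes(record, SAMPLE_IV_ATTRIBUTES)


if __name__ == "__main__":
    idx, rec, matched = demo()
    print("index:", idx)
    print("attributes that may be in the policy:", matched)
```

The stored record holds only the salt, the filter parameters and the bit array, so the attribute names themselves never appear in the ledger entry.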
5. Greedy Matching Algorithm
Preliminary work: ROs engage in creating a smart contract by utilizing their existing resources and pricing strategy. This smart contract is subsequently deployed on Ethereum, resulting in the acquisition of a unique contract address denoted as ‘addr’. Concurrently, each shared resource is assigned an ID by the RO, and its corresponding index is determined by applying a hash function. Following this, the ROs convey both the contract address ‘addr’ and the generated IDs to the IP. This enhances the ability of the IP to access up-to-date information regarding the availability of shared resources.
The proposed resource sharing model introduces a game-theoretic problem. From the perspective of ROs, the strategy to maximize profits entails setting higher prices for unit resources. However, if the unit resource price is set too high, it may have the unintended consequence of reducing the revenue of the IP and potentially discouraging the IP from selecting the RO as a partner for resource sharing. Notably, the utility function of the IP and the cost function of the RO are both influenced by the correlation parameter
. As demonstrated in Equations (11) and (14), a decrease in the value of
enhances the probability of both parties attaining optimal earnings simultaneously. Consequently, ROs with a lower correlation to the IV in the current system may intentionally set a higher unit resource price to engage in strategic competition among multiple ROs.
From an alternative perspective, the IP is assigned the responsibility of disseminating the resource requirements of the IV among separate ROs for either resource sharing or the allocation of exclusive resources. Consequently, the issue of resource sharing encompasses a scenario where ROs and the resource demand vector R need to be matched.
Suppose resource i is deployed into the shared resources of
; at this point, the revenue for the IP with respect to resource i is denoted as
From the plots of this function in Figure 3, it can be observed that there exists a peak revenue point. Additionally, for a given resource i, the implementation of different pricing strategies by the RO can result in distinct peak revenue points and corresponding resource quantities. These variations are influenced by factors such as the correlation and utility level, which are predetermined parameters. Furthermore, specific resource quantity requirements are essential to ensure a positive revenue. Through an analysis of this function, it can be deduced that the optimal resource quantity that maximizes revenue is denoted as
and the maximum benefit is
In the context of VNF instantiation, where the quantity of resource requests remains constant, the IP must make judicious decisions among various ROs to optimize outcomes, aiming to closely approximate the extremum of the revenue. From the RO’s perspective, the ongoing game constitutes an information-symmetric scenario due to the storage of information in the blockchain. The RO possesses comprehensive knowledge of all resource demand situations. Consequently, in the pursuit of maximizing their earnings, each RO will strategically adjust the unit price of resources to align with the objective of maximizing profit for the target resource, while also attracting the attention of the infrastructure provider.
The matching process for each shared resource consists of two distinct stages: the price competition stage among ROs and the IP decision stage.
During the stage of price competition among ROs, a game of pricing strategy unfolds. Each RO determines the price for each resource based on their utility parameter and the pricing strategies employed by other ROs. The main goal is to attract the interest of the IP and optimize financial gains. It is assumed that each RO acts rationally and possesses access to the utility function parameters of other ROs through information conveyed in smart contracts. Consequently, this scenario establishes a game of perfect information price competition.
In the RO bidding stage, where all ROs participate as players, the strategy for
is to choose a price
from the feasible set
. Their objective is to select
that satisfies
s.t.
Here,
and
denote the two points intersecting the x-axis in Figure 3. These points signify optimal choices for
. Their selection ensures that the demand for resources falls within a range where the IP revenue remains positive.
In the IP decision stage, subsequent to obtaining a price list from all ROs for resource i, the IP needs to decide whether to allocate exclusive resources to the IV or opt for resource sharing with a specific RO. The objective is to select
or
such that
Through the above analysis of the game model, we devised a greedy matching algorithm in Algorithm 1.
Algorithm 1 Greedy Matching Algorithm
Input: Resource demand vector R; Unit cost of resource i for IP ; The degree of relevance between IV and ROs ; The cost level of Rs ;
Output: Resource Allocation plan for IV , The profit of IP ; The profit of ROs ;
Begin
01: Initialize The utility level of resource ; The free amount of resource i in ; The unit retail price for resource i of IP ;
02: FOR Resource i in demand vector R
03:   ROs engage in pricing strategy games according to Equations (18)–(20), resulting in price sequences for resource i;
04:   Calculate IP’s profit for each RO by Equation (21);
05:   Sort ;
06:   IP selects the largest for a decision or allocates exclusive resources for IV
07:   Update , the free amount of resource i in
08: ENDFOR
End
6. Blockchain-Based Encrypted Access Control Approach
Upon achieving a match in resource sharing, ROs and IVs participate in encrypted resource allocation and access control, which is facilitated through blockchain coordination.
6.1. Bilinear Mapping
In the context of cryptographic operations, a pairing, denoted as , is a fundamental bilinear mapping. In this representation, and refer to cyclic groups of prime order p, with g serving as a generator for .
The pairing operation e is characterized by key properties:
**Bilinearity**: For any and non-zero , it holds that .
**Non-degeneracy**: The property of non-degeneracy ensures that , particularly when g operates as a generator of .
**Computability**: There exists an algorithm available that efficiently computes this mapping within a polynomial time complexity.
6.2. Linear Secret Sharing Scheme (LSSS)
In the context of LSSS [37], let U denote the attribute domain, and let p be a prime number. For every access structure M defined on U, M is essentially an r by n matrix over the field
. The rows of this matrix M are associated with mappings to
. Here, a secret value s (
) and a set of random numbers
collectively compose the vector
, and its transpose is represented as
. Consequently, the product
yields r secret shares denoted as
, each corresponding to the secret share held by
.
In terms of Linear Reconstruction, the focus is on an authorized attribute set S, where . In this context, elements are introduced, with the stipulation that for any where , it holds true that . This particular characteristic defines A as a monotonic access structure. For the purposes of this paper, we specifically emphasize monotonic access structures. In the realm of Attribute-Based Encryption (ABE), the traditional roles of entities are replaced by attributes, thus integrating authorized attribute sets within the broader access structure A.
6.3. Algorithm Steps
Step 1 Initialization:
Given a security parameter
, the initialization algorithm chooses two cyclic groups
and
of prime order p. Additionally, it designates a generator g for
and defines a bilinear mapping e with the functionality
. The process of selecting and mapping groups is accomplished by utilizing the group generator algorithm. Furthermore, random elements
and
are generated. The public key
is then computed as
and the master key as
.
The process is initiated by the RO through the creation and deployment of a smart contract on the blockchain. This results in the acquisition of a designated contract address, which is denoted as . Subsequent to this step, the RO allocates a distinctive identifier, denoted as , and designed for the upcoming configurations of shared resources. Following the identifier assignment, the Hash method is employed to calculate an index, and both the contract address () and the identifier () are securely stored within the domain of the IP. Lastly, the computed index is transmitted to the blockchain through the smart contract.
Step 2 Encryption:
The attribute set of the resource i to be shared by RO is recorded as
. By selecting u randomly from the set of
, the following elements are computed:
These calculations result in the generation of a private key as
Subsequently, the system selects w randomly from
and computes
by utilizing the
and the
of the resource. For each attribute in
, denoted as
and letting
be a share of w, we can compute
These elements, in combination with the selected parameters, give rise to a partial ciphertext represented as:
The RO then employs an attribute-based encryption algorithm to encrypt the resource key
. By utilizing the public key
, the resource key
, the LSSS-based access structure
, and the
, the ciphertext
is generated. In the access structure
, M is an
matrix, and the computation of
is carried out as
Then, the RO maps the to the and uploads this mapping to the blockchain. The RO utilizes a smart contract to define the validity access time for the .
Within the framework of this LSSS-based CP-ABE scheme, an attribute Bloom filter (ABF) is established through the following series of steps:
- (1) The RO extracts the attribute set from the access policy defined in the access structure . An element in the ABF, denoted as e, is structured as , where r signifies the row number of the matrix M, and represents one of the attributes. These components are transformed into bit strings of lengths and , respectively.
- (2) The bit string and bit string are combined into a -bit string. An element is introduced to the ABF, where s constitutes a secret share value. To achieve this, bit strings are randomly obtained, and is computed through secret sharing.
- (3) Hash functions are applied to of element s in order to derive positions for each share value within the ABF as .
- (4) The RO proceeds to store each shared value at the corresponding hash index location. Subsequently, the RO uploads both the ABF and the access matrix M to the IP.
Step 3 Decryption:
The IV initiates the process by obtaining the Resource Identifier , the address of the smart contract, and the encrypted data stored by the RO on the IP. The IV then proceeds with the following steps:
- 1. ID Verification and Resource Existence Check: The IV hashes the received and executes the smart contract to validate the existence of the requested resource on the blockchain. If the resource cannot be located, the algorithm terminates.
- 2. Ciphertext Access Time Check: Upon obtaining the ciphertext’s through Algorithm 2, the IV first checks whether it falls within the valid access time period. If access is not granted, termination occurs. Otherwise, the user proceeds to acquire the ciphertext of the Resource Key .
- 3. Attribute-Based Policy Verification: Before decrypting the ciphertext, the IV must ensure that its attributes satisfy the access policy. This involves restoring the policy function .
- 4. The reconstruction of the policy function from the Attribute Bloom Filter (ABF) is performed through the following steps:
  - (1) Utilize n hash functions to hash the attributes
  - (2) Obtain the corresponding strings through position indexes;
  - (3) Calculate the shared value s and output the corresponding string:
  - (4) Represent s as , and compare with . A match signifies the presence of the attribute in the ABF, while denotes the attribute’s position within the access matrix M. A mismatch indicates that the attribute is absent in the ABF.
  - (5) Upon the successful restoration of the access structure , the IV proceeds with the decryption process.
- 5. Resource Key Retrieval: With the reconstructed access structure , the IV is able to decrypt the ciphertext to obtain the Resource Key (). The computation involves verifying that the IV’s attributes align with the access policy and calculating based on authorized attribute sets and shared values.
Algorithm 2 IV Gets CT
Input: Resource
Output: Cipher text
Begin
01: = hash();
02: IF = null
03:   Return error;
04: ELSE
05:   Mapping(⇒ CT.available_time)
06:   IF Running time is expired
07:     Return error;
08:   ELSE
09:     Mapping(⇒ RO.available_time)
11:     IF Sharing time is expired
12:       Return error;
13:     ELSE
14:       Mapping(⇒)
15: ENDIF
End
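The ABF construction in Step 2 and the policy reconstruction in Step 3 can be shown together: each element (row number joined with the attribute) is split into shares stored at the attribute's hash positions, and a query recombines them to recover the row. The Python sketch below is an added example, not the paper's implementation; XOR secret sharing, the byte widths, the filter size, the hash count, the SHA-256-derived positions and the attribute names are all assumptions made for illustration.

```python
import hashlib
import secrets

ROW_BYTES, ATT_BYTES = 1, 8   # constructed widths of the row-number and attribute strings
K, SIZE = 3, 256              # constructed: number of hashes and number of ABF slots
ELEM_BYTES = ROW_BYTES + ATT_BYTES

def positions(att):
    """Slot indexes for an attribute from K SHA-256-based hashes (duplicates collapsed)."""
    digests = (hashlib.sha256(bytes([j]) + att.encode()).digest() for j in range(K))
    return sorted({int.from_bytes(d[:4], "big") % SIZE for d in digests})

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def build_abf(rho):
    """rho lists the attribute of each row of M (row numbers start at 1)."""
    abf = [None] * SIZE
    for row, att in enumerate(rho, start=1):
        if len(att.encode()) > ATT_BYTES:
            raise ValueError("attribute too long for the chosen width")
        last = row.to_bytes(ROW_BYTES, "big") + att.encode().rjust(ATT_BYTES, b"\0")
        free = None
        for pos in positions(att):
            if abf[pos] is None and free is None:
                free = pos                        # reserved for the final share
                continue
            if abf[pos] is None:
                abf[pos] = secrets.token_bytes(ELEM_BYTES)
            last = xor(last, abf[pos])            # shares already stored are reused
        if free is None:
            raise ValueError("no free slot; enlarge the filter")
        abf[free] = last
    # Unused slots are filled with random strings so they look like shares.
    return [s if s is not None else secrets.token_bytes(ELEM_BYTES) for s in abf]

def query_abf(abf, att):
    """Return the row of att in M, or None when att is not part of the policy."""
    acc = bytes(ELEM_BYTES)
    for pos in positions(att):
        acc = xor(acc, abf[pos])
    name = acc[ROW_BYTES:].lstrip(b"\0")
    return int.from_bytes(acc[:ROW_BYTES], "big") if name == att.encode() else None
```

An attribute outside the policy recombines to random bytes, so the comparison in step (4) fails except with probability about 2^-64 for the 8-byte attribute field used here.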