A blockchain-based privacy-preserving 5G network slicing service level agreement audit scheme

Network slicing, as a key technique of 5G, provides a way that network operators can segment multiple virtual logic on the same physical network and each customer can order specific slicing which can meet his requirement of 5G service. The service level agreement of network slicing (NS-SLA) of 5G, as a business agreement signed between the network operators and the customers, specifies the relevant requirements for the 5G services provided by the network operators. However, the authenticity of auditing results may not be guaranteed and the customer’s data may be leaked in the existing NS-SLA audit scheme. In this paper, a blockchain-based 5G network slicing NS-SLA audit model is proposed to address the above problems. The blockchain is applied as a public platform and all the dual monitored service parameters will be stored on the blockchain to ensure the authenticity of data. A trapdoor order-revealing encryption algorithm is introduced to audit strategy, which can encrypt the monitored parameters, realize the comparison over ciphertexts and prevent the privacy of data from leaking. Besides, an NS-SLA audit smart contract is designed to implement the audit task and execute corresponding punishment strategies automatically. We make experiments to exam the cost of the blockchain-based system and the results found clear support for the feasibility of the proposed model.

Besides, an NS-SLA audit smart contract is designed to perform the audit task and punish the offending party automatically. The contributions of this paper are summarized as follows: • We present a blockchain-based 5G network slicing NS-SLA audit scheme which realizes credible auditing and ensures the immutability of the recorded parameters on the blockchain. • The TORE algorithm-based privacy-preserving scheme is proposed to ensure the security of the monitored parameters and realizes the ciphertext auditing. All the audit tasks can be performed automatically by the designed NS-SLA audit smart contract. • We evaluate the cost of the proposed audit model which demonstrates the feasibility of the model.
The rest of this paper is organized as follows. In Sect. 2, we present the blockchain-based 5G NS-SLA audit model. The detailed TORE-based privacy-preserving NS-SLA audit is presented in Sect. 3. In Sect. 4, we conduct the performance evaluation of the proposed model. At last, the paper is concluded in Sect. 5.

SLA monitoring and auditing
Many scholars have done a lot of research about SLA management in different domains, such as Cloud platforms and Web service. For example, traditional SLA monitoring schemes depend on service providers [19] or third-party auditors (TPA) [8] to monitor service. However, all these parts may tamper with the report for benefits. Some multiparty monitoring schemes based on reputation mechanisms [9] or reasoning techniques [10] are proposed to improve SLA monitoring by collecting and inferring information from different SLA parameters. However, it is difficult to establish a trust relationship between multiple parties, and either party may provide false data. Blockchain brings new opportunities [11,20], it is a distributed ledger that implements consensus mechanism to ensure data consistency [12] and establishes a trust relationship between multiple parties. Thus, blockchain may provide a trustful platform for SLA monitoring and auditing [14,21]. In the blockchain-based SLA auditing scheme [13], all witnesses which are selected from the blockchain network nodes can detect violation and report credible feedback cooperatively. However, the ability of witness is limited and user's privacy may be disclosed due to the openness and transparency of blockchain. Similar to the Cloud platforms [22] and Web service [23], the 5G network slicing service also needs SLA to manage the service. Some researchers [24] proposed mapping mechanisms for slice template generation according to customers' information provided in the SLA. However, whether the service quality meets the SLA requirements is not considered. Papageorgiou et al. [15] designed a SLA Manager. The SLA manager is connected with the monitoring module to receive the real-time value of the current monitoring indicators and verify whether the service parameters are within the range of user requirements. However, the SLA Manager cannot guarantee the authenticity of the source of monitoring data. Touloupou et al. [25] designed a monitoring system that can automatically develop agreements based on each network slice instance and detect any violations and raise alerts. However, the proposed framework can only monitor and manage business assurance in a single network service. All these schemes don't consider the privacy issue during SLA management. Liu et al. [26] proposed a secure federated learning framework that uses local differential privacy technique and adds Gaussian noise to avoid customer privacy leakage in 5G networks. Kang et al. [27] proposed a Proof-of-Verifying consensus scheme to defend against poisoning attacks and ensure data security. Although there are lots of privacy protection method, how to design a privacy protection method suit for network slicing SLA audit needs to be explored.

Order-revealing encryption
Since order-preserving encryption (OPE) [16] can ensure that the sort order of ciphertexts is consistent with the corresponding plaintext sorting order, it is considered as one of the feasible solutions to solve the privacy leakage problem in SLA monitoring and audit. However, Naveed and Kamara [28] proved that databases encrypted by OPE are exceedingly vulnerable to "inference attacks. " The order-revealing encryption (ORE) as an improved OPE has been proposed [29]. The plaintext comparison result can be determined by ciphertext and corresponding indexes in the ORE scheme [17]. However, the leaked information in the scheme may be caused by the different indexes of the first bit of the two encrypted data. Lewi and Wu [18] proposed a trapdoor order-revealing encryption scheme (TORE) which disclosures less sequential information and provides stronger data security.

Smart contract-based 5G SLA auditing model
There are three major scenarios of 5G network, including ultra-reliability and lowlatency communication (uRLLC), massive machine-type communication (mMTC), enhanced mobile broadband (eMBB). The customer can order specific slicing which can meet his requirement under different scenarios. Since the uRLLC scenarios require ultra-real-time and high reliable services, the mMTC scenarios require massive connections, and the eMBB scenarios demand ultra-high bandwidth and big data services, a network slicing under different scenarios focus on different requirements of service parameters, as shown in Table 1.
In this section, we consider the scenario consisting of customers, network operators, base stations (BS), and some eavesdroppers. Besides, a blockchain-based 5G NS-SLA audit system model is elaborated. In this scenario, the network operators can provide customers with customized network slicing with different QoS requirements. The slicing network architecture with BS deployment for end-to-end network slicing is shown in Fig. 1. The network operator is responsible for maintaining the network.
The customer will order a network slicing with the satisfied requirement in NS-SLA from a network operator. This NS-SLA maps the requirement of QoS to the service attribute parameter level, each specific NS-SLA can be extended or customized standard service parameters, such as secrecy rate, delay, packet loss rate, and so on. In order to audit whether the QoS meets the NS-SLA standard, both customers and network operators will monitor the specific 5G service parameters. These service parameters will be recorded on the blockchain to keep the authenticity of data. Due to the transparency of blockchain, all the parameters will be encrypted before uploading it to the blockchain. In addition, a NS-SLA audit smart contract is implemented to execute audit tasks. Once violations happen, the SLA audit smart contract will be triggered to compare the monitoring data and audit data. Then, the smart contract automatically distributes rewards or punishes the offending party, with the reputations updated. The whole audit model is depicted in Fig. 2.

Blockchain-based system
This NS-SLA audit system is based on blockchain which is regarded as a trustful platform. In the blockchain network, servers from different network operators (as full nodes) can be registered as miners to package and execute transactions. However, if  Fig. 1 Architecture of slicing network. The model consists regional customers, network operator, and eavesdroppers. The figure shows the slicing network architecture with BS deployment for end-to-end network more than half of the miners come from the same network operator, the provider may launch 51%-Attack. In order to prevent someone from controlling the computing power of the blockchain network, the number of miners provided by each network operator will be limited to no more than one-third of the total number of miners. In addition, customers with personal devices can register as light nodes to download block headers or view transactions. In our blockchain-based system, customers and network operators will store their monitoring data on the blockchain. Any transaction initiated by the customer in the blockchain network will be broadcasted and verified by miners in the blockchain network. The consensus protocol of blockchain can guarantee the security and consistency of transactions. Once the transaction passes verifications, it will be permanently recorded into the blockchain and spread throughout the network which cannot be tampered. In order to monitor and verify the transaction on the blockchain, some miners in the blockchain will be selected as witnesses to finish verification tasks. The selection of witness can be executed by a witness smart contract to ensure unbiasedness and randomness of the selection process [13].
When the monitoring data has been uploaded to the blockchain, the NS-SLA audit smart contract will be triggered to finish auditing tasks. This smart contract is designed according to NS-SLA requirements and it can interact with customers and network operators. After auditing, the NS-SLA audit smart contract will automatically generate a transaction to distribute rewards and update users' reputations.

Audit model
The core of the model is violations audit by comparing the monitoring data from customers and network operators. Therefore, the audit model is one of the most important parts, which is described as follows.  Step 1 Obtain monitoring service parameters After a customer orders a network slice from a network operator, the customer will sign the NS-SLA agreement with the network operator. When the 5G network slice service starts, the network operator will continuously monitor service parameters. The monitoring parameters of the network operator are obtained by monitoring the base station to provide more reliable monitoring data. The credibility of data can be achieved by the base station in the monitoring phase. Besides, in order to ensure the authenticity of the data, the customers also monitor service parameters.
Step 2 Encrypt and upload monitored parameters Since all the monitoring data will be stored on the blockchain, the data needs to be encrypted to keep its security. On the network operator side, the monitoring parameters will be encrypted by the TORE, and then the encrypted data will be uploaded to the blockchain. Similar to the network operator side, the parameters monitored by customers are also encrypted by TORE, and then the corresponding ciphertexts are uploaded to the blockchain. The security of data is guaranteed by the TORE algorithm in the transmission phase. The data recorded on the blockchain is also credible, since the blockchain can record behaviors and data of the customer and network operator, which cannot be tampered.
Step 3 Extract and audit service parameters After storing the monitored data on the blockchain, the SLA audit smart contract extracts ciphertexts of the two sides from the corresponding block to maintain the credibility of the whole auditing process. Then, it will compare these encrypted data. If the monitoring data of both sides are equal, it proves that the true monitoring data is recorded. Then, actual monitoring data will be compared with the standard values of service parameters, to determine whether the service conforms to the 5G SLA standard.
Step 4 Punishment According to the audit result, the smart contract will judge the fault party and some punishments will be implemented. For example, network operators will compensate customers if the quality of service they provide does not meet the requirements of NS-SLA, and network operators will be paid if the quality of service meets the requirements.

Methods
In this section, we present the privacy audit model of 5G NS-SLA in detail. The proposed model can audit multiple service parameters according to the requirement in NS-SLA of specific network slicing. In order to audit these service parameters, the dual monitoring method is used. After that, all the monitored parameters will be encrypted by the TORE algorithm to ensure the security of data stored on the blockchain. A NS-SLA audit smart contract is designed to implement the audit tasks in the blockchain network. This smart contract will be triggered to compare the ciphertexts to fix whether the data from two sides is consistent and compare the encrypted data with the standard parameter in SLA to fix whether the data achieves the service requirement. In addition, some punishments will be automatically executed according to different situations. The whole privacy-preserving audit scheme will be described in detail as follows.

TORE-based privacy audit mechanism
In the proposed audit scheme, each service parameter needs to be encrypted by the TORE, each service parameter i will be set a specific plaintext space [N i ] before encrypting and the plaintext space has individual domain. All the standard service parameters and actual service parameters monitored by customers and network operators are included in the domain. In addition, each plaintext space of service parameter is shared by the customer and network operator. For each service parameter j, its corresponding plaintext space is recorded as N j and N j has n elements according to SLA requirement. All the element x ji ∈ N j in the plain N j associate with an encryption key k ji . For example, the secrecy rate as one of the 5G service parameters is monitored by customer and network operator. In the model of 5G service, the customer measures the downlink rate and computes the secrecy rate, and the network operator uses the uplink rate measured by the base station to compute the secrecy rate. After that, both the customer and the network operator will encrypt their own monitoring parameters by the TORE algorithm [18] and then upload the ciphertexts to the blockchain. Despite the public and transparent nature of the blockchain, the encrypted parameters stored on the block will not be disclosed. The TORE algorithm includes a left encryption algorithm Encrypt L and a right encryption algorithm Encrypt R . Moreover, the ciphertext generated by TORE consists of a left component ct L and a right component ct R . The whole execution process of TORE-based privacy audit scheme includes four steps: Setup, Encrypt L , Encrypt R , and Compare, and the detail is shown as follows: • Setup 1 : Firstly, a security parameter will be generated. After that, for each element in plaintext spaces, key k ji R ← − {0, 1} of a secure pseudo-random function (PRF) F : {0, 1} × {0, 1} → {0, 1} will be generated by the SLA audit smart contract. Next, sample a uniformly random permutation π : N j → N j on each plaintext space domain. The pair k ji , π is the secret key sk ji . These secret keys are shared by customers and network operators. • Encrypt L sk, x j : On the network operator side, the service parameters are monitored by the base station. After receiving the monitored parameter x j , the network operator will first select the corresponding secret key sk j of x j . Then, the permuted position π x j of x j will be computed according to permutation function, which can ensure that x j in N j can't be learned from others and protect data security while comparing ciphertexts. Next, the left ciphertext for x j is computed, according to ct Lj = F sk, π x j , π x j . In addition, the left ciphertext ct Lsj of each standard service parameter in SLA will also be computed, which is similar to the method of ct Lj . And, both the ct Lj and ct Lsj will be uploaded to the blockchain. • Encrypt R sk, y j : In this step, we use a hash function H : Besides, a comparison function CMP m i , m j is set and its outputs −1 with m i > m j , 0 with m i = m j , and 1 with m i < m j . The right encryption is finished by customers. First, the customer will monitor the service parameters y j . Next, a random nonce r R ← − {0, 1} will be sampled. Then, the customer will compute the index v jz for each z ∈ N j by using specific secret key and monitored parameter, according to v jz ← CMP π −1 (z), y j + H(F (k, z), r) (mod 3) . Finally, a group of index v j1 , v j2 , ..., v jn will be obtained and the right ciphertext is represented by the tuple ct Rj = r, v j1 , v j2 , . . . , v jn . The customer will upload ct Rj to the blockchain.
Once all the encrypted data arrive, the SLA audit smart contract will be triggered to implement the audit task. First, the ciphertexts ct Lj , ct Rj will be extracted, and then the SLA audit smart contract will execute the Compare algorithm automatically to obtain the comparison result between network operators and customers. The Compare algorithm is defined as follows: • Compare ct Lj , ct Rj : After extracting ct Lj and ct Rj , and the SLA audit smart contract will parse ct Lj = k ′ , h and ct Rj = r, v j1 , v j2 , . . . , v jn . Thereinto, k ′ = (F (k, π (x)), π (x)) is a PRF key and h = π(x) is a permuted position index. Then, the index of comparison between x j and y j will be computed, according to In order to verify the correctness of this algorithm, we set ct Lj ← Encrypt L sk, x j and ct Rj ← Encrypt R sk, y j . The proof is shown as follows:

Punishment strategies for violations
After finishing the comparison, there will be two kinds of comparison results. One is that all the monitored parameters from network operators and consumers are equal, ∀j , I j = 0 , which means that no party reports false data. In this situation, the SLA audit smart contract be triggered to extract ct Lsj from the corresponding block and then implement Compare ct Lsj , ct Rj to compare the service parameters with the NS-SLA standard values. Then, we can obtain a comparison index I sj . If I sj = 0 or 2, which proved that the quality of service reaches the NS-SLA standard, the service fees F s will be distributed to the network operator automatically by the smart contract. Otherwise, the NS-SLA standard is not reached. Thus, the deposit F d of network operator will be distributed to the miners as a reward instead of returning back, and the customer will get the service compensation F c . The other is that the monitored parameters from the above two parts are not equal, which exists at least one index that I j = 0 . Then, the NS-SLA audit smart contract will be triggered to check the comparison information in the block during the time slice t s . The times of ∃I j � = 0 and the times of total comparison num all will be increased by one. Moreover, the mismatching comparison result from the same customer will be only recorded once to prevent the malicious users provide fake data in many times. If num dif > ⌊num all /2⌋ , the network operator is cheating, the operator's deposit will not be returned as a punishment. Otherwise, the consumer reports the false service (1) parameters in the audit task, and then, the reputation of the customer will be reduced as a punishment, according to the following formula.
Thereinto, T x (i, t) is the reputation value of customer x who requests service i in time t and T x (i, t s ) is the reputation value of x during time slice t s . T x (i, t s ) integrates users' rating as a subjective source and service quality monitoring information as an objective source, and it can change dynamically with the service preferences of customers [30]. The punishment degree is determined by the compensation ratio of negotiated compensation F c , the minimum compensation F min and the maximum compensation F max . We use a punishment degree to measure the importance of this service task and multiply it by the customer's unreliability value as the reputation reduction value. At the same time, the customer's deposit F d will be distributed to miners and the payment F s for the service will be automatically sent to the network operator. When a consumer reputation value is lower than 0, it will not be able to apply for the 5G network slicing.

Results and discussion
We implement our model on the Ethereum platform, design the NS-SLA audit smart contract by solidity programming language and deploy it on the blockchain. Because Ethereum provides a blockchain platform that allows developers to use smart contracts to develop applications on it and it is easy for researchers to develop and test prototypes on the Ethereum blockchain. In this section, we first compare the proposed blockchainbased NS-SLA audit scheme with other audit schemes to show the advantage of the proposed scheme. After defining the scenario and the service parameters, we analyze the complexity of the proposed audit model. The complexity analysis includes communication overhead, smart contract overhead, and encryption overhead. Since communication overhead refers to the number of interactions between systems, which is the same as traditional systems, we mainly analyze the overhead of additional modules including smart contracts and encryption in our solution.

Comparison of the existing audit methods
From Table 2, we can see the comparison results between different schemes. Although the SLA-M scheme can monitor multiple parameters, the time overhead is relatively high. The time overhead of our audit scheme based on blockchain is within acceptable range. Both SLA-ICM [14] scheme and Sec-rSLA [13] scheme are applying blockchain and design a distributed SLA audit scheme. However, the data stored on blockchain in this scheme may leak privacy. Our scheme introduces the TROE algorithm to encrypt the service parameters to ensure the security of data and realize ciphertexts comparison. Besides, a NS-SLA audit smart contract is designed to achieve perform audit tasks automatically.

Overhead of SLA audit smart contract
In the proposed audit model, all the audit tasks are triggered to execute by the NS-SLA audit smart contract and the execution of the smart contract is one of the main costs.
In order to measure the overhead of NS-SLA audit smart contract, we deploy it on the Ethereum blockchain. Each executing step of the smart contract is depending on the state transition of interfaces. In addition, the execution of the program defined in interfaces finished by miners in the blockchain network is the main consumption of gas (a unit that can measure the workload of miners). Figure 3 shows the gas consumption of each interface in the NS-SLA audit smart contract. Since the complexity of different interfaces is different, so the gas consumption is different and the gas consumption increases with the complexity of interfaces. Overall, the total gas consumption of the NS-SLA smart contract is acceptable.

Service parameter in audit model
In the proposed scheme, the customer can order customized network slicing from the network operator according to his own QoS requirement. Thus, we define a scenario and select several parameters to evaluate the audit scheme.
In this part, we take the secrecy rate as an example of service parameters, show the acquisition process of this parameter, and evaluate the secrecy rate in the presence of eavesdroppers using simulation with the following parameters. We use the cylindrical antenna array and set the number of antennas at the transmitter as 128. The antenna  layer distance is set to 0.5 wavelength, the circle radius is set to 1 wavelength, and the number of layers is set to 10. In this scenario, we consider a hybrid unicast/multicast transmission, and users are divided into multicast group (Multi-group), unicast group (BD group) and eavesdropping group (Eve group), and all group in the system (All group). The total number of users is 42, and the number of eavesdroppers is 10. The load impedance, antenna impedance, and mutual impedance are set to Z L = 50Ω , Z A = 50Ω , Z M = 50Ω , respectively. Besides, the SNR is ranged from −10 to 35 dB. In this model, the secrecy rate of a customer can be computed as follows: Thereinto, I D is the mutual information between the legitimate senders and the legitimate receivers, which is shown as 4. I E is the mutual information between the legitimate senders and the eavesdroppers, which is shown as 5.
Both I D and I E are affected by the signal interference noise ratio (SINR). The SINR of customers in the eavesdropping group is shown in formula 6, and the parameters in this formula are the same as those in our previous work [31].
In order to maximize the secrecy rate R S , we should maximize I D and minimize I E as much as possible, according to formula 3. Then, we test the secrecy rate of the BD group, multi-group, Eve group, and All group with the increase in the number of eavesdroppers. In the NS-SLA audit model, both customers and network operator will monitor the secrecy rate as a service parameter. Figure 4 illustrates that the secrecy rate of the eavesdropping group increases greatly with the increase in a number of eavesdroppers. Besides, the secrecy rate of the BD group and All group decreases greatly with the increase in the secrecy rate of the Eve group.
Then, we set secrecy rate in NS-SLA as 90 bps/Hz and the parameters monitored by customers and network operators are randomly set ranging from 80 to 120 bps/ Hz according to Fig. 4 for testing the proposed audit scheme. When the monitored parameters of the customer and the network operator are the same, the NS-SLA smart contract will compare the monitored parameters with the standard parameters in NS-SLA. When the monitored parameters are not greater than 90 bps/Hz, the network operator will receive the rewards and the reputation value of customers and network operators will increase. Otherwise, the QoS of network slicing is not up to standard, the customer will get compensation. When the monitored parameters of the customer and the network operator are different, the offending party is found according to the monitored records. The offending party will be punished and his reputation will decline.

Overhead of TORE encryption
In this proposed audit model, the service parameter can be customized according to the requirement of customers. Thus, the conditions such as the number of parameters and the size of the space occupied by the parameters can be changed. Since encryption is one of the key points of the privacy audit model, we focus on the complexity analysis of the encryption algorithm. We set the number of input parameters to n, l is the number of bits for a parameter, and N is the size of the plaintext space.
The Encrypt phase and Compare phase are the main phases of the TORE algorithm, we evaluate the cost of the two phases, respectively, with the following parameters. The security parameter is = 128 and F is instantiated with AES-128. The number n of parameters is set from 1 to 5 in turn, the parameters are randomly selected, such as secrecy rate, online users ID, latency, and so on. Besides, the plaintext space N for each  parameter is set to 32 bits. Table 3 shows that the time cost of encryption is much higher than that of comparison under different numbers of parameters. Compared with the time cost of encryption, the time cost of comparison time can be negligible. Besides, the encryption time increases with the increasing number of the monitored parameters. Since the encryption time is microsecond level, the time cost is within an acceptable range. Since the main time cost is the encryption process, we select 3 parameters including the ID of online user, secrecy rate, and latency as auditing parameters to test the encryption time with different-sized plaintext space. Different types of base stations can access different numbers of users at the same time, ranging from hundreds to tens of thousands. The requirement of secrecy rate and latency are also different in different scenarios. From Fig. 5, we can see the average encryption time of the three parameters with different sizes of plaintext space from 8 bits to 64 bits. For example, the precision secrecy rate in 32 bits plaintext space and 64 bits plaintext space are different. Thus, the precision of service parameters should be changed by expanding the plaintext space. With the size of the plaintext space becomes larger, the range of requirement of service parameter becomes wider. During each encryption process, Encrypt L will loop n times making one pseudo-random permutation call and one pseudo-random function calls each iteration. Encrypt R will compare the given parameter value to 2 l possible values and it will loop n2 l times making one hash function call, one pseudo-random permutation call, and one pseudo-random function call each iteration. The more comparison elements in plaintext space, the more index of each element will be generated in process of right encryption. Compare ct Lj , ct Rj makes n calls to hash. With the increase in n and l, the encryption time will increase. Besides, the time complexity of encryption is exponential in the l size.
In addition, the plaintext space of size N for each service parameter will affect the length of the ciphertexts. In the left ciphertexts, ct L consists of a pseudo-random function key and a permuted position index, occupying + ⌈log N ⌉ bits of space. In the right ciphertexts, ct R consists of a nonce, together with N elements in Z 3 , occupying

Conclusion and future work
In this paper, we focus on the issue of the NS-SLA audit model of 5G and proposed a blockchain-based audit model which considers the privacy protection. In order to ensure the authenticity of the monitored data, both the customer and network operators are responsible for monitoring the service. Besides, these monitored parameters will be encrypted by the TORE, which ensures the security of data stored on the blockchain. All the audit tasks are implemented by the designed smart contract, which ensures the audit data over ciphertexts without leaking privacy and execute punishment for the offending party automatically. In the future work, we plan to further reduce the cost of the scheme.