Privacy preserving divisible double auction with a hybridized TEE-blockchain system

Double auction mechanisms have been designed to trade a variety of divisible resources (e.g., electricity, mobile data, and cloud resources) among distributed agents. In such divisible double auction, all the agents (both buyers and sellers) are expected to submit their bid profiles, and dynamically achieve the best responses. In practice, these agents may not trust each other without a market mediator. Fortunately, smart contract is extensively used to ensure digital agreement among mutually distrustful agents. The consensus protocol helps the smart contract execution on the blockchain to ensure strong integrity and availability. However, severe privacy risks would emerge in the divisible double auction since all the agents should disclose their sensitive data such as the bid profiles (i.e., bid amount and prices in different iterations) to other agents for resource allocation and such data are replicated on all the nodes in the network. Furthermore, the consensus requirements will bring a huge burden for the blockchain, which impacts the overall performance. To address these concerns, we propose a hybridized TEE-Blockchain system (system and auction mechanism co-design) to privately execute the divisible double auction. The designed hybridized system ensures privacy, honesty and high efficiency among distributed agents. The bid profiles are sealed for optimally allocating divisible resources while ensuring truthfulness with a Nash Equilibrium. Finally, we conduct experiments and empirical studies to validate the system and auction performance using two real-world applications.


Introduction
Divisible resources (e.g., electricity, mobile data, and computation and storage resources in the cloud) have been frequently traded or allocated in a peer-to-peer mode. All the agents can purchase or sell any amount of the resources in such markets. Since all the agents generally compete with each other to maximize their payoffs, divisible double auction mechanisms (Zou et al. 2017) are designed to allow both buyers and sellers to dynamically submit their prices until convergence (e.g., achieving the Nash Equilibrium (Maheswaran and Basar 2003;Johari and Tsitsiklis 2004)) and then complete the transaction with resource allocation. Recently, smart contracts (as decentralized and self-enforcing contracts) can be designed for distributed agents to trade divisible resources with digital agreements. The blockchain-based platform supports the execution of smart contracts for strong integrity and availability, which maintain the transparency, traceable and consensus properties.
However, severe privacy concerns may arise in both double auction (Brandt et al. 2007) and blockchain-based systems (Wüst et al. 2019). For instance, during the auction, all the agents report their bidding profiles, including sensitive data such as their bidding amount and bidding prices. As rival agents, they may want to win competitive advantages in the market (more payoffs) by reporting untruthful bids if they know the others' bid profiles. Then, the market (Krishna 2009) would be deviated. Even worse, such private data might be collected and resold (Brandt et al. 2007) to other untrusted parties.
To this end, it is desirable to propose a truthful divisible double auction mechanism while preserving all the Open Access Cybersecurity *Correspondence: yuan.hong@iit.edu Illinois Institute of Technology, 10 West 35th Street, Chicago, IL 60616, USA agents' privacy (at least sealing all the bid profiles). Specifically, smart contracts on the blockchain system can be designed for the divisible double auction. However, the blockchain system has limitations on preserving privacy for sensitive data and high performance execution. To complement the blockchain system, the Trusted Execution Environment (TEE) (Hoekstra et al. 2013) could address such limitations by executing the core functionality (e.g., computation for the smart contract) in the enclave, which protects the data against malicious attacks. Compared with other types of secure and private solutions (e.g., Secure Multiparty Computation (SMC) (Paillier 1999;Okamoto and Uchiyama 1998;Naccache et al. 1998)), TEE achieves stronger security and high efficiency for blockchain execution (Das et al. 2019). Thus, in this paper, we propose an efficient and privacy preserving divisible double auction with the TEE-Blockchain hybridized system (e.g., on the Intel SGX, which is a TEE supported by an architecture extension of Intel (Hoekstra et al. 2013)). Then, the hybridized system is co-designed in three aspects.
• First, the blockchain-based platform is expected to ensure integrity and availability while it interacts with other components (i.e., TEE) for the transaction, which helps data/state recovery if the execution/protocol is broken or interrupted by accidents. • Second, the smart contract can be loaded and executed within a protected environment in Intel SGX, (namely enclave) (Tsai et al. 2017). All the agents' sensitive data can be protected during the computation. • Third, we propose an efficient, individually rational and weakly budget balanced double auction based on the Progressive Second Price (PSP) (Lazar and Semret 2001) auction, derived from the Vickrey-Clarke-Groves (VCG) (Tuffin 2002) auction. The proposed divisible double auction ensures truthfulness for all the agents by achieving a Nash Equilibrium.
Furthermore, we conduct experiments for both off-chain procedures (executing the TEE program computation) and on-chain procedures (the interaction between the blockchain and TEE) in the hybridized system to evaluate the system and auction performance using two realworld applications: (1) energy trading, and (2) wireless bandwidth allocation. The remainder of the paper is organized as follows. We first present the background to briefly introduce the divisible double auction, TEE and smart contract in "Background" section. Then, "Overview of hybridized system" section gives an overview for the proposed hybridized system, and more details of the procedures. It includes how to execute the smart contract, how to trigger the TEE, and how to interact with blockchain to perform the validation. In "Auction mechanism design" section shows the designed divisible double auction mechanism with a truthfulness guarantee. In "Discussions" section analyzes the security of the system, and discusses some real-world applications, which are supported by the proposed hybridized system. We evaluate the performance of the hybridized system in "Experimental evaluations" section. Finally, "Related work" section reviews some relevant literature, and "Conclusion" section concludes the paper.

Divisible double auction
In a divisible double auction, let B and S be the sets of buyers and sellers, respectively. The bidding information includes two-dimensional bid profiles, denoted as b m for buyers and s n for sellers. During the auction, the bid profiles are submitted as follows: (1) buyer m ∈ B : b m = (α m , d m ) with bid price α m and amount d m to buy, and (2) seller n ∈ S : s n = (β n , h n ) with bid price β n and amount h n to sell. b = (b m , m ∈ B) denotes the bid profiles of all the buyers while s = (s n , n ∈ S) denotes the bid profiles of all the sellers. In addition, r = (b, s) is defined as a strategy profile, which represents the bid profiles for all the agents. These are private information to be sealed amongst all the agents in the auction. A strategy profile without agent i is denoted as r −i = (r 1 , ...r i−1 , r i+1 , ..., r |m+n| ) , then r = (r i ; r −i ).
From the global viewpoint, the main goal of the divisible double auction mechanism is to seek the maximum social welfare for optimal allocation. We use A m and A n to denote the allocation of buyer m and seller n, respectively. In the current iteration (k-th iteration) of the double auction, A (k) m and A (k) n represent the allocation for buyer m (amount to purchase) and seller n (amount to sell), respectively. The details for our divisible double auction machanism are given in "Auction mechanism design" section.

Trusted execution environment (TEE)
TEE provides a fully isolated environment to prevent others (e.g., software, OS, and hosts) from tampering with or learning the state of applications running in it.
Intel SGX (Costan and Devadas 2016) is an instance of TEE that enables process execution in a protected address space enclave. The enclave ensures confidentiality and integrity for the process against attacks. An enclave is not allowed to make system calls, but can read/write memory outside the enclave region. Thus, the isolated execution can be viewed as an ideal model which guarantees to be correctly executed with confidentiality. We denote the double auction program inside the enclave as Prog x .
Remote Attestation allows to remotely verify if the pieces of code or program are running within the TEE or not. In Intel SGX, CPU can measure the trusted memory, cryptographically sign the computed results, and generate the signatures for the attesting party. The private key is only known to the hardware over the program. Group signatures (EPID) (Brickell and Li 2009) are used for setting up a secure channel for remote attestation.

Smart contract
Cryptocurrencies are traded on the decentralized network of peers which stores all the transactions via a public ledger. Through the consensus protocol, the ledger is stored as a chain of blocks with the agreement state. Smart contract is a machinery built on top of cryptocurrencies, and it defines and executes the contract on the blockchain. In other words, the smart contracts work as a program digitally among distributed agents (Miller et al. 2000). Based on the decentralized cryptocurrencies, the integrity and availability can be guaranteed. In our work, privacy will be ensured by TEE.

Overview of hybridized system
In this section, we provide an overview of the Hybridized TEE-Blockchain System (including the procedures). Figure 1 illustrates the main components of our hybridized system: all the agents ( P ), TEE ( T ), Blockchain ( BC ) and Key Management ( KM)).

Hybridized system architectures
• All the agents P (buyers and sellers) are the end users of the smart contract. Th manager P M is the delegation to compute all the incoming private agents' input and deliver results as the administrator. P M further leverages Relay to trigger the enclave to be initialized for computation (will be explained as the following). Note that the manager P M is considered to be malicious, which may collude with other agents or interrupt the computation. • TEE ( T ) is responsible to run the smart contact to processes the double auction computation among the agents (requested by the manager P M ) in the enclave E , which protects the privacy and integrity of computations. It also generates remote attestations (computation correctness) for state updates. To further improve the functionality and security of our system, we design the only interface component Relay R to provide indirect access to enclave. Relay can also provide the message passing with the Blockchain. • Blockchain ( BC ) maintains a distributed append-only ledger via running a consensus protocol. The state of BC and attestations are stored on the chain. Moreover, the validity of state update are checked by the blockchain with the TEE attestations. • Key Management ( KM ) generates keys for both private agents' inputs and state encryption. All the agents and TEE can directly interact with the KM for the key pairs via a key distribution protocol.

Enclave functionality model
Enclave (E ) protects the code of program and data during the computation for the auction. Specifically, the program running inside the enclave is completely isolated from an adversarial OS as well as other processes on the host. We formalize and integrate the Intel SGX (Shi et al. 2015) as TEE in our hybridized sytem. In order to model the ideal functionality channel with some proprieties such as privacy and authenticity, we utilize a global universal composability (UC) framework functionality (Canetti 2001) to instantiate the SGX Functions. More formally, we denote the program X which runs inside the SGX enclave as Prog x , which can be Prog da for double auction. The SGX function can be expressed as F SGX ( sgx )[Prog x , R] , where sgx is a group signature scheme and R is Relay. As shown in Fig. 2, the program Prog x is loaded into enclave via the " init " call from Relay. When Relay calls " resume ", the program is executed based on the incoming requests or inputs, denoted as inp , and computes the output with an attestation ψ att := sgx ·Sig(sk sgx , (Prog x , outp)) . The signature under TEE hardware key sk sgx and pk sgx could be obtained from the SGX Functions ( F SGX ).

Procedures
In this section, we now sketch the procedures for the execution of divisible double auction with the smart contract in the hybridized system (more details are given in Fig. 3). It depicts that the designed system is executed with three phases: (1) Initialization , (2) ExecProg , and (3) Finalization . We denote the input and output for the TEE as inp and outp , respectively. Also, regarding the deposit, we use ξ b m , ξ s n and ξ P M for all buyers, sellers and managers.
(1) Initialization . Prior to the auction phase, all the agents (buyers and sellers) are supposed to prepare for their deposits ξ b m , ξ s n . Besides, the manager also needs to deposit ξ P M (if the manager or any agent is identified to deviate the computation, then the deposit will be charged as penalty). Then the TEE will set state := init as confirming that the deposits in the blockchain. Otherwise, the TEE will set state := abort for preparing next auction and refund the deposit to the agents. For the auction computation, the TEE will fetch the key pair (pk sgx , sk sgx ) from Key Management for attestation, where the key (pk sgx ) is bundled to the executing prog x instance (auction) for checking the correctness of computation. Besides, the attestation with current state [state, ψ att ] are posted on the blockchain BC (as described in "Enclave functionality model" section).
Next, to tackle the large inputs of agents, the manager P M will handle tx :=[Enc pk (inp) , l id , ξ b m , ξ s n ] from all the agents where inp denotes the inputs of all the agents, and l id represents a unique identifier (ID). Then, P M will send tx to the Relay for executing the auction computation. Note that all the agents send the transactions through secure communication channels among all the agents and TEE. The tx is a transaction to deliver the input and output data among different system components.
(2) ExecProg . To execute the auction requested from P M , the Relay will retrieve the state information from the blockchain and Relay will trigger TEE to execute the requested service (auction) with the " resume " call if the state can be verified. Then TEE first decrypts the input data (from the Manager) with the private key sk obtained from the Key Management and launch the auction smart contract code as Prog x in the enclave (a sandboxed environment). Thus, an adversary cannot interrupt the execution or monitor data inside the enclave considering the natural merit of enclave. The final results output of the program (auction smart contract) Prog x will be securely returned to the manager.
(3) Finalization . Once manager receives the final result outp from TEE and check the correctness with the Blockchain. If the result outp is accepted by the Blockchain by checking and verifying the new state state ′ , the auction result (outp, ψ sgx , l id , ξ b m , ξ s n ) will be delivered to all the agents via Manager and Blockchain will store the new state ′ .

Threat model and properties
To ensure data privacy and integrity for the auction computation, we use the TEE's attestation (Yuan et al. 2018), where the computation is executed inside the enclave trusted by all the agents. However, the remaining software stack outside the enclave and the hardware are not trusted. The adversary may corrupt any number of agents, assuming that honest agents will trust their own codes and platform (leakage resulted from its software bugs are out of the scope). Furthermore, we assume that all the agents do not trust each other in the auction while being potentially malicious, such as stealing the bid profiles information. During the execution, each agent may send, drop, modify and record arbitrary transactions. Note that the side-channel attacks against enclave and DoS attacks are not considered in this paper.
In our proposed hybridized TEE-Blockchain system, the TEE compensates for the privacy issue with respect to the smart contract, i.e., our system can address the privacy issue for the double auction by utilizing the TEE for isolating the contract (auction process) execution inside the enclave, shielding it from potential malicious agents. From the system aspect, the following properties are addressed: • Correctness. The correctness of computation in the TEE can be guaranteed and verified by the remote attestation based on the given state and inputs. • Privacy and Security. Our system protect and verify the sensitive inputs (e.g., bid profiles) and outputs of all the agents.

Problem formulation
We represent the strategy of each agent with a non-negative valuation function V m (·) for buyers, which indicates the willingness to pay, or value for buyers to obtain the amount of divisible item. Similarly, we have negative cost function C n (·) for sellers. In the auction design, we adopt generic assumptions (Lazar and Semret 2001;Tuffin 2002) for the valuation function V m (·) : (1) V m is differentiable, concave and V m (∅) = 0 , and (2) V ′ m (·) is non-increasing and continuous; for the cost function C n (·) : (1) C n is differentiable, convex and C n (∅) = 0 , and (2) C ′ n (·) is increasing and continuous; In our settings, buyers have diminishing marginal utility while sellers have increasing marginal cost. This Assuming that each agent is selfish with the goal to maximize their own payoff. Therefore, they may untruthfully modify their bids in the auction. With the blockchain-based system to realize the smart contract for the auction, untruthful responses could be detected, and thus penalty will be applied to the cheating agent.
Thus, valuation function will be converted to V m (·) − µ p (·) where µ p (·) is a anti-monotonic function for measuring the penalty applied to the cheated amount for the buyers (Li and Marden 2014). Note that µ p (0) = 0 means if the valuation is submitted and penalty will be exempted. Similarly, the cost function will be updated as C n (y n ) + µ p (·) where µ p (·) is a monotonic function (and increasing derivative) for measuring the penalty applied to the sellers (Li and Marden 2014) and µ p (0) = 0 (exempting the penalty for truthful response of the sellers).
Then, the payoff functions are defined for buyer m and seller n as f m (r) and f n (r) , to represent their payoffs w.r.t. the bid profiles of all the agents r. Specifically, ρ m is the payment made by buyer m while ρ n is the payment received by seller n. Moreover, ρ(r i , r −i ) is defined as the difference between all the buyers' aggregated valuation if any buyer i is absent in the auction minus the aggregated valuation if i is included the auction (Lazar and Semret 2001; Zou et al. 2017;Kojima and Yamashita 2017). Similarly, ρ(r j , r −j ) is defined as the difference between all the sellers' aggregated cost if any seller j is absent minus the aggregated cost if j is included. Thus, we have: Then, given the optimal allocation profile for buyer m ∈ B and seller n ∈ S as A * m and A * n , we can define the payoffs for the buyer m and seller n as: Definition 1 (Individual Rationality) The divisible double auction mechanism achieves individual rationality if the following holds: f m (r) ≥ 0 and f n (r) ≥ 0.
It ensures that the all the agents obtain non-negative payoff while participating in the auction mechanism.
Definition 2 (Incentive Compatibility) The divisible double auction mechanism achieves incentive compatibility if the following holds: f m (r) ≥ f m (r) and f n (r) ≥ f n (r) where r and r are denoted as the true bid profile and false bid profile.
It ensures that all the agents in the auction will obtain the maximum payoff if they report the truthful bid.

Definition 3 (Weak Budget Balance)
In the divisible double auction, for ∀ m ∈ B and ∀ n ∈ S , if there exists: ∀m∈B (α m · d m ) ≥ ∀n∈S (β n · h n ), then the auction mechanism satisfies weak budget balance.
It ensures "no budget deficit" in the auction.

Definition 4 (Clearing Price)
The price θ is defined as the clearing price for an optimal allocation A * (·) , if there exists a feasible and efficient allocation, such that, the best response is achieved for the maximum social welfare, denoted as F (·) = m∈B V m (A m ) − n∈S C n (A n ).
We say that the clearing price θ (Brero et al. 2019) supports the optimal allocation A * (·) with the maximum social welfare.
Definition 5 (Nash Equilibrium) In the divisible double auction, Nash Equilibrium holds if given the bid profile r * such that: where r −m = {r} \ {b m } is a bid profile for all the buyers excluding buyer m from B and r −n = {r} \ {s n } is a bid profile for all the sellers except seller n from S.
Our divisible double auction mechanism will find the optimal allocation for all the agents to achieve the maximum social welfare. Moreover, the truthfulness of bids will be ensured in the smart contract via individual rationality and incentive compatibility. To preserve privacy, all the agents' bid prices and amounts (bid profiles), as well as the valuation/cost functions can be protected in the auction. The clearing price and trading amount will only be disclosed to every pair of potential sellers/buyers at the end of the auction (after convergence).

Divisible double auction mechanism
We now design the divisible double auction mechanism (DA), which will be executed as a smart contract inside the TEE. The procedures are detailed as below: (1) Initialization . Denoting the double auction program as Prog da , while executing Prog da in the enclave, the decrypted bid profiles of all the agents will be checked if they satisfy the initial condition (i.e, (α i ) max ≥ (β j ) min ). Otherwise, the state of auction will be turned from " active " into " fail ". Then, it requires all the agents to update their bid profiles. Meanwhile, the potential amount of the resources C should be smaller than the overall demand/supply. 1 The auction will be active if and only if satisfying the above conditions (Fig. 4).
(2) Iteration . Once the iteration starts, the potential amount C(r, C) is updated as below: where Q(r, c) = min{ m∈B A * m , n∈S A * n } , p b (r, C) = min {α i , A i ≥ 0} , p s (r, C) = max{β j , A j ≥ 0} and P = p b (r,C)−p s (r,C) ω max +σ max . We denote Q(r, C) as the minimum value of total demand and total supply; A coefficient P is used for gradients of marginal valuations or costs; Two variables p b (r, C) and p s (r, C) are defined to stimulate the much faster coverage in each iteration with the updated potential amount. We use ω max and σ max to denote the upper bound for buyers' valuations ∂A m |} ) and the upper bound for sellers' costs ( σ max ≥ max sup A n {| ∂ C n (A n ) ∂A n |} ). Note that the valuation function V m (A m ) and cost function C n (A n ) are updated with the penalty functions in the smart contract. The potential amount is expected to achieve a Nash Equilibrium quickly with the gradients of marginal valuations and costs.
The optimal allocation A * m and A * n are updated in each iteration, and agent derive their best responses. Given (r, C), the optimal allocations (for buyers/sellers) are where d m and h n are the updated amount for buyer m to purchase and for seller n to sell, respectively; B m (b) = {i ∈ B|α i > α m } ∪ {α i = α n and i < m} and S n (s) = {j ∈ S|β j > β n } ∪ {β i = β m and j < n}.
The updated potential amount C(r, C) can be iteratively derived based on the given potential amount C.
(3) Best Response . We use b * m and s * n to represent the best response of buyer m ∈ B and seller n ∈ S . With the bid profiles r = (b, s) and a pair of potential amounts (C, C) , the best response can be derived as below: In the divisible double auction program Prog da , the best response will be computed in each iteration and finally converge to a Nash Equilibrium. Notice that, in different applications (e.g., different divisible resources), the valuation and cost functions would be different. In this dynamic auction game, all the agents recompute their best response to the current strategies (bid profiles) of other agents.

Theorem 1 The divisible double auction (as program Prog da ) achieves individual rationality and incentive compatibility.
Proof First, suppose that the truthful bid profile provided by buyer m ∈ B , then we could obtain the non-negative payoff function f m (r) = V m (A * m ) − ρ(r i , r −i ) . Correspondingly, given the truthful bid profile provided by seller n ∈ S , f n (r) = ρ(r j , r −j ) − C n (A * n ), ∀n ∈ S . Thus, the truthful bid profiles show that the non-negative payoffs are guaranteed for all the agents in the auction (individual rationality is proven).
Second, we define the A m and A n as allocation of buyer m ∈ B and seller n ∈ S , separately. And A k m and A k n represent the allocation for k-iteration. We will verify the incentive compatibility for all buyers m ∈ B first for incentive compatibility. Suppose there is truthful bid pro- If we have A k m < A m , the below holds: , ∀m ∈ B with Case (A) and (B). Similar, incentive compatibility can be proven for all the sellers ∀n ∈ S .

Discussions
In this section, we analyze the security of the proposed hybridized TEE-Blockchain system and illustrate some real-world applications supported by the system. (7)

Security
Based on the key feature of isolation in enclave, Intel SGX enables the program (data) to be executed inside the secure container (enclave) for confidentiality and integrity. The adversary cannot interrupt the computation executed in a sandboxed environment (enclave). Note that enclave is created in its virtual address space by an untrusted hosting application with OS support.
Once enclave starts initialization, data and codes inside it will be isolated from the rest of the system. Note that the encrypted data are sent from agents to enclave through secure channels. However, other malicious servers cannot eavesdrop on the encrypted data and even tamper with the communication.
During the execution, if any agents abort/skip this step or behave dishonestly during the initialization , the execution will be terminated and refunds to the honest agents within the time threshold T 1 . Afterwards the computation starts, all agents send the encrypted inputs to the interface of SGX. In this phase, if no malicious behaviors are detected by the manager, the Relay R will forward the encrypted inputs to the enclave E . However, it is hard to determine if the agents behave dishonest (i.e., fail to send message) or the Relay behave malicious (i.e, dropping message) during the execution if the enclave E does not receive any incoming requests. Thus, all agents P and Relay R both receive the challenge request (we denote as request chal ). Within the certain time threshold T 2 , if agents response with inputs and procedure will move to the next steps. Otherwise, the agents are proved to be malicious. Similarly, if the Relay R is proven to be the malicious one, the protocol is terminate and set up state is fail . In terms of the last phase Finalization , the TEE return the final results to all the agents and publish the states on the blockchain. Note that during all the data flow, the deposits of malicious agents are not refunded for punishment.

Real-world applications
In practice, divisible resources which could be privately traded using our system, e.g., electricity , cloud resources (Jin et al. 2018;Fujiwara et al. 2010), and wireless spectrum (Kebriaei et al. 2016). We now discuss two of them as representative applications. Note that different valuation/cost functions will be defined and implemented in different applications.
Energy Trading. There is demand from power grid for trading the excessive locally generated energy, e.g., the renewable energy resources (Aliabadi et al. 2017;Faqiry and Das 2016). The proposed hybridized system is able to implement the privacy preserving divisible double auction for energy trading, due to the divisible of electricity resource. The valuation/cost functions are defined as V m (x m ) = ζ m log(x m + 1) and C n (y n ) = a n y 2 n + b n y n (Bompard et al. 2007), where ζ m is a parameter leveraged by the behavior preference of buyer. The parameter of a n and b n are used for leveraging how much the sellers incline to sell. The valuation/cost functions follow the general assumption illustrated in "Auction mechanism design" section. Eventually, hybridized system only generate the clearing price for the auction to all the agents. The energy amount of each pair of buyer and seller will only obtain the amount traded between them.
Wireless Bandwidth Allocation. We can model the wireless bandwidth allocation (Feng et al. 2015;Zhang et al. 2016b) based on our proposed hybridized system for network traffic and services. In terms of a MVNO (Mobile Virtual Network Operator), the valuation function for buyer m is defined as V m (x m ) = ζ m ln(x m ) where ζ m defined as a positive-valued parameter. This indicates that buyers willing to pay for the bandwidth. Meanwhile, the cost function of seller n, an InP (Infrastructure Provider) is denoted as C n (y n ) = α n e y n , where y n presents the bandwidth it can supply and α n as another positive-valued parameter (bandwidth) for the seller n. As expected, the valuation/cost functions are also follow the general assumptions, and execute privately and truthfully via hybridized system for such divisible double auction.
Each agent can be either a buyer or seller in the auction for both applications.
In the experiments of energy trading/auction, we utilize the valuation function V m (x m ) = ζ m log(x m + 1) and cost function C n (y n )=a n y 2 n + b n y n , as detailed in Zou et al. (2017). We adopt the same parameters ζ m = 50 , a n = 30 and b n = 0 as Zou et al. (2017). Similarly, wireless bandwidth allocation is implemented with the valuation function V m (x m ) = ζ m ln(x m ) and cost function C n (y n ) = α n e y n , where ζ m = 50 and a n = 2 Feng  (2015). For the energy trading, real datasets from the UMASS Trace Repository (Barker et al. 2012) are adopted while synthetic datasets are generated per (Feng et al. 2015;Zhang et al. 2016b) for the wireless bandwidth allocation.

Off-chain evaluation
Performance Evaluation We first evaluate system performance for securely perform computation for the auction (the off-chain computation for the optimal allocation). Figure 5a presents the percentage of total reduced runtime for the off-chain computation by comparing the our hybridized TEE-blockchain system ("Hybrid") with the cryptographic protocol based double auction system (Liu et al. 2020) ("PANDA"). Note that this evaluation is performed by the varying the number of agents (from 50 to 200) with the different key sizes (from 512-bit to 2048-bit). As shown in Fig. 5a, compared with "PANDA", the runtime of our ("Hybrid") has been significantly reduced for all different key sizes. The hybridized system ("Hybrid") shows the higher efficiency and scalability by reducing more than 15 % runtime (on average) with strong security guarantees (in case of the 2048-bit key size), 18 % average runtime for 1024-bit key size and 35% average runtime for 512-bit key size. Furthermore, Fig. 5b illustrates the comparison between the total bandwidth for ("PANDA") and ("Hybrid") during the auction. The "PANDA" composes cryptographic primitives for secure computation, which results in heavy burdens for computation. With the TEEblockchain system, the bandwidth of "Hybrid" has been drastically reduced to make the communications more efficient.
In addition, Fig. 5c presents the latency of 720 different auctions. The latency of our hybridized system is less than 1 s for most auctions, which is also significantly lower than the cryptographic protocols (PANDA). It indicates that the real-time performance of divisible double auction can be achieved via the hybridized TEE-blockchain system. Finally, Fig. 5d illustrates the throughput (bits/sec) of the system on a varying number of agents (1024-bit key). Essentially, throughput measures the amount of data transmitted during a specified time period via a network, interface, or channel. In this case, we use the throughput to measure the average size of the encrypted data that are transmitted among different agents per second. It is defined as throughput (bits/ sec) = (the average data size of all the communication channels)/(the average time). Note that the average time includes the agents' local computational time. As shown in Fig. 5d, the throughput of "Hybrid" increases slower than "PANDA" as the number of agents increases. Case study. We also conduct empirical studies for two example applications (energy trading and wireless bandwidth allocation) in case of 20 agents, including 12 buyers and 8 sellers. Figures 6 and 7 demonstrate the detailed results on (1) allocation ( A * m (b, C) and A * n=1 (s, C) ), (2) potential amount (C), and (3) social welfare ( F (·) ) in each iteration until achieving the Nash Equilibrium, for both applications.
First, Figs. 6a and 7a show the allocation for five randomly picked agents (three buyers and two sellers) in different iterations. The allocation of both buyers and sellers increase and finally achieve the optimally allocated amount after multiple iterations. Second, in Figs. 6b and 7b, the potential amount of the auction (used for updating the allocation for buyers and sellers in each iteration) grows until convergence while moving to new iterations. Finally, the social welfare ( F (·) ) is derived based on equation F (·) = m∈B V m (A m ) − n∈S C n (A n ) . Figure 6c presents an increasing trend in multiple iterations and the social welfare of energy trading converges to the maximum value $38 while the social welfare of the wireless bandwidth allocation in Fig. 7c converges to the maximum value $75.

On-chain performance evaluation
Besides the off-chain computation, we demonstrate the performance of on-chain transactions.  shows the runtime for different package functionalities.

Related work
There were some other auction mechanisms for allocating divisible resources, i.e., spectrum allocation (Wu et al. 2011;Dong et al. 2012). Combinatorial auctions (Dong et al. 2012) was discussed for cognitive radio networks. Strategy-proof mechanism for multi-radio spectrum buyers was proposed by Wu and Vaidya (Wu et al. 2011). A sealed-bid reserve auction was modeled for the radio spectrum allocation problem. Hoefer et al. (Hoefer et al. 2014) investigated the combinatorial auctions with a conflict graph via an approximation algorithm (LP formulation). Other studies related to divisible resources auctions focused on the revenue maximization (Jia et al. 2009) or the efficiency of social maximization (Dong et al. 2012;Gopinathan and Li 2010). The privacy concerns in auction mechanism for divisible resources have been raised in Chen et al. (2014); Huang et al. (2015). In Suzuki and Yokoo (2003) cryptographic techniques were proposed for achieving the privacy and security in the auction game. A cryptographic scheme for one-side auctions was proposed in Huang Huang et al. (2013). In addition, Cheng et al. (2019) presented the complementary characters for blockchain and TEE, the rigorous security proofs are provided to support the confidentiality of the hybrid system. Also, the Hawk system (Kosba et al. 2016) was designed as a decentralized smart contract framework for running the contracts off-chain while posting zeroknowledge proofs on-chain. Zhang et al. (2016a) proposed a system Town Crier that authenticates data feed using smart contracts supported by the Ethereum platform. It enables data fetching from existing HTTPenabled data sources, and utilizes TEE to execute its core functionality and protect its data against malicious attackers.
In the context of double auction, a recent scheme was proposed to protect privacy for the bids (Liu et al. 2020). However, it requires a heavy computation burden by composing the cryptographic primitives. Instead, ETA (Liu et al. 2021a) was proposed for an efficient and private system, which securely executes double auction for allocating divisible resources among distributed agents within the Intel SGX. However, TEE cannot guarantee the availability (as the host can terminate TEE). We extend the ETA system to the Hybridized TEE-Blockchain System (Liu et al. 2021b), which enables smart contract execution on the blockchain to ensure strong integrity and availability with high efficiency. Therefore, the proposed hybridized system can securely and efficiently perform secure computation for the double auction.

Conclusion
In this paper, we design a hybridized TEE-Blockchain system to securely execute divisible double auction among distributed agents within the enclave in a highly efficient way. Meanwhile, it interacts with the blockchain for validation and storage. The proposed divisible double auction mechanism guarantees individual rationality, incentive compatibility, weak budget balance and pareto efficiency. The input private data of all the agents in the divisible double auction can also be protected in the hybridized system. The experimental results have demonstrated both effectiveness and efficiency for the designed hybridized system to privately compute the optimal allocation and execute the divisible double auction.