Reputation Systems for Anonymous Networks Seung Geol Choi joint work with

advertisement
Reputation Systems
for Anonymous Networks
Seung Geol Choi
Columbia University
joint work with
Elli Androulaki, Steven M. Bellovin, Tal Malkin
Columbia University
Contents




Introduction
Security Model
Our Construction
Future Directions
Introduction
P2P in Anonymous networks - 1

P2P in Anonymous networks



Underlying network is anonymous (eg. Mixnet,
Onion Router)
Each peer represents himself via a pseudonym
Real identity need not be revealed in
transactions
P2P in Anonymous networks - 2

Total anonymity is problematic


Misbehaviors are untraceable: peers can easily
change their pseudonyms arbitrarily.
 Misbehaviors remain unpunished
 Honest peers suffer from misbehaviors
One reasonable solution: reputation system
Reputation system



After a transaction, pseudonym P gives a
reputation point to pseudonym Q.
Reputation value of P: total rep-points P
has gained.
Reputation values are easily accessible.


Based on the reputation, peers can decide
whether to execute a transaction with that
peer.
Reputation values should be bound to each
peer (identity) not pseudonym.
Identity-Bound Reputation

Why identity-bound?



Malicious peer are willing to change his
pseudonym to a new one
 reputation system doesn’t serve its purpose.
Honest peer are reluctant to change his
pseudonym
 Anonymity is not enjoyed by him.
To achieve it, we need a trusted party to
manage reputations correctly.
Honest vs. Honest-but-curious

In existing systems [V04, S06], the trusted
party is assumed totally-honest.


But, better assume it is honest-but-curious


It knows who gives a reputation point to whom, but is
assumed to keep the information secret.
We can not make sure that it doesn’t leak the traffic
information; anonymity may be compromised.
Need a system that remains anonymous even to
the trusted party.
Our Contribution

Propose identity-bound reputation system
in P2P pseudonymous networks

Definition of Security


Anonymity holds even if the bank is trying to break it.
Construction
Security Model
Participating Entities

Peers




Regular users of a P2P network
Buyers and/or Merchants
Each peer has one or more pseudonyms
Bank


Manages reputation database wrt each peer
Honest-but-curious
 Correctly updates reputation info.
 may try to break unlinkability (discussed
later)
Operations - 1

Key Generation Algorithms



Bank: Bkeygen()
Peer’s Identity: Ukeygen()
Peer’s Pseudonym: Pnymgen()
Operations - 2

RepCoin Related Operations



repcoins  RepCoinWithdraw(U)
: peer U withdraws repcoins from the Bank
Award(P[repcoin], Q)
: pseudonym P of U gives a repcoin to
pseudonym Q of M
RepCoinDeposit(M, repcoin)
: received repcoin is deposited into M’s account
in the Bank.
Reputation granting process
Bank
RepCoinWithdraw
U
P
RepCoinDeposit
Award
Q
M
Operations - 3

Administrative Operations


proof  Identify(repcoin)
: the Bank checks if the repcoin is double-spent.
VerifyGuilt(proof, repcoin)
: verify that the proof is correct
Operations - 4

Reputation Showing


credential  RepCredRequest(U)
: peer U obtains a credential according to its
reputation
ShowReputation(P, credential)
: shows that pseudonym P has a certain
reputation
Reputation showing process
Bank
RepCredRequest
U
P
ShowReputation
Q
M
Security
Correctness

Correct reputation granting process


If the process happens between honest bank
and honest peers U and M, M’s reputation is
increased by one.
Correct reputation showing process

If the process happens between honest bank
and honest peers U and M, M can prove his
reputation using RepCredRequest() and
ShowReputation().
No Over-Awarding



No Collection of peers can award more
repcoins than they withdrew.
If the same repcoin is used twice in
awarding, the bank can find out who did it
using Identify()/VerifyGuilt().
We allow that the received repcoin may
increase another peer’s reputation.

M can give the repcoin to M’ (collusion). Then M’
can use the repcoin in increasing its reputation.
But, then the reputation of M is not increased.
Exculpability

Honest peer is protected from framing.

No coalition of peers, even with the Bank, can
forge a proof such that Verifyguilt(proof,
repcoin) is true.
Reputation Unforgeability

No coalition of peers can show a reputation
which is greater than the highest of any of
them.


A single peer cannot forge his reputation
(special case)
If a peer U, by colluding with M, could
show a reputation higher than its original
one, then U must learn M’s master secret
key.
Peer-Pseudonym Unlinkability

Peers consistent-looking with pseudonym P
: all the peers that have more reputation than
what P showed in reputation showing procedure.

Peer-Pseudonym Unlinkability

Given an honest pseudonym P, the adversary,
colluding peers including Bank, guesses the
owner of P no better than randomly guessing
among the peers consistent-looking with P
Pseudonym-Pseudonym
Unlinkability

Given two honest pseudonyms P and Q, the
adversary, colluding peers including Bank, has
no advantage in guessing whether P and Q
belong to the same user as long as there are at
least two honest peers consistent-looking with
both P and Q.
Our Construction
Basic Approach - 1

Reputation granting


Use e-cash as repcoin: provides anonymity for
e-cash spenders.
Reputation showing

Use anonymous-credential system: provides
anonymity for credential-holders.
Basic Approach - 2

Reputation level


In reputation showing procedure, reputation is
shown by the level.
E.g. level x: the peer has more than 2x
reputation points.
Showing exact reputation may compromise
pseudonym-pseudonym unlinkability.
Reputation granting process
Bank (S, pi)
EC.Withdraw()
EC.Deposit()
W
U
P
(S, pi)
EC.Spend()
Q
M
Reputation showing process
Bank
AC.GrantCred()
cred
U
P
AC.VerifyCred()
Q
M
Caveat

The problem lies in achieving unlinkability


E-cash is not enough
only provides privacy on the awarding side.
Caveat: Reputation granting
process
Bank (S, pi)
EC.Withdraw()
EC.Deposit()
W
U
P
(S, pi)
EC.Spend()
Q
If Bank and U collude, they will know Q
belongs to M
M
Idea

Introduce another level of blinding





Blind Permission: basically a blind signature.
Now, Q submits (S, pi) to the Bank.
Bank generates a blind signature and gives it to
Q.
Then M submits the unblinded form of the
signature to the Bank
Bank increases M’s reputation value.
Reputation granting process
Bank sig
(S, pi)
BS.Sign()
C
W
U
P
(S, pi)
BS.Verify()
Q
M
Future Directions
Future Directions


Implementation
Better Security Model?



Less trust on the Bank?
Multi-unit Coins?
Negative Coins?
Thank you
Download