Uploaded by grb7274

3. Lightweight and Robust Schemes for Privacy Protection in Participatory Sensing

ANISHA M. LAL
Participatory Sensing
• Sensing by individuals and groups of people who contribute sensory
information
• PS is a process whereby individuals and communities use ever-more-capable
mobile phones and cloud services to:
• Collect and analyse systematic data
• Use it in the discovery of new facts
Applications of Participatory Sensing
• Retrieving information from individuals and groups of people
• Weather, environment information, pollution
• Information for waste management, road faults
• Health, traffic congestion and urban mobility
• Disaster management, such as flood, fire and health issues
Network Model
• The network consists of contributors, central servers, and consumers.
• Contributors upload sensing data to central servers;
• central servers manage the uploaded data, and prepare it for presentation to
consumers;
• consumers retrieve the data presented from central servers.
• Contributors may be volunteers who are willing to install application software on
their smartphones for participatory sensing. The real identities of contributors
should be shielded for the protection of personal privacy such as locations, location
dynamics over time, trajectory, and so on.
• Central servers store the uploaded data from contributors. The data may be cleaned,
refined, reorganized, and finally provided to consumers as presenting data.
Attack model
• We concentrate on adversaries targeting peers instead of channels, as channels between
contributors and central servers are protected by other inherent security mechanisms (e.g.,
encryption and integrity protection) at link layers such as IEEE 802.11i, GPRS, or CDMA.
• We focus on contributors and central servers. The adversaries targeting contributors consist
of two major types:
• (1) Contributors who upload forged data to misinform central servers. Thus, this kind of
contributor should be detected and the forged data should be removed, which is carried out
at the central servers.
• (2) Contributors who may intentionally bypass or breach the proposed defense scheme. In
other words, the proposed scheme should defend against internal malicious contributors.
• The central servers may leak contributor privacy data such as location, trajectory, behaviors,
and habits.
Design Goals
• The design goals have three facets, as follows:
• confirming the trustworthiness of uploaded data in the presence of possible
malicious contributors;
• protecting contributor privacy without admission control;
• maintaining the robustness of the proposed defense system to impede those
malicious contributors who intend to subvert it.
• The proposed scheme is called LibTip (lightweight and robust for trustworthiness and
privacy)
Data Trustworthiness
• Uploaded data. These are the data sent from contributors to central servers to report on
surroundings.
• Actual data on surroundings. These are the actual data correctly reporting on surroundings.
• Trusted contributors. These are contributors whose uploaded data are accurate data on
surroundings.
• Bad-mouth contributors. These are contributors whose uploaded data are inaccurate data on
surroundings.
• Bad-mouth attacks. Such attacks are launched by bad-mouth contributors, whose uploaded
data are inaccurate.
• (Inf-policy-I) average D = Avg(Di) = ∑Di, where Avg() is a standard
function computing the average value of input parameters Di. This policy
may be used for all types of uploaded data.
• (Inf-policy-II) median D = Med(Di), where Med(Di) is a standard function
returning the median value of input parameters Di. This policy may be used
for all types of uploaded data.
• (Inf-policy-III) distance average
• (Inf-policy-IV) time average
Reputation evaluation
• Suppose the current contributor reputation is R. To evaluate contributor
reputation dynamics, we propose the following evaluation policies:
Contributor privacy protection
• Contributor actual identification. This is the essential identification of a contributor
for uniquely distinguishing him/her, for example, student ID, driver's license ID,
social security number, and so on.
• Contributor privacy (CNP). This is the probability that central servers correctly
identify the contributor actual identification after observing the uploaded data of
the contributor.
• Contributor Perfect Privacy. This is guaranteed if and only if CNP = 0.
• Contributor Anonymous Identity. This is a unique identity to distinguish each
contributor in the reputation system.
The procedures for contributor privacy protection consist
of the following steps:
• (PP-Step1) Initial key preparation. When a contributor sends uploaded data for the first time, its
contributor reputation is set as an initial value of r0. It belongs to an initial group with a group
identity of gid = gid0, and has an initial group authentication key of gak = gak0. Both gid and gak
have been deployed previously by application software on smartphones.
• (PP-Step2) Contributors generate their contributor anonymous identity. The contributor
anonymous identity is randomly generated with a fixed length, when each contributor sends
uploaded data to the central servers.
• (PP-Step3) Contributors upload data to central servers. The uploaded data from a contributor to
the central servers is a six-tuple:
• <cai, l, t, d, h(gak ‖ cai), gid>
• where cai is the contributor anonymous identity; l is the location identity of the uploaded data; t is
the time stamp of uploaded data; d is the data of the surroundings; h(·) is a one-way and
collision-free function.
• (PP-Step4) Central servers verify the validity of contributors. Central servers search gak by gid, and verify
whether h(gak ‖ cai) is correct or not. If it is correct, central servers deem that the contributor possesses the
group gid, and thus has the corresponding reputation value of that group.
• (PP-Step5) Central servers update reputation. The reputation system in the central servers stores the
contributor reputation of each contributor, and updates reputation values for contributors via the
aforementioned reputation evaluation policies. That is to say, each contributor has a corresponding
contributor reputation value that is computed and maintained by the reputation system.
• (PP-Step6) The central servers update gak and gid. The reputation system maintains an update
period. It is a period determined by the central servers for updating all group authentication keys
and group identities.
• (PP-Step7) Contributors update gak and gid. The contributors in the same group receive the same group
authentication key (gak) and group identity (gid). The contributor replaces the old values of gid and gak with
the new ones.
Robustness enhancement
• Traitor contributors. These are the contributors who leak the group
authentication key to other contributors, so that other contributors can
obtain advantages; for example, easily obtain a higher reputation value.
• Key leakage attack. Traitor contributors leak the group authentication key to
other contributors, so that other contributors can obtain a corresponding
reputation directly, avoiding any reputation evaluation procedure.
• To further enhance the robustness of the scheme, we propose the following two methods.
• (ROB-M1) Counting group members. At the end of each updating period, the central servers
record the total number of group members. In the next period, when a member with a different
contributor anonymous identity joins the group, the central servers will decrease the count. Once
the count reaches zero, newcomers who ask to join the group are not permitted to do so.
• This method can limit the influence of the leaking of the group authentication key and detect the
key-leaking attack.
• (ROB-M2) Traitor tracing. It is appropriate that central servers can trace the traitor who exposes
the authentication group key to other contributors. The naive method is to change the group
authentication key. For example, this can be achieved by making the group authentication key
consist of two parts: one is the group authentication key generated by the central servers; the
other is the private key generated by the contributors. The traitor can be traced through the
distinct group authentication key.
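A sketch of the server-side check in PP-Step4 combined with the ROB-M1 member count, as an added example that is not code from the slides or from LibTip. It assumes SHA-256 for h, reads h(gak ‖ cai) as the hash of gak concatenated with cai, uses a 16-byte cai that a contributor keeps for one update period, and uses hypothetical names (tag, make_upload, CentralServer).

```python
import hashlib
import hmac
import secrets

CAI_LEN = 16  # assumed fixed length of a contributor anonymous identity (bytes)

def tag(gak: bytes, cai: bytes) -> bytes:
    """h(gak || cai). SHA-256 stands in for h; cai has fixed length, so the
    concatenation is unambiguous."""
    return hashlib.sha256(gak + cai).digest()

def make_upload(gid, gak, location, timestamp, data, cai=None):
    """PP-Step2/3: pick a random cai and build <cai, l, t, d, h(gak||cai), gid>."""
    cai = cai or secrets.token_bytes(CAI_LEN)
    return (cai, location, timestamp, data, tag(gak, cai), gid)

class CentralServer:
    def __init__(self):
        self.groups = {}  # gid -> per-period group state

    def start_period(self, gid, gak, reputation, member_count):
        """PP-Step6 plus ROB-M1: install the period's key and the number of
        distinct identities allowed to join (last period's member count)."""
        self.groups[gid] = {"gak": gak, "reputation": reputation,
                            "seen": set(), "slots": member_count}

    def accept(self, upload):
        """PP-Step4 with the ROB-M1 check. Returns the group reputation,
        or None when the upload is rejected."""
        cai, _loc, _ts, _data, h, gid = upload
        group = self.groups.get(gid)
        if group is None or len(cai) != CAI_LEN:
            return None
        if not hmac.compare_digest(h, tag(group["gak"], cai)):
            return None                      # sender does not hold this group's gak
        if cai not in group["seen"]:
            if group["slots"] == 0:
                return None                  # more identities than members: leaked key
            group["slots"] -= 1
            group["seen"].add(cai)
        return group["reputation"]
```

A rejection at the slots check is the detection signal ROB-M1 describes: a valid tag from an identity beyond the recorded group size means the key is held by more parties than the group had members.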
The components of the scheme LibTip
Summary
• We proposed a further lightweight scheme, LibTip, to guarantee data
trustworthiness, reputation evaluation, contributor privacy protection, and
robustness against internal attackers in participatory sensing. LibTip provides
an integral solution package consisting of a set of methods, policies, and
procedures.