340 likes | 506 Views
Privacy-Preserving Relationship Path Discovery in Social Networks. Ghita Mezzour , Adrian Perrig, Virgil Gligor Carnegie Mellon University. Panos Papadimitratos EPFL. 8 th International Conference on Cryptology & Network Security Dec 13 th , 2009. Social Trust is Useful. d=3. d=3. ?. B.
E N D
Privacy-Preserving Relationship Path Discovery in Social Networks Ghita Mezzour, Adrian Perrig, Virgil Gligor Carnegie Mellon University Panos Papadimitratos EPFL 8th International Conference on Cryptology & Network Security Dec 13th, 2009
Social Trust is Useful d=3 d=3 ? B D A ? E Buyer Seller A B C D score F People nearby in a social network are more trusted E Privacy-preserving relationship path discovery scheme
A Social Networking Problem • Relationships => private information • Personal attributes • Personal associations Just by looking at a person’s online friends, they could predict whether the person was gay. Gay men had proportionally more gay friends than straight men. http://www.boston.com/bostonglobe/ideas/articles/2009/09/20/project_gaydar_an_mit_experiment_raises_new_questions_about_online_privacy/ • Private information is revealed by most SN sites
Partial Solution: Decentralization • Characteristics • Friend list managed locally • Secure channels between friends • Users may be offline • Some privacy concerns are alleviated • Censorship resistance B Secure channel Friend list A Friend list Friend list E
Agenda • Problem Definition • Protocol Overview • Analysis • Related Work • Conclusion
Private-Path Discovery • Private relationship path • First person on the relationship path • Distance to an individual on a relationship path d=3 A A B B C D D ? F d=3 E E ? Example of relationship paths from A to D Example of private paths from A to D of distance d ≤ 3
✕ ✕ Goal 1: Relationship Privacy Friends = A & C ✕ ✕ Trusted 3rd party B B C C C C B A A D E F F F B Private paths to D Private paths to D? E F ? Friends = B & E B B ? ? A D D A A ? D E E D A A A ? ? E Ideal Model Real Model
Goal 2: Distance Integrity • Trust => Distance integrity • Higher trust requires shorter distances • 1st user on path is most trusted ? ? • Non-integrity Concern • User shortens paths for succeeding users (but not past herself) C + A B D D
Goal 3: Completeness • Discovery of all private paths • Consent of individuals on path needed Consent A A B B C D D d=3 ? F d=3 E E ? 1 relationship path between A & D 2 relationship paths between A & D of distance ≤ 3 Corresponding private path Corresponding private paths
Adversary Model • User of the system • Single adversary • Account creation • Relationship establishment • Free to arbitrarily deviate from the protocol • Goal • Break relationship privacy • Break distance integrity A B C D F E Example
Agenda • Problem Definition • Protocol Overview • Analysis • Related Work • Conclusion
Solution Overview • Token flooding phase • Periodic run e.g. 1st day of each month • Private path discovery phase • On demand • Existing private paths returned ? B C D D A ? F E d=3 A B C D D Token Flooding phase Path discovery phase F A Example: When A & D meet at CANS Example: 1st day of each month E
Token Flooding Phase (1/2) T3 T1 T3=H(T1||1), 2 T4=H(T3||1), 3 T1=H(z||1), 1 z T4 T6 T2=H(z||2), 1 T6=H(T5||1), 3 A B C D T5=H(T2||1), 2 T’=H(T||ctr), d dmax=3 T2 T5 E F Originator A
Token Flooding Phase (2/2) ? T4=H(T3||1) • Local hash tree computationby originator • Depth • Maximum degree • In the paper: originator only computes propagated tokens ? T7=H(T3||2) T3=H(T1||1) ? ? T8=H(T1||2) T9=H(T8||1) T1=H(z||1) ? T10=H(T8||2) z ? ? T6=H(T5||1) T2=H(z||2) ? T11=H(T5||2) T5=H(T2||1) ? A B dmax=3 ? locally computes T12=H(T2||2) T13=H(T12||1) E ? A T14=H(T12||2) ?
Path Discovery Phase • User sends the tokens it received to the originator • Originator looks up tokens in the computed hash tree • Phase runs once for a given pair of users T4, T6 T4, T6 D D A B D A A T1=H(z||1) T3=H(T1||1) T4=H(T3||1) ? ? d=3 d=3 T2=H(z||2) T6=H(T5||1) T5=H(T2||1) ? ? E A
Multiple Originators Input: Input: Token distribution phase with A & E as originators A A A B C D D D F Private path discovery between A & D Private set intersection protocol Output: No output E
Agenda • Problem Definition • Protocol Overview • Analysis • Related Work • Conclusion
Network Topologies Used Mislove et al. IMC 07
Complexity Fi:Number of relationship paths of distance ≤ i starting from user X dmax = 3
Token Flooding – Computation Overhead ≅95%: 10 s ≅90%: 100 ms More connected 10-5 10-3 10-1 101000 Computation overhead per user (Token Flooding by all users)
Path Discovery – Computation Overhead ≅90%: 2 min ≅80 %: 16 min ≅70 %: 10 s More connected 10-2 1 102 104 Computation overhead for the user discovering the private paths
Future Work • Overhead reduction • Randomized discovery • Full dynamic topology support • New relationships established • Old relationships revoked • Colluding adversaries • Untrusted server
Related Work • RE: Reliable Email S. Garris, M. Kaminky, M. J. Freedman, B. Karp, D. Mazieres, H. Yu. In Symposium on Networked Systems Design and Implementation (NSDI), 2006 • Private Relationships in Social Networks B. Carminati, E. Ferrari, and A. Perego. In International Conference on Data Engineering Workshops, 2007 • A public-key protocol for social networks with private relationships J. Domingo-Ferrer. In Modeling Decisions for Artificial Intelligence, 2007 • Privacy Preserving Grapevines: Capturing Social Network Interactions Using Delegatable Anonymous Credentials. Vijay A. Balasubramaniyan, Yunho Lee, and Mustaque Ahamad. Georgia Tech Technical Report GT-CS-09-12, Sept 2009.
Conclusion • People nearby in a social network are more trusted • We proposed a scheme for privacy-preserving relationship path discovery • Works in decentralized social networks • Avoids privacy issues common in centralized sites • Many potential applications • Trust establishment • Access control • Email whitelisting
One Intermediate Friend vs. Longer Relationship Paths • One intermediate friend • Sufficient information available to users • Privacy-preserving information sharing • Longer relationship paths • Insufficient initial information • Privacy-preserving information distribution & sharing C A discovers that B is a common friendwith C without knowing the other friends of C Missing information A B E C A B D ? D C B B F D F E ?
Background – Private Set Intersection Protocol ≈ Trusted Third party No output A D Freedman et al. Eurocrypt 04
Background-Private set intersection • Private set intersection [Freedman et al. Eurocrypt 07] • Based on homomorphic encryption • Similar to public key encryption • Some operations on plaintext are possible without the private key
Complexities FiX Number of relationship paths of distance ≤ i starting from user X
Token Flooding Phase – Communication Overhead 100 MB 1 MB 10 MB 102 104 106 108 1010 Communication overhead per user
Path Discovery Phase – Communication Overhead 102 104 106 108 Communication overhead for both users involved in the discovery
Basic Scheme – Privacy Leak • Leakage of the relative positioning of users • After private path discovery phase with multiple users ? T5=H(T3||1),3 T3=H(T1||1),2 D ? B T6=H(T3||2),3 T1=H(z||1),1 ? F A D ? B D T2=H(z||2),1 T7=H(T4||1),3 T4=H(T2||1),2 A F ? C Example topology T8=H(T4||2),3 C E A’s perception of the social network topology ? F
Randomization Technique T4=H(T5||2||1 ) T3=H(T1||2||1 ) T7=H(T5||3||1 ) T5=H(T1||3||1 ) Received token Distance Count D T6=H(T1||3||2) T8=H(T5||3||2 ) E T3=H(T1||2||1 ) ,2 T5=H(T1||3||1 ) T6=H(T1||3||2 ) T6,3 T1=H( z||1|1 ) F B D B T5,3 T1=H( z||1|1 ) ,1 E F A T2=H( z||1|2 ) A E D T4=H(T2||2||1 ) ,2 T7=H(T2||3||1 ) T8=H(T2||3||2 ) T7,3 T2=H(z||1||2),1 C E C D T8,3 F Tokens Propagated Hash Tree F
Privacy Analysis • Leakage of the total num of paths with d ≤ dmax of the other party • No linkage among runs with different users D T2 H(T1||2||1) H(T1||2||2) T3 B T1 H(T1||3||1) T4 H( z||2||1 ) H(T1||3||5) … T8 ? F D ? z ? T10 ? B H( z||1||2 ) H(T9||2||1) B D ? ? H(T9||2||2) T11 ? F A ? T9 A F F ? H(T9||3||1) C D C ? T12 F H(T9||3||3) … C E ? ? T14 D A’s perception of the network topology Example topology Hash Tree