360 likes | 380 Views
This paper introduces a reputation system for anonymous networks, where peers can establish trust and make informed transactions without revealing their real identities. The proposed system ensures anonymity, security, and correctness.
E N D
Reputation Systemsfor Anonymous Networks Seung Geol Choi Columbia University joint work with Elli Androulaki, Steven M. Bellovin, Tal Malkin Columbia University
Contents • Introduction • Security Model • Our Construction • Future Directions
P2P in Anonymous networks - 1 • P2P in Anonymous networks • Underlying network is anonymous (eg. Mixnet, Onion Router) • Each peer represents himself via a pseudonym • Real identity need not be revealed in transactions
P2P in Anonymous networks - 2 • Total anonymity is problematic • Misbehaviors are untraceable: peers can easily change their pseudonyms arbitrarily. Misbehaviors remain unpunished Honest peers suffer from misbehaviors • One reasonable solution: reputation system
Reputation system • After a transaction, pseudonym P gives a reputation point to pseudonym Q. • Reputation value of P: total rep-points P has gained. • Reputation values are easily accessible. • Based on the reputation, peers can decide whether to execute a transaction with that peer. • Reputation values should be bound to each peer (identity) not pseudonym.
Identity-Bound Reputation • Why identity-bound? • Malicious peer are willing to change his pseudonym to a new one reputation system doesn’t serve its purpose. • Honest peer are reluctant to change his pseudonym Anonymity is not enjoyed by him. • To achieve it, we need a trusted party to manage reputations correctly.
Honest vs. Honest-but-curious • In existing systems [V04, S06], the trusted party is assumed totally-honest. • It knows who gives a reputation point to whom, but is assumed to keep the information secret. • But, better assume it is honest-but-curious • We can not make sure that it doesn’t leak the traffic information; anonymity may be compromised. • Need a system that remains anonymous even to the trusted party.
Our Contribution • Propose identity-bound reputation system in P2P pseudonymous networks • Definition of Security • Anonymity holds even if the bank is trying to break it. • Construction
Participating Entities • Peers • Regular users of a P2P network • Buyers and/or Merchants • Each peer has one or more pseudonyms • Bank • Manages reputation database wrt each peer • Honest-but-curious Correctly updates reputation info. may try to break unlinkability (discussed later)
Operations - 1 • Key Generation Algorithms • Bank: Bkeygen() • Peer’s Identity: Ukeygen() • Peer’s Pseudonym: Pnymgen()
Operations - 2 • RepCoin Related Operations • repcoins RepCoinWithdraw(U) : peer U withdraws repcoins from the Bank • Award(P[repcoin], Q): pseudonym P of U gives a repcoin to pseudonym Q of M • RepCoinDeposit(M, repcoin): received repcoin is deposited into M’s account in the Bank.
Reputation granting process Bank RepCoinWithdraw RepCoinDeposit U M P Q Award
Operations - 3 • Administrative Operations • proof Identify(repcoin): the Bank checks if the repcoin is double-spent. • VerifyGuilt(proof, repcoin): verify that the proof is correct
Operations - 4 • Reputation Showing • credential RepCredRequest(U): peer U obtains a credential according to its reputation • ShowReputation(P, credential): shows that pseudonym P has a certain reputation
Reputation showing process Bank RepCredRequest U M P Q ShowReputation
Correctness • Correct reputation granting process • If the process happens between honest bank and honest peers U and M, M’s reputation is increased by one. • Correct reputation showing process • If the process happens between honest bank and honest peers U and M, M can prove his reputation using RepCredRequest() and ShowReputation().
No Over-Awarding • No Collection of peers can award more repcoins than they withdrew. • If the same repcoin is used twice in awarding, the bank can find out who did it using Identify()/VerifyGuilt(). • We allow that the received repcoin may increase another peer’s reputation. • M can give the repcoin to M’ (collusion). Then M’ can use the repcoin in increasing its reputation. But, then the reputation of M is not increased.
Exculpability • Honest peer is protected from framing. • No coalition of peers, even with the Bank, can forge a proof such that Verifyguilt(proof, repcoin) is true.
Reputation Unforgeability • No coalition of peers can show a reputation which is greater than the highest of any of them. • A single peer cannot forge his reputation (special case) • If a peer U, by colluding with M, could show a reputation higher than its original one, then U must learn M’s master secret key.
Peer-Pseudonym Unlinkability • Peers consistent-looking with pseudonym P : all the peers that have more reputation than what P showed in reputation showing procedure. • Peer-Pseudonym Unlinkability • Given an honest pseudonym P, the adversary, colluding peers including Bank, guesses the owner of P no better than randomly guessing among the peers consistent-looking with P
Pseudonym-Pseudonym Unlinkability • Given two honest pseudonyms P and Q, the adversary, colluding peers including Bank, has no advantage in guessing whether P and Q belong to the same user as long as there are at least two honest peers consistent-looking with both P and Q.
Basic Approach - 1 • Reputation granting • Use e-cash as repcoin: provides anonymity for e-cash spenders. • Reputation showing • Use anonymous-credential system: provides anonymity for credential-holders.
Basic Approach - 2 • Reputation level • In reputation showing procedure, reputation is shown by the level. E.g. level x: the peer has more than 2x reputation points. • Showing exact reputation may compromise pseudonym-pseudonym unlinkability.
Reputation granting process Bank (S, pi) EC.Withdraw() EC.Deposit() W (S, pi) U M P Q EC.Spend()
Reputation showing process Bank AC.GrantCred() cred U M P Q AC.VerifyCred()
Caveat • The problem lies in achieving unlinkability • E-cash is not enough • only provides privacy on the awarding side.
Caveat: Reputation granting process Bank (S, pi) EC.Withdraw() EC.Deposit() W (S, pi) U M P Q EC.Spend() If Bank and U collude, they will know Q belongs to M
Idea • Introduce another level of blinding • Blind Permission: basically a blind signature. • Now, Q submits (S, pi) to the Bank. • Bank generates a blind signature and gives it to Q. • Then M submits the unblinded form of the signature to the Bank • Bank increases M’s reputation value.
Reputation granting process Bank sig BS.Sign() (S, pi) C W BS.Verify() (S, pi) U M P Q
Future Directions • Implementation • Better Security Model? • Less trust on the Bank? • Multi-unit Coins? • Negative Coins?