AnonRep: Towards Tracking-Resistant Anonymous Reputation Ennan Zhai - - PowerPoint PPT Presentation

anonrep towards tracking resistant anonymous reputation
SMART_READER_LITE
LIVE PREVIEW

AnonRep: Towards Tracking-Resistant Anonymous Reputation Ennan Zhai - - PowerPoint PPT Presentation

Feb 19, 2023 382 likes •1.59k views

AnonRep: Towards Tracking-Resistant Anonymous Reputation Ennan Zhai 1 David Isaac Wolinsky 2 , Ruichuan Chen 3 , Ewa Syta 1 , Chao Teng 2 , Bryan Ford 4 1 Yale 2 Facebook 3 Bell Labs 4 EPFL Background There is too much information on

slide-1
SLIDE 1

AnonRep: Towards Tracking-Resistant Anonymous Reputation

Ennan Zhai1

David Isaac Wolinsky2, Ruichuan Chen3, Ewa Syta1, Chao Teng2, Bryan Ford4

1 Yale 2 Facebook 3 Bell Labs 4 EPFL

slide-2
SLIDE 2

Background

  • There is too much information on today’s Internet
  • Reputation system is employed:
  • Highlighting information quality
  • Filtering spam
slide-3
SLIDE 3

Background

  • There is too much information on today’s Internet
  • Reputation systems are employed:
  • Highlighting information quality
  • Filtering spam
slide-4
SLIDE 4

Stack Overfmow

slide-5
SLIDE 5

Reputation System

slide-6
SLIDE 6

Reputation System

slide-7
SLIDE 7

Reputation System

slide-8
SLIDE 8

Messages Author (Score) Votes

...

...

...

...

...

... ... ...

Reputation System

slide-9
SLIDE 9

Messages Author (Score) Votes

I like NSDI’16

Alice (0)

...

...

...

... ... ...

Reputation System

slide-10
SLIDE 10

Messages Author (Score) Votes

I like NSDI’16

Alice (0)

...

...

...

... ... ...

Reputation System

slide-11
SLIDE 11

Messages Author (Score) Votes

I like NSDI’16

Alice (0)

...

...

...

... ... ...

Reputation System

slide-12
SLIDE 12

Messages Author (Score) Votes

I like NSDI’16

Alice (0)

...

...

...

... ... ...

Bob Eve Dave

Reputation System

slide-13
SLIDE 13

Messages Author (Score) Votes

I like NSDI’16

Alice (0)

...

...

...

... ... ...

Bob Eve Dave

Reputation System

slide-14
SLIDE 14

Messages Author (Score) Votes

I like NSDI’16

Alice (0)

...

...

...

... ... ...

Bob Eve Dave

Like: 3

Reputation System

slide-15
SLIDE 15

Messages Author (Score) Votes

I like NSDI’16

Alice (3)

...

...

...

... ... ...

Bob Eve Dave

∑Vi=1+1+1=3

Like: 3

Reputation System

slide-16
SLIDE 16

Messages Author (Score) Votes

I like NSDI’16

Alice (3)

Don’t play with AlphaGo

Alice (3)

...

... ... ... Like: 3

Reputation System

slide-17
SLIDE 17

Messages Author (Score) Votes

I like NSDI’16

Alice (3)

Don’t play with AlphaGo

Alice (3)

Yale colleges are bad

Bob (1) ... ... Like: 3

Reputation System

slide-18
SLIDE 18

Messages Author (Score) Votes

I like NSDI’16

Alice (3)

Don’t play with AlphaGo

Alice (3)

Yale colleges are bad

Bob (1) ... ... Like: 3

Alice Dave

Reputation System

slide-19
SLIDE 19

Messages Author (Score) Votes

I like NSDI’16

Alice (3)

Don’t play with AlphaGo

Alice (3)

Yale colleges are bad

Bob (1) ... ... Like: 3

Dislike: 2

Alice Dave

Reputation System

slide-20
SLIDE 20

Messages Author (Score) Votes

I like NSDI’16

Alice (3)

Don’t play with AlphaGo

Alice (3)

Yale colleges are bad

Bob (-1) ... ... Like: 3

∑Vi=1-1-1=-1

Alice Dave

Dislike: 2

Reputation System

slide-21
SLIDE 21
  • People want to participate in these reputation

systems anonymously :

  • Sensitive topics
  • Business competitions
  • Other personal concerns
  • Blind signature-based efforts:
  • Also limited to positive feedback;
  • Need a centralized banker.

People Care About Privacy

slide-22
SLIDE 22
  • People want to participate in these reputation

systems anonymously :

  • Sensitive topics;
  • Business competitions;
  • Other concerns.
  • Blind signature-based efforts:
  • Also limited to positive feedback;
  • Need a centralized banker.

People Care About Privacy

slide-23
SLIDE 23

TARGET: Linkability Problem

slide-24
SLIDE 24

Messages Author (Score) Votes

I like NSDI’16

Alice (3)

Don’t play with AlphaGo

Alice (3)

Yale colleges are bad

Bob (-1) ... ... Like: 3

Alice Dave

Dislike: 2

TARGET: Linkability Problem

slide-25
SLIDE 25

Messages Author (Score) Votes

I like NSDI’16

Alice (3)

Don’t play with AlphaGo

Alice (3)

Yale colleges are bad

Bob (-1) ... ... Like: 3

Alice Dave

Dislike: 2

TARGET: Linkability Problem

Reputation system provider

slide-26
SLIDE 26

Messages Author (Score) Votes

I like NSDI’16

Alice (3)

Don’t play with AlphaGo

Alice (3)

Yale colleges are bad

Bob (-1) ... ... Like: 3

Alice Dave

Dislike: 2

TARGET: Linkability Problem

slide-27
SLIDE 27

Reputation system provider and any user should not be able to link any user’s activities

Anonymous Reputation System

slide-28
SLIDE 28

Existing Efforts

  • E-Cash based approaches [1]:
  • Only support positive feedback
  • Not support diverse reputation algorithms
  • Blind signature-based efforts [2]:
  • Also limited to positive feedback
  • Need a centralized banker

[1] John Bethencourt et al. Signatures of reputation. In FC’10. [2] Elli Androulaki et al. Reputation systems for anonymous networks. In PETS’08.

slide-29
SLIDE 29

Existing Efforts

[1] John Bethencourt et al. Signatures of reputation. In FC’10. [2] Elli Androulaki et al. Reputation systems for anonymous networks. In PETS’08.

  • E-Cash based approaches [1]:
  • Only support positive feedback
  • Not support diverse reputation algorithms
  • Blind signature-based efforts [2]:
  • Also limited to positive feedback
  • Need a centralized banker
slide-30
SLIDE 30

Existing Efforts

The primitives they depend on are computationally expensive!

[1] John Bethencourt et al. Signatures of reputation. In FC’10. [2] Elli Androulaki et al. Reputation systems for anonymous networks. In PETS’08.

  • E-Cash based approaches [1]:
  • Only support positive feedback
  • Not support diverse reputation algorithms
  • Blind signature-based efforts [2]:
  • Also limited to positive feedback
  • Need a centralized banker
slide-31
SLIDE 31

Our Goals

  • Tracking-resistant anonymous reputation:
  • Unlinkability and anonymity of users’ activities
  • Diverse reputation utilities (algorithms)
  • No need trust any centralized party
  • Scalable to large-size user set
slide-32
SLIDE 32

Our Goals

  • Tracking-resistant anonymous reputation:
  • Unlinkability and anonymity of users’ activities
  • Diverse reputation utilities (algorithms)
  • No need trust any centralized party
  • Scalable to large-size user set
slide-33
SLIDE 33

Messages Author (Score) Votes

I like NSDI’16

Alice (3)

Don’t play with AlphaGo

Alice (3)

Yale colleges are bad

Bob (-1) ... ... Like: 3

Alice

Dislike: 2

Example

Dave

slide-34
SLIDE 34

Messages Author (Score) Votes

I like NSDI’16

xowa (3)

Don’t play with AlphaGo

f891 (3)

Yale colleges are bad

3fio (-1) ... ... Like: 3

k892

Example ✘ ✘ ✘

Dislike: 2

ji12

slide-35
SLIDE 35

Technical Challenges

slide-36
SLIDE 36

Technical Challenges

  • Reputation update relies on activities tracking
  • Misbehaviors detection

It is a paradox in practice!

slide-37
SLIDE 37

Technical Challenges

  • Reputation update relies on activities tracking
  • Misbehaviors (e.g., duplicate voting) detection
slide-38
SLIDE 38
  • Motivations
  • AnonRep Design
  • Practical Considerations
  • Evaluation

Road-Map

slide-39
SLIDE 39

AnonRep Deployment

slide-40
SLIDE 40

AnonRep Deployment

AnonRep Clients

slide-41
SLIDE 41

AnonRep Servers AnonRep Clients

AnonRep Deployment

slide-42
SLIDE 42

AnonRep Servers AnonRep Clients

Threat Model Anytrust Assumption

slide-43
SLIDE 43

AnonRep Servers AnonRep Clients

Threat Model

slide-44
SLIDE 44

Round1 Round n

Session: A series of rounds

Round2

... ...

AnonRep Workfmow

  • Members (including servers and clients) participate in

a continuous series of rounds

  • Each round has three steps
  • Step1: Announcement
  • Step2: Message posting
  • Step3: Feedback collection
slide-45
SLIDE 45

1 2 3 1 2 3 1 2 3

... ...

  • Each round has three steps
  • Step1: Announcement
  • Step2: Message postings
  • Step3: Feedback collection

Session: A series of rounds

AnonRep Workfmow

slide-46
SLIDE 46

1 2 3 1 2 3

A E(RA) B E(RB) C E(RC) D E(RD) ... ...

1 2 3

... ... Session: A series of rounds

AnonRep Workfmow

slide-47
SLIDE 47

1 2 3 1 2 3 1 2 3

... ... long-term identities

A E(RA) B E(RB) C E(RC) D E(RD) ... ...

Session: A series of rounds

AnonRep Workfmow

slide-48
SLIDE 48

1 2 3 1 2 3 1 2 3

... ...

Reputation ciphertexts, encrypted by all the servers

A E(RA) B E(RB) C E(RC) D E(RD) ... ...

Session: A series of rounds

AnonRep Workfmow

slide-49
SLIDE 49

... ...

1 2 3 1 2 3 1 2 3

A E(RA) B E(RB) C E(RC) D E(RD) ... ... A E(R’A) B E(R’B) C E(R’C) D E(R’D) ... ...

Session: A series of rounds

AnonRep Workfmow

slide-50
SLIDE 50

... ...

1 2 3 1 2 3 1 2 3

Session: A series of rounds

AnonRep Workfmow

A E(RA) B E(RB) C E(RC) D E(RD) ... ... A E(R’A) B E(R’B) C E(R’C) D E(R’D) ... ...

slide-51
SLIDE 51

... ...

1 2 3 1 2 3 1 2 3

A E(R’’A) B E(R’’B) C E(R’’C) D E(R’’D) ... ... A E(R’’’A) B E(R’’’B) C E(R’’’C) D E(R’’’D) ... ...

Session: A series of rounds

AnonRep Workfmow

A E(RA) B E(RB) C E(RC) D E(RD) ... ... A E(R’A) B E(R’B) C E(R’C) D E(R’D) ... ...

slide-52
SLIDE 52

... ...

1 2 3 1 2 3 1 2 3

Session: A series of rounds

AnonRep Workfmow

A E(R’’A) B E(R’’B) C E(R’’C) D E(R’’D) ... ... A E(R’’’A) B E(R’’’B) C E(R’’’C) D E(R’’’D) ... ... A E(RA) B E(RB) C E(RC) D E(RD) ... ... A E(R’A) B E(R’B) C E(R’C) D E(R’D) ... ...

slide-53
SLIDE 53

Three Steps in Each Round

A E(RA) B E(RB) C E(RC) D E(RD) ... ...

Reputation list

slide-54
SLIDE 54

Step1: Announcement

NymC Rc NymA Ra NymD Rd NymB Rb ... ...

Three Steps in Each Round

Fresh pseudonym list

A E(RA) B E(RB) C E(RC) D E(RD) ... ...

Reputation list

Run by servers

slide-55
SLIDE 55

NymC Rc NymA Ra NymD Rd NymB Rb ... ...

ID Msg User

Score 1 Hi NymB 3 2 Hello NymA 2 ... ... ... ...

Step2: Message Posting

Three Steps in Each Round

Fresh pseudonym list

A E(RA) B E(RB) C E(RC) D E(RD) ... ...

Reputation list

Step1: Announcement

Run by servers

slide-56
SLIDE 56

NymC Rc NymA Ra NymD Rd NymB Rb ... ...

Step3: Feedback Collection

Three Steps in Each Round

A E(R’A) B E(R’B) C E(R’C) D E(R’D) ... ...

Step2: Message Posting

Fresh pseudonym list

ID Msg User

Score 1 Hi NymB 3 2 Hello NymA 2 ... ... ... ...

A E(RA) B E(RB) C E(RC) D E(RD) ... ...

Reputation list Updated Reputation list

Step1: Announcement

Run by servers Run by servers

slide-57
SLIDE 57

Step1: Announcement

slide-58
SLIDE 58

Step1: Announcement

Reputation List Fresh Nym List

S1 S2 S3

Reputations have been encrypted by all the servers

  • 1
slide-59
SLIDE 59

Step1: Announcement

Reputation List Fresh Nym List

S1 S2 S3

* C. Andrew Neff. A verifiable secret shuffle and its application to e-voting. In CCS’01.

slide-60
SLIDE 60

Step1: Announcement

Reputation List Fresh Nym List

S1 S2 S3

slide-61
SLIDE 61

Step1: Announcement

Reputation List Fresh Nym List

S1 S2 S3

slide-62
SLIDE 62

Step1: Announcement

Reputation List Fresh Nym List

S1 S2 S3

slide-63
SLIDE 63

Step1: Announcement

Reputation List Fresh Nym List

Shuffle

S1 S2 S3

slide-64
SLIDE 64

Step1: Announcement

Reputation List Fresh Nym List

Shuffle

S1 S2 S3 Proof

slide-65
SLIDE 65

Step1: Announcement

Reputation List Fresh Nym List

S1 S2 S3

slide-66
SLIDE 66

Step1: Announcement

Reputation List

Proof

Shuffle

Fresh Nym List

S1 S2 S3

slide-67
SLIDE 67

Step1: Announcement

Reputation List Fresh Nym List

S1 S2 S3

slide-68
SLIDE 68

Step1: Announcement

Reputation List Fresh Nym List

S1 S2 S3

slide-69
SLIDE 69

Step2: Message Posting

slide-70
SLIDE 70

Step2: Message Posting

Nym

Score

NymC

  • 2

NymA 2 NymD

  • 1

NymB 3 ... ...

Fresh Nym List

slide-71
SLIDE 71

Step2: Message Posting

MsgID Msg User Score ... ... ... ...

Nym

Score

NymC

  • 2

NymA 2 NymD

  • 1

NymB 3 ... ...

Fresh Nym List

slide-72
SLIDE 72

Step2: Message Posting

Bob

Nym

Score

NymC

  • 2

NymA 2 NymD

  • 1

NymB 3 ... ...

MsgID Msg User Score ... ... ... ...

Fresh Nym List

slide-73
SLIDE 73

Step2: Message Posting

Bob (“Hi”, NymB, Sigb)

Nym

Score

NymC

  • 2

NymA 2 NymD

  • 1

NymB 3 ... ...

MsgID Msg User Score ... ... ... ...

Fresh Nym List

slide-74
SLIDE 74

Step2: Message Posting

Bob

( “ H i ” , N y mB , S i gb )

Nym

Score

NymC

  • 2

NymA 2 NymD

  • 1

NymB 3 ... ...

MsgID Msg User Score ... ... ... ...

Fresh Nym List

slide-75
SLIDE 75

Step2: Message Posting

Bob

( “ H i ” , N y mB , S i gb )

Nym

Score

NymC

  • 2

NymA 2 NymD

  • 1

NymB 3 ... ...

MsgID Msg User Score

Msg1 Hi NymB 3

... ... ... ...

Fresh Nym List

slide-76
SLIDE 76

Step2: Message Posting

Alice

(“OK”, NymA, Siga)

Nym

Score

NymC

  • 2

NymA 2 NymD

  • 1

NymB 3 ... ...

MsgID Msg User Score

Msg1 Hi NymB 3

... ... ... ...

Fresh Nym List

slide-77
SLIDE 77

Step2: Message Posting

Alice

(“OK”, NymA, Siga)

Nym

Score

NymC

  • 2

NymA 2 NymD

  • 1

NymB 3 ... ...

MsgID Msg User Score

Msg1 Hi NymB 3 Msg2 OK NymA 2

... ... ... ...

Fresh Nym List

slide-78
SLIDE 78

Step3: Feedback Collection

slide-79
SLIDE 79

Step3: Feedback Collection

MsgID Msg User Score Votes

Msg1 Hi NymB 3 Msg2 Hello NymA 2

... ... ... ...

slide-80
SLIDE 80

Dave

(“+1”, Msg2, sig)

Step3: Feedback Collection

MsgID Msg User Score Votes

Msg1 Hi NymB 3 Msg2 Hello NymA 2

... ... ... ...

slide-81
SLIDE 81

Positive feedback

Step3: Feedback Collection

(“+1”, Msg2, sig)

Dave

MsgID Msg User Score Votes

Msg1 Hi NymB 3 Msg2 Hello NymA 2

... ... ... ...

slide-82
SLIDE 82

Message ID

Step3: Feedback Collection

(“+1”, Msg2, sig)

Dave

MsgID Msg User Score Votes

Msg1 Hi NymB 3 Msg2 Hello NymA 2

... ... ... ...

slide-83
SLIDE 83

Linkable Ring Signature

Step3: Feedback Collection

(“+1”, Msg2, sig)

Dave

MsgID Msg User Score Votes

Msg1 Hi NymB 3 Msg2 Hello NymA 2

... ... ... ...

slide-84
SLIDE 84

Linkable Ring Signature (LRS)

(PK1,SK1) (PK2,SK2) (PK3,SK3)

Verifier

One member signed the msg, but I do not know who did that.

* Liu et al. Linkable ring signatures: Security models and new schemes. In ICCSA’05.

slide-85
SLIDE 85

Linkable Ring Signature (LRS)

(PK1,SK1) (PK2,SK2) (PK3,SK3)

One member signed the msg, but I do not know who did that.

  • LRS can hide voter’s pseudonym
  • LRS can avoid duplicate votes
  • Different messages have different LRS

Verifier

* Liu et al. Linkable ring signatures: Security models and new schemes. In ICCSA’05.

slide-86
SLIDE 86

Linkable Ring Signature (LRS)

(PK1,SK1) (PK2,SK2) (PK3,SK3)

One member signed the msg, but I do not know who did that.

  • LRS can hide voter’s pseudonym
  • LRS can avoid duplicate votes
  • Different messages have different LRS

Verifier

* Liu et al. Linkable ring signatures: Security models and new schemes. In ICCSA’05.

slide-87
SLIDE 87

Linkable Ring Signature (LRS)

(PK1,SK1) (PK2,SK2) (PK3,SK3)

One member signed the msg, but I do not know who did that.

  • LRS can hide voter’s pseudonym
  • LRS can avoid duplicate votes
  • Different messages have different LRS

Verifier

* Liu et al. Linkable ring signatures: Security models and new schemes. In ICCSA’05.

slide-88
SLIDE 88

Step3: Feedback Collection

MsgID Msg User Score Votes

Msg1 Hi NymB 3 Msg2 Hello NymA 2

... ... ... ...

Like: 1 Like: 2

Dislike: 1

slide-89
SLIDE 89

Step3: Feedback Collection

MsgID Msg User Score Votes

Msg1 Hi NymB 3 Msg2 Hello NymA 2

... ... ... ...

Like: 1 Like: 2

Dislike: 1

AnonRep supports diverse reputation algorithms

slide-90
SLIDE 90

3+2-1=4 2+1=3

Step3: Feedback Collection

MsgID Msg User Score Votes

Msg1 Hi NymB 3 Msg2 Hello NymA 2

... ... ... ...

Like: 1 Like: 2

Dislike: 1

slide-91
SLIDE 91

NymB’s reputation becomes 4 NymA’s reputation becomes 3

Step3: Feedback Collection

3+2-1=4 2+1=3

MsgID Msg User Score Votes

Msg1 Hi NymB 4 Msg2 Hello NymA 3

... ... ... ...

Like: 1 Like: 2

Dislike: 1

slide-92
SLIDE 92

Fresh Nym list with updated reputation

Step3: Feedback Collection

3+2-1=4 2+1=3

MsgID Msg User Score Votes

Msg1 Hi NymB 4 Msg2 Hello NymA 3

... ... ... ...

Like: 1 Like: 2

Dislike: 1

slide-93
SLIDE 93

Updated Fresh Nym List

Step3: Feedback Collection

Reverse Process

slide-94
SLIDE 94

Updated Reputation List Updated Fresh Nym List

Step3: Feedback Collection

Reverse Announcement Process

slide-95
SLIDE 95

NymC Rc NymA Ra NymD Rd NymB Rb ... ...

Step3: Feedback Collection

Three Steps in Each Round

A E(R’A) B E(R’B) C E(R’C) D E(R’D) ... ...

Step2: Message Posting

Fresh pseudonym list

ID Msg User

Score 1 Hi NymB 3 2 Hello NymA 2 ... ... ... ...

A E(RA) B E(RB) C E(RC) D E(RD) ... ...

Reputation list Updated Reputation list

Step1: Announcement

Run by servers Run by servers

slide-96
SLIDE 96

... ...

1 2 3 1 2 3 1 2 3

Session, Rounds and Steps

Session: A series of rounds

A E(R’’A) B E(R’’B) C E(R’’C) D E(R’’D) ... ... A E(R’’’A) B E(R’’’B) C E(R’’’C) D E(R’’’D) ... ... A E(RA) B E(RB) C E(RC) D E(RD) ... ... A E(R’A) B E(R’B) C E(R’C) D E(R’D) ... ...

slide-97
SLIDE 97
  • Motivations
  • AnonRep Design
  • Practical Considerations
  • Evaluation

Road-Map

slide-98
SLIDE 98

Practical Considerations

  • Intersection attacks on special reputations
  • Performance optimization
  • Misbehavior detection
  • Registration verifjcation
slide-99
SLIDE 99
  • Intersection attacks on special reputations
  • Performance optimization
  • Misbehavior detection
  • Registration verifjcation

Please see our paper for more details

Practical Considerations

slide-100
SLIDE 100

Intersection Attack

Msg1 csdfsa(100)

like:1 dislike:0

Msg2 9sf1aaa(2)

like:1 dislike:4

Msg3 ty4azko(3)

like:3 dislike:4

... ... ... ...

Round i

slide-101
SLIDE 101

Intersection Attack

Msg1 csdfsa(100)

like:1 dislike:0

Msg2 9sf1aaa(2)

like:1 dislike:4

Msg3 ty4azko(3)

like:3 dislike:4

... ... ... ...

Round i

slide-102
SLIDE 102

Intersection Attack

Msg1 csdfsa(100)

like:1 dislike:0

Msg2 9sf1aaa(2)

like:1 dislike:4

Msg3 ty4azko(3)

like:3 dislike:4

... ... ... ...

Round i Round i+1

Msg4 u78edja(-2)

like:0 dislike:2

Msg5 79fdad(4)

like:6 dislike:3

Msg6 ie821a(101)

like:0 dislike:1

... ... ... ...

slide-103
SLIDE 103

Intersection Attack

Msg1 csdfsa(100)

like:1 dislike:0

Msg2 9sf1aaa(2)

like:1 dislike:4

Msg3 ty4azko(3)

like:3 dislike:4

... ... ... ...

Round i Round i+1

Msg4 u78edja(-2)

like:0 dislike:2

Msg5 79fdad(4)

like:6 dislike:3

Msg6 ie821a(101)

like:0 dislike:1

... ... ... ...

slide-104
SLIDE 104

Intersection Attack

Msg1 csdfsa(100)

like:1 dislike:0

Msg2 9sf1aaa(2)

like:1 dislike:4

Msg3 ty4azko(3)

like:3 dislike:4

... ... ... ... Msg4 u78edja(-2)

like:0 dislike:2

Msg5 79fdad(4)

like:6 dislike:3

Msg6 ie821a(101)

like:0 dislike:1

... ... ... ... Msg7 829q(-2)

like:1 dislike:1

Msg8 fapqx(100)

like:3 dislike:2

Msg9 zcvbfa(2)

like:1 dislike:2

... ... ... ...

Round i Round i+1 Round i+2

slide-105
SLIDE 105

Intersection Attack

Msg1 csdfsa(100)

like:1 dislike:0

Msg2 9sf1aaa(2)

like:1 dislike:4

Msg3 ty4azko(3)

like:3 dislike:4

... ... ... ... Msg4 u78edja(-2)

like:0 dislike:2

Msg5 79fdad(4)

like:6 dislike:3

Msg6 ie821a(101)

like:0 dislike:1

... ... ... ... Msg7 829q(-2)

like:1 dislike:1

Msg8 fapqx(100)

like:3 dislike:2

Msg9 zcvbfa(2)

like:1 dislike:2

... ... ... ...

Round i Round i+1 Round i+2

slide-106
SLIDE 106

Intersection Attack

Msg1 csdfsa(100)

like:1 dislike:0

Msg2 9sf1aaa(2)

like:1 dislike:4

Msg3 ty4azko(3)

like:3 dislike:4

... ... ... ... Msg4 u78edja(-2)

like:0 dislike:2

Msg5 79fdad(4)

like:6 dislike:3

Msg6 ie821a(101)

like:0 dislike:1

... ... ... ... Msg7 829q(-2)

like:1 dislike:1

Msg8 fapqx(100)

like:3 dislike:2

Msg9 zcvbfa(2)

like:1 dislike:2

... ... ... ...

Round i Round i+1 Round i+2

slide-107
SLIDE 107

Security-Enhanced AnonRep

slide-108
SLIDE 108

Security-Enhanced AnonRep

  • Actual reputation scores are maintained as ciphertexts
  • Solution: Homomorphic encryption [1]
  • Reputation budget: posting message with budget < actual score
  • Solution: Zero-knowledge proof

[1] Cramer et al. A secure and optimally efficient multi-authority election scheme. In EUROCRYPT’97. [2] Camenisch et al. Proof systems for general statements about discrete logarithms. In ETH TR’97.

slide-109
SLIDE 109

Security-Enhanced AnonRep

  • Actual reputation scores are maintained as ciphertexts
  • Solution: Homomorphic encryption [1]
  • Reputation budget: posting message with budget < actual score
  • Solution: Zero-knowledge proof [2]

[1] Cramer et al. A secure and optimally efficient multi-authority election scheme. In EUROCRYPT’97. [2] Camenisch et al. Proof systems for general statements about discrete logarithms. In ETH TR’97.

slide-110
SLIDE 110

Security-Enhanced AnonRep

Msg1 csdfsa(2)

like:1 dislike:0

Msg2 9sf1aaa(2)

like:1 dislike:4

Msg3 ty4azko(3)

like:3 dislike:4

... ... ... ... Msg4 u78edja(-2)

like:0 dislike:2

Msg5 79fdad(4)

like:6 dislike:3

Msg6 ie821a(5)

like:0 dislike:1

... ... ... ... Msg7 829q(-2)

like:1 dislike:1

Msg8 fapqx(1)

like:3 dislike:2

Msg9 zcvbfa(2)

like:1 dislike:2

... ... ... ...

Round i Round i+1 Round i+2

✘ ✘

slide-111
SLIDE 111

Security-Enhanced AnonRep

Msg1 csdfsa(100)

like:1 dislike:0

Msg2 9sf1aaa(2)

like:1 dislike:4

Msg3 ty4azko(3)

like:3 dislike:4

... ... ... ... Msg4 u78edja(-2)

like:0 dislike:2

Msg5 79fdad(4)

like:6 dislike:3

Msg6 ie821a(101)

like:0 dislike:1

... ... ... ... Msg7 829q(-2)

like:1 dislike:1

Msg8 fapqx(100)

like:3 dislike:2

Msg9 zcvbfa(2)

like:1 dislike:2

... ... ... ... Msg1 csdfsa(2)

like:1 dislike:0

Msg2 9sf1aaa(2)

like:1 dislike:4

Msg3 ty4azko(3)

like:3 dislike:4

... ... ... ... Msg4 u78edja(-2)

like:0 dislike:2

Msg5 79fdad(4)

like:6 dislike:3

Msg6 ie821a(5)

like:0 dislike:1

... ... ... ... Msg7 829q(-2)

like:1 dislike:1

Msg8 fapqx(1)

like:3 dislike:2

Msg9 zcvbfa(2)

like:1 dislike:2

... ... ... ...

Round i Round i+1 Round i+2

✘ ✘

Round i Round i+1 Round i+2

V.S.

slide-112
SLIDE 112
  • Motivations
  • AnonRep Design
  • Practical Considerations
  • Evaluation

Road-Map

slide-113
SLIDE 113

Implementation

  • A working prototype in Go Language
  • Heavily depends on DeDiS Crypto Go library
  • Our prototype is open source

https://github.com/anonyreputation/anonCred https://github.com/DeDiS/crypto

slide-114
SLIDE 114

Evaluation

0.1 1 10 100 1000 100 1000 10000 100000

Run time (second) Number of clients

Server Clients

Computational overhead in announcement step

slide-115
SLIDE 115

Evaluation

0.1 1 10 100 1000 100 1000 10000 100000

Run time (second) Number of clients

Server Clients

Computational overhead in announcement step

slide-116
SLIDE 116

Evaluation

0.1 1 10 100 1000 100 1000 10000 100000

Run time (second) Number of clients

Server Clients

Computational overhead in announcement step

slide-117
SLIDE 117

Evaluation

0.01 0.1 1 10 100 100 1000 10000 100000

Run time (seconds) Number of clients

Linkable ring signature generation Verification

Computational overhead of feedback step

slide-118
SLIDE 118

Evaluation

0.01 0.1 1 10 100 100 1000 10000 100000

Run time (seconds) Number of clients

Linkable ring signature generation Verification

Computational overhead of feedback step

slide-119
SLIDE 119

Conclusion

  • Find out more at:
  • http://dedis.cs.yale.edu/dissent/
  • The fjrst practical tracking-resistant anonymous

reputation system:

  • Unlinkability and anonymity of users’ activities
  • Diverse reputation utilities (algorithms)
  • No need trust any centralized party
  • Scalable to large-size user set