Privacy-Preserving Resource Evaluation in Social Networks

Francesco Buccafurri, Lidia Fotia, Gianluca Lax
DIMET, University of Reggio Calabria
Via Graziella, Località Feo di Vito, 89122 Reggio Calabria, Italy
E-mail: [email protected]

Abstract—In new-generation social networks, we expect the demand for tools that let the user effectively control privacy, without relying on the trustworthiness of the provider, to keep growing. A lot of valuable information is currently released by users with no privacy control whenever they evaluate resources, as is done in Facebook through the “Like Button”. A mechanism that lets the user express her preferences while fully preserving her privacy is thus desirable, especially if it protects user privacy even when the social network provider is untrustworthy. In this paper, we propose a solution to this problem, based on a DHT-based P2P social network and on a cryptographic protocol relying on partially blind digital signatures. The protocol is shown to resolve the trade-off between feasibility and security, since it guarantees the needed security requirements without including the complex features of existing e-voting systems.

I. INTRODUCTION

Social networks are probably the most revolutionary phenomenon of the last ten years involving the Web and people's lives. However, besides many new opportunities, relationships, social transformations, businesses, etc., social networks have introduced a number of serious privacy problems, of which people are often unaware. Through a huge quantity of personal data, posts, photos and friendship information, any third party, such as companies, scientists or governments, may potentially collect, categorize and infer complex knowledge about people, building profiles of individuals and groups whose value can be extremely high. Even though this side effect may not appear worrying to users as far as public profile information is concerned, the most probable case is that users do not fully perceive the power of personal data, nor the exact amount of their life which is exposed to everyone. In other words, users are mostly unaware that even hidden aspects of their own personality can be disclosed, and effectively discovered by third parties by means of more or less sophisticated methodologies. Besides the sociological, psychological and cultural reasons which lead social network users not to worry too much about privacy, social networks themselves are typically designed in such a way that the user is stimulated to release private information, due to the business value of such information. From this perspective, the assumption that any social network provider can be considered trustworthy

is in fact unrealistic, due to the strategic advantage that personal data give to these parties. This obviously creates serious risks also for the information that the user has marked as private in the social network. In this landscape, it can be expected that the growth of the digital society in each of its components, and thus also in terms of user awareness, will result in an increasing demand for tools allowing the user to control privacy, whose effectiveness does not rely on the provider's trustworthiness. This is the reason why a recent yet consolidated scientific literature exists envisioning a new paradigm of social network, shifting from client-server to P2P infrastructures coupled with encryption, so that users keep control of their information [37], [5], [6]. This paper follows the path traced by the above literature, dealing with a specific problem not yet solved, to the best of our knowledge, by previous approaches. A lot of valuable information is released by users through the evaluation of resources, which, for example, is done in Facebook through the “Like Button”. Clearly, this information is valuable because it may reveal aspects of the user's personality, thus completing her profile. In a privacy-aware scenario like the one we are considering, we cannot expect that users always want to express their preferences by linking the chosen resource to their own profile. On the other hand, discarding the evaluations of users who do not accept to reveal their identity is too restrictive, from both the user side and the provider (and third party) side. The solution to this problem is to allow the user to evaluate resources anonymously, thus fully preserving her privacy, while still allowing some useful analysis of user preferences. However, anonymizing the resource evaluation process is not a trivial task.
Indeed, as observed earlier, we cannot assume the trustworthiness of the social network provider, which thus must not be able to link the evaluation to the user. Moreover, some of the properties of e-voting systems [11], [38] should be guaranteed, since the resource evaluation process can be viewed as a sort of “lightweight e-voting procedure”. For example, if we make the evaluation anonymous, we have to prevent the evaluation from being duplicated by a misbehaving user. In detail, among the properties required for e-voting systems [10], [33], [20], we argue that (and we give strong support to this claim in

Section II) an evaluation system should satisfy the following properties:
• Uniqueness. Each user can score a resource only once.
• Secretness. The score given by each user must be secret, in order to assure voter privacy.
• Individual Verifiability. Each user can verify that her score of the resource is fair.
• Uncloneability. It must be impossible to generate a fake (seemingly) legal evaluation score starting from a legal one.
• Robustness. The unfair behaviour of a user must be detected, in order to assure that the evaluation process succeeds.
• Scalability. Since the social network size may be very large, the number of users involved in the generation of a single score must be limited w.r.t. the overall number of users.

In this paper, we propose a solution fulfilling the above requirements, by relying on a DHT-based P2P social network (assumed given) and by designing a cryptographic protocol based on partially blind digital signatures. It is worth remarking that, as shown in detail in Section II, the proposal is far from a trivial application of an existing e-voting system, which would be disproportionate for our context, and it is not even a simple relaxation of an existing e-voting system.

The paper is organized as follows. In the next section, we contextualize our work in the literature, giving also some important support to our proposal. Next, in Section III, we briefly recall some notions useful to the reader to understand the technical aspects of the paper. The proposed protocol is described in Section V, and its security properties are analyzed in Section VI. In Section VII, we draw our conclusions and sketch possible future work.

II. RELATED WORK

Our paper proposes a privacy-preserving approach to evaluating resources in social networks. A crucial component of our proposal, allowing us to obtain the above goal, is to distribute the social network (and most of the voting functionalities) over the users, in a P2P fashion.
Even though, to the best of our knowledge, the problem of resource evaluation in social networks guaranteeing privacy requirements has not been investigated in the literature, the idea of implementing social networks using a P2P paradigm is not new. Fang Wang et al. [37] propose to use a structure of Peer-to-Peer (P2P) social networks that captures social associations of distributed peers in resource sharing. Peer social networks appear to be mainly composed of pure resource providers that guarantee high resource availability and reliability. Sonja Buchegger et al. [5] envision a paradigm shift from client-server to a peer-to-peer infrastructure coupled with encryption, so that users keep control of their data and can use the social network also locally, without Internet access. PeerSoN [6] is a peer-to-peer approach coupled with encryption. The authors design a two-tiered architecture and protocols that recreate the core features of social

networks in a decentralized way. This paper focuses on the P2P infrastructure for social networks, outlining the challenges and possibilities of the decentralized paradigm. Cutillo et al. [12] propose a social network based on a P2P architecture to solve privacy issues. The authors' solution leverages the trust relationships that are part of the social network application itself. Privacy in basic data access and exchange operations within the social network is achieved by multi-hop routing among nodes that trust each other in the social network. From the literature above, it is evident that many social networks rely on an underlying P2P infrastructure. Also in our approach we assume that a P2P social network providing a DHT-based lookup service is given.

From the side of the specific activity of resource evaluation, our paper is clearly related to the topic of e-voting, where a wide literature exists. Chaum [8] introduced the notion of mix-net as a tool for achieving anonymity in e-mail and in electronic elections. A mix-net consists of a sequence of servers, called mixes. Each server receives a batch of input messages and produces as output the batch in permuted (mixed) order. Such mix-nets are sometimes called mix cascades or shuffle networks. When used for voting, the input messages are the ballots of the voters. An observer should not be able to tell how the inputs correspond to the outputs. This property provides voter privacy in an electronic election. A modified version of the protocol was published later by Chaum [10]. A new kind of receipt improves security by letting voters verify the correctness of the election outcome, even if all election computers and records were compromised. The system preserves ballot secrecy, while improving access for voters, robustness, and adjudication, all at lower cost. Sako et al.
[33] propose another approach to e-voting based on re-encryption mix-nets [28] and on proofs, used by voters to prove to the authorities the correctness of the votes they sent. Proofs may be interactive (e.g., classical zero-knowledge proofs) or non-interactive and simply attached to the vote. All mixes in this system have a unique private key for the El-Gamal encryption scheme. There exists a public key for an anonymous channel. Mixes produce encrypted ballots with proofs for users. During the voting stage, the voters choose their votes using an untappable channel and send them via decryption networks. A vote is counted only after the mix posts a proof of correct decryption. This scheme relies on ad-hoc requirements, like for example the use of untappable channels for the transmission of data, which make it not very practical [38]. Zwierko et al. [38] propose an agent-based scheme for secure electronic voting. The scheme is universal and can be implemented in a network of stationary and mobile electronic devices. The proposed system is based on the idea of an authentication protocol with revocable anonymity, which utilizes a combination of Merkle's puzzles [26] and a secure secret sharing scheme [30]. The protocol presented in [20] is designed for large-scale elections. The counter and the voters communicate through an anonymous channel, the administrator uses a blind signature scheme so that each voter has a different

digital signature and uses the commitment scheme to compute the ballot. Election protocols based on homomorphic encryption are described in various papers [3], [11], [13]. Cramer et al. [11] present an approach based on the El-Gamal scheme, in which the authorities create a pair of keys used by the voters to encrypt their vote and produce a non-interactive proof of validity. The coalition of honest authorities, after checking the proofs from the voters, combines all correct votes to obtain the final tally. The protocol proposed by Damgård et al. [14] utilizes the generalized Paillier cryptosystem. A more effective method of decryption and computing the result is presented in [11]. Another system exploiting the homomorphic encryption scheme was proposed by Ogata et al. [27] and improved in [1], [21], [28]. The voters, using the public key published by the authority, compute their votes and post them on the bulletin board [11]. Mixes produce encrypted ballots with proofs for users and publish them on the bulletin board. After the verification of the votes, the tally is computed. Some other approaches to electronic voting, also based on homomorphic encryption, have been proposed in [3] and [24]. There are other systems based on homomorphic encryption which have additional features, such as tokens and re-encryption nets [3], [24]. These systems preserve the receipt-freeness property, meaning that the voting system does not generate a receipt when the voter expresses her vote, because such a receipt could be used by another party to coerce the voter. Unfortunately, receipt-freeness and incoercibility (provided the adversary does not access the registration phase) have in these papers a high price in terms of verifiability and scalability. Also the usage of an anonymous broadcast channel makes the scheme impractical [38].

In Section I, we introduced some requirements usually guaranteed in an evaluation system (namely uniqueness, secretness, verifiability, uncloneability, robustness, scalability).
In e-voting systems, besides the above properties, also eligibility, fairness and receipt-freeness are provided [7], [30]. We recall that eligibility means that only those who are authorized to vote can vote, and the system has to provide means to validate a voter and a permitted number of votes; fairness ensures that no intermediate result can influence the remaining voters; receipt-freeness requires that the voter is not able to prove to any coercer how she voted. From the analysis of the literature, it emerges that the requirements of e-voting systems are stricter than those necessary in our scenario. Indeed, we argue that properties like eligibility, fairness and receipt-freeness would, in our case, introduce an intolerable price in terms of usability and invasiveness. Eligibility is not necessary in our context, because in a social network everyone should be able to perform her evaluation. Moreover, fairness is not required, because resource evaluation in social networks is inherently incremental. Finally, receipt-freeness is disproportionate for evident reasons. In other words, the above properties are not coherent with the security level we need in our case. Even though we have shown that these properties are excessive in our context, we have to

consider that some fundamental properties need to be satisfied. They are uniqueness, secretness, verifiability, uncloneability, robustness and scalability (as observed in the Introduction). This, combined with the fact that existing e-voting systems guarantee the above features at a significant price in terms of complexity of the solution, requires us to find a new ad-hoc lightweight solution. This is precisely the goal of this paper. It is worth noting that a lightweight e-voting system suitable for our application cannot be obtained by trivially relaxing existing e-voting systems through the disabling of some components, since the elimination of even one of the three components above results in the loss of some basic requirement. Indeed, the elimination of the mix-nets implies that voter anonymity (i.e., secretness) is compromised, since the relationship between the final vote and its voter is not removed. Furthermore, an important function of the mix is to ensure that no item is processed more than once, so that its elimination also affects the uniqueness of the vote. The elimination of proofs determines the failure of robustness and uncloneability. Indeed, it is only by means of proofs that a dishonest voter is prevented from cloning a vote: not knowing the key that generated the proof, the dishonest voter cannot generate a bogus vote with a valid proof, and therefore the vote will not be counted. Also verifiability would be compromised, since, in the absence of proofs, no interested party could check whether the ballot has been modified or whether information about the vote has been leaked.

III. BACKGROUND

In this section, we briefly recall some notions representing the background necessary to the reader to understand the technical aspects of the paper. Such notions are digital signature, blind and partially blind signature, and distributed hash table.

The digital signature mechanism relies on public key infrastructure.
Each user owns two keys, a private key and a public one. The private key is kept secret and the public one is made public. Guessing a private key is computationally infeasible for sufficiently large keys. The first step of the signature generation process is the computation of a cryptographic hash function [17], [16] of the document to be signed. The result, called digest, can substitute the original document in the signature generation process, since the probability of two distinct documents producing the same digest is negligible. Moreover, finding a document whose digest equals that of another given document is infeasible, so that an attacker cannot corrupt a signed document without the signature detecting it. The digital signature is produced by encrypting the digest with the private key using an asymmetric cipher, typically RSA [31]. The verification of the signature is done by checking that the decryption of the signature with the public key of the signer coincides with the (re-computed) digest of the document.

A blind signature [9] is a signature scheme in which the signer is not aware of the content of the message to sign. Denoting by (n, e) the public key of the signer S and by (n, d) her private key, the author (say A) of the message

M generates a random number r relatively prime to n (i.e., the greatest common divisor $\gcd(r, n) = 1$) and calculates $M' = r^e \cdot M \bmod n$. Then, S signs the blinded message M' by computing $S' = (M')^d \bmod n$ and sends it back to A, who computes the digital signature of the unblinded message as $S = S' \cdot r^{-1} \bmod n = M^d \bmod n$. Partially blind signatures [2] are a particular type of signature allowing the signer to explicitly include in unblinded form some pre-agreed information in the blind signature, like an expiry date, and are used mainly in the context of electronic cash (e-cash).

A distributed hash table (DHT) is typically used in peer-to-peer systems [36], [32] in order to provide lookup services. In these systems, the DHT allows us to obtain the peer linking to the peers providing the service itself. In particular, a random ID is assigned to each peer, and an ID (derived from the hash of the service name) is assigned to each service. The peer having the ID closest to the ID of the service stores the information about the peers providing such a service. The above indexing is dynamically maintained, according to the continuous joining and leaving of nodes in the system.

IV. NOTATIONS

The protocol we propose relies on an underlying distributed social network. Thus, we consider given a DHT lookup service allowing us to map any bit sequence to a node of the social network. Throughout the paper we use the following notations. We consider given a resource R which is the subject of user evaluation. We assume that R has a unique identifier ID_R which can be, w.l.o.g., the URL of the resource. We denote by RU, called resource user, the user who is responsible for the resource, and by V, called voter, the user who evaluates R. For each user U we assume that a public key PK_U is associated with U at the moment of registration in the social network. Moreover, each user U owns a secret S_U, distinct from the private key associated with PK_U.
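As an added illustration of the RSA blind signature recalled in Section III above (example code written for this edit, not code from the paper), the following Python runs one blinding round and checks that the unblinded result equals a direct signature of the digest. The toy primes, the helper names and the sample message are this example's own assumptions; a real deployment would use a 2048-bit modulus and a padded hash rather than the raw digest used here.

```python
# Added example (not from the paper): textbook RSA blind signature as described
# in Section III. Primes, helper names and the sample message are constructed.
from hashlib import sha256
from math import gcd
import secrets


def make_keypair():
    """Signer S: public key (n, e), private key (n, d). Toy primes, constructed."""
    p, q = 1000000007, 998244353
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest(message: bytes, n: int) -> int:
    """The document is replaced by its digest, reduced into Z_n."""
    return int.from_bytes(sha256(message).digest(), "big") % n


def blind(m: int, pub):
    """Author A: pick r with gcd(r, n) = 1 and compute M' = r^e * M mod n."""
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return pow(r, e, n) * m % n, r


def sign_blinded(m_blinded: int, priv):
    """Signer S: S' = (M')^d mod n, computed without ever seeing M."""
    n, d = priv
    return pow(m_blinded, d, n)


def unblind(s_blinded: int, r: int, pub):
    """Author A: S = S' * r^-1 mod n, which equals M^d mod n."""
    n, _ = pub
    return s_blinded * pow(r, -1, n) % n


def verify(m: int, s: int, pub) -> bool:
    """Anyone: S^e mod n must reproduce the digest."""
    n, e = pub
    return pow(s, e, n) == m


def blind_signature_round(message: bytes, pub, priv):
    """Run one blind-signature exchange and return what each side ends up with."""
    m = digest(message, pub[0])
    m_blinded, r = blind(m, pub)
    s_blinded = sign_blinded(m_blinded, priv)
    return {"digest": m, "seen_by_signer": m_blinded,
            "signature": unblind(s_blinded, r, pub)}


if __name__ == "__main__":
    pub, priv = make_keypair()
    out = blind_signature_round(b"constructed sample message", pub, priv)
    print("signature valid:", verify(out["digest"], out["signature"], pub))
```

The value in `seen_by_signer` is all the signer ever learns; because r is chosen fresh and uniformly, it carries no information about the digest, which is exactly the property the credential step of the protocol relies on.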
We denote by TTP a functionally Trusted Third Party [25], and by CU_i the i-th credential user (the role of these entities will be clarified in Section V). TTP has a pair of public and private keys. H is a cryptographic hash function. Given a user U and a message M, we denote by S_U{M} the message M digitally signed by U. Given a message M, we denote by M* the pre-blinded version of M that we have to submit to a signer in order to generate a blind signature of M. Given a user U and a message M composed of two parts, say M1 and M2, we denote by PBS_U{M1, M2*} the partially blind signature of M, where M1 is signed in clear and M2 is blindly signed. Observe that this notation identifies the blind part of the message, M2*, by using the pre-blinded version of M2, in order to keep the original message M2 visible. The notations are summarized in Table I.

V. EVALUATION PROTOCOL

In this section, we describe the proposed protocol allowing the anonymous evaluation of resources. We assume that the user preference on the resource R consists of a numeric score. Clearly, the simplest case of the “Like Button” reduces to

TABLE I. NOTATIONS

Symbol            Description
R                 The resource to be evaluated
ID_R              The resource ID
RU                The user who generated R
V                 The user who evaluates R
PK_U              The public key of U
S_U               The secret of U
TTP               The Trusted Third Party
CU_i              The i-th credential user
H                 The cryptographic hash function
S_U{M}            The message M signed by U
M*                The pre-blinded version of M
PBS_U{M1, M2*}    The partially blind signature (M1 in clear, M2 blinded)

only two possible scores (i.e., 0 and 1). We distinguish the following basic entities in the social network:
• The user RU who publishes the resource R.
• The user V who evaluates the resource R. Observe that in the evaluation process we consider only the evaluation given by one voter. Clearly, the overall evaluation of a resource involves many evaluation processes, each with a different voter.
• The credential users CU, who are suitably selected users issuing the credentials that the voter needs as proof of authorization to evaluate a resource.
• TTP, which is responsible for generating the certified scores used by RU to show the tally of the resource evaluation.

As said above, credentials for a vote are produced collaboratively by a number of credential users. Some credential users might be corrupted by an adversary, but we assume an honest majority of credential users at all times. As a consequence, our technique is parametric with respect to a value t, chosen in such a way that the likelihood that t randomly selected users misbehave is negligible. This is a common assumption in this context [11], [38], [19], [23], which we call here the CU-collusion assumption.

The protocol is based on the message exchange among the entities mentioned above. Clearly, it could happen that the communication itself identifies a party even though the message is actually anonymous. This obviously concerns a level which does not belong to the social network or the application, but to the network communication protocol. Thus, this aspect involves also external entities like the network provider. Anyway, this aspect cannot be neglected if we want to guarantee all the basic security properties of the entire process. In order to deal with this problem, existing e-voting systems usually adopt mix-nets [8], which are one of the existing anonymity systems [18]. However, our work is not focused on how to implement anonymity, for which in fact there is a large literature.
So, we can just adopt an existing anonymity system suitable for our context. In this spirit, since we refer to a P2P social-network model, we argue that a system like Tor [15] can be directly exploited, possibly by integrating it into the social

Fig. 1. A graphical sketch of the protocol.

network itself. On the other hand, the real-life applicability of Tor, witnessed by its 800 thousand daily users in 2010 [22], is another point in favor of this choice. In principle, other systems, like [34], [35], or the development of an ad-hoc system could be considered.

We are ready to present how the evaluation process proceeds. It consists of four steps, which are CU Identification, Credential Issuing, Voting, and Score Publication. Observe that the anonymous communication introduced above is necessary for the steps Voting and Score Publication, for the communication between voter and TTP. The protocol, which is sketched in Fig. 1, proceeds as follows:

1) CU Identification. The voter contacts t = 2 · t + 1 other users who play the role of credential user (i.e., they will generate the credentials). The i-th credential user CU_i, where 1 ≤ i ≤ t, is selected by exploiting the DHT lookup service with input H(ID_R || i), where || is the concatenation operator and, recall, ID_R is the ID of the resource and H is a cryptographic hash function. Observe that the CU-collusion assumption introduced above is applicable, since the DHT lookup service ensures a uniform probability distribution of the credential user selection. As a consequence, retrieving credentials from several users prevents the voter from colluding with other malicious users to obtain credentials giving her the possibility to vote (possibly more than once for the same resource).

2) Credential Issuing. This step is repeated for each 1 ≤ i ≤ t. Indeed, the goal of this step is that V obtains the t credentials she needs to vote, each from a different CU_i. First, the voter contacts CU_i. V and CU_i exploit their asymmetric keys both for authentication and for

establishing a confidential session¹. Then, the voter sends to CU_i the pre-blinded version of ID_R, denoted by ID_R*. At this point, CU_i generates the i-th credential C_i, computed as PBS_CUi{a_i, ID_R*}, where a_i (signed in clear) refers to the voter, and ID_R is the ID of the resource. (We recall that the above notation means that ID_R is blindly signed in C_i.) In particular, a_i is obtained as H(ID_V || S_CUi), that is, by applying the cryptographic hash function H to the concatenation of a voter's identifier ID_V (uniquely associated with the profile registration data) and the secret S_CUi owned by CU_i. This way, the credential user CU_i is aware of the identity of V, but not of which resource is being evaluated. Indeed, the use of S_CUi ensures that nobody but CU_i is able to link a_i to the voter. However, this value will always be the same each time the same voter requests a credential. Finally, C_i is sent to V by the credential user CU_i. Observe that for all messages exchanged between V and CU_i, no anonymous communication is needed, since CU_i is aware of the identity of V.

3) Voting. This step starts after the voter has collected the t credentials. The first task done by V is to unblind the above credentials. Coherently with our notations, the unblinded version of C_i = PBS_CUi{a_i, ID_R*} is C_i = S_CUi{a_i, ID_R}. Then, V submits all the unblinded credentials to TTP together with the message ER = ⟨ID_R, (r||s)*⟩, where s is the numeric score given by the voter to the resource R, ID_R identifies the resource R, and r is a 128-bit random sequence generated by V to identify her vote. Observe that both s and r are submitted to TTP in pre-blinded form, so

¹ Authentication is performed through any secure public-key-based authentication protocol. For the sake of presentation, we do not treat this aspect here.

Step                 Messages
Credential Issuing   For each 1 ≤ i ≤ t:
                       V → CU_i:  ID_R*
                       CU_i → V:  PBS_CUi{H(ID_V || S_CUi), ID_R*}
Voting               V → TTP:  S_CUi{H(ID_V || S_CUi), ID_R}, for each 1 ≤ i ≤ t
                     V → TTP:  ⟨ID_R, (r||s)*⟩
                     TTP → V:  PBS_TTP{ID_R, (r||s)*}
Score Publication    V → TTP:  S_TTP{ID_R, (r||s)}

Fig. 2. The formal description of the protocol.

that they remain unknown to TTP. As a consequence, TTP is aware of the ID of the resource, but not of the evaluation done by V. At this point TTP performs the following tasks:
a) It verifies the authenticity and integrity of at least t + 1 credentials.
b) It verifies that at least t + 1 credentials contain ID_R (i.e., they refer to the same resource).
c) It verifies that at least t + 1 credentials have been issued by the correct credential users, as computed in Step 1.
d) It verifies that at least t + 1 credentials are fresh. A fresh credential S_CUi{a_i, ID_R} is a credential such that there is no identical credential in the database of past credentials stored by TTP. The failure of this test means that the user has already evaluated the resource R; in this case, no further operation is performed by TTP. Otherwise, the e-voting procedure continues as follows. TTP produces what we call the evaluation record, denoted by ER, by signing with a partially blind signature the message ER received earlier. In particular, the evaluation record is ER = PBS_TTP{ID_R, (r||s)*}. The protocol requires that TTP uses the same key pair to sign each evaluation record. The reason for this will be clarified in Section VI.
e) Finally, TTP sends ER to V.

4) Score Publication. Once the voter obtains the evaluation record, she unblinds it, producing the message S_TTP{ID_R, (r||s)}, which we call the signed ballot. Then, she sends the signed ballot to TTP. In order to prevent timing attacks, the voter introduces an unpredictable delay before sending the ballot to TTP. Now TTP verifies the ballot signature and checks that another ballot with the same random r has never been received, otherwise detecting a cloned vote. If both checks succeed, the new score is accepted, the overall evaluation of the resource R is updated and the evaluation record is also published on the bulletin board in order to legitimate this score. Obviously, RU maintains a link from the resource R to the corresponding bulletin board published by TTP.
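To make the four steps concrete, here is an added Python simulation of the protocol (written for this edit, not the authors' implementation), which also exercises the first and third uniqueness attacks discussed in Section VI. It rests on the following assumptions, none of which come from the paper: signatures are textbook RSA over SHA-256 digests with small constructed primes; the DHT is a ring of NUM_NODES virtual nodes in which the node responsible for a key is key mod NUM_NODES; PBS_U{M1, M2*} is modelled by having U sign H(M1) multiplied by the blinded H(M2), so that U sees M1 but not M2 (a didactic stand-in, not the construction of [2], and not a secure scheme on its own); and the paper's symbol t, which appears both as the collusion bound and as the number of credential users, is read here as T tolerated colluders with 2T+1 credential users, of which T+1 valid fresh credentials are required. The anonymous channel to TTP is out of scope and not modelled.

```python
# Added example (not the paper's code): simulation of the protocol of Section V.
# All primes, the ring size and T are constructed; see the lead-in for the model.
from hashlib import sha256
from math import gcd
import secrets

NODE_PRIMES = [(1000000007, 998244353), (1000000009, 167772161), (1000000021, 469762049),
               (1000000033, 754974721), (2147483647, 524287), (1004535809, 131071)]
NUM_NODES = 1 << 20   # constructed DHT ring: node responsible for a key is key mod NUM_NODES
T = 1                 # constructed collusion bound: 2T+1 credential users, T+1 must be valid
NUM_CU = 2 * T + 1

def H(*parts: bytes) -> int:
    """Cryptographic hash of the concatenation (||) of the parts, as an integer."""
    return int.from_bytes(sha256(b"||".join(parts)).digest(), "big")

class Entity:
    """A user with an RSA key pair and a secret S_U (toy key sizes)."""
    def __init__(self, name: str, primes):
        p, q = primes
        self.name, self.n, phi = name, p * q, (p - 1) * (q - 1)
        self.e = 65537
        while gcd(self.e, phi) != 1:
            self.e += 2
        self.d = pow(self.e, -1, phi)
        self.secret = secrets.token_bytes(16)
    def pub(self):
        return (self.n, self.e)

def blind(pub, m: int):
    """M* = r^e * M mod n with a fresh r coprime to n; returns (M*, r)."""
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return pow(r, e, n) * (m % n) % n, r

def pb_sign(signer, clear: int, blinded: int) -> int:
    """Model of PBS_U{clear, hidden*}: the signer sees `clear` but not the hidden part."""
    return pow((clear % signer.n) * blinded % signer.n, signer.d, signer.n)

def unblind(pub, sig_blinded: int, r: int) -> int:
    return sig_blinded * pow(r, -1, pub[0]) % pub[0]

def pb_verify(pub, clear: int, hidden: int, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == (clear % n) * (hidden % n) % n

_nodes = {}   # model of the social network: node id -> user, keys assigned on first lookup
def dht_lookup(node_id: int) -> Entity:
    if node_id not in _nodes:
        _nodes[node_id] = Entity(f"node{node_id}", NODE_PRIMES[len(_nodes) % len(NODE_PRIMES)])
    return _nodes[node_id]

def select_credential_users(id_r: bytes):
    """Step 1: CU_i is the node responsible for H(ID_R || i), 1 <= i <= NUM_CU."""
    return [dht_lookup(H(id_r, str(i).encode()) % NUM_NODES) for i in range(1, NUM_CU + 1)]

def obtain_credentials(id_v: bytes, id_r: bytes, cus):
    """Step 2: CU_i signs a_i = H(ID_V || S_CUi) in clear and ID_R blindly; the voter
    unblinds and keeps S_CUi{a_i, ID_R} as the tuple (PK_CUi, a_i, signature)."""
    creds = []
    for cu in cus:
        id_r_blinded, r = blind(cu.pub(), H(id_r))      # CU_i sees only a_i and ID_R*
        a_i = H(id_v, cu.secret)
        creds.append((cu.pub(), a_i, unblind(cu.pub(), pb_sign(cu, a_i, id_r_blinded), r)))
    return creds

class TTP(Entity):
    def __init__(self):
        super().__init__("TTP", (999999937, 985661441))
        self.used_credentials, self.seen_r, self.tally = set(), set(), {}
    def fresh_credentials(self, id_r: bytes, creds):
        """Step 3 checks (a)-(d): authentic, for ID_R, from the right CU, never used."""
        expected = {cu.pub() for cu in select_credential_users(id_r)}
        return {c for c in creds if c[0] in expected                  # (c)
                and pb_verify(c[0], c[1], H(id_r), c[2])              # (a) + (b)
                and c not in self.used_credentials}                   # (d)
    def issue_evaluation_record(self, id_r: bytes, creds, vote_blinded: int):
        """Step 3: ER = PBS_TTP{ID_R, (r||s)*}, or None if fewer than T+1 fresh credentials."""
        fresh = self.fresh_credentials(id_r, creds)
        if len(fresh) < T + 1:
            return None
        self.used_credentials |= fresh
        return pb_sign(self, H(id_r), vote_blinded)
    def accept_ballot(self, id_r: bytes, r: bytes, s: int, sig: int) -> bool:
        """Step 4: verify S_TTP{ID_R, (r||s)}; a repeated r means a cloned vote."""
        if r in self.seen_r or not pb_verify(self.pub(), H(id_r), H(r, str(s).encode()), sig):
            return False
        self.seen_r.add(r)
        self.tally[id_r] = self.tally.get(id_r, 0) + s
        return True

def vote(ttp: TTP, id_v: bytes, id_r: bytes, score: int) -> bool:
    """The full protocol from the voter's side; True iff the score was counted."""
    creds = obtain_credentials(id_v, id_r, select_credential_users(id_r))  # Steps 1-2
    r = secrets.token_bytes(16)                                             # 128-bit ballot id
    vote_blinded, rb = blind(ttp.pub(), H(r, str(score).encode()))
    er = ttp.issue_evaluation_record(id_r, creds, vote_blinded)             # Step 3
    return er is not None and ttp.accept_ballot(id_r, r, score, unblind(ttp.pub(), er, rb))
```

Calling `vote(ttp, id_v, id_r, score)` twice for the same voter and resource returns True and then False: the second run obtains byte-identical credentials, because a_i depends only on ID_V and the static S_CUi and the signature is deterministic, and TTP already holds them (check (d)). A credential issued by a node other than the one the lookup returns fails check (c), because TTP recomputes select_credential_users itself; a replayed signed ballot is refused on its repeated r.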

The formal description of the messages exchanged in the protocol, based on a common syntax [8], is reported in Fig. 2.

VI. SECURITY ANALYSIS

In this section, we analyze the security of the protocol presented in Section V. We consider separately all the security properties we have to guarantee, which are uniqueness, secretness, individual verifiability, uncloneability, and robustness.

Uniqueness. Recall that uniqueness requires that each user can score a resource only once. We consider several attacks. In the first attack, the adversary is the voter who tries to resubmit to TTP for the second time a signed ballot S_TTP{ID_R, (r||s)}. TTP detects the double submission because it stores all the submitted ballots, identified by r. It is worth noting that, in principle, it could happen that a different voter generates a ballot with the same identifier r, since it is chosen randomly. However, the probability that two voters generate the same r is $p(u; D) \approx 1 - e^{-u^2/(2D)}$ (birthday attack), where u is the number of voters and D is the cardinality of the domain of r. In our case, even hypothesizing an unrealistically high number of users, like $u = 10^{12}$, such a probability is negligible. Indeed, since r is a 128-bit sequence, $p(10^{12}; 2^{128}) < 10^{-15}$. Thus, r is actually an identifier of the ballot, and the attack detection check of TTP cannot produce a false positive. The second attack is the attempt of the voter to resubmit to TTP the same credentials in order to be authorized to vote for the second time. TTP detects the double credential submission because it stores all the submitted credentials (Step 3.(d)). The third attack is the attempt of the voter to obtain for the second time new credentials for the same vote. Obviously, thanks to the considerations given for the second attack, we only have to analyze the case in which the voter tries to obtain fresh credentials. Let C_i be one of these credentials. Two cases may hold.
The first case is that the contacted credential provider, say CU_i, is the one returned by Step 1 of the protocol. In this case, the credential issued by CU_i to V is S_CUi{a_i, ID_R}, which coincides with the credential previously released, since the value a_i = H(ID_V || S_CUi) depends only on the voter's identifier ID_V and on the static secret S_CUi. As a consequence, no fresh credential has been obtained.

The second case occurs if the voter contacts a provider CU_x different from the one returned by the lookup service with input H(ID_R || i) at Step 1 of the protocol (i.e., CU_i), in order to obtain a different a_i. This attack also fails, due to the check done by TTP in Step 3.(c).

As a final remark about uniqueness, we observe that, depending on what we use as the voter's identifier ID_V, we may ensure vote uniqueness w.r.t. just the voter's profile in the social network or w.r.t. the identity of the physical person. The former is obtained, for example, by using the URL of the profile as identifier; the latter is achieved by adopting a secure PKI certifying the ownership of the public key registered in the profile and by using as ID_V some personal identifier (for example, the VAT number).

Secretness. Secretness ensures that the score given by each user is kept secret. In particular, we mean that nobody must be able to link any information about a vote (i.e., resource and score) to the voter. The score s is initially sent to TTP by V in the message ER = ⟨ID_R, (r||s)?⟩. This message does not give TTP the possibility to learn s, since it includes s in pre-blinded form. For the same reason, r cannot be used to link the voter either. Thus, once the ballot S_TTP{ID_R, (r||s)} has been produced, it cannot be linked to the voter. Similarly, the credential users know only the voter's public key and have no possibility to guess the resource that will be evaluated (as seen at the end of Step 2). The other users have even less information about the ballot. Clearly, collusion between TTP and a credential user allows them to link the message ER = ⟨ID_R, (r||s)?⟩ to the identity of the voter via the credential, since the credential user is aware of the identity of the voter. As a consequence, in this case both TTP and the credential user become able to link the voter's identity to the resource being evaluated.
In this case, the probability of guessing the evaluation score is b^{−1}, where b is the number of different evaluation scores published in the bulletin board of the resource. This probability is equal to that of guessing the voter's score with no knowledge at all.

An attack aiming at breaking secretness could be based on covert channels [29]. It is a matter of fact that covert channels can be used to break the unlinkability of protocols guaranteeing anonymity (see for example [4]). In the covert channel we can envisage here, TTP acts as attacker by using a different pair of asymmetric keys for every voter it wants to trace. This results in a linkage between the partially blind signature PBS_TTP{ID_R, (r||s)?} that TTP produces on the evaluation record ER and the signed ballot S_TTP{ID_R, (r||s)}. Observe that, otherwise, this link would exist only if ID_R occurred just once in the published ballots (i.e., only if the resource R had been evaluated by a single voter). The covert channel is in any case undesirable, since it gives the attacker an advantage in linking the voter with her vote. For example, if we combine this covert-channel attack with the collusion between TTP and a credential user described above, then TTP becomes able to link the voter with the score of her evaluation. Indeed, thanks to the collusion, TTP links the voter with the message ER = ⟨ID_R, (r||s)?⟩, while, thanks to the covert-channel attack, it links ER to the signed ballot and thus to the score s. However, this attack is prevented. Indeed, the protocol requires that all evaluation records are signed by TTP using the same key pair². Thus, the voter can detect the attack by comparing the key pair used by TTP to sign her ballot with the one under which any ballot published in the bulletin board of any resource verifies.

Another attack we have to consider is carried out by a credential user CU_i and is aimed at guessing the resource evaluated by the voter. Recall that CU_i receives from the voter only the message ID_R? (i.e., ID_R in pre-blinded form), even though, due to the authentication step, she is aware of the identity of the voter. In this attack the credential user exploits the information that her selection has been done on the basis of the resource. To do this, she should be able to invert the composition of two hashes, namely the DHT lookup function and the function H. However, even though inverting the DHT lookup function is feasible, since it is not a cryptographic hash, this is not the case for H, whose input ID_R is the URL of the corresponding resource. Thus, the attack is prevented.

Individual Verifiability. We now consider verifiability. Each user can verify that the overall score of the resource is fair, since her ballot S_TTP{ID_R, (r||s)} is listed in the bulletin board. As already stated for uniqueness, the probability that two voters generate the same r is negligible; as a consequence, the ballot is identified by the r generated in Step 3.

Uncloneability. This property ensures that the generation of a bogus ballot starting from a legal one is detected. A valid ballot has been signed by TTP and thus cannot be modified. Nor can it be duplicated, thanks to the bit sequence r identifying the ballot, according to the probability consideration above.

Robustness. Concerning robustness, we highlight that whenever at most t credential users misbehave, their malicious behaviour is detected by TTP. Indeed, the voter has to provide 2·t + 1 credentials and, thus, at least t + 1 of them are correct, due to the CU-collusion assumption. As a consequence, fake credentials are detected since they are in the minority during the verification phase run by TTP in Step 3.(a)–(d).

Besides security aspects, we finally observe that our protocol presents good scalability, since the number of users involved in the generation of a single score is independent of the overall number of users. In particular, the evaluation of a resource by a voter involves a limited number (2·t + 1) of other users (who play the role of credential users). The overall scalability of the system is clearly affected also by the scalability of the underlying anonymous communication system; however, it is well known that highly scalable anonymous communication systems exist [18].
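The uniqueness and robustness checks discussed above (double-submission detection keyed by r, replayed or non-designated credentials rejected in Step 3.(a)–(d), the t + 1 majority among the 2·t + 1 credentials, and the birthday bound on r) can be exercised in the following toy model. It is an added example, not code from the paper: digital signatures are replaced by HMAC tags whose keys TTP is assumed to hold in place of the signers' public keys, the DHT lookup is modelled as a successor lookup over hashed node names, the blinding of the ballot is left out (TTP sees the unblinded r||s), and the profile URLs, resource URL, secrets and r value are constructed; all helper names are ours.

```python
import hashlib
import hmac
import math

R_BITS = 128  # r is a 128-bit random ballot identifier


def H(data: bytes) -> bytes:
    """Cryptographic hash used for a_i and for the DHT lookup key."""
    return hashlib.sha256(data).digest()


def birthday_collision_probability(u: int, domain_bits: int = R_BITS) -> float:
    """p(u; D) = 1 - e^(-u^2 / (2D)) with D = 2^domain_bits.
    -expm1(-x) keeps precision where 1 - exp(-x) would round to zero."""
    x = (u * u) / (2 * 2 ** domain_bits)
    return -math.expm1(-x)


class CredentialUser:
    """One of the 2t+1 credential users; `secret` is its static S_CUi (constructed)."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret
        self.node_id = int.from_bytes(H(name.encode()), "big")  # DHT position (assumed)

    def credential(self, id_v: bytes, id_r: bytes, honest: bool = True) -> dict:
        a_i = H(id_v + self.secret)  # a_i = H(ID_V || S_CUi): identical for every request by V
        tag = hmac.new(self.secret, a_i + id_r, "sha256").digest()  # stands in for S_CUi{a_i, ID_R}
        if not honest:  # a misbehaving CU returns a credential that will not verify
            tag = bytes(len(tag))
        return {"cu": self.name, "a": a_i, "tag": tag}


def lookup(cus: list, key: bytes) -> CredentialUser:
    """Successor lookup: the CU whose node id follows the key on the ring (assumed DHT)."""
    k = int.from_bytes(key, "big")
    return min(cus, key=lambda cu: (cu.node_id - k) % 2 ** 256)


class TTP:
    def __init__(self, cus: list, t: int):
        self.cus, self.t = cus, t
        self.by_name = {cu.name: cu for cu in cus}
        self.used_credentials = set()  # Step 3.(d): every accepted credential is stored
        self.ballots = {}              # r -> (ID_R, s): double submissions are detected here

    def designated(self, id_r: bytes, i: int) -> CredentialUser:
        """The provider the voter must contact for position i: lookup(H(ID_R || i))."""
        return lookup(self.cus, H(id_r + i.to_bytes(4, "big")))

    def authorize(self, id_r: bytes, creds: list) -> bool:
        """Steps 3.(a)-(d): accept iff no credential was seen before and at least
        t+1 of the 2t+1 credentials come from the designated CU and verify."""
        if len(creds) != 2 * self.t + 1:
            return False
        if any(c["a"] in self.used_credentials for c in creds):
            return False  # second attack: credentials replayed to vote twice
        good = 0
        for i, c in enumerate(creds):
            cu = self.by_name.get(c["cu"])
            if cu is None or cu is not self.designated(id_r, i):
                continue  # Step 3.(c): not the provider returned by the lookup
            expected = hmac.new(cu.secret, c["a"] + id_r, "sha256").digest()
            if hmac.compare_digest(expected, c["tag"]):
                good += 1  # Step 3.(a): the credential verifies
        if good < self.t + 1:
            return False  # with at most t misbehaving CUs, fake credentials stay a minority
        self.used_credentials.update(c["a"] for c in creds)
        return True

    def submit_ballot(self, id_r: bytes, r: bytes, s: int) -> bool:
        """First attack: a ballot whose identifier r was already submitted is rejected."""
        if r in self.ballots:
            return False
        self.ballots[r] = (id_r, s)
        return True


def demo() -> dict:
    """Runs the attacks of the uniqueness and robustness analysis against the toy TTP."""
    t = 1
    cus = [CredentialUser(f"CU{i}", f"secret-{i}".encode()) for i in range(8)]  # constructed
    ttp = TTP(cus, t)
    id_r = b"https://sn.example/resource/42"                                 # constructed ID_R
    alice, bob = b"https://sn.example/alice", b"https://sn.example/bob"      # constructed ID_V
    designated = [ttp.designated(id_r, i) for i in range(2 * t + 1)]
    creds = [cu.credential(alice, id_r) for cu in designated]
    out = {"first_vote": ttp.authorize(id_r, creds)}
    # third attack, first case: asking the same CUs again yields identical credentials
    out["fresh_is_identical"] = [cu.credential(alice, id_r) for cu in designated] == creds
    out["replay"] = ttp.authorize(id_r, creds)  # second attack: same credentials again
    # third attack, second case: credentials from CUs the lookup did not designate
    others = [cu for cu in cus if cu not in designated][: 2 * t + 1]
    out["non_designated"] = ttp.authorize(id_r, [cu.credential(alice, id_r) for cu in others])
    # robustness: one of the 2t+1 CUs misbehaves, t+1 valid credentials remain
    bob_creds = [cu.credential(bob, id_r, honest=(i != 0)) for i, cu in enumerate(designated)]
    out["one_bad_cu"] = ttp.authorize(id_r, bob_creds)
    r = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit r
    out["ballot"] = ttp.submit_ballot(id_r, r, 4)
    out["ballot_replay"] = ttp.submit_ballot(id_r, r, 4)
    out["p_collision"] = birthday_collision_probability(10 ** 12)
    return out
```

Running `demo()` accepts the first vote, reports the re-requested credentials as identical, rejects both the replayed and the non-designated credentials, still accepts a voter whose 2·t + 1 = 3 credentials include one from a misbehaving CU, rejects the second submission of the same r, and evaluates the birthday bound for u = 10^12 and D = 2^128 to about 1.5 · 10^{−15}.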

² In a real-life implementation of the protocol we could allow key substitution, but we require in any case that keys are long-term, which still prevents the covert-channel attack.

VII. CONCLUSION AND FUTURE WORK

Resource evaluation in social networks is one of the activities in which users reveal a lot of private information, sometimes in an unexpected way. In a privacy-aware scenario, it would be desirable that users can choose whether to link the scored resource with their profile or, in case they do not want to reveal private information, to vote the resource anonymously. In this paper, we have addressed this problem by defining a protocol that solves the trade-off between feasibility and security. The protocol relies on a DHT-based P2P social network, allowing the solution to be resistant also in case of untrustworthy social network providers. The protocol can be viewed as a light-weight e-voting procedure, since we have relaxed some disproportionate or inadequate properties of traditional e-voting systems. This allowed us to design a protocol that appears feasible in the context of social networks, since it does not require complex ad-hoc infrastructures, yet guarantees the needed security requirements. As future research we plan to investigate some intermediate solutions, allowing the user to choose to reveal some non-identifying information about her profile when scoring a resource (taking inspiration from approaches used for selective disclosure), as well as some implementation issues.

ACKNOWLEDGMENT

This work was partially funded by the Italian Ministry of Research through the PRIN Project EASE (Entity Aware Search Engines).

REFERENCES

[1] M. Abe. Universally verifiable mix-net with verification work independent of the number of mix-servers. In Advances in Cryptology, EUROCRYPT '98, pages 437–447. Springer, 1998.
[2] M. Abe and E. Fujisaki. How to date blind signatures. In Advances in Cryptology, ASIACRYPT '96, pages 244–251. Springer, 1996.
[3] A. Acquisti. Receipt-free homomorphic elections and write-in ballots. Technical Report 2004/105, 2004.
[4] M. Ates, F. Buccafurri, J. Fayolle, and G. Lax. A warning on how to implement anonymous credential protocols into the information card framework. International Journal of Information Security, 11(1):33–40, Feb. 2012.
[5] S. Buchegger and A. Datta. A case for P2P infrastructure for social networks: opportunities & challenges. In Sixth International Conference on Wireless On-Demand Network Systems and Services (WONS 2009), pages 161–168. IEEE, 2009.
[6] S. Buchegger, D. Schiöberg, L. Vu, and A. Datta. PeerSoN: P2P social networking: early experiences and insights. In Proceedings of the Second ACM EuroSys Workshop on Social Network Systems, pages 46–52. ACM, 2009.
[7] M. Burmester and E. Magkos. Towards secure and practical e-elections in the new era. In Secure Electronic Voting, pages 63–76, 2003.
[8] D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–90, 1981.
[9] D. Chaum. Blind signatures for untraceable payments. In Advances in Cryptology: Proceedings of CRYPTO '82, pages 199–203, 1983.
[10] D. Chaum. Elections with unconditionally-secret ballots and disruption equivalent to breaking RSA. In Advances in Cryptology, EUROCRYPT '88, pages 177–182. Springer, 1988.
[11] R. Cramer, R. Gennaro, and B. Schoenmakers. A secure and optimally efficient multi-authority election scheme. European Transactions on Telecommunications, 8(5):481–490, 1997.
[12] L. Cutillo, R. Molva, and T. Strufe. Privacy preserving social networking through decentralization. In Sixth International Conference on Wireless On-Demand Network Systems and Services (WONS 2009), pages 145–152. IEEE, 2009.

[13] I. Damgård, J. Groth, and G. Salomonsen. The theory and implementation of an electronic voting system. In Secure Electronic Voting, pages 77–98, 2003.
[14] I. Damgård and M. Jurik. A generalisation, a simplification and some applications of Paillier's probabilistic public-key system. In Public Key Cryptography, pages 119–136. Springer, 2001.
[15] R. Dingledine, N. Mathewson, and P. Syverson. Tor: The second-generation onion router. Technical report, DTIC Document, 2004.
[16] H. Dobbertin, A. Bosselaers, and B. Preneel. RIPEMD-160: A strengthened version of RIPEMD. In Fast Software Encryption, pages 71–82. Springer, 1996.
[17] D. Eastlake and P. Jones. US Secure Hash Algorithm 1 (SHA1). RFC 3174, September 2001.
[18] M. Edman and B. Yener. On anonymity in an electronic society: A survey of anonymous communication systems. ACM Computing Surveys, 42(1):5:1–5:35, Dec. 2009.
[19] P. Fouque, G. Poupard, and J. Stern. Sharing decryption in the context of voting or lotteries. In Financial Cryptography, pages 90–104. Springer, 2001.
[20] A. Fujioka, T. Okamoto, and K. Ohta. A practical secret voting scheme for large scale elections. In Advances in Cryptology, AUSCRYPT '92, pages 244–251. Springer, 1993.
[21] P. Golle, S. Zhong, D. Boneh, M. Jakobsson, and A. Juels. Optimistic mixing for exit-polls. In Advances in Cryptology, ASIACRYPT 2002, pages 593–602. Springer, 2002.
[22] S. Hahn and K. Loesing. Privacy-preserving ways to estimate the number of Tor users. Technical report, The Tor Project, November 2010.
[23] M. Hirt and K. Sako. Efficient receipt-free voting based on homomorphic encryption. In Advances in Cryptology, EUROCRYPT 2000, pages 539–556. Springer, 2000.
[24] A. Juels, D. Catalano, and M. Jakobsson. Coercion-resistant electronic elections. In Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, pages 61–70. ACM, 2005.
[25] A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997.
[26] R. Merkle. Secure communications over insecure channels. Communications of the ACM, 21(4):294–299, 1978.
[27] W. Ogata, K. Kurosawa, K. Sako, and K. Takatani. Fault tolerant anonymous channel. In Information and Communications Security, pages 440–444, 1997.
[28] C. Park, K. Itoh, and K. Kurosawa. Efficient anonymous channel and all/nothing election scheme. In Advances in Cryptology, EUROCRYPT '93, pages 248–259. Springer, 1994.
[29] F. Petitcolas, R. Anderson, and M. Kuhn. Information hiding: a survey. Proceedings of the IEEE, 87(7):1062–1078, 1999.
[30] J. Pieprzyk, T. Hardjono, and J. Seberry. Fundamentals of Computer Security. Springer, 2003.
[31] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.
[32] A. I. T. Rowstron and P. Druschel. Pastry: Scalable, decentralized object location, and routing for large-scale peer-to-peer systems. In Proceedings of the IFIP/ACM International Conference on Distributed Systems Platforms, Heidelberg, pages 329–350. Springer, 2001.
[33] K. Sako and J. Kilian. Receipt-free mix-type voting scheme. In Advances in Cryptology, EUROCRYPT '95, pages 393–403. Springer, 1995.
[34] R. Sherwood, B. Bhattacharjee, and A. Srinivasan. P5: A protocol for scalable anonymous communication. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 58–70. IEEE, 2002.
[35] C. Shields and B. Levine. A protocol for anonymous communication over the Internet. In Proceedings of the 7th ACM Conference on Computer and Communications Security, pages 33–42. ACM, 2000.
[36] I. Stoica, R. Morris, D. Karger, M. F. Kaashoek, and H. Balakrishnan. Chord: A scalable peer-to-peer lookup service for Internet applications. In Proceedings of the 2001 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM), pages 149–160. ACM, 2001.
[37] F. Wang, Y. Moreno, and Y. Sun. Structure of peer-to-peer social networks. Physical Review E, 73(3):036123, 2006.
[38] A. Zwierko and Z. Kotulski. A light-weight e-voting system with distributed trust. Electronic Notes in Theoretical Computer Science, 168:109–126, 2007.