On the Tradeoff between Trust and Privacy
in Wireless Ad Hoc Networks
Maxim Raya, Reza Shokri, Jean-Pierre Hubaux
LCA1, EPFL, Switzerland
The Third ACM Conference on Wireless Network Security (WiSec'10), March 2010, Hoboken, NJ, USA
The Trust-Privacy Tradeoff
Entity-centric trust
• Trust is built in each entity
• The cost is reduced privacy
Data-centric trust
• Trust is built in the data
• Entities can keep privacy
The Dilemma of Data-Centric Trust
• Data increasingly comes from multiple sources
• Mobile devices reflect their users’ preferences and hence characterize them
Ephemeral network
Users are not fully hidden behind their data!
More contributions = More accurate trust
The Privacy-Preserving Gene
• Building data-centric trust is a collective effort
• Users might lose some of their privacy
• What if entities are privacy-preserving?
• A privacy-preserving entity maximizes its privacy
• Game theory: A selfish entity optimizes its utility
• Privacy-preservation = Selfishness
How to build data-centric trust in ephemeral networks with privacy-preserving entities?
Example: VANET
• CA pre-establishes credentials offline
• Entities communicate attributes (e.g., credentials, location)
• Communication is sequential
• There are deadlines on making decisions
• Benign entities disseminate truthful info
• Adversaries disseminate false info
Trust-Privacy Games
• Problem: privacy-preserving entities building data-centric trust in the presence of privacy-preserving attackers
• Game theory can help by modeling situations where the decisions of players affect each other
• Attacker-Defender Game $G_{AD}$
• Trust Contribution Game $G_{TC}$
• Similar to eBay auctions: privacy = money.
• But, privacy cannot be «reimbursed»
[Figure: timeline (Time axis from Start to Deadline) with sides A and D; labels: Minimum required trust threshold, Winner]
Attacker-Defender Game: captures at the macroscopic level the competition between attackers and defenders to support their respective versions of the truth
Trust Contribution Game: defines at the microscopic level the individual amounts of privacy to be contributed by entities in each side to collectively win $G_{AD}$
Attacker-Defender Game
Access to channel is probabilistic
Theorem: The strategy (W,W) is the Perfect Bayesian Equilibrium of $G_{AD}$
• Players
  – Attackers
  – Defenders
• Strategies
  – Wait (W)
  – Send (S)
Trust Contribution Game
Theorem: The Subgame Perfect Equilibrium of $G_{TC}$ is defined by:
$t_k^* = 0$
No entity contributes!
Game with Incentives
[Figure: timeline from Start to Deadline, labelled "reward for playing early"]
Theorem: The equilibrium of $G_{TC}^{I}$ is defined by:
$t_k^* = \frac{r\,(K-1)}{K^2}$
K: # of users
Corollary: The strategy (S,S) can be enforced in $G_{AD}$ by choosing appropriate reward r.
Incentives help
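A numerical check of the two Trust Contribution Game results above, added here as an example (not from the slides or the authors' code). It assumes a payoff the slides do not state: each of K entities receives a share of the reward r proportional to its privacy contribution and pays the privacy it contributes; all function names are illustrative.

```python
import math

def utility(t_k, others_sum, r):
    # Assumed payoff (not from the slides): a share of reward r proportional
    # to the privacy t_k contributed, minus the privacy spent.
    total = t_k + others_sum
    return (r * t_k / total if total > 0 else 0.0) - t_k

def best_response(others_sum, r):
    # Maximiser of utility() over t_k >= 0, from d(utility)/d(t_k) = 0.
    if r <= 0 or others_sum >= r:
        return 0.0
    return math.sqrt(r * others_sum) - others_sum

def equilibrium(K, r, rounds=2000):
    # Damped simultaneous best-response updates from constructed, unequal starts.
    t = [0.01 * (k + 1) for k in range(K)]
    alpha = 1.0 / K  # damping keeps the update stable as K grows
    for _ in range(rounds):
        total = sum(t)
        t = [(1 - alpha) * tk + alpha * best_response(total - tk, r) for tk in t]
    return t

def closed_form(K, r):
    # Equilibrium contribution stated on the slide: r (K - 1) / K^2.
    return r * (K - 1) / K ** 2

def gains_from_deviating(t, r, steps=400):
    # Largest utility gain any single entity gets by unilaterally moving its
    # contribution to a grid point in [0, r]; about 0 means an equilibrium.
    best = 0.0
    for tk in t:
        others = sum(t) - tk
        base = utility(tk, others, r)
        for i in range(steps + 1):
            best = max(best, utility(r * i / steps, others, r) - base)
    return best

if __name__ == "__main__":
    for K in (2, 5, 20):
        for r in (0.0, 1.0):  # r = 0 is the game without incentives
            t = equilibrium(K, r)
            print(f"K={K} r={r}: t_k={t[0]:.4f} "
                  f"closed form={closed_form(K, r):.4f} "
                  f"max deviation gain={gains_from_deviating(t, r):.1e}")
```

With r = 0 every contribution decays to zero, and with r > 0 the per-entity contribution shrinks as K grows, so the reward has to scale with the number of users to sustain a given level of trust.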
Conclusion
• Data-centric trust can reduce privacy losses compared to entity-centric trust
• Privacy-preserving entities are selfish by definition and need a game-theoretic analysis
• Without incentives, privacy-preserving entities do not contribute to trust establishment