
Privacy-respecting Auctions as Incentive Mechanisms in Mobile Crowd Sensing


Page 1: Privacy-respecting Auctions as Incentive Mechanisms in Mobile Crowd Sensing

Privacy-Respecting Auctions in Mobile Crowd Sensing

Tassos Dimitriou & Ioannis Krontiris

1

Privacy-Respecting Auctions as Incentive Mechanisms in Mobile

Crowd Sensing

Tassos Dimitriou and Ioannis Krontiris

9th WISTP International Conference on Information Security Theory and Practice (WISTP'2015).

August 24 - 25, 2015 Heraklion, Crete, Greece

Page 2

Outline

• Motivation
• Auction mechanism for mobile sensing
• Security and privacy requirements
• Privacy-respecting auction and rewarding mechanism

Page 3

Picture from: D. Christin, A. Reinhardt, S.S. Kanhere, M. Hollick, A Survey on Privacy in Mobile Participatory Sensing Applications, Journal of Systems & Software 2011.

Mobile Sensing - Old Style

Participants proactively send data. How to motivate contribution and better quality of data? How to protect privacy?

Page 4

Information Discovery

Here data consumers are interested in retrieving information, according to some requirements, from multiple data contributors that satisfy these requirements.

The data consumer defines:
• a specific geographic area
• sensor types and time frame
• quality criteria

Figure: the consumer posts the task in the public domain; contributors download the task and respond.

Page 5

Incentives to participation

Why would mobile users contribute data? They need incentives: monetary, social, gaming.

Micro-payments work! But how much is enough? It depends on personal preferences, the perceived cost of participation, and context.

It should be the data provider who sets the price! Apply reverse auctions: the n users with the lowest prices win the auction and contribute data.

Page 6

Multi-attributive auctions

The most suitable kind: multi-attributive auctions. They allow the integration of quality attributes into the auction bidding, besides the price.

Page 7

Privacy concerns

The widespread deployment of mobile sensors introduces serious privacy risks, since the frequent collection of personal data may reveal considerable information about location, personal preferences, social relationships, etc.

It is imperative to address privacy in mobile crowd-sensing systems.

It still remains an open problem how to provide privacy protection when incentive mechanisms are also incorporated in the system.

Page 8

Our contribution: Incentives + Privacy

A privacy-respecting protocol that allows anonymous users to participate in reverse auctions employed by an MCS system.

Two main parts:

• Provide bidders' anonymity for the auction.
• Reward users and enable winners of the auction to claim their rewards without being linked to their contributed data.

Page 9

Model

Service Providers:
• requesters of sensing data
• have a fixed budget

Users: owners of mobile devices with sensors

Auction Infrastructure:
• Task Server - publishes the sensing tasks
• Auction Server - runs the auction process
• Report Server - collects the reports from the auction winners and forwards them to the Service Provider

Page 10

A generic auction mechanism

Bid = Utility Score Si, computed based also on quality factors (e.g. distance from the desired location, the location accuracy, the sampling frequency, ...)

Page 11

Security and Privacy Requirements

Correctness and Fairness: Winners get their reward. No bidder can obtain an unfair advantage based on information revealed about other bids.

Bidders' privacy: Bidders remain anonymous throughout the whole auction process -> unlinkability between (a) the identity of bidders and their bids, and (b) two bids from the same bidder.

Confidentiality of bids: All bids remain secret until the opening phase. Applies for all parties including Auction Server.

Public verifiability: The correctness of the auction process should be easy to verify by any interested party.

Non-repudiation: No bidder should be able to change its mind (e.g. deny or modify its bid) once the bid is submitted.

Page 12

Auction protocol

Two main phases: Bidding and Opening. However, there is also an implicit setup phase: Registration.

During registration,
• the Auction Server (AS) sets up the bulletin board, publishes its public key and announces the parameters of the auction: Auction ID, starting/ending time, duration of each phase, and so on;
• each bidder i creates a pseudonymous ID (BidderID) to represent its identity during the auction, along with a one-time public key Ki;
• the AS publishes this information on the bulletin board.

Page 13

Auction protocol - Bidding

During the bidding phase, each bidder i
• computes its utility score Si,
• masks it with a random number ri, and
• sends a commitment Ci of hi for the bid, where

hi = H(Si || ri).

Note: The Auction Server receives a bid, but it cannot read the bid before the opening phase. Commitments are published on the bulletin board so that each bidder can verify that its bid has been correctly accounted for.

Page 14

Auction protocol - Opening

When the bidding phase is over, each bidder reveals the utility score Si and the random number ri that were used in computing Ci. The Auction Server announces the n highest utility scores as the winners of the auction.

Note: Any participant can verify correctness by computing H(Si || ri) and comparing it with the commitment Ci received during the bidding phase.
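The commit-and-open auction of the bidding and opening slides, as an added example that is not part of the authors' slides or paper. It assumes SHA-256 as H, a 32-byte mask ri and a plain in-memory dictionary as the bulletin board; the signature under the bidder's one-time key Ki is omitted.

```python
import hashlib
import secrets

def commit(score: int, r: bytes) -> str:
    """hi = H(Si || ri): SHA-256 over the utility score and the random mask."""
    return hashlib.sha256(str(score).encode() + b"||" + r).hexdigest()

def new_mask() -> bytes:
    # ri must be unpredictable and long: with a short or guessable mask the Auction
    # Server could brute-force the (small) score space during the bidding phase.
    return secrets.token_bytes(32)

class BulletinBoard:
    """Public log run by the Auction Server: commitments first, openings later."""
    def __init__(self, n_winners: int):
        self.n = n_winners
        self.commitments = {}   # BidderID -> hi
        self.openings = {}      # BidderID -> (Si, ri)
        self.bidding_open = True

    def bid(self, bidder_id: str, h: str) -> None:
        # One commitment per pseudonym; once posted it cannot be replaced (non-repudiation).
        if not self.bidding_open or bidder_id in self.commitments:
            raise ValueError("bidding closed or duplicate bid")
        self.commitments[bidder_id] = h

    def close_bidding(self) -> None:
        self.bidding_open = False

    def open(self, bidder_id: str, score: int, r: bytes) -> None:
        # Opening phase: a revealed (Si, ri) is accepted only if it matches the commitment.
        if self.bidding_open or commit(score, r) != self.commitments.get(bidder_id):
            raise ValueError("opening does not match a published commitment")
        self.openings[bidder_id] = (score, r)

    def winners(self) -> list:
        # The n highest utility scores win; ties are broken by pseudonym for determinism.
        ranked = sorted(self.openings.items(), key=lambda kv: (-kv[1][0], kv[0]))
        return [bidder for bidder, _ in ranked[: self.n]]

def audit(board: BulletinBoard) -> bool:
    """Public verifiability: any party recomputes H(Si || ri) for every opening and
    checks it against the commitment posted during bidding."""
    return all(commit(s, r) == board.commitments.get(b)
               for b, (s, r) in board.openings.items())
```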

Page 15

Incentives for participation - Rewarding

The previous protocol can be extended to support a privacy-preserving credit reward mechanism for users submitting data reports. This can be achieved using
(i) a central bank system, or
(ii) a decentralized digital payment system (the method developed here).

(i) While the e-cash scheme (not shown here) may be conceptually easier, it suffers from a potential loss of privacy if the Report Server and the Bank collude to reveal the bidder's identity.

Page 16

Anonymous reward tokens

To eliminate the need for a centralized payment service, we can use the Report Server as an issuer of reward tokens that can be redeemed by the bidder.

The token
• corresponds to an amount commensurate with the data provided by the user;
• reveals no information about the underlying user;
• the recipient (RS) has first to verify the validity of submitted tokens and then verify whether they have been spent before.

This approach can still be thought of as a lightweight e-cash scheme, yet without the requirement of a trusted payment service.

Page 17

Token generation

Figure: message exchange between Winning Bidder Bi and Report Server RS.

Page 18

Token spending

Figure: message exchange between Winning Bidder Bi and Report Server RS.

Submission of tokens (the user must prove knowledge of the secret values r and s used in the creation of token T):

Winning Bidder Bi:
Set h = H(Token, date/time)
Set y = r + hs mod q
Send Token T, y to the RS

Report Server RS:
Verify signature. Is T a valid token?
Verify the token has not been used before by searching the database of used tokens.

Note: The protocol ensures that (i) tokens are not tied to bidder identities, and (ii) the RS is protected from malicious bidders who try to double-spend tokens.
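The token-spending check above, as an added example that is not taken from the authors' slides or paper. It assumes the token ID is (u, v) = (g^r, g^s) in a toy prime-order group, so the RS verifies g^y = u * v^h (mod p); an RS-keyed MAC stands in for the RS signature, and the blind token-generation step is not modelled, so the example shows only the proof of knowledge and the used-token check.

```python
import hashlib, hmac, secrets

# Toy group (constructed for illustration; a deployment would use a standard
# 2048-bit group): p = 2q + 1 with q prime, g generates the subgroup of order q.
P, Q, G = 1019, 509, 4
RS_ISSUE_KEY = b"rs-issuing-key-demo"  # assumption: stands in for the RS signing key

def H(*parts) -> int:
    """Hash-to-scalar for the challenge h = H(Token, date/time)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def rs_tag(u, v, val, exp) -> str:
    # Assumption: an RS-keyed MAC over the public token fields stands in for the
    # RS signature of the slides; only the RS can create or check it.
    return hmac.new(RS_ISSUE_KEY, f"{u}|{v}|{val}|{exp}".encode(), "sha256").hexdigest()

def bidder_make_token(val, exp):
    """Bidder picks secrets r, s; token ID is (u, v) = (g^r, g^s). Assumption: the
    blind issuance step is not modelled, the RS tags (u, v) in the clear."""
    r, s = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    u, v = pow(G, r, P), pow(G, s, P)
    return (r, s), {"u": u, "v": v, "Val": val, "Exp": exp, "sig": rs_tag(u, v, val, exp)}

def bidder_spend(token, bidder_secrets, when):
    """Schnorr-style proof of knowledge of (r, s), bound to the spending time."""
    r, s = bidder_secrets
    h = H(token["u"], token["v"], token["Val"], token["Exp"], when)  # h = H(Token, date/time)
    return token, (r + h * s) % Q, when                               # y = r + h*s mod q

class ReportServer:
    def __init__(self):
        self.used = set()  # database of already-redeemed token IDs

    def redeem(self, t, y, when) -> str:
        # 1. Verify signature and expiry: is T a valid, unexpired token issued by the RS?
        ok_sig = hmac.compare_digest(rs_tag(t["u"], t["v"], t["Val"], t["Exp"]), t["sig"])
        if not ok_sig or when > t["Exp"]:   # Exp and when compared as ISO-8601 strings
            return "invalid token"
        # 2. Check the proof: g^y == u * v^h (mod p) holds only if the spender knows r, s.
        h = H(t["u"], t["v"], t["Val"], t["Exp"], when)
        if pow(G, y, P) != (t["u"] * pow(t["v"], h, P)) % P:
            return "bad proof"
        # 3. Reject double spending: the token ID must not already be in the used database.
        token_id = (t["u"], t["v"])
        if token_id in self.used:
            return "double spend"
        self.used.add(token_id)
        return "accepted"
```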

Page 19

Security Analysis (1)

Confidentiality of bids. Since bids are opened only after the bidding phase, nobody can compute the bids before they are opened. Recall the commitment H(Si || ri).

Correctness & Verifiability. All values are published on the bulletin board.
• Anybody can verify the correctness of the auction, as all bidders reveal their utility scores Si and the random numbers ri used in the signed commitment.

Unlinkability between bids. It is not possible to relate two bids submitted at different auctions by the same bidder.
• Bidders participate in auctions using different pseudonyms and public keys.
• It is important to use an anonymity service so that bid submissions cannot be linked to an internet identifier such as the IP address of the bidder.

Page 20

Security Analysis (2)

Unforgeability/Unreusability of tokens. The zero-knowledge proofs used during token spending ensure that only a bidder who knows the representation of u and v in the token ID can supply these proofs.

Bidder privacy/Unlinkability of tokens. When a user tries to redeem a token and provides the server (directly or indirectly through a proxy) with the zero-knowledge proof, the server cannot tell which bidder created the token, as the only part visible during the token construction is the public part (Val, Exp) of the token.

Page 21

Token indistinguishability experiment

Page 22

Conclusions

Users of mobile devices can participate anonymously in the auctions and define the price they expect for contributing sensing data.

The buyer of the data can select the winners based not only on the price, but also on the quality of the offered data.

The winners of the auction can then collect their reward without linking their real identity to the data they contributed.

Our solution uses a lightweight rewarding scheme, eliminating the need for a single trusted payment system.

Future work: integrate an anonymous reputation mechanism.
