Privacy-Preserving Relationship Path Discovery in Social Networks
Ghita Mezzour, Adrian Perrig, Virgil Gligor
Carnegie Mellon University
Panos Papadimitratos
EPFL
8th International Conference on Cryptology & Network Security, Dec 13th, 2009
Social Trust is Useful
People nearby in a social network are more trusted.
Privacy-preserving relationship path discovery scheme.
(Figure: buyer A and seller D are linked by the relationship paths A-B-C-D and A-E-F-D; the scheme returns to A the private paths (B, d=3) and (E, d=3), from which a score is derived.)
A Social Networking Problem
Relationships => private information: personal attributes, personal associations.
"Just by looking at a person's online friends, they could predict whether the person was gay. Gay men had proportionally more gay friends than straight men."
http://www.boston.com/bostonglobe/ideas/articles/2009/09/20/project_gaydar_an_mit_experiment_raises_new_questions_about_online_privacy/
Private information is revealed by most SN sites.
Partial Solution: Decentralization
Characteristics: friend list managed locally; secure channels between friends; users may be offline.
Some privacy concerns are alleviated; censorship resistance.
(Figure: A, B and E each keep their own friend list; A-B and A-E are secure channels.)
Agenda: Problem Definition, Protocol Overview, Analysis, Related Work, Conclusion
Private-Path Discovery
Private relationship path: the first person on the relationship path, and the distance to an individual on the relationship path.
Example of relationship paths from A to D: A-B-C-D and A-E-F-D, both of distance d=3.
Example of private paths from A to D of distance d ≤ 3: (B, d=3) and (E, d=3); the users beyond the first hop (C, F) are not revealed to A.
Goal 1: Relationship Privacy
Ideal model: a trusted third party receives every user's friend list (A: friends = B & E; B: friends = A & C; and so on) together with A's query "private paths to D?", and returns to A only the private paths via B and via E; C and F remain hidden from A.
Real model: A and D run the protocol between themselves, without the trusted third party, and A should learn nothing beyond what the ideal model reveals.
Goal 2: Distance Integrity
Trust => distance integrity: higher trust requires shorter distances, and the 1st user on the path is the most trusted.
Non-integrity concern: a user shortens paths for succeeding users (but not past herself).
(Figure: path A - B - ... - C - D.)
Goal 3: Completeness
Discovery of all private paths; the consent of the individuals on the path is needed.
(Figure: 2 relationship paths between A & D of distance ≤ 3 (A-B-C-D and A-E-F-D) with their corresponding private paths (B, d=3) and (E, d=3); once consent is taken into account, 1 relationship path between A & D with its corresponding private path.)
Adversary Model
A user of the system; a single adversary; account creation and relationship establishment; free to arbitrarily deviate from the protocol.
Goal: break relationship privacy; break distance integrity.
(Example topology: A-B-C-D and A-E-F-D.)
Agenda: Problem Definition, Protocol Overview, Analysis, Related Work, Conclusion
Solution Overview
Token flooding phase: periodic run, e.g. 1st day of each month.
Private path discovery phase: on demand, e.g. when A & D meet at CANS; existing private paths are returned.
(Figure: tokens flooded from A over A-B-C-D and A-E-F-D; A then discovers the private paths to D via B and via E, d=3.)
Token Flooding Phase (1/2)
Notation: T' computed token; T received token; ctr counter; d distance. Originator A, dmax=3.
A starts from its value z; every user forwards T' = H(T||ctr), d to the next hop.
A -> B: T1 = H(z||1), 1        A -> E: T2 = H(z||2), 1
B -> C: T3 = H(T1||1), 2       E -> F: T5 = H(T2||1), 2
C -> D: T4 = H(T3||1), 3       F -> D: T6 = H(T5||1), 3
Token Flooding Phase (2/2)
Local hash tree computation by the originator: depth = dmax, fan-out = maximum degree. In the paper: the originator only computes propagated tokens.
A locally computes, from z with dmax=3 and maximum degree 2:
z
  T1 = H(z||1)                T2 = H(z||2)
    T3 = H(T1||1)               T5 = H(T2||1)
      T4 = H(T3||1)               T6 = H(T5||1)
      T7 = H(T3||2)               T11 = H(T5||2)
    T8 = H(T1||2)               T12 = H(T2||2)
      T9 = H(T8||1)               T13 = H(T12||1)
      T10 = H(T8||2)              T14 = H(T12||2)
Path Discovery Phase
The user sends the tokens it received to the originator; the originator looks up the tokens in its computed hash tree. The phase runs once for a given pair of users.
Example: D sends T4, T6 to A. A finds T4 = H(T3||1), T3 = H(T1||1), T1 = H(z||1): private path via B, d=3. Likewise T6 = H(T5||1), T5 = H(T2||1), T2 = H(z||2): private path via E, d=3.
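The token flooding of the two preceding slides and the hash-tree lookup of this one, as an added Python example that is not code from the paper or the talk. SHA-256 as H, the two-byte counter encoding, the seed value and the six-user topology are assumptions made here.

```python
import hashlib
from collections import deque

# Constructed topology from the slides: A-B-C-D and A-E-F-D, both of distance 3.
FRIENDS = {"A": ["B", "E"], "B": ["A", "C"], "C": ["B", "D"],
           "D": ["C", "F"], "E": ["A", "F"], "F": ["E", "D"]}
D_MAX = 3  # dmax on the slides

def H(token: bytes, ctr: int) -> bytes:
    """T' = H(T || ctr); SHA-256 is an assumption, the slides only write H."""
    return hashlib.sha256(token + ctr.to_bytes(2, "big")).digest()

def token_flooding(originator: str, z: bytes) -> dict:
    """Flood tokens from seed z up to D_MAX hops; returns {user: [(token, distance)]}.
    Each holder hashes its token with a fresh counter per friend, never back to the sender."""
    received = {u: [] for u in FRIENDS}
    queue = deque([(originator, z, 0, None)])  # (holder, token, distance, sender)
    while queue:
        holder, tok, d, sender = queue.popleft()
        if d == D_MAX:
            continue
        ctr = 0
        for friend in FRIENDS[holder]:
            if friend == sender:
                continue
            ctr += 1
            child = H(tok, ctr)
            received[friend].append((child, d + 1))
            queue.append((friend, child, d + 1, holder))
    return received

def hash_tree(originator: str, z: bytes, max_degree: int) -> dict:
    """Originator's local tree of every token it could have caused (depth D_MAX,
    fan-out max_degree): token -> (first friend on the path, distance)."""
    frontier = [(H(z, c), f, 1) for c, f in enumerate(FRIENDS[originator], 1)]
    tree = {t: (f, 1) for t, f, _ in frontier}
    for d in range(2, D_MAX + 1):
        frontier = [(H(t, c), f, d) for t, f, _ in frontier
                    for c in range(1, max_degree + 1)]
        tree.update({t: (f, dist) for t, f, dist in frontier})
    return tree

def path_discovery(tree: dict, tokens_from_peer: list) -> list:
    """Look up the peer's tokens; the distance comes from the tree depth, so a peer
    claiming a shorter distance gains nothing (distance integrity)."""
    return sorted({tree[t] for t, _claimed in tokens_from_peer if t in tree})

def demo() -> list:
    z = b"constructed-seed-of-A"  # the originator's secret z
    return path_discovery(hash_tree("A", z, 2), token_flooding("A", z)["D"])
```

With the two-branch topology the originator's tree holds the 14 tokens of the slide, and A learns only (B, 3) and (E, 3) from D's two tokens, never C or F.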
Multiple Originators
(Figure: topology A-B-C-D and A-E-F-D.) Token distribution phase with A & E as originators.
Private path discovery between A & D: a private set intersection protocol with input from A and input from D; the output goes to A, D gets no output.
Agenda: Problem Definition, Protocol Overview, Analysis, Related Work, Conclusion
Network Topologies Used
                          Flickr        LiveJournal   Orkut          YouTube
Number of users           1.8 million   5.2 million   3 million      1.1 million
% of population crawled   26.9 %        95.4 %        11.3 %         unknown
Number of friend links    22.6 million  77.4 million  223.5 million  4.9 million
Source: Mislove et al., IMC 07.
Complexity (dmax = 3)
Computation overhead:
Token flooding: O(F3 + 2 F1 · F2) hash computations.
Private path discovery, user discovering the private paths: F3 homomorphic encryptions (once per input set), F3 homomorphic decryptions.
Private path discovery, other user: O(F3 + F3 ln ln F3) exponentiations.
Fi: number of relationship paths of distance ≤ i starting from user X.
Token Flooding – Computation Overhead
(Plot: computation overhead per user, token flooding by all users; x-axis 10^-5 to 10^3; more connected networks lie further right. Marked points: ≅90% of users: 100 ms; ≅95%: 10 s.)
Path Discovery – Computation Overhead
(Plot: computation overhead for the user discovering the private paths; x-axis 10^-2 to 10^4; more connected networks lie further right. Marked points: ≅70%: 10 s; ≅80%: 16 min; ≅90%: 2 min.)
Future Work
Overhead reduction; randomized discovery; full dynamic topology support (new relationships established, old relationships revoked); colluding adversaries; untrusted server.
Related Work
RE: Reliable Email. S. Garriss, M. Kaminsky, M. J. Freedman, B. Karp, D. Mazières, H. Yu. In Symposium on Networked Systems Design and Implementation (NSDI), 2006.
Private Relationships in Social Networks. B. Carminati, E. Ferrari, A. Perego. In International Conference on Data Engineering Workshops, 2007.
A Public-Key Protocol for Social Networks with Private Relationships. J. Domingo-Ferrer. In Modeling Decisions for Artificial Intelligence, 2007.
Privacy Preserving Grapevines: Capturing Social Network Interactions Using Delegatable Anonymous Credentials. Vijay A. Balasubramaniyan, Yunho Lee, Mustaque Ahamad. Georgia Tech Technical Report GT-CS-09-12, Sept 2009.
Conclusion
People nearby in a social network are more trusted. We proposed a scheme for privacy-preserving relationship path discovery that works in decentralized social networks and avoids privacy issues common in centralized sites.
Many potential applications: trust establishment, access control, email whitelisting.
Backup Slides
One Intermediate Friend vs. Longer Relationship Paths
One intermediate friend: sufficient information is available to the users; privacy-preserving information sharing.
Longer relationship paths: insufficient initial information; privacy-preserving information distribution & sharing.
(Figure: A discovers that B is a common friend with C without knowing the other friends of C; on the longer paths A-B-C-D and A-E-F-D the information beyond B and E is missing to A.)
Background – Private Set Intersection Protocol
A trusted third party that intersects A's set and D's set and hands the result to A ≈ the private set intersection protocol of Freedman et al. (Eurocrypt 04): A obtains the intersection, D gets no output.
Computation overhead: A: kA homomorphic encryptions (once per input set), kD homomorphic decryptions; D: O(kA + kD ln ln kA) exponentiations.
Background – Private Set Intersection
Private set intersection [Freedman et al. Eurocrypt 07] is based on homomorphic encryption: similar to public key encryption, but some operations on the plaintext are possible without the private key.
Computation overhead: A: kA homomorphic encryptions (once per input set), kD homomorphic decryptions; D: O(kA + kD ln ln kA) exponentiations.
Communication overhead: kA + kD homomorphic ciphertexts exchanged, for A as for D.
Complexities
Token flooding: computation O(F3 + 2 F1 · F2) hash computations; communication O(F3 + 2 F1 · F2) hash exchange.
Private path discovery, user A: computation F3A homomorphic encryptions (once per input set), F3D homomorphic decryptions; communication F3A + F3D homomorphic ciphertexts exchanged.
Private path discovery, user D: computation O(F3A + F3D ln ln F3A) exponentiations; communication F3A + F3D homomorphic ciphertexts exchanged.
FiX: number of relationship paths of distance ≤ i starting from user X.
Token Flooding Phase – Communication Overhead
(Plot: communication overhead per user; x-axis 10^2 to 10^10, with 1 MB, 10 MB and 100 MB marked.)
Path Discovery Phase – Communication Overhead
(Plot: communication overhead for both users involved in the discovery; x-axis 10^2 to 10^8.)
Basic Scheme – Privacy Leak
Leakage of the relative positioning of users after the private path discovery phase has been run with multiple users.
Example topology (A, B, C, D, E, F) and A's tokens: T1 = H(z||1), 1; T2 = H(z||2), 1; T3 = H(T1||1), 2; T4 = H(T2||1), 2; T5 = H(T3||1), 3; T6 = H(T3||2), 3; T7 = H(T4||1), 3; T8 = H(T4||2), 3. The distance-3 tokens reach D and F.
A's perception of the social network topology: from the tokens D and F present in separate discovery runs, A can tell which intermediate branches they share, i.e. how D and F are positioned relative to each other.
Randomization Technique
Hash tree (received token, distance, count): T1 = H(z||1||1), 1; T2 = H(z||1||2), 1; T3 = H(T1||2||1), 2; T4 = H(T2||2||1), 2; T5 = H(T1||3||1), 3; T6 = H(T1||3||2), 3; T7 = H(T2||3||1), 3; T8 = H(T2||3||2), 3.
(Figure: the same topology A, B, C, D, E, F with the tokens propagated along it; D, E and F receive T5, T6, T7, T8 at distance 3.)
Privacy Analysis
Leakage of the total number of paths with d ≤ dmax of the other party; no linkage among runs with different users.
(Figure: example topology, A's perception of the network topology, and the hash tree rooted at z with children H(z||1||1) and H(z||1||2); one branch carries T1, T2, T3, T4, T8 with H(T1||2||1), H(T1||2||2), H(T1||3||1), H(T1||3||5), ..., the other T9, T10, T11, T12, T14 with H(T9||2||1), H(T9||2||2), H(T9||3||1), H(T9||3||3), ...; the tokens reach D and F.)