On the Tradeoff between Trust and Privacy in Wireless Ad Hoc Networks
description
Transcript of On the Tradeoff between Trust and Privacy in Wireless Ad Hoc Networks
On the Tradeoff betweenTrust and Privacy
in Wireless Ad Hoc NetworksMaxim…...….RayaReza…….….ShokriJean-Pierre..Hubaux
LCA1, EPFL, Switzerland
The Third ACM Conference on Wireless Network Security (WiSec‘10) March 2010 Hoboken, NJ, USA
The Trust-Privacy Tradeoff
Entity-centric trust• Trust is built in each entity
• The cost is reduced privacy
Data-centric trust• Trust is built in the data
• Entities can keep privacy
2
priva
cyse
curit
y
securityprivacy
The Dilemma of Data-Centric Trust
• Data increasingly comes from multiple sources
• Mobile devices reflect their users’ preferences and hence characterize them
3
Ephemeral network
Users are not fully hidden behind their data!
More contributions = More accurate trust
The Privacy-Preserving Gene
• Building data-centric trust is a collective effort• Users might lose some of their privacy• What if entities are privacy-preserving?• A privacy-preserving entity maximizes its privacy• Game theory: A selfish entity optimizes its utility• Privacy-preservation = Selfishness
4
How to build data-centric trust in ephemeral networks with privacy-preserving entities?
Example: VANET• CA pre-establishes
credentials offline• Entities communicate
attributes (e.g., credentials, location)
• Communication is sequential
• There are deadlines on making decisions
• Benign entities disseminate truthful info
• Adversaries disseminate false info
5
Trust-Privacy Games• Problem: privacy-preserving entities building data-centric
trust in the presence of privacy-preserving attackers• Game theory can help by modeling situations where the
decisions of players affect each other
• Attacker-Defender Game GAD
• Trust Contribution Game GTC
• Similar to eBay auctions: privacy = money.• But, privacy cannot be «reimbursed»
6
7
A D
Minimum required trust threshold
Start
Deadline
Time ……
A D
8
A D
Start
Deadline
Time ……
A D
Winner
9
A D
Start
Deadline
Time
Attacker-Defender Game: captures at the macroscopic level the competition between attackers and defenders to support their respective versions of the truth
ADG
10
A D
Start
Deadline
Time
TCG
ADG
Trust Contribution Game: defines at the microscopic level the individual amounts of privacy to be contributed by entities in each side to collectively win GAD
Attacker-Defender Game
11
Access to channel is probabilistic
Theorem: The strategy (W,W) is the Perfect Bayesian Equilibrium of GAD
• Players– Attackers– Defenders
• Strategies– Wait (W)– Send (S)
Start
Deadline
Trust Contribution Game
12
Theorem: The Subgame Perfect Equilibrium of GTC is defined by:
* 0kt
No entity contributes!
Game with Incentives
13re
war
d fo
r pla
ying
ear
ly
Start
Deadline
Theorem: The equilibrium of is defined by:
K: # of users
ITCG
*2
( 1)k
r KtK
Corollary: The strategy (S,S) can be enforced in GAD by choosing appropriate reward r. I
Incentives help
Conclusion
• Data-centric trust can reduce privacy losses compared to entity-centric trust
• Privacy-preserving entities are selfish by definition and need a game-theoretic analysis
• Without incentives, privacy-preserving entities do not contribute to trust establishment
14