Vpriv Ready

405 views
335 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
405
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Presentation Title
  • Vpriv Ready

    1. 1. VPriv: Protecting Privacy in Location-Based Vehicular Services Raluca Ada Popa and Hari Balakrishnan Computer Science and Artificial Intelligence Laboratory, M.I.T. Andrew Blumberg Department of Mathematics Stanford University (Part of the CarTel project http://cartel.csail.mit.edu/doku.php)
    2. 2. Motivation <ul><li>Location-based vehicular services are increasingly adopted: </li></ul><ul><ul><li>Automated toll collection (E-ZPass) </li></ul></ul><ul><ul><li>Automated traffic law enforcement </li></ul></ul><ul><ul><li>Traffic statistics collection </li></ul></ul><ul><ul><li>Insurance pricing based on driver behavior </li></ul></ul><ul><li>Efficiency, driver experience, safety, generating revenue </li></ul>Problem: Serious threat to the locational privacy of drivers!
    3. 3. Example: E-ZPass Account Information <ul><li>E-ZPass antenna reads account information, knows time, location </li></ul><ul><li>A centralized server can assemble </li></ul><ul><li>a driver’s path </li></ul><ul><li>Civil cases where E-ZPass data was used to infer some driver’s path </li></ul>Ideally: server computes tolling cost without knowing time and location information Antenna
    4. 4. Outline <ul><li>Motivation </li></ul><ul><li>Model </li></ul><ul><li>Architecture </li></ul><ul><li>Protocols </li></ul><ul><li>Enforcement </li></ul><ul><li>Evaluation </li></ul><ul><li>Conclusions </li></ul>
    5. 5. VPriv <ul><li>Observation: Most vehicular services are functions over time-location tuples </li></ul><ul><li>Goal: Preserve locational privacy </li></ul><ul><ul><li>Compute functions on drivers’ time-location tuples without revealing any information other than result </li></ul></ul><ul><li>IDEA: perform computations in zero-knowledge </li></ul><ul><ul><li>Secure multi-party computation </li></ul></ul><ul><li>General : applicable to all such functions </li></ul>
    6. 6. Model <ul><li>Two parties: car and server </li></ul><ul><li>Cars’ transponders periodically generate tuples: </li></ul><ul><li><tag, time, location> </li></ul><ul><ul><li>Tag is random and changing for privacy </li></ul></ul><ul><ul><li>E.g. <221, 4:21:25PM 11/25/2008, (42.35, -71.09)> </li></ul></ul><ul><ul><li>Uploaded while driving (when connected to an AP) or at end of month (from PC or cell phone) </li></ul></ul><ul><li>f is a function to compute on driver’s path </li></ul><ul><ul><li>Driver is not trusted </li></ul></ul><ul><ul><li>Server is trusted, but not with location information </li></ul></ul>
    7. 7. Goals <ul><li>Correctness </li></ul><ul><li>Locational Privacy </li></ul><ul><li>Efficiency: important for deployment </li></ul>Definition: The server learns no more information from computing f on a database of <tag, time, location> than from analyzing a database with <time, location> and the result of f. <ul><li>Database of < tag , time, location> </li></ul><ul><li>Client-server interaction during computation of f </li></ul><ul><li>Result of f </li></ul><ul><li>Database of <time, location> </li></ul><ul><li>Result of f </li></ul>
    8. 8. VPriv’s Architecture <ul><li>Two components: </li></ul><ul><li>Secure multi-party computation </li></ul><ul><ul><li>Compute f on car’s path </li></ul></ul><ul><li>Enforcement scheme </li></ul><ul><ul><li>Ensure clients abide by protocol </li></ul></ul>
    9. 9. General Protocol <ul><li>Registration: once a year </li></ul><ul><ul><li>Client commits to random tags </li></ul></ul><ul><li>Driving </li></ul><ul><ul><li>Car periodically generates <tag, time, location> </li></ul></ul><ul><li>Reconciliation: at the end of each month </li></ul><ul><ul><li>Client computes the result of f </li></ul></ul><ul><ul><li>Server challenges the client to verify result </li></ul></ul><ul><ul><li>Detection probability ≥ ½ per challenge </li></ul></ul><ul><ul><li>Detection probability exponential in # challenges </li></ul></ul><ul><ul><ul><li>(e.g. 10 challenges, 99.9% probability) </li></ul></ul></ul>
    10. 10. Applications <ul><li>Usage-based tolls </li></ul><ul><ul><li>What is the toll a driver has to pay based on his path? </li></ul></ul><ul><li>Speeding tickets </li></ul><ul><ul><li>Did the driver ever travel faster than 65MPH? </li></ul></ul><ul><li>“Pay-as-you-go” insurance premiums </li></ul><ul><ul><li>E.g. How many minutes did the driver travel over the speed limit? </li></ul></ul><ul><li>Aggregate data analysis </li></ul><ul><ul><li>What is the average speed on a road of all drivers? </li></ul></ul>
    11. 11. Outline <ul><li>Motivation </li></ul><ul><li>Model </li></ul><ul><li>Architecture </li></ul><ul><li>Protocols </li></ul><ul><ul><li>Tolling Protocol </li></ul></ul><ul><li>Enforcement </li></ul><ul><li>Evaluation </li></ul><ul><li>Conclusions </li></ul>
    12. 12. Secure Multi-Party Computation <ul><li>Yao , 1982 </li></ul><ul><li>Computation proceeds correctly without disclosing private data </li></ul><ul><li>Goldreich et al ., 1987: protocols for all realistic functions </li></ul><ul><li>But are highly complex and inefficient </li></ul><ul><li>We exploit the specificity of the problem and design efficient protocols from scratch </li></ul>
    13. 13. Tolling Protocol <ul><li>What is the point toll a client has to pay based on his path? </li></ul>
    14. 14. Crypto Tools <ul><li>Random function family: for random, looks random </li></ul><ul><li>Commitment scheme </li></ul><ul><ul><li>To commit to , Alice computes </li></ul></ul><ul><ul><li>Sends to Bob; Bob cannot guess </li></ul></ul><ul><ul><li>Later, Alice proves she committed to (‘ reveals ’) by providing and ; cannot provide other </li></ul></ul><ul><ul><li>Homomorphism: </li></ul></ul>
    15. 15. Notation <ul><li>: set of random tags of a ‘ v ’ehicle </li></ul><ul><li>: set of all tags seen at the ‘ s ’erver </li></ul><ul><li>: ‘ t ’oll associated with the tuple with tag </li></ul><ul><ul><li>< = 142, 4:21PM, GPS for Sumner Tunnel>, = $3.5 </li></ul></ul><ul><li>: indexes of server tags that belong to car </li></ul><ul><li>: total toll driver has to pay </li></ul>
    16. 16. Tolling Protocol <ul><li>Registration </li></ul><ul><ul><li>Client chooses random tags, , and a random function, </li></ul></ul><ul><ul><li>Commits to and ( sends to server) </li></ul></ul><ul><li>Driving </li></ul><ul><ul><li>Uploads < , time, location> </li></ul></ul><ul><li>Reconciliation </li></ul><ul><ul><li>Server computes toll cost, , for every tuple </li></ul></ul><ul><ul><li>Sends driver all pairs for </li></ul></ul><ul><ul><li>Client computes tolling cost </li></ul></ul>
    17. 17. <ul><li>Correctness guaranteed if server computes COST </li></ul><ul><ul><li>No privacy! </li></ul></ul><ul><li>Server computes cost in ciphertext </li></ul><ul><ul><li>Client provides , , and </li></ul></ul><ul><ul><li>Server computes Verifies if it is a </li></ul></ul><ul><ul><li>commitment to COST with </li></ul></ul><ul><ul><li>Client provides incorrect ciphertext! </li></ul></ul><ul><li>Server checks ciphertext </li></ul><ul><ul><li>Client provides </li></ul></ul><ul><ul><li>Server knows random tags (by matching to )! </li></ul></ul>Challenge Phase
    18. 18. Challenge Phase (cont’d) <ul><li>Server performs one check at a time </li></ul><ul><ul><li>Picks challenge type at random: </li></ul></ul><ul><ul><li>1, 0, 1, 1, 0, 1, 0, 0, 1, 0 … </li></ul></ul><ul><li>Why does it work? </li></ul><ul><ul><li>Correctness </li></ul></ul><ul><ul><ul><li>Misbehaving client: either ciphertext or COST is incorrect </li></ul></ul></ul><ul><ul><li>Locational privacy: </li></ul></ul><ul><ul><ul><li>Challenge 0: provide , but do not decommit </li></ul></ul></ul><ul><ul><ul><li>Challenge 1: reveal , but do not reveal </li></ul></ul></ul>
    19. 19. Related Protocols: Speeding <ul><li>Two consecutive tuples use same tag </li></ul><ul><ul><li>Server computes speed between them </li></ul></ul><ul><li>Adjust tolling protocol </li></ul><ul><ul><li>Server assigns cost of 1 to tuples over speed limit </li></ul></ul><ul><li>Speeding tickets: </li></ul><ul><li>Insurance premiums </li></ul><ul><ul><li>Number of speedups: </li></ul></ul><ul><li>Aggregate average speed on a road </li></ul>
    20. 20. Enforcement <ul><li>Misbehaving clients: </li></ul><ul><ul><li>Turn off transponder device </li></ul></ul><ul><ul><li>Use different tags </li></ul></ul><ul><ul><li>Modify location </li></ul></ul><ul><li>Random spot checks </li></ul>
    21. 21. Random spot checks <ul><li>Police cars/cameras </li></ul><ul><li>Record <license plate, time, location> </li></ul><ul><li>Check for consistency with server’s database </li></ul><ul><li>Verifies tuples at server are correct </li></ul><ul><ul><li>General , applicable to all functions </li></ul></ul>
    22. 22. Outline <ul><li>Motivation </li></ul><ul><li>Model </li></ul><ul><li>Architecture </li></ul><ul><li>Protocols </li></ul><ul><li>Enforcement </li></ul><ul><li>Evaluation </li></ul><ul><ul><li>Implementation </li></ul></ul><ul><ul><li>Enforcement Effectiveness </li></ul></ul><ul><ul><li>Security Analysis </li></ul></ul><ul><li>Conclusions </li></ul>
    23. 23. Evaluation <ul><li>Tolling protocol, C++ </li></ul><ul><li>Linear in # of driver tags and tags downloaded from server </li></ul><ul><li>Tradeoff privacy vs. efficiency </li></ul><ul><ul><li>Download ranges of tuples at server </li></ul></ul><ul><ul><li>Prove that car’s tuples are included </li></ul></ul>Range size of 1000 tags =
    24. 24. Evaluation: Implementation <ul><li>For 50,000 tuples < 1min </li></ul>Protocol running time # 10 4 of tags downloaded from server Time (s)
    25. 25. Evaluation: Enforcement <ul><li>Detection probability is exponential in # of spot checks </li></ul><ul><li>Pr = 1 – (1-p) m </li></ul><ul><ul><li>p = prob. of a spot check per segment </li></ul></ul><ul><ul><li>m = # of segments </li></ul></ul><ul><ul><li>E.g. p = 0.05, m = 60, detected 95% </li></ul></ul><ul><li>Penalty reduces incentives </li></ul><ul><ul><li>p=0.001, m = 100, detected 10% </li></ul></ul><ul><li>Practical </li></ul><ul><li>Privacy not affected </li></ul>
    26. 26. Evaluation: Enforcement (cont’d) <ul><li>Simulation on CarTel traces </li></ul><ul><ul><li>27 taxis in Boston area during Jan and Feb 2008, ~800 one-day paths </li></ul></ul><ul><ul><li>Traces contain driver ID, time, location </li></ul></ul><ul><ul><li>Place police cars randomly based on traffic patterns </li></ul></ul><ul><ul><li>Training phase: Extract 1% popular places from Jan </li></ul></ul><ul><ul><li>Testing phase: Place police cars randomly and record # of one-day paths observed </li></ul></ul>
    27. 27. Simulation Results <ul><li>E.g. 10 police cars, 90% observed (of 443 one-day paths) </li></ul>percentage of paths observed Number of police cars placed
    28. 28. Security Analysis <ul><li>Driver turns off device </li></ul><ul><li>Uploads invalid tags, time, location </li></ul><ul><li>Routers drop/corrupt tuples </li></ul><ul><li>Covert channels </li></ul><ul><ul><li>Populated area </li></ul></ul><ul><ul><li>Only Bob lives on this street </li></ul></ul><ul><ul><li>We only do not leak additional information </li></ul></ul><ul><li>Network packets information leaks identity </li></ul><ul><ul><li>Anonymizers, fixed proxy </li></ul></ul>Enforcement scheme Check tuples at server, Upload more than once
    29. 29. Related Work <ul><li>Blumberg et Al., 2005 </li></ul><ul><ul><li>Use multi-party secure computation as a black box, no resilience to physical attacks </li></ul></ul><ul><li>E-cash ( Chaum, 1985) </li></ul><ul><ul><li>Not general approach, no enforcement </li></ul></ul><ul><li>Privacy in social networks (Zhong, 2007) </li></ul><ul><ul><li>Specific point in polygon problem </li></ul></ul><ul><li>K-anonymity ( Sweeney , 2002) </li></ul><ul><li>Differential privacy ( Dwork , 2006) </li></ul><ul><li>Floating car data ( Rass , 2008) </li></ul>
    30. 30. Conclusions <ul><li>General protocol for preserving driver privacy </li></ul><ul><ul><li>Specific efficient protocols: tolling, speed </li></ul></ul><ul><li>General enforcement scheme </li></ul><ul><ul><li>Spot checks </li></ul></ul><ul><li>Practical </li></ul><ul><li>Thank you! </li></ul>
    31. 31. Protocol (One Round) Information known by both parties: <s j , t j >, c(f k (v i )) Client Server <ul><ul><li>Shuffle at random pairs <s j , t j > </li></ul></ul><ul><ul><li>Compute and send <f k (s j ), c[t j ]> </li></ul></ul><f k (s j ), c[t j ]> <ul><ul><li>If b=0 then reveal k and t j </li></ul></ul><ul><ul><li>If b=1 then reveal f k (v i ) and compute </li></ul></ul><ul><ul><li>D = ∑ J d[t j ] </li></ul></ul><ul><ul><li>Choose a random bit b </li></ul></ul>b If b=0, k, d[k], t j , d[t j ]; If b=1, f k (v i ), d[f k (v i )], D <ul><ul><li>If b= 0 , verify pairs <s j , t j > have been correctly shuffled, obfuscated and committed </li></ul></ul><ul><ul><li>If b=1 , verify that ∏ J c(t j ) is a commitment to COST with decommitment key D </li></ul></ul>
    32. 32. Enforcement Check <ul><li>Solution 1 </li></ul><ul><ul><li>Server presents driver acceptable tuples </li></ul></ul><ul><ul><li>Drivers proves one belongs to it </li></ul></ul><ul><li>Solution 2 </li></ul><ul><ul><li>Driver shows server the tuple used in that region </li></ul></ul><ul><ul><li>Driver proves he committed to it during registration </li></ul></ul>
    33. 33. Downloading a subset of tuples <ul><li>Driver requests tuples from some ranges of tags </li></ul><ul><ul><li>Eg: tags in 100-200, 1120-1150, etc. </li></ul></ul><ul><ul><li>Driver’s tuples are contained in there </li></ul></ul><ul><ul><li>Assuming random distribution of tags, driver can control the number of tuples downloaded </li></ul></ul><ul><li>Driver proves all his tuples are in there </li></ul><ul><ul><li>Shows for some random function </li></ul></ul>

    ×