Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Vpriv Ready

  • Be the first to comment

  • Be the first to like this

Vpriv Ready

  1. 1. VPriv: Protecting Privacy in Location-Based Vehicular Services Raluca Ada Popa and Hari Balakrishnan Computer Science and Artificial Intelligence Laboratory, M.I.T. Andrew Blumberg Department of Mathematics Stanford University (Part of the CarTel project
  2. 2. Motivation <ul><li>Location-based vehicular services are increasingly adopted: </li></ul><ul><ul><li>Automated toll collection (E-ZPass) </li></ul></ul><ul><ul><li>Automated traffic law enforcement </li></ul></ul><ul><ul><li>Traffic statistics collection </li></ul></ul><ul><ul><li>Insurance pricing based on driver behavior </li></ul></ul><ul><li>Efficiency, driver experience, safety, generating revenue </li></ul>Problem: Serious threat to the locational privacy of drivers!
  3. 3. Example: E-ZPass Account Information <ul><li>E-ZPass antenna reads account information, knows time, location </li></ul><ul><li>A centralized server can assemble </li></ul><ul><li>a driver’s path </li></ul><ul><li>Civil cases where E-ZPass data was used to infer some driver’s path </li></ul>Ideally: server computes tolling cost without knowing time and location information Antenna
  4. 4. Outline <ul><li>Motivation </li></ul><ul><li>Model </li></ul><ul><li>Architecture </li></ul><ul><li>Protocols </li></ul><ul><li>Enforcement </li></ul><ul><li>Evaluation </li></ul><ul><li>Conclusions </li></ul>
  5. 5. VPriv <ul><li>Observation: Most vehicular services are functions over time-location tuples </li></ul><ul><li>Goal: Preserve locational privacy </li></ul><ul><ul><li>Compute functions on drivers’ time-location tuples without revealing any information other than result </li></ul></ul><ul><li>IDEA: perform computations in zero-knowledge </li></ul><ul><ul><li>Secure multi-party computation </li></ul></ul><ul><li>General : applicable to all such functions </li></ul>
  6. 6. Model <ul><li>Two parties: car and server </li></ul><ul><li>Cars’ transponders periodically generate tuples: </li></ul><ul><li><tag, time, location> </li></ul><ul><ul><li>Tag is random and changing for privacy </li></ul></ul><ul><ul><li>E.g. <221, 4:21:25PM 11/25/2008, (42.35, -71.09)> </li></ul></ul><ul><ul><li>Uploaded while driving (when connected to an AP) or at end of month (from PC or cell phone) </li></ul></ul><ul><li>f is a function to compute on driver’s path </li></ul><ul><ul><li>Driver is not trusted </li></ul></ul><ul><ul><li>Server is trusted, but not with location information </li></ul></ul>
  7. 7. Goals <ul><li>Correctness </li></ul><ul><li>Locational Privacy </li></ul><ul><li>Efficiency: important for deployment </li></ul>Definition: The server learns no more information from computing f on a database of <tag, time, location> than from analyzing a database with <time, location> and the result of f. <ul><li>Database of < tag , time, location> </li></ul><ul><li>Client-server interaction during computation of f </li></ul><ul><li>Result of f </li></ul><ul><li>Database of <time, location> </li></ul><ul><li>Result of f </li></ul>
  8. 8. VPriv’s Architecture <ul><li>Two components: </li></ul><ul><li>Secure multi-party computation </li></ul><ul><ul><li>Compute f on car’s path </li></ul></ul><ul><li>Enforcement scheme </li></ul><ul><ul><li>Ensure clients abide by protocol </li></ul></ul>
  9. 9. General Protocol <ul><li>Registration: once a year </li></ul><ul><ul><li>Client commits to random tags </li></ul></ul><ul><li>Driving </li></ul><ul><ul><li>Car periodically generates <tag, time, location> </li></ul></ul><ul><li>Reconciliation: at the end of each month </li></ul><ul><ul><li>Client computes the result of f </li></ul></ul><ul><ul><li>Server challenges the client to verify result </li></ul></ul><ul><ul><li>Detection probability ≥ ½ per challenge </li></ul></ul><ul><ul><li>Detection probability exponential in # challenges </li></ul></ul><ul><ul><ul><li>(e.g. 10 challenges, 99.9% probability) </li></ul></ul></ul>
  10. 10. Applications <ul><li>Usage-based tolls </li></ul><ul><ul><li>What is the toll a driver has to pay based on his path? </li></ul></ul><ul><li>Speeding tickets </li></ul><ul><ul><li>Did the driver ever travel faster than 65MPH? </li></ul></ul><ul><li>“Pay-as-you-go” insurance premiums </li></ul><ul><ul><li>E.g. How many minutes did the driver travel over the speed limit? </li></ul></ul><ul><li>Aggregate data analysis </li></ul><ul><ul><li>What is the average speed on a road of all drivers? </li></ul></ul>
  11. 11. Outline <ul><li>Motivation </li></ul><ul><li>Model </li></ul><ul><li>Architecture </li></ul><ul><li>Protocols </li></ul><ul><ul><li>Tolling Protocol </li></ul></ul><ul><li>Enforcement </li></ul><ul><li>Evaluation </li></ul><ul><li>Conclusions </li></ul>
  12. 12. Secure Multi-Party Computation <ul><li>Yao , 1982 </li></ul><ul><li>Computation proceeds correctly without disclosing private data </li></ul><ul><li>Goldreich et al ., 1987: protocols for all realistic functions </li></ul><ul><li>But are highly complex and inefficient </li></ul><ul><li>We exploit the specificity of the problem and design efficient protocols from scratch </li></ul>
  13. 13. Tolling Protocol <ul><li>What is the point toll a client has to pay based on his path? </li></ul>
  14. 14. Crypto Tools <ul><li>Random function family: for random, looks random </li></ul><ul><li>Commitment scheme </li></ul><ul><ul><li>To commit to , Alice computes </li></ul></ul><ul><ul><li>Sends to Bob; Bob cannot guess </li></ul></ul><ul><ul><li>Later, Alice proves she committed to (‘ reveals ’) by providing and ; cannot provide other </li></ul></ul><ul><ul><li>Homomorphism: </li></ul></ul>
  15. 15. Notation <ul><li>: set of random tags of a ‘ v ’ehicle </li></ul><ul><li>: set of all tags seen at the ‘ s ’erver </li></ul><ul><li>: ‘ t ’oll associated with the tuple with tag </li></ul><ul><ul><li>< = 142, 4:21PM, GPS for Sumner Tunnel>, = $3.5 </li></ul></ul><ul><li>: indexes of server tags that belong to car </li></ul><ul><li>: total toll driver has to pay </li></ul>
  16. 16. Tolling Protocol <ul><li>Registration </li></ul><ul><ul><li>Client chooses random tags, , and a random function, </li></ul></ul><ul><ul><li>Commits to and ( sends to server) </li></ul></ul><ul><li>Driving </li></ul><ul><ul><li>Uploads < , time, location> </li></ul></ul><ul><li>Reconciliation </li></ul><ul><ul><li>Server computes toll cost, , for every tuple </li></ul></ul><ul><ul><li>Sends driver all pairs for </li></ul></ul><ul><ul><li>Client computes tolling cost </li></ul></ul>
  17. 17. <ul><li>Correctness guaranteed if server computes COST </li></ul><ul><ul><li>No privacy! </li></ul></ul><ul><li>Server computes cost in ciphertext </li></ul><ul><ul><li>Client provides , , and </li></ul></ul><ul><ul><li>Server computes Verifies if it is a </li></ul></ul><ul><ul><li>commitment to COST with </li></ul></ul><ul><ul><li>Client provides incorrect ciphertext! </li></ul></ul><ul><li>Server checks ciphertext </li></ul><ul><ul><li>Client provides </li></ul></ul><ul><ul><li>Server knows random tags (by matching to )! </li></ul></ul>Challenge Phase
  18. 18. Challenge Phase (cont’d) <ul><li>Server performs one check at a time </li></ul><ul><ul><li>Picks challenge type at random: </li></ul></ul><ul><ul><li>1, 0, 1, 1, 0, 1, 0, 0, 1, 0 … </li></ul></ul><ul><li>Why does it work? </li></ul><ul><ul><li>Correctness </li></ul></ul><ul><ul><ul><li>Misbehaving client: either ciphertext or COST is incorrect </li></ul></ul></ul><ul><ul><li>Locational privacy: </li></ul></ul><ul><ul><ul><li>Challenge 0: provide , but do not decommit </li></ul></ul></ul><ul><ul><ul><li>Challenge 1: reveal , but do not reveal </li></ul></ul></ul>
  19. 19. Related Protocols: Speeding <ul><li>Two consecutive tuples use same tag </li></ul><ul><ul><li>Server computes speed between them </li></ul></ul><ul><li>Adjust tolling protocol </li></ul><ul><ul><li>Server assigns cost of 1 to tuples over speed limit </li></ul></ul><ul><li>Speeding tickets: </li></ul><ul><li>Insurance premiums </li></ul><ul><ul><li>Number of speedups: </li></ul></ul><ul><li>Aggregate average speed on a road </li></ul>
  20. 20. Enforcement <ul><li>Misbehaving clients: </li></ul><ul><ul><li>Turn off transponder device </li></ul></ul><ul><ul><li>Use different tags </li></ul></ul><ul><ul><li>Modify location </li></ul></ul><ul><li>Random spot checks </li></ul>
  21. 21. Random spot checks <ul><li>Police cars/cameras </li></ul><ul><li>Record <license plate, time, location> </li></ul><ul><li>Check for consistency with server’s database </li></ul><ul><li>Verifies tuples at server are correct </li></ul><ul><ul><li>General , applicable to all functions </li></ul></ul>
  22. 22. Outline <ul><li>Motivation </li></ul><ul><li>Model </li></ul><ul><li>Architecture </li></ul><ul><li>Protocols </li></ul><ul><li>Enforcement </li></ul><ul><li>Evaluation </li></ul><ul><ul><li>Implementation </li></ul></ul><ul><ul><li>Enforcement Effectiveness </li></ul></ul><ul><ul><li>Security Analysis </li></ul></ul><ul><li>Conclusions </li></ul>
  23. 23. Evaluation <ul><li>Tolling protocol, C++ </li></ul><ul><li>Linear in # of driver tags and tags downloaded from server </li></ul><ul><li>Tradeoff privacy vs. efficiency </li></ul><ul><ul><li>Download ranges of tuples at server </li></ul></ul><ul><ul><li>Prove that car’s tuples are included </li></ul></ul>Range size of 1000 tags =
  24. 24. Evaluation: Implementation <ul><li>For 50,000 tuples < 1min </li></ul>Protocol running time # 10 4 of tags downloaded from server Time (s)
  25. 25. Evaluation: Enforcement <ul><li>Detection probability is exponential in # of spot checks </li></ul><ul><li>Pr = 1 – (1-p) m </li></ul><ul><ul><li>p = prob. of a spot check per segment </li></ul></ul><ul><ul><li>m = # of segments </li></ul></ul><ul><ul><li>E.g. p = 0.05, m = 60, detected 95% </li></ul></ul><ul><li>Penalty reduces incentives </li></ul><ul><ul><li>p=0.001, m = 100, detected 10% </li></ul></ul><ul><li>Practical </li></ul><ul><li>Privacy not affected </li></ul>
  26. 26. Evaluation: Enforcement (cont’d) <ul><li>Simulation on CarTel traces </li></ul><ul><ul><li>27 taxis in Boston area during Jan and Feb 2008, ~800 one-day paths </li></ul></ul><ul><ul><li>Traces contain driver ID, time, location </li></ul></ul><ul><ul><li>Place police cars randomly based on traffic patterns </li></ul></ul><ul><ul><li>Training phase: Extract 1% popular places from Jan </li></ul></ul><ul><ul><li>Testing phase: Place police cars randomly and record # of one-day paths observed </li></ul></ul>
  27. 27. Simulation Results <ul><li>E.g. 10 police cars, 90% observed (of 443 one-day paths) </li></ul>percentage of paths observed Number of police cars placed
  28. 28. Security Analysis <ul><li>Driver turns off device </li></ul><ul><li>Uploads invalid tags, time, location </li></ul><ul><li>Routers drop/corrupt tuples </li></ul><ul><li>Covert channels </li></ul><ul><ul><li>Populated area </li></ul></ul><ul><ul><li>Only Bob lives on this street </li></ul></ul><ul><ul><li>We only do not leak additional information </li></ul></ul><ul><li>Network packets information leaks identity </li></ul><ul><ul><li>Anonymizers, fixed proxy </li></ul></ul>Enforcement scheme Check tuples at server, Upload more than once
  29. 29. Related Work <ul><li>Blumberg et Al., 2005 </li></ul><ul><ul><li>Use multi-party secure computation as a black box, no resilience to physical attacks </li></ul></ul><ul><li>E-cash ( Chaum, 1985) </li></ul><ul><ul><li>Not general approach, no enforcement </li></ul></ul><ul><li>Privacy in social networks (Zhong, 2007) </li></ul><ul><ul><li>Specific point in polygon problem </li></ul></ul><ul><li>K-anonymity ( Sweeney , 2002) </li></ul><ul><li>Differential privacy ( Dwork , 2006) </li></ul><ul><li>Floating car data ( Rass , 2008) </li></ul>
  30. 30. Conclusions <ul><li>General protocol for preserving driver privacy </li></ul><ul><ul><li>Specific efficient protocols: tolling, speed </li></ul></ul><ul><li>General enforcement scheme </li></ul><ul><ul><li>Spot checks </li></ul></ul><ul><li>Practical </li></ul><ul><li>Thank you! </li></ul>
  31. 31. Protocol (One Round) Information known by both parties: <s j , t j >, c(f k (v i )) Client Server <ul><ul><li>Shuffle at random pairs <s j , t j > </li></ul></ul><ul><ul><li>Compute and send <f k (s j ), c[t j ]> </li></ul></ul><f k (s j ), c[t j ]> <ul><ul><li>If b=0 then reveal k and t j </li></ul></ul><ul><ul><li>If b=1 then reveal f k (v i ) and compute </li></ul></ul><ul><ul><li>D = ∑ J d[t j ] </li></ul></ul><ul><ul><li>Choose a random bit b </li></ul></ul>b If b=0, k, d[k], t j , d[t j ]; If b=1, f k (v i ), d[f k (v i )], D <ul><ul><li>If b= 0 , verify pairs <s j , t j > have been correctly shuffled, obfuscated and committed </li></ul></ul><ul><ul><li>If b=1 , verify that ∏ J c(t j ) is a commitment to COST with decommitment key D </li></ul></ul>
  32. 32. Enforcement Check <ul><li>Solution 1 </li></ul><ul><ul><li>Server presents driver acceptable tuples </li></ul></ul><ul><ul><li>Drivers proves one belongs to it </li></ul></ul><ul><li>Solution 2 </li></ul><ul><ul><li>Driver shows server the tuple used in that region </li></ul></ul><ul><ul><li>Driver proves he committed to it during registration </li></ul></ul>
  33. 33. Downloading a subset of tuples <ul><li>Driver requests tuples from some ranges of tags </li></ul><ul><ul><li>Eg: tags in 100-200, 1120-1150, etc. </li></ul></ul><ul><ul><li>Driver’s tuples are contained in there </li></ul></ul><ul><ul><li>Assuming random distribution of tags, driver can control the number of tuples downloaded </li></ul></ul><ul><li>Driver proves all his tuples are in there </li></ul><ul><ul><li>Shows for some random function </li></ul></ul>