
Privacy-respecting Auctions as Incentive Mechanisms in Mobile Crowd Sensing

In many mobile crowdsensing scenarios it is desirable to give micro-payments to contributors as an incentive for their participation. However, to further encourage participants to use the system, one important requirement is protection of user privacy. In this work we present a reverse auction mechanism as an efficient way to offer incentives to users by allowing them to determine their own price for the data they provide, but also as a way to motivate them to submit better quality data. At the same time our auction protocol guarantees bidders’ anonymity and suggests a new rewarding mechanism that enables winners to claim their reward without being linked to the data they contributed. Our protocol is scalable, can be applied to a large class of auctions and remains both computation- and communication-efficient so that it can be run on the mobile devices of users.

Full paper: T. Dimitriou, I. Krontiris, "Privacy-respecting Auctions as Incentive Mechanisms in Mobile Crowd Sensing", the 9th WISTP International Conference on Information Security Theory and Practice (WISTP 2015), 24-25 August 2015, Heraklion, Crete, Greece.


  1. Privacy-Respecting Auctions as Incentive Mechanisms in Mobile Crowd Sensing. Tassos Dimitriou and Ioannis Krontiris. 9th WISTP International Conference on Information Security Theory and Practice (WISTP'2015), August 24 - 25, 2015, Heraklion, Crete, Greece
  2. Outline
     • Motivation
     • Auction mechanism for mobile sensing
     • Security and privacy requirements
     • Privacy-respecting auction and Rewarding mechanism
  3. Mobile Sensing - Old Style
     • Participants proactively sending data.
     • How to motivate contribution and better quality of data?
     • Protect privacy?
     Picture from: D. Christin, A. Reinhardt, S.S. Kanhere, M. Hollick, A Survey on Privacy in Mobile Participatory Sensing Applications, Journal of Systems & Software 2011.
  4. Information Discovery
     Here data consumers are interested in retrieving information according to some requirements from multiple data contributors that satisfy these requirements.
     • Define: specific geographic area; sensor types, time frame; quality criteria
     • Post task on public domain
     • Download task and respond
  5. Incentives to participation
     • Why would mobile users contribute data? Need incentives: monetary, social, gaming
     • Micro-payments work! But how much is enough? Depends on personal preferences, perceived cost of participation, context
     • It should be the data provider to set the price!
     • Apply reverse-auctions: n users with lowest prices win the auction and contribute data
  6. Multi-attributive auctions
     • Most suitable kind: multi-attributive auctions
     • Allow integration of quality attributes into the auction bidding, besides the price.
  7. Privacy concerns
     • The widespread deployment of mobile sensors introduces serious privacy risks, since the frequent collection of personal data may reveal considerable information about location, personal preferences, social relationships, etc.
     • Imperative to address privacy in mobile crowd-sensing systems
     • It still remains an open problem how to provide privacy protection when incentive mechanisms are also incorporated in the system.
  8. Our contribution: Incentives + Privacy
     A privacy-respecting protocol that allows anonymous users to participate in reverse auctions employed by an MCS system. Two main parts:
     • Provide bidders’ anonymity for the auction
     • Reward users and enable winners of the auction to claim their rewards without being linked to their contributed data.
  9. Model
     • Service Providers: requesters of sensing data; have fixed budget
     • Users: owners of mobile devices with sensors
     • Auction Infrastructure:
       • Task Server - publishing the sensing tasks
       • Auction Server - running the auction process
       • Report Server - collects the reports from the auction winners and forwards them to the Service Provider.
  10. A generic auction mechanism
     • Bid = Utility Score Si, computed based also on quality factors (e.g. distance from the desired location, the location accuracy, the sampling frequency, …)
  11. Security and Privacy Requirements
     • Correctness and Fairness: Winners get reward. No bidder can obtain an unfair advantage based on information revealed about other bids.
     • Bidders’ privacy: Bidders remain anonymous throughout the whole process of the auction -> Unlinkability between (a) identity of bidders and their bids, (b) two bids from the same bidder.
     • Confidentiality of bids: All bids remain secret until the opening phase. Applies for all parties including Auction Server.
     • Public verifiability: The correctness of the auction process should be easy to verify by any interested party.
     • Non-repudiation: No bidder should be able to change its mind (e.g. deny or modify its bid) once the bid is submitted.
  12. Auction protocol
     Two main phases: Bidding and Opening. However, there exists an implicit setup phase: Registration. During registration,
     • Auction Server (AS) sets up the bulletin board, publishes its public key and announces parameters of the auction (Auction ID, starting/ending time, duration of each phase, and so on).
     • Each bidder i creates a pseudonymous ID (BidderID) to represent its identity during the auction along with a one-time public key Ki.
     • AS publishes this information to the bulletin board.
  13. Auction protocol - Bidding
     During the bidding phase, each bidder i
     • computes its utility score Si,
     • masks it with a random number ri and
     • sends a commitment Ci of for the bid, where hi = H(Si || ri).
     Note: The Auction Server receives a bid, but it cannot read this bid before the opening phase. Commitments are published on the bulletin board so that anybody can verify that their bid has been correctly accounted for.
  14. Auction protocol - Opening
     • When the bidding phase is over, each bidder reveals the utility score Si and the ri that were used in computing Ci.
     • The Auction Server announces the n highest utility scores as the winners of the auction.
     Note: Any participant can verify correctness by computing H(Si || ri) and comparing it with the commitment Ci received during the bidding phase.
  15. Incentives for participation - Rewarding
     The previous protocol can be extended to support a privacy-preserving credit reward mechanism for users submitting data reports.
     • This can be achieved using (i) a central bank system, or (ii) a decentralized digital payment system (method developed here).
     • While the e-cash scheme (i) (not shown here) may be easier conceptually, it suffers from a potential loss of privacy if the Report Server and the Bank collude to reveal the bidder’s identity.
  16. Anonymous reward tokens
     To eliminate the need for a centralized payment service, we can use the Report Server as an issuer of reward tokens that can be redeemed by the bidder. The token
     • Corresponds to an amount commensurate to the data provided by the user.
     • Reveals no information about the underlying user.
     • The recipient (RS) first has to verify the tokens' validity and then verify whether the tokens have been spent before.
     This approach can still be thought of as a lightweight e-cash scheme, yet without the requirement of a trusted payment service.
  17. Token generation (protocol diagram between Winning Bidder Bi and Report Server RS)
  18. Token spending (between Winning Bidder Bi and Report Server RS)
     • Submission of tokens (the user must prove knowledge of the secret values r and s used in the creation of token T):
       • Bi: Set h = H(Token, date/time). Set y = r + hs mod q.
       • Bi sends to RS: Token T, y
       • RS: Verify signature. Is T a valid token? Verify token has not been used before by searching database of used tokens.
     Note: The protocol ensures that i) tokens are not tied to bidder identities, and ii) the RS is protected from malicious bidders who try to double-spend tokens.
  19. Security Analysis (1)
     • Confidentiality of bids. Since bids are opened only after the bidding phase, nobody can compute the bids before they are opened. Recall commitment H(Si || ri).
     • Correctness & Verifiability. All values are published on the bulletin board. Anybody can verify correctness of the auction, as all bidders reveal their utility scores Si and the random numbers ri used in the signed commitment.
     • Unlinkability between bids. Not possible to relate two bids submitted at different auctions by the same bidder.
       • Bidders participate in auctions using different pseudonyms and public keys.
       • Important to use an anonymity service so that bid submissions cannot be linked to an internet identifier such as the IP address of the bidder.
  20. Security Analysis (2)
     • Unforgeability/Unreusability of tokens. The zero knowledge proofs used during token spending ensure that only a bidder who knows the representation of u and v in the token ID can supply these proofs.
     • Bidder privacy/Unlinkability of tokens. When a user tries to redeem a token and provides the server (directly or indirectly through a proxy) the zero knowledge proof, the server cannot tell which bidder created the token, as the only visible part during the token construction is the public part Val, Exp of the token.
  21. Token indistinguishability experiment
  22. Conclusions
     • Users of mobile devices can participate anonymously in the auctions and define the price they expect for contributing sensing data.
     • The buyer of the data can select the winners based not only on the price, but also on the quality of the offered data.
     • The winners of the auction can then collect their price without linking their real identity to the data they contributed.
     • Our solution uses a lightweight rewarding scheme eliminating the need for a single trusted payment system.
     • Future work: integrate anonymous reputation mechanism
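
The bidding and opening phases from slides 13 and 14, as an added Python example that is not part of the original slides or the authors' code. Assumptions: SHA-256 stands in for H, the utility score Si is an integer encoded in 8 bytes, the BidderIDs and scores are constructed sample values, and the signature with the one-time key Ki is left out.

```python
import hashlib
import hmac
import secrets
import struct

def commit(score: int, nonce: bytes) -> bytes:
    """h_i = H(S_i || r_i); S_i is fixed-width so the S_i/r_i split is unambiguous."""
    return hashlib.sha256(struct.pack(">Q", score) + nonce).digest()

def new_bid(score: int) -> tuple[bytes, bytes]:
    """Bidder side: draw a fresh 256-bit r_i and return (h_i, r_i)."""
    nonce = secrets.token_bytes(32)
    return commit(score, nonce), nonce

def open_auction(board: dict[str, bytes],
                 openings: dict[str, tuple[int, bytes]], n: int):
    """Check each opening against the bulletin board, then take the n highest scores.

    Returns (winners, rejected). Anyone holding the public board can rerun this.
    """
    valid, rejected = {}, []
    for bidder_id, h in board.items():
        opening = openings.get(bidder_id)
        if opening is None:
            rejected.append(bidder_id)      # committed but never opened
            continue
        score, nonce = opening
        if hmac.compare_digest(commit(score, nonce), h):
            valid[bidder_id] = score
        else:
            rejected.append(bidder_id)      # opened a value it did not commit to
    winners = sorted(valid, key=lambda b: (-valid[b], b))[:n]
    return winners, sorted(rejected)

def demo():
    # Constructed sample data: pseudonymous BidderIDs and their utility scores.
    scores = {"bidder-a": 70, "bidder-b": 85, "bidder-c": 60, "bidder-d": 90}
    board, openings = {}, {}
    for bidder_id, s in scores.items():
        board[bidder_id], nonce = new_bid(s)
        openings[bidder_id] = (s, nonce)
    # bidder-d claims a higher score at opening time; bidder-c never opens.
    openings["bidder-d"] = (99, openings["bidder-d"][1])
    del openings["bidder-c"]
    return open_auction(board, openings, n=2)

if __name__ == "__main__":
    print(demo())
```

The random ri matters because utility scores come from a small range: without it, anyone could hash every possible score and read the bids off the bulletin board before the opening phase.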
