On the Tradeoff betweenTrust and Privacy

in Wireless Ad Hoc Networks

Maxim…...….RayaReza…….….ShokriJean-Pierre..Hubaux

LCA1, EPFL, Switzerland

The Third ACM Conference on Wireless Network Security (WiSec‘10) March 2010 Hoboken, NJ, USA

The Trust-Privacy Tradeoff

Entity-centric trust• Trust is built in each entity

• The cost is reduced privacy

Data-centric trust• Trust is built in the data

• Entities can keep privacy

2

privac

yse

curit

y

securityprivacy

The Dilemma of Data-Centric Trust

• Data increasingly comes from multiple sources

• Mobile devices reflect their users’ preferences and hence characterize them

3

Ephemeral network

Users are not fully hidden behind their data!

More contributions = More accurate trust

The Privacy-Preserving Gene

• Building data-centric trust is a collective effort• Users might lose some of their privacy• What if entities are privacy-preserving?• A privacy-preserving entity maximizes its privacy• Game theory: A selfish entity optimizes its utility• Privacy-preservation = Selfishness

4

How to build data-centric trust in ephemeral networks with privacy-preserving entities?

Example: VANET• CA pre-establishes

credentials offline• Entities communicate

attributes (e.g., credentials, location)

• Communication is sequential

• There are deadlines on making decisions

• Benign entities disseminate truthful info

• Adversaries disseminate false info

5

Trust-Privacy Games

• Problem: privacy-preserving entities building data-centric trust in the presence of privacy-preserving attackers

• Game theory can help by modeling situations where the decisions of players affect each other

• Attacker-Defender Game GAD

• Trust Contribution Game GTC

• Similar to eBay auctions: privacy = money.• But, privacy cannot be «reimbursed»

6

7

A D

Minimum required trust threshold

Start

Deadline

Time ……

A D

8

A D

Start

Deadline

Time ……

A D

Winner

9

A D

Start

Deadline

Time

Attacker-Defender Game: captures at the macroscopic level the competition between attackers and defenders to support their respective versions of the truth

ADG

10

A D

Start

Deadline

Time

TCG

ADG

Trust Contribution Game: defines at the microscopic level the individual amounts of privacy to be contributed by entities in each side to collectively win GAD

Attacker-Defender Game

11

Access to channel is probabilistic

Theorem: The strategy (W,W) is the Perfect Bayesian Equilibrium of GAD

Theorem: The strategy (W,W) is the Perfect Bayesian Equilibrium of GAD

• Players– Attackers– Defenders

• Strategies– Wait (W)– Send (S)

Start

Deadline

Trust Contribution Game

12

Theorem: The Subgame Perfect Equilibrium of GTC is defined by:

Theorem: The Subgame Perfect Equilibrium of GTC is defined by:

* 0kt

No entity contributes!

Game with Incentives

13re

war

d fo

r pla

ying

ear

ly

Start

Deadline

Theorem: The equilibrium of is defined by:

K: # of users

Theorem: The equilibrium of is defined by:

K: # of users

ITCG

*2

( 1)k

r Kt

K

Corollary: The strategy (S,S) can be enforced in GAD by choosing appropriate reward r.

Corollary: The strategy (S,S) can be enforced in GAD by choosing appropriate reward r. I

Incentives help

Conclusion

• Data-centric trust can reduce privacy losses compared to entity-centric trust

• Privacy-preserving entities are selfish by definition and need a game-theoretic analysis

• Without incentives, privacy-preserving entities do not contribute to trust establishment

14