MAKING REPUTATION SYSTEM TRACEABLE WITHOUT LOSING PRIVACY

Preliminary note: In existing reputation systems, nodes usually adopt regular pseudonyms instead of true identities to gain anonymity. However, complete anonymity enables watershed and Sybil attacks, which leave the system out of control and break the fairness of the reputation system. This paper introduces a conditional anonymity mechanism to check evaluations between anonymous nodes. An evaluation between two nodes is effective if the two nodes have evaluated each other no more than a limited number of times and the two pseudonyms do not belong to the same peer; otherwise, the node's true identity will be exposed. If the number of attacks by a peer within the time limit exceeds d, the node's evaluations and transactions will be tracked. Analysis shows that this mechanism not only protects the anonymity of a peer's identity, but also identifies and tracks malicious attackers.


Introduction
The basic idea of a trust and reputation model is to allow mutual evaluation between both sides of a deal [1]. The evaluation will help other nodes determine whether to make a deal with the node being evaluated. The reputation of a user depends entirely on its identity. In order to accumulate its reputation value, a user will normally use its real identity or use a pseudonym for a long time. But long-term use of the same identity will link all the exchange information of a user together. Malicious users or outlaws will systematically analyse the data. All the activities and hobbies of a user will be exposed. This will pose a grave threat to the privacy of users [2].
In order to ensure complete anonymity, users need to change their pseudonyms periodically, which will incur the conflict between privacy and reputation, render reputation evaluation uncontrollable, and reduce the accountability of the reputation system. Truthful users may suffer from malicious users while malicious users can go unpunished. This is because malicious users abandon their previous pseudonyms along with the reputation values, and regain a new one with an initial value. Besides, due to lack of controllability, two users can collude with each other and make false mutual evaluations to increase their reputation value; malicious users will generate many pseudonyms to evaluate themselves, increasing their reputation value.
To solve the above-mentioned problems, this paper introduces an evaluative mechanism, conditional anonymity, into the reputation system. Each user will first acquire an evaluation container from TTP based on CL protocol, and generate a Rater certificate and a Ratee certificate. When the user submits its reputation value to TTP, the Rater certificate and Ratee certificate will be submitted as well. Evaluation certificates will anonymously monitor reputation evaluations between nodes. Only if the following anonymity conditions are met can a node gain the reputation value: 1) no ramming attack or aspersion; 2) no Sybil attack. Otherwise, the real identity of the node will be exposed. If a node is attacked d times or more in a limited amount of time, all evaluation and exchange information of the node will be traced. In this protocol, reputation value is bound to the fixed identity (public key or other permanent identity) to strike a balance between anonymity and reputation and ensure the privacy of identity when the reputation value is updated based on blind signature scheme.

Related work
At present, most research on reputation systems focuses on building distributed reputation systems rather than on privacy [3,4]. The works in [5–7] only address the conflict issue of anonymity in reputation system. In [8,9], users use vague identities, but all their activities will still be linked. Authors [2,10] allow a user to have multiple pseudonyms, but transaction information of each pseudonym will be linked by attackers. In [11,12], peers gain anonymity through concealing their pseudonyms. But these systems still cannot ensure complete anonymity of users. In [13,17], users periodically change their pseudonyms to ensure the anonymity of their identity and cut the links between pseudonyms. But in [13], the author only ensures that the e-cash used as the reputation value cannot be repeatedly used, and does not control the frequency of evaluation for the two pseudonyms. In [17], the author introduces two TTPs to control the frequency of evaluations between two users, but the real identity of the two users is exposed to a third party. Secure multiparty computation [14] and homomorphic encryption [16] are proposed to protect the identity of the rater, but the protocol cannot identify and resist malicious attacks. Recently a new cryptographic primitive called signature of reputation was proposed in [15].
Conditional anonymity remains an important research subject. At present, research is mainly focused on e-cash [18,19]. Another kind of research is focused on key escrow [20,21]. Recent correlation study [22,23] is about a user being able to only use k anonymous and unlinked identities in a limited amount of time. Conditional anonymity in reputation system is rarely touched upon in research.

Preliminaries
Preliminaries are classified into bilinear map, complexity assumptions and cryptographic tool. The main classification is as follows:

Assume $G_1$, $G_2$, $G_T$ are cyclic groups with the exponent being prime number $q$, and $g_1$ is the generator. e is a bilinear map: : ( , ) 1 e g g ≠ ; 3) computability: map e can effectively compute any input pairs.

• Strong RSA assumption
Strong RSA assumption [24]: Assuming $n = pq$, when $e > 1$ and the condition $h^e \equiv g \pmod{n}$ is met, it is difficult to find a two-tuple $(h, e)$.

Cryptographic tool
• CL signature Camenisch-Lysyanskaya (CL signature) [25] scheme is based on strong RSA assumption. It is between a user and a signer, allowing the user to acquire a signature σ When the user verifies the signature, besides giving necessary information to the signer, he also has to send to the signer the signature of knowledge that holds information on the value of C 1 ( ,..., )
• DY Verifiable Random Function Assume $G = \langle g \rangle$ is a group with the exponent being q (a large prime number), $s \in Z_q$. This model adopts verifiable random function
• Pedersen commitment Pedersen [27] puts forward a commitment scheme on discrete logarithm problem. The public parameter is the prime exponent q of the group. The generated components $(g_0, \ldots, g_m)$, and commitment components 1 ( ,..., )  .
• Blind signature D. Chaum first put forward the term blind signature [28]. Blind signature means that someone needs to sign for some data, unaware of the contents of the data. Compared with normal digital signatures, blind digital signature has two prominent features: (1) the contents of the information are not known to the signer; (2) after the signature is publicized by the recipient, the signer cannot trace the signature. In the meantime, the Fiat-Shamir [29] heuristic can be used to turn a zero-knowledge proof into a knowledge signature of $m$, written as: $SPK\{(\alpha) : y = g^{\alpha}\}(m)$.

General descriptions
This chapter will introduce assumptions of the system, participants and general designing ideas, etc.

Assumptions
Network environment: Assume the whole reputation system is situated in anonymous network (an Onion Router, Mixnet, etc.).
Pseudonym: Many pseudonyms will be deposited at every node in advance. The validity of pseudonyms will be verified by TTP.

Participating entities
Node (User): A node is a normal node in the network. Each node plays two different roles: as a Rater, it gives the evaluation values to other nodes, or as a Ratee, it receives others' evaluation of itself. Transaction and evaluation between two nodes is realized through pseudonym, which is also used to show the reputation value to other users.
TTP (Trusted Third Party): TTP controls information related to the reputation of each node. It creates a reputation account for each user based on the user's public key. It is assumed that TTP is trusted when verifying pseudonyms and calculating the reputation value, but not trusted when it comes to user's privacy.

General designing ideas
Assume the CL signature key pair of TTP and user's key pair are ( , ) Once the number of $s_i$ acquired from a certain node by TTP exceeds the threshold, the $s$ of the node's evaluation container will be leaked, and all the node's evaluations will be traced.

Security model

5.1 The definition of general security
The protocol is mainly composed of the following protocols and algorithms:
• TTPKeygen($1^k$, params) The key-generation algorithm of TTP. Input the system's public parameter $1^k$ and the identity of TTP, the output will be the public/private key pair of TTP $(pk_{TTP}, sk_{TTP})$.
• UserKeyGen($1^k$, params) The key-generation algorithm of the node. Input the system's parameter $1^k$ and the identity of the node ID, the output will be the public/private key pair of the node $(pk_u, sk_u)$.

U pk sk TTP pk sk
Evaluation certificate withdrawal protocol. The node acquires evaluation certificate container from TTP. The node's output will be evaluation container W, or false information.
• Identity(params, $S$, $\pi_1$, $\pi_2$) Attacker identification algorithm. The system can identify the same certificate tag $S$ of the attacker, and the two identification proofs $\pi_1$ and $\pi_2$. The output of the algorithm is a public key $pk_u$ and the proof $\Pi_G$.

Soundness
Rater can evaluate its deal-maker through the evaluation certificate container. But the frequency of evaluation cannot exceed a limit. A knowledge extractor K is given. K and the adversary execute the certificate withdrawal protocol Withdraw, extracting m evaluation certificate tags $S_1, S_2, \ldots, S_m$. For each evaluation certificate identification of the adversary, when $S \neq S_i$ for all $1 \le i \le m$, the probability that TTP accepts $(S, \pi)$ as a valid evaluation certificate is negligible.

Identification of the attacker
Assume TTP is truthful, and  , , , )

Anonymity
TTP cannot acquire any information on Ratee or Rater even if it colludes with malicious users. This protocol introduces simulator S. S has some information that other participants cannot know. For example: in a normal parameter model, S itself generates information on parameters. In a random oracle model, S is the controlled random oracle. Simulator S should be able to simulate evaluation certificates (Rater certificate and Ratee certificate) without accessing the certificate container. The simulated certificate cannot be distinguished from the valid certificate. To be more specific, S can execute certificate-generation protocol (Rater certificate and Ratee certificate) without knowing secret s of the certificate container or accessing the container.

Excludability
Assume the adversary participated in the execution of the certificate-withdrawal protocol of a truthful node with the public key being $pk_u$, and subsequently in the execution of certificate-generation protocol of the user. When an attacker inputs a public key certificate $pk_u$ and a forged proof $\Pi_G$, and claims the user is the attacker, the probability that forged proof $\Pi_G$ gets accepted by VerifyGuilt(params, , , )

Definition of formal security
The definition of formal security depends on knowledge extractor K and the simulator S. For a given deal, the knowledge extractor K can extract the evaluated certificate tag of the adversary, and simulator S (when unaware of the node's key or the secret of the certificate container) can simulate the evaluation certificate-generation protocol and the evaluated certificate-generation protocol. Under normal circumstances, the definition of knowledge extractor K and the simulator S depends on provable security model. To make the definition more general, a special protocol like a knowledge proof or zero-knowledge proof is needed. For example: a knowledge proof in the withdrawal protocol Withdraw, while a zero-knowledge proof in the evaluation certificate (Ratee certificate) generation protocol.
X-Y is used to represent the security model, . In some models of public-parameter, knowledge extractor K and simulator S are allowed to access some auxiliary information (the auxiliary information will not be provided to participants). The information knowledge extractor K and simulator S access respectively are represented by auxext and auxsim.
In the X-Y model in the language L,

Validity
To make it easier to analyse, Withdraw protocol is divided into three parts: For some f, in reputation verifying protocol, if the honest TTP accepts evaluation identification $S \notin A_f$, A wins. It needs to be proven that the probability is negligible that adversary A wins the game within probabilistic polynomial time (PPT).

The identification of attacker
The feature of identifying the attacker ensures that within PPT time, the probability that the adversary A wins the following game is negligible. Public parameter model assumes params and auxext are fixed.

Anonymity
Assume adversary A inquires whatever information with the public key $pk_{TTP}$: a) Public key of the inquiry node j: A requests and accepts the public key $pk_j$ of j, and generates valid and truthful key pair ( , )

Excludability
Excludability ensures that only nodes that make malicious attacks need to be punished, while honest nodes need not. There are two kinds of excludability: weak excludability and strong excludability. Weak excludability punishes nodes that make attacks, while strong excludability not only punishes nodes that make attacks, but also makes malicious attackers accountable for their behaviour. This paper considers only weak excludability. To define the weak excludability in this chapter, assume adversary A will make the following attacks on user U:
a) Initialization: Adversary A acquires the public key of TTP through attacks.
b) Inquiry: Adversary A inquires node U as such:
Withdraw: The adversary fakes its identity as TTP and executes certificate withdrawal protocol Withdraw with the user. The user outputs the evaluation certificate container W.
RaterCert: The adversary fakes its identity as Ratee, and executes evaluation certificate generation protocol with Rater. Rater's output is the evaluation certificate container W.
Success criterion: When the protocol ends, if VerifyGuilt(params, , , ) G S Π , then A wins the game.

Initialization
• Instructions on the parameter 1) .) is a one-way hash function with strong collision resistance; 2) $P_M$ sends the random number $r$ to $P_U$, where $r \in Z_q$; 3) $P_U$ sends the certificate identification and double evaluation Eq. , 1 ( ) , , ,  ( , )) , and the result of knowledge signature is φ .ψ ω = = where: , ( ) s is the secret of evaluation certificate container of. t is randomly generated by $P_M$. ω is the non-interactive zero-knowledge signature.
Assume that U colludes with TTP. U will know $P_M$ is the pseudonym of M, which poses grave threat to M's privacy. In order to solve this problem, blind signature is introduced when updating reputation value [28]. Two steps are adopted: 1) $P_M$ chooses random information D, and sends it to TTP. TTP gives blind signature on D. $P_M$ acquires blind permission σ. $P_M$ deposits blind permission σ in its own database.

Reputation evaluation verifying protocol
M sends the blind permission $(D, \sigma)$ to TTP with its real identity $U_M$. TTP verifies whether the blind permission was used. If not, TTP updates the reputation value of M in reputation account.
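The two-step update described above (a blind permission issued to the pseudonym, later redeemed once under the real identity), as an added Python example that is not code from the paper. The page does not fix a concrete blind signature scheme, so textbook RSA blinding is used as a stand-in; the toy key, the function and class names, and the rule that one permission is worth one reputation point are assumptions.

```python
import hashlib
import math
import secrets

# Constructed toy RSA key for the TTP (assumption): two Mersenne primes,
# far too small for real use, chosen so the example runs offline.
RSA_P, RSA_Q = 2**61 - 1, 2**31 - 1
N = RSA_P * RSA_Q
E = 65537
D_PRIV = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))


def h(data: bytes) -> int:
    """Hash the random information D into Z_N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def blind(data: bytes):
    """Pseudonym side: hide H(D) behind a random factor r^E before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return h(data) * pow(r, E, N) % N, r


def ttp_blind_sign(blinded: int) -> int:
    """TTP side: sign the blinded value without learning D."""
    return pow(blinded, D_PRIV, N)


def unblind(blind_sig: int, r: int) -> int:
    """Pseudonym side: strip r to obtain the blind permission sigma on D."""
    return blind_sig * pow(r, -1, N) % N


class ReputationTTP:
    """Redemption side: accepts each valid permission exactly once."""

    def __init__(self):
        self.used = set()      # D values already redeemed
        self.accounts = {}     # real identity -> reputation value

    def redeem(self, identity: str, data: bytes, sigma: int) -> bool:
        if pow(sigma, E, N) != h(data):
            return False       # not a TTP signature on D
        if data in self.used:
            return False       # permission was already used
        self.used.add(data)
        # Assumption: one permission is worth one reputation point.
        self.accounts[identity] = self.accounts.get(identity, 0) + 1
        return True
```

The value the TTP sees at signing time is the blinded one, while redemption shows only (D, sigma), so the TTP cannot match a redemption under the real identity to the pseudonym that requested the signature.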
( ) R is the same, and the secret of each node s is unique, then s must be the same with 1 s .TTP can calculate the user's public key through two double evaluation equations , ( ) , and generate violation proof 1 2 ( , ) . The calculation of the user's public key is as follows: If S is the same with any S in rater Cert saved by TTP, it shows the frequency of mutual evaluations made between two users exceeds a limit.For Rater, 1 1 ) have the same identification S. Through two double evaluation equations ( , ) . The calculation of the public key of Rater is as follows: For Ratee, 1 1 1 ( , ) have the same identification V. Through two double evaluation equations, , ( ) ( , ) , The calculation of the public key of Ratee is as follows: )

Verifying violation proof
Violation proof 1 2 ( , ) , where ( , , ) Identity(params, , , ) S p p algorithm, compare the output with the output of public key u pk .Use it as input and check if these two match.Subsequently, verify i φ related to ( , , ) i i i S r T .If both are verified as valid, then VerifyGuilt(params, , , ) accepts the violation proof, otherwise it refuses the violation proof.TTP records the violator in the set Ψ .

Tracing malicious nodes
Complete anonymity does not mean that none of evaluations of deals can be traced. If that is the case, such a system will bring convenience to outlaws. This paper has the following considerations when tracing malicious nodes:
a) if it is a valid evaluation, TTP cannot identify the user's real identity, or trace the user;
b) if the violation of a node occurs less than d times in a limited amount of time, the node will not be traced;
c) if the violation of a node occurs more than d times in a limited amount of time, the system will trace the violator.
In order to trace a violator, TTP needs to acquire the key s of the violator's certificate container. The process is as follows: x V H r T = = . d is the threshold value.
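The threshold tracing described here, using the Feldman verifiable key sharing that the paper names for sub-key generation, as an added Python example that is not code from the paper. The toy group (P = 2039, Q = 1019, G = 4), the function and class names, and the use of the sub-key index i as the evaluation point are assumptions.

```python
import secrets

# Constructed toy group (assumption): safe prime P = 2Q + 1, with G = 4
# generating the subgroup of prime order Q. Real use needs a large group.
P, Q, G = 2039, 1019, 4


def make_shares(s, d, n):
    """Node side: pick a degree-(d-1) polynomial f with f(0) = s.

    Returns the sub-keys s_i = f(i) and the public commitments G^{a_j}.
    """
    coeffs = [s % Q] + [secrets.randbelow(Q) for _ in range(d - 1)]
    commitments = [pow(G, a, P) for a in coeffs]
    shares = {}
    for i in range(1, n + 1):
        shares[i] = sum(a * pow(i, j, Q) for j, a in enumerate(coeffs)) % Q
    return shares, commitments


def verify_share(i, s_i, commitments):
    """TTP side: check G^{s_i} == prod_j C_j^{i^j} (mod P)."""
    rhs = 1
    for j, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(i, j, Q), P) % P
    return pow(G, s_i, P) == rhs


def recover_secret(shares, d):
    """Lagrange interpolation at x = 0 over Z_Q; needs at least d sub-keys."""
    if len(shares) < d:
        raise ValueError("fewer than d sub-keys: s stays hidden")
    points = list(shares.items())[:d]
    s = 0
    for i, y in points:
        num, den = 1, 1
        for k, _ in points:
            if k != i:
                num = num * (-k) % Q
                den = den * (i - k) % Q
        s = (s + y * num * pow(den, -1, Q)) % Q
    return s


class TracingTTP:
    """Collects verified sub-keys of one violator until the threshold d."""

    def __init__(self, commitments, d):
        self.commitments, self.d, self.valid = commitments, d, {}

    def submit(self, i, s_i):
        """Return (accepted, recovered_s_or_None) for one submitted sub-key."""
        if not verify_share(i, s_i, self.commitments):
            return False, None          # forged sub-key is rejected
        self.valid[i] = s_i             # resubmitting index i does not count twice
        if len(self.valid) >= self.d:
            return True, recover_secret(self.valid, self.d)
        return True, None
```

With fewer than d distinct valid sub-keys the interpolation is underdetermined, which matches consideration b) above; the d-th valid sub-key yields the container secret s.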

Verifying the sub-key
When the node updates its reputation value, if u pk is in the violators set Ψ in the time limit ( ) t n , the peer must submit valid i s The key of the container s can be acquired.A includes all certificate tags of all deal-makers.For A to win the game, it must make sure that TTP will accept an evaluation certificate of a non-truthful proof with a relatively high probability.
Assume A is sure that a truthful TTP receives invalid identification S in reputation evaluation verifying protocol, where $S \notin A_f$. Then A must forge a wrong proof: a) A must know TTP's signature on public B, C; b) S and T will be generated in the proof Γ. Under the assumption that CL signature is secure (based on strong RSA assumption and LRSW), a) occurs with the probability that $V_1(k)$ is negligible; under the discrete assumption, b) occurs with the probability that $V_2(k)$ is negligible. Then A occurs with the probability of . Thus, the total success probability of A is negligible.

Anonymity analysis
Theorem 2: The identity anonymity of Ratee and Rater should be ensured in executing the protocols.
Proof: Adversary A can act as a corrupted TTP and Ratee, generate and publicize the public key TTP pk The calculation of this scheme, and those from [31] and [32] is mainly on multi-based modular exponent and single-based modular exponent.But through proper methods, calculations like x x g g can be taken as 1,2 single modular exponent, and calculations like g g g can be taken as 1,5 modular exponent.
Considering that the evaluation certificate container withdrawal protocol in this scheme, e-cash withdrawal protocol in [31] and user registration protocol in [32] can all be executed offline, the comparison on efficiency will mainly focus on the executing efficiency of these three schemes in terms of reputation evaluation and reputation verifying protocol.
In this scheme, Rater needs to execute modular exponent calculations 11 times to generate the reputation evaluation certificate. TTP needs to execute modular exponent calculations 16 times to verify the validity of the evaluation certificate and the Ratee certificate. In [31], Rater needs to execute modular exponent calculations 27 times to generate e-cash that acts as evaluation value. In the reputation evaluation verifying protocol, TTP needs to execute modular exponent calculations 16 times to verify the validity of e-cash. In [32], reputation Rater needs to execute modular exponent calculations more than 30 times to generate the signature of reputation value, and the reputation value recipient also needs to execute modular exponent calculations more than 30 times to verify the signature of the reputation value. Compared with [31] and [32], in terms of computational complexity, this scheme has made improvements.
In terms of the complication of information, the three schemes are basically the same.

Comparison of anonymity and security
Both this scheme and [32] adopt zero-knowledge proof and blind signature technology to realize the anonymity of the Ratee. Though [31] adopts e-cash technology, this technology is based on zero-knowledge proof. Thus, the privacy technology used in these three schemes is similar; all three realized the anonymity of Ratee. But in terms of security, this scheme can resist and identify Sybil attack and ballot-stuffing attack. The work in [31] cannot resist or identify any malicious attack. And [32] can only resist Sybil attack.

This paper addresses such problems as the conflict between anonymity and reputation and the uncontrollability of reputation evaluation that are prominent in reputation systems where nodes' identity is absolutely anonymous. It introduces conditional anonymity into the reputation system to anonymously monitor the reputation evaluations made by users. Only when the anonymity condition is met can the reputation value be gained. Violators will be exposed and punished. Nodes that exceed the violation frequency in a certain time limit will be traced. Reputation evaluations made between users will be controlled. Based on blind signature, when a user updates the reputation value, its privacy can be protected, and its temporary certificates unlinked. It can also reconcile the conflict between anonymity and reputation.

1 (
But the signer does not know the exact value of C. The signer calculates CLSign(C) and sends it to the user, who will get

−
represents zero-knowledge simulator of proof protocol (Prot).
denoting the beginning, the middle and the ending of the protocol (letters b, m, e represent beginning, middle and ending). $Withdraw_b$ ends when the node sends message to TTP. $Withdraw_e$ ends when TTP sends message to the user. $Withdraw_e$ is taken as the proof protocol. The user is the prover, TTP the verifier. $Withdraw_m$ output from the verifier determines whether TTP will continue $Withdraw_e$, and send the ending message to the peer. $m_1$ represents the first information the peer will send to TTP. $b_1$ represents the state information when TTP received $m_1$. The detailed requirements of validity are as follows: a) Whatever model is given, there exists a highly efficient interpretable language S L A executes the game as follows: A plays withdrawal protocol with TTP and reputation verifying protocol VerifyRep for any times. If the i-th withdrawal protocol Withdraw succeeds, then the output of knowledge extractor

A executes the game as follows: A executes Withdraw and reputation verifying protocol VerifyRep with TTP. If the withdrawal protocol is executed successfully, the output of the knowledge extractor refers to the evaluation tag of the node with the public key being $pk_i$. In the reputation verifying protocol VerifyRep, if TTP accepts twice the

6.7 Identifying attacker

6.7.1 Identifying the attacker
If the certificate identification S in $Cert_{rater}$ equals certificate identification V in $Cert_{ratee}$, it means two temporary certificates of the same user are making mutual evaluations. Since in 2

6.8.1 The generation of a sub-key
By using Feldman's non-interactive verifiable key sharing, assume d is the pre-set threshold value. If the public key $pk_u$ of the violator first appears in the set Ψ of TTP, the node needs to select a $d-1$ key sharing polynomial $f(x)$. The calculation of polynomial coefficient is the node's public key being $pk_i$, and can trace all evaluation and transaction records of the node with the public key being $pk_i$. private key of TTP) execute f Withdraw . f n is the modulus of special RSA. 1 .
• Key generation TTP key generation: by executing TTP key generation algorithm TTPKeygen($1^k$, params) * ' rater Cert is as follows: value of $P_M$ should be updated. But since the reputation account of $P_M$ is bound to the real identity $U_M$ of $P_M$. If $P_M$ updates reputation value directly, will know $P_M$ is the temporary certificate of $U_M$, and reveal the link between user's temporary certificate and real identity.
1) $P_M$ submits Rater certificate $Cert_{rater}$ and $Cert_{ratee}$.

6.6 Reputation value updating protocol
After $Cert_{rater}$ and $Cert_{ratee}$ are verified, reputation

Table 2
Anonymity and security