An Anonymous Reputation System with Reputation Secrecy for Manager

  • Conference paper
Information Security and Cryptology -- ICISC 2013 (ICISC 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8565)

Abstract

In anonymous reputation systems, after an interaction between anonymous users, one of the users evaluates the peer by giving a rating. Ratings for a user are accumulated, and the accumulated value becomes the reputation of the user. By using the reputation, we can know the reliability of an anonymous user. Previously, anonymous reputation systems have been proposed using an anonymous e-cash scheme. However, in the e-cash-based systems, the bank learns the accumulated reputations of all users and the fluctuation of the reputations, which are private information for users. Furthermore, a timing attack using the deposit times is possible, which weakens the anonymity. In this paper, we propose an anonymous reputation system where the reputations of users are secret even from the reputation manager, such as the bank. Our approach is to adopt an anonymous credential certifying the accumulated reputation of a user. Initially, a user registers with the reputation manager and is issued an initial certificate. After each interaction with a rater, the user as the ratee obtains an updated certificate certifying the previous reputation plus the current rating. The update protocol is based on zero-knowledge proofs, and thus the reputations are secret from the reputation manager. On the other hand, due to the certificate, the user cannot maliciously alter his reputation.

References

  1. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010)

  2. Abe, M., Haralambiev, K., Ohkubo, M.: Signing on elements in bilinear groups for modular protocol design. Cryptology ePrint Archive, Report 2010/133 (2010). http://eprint.iacr.org/

  3. Androulaki, E., Choi, S.G., Bellovin, S.M., Malkin, T.: Reputation systems for anonymous networks. In: Borisov, N., Goldberg, I. (eds.) PETS 2008. LNCS, vol. 5134, pp. 202–218. Springer, Heidelberg (2008)

  4. Belenkiy, M., Camenisch, J., Chase, M., Kohlweiss, M., Lysyanskaya, A., Shacham, H.: Randomizable proofs and delegatable anonymous credentials. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 108–125. Springer, Heidelberg (2009)

  5. Bethencourt, J., Shi, E., Song, D.: Signatures of reputation. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 400–407. Springer, Heidelberg (2010)

  6. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)

  7. Camenisch, J.L., Chaabouni, R., Shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008)

  8. Camenisch, J., Kiayias, A., Yung, M.: On the portability of generalized schnorr proofs. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 425–442. Springer, Heidelberg (2009)

  9. Camenisch, J., Kohlweiss, M., Soriente, C.: An accumulator based on bilinear maps and efficient revocation for anonymous credentials. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 481–500. Springer, Heidelberg (2009)

  10. Chaum, D.: The dining cryptographers problem: unconditional sender and recipient untraceability. J. Cryptol. 1(1), 65–75 (1988)

  11. Schiffner, S., Clauß, S., Steinbrecher, S.: Privacy and liveliness for reputation systems. In: Martinelli, F., Preneel, B. (eds.) EuroPKI 2009. LNCS, vol. 6391, pp. 209–224. Springer, Heidelberg (2010)

  12. Schiffner, S., Clauß, S., Steinbrecher, S.: Privacy, liveliness and fairness for reputation. In: Černá, I., Gyimóthy, T., Hromkovič, J., Jefferey, K., Králović, R., Vukolić, M., Wolf, S. (eds.) SOFSEM 2011. LNCS, vol. 6543, pp. 506–519. Springer, Heidelberg (2011)

  13. Sudarsono, A., Nakanishi, T., Funabiki, N.: Efficient proofs of attributes in pairing-based anonymous credential system. In: Fischer-Hübner, S., Hopper, N. (eds.) PETS 2011. LNCS, vol. 6794, pp. 246–263. Springer, Heidelberg (2011)


Correspondence to Toru Nakanishi .


A Syntax and Security Requirements

A.1 Syntax

The algorithms and protocol of the anonymous reputation system are as follows.

  • Setup(\(\mathsf {l}, n, L, \tilde{L}\)): This is the key setup algorithm for \(\mathsf {RM}\). Among the inputs, \(\mathsf {l}\) is the security parameter, \(n\) is the maximum number of items which are offered by sellers but have not been rated yet, \(L\) is the number of ranges used in proving the accumulated reputation, and \(\tilde{L}\) is the number of ranges used in proving the number of ratings. This algorithm outputs \(\mathsf {RM}\)’s public key \(rpk\) and \(\mathsf {RM}\)’s secret key \(rsk\), and initializes the sets \(\mathcal{L}_{\mathsf {RM}}\), \(\mathcal{P}\) and \(\mathcal{S}\) as empty.

  • Register: This is an interactive protocol between a joining user \(\mathsf {U}\) and \(\mathsf {RM}\) for the registration of \(\mathsf {U}\). The common input is \(rpk\). The input of \(\mathsf {RM}\) is \(rsk\). The outputs of \(\mathsf {U}\) are \(\mathsf {U}\)’s unique secret \(sec\) and an initial one-time certificate \(cert_0\) indicating accumulated reputation \(rep_0=0\) and the number of ratings \(num_0=0\).

  • Show: This is an interactive protocol between a seller (registered user) \(\mathsf {U}\) and \(\mathsf {RM}\), where \(\mathsf {U}\) proves that his/her current reputation \(rep_{t-1}\) lies in range \([2^{\ell -1},2^\ell -1]\), and proves that the number of ratings \(num_{t-1}\) lies in range \([2^{\tilde{\ell }-1},2^{\tilde{\ell }}-1]\). The common input is \(rpk\). The inputs of \(\mathsf {U}\) are \(rep_{t-1}, num_{t-1}\), the user’s secret \(sec\), and the certificate \(cert_{t-1}\). The inputs of \(\mathsf {RM}\) are \(rsk\), \(\mathcal{L}_{\mathsf {RM}}\), and \(\mathcal{S}\). The outputs of \(\mathsf {U}\) are item ID number \(i\) and an updated one-time certificate \(cert_t\) for \(i\), and \(rep_t = rep_{t-1}\), \(num_t = num_{t-1}\). The outputs of \({\mathsf {RM}}\) are updated \(\mathcal{L}_{\mathsf {RM}}\), and \(\mathcal{S}\). The set \(\mathcal{L}_{\mathsf {RM}} \subset [1,n]\) consists of ID numbers of items which are offered by sellers but have not been rated yet. The set \(\mathcal{S}\) consists of tags which are included in certificates, to detect the double use of the certificates. If the certificate \(cert_{t-1}\) has been used in a past protocol, this protocol is aborted.

  • Rate: This is the algorithm of \(\mathsf {RM}\) that, on inputs item ID number \(i\), the rating value \(\varDelta _{rep}\), the pending database \(\mathcal{P}\) and \(\mathcal{L}_{\mathsf {RM}}\), deletes \(i\) from \(\mathcal{L}_{\mathsf {RM}}\) and adds \((i, \varDelta _{rep})\) to \(\mathcal{P}\). The set \(\mathcal{P}\) consists of \((i,\varDelta _{rep})\) such that the rating \(\varDelta _{rep}\) has not been accumulated to the corresponding certificate yet.

  • Update: This is an interactive protocol between a seller \(\mathsf {U}\) and \(\mathsf {RM}\) to accumulate the rating in the certificate. The common inputs are \(rpk\), the target item ID number \(i\), and the rating \(\varDelta _{rep}\). The inputs of \(\mathsf {U}\) are \(rep_{t-1}, num_{t-1}\), the user’s secret \(sec\), and the certificate \(cert_{t-1}\). The inputs of \(\mathsf {RM}\) are \(rsk\), \(\mathcal{P}\), \(\mathcal{L}_{\mathsf {RM}}\), and \(\mathcal{S}\). The outputs of \(\mathsf {U}\) are \(rep_t = rep_{t-1}+\varDelta _{rep}\), \(num_t = num_{t-1}+1\), and the one-time certificate \(cert_t\). \(\mathsf {RM}\) deletes \((i,\varDelta _{rep})\) from \(\mathcal{P}\). If the certificate \(cert_{t-1}\) has been used in a past protocol, this protocol is aborted.

Using the above algorithms and protocols, the system flow is as follows. First of all, \(\mathsf {RM}\) initializes the system using Setup, and the public key \(rpk\) is published. When a user wants to participate in this system, the user registers with \(\mathsf {RM}\) to obtain initial data. When a user wants to offer an item, the user registers the item and conducts the Show protocol with \(\mathsf {RM}\). \(\mathsf {RM}\) publishes the item with the ranges of \(rep_{t-1}, num_{t-1}\) of the seller, from which buyers can check the reliability of the seller. After a buyer has an interaction with the seller, the buyer sends his rating to \(\mathsf {RM}\). \(\mathsf {RM}\) forwards the rating to the seller, who conducts the \(\mathbf{Update}\) protocol with \(\mathsf {RM}\).
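The data flow of Setup, Register, Show, Rate and Update can be traced with a small model, added here as an illustration and not taken from the paper. It keeps only the manager's bookkeeping (\(\mathcal{L}_{\mathsf {RM}}\), \(\mathcal{P}\), \(\mathcal{S}\)) and the range index; certificates are plain records with no signatures or zero-knowledge proofs, so unlike the real scheme this model's manager sees the values. The class and field names, the choice of the smallest free item ID, the check that a certificate matches its item, and the index 0 for a zero value are assumptions.

```python
# Added model of the A.1 bookkeeping only (not the paper's construction):
# certificates are plain records, no signatures or zero-knowledge proofs.
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    tag: str    # one-time tag; RM stores it in S once the certificate is used
    rep: int    # accumulated reputation (hidden from RM in the real scheme)
    num: int    # number of ratings (hidden from RM in the real scheme)
    item: int   # item ID the certificate was issued for; 0 = none (assumption)

def range_index(v):
    """l such that v lies in [2^(l-1), 2^l - 1]; 0 for v == 0 (assumption)."""
    if v < 0:
        raise ValueError("this model assumes non-negative values")
    return v.bit_length()

class RM:
    def __init__(self, n):                      # Setup: empty L_RM, P and S
        self.n, self.L_RM, self.P, self.S = n, set(), {}, set()

    def _consume(self, cert):                   # double-use detection via S
        if cert.tag in self.S:
            raise ValueError("certificate already used: protocol aborted")
        self.S.add(cert.tag)

    def register(self):                         # cert_0: rep_0 = 0, num_0 = 0
        return Cert(secrets.token_hex(8), 0, 0, 0)

    def show(self, cert):
        free = [k for k in range(1, self.n + 1)
                if k not in self.L_RM and k not in self.P]
        if not free:
            raise RuntimeError("n items are already awaiting rating or update")
        ranges = (range_index(cert.rep), range_index(cert.num))
        self._consume(cert)
        i = free[0]                             # smallest free ID (assumption)
        self.L_RM.add(i)                        # i is offered but not yet rated
        return (i, *ranges), Cert(secrets.token_hex(8), cert.rep, cert.num, i)

    def rate(self, i, delta_rep):               # move i from L_RM to P
        self.L_RM.remove(i)                     # KeyError if i is not pending
        self.P[i] = delta_rep

    def update(self, cert, i):
        if cert.item != i or i not in self.P:   # item binding is an assumption
            raise ValueError("no pending rating for this certificate's item")
        self._consume(cert)
        delta_rep = self.P.pop(i)               # RM deletes (i, delta_rep) from P
        return Cert(secrets.token_hex(8), cert.rep + delta_rep, cert.num + 1, 0)
```

Reusing an old certificate in `show` or `update` raises, which is the abort condition stated for both protocols.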

A.2 Security Requirements

As security requirements, we consider reputation unforgeability and seller anonymity.

Reputation Unforgeability. Consider the following reputation unforgeability game. As in the proof in [4], in order to identify the user from the Update or Show protocol transcript, we need a special algorithm, Extract.

Reputation unforgeability game: The challenger runs Setup, and obtains \(rpk\) and \(rsk\). He provides \(\mathcal{A}\) with \(rpk\), and runs \(\mathcal{A}\). He initializes the database \(\mathcal{D}\) with entries \((x_{\mathsf {i}}, \mathsf {sum}_{{\mathsf {i}}, rep}, \mathsf {sum}_{{\mathsf {i}}, num})\). During the run, \(\mathcal{A}\) can issue the following queries to the challenger:

  • C-Register: At \(\mathcal{A}\)’s request, the challenger as \({\mathsf {RM}}\) executes the Register protocol with \(\mathcal{A}\) as a user.

  • C-Show: At \(\mathcal{A}\)’s request as the seller, the challenger as \({\mathsf {RM}}\) executes the Show protocol with \(\mathcal{A}\).

  • C-Update: At \(\mathcal{A}\)’s request for the item ID \(i\) and the rating \(\varDelta _{rep}\), using Rate, the challenger updates \(\mathcal{P}\) and \(\mathcal{L}_{\mathsf {RM}}\). Then, the challenger as \({\mathsf {RM}}\) executes Show protocol on input \((i, \varDelta _{rep})\) with \(\mathcal{A}\) as the seller. From the protocol transcript, using Extract, the challenger extracts the identity \(x_{\mathsf {i}}\) of the user. In the database \(\mathcal{D}\), the challenger renews \({\mathsf {sum}}_{{\mathsf {i}},rep} = {\mathsf {sum}}_{{\mathsf {i}},rep} + \varDelta _{rep}\), and \({\mathsf {sum}}_{{\mathsf {i}},num} = {\mathsf {sum}}_{{\mathsf {i}},num} + 1\) in the entry \((x_{\mathsf {i}}, \mathsf {sum}_{{\mathsf {i}}, rep}, \mathsf {sum}_{{\mathsf {i}}, num})\).

Finally, the challenger as \({\mathsf {RM}}\) executes Show protocol with \(\mathcal{A}\) as a seller.

Then, \(\mathcal{A}\) wins if

  1. The final Show protocol succeeds for \(rep^*_{t-1}\in [2^{\ell -1},2^{\ell }-1]\) and \(num^*_{t-1}\in [2^{\tilde{\ell }-1},2^{\tilde{\ell }}-1]\) for some \(\ell , \tilde{\ell }\).

  2. For \(x_\mathsf {i^*}\) extracted by Extract from the final Show protocol, it holds that \(\mathsf {sum}_{{\mathsf {i}^*}, rep}\notin [2^{\ell -1},2^{\ell }-1]\) or \(\mathsf {sum}_{{\mathsf {i}^*}, num}\notin [2^{\tilde{\ell }-1},2^{\tilde{\ell }}-1]\) in the entry \((x_{\mathsf {i^*}}, \mathsf {sum}_{{\mathsf {i}^*}, rep}, \mathsf {sum}_{{\mathsf {i}^*}, num})\) in \(\mathcal{D}\).

Definition 4

A reputation system is reputation unforgeable if, for any PPT adversary \(\mathcal{A}\) involved in the reputation unforgeability game, the probability that \(\mathcal{A}\) wins the game is negligible for security parameter \(\mathsf {l}\).

Seller Anonymity. As the syntax shows, the pair of Show protocol and Update protocol for the same item ID are linkable and the rating \(\varDelta _{rep}\) is revealed. Furthermore, each Show protocol reveals the ranges in which \(rep\) and \(num\) lie. Seller anonymity means that an adversary can obtain no information on the user beyond these. Since the adversary can corrupt \({\mathsf {RM}}\), a system with seller anonymity satisfies reputation secrecy even against the manager. In a similar way to the anonymity definition of an anonymous credential system [4], seller anonymity is defined as follows: The interaction of the adversary (corrupting \({\mathsf {RM}}\)) with honest users is indistinguishable from some ideal game where Show and Update protocol transcripts are independent of the user’s identity. Consider the simulators SimShow and SimUpdate for Show and Update.

Definition 5

A reputation system is seller anonymous if the following properties hold:

  • No adversary can tell if it is interacting with an honest user with \(rep_{t-1}\), \(num_{t-1}, sec, cert_{t-1}\) in \(\mathbf{Show}\) protocol, or with SimShow which is not given \(rep_{t-1}, num_{t-1}, sec, cert_{t-1}\).

  • No adversary can tell if it is interacting with an honest user with \(rep_{t-1}\), \(num_{t-1}, sec, cert_{t-1}\) in \(\mathbf{Update}\) protocol, or with SimUpdate which is not given \(rep_{t-1}, num_{t-1}, sec, cert_{t-1}\).

© 2014 Springer International Publishing Switzerland

Cite this paper

Nakanishi, T., Nomura, T., Funabiki, N. (2014). An Anonymous Reputation System with Reputation Secrecy for Manager. In: Lee, HS., Han, DG. (eds) Information Security and Cryptology -- ICISC 2013. ICISC 2013. Lecture Notes in Computer Science, vol 8565. Springer, Cham. https://doi.org/10.1007/978-3-319-12160-4_22

  • DOI: https://doi.org/10.1007/978-3-319-12160-4_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12159-8

  • Online ISBN: 978-3-319-12160-4

  • eBook Packages: Computer Science (R0)