Privacy-Enhanced Reputation-Feedback Methods to Reduce Feedback Extortion in Online Auctions
Authors: Michael T. Goodrich (University of California, Irvine), Florian Kerschbaum (SAP Research)
Michael T. Goodrich, Dept. of Computer Science, University of California, Irvine, Irvine, California 92697-3435, USA
Florian Kerschbaum, SAP Research, Vincenz-Priessnitz-Str. 1, 76131 Karlsruhe, Germany

Abstract

In this paper, we study methods for improving the utility and privacy of reputation scores for online auctions, such as used in eBay, so as to reduce the effectiveness of feedback extortion. The main ideas behind our techniques are to use randomization and various schemes to escrow reputation scores until appropriate external events occur. Depending on the degree of utility and privacy needed, these external techniques could depend on the number and type of reputation scores collected. Moreover, if additional privacy protection is needed, then random sampling can be used with respect to reputation scores in such a way that reputation aggregates remain useful, but individual reputation scores are probabilistically hidden from users. Finally, we show that if privacy is also desired with respect to the reputation aggregator, then we can use zero-knowledge proofs for reputation comparisons.

1 Introduction

Now that online auctions are a mature Internet enterprise, they are also a common source of complaints of Internet fraud. The most common first line of defense against auction fraud is a feedback system, so that buyers and sellers can rate each other. That is, to provide a means for deterring cheating and fraud, the managers of online auction systems allow sellers to rate buyers on how quickly and honestly they pay for the items for which they are the highest bidder, and buyers to rate sellers on how honestly they described their goods and how well they shipped them. Not surprisingly, the feedback rating score of a buyer or seller can have dramatic impacts on their ability to buy and sell goods [19].
Rating systems vary from those that rate on a numerical scale to those, such as eBay, that rate on a simple "negative," "neutral," and "positive" continuum. In practice, however, these different feedback mechanisms are similar, in that anything but the highest, most positive rating is seen as a bad score. Thus, we take the simplified view in this paper that feedback evaluations are essentially binary, being either "positive" or "negative."

Because of the importance of reputation in online auctions, there is a strong incentive for buyers and sellers to work hard to get highly positive ratings. Naturally, the intent of this incentive is that buyers and sellers should be on their best behavior, with buyers being fast and reliable with their payments and sellers being fast and reliable with their item descriptions and shipping methods. Unfortunately, dishonest or incompetent buyers and sellers still want positive feedback, and some are even willing to manipulate the system to get it. In particular, some buyers and sellers who deserve negative feedback will nevertheless pressure their trading partner for positive feedback, even if their behavior is more accurately classified as "negative." For example, a seller might threaten to provide negative feedback to an unhappy buyer if she provides negative feedback on the seller. Such feedback extortion became such a problem within eBay, for example, that in January 2008 eBay changed its feedback policy so that sellers can only provide positive feedback for buyers. In addition, the eBay web site contains the following feedback extortion policy (http://pages.ebay.com/help/policies/feedback-extortion.html):

Buyers aren't allowed to demand goods or services outside of the transaction while threatening negative Feedback, neutral Feedback, or low detailed seller ratings. Sellers can't require buyers to leave specific Feedback or detailed seller ratings.
Sellers also can't demand that buyers withdraw existing Feedback or detailed seller ratings. This applies to all Feedback activity, whether it happened before, during, or after delivery of items or services described in the original listing.

This solution removes the possibility of feedback extortion from sellers, of course, but it also completely negates the usefulness of feedback on buyers. Now the only influence that a seller can have on the reputation of a poor buyer is to say nothing at all and hope that other, external methods can be used to resolve any disputes with buyers. Even then, this seller feedback restriction still does not stop feedback extortion from buyers, who can still threaten negative feedback on sellers unless they give the buyers positive feedback by a certain deadline. Thus, we are interested in this paper in schemes that can promote good-quality, accurate feedback, while discouraging or even preventing feedback extortion.

1.1 Prior Related Results

The positive impact of feedback on interacting parties has been studied by economists for a long time and has even been experimentally verified [4]. Nevertheless, only the bilateral feedback system enabled the emerging problem of feedback retaliation.

1.1.1 Feedback Correction and Evaluation

Feedback retaliation is well-known folklore on online auction sites. Resnick and Zeckhauser systematically evaluated eBay feedback data [19]. They noticed that only 0.3 percent of all transactions were rated negative, but in case one partner rated negative, the probability of the other partner rating negative was over 37%. Furthermore, only roughly half of the transactions were rated at all. This data at least suggests that there is a problem of feedback extortion and reluctance to rate negatively. Miller et al. suggest a payment mechanism to elicit honest feedback [14].
Such a payment mechanism can be implemented cost-neutrally for the reputation platform and has a Nash equilibrium for truth-telling. Of course, its realization involves another accounting mechanism that is not necessary in our implementation. Traupman and Wilensky suggest a statistical method to correct the error from negative ratings [20]. Nevertheless, they evaluate their system only on synthetic data from current reputation systems. Clearly this does not take into account the game-changing effect that a change in the reputation scoring algorithm has. For example, if it becomes less threatening for someone to be rated negative, he might be inclined to lower his ratings or perform worse.

1.1.2 Feedback Computation Privacy

Privacy as a mechanism to protect against feedback extortion has been proposed previously by Kerschbaum [12], who presents a protocol for a private and reliable reputation system using two mutually distrustful service providers, i.e., where there is no single trusted reputation provider anymore. Nevertheless, the proposed mechanism still suffers from a long delay before publishing results, which this paper removes via sampling and escrow. Note that, in the context of this paper, privacy deals with the secrecy of a rating score, i.e., how an agent was rated. Other private reputation systems, e.g., [1, 15, 18], only protect the identity of the rater, i.e., who has rated, which does not protect against feedback extortion.

Privately computing a reputation score is an instance of secure computation (SC) [2, 11, 21]. SC allows a number of parties to compute a function (such as a reputation score) on joint inputs (such as the ratings) without disclosing anything except what can be inferred from one party's input and output. We stress that a straightforward application of SC does not protect the rating by itself.
The continuous release of the reputation score, i.e., the result of the aggregation mechanism, reveals the input and breaks privacy. Protocols that implement secure computation therefore either use a more complicated reputation mechanism, e.g., collaborative filtering [5], or simply do not reveal the result [17].

1.1.3 Differential Privacy

The work of this paper is also related to approaches used in the context of differential privacy (e.g., see [9]) for hiding the contribution of a single value to the whole through the introduction of random noise or assumed randomness. Unfortunately, such approaches are not a good fit for protecting the privacy of reputation scores in online auctions. There are two primary reasons for this difficulty. First, most existing schemes, such as that by Dinur and Nissim [7], for protecting the privacy of individual values that contribute to a sum require that one at least knows the number of items included in the sum. But reputation scores have an arbitrary, unbounded number of items that can be included (they are the total number of items bought or sold by a member of an auction), and making such previous differential-privacy methods work for such unbounded summations appears difficult. Second, a reputation score evolves over time. So we cannot assume that such scores are drawn uniformly at random from some distribution, say, as is needed in the differential-privacy scheme of Duan [8]. Likewise, a participant that queries his or her own reputation after every transaction can be modeled as issuing correlated summation queries, but existing techniques, such as that of Li et al. [13], for obfuscating such queries appear to introduce too much noise to be of practical use for reputation aggregation.

1.2 Our Results

In this paper, we first present a game-theoretic analysis of simple reputation escrow. In simple reputation escrow we consider a single transaction and its feedback.
We show that when players are forced to leave feedback concurrently, they are inclined to leave correct feedback. This applies even in case both players experienced a negative transaction.

Figure 1: Feedback escrow. The buyer, Alice, sends payment and the seller, Bob, sends the purchased item; the buyer's feedback and the seller's feedback go into the feedback escrow, and the feedback scores are not released until both are received.

We then extend this result to a reputation system that keeps feedback escrowed forever, i.e., it remains entirely private. This may seem impossible at first sight, since changes in the reputation score reveal the type of feedback left. Nevertheless, we introduce a randomized sampling technique that can compute reliable averages while still providing privacy of the feedback. We show the error bounds of this sampling technique and conclude that it is a reliable estimator of performance.

As a last result, we remove the need for a trusted reputation service provider. We adapt the previous result of Kerschbaum [12] to include the randomized sampling technique. This adaptation requires an additional zero-knowledge proof for correct sampling. The challenge in its construction is that the input for the proof is distributed.

In summary, this paper contributes
• a game-theoretic analysis of reputation escrow
• a randomized feedback sampling mechanism that provides privacy of ratings despite immediate publishing
• a secure computation of a zero-knowledge proof for correct sampling that removes the need for a trusted reputation service provider

The remainder of the paper is structured as follows: Section 2 introduces reputation escrow and presents its game-theoretic analysis. Section 3 describes the sampling algorithm and analyses its error bounds.
Section 4 explains how to remove the need for a trusted reputation provider and gives the secure computation protocol for the necessary zero-knowledge proof, including a security proof. We conclude in Section 5.

2 Simple Reputation Escrow

The first solution we consider is a simple one: escrow the feedback from a buyer or seller, whichever comes first, until the second party in the transaction posts feedback on the first. (See Figure 1.) This simple approach removes the sequential nature of feedback scoring for determining a person's reputation in the online auction; hence, it prevents quid pro quo retaliation or reward for non-repeated transactions. When an online auction uses a reputation escrow, a buyer or seller cannot know the feedback score they are receiving from the other until they post their own feedback score for the other. Rather than argue the benefits of a reputation escrow in an ad hoc manner, however, let us analyze its benefits using game theory.

2.1 Studying Reputation Escrow Through a Game-Theoretic Lens

When a buyer, Alice, and seller, Bob, are contemplating the feedback to give one another after a transaction, there are several factors that impact their respective decisions. Let us model what we feel are the most important of these factors using the following non-negative parameters (where we let x represent A for "Alice" or B for "Bob" and we let y denote the other party, i.e., "Bob" or "Alice"):
• $\Delta_x$: the utility that x receives by having his or her reputation increase from the receipt of a positive feedback score. So $-\Delta_x$ is the amount by which x's reputation utility would decrease from receiving a negative feedback score.
• $f_x$: the normalized utility that x receives from giving a correct feedback (e.g., from the satisfaction of doing the right thing and/or helping other auction users learn the true reputation of y better).
• $r_x$: the normalized utility that x receives from performing a revenge punishment on y for a negative feedback from y. It is a recognition of human nature to allow for this parameter, but we nevertheless assume that revenge satisfaction cannot fully overcome negative feedback, even when one is also giving out the correct feedback (so $r_x + f_x < \Delta_x$).

There are four different games that Alice and Bob can play, depending on whether each wants to give the other a positive (P) feedback or a negative feedback (N). We can model these games using a two-by-two payoff matrix, where we let Alice be the row player and Bob be the column player. These are shown in Figure 2 in generic form. If Alice and Bob both want to give positive feedback (the P-P game), then this is either a game strictly dominated by the (P,P) response (if $r_x < f_x$), which is the unique Nash equilibrium in this case, or (if $r_x > f_x$) it is an instance of a generic stag hunt game. (In a stag hunt game, two players are hunting a stag. If they cooperate, they both share the prize. If one of them does not cooperate while the other still does, then the non-cooperator gets a hare, which is worth less than half a stag, while the stag hunter gets nothing. If they both defect, they both get hares.) In the case of a stag hunt game (i.e., if $r_x > f_x$), there are two Nash equilibria for this game, the (P,P) response and the (N,N) response. Clearly, however, the (P,P) response is preferred by both parties, even in this case, so it is the most likely response, as one would expect, even if $r_x > f_x$.

The N-P and P-N games are less interesting, from a game-theoretic point of view, in that one player has a dominating N strategy and, given that choice, the other player's best choice is either
P or N depending on the relative utility they receive from altruism (their $f_x$ value) or revenge (their $r_x$ value). So, if $r_x > f_x$, then (N,N) is the unique Nash equilibrium for both of these games. Alternatively, if $r_x < f_x$, then (N,P) or (P,N) is the unique Nash equilibrium, depending on whether it is Alice or Bob that feels the other deserves a negative feedback (i.e., whether they are playing the N-P game or the P-N game).

Figure 2: The four games that come from Alice and Bob respectively wanting to give (a) P-P feedback, (b) P-N feedback, (c) N-P feedback, and (d) N-N feedback. Alice is the row player and Bob the column player; each cell gives (Alice's payoff, Bob's payoff).

(a) P-P game
            Bob: P                                 Bob: N
Alice: P    $(\Delta_A + f_A,\ \Delta_B + f_B)$      $(-\Delta_A + f_A,\ \Delta_B)$
Alice: N    $(\Delta_A,\ -\Delta_B + f_B)$           $(-\Delta_A + r_A,\ -\Delta_B + r_B)$

(b) P-N game
            Bob: P                                 Bob: N
Alice: P    $(\Delta_A + f_A,\ \Delta_B)$            $(-\Delta_A + f_A,\ \Delta_B + f_B)$
Alice: N    $(\Delta_A,\ -\Delta_B)$                 $(-\Delta_A + r_A,\ -\Delta_B + r_B + f_B)$

(c) N-P game
            Bob: P                                 Bob: N
Alice: P    $(\Delta_A,\ \Delta_B + f_B)$            $(-\Delta_A,\ \Delta_B)$
Alice: N    $(\Delta_A + f_A,\ -\Delta_B + f_B)$     $(-\Delta_A + f_A + r_A,\ -\Delta_B + r_B)$

(d) N-N game
            Bob: P                                 Bob: N
Alice: P    $(\Delta_A,\ \Delta_B)$                  $(-\Delta_A,\ \Delta_B + f_B)$
Alice: N    $(\Delta_A + f_A,\ -\Delta_B)$           $(-\Delta_A + f_A + r_A,\ -\Delta_B + f_B + r_B)$

The N-N game, on the other hand, is an instance of a generic prisoner's dilemma game. In spite of the dilemma posed by the fact that (P,P) is the highest-payoff choice for both players, the Nash equilibrium for this game is (N,N).

So as to provide more concrete examples of these games, we show them in Figure 3 using the concrete values $\Delta_x = 5$, $f_x = 3$, and $r_x = 1$. Note that in this case, where revenge is less powerful than altruism, i.e., when $r_x < f_x$, the Nash equilibrium for each game is the desired feedback that we would like to see for this reputation system. That is, the system works in this case, in that the optimal choice for each player is to provide the feedback that they feel is most appropriate for the other player.
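The payoff model and the equilibrium claims above can be checked mechanically. The following Python is an added example written for this page (it is not code from the paper): it builds the four payoff matrices of Figure 2 from the parameters $\Delta_x$, $f_x$ and $r_x$ (assumed symmetric between Alice and Bob, as in Figure 3), finds the pure-strategy Nash equilibria, and also evaluates the sequential, non-escrowed variant analysed in Section 2.2, in which Alice posts first and Bob may have announced that he retaliates. All function and variable names are the example's own.

```python
"""Added example: payoff matrices and pure Nash equilibria of the four
feedback games of Section 2.1, plus the sequential variant of Section 2.2.
Not code from the paper; names are this example's own."""
from itertools import product

P, N = "P", "N"
MOVES = (P, N)


def payoff(delta, f, r, wants, gives, receives, both_negative):
    """Utility of one player under the model of Section 2.1: +delta for
    receiving P, -delta for receiving N, +f for giving the feedback the
    player believes is correct, +r (revenge) when both players give N."""
    u = delta if receives == P else -delta
    if gives == wants:
        u += f
    if both_negative:
        u += r
    return u


def game(delta, f, r, alice_wants, bob_wants):
    """Payoff matrix {(alice_move, bob_move): (u_A, u_B)} as in Figure 2,
    Alice as row player and Bob as column player. Parameters are assumed
    symmetric (delta_A = delta_B, etc.), as in Figure 3, and the paper's
    assumption r_x + f_x < Delta_x is enforced."""
    assert r + f < delta, "paper assumes r_x + f_x < Delta_x"
    table = {}
    for a, b in product(MOVES, MOVES):
        both_n = (a == N and b == N)
        table[(a, b)] = (payoff(delta, f, r, alice_wants, a, b, both_n),
                         payoff(delta, f, r, bob_wants, b, a, both_n))
    return table


def pure_nash_equilibria(table):
    """Profiles from which neither player gains by deviating alone."""
    eqs = []
    for (a, b), (u_a, u_b) in table.items():
        alice_stays = all(table[(a2, b)][0] <= u_a for a2 in MOVES)
        bob_stays = all(table[(a, b2)][1] <= u_b for b2 in MOVES)
        if alice_stays and bob_stays:
            eqs.append((a, b))
    return sorted(eqs)


def sequential_outcome(table, bob_retaliates=False):
    """Non-escrowed feedback (Section 2.2): Alice posts first, Bob sees her
    feedback and best-replies. bob_retaliates=True models Bob having
    credibly announced that he answers N with N (the extortion threat);
    Alice then maximises her own payoff against that reply rule."""
    def bob_reply(alice_move):
        if bob_retaliates and alice_move == N:
            return N
        return max(MOVES, key=lambda b: table[(alice_move, b)][1])

    alice_move = max(MOVES, key=lambda a: table[(a, bob_reply(a))][0])
    return (alice_move, bob_reply(alice_move))


if __name__ == "__main__":
    for wants in [(P, P), (P, N), (N, P), (N, N)]:
        g = game(5, 3, 1, *wants)            # the values of Figure 3
        print(wants, pure_nash_equilibria(g))
    np_game = game(5, 3, 1, N, P)            # Alice deserves to give N
    print("sequential, honest Bob:    ", sequential_outcome(np_game))
    print("sequential, Bob threatens: ", sequential_outcome(np_game, True))
```

With the Figure 3 values every game has the "desired" profile as its unique equilibrium; with revenge stronger than altruism (for instance $\Delta_x = 10$, $f_x = 3$, $r_x = 4$) the P-P game acquires the second (N,N) equilibrium of the stag hunt and the P-N and N-P games collapse to (N,N). In the sequential N-P game, Alice's best move is N while Bob best-replies honestly, and flips to P once Bob's retaliation rule is fixed, which is the extortion of Section 2.2.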
(Footnote to the N-N game: in a prisoner's dilemma game, two prisoners are accused of a crime. If they both deny the other is guilty, then they both go free. If only one testifies against the other, on the other hand, then he gets a reward and goes free, while the other gets a heavy sentence. But if both of them testify against the other, they both get modest prison terms.)

Figure 3: The four games that come from Alice and Bob respectively wanting to give (a) P-P feedback, (b) P-N feedback, (c) N-P feedback, and (d) N-N feedback, for the concrete values $\Delta_x = 5$, $f_x = 3$, and $r_x = 1$. Alice is the row player and Bob the column player.

(a) P-P game
            Bob: P      Bob: N
Alice: P    (8, 8)      (-2, 5)
Alice: N    (5, -2)     (-4, -4)

(b) P-N game
            Bob: P      Bob: N
Alice: P    (8, 5)      (-2, 8)
Alice: N    (5, -5)     (-4, -1)

(c) N-P game
            Bob: P      Bob: N
Alice: P    (5, 8)      (-5, 5)
Alice: N    (8, -2)     (-1, -4)

(d) N-N game
            Bob: P      Bob: N
Alice: P    (5, 5)      (-5, 8)
Alice: N    (8, -5)     (-1, -1)

Of course, even in the case when revenge is stronger than altruism, the two parties don't know with certainty which game they are actually playing, between the games P-P, P-N, N-P, and N-N. At best, they can eliminate two of these games, based on what they think is the appropriate feedback to give the other person. But they don't know the feedback the other person feels is most appropriate to give them. Based on the above analysis, if a person feels the other player deserves a negative feedback (N), then they should give them a negative feedback. But, even if revenge is stronger than altruism (i.e., $r_x > f_x$), a player who feels the other person deserves a positive rating (P) has to make an educated guess as to whether they are playing the P-P game or the N-P or P-N game (depending on whether they are the buyer or seller). By assigning probabilities, based on how satisfied they think the other person is, a player can calculate an expected return based on their probabilities that they are playing, say, the P-P game or the P-N game.
In most cases, the optimal choice in this instance will be to provide positive feedback for the other person when they deserve it. Thus, even if revenge is stronger than altruism, the reputation system should work and it should score people with their appropriate feedback scores most of the time.

2.2 Why Non-Escrowed Systems Break Down

In a nutshell, a crucial property that allows the reputation escrow system to work is that the buyer and seller have a degree of uncertainty about what the other person is going to do. In fact, they don't know for certain even what game they are playing, between the choices of P-P, N-P, P-N, and N-N. And that uncertainty pushes each person to provide the appropriate level of feedback as their optimal response. In this subsection, we outline why removing this uncertainty, as in a non-escrowed system, allows for feedback extortion.

Suppose now that the feedback game is played sequentially, so that player x first makes their choice, which is revealed to player y, and then y makes their choice. For simplicity, let us assume that it is the buyer, Alice, who goes first and the seller, Bob, who goes second (the reverse scenario is similar). Notice immediately that as soon as Alice provides her feedback, Bob knows her response and can react to that choice with certainty. Moreover, Alice now knows that Bob is going to see her response as soon as she reveals it, and this can in fact influence the choice Alice is going to make. This influence doesn't make much of a difference, however, in three of the feedback games. In the P-P game, for instance, Alice reveals a positive response and Bob replies with a positive response, as these are the optimal choices for them.
Likewise, in the P-N game, Alice reveals her positive or negative response depending on whether she favors altruism over revenge, just as in the synchronized version, and then is hit with a negative feedback from Bob either way. And in the N-N game, Alice reveals a negative response and is immediately hit with negative feedback from Bob, as this is the equilibrium choice for both of them.

Something interesting happens in the N-P game, however, where Alice feels that the correct assessment of her satisfaction with the transaction is negative while Bob feels that the correct assessment of his satisfaction with the transaction is positive. Let's look at the possible scenarios:
• Alice reveals a positive response. In this case, Bob's optimal response is also positive, and the payoff is $(\Delta_A,\ \Delta_B + f_B)$.
• Alice reveals a negative response. In this case, depending on Bob's relative utility between altruism and revenge, his optimal response is either positive, with payoff $(\Delta_A + f_A,\ -\Delta_B + f_B)$, or negative, with payoff $(-\Delta_A + f_A + r_A,\ -\Delta_B +r_B)$ (the (N,N) cell of Figure 2(c)).

Thus, Alice knows that if she reveals a positive response, she is giving up on a higher payoff, of $\Delta_A + f_A$, which she might get from Bob should he be an altruistic person. But this is exactly the decision that Bob can now influence. Should he reveal to Alice ahead of her choice (e.g., using an email threat or even just a snide comment) that he prefers revenge over altruism, then her optimal choice is now to give him positive feedback. That is, she is making a suboptimal choice for herself, based on pressure from Bob, which is extortion. Of course, Bob would not know at the point of his threats whether Alice and he are playing the P-P, N-P, P-N, or N-N game, but he loses nothing in the P-P, P-N, or N-N game from revealing his preference for revenge over altruism.
Since he gains something in the N-P game from this revelation, Bob is therefore motivated to threaten Alice with retaliation should she give him negative feedback.

The reputation escrow system reduces the possibility of this abuse, however, by making it impossible for Bob to know with certainty the feedback he is getting from Alice (and vice versa) until after he reveals his feedback score. Of course, if Bob strongly suspects that Alice has given him negative feedback, then he may refuse to give Alice any feedback, so as to avoid getting her feedback. So this simple reputation escrow approach has the drawback that it allows Bob to effectively block feedback that he anticipates will be negative. The simple reputation escrow system returns the feedback process to one in which the players give their honest feedback when they are both motivated to complete the feedback process. But it doesn't stop this feedback blockage that either Alice or Bob could initiate against the other. The next solution we describe addresses this drawback.

3 Sampling from Archived Reputation Scores

Let us now consider a more restrictive reputation escrow system, where we escrow all feedback and never release it in its raw form, ever. That is, let us consider an archived reputation escrow. At first, this might seem to be a wasted effort, which could never yield useful reputation data, but there is a workaround. Since one of the main reasons for having a reputation feedback score is so that we can compute reputation averages for each participant in an online auction, let us consider how we could use an archived reputation escrow to compute a reputation score. Suppose that Alice has just left feedback for Bob, and, like all of his feedback scores, this score is not released.
We nevertheless would like to compute a reputation score, which is the average of his feedback scores (e.g., on a scale of 1 to 5 for degree of satisfaction, 0 to 1 for positive-negative, or $-1$ to 1 for negative-neutral-positive). Let n denote the number of feedback scores that Bob now has and let S denote the sum of these scores. Thus, we are interested in computing $S/n$, Bob's average feedback score. But if we directly release $S/n$ and Bob has been keeping track of how this average score changes each time he receives a new feedback score (and, in particular, Bob knows this average before Alice gives her feedback), then Bob can figure out how Alice rated him. So instead of directly computing $S/n$, we independently sample from Bob's feedback scores $r < n$ times, with each score being equally likely (and allowing for repetitions, since each selection is independent). We then compute the sum, T, of the chosen scores and we release Bob's computed feedback score, $F_B$, as
$$F_B = \frac{T\,n}{r},$$
where the parameter r is determined below in our analysis. (Here $T/r$ is the sampled average and the factor n scales it to Bob's total number of scores, so $F_B$ estimates the sum S; the accuracy analysis below works with the sampled average $T/r$ directly.) So let us study the degree of accuracy and privacy that comes from this sampling approach.

3.1 Accuracy

Let us simplify our analysis by assuming that the scores are either 1, for "positive," or 0, for "negative." This is actually not much of a restriction in practice, since praise inflation in online auctions occurs to such a regular degree that anything but the highest feedback score is considered negative. That is, buyers tend to rate sellers by the percentage of feedbacks that are the highest possible. Let $X_i$ be a random variable that is 1 if the i-th feedback score chosen from Bob's feedbacks is positive, so $X_i = 0$ if this score is negative. So we can write
$$T = \sum_{i=1}^{r} X_i.$$
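As an added worked example (not from the paper), the following Python evaluates the expected error of this estimator exactly with rational arithmetic, searches for the smallest sample size r whose worst-case error (at $p = n/2$, as the analysis in Section 3.1 states) is below a target, and implements the sampling estimator itself. It assumes the binary 0/1 scores of Section 3.1 and independent sampling with replacement; the function names and the constructed archive of scores are the example's own.

```python
"""Added example: exact expected error of the sampled reputation average
of Section 3.1 and the resulting choice of sample size r. Not the paper's
code; function names are this example's own."""
import random
from fractions import Fraction
from math import comb


def expected_error(n, p, r):
    """E[|T/r - p/n|] computed exactly, where T ~ Binomial(r, p/n) is the
    number of positives among r draws with replacement from n archived
    scores of which p are positive."""
    q = Fraction(p, n)
    total = Fraction(0)
    for i in range(r + 1):
        pr_t_is_i = comb(r, i) * q ** i * (1 - q) ** (r - i)
        total += abs(Fraction(i, r) - q) * pr_t_is_i
    return total


def worst_case_error(r):
    """The error is largest at p/n = 1/2 and then depends only on r."""
    return expected_error(2, 1, r)


def samples_needed(max_error):
    """Smallest r whose worst-case expected error is below max_error.
    Because the worst case does not depend on n, this r is a constant
    that can be fixed once for the whole reputation system."""
    r = 1
    while worst_case_error(r) >= max_error:
        r += 1
    return r


def sampled_average(scores, r, seed=None):
    """The randomised estimator: r independent draws with replacement from
    the archived scores, returning T/r (multiply by n to obtain the F_B of
    the text). A fixed seed makes a run reproducible for testing only."""
    rng = random.Random(seed)
    t = sum(rng.choice(scores) for _ in range(r))
    return Fraction(t, r)


if __name__ == "__main__":
    for target in (Fraction(1, 10), Fraction(1, 20)):
        r = samples_needed(target)
        print(f"error < {float(target):.0%} needs r = {r} "
              f"(worst-case error {float(worst_case_error(r)):.4f})")
    # constructed archive for one agent: 90 positive and 10 negative scores
    archive = [1] * 90 + [0] * 10
    print("one published estimate of p/n = 0.9:",
          float(sampled_average(archive, 16, seed=2024)))
```

Running the search reproduces the constants the text reports: the worst-case error first drops below 10% at r = 16 and below 5% at r = 64, independently of n.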
To analyze the accuracy of this random sampling method, let us consider the expected error that occurs from this approach,
$$E\left[\,\left|\frac{T}{r} - \frac{p}{n}\right|\,\right],$$
where p is the number of positive feedbacks that Bob has. For relatively small values of n and r, we can compute this expected value directly as
$$\sum_{i=0}^{r} \left|\frac{i}{r} - \frac{p}{n}\right| \Pr(T = i),$$
which is the same as
$$\sum_{i=0}^{r} \left|\frac{i}{r} - \frac{p}{n}\right| \binom{r}{i} \left(\frac{p}{n}\right)^{i} \left(1 - \frac{p}{n}\right)^{r-i}.$$
The expected error is maximized for $p = n/2$. This implies that the necessary sample size r for achieving an expected error of 5% or 10%, respectively, is constant and independent of the number of feedback scores n. Figure 4 depicts the expected error for sample sizes of 1 to 75. We conclude that 16 samples are sufficient to lower the expected error below 10%, and 64 samples for 5%. Consequently it is sufficient and efficient to sample a (small) fixed number of feedback scores.

Figure 4: Expected error over sample size.

3.2 Privacy

An objective commonly opposing accuracy is privacy, and this remains the case with respect to sampled reputation scores. The question is how well sampling protects a single feedback score. Assume an attacker is observing an agent's average feedback score $F_B$, e.g., after each transaction. We need to determine the probability that, if he observes a lower score, a negative feedback was left. This probability determines the reliability of the observation. We conduct the following experiment. Given n and p we take r random samples and compute $F_B$. Now we introduce two cases: (a) a positive feedback is left; (b) a negative feedback is left. We choose r random samples again and compute $F'_B$. We define a privacy breach as the event that
• in case (a): $F'_B > F_B$;
• in case (b): $F'_B < F_B$.
We conducted this experiment for a range of values, and in most cases the probability of a privacy breach was so low that we did not observe one even for very large sample sizes.
Nevertheless, interesting situations arise in the borderline cases, where privacy breaches are likely. In the remainder of this section, we assume a sampling rate $r/n = 1/2$. As we have seen in Section 3.1, this rate quickly leads to accurate estimations.

The first borderline case is when there is a very low number of feedback scores (as would occur, say, with a buyer or seller just starting out). Clearly new feedback can result in a significant change of the score. For example, if a seller has one positive score and one negative score, then the next feedback will change the score $p/n$ by an absolute value of $1/6$ (from $1/2$ to either $2/3$ or $1/3$). In Figure 5, we depict the results of our experiments for a small number of feedback scores. The probability of a privacy breach for such small numbers of feedback scores is shown. We assume a score $p/n = 1/2$, which minimizes accuracy. The probability is depicted on a logarithmic scale, and from the graph we conclude an exponential decrease. Even for two feedbacks we measured only a privacy breach probability of less than 17%. For four feedbacks this probability is already less than 4%. Thus, one way to mitigate the risk of a privacy breach in this case is to simply delay the release of an agent's average feedback score until he or she has reached some reasonable threshold of, say, 5 or 10 scores.

The second borderline case is when an agent has a high number of positive feedback scores. Clearly, negative feedback is easier to spot in a sea of positive feedback. Assuming one has a set of nearly uniformly positive feedback scores, then another positive feedback will maintain the high average or slightly increase it, and a negative feedback will lower the average score if it is sampled. Therefore, when the previous scores are uniformly positive, the probability of a privacy breach is the probability that the new negative score is drawn at least once among the r samples: exactly the sampling rate $r/n$ if the samples are drawn without replacement, and $1 - (1 - 1/n)^r$, slightly less than $r/n$, for the independent sampling with replacement described in Section 3 (with n counting the newly archived score).
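The breach event defined in Section 3.2 can be computed exactly rather than by simulation. The following Python is an added example (not the paper's experiment code, and not a reproduction of Figures 5 and 6, which come from the paper's own runs): it enumerates the distribution of the sampled positives before and after a new rating, for both sampling with replacement (the paper's independent draws) and without, and returns the exact probability that a fresh sample after the new rating moves the published average in the revealing direction. Scores are compared as sampled averages $T/r$, and the function names are the example's own.

```python
"""Added example: exact probability of the Section 3.2 privacy-breach
event for a sampled reputation average. Not the paper's code."""
from fractions import Fraction
from math import comb


def sample_count_distribution(n, p, r, with_replacement=True):
    """Exact law of T = number of positives among r draws from n archived
    scores of which p are positive: Binomial(r, p/n) with replacement (the
    paper's independent sampling), hypergeometric without."""
    if not with_replacement:
        assert r <= n, "cannot draw more distinct scores than exist"
    dist = {}
    for t in range(r + 1):
        if with_replacement:
            pr = comb(r, t) * Fraction(p, n) ** t * Fraction(n - p, n) ** (r - t)
        else:
            pr = Fraction(comb(p, t) * comb(n - p, r - t), comb(n, r))
        dist[t] = pr
    return dist


def breach_probability(n, p, r, new_is_negative, with_replacement=True):
    """Probability of the breach event: F_B = T/r from a fresh sample of
    the n existing scores, F'_B = T'/r from an independent fresh sample
    after the new score is archived (n+1 scores), and the observer sees
    F'_B < F_B after a negative (case b) or F'_B > F_B after a positive
    (case a). Both samples are independent, as in the text's experiment."""
    before = sample_count_distribution(n, p, r, with_replacement)
    after = sample_count_distribution(n + 1, p if new_is_negative else p + 1,
                                      r, with_replacement)
    total = Fraction(0)
    for t, pr_t in before.items():
        for t2, pr_t2 in after.items():
            revealing = (t2 < t) if new_is_negative else (t2 > t)
            if revealing:
                total += pr_t * pr_t2
    return total


def sea_of_positives(n, r, with_replacement=True):
    """Closed form for the borderline case of the text: all n archived
    scores are positive and a single negative arrives. It is revealed
    exactly when it is drawn at least once among the r samples."""
    if with_replacement:
        return 1 - Fraction(n, n + 1) ** r
    return Fraction(r, n + 1)


if __name__ == "__main__":
    n, r = 100, 50                     # sampling rate r/n = 1/2 as in the text
    for rep in (True, False):
        exact = breach_probability(n, n, r, True, rep)
        print(f"all positive, with_replacement={rep}: {float(exact):.4f} "
              f"(closed form {float(sea_of_positives(n, r, rep)):.4f})")
    print("positive added to all-positive:",
          float(breach_probability(n, n, r, False)))
    print("99 of 100 positive, negative added:",
          float(breach_probability(n, 99, r, True)))
```

For the all-positive archive the enumeration agrees with the closed form: with n = 100 and r = 50 the breach probability is 50/101 without replacement and $1 - (100/101)^{50} \approx 0.39$ with the independent draws of Section 3, and a newly added positive can never be detected, since the sampled average is already 1.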
In Figure 6, we show the results of our experiments for the probability of a privacy breach for high feedback scores. We assume n = 100 feedback ratings have been left. The probability is depicted on a logarithmic scale for p = 95 to p = 100 positive ratings among this set of scores. From the graph, we conclude an exponential decrease of the probability of a privacy breach with decreasing positive ratings. Nevertheless, for 99% positive ratings, the privacy breach probability is already lower than 12%. Again, as with the borderline case of too few scores, a possible countermeasure in the case of many positive scores is to wait until a minimum number of additional ratings has been received before publishing a score. This waiting period does not have to be large, since we have seen that already a second negative feedback rating is hard to detect. We therefore only have to wait until it is likely that one negative feedback has been left.

Figure 5: Probability of privacy breach for a small number of feedback scores.

We stress that these experiments rely on a single sample for each feedback score. If the feedback score is computed multiple times with different sampling sets, but identical feedback ratings, the probability of a privacy breach increases. In practice this means the sample for a given state of an agent's archive should be drawn once and reused for every query of that state, rather than re-drawn on each query. This risk can be reduced further, however, by using a sampling rate that is not too close to 1, so that it would be difficult for an adversary to know when the scores from various agents are included.

4 Untrusted Reputation Provider

So far we have considered methods for protecting the rater and ratee in an online auction, but the service provider aggregating the reputation scores was assumed to be fully trustworthy. Ideally, the rater and ratee should not have to fully trust the reputation provider. For instance, in [12], a scheme has been presented for distributing trust over two reputation providers $SP_1$ and $SP_2$.
The advantage of this scheme is that the first reputation provider, $SP_1$, only learns the ratings and the ratee, whereas the second reputation provider only learns the rater (in addition to the reputation score). This distribution ensures privacy of the rating against a single service provider. Furthermore, using verification algorithms, rater and ratee can ensure that all, but only valid, ratings have been aggregated into the reputation score, i.e., it is not possible for the service provider to invent or suppress ratings.

Figure 6: Probability of privacy breach for high feedback score.

In the scheme from Kerschbaum [12], each transaction has a unique identifier $g^r$ and rating $z$. The first service provider publishes a public key and we denote with $E()$ the encryption using this public key.⁴ The scheme consists of the following protocols and algorithms:

• Alice (ratee) and Bob (rater): $A \leftrightarrow B$: TokenIssue() → Alice: $r$, Bob: $g^r$, …⁵
• Bob and $SP_2$: $B \leftrightarrow SP_2$: RatingSubmission() → $SP_2$: $g^r, E(z), \ldots$
• $SP_2$: PublishRatings() → $g^r, E(z), \ldots$
• Alice or Bob: VerifyRatings() → $\top \vee \bot$
• $SP_1$: PublishReputation() → $s = f(z, \ldots), \ldots$
• Alice (ratee): VerifyReputation() → $\top \vee \bot$

⁴ We omit the identity as a subscript, since there is only one public key in the system.
⁵ We omit the details for achieving security against false ratings or false aggregation.

The scheme consists of two basic mechanisms for security. For integrity, it relies on the bilinear decisional Diffie-Hellman assumption and the idea that intermediate results are hard to compute, but can be used to solve an instance of the problem. We refer the reader to [12] for details. For confidentiality, it relies on encryption. A rating $z$ is encrypted using the public key of the first reputation provider $SP_1$, such that only he will learn the rating, but he will not learn who it is from.
Homomorphic encryption is used in order to compute the reputation score on encrypted ratings. For instance, Paillier encryption [16] is an instance of homomorphic encryption that is public-key and semantically secure. Semantic security in this case means that a ciphertext is indistinguishable from any other ciphertext due to randomization. We can make this randomization explicit in our notation. A plaintext $x$ with randomization $r$ is denoted by $E(x, r)$.⁶ The randomization carries through the homomorphic property, i.e.,

$$E(x_1, r_1) \cdot E(x_2, r_2) = E(x_1 + x_2,\; r_1 r_2)$$

$$E(x_1, r_1)^{x_2} = E(x_1 x_2,\; r_1^{x_2})$$

4.1 Escrow

The scheme in [12] was designed for the unilateral scheme and therefore obviously does not apply to a scheme with feedback escrow. Before extending this scheme to handle escrow, we need to make it bilateral. Therefore, for each transaction let there now be two TokenIssue() protocols: one where Alice is the ratee and obtains $r_A$ and Bob is the rater and obtains $g^{r_A}$, and another one with the roles reversed and the identifiers $r_B$ and $g^{r_B}$.

The basic idea for implementing escrow is that $SP_2$ now only publishes ratings for transactions where both parties have submitted ratings. Note that $SP_1$ cannot implement escrow, since it implies learning both parties, ratee and rater, of the transaction. Instead, $SP_2$ implements escrow, learning both parties of the transaction, but not the rating $z$. The rater submits, next to $g^{r_A}$, also $g^{r_A r_B}$ to $SP_2$ in the protocol RatingSubmission(), which is a common value to both instances belonging to the same transaction. The reputation provider $SP_2$ only publishes ratings for which both ratings with $g^{r_A r_B}$ have been received. Alice and Bob can prevent $SP_2$ from suppressing ratings by signaling their submissions to each other.
4.2 Sampling

In order to extend this scheme further to handle sampling, we let the second reputation provider $SP_2$ select the subset of ratings. Two questions immediately arise: first, how can we ensure that he chooses the selection fairly (i.e., non-adaptive to the rating) and, second, how can we still verify the aggregation. The idea for solving the first issue is that the reputation provider chooses the samples first and binds himself to them using a commitment. The idea for the second is to extend the zero-knowledge proof for aggregation by sampling.

Let us start with the simplest zero-knowledge proof that $E(x, r)$ is an encryption of $x$. The verifier (encryptor) reveals $r$ and the prover encrypts $x$ with $r$ and verifies that the ciphertexts match.

⁶ We omit the randomization if it is irrelevant for the exposition.

This basic idea has been used to verify that the reputation score $s$ has been correctly aggregated. The ciphertext of the reputation score $E(s, r)$ can be computed as the product of the ciphertexts of the ratings. Then the reputation provider $SP_2$ publishes $s$ and the corresponding $r$, and the ratee verifies that this corresponds to the product of the ciphertexts.

Of course, when introducing sampling, this sampling needs to be considered in the aggregation. A sampling is nothing else than a product with a bit $b \in \{0, 1\}$, however. If the bit $b$ is one, the rating is selected; if the bit is zero, it is not. So we now let the second reputation provider $SP_2$ select this bit and, instead of publishing the rating $E(z)$, he publishes $E(bz)$. The zero-knowledge proof of the first reputation provider $SP_1$ then remains unchanged. Furthermore, $SP_2$ can even prove that it adhered to the sampling rate by revealing the sum and randomness of the ciphertext of the sum of the sampling bits in the same way.
The remaining problems are for $SP_2$ to commit to $b$ and prove in zero-knowledge that $E_{SP_1}(bz)$ has a plaintext of the product of the committed bit and the rating. As a commitment we let $SP_2$ publish $c = E_{SP_1}(b, r)$. In [6], there is a zero-knowledge proof (ZKP) that $c$ is a ciphertext for one-out-of-two plaintexts (which are 0 and 1 in our case). $SP_2$ publishes such a ZKP along with $c$ and keeps $b$ and $r$ for his private records. In order to make each ZKP non-interactive, the first reputation provider $SP_1$, which is not involved in any such ZKP, publishes a common random string. We can then use the techniques from [3] in order to make all proofs non-interactive.

In [6], another ZKP is given for proving, for $E(\alpha, r_\alpha)$, $E(\beta, r_\beta)$, $E(\gamma, r_\gamma)$, that $\gamma = \alpha\beta$. We can use this proof for our scheme, since if $SP_2$ also publishes $E_{SP_1}(z)$ and proves that $E_{SP_1}(bz)$ is indeed a ciphertext of the product, then the privacy of the rating against $SP_2$ is still maintained, but Alice and Bob can still verify the ratings using VerifyRating(). We briefly review the ZKP from [6].

Public Input: $e_\alpha = E(\alpha, r_\alpha)$, $e_\beta = E(\beta, r_\beta)$, $e_\gamma = E(\gamma, r_\gamma)$
Private Input of the Prover: $\alpha, r_\alpha, \beta, r_\beta, \gamma, r_\gamma$

The prover chooses random values $d$, $r_d$, $r_{d\beta}$ and publishes $e_d = E(d, r_d)$ and $e_{d\beta} = E(d\beta, r_{d\beta})$. The prover retrieves $u$ from the common random string and publishes $v = u\alpha + d$ and $r_1 = r_\alpha^u r_d$. Finally, the prover publishes $r_2 = r_\beta^v (r_{d\beta} r_\gamma^u)^{-1}$. The verifier also retrieves $u$ from the common random string and verifies that $e_\alpha^u e_d = E(v, r_1)$ and $e_\beta^v (e_{d\beta} e_\gamma^u)^{-1} = E(0, r_2)$. In summary, the ZKP consists of:

• $E(d, r_d)$
• $E(d\beta, r_{d\beta})$
• $v = u\alpha + d$, $r_1 = r_\alpha^u r_d$
• $r_2 = r_\beta^v (r_{d\beta} r_\gamma^u)^{-1}$

Lemma 1: The ZKP is complete and honest-verifier zero-knowledge.

There are two differences in our scheme to the setup of [6].
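Before turning to those two differences, the following is an added example (not code from the paper, from [6] or from [12]) that puts the three building blocks above into running Python: Paillier encryption with the randomization written explicitly as $E(x, r)$ and both homomorphic identities checked; the sampled aggregation of Section 4.2, where $SP_2$ publishes $E(bz)$ and the key holder reveals $(s, r)$ so that anyone can re-encrypt and compare, with the same reveal on the product of the bit commitments proving the sampling rate; and the single-prover multiplication ZKP from [6] exactly as reviewed above (the two-party variant with Damgård-Jurik encryption is not implemented here). Assumptions not in the paper: the two fixed toy primes (far too small for real use), the function names, and that $SP_1$ obtains the randomness of the aggregate from its secret key, which Paillier permits but the paper does not spell out.

```python
"""Added example (not the paper's code): Paillier with explicit randomness, the
sampled-aggregation reveal check of Section 4.2, and the single-prover
multiplication ZKP reviewed from [6]. Toy key sizes only."""
import math
import secrets

# Constructed toy key: two fixed primes keep the example deterministic and fast.
# A real deployment generates primes of 1024+ bits at random.
P, Q = 1_000_000_007, 998_244_353
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # lambda = lcm(p-1, q-1)
MU = pow(LAM, -1, N)                                # with g = 1+n, mu = lambda^-1 mod n


def rand_unit():
    """Random element of Z_n^*, used as Paillier randomness r."""
    while True:
        r = secrets.randbelow(N)
        if r and math.gcd(r, N) == 1:
            return r


def enc(x, r):
    """E(x, r) = (1+n)^x * r^n mod n^2; the randomness r is an explicit argument."""
    return pow(1 + N, x % N, N2) * pow(r, N, N2) % N2


def dec(c):
    """Secret-key decryption: L(c^lambda mod n^2) * mu mod n, with L(y) = (y-1)/n."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def recover_randomness(c, x):
    """Paillier lets the key holder recover r from c = E(x, r) as
    (c * g^-x)^(n^-1 mod lambda) mod n. Assumed here as the way SP1 obtains r."""
    return pow(c * pow(1 + N, -x % N, N2) % N2, pow(N, -1, LAM), N2) % N


def homomorphic_demo():
    """The two identities from the text: E(x1,r1)E(x2,r2) = E(x1+x2, r1 r2)
    and E(x1,r1)^x2 = E(x1 x2, r1^x2)."""
    x1, r1, x2, r2 = 5, rand_unit(), 7, rand_unit()
    add_ok = enc(x1, r1) * enc(x2, r2) % N2 == enc(x1 + x2, r1 * r2 % N)
    mul_ok = pow(enc(x1, r1), x2, N2) == enc(x1 * x2, pow(r1, x2, N))
    return add_ok and mul_ok


def aggregate_with_sampling(ratings, bits):
    """Section 4.2 flow: SP2 folds its sampling bit b into each submitted
    E(z, r_z) as E(z)^b * E(0, r_b) = E(bz); SP1 decrypts the product and
    publishes (s, r); anyone checks E(s, r) against the product. The same
    reveal on the product of the bit commitments E(b) proves the sampling rate."""
    prod_bz, prod_b = 1, 1
    for z, b in zip(ratings, bits):
        c_z = enc(z, rand_unit())                          # Bob's submission
        c_bz = pow(c_z, b, N2) * enc(0, rand_unit()) % N2  # SP2 publishes E(bz)
        c_b = enc(b, rand_unit())                          # SP2's commitment to b
        prod_bz, prod_b = prod_bz * c_bz % N2, prod_b * c_b % N2
    s = dec(prod_bz)                      # SP1: aggregate over sampled ratings
    k = dec(prod_b)                       # SP1: number of sampled ratings
    r_s, r_k = recover_randomness(prod_bz, s), recover_randomness(prod_b, k)
    verified = enc(s, r_s) == prod_bz and enc(k, r_k) == prod_b
    return s, k, verified


def zkp_product_prove(alpha, r_a, beta, r_b, gamma, r_g, u):
    """Prover of the [6] ZKP that E(gamma) encrypts alpha*beta; u is taken
    from the common random string published by SP1."""
    d, r_d, r_db = secrets.randbelow(N), rand_unit(), rand_unit()
    e_d, e_db = enc(d, r_d), enc(d * beta, r_db)
    v = (u * alpha + d) % N
    r1 = pow(r_a, u, N) * r_d % N
    r2 = pow(r_b, v, N) * pow(r_db * pow(r_g, u, N) % N, -1, N) % N
    return e_d, e_db, v, r1, r2


def zkp_product_verify(e_a, e_b, e_g, proof, u):
    """Verifier: e_a^u e_d = E(v, r1) and e_b^v (e_db e_g^u)^-1 = E(0, r2)."""
    e_d, e_db, v, r1, r2 = proof
    lhs2 = pow(e_b, v, N2) * pow(e_db * pow(e_g, u, N2) % N2, -1, N2) % N2
    return pow(e_a, u, N2) * e_d % N2 == enc(v, r1) and lhs2 == enc(0, r2)


def zkp_demo(alpha, beta, claimed_gamma):
    """Run prover and verifier; returns False when claimed_gamma != alpha*beta."""
    r_a, r_b, r_g, u = rand_unit(), rand_unit(), rand_unit(), rand_unit()
    e_a, e_b, e_g = enc(alpha, r_a), enc(beta, r_b), enc(claimed_gamma, r_g)
    proof = zkp_product_prove(alpha, r_a, beta, r_b, claimed_gamma, r_g, u)
    return zkp_product_verify(e_a, e_b, e_g, proof, u)
```

The second verifier check is where the binding to $\gamma = \alpha\beta$ happens: its plaintext is $(u\alpha + d)\beta - d\beta - u\gamma = u(\alpha\beta - \gamma)$, which is zero only for the correct product, so `zkp_demo(6, 7, 43)` is rejected while `zkp_demo(6, 7, 42)` passes. Note that the reveal-and-re-encrypt check in `aggregate_with_sampling` proves the published sum matches the published ciphertexts but says nothing about who chose which bit; that is precisely the gap the commitment to $b$ and the product ZKP close.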
First, the two ciphertexts for the factors $a$ and $b$ are distributed over two parties: Bob and $SP_2$. The reputation service provider $SP_2$ holds the sampling bit $b$ and the rater Bob the rating $z$. Second, neither of those two parties has the secret key for the encryption scheme, but that is with the first service provider $SP_1$. Fortunately, the ZKP can be computed without knowledge of the secret key, as long as the randomness for the ciphertexts is known, but that is, of course, distributed over the two parties, again.

The basic idea is to perform a secure computation for the zero-knowledge proof, i.e., $SP_2$ and Bob jointly engage in a computation of the result of the ZKP without either learning the other party's input. We can make use of the following observation: plaintext and randomization computations in Paillier's encryption system are in similar groups. Plaintext computations are in $\mathbb{Z}_n$ and randomization computations are in $\mathbb{Z}^*_{n^2}$. Both share the modulus $n$ of secret factorization. Fortunately, there exists a corresponding encryption scheme by Damgård and Jurik [6] operating with plaintexts in $\mathbb{Z}_{n^2}$ for each Paillier encryption scheme [16] operating with plaintexts in $\mathbb{Z}_n$. The other homomorphic properties are preserved and even the private and public keys are identical. We denote by $E'(x, r)$ the encryption of plaintext $x \in \mathbb{Z}_{n^2}$ with randomization $r \in \mathbb{Z}^*_{n^3}$ in Damgård and Jurik's encryption scheme.

In the SubmitRating() protocol, Bob then not only sends $E(z, r_z)$ (his encrypted rating), but also chooses $d$, $r_d$, and $r'$. Bob publishes $E(d, r_d)$ and $v = uz + d$ and chooses $r_1 = r_z^u r_d$, i.e., we set $z = \alpha$ and $b = \beta$ in the previous proof. The random numbers $r_{d\beta}$ and $r_\gamma$ in the previous proof are (secretly) shared between Bob and $SP_2$. Bob also submits the ciphertext $E'(r_z^u r_d, r')$.
Once the second reputation provider $SP_2$ has received Bob's submission, he chooses $r_{zb}$ and publishes the multiplication of the sampling bit $b$ and the rating $z$:

$$E(zb, r'_{zb}) = E(z, r_z)^b \cdot E(0, r_{zb}) \qquad (r'_{zb} = r_z^b \, r_{zb}).$$

Then he chooses $r_{db}$ and publishes

$$E(db, r'_{db}) = E(d, r_d)^b \cdot E(0, r_{db}) \qquad (r'_{db} = r_d^b \, r_{db}).$$

If the sampling bit $b = 1$, then $SP_2$ computes

$$E'(r_2^{-1}, r'') = E'(r_z^u r_d, r')^{\,(r_b^v)^{-1} r_{db} r_{zb}^u}.$$

If the sampling bit $b = 0$, then $SP_2$ computes

$$E'(r_2^{-1}, r'') = E'\big((r_b^v)^{-1} r_{db} r_{zb}^u,\; r''\big).$$

Note that this only works because of the small domain of the sampling, since we can avoid exponentiation of encrypted values. The first reputation provider $SP_1$ decrypts and publishes (the inverse) $r_2$. During VerifyRating(), Alice and Bob can now verify that $E(zb, r'_{zb})$ is indeed an encryption of the product of $E(b, r_b)$ and $E(z, r_z)$. They only need to verify that

$$E(z, r_z)^u \, E(d, r_d) = E(v, r_1)$$

and that

$$E(b, r_b)^v \big(E(db, r'_{db}) \, E(zb, r'_{zb})^u\big)^{-1} = E(0, r_2).$$

Note that the first reputation provider $SP_1$ still does not learn the rater and the second reputation provider $SP_2$ still does not learn the rating. The sampling bit is known to both reputation providers, but remains entirely secret from the rater and ratee. The first service provider learns the sampling bit from the ciphertext, but he would learn it with some error from the rating anyway.

Lemma 2: The protocol above is secure in the semi-honest model, i.e., neither Bob nor the second reputation provider $SP_2$ learn anything that cannot be derived from their input and output.

Proof: We give standard simulators for the views of the parties following the seminal work of [10]. First, the reputation provider's view can be simulated by ciphertexts and two random numbers for $v$ and $r_1$.
Both $v$ and $r_1$ are perfect secret shares where one share is only known to Bob ($d$ and $r_d$). Note that ciphertexts are under the private key of $SP_1$ and therefore cannot be decrypted by either party. Bob's view can be simulated by ciphertexts and one random number for $r_2$. Also $r_2$ is a perfect secret share due to $r_{zb}$.

Our scheme does not require security against malicious attackers. Instead, following the proposal from [12], we can implement a detection procedure based on signed messages. In the case of a dispute, all parties could then open their messages and the culprit would be identified.

5 Conclusion

In this paper, we have studied the problem of reputation feedback extortion and how it can be mitigated. We advocated the use of feedback escrow to increase the likelihood of the various parties giving honest feedback, random sampling to decrease the ability of either party tying a specific feedback score to a specific individual, and zero-knowledge proofs as a means to reduce the need for a trusted reputation provider.

Some directions for future work include an extension of differential privacy techniques to reputation scores for online auctions when the number of auction interactions is unbounded or not known in advance.

Acknowledgments

This research was supported in part by the National Science Foundation under grants 0724806, 0847968, 0953071, 1011840.

References

[1] E. Androulaki, S. Choi, S. Bellovin, and T. Malkin. Reputation systems for anonymous networks. In Proceedings of the 8th International Symposium on Privacy Enhancing Technologies, pages 202–218, 2008.
[2] M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for non-cryptographic fault tolerant distributed computation. In Proceedings of the 20th ACM Symposium on Theory of Computing, pages 1–10, 1988.
[3] M. Blum, P. Feldman, and S. Micali. Non-interactive zero-knowledge and its applications. In Proceedings of the 20th ACM Symposium on Theory of Computing, pages 103–112, 1988.
[4] C. Camerer and K. Weigelt. Experimental tests of a sequential equilibrium reputation model. Econometrica, 56(1):1–36, 1988.
[5] J. Canny. Collaborative filtering with privacy. In Proceedings of the IEEE Symposium on Security and Privacy, pages 45–57, 2002.
[6] I. Damgård and M. Jurik. A generalisation, a simplification and some applications of Paillier's probabilistic public-key system. In Proceedings of the International Conference on Theory and Practice of Public-Key Cryptography, pages 119–136, 2001.
[7] I. Dinur and K. Nissim. Revealing information while preserving privacy. In PODS '03: Proceedings of the Twenty-Second ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems, pages 202–210, New York, NY, USA, 2003. ACM.
[8] Y. Duan. Privacy without noise. In Proc. of the 18th ACM Conf. on Information and Knowledge Management, pages 1517–1520, 2009.
[9] C. Dwork. Differential privacy: a survey of results. In Proc. of the 5th Int. Conf. on Theory and Applications of Models of Computation (TAMC), pages 1–19. Springer, 2008.
[10] O. Goldreich. Secure multi-party computation. Available at www.wisdom.weizmann.ac.il/~oded/pp.html, 2002.
[11] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game. In Proceedings of the 19th Symposium on the Theory of Computing, pages 218–229, 1987.
[12] F. Kerschbaum. A verifiable, centralized, coercion-free reputation system. In Proceedings of the ACM Workshop on Privacy in the Electronic Society, pages 61–70, 2009.
[13] C. Li, M. Hay, V. Rastogi, G. Miklau, and A. McGregor. Optimizing linear counting queries under differential privacy. In Proc. of the 29th ACM Symp. on Principles of Database Systems (PODS), pages 123–134, 2010.
[14] N. Miller, P. Resnick, and R. Zeckhauser. Eliciting informative feedback: The peer prediction method. Management Science, 51(9):1359–1373, 2005.
[15] V. Naessens, L. Demuynck, and B. De Decker. A fair anonymous submission and review system. In Proceedings of the 10th IFIP International Conference on Communications and Multimedia Security, pages 43–53, 2006.
[16] P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Advances in Cryptology – EUROCRYPT, pages 223–238, 1999.
[17] E. Pavlov, J. Rosenschein, and Z. Topol. Supporting privacy in decentralized additive reputation systems. In Proceedings of the 2nd International Conference on Trust Management, pages 108–119, 2004.
[18] F. Pingel and S. Steinbrecher. Multilateral secure cross-community reputation systems for internet communities. In Proceedings of the 5th International Conference on Trust, Privacy and Security in Digital Business, pages 69–78, 2008.
[19] P. Resnick and R. Zeckhauser. Trust among strangers in internet transactions: Empirical analysis of eBay's reputation system. Advances in Applied Microeconomics, 11:127–157, 2002.
[20] J. Traupman and R. Wilensky. Robust reputations for peer-to-peer marketplaces. In Proceedings of the 4th International Conference on Trust Management, pages 382–396, 2006.
[21] A. Yao. How to generate and exchange secrets. In Proceedings of the 27th IEEE Symposium on Foundations of Computer Science, pages 162–167, 1986.