Decentralized Privacy Preserving Reputation System
5 authors, including:
Isaac Obiri
University of Electronic Science and Technology of China
All content following this page was uploaded by Isaac Obiri on 12 April 2021.
Authorized licensed use limited to: University of Electronic Science and Tech of China. Downloaded on April 12,2021 at 20:12:10 UTC from IEEE Xplore. Restrictions apply.
watershed, and Sybil attacks, and the continual pseudonym updates may also result in communication overheads. Bethencourt [15] proposed cryptographic signatures of reputation; this supports a monotonic reputation system anonymously but cannot be depended on by other reputation systems, because it is built from scratch.

Additional schemes have also tried to solve the privacy preserving challenges. Pavlov [16] proposed a three-protocol system; the scheme can only resist a collusion attack of $n - 1$ users ($n$ being the number of feedback providers) with limited provability. Hasan et al. [17] provided another privacy preserving protocol where each user splits his private feedback into $k$ shares ($k < n - 1$) and then selects $k$ trusted agents before sending one share to each chosen agent. At the initial stage, the querying agent sends the trusted agents the full list of contributing parties. Trusted agents choose up to $k$ agents from the contributors list. The likelihood that all the chosen contributors collude to break the trusted agent's privacy is very low. Dolev et al. [18] presented two main decentralized mechanisms where the number of messages exchanged is proportional to the number $n$ of participants (the length of each message is $O(n)$). The first protocol presumes that the querying entity is not compromised. The second protocol presumes that any entity can behave maliciously. Other than that, the proposed mechanisms depend on homomorphic encryption, which is very tedious and expensive to implement. Dolev's protocols run redundant and inefficient computations. Dimitriou [19] proposed an efficient multiuser computation approach in a decentralized privacy preserving manner. The scheme proves to be secure against colluding querying nodes and at most $k < (n - 1)$ of the feedback providers, but their implementation results show a wide communication delay of the protocol.

The mechanism most related to our proposed system is Kerschbaum [20]; it is designed particularly for the e-commerce reputation system. Nevertheless, it is a centralized system, and consequently can possibly be misused by the central authority. Hasan [21] proposed a mechanism related to [20]; the protocol addressed the privacy problems, but is not reliable.

With these deliberations in mind, we would like to construct a reliable privacy preserving reputation system, i.e. a system that ensures that users do not need to rely on other participants that may interrupt the protocol and their privacy. Our proposed mechanism is ideal for e-commerce applications.

One way to achieve decentralization is by use of distributed hash tables to store the evaluations submitted by the customers. We shall achieve this by use of blockchain technology. The blockchain, which is the data structure behind Bitcoin [22], has become widespread and to date has been used in different types of applications. Pilkington [23] describes the blockchain technology as a public distributed database whose secure state all the parties agree on. The blockchain is the distributed database in the Bitcoin mechanism, i.e. it stores the ledgers of the coins and all the transactions among the parties.

Hidden reputation system applications are normal in the blockchain technology; some efforts to construct these systems have been made by Carboni [24], but none has been successful. We shall build on these technologies to realise the objectives of our own reputation system. This will allow us to construct a decentralized reputation system that does not need participants to rely on other entities. The integrity of the review history can also be authenticated by any party in the system.

Our main problem is the delicate parts of the system that require heavy processing on the private data. Since the blockchain technology is said not to handle privacy because of its public nature [22], we propose a secure multiparty computation that processes and executes data queries in a decentralized manner without any trusted third party. It works in such a way that information is split among different entities, and they compute and process queries collectively without leaking information to other parties. Therefore no single party has full access to the information as a whole at any given time. Each party has a hollow (actually random) piece of the information.

In this paper, our aim is to design a reliable, decentralized and privacy preserving reputation system that is appropriate for e-commerce applications. Our system is centred on blockchain technology. It will not only reduce the transaction processing overhead, but it will also allow customers to share and submit their rating reviews in a privacy preserving manner.

Fig. 1. Example of a blockchain (Bitcoin)

Our contributions include:
(1) We present a scheme that preserves the privacy of a customer's review in a decentralized environment under the semi-honest adversarial model. Our scheme allows $n$ participants to securely vote and share their ratings in such a way that the individual privacy is preserved against both internal and external attacks.
(2) We design a decentralized reputation system based on blockchain technology. It allows customers to submit their review on the services provided. Our system experiences very low transaction overheads because of the use of the blockchain technology.
(3) We have analyzed the protocol and can prove that our system is resilient to collusion against up to $n - 1$ corrupt users. The analysis allows us to create protocols and equally develop a secure system that is built on standard cryptographic techniques.

Organization: In Section III we describe privacy problems; in Section IV we give the design and overview of our system in the proposed solution. In Section V we present the protocol
specifications, whereas the security analysis and the complexity of the protocols are discussed in Section VI. The conclusion and future work are discussed in Section VII.

III. THE PRIVACY PROBLEM

We have discussed the privacy problems throughout the paper. Reputation systems have become one of the most omnipresent means of obtaining trust in users online (examples include the eBay.com and Amazon.com reputation systems, among others). According to Hoffman et al. [27], reputation is described as an opinion of the public towards a person, a group of people, or an organization or an institution. In the context of collective applications such as peer-to-peer systems, reputation characterizes the opinion that nodes in the system have about their peers. In our view, reputation allows parties to build trust to a degree in which one has confidence in another entity within the context of a given purpose of decision. Reputation based systems help participants decide who to trust. They encourage trustworthy behaviour and also deter dishonest participation by providing a means through which reputation and ultimately trust can be quantified and disseminated.

IV. PROPOSED SOLUTION

In this work, we present a model that is very closely related to the e-commerce environment. Our system allows reputation computation for the service provider while preserving the privacy of the customers (raters) and ensuring the integrity of the raters' votes. Before any transaction, a customer will query the service provider's reputation using a get reputation protocol. The protocol will allow a set of customers to secretly share and compute their review. Once the querying customer gets the reputation of the service provider, he decides whether to engage in a transaction. This is one of the core features of this system. It ensures that the customers have a chance to read the reputation of the service provider and only do transactions with the approved ones. The service provider can learn the output review without ever knowing who the rating customers are. No other parties in the system can learn the rating customers' votes because all computations are done in secure computation protocols.

We have three entities for this system and each entity has multiple roles in practice. Firstly, customers are those that secretly share their review vote (rating) against the service provider, while a customer is the one that queries for the service provider's reputation; if happy, he can choose to proceed with the transaction by requesting a token from the service provider. A token acts as evidence that a transaction really occurred between the customer and the service provider. A customer can later rate the service provider depending on his satisfaction after the transaction. Lastly, parties are all the active nodes in the network (customers and service providers). Theoretically, these are the users and the nodes that build up the system.

The most significant way in e-commerce is the rating of the service provider and therefore, in our system, we only consider ratings of the customers to the service provider. For the success of the transaction, we use blind signature because the service provider will require some credentials from the customer, e.g. credit card number and address. The blockchain is part of our reputation system; it has special functions in the system as discussed later in the paper.

A. System Participants

$S$: A set of service providers.
$C$: A set of customers.
$P$: A set of all the participating nodes in the network, $P := S \cup C$.
$B$: Blockchain. A block is defined as a set of procedures that are collected or gathered for maintenance reasons (most effective way for storage). Thus, the blockchain is seen as a database whose original state is the state to which all the following sets of block operations are confined and applied. We denote $B[0]$ as the initial block and $B[n]$ as the block in the chain. All the operations contained in blocks $B[0]$ and $B[n]$ are applied at the original state of the blockchain. In our system, it is compulsory for the parties to hold coins in order to perform transactions and to be given a reputation. Its significance is to prevent spam and other attacks (whitewash, bad-mouth, ballot-stuffing).
$A$: This is the set of all the addresses for the participating nodes in the network. The addresses will be used to identify the service providers and also to order transactions. Service providers will have a unique address that will specifically be used to hold and spend the coins manufactured in the blockchain. Note: For the reputation to be given, service providers will need to issue reputation tokens for the transactions; these tokens cost coins. For $s \in S$, we denote its address as $A[s]$, and for address $addr$ of the service provider we denote its address as $S[addr]$.

Fig. 2. Parties' interaction with the decentralized system.

Figure 2 shows the parties registering and getting access to the reputation system based on blockchain. A connection is created with the registered parties to form a decentralized reputation system. The customers' review is then secretly shared and securely computed. Every share is encrypted by the respective party's public key. The shared data is securely stored in the blockchain. Note that the commitments of the encrypted shares are dispatched into the blockchain. A customer can then query the parties about the service provider's reputation. When there is a new customer the process is repeated and the blockchain shall prompt a re-share protocol. Subsequently the blockchain chooses new blocks to store the information. This process is repeated after every new
query occurs into the system.

B. System Operations

Actions performed by the customers $c \in C$:

− setup(). This function creates a public key for the customer, and it is required for every action performed by the customer in the system.

− Share_secret($S_i$). $c \in C$ can share their secrets in a secure computation process.

− acquire_reputation($s$). The function allows customer $c \in C$ to query the reputation of a service provider $s \in S$.

− acquire_token($s, y$). This function allows the customer $c \in C$ to request a reputation token from $s \in S$; the token is the proof that transaction $y$ happened between the customer $c \in C$ and $s \in S$. The output of this transaction is a blinded token $\bar{t}_y$.

− unblind_token($\bar{t}_y$). It takes a token that was recovered using the acquire token protocol and outputs the unblinded token $t_y$. The token shows that the transaction really occurred. Note that, given two tokens $t_y$ and $t_{y'}$, $s \in S$ will not be able to distinguish which token belongs to which transaction.

− broadcast_review($s, t_y$). This function allows the customer to publish a review about $s \in S$, using the token $t_y$ unblinded earlier.

The actions performed by the service provider ($s \in S$):

− issue_token($c, y$). This function reacts to the acquire token request of $c \in C$: the customer receives a blinded token $\bar{t}_y$ issued by $s \in S$ if and only if $c \in C$ actually engaged in a transaction $y$ with $s \in S$.

The actions performed by the blockchain. In our system, blockchain technology is required for access control management, transactions and reputation data storage, though most processes function independently.

− broadcast($act$). This is where the customer reviews are displayed; the history is stored in the blockchain for authentication. All parties in the system can view this.

− calculate_balance($s$). The function allows $s \in S$, with the address $addr$, to calculate the coin balance.

− new_block($addr, b$). A new block is broadcast. It consists of, among others, the hash of the previous block, $addr$, reviews and transactions.

Multiparty Computation (MPC). This process allows the customers $c \in C$ to independently share their secrets $s_i$ without revealing their identity. In addition it computes the secret share values and returns the feedback $v_i$ to the querying agent $c \in C$ with the help of the blockchain technology. Secret share means assessing branches for dynamic circles. Our general idea is that secure computation is constructed on these essential concepts as presented throughout this paper. The figure below shows the efficient execution time, while keeping both privacy and authentication

V. SYSTEM NETWORK PROTOCOL

A. Public Key Construction Protocol

Before the transaction takes place, the customer constructs a new public key that is needed for the transaction. The public key will be used only for a single transaction, i.e. the same as the suggestions for Bitcoin addresses. It will be part of the elliptic curve digital signature (ECDSA) key. The outline of the setup phase could look like this:

Algorithm 1. Setup
1: Init. setup access(P)
2: (p, a, b, G, n, h) ← P // The elliptic curve used for ECDSA, for example those of secp256k1
3: privKey ← randint(0, n)
4: pubKey ← privKey * G
return (pubKey, privKey)

B. Permission check against blockchain.

It implements the publicly verifiable contract for satisfying the establishment.

Algorithm 2. Blockchain permission check
1: Init. setup access(P): requesting party's signature, parties' address addr, g establish verifying if P has sufficient access rights
2: Output s ∈ {0, 1}
4: Procedure CheckPermission(P, addr, g)
     s ← 0
     if L{addr} then
       ACL = L[addr]
       if g(ACL, P) then
         s ← 1
       end if
     return s

C. Blockchain Technology

In Bitcoin [22] and other digital coins, the blockchain framework is used to evade double-spending attacks (that is to say, paying out twice or more using the same coin). The similar case in our system would be the double use of the token issued by the service provider. Nonetheless, this would have a minor effect because it can easily be detected through the same chain; even if there are two different ratings in two different chains, it would still not be a problem, because the customer may have had a different opinion about the services provided. Therefore, in our system the customer has no reason to be motivated to re-use the token, while the service provider does. To avoid negative ratings that might be issued against
him. Our system allows the customer to re-broadcast a review about the service provider. In our system, the computation effort is efficiently distributed throughout the system.

The messages comprised in the blockchain include:

Reviews - This holds the address of the correlated service provider, the signature on the token (hashed address), the customer's actual review (rating), the message signature (used during the transaction by using the customer's conforming secret key and public key), and the pointer to the last review block.

Transactions - In the same manner as Bitcoin, the transaction account whose coin balance will decrease must be signed with its correlated private key. During the transaction, one's wallet will increase while the other reduces but with the same number of coins and tokens.

Relations – this is between the RSA key used by the service provider to build a blind signature, and his address. If these two do not relate, an attacker can exploit the system.

Identity management – We show how blockchain is compatible with secure multiparty computation; we detail how complex identities are formed using blind signature. For the success of our work, we describe identities that capture shared identities through multiple entities and their semantics. The pseudo-anonymous part of a shared identity is a $(2n + 1)$-tuple:

$$SharedIdentity = (addr, k_s^{1}, k_s^{2}, \ldots, k_s^{n}) \qquad (1)$$

where $n$ denotes the number of parties. Note that for $n = 1$ we return to the distinct pseudo-identity case. We integrate the idea of meta-data. Meta-data contains the fundamental semantic meaning of an identity. It includes public access control rules which the network uses to moderate access control.

Algorithm 3. Blockchain Store and Load Protocol
procedure STORE(s, pubKey, addrP, q_d^(s), e, n, x)
    ▷ (e, n) is the service provider's public RSA key pair, x the identifier of the transaction
1: m_1 ← hash(pubKey) ▷ (hash is a cryptographic hash function such as sha256)
2: if CheckPermission(s, pubKey, addrP, e, n, x) = True then
3:   a_s = H(addrP || s)
4:   l[a_s] ← q_d^(s)
5:   MPC[a_s] ← s
6:   return [a_s]
7: end if
8: return or [Null]
procedure LOAD(s, pubKey, addrP, e, n, a_s)
    ▷ (e, n) is the service provider's private RSA key pair
9: q_d^(s) ← l[a_s]
10: if CheckPermission(s, pubKey, addrP, e, n, q_d^(s)) = True then
11:   return MPC[a_s]
12: end if
13: return [Null]
14: end procedure

D. Share and Compute

Share and compute are illustrated in protocols 4 and 5 respectively; they are the MPC. They load and store shares into the blockchain. We use quorums to scale to bigger networks.

Algorithm 4. Secret Sharing Protocol
1: Init. Setup access(P)
2: Register. Upon receiving (register) from some party P_i
3: Share ← Upon receiving (share, COMM_{s_i}, {COMM^{(c)}_{[s_i]_i}}_i) from the customer c.
4: Select q ⊂ P ← random quorum and store an x, objects that has the metadata (c, r, s_i, current time)
5: Access ← Upon receiving access, {s_i}_i to customer c, access is set as [c] := {s_i}_i
   • Allow c ∈ C to query all x
   • For new customers ← select random computation q ⊂ P for each input reference from x, i, ∈ x call for re-share x, i. r ←
6: then instruct ⊂ q to initialize compute protocol (f(s_i), x, i ∈ x, s))

Algorithm 5. Secure computation protocol
1: Compute Protocol (f, s_i, s) for a party P_i ∈ q:
2: Init. Uphold the state for the computation, i.e., let round = 1, f_cur {shows current operation} = f, z_cur {provisional values} = x_i
   Sync. On input (sync)
3: if round > 1 → query the f{s_i}_i then record and update the provisional z_cur values.
4: execute (f_cur(z_cur)) locally until interface is required; let x_cur be the hidden shares
5: set w_cur = ENC(r_i, s.ek) if this is the output stage gate, otherwise
6: send (sync, round, x_cur, w_cur) to the f{s_i}_i
7: round = round + 1
   Compute Protocol for the b ∈ C:
8: Execute: Send input (execute, f, x = {x, j}) to the function_interface
   Result. For input (result)
9: for each i
10:   query x_i, w_i from the function
11:   r_i = DEC(w_i, s.ek)
12: reconstruct x, r; z = x − r is the output
   Otherwise
13: if state := DISAGREEMENT suspect := list of the parties that didn't accurately encrypt shares.
14: send (dispute, suspect, s.ek) to the function.
15: r_i = DEC(w_i, s.ek)

E. Token Transaction

Algorithm 6 illustrates the token transaction. A customer hashes the earlier created public key and requests a blind signature, which makes the token totally not relatable to the transaction, and thus
can warrant the anonymity needed. We define three protocols, acquire_token($s, y$), unblind_token($\bar{t}_y$) and issue_token($c, y$).

Algorithm 6. Token transaction
1: procedure ACQUIRE_TOKEN(s, pubKey, e, n, x)
    ▷ (e, n) is the service provider's public RSA key pair, x the identifier of the transaction
2: m_1 ← hash(pubKey) ▷ (hash is a cryptographic hash function such as sha256)
3: r ← randint(0, n)
4: m_1 ← m_1 · r^e mod n
5: send((m_1, x), s)
6: return (m_1, r)
7: procedure ISSUE_TOKEN(c, m_1, d, n, x)
    ▷ (n, d) is the service provider's private RSA key pair
8: if verify(x) then ▷ the has to specify Verify
9:   t̄_y ← m_1^d mod n
10:  send(t̄_y, c)
11:  return t̄
12: procedure UN_BLIND_TOKEN(t̄_y, r, e, n)
13: t ← t̄_y · r^{-1} mod n
14: return t

VI. SECURITY ANALYSIS

We discuss the security objectives of our protocol schemes, which show the evidence and determine that we have achieved the security goals of our scheme. Various parts of our system use mathematical functions which take a variable length input string and convert it into a fixed length binary sequence; the process is known as a one way hash function.

A. Analysis of the System Protocols

For the verifications and proofs we describe a security parameter $g$, which symbolizes for instance the scope of the public key parameters. A function $f(g)$ is insignificant if its inverse rises faster than any polynomial function; it means that

$$\forall n \ge 0:\quad f(g)\, g^{n} \xrightarrow[g \to +\infty]{} 0 \qquad (2)$$

Therefore:

Formula 1: Token Unforgeability. Given a public key of a service provider, the polybounded logarithmic (security parameter $g$), and the sum of signatures from the arbitrary messages, a user is not in a position to create e.g. a signature of an address but only through an additional token (i.e. signature on the hash of an address) except for minor likelihood

Proof: We are guided by the assumption of the blind signature structure that we have employed: it is resistant against counterfeit attacks as defined by the scheme of Okamoto [25]; it is true even in the standard model, without assuming that the hash functions are true random oracles. In the case of the Chaum signature scheme [26], it needs the supposition and with a robust assumption as the stronger "one-more" RSA-inversion [9].

Statement 1. This means that badmouthing attacks are not likely to happen on this system. On the other hand, ballot stuffing attacks may not be entirely alleviated, but the coin currency presented in this protocol helps reduce the danger of vote stuffing. The system restricts the number of tokens to be issued against the sum of coins owned.

Formula 2: Reputation Unforgeability. Given the public history nature of the blockchain, a service provider is not capable of promoting a reputation that doesn't belong to him, except for minor likelihood $\epsilon(g)$.

Proof: Reputation is linked to the address that represents the public key. Hence, the service provider can persuasively convince the customers that he owns the address. For instance, when the token is issued, by using the service provider's address, the blind signature could itself be signed. The service provider could as well publish the signature for the blind signature protocol, which is signed using the private key and is consistent with the public key of its address. This property is safeguarded as long as the standard signature scheme is protected; therefore we can say that the signatures are not forgeable.

Formula 3: Customer anonymity. Given that the ratings for a particular service provider are broadcast in the blockchain network, the identity associated with the customer that publishes the rating is vague from the service provider's view, among the customers that were earlier in a transaction with the service provider.

Proof: In any transaction, the service provider can view:
- The customer identity.
- The transaction information (date, address, cost, goods and money transfer).
- Random view about the customer's address, which is unlinkable to the authentic signatures. This is guaranteed by the blind signature protocol.

The customer's review includes:
- Transaction address created by the customer.
- The service provider's identity.
- Hashed signatures on the address.
- Rating to the service provider.

For each transaction, a customer randomly creates a new address. This means that the address is independent from the customer's identity. Though the service provider knows its identity, he cannot distinguish and link the actual signature issued to the randomized view he obtained at the token issuing stage. Lastly, we presume that the service provider does not have an idea of the rating by the customer before it is actually broadcast on the network.

Formula 4: Unlinkability of the customer's information. Given two different pieces of information (hiding the customer's identity, and the time interval before the review is displayed), this process makes it very difficult to know if the information broadcast is from the same customer or not.

Proof: Every piece of information is signed and issued by randomly created addresses that are independent of one another. Besides, the tokens with signatures are not linkable to the actual transactions as earlier presented. Therefore it is not possible to conclude if different information reports were created by the same customer. Our scheme is capable of hiding the identity of all the customers who have given their opinion on the service provider
likewise to those that have had interaction with a certain service provider in a given time. This process gives some fulfilment of the $g$-anonymity.

We construct a model that shows that the customer reviews are indistinguishable. For instance, suppose a customer buys certain goods from a particular service provider. The influx of customers into the system can be modelled by a Poisson process with parameter $\lambda$. On top, we assume that after the customer receives the goods, he will take some time before he reviews the service provider. For our system the customer waits for a period of time which is uniformly distributed over $[0; \tau]$ for approximately $\tau > 0$. This shows that our system protocol is capable of hiding the identity of the customer who has had a transaction with the service provider for some time frame. This therefore explains the following deliberation:

Formula 5: Indistinguishability. Given that the influx of customers is modelled by a Poisson process with parameter $\lambda$, when customers wait for a uniformly distributed period of time in $[0; \tau]$ before submitting their reviews into the system, the customer is indistinguishable among a set of $\lambda\tau$ customers.

Proof: Let us denote $T$ as the influx period of the customer $c$, and we denote $R$ as the time at which the corresponding customer $c$ submits its review. Therefore, given a set of customers $c$, the service provider has no idea which review the corresponding customer submitted among the other reviews forwarded throughout $[g;\ g + \tau]$ by other customers. All through, the average posting period of $\lambda\tau$ reviews are submitted since $N(t)$ is a Poisson process with parameter $\lambda$, then $n, r:\ E\big(N(t + r) - N(t)\big) = \lambda\tau$.

multiparty computation. This method has been examined by numerous researchers [22]. We practice the same exemplary.

Fig. 5. Stimulus performance comparison of our secure MPC and traditional MPC

C. System Performance

This refers to the time it takes to get a complete response from all the communications in the system, i.e. from the secure share and computation to the submission of the reputation review. The communication delay directly depends on the node that consumes the most time. In our protocol, $n - 1$ random numbers are generated, the split vote ($n - 1/n$) is added, and ($n - 1$ ($n - 1/n$) messages are shared and computed. This also reduces overhead delays.
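The sharing step of Section V-D and the cost noted above ($n - 1$ random numbers plus one correcting share per vote) can be seen in a short additive secret sharing sketch. This is an added example, not the paper's implementation: the modulus `Q`, the SHA-256 hash commitments, the in-memory `Ledger` and the `Party` class are assumptions, and the encryption of each share under the receiving party's public key is left out.

```python
import hashlib
import secrets

Q = 2**61 - 1  # public prime modulus for share arithmetic (assumed parameter)


def split_rating(rating, n):
    """Split a rating into n additive shares: n-1 random values plus one
    correcting share, so that the shares sum to the rating modulo Q."""
    shares = [secrets.randbelow(Q) for _ in range(n - 1)]
    shares.append((rating - sum(shares)) % Q)
    return shares


def commit(share, nonce):
    """Hash commitment to a share; only this digest goes on the ledger."""
    return hashlib.sha256(nonce + share.to_bytes(8, "big")).hexdigest()


class Ledger:
    """Append-only stand-in for the blockchain: stores commitments only."""

    def __init__(self):
        self.entries = {}  # (customer_id, party_index) -> commitment

    def publish(self, customer_id, party_index, commitment):
        key = (customer_id, party_index)
        if key in self.entries:
            raise ValueError("commitment already published")
        self.entries[key] = commitment


class Party:
    """A quorum member: holds one share per customer, never a full rating."""

    def __init__(self, index, ledger):
        self.index, self.ledger, self.shares = index, ledger, {}

    def receive(self, customer_id, share, nonce):
        # Reject a share that does not open the on-ledger commitment.
        expected = self.ledger.entries.get((customer_id, self.index))
        if expected != commit(share, nonce):
            return False
        self.shares[customer_id] = share
        return True

    def partial_sum(self):
        return sum(self.shares.values()) % Q


def submit_rating(customer_id, rating, parties, ledger):
    """Customer side: share, commit on the ledger, send openings to parties."""
    shares = split_rating(rating, len(parties))
    accepted = []
    for party, share in zip(parties, shares):
        nonce = secrets.token_bytes(16)
        ledger.publish(customer_id, party.index, commit(share, nonce))
        accepted.append(party.receive(customer_id, share, nonce))
    return all(accepted)


def query_reputation(parties, num_raters):
    """Querying customer: combine partial sums; only the aggregate appears."""
    total = sum(p.partial_sum() for p in parties) % Q
    return total / num_raters


def explain_away(known_shares, candidate_rating):
    """Collusion view: for ANY candidate rating there is a missing share
    consistent with the n-1 shares the colluders already hold."""
    return (candidate_rating - sum(known_shares)) % Q


def demo():
    ledger = Ledger()
    parties = [Party(i, ledger) for i in range(4)]
    ratings = {"c1": 5, "c2": 3, "c3": 4}  # constructed sample ratings
    for cid, r in ratings.items():
        assert submit_rating(cid, r, parties, ledger)
    return query_reputation(parties, len(ratings))


if __name__ == "__main__":
    print("average rating:", demo())
```

`explain_away` is the reason $n - 1$ colluding share holders learn nothing about one vote: every rating remains equally consistent with what they hold.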
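Algorithm 6's token exchange, written out as textbook RSA blinding in the style of Chaum [26]. This is an added example, not the authors' code: the toy key built from two Mersenne primes, the `ServiceProvider` class, the transaction ids and the one-token-per-transaction rule inside `issue_token` are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key from two Mersenne primes so the example runs offline.
# Assumption: a deployment would use a properly generated key of at least
# 2048 bits and a padded blind-signature scheme; this is textbook RSA.
P_PRIME, Q_PRIME = 2**61 - 1, 2**89 - 1
N = P_PRIME * Q_PRIME
E = 65537
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))  # provider's private exponent


def h(pub_key):
    """m_1 = hash(pubKey), reduced into Z_n."""
    return int.from_bytes(hashlib.sha256(pub_key).digest(), "big") % N


def acquire_token(pub_key, e, n):
    """Customer: blind the hashed one-time public key with a random r."""
    m1 = h(pub_key)
    while True:
        r = 2 + secrets.randbelow(n - 2)
        if gcd(r, n) == 1:  # r must be invertible for unblinding
            break
    blinded = (m1 * pow(r, e, n)) % n
    return blinded, r


class ServiceProvider:
    """Holds d and the set of completed transactions (hypothetical store)."""

    def __init__(self, d, n, completed):
        self.d, self.n = d, n
        self.completed = set(completed)
        self.issued = set()
        self.view = []  # everything the provider could later try to link

    def issue_token(self, blinded, x):
        # verify(x): the transaction exists and has not already paid out.
        # One token per transaction is an assumption of this sketch.
        if x not in self.completed or x in self.issued:
            return None
        self.issued.add(x)
        blinded_sig = pow(blinded, self.d, self.n)
        self.view.append((x, blinded, blinded_sig))
        return blinded_sig


def unblind_token(blinded_sig, r, n):
    """Customer: strip the blinding factor, t = t_bar * r^-1 mod n."""
    return (blinded_sig * pow(r, -1, n)) % n


def verify_token(token, pub_key, e, n):
    """Anyone: the token is a valid signature on hash(pubKey)."""
    return token is not None and pow(token, e, n) == h(pub_key)


def demo():
    sp = ServiceProvider(D, N, completed={"tx-1001"})  # constructed tx id
    pub_key = b"constructed-one-time-ecdsa-public-key"
    blinded, r = acquire_token(pub_key, E, N)
    token = unblind_token(sp.issue_token(blinded, "tx-1001"), r, N)
    return {
        "valid": verify_token(token, pub_key, E, N),
        "replay_refused": sp.issue_token(blinded, "tx-1001") is None,
        "unknown_tx_refused": sp.issue_token(blinded, "tx-9999") is None,
        "provider_saw_hash": any(b == h(pub_key) for _, b, _ in sp.view),
        "provider_saw_token": any(token in (b, s) for _, b, s in sp.view),
    }


if __name__ == "__main__":
    print(demo())
```

The last two fields show what the unlinkability argument of Formula 3 rests on: neither the hashed address nor the final token ever appears in the provider's own records.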
VII. CONCLUSION

A user's privacy should not depend on a third party entity in a reputation system, because they are vulnerable to threats and exploitation. Alternatively, parties should individually own and control their data. Our mechanism allows this by using blockchain technology as an access control go-between, with a secure computation secret sharing solution. Parties do not need to trust any third party. Besides, the blockchain technology identifies parties as the rightful owners of their individual data. Organizations can seize the opportunity and focus on employing data without excessively worrying about correctly securing and classifying them.

REFERENCES

[1] P. Resnick, R. Zeckhauser, E. Friedman, and K. Kuwabara. Reputation systems. Communications of the ACM, 43(12):45-48, December 2000.
[2] A. Jøsang, R. Ismail, and C. Boyd, "A survey of trust and reputation systems for online service provision," Decision Support Systems, vol. 43, no. 2, pp. 618-644, 2007.
[3] P. Resnick and R. Zeckhauser, "Trust among strangers in internet transactions: Empirical analysis of ebay's reputation system," Volume 11 of Advances in Applied Microeconomics, pp. 127-157, 2002.
[4] P. Resnick and R. Zeckhauser. Trust among strangers in internet transactions: Empirical analysis of ebay's reputation system. The Economics of the Internet and E-Commerce. Michael R. Baye, editor. Volume 11 of Advances in Applied Microeconomics, pages 127-157, 2002.
[5] E. Pavlov, J. S. Rosenschein, and Z. Topol. Supporting privacy in decentralized additive reputation systems. In Proceedings of the Second International Conference on Trust Management (iTrust 2004), Oxford, UK, 2004.
[6] D. Donato, M. Paniccia, M. Selis, C. Castillo, G. Cortese, and S. Leonardi. New metrics for reputation management in p2p networks. In Proceedings of the 3rd International Workshop on Adversarial Information Retrieval on the Web (AIRWeb'07), 2007.
[7] D. Quercia. Trust Models for Mobile Content-Sharing Applications. PhD thesis, University College London, 2009.
[8] L. McNamara, C. Mascolo, and L. Capra. Media sharing based on colocation prediction in urban transport. In Proceedings of the 14th ACM International Conference on Mobile Computing and Networking, 2008.
[9] O. Hasan, L. Brunie and E. Bertino, "Preserving Privacy of feedback providers in a decentralized reputation systems", Computer security, (2011), http://dx.doi.org/10/1016/j.cose.2011.12.003.
[10] O. Hasan, L. Brunie and E. Bertino, "A Decentralized Privacy Preserving Reputation Protocol for the Malicious Adversarial Model", Rapport de recherché RR-LIRIS-2012-008, (2012).
[11] T. Dimitriou and A. Michalas, "Multi-Party Trust Computation in Decentralized Environments", New Technologies, Mobility and Se (NTMS), (2012, pp. 1-5).
[12] M. Voss, "Privacy Preserving online reputation system", In International Information Security Workshops, (2004), pp. 245-260.
[13] S. Steinrecher, "Design options for privacy-respecting reputation systems within centralized internet communities", In SEC, (2006), pp. 123-134.
[14] L. A Martucci, S. Ries and M. Muhlhauser, "Sybil-Free pseudonyms, Privacy and Trust: Identity Management in the Internet of Services", Journal of Information Processing, vol. 19, no. 1, (2011), pp. 1-15.
[15] J. Bethencourt, E. Shi and D. Song, "Signature of reputation: Towards trust without Identity", In: Sio, R (ed.) FC 2010, LNCS, vol. 6052, (2010), pp. 400-407. Springer, Heidelberg.
[16] E. Pavlov, J.S. Rosenschein, and Z. Topol, "Supporting privacy in decentralized additive reputation systems," 2nd International Conference on Trust Management, LNCS 2995, pp. 108-119, 2004.
[17] O. Hasan, L. Brunie, and E. Bertino, "k-shares: A privacy preserving reputation protocol for decentralized environments," 25th IFIP International Information Security Conference (SEC), pp. 253-264, 2010.
[18] S. Dolev, N. Gilboa, and M. Kopeetsky, "Computing multi-party trust privately: In o (n) time units sending one (possibly large) message at a time," Proc. 2010 ACM Symposium on Applied Computing, pp. 1460-1465, 2010.
[19] T. Dimitriou and A. Michalas, "Multi-party trust computation in decentralized environment in the presence of malicious adversaries," Ad Hoc Networks, 2013.
[20] Florian Kerschbaum. A verifiable, centralized, coercion-free reputation system. In Proceedings of the 8th ACM Workshop on Privacy in the Electronic Society, WPES '09, pages 61-70, New York, NY, USA, 2009. ACM.
[21] Omar Hasan, Lionel Brunie, Elisa Bertino, and Ning Shang. A decentralized privacy preserving reputation protocol for the malicious adversarial model. IEEE Transactions on Information Forensics and Security, 8(6):949-962, 2013.
[22] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system, 2008. https://bitcoin.org/bitcoin.pdf.
[23] Marc Pilkington. Blockchain technology: Principles and applications. Research Handbook on Digital Transformations, edited by F. Xavier Olleros and Majlinda Zhegu. Edward Elgar, 2016.
[24] Davide Carboni. Feedback based reputation on top of the bitcoin blockchain. arXiv preprint arXiv:1502.01504, 2015.
[25] Tatsuaki Okamoto. Efficient blind and partially blind signatures without random oracles. In Theory of cryptography, pages 80-99. Springer, 2006.
[26] David Chaum, Amos Fiat, and Moni Naor. Untraceable electronic cash. In Proceedings on Advances in cryptology, pages 319-327. Springer-Verlag New York, Inc., 1990.
[27] K. Hoffman, D. Zage, and C. Nita-Rotaru. A survey of attack and defense techniques for reputation systems. ACM Computing Surveys, 41(4), December 2009.