Universität
Karlsruhe
GERMANY
A Case for Evidence-Aware
Distributed Reputation Systems
Overcoming the Limitations of Plausibility Considerations
The Second International Conference on Trust Management
29 March - 1 April 2004 – Oxford, UK
Philipp Obreiter
Universität Karlsruhe
Institute for Program Structures und Data Organization
DIANE Project
http://www.ipd.uni-karlsruhe.de/DIANE
1/16
Motivation (1): Current State
1. service request
Anne
2. service provision
Bob
3. receipt
5. assessment of the
disrecommendation
4. disrecommendation
Chris
(”Did Anne defect or
did Bob defame?”)
Problem:
2/16
(”Anne did not provide
the service”)
Assessment of recommendations is equivalent to the
Byzantine Generals Problem
Approach: Base such assessment on plausibility considerations
 How trustworthy is the recommender?
 Does his statement correspond to one’s own prior beliefs?
Motivation (2): Target State
1. service request
Anne
2. service provision
Bob
3. NR-receipt
8. disrecommendation
(”Bob issued
defamation”)
5. receipt?
6. receipt!
Chris
4. NRdisrecommendation
7. refutation the disrecommendation
Approach: Make use of non-repudiable tokens (=evidences)
Solves the Byzantine Generals Problem:
 the defamation is refuted by presenting the receipt
 Bob’s misbehavior is proven by presenting the receipt/defamation
3/16
Overview
• Limitations of plausibility considerations
• Concept of Evidences
• Overcoming the limitations: 3 patterns
• Relationship to existing approaches
4/16
Distributed Reputation Systems: System Model
Entity A
local instance
of the DRS
5/16
Transactions
Recommendations
information system
Entity B
local instance
of the DRS
Limitations of Plausibility Considerations (1)
Limitations (Part 1)
1. request
Anne
2. provision
Bob
3. receipt
Chris
5. assessment
6/16
4. disrecommendation
 disadvantages for newcomers
 Chris cannot make use of
plausibility
 recommendations unrelated
to behavior
 Anne is disrecommended in
spite of the service provision
 Anne cannot self-recommend
 ineffective dissemination of
recommendations
 recommendations
authenticated but repudiable
Limitations of Plausibility Considerations (2)
Limitations (Part 2)
1. request
Anne
2. provision
Bob
3. receipt
Chris
5. assessment
7/16
4. disrecommendation
 unobservable recommendation
behavior
 Anne does not know about the
defamation
 unrecognized defamations
 e.g., if Chris is a newcomer
 unrecognized praising
 same as for defamations
 dissemination of assessment
results
 Chris’ assessment result cannot
be reproduced by others
Concept of Evidences: Comparison with Plausibility
no coupling
undocumented
documented
by evidences
Actual Behavior
coupling
available
evidences
Evidences
plausibility
considerations
coupling
verification
Assessment
Coupling of Actual Behavior and Assessment
 only for documented behavior (inherent restrictions!)
 plausibility considerations still necessary for undocumented
behavior
8/16
Concept of Evidences: Inherent Restrictions
Inherent Restrictions
 ensue from the criterion of incentive compatibility
 partly compromise the availability and truthfulness of evidences
1. Asymmetry of Issuance
there exists a receipt that is not acknowledged
 some behavior not documented (Coordinated Attack Problem)
2. Issuance of Negative Evidences
an entity does not disseminate negative evidences about itself
 lack of negative evidences
3. Untruthfulness Evidences
colluding entities could mutually attest good behavior
 evidence-awareness cannot solve the problem of praising
9/16
Overcoming the Limitations: Three Patterns (1)
self-recommendation
verifiable
assessment
result
1./2. request/provision
Anne
3. NR-receipt
5. receipt?
6. receipt!
8. disrecommendation
Bob
Chris
4. NRdisrecommendation
7. refutation
plausibility-less
assessment
Transferability of Evidences
 recommendation unrelated to behavior ()
 disadvantages for newcomers ()
 dissemination of assessment results 
 ineffective dissemination of recommendations 
10/16
Overcoming the Limitations: Three Patterns (2)
1./2. request/provision
Anne
3. NR-receipt
5. receipt?
6. receipt!
8. disrecommendation
If Bob does issue the receipt,
Bob’s defamation is refutable
Bob won’t defame
Bob
Chris
4. NRdisrecommendation
7. refutation
If Bob does not issue the receipt,
Bob defects
Anne won’t transact with Bob
Screening of Recommendation Behavior
 unobservable recommendation behavior 
11/16
Overcoming the Limitations: Three Patterns (3)
1./2. request/provision
Anne
3. NR-receipt
5. receipt?
6. receipt!
8. disrecommendation
Bob
4.
4. NRNRdisrecomdisrecommendation
mendation
Chris
7. refutation
Anne is given the chance to
provide refuting evidences
has to be non-repudiable,
otherwise it is ignored
Policy-based Restriction of Defamations
 unrecognized defamations ()
 ineffective dissemination of recommendations 
 unobservable recommendation behavior 
12/16
Overcoming the Limitations: Summary
Limitation
Pattern TransferScreening
ability
disadvantages for newcomers
()
recommendation unrelated to
behavior
()
ineffective dissemination of
recommendations

unobservable recommendation
behavior

()
unrecognized praising
13/16


unrecognized defamations
dissemination of assessment
results
Policies

Relationship to Existing Approaches
self-organized
punishment for
misbehavior
Plausibility based
distributed reputation
system
Evidence aware
distributed reputation
system
Plausibility
considerations by a
central authority
Evidence based
assessment by a
central authority
coupling of assessment with actual behavior
14/16
Summary and Future Work
Summary
 in distributed reputation systems, the truthfulness of
recommendations has to be assessed,
 existing approaches rely on plausibility considerations,
 there are several limitations of plausibility,
 we propose the use of non-repudiable tokens (evidences),
 evidences partly couple assessment and actual behavior,
 evidences allow for transferability, screening and policies,
 evidence awareness overcomes virtually every limitation
Future Work
15/16
 examine the design space of the policies and the
verification process
 implement and evaluate an evidence-aware distributed
reputation system
H
N
T
A
K
...for S
your attention
http://www.ipd.uni-karlsruhe.de/DIANE
16/16
Appendix
17/16
Distributed Reputation Systems: System Model
Entity A
local instance
of the DRS
Example:
Transactions
Recommendations
Recommendee
Anne
Transaction
local instance
of the DRS
Entity B
local instance
of the DRS
Recommender
Bob
local instance
of the DRS
Chris
Assessor
18/16
(=Recipient)
local instance
of the DRS
Recommendation
Concept of Evidences: Basics
Evidence
 non-repudiable token
 issued by an entity (evidencer)
 regarding the behavior of another entity (evidencee)
Types of Evidences
 receipt: evidencer attests that its peer has executed an action
 non-repudiable recommendation: evidencer (=recommender)
may be linked to its recommendation
 contract: evidencer attests to have agreed on some terms
 non-repudiable action: evidencer may be linked to its own action
19/16
Limitations (1): Recommender
limitations for the recommender
issuance of
recommendations
dissemination of
recommendations
facts cannot be
credibly communicated
behavior of
others
impact of recommendation
depends on own reputation
20/16
recommender in charge
of the dissemination
good conduct
of oneself
cannot
self-recommend
Limitations (2): Recommendee
limitations for the recommendee
incertitude about
recommendations
incertitude about
effectiveness
the amount and contents
of recommendations is unknown
impact on
transactions
cannot adapt
transactional behavior
to the peer’s
recommendations
doubts about the effectiveness
of the reputation system
impact on the
reputation system
necessity of
pro-active
defense
unknown
effective
pruning
doubts about
the coupling of
behavior and
reputation
lack of incentives
21/16
effective
dissemination
good behavior might not
result in good reputation
transaction peer
might not know
about relevant
recommendations
lack of protection
no protection
against defamations
Limitations (3): Assessor
limitations for the assessor
difficulties of assessing
recommendations
difficulties of disseminating
assessment results
disseminated result is subject
to plausibility considerations
plausibility considerations may
lead to inappropriate assessment
plausibility
considerations
infeasible
assessment necessitates a minimum
of background information
plausibility considerations false
plausibility considerations may
lead to wrong assessment
underestimation due to defamation
22/16
synergies with well-behaving
transaction peers are not exploited
overestimation
due to praising
betrayal by
transaction peers
Overcoming the Limitations: Summary
Patterns
Limitations to overcome
Recommender
Recommendee
Assessor
23/16
impact depends on own reputation
TransferScreening
ability
()
cannot self-recommend

in charge of the dissemination

cannot adapt to the peer's recommendations

necessity of pro-active defense unknown

good behavior might not be rewarded
requires background information
()

()
()
synergies with defamed entities unexploited
betrayed by overestimated peers
cannot credibly share assessment result

()
no protection against defamations
peer unaware of positive recommendations
Policies
