Iris: Dynamic Privacy Preserving Search in Authenticated Chord Peer-to-Peer Networks

Angeliki Aktypi, Kasper Rasmussen

TL;DR

This work addresses query privacy in structured P2P networks, specifically authenticated Chord, by introducing Iris, a privacy-preserving lookup that conceals the target from intermediate nodes. It defines a practical privacy notion, $(\alpha,\delta)$-privacy, to quantify the information leaked across all iterations of the search, and develops a lookup mechanism that asks intermediate nodes for intermediate identifiers, chosen by linear interpolation, so that routing progresses without exposing the target. The authors give a formal analysis showing correctness and $(\alpha,\delta)$-privacy against lone and colluding adversaries, and validate the approach with Matlab simulations demonstrating tunable privacy at modest overhead. Because Iris is compatible with the existing Chord protocol, it can be used by a privacy-conscious requester without network-wide changes, while the authenticated Chord variant preserves authentication and data integrity.

Abstract

In structured peer-to-peer networks, like Chord, users find data by asking a number of intermediate nodes in the network. Each node provides the identity of the closest known node to the address of the data, until eventually the node responsible for the data is reached. This structure means that the intermediate nodes learn the address of the sought-after data. Revealing this information to other nodes makes Chord unsuitable for applications that require query privacy, so in this paper we present a scheme, Iris, to provide query privacy while maintaining compatibility with the existing Chord protocol. This means that anyone using it will be able to execute a privacy-preserving query, but it does not require other nodes in the network to use it (or even know about it). In order to better capture the privacy achieved by the iterative nature of the search we propose a new privacy notion, inspired by $k$-anonymity. This new notion, called $(\alpha,\delta)$-privacy, allows us to formulate privacy guarantees against adversaries that collude and take advantage of the total amount of information leaked in all iterations of the search. We present a security analysis of the proposed algorithm based on the privacy notion we introduce. We also develop a prototype of the algorithm in Matlab and evaluate its performance. Our analysis proves Iris to be $(\alpha,\delta)$-private while introducing a modest performance overhead. Importantly, the overhead is tunable and proportional to the required level of privacy, so no privacy means no overhead.
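The following Python is an added illustration, not code from the paper or its Matlab prototype. It simulates the iterative Chord lookup the abstract describes and logs the identifier every intermediate node is asked for, which is exactly the leak the paper targets; it then repeats the lookup asking each node for a random identifier drawn from $[O_p-\delta, O_p)$, using the $O_p=75$ and $\delta=22$ values from the Figure 3 caption. The 7-bit ring, the node set and the requester (node 10) are constructed for the example. The decoy selection is a simplified stand-in for Iris: the paper's linear-interpolation step and its $\alpha$ parameter are not reproduced, only the property that the requested identifiers stay inside a $\delta$-wide interval that shrinks as the search advances.

```python
import random

M = 7                 # identifier bits; the ring has 2**M = 128 positions (constructed example)
RING = 2 ** M

# Constructed node set for the illustration (not the paper's network); node 76 is present so
# that, as in the paper's Figure 3 caption, the lookup for object 75 ends at node 76.
EXAMPLE_NODES = [3, 10, 19, 27, 36, 44, 53, 61, 70, 76, 85, 93, 102, 110, 119, 126]


def in_range(x, lo, hi):
    """True if x lies in the clockwise ring interval (lo, hi], modulo 2**M."""
    x, lo, hi = x % RING, lo % RING, hi % RING
    if lo == hi:                      # (n, n] is the whole ring in Chord's convention
        return True
    if lo < hi:
        return lo < x <= hi
    return x > lo or x <= hi          # interval wraps through 0


class Chord:
    def __init__(self, node_ids):
        self.nodes = sorted({i % RING for i in node_ids})
        # finger[n][i] = successor(n + 2**i); finger[n][0] is n's immediate successor
        self.finger = {n: [self.successor(n + 2 ** i) for i in range(M)] for n in self.nodes}

    def successor(self, ident):
        """Node responsible for ident: the first node at or clockwise after ident."""
        ident %= RING
        for n in self.nodes:
            if n >= ident:
                return n
        return self.nodes[0]          # wrapped past the top of the ring

    def answer(self, n, ident):
        """What node n returns when asked 'who is the closest node you know to ident?'.
        One step of Chord's find_successor: the successor if it covers ident, otherwise
        the closest preceding finger.  Either way, n learns ident."""
        succ = self.finger[n][0]
        if in_range(ident, n, succ):
            return succ
        for f in reversed(self.finger[n]):
            if in_range(f, n, ident) and f != ident % RING:   # f in (n, ident)
                return f
        return succ


def chord_lookup(ring, requester, target):
    """Plain iterative Chord lookup.  Returns (responsible node, hop log); the log records
    (queried node, identifier it saw) for every node other than the requester."""
    log, n = [], requester
    while True:
        r = ring.answer(n, target)
        if n != requester:
            log.append((n, target % RING))
        if in_range(target, n, r):    # r's range covers the target: done
            return r, log
        n = r


def decoy_lookup(ring, requester, target, delta, seed=0):
    """Iterative lookup that asks each intermediate node for an identifier drawn from
    [target - delta, target) instead of the target.  The draw is limited to identifiers
    clockwise after the node being asked, so the usable interval shrinks as the search
    advances; when none remains the target itself is requested.  Simplified stand-in
    for Iris: the paper's linear interpolation and alpha parameter are not reproduced."""
    rng = random.Random(seed)
    log, n = [], requester
    while True:
        if n == requester:
            ident = target                       # the requester's own finger table leaks nothing
        else:
            dist = (target - n) % RING           # clockwise distance from n to the target
            kmax = min(delta, dist - 1)          # offsets that keep the decoy inside (n, target)
            k = rng.randrange(1, kmax + 1) if kmax >= 1 else 0
            ident = (target - k) % RING
            log.append((n, ident))
        r = ring.answer(n, ident)
        if in_range(target, n, r):               # the answer's range covers the real target
            return r, log
        n = r


if __name__ == "__main__":
    ring = Chord(EXAMPLE_NODES)
    print("plain lookup :", chord_lookup(ring, 10, 75))
    print("decoy lookup :", decoy_lookup(ring, 10, 75, 22, seed=1))
```

In the plain lookup every queried node (44, 61, 70) sees the exact target 75; in the decoy variant each sees a value in $[53,75)$, and the search still ends at node 76 because every answer moves the requester clockwise toward the target without passing it. What a node can still infer from its one query (the target lies at or after the identifier it was asked for) is the leakage the paper's $(\alpha,\delta)$-privacy notion quantifies, and colluding nodes can combine such bounds, as Figure 4 illustrates.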

Paper Structure (46 sections, 9 equations, 11 figures, 1 table, 3 algorithms)

Figures (11)

  • Figure 1: An example of Chord's retrieve algorithm. Node $8$ executes retrieve to fetch the data associated with object $62$. The participating nodes in the network are depicted as grey circles and the registered objects as white squares.
  • Figure 2: The privacy metric. The orange dashed line indicates the ${prior}_i$ range of $N_i$ against $N_r$. The green dashed line shows the ${posterior}_i$ range of $N_i$ after learning $I_i$. Both ranges are computed from ${UB}_i$, i.e., the upper bound of node $N_i$'s estimate of the range in which the actual target of node $N_r$ lies.
  • Figure 3: Iris's application example. The requester targeting object $O_p=75$ selects $\delta=22$ and $\alpha=0.25$, and queries successive nodes for identifiers chosen in the interval $[53,75)$. In every iteration the interval shrinks, converging at the end to node $N_t=76$.
  • Figure 4: A colluding adversary. Assuming that $N_j$ is the first colluding adversary asked, every other colluding node that the requester queries can use $UB_j$ instead of $UB_i$ in its calculation to infer the target.
  • Figure 5: Probability calculation. We mark with $O$ the addresses that $O_p$ can take and with $o$ and $x$ the explicit value(s) of $O_p$ and $R_i$ that we examine.
  • ...and 6 more figures

Theorems & Definitions (1)

  • Definition 1: $(\alpha,\delta)$-privacy