Abstract
An anonymous reputation system (ARS) was first proposed by Bl¨omer, Juhnke, and Kolb (FC, 2015), a protocol similar to group signatures in concept, and its definition has been refined for example by El Kaafarani, Katsumata, and Solomon (FC, 2018). A representative application of an ARS is e-commerce sites, where users are allowed to anonymously write reviews on products they have purchased, while also preventing them from double reviewing.
In this work, we revisit ARS. Our contributions are threefolds: First, we show that all previous definitions of ARS allow the users’ purchase history to leak. While users’ privacy is being guaranteed through the notion of anonymity, our findings show that this only achieves a weaker form of privacy, contrary to previously believed. Second, we formally define
purchase privacy, addressing the above shortcoming, and complement previous security models. Along the way, we notice that one of the main entities, the system manager, does not play any cryptographically relevant role in the definition of ARS. Effectively, by excluding the system manager from the definition, we are able to simplify previous definitions. Lastly, we propose a generic construction and provide one concrete efficient instantiation based on pairing-based cryptography, requiring only 16 kilobits for a signature.
