Attacks on a Privacy-Preserving Publish-Subscribe System and a Ride-Hailing Service
This work exposes critical vulnerabilities in existing privacy-preserving protocols, impacting users and developers relying on these systems for secure data matching.
The authors attacked two privacy-preserving systems—a context-aware publish-subscribe system and a ride-hailing service—by cryptanalyzing a modified Paillier cryptosystem, showing that confidential subscriptions and secret keys could be learned, compromising user privacy.
A privacy-preserving Context-Aware Publish-Subscribe System (CA-PSS) enables an intermediary (broker) to match the content from a publisher and the subscription by a subscriber based on the current context while preserving confidentiality of the subscriptions and notifications. While a privacy-preserving Ride-Hailing Service (RHS) enables an intermediary (service provider) to match a ride request with a taxi driver in a privacy-friendly manner. In this work, we attack a privacy-preserving CA-PSS proposed by Nabeel et al. (2013), where we show that any entity in the system including the broker can learn the confidential subscriptions of the subscribers. We also attack a privacy-preserving RHS called lpRide proposed by Yu et al. (2019), where we show that any rider/driver can efficiently recover the secret keys of all other riders and drivers. Also, we show that any rider/driver will be able to learn the location of any rider. The attacks are based on our cryptanalysis of the modified Paillier cryptosystem proposed by Nabeel et al. that forms a building block for both the above protocols.