DAPA: A Decentralized, Accountable, and Privacy-Preserving Architecture for Car Sharing Services

Car sharing offers a flexible peer-to-peer or station based car rental service to customers. On one hand, it requires customers to expose identifications (e.g., valid driving licenses) to car sharing service providers (CSSPs) for accountability, i.e., the driving qualification of customers can be verified and misbehaving customers can be traced by CSSPs. On the other hand, privacy concerns arise when customers identities are exposed as honest-but-curious CSSPs may secretly extract customers privacy information by linking their car rental records to their identities. To resolve this contradiction, we propose a decentralized, accountable, and privacy-preserving architecture for car sharing services, named DAPA. In specific, to overcome the limitation of the single point of failure, multiple dynamic validation servers are employed to substitute a single trusted third-party authority and assist in building decentralized trust for customers. In addition, to protect customers' privacy and achieve accountability simultaneously under the decentralized architecture, a new privacy-preserving identity management (PPIM) scheme is introduced as a basic module for DAPA. Customers' identities are protected in a distributed and dynamic manner but publicly verified based on a well-designed zero-knowledge proof protocol. Only the misbehaving customers' identities can be recovered by a majority of validation servers using adaptive verifiable secret sharing/redistribution techniques. Detailed security analysis shows that DAPA can minimize privacy breaches and guarantee the accountability. Performance evaluations via extensive simulations demonstrate that DAPA is efficient in terms of computational costs and communication overheads.