Provable Unlinkability Against Traffic Analysis Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University.


Outline Is it interesting? Our contribution. Problem definition. What is unlinkability? Related work. The protocol. Proof sketch. Prior information. Application: Donor Anonymity.

Is it interesting? A tremendous amount of work on the subject. Many practical systems, protocols and solutions. Relevant today in the context of peer to peer data exchange.

Our Contribution A set of simple equivalent measurements for unlinkability. Rigorous analysis and proof using information theory. Solution (and proof) for prior knowledge.

Problem definition
N nodes in a complete network graph. Synchronous network with bounds on message travel times. A public key infrastructure (PKI) is widely available. Given senders $S=\{s_1,\dots,s_M\}$ and receivers $R=\{r_1,\dots,r_M\}$ of messages, we would like the matching Π:S R to remain unknown to an adversary. At least some of the links are honest.

Problem definition
Chaum (1981) had shown that using onion-routing, one can assume that the adversary is restricted to traffic analysis. The unlinkability properties hadn't been proven, and the original protocol is actually insecure. We heavily rely on Chaum's ideas, with some limitations to the adversary.

What is unlinkability?
Π: the actual permutation that took place during communication.
C: the information the adversary has. A 0/1 matrix, with 1 indicating a communication line being used.
Mutual information: I(X:Y) = H(X) + H(Y) - H(X,Y). How much information one random variable conveys about another.
All definitions are equivalent.

Related Work
Chaumian-MIX
–Unproven security.
–Requires dummy traffic.
–Not efficient.
Dining Cryptographers
–Proven security.
–Not efficient (all players must play each round).
–Requires shared randomness.
–Requires broadcast.

Related Work
Crowds
–Proven weak security.
Busses
–Proven security.
–Not efficient.
AMPC
–Proven weak security.
–Not efficient.
RS93
–Proven security.
–Not efficient.
–Requires secure computation.

The Protocol
Forward: Alice chooses $v_1,\dots,v_{T-1}$ and sets $v_0$ = Alice, $v_T$ = Bob. Alice randomly chooses return keys $r_1,\dots,r_T$.
Each onion layer i contains:
–Address of the next node en route ($v_{i+1}$).
–Return key $r_i$, saved by node i.
–Unique identifier $z_i$.
–Encrypted onion part sent to $v_{i+1}$.
Message return is done in a similar way to Chaum's.

Our Protocol
Example (figure not preserved; labels R1 to R5).

Proof Sketch
Using the following chain rule, we can analyze the route of each player by itself: I(Π:C) = I(Π(1):C) + I(Π(2):C|Π(1)) + … α(N). The trick is to bound the amount of information the adversary has on each player.

Proof Sketch
We would like to show that the communications pattern contains a lot of honest crossovers, and that these crossovers hide enough information.
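To make the mutual-information measure and the role of honest crossovers concrete, here is an added example (not taken from the slides or the authors' paper). It assumes a constructed toy model: two senders pass through T crossovers in series, each crossover is honest independently with probability f, and the adversary's view is the swap bit at every corrupt crossover.

```python
import itertools
import math
from collections import defaultdict

def entropy(dist):
    """Shannon entropy in bits of a {outcome: probability} mapping."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def joint_distribution(T, f):
    """Joint law of (Pi, C) in the toy model: T crossovers, each honest w.p. f."""
    joint = defaultdict(float)
    for honest in itertools.product([True, False], repeat=T):
        p_links = math.prod(f if h else 1 - f for h in honest)
        for swaps in itertools.product([0, 1], repeat=T):
            pi = sum(swaps) % 2  # overall permutation: identity (0) or swap (1)
            # The adversary sees the swap bit only at corrupt crossovers;
            # None marks an honest crossover whose bit stays hidden.
            view = tuple(None if h else s for h, s in zip(honest, swaps))
            joint[(pi, view)] += p_links * 0.5 ** T
    return joint

def mutual_information(joint):
    """I(X:Y) = H(X) + H(Y) - H(X,Y), the formula from the slides."""
    px, py = defaultdict(float), defaultdict(float)
    for (x, y), p in joint.items():
        px[x] += p
        py[y] += p
    return entropy(px) + entropy(py) - entropy(joint)

if __name__ == "__main__":
    for T in (1, 2, 4, 8):
        leak = mutual_information(joint_distribution(T, 0.5))
        print(f"T={T}: I(Pi:C) = {leak:.6f} bits")
```

In this toy model a single honest crossover hides the permutation completely, so the leak equals the probability that every crossover is corrupt and shrinks exponentially in T.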

Proof Sketch
We show how to find an embedding of a structure of crossovers in the actual communications pattern. We call this structure of crossovers an obscurant network.

Proof Sketch
Example embedding (figure not preserved).

Proof Sketch: Obscurant Networks
Network – layered directed circuit with the same number of vertices on each layer.
Crossover Network – each vertex has in-degree and out-degree one or two.
$O_i$ – the probability distribution of the output when a pebble is put on starting vertex i.
(Figure not preserved; labels 0.5 and 1.)

Proof Sketch
A network is ε-obscurant if $|O_i - U_M|$ ε. Example: The butterfly network is 0-obscurant. The problem: what happens when $\log_2(M)$ is not an integer. We use two basic components: B4 and P4 (figures not preserved).
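The claim that the butterfly network is 0-obscurant can be checked exactly. This is an added example, not code from the slides or the authors; it assumes a pebble leaves a vertex along each out-edge with equal probability and measures the distance from uniform as the L1 distance, since the slides do not name the norm.

```python
from fractions import Fraction

def butterfly_layers(k):
    """Butterfly on M = 2**k vertices: in layer l, vertex v has the two
    out-edges v -> v and v -> v XOR 2**l (a crossover on bit l)."""
    m = 1 << k
    return [{v: (v, v ^ (1 << l)) for v in range(m)} for l in range(k)]

def output_distribution(layers, start, m):
    """Exact O_i: distribution of the exit vertex for a pebble placed on `start`."""
    dist = [Fraction(0)] * m
    dist[start] = Fraction(1)
    for layer in layers:
        nxt = [Fraction(0)] * m
        for v, p in enumerate(dist):
            if p:
                outs = layer[v]
                for w in outs:
                    nxt[w] += p / len(outs)  # assumed: out-edges equally likely
        dist = nxt
    return dist

def obscurance(layers, m):
    """Smallest eps for which the network is eps-obscurant under the assumed
    L1 norm: the maximum over start vertices i of |O_i - U_M|."""
    u = Fraction(1, m)
    return max(
        sum(abs(p - u) for p in output_distribution(layers, i, m))
        for i in range(m)
    )

if __name__ == "__main__":
    full = butterfly_layers(3)  # M = 8, log2(M) = 3 layers
    print("full butterfly:", obscurance(full, 8))
    print("one layer short:", obscurance(full[:2], 8))
```

Dropping a single layer leaves the pebble uniform over only half of the vertices, so the truncated network is far from obscurant even though every remaining crossover still mixes perfectly.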

Proof Sketch
Example Network (figure not preserved): Init, then Repeat $t=\log(M)+\log(\varepsilon^{-1})$ times. Z=4, M=5, k=M-Z=1.

Proof Sketch
Making sure we find an embedding. Lemma [Alo01]: Let G=(V,E) be a graph and assume: then: Meaning: We have a probability of finding all-honest crossovers.

Proof Sketch
Using the following chain rule, we can analyze the route of each player by itself: I(Π:C) = I(Π(1):C) + I(Π(2):C|Π(1)) + … α(N). The trick is to bound the amount of information the adversary has on each player.

Proof Sketch: Prior Information
Link each vertex $v_i^{(t)}$ with $v_i^{(T-t)}$, and reveal all data to the adversary if either one is adaptive. Effectively we have created a folding of the network (figure not preserved).

Proof Sketch
We receive the same game, with T/2 steps and $f^2$ probability of honest link. We show that: $I(\Pi^{(T)} : C=(C_1,C_2))$ $I(\Pi^{(T/2)} : C_1,C_2)$:

Conclusion
Theorem: Assume our protocol runs in a network with N nodes, N(N-1)/2 communication links, some constant fraction of which are honest, then the protocol is α(n)-unlinkable when T(log(N)log 2 (N/α(n)).

Future Work Incomplete network graph. Malicious behavior. Multi-shot games. Dynamic network topology changes.

Applications More realistic approach – a link is honest some of the time. Donor privacy – the ability to donate items and answer requests, without being identified.

Questions?