Definition of the Anonymity of Mix Network Runs Andrei Serjantov University of Cambridge Computer Laboratory

Metric in Mix Networks (PET 2002) Metric also useful in mix networks Q R D B {(A,0.125), (B,0.125), (C,0.25), (D,0.5)} A C

Route Length (Sets) (PET 2002) Q R D B {A,B,C,D} A C Now we look at how information can change APD, but not the underlying set Mix systems, often have a maximum route length (eg Mixmaster)

Route Length (probabilities) (PET 2002) Max route length = 2. A"1,3,2"Q cannot happen C"3,2" {Q or R}. S has the anonymity set {A,B} Q,R still have the anonymity set {A,B,C} but a different anonymity probability distribution (with a lower entropy) 12 3 A B C S R Q

Hence we need a principled way of calculating the anonymity of a message as seen by the attacker!

A Formal Model of a Mix Network Given a set of input messages, our model can tell us what the mix network will do → (a real trace of events which happen in the network) M2 M1 Sender2 Sender1 Sender3 R2 R1 R3 {(Sender1,[M1,M2],R1) (Sender2,[M1],R2) (Sender3,[M2],R3)}

Generating a Real Trace M2 M1 Sender 2 Sender 1 Sender3 R2 R1 R3 [(Sender 1,M 1,MixRecv,C 1),(Sender 2,M 1,MixRecv,C 2),(Mix 1,Recv (R 2),RecvRecv,C 2),(Mix 1,M 2,MixRecv,C 1),(Sender 3,M 2,MixRecv,C 3),(Mix 2,Recv (R 3),RecvRecv,C 3),(Mix 2,Recv (R 1),RecvRecv,C 1)] {(Sender1,[M1,M2],R1,C1) (Sender2,[M1],R2,C2) (Sender3,[M2],R3,C3)}

Erasing the Real Trace (1) From this, we can work out what the attacker will observe –(the real get erased to remove the information the attacker cannot see) –We get an erased trace M2 M1 Sender 2 Sender 1 Sender3 R2 R1 R3 M2 M1 Sender 2 Sender 1 Sender3 R2 R1 R3

Erasing the Real Trace (2) Real trace: [(Sender 1,M 1,MixRecv,C 1),(Sender 2,M 1,MixRecv,C 2),(Mix 1,Recv (R 2),RecvRecv,C 2),(Mix 1,M 2,MixRecv,C 1),(Sender 3,M 2,MixRecv,C 3),(Mix 2,Recv (R 3),RecvRecv,C 3),(Mix 2,Recv (R 1),RecvRecv,C 1)] Erased trace: [(Sender 1,M 1),(Sender 2,M 1),(Mix 1,Recv (R 2)), (Mix 1,M 2),(Sender 3,M 2),(Mix 2,Recv (R 3)),(Mix 2,Recv (R1))] M2 M1 Sender 2 Sender 1 Sender3 R2 R1 R3 M2 M1 Sender 2 Sender 1 Sender3 R2 R1 R3

From the Attacker’s Point of View The attacker has an observation (an erased trace Obs) He now uses the model to find all the real traces which erase to Obs → Call these All Obs = [(Sender 1,M 1),(Sender 2,M 1),(Mix 1,Recv (R 2)), (Mix 1,M 2),(Sender 3,M 2),(Mix 2,Recv (R 3)), (Mix 2,Recv (R1))] M2 M1 Sender 2 Sender 1 Sender3 R2 R1 R3

Finding All Scenarios M2 M1 Sender 2 Sender 1 Sender3 R2 R1 R3 M2 M1 Sender 2 Sender 1 Sender3 R2 R1 R3 M2 M1 Sender 2 Sender 1 Sender3 R2 R1 R3 M2 M1 Sender 2 Sender 1 Sender3 R2 R1 R3 I II III IV In 2 out of the 4 scenarios Sender 3 sent the message to R1

(In ASCII!) [[(Sender 1,M 1,MixRecv,C 1),(Sender 2,M 1,MixRecv,C 2),(Mix 1,Recv (R 2),RecvRecv,C 2),(Mix 1,M 2,MixRecv,C 1),(Sender 3,M 2,MixRecv,C 3),(Mix 2,Recv (R 3),RecvRecv,C 3),(Mix 2,Recv (R 1),RecvRecv,C 1)], [(Sender 1,M 1,MixRecv,C 1),(Sender 2,M 1,MixRecv,C 2),(Mix 1,Recv (R 2),RecvRecv,C 2),(Mix 1,M 2,MixRecv,C 1),(Sender 3,M 2,MixRecv,C 3),(Mix 2,Recv (R 3),RecvRecv,C 1),(Mix 2,Recv (R 1),RecvRecv,C 3)], [(Sender 1,M 1,MixRecv,C 1),(Sender 2,M 1,MixRecv,C 2),(Mix 1,Recv (R 2),RecvRecv,C 1),(Mix 1,M 2,MixRecv,C 2),(Sender 3,M 2,MixRecv,C 3),(Mix 2,Recv (R 3),RecvRecv,C 3),(Mix 2,Recv (R 1),RecvRecv,C 2)], [(Sender 1,M 1,MixRecv,C 1),(Sender 2,M 1,MixRecv,C 2),(Mix 1,Recv (R 2),RecvRecv,C 1),(Mix 1,M 2,MixRecv,C 2),(Sender 3,M 2,MixRecv,C 3),(Mix 2,Recv (R 3),RecvRecv,C 2),(Mix 2,Recv (R 1),RecvRecv,C 3)]]

Probabilities Suppose: –All senders equally likely to send to all receivers –All routes equally likely to be chosen →All scenarios are equiprobable For the message which arrives at R1, the anonymity probability distribution is: {(Sender 1,0.25), (Sender 2, 0.25), (Sender 3,0.5)} (Glossing over the exact details)

See my PhD Thesis for this and lots of other cool things…