Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.


What is it?
- Imagine Alice wants to send a message to Bob, but doesn’t want anyone, including Bob himself, to know she sent it
- Imagine Bob wants to receive messages, but doesn’t want anyone, including the sender, to know he received it

Anonymous Communication
- Study of how to facilitate communication while hiding who is talking to whom
- Applicable to:
  - Privacy in e-Commerce and in general
  - Anonymous Bulletin Boards, i.e. AA
  - Music Trading
  - Freedom of speech

The Problem
- Really two different problems:
  - Sender anonymity – hiding the honest sender (originator) of a message
  - Receiver anonymity – hiding the intended recipient of a message sent by an honest sender
- Intuitively hard:
  - Underlying network is not anonymous, even if it is secure

Hiding from whom?
- Many possibilities, but here are some common ones:
  - Honest-but-curious users
  - Passive, global eavesdropping (secure channels)
  - Honest-but-curious group of users
  - Malicious group of users
  - Malicious group of users with eavesdropping
  - Malicious group of users with eavesdropping and the ability to drop packets

Not Easy…
- How do you show that someone can’t do something?
- As is typical in cryptography…
  - …show that if they can, they can also do something that we think/know is really hard – a reduction
- Assumed adversary is normally very powerful

Scenario
- Anonymous service provider
- Anonymous communications network
- Sender and receiver anonymity, as described before
- A request comes in for service
- Considering the need for anonymity, do you respond?

Scenario 1 Response
- No! Why?
- Sender and receiver anonymity don’t protect you
- If sender is an adversary, and he was able to make it so that you are the only honest user to receive that request, then by responding, you reveal your identity

New Definition
- This particular attack motivates the search for a new property:
  - For lack of a better name, receiver anonymity 2
- It is a protection for the receiver:
  - There are always x honest recipients of every message, for definition of x
- Not a necessary property, but it seems important for an anonymous communications protocol to be intuitively “useful” – i.e. two-way communication

A Reduction
- Byzantine Agreement:
  - Essentially a protocol for reliable broadcast
  - At the end, every participant has the same value sent by the sender
- Authenticated Byzantine Agreement:
  - Same problem, but now we can sign messages
- Result: If a protocol is receiver anonymous 2, then it is at least as hard as Authenticated Byzantine Agreement.
- BA and ABA are well-studied “hard” problems, and have many well-known characteristics, including lower bounds, that make this reduction very useful.

Break time! Any questions?

And now for something completely different…

Non-Participation
- The most evil of all adversarial strategies:
  - Equivalent to pretending to be deaf when someone is talking to you -- very rude, but very effective at stopping communication
  - Apparently fatal to several attempts at anonymous communication

Why is it so evil?
- Because it is non-localized:
  - Non-participation problems are between pairs of users
  - Impossible to tell which user is bad
- Protocols that are resistant are so because they show adaptivity
  - They modify themselves to no longer require those users to communicate, while not losing anonymity or gaining complexity

Tricks and Tips
- Important facts:
  - Two honest users will never not participate, so they will always communicate
  - Every pair that no longer communicates has at least one adversary
- If we look at the connection graph, we see interesting properties

Connection Graph
- We assume initially a complete connection graph
- This is just an example connection graph of 4 honest users and 5 adversary users
- Blue honest users form a complete subgraph
- Red adversary users form an arbitrary connected subgraph

Tricks and Tips 2
- The complexity of a protocol can typically be tied to properties of the connection graph
- In some situations it is possible that the adversary has to or can be forced to mimic this behavior
- This places constraints on his ability to interfere

Example: Non-Participation in k-AMT
- Problem: How to broadcast a message to a group of users when some of them want to prevent it
- Adversary wants to:
  - Prevent it if possible, but
  - Slow it down if not
- Solutions?

Solution
- After every broadcast, if you were expecting a message and didn’t get it, complain!
- Everyone who got it sends it to the complainer
- Because we assume a reliable network, he must have gotten it now!

Solution Analysis
- Works well, but seems to introduce additional communication complexity:
  - An adversary (or a set of them) can complain every round
  - Since this forces everyone to send the broadcast to him, he receives multiple copies => Bit inefficiency

Another Way
- Use the connection graph!
- If you don’t get a message, complain.
- Everyone removes that edge in the connection graph, and redefines the broadcast patterns to not use that edge
- If the graph is connected, it is always possible and easy to do optimally
- Problem: an adversary can make the diameter of the connection graph really big, thus making broadcast take many rounds

Neat Trick
- Require that every node be part of a complete subgraph of size k
- Since honest users always will be, then it doesn’t hurt them
- Result: By requiring the adversary to do it as well, we can bound the maximum diameter of the connection graph at 3n/k versus

Consequences
- Only works because we consider anonymity to be broken anyway if there are less than k honest users in a group (k-anonymity)
- Efficiency:
  - No additional bit complexity
  - Possibly additional rounds, but bounded by a small constant dependent on the size of the group and k
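
The connection-graph approach and the k-clique rule from the last three slides, as an added example that is not part of the original talk: it models complaints as edge removals on the slides' graph of 4 honest and 5 adversary users, then compares the broadcast diameter with and without the clique requirement against the 3n/k bound. The node numbering, the two adversary edge sets, and the choice to exclude nodes that sit in no k-clique are assumptions made for illustration.

```python
from collections import deque
from itertools import combinations

def scenario(kept, n=9, honest=4):
    """Constructed input: nodes 0..honest-1 are honest. Every edge touching
    an adversary draws a complaint and is removed unless listed in `kept`."""
    g = {v: set(range(n)) - {v} for v in range(n)}
    keep = {frozenset(e) for e in kept}
    for a, b in combinations(range(n), 2):
        if b >= honest and frozenset((a, b)) not in keep:
            g[a].discard(b)
            g[b].discard(a)
    return g

def in_k_clique(g, v, k):
    """True if v plus some k-1 of its neighbours are pairwise connected."""
    return any(all(y in g[x] for x, y in combinations(c, 2))
               for c in combinations(sorted(g[v]), k - 1))

def enforce_k_cliques(g, k):
    """Assumed enforcement: keep excluding nodes that sit in no k-clique."""
    while True:
        bad = [v for v in g if not in_k_clique(g, v, k)]
        if not bad:
            return g
        for v in bad:
            for u in g.pop(v):
                g.get(u, set()).discard(v)

def diameter(g):
    """Worst-case broadcast rounds (graph diameter); None if disconnected."""
    worst = 0
    for s in g:
        dist, queue = {s: 0}, deque([s])
        while queue:
            x = queue.popleft()
            for y in g[x]:
                if y not in dist:
                    dist[y] = dist[x] + 1
                    queue.append(y)
        if len(dist) < len(g):
            return None
        worst = max(worst, max(dist.values()))
    return worst

# Adversaries 4..8 stretch the graph into a chain hanging off honest node 0.
PATH = [(0, 4), (4, 5), (5, 6), (6, 7), (7, 8)]
# Same goal, but each adversary stays inside a triangle to satisfy k = 3.
TRIANGLES = [(0, 4), (4, 5), (4, 6), (5, 6), (6, 7), (6, 8), (7, 8)]
```

With the chain, the diameter is 6 and the clique rule with k = 3 excludes all five adversaries; with the triangles nobody is excluded and the diameter is 4, inside the bound 3n/k = 9.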

Just the beginning
- Just scratches the surface of anonymity:
  - Formal models
  - Different techniques
  - Parallels to data anonymity
  - Extensions of the idea itself
- In other words, lots of fun left…

Thank you for your time! That’s it! Any questions?