Published by Miguel Norris. Modified over 11 years ago.
1
Provable Unlinkability Against Traffic Analysis
Ron Berman
Joint work with Amos Fiat and Amnon Ta-Shma
School of Computer Science, Tel-Aviv University
2
Outline
Is it interesting?
Our contribution.
Problem definition.
What is unlinkability?
Related work.
The protocol.
Proof sketch.
Prior information.
Application: Donor Anonymity.
3
Is it interesting?
A tremendous amount of work on the subject.
Many practical systems, protocols and solutions.
Relevant today in the context of peer-to-peer data exchange.
4
Our Contribution
A set of simple equivalent measurements for unlinkability.
Rigorous analysis and proof using information theory.
Solution (and proof) for prior knowledge.
5
Problem definition
N nodes in a complete network graph.
Synchronous network with bounds on message travel times.
A public key infrastructure (PKI) is widely available.
Given senders $S=\{s_1,\dots,s_M\}$ and receivers $R=\{r_1,\dots,r_M\}$ of messages, we would like the matching $\Pi: S \to R$ to remain unknown to an adversary.
At least some of the links are honest.
6
Problem definition
Chaum (1981) showed that, using onion routing, one can assume that the adversary is restricted to traffic analysis.
The unlinkability properties had not been proven, and the original protocol is actually insecure.
We rely heavily on Chaum's ideas, with some limitations on the adversary.
7
What is unlinkability?
Π - actual permutation that took place during communication.
C - information the adversary has. 0/1 matrix, with 1 indicating a communication line being used.
1. 2. 3.
Mutual information - $I(X:Y) = H(X) + H(Y) - H(X,Y)$. How much information one random variable conveys about another.
All definitions are equivalent.
8
Related Work
Chaumian-MIX
– Unproven security.
– Requires dummy traffic.
– Not efficient.
Dining Cryptographers
– Proven security.
– Not efficient (all players must play each round).
– Requires shared randomness.
– Requires broadcast.
9
Related Work
Crowds
– Proven weak security.
Busses
– Proven security.
– Not efficient.
AMPC
– Proven weak security.
– Not efficient.
RS93
– Proven security.
– Not efficient.
– Requires secure computation.
10
The Protocol
Forward:
Alice chooses $v_1 \dots v_{t-1}$ and sets $v_0$ = Alice, $v_T$ = Bob.
Alice randomly chooses $r_1 \dots r_T$ return keys.
Each onion layer i contains:
– Address of next node en route ($v_{i+1}$).
– Return key $r_i$ saved by node i.
– Unique identifier $z_i$.
– Encrypted onion part sent to $v_{i+1}$.
Message return is done in a similar way to Chaum's.
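The layer structure listed above, as an added example that is not code from the presentation or its authors. It assumes a route given as [v_1, ..., v_T] with Bob last, hypothetical function and field names, and a toy SHA-256 keystream with one symmetric key per node standing in for the PKI encryption the slides assume.

```python
import hashlib
import json
import secrets

def stream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stand-in for per-node public-key encryption (assumption):
    # SHA-256 counter keystream, unauthenticated, illustration only.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def build_onion(route, node_keys, payload: bytes):
    """Wrap payload for route [v_1..v_T]; returns (onion for v_1, [r_1..r_T])."""
    return_keys = [secrets.token_hex(16) for _ in route]
    onion = payload
    for i in range(len(route) - 1, -1, -1):       # innermost layer first
        layer = {
            "next": route[i + 1] if i + 1 < len(route) else None,
            "r": return_keys[i],                  # return key saved by node i
            "z": secrets.token_hex(8),            # unique identifier z_i
            "inner": onion.hex(),                 # encrypted part for v_{i+1}
        }
        onion = stream_xor(node_keys[route[i]], json.dumps(layer).encode())
    return onion, return_keys

def peel(node_key: bytes, onion: bytes):
    """What one node learns: next hop, its return key, its identifier."""
    layer = json.loads(stream_xor(node_key, onion).decode())
    return layer["next"], layer["r"], layer["z"], bytes.fromhex(layer["inner"])

def deliver(onion: bytes, first: str, node_keys):
    """Forward the onion hop by hop; returns (per-hop view, final payload)."""
    hops, node = [], first
    while node is not None:
        nxt, r, z, onion = peel(node_keys[node], onion)
        hops.append((node, nxt, r))
        node = nxt
    return hops, onion

if __name__ == "__main__":
    keys = {n: secrets.token_bytes(32) for n in ("n1", "n3", "Bob")}  # constructed
    onion, _ = build_onion(["n3", "n1", "Bob"], keys, b"hello Bob")
    print(deliver(onion, "n3", keys))
```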
11
Our Protocol
Example (figure omitted)
12
Proof Sketch
Using the following chain rule, we can analyze the route of each player by itself:
$I(\Pi:C) = I(\Pi(1):C) + I(\Pi(2):C \mid \Pi(1)) + \dots$ α(N)
The trick is to bound the amount of information the adversary has on each player.
13
Proof Sketch
We would like to show that the communications pattern contains a lot of honest crossovers (figure omitted), and that these crossovers hide enough information.
14
Proof Sketch
We show how to find an embedding of a structure of crossovers in the actual communications pattern.
We call this structure of crossovers obscurant networks.
15
Proof Sketch
Example embedding (figure omitted)
16
Proof Sketch
Obscurant Networks
Network – layered directed circuit with same number of vertices on each layer.
Crossover Network – Each vertex has in-degree and out-degree one or two.
$O_i$ – The probability distribution of output when a pebble is put on starting vertex i.
(figure omitted; labels: 0.5, 1)
17
Proof Sketch
A network is ε-obscurant if $|O_i - U_M|$ ε.
Example: The butterfly network is 0-obscurant.
The problem: what happens when $\log_2(M)$ is not an integer.
We use two basic components: $B_4$, $P_4$ (figures omitted).
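The butterfly claim above can be checked exactly; this is an added example, not code from the presentation. It assumes a pebble picks uniformly among a vertex's out-edges, that layer l of the butterfly links v to v and v XOR 2^l, and that |O_i - U_M| is the L1 distance; all function names are hypothetical.

```python
from fractions import Fraction

def butterfly_layers(M):
    """Out-neighbours per layer of a butterfly on M = 2^k vertices (assumed wiring)."""
    k = M.bit_length() - 1
    if M < 1 or (1 << k) != M:
        # The slide's "problem": no plain butterfly when log2(M) is not an integer.
        raise ValueError("butterfly needs M to be a power of two")
    return [[(v, v ^ (1 << l)) for v in range(M)] for l in range(k)]

def output_distribution(layers, start, M):
    """O_start: exact distribution of a pebble dropped on vertex `start`."""
    dist = [Fraction(0)] * M
    dist[start] = Fraction(1)
    for layer in layers:
        nxt = [Fraction(0)] * M
        for v, p in enumerate(dist):
            if p:
                for w in layer[v]:
                    nxt[w] += p / len(layer[v])   # uniform choice of out-edge
        dist = nxt
    return dist

def obscurity(layers, M):
    """max over start vertices i of the L1 distance between O_i and uniform U_M."""
    u = Fraction(1, M)
    return max(
        sum(abs(p - u) for p in output_distribution(layers, i, M))
        for i in range(M)
    )

if __name__ == "__main__":
    full = butterfly_layers(8)
    print("full butterfly, M=8:", obscurity(full, 8))        # 0 -> 0-obscurant
    print("one layer removed  :", obscurity(full[:2], 8))    # pebble reaches only 4 of 8
    try:
        butterfly_layers(5)
    except ValueError as exc:
        print("M=5:", exc)
```

Dropping a single layer leaves each pebble spread over only half the outputs, which is why the depth of the embedded network matters for the bound.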
18
Proof Sketch
Example Network (figure omitted)
Init; Repeat $t = \log(M) + \log(\varepsilon^{-1})$ times.
Z=4, M=5, k=M-Z=1
19
Proof Sketch
Making sure we find an embedding
Lemma [Alo01]: Let G=(V,E) be a graph and assume: then:
Meaning: We have a probability of finding all-honest crossovers.
20
Proof Sketch
Using the following chain rule, we can analyze the route of each player by itself:
$I(\Pi:C) = I(\Pi(1):C) + I(\Pi(2):C \mid \Pi(1)) + \dots$ α(N)
The trick is to bound the amount of information the adversary has on each player.
21
Proof Sketch
Prior Information
Link each vertex $v_i(t)$ with $v_i(T-t)$, and reveal all data to the adversary if either one is adaptive.
Effectively we have created a folding of the network (figure omitted).
22
Proof Sketch
We receive the same game, with T/2 steps and $f^2$ probability of an honest link.
We show that: I(П (T) :C=(C 1,C 2 )) I(П (T/2) :C 1,C 2 ):
23
Conclusion
Theorem: Assume our protocol runs in a network with N nodes, N(N-1)/2 communication links, some constant fraction of which are honest, then the protocol is α(n)-unlinkable when T(log(N)log 2 (N/α(n)).
24
Future Work
Incomplete network graph.
Malicious behavior.
Multi-shot games.
Dynamic network topology changes.
25
Applications
More realistic approach – a link is honest some of the time.
Donor privacy – the ability to donate items and answer requests, without being identified.
26
Questions?