Presentation is loading. Please wait.

Presentation is loading. Please wait.

Anonymity Analysis of Onion Routing in the Universally Composable Framework Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research.

Published byAugustus Wright Modified over 9 years ago

Similar presentations

Presentation on theme: "Anonymity Analysis of Onion Routing in the Universally Composable Framework Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research."— Presentation transcript:

1 Anonymity Analysis of Onion Routing in the Universally Composable Framework Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research Laboratory Provable Privacy Workshop July 9, 2012

2 Problem ● [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis ● [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis ● […] - How do we apply results in standard cryptographic models? ● [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis ● [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

3 Solution ● Formalize abstract (black-box) model of onion routing in UC framework ● Focus on information leaked ● Anonymity analysis on earlier abstract model is inherited by UC version

4 Problem ● [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis ● [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis ● […] - How do we apply results in standard cryptographic models? ● [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis ● [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

5 I/O-automata model u 12 3 4 5 d User u running client Internet destination d Onion routing relays Adversary controls relays Encrypted onion-routing hop Unencrypted onion-routing hop

6 I/O-automata model u 12 3 4 5 d Main theorem: Adversary can only determine parts of a circuit it controls or is next to. u12

7 I/O-automata model u12 3 4 5 d 1. 2. 3. 4. v w e f

8 I/O-automata model u12 3 4 5 d 1.First router compromised 2. 3. 4. v w e f

9 I/O-automata model u12 3 4 5 d 1.First router compromised 2.Last router compromised 3. 4. v w e f

10 I/O-automata model u12 3 4 5 d 1.First router compromised 2.Last router compromised 3.First and last compromised 4. v w e f

11 I/O-automata model u12 3 4 5 d 1.First router compromised 2.Last router compromised 3.First and last compromised 4.Neither first nor last compromised v w e f

12 Problem ● [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis ● [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis ● […] - How do we apply results in standard cryptographic models? ● [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis ● [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

13 Black-box Abstraction ud v w e f

14 ud v w e f 1. Users choose a destination

15 Black-box Abstraction ud v w e f 1. Users choose a destination 2.Some inputs are observed

16 Black-box Abstraction ud v w e f 1. Users choose a destination 2.Some inputs are observed 3.Some outputs are observed

17 Black-box Anonymity ud v w e f The adversary can link observed inputs and outputs of the same user.

18 Black-box Anonymity ud v w e f The adversary can link observed inputs and outputs of the same user. Any configuration consistent with these observations is indistinguishable to the adversary.

19 Black-box Anonymity ud v w e f The adversary can link observed inputs and outputs of the same user. Any configuration consistent with these observations is indistinguishable to the adversary.

20 Black-box Anonymity ud v w e f The adversary can link observed inputs and outputs of the same user. Any configuration consistent with these observations is indistinguishable to the adversary.

21 Probabilistic Black-box ud v w e f

22 ud v w e f Each user v selects a destination from distribution p v pupu

23 Probabilistic Black-box ud v w e f Each user v selects a destination from distribution p v Inputs and outputs are observed independently with probability b pupu

24 Problem ● [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis ● [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis ● […] - How do we apply results in standard cryptographic models? ● [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis ● [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

25 Problem ● [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis ● [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis ● [FJS12] – Onion-routing UC formalization - “Free” probabilistic anonymity analysis ● [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis ● [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

26 Onion-Routing UC Ideal Functionality u with probability b ø with probability 1-b x y Upon receiving destination d from user U d with probability b ø with probability 1-b Send (x,y) to the adversary. F OR

27 Black-box Model ● Ideal functionality F OR ● Environment assumptions – Each user gets a destination – Destination for user u chosen from distribution p u ● Adversary compromises a fraction b of routers before execution

28 UC Formalization ● Captures necessary properties of any crytographic implementation ● Easy to analyze resulting information leaks ● Functionality is a composable primitive ● Anonymity results are valid in probabilistic version of I/O-automata model

29 Anonymity Analysis of Black Box ● Can lower bound expected anonymity with standard approximation: b 2 + (1-b 2 )p u d ● Worst case for anonymity is when user acts exactly unlike or exactly like others ● Worst-case anonymity is typically as if √b routers compromised: b + (1-b)p u d ● Anonymity in typical situations approaches lower bound

30 Future Extensions ● Compromised links ● Non-uniform path selection ● Heterogeneous path selection ● Anonymity over time

31 Problem ● [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis ● [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis ● [FJS12] – Onion-routing UC formalization - “Free” probabilistic anonymity analysis ● [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis ● [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

32 [BGKM12] Ideal Functionality ● Functionality can actually send messages ● Needs wrapper to hide irrelevant circuit-building options ● Shown to UC-emulate F OR

33 References [BGKM12] Provably Secure and Practical Onion Routing, by Michael Backes, Ian Goldberg, Aniket Kate, and Esfandiar Mohammadi, in CSF12. [CL05] A Formal Treatment of Onion Routing, by Jan Camenisch and Anna Lysyanskaya, in CRYPTO 05. [FJS07a] A Model of Onion Routing with Provable Anonymity, by Joan Feigenbaum, Aaron Johnson, and Paul Syverson, in FC07. [FJS07b] Probabilistic Analysis of Onion Routing in a Black-box Model, id., in WPES07. [FJS12] A Probabilistic Analysis of Onion Routing in a Black-box Model, id. in TISSEC (forthcoming)

Download ppt "Anonymity Analysis of Onion Routing in the Universally Composable Framework Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research."

Similar presentations

Aaron Johnson with Joan Feigenbaum Paul Syverson

Aaron Johnson with Joan Feigenbaum Paul Syverson
Provable Unlinkability Against Traffic Analysis Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University.

Provable Unlinkability Against Traffic Analysis Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University.
A Probabilistic Analysis of Onion Routing in a Black-box Model 10/29/2007 Workshop on Privacy in the Electronic Society Aaron Johnson (Yale) with Joan.

A Probabilistic Analysis of Onion Routing in a Black-box Model 10/29/2007 Workshop on Privacy in the Electronic Society Aaron Johnson (Yale) with Joan.
A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)

A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)
Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.

Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.
Tor: The Second-Generation Onion Router

Tor: The Second-Generation Onion Router
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
LASTor: A Low-Latency AS-Aware Tor Client

LASTor: A Low-Latency AS-Aware Tor Client
LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research Laboratory 20th Annual Network & Distributed.

LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research Laboratory 20th Annual Network & Distributed.
Trust-based Anonymous Communication: Models and Routing Algorithms Aaron Johnson Paul Syverson Roger Dingledine Nick Mathewson U.S. Naval Research Laboratory.

Trust-based Anonymous Communication: Models and Routing Algorithms Aaron Johnson Paul Syverson Roger Dingledine Nick Mathewson U.S. Naval Research Laboratory.
Onion Routing Security Analysis Aaron Johnson U.S. Naval Research Laboratory DC-Area Anonymity, Privacy, and Security Seminar.

Onion Routing Security Analysis Aaron Johnson U.S. Naval Research Laboratory DC-Area Anonymity, Privacy, and Security Seminar.
How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.

How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.
1 Analyzing Anonymity Protocols 1.Analyzing onion-routing security 1.Anonymity Analysis of Onion Routing in the Universally Composable Framework in Provable.

1 Analyzing Anonymity Protocols 1.Analyzing onion-routing security 1.Anonymity Analysis of Onion Routing in the Universally Composable Framework in Provable.
Location-Aware Onion Routing Aaron Johnson U.S. Naval Research Laboratory IEEE Symposium on Security and Privacy May 19, 2015.

Location-Aware Onion Routing Aaron Johnson U.S. Naval Research Laboratory IEEE Symposium on Security and Privacy May 19, 2015.
Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.

Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.
1 Modeling and Analysis of Anonymous-Communication Systems Joan Feigenbaum WITS’08; Princeton NJ; June 18, 2008 Acknowledgement:

1 Modeling and Analysis of Anonymous-Communication Systems Joan Feigenbaum WITS’08; Princeton NJ; June 18, 2008 Acknowledgement:
1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.

1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.
Dynamic Hypercube Topology Stefan Schmid URAW 2005 Upper Rhine Algorithms Workshop University of Tübingen, Germany.

Dynamic Hypercube Topology Stefan Schmid URAW 2005 Upper Rhine Algorithms Workshop University of Tübingen, Germany.
Privacy on the Web Gertzman Lora Krakov Lena. Why privacy? Privacy is the number one consumer issue facing the internet. An eavesdropper (server, service.

Privacy on the Web Gertzman Lora Krakov Lena. Why privacy? Privacy is the number one consumer issue facing the internet. An eavesdropper (server, service.
I NTERNET A NONYMITY By Esra Erdin. Introduction Types of Anonymity Systems TOR Overview Working Mechanism of TOR I2P Overview Working Mechanism of I2P.

I NTERNET A NONYMITY By Esra Erdin. Introduction Types of Anonymity Systems TOR Overview Working Mechanism of TOR I2P Overview Working Mechanism of I2P.

Similar presentations

Ads by Google