Presentation is loading. Please wait.

Presentation is loading. Please wait.

Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003."— Presentation transcript:

1 Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003

2 What is it? Imagine Alice wants to send a message to Bob, but doesn’t want anyone, including Bob himself, to know she sent it Imagine Bob wants to receive messages, but doesn’t want anyone, including the sender, to know he received it

3 Anonymous Communication Study of how to facilitate communication while hiding who is talking to whom. Applicable to: Privacy in e-Commerce and in general Anonymous Bulletin Boards, i.e. AA Music Trading Freedom of speech

4 The Problem Really two different problems: Sender anonymity – hiding the honest sender (originator) of a message Receiver anonymity – hiding the intended recipient of a message sent by an honest sender Intuitively hard: Underlying network is not anonymous, even if it is secure

5 Hiding from whom? Many possibilities, but here are some common ones: Honest-but-curious users Passive, global eavesdropping (secure channels) Honest-but-curious group of users Malicious group of users Malicious group of users with eavesdropping Malicious group of users with eavesdropping and the ability to drop packets

6 Not Easy… How do you show that someone can’t do something? As is typical in cryptography… …show that if they can, they can also do something that we think/know is really hard – a reduction Assumed adversary is normally very powerful

7 Scenario Anonymous service provider Anonymous communications network Sender and receiver anonymity, as described before A request comes in for service Considering the need for anonymity, do you respond?

8 Scenario 1 Response No! Why? Sender and receiver anonymity don’t protect you If sender is an adversary, and he was able to make it so that you are the only honest user to receive that request, then by responding, you reveal your identity

9 New Definition This particular attack motivates the search for a new property: For lack of a better name, receiver anonymity 2 It is a protection for the receiver: There are always x honest receipients of every message, for definition of x Not a necessary property, but it seems important for an anonymous communications protocol to be intuitively “useful” – i.e. two- way communication

10 A Reduction Byzantine Agreement: Essentially a protocol for reliable broadcast At the end, every participant has the same value sent by the sender Authenticated Byzantine Agreement: Same problem, but now we can sign messages Result: If a protocol is receiver anonymous 2, then it is at least as hard as Authenticated Byzantine Agreement. BA and ABA are well-studied “hard” problems, and have many well-known characteristics, including lower bounds, that make this reduction very useful.

11 Break time! Any questions?

12 And now for something completely different…

13 Non-Participation The most evil of all adversarial strategies: Equivalent to pretending to be deaf when someone is talking to you -- very rude, but very effective at stopping communication Apparently fatal to several attempts at anonymous communication

14 Why is it so evil? Because it is non-localized: Non-participation problems are between pairs of users Impossible to tell which user is bad Protocols that are resistant are so because they show adaptivity They modify themselves to no longer require those users to communicate, while not losing anonymity or gaining complexity

15 Tricks and Tips Important facts: Two honest users will never not participate, so they will always communicate Every pair that no longer communicates has at least one adversary If we look at the connection graph, we see interesting properties

16 Connection Graph We assume intially a complete connection graph This is just an example connection graph of 4 honest users and 5 adversary users Blue honest users form a complete subgraph Red adversary users form an arbitrary connected subgraph

17 Tricks and Tips 2 The complexity of a protocol can typically be tied to properties of the connection graph In some situations it is possible that the adversary has to or can be forced to mimic this behavior This places constraints on his ability to interfere

18 Example: Non-Participation in k-AMT Problem: How to broadcast a message to a group of users when some of them want to prevent it Adversary wants to: Prevent it if possible, but Slow it down if not Solutions?

19 Solution After every broadcast, if you were expecting a message and didn’t get it, complain! Everyone who got it sends it to the complainer Because we assume a reliable network, he must have gotten it now!

20 Solution Analysis Works well, but seems to introduce additional communication complexity: An adversary (or a set of them) can complain every round Since this forces everyone to send the broadcast to him, he receives multiple copies => Bit inefficiency

21 Another Way Use the connection graph! If you don’t get a message, complain. Everyone removes that edge in the connection graph, and redefines the broadcast patterns to not use that edge If the graph is connected, it is always possible and easy to do optimally Problem: an adversary can make the diameter of the connection graph really big, thus making broadcast take many rounds

22 Neat Trick Require that every node be part of a complete subgraph of size k Since honest users always will be, then it doesn’t hurt them Result: By requiring the adversary to do it as well, we can bound the maximum diameter of the connection graph at 3n/k versus

23 Consequences Only works because we consider anonymity to be broken anyway if there are less than k honest users in a group (k-anonymity) Efficiency: No additional bit complexity Possibly additional rounds, but bounded by a small constant dependant on the size of the group and k

24 Just the beginning Just scratches the surface of anonymity: Formal models Different techniques Parallels to data anonymity Extensions of the idea itself In other words, lots of fun left…

25 Thank you for your time! That’s it! Any questions?

Download ppt "Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003."

Similar presentations

Provable Unlinkability Against Traffic Analysis Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University.

Provable Unlinkability Against Traffic Analysis Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University.
Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.

1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.
Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Agreement: Byzantine Generals UNIVERSITY of WISCONSIN-MADISON Computer Sciences Department CS 739 Distributed Systems Andrea C. Arpaci-Dusseau Paper: “The.

Agreement: Byzantine Generals UNIVERSITY of WISCONSIN-MADISON Computer Sciences Department CS 739 Distributed Systems Andrea C. Arpaci-Dusseau Paper: “The.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
COVERT MULTI-PARTY COMPUTATION YINMENG ZHANG ALADDIN REU 2005 LUIS VON AHN MANUEL BLUM.

COVERT MULTI-PARTY COMPUTATION YINMENG ZHANG ALADDIN REU 2005 LUIS VON AHN MANUEL BLUM.
1 Complexity of Network Synchronization Raeda Naamnieh.

1 Complexity of Network Synchronization Raeda Naamnieh.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CPSC 689: Discrete Algorithms for Mobile and Wireless Systems Spring 2009 Prof. Jennifer Welch.

CPSC 689: Discrete Algorithms for Mobile and Wireless Systems Spring 2009 Prof. Jennifer Welch.
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Adaptive Security for Wireless Sensor Networks Master Thesis – June 2006.

Adaptive Security for Wireless Sensor Networks Master Thesis – June 2006.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

Similar presentations

Ads by Google