Provable Unlinkability Against Traffic Analysis Amnon Ta-Shma Joint work with Ron Berman and Amos Fiat School of Computer Science, Tel-Aviv University.


1 Provable Unlinkability Against Traffic Analysis Amnon Ta-Shma Joint work with Ron Berman and Amos Fiat School of Computer Science, Tel-Aviv University

2 Problem definition M senders S = {s_1 … s_M} and M receivers R = {r_1 … r_M}. N nodes in a complete synchronous communication network. A public key infrastructure (PKI). We assume some of the links are honest, and some are dishonest. We look for a protocol such that the messages arrive at their destination, yet the adversary knows very little about the matching Π: S → R.

3 A very basic problem A tremendous amount of work. Many practical systems and protocols. Relevant in peer to peer data exchange. Forms a basis to many other protocols, such as electronic cash systems and voting schemes.

4 Chaum’s work (1979) Chaum (1979) showed that using onion routing, one can assume the adversary is restricted to traffic analysis. Unlinkability was never proven. In fact, Chaum’s protocol is insecure. Chaum’s work is the basis for most later work.

5 First Attempt (1993) Chaumian-MIX (1979): Unproven security (in fact: insecure). Requires dummy traffic. RS (1993): Proven security. Not efficient (all players play all time). Requires secure computation. Many FUZZY attempts.

6 Entirely Different Attempts Dining Cryptographers: Proven security. Not efficient (all players must play all time). Requires shared randomness. Requires broadcast. Crowds: Proven (very) weak security. Busses: Proven security. Not efficient (all players play all time).

7 Our Contribution A set of simple equivalent measures of unlinkability. A connection with Information Theory. Rigorous proof. We can extend the proof to realistic adversaries that have prior knowledge. We rely on Chaum’s ideas, but we replace FUZZY security with proven security.

8 What is Unlinkability?

9 What is unlinkability? Π - actual permutation that took place during communication. C - information the adversary has. 0/1 matrix, with 1 indicating a communication line being used. We would like to formalize: Almost always: Π does not carry information about C.

10 What is unlinkability? 1. 2. 3. Mutual information - I(X:Y) = H(X) + H(Y) - H(X,Y). How much info does one RV convey on another. All definitions are equivalent.

11 The Protocol

12 The Protocol (almost Chaum) Forward: Alice chooses v_1 … v_{t-1}, v_0 = Alice, v_T = Bob. Alice randomly chooses r_1 … r_T return keys. Each onion layer i contains: Address of next node en route (v_{i+1}). Return key r_i saved by node i. Unique identifier z_i. Encrypted onion part sent to v_{i+1}.

13 Our Protocol: Example [Figure: example run, nodes 1-5 repeated across layers]

14 Chaum vs. Us 1. Chaum assumes the adversary controls all links; we assume the adversary controls only most links. 2. In Chaum, honest messages mix within an honest node (and so every vertex waits until it receives at least two messages). In our scheme, honest messages mix in honest links. 3. Chaum’s protocol is insecure, unless all honest players play all the time. Ours is secure even if honest players play only when required.

15 The Proof

16 Proof Idea We show the communication pattern contains many honest crossovers, and these crossovers hide enough information. [Figure: a crossover between paths 1→1’, 2→2’, 3→3’]

17 Honest Crossovers are Abundant No matter how the adversary chooses its links: Lemma [Alo01]: Let G=(V,E) be a graph and assume: then:

18 So what do we do with an honest crossover? We would like to: First, prove that every single player is protected. Second, prove that no information is leaked about the group behavior. The chain rule becomes handy: I(Π:C) = I(Π(1):C) + I(Π(2):C|Π(1)) + …

19 Obscurant Networks Crossover Network – Each vertex has in-degree and out-degree one or two. O_i – The probability distribution of output when a pebble is put on starting vertex i. A network is ε-obscurant if |O_i - U_M| ≤ ε. [Figure: crossover vertex with edge probabilities 0.5 and 1]

20 Simple Obscurant Networks Exist. For a power of two: the butterfly is 0-obscurant. For other input lengths, we give a construction. [Figure: networks B_4 and P_4]
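The obscurant-network definition from slides 19-20, worked through as an added example (not part of the original presentation). It computes O_i exactly for a butterfly on M = 2^k inputs and shows how ε grows when one crossover is observed; the function names, the L1 norm for |O_i - U_M|, and modelling an observed crossover as an out-degree-one pass-through are assumptions of this sketch.

```python
from fractions import Fraction

def butterfly_layers(k):
    """Layer j pairs position p with p XOR 2^j: butterfly wiring on M = 2^k inputs."""
    return [[(p, p | (1 << j)) for p in range(1 << k) if not p & (1 << j)]
            for j in range(k)]

def output_distribution(M, layers, start, honest=lambda j, pair: True):
    """O_start: exact distribution of the pebble's final position, as the adversary sees it."""
    dist = [Fraction(0)] * M
    dist[start] = Fraction(1)
    for j, pairs in enumerate(layers):
        nxt = list(dist)
        for a, b in pairs:
            if honest(j, (a, b)):
                # Honest crossover: out-degree two, each output taken with probability 1/2.
                nxt[a] = nxt[b] = (dist[a] + dist[b]) / 2
            # Assumption: an observed crossover hides nothing, so it is modelled
            # as out-degree one and the pebble's mass passes straight through.
        dist = nxt
    return dist

def obscurance(M, layers, honest=lambda j, pair: True):
    """Smallest eps such that |O_i - U_M| <= eps for every start i (L1 norm assumed)."""
    u = Fraction(1, M)
    return max(sum(abs(p - u) for p in output_distribution(M, layers, i, honest))
               for i in range(M))

if __name__ == "__main__":
    M, layers = 8, butterfly_layers(3)
    print("full butterfly:", obscurance(M, layers))
    # Constructed scenarios: exactly one crossover is visible to the adversary.
    print("last-layer crossover (0,4) observed:",
          obscurance(M, layers, lambda j, pr: (j, pr) != (2, (0, 4))))
    print("first-layer crossover (0,1) observed:",
          obscurance(M, layers, lambda j, pr: (j, pr) != (0, (0, 1))))
```

A single observed crossover in the first layer already leaves some start vertex at L1 distance 1 from uniform, which is why the proof looks for a complete obscurant network embedded among the honest crossovers rather than counting honest crossovers alone.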

21 We look for an embedding of an obscurant network. [Figure: nodes 1-5 repeated across layers]

22 Theorem Assume our protocol runs in a network with N nodes, N(N-1)/2 communication links, some constant fraction of which are honest. Then the protocol is α(n)-unlinkable when run T ≥ Ω(log(N) log^2(N/α(n))) steps.

23 Prior Information

24 The Question Does the security proof hold when the adversary has extensive, a-priori information? E.g., people like to correspond with people speaking their language… Much mail goes within organizations… A very realistic concern.

25 We can handle even Prior Information! Link each vertex v_i(t) with its corresponding vertex at level T-t, and reveal all data to the adversary if either link is curious. We prove the adversary still does not get much information about the middle layer. We conclude from that that the adversary does not learn much information about the permutation.

26 Folding We have a folding of the network, and we return to the original problem with f^2!! [Figure: folded network on nodes 1-5]

27 Extensions and Open Questions

28 Extensions More realistic approach – a link is honest some of the time. Donor privacy – the ability to donate items and answer requests, without being identified.

29 Open Questions Incomplete network graph. Malicious behavior. Multi-shot games. Dynamic network topology changes.

30 The END

31 Example Network Proof Sketch Init. Repeat t = log(M) + log(ε^{-1}) times. Z=4, M=5, k=M-Z=1 [Figure: example network]

