Provable Unlinkability Against Traffic Analysis
Ron Berman
Joint work with Amos Fiat and Amnon Ta-Shma
School of Computer Science, Tel-Aviv University
Outline
• Is it interesting?
• Our contribution.
• Problem definition.
• What is unlinkability?
• Related work.
• The protocol.
• Proof sketch.
• Prior information.
• Application: Donor Anonymity.
Is it interesting?
• A tremendous amount of work on the subject.
• Many practical systems, protocols and solutions.
• Relevant today in the context of peer to peer data exchange.
Our Contribution
• A set of simple equivalent measurements for unlinkability.
• Rigorous analysis and proof using information theory.
• Solution (and proof) for prior knowledge.
Problem definition
• N nodes in a complete network graph.
• Synchronous network with bounds on message travel times.
• A public key infrastructure (PKI) is widely available.
• Given senders S=s1…sM and receivers R=r1…rM of messages, we would like the matching Π: S→R to remain unknown to an adversary.
• At least some of the links are honest.
Problem definition
• Chaum (1981) had shown that using onion-routing, one can assume that the adversary is restricted to traffic analysis.
• The unlinkability properties hadn’t been proven, and the original protocol is actually insecure.
• We heavily rely on Chaum’s ideas, with some limitations to the adversary.
What is unlinkability?
• Π - actual permutation that took place during communication.
• C - information the adversary has. 0/1 matrix, with 1 indicating a communication line being used.
1. 2. 3.
• Mutual information - I(X:Y) = H(X) + H(Y) - H(X,Y). How much info does one RV convey on another.
• All definitions are equivalent.
1
Pr | 93C C RS
1Pr |c C C c
I(Π:C)
Related Work
• Chaumian-MIX
– Unproven security.
– Requires dummy traffic.
– Not efficient.
• Dining Cryptographers
– Proven security.
– Not efficient (all players must play each round).
– Requires shared randomness.
– Requires broadcast.
• Crowds
– Proven weak security.
• Busses
– Proven security.
– Not efficient.
• AMPC
– Proven weak security.
– Not efficient.
• RS93
– Proven security.
– Not efficient.
– Requires secure computation.
The Protocol
Forward:
• Alice chooses v1…vt-1 and sets v0=Alice, vT=Bob.
• Alice randomly chooses r1…rT return keys.
• Each onion layer i contains:
– Address of next node en route (vi+1).
– Return key ri saved by node i.
– Unique identifier zi.
– Encrypted onion part sent to vi+1.
• Message return is done in a similar way to Chaum’s.
Our Protocol: Example
[Figure: example with node labels 1 to 5 and 1R to 5R]
Proof Sketch
• Using the following chain rule, we can analyze the route of each player by itself:
I(Π:C) = I(Π(1):C) + I(Π(2):C|Π(1)) + … ≤ α(N)
• The trick is to bound the amount of information the adversary has on each player.
• We would like to show that the communications pattern contains a lot of honest crossovers:
[Figure: crossovers, labelled 1, 2, 3 and 1', 2', 3']
• And that these crossovers hide enough information.
• We show how to find an embedding of a structure of crossovers in the actual communications pattern.
• We call this structure of crossovers “obscurant networks”.
Example embedding
[Figure: example embedding; five columns of nodes labelled 1 to 5]
Obscurant Networks
• Network – layered directed circuit with same number of vertices on each layer.
• Crossover Network – Each vertex has in-degree and out-degree one or two.
• Oi – The probability distribution of output when a pebble is put on starting vertex i.
[Figure: crossover network with edge probabilities 0.5 and 1]
• A network is ε-obscurant if |Oi-UM|≤ε.
• Example: The butterfly network is 0-obscurant.
• The problem: what happens when log2(M) is not an integer.
• We use two basic components:
[Figure: the two components, B4 and P4]
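Added example (not from the slides): an exact computation of the output distribution Oi for a butterfly network, checking the 0-obscurant claim above and showing what happens with too few layers. The L1 norm for |Oi-UM|, the modelling of a crossover whose setting the adversary knows as a fixed straight-through switch, and all function names are assumptions made for this illustration.

```python
from fractions import Fraction

def butterfly_layers(k):
    """Layer j of a 2**k-wire butterfly pairs wire i with wire i XOR 2**j."""
    return [[(i, i ^ (1 << j)) for i in range(1 << k) if not i & (1 << j)]
            for j in range(k)]

def output_distribution(m, layers, start, known=frozenset()):
    """Exact O_start: where a pebble placed on `start` ends up, over m wires.

    A crossover (a, b) sends an incoming pebble to a or b with probability
    1/2 each. Crossovers listed in `known` as (layer, a, b) are modelled
    (assumption) as straight-through: the observer knows the switch setting.
    """
    dist = [Fraction(0)] * m
    dist[start] = Fraction(1)
    for j, layer in enumerate(layers):
        nxt = list(dist)              # wires outside any crossover keep their mass
        for a, b in layer:
            if (j, a, b) in known:
                continue              # no mixing at a known crossover
            nxt[a] = nxt[b] = (dist[a] + dist[b]) / 2
        dist = nxt
    return dist

def obscurance(m, layers, known=frozenset()):
    """Smallest eps such that |O_i - U_M|_1 <= eps for every start vertex i."""
    u = Fraction(1, m)
    return max(sum(abs(p - u) for p in output_distribution(m, layers, i, known))
               for i in range(m))

if __name__ == "__main__":
    layers = butterfly_layers(3)                       # M = 8, log2(M) = 3 layers
    print("full butterfly:", obscurance(8, layers))
    print("one layer short:", obscurance(8, layers[:2]))
    print("last-layer crossover (0,4) known:", obscurance(8, layers, {(2, 0, 4)}))
```
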
Example Network
[Figure: example network with an "Init" stage followed by a stage repeated t=log(M)+log(ε^-1) times; Z=4, M=5, k=M-Z=1]
Making sure we find an embedding
• Lemma [Alo01]: Let G=(V,E) be a graph and assume:
$|E| \ge f \binom{|V|}{2}$
then:
$\Pr_{a,b,c,d \in V}\left[(a,c), (a,d), (b,c), (b,d) \in E\right] \ge f^4$
• Meaning: We have a probability of finding all-honest crossovers.
• Using the following chain rule, we can analyze the route of each player by itself:
I(Π:C) = I(Π(1):C) + I(Π(2):C|Π(1)) + … ≤ α(N)
• The trick is to bound the amount of information the adversary has on each player.
Prior Information
• Link each vertex vi(t) with vi(T-t), and reveal all data to the adversary if either one is adaptive.
• Effectively we have created a folding of the network:
[Figure: folded network; columns of nodes labelled 1 to 5]
• We receive the same game, with T/2 steps and f^2 probability of honest link.
• We show that: I(Π(T):C=(C1,C2)) ≤ I(Π(T/2):C1,C2):
Conclusion
Theorem
Assume our protocol runs in a network with N nodes and N(N-1)/2 communication links, some constant fraction of which are honest. Then the protocol is α(n)-unlinkable when T≥Ω(log(N)log2(N/α(n))).
Future Work
• Incomplete network graph.
• Malicious behavior.
• Multi-shot games.
• Dynamic network topology changes.
Applications
• More realistic approach – a link is honest some of the time.
• Donor privacy – the ability to donate items and answer requests, without being identified.
Questions?