Page 1
Analyzing Anonymity Protocols
1. Analyzing onion-routing security
   1. Anonymity Analysis of Onion Routing in the Universally Composable Framework, in Provable Privacy Workshop 2012
   2. A Probabilistic Analysis of Onion Routing in a Black-box Model, in TISSEC (forthcoming)
   by Joan Feigenbaum, Aaron Johnson, and Paul Syverson
2. Analyzing Dissent security
   1. Ongoing work with Ewa Syta, Henry Corrigan-Gibbs, Shu-Chun Weng, and Bryan Ford
Page 2
Analyzing Onion-Routing Security
● Abstract (black-box) model of onion routing
● Use Universally Composable (UC) framework
● Focus on information leaked
● Perform anonymity analysis on model
Page 3
Onion-Routing Ideal Functionality $F_{OR}$
Upon receiving destination $d$ from user $u$:
  $x = u$ with probability $b$, $x = \varnothing$ with probability $1-b$
  $y = d$ with probability $b$, $y = \varnothing$ with probability $1-b$
  Send $(x, y)$ to the adversary.
Page 4
Black-box Model
● Ideal functionality $F_{OR}$
● Environment assumptions
  – Each user gets a destination
  – Destination for user $u$ chosen from distribution $p^u$
● Adversary compromises a fraction $b$ of routers before execution
Page 5
Anonymity Analysis of Black Box
● Can lower bound expected anonymity with standard approximation: $b^2 + (1-b^2)\,p^u_d$
● Worst case for anonymity is when user acts exactly unlike or exactly like others
● Worst-case anonymity is typically as if $\sqrt{b}$ routers compromised: $b + (1-b)\,p^u_d$
● Anonymity in typical situations approaches lower bound
Page 6
Other ideal functionality
● Provably Secure and Practical Onion Routing, by Backes, Kate, Goldberg, and Mohammadi, Computer Security Foundations Symposium 2012
● Functional primitive
● Shown to UC-emulate $F_{OR}$
Page 7
Analyzing Dissent security
● Fully rigorous definitions and proofs
  – Anonymity
  – Accountability
  – Integrity
● Standard sequence-of-games anonymity proofs
● Discovered flaws
Page 8
Discovered flaws
1. Adversary can unaccountably duplicate honest users’ plaintexts.
2. Commitments must be non-malleable.
3. Adversary can submit self-duplicates to cause failure with no blame.
4. Equivocation during broadcast can cause inconsistent final state.
5. Some validation checks missing
Page 9
Discovered Shuffle Flaws
[Figure: shuffle across parties 1, 2, 3. Stages: {I1}1:3, {I2}1:3, {I3}1:3 → {I2}2:3, {I1}2:3, {I3}2:3 → {I1}3, {I3}3, {I2}3 → I2, I3, I1 → m2, m3, m1]
Page 10
Discovered Shuffle Flaws
[Figure: shuffle across parties 1, 2, 3. Stages: {I2}1:3, {I2}1:3, {I3}1:3 → {I2}2:3, {I2}2:3, {I3}2:3 → {I2}3, {I3}3, {I2}3 → I2, I3, I2]
Problem 1: Client duplication, no blame
Page 11
Discovered Shuffle Flaws
[Figure: shuffle across parties 1, 2, 3. Stages: {I2}1:3, {I2}1:3, {I3}1:3 → {I2}2:3, {I2}2:3, {I3}2:3 → {I2}3, {I3}3, {I2}3 → I2, I3, I2]
Problem 1: Client duplication, no blame
Solution: Commit to messages first.
Page 12
Discovered Shuffle Flaws
[Figure: shuffle across parties 1, 2, 3. Stages: {I2}1:3, {I2}1:3, {I3}1:3 → {I2}2:3, {I2}2:3, {I3}2:3 → {I2}3, {I3}3, {I2}3 → I2, I3, I2]
Problem 1: Client duplication, no blame
Solution: Commit to messages first non-malleably.
Page 16
Discovered Shuffle Flaws
[Figure: shuffle across parties 1, 2, 3. Stages: {I1}1:3, {I1}1:3, {I3}1:3 → {I1}2:3, {I1}2:3, {I3}2:3 → {I1}3, {I1}3, {I1}3 → I1, I3, I1]
Problem 3: Self-duplication, no blame
Page 17
Discovered Shuffle Flaws
[Figure: shuffle across parties 1, 2, 3. Stages: {I1}1:3, {I1}1:3, {I3}1:3 → {I1}2:3, {I1}2:3, {I3}2:3 → {I1}3, {I1}3, {I1}3 → I1, I3, I1]
Problem 3: Self-duplication, no blame
Solution: Blame duplicate submitters.
Page 20
Modified Dissent
1. Users non-malleably commit to messages before submission.
2. Duplicate submission punished
3. Explicit reliable broadcasts added
4. Several validation checks added with blame
5. Honest members guaranteed to agree on who to blame
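Added example, not from the slides or from Dissent's code: a verifier for items 1 and 2 above, showing that a copied commitment cannot be opened and that duplicate submitters are blamed. The SHA-256 commitment bound to the committer's identity is an assumed stand-in for a non-malleable commitment (the slides do not name Dissent's scheme); `commit`, `check_round`, `scenarios` and members A, B, C are hypothetical names.

```python
import hashlib, hmac, os
from collections import defaultdict

def commit(member: str, submission: bytes, nonce: bytes) -> bytes:
    """Hash commitment bound to the committer's identity (assumed construction)."""
    h = hashlib.sha256()
    for part in (member.encode(), nonce, submission):
        h.update(len(part).to_bytes(4, "big") + part)  # length prefix: unambiguous
    return h.digest()

def check_round(commitments, openings):
    """commitments: member -> digest; openings: member -> (submission, nonce).
    Returns (go, blamed)."""
    blamed = set()
    # Each opening must verify under the member's own identity, so a copied
    # commitment cannot be opened with the victim's opening.
    for member, digest in commitments.items():
        opening = openings.get(member)
        if opening is None or not hmac.compare_digest(commit(member, *opening), digest):
            blamed.add(member)
    # Honest submissions are randomized ciphertexts (assumption), so equal
    # submissions with valid openings were chosen jointly: blame every submitter.
    groups = defaultdict(list)
    for member in commitments.keys() - blamed:
        groups[openings[member][0]].append(member)
    for members in groups.values():
        if len(members) > 1:
            blamed.update(members)
    return (not blamed, sorted(blamed))

def scenarios():
    """Constructed three-member rounds: honest, copied commitment, self-duplicate."""
    subs = {m: (os.urandom(32), os.urandom(16)) for m in "ABC"}  # stand-in ciphertexts
    honest_c = {m: commit(m, *subs[m]) for m in subs}
    # C replays B's commitment and later B's opening.
    copied_c = dict(honest_c, C=honest_c["B"])
    copied_o = dict(subs, C=subs["B"])
    # A and C each validly commit to the same submission.
    dup_o = dict(subs, C=(subs["A"][0], os.urandom(16)))
    dup_c = {m: commit(m, *dup_o[m]) for m in dup_o}
    return {
        "honest": check_round(honest_c, subs),
        "copied": check_round(copied_c, copied_o),
        "self_duplicate": check_round(dup_c, dup_o),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

In the copied round only the copier is blamed, because the honest member's own opening still verifies.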
Page 21
UC Framework
● Express security primitive as an ideal functionality F
● Construct a protocol Π that UC emulates F
● Running Π can replace using F in any protocol – security composes
Page 22
Sequence of Games Anonymity Proof
● Game 0: Original anonymity game
● Game 1: Replace encrypted descriptors during shuffle with encrypted fixed messages
● Game 2: Replace encrypted random seeds after shuffle with encrypted fixed messages
● Game 3: Replace pseudorandom sequences with random sequences
Page 23
Discovered Shuffle Flaws
[Figure: shuffle across parties 1, 2, 3. Stages: {I1}1:3, {I2}1:3, {I3}1:3 → {I2}2:3, {I2}2:3, {I3}2:3 → {I2}3, {I3}3, {I2}3 → I2, I3, I2 → m2, m3, m2]
Problem 0: Shuffle duplication attack
Page 24
Discovered Shuffle Flaws
[Figure: shuffle across parties 1, 2, 3. Stages: {I1}1:3, {I2}1:3, {I3}1:3 → {I2}2:3, {I2}2:3, {I3}2:3 → {I2}3, {I3}3, {I2}3 → I2, I3, I2]
Problem 0: Shuffle duplication attack
Solution: Duplicates cause NO-GO. Blame lying shuffle.