PIR-Tor: Scalable Anonymous Communication Using Private Information Retrieval

PIR-Tor: Scalable Anonymous Communication Using

Private Information RetrievalPrateek Mittal Femi OlumofinCarmela TroncosoNikita BorisovIan Goldberg

Presented by Justin Chester

Background◦ Tor – Anonymous Routing◦ PIR: Private Information Retrieval

Related Work PIR-Tor Attack Resistance Performance Discussion Conclusion References

Outline

As more and more user services shift online, privacy is a growing concern.

Traditional routing makes it possible to trace online communication back to its source and discover the identity of a sender.

Is this good or bad? They who can give up essential liberty to

obtain a little temporary safety, deserve neither liberty nor safety – Benjamin Franklin

Background

How do we achieve anonymous routing? The Tor framework is a popular onion based

solution that uses a network of ~2000 volunteer relay nodes to move terabytes of data everyday for hundreds of thousands of users, including businesses, law enforcement and other government agencies, journalists, whistleblowers, and many private citizens.

Tor routing works by obtaining a global view of the relay nodes (network consensus) and selecting three to build a circuit. New circuits are constructed every 10 minutes.

Background (cont)

Tor

www.torproject.org

Tor

www.torproject.org

Tor

www.torproject.org

What is wrong with this approach? It is inefficient! “In the near future the Tor

network could be spending more bandwidth for maintaining a global view of the system than for anonymous communication itself.”

Existing solutions to the scalability problem advocate a peer-to-peer paradigm, but these have all been proven insecure.

Instead, use Private Information Retrieval (PIR)

Problem?

Naively, the only way to hide what records are wanted from a server is to download the whole database. This is inefficient.

PIR achieves two things:◦ Information-Theoretic PIR (ITPIR) allows a user to retrieve a

database record from a group of servers, each with a duplicate of the database. Privacy is guaranteed irrespective of the computational power of the servers assuming there is no collusion.

◦ Computational PIR (CPIR) allows a user to privately retrieve records from a single, computationally bound server.

PIR adds a small communication overhead as compared to non-obfuscated database queries while achieving a large savings over the naïve approach.

Private Information Retrieval

Background Related Work

◦ Distributed Hash Table◦ Random Walk

PIR-Tor Attack Resistance Performance Discussion Conclusion References

Outline

Distributed Hash Table (DHT) based Peer to Peer alternatives use a variety of mechanisms to obtain relay info, but are all vulnerable to attack (anonymity compromise).◦ Salsa – information leak attack (lookup observation)◦ NISAN – structure analysis (deterministic lookup)◦ Torsk – zero-day buddy node compromise

Random Walk based Peer to Peer alternatives have no global relay view, but are still vulnerable◦ MorphMix – route capture attack (dirty relay collusion)◦ ShadowWalker – hybrid approach, complicated weakness

Related Work

Background Related Work PIR-Tor

◦ Design Goals◦ System Architecture◦ Database Organization

Attack Resistance Performance Discussion Conclusion References

Outline

Scalable Architecture – more relays = greater anonymity

Security – preserve anonymity through easily analyzed, well-understood mechanisms

Efficient Circuit Creation – reduce latency Minimal Changes – leverage existing

implementations for incremental adoptions Preserving Tor Constraints – uphold all

existing system policies

Design Goals

CPIR at Directory Servers – directory servers are presumed to be untrustworthy

ITPIR at Guard Relays – guards are already trusted in existing model◦ Beats end-to-end timing analysis and selective

denial of service attacks in existing architecture◦ All three guards must be compromised learn

which exit relays were selected◦ Anonymity not broken unless exit node is also

compromised. No worse than existing architecture.

System Architecture

Tor constrains how relays are selected when forming a circuit◦ First node – one of three entry guards◦ Middle node – any relay◦ Last node – exit relay with matching exit policy

Advocate separation into three databases, entry guard, middle, and exit relay. Node can be guard and exit, so entered in both.

Databases should be organized by bandwidth to assist with load distribution. Relays with high bandwidth are chosen with a higher probability.

Exit database should be organized by exit policy first and then by bandwidth. Policies should have a higher degree of standardization than the existing model.

Databases should be block based.

Database Organization

Figure from Mittal et. al

Background Related Work PIR-Tor Attack Resistance

◦ Traffic Analysis & Route Fingerprinting◦ Traffic Confirmation & Behavioral Profiling◦ Reuse Analysis

Performance Discussion Conclusion References

Outline

Traffic Analysis◦ Adversary can observe part of the network and

disrupt traffic.◦ Adversary can corrupt relays and insert relays.

Route Fingerprinting◦ If clients only know a unique set of relays, this can

be used to identify them.◦ Not a problem in current Tor (global view).◦ Would be a problem for Peer-to-Peer methods.◦ Not a problem for PIR-Tor. Even though clients only

have a limited knowledge of the network, PIR techniques prevent attackers from learning.

Attack Resistance

Traffic Confirmation◦ Adversary must control first and last relay in

circuit. Can happen with probability c2, where c is the fraction of compromised bandwidth in network.

◦ This is the same probability as existing Tor Behavioral Profiling

◦ Existing problem in Tor◦ Partitioning◦ Cookies◦ Session Timing◦ Frequently Accessed Hosts

Attack Resistance

PIR-Tor allows the reuse of relays when constructing circuits If an adversary observing an exit relay can assemble an

aggregate behavioral profile for all clients using that exit. The more clients that share knowledge of a block of relay

records, and therefore an exit relay, the less likely an adversary can construct an accurate profile for a given user.

This means there is a tradeoff between load balancing and potential loss of anonymity.

Analysis for b = 1◦ Query returns a set B containing b blocks◦ e: given exit relay, Pr[e] is probability that the returned B contains e. This

depends on the selection algorithm for relays.◦ Fraction of clients that have knowledge of e is α

α = (1 − (1 − Pr[e])b)

Attack Resistance

BW – Bandwidth based relay selectionSB(s) – Snader Borisov relay selection

SB(1) offers best protection, but does not load balance the network well

If, besides the exit relay, the adversary controls the destination of the client traffic, then it can determine the middle relay from the circuit. The probability of two clients sharing knowledge of an exit and middle is much smaller than just sharing an exit. This greatly increases the chance of compromising anonymity.

Figure from Mittal et al.

Background Related Work PIR-Tor Attack Resistance Performance

◦ CPIR◦ ITPIR

Discussion Conclusion References

Outline

Standard CPIR security parameters (l0 = 19 and N = 50) Hardware – dual Intel Xeon E5420 2.50 GHz quad-core

machine running Ubuntu Linux 10.04.1 using only one core Relay descriptor size 2100 bytes (max found in current Tor) Exit database set to half the size of middle database Varied number of relays in PIR database and measured

a) Server computationb) Total communicationc) Client computation

Performance – CPIR

Figure from Mittal et al.

R denotes the CPIR recursion parameter. The communication cost in this scheme is proportional to 8R * n1/(R+1) where n is number of relays in the database.

Increasing R reduces communication (and client computation) drastically while having only a small impact on server computation.

Hardware – dual Intel Xeon E5420 2.50 GHz quad-core machine running Ubuntu Linux 10.04.1 using only one core

Relay descriptor size 2100 bytes (max found in current Tor) Exit database set to half the size of middle database Varied number of relays in PIR database and measured

a) Server computationb) Total communicationc) Client computation

Performance – ITPIR

Figure from Mittal et al.

Compare the performance for when 18 circuits are setup vs. just 1New downloads every 3 hours, new circuit setup every 10 min (6/hour)3 * 6 = 18

In this architecture, block are not reused, so security is equivalent to Tor if all guards are honest

Background Related Work PIR-Tor Attack Resistance Performance Discussion Conclusion References

Outline

CPIR vs. ITPIR Robustness Scaling Strategies Preventing Denial of Service (DoS) Churn Number of Circuits Path Constraints Optional Global View Limitations

Discussion

CPIR is more easily integrated into existing Tor architecture.

CPIR is ideal for short browsing sessions or when the client doesn’t care about circuit linkability.

ITPIR results in great communication savings for the client.

ITPIR supports a variety of workloads while maintaining security

CPIR vs. ITPIR

Each block of the descriptor database is signed by a trusted directory authority to prevent malicious servers from manipulating values.

However, malicious servers can simply return garbage or refuse to reply.

This type of attack is easily detected and avoided by CPIR and ITPIR

Robustness

Download new relay descriptors on demand instead of periodically. This reduces overhead, but increases circuit setup time.

Use micro-descriptors, relay descriptors that contain rarely changing information. Frequently changing info resides in the network consensus (global view). This reduces PIR database sizes with computational and communication savings

Scaling Strategies

Whenever a PIR sever begins to get congested with queries, it can send a computationally hard puzzle for the client to solve.

The server will not spend resources to service the query until a correct answer is recieved

Preventing Denial of Service

As the current Tor network experiences churn, the number of network consensus downloads increases.

As long as the rate of database updates is less than 10 min, the number of PIR queries made should not increase since only a small number of directory servers or guards will need to have the network consensus.

Churn

Communication overhead of PIR-Tor is directly proportional to the number of circuits constructed.

Tor developers are proposing the use of separate circuits for each application used to prevent certain types of profiling attacks.

To compensate, the timeout period can be increased from 10 min to balance overhead

Number of Circuits

There are several proposals to increase the constraints on relay selection◦ Minimize end-to-end timing attacks◦ Applications choose based on performance

Node based selection Link based selection End-to-end based selection

PIR-Tor is easily able to incorporate these constraints by adjusting the relay selection algorithms

Path Constraints

There are cases where it may be beneficial to support global view download in addition to selective download.◦ Research◦ Development◦ Paranoia

Directory servers can be easily modified to support this option.

Optional Global View

Tor is supported by volunteer relays. PIR-Tor requires a tradeoff between bandwidth use and computation, requiring a different commitment from volunteers. However, PIR-Tor reduces overall resource consumption.

Peer-to-Peer alternatives offer better scaling properties, but PIR-Tor offers much better security properties.

The presented analysis of PIR-Tor relies on an assumption about the standardization of exit policies, though outlier can be tolerated

Limitations

Background Related Work PIR-Tor Attack Resistance Performance Discussion Conclusion References

Outline

This paper presents PIR-Tor, a new architecture for the Tor network that leverages existing Private Information Retrieval techniques.◦ Reduces communication overhead by orders of

magnitude◦ Slightly increases computational requirement◦ Preserves or improves security of existing Tor

Compares two roughly equivalent flavors◦ Computational PIR-Tor (CPIR-Tor)◦ Information Theoretic PIR-Tor (ITPIR-Tor)

Conclusion

Tor Project: Overview. 2011. https://www.torproject.org/about/overview.html.en

Benjamin Franklin. 2011. http://en.wikiquote.org/wiki/Benjamin_Franklin

Prateek Mittal, Femi Olumofin, Carmela Troncoso, Nikita Borisov, and Ian Goldberg. PIR-Tor: Scalable anonymous communication using private information retrieval. Technical Re- port CACR 2011-05, Centre for Applied Cryptographic Research, 2011. http://www.cacr.math.uwaterloo.ca/techreports/2011/cacr2011-05.pdf

References