Provable Unlinkability Against Traffic Analysis Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University.
Outline
• Is it interesting?
• Our contribution.
• Problem definition.
• What is unlinkability?
• Related work.
• The protocol.
• Proof sketch.
• Prior information.
• Application: Donor Anonymity.
Is it interesting?
• A tremendous amount of work on the subject.
• Many practical systems, protocols and solutions.
• Relevant today in the context of peer to peer data exchange.
Our Contribution
• A set of simple equivalent measurements for unlinkability.
• Rigorous analysis and proof using information theory.
• Solution (and proof) for prior knowledge.
Problem definition
• N nodes in a complete network graph.
• Synchronous network with bounds on message travel times.
• A public key infrastructure (PKI) is widely available.
• Given senders S=s1…sM and receivers R=r1…rM of messages, we would like the matching Π:S→R to remain unknown to an adversary.
• At least some of the links are honest.
Problem definition
• Chaum (1981) showed that, using onion routing, one can assume that the adversary is restricted to traffic analysis.
• The unlinkability properties were not proven, and the original protocol is actually insecure.
• We rely heavily on Chaum’s ideas, with some limitations on the adversary.
What is unlinkability?
• Π - actual permutation that took place during communication.
• C - information the adversary has. 0/1 matrix, with 1 indicating a communication line being used.
1. 2. 3.
• Mutual information - I(X:Y) = H(X) + H(Y) - H(X,Y). How much info does one RV convey on another.
• All definitions are equivalent.
1
Pr | 93C C RS
1Pr |c C C c
I(Π:C)
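The mutual-information measure above can be evaluated exactly on a small case. This is an added example, not from the slides: it assumes a simplified model with two senders whose messages pass through T crossovers in a row, each honest with probability f, and an adversary view C that records the swap bit of every corrupt crossover.

```python
import itertools
import math
from collections import defaultdict

def entropy(dist):
    """Shannon entropy in bits of a {outcome: probability} map."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def joint_distribution(T, f):
    """Joint law of (Pi, C) for two senders crossing T times in a row.

    Assumed model: each crossover is honest with probability f and swaps
    the two messages with probability 1/2. The view C holds, per crossover,
    the swap bit if the crossover is corrupt and None if it is honest.
    Pi is 0 for the identity matching and 1 for the swapped one.
    """
    joint = defaultdict(float)
    for honest in itertools.product((True, False), repeat=T):
        for swaps in itertools.product((0, 1), repeat=T):
            p = 1.0
            for h in honest:
                p *= (f if h else 1 - f) * 0.5
            pi = sum(swaps) % 2
            view = tuple(None if h else s for h, s in zip(honest, swaps))
            joint[(pi, view)] += p
    return joint

def mutual_information(joint):
    """I(Pi:C) = H(Pi) + H(C) - H(Pi,C), the identity given on the slide."""
    p_pi, p_c = defaultdict(float), defaultdict(float)
    for (pi, view), p in joint.items():
        p_pi[pi] += p
        p_c[view] += p
    return entropy(p_pi) + entropy(p_c) - entropy(joint)

def leaked_bits(T, f):
    """Bits of information the adversary's view carries about the matching."""
    return mutual_information(joint_distribution(T, f))

if __name__ == "__main__":
    for T in (1, 2, 4, 8):
        print(T, round(leaked_bits(T, 0.5), 6))
```

In this model a single honest crossover on the path hides the matching completely, so the leakage falls geometrically with the number of crossovers.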
Related Work
• Chaumian-MIX
– Unproven security.
– Requires dummy traffic.
– Not efficient.
• Dining Cryptographers
– Proven security.
– Not efficient (all players must play each round).
– Requires shared randomness.
– Requires broadcast.
• Crowds
– Proven weak security.
• Busses
– Proven security.
– Not efficient.
• AMPC
– Proven weak security.
– Not efficient.
• RS93
– Proven security.
– Not efficient.
– Requires secure computation.
The Protocol
Forward:
• Alice chooses v1…vT-1 and sets v0=Alice, vT=Bob.
• Alice randomly chooses r1…rT return keys.
• Each onion layer i contains:
– Address of next node en route (vi+1).
– Return key ri saved by node i.
– Unique identifier zi.
– Encrypted onion part sent to vi+1.
• Message return is done in a similar way to Chaum’s.
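The forward layering described above, as an added example that is not the authors' code: each layer carries the next address, the return key ri, an identifier zi, and the encrypted inner onion. The per-node symmetric keys and the HMAC-based XOR cipher are assumptions standing in for encryption under each node's PKI public key, and all function names are hypothetical.

```python
import hashlib
import hmac
import json
import os

def _xor_stream(key, nonce, data):
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, plaintext)

def open_(key, blob):
    return _xor_stream(key, blob[:16], blob[16:])

def build_onion(route, node_keys, message):
    """Wrap message for route = [v1, ..., vT]; returns (onion for v1, [r1..rT])."""
    return_keys = [os.urandom(16).hex() for _ in route]
    onion = message
    for i in reversed(range(len(route))):
        nxt = route[i + 1] if i + 1 < len(route) else None  # None at the last hop
        layer = {"next": nxt, "return_key": return_keys[i],
                 "id": os.urandom(8).hex(), "inner": onion.hex()}
        onion = seal(node_keys[route[i]], json.dumps(layer).encode())
    return onion, return_keys

def peel(node, node_keys, onion):
    """All that one node learns: next hop, its r_i, its z_i, and an opaque blob."""
    layer = json.loads(open_(node_keys[node], onion))
    return layer["next"], layer["return_key"], layer["id"], bytes.fromhex(layer["inner"])

def deliver(route, node_keys, onion):
    """Forward hop by hop; returns (per-hop log, payload seen at the last hop)."""
    log, node = [], route[0]
    while node is not None:
        nxt, r_i, z_i, onion = peel(node, node_keys, onion)
        log.append((node, nxt, r_i, z_i))
        node = nxt
    return log, onion
```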
Example
[Figure: nodes 1–5 repeated across successive layers, ending in a layer labelled 1R–5R.]
Our Protocol
• Using the following chain rule, we can analyze the route of each player by itself:
I(Π:C) = I(Π(1):C) + I(Π(2):C|Π(1)) + … ≤ α(N)
• The trick is to bound the amount of information the adversary has on each player.
Proof Sketch
• We would like to show that the communications pattern contains a lot of honest crossovers:
• And that these crossovers hide enough information.
[Figure: crossovers among vertices 1, 2, 3 and 1', 2', 3'.]
Proof Sketch
• We show how to find an embedding of a structure of crossovers in the actual communications pattern.
• We call this structure of crossovers “obscurant networks”.
Example embedding
[Figure: example embedding over five layers of vertices 1–5.]
Obscurant Networks
• Network – layered directed circuit with the same number of vertices on each layer.
• Crossover Network – each vertex has in-degree and out-degree one or two.
• Oi – the probability distribution of the output when a pebble is put on starting vertex i.
[Figure: crossover network with edges labelled with probabilities 0.5 and 1.]
• A network is ε-obscurant if |Oi-UM|≤ε.
• Example: the butterfly network is 0-obscurant.
• The problem: what happens when log2(M) is not an integer.
• We use two basic components: B4 and P4.
Example Network
[Figure: example network for M=5 with Z=4 and k=M-Z=1, built from an Init stage followed by a stage repeated t=log(M)+log(ε⁻¹) times.]
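To make the ε-obscurant definition concrete, this added example (not from the slides) computes Oi exactly for a butterfly and for M=5. The L1 norm and the M=5 construction used here (butterfly on the first Z vertices, then a cyclic shift, repeated) are assumptions for illustration, not the authors' B4/P4 network.

```python
from fractions import Fraction

def crossover_layer(dist, pairs):
    """One layer: a pebble entering crossover (a, b) leaves on a or b with
    probability 1/2 each; vertices not in any pair pass straight through."""
    out = list(dist)
    for a, b in pairs:
        out[a] = out[b] = (dist[a] + dist[b]) / 2
    return out

def butterfly_layers(size):
    """Crossover pairings of a butterfly on vertices 0..size-1 (size = 2^k)."""
    layers, bit = [], 1
    while bit < size:
        layers.append([(j, j | bit) for j in range(size) if not j & bit])
        bit <<= 1
    return layers

def output_distribution(M, start, rounds=1):
    """O_start after `rounds` repetitions of: butterfly on the first Z vertices
    (Z = largest power of two <= M), then a cyclic shift by one if Z != M."""
    Z = 1 << (M.bit_length() - 1)
    dist = [Fraction(int(v == start)) for v in range(M)]
    for _ in range(rounds):
        for pairs in butterfly_layers(Z):
            dist = crossover_layer(dist, pairs)
        if Z != M:
            dist = dist[-1:] + dist[:-1]  # lets the leftover vertex enter the butterfly
    return dist

def obscurance(M, rounds=1):
    """max over i of |O_i - U_M|, taken here as the L1 distance (assumption)."""
    u = Fraction(1, M)
    return max(sum(abs(p - u) for p in output_distribution(M, i, rounds))
               for i in range(M))

if __name__ == "__main__":
    print("M=4:", obscurance(4))  # butterfly: exactly uniform
    for r in range(1, 6):
        # Every probability is a multiple of a power of 1/2, so 1/5 is never
        # reached exactly; the distance shrinks by a factor of 4 per round.
        print("M=5, rounds", r, obscurance(5, r))
```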
Making sure we find an embedding
• Lemma [Alo01]: Let G=(V,E) be a graph and assume:
then:
• Meaning: We have a probability of finding all-honest crossovers.
| || |
2
VE f
4
, , ,Pr ( , ), ( , ), ( , )( , )
a b c d Va c a d b c b d E f
Prior Information
• Link each vertex vi(t) with vi(T-t), and reveal all data to the adversary if either one is adaptive.
• Effectively we have created a folding of the network:
[Figure: folding of the network on vertices 1–5.]
• We receive the same game, with T/2 steps and f² probability of honest link.
• We show that: I(Π(T):C=(C1,C2)) ≤ I(Π(T/2):C1,C2):
Conclusion
Theorem: Assume our protocol runs in a network with N nodes, N(N-1)/2 communication links, some constant fraction of which are honest, then the protocol is α(n)-unlinkable when T≥Ω(log(N)log2(N/α(n))).
Future Work
• Incomplete network graph.
• Malicious behavior.
• Multi-shot games.
• Dynamic network topology changes.
Applications
• More realistic approach – a link is honest some of the time.
• Donor privacy – the ability to donate items and answer requests, without being identified.