Provable Protocols for Unlinkability Ron Berman, Amos Fiat, Amnon Ta-Shma Tel Aviv University
Unlinkability
• S: Set of message initiators
• T: Set of message recipients
• Every s ∈ S sends a message to some t ∈ T and [may] request a response
• Goal: Prevent adversary from knowing who is talking to whom
Adversary may control all nodes in T and many other nodes and links in the network
The model
• A complete graph of N nodes
• The adversary is capable of eavesdropping on almost all links: an ε fraction of the links are “honest”
• The adversary may also control almost all nodes, subject to the above
• A public key infrastructure is in place
• A set S of M nodes wish to send unlinkable [two way] communications to a set T of M nodes
• The adversary is adaptive but not malicious, i.e., the adversary cannot corrupt or discard messages.
Prior Work
• Seminal papers of David Chaum, 1979, 1981
• Reduction to traffic analysis (Onion Routing)
• “Chaumian Mixes”
• Literally dozens (hundreds?) of papers since, dedicated conferences, etc., etc.
• Many implementations
• Typical paper:
  • Attack on prior protocol(s)
  • Suggest new protocol
  • Repeat
• Very few attempts to give rigorous definitions, let alone proofs
• Notable exception: Rackoff and Simon, 1993
General Structure: Chaumian Mixes
• Choose a random path and send message along path
• Hope for sufficiently many collisions along path
• If N nodes, and polylog(N) length path, then essentially need all nodes to send messages
• Does not matter how many nodes actually want to send messages, many dummy messages required.
Many attacks, counter measures, counter attacks, counter counter measures, etc.
Chaum’s reduction to traffic analysis: Onion Routing
Note: messages are same length
Prior work: Chaumian Mixes Honest nodes are used to prevent adversary from knowing how messages were routed: A to C, A’ to C’, or A to C’, A’ to C.
Our Results
• New definitions of unlinkability based on information theory
• Prove equivalence to Rackoff-Simon definitions
• Prove that a suitable modification of Chaum’s original protocol is secure
• Argue that many previous “informal arguments” must be wrong
• Improve (?) on Rackoff-Simon in many ways:
  • Adaptive adversary, allow arbitrary prior knowledge
  • No secure computation
  • Much, much, simpler
  • Much more efficient. No need to flood network with dummy messages
  • Weaker attack model (not all links are under adversary control) (New definition of improve)
Only Traffic Analysis
• We will simply assume during this talk that the adversary cannot do anything except eavesdrop on traffic
• An adversary-controlled link reports on all traffic through the link
• An adversary-controlled node reports on all traffic through the node and how routing was done
How to define Unlinkability
• ∏ – Random variable, permutation from S to T [may be drawn from arbitrary prior distribution]
• C – Random variable, gives all the adversary learns during communications
How to define Unlinkability Rackoff and Simon: Let n be a security parameter, C and ∏ as before (We’re ignoring the issue of computational indistinguishability in this talk) (R&S only allow the uniform prior distribution)
Other Definitions (Equivalent)
We need the following observation to prove these equivalences, 0 ≤ α ≤ 1:
Is this new? Seems unlikely.
Why use I(A:B) rather than ‖·‖₁?
I(A:B) is monotonic; ‖·‖₁ is not monotonic (the little birdy principle does not work).
The intuition: the “closer” to the prior, B, the less information the adversary has.
Let A be a random variable giving the number of heads in 10 coin tosses
Let B be the binomial distribution for the number of heads in 10 coin tosses
Let C be a random variable giving the number of heads in the first coin toss
Let D be a random variable giving the number of heads in the 2nd coin toss
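The coin-toss example on this slide, worked out numerically (code added here, not from the talk). It assumes the slide's comparison is between the posterior of A after revealing C = 1 and the posterior after additionally revealing D = 0, each measured against the prior B: the 1-norm distance to the prior shrinks when more is revealed, while the mutual information only grows. All function names are mine.

```python
from fractions import Fraction
from math import comb, log2

def binomial(n):
    """Distribution of the number of heads in n fair coin tosses: {k: P(k)}."""
    return {k: Fraction(comb(n, k), 2 ** n) for k in range(n + 1)}

def shift(dist, by):
    """Distribution of X + by when X ~ dist."""
    return {k + by: p for k, p in dist.items()}

def l1_distance(p, q):
    """1-norm distance sum_k |p(k) - q(k)| between two distributions."""
    return sum(abs(p.get(k, 0) - q.get(k, 0)) for k in set(p) | set(q))

def entropy(dist):
    """Shannon entropy in bits."""
    return -sum(float(p) * log2(float(p)) for p in dist.values() if p)

# Prior over A (number of heads in 10 tosses): Bin(10, 1/2), the slide's B.
B = binomial(10)

def posterior_given_first_tosses(outcomes):
    """Posterior of A after the first len(outcomes) tosses are revealed (1 = heads).
    The revealed heads are fixed; the remaining tosses are still Bin(10 - t, 1/2)."""
    t = len(outcomes)
    return shift(binomial(10 - t), sum(outcomes))

def mutual_information_with_first_tosses(t):
    """I(A : first t tosses) = H(A) - H(A | first t tosses) = H(Bin(10)) - H(Bin(10-t)).
    Every outcome of the t tosses leaves the same conditional entropy, so no averaging."""
    return entropy(binomial(10)) - entropy(binomial(10 - t))

def demo():
    # Reveal C = 1 (first toss heads), then also D = 0 (second toss tails).
    d_c = l1_distance(posterior_given_first_tosses([1]), B)       # 252/1024
    d_cd = l1_distance(posterior_given_first_tosses([1, 0]), B)   # 112/1024, smaller!
    i_c = mutual_information_with_first_tosses(1)
    i_cd = mutual_information_with_first_tosses(2)                # larger than i_c
    return d_c, d_cd, i_c, i_cd

if __name__ == "__main__":
    print(demo())
```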
The Little Birdy Principle
• Richard M. Karp (1988):
• Revealing more information to the adversary only makes his/her life easier
• Certainly true in the context of computational complexity
• Is this true in the context of unlinkability?
• Depends on the definition of unlinkability
• Many previous papers implicitly make use of the little birdy principle in informal arguments
• Does not hold for the Rackoff-Simon definitions
How could this possibly be?
• The little birdy principle must hold, it’s obvious, isn’t it?
• Actually, in some form it does hold, it holds on average
• The reason that it does not always hold is that in some circumstances, revealing more information (selected information), only “confuses” the adversary
• There must be a good political joke here somewhere, but I could not figure it out
How to prove unlinkability
• Define Protocol
• Define Obscurant Network
• Construct Obscurant Networks
• Search for Obscurant Network “embedding” within execution of protocol (Uses Little Birdy Principle)
• Extend result to allow prior information: Use “protocol folding” (Uses Little Birdy Principle)
The protocol
Nodes wishing to send messages (and only nodes wishing to send messages):
• Choose a random path of length polylog(N)
• Use Chaum’s onion routing to send and receive messages along this path
Silly, isn’t it?
• If only 100 messages are initiated, and there are 10⁶ nodes in the network, there will be no collisions
• If the adversary controls all links then the adversary knows exactly who is talking to whom
• Change attack model: adversary controls all but an arbitrarily small constant fraction of the links
Introducing ambiguity via links
A crossover structure of honest links introduces ambiguity
Obscurant Networks
• A network with crossover switches such that a pebble placed on the inputs, and setting all crossovers uniformly at random, will result in a uniform distribution over the outputs
• Example: Butterfly network
• Important: an obscurant network does not obscure permutations
• What about non-powers of 2?
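A small simulation of the butterfly example (code added here, not from the talk). It enumerates every setting of the crossover switches of a butterfly on 8 wires and checks both claims on the slide: a single pebble ends on a uniformly random output, yet only 2¹² = 4096 of the 8! = 40320 permutations are ever produced, so the permutation is far from uniform. The switch layout (stage j pairs wire w with w XOR 2^j) and the function names are my assumptions.

```python
from collections import Counter
from itertools import product
from math import factorial

def switches(n):
    """Crossover switches of a butterfly on n = 2^k wires, keyed (stage, lower wire).
    Assumed wiring: stage j pairs wire w with wire w XOR 2^j."""
    k = n.bit_length() - 1
    return [(j, w) for j in range(k) for w in range(n) if not w & (1 << j)]

def route_pebble(n, setting, start):
    """Follow one pebble from input `start`; a set switch swaps the two wires it joins."""
    k = n.bit_length() - 1
    pos = start
    for j in range(k):
        bit = 1 << j
        if setting[(j, pos & ~bit)]:   # switch on this pebble's path at stage j
            pos ^= bit
    return pos

def all_settings(n):
    """Every assignment of the switches; a uniform random setting is one of these."""
    sw = switches(n)
    for bits in product((0, 1), repeat=len(sw)):
        yield dict(zip(sw, bits))

def pebble_output_counts(n, start):
    """How often each output is reached over all settings. The obscurant property:
    every output appears exactly 2^(#switches) / n times."""
    return Counter(route_pebble(n, s, start) for s in all_settings(n))

def permutation_counts(n):
    """The permutation realised when all n inputs carry a pebble at once.
    Only 2^(#switches) settings exist, far fewer than n! permutations."""
    return Counter(tuple(route_pebble(n, s, i) for i in range(n))
                   for s in all_settings(n))

def demo(n=8):
    outs = pebble_output_counts(n, 0)
    perms = permutation_counts(n)
    uniform_pebble = len(outs) == n and len(set(outs.values())) == 1
    return uniform_pebble, len(perms), factorial(n)   # (True, 4096, 40320) for n=8

if __name__ == "__main__":
    print(demo())
```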
Obscurant Networks of all sizes (figure: choose uniformly at random for these nodes; average the probability mass)
Do permutation obscurant networks exist??
• Don’t know, open problem.
• Don’t you need a permutation obscurant network??
• Yes, and no, what we actually find are repeated embeddings of [single pebble] obscurant networks
A combinatorial lemma (N. Alon, FOCS 2001)
• Given a graph with a constant fraction, f, of the total edges
• Choose 4 nodes at random
• A crossover network will connect them with probability f⁴
• f is the fraction of honest edges
Strategy
• Reveal all links used in every 2nd layer, this is to make pairs of layers independent choices of four nodes
• For a sufficiently long set of paths, find an obscurant network in the execution of the protocol
• Reveal all other edges
• This revelation should not harm the protocol (requires some effort)
Strategy (continued)
• How do we move from [single pebble] obscurant to unlinkable?
• Reveal the jth path (as a proof technique!!) to argue about the others
Dealing with Prior Information
Reveal to the adversary the relationship between layer i and layer 6-i
Dealing with Prior Information: Folding the Network upon itself
Completing the Argument: Prior Information
Because the distributions (Choose the last T-1 levels at random, and fill in the 1st level to get the permutation)
Given the middle permutation, and c₂ ∈ C₂, we can compute π, thus the data processing inequality holds