1 / 33

Anonymity Analysis of Onion Routing in the Universally Composable Framework

Anonymity Analysis of Onion Routing in the Universally Composable Framework. Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research Laboratory. Provable Privacy Workshop July 9, 2012. Problem.

danil
Download Presentation

Anonymity Analysis of Onion Routing in the Universally Composable Framework

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Anonymity Analysis of Onion Routing in the Universally ComposableFramework Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research Laboratory Provable Privacy Workshop July 9, 2012

  2. Problem • [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis • [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis • […] - How do we apply results in standard cryptographic models? • [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis • [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

  3. Solution • Formalize abstract (black-box) model of onion routing in UC framework • Focus on information leaked • Anonymity analysis on earlier abstract model is inherited by UC version

  4. Problem • [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis • [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis • […] - How do we apply results in standard cryptographic models? • [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis • [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

  5. I/O-automata model Adversary controls relays 1 2 u d 3 5 User u running client Internet destination d 4 Onion routing relays Encrypted onion-routing hop Unencrypted onion-routing hop

  6. I/O-automata model 1 2 u d 3 5 4 u 1 2 Main theorem: Adversary can only determine parts of a circuit it controls or is next to.

  7. I/O-automata model u 1 2 d v e 3 5 4 w f

  8. I/O-automata model u 1 2 d v e 3 5 4 w f • First router compromised

  9. I/O-automata model u 1 2 d v e 3 5 4 w f • First router compromised • Last router compromised

  10. I/O-automata model u 1 2 d v e 3 5 4 w f • First router compromised • Last router compromised • First and last compromised

  11. I/O-automata model u 1 2 d v e 3 5 4 w f • First router compromised • Last router compromised • First and last compromised • Neither first nor last compromised

  12. Problem • [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis • [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis • […] - How do we apply results in standard cryptographic models? • [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis • [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

  13. Black-box Abstraction u d v e w f

  14. Black-box Abstraction u d v e w f • Users choose a destination

  15. Black-box Abstraction u d v e w f • Users choose a destination • Some inputs are observed

  16. Black-box Abstraction u d v e w f • Users choose a destination • Some inputs are observed • Some outputs are observed

  17. Black-box Anonymity u d v e w f • The adversary can link observed inputs and outputs of the same user.

  18. Black-box Anonymity u d v e w f • The adversary can link observed inputs and outputs of the same user. • Any configuration consistent with these observations is indistinguishable to the adversary.

  19. Black-box Anonymity u d v e w f • The adversary can link observed inputs and outputs of the same user. • Any configuration consistent with these observations is indistinguishable to the adversary.

  20. Black-box Anonymity u d v e w f • The adversary can link observed inputs and outputs of the same user. • Any configuration consistent with these observations is indistinguishable to the adversary.

  21. Probabilistic Black-box u d v e w f

  22. Probabilistic Black-box u d v e w f pu • Each user v selects a destination from distribution pv

  23. Probabilistic Black-box u d v e w f pu • Each user v selects a destination from distribution pv • Inputs and outputs are observed independently with probability b

  24. Problem • [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis • [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis • […] - How do we apply results in standard cryptographic models? • [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis • [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

  25. Problem • [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis • [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis • [FJS12] – Onion-routing UC formalization - “Free” probabilistic anonymity analysis • [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis • [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

  26. Onion-Routing UC Ideal Functionality Upon receiving destination d from user U u with probability b øwith probability 1-b x d with probability b øwith probability 1-b y Send (x,y) to the adversary. FOR

  27. Black-box Model • Ideal functionality FOR • Environment assumptions • Each user gets a destination • Destination for user u chosen from distribution pu • Adversary compromises a fraction b of routers before execution

  28. UC Formalization • Captures necessary properties of any crytographic implementation • Easy to analyze resulting information leaks • Functionality is a composable primitive • Anonymity results are valid in probabilistic version of I/O-automata model

  29. Anonymity Analysis of Black Box • Can lower bound expected anonymity with standard approximation: b2 + (1-b2)pud • Worst case for anonymity is when user acts exactly unlike or exactly like others • Worst-case anonymity is typically as if √b routers compromised: b + (1-b)pud • Anonymity in typical situations approaches lower bound

  30. Future Extensions • Compromised links • Non-uniform path selection • Heterogeneous path selection • Anonymity over time

  31. Problem • [FJS07a] - Onion-routing I/O-automata model - Possibilistic anonymity analysis • [FJS07b] - Onion-routing abstract model - Probabilistic anonymity analysis • [FJS12] – Onion-routing UC formalization - “Free” probabilistic anonymity analysis • [CL05] - “Onion routing” formalized with Universal Composability (UC) - No anonymity analysis • [BGKM12] - Onion routing formalized with UC - Our work will provide anonymity

  32. [BGKM12] Ideal Functionality • Functionality can actually send messages • Needs wrapper to hide irrelevant circuit-building options • Shown to UC-emulate FOR

  33. References [BGKM12] Provably Secure and Practical Onion Routing,by Michael Backes, Ian Goldberg, Aniket Kate, and EsfandiarMohammadi, in CSF12. [CL05] A Formal Treatment of Onion Routing, by Jan Camenisch and Anna Lysyanskaya, in CRYPTO 05. [FJS07a] A Model of Onion Routing with Provable Anonymity,by Joan Feigenbaum, Aaron Johnson, and Paul Syverson, in FC07. [FJS07b] Probabilistic Analysis of Onion Routing in a Black-box Model, id., in WPES07. [FJS12] A Probabilistic Analysis of Onion Routing in a Black-box Model, id.in TISSEC (forthcoming)

More Related