
Provable Unlinkability Against Traffic Analysis


Presentation Transcript


  1. Provable Unlinkability Against Traffic Analysis Amnon Ta-Shma Joint work with Ron Berman and Amos Fiat School of Computer Science, Tel-Aviv University

  2. Problem definition • M senders S={s1…sM} and M receivers R={r1…rM}. • N nodes in a complete synchronous communication network. • A public key infrastructure (PKI). • We assume some of the links are honest, and some are dishonest. We look for a protocol such that the messages arrive at their destination, yet the adversary knows very little about the matching Π: S→R.

  3. A very basic problem • A tremendous amount of work. • Many practical systems and protocols. • Relevant in peer to peer data exchange. • Forms a basis to many other protocols, such as electronic cash systems and voting schemes.

  4. Chaum’s work (1979) • Chaum (1979) showed that using onion-routing, one can assume the adversary is restricted to traffic analysis. • Unlinkability was never proven. In fact, Chaum’s protocol is insecure. Chaum’s work is the basis for most later work.

  5. First Attempt (1993) • Chaumian-MIX (1979) • Unproven security (in fact: insecure). • Requires dummy traffic. • RS (1993) • Proven security. • Not efficient (all players play all time). • Requires secure computation. • Many FUZZY attempts.

  6. Entirely Different Attempts • Dining Cryptographers • Proven security. • Not efficient (all players must play all time). • Requires shared randomness. • Requires broadcast. • Crowds • Proven (very) weak security. • Buses • Proven security. • Not efficient (all players play all time).

  7. Our Contribution We rely on Chaum’s ideas, but We replace FUZZY security with proven security. • A set of simple equivalent measures of unlinkability. • A connection with Information Theory. • Rigorous proof. • We can extend the proof to realistic adversaries that have prior knowledge.

  8. What is Unlinkability?

  9. What is unlinkability? • Π - actual permutation that took place during communication. • C - information the adversary has. 0/1 matrix, with 1 indicating a communication line being used. We would like to formalize: Almost always: Π does not carry information about C.

  10. What is unlinkability? 1. 2. 3. • Mutual information - I(X:Y) = H(X) + H(Y) - H(X,Y). How much info does one RV convey on another. • All definitions are equivalent.

  11. The Protocol

  12. The Protocol (almost Chaum) Forward: • Alice chooses v1…vT-1, v0 = Alice, vT = Bob. • Alice randomly chooses r1…rT return keys. • Each onion layer i contains: • Address of next node en route (vi+1). • Return key ri saved by node vi. • Unique identifier zi. • Encrypted onion part sent to vi+1.

  13. Our Protocol [Figure: example run with nodes 1–5 over layers 0–4.]

  14. Chaum vs. Us 1. Chaum assumes the adversary controls all links; we assume the adversary controls only most links. 2. In Chaum, honest messages mix within an honest node (and so every vertex waits until it receives at least two messages). In our scheme, honest messages mix in honest links. 3. Chaum’s protocol is insecure unless all honest players play all the time. Ours is secure even if honest players play only when required.

  15. The Proof

  16. Proof Idea • We show the communication pattern contains many honest crossovers: • And these crossovers hide enough information. [Figure: crossovers between the pairs 1/1’, 2/2’, 3/3’.]

  17. Honest Crossovers are Abundant No matter how the adversary chooses its links: • Lemma [Alo01]: Let G=(V,E) be a graph and assume: then:

  18. So what do we do with an honest crossover? We would like to: • First, prove that every single player is protected. • Second, prove that no information is leaked about the group behavior. The chain rule becomes handy: I(Π:C) = I(Π(1):C) + I(Π(2):C|Π(1)) + …

  19. Obscurant Networks • Crossover Network – Each vertex has in-degree and out-degree one or two. • Oi – The probability distribution of output when a pebble is put on starting vertex i. [Figure: a small crossover network with edge probabilities 0.5 and 1.] A network is ε-obscurant if |Oi − UM| ≤ ε.

  20. Simple Obscurant Networks Exist. • For a power of two: the butterfly is 0-obscurant. • For other input lengths, we give a construction. [Figure: B4 and P4.]
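An added check of the butterfly claim on slide 20 (example code written for this transcript, not from the talk or the paper). It models a crossover network as stages of disjoint vertex pairs, each pair swapped with probability 1/2, computes every O_i exactly, and reports the ε for which the network is ε-obscurant; the distance |O_i − U_M| is assumed to be total variation distance, and the butterfly wiring (stage j pairs v with v XOR 2^j) is the standard one.

```python
from fractions import Fraction


def butterfly_stages(k):
    """Butterfly on M = 2**k vertices: stage j pairs vertex v with v ^ (1 << j).

    Every vertex then has in-degree and out-degree two, as slide 19 requires.
    """
    m = 1 << k
    return [[(v, v ^ (1 << j)) for v in range(m) if v < v ^ (1 << j)]
            for j in range(k)]


def output_distribution(stages, start):
    """O_i: exact distribution of the pebble's final vertex when started at `start`.

    Each stage is a list of disjoint pairs (a, b). A pebble sitting on a or b
    moves to either endpoint with probability 1/2 (an honest crossover);
    a vertex not in any pair passes the pebble straight through.
    """
    dist = {start: Fraction(1)}
    for pairs in stages:
        partner = {}
        for a, b in pairs:
            partner[a], partner[b] = b, a
        nxt = {}
        for v, p in dist.items():
            if v in partner:
                nxt[v] = nxt.get(v, Fraction(0)) + p / 2
                nxt[partner[v]] = nxt.get(partner[v], Fraction(0)) + p / 2
            else:
                nxt[v] = nxt.get(v, Fraction(0)) + p
        dist = nxt
    return dist


def obscurance(stages, m):
    """Smallest eps such that the network is eps-obscurant: max_i TV(O_i, U_M)."""
    uniform = Fraction(1, m)
    worst = Fraction(0)
    for i in range(m):
        o = output_distribution(stages, i)
        tv = sum(abs(o.get(v, Fraction(0)) - uniform) for v in range(m)) / 2
        worst = max(worst, tv)
    return worst


if __name__ == "__main__":
    # Full butterfly on 8 vertices: 0-obscurant. Dropping its last stage leaves
    # only 4 reachable outputs per start vertex, so eps rises to 1/2.
    print(obscurance(butterfly_stages(3), 8), obscurance(butterfly_stages(3)[:2], 8))
```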

  21. We look for an embedding of an obscurant network. [Figure: the obscurant network embedded in the example run with nodes 1–5.]

  22. Theorem Assume our protocol runs in a network with N nodes, N(N-1)/2 communication links, some constant fraction of which are honest. Then the protocol is α(n)-unlinkable when run T ≥ Ω(log(N)·log2(N/α(n))) steps.

  23. Prior Information

  24. The Question Does the security proof hold when the adversary has extensive a priori information? E.g., • People like to correspond with people speaking their language. • Much mail goes within organizations. A very realistic concern.

  25. We can handle even Prior Information! • Link each vertex vi(t) with its corresponding vertex at level T-t, and reveal all data to the adversary if either link is curious. • We prove the adversary still does not get much information about the middle layer. • We conclude from that the adversary does not learn much information about the permutation.

  26. Folding • We have a folding of the network: [Figure: the 5-node example run folded onto itself, pairing layer t with layer T-t.] And we return to the original problem with f²!!

  27. Extensions and Open Questions

  28. Extensions • More realistic approach – a link is honest some of the time. • Donor privacy – the ability to donate items and answer requests, without being identified.

  29. Open Questions • Incomplete network graph. • Malicious behavior. • Multi-shot games. • Dynamic network topology changes.

  30. The END

  31. Proof Sketch Example Network: M=5, Z=4, k=M-Z=1. Init. Repeat t = log(M) + log(ε⁻¹) times.
