An Analysis of Parallel Mixing with Attacker-Controlled Inputs


  1. An Analysis of Parallel Mixing with Attacker-Controlled Inputs
     Nikita Borisov, formerly of UC Berkeley

  2. Definitions
     • “Parallel Mixing”
       • A latency optimization for synchronous re-encryption mixnets [Golle & Juels 2004]
     • “Attacker-Controlled Inputs”
       • Inputs to a mixnet which can be linked to corresponding outputs
       • Either directly controlled by attackers or discovered through other means
     • “Analysis”
       • Low anonymity if most inputs are known
       • If few inputs are known, anonymity loss can be amplified with repeated mixings

  3. Synchronous Re-encryption Mixes
     • Messages are mixed by all mix servers
     • Re-encryption of each message under the same decryption key
     [Diagram: messages M1 to M4 pass through Mix 1 and Mix 2, becoming M’1 to M’4 and then M’’1 to M’’4]

  4. Parallel Mixing
     [Diagram: inputs M1 to M4, Mix 1 and Mix 2; stages labelled Rotation, Distribution, Rotation]

  5. Properties
     • Initial public permutation to assign inputs to batches
     • T rotations, followed by 1 distribution, followed by T more rotations
     • Defends against up to T dishonest mixes
     • Latency is 2(T+1)*N/M re-encryptions
       • N - number of messages
       • M - number of mix servers
     • Even with T=M-1, faster than conventional cascade with N*M re-encryptions (for M>2)

  6. Attacker-Controlled Inputs
     [Diagram: inputs M1 to M4, Mix 1 and Mix 2, with the labels 1 and 2 each appearing twice]

  7. Overview
     • Introduction
     • Analysis Methods
     • Analysis Results
     • Multiple-round analysis
     • Open problems
     • Conclusions

  8. Theorem 1 Definitions
     • (j) = # of known inputs in batch j ((1) = 1)
     • (j’) = # of known outputs in batch j’ ((1) = 1)
     • (j,j’) = # of known inputs in batch j matching outputs in batch j’ ((1,1) = 0)
     [Diagram: inputs M1 to M4, Mix 1 and Mix 2, with the labels 1 and 2 each appearing twice]

  9. Theorem 1
     Pr[s1 -> s1] = (1-0)/((2-1)(2-1)) = 1
     [Diagram: inputs M1 to M4, Mix 1 and Mix 2, with the labels 1 and 2 each appearing twice]

  10. Anonymity Metrics
      • Anon [Golle and Juels ‘04]
      • Entropy [SD’02, DSCP’02]
      • Can compute either metric using Theorem 1
        • Need to know (j), (j’), and (j,j’) for each j,j’

  11. Scenarios
      • Given a scenario:
        • # of known inputs
        • Distribution of known inputs among input batches
        • Distribution of known outputs among output batches
      • We can compute:
        • (j), (j’), and (j,j’)
        • Anonymity metrics
      • What’s a typical scenario?
        • Distribution of anonymity metrics

  12. Combinatorial Enumeration
      • Given # of known inputs, enumerate through all scenarios
        • All initial permutations
        • All mix shuffle choices
      • Compute (j), (j’), and (j,j’) for each possibility
      • Improvements:
        • Partition states into equivalence classes
        • Combinatorial enumeration

  13. 3 Mixes, 18 Inputs 17311151454831150294756284149883771654705774592 000000000000000000000 possible scenarios

  14. Sampling
      • Full enumeration still impractical for large systems
      • Instead, we use sampling:
        • Given a # of known inputs, simulate a random scenario
        • Compute (j), (j’), and (j,j’) and anonymity metrics
        • Repeat
      • Get a sampled distribution of metrics
        • Misses the tail of distribution, but we don’t care

  15. 1008 Inputs, 900 unknown

  16. 1008 inputs, 100 unknown

  17. Multiple-Round Analysis
      • Anonymity may be short of optimal, but with Anon > 10, who cares?
      • Consider repeated mixing of the same inputs
        • Unlikely to happen with e-voting
        • Likely if parallel mixing used for TCP forwarding
      • Each mixing is a new, random observation
        • Reveals new information each time
      • Over time, input-output correspondence identified w.h.p.

  18. Repeated mixing with 500 unknown inputs
      • Note: all mixes here are honest!

  19. Conclusions
      • Parallel mixing reveals information when attackers control some inputs
        • Big problem if most inputs are controlled
      • When fewer inputs are known, repeated mixings may still be a problem
      • This problem exists even if all mixes are honest
      • Statistical approximations should be checked by simulations
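
Added example (not from the presentation): a Python sketch of the sampling procedure from slide 14, using the three known-message counts defined on slide 8. The general probability formula is an assumption inferred from the worked numbers on slide 9, reading the 1 as N/M² and each 2 as N/M; the function names, the requirement that M² divide N, and 1/max-probability as a stand-in for Anon are also assumptions.

```python
import math
import random

def sample_counts(n, m, known, rng):
    """Simulate one random scenario; return the known-message counts (a, b, g)."""
    size, share = n // m, n // (m * m)   # batch size; messages per (input, output) batch pair
    a, b = [0] * m, [0] * m              # known inputs per input batch / known outputs per output batch
    g = [[0] * m for _ in range(m)]      # known inputs in batch j whose output is in batch jp
    ids = list(range(n))
    rng.shuffle(ids)                     # initial permutation assigning inputs to batches
    known_ids = set(rng.sample(range(n), known))
    for j in range(m):
        batch = ids[j * size:(j + 1) * size]
        rng.shuffle(batch)               # secret shuffling by the mixes
        for pos, msg in enumerate(batch):
            jp = pos // share            # distribution: equal share to each output batch
            if msg in known_ids:
                a[j] += 1
                b[jp] += 1
                g[j][jp] += 1
    return a, b, g

def link_prob(n, m, a, b, g, j, jp):
    """Pr[one unknown input of batch j -> one given unknown output of batch jp]."""
    free_in, free_out = n // m - a[j], n // m - b[jp]
    if free_in == 0 or free_out == 0:
        return 0.0
    return (n // (m * m) - g[j][jp]) / (free_in * free_out)  # assumed general form (slide 9)

def metrics(n, m, a, b, g, j):
    """(entropy in bits, 1/max probability) for an unknown input of batch j."""
    if a[j] == n // m:
        raise ValueError("batch j has no unknown inputs")
    entropy, p_max = 0.0, 0.0
    for jp in range(m):
        p = link_prob(n, m, a, b, g, j, jp)
        if p > 0:
            entropy -= (n // m - b[jp]) * p * math.log2(p)  # same p for every unknown output in jp
            p_max = max(p_max, p)
    return entropy, 1 / p_max

def sampled_entropies(n, m, known, rounds, seed=0):
    """Repeat the simulation; collect entropies for every batch with unknown inputs."""
    rng, out = random.Random(seed), []
    for _ in range(rounds):
        a, b, g = sample_counts(n, m, known, rng)
        out += [metrics(n, m, a, b, g, j)[0] for j in range(m) if a[j] < n // m]
    return out
```

With the slide 9 counts (4 inputs, 2 mixes, one known input per batch crossing to the other batch) the remaining unknown input is linked with probability 1, so its entropy is 0 bits.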
