
Provable Unlinkability Against Traffic Analysis

Provable Unlinkability Against Traffic Analysis. Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University. Outline. Is it interesting? Our contribution. Problem definition. What is unlinkability? Related work. The protocol. Proof sketch.


Presentation Transcript


  1. Provable Unlinkability Against Traffic Analysis • Ron Berman. Joint work with Amos Fiat and Amnon Ta-Shma, School of Computer Science, Tel-Aviv University.

  2. Outline • Is it interesting? • Our contribution. • Problem definition. • What is unlinkability? • Related work. • The protocol. • Proof sketch. • Prior information. • Application: Donor Anonymity.

  3. Is it interesting? • A tremendous amount of work on the subject. • Many practical systems, protocols and solutions. • Relevant today in the context of peer to peer data exchange.

  4. Our Contribution • A set of simple equivalent measurements for unlinkability. • Rigorous analysis and proof using information theory. • Solution (and proof) for prior knowledge.

  5. Problem definition • N nodes in a complete network graph. • Synchronous network with bounds on message travel times. • A public key infrastructure (PKI) is widely available. • Given senders S={s1…sM} and receivers R={r1…rM} of messages, we would like the matching Π: S → R to remain unknown to an adversary. • At least some of the links are honest.

  6. Problem definition • Chaum (1981) showed that, using onion routing, one can assume that the adversary is restricted to traffic analysis. • The unlinkability properties had not been proven, and the original protocol is actually insecure. • We rely heavily on Chaum's ideas, with some limitations on the adversary.

  7. What is unlinkability? • Π - the actual permutation that took place during communication. • C - the information the adversary has: a 0/1 matrix, with 1 indicating a communication line being used. • Mutual information - I(X:Y) = H(X) + H(Y) - H(X,Y): how much information one random variable conveys about another. • All definitions are equivalent.
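
As an added illustration (not from the presentation), the following Python evaluates I(Π:C) with the formula on this slide for a constructed toy model: two senders each forward through one uniformly chosen relay, and C is the set of links seen in use. The single-hop relay model and all function names are assumptions.

```python
import itertools
import math
from collections import defaultdict

def entropy(dist):
    """Shannon entropy in bits of a {outcome: probability} mapping."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def mutual_information(joint):
    """I(X:Y) = H(X) + H(Y) - H(X,Y) for a joint {(x, y): probability}."""
    px, py = defaultdict(float), defaultdict(float)
    for (x, y), p in joint.items():
        px[x] += p
        py[y] += p
    return entropy(px) + entropy(py) - entropy(joint)

def one_hop_joint(num_relays, senders=("s1", "s2"), receivers=("r1", "r2")):
    """Joint distribution of (permutation, observed link set) in the toy model.

    Assumed model: the permutation is uniform, every sender picks a relay
    uniformly at random, and the adversary sees which links carry a message
    in each step but cannot match messages inside a relay.
    """
    perms = list(itertools.permutations(range(len(receivers))))
    choices = list(itertools.product(range(num_relays), repeat=len(senders)))
    p = 1.0 / (len(perms) * len(choices))
    joint = defaultdict(float)
    for pi in perms:
        for relays in choices:
            used = set()  # the 1-entries of the 0/1 link-usage matrix C
            for i, relay in enumerate(relays):
                used.add((0, senders[i], relay))          # step 0: sender -> relay
                used.add((1, relay, receivers[pi[i]]))    # step 1: relay -> receiver
            joint[(pi, frozenset(used))] += p
    return joint

if __name__ == "__main__":
    for k in (1, 2, 4, 8):
        leak = mutual_information(one_hop_joint(k))
        print(f"{k} relays: I(Pi:C) = {leak:.3f} bits of H(Pi) = 1 bit")
```

In this model the two messages cross at the same relay with probability 1/K, and only then does C hide the permutation, so the leakage is 1 - 1/K bits.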

  8. Related Work • Chaumian-MIX: unproven security; requires dummy traffic; not efficient. • Dining Cryptographers: proven security; not efficient (all players must play each round); requires shared randomness; requires broadcast.

  9. Related Work • Crowds: proven weak security. • Busses: proven security; not efficient. • AMPC: proven weak security; not efficient. • RS93: proven security; not efficient; requires secure computation.

  10. The Protocol • Forward: Alice chooses v1…vT-1 and sets v0=Alice, vT=Bob. • Alice randomly chooses return keys r1…rT. • Each onion layer i contains: the address of the next node en route (vi+1); the return key ri, saved by node i; a unique identifier zi; the encrypted onion part sent to vi+1. • Message return is done in a similar way to Chaum's.
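
A structural sketch of the forward pass described on this slide, added here and not taken from the presentation. It uses a toy SHA-256 keystream as a stand-in for encryption under each node's public key (an assumption; it is not secure), and the field and function names are hypothetical.

```python
import hashlib
import json
import secrets

def _toy_cipher(key: bytes, data: bytes) -> bytes:
    """Toy XOR keystream (SHA-256 in counter mode); stand-in for PKI encryption."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def build_onion(route, node_keys, message: bytes):
    """route = [v1, ..., vT]; returns (onion handed to v1, return keys r1..rT)."""
    return_keys = [secrets.token_hex(8) for _ in route]
    blob = message
    for i in reversed(range(len(route))):       # wrap from vT outwards to v1
        layer = {
            "next": route[i + 1] if i + 1 < len(route) else None,  # v_{i+1}
            "return_key": return_keys[i],                          # r_i
            "id": secrets.token_hex(8),                            # z_i
            "inner": blob.hex(),                 # encrypted part for v_{i+1}
        }
        blob = _toy_cipher(node_keys[route[i]], json.dumps(layer).encode())
    return blob, return_keys

def peel(node, node_keys, blob, state):
    """Node removes its layer, stores (z_i, r_i), learns only the next hop."""
    layer = json.loads(_toy_cipher(node_keys[node], blob))
    state[node] = {"id": layer["id"], "return_key": layer["return_key"]}
    return layer["next"], bytes.fromhex(layer["inner"])

def deliver(route, node_keys, message: bytes):
    """Run the forward pass; returns (visited nodes, payload, state, return keys)."""
    blob, return_keys = build_onion(route, node_keys, message)
    state, visited, node = {}, [], route[0]
    while node is not None:
        visited.append(node)
        node, blob = peel(node, node_keys, blob, state)
    return visited, blob, state, return_keys

if __name__ == "__main__":
    route = ["v1", "v2", "v3", "Bob"]            # constructed sample route
    keys = {name: secrets.token_bytes(16) for name in route}
    visited, payload, state, _ = deliver(route, keys, b"hello Bob")
    print(visited, payload, sorted(state))
```

The layer size shrinks at every hop in this sketch, which would reveal a node's position on the route; fixed-size onions need padding that is not shown here.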

  11. Our Protocol • Example. [Figure not reproduced in the transcript.]

  12. Proof Sketch • Using the following chain rule, we can analyze the route of each player by itself: I(Π:C) = I(Π(1):C) + I(Π(2):C|Π(1)) + … ≤ α(N) • The trick is to bound the amount of information the adversary has on each player.

  13. Proof Sketch • We would like to show that the communications pattern contains a lot of honest crossovers. [Figure not reproduced; vertices labeled 1, 1', 2, 2', 3, 3'.] • And that these crossovers hide enough information.

  14. Proof Sketch • We show how to find an embedding of a structure of crossovers in the actual communications pattern. • We call this structure of crossovers "obscurant networks".

  15. Proof Sketch • Example embedding. [Figure not reproduced in the transcript.]

  16. Proof Sketch • Obscurant Networks • Network – layered directed circuit with the same number of vertices on each layer. • Crossover Network – each vertex has in-degree and out-degree one or two. • Oi – the probability distribution of the output when a pebble is put on starting vertex i. [Figure not reproduced; edges labeled 0.5 and 1.]

  17. Proof Sketch • A network is ε-obscurant if |Oi-UM|≤ε. • Example: The butterfly network is 0-obscurant. • The problem: what happens when log2(M) is not an integer. • We use two basic components: B4 and P4. [Figures not reproduced.]
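
An added example, not part of the presentation: it computes the output distributions Oi of a layered crossover network exactly and measures how far they are from uniform. The butterfly wiring (vertex v goes to v and v XOR 2^l at layer l), a uniform choice among out-edges, and the L1 norm for |Oi-UM| are assumptions, since the slides do not state them.

```python
from fractions import Fraction

def butterfly(k, layers=None):
    """Butterfly on M = 2**k vertices; layer l wires v to v and v XOR 2**l."""
    m = 1 << k
    depth = k if layers is None else layers
    return [{v: [v, v ^ (1 << l)] for v in range(m)} for l in range(depth)]

def is_crossover_network(network, m):
    """Every vertex must have in-degree and out-degree one or two in each layer."""
    for layer in network:
        indeg = [0] * m
        for v in range(m):
            if len(layer[v]) not in (1, 2):
                return False
            for w in layer[v]:
                indeg[w] += 1
        if any(d not in (1, 2) for d in indeg):
            return False
    return True

def output_distribution(network, start, m):
    """O_start: where a pebble placed on `start` ends up, as exact fractions."""
    dist = [Fraction(0)] * m
    dist[start] = Fraction(1)
    for layer in network:
        nxt = [Fraction(0)] * m
        for v, p in enumerate(dist):
            if p:
                for w in layer[v]:
                    nxt[w] += p / len(layer[v])   # uniform choice of out-edge
        dist = nxt
    return dist

def obscurity(network, m):
    """Smallest eps for which the network is eps-obscurant (L1 distance, assumed)."""
    uniform = Fraction(1, m)
    return max(
        sum(abs(p - uniform) for p in output_distribution(network, i, m))
        for i in range(m)
    )

if __name__ == "__main__":
    full, short = butterfly(3), butterfly(3, layers=2)
    print("crossover network:", is_crossover_network(full, 8))
    print("full butterfly eps:", obscurity(full, 8))
    print("two-layer butterfly eps:", obscurity(short, 8))
```

Dropping one layer of the 8-vertex butterfly leaves each pebble spread over only four outputs, so the distance from uniform jumps from 0 to 1.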

  18. Proof Sketch • Example network: M=5, Z=4, k=M-Z=1. • Init, then repeat t=log(M)+log(ε⁻¹) times. [Figure not reproduced.]

  19. Proof Sketch • Making sure we find an embedding • Lemma [Alo01]: Let G=(V,E) be a graph and assume: then: • Meaning: We have a probability of finding all-honest crossovers.

  20. Proof Sketch • Using the following chain rule, we can analyze the route of each player by itself: I(Π:C) = I(Π(1):C) + I(Π(2):C|Π(1)) + … ≤ α(N) • The trick is to bound the amount of information the adversary has on each player.

  21. Proof Sketch • Prior Information • Link each vertex vi(t) with vi(T-t), and reveal all data to the adversary if either one is adaptive. • Effectively we have created a folding of the network. [Figure not reproduced.]

  22. Proof Sketch • We obtain the same game, with T/2 steps and probability f² of an honest link. • We show that: I(Π(T):C=(C1,C2)) ≤ I(Π(T/2):C1,C2)

  23. Conclusion • Theorem: Assume our protocol runs in a network with N nodes and N(N-1)/2 communication links, some constant fraction of which are honest. Then the protocol is α(n)-unlinkable when T≥Ω(log(N)log2(N/α(n))).

  24. Future Work • Incomplete network graph. • Malicious behavior. • Multi-shot games. • Dynamic network topology changes.

  25. Applications • More realistic approach – a link is honest some of the time. • Donor privacy – the ability to donate items and answer requests, without being identified.

  26. Questions?
