ppt - Ron Berman

Provable Unlinkability
Against Traffic Analysis
Ron Berman
Joint work with Amos Fiat and Amnon Ta-Shma
School of Computer Science, Tel-Aviv University
Outline
• Is it interesting?
• Our contribution.
• Problem definition.
• What is unlinkability?
• Related work.
• The protocol.
• Proof sketch.
• Prior information.
• Application: Donor Anonymity.
Is it interesting?
• A tremendous amount of work on the subject.
• Many practical systems, protocols and solutions.
• Relevant today in the context of peer-to-peer data exchange.
Our Contribution
• A set of simple equivalent measurements for unlinkability.
• Rigorous analysis and proof using information theory.
• Solution (and proof) for prior knowledge.
Problem definition
• N nodes in a complete network graph.
• Synchronous network with bounds on message travel times.
• A public key infrastructure (PKI) is widely available.
• Given senders S = {s1…sM} and receivers R = {r1…rM} of messages, we would like the matching Π: S → R to remain unknown to an adversary.
• At least some of the links are honest.
Problem definition
• Chaum (1981) showed that using onion-routing, one can assume that the adversary is restricted to traffic analysis.
• The unlinkability properties hadn't been proven, and the original protocol is actually insecure.
• We heavily rely on Chaum's ideas, with some limitations to the adversary.
What is unlinkability?
Π - the actual permutation that took place during communication.
C - the information the adversary has: a 0/1 matrix, with 1 indicating a communication line being used.
1. Pr[Π | C] ≈ Pr[Π] (the ratio Pr[Π | C] / Pr[Π] is close to 1).
2. Pr_{c∈C}[ Π conditioned on C = c is close to Π ] ≈ 1.
3. I(Π : C) is small.
[RS93]
Mutual information - I(X:Y) = H(X) + H(Y) - H(X,Y): how much information one random variable conveys about another.
All definitions are equivalent.
Related Work
• Chaumian-MIX
– Unproven security.
– Requires dummy traffic.
– Not efficient.
• Dining Cryptographers
– Proven security.
– Not efficient (all players must play each round).
– Requires shared randomness.
– Requires broadcast.
Related Work
• Crowds
– Proven weak security.
• Busses
– Proven security.
– Not efficient.
• AMPC
– Proven weak security.
– Not efficient.
• RS93
– Proven security.
– Not efficient.
– Requires secure computation.
The Protocol
Forward:
• Alice chooses v1…vT-1 and sets v0 = Alice, vT = Bob.
• Alice randomly chooses r1…rT return keys.
• Each onion layer i contains:
– Address of the next node en route (vi+1).
– Return key ri, saved by node i.
– Unique identifier zi.
– Encrypted onion part sent to vi+1.
• Message return is done in a similar way to Chaum's.
Our Protocol: Example
[Figure: example run of the protocol. Five routes, numbered 1…5, cross layers 0–4; route i's onion parts are labelled i1, i2, i3 and its return message iR.]
Proof Sketch
• Using the following chain rule, we can analyze the route of each player by itself:
I(Π:C) = I(Π(1):C) + I(Π(2):C | Π(1)) + … ≤ α(N)
• The trick is to bound the amount of information the adversary has on each player.
Proof Sketch
• We would like to show that the communications pattern contains a lot of honest crossovers:
[Figure: three crossovers, pairing 1 with 1', 2 with 2', and 3 with 3'.]
• And that these crossovers hide enough information.
Proof Sketch
• We show how to find an embedding of a structure of crossovers in the actual communications pattern.
• We call this structure of crossovers "obscurant networks".
Proof Sketch: Example embedding
[Figure: example embedding of a crossover structure over players 1…5 across five layers of the communications pattern.]
Proof Sketch: Obscurant Networks
• Network – layered directed circuit with the same number of vertices on each layer.
• Crossover Network – each vertex has in-degree and out-degree one or two.
• Oi – the probability distribution of the output when a pebble is put on starting vertex i.
[Figure: a small crossover network; each crossover edge carries probability 0.5, a pass-through edge carries probability 1.]
Proof Sketch
• A network is ε-obscurant if |Oi − UM| ≤ ε (UM being the uniform distribution over the M outputs).
• Example: the butterfly network is 0-obscurant.
• The problem: what happens when log2(M) is not an integer.
• We use two basic components: B4 and P4.
Proof Sketch: Example Network
• Z = 4, k = M − Z = 1, M = 5.
• Init, then repeat t = log(M) + log(1/ε) times.
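As an added example (not code from the talk or the paper), the following Python models a layered crossover network as drawn on these slides, computes the output distribution Oi of a pebble placed on wire i, and reports the smallest ε for which the network is ε-obscurant. It assumes statistical distance for |Oi − UM| and uses a constructed padding gadget for M = 5, not the paper's B4/P4 construction.

```python
# Added example (not from the slides): pebble distributions on a layered
# crossover network, used to check the epsilon-obscurant property.
# Model (an assumption about the slides' figures): a layer is a list of
# disjoint crossovers (a, b); a pebble on wire a or b leaves on a or b with
# probability 1/2 each; wires not named in a layer pass straight through.
# |O_i - U_M| is taken as statistical distance (the slides do not fix the norm).

def apply_layer(dist, layer):
    """One layer of crossovers applied to a probability vector over the M wires."""
    out = list(dist)
    for a, b in layer:
        # The pebble forgets which of the two inputs it arrived on.
        out[a] = out[b] = (dist[a] + dist[b]) / 2.0
    return out

def output_distribution(M, layers, start):
    """O_start: where a pebble placed on wire `start` ends up."""
    dist = [0.0] * M
    dist[start] = 1.0
    for layer in layers:
        dist = apply_layer(dist, layer)
    return dist

def stat_distance(p, q):
    return 0.5 * sum(abs(x - y) for x, y in zip(p, q))

def obscurance(M, layers):
    """Smallest eps such that the network is eps-obscurant: max_i |O_i - U_M|."""
    uniform = [1.0 / M] * M
    return max(stat_distance(output_distribution(M, layers, i), uniform)
               for i in range(M))

def butterfly(M):
    """B_M for M a power of two: layer j pairs the wires that differ in bit j."""
    assert M > 0 and M & (M - 1) == 0, "butterfly needs a power of two"
    layers, bit = [], 1
    while bit < M:
        layers.append([(i, i | bit) for i in range(M) if not i & bit])
        bit <<= 1
    return layers

def padded_network(M, Z, rounds):
    """Constructed stand-in (not the paper's B4/P4 gadget) for M = Z + k wires:
    repeat `rounds` times: B_Z on wires 0..Z-1, then a crossover joining each
    extra wire Z+j to wire Z-1, one extra wire per layer."""
    one_round = butterfly(Z) + [[(Z - 1, Z + j)] for j in range(M - Z)]
    return one_round * rounds

if __name__ == "__main__":
    print("B4 obscurance:", obscurance(4, butterfly(4)))  # 0.0
    for t in (1, 2, 3):
        print(f"M=5, {t} round(s):", obscurance(5, padded_network(5, 4, t)))
```

With M = 5 the single pass-through wire is the worst-case start, and repeating the round drives its ε down (0.6 after one round, 0.084375 after three), which is the effect the "repeat t times" step on the slide relies on.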
Proof Sketch: Making sure we find an embedding
• Lemma [Alo01]: Let G = (V, E) be a graph and assume |E| ≥ f · C(|V|, 2). Then
Pr_{a,b,c,d ∈ V}[ (a,c), (a,d), (b,c), (b,d) ∈ E ] ≥ f^4.
• Meaning: we have a probability of finding all-honest crossovers.
Proof Sketch: Prior Information
• Link each vertex vi(t) with vi(T−t), and reveal all data to the adversary if either one is adaptive.
• Effectively we have created a folding of the network:
[Figure: the five routes of the example network folded in the middle, pairing step t with step T−t.]
Proof Sketch
• We receive the same game, with T/2 steps and f² probability of an honest link.
• We show that I(Π(T) : C=(C1,C2)) ≤ I(Π(T/2) : C1,C2).
Conclusion
Theorem: Assume our protocol runs in a network with N nodes, N(N−1)/2 communication links, some constant fraction of which are honest. Then the protocol is α(n)-unlinkable when T ≥ Ω(log(N)·log2(N/α(n))).
Future Work
• Incomplete network graph.
• Malicious behavior.
• Multi-shot games.
• Dynamic network topology changes.
Applications
• More realistic approach – a link is honest some of the time.
• Donor privacy – the ability to donate items and answer requests without being identified.
Questions?