Provable Protocols for Unlinkability

Ron Berman, Amos Fiat, Amnon Ta-Shma

Tel Aviv University

Posted on 06-Jan-2016


TRANSCRIPT

Page 1: Provable Protocols for Unlinkability

Provable Protocols for Unlinkability

Ron Berman, Amos Fiat, Amnon Ta-Shma

Tel Aviv University

Page 2: Provable Protocols for Unlinkability

Unlinkability

– S: Set of message initiators

– T: Set of message recipients

– Every s ∈ S sends a message to some t ∈ T and [may] request a response

– Goal: Prevent adversary from knowing who is talking to whom

Adversary may control all nodes in T and many other nodes and links in the network

[Figure: Alice asks Tom "Please get me the Al-Qaeda manual"; Bob asks Harry "Please get me the George W. State of the Union address"; each recipient replies "Ok, here it is" over the Internet; an FBI agent observes the network, seeing s ∈ S talking to T.]

Page 3: Provable Protocols for Unlinkability

The model

• A complete graph of N nodes

• The adversary is capable of eavesdropping on almost all links: an ε fraction of the links are “honest”

• The adversary may also control almost all nodes, subject to the above

• A public key infrastructure is in place

• A set S of M nodes wish to send unlinkable [two way] communications to a set T of M nodes

• The Adversary is adaptive but not malicious, i.e., the Adversary cannot corrupt or discard messages.

[Figure legend: Honest; Adversary Controlled]

Page 4: Provable Protocols for Unlinkability

Prior Work

• Seminal papers of David Chaum, 1979, 1981

– Reduction to traffic analysis (Onion Routing)

– “Chaumian Mixes”

• Literally dozens (hundreds?) of papers since, dedicated conferences, etc., etc.

• Many implementations

• Typical paper:

– Attack on prior protocol(s)

– Suggest new protocol

– Repeat

• Very few attempts to give rigorous definitions, let alone proofs

• Notable exception: Rackoff and Simon, 1993

Page 5: Provable Protocols for Unlinkability

General Structure: Chaumian Mixes

• Choose a random path and send message along path

• Hope for sufficiently many collisions along path

• If N nodes, and polylog(N) length path, then essentially need all nodes to send messages

• Does not matter how many nodes actually want to send messages, many dummy messages required.

Many attacks, counter measures, counter attacks, counter counter measures, etc.

Page 6: Provable Protocols for Unlinkability

Chaum’s reduction to traffic analysis: Onion Routing

[Figure: path A → B → C → D → E; each hop peels one layer of the onion]

What A sends to B:

$$\mathrm{ENC}_{\mathrm{Pub}_B}\big(\mathrm{ENC}_{\mathrm{Pub}_C}\big(\mathrm{ENC}_{\mathrm{Pub}_D}\big(\mathrm{ENC}_{\mathrm{Pub}_E}(m, R_E), R_D\big), R_C\big), R_B\big)$$

What B forwards to C:

$$\mathrm{ENC}_{\mathrm{Pub}_C}\big(\mathrm{ENC}_{\mathrm{Pub}_D}\big(\mathrm{ENC}_{\mathrm{Pub}_E}(m, R_E), R_D\big), R_C\big)$$

What C forwards to D:

$$\mathrm{ENC}_{\mathrm{Pub}_D}\big(\mathrm{ENC}_{\mathrm{Pub}_E}(m, R_E), R_D\big)$$

$R_B, R_C, R_D, R_E$ are random values, one per hop, stripped when the corresponding layer is removed.

Note: messages are same length

Page 7: Provable Protocols for Unlinkability

Prior work: Chaumian Mixes

[Figure: adversary nodes A and A' send through one honest node (the mix) to adversary nodes C and C'; all links shown are adversary links]

Honest nodes are used to prevent the adversary from knowing how messages were routed: A to C, A’ to C’, or A to C’, A’ to C.

Page 8: Provable Protocols for Unlinkability

Our Results

• New definitions of unlinkability based on information theory

• Prove equivalence to Rackoff-Simon definitions

• Prove that a suitable modification of Chaum’s original protocol is secure

• Argue that many previous “informal arguments” must be wrong

• Improve (?) on Rackoff-Simon in many ways:

– Adaptive adversary, allow arbitrary prior knowledge

– No secure computation

– Much, much, simpler

– Much more efficient. No need to flood network with dummy messages

– Weaker attack model (not all links are under adversary control) (New definition of improve)

Page 9: Provable Protocols for Unlinkability

Only Traffic Analysis

• We will simply assume during this talk that the adversary cannot do anything except eavesdrop on traffic

– An adversary controlled link reports on all traffic through the link

– An adversary controlled node reports on all traffic through the node and how routing was done

Page 10: Provable Protocols for Unlinkability

How to define Unlinkability

• Π – Random variable, permutation from S to T, [may be drawn from arbitrary prior distribution]

• C – Random variable, gives all the adversary learns during communications

Page 11: Provable Protocols for Unlinkability

How to define Unlinkability

Rackoff and Simon: Let n be a security parameter, C and Π as before.

For all $\pi_1, \pi_2$:

$$\sum_{c} \Big| \Pr(C = c \mid \Pi = \pi_1) - \Pr(C = c \mid \Pi = \pi_2) \Big| \le \epsilon(n)$$

where the sum ranges over all possible transcripts c.

(We’re ignoring the issue of computational indistinguishability in this talk) (R&S only allow the uniform prior distribution)

Page 12: Provable Protocols for Unlinkability

Other Definitions (Equivalent)

$$\Pr_{c \leftarrow C}\Big[\, \big\| \Pr(\Pi \mid C = c) - \Pr(\Pi) \big\|_1 \le \epsilon(n) \Big] \ge 1 - \epsilon(n)$$

$$\mathbb{E}_{c \leftarrow C}\, \big\| \Pr(\Pi \mid C = c) - \Pr(\Pi) \big\|_1 \le \epsilon(n)$$

$$I(\Pi : C) \le \epsilon(n)$$

We need the following observation to prove these equivalences, for $0 \le \alpha \le 1$:

$$\Pr_{b \leftarrow B}\Big[\, \big\| (A \mid B = b) - A \big\|_1 \ge \alpha \Big] \le \frac{2 \ln 2 \cdot I(A:B)}{\alpha^2}$$

Is this new? Seems unlikely.

Page 13: Provable Protocols for Unlinkability

Why use I(A:B) rather than $\|\cdot\|_1$?

I(A:B) is monotonic:

$$I(A:B) \le I(A:BC)$$

Let A be a random variable giving the number of heads in 10 coin tosses. Let B be the binomial distribution for the number of heads in 10 coin tosses. Let C be a random variable giving the number of heads in the first coin toss. Let D be a random variable giving the number of heads in the 2nd coin toss.

$$\big\| (A \mid C = 1) - B \big\|_1 = 63/256 > 0 = \| A - B \|_1$$

$\|\cdot\|_1$ is not monotonic (the little birdy principle does not work):

$$\big\| (A \mid C = 1, D = 0) - B \big\|_1 = 7/64 < 63/256 = \big\| (A \mid C = 1) - B \big\|_1$$

The intuition: the “closer” to the prior, B, the less information the adversary has
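The coin-toss numbers on this slide can be checked exactly. The following is an added example, not code from the talk or its authors: it enumerates all 2^10 toss sequences, computes the L1 distance between the adversary's posterior on A and the prior B after learning C=1 and after learning C=1, D=0, and computes I(A:C) and I(A:CD). The distance to the prior shrinks when more is leaked, while the mutual information grows, which is exactly why the talk prefers I(A:B) as the measure. Variable names follow the slide; the helper names are my own.

```python
from fractions import Fraction
from itertools import product
from math import log2

# Setup as on the slide: A = number of heads in 10 fair coin tosses,
# B = the binomial prior of A, C = result of the 1st toss, D = result of the 2nd.
N_TOSSES = 10


def joint_distribution():
    """Exact joint distribution of (A, C, D), enumerating all 2^10 toss sequences."""
    joint = {}
    for tosses in product((0, 1), repeat=N_TOSSES):
        key = (sum(tosses), tosses[0], tosses[1])
        joint[key] = joint.get(key, Fraction(0)) + Fraction(1, 2 ** N_TOSSES)
    return joint


JOINT = joint_distribution()


def posterior_of_a(event):
    """Distribution of A conditioned on event(c, d); with event always true it is the prior B."""
    dist = {}
    for (a, c, d), p in JOINT.items():
        if event(c, d):
            dist[a] = dist.get(a, Fraction(0)) + p
    mass = sum(dist.values())
    return {a: p / mass for a, p in dist.items()}


def l1_distance(p, q):
    """||p - q||_1 over the union of the two supports."""
    return sum(abs(p.get(k, 0) - q.get(k, 0)) for k in set(p) | set(q))


def mutual_information(pair):
    """I(X:Y) in bits for a joint distribution given as {(x, y): probability}."""
    px, py = {}, {}
    for (x, y), p in pair.items():
        px[x] = px.get(x, 0) + p
        py[y] = py.get(y, 0) + p
    return sum(float(p) * log2(float(p / (px[x] * py[y]))) for (x, y), p in pair.items() if p)


PRIOR = posterior_of_a(lambda c, d: True)  # B, the binomial prior


def l1_given_first_toss():
    """||(A | C=1) - B||_1, the slide's 63/256."""
    return l1_distance(posterior_of_a(lambda c, d: c == 1), PRIOR)


def l1_given_two_tosses():
    """||(A | C=1, D=0) - B||_1, the slide's 7/64: more was revealed, yet the posterior is closer to B."""
    return l1_distance(posterior_of_a(lambda c, d: c == 1 and d == 0), PRIOR)


def info_first_toss():
    """I(A:C), information the first toss gives about the tally."""
    pair = {}
    for (a, c, d), p in JOINT.items():
        pair[(a, c)] = pair.get((a, c), 0) + p
    return mutual_information(pair)


def info_two_tosses():
    """I(A:CD), never smaller than I(A:C): the monotonicity that the L1 distance lacks."""
    pair = {}
    for (a, c, d), p in JOINT.items():
        pair[(a, (c, d))] = pair.get((a, (c, d)), 0) + p
    return mutual_information(pair)


if __name__ == "__main__":
    print("||(A|C=1) - B||_1     =", l1_given_first_toss())
    print("||(A|C=1,D=0) - B||_1 =", l1_given_two_tosses())
    print("I(A:C)  bits =", round(info_first_toss(), 4))
    print("I(A:CD) bits =", round(info_two_tosses(), 4))
```

Running it reproduces 63/256 and 7/64 exactly (the arithmetic is done in Fractions), and shows I(A:CD) > I(A:C) > 0: the second toss strictly increases what the adversary knows about A even though it moves the posterior back toward the prior.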

Page 14: Provable Protocols for Unlinkability

The Little Birdy Principle

• Richard M. Karp (1988):

– Revealing more information to the adversary only makes his/her life easier

– Certainly true in the context of computational complexity

• Is this true in the context of unlinkability?

– Depends on the definition of unlinkability

– Many previous papers implicitly make use of the little birdy principle in informal arguments

– Does not hold for the Rackoff-Simon definitions

Page 15: Provable Protocols for Unlinkability

How could this possibly be?

• The little birdy principle must hold, it’s obvious, isn’t it?

• Actually, in some form it does hold, it holds on average

• The reason that it does not always hold is that in some circumstances, revealing more information (selected information), only “confuses” the adversary

• There must be a good political joke here somewhere, but I could not figure it out

Page 16: Provable Protocols for Unlinkability

How to prove unlinkability

• Define Protocol

• Define Obscurant Network

• Construct Obscurant Networks

• Search for Obscurant Network “embedding” within execution of protocol (Uses Little Birdy Principle)

• Extend result to allow prior information: Use “protocol folding” (Uses Little Birdy Principle)

Page 17: Provable Protocols for Unlinkability

The protocol

Nodes wishing to send messages (and only nodes wishing to send messages):

– Choose a random path of length polylog(N)

– Use Chaum’s onion routing to send and receive messages along this path

Page 18: Provable Protocols for Unlinkability

Silly, isn’t it?

• If only 100 messages are initiated, and there are 10^6 nodes in the network, there will be no collisions

• If the adversary controls all links then the adversary knows exactly who is talking to whom

• Change attack model: adversary controls all but an arbitrarily small constant fraction of the links

Page 19: Provable Protocols for Unlinkability

The protocol

[Figure: paths through nodes A–H drawn in layers 1 to 5; legend: honest link with traffic, adversary controlled link (no traffic), adversary controlled link with traffic, honest link with no traffic, adversary controlled node]

Page 20: Provable Protocols for Unlinkability

Introducing ambiguity via links

[Figure: two alternative routings ("Or") of A, A’, A’’ to B, B’, B’’ that look identical to the adversary; legend: honest link with traffic, adversary controlled link (no traffic)]

A crossover structure of honest links introduces ambiguity

Page 21: Provable Protocols for Unlinkability

Obscurant Networks

• A network with crossover switches such that a pebble placed on the inputs, and setting all crossovers uniformly at random, will result in a uniform distribution over the outputs

• Example: Butterfly network

• Important: an obscurant network does not obscure permutations

• What about non-powers of 2?

[Figure: butterfly network with nodes labelled v4–v7, v11–v14, v18–v21]

Page 22: Provable Protocols for Unlinkability

Obscurant Networks of all sizes

[Figure: butterfly blocks of width 2, 3 and 4 (nodes v1–v51, ...) chained together with "Repeat"; annotations: "Uniformly at random for these nodes" on two of the blocks, "Average the probability mass"]

Page 23: Provable Protocols for Unlinkability

Do permutation obscurant networks exist??

– Don’t know, open problem.

• Don’t you need a permutation obscurant network??

– Yes, and no, what we actually find are repeated embeddings of [single pebble] obscurant networks
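The two claims above, that a butterfly is a (single pebble) obscurant network and that an obscurant network does not obscure permutations, can both be verified by exhaustive enumeration on small widths. The following is an added example, not code from the talk or its authors. It assumes the standard butterfly wiring (layer j holds a crossover switch between wire i and wire i XOR 2^j; this wiring is my assumption, the slide only names the network), sets every switch uniformly at random, and computes the exact output distribution of one pebble, of a pair of pebbles, and of a full set of pebbles.

```python
from fractions import Fraction
from itertools import product
from math import factorial


def butterfly_layers(n):
    """Crossover switches of a butterfly on n = 2^k wires, as a list of layers of (a, b) wire pairs.
    Assumed wiring: layer j switches wire i with wire i XOR 2^j."""
    k = n.bit_length() - 1
    if 1 << k != n:
        raise ValueError("butterfly width must be a power of two")
    return [[(i, i ^ (1 << j)) for i in range(n) if i < i ^ (1 << j)] for j in range(k)]


def route(pebbles, layers, settings):
    """Push the pebbles through the network; settings[j][s] == 1 means switch s of layer j is crossed."""
    pos = list(pebbles)
    for layer, bits in zip(layers, settings):
        for (a, b), crossed in zip(layer, bits):
            if crossed:
                pos = [b if p == a else a if p == b else p for p in pos]
    return tuple(pos)


def output_distribution(n, pebbles):
    """Exact distribution of the pebbles' output wires when every switch is set uniformly at random."""
    layers = butterfly_layers(n)
    counts, total = {}, 0
    for settings in product(*[list(product((0, 1), repeat=len(layer))) for layer in layers]):
        out = route(pebbles, layers, settings)
        counts[out] = counts.get(out, 0) + 1
        total += 1
    return {out: Fraction(c, total) for out, c in counts.items()}


def single_pebble_is_uniform(n):
    """The obscurant property: one pebble on input 0 lands on each output wire with probability 1/n."""
    dist = output_distribution(n, (0,))
    return len(dist) == n and all(p == Fraction(1, n) for p in dist.values())


def pair_is_uniform(n):
    """Two pebbles on inputs 0 and 1: is the pair of outputs uniform over all n(n-1) ordered pairs?"""
    dist = output_distribution(n, (0, 1))
    return len(dist) == n * (n - 1) and all(p == Fraction(1, n * (n - 1)) for p in dist.values())


def reaches_every_permutation(n):
    """n pebbles, one per input: can the network produce all n! permutations at all?"""
    dist = output_distribution(n, tuple(range(n)))
    return len(dist) == factorial(n)


if __name__ == "__main__":
    for width in (4, 8):
        print(f"width {width}: single pebble uniform = {single_pebble_is_uniform(width)}")
    print("width 4: pair of pebbles uniform =", pair_is_uniform(4))
    print("width 4: all 4! permutations reachable =", reaches_every_permutation(4))
```

For width 4 a single pebble is uniform over the four outputs, but two pebbles that share the first switch can never both exit on even-numbered wires, so only 8 of the 12 ordered pairs occur; and with 4 switches there are at most 16 settings against 24 permutations. That is the gap between "single pebble obscurant" and "permutation obscurant" that the proof has to bridge with repeated embeddings.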

Page 24: Provable Protocols for Unlinkability

A combinatorial lemma (N. Alon, FOCS 2001)

• Given a graph with a constant fraction, f, of the total edges

– Choose 4 nodes at random

– A crossover network will connect them with probability $f^4$

• f is the fraction of honest edges

[Figure: crossover between nodes A, A’ and B, B’]

Page 25: Provable Protocols for Unlinkability

Strategy

• Reveal all links used in every 2nd layer, this is to make pairs of layers independent choices of four nodes

• For a sufficiently long set of paths, find an obscurant network in the execution of the protocol

• Reveal all other edges

• This revelation should not harm the protocol (requires some effort)

Page 26: Provable Protocols for Unlinkability

Strategy (continued)

• How do we move from [single pebble] obscurant to unlinkable?

• Reveal the jth path (as a proof technique!!) to argue about the others

$$I(\Pi : C) = I(C : \Pi(1)) + I(C : \Pi(2) \mid \Pi(1)) + \dots + I(C : \Pi(M) \mid \Pi(1), \Pi(2), \dots, \Pi(M-1))$$

Page 27: Provable Protocols for Unlinkability

Dealing with Prior Information

[Figure: the protocol execution over nodes A–H, drawn once with layers 1–5 and once with layers 1–4; legend as on the protocol slide: honest link with traffic, adversary controlled link (no traffic), adversary controlled link with traffic, honest link with no traffic, adversary controlled node]

Reveal to the adversary the relationship between layer i and layer 6-i

Page 28: Provable Protocols for Unlinkability

Dealing with Prior Information: Folding the Network upon itself

[Figure: the network folded so that layers 1–3 carry both folds over nodes A–H; legend: honest link, no traffic (in both folds); honest link with traffic (in both folds); adversary controlled link (no traffic) from left fold; adversary controlled node from left fold; adversary controlled link with traffic from left fold; adversary controlled link (no traffic) from right fold; adversary controlled node from right fold; adversary controlled link with traffic from right fold]

Page 29: Provable Protocols for Unlinkability

Completing the Argument: Prior Information

Write $C_1$ and $C_2$ for the adversary’s view of the left and right fold, and $\Pi^{(T)}$ for the permutation realised by all T levels.

$$I(\Pi^{(T)} : C_1, C_2) = I(\Pi^{(T)} : C_2) + I(\Pi^{(T)} : C_1 \mid C_2)$$

$$I(\Pi^{(T/2)} : C_1 \mid C_2) \le I(\Pi^{(T/2)} : C_1, C_2)$$

$I(\Pi^{(T)} : C_2) = 0$, because the distributions $(\Pi^{(T)} \mid C_2 = c_2^{1})$ and $(\Pi^{(T)} \mid C_2 = c_2^{2})$ are identical for every $c_2^{1}, c_2^{2}$ (choose the last T-1 levels at random, and fill in the 1st level to get the permutation).

Given the middle permutation, and $c_2 \in C_2$, we can compute π, thus the data processing inequality holds and $I(\Pi^{(T)} : C_1 \mid C_2)$ is bounded by the corresponding quantity for the folded network with T/2 levels.