1

Analyzing Anonymity Protocols

1. Analyzing onion-routing security1. Anonymity Analysis of Onion Routing in the

Universally Composable Frameworkin Provable Privacy Workshop 2012

2. A Probabilistic Analysis of Onion Routing in a Black-box Modelin TISSEC (forthcoming)

by Joan Feigenbaum, Aaron Johnson, and Paul Syverson

2. Analyzing Dissent security1. Ongoing work with Ewa Syta, Henry Corrigan-

Gibbs, Shu-Chun Weng, and Bryan Ford

2

Analyzing Onion-Routing Security

● Abstract (black-box) model of onion routing● Use Universally Composable (UC)

framework● Focus on information leaked● Perform anonymity analysis on model

3

Onion-Routing Ideal Functionality

u with probability bø with probability 1-b

x

y

Upon receiving destination d from user U

d with probability bø with probability 1-b

Send (x,y) to the adversary.

FOR

4

Black-box Model

● Ideal functionality FOR

● Environment assumptions– Each user gets a destination– Destination for user u chosen from distribution pu

● Adversary compromises a fraction b of routers before execution

5

Anonymity Analysis of Black Box

● Can lower bound expected anonymity with standard approximation: b2 + (1-b2)pu

d

● Worst case for anonymity is when user acts exactly unlike or exactly like others

● Worst-case anonymity is typically as if √b routers compromised: b + (1-b)pu

d

● Anonymity in typical situations approaches lower bound

6

Other ideal functionality

● Provably Secure and Practical Onion Routingby Backes, Kate, Goldberg, and MohammadiComputer Security Foundations Symposium 2012

● Functional primitive● Shown to UC-emulate FOR

7

Analyzing Dissent security

● Fully rigorous definitions and proofs– Anonymity– Accountability– Integrity

● Standard sequence-of-games anonymity proofs

● Discovered flaws

8

Discovered flaws

1. Adversary can unaccountably duplicate honest users’ plaintexts.

2. Commitments must be non-malleable.

3. Adversary can submit self-duplicates to cause failure with no blame.

4. Equivocation during broadcast can cause inconsistent final state.

5. Some validation checks missing

9

Discovered Shuffle Flaws

1 2 3

{I1}1:3

{I2}1:3

{I3}1:3

{I2}2:3

{I1}2:3

{I3}2:3

{I1}3

{I3}3

{I2}3

I2

I3

I1

m2

m3

m1

10

Discovered Shuffle Flaws

1 2 3

{I2}1:3

{I2}1:3

{I3}1:3

{I2}2:3

{I2}2:3

{I3}2:3

{I2}3

{I3}3

{I2}3

I2

I3

I2

Problem 1: Client duplication, no blamed

?

?

11

Discovered Shuffle Flaws

1 2 3

{I2}1:3

{I2}1:3

{I3}1:3

{I2}2:3

{I2}2:3

{I3}2:3

{I2}3

{I3}3

{I2}3

I2

I3

I2

Problem 1: Client duplication, no blamedSolution: Commit to messages first.

12

Discovered Shuffle Flaws

1 2 3

{I2}1:3

{I2}1:3

{I3}1:3

{I2}2:3

{I2}2:3

{I3}2:3

{I2}3

{I3}3

{I2}3

I2

I3

I2

Problem 1: Client duplication, no blamedSolution: Commit to messages first

non-malleably.

13

Discovered flaws

1. Adversary can unaccountably duplicate honest users’ plaintexts.

2. Commitments must be non-malleable.

3. Adversary can submit self-duplicates to cause failure with no blame.

4. Equivocation during broadcast can cause inconsistent final state.

5. Some validation checks missing

14

Discovered flaws

1. Adversary can unaccountably duplicate honest users’ plaintexts.

2. Commitments must be non-malleable.

3. Adversary can submit self-duplicates to cause failure with no blame.

4. Equivocation during broadcast can cause inconsistent final state.

5. Some validation checks missing

15

Discovered flaws

1. Adversary can unaccountably duplicate honest users’ plaintexts.

2. Commitments must be non-malleable.

3. Adversary can submit self-duplicates to cause failure with no blame.

4. Equivocation during broadcast can cause inconsistent final state.

5. Some validation checks missing

16

Discovered Shuffle Flaws

1 2 3

{I1}1:3

{I1}1:3

{I3}1:3

{I1}2:3

{I1}2:3

{I3}2:3

{I1}3

{I1}3

{I1}3

I1

I3

I1

Problem 3: Self-duplication, no blamed

?

?

17

Discovered Shuffle Flaws

1 2 3

{I1}1:3

{I1}1:3

{I3}1:3

{I1}2:3

{I1}2:3

{I3}2:3

{I1}3

{I1}3

{I1}3

I1

I3

I1

Problem 3: Self-duplication, no blamedSolution: Blame duplicate submitters.

18

Discovered flaws

1. Adversary can unaccountably duplicate honest users’ plaintexts.

2. Commitments must be non-malleable.

3. Adversary can submit self-duplicates to cause failure with no blame.

4. Equivocation during broadcast can cause inconsistent final state.

5. Some validation checks missing

19

Discovered flaws

1. Adversary can unaccountably duplicate honest users’ plaintexts.

2. Commitments must be non-malleable.

3. Adversary can submit self-duplicates to cause failure with no blame.

4. Equivocation during broadcast can cause inconsistent final state.

5. Some validation checks missing

20

Modified Dissent

1. Users non-malleably commit to messages before submission.

2. Duplicate submission punished

3. Explicit reliable broadcasts added

4. Several validation checks added with blame

5. Honest members guaranteed to agree on who to blame

21

UC Framework

● Express security primitive as an ideal functionality F

● Construct a protocol Π that UC emulates F● Running Π can replace using F in any

protocol – security composes

22

Sequence of Games Anonymity Proof

● Game 0: Original anonymity game● Game 1: Replace encrypted descriptors

during shuffle with encrypted fixed messages● Game 2: Replace encrypted random seeds

after shuffle with encrypted fixed messages● Game 3: Replace pseudorandom sequences

with random sequences

23

Discovered Shuffle Flaws

1 2 3

{I1}1:3

{I2}1:3

{I3}1:3

{I2}2:3

{I2}2:3

{I3}2:3

{I2}3

{I3}3

{I2}3

I2

I3

I2

m2

m3

m2

Problem 0: Shuffle duplication attack

24

Discovered Shuffle Flaws

1 2 3

{I1}1:3

{I2}1:3

{I3}1:3

{I2}2:3

{I2}2:3

{I3}2:3

{I2}3

{I3}3

{I2}3

I2

I3

I2

Problem 0: Shuffle duplication attackSolution: Duplicates cause NO-GO.

Blame lying shuffle.