aaron johnson (yale) with joan feigenbaum (yale) paul syverson (nrl)

A Probabilistic Analysis of Onion Routing in a Black-box

Model10/29/2007

Workshop on Privacy in the Electronic Society

Aaron Johnson (Yale)

with

Joan Feigenbaum (Yale)

Paul Syverson (NRL)

Contributions

Contributions1. Use a black-box abstraction to create a

probabilistic model of onion routing



2. Analyze unlinkabilitya. Provide worst-case bounds

b. Examine a typical case

Related Work• A Model of Onion Routing with Provable

AnonymityJ. Feigenbaum, A. Johnson, and P. SyversonFC 2007

• Towards an Analysis of Onion Routing SecurityP. Syverson, G. Tsudik, M. Reed, and C. LandwehrPET 2000

• An Analysis of the Degradation of Anonymous ProtocolsM. Wright, M. Adler, B. Levine, and C. ShieldsNDSS 2002

Anonymous Communication

• Sender anonymity: Adversary can’t determine the sender of a given message

• Receiver anonymity: Adversary can’t determine the receiver of a given message

• Unlinkability: Adversary can’t determine who talks to whom

How Onion Routing Works

User u running client Internet destination d

Routers running servers

u d

1 2

3

45


u d

1. u creates 3-hop circuit through routers

1 2

3

45


u d


2. u opens a stream in the circuit to d

1 2

3

45


u d



3. Data is exchanged

{{{m}3}4}1 1 2

3

45


u d




{{m}3}4

1 2

3

45


u d




{m}3

1 2

3

45


u d




m

1 2

3

45


u d




m’

1 2

3

45


u d




{m’}3

1 2

3

45


u d




{{m’}3}4

1 2

3

45


u d




{{{m’}3}4}11 2

3

45


u d



3. Data is exchanged.

4. Stream is closed.

1 2

3

45


u



3. Data is exchanged.

4. Stream is closed.

5. Circuit is changed every few minutes.

1 2

3

45

d

Adversary

u

1 2

3

45

d

Active & Local

Anonymity

u 1 2

3

45

d

1.

2.

3.

4.

v

w

e

f

Anonymity

u 1 2

3

45

d

1. First router compromised

2.

3.

4.

v

w

e

f

Anonymity

u 1 2

3

45

d


2. Last router compromised

3.

4.

v

w

e

f

Anonymity

u 1 2

3

45

d



3. First and last compromised

4.

v

w

e

f

Anonymity

u 1 2

3

45

d



3. First and last compromised

4. Neither first nor last compromised

v

w

e

f

Black-box Abstraction

u d

v

w

e

f


u d

v

w

e

f

1. Users choose a destination


u d

v

w

e

f


2. Some inputs are observed


u d

v

w

e

f


2. Some inputs are observed

3. Some outputs are observed

Black-box Anonymity

u d

v

w

e

f

• The adversary can link observed inputs and outputs of the same user.

Black-box Anonymity

u d

v

w

e

f

• The adversary can link observed inputs and outputs of the same user.

• Any configuration consistent with these observations is indistinguishable to the adversary.

Probabilistic Black-box

u d

v

w

e

f


u d

v

w

e

f

• Each user v selects a destination from distribution pv

pu


u d

v

w

e

f

• Each user v selects a destination from distribution pv

• Inputs and outputs are observed independently with probability b

pu

Probabilistic Anonymityu dvw

ef

u dvw

ef

u dvw

ef

u dvw

ef

Indistinguishable configurations

Probabilistic Anonymityu dvw

ef

u dvw

ef

u dvw

ef

u dvw

ef

Indistinguishable configurations

Conditional distribution: Pr[ud] = 1

Black Box ModelLet U be the set of users.

Let be the set of destinations.

Configuration C• User destinations CD : U• Observed inputs CI : U{0,1}

• Observed outputs CO : U{0,1}

Let X be a random configuration such that:

Pr[X=C] = u puCD(u)

bCI(u) (1-b)1-CI(u) bCO(u) (1-b)1-CO(u)

Probabilistic Anonymity

The metric Y for the unlinkability of u and d in C is:

Y(C) = Pr[XD(u)=d | XC]

Note: There are several other candidates for a probabilistic anonymity metric, e.g. entropy







Exact Bayesian inference

• Adversary after long-term intersection attack

• Worst-case adversary




Exact Bayesian inference

• Adversary after long-term intersection attack

• Worst-case adversary

Unlinkability given that u visits d:

E[Y | XD(u)=d]

Worst-case Anonymity


Theorem 1: The maximum of E[Y | XD(u)=d] over (pv)vu occurs when

1. pv=1 for all vu OR

2. pvd=1 for all vu

Let pu1 pu

2 pud-1 pu

d+1 … pu

Show max. occurs when, for all vu,ev = d orev = .


Theorem 1: The maximum of E[Y | XD(u)=d] over (pv)vu occurs when

1. pv=1 for all vu OR

2. pvd=1 for all vu

Let pu1 pu

2 pud-1 pu

d+1 … pu

Show max. occurs when, for all vu, pv

ev = 1 for

some ev.

Show max. occurs when ev=d for all vu, or whenev = for all vu.

Worst-case EstimatesLet n be the number of users.

Worst-case Estimates

Theorem 2: When pv=1 for all vu:

E[Y | XD(u)=d] = b + b(1-b)pud +

(1-b)2 pud [(1-b)/(1-(1- pu

)b)) + O(logn/n)]

Let n be the number of users.



E[Y | XD(u)=d] = b + b(1-b)pud +

(1-b)2 pud [(1-b)/(1-(1- pu

)b)) + O(logn/n)]

Theorem 3: When pvd=1 for all vu:

E[Y | XD(u)=d] = b2 + b(1-b)pud +

(1-b) pud/(1-(1- pu

d)b) + O(logn/n)]




E[Y | XD(u)=d] = b + b(1-b)pud +

(1-b)2 pud [(1-b)/(1-(1- pu

)b)) + O(logn/n)]




E[Y | XD(u)=d] = b + b(1-b)pud +

(1-b)2 pud [(1-b)/(1-(1- pu

)b)) + O(logn/n)]

b + (1-b) pud




E[Y | XD(u)=d] = b + b(1-b)pud +

(1-b)2 pud [(1-b)/(1-(1- pu

)b)) + O(logn/n)]

b + (1-b) pud

E[Y | XD(u)=d] b2 + (1-b2) pud




E[Y | XD(u)=d] = b + b(1-b)pud +

(1-b)2 pud [(1-b)/(1-(1- pu

)b)) + O(logn/n)]

b + (1-b) pud

E[Y | XD(u)=d] b2 + (1-b2) pud


Increased chance of total compromise from b2 to b.

Typical Case

Let each user select from the Zipfian distribution: pdi

= 1/(is)

Theorem 4:E[Y | XD(u)=d] = b2 + (1 − b2)pu

d+ O(1/n)

Typical Case

Let each user select from the Zipfian distribution: pdi

= 1/(is)

Theorem 4:E[Y | XD(u)=d] = b2 + (1 − b2)pu

d+ O(1/n)E[Y | XD(u)=d] b2 + (1 − b2)pu

d



2. Analyze unlinkabilitya. Provide worst-case bounds

b. Examine a typical case

Future Work

1. Extend analysis to other types of anonymity and to other systems.

2. Examine how quickly users distribution are learned.

3. Analyze timing attacks.

aaron johnson (yale) with joan feigenbaum (yale) paul syverson (nrl)

Documents

routers u

onion routing worksu

provable anonymity

given messageunlinkability

blackbox abstraction

syverson fc

shields ndss

landwehr pet