Anonymity without Anonymity without Sacrificing Performance Sacrificing Performance Enhanced Nymble System with Distributed Architecture

CS 858 Project PresentationOmid Ardakanian*

Nam Pham*

*David R. Cheriton School of Computer Science, University of Waterloo

OutlineOutline Introduction

◦ Review of Nymble

◦ New goals

Ring Signature for dummies!

Proposed Solution

◦ Distributed Pseudonym Manager

◦ Distributed Nymble Manager

Analysis

Future Work

Summary

Review of NymbleReview of Nymble

Nymble WeaknessesNymble Weaknesses

Collusion between NM and PM◦De-anonymizes the network

◦Reveals user behavior

TTPs are single point of failureScalability problem

Related WorkRelated WorkBLacklistable Anonymous Credential

(BLAC)

◦ Pros: Eliminates the reliance of TTPs

◦ Cons: Suffers from severe bottleneck at the side of Service Providers

PEREA

◦ Pros: Computation is linear in the size of the blacklist

◦ Cons: Performance is still a problem

New goalsNew goals

Maintaining security properties of original Nymble Design◦Mis-authentication resistance

◦Blacklistability

◦Anonymity and Non-frameability

Enhancements◦Unconditional Anonymity

◦Scalability & Robustness

Proposed SolutionsProposed Solutions

Consists of two main parts:

◦Distributing Pseudonym Manager

◦Distributing Nymble Manager

Ring SignatureRing Signature

By Rivest, Shamir and Tauman◦A group member can sign a message

on behalf of the group without revealing her identity.

◦Ring signature is created on demand! No setup procedure or agreement

Distributing Pseudonym Distributing Pseudonym ManagerManager

User PM

IP address

pnym

Previously

Motivation If a pseudonym can

represent an IP, why don’t we use it recursively?

Alice PMi

IPA

Round 1Round 1

PM1

PM2

PMn

Alice◦Chooses a random index i◦Connects to PMi directly with her IPA

◦Requests a pseudonym for the next round

Alice PMj

IPAIPA

Round 1 (cont’d)Round 1 (cont’d)

PM1

PM2

PMn

PMi ◦Generates a codename for Alice◦Signs using a ring signature scheme◦Informs all other PMs

“IPA has been issued a pseudonym in round 1”

IPA

IPA

Alice PMi

Codename +

AckIPA

Round 1 (cont’d)Round 1 (cont’d)

PM1

PM2

PMn

PMi ◦Waits for Acknowledgements from

other PMs◦Sends ‘codename’ back to Alice

Ack

Ack

Somebody PMj

codename

Round 2Round 2

PM1

PM2

PMn

Alice◦Chooses another random index j

◦Connects to PMj anonymously using Tor

◦Requests a pseudonym to connect to NM

Somebody PMj

codenamecodename +

Round 2 (cont’d)Round 2 (cont’d)

PM1

PM2

PMn

PMj ◦Verifies the validity of <codename,

signature>◦Creates a pnym for that ‘somebody’

◦Signs pnym using a ring signature scheme◦ Informs all other PMs: “The guy with ‘codename’

has been issued a pseudonym in round 2”

codename

codename

Somebody PMjpnym +

Ack

Round 2 (cont’d)Round 2 (cont’d)

PM1

PM2

PMn

PMj ◦Waits for Acknowledgement from other

PMs◦Sends <pnym, signature> back to the

user

Ack

Ack

Aspects of DPMAspects of DPMAlice’s IP address is protected by

one more security levelIt’s not feasible for Alice to obtain

more than one pseudonym with her IP

Tor Network

Distributing NMDistributing NM

NM

PMi PMj

Cod

enam

e ac

quis

ition

Pseud

onym

acq

uisitio

n

NymbleTicket acquisition

Distributing NMDistributing NM

Tor Network

Service Provider

Serve

r Auth

entic

ation

Distributing NMDistributing NMService Provider

NM’

Linking Token Extraction

Tor Network

NM

Distributing NM - Distributing NM - RequirementsRequirements

Distributing NM (cont’d)Distributing NM (cont’d)Seed HkhkN

(pnym,sid,w)

How should we generate the seed?◦ S1: Ask another NM to create the hash of

server id with his own key Seed will not be unique

◦ S2: Ask another NM to create the hash of server id with the shared key Vulnerable to brute force attack

AnalysisAnalysisOur Solution:

◦Provides collusion prevention without eliminating TTPs No proof generation and proof verification

needed Better performance than BLAC and PEREA

◦Decreases the number of required signature

◦Eliminates unnecessary key sharing

◦Makes use of an efficient ring signature scheme with efficient size

Future WorkFuture Work

Dynamic ForgivenessMultiple Rounds for Pseudonym

RegistrationOptimal Ring SignatureExperimental Analysis

SummarySummaryWe introduced an anonymous

blocking system based on Nymble◦Using distributed TTPs architecture◦With collusion resistance feature◦With less computation cost◦With increased usability

Thank You!Thank You!