Measuring Anonymity Revisited

Gergely Tóth, Zoltán Hornák, Ferenc Vajda
Budapest University of Technology and Economics, Department of Measurement and Information Systems
Nordsec 2004, Helsinki, Finland, 4-5 November 2004 (PowerPoint presentation, 32 slides, presented by Gergely Tóth on 5 November 2004)


Page 1: Measuring Anonymity Revisited

Gergely Tóth, 5 November 2004 1Nordsec 2004, Helsinki, Finland, 4-5 November 2004

Measuring Anonymity Revisited

Gergely Tóth

Zoltán Hornák

Ferenc Vajda

Budapest University of Technology and Economics

Department of Measurement and Information Systems

Nordsec 2004

Page 2: Measuring Anonymity Revisited


Outline

• Our research group

• Anonymity in general

• Anonymous communication

• Measuring anonymity
  – past and present approaches
  – our suggestion

• Summary and future plans

Page 3: Measuring Anonymity Revisited


SEARCH-LAB at BUTE DMIS

• Budapest University of Technology and Economics (BUTE)

• Department of Measurement and Information Systems (DMIS)

• Security Evaluation Analysis and Research Laboratory (SEARCH-LAB)

• Core focus: Security in mobile networks

• Current research areas: DRM, Biometrics & Anonymity

Page 4: Measuring Anonymity Revisited


Summary of the Presentation & Paper

• Anonymous communication is needed for several real-world scenarios

• Different implementations provide different levels of anonymity

• A theoretical, objective metric is needed to be able to compare them

• After analyzing past approaches, we present our suggestion

Page 5: Measuring Anonymity Revisited


Introduction

Page 6: Measuring Anonymity Revisited


Anonymity in General

• Anonymity means hiding the identity
  – actions are performed by subjects
  – the aim is to hide the identity of these subjects from any possible adversary

• Possible anonymity scenarios
  – hide the identity of the voter during e-voting
  – hide the identity of the buyer during e-payment
  – hide the identity of the sender of e-mails

Page 7: Measuring Anonymity Revisited


Anonymous Communication

• Several layers in the anonymity architecture with different functions

• Focus of the presentation & paper: anonymous communication
  – systems that deliver messages so that they cannot be traced back to their sources
  – several such systems have been designed
  – the aim is now to define metrics to be able to compare them

Page 8: Measuring Anonymity Revisited


Need for Measuring Anonymity

• Different systems
  – algorithms
  – network topologies
  – adversary models

• The anonymity provided has to be measured
  – objective, theoretically based metrics
  – should be easy to understand by laymen
  – users should be able to define their required anonymity level

Page 9: Measuring Anonymity Revisited


Anonymous Communication

Page 10: Measuring Anonymity Revisited


Model of Anonymous Communication

[Figure: model of the anonymous message transmission system. A sent message, sent by the sender s_l, enters the system; a delivered message leaves it and is delivered to the recipient r_l.]

• Anonymous message transmission system
  – senders send encrypted messages to recipients through a channel
  – the channel alters, delays and reorders messages before delivery
  – an adversary tries to back-trace delivered messages to their senders

Page 11: Measuring Anonymity Revisited


Anonymity Terminology

• “Anonymity is the state of being not identifiable within a set of subjects, the anonymity set”

• Sender anonymity means that
  – a particular message is not linkable to any sender, and
  – to a particular sender no message is linkable.

Page 12: Measuring Anonymity Revisited


Different Realizations

• During the evolution of science several schemes have been proposed and implemented
  – batch systems: MIXes
  – continuous-time systems
  – peer-to-peer systems
  – systems with provable anonymity, such as DC networks

• Let’s see some examples

Page 13: Measuring Anonymity Revisited


MIXes I – Batched Operation

• MIXes are network relays to make back-tracing messages to their senders hard

• For this they buffer incoming messages and randomly reorder them upon delivery

[Figure: a single MIX buffering incoming messages and releasing them in random order.]

Page 14: Measuring Anonymity Revisited


MIXes II – the MIX Network

• They are furthermore organized in networks

• There, special, onion-like messages are created and propagated

[Figure: a MIX network with MIX1, MIX2 and MIX3 between the sender and the recipient Y. The sender wraps message M in nested layers addressed “to Y”, “to MIX3” and “to MIX2”; MIX1 removes the outer layer and forwards to MIX2, MIX2 forwards to MIX3, and MIX3 delivers M to Y.]

Page 15: Measuring Anonymity Revisited


Continuous Time Systems

• MIXes do batching; in most cases they do not guarantee real-time delivery

• On the other hand, continuous-time systems process messages individually
  – the message delay in the channel is a random variable with a given density function f
  – the delay does not depend on the actual message distribution

Page 16: Measuring Anonymity Revisited


PROB-channel & SG-MIX

• Two recent continuous-time systems:

  – SG-MIX (Stop-and-go MIX): exponential density function for non real-time scenarios

  – PROB-channel: uniform distribution with a definite maximum for real-time use-cases

[Figure: the two delay density functions f: an exponential density for the SG-MIX, and a uniform density of height fmax up to a definite maximum delay for the PROB-channel.]

Page 17: Measuring Anonymity Revisited


Challenge

• The challenge:
  – with the evolution of science, newer and newer systems are constructed
  – different known systems are organized into networks of various topologies

• Which architecture is better?
  – a theoretical metric is needed to objectively compare different systems
  – measuring should be easy to understand

Page 18: Measuring Anonymity Revisited


More Complex Systems and Networks

[Figure: more complex systems and networks built by combining MIXes and continuous-time channels (with their delay densities f, including uniform ones of height fmax up to a maximum delay) into various topologies.]

Page 19: Measuring Anonymity Revisited


Measuring Anonymity

Page 20: Measuring Anonymity Revisited


Attempt #1 – Anonymity Set Size

• Size of the anonymity set
  – the first attempt to quantify the level of anonymity
  – the bigger the anonymity set, the greater the level of anonymity
  – easy to calculate
  – easy to understand
    • you are as anonymous as if one had to pick randomly from 500 equal possibilities

Page 21: Measuring Anonymity Revisited


Problem with Anonymity Set Size

• In some simple cases anonymity set size works well (e.g. for simple MIXes)

• However, a closer look reveals
  – in the anonymity set subjects have different probabilities, i.e. according to the knowledge of the adversary one is more likely to be the actual sender than the other
  – the size of the anonymity set alone is not definite enough

Page 22: Measuring Anonymity Revisited


Attempt #2 – Entropy

• The probabilities of the different subjects have to be considered

• For this purpose a fundamental construction has been defined in information theory: entropy

• The improved approach: use the entropy of the probability distribution for quantifying anonymity

Page 23: Measuring Anonymity Revisited


Entropy – Definitions

• Determine the probabilities for a sender being the originator of a message: $P_{s_l,k}$ is the probability, according to the adversary, that message $k$ was sent by sender $s_l$

• The anonymity set: $\mathcal{S}_k = \{\, s_l \mid P_{s_l,k} > 0 \,\}$

• Simple entropy measure: $S_k = -\sum_{s_l \in \mathcal{S}_k} P_{s_l,k} \log_2 P_{s_l,k}$

• Normalized entropy measure: $d_k = \dfrac{S_k}{\log_2 |\mathcal{S}_k|}$

Page 24: Measuring Anonymity Revisited


Problems with Entropy

• Entropy-based metrics aim to quantify the amount of information that is needed to totally break anonymity

• Problem: non-desirable systems with arbitrarily high entropy exist
  – both for simple entropy and
  – for normalized entropy.

Page 25: Measuring Anonymity Revisited


Example

• 20 senders, uniform distribution, P=5%

• 101 senders, non-uniform distribution
  – for one sender P=50%
  – for all the other 100 senders P=0.5%

• For both cases the entropy is the same: S=4.3219 bits

• However, it is clear that the two systems don’t achieve the same level of anonymity

Page 26: Measuring Anonymity Revisited


Problems with Entropy – continued

• In the paper, degenerate cases were shown for both simple and normalized entropy
  – such measures neglect the local aspect of anonymity
    • the adversary does not necessarily want to totally compromise all messages
    • the aim could be to locally guess for some messages with a better probability than anticipated

• Also, ease of understanding suffers

Page 27: Measuring Anonymity Revisited


Our Suggestion – Maximal Probability

• Use the maximal probability $\max_{s_l} P_{s_l,k}$ as a measure

• If this maximum stays below a given parameter for every message, the system is called source-hiding with that parameter
  – this approach is easy to understand

• A parameter of 10% means that regardless of what the adversary does, he won’t be able to compromise any of your messages with a probability greater than 10%
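The two distributions from the example slide (20 uniform senders versus 1 strong plus 100 weak senders), run through the set-size, simple-entropy, normalized-entropy and maximal-probability measures so the difference between the metrics is visible. This is an added Python example, not code from the paper or the presentation; the sender names are constructed.

```python
from math import log2

# Constructed from the example on the slides: the adversary's distribution
# P_{s_l,k} over senders for one delivered message k.
UNIFORM_20 = {f"s{l}": 0.05 for l in range(20)}
SKEWED_101 = {"s0": 0.50, **{f"s{l}": 0.005 for l in range(1, 101)}}


def anonymity_set(dist):
    """Senders that, according to the adversary, may have sent the message."""
    return {s for s, p in dist.items() if p > 0}


def simple_entropy(dist):
    """Simple entropy measure in bits: -sum P log2 P over the anonymity set."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def normalized_entropy(dist):
    """Entropy divided by log2 of the set size; 0 when only one sender remains."""
    n = len(anonymity_set(dist))
    return 0.0 if n <= 1 else simple_entropy(dist) / log2(n)


def maximal_probability(dist):
    """The measure suggested in the paper: the adversary's best single guess."""
    return max(dist.values())


def is_source_hiding(dist, parameter):
    """Source-hiding with the given parameter: no sender is linkable above it."""
    return maximal_probability(dist) <= parameter


def metrics(dist):
    """All four measures for one message, for side-by-side comparison."""
    return {
        "set_size": len(anonymity_set(dist)),
        "entropy_bits": round(simple_entropy(dist), 4),
        "normalized": round(normalized_entropy(dist), 4),
        "max_prob": maximal_probability(dist),
    }


if __name__ == "__main__":
    for name, dist in (("20 uniform", UNIFORM_20), ("101 skewed", SKEWED_101)):
        print(name, metrics(dist), "source-hiding at 10%:", is_source_hiding(dist, 0.10))
```

Both distributions give 4.3219 bits of simple entropy, yet only the uniform one is source-hiding at the 10% level; the normalized entropy separates them too, but only because the set sizes differ.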

Page 28: Measuring Anonymity Revisited


Maximal Probability – continued

• Source-hiding property
  – it can be converted back to the entropy-based metrics
    • equations were given for both simple and normalized entropy
  – considers the local aspect of anonymity
    • for no message can the threshold be exceeded
  – for some systems the source-hiding property can be set as a requirement

Page 29: Measuring Anonymity Revisited


Summary & Future

Page 30: Measuring Anonymity Revisited


Summary

• The field of anonymous communication is rapidly evolving

• In order to be able to objectively compare different systems, a theoretical metric is needed

• Our suggestion is to use the maximal probability from the probability distribution of the adversary to measure the achieved level of anonymity

Page 31: Measuring Anonymity Revisited


Research Plans

• For some scenarios the level of anonymity can be calculated
  – there are constructions where the anonymity has to be analyzed further
  – it has to be evaluated how the combination of different systems behaves

• Systems are needed where the level of anonymity can be set as a requirement (QoS)

Page 32: Measuring Anonymity Revisited


Thank you for your attention

Gergely Tóth

Budapest University of Technology and Economics

Department of Measurement and Information Systems
