on the design dilemma in dining cryptographer networks
TRANSCRIPT
On the Design Dilemma in Dining Cryptographer Networks
Institute for IT-Security and Security LawComputer Networks & Communications GroupUniversity of PassauGermany
Jens Oberender Hermann de Meer
TrustBus 2008
Turin, Italy
5. September 2008
partly supported byEuroNGI Design and Engineering of the Next Generation Internet (IST-028022)EuroNF Anticipating the Network of the Future (IST-216366)
Motivation
Connection-level anonymity
Establish communication privacy
Hides relationship between initiator and receiver of a message
Being undistinguishable within the anonymity set
Anonymity evolves in a non-cooperative game
Strategies := cooperate | defect
Node strategies -> anonymity set -> anonymity grade
Nash equilibria indicate best strategy
Does rational behavior have impact on the anonymity?
How can rationality protect reachability?
2On the Design Dilemma in DC-nets
Overview
Does rational behavior have impact on the anonymity?
1) Modeling rational behavior
2) Taxonomy of anonymity techniques
3) Accessible information in Dining Cryptographer (DC) networks
How can rationality protect availability?
4) Parameterizing games during design
3On the Design Dilemma in DC-nets
Rational acting in Anonymity Networks
1. What benefit is received ?
Sender anonymity
Anonymity set enhances grade of anonymity
Challenges for design of anonymity systems Impact of strategic behavior on anonymity
Novel attacks targeting economy of anonymity
2. What cost is involved in participation?
Effective Throughput
Increase of message delay
Increase of traffic
4On the Design Dilemma in DC-nets
on purpose to counter traffic analysis
Requirements of strategic behavior in anonymity networks
Enable senders to determine anonymity
1) Rely on trustworthy entities
No abuse of collected system-wide entropy
Trust into computing anonymity grade
2) Neighborhood–based approaches (first-hand experience)
Limited credibility – eclipse attack
Anonymity grade in near future
1) Based on prediction
2) Policy enforced
5On the Design Dilemma in DC-nets
Determine anonymity grade
Strategic users consider anonymity of a message in advance
Decentralization: limited system view
6On the Design Dilemma in DC-nets
Predicted Depdendable
Without
Pre-
requisites
Relies
on
Trust
Perceived anonymity
• broadcast responses in a DC-net
Assured anonymity
• queue state in a mixer node
Reported anonymity
• reported number of participants
e.g. AN.ON
Policy-enforced anonymity
• mixer policy in high-latency
mixers, no forwarding,
before anonymity guaranteed
Dining Cryptographer (DC) networks
Round-based
Sender broadcasts message or empty packet
Disruption: message collisions require retransmission
Security objective: reachability
Coding schemes
Cost in bandwidth, computation effort
Robustness against collisions
Countermeasure to disrupters
7On the Design Dilemma in DC-nets
Apply game theory to Dining Cryptographer (DC) networks
Sequential game
Incomplete information Adversaries strategy unknown
Perfect information Time order
Non-cooperative game
Complete Information Payoff functions public
Imperfect information Concurrency
8On the Design Dilemma in DC-nets
Design dilemma: efficient or robust
Designer Efficient Robust design
Participate Leave
Conforming Disrupt
User
Adversary
/
/
/
Random disruptions
Disrupter identification removes attacker from network
Disrupt without being identified as disrupter
Rational behavior, possible to formulate as utility function
Resolving dilemma games
Iterated Prisoner’s Dilemma (IPD) -> Mixed strategy solution
Nash Equilibria in iterated games
Probability distributions
Different strategies
p>80% disrupting in non-cooperative game
Ability to identify disrupters (>18%)prevents misbehavior in sequential game
9On the Design Dilemma in DC-nets
Ability to identify disrupterUser’s preference for anonymity
0
0.2
0.4
0.6
0.8
1
0 0.2 0.4 0.6 0.8 1
Non-cooperative
Dis
rupt
pro
bab
ility
Sequential
Conclusions
Modeling of strategic behavior
Grade of anonymity relies on behavior of all participants
For design of anonymity systems
Risk-prevention of malicious participants
Dilemma games
Influence rational players through system parameters
Incomplete knowledge restrict the designer’s payoff,but parameters hinder malicious collisions
User perspective on future anonymity: more research ongoing
10On the Design Dilemma in DC-nets
DC Coding Schemes
Bitwise XOR [Chaum88]
Not robust against collisions
Low computation overhead
Bilinear Maps [Golle04]
Robust against collisions
Medium computation overhead
Identification of Disrupters [Bos89]
Robust against collisions
High computation overhead
Identifies a disrupter
11On the Design Dilemma in DC-nets
Dining Cryptographers network
Figure out, whether the meal has been paid by either one at the table
Protocol provides sender anonymity
Communication Anonymity
Anonymity := do not disclose communication relationship between sender and recipient
Technically: being indistinguishable within the anonymity set,i.e. all current communication participants
Level of anonymity scales with size of anonymity set
If a user leaves system degrades anonymityEspecially in small systems
DC net
Coding superimposes messages
Simultaneous slot occupation communication is disrupted
Effort to receive/decode broadcasts
13On the Design Dilemma in DC-nets
Game Theory and Dilemmas
Models strategic behavior, e.g. in cooperative systems
Game defines players, strategy sets, and utility
Outcome defined by strategies of all users
Pay off: effective utility depending on the outcome of the game
Strategic behavior
Rationally acting, i.e. maximize payoff
Predict strategy of other players (Non-cooperative game)
Minimize own losses (Sequential game, incomplete knowledge)
Dilemma: strategic behavior does not increase payoff for any of the players
14On the Design Dilemma in DC-nets
Stake holders of a DC-net
Dining Cryptographers network
Communicating subjects (=users)
Anonymous communication with reasonable cost
Adversary
Disrupt anonymous communications (increase user costs), but remain unidentified
DC-net designer
Facilitate high level of anonymity
Decreasing participation degrades anonymity (for small sizes)
15On the Design Dilemma in DC-nets
Send M1
Send M2 Send M3
Broadcast
1) Robust design against malicious attacks
Design parameters
α none – collision robustness full
β no –disrupter identificationpossible
User (single instance)
γ low – anonymity preferencehigh
Compute Nash equilibria , i.e. best strategy for specified parameters
Probability for efficient (0) or robust (1) algorithm
16On the Design Dilemma in DC-nets
0
1
0
1
0
1 0
0.2
0.4
0.6
0.8
1
0 0.2 0.4 0.6 0.8 1
Desig
ne
r S
tra
teg
y s
1
Sequential
Non-Coop.
=0
>0
References
Pfitzmann, A., Hansen, M.: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management - a consolidated proposal for terminology. (2008) Draft
Dingledine, R., Mathewson, N.: Anonymity loves company: Usability and the network effect. In: Workshop on the Economics of Information Security. (2006)
Acquisti, A., Dingledine, R., Syverson, P.: On the economics of anonymity. In Financial Cryptography. Number 2742 in LNCS, Springer (2003)
Golle, P., Juels, A.: Dining cryptographers revisited. In: EUROCRYPT. Volume 3027 of LNCS, Springer (2004) 456-473
Bos, J.N., den Boer, B.: Detection of Disrupters in the DC Protocol. In: Workshop on the theory and application of cryptographic techniques on Advances in cryptology. (1989) 320-327
17On the Design Dilemma in DC-nets