Provable Unlinkability Against Traffic Analysis

Ron Berman

Joint work with Amos Fiat and Amnon Ta-Shma

School of Computer Science, Tel-Aviv University

Post on 26-Mar-2015

Outline

• Is it interesting?

• Our contribution.

• Problem definition.

• What is unlinkability?

• Related work.

• The protocol.

• Proof sketch.

• Prior information.

• Application: Donor Anonymity.

Is it interesting?

• A tremendous amount of work on the subject.

• Many practical systems, protocols and solutions.

• Relevant today in the context of peer to peer data exchange.

Our Contribution

• A set of simple equivalent measurements for unlinkability.

• Rigorous analysis and proof using information theory.

• Solution (and proof) for prior knowledge.

Problem definition

• N nodes in a complete network graph.

• Synchronous network with bounds on message travel times.

• A public key infrastructure (PKI) is widely available.

• Given senders S = s_1…s_M and receivers R = r_1…r_M of messages, we would like the matching Π: S → R to remain unknown to an adversary.

• At least some of the links are honest.

Problem definition

• Chaum (1981) showed that, using onion routing, one can assume that the adversary is restricted to traffic analysis.

• The unlinkability properties had not been proven, and the original protocol is actually insecure.

• We rely heavily on Chaum’s ideas, with some limitations on the adversary.

What is unlinkability?

• Π - the actual permutation that took place during communication.

• C - the information the adversary has: a 0/1 matrix, with 1 indicating a communication line being used.

1. 2. 3.

• Mutual information: I(X:Y) = H(X) + H(Y) - H(X,Y). How much information one random variable conveys about another.

• All definitions are equivalent.

1

Pr | 93C C RS

1Pr |c C C c

( : )I C

Related Work

• Chaumian-MIX

– Unproven security.

– Requires dummy traffic.

– Not efficient.

• Dining Cryptographers

– Proven security.

– Not efficient (all players must play each round).

– Requires shared randomness.

– Requires broadcast.

Related Work

• Crowds

– Proven weak security.

• Busses

– Proven security.

– Not efficient.

• AMPC

– Proven weak security.

– Not efficient.

• RS93

– Proven security.

– Not efficient.

– Requires secure computation.

The Protocol

Forward:

• Alice chooses v_1…v_(T-1) and sets v_0 = Alice, v_T = Bob.

• Alice randomly chooses r_1…r_T return keys.

• Each onion layer i contains:

– Address of next node en route (v_(i+1)).

– Return key r_i saved by node i.

– Unique identifier z_i.

– Encrypted onion part sent to v_(i+1).

• Message return is done in a similar way to Chaum’s.
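The layer format listed above can be traced in code. The following is an added example, not code from the talk or its authors: it builds the forward onion and lets each node peel its own layer. It assumes a toy symmetric cipher as a stand-in for encryption under each node's PKI key, and the JSON field names and node names are hypothetical.

```python
import hashlib, json, secrets

def _xor(key, nonce, data):
    # SHA-256 in counter mode as a keystream (toy construction, unauthenticated)
    stream = b"".join(hashlib.sha256(key + nonce + n.to_bytes(4, "big")).digest()
                      for n in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, stream))

def toy_encrypt(key, plaintext):
    """Stand-in for public-key encryption to one node; a fresh nonce per layer."""
    nonce = secrets.token_bytes(16)
    return nonce + _xor(key, nonce, plaintext)

def toy_decrypt(key, blob):
    return _xor(key, blob[:16], blob[16:])

def build_onion(route, keys, message):
    """route = [v_0 (sender), v_1, ..., v_T (receiver)]; layer i is readable only by v_i."""
    T = len(route) - 1
    onion = message                                        # innermost part, read by v_T
    for i in range(T, 0, -1):                              # wrap from the inside out
        layer = {"next": route[i + 1] if i < T else None,  # address of v_(i+1)
                 "return_key": secrets.token_hex(16),      # r_i, saved by node i
                 "id": secrets.token_hex(8),               # unique identifier z_i
                 "inner": onion.hex()}                     # onion part for v_(i+1)
        onion = toy_encrypt(keys[route[i]], json.dumps(layer).encode())
    return onion

def forward(route, keys, onion):
    """Each node peels one layer; returns what every node learned and the payload."""
    node, views = route[1], []
    while True:
        layer = json.loads(toy_decrypt(keys[node], onion))
        onion = bytes.fromhex(layer.pop("inner"))
        views.append((node, layer))        # node sees only next hop, r_i and z_i
        if layer["next"] is None:
            return views, onion
        node = layer["next"]

if __name__ == "__main__":
    route = ["Alice", "n2", "n3", "n1", "Bob"]             # constructed sample route
    keys = {n: secrets.token_bytes(32) for n in route[1:]}
    views, payload = forward(route, keys, build_onion(route, keys, b"hello Bob"))
    for node, seen in views:
        print(node, "learns next hop:", seen["next"])
    print("Bob reads:", payload)
```

Each intermediate node learns its successor and its own return key and identifier, but never the full route, which is why the adversary is left with traffic analysis over the links.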

Our Protocol

Example

[Figure: example of the protocol.]

Proof Sketch

• Using the following chain rule, we can analyze the route of each player by itself:

I(Π:C) = I(Π(1):C) + I(Π(2):C|Π(1)) + … ≤ α(N)

• The trick is to bound the amount of information the adversary has on each player.

Proof Sketch

• We would like to show that the communications pattern contains a lot of honest crossovers:

[Figure: crossovers between vertices 1, 2, 3 and 1’, 2’, 3’.]

• And that these crossovers hide enough information.

Proof Sketch

• We show how to find an embedding of a structure of crossovers in the actual communications pattern.

• We call this structure of crossovers “obscurant networks”.

Proof Sketch

Example embedding

[Figure: example embedding.]

Proof Sketch

Obscurant Networks

• Network – layered directed circuit with the same number of vertices on each layer.

• Crossover Network – each vertex has in-degree and out-degree one or two.

• O_i – the probability distribution of the output when a pebble is put on starting vertex i.

[Figure: crossover network with edge probabilities 0.5 and 1.]

Proof Sketch

• A network is ε-obscurant if |O_i - U_M| ≤ ε.

• Example: The butterfly network is 0-obscurant.

• The problem: what happens when log_2(M) is not an integer.

• We use two basic components:

[Figure: the two basic components, B4 and P4.]
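The definitions of O_i and ε-obscurant can be checked exactly on small networks. The following is an added example, not code from the talk: it computes the pebble distribution with exact fractions, confirms that the butterfly is 0-obscurant, and shows how far a network drifts from uniform when one crossover is replaced by straight-through edges. It assumes the L1 norm for |O_i - U_M| and a uniform choice among out-edges; the function names are hypothetical.

```python
from fractions import Fraction

def butterfly(M):
    """Butterfly on M = 2^k vertices: layer l links vertex j to j and j XOR 2^l."""
    k = M.bit_length() - 1
    if 1 << k != M:
        raise ValueError("the butterfly needs M to be a power of two")
    return [[[j, j ^ (1 << l)] for j in range(M)] for l in range(k)]

def pebble_distribution(layers, start):
    """O_start: output distribution of a pebble that chooses uniformly among
    the one or two out-edges of every vertex it visits."""
    M = len(layers[0])
    dist = [Fraction(0)] * M
    dist[start] = Fraction(1)
    for layer in layers:
        nxt = [Fraction(0)] * M
        for v, p in enumerate(dist):
            for w in layer[v]:
                nxt[w] += p / len(layer[v])
        dist = nxt
    return dist

def obscurance(layers):
    """Smallest eps for which the network is eps-obscurant (L1 norm, an assumption)."""
    M = len(layers[0])
    uniform = Fraction(1, M)
    return max(sum(abs(p - uniform) for p in pebble_distribution(layers, i))
               for i in range(M))

def without_crossover(layers, l, j):
    """Copy of the network in which vertex j and its partner at layer l
    pass straight through instead of crossing (constructed failure case)."""
    damaged = [[list(out) for out in layer] for layer in layers]
    partner = next(w for w in layers[l][j] if w != j)
    damaged[l][j], damaged[l][partner] = [j], [partner]
    return damaged

if __name__ == "__main__":
    b8 = butterfly(8)
    print("butterfly(8):", obscurance(b8))
    print("last-layer crossover missing:", obscurance(without_crossover(b8, 2, 0)))
    print("first-layer crossover missing:", obscurance(without_crossover(b8, 0, 0)))
```

A crossover missing in the first layer costs far more than one missing in the last layer, and appending a further intact butterfly restores uniformity, which is the effect the repeated stage in the construction relies on.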

Proof Sketch

Example Network

[Figure: example network with an Init stage followed by a stage repeated t = log(M) + log(ε^-1) times; Z = 4, M = 5, k = M - Z = 1.]

Making sure we find an embedding

• Lemma [Alo01]: Let G=(V,E) be a graph and assume:

then:

• Meaning: We have a probability of finding all-honest crossovers.

| || |

2

VE f

Proof Sketch

4

, , ,Pr ( , ), ( , ), ( , )( , )

a b c d Va c a d b c b d E f

Proof Sketch

Prior Information

• Link each vertex v_i^(t) with v_i^(T-t), and reveal all data to the adversary if either one is adaptive.

• Effectively we have created a folding of the network:

[Figure: folding of the network.]

Proof Sketch

• We receive the same game, with T/2 steps and probability f^2 of an honest link.

• We show that: I(Π(T) : C=(C_1,C_2)) ≤ I(Π(T/2) : C_1,C_2)

Conclusion

Theorem

Assume our protocol runs in a network with N nodes and N(N-1)/2 communication links, some constant fraction of which are honest. Then the protocol is α(n)-unlinkable when T≥Ω(log(N)log2(N/α(n))).

Future Work

• Incomplete network graph.

• Malicious behavior.

• Multi-shot games.

• Dynamic network topology changes.

Applications

• More realistic approach – a link is honest some of the time.

• Donor privacy – the ability to donate items and answer requests, without being identified.

Questions?