scavenging)for)anonymity) with)blogdrop)...monvaon) • tor)average)daily)users)in)q1)2012:)...
TRANSCRIPT
Scavenging for Anonymity with BlogDrop
Henry Corrigan-‐Gibbs Bryan Ford Yale University
Provable Privacy Workshop 9-‐10 July 2012 – Vigo, Spain
MoNvaNon
• Alice is a ciNzen of country X • Alice uses Tor to make an anonymous blog post to a server inside of country X
• Government of country X wants to find out post author’s idenNty …how hard is that?
2 9 July 2012 Provable Privacy Workshop
MoNvaNon
Alice
Blog Server
Country X
3 9 July 2012 Provable Privacy Workshop
MoNvaNon
• Tor average daily users in Q1 2012: ~49 000 in Iran ~16 000 in Syria ~2 000 in China
• Gov’t X can’t arrest thousands of people on a hunch …what if the blog post has a Nmestamp?
Tor stats from h]ps://metrics.torproject.org/ 4 9 July 2012 Provable Privacy Workshop
Internet Usage in a Day
0% 1% 2% 3% 4% 5% 6% 7% 8% 9% 10% 11% 12%
0 6 12 18 24
Percen
tage of D
ay's
Users Online
Hour of Day AOL Web Search Data Set
Data mirrored at h]p://www.gregsadetsky.com/aol-‐data/
If Alice is hiding among 3% of daily Tor users in China, she might be in trouble
5 9 July 2012 Provable Privacy Workshop
State of the art
User Sessions
Nme
Anonymity set as large as the number of online users
6 9 July 2012 Provable Privacy Workshop
Outline
• MoNvaNon • Overview: Anonymity scavenging • Ciphertext construcNon • Conclusion
7 9 July 2012 Provable Privacy Workshop
Anonymity Scavenging
• Can Alice increase latency to gain anonymity? • High-‐latency systems are unpopular à unsafe – Mixmaster/mixminion vs. Tor – Would like low-‐latency Bobs to protect high-‐security Alices
– Same moNvaNon as alpha mixing (Dingledine et al. PETS’06)
8 9 July 2012 Provable Privacy Workshop
Anonymity over Nme
User Sessions
Nme
9 9 July 2012 Provable Privacy Workshop
Anonymity over Nme
Blog A
User Sessions
10 9 July 2012 Provable Privacy Workshop
Anonymity over Nme
User Sessions
11 9 July 2012 Provable Privacy Workshop
Blog B
BlogDrop Features • Anonymous comm protocol in which user defines anonymity set size (vs. latency)
• High-‐security Alices hide amongst low-‐latency Bobs
• Accountable: protocol violaNons detectable Assump@ons • At least one server is honest • All users have pseudonym PK of blog author…more on this later
9 July 2012 Provable Privacy Workshop 12
Server X
Server Y Server Z
Blog A
Blog B
13 9 July 2012 Provable Privacy Workshop
Bob’s Ciphertexts for Blogs A and B
14 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
15 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
16 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
17 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
18 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
19 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
20 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
21 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
22 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
23 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
24 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
25 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
When each server has collected enough ciphertexts to saNsfy closure condi@on, the servers each add their own ciphertext to the set
26 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
27 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
28 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
Plaintext
29 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
Closure CondiNon • How long do servers wait before revealing the plaintext message?
• Blog author picks a “closure condiNon” – Aoer 9 July 2012 AND when there are 10 ciphertexts – Aoer Alice, Bob, Carol, and Dave (idenNfied by PKs) have all submi]ed ciphertexts
– When there are $1 000 000 in Swiss bank acct #098424713 – Others…
à Closure condiNon defines anon set à Poorly chosen closure condiNons create anonymity risks… area for future work
30 9 July 2012 Provable Privacy Workshop
Plaintext
31 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
32 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
33 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
34 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
35 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
36 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
37 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
38 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
39 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
40 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
41 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
42 9 July 2012 Provable Privacy Workshop
Server X
Server Y Server Z
Review
• Scavenging: Blog A and Blog B have different latencies and different anonymity set sizes
• One honest server enforces closure condi2on • I omi]ed many details – e.g., Servers can fla4en ciphertexts into an O(L) size ciphertext — avoids O(NL) storage
– How servers agree on ciphertexts – …
43 9 July 2012 Provable Privacy Workshop
Outline
• MoNvaNon • Overview: Anonymity scavenging • Ciphertext construc@on • Conclusion
44 9 July 2012 Provable Privacy Workshop
Alice (ga) gax
gay
Server X (gx)
Server Y
mga(x+y+z)
+
Ciphertext ConstrucNon
45 9 July 2012 Provable Privacy Workshop
m
gaz Server Z
Using some group G = <g> in which ElGamal cryptosystem is secure
Client/server secret graph (Chaum ’88) (Wolinsky et al., Eurosec’12)
Alice (ga) gax
gay
Bob Server X (gx)
Server Y
gbx
gby
gb(x+y+z) mga(x+y+z)
+
Ciphertext ConstrucNon
46 9 July 2012 Provable Privacy Workshop
m
gaz Server Z gbz
Alice (ga) gax
gay
Bob Carol Server X (gx)
Server Y
gbx
gby
gcx
gcy
gb(x+y+z) mga(x+y+z)
+
gc(x+y+z)
Ciphertext ConstrucNon
47 9 July 2012 Provable Privacy Workshop
m
gaz Server Z gbz gcz
Alice (ga) gax
gay
Bob Carol Server X (gx)
Server Y
gbx
gby
gcx
gcy
gb(x+y+z) mga(x+y+z)
+
gc(x+y+z)
Ciphertext ConstrucNon
48 9 July 2012 Provable Privacy Workshop
m
gaz Server Z gbz gcz
g-‐x(a+b+c)
g-‐y(a+b+c)
g-‐z(a+b+c)
Client/server secret graph (Chaum ’88) (Wolinsky et al., Eurosec’12)
9 July 2012 Provable Privacy Workshop 49
m
Ciphertexts use iteraNve ElGamal encrypNon. Non-‐author plaintext=1
We exploit ElGamal’s mulNplicaNve homomorphism to recover the plaintext
g-‐x(a+b+c) g-‐y(a+b+c)
mga(x+y+z) gb(x+y+z) gc(x+y+z)
g-‐z(a+b+c)
PrevenNng Denial of Service
PoK{ a, k: (Calice = (gxgygz)a ∧ A = ga )∨K = gk }
Alice knows the author’s secret
key and Alice can send whatever
she wants
~ OR ~ Alice knows the log of Calice and that log is equal to her private key. i.e., Alice generated her ciphertext correctly
Assume that all users know anon author’s PK
DoS-‐resistant DC-‐net (Golle and Juels, Eurocrypt’04) 50 9 July 2012 Provable Privacy Workshop
Policy Document
• The Catch 22: To get anonymous communicaNon, need to anonymously communicate the blog parameters – author’s pseudonym PK, closure condiNon, post length, etc
• Not quite: policy document only needs to be distributed once to set up blog
• e.g., Use once-‐per-‐month mix to shuffle policy documents
51 9 July 2012 Provable Privacy Workshop
Outline
• MoNvaNon • Overview: Anonymity scavenging • Ciphertext construcNon • Conclusion
52 9 July 2012 Provable Privacy Workshop
Conclusion
• Most exisNng systems allow user to be anonymous only among set of online users
• BlogDrop (via anonymity scavenging) gives anonymity among set of users over @me
• High-‐security users hide amongst low-‐latency users
• DoS-‐resistant
53 9 July 2012 Provable Privacy Workshop
54 9 July 2012 Provable Privacy Workshop