ebook img

An Indistinguishability-based Characterization of Anonymous Channels Anonymous Communication PDF

15 Pages·2008·0.45 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview An Indistinguishability-based Characterization of Anonymous Channels Anonymous Communication

An Indistinguishability-based Characterization of Anonymous Channels Alejandro Hevia Daniele Micciancio Dept. Computer Science, Dept. Computer Science & U. of Chile, Chile Engineering, U. of California at San Diego, USA PETS’08, Leuven, Belgium, July 23, 2008 Anonymous Communication The problem: Send/receive messages often reveals identities Network Eavesdropper 2 1 Anonymity’s Intuitive Ultimate Goal Avoid revealing identities… Many applications 3 Applications (cid:1) Crime tips hotline, “whistle blowers” Tip: “It was the pointy haired guy” 4 2 Querying disease databases (cid:1) Stigmatized diseases (HIV, Cancer, STDs) “Can I take medicine X if I have disease Y?” 5 Political chat rooms (cid:1) Or “forum for unpopular/sensitive topics” lawyer “Is policy X discriminatory?” office employee 6 3 Anonymous Channels (AC) (cid:1) Anonymous communication? (cid:1) Communication channel + anonymity property (cid:1) Several variants often mentioned in the literature [Pfitzmann and Köhntopp 01] (cid:1) Sender anonymity (cid:1) Receiver anonymity (cid:1) Sender and receiver anonymity (cid:1) Unlinkability (cid:1) Unobservability (cid:1) Etc. 7 Anonymous Channels: Previous Work (cid:1) Trends in previous definitions (cid:1) Intuitive but weak [Pfitzmannand Köhntopp01] to capture efficient constructions (cid:1) Strong (eg. secure function evaluation, [Ishaiet al. 06]) but less practical (cid:1) Based on “anonymity set”, logics (eg. [Halpernet al. 04]), possibilistic models (eg. [Hughes and Shmatikov04, Feigenbaumet al. 07]), and information theory (eg. [Kesdoganet al. 98, Diaz et al. 02, Serjantovand Danezis02, Chatzikokolakisand Palamidessi07]) 10 4 More Previous Work (cid:1) Other definitions in the crypto literature (computational setting) (cid:1) Some subtle definitional flaws [Beimeland Dolev03, von Ahnet al. 03, Golleand Juels04] (cid:1) Tailored to specific constructions (eg. Mixnets [Furukawa 04,Nguyen et al. 04, Wikström04]) (cid:1) Want strong definition in the computational setting (cid:1) More appealing to complexity-based cryptographers (cid:1) And capturing “unavoidably leaked” information 11 AC Definitional Challenges (cid:1) Capturing information “leaks” (cid:1) Total network flow (cid:1) Amount of traffic per party (cid:1) Value of messages sent or received per party Hide everything except what follows from leaked information 12 5 Our results (cid:1) Intuitive but strong definition, similar as other primitives in complexity-based (computational) cryptography (cid:1) The model yields different notions (cid:1) We show how they compare (implications) (cid:1) We study if and how some existing protocols achieve them 13 Motivation of our Model Inspired in standard cryptographic definitions (cid:1) privacy of encryption (“indistinguishability of ciphertexts”, IND-CPA) b ˛ {0,1} R M , M 0 1 |M |=|M | 0 1 C=E (M ) E K b K g Adversary wins if g=b Hides all information except length |M |=|M | 0 1 14 6 The Model – Basics (cid:1) Fixed number of parties (cid:1) Communication patterns as matrices 1 2 3 4 5 6 7 8 1 a 5 1 a 2 b 6 2 b a 3 7 3 a c 4 d 8 M = 4 c d 5 6 We model logical 7 messages (not packets) 8 7 m = sets of messages from party i to party j ij 15 The Model – Sent/Received Messages 1 2 3 4 5 6 7 8 1 a 5 1 a 2 b 6 2 b a 3 7 3 a c 4 d 8 M = 4 c d 5 6 Send msgs = Row 7 Received msgs = Column 8 Sent by player 4 = { c , d } Rcvd by player 6 = { a , c } 16 7 Towards a Definition (cid:1) Indistinguishability-based definition b ˛ {0,1} R M , M 0 1 Select & Run View M g b Protocol P Adversary wins if g=b M b 17 Capturing information leaks (cid:1) By restricting the matrix pair M ,M 0 1 (cid:1) Let f(M) be the information leaked (cid:1) “Select & Run” requires f(M ) = f(M ) 0 1 (cid:1) Example of leaked information: (cid:1) “Values sent per party”: f (M) = ( U m ) U j ij i c P i d = i c d d c multiset for each row i M M 0 1 18 8 Capturing (more) information leaks (cid:1) “Amount of traffic per sender” ? f (M) = ( ∑ |m | ) ∑ j ij i ∑ = ∑ i c a d e P i M M 0 1 (cid:1) “Total network flow” ? f (M) = ∑ |m | # jj ij (cid:1) Analogous for receivers, just transpose matrix (cid:1) f T(M) = f (MT) , f T(M) = f (MT) U U ∑ ∑ (cid:1) For each f, define R = { (M ,M ) | f(M ) = f(M ) } f 0 1 0 1 (cid:1) We get relations: R , R , R , R , R fU fUT f∑ f∑T f# 19 The Definition – Capturing leaks (cid:1) We require matrix pair must be in relation R (cid:1) R depends on the variant of anonymity to capture b ˛ {0,1} R M , M 0 1 Check if Select (M , M ) ˛ R & Run 0 1 View M g b Protocol P Adversary wins if g=b M b 20 9 Anonymity Variants Sender Unlinkability (SUL) R ∩ R f∑ fUT Receiver Unlinkability (RUL) R ∩ R fU f∑T Sender-Receiver Unlinkability (UL) R ∩ R f∑ f∑T Sender Anonymity (SA) R fUT Strong Sender Anonymity (SA*) R f∑T Receiver Anonymity (RA) R fU Strong Receiver Anonymity (RA*) R f∑ Sender-Receiver Anonymity (SRA) R f# Unobservability (UO) Any 21 Anonymity Variants – Examples (I) (cid:1) Sender Unlinkability (SUL): ∑= ∑ (M ,M ) ˛ R ∩R 0 1 f∑ fUT U= U a b ( ∑ ,U)-anonymity b a M M 0 1 (cid:1) Unlinkability (UL): ∑= ∑ (M ,M ) ˛ R ∩R 0 1 f∑ f∑T ∑= ∑ a c ( ∑ , ∑ )-anonymity a d M M 0 1 22 10

Description:
The model yields different notions. ▫ We show how they compare (implications). ▫ We study if and how some existing protocols achieve them. 14.
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.