An Indistinguishability-based Characterization of Anonymous Channels Alejandro Hevia Daniele Micciancio Dept. Computer Science, Dept. Computer Science & U. of Chile, Chile Engineering, U. of California at San Diego, USA PETS’08, Leuven, Belgium, July 23, 2008 Anonymous Communication The problem: Send/receive messages often reveals identities Network Eavesdropper 2 1 Anonymity’s Intuitive Ultimate Goal Avoid revealing identities… Many applications 3 Applications (cid:1) Crime tips hotline, “whistle blowers” Tip: “It was the pointy haired guy” 4 2 Querying disease databases (cid:1) Stigmatized diseases (HIV, Cancer, STDs) “Can I take medicine X if I have disease Y?” 5 Political chat rooms (cid:1) Or “forum for unpopular/sensitive topics” lawyer “Is policy X discriminatory?” office employee 6 3 Anonymous Channels (AC) (cid:1) Anonymous communication? (cid:1) Communication channel + anonymity property (cid:1) Several variants often mentioned in the literature [Pfitzmann and Köhntopp 01] (cid:1) Sender anonymity (cid:1) Receiver anonymity (cid:1) Sender and receiver anonymity (cid:1) Unlinkability (cid:1) Unobservability (cid:1) Etc. 7 Anonymous Channels: Previous Work (cid:1) Trends in previous definitions (cid:1) Intuitive but weak [Pfitzmannand Köhntopp01] to capture efficient constructions (cid:1) Strong (eg. secure function evaluation, [Ishaiet al. 06]) but less practical (cid:1) Based on “anonymity set”, logics (eg. [Halpernet al. 04]), possibilistic models (eg. [Hughes and Shmatikov04, Feigenbaumet al. 07]), and information theory (eg. [Kesdoganet al. 98, Diaz et al. 02, Serjantovand Danezis02, Chatzikokolakisand Palamidessi07]) 10 4 More Previous Work (cid:1) Other definitions in the crypto literature (computational setting) (cid:1) Some subtle definitional flaws [Beimeland Dolev03, von Ahnet al. 03, Golleand Juels04] (cid:1) Tailored to specific constructions (eg. Mixnets [Furukawa 04,Nguyen et al. 04, Wikström04]) (cid:1) Want strong definition in the computational setting (cid:1) More appealing to complexity-based cryptographers (cid:1) And capturing “unavoidably leaked” information 11 AC Definitional Challenges (cid:1) Capturing information “leaks” (cid:1) Total network flow (cid:1) Amount of traffic per party (cid:1) Value of messages sent or received per party Hide everything except what follows from leaked information 12 5 Our results (cid:1) Intuitive but strong definition, similar as other primitives in complexity-based (computational) cryptography (cid:1) The model yields different notions (cid:1) We show how they compare (implications) (cid:1) We study if and how some existing protocols achieve them 13 Motivation of our Model Inspired in standard cryptographic definitions (cid:1) privacy of encryption (“indistinguishability of ciphertexts”, IND-CPA) b ˛ {0,1} R M , M 0 1 |M |=|M | 0 1 C=E (M ) E K b K g Adversary wins if g=b Hides all information except length |M |=|M | 0 1 14 6 The Model – Basics (cid:1) Fixed number of parties (cid:1) Communication patterns as matrices 1 2 3 4 5 6 7 8 1 a 5 1 a 2 b 6 2 b a 3 7 3 a c 4 d 8 M = 4 c d 5 6 We model logical 7 messages (not packets) 8 7 m = sets of messages from party i to party j ij 15 The Model – Sent/Received Messages 1 2 3 4 5 6 7 8 1 a 5 1 a 2 b 6 2 b a 3 7 3 a c 4 d 8 M = 4 c d 5 6 Send msgs = Row 7 Received msgs = Column 8 Sent by player 4 = { c , d } Rcvd by player 6 = { a , c } 16 7 Towards a Definition (cid:1) Indistinguishability-based definition b ˛ {0,1} R M , M 0 1 Select & Run View M g b Protocol P Adversary wins if g=b M b 17 Capturing information leaks (cid:1) By restricting the matrix pair M ,M 0 1 (cid:1) Let f(M) be the information leaked (cid:1) “Select & Run” requires f(M ) = f(M ) 0 1 (cid:1) Example of leaked information: (cid:1) “Values sent per party”: f (M) = ( U m ) U j ij i c P i d = i c d d c multiset for each row i M M 0 1 18 8 Capturing (more) information leaks (cid:1) “Amount of traffic per sender” ? f (M) = ( ∑ |m | ) ∑ j ij i ∑ = ∑ i c a d e P i M M 0 1 (cid:1) “Total network flow” ? f (M) = ∑ |m | # jj ij (cid:1) Analogous for receivers, just transpose matrix (cid:1) f T(M) = f (MT) , f T(M) = f (MT) U U ∑ ∑ (cid:1) For each f, define R = { (M ,M ) | f(M ) = f(M ) } f 0 1 0 1 (cid:1) We get relations: R , R , R , R , R fU fUT f∑ f∑T f# 19 The Definition – Capturing leaks (cid:1) We require matrix pair must be in relation R (cid:1) R depends on the variant of anonymity to capture b ˛ {0,1} R M , M 0 1 Check if Select (M , M ) ˛ R & Run 0 1 View M g b Protocol P Adversary wins if g=b M b 20 9 Anonymity Variants Sender Unlinkability (SUL) R ∩ R f∑ fUT Receiver Unlinkability (RUL) R ∩ R fU f∑T Sender-Receiver Unlinkability (UL) R ∩ R f∑ f∑T Sender Anonymity (SA) R fUT Strong Sender Anonymity (SA*) R f∑T Receiver Anonymity (RA) R fU Strong Receiver Anonymity (RA*) R f∑ Sender-Receiver Anonymity (SRA) R f# Unobservability (UO) Any 21 Anonymity Variants – Examples (I) (cid:1) Sender Unlinkability (SUL): ∑= ∑ (M ,M ) ˛ R ∩R 0 1 f∑ fUT U= U a b ( ∑ ,U)-anonymity b a M M 0 1 (cid:1) Unlinkability (UL): ∑= ∑ (M ,M ) ˛ R ∩R 0 1 f∑ f∑T ∑= ∑ a c ( ∑ , ∑ )-anonymity a d M M 0 1 22 10
Description: