ebook img

ANDaNA: Anonymous Named Data Networking Application PDF

1.1 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview ANDaNA: Anonymous Named Data Networking Application

ANDaNA: Anonymous Named Data Networking Application StevenDiBenedetto Paolo Gasti GeneTsudik ErsinUzun ColoradoState University UniversityofCalifornia, Irvine Palo AltoResearch Center [email protected] {pgasti,gtsudik}@uci.edu [email protected] 2 1 Abstract fort that exemplifies the content-centric approach [23, 0 2 27, 28] to networking. NDN names content instead of Content-centric networking — also known as locations (i.e., hosts or interfaces) and thus transforms n a information-centric networking (ICN) — shifts empha- contentintoafirst-classentity.NDNalsostipulatesthat J sis from hostsandinterfaces (asin today’sInternet)to each piece of content must be signed by its producer. 0 data. Named data becomes addressable and routable, Thisallowsdecouplingoftrustin contentfromtrustin 1 whilelocationsthatcurrentlystorethatdatabecomeir- the entity that mightstore and/ordisseminate thatcon- relevanttoapplications. tent.TheseNDNfeaturesfacilitateautomaticcachingof ] R NamedDataNetworking(NDN)isalargecollabora- contenttooptimizebandwidthuse andenableeffective simultaneousutilizationofmultiplenetworkinterfaces. C tive research effort that exemplifies the content-centric . approachtonetworking.NDNhassomeinnateprivacy- However, NDN introduces certain challenges that s c friendly features, such as lack of source and destina- must be addressed in order for it to be a serious can- [ tion addresses on packets. However, as discussed in didate for the future Internet architecture. One major thispaper,NDNarchitecturepromptssomeprivacycon- argumentfor a new architectureis the inadequatelevel 2 v cerns mainly stemming from the semantic richness of of security and privacy in today’s Internet. We view 5 names. We examine privacy-relevantcharacteristics of anonymityasbeingacriticalfeatureinanynewnetwork 0 NDNandpresentaninitialattempttoachievecommuni- architecture. It helps people overcomecommunication 2 cationprivacy. Specifically,wedesignanNDNadd-on restrictionsandboundariesaswellasevadecensorship. 2 . tool,calledANDaNA,thatborrowsanumberoffeatures In addition, some applications (e.g., e-cash or anony- 2 fromTor. Aswedemonstrateviaexperiments,itprovides mous publishing) can be successfully deployed only if 1 comparableanonymitywithlowerrelativeoverhead. the underlyingnetworkallows users to hide their iden- 1 tity[14]. Evenifend-usersdonotcareaboutanonymity 1 : withrespecttoservicestheyaccess,theymightstillwant v 1 Introduction tohidetheiractivitiesfromemployers,governmentsand i X ISPs, since those might censor, misuse or accidentally Although the Internet, as a whole, is a huge global r leaksensitiveinformation[19]. a success story, it is showing clear signs of age. In the 1970s,whencoreideasunderlyingtoday’sInternetwere Lack of source/destination addresses in NDN helps developed, telephony was the only example of effec- privacy, since NDN packets carry information only tiveglobal-scalecommunications.Thus,whilethecom- about what is requested but not who is requesting it. munication solution offered by the Internet’s TCP/IP However,acloserlookrevealsthatthisisinsufficient.In suitewasuniqueandground-breaking,thecommunica- particular, NDN design introducesthree important pri- tion paradigmit focused on was similar to thatof tele- vacychallenges: phony: a point-to-point conversation between two en- 1. Name privacy: NDN content names are incen- tities. The communication world has changed dramat- tivizedtobesemanticallyrelatedtothecontentit- ically since then and today’s Internethas to accommo- self. Similar to HTTP headers, names reveal sig- date: information-intensive services, exabytes of con- nificantly more information about content than IP tentcreatedandconsumeddailyovertheWebaswellas addresses. Moreover, an observer can easily de- amenagerieofmobiledevicesconnectedtoit. Tokeep terminewhentworequestsrefertothesame(even pacewith these changesandmovetheInternetinto the encrypted)content. future,anumberofresearcheffortstodesignnewInter- 2. Content privacy: NDN allows any entity that netarchitectureshavetakenoffinthelastfewyears. knows a name to retrieve corresponding content. Named-DataNetworking(NDN)[32]isonesuchef- EncryptioninNDN isusedtoenforceaccesscon- 1 trolandisnotappliedtopubliclyavailablecontent. matureprototypeavailabletotheresearchcommunity.1 Thus,consumerswantingtoretrievepubliccontent Third,NDNisoneofonlyfourprojectsselectedbyNSF cannotrelyonencryptiontohidewhattheyaccess. FutureInternetArchitectures(FIA)program[20]. 3. Cache privacy: as with currentweb proxies, net- On the other hand, NDN is an on-going research workneighborsmaylearnabouteachothers’con- projectandisthussubjecttocontinuouschange. How- tent access using timing information to identify ever, we believe that it represents a good example of cachehits. content-centricnetworkingdesign and at least some of 4. Signature privacy: since digital signatures in its concepts will influence the future of networking. NDN content packets are required to be publicly More importantly, ideas, techniques and analysis dis- verifiable,identityofacontentsignermayleaksen- cussedinthispaperarenotspecific,orlimitedto,NDN; sitiveinformation. theyareapplicabletoawiderangeofdesigns,including Inthispaper,weattempttoaddressthesechallenges.We host-,location-andcontent-addressablenetworks. presentaninitialapproach,calledANDaNAthatcanbe Approach. NDN followsthe provendesign principle viewed as an adaptationof onionroutingto NDN. Our ofIPandclaimstobethe“thinwaist”ofthecommuni- approachisin-linewithNDNprinciples. Itisdesigned cationsprotocolstack.Thus,pushingsecurityorprivacy to take advantage of NDN strengths and work around services(thatarenotcriticalforalltypesofcommunica- its weaknesses. We optimized ANDaNA for small- to tion)intothisthinwaistwouldcontradictitsdesignprin- medium-sizeinteractivecommunication–suchasweb- ciple. Consequently,asinthecaseofIP,webelievethat browsingandinstantmessaging–thatarecharacterized privacytoolsshouldrunontopofNDN.Lookingatpri- bymoderateamountsoflow-latencytraffic[11]. vacyandanonymitytechniquesintoday’sInternet,one We provide a security analysis of the proposed ap- well-established approach is an overlay anonymization proach under a realistic adversarial model. Specif- network, exemplifiedby Tor [18]. Tor and its relatives ically, we define anonymity and unlinkability under employ layers of concentric encryption and intermedi- thissecuritymodelandshowthatthesepropertieshold ate nodes responsible for peeling off layers as packets for ANDaNA. Moreover, ANDaNA is secure with fewer travel through the overlay. This is commonly referred anonymizing router hops than Tor. We prototyped toasonionrouting. Ourapproachfallsintoroughlythe ANDaNA andassessed itsperformanceviaexperiments samecategory. However,aswediscoveranddiscussin overanetworktestbed. ResultsshowthatANDaNAin- thispaper,the task ofadaptingan anonymizationover- troduces less overhead than Tor, especially, for antici- layapproachtoNDNisnotassimpleasitmightinitially patedtrafficpatterns. seem. We believe that this work is both timely and impor- Scope. The primary focus of this paper is privacy. tant. The former – because of the recent surge of in- Security and other features of NDN are taken as given terest in content-centric networking and NDN being a withoutjustifying their existence. A numberof impor- good example of this paradigm. (Also, while NDN is tantNDN-relatedsecuritytopicsareoutofscopeofthis sufficiently mature to have a functionalprototype suit- paper,including:trustmanagement,certificationandre- able for experimental use, it is still at an early enough vocationofcredentialsaswellasroutingsecurity. stagetobeopentochange.) Thelatter–becauseitrep- resents the first attempt to identifyand address privacy Organization. We start with NDN overviewand pri- problemsinaviablecandidateforthefutureInternetar- vacyanalysisinSection2. Section3summarizesrelated chitecture. work, followed by the description of ANDaNA in Sec- tion4. Section5introducesaformalmodelforprovable Beforediscussingdetailsofourapproach,wepresent anonymityandsecurityanalysisofANDaNA.Implemen- furthermotivationforthiswork. tationdetailsandperformanceevaluationresultsaredis- cussedinSection6. ThepaperconcludesinSection7. Why NDN? There are multiple efforts to develop new 2 NDN Overview content-centric architectures and NDN is only one of those. We focus on NDN because it stands out in sev- NDN [32] is a communication architecture based eralaspects. First,itcombinessomerevolutionaryideas on named content.2 Rather than addressing content aboutcontent-basedroutingthathaveattractedconsider- by its location, NDN refers to it by name. Content ableattentionfromthenetworkingresearchcommunity. nameiscomposedofoneormorevariable-lengthcom- Second,itbuildsuponanopen-sourcecode-basecalled ponents that are opaque to the network. Component CCNx [12], thatisled andcontinuouslymaintainedby 1Weareawareofonlytwoothercontent-centric architecturepro- an industrial research lab (PARC). At the time of this posals–[33]and[36]–thathavepublicprototypes. writing (summer 2011), NDN is one of the very few 2Notethatweusetheterms”content”and”data”interchangeably content-centricarchitecturalproposalswithareasonably throughoutthispaper. 2 boundaries are explicitly delimited by “/”. For ex- suchastheIDofthecontentpublisherandinformation ample, the name of a CNN news content might be: onlocatingthepublickeyneededforverification. Pub- /ndn/cnn/news/2011aug20. Large pieces of con- lickeysaretreatedasregularcontent: sinceallcontent tentcanbesplitintofragmentswithpredictablenames: is signed, each public keycontentis effectivelya “cer- fragment 137 of a YouTube video could be named: tificate”. NDN doesnotmandateany particularcertifi- /ndn/youtube/videos/video-749.avi/137. cationinfrastructure,relegatingtrustmanagementtoin- Sincethemainabstractioniscontent,thereisnoex- dividualapplications. plicit notion of “hosts” in NDN. (However, their exis- PrivateorrestrictedcontentinNDNisprotectedvia tence is assumed.) Communicationadheres to the pull encryptionbythecontentpublisher.Oncecontentisdis- model: contentisdeliveredtoconsumersonlyuponex- tributed unencrypted, there is no mechanism to apply plicitrequest. Aconsumerrequestscontentbysending subsequent encryption. Specific applications may pro- an interest packet. If an entity (a router or a host) can videameanstoexplicitlyrequestencryptionofcontent “satisfy” a given interest, it returns the corresponding bypublishers. However,NDNdoesnotcurrentlyallow content packet. Interest and content are the only types consumerstoselectivelyconcealcontentcorresponding of packets in NDN. A content packet with name X in totheirinterests. NDNisneverforwardedorroutedunlessitispreceded Fromtheprivacyperspective,lackofsourceanddes- byaninterestfornameX.3 tinationaddressesin NDN packetsisa clear advantage When a router receives an interest for name X and over IP. In practice, this means that the adversary that there are no pending interests for the same name in its eavesdropsonalinkclosetoacontentproducercannot PIT(PendingInterestsTable),itforwardsthisinterestto immediatelyidentifytheconsumer(s)whoexpressedin- thenexthopaccordingtoitsroutingtable. Foreachfor- terestinthatcontent.Moreover,twofeaturesofstandard wardedinterest, a routerstoressome state information, NDNrouters: (1)contentcachingand(2)collapsingof including the name in the interest and the interface on redundantinterests, reducethe utility of eavesdropping whichitwasreceived. However,ifaninterestforXar- near a content producer since not all interests for the riveswhilethereisanentryforthesamenameinthePIT, samecontentreachitsproducer. theroutercollapsesthepresentinterest(andanysubse- On the other hand, NDN provides no protection quentonesforX)storingonlytheinterfaceonwhichit againstanadversarythatmonitorslocalactivityofaspe- wasreceived. Whencontentisreturned,the routerfor- cificconsumer. Asmostcontentnamesareexpectedto wardsitoutonallinterfaceswhereaninterestforXhas be semantically relevant to content itself, interests can been receivedand flushes the correspondingPIT entry. leak a lot of informationabout the content they aim to Note that, since no additionalinformationis needed to retrieve. To mitigate this issue, NDN allows the use deliver content, an interest does not carry a source ad- of“encryptednames”,wherebyaproducerencryptsthe dress. MoredetaileddiscussionofNDNroutingcanbe tail-end(afewcomponents)ofaname[27]. 4 However, foundin[27]. thissimpleapproachdoesnotprovidemuchprivacy:the In NDN, each network entity can provide content adversary can link multiple interests for the same con- caching, which is limited only by resource availabil- tent–orthosesharingthesamenameprefix–issuedby ity. For popularcontent, this allowsintereststo be sat- differentconsumers.Moreover,anadversarycanalways isfied fromcachedcopiesdistributedoverthe network, replayaninteresttoseewhat(possiblycached)content thus maximizing resource utilization. NDN deals with itreturns,evenifanameofcontentisnotsemantically contentauthenticityandintegritybymakingdigitalsig- relevant. natures mandatory on all content packets. A signature binds content with its name, and provides origin au- 3 Related Work thenticationnomatterhoworfromwhereitisretrieved. The goal of anonymizingtools and techniques is to NDN calls entities thatpublish new contentproducers. decouple actions from entities that perform them. The Whereas,asfollowsfromtheabovediscussion,entities most basic approach to anonymity is to use a trusted that requestcontentare called consumers. (Consumers anonymizingproxy. Aproxyistypicallyinterposedbe- and producers are clearly overlapping sets.) Although tween a sender and a receiver in order to hide identity contentsignatureverificationisoptionalinNDN,asig- of the formerfromthe latter. The Anonymizer[3] and naturemustbe verifiableby anyNDN entity. To make LucentPersonalizedWebAssistant[22]areexamplesof thispossible,contentpacketscarryadditionalmetadata, thisapproach.Whilerelativelyefficient,itissusceptible 3Strictlyspeaking, contentnamedX′ 6= X canbedelivered in toa(local)passiveadversarythatmonitorsallproxyac- responsetoaninterestforX butonlyifX isaprefixofX′. Asan example,thefullnameofeachcontentpacketcontainsthehashofthat 4For example, a name such as: content;however,thishashvalueisusuallynotknowntoconsumers /ndn/xerox/parc/Alice/family/photos/Hawaiimight andistypicallyomittedfrominterests. bereplacedwith/ndn/xerox/parc/Alice/encrypted-part. 3 tivity. Also,acentralizedproxynecessitatescentralized network. It buildsa universallyverifiableset of neigh- (global)trustandrepresentsasinglepointoffailure. bors (called mimics) for every node to keep track of Amoresophisticateddecentralizedapproachisused other other Tarzan participants. Every node selects its inmixnetworks[13].Typically,amixnetworkachieves mimicspseudo-randomly. anonymity by repeatedly routing a message from one Tor[18]isthebest-knownandmost-usedlow-latency proxytoanother,suchthatthemessagegraduallyloses anonymizing tool. It is based on onion routing and any relationship with its originator. Messages must be layered encryption. Tor uses a central directory to lo- madeunintelligibletopotentiallyuntrustedintermediate cate participating nodes and requires users to build a nodes. Chaum’sinitialproposal[13]definesananony- three-hop anonymizing circuit by choosing three ran- mous email system, wherein a sender envelops a mes- dom nodes. The first is called the guard, the second sagewithseveralconcentriclayersofpublickeyencryp- – the middle, and the third — exit node. Once set up, tion. The resulting message is then forwarded to a se- each circuit in Tor lasts about 10 minutes. For better quenceof mix servers, thatgraduallyremoveonelayer performance,bandwidthavailabletonodesistakeninto of encryptionata time and forwardthe message to the accountduring circuit establishment and multiple TCP nextmixserver. connectionsare multiplexedoverone circuit. Commu- Subsequentresearchgenerallyfallsintotwoclasses: nication between Tor nodes is secured via SSL. How- delay-tolerantapplications(e.g. email,filesharing)and ever,Tordoesnotintroduceanydecoytrafficorrandom- real-time or low-latency applications (e.g. web brows- ization to hide traffic patterns. Another anonymization ing, VoIP, SSH). These two classes achieve different tool, I2P[26], adoptsmanyideasof Tor, while usinga tradeoffsbetweenperformance(intermsoflatencyand distributed untrusted directory service to keep track of bandwidth) and anonymity. For example, Babel [24], itsparticipants.I2PalsoreplacesTor’scircuit-switching Mixmaster[30] and Mixminion[16] belongto the first operation with packet-switching to achieve better load category. Their goal is to provide anonymity with re- balancingandfault-tolerance. spect to the global eavesdropper adversary. Each mix A consumer privacy technique for Information- introducesspurioustrafficandrandomizedtrafficdelays CentricNetworks(ICNs)isproposedin[4]. Insteadof in order to inhibit correlation between input and out- usingencryption,itleveragescooperationfromcontent put traffic. However, unpredictable traffic characteris- producers and requires them to mix sensitive informa- tics and high delays make these techniques unsuitable tion with so-called “cover” content. This approach re- formanyapplications. quiresproducersto cooperateand store a largeamount Low-latency anonymizing networks are at the other of cover traffic. It also does not provide consumer- endofthespectrum. Theytrytominimizeextralatency producer unlinkability or protection against malicious byforwardingtrafficasfastaspossible.Becauseofthis, producers. strategiesusedinanonymizationofdelay-toleranttraffic Telex [44] is an alternative to mix networks de- –batching(delaying)andre-orderingoftrafficinmixes, signed to evade state-levelcensorship. It uses stegano- aswellasintroductionofdecoytraffic—aregenerally graphictechniquestohidemessagesinSSLhandshakes. notapplicable.Forexample,[40]showshowtrafficpat- Usersconnecttoinnocuous-lookingunblockedwebsites terns can be used for de-anonymizationin low-latency throughSSL.SympatheticISP-sthatforwarduser’straf- anonymitysystems. Notablelow-latencytoolsaresum- ficrecoverhiddenmessagesanddeliverthemtothein- marizedbelow. tendeddestination. Whilenovel,thisapproachpresents Crowds [37] is a low-latency anonymizing network significantdeploymentchallengesand requiressupport for HTTP traffic. It differs from traditional mix-based fromthenetworkinfrastructure.Furthermore,thethreat approachesasitlackslayeredencryption.Foreachmes- modelin Telex is quite differentfrom that of the other sageitreceives,ananonymizerprobabilisticallychooses anonymizing tools presented above. Moreover, estab- to either forward it to a random next hop within the lished TCP fingerprinting techniques can easily detect Crowds network or deliver it to its final destination. differencesbetweenaTelexstationandacensoredweb- Sincemessagesarenotencrypted,Crowdsisvulnerable site. Another analogous technique – called Cirripede tolocaleavesdroppersandpredecessorattacks[43]. [25]–wasrecentlyproposed. Morphmix [38, 39] is a fully distributed peer-to- 4 ANDaNA peer mix networkthat uses layered encryption. Unlike Crowds, it does not require a lookup service to keep ANDaNA is a onion routing overlay network, built trackofallparticipatingnodes. Sendersselectsthefirst on top of NDN, that provides privacy and anonymity anonymizerandeachanonymizeralongan“anonymous to consumers. In particular, ANDaNA prevents adver- tunnel”picksthenexthoptodynamicallybuildtunnels. saries from linking consumers with the content they Tarzan[21]isanotherfullydistributedpeer-to-peermix are retrieving. Following the terminology introduced 4 in[37],ANDaNAprovidesbeyondsuspicion5 degreeof A prospective AR joins ANDaNA by advertising its anonymitytoitsusers. publickey,togetherwithitsidentitydefinedas: names- ANDaNA uses multiple concentric layers of encryp- pace, organization and public key fingerprint. An AR tion and routes messages from consumers through a alsopublishesauxiliaryinformation,suchastotalband- chainofatleasttwoonionrouters.Eachrouterremoves width,averageload,anduptime. a layer of encryption and forwards the decrypted mes- Asmentionedearlier,bothinterestandcontentpack- sages to the next hop. Due to its low-latency focus, etsleakinformation. Evenifnamesininterestsarehid- ANDaNA does not guarantee privacy in presence of a den,threecomponentsofcontentpackets—signatures, global eavesdropper. However, since it is geared for a namesandcontentitself—containpotentiallysensitive world-wide (or at least geographicallydistributed) net- information. Of course, content producers could sim- work spanning a multitude of administrative domains, plygenerateanewkey-pairtosigneachcontentpacket. the existence of such an adversaryis unlikely. For this Thiswouldbeimpractical,sincehighcostsofkeygen- reason,we restrictthe adversarialcapabilitiestoeaves- erationanddistributionwouldmakeitdifficultforcon- dropping on, injecting, removing or modifying mes- sumerstoauthenticatecontent. (Notethatkey-evolving sages on a subset of available links. An adversary schemes [8] do not help, since verification keys gener- can compromise NDN routers and ANDaNA nodes at allyevolveinawaythatispredictabletoallparties,in- will. Nonetheless,consumersbenefitfromanonymityas cluding the adversary.) Alternatively, the originalcon- longastheyuseatleastonenon-compromisedANDaNA tentsignaturecouldbe replacedwith that generatedby node. Details of our adversarialmodeland formalpri- an AR. However, this would preclude end-to-end con- vacyguaranteesarediscussedinSection5. tentverifiabilityandthusbreaktheNDNtrustmodel. For this reason, ANDaNA implementsencrypteden- 4.1 Design capsulation of original content, using two symmetric We now present two techniques — asymmetric and keys securely distributed by the consumer to the ARs session-based—thatprovideprivacyandanonymityfor duringsetupoftheephemeralcircuit. Uponreceivinga NDN traffic. Traffic is routed through ephemeral cir- contentpacket,theexitrouterencryptsit,togetherwith cuits, thatare definedasa pairofdistinctanonymizing the original (cleartext) name and signature, under the routers(ARs). AnARisaNDNnode(e.g. arouterora first key provided by the consumer. Then, treating the host)thatchoosestobepartofANDaNA.Anephemeral ciphertextaspayloadforanewcontentpacket,theexit circuittransportsonlyone(oronlyafew)encryptedin- router signs and sends it to the entry router. The latter terest(s). It disappears either when the corresponding strips this signature and the name and encrypts the re- content gets delivered, or after a short timeout (hence mainingciphertextunderthesecondsymmetrickeypro- “ephemeral”). A timeoutinterval is neededso that the videdbytheconsumer. Next,itforwardstheciphertext consumer can re-issue the same encrypted interest in with the original encryptedname and a fresh (its own) case of packet loss. We refer to the first AR as entry signature. After decrypting the payload, the consumer router and the second – as exit router. They must not discardsthesignaturefromtheentryrouterandverifies belongtothesameadministrativedomainandmustnot theonefromthecontentproducer. sharethesamenameprefix. Optionally,consumerscan Becausedecryptionisdeterministic,anencryptedin- selectARsaccordingtosomeparameters,suchasadver- terest sent to an AR always producesthe same output. tisedbandwidth,availabilityoraverageload.Aspointed SinceARs are a publicresource, theadversarycanuse out in [5, 31], there is a well know natural tension be- them to decrypt previously observed interests. It can tweennon-uniform(i.e. performance-driven)choiceof thusobservethecorrespondingoutputandcorrelatein- routersandanonymity. Consumersshouldconsiderthis coming/outgoinginterests. Thisisawell-knownattack whenselectingARs. and there are several ways to mitigate it, such as en- To build an ephemeral circuit, a consumer retrieves crypted channels between communicating parties [18] thelistofARsandcorrespondingpublickeys.Although and mixing (for delay-tolerant traffic) [24]. However, wedonotmandateanyparticulartechnique,aconsumer suchtechniquestendtohavesignificantimpactoncom- canretrievethislistusing,e.g.,adirectoryservice[18] putational costs and latency. Instead, we use standard or a decentralized (peer-to-peer)mechanism. AR pub- NDNfeaturesofinterestaggregationandcachingtopre- lic keys can be authenticated using decentralized tech- ventsuchattacks,asdescribednext. niques (such as web-of-trust [2]) or a PKI infrastruc- InNDN,arouter(notjustanAR)thatreceivesdupli- ture.6 cate interestscollapsesthem. An interestis considered 5Foranypacketobservedbytheadversary,anentityisconsidered a duplicate,ifit arriveswhile anotherinterestreferring beyondsuspicionifitisaslikelytobethesenderofthispacketasany otherentity. lows the construction of a directory system with better resilience 6Note that implicit replication implemented through caching al- againstdenial-of-service(DoS)attacksthanIP. 5 to the same contenthas notbeen satisfied. Also, if the Algorithm1:EncryptedInterestGeneration original interest has been satisfied and the correspond- input :Interestint; SetofℓARsandtheirkeys: ing content is still in cache, a new interest requesting R={(ARi,pki)|0<i≤ ℓ,pki∈PK} the same piece of data is satisfied with cachedcontent. output:Encryptedinterestintpki,pkj; symmetrickeysk1,k2 In this case, the router does not forward any interests. 1: Select(ARi,pki),(ARj,pkj)fromR Therefore,theadversarymustwaitfortheexpirationof 2: ifARi=ARjorARi,ARjarefromsameorganizationor ARi,ARjsharethesamenameprefixthen cachedcontent. 3: Gotoline1 AspartofANDaNA,theconsumerincludesitscurrent 4: endif timestampwithineachencryptionlayer. ARsrejectin- 5: k1←{0,1}κ; k2←{0,1}κ terestswithtimestampsoutsideapre-definedtimewin- 6: eint=AR2/Epkj(int|k2|curr timestamp+RTT/2) dow. Thus,consumersneedtobelooselysynchronized 7: eint=AR1/Epki(eint|k1|curr timestamp) 8: Outputeint,k1,k2 withARsthatmustreserveatleast(rate×window)of cache,whererateistherouter’swire-rateandwindow is the interval within which interests are accepted. In Algorithm2:ARHandlingofEncryptedInterests this way, if an interestis receivedmultipletimes by an input :EncryptedInterestintpki,pkj,where AR(e.g.incaseoflossofthecorrespondingdatapacket pki,pkj ∈PK ∪{⊥} (where“⊥”denotes“no between the AR and the consumer), the AR is able to encryption”) satisfyitusingitscache. output:Interestintpkj; symmetrickeyk1 Theencryptionalgorithmusedbyconsumerstocon- 12:: (ifinSttpekpj1,kfa1i,lstiomretismtaemstpa)m=pDissnkoit(cinutrrpeknit,pthkjen) ceal names in interests must be secure against adap- 3: Discardintpki,pkj tive chosen ciphertext (CCA) attacks.7 CCA-security 4: else [9]implies,amongotherthings,probabilisticencryption 5: Savetuple(intpki,pkj,intpkj,k1)tointernalstate andnon-malleability.Theformerpreventstheadversary 67:: endOiuftputintpkj,k1 from determining whether two encrypted interests cor- respondtothesameunencryptedinterest. Whereas,the Algorithm3:ARContentRouting latterimpliesthattheadversarycannotmodifyinterests todefeatthemechanismdescribedabove. input :Content:datak2 inresponsetointpkj,where We now describe two flavors of anonymizationpro- pkj ∈PK ∪{⊥} tocols: asymmetric and session-based. In order to al- output:Encrypteddatapacketdatak1,k2 1: Retrievetuple(intpki,pkj,intpkj,k1)frominternalstate low efficient routing of interest packets, the encrypted wherenameinintpk2matchesthatindatak2 componentisencodedattheendofthenamewithboth 2: ifk26=⊥thenRemovesignatureandnamefromdatak2 3: Createnewemptydatapacketpkt flavors. 4: Setnameonpktasthenameonintpki,pkj Asymmetric: To issue an interest, a consumer selects 5: SetthedatainpktasEk1(datak2) 6: SignpktwithAR’skey a pair of ARs and usestheir publickeysto encryptthe interest,asdescribedaboveandinAlgorithm1. Acon- 7: Outputpktasdatak1,k2 sumer also generates two symmetric keys: k and k 1 2 that will be used to encrypt the content packet on the ingE (·)andsymmetrickeyssuppliedbytheconsumer. way back. We use E (·) and E (·) to denote (CCA- k pk k secure) public key and symmetric encryptionschemes, Session-based Variant. This variant aims to reduce respectively. (amortize)theuse ofpublickeyencryptionthuslower- To account for the delay due to extra hops needed ing the computationalcost and ciphertextsize. Before toreachthesecondAR(andreducethe numberofdis- sendinganyintereststhroughephemeralcircuits,acon- cardedinterests),aconsumeraddshalfoftheestimated sumer(Alice)establishesasharedsecretkeywitheach roundtriptime(RTT)totheinnermosttimestamp.Each selectedAR.Thisisdoneviaa2-packetinterest/content ARremovestheoutermostencryptionlayer,asdetailed handshake. We do not describe the details of symmet- inAlgorithm2.SinceE (·)isCCA-secure,thedecryp- ric key setup, since there are standard ways of doing pk tionprocessfails ifthe ciphertexthasbeenmodifiedin it. We provide two options: one using Diffie-Hellman transitorwasnotencryptedundertheAR’spublickey. keyexchange[17],andtheother–usingSSL/TLS-style Content corresponding to the encrypted interest is en- protocolwherebyAliceencryptsakeyforAR . Oncea i cryptedonthewayback,asdetailedinAlgorithm3,us- symmetrickeyk issharedwithAR ,Alicecanestab- ai i lishanynumberofephemeralcircuitsusingitaseither 7Technically, in order to guarantee correctness an encryption first or second AR hop. Also at setup time, Alice and schemesuitableforANDaNAmustalsoberobust[1].However,since AR agreeonsessionidentifiervalue–sid –thatisin- CCA-secureencryptionschemesusedinpracticearealsorobust,we i ai omitthisrequirementintherestofthepaper. cluded(incleartext)insubsequentinterestssothatARi 6 canidentifytheappropriateentryforAliceandk . no control over them. An adversary can compro- ai The main advantage of the session-based approach miseexistingcontentproducersordeploycompro- isbetterperformance: bothconsumersandroutersonly misedonesandconvinceuserstopullcontentfrom perform symmetric operations after initial key setup. them. We also assume that the content providers However, one drawbackis that, since the session iden- arepubliclyaccessible,andthereforetheadversary tifiersidisnotencrypted,packetscorrespondingtothe isabletoretrievecontentfromthem. samesidareeasilylinkable. • Deploy compromised caches: Similarly to com- We notethat ourdesignneitherencouragesnor pre- promisedcontentproducers,anadversarycancom- ventsconsumersfrommixingasymmetricandsession- promise routers’ cache or deploy its own caches. based variants for the same or different ephemeral cir- The behavior of a compromised cache includes cuits. monitoring cache requests and replying with cor- rupteddata. 4.2 SystemandSecurityModel • Observeandreplaytraffic: Anadversarycantap In order for our discussion to relate to prior work, a link carrying anonymized traffic. By doing this we usethe notionof“indistinguishableconfigurations” it learns, among other things, packetcontents and fromtheframeworkintroducedin[19]; theactualdefi- traffic patterns. The traffic observed by an adver- nitionsareinSection5. sarycanbereplayedbyanycompromisedrouter. Our security analysis considers the worst case sce- An adversarycan iteratively compromiseentities of its nario, i.e., interests being satisfied by the content pro- choice, and use the informationit gathersto determine ducer rather than a router’s cache. While, in normal what should be compromised next. In order to make conditions, encrypted interests are satisfied by caches our model realistic, the time required by an adversary onlyincaseofpacketloss,fullydecryptedinterestsmay to compromise or deploy a router, a cache or a con- not have to reach to content producers. A system se- tent producer is significantly higher that the round-trip cureincaseofcachemissesisalsosecurewheninterests time (RTT) of an anonymizedinterest and correspond- aresatisfiedbycontentcachedatroutersalongtheway. ing data. This implies that all the state informationre- (Recall that, when an interest is satisfied by a router’s coveredfromanewlycompromisedrouteronlyrefersto cache, it is not forwarded any further.) This limits the packetsreceivedaftertheadversarydecidestocompro- adversary’sabilitytoobserveinterestsintransit. misesuchrouter. Adversary Goals and Capabilities. The goal of an Apowerfulclassofattacksagainstanonymizingnet- adversaryistolinkconsumerswiththeiractions.Inpar- works is called fingerprinting [29, 41]. Inter-packet ticular, it may wantto determinewhatcontentis being time intervals are usually not hidden in low latency requestedbyaparticularuserand/orwhichusersarere- onionroutingnetworksbecause packetsare dispatched questing specific content. A somewhat related goal is as quickly as possible. This behavior can be exploited determining which cache (if any) is satisfying a con- byanadversary,whocancorrelateinter-packetintervals sumer’s requests. Our adversary is local and active: it on two links and use this information to determine if controls only a subset of network entities and can per- theobservedpacketsbelongtothesameconsumer[41]. formanyactionusuallyallowedtosuchentities. More- Thisclassofattacksissignificantlyhardertoexecuteon over, it is capable of selectively compromising addi- ANDaNAbecauseofthenatureofephemeralcircuitsand tionalnetworkentitiesaccordingtoitslocalinformation. becauseoftheuseofcachesonrouters. Ephemeralcir- Our model allows the adversary to perform the fol- cuitsdonotallowtheadversarytogatherenoughpack- lowingactions: etswithuniformdelayssincetheyareusedtotransport • Deploy compromised routers: ANDaNA is an onlyoneoraverysmallnumberofinterestsandcorre- open network, therefore an adversary can deploy spondingdata. Active adversaries who can control the compromisedanonymizersandregularrouters. As communicationlinkofacontentprovidercanaddmea- such, routers may exhibit malicious behavior in- surabledelaystosomeofthepacketsinordertoidentify cludinginjection,delay,alteration,ordroptraffic. consumers.However,consumersmaybeabletoretrieve • Compromise existing routers: An adversarycan thesamecontentthroughcachesmakingsuchattackin- selectanyrouter(eitherARsorregularrouters)in effective.Throughputfingerprintingconsistsinmeasur- thenetworkandcompromiseit. Asaresult,thead- ingthethroughputofthecircuitusedbyaconsumerto versary learns all the private information(e.g. de- identify the slowest anonymizer in the consumer’s cir- cryption keys, pending decrypted interests, cache cuit [29]. Throughputfingerprinting is difficult to per- content,etc.) ofsuchrouter. forminANDaNAsinceeachephemeralcircuitdoesnot • Control content producers: Content producers carry enough information to mount an attack. In par- arenotpartofANDaNA.Assuch,thenetworkhas ticular, the authors of [29] report that a successful at- 7 tack requires at least a few minutes of traffic on Tor. 5 Security Analysis Similarly, ephemeral circuits provide an effective pro- In this section we propose a formal model for eval- tection against known attacks such as the predecessor uating the security of ANDaNA. We define consumer attack[43]. anonymity and unlinkability with respect to an adver- Consumers,ProducersandARs. Eachconsumerruns sary within this model. We finally provide necessary severalprocessesthatgenerateinterests. Forouranaly- andsufficientconditionsforanonymityandunlinkabil- sis,interestsarecreatedbyaspecificinterfaceofahost, ity. Asouranalysisshows,weareabletoobtainalevel and the corresponding content is delivered back to the ofanonymitycomparabletoTorwithtwo—ratherthan same interface. Interest encryption is either performed Tor’sthree—ARsthankstothelackofsourceaddresses ontheconsumer’shost,oronanentitythatroutescon- inNDNinterests. sumer’s traffic. In the latter case, the channel between In general, efficacy of ANDaNA depends on the in- the user and the anonymizing entity is considered se- ability of the adversary to correlate input and output cure. of a non-compromisedAR, and its inability to observe Content is generated by producers, i.e., entities that all producer and consumers at the same time. Since can sign data. We do not assume the correspondence ANDaNA is designed for low-latencytraffic, we do not between a producerand a particular host. Content can intentionallydelaymessagesorintroducedummypack- beeitherstoredinrouters’caches,atserversordynami- ets, otherthansomelimitedpadding. Thisissimilarto callygeneratedinresponsetoaninterest. how Tor and other low-latency anonymizing networks ARsperforminterestsdecryptionandcontentencap- forward traffic, and implies that traffic patterns remain sulation. EachARadvertisesapublickeyforsignature almostunchangedastheypassthroughthenetwork[31]. verificationandoneormorepublickeysforencryption. It is well known that, in Tor, this allows the adversary ARs mustrefreshtheir encryptionkeysfrequently,dis- thatobservesbothendsofacommunicationflowtocon- cardingold keysafter a shortgraceperiod. In orderto firmasuspectedlinkbetweenthem[5,35]. Forthisrea- simplifykeydistributionandallowconsumertoimme- son, a global passive adversary can violate anonymity diatelytrustnewpublickeysfromrouters,weuseasim- properties of both Tor and ANDaNA. However, we be- ple keyhierarchywherea longlived publickeyowned lievethatsuchanadversaryisunrealisticinageographi- by the router (the signing key), is used to certify short callydistributednetworkspanningovermultipleadmin- livedencryptionkeys. Thesigningkeymaybecertified istrativedomains,anddesigningagainstitwouldresult by other entities using techniques like web-of-trust or inoverkill. PKI. We assume that any adversary monitoring all inter- Denial-of-serviceAttacks. ANDaNAisenvisionedasa faces of an AR can correlate entering encrypted traffic publicoverlaynetworkandisclearlysusceptibletoDoS with its exiting, decryptedcounterpartusing timing in- attacks. Since anyone can join ANDaNA as an AR or formation. However, we believe that the shortlifespan use it as a consumer, we make no distinction between of ephemeral circuits – and therefore the limited num- insiderandoutsiderattacks. Theadversarycansendnu- ber of related packets traveling through a single AR – merousintereststoARsorconstructephemeralcircuits severely limits the adversary’s ability to carry out this longer than two hops in order to maximize effective- attack. Unfortunately, at the time of this writing we nessofattacks. Moreover,itcanconsumeARresources do not have enough experimental evidence to confirm by sending malformed encrypted interests that require this. For the sake of safety, in the analysis below we ARstoperformexpensiveandultimatelyuselesspublic assume that, by compromisingall interfaces of an AR, key decryption. Similar to Tor, before establishing an the adversary also compromises the AR itself. There- ephemeralcircuit,anARcanaskaconsumertosolvean fore,anon-compromisedARmusthaveatleastonenon- easy-to-verify/expensive-to-solvepuzzle. Thisandsim- compromisedinterface. Tosumup,weassumethat: ilartechniquesforANDaNAaresubjectsoffuturework. Assumption 5.1. Adv cannotcorrelate inputandout- Inasettingwithlong-livedcircuits,suchasTor,disrupt- putofanon-compromisedAR. inganodeeffectivelyshutsdownallcircuitsthatinclude it. Due to the short lifespan of our ephemeralcircuits, Ouranalysisisbasedonindistinguishableconfigura- the same attack on ANDaNA only causes a very small tions. Aconfigurationdefinesconsumers’activitywith numberofinterests/datapacketsperusertobedropped. respecttoaparticularnetwork.Advonlycontrolsasub- Abuse. Similar to any other anonymity service, set of network entities and observes only some pack- ANDaNA can be abused for a variety of nefarious pur- ets. Therefore, it cannot distinguish between two con- poses. Wedonotelaborateonthistopic. However,exit figurations that vary only in the activity that it cannot policies similar to those in Tor [18] can be used with directly observe or in the content of encrypted pack- ANDaNAbasedoncontentnames. ets that it cannot decrypt. In order to provide mean- 8 ingful anonymity guarantees, we identify a set of con- removestheouterlayerofencryption.WhileE isCCA- figurations that have one or more equivalent counter- secure (and therefore also CPA-secure), we do not re- parts. However,unlike[19], ouranalysistakesintoac- quire E to be key private [6]. Key privacy prevents an count the infrastructure underlying ANDaNA, i.e., the observerfrom learning the public key used to generate network topology and packets exchanged over the ac- a ciphertext. InANDaNA, knowledgeof thepublickey tualnetwork. Webelievethatthismakesourmodeland usedtoencrypttheouterlayerofaninterestdoesnotre- analysisbothrealisticandfine-grained,sinceitaccounts vealanymoreinformationthanthe(cleartext)nameon for all adversarialadvantages related to the underlying theinterest. networkstructure. Packetssentbya non-compromised Wedefinetheanonymitysetwithrespecttointerface consumerutoanon-compromisedARrtransitthrough ifr as: i several — possibly compromised — NDN routers that arenotpartofANDaNA.Themodelof[19]considersr Aifri ={d| Pr[d→int r|int❀ifri]>0} compromisedeven if only one link between u and r is controlledbytheadversary.Whereas,inourmodel,ris In other words, for each interface ifri of router r, Aifri contains all entities that could have sent int with non- consideredtobenon-compromised. zeroprobability. Wedefinepathint = {ifr | int ❀ ifr}. i i Thisis the sequence of interfacestraversedby int. We NotationandDefinitions useittodefinetheanonymitysetofaninterestwithre- Table1summarizesournotation.Theintersectionof spectAdv: PandCmightnotbeempty,whichreflectsthefactthat ciloanrlsyu,moeurrsmcaondealctdoaesspnroodtupcreervsenantdrovuitceersvefrrosam. bSeiimng- AiAntdv , \ Aifri producersand/orconsumers.Therefore,R∩PandR∩C pathint∩IFAdv mightbenon-empty. Intuitively, if u is far away from a compromisedentity The adversary is defined as a 4-tuple: Adv = d, then all sets Aint such that u ∈ Aint are a large Adv Adv (P ,C ,R ,IF ) ⊂ (P,C,R,IF) where indi- subsetofC. Adv canruleoutpossiblesendersofanin- Adv Adv Adv Adv vidualcomponentsspecify (respectively)sets of: com- terest (i.e., determine if u ∈/ Aint ) only if it controls Adv promisedproducers,consumers, routersand interfaces. at least one entity (routers, interfaces) along each path Ifr∈R ,thenAdvcontrolsallinterfacesandhasac- thatudoesnotsharewithotherconsumers.Thelevelof Adv cesstoalldecryptionkeyandstateinformationofr. If anonymityofu ∈ Aint withrespecttoAdv ispropor- Adv allinterfacesofr areinIF ,thenr ∈ R . Inother tionaltothesizeofAint . Inparticular,ifuistheonly Adv Adv Adv words, for the sake of this analysis, controlling all in- member of Aint , it has no anonymity, since int must Adv terfacesofarouterisequivalenttolearningthatrouter’s havebeenissuedbyu. decryption/secretkey. We emphasizethatforr ∈ R to Aconfigurationisadescriptionofthenetworkactiv- benon-compromised,atleastoneofitsinterfacesmust ity.Eachconfigurationmapsconsumerstotheiractions, be non-compromised. If p ∈ P , Adv controls p’s definedastheinteresttheyissue andthecorresponding Adv interfaces,monitorsinterestsreceivedbypandcontrols contentproducers. More formally, a configurationis a bothcontentandtimingofp’sresponsestoincomingin- relation: terests. If c ∈ C , then Adv controls all fields and Adv timingofinterests. Finally,ifif ∈ IFAdv,thenAdv can C :C→{(r1,r2,p,intpk1,pk2)} listen to all traffic flowing through if, as well as send- with(r ,r ,p,int )∈R2×P×{0,1}∗,thatmaps ingnewtrafficfromit. IFAdv includesalltheinterfaces a consu1me2rto: appka1i,rpko2f routersdefining an ephemeral ofcompromisedconsumers,producersandroutersplus circuit,aninterest(encryptedforthiscircuit)andapro- additionalinterfaceseavesdroppedonbyAdv. ducer. C(u)isa4-tuplethatrepresentsoneactionofu Foreaseofnotation,wedonotexplicitlyindicatethe in C. C is the selection on the i-th component of C, nameofthenextrouterininterestpacketsnorsymmetric i i.e., ifC(u) = (r ,r ,p,int ), thenC (u) = r , keyschosenbyconsumers. We denoteencryptedinter- 1 2 pk1,pk2 1 1 C (u)=r ,C (u)=pandC (u)=int . estsas: 2We say2that3twoconfigurati4onsC andpCk1′,pakr2e“indis- int =E (E (int)) pk1,pk2 pk1 pk2 tinguishable with respect to Adv” if Adv can only de- withpk ,pk ∈PK ∪{⊥}where⊥indicatesaspecial terminewithprobabilityatmost1/2+εwhichconfig- 1 2 symbolfor“noencryption”. Ifpk =⊥thenpk =⊥. uration correspondsto the observednetwork, for some 1 2 The size of public keys is a function of the global se- εnegligibleinthesecurityparameterκ. Wedenotetwo curity parameter κ. For simplicity, we denote intpk1,⊥ suchconfigurationsasC ≡Adv C′. asint . WhenanARreceivesint andifitisin We now show that assumption 5.1 holds if a pas- pk1 pk1,pk2 possessionofthedecryptionkeycorrespondingtopk ,it siveadversaryobservesonlyinputandoutputvaluesof 1 9 C setofallconsumers,u∈C Adv adversary P setofallcontentproducers,p∈P d anentity,i.e.,arouterorahost R setofallrouters,r∈R d →intr entitydsendsinterestinttosomeinterfaceofrouterr IF setofallinterfacesonallnetworkdevices int❀ifr routerrreceivesinterestintoninterfaceifr i i ifri ∈IF i-thinterfaceonrouterr Epk(·) CCA-securehybridencryptionscheme PK setofallpublickeys intpk1,pk2 interestencryptedunderpublickeyspk1,pk2 (pki,ski) public/priv.encryptionkeypairofanARri ⊥ noencryption Table1.Notation. an AR (i.e., it cannot use timing information or other 2. C (u) = C (u′), C (u) ∈/ R and C (u) ∈ 1 1 1 Adv 1 side-channels), and the underlying encryption scheme Aintpk2 whereC (u)=int issemanticallysecure. Claim 5.1belowstatesthat, for 3. CA(duv) = C (u4′), C (u)p∈/k1,pRk2 and C (u) ∈ 2 2 2 Adv 2 anyencryptedinterest,Advcannotdetermineifitcorre- Aint whereC (u)=int Adv 4 pk1,pk2 spondsto an interest decryptedby a non-compromised router,by observingthe two andwith noadditionalin- Informally,thetheoremabovestatesthatANDaNApro- formation. vides consumer anonymity with respect to Adv if: 1. Adv cannotobserveencryptedinterestscomingfromu Claim 5.1. Given any CPA-secure public key encryp- and u′, or it cannot distinguish between the two con- tion scheme E and two same-length interests int0,int1 sumersduetoanonymityprovidedbythenetworklayer; chosenbyAdv,Advhasonlynegligibleadvantageover or 2. u,u′ share an non-compromisedfirst router in at 1/2indeterminingthevalueofarandomlyselectedbit least one ephemeral circuit; or 3. u,u′ share an non- b, given intb , int0 and int1 , with pk ∈ PK compromised second router in at least one ephemeral pk1,pk2 pk2 pk2 1 andpk ∈PK∪{⊥}. circuit. 2 Similarly to consumer anonymity, producer Duetothelackofspace,Claim5.1isformallyjustified anonymity is defined in terms of indistinguishable inAppendixA. configurations. In particular, a producer p enjoys AnonymityDefinitionsandConditions anonymity with respect to Adv which observes int ifAdv cannotdistinguishbetweenaconfigu- In this section we present formal definitions of pk1,pk2 rationC wherepproducesthecontentcorrespondingto anonymityfor our model. We introducethe notionsof intandaconfigurationC′ wherep′ andnotpproduces consumeranonymity,produceranonymityandproducer thatcontent. and consumer unlinkability. We show that ephemeral circuits composed of two anonymizing routers — at Definition 5.2 (Produceranonymity). Given int pk1,pk2 leastoneofwhichisnotcompromised—providecon- for p ∈ P, u ∈ C has producer anonymity in configu- sumer and producer anonymity. This, in turn, implies rationC withrespectto p,Adv ifthereexists anindis- consumer and producer unlinkability. Due to the lack tinguishableconfigurationC′suchthatint issent pk1,pk2 ofspace,wedeferformalproofsofthetheoremsinthis byanon-compromisedconsumertoaproducerdifferent sectiontoAppendixA. fromp. A consumer u enjoys consumer anonymity if Adv cannot determine whether u or a different user u′ is Theorem5.2. uhasproduceranonymityinC withre- specttop,Advifanyofthefollowingconditionshold: retrieving some specific content. This notion is for- 1. There exists C(u) such that C (u) (the first malizedusingindistinguishableconfigurations: givena 1 anonymizing router) is not compromised and configuration C in which u retrieves content t, u has C (u)=int ,C (u)=C (u′)andC (u)= cCo′nisnumwehriacnhoun′ymreittryieivfethsetreaenxdisAtadnvotchaenrncootndfiegtuerrmatiionne p46=C3(u′)fpokr1,spokm2 en1on-compr1omisedu′ ∈3C,or whetherheisobservingC orC′. Moreformally: 2. There exists C(u) such that C2(u) (the sec- ond anonymizing router) is not compromised and Dhaesficnointisounm5e.r1a(nCoonnysmuimtyeirnacnoonnfiygmuirtayt)i.onuC∈w(Cith\rCesApdevc)t Cp46=(uC)3=(ui′n)tfpokr1,spokm2,eCn2o(nu-)co=mCpr2o(mu′i)seadnud′C∈3(Cu)= to Adv if there exists C′ ≡ C such that C′(u′) = Adv Finally,wedefineproducerandconsumerunlinkability C(u)andu′ 6=u. as: Theorem5.1. u∈(C\CAdv)hasconsumeranonymity Definition 5.3 (Producer and consumer unlinkability). inC withrespecttoAdvifthereexistsu′ 6=usuchthat Wesaythatu∈(C\C )andp∈Pareunlinkablein Adv anyofthefollowingconditionshold: C withrespecttoAdv ifthereexistsC′ ≡ C where Adv 1. u,u′ ∈AC4(u) u’sinterestsaresenttoaproducerp′ 6=p. Adv 10

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.