Anonymity Properties of Two Network Coded Gossip Protocols by Colleen A. Josephson S.B., Electrical Engineering and Computer Science, M.I.T., 2013 Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Masters of Engineering in Electrical Engineering and Computer Science at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY September 2014 Copyright Colleen A. Josephson, 2014. All rights reserved. The author hereby grants to MIT permission to reproduce and to distribute publicly paper and electronic copies of this thesis document in whole or in part in any medium now known or hereafter created. Author .............................................................. Department of Electrical Engineering and Computer Science August 22, 2014 Certified by.......................................................... Muriel M´edard Cecil H. Green Professor of Electrical Engineering, Thesis Supervisor August 22, 2014 Accepted by......................................................... Prof. Albert R. Meyer Chairman, Masters of Engineering Thesis Committee 2 Anonymity Properties of Two Network Coded Gossip Protocols by Colleen A. Josephson Submitted to the Department of Electrical Engineering and Computer Science on August 22, 2014, in partial fulfillment of the requirements for the degree of Masters of Engineering in Electrical Engineering and Computer Science Abstract This thesis documents the design and implementation of a new anonymous com- munications protocol, and an analysis of an existing protocol. NCGAB, proposed by Sergeev in 2013, efficiently implements broadcast over unicast and requires no pre-existing infrastructure. We propose a second protocol, CHAP, which extends NCGAB and is designed to use wireless broadcast capabilities as well as wired links. We show anonymity for some information-theoretic measures under certain assump- tions regarding adversaries and traffic independence. Numerical results show that for some networks NCGAB fully anonymizes up to 90% of messages, with the remaining 10% having strong anonymity properties. NCGAB also improves up to 30% upon the baseline anonymity provided by a network coded gossip protocol not optimized for anonymity. We compare CHAP to NCGAB and show that CHAP is at least as anonymous as NCGAB and also exhibits interesting hierarchical separability that allows multiple anonymity protocols to operate simultaneously in different domains. Thesis Supervisor: Muriel M´edard Title: Cecil H. Green Professor of Electrical Engineering 3 4 Acknowledgments I thank my advisor, Prof. Muriel M´edard, who worked hard to find me a place when I needed one. Her flexibility, understanding, and expertise made it possible for me to write this thesis with maximal enjoyment and minimal stress and anxiety, while still producing a document I am proud of. I also thank Prof. Moshe Schwartz, my co-advisor, who provided interesting ideas and helpful insights into academic culture. I wish him the best of luck in his new position at Ben-Gurion University in Be’er Sheva, Israel. I thank Kyle Miller for his unwavering support. He listened when I needed and ear, and provided helpful advice of both a technical and non-technical sort. Finally, I thank my friends and family who never doubted me and provided support and advice in various ways. 5 6 Contents 1 Introduction 17 2 Background 19 2.1 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2.1.1 Source address re-writing . . . . . . . . . . . . . . . . . . . . . 19 2.1.2 Broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 2.1.3 DC-Nets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 2.2 Network Coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 3 CHAP 23 3.1 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 3.2 Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 3.2.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 3.2.2 NCGAB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 3.3 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 3.3.1 Network Coding . . . . . . . . . . . . . . . . . . . . . . . . . . 32 3.3.2 Hierarchical Anonymity . . . . . . . . . . . . . . . . . . . . . 33 3.3.3 Omniscient wireline adversaries . . . . . . . . . . . . . . . . . 34 3.3.4 Adversaries inside the cloud . . . . . . . . . . . . . . . . . . . 34 4 Protocols inside Ad-hoc clouds 37 4.1 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 4.2 Designing for simplicity . . . . . . . . . . . . . . . . . . . . . . . . . . 37 7 4.3 Designing for anonymity . . . . . . . . . . . . . . . . . . . . . . . . . 38 4.4 Designing for throughput . . . . . . . . . . . . . . . . . . . . . . . . . 39 4.5 Currently implemented CHAP scheme . . . . . . . . . . . . . . . . . 40 4.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 5 Simulation and Results 41 5.1 Simulator Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 5.2 NCGAB Broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 5.3 Measuring Anonymity . . . . . . . . . . . . . . . . . . . . . . . . . . 44 5.3.1 Adversary implementation . . . . . . . . . . . . . . . . . . . . 45 5.3.2 Probability of witnessing introduced message . . . . . . . . . . 54 5.4 Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 5.4.1 Anonymity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 5.4.2 Delay and Availability . . . . . . . . . . . . . . . . . . . . . . 57 5.5 CHAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 5.5.1 CHAP Anonymity . . . . . . . . . . . . . . . . . . . . . . . . 60 5.5.2 CHAP Delay and Availability . . . . . . . . . . . . . . . . . . 61 5.5.3 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 5.5.4 Alternate topologies . . . . . . . . . . . . . . . . . . . . . . . 69 5.5.5 LOOKUP PERCENT modifications . . . . . . . . . . . . . . . 69 5.6 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 6 Conclusion 71 A Figures 73 A.1 10% dummy packets . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 A.2 25% dummy packets . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 A.3 50% dummy packets . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 B Simulator Code 77 B.1 ncgabsim.py . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 B.2 chapsim.py . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 8 B.3 ncgab stats process.py . . . . . . . . . . . . . . . . . . . . . . . . . . 104 B.4 ff.py . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 9 10