BianFu: Providing Guaranteed Anonymity Using Token Ring Routing. Matt Spear David Evans

Post on 25-Jan-2016


信息論匿名 XìnXī Lùn NìMíng (Information Theoretical Anonymity)

Provides a method that defines anonymity concretely using methods of entropy from information theory.

Defines Nodes as one of:

Senders: The nodes who send or have the ability to send messages

Receivers: The nodes who receive the messages (passive or active (reply))

Mixes: Input a message and output a message so that the new message is uncorrelatable with the original message

Defines Attackers as:

Internal/External: An internal attacker controls the actions of one or more nodes; an external attacker can only compromise communication channels

Passive/Active: A passive attacker can only listen to messages and cannot modify, add, or remove them; otherwise he is active

Local/Global: A global attacker has access to all channels of the network; local attackers have access to part of the network

Degree Of Anonymity:

Let , i.e. the probability that node i sent the message.

Define the entropy associated with the set.

Define the maximum anonymity as

The degree of anonymity is then

Trivially for one user d 0, and for perfect anonymity d lg(N)

人群 RénQún (Crowds)

System to give anonymity by being “a member of a crowd”

The message is forwarded through random nodes

On receiving a message, a node forwards it to the destination with probability (1 – pf) and to another node with probability pf

Attacker is assumed to be Internal/Passive/Local

Assume N nodes and C corrupt nodes (C < N - 2)

Node 0 (0) sends a message to (blue):

1. (0) chooses randomly a node to forward to (3).

2. (3) flips biased coin and forwards to (7)

3. (7) flips its biased coin and forwards to (5)

4. (5) flips its biased coin and forwards to (blue)

[Figure: nodes 0 through 7 and the destination (blue), with the path built up one hop per step]

The maximum anonymity is: HM lg(N - C)

Probability assigned to predecessor of first node in C is:

Probability to other nodes not in C is:

Therefore H(X) is:

d maximally equals 1 iff the message passes through no nodes existing in C, otherwise depends on C, N and pf, see [2] for graphs.
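
An added example (not from the slides) that simulates the forwarding rule above and computes the degree of anonymity d = H(X)/HM for Crowds. The closed forms 1 - pf(N-C-1)/N for the observed predecessor and pf/N for each other honest node are taken from the analysis in [2], since the formulas on this slide did not survive; the uniform next-hop choice over all N members, the function names and the sample parameters are assumptions.

```python
import math
import random

def crowds_distribution(n, c, pf):
    """Attacker's view once a corrupt node is on the path: probability for
    the observed predecessor first, then for each other honest node."""
    p_pred = 1 - pf * (n - c - 1) / n        # closed form from [2]
    return [p_pred] + [pf / n] * (n - c - 1)

def degree_of_anonymity(probs, max_entropy):
    """d = H(X) / HM, with H(X) the Shannon entropy in bits."""
    h = -sum(p * math.log2(p) for p in probs if p > 0)
    return h / max_entropy

def simulate_pred_is_initiator(n, c, pf, trials=100_000, seed=1):
    """Nodes 0..c-1 are corrupt and node c is the initiator (assumption).
    Returns, over the paths that reach a corrupt node, the fraction where
    the first corrupt node received the message straight from the initiator."""
    rng = random.Random(seed)
    hits = observed = 0
    for _ in range(trials):
        prev = c                              # the initiator always forwards once
        while True:
            nxt = rng.randrange(n)            # uniform over all members, self included
            if nxt < c:                       # first corrupt node sees its predecessor
                observed += 1
                hits += (prev == c)
                break
            prev = nxt
            if rng.random() >= pf:            # honest node delivers to the destination
                break
    return hits / observed

if __name__ == "__main__":
    n, c, pf = 20, 4, 0.75                    # constructed sample parameters
    probs = crowds_distribution(n, c, pf)
    print("closed form :", probs[0])
    print("simulated   :", simulate_pred_is_initiator(n, c, pf))
    print("degree d    :", degree_of_anonymity(probs, math.log2(n - c)))
```
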

進餐譯解密碼者 JìnCān YìJiěMìMǎZhě (Dining Cryptographers)

A method to guarantee sender and receiver anonymity

Kind of like the Dining Philosophers: given N cryptographers sitting at a table, one wishes to pay without revealing who is paying, against any attacker

Is impractical as the number of bits required to send a single bit anonymously grows linearly with N

3 Player DC description:

Each node chooses a random bit and reveals it securely to his left neighbor (so that no others see the bit)

Each diner announces the XOR of their bits

The diner that is paying lies and announces the XNOR of the bits

Nobody can tell who is paying, only that one of the two others is paying

From FBI’s View:

FBI reveals 1 to Jefferson

FBI sees 1 from Washington

FBI cannot tell who is lying without seeing shared secret coin flip

[Figure: the three diners with their coin bits as seen by the FBI; the payer differs depending on the hidden shared coin flip]

Generalizable to N diners

Problems:

Requires pairwise secure channels between all users

Requires many messages to be exchanged

Requires secure RNG for the bits

The degree of anonymity is trivially 1 as long as C < N - 2

令牌环 Lìng Pái Huán (Token Ring)

[Figure: ring of nodes 0 through 7]

r tokens exist on a ring

A node can add a message to a token iff it is empty

The tokens are passed from (0) → … → (7) → (0)

Advantages: global attacker cannot tell initiator of message, all nodes do the same amount of work

单蝙蝠 Dān BiānFú (Single BianFu)

Arrange nodes into a token ring such that each node has a symmetric key (SK) with its predecessor and successor and knows all other nodes’ public key (PK).

To send a message, a node encrypts the message with the receiver’s PK and adds it to the token.

Each node decrypts the token and determines if there is a message (if it is addressed to them)

As all messages are encrypted, and an encryption looks like a random string, no node can tell if there is a message unless it is addressed to them

[Figure: ring of nodes 0 through 7]

(0) Sends a message to (2):

1. (0) Creates message E2(M)

2. (0) Adds message E1(E2(M)) to token

3. (1) Sees E2(M) and has no messages so forwards the token (E2(E2(M)))

4. (2) Sees E2(M) and tries its PK and sees M but has no idea who sent it.

[Figure: ring of nodes 0 through 7 with the token contents (Random, E2(M), M) shown at each step]

A global passive eavesdropper has no knowledge of whether there is a message and therefore cannot tell who initiated a message, i.e. d HM 1

A local passive eavesdropper has no knowledge of who initiated a message as it is equally likely to have come from any node (pi 1/N), again d 1

A global internal attacker has the same knowledge as a local passive eavesdropper.

Simple concept yielding perfect anonymity

Problems with simple 单蝙蝠:

Collisions grow exponentially with N: (1 - p_addMsg)^(N/2)

Adding a mechanism to support replies requires either sacrificing Sender anonymity against the receiver or generating a random SK (latter is not a big problem)

Delay grows linearly with N (i.e. the average length is N/2 and for large N this is impractical)
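
One lap of the single-ring scheme described above, as an added example that is not the authors' code. A toy SHA-256 keystream with an HMAC tag stands in for both the link SK and the receiver's PK encryption (a swapped-in symmetric stand-in, not a real public-key scheme); the slot size, key layout and function names are assumptions.

```python
import hashlib, hmac, secrets

SLOT = 32  # fixed plaintext size, so every token has the same length

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    """Returns the plaintext, or None if the blob was not sealed under key."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

def run_ring(n, sender, receiver, message):
    """Passes one token around the ring once, starting at the sender.
    Returns (frames seen on each link, {node: message it could read})."""
    assert len(message) <= SLOT
    node_key = [secrets.token_bytes(32) for _ in range(n)]  # stand-in for each node's PK pair
    link_key = [secrets.token_bytes(32) for _ in range(n)]  # SK shared by node i and i + 1
    wire, delivered = [], {}
    node = sender
    slot = seal(node_key[receiver], message.ljust(SLOT, b"\0"))
    for _ in range(n):
        frame = seal(link_key[node], slot)      # re-encrypt for the successor
        wire.append(frame)                      # what a global eavesdropper sees
        succ = (node + 1) % n
        slot = unseal(link_key[node], frame)
        plain = unseal(node_key[succ], slot)    # trial decryption by the successor
        if plain is not None:
            delivered[succ] = plain.rstrip(b"\0")
            slot = secrets.token_bytes(len(slot))  # token looks empty again
        node = succ
    return wire, delivered
```

Every frame on the wire has the same length and a fresh nonce, so an observer of all links sees the same traffic whether or not the token carries a message.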

倍数蝙蝠 BèiShù BiānFú (Multiple BianFu)

Keep the individual rings small by having multiple rings that are a small fixed size (X nodes/ring)

Disable collisions by reserving a bucket for each node in the token (sender-segregated), i.e. [(0),(1),…,(X)]

Arrange each node to belong to k of these rings

All nodes know the PK of all other nodes, know the shortest path to any node, and share an SK with the nodes in their ring

Each ring has r tokens

Connecting nodes relay messages between rings

To send a message, a node encrypts with the SK the destination ring of the final node and the PK encrypted message, Ei(a,Ed(M)).

Nodes receiving a message containing a forward address look up the path to the destination and forward the message, encrypting it with SK if needed

The receiver will have no knowledge of the sender if the path length (L) is greater than or equal to 2

SK for small rings is preferable due to the high cost of PK operations

To allow the receiver to reply to the sender, the sender simply includes a one time use SK, EDest(Rid,SKInit,Dest,M)

The sender must be sure to use the same ring id for each message to the receiver, otherwise it will decrease its entropy (anonymity)

(1) wishes to send a message to (5):

1. (1) Creates a message E4(B,E5(A,SK5,1,M))

2. (1) Adds it to the token and forwards it

3. (2) Receives the token and sees no messages for it, trying all with its PK and each with the SK it shares

4. (2) Forwards the token

5. (3) Receives the token and sees no messages for it, trying all with its PK and each with the SK it shares

6. (3) Forwards the token

7. (4) Sees there is a “route” message and forwards it to ring B (as B is destination (4) doesn’t encrypt with SK)

8. (4) Adds the message to the token for B

9. (4) Forwards the token

10. (5) Receives the token and checks for messages using its PK

11. (5) Receives M, the initiating ring id, and the SK it shares with (2), without knowing who it shares it with

[Figure: nodes 0 through 8 arranged in two rings, A and B; the token carries E4(B,E5(A,SK5,2,M)) on ring A and E5(A,SK5,2,M) on ring B]

d 1 if C < k (X - 1), otherwise d 0 !

Say (i) receives the token from (i-1) and (i) somehow knows there is a message (he can be in communication with the final recipient). As (i-1) belongs to k rings, (i-1) could be forwarding a message from any of the k rings that (i-1) belongs to. Each node, as in 单蝙蝠, has a probability of 1/(N-C), as it is impossible for any node other than node (i-1) to know if (i-1) is forwarding a message or initiating his own

締結 DìJié (Conclusion)

蝙蝠 has the benefits of DC-Net (i.e. guaranteed perfect anonymity) with a much lower cost of operation

Has the same requirement as in Crowds that the “route” should be constant (i.e. the ring id the node uses for its messages should be constant)

Am working on a network simulator to provide some test data

References

[1] Andrei Serjantov, George Danezis. Towards an Information Theoretic Metric for Anonymity.

[2] Claudia Diaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity.

[3] Michael K. Reiter and Aviel D. Rubin. Crowds: anonymity for Web transactions.

[4] David Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability.