1
Analyzing Anonymity Protocols
1. Analyzing onion-routing security1. Anonymity Analysis of Onion Routing in the
Universally Composable Frameworkin Provable Privacy Workshop 2012
2. A Probabilistic Analysis of Onion Routing in a Black-box Modelin TISSEC (forthcoming)
by Joan Feigenbaum, Aaron Johnson, and Paul Syverson
2. Analyzing Dissent security1. Ongoing work with Ewa Syta, Henry Corrigan-
Gibbs, Shu-Chun Weng, and Bryan Ford
2
Analyzing Onion-Routing Security
● Abstract (black-box) model of onion routing● Use Universally Composable (UC)
framework● Focus on information leaked● Perform anonymity analysis on model
3
Onion-Routing Ideal Functionality
u with probability bø with probability 1-b
x
y
Upon receiving destination d from user U
d with probability bø with probability 1-b
Send (x,y) to the adversary.
FOR
4
Black-box Model
● Ideal functionality FOR
● Environment assumptions– Each user gets a destination– Destination for user u chosen from distribution pu
● Adversary compromises a fraction b of routers before execution
5
Anonymity Analysis of Black Box
● Can lower bound expected anonymity with standard approximation: b2 + (1-b2)pu
d
● Worst case for anonymity is when user acts exactly unlike or exactly like others
● Worst-case anonymity is typically as if √b routers compromised: b + (1-b)pu
d
● Anonymity in typical situations approaches lower bound
6
Other ideal functionality
● Provably Secure and Practical Onion Routingby Backes, Kate, Goldberg, and MohammadiComputer Security Foundations Symposium 2012
● Functional primitive● Shown to UC-emulate FOR
7
Analyzing Dissent security
● Fully rigorous definitions and proofs– Anonymity– Accountability– Integrity
● Standard sequence-of-games anonymity proofs
● Discovered flaws
8
Discovered flaws
1. Adversary can unaccountably duplicate honest users’ plaintexts.
2. Commitments must be non-malleable.3. Adversary can submit self-duplicates to
cause failure with no blame.4. Equivocation during broadcast can cause
inconsistent final state.5. Some validation checks missing
9
Discovered Shuffle Flaws
1 2 3
{I1}1:3
{I2}1:3
{I3}1:3
{I2}2:3
{I1}2:3
{I3}2:3
{I1}3
{I3}3
{I2}3
I2
I3
I1
m2
m3
m1
10
Discovered Shuffle Flaws
1 2 3
{I2}1:3
{I2}1:3
{I3}1:3
{I2}2:3
{I2}2:3
{I3}2:3
{I2}3
{I3}3
{I2}3
I2
I3
I2
Problem 1: Client duplication, no blamed
?
?
11
Discovered Shuffle Flaws
1 2 3
{I2}1:3
{I2}1:3
{I3}1:3
{I2}2:3
{I2}2:3
{I3}2:3
{I2}3
{I3}3
{I2}3
I2
I3
I2
Problem 1: Client duplication, no blamedSolution: Commit to messages first.
12
Discovered Shuffle Flaws
1 2 3
{I2}1:3
{I2}1:3
{I3}1:3
{I2}2:3
{I2}2:3
{I3}2:3
{I2}3
{I3}3
{I2}3
I2
I3
I2
Problem 1: Client duplication, no blamedSolution: Commit to messages first
non-malleably.
13
Discovered flaws
1. Adversary can unaccountably duplicate honest users’ plaintexts.
2. Commitments must be non-malleable.3. Adversary can submit self-duplicates to
cause failure with no blame.4. Equivocation during broadcast can cause
inconsistent final state.5. Some validation checks missing
14
Discovered flaws
1. Adversary can unaccountably duplicate honest users’ plaintexts.
2. Commitments must be non-malleable.3. Adversary can submit self-duplicates to
cause failure with no blame.4. Equivocation during broadcast can cause
inconsistent final state.5. Some validation checks missing
15
Discovered flaws
1. Adversary can unaccountably duplicate honest users’ plaintexts.
2. Commitments must be non-malleable.3. Adversary can submit self-duplicates to
cause failure with no blame.4. Equivocation during broadcast can cause
inconsistent final state.5. Some validation checks missing
16
Discovered Shuffle Flaws
1 2 3
{I1}1:3
{I1}1:3
{I3}1:3
{I1}2:3
{I1}2:3
{I3}2:3
{I1}3
{I1}3
{I1}3
I1
I3
I1
Problem 3: Self-duplication, no blamed
?
?
17
Discovered Shuffle Flaws
1 2 3
{I1}1:3
{I1}1:3
{I3}1:3
{I1}2:3
{I1}2:3
{I3}2:3
{I1}3
{I1}3
{I1}3
I1
I3
I1
Problem 3: Self-duplication, no blamedSolution: Blame duplicate submitters.
18
Discovered flaws
1. Adversary can unaccountably duplicate honest users’ plaintexts.
2. Commitments must be non-malleable.3. Adversary can submit self-duplicates to
cause failure with no blame.4. Equivocation during broadcast can cause
inconsistent final state.5. Some validation checks missing
19
Discovered flaws
1. Adversary can unaccountably duplicate honest users’ plaintexts.
2. Commitments must be non-malleable.3. Adversary can submit self-duplicates to
cause failure with no blame.4. Equivocation during broadcast can cause
inconsistent final state.5. Some validation checks missing
20
Modified Dissent
1. Users non-malleably commit to messages before submission.
2. Duplicate submission punished3. Explicit reliable broadcasts added4. Several validation checks added with blame5. Honest members guaranteed to agree on
who to blame
21
UC Framework
● Express security primitive as an ideal functionality F
● Construct a protocol Π that UC emulates F● Running Π can replace using F in any
protocol – security composes
22
Sequence of Games Anonymity Proof
● Game 0: Original anonymity game● Game 1: Replace encrypted descriptors
during shuffle with encrypted fixed messages● Game 2: Replace encrypted random seeds
after shuffle with encrypted fixed messages● Game 3: Replace pseudorandom sequences
with random sequences
23
Discovered Shuffle Flaws
1 2 3
{I1}1:3
{I2}1:3
{I3}1:3
{I2}2:3
{I2}2:3
{I3}2:3
{I2}3
{I3}3
{I2}3
I2
I3
I2
m2
m3
m2
Problem 0: Shuffle duplication attack
24
Discovered Shuffle Flaws
1 2 3
{I1}1:3
{I2}1:3
{I3}1:3
{I2}2:3
{I2}2:3
{I3}2:3
{I2}3
{I3}3
{I2}3
I2
I3
I2
Problem 0: Shuffle duplication attackSolution: Duplicates cause NO-GO.
Blame lying shuffle.