Gergely Tóth, 23 September 2003. IWCIT’03, Gliwice, Poland, 22-23 September 2003

Measure for Anonymity

Gergely Tóth

Budapest University of Technology and Economics

Department of Measurement and Information Systems

IWCIT’03

Contents

• Background: Onion-routing

• Model of the PROB-channel

• Source- and destination-hiding property

• MIN/MAX property

• Optimum

Research Background

• Need for anonymous message transmission techniques
  – transparent
  – general-purpose
  – independent

• Research & planning is ongoing

• Theoretical analysis not complete

Classification of Techniques

• According to
  – behavior: passive & active techniques
  – delay: real-time & non-deterministic systems
  – number of relaying nodes: proxy & distributed systems
  – what adversaries can see: observable & unobservable systems
  – level of abstraction: black-box models & finished implementations

An Existing Approach — Onion-routing

• Distributed system

• Onion-structured packets

• Anonymity of the sender cannot be compromised even if some relaying nodes are compromised

Our Model — the PROB-channel

• Passive: configuration is static (not affected by message distribution)

• Real-time: there is a maximal delay

• Observable: an observer can eavesdrop on all connection channels

• Black-box (proxy): the observer cannot gain information from within the channel

Requirements for the Model

• Guaranteed transmission throughput
  – time between sending and delivery of messages has a defined maximum

• Measurable anonymity
  – there should be an objective, theoretical measure for the anonymity provided

• Requirements for guaranteed anonymity level
  – should be defined

Example System

• Anonymous medical consulting system
  – patients ask the doctors questions
    • questions in e-mail
  – answer on a public forum together with the question
  – aim: the question should not be linkable to the patient
    • questions should not be linkable to patients
    • patients should not be linkable to their questions

PROB-channel I.

• Senders (patients) send encrypted messages (questions) to recipients (doctors)

• The channel delivers the messages after transforming and delaying them

[Figure: the channel (static delay distribution). Input: encrypted message (common fixed size) E_S[R(m_i), m_i], carrying the original message m_i from sender s_a. Output: E_R[R(m_i), m_i], encrypted by another key than the incoming message, carrying the original, delivered message m_i to recipient r_b.]

PROB-channel II.

• Message delay in the channel:
  – is a random variable ()
  – is message and time invariant
  – has a known distribution f()

[Figure: plot of the delay distribution f( ) between the minimal and maximal delay.]

The Observer

• Passive observer:
  – cannot delete, alter or delay messages
  – cannot create new messages

• Knows:
  – parameters and environment of the channel
  – time of sending and receipt of messages

• Aim: link messages to senders (who asked the questions)

Confidence of the Observer

• How can it be computed:
  – for each sender
  – for each message
  – by knowing the history of the system

with what probability a certain sender sent a certain message:

]|)([ ***

,, *** lks

sSPPlk

Global Back-tracing

• Search for the most probable match among all the possible matches

• Advantage: finds out the links (if possible)

• Disadvantage: slow (exponential)
  – under some circumstances unfeasible for today’s computers even for about 30 messages

Local Back-tracing

• Confidence of the observer calculated for each delivered message independently

• Advantage: fast (polynomial)

• Disadvantage: some links are not detected

][

***

][

***

,,

*,**

*

*,*,**

*

***

)]()([

)]()([

kj

j

lski

i

lkjSkR

iSkR

s ttf

ttf

P

Conclusion for Behavior of Observer

• Global back-tracing would provide best results
  – unfeasible for practical use

• Local back-tracing is polynomial
  – can be used in practice
  – for the following conclusions local back-tracing is assumed

Source-hiding Property

• Source-hiding property with parameter

Measure for sender-anonymity

The observer cannot link any message to a sender with a probability greater than .

,kRk

P
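
Local back-tracing and the source-hiding property above, as an added example that is not part of the original slides. It assumes the observer's confidence for one delivered message is the delay density f evaluated at (receipt time minus send time), summed over one sender's candidate messages and normalised over all candidates; the function names, the uniform delay on [1, 5] and the message history are constructed.

```python
from collections import defaultdict

D_MIN, D_MAX = 1.0, 5.0   # assumed delay bounds of the channel (constructed)


def f_uniform(delay):
    """Delay density f: uniform on [D_MIN, D_MAX], zero elsewhere."""
    return 1.0 / (D_MAX - D_MIN) if D_MIN <= delay <= D_MAX else 0.0


def local_backtrace(sent, t_recv, f=f_uniform):
    """Observer's confidence, per sender, for one delivered message.

    sent   -- list of (sender, send_time) pairs the observer recorded
    t_recv -- receipt time of the delivered message
    """
    weight = defaultdict(float)
    for sender, t_send in sent:
        weight[sender] += f(t_recv - t_send)
    total = sum(weight.values())
    if total == 0.0:
        raise ValueError("no sent message is compatible with this receipt time")
    # Senders with zero weight cannot have sent the message; drop them.
    return {s: w / total for s, w in weight.items() if w > 0.0}


def source_hiding_level(sent, receipts, f=f_uniform):
    """Largest confidence over all delivered messages and all senders."""
    return max(max(local_backtrace(sent, t, f).values()) for t in receipts)


# Constructed history: (sender, send time) as seen on the input side.
SENT = [("alice", 0.0), ("bob", 1.0), ("carol", 2.0), ("alice", 6.0)]
# Constructed receipt times as seen on the output side.
RECEIPTS = [3.0, 4.5, 6.5, 8.0]

if __name__ == "__main__":
    for t in RECEIPTS:
        print(t, local_backtrace(SENT, t))
    print("worst-case confidence:", source_hiding_level(SENT, RECEIPTS))
```

In this constructed history the last two deliveries each have a single compatible sender, so the worst-case confidence is 1 even though the delay is uniform.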

Destination-hiding Property

• Destination-hiding property with parameter

Measure for recipient-anonymity

The observer cannot link any sender to a message with a probability greater than .

,jSj

P

MIN/MAX Property I.

• MIN/MAX property with parameters min, max

Senders don’t send messages at their own discretion; they have to follow rules.

No sender sends a message within min time and all senders send a message in max time.

MIN/MAX Property II.

• Upper limit can be given to the confidence of the observer:
  – message invariant
  – depends only on the parameters of the channel and on min, max

max

maxmax

min

minmin

1 1

1 1,

)(min||

)(maxˆ

i iqi

i iqi

qfS

qfPP

k

Problem

• Source-hiding property can be guaranteed
  – oblige senders to send messages according to rules
  – MIN/MAX property

• Destination-hiding property cannot be guaranteed
  – recipients cannot be obliged to receive messages according to rules

Optimum

• The observer can only choose randomly from the possible senders

• Uniform distribution for the delay

• With MIN/MAX property independent from actual message distribution:

,

,,

,

max

k

lkl

k

ssP

min

max

max

min, ||||

ˆ

SSPP

k

Global Optimum

• With MIN/MAX property if min = max

• The observer has to choose randomly from all the senders

• No additional information is gained with the observation

||

1ˆ, S

PPk

Conclusions

• Model of the PROB-channel

• Confidence of the observer

• Source-hiding property
  – measure for sender-anonymity

• Destination-hiding property
  – measure for recipient anonymity

• MIN/MAX property
  – method for limiting confidence of the observer

Research Plans

• Open the black-box channel
  – move to a distributed system (graph consisting of nodes)
  – messages can be created and dropped

• Active adversary
  – can drop messages
  – can block messages
  – can delay or reorder messages
