a practical complexity theoretic analysis of mix systems
play

A Practical Complexity-Theoretic Analysis of Mix Systems Vinh Pham 1 - PowerPoint PPT Presentation

Mar 03, 2024 •469 likes •778 views

A Practical Complexity-Theoretic Analysis of Mix Systems Vinh Pham 1 , Joss Wright 2 , Dogan Kesdogan 1 Siegen University, Germany 1 , University of Oxford, United Kingdom 2 1/13 Motivation Anonymity definition [Pfitzmann & K ohntop

  1. A Practical Complexity-Theoretic Analysis of Mix Systems Vinh Pham 1 , Joss Wright 2 , Dogan Kesdogan 1 Siegen University, Germany 1 , University of Oxford, United Kingdom 2 1/13

  2. Motivation Anonymity definition [Pfitzmann & K¨ ohntop 2010]: Anonymity of a subject means that the subject is not sufficiently identifiable within a set of subjects, the anonymity set. Anon. Set Attributes Attributes s 3 a 5 s 3 a 5 Subject s 2 a 2 s 2 a 2 s 1 a 4 s 1 a 4 How strong is the concept of anonymity sets if: a subject is associated to a fixed set of attributes H A and a subject and its attributes a ∈ H A are repeatedly observed? 2/13

  3. Simple Mix and Attacker Model Recipient set R S ′ R ′ Sender set S r 1 s 6 r 5 s 3 s 1 r 9 Mix s 5 r 2 s 8 s 4 r 3 Global passive attacker (1) Information leakage per round is ( S ′ , R ′ ) : Sender set: S (can be equal R ) Recipient set: R = { r 1 , . . . , r N } , where | R | = N Sender anonymity set: S ′ ⊂ S , where | S ′ | = b is batch size Receiver set: R ′ ⊂ R , where | R ′ | ≤ b 3/13

  4. Attacker Model (2) Alice repeatedly contacts a fixed set of recipients: Alice’s peer set: H A = { a 1 , . . . , a m } , a i ∈ R and m = |H A | Alice’s peer: If r ∈ H A , also reffered by variable a Peer: Any receiver r ∈ R of a receiver set R ′ 4/13

  5. Attacker Model (2) Alice repeatedly contacts a fixed set of recipients: Alice’s peer set: H A = { a 1 , . . . , a m } , a i ∈ R and m = |H A | Alice’s peer: If r ∈ H A , also reffered by variable a Peer: Any receiver r ∈ R of a receiver set R ′ Sender anon. set Observation: O = { a, r 2 , . . . , r b } , a set R ′ Observation a Alice containing Alice’s contacted peer a . r 2 s 2 . . . . (One contact per round to simplify maths.) . . r b s b Observation Set: OS = {O 1 , . . . , O t } 4/13

  6. Attacker Model (2) Alice repeatedly contacts a fixed set of recipients: Alice’s peer set: H A = { a 1 , . . . , a m } , a i ∈ R and m = |H A | Alice’s peer: If r ∈ H A , also reffered by variable a Peer: Any receiver r ∈ R of a receiver set R ′ Sender anon. set Observation: O = { a, r 2 , . . . , r b } , a set R ′ Observation a Alice containing Alice’s contacted peer a . r 2 s 2 . . . . (One contact per round to simplify maths.) . . r b s b Observation Set: OS = {O 1 , . . . , O t } Intersection attack Goal: Unambiguous identification of Alice’s peer set H A Known: Condition (1) and (2) Unknown: Recipient set size N , batch size b , Number of Alice’s peers m , communication distribution of senders 4/13

  7. Minimal Hitting Set Attack (HS-Attack) Example: Alice repeatedly contacts two recipients, b = 2 , m = 2 R = { 1 , . . . , 6 } 3 4 3 6 H A = { 1 , 2 } 1 2 2 1 Observations: O 1 O 2 O 3 O 4 Smallest minimal hitting set O 1 { 3 } , { 1 } O 2 { 3 , 4 } , { 3 , 2 } , { 1 , 4 } , { 1 , 2 } O 3 { 3 , 4 } , { 3 , 2 } , { 1 , 2 } O 4 { 1 , 2 } Maximal number of sets: b m 5/13

  8. Minimal Hitting Set Attack (HS-Attack) Example: Alice repeatedly contacts two recipients, b = 2 , m = 2 R = { 1 , . . . , 6 } 3 4 3 6 H A = { 1 , 2 } 1 2 2 1 Observations: O 1 O 2 O 3 O 4 Smallest minimal hitting set O 1 { 3 } , { 1 } O 2 { 3 , 4 } , { 3 , 2 } , { 1 , 4 } , { 1 , 2 } O 3 { 3 , 4 } , { 3 , 2 } , { 1 , 2 } t h g O 4 { 1 , 2 } i t Maximal number of sets: b m 5/13

  9. Minimal Hitting Set Attack (HS-Attack) Example: Alice repeatedly contacts two recipients, b = 2 , m = 2 R = { 1 , . . . , 6 } 3 4 3 6 H A = { 1 , 2 } 1 2 2 1 Observations: O 1 O 2 O 3 O 4 By collecting observations: Smallest minimal hitting set O 1 { 3 } , { 1 } Prob. of sets H � = H A O 2 { 3 , 4 } , { 3 , 2 } , { 1 , 4 } , { 1 , 2 } decreases exponentially O 3 { 3 , 4 } , { 3 , 2 } , { 1 , 2 } O 4 { 1 , 2 } Maximal number of sets: b m 5/13

  10. Minimal Hitting Set Attack (HS-Attack) Example: Alice repeatedly contacts two recipients, b = 2 , m = 2 R = { 1 , . . . , 6 } 3 4 3 6 H A = { 1 , 2 } 1 2 2 1 Observations: O 1 O 2 O 3 O 4 By collecting observations: Smallest minimal hitting set O 1 { 3 } , { 1 } Prob. of sets H � = H A O 2 { 3 , 4 } , { 3 , 2 } , { 1 , 4 } , { 1 , 2 } decreases exponentially O 3 { 3 , 4 } , { 3 , 2 } , { 1 , 2 } ⇒ H A will become unique O 4 { 1 , 2 } smallest minimal hitting set Maximal number of sets: b m 5/13

  11. Minimal Hitting Set Attack (HS-Attack) Example: Alice repeatedly contacts two recipients, b = 2 , m = 2 R = { 1 , . . . , 6 } 3 4 3 6 H A = { 1 , 2 } 1 2 2 1 Observations: O 1 O 2 O 3 O 4 By collecting observations: Smallest minimal hitting set O 1 { 3 } , { 1 } Prob. of sets H � = H A O 2 { 3 , 4 } , { 3 , 2 } , { 1 , 4 } , { 1 , 2 } decreases exponentially O 3 { 3 , 4 } , { 3 , 2 } , { 1 , 2 } N ⇒ H A will become unique P - h a O 4 { 1 , 2 } r d smallest minimal hitting set Maximal number of sets: b m 5/13

  12. Difference to Statistical (Disclosure) Attacks Succeeds even if other recipients are more frequently observed than Alice’s peers Succeeds in the case of unpredictable distribution of recipients Example: Alice repeatedly contacts two recipients, b = 3 , m = 2 H A = { 1 , 2 } 1 2 1 2 1 1 3 4 3 5 3 5 Observations: 6 7 5 6 4 4 O 1 O 2 O 3 O 4 O 5 O 6 Peers 1 2 3 4 5 6 7 Freq. 4 2 3 3 3 2 1 6/13

  13. Difference to Statistical (Disclosure) Attacks Succeeds even if other recipients are more frequently observed than Alice’s peers Succeeds in the case of unpredictable distribution of recipients Example: Alice repeatedly contacts two recipients, b = 3 , m = 2 H A = { 1 , 2 } 1 2 1 2 1 1 3 4 3 5 3 5 Observations: 6 7 5 6 4 4 O 1 O 2 O 3 O 4 O 5 O 6 Peers 1 2 3 4 5 6 7 Freq. 4 2 3 3 3 2 1 Smallest minimal hitting set O 1 { 1 } , { 3 } , { 6 } O 2 { 1 , 2 } , { 1 , 4 } , { 1 , 7 } , { 2 , 3 } , { 3 , 4 } , { 3 , 7 } , { 2 , 6 } , { 4 , 6 } , { 6 , 7 } O 3 { 1 , 2 } , { 1 , 4 } , { 1 , 7 } , { 2 , 3 } , { 3 , 4 } , { 3 , 7 } O 4 { 1 , 2 } , { 2 , 3 } O 5 { 1 , 2 } , { 2 , 3 } O 6 { 1 , 2 } 6/13

  14. Contribution Current assumption about HS-attack: Intractable for large values N, b, m , due to solving NP-hard problems (smallest minimal hitting set) Surprises when applying HS-attack: Many non-trivial cases, solvable in polynomial mean time Mean complexity determined by some relation between N, b, m Contribution Mathematical bound of mean time complexity w.r.t. N, b, m Bound applies to non-uniform user communication Identifies Mix settings that are polynomial time breakable 7/13

  15. Estimating Number of Observations Hit by a Set C � �� � Hypothesis: H = { r 1 , . . . , r x , r x 1 +1 , . . . , r m − i } � �� � � �� � x chosen peers ( m − x ) non-chosen peers chosen: C ⊆ H , where all observations hitting C are known non-chosen: Only frequency of each single peer is known � Potential: Po ( H , C ) = |OS [ C ] | + |OS [ r ] \ OS [ C ] | � �� � � �� � r ∈H\C # obs. hitting C # obs. containing r Example: Potential of H = { r 1 , r 2 , r 3 } w.r.t. chosen peers OS = {O 1 , . . . , O 8 } 2 1 1 OS [ r 1 ] = {O 1 , O 2 , O 3 } OS [ r 1 ] OS [ r 2 ] OS [ r 2 ] = {O 2 , O 3 , O 4 , O 5 } 3 OS [ r 3 ] = {O 3 , O 4 , O 6 } 2 2 C = {} : Po ( { r 1 , r 2 , r 3 } ) = (3 + 4 + 3) OS [ r 3 ] 1 8/13

  16. Estimating Number of Observations Hit by a Set C � �� � Hypothesis: H = { r 1 , . . . , r x , r x 1 +1 , . . . , r m − i } � �� � � �� � x chosen peers ( m − x ) non-chosen peers chosen: C ⊆ H , where all observations hitting C are known non-chosen: Only frequency of each single peer is known � Potential: Po ( H , C ) = |OS [ C ] | + |OS [ r ] \ OS [ C ] | � �� � � �� � r ∈H\C # obs. hitting C # obs. containing r Example: Potential of H = { r 1 , r 2 , r 3 } w.r.t. chosen peers OS = {O 1 , . . . , O 8 } 1 1 OS [ r 1 ] = {O 1 , O 2 , O 3 } OS [ r 2 ] \ OS [ r 1 ] OS [ r 2 ] = {O 2 , O 3 , O 4 , O 5 } OS [ r 1 ] OS [ r 3 ] = {O 3 , O 4 , O 6 } 2 C = {} : Po ( { r 1 , r 2 , r 3 } ) = (3 + 4 + 3) OS [ r 3 ] \ OS [ r 1 ] C = { r 1 } : Po ( { r 1 , r 2 , r 3 } ) = 3 + (2 + 2) 1 8/13

  17. ExactHS Algorithm Computes/disproves all hypotheses H recursively within O ( b m ) Starts with C = {} Adds one suspected peer to C in each recursion level until: H ′ Po ( H ′ , C ) < |OS| , then all H ⊇ C disproved, or max C hits all observations in OS and is thus a hitting set Example: b = 2 , m = 3 , H A = { 1 , 2 , 3 } Observations: Search tree: 4 6 5 4 7 8 (2 + 2 + 2) 1 1 2 3 3 2 O 1 O 2 O 3 O 4 O 5 O 6 max H Po ( H , {} ) Peer choices: 9/13

  18. ExactHS Algorithm Computes/disproves all hypotheses H recursively within O ( b m ) Starts with C = {} Adds one suspected peer to C in each recursion level until: H ′ Po ( H ′ , C ) < |OS| , then all H ⊇ C disproved, or max C hits all observations in OS and is thus a hitting set Example: b = 2 , m = 3 , H A = { 1 , 2 , 3 } Observations: Search tree: 4 6 5 4 7 8 (2 + 2 + 2) 1 1 2 3 3 2 4 , 1 O 1 O 2 O 3 O 4 O 5 O 6 Peer choices: 1 C = { 4 } 9/13

  19. ExactHS Algorithm Computes/disproves all hypotheses H recursively within O ( b m ) Starts with C = {} Adds one suspected peer to C in each recursion level until: H ′ Po ( H ′ , C ) < |OS| , then all H ⊇ C disproved, or max C hits all observations in OS and is thus a hitting set Example: b = 2 , m = 3 , H A = { 1 , 2 , 3 } Observations: Search tree: 4 6 5 4 7 8 (2 + 2 + 2) 1 1 2 3 3 2 4 , 1 O 1 O 2 O 3 O 4 O 5 O 6 2 + (2 + 1) Peer choices: 1 C = { 4 } − max H Po ( H , { 4 } ) 9/13

Recommend

Lattice-Theoretic Data-Flow Framework and Intro to SSA Last Time Started lattice theoretic

Lattice-Theoretic Data-Flow Framework and Intro to SSA Last Time Started lattice theoretic

Lattice-Theoretic Data-Flow Framework and Intro to SSA Last Time Started lattice theoretic frameworks for Data-flow analysis [Aho,Sethi,Ullman,Lam] Today Complexity and correctness of IDFA Affect of program representation on

544 views • 8 slides
Supremacy Experiments Complexity-Theoretic Foundations of Quantum . . . . . . 1 / 29 UT

Supremacy Experiments Complexity-Theoretic Foundations of Quantum . . . . . . 1 / 29 UT

. . July 7, 2017 Complexity-Theoretic Foundations of Quantum Supremacy Experiments July 7, 2017 Scott Aaronson, Lijie Chen Supremacy Experiments Complexity-Theoretic Foundations of Quantum . . . . . . 1 / 29 UT Austin, Tsinghua

761 views • 32 slides
Automata-theoretic analysis of hybrid systems Madhavan Mukund SPIC Mathematical Institute 92, G

Automata-theoretic analysis of hybrid systems Madhavan Mukund SPIC Mathematical Institute 92, G

Automata-theoretic analysis of hybrid systems Madhavan Mukund SPIC Mathematical Institute 92, G N Chetty Road Chennai 600 017, India Email: madhavan@smi.ernet.in URL: http://www.smi.ernet.in/~madhavan Tutorial at BRNS Workshop on Verification

548 views • 24 slides
Invariants Associated to K-theoretic Methods and Complexity of Algebraic Cycle Groups Karim

Invariants Associated to K-theoretic Methods and Complexity of Algebraic Cycle Groups Karim

Invariants Associated to K-theoretic Methods and Complexity of Algebraic Cycle Groups Karim Mansour University of Alberta Department of Mathematics Alberta, Canada abdelgal@ualberta.ca December 04, 2100 Detecting geometry by its interaction

663 views • 53 slides
Towards a Complexity-theoretic Understanding of Restarts in SAT solvers Chunxiao Li 1 , Noah

Towards a Complexity-theoretic Understanding of Restarts in SAT solvers Chunxiao Li 1 , Noah

Towards a Complexity-theoretic Understanding of Restarts in SAT solvers Chunxiao Li 1 , Noah Fleming 2 , Marc Vinyals 3 , Toniann Pitassi 2 and Vijay Ganesh 1 1 University of Waterloo, Canada 2 University of Toronto, Canada 3 Technion, Israel

448 views • 18 slides
Safety Analysis of Systems Aaron R. Bradley Stanford University Safety Analysis of Systems

Safety Analysis of Systems Aaron R. Bradley Stanford University Safety Analysis of Systems

Safety Analysis of Systems Aaron R. Bradley Stanford University Safety Analysis of Systems 1/39 Why Analyze Systems? Two trends: increasing prominence in controlling and decision-making roles rising complexity (multi-core

1.16k views • 86 slides
Time and Space Complexity For practical solutions to computational problems available time, and

Time and Space Complexity For practical solutions to computational problems available time, and

Time and Space Complexity For practical solutions to computational problems available time, and Computability and Complexity available memory are two main considerations. Lecture 14 We have already studied time complexity, now we will focus

360 views • 3 slides
Lattice-Theoretic Framework for Data-Flow Analysis Last time Generalizing data-flow

Lattice-Theoretic Framework for Data-Flow Analysis Last time Generalizing data-flow

Lattice-Theoretic Framework for Data-Flow Analysis Last time Generalizing data-flow analysis Today Introduce lattice-theoretic frameworks for data-flow analysis CS553 Lecture Lattice Theoretic Framework for DFA 1 Context

421 views • 15 slides
High-dimensional graphical model selection: Practical and information-theoretic limits Martin

High-dimensional graphical model selection: Practical and information-theoretic limits Martin

High-dimensional graphical model selection: Practical and information-theoretic limits Martin Wainwright Departments of Statistics, and EECS UC Berkeley, California, USA Based on joint work with: John Lafferty (CMU), Pradeep Ravikumar (UC

338 views • 22 slides
A computational complexity-theoretic elaboration of weak truth-table reducibility Kohtaro Tadaki

A computational complexity-theoretic elaboration of weak truth-table reducibility Kohtaro Tadaki

A computational complexity-theoretic elaboration of weak truth-table reducibility Kohtaro Tadaki Research and Development Initiative, Chuo University JST CREST Tokyo, Japan Supported by the Ministry of Economy, Trade and Industry of Japan and

464 views • 32 slides
I-Complexity and Discrete Towards Precise . . . Derivative of Logarithms: Our Result Proof A

I-Complexity and Discrete Towards Precise . . . Derivative of Logarithms: Our Result Proof A

Kolmogorov Complexity Need for Approximate . . . I-Complexity Good Properties of I- . . . I-Complexity and Discrete Towards Precise . . . Derivative of Logarithms: Our Result Proof A Group-Theoretic Acknowledgments References Explanation

481 views • 12 slides
Automated Complexity Analysis of Rewrite Systems Florian Frohn RWTH Aachen University, Germany

Automated Complexity Analysis of Rewrite Systems Florian Frohn RWTH Aachen University, Germany

Automated Complexity Analysis of Rewrite Systems Florian Frohn RWTH Aachen University, Germany December 11, 2018 Automated Complexity Analysis of Rewrite Systems 1 Automated Complexity Analysis of Rewrite Systems Florian Frohn RWTH Aachen

1.61k views • 145 slides
Complexity Analysis of Precedence Terminating Infinite Graph Rewrite Systems Naohi Eguchi Chiba

Complexity Analysis of Precedence Terminating Infinite Graph Rewrite Systems Naohi Eguchi Chiba

Complexity Analysis of Precedence Terminating Infinite Graph Rewrite Systems Naohi Eguchi Chiba University, Japan University of Innsbruck, Austria September 27, 2014 41st TRS meeting, Jozankei, Sapporo, Japan Introduction Complexity

392 views • 16 slides
The descriptive set-theoretic complexity of the set of points of continuity of a multi-valued

The descriptive set-theoretic complexity of the set of points of continuity of a multi-valued

The descriptive set-theoretic complexity of the set of points of continuity of a multi-valued function Vassilis Gregoriades Technische Universit at Darmstadt, GERMANY A multi-valued (total) function from a set X to another set Y is a function

502 views • 13 slides
Meta-Bayesian Analysis A Bayesian decision-theoretic analysis of Bayesian inference under model

Meta-Bayesian Analysis A Bayesian decision-theoretic analysis of Bayesian inference under model

Meta-Bayesian Analysis A Bayesian decision-theoretic analysis of Bayesian inference under model misspecification Jun Yang joint work with Daniel Roy Department of Statistical Sciences University of Toronto World Congress in Probability and

190 views • 17 slides
Hybrid Elections Broaden Complexity-Theoretic Resistance to Control Edith Hemaspaandra 1 Lane A.

Hybrid Elections Broaden Complexity-Theoretic Resistance to Control Edith Hemaspaandra 1 Lane A.

Overview, Definitions, and Discussion Inheritance and Hybrid Elections: Results Questions? Hybrid Elections Broaden Complexity-Theoretic Resistance to Control Edith Hemaspaandra 1 Lane A. Hemaspaandra 2 Jrg Rothe 3 1 Rochester Institute of

547 views • 50 slides
Public Key Cryptography Background Basic Concepts in Complexity Theory Some Number Theoretic

Public Key Cryptography Background Basic Concepts in Complexity Theory Some Number Theoretic

Public Key Cryptography Indivar Gupta SAG, DRDO, Delhi Public Key Cryptography Background Basic Concepts in Complexity Theory Some Number Theoretic &amp; Algebraic Algorithms Indivar Gupta Some Computational Hard Problems and SAG,

1.49k views • 104 slides
Applying complexity theory to policy analysis and evaluation analysis and evaluation Mat Walton

Applying complexity theory to policy analysis and evaluation analysis and evaluation Mat Walton

Applying complexity theory to policy analysis and evaluation analysis and evaluation Mat Walton School of Public Health Massey University y y Guest Lecture, The Treasury 18 March 2015 Outline Part One: What is complexity theory?

1.31k views • 47 slides
Diachronics of Redemption: A Systems Theoretic Exploration of Rosenzweigs Star Martin Zwick

Diachronics of Redemption: A Systems Theoretic Exploration of Rosenzweigs Star Martin Zwick

Diachronics of Redemption: A Systems Theoretic Exploration of Rosenzweigs Star Martin Zwick Systems Science Program Portland State University zwick@pdx.edu http://www.pdx.edu/sysc/research-systems-theory-and-philosophy

637 views • 24 slides
More Practical Single-Trace Attacks on the Number Theoretic Transform Peter Pessl, Robert Primas

More Practical Single-Trace Attacks on the Number Theoretic Transform Peter Pessl, Robert Primas

SCIENCE PASSION TECHNOLOGY More Practical Single-Trace Attacks on the Number Theoretic Transform Peter Pessl, Robert Primas Graz University of Technology LATINCRYPT 2019, October 02 &gt; www.iaik.tugraz.at www.iaik.tugraz.at

1.63k views • 60 slides
7 YEARS OF DDD or Tackling Complexity in Large Scale Marketing Systems vladikk YAY!!!

7 YEARS OF DDD or Tackling Complexity in Large Scale Marketing Systems vladikk YAY!!!

7 YEARS OF DDD or Tackling Complexity in Large Scale Marketing Systems vladikk YAY!!! @vladikk vladikk.com Internovus PART 1 5 BOUNDED CONTEXTS PART 2 5 PRACTICAL ADVICES vladikk Your Product Marketing Creatives

1.47k views • 143 slides
On the sample complexity of graph selection: Practical methods and fundamental limits Martin

On the sample complexity of graph selection: Practical methods and fundamental limits Martin

On the sample complexity of graph selection: Practical methods and fundamental limits Martin Wainwright UC Berkeley Departments of Statistics, and EECS Based on joint work with: John Lafferty (CMU) Pradeep Ravikumar (UT Austin) Prasad

1.37k views • 60 slides
Relating Proof Complexity Measures and Practical Hardness of SAT Jakob Nordstr om KTH Royal

Relating Proof Complexity Measures and Practical Hardness of SAT Jakob Nordstr om KTH Royal

Relating Proof Complexity Measures and Practical Hardness of SAT Jakob Nordstr om KTH Royal Institute of Technology Stockholm, Sweden 18th International Conference on Principles and Practice of Constraint Programming Qu ebec City,

735 views • 60 slides
Complexity of Well-Quasi-Orderings and Well-Structured Transition Systems Part IV: Complexity of

Complexity of Well-Quasi-Orderings and Well-Structured Transition Systems Part IV: Complexity of

Complexity of Well-Quasi-Orderings and Well-Structured Transition Systems Part IV: Complexity of WSTS Verification Philippe Schnoebelen LSV, CNRS &amp; ENS Cachan + Oxford 1-year visitor Oxford Dept. Comp. Sci, Mar. 9th, 2012 Part IV.a: Upper

774 views • 53 slides

More recommend