Not all is lost for anonymity – but quite a lot is. Coordination among users can help with anonymity (PowerPoint presentation, slide transcript)

Debajyoti Das (Purdue University), Sebastian Meiser (Visa Research), Esfandiar Mohammadi (ETH Zurich), Aniket Kate (Purdue University)


  1. Title slide: Not all is lost for anonymity – but quite a lot is. Coordination among users can help with anonymity.

  2-4. Sender Anonymity (AnoA definition)
  (Figure: Alice and Bob are possible senders; Eve observes the network and outputs the guess "Alice".)
  Pr[Eve outputs "Alice" | Alice sends message] ≤ Pr[Eve outputs "Alice" | Bob sends message] + δ(η)
  Strong anonymity: δ(η) ≤ negl(η)

  5-8. Anonymity Trilemma
  • Q1: Can we achieve strong anonymity without introducing large latency or bandwidth overhead? – NO.
  (Figure: triangle with the three corners "strong anonymity", "low latency overhead" and "low bandwidth overhead"; "low" means constant in η.) [IEEE S&P 2018]

  9. Outline
  ❖ Prior results on the anonymity trilemma
  ❖ How coordination among users can help anonymity
  ❖ New impossibility results for anonymity
  ❖ Future direction of anonymous communication protocols

  10. Bandwidth Overhead and Latency Overhead
  • We consider one communication round as one time unit.
  • Latency overhead l is the number of rounds a message can be delayed by the protocol before being delivered.
  • Bandwidth overhead β is the number of noise messages per user per round, i.e., the dummy message rate.
  (Figure: a sender S and a receiver R; in the example the latency overhead is l = 4 and the bandwidth overhead is β = 2.)

  11. Prior results for mix-nets (including onion routing)
  • When users send messages at a rate of p' per user per round, to achieve strong anonymity (δ = negl(η)): 2l(β + p') ≥ 1.
  (Figure: bandwidth β against latency l, with the boundary curve 2l(β + p') = 1.)

  12-13. When the adversary can compromise c protocol parties
  • To achieve strong anonymity:
    - 2(l − c)β ≥ 1, when l > c.
    - 2l(β + p') = 1 remains the boundary of the uncompromised case.
  (Figure: bandwidth β against latency l; annotations "2(l − c)β ≥ 1 when c > 0, l > Θ(1)" and "2l(β + p') = 1, l in Θ(1)".)
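The two necessary conditions stated on slides 11-13 can be checked mechanically for a candidate parameter set. The following is an added example (not code from the talk or the paper); it encodes the bounds exactly as the slides state them and searches for the smallest integer latency overhead that satisfies both. The function names and the integer-round assumption are my own.

```python
from fractions import Fraction
from typing import Optional, Tuple

# Necessary conditions for strong anonymity, as stated on the slides:
#   mix-nets, no compromised parties:   2 * l * (beta + p') >= 1
#   c compromised protocol parties:     2 * (l - c) * beta >= 1, only when l > c
# Both are necessary, not sufficient: passing them does not mean a protocol exists.


def mixnet_bound_ok(l: Fraction, beta: Fraction, p_real: Fraction) -> bool:
    """Trilemma bound for mix-net style protocols without compromised parties."""
    return 2 * l * (beta + p_real) >= 1


def compromised_bound_ok(l: Fraction, beta: Fraction, c: int) -> bool:
    """Bound with c compromised parties; it is only meaningful when l > c."""
    if c > 0 and l <= c:
        return False  # every packet can be watched end to end by the compromised parties
    return 2 * (l - c) * beta >= 1


def strong_anonymity_possible(l, beta, p_real, c: int = 0) -> Tuple[bool, str]:
    """Return (possible, reason): 'possible' means neither necessary condition rules out
    strong anonymity for latency overhead l, dummy rate beta, real-message rate p_real
    and c compromised parties."""
    l, beta, p_real = Fraction(l), Fraction(beta), Fraction(p_real)
    if not mixnet_bound_ok(l, beta, p_real):
        return False, f"trilemma bound violated: 2*{l}*({beta}+{p_real}) < 1"
    if c > 0 and not compromised_bound_ok(l, beta, c):
        return False, f"compromise bound violated: 2*({l}-{c})*{beta} < 1 or l <= c"
    return True, "both necessary conditions hold"


def min_latency(beta, p_real, c: int = 0, max_l: int = 10_000) -> Optional[int]:
    """Smallest integer latency overhead l (in rounds, an assumption of this example)
    that satisfies both necessary conditions, or None if none exists up to max_l."""
    beta, p_real = Fraction(beta), Fraction(p_real)
    for l in range(0, max_l + 1):
        if strong_anonymity_possible(l, beta, p_real, c)[0]:
            return l
    return None


if __name__ == "__main__":
    # Constant latency (l = 1) with a dummy rate of one message every second round
    print(strong_anonymity_possible(1, Fraction(1, 2), 0))          # possible when c = 0
    print(strong_anonymity_possible(1, Fraction(1, 2), 0, c=1))     # ruled out once c > 0
    for c in (0, 1, 2):
        print(f"beta=1/4, p'=0, c={c}: minimal latency overhead = {min_latency(Fraction(1, 4), 0, c)}")
    print("beta=0 with c=1:", min_latency(0, Fraction(1, 8), c=1))  # None: no dummies, no resistance
```

Running it shows the point of slides 14-16: a constant latency overhead of one round passes the trilemma bound when no party is compromised, but as soon as c ≥ l the compromise bound cannot be met at any dummy rate, which is exactly the case the talk then escapes with user coordination.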

  14-16. Is it impossible to achieve strong anonymity with constant latency overhead when c > 0?
  - NO.
  - Example: DC-net with user coordination.
  - Our earlier protocol model did not assume any out-of-band user coordination.

  17-18. DC-net type protocols – user coordination
  (Figure: Alice, Bob and Charlie each send one packet; Eve observes all three.)
  • Eve cannot point to a single packet and say that the real message is only inside this packet.
  • Another naïve way is to secret-share the real message among several parties.
  • Eve can retrieve the actual message only after combining all three packets.
  • Can provide strong anonymity even with constant latency.
  • Issue: these protocols use very high bandwidth overhead. The overhead (number of dummy messages) per real message is B > (N − 1), where N = total number of users.
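To make the "no single packet carries the message" property concrete, here is an added example (my code, not the authors') of one DC-net style round: every pair of users holds a pre-shared random pad (the out-of-band coordination), each user broadcasts the XOR of its pads, and the sender additionally XORs in the message. Eve sees every packet, yet any proper subset of them is uniformly random; only the XOR of all N packets yields the message. The pad sizes, user count and the one-sender-per-round simplification are assumptions of this example.

```python
import secrets
from typing import Dict, List, Tuple

PAD_LEN = 16  # bytes per packet (assumption of this example)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def setup_pads(n_users: int) -> Dict[Tuple[int, int], bytes]:
    """Out-of-band coordination: every pair of users agrees on a fresh random pad.
    In a real DC-net these would be derived from pairwise shared keys."""
    return {(i, j): secrets.token_bytes(PAD_LEN)
            for i in range(n_users) for j in range(i + 1, n_users)}


def dcnet_round(n_users: int, sender: int, message: bytes,
                pads: Dict[Tuple[int, int], bytes]) -> List[bytes]:
    """One round: each user emits the XOR of all pads it shares; the sender XORs in
    the message. Every packet is the same length, so Eve sees N look-alike packets."""
    assert len(message) == PAD_LEN
    packets = []
    for u in range(n_users):
        out = bytes(PAD_LEN)
        for (i, j), pad in pads.items():
            if u in (i, j):
                out = xor(out, pad)
        if u == sender:
            out = xor(out, message)
        packets.append(out)
    return packets


def combine(packets: List[bytes]) -> bytes:
    """XOR a set of packets together. Pads cancel only when both ends of every
    pair are present, i.e. when all N packets are combined."""
    acc = bytes(PAD_LEN)
    for p in packets:
        acc = xor(acc, p)
    return acc


def dummy_overhead(n_users: int, real_messages: int = 1) -> int:
    """Packets sent in the round that carry no real message: N - 1 for one real
    message, which is the price the slide points at (B > N - 1 in general)."""
    return n_users - real_messages


def eve_learns_from_subset(packets: List[bytes], message: bytes) -> bool:
    """Eve's best attempt from every leave-one-out subset: does any of them
    reconstruct the message? (It should not.)"""
    n = len(packets)
    return any(combine(packets[:k] + packets[k + 1:]) == message for k in range(n))


if __name__ == "__main__":
    users = 3  # Alice, Bob, Charlie
    msg = b"hello from Alice"  # 16 bytes, constructed sample
    pads = setup_pads(users)
    pkts = dcnet_round(users, sender=0, message=msg, pads=pads)
    print("full combination  :", combine(pkts))
    print("Eve from N-1 pkts :", eve_learns_from_subset(pkts, msg))
    print("dummy packets/real:", dummy_overhead(users))
```

The check `eve_learns_from_subset` only fails with probability about 2^-128 per subset (a random 16-byte value happening to equal the message), which is the usual information-theoretic argument for DC-nets. Note that the round delivers the message with zero extra latency, at the cost of N packets for one real message.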

  19-21. Protocols beyond mix-nets – hybrid protocols
  (Figure: Alice, Bob and Charlie send packets 1, 2 and 3 through an intermediate party Debo; Eve observes.)
  • Bob and Charlie send shares for Alice's message, with some pre-setup, without Alice communicating to them.
  • Eve can retrieve the actual message only after combining all three packets.

  22-24. Assumptions on the protocols
  (Figure: Alice, Bob and Charlie send packets 1, 2 and 3; two adversarial parties Eve1 and Eve2 observe.)
  Assumption 1: One packet does not take part in the reconstruction of two separate messages.

  25-27. Assumptions on the protocols
  (Figure: Alice and Bob send packets 1, 2 and 3; Eve observes.)
  Assumption 2: Oblivious swapping is not possible.

  28-30. Necessary invariant for anonymity
  (Figure: timeline with rounds r − l, t0, t1, t2 and r; Alice and Bob feed messages into the protocol, Eve observes at time t0, Bob is shown after (r − l) and at time r.)
  For anonymity we need:
  • Bob sends at least one message within the time slice [r − l, r).
  • At least one of the packets helping the message from Alice meets a message from Bob at an honest node.
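The invariant on slides 28-30 can be checked against a recorded schedule of packets. Below is an added example (not the authors' code) with a minimal model: each packet has a sender, a send round and the list of (node, round) hops it visits, one node per round. "Meets at an honest node" is modelled, as an assumption of this example, as two packets sitting at the same honest node in the same round, so that the node could swap them. The helper packets for Alice's message may come from other users, as in the hybrid protocols of slides 19-21. Node names, rounds and the sample schedule are constructed.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

Hop = Tuple[str, int]  # (node id, round in which the packet sits at that node)


@dataclass
class Packet:
    sender: str      # user who emitted the packet
    sent_at: int     # round in which it was emitted
    hops: List[Hop]  # assumption: one node per round, honest or compromised


def in_window(p: Packet, r: int, l: int) -> bool:
    """Check 1: the packet was sent within the time slice [r - l, r)."""
    return r - l <= p.sent_at < r


def meets_at_honest_node(a: Packet, b: Packet, honest: Set[str]) -> bool:
    """Check 2 (modelling assumption): the packets share an honest node in the same round."""
    b_hops = set(b.hops)
    return any(h in b_hops and h[0] in honest for h in a.hops)


def invariant_holds(helpers: List[Packet], others: List[Packet], r: int, l: int,
                    honest: Set[str], target_sender: str = "Alice") -> Tuple[bool, str]:
    """helpers: packets that together carry target_sender's message, delivered at round r.
    others: every other packet Eve observed. Returns (holds, explanation)."""
    candidates = [o for o in others if o.sender != target_sender and in_window(o, r, l)]
    if not candidates:
        return False, f"no other user sent a message within [{r - l}, {r})"
    for h in helpers:
        for o in candidates:
            if meets_at_honest_node(h, o, honest):
                return True, f"packet from {h.sender} meets {o.sender}'s packet at an honest node"
    return False, "no helper packet meets another user's packet at an honest node"


# Constructed sample schedule: latency overhead l = 3, Alice's message delivered at r = 8,
# node n2 is compromised (Eve sees everything passing through it).
L, R = 3, 8
HONEST = {"n1", "n3"}
alice = Packet("Alice", 5, [("n1", 6), ("n2", 7)])
bob_meets = Packet("Bob", 5, [("n1", 6), ("n3", 7)])       # same honest node, same round
bob_too_early = Packet("Bob", 1, [("n1", 2), ("n3", 3)])   # outside [5, 8)
bob_at_compromised = Packet("Bob", 6, [("n2", 7), ("n3", 8)])  # only meets Alice at n2
charlie_share = Packet("Charlie", 5, [("n1", 6), ("n3", 7)])   # hybrid: a share of Alice's message


def scenarios():
    """Run the sample schedules; used both by __main__ and by the test harness."""
    return {
        "plain, meets":        invariant_holds([alice], [bob_meets], R, L, HONEST),
        "plain, too early":    invariant_holds([alice], [bob_too_early], R, L, HONEST),
        "plain, compromised":  invariant_holds([alice], [bob_at_compromised], R, L, HONEST),
        # Alice's own packet only touches n2 with Bob, but Charlie's share meets Bob at n1
        "hybrid, via share":   invariant_holds([Packet("Alice", 6, [("n2", 7)]), charlie_share],
                                               [bob_meets], R, L, HONEST),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:20s} -> {'anonymous' if ok else 'Eve can trace':14s} ({why})")
```

When the invariant fails Eve can follow Alice's packet through the compromised node and nobody else's packet could have been swapped with it, which is the situation the 2(l − c)β ≥ 1 bound quantifies; the hybrid scenario shows why shares sent by other users (slides 19-21) help: a share meeting Bob's packet at an honest node satisfies the invariant even though Alice's own packet never did.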

  31-32. Results are the same when no parties are compromised
  • To achieve strong anonymity (δ = negl(η)): 2l(β + p') ≥ 1.
  (Figure: bandwidth β against latency l, with the boundary curve 2l(β + p') = 1.)
  The basic trilemma still holds, except for l = 0.

  33-38. Quantum of Solace: when protocol parties are compromised
  • If strong anonymity is not required, user coordination could allow better anonymity.
  • Better resistance against compromise.
  (Figure: bandwidth β against latency l, with the curves 2l(β + p') = 1 and 2(l − c)β ≥ 1 when c > 0.)

  39. Effect of coordination: resistance against compromised protocol parties
  (Figure with the results; notation used:)
  K: total number of intermediate protocol parties (routers/nodes),
  c: total number of compromised parties out of the K parties,
  p: the probability that a user sends a message in a round,
  η: security parameter,
  l: latency overhead

  40. Takeaways
  • Our work points protocol designers to focus on hybrid protocols, to at least achieve resistance against compromise.
  • Still, we cannot do better than the limit specified by the trilemma: 2l(β + p') ≥ 1.
  • If a protocol achieves strong anonymity for 2l(β + p') = 1, then that will be the optimal ACN.
  (Figure: bandwidth β against latency l, with the curve 2l(β + p') = 1 and the region "when c > 0".)

  41-42. Leap of faith
  Challenge: Achieve oblivious swapping at a dishonest node.
  Still, strong anonymity will be impossible for 2l(β + p') < 1.
  (Figure: bandwidth β against latency l, with the curve 2l(β + p') = 1 and the region "when c > 0".)

  43. A New Hope
  Challenge 2: Break Assumption 1. If a protocol can use a secret sharing scheme that generates w < k·n shares for n messages such that k shares are sufficient to reconstruct all n messages correctly, without using any trusted third party, with a communication of O(n) and constant latency overhead, that protocol can break the anonymity trilemma.

  44. http://bit.ly/AnonymityTrilemma Thank you. ☺ @tutaidas das48@purdue.edu
