Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.
Overview
1. Anonymous communication and onion routing
2. Formally model and analyze onion routing (Financial Cryptography 2007)
3. Probabilistic analysis of onion routing (Workshop on Privacy in the Electronic Society 2007)
Anonymous Communication: What?
• Setting
  – Communication network
  – Adversary
• Anonymity
  – Sender anonymity
  – Receiver anonymity
  – Unlinkability
  w.r.t. a message
  w.r.t. all communication
Anonymous Communication: Why?
• Useful
  – Individual privacy online
  – Corporate privacy
  – Government and foreign intelligence
  – Whistleblowers
• Interesting
  – How to define?
  – Possible in communication networks?
  – Cryptography from anonymity
Anonymous Communication Protocols
• Mix Networks (1981)
• Dining cryptographers (1988)
• Onion routing (1999)
• Anonymous buses (2002)
• Crowds (1998)
• PipeNet (1998)
• Xor-trees (2000)
• Tarzan (2002)
• Hordes (2002)
• Salsa (2006)
• ISDN, pool, Stop-and-Go, timed, cascade mixes
• etc.
Deployed Anonymity Systems
• anon.penet.fi
• Freedom
• Mixminion
• Mixmaster
• Tor
• JAP
• FreeNet
• anonymizer.com and other single-hop proxies
• I2P
• MUTE
• Nodezilla
• etc.
Onion Routing
• Practical design with low latency and overhead
•
• Open source implementation (http://tor.eff.org)
• Over 1000 volunteer routers
• Estimated 200,000 users
• Sophisticated design
Anonymous Communication
[Figure: mix networks, dining cryptographers, onion routing and anonymous buses placed under the labels "Deployed" and "Analyzed"]
A Model of Onion Routing with Provable Anonymity
Johnson, Feigenbaum, and Syverson
Financial Cryptography 2007
• Formally model onion routing using input/output automata
• Characterize the situations that provide possibilistic anonymity
How Onion Routing Works
[Figure: user u running client, routers 1 to 5 running servers, Internet destination d]
1. u creates l-hop circuit through routers
2. u opens a stream in the circuit to d
3. Data are exchanged
   Successive builds show the message as {{{m}3}4}1, {{m}3}4, {m}3, m, then the reply as m’, {m’}3, {{m’}3}4, {{{m’}3}4}1.
4. Stream is closed.
5. Circuit is changed every few minutes.
Theorem 1: Adversary can only determine parts of a circuit it controls or is next to.
Model
• Constructed with I/O automata (Lynch & Tuttle, 1989)
  – Models asynchrony
  – Relies on abstract properties of cryptosystem
• Simplified onion-routing protocol
  – Each user constructs a circuit to one destination
  – No separate destinations
  – No circuit teardowns
• Circuit identifiers
Automata Protocol
[Figure: nodes u, v, w]
Creating a Circuit
[Figure: user u and routers 1, 2, 3]
1. CREATE/CREATED
   [0,{CREATE}1]
   [0,CREATED]
2. EXTEND/EXTENDED
   [0,{[EXTEND,2,{CREATE}2]}1]
   [l1,{CREATE}2]
   [l1,CREATED]
   [0,{EXTENDED}1]
3. [Repeat with layer of encryption]
   [0,{{[EXTEND,3,{CREATE}3]}2}1]
   [l1,{[EXTEND,3,{CREATE}3]}2]
   [l2,{CREATE}3]
   [l2,CREATED]
   [l1,{EXTENDED}2]
   [0,{{EXTENDED}2}1]
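The cells shown across the "Creating a Circuit" builds, and the onion peeled hop by hop in "How Onion Routing Works", replayed symbolically as an added example (not code from the talk or from Tor). `Enc`, `build_circuit`, `relay` and `peers` are hypothetical names; keys are labelled by router number as on the slides, sender and receiver directions are inferred, and no real cryptography is performed.

```python
# Added illustration: symbolic replay of the slides' circuit-building cells.
# Assumptions: keys are named by router number; link i carries id 0, l1, l2, ...
from dataclasses import dataclass


@dataclass(frozen=True)
class Enc:
    """Symbolic ciphertext {body}key; no real cryptography is performed."""
    key: int
    body: object


def show(term):
    """Render a term in the slides' notation."""
    if isinstance(term, Enc):
        return "{" + show(term.body) + "}" + str(term.key)
    if isinstance(term, tuple):
        return "[" + ",".join(show(x) for x in term) + "]"
    return str(term)


def wrap(body, keys):
    """Layer body so keys[0] is outermost: wrap('m', [1, 4, 3]) is {{{m}3}4}1."""
    for k in reversed(keys):
        body = Enc(k, body)
    return body


def peel(router, term):
    """Remove one layer; a router can only remove a layer under its own key."""
    if not isinstance(term, Enc) or term.key != router:
        raise ValueError(f"router {router} cannot remove this layer")
    return term.body


def link_id(i):
    """Circuit identifier used on link i (link 0 joins u and the first router)."""
    return 0 if i == 0 else f"l{i}"


def build_circuit(path):
    """Return [(sender, receiver, cell)] for building a circuit from u along path."""
    hops = ["u"] + list(path)
    trace = []

    def send(src, dst, link, body):
        trace.append((src, dst, show((link_id(link), body))))

    for i, r in enumerate(path, start=1):
        create = Enc(r, "CREATE")
        if i == 1:
            send("u", r, 0, create)
            send(r, "u", 0, "CREATED")
            continue
        # u wraps the EXTEND request once for every router already on the circuit.
        term = wrap(("EXTEND", r, create), list(path[:i - 1]))
        for j in range(i - 1):
            send(hops[j], hops[j + 1], j, term)
            term = peel(hops[j + 1], term)
        # The current last router now reads the request and contacts the new hop.
        _, nxt, inner = term
        send(hops[i - 1], nxt, i - 1, inner)
        send(nxt, hops[i - 1], i - 1, "CREATED")
        # EXTENDED travels back, gaining one layer at each router it passes.
        reply = "EXTENDED"
        for j in range(i - 2, -1, -1):
            reply = Enc(hops[j + 1], reply)
            send(hops[j + 1], hops[j], j, reply)
    return trace


def relay(message, path):
    """Forms a data message takes on each successive link from u towards d."""
    term = wrap(message, list(path))
    seen = [show(term)]
    for r in path:
        term = peel(r, term)
        seen.append(show(term))
    return seen


def peers(trace, node):
    """Every party that node exchanged a cell with while the circuit was built."""
    return {d if s == node else s for s, d, _ in trace if node in (s, d)}


if __name__ == "__main__":
    for src, dst, c in build_circuit([1, 2, 3]):   # constructed 3-hop path
        print(f"{src} -> {dst}: {c}")
    print(relay("m", [1, 4, 3]))
    print("router 3 talked to:", peers(build_circuit([1, 2, 3]), 3))
```

Router 3 only ever exchanges cells with router 2, which is the informal reading of Theorem 1 on the earlier slide.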
Input/Output Automata
• States
• Actions transition between states
• Alternating state/action sequence is an execution
• In fair executions actions enabled infinitely often occur infinitely often
• In cryptographic executions no encrypted protocol messages are sent before they are received unless the sender possesses the key
I/O Automata Model
• Automata
  – User
  – Server
  – Complete network of FIFO Channels
  – Adversary replaces some servers with arbitrary automata
• Notation
  – U is the set of users
  – R is the set of routers
  – N = U ∪ R is the set of all agents
  – A ⊆ N is the adversary
  – K is the keyspace
  – l is the (fixed) circuit length
  – k(u,c,i) denotes the ith key used by user u on circuit c
User automaton
Server automaton
Anonymity
Definition (configuration): A configuration is a function U → R^l mapping each user to his circuit.
Definition (indistinguishable executions): Executions and are indistinguishable to adversary A when his actions in are the same as in after possibly applying the following:
: A permutation on the keys not held by A.
: A permutation on the messages encrypted by a key not held by A.
Anonymity
Definition (indistinguishable configurations): Configurations C and D are indistinguishable to adversary A when, for every fair, cryptographic execution C, there exists a fair, cryptographic execution D that is indistinguishable to A.
Definition (unlinkability): User u is unlinkable to d in configuration C with respect to adversary A if there exists an indistinguishable configuration D in which u does not talk to d.
Main Theorems
[Figure: configurations C and D, each drawn with users u and v and routers 1 to 5]
Theorem 1: Let C and D be configurations for which there exists a permutation : U → U such that C_i(u) = D_i((u)) if C_i(u) or D_i((u)) is compromised or is adjacent to a compromised router. Then C and D are indistinguishable.
Theorem 2: Given configuration C, let (r_{i-1}, r_i, r_{i+1}) be three consecutive routers in a circuit such that {r_{i-1}, r_i, r_{i+1}} ∩ A = ∅. Let D be identical to configuration C except r_i has been replaced with r_i′ ∉ A. Then C and D are indistinguishable.
Theorem 3: If configurations C and D are indistinguishable, then D can be reached from C by applying a sequence of transformations of the type described in Theorems 1 and 2.
Lemma: Let u, v be two distinct users such that neither they nor the first routers in their circuits are compromised in configuration C. Let D be identical to C except the circuits of users u and v are switched. C and D are indistinguishable to A.
Proof: Given execution of C, construct :
1. Replace any message sent or received between u (v) and C_1(u) (C_1(v)) in with a message sent or received between v (u) and C_1(u) (C_1(v)).
2. Let the permutation send u to v and v to u and other users to themselves. Apply to the encryption keys.
i. is an execution of D.
ii. is fair.
iii. is cryptographic.
iv. is indistinguishable.
Unlinkability
Corollary: A user is unlinkable to its destination when:
• The last router is unknown.
OR
• The user is unknown and another unknown user has an unknown destination.
OR
• The user is unknown and another unknown user has a different destination.
[Figures: example circuits for each case, with unknown routers marked "?"]
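An added example (not from the talk or the paper) that applies Theorem 1's condition as a sufficient check and uses it to search for the witness configuration required by the unlinkability definition: every circuit position that is neither compromised nor adjacent to a compromised router is masked, and configurations are compared as multisets of masked circuits. It assumes the adversary A contains only routers, treats the last router of a circuit as the destination, and keeps the user visible when the first router is compromised, as in the Lemma's precondition; `view`, `swap` and `unlinkable_witness` are hypothetical names.

```python
# Added illustration of the sufficient condition in Theorem 1 and the Lemma.
# Assumptions: A is a set of routers (no compromised users) and the last
# router of each circuit plays the role of the destination.
from collections import Counter
from itertools import product


def view(config, A):
    """Multiset of circuits with every position the adversary cannot determine masked."""
    rows = []
    for user, circuit in config.items():
        # The user is next to the first router, so it is seen only if that router is in A.
        row = [user if circuit[0] in A else "?"]
        for i, r in enumerate(circuit):
            near = set(circuit[max(i - 1, 0):i + 2])   # r and its circuit neighbours
            row.append(r if near & A else "?")
        rows.append(tuple(row))
    return Counter(rows)


def swap(config, u, v):
    """Configuration in which users u and v have exchanged circuits (the Lemma's D)."""
    out = dict(config)
    out[u], out[v] = config[v], config[u]
    return out


def unlinkable_witness(config, u, A, routers):
    """Search for a configuration with the same view in which u ends at another router.

    A returned configuration shows u is unlinkable to its destination under the
    masking check; None means the brute-force search found no such witness.
    """
    users = sorted(config)
    length = len(config[u])
    target = view(config, A)
    for circuits in product(product(routers, repeat=length), repeat=len(users)):
        other = dict(zip(users, circuits))
        if other[u][-1] != config[u][-1] and view(other, A) == target:
            return other
    return None


if __name__ == "__main__":
    routers = range(1, 6)
    # Constructed sample configurations, circuit length l = 3.
    C = {"u": (2, 4, 3), "v": (5, 4, 1)}
    print("Lemma, A={4}:", view(C, {4}) == view(swap(C, "u", "v"), {4}))
    print("First router compromised, A={2}:",
          view(C, {2}) == view(swap(C, "u", "v"), {2}))
    C2 = {"u": (1, 2, 3), "v": (4, 5, 2)}
    print("Last router unknown, A={1}:", unlinkable_witness(C2, "u", {1}, routers))
    print("First and last compromised, A={1,3}:",
          unlinkable_witness(C2, "u", {1, 3}, routers))
```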
Model Robustness
• Only single encryption still works
• Can include data transfer
• Can allow users to create multiple circuits
A Probabilistic Analysis of Onion Routing in a Black-box Model
Johnson, Feigenbaum, and Syverson
Workshop on Privacy in the Electronic Society 2007
• Use a black-box abstraction to create a probabilistic model of onion routing
• Analyze unlinkability
• Provide upper and lower bounds on anonymity
• Examine a typical case
![Page 94: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/94.jpg)
Anonymity
[Figure: users u, v, w reach destinations d, e, f through routers 1 to 5]
1. First router compromised
2. Last router compromised
3. First and last compromised
4. Neither first nor last compromised
![Page 98: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/98.jpg)
Black-box Abstraction
[Figure: the network as a black box between users u, v, w and destinations d, e, f]
1. Users choose a destination
2. Some inputs are observed
3. Some outputs are observed
![Page 102: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/102.jpg)
Black-box Anonymity
[Figure: the network as a black box between users u, v, w and destinations d, e, f]
• The adversary can link observed inputs and outputs of the same user.
• Any configuration consistent with these observations is indistinguishable to the adversary.
![Page 105: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/105.jpg)
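Probabilistic Black-box
[Figure: the network as a black box between users u, v, w and destinations d, e, f; user u is labelled with its distribution $p^u$]
• Each user v selects a destination from distribution $p^v$
• Inputs and outputs are observed independently with probability b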
![Page 106: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/106.jpg)
Black Box Model
Let U be the set of users.
Let be the set of destinations.
Configuration C
• User destinations $C_D : U$
• Observed inputs $C_I : U \to \{0,1\}$
• Observed outputs $C_O : U \to \{0,1\}$
Let X be a random configuration such that:
$$\Pr[X=C] = \prod_u \left[p^u_{C_D(u)}\right]\left[b^{C_I(u)}(1-b)^{1-C_I(u)}\right]\left[b^{C_O(u)}(1-b)^{1-C_O(u)}\right]$$
![Page 107: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/107.jpg)
Probabilistic Anonymity
[Figure: four indistinguishable configurations of users u, v, w and destinations d, e, f]
Conditional distribution: Pr[ud] = 1
![Page 108: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/108.jpg)
Probabilistic Anonymity
The metric Y for the unlinkability of u and d in C is:
$$Y(C) = \Pr[X_D(u)=d \mid X \text{ indistinguishable from } C]$$
Exact Bayesian inference
• Adversary after long-term intersection attack
• Worst-case adversary
Unlinkability given that u visits d:
$$E[Y \mid X_D(u)=d]$$
![Page 111: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/111.jpg)
Anonymity Bounds
1. Lower bound: $E[Y \mid X_D(u)=d] \ge b^2 + (1-b^2)\,p^u_d$
2. Upper bounds:
a. $p^v = 1$ for all $v \ne u$, where $p^v$ $p^v_e$ for $e \ne d$
$E[Y \mid X_D(u)=d]$ $b + (1-b)\,p^u_d + O(\log n/n)$
b. $p^v_d = 1$ for all $v \ne u$
$E[Y \mid X_D(u)=d]$ $b^2 + (1-b^2)\,p^u_d + O(\log n/n)$
![Page 119: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/119.jpg)
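Lower Bound
Theorem 2: $E[Y \mid X_D(u)=d] \ge b^2 + (1-b^2)\,p^u_d$
Let $C_i$ be the configuration equivalence classes.
Let $D_i$ be the event $C_i \wedge X_D(u)=d$.
$$E[Y \mid X_D(u)=d \wedge X_I(u)=0] = \sum_i \frac{(\Pr[D_i])^2}{\Pr[C_i]\,\Pr[X_D(u)=d]}$$
$$\ge \frac{\left(\sum_i \Pr[D_i]\,\sqrt{\Pr[C_i]}\,/\,\sqrt{\Pr[C_i]}\right)^2}{\Pr[X_D(u)=d]} \quad \text{by Cauchy-Schwarz}$$
$$= p^u_d$$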
![Page 122: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/122.jpg)
Lower Bound
Theorem 2: $E[Y \mid X_D(u)=d] \ge b^2 + (1-b^2)\,p^u_d$
Proof:
$$E[Y \mid X_D(u)=d] = b^2 + b(1-b)\,p^u_d + (1-b)\,E[Y \mid X_D(u)=d \wedge X_I(u)=0]$$
$$\ge b^2 + b(1-b)\,p^u_d + (1-b)\,p^u_d$$
$$= b^2 + (1-b^2)\,p^u_d$$
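The lower bound of Theorem 2 and the first step of its proof can be checked by exact enumeration on a small instance of the black-box model. The Python below is an added example, not code from the talk or the paper. It assumes the adversary's view is the list of users whose inputs it observes (with the destination when the output is observed too) plus the multiset of observed destinations it cannot link to a user, and it uses constructed distributions for three users and three destinations.

```python
from collections import defaultdict
from itertools import product

# Constructed example: P_EXAMPLE[v][e] is the probability that user v picks destination e.
P_EXAMPLE = [[0.2, 0.5, 0.3], [0.6, 0.3, 0.1], [0.1, 0.1, 0.8]]

def view(config):
    """Adversary's view of a configuration, a tuple of (dest, in_seen, out_seen) per user.
    Assumption of this example: configurations with equal views are indistinguishable."""
    linked = tuple((v, d if o else None) for v, (d, i, o) in enumerate(config) if i)
    loose = tuple(sorted(d for d, i, o in config if o and not i))
    return linked, loose

def prob(config, p, b):
    """Pr[X = C]: product over users of the destination, input and output factors."""
    pr = 1.0
    for v, (d, i, o) in enumerate(config):
        pr *= p[v][d] * (b if i else 1 - b) * (b if o else 1 - b)
    return pr

def expected_y(p, b, u=0, d=0, input_seen=None):
    """E[Y | X_D(u)=d], optionally also conditioned on X_I(u)=input_seen.
    The conditioning event must have non-zero probability."""
    states = list(product(range(len(p[0])), (0, 1), (0, 1)))
    total, hit, rows = defaultdict(float), defaultdict(float), []
    for c in product(states, repeat=len(p)):
        pr = prob(c, p, b)
        if pr == 0.0:
            continue                      # impossible configuration
        key = view(c)
        total[key] += pr                  # Pr[class of C]
        if c[u][0] == d:
            hit[key] += pr                # Pr[class of C and X_D(u)=d]
            if input_seen is None or c[u][1] == input_seen:
                rows.append((pr, key))
    mass = sum(pr for pr, _ in rows)
    # Y(C) = hit/total is the exact Bayesian posterior that u visits d.
    return sum(pr * hit[key] / total[key] for pr, key in rows) / mass

def lower_bound(p_ud, b):
    """Theorem 2: b^2 + (1 - b^2) p^u_d."""
    return b * b + (1 - b * b) * p_ud

if __name__ == "__main__":
    for b in (0.1, 0.3, 0.7):
        print(b, expected_y(P_EXAMPLE, b), lower_bound(P_EXAMPLE[0][0], b))
```

The enumeration covers (4 x destinations)^users configurations, so it is only practical for toy instances like this one.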
![Page 127: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/127.jpg)
Upper Bound
Theorem 3: The maximum of $E[Y \mid X_D(u)=d]$ over $(p^v)_{v \ne u}$ occurs when
1. $p^v = 1$ for all $v \ne u$, OR
2. $p^v_d = 1$ for all $v \ne u$
Let $p^u_1$ $p^u_2$ $p^u_{d-1}$ $p^u_{d+1}$ … $p^u$
Show max. occurs when, for all $v \ne u$, $p^v_{e_v} = 1$ for some $e_v$.
Show max. occurs when, for all $v \ne u$, $e_v = d$ or $e_v =$ .
Show max. occurs when $e_v = d$ for all $v \ne u$, or when $e_v =$ for all $v \ne u$.
![Page 130: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/130.jpg)
Upper-bound Estimates
Let n be the number of users.
Theorem 4: When $p^v = 1$ for all $v \ne u$:
$$E[Y \mid X_D(u)=d] = b + b(1-b)\,p^u_d + (1-b)^2\,p^u_d\left[\frac{1-b}{1-(1-p^u)\,b} + O(\log n/n)\right]$$
Theorem 5: When $p^v_d = 1$ for all $v \ne u$:
$$E[Y \mid X_D(u)=d] = b^2 + b(1-b)\,p^u_d + (1-b)\,\frac{p^u_d}{1-(1-p^u_d)\,b} + O(\log n/n)$$
![Page 134: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/134.jpg)
Upper-bound Estimates
Let n be the number of users.
Theorem 4: When $p^v = 1$ for all $v \ne u$:
$$E[Y \mid X_D(u)=d] = b + b(1-b)\,p^u_d + (1-b)^2\,p^u_d\left[\frac{1-b}{1-(1-p^u)\,b} + O(\log n/n)\right]$$
$b + (1-b)\,p^u_d$ (for $p^u$ small)
$E[Y \mid X_D(u)=d]$ $b^2 + (1-b^2)\,p^u_d$
Increased chance of total compromise from $b^2$ to $b$.
![Page 136: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/136.jpg)
Typical Case
Let each user select from the Zipfian distribution: $p_{d_i} = 1/(i^s)$
Theorem 6:
$E[Y \mid X_D(u)=d] = b^2 + (1-b^2)\,p^u_d + O(1/n)$
$E[Y \mid X_D(u)=d]$ $b^2 + (1-b^2)\,p^u_d$
![Page 137: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/137.jpg)
Future Work
• Investigate improved protocols to defeat timing attacks.
• Examine how quickly users' distributions are learned.
• Formally analyze scalable, P2P designs.
![Page 138: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/138.jpg)
Related work
• A Formal Treatment of Onion Routing
Jan Camenisch and Anna Lysyanskaya
CRYPTO 2005
• A formalization of anonymity and onion routing
S. Mauw, J. Verschuren, and E.P. de Vink
ESORICS 2004
• I/O Automaton Models and Proofs for Shared-Key Communication Systems
Nancy Lynch
CSFW 1999
![Page 140: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/140.jpg)
Overview
• Formally model onion routing using input/output automata
– Simplified onion-routing protocol
– Non-cryptographic analysis
• Characterize the situations that provide anonymity
– Send a message, receive a message, communicate with a destination
– Possibilistic anonymity
![Page 141: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/141.jpg)
Future Work
• Construct better models of time
• Exhibit a cryptosystem with the desired properties
• Incorporate probabilistic behavior by users
![Page 142: Towards a Theory of Onion Routing Aaron Johnson Yale University 5/27/2008.](https://reader038.fdocuments.in/reader038/viewer/2022102814/551469c0550346414e8b5d1e/html5/thumbnails/142.jpg)
Related Work
• A Model of Onion Routing with Provable Anonymity
J. Feigenbaum, A. Johnson, and P. Syverson
FC 2007
• Towards an Analysis of Onion Routing Security
P. Syverson, G. Tsudik, M. Reed, and C. Landwehr
PET 2000
• An Analysis of the Degradation of Anonymous Protocols
M. Wright, M. Adler, B. Levine, and C. Shields
NDSS 2002