Gergely Tóth, 23 September 2003. IWCIT’03, Gliwice, Poland, 22-23 September 2003
Measure for Anonymity
Gergely Tóth
Budapest University of Technology and Economics
Department of Measurement and Information Systems
IWCIT’03
Contents
• Background: Onion-routing
• Model of the PROB-channel
• Source- and destination-hiding property
• MIN/MAX property
• Optimum
Research Background
• Need for anonymous message transmission techniques
– transparent
– general-purpose
– independent
• Research & planning is ongoing
• Theoretical analysis not complete
Classification of Techniques
• According to
– behavior: passive & active techniques
– delay: real-time & non-deterministic systems
– number of relaying nodes: proxy & distributed systems
– what adversaries can see: observable & unobservable systems
– level of abstraction: black-box models & finished implementations
An Existing Approach — Onion-routing
• Distributed system
• Onion-structured packets
• Anonymity of the sender cannot be compromised even if some relaying nodes are compromised
Our Model — the PROB-channel
• Passive: configuration is static (not affected by message distribution)
• Real-time: there is a maximal delay
• Observable: an observer can eavesdrop on all connection channels
• Black-box (proxy): the observer cannot gain information from within the channel
Requirements for the Model
• Guaranteed transmission throughput
– time between sending and delivery of messages has a defined maximum
• Measurable anonymity
– there should be an objective, theoretical measure for the anonymity provided
• Requirements for guaranteed anonymity level
– should be defined
Example System
• Anonymous medical consulting system
– patients ask the doctors questions
  • questions in e-mail
– answer on a public forum together with the question
– aim: the question should not be linkable to the patient
  • questions should not be linkable to patients
  • patients should not be linkable to their questions
PROB-channel I.
• Senders (patients) send encrypted messages (questions) to recipients (doctors)
• The channel delivers the messages after transforming and delaying them
[Figure: the channel (static delay distribution). Input: encrypted message (common fixed size) $E_S[R(m_i), m_i]$, carrying the original message from $s_a$. Output: $E_R[R(m_i), m_i]$, encrypted by another key, carrying the original, delivered message to $r_b$.]
PROB-channel II.
• Message delay in the channel:
– is a probability variable ()
– is message and time invariant
– has a known distribution f()
[Figure: plot of the delay distribution f( ), with min and max marked on the delay axis.]
The Observer
• Passive observer:
– cannot delete, alter or delay messages
– cannot create new messages
• Knows:
– parameters and environment of the channel
– time of sending and receipt of messages
• Aim: link messages to senders (who asked the questions)
Confidence of the Observer
• How can it be computed:
– for each sender
– for each message
– by knowing the history of the system
with what probability a certain sender sent a certain message:
]|)([ ***
,, *** lks
sSPPlk
Global Back-tracing
• Search for the most probable match among all the possible matches
• Advantage: finds out the links (if possible)
• Disadvantage: slow (exponential)
– under some circumstances infeasible for today’s computers even for about 30 messages
Local Back-tracing
• Confidence of the observer calculated for each delivered message independently
• Advantage: fast (polynomial)
• Disadvantage: some links are not detected
][
***
][
***
,,
*,**
*
*,*,**
*
***
)]()([
)]()([
kj
j
lski
i
lkjSkR
iSkR
s ttf
ttf
P
Conclusion for Behavior of Observer
• Global back-tracing would provide the best results
– infeasible for practical use
• Local back-tracing is polynomial
– can be used in practice
– local back-tracing is assumed for the following conclusions
Source-hiding Property
• Source-hiding property with parameter
Measure for sender-anonymity
The observer cannot link any message to a sender with a probability greater than .
,kRk
P
Destination-hiding Property
• Destination-hiding property with parameter
Measure for recipient-anonymity
The observer cannot link any sender to a message with a probability greater than .
,jSj
P
MIN/MAX Property I.
• MIN/MAX property with parameters min, max
Senders don’t send messages at their own discretion; they have to follow rules.
No sender sends a message within min time and all senders send a message in max time.
MIN/MAX Property II.
• Upper limit can be given to the confidence of the observer:
– message invariant
– depends only on the parameters of the channel and on min, max
max
maxmax
min
minmin
1 1
1 1,
)(min||
)(maxˆ
i iqi
i iqi
qfS
qfPP
k
Problem
• Source-hiding property can be guaranteed
– oblige senders to send messages according to rules
– MIN/MAX property
• Destination-hiding property cannot be guaranteed
– recipients cannot be obliged to receive messages according to rules
Optimum
• The observer can only choose randomly from the possible senders
• Uniform distribution for the delay
• With MIN/MAX property independent from actual message distribution:
,
,,
,
max
k
lkl
k
ssP
min
max
max
min, ||||
ˆ
SSPP
k
Global Optimum
• With MIN/MAX property if min = max
• The observer has to choose randomly from all the senders
• No additional information is gained with the observation
||
1ˆ, S
PPk
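Added example (not part of the original slides): local back-tracing and the source-hiding measure, run on a constructed observation to compare a uniform delay with a peaked one and to show the effect of a sender not following a sending rule. It assumes the observer's confidence is each candidate's delay density f(delivery time - send time), normalised over all candidates; all function names and sample times are hypothetical.

```python
from collections import defaultdict

def uniform_delay(d_min, d_max):
    """Uniform delay density on [d_min, d_max]."""
    return lambda d: 1.0 / (d_max - d_min) if d_min <= d <= d_max else 0.0

def triangular_delay(d_min, d_max):
    """Peaked delay density on [d_min, d_max] with its mode at the midpoint."""
    mid, half = (d_min + d_max) / 2, (d_max - d_min) / 2
    return lambda d: max(0.0, 1 - abs(d - mid) / half) / half

def local_backtrace(sent, t_delivered, f):
    """Observer's confidence, per sender, for one delivered message.

    sent: observed (sender, send_time) pairs; f: the known delay density.
    Each sent message is weighted by f(delivery time - send time) and the
    weights are normalised over all candidates (assumed form, see lead-in).
    """
    weight = defaultdict(float)
    for sender, t_sent in sent:
        weight[sender] += f(t_delivered - t_sent)
    total = sum(weight.values())
    # Senders with zero weight are impossible sources and are left out.
    return {s: w / total for s, w in weight.items() if w > 0}

def source_hiding_parameter(sent, deliveries, f):
    """Largest confidence over all delivered messages: the smallest bound
    for which the source-hiding property holds on this observation."""
    return max(max(local_backtrace(sent, t, f).values(), default=0.0)
               for t in deliveries)

# Constructed observation: four senders, delays between 1 and 5 time units.
SENT = [("A", 0.0), ("B", 1.0), ("C", 2.0), ("D", 3.0)]
DELIVERIES = [4.0, 5.0]
# Same observation, but sender A sends twice in quick succession.
SENT_BURST = SENT + [("A", 0.5)]

if __name__ == "__main__":
    for name, f in (("uniform", uniform_delay(1, 5)),
                    ("triangular", triangular_delay(1, 5))):
        print(name, source_hiding_parameter(SENT, DELIVERIES, f))
    print("burst:", local_backtrace(SENT_BURST, 5.0, uniform_delay(1, 5)))
```

With the uniform delay the observer's best guess is 1 in 4, one over the number of senders; the peaked delay and the burst from sender A both raise it.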
Conclusions
• Model of the PROB-channel
• Confidence of the observer
• Source-hiding property
– measure for sender-anonymity
• Destination-hiding property
– measure for recipient anonymity
• MIN/MAX property
– method for limiting confidence of the observer
Research Plans
• Open the black-box channel
– move to a distributed system (graph consisting of nodes)
– messages can be created and dropped
• Active adversary
– can drop messages
– can block messages
– can delay or reorder messages