BianFu: Providing Guaranteed Anonymity Using Token Ring Routing. Matt Spear David Evans

BianFu: Providing Guaranteed Anonymity Using Token Ring Routing.

Matt SpearDavid Evans

信息論匿名信息論匿名XìnXī Lùn NìMíngXìnXī Lùn NìMíng

(Information Theoretical (Information Theoretical Anonymity)Anonymity)

Provides a method that defines anonymity concretely using methods of entropy from IT.

Defines Nodes as one of: SendersSenders The nodes who send or have the ability to

send messages ReceiversReceivers The nodes who receive the messages

(passive or active (reply))MixesMixes Input a message and output a message so that

the new message is uncorrelatable with the original message

Defines Attackers as: Internal/ExternalInternal/External The attacker, if internal, controls the

actions of one or more nodes, external can only compromise communication channels

Passive/ActivePassive/Active A passive attacker can only listen to messages and cannot modify, add, or remove them; otherwise he is active

Local/GlobalLocal/Global A global attacker has access to all channels of the network; local attackers have access to part of the network





Degree Of Anonymity: Let , i.e. the probability that nodei sent

the message. Define the entropy associated

with the set. Define the maximum anonymity as The degree of anonymity is then

Trivially for one user d 0, and for perfect anonymity

d lg(N)

人群人群RénQún RénQún (Crowds)(Crowds)

System to give anonymity by being “a member of a crowd”

The message is forwarded through random nodes

On receiving a message, a node forwards it to the destination with probability (1 – pf) and to another node with probability pf

Attacker is assumed to be Internal/Passive/LocalInternal/Passive/Local

Assume N nodes and C corrupt nodes (C < N - 2)


Node0 ((0)) sends a message to (blue):

0

1

2

3

4

7

6

5


1. (0) chooses randomly a node to forward to (3).

0

1

2

3

4

7

6

5




2. (3) flips biased coin and forwards to (7)

0

1

2

3

4

7

6

5





3. (7) flips its biased coin and forwards to (5)

0

1

2

3

4

7

6

5





3. (7) flips its biased coin and forwards to (5)

4. (5) flips its biased coin and forwards to (blue)

0

1

2

3

4

7

6

5



The maximum anonymity is: HM lg(N - C)

Probability assigned to predecessor of first node in C is:

Probability to other nodes not in C is:

Therefore H(X) is:

d maximally equals 1 iff the message passes through no nodes existing in C, otherwise depends on C, N and pf, see [2] for graphs.

進餐譯解密碼者進餐譯解密碼者JìnCān YìJiěMìMǎZhěJìnCān YìJiěMìMǎZhě

(Dining Cryptographers)(Dining Cryptographers) A method to guarantee sender and receiver anonymity

Kind of like the Dining Philosophers; given N cryptographers sitting at a table one wishes to pay without revealing whom is paying against any attacker

Is impractical as the number of bits required to send a single bit anonymously grows linearly with N


(Dining Cryptographers)(Dining Cryptographers) 3 Player DC description:

Each node chooses a random bit and reveals it securely to his left neighbor (so that no others see the bit)

Each diner announces the XOR of their bits

The diner that is paying lies and announces the XNOR of the bits

Nobody can tell who is paying, only that one of the two others is paying


(Dining Cryptographers)(Dining Cryptographers) From FBI’s View:

FBI reveals 1 to Jefferson

FBI sees 1 from Washington

1 1


(Dining Cryptographers)(Dining Cryptographers)

1

From FBI’s View:



FBI cannot tell who is lying without seeing shared secret coin flip

1

01

1



1

From FBI’s View:




1

0

1

Payer

1



1

From FBI’s View:




1

0

0

Payer


(Dining Cryptographers)(Dining Cryptographers) Generalizable to N diners

Problems:

Requires pairwise secure channels between all users

Requires many messages to be exchanged

Requires secure RNG for the bits

The degree of anonymity is trivially 1 as long as C < N - 2

令牌环令牌环Lìng Pái HuánLìng Pái Huán(Token Ring)(Token Ring)

0

1

2

3

4

7

6

5

r tokens exist on a ring

A node can add a message to a token iff it is empty

The tokens are passed from (0)…(7)(0)

Advantages: global attacker cannot tell initiator of message, all nodes do the same amount of work

单蝙蝠单蝙蝠Dān BiānFúDān BiānFú

(Single BianFu)(Single BianFu) Arrange nodes into a token ring such that each node

has a symmetric key (SK) with its predecessor and successor and knows all other nodes’ public key (PK).

To send a message, a node encrypts the message with the receiver’s PK and adds it to the token.

Each node decrypts the token and determines if there is a message (if it is addressed to them)

As all messages are encrypted, and an encryption looks like a random string; no node can tell if there is a message unless it is addressed to them

0

1

2

3

4

7

6

5


(Single BianFu)(Single BianFu) (0) Sends a message to (2):

1. (0) Creates message E2(M)

Random

0

1

2

3

4

7

6

5




2. (0) Adds message E1(E2(M)) to token

E2(M)

0

1

2

3

4

7

6

5





3. (1) Sees E2(M) and has no messages so forwards the token (E2(E2(M)))

E2(M)

0

1

2

3

4

7

6

5





3. (1) Sees E2(M) and has no messages so forwards the token (E2(E2(M)))

4. (2) Sees E2(M) and tries its PK and sees M but has no idea who sent it.

M


(Single BianFu)(Single BianFu) A global passive eavesdropper has no knowledge of if

there is a message and cannot therefore tell who initiated a message, i.e. d HM 1

A local passive eavesdropper has no knowledge of who initiated a message as it is equally likely to have come from any node (pi 1/N), again d 1

A global internal attacker has the same knowledge as a local passive eavesdropper.

Simple concept yielding perfect anonymity

Problems with simple 单蝙蝠 :

Collisions grow exponentially with N (1 - paddMsg)N/2

Adding a mechanism to support replies requires either sacrificing Sender anonymity against the receiver or generating a random SK (latter is not a big problem)

Delay grows linearly with N (i.e. the average length is N/2 and for large N this is impractical)

倍数蝙蝠倍数蝙蝠BèiShù BiānFú BèiShù BiānFú

(Multiple BianFu)(Multiple BianFu)


(Multiple BianFu)(Multiple BianFu) Keep the individual rings small by having multiple

rings that are a small fixed size (X nodes/ring)

Disable collisions by reserving a bucket for each node in the token (sender-segregated), i.e. [(0),(1),…,(X)]

Arrange each node to belong to k of these rings

All nodes know the PK of all other nodes and know the shortest path to any nodes, SK with nodes in its ring

Each ring has r tokens

Connecting nodes relay messages between rings


(Multiple BianFu)(Multiple BianFu) To send a message, a node encrypts with the SK the

destination ring of the final node and the PK encrypted message, Ei(a,Ed(M)).

Nodes receiving a message containing a forward address, look up the path to the destination and forward the message encrypting it with SK, if needed

The receiver will have no knowledge of the sender if the path length (L) is greater than or equal to 2

SK for small rings is preferable due to the high cost of PK operations


(Multiple BianFu)(Multiple BianFu) To allow the receiver to reply to the sender, the sender

simply includes a one time use SK, EDest(Rid,SKInit,Dest,M)

The sender must be sure to use the same ring id for each message to the receiver, otherwise it will decrease its entropy (anonymity)



0

1

23

4

8

56

7

(1) wishes to send a message to (5):

1. (1) Creates a message E4(B,E5(A,SK5,1,M))

2. (1) Adds it to the token and forwards it

AABB

E4(B,E5(A,SK5,2,M)) 20 43



0

1

23

4

8

56

7


1. (2) Receives the token and sees no messages for it, trying all with its PK and each with the SK it shares

2. (2) Forwards the token

AABB

E4(B,E5(A,SK5,2,M)) 20 43



0

1

23

4

8

56

7


1. (3) Receives the token and sees no messages for it, trying all with its PK and each with the SK it shares


AABB

E4(B,E5(A,SK5,2,M)) 20 43



0

1

23

4

8

56

7


1. (4) Sees there is a “route” message and forwards it to ring B (as B is destination (4) doesn’t encrypt with SK)

AABB

E4(B,E5(A,SK5,2,M)) 20 43



0

1

23

4

8

56

7


1. (4) Adds the message to the token for B


AABB

E5(A,SK5,2,M) 65 7 8



0

1

23

4

8

56

7


1. (5) Receives the token and checks for messages using its PK

2. (5) Receives M, the initiating ring id, and the SK it shares with (2) unknowing of who it shares it with

AABB

E5(A,SK5,2,M) 65 7 8


(Multiple BianFu)(Multiple BianFu) d 1 if C < k (X - 1), otherwise d 0 !

Say (i) receives the token from (i-1) and (i) somehow knows there is a message (he can be in communication with the final recipient) but as (i-1) belongs to k rings (i-1) could be forwarding a message from any of the k rings that (i-1) belongs to; each node, as in 单蝙蝠 , has a probability of 1/(N-C): as it is impossible for any node other than node (i-1) to know if (i-1) is forwarding a message or initiating his own

締結締結DìJiéDìJié

(Conclusion)(Conclusion) 蝙蝠 has the benefits of DC-Net (i.e. guaranteed

perfect anonymity) with a much lower cost of operation

Has the same requirement as in Crowds that the “route” should be constant (i.e. the ring id the node uses for its messages should be constant)

Am working on a network simulator to provide some test data

ReferencesReferences

Andrei Serjantov, George Danezis. Towards an Information Theoretic Metric for Anonymity.

Claudia Diaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity.

Michael K. Reiter and Aviel D. Rubin. Crowds: anonymity for Web transactions.

David Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability.

Documents

BianFu: Providing Guaranteed Anonymity Using Token Ring Routing. Matt Spear David Evans