Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Beyond Tor:Mix Networking
Harry [email protected]@inria.fr Many slides from Claudia Diaz (KUL)
What is Anonymity?
NEXTLEAP
Encryption is not Privacy
Encryption only protects the content of a message
Metadata: Who is talking to whom and when
Metadata is not proteted by encryption.
Mixnets -
Privacy properties
• Anonymity – Anonymous sender: receiver doesn’t know who
sent – Anonymous receiver: can be reached, or replied
to, anonymously – Anonymity towards third parties
• Unlinkability: concealing relationship between two or more actions or pieces of data (generalisation of anonymity)
• Unobservability: hides participation and volume of traffic
How to measure anonymity?
• Number of subjects in the anonymity set (possibilistic approach)– what if not all of them appear to
be the target with equal likelihood?
• Probability assigned to a subject– worst case: user with highest
probability is chosen as sender/receiver (u4)
• Anonymity depends on both:– The number of subjects in the
anonymity set– The probability of each subject in
the anonymity set being the target
Anonymity Set
p4p3p2p1
u1
u2
u3
u4
Information-theoretic anonymity metrics
• Entropy: – Quantifies the expected value of the information
contained in a message.– Measure of the “uncertainty” or “average
unpredictability” in a random variable• Increases with number N of possible values and
with the uniformity of the distribution
• Distribution with entropy H equivalent to uniform distribution with 2H subjects
• Other information theoretic metrics: min-entropy, max-entropy, Rényi entropy, relative entropy, mutual information, ....
• A similar approach can be taken to measure unlinkability
i
N
ii ppH 2
1
log
Limitations of entropy metrics
• Average measure– what about worst case? min entropy– Either optimise for average or for worst case
(different results)
• How to compute the posterior distribution in complex systems?
• Result per message in one run of the system. What about repeated uses of the system (long-term patterns)?
Mixes
NEXTLEAP
Mixnets
Chaumian Mix (Chaum 1982)
• “Security without identification: transaction systems to make big brother obsolete”
• Mix: Proxy for anonymous email
• Goal: an adversary observing the input and output of the mix is not able to relate input messages to output messages– Bitwise unlinkability
• The mix performs a decryption on input messages• Input/output of the mix cannot be correlated based on
content or size– Prevent traffic analysis based on message I/O
order and timing• Achieved by batching messages
• Several mixes could be chained to distribute trust:– Sender → Mix1 : {Mix2, {Rec, msg}KMix2
}KMix1
Chaumian Mix (Chaum 1982)• Phase 1: collect inputs• Parameter T (threshold): T=4 in example
Mix
Chaumian Mix (Chaum 1982)• Phase 2: mix and flush
Mix
Variants
• Timed mix– Flush periodically, every T time units, regardless of
how many messages have arrived
• Optional flushing conditions– Example: flush only if a minimum number of
messages has been received
Pool mixes• Keep messages in an internal pool between
rounds• What do we gain?
– Improve anonymity for the same mean latency– at the cost of variance
Threshold = 4, Pool = 2
Pool mixing
• Pool mixing: increased anonymity wrt Chaumian mixes
Generalised pool mix model• Flushing condition: timer, threshold, other
event• Pool selection algorithm can be
– Dependent on traffic– Deterministic or binomial (coin flip per message)
• Example: Mixmaster
Stop-and-Go mixes (Kesdogan 1998)
• Reordering strategy based on independently delaying each message
– Anonymity level depends on volume of traffic– In threshold and pool mixes, it is the delay
that depends on the volume of traffic• Delays generated by the user from an
Exponential distribution• Timestamping to prevent active attacks
(eg., blending attacks)
Comparison: MixMaster vs Reliable(real traffic)
• MixMaster: pool mix• Reliable: SG-mix (adaptive delay
implemented
500 min = 0.3x108 ms
Don’t do this !!!
Statistical disclosure attacks• Assumptions:
– Alice has persistent communication relationships (she communicates repeatedly with her friends)
– Large population of senders, and a different subset mixes their messages with hers in each round
• Method:– Combine many observations (looking at who receives when Alice
sends)
Anonymity system
Bob
Charlie
David
Ed
Fanny
Blending (n-1) attacks1. Empty the mix from legitimate messages2. Let the target message into the mix3. Fill the mix with attacker-generated
messages, while preventing other legitimate messages from entering the mix
Blending (n-1) attacks4. At the time of flushing the adversary
recognizes his own messages. The unknown message is the target
• Variants of this attack break the anonymity the other types of mixes
• The effects of the attack can be mitigated with randomization and dummy traffic
Mix
Verifiable mixing (integrity)
• Mixes can be used for implementing e-voting schemes
• In e-voting applications, it is important to make sure that1. Votes are anonymous 2. All votes are counted
• N-1 and intersection attacks hard to deploy in e-voting scenarios
• Mixes must prove that the outputs are a permutation of the (cryptographically transformed) inputs
• Whole body of research to attempt to create mix systems that are:– Robust against malicious servers that fail to
deliver some votes– No entity learns anything except for the
vote tally– Provide universal verifiability (correctness of
the tally)– Provide receipt-freeness to prevent
coercion/selling of votes
Comparison mixes
• Threshold– Latency dependent on traffic– Deterministic anonymity (per message, against
passive attacks)– Very vulnerable to fast n-1 attacks– Can include verification of shuffle
• Timed– Anonymity dependent on traffic– Deterministic latency– N-1 attacks require only delaying/dropping
legitimate messages, not generating messages– Can include verification of shuffle
• Pool– Tunable tradeoff anonymity-latency-volume of
traffic– Guaranteed lower bound for anonymity (against
passive attacks)– Increased variance of latency (and anonymity)– Both long-term disclosure and n-1 attacks are
harder to deploy– Verification of shuffle/integrity possible?
• SG-mix – Anonymity dependent on traffic– Predictable latency (chosen by user)– N-1 attacks require only delaying/dropping
legitimate messages, not generating messages– Verification of shuffle/integrity possible?
Mix Networks
NEXTLEAP
Mix Networks
Distribute trust to avoid single points of failure
Route messages through multiple mixes, to provide anonymity even if some mixes are compromised
Anonymous Routing characteristics
Network topologies
• Evaluation through simulations– Same (average) traffic load per node– Same traffic load for the network as a whole
• Input: real Tor traces– Packet timestamp per circuit (bi-directional)
Comparing Topologies• Anonymity loss: difference with maximum
achievable (log2 N , where N is the total number of circuits in the network). Overhead factor: number of dummy packets generated per real packet
Why Free Routes provide worse anonymity than Stratified
• In stratified topologies, a node is always in the same position for all the circuits it routes
• Result: messages always “mix” in all routers
to node 1
to node 2 or 3
from node 3
from node 1 or 2
In free routes, two messages may pass by the same router and not be “mixed”
Packets
NEXTLEAP
Sending Messages through a mixnet
Mixnets -
We could send Zcash transactions to a blockchain
Sphinx Packet Format for Mix-Nets Unlinkability, resistance to active attacks, indistinguishable replies, no leakage of path length
Mixnetworks -
Also used by Lightning NetworkGeorge Danezis, Ian Goldberg: Sphinx: A Compact and Provably Secure Mix Format. IEEE Symposium on Security and Privacy 2009: 269-282
Dummy traffic• Fake messages introduced to confuse the
attacker• Undistinguishable from real traffic
• Neccessary for unobservability• Increase anonymity
– Though it is unclear how to model/measure it• Dummies can be used to detect n-1 attacks:
Heartbeat Traffic• Dummy traffic is expensive (bandwidth)
– Unclear how to use it in an optimal way
Dummy traffic design
• Generated by users and/or by mixes?• Routing of dummies?• Destination? (self, mix or other user)• Frequency of generation? Deterministic or
random?• Dependent on / independent of real traffic?• Higher order correlations? (e.g., replies to
simulate “conversations”)• …
Summary
• Use-cases Messaging (email/IM) Voting Cryptocurrency
• Design choices: – Type of mix – Routing protocol– Network topology– Dummy traffic
Summary
• Impact on:– Adversary models that the system is secure
against– Security properties: anonymity, unobservability,
etc. – Real-world networking properties: performance,
scalability, etc.• Some open issues:
– Impact of user communication behavior– Optimal dummy traffic strategies– Better anonymity metrics/testing for comparing
systems?– Can we get proofs (see UC treatment of “Privacy-
preserving e-mail” in Asiacrypt 2018) – Do we bother verifying shuffling/mixing?
Questions?- See mailing list and Katzenpost specs,- mixnetworks.org
- panoramix-project.eu
Meskio/Harry [email protected]@inria.fr
MIT SocioTechnical Research Center