Provable Protocols for Unlinkability - PowerPoint PPT Presentation

1
Provable Protocols for Unlinkability
  • Ron Berman, Amos Fiat, Amnon Ta-Shma
  • Tel Aviv University

2
Unlinkability
  • S Set of message initiators
  • T Set of message recipients
  • Every s ∈ S sends a message to some t ∈ T and
    may request a response
  • Goal Prevent adversary from knowing who is
    talking to whom
  • Adversary may control all nodes in T and many
    other nodes and links in the network

3
The model
  • A complete graph of N nodes
  • The adversary is capable of eavesdropping on
    almost all links; an ε fraction of the links are
    honest
  • The adversary may also control almost all nodes,
    subject to the above
  • A public key infrastructure is in place
  • A set S of M nodes wishes to send unlinkable
    two-way communications to a set T of M nodes
  • The adversary is adaptive but not malicious,
    i.e., the adversary cannot corrupt or discard
    messages.

4
Prior Work
  • Seminal Papers of David Chaum, 1979, 1981
  • Reduction to Traffic Analysis (Onion Routing)
  • Chaumian Mixes
  • Literally dozens (hundreds?) of papers since,
    dedicated conferences, etc., etc.
  • Many implementations
  • Typical paper:
      • Attack on prior protocol(s)
      • Suggest new protocol
      • Repeat
  • Very few attempts to give rigorous definitions,
    let alone proofs
  • Notable exception Rackoff and Simon, 1993

5
General Structure: Chaumian Mixes
  • Choose a random path and send message along path
  • Hope for sufficiently many collisions along path
  • If N nodes, and polylog(N) length path, then
    essentially need all nodes to send messages
  • Does not matter how many nodes actually want to
    send messages, many dummy messages required.

Many attacks, countermeasures, counterattacks,
counter-countermeasures, etc.
6
Chaum's reduction to traffic analysis: Onion
Routing
Note: messages are the same length
7
Prior work: Chaumian Mixes
Honest nodes are used to prevent adversary from
knowing how messages were routed A to C, A to
C, or A to C, A to C.
8
Our Results
  • New definitions of unlinkability based on
    information theory
  • Prove equivalence to Rackoff-Simon definitions
  • Prove that a suitable modification of Chaum's
    original protocol is secure
  • Argue that many previous informal arguments
    must be wrong
  • Improve (?) on Rackoff-Simon in many ways:
      • Adaptive adversary, allow arbitrary prior
        knowledge
      • No secure computation
      • Much, much simpler
      • Much more efficient: no need to flood the
        network with dummy messages
      • Weaker attack model (not all links are under
        adversary control) (new definition of "improve")

9
Only Traffic Analysis
  • We will simply assume during this talk that the
    adversary cannot do anything except eavesdrop
    on traffic
  • An adversary-controlled link reports on all
    traffic through the link
  • An adversary-controlled node reports on all
    traffic through the node and how routing was done

10
How to define Unlinkability
  • π: random variable, a permutation from S to T,
    which may be drawn from an arbitrary prior
    distribution
  • C: random variable giving everything the
    adversary learns during the communications

11
How to define Unlinkability
  • Rackoff and Simon
  • Let n be a security parameter, C and π as
    before

(We're ignoring the issue of computational
indistinguishability in this talk.) (RS only
allow the uniform prior distribution.)
12
Other Definitions (Equivalent)
We need the following observation to prove these
equivalences, 0 a 1
Is this new? Seems unlikely.
13
Why use I(AB) rather than 1?
  • I(AB) is monotonic

1 is not monotonic (the little birdy principle
does not work)
The intuition: the closer to the prior, B, the
less information the adversary has
  • Let A be a random variable giving the number of
    heads in 10 coin tosses
  • Let B be the binomial distribution for the number
    of heads in 10 coin tosses
  • Let C be a random variable giving the number of
    heads in the first coin toss
  • Let D be a random variable giving the number of
    heads in the 2nd coin toss
14
The little Birdy Principle
  • Richard M. Karp (1988)
  • Revealing more information to the adversary only
    makes his/her life easier
  • Certainly true in the context of computational
    complexity
  • Is this true in the context of unlinkability?
  • Depends on the definition of unlinkability
  • Many previous papers implicitly make use of the
    little birdy principle in informal arguments
  • Does not hold for the Rackoff-Simon definitions

15
How could this possibly be?
  • The little birdy principle must hold, it's
    obvious, isn't it?
  • Actually, in some form it does hold, it holds on
    average
  • The reason that it does not always hold is that
    in some circumstances, revealing more information
    (selected information), only confuses the
    adversary
  • There must be a good political joke here
    somewhere, but I could not figure it out

16
How to prove unlinkability
  • Define Protocol
  • Define Obscurant Network
  • Construct Obscurant Networks
  • Search for Obscurant Network embedding within
    execution of protocol (Uses Little Birdy
    Principle)
  • Extend result to allow prior information: use
    protocol folding (uses Little Birdy Principle)

17
The protocol
  • Nodes wishing to send messages (and only nodes
    wishing to send messages)
  • Choose a random path of length polylog(N)
  • Use Chaum's onion routing to send and receive
    messages along this path

18
Silly, isn't it?
  • If only 100 messages are initiated, and there are
    10^6 nodes in the network, there will be no
    collisions
  • If the adversary controls all links then the
    adversary knows exactly who is talking to whom
  • Change attack model: adversary controls all but an
    arbitrarily small constant fraction of the links

19
The protocol
20
Introducing ambiguity via links
A crossover structure of honest links introduces
ambiguity
21
Obscurant Networks
  • A network with crossover switches such that a
    pebble placed on the inputs, and setting all
    crossovers uniformly at random, will result in a
    uniform distribution over the outputs
  • Example: Butterfly network
  • Important: an obscurant network does not obscure
    permutations
  • What about non-powers of 2?

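As an added illustration (this code is not from the talk), the butterfly network of the slide above simulated in Python: every crossover switch is set uniformly at random, and exhaustive enumeration of all switch settings checks both claims, that a single pebble lands on each of the n outputs with probability exactly 1/n, and that the network can realise far fewer than n! output permutations, so it does not obscure permutations. The function names and the (stage bit, lo, hi) switch encoding are my own assumptions.

```python
# Added example (not from the talk): simulate the butterfly obscurant network
# and check its two properties by exhaustive enumeration of switch settings.
from collections import Counter
from itertools import product
from math import factorial

def butterfly_switches(n):
    """Crossover switches (bit, lo, hi) of an n-input butterfly network, n a
    power of two; the switches at stage `bit` join positions differing in that bit."""
    assert n > 0 and n & (n - 1) == 0, "n must be a power of two"
    switches = []
    bit = 1
    while bit < n:
        switches += [(bit, lo, lo | bit) for lo in range(n) if not lo & bit]
        bit <<= 1
    return switches

def route(n, switches, setting):
    """Output permutation for one switch setting (one 0/1 per switch, 1 = crossed):
    result[i] is where a pebble placed on input i ends up."""
    pos = list(range(n))                     # pos[i]: current position of pebble i
    for (_, lo, hi), crossed in zip(switches, setting):
        if crossed:                          # a crossed switch swaps its two wires
            pos = [hi if p == lo else lo if p == hi else p for p in pos]
    return tuple(pos)

def all_settings(n):
    switches = butterfly_switches(n)
    return switches, product((0, 1), repeat=len(switches))

def pebble_distribution(n, src):
    """Distribution over outputs of a pebble on input src when every crossover is
    set uniformly at random (computed exactly, no sampling)."""
    switches, settings = all_settings(n)
    counts = Counter(route(n, switches, s)[src] for s in settings)
    total = 2 ** len(switches)
    return {out: c / total for out, c in sorted(counts.items())}

def is_single_pebble_obscurant(n):
    """True if every input's pebble is uniform over the n outputs."""
    return all(pebble_distribution(n, src) == {o: 1 / n for o in range(n)}
               for src in range(n))

def distinct_permutations(n):
    """How many different output permutations the network can realise at all;
    compare with factorial(n) to see that permutations are not obscured."""
    switches, settings = all_settings(n)
    return len({route(n, switches, s) for s in settings})
```

For n = 8 there are 12 switches, so at most 2^12 = 4096 permutations are reachable out of 8! = 40320, even though each pebble on its own is perfectly uniform.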
22
Obscurant Networks of all sizes
Uniformly at random for these nodes
Uniformly at random for these nodes
Average the probability mass
23
Do permutation obscurant networks exist??
  • Don't know, open problem.
  • Don't you need a permutation obscurant network??
  • Yes and no: what we actually find are repeated
    embeddings of single-pebble obscurant networks

24
A combinatorial lemma (N. Alon, FOCS 2001)
  • Given a graph with a constant fraction, f, of the
    total edges
  • Choose 4 nodes at random
  • A crossover network will connect them with
    probability f^4
  • f is the fraction of honest edges

25
Strategy
  • Reveal all links used in every 2nd layer, this is
    to make pairs of layers independent choices of
    four nodes
  • For a sufficiently long set of paths, find an
    obscurant network in the execution of the
    protocol
  • Reveal all other edges
  • This revelation should not harm the protocol
    (requires some effort)

26
Strategy (continued)
  • How do we move from single pebble obscurant to
    unlinkable?
  • Reveal the jth path (as a proof technique!!) to
    argue about the others

27
Dealing with Prior Information
Reveal to the adversary the relationship between
layer i and layer 6-i
28
Dealing with Prior Information: Folding the
Network upon itself
29
Completing the Argument: Prior Information
Because the distributions
(Choose the last T-1 levels at random, and fill
in the 1st level to get the permutation)
Given the middle permutation, and c2 ∈ C2, we can
compute p, thus the data processing inequality
holds