A Practical Complexity-Theoretic Analysis of Mix Systems Vinh Pham 1 - - PowerPoint PPT Presentation

A Practical Complexity-Theoretic Analysis of Mix Systems

Vinh Pham1, Joss Wright2, Dogan Kesdogan1

Siegen University, Germany1, University of Oxford, United Kingdom2

1/13

Motivation

Anonymity definition [Pfitzmann & K¨

• hntop 2010]:

Anonymity of a subject means that the subject is not sufficiently identifiable within a set of subjects, the anonymity set. Subject s1 s2 s3 Attributes a4 a2 a5

• Anon. Set

s1 s2 s3 Attributes a4 a2 a5 How strong is the concept of anonymity sets if: a subject is associated to a fixed set of attributes HA and a subject and its attributes a ∈ HA are repeatedly observed?

2/13

Simple Mix and Attacker Model

Sender set S Recipient set R S′ R′ s6 s3 s1 s8 s5 s4 r2 r5 r9 r1 r3

Mix

Global passive attacker (1) Information leakage per round is (S′, R′): Sender set: S (can be equal R) Recipient set: R = {r1, . . . , rN}, where |R| = N Sender anonymity set: S′ ⊂ S, where |S′| = b is batch size Receiver set: R′ ⊂ R, where |R′| ≤ b

3/13

Attacker Model

(2) Alice repeatedly contacts a fixed set of recipients: Alice’s peer set: HA = {a1, . . . , am}, ai ∈ R and m = |HA| Alice’s peer: If r ∈ HA, also reffered by variable a Peer: Any receiver r ∈ R of a receiver set R′

4/13

Attacker Model

(2) Alice repeatedly contacts a fixed set of recipients: Alice’s peer set: HA = {a1, . . . , am}, ai ∈ R and m = |HA| Alice’s peer: If r ∈ HA, also reffered by variable a Peer: Any receiver r ∈ R of a receiver set R′

Alice

s2 . . . sb Sender anon. set a r2 . . . rb Observation

Observation: O = {a, r2, . . . , rb}, a set R′ containing Alice’s contacted peer a. (One contact per round to simplify maths.) Observation Set: OS = {O1, . . . , Ot}

4/13

Attacker Model

(2) Alice repeatedly contacts a fixed set of recipients: Alice’s peer set: HA = {a1, . . . , am}, ai ∈ R and m = |HA| Alice’s peer: If r ∈ HA, also reffered by variable a Peer: Any receiver r ∈ R of a receiver set R′

Alice

s2 . . . sb Sender anon. set a r2 . . . rb Observation

Observation: O = {a, r2, . . . , rb}, a set R′ containing Alice’s contacted peer a. (One contact per round to simplify maths.) Observation Set: OS = {O1, . . . , Ot} Intersection attack Goal: Unambiguous identification of Alice’s peer set HA Known: Condition (1) and (2) Unknown: Recipient set size N, batch size b, Number of Alice’s peers m, communication distribution of senders

4/13

Minimal Hitting Set Attack (HS-Attack)

Example: Alice repeatedly contacts two recipients, b = 2, m = 2 R = {1, . . . , 6} HA = {1, 2} Observations: 3 1 O1 4 2 O2 3 2 O3 6 1 O4

Smallest minimal hitting set O1 {3}, {1} O2 {3, 4}, {3, 2}, {1, 4}, {1, 2} O3 {3, 4}, {3, 2}, {1, 2} O4 {1, 2} Maximal number of sets: bm

5/13

Minimal Hitting Set Attack (HS-Attack)

Example: Alice repeatedly contacts two recipients, b = 2, m = 2 R = {1, . . . , 6} HA = {1, 2} Observations: 3 1 O1 4 2 O2 3 2 O3 6 1 O4

Smallest minimal hitting set O1 {3}, {1} O2 {3, 4}, {3, 2}, {1, 4}, {1, 2} O3 {3, 4}, {3, 2}, {1, 2} O4 {1, 2} Maximal number of sets: bm

t i g h t

5/13

Minimal Hitting Set Attack (HS-Attack)

Example: Alice repeatedly contacts two recipients, b = 2, m = 2 R = {1, . . . , 6} HA = {1, 2} Observations: 3 1 O1 4 2 O2 3 2 O3 6 1 O4

Smallest minimal hitting set O1 {3}, {1} O2 {3, 4}, {3, 2}, {1, 4}, {1, 2} O3 {3, 4}, {3, 2}, {1, 2} O4 {1, 2} Maximal number of sets: bm

By collecting observations:

• Prob. of sets H = HA

decreases exponentially

5/13

Minimal Hitting Set Attack (HS-Attack)

Example: Alice repeatedly contacts two recipients, b = 2, m = 2 R = {1, . . . , 6} HA = {1, 2} Observations: 3 1 O1 4 2 O2 3 2 O3 6 1 O4

Smallest minimal hitting set O1 {3}, {1} O2 {3, 4}, {3, 2}, {1, 4}, {1, 2} O3 {3, 4}, {3, 2}, {1, 2} O4 {1, 2} Maximal number of sets: bm

By collecting observations:

• Prob. of sets H = HA

decreases exponentially ⇒ HA will become unique smallest minimal hitting set

5/13

Minimal Hitting Set Attack (HS-Attack)

Example: Alice repeatedly contacts two recipients, b = 2, m = 2 R = {1, . . . , 6} HA = {1, 2} Observations: 3 1 O1 4 2 O2 3 2 O3 6 1 O4

Smallest minimal hitting set O1 {3}, {1} O2 {3, 4}, {3, 2}, {1, 4}, {1, 2} O3 {3, 4}, {3, 2}, {1, 2} O4 {1, 2} Maximal number of sets: bm

By collecting observations:

• Prob. of sets H = HA

decreases exponentially ⇒ HA will become unique smallest minimal hitting set N P

• h

a r d

5/13

Difference to Statistical (Disclosure) Attacks

Succeeds even if other recipients are more frequently observed than Alice’s peers Succeeds in the case of unpredictable distribution of recipients Example: Alice repeatedly contacts two recipients, b = 3, m = 2 HA = {1, 2} Observations: 1 3 6 O1 2 4 7 O2 1 3 5 O3 2 5 6 O4 1 3 4 O5 1 5 4 O6

Peers 1 2 3 4 5 6 7 Freq. 4 2 3 3 3 2 1

6/13

Difference to Statistical (Disclosure) Attacks

Succeeds even if other recipients are more frequently observed than Alice’s peers Succeeds in the case of unpredictable distribution of recipients Example: Alice repeatedly contacts two recipients, b = 3, m = 2 HA = {1, 2} Observations: 1 3 6 O1 2 4 7 O2 1 3 5 O3 2 5 6 O4 1 3 4 O5 1 5 4 O6

Peers 1 2 3 4 5 6 7 Freq. 4 2 3 3 3 2 1 Smallest minimal hitting set O1 {1}, {3}, {6} O2 {1, 2}, {1, 4}, {1, 7}, {2, 3}, {3, 4}, {3, 7}, {2, 6}, {4, 6}, {6, 7} O3 {1, 2}, {1, 4}, {1, 7}, {2, 3}, {3, 4}, {3, 7} O4 {1, 2}, {2, 3} O5 {1, 2}, {2, 3} O6 {1, 2}

6/13

Contribution

Current assumption about HS-attack: Intractable for large values N, b, m, due to solving NP-hard problems (smallest minimal hitting set) Surprises when applying HS-attack: Many non-trivial cases, solvable in polynomial mean time Mean complexity determined by some relation between N, b, m Contribution Mathematical bound of mean time complexity w.r.t. N, b, m Bound applies to non-uniform user communication Identifies Mix settings that are polynomial time breakable

7/13

Estimating Number of Observations Hit by a Set

Hypothesis: H = {

C

• r1, . . . , rx
• x chosen peers

, rx1+1, . . . , rm−i

• (m−x) non-chosen peers

} chosen: C ⊆ H, where all observations hitting C are known non-chosen: Only frequency of each single peer is known Potential: Po(H, C) = |OS[C]|

# obs. hitting C

+

• r∈H\C

|OS[r] \ OS[C]|

• # obs. containing r

Example: Potential of H = {r1, r2, r3} w.r.t. chosen peers

OS[r3] OS[r2] OS[r1] 1 2 1 3 2 2 1

OS = {O1, . . . , O8} OS[r1] = {O1, O2, O3} OS[r2] = {O2, O3, O4, O5} OS[r3] = {O3, O4, O6} C = {} : Po({r1, r2, r3}) = (3 + 4 + 3)

8/13

Estimating Number of Observations Hit by a Set

Hypothesis: H = {

C

• r1, . . . , rx
• x chosen peers

, rx1+1, . . . , rm−i

• (m−x) non-chosen peers

} chosen: C ⊆ H, where all observations hitting C are known non-chosen: Only frequency of each single peer is known Potential: Po(H, C) = |OS[C]|

# obs. hitting C

+

• r∈H\C

|OS[r] \ OS[C]|

• # obs. containing r

Example: Potential of H = {r1, r2, r3} w.r.t. chosen peers

OS[r3] \ OS[r1] OS[r2]\ OS[r1] OS[r1] 1 1 2 1

OS = {O1, . . . , O8} OS[r1] = {O1, O2, O3} OS[r2] = {O2, O3, O4, O5} OS[r3] = {O3, O4, O6} C = {} : Po({r1, r2, r3}) = (3 + 4 + 3) C = {r1} : Po({r1, r2, r3}) = 3 + (2 + 2)

8/13

ExactHS Algorithm

Computes/disproves all hypotheses H recursively within O(bm) Starts with C = {} Adds one suspected peer to C in each recursion level until:

max

H′ Po(H′, C) < |OS|, then all H ⊇ C disproved, or

C hits all observations in OS and is thus a hitting set

Example: b = 2, m = 3, HA = {1, 2, 3} Observations: 4 1 O1 6 1 O2 5 2 O3 4 3 O4 7 3 O5 8 2 O6 Peer choices: Search tree:

(2 + 2 + 2) max

H Po(H, {}) 9/13

ExactHS Algorithm

Computes/disproves all hypotheses H recursively within O(bm) Starts with C = {} Adds one suspected peer to C in each recursion level until:

max

H′ Po(H′, C) < |OS|, then all H ⊇ C disproved, or

C hits all observations in OS and is thus a hitting set

Example: b = 2, m = 3, HA = {1, 2, 3} Observations: 4 1 O1 6 1 O2 5 2 O3 4 3 O4 7 3 O5 8 2 O6 Peer choices:

1 C = {4}

Search tree: 4, 1

(2 + 2 + 2)

9/13

ExactHS Algorithm

Computes/disproves all hypotheses H recursively within O(bm) Starts with C = {} Adds one suspected peer to C in each recursion level until:

max

H′ Po(H′, C) < |OS|, then all H ⊇ C disproved, or

C hits all observations in OS and is thus a hitting set

Example: b = 2, m = 3, HA = {1, 2, 3} Observations: 4 1 O1 6 1 O2 5 2 O3 4 3 O4 7 3 O5 8 2 O6 Peer choices:

1 C = {4}

− Search tree: 4, 1

(2 + 2 + 2) 2 + (2 + 1) max

H Po(H, {4}) 9/13

ExactHS Algorithm

Computes/disproves all hypotheses H recursively within O(bm) Starts with C = {} Adds one suspected peer to C in each recursion level until:

max

H′ Po(H′, C) < |OS|, then all H ⊇ C disproved, or

C hits all observations in OS and is thus a hitting set

Example: b = 2, m = 3, HA = {1, 2, 3} Observations: 4 1 O1 6 1 O2 5 2 O3 4 3 O4 7 3 O5 8 2 O6 Peer choices:

1 C = {4}

− Search tree: 4, 1

(2 + 2 + 2) 2 + (2 + 1)

9/13

ExactHS Algorithm

Computes/disproves all hypotheses H recursively within O(bm) Starts with C = {} Adds one suspected peer to C in each recursion level until:

max

H′ Po(H′, C) < |OS|, then all H ⊇ C disproved, or

C hits all observations in OS and is thus a hitting set

Example: b = 2, m = 3, HA = {1, 2, 3} Observations: 4 1 O1 6 1 O2 5 2 O3 4 3 O4 7 3 O5 8 2 O6 Peer choices:

1 C = {4}

−

2 C = {1}

Search tree: 4, 1

(2 + 2 + 2) 2 + (2 + 1)

9/13

ExactHS Algorithm

Computes/disproves all hypotheses H recursively within O(bm) Starts with C = {} Adds one suspected peer to C in each recursion level until:

max

H′ Po(H′, C) < |OS|, then all H ⊇ C disproved, or

C hits all observations in OS and is thus a hitting set

Example: b = 2, m = 3, HA = {1, 2, 3} Observations: 4 1 O1 6 1 O2 5 2 O3 4 3 O4 7 3 O5 8 2 O6 Peer choices:

1 C = {4}

−

2 C = {1}

Search tree: 4, 1

(2 + 2 + 2) 2 + (2 + 1) 2 + (2 + 2)

9/13

ExactHS Algorithm

Computes/disproves all hypotheses H recursively within O(bm) Starts with C = {} Adds one suspected peer to C in each recursion level until:

max

H′ Po(H′, C) < |OS|, then all H ⊇ C disproved, or

C hits all observations in OS and is thus a hitting set

Example: b = 2, m = 3, HA = {1, 2, 3} Observations: 4 1 O1 6 1 O2 5 2 O3 4 3 O4 7 3 O5 8 2 O6 Peer choices:

1 C = {4}

−

2 C = {1} 1

C = {1, 3}

Search tree: 4, 1

(2 + 2 + 2) 2 + (2 + 1)

4, 3

2 + (2 + 2)

9/13

ExactHS Algorithm

Computes/disproves all hypotheses H recursively within O(bm) Starts with C = {} Adds one suspected peer to C in each recursion level until:

max

H′ Po(H′, C) < |OS|, then all H ⊇ C disproved, or

C hits all observations in OS and is thus a hitting set

Example: b = 2, m = 3, HA = {1, 2, 3} Observations: 4 1 O1 6 1 O2 5 2 O3 4 3 O4 7 3 O5 8 2 O6 Peer choices:

1 C = {4}

−

2 C = {1} 1

C = {1, 3}

Search tree: 4, 1

(2 + 2 + 2) 2 + (2 + 1)

4, 3

2 + (2 + 2) 4 + (2)

9/13

ExactHS Algorithm

Computes/disproves all hypotheses H recursively within O(bm) Starts with C = {} Adds one suspected peer to C in each recursion level until:

max

H′ Po(H′, C) < |OS|, then all H ⊇ C disproved, or

C hits all observations in OS and is thus a hitting set

Example: b = 2, m = 3, HA = {1, 2, 3} Observations: 4 1 O1 6 1 O2 5 2 O3 4 3 O4 7 3 O5 8 2 O6 Peer choices:

1 C = {4}

−

2 C = {1} 1

C = {1, 3}

1

C = {1, 3, 2} +

Search tree: 4, 1

(2 + 2 + 2) 2 + (2 + 1)

4, 3

2 + (2 + 2)

5, 2

4 + (2)

9/13

ExactHS Algorithm

Computes/disproves all hypotheses H recursively within O(bm) Starts with C = {} Adds one suspected peer to C in each recursion level until:

max

H′ Po(H′, C) < |OS|, then all H ⊇ C disproved, or

C hits all observations in OS and is thus a hitting set

Example: b = 2, m = 3, HA = {1, 2, 3} Observations: 4 1 O1 6 1 O2 5 2 O3 4 3 O4 7 3 O5 8 2 O6 Peer choices:

1 C = {4}

−

2 C = {1} 1

C = {1, 3}

1

C = {1, 3, 2} +

Search tree: 4, 1

(2 + 2 + 2) 2 + (2 + 1)

4, 3

2 + (2 + 2)

5, 2

4 + (1)

9/13

Mean Time Complexity

Number of peer choices to disprove H: Mean Difference: ED(H, C) = E(Po(H, C) − |OS|) Mean peer choices: xw = max

H=HA{|C| | C ⊆ H, ED(H, C) = 0}

Probability that a peer is contacted in an observation by: Alice: PA = 1/m, where peer is Alice’s peer (b − 1) others: PN = 1 − (1 − 1/N)b−1 ≈ (b − 1)/N Mean worst case number of computed hypotheses b xw

• m− 1

2 −

• 1

PN −m+ 1 4

Mean time complexity ranges: Linear: If non-peers are contacted with prob. PN ≈ 1/m2 Exponential: If non-peers are contacted with prob. PN ≈ 1/m

10/13

Mean Time Complexity - Theory vs. Simulation

Simulation parameters: N, b, m selected, so that xw = 2, where xw is: m−1 2−

• N

b − 1 − m + 1 4 Predicted mean time complexity O(b2) ExactHS recursion depth: # peer choices for disproofs ≈ 2, even for large values of b, m → O(b2) Mean time compl.

11/13

Conclusion

Summary: HS-attack, a baseline metric for exact identification of a sender’s recipients Intractable in worst case, but feasible in many realistic cases (Mean runtime) formula enables to adjust the Mix’s strength Open questions towards countermeasures: Robustness of HS-attack with respect to dummy traffic and with respect to incomplete observations

12/13

Finish!

13/13