Anonymity Networks Laslo Hunhold Mathematisches Institut - - PowerPoint PPT Presentation

Anonymity Networks

Laslo Hunhold

Mathematisches Institut Universität zu Köln

27th July 2017

In the lecture ‘Information Theory and Statistical Physics’ by Prof. Dr. Johannes Berg

motivation

motivation

◮ hide initiator of a message in a computer network

motivation

◮ hide initiator of a message in a computer network ◮ safe whistleblowing under corporate and state surveillance

motivation

◮ hide initiator of a message in a computer network ◮ safe whistleblowing under corporate and state surveillance ◮ ‘deniable communication’

motivation

◮ hide initiator of a message in a computer network ◮ safe whistleblowing under corporate and state surveillance ◮ ‘deniable communication’ ◮ decentralized

idea

idea

node network participant link possible message path

idea

node network participant link possible message path

◮ all nodes have equal weight

idea

node network participant link possible message path

◮ all nodes have equal weight ◮ message unmodifiable, only receiver is known

idea

node network participant link possible message path

◮ all nodes have equal weight ◮ message unmodifiable, only receiver is known ◮ each node on path: biased coin flip: forward or deliver

idea

node network participant link possible message path

◮ all nodes have equal weight ◮ message unmodifiable, only receiver is known ◮ each node on path: biased coin flip: forward or deliver ◮ each node on path: initiator or just forwarder?

idea

node network participant link possible message path

◮ all nodes have equal weight ◮ message unmodifiable, only receiver is known ◮ each node on path: biased coin flip: forward or deliver ◮ each node on path: initiator or just forwarder?

→ message initator gets lost in the crowd

model

model

n1 n2 n3 n4 n5 n6 n7 n8

◮ N nodes n1, . . . , nN with P(ni is initiator) =: P(X = ni) =: pi

model

n1 n2 n3 n4 n5 n6 n7 n8

◮ N nodes n1, . . . , nN with P(ni is initiator) =: P(X = ni) =: pi ◮ ni probably innocent ↔ pi ≤ 1 2

model

n1 n2 n3 n4 n5 n6 n7 n8

◮ N nodes n1, . . . , nN with P(ni is initiator) =: P(X = ni) =: pi ◮ ni probably innocent ↔ pi ≤ 1 2 ◮ forwarding probability λ

model

n1 n2 n3 n4 n5 n6 n7 n8

◮ N nodes n1, . . . , nN with P(ni is initiator) =: P(X = ni) =: pi ◮ ni probably innocent ↔ pi ≤ 1 2 ◮ forwarding probability λ

if message received then flip biased coin P(heads) = λ if heads then forward to a uniformly chosen node else deliver to receiver end if end if

degree of anonymity

degree of anonymity

best case X := X : ∀i ∈ {1, . . . , N} : pi = 1

N

degree of anonymity

best case X := X : ∀i ∈ {1, . . . , N} : pi = 1

N

H := H(X) = −

N

• i=1

pi · ln(pi) = ln(N − C)

degree of anonymity

best case X := X : ∀i ∈ {1, . . . , N} : pi = 1

N

H := H(X) = −

N

• i=1

pi · ln(pi) = ln(N − C) worst case X := X : ∀i ∈ {1, . . . , N} \ {j} : pi = 0 ∧ pj = 1

degree of anonymity

best case X := X : ∀i ∈ {1, . . . , N} : pi = 1

N

H := H(X) = −

N

• i=1

pi · ln(pi) = ln(N − C) worst case X := X : ∀i ∈ {1, . . . , N} \ {j} : pi = 0 ∧ pj = 1 H := H(X) = −

N

• i=1

pi · ln(pi) = 1 · ln(1) = 0

degree of anonymity

best case X := X : ∀i ∈ {1, . . . , N} : pi = 1

N

H := H(X) = −

N

• i=1

pi · ln(pi) = ln(N − C) worst case X := X : ∀i ∈ {1, . . . , N} \ {j} : pi = 0 ∧ pj = 1 H := H(X) = −

N

• i=1

pi · ln(pi) = 1 · ln(1) = 0 d(X) := 1 − H − H(X) H = H(X) H ∈ [0, 1]

corruption

corruption

n1 n2 n3 n4 n5 n6 n7 n8

◮ 0 ≤ C < N corrupt nodes (incoming message passer known)

corruption

n1 n2 n3 n4 n5 n6 n7 n8

◮ 0 ≤ C < N corrupt nodes (incoming message passer known) ◮ behave normally

corruption

n1 n2 n3 n4 n5 n6 n7 n8

◮ 0 ≤ C < N corrupt nodes (incoming message passer known) ◮ behave normally ◮ wait for message to be passed to us

corruption

n1 n2 n3 n4 n5 n6 n7 n8

◮ 0 ≤ C < N corrupt nodes (incoming message passer known) ◮ behave normally ◮ wait for message to be passed to us ◮ analyze probability of passer being initiator

corruption

n1 n2 n3 n4 n5 n6 n7 n8

◮ 0 ≤ C < N corrupt nodes (incoming message passer known) ◮ behave normally ◮ wait for message to be passed to us ◮ analyze probability of passer being initiator

P(passer is initiator) > 1

2 → unmasked

analysis

events

analysis

events

nI nm nn nC 1 2 3 4

analysis

events

nI nm nn nC 1 2 3 4

let k > 0

analysis

events

nI nm nn nC 1 2 3 4

let k > 0 Hk := first corrupt node is at the kth path-position

analysis

events

nI nm nn nC 1 2 3 4

let k > 0 Hk := first corrupt node is at the kth path-position Hk+ :=

∞

• i=k

Hi

analysis

events

nI nm nn nC 1 2 3 4

let k > 0 Hk := first corrupt node is at the kth path-position Hk+ :=

∞

• i=k

Hi I := first corrupt node immediately postcedes the message initiator

analysis

events

nI nm nn nC 1 2 3 4

let k > 0 Hk := first corrupt node is at the kth path-position Hk+ :=

∞

• i=k

Hi I := first corrupt node immediately postcedes the message initiator P(passer is initiator) = P(I|H1+)

analysis

events

nI nm nn nC 1 2 3 4

let k > 0 Hk := first corrupt node is at the kth path-position Hk+ :=

∞

• i=k

Hi I := first corrupt node immediately postcedes the message initiator P(passer is initiator) = P(I|H1+) note: H1 → I, but I → H1

analysis

general probability I

P(I|H1+) = N − λ(N − C − 1) N

analysis

general probability I

P(I|H1+) = N − λ(N − C − 1) N proof:

analysis

general probability I

P(I|H1+) = N − λ(N − C − 1) N proof: P(Hk) =

• λ · N − C

N

k−1

·

• λ · C

N

analysis

general probability I

P(I|H1+) = N − λ(N − C − 1) N proof: P(Hk) =

• λ · N − C

N

k−1

·

• λ · C

N

• ⇒ P(Hk+) =

∞

• i=k

P(Hi) = . . . = C ·

• λ · N−C

N

k

(N − C) ·

• 1 − λ · N−C

N

analysis

general probability I

P(I|H1+) = N − λ(N − C − 1) N proof: P(Hk) =

• λ · N − C

N

k−1

·

• λ · C

N

• ⇒ P(Hk+) =

∞

• i=k

P(Hi) = . . . = C ·

• λ · N−C

N

k

(N − C) ·

• 1 − λ · N−C

N

• H1 → I ⇒ P(I|H1) = 1

analysis

general probability I

P(I|H1+) = N − λ(N − C − 1) N proof: P(Hk) =

• λ · N − C

N

k−1

·

• λ · C

N

• ⇒ P(Hk+) =

∞

• i=k

P(Hi) = . . . = C ·

• λ · N−C

N

k

(N − C) ·

• 1 − λ · N−C

N

• H1 → I ⇒ P(I|H1) = 1

P(I|H2+) = 1 N − C

analysis

general probability II

P(I) TP = P(H1) P(I|H1) + P(H2+) P(I|H2+)

analysis

general probability II

P(I) TP = P(H1) P(I|H1) + P(H2+) P(I|H2+) = . . .

analysis

general probability II

P(I) TP = P(H1) P(I|H1) + P(H2+) P(I|H2+) = . . . = λ · C N ·

• 1 +

λ N − λ · (N − C)

analysis

general probability II

P(I) TP = P(H1) P(I|H1) + P(H2+) P(I|H2+) = . . . = λ · C N ·

• 1 +

λ N − λ · (N − C)

• P(I|H1+) CP

= P(I ∧ H1+) P(H1+)

analysis

general probability II

P(I) TP = P(H1) P(I|H1) + P(H2+) P(I|H2+) = . . . = λ · C N ·

• 1 +

λ N − λ · (N − C)

• P(I|H1+) CP

= P(I ∧ H1+) P(H1+)

• I → H1+

= P(I) P(H1+)

analysis

general probability II

P(I) TP = P(H1) P(I|H1) + P(H2+) P(I|H2+) = . . . = λ · C N ·

• 1 +

λ N − λ · (N − C)

• P(I|H1+) CP

= P(I ∧ H1+) P(H1+)

• I → H1+

= P(I) P(H1+) = . . .

analysis

general probability II

P(I) TP = P(H1) P(I|H1) + P(H2+) P(I|H2+) = . . . = λ · C N ·

• 1 +

λ N − λ · (N − C)

• P(I|H1+) CP

= P(I ∧ H1+) P(H1+)

• I → H1+

= P(I) P(H1+) = . . . = N − λ(N − C − 1) N

analysis

general probability II

P(I) TP = P(H1) P(I|H1) + P(H2+) P(I|H2+) = . . . = λ · C N ·

• 1 +

λ N − λ · (N − C)

• P(I|H1+) CP

= P(I ∧ H1+) P(H1+)

• I → H1+

= P(I) P(H1+) = . . . = N − λ(N − C − 1) N good node P(good node i is initiator) = 1−P(I|H1+)

N−C−1

= λ

N < 1 N ≤ 1 2

analysis

general probability II

P(I) TP = P(H1) P(I|H1) + P(H2+) P(I|H2+) = . . . = λ · C N ·

• 1 +

λ N − λ · (N − C)

• P(I|H1+) CP

= P(I ∧ H1+) P(H1+)

• I → H1+

= P(I) P(H1+) = . . . = N − λ(N − C − 1) N good node P(good node i is initiator) = 1−P(I|H1+)

N−C−1

= λ

N < 1 N ≤ 1 2

⇒ all good nodes besides passer are innocent

analysis

general probability II

P(I) TP = P(H1) P(I|H1) + P(H2+) P(I|H2+) = . . . = λ · C N ·

• 1 +

λ N − λ · (N − C)

• P(I|H1+) CP

= P(I ∧ H1+) P(H1+)

• I → H1+

= P(I) P(H1+) = . . . = N − λ(N − C − 1) N good node P(good node i is initiator) = 1−P(I|H1+)

N−C−1

= λ

N < 1 N ≤ 1 2

⇒ all good nodes besides passer are innocent corrupt node P(corrupt node i is initiator) = 0

analysis

passer innocence

analysis

passer innocence

passer innocent ⇔ λ > 1 2 ∧ N ≥ 1 1 −

1 2·λ

· (C + 1)

analysis

passer innocence

passer innocent ⇔ λ > 1 2 ∧ N ≥ 1 1 −

1 2·λ

· (C + 1) proof:

analysis

passer innocence

passer innocent ⇔ λ > 1 2 ∧ N ≥ 1 1 −

1 2·λ

· (C + 1) proof: 1 2 ≥ P(I|H1+)

analysis

passer innocence

passer innocent ⇔ λ > 1 2 ∧ N ≥ 1 1 −

1 2·λ

· (C + 1) proof: 1 2 ≥ P(I|H1+) = N − λ(N − C − 1) N

analysis

passer innocence

passer innocent ⇔ λ > 1 2 ∧ N ≥ 1 1 −

1 2·λ

· (C + 1) proof: 1 2 ≥ P(I|H1+) = N − λ(N − C − 1) N

• (λ − 1

2) > 0 ⇔ N ≥ 1 1 −

1 2·λ

· (C + 1)

analysis

degree of anonymity

analysis

degree of anonymity

d(X) = − C · 0 + P(I|H1+) · ln(P(I|H1+)) + (N − C − 1) · λ

N · ln

• λ

N

• ln(N − C)

=

analysis

degree of anonymity

d(X) = − C · 0 + P(I|H1+) · ln(P(I|H1+)) + (N − C − 1) · λ

N · ln

• λ

N

• ln(N − C)

= = . . . =

(N−λ·(N−C−1))·ln N N−λ·(N−C−1)

• +λ·(N−C−1)·ln( N

λ) N·ln(N−C)

analysis

degree of anonymity

d(X) = − C · 0 + P(I|H1+) · ln(P(I|H1+)) + (N − C − 1) · λ

N · ln

• λ

N

• ln(N − C)

= = . . . =

(N−λ·(N−C−1))·ln N N−λ·(N−C−1)

• +λ·(N−C−1)·ln( N

λ) N·ln(N−C)

0.2 0.4 0.6 0.8 1 0.2 0.4 0.6 0.8 1

C N

d(X)

conclusion

conclusion

◮ blending in with the crowd works as long as it is large enough

conclusion

◮ blending in with the crowd works as long as it is large enough ◮ nothing to hide, but others to protect

conclusion

◮ blending in with the crowd works as long as it is large enough ◮ nothing to hide, but others to protect ◮ full paper on http://frign.de/