Provable Protocols for Unlinkability Ron Berman, Amos Fiat, Amnon Ta-Shma Tel Aviv University

Unlinkability –S: Set of message initiators –T: Set of message recipients –Every s  S sends a message to some t  T and [may] request a response –Goal: Prevent adversary from knowing who is talking to whom Adversary may control all nodes in T and many other nodes and links in the network

The model A complete graph of N nodes The adversary is capable of eavesdropping to almost all links: an ε fraction of the links are “honest” The adversary may also control almost all nodes, subject to the above A public key infrastructure is in place A set S of M nodes wish to send unlinkable [two way] communications to a set T of M nodes The Adversary is adaptive but not malicious. I.e., Adversary cannot corrupt or discard messages.

Prior Work Seminal Papers of David Chaum, 1979, 1981 –Reduction to Traffic Analysis (Onion Routing) –“ Chaumian Mixes ” Literally dozens (hundreds?) of papers since, dedicated conferences, etc., etc. Many implementations Typical paper: –Attack on prior protocol(s) –Suggest new protocol –Repeat Very few attempts to give rigorous definitions, let alone proofs Notable exception: Rackoff and Simon, 1993

General Structure: Chaumian Mixes Choose a random path and send message along path Hope for sufficiently many collisions along path If N nodes, and polylog(N) length path, then essentially need all nodes to send messages Does not matter how many nodes actually want to send messages, many dummy messages required. Many attacks, counter measures, counter attacks, counter counter measures, etc.

Chaum’s reduction to traffic analysis: Onion Routing Note: messages are same length

Prior work: Chaumian Mixes Honest nodes are used to prevent adversary from knowing how messages were routed: A to C, A ’ to C ’, or A to C ’, A ’ to C.

Our Results New definitions of unlinkability based on information theory Prove equivalence to Rackoff-Simon definitions Prove that a suitable modification of Chaum ’ s original protocol is secure Argue that many previous “ informal arguments ” must be wrong Improve (?) on Rackoff-Simon in many ways: –Adaptive adversary, allow arbitrary prior knowledge –No secure computation –Much, much, simpler –Much more efficient. No need to flood network with dummy messages –Weaker attack model (not all links are under adversary control) (New definition of improve)

Only Traffic Analysis We will simply assume during this talk that the adversary cannot do anything except eavesdrop onto traffic –An Adversary controlled link reports on all traffic through the link –An Adversary controlled node reports on all trafic through the node and how routing was done

How to define Unlinkability ∏ - Random variable, permutation from S to T, [may be drawn from arbitrary prior distribution] C – Random variable, gives all the adversary learns during communications

How to define Unlinkability Rackoff and Simon: Let n be a security parameter, C and ∏ as before (We ’ re ignoring the issue of computational indistinguishability in this talk) (R&S only allow the uniform prior distribution)

Other Definitions (Equivalent) We need the following observation to prove these equivalences, 0 ≤ α ≤ 1 : Is this new? Seems unlikely.

Why use I(A:B) rather than | | 1 ? I(A:B) is monotonic: Let A be a random variable giving the number of heads in 10 coin tosses Let B be the binomial distribution for the number of heads in 10 coin tosses Let C be a random variable giving the number of heads in the first coin toss Let D be a random variable giving the number of heads in the 2 nd coin toss | | 1 is not monotonic (the little birdy principle does not work): The intuition: the “ closer ” to the prior, B, the less information the adversary has

The little Birdy Principle Richard M. Karp (1988): –Revealing more information to the adversary only makes his/her life easier –Certainly true in the context of computational complexity Is this true in the context of unlinkability? –Depends on the definition of unlinkability –Many previous papers implicitly make use of the little birdy principle in informal arguments –Does not hold for the Rackoff-Simon definitions

How could this possibly be? The little birdy principle must hold, it ’ s obvious, isn ’ t it? Actually, in some form it does hold, it holds on average The reason that it does not always hold is that in some circumstances, revealing more information (selected information), only “ confuses ” the adversary There must be a good political joke here somewhere, but I could not figure it out

How to prove unlinkability Define Protocol Define Obscurant Network Construct Obscurant Networks Search for Obscurant Network “ embedding ” within execution of protocol (Uses Little Birdy Principle) Extend result to allow prior information: Use “ protocol folding ” (Uses Little Birdy Principle)

The protocol Nodes wishing to send messages (and only nodes wishing to send messages): –Choose a random path of length polylog(N) –Use Chaum ’ s onion routing to send and receive messages along this path

Silly, isn’t it?” If only 100 messages are initiated, and there are 10 6 nodes in the network, there will be no collusions If the adversary controls all links then the adversary knows exactly who is talking to whom Change attack model: adversary controls all by an arbitrarily small constant fraction of the links

The protocol

Introducing ambiguity via links A crossover structure of honest links introduces ambiguity

Obscurant Networks A network with crossover switches such that a pebble placed on the inputs, and setting all crossovers uniformly at random, will result in a uniform distribution over the outputs Example: Butterfly network Important: an obscurant network does not obscure permutations What about non-powers of 2?

Obscurant Networks of all sizes Uniformly at random for these nodes Uniformly at random for these nodes Average the probability mass

Do permutation obscurant networks exist?? –Don ’ t know, open problem. Don ’ t you need a permutation obscurant network?? –Yes, and no, what we actually find are repeated embeddings of [single pebble] obscurant networks

A combinatorial lemma (N. Alon, FOCS 2001) Given a graph with a constant fraction, f, of the total edges –Choose 4 nodes at random –A crossover network will connect them with probability f 4 f is the fraction of honest edges

Strategy Reveal all links used in every 2 nd layer, this is to make pairs of layers independent choices of four nodes For a sufficiently long set of paths, find an obscurant network in the execution of the protocol Reveal all other edges This revelation should not harm the protocol (requires some effort)

Strategy (continued) How do we move from [single pebble] obscurant to unlinkable? Reveal the j th path (as a proof technique!!) to argue about the others

Dealing with Prior Information Reveal to the adversary the relationship between layer i and layer 6-i

Dealing with Prior Information: Folding the Network upon itself

Completing the Argument: Prior Information Because the distributions (Choose the last T-1 levels at random, and fill in the 1 st level to get the permutation) Given the middle permutation, and c 2  C 2, we can compute π, thus the data processing inequality holds